Grid Computing in Higher Education (Scott Rea) EDUCAUSE PKI Deployment Forum Madison, WI - April 15, 2008


Overview

• Brief introduction to Grids

• Why PKI is important for Grid computing

• International Grid Trust Federation - IGTF

• The Americas Grid Policy Management Authority - TAGPMA

Brief Introduction to Grids

• Some research activities require massive compute and/or data storage capability – usually associated with supercomputing needs

– E.g. particle & nuclear physics modeling, protein folding, financial modeling, earthquake simulation, climate/weather modeling

• Not everyone has the resources to build a Supercomputer.

• Those fortunate enough to have a Supercomputer may not have local resources that utilize its full potential 100% of the time

• Grid computing is distributed computing that brings the power of Supercomputing to the masses by creating a large and powerful self-managing virtual computer out of a large collection of connected heterogeneous systems sharing various combinations of resources.

• The traditional Supercomputer has massive co-located processors and storage connected via a high-speed bus – the traditional Grid computing setup utilizes many individual networked machines managed via a common interface to provide similar benefits

Examples of Grid Projects

• Open Science Grid (http://www.opensciencegrid.org/)

– OSG is a consortium of software, service and resource providers and researchers, from universities, national laboratories and computing centers across the U.S., who together build and operate the OSG project. The project is funded by the NSF and DOE, and provides staff for managing various aspects of the OSG

• TeraGrid (http://www.teragrid.org/)

– TeraGrid is an open scientific discovery infrastructure combining leadership class resources at eleven partner sites to create an integrated, persistent computational resource. Resource Provider sites include: Indiana University, Oak Ridge National Laboratory, National Center for Supercomputing Applications, Pittsburgh Supercomputing Center, Purdue University, San Diego Supercomputer Center, Texas Advanced Computing Center, University of Chicago/Argonne National Laboratory, the National Institute for Computational Sciences, the Louisiana Optical Network Initiative, and the National Center for Atmospheric Research.

• SuraGrid (http://www.sura.org/programs/sura_grid.html)

– SURAgrid is a consortium of 30+ organizations collaborating and combining resources to help bring grid technology to the level of seamless, shared infrastructure. The vision for SURAgrid is to orchestrate access to a rich set of distributed capabilities in order to meet diverse users' needs. Capabilities to be cultivated include locally contributed resources, project-specific tools and environments, highly specialized or HPC access, and gateways to national and international cyberinfrastructure.

PKI in Grid Computing

• Why PKI is critical to grid computing

– Massive compute power in the wrong hands can be extremely dangerous, so there is a need for strong authentication of researchers who access Grid computing resources

– PKI provides a cryptographic binding of researcher identities to an authentication token, and provides a mechanism for a central virtual organization to manage those credentials e.g. revoke if required

– PKI facilitates the establishment of the trust infrastructure needed to create the virtual Supercomputer and secures communications between nodes in the Grid

– PKI allows multiple local authorities to be trusted globally via a set of commonly agreed policies and practices for operational consistency

IGTF

International Grid Trust Federation

• IGTF founded in Oct, 2005 at GGF 15

• IGTF Purpose:
  – Manage authentication services for global computational grids via policy and procedures

• IGTF goal:
  – harmonize and synchronize member PMAs' policies to establish and maintain global trust relationships

• IGTF members:
  – 3 regional Policy Management Authorities
    • EUgridPMA
    • APgridPMA
    • TAGPMA

• 100+ CAs, 100,000+ credentials

IGTF general Architecture

• The member PMAs are responsible for accrediting authorities that issue identity assertions.

• The IGTF maintains a set of authentication profiles (APs) that specify the policy and technical requirements for a class of identity assertions and assertion providers.

• The management and continued evolution of an AP is assigned by the IGTF to a specific member PMA.
  – Proposed changes to an AP will be circulated by the chair of the PMA managing the AP to all chairs of the IGTF member PMAs.

• Each of the PMAs will accredit credential-issuing authorities and document the accreditation policy and procedures.

• Any changes to the policy and practices of a credential-issuing authority after accreditation will void the accreditation unless the changes have been approved by the accrediting PMA prior to their taking effect.

EUGridPMA members and applicants

[Map. Green: EMEA countries with an Accredited Authority]

23 of 25 EU member states (all except LU, MT) + AM, CH, HR, IL, IS, MA, NO, PK, RO, RS, RU, TR, UA, ME, MK, SEE-GRID + CA, CERN (int), DoEGrids*

Other Accredited Authorities: DoEGrids (.us), GridCanada (.ca), CERN, SEE catch-all

EUgridPMA Membership

• X.509 certificate authorities
  – 50 CAs accredited from 44 organizations
  – active applicants: 8 organizations

• Major relying parties
  – EGEE, DEISA, SEE-GRID, LCG, TERENA, OSG

Map of the APGrid PMA

Ex-officio Membership
• APAC (Australia)
• CNIC/SDG, IHEP (China)
• AIST, KEK, NAREGI (Japan)
• KISTI (Korea)
• NGO (Singapore)
• ASGCC, NCHC (Taiwan)
• NECTEC, ThaiGrid (Thailand)
• PRAGMA/UCSD (USA)

General Membership
• U. Hong Kong (China)
• U. Hyderabad (India)
• Osaka U. (Japan)
• USM (Malaysia)

APgridPMA Membership

• 14 Accredited CAs
  • AIST (Japan)
  • APAC (Australia)
  • ASGCC (Taiwan)
  • CNIC (China)
  • IHEP (China)
  • KEK (Japan)
  • NAREGI (Japan)
  • NCHC (Taiwan)
  • NECTEC (Thailand)
  • NGO (Singapore)
  • KISTI (Korea)
  • ThaiGrid (Thailand)
  • C-DAC (India)
  • UCSD (USA)

• General membership
  – Osaka U. (Japan)
  – U. Hong Kong (China)
  – U. Hyderabad (India)
  – USM (Malaysia)

TAGPMA

TAGPMA Membership

• Accredited
  – Argentina UNLP
  – Brazilian Grid CA
  – CANARIE (Canada)*
  – Chile REUNA CA
  – DOEGrids Root*
  – DOEGrids Classic*
  – EELA LA Catch all Grid CA
  – ESnet/DOE Office Science*
  – Mexico UNAM
  – NCSA – MICS
  – NCSA – SLCS
  – TACC – Root
  – Venezuela

• In Review
  – FNAL
  – Purdue University
  – TACC – Classic/SLCS
  – Virginia
  – USHER

• Relying Parties
  – Dartmouth/HEBCA
  – EELA
  – OSG
  – SDSC
  – SLAC
  – TeraGrid
  – TheGrid
  – LCG

*Accredited by EUgridPMA

IGTF Certificate Profiles

• Classic X.509 CA Profile
  – Created and managed by EUGridPMA
  – http://www.eugridpma.org/guidelines/IGTF-AP-classic-4-1.pdf

• SLCS Profile
  – Short Lived Credential Service
  – Created and managed by TAGPMA
  – http://www.tagpma.org/files/IGTF-AP-SLCS-20051115-1-1.pdf

• MICS Profile
  – Member Information Credential Service
  – Created and managed by TAGPMA
  – http://www.tagpma.org/files/IGTF-AP-MICS-1.0.pdf

• Classic X.509 High Root Profile
  – Created and managed by EUGridPMA
  – http://www.eugridpma.org/guidelines/igtf-policy-hlca-0.2.pdf

• Experimental CA
  – Created and managed by APGridPMA
  – http://www.apgridpma.org/docs/APGridPMA-Minimum-CA-Requirements-1.1.doc

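Proposed Inter-federations

[Diagram of bridge CAs linked by cross-certificates. Node labels, in the order extracted: FBCA; CA-1, CA-2, CA-n; HEBCA; Dartmouth, Wisconsin, Texas, Univ-N, UVA; USHER; DST ACES; SAFE; CertiPath; NIH; CA-1, CA-2, CA-3, CA-4; HE JP; AusCert; CAUDIT PKI; CA-1, CA-2, CA-3; HE BR; Other Bridges; IGTF; C-4. Link labels: Cross-cert, Cross-certs.]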

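[Diagram with no surviving title: assurance levels of FPKI, IGTF, HEBCA/USHER and E-AUTH shown side by side. Labels, grouped in the order extracted:

• High, Medium Hardware CBP, Medium Software CBP, Basic, Rudimentary, C-4
• High, Medium, Basic, Rudimentary, Foundation
• Classic CA, SLCS, MICS, Classic Strong
• E-Auth Level 1, E-Auth Level 2, E-Auth Level 3, E-Auth Level 4

Column labels: FPKI, IGTF, HEBCA/USHER, E-AUTH]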

Summary

• PKI facilitates Grid computing infrastructure
  – It allows components to be reliably authenticated
  – It allows users to be strongly authenticated
  – It facilitates secure communications and transactions
  – It facilitates management of virtual organizations

• Your school’s own PKI credentials can be utilized for Grid computing
  – Your certificate authority must be accredited by the IGTF (TAGPMA is the local body)
  – You must issue credentials matching one of the approved profiles

For More Information

• TAGPMA Website: http://www.tagpma.org/

Scott Rea - [email protected]