Introduction of NAREGI-CA
National Institute of Informatics, JAPAN
Toshiyuki Kataoka, [email protected]
July 19, 2006
APAN Grid-Middleware Workshop, Singapore
OUTLINE
1. NAREGI & UPKI projects
2. NAREGI Certification Service
3. NAREGI-CA for Grid middleware
4. Enhancement in UPKI
5. Future Plan
Cyber Science Infrastructure for Advanced Science (by NII): To Innovate Academia and Industry
[Figure: Cyber Science Infrastructure. Labels: Publication of scientific results from academia; Human Resource Development and strong organization; NAREGI Middleware; Virtual Organization for science; UPKI; Scientific Repository; Industry Liaison and Social Benefit; Global Contribution.]
Super-SINET: a next generation network infrastructure supported by NII and 7 National Computer Centers (Hokkaido University, Tohoku University, University of Tokyo / NII, Nagoya University, Kyoto University, Osaka University, Kyushu University; also Tokyo Institute of Technology, Waseda University, High Energy Accelerator Research Organization, etc.)
NAREGI Certification Service
- CA Software (NAREGI-CA): CA/RA; UI (Character, Web)
- Policy Management (NAREGI-PMA): CP/CPS; satisfies the APGrid minimum requirement
- Operation (NAREGI CA): operation of the CA; authorized by the APGrid PMA as a Production Level CA
Distribution & User Sites
• Free Software under the NAREGI intellectual property management rules (Apache ver2.0)
• Current version: Ver2.0, released May 10, 2006; included in NAREGI Grid Middleware Beta
• Distribution records: 129 downloads (31 of Ver2.0)
• Research collaboration: audit of CA by AIST, Japan; PMA for international cooperation: APGRID
• User Sites: NAREGI, AIST, several universities
NAREGI-CA Software Features
• License ID management: transfer authentication responsibility to the Local RA
• Grid operation extensions: assistance of Grid-mapfile creation
• Dual interfaces for certificate request: Web & command line enrollment
• CA/RA architecture: independent Registration Authority (RA) Server; practical CP/CPS Template
NAREGI-CA Architecture
Actors: RA (Registration Authority), CA (Certificate Authority), Local RA (Site Administrator), End User & Host Administrator.
① Get License ID
② Authorize to pass License ID
③ Generate a Key Pair
④ Pass License ID & Public Key
⑤ Send CSR
⑥ Issue Certificate
⑦ Get Certificate
⑧ Get Grid Map file
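Step ⑧ and the "assistance of Grid-mapfile creation" feature both end in a grid-mapfile, the file that maps each issued certificate's subject DN to the local accounts it may use. As an added example (not NAREGI-CA's own code), this builds and parses the Globus grid-mapfile format with the consistency checks a site administrator wants before installing it; the DNs, accounts and the stand-in for /etc/passwd are constructed.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample data: subject DNs in the form a NAREGI-style grid CA issues
# and the local account(s) each subject may be mapped to. Names are made up.
ISSUED = [
    ("/C=JP/O=NAREGI/OU=Example Univ/CN=Taro Suzuki", ["tsuzuki"]),
    ("/C=JP/O=NAREGI/OU=Example Univ/CN=Hanako Sato", ["hsato", "gridpool1"]),
    ("/C=JP/O=NAREGI/OU=Example Univ/CN=host/node01.example.ac.jp", ["grid-host"]),
]
# Constructed stand-in for the accounts present in the site's /etc/passwd.
LOCAL_ACCOUNTS = {"tsuzuki", "hsato", "gridpool1", "grid-host"}

_LOCAL_NAME = re.compile(r"^[a-z_][a-z0-9_-]*$")
# Globus grid-mapfile line: quoted (or space-free unquoted) DN, then comma-separated accounts.
_ENTRY = re.compile(r'^(?:"([^"]+)"|(\S+))\s+(\S+)$')

def grid_mapfile_line(dn: str, local_users: List[str]) -> str:
    """Render one entry, refusing DNs or account names that would break the line format."""
    if not dn.startswith("/") or '"' in dn:
        raise ValueError(f"unexpected subject DN: {dn!r}")
    for name in local_users:
        if not _LOCAL_NAME.match(name):
            raise ValueError(f"bad local account name: {name!r}")
    return f'"{dn}" {",".join(local_users)}'

def build_grid_mapfile(issued: Iterable[Tuple[str, List[str]]]) -> str:
    """Render the whole file; a DN listed twice is an error rather than a silent override."""
    seen, lines = set(), []
    for dn, users in issued:
        if dn in seen:
            raise ValueError(f"duplicate mapping for {dn}")
        seen.add(dn)
        lines.append(grid_mapfile_line(dn, users))
    return "\n".join(lines) + "\n"

def parse_grid_mapfile(text: str) -> Dict[str, List[str]]:
    """Parse an existing mapfile (blank lines and # comments allowed) into DN -> accounts."""
    mapping: Dict[str, List[str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _ENTRY.match(line)
        if not m or (m.group(1) or m.group(2)) in mapping:
            raise ValueError(f"line {lineno}: malformed or duplicate entry {raw!r}")
        mapping[m.group(1) or m.group(2)] = m.group(3).split(",")
    return mapping

def stale_mappings(mapping: Dict[str, List[str]], accounts: set) -> List[Tuple[str, str]]:
    """Entries pointing at accounts that no longer exist locally; remove these before installing."""
    return sorted((dn, u) for dn, users in mapping.items() for u in users if u not in accounts)
```

Running `stale_mappings` against the live account list catches the common operational slip of a grid identity still mapped to a deleted or renamed local account.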
UPKI Three Layer Architecture
[Figure: the three PKI layers of UPKI and what lives in each.]
- Grid PKI: a NAREGI CA at each university (A Univ., B Univ.) issues end-entity (EE) certificates, from which proxy certificates are derived for Grid Computing.
- Campus PKI: each university's own CA (A Univ. CA, B Univ. CA) issues EE certificates for on-campus use to students, faculty, servers and super computers; used for authentication, signing and encryption.
- Open Domain PKI: the NII Public CA and other public CAs issue certificates for Web servers and S/MIME; used for signing and encryption.
Enhancement in UPKI
Objective (future plan):
- Each university will start to install NAREGI-CA and operate a CA to be a grid site.
- Those grid sites will be operated in the Grid PKI layer of the UPKI three layer architecture.
- A reduced burden of CA operation is necessary for actual operation in universities.
- Efficient operation by interconnecting PKI layers is needed.
Enhancement in UPKI
Enhancements for actual operation of CA/RA at universities:
1. To split and delegate the RA.
2. To provide staff/students means to apply by themselves.
3. To issue grid certificates by identification with the campus certificate.

1. To split and delegate the RA.
- RA/LRA operator authorities created, split from RA administrator authorities.
- Secure delegation by using an IC card.
- Delegation to hierarchical institutions within universities for actual operation.
2. To provide staff/students means to apply by themselves.
- Easy application for registration, issuance, and revocation from the web.
- Secure application by using a challenge PIN.
- Reduced burden of RA operation.
Enhanced Procedure To Issue Certificate
[Figure: actors CA Administrator, RA Administrator, RA Operator (Local RA) and User; servers: Management Server (web) and Application Server (web); an IC card (sample label "TARO SUZUKI 08/07").]
- The RA Administrator delegates to the RA Operator (Local RA), who holds an IC card.
- The RA Operator identifies the user and passes a License ID.
- The User applies through the Application Server (web) with the License ID and a Challenge PIN.
- The RA approves the application and the CA issues the certificate.
3. To issue grid certificates by identification with the campus certificate.
- Cooperation of the Grid CA and the Campus CA.
- Reduced burden of RA operation.
- Any certificate can be issued for other applications (AP) in the same way.
Enhancement in UPKI
Campus-Grid PKI Federation
[Figure: Campus PKI on the left, Grid PKI on the right.]
- Campus PKI: the Campus CA issues a certificate to the user, held on an IC card (sample label "TARO SUZUKI 08/07").
- The user requests a grid certificate from the NAREGI RA, using the IC card as credential; an LDAP directory is shown beside the NAREGI RA.
- Grid PKI: the NAREGI CA issues the certificate for the Grid System, with which the user accesses the super computers of the Grid System.
5. Future Plan
- Release schedule: the enhanced features will be released in autumn this year.
- Usability improvement: create and distribute a Start-Up Package for Campus CA/RA, including CP/CPS templates for particular applications such as wireless LAN authentication and authorization.