Introduction of NAREGI-CA

National Institute of Informatics, JAPAN

Toshiyuki Kataoka, [email protected]

July 19, 2006

APAN Grid-Middleware Workshop, Singapore



OUTLINE

1. NAREGI & UPKI projects

2. NAREGI Certification Service

3. NAREGI-CA for Grid middleware

4. Enhancement in UPKI

5. Future Plan


1. NAREGI & UPKI projects


Figure: Cyber Science Infrastructure for Advanced Science (by NII). Labels recovered from the diagram: Publication of scientific results from academia; Human Resource Development and strong organization; NAREGI Middleware; Virtual Organization for science; UPKI; Scientific Repository; To Innovate Academia and Industry; Industry Liaison and Social Benefit; Global Contribution. Super-SINET: a next-generation network infrastructure supported by NII and 7 National Computer Centers (Hokkaido University, Tohoku University, University of Tokyo, Nagoya University, Kyoto University, Osaka University, Kyushu University; also Tokyo Institute of Technology, Waseda University, High Energy Accelerator Research Organization (KEK), etc.).


2. NAREGI-CA Certification Service


NAREGI Certification Service

CA Software (NAREGI-CA)
- CA/RA
- UI (character, web)

Policy Management (NAREGI-PMA)
- CP/CPS
- Satisfies the APGrid minimum requirements

Operation (NAREGI CA)
- Operation of the CA
- Authorized by the APGrid PMA as a production-level CA


3. NAREGI-CA for Grid middleware


Distribution & User Sites

• Free software under the NAREGI intellectual property management rules (Apache License ver 2.0)
• Current version: Ver 2.0, released May 10, 2006, included in NAREGI Grid Middleware Beta
• Distribution records: 129 downloads (31 of Ver 2.0)
• Research collaboration
  – Audit of CA: AIST, Japan
  – PMA for international cooperation: APGrid
• User sites: NAREGI, AIST, several universities


NAREGI-CA Software Features

• License ID management
  – Transfer authentication responsibility to the Local RA
• Grid operation extensions
  – Assistance of grid-mapfile creation
• Dual interfaces for certificate request
  – Web & command line enrollment
• CA/RA architecture
  – Independent Registration Authority (RA) server
  – Practical CP/CPS template


NAREGI-CA Architecture

Participants in the diagram: RA (Registration Authority), CA (Certificate Authority), Local RA (Site Administrator), End User & Host Administrator.

Steps as numbered in the diagram:

① Get License ID (Site Administrator)
② Authorize to pass License ID
③ Generate a key pair (End User / Host Administrator)
④ Pass License ID & public key
⑤ Send CSR
⑥ Issue certificate (CA)
⑦ Get certificate
⑧ Get grid-mapfile
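The grid-mapfile in step ⑧ is the file a Globus-style gatekeeper uses to map the subject DN of a presented certificate to a local account, and the "Assistance of grid-mapfile creation" feature listed above generates it from the certificates the CA has issued. The helper below is an added example, not NAREGI-CA code: it builds a grid-mapfile from a constructed list of issued DNs (the DN naming and account names are assumptions), parses it back, and resolves a presented subject to an account. Because grid jobs are submitted with proxy certificates, it strips the CN components Globus appends to a proxy subject (`/CN=proxy`, `/CN=limited proxy`, a numeric `/CN=<n>`) so that a proxy maps to its end entity's account, while any other CN appended to a legitimate DN does not match.

```python
"""Grid-mapfile builder/parser (added example, not NAREGI-CA code).

A grid-mapfile has one entry per line:  "<subject DN>" account[,account...]
The DN is quoted because it contains spaces; '#' starts a comment.
"""
import re
import shlex

# Constructed sample of issued certificates: (subject DN, local account).
# The DN naming and account names are assumptions for this example.
# Host certificates get no account (None): they must never map to a login.
ISSUED = [
    ("/C=JP/O=NAREGI/OU=NII/CN=Taro Suzuki", "tsuzuki"),
    ("/C=JP/O=NAREGI/OU=NII/CN=host/grid01.example.ac.jp", None),
    ("/C=JP/O=NAREGI/OU=AIST/CN=Hanako Sato", "hsato"),
]

# Globus proxy certificates extend the EE subject with one or more of these
# CN components; the gatekeeper must map the EE subject, not the proxy's.
_PROXY_SUFFIX = re.compile(r"(/CN=(?:proxy|limited proxy|\d+))+$")


def build_grid_mapfile(issued):
    """Return grid-mapfile text covering every user certificate in `issued`."""
    lines = ["# grid-mapfile generated from issued user certificates"]
    seen = set()
    for dn, account in issued:
        if account is None:
            continue
        if not dn.startswith("/") or '"' in dn or "\n" in dn:
            raise ValueError(f"malformed DN: {dn!r}")
        if dn in seen:
            # Two certificates with one subject means the RA let a DN be reused.
            raise ValueError(f"duplicate DN: {dn}")
        seen.add(dn)
        lines.append(f'"{dn}" {account}')
    return "\n".join(lines) + "\n"


def parse_grid_mapfile(text):
    """Parse grid-mapfile text into {DN: [accounts]}; later lines win."""
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)          # handles the quoted DN
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '\"DN\" account', got {raw!r}")
        dn, accounts = parts
        mapping[dn] = accounts.split(",")
    return mapping


def strip_proxy(dn):
    """Reduce a proxy-certificate subject to its end-entity subject."""
    return _PROXY_SUFFIX.sub("", dn)


def map_dn(mapping, presented_dn):
    """Resolve a presented subject to its default local account, or None.

    Only an exact match on the EE subject counts: '/CN=Taro Suzuki/CN=evil'
    is not a proxy of Taro Suzuki and must not inherit his account.
    """
    accounts = mapping.get(strip_proxy(presented_dn))
    return accounts[0] if accounts else None


if __name__ == "__main__":
    text = build_grid_mapfile(ISSUED)
    print(text)
    m = parse_grid_mapfile(text)
    print(map_dn(m, "/C=JP/O=NAREGI/OU=NII/CN=Taro Suzuki/CN=proxy/CN=4711"))
```

The duplicate-DN check belongs at generation time: a mapfile is only as trustworthy as the RA's guarantee that one subject names one person, which is exactly what the License ID step exists to enforce.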


4. Enhancement in UPKI


UPKI Three Layer Architecture

Figure (labels recovered from the diagram):
- Grid PKI layer: NAREGI CA at A Univ. and at B Univ., issuing EE (end-entity) certificates and the proxy certificates used for grid computing; holders: students, faculty, servers, supercomputers.
- Campus PKI layer: A Univ. CA and B Univ. CA issuing EE certificates for on-campus use; purposes: authentication, signing, encryption; holders: students, faculty, servers, supercomputers.
- Open Domain PKI layer: NII Pub CA and other public CAs issuing certificates for web servers and S/MIME; purposes: signing, encryption.

Enhancement in UPKI

Future plan
- Each university will start to install NAREGI-CA and operate a CA to become a grid site.
- Those grid sites will be operated in the Grid PKI layer of the UPKI three-layer architecture.

Objective
- A reduced burden of CA operation is necessary for actual operation in universities.
- Efficient operation by interconnecting the PKI layers is needed.

Enhancement in UPKI

Enhancements for actual operation of CA/RA at universities:

1. To split and delegate the RA.
2. To provide staff and students a means to apply by themselves.
3. To issue grid certificates by identification with a campus certificate.

1. To split and delegate the RA.
- RA/LRA operator authorities are created, split from RA administrator authorities.
- Secure delegation by using an IC card.
- Delegation to the hierarchized institutions within universities for actual operation.

2. To provide staff and students a means to apply by themselves.
- Easy application for registration, issuance, and revocation from the web.
- Secure application by using a challenge PIN.
- Reduced burden of RA operation.


Enhanced Procedure To Issue Certificate

Figure (labels recovered from the diagram): the CA Administrator operates the CA. The RA Administrator, holding an IC card, operates the RA through the Management Server (web) and delegates to an RA Operator. The RA Operator identifies and approves applicants and issues a License ID; a License ID can also be passed on through a Local RA, which identifies its own users. The User applies through the Application Server (web) with the License ID and a Challenge PIN; after Identify/Approve by the RA Operator the CA issues the certificate.

3. To issue grid certificates by identification with a campus certificate.
- Cooperation of the Grid CA and the Campus CA.
- Reduced burden of RA operation.
- Any certificate can be issued for other APs (applications) in the same way.

Enhancement in UPKI


Campus-Grid PKI Federation

Figure (labels recovered from the diagram): in the Campus PKI, the Campus CA issues a certificate to the User, held on an IC card. In the Grid PKI, the User requests a certificate from the NAREGI RA using the IC card as credential; the NAREGI RA consults LDAP, and the NAREGI CA issues the certificate for the Grid System. With that certificate the User accesses the Grid System (supercomputers).
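The enhanced procedure (License ID plus Challenge PIN for self-service application, Identify/Approve by the RA operator, issuance by the CA) and the Campus-Grid federation path (a campus certificate on an IC card replaces the License ID, with the grid identity looked up in LDAP) both come down to one question on the RA server: what must hold before the CA is asked to sign? The model below is an added example, not NAREGI-CA code. The PIN handling (random 8-digit PIN, salted PBKDF2 hash at rest, constant-time comparison, expiry, attempt limit, single use), the dictionary standing in for the LDAP directory, and the certificate represented as a dict are this example's own assumptions; it also assumes the web front end has already verified the campus certificate's chain and hands the RA only the verified subject and issuer.

```python
"""License ID / Challenge PIN enrollment and campus-certificate federation
(added example, not NAREGI-CA code).

Everything is in-process: records live in dicts and the "CA" signs nothing,
it only records what it would put in the certificate. The point is the
RA-side logic that decides whether the CA may be asked to issue.
"""
import hashlib
import hmac
import secrets
import time

PIN_TTL_SECONDS = 7 * 24 * 3600   # assumed validity of an unused License ID
MAX_PIN_ATTEMPTS = 5              # assumed lock-out threshold
PBKDF2_ROUNDS = 100_000


def _pin_hash(salt, pin):
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


class RegistrationAuthority:
    def __init__(self, trusted_campus_cas, clock=time.time):
        self.trusted_campus_cas = set(trusted_campus_cas)  # issuer DNs of campus CAs
        self.clock = clock
        self.licenses = {}   # License ID -> enrollment record
        self.issued = []     # everything the CA was asked to issue

    # ---- path 1: RA operator identifies the applicant, hands out License ID + PIN

    def issue_license(self, subject_dn, operator):
        """RA operator's step. Returns the License ID and the Challenge PIN,
        which is given to the user out of band; only its salted hash is stored."""
        license_id = secrets.token_urlsafe(12)
        pin = f"{secrets.randbelow(10**8):08d}"
        salt = secrets.token_bytes(16)
        self.licenses[license_id] = {
            "subject": subject_dn, "operator": operator, "salt": salt,
            "pin_hash": _pin_hash(salt, pin),
            "expires": self.clock() + PIN_TTL_SECONDS,
            "attempts": 0, "csr": None, "cert": None,
        }
        return license_id, pin

    def apply(self, license_id, pin, csr):
        """Self-service application (Application Server). Returns a status."""
        rec = self.licenses.get(license_id)
        if rec is None:
            return "rejected"        # same answer as a wrong PIN: no ID enumeration
        if rec["csr"] is not None:
            return "already-used"    # one License ID, one application
        if self.clock() > rec["expires"]:
            return "expired"
        if rec["attempts"] >= MAX_PIN_ATTEMPTS:
            return "locked"
        rec["attempts"] += 1         # counted before the comparison, not after
        if not hmac.compare_digest(_pin_hash(rec["salt"], pin), rec["pin_hash"]):
            return "rejected"
        rec["csr"] = csr
        return "pending-approval"

    def approve(self, license_id, operator):
        """RA operator's Identify/Approve step; then the CA issues."""
        rec = self.licenses[license_id]
        if rec["csr"] is None or rec["cert"] is not None:
            return None
        rec["cert"] = self._issue(rec["subject"], rec["csr"], f"RA:{operator}")
        return rec["cert"]

    # ---- path 2: campus certificate (IC card) as the credential

    def apply_with_campus_cert(self, campus_subject, campus_issuer, directory, csr):
        """Federation path. `campus_subject` and `campus_issuer` come from the
        web server's client-certificate verification; `directory` stands in
        for LDAP and maps a campus subject to the grid DN registered for it."""
        if campus_issuer not in self.trusted_campus_cas:
            return None          # a certificate from an unknown CA proves nothing
        entry = directory.get(campus_subject)
        if entry is None or entry.get("grid_dn") is None:
            return None          # identified on campus, but not entitled to a grid DN
        return self._issue(entry["grid_dn"], csr, f"campus:{campus_issuer}")

    def _issue(self, subject_dn, csr, identified_by):
        # The CA binds the RA-vetted subject to the applicant's key. The
        # subject field inside the CSR is applicant-controlled and is ignored.
        cert = {
            "serial": len(self.issued) + 1,
            "subject": subject_dn,
            "public_key": csr["public_key"],
            "identified_by": identified_by,
        }
        self.issued.append(cert)
        return cert
```

Two choices carry the weight here. The PIN is a one-time secret bound to one License ID, so it is stored hashed and becomes useless after one successful application or a handful of failures, which is what makes web self-service safe to offer. And in both paths the subject DN written into the certificate comes from the RA's record or the directory entry, never from the CSR, so a user with a valid PIN or a valid campus card cannot obtain a certificate for someone else's grid identity.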


5. Future Plan

- Release schedule: the enhanced features will be released in autumn this year (2006).
- Usability improvement: create and distribute a Start-Up Package for Campus CA/RA, including CP/CPS templates for certain applications, such as wireless LAN authentication and authorization.