Internet2 Middleware Activities Progress

Internet2 All staff tutorial Nov.28, 2001

Acknowledgments

• MACE and the working groups
• NSF catalytic grant and meeting
• Early Adopters
• Higher Education partners - campuses, EDUCAUSE, CREN, AACRAO, SURA, NACUA, etc.
• Corporate partners - IBM, ATT, Sun, Accord, Metamerge, et al.
• Government partners - including NSF and the fPKI TWG

Activities

Integration
• MACE - RL "Bob" Morgan (Washington)
• Early Harvest / Early Adopters - Renee Frost (Michigan)
• Shibboleth - Steven Carmody (Brown)
• Vid Mid - Ken Klingenstein (Colorado)
  – VC - Egon Verharen (SURFnet)
  – VoD - Mairead Martin (Tennessee)
• NSF Middleware Initiative - Internet2, EDUCAUSE, SURA and The GRIDs Center
• Medical Middleware - Rob Carter (Duke), Jack Buchanan (UT Health Science Ctr)

Core
• MACE-Dir - Keith Hazelton (Wisconsin)
  – Groups - Tom Barton (Memphis)
  – Metadirectories - Keith Hazelton (Wisconsin)
• Directory of Directories for Higher Ed - Michael Gettes (Georgetown)
• EduPerson and EduOrg - Keith Hazelton (Wisconsin)
• LDAP Recipe - Michael Gettes (Georgetown)
• HEPKI-TAG and PAG - Jim Jokl (Virginia) and Ken Klingenstein (Colorado)
• HEBCA - Mark Luker (EDUCAUSE)
• PKI Labs - Dartmouth and Wisconsin

MACE (Middleware Architecture Committee for Education)

• Purpose - to provide advice, create experiments, foster standards, etc. on key technical issues for core middleware within higher education
• Creates working groups in major areas, including directories, interrealm authentication, PKI, medical issues, etc.
• Works via conference calls, emails, occasional serendipitous in-person meetings...

US Members
• Bob Morgan (UW), Chair
• Scott Cantor (Ohio State)
• Steven Carmody (Brown)
• Keith Hazelton (Wisconsin)
• Paul Hill (MIT)
• Michael Gettes (Georgetown)
• Jim Jokl (Virginia)
• Mark Poepping (CMU)
• Bruce Vincent (Stanford)
• David Wasley (California)
• Von Welch (Grid)

European members
• Brian Gilmore (Edinburgh)
• Ton Verschuren (Netherlands)

National Science Foundation

• Catalytic grant in Fall 99 started the organized efforts, with Early Harvest and Early Adopters
• NSF Middleware Initiative - three year cooperative agreement, begun 9/1/01, with Internet2/EDUCAUSE/SURA and the GRIDs Center, to develop and deploy a national middleware infrastructure for science, research and higher education
• Work products are community standards, best practices, schema and object classes, reference implementations, open source services, corporate relations
• Work areas are identifiers, directories, authentication, authorization, GRIDs, PKI, video

Early Harvest

• NSF funded workshop in Fall 99 and subsequent activities
• Defined the territory and established a work plan
• Best practices in identifiers, authentication, and directories (http://middleware.internet2.edu/internet2-mi-best-practices-00.html)
• http://middleware.internet2.edu/earlyharvest/

Early Adopters: The Campus Testbed Phase

• A variety of roles and missions
• Commitment to move implementation forward
• Provided some training and facilitated support
• Develop national models of deployment alternatives
• Address policy standards
• Profiles and plans are on Internet2 middleware site http://middleware.internet2.edu/earlyadopters/

Participants: Dartmouth, Hawaii, Johns Hopkins, Maryland-Baltimore County, Memphis, Michigan Tech, Michigan, Pittsburgh, Tennessee Health Science Center, Tufts, USC

What is Middleware?

• specialized networked services that are shared by applications and users
• a set of core software components that permit scaling of applications and networks
• tools that take the complexity out of application integration
• a second layer of the IT infrastructure, sitting above the network
• a land where technology meets policy
• the intersection of what network designers and applications developers each do not want to do

A Map of Middleware

Core Middleware

• Identity - unique markers of who you (person, machine, service, group) are
• Authentication - how you prove or establish that you are that identity
• Directories - where an identity's basic characteristics are kept
• Authorization - what an identity is permitted to do
• PKI - emerging tools for security services

The Major Projects

• eduPerson and eduOrg (mace-dir)
• the Directory of Directories for Higher Education (DoDHE)
• Shibboleth (mace-shibboleth) and Webiso (mace-webiso)
• Directories
  – metadirectories
  – groups
  – affiliated directories
• HEBCA and PKI-Light (HEPKI-PAG and HEPKI-TAG)
• PKI Labs at Dartmouth and Wisconsin
• Videoconferencing and video on demand (vidmid)
• OKI, JA-SIG and the Grids

eduPerson

• A directory objectclass intended to support inter-institutional applications
• Fills gaps in traditional directory schema
• For existing attributes, states good practices where known
• Specifies several new attributes and controlled vocabulary to use as values.
• Provides suggestions on how to assign values, but it is up to the institution to choose.
• Version 1.0 now done; one or two revisions anticipated

eduPerson 1.0

parent objectclass = inetOrgPerson

includes:
• affiliation (multi-valued)
• primary affiliation (faculty/student/staff)
• orgUnitDN (string)
• nickname (string)
• ePPN (identifier, user@securitydomain)

version 1.5 and beyond will contain other shared attributes

A Directory of Directories

• an experiment to build a combined directory search service
• to show the power of coordination
• will highlight the inconsistencies between institutions
• technical investigation of load and scaling issues, centralized and decentralized approaches
• human interface issues - searching large name spaces with limits by substring, location, affiliation, etc...
• to suggest the service to follow
• Sun donation of server and 6 million DNs
• http://dodhe.internet2.edu/dodhe/

Shibboleth

A word which was made the criterion by which to distinguish the Ephraimites from the Gileadites. The Ephraimites, not being able to pronounce sh, called the word sibboleth. See --Judges xii.

Hence, the criterion, test, or watchword of a party; a party cry or pet phrase.

- Webster's Revised Unabridged Dictionary (1913)

Shibboleth

• inter-institutional web authentication and basic authorization
• authenticate locally, act globally - the Shibboleth shibboleth
• emphasizes privacy through progressive disclosure of attributes
• linked to commercial standards development in XML through OASIS
• scenarios and architecture done; coding has commenced with alpha code due in January, 2002 to pilot sites
• coding and design teams feature IBM/Tivoli, CMU, and the Ohio State University
• strong partnership with IBM to develop and deploy
• http://middleware.internet2.edu/shibboleth/

Stage 1 - Addressing Three Scenarios

• Member of campus community accessing licensed resource
  – Anonymity required
• Member of a course accessing remotely controlled resource
  – Anonymity required
• Member of a workgroup accessing controlled resources
  – Controlled by unique identifiers (e.g. name)

Taken individually, each of these situations can be solved in a variety of straightforward ways. Taken together, they present the challenge of meeting the user's reasonable expectations for protection of their personal privacy.
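The following added example (not part of the original slides and not Shibboleth's code or wire format) models the three scenarios with an origin-side attribute release policy, so that each target receives only what it needs. The target URLs, the user entry, the `courseMembership` attribute and the opaque per-target handle are assumptions made for illustration; the other attribute names are the eduPerson ones.

```python
import secrets

# Constructed directory entry held at the origin site.
# "courseMembership" is a hypothetical attribute, not part of eduPerson 1.0.
DIRECTORY = {
    "jdoe": {
        "eduPersonPrincipalName": "jdoe@example.edu",
        "eduPersonAffiliation": ["student", "member"],
        "eduPersonPrimaryAffiliation": "student",
        "courseMembership": ["CHEM-101"],
    }
}

# Origin-side release policy: which attributes each target may receive.
# One constructed target per scenario; anything not listed gets nothing.
RELEASE_POLICY = {
    "https://library.example.com": {"eduPersonAffiliation"},          # scenario 1
    "https://lab.example.org": {"courseMembership"},                  # scenario 2
    "https://workgroup.example.net": {"eduPersonPrincipalName"},      # scenario 3
}


class OriginSite:
    """Authenticates locally and discloses attributes per target policy."""

    def __init__(self, directory, policy):
        self._directory = directory
        self._policy = policy
        self._handles = {}  # opaque handle -> (user, target)

    def authenticate(self, user, target):
        """Assume local login succeeded; issue a random handle bound to one target."""
        if user not in self._directory:
            raise KeyError("unknown user")
        handle = secrets.token_urlsafe(16)  # carries no identity information
        self._handles[handle] = (user, target)
        return handle

    def attributes_for(self, handle, requesting_target, wanted):
        """Release only attributes that are both requested and permitted."""
        user, target = self._handles.get(handle, (None, None))
        if user is None or target != requesting_target:
            return {}  # unknown handle, or a handle presented by another target
        allowed = self._policy.get(requesting_target, set())  # default deny
        entry = self._directory[user]
        return {a: entry[a] for a in wanted if a in allowed and a in entry}


# Target-side authorization decisions, one per scenario.
def authorize_licensed(attrs):
    return "member" in attrs.get("eduPersonAffiliation", [])


def authorize_course(attrs, course):
    return course in attrs.get("courseMembership", [])


def authorize_workgroup(attrs, acl):
    return attrs.get("eduPersonPrincipalName") in acl


if __name__ == "__main__":
    origin = OriginSite(DIRECTORY, RELEASE_POLICY)
    lib = "https://library.example.com"
    h = origin.authenticate("jdoe", lib)
    # The library asks for more than it is entitled to; only affiliation is released.
    got = origin.attributes_for(h, lib, ["eduPersonAffiliation", "eduPersonPrincipalName"])
    print(got, authorize_licensed(got))
```

Because the handle differs per target and the first two targets never see `eduPersonPrincipalName`, they cannot correlate the same user's visits, while the workgroup target still gets the identifier its access list needs.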

Shibboleth Architecture Concepts - High Level

[Figure. Labels: Browser; Origin Site; Target Site; Target Web Server; First Access - Unauthenticated; Authentication Phase; Authorization Phase; Pass content if user is allowed.]

Middleware Inputs & Outputs

[Figure: Shibboleth, eduPerson, and everything else. Labels: Grids; JA-SIG & uPortal; OKI; Inter-realm calendaring; Shibboleth, eduPerson, Affiliated Dirs, etc.; Enterprise Directory; Enterprise Authentication; Legacy Systems; Campus web SSO; futures; Enterprise authZ; Licensed Resources; Embedded App Security.]

Project Status

• Architecture definition finished (v0.9+)
• Design/Programming now underway
  – Team membership drawn from IBM/Tivoli, CMU, Ohio State
  – First face-to-face meeting on Sept 27, 28 at CMU
• First set of pilot sites selected
  – Chosen to test all 3 scenarios
  – UK participation
• Timeline for programming
  – Stage I alpha code Feb 2002
  – Stage II beta code June 2002
  – Stage III release summer 2002

A Campus Directory Architecture

[Figure. Components: Metadirectory; Enterprise directory; Dir DB; Departmental directories; OS directories (MS, Novell, etc); Border directory; Registries; Source systems.]

Metadirectories

• The critical functions to glue together what inevitably turns out to be a number of campus, departmental and application-oriented directory services
• Typically a coordinated set of services that watches updates to specific directories or from legacy data feeds and spreads those updates to other directories
• Performs several subfunctions
  – an identity registry or crosswalk to relate entries in different directories
  – a set of connectors that take changes from one source and convert them for dissemination to other sources
• Basic implementation from Metamerge is free to higher ed

Directories – Group Management

Best practices in the use of core middleware to meet the authorization and messaging needs of applications

Initial foci are: 1) the conduct of a survey of several organizations' practices in this area and 2) investigations into meaningful definitions of, and productive ways of representing and operating on, "groups", "affiliations", "roles", and "correlations".

Groups Practices Survey

http://middleware.internet2.edu/dir/groups/

PKI: A few observations

• Think of it as wall jack connectivity, except it's connectivity for individuals, not for machines, and there's no wall or jack… but it is that ubiquitous and important
• Does it need to be a single infrastructure? What are the costs of multiple solutions? Subnets and ITPs...
• Options breed complexity; managing complexity is essential
• PKI can do so much that right now it does very little

A few more...

• IP connectivity was a field of dreams. We built it and then the applications came. Unfortunately, here the applications have arrived before the infrastructure, making its development much harder.
• No one seems to be working on the solutions for the agora.
• A general-purpose PKI seems like a difficult task, but instituting a PKI Light as a first step may not have enough paybacks.

The general state of PKI

• There are campus and corporate successes
  – Corporations use internally for VPN, some authentication, signed email (with homogeneous client base)
  – MIT, UT medical, soon VA, UCOP
• Key is limited application use, lightweight policy approaches
• There is very limited interrealm, community of interest or general interoperable work going on
  – Federal efforts
  – HealthKey
  – Higher Ed
  – Some European niches

The Four Planes of PKI

• on the road to general purpose interrealm PKI
• the planes represent different levels of simplification from the dream of a full interrealm, intercommunity multipurpose PKI
• simplifications in policies, technologies, applications, scope
• each plane provides experience and value

The Four Planes are:

Full interrealm PKI - multipurpose, spanning broad and multiple communities, bridges to unite hierarchies, unfathomed directory issues

Simple interrealm PKI - multipurpose within a community, operating under standard policies and structured hierarchical directory services

PKI-Light - containing all the key components of a PKI, but many in simplified form; may be for a limited set of applications; may be extended within selected communities

PKI-Ultralight - easiest to construct and useful conveyance; ignores parts of PKI and not for use external to the institution; learn how to fly, but not a plane...

D. Wasley’s PKI Puzzle

Uses for PKI and Certificates

• authentication and pseudo-authentication
• signing docs
• encrypting docs and mail
• non-repudiation
• secure channels across a network
• authorization and attributes
• secure multicast
• and more...

PKI Components

• X.509 v3 certs - profiles and uses
• Validation - Certificate Revocation Lists, OCSP, path construction
• Cert management - generating certs, using keys, archiving and escrow, mobility, etc.
• Directories - to store certs, and public keys and maybe private keys
• Trust models and I/A
• Cert-enabled apps

Directories

• to store certs
• to store CRL
• to store private keys, for the time being
• to store attributes
• implement with border directories, or ACLs within the enterprise directory, or proprietary directories

Certificate Policies (CP) and Practices Statements (CPS)

• Policies: legal responsibilities and liabilities (indemnification issues)
• Operations of certificate management systems
• Will hopefully be somewhat uniform across the community
• Assurance levels - vary according to I/A processes and other operational factors
• Practices - site-specific details of operational compliance with a cert policy
• A Policy Management Authority (PMA) determines if a CPS is adequate for a given CP.

Inter-organizational trust model components

• verifying sender-receiver assurance by finding a common trusted entity
• must traverse perhaps branching paths to establish trust paths
• must then use CRLs etc. to validate assurance
• if policies are in cert payloads, then validation can be quite complex
• delegation makes things even harder
• Hierarchies vs. Bridges
  – a philosophy and an implementation issue
  – the concerns are transitivity and delegation
  – hierarchies assert a common trust model
  – bridges pairwise agree on trust models and policy mappings
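To make the path-building problem above concrete, this added example (not from the original slides) searches a small constructed trust graph in which one campus hierarchy is reached either through a bridge or through a direct cross-certificate, applying policy mappings and a revocation list along the way. The `Cert` record is a simplified stand-in for an X.509 certificate, and all CA names, serial numbers and policy names are assumptions.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Cert:
    """Simplified certificate record (constructed; not real X.509)."""
    issuer: str
    subject: str
    serial: int
    policies: frozenset                           # policies asserted, in the issuer's terms
    mapping: dict = field(default_factory=dict)   # issuer policy -> subject-domain policy
    is_ca: bool = True


# Constructed trust graph. "A Root" -> "A Issuing CA" -> alice is a hierarchy;
# "HE Bridge" and the direct cross-certificate are pairwise agreements with mappings.
CERTS = [
    Cert("B Root", "HE Bridge", 1, frozenset({"B-medium"}), {"B-medium": "bridge-medium"}),
    Cert("HE Bridge", "A Root", 2, frozenset({"bridge-medium"}), {"bridge-medium": "A-standard"}),
    Cert("A Root", "A Issuing CA", 3, frozenset({"A-standard"})),
    Cert("A Issuing CA", "alice@a.example", 4, frozenset({"A-standard"}), is_ca=False),
    Cert("B Root", "A Root", 5, frozenset({"B-medium"}), {"B-medium": "A-standard"}),
]


def build_path(certs, revoked, anchor, target, required_policy):
    """Breadth-first search from the relying party's trust anchor to the target.

    revoked is a set of (issuer, serial) pairs standing in for CRL contents.
    Returns the shortest acceptable list of certs, or None if no path exists.
    """
    by_issuer = {}
    for cert in certs:
        by_issuer.setdefault(cert.issuer, []).append(cert)

    queue = deque([(anchor, required_policy, [])])
    seen = {(anchor, required_policy)}
    while queue:
        ca, policy, path = queue.popleft()
        for cert in by_issuer.get(ca, []):
            if (cert.issuer, cert.serial) in revoked:
                continue                      # listed on the issuer's CRL
            if policy not in cert.policies:
                continue                      # does not assert the policy we need
            new_path = path + [cert]
            if cert.subject == target:
                return new_path
            if not cert.is_ca:
                continue                      # end entities cannot issue
            # Translate the required policy into the subject's domain.
            next_policy = cert.mapping.get(policy, policy)
            state = (cert.subject, next_policy)
            if state not in seen:
                seen.add(state)
                queue.append((cert.subject, next_policy, new_path))
    return None


if __name__ == "__main__":
    for crl in (set(), {("B Root", 5)}, {("B Root", 5), ("HE Bridge", 2)}):
        path = build_path(CERTS, crl, "B Root", "alice@a.example", "B-medium")
        print(sorted(crl), "->", [c.serial for c in path] if path else None)
```

Revoking the direct cross-certificate forces the longer path through the bridge, and revoking the bridge's certificate as well leaves the relying party with no trust path at all.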

VidMid

• Middleware for video
• Videoconferencing
  – authenticated, identified video clients - work with commercial clients to use the underlying middleware plumbing
  – H.323, VRVS, and new SIP-oriented clients
• Video on demand
  – access controls for video resources
  – schema for meta information
• Works closely with ViDe (www.vide.org)
• http://middleware.internet2.edu/video/
• aggressive time frames

Mace-Med

• Unique requirements - HIPAA, disparate relationships, extended community, etc.
• Unique demands - 7x24, visibility
• PKI seen as a key tool
• Mace-Med recently formed to explore the issues

HEPKI (www.educause.edu/hepki/)

HEPKI - Technical Activities Group (TAG)
• universities actively working technical issues
• topics include Kerberos-PKI integration, public domain CA, profiles
• regular conference calls, email archives

HEPKI - Policy Activities Group (PAG)
• universities actively trying to deploy PKI
• topics include certificate policies, RFP sharing, interactions with state governments
• regular conference calls, email archives

Internet2 PKI Labs

• At Dartmouth and Wisconsin in computer science departments and IT organizations
• Doing the deep research - two to five years out
• Policy languages, path construction, attribute certificates, etc.
• National Advisory Board of leading academic and corporate PKI experts provides direction
• Catalyzed by startup funding from ATT

OKI, JA-SIG and Grids

OKI
• major open learning management system being developed by MIT, Stanford, and North Carolina State, funded by the Mellon Foundation; reference architecture and open source implementation
• http://web.mit.edu/oki/intro.html

JA-SIG
• uPortal is a major portal architecture and implementation being developed by a number of schools with funding from the Mellon Foundation; also hopes to share administrative Java applets
• http://www.ja-sig.org/ and http://mis105.mis.udel.edu/ja-sig/uportal/index.html

GRIDS Center
• expanding use of Grids will reach to many campuses
• integration efforts underway
• http://www.globus.org and http://www.gridforum.org

NSF Middleware Initiative (NMI)

• NSF award for integrators to
  – Internet2, EDUCAUSE, and SURA
  – The GRIDs Center (NCSA, UCSD, University of Chicago, USC/ISI, and University of Wisconsin)
• Build on the successes of the Internet2/MACE initiative and the Globus Project
• Three year cooperative agreement effective 9/1/01
• To develop and deploy a national middleware infrastructure for science, research and higher education
• Separate awards to academic pure research components

The Grid

• a model for a distributed computing environment, addressing diverse computational resources, distributed databases, network bandwidth, object brokering, security, etc.
• Globus (www.globus.org) is the software that implements most of these components; Legion is another such software environment
• Needs to integrate with campus infrastructure
• Gridforum (www.gridforum.org) umbrella activity of agencies and academics
• Look for grids to occur locally and nationally, in physics, earthquake engineering, etc.

NMI: The Problem to Solve

•To allow scientists and engineers the ability to transparently use and share distributed resources, such as computers, data, and instruments

•To develop effective collaboration and communications tools such as Grid technologies, desktop video, and other advanced services to expedite research and education

•To develop a working architecture and approach which can be extended to Internet users around the world

Middleware is the stuff that makes “transparently use” happen, providing consistency, security, privacy and capability

NMI

• Work products
  – Community standards
  – Best practices
  – Schema and object classes
  – Reference implementations
  – Open source services
  – Corporate relations
• Work areas
  – Identifiers
  – Directories
  – Authentication
  – Authorization
  – GRIDs
  – PKI
  – Video

More information

• Early Harvest / Early Adopters: http://middleware.internet2.edu/earlyadopters/
• Mace: middleware.internet2.edu
• LDAP Recipe: http://www.georgetown.edu/giia/internet2/ldap-recipe/
• EduPerson: www.educause.edu/eduperson
• Directory of Directories: middleware.internet2.edu/dodhe
• Shibboleth: middleware.internet2.edu/shibboleth
• HEPKI-TAG: www.educause.edu/hepki
• HEPKI-PAG: www.educause.edu/hepki
• Video: http://middleware.internet2.edu/video/