ID, Shibboleth and NAREGI: Shibboleth IdP (Identity Provider) / Shibboleth SP (Service Provider)
2008/12/24, Manabu Higashida, [email protected]

MICS and Shibboleth IdP/SP

Figure: authentication and certificate-issuing flow (the source carries two copies of the same diagram). Components: CA; RA; Shibboleth IdP (Identity Provider) backed by Kerberos; Shibboleth IdP backed by LDAP; Shibboleth SP (Service Provider); DS (Discovery Service, W.A.Y.F.); UMS; MyProxy; grid-certreq; User Certificate; License ID. The steps are numbered 1 to 7.

MICS and Shibboleth IdP/SP (slide 4)
• IdP (Identity Provider), Shibboleth SP (Service Provider) and DS (Discovery Service)
• CAS (12), NIS (1)
• MS ActiveDirectory Server (Kerberos): ID / password
• NAREGI (Web UI); UMS (User Management Server)
• "grid-certreq" from the UMS CUI

The Case of "clark/clark"
• rootkit; ID/Password; OS
• IDS: Force10 P10 (Metanetworks), 2005
• Web: ID
• "SECURE MATRIX" by CSE (uid, otp)
• VPN

Figure: NAREGI Certificate, GSI Credential, Kerberos Ticket; User Terminal, VPN, Hosting Server (Virtual Hosting), isolated security domain; NAS, HPC/Grid/Visualization, CGM.

Figure: Global Storage Sharing with NFSv4. Local Area Network: NAS, NFSv4 Server for LAN, HPC hosts act as NFSv4 Clients, Pseudo-Filesystems for importing to LAN. Wide Area Network over SuperSINET 10GbE: NASGW, NFSv4 Server for WAN, Pseudo-Filesystems for exporting to WAN. FC Storage Area Network: hosts act as GFS Clients. NASGW, LDAP, KDC; TGT for Cross Realm ID-mapping.

"Web 2.0"?
• Web: RFB on Web Browser (VNC Java Viewer)
• AjaxTerm: http://antony.lesuisse.org/qweb/trac/wiki/AjaxTerm
  – Latin-1 vs. UTF-8?
• Windows Active Directory: Kerberos + LDAP
• Windows: PKI
• MacOS X ADS: http://www.apple.com/jp/macosx/features/windows/ ; http://www.apple.com/jp/server/macosx/features/windowsservices.html
• Linux Distros: kerberized
• Microsoft Active Directory: Kerberos
  • KDC (Key Distribution Center); SPNEGO-ready: IE 5.0.1 and IIS 5.0
• MIT Kerberos for Windows 3.0; 3.1
• Windows: Firefox 1.5, PuTTY, WinSCP, FileZilla
• KX.509/KPKCS11, Kerberized MyProxy

SPNEGO – Simple and Protected GSSAPI Negotiation Mechanism
• RFC 2478/4178
  – MS: "Secure Protocol Negotiation"
• SPNEGO-aware Web servers: Kerberos SSO
  – Apache2
    • mod_auth_krb (http://sourceforge.net/projects/modauthkerb)
      » Microsoft: http://support.microsoft.com/?id=555092
    • mod_spnego (http://sourceforge.net/projects/modgssapache)
    • mod_auth_vas (http://rc.vintela.com/topics/mod_auth_vas/)
  – Apache2 for Windows
    • mod_auth_sspi (http://sourceforge.net/projects/mod-auth-sspi)

API (SSPI vs. GSSAPI)
• RFC 2048/2743 GSSAPI (Generic Security Service API)
  – MS: SSPI (Security Service Provider Interface); NTLM?
• SPNEGO over GSSAPI
  – Windows
• MS SSPI-based: IE (Web), Firefox 1.0
• MIT GSSAPI-based: WinSCP (http://winscp.net/, SSPI), FileZilla (http://sourceforge.net/projects/filezilla/)
• Firefox 1.5 (XPI), PuTTY
  » CSS at http://www.certifiedsecuritysolutions.com/downloads.html
  » Vintela at http://rc.vintela.com/topics/putty/

ccache (Credential Cache)
• MS vs. MIT (vs. Heimdal)
  – LSA: Local Security Authority
• MIT GSSAPI: ms2mit.exe; NetIDMgr a.k.a. "Network Identity Manager"
  • 3.1
• MIT ccache to MS LSA (mit2ms.exe)

Kerberos and PKI Integration – Efforts Since 1995
• PKINIT – Kerberos pre-authentication (kinit) with PKI
  • RFC 4556 (2006/10/06: Standards Track)
  • Draft-39: Microsoft (since Draft-9), Heimdal
• PKCROSS – Cross-Realm with PKI
  • draft-ietf-cat-kerberos-pk-cross-08
• PKAPP (?) – Kerberos and PKI
  • KX.509
  • MyProxy

Single Sign-On
• Pre-Authentication
• Web

Lessons from operation in the Earth Simulator
• Authentication – Two-Factor Authentication
  • One-Time Password, combination of
    – PIN or Passphrase
    – Pseudo-random number, periodically generated from a Security Token
• Job Management – NQS II with node-by-node resource reservation
  http://www.jamstec.go.jp/es/en/system/scheduling.html
• File Sharing – Multiple gateways to pass with different credentials
  http://www.jamstec.go.jp/jamstec-j/spod/system/hardware.ja/mdps.html

CMC: "Grid Operation"
• Grid, PC, Grid PKI, CMC, (ILE), (RCNP)
• Grid: NAREGI GridVM (CSI)
• NEC NQS II
• SX: SUPER-UX
• PC Cluster: SuSE Enterprise Linux, OpenSuSE
• Fair Share Queue + Job Assigned Map
• SX Grid: GridMPI

CMC systems: Total 46.1 TFLOPS, 16.0 TB
• NEC SX-9; NEC Express 5800 PC cluster; NQS; FC-SAN
• CMC: 16.4 TFLOPS, 10.0 TB; 18.3 TFLOPS, 1.0 TB; 1 PB FC-Storage; NEC Express-5800 120Rg-1; NEC SX-8R
• RCNP, ILE: 6.1 TFLOPS, 2.0 TB; 10GbE w/TOE NIC; 5.3 TFLOPS, 3.0 TB; 2.0 TB

Figure: NAREGI middleware at CMC with Local Authentication. CA/RA, VOMS, NAREGI Grid Middleware, MyProxy, UMS, Grid LDAP (CMC Proprietary), GridVM Server for PC Cluster, GridVM Server for SX, Grid Portal, SS, user, IS-CDAS, IS-NAS, frontend, login, Kerberos KDC, Local Scheduler: NEC NQS II w/JobManipulator w/GridScheduleMaster.
• Kerberos: CUI/GUI Single Sign-On; NAREGI Web
• NEC NQS II with the NAREGI middleware

Grid PKI: NAREGI CA; Grid PKI CMC CP/CPS (v1.1)
• AP Grid PMA minimum CA requirements; CA
• Web I/F; Kerberos; License ID; Passphrase
• Campus CA; Kerberos PKINIT (RFC4556); Grid CA
• RA: NEC DEVIAS / NAVIAS
• Timeline (months): 3 4 5 6 7 8 9 10 11 12 1 2 3 4 5

Grid LDAP
• Grid LDAP: ID, Web "1-Click"
• Kerberos Web SSO
• "1-Click" Grid
• UMS, CUI
• CA

Figure: NAREGI-2 (three slides with the same diagram; the third is titled "Proxy"). Components: LDAP; CMC; VOMS; NAREGI CA at CMC; MyProxy; VOMS Proxy Certificate; User Management Server (UMS); WF Credential Repository; KDC; User Certificate; Private Key; Grid Jobs; Client Environment; Portal Services; WFT; PSE; client; The Super Scheduler (SS); GridVM; GridVM Users; Services; GVS; GridVM Workflow (WF). Arrows labelled "delegation" connect the credential repository, the super scheduler, GridVM and the grid jobs.


CMC authentication system (NEC DEVIAS); Unix; APGrid PMA (MICS)
Topic 1: NAREGI
• "1-click"
• NAREGI CA; Gfarm
• "T2K", T2K, 2008 (two references)
Topic 2: T2K
• MICS: Shibboleth SP/IdP

"RESTful" / "Web 2.0" (repeat of the earlier Web 2.0 slide: RFB on Web Browser (VNC Java Viewer), AjaxTerm, Windows Active Directory Kerberos + LDAP, PKI on Windows, MacOS X ADS, Kerberos in Linux distros)

MICS
• RA; LRA
• Photo ID and/or Official Document
"Federation of Campus PKI and Grid PKI for Academic GOC Management Conformable to AP Grid PMA" by Toshiyuki Kataoka and others at APAN-24
• ("must contact and present")
• Grid PKI ?!
• CMC CP/CPS
• RA CP/CPS ?! Campus PKI RA ?!
• "Production Level CA" ?! NII, KEK
• VO / RO CP/CPS ?!
MICS: Member Integrated X.509 PKI Credential Service
• TeraGrid / NCSA
• NCSA
• TACC; Classic?
• "The initial vetting of identity for any entity in the primary authentication system that is valid for certification should be based on a face-to-face meeting and should be confirmed via photo identification and/or similar valid official documents."
"IGTF Accreditation Review of MICS Authentication Profile (Update)" by Marg Murray, TACC, 2007/05/30

MICS
• NSF; NCSA
• PI (Principal Investigator)

Shibboleth-based ID
VO
• Phase-0 (2006-)
  – Grid PKI certificates (License ID)
  – Default VO: "CMC_Osaka"; SubjectDN, UID
    » grid-mapfile "NAVIAS"
• Phase-1 (2007/06-) – (NII)
  • UID
  – VO: "CMCGSIC_Osaka"
  – SubjectDN@op, UID@op
    » grid-mapfile
• Phase-2 – VO "RENKEI_Osaka"

Figure: Grid Certificate Authorities and Virtual Organization. VO "RENKEI_Osaka" (VO Domain "vo1"); NII/NAREGI CA (PKI); opCMC CA (PKI Domain); ROs: Kyusyu Univ., Osaka Univ., Nagoya Univ., I. of Molecular Sci., Tokyo Tech., NII/NAREGI; User; Service. VO: Virtual Organization, RO: Real Organization, PKI: Public Key Infrastructure.

"Registration Agency"
• grid-mapfile
• NII/NAREGI

9»�`¼:I½ ��¾

VO¤89|��³+,�:VO�AdministratorVO�AdministratorVO�Administrator

VOMSVOMS VOMS

voms�myproxy�init

MyProxy MyProxyProxy� Proxy�

������A ������B

UMS UMSUser�

Certificate

Certificate�with�VO

User�Certificate

Certificate�with�VO

grid�certreq

• RA / NAREGI: grid-mapfile
• CA
• VO / VOMS
• egee: LCAS/LCMAPS

Summary
• Classic Profile: AIST, KEK, NII/NAREGI
• MICS Profile: opCMC
• T2K
• PKI / SSO: Shibboleth SP and IdP at opCMC
  • LDAP: OK, Kerberos (ActiveDirectory Server): OK, NIS: OK?
• VO
  • GT, NAREGI
  • egee LCAS/LCMAPS
• GridVM
  – NAREGI
  – NEC NQS II, NAREGI SS; GridMPI (MPI) with GridVM
• OS / local scheduler: NEC NQS II
  • PBS Pro, LoadLeveler; T2K (Torque+SCore, SGE, Parallelnavi), KEK (LSF)