Internet2 Middleware Activities Progress
Renee Woodten Frost
Project Manager, Internet2 Middleware Initiative
I2 Middleware Liaison, University of Michigan
... and an ensemble of hundreds
CIC AIS Directors Fall 2001
Acknowledgments
MACE and the working groups
NSF catalytic grant and meeting
Early Adopters
Higher Education partners - campuses, EDUCAUSE, CREN, AACRAO, SURA, NACUA, etc.
Corporate partners - IBM, ATT, Sun, Accord, Metamerge, et al.
Government partners - including NSF and the fPKI TWG
Activities
Mace - RL “Bob” Morgan (Washington)
Early Harvest / Early Adopters - Renee Frost (Michigan)
LDAP Recipe - Michael Gettes (Georgetown)
EduPerson and EduOrg - Keith Hazelton (Wisconsin)
Directory of Directories for Higher Ed - Michael Gettes (Georgetown)
Metadirectories - Keith Hazelton (Wisconsin)
Shibboleth - Steven Carmody (Brown)
PKI Labs - Dartmouth and Wisconsin
HEPKI-TAG and PAG - Jim Jokl (Virginia) and Ken Klingenstein (Colorado)
HEBCA - Mark Luker (EDUCAUSE)
Medical Middleware - Rob Carter (Duke), Jack Buchanan (UT Health Science Ctr)
NSF Middleware Initiative – core middleware, PKI, video, the GRID
MACE (Middleware Architecture Committee for Education)
Purpose - to provide advice, create experiments, foster standards, etc. on key technical issues for core middleware within higher education
Membership - Bob Morgan (UW) Chair, Scott Cantor (Ohio State), Steven Carmody (Brown), Michael Gettes (Georgetown), Keith Hazelton (Wisconsin), Paul Hill (MIT), Jim Jokl (Virginia), Mark Poepping (CMU), Bruce Vincent (Stanford), David Wasley (California), Von Welch (Grid)
European members - Brian Gilmore (Edinburgh), Ton Verschuren (Netherlands)
Creates working groups in major areas, including directories, interrealm authentication, PKI, medical issues, etc.
Works via conference calls, emails, occasional serendipitous in-person meetings...
National Science Foundation
Catalytic grant in Fall 99 started the organized efforts, with Early Harvest and Early Adopters
NSF Middleware Initiative - three year cooperative agreement, begun 9/1/01, with Internet2/EDUCAUSE/SURA and the GRIDs Center, to develop and deploy a national middleware infrastructure for science, research and higher education
Work products are community standards, best practices, schema and object classes, reference implementations, open source services, corporate relations
Work areas are identifiers, directories, authentication, authorization, GRIDs, PKI, video
Early Harvest
NSF funded workshop in Fall 99 and subsequent activities
Defined the territory and established a work plan
Best practices in identifiers, authentication, and directories (http://middleware.internet2.edu/internet2-mi-best-practices-00.html)
http://middleware.internet2.edu/earlyharvest/
Early Adopters: The Campus Testbed Phase
A variety of roles and missions
Commitment to move implementation forward
Provided some training and facilitated support
Develop national models of deployment alternatives
Address policy standards
Profiles and plans are on Internet2 middleware site
http://middleware.internet2.edu/earlyadopters/
Participants: Dartmouth, Hawaii, Johns Hopkins, Maryland-Baltimore County, Memphis, Michigan Tech, Michigan, Pittsburgh, Tennessee Health Science Center, Tufts, USC
Early Adopters Business Case
Middleware Business Case and Writer’s Guide version 1.0
http://middleware.internet2.edu/earlyadopters/
Review and send comments to:
What is Middleware?
specialized networked services that are shared by applications and users
a set of core software components that permit scaling of applications and networks
tools that take the complexity out of application integration
a second layer of the IT infrastructure, sitting above the network
a land where technology meets policy
the intersection of what network designers and application developers each do not want to do
A Map of Middleware
Core Middleware
Identity - unique markers of who you (person, machine, service, group) are
Authentication - how you prove or establish that you are that identity
Directories - where an identity’s basic characteristics are kept
Authorization - what an identity is permitted to do
PKI - emerging tools for security services
Identity Services on One Slide
[Diagram; labels: Campus authentication, Enterprise directory, Web services and servers, WebISO, Learning Management Systems, Personal Portals, Objectclass standards (e.g. eduPerson, gridPerson), Content Portals, Shibboleth exchange of attributes, Future PKI, DoDHE et al., Interrealm Security Domain, Grids et al.]
Simple point-to-point model
[Diagram; labels: client, Enterprise LDAP directory, Attribute authority, Authentication Service, target, Attribute requestor, Policy decision point, Policy enforcement point(s), Video directory, Service discovery service, Protocols, Grid directory]
The Major Projects
eduPerson and eduOrg (mace-dir)
the Directory of Directories for Higher Education (DoDHE)
Shibboleth (mace-shibboleth) and Webiso (mace-webiso)
Directories
metadirectories
groups
affiliated directories
HEBCA and PKI-Light (HEPKI-PAG and HEPKI-TAG)
PKI Labs at Dartmouth and Wisconsin
Videoconferencing and video on demand (vidmid)
OKI, JA-SIG and the Grids
eduPerson
A directory objectclass intended to support inter-institutional applications
Fills gaps in traditional directory schema
For existing attributes, states good practices where known
Specifies several new attributes and controlled vocabulary to use as values.
Provides suggestions on how to assign values, but it is up to the institution to choose.
Version 1.0 now done; one or two revisions anticipated
eduPerson 1.0
parent objectclass=inetOrgPerson
includes:
• affiliation (multi-valued)
• primary affiliation (faculty/student/staff)
• orgUnitDN (string)
• nickname (string)
• ePPN (identifier, user@securitydomain)
version 1.5 and beyond will contain other shared attributes
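As an added illustration (not Internet2 or MACE code): a small validator for an eduPerson 1.0-style LDIF entry that enforces the points on this slide: parent objectclass inetOrgPerson, multi-valued affiliation drawn from a controlled vocabulary, a single-valued primary affiliation that the person actually holds, and an ePPN of the form user@securitydomain. The LDIF entry is constructed, and the vocabulary beyond faculty/student/staff (member, affiliate, alum) is assumed here rather than taken from the slide.

```python
"""Validate an eduPerson 1.0-style LDAP entry (added example; not Internet2/MACE code).

Assumptions: the LDIF below is constructed, and the affiliation vocabulary is the
slide's faculty/student/staff plus values assumed here (member, affiliate, alum).
"""
import re

# Full attribute names as eduPerson spells them; the slide abbreviates them.
AFFILIATION = "eduPersonAffiliation"
PRIMARY = "eduPersonPrimaryAffiliation"
ORG_UNIT_DN = "eduPersonOrgUnitDN"
NICKNAME = "eduPersonNickname"
EPPN = "eduPersonPrincipalName"

# Controlled vocabulary: faculty/student/staff are on the slide; the rest are assumed.
AFFILIATION_VOCAB = {"faculty", "student", "staff", "member", "affiliate", "alum"}

# ePPN is user@securitydomain; the security domain must look like a DNS name.
EPPN_RE = re.compile(r"^[^@\s]+@([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")


def parse_ldif(text):
    """Parse one LDIF entry into {attribute: [values]}; folds continuation lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:          # continuation of previous line
            lines[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def validate_eduperson(entry):
    """Return a list of problems; an empty list means the entry is acceptable."""
    problems = []
    classes = {c.lower() for c in entry.get("objectClass", [])}
    # eduPerson is auxiliary; its structural parent is inetOrgPerson.
    if "eduperson" in classes and "inetorgperson" not in classes:
        problems.append("eduPerson requires inetOrgPerson")
    affiliations = entry.get(AFFILIATION, [])
    for v in affiliations:
        if v not in AFFILIATION_VOCAB:
            problems.append(f"{AFFILIATION} value not in vocabulary: {v}")
    primary = entry.get(PRIMARY, [])
    if len(primary) > 1:
        problems.append(f"{PRIMARY} must be single-valued")
    elif primary and primary[0] not in affiliations:
        # A primary affiliation the person does not otherwise hold is inconsistent.
        problems.append(f"{PRIMARY} {primary[0]} is not listed in {AFFILIATION}")
    eppn = entry.get(EPPN, [])
    if len(eppn) != 1:
        problems.append(f"{EPPN} must be present exactly once")
    elif not EPPN_RE.match(eppn[0]):
        problems.append(f"{EPPN} is not user@securitydomain: {eppn[0]}")
    for dn in entry.get(ORG_UNIT_DN, []):
        if "=" not in dn:
            problems.append(f"{ORG_UNIT_DN} is not a DN: {dn}")
    return problems


# Constructed sample entry (not real data).
GOOD_LDIF = """dn: uid=jdoe,ou=People,dc=example,dc=edu
objectClass: inetOrgPerson
objectClass: eduPerson
cn: Jane Doe
sn: Doe
uid: jdoe
eduPersonAffiliation: student
eduPersonAffiliation: staff
eduPersonPrimaryAffiliation: student
eduPersonOrgUnitDN: ou=Physics,ou=Departments,dc=example,dc=edu
eduPersonNickname: Janie
eduPersonPrincipalName: jdoe@example.edu
"""

# Same entry with a primary affiliation the person lacks and a bare ePPN.
BAD_LDIF = GOOD_LDIF.replace("eduPersonPrimaryAffiliation: student",
                             "eduPersonPrimaryAffiliation: faculty") \
                    .replace("jdoe@example.edu", "jdoe")

if __name__ == "__main__":
    for label, text in (("good", GOOD_LDIF), ("bad", BAD_LDIF)):
        print(label, validate_eduperson(parse_ldif(text)) or "ok")
```

The same checks belong in a metadirectory connector before an entry is pushed to a border directory: a malformed affiliation or ePPN is exactly what an inter-institutional target would base its access decision on.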
A Directory of Directories
an experiment to build a combined directory search service
to show the power of coordination
will highlight the inconsistencies between institutions
technical investigation of load and scaling issues, centralized and decentralized approaches
human interface issues - searching large name spaces with limits by substring, location, affiliation, etc...
to suggest the service to follow
Sun donation of server and 6 million DNs
http://dodhe.internet2.edu/dodhe/
Shibboleth
A word which was made the criterion by which to distinguish the Ephraimites from the Gileadites. The Ephraimites, not being able to pronounce sh, called the word sibboleth. See --Judges xii.
Hence, the criterion, test, or watchword of a party; a party cry or pet phrase.
- Webster's Revised Unabridged Dictionary (1913)
Shibboleth
inter-institutional web authentication and basic authorization
authenticate locally, act globally - the Shibboleth shibboleth
emphasizes privacy through progressive disclosure of attributes
linked to commercial standards development in XML through OASIS
scenarios and architecture done; coding has commenced with alpha code due in January, 2002 to pilot sites
coding and design teams feature IBM/Tivoli, CMU, and the Ohio State University
strong partnership with IBM to develop and deploy
http://middleware.internet2.edu/shibboleth/
Stage 1 - Addressing Three Scenarios
Member of campus community accessing licensed resource
• Anonymity required
Member of a course accessing remotely controlled resource
• Anonymity required
Member of a workgroup accessing controlled resources
• Controlled by unique identifiers (e.g. name)
Taken individually, each of these situations can be solved in a variety of straightforward ways.
Taken together, they present the challenge of meeting the user's reasonable expectations for protection of their personal privacy.
Shibboleth Architecture Concepts - High Level
[Diagram: Browser at the Origin Site, Target Web Server at the Target Site. Authentication Phase: First Access - Unauthenticated. Authorization Phase: Pass content if user is allowed]
Shibboleth Architecture Concepts (detail)
[Diagram: Browser, Web Login Server, Authentication and Attribute Server at the Origin Site; Target Web Server at the Target Site. Authentication Phase labels: First Access - Unauthenticated; Redirect User to Local Web Login; Ent Prompt; Auth OK; Second Access - Authenticated. Authorization Phase labels: Ask to Obtain Entitlements; Req Ent; Entitlements; Pass entitlements for authz decision; Pass content if user is allowed; Success!]
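The two phases in the Shibboleth architecture slides, and the three Stage 1 scenarios before them, as an added simulated exchange in Python (not Shibboleth project code). The origin site plays the web login server and the attribute server (the attribute authority of the point-to-point model); each target plays attribute requestor, policy decision point and policy enforcement point. Beyond what the slides say, it assumes the origin hands the target an opaque per-session handle rather than an identity, and that the attribute server filters its answers through a per-target release policy; all sites, users and credentials are constructed.

```python
"""Simulated Shibboleth-style exchange with progressive disclosure of attributes.

Added example, not Shibboleth project code. Assumptions beyond the slides: the
origin gives the target an opaque per-session handle instead of a user name,
and the attribute server filters what it returns through a per-target release
policy. Sites, users and the credential check are constructed.
"""
import secrets

# Constructed origin-site directory entries, keyed by local uid.
USERS = {
    "jdoe": {"eduPersonAffiliation": {"student"},
             "courseMembership": {"physics101"},
             "eduPersonPrincipalName": "jdoe@example.edu"},
}
PASSWORDS = {"jdoe": "constructed-password"}   # stand-in for the campus authn service

# Attribute release policy: which attributes each target may learn about a user.
# Scenario 1 (licensed resource) learns only affiliation, scenario 2 (course
# resource) only course membership, scenario 3 (workgroup) the identifier.
RELEASE_POLICY = {
    "journals.example.com": {"eduPersonAffiliation"},
    "courseware.example.org": {"courseMembership"},
    "wiki.workgroup.example.net": {"eduPersonPrincipalName"},
}


class OriginSite:
    """Web login server plus attribute server (the attribute authority)."""

    def __init__(self):
        self.handles = {}                       # opaque handle -> local uid

    def login(self, uid, password):
        """Authenticate locally; on success return an opaque handle for targets."""
        if PASSWORDS.get(uid) != password:
            return None
        handle = secrets.token_hex(8)           # unguessable, carries no identity
        self.handles[handle] = uid
        return handle

    def attribute_query(self, handle, target):
        """Release to this target only the attributes its policy entry allows."""
        uid = self.handles.get(handle)
        if uid is None:
            return None                         # unknown handle: not authenticated
        allowed = RELEASE_POLICY.get(target, set())
        return {k: v for k, v in USERS[uid].items() if k in allowed}


class TargetSite:
    """Attribute requestor, policy decision point and policy enforcement point."""

    def __init__(self, name, rule):
        self.name, self.rule = name, rule       # rule: attributes -> allowed?

    def access(self, origin, handle):
        attrs = origin.attribute_query(handle, self.name)
        if attrs is None:
            return "redirect-to-origin-login"   # first access, unauthenticated
        return "content" if self.rule(attrs) else "forbidden"


def run_scenarios():
    """Drive the three Stage 1 scenarios; return results and what target 1 saw."""
    origin = OriginSite()
    handle = origin.login("jdoe", PASSWORDS["jdoe"])
    licensed = TargetSite("journals.example.com",
                          lambda a: bool(a.get("eduPersonAffiliation", set())
                                         & {"student", "faculty", "staff"}))
    course = TargetSite("courseware.example.org",
                        lambda a: "physics101" in a.get("courseMembership", set()))
    workgroup = TargetSite("wiki.workgroup.example.net",
                           lambda a: a.get("eduPersonPrincipalName") in {"jdoe@example.edu"})
    results = {t.name: t.access(origin, handle) for t in (licensed, course, workgroup)}
    return results, origin.attribute_query(handle, licensed.name)


if __name__ == "__main__":
    results, seen_by_journal = run_scenarios()
    print(results)
    print("journal site learned only:", seen_by_journal)
```

The privacy property lives in `RELEASE_POLICY`, not in the targets: the licensed-resource site can decide access from affiliation alone and never receives the principal name, while a target absent from the policy receives an empty attribute set and cannot learn anything about the user beyond the fact of a campus login.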
Shibboleth Architecture - Components and Flow
Middleware Inputs & Outputs
[Diagram; labels: Grids, JA-SIG & uPortal, OKI, Inter-realm calendaring, Shibboleth, eduPerson, Affiliated Dirs, etc., Enterprise Directory, Enterprise Authentication, Legacy Systems, Campus web SSO, futures, Enterprise authZ, Licensed Resources, Embedded App Security]
Shibboleth, eduPerson, and everything else
Project Status
Architecture definition finished (v0.9+)
Design/Programming now Underway
• Team membership drawn from IBM/Tivoli, CMU, Ohio State
• First Face-to-Face meeting on Sept 27, 28 at CMU
First Set of Pilot Sites Selected
• Chosen to test all 3 scenarios
• UK participation
Timeline for programming, piloting available end of October
A Campus Directory Architecture
[Diagram; labels: Metadirectory, Enterprise directory, DirDB, Departmental directories, OS directories (MS, Novell, etc), Border directory, Registries, Source systems]
Metadirectories
The critical functions to glue together what inevitably turns out to be a number of campus, departmental and application-oriented directory services
Typically a coordinated set of services that watches updates to specific directories or from legacy data feeds and spreads those updates to other directories
Performs several subfunctions
• an identity registry or crosswalk to relate entries in different directories
• a set of connectors that take changes from one source and convert them for dissemination to other sources
Basic implementation from Metamerge is free to higher ed
Directories – Group Management
Best practices in the use of core middleware to meet the authorization and messaging needs of applications
Initial foci are:
1) the conduct of a survey of several organizations' practices in this area and
2) investigations into meaningful definitions of, and productive ways of representing and operating on, "groups", "affiliations", "roles", and "correlations".
Groups Practices Survey
http://middleware.internet2.edu/dir/groups/
PKI
First thoughts
Fundamentals - Components and Contexts
The missing pieces - in the technology and in the community
Higher Education activities (CREN, HEPKI-TAG, HEPKI-PAG, Net@EDU, PKI Labs)
PKI: A few observations
Think of it as wall jack connectivity, except it’s connectivity for individuals, not for machines, and there’s no wall or jack…but it is that ubiquitous and important
Does it need to be a single infrastructure? What are the costs of multiple solutions? Subnets and ITPs...
Options breed complexity; managing complexity is essential
PKI can do so much that right now it does very little
A few more...
IP connectivity was a field of dreams. We built it and then the applications came. Unfortunately, here the applications have arrived before the infrastructure, making its development much harder.
No one seems to be working on the solutions for the agora.
A general-purpose PKI seems like a difficult task, but instituting a PKI Light as a first step may not have enough paybacks.
The general state of PKI
There are campus and corporate successes
• Corporations use internally for VPN, some authentication, signed email (with homogeneous client base)
• MIT, UT medical, soon VA, UCOP
Key is limited application use, lightweight policy approaches
There is very limited interrealm, community of interest or general interoperable work going on
• Federal efforts
• HealthKey
• Higher Ed
• Some European niches
Why X.509/PKI?
Single infrastructure to provide all security services
Established technology standards, though little operational experience
Elegant technical underpinnings
Serves dozens of purposes - authentication, authorization, object encryption, digital signatures, communications channel encryption
Low cost in mass numbers
Why Not X.509/PKI?
High legal barriers
Lack of mobility support
Challenging user interfaces, especially with regard to privacy and scaling
Persistent technical incompatibilities
Overall complexity
The Four Planes of PKI
on the road to general purpose interrealm PKI
the planes represent different levels of simplification from the dream of a full interrealm, intercommunity multipurpose PKI
simplifications in policies, technologies, applications, scope
each plane provides experience and value
The Four Planes are:
Full interrealm PKI - multipurpose, spanning broad and multiple communities, bridges to unite hierarchies, unfathomed directory issues
Simple interrealm PKI - multipurpose within a community, operating under standard policies and structured hierarchical directory services
PKI-Light - containing all the key components of a PKI, but many in simplified form; may be for a limited set of applications; may be extended within selected communities
PKI-Ultralight - easiest to construct and useful conveyance; ignores parts of PKI and not for use external to the institution; learn how to fly, but not a plane...
Examples of Areas of Simplification
Spectrum of Assurance Levels
Signature Algorithms Permitted
Range of Applications Enabled
Revocation Requirements and Approaches
Subject Naming Requirements
Treatment of Mobility
...
PKI-Light example (Texas-Houston)
CP: VeriSign
CRL: VeriSign
Applications: authentication
Mobility: USB dongle
Signing: md5RSA
Thumbprint: sha1
Naming: X.500
Directory Services needed: I?
Deployment: 5,000 medical students
PKI-Light (MIT)
CP: none
CRL: limit lifetime
Applications: internal web authentication
Mobility: one per system; also password enabled
Signing: md5RSA
Thumbprint: sha1
Naming: X.500
Directory Services needed: none
Deployment: approximately 350,000 over five years
D. Wasley’s PKI Puzzle
Uses for PKI and Certificates
authentication and pseudo-authentication
signing docs
encrypting docs and mail
non-repudiation
secure channels across a network
authorization and attributes
secure multicast
and more...
Implementation varies by contexts/components
[Table; columns (contexts): Intracampus, Intercampus, General; rows (components): Certificate Systems; In-house, insource, outsource; Application Integration; I/A processes; Profiles and Policies. Cell contents not preserved]
PKI Components
X.509 v3 certs - profiles and uses
Validation - Certificate Revocation Lists, OCSP, path construction
Cert management - generating certs, using keys, archiving and escrow, mobility, etc.
Directories - to store certs, and public keys and maybe private keys
Trust models and I/A
Cert-enabled apps
X.509 certs
purpose - bind a public key to a subject
standard fields
extended fields
profiles to capture prototypes
client and server issues
v2 for those who started too early, v3 for current work, v4 being finalized to address some additional cert formats (attributes, etc.)
Standard fields in certs
cert serial number
the subject, as x.500 DN or …
the subject’s public key
the validity field
the issuer, as ID and common name
signing algorithm
the signature over the cert, made with the issuer’s private key
Extension fields
Examples - authorization/subject subcodes, key usage, LDAP URL, CRL distribution points, etc.
Key usage is very important - for digital signatures, non-repudiation, key or data encipherment, etc.
Certain extensions can be marked “critical” - if an app can’t understand the extension, then it doesn’t use the cert
Requires profiles to document, and great care...
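To make the critical-extension rule concrete, here is an added example (not from the presentation) that encodes a constructed X.509 Extensions sequence with a minimal DER encoder, parses it back, decodes the keyUsage bits named on the slide, and rejects the certificate when a critical extension falls outside the set the application understands. The OIDs 2.5.29.15 and 2.5.29.31 are the real keyUsage and cRLDistributionPoints identifiers; 2.999.1 sits under the OID arc reserved for examples and stands in for an unknown private extension; the extension values are placeholders.

```python
"""Parse DER-encoded X.509 v3 Extensions and apply the "critical" rule.

Added example, not from the presentation. A minimal DER encoder builds a
constructed Extensions SEQUENCE; the parser reads it back, decodes keyUsage,
and refuses a certificate that carries a critical extension the application
does not understand. OIDs 2.5.29.15 / 2.5.29.31 are real; 2.999.1 is an
example-arc OID standing in for an unknown private extension.
"""

KEY_USAGE = "2.5.29.15"            # id-ce-keyUsage
CRL_DIST_POINTS = "2.5.29.31"      # id-ce-cRLDistributionPoints
UNKNOWN_PRIVATE = "2.999.1"        # placeholder under the example arc
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
                  "encipherOnly", "decipherOnly"]


def der(tag, body):
    """Tag-length-value with DER definite length (short or two-byte long form)."""
    n = len(body)
    if n < 128:
        length = bytes([n])
    elif n < 256:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body


def encode_oid(dotted):
    """OBJECT IDENTIFIER: the first two arcs fold into one base-128 subidentifier."""
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray()
    for s in [40 * parts[0] + parts[1]] + parts[2:]:
        chunk = [s & 0x7F]
        s >>= 7
        while s:
            chunk.append(0x80 | (s & 0x7F))
            s >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


def decode_oid(body):
    subids, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(val)
            val = 0
    first = subids[0]
    head = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    return ".".join(map(str, head + subids[1:]))


def encode_extension(oid, value, critical=False):
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }."""
    body = encode_oid(oid)
    if critical:                         # DER omits a BOOLEAN equal to its DEFAULT
        body += der(0x01, b"\xff")
    return der(0x30, body + der(0x04, value))


def read_tlv(buf, pos):
    """Return (tag, content bytes, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_extensions(buf):
    """Return [(dotted oid, critical, extnValue contents)] from an Extensions SEQUENCE."""
    tag, seq, _ = read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    exts, pos = [], 0
    while pos < len(seq):
        _, ext, pos = read_tlv(seq, pos)
        _, oid, p = read_tlv(ext, 0)
        tag, val, p = read_tlv(ext, p)
        critical = False
        if tag == 0x01:                  # the optional BOOLEAN is present
            critical = val == b"\xff"
            tag, val, p = read_tlv(ext, p)
        exts.append((decode_oid(oid), critical, val))
    return exts


def key_usage_names(extn_value):
    """Decode the keyUsage BIT STRING into the names of the set bits."""
    tag, bits, _ = read_tlv(extn_value, 0)
    if tag != 0x03:
        raise ValueError("keyUsage must be a BIT STRING")
    data = bits[1:]                      # bits[0] is the unused-bits count
    return [name for i, name in enumerate(KEY_USAGE_BITS)
            if i // 8 < len(data) and data[i // 8] & (0x80 >> (i % 8))]


def usable(extensions, understood):
    """The slide's rule: an app that cannot interpret a critical extension must not use the cert."""
    return all(oid in understood or not critical for oid, critical, _ in extensions)


# Constructed sample: critical keyUsage (digitalSignature + keyEncipherment),
# a non-critical, empty CRL distribution points placeholder, and a critical
# unknown private extension.
SAMPLE = der(0x30,
             encode_extension(KEY_USAGE, der(0x03, b"\x05\xa0"), critical=True)
             + encode_extension(CRL_DIST_POINTS, der(0x30, b""))
             + encode_extension(UNKNOWN_PRIVATE, der(0x04, b"opaque"), critical=True))

if __name__ == "__main__":
    for oid, critical, value in parse_extensions(SAMPLE):
        print(oid, "critical" if critical else "non-critical",
              key_usage_names(value) if oid == KEY_USAGE else "")
    print("usable:", usable(parse_extensions(SAMPLE), {KEY_USAGE, CRL_DIST_POINTS}))
```

Note the asymmetry the rule creates: a non-critical extension an application does not recognise is simply ignored, so the profile the slide asks for has to say which extensions must be marked critical, otherwise a relying application can silently skip a constraint the issuer meant to be binding.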
Cert Management
Certificate Management Protocol - for the creation, revocation and management of certs
Revocation Options - CRL, OCSP
Storage - where (device, directory, private cache, etc.) and how - format (DER, BER, etc.)
Escrow and archive of keys - when, how, and what else needs to be kept
Certificate Authority software or outsource options
• Homebrews
• Open Source - OpenSSL, OpenCA, Oscar
• Third party - Baltimore, Entrust, etc.
• OS-integrated - W2K, Sun/Netscape, etc.
Directories
to store certs
to store CRL
to store private keys, for the time being
to store attributes
implement with border directories, or ACLs within the enterprise directory, or proprietary directories
Certificate Policies (CP) and Practices Statements (CPS)
Policies: legal responsibilities and liabilities (indemnification issues)
Operations of certificate management systems
Will hopefully be somewhat uniform across the community
Assurance levels - varies according to I/A processes and other operational factors
Practices - site-specific details of operational compliance with a cert policy
A Policy Management Authority (PMA) determines if a CPS is adequate for a given CP.
Inter-organizational trust model components
verifying sender-receiver assurance by finding a common trusted entity
must traverse perhaps branching paths to establish trust paths
must then use CRLs etc. to validate assurance
if policies are in cert payloads, then validation can be quite complex
delegation makes things even harder
Hierarchies vs. Bridges
• a philosophy and an implementation issue
• the concerns are transitivity and delegation
• hierarchies assert a common trust model
• bridges pairwise agree on trust models and policy mappings
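An added example (not from the slides) of the path traversal and policy mapping described here: a breadth-first search from the relying party's trust anchor to the CA that issued the subject's certificate, over a constructed cross-certificate graph in which two hierarchies are joined by a bridge. Each bridge cross-certificate carries a policy mapping; a branch dies when no acceptable policy survives the mapping, and cross-certificates listed as revoked (a constructed stand-in for the CRL check) are skipped. CA names and policy labels are invented.

```python
"""Trust-path discovery across two hierarchies joined by a bridge CA.

Added example, not from the slides. A breadth-first search walks the
cross-certificate graph from the relying party's trust anchor to the CA that
issued the subject's certificate, carrying the set of acceptable policies
through each cross-certificate's policy mappings. CA names, policy labels,
the graph and the revoked list are all constructed.
"""
from collections import deque

# issuer -> {subject CA: policy mapping}. A mapping {mine: theirs} is what a
# bridge cross-certificate carries ("my policy X is equivalent to their Y");
# None marks an in-hierarchy edge under a common trust model (no remapping).
CROSS_CERTS = {
    "RootA":      {"CampusA-CA": None, "Bridge": {"A-medium": "bridge-medium"}},
    "RootB":      {"CampusB-CA": None, "DeptB-CA": {"B-standard": "B-basic"},
                   "Bridge": {"B-standard": "bridge-medium"}},
    "Bridge":     {"RootA": {"bridge-medium": "A-medium"},
                   "RootB": {"bridge-medium": "B-standard"}},
    "CampusA-CA": {}, "CampusB-CA": {}, "DeptB-CA": {},
}


def find_trust_path(anchor, target_issuer, policies, graph=CROSS_CERTS,
                    revoked=frozenset(), max_depth=6):
    """Return (path, policies valid at the end) or None when no acceptable path exists.

    `revoked` holds (issuer, subject) pairs whose cross-certificate a CRL lists;
    such edges are skipped, which is the CRL step the slide calls for.
    """
    queue = deque([([anchor], frozenset(policies))])
    seen = set()
    while queue:
        path, current = queue.popleft()
        ca = path[-1]
        if ca == target_issuer:
            return path, set(current)
        if len(path) > max_depth:
            continue
        for next_ca, mapping in graph.get(ca, {}).items():
            if next_ca in path or (ca, next_ca) in revoked:
                continue                         # no loops; no revoked cross-certs
            mapped = current if mapping is None else \
                frozenset(mapping[p] for p in current if p in mapping)
            if not mapped:
                continue                         # no acceptable policy survives: branch dies
            if (next_ca, mapped) in seen:
                continue
            seen.add((next_ca, mapped))
            queue.append((path + [next_ca], mapped))
    return None


if __name__ == "__main__":
    print(find_trust_path("RootA", "CampusB-CA", {"A-medium"}))
    print(find_trust_path("RootA", "CampusB-CA", {"A-high"}))          # None: no mapping
    print(find_trust_path("RootA", "CampusB-CA", {"A-medium"},
                          revoked={("Bridge", "RootB")}))                # None: revoked
```

The transitivity concern on the slide shows up directly: RootA never agreed anything with RootB, yet a path exists because each side agreed with the bridge, so the assurance the relying party ends up with is whatever "bridge-medium" maps to on the far side, not its own policy name.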
Mobility Options
smart cards
USB dongles
passwords to download from a store or directory
proprietary roaming schemes abound - Netscape, VeriSign, etc.
SACRED within IETF recently formed for standards
Difficulty in integration of certificates from multiple stores (hard drive, directory, hardware token, etc.)
Will it fly?
Well, it has to…
Scalability
Performance
OBE
“With enough thrust, anything can fly”
VidMid
Middleware for video
Videoconferencing
authenticated, identified video clients - work with commercial clients to use the underlying middleware plumbing
H.323, VRVS, and new SIP-oriented clients
Video on demand
access controls for video resources
schema for meta information
Works closely with ViDe (www.vide.org)
http://middleware.internet2.edu/video/
aggressive time frames
Mace-Med
Unique requirements - HIPAA, disparate relationships, extended community, etc.
Unique demands - 7x24, visibility
PKI seen as a key tool
Mace-Med recently formed to explore the issues
The enterprise architect view of medical middleware
[Diagram; labels: Person registry, Enterprise directory, App dir, Border Directory, LAN dir, Institutional Student/Financial/Personnel Systems, Medical Administrative Systems, Hospital Administrative Systems, Peer institutions, PKI, Authentication Services, Federal/State Gov’ts, Corporate collaborators, Internet, Research Systems, Authorization Services]
HEPKI (www.educause.edu/hepki/)
HEPKI - Technical Activities Group (TAG)
• universities actively working technical issues
• topics include Kerberos-PKI integration, public domain CA, profiles
• regular conference calls, email archives
HEPKI - Policy Activities Group (PAG)
• universities actively trying to deploy PKI
• topics include certificate policies, RFP sharing, interactions with state governments
• regular conference calls, email archives
Internet2 PKI Labs
At Dartmouth and Wisconsin in computer science departments and IT organizations
Doing the deep research - two to five years out
Policy languages, path construction, attribute certificates, etc.
National Advisory Board of leading academic and corporate PKI experts provides direction
Catalyzed by startup funding from ATT
OKI, JA-SIG and Grids
OKI
• major open learning management system being developed by MIT, Stanford, and North Carolina State, funded by the Mellon Foundation; reference architecture and open source implementation
• http://web.mit.edu/oki/intro.html
JA-SIG
• uPortal is a major portal architecture and implementation being developed by a number of schools with funding from the Mellon Foundation; also hopes to share administrative Java applets
• http://www.ja-sig.org/ and http://mis105.mis.udel.edu/ja-sig/uportal/index.html
GRIDS Center
• expanding use of Grids will reach to many campuses
• integration efforts underway
• http://www.globus.org and http://www.gridforum.org
NSF Middleware Initiative (NMI)
•NSF award for integrators to
– Internet2, EDUCAUSE, and SURA
– The GRIDs Center (NCSA, UCSD, University of Chicago, USC/ ISI, and University of Wisconsin)
•Build on the successes of the Internet2/MACE initiative and the Globus Project
•Three year cooperative agreement effective 9/1/01
•To develop and deploy a national middleware infrastructure for science, research and higher education
•Separate awards to academic pure research components
The Grid
a model for a distributed computing environment, addressing diverse computational resources, distributed databases, network bandwidth, object brokering, security, etc.
Globus (www.globus.org) is the software that implements most of these components; Legion is another such software environment
Needs to integrate with campus infrastructure
Gridforum (www.gridforum.org) umbrella activity of agencies and academics
Look for grids to occur locally and nationally, in physics, earthquake engineering, etc.
Map of Middleware
NMI: The Problem to Solve
•To allow scientists and engineers the ability to transparently use and share distributed resources, such as computers, data, and instruments
•To develop effective collaboration and communications tools such as Grid technologies, desktop video, and other advanced services to expedite research and education
•To develop a working architecture and approach which can be extended to Internet users around the world
Middleware is the stuff that makes “transparently use” happen, providing consistency, security, privacy and capability
NMI
Work products
– Community standards
– Best practices
– Schema and object classes
– Reference implementations
– Open source services
– Corporate relations
Work areas
– Identifiers
– Directories
– Authentication
– Authorization
– GRIDs
– PKI
– Video
More information
Early Harvest / Early Adopters: http://middleware.internet2.edu/earlyadopters/
Mace: middleware.internet2.edu
LDAP Recipe: http://www.georgetown.edu/giia/internet2/ldap-recipe/
EduPerson: www.educause.edu/eduperson
Directory of Directories: middleware.internet2.edu/dodhe
Shibboleth: middleware.internet2.edu/shibboleth
HEPKI-TAG: www.educause.edu/hepki
HEPKI-PAG: www.educause.edu/hepki
Video: http://middleware.internet2.edu/video/