[Title slide; the title is garbled in extraction. Recoverable words: campus ID, Shibboleth, NAREGI.]
2008/12/24  Manabu Higashida  [email protected]
[Slide title garbled; recoverable: MICS profile, Shibboleth IdP/SP, certificate issuance (likely)]
[Figure: certificate issuance flow combining the campus Shibboleth federation with the Grid CA. Components drawn: CA, RA, Shibboleth IdP (ID: Kerberos), Shibboleth IdP (ID: LDAP), Shibboleth SP, DS (Discovery Service, W.A.Y.F.), UMS (User Management Server), MyProxy, License ID, User Certificate. Numbered steps as labelled: 1 License ID, 2 Shibboleth SP, 3 DS (W.A.Y.F.), 4 and 5 Shibboleth IdP, 6 UMS, 7 grid-certreq, ending in the User Certificate. The extraction contained two copies of this diagram; one is kept.]
• Shibboleth SP (Service Provider): description garbled
• DS (Discovery Service): description garbled
• Shibboleth IdP (Identity Provider): description garbled; the note mentions that the UMS manages the certificates
[Slide: MICS-profile certificate issuance with Shibboleth IdP/SP (title partly garbled). Recoverable content:]
• IdP (Identity Provider): the campus authentication sources behind it are CAS (12, unit garbled) and NIS (1, unit garbled); ID/password authentication against MS Active Directory Server (Kerberos)
• Shibboleth SP (Service Provider) and DS (Discovery Service): text garbled
• The IdP passes the campus identity to the Shibboleth SP, which issues the License ID needed for certificate issuance (partly garbled)
• NAREGI (Web UI): the user registers the License ID, and the certificate is issued through the UMS (User Management Server) (partly garbled)
• The user runs "grid-certreq" from the UMS CUI to obtain the certificate (partly garbled)
The Case of "clark/clark"
• A host was compromised by a rootkit and the IDs and passwords passing through it were captured (details garbled)
• Detection by IDS: Force10 P10 (formerly MetaNetworks), 2005
• Countermeasures (partly garbled): one-time passwords for the Web front end, "SECURE MATRIX" by CSE (uid + otp); VPN plus ... (garbled)
[Figure: isolated security domains. Credentials shown: NAREGI Certificate, GSI Credential, Kerberos Ticket. Elements: User Terminal, VPN, Hosting Server (virtual hosting), NAS, HPC/Grid/Visualization, CGM; each hosted environment is an isolated security domain. Surrounding bullet text is garbled.]
Global Storage Sharing with NFSv4
[Figure: a NAS on the Local Area Network is served by an NFSv4 Server for LAN; HPC hosts act as NFSv4 clients and as GFS clients over an FC Storage Area Network (10GbE). Pseudo-filesystems are used for importing to the LAN and for exporting to the WAN (SuperSINET 10GbE). A NASGW (NAS gateway) with LDAP and KDC runs the NFSv4 Server for WAN; a TGT is used for cross-realm ID-mapping.]
"Web 2.0" ...? (title partly garbled)
• Can ... be done from a Web browser? (garbled)
  – RFB on Web browser (VNC Java Viewer)
  – AjaxTerm: http://antony.lesuisse.org/qweb/trac/wiki/AjaxTerm
    – Latin-1 ... UTF-8? (garbled)
• ... Windows Active Directory: Kerberos + LDAP ... (garbled)
  – PKI ... (garbled)
  – Mac OS X: ADS support
    http://www.apple.com/jp/macosx/features/windows/
    http://www.apple.com/jp/server/macosx/features/windowsservices.html
  – Linux distros: Kerberos support; kerberized ... (garbled)
• Microsoft Active Directory: Kerberos-based ... (garbled)
  – KDC (Key Distribution Center) ... (garbled)
  – SPNEGO-ready since IE 5.0.1 and IIS 5.0
• MIT Kerberos for Windows 3.0 ...; 3.1 ... (garbled)
  – On Windows: Firefox 1.5, PuTTY, WinSCP, FileZilla
  – KX.509/KPKCS11, Kerberized MyProxy
SPNEGO – Simple and Protected GSSAPI Negotiation Mechanism
• RFC 2478 / RFC 4178
  – Microsoft: "Securer Protocol Negotiation"
• SPNEGO-aware Web servers give browser clients Kerberos-based SSO:
  – Apache2
    • mod_auth_kerb (http://sourceforge.net/projects/modauthkerb)
      – Microsoft KB: http://support.microsoft.com/?id=555092
    • mod_spnego (http://sourceforge.net/projects/modgssapache)
    • mod_auth_vas (http://rc.vintela.com/topics/mod_auth_vas/)
  – Apache2 for Windows
    • mod_auth_sspi (http://sourceforge.net/projects/mod-auth-sspi)

API differences (SSPI vs. GSSAPI)
• RFC 2078 / RFC 2743: GSSAPI (Generic Security Service API)
  – Microsoft: SSPI (Security Service Provider Interface)
    • Does the negotiation end up using NTLM? (question on the slide)
• SPNEGO negotiation is ... for GSSAPI ... (garbled)
  – Windows clients ... (garbled)
• Clients built on MS SSPI: IE (a.k.a. ... garbled); Firefox 1.0
• Clients built on MIT GSSAPI: WinSCP (http://winscp.net/; it also has an SSPI option); FileZilla (http://sourceforge.net/projects/filezilla/)
• Clients supporting both: Firefox 1.5 (... XPI ...? garbled); PuTTY
  » CSS: http://www.certifiedsecuritysolutions.com/downloads.html
  » Vintela: http://rc.vintela.com/topics/putty/
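Added example, not from the presentation: a small Python audit of the `Authorization: Negotiate` header a browser sends to a SPNEGO-aware server such as Apache with mod_auth_kerb. It decodes the GSS-API InitialContextToken, lists the mechanisms offered in the NegTokenInit in the client's preference order, and flags whether NTLMSSP is on the list (the fallback the slide asks about) and whether Kerberos is preferred. The DER helpers, the mechanism OIDs and the constructed sample token are all mine; the mech token inside the sample is a placeholder, not a real AP-REQ.

```python
import base64

# Mechanism OIDs that show up in Negotiate headers (RFC 4178, MS-SPNG).
OID_SPNEGO = "1.3.6.1.5.5.2"
OID_KRB5 = "1.2.840.113554.1.2.2"
OID_MS_KRB5 = "1.2.840.48018.1.2.2"      # legacy OID that Windows lists first
OID_NTLMSSP = "1.3.6.1.4.1.311.2.2.10"
MECH_NAMES = {OID_KRB5: "Kerberos V5", OID_MS_KRB5: "MS Kerberos V5 (legacy OID)",
              OID_NTLMSSP: "NTLMSSP"}


def der(tag, payload):
    """One DER element: tag, short- or long-form length, payload."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + payload


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:                       # base-128, high bit = more octets
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def read_tlv(buf, pos=0):
    """Return (tag, value, position after the element); rejects truncated input."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def build_negotiate_token(mechs, mech_token=b""):
    """NegTokenInit (RFC 4178 4.2.1) inside a GSS-API InitialContextToken."""
    fields = der(0xA0, der(0x30, b"".join(encode_oid(m) for m in mechs)))  # [0] mechTypes
    if mech_token:
        fields += der(0xA2, der(0x04, mech_token))       # [2] optimistic mechToken
    return der(0x60, encode_oid(OID_SPNEGO) + der(0xA0, der(0x30, fields)))


def parse_negotiate_token(token):
    """Return (offered mechanism OIDs in preference order, optimistic token present?)."""
    tag, body, _ = read_tlv(token)
    if tag != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    _, oid, pos = read_tlv(body)
    this_mech = decode_oid(oid)
    if this_mech in (OID_KRB5, OID_MS_KRB5):
        return [this_mech], True                # bare Kerberos AP-REQ, no SPNEGO wrapper
    if this_mech != OID_SPNEGO:
        raise ValueError(f"unexpected thisMech {this_mech}")
    tag, inner, _ = read_tlv(body, pos)
    if tag != 0xA0:
        raise ValueError("expected negTokenInit, got negTokenResp")
    _, seq, _ = read_tlv(inner)
    mechs, has_mech_token, pos = [], False, 0
    while pos < len(seq):
        tag, val, pos = read_tlv(seq, pos)
        if tag == 0xA0:                         # mechTypes: SEQUENCE OF OID
            _, lst, _ = read_tlv(val)
            p = 0
            while p < len(lst):
                t, oid_body, p = read_tlv(lst, p)
                if t == 0x06:
                    mechs.append(decode_oid(oid_body))
        elif tag == 0xA2:
            has_mech_token = True
    return mechs, has_mech_token


def make_negotiate_header(mechs, mech_token=b""):
    return "Negotiate " + base64.b64encode(build_negotiate_token(mechs, mech_token)).decode()


def audit_negotiate_header(header_value):
    """What did the client offer? ntlm_offered means the server may silently fall back."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate header")
    mechs, has_token = parse_negotiate_token(base64.b64decode(b64))
    return {"mechs": [MECH_NAMES.get(m, m) for m in mechs],
            "preferred": MECH_NAMES.get(mechs[0], mechs[0]) if mechs else None,
            "kerberos_offered": any(m in (OID_KRB5, OID_MS_KRB5) for m in mechs),
            "ntlm_offered": OID_NTLMSSP in mechs,
            "optimistic_token": has_token}


if __name__ == "__main__":
    # Constructed sample in the order a domain-joined Windows browser sends; the
    # 8 zero bytes stand in for the Kerberos AP-REQ and are not a real token.
    print(audit_negotiate_header(make_negotiate_header(
        [OID_MS_KRB5, OID_KRB5, OID_NTLMSSP], b"\x00" * 8)))
```

If `ntlm_offered` is true and the server module is configured to accept NTLM, a client with no ticket (or a misconfigured SPN) silently authenticates with NTLM instead of Kerberos, so the audit is worth running on real request logs before calling a deployment "Kerberos SSO".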
ccache (Credential Cache) differences
• MS LSA-based cache vs. MIT (vs. Heimdal)
  – LSA: Local Security Authority ... (garbled)
• MIT GSSAPI ... (garbled)
  – MS to MIT: ms2mit.exe
  – ... : NetIDMgr a.k.a. "Network Identity Manager"
    • In 3.1 ...? (garbled)
• MIT ccache to MS LSA: mit2ms.exe
  – ...? (garbled)
Kerberos and PKI Integration – Efforts Since 1995
• PKINIT
  – PKI-based Kerberos pre-authentication (kinit)
  – Now RFC 4556 (2006, Standards Track) ...
  – Draft-39 onward: Microsoft (since Draft-9), Heimdal
• PK-CROSS
  – PKI-based cross-realm ... (garbled)
  – draft-ietf-cat-kerberos-pk-cross-08
• PK-APP (?)
  – Deriving PKI ... from Kerberos credentials (garbled)
• KX.509
• MyProxy
Single Sign-On (title partly garbled)
• ... pre-authentication ... (garbled)
• ... Web ... (garbled)
Lessons from operation in the Earth Simulator
• Authentication
  – Two-factor authentication
    • One-time password, a combination of
      – a PIN or passphrase
      – a pseudo-random number periodically generated by a security token
• Job management
  – NQS II with node-by-node resource reservation
    http://www.jamstec.go.jp/es/en/system/scheduling.html
• File sharing
  – Multiple gateways to pass through, with different credentials
    http://www.jamstec.go.jp/jamstec-j/spod/system/hardware.ja/mdps.html
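Added example, not from the presentation: a Python model of the two-factor scheme the slide describes (a PIN or passphrase concatenated with a periodically changing number from a token). The slide does not name the Earth Simulator's token; this code uses HMAC-based one-time passwords (RFC 4226 HOTP driven by a time-step counter, i.e. RFC 6238 TOTP) as a stand-in, and adds the two checks a verifier needs in practice: a small clock-skew window and rejection of a replayed code. The user table, PIN and secret are constructed test data.

```python
import hashlib
import hmac
import struct
import time

OTP_DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = OTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float, step: int = 30, digits: int = OTP_DIGITS) -> str:
    """The token side: HOTP with a counter derived from the clock (RFC 6238)."""
    return hotp(secret, int(now // step), digits)


class TwoFactorVerifier:
    """Server side: passcode = PIN + OTP; both factors must match and codes are single-use."""

    def __init__(self, users, step=30, window=1):
        self.users = users          # uid -> {"pin": str, "secret": bytes}; constructed data
        self.step = step
        self.window = window        # accepted clock skew, in time steps each way
        self.last_counter = {}      # uid -> highest counter already consumed

    def verify(self, uid, passcode, now=None):
        now = time.time() if now is None else now
        rec = self.users.get(uid)
        if rec is None or len(passcode) <= OTP_DIGITS:
            return False
        pin, otp = passcode[:-OTP_DIGITS], passcode[-OTP_DIGITS:]
        pin_ok = hmac.compare_digest(pin.encode(), rec["pin"].encode())
        counter = int(now // self.step)
        matched = None
        for delta in range(-self.window, self.window + 1):
            c = counter + delta
            if c <= self.last_counter.get(uid, -1):
                continue                        # already consumed or older: replay
            if hmac.compare_digest(otp, hotp(rec["secret"], c)):
                matched = c                     # keep looping: same work on every path
        if not (pin_ok and matched is not None):
            return False                        # do not reveal which factor failed
        self.last_counter[uid] = matched
        return True


if __name__ == "__main__":
    # Constructed data: the RFC 4226 reference secret and a made-up PIN.
    users = {"alice": {"pin": "4711", "secret": b"12345678901234567890"}}
    v = TwoFactorVerifier(users)
    now = time.time()
    code = totp(users["alice"]["secret"], now)
    print(v.verify("alice", "4711" + code, now), v.verify("alice", "4711" + code, now))
```

The counter bookkeeping is what turns a "periodically generated number" into a one-time password: without it, a code sniffed inside its 30-second validity window (the "clark/clark" scenario earlier in the deck) could be replayed from another host.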
[Figure: "Grid Operation" at CMC (Osaka University). Labels recoverable: Grid, PC, Grid PKI, CMC, ILE, RCNP, NAREGI GridVM, NEC NQS II, SX: SUPER-UX, PC Cluster: SuSE Enterprise Linux / OpenSuSE, Fair Share Queue + Job Assigned Map, SX Grid, GridMPI, Local Authentication, CSI.]
Total: 46.1 TFLOPS, 16.0 TB
• NEC SX-9 and PC clusters (NEC Express 5800); NQS as the batch system; FC-SAN storage (descriptions garbled)
• Figures shown per system (pairings partly garbled): 16.4 TFLOPS / 10.0 TB; 18.3 TFLOPS / 1.0 TB; 1 PB FC storage with NEC Express-5800 120Rg-1 servers; NEC SX-8R; RCNP 6.1 TFLOPS / 2.0 TB; ILE 5.3 TFLOPS / 3.0 TB (a further 2.0 TB appears); 10GbE w/TOE NIC
[Figure: NAREGI middleware deployment at CMC. Components: Local Authentication; CA/RA; VOMS; NAREGI Grid Middleware; MyProxy; UMS with Grid LDAP (CMC proprietary); GridVM Server for PC Cluster; GridVM Server for SX; Grid Portal; SS (Super Scheduler); IS-CDAS; IS-NAS; user frontend; Kerberos KDC; login; Local Scheduler: NEC NQS II w/JobManipulator w/GridScheduleMaster.]
• Local authentication uses Kerberos; CUI/GUI single sign-on is realized from it, and the NAREGI authentication system is made Web-based (partly garbled)
• The local scheduler NEC NQS II is coupled to the NAREGI middleware ... (garbled)
Grid PKI: NAREGI CA
• CMC CP/CPS (v1.1)
• AP Grid PMA minimum CA requirements ?!
• CA ... ?! (garbled)
• Web I/F; Kerberos; License ID; Passphrase
• Campus CA; Kerberos PKINIT (RFC 4556); Grid CA
• RA: NEC DEVIAS / NAVIAS (garbled)
Grid LDAP
• Grid LDAP ID; Web "1-Click" (2, 3); ID; Kerberos Web SSO; "1-Click" Grid ...; UMS; CUI; CA (labels only; the slide text is garbled)
NAREGI-?2: ... (subtitle and version marker garbled)
[Figure: NAREGI credential and delegation flow. Components: CMC LDAP; NAREGI VOMS; NAREGI CA at CMC; MyProxy; User Management Server (UMS) holding the User Certificate and Private Key; WF Credential Repository; Kerberos KDC; Client Environment; Portal Services: WFT, PSE; The Super Scheduler (SS); GridVM, GridVM Services (GVS), Workflow (WF); Grid Jobs; Users. VOMS Proxy Certificates pass by delegation from the UMS to the portal services, on to the Super Scheduler and on to GridVM.]
NAREGI-?2: certificate issuance (subtitle partly garbled)
[Same figure as the previous slide, second copy.]
NAREGI-?2: proxy certificate issuance (subtitle partly garbled)
[Same figure as the previous slides, third copy.]
[Several slides could not be recovered from the extraction (text encoded in a non-Unicode font).]
CMC authentication system (title garbled)
• Campus-wide authentication system (NEC DEVIAS); certificate issuance with License IDs; VO ... (mostly garbled)
• ... Unix accounts ... (garbled)
• AP Grid PMA "MICS" profile accreditation ... certificates for all members ... (garbled)
... (garbled)

CMC grid operation, part 1 (NAREGI ...) (title partly garbled)
• First stage
  – Grid certificates for all ... (garbled)
• "1-click" certificate issuance
  – ... authentication ... (garbled)
• Local scheduler ... (garbled)
T2K grid operation: certificates from the NAREGI CA; ... (garbled); file sharing with Gfarm
References: two T2K documents, 2008 (authors and titles garbled)

CMC grid operation, part 2 (T2K-based ...) (title partly garbled)
• Second stage
  – ... certificates for ... (garbled)
• Shibboleth SP/IdP conforming to the MICS profile
  – ... authentication ... (garbled)
• Local scheduler ... (garbled)
"RESTful" ... (garbled)
MICS authentication (title partly garbled)
• Classic profile ... Registration Authority (RA) ... (garbled)
  – ... RA ... (garbled)
• LRA ... (garbled)
• Identity vetting (...): Photo ID and/or official document
  – "Federation of Campus PKI and Grid PKI for Academic GOC Management Conformable to AP Grid PMA", Toshiyuki Kataoka and others, APAN-24
  – ("must contact and present")
• Grid PKI ?!
  – CMC CP/CPS 1... (garbled)
  – RA CP/CPS ?!  Campus PKI RA ?!
  – "Production Level CA" ?!: NII, KEK
  – VO / RO CP/CPS ?!

MICS: Member Integrated X.509 PKI Credential Service
• TeraGrid, NCSA ... (garbled)
• NCSA ... (garbled)
• TACC ...; Classic profile ...? (garbled)
• "The initial vetting of identity for any entity in the primary authentication system that is valid for certification should be based on a face-to-face meeting and should be confirmed via photo identification and/or similar valid official documents."
  – "IGTF Accreditation Review of MICS Authentication Profile (Update)", Marg Murray, TACC, 2007/05/30
What does MICS ...? (title partly garbled)
• ... NSF ... (garbled)
  – NCSA ... (garbled)
  – PI (Principal Investigator) ... (garbled)
• ... (garbled)
VO ... (title garbled)
• Phase-0 (2006-)
  – ... (garbled)
    • All members get Grid PKI certificates (a License ID is issued at the same time)
    • Default VO: "CMC_Osaka"
    • Certificate SubjectDN: ... UID ... (garbled)
      » grid-mapfile managed through "NAVIAS" ... (garbled)
• Phase-1 (2007/06-)
  – Other universities (+ ... + NII) (garbled)
    • ... UID ... (garbled)
    • VO: "CMCGSIC_Osaka"
    • Certificate SubjectDN carries UID@organization (garbled)
      » grid-mapfile ... (garbled)
• Phase-2
  – VO ... (garbled)
[Figure: "Grid Certificate Authorities and Virtual Organization". VO "RENKEI Osaka" (VO domain "vo1") spans two PKI domains, the NII/NAREGI CA and the CMC CA. ROs shown: Kyusyu Univ., Osaka Univ., Nagoya Univ., I. of Molecular Sci., Tokyo Tech., NII/NAREGI; nodes labelled User and Service. Legend: VO: Virtual Organization, RO: Real Organization, PKI: Public Key Infrastructure.]
Roles of the "Registration Agency" and local accounts (title partly garbled)
• Local accounts ... grid-mapfile ... certificates ... (garbled)
• NII/NAREGI ... accounts ... (garbled)
[Figure: VO membership and certificate flow. VO Administrator; VOMS; voms-myproxy-init; MyProxy; Proxy; Organization A and Organization B, each with a UMS; User Certificate; Certificate with VO; grid-certreq.]
• Issued certificates ... mapping to local accounts ... (garbled)
• In NAREGI, local account mapping is done with the grid-mapfile ... (garbled)
• Questions (partly garbled): ... VOMS ...? ... VO ...? ...
• In EGEE the alternative is pool accounts, which needs LCAS/LCMAPS-style mapping (partly garbled)
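Added example, not part of the presentation or of any NAREGI, Globus or EGEE code: a Python model of the local account mapping the slides keep returning to. It parses a grid-mapfile in the Globus format (a quoted subject DN followed by a local account, or a `.pool` entry for EGEE-style pool accounts), strips the CN components that proxy certificates append so that a VOMS proxy maps to the same entry as the end-entity certificate, leases pool accounts stickily per DN the way gridmapdir does, and refuses limited proxies. The DNs, account names and the UID-in-CN convention are constructed to match the slide's description and are assumptions.

```python
import re

# Constructed sample grid-mapfile: one line per subject DN, then a local account or ".pool".
GRIDMAP = """\
# "<subject DN>" <local account>            (assumed CMC style: UID carried in the CN)
"/C=JP/O=Osaka University/OU=CMC/CN=Taro Yamada 1001" yamada
"/C=JP/O=Osaka University/OU=CMC/CN=Hanako Sato 1002" sato
# ".<pool>" leases an account from a pool instead of a fixed mapping
"/C=JP/O=NII/OU=NAREGI/CN=Guest 9001" .cmcpool
"""

# Proxy certificates (legacy Globus "proxy"/"limited proxy", RFC 3820 numeric CN)
# append one CN per delegation level; assumed here: real CNs are never pure digits.
_PROXY_CN = re.compile(r"/CN=(proxy|limited proxy|\d+)$")
_LIMITED = re.compile(r"/CN=limited proxy(?=/|$)")


def strip_proxy_cn(subject: str) -> str:
    """Reduce a proxy subject to the end-entity subject it was derived from."""
    while True:
        m = _PROXY_CN.search(subject)
        if m is None:
            return subject
        subject = subject[:m.start()]


def is_limited_proxy(subject: str) -> bool:
    """Limited proxies may fetch data but must not be accepted for job submission."""
    return _LIMITED.search(subject) is not None


def parse_gridmap(text: str):
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'"([^"]+)"\s+(\S+)$', line)
        if m is None:
            raise ValueError(f"bad grid-mapfile line: {raw!r}")
        entries.append((m.group(1), m.group(2)))
    return entries


class GridMapper:
    def __init__(self, gridmap_text: str, pools: dict):
        self.entries = parse_gridmap(gridmap_text)
        self.free = {name: list(accts) for name, accts in pools.items()}
        self.leases = {}            # (pool, end-entity DN) -> account, like gridmapdir

    def map_subject(self, subject: str):
        """Return the local account for a (proxy) subject, or None to reject it."""
        if is_limited_proxy(subject):
            return None
        dn = strip_proxy_cn(subject)
        for entry_dn, account in self.entries:
            if entry_dn == dn:
                return self._lease(account[1:], dn) if account.startswith(".") else account
        return None                 # unmapped DN: the gatekeeper must refuse the request

    def _lease(self, pool: str, dn: str):
        key = (pool, dn)
        if key not in self.leases:
            free = self.free.get(pool, [])
            if not free:
                raise RuntimeError(f"pool {pool!r} exhausted")
            self.leases[key] = free.pop(0)
        return self.leases[key]


if __name__ == "__main__":
    gm = GridMapper(GRIDMAP, {"cmcpool": ["cmcpool001", "cmcpool002"]})
    # A twice-delegated RFC 3820 proxy of Taro Yamada's (constructed) certificate.
    print(gm.map_subject("/C=JP/O=Osaka University/OU=CMC/CN=Taro Yamada 1001/CN=1234567/CN=9876"))
```

The sticky lease is the property that makes pool accounts auditable: the same DN always lands on the same local account until the lease is released, so file ownership and accounting records stay attributable to one certificate holder.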
Summary (title garbled)
• Certificate authorities
  – ... (garbled)
• Classic profile: AIST, KEK, NII/NAREGI
• MICS profile (...): CMC
• ... : T2K ...
  – ... (garbled)
• Federated authentication system
  – Campus PKI/SSO ... Shibboleth SP at CMC, IdP at each organization
    • LDAP: OK, Kerberos (Active Directory Server): OK, NIS: OK?
• VO
  – ... accounts? (garbled)
    • GT, NAREGI: ... local accounts? (garbled)
    • EGEE: LCAS/LCMAPS
• Execution environment (GridVM)
  – ... NAREGI ... (garbled)
  – Local scheduler (NEC NQS II) ... NAREGI SS ... (garbled)
    – GridMPI / MPI ... (GridVM ...) (garbled)
• Other local schedulers (...): PBS Pro, LoadLeveler; T2K (Torque+SCore, SGE, Parallelnavi), KEK (LSF)