Cyber-Science Infrastructure: the next-generation national academic information infrastructure for interuniversity collaboration in Japan

Yasuo OKABE
Academic Center for Computing and Media Studies, Kyoto University
okabe@i.kyoto-u.ac.jp

21st APAN e-Science
Information Infrastructure Centers in the Seven Universities in Japan

(Map of Japan showing the seven university centers and NII)
- Hokkaido University (Sapporo): Information Initiative Center
- Tohoku University (Sendai): Information Synergy Center
- University of Tokyo (Tokyo): Information Technology Center
- Nagoya University (Nagoya): Information Technology Center
- Kyoto University (Kyoto): Academic Center for Computing and Media Studies
- Osaka University (Osaka): Cybermedia Center
- Kyushu University (Fukuoka): Computing and Communications Center
- National Institute of Informatics (NII), Tokyo
Brief history of the federation among the Centers
- 1968-69: Established as supercomputer centers for nation-wide service
- 1981: Connected by commercial X.25 service
- 1986: Dedicated interuniversity X.25 network service started by NACSIS (predecessor of NII)
- 1988: JAIN (Japan Academic Inter-university Network) project started; IP over X.25
- 1992: SINET, the academic Internet backbone service, started by NACSIS
- 2002: Operation of SuperSINET started; Grid Computing WG formed by the 8 centers
- 2003: NAREGI (National Research Grid Initiative) project started
- ~2004: Federated identity management; unified ID; online subscription to secondary centers
NII: Toward Cyber-Science Infrastructure

Cyber-Science Infrastructure: the next-generation academic information infrastructure for interuniversity collaboration, built from the following components:
- SINET/SuperSINET: the national academic Internet backbone, connecting Hokkaido Univ., Tohoku Univ., Univ. of Tokyo, Nagoya Univ., Kyoto Univ., Osaka Univ., Kyushu Univ. and NII
- NAREGI (National Research Grid Initiative)
- UPKI: authentication and authorization platform
- GeNii (Global Environment for Networked Intellectual Information)
- NII-REO (Repository of Electronic Journals and Online Publications)
- International collaboration and cooperation with industry
- Fundamental resources for academic and research activities
- Education and training / encouraging young talent
NAREGI: National Research Grid Initiative
- http://www.naregi.org/
- A collaborative project among industry, academia and the government
NAREGI Grid Middleware stack
(Figure: the NAREGI grid middleware stack; see http://www.naregi.org/concept/index_e.html#05)
NAREGI CA
- A full-fledged CA (Certificate Authority) software package for PKI
- Originally developed for Grid computing, but usable for general purposes
- Free open-source software, available from the download site http://www.naregi.org/download/
- Many universities have already installed the NAREGI middleware on their testbeds and joined in testing it
Nationwide Academic Grid Networks over SuperSINET (experimental)

(Map: sites on SuperSINET joined by two experimental grid networks, the 8-center Grid Computing WG network and the NAREGI grid network)
- Sites shown: Hokkaido U., Tohoku U., U. Tokyo, Tokyo I. Tech., Nagoya U., Kyoto U., Doshisha U., Osaka U., Kyushu U., Kyushu I. Tech., AIST (Tsukuba), Institute for Molecular Science (Okazaki)
- NAREGI clusters: the NII core cluster and the NAREGI IMS cluster
UPKI: Inter-University Authentication and Authorization Platform for CSI
- The UPKI national academic authentication and authorization infrastructure project has just started
- Conducted by NII and the information infrastructure centers of the 7 universities
- Acts as the "glue" between the SINET/SuperSINET high-speed backbone and the NAREGI research grid
- Motivation
  - Federated identity management is unavoidable even within a (big) university
  - Many political and cultural issues also exist
Integrated Identity Management and Federated Identity Management
- Integrated identity management
  - Scalability: campus-wide ... maybe possible; nation-wide ... almost impossible; international ... never!
- Federated identity management
  - The solution for federation among independent organizations
  - Standardization in the OASIS SAML working group
  - Liberty Alliance ID-FF, by Sun, ...
  - WS-Federation, by Microsoft, IBM, ...
- Service model
  - Identity Provider (IdP)
  - Service Provider (SP)
What is Federated ID Management? Case study in library service
- In campus: integrated ID management
  - One can use the lending service or the copy service by showing a campus-wide ID card (personnel ID or student ID)
- Inter-university
  - SP (Service Provider) initiated: when a student visits another university, how can he use its lending service?
  - IdP (Identity Provider) initiated: when a professor visits a local library in his own university, how can he get remote-copy service for books held by a library at some other university?
- In our UPKI, PKI (Public Key Infrastructure) will be utilized for authentication among universities in Japan
UPKI: requirements
- Scalability
  - Up to 800 universities in Japan
  - A centralized system will never work; federated ID management is indispensable
- Security against so many cyber attacks and increasing physical attacks
- Privacy
  - Compliant with Japan's personal information protection law, enforced since April 2005
- Mobility
  - Both students and professors may visit other universities
- Cost
  - Each national university has been an independent agency since 2004
UPKI: basic idea
- Deployment of Grid/PKI middleware as the national academic AA (authentication and authorization) infrastructure
  - Management of faculty members, administrative staff and students
  - Virtual Organizations (VOs) such as committees, research groups or academic societies should be supported
- Targets all of the following, with a single infrastructure shared by all applications
  - Educational activities such as e-learning
  - Administrative work such as the exchange of credits among universities
  - Research activities such as Grid computing
  - Other networking services such as WLAN roaming
- AA based on federated identity management is the key
  - PKI solves some authentication issues, but not all
  - PKI itself has many problems in deployment
UPKI: PKI structure
(Diagram: four PKIs serving Univ A and Univ B, each with end entities EE1, EE2, EE3)
- Public PKI (server certificates): a public CA (PubCA) at NII issues certificates to servers at Univ A and Univ B
- Private PKI (user certificates): each university's private CA issues user certificates to its own end entities; ID federation links Univ A and Univ B
- Public PKI (S/MIME certificates): the public CA issues S/MIME certificates to users
- NAREGI PKI (Grid certificates): NAREGI-CA at NII issues Grid certificates, from which users derive proxy certificates
- The issuing process for NAREGI and S/MIME certificates can be shortened when the user already holds a private-CA certificate
Authentication for campus wireless LAN
(Diagram: a roaming professor authenticating at another university's wireless AP)
- Prof. A registers his public key with the RA (registration authority) of Hokkaido Univ.; the Hokkaido Univ. CA issues his certificate and publishes it in the certificate repository at NII
- The Hokkaido Univ. CA and the Bridge CA (at NII) mutually authenticate by cross-certification, with policy mapping between their certificate policies
- Prof. A visits another university and connects to a campus wireless AP, authenticating with his PKI token (private key)
- The visited campus's PKI/CA validates his certificate through the Bridge CA and authorizes access: a roaming service
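As an added example that is not from these slides or from the UPKI project, the Go program below, written for this page using only the standard library's crypto/x509, models the cross-certification path in the diagram above: the visited campus trusts nothing but its own CA, holds the bridge cross-certificates from the repository, and path-builds from Prof. A's user certificate through the bridge CA to that single anchor. Every CA name, key and certificate (Hokkaido Univ CA, UPKI Bridge CA, Kyoto Univ CA as the visited campus, Prof. A) is generated inside the program as constructed data; the policy mapping shown in the diagram is not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// entity is a CA or an end entity: a distinguished name plus its key pair.
// Every name and key in this file is generated on the spot (constructed data).
type entity struct {
	name pkix.Name
	key  *ecdsa.PrivateKey
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}
func newEntity(org, cn string) entity {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	return entity{pkix.Name{Country: []string{"JP"}, Organization: []string{org}, CommonName: cn}, key}
}

var serial int64
// issue has issuer sign a certificate binding subject's name to subject's public key.
// issuerCert == nil yields a self-signed trust anchor. A CA subject signed by another
// CA yields a cross-certificate: the subject CA's name and key, chained to the issuer.
func issue(subject, issuer entity, issuerCert *x509.Certificate, isCA bool) *x509.Certificate {
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: subject.name,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, // end entity: client auth
	}
	if isCA { // CA certificates sign other certificates and carry no EKU restriction
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil
	}
	if issuerCert == nil { // self-signed: the template is its own parent
		issuerCert = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuerCert, &subject.key.PublicKey, issuer.key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// buildFederation sets up three independent CAs (Hokkaido, Kyoto, the NII bridge) and
// returns what the visited campus (Kyoto) has at hand: its own root as the only trust
// anchor, the bridge cross-certificates from the repository, and Prof. A's user cert.
func buildFederation() (kyotoRoot *x509.Certificate, crossCerts []*x509.Certificate, profA *x509.Certificate) {
	hokkaido := newEntity("Hokkaido University", "Hokkaido Univ CA")
	bridge := newEntity("NII", "UPKI Bridge CA")
	kyoto := newEntity("Kyoto University", "Kyoto Univ CA")
	hokkaidoRoot := issue(hokkaido, hokkaido, nil, true)
	bridgeRoot := issue(bridge, bridge, nil, true)
	kyotoRoot = issue(kyoto, kyoto, nil, true)
	// Cross-certification is mutual in practice; for Kyoto validating a Hokkaido visitor
	// only the two certificates Kyoto -> Bridge and Bridge -> Hokkaido are needed.
	crossCerts = []*x509.Certificate{issue(bridge, kyoto, kyotoRoot, true), issue(hokkaido, bridge, bridgeRoot, true)}
	profA = issue(newEntity("Hokkaido University", "Prof. A"), hokkaido, hokkaidoRoot, false)
	return kyotoRoot, crossCerts, profA
}

// verifyVisitor is the check at the visited campus's authentication server: build a path
// from the presented user certificate, through cross-certificates, to the single local
// anchor. It returns the subject CNs along the accepted path, leaf first.
func verifyVisitor(user, localRoot *x509.Certificate, crossCerts []*x509.Certificate) ([]string, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(localRoot)
	for _, c := range crossCerts {
		inters.AddCert(c)
	}
	chains, err := user.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil {
		return nil, err
	}
	var path []string
	for _, c := range chains[0] {
		path = append(path, c.Subject.CommonName)
	}
	return path, nil
}

func main() {
	root, cross, profA := buildFederation()
	path, err := verifyVisitor(profA, root, cross)
	fmt.Println("via bridge:", path, err)
	_, err = verifyVisitor(profA, root, nil) // same cert, cross-certs missing: fails closed
	fmt.Println("without cross-certs:", err)
}
```

Run it with go run. The second call in main shows the failure mode a roaming operator has to plan for: with the cross-certificates absent, the very same certificate is rejected as coming from an unknown authority, so the repository that distributes them is part of the trusted path rather than an optional cache.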