14-Nov-05 JISC Core Middleware Meeting 1 Middleware Initiatives in Australia Alex Reid Director, eResearch/Middleware, AARNet

Middleware Initiatives in Australia

Alex Reid

Director, eResearch/Middleware, AARNet

Contents

• Australian Research Infrastructure
• Government Initiatives
• NREN
• Middleware
• Strategy
• MAMS
• PKI Project
• eduroam

National Research Infrastructure

Backing Australia’s Ability – An Innovation Action Plan for the Future 2001/2004: http://backingaus.innovation.gov.au/

– $3 billion over 5 years from 2000-1
– $5.3 billion over 7 years from 2004-5

Systemic Infrastructure Initiative (SII) to upgrade research infrastructure at Australian universities:

– $246m over 5 years from 2000-1 to 2005-6
– $542m over 6 years from 2005-6 to 2010-11

● HEBAC (Higher Education Bandwidth Advisory Committee) 2002-3 http://www.dest.gov.au/highered/research/pdf/aren.pdf

● ARENAC (Australian Research and Education Network Advisory Committee) 2003+ http://www.dest.gov.au/sectors/research_sector/programmes_funding/programme_categories/key_research_priorities/australian_research_and_education_network/arenac.htm

● HEIIAC -> ARIIC (Australian Research Information Infrastructure Committee) 2003+ http://www.dest.gov.au/highered/research/ariic.htm

● NRIT (National Research Infrastructure Task Force) 2003-4 http://www.dest.gov.au/sectors/research_sector/policies_issues_reviews/reviews/previous_reviews/national_research_infrastructure_taskforce_framework/default.htm

● NCRIS (National Collaborative Research Infrastructure Strategy) 2004-5 http://www.dest.gov.au/sectors/research_sector/policies_issues_reviews/key_issues/ncris/default.htm

● eResearch Coordinating Committee 2005+ http://www.dest.gov.au/sectors/research_sector/policies_issues_reviews/key_issues/e_research_consult/default.htm/

Research Infrastructure Framework

[Diagram labels:]

BAA: $3b + $5.3b

HEIIAC, HEBAC, NRIT

ARIIC, ARENAC, NCRIS

eRCC

SII: $246m + $542m

FRODO: $12m

MERRI: $19m

NREN: $70m

eResearch: $???

AARNet3 Components

• APL Tender for v3 of AARNet mid-2004
• ARENAC $70m + APL own reserves
• National Backbone: own 2 fibre pairs across the country – deployed since 2004 at 10Gbps
• Regional Network: diverse routes, using DWDM, up to 320Gbps
• International Links: IRU on 2x 10Gbps fibres across the Pacific (SCCN) – PoPs in Seattle, LA
• “Commodity” connectivity in Australia & USA (Seattle, Palo Alto)
• Participate in TEIN2 – PoPs in Singapore & Frankfurt

AARNet3 Infrastructure – National

AARNet3 Infrastructure – Comparison

AARNet3 Infrastructure – Global

Place of Middleware

Facilities, Services, Resources: Processing, Data Storage, Instruments, Electronic Information

Local, Regional, National & International Network Infrastructure

Authentication, Authorisation, Access, Accounting: PKI, Shibboleth, etc

Knowledge Management, Resource Management, Collaboration Tools, Grid Services

Applications, Human Interfaces

Users

Middleware: Application-independent; Resource- & Location-neutral

Draft Middleware Action Plan

Following National Forum Dec-04, a Draft Plan was agreed:

• Undertake an environmental scan.
• Establish a single PKI Certification Authority for R&E.
• Establish a sound basis for federated security systems in Australia that will scale to international federations.
• Establish appropriate mechanisms to coordinate all R&E Middleware initiatives in Australia.
• Agree to investigate adopting Shibboleth.
• Establish and sustain strong connections with relevant Australian initiatives/entities.
• Establish and strengthen overseas links.
• Promote the swift implementation of enterprise directory services at all Australian education and research institutions.
• Develop strong visibility for and marketing of the Middleware agenda in Australia.

Survey of Identity & Access Management

• Undertaken in May 2005
• Establish State-of-Play at Australian universities
• Identify best practice, barriers to rapid implementation, authorisation requirements
• Goal is:
– pervasive, federated infrastructure that integrates organisations internally while simultaneously allowing them to interoperate with others [Burton Group, 2002]
• 49% response (low, due to complexity)
• Currently:
– Usernames/passwords, Same Sign-on, EZProxy, VPNs, LDAP, in-house integration
• Moving to:
– Single Sign-on, automated integration (data feeds from corporate systems), Portals, PKI
• Barriers:
– Resources, high risk to critical systems, lack of standards/guidance & training, coordinated middleware

ARIIC Projects

1st Round (FRODO) 22-Oct-03 ($12m):

(Federated Repositories of Digital Objects)

– MAMS (Meta Access Management System) $4.2m

– ARROW (Australian Research Repositories Online to the World)

– ADT (Australian Digital Theses Program Expansion)

– APSR (Australian Partnership for Sustainable Repositories)

2nd Round (MERRI) 22-Aug-05 ($19m):

(Managed Environment for Research Repository Infrastructure)

– MAPS

– PKI/Shibboleth (operationalise the CAUDIT PKI Standards Project)

– 18 Others (mostly specific collections development/access & digitisation)

ARIIC MERRI Grant – MAPS

• Announced by Minister 22-Aug-05
• $582,910 granted
• Lead site: University of Queensland (Nick Tate)
• Supported by: CAUDIT, CAUL, Monash, ANU, Macquarie, AARNet, GrangeNet
• From now till end 2006
• Purpose:

– This project will identify the software and services (middleware) that are currently being used in Australia to link applications across a range of resources on networks and computer systems in Australian universities. The MAPS project will identify existing areas of activity in the university and research sectors, and use these results to tap into the expertise across the sector to build a strategic plan of activities and projects for an Australian collaborative middleware strategy. This is an important project whose outcomes will enable other projects to leverage off common infrastructure and focus on providing new services that can be shared across the education and research sectors.

MAPS Activities

Goal: Agreed Strategy for Middleware Deployment and Development (note the 2 strands)

• Project Manager
• Steering Committee, Reference Group, Kick-off Forum
• Wide consultation: committees, forums, wikis, mailing lists, Website
• Environmental Scan/Stocktake (local and global)
• Analysis of findings, development of draft Strategy
• Expert Reports
• Round-Table
• Finalisation of Strategy
• Future Funding Proposals

Existing Middleware Activity

• APAC Grid (http://www.apac.edu.au/programs/GRID/index.html)
• Nimrod-G (http://www.csse.monash.edu.au/~davida/nimrod/)
• CAUDIT-PKI (http://www.aarnet.edu.au/engineering/middleware/archive/middle/2004/ref/CAUDIT%20PKI%20Standards%20Proposal%20-%20V5.doc)
• AARLIN (http://www.aarlin.edu.au/)
• DEST/JISC e-Framework
• eduroam
• Emerging developers, end users, identity providers, service providers
• MAMS (https://mams.melcoe.mq.edu.au/zope/mams):
– Developing hands-on technical/policy experience with Shibboleth within the community
– Test Shibboleth federation is being established, including a WAYF server
– Scouting for suitable test IdPs and SPs

MAMS – Broad Goals

Meta-Access Management System

• Addressing the “Authentication, Authorisation, Identity, Single-Sign-On, Federation, Trust, Security, Digital Rights and Automated Access Policy” Cluster of Problems!!
• Iterative demonstrations to help drive the gathering of user requirements
• Development of common services prototypes
– Intra-institutional multi-modal SSO
– Inter-institutional access management
    • Attribute exchange (Shibboleth)
    • Automation of policy
– Federated and extensible identity
– Other common services: DRM, search, metadata
• Implementation advice and programs

MAMS Next Steps

• Shibbolise Fedora, DSpace repository systems
• Add Shib to test environments at NLA, APSR, …
• Organise install-fests (SSO workshop) & roadshows
• Offer support (CMS, forum, mailing-list, FAQs)
• Start an Australian Federation:
– 3 levels: Test-Fed (sand pit); OZFed (identity verification); Legal (technically = OZFed, but formal agreement like InCommon)
• Integrate cross-domain SSO with institutional SSO
• Integrate with desktop SSO (Kerberos)
• Integrate XACML into SAML
• Develop plug-ins for legacy systems
• Develop ARP manager (Sharpe) & provisioning tools
• Easy installation packages (Shib+WebISO)
• Virtual Organisation (client & server) packages
• Offer policy & legal documents, etc…

MAMS ARP Editor – Sharpe

Manage SP:

- Add & Delete SPs

Manage Attribute Mapping:

- Create, Edit, Copy (clone), Delete Mapping Sets

Manage SP Contracts:

- Create, Edit, Delete SP Contracts

Manage User Contracts:

- Create, Edit, Delete User Contracts

CAUDIT PKI Project

The CAUDIT PKI Project involves developing a single national PKI standards framework for HE & Research, including:
– Certification Authority (CA)
– Registration Authorities (RA) – 50+
– Certificate Policy (CP)
– Certification Practice Statement (CPS)
– Able to scale to 1 million clients

Initially built purely for test/trial purposes:
– not evolve into a production service model;
– only survive until late 2005;
– support 4 levels of assurance;
– support cross-certification;
– support embedding in web browsers (positive Microsoft discussions);
– support signed emails.

CAUDIT PKI Project Certification Levels

Certificate Level: Description

Level 1: No proactive identity check has been provided to the RA. However, identity information has been provided by a body with which the RA has a trust relationship.
Example: A student being enrolled in at least one subject is sufficient for the certificate to be issued; however, identity information has only been supplied by QTAC (or similar state body).

Level 2: Subject is required to provide proof of identity by an in-person appearance to the RA. However, the individual, for whatever reason, cannot provide the required 100 points of identification.
Example: A contractor, who is at an institution for a short time but needs access to a system protected by PK, may not have enough credentials on her person to meet the 100 points check but can provide some credentials like a driver's licence and/or credit card.

Level 3: Subject is required to provide proof of identity by an in-person appearance to the RA. That proof should accrue to at least 100 points of identity.
Example: A foreign staff member who has a valid passport and a written reference from an acceptable referee.

Level 4: Subject is required to provide the same information as for Level 3 certification, in addition to a positive check to be conducted by an appropriate external agency.

PKI Trust Model

[Diagram: AusCERT Root CA (self-signed) with a Commercial CA chain; AusCERT CA Levels 1 to 4 with RAs; institution CAs at Levels 1 to 4 with RAs for Institution 1, Institution 2, ... Institution 52, Institution 53; an Old CA; AusCERT PMA.]

• AusCERT Root CA is trust anchor for the CAUDIT PKI

• Old CAs continue to work

• Cross-certifies with national, international and global PKIs (eg HEBCA)

• AusCERT will provide:
– PMA
– Directory of Directories
– Single point Certificate Dissemination.
– Single point CRL and OCSP.
– Virtual CA for institutions that can’t deploy own PKI

PMA = Policy Mgt Authority; CMS = Cert Mgt System; CRL = Cert Revocation List; OCSP = Online Cert Status Protocol

CAUDIT PKI Project Status

Current Status:

• The AusCERT Root CA and the 4-Certification-Level CA have been set up and are issuing certificates.
• UQ has set up its 4 Institution Level CAs and is issuing end-entity certificates.
• Monash and Victoria Universities have set up their Institution Level CAs and are issuing end-entity certificates; they are now heavily involved in client and CMS capability and interoperability studies with UQ and AusCERT.
• Certificate Policy/Certification Practice Statement has been drafted and sent to participant universities for feedback.
• A few pilot sites have dropped out because they couldn't supply the necessary resources; the others have also had resourcing issues but are soldiering on.
• Final Report submitted October 2005.
• Next Step is to turn it into a production system, and establish close ties with Shibboleth (authorisation elements) – this has been funded as part of MERRI

eduroam

• Being undertaken jointly by AARNet & GrangeNet
• 17 members signed up
• Deploy eduroam in AARNet offices & staff
• Write and seek endorsement for national eduroam policies (ratification by CAUDIT imminent)
• Promote and participate in eduroam developments within the APAN region
• Participate in eduroam global working group
• See www.eduroam.edu.au

Global Middleware Involvement

• Europe
– Close co-operation with JISC, Terena and European NRENs on eduroam & other Middleware activities
• Americas
– Working on eduroam and Shibboleth activities
• APAN (Asia-Pacific Area Network)
– Taking responsibility for advancing Middleware awareness/agenda within APAN
– APAN Middleware mailing list
– APAN Middleware stream for Jan 2006 Tokyo APAN meeting
• Global
– Convened eduroam global working group
– Involved in general Middleware policy (eg “Slaughter” meeting)
– Global Research & Education Federations mailing list (Refeds)
– MACE/MICE participation

END

QUESTIONS???

For further information about Australian Middleware developments, see:

http://www.aarnet.edu.au/engineering/middleware/

Email:

Alex Reid [email protected]

James Sankar: [email protected]