14-Nov-05 JISC Core Middleware Meeting
1
Middleware Initiatives in Australia
Alex Reid
Director, eResearch/Middleware, AARNet
Contents
• Australian Research Infrastructure
• Government Initiatives
• NREN
• Middleware
• Strategy
• MAMS
• PKI Project
• eduroam
National Research Infrastructure
Backing Australia’s Ability – An Innovation Action Plan for the Future
2001/2004: http://backingaus.innovation.gov.au/
• $3 billion over 5 years from 2000-1
• $5.3 billion over 7 years from 2004-5
Systemic Infrastructure Initiative (SII) to upgrade research infrastructure at Australian universities:
• $246m over 5 years from 2000-1 to 2005-6
• $542m over 6 years from 2005-6 to 2010-11
● HEBAC (Higher Education Bandwidth Advisory Committee) 2002-3 http://www.dest.gov.au/highered/research/pdf/aren.pdf
● ARENAC (Australian Research and Education Network Advisory Committee) 2003+ http://www.dest.gov.au/sectors/research_sector/programmes_funding/programme_categories/key_research_priorities/australian_research_and_education_network/arenac.htm
● HEIIAC -> ARIIC (Australian Research Information Infrastructure Committee) 2003+ http://www.dest.gov.au/highered/research/ariic.htm
● NRIT (National Research Infrastructure Task Force) 2003-4 http://www.dest.gov.au/sectors/research_sector/policies_issues_reviews/reviews/previous_reviews/national_research_infrastructure_taskforce_framework/default.htm
● NCRIS (National Collaborative Research Infrastructure Strategy) 2004-5 http://www.dest.gov.au/sectors/research_sector/policies_issues_reviews/key_issues/ncris/default.htm
● eResearch Coordinating Committee 2005+ http://www.dest.gov.au/sectors/research_sector/policies_issues_reviews/key_issues/e_research_consult/default.htm/
Research Infrastructure Framework
[Diagram: BAA ($3b + $5.3b) at the top, with the committees HEIIAC, HEBAC and NRIT in one row and ARIIC, ARENAC and NCRIS in the row below, then eRCC. Funding streams shown: SII ($246m + $542m), FRODO ($12m), MERRI ($19m), NREN ($70m), eResearch ($???).]
AARNet3 Components
• APL Tender for v3 of AARNet mid-2004
• ARENAC $70m + APL own reserves
• National Backbone: own 2 fibre pairs across the country – deployed since 2004 at 10Gbps
• Regional Network: diverse routes, using DWDM, up to 320Gbps
• International Links: IRU on 2x 10Gbps fibres across the Pacific (SCCN) – PoPs in Seattle, LA
• “Commodity” connectivity in Australia & USA (Seattle, Palo Alto)
• Participate in TEIN2 – PoPs in Singapore & Frankfurt
AARNet3 Infrastructure – National
AARNet3 Infrastructure – Comparison
AARNet3 Infrastructure – Global
Place of Middleware
[Layered diagram, listed from infrastructure up to users:]
• Facilities, Services, Resources: Processing, Data Storage, Instruments, Electronic Information
• Local, Regional, National & International Network Infrastructure
• Authentication, Authorisation, Access, Accounting: PKI, Shibboleth, etc
• Knowledge Management, Resource Management, Collaboration Tools, Grid Services
• Applications, Human Interfaces
• Users
Middleware: Application-independent; Resource- & Location-neutral
Draft Middleware Action Plan
Following National Forum Dec-04, a Draft Plan was agreed:
• Undertake an environmental scan.
• Establish a single PKI Certification Authority for R&E.
• Establish a sound basis for federated security systems in Australia that will scale to international federations.
• Establish appropriate mechanisms to coordinate all R&E Middleware initiatives in Australia.
• Agree to investigate adopting Shibboleth.
• Establish and sustain strong connections with relevant Australian initiatives/entities.
• Establish and strengthen overseas links.
• Promote the swift implementation of enterprise directory services at all Australian education and research institutions.
• Develop strong visibility for and marketing of the Middleware agenda in Australia.
Survey of Identity & Access Management
• Undertaken in May 2005
• Establish State-of-Play at Australian universities
• Identify best practice, barriers to rapid implementation, authorisation requirements
• Goal is:
– pervasive, federated infrastructure that integrates organisations internally while simultaneously allowing them to interoperate with others [Burton Group, 2002]
• 49% response (low, due to complexity)
• Currently:
– Usernames/passwords, Same Sign-on, EZProxy, VPNs, LDAP, in-house integration
• Moving to:
– Single Sign-on, automated integration (data feeds from corporate systems), Portals, PKI
• Barriers:
– Resources, high risk to critical systems, lack of standards/guidance & training, coordinated middleware
ARIIC Projects
1st Round (FRODO) 22-Oct-03 ($12m):
(Federated Repositories of Digital Objects)
– MAMS (Meta Access Management System) $4.2m
– ARROW (Australian Research Repositories Online to the World)
– ADT (Australian Digital Theses Program Expansion)
– APSR (Australian Partnership for Sustainable Repositories)
2nd Round (MERRI) 22-Aug-05 ($19m):
(Managed Environment for Research Repository Infrastructure)
– MAPS
– PKI/Shibboleth (operationalise the CAUDIT PKI Standards Project)
– 18 Others (mostly specific collections development/access & digitisation)
ARIIC MERRI Grant – MAPS
• Announced by Minister 22-Aug-05
• $582,910 granted
• Lead site: University of Queensland (Nick Tate)
• Supported by: CAUDIT, CAUL, Monash, ANU, Macquarie, AARNet, GrangeNet
• From now till end 2006
• Purpose:
– This project will identify the software and services (middleware) that are currently being used in Australia to link applications across a range of resources on networks and computer systems in Australian universities. The MAPS project will identify existing areas of activity in the university and research sectors, and use these results to tap into the expertise across the sector to build a strategic plan of activities and projects for an Australian collaborative middleware strategy. This is an important project whose outcomes will enable other projects to leverage off common infrastructure and focus on providing new services that can be shared across the education and research sectors.
MAPS Activities
Goal: Agreed Strategy for Middleware Deployment and Development (note the 2 strands)
• Project Manager
• Steering Committee, Reference Group, Kick-off Forum
• Wide consultation: committees, forums, wikis, mailing lists, Website
• Environmental Scan/Stocktake (local and global)
• Analysis of findings, development of draft Strategy
• Expert Reports
• Round-Table
• Finalisation of Strategy
• Future Funding Proposals
Existing Middleware Activity
• APAC Grid (http://www.apac.edu.au/programs/GRID/index.html)
• Nimrod-G (http://www.csse.monash.edu.au/~davida/nimrod/)
• CAUDIT-PKI (http://www.aarnet.edu.au/engineering/middleware/archive/middle/2004/ref/CAUDIT%20PKI%20Standards%20Proposal%20-%20V5.doc)
• AARLIN (http://www.aarlin.edu.au/)
• DEST/JISC e-Framework
• eduroam
• Emerging developers, end users, identity providers, service providers
• MAMS (https://mams.melcoe.mq.edu.au/zope/mams):
– Developing hands-on technical/policy experience with Shibboleth within the community
– Test Shibboleth federation is being established, including a WAYF server
– Scouting for suitable test IdPs and SPs
MAMS – Broad Goals
Meta-Access Management System
Addressing the “Authentication, Authorisation, Identity, Single-Sign-On, Federation, Trust, Security, Digital Rights and Automated Access Policy” Cluster of Problems!!
• Iterative demonstrations to help drive the gathering of user requirements
• Development of common services prototypes
– Intra-institutional multi-modal SSO
– Inter-institutional access management
  • Attribute exchange (Shibboleth)
  • Automation of policy
– Federated and extensible identity
– Other common services: DRM, search, metadata
• Implementation advice and programs
MAMS Next Steps
• Shibbolise Fedora, Dspace repository systems
• Add Shib to test environments at NLA, APSR, …
• Organise install-fests (SSO workshop) & roadshows
• Offer support (CMS, forum, mailing-list, FAQs)
• Start an Australian Federation:
– 3 levels: Test-Fed (sand pit); OZFed (identity verification); Legal (technically = OZFed, but formal agreement like InCommon)
• Integrate cross-domain SSO with institutional SSO
• Integrate with desktop SSO (Kerberos)
• Integrate XACML into SAML
• Develop plug-ins for legacy systems
• Develop ARP manager (Sharpe) & provisioning tools
• Easy installation packages (Shib+WebISO)
• Virtual Organisation (client & server) packages
• Offer policy & legal documents, etc…
MAMS ARP Editor – Sharpe
Manage SP:
- Add & Delete SPs
Manage Attribute Mapping:
- Create, Edit, Copy (clone), Delete Mapping Sets
Manage SP Contracts:
- Create, Edit, Delete SP Contracts
Manage User Contracts:
- Create, Edit, Delete User Contracts
CAUDIT PKI Project
The CAUDIT PKI Project involves developing a single national PKI standards framework for HE & Research, including:
– Certification Authority (CA)
– Registration Authorities (RA) – 50+
– Certificate Policy (CP)
– Certification Practice Statement (CPS)
– Able to scale to 1 million clients
Initially built purely for test/trial purposes:
– not to evolve into a production service model;
– only to survive until late 2005;
– support 4 levels of assurance;
– support cross-certification;
– support embedding in web browsers (positive Microsoft discussions);
– support signed emails.
CAUDIT PKI Project Certification Levels
Certificate Level – Description
Level 1: No proactive identity check has been provided to the RA. However, identity information has been provided by a body with which the RA has a trust relationship.
Example: A student being enrolled in at least one subject is sufficient for the certificate issuing; however, identity information has only been supplied by QTAC (or similar state body).
Level 2: Subject is required to provide proof of identity by an in-person appearance to the RA. However, the individual, for whatever reason, cannot provide the required 100 points of identification.
Example: A contractor, who is at an institution for a short time but needs access to a system protected by PK, may not have enough credentials on her person to meet the 100 points check but can provide some credentials like a driver's licence and/or credit card.
Level 3: Subject is required to provide proof of identity by an in-person appearance to the RA. That proof should accrue to at least 100 points of identity.
Example: A foreign staff member that has a valid passport and has a written reference from an acceptable referee.
Level 4: Subject is required to provide the same information as for Level 3 certification, in addition to a positive check to be conducted by an appropriate external agency.
PKI Trust Model
[Diagram: AusCERT Root CA (self-signed) at the top; beneath it AusCERT CA Level 1, Level 2, Level 3 and Level 4, each with RAs. Institution 1, Institution 2, ... Institution 52 and Institution 53 each have their own CA Level 1 to Level 4 with RAs; Institution 52 also shows an Old CA under its Level 1 CA. A Commercial CA chain and the AusCERT PMA are shown alongside.]
• AusCERT Root CA is trust anchor for the CAUDIT PKI
• Old CAs continue to work
• Cross-certifies with national, international and global PKIs (eg HEBCA)
• AusCERT will provide:
– PMA
– Directory of Directories
– Single point Certificate Dissemination.
– Single point CRL and OCSP.
– Virtual CA for institutions that can’t deploy own PKI
PMA = Policy Mgt Authority; CMS = Cert Mgt System; CRL = Cert Revocation List; OCSP = Online Cert Status Protocol
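The trust model and certification levels above, as an added example that is not part of the original slides: a small Python model of path validation up to the AusCERT Root CA that derives the assurance level a relying party may attach to an end-entity certificate. The certificate records, the subject names and the rule that no certificate on a path may assert a higher level than the CAs above it are assumptions for illustration; a real validator would also check signatures, validity periods and revocation status (CRL/OCSP), and would handle cross-certified commercial CAs, which this model simply treats as untrusted.

```python
TRUST_ANCHOR = "AusCERT Root CA"   # self-signed trust anchor (PKI Trust Model slide)

# Constructed certificate records for illustration: subject -> issuer and the
# certification level (1-4) asserted for the subject; the root carries none.
CERTS = {
    "AusCERT Root CA": {"issuer": "AusCERT Root CA", "level": None},
    "AusCERT CA Level 3": {"issuer": "AusCERT Root CA", "level": 3},
    "AusCERT CA Level 1": {"issuer": "AusCERT Root CA", "level": 1},
    "Institution 1 CA Level 3": {"issuer": "AusCERT CA Level 3", "level": 3},
    "Institution 1 CA Level 1": {"issuer": "AusCERT CA Level 1", "level": 1},
    "alice@inst1": {"issuer": "Institution 1 CA Level 3", "level": 3},
    "bob@inst1": {"issuer": "Institution 1 CA Level 1", "level": 1},
    # Mis-issued: a Level 1 institution CA asserting Level 3 for a subject.
    "mallory@inst1": {"issuer": "Institution 1 CA Level 1", "level": 3},
    # Chains to a CA that is not in the federation's trust store (assumed).
    "carol@other": {"issuer": "Unknown Commercial CA", "level": 4},
}


def build_path(subject, certs=CERTS):
    """Follow issuer links from subject up to a self-signed certificate.

    Returns the list of subject names on the path, or None when an issuer is
    unknown or the links loop (a loop would otherwise never terminate)."""
    path, seen = [], set()
    while subject in certs and subject not in seen:
        seen.add(subject)
        path.append(subject)
        issuer = certs[subject]["issuer"]
        if issuer == subject:          # reached a self-signed certificate
            return path
        subject = issuer
    return None


def effective_level(subject, certs=CERTS):
    """Assurance level a relying party may attach to subject's certificate.

    The path must terminate at the AusCERT Root CA, and the level is the
    minimum asserted anywhere on the path: a CA cannot confer more assurance
    than its own issuing chain holds, so a mis-issued level is capped."""
    path = build_path(subject, certs)
    if path is None or path[-1] != TRUST_ANCHOR:
        return 0                       # untrusted or incomplete chain
    levels = [certs[n]["level"] for n in path if certs[n]["level"] is not None]
    return min(levels) if levels else 0


def accept(subject, required_level, certs=CERTS):
    """True when the certificate meets the relying party's minimum level."""
    return effective_level(subject, certs) >= required_level
```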
CAUDIT PKI Project Status
Current Status:
• The AusCERT Root CA and the 4 Certification-Level CAs have been set up and are issuing certificates.
• UQ has set up its 4 Institution Level CAs and is issuing end-entity certificates.
• Monash and Victoria Universities have set up their Institution Level CAs and are issuing end-entity certificates; they are now heavily involved in client and CMS capability and interoperability studies with UQ and AusCERT.
• Certificate Policy/Certification Practice Statement has been drafted and sent to participant universities for feedback.
• A few pilot sites have dropped out because they couldn't supply the necessary resources; the others have also had resourcing issues but are soldiering on.
• Final Report submitted October 2005.
Next Step is to turn it into a production system, and establish close ties with Shibboleth (authorisation elements) – this has been funded as part of MERRI.
eduroam
• Being undertaken jointly by AARNet & GrangeNet
• 17 members signed up
• Deploy eduroam in AARNet offices & staff
• Write and seek endorsement for national eduroam policies (ratification by CAUDIT imminent)
• Promote and participate in eduroam developments within the APAN region
• Participate in eduroam global working group
• See www.eduroam.edu.au
Global Middleware Involvement
• Europe
– Close co-operation with JISC, Terena and European NRENs on eduroam & other Middleware activities
• Americas
– Working on eduroam and Shibboleth activities
• APAN (Asia-Pacific Area Network)
– Taking responsibility for advancing Middleware awareness/agenda within APAN
– APAN Middleware mailing list
– APAN Middleware stream for Jan 2006 Tokyo APAN meeting
• Global
– Convened eduroam global working group
– Involved in general Middleware policy (eg “Slaughter” meeting)
– Global Research & Education Federations mailing list (Refeds)
– MACE/MICE participation
END
QUESTIONS???
For further information about Australian Middleware developments, see:
http://www.aarnet.edu.au/engineering/middleware/
Email:
Alex Reid [email protected]
James Sankar: [email protected]