www.egi.eu EGI-InSPIRE RI-261323
User Support in IGI: Related Tools and Services in Italy. EGI Technical Forum 2011, 19-23 September

Description: Introduction to the RESTful "lightweight" crypto library API:
- The Architecture;
- Software Requirements: Java™ PKCS#11, Bouncy Castle and Java CoG Kits; JAX-RS 1.2 Java APIs using the Jersey implementation; VOMS-API v.3.0; Apache Tomcat as a Web Container;
- Success Stories: the DECIDE, ViralGrid and EUMEDGrid-Support use cases.

User Support in IGI: Related Tools and Services in Italy
EGI Technical Forum, September 2011, Lyon Conference Centre, France
Giuseppe LA ROCCA, INFN Sez. di Catania

Outline
- Introduction to the RESTful lightweight crypto library API: the Architecture; SW/HW Requirements; Success stories.
- Investigation of new solutions for the design of a general purpose Grid portal for scientific applications.
- GriF: a collaborative tool for grid empowered computational applications.

Why a RESTful lightweight crypto library?
- REST (Representational State Transfer) is nowadays a de facto standard for accessing distributed resources in a web-affine manner.
- Every resource is uniquely represented by a global ID, e.g.: https://infn-lb-01.ct.pi2s2.it:9000/cANG8Wt2C8PYcL6h8YiLRg
- The JAX-RS (Java API for RESTful Web Services) specification, presented in JSR 311, defines a standard way to deploy RESTful web services.
- Jersey is the open source JAX-RS (JSR 311) Reference Implementation for building RESTful Web services.

Additional SW/HW Requirements
- The Cryptographic Token Interface Standard (PKCS#11) is a standard introduced by RSA Data Security Inc. It defines native programming interfaces to access cryptographic tokens (hardware cryptographic accelerators, smart cards, ...).
- The Bouncy Castle APIs provide support for creating two kinds of X.509 certificates (ver. 1 and ver. 3).
- CoG Kits allow users to provide Globus Toolkit functionality within their code without calling scripts, or in some cases without having Globus installed.
- The VOMS-Admin library (ver. 3.0), developed in the context of the DILIGENT and D4Science projects, is used for interacting with the VOMS server and retrieving the list of groups/roles per VO.
- eToken PRO smart cards (32/64KB) with the pki-client software (ver. ).

The 4-tier architecture of the lightweight crypto library
[Figure: tiers labelled Users, Client Applications, Grid Portals / Science Gateways, with the crypto library behind them.]

Main Features
- Deployed on Tomcat Application Server (ver. );
- Based on the PKCS#11 standard;
- Thread-safe access to the list of smart cards;
- SSL encryption using a trusted host certificate;
- Caching of proxy certificates for each valid requestID = serial + vo + fqan: if lifetime(requestID) - threshold > 0, the cached proxy is sent to the Science Gateway instead of generating a new one;
- Performance of the server evaluated with Apache JMeter: ~6-8 s waiting time for a new proxy, 20 ms for a cached proxy.

The working scenario (*)
[Figure: components eTokenServer, MyProxy Server and VOMS Server; interactions: ask for a service list / create request, execute service, get results, retrieve serials/proxy, ask for VOMS AC attributes and groups/roles, store long proxy. (*) SSL encryption.]

Some examples of usage (1/3)
- Listing the X.509 certificates installed on the eTokenServer;
- Printing results in JSON format.
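The proxy-cache rule from the Main Features slide (requestID = serial + vo + fqan; a cached proxy is reused only while lifetime(requestID) - threshold > 0), written out as an added example. This is not code from the eTokenServer or the slides; the class and function names, the injected clock and the proxy generator callback are assumptions, and the proxy values are constructed placeholders.

```python
"""Proxy cache keyed by requestID = serial + vo + fqan (added example)."""
import threading
import time
from dataclasses import dataclass


@dataclass
class Proxy:
    pem: str          # constructed placeholder for the proxy certificate
    not_after: float  # absolute expiry time (seconds since epoch)


class ProxyCache:
    """Reuses a proxy while its remaining lifetime exceeds the threshold."""

    def __init__(self, threshold: float, make_proxy, now=time.time):
        self.threshold = threshold      # minimum remaining lifetime (seconds)
        self.make_proxy = make_proxy    # callable(serial, vo, fqan, now) -> Proxy
        self.now = now                  # clock, injectable for deterministic tests
        self._cache = {}
        self._lock = threading.Lock()   # thread-safe access, as on the slide
        self.generated = 0              # number of slow "new proxy" operations

    @staticmethod
    def request_id(serial: str, vo: str, fqan: str) -> str:
        # requestID = serial + vo + fqan; a separator keeps the key unambiguous
        return "|".join((serial, vo, fqan))

    def get(self, serial: str, vo: str, fqan: str) -> Proxy:
        rid = self.request_id(serial, vo, fqan)
        with self._lock:
            cached = self._cache.get(rid)
            if cached is not None:
                remaining = cached.not_after - self.now()
                if remaining - self.threshold > 0:
                    return cached       # fast path: ~20 ms on the slide
            proxy = self.make_proxy(serial, vo, fqan, self.now())
            self._cache[rid] = proxy    # slow path: ~6-8 s on the slide
            self.generated += 1
            return proxy


def demo_proxy(serial, vo, fqan, issued_at):
    """Stand-in for eToken signing: a 12 h proxy with a constructed body."""
    return Proxy(pem=f"PROXY({serial},{vo},{fqan})", not_after=issued_at + 12 * 3600)


if __name__ == "__main__":
    cache = ProxyCache(threshold=600, make_proxy=demo_proxy)
    cache.get("1a2b", "vo.example", "/vo.example/Role=NULL")
    cache.get("1a2b", "vo.example", "/vo.example/Role=NULL")
    print("proxies generated:", cache.generated)  # 1: second call hit the cache
```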
Some examples of usage (2/3)
- Generating a VOMS proxy from a given robot certificate;
- Using the VOMS-Admin library to update the list of groups/roles.

Success Stories
The new crypto library is currently used by:
- The DECIDE Science Gateway (see the DECIDE demonstration at EGI-UF 2011; Abstract [47] "The DECIDE project Science Gateway", Sept. 20th, 14:00-14:15, Rhone 3);
- The ViralGrid Science Gateway (web);
- The EUMEDGRID-Support Service Challenge (web) and Science Gateway (Abstract [57] "The EUMEDGRID-Support User Forum", Sept. 23rd, 09:00-12:30, Rhone 2).

Investigation of new solutions for the design of a general purpose Grid portal for scientific applications.

Overview
- IGI (Italian Grid Initiative) is developing a web portal to ease the access to grid and cloud services;
- The main goal is to hide the complexity of X.509 certificates (request and management);
- IGTF policies and guidelines have been taken into account when designing the framework.

Two different scenarios
We distinguish between users with or without an X.509 certificate.
- User with certificate: upload it;
- User without certificate: the portal asks a CA-online for a certificate on behalf of the user.

Our Proposal
- The portal, using the SAML Delegation mechanism, asks a CA online for a Member Integrated Credential Services (MICS) certificate on behalf of the user.
- Why MICS? Certificate management is easier and more transparent for the user, and it avoids failures for jobs that have been submitted close to the Short Lived Certificates (SLCs) expiration date.

Configuration
During the first login, the user has to set his/her personal settings:
- Select the Identity Federation;
- Personal Information (FirstName, LastName, Institution, ...);
- Upload a new certificate (if any); if not, a CA-online will be contacted;
- Add a VO membership;
- Request a new VO membership;
- Specify an FQAN for each VO.

Authentication (1/2)
- Strong user identification by means of an IdP belonging to an accredited identity federation (i.e. the IDEM federation);
- If a user is not registered in an accredited identity federation he/she can't access the grid and cloud services through the portal.
- The portal redirects the user to his/her IdP login page;
- Once the proper IdP has authenticated the user, he/she will be automatically logged into the portal.

Authentication (2/2)
- The VOMS Server is contacted to sign the proxy with the right VOMS extensions.
- The portal asks for a passphrase to retrieve the proxy from the MyProxy Server.

4. Grid & Cloud Access
- For Job Submission and Data Management tasks, the portal uses WS-PGrade (MTA-SZTAKI);
- Other solutions are under investigation, e.g. JSAGA (IN2P3);
- For Cloud resource provisioning the portal is interfaced with WNoDES (INFN-CNAF);
- The accounting portlet provides information for both environments.

The Portal Schema as a whole
[Figure: portal schema.]

GriF: a collaborative tool for grid empowered computational applications.

What is GriF?
- GriF is a SOA Grid Framework aimed at running multi-purpose scientific applications on the EGI Grid;
- Easy submission over the Grid;
- Optimized distribution of tasks;
- Java based framework;
- Supports single and multiple job submission;
- For further information visit the link.

Tools for an E-science environment: Efficient Grid submission
[Figure: efficient Grid submission.]

GCreS: a credit system to reward member activities
- Use Grid sensors to evaluate the services provided;
- Use Grid sensors to evaluate user activities;
- Introduce a metric in the VO;
- Implement a credit system and cost of services.

Thank you!