Page 1

Internet2 Middleware Activities Progress

Renee Woodten Frost

Project Manager, Internet2 Middleware Initiative

I2 Middleware Liaison, University of Michigan

………………. And an ensemble of hundreds

Page 2

CIC AIS Directors Fall 2001

Acknowledgments

MACE and the working groups

NSF catalytic grant and meeting

Early Adopters

Higher Education partners - campuses, EDUCAUSE, CREN, AACRAO, SURA, NACUA, etc.

Corporate partners - IBM, ATT, Sun, Accord, Metamerge, et al.

Government partners - including NSF and the fPKI TWG

Page 3

Activities

Mace - RL “Bob” Morgan (Washington)

Early Harvest / Early Adopters - Renee Frost (Michigan)

LDAP Recipe - Michael Gettes (Georgetown)

EduPerson and EduOrg - Keith Hazelton (Wisconsin)

Directory of Directories for Higher Ed - Michael Gettes (Georgetown)

Metadirectories - Keith Hazelton (Wisconsin)

Shibboleth - Steven Carmody (Brown)

PKI Labs - Dartmouth and Wisconsin

HEPKI-TAG and PAG - Jim Jokl (Virginia) and Ken Klingenstein (Colorado)

HEBCA - Mark Luker (EDUCAUSE)

Medical Middleware - Rob Carter (Duke), Jack Buchanan (UT Health Science Ctr)

NSF Middleware Initiative – core middleware, pki, video, the GRID

Page 4

MACE (Middleware Architecture Committee for Education)

Purpose - to provide advice, create experiments, foster standards, etc. on key technical issues for core middleware within higher education

Membership - Bob Morgan (UW) Chair, Scott Cantor (Ohio State), Steven Carmody (Brown), Michael Gettes (Georgetown), Keith Hazelton (Wisconsin), Paul Hill (MIT), Jim Jokl (Virginia), Mark Poepping (CMU), Bruce Vincent (Stanford), David Wasley (California), Von Welch (Grid)

European members - Brian Gilmore (Edinburgh), Ton Verschuren (Netherlands)

Creates working groups in major areas, including directories, interrealm authentication, PKI, medical issues, etc.

Works via conference calls, emails, occasional serendipitous in-person meetings...

Page 5

National Science Foundation

Catalytic grant in Fall 99 started the organized efforts, with Early Harvest and Early Adopters

NSF Middleware Initiative - three year cooperative agreement, begun 9/1/01, with Internet2/EDUCAUSE/SURA and the GRIDs Center, to develop and deploy a national middleware infrastructure for science, research and higher education

Work products are community standards, best practices, schema and object classes, reference implementations, open source services, corporate relations

Work areas are identifiers, directories, authentication, authorization, GRIDs, PKI, video

Page 6

Early Harvest

NSF funded workshop in Fall 99 and subsequent activities

Defined the territory and established a work plan

Best practices in identifiers, authentication, and directories (http://middleware.internet2.edu/internet2-mi-best-practices-00.html)

http://middleware.internet2.edu/earlyharvest/

Page 7

Early Adopters: The Campus Testbed Phase

A variety of roles and missions

Commitment to move implementation forward

Provided some training and facilitated support

Develop national models of deployment alternatives

Address policy standards

Profiles and plans are on Internet2 middleware site

http://middleware.internet2.edu/earlyadopters/

Participants: Dartmouth, Hawaii, Johns Hopkins, Maryland-Baltimore County, Memphis, Michigan Tech, Michigan, Pittsburgh, Tennessee Health Science Center, Tufts, USC

Page 8

Early Adopters Business Case

Middleware Business Case and Writer’s Guide version 1.0

http://middleware.internet2.edu/earlyadopters/

Review and send comments to:

[email protected]

Page 9

What is Middleware?

specialized networked services that are shared by applications and users

a set of core software components that permit scaling of applications and networks

tools that take the complexity out of application integration

a second layer of the IT infrastructure, sitting above the network

a land where technology meets policy

the intersection of what networks designers and applications developers each do not want to do

Page 10

A Map of Middleware

Page 11

Core Middleware

Identity - unique markers of who you (person, machine, service, group) are

Authentication - how you prove or establish that you are that identity

Directories - where an identity’s basic characteristics are kept

Authorization - what an identity is permitted to do

PKI - emerging tools for security services

Page 12

Identity Services on One Slide

[Diagram: campus authentication and the enterprise directory at the centre, serving web services and servers, WebISO, learning management systems, personal portals and content portals; objectclass standards (e.g. eduPerson, gridPerson); Shibboleth exchange of attributes; future PKI; DoDHE et al.; interrealm security domain; Grids et al.]

Page 13

Simple point-to-point model

[Diagram: a client reaches a target through an authentication service; the target's attribute requestor queries an attribute authority backed by the enterprise LDAP directory; a policy decision point and several policy enforcement points sit between client and target; a service discovery service and protocols tie in the grid directory, the video directory and the enterprise LDAP directory.]

Page 14

The Major Projects

eduPerson and eduOrg (mace-dir)

the Directory of Directories for Higher Education (DoDHE)

Shibboleth (mace-shibboleth) and Webiso (mace-webiso)

Directories

metadirectories

groups

affiliated directories

HEBCA and PKI-Light (HEPKI-PAG and HEPKI-TAG)

PKI Labs at Dartmouth and Wisconsin

Videoconferencing and video on demand (vidmid)

OKI, JA-SIG and the Grids

Page 15

eduPerson

A directory objectclass intended to support inter-institutional applications

Fills gaps in traditional directory schema

For existing attributes, states good practices where known

Specifies several new attributes and controlled vocabulary to use as values.

Provides suggestions on how to assign values, but it is up to the institution to choose.

Version 1.0 now done; one or two revisions anticipated

Page 16

eduPerson 1.0

parent objectclass=inetOrgPerson

includes:

• affiliation (multi-valued)

• primary affiliation (faculty/student/staff)

• orgUnitDN (string)

• nickname (string)

• ePPN (identifier, user@securitydomain)

version 1.5 and beyond will contain other shared attributes
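An added example (not part of the slides and not MACE-Dir code) of what an eduPerson 1.0 entry looks like on the wire and how a campus can check it before publishing it: the entry must carry inetOrgPerson as its parent objectclass, affiliation may be multi-valued, the single primary affiliation must be one of those values, and the ePPN must have the user@securitydomain shape. The LDIF entry and the full controlled vocabulary for affiliation are constructed assumptions; the slide itself names only faculty/student/staff.

```python
"""Validate an eduPerson 1.0-style LDAP entry against the rules the slides
state.  Added example; the entry and the affiliation vocabulary are
constructed assumptions, not the eduPerson specification text."""
import re

# Controlled vocabulary assumed for this example.
AFFILIATIONS = {"faculty", "student", "staff", "alum",
                "member", "affiliate", "employee"}

# ePPN: user@securitydomain, where the domain is a DNS-style name.
EPPN_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def parse_ldif(text):
    """Minimal LDIF reader for one entry: 'attr: value' lines, with
    continuation lines starting with a space.  Base64 ('attr::') values
    are not handled; they are not needed for this example."""
    entry, last = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and last:
            entry[last][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        attr, value = attr.strip(), value.strip()
        entry.setdefault(attr, []).append(value)
        last = attr
    return entry


def validate_eduperson(entry):
    """Return a list of problems; an empty list means the entry is acceptable."""
    problems = []
    classes = {c.lower() for c in entry.get("objectClass", [])}
    if "eduperson" not in classes:
        problems.append("missing objectClass eduPerson")
    if "inetorgperson" not in classes:
        problems.append("eduPerson requires parent objectclass inetOrgPerson")

    affs = entry.get("eduPersonAffiliation", [])
    bad = [a for a in affs if a not in AFFILIATIONS]
    if bad:
        problems.append(f"affiliation values outside controlled vocabulary: {bad}")

    primary = entry.get("eduPersonPrimaryAffiliation", [])
    if len(primary) != 1:
        problems.append("eduPersonPrimaryAffiliation must be single-valued")
    elif primary[0] not in affs:
        problems.append("primary affiliation not among eduPersonAffiliation values")

    eppns = entry.get("eduPersonPrincipalName", [])
    if len(eppns) != 1 or not EPPN_RE.match(eppns[0]):
        problems.append("eduPersonPrincipalName must be exactly one user@securitydomain value")
    return problems


# Constructed sample entry.
SAMPLE_OK = """\
dn: uid=jdoe,ou=people,dc=example,dc=edu
objectClass: inetOrgPerson
objectClass: eduPerson
uid: jdoe
cn: Jane Doe
sn: Doe
eduPersonAffiliation: staff
eduPersonAffiliation: student
eduPersonPrimaryAffiliation: staff
eduPersonPrincipalName: jdoe@example.edu
"""

if __name__ == "__main__":
    print(validate_eduperson(parse_ldif(SAMPLE_OK)) or "entry ok")
```

The check that the primary affiliation is drawn from the affiliation values is the one most often missed in practice, because the two attributes are usually fed from different source systems.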

Page 17

A Directory of Directories

an experiment to build a combined directory search service

to show the power of coordination

will highlight the inconsistencies between institutions

technical investigation of load and scaling issues, centralized and decentralized approaches

human interface issues - searching large name spaces with limits by substring, location, affiliation, etc...

to suggest the service to follow

Sun donation of server and 6 million DNs

http://dodhe.internet2.edu/dodhe/

Page 18

Shibboleth

A word which was made the criterion by which to distinguish the Ephraimites from the Gileadites. The Ephraimites, not being able to pronounce sh, called the word sibboleth. See --Judges xii.

Hence, the criterion, test, or watchword of a party; a party cry or pet phrase.

- Webster's Revised Unabridged Dictionary (1913)

Page 19

Shibboleth

inter-institutional web authentication and basic authorization

authenticate locally, act globally - the Shibboleth shibboleth

emphasizes privacy through progressive disclosure of attributes

linked to commercial standards development in XML through OASIS

scenarios and architecture done; coding has commenced with alpha code due in January, 2002 to pilot sites

coding and design teams feature IBM/Tivoli, CMU, and the Ohio State University

strong partnership with IBM to develop and deploy

http://middleware.internet2.edu/shibboleth/

Page 20

Stage 1 - Addressing Three Scenarios

Member of campus community accessing licensed resource

• Anonymity required

Member of a course accessing remotely controlled resource

• Anonymity required

Member of a workgroup accessing controlled resources

• Controlled by unique identifiers (e.g. name)

Taken individually, each of these situations can be solved in a variety of straightforward ways.

Taken together, they present the challenge of meeting the user's reasonable expectations for protection of their personal privacy.

Page 21

Shibboleth Architecture Concepts - High Level

[Diagram: a browser at the origin site and a target web server at the target site. Authentication phase: first access is unauthenticated. Authorization phase: pass content if the user is allowed.]

Page 22

Shibboleth Architecture Concepts (detail)

[Diagram: browser, origin site (web login server, authentication, attribute server) and target site (target web server). Authentication phase: first access is unauthenticated; the target redirects the user to the local web login; Auth OK. Authorization phase: second access is authenticated; the target asks to obtain entitlements (Req Ent, Ent Prompt); the attribute server passes entitlements for the authz decision; pass content if the user is allowed. Success!]
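The three Stage 1 scenarios on Page 20 and the two-phase flow on Pages 21 and 22, as an added example in Python that is not Shibboleth code: the origin site's web login returns only an opaque handle, the target's attribute requestor presents that handle to the origin's attribute authority, and the attribute authority applies a per-target release policy so that the licensed-resource and course targets never receive an identifier while the workgroup target does. Every site name, user, password and policy here is constructed for the example.

```python
"""Shibboleth-style exchange in miniature: the user authenticates locally at
the origin site, the target site learns only an opaque handle, and the
origin's attribute authority releases to each target just the attributes
that target's release policy allows (progressive disclosure).  Added
example, not Shibboleth code; all sites, users and policies are constructed."""
import secrets


class Origin:
    """Origin site: web login server plus attribute authority."""

    def __init__(self, users, attributes, release_policy):
        self.users = users                    # uid -> password (constructed)
        self.attributes = attributes          # uid -> directory attributes
        self.release_policy = release_policy  # target name -> releasable attrs
        self.handles = {}                     # opaque handle -> uid

    def web_login(self, uid, password):
        """Local login.  On success returns an opaque handle, never the uid."""
        if self.users.get(uid) != password:
            return None
        handle = secrets.token_hex(8)
        self.handles[handle] = uid
        return handle

    def attribute_authority(self, handle, target):
        """Resolve the handle and filter the user's attributes by the target's
        attribute release policy.  Unknown handles get nothing."""
        uid = self.handles.get(handle)
        if uid is None:
            return {}
        allowed = self.release_policy.get(target, set())
        return {k: v for k, v in self.attributes[uid].items() if k in allowed}


class Target:
    """Target site: attribute requestor plus policy decision point."""

    def __init__(self, name, decide):
        self.name = name
        self.decide = decide  # PDP: released attributes -> allow?

    def access(self, origin, handle):
        """Second (authenticated) access: obtain entitlements, then decide."""
        entitlements = origin.attribute_authority(handle, self.name)
        return self.decide(entitlements), entitlements


def build_origin():
    return Origin(
        users={"jdoe": "correct horse"},
        attributes={"jdoe": {
            "eduPersonAffiliation": {"student"},
            "eduPersonPrincipalName": "jdoe@example.edu",
            "isMemberOf": {"cs101-fall2001"},
        }},
        # Scenario 1 and 2 targets never see an identifier; scenario 3 does.
        release_policy={
            "licensed-journal": {"eduPersonAffiliation"},
            "course-reader": {"eduPersonAffiliation", "isMemberOf"},
            "workgroup-wiki": {"eduPersonPrincipalName"},
        },
    )


def build_targets():
    return [
        Target("licensed-journal",
               lambda a: bool(a.get("eduPersonAffiliation", set())
                              & {"student", "faculty", "staff"})),
        Target("course-reader",
               lambda a: "cs101-fall2001" in a.get("isMemberOf", set())),
        Target("workgroup-wiki",
               lambda a: a.get("eduPersonPrincipalName")
               in {"jdoe@example.edu", "rsmith@example.edu"}),
    ]


def run_scenarios():
    """First access is unauthenticated, so the target redirects the browser
    to the origin's web login; the resulting handle then serves all three
    targets, each seeing a different slice of the user's attributes."""
    origin = build_origin()
    handle = origin.web_login("jdoe", "correct horse")
    results = {}
    for target in build_targets():
        allowed, released = target.access(origin, handle)
        results[target.name] = (allowed, sorted(released))
    return results


if __name__ == "__main__":
    for name, (allowed, released) in run_scenarios().items():
        print(f"{name}: allowed={allowed} released={released}")
```

The privacy property the slides ask for is enforced in one place, the release policy: the licensed-resource target can only ever learn an affiliation, so even a compromised target cannot correlate users across sessions.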

Page 23

Shibboleth Architecture - Components and Flow

Page 24

Middleware Inputs & Outputs

[Diagram: Grids, JA-SIG & uPortal, OKI, inter-realm calendaring, licensed resources and embedded app security around the outside; Shibboleth, eduPerson, affiliated directories, etc. as the interrealm layer; enterprise directory, enterprise authentication, enterprise authZ, campus web SSO, legacy systems and futures as the campus layer.]

Shibboleth, eduPerson, and everything else

Page 25

Project Status

Architecture definition finished (v0.9+)

Design/Programming now Underway

• Team membership drawn from IBM/Tivoli, CMU, Ohio State

• First Face-to-Face meeting on Sept 27, 28 at CMU

First Set of Pilot Sites Selected

• Chosen to test all 3 scenarios

• UK participation

Timeline for programming, piloting available end of October

Page 26

A Campus Directory Architecture

[Diagram: source systems feed registries; registries feed the DirDB behind the enterprise directory; a metadirectory links the enterprise directory with departmental directories and OS directories (MS, Novell, etc.); a border directory faces outward.]

Page 27

Metadirectories

The critical functions to glue together what inevitably turns out to be a number of campus, departmental and application-oriented directory services

Typically a coordinated set of services that watches updates to specific directories or from legacy data feeds and spreads those updates to other directories

Performs several subfunctions

• an identity registry or crosswalk to relate entries in different directories

• a set of connectors that take changes from one source and convert them for dissemination to other sources

Basic implementation from Metamerge is free to higher ed
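The two subfunctions above, as an added example in Python that is not Metamerge or any other product's code: a registry that maps each source system's key to one registry identifier (matching a second source's record to an existing person on a shared key rather than creating a duplicate), connectors that translate each source's attribute names to canonical ones, and downstream directories, including an outward-facing border directory, that each receive only the attributes they are permitted to hold. The source feeds, attribute mappings and the matching key are constructed.

```python
"""Metadirectory in miniature: identity registry (crosswalk), connectors,
and fan-out to directories with differing attribute exposure.  Added
example, not vendor code; feeds and mappings below are constructed."""


class Registry:
    """Crosswalk: one registry id per person, however many source-system
    keys refer to that person."""

    def __init__(self):
        self.by_source = {}   # (source, source_id) -> registry id
        self.people = {}      # registry id -> merged canonical attributes
        self._next = 1

    def resolve(self, source, source_id, match_value):
        key = (source, source_id)
        if key in self.by_source:
            return self.by_source[key]
        # Relate a new source record to an existing person on a strong key
        # (constructed here as 'matchKey'; in practice a sensitive value
        # that must never leave the registry).
        if match_value is not None:
            for rid, attrs in self.people.items():
                if attrs.get("matchKey") == match_value:
                    self.by_source[key] = rid
                    return rid
        rid = f"reg{self._next:04d}"
        self._next += 1
        self.people[rid] = {}
        self.by_source[key] = rid
        return rid


class Connector:
    """Takes a change from one source and converts it to canonical attributes."""

    def __init__(self, source, mapping):
        self.source = source
        self.mapping = mapping   # source attribute name -> canonical name

    def to_canonical(self, record):
        return {self.mapping[k]: v for k, v in record.items() if k in self.mapping}


class Directory:
    """A downstream directory that stores only the attributes it may hold."""

    def __init__(self, name, allowed):
        self.name, self.allowed, self.entries = name, allowed, {}

    def write(self, rid, attrs):
        self.entries[rid] = {k: v for k, v in attrs.items() if k in self.allowed}


class Metadirectory:
    def __init__(self, registry, connectors, directories):
        self.registry = registry
        self.connectors = {c.source: c for c in connectors}
        self.directories = directories

    def apply_change(self, source, source_id, record):
        """Normalize one source change, merge it into the registry entry, and
        spread the merged entry to every downstream directory."""
        canon = self.connectors[source].to_canonical(record)
        rid = self.registry.resolve(source, source_id, canon.get("matchKey"))
        self.registry.people[rid].update(canon)
        for d in self.directories:
            d.write(rid, self.registry.people[rid])
        return rid


def demo():
    """Constructed HR and student-system feeds for the same person."""
    hr = Connector("HR", {"EMP_NAME": "cn", "EMP_EMAIL": "mail",
                          "NATL_ID": "matchKey", "DEPT": "ou"})
    sis = Connector("SIS", {"NAME": "cn", "STUDENT_ID": "studentId",
                            "NATL_ID": "matchKey"})
    enterprise = Directory("enterprise", {"cn", "mail", "ou", "studentId"})
    border = Directory("border", {"cn", "mail"})   # outward-facing: no ids
    md = Metadirectory(Registry(), [hr, sis], [enterprise, border])
    r1 = md.apply_change("HR", "E100", {"EMP_NAME": "Jane Doe",
                                        "EMP_EMAIL": "jdoe@example.edu",
                                        "NATL_ID": "X-1", "DEPT": "Library"})
    r2 = md.apply_change("SIS", "S900", {"NAME": "Jane Doe",
                                         "STUDENT_ID": "S900", "NATL_ID": "X-1"})
    return md, r1, r2


if __name__ == "__main__":
    md, r1, r2 = demo()
    print(r1 == r2, md.directories[0].entries[r1], md.directories[1].entries[r1])
```

Note that the matching key reaches neither directory: the registry is the only place it lives, which is the property a border directory design depends on.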

Page 28

Directories – Group Management

Best practices in the use of core middleware to meet the authorization and messaging needs of applications

Initial foci are:

1) the conduct of a survey of several organizations' practices in this area and

2) investigations into meaningful definitions of, and productive ways of representing and operating on, "groups", "affiliations", "roles", and "correlations".

Groups Practices Survey

http://middleware.internet2.edu/dir/groups/

Page 29

PKI

First thoughts

Fundamentals - Components and Contexts

The missing pieces - in the technology and in the community

Higher Education activities (CREN, HEPKI-TAG, HEPKI-PAG, Net@EDU, PKI Labs)

Page 30

PKI: A few observations

Think of it as wall jack connectivity, except it’s connectivity for individuals, not for machines, and there’s no wall or jack…but it is that ubiquitous and important

Does it need to be a single infrastructure? What are the costs of multiple solutions? Subnets and ITPs...

Options breed complexity; managing complexity is essential

PKI can do so much that right now it does very little

Page 31

A few more...

IP connectivity was a field of dreams. We built it and then the applications came. Unfortunately, here the applications have arrived before the infrastructure, making its development much harder.

No one seems to be working on the solutions for the agora.

A general-purpose PKI seems like a difficult task, but instituting a PKI Light as a first step may not have enough paybacks.

Page 32

The general state of PKI

There are campus and corporate successes

• Corporations use internally for VPN, some authentication, signed email (with homogeneous client base)

• MIT, UT medical, soon VA, UCOP

Key is limited application use, lightweight policy approaches

There is very limited interrealm, community of interest or general interoperable work going on

• Federal efforts

• HealthKey

• Higher Ed

• Some European niches

Page 33

Why X.509/PKI?

Single infrastructure to provide all security services

Established technology standards, though little operational experience

Elegant technical underpinnings

Serves dozens of purposes - authentication, authorization, object encryption, digital signatures, communications channel encryption

Low cost in mass numbers

Page 34

Why Not X.509/PKI?

High legal barriers

Lack of mobility support

Challenging user interfaces, especially with regard to privacy and scaling

Persistent technical incompatibilities

Overall complexity

Page 35

The Four Planes of PKI

on the road to general purpose interrealm PKI

the planes represent different levels of simplification from the dream of a full interrealm, intercommunity multipurpose PKI

simplifications in policies, technologies, applications, scope

each plane provides experience and value

Page 36

The Four Planes are:

Full interrealm PKI - multipurpose, spanning broad and multiple communities, bridges to unite hierarchies, unfathomed directory issues

Simple interrealm PKI - multipurpose within a community, operating under standard policies and structured hierarchical directory services

PKI-Light - containing all the key components of a PKI, but many in simplified form; may be for a limited set of applications; may be extended within selected communities

PKI-Ultralight - easiest to construct and useful conveyance; ignores parts of PKI and not for use external to the institution; learn how to fly, but not a plane...

Page 37

Examples of Areas of Simplification

Spectrum of Assurance Levels

Signature Algorithms Permitted

Range of Applications Enabled

Revocation Requirements and Approaches

Subject Naming Requirements

Treatment of Mobility

...

Page 38

PKI-Light example (Texas-Houston)

CP: VeriSign

CRL: VeriSign

Applications: authentication

Mobility: USB dongle

Signing: md5RSA

Thumbprint: sha1

Naming: X.500

Directory Services needed: ?

Deployment: 5,000 medical students

Page 39

PKI-Light (MIT)

CP: none

CRL: limit lifetime

Applications: internal web authentication

Mobility: one per system; also password enabled

Signing: md5RSA

Thumbprint: sha1

Naming: X.500

Directory Services needed: none

Deployment: approximately 350,000 over five years

Page 40

D. Wasley’s PKI Puzzle

Page 41

Uses for PKI and Certificates

authentication and pseudo-authentication

signing docs

encrypting docs and mail

non-repudiation

secure channels across a network

authorization and attributes

secure multicast

and more...

Page 42

Implementation varies by contexts/components

Components (rows) against contexts (columns: Intracampus, Intercampus, General):

Certificate Systems - inhouse, insource, outsource

Application Integration

I/A processes

Profiles and Policies

Page 43

PKI Components

X.509 v3 certs - profiles and uses

Validation - Certificate Revocation Lists, OCSP, path construction

Cert management - generating certs, using keys, archiving and escrow, mobility, etc.

Directories - to store certs, and public keys and maybe private keys

Trust models and I/A

Cert-enabled apps

Page 44

X.509 certs

purpose - bind a public key to a subject

standard fields

extended fields

profiles to capture prototypes

client and server issues

v2 for those who started too early, v3 for current work, v4 being finalized to address some additional cert formats (attributes, etc.)

Page 45

Standard fields in certs

cert serial number

the subject, as x.500 DN or …

the subject’s public key

the validity field

the issuer, as ID and common name

signing algorithm

the signature over the cert, made with the issuer's private key

Page 46

Extension fields

Examples - authorization/subject subcodes, key usage, LDAP URL, CRL distribution points, etc.

Key usage is very important - for digital signatures, non-repudiation, key or data encipherment, etc.

Certain extensions can be marked “critical” - if an app can’t understand the extension, then it doesn’t use the cert

Requires profiles to document, and great care...
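The two rules above (key usage governs what a cert may be used for; a critical extension the application cannot interpret means the cert must not be used), as an added example in Python that is not code from any CA product or from the Internet2 work: it decodes the KeyUsage extension value from its DER BIT STRING encoding, honouring the unused-bits count, and then decides whether a certificate's extension list permits a given purpose. The extension list is a constructed stand-in for a parsed certificate; the object identifiers are the standard X.509 ones (2.5.29.15 keyUsage, 2.5.29.19 basicConstraints, 2.5.29.31 cRLDistributionPoints) and the byte strings are constructed DER.

```python
"""Key-usage and critical-extension handling for an X.509 v3 certificate.
Added example, not project or vendor code; the extension lists below are
constructed, the OIDs and DER encoding follow X.509."""

KEY_USAGE_OID = "2.5.29.15"
# Bit positions of the KeyUsage BIT STRING, most significant bit first.
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign",
                  "cRLSign", "encipherOnly", "decipherOnly"]

# Extensions this (hypothetical) application knows how to interpret.
UNDERSTOOD = {KEY_USAGE_OID, "2.5.29.19", "2.5.29.31"}


def decode_key_usage(der):
    """Decode a DER BIT STRING (tag 0x03, short-form length) into the set of
    named KeyUsage bits.  The first content byte says how many trailing bits
    of the last byte are padding and must be ignored."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("bad or unsupported length encoding")
    unused, body = der[2], der[3:]
    if unused > 7:
        raise ValueError("invalid unused-bits count")
    names = set()
    for i, name in enumerate(KEY_USAGE_BITS):
        byte, bit = divmod(i, 8)
        if byte >= len(body):
            break
        if byte == len(body) - 1 and bit >= 8 - unused:
            break                      # into the padding bits
        if body[byte] & (0x80 >> bit):
            names.add(name)
    return names


def usable_for(extensions, required_usage, understood=UNDERSTOOD):
    """extensions: list of (oid, critical, der_value) as parsed from a cert.
    Returns (ok, reason).  A critical extension we do not understand rejects
    the cert outright; a non-critical one is simply ignored."""
    key_usage = None
    for oid, critical, value in extensions:
        if oid not in understood:
            if critical:
                return False, f"critical extension {oid} not understood"
            continue
        if oid == KEY_USAGE_OID:
            key_usage = decode_key_usage(value)
    if key_usage is None:
        return True, "no keyUsage extension: usage unrestricted"
    missing = required_usage - key_usage
    if missing:
        return False, f"keyUsage lacks {sorted(missing)}"
    return True, "ok"


# Constructed DER: BIT STRING, 2 content bytes, 5 unused bits, 0xa0 =
# digitalSignature + keyEncipherment (a typical TLS client/server cert).
TLS_KEY_USAGE = bytes.fromhex("030205a0")
# 0x06 with 1 unused bit = keyCertSign + cRLSign (a CA cert).
CA_KEY_USAGE = bytes.fromhex("03020106")

if __name__ == "__main__":
    print(decode_key_usage(TLS_KEY_USAGE))
    print(usable_for([(KEY_USAGE_OID, True, TLS_KEY_USAGE)], {"nonRepudiation"}))
```

The unused-bits handling is where hand-rolled parsers go wrong: a value of 05 a0 must yield exactly two usages, not three, because bit 3 lies in the padding.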

Page 47

Cert Management

Certificate Management Protocol - for the creation, revocation and management of certs

Revocation Options - CRL, OCSP

Storage - where (device, directory, private cache, etc.) and how - format (DER, BER, etc.)

Escrow and archive of keys - when, how, and what else needs to be kept

Certificate Authority software or outsource options

• Homebrews

• Open Source - OpenSSL, OpenCA, Oscar

• Third party - Baltimore, Entrust, etc.

• OS-integrated - W2K, Sun/Netscape, etc.

Page 48

Directories

to store certs

to store CRL

to store private keys, for the time being

to store attributes

implement with border directories, or ACLs within the enterprise directory, or proprietary directories

Page 49

Certificate Policies (CP) and Practices Statements (CPS)

Policies: legal responsibilities and liabilities (indemnification issues)

Operations of certificate management systems

Will hopefully be somewhat uniform across the community

Assurance levels - varies according to I/A processes and other operational factors

Practices - site-specific details of operational compliance with a cert policy

A Policy Management Authority (PMA) determines if a CPS is adequate for a given CP.

Page 50

Inter-organizational trust model components

verifying sender-receiver assurance by finding a common trusted entity

must traverse perhaps branching paths to establish trust paths

must then use CRLs etc. to validate assurance

if policies are in cert payloads, then validation can be quite complex

delegation makes things even harder

Hierarchies vs. Bridges

• a philosophy and an implementation issue

• the concerns are transitivity and delegation

• hierarchies assert a common trust model

• bridges pairwise agree on trust models and policy mappings
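The path-construction and policy-mapping problem the slide describes, as an added example in Python that is not code from HEBCA, the federal bridge or any PKI toolkit: a relying party whose trust anchor is its own campus CA must find a chain to a certificate issued by another campus's CA, possibly through a bridge CA, then walk that chain checking revocation and translating its own policy into the other domain's policy at each cross-certificate. Where two paths exist (one direct cross-cert, one through the bridge) the example shows the fallback when the first is revoked. The CAs, policy names standing in for policy OIDs, serials and the CRL are all constructed; the policy processing is a deliberately simplified form of X.509 path validation.

```python
"""Trust-path construction across a bridge CA with policy mapping.  Added
example, not project code; CAs, policies, serials and the CRL are
constructed, and the policy walk is a simplified X.509 path validation."""
from collections import namedtuple

# policies: policy names the cert asserts in the SUBJECT's domain.
# mappings: issuer-domain policy -> subject-domain policy (cross-certs only).
Cert = namedtuple("Cert", "subject issuer policies mappings serial")


def build_paths(certs, leaf, anchor):
    """Return every chain [cert issued by anchor, ..., leaf].  A subject with
    several certificates (e.g. cross-certified two ways) makes the search
    branch; 'seen' serials stop cross-certification loops."""
    by_subject = {}
    for c in certs:
        by_subject.setdefault(c.subject, []).append(c)
    paths = []

    def walk(cert, chain, seen):
        if cert.issuer == anchor:
            paths.append([cert] + chain)
            return
        for parent in by_subject.get(cert.issuer, []):
            if parent.serial not in seen:
                walk(parent, [cert] + chain, seen | {parent.serial})

    walk(leaf, [], {leaf.serial})
    return paths


def validate_path(path, initial_policies, crl):
    """Walk from the anchor's domain down to the leaf.  At each cert the
    policies we currently accept are translated through that cert's
    mappings and intersected with what the cert asserts."""
    current = set(initial_policies)
    for cert in path:
        if cert.serial in crl:
            return False, f"{cert.subject} revoked (serial {cert.serial})"
        current = {cert.mappings.get(p, p) for p in current} & cert.policies
        if not current:
            return False, f"no acceptable policy at {cert.subject}"
    return True, sorted(current)


def find_valid_path(certs, leaf, anchor, initial_policies, crl):
    """Try each constructed path in turn; first valid one wins."""
    failures = []
    for path in build_paths(certs, leaf, anchor):
        ok, info = validate_path(path, initial_policies, crl)
        if ok:
            return [c.subject for c in path], info
        failures.append(info)
    return None, failures


ANCHOR = "CA-A"                  # the relying party's own campus CA
CRL = {"a-0002", "b-0007"}       # constructed: direct cross-cert revoked
CERTS = [
    # CA-A -> Bridge -> CA-B (the bridged route)
    Cert("Bridge", "CA-A", {"bridge-medium"}, {"A-medium": "bridge-medium"}, "a-0001"),
    # CA-A -> CA-B directly (a pairwise cross-cert, listed first so it is tried first)
    Cert("CA-B", "CA-A", {"B-basic"}, {"A-medium": "B-basic"}, "a-0002"),
    Cert("CA-B", "Bridge", {"B-basic"}, {"bridge-medium": "B-basic"}, "br-0001"),
    # end entities at campus B
    Cert("alice@b", "CA-B", {"B-basic"}, {}, "b-0005"),
    Cert("bob@b", "CA-B", {"B-low"}, {}, "b-0006"),
    Cert("carol@b", "CA-B", {"B-basic"}, {}, "b-0007"),
]


def leaf(subject):
    return next(c for c in CERTS if c.subject == subject)


if __name__ == "__main__":
    for who in ("alice@b", "bob@b", "carol@b"):
        print(who, find_valid_path(CERTS, leaf(who), ANCHOR, {"A-medium"}, CRL))
```

Two points the slide makes show up directly: the branching search is what "perhaps branching paths" costs, and the policy intersection is why policies carried in cert payloads make validation complex, since a cert chain can be cryptographically sound yet yield no acceptable policy at all (bob's case).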

Page 51

Mobility Options

smart cards

USB dongles

passwords to download from a store or directory

proprietary roaming schemes abound - Netscape, VeriSign, etc.

SACRED within IETF recently formed for standards

Difficulty in integration of certificates from multiple stores (hard drive, directory, hardware token, etc.)

Page 52

Will it fly?

Well, it has to…

Scalability

Performance

OBE

“With enough thrust, anything can fly”

Page 53

VidMid

Middleware for video

Videoconferencing

authenticated, identified video clients - work with commercial clients to use the underlying middleware plumbing

H.323, VRVS, and new SIP-oriented clients

Video on demand

access controls for video resources

schema for meta information

Works closely with ViDe (www.vide.org)

http://middleware.internet2.edu/video/

aggressive time frames

Page 54

Mace-Med

Unique requirements - HIPAA, disparate relationships, extended community, etc.

Unique demands - 7x24, visibility

PKI seen as a key tool

Mace-Med recently formed to explore the issues

Page 55

The enterprise architect view of medical middleware

[Diagram: a person registry feeding the enterprise directory, which feeds application directories, a border directory and LAN directories; institutional student, financial and personnel systems, medical administrative systems, hospital administrative systems and research systems as sources; PKI, authentication services and authorization services as shared services; external parties: peer institutions, federal and state governments, corporate collaborators and the Internet.]

Page 56

HEPKI (www.educause.edu/hepki/)

HEPKI - Technical Activities Group (TAG)

• universities actively working technical issues

• topics include Kerberos-PKI integration, public domain CA, profiles

• regular conference calls, email archives

HEPKI - Policy Activities Group (PAG)

• universities actively trying to deploy PKI

• topics include certificate policies, RFP sharing, interactions with state governments

• regular conference calls, email archives

Page 57

Internet2 PKI Labs

At Dartmouth and Wisconsin in computer science departments and IT organizations

Doing the deep research - two to five years out

Policy languages, path construction, attribute certificates, etc.

National Advisory Board of leading academic and corporate PKI experts provides direction

Catalyzed by startup funding from ATT

Page 58

OKI, JA-SIG and Grids

OKI

• major open learning management system being developed by MIT, Stanford, and North Carolina State, funded by the Mellon Foundation; reference architecture and open source implementation

• http://web.mit.edu/oki/intro.html

JA-SIG

• uPortal is a major portal architecture and implementation being developed by a number of schools with funding from the Mellon Foundation; also hopes to share administrative Java applets

• http://www.ja-sig.org/ and http://mis105.mis.udel.edu/ja-sig/uportal/index.html

GRIDS Center

• expanding use of Grids will reach to many campuses

• integration efforts underway

• http://www.globus.org and http://www.gridforum.org

Page 59

NSF Middleware Initiative (NMI)

• NSF award for integrators to

– Internet2, EDUCAUSE, and SURA

– The GRIDs Center (NCSA, UCSD, University of Chicago, USC/ISI, and University of Wisconsin)

• Build on the successes of the Internet2/MACE initiative and the Globus Project

• Three year cooperative agreement effective 9/1/01

• To develop and deploy a national middleware infrastructure for science, research and higher education

• Separate awards to academic pure research components

Page 60

The Grid

a model for a distributed computing environment, addressing diverse computational resources, distributed databases, network bandwidth, object brokering, security, etc.

Globus (www.globus.org) is the software that implements most of these components; Legion is another such software environment

Needs to integrate with campus infrastructure

Gridforum (www.gridforum.org): umbrella activity of agencies and academics

Look for grids to occur locally and nationally, in physics, earthquake engineering, etc.

Page 61

Map of Middleware

[Figure: map of middleware (diagram only; no text content in the transcript)]

Page 62

NMI: The Problem to Solve

• To allow scientists and engineers to transparently use and share distributed resources, such as computers, data, and instruments

• To develop effective collaboration and communications tools such as Grid technologies, desktop video, and other advanced services to expedite research and education

• To develop a working architecture and approach which can be extended to Internet users around the world

Middleware is the stuff that makes “transparently use” happen, providing consistency, security, privacy and capability

Page 63

NMI

• Work products

– Community standards

– Best practices

– Schema and object classes

– Reference implementations

– Open source services

– Corporate relations

• Work areas

– Identifiers

– Directories

– Authentication

– Authorization

– GRIDs

– PKI

– Video

Page 64

More information

Early Harvest / Early Adopters: http://middleware.internet2.edu/earlyadopters/

Mace: middleware.internet2.edu

LDAP Recipe: http://www.georgetown.edu/giia/internet2/ldap-recipe/

EduPerson: www.educause.edu/eduperson

Directory of Directories: middleware.internet2.edu/dodhe

Shibboleth: middleware.internet2.edu/shibboleth

HEPKI-TAG: www.educause.edu/hepki

HEPKI-PAG: www.educause.edu/hepki

Video: http://middleware.internet2.edu/video/