Introduction to UPKI project in JAPAN
Yasuo Okabe, Academic Center for Computing and Media Studies, Kyoto University
TF-EMC2 Meeting, Prague
Statistics of Higher Education Institutions in Japan
Source: Ministry of Education and Science, 2005FY (table not included here)
Information Infrastructure Centers in the Seven Universities in JAPAN
• Hokkaido University Information Initiative Center (Sapporo)
• Tohoku University Information Synergy Center (Sendai)
• University of Tokyo Information Technology Center (Tokyo)
• Nagoya University Information Technology Center (Nagoya)
• Kyoto University Academic Center for Computing and Media Studies (Kyoto)
• Osaka University Cybermedia Center (Osaka)
• Kyushu University Computing and Communications Center (Fukuoka)
• National Institute of Informatics (NII)
Brief history of federation among the Centers
• 1965~70: 7 centers established as supercomputer centers for nation-wide service
• 1981: Connected by commercial X.25 service
• 1986: NACSIS (predecessor of NII) established; N-1 Network project: dedicated interuniversity X.25 network service
• 1988: JAIN (Japan Academic Inter-university Network) project started
• 1992: SINET, the academic Internet backbone service, was started by NACSIS
• 1998-2003: Reorganized as Information Infrastructure centers; merger with the education centers for computer literacy
• 2000: NII (National Institute of Informatics) established
• 2002: Operation of SuperSINET was started
• 2003: NAREGI (National Research Grid Initiative) project started; Grid Computing Research Group
• 2005: AuthN/AuthZ Research Group; UPKI project planned
• 2006: UPKI project officially launched
• Federated identity management among the centers (~2004): unified ID; online subscription to secondary centers
NII: Toward Cyber-Science Infrastructure
Next-generation Academic Information Infrastructure for Interuniversity Collaboration
• Cyber-Science Infrastructure
  • GeNii (Global Environment for Networked Intellectual Information)
  • NII-REO (Repository of Electronic Journals and Online Publications)
  • NAREGI (National Research Grid Initiative)
  • International Collaboration
  • Cooperation with Industry
  • UPKI: Authentication and Authorization Platform
• SINET/SuperSINET: National Academic Internet Backbone, connecting NII with Hokkaido University, Tohoku University, University of Tokyo, Nagoya University, Kyoto University, Osaka University and Kyushu University
• Fundamental Resources for Academic and Research Activities
• Education and Training / Encouraging Young Talent
UPKI ― Inter-University Authentication and Authorization Platform for CSI
• Conducted by NII and the information infrastructure centers in 7 universities
• Supported by Ministry of Education, Science and Technology
Figure: a professor and a staff member of University B use the access points of University A and University B (wireless LAN roaming), the electronic contents of University C and the administrative system of University C; each of University A, B and C runs its own Campus AAI, and the Campus AAIs are linked by the UPKI common specification.
UPKI ― Inter-University Authentication and Authorization Platform for CSI
• Motivation (for NII)
  • As a “glue” between the SINET high-speed backbone and the supercomputing grid (by NAREGI) or the contents services by NII
• Motivation (for universities)
  • Promoting installation of campus AuthNZ infrastructure
  • Eliminating various costs through joint action
  • Federated identity management is unavoidable even within a (big) university
  • Many political and cultural issues exist
UPKI: project members
NII SINET Headquarters, Authentication and Authorization Working Group
• Yasuo Okabe, Kyoto University (chair)
• Noboru Sonehara, NII (vice chair)
• Yoshiaki Takai, Hokkaido University
• Hideaki Sone, Tohoku University
• Hiroyuki Sato, University of Tokyo
• Yasushi Hirano, Nagoya University
• Ken-ichi Baba, Osaka University
• Takahiro Suzuki, Kyushu University
• Katsuyoshi Iida, Tokyo Institute of Technology
• Fukuko Yuasa, KEK (Institute of High Energy Physics)
UPKI: concept
• Targets various applications
  • SSO of Web services
  • E-mail digital signature/encryption by S/MIME
  • Network services: wireless LAN roaming and VPN
  • Grid computing
• Utilization of PKI
• “U” stands for University/Universal/Ubiquitous
• Deployment of Grid/PKI middleware for the national academic AA infrastructure
UPKI three-layer Architecture (figure; Shibboleth/SAML)
Subprojects by NII
• UPKI common CP/CPS【WP1】
• Public server certificate【WP2】
• Inter-University W-LAN roaming【WP3】
• SSO for Digital Library Service by NII and other universities via Shibboleth/SAML【WP4】
• Development of CA middleware【WP5】
• Deployment of S/MIME e-mail signature/encryption architecture【WP6】
【WP1】UPKI Common Specifications
• UPKI Common Specifications
  • Campus PKI procurement guidelines
  • Campus PKI CP/CPS templates
  • Campus PKI model: two outsource models and one insource model
• Developed and published for the outsource model
  • https://upki-portal.nii.ac.jp/upkispecific/specific (only available in JAPANESE!)
• Goals
  • To promote campus PKI deployment
  • To reduce cost
  • To keep multi-university cooperativity
Roadmap (2006 - 2009):
• Campus PKI specification: outsource model, insource model, multi-university cooperative model
• Campus CP/CPS templates: outsource model, insource model, multi-university cooperative model
• Deployment of campus PKI at each university, then connecting universities, then federation of applications
Operation Models of CA (CP/CPS) (figure)
• Full outsource: the provider operates both the IA (Issuing Authority) and the RA (Registration Authority) for the university
• Outsource: the provider operates the IA; the university operates the RA
• Insource: the university operates both the IA and the RA
【WP2】Public server certificate project
• Challenges
  • Optimization of RA operation for High-Ed
  • Customization of local operation in each institution
  • Automation of RA operation by using Campus PKI certs as a credential (in the future)
• Expected outcomes
  • Best practice of local operation optimized for High-Ed
  • Tips for server certificate installation (for niche implementations)
  • Tips for improving local operations in institutions
  • Stimulating demand for S/MIME (used by local operators)
Schemes for Registration and Issuance (figure)
• SECOM Trust Systems: Root CA (SC-Root1, offline) and Open Domain CA (online IA, at the end of the cert chain); performs registration and issuance
• NII: RA operator; verifies organization identity, domain ownership and local operator acceptance; sends bulk requests to the IA and receives the certificates in bulk
• High-Ed institution: local operator verifies subscriber identity, subscriber acceptance and server ownership; the subscriber submits a CSR, receives the certificate and installs it on the web server
【WP4】Shibboleth Architecture (figure)
• SP (Service Provider): Resource, Resource Access Controller, Assertion Consumer Service, Artifact Resolution Service, Attribute Request, AAP (Attribute Acceptance Policy)
• IdP (Identity Provider): SSO Service, Authentication Authority, Attribute Authority, Attribute Repository, ARP (Attribute Release Policy)
• Flow: the user requests a resource at the SP; access control sends the user to the IdP for AuthN (IC card); the IdP returns an assertion to the SP's Assertion Consumer Service; attribute exchange between the SP's attribute request and the IdP's Attribute Authority, filtered by the ARP at the IdP and the AAP at the SP; AuthZ decision; actual access
* WAYF (Where Are You From) services are omitted
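The SP/IdP exchange sketched in the WP4 figure, modelled as an added Python example (this is not code from the UPKI project or from Shibboleth itself). The entity IDs, user records and policies are constructed for the example, and an HMAC over the assertion stands in for the XML signature that a real Shibboleth IdP applies and that the SP verifies with the IdP's certificate from federation metadata. It shows the checks the Assertion Consumer Service must make before trusting an assertion (signature, issuer, audience, validity window) and how the ARP at the IdP and the AAP at the SP each filter attributes before the access control decision.

```python
import hashlib
import hmac
import json
import time

# --- Constructed sample deployment (hypothetical names, not from the slide) ---
IDP_ENTITY_ID = "https://idp.b-univ.example/shibboleth"
SP_ENTITY_ID = "https://sp.c-univ.example/shibboleth"
ASSERTION_LIFETIME = 300  # seconds an assertion stays valid

# Constructed signing secret. A real IdP signs with its private key and the SP
# verifies with the IdP's X.509 certificate; an HMAC stands in for that here so
# the example runs with the standard library only.
IDP_SIGNING_KEY = b"constructed-idp-signing-key-do-not-reuse"

# Attribute Repository behind the IdP's Attribute Authority (constructed users).
ATTRIBUTE_REPOSITORY = {
    "prof-b": {
        "eduPersonPrincipalName": "prof-b@b-univ.example",
        "eduPersonAffiliation": "faculty",
        "mail": "prof-b@b-univ.example",
        "homePhone": "+81-00-0000-0000",
    },
    "student-b": {
        "eduPersonPrincipalName": "student-b@b-univ.example",
        "eduPersonAffiliation": "student",
        "mail": "student-b@b-univ.example",
    },
}

# ARP (Attribute Release Policy) at the IdP: what each SP may receive.
ARP = {SP_ENTITY_ID: {"eduPersonPrincipalName", "eduPersonAffiliation", "mail"}}

# AAP (Attribute Acceptance Policy) at the SP: what it trusts from which IdP.
AAP = {IDP_ENTITY_ID: {"eduPersonPrincipalName", "eduPersonAffiliation"}}

# Access control rule of the protected resource.
ALLOWED_AFFILIATIONS = {"faculty", "staff"}


def _canonical(payload):
    """Stable byte encoding so signer and verifier hash the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_assertion(assertion):
    return hmac.new(IDP_SIGNING_KEY, _canonical(assertion), hashlib.sha256).hexdigest()


def idp_issue_assertion(principal, sp_entity_id, now=None):
    """SSO Service + Authentication Authority + Attribute Authority of the IdP."""
    now = int(time.time()) if now is None else now
    if principal not in ATTRIBUTE_REPOSITORY:
        return None  # AuthN failed: unknown principal
    released = {
        name: value
        for name, value in ATTRIBUTE_REPOSITORY[principal].items()
        if name in ARP.get(sp_entity_id, set())  # ARP filtering
    }
    assertion = {
        "issuer": IDP_ENTITY_ID,
        "audience": sp_entity_id,
        "subject": principal,
        "issued_at": now,
        "expires_at": now + ASSERTION_LIFETIME,
        "attributes": released,
    }
    return {"assertion": assertion, "signature": sign_assertion(assertion)}


def sp_consume_assertion(signed, now=None):
    """Assertion Consumer Service of the SP: accepted attributes, or None if rejected."""
    now = int(time.time()) if now is None else now
    assertion = signed["assertion"]
    if not hmac.compare_digest(sign_assertion(assertion), signed["signature"]):
        return None  # tampered, or not signed by the trusted IdP
    if assertion["issuer"] not in AAP:
        return None  # issuer unknown to this SP
    if assertion["audience"] != SP_ENTITY_ID:
        return None  # assertion was issued for another SP
    if not assertion["issued_at"] <= now < assertion["expires_at"]:
        return None  # outside the validity window (limits replay)
    accepted = AAP[assertion["issuer"]]  # AAP filtering
    return {k: v for k, v in assertion["attributes"].items() if k in accepted}


def sp_access_control(attributes):
    """AuthZ decision of the Resource Access Controller."""
    return attributes.get("eduPersonAffiliation") in ALLOWED_AFFILIATIONS


def sso_request(principal, now=None):
    """Whole round trip SP -> IdP -> SP; returns the decision and the attributes seen."""
    now = int(time.time()) if now is None else now
    signed = idp_issue_assertion(principal, SP_ENTITY_ID, now)
    if signed is None:
        return {"granted": False, "attributes": {}}
    attributes = sp_consume_assertion(signed, now)
    if attributes is None:
        return {"granted": False, "attributes": {}}
    return {"granted": sp_access_control(attributes), "attributes": attributes}


if __name__ == "__main__":
    print(sso_request("prof-b"))
    print(sso_request("student-b"))
```

The point the two policies make together: the IdP releases `mail` to this SP under its ARP, but the SP's AAP never lets it reach the access controller, so neither side has to trust the other's configuration for its own data minimization.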
【WP5】NII GOC CA operation (figure)
Actors: certificate users and host administrators (user site), RA administrator and CA operator (NAREGI CA)
① Preparation: account registration request and account registration; application for a bulk license ID and issuance of the bulk license ID
② License ID request: the request is received and inspected
③ Issuance request, ④ Revoke request, ⑤ Reissuance request: certificate request; the request is received and the certificate is issued or revoked
⑥ Retrieve data for creating the map file: the data for creating the map file is made and retrieved
Campus-Grid PKI Federation (figure)
• Campus PKI: the Campus CA issues a certificate to the user on an IC card
• Grid PKI: the user requests a certificate from the NAREGI RA using the IC card as credential; the NAREGI CA (with LDAP) issues the certificate for the grid system
• The user accesses the grid system (supercomputers) with the certificate for the grid system
UPKI Initiative
• Founded on 16 Aug 2006
• Sponsored by NII AAI TWG
• Mission: gathering interests and opinions of not only universities but also industries
• https://upki-portal.nii.ac.jp/
Figure: the NII CSI Headquarters AAI TWG publishes the common specification; the UPKI Initiative (Hokkaido U, Tohoku U, U. Tokyo, Nagoya U, Kyoto U, Osaka U, Kyushu U, universities, junior colleges, KEK, Tokyo Tech, technical colleges, NII, research institutes, etc.) returns opinions and comments, and further organizations join it.
Summary
• The UPKI national academic authentication and authorization infrastructure project has started.
  • Conducted by NII and the information infrastructure centers in the 7 universities
  • As a basic platform of Cyber Science Infrastructure
• We started later, so we have gained some advantages.
• International federation/collaboration is a very important issue.
APAN Middleware Working Group
APAN (Asia-Pacific Advanced Networking)
• 20th APAN (Taipei, Aug. 2005): National Authentication and Authorization Infrastructure and NREN (proposed session)
• 21st APAN (Tokyo, Jan. 2006): Middleware Workshop (full day); Middleware Working Group is approved
• 22nd APAN (Singapore, July 2006): Grid Middleware Workshop
• 23rd APAN (Manila, Jan. 2007): Grid Middleware Workshop
• 24th APAN (Xian, Aug. 2007): Middleware Workshop
• 25th APAN (Hawaii, Jan. 2008): Middleware Workshop (proposed)