Difference between revisions of "Introduction Grid Computing Lab Course Overview"

From PDP/Grid Wiki
m (first go at it)
 
m
Line 22: Line 22:
 
Trust in the grid today is established via a Public Key Infrastructure (PKI). Every entity in the system is issues with a "certificate" that links an identifier (the persons name, or a DNS name) to a piece of unique cryptographic data (an RSA keypair, for instance). These certificates usually have a limited lifetime when stored in a file, or are carried on hardware tokens like smart-cards and USB keys.
 
Trust in the grid today is established via a Public Key Infrastructure (PKI). Every entity in the system is issues with a "certificate" that links an identifier (the persons name, or a DNS name) to a piece of unique cryptographic data (an RSA keypair, for instance). These certificates usually have a limited lifetime when stored in a file, or are carried on hardware tokens like smart-cards and USB keys.
  
Commercial providers, like Verisign [http://www.verisign.com/products-services/security-services/], Thawte [http://www.thawte.com/], or Entrust[http://www.entrust.com/], operate a Certification Authority and sell X.509 public key certificates[http://www.ietf.org/html.charters/pkix-charter.html].
+
Commercial providers, like [http://www.verisign.com/products-services/security-services/ Verisign], [http://www.thawte.com/ Thawte], or [http://www.entrust.com/ Entrust], operate a Certification Authority and sell[http://www.ietf.org/html.charters/pkix-charter.html X.509] public key certificates.
  
You can also setup an X.509 Certification Authority (CA) yourself. The simplest is to use the Openssl [http://www.openssl.org/] commands, that even come with a shellscript to automate the task. More complete functionality can be found in OpenCA [http://www.openca.org].  
+
You can also setup an X.509 Certification Authority (CA) yourself. The simplest is to use the [http://www.openssl.org/ OpenSSL] commands, that even come with a shellscript to automate the task. More complete functionality can be found in [http://www.openca.org/ OpenCA].  
Recent version of the Globus Toolkit [http://www.globus.org/toolkit] also come with a package called "<tt>globus-simple-ca</tt>".
+
Recent version of the [http://www.globus.org/toolkit/ Globus Toolkit] also come with a package called "<tt>globus-simple-ca</tt>".
  
Establishing a trust domain is non-trivial (see, e.g., [http://www.eugridpma.org/] or [http://www.gridpma.org/], and raises issues like validity period of the certificates,
+
Establishing a trust domain is non-trivial (see, e.g., the [http://www.eugridpma.org/ EUGridPMA] or [http://www.gridpma.org/ IGTF] web sites), and it raises issues like validity period of the certificates, revocation lists or[http://www.ietf.org/rfc/rfc2459.txt CRLs], and on-line status checking via [http://www.faqs.org/rfcs/rfc2560.html OCSP].
revocation lists [http://www.ietf.org/rfc/rfc2459.txt], and on-line status checking via OCSP [http://www.faqs.org/rfcs/rfc2560.html].
 
  
 
=== Project proposal ===
 
=== Project proposal ===
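Review bot: The new "Commercial providers" line writes `sell[http://www.ietf.org/html.charters/pkix-charter.html X.509]` with no space before the bracket, so the text renders as "sellX.509"; the new "Establishing a trust domain" line has the same problem at `or[http://www.ietf.org/rfc/rfc2459.txt CRLs]`. Put a space before each link. While these paragraphs are being touched, "is issues with" and "the persons name" in the unchanged first paragraph could be corrected to "is issued with" and "the person's name".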

Revision as of 00:04, 27 August 2005

Structure

The aim of the lab courses will be to install, deploy and operate a mini-grid, with some applications and services. The entire mini-grid will be built and run by the students participating in the course (of course with some help from the tutors). At the end of the lab course you'll know what a grid is, be able to build one, and know what is needed to make it useful for applications.

A grid contains a few components that you cannot do without:

  • a common trust domain (authentication)
  • communities of resources and users (authorization)
  • an information service

and of course some services to make the grid useful, like

  • a job submission service
  • data movement or indexing
  • workload management
  • database access
  • your favourite custom services ...

For each of these, literature and documentation are given below, together with one or two projects (assignments) to be picked up by a team of students (say, 2-3 students per project).

Authentication

Trust in the grid today is established via a Public Key Infrastructure (PKI). Every entity in the system is issued with a "certificate" that links an identifier (the person's name, or a DNS name) to a piece of unique cryptographic data (an RSA keypair, for instance). These certificates usually have a limited lifetime when stored in a file, or are carried on hardware tokens like smart-cards and USB keys.

Commercial providers, like Verisign, Thawte, or Entrust, operate a Certification Authority and sell X.509 public key certificates.

You can also set up an X.509 Certification Authority (CA) yourself. The simplest way is to use the OpenSSL commands, which even come with a shell script to automate the task. More complete functionality can be found in OpenCA. Recent versions of the Globus Toolkit also come with a package called "globus-simple-ca".

Establishing a trust domain is non-trivial (see, e.g., the EUGridPMA or IGTF web sites), and it raises issues like the validity period of the certificates, revocation lists or CRLs, and on-line status checking via OCSP.
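
The certificate lifetime and revocation-list issues named above, as an added example that is not part of the course material: a throw-away CA driven by the openssl command-line tool that issues 30-day certificates, revokes one, publishes a CRL and checks certificates against it. The directory layout, the subject names (Lab Course CA, alice, bob) and the 30-day and 7-day lifetimes are assumptions made for illustration.

```shell
# Added example: a throw-away lab CA on the openssl CLI (names are constructed).
ca_init() {    # ca_init DIR: CA key, self-signed CA certificate, empty database
    d=$1; mkdir -p "$d/newcerts"; : > "$d/index.txt"; echo 01 > "$d/serial"
    cat > "$d/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ ca ]
default_ca = lab
[ lab ]
database = $d/index.txt
new_certs_dir = $d/newcerts
serial = $d/serial
certificate = $d/ca.pem
private_key = $d/ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = pol
[ pol ]
commonName = supplied
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$d/ca.cnf" \
        -subj "/CN=Lab Course CA" -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
}
ca_issue() {   # ca_issue DIR NAME: new key and CSR for NAME, signed for 30 days
    openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl ca -batch -notext -config "$1/ca.cnf" -in "$1/$2.csr" \
        -out "$1/$2.pem" 2>/dev/null
}
ca_revoke() { openssl ca -config "$1/ca.cnf" -revoke "$1/$2.pem" 2>/dev/null; }
ca_crl()    { openssl ca -config "$1/ca.cnf" -gencrl -out "$1/crl.pem" 2>/dev/null; }
ca_check() {   # ca_check DIR NAME: signature chain, validity period and CRL
    openssl verify -CAfile "$1/ca.pem" -CRLfile "$1/crl.pem" -crl_check \
        "$1/$2.pem" >/dev/null 2>&1
}

lab=$(mktemp -d)
ca_init "$lab" && ca_issue "$lab" alice && ca_issue "$lab" bob
ca_revoke "$lab" bob && ca_crl "$lab"
ca_check "$lab" alice && echo "alice: accepted"
ca_check "$lab" bob || echo "bob: rejected by the CRL"
```

A revocation only reaches a relying party once it holds a CRL generated after the revocation; a certificate revoked since the last `ca_crl` run still passes `ca_check`, which is the gap on-line status checking via OCSP is meant to close.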

Project proposal

  • Build a simple CA service, e.g. based on OpenSSL, that can be used by your fellow students to obtain certificates.
  • Describe the way in which you would identify entities, and what the level of trust in your certificates should be. Describe the limitations, vulnerabilities, and possible attack vectors.
  • Build a more scalable system, incorporating Registration Authorities, and on-line checking of the status of your certificates (using an independent client program).
  • Integrate on-line checks in a piece of middleware (optional)