Grid Tech Team
Certificates, Monitoring, & Firewall
September 15, 2003
Chiang Mai, Thailand
Allan Doyle, NASA
With the help of the entire Grid Tech Team
September 15, 2003Grid Tech Team 2

Certificates

Virtual Organization Definition
• Grid Virtual Organization (VO)
  – Set of resources (computers, storage systems)
  – Distributed among participating organizations
  – Available for use by a group of users
  – Is defined by the grouping of resources plus the grouping of individuals, brought together for a common purpose under mutually acceptable governing rules.

Organizations, Resources, Users, and Virtual Organizations
[Figure: diagram of organizations OrgA, OrgB and OrgC, virtual organizations VOX and VOY, and users U1 and U2. Legend: S = Storage Resource, C = Compute Resource.]

Creating a VO
• Hosts and users must obtain certificates
• Users are then granted access to hosts (by the owners of the hosts).
• The set of users coupled with the set of hosts they are allowed onto is what “defines” the VO
[Figure: diagram of organizations OA, OB and OC, virtual organizations VOX and VOY, and users U1 and U2. Legend: S = Storage Resource, C = Compute Resource.]

CEOS Grid
[Figure labels: USGS EDC, NOAA NOMADS, UAH, GMU, ESA ESRIN, Test-SGT, Test-II, NASA ADG, CNES]
Colors
• Blue - CEOS Certificates
• Green - DataGrid Certificates
• Black - TBD

CEOS Grid - CAs
• CEOS Grid Users will not all have the same CA
• We want to limit the number of CAs to the smallest possible set.
  – Makes management easier
  – Makes policy decisions easier
• European users already have a high-quality operational CA
• US Users are encouraged to obtain certificates from NASA IPG

CEOS Certificates from NASA IPG
• NASA Information Power Grid (IPG) already runs a high-quality CA that is accepted by most VOs.
• NASA IPG is providing CA resources for the CEOS Grid.
• Current status
  – Certificate request software has been delivered & tested.
  – Operating well at 2 test sites (II, SGT) and at GMU.
  – Others are encouraged to try it out.
• Availability
  http://grid-tech.ceos.org/gridwiki/CeosGridVirtualOrganization
  Username ceos-grid, password grid-tech
  – Small tar file & quick installation instructions

Monitoring

Network Monitoring

Grid Tools Monitoring

Firewall

General Firewall Issues
• Using the Grid means that you have to make new services accessible to the internet
  – System administrators and security people will be uncomfortable with this
  – Some sites have different policies, some are set up to allow experimentation outside the firewall
• What you can do
  1. Familiarity - install & test on a machine outside the firewall, learn about the Grid
  2. Provide information about security issues to people who need it
  3. Develop a relationship with the people you depend on for access

Firewall
• Tech Team has put together a firewall document
  http://grid-tech.ceos.org/gridwiki/FirewallBestCommonPractices
• Contents
  – Introductory material
    • CEOS Grid overview; Quick primer on Grids; Globus port numbers
  – Site specific sections
    • Meant to be filled in by each site with anything you learned that might help someone else
  – Product specific info
    • Currently only one - Cisco instructions
  – Miscellaneous
    • Open Questions; References; To Do

CEOS Grid Toolkit

CEOS Grid Components
• Baseline (Core)
  – Globus 2.4.2 with latest bug-fix packages - see advisories page at:
    • http://www-unix.globus.org/toolkit/advisories.html?version=2.4
  – Grid Packaging Toolkit (GPT) 2.2.9
  – IPG Certificate Authority Package 0.0.3
  – EU Data Grid 2.0 (being used by ESA)
    • Globus 2.4
• Other Dependent Packages
  – Java Community Grid Kit (Java CoG) 1.1
  – Other COG’s (Perl/Python)

Globus 2.4.2 Advisories*
• GridFTP Server 1.9
• Gram Job Manager 3.13
• Gram Client Tools 3.6
• GSI Sysconfig 0.10
• Globus Common 3.14
• LDAP Modules 0.12
• GSI Credential 0.9
• GSI Cert. Utils 0.12
• GSI Proxy Core 0.8
• GSI Proxy Utils 0.9
• FTP Control 1.9
*As of 8/11/2003

Grid Components we’re Tracking
• Globus 3.0
• Metadata Catalog Service (MCS) (Current version as of 8/11/03)
  – Open Grid Services Architecture – Data Access & Integration
    • (OGSA DAI 2.5 - http://www.ogsadai.org.uk/)
  – Community Authorization Service (CAS) Alpha R2 Release
• OGSA DAI 3.0 – Ported version of MCS – planned
• MCS with Spatial Query capabilities – planned
• Storage Resource Broker/Metadata Catalog (SRB/MCAT) V. 2.1.2
  – Globus Grid Security Infrastructure (GSI)

CEOS Grid Toolkit
• WGISS participants are developing higher-level tools & components
• GMU
  – OGC WCS with GridFTP back end
  – OGC WCS with Grid front end
  – OGC Catalog wrapper on Grid MCS
  – Reprojection service, 13 NASA EOS projections
• ESA
  – Grid Engine - multi-Grid job management
  – Web Notification - Grid-to-Web events
  – Grid Portal - Web control of Grid applications
  – Reprojection Service

CEOS Grid Toolkit Catalog
• We need to put some thought into how we want to describe the components.
• Possible metadata elements (thanks to Stu Doescher):
  – short name
  – long name
  – summary description
  – pointer to additional discussion
  – latest version and date
  – maturity - new, obsolete
  – other parts needed
  – recommendations
  – Contact points
    • supported and by who
    • used by
  – Technical parts
    • Language
    • how to install
    • problems