Page 1
Internet2 Middleware
Drinking Kool-Aid From A Fire Hose or
Sniffing Glue-Ware
Michael R. Gettes
Principal Technologist
Georgetown University
[email protected]
http://www.georgetown.edu/giia/internet2
Page 2
“Middleware is the intersection of what the Network Engineers and the Application Programmers don’t want to do”
- Ken Klingenstein
Chief Technologist, Univ. of Colorado, Boulder
Director, Internet2 Middleware Initiative
Lead Clergy, MACE
PS of LC
Middleware makes “Transparently use” happen
Page 3
Internet2 Middleware
If the goal is a PKI, then you need to consider:
• Identifiers (SSNs and other untold truths)
• Identification & Authentication process (“I & A”)
• Authentication systems (Kerberos, LDAP, etc)
• Lawyers, Policy & Money (lawyers, guns & $$$)
• Directories (and the applications that use them)
• Certificate Mgmt System (CMS) Deployment
  – CA Certificate, Server Certificates, Client Certificates
• Authorizations (a real hard problem, Roles, etc)
Page 4
Internet2 Middleware
• Building Application/System Infrastructure
• What is missing in Internet 1
• Not “Network Security” (wire level)
• Assumes the wire is insecure
• Assumes the Application is insecure
If security was easy,
everyone would be doing it.
• http://middleware.internet2.edu
Page 5
National Science Foundation NMI program
• $12 million over 3 years
• www.nsf-middleware.org
• Middleware Service Providers, Integrators, Distributors
• GRID (Globus)
• Internet2 + EDUCAUSE + SURA
• May 2002 – first set of deliverables from all parties
Page 6
MACE
Middleware Architecture Committee for Ed.
IT Architects – meet often – no particular religious affiliations
MACE-DIR – eduPerson, Recipe, DoDHE
MACE-SHIBBOLETH – global AuthN/Z
MACE-PKI HEPKI (TAG/PAG/PKI-Labs)
MACE-WebISO – Web Initial Sign-on
VID-MID – Video Middleware (H.323/SIP)
MACE-FDRM – Federated Digital Rights Management
NMI - NSF Middleware Initiative
Page 7
MACE-ochists
RL “Bob” Morgan, Chair, Washington
Steven Carmody, Brown
Michael Gettes, Georgetown
Keith Hazelton, Wisconsin
Paul Hill, MIT
Ken Klingenstein, Colorado
Mark Poepping, CMU
Jim Jokl, Virginia
David Wasley, UCOP
Von Welch, ANL/Grid
Scott Cantor, Ohio St
Bruce Vincent, Stanford
Euro: Brian Gilmore & Ton Verschuren, Diego Lopez
Page 8
A Map of Middleware Land
Page 9
MACE-DIR
Keith Hazelton, Chair, Wisconsin
• eduPerson objectclass
• LDAP-Recipe
• Dir of Dirs for Higher Education (DoDHE)
• Shibboleth project dir dependencies
• Meta Directories – MetaMerge
• Groups (Dynamic vs. Static; Management)
• Affiliated Directories (Stitched, Data Link)
• http://middleware.internet2.edu/directories
Page 10
MACE-DIR: eduPerson 1.0 (1/22/01 release)
• MACE initiated (Internet2 + EDUCAUSE)
• Globally interesting useful attributes
• Get community buy-in, must use it also
eduPersonAffiliation (DoDHE), eduPersonPrincipalName (Shibboleth)
• “Less is more”, how to use standard objectclasses
• http://www.educause.edu/eduperson
Page 11
eduPerson 1.5 object class
Included as part of the NSF Middleware Initiative (NMI) Release 1.0 May 7th, 02
eduPerson 1.0 is the production version, 1.5 status is “released for public review” (RPR)
Next NMI release will include final 1.5 based on review period discussions
Page 12
eduPerson 1.5 object class
Changes from 1.0:
• Introductory section added
• RFC2252 style definitions included for the eduPerson object class itself and for each of the eduPerson attributes.
• Notes on additional attributes from existing object classes, existing notes clarified, syntax and indexing recommendations updated.
Page 13
eduPerson 1.5 object class
Two new attributes:
eduPersonPrimaryOrgUnitDN
eduPersonEntitlement
• Simple case: value is the name of a contract for a licensed resource
• http://xstor.com/contract1234
• Values of eduPersonEntitlement can be URLs or URNs
Page 14
eduPerson 1.5 object class
eduPersonEntitlement
• Values of eduPersonEntitlement can be URLs or URNs
  – http://www.w3.org/Addressing/
  – RFC2396 Uniform Resource Identifiers
  – RFC2141 Uniform Resource Names
• URNs allow federation of name creation without name clashes.
  – urn:mace:brown.edu:foo
• [email protected] for information on URN registration
Page 15
eduOrg 1.0
eduOrg 1.0 released as “Experimental” object class
• Basic organizational info attributes from X.520
  – Telecomm, postal, locale
• eduOrgHomePageURI
• eduOrgIdentityAuthNPolicyURI
• eduOrgLegalName
• eduOrgSuperiorURI
• eduOrgWhitePagesURI
Page 16
LDAP-Recipe positioning and the NMI R1
• A special case document
• Pre-existed NMI and MACE document standards for format and naming.
• Will conform to NMI/MACE naming and future process for acceptance.
• Content??? Well, we shall see…
Page 17
LDAP-Recipe Version 1.5 (pre May 7, 2002)
• Directory Tree
• Schema (Design, upgrading, maint)
• AuthN (binding and pw mgmt)
• eduPerson attr discussion (select)
• Access Control
• Replication
• Name population
Page 18
LDAP-Recipe Version 2.0 (NMI R1 May 7, 2002)
• Groups, Groups, Groups
  – Static, Dynamic, app issues, builds on “NMI Groups Doc”
• E-Mail Routing considerations
  – Attribute firewalling, Sendmail, app issues
• eduPersonOrgDN and eduPerson{Primary}OrgUnitDN
  – Original Intent for eduPerson 1.0 and Primary
• RDN Issues (a must read)
• Software reference (small, needs to grow)
Page 19
MACE-DIR: Directory of Directories for Higher Education
Web of Data vs. Web of People
Prototype: April, 2000 (by M. Gettes)
Highly scalable parallel searching
• Interesting development/research problems
• Configs, LDAP libraries, Human Interface
Realized the need to:
• Promote eduPerson & common schema
• Promote good directory design (recipe)
Work proceeding – Sun Microsystems Grant
http://middleware.internet2.edu/dodhe
Page 20
MACE-DIR: DoDHE and LDAP Analyzer
Todd Piket, Michigan Tech
Web based tool to empirically analyze a directory
eduPerson compliance
Indexing and naming
LDAP-Recipe guidance (good practice)
Beta: http://morpheus.dcs.it.mtu.edu/~tcpiket/dodhe
Page 21
MACE-Dir Futures
• Technical Advisory Board
• eduOrg, eduPerson, edu???????
• Shibboleth and other related work
• Roles (RBAC)
• Group Implementations (Eileen Shepard, BC; Tom Barton, Memphis)
• Blue Pages
• LDAP-Recipe (next?)
• Affiliated Directories (Rob Banz, UMBC)
• pkiUser/pkiCa, Bridge CA, etc…
• Video Middleware (commObject{Uri} OCs)
• GRID interoperability
• Directory Policy
Page 22
MACE-Dir Futures (continued)
EduOrg “blue page” entries
EduOrgUnit 1.0 object class and attributes
Affiliated directories scenarios
• Identity management in Health Sciences
• Assembling info on the fly
• Data/Metadata bundles as units of exchange
• Exploring with our Technical Advisory Board
Page 23
MACE-SHIBBOLETH
Steven Carmody, Brown, Chair
A Biblical pass phrase – “password”
• Get it right or “off with your head”
• Inter-institutional Authentication/Authorization
• Web Authorization of Remote Sites with Local Credentials
• Authentication via WebISO
• October, 2002 – Version 1.0 with NMI
• http://middleware.internet2.edu/shibboleth
Page 24
MACE-WEBISO: Web Initial Sign-on
Based on University of Washington “pubcookie” implementation
Washington will develop and steward it with external funding
JA-SIG uPortal, Blackboard, WebCT, Shibboleth – will do or are highly likely to do.
http://www.washington.edu/computing/pubcookie
Page 25
VID-MID: Video Middleware
Authentication and Authorization of H.323 sessions.
Client to Client
Client to MCU
Directory enabled
How to find video enabled people?
What is necessary to describe video capabilities?
Will likely extend to IP Telephony and so on…
Page 26
Technical Policy
PKI is 1/3 Technical and 2/3 Policy?
Page 27
HEPKI
TAG – Technical Activities Group
• Jim Jokl, Chair, Virginia
• Mobility, Cert Profiles, PKI-Lite, etc, etc, lots of techno
PAG – Policy Activities Group
• Default Chair, Ken Klingenstein, Colorado
• Knee-deep in policy, HEBCA, Campus, Subs+RP
PKI Labs (AT&T) – Neal McBurnett, Avaya
• Wisconsin-Madison & Dartmouth
• Industry, Gov., Edu expert guidance
http://www.educause.edu/hepki
Page 28
Transforming Education Through Information Technologies
http://www.educause.edu/
Common Solutions Group, January, 2002 (Sanibel Island)
Multiple CAs in FBCA Membrane
• Survivable PKI
• Cross Certificates allow for “one/two-way policy”
• Directories are critical in BCA world.
Page 29
A Snapshot of the U.S. Federal PKI (diagram). Labels: Federal Bridge CA, NFC PKI, Higher Education Bridge CA, NASA PKI, DOD PKI, Illinois PKI, University PKI, CANADA PKI.
Page 30
(Diagram of peer-to-peer bridge CAs. Labels: USA Government Federal BCA, DoD, NASA, NIH; USA Higher Education BCA, Georgetown University, University of Washington, other universities; USA Health Care "Health Key" BCA, NCHICA, Mayo Clinic; European Higher Education BCA, University of Edinburgh, other universities; Peer-to-peer links and Special Relationships between them.)
Page 31
Bridge CAs
• Higher Education Bridge CA – FBCA peering
• We have a draft HEBCA CP (Net@EDU PKI WG) FBCA Compatible
• How many HEBCAs? (EDUCAUSE!)
• Do we really understand PKI implementations with respect to policy needs? (proxy certificates, relying party agreements, name constraints, FERPA, HIPAA, who eats who?)
• BCA seems to be the most promising perspective. Will each person be a BCA?
• Does ALL software (Client/Server) need to be changed?
• Mitretek announces new BCA deployment model 2/15/2001
  – Scalable & deployable
• Server plug-ins make client changes less likely
Page 32
The PKI Puzzle (diagram by David Wasley, UCOP). Labels: Fed Bridge, Educause HE Bridge, CREN Root CA, EDUPKI Hierarchy, COMPKI Hierarchy, Medical PKI Hierarchy, Campus PKI, Campus Systems, Directory, Server Certs, Vendor Resources, Campus Resources, Shib.
PKI provides:
• Strong Authentication
• Flexible Authorization
• Secure Digital Signature
• Powerful Data Security
Page 33
domainComponent (DC=) Naming
• Traditional X.500 naming:
cn=Michael R Gettes, ou=Server Group, ou=UIS, o=Georgetown University, c=US
• domainComponent (DC) naming:
uid=gettes,ou=People,dc=georgetown,dc=edu
• HEPKI is issuing guidance and advice on DC= naming
Page 34
Attributes for PKI
Store them in a Certificate?
• Attributes persist for life of Certificate
• No need for Directory or other lookup
  – The Certificate itself becomes the AuthZ control point
Store them in a Directory?
• Very light-weight Certificates
• Requires Directory Access
• Long-term Certificate, Directory is AuthZ control point.
How many Certificates will we have?
Pseudonymous Certificates
Page 35
We’re Building A
“Bridge Over The River PKI”
Page 36
Shibboleth Update
Steven Carmody, Brown University
Project Leader, Shibboleth
Michael R. Gettes, Georgetown University
Page 37
Shibboleth Architecture Concepts - High Level (diagram). Labels: Browser, Origin Site, Target Site, Target Web Server. Authentication Phase: First Access - Unauthenticated. Authorization Phase: Pass content if user is allowed.
Page 38
Shibboleth Architecture Concepts (detail) (diagram). Labels: Browser, Origin Site, Target Site, Target Web Server, Web Login Server, Attribute Server. Authentication Phase: First Access - Unauthenticated; Redirect User to Local Web Login; Authentication; Auth OK. Authorization Phase: Ask to Obtain Entitlements; Req Ent; Ent Prompt; Entitlements; Pass entitlements for authz decision; Pass content if user is allowed; Second Access - Authenticated; Success!
Page 39
Shibboleth Architecture
Page 40
Shibboleth Components
Page 41
Descriptions of services
1. local authn server - assumed part of the campus environment
2. web sso server - typically works with local authn service to provide web single sign-on
3. resource manager proxy, resource manager - may serve as control points for actual web page access
4. attribute authority - assembles/disassembles/validates signed XML objects using attribute repository and policy tables
5. attribute repository - an LDAP directory, or roles database or….
6. Where are you from service - one possible way to direct external users to their own local authn service
7. attribute mapper - converts user entitlements into local authorization values
8. PDP - policy decision points - decide if user attributes meet authorization requirements
9. SHAR - Shibboleth Attribute Requestor - used by target to request user attributes
Page 42
Shibboleth Flows Draft
Page 43
Shibboleth Architecture -- Managing Trust (diagram). Labels: Browser, Origin Site, Target Site, Target Web Server, Attribute Server, Shib engine, TRUST.
Page 44
Personal Privacy
Web Login Server provides a pseudonymous identity
An Attribute Authority releases Personal Information associated with that pseudonymous identity to site X based on:
• Site Defaults
  – Business Rules
• User control
  – myAA
• Filtered by
  – Contract provisions
(Diagram. Labels: Browser User, My AA, Site Defaults, Contract Provisions.)
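The release decision on this slide, worked through as an added example (not Shibboleth project code): site defaults, the user's myAA overrides and the contract provisions are combined for a constructed user record, and a keyed-hash handle stands in for the pseudonymous identity, which is an assumed design rather than the Shibboleth handle service's mechanism.

```python
"""Attribute release policy (ARP) evaluation for a Shibboleth-style attribute
authority.  Added example, not Shibboleth project code.  What site X receives
is: site defaults (business rules), overridden by the user's own myAA choices,
then filtered by the provisions of the contract with that site."""
import hashlib
import hmac

# Constructed user record (not real data); attribute names are from eduPerson.
USER = {
    "eduPersonPrincipalName": ["jdoe@example.edu"],
    "eduPersonAffiliation": ["member", "faculty"],
    "eduPersonEntitlement": ["http://xstor.com/contract1234",
                             "urn:mace:example.edu:library"],
    "displayName": ["J. Doe"],
    "mail": ["jdoe@example.edu"],
}

# Site defaults: attr -> None (any value) or a set of releasable values.
# "*" is the fallback for targets without their own rule.
SITE_DEFAULTS = {
    "*": {"eduPersonAffiliation": {"member"}},
    "xstor.com": {"eduPersonAffiliation": {"member", "faculty", "student"},
                  "eduPersonEntitlement": None},
    "library.example.org": {"eduPersonEntitlement": None},
}

# Contract provisions: a target with a contract may receive only what it covers.
CONTRACTS = {
    "xstor.com": {"eduPersonAffiliation": None,
                  "eduPersonEntitlement": {"http://xstor.com/contract1234"}},
    "library.example.org": {"eduPersonEntitlement": {"urn:mace:example.edu:library"},
                            "mail": None},
}

# myAA: the user's own per-target overrides (True = release, False = withhold).
USER_ARP = {
    "xstor.com": {"eduPersonAffiliation": False},
    "library.example.org": {"mail": True},
}


def _allowed(value, spec):
    return spec is None or value in spec


def release_to(target, user=USER, defaults=SITE_DEFAULTS,
               contracts=CONTRACTS, user_arp=USER_ARP):
    """Return the attributes (attr -> values) the AA releases to `target`."""
    policy = dict(defaults.get("*", {}))
    policy.update(defaults.get(target, {}))
    for attr, allow in user_arp.get(target, {}).items():
        if allow:
            policy.setdefault(attr, None)      # user opted in: any value
        else:
            policy.pop(attr, None)             # user opted out
    contract = contracts.get(target)           # None: no contract, no extra filter
    released = {}
    for attr, values in user.items():
        if attr not in policy or (contract is not None and attr not in contract):
            continue
        ok = [v for v in values
              if _allowed(v, policy[attr])
              and (contract is None or _allowed(v, contract[attr]))]
        if ok:
            released[attr] = ok
    return released


def pseudonymous_handle(principal, target, secret):
    """Opaque per-target handle for the user so two target sites cannot
    correlate the same person.  Assumed design for this example (keyed hash of
    principal and target), not the Shibboleth handle service's mechanism."""
    msg = f"{principal}\x00{target}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]
```

Identifying attributes such as displayName are never released because no site default, user choice or contract names them, so the target only ever sees the handle plus what policy permits.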
Page 45
Managing ARPs
Page 46
Middleware Marketing
Page 47
Drivers of Vapor Convergence
JA-SIG uPortal Authen
OKI/Web Authentication
Local Web SSO Pressures
We all get Web SSO for Local Authentication and an Enterprise Authorization Framework with an Integrated Portal that will all work inter-institutionally!
Shibboleth Inter-Realm AuthZ
Page 48
Middleware Inputs & Outputs
(Diagram. Labels: Grids, JA-SIG & uPortal, OKI, Inter-realm calendaring, futures; Shibboleth, eduPerson, Affiliated Dirs, etc.; Enterprise Directory, Enterprise Authentication, Legacy Systems, Campus Web SSO, Enterprise authZ, Licensed Resources, Embedded App Security.)
Page 49
Errata--ica
Page 50
The Liberty Alliance
www.project-liberty.org
Sun Microsystems, American Express, United Airlines, Nokia, MasterCard, AOL Time Warner, American Airlines, Bank of America, Cisco, France Telecom, Intuit, NTT DoCoMo, Verisign, Schlumberger, Sony …
Initiated in September 2001.
Protect Privacy, Federated Administration, Interoperability, Standards based but requires new technology, hard problems to solve, a Network Identity Service
Funny, doesn’t this stuff sound familiar?
Page 51
Got Directory?
Page 52
Techniques for Product Independence
Good/Evil – make use of cool features of your product.
• Does this make it more difficult or impossible to switch products later?
• Does this make you less interoperable? Standard?
• Does this limit your ability to leverage common solutions?
All the above applies to enabled apps as well.
Page 53
Groups, Groups, Groups
Static vs. Dynamic (issues of large groups)
• Static: Scalability, performance, bandwidth
• Dynamic: Manageability (search based, but search limits)
Is there something neutral?
Indexed Static Groups
• MACE-DIR consideration (Todd Piket, MTU)
• Index unique/member
• The likely approach, IMHO, doesn’t inhibit dynamic stuff
Group Math
(& (group=faculty)(!(group=adjunct)) (member=DN) )
Page 54
Roles
Is this an LDAP issue?
• MIT roles DB – a roles registry
Are groups good enough for now?
• Probably not, see next
Are your apps prepared for this? Maybe they need some service to consult? Will Shibboleth help here?
Vendors have proprietary solutions.
Page 55
Stitching disparate directories
How to relate to distinct directories and their entries. Kjk@colorado & kjk@ViDe -- are they the same?
Locate someone in a large directory (DoDHE) and then switch to their video abilities
Suggestion: define new object of a “data source directory”. Associate it with a Cert. Send signature of all data elements for an object, store in same. This allows for digital trust/verification. Still working this out. Not much work in this space? (the affiliated dirs problem)
X.520 AttributeIntegrityInfo Attribute – will it suffice?
Page 56
A Campus Directory Architecture (diagram). Labels: source systems, registries, directory database, metadirectory, enterprise directory, enterprise applications directory, departmental directories, OS directories (MS, Novell, etc), border directory.
Page 57
Middleware 201: Directories
Configuration & Operations
Michael R. Gettes
Principal Technologist
Georgetown University
Page 58
How Deep?
Background
Site Profile - configuration
Applications
General Operational Controls
Schema
Access Lists
Replication
Related Directories
LDAP-Recipe – http://middleware.internet2.edu
Page 59
Site Profile: dc=georgetown,dc=edu
Netscape/iPlanet DS version 4.16
• 2 Sun E250 dual cpu, 512MB RAM
105,000 DNs (25K campus, others = alums + etc)
Directory + apps implemented in 7 months
Distinguished names: uid=x,ou=people
• DC rap, “Boom shacka lacka”
• Does UUID in DN really work?
NSDS pre-op plugin (by [email protected])
• Authentication over SSL; Required
• Can do Kerberos – perf problems to resolve
1 supplier, 4 consumers
Page 60
Authentication: Overall Plan @ Georgetown
Currently, Server-Side PKI self-signed
Best of all 3 worlds
• LDAP + Kerberos + PKI
  – LDAP Authentication performs Kerberos Authentication out the backend. Jan. 2001 to finish iPlanet plug-in.
• Credential Caching handled by Directory.
• Cooperative effort – Georgetown, GATech, Michigan
  – All directory authentications SSL protected. Enforced with necessary exceptions
• Use Kerberos for Win2K Services and to derive X.509 Client Certificates
• One Userid/Password (single-signon vs. FSO)
Page 61
Applications
Mail routing with Sendmail 8.12 (lists also)
Netscape messaging server v 4.15 (IMAP)
• WebMail profile stored in LDAP
Apache server for Netscape roaming (no SSL)
Apache & Netscape enterprise web servers
Blackboard CourseInfo Enterprise 5.5.1
Whitepages: Directory Server GateWay
DSGW for priv’d access and maintenance
Page 62
Applications (Continued)
Remote access with RADIUS (funk).
• No SSL (3/2000); proper LDAP binds (fix 8/2000)
• Authenticates and authorizes for dial-up, DSL and VPN services using RADIUS called-id.
• We want to use this for other access control such as Oracle
Page 63
RADIUS + LDAP (diagram). Labels: Dialup Users, NAS (terminal server), RADIUS server, Directory Server.
User calls 202-555-1110
CalledId from NAS is mapped to guRadProf
Directory entry: Netid = gettes; guRadProf = 2025550001, 2025551110, OracleFin
LDAP Filter is: guRadProf = 2025551110 + NetID = gettes
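An added example (not code from the presentation or from Georgetown's directory) that parses and evaluates LDAP filters of the kind shown on the group math slide (slide 53) and on this RADIUS + LDAP slide, against constructed person entries. The NetID is assumed to be the uid attribute, and the slide's (member=DN) term is taken as the selection of the person whose group attribute is evaluated.

```python
"""Minimal LDAP search-filter evaluator (RFC 2254 syntax subset: &, |, !,
equality and presence).  Added example, not code from the presentation."""


def _skip_ws(s, i):
    while i < len(s) and s[i].isspace():
        i += 1
    return i

def _parse(s, i):
    i = _skip_ws(s, i)
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i = _skip_ws(s, i + 1)
    op = s[i:i + 1]
    if op in ("&", "|"):                 # AND / OR: any number of sub-filters
        children, i = [], i + 1
        while True:
            i = _skip_ws(s, i)
            if i >= len(s):
                raise ValueError("unterminated AND/OR filter")
            if s[i] == ")":
                return (op, children), i + 1
            child, i = _parse(s, i)
            children.append(child)
    if op == "!":                        # NOT: exactly one sub-filter
        child, i = _parse(s, i + 1)
        i = _skip_ws(s, i)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated NOT filter")
        return ("!", child), i + 1
    j = s.find(")", i)                   # simple assertion attr=value
    attr, sep, value = s[i:j].partition("=") if j >= 0 else ("", "", "")
    if not sep or not attr.strip():
        raise ValueError(f"bad assertion at offset {i}")
    return ("=", attr.strip().lower(), value.strip()), j + 1

def parse_filter(text):
    """Parse a filter string into a nested tuple tree."""
    s = text.strip()
    tree, end = _parse(s, 0)
    if end != len(s):
        raise ValueError("trailing characters after filter")
    return tree

def matches(tree, entry):
    """Evaluate a parsed filter against one entry (attr -> list of values).
    Names and values compare case-insensitively (caseIgnoreMatch), a
    simplifying assumption; a real server applies the attribute's matching rule."""
    op = tree[0]
    if op == "&":
        return all(matches(c, entry) for c in tree[1])
    if op == "|":
        return any(matches(c, entry) for c in tree[1])
    if op == "!":
        return not matches(tree[1], entry)
    _, attr, value = tree
    values = [v.lower() for k, vs in entry.items() if k.lower() == attr for v in vs]
    if value == "*":                     # presence filter, e.g. (guRadProf=*)
        return bool(values)
    return value.lower() in values

def search(entries, filter_text):
    """Return the DNs of the entries that match the filter."""
    tree = parse_filter(filter_text)
    return [dn for dn, entry in entries.items() if matches(tree, entry)]


# Constructed person entries (not Georgetown data).  'group' stands in for the
# per-person membership index that the slide's indexed static groups provide.
PEOPLE = {
    "uid=gettes,ou=People,dc=georgetown,dc=edu": {
        "uid": ["gettes"],
        "group": ["faculty", "staff"],
        "guRadProf": ["2025550001", "2025551110", "OracleFin"],
    },
    "uid=adjunct1,ou=People,dc=georgetown,dc=edu": {
        "uid": ["adjunct1"],
        "group": ["faculty", "adjunct"],
        "guRadProf": ["2025550001"],
    },
}

# Slide 53 group math: faculty who are not adjunct.  The slide's (member=DN)
# term selects the person; here the group terms are run over every entry.
GROUP_MATH = "(& (group=faculty)(!(group=adjunct)) )"

def non_adjunct_faculty():
    return search(PEOPLE, GROUP_MATH)

# Slide 63 RADIUS + LDAP: the called-id reported by the NAS is mapped to a
# guRadProf value and ANDed with the NetID (assumed here to be the uid attribute).
CALLED_ID_TO_PROFILE = {"202-555-1110": "2025551110", "202-555-0001": "2025550001"}

def radius_authorized(netid, called_id):
    profile = CALLED_ID_TO_PROFILE.get(called_id)
    if profile is None:                  # unknown service number: deny
        return False
    return bool(search(PEOPLE, f"(&(uid={netid})(guRadProf={profile}))"))
```

A real deployment would escape the NetID before interpolating it into the filter (RFC 2254 filter escaping), which this example omits.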
Page 64
Applications (Continued)
Alumni services (HoyasOnline).
• External vendor in Dallas, TX (PCI).
• They authenticate back to home directories. Apache used to authenticate and proxy to backend IIS server.
• Email Forwarding for Life
Page 65
HoyasOnline Architecture, Gratuitous Architectural Graphic (GAG) (diagram). Labels: NET ID, TMS, HRIS, SIS, Alumni, OS/390, LDAP Master, LDAP Replica, Client Browser, WWW, hoyasonline Content, PCI (Dallas) Vendor-provided services, Way Down In Texas, Other local hosts: GU provided self-service applications.
Page 66
Applications (Continued)
Access+
• Georgetown developed
• Web interface to legacy systems using Unix front-end to custom made mainframe tasks. Many institutions have re-invented this wheel.
• LDAP authentication, mainframe doesn’t yet do SSL. Always exceptions to rules.
• Student, Faculty, Staff, Directory/Telephone Access+ Services. This technique keeps mainframe alive. (good or bad?)
![Page 67: Internet2 Middleware Drinking Kool-Aid From A Fire Hose or Sniffing Glue-Ware](https://reader035.vdocuments.mx/reader035/viewer/2022062518/56814937550346895db679fb/html5/thumbnails/67.jpg)
67
Applications (Continued)
Specialized support apps
• Self service mail routing
• Help Desk: mail routing, password resets, quota management via DSGW
• Change password web page
Person registry populates LDAP people data, currently MVS (mainframe) based.
PerLDAP used quite a bit – very powerful! (make sure version >= 1.4)
Now moving to Net::LDAP
![Page 68: Internet2 Middleware Drinking Kool-Aid From A Fire Hose or Sniffing Glue-Ware](https://reader035.vdocuments.mx/reader035/viewer/2022062518/56814937550346895db679fb/html5/thumbnails/68.jpg)
68
Applications (Continued)
Georgetown Netscape Communicator Client Customization Kit (CCK).
• Configured for central IMAP/SSL and directory services.
• Handles versions of profiles. Poor man’s MCD
Future: more apps! Host DB, Kerberos integration, win2k/ad integration?, Oracle RADIUS integration, Automatic lists, Dynamic/static Groups, Top-Secret, Bb – further integration.
![Page 69: Internet2 Middleware Drinking Kool-Aid From A Fire Hose or Sniffing Glue-Ware](https://reader035.vdocuments.mx/reader035/viewer/2022062518/56814937550346895db679fb/html5/thumbnails/69.jpg)
69
General Operational Controls
Size limit trolling (300 or 20 entries?)
Lookthru limit (set very low)
Limit 3 processors for now, MP issues still! (v4)
100MB footprint, about 8000 DNs in cache
• Your mileage will vary – follow cache guidelines documented by iPlanet.
24x7 operations
What can users change?? (Very little)
No write intensive applications
![Page 70: Internet2 Middleware Drinking Kool-Aid From A Fire Hose or Sniffing Glue-Ware](https://reader035.vdocuments.mx/reader035/viewer/2022062518/56814937550346895db679fb/html5/thumbnails/70.jpg)
70
General Ops Controls (cont…)
Anonymous access allowed
•Needed for email clients
•Anonymous access is good if you resolve FERPA and other data access issues.
![Page 71: Internet2 Middleware Drinking Kool-Aid From A Fire Hose or Sniffing Glue-Ware](https://reader035.vdocuments.mx/reader035/viewer/2022062518/56814937550346895db679fb/html5/thumbnails/71.jpg)
71
Schema: Design & Maint
Unified namespace: there can be only one!
Schema design and maintenance
• Space/time tradeoffs on indexing
• Eduperson 1.0 vs. guPerson
• guRestrict, guEmailBox, guAffil, guPrimAfil
• guPWTimebomb, guRadProf, guType, guSSN
• Relationships (guref)
Maintained by ldif file using ldapmodify
![Page 72: Internet2 Middleware Drinking Kool-Aid From A Fire Hose or Sniffing Glue-Ware](https://reader035.vdocuments.mx/reader035/viewer/2022062518/56814937550346895db679fb/html5/thumbnails/72.jpg)
72
Access Lists: Design & Maintenance
Access lists: design & maintenance
• Buckley (FERPA) protection & services
• Priv’d users and services
• userPassword & SSN
Maintained by file using ldapmodify
Working on large group controls at GU
• Groups vs. Roles
• Likely easy to populate, hard to design & implement
![Page 73: Internet2 Middleware Drinking Kool-Aid From A Fire Hose or Sniffing Glue-Ware](https://reader035.vdocuments.mx/reader035/viewer/2022062518/56814937550346895db679fb/html5/thumbnails/73.jpg)
73
Replication
Application/user performance
Failover, user and app service
Impact of DC= naming (replica init)
• Fixed in 4.13 and iDS 5.0
Monitoring: web page and notification
Dumper replica – periodic LDIF dumps
Backups? We don’t need no stinkin’ backups!
• Vendor Specific
• No good solution for backups (iPlanet)
• IBM uses DB2 under the covers
• Novell?
![Page 74: Internet2 Middleware Drinking Kool-Aid From A Fire Hose or Sniffing Glue-Ware](https://reader035.vdocuments.mx/reader035/viewer/2022062518/56814937550346895db679fb/html5/thumbnails/74.jpg)
74
Replication (Continued)
Application/users config for mult servers
Deterministic operations vs random
Failover works for online repairs
Config servers are replicated also
10 to 1 SRA/CRA ratio recommended
Cannot cascade with DC= (iPlanet)
• Cascading is scary to me
![Page 75: Internet2 Middleware Drinking Kool-Aid From A Fire Hose or Sniffing Glue-Ware](https://reader035.vdocuments.mx/reader035/viewer/2022062518/56814937550346895db679fb/html5/thumbnails/75.jpg)
75
Normal Ops
Replica Structure
MASTER
DUMPER
WHITEPAGES MAILHOST
POSTOFFICE
NetID Registry
Web Servers
Users
Users
Failure Ops
![Page 76: Internet2 Middleware Drinking Kool-Aid From A Fire Hose or Sniffing Glue-Ware](https://reader035.vdocuments.mx/reader035/viewer/2022062518/56814937550346895db679fb/html5/thumbnails/76.jpg)
76
Netscape Console
• Java program (FAT client).
• Used to create, configure and monitor Netscape servers.
• Preferred the web page paradigm of the version 3 products.
• Has enough bugs that it is only used by server admins, not for mere mortals.
• Demo??? (nope)
![Page 77: Internet2 Middleware Drinking Kool-Aid From A Fire Hose or Sniffing Glue-Ware](https://reader035.vdocuments.mx/reader035/viewer/2022062518/56814937550346895db679fb/html5/thumbnails/77.jpg)
77
Other Directories
Novell – GU abandoning GroupWise.
Active directory??? Ugh!!!
• Static Groups Only
• Strict Tree Structure for Group Policy
• No plans for MS to change this…
![Page 78: Internet2 Middleware Drinking Kool-Aid From A Fire Hose or Sniffing Glue-Ware](https://reader035.vdocuments.mx/reader035/viewer/2022062518/56814937550346895db679fb/html5/thumbnails/78.jpg)
78
Buyer Beware
• LDAP is LDAP is LDAP – yeah, right!
• “Sure! We support LDAP!” What does that mean?
• Contract for functionality and performance
• Include your Directory/Security Champion!!!
• Verify with other schools – so easy, rarely done.
• Beware of products that specify Dir Servers
• Get vendor to document product requirements and behavior. You paid for it!
![Page 79: Internet2 Middleware Drinking Kool-Aid From A Fire Hose or Sniffing Glue-Ware](https://reader035.vdocuments.mx/reader035/viewer/2022062518/56814937550346895db679fb/html5/thumbnails/79.jpg)
79
Microsoft Win2K Integration
Project Pismere
http://web.mit.edu/pismere
MIT, CMU, Michigan, Stanford, Colorado, etc…
One way trust from MIT KDC to Win2K KDC
The devil we know
Metamerge can play an important role
Handle DHCP/DNS as your site wishes
![Page 80: Internet2 Middleware Drinking Kool-Aid From A Fire Hose or Sniffing Glue-Ware](https://reader035.vdocuments.mx/reader035/viewer/2022062518/56814937550346895db679fb/html5/thumbnails/80.jpg)
80
Win2K & Enterprise Integration
W2K Kerb AuthN
Ent Kerb AuthN
W2K Active Directory
Enterprise Directory
1
2
3
One-way X-realm Trust
Identity mgmt
Meta-Dir Function
MetaMerge?
![Page 81: Internet2 Middleware Drinking Kool-Aid From A Fire Hose or Sniffing Glue-Ware](https://reader035.vdocuments.mx/reader035/viewer/2022062518/56814937550346895db679fb/html5/thumbnails/81.jpg)
Other examples of research…
![Page 82: Internet2 Middleware Drinking Kool-Aid From A Fire Hose or Sniffing Glue-Ware](https://reader035.vdocuments.mx/reader035/viewer/2022062518/56814937550346895db679fb/html5/thumbnails/82.jpg)
82
Current Research (examples)
GROUPER
A special LDAP server (OpenLDAP) engineered to handle group math operations against the enterprise directory for applications that are not group savvy.
Application -> get group BLAH -> GROUPER -> combine 15 groups and remove those in the exclusion group -> give back combined static object as group BLAH
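The group math in the arrow chain above, as an added example that is not GROUPER's own code: the include groups are unioned, every member of the exclusion group is removed, and the result is handed back as one static groupOfNames entry that a non-group-savvy application can read like any other group. The group names, the `dc=example,dc=edu` suffix and the member DNs are constructed.

```python
# Added example (not GROUPER's own code): the "group math" the slide
# describes, done over constructed static groups and returned to the
# application as a single static groupOfNames entry in LDIF form.
# Group names, DNs and the suffix are assumptions.

SUFFIX = "dc=example,dc=edu"


def person(uid):
    """DN of a constructed person entry."""
    return "uid=%s,ou=people,%s" % (uid, SUFFIX)


# Constructed source groups (cn -> set of member DNs); in the real design
# these live in the enterprise directory that GROUPER queries.
GROUPS = {
    "students":  {person("alice"), person("bob"), person("carol")},
    "staff":     {person("dave"), person("erin")},
    "faculty":   {person("frank"), person("carol")},
    "suspended": {person("bob"), person("erin")},   # the exclusion group
}


def compose_group(include, exclude, groups=GROUPS):
    """Union of the include groups minus every member of any exclude group.
    An unknown group name raises KeyError so the result fails closed instead
    of silently granting access on a misspelt group."""
    members = set()
    for name in include:
        members |= groups[name]
    for name in exclude:
        members -= groups[name]
    return sorted(members)


def to_ldif(cn, members):
    """Render the combined group as the static object handed back to the
    application (groupOfNames requires at least one member)."""
    if not members:
        raise ValueError("groupOfNames %r would have no members" % cn)
    lines = ["dn: cn=%s,ou=groups,%s" % (cn, SUFFIX),
             "objectClass: top",
             "objectClass: groupOfNames",
             "cn: " + cn]
    lines += ["member: " + dn for dn in members]
    return "\n".join(lines) + "\n"


def grouper_lookup(cn, include, exclude, groups=GROUPS):
    """What the slide's arrows describe: the application asks for group cn,
    GROUPER combines and filters, and returns the static entry."""
    return to_ldif(cn, compose_group(include, exclude, groups))


if __name__ == "__main__":
    print(grouper_lookup("blah", ["students", "staff", "faculty"],
                         ["suspended"]))
```

Because the combined entry is recomputed on each lookup, a person added to the exclusion group disappears from the application's view of the group on the next request rather than lingering in a copied static list.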
![Page 83: Internet2 Middleware Drinking Kool-Aid From A Fire Hose or Sniffing Glue-Ware](https://reader035.vdocuments.mx/reader035/viewer/2022062518/56814937550346895db679fb/html5/thumbnails/83.jpg)
83
Certificate Parsing Server
Peter Gietz - a draft to describe X.509 certificates as plain old directory objects. Finding certificates becomes easy for directory aware applications. Use PKI operations on the cert you select to verify it.
David Chadwick - a Certificate Parsing Server (CPS). Like GROUPER but only works on add/delete/modify operations and stores cert objects as child objects as well as userCertificate attributes where they are now.
This should have a dramatic impact on Bridge CA model operations.
![Page 84: Internet2 Middleware Drinking Kool-Aid From A Fire Hose or Sniffing Glue-Ware](https://reader035.vdocuments.mx/reader035/viewer/2022062518/56814937550346895db679fb/html5/thumbnails/84.jpg)
84
What to do next?
•eduOrg, eduPerson, edu(other …)
•Shibboleth
•Roles (RBAC)
•GIG (Group Implementer’s Guide)
•GROUPER, RI-Bot, GASP
•Blue Pages
•LDAP-Recipe (next?)
•Affiliated Directories
•HEBCA, Bridge PKI, etc…
•Video Middleware (commObject)
•GRID AuthN campus integration
•GRID AuthZ campus integration
•Medical Middleware (MedMid)
•Operational Issues (perf/mon)
•Directory Policy
•PKI Policy
•Identity Mgmt Practices
•Metadirectories
•Dir of Dirs Higher Ed (DoDHE)
•LDAP Analyzer
•The Art of Directories/Databases
•PKI-Lite and S/MIME
•Early Harvest for App Developers
•Digital Rights Management (DRM)
•Outreach and Dissemination
•N-Tier Systems (portals)
•Filesystems
•Selling it
•Project Mgmt
(Per-item figures from the slide, one per item in list order: 1, 1, 5, 11, 4, 1, 4, 4, 5, 0, 2, 5, 1, 2, 1, 8, 11, 2, 4, 3, 0, 7, 4, 1, 3, 0, 0, 1, 6)