TOE: tinfrastructure - PowerPoint PPT Presentation

Slides: 11
Provided by: MikeMi5
Transcript and Presenter's Notes

1
TOE t-infrastructure
Mike Mineter mjm_at_nesc.ac.uk
2
OVERVIEW
  • Revision
  • TOE - What we use
  • NGS training CA

3
e-Infrastructure t-Infrastructure
  • T - is for training
  • Training grid
  • Training support services
  • Enabling
  • Training CA
  • Facilitating
  • Training Repositories
  • Training trainers

4
T-Infrastructure
  • mirrors production services to provide infrastructure for training and education
  • is bookable, to ensure availability and responsiveness during courses
  • is sufficiently distributed that the experience of using a grid is real
  • has light-weight authentication giving limited access to resources, avoiding the need for participants to establish grid access before courses
  • can run alternative middleware stacks to those on production grids, for example future releases of these stacks
  • can be used for installation courses and other courses impossible to run on production systems
  • permits course participants to perform actions that are incompatible with production infrastructure, for example to explore security risks

5
Current TOE courses use
  • For EGEE: GILDA
    • With TOE cluster as CE
  • For NGS:
    • Reserved queue on core nodes
    • OGSA-DAI service on TOE cluster
    • Training CA
  • For GT4, Condor:
    • TOE cluster

6
Training Certificates
  • To run any practicals, attendees need certificates
  • One solution is to require all attendees to have gone through the process of obtaining certificates from a CA.
    • Complex, time-consuming process.
    • Difficult to ensure that this has been done by all attendees
    • Attendees would need to bring their certificates with them to the event
    • Need training in how to manage the certificate
    • Configuring resource reservation is complex
  • Better solution: the Training CA.

7
The Training Certificate Authority
  • A fully functional certificate authority for issuing low-assurance short-lived certificates
  • Low-assurance
  • Certificates and pass-phrases issued to local organiser and not the attendee.
  • Attendees do not need to sign UK Terms and conditions of use.
  • Identity checks on attendees are not needed.
  • No need for the attendee to do anything pre-event.
  • All certificate DNs are known pre-event.
  • Easy to distinguish trainees: Training CA signs as /C=UK/O=Grid/O=Test/OU=Authority/CN=Root

8
Site support of the Training CA
  • To support the Training CA from sites/resources:
    • Download the training CA public key and signing policy from http://homepages.nesc.ac.uk/gcw/TrainingCA/
    • Install these into their certificates folder
      • Normally /etc/grid-security/certificates
    • Create a pool of local training accounts
    • Map the training certificates to these pool accounts
      • Certificate DNs are /C=UK/O=Grid/O=Training/
      • is normally user00, user01, user02,
      • user00 is reserved for testing by the local organisers/site administrators
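
An added example, not part of the original slides: a Python audit of a grid-mapfile that checks the mapping step above, so that low-assurance training certificates reach only the pool accounts. The DN prefix and the userNN account names come from the slide (the prefix written in standard /C=.../O=... form); the CN=userNN component, the sample entries, and the two extra rules (no non-training DN on a pool account, no pool account shared by two DNs) are assumptions.

```python
import re
import shlex

TRAINING_PREFIX = "/C=UK/O=Grid/O=Training/"   # DN namespace from the slide
POOL_ACCOUNT = re.compile(r"^user\d{2}$")      # user00, user01, ... as on the slide

# Constructed sample grid-mapfile. The CN=userNN component is an assumption:
# the slide does not show the last part of the training DNs.
SAMPLE_MAPFILE = '''
# training pool
"/C=UK/O=Grid/O=Training/CN=user00" user00
"/C=UK/O=Grid/O=Training/CN=user01" user01
"/C=UK/O=Grid/O=Training/CN=user02" user01
"/C=UK/O=Grid/O=Training/CN=user03" alice
"/C=UK/O=Example/CN=alice example" alice
"/C=UK/O=Example/CN=bob example" user04
'''

def parse_mapfile(text):
    """Yield (line_no, dn, [accounts]) for each '"DN" account' line."""
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)          # handles the quoted DN with spaces
        if len(parts) != 2:
            raise ValueError(f"line {no}: expected '\"DN\" account'")
        yield no, parts[0], parts[1].split(",")

def audit(text):
    """Return (line_no, problem) where training/production separation breaks."""
    findings, owner = [], {}
    for no, dn, accounts in parse_mapfile(text):
        training = dn.startswith(TRAINING_PREFIX)
        for acct in accounts:
            pool = bool(POOL_ACCOUNT.match(acct))
            if training and not pool:
                findings.append((no, "training DN mapped outside the pool"))
            elif pool and not training:
                findings.append((no, "non-training DN mapped to a pool account"))
            elif pool and owner.setdefault(acct, dn) != dn:
                findings.append((no, "pool account shared by two training DNs"))
    return findings

if __name__ == "__main__":
    for no, problem in audit(SAMPLE_MAPFILE):
        print(f"line {no}: {problem}")
```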

9
Certificate Manager
  • Allows certificates to be distributed to attendees using a secure, traceable method
  • Deliberately similar to download from UK CA
  • Designed for use with the (NGS-developed) Java gsissh tool.
  • Only suitable for use when a unique IP address is detectable
    • No proxy or NA(P)T
  • Correspondence established between issued certificate and IP address

10
If the tool cannot be used
  • Due to e.g. proxy IP addresses
  • Either
    • organiser receives all certificates
    • Manual distribution of certificates
  • Or perhaps
    • Use MyProxy server for all certificates

11
Question
  • t-Infrastructure for self-paced learning?