Secure MDSplus Internet Access to Fusion Research Data - PowerPoint PPT Presentation

Description:

Used at more than 30 sites over 4 continents ... Mapping created on server to map user credentials to local account on server. 11/13/09 ... – PowerPoint PPT presentation

Slides: 17
Provided by: fusio4
Transcript and Presenter's Notes

1
Secure MDSplus Internet Access to Fusion Research Data
  • Thomas W. Fredian

2
Topics to be discussed
  • MDSplus Overview
  • Secure Data Access (MDSIP/GSI)
  • What's next?

3
What is MDSplus?
  • A Data Acquisition and Analysis System designed
    for pulsed fusion experiments
  • Designed and implemented 1987-1991
  • Collaboration between PSFC/MIT, IGI/Padova and
    LANL

4
MDSplus features
  • Hierarchical Data Store
  • Simple API for accessing data
  • Built-in expression evaluator
  • Rich set of supported data types
  • Remote access to data via the Internet (available
    since 1994)
  • Wide variety of computer platforms supported

5
Widely used in Fusion Research
  • Used at more than 30 sites over 4 continents
  • Has become a de facto standard for fusion data
    access

6
MDSworld
7
NFC Enhancements to MDSplus
  • Secure authentication
  • Access to remote system only permitted for users
    with valid DOE X.509 certificate credentials
  • Enforced by GSI (Globus Security Infrastructure)
  • Secure data exchange
  • Contents of exchanged data guaranteed
  • MDSplus Online Documentation

8
MDSIP
Client / Server exchange:
  • 1) Client sends username; server replies access accepted/denied
  • 2) Client sends expression to evaluate; server replies with the answer
Client call sequence: 1) MdsConnect(server) 2) Ans=MdsValue(expression) 3) MdsDisconnect()
9
Secure MDSIP
Client / Server exchange:
  • 1) Client obtains proxy credential (grid-proxy-init)
  • 2) Client sends X.509 credential; server replies access accepted/denied
  • 3) Client sends expression to evaluate; server replies with the answer
Client call sequence: 1) grid-proxy-init 2) MdsConnect(server) 3) Ans=MdsValue(expression) 4) MdsDisconnect()
10
Secure MDSIP Setup
  • Install Globus toolkit
  • Install Globus enabled MDSplus (rpm)
  • Host credential obtained from CA and installed on
    server (passphrase-less, expires annually)
  • User credential obtained from CA and installed on
    client (passphrase, expires annually)
  • Mapping created on server to map user credentials
    to local account on server

11
Secure MDSIP Transaction Details
  • Client and Server exchange credentials
  • Client verifies that server credentials match
    target host and signed by valid CA
  • Server verifies user credential signed by valid
    CA
  • Server looks up user credential in certificate to
    username mapping file
  • If accepted, server process switches to local
    user account to use operating system file access
    control
  • Subsequent transactions are signed and verified
  • Server process inherits user credentials for
    connections to other servers
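The transaction on slides 9 through 11 (credential exchange, CA check, expiry, certificate-to-username mapping, signed follow-up requests), as an added example written for this page; it is not MDSplus or Globus code. X.509 signature verification is stood in for by an HMAC over the certificate fields with a constructed CA key so the model runs offline; the mapping file follows the Globus grid-mapfile convention of a quoted DN followed by a comma-separated account list; host certificate subjects of the form /CN=host/<hostname>, and every DN, hostname and date below, are constructed for the illustration.

```python
"""Toy model of the Secure MDSIP transaction (slides 9-11).

Example code added for this page; not MDSplus or Globus code. CA signatures
are modelled with HMAC over the certificate fields so the example runs
offline; a real GSI deployment verifies X.509 signatures against the CA's
public certificate.
"""
import hashlib
import hmac
import shlex
from dataclasses import dataclass
from datetime import date

# Constructed CA signing key (stand-in for the CA's private key).
CA_KEYS = {"DOE Science Grid CA": b"constructed-ca-secret"}


@dataclass(frozen=True)
class Credential:
    subject: str     # distinguished name, e.g. "/O=DOE/OU=PSFC/CN=Alice Example"
    issuer: str      # issuing CA
    not_after: str   # ISO date; slide 10: credentials expire annually
    signature: bytes


def _digest(subject, issuer, not_after, key):
    msg = f"{subject}|{issuer}|{not_after}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def issue(subject, issuer, not_after):
    """CA issues a credential (constructed stand-in for X.509 signing)."""
    return Credential(subject, issuer, not_after,
                      _digest(subject, issuer, not_after, CA_KEYS[issuer]))


def verify(cred, today):
    """Slide 11: credential must be signed by a valid CA and not expired."""
    key = CA_KEYS.get(cred.issuer)
    if key is None:
        return False
    expected = _digest(cred.subject, cred.issuer, cred.not_after, key)
    if not hmac.compare_digest(cred.signature, expected):
        return False
    return date.fromisoformat(today) <= date.fromisoformat(cred.not_after)


def parse_gridmap(text):
    """Parse a Globus-style grid-mapfile: '"/DN with spaces" user1,user2'.
    Blank lines and '#' comments are ignored; malformed lines are skipped."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        if len(parts) != 2:
            continue
        dn, users = parts
        mapping[dn] = [u for u in users.split(",") if u]
    return mapping


# Constructed mapping file (slide 10: "mapping created on server").
GRIDMAP = parse_gridmap("""
# DN -> local account(s)
"/O=DOE/OU=PSFC/CN=Alice Example" alice
"/O=DOE/OU=IGI/CN=Bob Example" bob,mdsplus
""")


def client_checks_server(server_cred, target_host, today):
    """Slide 11, client side: server credential is CA-signed and matches the
    target host. Host subjects of the form /CN=host/<hostname> are an
    assumption of this example."""
    return (verify(server_cred, today)
            and server_cred.subject.endswith(f"/CN=host/{target_host}"))


def server_accepts(user_cred, today):
    """Slide 11, server side: verify the CA signature, then look the DN up in
    the mapping file. Returns the local account to switch to, or None."""
    if not verify(user_cred, today):
        return None
    users = GRIDMAP.get(user_cred.subject)
    return users[0] if users else None


def sign_request(session_key, seq, expression):
    """Slide 11: subsequent transactions are signed. This example MACs the
    sequence number together with the payload, so a captured request cannot
    be resubmitted under a different sequence number."""
    msg = f"{seq}:{expression}".encode()
    return hmac.new(session_key, msg, hashlib.sha256).hexdigest()


def verify_request(session_key, seq, expression, tag):
    return hmac.compare_digest(tag, sign_request(session_key, seq, expression))
```

The server-side order matters: the CA signature and expiry are checked before the mapping lookup, so an unsigned or expired credential never reaches the mapping file, and a valid DN that is absent from the file is denied rather than falling through to a default account. The mapping parser skips malformed lines instead of guessing, which keeps a typo in the file from granting an unintended account.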

12
Secure MDSIP Gateways
  • Can provide secure gateway to any data store with
    dynamically loadable access libraries
  • Legacy data systems
  • Relational databases
  • Can be used for remote job submission

13
GridPST
  • Parallel Socket Tunnel
  • High throughput over high bandwidth/high latency
    network connections

14
GridPST
Throughput comparison, San Diego to Cambridge: Normal 3 Mbps; GridPST 30 Mbps
15
GridPST Details
  • Service assigned to port on local system
  • User connects to local service
  • Service establishes multi-socket connection to
    remote service
  • Remote service connects to real service on its
    local LAN
  • Communication between GridPST services is done
    using parallel socket I/O
  • ANY socket application can use GridPST without
    modification
  • Effective only with services which transmit large
    blocks of data in single I/O operations
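The parallel socket I/O of slide 15, as an added example written for this page: one large write is carved into framed chunks spread round-robin over several sockets, and the far side reorders them before handing the block to the real service. The frame layout is constructed for the illustration and is not GridPST's wire format; the helper streams_used makes the last bullet concrete, since a block smaller than one chunk rides a single socket and gains nothing from the tunnel.

```python
"""Parallel-socket framing model for a GridPST-style tunnel (slide 15).

Example code added for this page; the frame layout is constructed for the
illustration and is not GridPST's wire format.
"""
import random
import struct

# Frame header: block id, chunk sequence number, chunk count, payload length.
HEADER = struct.Struct("!IIII")


def split_block(block_id, data, nstreams, chunk_size=4096):
    """Carve one large I/O block into framed chunks and assign them to the
    parallel sockets round-robin. Returns one byte string per stream."""
    chunks = [data[i:i + chunk_size] for i in range(0, len(data), chunk_size)] or [b""]
    streams = [bytearray() for _ in range(nstreams)]
    for seq, chunk in enumerate(chunks):
        streams[seq % nstreams] += HEADER.pack(block_id, seq, len(chunks), len(chunk)) + chunk
    return [bytes(s) for s in streams]


def streams_used(data_len, nstreams, chunk_size=4096):
    """How many sockets a block actually spreads across: a block smaller than
    one chunk rides a single socket, which is why the tunnel only helps
    services that write large blocks in single I/O operations."""
    nchunks = max(1, -(-data_len // chunk_size))
    return min(nstreams, nchunks)


def parse_frames(stream):
    """Decode the frames carried on one stream; a truncated frame is an error
    rather than silently yielding a short block."""
    frames, off = [], 0
    while off < len(stream):
        if len(stream) - off < HEADER.size:
            raise ValueError("truncated frame header")
        block_id, seq, count, length = HEADER.unpack_from(stream, off)
        off += HEADER.size
        if len(stream) - off < length:
            raise ValueError("truncated frame payload")
        frames.append((block_id, seq, count, stream[off:off + length]))
        off += length
    return frames


class Reassembler:
    """Collects chunks per block; the sockets deliver in any relative order,
    so a block is released only when every sequence number has arrived."""

    def __init__(self):
        self.pending = {}  # block_id -> {seq: payload}

    def feed(self, frame):
        block_id, seq, count, payload = frame
        parts = self.pending.setdefault(block_id, {})
        parts[seq] = payload
        if len(parts) == count:
            del self.pending[block_id]
            return b"".join(parts[i] for i in range(count))
        return None


def tunnel_roundtrip(data, nstreams, chunk_size=4096, seed=0):
    """Send one block through the model tunnel and return what the far side
    reassembles. Frames are shuffled to mimic arrival order across sockets."""
    frames = [f for s in split_block(1, data, nstreams, chunk_size) for f in parse_frames(s)]
    random.Random(seed).shuffle(frames)
    rx = Reassembler()
    result = None
    for frame in frames:
        block = rx.feed(frame)
        if block is not None:
            result = block
    return result
```

Because the tunnel carries arbitrary socket applications unmodified, the receiving end must treat frame headers as untrusted input: the parser refuses truncated frames instead of delivering a partial block, and reassembly is keyed on the sequence numbers rather than on arrival order.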

16
Possible next steps
  • Improved installation procedure
  • One step rpm kit for Fusion grid
  • Explore alternative authentication mechanisms
  • SecurID
  • OpenSSL
  • Production GridPST
  • Continued work on documentation and faq system