Format: PPT, Pages: 103, Size: 194KB
Directories and Certificates.ppt

Directories and Certificates
Renee Woodten Frost, Project Manager, Internet2 Middleware Initiative; I2 Middleware Liaison, University of Michigan. And an ensemble of hundreds.
ACUTA, August 1, 2001

Topics
- Acknowledgements
- What is Middleware?
- Core middleware: the basic technologies
- Directories: issues, architecture, good practices
- Current activities: LDAP Recipe, eduPerson, MACE-Dir, Directory of Directories, Metadirectories
- Certificates: PKI fundamentals, current events in PKI, Shibboleth
- Where to watch

Internet2
- Mission: Develop and deploy advanced network applications and technologies, accelerating the creation of tomorrow's Internet.
- Goals: Enable a new generation of applications; re-create leading-edge Research and Education network capability; transfer technology and experience to the global production Internet.

Middleware Initiatives Acknowledgements
- MACE and the working groups
- Early Harvest: NSF catalytic grant and meeting
- Early Adopters testbed campuses
- Higher Education partners: campuses, EDUCAUSE, CREN, AACRAO, NACUA, etc.
- Corporate partners: IBM, ATT, Sun, et al.
- Government partners, including NSF and the fPKI TWG

MACE (Middleware Architecture Committee for Education)
- Purpose: to provide advice, create experiments, foster standards, etc. on key technical issues for core middleware within higher education
- Membership: Bob Morgan (UW) Chair, Steven Carmody (Brown), Michael Gettes (Georgetown), Keith Hazelton (Wisconsin), Paul Hill (MIT), Jim Jokl (Virginia), Mark Poepping (CMU), David Wasley (California), Von Welch (Grid)
- Creates working groups in major areas, including directories, inter-realm authentication, PKI, medical issues, video, etc.
- Works via conference calls, emails, occasional serendipitous in-person meetings

Early Harvest
- NSF-funded workshop in Fall 99 and subsequent activities
- Defined the territory and established a work plan
- Best practices in identifiers, authentication, and directories (http://middleware.internet2.edu/best-practices.html)
- http://middleware.internet2.edu/earlyharvest/

Early Adopters: The Campus Testbed Phase
- A variety of roles and missions
- Commitment to move implementation forward
- Provided some training and facilitated support
- Develop national models of deployment alternatives
- Address policy standards
- Profiles and plans are on the Internet2 middleware site

Early Adopter Participants
- Dartmouth
- U. of Hawaii
- Johns Hopkins
- U. of Maryland, BC
- U. of Memphis
- U. of Michigan
- Michigan Tech U.
- U. of Pittsburgh
- U. of Southern Cal
- U. of Tennessee, Memphis
- Tufts U.

Partnerships
- EDUCAUSE
- CREN
- Grids, JA-SIG, OKI
- Campuses
- Higher education professional associations: AACRAO, NACUA, CUMREC, etc.
- Increasing international interactions
- Corporate: IBM, Sun, ATT, etc.

Remedial IT Architecture
- The proliferation of customizable applications requires a centralization of "customizations"
- The increase in power and complexity of the network requires access to user profiles
- Electronic personal security services are now an impediment to the next-generation computing grids
- Inter-institutional applications require interoperational deployments of institutional directories and authentication

What is Middleware?
- Specialized networked services that are shared by applications and users
- A set of core software components that permit scaling of applications and networks
- Tools that take the complexity out of application integration
- A second layer of the IT infrastructure, sitting above the network
- A land where technology meets policy
- The intersection of what network designers and application developers each do not want to do

Specifically
- Digital libraries need scalable, interoperable authentication and authorization.
- The Grid is a new paradigm for a computational resource; Globus provides middleware, including security, location and allocation of resources, and scheduling. This relies on campus-based services and inter-institutional standards.
- Instructional Management Systems need authentication and directories.
- Next-generation portals want common authentication and storage.
- Academic collaboration requires restricted sharing of materials between institutions.
- What Internet1 did with communication, Internet2 may do with collaboration.

A Map of Middleware
(figure slide)

The Grid
- A model for a distributed computing environment, addressing diverse computational resources, distributed databases, network bandwidth, object brokering, security, etc.
- Globus (www.globus.org) is the software that implements most of these components; Legion is another such software environment
- Needs to integrate with campus infrastructure
- Gridforum (www.gridforum.org): umbrella activity of agencies and academics
- Look for grids to occur locally and nationally, in physics, earthquake engineering, etc.

Core Middleware
- Identity: unique markers of who you (person, machine, service, group) are
- Authentication: how you prove or establish that you are that identity
- Directories: where an identity's basic characteristics are kept
- Authorization: what an identity is permitted to do
- PKI, etc.: emerging tools for security services

What is the nature of the work?
- Technological: establish campus-wide services (name space, authentication); build an enterprise directory service; populate the directory from source systems; enable applications to use the directory
- Policies and politics: clarify relationships between individuals and institution; determine who manages, who can update and who can see common data; structure information access and use rules between departments and central administrative units; reconcile business rules and practices

What are the benefits to the institution?
- Economies for central IT: reduced account management, better web site access controls, tighter network security
- Economies for distributed IT: reduced administration, access to better information feeds, easier integration of departmental applications into campus-wide use
- Improved services for students and faculty: access to scholarly information, control of personal data, reduced legal exposures
- Participation in future research environments: Grids, videoconferencing, etc.
- Participation in new collaborative initiatives: Directory of Directories, Shibboleth, etc.

What are the costs to the institution?
- Modest increases in capital equipment and staffing requirements for central IT
- Considerable time and effort to conduct campus-wide planning and vetting processes
- One-time costs to retrofit some applications to new central infrastructure
- One-time costs to build feeds from legacy source systems to central directory services
- The political wounds from the reduction of duchies in data and policies

OIDs to reference identifiers
- Numeric coding to uniquely define many middleware elements, such as directory attributes and certificate policies
- Numbering is only for identification (are two OIDs equal? If so, the associated objects are the same): no ordering, search, hierarchy, etc.
- Distributed management; each campus typically obtains an "arc", e.g. 1.3.4.1.16.602.1, and then creates OIDs by extending the arc, e.g. 1.3.4.1.16.602.1.0, 1.3.4.1.16.602.1.1, 1.3.4.1.16.602.1.1.1

Getting an OID
- Apply at IANA at http://www.iana.org/cgi-bin/enterprise.pl
- Apply at ANSI at http://web.ansi.org/public/services/reg_org.html
- More info at http://middleware.internet2.edu/a-brief-guide-to-OIDs.doc

Major campus identifiers
- UUID
- Student and/or emplid
- Person registry ID
- Account login ID
- Enterprise-LAN ID
- Student ID card
- Net ID
- Email address
- Library/departmental ID
- Publicly visible ID (and pseudo-SSN)
- Pseudonymous ID

General Identifier Characteristics
- Uniqueness (within a given context)
- Dumb vs intelligent (i.e. whether subfields have meaning)
- Readability (machine vs human vs device)
- Affordance (centrally versus locally provided)
- Resolver approach (how the identifier is mapped to its associated object)
- Metadata (associated with both the assignment and the resolution of an identifier)
- Persistence (permanence of the relationship between identifier and specific object)
- Granularity (degree to which an identifier denotes a collection or component)
- Format (check digits)
- Versions (can the defining characteristics of an identifier change over time)
- Capacity (size limitations imposed on the domain or object range)
- Extensibility (the capability to intelligently extend one identifier to be the basis for another identifier)

Important Characteristics
- Semantics and syntax: what it names and how it names it
- Domain: who issues it and over what space the identifier is unique
- Revocation: can the subject ever be given a different value for the identifier
- Reassignment: can the identifier ever be given to another subject
- Opacity: is the real-world subject easily deduced from the identifier (privacy and use issues)

Identifier Mapping Process
- Map campus identifiers against a canonical set of functional needs
- For each identifier, establish its key characteristics, including revocation, reassignment, privileges, and opacity
- Shine a light on some of the shadowy underpinnings of middleware
- A key first step towards the loftier middleware goals

Authentication Options
- Password based: clear text, LDAP, Kerberos (Microsoft or K5 flavors)
- Certificate based
- Others: challenge-response, biometrics
- Inter-realm is now the interesting frontier

Cuttings: Authentication
- User-side management: crack, change, compromise
- Central-side password management: change management, OS security
- First password assignment: secure delivery
- Policies: restrictions or requirements on use

Some authentication good practices
- Precrack new passwords
- Precrack using foreign dictionaries as well as US
- Confirm new passwords are different from old
- Require password change if possibly compromised
- Use shared secrets or positive photo ID to reset forgotten passwords
- US Mail a one-time password (time-bomb)
- In person with a photo ID (some require two)
- For remote faculty or staff, an authorized departmental representative in person, coupled with a faxed photo ID
- Initial identification/authentication will emerge as a critical component of PKI

Directory Issues
- Applications
- Overall architecture: chaining and referrals, redundancy and load balancing, replication, synchronization, directory discovery
- The schema and the DIT (Directory Tree): attributes, organizational units (ou), naming, object classes, groups
- Attributes and indexing
- Management: clients, delegation of access control, data feeds

Directory-enabled applications
- Email
- Account management
- Web access controls
- Portal support
- Calendaring
- Grids

A Campus Directory Architecture
(figure slide; components shown: metadirectory, enterprise directory, directory database, departmental directories, OS directories (MS, Novell, etc.), border directory, registries, source systems)

Key Architectural Issues
- Interfaces and relationships with legacy systems
- Performance in searching
- Binding to the directory
- Load balancing and backups are emerging but proprietary
- Who can read or update what fields
- How much to couple the enterprise directory with an operating system
- http://www.georgetown.edu/giia/internet2/ldap-recipe/

Schema and DIT Good Practices
- People, machines, services
- Be very flat in people space
- Keep accounts as attributes, not as an organizational unit (ou)
- Replication and group policies should not drive schema
- RDN name choices are rich and critical
- Other keys to index
- Creating and preserving unified name spaces

Attribute Good Practices
- inetOrgPerson, eduPerson, localPerson
- Never repurpose an RFC-defined field. Add new attributes; adding attributes is easier than thought
- Keep schema checking on, unless it is done in the underlying database; watch performance
- Most LDAP clients do not treat multi-valued attributes well, but doing multiple fields and separate domain names (dns) is no better

Management Good Practices
- No trolling permitted; more search than read
- LDAP client access versus web access
- Give deep thought to who can update
- Give deep thought to when to update
- LDIF likely to be replaced by XML as exchange format
- Delegation of control: scalability
- "See also", referrals, replication, synchronization in practice
- Replication should not be done tree-based but should be filtered by rules and attributes

Current Activities in Directories
- LDAP Recipe
- eduPerson
- MACE-DIR
- Directory of Directories for Higher Education
- Metadirectories

LDAP Recipe
- How to build and operate a directory in higher education
- 1 Tsp. DIT planning
- 1 Tbsp. schema design
- 3 oz. configuration
- 1000 lbs. of data
- Good details, such as tradeoffs/recommendations on indexing, how and when to replicate, etc.
- http://www.georgetown.edu/giia/internet2/ldap-recipe/

LDAP Recipe Contents
- Directory Information Tree
- Schema Design
- Directory of Directories for Higher Education (DoDHE) expectations
- Schema Design (continued)
- Schema: how to upgrade it?
- Password Management
- Bindings
- eduPerson attribute discussions
- Access Control
- Replication
- Name Population
- LDAP filter config file for white pages
- telephoneNumber formatting
- CHANGELOG

eduPerson
- A directory object class intended to support inter-institutional applications
- Fills gaps in traditional directory schema
- For existing attributes, states good practices where known
- Specifies several new attributes and controlled vocabulary to use as values
- Provides suggestions on how to assign values, but leaves it to the institution to choose
- Version 1.0 standard; v1.5 under discussion

Issues about Upper Class Attributes
- eduPerson inherits attributes from Person, inetOrgPerson
- Some of those attributes need conventions about controlled vocabulary (e.g. telephones)
- Some of those attributes need ambiguity resolved via a consistent interpretation (e.g. email address)
- Some of the attributes need standards around indexing and search (e.g. compound surnames)
- Many of those attributes need access control and privacy decisions (e.g. JPEG photo, email address, etc.)

New eduPerson Attributes
- eduPersonAffiliation
- eduPersonPrimaryAffiliation
- eduPersonOrgDN
- eduPersonOrgUnitDN
- eduPersonPrincipalName
- eduPersonNickname

eduPersonAffiliation
- Multi-valued list of relationships an individual has with the institution
- Controlled vocabulary includes: faculty, staff, student, alum, member, affiliate, employee
- Applications that use it: Shibboleth, digital libraries, DoDHE
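The two OID slides (OIDs to reference identifiers, Getting an OID) describe a campus arc and equality-only comparison; the following is an added example, not part of the original deck, implementing those rules in Python and also showing the DER form such an OID takes inside a certificate, which goes beyond what the slides cover. The arc 1.3.4.1.16.602.1 and its three children are the slide's own sample values, not a real registration.

```python
# Added example (not from the deck): campus OID arcs as the slide describes them,
# plus the DER form an OID takes inside a certificate (e.g. a policy identifier).
# 1.3.4.1.16.602.1 and its three children are the slide's sample values.

CAMPUS_ARC = "1.3.4.1.16.602.1"
ALLOCATED = ["1.3.4.1.16.602.1.0", "1.3.4.1.16.602.1.1", "1.3.4.1.16.602.1.1.1"]

def parse_oid(text: str) -> tuple:
    """Dotted text -> tuple of arcs, with the X.660 limits on the first two
    arcs (first is 0, 1 or 2; second is below 40 when the first is 0 or 1)."""
    arcs = tuple(int(a) for a in text.split("."))
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] >= 40):
        raise ValueError(f"invalid OID {text!r}")
    return arcs

def same_object(a: str, b: str) -> bool:
    """Equality is the only meaningful comparison: OIDs have no ordering."""
    return parse_oid(a) == parse_oid(b)

def under_arc(oid: str, arc: str) -> bool:
    """True when oid was allocated beneath arc. Compare arc by arc: a string
    prefix test would wrongly accept 1.3.4.1.16.602.10 under ...602.1."""
    o, a = parse_oid(oid), parse_oid(arc)
    return len(o) > len(a) and o[:len(a)] == a

def next_child(arc: str, allocated: list) -> str:
    """Allocate the lowest unused direct child of arc (management is local)."""
    depth = len(parse_oid(arc))
    used = {parse_oid(x)[depth] for x in allocated
            if under_arc(x, arc) and len(parse_oid(x)) == depth + 1}
    n = 0
    while n in used:
        n += 1
    return f"{arc}.{n}"

def _base128(n: int) -> bytes:
    """Big-endian 7-bit groups, continuation bit set on all but the last."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))

def der_encode_oid(text: str) -> bytes:
    """DER OBJECT IDENTIFIER: tag 0x06, short-form length, then 40*first+second
    followed by each remaining arc in base 128."""
    arcs = parse_oid(text)
    body = b"".join([_base128(40 * arcs[0] + arcs[1])] + [_base128(a) for a in arcs[2:]])
    if len(body) >= 128:
        raise ValueError("long-form length not needed for campus OIDs")
    return bytes([0x06, len(body)]) + body
```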
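The practices on the "Some authentication good practices" slide, as an added example that is not from the deck: a Python policy routine that precracks a new password against US and foreign word lists, confirms it differs from the old one, and forces a change once an account is flagged as possibly compromised. The word lists are tiny constructed samples, and treating a trailing-digit bump as "not different" is an assumption that goes slightly beyond the slide's wording.

```python
# Added example (not from the deck): enforcing the password practices on the
# "Some authentication good practices" slide at the moment a password is set.
# Word lists are tiny constructed samples; a real deployment loads full dictionaries.

import hashlib, hmac, os, re

US_WORDS = {"password", "wolverine", "football", "summer"}
FOREIGN_WORDS = {"passwort", "motdepasse", "wachtwoord", "senha"}  # foreign as well as US
LEET = str.maketrans("013457@$!", "oleastasi")  # undo common substitutions before lookup

def normalize(pw: str) -> str:
    """Lowercase, drop a trailing run of digits, then undo letter/digit swaps,
    so Wolverine2001 and P@ssw0rt are both caught as dictionary words."""
    return re.sub(r"\d+$", "", pw.lower()).translate(LEET)

def check_new_password(new: str, old: str = None):
    """Precrack: return a rejection reason, or None if the password may be set."""
    if normalize(new) in US_WORDS or normalize(new) in FOREIGN_WORDS:
        return "dictionary"
    if old is not None:
        if new == old:
            return "same-as-old"
        if normalize(new) == normalize(old):  # assumption: a digit bump is not "different"
            return "variant-of-old"
    return None

def _hash(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

def set_password(account: dict, new: str, old: str = None):
    """Apply the checks, then store only a salted hash of the accepted password."""
    reason = check_new_password(new, old)
    if reason:
        return False, reason
    account["salt"] = os.urandom(16)
    account["hash"] = _hash(new, account["salt"])
    account["must_change"] = False
    return True, "accepted"

def flag_compromised(account: dict) -> None:
    """'Require password change if possibly compromised': block use until changed."""
    account["must_change"] = True

def login(account: dict, pw: str) -> str:
    """'denied', 'change-required' (right password, change forced) or 'ok'."""
    if "hash" not in account or not hmac.compare_digest(account["hash"], _hash(pw, account["salt"])):
        return "denied"
    return "change-required" if account["must_change"] else "ok"
```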
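An added example, not from the deck or the eduPerson specification, tying together the eduPerson slides and the schema/attribute good-practice slides: Python that validates a person entry against the eduPersonAffiliation controlled vocabulary and emits it as LDIF with a flat DN under ou=People. The suffix dc=example,dc=edu, the uid, the local "ex" attribute prefix and exPerson class, and the rule that the primary affiliation must be one of the affiliation values are assumptions.

```python
# Added example (not from the deck): validate an eduPerson entry against the
# slides' attribute advice and emit it as LDIF with a flat DN under ou=People.
# Suffix, uid, the 'ex' local prefix and the primary-affiliation rule are assumptions.

# controlled vocabulary listed on the eduPersonAffiliation slide
AFFILIATIONS = {"faculty", "staff", "student", "alum", "member", "affiliate", "employee"}
# attributes supplied by the standard classes (a subset, enough for the example)
INETORGPERSON = {"uid", "cn", "sn", "givenName", "mail", "telephoneNumber", "displayName"}
EDUPERSON = {"eduPersonAffiliation", "eduPersonPrimaryAffiliation", "eduPersonPrincipalName",
             "eduPersonOrgDN", "eduPersonOrgUnitDN", "eduPersonNickname"}
LOCAL_PREFIX = "ex"  # assumed naming convention for the local auxiliary class exPerson

def validate_person(attrs: dict, scope: str) -> list:
    """Return the problems found; an empty list means the entry may be loaded."""
    problems = []
    affs = attrs.get("eduPersonAffiliation", [])
    for a in affs:
        if a not in AFFILIATIONS:
            problems.append(f"eduPersonAffiliation {a!r} not in controlled vocabulary")
    primary = attrs.get("eduPersonPrimaryAffiliation")
    if primary and primary not in affs:  # assumption: primary is one of the listed values
        problems.append("eduPersonPrimaryAffiliation missing from eduPersonAffiliation")
    eppn = attrs.get("eduPersonPrincipalName", "")
    if eppn.count("@") != 1 or not eppn.endswith("@" + scope):
        problems.append(f"eduPersonPrincipalName must be user@{scope}")
    # "never repurpose an RFC-defined field": local data goes into locally named
    # attributes, so anything outside the standard classes must carry the prefix
    for name in attrs:
        if name not in INETORGPERSON | EDUPERSON and not name.startswith(LOCAL_PREFIX):
            problems.append(f"attribute {name!r} is neither standard nor local")
    return problems

def to_ldif(attrs: dict, suffix: str) -> str:
    """Flat people space: every person sits directly under ou=People, and the
    account name is the uid attribute, not a nested organizational unit."""
    lines = [f"dn: uid={attrs['uid']},ou=People,{suffix}"]
    for oc in ("person", "organizationalPerson", "inetOrgPerson", "eduPerson", "exPerson"):
        lines.append(f"objectClass: {oc}")
    for name, value in attrs.items():
        for v in (value if isinstance(value, list) else [value]):
            lines.append(f"{name}: {v}")  # multi-valued attributes repeat the name
    return "\n".join(lines) + "\n"

# constructed sample entry
SAMPLE = {"uid": "jdoe", "cn": "Jane Doe", "sn": "Doe", "mail": "jdoe@example.edu",
          "eduPersonAffiliation": ["staff", "member"],
          "eduPersonPrimaryAffiliation": "staff",
          "eduPersonPrincipalName": "jdoe@example.edu",
          "exLibraryId": "L-0001"}
```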
