Gateway

Date post: 25-Feb-2016
Upload: kareem
Description:
Gateway: Building Secure Web Portals for Scientific Computing. Marlon Pierce, School of Computational Science and Information Technology, Florida State University. Overview: design goals and constraints; system architecture (three-tiered system); security considerations. (PowerPoint presentation)
Transcript
Page 1: Gateway

Gateway
Building Secure Web Portals for Scientific Computing

Marlon Pierce
School of Computational Science and Information Technology
Florida State University

Page 2: Gateway

Overview

- Design Goals and Constraints
- System Architecture
  - Three-tiered system
- Security Considerations
  - What security do we need?
  - Three-tiered security system

Page 3: Gateway

Project Goals

- Provide seamless access to HPC resources from the user's web browser.
- Hide underlying complexities of environment behind a point-and-click interface.
- Use platform and language independent tools to build distributed infrastructure.
  - Java, CORBA, XML

Page 4: Gateway

Funding and Deployment

- Project funded by DoD Modernization Program (PET).
- Deployment targeted for ASC and ARL MSRCs.
- Requirement: Compatible with existing security infrastructure
  - Kerberos and SecurID

Page 5: Gateway

Project Design Overview

- Three-tiered architecture
  - Browser-based, dynamic front-end
  - Scalable, distributed middle-tier
  - Heterogeneous backend resources
- Three major constituents:
  - Problem Solving Environment for users (OSC)
  - WebFlow (NPAC)
  - HPC resources (ASC)

Page 6: Gateway

PSE Design Goals

- User interface with three toolkits
- Problem Description Toolkit
  - Describe problem in scientific terms
  - Archive old sessions
- Code Toolkit
  - Assist user in creating job requests
- Analysis Toolkit

Page 7: Gateway

PSE Decision Containers

[Diagram. Container labels: User Context; Problem Context; Session Context. Example entries: "Marlon's Chemistry Project"; "30 Particles, Energy, Crystal Structure"; "Run Gaussian on SP2 with In.dat".]

Page 8: Gateway

WebFlow

- CORBA-based distributed components.
- Each user has a personal slave server.
- Master server acts as a gatekeeper, maintaining proxies of all child objects.
- WebFlow provides general methods for managing containers (contexts).
- WebFlow can be extended with modules (ContextManager, submitJob, Charon)

Page 9: Gateway

T. Haupt 9

WebFlow Context Hierarchy

[Diagram labels: Master Server (Gatekeeper); Slave Server (two instances); Slave Server Proxy; User Context; Application Context; Module.]

Page 10: Gateway

Back-End Resources

- High performance computers
  - Batch queues
  - Globus scheduler
- Mass storage devices
- Databases (through JDBC)
- Chemistry, visualization software
- Everything else

Page 11: Gateway

Gateway Communication I

[Diagram. Components: Browser; Apache Tomcat Web Server with PSE; WebFlow; ORB (two instances); HPC Resources, Mass Storage, DBs. Link labels: HTTP(S); krsh, krcp.]

Page 12: Gateway

CORBA Security Service Overview

- Provides generic interfaces to standard security services
  - Authentication
  - Integrity and Confidentiality
  - Delegation
- Implementations can be built over specific security mechanisms.
  - GSS mechanisms like Kerberos
  - SSL

Page 13: Gateway

CORBA Security Services

[Diagram labels: Security Specification API; Security Implementation; Vendor-Supplied Interface.]

Page 14: Gateway

Gateway Communication II

[Diagram. Components: Browser; Charon; ORB (four instances); WebFlow Servers; Apache Tomcat with PSE; HPC Resources, Mass Storage, DBs. Link labels: HTTP; SECIOP (twice); krsh, krcp.]

Page 15: Gateway

Secure Gateway Login Process

- User gets forwardable Kerberos ticket at beginning of the day with kinit.
- User starts personal WebFlow slave server that registers with the master.
  - Slave runs with user's id.
- User starts Charon Client, which uses his/her TGT to authenticate to the WebFlow master server.

Page 16: Gateway

Charon: Client-Server Security

- Charon application intercepts all requests to predetermined port on user's computer.
- Requests are wrapped with WebFlow methods and tunneled to web server with SECIOP.
  - Server masquerades as client's localhost.
- Different browsers on same machine distinguished with session cookies.

Page 17: Gateway

Charon II

- Charon extracts user's name from his credentials.
- This is used to set a server-side cookie.
- PSE servlets use the info in the cookie for access control.

Page 18: Gateway

PSE-WebFlow Communication

- A WebFlow client ORB runs in a servlet.
- Master's ORB is declared static.
- All PSE servlets access WebFlow methods directly.
- PSE accesses slave server indirectly through master.

[Diagram labels: JVMs; WebFlow Client; PSE Servlets; Slave WFS.]

Page 19: Gateway

Middle Tier Security

- Client does not talk directly to slave.
- Indirect invocation through master's proxy.
- Master and slave run with different ids.
- Need delegation and mutual authentication.

[Diagram labels: Client; Master; Slave; Proxy; Module.]

Page 20: Gateway

Security: WebFlow to HPCs

- User requests are passed from master to appropriate slave.
- Slave makes external call with krsh, krcp to HPC resources.
- The slave is created by the user with forwardable credentials, so external calls use existing security mechanism.
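
Added example (not from the original slides or the Gateway project): the login steps on the "Secure Gateway Login Process" slide and the krsh/krcp calls on this slide both depend on the user's TGT being forwardable, so a pre-flight check before starting the slave server catches a missing or non-forwardable ticket early. It assumes the MIT `klist -f` output layout; the function names and the sample ticket listings are constructed for illustration.

```shell
# Added example, not Gateway project code.
# tgt_forwardable: read `klist -f` text on stdin and report on the TGT.
# Return codes (chosen for this example):
#   0 = a krbtgt entry carries the F (forwardable) flag
#   1 = a krbtgt entry exists but none is forwardable
#   2 = no krbtgt entry in the cache
tgt_forwardable() {
    awk '
        # Ticket line: the service principal is the last field.
        $NF ~ /^krbtgt\// { in_tgt = 1; seen = 1; next }
        # Any other non-indented line ends the current TGT entry.
        /^[^ \t]/ { in_tgt = 0 }
        # Indented continuation line of the TGT entry holding its flags.
        in_tgt && match($0, /Flags: [A-Za-z]+/) {
            flags = substr($0, RSTART + 7, RLENGTH - 7)
            # Uppercase F is forwardable; lowercase f only means forwarded.
            if (index(flags, "F") > 0) fwd = 1
            in_tgt = 0
        }
        END { if (!seen) exit 2; exit (fwd ? 0 : 1) }
    '
}

# Hypothetical pre-flight to run before starting the slave server.
gateway_preflight() {
    rc=0
    klist -f 2>/dev/null | tgt_forwardable || rc=$?
    case "$rc" in
        0) echo "forwardable TGT present" ;;
        1) echo "TGT is not forwardable; rerun kinit -f" ;;
        *) echo "no TGT in cache; run kinit -f" ;;
    esac
    return "$rc"
}

# Constructed sample listings in the MIT klist -f layout (not real tickets).
SAMPLE_FWD='Default principal: alice@EXAMPLE.ORG

Valid starting     Expires            Service principal
02/25/16 09:00:00  02/25/16 19:00:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
        renew until 02/26/16 09:00:00, Flags: FRIA'
SAMPLE_NOFWD='Default principal: alice@EXAMPLE.ORG

Valid starting     Expires            Service principal
02/25/16 09:00:00  02/25/16 19:00:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
        Flags: IA
02/25/16 09:05:00  02/25/16 19:00:00  host/hpc.example.org@EXAMPLE.ORG
        Flags: AT'
```

Only the krbtgt entry is inspected; flags on service tickets such as host/ entries are ignored.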

Page 21: Gateway

Acknowledgements

- NPAC/FSU/MSU
  - Geoffrey Fox
  - Tomasz Haupt
  - Erol Akarsu
  - Choonhan Youn
- OSC
  - Ken Flurchick
  - Jan Labanowski
  - Armen Ezekielian
- Adiron Software
  - Polar Humenn

Page 22: Gateway

Further Information

- www.gatewayportal.org (coming soon)
- www.osc.edu/~kenf/sciPortal
- www.erc.msstate.edu/~haupt/WebFlow

