
Focus on the CA : News and Developments


The development of SAGrid Certificate Authority was the focus of a recent article written after an interview with Tarirai Chani of the Meraka Institute. Read the full article below for more information.


South Africa’s compute grid certification authority gathers momentum, thanks to CSIR


Following accreditation to the EU grid policy management authority (EUGridPMA), South Africa will take one step closer to establishing a national certification authority (CA) for the South African National Compute Grid (SAGrid) which provides a federated computing platform to South Africa's various research communities. Groundwork in this regard is being undertaken by Tarirai Chani of the CSIR’s Meraka Institute, with support from the SAGrid coordinator, Dr Bruce Becker. Chani is on a PhD studentship in the high performance computing research group of the Meraka Institute.

Prior to joining the Meraka Institute, Chani was with the department of computer science at the University of Zululand where she did her M.Sc. degree. Her dissertation focused on service level agreements (SLAs) in grid environments. She obtained her B.Sc. Hons. at the Midlands State University in Zimbabwe in 2005 before her stint as a systems analyst for Pelhams Holdings. Her research interests include grid security, public key infrastructure, SLAs and web services.

With this public key infrastructure for the scientific community in place, South Africa will attain the status of an internationally trusted grid node among its peers, with immediate benefits to the scientific users of the SA National Grid. In the meantime, the SAGrid infrastructure and users are issued with digital certificates from the Italian National Institute of Nuclear Physics (INFN). The INFN CA has served as extraordinary authority for other projects similar to SAGrid, notably EUMedGrid, in the past.

A grid-based computing infrastructure allows users to collaborate with each other, via a national research network, in this case, the South African National Research Network, as well as with other grid users internationally. The CA plays a vital role by ensuring that users are identified and authorised to perform tasks. This is done by the issuing of digital certificates.

The advantages of a compute grid are numerous: users are able to collaborate across administrative domains and can perform computationally intensive tasks, as well as obtain collaborative access to data sets in a secure way. International resources can be accessed more readily and faster due to the interoperability of the middleware. And all of this happens with peace of mind when a CA is put in place to ensure security.

How to set up a CA

Underlying this activity is a stringent set of policies and practices (the so-called CP/CPS). Chani has produced a draft document containing the CP/CPS for the South African CA, which is now under review. Reviewers include CAs from the Netherlands (David Groep), the United Kingdom (Jens Jensen), Austria (Willy Weisz) and Italy (INFN) (Roberto Cecchini), and colleagues at the Meraka Institute, notably Dr Barend Taute and Karel Matthee, both experts in the field of information security. Chani will present this at the Berlin meeting of the EUGridPMA in September 2009 for review by her peers.

In parallel, she is testing the operation of the CA itself on the SAGrid virtual pre-production and testing environment (PPS) at the Free State University site. Open source software is used to run the machine, notably OpenSSL.

While there is definite public benefit from this exercise, Chani is planning to write up her research into this unique infrastructure as the content of a PhD in computer science.

What are digital certificates?
Digital certificates are often embedded in a browser and requested via the web interface of the CA. To qualify for a digital certificate, the prospective grid user follows a process of identification by which he or she is confirmed as a trusted user by a registration authority. Personal details are verified by the CA against a range of records and a user may have more than one digital certificate. In certain cases, where personal certificates are not strictly applicable, so-called robot certificates are issued in order to allow access to the grid services for certain communities (read more about robot certificates at Wikipedia, the Grid Application User Support site, or how they work with the GENIUS portal).

To ensure that these certificates remain trusted, the CA will have in place a process by which they can be issued, renewed (when past an end date) or revoked, in cases where they have been compromised. Information from other CAs is cross-referenced to ensure that digital certificates are continually cross-checked against revocation lists. A meticulous process is followed by which all delays in daily updates of this nature must be explained to CAs in other countries across the PMA.

Keeping the CA secure
Other measures in place to keep the CA safe are extremely practical. The machine is kept off-line unless it is in operation and the CA digital keys are stored on a machine in a locked safe. Back-ups of data are stored off-site and all closures are scheduled and users informed. The CP/CPS is also updated regularly with approval from the PMA.

At present, it is envisaged that the CA will be operated from the Meraka Institute, and certain responsibilities will be delegated to trusted registration authorities across the country. The central CA retains responsibility for the approval of the issuing of digital certificates.

Chani envisages issuing 10 certificates per week for starters, but this could grow very significantly over the next year as the SA Grid becomes widely used.

Last Updated ( Monday, 10 August 2009 13:22 )  

