knowledge · information · learning - Forschungszentrum L3S
INFORMATION

D-Grid Integration Project Phase 2
Toward a Reliable Grid Infrastructure in Germany

The first D-Grid Integration Project (DGI-1) established a core grid infrastructure in Germany. The follow-up project, DGI-2, will establish this infrastructure for long-term use and sustainability. Towards these goals, the main objectives of DGI-2 (in close collaboration with existing e-science communities in Germany) were precisely outlined. In phase two, emphasis will be placed on the support and operation of the grid infrastructure, its data management, and security. The L3S Research Center is responsible for security management and development activities within DGI-2.

L3S coordinates the security and development activities in DGI-2 with a strong focus on the sustainable implementation of services for e-science. For this purpose, L3S defines suitable levels of security in D-Grid, implements the required authentication and fine-grained authorization together with concepts for using firewalls, and provides a comprehensive accounting infrastructure.

Challenges

D-Grid allows many different communities to access distributed high performance computing and storage resources. The challenge of DGI-2 is to create feasible accessibility and sound business models by ensuring suitable levels of security and performance, in conjunction with commercial and legal support.

Highlights

Security Management in D-Grid: The objective of security management is to coordinate all security-related activities in D-Grid. One task is the definition of appropriate criteria for evaluating existing and potential security levels for the D-Grid communities. Another important task is the creation of suitable policies for supporting the sustainable operation of the D-Grid infrastructure. Additionally, L3S delivers pertinent recommendations and supports enforcing each security level while taking into account the specific applications of each grid community.

In D-Grid, authorization is currently based solely on user identities as represented by public key certificates. This rudimentary approach will be replaced by a more fine-grained one, which extends the authentication and authorization infrastructure to additionally rely on user attributes. Authorization decisions shall be based upon attributes managed by the users' Virtual Organizations (groups, roles), as well as the so-called campus attributes, which are managed by their respective home organizations (nationality, affiliation). Further, the use of a Short-Lived Certificate Service shall simplify access to D-Grid for entire communities by mapping users of existing identity management systems to short-lived public key certificates.
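
The move from identity-only to attribute-based authorization described above, as an added example (not code from D-Grid or L3S). The issuer labels, attribute names, policy and sample users are assumptions; an attribute counts only when it is asserted by the party that manages it.

```python
from dataclasses import dataclass

# Assumed mapping: which party is authoritative for which attribute.
AUTHORITATIVE = {
    "group": "vo", "role": "vo",                   # managed by the Virtual Organization
    "nationality": "home", "affiliation": "home",  # campus attributes, home organization
}

@dataclass(frozen=True)
class Assertion:
    issuer: str  # "vo" or "home" (hypothetical labels)
    name: str
    value: str

def identity_only(subject_dn, gridmap):
    """Current model: the certificate subject alone decides."""
    return subject_dn in gridmap

def trusted_attributes(assertions):
    """Keep only attributes asserted by the party that manages them."""
    attrs = {}
    for a in assertions:
        if AUTHORITATIVE.get(a.name) == a.issuer:
            attrs.setdefault(a.name, set()).add(a.value)
    return attrs

def attribute_based(assertions, policy):
    """Permit only if every required attribute has an allowed value."""
    attrs = trusted_attributes(assertions)
    # An empty policy denies (fail closed) instead of permitting everyone.
    return bool(policy) and all(
        attrs.get(name, set()) & allowed for name, allowed in policy.items()
    )

# Constructed sample data.
ALICE_DN = "/O=ExampleGrid/OU=Example University/CN=Alice Example"
GRIDMAP = {ALICE_DN}
POLICY = {"group": {"climate"}, "role": {"analyst"}, "affiliation": {"staff"}}
ALICE = [
    Assertion("vo", "group", "climate"),
    Assertion("vo", "role", "analyst"),
    Assertion("home", "affiliation", "staff"),
]
# Same VO attributes, but the affiliation comes from the VO, which does not manage it.
WRONG_ISSUER = ALICE[:2] + [Assertion("vo", "affiliation", "staff")]
```
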

The vast majority of resources in D-Grid are operated within networks that are protected by firewalls. Firewalls need to be correctly configured so that unauthorized access is blocked while legitimate communications take place seamlessly. To simplify this process, L3S delivers a set of profiles for firewall configuration characterized by different levels of security. Resource providers and user communities are able to choose the configuration that best meets their requirements. In order to verify that a given profile is correctly implemented, a tool automatically performs periodic checks that the firewall complies with the expected behavior.