Grid Research Integration Deployment and Support Center 

Home
GRIDS Essentials
Grid Ecosystem
Training & Support
News & Outreach
Grid Projects Database
Newsletter
Meetings
Stories
Papers
Downloads

Secure Sign-on and Credentials-Based Authentication for the LTER Grid

October 18, 2005 - Working with research communities to provide development and access management tools for Grid and other research environments, the eighth release of the National Science Foundation Middleware Initiative (NMI-R8) helps to facilitate the complex resource management and security required in a shared cyberinfrastructure. NMI-R8 is available to the public for downloading under open-source licenses at the NMI website.

A significant challenge in the development of such community grids as the LTER Grid is finding ways to take advantage of the community's existing authentication facilities. For example, LTER wanted to use its existing LDAP directory to grant single-sign-on access to grid resources. Unfortunately, at the time, MyProxy, which allows users to retrieve credentials over a network, only supported internal usernames and passphrases. NCSA Senior Research Scientist Jim Basney and GRIDS Center member Bill Baker, also at NCSA, added an option to use PAM (Pluggable Authentication Modules), a widely-supported framework, which was used to integrate with LDAP. PAM support in MyProxy has been taken up rapidly by the grid community, including TeraGrid, which uses it to integrate with Kerberos authentication.

However, PAM integration only solved half of LTER's problem; administrative intervention was still required to initialize credentials managed by MyProxy. The second half of the problem -- automatically creating security credentials based on LDAP accounts -- has recently been solved outside of the LTER pilot project by integrating a Certificate Authority into MyProxy. Thus, future LTER grid efforts will be able to fully provide single-signon access to Grid resources, using LTER's existing LDAP directory.

In another instance, Baker replaced username/password authentication with credential-based authentication, and in the process switched from HTTP to HTTPG (a form of HTTPS which uses grid security credentials to establish a SSL connection). This involved focusing on Metacat (or "Metadata Catalog"), a data search tool used within LTER which uses the LDAP directory for both authentication and authorization. Metacat's LDAP-based username and password were replaced with a grid security credential. On Metacat's server side, a mapping facility between credential Distinguished Names (DN's) and LDAP identities was added so that existing security policies could remain in effect.

Another goal of the pilot project, implemented by NCSA's Terry Fleury, was to expose Metacat's search functionality as GT4 Web Services.


2004 GRIDS Center. All Rights Reserved.
Site Map | Contact