Introduction to UPKI project in JAPAN
DESCRIPTION
Introduction to UPKI project in JAPAN. Yasuo Okabe, Academic Center for Computing and Media Studies, Kyoto University. Statistics of Higher Education Institutions in Japan (by Ministry of Education and Science, 2005FY). Information Infrastructure Centers in the Seven Universities in JAPAN.
TRANSCRIPT
2007/9/4 TF-EMC2 Meeting Prague
Introduction to UPKI project in JAPAN
Yasuo Okabe, Academic Center for Computing and Media Studies
Kyoto University
Statistics of Higher Education Institutions in Japan

                 Institutions   Students    Faculty    Staff     People (total)
University            726      2,865,051   161,690   179,521    3,206,262
  national             87        627,850    60,937    56,470      745,257
  public               86        124,910    11,426    11,940      148,276
  private             553      2,112,291    89,327   111,111    2,312,729
Junior College        488        219,355    11,960     6,635      237,950
  national             10          1,643       244       140        2,027
  public               42         14,347     1,209       361       15,917
  private             436        203,365    10,507     6,134      220,006
Tech. College          63         59,160     4,469     2,903       66,532
  national             55         52,210     3,952     2,713       58,875
  public                5          4,594       363       154        5,111
  private               3          2,356       154        36        2,546
Total               1,277      3,143,566   178,119   189,059    3,510,744

Source: Ministry of Education and Science, 2005FY
Information Infrastructure Centers in the Seven Universities in JAPAN
• Hokkaido University: Information Initiative Center (Sapporo)
• Tohoku University: Information Synergy Center (Sendai)
• University of Tokyo: Information Technology Center (Tokyo)
• Nagoya University: Information Technology Center (Nagoya)
• Kyoto University: Academic Center for Computing and Media Studies (Kyoto)
• Osaka University: Cybermedia Center (Osaka)
• Kyushu University: Computing and Communications Center (Fukuoka)
• National Institute of Informatics (NII)
Brief history of federation among the Centers
1965-70
• 7 centers established as supercomputer centers for nation-wide service
1981
• Connected by commercial X.25 service
1986
• NACSIS (predecessor of NII) established
• N-1 Network project
• Dedicated interuniversity X.25 network service
• Federated Identity Management (~2004): Unified ID; Online subscription to secondary centers
1988
• JAIN (Japan Academic Inter-university Network) project started
1992
• SINET, the academic Internet backbone service, was started by NACSIS
1998-2003
• Reorganized as Information Infrastructure centers
• Merger of education centers for computer literacy
2000
• NII (National Institute of Informatics) established
2002
• Operation of SuperSINET was started
2003
• NAREGI (National Research Grid Initiative) project started
• Grid Computing Research Group
2005
• AuthN/AuthZ Research Group
• UPKI project planned
2006
• UPKI project officially launched
NII: Toward Cyber-Science Infrastructure
Next-generation Academic Information Infrastructure for Interuniversity Collaboration
• Fundamental Resources for Academic and Research Activities
• Education and Training / Encouraging Young Talent
• NAREGI (National Research Grid Initiative)
• NII-REO (Repository of Electronic Journals and Online Publications)
• GeNii (Global Environment for Networked Intellectual Information)
• UPKI: Authentication and Authorization Platform
• SINET/SuperSINET: National Academic Internet Backbone
• Cooperation with Industry
• International Collaboration
Sites on the map: Hokkaido University, Tohoku University, University of Tokyo, NII, Nagoya University, Kyoto University, Osaka University, Kyushu University
UPKI ― Inter-University Authentication and Authorization Platform for CSI
• Conducted by NII and the information infrastructure centers in 7 universities
• Supported by Ministry of Education, Science and Technology
Figure: Univ. A, Univ. B and Univ. C each run a Campus AAI; they are connected through UPKI under the UPKI common specification. Elements shown: Univ. A access point; Univ. B access point (wireless LAN roaming); professor of Univ. B; staff of Univ. B; electronic contents of Univ. C; administrative system of Univ. C.
UPKI ― Inter-University Authentication and Authorization Platform for CSI: Motivation
(for NII)
• As a "glue" between the SINET high-speed backbone and the supercomputing grid (by NAREGI) or the content services by NII
(for universities)
• Promoting installation of campus AuthN/AuthZ infrastructure
• Eliminating various costs by solidarity
• Federated identity management is unavoidable even in a (big) university
• Many political and cultural issues exist
UPKI: project member
NII SINET Headquarter, Authentication and Authorization Working Group
• Yasuo Okabe, Kyoto University (chair)
• Noboru Sonehara, NII (vice chair)
• Yoshiaki Takai, Hokkaido University
• Hideaki Sone, Tohoku University
• Hiroyuki Sato, University of Tokyo
• Yasushi Hirano, Nagoya University
• Ken-ichi Baba, Osaka University
• Takahiro Suzuki, Kyushu University
• Katsuyoshi Iida, Tokyo Institute of Technology
• Fukuko Yuasa, KEK (Institute of High Energy Physics)
UPKI: concept
Targets various applications
• SSO of Web services
• E-mail digital signature/encryption by S/MIME
• Network services: wireless LAN roaming and VPN
• Grid computing
Utilization of PKI
• "U" stands for University/Universal/Ubiquitous
• Deployment of Grid/PKI middleware for national academic AA infrastructure
UPKI three layer Architecture
• Grid PKI (Grid Computing): the NAREGI CA issues EE certificates to users of A Univ. and B Univ.; proxy certificates are used alongside the EE certificates on the grid
• Campus PKI: A Univ. CA and B Univ. CA issue EE certificates to students and faculty, servers and supercomputers; used for Auth, Sign, Encrypt
• Open Domain PKI: the NII Pub CA and other public CAs issue certificates for Web servers and S/MIME; used for Sign, Encrypt
Future plan: Shibboleth/SAML
Subprojects by NII
• 【 WP1 】 UPKI common CP/CPS
• 【 WP2 】 Public server certificate
• 【 WP3 】 Inter-University W-LAN roaming
• 【 WP4 】 SSO for Digital Library Service by NII and other universities via Shibboleth/SAML
• 【 WP5 】 Development of CA middleware
• 【 WP6 】 Deployment of S/MIME e-mail signature/encryption architecture
【 WP1 】 UPKI Common Specifications
• Campus PKI procurement guidelines
• Campus PKI CP/CPS templates
• Campus PKI model: two outsource models and one insource model (Outsource model, Insource model, Multi-university cooperative model)
• Developed and published for the outsource model: https://upki-portal.nii.ac.jp/upkispecific/specific (only available in JAPANESE!)
Roadmap (2006 to 2009-): Campus PKI Spec. and Campus CP/CPS templates; deployment of campus PKI at each university; connecting universities; federation of applications
Goals: to promote Campus PKI deployment; to reduce cost; to keep multi-university cooperativity
Operation Models of CA
• Insource: the university operates both RA and IA
• Full outsource: the provider operates both RA and IA for the university
• IA outsource: the university operates the RA and the provider operates the IA
Common to all models: CP/CPS
【 WP2 】 Public server certificate project
Challenges
• Optimization of RA operation for High-Ed
• Customization of local operation in each institution
• Automation of RA operation by using Campus PKI certs as a credential (in the future)
Expected outcomes
• Best practice of local operation optimized for High-Ed
• Tips for server certificate installation (for niche implementations)
• Tips for local operations improvement in institutions
• Stimulating demand for S/MIME (used by Local Operators)
Schemes for Registration and Issuance
Cert chain: Root CA (SC-Root1) of SECOM Trust Systems → Open Domain CA → Subscriber (Web Server)
Parties: Subscriber (Web Server) and Local Operator in the High-Ed Institution; RA operator and IA on the NII side; the Open Domain CA
Flow: CSR → Certificate → Installation on the Web Server; Bulk request / Bulk recipience; Registration & Issuance
Checks: Subscriber identity, Subscriber acceptance, Server ownership; Organization identity, Domain ownership, Local operator acceptance
The figure distinguishes offline and online steps.
【 WP4 】 Shibboleth Architecture
IdP components: AuthnAuthority, AttributeAuthority, SSO Service, Artifact Resolution Service, AttributeRepository, ARP (Attribute Release Policy)
SP components: Assertion Consumer Service, Access Controller, AAP (Attribute Acceptance Policy)
Flow: the User requests resources → Access control at the SP → AuthN at the IdP (SSO Service) → Artifact Resolution → Attribute Request / Attribute Exchange between the AttributeAuthority and the SP → AuthZ decision → Actual access to the Resource
* WAYF (Where Are You From) Services are omitted
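As an added example (not part of the slides and not the project's own software): Go code with the standard library that models the IdP and SP roles from the Shibboleth slide, with the ARP applied at the IdP before attributes are released and the AAP applied at the SP after the assertion's issuer, signature and audience have been checked. The entity IDs, the user "taro", the attribute names and the ed25519-over-JSON assertion format are assumptions standing in for SAML; WAYF and the artifact resolution step are omitted as on the slide.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Attributes is one user's attribute set as held in the IdP's AttributeRepository.
type Attributes map[string]string

// Assertion is a stripped-down SAML assertion: who issued it, for which SP, about whom, with which attributes.
type Assertion struct {
	Issuer     string     `json:"issuer"`
	Audience   string     `json:"audience"`
	Subject    string     `json:"subject"`
	Attributes Attributes `json:"attributes"`
}

// SignedAssertion is the serialized assertion plus the IdP's signature over it.
type SignedAssertion struct{ Payload, Sig []byte }

// filter keeps only the named attributes; it implements the ARP at the IdP and the AAP at the SP.
func filter(attrs Attributes, names []string) Attributes {
	out := Attributes{}
	for _, n := range names {
		if v, ok := attrs[n]; ok {
			out[n] = v
		}
	}
	return out
}

// IdP plays the AuthnAuthority and AttributeAuthority; arp is the Attribute Release Policy per SP.
type IdP struct {
	EntityID string
	key      ed25519.PrivateKey
	repo     map[string]Attributes // subject -> attributes (the AttributeRepository)
	arp      map[string][]string   // SP entityID -> attribute names that may be released
}

// Issue runs after the SSO Service has authenticated the subject (assumed done here):
// it releases only what the ARP allows for the requesting SP and signs the result.
func (i *IdP) Issue(subject, sp string) SignedAssertion {
	a := Assertion{Issuer: i.EntityID, Audience: sp, Subject: subject, Attributes: filter(i.repo[subject], i.arp[sp])}
	payload, _ := json.Marshal(a) // cannot fail for these plain types
	return SignedAssertion{Payload: payload, Sig: ed25519.Sign(i.key, payload)}
}

// SP plays the AssertionConsumerService and AccessController; aap is the Attribute Acceptance Policy per IdP.
type SP struct {
	EntityID string
	idpKeys  map[string]ed25519.PublicKey // trusted IdP entityID -> verification key
	aap      map[string][]string          // IdP entityID -> attribute names the SP will believe
	rule     func(Attributes) bool        // AuthZ rule protecting the resource
}

// Consume checks issuer, signature and audience, then filters the attributes through the AAP.
func (s *SP) Consume(sa SignedAssertion) (Attributes, error) {
	var a Assertion
	if err := json.Unmarshal(sa.Payload, &a); err != nil {
		return nil, err
	}
	pub, trusted := s.idpKeys[a.Issuer]
	switch {
	case !trusted:
		return nil, errors.New("untrusted IdP")
	case !ed25519.Verify(pub, sa.Payload, sa.Sig):
		return nil, errors.New("assertion signature does not verify")
	case a.Audience != s.EntityID:
		return nil, errors.New("assertion was issued for a different SP")
	}
	return filter(a.Attributes, s.aap[a.Issuer]), nil
}

// Authorize is the AuthZ decision; anything that fails Consume is denied.
func (s *SP) Authorize(sa SignedAssertion) bool {
	attrs, err := s.Consume(sa)
	return err == nil && s.rule(attrs)
}

// RunScenario wires one IdP and one SP with constructed data and reports: the library admits a
// faculty member; "mail" never left the IdP (ARP withheld it although the AAP would accept it);
// an assertion issued for another SP is refused; a tampered assertion is refused.
func RunScenario() (libraryOK, mailWithheld, wrongAudienceDenied, tamperDenied bool) {
	const idpID, libID, otherID = "https://idp.a-univ.example", "https://library.nii.example", "https://admin.c-univ.example"
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	idp := &IdP{EntityID: idpID, key: priv,
		repo: map[string]Attributes{"taro": {"eduPersonAffiliation": "faculty", "mail": "taro@a-univ.example"}},
		arp:  map[string][]string{libID: {"eduPersonAffiliation"}, otherID: {"eduPersonAffiliation"}}}
	library := &SP{EntityID: libID, idpKeys: map[string]ed25519.PublicKey{idpID: pub},
		aap:  map[string][]string{idpID: {"eduPersonAffiliation", "mail"}},
		rule: func(a Attributes) bool { return a["eduPersonAffiliation"] == "faculty" || a["eduPersonAffiliation"] == "student" }}
	forLib, forOther := idp.Issue("taro", libID), idp.Issue("taro", otherID)
	tampered := SignedAssertion{Payload: bytes.ReplaceAll(forLib.Payload, []byte("faculty"), []byte("staff")), Sig: forLib.Sig}
	return library.Authorize(forLib), !bytes.Contains(forLib.Payload, []byte(`"mail"`)), !library.Authorize(forOther), !library.Authorize(tampered)
}

func main() {
	fmt.Println(RunScenario())
}
```

The two policies pull in opposite directions on purpose: the ARP is the IdP's data-minimisation control (the library never learns the mail address even though it would accept it), while the AAP is the SP's defence against an IdP asserting attributes it has no business asserting. Signature and audience checks come before any attribute is looked at, which is why the tampered and misdirected assertions are refused without reaching the AuthZ rule.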
【 WP5 】 NII GOC CA operation
Swimlanes: Certificate Users, Host Administrators, RA Administrator, CA Operator; User site and NAREGI CA
① Preparation: Account Registration Request → Account Registration; Application for bulk license ID → Issuance of bulk license ID
② License ID request: License ID request → Receive request, Inspection
③ Issuance request / ④ Revoke request / ⑤ Reissuance request: Certificate request → Receive request, Issuance/Revoke certificate
⑥ Retrieve data for creating map file: Retrieve data for creating map file → Make data for creating map file
Campus-Grid PKI Federation
• Campus PKI side: the Campus CA issues a certificate to the User (held on an IC Card); LDAP
• Grid PKI side: the User requests a certificate from the NAREGI RA (using the IC Card as credential); the NAREGI CA issues the Certificate for the Grid System
• The User accesses the Grid System (Super Computers) with that certificate
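As an added example (not the project's own code and not the NAREGI CA software): Go code using only the standard crypto/x509 package that models the Campus PKI and Grid PKI layers of the three-layer architecture and the campus-to-grid enrolment in the figure above. The campus CA issues the user's certificate; a NaregiRA function (assumed name) accepts that certificate as the credential and has the NAREGI CA issue a separate grid certificate for a separate grid key. "A Univ", "Taro Suzuki" and the serial numbers are constructed values; the IC card, LDAP and proxy certificates are not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

type CA struct { // a certification authority: its certificate plus signing key (illustrative names only)
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// parse turns the (der, err) pair returned by x509.CreateCertificate into a parsed certificate.
func parse(der []byte, err error) *x509.Certificate {
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// NewRootCA creates a self-signed CA, standing in for a Campus CA or the NAREGI CA.
func NewRootCA(org string) *CA {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{org}, CommonName: org + " CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return &CA{Cert: parse(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)), Key: key}
}

// IssueEE issues an end-entity (EE) certificate for pub; IsCA stays false, so an EE cannot sign further certificates.
func (c *CA) IssueEE(subject pkix.Name, pub *ecdsa.PublicKey, serial int64) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               subject,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(12 * time.Hour),
		BasicConstraintsValid: true,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return parse(x509.CreateCertificate(rand.Reader, tmpl, c.Cert, pub, c.Key))
}

// ChainsTo reports whether cert validates with root as the only trust anchor.
func ChainsTo(cert, root *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// NaregiRA models the NAREGI RA: the Campus PKI certificate the user presents (the IC card credential in the
// slide) must chain to a campus CA on the RA's trust list; only then does the NAREGI CA issue a Grid certificate.
func NaregiRA(trustedCampus []*CA, naregi *CA, campusCert *x509.Certificate, gridPub *ecdsa.PublicKey) (*x509.Certificate, error) {
	for _, campus := range trustedCampus {
		if ChainsTo(campusCert, campus.Cert) {
			subj := pkix.Name{Organization: []string{"NAREGI"}, OrganizationalUnit: campusCert.Subject.Organization, CommonName: campusCert.Subject.CommonName}
			return naregi.IssueEE(subj, gridPub, 1000), nil
		}
	}
	return nil, errors.New("campus credential does not chain to a trusted campus CA")
}

// RunFederation reports: gridOK (grid cert validates against the NAREGI CA), crossRejected (neither
// certificate validates in the other PKI domain) and unknownRejected (the RA refuses an untrusted CA).
func RunFederation() (gridOK, crossRejected, unknownRejected bool) {
	aUniv, naregi := NewRootCA("A Univ"), NewRootCA("NAREGI")
	userKey, gridKey := newKey(), newKey()
	campusCert := aUniv.IssueEE(pkix.Name{Organization: []string{"A Univ"}, CommonName: "Taro Suzuki"}, &userKey.PublicKey, 42)
	gridCert, err := NaregiRA([]*CA{aUniv}, naregi, campusCert, &gridKey.PublicKey)
	if err != nil {
		panic(err)
	}
	rogueCert := NewRootCA("Untrusted").IssueEE(pkix.Name{Organization: []string{"Untrusted"}, CommonName: "Taro Suzuki"}, &userKey.PublicKey, 7)
	_, rogueErr := NaregiRA([]*CA{aUniv}, naregi, rogueCert, &gridKey.PublicKey)
	return ChainsTo(gridCert, naregi.Cert), !ChainsTo(gridCert, aUniv.Cert) && !ChainsTo(campusCert, naregi.Cert), rogueErr != nil
}

func main() {
	fmt.Println(RunFederation())
}
```

The point of the two trust pools is that federation happens at the RA, not in the certificate chains: a grid service trusts only the NAREGI CA, a campus service trusts only its own campus CA, and the campus certificate buys the user nothing on the grid except the right to enrol. The RA's trust list of campus CAs is therefore the control that decides which universities' users can obtain grid certificates at all.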
UPKI Initiative
• Founded on 16 Aug 2006
• Sponsored by NII AAI TWG
• Mission: gathering interests and opinions of not only universities but also industries
• https://upki-portal.nii.ac.jp/
Structure: the AAI TWG (Hokkaido U, Tohoku U, U. Tokyo, Nagoya U, Kyoto U, Osaka U, Kyushu U, KEK, Tokyo Tech, NII) develops the common specification under the NII CSI Headquarter; universities, technical colleges, junior colleges, research institutes etc. join the UPKI Initiative and contribute opinions and comments
Summary
• UPKI, the national academic authentication and authorization infrastructure project, has started.
• Conducted by NII and the information infrastructure centers in the 7 universities
• As a basic platform of Cyber Science Infrastructure
• We started later, so we have gained some advantages
• International federation/collaboration is a very important issue.
APAN Middleware Working Group
APAN (Asia-Pacific Advanced Networking)
• 20th APAN (Taipei, Aug. 2005): National Authentication and Authorization Infrastructure and NREN (proposed session)
• 21st APAN (Tokyo, Jan. 2006): Middleware Workshop (full day); Middleware Working Group is approved
• 22nd APAN (Singapore, July 2006): Grid Middleware Workshop
• 23rd APAN (Manila, Jan. 2007): Grid Middleware Workshop
• 24th APAN (Xian, Aug. 2007): Middleware Workshop
• 25th APAN (Hawaii, Jan. 2008): Middleware Workshop (proposed)