Introducing Grid Services at NERSC - PowerPoint PPT Presentation

1
Introducing Grid Services at NERSC
  • Iwona Sakrejda
  • ISakrejda_at_lbl.gov
  • NERSC User Services Group
  • January 23rd 2003

2
Introducing Grid Services at NERSC (for true
beginners and believers)
  • The Grids are coming ..
  • Grid vs. Globus: What's the difference?
  • Schedule (tentative) for introducing Globus-based
    services at NERSC.
  • Do I have to? (What's in it for a regular user?)
  • What do I need to access those services?
  • File transfers and job submissions.
  • We are not rolling out Grid services of
    production quality for all the users yet.
    Initially they will be available to those who
    are willing to try new stuff and put up with some
    hardship.

3
The Grids are (have been) Coming ..
http://www.globus.org/research/testbeds.html
  • Computing on a grid (power grid as a prototype)
  • SETI@home: http://setiathome.ssl.berkeley.edu/
  • CACTUS problem solving environment:
    http://www.cactuscode.org/
  • Storage Resource Broker:
    http://www.npaci.edu/DICE/SRB/
  • Grid test-beds for HENP experiments:
    http://www.griphyn.org/index.php

4
  • featuring
  • The Globus Toolkit: The Open Source Solution
    for Grid Computing
  • Hilton San Diego Resort, San Diego, California,
    USA, January 13 - 17, 2003
  • 450 participants participated this past week at
    GlobusWorld in San Diego - including
    representatives from diverse industry sectors,
    academic institutions and leaders in scientific
    research - traveling from over 25 countries
    worldwide...
  • Congratulations to the 25 selected GlobusWorld
    Posters - the participants gave high marks to the
    poster presentations and discussions!! -
    Abstracts from the posters will be posted under
    the Posters Section during the week of 27
    January.
  • If you are interested in submitting an abstract
    to present at next year's GlobusWorld, please
    send email to planners_at_globusworld.org with "GW -
    speaker proposal" in the subject line.

5
GlobusWorld Meeting Room in San Diego
6
Grids and the Globus Project
  • The Globus Project is developing fundamental
    technologies needed to build computational grids.
  • Development includes designs, standard
    definitions, APIs (programming interfaces) and
    implementation of basic building blocks.

7
Globus Project and Globus Toolkit
(http://www.globus.org)
  • Groups around the world are using the Globus
    Toolkit to build Grids and to develop Grid
    applications.
  • Globus Project research targets technical
    challenges that arise from these activities.
    Typical research areas include resource
    management, data management and access,
    application development environments, information
    services, and security.
  • Globus Project software development has resulted
    in the Globus Toolkit, a set of services and
    software libraries to support Grids and Grid
    applications. The Toolkit includes software for
    security, information infrastructure, resource
    management, data management, communication, fault
    detection, and portability.

8
Globus Toolkit (2.x)
Information services: MDS
Resource management: GRAM
Data management: GSIftp
GSI security protocol at the connection layer

9
Grid Security Infrastructure (GSI)
  • Globus Toolkit uses the Grid Security
    Infrastructure (GSI) for enabling secure
    authentication and communication over an open
    network.
  • Secure communication (authenticated and perhaps
    confidential) between elements of a computational
    Grid.
  • Support for security across organizational
    boundaries, thus prohibiting a centrally-managed
    security system.
  • Support for "single sign-on" for users of the
    Grid, including delegation of credentials for
    computations that involve multiple resources
    and/or sites.
  • GSI is based on public key encryption, X.509
    certificates, and the Secure Sockets Layer (SSL)
    communication protocol.
  • Extensions added to support single sign-on.

10
Public Key Cryptography (Also Known as Asymmetric
Cryptography)
  • Public and Private Keys
  • Keys are numbers that are mathematically related
    in such a way that if either key is used to
    encrypt a message, the other key must be used to
    decrypt it.
  • I keep one number (private key) and distribute
    the other one to anybody I safely need to
    communicate with (public key).
  • It is almost impossible (with our current
    knowledge of math and available computers) to
    obtain the second key from the first one and/or
    any messages encoded with the first key.
  • If you are able to decrypt my message with my
    public key, it came from a person that has access
    to my private key (me!).
  • Some people think that allowing regular users to
    keep their private keys is not the best idea from
    a security point of view ..

11
Digital Signatures
  • A digital "signature" assures a recipient that
    the information hasn't been tampered with since
    it left the originator's account.
  • Sender hashes the message (with a public hashing
    algorithm) and encrypts the hash with the private
    key.
  • Send them both (the message and the encrypted
    hash).
  • Recipient takes the encrypted hash and decrypts
    it with your public key.
  • Recipient takes the unencrypted message and
    hashes it (knows the algorithm).
  • Recipient compares both hashes; if they match,
    nobody tampered with the message.

12
Certificates
  • Every user and service on the Grid is identified
    via a certificate.
  • A GSI certificate includes four primary pieces of
    information:
  • A subject name, which identifies the person or
    object that the certificate represents.
  • The public key belonging to the subject.
  • The identity of a Certificate Authority (CA) that
    has signed the certificate to certify that the
    public key and the identity both belong to the
    subject.
  • The digital signature of the named CA.
  • The link between the CA and its certificate must
    be established via some non-cryptographic means,
    or else the system is not trustworthy.
  • GSI certificates are encoded in the X.509
    certificate format

13
Mutual Authentication
  • I send B my certificate (who I am, my public
    key, who signed my certificate (called a cert),
    all signed by the CA).
  • B has the CA's public key, so he can check that
    the cert is OK.
  • He sends me a phrase asking me to encrypt it with
    my private key.
  • I do it and send the encrypted phrase back.
  • He has my public key so he decrypts it. If it
    matches the original then I have my private key,
    so it's either really me or I am in deep trouble
    anyway.
  • Now the same goes the other way round ..
  • Since B is busy (especially if he owns some good
    resources, lots of people want to talk to him),
    he deploys a Gatekeeper to talk to clients.
  • Private key is very important, protected by a
    password or in a smart-card.

DOE CA Certificate
14
Delegation and Single Sign-on
  • The GSI provides a delegation capability: an
    extension of the standard SSL protocol which
    reduces the number of times the user must enter
    his pass phrase.
  • A proxy consists of:
  • a new certificate (with a new public key in it)
  • a new private key.
  • The new certificate:
  • Contains the owner's identity, modified slightly
    to indicate that it is a proxy.
  • Is signed by the owner, rather than a CA.
  • The certificate also includes a time notation
    after which the proxy should no longer be
    accepted by others.
  • B receives my original cert signed by the CA and
    the proxy cert. All the further exchanges are
    between B and my proxy and I can just do my work.
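
The checks B performs on the chain CA -> user certificate -> proxy certificate, followed by the challenge from the Mutual Authentication slide, as an added example that is not part of the presentation and is not Globus code. Assumptions: textbook RSA without padding on fixed Mersenne primes stands in for real X.509 signatures (illustration only), the "/CN=proxy" subject suffix is an assumed naming rule, and every name, key and timestamp is constructed.

```python
import hashlib, json
from dataclasses import dataclass, replace

E = 65537  # public exponent shared by every toy key

def make_key(a, b):
    """Toy RSA key from the Mersenne primes 2**a-1 and 2**b-1: returns (n, d)."""
    p, q = 2**a - 1, 2**b - 1
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def _h(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, n, d):      # "encrypt the hash with the private key"
    return pow(_h(data, n), d, n)

def verify(data, sig, n):  # "decrypt with the public key and compare"
    return pow(sig, E, n) == _h(data, n)

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    pubkey: int      # modulus n of the subject's key
    not_after: int   # epoch seconds after which the cert must be refused
    sig: int = 0

    def body(self):  # the signed part: everything except the signature
        return json.dumps([self.subject, self.issuer, self.pubkey, self.not_after]).encode()

def issue(subject, issuer, pubkey, not_after, key):
    cert = Cert(subject, issuer, pubkey, not_after)
    return replace(cert, sig=sign(cert.body(), *key))

def accept(user, proxy, nonce, response, ca_name, ca_n, now):
    """Gatekeeper-side checks. Returns the owner's subject or raises ValueError."""
    if user.issuer != ca_name or not verify(user.body(), user.sig, ca_n):
        raise ValueError("user certificate not signed by the trusted CA")
    if proxy.issuer != user.subject or not verify(proxy.body(), proxy.sig, user.pubkey):
        raise ValueError("proxy not signed by the owner")
    if proxy.subject != user.subject + "/CN=proxy":  # assumed naming rule
        raise ValueError("proxy subject does not extend the owner's identity")
    if now > min(user.not_after, proxy.not_after):
        raise ValueError("certificate or proxy expired")
    if not verify(nonce, response, proxy.pubkey):
        raise ValueError("challenge not answered with the proxy's private key")
    return user.subject

# Constructed sample data: names, times and keys are made up for the example.
NOW = 1_043_000_000
CA, USER = "/CN=Example CA", "/O=example.org/OU=People/CN=Alice Example"
ca_key, user_key, proxy_key = make_key(521, 607), make_key(89, 127), make_key(61, 107)
user_cert = issue(USER, CA, user_key[0], NOW + 365 * 86400, ca_key)
proxy_cert = issue(USER + "/CN=proxy", USER, proxy_key[0], NOW + 12 * 3600, user_key)

def run(proxy=proxy_cert, now=NOW, responder=proxy_key):
    """Play one authentication: the responder signs B's nonce, B runs accept()."""
    nonce = b"constructed-challenge-42"
    try:
        return accept(user_cert, proxy, nonce, sign(nonce, *responder), CA, ca_key[0], now)
    except ValueError as err:
        return "rejected: " + str(err)
```

The user's long-term private key is used once, to sign the proxy certificate; every later challenge is answered with the proxy key, which stops being accepted once the lifetime check fails.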

15
Service Overview
  • Globus resource management architecture is a
    system in which high-level global resource
    management services are layered on top of local
    resource allocation services. It has 3
    components:
  • extensible resource specification language
  • interface to local resource management tools
    (LSF, NQS, Condor) - (GRAM)
  • co-allocator
  • Globus Metacomputing Directory Service (MDS)
    provides the necessary tools to build an
    LDAP-based information infrastructure for
    computational grids.
  • GridFTP is a high-performance, secure, reliable
    data transfer protocol optimized for
    high-bandwidth wide-area networks. The GridFTP
    protocol is based on FTP, the highly-popular
    Internet file transfer protocol.
  • GSI security on control and data channels
  • Multiple data channels for parallel transfers
  • Partial file transfers
  • Third-party (direct server-to-server) transfers
  • Authenticated data channels
  • Reusable data channels
  • Command pipelining

16
Unified Science Environment (USE) (NERSC Effort
to Participate in the Grid(s))
  • The Unified Science Environment (USE) is the
    integration of computation, storage, theory and
    experimentation into a tightly knit environment
    adapted to the processes of modern science.
  • The core of the USE is being constructed using
    NERSC's unique supercomputing and large-scale
    data storage facilities and integrated into the
    DOE Science Grid with Grid middleware.
  • USE is a process of bringing together the
    resources required to create and sustain
    distributed application environments.

18
USE Implementation Plan
  • FY2002 (a lot was accomplished last year under
    the lead of Steve Chan)
  • Data Grid pre-production activities (HPSS)
  • Computational Grid test-bed (PDSF, Dev2,
    Alvarez, escher)
  • Track Development
  • FY2003
  • Data Grid production rollout (GSIftp servers on
    seaborg and HPSS)
  • Pre-production Compute Grid
  • Security infrastructure (user certification
    process)
  • Track Collaboration and workflow development
    (prototype services for users visualization
    group)
  • FY2004
  • Focus on Compute Grid production rollout
    (gatekeepers on production systems)
  • Pre-production Collaboration and Workflow (offer
    portals to few early users for data transfers and
    visualization needs)
  • FY2005
  • Collaboration and Workflow production rollout
  • FY2006: Full USE in place

19
Do I have to?
  • No, you don't: we take extreme care not to
    disrupt regular production services and not to
    interfere with your work!
  • We are looking for some volunteers who are
    willing to test new developments and put up with
    a certain amount of hardship. As a reward they'll
    be able to try new technology and profit from
    improved file transfer rates and the improved
    authentication and sign-on procedures.

20
What do Volunteer Users Need to Participate?
  • Globus Toolkit 2.2 client software installed on
    their workstation (not all the platforms are
    supported yet).
  • Certificates for yourself, your host and the CA
    that issued your certificate installed on your
    client host.
  • Tell us (NERSC) about your certificate (enter
    info about it into NIM).
  • Only then are you ready to use our services ..

21
Installing Globus 2.2 Client Software
  • Binary Globus Toolkit is available on the
    following platforms:
  • Linux 2.x-i686-gcc
  • Linux 2.x-ia64-gcc
  • Linux 2.x-powerpc-gcc
  • Linux 2.x-alpha-gcc
  • Solaris 8-sparc-cc
  • IRIX 6.5-mips-cc
  • Tru64 5.1-alpha-cc
  • HPUX11-ia64-cc
  • HPUX11-pa-risc-cc
  • For AIX contact IBM
  • It might be already installed on your system:
    ask your system administrator.
  • If you work on a multi-user system, ask your
    system administrator to install it.
  • Download the toolkit (client bundle only) from
    http://www.globus.org/gt2.2/download.html
  • Install the toolkit:
    http://www.globus.org/gt2.2/install.html
  • If your system is not on the list, source bundles
    are available too. They can be downloaded and
    built, but it's not trivial (there is an ongoing
    effort for Win 2k and XP and Mac OS X).

22
Acquiring and Installing Certificates
  • A personal certificate can be obtained from the
    DOE certification authority
    (http://www.doegrids.org/index.html).

The DOE Grids Certificate Services supports DOE
Scientists and Engineers working on the new
Computational Grids being deployed around the
world. This service issues Identity Certificates
to individual subscribers and Service
certificates for Grid services. This is an
evolving service that will keep pace with the
requirements of this expanding community. ESnet
is actively working with the Global Grid Forum,
the European Data Grid and Cross Grid CA managers
to ensure the service has the widest possible
acceptance.

23
Requesting and Installing Certificates
  • Detailed instructions for obtaining user, host
    and CA certificates are available on the Web:
    http://www.doegrids.org/pages/cert-request.htm
  • Fill out the certificate application
  • Personal information
  • Sponsor information (This information is used to
    identify what virtual organization you belong to.
    This CA supports several SciDAC projects and the
    sponsor information will be used to direct this
    request to the RA for your project, who will
    contact your sponsor to authenticate your
    request. The list of sponsors can be found at
    each site. If your name is not recognized by your
    project's RA, he will contact the sponsor. In the
    affiliation field you should list your home
    institution followed by your virtual
    organization, e.g. LBNL - DOESG, FNL - PPDG or
    MIT - Fusion Collaboratory)
  • Key quality
  • It is not necessary to apply from a host where
    you intend to use it.
  • Retrieve your certificate once you are notified.
  • Export it from your browser
  • Install it in a form that it can be used by the
    Globus software (openssl)
  • (all the instructions for retrieval, exporting
    and installation of certificates are also
    available on the page listed above)

24
Extracting Information about Your Certificate
  • Globus client installation needs to be in your
    path.
  • pdsflx008 56 grid-cert-info
  • Certificate:
  • Data:
  • Version: 3 (0x2)
  • Serial Number: 210 (0xd2)
  • Signature Algorithm: sha1WithRSAEncryption
  • Issuer: DC=net, DC=es, OU=Certificate
    Authorities, OU=DOE Science Grid, CN=pki1
  • Validity
  • Not Before: May 23 22:52:25 2002 GMT
  • Not After : May 23 22:52:25 2003 GMT
  • Subject: O=doesciencegrid.org, OU=People,
    CN=Iwona Sakrejda 302074
  • Subject Public Key Info:
  • Public Key Algorithm: rsaEncryption
  • RSA Public Key: (1024 bit)

25
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
Exponent: 65537 (0x10001)
X509v3 extensions:
Netscape Cert Type: SSL Client, SSL Server, S/MIME
X509v3 Key Usage: critical
Digital Signature, Non Repudiation, Key
Encipherment, Data Encipherment
X509v3 Authority Key Identifier:
keyid:54:17:88:CA:03:C1:39:26:B8:55:A6:C4:99:F4:2B:02:AB:BE:00:E9
X509v3 Subject Alternative Name:
email:isakrejda_at_lbl.gov
26
Signature Algorithm: sha1WithRSAEncryption
27
Certificate Processing at NERSC
  • Update your personal information in NIM with the
    subject/issuer data (exists)
  • Subject/issuer data is uploaded into an LDAP
    server (LDAP server exists, fingers for uploading
    in development, for now uploading done manually)
  • Scripts generate grid-mapfile updates based on
    LDAP info. Certificates are mapped onto existing
    accounts (exists).
  • System administrators update grid-mapfiles. Those
    files map user entries onto existing Unix
    accounts. All the processes are run for you under
    the user name that you were mapped to.

28
NIM User Info: http://nim.nersc.gov
30
Currently Available Grid Services at NERSC
  • Available gatekeepers: pdsfgrid1.nersc.gov,
    pdsfgrid2.nersc.gov, pdsfgrid3.nersc.gov,
    escher.nersc.gov (HPSS to come soon)
  • Example of a grid-mapfile:
  • pdsfgrid1 52 more /etc/grid-security/grid-mapfile
  • "/O=doesciencegrid.org/OU=People/CN=Alexander Sim 937593" asim
  • "/O=Grid/O=Globus/OU=usatlas.bnl.gov/CN=Dantong Yu" dtyu
  • "/O=Grid/O=Globus/OU=usatlas.bnl.gov/CN=Wensheng Deng" wdeng
  • "/O=doesciencegrid.org/OU=People/CN=Torre Wenaus 987973" wenaus
  • "/O=doesciencegrid.org/OU=People/CN=Douglas L Olson" olson
  • "/O=doesciencegrid.org/OU=People/CN=Jie Yang" yangj
  • "/C=US/O=National Computational Science Alliance/CN=Thomas Radke" tradke
  • "/C=US/O=National Computational Science Alliance/CN=Denis Pollney" pollney
  • "/C=US/O=National Computational Science Alliance/CN=Gabrielle Allen" allen
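
How a service could read a grid-mapfile in the one-entry-per-line format shown above and turn an authenticated certificate subject into a local account, as an added example that is not NERSC's or Globus's own code. Assumptions: `#` comment lines, the refusal to map to root and the first-entry-wins rule for duplicates are policy choices made for the example, and the entries are constructed.

```python
import re

# One entry per line, as on the slide: "subject DN" local_account
ENTRY = re.compile(r'^"(/[^"]+)"\s+([a-z_][a-z0-9_-]*)$')

def load_gridmap(text):
    """Parse grid-mapfile text. Returns (mapping, problems)."""
    mapping, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # blank or comment (assumed syntax)
            continue
        m = ENTRY.match(line)
        if m is None:
            problems.append((lineno, "malformed entry"))
            continue
        dn, account = m.groups()
        if account == "root":
            # Policy chosen for this example: a certificate never maps to root.
            problems.append((lineno, "refusing to map a certificate to root"))
        elif mapping.get(dn, account) != account:
            # Same subject listed twice with different accounts: keep the first.
            problems.append((lineno, "subject already mapped to " + mapping[dn]))
        else:
            mapping[dn] = account
    return mapping, problems

def local_account(mapping, subject):
    """Exact, case-sensitive match on the authenticated subject; None means deny."""
    return mapping.get(subject)

# Constructed entries in the format shown on the slide.
SAMPLE = '''\
# constructed sample grid-mapfile
"/O=doesciencegrid.org/OU=People/CN=Alice Example 100001" alice
"/O=Grid/O=Globus/OU=example.org/CN=Bob Example" bob
"/O=doesciencegrid.org/OU=People/CN=Alice Example 100001" mallory
/O=Grid/O=Globus/OU=example.org/CN=Carol Example carol
"/O=Grid/O=Globus/OU=example.org/CN=Eve Example" root
'''

GRIDMAP, PROBLEMS = load_gridmap(SAMPLE)
```

The subject passed to `local_account` must come from a certificate chain that has already been verified; the map only decides which account a proven identity runs as.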

31
File Transfers with Globus Software
  • Targeted host has to run a GSIftp server (end of
    January for HPSS, later this year for seaborg,
    PDSF is ready now)
  • Targeted host has to recognize the CA
    (Certification Authority) that issued your
    certificate (NERSC recognizes DOE Science Grid
    certificates).
  • Information about your certificate needs to be
    installed in the grid-mapfile of the targeted
    host.
  • and you are ready to go..

32
File Transfers..
  • Start your certificate proxy:
  • pdsflx008 58 grid-proxy-init
  • Your identity: /O=doesciencegrid.org/OU=People/CN=Iwona Sakrejda 302074
  • Enter GRID pass phrase for this identity:
  • Creating proxy ....................................... Done
  • Your proxy is valid until: Tue Jan 21 10:35:49 2003
  • And do the transfers:
  • pdsflx008 59 gsincftp gremlin.usatlas.bnl.gov
  • NcFTP 3.0.3 (April 15, 2001) by Mike Gleason
    (ncftp_at_ncftp.com).
  • Connecting to 130.199.48.30...
  • gremlin.usatlas.bnl.gov FTP server (GridFTP
    Server 1.0 GSI patch v0.5 wu-2.6.1(2) Mon Aug
    19 16:33:08 CDT 2002) ready.
  • Logging in...
  • User sakrejda logged in.
  • Logged in to gremlin.usatlas.bnl.gov.
  • ncftp /usatlas/u/sakrejda > put .cshrc

33
File Transfers
  • The remote file ".cshrc" already exists.
  • Local: 3887 bytes, dated Tue 18 Jun 2002
    01:54:37 PM PDT.
  • Remote: 5356 bytes, dated Wed 25 Jul 2001
    02:36:11 PM PDT.
  • Overwrite? Append to? Skip? New Name?
  • O!verwrite all? S!kip all? Cancel > n
  • Save as: bubu
  • .cshrc 3.80 kB 1.23 kB/s
  • ncftp /usatlas/u/sakrejda >
  • Interrupted.
  • You have not saved a bookmark for this site.
  • Would you like to save a bookmark to:
  • ftp://gremlin.usatlas.bnl.gov
  • Save? (yes/no) yes
  • Enter a name for this bookmark, or hit enter for
    "gremlin":
  • Bookmark "gremlin" saved.
  • pdsflx008 60 gsincftp gremlin
  • NcFTP 3.0.3 (April 15, 2001) by Mike Gleason
    (ncftp_at_ncftp.com).
  • Connecting to 130.199.48.30...


34
Running jobs
  • pdsflx008 61 globus-job-run
    gremlin.usatlas.bnl.gov /bin/ls
  • bubu
  • gram_job_mgr_12535.log
  • gram_job_mgr_29918.log
  • mbox
  • NewKerberos5Password.txt
  • rload.pl
  • pdsflx008 62 globus-job-submit
    pdsfgrid1.nersc.gov/jobmanager-lsf /bin/ls
  • https://pdsfgrid1.nersc.gov:54708/11571/1043134397/
  • pdsflx008 63 globus-job-status
    https://pdsfgrid1.nersc.gov:54708/11571/1043134397/
  • DONE

35
Visualization Portal under Development
36
Globus Toolkit 2.x vs 3.x
  • Good news: your certificates will remain valid.
  • Bad news: that's almost the only thing that will
    remain valid.
  • GSI ftp 2.x will work with the 3.0 Globus
    Toolkit.
  • Globus team declares support for 2.x through
    2003.
  • Transition from API (Application Programming
    Interface) to service definitions.
  • It is a major headache for the application
    developers; users will be far less affected.
  • NERSC will be responsive to users' needs as far
    as transitioning from 2.x to 3.x goes.

37
Summary
  • NERSC is actively pursuing implementation of Grid
    services.
  • A comprehensive design exists and it will be
    implemented without interrupting or interfering
    with the production efforts.
  • Service prototypes have been implemented and
    thoroughly tested by the staff.
  • We are about ready to deploy GSIftp on HPSS.
  • The certificate infrastructure has been designed,
    implemented and is being tested.
  • We are looking forward to working with a handful
    of volunteer users on improving and debugging the
    infrastructure.
