Setting the context: the importance of middleware for research and higher education

eResearch and Collaborative Research Infrastructure initiatives
Mike Sargent, NCRIS and e-Research Coordinating Committee

Over the past decade, the Australian Government has invested systematically in research infrastructure to underpin Australian research. The key role that middleware has and will play in enabling researchers to use this infrastructure effectively has been recognised through investments through ARIIC and by initiatives to establish strategic frameworks through the eResearch Coordinating Committee, and the National Collaborative Research Infrastructure Strategy. This presentation outlines the scope of those initiatives and the framework of middleware development that is evolving. Challenges to provide the expert resources and to establish an integrated framework of research and implementation are discussed.

Platforms for Collaboration
Rhys Francis, NCRIS

Collaboration has been widely identified as a key requirement for success in the 21st century, for a wide range of reasons. One notable reason is that when dealing with increasingly complex issues such as climate and health, a fusion of ideas and an interaction in developments across many disciplines and many different organisations is needed. A second notable reason is that in the increasingly technological world, innovation rates are recognised as a key to economic competitiveness, and future innovation is seen to lie as much between as within traditional disciplines and organisations.

The National Collaborative Research Infrastructure Strategy has recognised this issue not only by identifying Platforms for Collaboration as a separate capability but also by focussing attention on access and inter-operation within and across all research infrastructure capabilities.

The NCRIS Strategic Roadmap provides the following areas of focus for Platforms for Collaboration:
• Data storage management, access, discovery and curation to improve interaction and collaboration;
• Grid enabled technologies and infrastructure to enable seamless access to the facilities and services required in various research fields;
• Support skills to assist researchers in developing and using this infrastructure effectively;
• High performance computing to allow analysis, modelling and simulation; and
• High quality network access through high capacity bandwidth to permit interaction with diverse data and computing resources.

However, agreement on such things as our path forward in authentication and authorisation; and who is really responsible for what within data curation, retention and access; and what end-user and middleware capabilities might motivate collaborative working; have all emerged as uncertainties in the landscape and therefore risks for infrastructure investment.

This talk will provide an update on progress within the NCRIS planning related to Platforms for Collaboration, identify some of these key issues emerging and relate them back to consultative activities which will take place over the next few months.

Middleware Action Plan and Strategy Project
Nick Tate, University of Queensland

MAPS is a project funded by the Department of Education, Science and Training (DEST) as part of “Backing Australia’s Ability – Building Our Future Through Science and Innovation”. The project is a collaborative effort with UQ as the lead university and Macquarie University, ANU, Monash, CAUDIT, CAUL, AARNet, and GrangeNet as partners. The main aim of the project is to develop a strategic roadmap for middleware services, which will identify the services that need to be offered and describe how they ought to be offered, in order to provide ongoing, effective support for research and higher education in Australia. The presentation will describe the project approach and timeline, and will highlight some of the key questions faced in developing a middleware services strategy for Australia.

Federations and MAMS
James Dalziel, Macquarie University

The DEST-funded MAMS project is implementing a Shibboleth-based trust federation for use in Australian higher education and research. Since December 2005, a functioning testbed federation has been in operation, including over 500,000 identities from 20+ organisations, as well as a range of different services. This presentation will: provide an overview of Shibboleth (and related components); discuss the current implementation work of MAMS in Australia (and its relationship to similar international projects); and explore policy, governance, legal and technical issues to be finalized for a national production federation. The presentation will also discuss interactions between Shibboleth and PKI (and the prospects for a unified approach), and the role of Shibboleth in NCRIS, RQF, institutional repositories and eResearch middleware.

e-Security Framework and PKI
Nick Tate, University of Queensland

The DEST-funded e-Security Framework project builds upon existing PKI and MAMS projects to develop models and pilot implementations of a common trust federation which would support a common approach to authentication and authorisation across the sector. This includes the development of a unified model for federation and trust which aligns PKI and Shibboleth approaches. This unified model, once complete, could form the basis for a future production federation service across the higher education and research sector.

The APAC National Grid
John O'Callaghan, APAC
(Presentation delivered by Rhys Francis)

The APAC National Grid is being installed to allow researchers easy access to distributed computation and data management facilities at the APAC National Facility and the partner facilities and to services that support research collaboration, nationally and internationally.

The National Grid is being developed in collaboration with specific research teams in astronomy, high-energy physics, bioinformatics, geosciences, chemistry and earth systems science.

The core grid middleware is based on the Globus Toolkit, complemented with tools for virtual organisation management, resource discovery, job scheduling and job monitoring. This middleware is enabling researchers to access the APAC and partner facilities from their desktop and facilities in other organisations (eg, data sources, data respositories).

The presentation will focus on the design of the National Grid and its services for distributed computing and data management. It will provide examples of the use of these services by the applications.

JISC/DEST e-Framework
Neil McLean, IMS Global Learning Consortium

The e-Framework for Education and Research (the e-Framework) is an initiative by the UK’s Joint Information Systems Committee (JISC) and Australia’s Department of Education, Science and Training (DEST). The primary goal of the e-Framework is to facilitate technical interoperability within and across education and research through improved strategic planning and implementation processes. This brief paper begins by outlining the rationale for establishing the e-Framework and by describing the main processes for developing and documenting the service components of relevance to particular communities. There will be some explanation of the efforts to involve other countries as well as industry partners in developing the e-Framework. The means of engagement with Australian initiatives will be examined in some detail and the paper will conclude with an assessment of the prospects for the e-Framework as an international collaborative venture.

Current events in the US in middleware
Ken Klingenstein, Internet2 Middleware Initiative

Despite some turmoil at other levels of the protocol stack, middleware activities in the US continue. Shibboleth is moving forward and the effort is evolving into an international, coordinated development model. Federating activities lurch onward both with InCommon and in peering with the US Government federation. The Grouper and Signet tools are beginning to help define approaches to privilege management. Virtual organization support, in both collaboration tools and domain-specific software, is highly active. Some new areas are identified for work if funding can be found. This session will cover life in the empire of the last century.
 

UK middleware overview
Brian Gilmore, University of Edinburgh

The UK Academic Community is active in the areas of Authentication, Authorisation, Directory Services and Identifiers. For a number of years the UK has been running a successful national service, called ATHENS, to give consistent and location independent access to electronic journals and other bibliographic services. A decision was taken in 2004 to move over to a Federated Access Management System to enable the existing services and new collaborations and services that could not be supported by the current system. A number of significant development and infrastructure projects have been underway with a formal decision to switch over taken in March 2006 with the intention of a full service being introduced by July 2008. This talk will outline these activities in the UK.

New Zealand Education Sector ICT Connectivity: An Overview
Murray Leach, NZ Ministry of Education

New Zealand’s education sector agencies have been working closely together over the past three years to establish a collaborative and coordinated approach to ICT development. This includes establishing an Information and Communication Technologies (ICT) Strategic Framework to guide ICT investment while supporting the National Digital Strategy and the education priorities of the New Zealand government. A key component of the Strategic Framework is Connectivity - providing access to a robust national open standards-driven ICT infrastructure for education.

The connectivity targets we are endeavouring to achieve for New Zealand are that:
• Every education organisation has access to a reliable high-speed internet connection and the ability share ideas and resources electronically;
• Communities of interest are able to easily locate, access and share relevant content hosted in disparate national and international repositories;
• All education organisations will be able to utilise information and knowledge held across the sector; and
• All learners can acquire and update their abilities, interests, knowledge and qualifications from pre-school years to post-retirement.

Significant milestones have been achieved - from cooperative agreements with key international partners such as Joint Information Systems Committee (JISC), U.K, Department of Education, Science and Training (DEST), Australia and IMS Global, to the development of a New Zealand architecture framework to delivery connectivity through the provision of infrastructures and services for the education sector. This conference provides an opportunity to share with you these developments underway in New Zealand’s education sector.

Shaping the European Middleware Landscape
Diego Lopez (by video), RedIRIS, The Spanish NREN

The talk will introduce the current coordinated efforts of the European NRENs
in middleware, structured around the following activities:
• Simplifying PKI usage and applicability, through both technical and management approaches intended to lower the hurdles in PKI adoption and interoperability.
• Allowing for AAI interoperability, introducing the confederation concept, already demonstrated by eduroam, and being further developed by eduGAIN. Going beyond, the new DAMe proposal aims for a seamless user experience in network and application access.
• Schema harmonization, with the deployment and refinement of SCHAC, grown on top of eduPerson and defined to enable pan-European student and staff mobility through the Bologna Process.
• Better coordination, through direct collaboration with the Grid community, continuous evangelism around campuses, and the (hopefully) next establishment of a steering group appointed to act as a European MACE.

Laws of identity
Kim Cameron, Microsoft

More information is available from Kim's blog: www.identityblog.com.

Panel discussion
Alex Reid (moderator), AARNet

Ken Klingenstein, Brian Gilmore, Bob Morgan, Scott Rea, Mike Sargent, Nick Tate, James Dalziel, Rhys Francis, John O'Callaghan, Jane Hunter, and Neil McLean will participate in the discussion.

Understanding the landscape: Reference modelsKen Klingenstein, Internet2 Middleware Initiative

We seem to be in the golden age of middleware. At fundamental levels of infrastructure, identity management for enterprises, and federations of enterprises are evolving rapidly. Beyond identity management, new components of middleware are being identified as activities currently embedded within applications are pushed down into infrastructure as standard enterprise services. Above the core middleware, Grids and other collaborative tools are adapting to the new infrastructure. And, in neighboring provinces, activities in user centric management, network access control, and other areas are moving briskly. This session will survey these activities and build the context for the rest of camp.

US higher education PKI landscape
Scott Rea, Higher Education Bridge Certification Authority

There are a number of heterogeneous campus based PKIs that have been in operation in the US Higher Education space for some time, created primarily for enterprise-centric activities. A natural outflow of these infrastructures is to leverage them for identification and authentication activities of the burgeoning inter-campus and inter-federation transaction space. The Higher Education Bridge Certificate Authority (HEBCA) is a project aimed at bringing homogeneous inter-federation to this heterogeneous network. Other projects like the US Higher Education Root (USHER) are aimed at providing a homogeneous network from the ground up for campuses that are able to subscribe to the proscribed policies and to kick-start adoption of PKI on campuses that are seeking to utilize this technology.

This session will take a look at the progress of the HEBCA and USHER initiatives with the US Higher Education community. It will present the challenges and opportunities these initiatives provide and some of the actions taken to address pertinent issues. With over 3500 institutions of Higher Education within the US, representing over 25 million potential human subscribers, and at least an equal or greater number of device entities, this community could develop into one of the largest PKI federations in the world. There are already designs in place and indeed progress towards linking the US Higher Education community with similar federations in Australia, Brazil, and Japan. This session will also look at the relationship developing between the higher education communities and the activities of the International Grid Trust Federation credentialing body - the Grid Policy Management Authority (Grid PMA), and its three member constituency: the Euro Grid PMA, the Asia-Pacific Grid PMA and the Americas Grid PMA.

Infocard and the identity metasystem
Kim Cameron, Microsoft

More information, including the demos and source code Kim showed during his presentation, is available from his blog: www.identityblog.com.

PKI implementation issues and case studies
Viviani Paz, AusCERT
Rodney McDuff, University of Queensland
James Lever, University of Queensland
John Zornig, University of Queensland

The Australian Higher Education and Research sectors Certification Authority Federation project is part of a larger effort from Australian Higher Education Sector with support from AusCERT, CAUDIT, the University of Queensland, the Department of Education, Science and Training, MAMS, APAC, Aarnet and other universities to develop an environment in which Universities can collaborate and interoperate with each other at low cost and low risk.

This project builds on previous CAUDIT PKI and MAMS projects to establish a production Public Key Infrastructure (PKI) for the University and Research Sector, based on the standards developed in the previous project, and to develop a pilot federation which leverages the PKI infrastructure in aligning the trust arrangements between institutions to support the implementation of Shibboleth across the sector. Computing grids are one of the most commonly deployed IT systems relying on PKI. This project will investigate the requirements and develop appropriate technologies to allow the use of Shibboleth in identity management within grids.

The ultimate goal is to enable the secure sharing of resources and research infrastructure across the domestic sector and with international partners.
This presentation will provide an update on the current and future work being done in this project and challenges faced.

The session will also include details on the Monash Univeristy PKI implementation.  Monash University has a well entrenched PKI service for staff that was implemented in 2002. This case study will give an overview of the service and discuss a number of practical issues such as the implementation process, end user training and acceptance, ongoing workload to maintain the service, and current issues.

Monash University PKI Case Study
Leon Troeth, Monash University

Monash University has a well entrenched PKI service for staff that was implemented in 2002. This case study will give an overview of the service and discuss a number of practical issues such as the implementation process, end user training and acceptance, ongoing workload to maintain the service, and current issues.

Grids, groups and gremlins
Markus Buchhorn, Australian National University

An extremely brief overview of the grid world, where it's been, at and going to be. This is about accessing all kinds of resources, from computers to data to people. This requires a fairly rich set of tools, and some underlying help from an AAI/"real" middleware world. I'll also wander into the interesting world of group/project membership, which is causing as much grief as simple identity management, for consumers as well as providers.

The first part of this talk will discuss trends in Higher Ed institutional identity management (from a US perspective), and how web signon and federation, as implemented in the Shibboleth system and other packages, are affecting both identity management and applications. Some examples of recent deployments, including work with the US Federal Government, will illustrate significant issues. The last part of the talk will present emerging new work on "Internet identity" (sometimes called "user-centric identity" or "Identity 2.0") and consider its implications on institutional identity in the coming years.

The UK Academic Community has committed to a transition from an existing UK wide authentication service to a Federated Access Management System of which Shibboleth plays a major role. Significant resources have been put into making this change, targeted for a full service in July 2008. The resources have been placed in a Technology Development Programme, an Infrastructure Programme and an Implementation Programme. A highly successful federation has been set up for the pilot projects and early adopters and this federation will be used as the building block for the main UK academic federation which will encompass Higher Education, Further Education and the school sector. The talk will summarise the process as an example of how the technologies can be used to produce a large scale cooperative environment.

Shibboleth in the Land of Oz: leveraging cross-institutional SSO for collaboration and eResearch
Erik Vullings, Macquarie University
Neil Witheridge, Macquarie University

The tutorial will give an overview of the MAMS (Meta Access Management System) project, a $4.2m project funded by the Australian Department of Education, Science and Training in its "Backing Australia's Ability" program. MAMS is developing solutions based on Shibboleth® for HE federated, cross-institutional single sign-on using the Security Assertion Markup Language (SAML). Together with AARNet, we recently launched the first Australian testbed Federation with ~500k users, and we are currently developing, together with 11 other Australian universities, service providers to add value to the federation. In addition, we have developed a Shibboleth Attribute Policy Editor that allows administrators and users to control the release of personal attributes to Service Providers in the Federation.

The focus of the tutorial will be on demonstrating the benefits from a user as well as from a service provider, and how these benefits can be easily realized as a service provider. The talk will further give an overview of the requirements and software needed to become an identity provider and service provider. Furthermore, the tutorial will discuss authorization using the eXtended Access Control Markup Language (XACML) for controlling access to Fedora, an open source repository. Finally, I will briefly discuss our work on Virtual Organizations, especially our Identity and Access Management suite of tools which offers a SSO environment for e-Researchers.

Flash versions of the demos shown during this presentation are available here:

• Autograph
• Fed Manager
• Grid Portlets
• IR Web
• Shib Wiki
• VO Bridge
  

Shib and PKI: A many splendored thing
Ken Klingenstein, Internet2 Middleware Initiative
Shibboleth and/or PKI
Scott Rea, Higher Education Bridge Certification Authority

Shibboleth and PKI have a rich set of highly complementary relationships. First, Shib is enterprise-to-enterprise PKI. PKI can provide a high level of assurance method of local authentication that can be enhanced with privacy and/or attributes by Shibboleth in interrealm uses. Shib can provide new ways to obtain PKI credentials for PKI-based applications. Trust models developed for PKI are the basis for inter-federation peering. This session will examine these relationships as well as identify use cases where one technology is more appropriate than the other.

eduroam: wireless networking when and where you need it
Chris Myers, GrangeNet

eduroam allows roving staff and students to log-in, with their usual “user name/password”, to wireless networks at partici¬pating campuses around Australia and the world and gain access to resources at their home institution.

The presentation will cover:
• Regional updates on the service from Australia, Europe and the Asia-Pacific
• How do we move the service forward?
• What would make the service better?
• Work still needed to be done on the service.
• Localization of the service
• 802.1x requirements.
• Radius configuration.
• Client configuration.
• Where can I log in?