Grid Lock: USC Supercomputer is Testbed for New Authentication Middleware

November 4, 2002

USC's Linux Cluster Supercomputer is the testbed for a new Grid security feature, tested as part of a multimillion-dollar National Science Foundation-funded, USC-led effort to put Grid Technology resource-sharing tools into the hands of working scientists.

Carl Kesselman of the USC School of Engineering's Information Sciences Institute is principal investigator on the project, part of NSF's National Middleware Initiative.

Using new software called KX.509 developed at the University of Michigan at Ann Arbor, the NMI now offers on-line, real time access to the 320-node Linux cluster computer at USC's center for High Performance Computing and Communications (HPCC) over high speed Internet 2 standard connections.

Other participants in the project include the National Center for Supercomputing Applications (NCSA) at the University of Illinois at Urbana-Champaign, the University of Chicago, the University of California-San Diego and the University of Wisconsin-Madison.

The HPCC Linux cluster, already the largest of its kind in Southern California academia, is being expanded to 570 nodes, an upgrade that will make it one of the largest of its kind in the world. The HPCC is a joint venture of ISI and USC Information Services division.

According to John McGee, the NMI project administrator working with Kesselman on the project, use of the new software protocols written and rolled out as part of the NMI initiative now potentially "gives everyone with a USC computer account access to supercomputing power," in a secure environment, using the well-known Kerberos authentication system.

Named after the three-headed dog who guarded Hades in Greek mythology, Kerberos was originally developed at M.I.T. by a team that included B. Clifford Neuman, who is now at ISI. Among the first users of the new Grid environment will be geophysicists working with USC Professor of Earth Sciences Tom Jordan, who is also head of the Southern California Earthquake Center (SCEC).

Developed at the University of Michigan, KX.509 has been packaged with the GRIDS Center Software Suite in both NMI releases (NMI-R1 and -R2). Another NMI team, EDIT (Enterprise and Desktop Integration Technologies) also supports KX.509 separately from the GRIDS suite. It provides a bridge between Kerberos and the Public Key Infrastructure (PKI) associated with Grid security. GRIDS Center leaders like Kesselman believe KX.509 can play a crucial role in the adoption of Grids on campuses and in other organizations where Kerberos is used.

"This is a significant development," said Kesselman, who is director of ISI's Center for Grid Technologies. "We have successfully deployed KX.509 across the USC campus, which is a win for Grid users because it shows how their applications can be integrated with Kerberos infrastructure, and it's a win for Kerberos sites because it shows they can be hospitable to Grids."

Interoperability is key to Grids, whose architects are reluctant to dictate local choices for security, authorization and authentication. Grids are designed to give individual users and sites autonomy, while helping to ensure that local choices can be based on a technology's merit instead of its popularity elsewhere.

The certificate and private key generated by KX.509 are normally stored in the same cache alongside the Kerberos credentials. This enables systems that already have a mechanism for removing unused Kerberos credentials to also automatically remove the X.509 credentials. Netscape or Internet Explorer can then load a special library to access and use these credentials for secure web activity.

To use KX.509, the user should be on a system in an existing Kerberos realm and have a Kerberos login for that domain. In other words, Kerberos client software should already be installed, allowing KX.509 to generate a Grid certificate and private key based on the user's Kerberos credentials.

What is not required is the presence of X.509 certificates, the format used for Grid Security Infrastructure (GSI) by software such as the Globus Toolkit and Condor-G. KX.509 is able to generate a GSI certificate that, when used with either of those packages, can be fully recognized by any Grid server.

According to HPCC Director Jim Pepin, "We see USC's successful campuswide implementation of Kerberized certificates with NMI as a first step toward KX.509's broader use for Grid environments both at USC and across the academic community."

Pepin pointed out that USC was situated to capitalize quickly on KX.509 because researchers like Kesselman have long been involved in helping to shape campus policy, something other universities can emulate. (Kesselman is co-chair of the HPCC faculty advisory committee.)

"This is the plumbing, and now we need to build 'appliances' that use this capability across campus," he said. "We're a huge university with many pedagogical and research applications that could capitalize, including the Shoah Visual History Foundation's multimedia database of testimony from Holocaust survivors, the Digital Encyclopedia of Los Angeles — a collaboration with UCLA to digitize motion pictures and other artifacts — and the Southern California Earthquake Center, part of the Network for Earthquake Engineering and Simulation (NEES). Each of these projects and others are now much better positioned to deploy Grid tools thanks to our KX.509 deployment."

In non-Kerberos environments, to use Globus Toolkit utilities on a local or remote machine, the user must authenticate his or her identity to the machine with a Grid Security Infrastructure certificate, also called an X.509 certificate. These long-term certificates let the user create a short-term proxy certificate that expires after a period generally defined by the owner of the local or remote resource, after which a new proxy must be generated to renew access.

KX.509 can actually be used in place of permanent, long-term certificates. It does this by creating an certificate and private key in X.509 format based on the user's existing Kerberos ticket. These credentials are then used to generate the GSI proxy certificate in Kerberos environments just as in the non-Kerberos example above.