Composition and Execution of Secure Workflows in WSRF-Grids, IEEE CCGrid 2008, Lyon

BPEL is the de-facto standard for business process modeling in today's enterprises and is a promising candidate for the integration of business and Grid applications. While BPEL works well for traditional web services, it has a number of drawbacks with respect to the more complex world of WSRF-based Grid computing, especially where security is concerned. In this paper, a solution that extends the BPEL security approach to encompass secure Grid application interactions is presented. The proposed approach is capable of handling both web service and Grid service resources and their corresponding security mechanisms. The BPEL language is extended by security-related settings. An implementation of a GSI-compliant BPEL engine that can also manage the lifetime of proxy certificates is presented.

Composition and Execution of Secure Workflows in WSRF-Grids
Tim Dörnemann, Matthew Smith, Bernd Freisleben
Department of Mathematics & Computer Science, University of Marburg, Germany
{doernemt, matthew, freisleb}@informatik.uni-marburg.de

Outline
- Motivation
- Solution Architecture
- Implementation
- Evaluation

Service Workflows in Grids
- Grid applications tend to be complex
- Service-oriented Grid applications consist of invocations of different services at various Grid sites, file transfers etc.: a service workflow
- Tools and techniques are needed to model and execute service workflows

Sample Application (Biz2Grid)
Distributed meshing in computer-aided engineering

Sample Application (InGrid)
Metal casting: numerical simulations replace the expensive and time-consuming construction of physical tools and prototypes (simulation of a motor piston)

Business Process Execution Language
- BPEL is the de-facto standard for workflow / business process modelling in the web service area
- Programming in the large: complex applications are built by composing existing components (web services)
- When BPEL is used, the composed process is exposed as a web service itself and integrates directly into service-oriented architectures (SOAs)
- Using BPEL for service-oriented Grid applications brings business standards into the Grid world and eases commercial adoption of Grid technology

BPEL and the Grid
- While BPEL works well with standard web services, there are some shortcomings when WSRF-based services are used
- No explicit support for stateful web services (resource keys, factory services)
- No support for the Grid Security Infrastructure (GSI)
- No explicit support for data handling

WS-Resource Framework (WSRF)
- Evolved from the Open Grid Services Infrastructure (OGSI)
- Introduces an extension to normal web services, the „WS-Resource“, which combines:
  - a stateless web service
  - a resource property document (capturing the state)
- Adopted for standardization by OASIS
- Usage example: a WS-Resource representing a „job“, which may exist for weeks

BPEL and WSRF Factory Pattern
Grid-specific BPEL extensions for the WSRF factory pattern (create a resource, invoke operations on it, destroy it):

    <gridCreateResourceInvoke resourceLink="rlnName" partnerLinkSet="plsName" />
    <gridInvoke resourceLink="rlnName" partnerLinkSet="plsName"
                operation="opName" inputVariable="inVar" outputVariable="outVar" />
    <gridDestroyResourceInvoke resourceLink="rlnName" partnerLinkSet="plsName" />

Details: T. Dörnemann, T. Friese, S. Herdt, E. Juhnke, B. Freisleben: Grid Workflow Modelling Using Grid-Specific BPEL Extensions. In: Proceedings of German e-Science Conference 2007, pp. 1-9, 2007

Security in Grid Workflows
- The Grid Security Infrastructure (GSI) defines security mechanisms for secure conversation and authentication between parties:
  - Transport Layer Security (TLS) / GSITransport
  - WS-Security / GSISecureMessage
  - WS-SecureConversation / GSISecureConversation

Sample Workflow
- Organisations A, B and C are involved
- Security mechanisms differ from task to task within a single workflow
- The solution must therefore support per-operation security settings
- Organisation C offers pure web services
- Support for all three GSI security methods plus pure web service invocations is needed

Security Settings in BPEL

    <gridInvoke resourceLink="rl1" partnerLinkSet="pls1" operation="qcutlimit"
                inputVariable="inVar" outputVariable="outVar">
      <security method="GSISecureConversation" level="integrity" delegation="full" />
    </gridInvoke>

Note: the security settings are attached to each operation individually (per-operation security settings)
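The per-operation settings above are only useful if the engine rejects incomplete or unsupported ones before a process instance starts. The following linter, added here as an illustration (it is not code from ViGO or the extended ActiveBPEL engine), walks a Grid-extended BPEL process, covering both the factory-pattern elements from the earlier slide and the `<security>` element from this one, and reports the effective settings of every grid invoke. Element and attribute names are taken from the slides; the namespace URIs, the sample process, and the value sets `privacy`, `none` and `limited` (the Globus protection level and delegation types) are assumptions.

```python
"""Lint the per-operation <security> settings of a Grid-extended BPEL process.

Added example for the slides above, not code from ViGO or the extended
ActiveBPEL engine.  Element and attribute names are taken from the slides; the
namespace URIs, the sample process and the extra values 'privacy', 'none' and
'limited' (Globus GSI protection levels / delegation types) are assumptions."""
import xml.etree.ElementTree as ET

# Settings the engine on the slides has to support: the three GSI methods,
# signing (integrity) or encryption (privacy), and a delegation type.
GSI_METHODS = {"GSITransport", "GSISecureMessage", "GSISecureConversation"}
LEVELS = {"integrity", "privacy"}
DELEGATION = {"none", "limited", "full"}
INVOKES = {"gridCreateResourceInvoke", "gridInvoke", "gridDestroyResourceInvoke"}

# Constructed sample: one resource at organisation A used via the factory
# pattern, a plain web service at organisation C, and one mistyped setting.
SAMPLE_PROCESS = """<process name="castingWorkflow"
    xmlns="http://schemas.xmlsoap.org/ws/2003/03/business-process/"
    xmlns:grid="urn:example:grid-bpel-extensions">
  <sequence>
    <grid:gridCreateResourceInvoke resourceLink="rl1" partnerLinkSet="pls1">
      <grid:security method="GSITransport" level="privacy" delegation="limited"/>
    </grid:gridCreateResourceInvoke>
    <grid:gridInvoke resourceLink="rl1" partnerLinkSet="pls1" operation="qcutlimit"
                     inputVariable="inVar" outputVariable="outVar">
      <grid:security method="GSISecureConversation" level="integrity" delegation="full"/>
    </grid:gridInvoke>
    <grid:gridInvoke resourceLink="rl2" partnerLinkSet="pls2" operation="mesh"
                     inputVariable="meshIn" outputVariable="meshOut"/>
    <grid:gridInvoke resourceLink="rl1" partnerLinkSet="pls1" operation="simulate"
                     inputVariable="simIn" outputVariable="simOut">
      <grid:security method="WS-Security" level="encrypt" delegation="full"/>
    </grid:gridInvoke>
    <grid:gridDestroyResourceInvoke resourceLink="rl1" partnerLinkSet="pls1"/>
  </sequence>
</process>"""


def local_name(tag):
    """Strip the '{uri}' prefix ElementTree puts in front of namespaced tags."""
    return tag.rsplit("}", 1)[-1]


def lint_process(xml_text):
    """Return, in document order, one record per grid invoke: the effective
    security settings plus a list of findings (empty when the settings are
    complete and supported)."""
    records = []
    for elem in ET.fromstring(xml_text).iter():
        kind = local_name(elem.tag)
        if kind not in INVOKES:
            continue
        rec = {"element": kind,
               # create/destroy carry no operation attribute; name them by kind
               "operation": elem.get("operation", kind),
               "resourceLink": elem.get("resourceLink"),
               "method": "none", "level": None, "delegation": "none",
               "findings": []}
        security = [c for c in elem if local_name(c.tag) == "security"]
        if not security:
            # Without a <security> element the call goes out as an unprotected
            # web service invocation (what organisation C's services need, but
            # a mistake for a GSI-protected resource such as rl1).
            rec["findings"].append("no <security> element: plain web service invocation, no GSI")
        else:
            sec = security[0]
            rec["method"] = sec.get("method", "none")
            rec["level"] = sec.get("level")
            rec["delegation"] = sec.get("delegation", "none")
            if rec["method"] not in GSI_METHODS:
                rec["findings"].append(f"unsupported method {rec['method']!r}")
            if rec["level"] not in LEVELS:
                rec["findings"].append(f"unsupported level {rec['level']!r}")
            if rec["delegation"] not in DELEGATION:
                rec["findings"].append(f"unsupported delegation {rec['delegation']!r}")
        records.append(rec)
    return records


if __name__ == "__main__":
    for rec in lint_process(SAMPLE_PROCESS):
        status = "; ".join(rec["findings"]) or "ok"
        print(f"{rec['operation']:<26} {rec['method']:<22} "
              f"{rec['level'] or '-':<10} {rec['delegation']:<8} {status}")
```

Run against the constructed process, the `qcutlimit` invoke passes, the `mesh` invoke is reported as a plain web service call (intended for organisation C), the `simulate` invoke is rejected for its unknown method and level, and the `gridDestroyResourceInvoke` on `rl1` is flagged because a destroy on a GSI-protected resource without credentials would fail at runtime.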
Handling of Certificates
- X.509 certificates are used to authenticate users and for delegation, i.e. to perform actions on behalf of a user
  - Proxy certificates are short-lived certificates derived from a user's original certificate
- The BPEL engine must be able to use those proxy certificates and handle their lifetime
  - Our implementation uses MyProxy to store proxy certificates
  - It automatically renews proxy certificates during the runtime of a process

Integration of MyProxy
[Diagram: a SOAP client authenticates to the workflow engine over HTTPS with username and password (Username=doernemt, password=XXXXX); the engine requests a proxy from the MyProxy server over TLS ("Request Proxy"), invokes Secure Grid Service A, later renews the proxy via MyProxy over TLS ("Renew Proxy") and then invokes Secure Grid Service B.]

Advantages of MyProxy
- The certificate does not need to be kept locally on a user's machine(s), but only on a single secure server
- The maximum lifetime of a proxy can be set individually (for every instance of the process)
- Our BPEL engine monitors the lifetime of proxies and can renew proxy certificates on demand (if the workflow runtime exceeds the lifetime of the proxy)
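The renewal rule on these three slides (renew when the remaining proxy lifetime would not cover the work still to be done) is easy to get subtly wrong, so here it is as an added, self-contained simulation. This is illustrative code, not the paper's ActiveBPEL extension: the MyProxy server, the proxy certificate and the clock are simulated in-process (`FakeMyProxy`, `ProxyCert` and the `now` argument are stand-ins for a MyProxy get-delegation call over TLS, a real X.509 proxy certificate and wall-clock time), and the task names, durations and the 12 h cap are constructed. It also handles the failure mode the slides imply but do not spell out: a task that no proxy from this MyProxy could ever cover is refused before it starts rather than stranded half-way through.

```python
"""Proxy-certificate lifetime handling for a long-running workflow, modelled on
the MyProxy-backed approach of the slides above.

Added example, not the paper's ActiveBPEL extension.  MyProxy, the proxy
certificate and the clock are simulated in-process; task names, durations and
the 12 h cap are constructed values."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class ProxyCert:
    subject: str
    not_before: datetime
    not_after: datetime
    serial: int  # lets the trace show which proxy a task ran under


class FakeMyProxy:
    """Stand-in for a MyProxy server holding one user's credential."""

    def __init__(self, max_lifetime):
        self.max_lifetime = max_lifetime  # server-side cap on delegated proxies
        self.issued = 0

    def get_delegation(self, username, lifetime, now):
        # MyProxy never issues a proxy longer than the stored credential allows.
        lifetime = min(lifetime, self.max_lifetime)
        self.issued += 1
        return ProxyCert(f"/O=Grid/OU=uni-marburg/CN={username}/CN=proxy",
                         now, now + lifetime, self.issued)


class ProxyMonitor:
    """Per process instance: holds one proxy and renews it before it expires."""

    def __init__(self, myproxy, username, requested_lifetime,
                 margin=timedelta(minutes=5)):
        self.myproxy = myproxy
        self.username = username
        self.requested_lifetime = requested_lifetime  # set per process instance
        self.margin = margin  # slack for clock skew and the renewal call itself
        self.proxy = None
        self.renewals = 0

    def ensure_valid_for(self, task_duration, now):
        """Return a proxy that outlives the task, fetching a new one if needed.

        Refuses tasks that no proxy from this MyProxy could ever cover."""
        needed = task_duration + self.margin
        if needed > self.myproxy.max_lifetime:
            raise RuntimeError(f"task needs a proxy for {needed}, "
                               f"MyProxy caps proxies at {self.myproxy.max_lifetime}")
        if self.proxy is None or self.proxy.not_after - now < needed:
            if self.proxy is not None:
                self.renewals += 1
            self.proxy = self.myproxy.get_delegation(
                self.username, max(self.requested_lifetime, needed), now)
        return self.proxy


def run_workflow(tasks, myproxy, username, requested_lifetime, start):
    """Run (name, duration) tasks in sequence on a simulated clock.
    Returns ([(task name, proxy serial)], number of renewals)."""
    monitor = ProxyMonitor(myproxy, username, requested_lifetime)
    now, trace = start, []
    for name, duration in tasks:
        proxy = monitor.ensure_valid_for(duration, now)
        trace.append((name, proxy.serial))
        now += duration  # the task ran to completion
    return trace, monitor.renewals


def demo():
    """Constructed scenario: MyProxy caps proxies at 12 h, the process asks for
    12 h, and tasks of 3 h, 6 h and 5 h run back to back (14 h in total)."""
    start = datetime(2008, 5, 19, 9, 0, tzinfo=timezone.utc)
    myproxy = FakeMyProxy(max_lifetime=timedelta(hours=12))
    tasks = [("meshing", timedelta(hours=3)),
             ("casting-simulation", timedelta(hours=6)),
             ("post-processing", timedelta(hours=5))]
    return run_workflow(tasks, myproxy, "doernemt", timedelta(hours=12), start)


def demo_overlong():
    """A single 13 h task cannot be covered by a 12 h-capped proxy at all;
    returns the error the engine raises before starting it."""
    myproxy = FakeMyProxy(max_lifetime=timedelta(hours=12))
    try:
        run_workflow([("week-long-job", timedelta(hours=13))], myproxy,
                     "doernemt", timedelta(hours=12),
                     datetime(2008, 5, 19, 9, 0, tzinfo=timezone.utc))
    except RuntimeError as err:
        return str(err)
    return None


if __name__ == "__main__":
    print(demo())          # third task runs under the renewed proxy (serial 2)
    print(demo_overlong())
```

In the scenario the first two tasks finish 9 h into the 12 h proxy; the remaining 3 h would not cover the 5 h third task, so the engine renews once and the third task runs under the second proxy. The decision is taken before each invocation with that task's estimated duration, which is where a real engine would hook it into the grid invoke; note that the engine's own MyProxy credentials (the username/password on the diagram) then become the secret that has to be protected, since whoever holds them can obtain proxies for the user.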
Implementation
- Described in detail in the paper
- Software used:
  - ActiveBPEL version 2.0.0_28
  - MyProxy 4.2
  - Globus Toolkit 4.0.7
  - Eclipse 3.3 with GEF 3.3, ECF 1.0
- BPEL engine and visual editor available for download at: http://mage.uni-marburg.de

BPEL Engine – Security Extensions

Visual Grid Orchestrator (ViGO)
- Complies with the BPEL standards (plus Grid extensions)
- Supports collaborative design of workflows
- Available as an Eclipse 3.3 plug-in and as a standalone version

ViGO Wizards
Creation of new elements (here: invocation of a Grid service) using wizards

Defining Security Settings Graphically

Adaptive Detail View

Monitoring of Running Processes (detail view)

Performance Results
- Results for integrity (message signing)
- Results for privacy (message encryption)
- Comparison of integrity (signing of messages) and encryption (encryption of messages)

Conclusions
- WSRF-related extensions to BPEL
- Seamless integration of Grid security (GSI) into BPEL
- Visual designer with Grid-specific extensions
- BPEL engine and visual editor available for download at: http://mage.uni-marburg.de
- Future work:
  - Automatic configuration of security settings
  - Fault tolerance / runtime adaptability
  - Data handling

That's it... Thank you! Questions?

Grid Application Development Lifecycle
[Diagram: the user and the certificate tools feed the Grid Development Tools (GDT), which generate the Grid service and its Service.gar package and deploy it; the workflow editor creates the workflow, which the workflow engine executes, calling the deployed Grid service. The annotated SwABenchmark class from the next slide is shown as the GDT input.]

Grid Development Tools (GDT)
Model-driven development of Grid services (IBM Eclipse Innovation Award 2005; Globus Incubator Project 2006). A service is written as an annotated Java class, from which GDT generates the Service.gar package and deploys it:

    public class SwABenchmark {
        @GridAttribute
        private long rt = 0;

        @GridMethod
        public void testA(Ref a) {
            …
            rt = System.nanoTime() - st;
        }
    }

Extension to the ActiveBPEL Engine

BPEL W.M. Tool – High-Level Architecture