> > The Gateway System: Secure Access to Remote HPC Resources
> >
> > Marlon Pierce and Tomasz Haupt
> > Northeast Parallel Architectures Center, Syracuse University
> >
> > Ken Flurchick
> > Ohio Supercomputing Center
> >
> > In this case study, we describe the Gateway System, a joint effort of
> > the Northeast Parallel Architectures Center, Ohio Supercomputing Center,
> > and Aeronautical Systems Center. The design goals of Gateway are to
> > provide secure, transparent, cross-platform access to remote high
> > performance computing (HPC) resources for Department of Defense
> > researchers.
> >
> > Gateway is implemented using a three-tiered architecture and makes use
> > of industry standards (CORBA, XML) and commodity products (Java,
> > Netscape Navigator) as much as possible. On the client side, a user
> > interacts through his or her web browser with a Problem Solving
> > Environment (PSE) that is discipline specific. The PSE is an expert
> > system that assists users in defining their problems, identifying
> > available resources, submitting jobs, and analyzing results. These
> > services are supported by WebFlow, a distributed object-based system
> > modeled after Enterprise Java Beans that employs CORBA for
> > communication rather than RMI. Decisions made in the PSE are mapped
> > onto nested WebFlow container objects. The middle tier consists of a
> > mesh of WebFlow servers. A single master server spawns off (possibly
> > remote) slave servers for each client of the system. Each slave runs
> > with its user's ID. WebFlow provides modules (such as wrappers for
> > legacy codes) and services (such as job submission and monitoring
> > tools) for use of the researcher. All access to back end resources
> > (HPCs, mass storage) is controlled by server-side WebFlow objects. An
> > important feature is that since the slave server runs with the
> > client's ID, all services on the middle and back tiers run as the
> > user.
> >
> > Deployment of Gateway at ASC requires that the system comply with
> > existing security policies, such as the use of one-time passwords and
> > Kerberos for authentication and authorization. In order for us to grant
> > seamless access to HPC resources, our three-tiered architecture requires
> > a three-tiered security system. Client-server security is implemented
> > with kerberized CORBA security features, provided by our vendor,
> > Adiron LLC. Mutual authentication is required between these tiers: the
> > user's slave server runs under his ID, so we must guard against both
> > client and server spoofing. CORBA security mechanisms also provide
> > authentication and authorization between slave and master servers.
> > Access to the backend HPC resources is obtained through kerberized rsh
> > to a PBS job scheduler and rcp to mass storage systems. A user's
> > Kerberos ticket is forwarded through all three levels.
> >
> >-------------------------------------------------------------------
>Polar Humenn                  Adiron, LLC
>mailto:polar@adiron.com       2-212 CST
>Phone: 315-443-3171           Syracuse, NY 13244-4100
>Fax:   315-443-4745           http://www.adiron.com