Experiences of working on the GÉANT project representing MARnet: Testimonials www.geant.org Boro Jakimovski (NA1T4, NA3T3, JRA3T1) Vladislav Bidikov (SA1T4, NA1T4) Sonja Filiposka (JRA2T2 TL) GÉANT Info day, Skopje, Macedonia, 06.06.2018 Public


Experiences of working on the GÉANT project representing MARnet: Testimonials

www.geant.org

Boro Jakimovski (NA1T4, NA3T3, JRA3T1)

Vladislav Bidikov (SA1T4, NA1T4)

Sonja Filiposka (JRA2T2 TL)

GÉANT Info day, Skopje, Macedonia, 06.06.2018

Public


Boro Jakimovski

Part of the GÉANT projects since 2009

GN3

• SA - testing software developed under Multi-Domain Network Operations Services (AutoBAHN and cNIS)

GN3+

• SA - development and implementation of High Availability clustering of GÉANT services (CROWD)

• NA - Campus best practices

GN4-1

• JRA - Development of GÉANT trust broker measurements and statistics

• SA - establishment of AAIEDU.mk in Macedonia

GN4-2

• NA1 – IT support

• NA3 – international liaison

• JRA3 – Campus and Federation


Involvement in past projects and activities

• Involved in GÉANT for more than 9 years

• Early work was mainly in SA tasks (GÉANT 3, GÉANT 3 plus and GÉANT 4 phase 1):
  • testing software developed under Multi-Domain Network Operations Services (AutoBAHN and cNIS)
  • development and implementation of High Availability clustering of GÉANT services (CROWD)
  • establishment of AAIEDU.mk in Macedonia

• Contributed to work in NA tasks (GÉANT 3 plus):
  • Campus best practices: producing documents based on our experience with different topics such as cloud computing and AAI service integration with Office365

• Later involved in JRA tasks (GÉANT 4 phase 1):
  • Development of GÉANT trust broker measurements and statistics


GN4P2 Involvement

• Currently involved in NA and JRA activities

• NA activities:
  • NA1T4 – IT support (leading MARNet’s team for GÉANT Linux IT support)
  • NA3T3 – International liaison (involved in developing inter-project liaison between GÉANT and EGI)

• JRA activities:
  • JRA3T1 - Campus and Federation (subtask: Measurements and statistics)


NA activities

• Networking Activities (NAs) support the operation and management of all GN4-2 activities including project management, internal and external communications and promotion, international liaison, and business development.

• NA1T4: Information Systems
  • The task covers all aspects of ICT services – infrastructure, platforms, systems, software and tools – required for the project to work efficiently.
  • This includes, among other components, virtual machines, intranets/extranets, security, content management system, document management system, communication and collaboration tools, customer relationship management (CRM) system, reporting tools, meeting and events registration and facilitation, contacts database and calendars.

• UKIM NA1T4 activities
  • involved in maintaining the Nagios monitoring portal
  • developing new metrics and measurements for the services
  • involved in deployment of new Linux VMs and services
  • migration of Puppet configurations


NA activities

• NA3T3: e-Infrastructure Liaison
  • coordinates the support provided by GÉANT, the NRENs and global partners to e-infrastructures to develop alignment of service portfolios, co-ordination of engagement and joint initiatives.
  • this Task will also seek to develop and implement GÉANT's role in the emerging integrated e-infrastructure landscape and coordinate the different strands of integration and consolidation work

• UKIM NA3T3 activities
  • involved in liaising activities for GÉANT JRA (JRA1) activities concerning integration of Cloud services and Networking services with EGI Federated cloud
  • locating possible use cases for GÉANT service portfolio to be used by different EU projects and communities


JRA activities

• Joint Research Activities (JRAs) are targeted at critical analyses of future network and application technologies with a view to future deployment of emerging technologies across the network and services.

• JRA3T1: Campus and Federation
  • This Task delivers developments aimed at federations and campus identity providers, based on the existing federated identity and eduGAIN models and technologies.
  • It aims to make federated identity on a pan-European scale easier for federations and campus IdPs to adopt, more scalable to cope with significant growth of entities via eduGAIN, and more secure in complex operating environments.


JRA activities

• UKIM JRA3T1 involvement
  • Involved in Measurements and statistics subtask for specification of the F-TICKS format in order to measure the amount of authentication events within an Authentication and Authorization Infrastructure (AAI), in particular eduGAIN.
  • Developing architecture for collection and analysis of large measurements data
  • Visualization of measurements data
  • Definition of AAI deployment scenarios for Cloud-based IdP


JRA3T1 activities

[Figure: architecture diagram. Labels: GN Web client; Ansible master; HAProxy (load balancer) with a persistent volume holding certs and haproxy conf; Swarm cluster with Manager nodes, Worker nodes and a distributed store; IdP Swarm Services, each with a private overlay network, IdP, LDAP, Apache (phpldapadmin) and persistent volumes.]


Vladislav Bidikov

GN4-1

• Campus best practices

GN4-2

• NA1 – IT support

• SA1T4 – Trust and Identity Operations


• CPB-39: Cloud implementation using OpenNebula

• CPB-68: Profile and role-based firewall control for campus classrooms labs

• CPB-17: Integration of Office 365 with existing faculty SSO

• CPB-12: Access Control and Monitoring for Campus Computer Labs


Task 2: Trust and Identity Operations

• This Task will manage and operate Trust and Identity-related services in production as well as other such services from appropriate Activities that are transitioned into production.

• This Task will ensure that relevant procedures are well defined, taken up and followed for all processes involved. It will also ensure that all of the services are operated within their defined operations baseline and requested availability level; that the operational health and usage of the services are monitored; and that second-level support is provided.


Unlocking global research and education collaboration

• eduGAIN – service operations management and development and operations (DevOps) of eduGAIN infrastructure and its supporting services, including but not limited to eduGAIN Metadata Service (MDS) and technical portal with statistics and troubleshooting/verification tools. Also includes operational governance, i.e. coordination and consultation with the eduGAIN Steering Group (SG), who provide technical direction for the service and management of the processes for adding new members.

https://www.geant.org/Services/Trust_identity_and_security/Pages/eduGAIN.aspx


Seamless Wi-Fi access for research and education around the world

• eduroam – service operations management and DevOps of eduroam infrastructure and its supporting services, including but not limited to European top-level RADIUS servers (ETLRs) and the associated monitoring and supporting services suite (eduroam Configuration Assistant Tool (CAT)). Also includes operational governance, i.e. coordination and consultation with the European Confederation eduroam SG, who provide technical direction for the service in Europe, and engagement with the Global eduroam Governance Committee (GeGC).

https://www.geant.org/Services/Connectivity_and_network/Pages/eduroam.aspx


Helping NRENs to build identity federations and deliver AAI services

• Federation as a Service (FaaS) – service operations management and DevOps of FaaS service instances and infrastructure.

https://www.geant.org/Services/Trust_identity_and_security/Pages/FaaS.aspx


eduPKI

• eduPKI – service operations management, including Certification Authority (CA), which issues certificates for GÉANT services where they are not available on the market, and Policy Management Authority (PMA), which maintains existing eduPKI trust profiles, defines new eduPKI trust profiles and accredits interested CAs that want to comply with some existing eduPKI trust profiles.

https://www.geant.org/Services/Trust_identity_and_security/eduPKI/Pages/Home.aspx


Key objectives

• Define operations baseline for all services in production and ensure that all of the services are operated within them and their requested availability level.

• Ensure that the relevant procedures and processes are well defined, taken up and followed.

• Ensure that the timeline and tasks are well defined and coordinated between the various teams involved, such as DevOps, IT, networking, service desk support, security teams, etc., in order to ensure that the production process is carried out smoothly and in line with allocated resources.

• Maintain the services in production, including monitoring of service health, usage and appropriate KPIs.

• Liaise with other 5/SA2 Tasks for efficient preparation of production teams, reporting, software management and services optimisation


Core team – catalyst between Service Managers

• Monitoring Policy (done)

• Backup and archiving policy (draft done, GDPR?)

• Resource Inventory (planned)

• Central monitoring solution (POC & Beta)

• Central Backup and archiving solution (planned)

• Prepare the operational environment for new services (planned)

• Consolidated HSM requirements (drafting)


Central monitoring solution (POC & Beta)

• POC in progress, analysis of each service's specific requirements

• First test services have been selected

• Demo in ~Q3-2018


TCS - Trusted Certificate Service

TCS takes advantage of a bulk purchasing arrangement whereby participating national research and education networking organisations (NRENs) may issue close to unlimited numbers of certificates provided by a commercial CA at a significantly reduced price.

• The five main types of certificates available are:

• SSL certificates – for authenticating servers and establishing secure sessions with end clients.

• Grid certificates – for authenticating Grid hosts and services (IGTF compliant).

• Client certificates – for identifying individual users and securing email communications.

• Code signing certificates – for authenticating software distributed over the internet.

• Document signing certificates – for authenticating documents from Adobe PDF, Microsoft Office, OpenOffice, and LibreOffice.


Sonja Filiposka

Part of the GÉANT projects since 2013

GN3+

• JRA1-T2 – Network Architectures for Cloud Services

• JRA2-T2 – Network as a Service

GN4-1

• JRA1-T2 – Cloud aware networking architecture and design patterns

• NA3-T3 – GreenICT

GN4-2

• JRA2-T2 – Service Provider Architecture


GN4-2 JRA2 Network Services Development

• CCS – consolidated connection services

• SPA – service provider architecture

• GTS – GÉANT testbed service

• PMV – performance monitoring and verification

• NMaaS – network management as a service

• FoD – firewall on demand


Research and Innovation

• Cloud service delivery networks

• GÉANT’s Open Cloud eXchange (gOCX)
  • architecture solution to run data intensive real-time cloud applications on top of GÉANT to address the growing demand for cloud services within the R&E environment


Research and Innovation cont.

• Zero-touch provisioning
  • User-controlled automated orchestration and management


Research and Innovation cont.

• Service provider architecture

• Customer-centric OSS/BSS based on

• TMF standards

• Interoperability

• Microservices

• Pluggable components

• Business process engine

• System-wide orchestration

[Figure: service provider architecture diagram. Labels: Self-service portal; ESB; R&S; Inventory; Activation (T1); Monitoring (T4); Faults; Network; CRM; Ordering; Catalogue; Problems; TMF API; BPM.]


Publications

GN3+

• 1 whitepaper

• 2 demos – Supercomputing and TNC

• 2 posters

• 3 conference papers

GN4-1

• 2 demos – Supercomputing and TNC

• 1 poster

• 2 conference papers

GN4-2

• 2 demos – SIG-PMV and TNC

• 2 conference papers

• 1 pilot implementation


Challenges and Opportunities

Highly interactive environment

New friends and colleagues

Different perspectives and knowledge sharing

Training opportunities

• Management

• Software development

• Certification for standards (i.e. ITIL/TMF)

Dynamic teams

Cultural diversity


Thank you

www.geant.org

Any questions?

© GÉANT Association on behalf of the GN4 Phase 2 project (GN4-2). The research leading to these results has received funding from the European Union’s Horizon 2020 research and innovation programme under Grant Agreement No. 731122 (GN4-2).