041713_GIMI_Figures GENI I&M Architecture: 4a) GIMI I&M Tools Config, Spiral 5

Figure: Experiment A101, Slice 029 on ExoGENI servers/VMs. The diagram did not survive extraction; its recoverable labels and notes follow.

Components shown:
Experimenter A's Experiment Mgmt Environment (on a Linux server/VM): console, browser, OMNI script, Flukes GUI, OMF EC (Experiment Controller), shell and ssh into the slice.
Slice nodes 1..n on the access and backbone network: Exper App, OMF RC (Resource Controller), OML Client with measurement points (MP), shell. Optional Node n+1 as a Measurement Collector (MC): OMF EC?, custom?, OML Client, iRODS interface.
GIMI Portal Srvc (based on IREEL), with a persistent partition per experimenter: OML Server, SQL DB, Presentation Srvc (real time and post-processing), GUI to manage the DB, iRODS interface via the icmd client (push/pull).
GENI Storage and Archive Service (based on iRODS, federated): persistent Exper A Partition (experiment directories and subdirectories, descriptors, rspecs, scripts, certs/credentials, SQL files), REST interface, Search GUI and iCAT to curate objects, Create/Manage BAG object, long-term Archive with DOI, XML Msg Srvc (XMPP, federated). Experimenter Z has its own partition.
ExoSM (the ExoGENI aggregate manager) reached through the AM API; Aggregate Manager / SM on the backbone.

Steps:
S1: Establish test/experiment environment.
S2: Obtain slice, install I&M tools.
S3A: Run/orchestrate experiment app.
S3B: Run/orchestrate I&M tools.
S4, S5 and S6: Observe and manage I&M results; store and manage experiment artifacts.

Notes on the figure:
The experimenter's slice is NOT persistent; data must be sent to the portal or to the user's storage service before the slice ends!
Experimenters may register their I&M services so that they can be discovered and used by Operators and (when permitted) by other Experimenters. Where is this done? GEMINI portal service?
Default assumption: Measurement Data (MD) traffic is light, and is carried on the Control Network.
Option if MD traffic is heavy (e.g., sensor traffic or port-monitoring traffic): carry it on the Data Network (on a VLAN). Then an OML Server with an OML interface is needed on the Data Network, and IPFIX or another protocol suited to high traffic flows may be used.
If authentication of a service (i.e., an OML Client service or iRODS interface service) is required as it connects to a server, how can it be done? Consider making a proxy cert from the user's cert that can be delegated.
Experimenters may transfer some of their objects to an archive service so that they remain available for a long period of time. The experimenter can set policy so that objects may be searched by and shared with researchers, etc.
Printed on 4/17/2013 at 3:09:32 PM, GENI Project Office at BBN Technologies

GENI I&M Architecture: 5) GIMI Portal Config

Figure: Experiment A101, Slice 029 on ExoGENI servers/VMs; the same diagram as 4a) (Experiment Mgmt Environment, slice nodes 1..n, GIMI Portal Srvc, GENI Storage and Archive Service, XML Msg Srvc over XMPP, federated), with the portal now not based on IREEL and working towards LabWiki, and with these port assignments: Portal Srvc on port 80; Presentation Srvc on port 8001; the per-experiment presentation process for Experiment 29 on port 8029. Each user has a persistent account in the portal (User A Account, User Z Account). The diagram did not survive extraction; the design notes on it follow.

1) OMF choice: stay with OMF 5.4, since OMF 6.0 will not arrive until 4/13, and then it will take time to become stable.
  a) How are RCs provided?
  b) How are XMPP topics set?
  c) Why, and when, should we consider OMF 6.0?
2) OML choice: use OML 2.9, since it includes new features and should be stable.
  a) What are the key features?
  b) Is there a way to show triggers/transitions in the data, perhaps inserted by the OMF script?
  c) Assume the user specifies the experiment with exp_29[UUID + HRN]; can OML 2.9 handle this long identifier?
3) Mgmt of I&M:
  a) How does the user set the data to be collected, and the rate?
  b) How does the user keep track of the data being collected? Some metadata file?
  c) How does the user orchestrate I&M? Using OMF.
  d) How does the user verify that collection is working?
  e) How does the user specify the experiment: exp_29[UUID + HRN]; what technology?
4) AuthN and AuthZ:
  a) User_a identity held in the Experiment Mgmt Environment (user workspace): x.509 cert_user_a signed by the CA, and privatekey_a; proxycert_user_a (includes cert_user_a) and privatekey_proxya.
  b) GENI slice credentials as necessary, obtained from the SA.
5) user_a account on the GIMI portal:
  a) established by admin
  b) login or access to the GUI by: username/password, cert_user_a, or proxycert_user_a
6) user_a account on iRODS:
  a) established by admin
  b) login or access by: username/password, cert_user_a, or proxycert_user_a
7) Mgmt of the postgres DB:
  a) Each user's data is identified by exp_29[UUID + HRN], which is unique because of the UUID.
  b) Each user can find and retrieve their data using the UUID.
  c) Do we need some protection to prevent another user from grabbing a user's data? Perhaps not? (Figure 7) OML Result Isolation below takes this up: an index in exper_id chosen to be hard to guess, with DB privileges granted only to a user equal to exper_id.)
  d) How can a user erase their data?
8) exp_29 process:
  a) established by the user
  b) includes the iRODS target: server, account, path
  c) includes proxycert_user_a for entry into iRODS
  d) complete, or incremental?
9) SQL file format:
  a) sqlite; fully supported by R, new_plot
  b) sql dump; ?
10) iRODS_process:
  a) pull from DB, push to the iRODS target
  b) triggered by OMF
  c) real time or post time?
  d) how is this created/configured? via OMF? from a template in the portal srvc?
  e) can data be manipulated by script? how to include the script?
11) web_present_process:
  a) create a present process, with a new port, bind to the portal
  b) pull from DB, push to the present process; or?
  c) triggered by the GUI and an OMF RC cron job
12) Present srvc:
  a) based on OMFweb
13) Portal srvc:
  a) web page individualized for each user
  b) template to format a new web page; how can this be populated? include each available experiment? then pull variables from the DB?
14) Extended analysis features:
  a) Can data be pulled back into the portal from iRODS?
  b) Is there a way to run R scripts in the GIMI portal? or new_plot?
  c) What features are coming with LabWiki?
15) Optional extension to iRODS to view data:
  a) written in PHP
  b) plots sqlite files
  c) selection by variable, group; can include avg

GENI I&M Architecture: 7) OML Result Isolation

Figure: Experiment_A, Slice 029 on ExoGENI servers/VMs; the same diagram as 4a), with the GIMI Portal Srvc (not based on IREEL; working towards LabWiki) on port 80 holding an OML Server, a postgreSQL Server, a persistent User_1 partition (account), a LabWiki Srvc on port 8001, and an icmd client into the GENI Storage and Archive Service (based on iRODS, federated), which holds User_1's partition (Experiment_A with DOI, directories, subdirectories, descriptors, objects, SQL data and SQL dump files), a Search GUI and iCAT to curate objects, Create BAG object to archive, and a User_99 partition. The diagram did not survive extraction; the isolation rules on it follow.

1) Between OML Clients and the OML Server, the experimenter MUST:
  a) use this experiment_id format, configured at the beginning of the experiment:
       exper_id = user_1-experiment_A-2654111326
     where user_1 is the same as the username at the GIMI portal, experiment_A is an experiment name that is unique to this user, and 2654111326 is an index, INTEGER or TEXT, selected by the user to be difficult for others to guess.
  b) for a new run of experiment_A, the experimenter SHOULD change the index.
  c) for a new experiment, the experimenter SHOULD change the experiment name and the index.
  d) CONSIDER: adding user_id to the information transferred from OML Client to OML Server at connect.
2) The OML server in the GIMI portal service should accept all connections from OML clients, and:
  a) start a new DB identified by exper_id = user_1-experiment_A-2654111326, with user_1, experiment_A and the index as above. The figure suggests the index "could be a hash of the current Unix time"; note that a hash of a timestamp is only as hard to guess as the timestamp (anyone who knows roughly when the run started can enumerate it), so a value drawn from a cryptographic random generator is what actually makes the index hard to guess.
  b) each DB will have multiple tables. QUESTION: How are all tables created when there are multiple OML Clients, all sending data from the same experiment?
  c) each DB owned by user_1 will be identified with an exper_id starting with user_1 (the whole user_1 component up to the first "-" must match, not merely the prefix, or user_10's databases would match as well).
  d) since the index is selected by user_1 to be difficult for others to guess, it is difficult for a malicious user to mimic data from a user_1 experiment.
  e) even if a malicious user were able to mimic data from a user_1 experiment, this data will NOT erase any data from a user_1 experiment.
3) The OML Server:
  a) creates a DB in the postgreSQL Server for each exper_id = user_1-experiment_A-2654111326, and gives read/write/erase privileges to the "user" equal to exper_id.
  b) The user_1 partition is configured with exper_id = user_1-experiment_A-2654111326.
  c) Then, the user_1 partition can read/write/erase DB tables (records) in the postgreSQL Server.
4) user_1, in their partition, selects experiment_A based on exper_id = user_1-experiment_A-2654111326.
  a) Then, the user_1 partition can pull the SQL_dump file from the postgreSQL DB for this experiment.
  b) Then, the user_1 partition can push the SQL_dump file (e.g., experiment_a-dump.sql) to iRODS using:
       proxycert_user_1;
       the chosen iRODS server (iRODS target: server, account, path);
       HomeDirectory (HD) of user_1;
       CurrentExperimentDirectory (CED), for example HD/experiment_A/collect_measurements_run1;
       a newly created TargetDirectory (TD) of CED/measurement_dataset_1360324567, where 1360324567 is the Unix timestamp when the push is initiated;
       iput to TD/experiment_dump.sql.
     REFERENCE: "GENI Storage and Archiving Service: Storing and Archiving Experiment Artifacts (Objects)".
5) user_1 account on the GIMI portal:
  a) established by admin
  b) login or access to shell or GUI by: username/password
  c) user_1 identity held in the GIMI portal: cert_user_1, proxycert_user_1 (includes cert_user_1) and privatekey_proxy1.
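As an added example (editor's code, not from the GIMI or OML projects), the Go program below builds, parses and ownership-checks an exper_id in the layout of 1a), draws the index from the OS CSPRNG rather than from a hash of the Unix time, and emits the PostgreSQL statements an OML server could run so that only the role named exper_id can connect to that experiment's database (3a). Assumptions not in the figure: the [A-Za-z0-9_] character set for the three components, a 128-bit hex index, and the exact DDL (CREATE ROLE, CREATE DATABASE ... OWNER, REVOKE CONNECT FROM PUBLIC).

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// exper_id layout from the figure: <user>-<experiment>-<index>.
// Assumption: user, experiment and index are limited to [A-Za-z0-9_], so the
// two "-" separators are unambiguous and the id is usable as a SQL identifier.
var component = regexp.MustCompile(`^[A-Za-z0-9_]+$`)

// ExperID is a parsed exper_id.
type ExperID struct {
	User, Experiment, Index string
}

func (e ExperID) String() string {
	return e.User + "-" + e.Experiment + "-" + e.Index
}

// NewIndex draws the hard-to-guess index from the OS CSPRNG. A hash of the
// current Unix time would be enumerable to within a few seconds of the run.
func NewIndex() (string, error) {
	b := make([]byte, 16) // 128 bits; assumed length
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// NewExperID builds the id for a fresh run; every run gets a new index (1b).
func NewExperID(user, experiment string) (ExperID, error) {
	if !component.MatchString(user) || !component.MatchString(experiment) {
		return ExperID{}, errors.New("user and experiment must match [A-Za-z0-9_]+")
	}
	idx, err := NewIndex()
	if err != nil {
		return ExperID{}, err
	}
	return ExperID{User: user, Experiment: experiment, Index: idx}, nil
}

// ParseExperID validates an id as the OML server receives it at connect.
func ParseExperID(s string) (ExperID, error) {
	parts := strings.Split(s, "-")
	if len(parts) != 3 {
		return ExperID{}, fmt.Errorf("exper_id %q: want user-experiment-index", s)
	}
	for _, p := range parts {
		if !component.MatchString(p) {
			return ExperID{}, fmt.Errorf("exper_id %q: bad component %q", s, p)
		}
	}
	return ExperID{User: parts[0], Experiment: parts[1], Index: parts[2]}, nil
}

// OwnedBy decides whether a DB belongs to user by comparing the whole user
// component (2c). A plain prefix test ("starts with user_1") would also
// match user_10's databases.
func OwnedBy(experID, user string) bool {
	e, err := ParseExperID(experID)
	return err == nil && e.User == user
}

// IsolationDDL returns PostgreSQL statements that create the per-experiment
// DB and a role of the same name, and shut every other role out (3a).
// Assumed mechanism; the figure only says privileges are given to exper_id.
func IsolationDDL(e ExperID) []string {
	id := `"` + strings.ReplaceAll(e.String(), `"`, `""`) + `"`
	return []string{
		"CREATE ROLE " + id + " LOGIN",
		"CREATE DATABASE " + id + " OWNER " + id,
		"REVOKE CONNECT ON DATABASE " + id + " FROM PUBLIC",
	}
}

func main() {
	e, err := NewExperID("user_1", "experiment_A")
	if err != nil {
		panic(err)
	}
	fmt.Println("exper_id:", e)
	for _, stmt := range IsolationDDL(e) {
		fmt.Println(stmt + ";")
	}
	fmt.Println("user_10 id owned by user_1?", OwnedBy("user_10-experiment_A-2654111326", "user_1"))
}
```

Running it prints a fresh exper_id, the three statements, and false for the user_10 check. The created role still needs a credential (password or certificate mapping) assigned by the portal admin, which the figure leaves to the account setup in 5).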

GENI I&M Architecture: 6) iRODS Config

Figure: GENI Storage and Archive Service (based on iRODS, federated) with a Handle system. Components shown: Exper A Partition (persistent) holding Experiment A101 and Experiment A205 (with DOI), directories and subdirectories, descriptors and objects; REST and icmd interfaces; Search GUI and iCAT to curate objects; Create BAG object; Archive (long term); Local Handle Resolution Srvc; Handle Minting Srvc; Global Handle Resolution Srvc; Researcher Z, who retrieves an archived bag; Experimenter Z Partition. The diagram did not survive extraction; the notes on it follow.

1) Handle assignment:
  a) GENI has an assigned Handle Prefix.
  b) There may be multiple Local HRS (Handle Resolution Services) in GENI, each associated with an Archive Srvc.
  c) Each Local HRS uses an assigned range of Handle suffixes, which are provided by the Local Handle Minting Srvc.
  d) Each Local HRS registers its range with the Global HRS. The Global HRS maintains the registry and provides resolution service to the local sites; each Local HRS maintains its own registry and provides resolution service to its local site.
2) When an object is transferred to the archive service, a handle is minted and assigned:
  a) get the minted handle (the Handle Minting Srvc mints a unique persistent object identifier, e.g., a handle);
  b) push the object (bag or bundle) to the archive.
3) Resolution, when Researcher Z requests an archived object:
  a) The reference link provides a URL that is resolved by DNS to the Global Handle Resolution Srvc.
  b) Then the Global HRS resolves the handle (DO Identifier) to the proper Local Handle Resolution Srvc.
  c) The Local HRS resolves the handle directly to the object in the Archive Srvc, and then redirects the web browser to it.
  d) When an object is viewed via the web interface, it reconstitutes the directory structure.

Notes carried over from 4a): If authentication of a service (i.e., an OML Client service or iRODS interface service) is required as it connects to a server, how can it be done? Consider making a proxy cert from the user's cert that can be delegated. Experimenters may transfer some of their objects to an archive service so that they remain available for a long period of time; the experimenter can set policy so that objects may be searched by and shared with researchers, etc. (or not, i.e., no sharing).

GENI I&M Architecture: 1b) A&A: to iRODS with GSI

Figure, upper part: Client, Server, and Certificate Authority (CA). The CA holds the CA Private Key and the CA Public Key. The client holds its User ID, Private Key, Public Key and Cert. A Cert contains: User ID, Public Key, Expiration, and a Signature by the CA. The diagram did not survive extraction; the steps on it follow.

1) Install the CA Public Key on the server (out-of-band).
2) Make the client's Cert, using the CA: the CA signs User ID, Public Key and Expiration with the CA Private Key.
3) Client sends Connect (ssh, ...), including the Cert.
4) Server receives Connect, verifies the Cert against the installed CA Public Key, recovers the User ID and Public Key from it, issues a challenge, verifies the response (which proves the client holds the Private Key matching the Cert), and allows the connection.

Figure, lower part: Experimenter A's Experiment Mgmt Tools obtain resources (slice 010) using the cert, hold Exp A certs, private keys, ssh keys, the Slice 010 credential and an instrumentize script, and enter the GENI Storage and Archive Service (based on iRODS, federated) using the cert or a proxy cert. Node n+1 is a Global Node (GN) that configures and measures slice 010 (GEMINI portal Lite, pS Measure Store (MS), REST services, measure interface) and stores measurement data into the Exper A Partition (persistent), where an Exp A/Slice 010 attribute cert and the Exp A proxy cert are held alongside the experiment artifacts (objects). The experimenter views and presents Experiment A results in a browser. Experiment A101 and Experiment A205 (with DOI) hold directories, subdirectories, descriptors and bags; the Search GUI and iCAT curate objects; Create BAG object pushes to the long-term Archive, from which an archived bag can be retrieved by DOI through the REST or icmd interface. Experimenter Z has its own partition.
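The four-step exchange of the upper figure, as an added example in Go using only the standard library (editor's code, not GENI, iRODS or Globus GSI code; it models the figure's steps, not the GSI wire protocol). ECDSA P-256 keys, a 24-hour CA validity, a 32-byte challenge and the names "GENI CA" and "user_1" are assumptions. The challenge is what turns step 4 from "presented a valid cert" into "holds the private key behind it".

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CA holds the CA Private Key plus the self-signed cert carrying the
// CA Public Key that the server installs out-of-band (step 1).
type CA struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// NewKeyPair makes a key pair for the CA or a client (assumed ECDSA P-256).
func NewKeyPair() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// template carries what every cert in the figure has: User ID, Expiration, serial.
func template(cn string, ttl time.Duration) *x509.Certificate {
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	return &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(ttl),
	}
}

// NewCA generates the CA key pair and its self-signed cert.
func NewCA(name string) (*CA, error) {
	key, err := NewKeyPair()
	if err != nil {
		return nil, err
	}
	tmpl := template(name, 24*time.Hour)
	tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &CA{Key: key, Cert: cert}, err
}

// IssueUserCert is step 2: the CA signs User ID, Public Key and Expiration.
func (ca *CA) IssueUserCert(userID string, pub *ecdsa.PublicKey, ttl time.Duration) ([]byte, error) {
	tmpl := template(userID, ttl)
	tmpl.KeyUsage = x509.KeyUsageDigitalSignature
	tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	return x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, pub, ca.Key)
}

// VerifyCert is the first half of step 4: check the chain to the installed CA
// cert, validity period and client-auth usage, then recover User ID and Public Key.
func VerifyCert(caCert *x509.Certificate, der []byte) (string, *ecdsa.PublicKey, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", nil, err
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return "", nil, errors.New("unsupported key type")
	}
	return cert.Subject.CommonName, pub, nil
}

// Connect runs steps 3 and 4 in-process: the client sends certDER, the server
// verifies it, issues a fresh nonce, and accepts only a signature over that nonce
// by the private key behind the cert. Without the nonce a copied cert would do.
func Connect(caCert *x509.Certificate, certDER []byte, priv *ecdsa.PrivateKey) (string, error) {
	user, pub, err := VerifyCert(caCert, certDER)
	if err != nil {
		return "", err
	}
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return "", err
	}
	h := sha256.Sum256(challenge)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, h[:]) // client's response
	if err != nil {
		return "", err
	}
	if !ecdsa.VerifyASN1(pub, h[:], sig) { // server checks the response
		return "", errors.New("challenge response failed")
	}
	return user, nil
}

func main() {
	ca, _ := NewCA("GENI CA")
	userKey, _ := NewKeyPair()
	cert, _ := ca.IssueUserCert("user_1", &userKey.PublicKey, time.Hour)
	fmt.Println(Connect(ca.Cert, cert, userKey))
}
```

A cert from a CA the server never installed, an expired cert, or a cert presented by someone without its private key all fail at step 4; the server only ever needs the CA Public Key, never the user's key material. The figure's proxy certs would appear as one more link in the chain that VerifyCert checks.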

GENI I&M Architecture: 1c) A&A: to iRODS with ticket

Figure: the same lower diagram as 1b), but the GIMI Portal Srvc (not based on IREEL; working towards LabWiki) reaches iRODS with an iRODS ticket instead of the experimenter's cert. The diagram did not survive extraction; its recoverable flow follows.

Entry to the GENI Storage and Archive Service (based on iRODS, federated) for Exp A uses the cert or proxy cert; entry for the portal's gimi_agent uses the gimi_agent cert (the gimi_agent cert and private keys are held in the portal).
Experimenter A's Experiment Mgmt Tools obtain resources (slice 010), hold Exp A certs, private keys, ssh keys, the Slice 010 credential and the instrumentize script, get an iRODS ticket from the storage service, and push the iRODS ticket and the iRODS target (server, account, path) to the GIMI Portal.
In the portal, the Exp A session runs the OML Server and postgreSQL Server (SQL data and the SQL dump file are pulled from the Store DB) and the LabWiki Session Server on port 8001; the gimi_agent session uses the icmd client, with the iRODS target and iRODS ticket, to create BAG objects and push them to the archive. The Exper A Partition (persistent) holds Experiment A101 and Experiment A205 (with DOI), directories, subdirectories, descriptors and bags; the Search GUI and iCAT curate objects; archived bags are retrieved by DOI through the REST or icmd interface. Experimenter Z has its own partition.
Issue: How does Exp A load the GIMI Portal with the iRODS target and the iRODS ticket? Use a REST interface like UNIS?
Note: an iRODS ticket is a bearer credential for the target collection, so it should be handed to the portal only over an authenticated channel, and issued with the narrowest scope the push needs (target path, expiry, use count).

GENI I&M Architecture: 4b) WiMAX site config, Spiral 5

Figure: Experimenter A (gpo229), Slice 029 on WiMAX site nodes. Components shown: Mobile Node 1 (Exper App, OMF RC, OML Client (MP), shell, WiMAX MS, plus a local EC and local OML Server), connected by WiMAX RF to the WiMAX BS; Fixed Node n (Exper App, OMF RC, OML Client (MP), shell); site services on the access and backbone network: Login Service, Scheduler, OMF AM, WiMAX AggMgr, XMPP Server (pub/sub used to carry OMF messages on the Control Network), OMF EC to orchestrate the experiment, Node Imaging Service (based on PXE) to load images, an OML Server (local, shared by all users) with an OML Web interface, SQL DB and results (pdf), and an OML Server shared by Operators. The diagram did not survive extraction; the notes on it follow.

An Experimenter gains access to a site via the Login Service, per the Scheduler, and can then orchestrate an experiment (ssh in, load images, orchestrate via the OMF EC).
Currently, multiple Experimenters can be logged in, and are assigned nodes per the Scheduler. They are not otherwise isolated.
The Control Network is protected, and available only to those who are logged in. There is no other protection, i.e., each node is typically loaded with a "root, no password" login.
The local EC and local OML Server on the Mobile Node can be used when the Mobile Node is disconnected.
The Operators' OML Server is intended to gather measurements from all WiMAX sites, and to be shared with all operators.
Can an OML Server be loaded into a fixed node as an experiment starts?
Missing: results/visualization service at the site.
Missing: Experimenter workspace/archive service at the site.
