Virtual Venue Management User Manual

Access Grid Toolkit Documentation

 

The Futures Laboratory

5/28/2003

1.0 Introduction

Background

The Access Grid is an internet-based model for video conferencing that focuses on group-to-group communication, using an ensemble of resources including multimedia large-format displays, presentation and interactive environments, and interfaces to Grid middleware and visualization environments.  For instance, the Access Grid is used for large-scale distributed meetings, collaborative work sessions, seminars, lectures, tutorials, and training.  Even though the Access Grid is concentrated on group interactions, it also provides an access point for individual desktop users, permitting one-to-many or one-to-one communication.

 

The virtual meeting space, where people come together to collaborate in the Access Grid, is called a Virtual Venue.  If authorized, the Venue provides users with all the necessary information needed to communicate with each other, including audio and video streams, user capabilities, data, services, applications, and connections to other venues. 

 

Users connect to a Virtual Venue from their particular environment, identified as a node, which contains collaborative resources needed to provide high-quality user experiences.  Access Grid users are given the ability to configure nodes according to their own preference.  Examples of node configurations are a desktop using a Quick Camera or an entire room with several microphones, cameras, and advanced display environments.  The image in Figure 1 shows one of several nodes available at Argonne National Laboratory.

 

Figure 1 A node at Argonne National Laboratory.

Overview

The Venue Management is an administrative tool used to create and maintain venues located on a server.  It includes information about present venues on the server, authorization, type of encryption used for media communication, and addressing options. 

 

Figure 2 shows the Venue Management connected to a venue server at https://vv2:9000/VenueServer.  The Venues tab displays a list of venues currently up and running, with the selected venue’s information displayed to the right.  The buttons Add, Modify, and Delete seen under the list can be used to add a new venue or modify a currently selected venue in the list.

 

Figure 2 Venue Management, with focus on the Venues tab

 

The second tab, shown in Figure 3, includes details about the server configuration.  Multicast addresses are by default assigned from a standard range but can be customized to fulfill users’ needs in the Multicast Address box.  If the Encryption Media option is set, all venues will, by default, use encrypted media streams.  However, each venue has the option to change the encryption setting.

 

 

Figure 3 Venue Management, with focus on the Configuration tab

 

Finally, the Security Tab in Figure 4 allows you to change the authorization setting for the venue server.

 

Figure 4 Venue Management, with focus on the Security tab

2. 0 Actions

This section describes various actions you can take to start using Venue Management.  It also provides information on how to add, modify, or remove a venue, how to set the venue server configuration, and to control the server authorization policy.  

2.1 Using Venue Management

Set up Certificate

To connect to a venue server you have to have a valid grid identity certificate (for more information about certificates, see Section 3.1).  You have to request and configure your certificate only once; the same certificate can then be used for all future Access Grid interactions.  Also, you are allowed to user the same certificate on several machines; so if you already have a certificate, you can simply export your certificate files over to the other machines.

 

  1. Start Venue Management. The Venue Management software provides a mechanism for requesting certificates to use with the Access Grid.  When starting the Venue Management, the Certificate Request Wizard will open automatically if you do not have certificates already installed.

 

  1. Click Next > in the first page of the wizard, see Figure 5.

 

Figure 5 Certificate Request Wizard; Step 1

 

  1. Enter your Information. The second wizard page, in Figure 6, will appear prompting you for necessary information to create your certificate and the distinguished name you will be associated with (for more information about distinguished names read Section 3.3).  Take care to remember the password you select because you will be using this in the future.  Also, certificate requests with incorrect first and last names will not be approved. 

 

Figure 6 Certificate Request Wizard; Step 2

 

  1. Review. Finally, review the information that will be included in your certificate and click Finish to submit the request, see Figure 7. The certificate will be approved manually.  This may take some time depending on how many requests are being processed at the moment; please be patient.  When your request has been approved, you will receive an email containing instructions on how to install your certificate.  For further questions regarding certificates, send an email to agdev-ca@mcs.anl.gov.

Figure 7 Certificate Request Wizard; Step 3

 

  1. Install Certificate.  To install the certificate, open the Venue Client and go to Preferences – Manage Certificates – Certificate Manager…. In the Certificate Requests tab, you will see a list of requested certificates and their current status.  Click the Check status button to get current status of your requests. If status is Ready to Install, select the certificate from the list and click the Install Certificate button.  The certificate is now installed and you are ready to use it.

Creating Grid Proxy

In order to successfully connect to the venue server, you have to have a valid grid proxy certificate (for more information, read Section 3.1).  If such a certificate is missing, the dialog in Figure 8 will enable you to create a proxy.  Fill in the password you chose when you initially requested your certificate in the Pass phrase field.  You can set details of this grid proxy by clicking the Proxy Details… button.  The Proxy lifetime (hours) field indicates how long this proxy certificate will be valid; the default value is 8 hours, but you may change this number.  When the proxy life time expires, you will be prompted for your password again.  After specifying the validity of the proxy, click Ok.

 

Figure 8 Creating a grid proxy

2.2 Starting a Venue Server

For Windows users: 

Go to the Start menu, and select All Programs - Access Grid Toolkit - Venue Server - Venue Server.  The default server URL address is https://localhost:8000/VenueServer.  If your proxy is invalid, you will be prompted for your password.

 

For Linux users: 

Run VenueServer on the command line; use the –help flag to find out available options.   If your proxy is invalid, you will be prompted for your password.

2.3 Connecting To a Venue Server

To connect to a Venue Server, enter the venue server URL address (https://<host>:<port>/VenueServer) in the address bar, and  then click Go; see Figure 9. 

 

Figure 9 Use the address bar to connect to a venue server

2.4 Adding Venue

Click on Add under the list of venues in the Venues tab.  You will then see the dialog in Figure 10 appear.  The dialog is separated into three tabs, General, Encryption, and Addressing. At a minimum, you need to specify the title of the venue and give it a description in the Information section of the General tab. 

 

Figure 10 Creating a New Venue – General Tab

2.4.1 General

Information

The Information section shown in Figure 10 lets you give the new venue a Title and a short Description. This is the bare minimum information requested to create a venue.  If you want this venue to be the default venue of the server, mark the check box labeled “Set this venue as default”.  Each participant connecting to https://host:port/VenueServer/default will then automatically get directed to enter this venue.

 

Exits

To connect this venue to other venues, use the Exits section shown in Figure 10.  By default, venues located on the server you are connected to get displayed in the box labeled Available Venues.  However, you can get venues from other servers by entering the URL address of the remote server, available under the list of exits, and clicking Go.  To add an exit, select a venue and use the Add Exit button.  In the list to the right you can see exits added to this venue.  If you want to remove an exit, select the exit you wish to delete, and click Remove Exit. 

2.4.2 Encryption

From the Encryption tab illustrated in Figure 11, you are given the option to modify the encryption setting. If you mark Encrypt Media media streams in this venue will be encrypted.  You can decide whether you want to specify a key for the encryption or leave the Optional Key field blank.  The key will then be assigned automatically. 

 

Figure 11 Creating a New Venue – Encryption Tab

2.4.3 Addressing

The media streams by default use dynamic multicast addressing; however, venues can be created with static addressing as well. In the Addressing tab illustrated in Figure 12, static addressing of video and audio streams requires you to specify IP address, port, and a time-to-live value. Permitted IP addresses are within the range 224.0.0.0 – 239.255.255.255.

 

Figure 12 Creating a New Venue Addressing Tab

2.5 Modifying Venue

Select the venue you want to change and then click on Modify under the list of venues in the Venues tab.  A similar dialog to that used to add a venue is displayed (see Figure 10).  Modify the appropriate fields then click Ok.  (For more information about specific options, read section 2.4).  In addition to General, Encryption, and Addressing, the Modify Venue dialog has a fourth tab; Security.

Access Grid venues has a role-based security to establish an authorization policy, determining which participants to let in and with what authority.  Administrators can decide who are allowed to perform different actions, such as entering the venue, adding data, and so forth.

 

The Security tab in Figure 13 displays current authorization setting for the venue.  The venue has a set of Roles that identifies different authorization privileges for groups of participants.  The authorization privileges are identified as Actions. When selecting a role from the left panel, you can see which actions are enabled for that role in the right action panel.  When expanding a role, participants included in the role are shown. A participant may be added to several roles and are allowed to perform all actions for that set of roles. You may add/remove roles, add/remove participants to different roles, and add/remove actions to roles according to the menu opened by right clicking a role, action, or participant.

 

Figure 13 Venue Authorization

2.6 Removing Venue

Select the venue you wish to remove from the list of venues, and click the Delete button under the list.  Click Ok in the next dialog to confirm that you want to remove the venue.   It should disappear from the list.

2.7 Changing Server Multicast Address

Multicast addresses, for all venues in the server, are by default assigned from a standard range.  This can be changed by selecting Custom Range from the Multicast Address section in the Configuration tab and entering an IP address and a mask value.  If you want to use static addressing for individual venues, you can specify that when you create a new venue (read Section 2.4)

2.8 Changing Server Encryption

If you select Encrypt Media in the Encryption section of the Configuration tab, all venues on this server will by default use encryption.  However, you still have the ability to change the encryption setting when adding a new venue or you can decide to modify an already existing venue (see Section 2.4 or 2.5 for more information).

2.9 Setting Server Authorization

The Authorization section of the Security tab enables you to control the authorization for the server. Access Grid servers has a role-based security to establish an authorization policy, determining which participants are allowed to have access to the server and with what authority. 

 

The frame in Figure 14 displays current authorization setting for the server.  The server has a set of Roles that identifies different authorization privileges for groups of participants.  The authorization privileges are identified as Actions. When selecting a role from the left panel, you can see which actions are enabled for that role in the right action panel.  When expanding a role, participants included in the role are shown. A participant may be added to several roles and are allowed to perform all actions for that set of roles. You may add/remove roles, add/remove participants to different roles, and add/remove actions to roles according to the menu opened by right clicking a role, action, or participant. 

 

Figure 14 Server Authorization

3.0 Certificates

3.1 What Is a Certificate?

Every user and service in the Access Grid is required to have a valid certificate issued from a trusted certificate authority. Certificates are a form of electronic identification that is superior to the well-known and widely used password strategy.  This form of authentication aims to reduce the many problems seen with passwords, such as poorly chosen, forgotten, or insecurely stored passwords, in order to enable a reliable environment for collaboration.  The certificate authority is responsible for giving you a certificate; thus, make sure you really are who you say you are.

3.2 Why Use Certificates?

A certificate is basically used to assure your security when connected to the Access Grid.  The following are examples of security provided in the certificate mechanism:

 

1. Deal with authentication during log in procedures to identify who you are.

2. Authorize what resources people are allowed and have permission to access.

3. Preserve confidentiality by just showing given individuals’ resources and information they are supposed to see, secure transactions, and so forth.

4. Take care of users’ integrity; for example, back up resources when something unexpected happens. 

 

For more information about security through certificates, see http://www.globus.org/security/.

3.3 Distinguished Name

A distinguished name (DN) is a globally unique identifier that represents the user as an individual. In the Access Grid, DNs are constructed from the entity name and domain information.  The following is an example of a distinguished name: "/O=Grid/O=Globus/OU=mcs.anl.gov/CN=John Doe”.  On Windows users can find the distinguished name in the usercert.pem file, created when they requested a certificate, found in C:\Documents and Settings\<your user name>\Application Data\globus\usercert.pem.  Linux users can run grid-cert-info –subject.

3.4 Grid Proxy

You are not actually using your certificate for authentication.  Rather, you have to create a grid proxy certificate, which is used for authentication without requiring you to enter your pass phrase.  Once you have initiated the proxy with your password you will not have to enter it again until the proxy is invalid.  However, longer validity means less security.