The Access Grid is an Internet-based model for video conferencing that focuses on group-to-group communication, using an ensemble of resources including multimedia large-format displays, presentation and interactive environments, and interfaces to Grid middleware and visualization environments. The Access Grid is used for large-scale distributed meetings, collaborative work sessions, seminars, lectures, tutorials, and training. Even though the Access Grid is focused on group interactions, it also provides an access point for individual desktop users, permitting one-to-many or one-to-one communication.
The virtual meeting space, where people come together to collaborate in the Access Grid, is called a Virtual Venue. If the user is authorized, the Venue provides all the information needed to communicate with the other participants, including audio and video streams, user capabilities, data, services, applications, and connections to other venues.
Users connect to a Virtual Venue from their
particular environment, identified as a node,
which contains collaborative resources needed to provide high-quality user
experiences. Access Grid users can
configure nodes according to their own preference. Examples of node configurations are a desktop
using a Quick Camera or an entire room with several microphones, cameras, and
advanced display environments. Figure 1
shows one of several nodes available at Argonne National Laboratory.
Figure 1 A node at Argonne National Laboratory
The Venue Management is an administrative tool used
to create and maintain venues located on a server. It includes information about present venues
on the server, authorization, type of encryption used for media communication,
and addressing options.
Figure 2 shows the Venue Management connected to a
venue server at https://vv2:9000/VenueServer.
The Venues tab displays a list of venues currently up and running, with the selected venue's information displayed to the right. The Add, Modify, and Delete buttons under the list can be used to add a new venue, or to modify or delete the venue currently selected in the list.
Figure 2 Venue
management, with focus on the Venues tab
The second tab, shown in Figure 3, includes details
about the server configuration.
Multicast addresses are by default assigned from a standard range but
can be customized in the Multicast
Address box to fulfill users’ needs.
If the Encrypt Media option is set, all venues will, by default, use encrypted media streams. However, each venue has the option to change the encryption setting.
Figure 3 Venue management, with focus on the Configuration tab
The Security Tab in Figure 4 allows you to
change the authorization setting for the venue server.
Figure 4 Venue management, with focus on the Security tab
This section describes various actions you can take to start using Venue Management. It also provides information on how to add, modify, or remove a venue; how to set the venue server configuration; and how to control the server authorization policy.
To connect to a venue server, you need a valid Grid
identity certificate (for more information about certificates, see Section
3.1). You have to request and configure
your certificate only once; the same certificate can then be used for all
future Access Grid interactions. Also,
you are allowed to use the same certificate on several machines; hence, if you
already have a certificate, you can simply export your certificate files to the
other machines.
Figure 5 Certificate request wizard; Step 1
Figure 6 Certificate request wizard; Step 2
Figure 7 Certificate request wizard; Step 3
To successfully connect to the venue server, you need
a valid Grid proxy certificate (for more information, read Section 3.1). If such a certificate is missing, the dialog
in Figure 8 will enable you to create a proxy.
In the Pass phrase field, fill in the pass phrase you chose when you initially requested your certificate. You can set details of this Grid proxy by clicking the Proxy Details… button. The Proxy lifetime (hours) field indicates how long this proxy certificate will be valid; the default value is 8 hours, but you may change this number. When the proxy lifetime expires, you will be prompted for your pass phrase again. After specifying the validity of the proxy, click Ok.
Figure 8 Creating a grid proxy
For Windows users:
Go to the Start menu, and select All Programs - Access Grid Toolkit - Venue Server - Venue Server. The default server URL address is https://localhost:8000/VenueServer. If your proxy is invalid, you will be
prompted for your password.
For Linux users:
Run VenueServer on the command line; use the --help flag to find out the available options. If your proxy is invalid, you will be prompted for your password.
To connect to a Venue Server, enter the venue server
URL address (https://<host>:<port>/VenueServer)
in the address bar, and then click Go; see Figure 9.
Figure 9 Using the address bar to connect to a venue
server
Click on Add
under the list of venues in the Venues
tab. You will then see the dialog in
Figure 10 appear. The dialog is
separated into three tabs: General, Encryption, and Addressing. At a minimum, you need to specify the title of the
venue and give it a description in the Information
section of the General tab.
Figure 10 Creating a new venue – general tab
Information
The Information section shown in Figure 10 lets you give the new venue a Title and a short Description. This is the minimum information required to create a venue. If you want this venue to be the default venue of the server, mark the check box labeled "Set this venue as default." Each participant connecting to https://host:port/VenueServer/default will then automatically be directed to this venue.
Exits
To connect this venue to other venues, use the Exits section shown in Figure 10. By default, the venues located on the server you are connected to are displayed in the box labeled Available Venues. However, you can list venues from another server by entering the URL address of the remote server in the field under the list of exits and clicking Go. To add an exit, select a venue and click the Add Exit button. The list to the right shows the exits added to this venue. To remove an exit, select the exit you wish to delete and click Remove Exit.
From the Encryption
tab illustrated in Figure 11, you are given the option to modify the
encryption setting. If you mark Encrypt
Media, media streams in this venue will be encrypted. You can decide whether you want to specify a
key for the encryption or leave the Optional
Key field blank. The key will then
be assigned automatically.
Figure 11 Creating a new venue – encryption tab
The media streams by default use dynamic multicast
addressing; however, venues can be created with static addressing as well. In
the Addressing tab illustrated in
Figure 12, static addressing of video and audio streams requires you to specify
IP address, port, and a time-to-live value. Permitted IP addresses are within
the range 224.0.0.0–239.255.255.255.
Figure 12 Creating a new venue – addressing tab
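The following Python is an added example, not code from the Access Grid toolkit: it validates the static addressing values the Addressing tab asks for (IP address, port, time-to-live) for both the video and the audio stream of a venue. The multicast range is the one stated above; the port and TTL limits are the protocol's own, and the rule that the two streams must not share an address/port pair is an assumption noted in the code.

```python
import ipaddress

# Constructed validator for the Addressing tab's static values (not the toolkit's own
# code). Limits: the multicast range 224.0.0.0-239.255.255.255 given above, UDP
# ports 1-65535, and an IP time-to-live of 1-255.
MULTICAST_LOW = ipaddress.IPv4Address("224.0.0.0")
MULTICAST_HIGH = ipaddress.IPv4Address("239.255.255.255")

def check_stream(name, address, port, ttl):
    """Return the problems found with one stream's static address; an empty list means it is acceptable."""
    try:
        ip = ipaddress.IPv4Address(address)
    except ipaddress.AddressValueError:
        return [f"{name}: {address!r} is not a valid IPv4 address"]
    problems = []
    if not (MULTICAST_LOW <= ip <= MULTICAST_HIGH):
        problems.append(f"{name}: {address} is outside 224.0.0.0-239.255.255.255")
    if not (isinstance(port, int) and 1 <= port <= 65535):
        problems.append(f"{name}: port {port!r} is not in 1-65535")
    if not (isinstance(ttl, int) and 1 <= ttl <= 255):
        problems.append(f"{name}: time-to-live {ttl!r} is not in 1-255")
    return problems

def check_venue_addressing(video, audio):
    """video and audio are (address, port, ttl) tuples, one for each stream the venue carries."""
    problems = check_stream("video", *video) + check_stream("audio", *audio)
    # Assumption: the two streams need distinct address/port pairs, or their packets would be mixed.
    if not problems and video[:2] == audio[:2]:
        problems.append("video and audio use the same address and port")
    return problems
```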
Select the venue you want to change and then click Modify under the list of venues in the Venues tab. A dialog similar to the one used to add a venue is displayed (see Figure 10). Modify the appropriate fields and then click Ok. (For more information about specific options, read Section 2.4.) In addition to General, Encryption, and Addressing, the Modify Venue dialog has a fourth tab, Security. Access Grid venues use role-based security to establish an authorization policy, determining which participants to let in and with what authority. Administrators can decide who is allowed to perform different actions, such as entering the venue or adding data.
The Security tab in Figure 13 displays the current authorization settings for the venue. The venue has a set of Roles that identify different authorization privileges for groups of participants. The authorization privileges are identified as Actions. When you select a role in the left panel, the action panel on the right shows which actions are enabled for that role. When a role is expanded, the participants included in that role are shown. A participant may be added to several roles and is then allowed to perform all actions of that set of roles. You may add or remove roles, add or remove participants in roles, and add or remove actions for roles, using the menu opened by right-clicking a role, participant, or action.
Figure 13 Venue authorization
Select the venue you wish to remove from the list of
venues, and click the Delete button
under the list. Click Ok in the next dialog to confirm that
you want to remove the venue. It should
disappear from the list.
Multicast addresses, for all venues in the server,
are by default assigned from a standard range.
This can be changed by selecting
If you select Encrypt Media in the Encryption section of the Configuration tab, all venues on this server will use encryption by default. However, you can still change the encryption setting when adding a new venue, or modify an already existing venue (see Section 2.4 or 2.5 for more information).
The Authorization section of the Security tab enables you to control the authorization policy for the server. Access Grid servers use role-based security to establish an authorization policy, determining which participants are allowed to access the server and with what authority.
The frame in Figure 14 displays the current authorization settings for the server. The server has a set of Roles that identify different authorization privileges for groups of participants. The authorization privileges are identified as Actions. When you select a role in the left panel, the action panel on the right shows which actions are enabled for that role. When a role is expanded, the participants included in that role are shown. A participant may be added to several roles and is then allowed to perform all actions of that set of roles. You may add or remove roles, add or remove participants in roles, and add or remove actions for roles, using the menu opened by right-clicking a role, participant, or action.
Figure 14 Server authorization
Every user and service in the Access Grid must have a
valid certificate issued from a trusted certificate authority. Certificates are
a form of electronic identification that is superior to the well-known and
widely used password strategy. This form
of authentication aims to reduce the many problems seen with passwords, such as
poorly chosen, forgotten, or insecurely stored passwords, in order to enable a
reliable environment for collaboration.
The certificate authority is responsible for issuing your certificate; thus, it has to make sure you really are who you say you are.
A certificate is basically used to assure your security when connected to the Access Grid. The following are examples of the security functions the certificate mechanism provides:
1. Authentication: identifying who you are during the log-in procedure.
2. Authorization: determining which resources people are permitted to access.
3. Confidentiality: showing individuals only the resources and information they are supposed to see, securing transactions, and so forth.
4. Integrity: taking care of users' data; for example, backing up resources when something unexpected happens.
For more information about security through
certificates, see http://www.globus.org/security/.
A distinguished name (DN) is a globally unique identifier that represents the user as an individual. In the Access Grid, DNs are constructed from the entity name and domain information. The following is an example of a distinguished name: "/O=Grid/O=Globus/OU=mcs.anl.gov/CN=John Doe".
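The following Python is an added example, not the toolkit's own code, and it serves both the Security tab descriptions above and the distinguished-name format just shown: participants are identified by DN, roles carry actions, a participant in several roles gets the union of those roles' actions, and an action is allowed only if some role the participant holds grants it. The role and action names in demo_policy are constructed for illustration.

```python
# Constructed model of the role-based policy described above (not the toolkit's own
# code): participants (DNs) sit in roles, roles carry actions, and a participant may
# perform every action of every role that contains them.
import re
_DN_SPLIT = re.compile(r"/(?=[A-Za-z]+=)")  # split on '/' only where a new attribute begins

def parse_dn(dn):
    """Split "/O=Grid/O=Globus/OU=mcs.anl.gov/CN=John Doe" into ordered (attribute, value) pairs."""
    if not dn.startswith("/"):
        raise ValueError("a DN must start with '/'")
    pairs = []
    for component in _DN_SPLIT.split(dn)[1:]:  # element 0 is the empty string before the first '/'
        attr, sep, value = component.partition("=")
        if not sep or not value.strip():
            raise ValueError(f"malformed DN component: {component!r}")
        pairs.append((attr, value.strip()))
    return pairs

def normalize_dn(dn):
    # Canonical form, so the same identity always matches the same role entry.
    return "/" + "/".join(f"{attr}={value}" for attr, value in parse_dn(dn))

class Policy:
    def __init__(self):
        self.roles = {}  # role name -> {"actions": set of action names, "members": set of DNs}

    def add_role(self, role, actions=()):
        entry = self.roles.setdefault(role, {"actions": set(), "members": set()})
        entry["actions"].update(actions)

    def add_participant(self, role, dn):
        self.roles[role]["members"].add(normalize_dn(dn))  # KeyError if the role does not exist

    def roles_for(self, dn):
        wanted = normalize_dn(dn)
        return {name for name, entry in self.roles.items() if wanted in entry["members"]}

    def allowed_actions(self, dn):  # union of the actions of every role the participant holds
        return set().union(*(self.roles[name]["actions"] for name in self.roles_for(dn)))

    def is_allowed(self, dn, action):
        return action in self.allowed_actions(dn)

def demo_policy():  # sample venue policy; role and action names are constructed for illustration
    policy = Policy()
    policy.add_role("Administrators", {"Enter", "AddData", "ModifyVenue"})
    policy.add_role("AllowedEntry", {"Enter"})
    policy.add_participant("Administrators", "/O=Grid/O=Globus/OU=mcs.anl.gov/CN=John Doe")
    policy.add_participant("AllowedEntry", "/O=Grid/O=Globus/OU=example.org/CN=Jane Roe")
    return policy
```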
You do not use your certificate directly for authentication. Instead, you create a Grid proxy certificate, which is used for authentication without requiring you to enter your pass phrase each time. Once you have initiated the proxy with your pass phrase, you will not have to enter it again until the proxy expires. However, a longer proxy lifetime means less security, since a proxy that falls into the wrong hands remains usable until it expires.