The ISAAC Secure Enclave offers services for two type of systems to support sensitive research and data: (i) Windows Virtual machines (VMs) (ii) HPSC cluster. In this section we will learn how to transfer data from Secure Enclave to any other machine authorized by Office of Research and OIT Security.
Data transfer on the Secure Enclave is performed with the Globus, which is data transfer service and uses GridFTP protocol, an extension of FTP (File Transfer Protocol). GridFTP is a protocol defined by Global Grid Forum Recommendation GFD.020 and the following IETF standards (in RFC documents): RFC 959 (ftp), RFC 2228 (ftp security extensions), RFC 2389 (feature negotiation), RFC 3659 (Extensions), and RFC 4217 (TLS). Key features of GridFTP are:
The data transfer command and control mechanism uses the Globus cloud-based services to communicate with Globus endpoints (also called collections) to provide authentication and access control, get file listings, manage files (delete, rename, etc.), and transfer files between endpoints. The traditional file transfer tools such as SFTP, SCP or other utilities are not the preferred, approved, and documented way of transferring files and should not be used on the Secure Enclave. Please be aware that all data transfer operations should be done on the Secure Enclave Data Transfer Nodes (DTN). There are two DTNs: one for the Secure Enclave VMs and one for the HPSC cluster. The Globus endpoint names for these DTNs are given below:
The computers to (from) which the data needs to be transferred from (to) Secure Enclave are required to be in the University of Tennessee Knoxville’s (UTK) network. For the computers outside of the UTK network, please use Secure pulse VPN and connect to UTK network prior to access the Secure Enclave or get authorization to transfer data to (from) computer/server outside the University network by submitting a Service request and approve from the concerned authorities.
As Globus is a web-based data transfer application, which uses the location of computers (source or destination), also called as endpoints to transfer data, therefore, the users do not need to connect to VPN as long as the location of the systems to (from) which data to be transferred from (to) Secure Enclave are inside the UTK’s network. For example: users are not required to connect to Secure pulse VPN if they intend to transfer data from ISAAC Open Enclave HPSC cluster or Secure Enclave VM to Secure Enclave HPSC cluster or vice versa because all these systems are already in the UTK’s network.
However, if a user intend to transfer data to (from) a computer outside UTK’s network from (to) one of the Secure Enclaves and is not connected to VPN, then initiating a transfer of data to (from) the Secure Enclave using Globus will create the corresponding file/folder and it will look like it was successful. However, the file will be empty and have a size of 0 kB. This is because the access for the command protocol to the Globus cloud is open but the connections to the Globus endpoint file transfer ports are only allowed from approved external endpoints and the endpoints from University IP addresses including the VPN.
To learn how to setup and configure the VPN on your device, please review OIT’s VPN User Guide.
As discussed above, there are two separate endpoints to transfer data to/from Secure Enclave Windows VM and HPSC cluster. The step by step process of data transfer for each of these systems is given below:
The process of transferring data to/from Windows VM can be divided into two parts:
The first part involves the authentication on the data transfer node (sie-dtn) and grant access to the directory from where the data in the Secure Enclave VM will be transferred. The steps to grant the access to this data directory are given below:
After authorizing data transfer on DTN, the next step is to log in to Globus web based interface using your organizational credentials. Below are the important steps:
Please note that the files in the D:\Globus folder on Windows VM should not be kept there permanently. After exchanging the files, please move/remove them from D:\Globus folder.
As discussed in File Systems, data on Secure Enclave HPSC cluster is stored in encrypted and unencrypted mode. The process of data transfer from each of these storage spaces is discussed one by one.
The data in the unencrypted storage space can be transferred to any authorized local machine or server by following the below steps:
To transfer data stored in the encrypted storage space, we need to perform few additional steps to decrypt the data before using Globus to start the data transfer. These steps are outlined below:
$ sudo sipmount <project_account>
$ sudo sipmount <project_account> Filesystem Size Used Avail Use% Mounted on ---- --- --- --- --- / -------- --- --- --- --- /dev -do- encfs 1.2P 124T 1.1P 11% /projects/<project_name>
After you complete your data transfers, you may unmount the encrypted space on the Secure Enclave cluster. Use the sipumount command to unmount this space as described below
$ sudo sipumount <project_account>
Its syntax and usage is the same as the
sipmount command. If you do not unmount the encrypted space, it will automatically be unmounted after 15 minutes. For more information, please refer to the File Systems document.
Data transfer from the Secure Enclave to external non-UT Globus endpoints is only allowed after authorization. These external endpoints must be authorized before they can be used. If you have an external Globus endpoint that you would like to be allowed to transfer data to/from the Secure Enclave, please submit a service request to the OIT Help Desk for the HPSC service with the request details (hostname, IP address, external Globus administrator contact, and external organization security contact).
Globus can manage transfers of collections of files within subdirectories automatically. You may want to try using this capability by asking Globus to transfer an entire directory as a test to get famliar with it then make use of this capability for transfer of large data collections of large numbers of files on the Secure Enclave file systems.
Before you initiate data transfers to or from the Secure Enclave endpoints, you could consider preparing the data you wish to transfer by aggregating multiple files with tar and compressing it. When you aggregate data, several files and directories can be added to the same file. When you compress data, you reduce its total size. Both methods reduce the total amount of data that must be sent across the network and make it easier for you to organize the data you wish to transfer. At the time of this writing, the tar and zip utilities are the best methods for data archiving and compression for Secure Enclave users across Linux, MacOS, and Windows.
When you prepare your data, please avoid using a login node. Instead, use the SIP’s DTN (data transfer node). Figure 1.1 in the Introduction shows how to access the DTN.
The tar (tape archiver) utility uses simple command syntax and allows large amounts of data to be aggregated into the same archive. Linux, MacOS, and updated Windows 10 systems can use tar. Older Windows systems will be limited to the zip utility.
To create a tar archive, execute
tar czvf <archive-name> <dir-to-archive>. Replace the <archive-name> argument with the name of the new archive. Be sure to follow the name with the .tar.gz extension, as in my_archive.tar.gz. Replace the <dir-to-archive> argument with the directory you wish to place within the archive. If the directory you intend to archive is not within your working directory, specify the relative or absolute path to it. By default, tar will recursively place the directory and its contents into the new archive as shown below
[user@sip-dtn1 ~]$ tar czvf new_archive.tar.gz Documents Documents/ Documents/IntroUnix.pdf Documents/JobSubData.zip Documents/MATLAB/ Documents/Scripts.zip Documents/PyLists.py
After the archive is created, execute
ls -l to verify that the archive exists. You can view its contents with the
tar tvf <archive-name> command. You may then transfer the archive using Globus. Please refer to the Configuring Globus section to learn how to configure it for your system.
On the remote system, execute
tar xvf <archive-name> to extract the contents of the archive. The files will be extracted into your working directory.
On older Windows systems, the zip utility should be used to archive and compress your data on the SIP.
To create a zip archive on the SIP, execute zip -r <archive-name>.zip <dir-to-archive>. Be sure that the directory you wish to archive is in your working directory. Otherwise, specify the relative or absolute path to the directory you wish to archive. Replace the <archive-name> argument with the name of the new zip archive. You may or may not include the .zip file extension to the archive’s name; if you do not, the zip utility will add it automatically. Replace the <dir-to-archive> argument with the directory you wish to place in the zip archive. The -r option ensures that the directory and its contents are archived and compressed as described below
[user@sip-dtn1 ~]$ zip -r Documents Documents adding: Documents/ (stored 0%) adding: Documents/IntroUnix.pdf (deflated 4%) adding: Documents/MATLAB/ (stored 0%) adding: Documents/PyLists.py (deflated 61%)
After the zip archive has been created, execute
ls -l in the directory from which you created it to ensure the archive exists. It will appear with the name you gave to the archive followed by the .zip extension.
With the zip archive created and verified, transfer it to your system using Globus. Please refer to the Configuring Globus section to learn how to use it on your system. Once you transfer the zip archive to your system, open the File Explorer and navigate to the directory in which you placed the archive. Right-click on the archive and select the “Extract All…” option in the submenu. Figure 2.3 shows where to locate this option. Specify the directory in which the contents should be extracted, then select “Extract.” You may then open the archive and peruse its contents.