
www.DOEGrids.org: DOE’s PKI service for Grids. Tony J. Genovese, Malaga, Spain, November 2003.


1 DOE’s PKI service for Grids
Tony J. Genovese, Malaga, Spain, November 2003

2 Outline
- Grids AuthN/AuthZ model
- International Grid Federation efforts
- DOEGrids Federation
- Experimental OCSP service

3 Grids AuthN/AuthZ
- Separate the two problems
- First focus on solving identity
  - Harmonize identity policies
  - Standards efforts: GGF, Grid PMA
  - Grid identity federations: EDG, Cross Grid, DOEGrids
  - Other federations: TERENA, EGEE, eInfrastructure?
- Authorization is still a research topic
  - Individual grids are developing their own policies
  - VOMS, proxy services

4 International Grid Federation
- Informal confederation
- Representatives from major Grid PMAs:
  - European Data Grid and Cross Grid PMA
  - NCSA Alliance
  - DOEGrids PMA
  - NASA Information Power Grid
  - TERENA
  - Asian Pacific PMA: AIST (Japan), SDSC (USA), KISTI (Korea), BII (Singapore), Kasetsart Univ. (Thailand), CAS (China)

5 DOEGrids Federation
- Managed by multiple stakeholders
  - 15-member Policy Management Authority representing DOE and NSF
  - PMA responsible for the Certificate Policy and Certification Practice Statement
  - PMA manages the operator relationship
- Operator: ESnet at Lawrence Berkeley National Laboratory
- Peers with the European Data Grid PMA and the Cross Grid project
- 20+ Registration Authority Agents

6 DOEGrids community (chart)
* Includes DOESG transitioned certificates

7 DOEGrids usage (chart)

8 General PKI Service Architecture (diagram labels)
- ESnet Root CA
- Virtual Secure Card (SLAC)
- K/X509 (FNAL)
- ESnet subordinate Certificate Authorities and proposed CAs
- DOEGrids
- VO support
- NERSC NIM Integration
- Integrated Site AuthN
- Certificate Authority links
- ESnet only signs subordinate CAs

9 DOEGrids Physical Security Architecture
- Vaulted Root CA

10 DOEGrids PKI roles
- Policy Management Authority
  - Manages PKI policies
- Security Officer
  - Manages PKI infrastructure
  - Responsible for implementing PKI policies
- Registration Authority
  - Represents the VO on the PMA
  - Responsible for identity vetting of VO members
- Registration Agent
  - Delegated identity vetting from the RA
- Grid Administrator (new)
  - Delegated by the Agent to issue Service Certificates

11 Grid Admin Server Cert Interface (flow)
1. Provide a PKCS#10 server request and submit it.
2. SSL client authentication using the DOEGrids CA certificate: failed -> Authentication Error; successful -> continue.
3. Request validation and authorization process against GridAdmin LDAP (Grid Admin role): not successful -> Authorization Error; successful -> Issue Server Certificate.

12 Experimental OCSP service (diagram: LDAP, Machine A, Machine B, OCSP Service, OCSP Admin Interface)
- edg-fetch-crl-cron downloads all the CRLs listed on the EDG website into the /opt/edg/certificates folder.
- postcrl_ocsp, for every CRL file (*.r0) under the /opt/edg/certificates folder:
  - checks whether the file is new;
  - parses the CRL file and keeps only the base64-encoded CRL portion;
  - applies URL encoding;
  - posts this CRL data to the OCSP Service Admin interface (SSL client authentication).
- edg-fetch-crl-cron and postcrl_ocsp are cron jobs that run every night.
- All the CA certificates listed in table-ca.html have been installed with the OCSP Service: http://marianne.in2p3.fr/datagrid/ca/ca-table-ca.html
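The postcrl_ocsp steps above, as an added Python example that is not the EDG or DOEGrids tooling: it finds *.r0 files that have not been posted yet, keeps only the base64 body of each PEM CRL, URL-encodes it and builds the form body for the admin interface. The hash-based `seen` state and the form field name `crl` are assumptions, and the sample CRL is constructed (valid base64, not a real CRL).

```python
"""Added example, not EDG/DOEGrids code: the nightly postcrl_ocsp step from the slide."""
import base64
import glob
import hashlib
import os
import re
import tempfile
import urllib.parse

PEM_RE = re.compile(r"-----BEGIN X509 CRL-----(.*?)-----END X509 CRL-----", re.S)


def extract_crl_base64(pem_text: str) -> str:
    """Keep only the base64 body of a PEM CRL; refuse files with no CRL block or a corrupt body."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no PEM X509 CRL block found")
    body = "".join(m.group(1).split())
    base64.b64decode(body, validate=True)  # a truncated download must never be posted
    return body


def build_post_body(pem_text: str) -> str:
    """Form body for the OCSP admin interface; field name 'crl' is an assumption.
    quote(safe="") turns '+', '/' and '=' into %2B, %2F, %3D so the POST survives intact."""
    return "crl=" + urllib.parse.quote(extract_crl_base64(pem_text), safe="")


def new_crl_files(folder: str, seen: dict) -> list:
    """(path, sha256) of *.r0 files whose content differs from what `seen` says was posted.
    `seen` (file name -> sha256 of the last posted copy) is this example's state, an assumption."""
    fresh = []
    for path in sorted(glob.glob(os.path.join(folder, "*.r0"))):
        with open(path, "rb") as f:
            digest = hashlib.sha256(f.read()).hexdigest()
        if seen.get(os.path.basename(path)) != digest:
            fresh.append((path, digest))
    return fresh


SAMPLE_CRL_PEM = """-----BEGIN X509 CRL-----
MIIBAjCBrQIBATANBgkqhkiG9w0BAQUFADA+/w==
-----END X509 CRL-----"""  # constructed sample: valid base64, NOT a real CRL (nothing here decodes the DER)


def demo() -> dict:
    """Run the new-file check twice over a temp folder holding the sample CRL."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "constructed.r0"), "w") as f:
            f.write(SAMPLE_CRL_PEM)
        seen = {}
        first = new_crl_files(d, seen)
        seen.update({os.path.basename(p): h for p, h in first})
        second = new_crl_files(d, seen)
    return {"first": len(first), "second": len(second), "body": build_post_body(SAMPLE_CRL_PEM)}
```

On the second pass nothing is reposted because the stored hash matches, which is the "is the file new" check the slide describes.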

