TAGPMA Accreditation Review of TACC MICS CA Design and CP/CPS (Update) Marg Murray Advanced Computing Systems Group Texas Advanced Computing Center (TACC)


1 TAGPMA Accreditation Review of TACC MICS CA Design and CP/CPS (Update). Marg Murray, Advanced Computing Systems Group, Texas Advanced Computing Center (TACC). 17 July 2007 (revised).

2 TAGPMA F2F Banff, 17 Jul 2007. Intro: TACC MICS CA Goals
- Leverage existing IdM infrastructures.
- Simplify user credential acquisition and management.
- Generate short-term X.509v3 end entity certificates for academic science and research users relevant to TACC's campus, state, national and international research projects.

3 First Candidate IdM: UT-System Shibboleth
- Policy: Charter, Fees, Attributes, Federation Operating Procedures, Member Operating Procedures
- LoA
- Technology: 17 Identity Providers (IdPs), 1 per campus; 10 federated applications; 1 external vendor
- Governance: IdM Governing Board (Technical Operations, Policy Mgmt, Audit, Dispute resolution)
https://www.utsystem.edu/IdentMgmt/UTsysFedApply.asp

4 U.T. System IdM Roadmap (figure). Source: https://idm.utsystem.edu/IdentityMgmtpage4.pdf. Color key: Complete; Current Development; In-Progress; Longer-term Future.

5 Possible Future IdM Candidates ... an evolving landscape
- Bridged relationships arranged by the UT-System Federation
  – Cross-certifying UT campus CAs with the FBCA (the University of Texas employs Verisign CAs): http://www.cio.gov/fbca/
- Texas A&M Shibboleth Federation?
- Maybe Texas Tech?

6 UTShib IdM Integration into X.509 Certificate Workflow
- CA
  – Establish policies and procedures
  – Process CSRs; sign certificates
- RA
  – Institution is authoritative (and responsible) for: phone directory (public) information; org status and entitlements
  – Initial RA F2F meeting is authoritative for: project and allocation eligibility; VO membership

7 User and Relying Party Workflow
- User
  – Initial identity vetting with the IdM and with the RA
  – Authenticated portal login before anything else
  – "Request a short-term X.509 Certificate"
  – Store the cert somewhere (MyProxy server, HW token, web browser)
  – Generate a proxy to enable mutual authentication and delegation
  – Present the proxy to perform grid tasks and access grid resources
- Relying Party (relies on the TACC CA, not directly on the UT IdP)
  – Load CA cert and signing policy
  – Accept cert from requesting user
  – Check expiration date and signature
  – Map DN to account in grid-mapfile
  – Honor user request
  – Log access
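The relying-party side of this workflow, as an added example (not code from the slides or from TACC): parse a grid-mapfile, strip the proxy CN components a user's proxy certificate appends to the end-entity subject, check expiry, and map the DN to a local account. The grid-mapfile contents, accounts and people are constructed; the DNs follow the namespace template on the later slide. Signature and chain validation against the CA certificate and signing policy are assumed to have been done already by the GSI layer, as they would be before the gridmap lookup; refusing "limited proxy" credentials for job submission is the conventional GSI gatekeeper rule and is an assumption here, not something the slide states.

```python
import re
from datetime import datetime

# Constructed sample grid-mapfile. The DNs follow the TACC MICS namespace from
# the slides; the accounts and people are hypothetical.
GRID_MAPFILE = '''\
# "<subject DN>" <local account>[,<local account>...]
"/DC=edu/DC=utexas/DC=tacc/O=UT-System/OU=utexas.edu/CN=Jane Q Doe" jdoe
"/DC=edu/DC=utexas/DC=tacc/O=UT-System/OU=utexas.edu/CN=Jane Q Doe2" jdoe2,tg-share
"/DC=edu/DC=utexas/DC=tacc/O=TACC Classic CA/CN=Ops Robot" ops
'''

_MAP_LINE = re.compile(r'^"([^"]+)"\s+(\S+)$')
# Proxy certificates append CN components to the end-entity subject:
# RFC 3820 uses /CN=<decimal serial>; legacy GSI used /CN=proxy or /CN=limited proxy.
_PROXY_CN = re.compile(r'/CN=(?:proxy|limited proxy|\d+)$')
_OPENSSL_DATE = '%b %d %H:%M:%S %Y GMT'   # format printed by `openssl x509 -enddate`


def parse_gridmap(text):
    """Return {subject DN: [local accounts]} from grid-mapfile text."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = _MAP_LINE.match(line)
        if not m:
            raise ValueError('malformed grid-mapfile line: %r' % raw)
        mapping[m.group(1)] = m.group(2).split(',')
    return mapping


def end_entity_dn(subject):
    """Strip every trailing proxy CN so the lookup key is the certificate the CA issued."""
    while True:
        stripped = _PROXY_CN.sub('', subject)
        if stripped == subject:
            return subject
        subject = stripped


def authorize(subject, not_after, mapping, now):
    """Map a presented (proxy) subject to a local account.

    not_after and now are strings in `openssl x509 -enddate` form, e.g.
    'Jul 27 12:00:00 2007 GMT'. Signature/chain checks are assumed done already;
    this covers the remaining slide steps: expiry, DN mapping, proxy policy.
    """
    if datetime.strptime(not_after, _OPENSSL_DATE) <= datetime.strptime(now, _OPENSSL_DATE):
        return None, 'expired'
    if '/CN=limited proxy' in subject:
        return None, 'limited proxy not accepted for job submission'
    accounts = mapping.get(end_entity_dn(subject))
    if not accounts:
        return None, 'no grid-mapfile entry'
    return accounts[0], 'ok'


if __name__ == '__main__':
    gridmap = parse_gridmap(GRID_MAPFILE)
    proxy = '/DC=edu/DC=utexas/DC=tacc/O=UT-System/OU=utexas.edu/CN=Jane Q Doe/CN=1234567'
    print(authorize(proxy, 'Jul 27 12:00:00 2007 GMT', gridmap, 'Jul 17 09:00:00 2007 GMT'))
```

The mapping is keyed on the end-entity DN because that is what the RA vetted; a relying party that keyed on the full proxy subject would never get a hit, and one that only stripped a single "/CN=proxy" would miss RFC 3820 chains with numeric CNs.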

8 TACC Member-Integrated CA Portal Services
AUTHENTICATE
- Identity
  – Does the IdP know this user based on in-person ID vetting (LoA)? If not in-person, user access to low-risk applications is OK, but no X.509 credential.
  – Query the TACC Accounting System (TAS) DB for user context:
    Can check that the user answers the security question set up at initial registration
    Check for active projects, allocations, and VO membership and roles
    Find the user's unique Distinguished Name (CN + issuer) by querying the CN list by eduPersonPrincipalName OR eduPersonTargetedID
    Check that the IdM is not re-using an eduPersonPrincipalName by matching email, phone, address
    Query the VOMRS attribute server to verify the user's VO membership and roles
    Determine the length of the short-term certificate
  – Enable the "Get short-term X.509 cert" button
PROVIDE
- the resulting short-term X.509 credential when the user wants it

9 Grid Portal Authentication: Portal Account or Shibboleth. Both authentication methods are integrated with the underlying TACC TAS database.

10 2) UT-System Shibboleth WAYF Dialogue: the user selects an Identity Provider from a pull-down menu.

11 3) Authenticate with Home Identity Provider: regular campus/IdP login. This one is for UT-System.

12 Attributes Returned by UT-System IdP (screenshot)

13 Each IdP Presents Its Own Dialogue/Look and Feel. This is the login dialogue for the UT-Austin IdP.

14 Debugging Information Returned by UT-Austin IdP (screenshots: March 07, June 07)

15 UT-System Also Supports the ProtectNetwork IdP. ProtectNetwork offers both free LoA-1 identity and validated LoA-2 identity for $$. (One option for external, low-risk application users.)

16 TACC MICS Namespace Accommodates Multiple IdM/IdPs
- DC = edu; DC = utexas; DC = tacc
- O = UT-Austin; O = TACC MICS CA
- O = {IdM}; OU = {IdP}
- CN = {PERSON: firstname initial lastname{seq}}
- SubjectAltName = {PERSON: email address}
Based on feedback received during the meeting, all grid and RA information, if attached to the X.509 certificate, will reside in optional extensions. (18 Jul 07)

17 TACC CA Structure
- Off-line, self-signed Root CA is used only to sign subordinate CA CSRs (OpenCA).
- Subordinate CA private keys are protected by an HSM on the CA server (openssl and SafeNet cryptoki SDK).
- Hierarchy: TACC Root CA (off-line) signs the TACC Subordinate MICS CA (on-line) and the TACC Subordinate Classic CA (on-line).

18 TACC MICS Initial Registration
- Portal front-end already has general information about the user from UT-System Shibboleth
  – General info: cn, eduPersonPrincipalName, address, email, phone
  – The need for good contact info is stronger than privacy, but public telephone directory info is used where possible
- Portlet front-end checks Name (cn) against the array of guaranteed-unique existing CNs
  – Results: no match (OK), OR send email to the Security Officer: "Identity Verification Followup Required!"
- CN is bound to one and only one individual
- CN can be used in both Classic and MICS certificates
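The registration checks on this slide, the eduPersonPrincipalName re-use check on the portal services slide, and the "firstname initial lastname{seq}" CN rule from the namespace slide, combined into one added example (not the portal's own code): an in-memory stand-in for the TAS table of unique CNs that binds a CN to exactly one person, flags a name collision for Security Officer follow-up, and flags an ePPN that arrives with a different person's contact details. Assumptions are labelled in the code: the "idm"/"idp" keys are hypothetical (the portal knows which federation and IdP authenticated the user), "two of three contact attributes must agree" is an assumed threshold, and the sequence numbering (first holder unsuffixed, later ones 2, 3, ...) is assumed; the attribute names cn, eduPersonPrincipalName, mail, telephoneNumber and postalAddress are the standard LDAP/eduPerson ones.

```python
import re

BASE_DN = '/DC=edu/DC=utexas/DC=tacc'   # namespace from the slides


def _norm(value):
    """Case-fold and drop punctuation/whitespace so '512-555-0100' == '(512) 555 0100'."""
    return re.sub(r'[^a-z0-9@]', '', (value or '').lower())


def cn_from_name(cn_attr):
    """'Jane Q. Doe' -> 'Jane Q Doe'; 'Jane Doe' -> 'Jane Doe' (first, middle initial, last)."""
    parts = cn_attr.split()
    if len(parts) < 2:
        raise ValueError('cn needs at least a given name and a surname: %r' % cn_attr)
    first, last = parts[0], parts[-1]
    if len(parts) > 2:
        return '%s %s %s' % (first, parts[1][0].upper(), last)
    return '%s %s' % (first, last)


class CnRegistry:
    """In-memory stand-in for the TAS table of guaranteed-unique CNs (hypothetical schema)."""
    FOLLOWUP = 'Identity Verification Followup Required!'

    def __init__(self):
        self.records = {}     # CN -> IdP attributes the CN is bound to
        self.cn_by_eppn = {}  # eduPersonPrincipalName -> CN

    @staticmethod
    def dn(attrs, cn):
        # O={IdM}; OU={IdP} per the namespace slide; 'idm'/'idp' keys are assumed.
        return '%s/O=%s/OU=%s/CN=%s' % (BASE_DN, attrs['idm'], attrs['idp'], cn)

    @staticmethod
    def same_person(stored, presented):
        # Assumed threshold: at least two of email, phone, postal address must agree,
        # so a changed phone number alone does not trigger follow-up.
        hits = 0
        for key in ('mail', 'telephoneNumber', 'postalAddress'):
            a, b = _norm(stored.get(key)), _norm(presented.get(key))
            if a and a == b:
                hits += 1
        return hits >= 2

    def register(self, attrs):
        """Return ('ok', DN) or ('followup', reason) for a Shibboleth-authenticated user."""
        eppn = attrs['eduPersonPrincipalName']
        if eppn in self.cn_by_eppn:
            cn = self.cn_by_eppn[eppn]
            if self.same_person(self.records[cn], attrs):
                return 'ok', self.dn(attrs, cn)
            # The IdM may have recycled the ePPN for somebody else: do not hand out the CN.
            return 'followup', 'eduPersonPrincipalName %s re-used for a different person' % eppn
        cn = cn_from_name(attrs['cn'])
        if cn in self.records:
            return 'followup', self.FOLLOWUP
        self._bind(cn, attrs)
        return 'ok', self.dn(attrs, cn)

    def approve(self, attrs):
        """Security Officer confirmed a distinct person: bind the next free '{seq}' CN.
        Assumed numbering: first holder has no suffix, later ones get 2, 3, ..."""
        base = cn_from_name(attrs['cn'])
        cn, seq = base, 2
        while cn in self.records:
            cn = '%s%d' % (base, seq)
            seq += 1
        self._bind(cn, attrs)
        return self.dn(attrs, cn)

    def _bind(self, cn, attrs):
        self.records[cn] = dict(attrs)
        self.cn_by_eppn[attrs['eduPersonPrincipalName']] = cn


if __name__ == '__main__':
    reg = CnRegistry()
    jane = {'cn': 'Jane Q. Doe', 'eduPersonPrincipalName': 'jqd@utexas.edu',
            'mail': 'jane.doe@utexas.edu', 'telephoneNumber': '512-555-0100',
            'postalAddress': '1 University Station, Austin TX',
            'idm': 'UT-System', 'idp': 'utexas.edu'}   # constructed sample person
    print(reg.register(jane))
```

The point of keying on the ePPN first is that the name check alone cannot tell a returning user from a namesake; the contact-attribute comparison is what catches an IdP that has reassigned an ePPN, which would otherwise let the new holder inherit a vetted CN.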

19 Same Initial Registration Tool for TACC Classic and TACC MICS CAs
- Both need the CN/DN uniqueness check
- Both follow the same vetting procedure under control of distributed RA personnel
- Both are integrated with the TACC TAS database that supports user management
- Only difference: the MICS CA can fill in some fields automatically from IdP attributes

20 Grix by Markus Binsteiner: TACC RA Interface Development in Progress
- Written in Java
- Standalone app works with GT4 (except for proxy renewal; GT4 bug?)
- Talks to VOMRS
- Talks to MyProxy 3.6
- Markus released the source code and can check/assist with mods for the TACC CAs

21 Vetting by Distributed RAs
- Web page lists RA Operators and contact info
- TACC can offer a web form to document ID and set up security questions and answers
- Amenable to f2f meeting (in person or by video), phone investigation, notarized documents, etc., until the RA is satisfied

22 Sidebar: Grix Facilitates Certificate Renewal
- APACGrid CA sends a reminder email to the user one month before the certificate expires
- User initiates renewal from Grix
- Mostly relevant to long-term certificates, but might consider using it for long-running jobs

23 Grix 'Get Grid Proxy': User Option 1 (screenshot)

24 Grix 'Get Grid Proxy': User Option 2 (screenshot)

25 Grix 'Destroy Grid Proxy' (screenshot)

26 Grix Supports MyProxy
http://grid.ncsa.uiuc.edu/myproxy/fromscratch.html
- MyProxy 3.8 adds OpenSSL engine support
- MyProxy 4.0 adds setup and management (but uses SimpleCA?)
- This will reside on its own front-end server?

27 Hardware Security Controls
- SafeNet ProtectServer Gold PCI HSM card
  – FIPS 140-2 Level 3 (Certificate 739, 26 Apr 2007)
- TACC installed FIPS-evaluated firmware and software
- Testing using command line tools was successful for multi-token operation in FIPS mode
- Application development underway
- Servers in a secure rack within a controlled-access computer room (logged access limited to Security Officers)
- Government-issue fireproof safe, also in the secure rack, contains TACC Root CA materials and backups
- Server containing the HSM is dedicated to CA functions
- Server is behind a working hardware firewall

28 Dedicated CA Server
- Contains a tamper-resistant PCI HSM
- Runs openssl, HSM command line utilities, libcthsm.so, libcryptoki.so, jcprov.jar
- TACC applications will handle PKCS#11
  – Link with '-L /opt/Eracom/lib' and use FIPS mode
  – Require authenticated login prior to key access
  – One token per application; two slots per token (1 for the CA key, 1 for the User key)
  – Use the KMU utility for key backup and restore
  – External keys are used with a key-encrypting key
  – Master (CA) key-encrypting key is stored on the HSM
  – Working (User) key is unwrapped prior to use and destroyed after
- MyProxy repository (on its own front-end server)

29 HSM Configuration
- Uses the FIPS Security Policy ("FIPS mode")
- Slot design
  – 1 required 'HSM Admin' slot
  – 1 User slot for CA key backup to SmartCard
  – 3 labeled User slots with application PINs: MICS CA; Classic CA; Root CA
- Secure memory = 4 MB (~2500 1024-bit key-pairs)
  – Keys only exist in clear in a slot on the HSM token
  – Application can "wrap" (encrypt) key-pairs for export
  – MICS key-pairs have a short lifetime (≤ 10.5 days)

30 Software Security Controls
- OS kept at the most current security patch level
- CA server timestamps synced with ntpd
- CA server runs only minimum OS services
- CA server runs shorewall (software firewall)
- Front-end and back-end portlets that talk to the CA are developed following security best practices
  – Now have a development portal server and a production portal server (provided by UT-System)
  – Portal prototype developed using Java 2 (JDK 1.5), GridSphere 3 and Tomcat 6

31 Event Logging
- CA server syslog (timestamped)
  – System startup and shutdown; device install and errors; service startup and shutdown
- HSM event logs (timestamped, in $ET_PTKC_LOGGER_FILE set in /etc/default/et_ptkc)
  – HSM tamper detect and device errors; slot operations; SO, Admin and User access
- ssh logs (timestamped, in /var/log/secure)
- Portal apache and tomcat access and error logs (timestamped)
- HW firewall quells DoS when stateful packet inspection detects that the rate of authentication attempts is above the threshold for an individual user
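The per-user authentication-rate threshold from the last bullet, applied to the ssh log in /var/log/secure, as an added example (not TACC's firewall configuration or code): a sliding-window detector over sshd "Failed password" lines that raises one alert per burst. The log excerpt is constructed (hostname, users and addresses are made up) and, since syslog lines carry no year, the year is assumed; the threshold of 5 failures in 60 seconds is an illustrative value, not one the slide gives.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed /var/log/secure excerpt: a 6-attempt burst against one account,
# a slow scan against 'root' spread over 12 minutes, and one isolated failure.
SAMPLE_SECURE_LOG = '''\
Jul 17 10:15:01 ca01 sshd[2345]: Failed password for marg from 10.0.0.5 port 4432 ssh2
Jul 17 10:15:03 ca01 sshd[2345]: Failed password for marg from 10.0.0.5 port 4432 ssh2
Jul 17 10:15:05 ca01 sshd[2345]: Failed password for marg from 10.0.0.5 port 4432 ssh2
Jul 17 10:15:07 ca01 sshd[2347]: Failed password for marg from 10.0.0.5 port 4433 ssh2
Jul 17 10:15:09 ca01 sshd[2347]: Failed password for marg from 10.0.0.5 port 4433 ssh2
Jul 17 10:15:11 ca01 sshd[2347]: Failed password for marg from 10.0.0.5 port 4433 ssh2
Jul 17 10:15:12 ca01 sshd[2349]: Accepted publickey for marg from 10.0.0.7 port 5010 ssh2
Jul 17 10:16:00 ca01 sshd[2350]: Failed password for invalid user root from 192.0.2.9 port 3022 ssh2
Jul 17 10:19:00 ca01 sshd[2351]: Failed password for invalid user root from 192.0.2.9 port 3023 ssh2
Jul 17 10:22:00 ca01 sshd[2352]: Failed password for invalid user root from 192.0.2.9 port 3024 ssh2
Jul 17 10:25:00 ca01 sshd[2353]: Failed password for invalid user root from 192.0.2.9 port 3025 ssh2
Jul 17 10:28:00 ca01 sshd[2354]: Failed password for invalid user root from 192.0.2.9 port 3026 ssh2
Jul 17 10:30:00 ca01 sshd[2360]: Failed password for alice from 10.0.0.8 port 4000 ssh2
Jul 17 10:30:05 ca01 sshd[2360]: pam_unix(sshd:session): session opened for user alice by (uid=0)
'''

LOG_YEAR = 2007  # syslog lines carry no year; assumed for this sample

_FAILED = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: '
    r'Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[0-9.]+) port \d+ ssh2$')


def parse_failures(lines):
    """Yield (timestamp, user, source ip) for every sshd password failure."""
    for line in lines:
        m = _FAILED.match(line)
        if m:
            ts = datetime.strptime(m.group('ts'), '%b %d %H:%M:%S').replace(year=LOG_YEAR)
            yield ts, m.group('user'), m.group('ip')


def detect_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Flag any user with >= threshold failed logins inside a sliding window.

    One alert is raised per burst and the window is reset afterwards, so a
    sustained attack produces one alert per `threshold` attempts rather than
    one per line. Counting is per user, as on the slide; a scan that spreads
    its attempts out beyond the window never accumulates enough to trip it.
    """
    recent = {}
    alerts = []
    for ts, user, ip in parse_failures(lines):
        dq = recent.setdefault(user, deque())
        while dq and dq[0][0] < ts - window:
            dq.popleft()
        dq.append((ts, ip))
        if len(dq) >= threshold:
            alerts.append({'user': user, 'count': len(dq), 'first': dq[0][0],
                           'last': ts, 'sources': sorted({src for _, src in dq})})
            dq.clear()
    return alerts


if __name__ == '__main__':
    for alert in detect_bursts(SAMPLE_SECURE_LOG.splitlines()):
        print(alert)
```

Note the failure mode the slow 'root' scan illustrates: a per-user rate threshold catches the burst but not a low-and-slow guess, so the firewall rule is a DoS control, not a substitute for the OTP and key-based logins the later slides describe.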

32 Disaster Recovery Procedures
- CA private keys securely exported from the HSM to SmartCard; stored in the Government-issue safe
- CA server uses the private keys and signs CSRs using tamper-resistant HSM functions
- HSM card is on maintenance, with a spare shipped overnight
- End entity certificates stored on the dedicated CA server in the HSM and in an SMS-protected file; periodically burned to CD-ROM and stored in the GSA safe
- Servers running Red Hat Linux are on hardware and software maintenance
- Security Officer logs in and uses OTP to apply vetted patches:
  – % sudo up2date -uv{f}

33 For More Information on the TACC MICS CA
Marg Murray, Ph.D., Research Associate, Advanced Computing Systems, Texas Advanced Computing Center, The University of Texas at Austin. marg@tacc.utexas.edu. J.J. Pickle Research Campus, 10100 Burnet Rd. (R8700), Austin, TX USA 78758-4497.
I gratefully acknowledge the contributions of Alan Sill (TTU), Paul Caskey (UT-System) and Markus Binsteiner (VPAC) to this project.

