
TAGPMA Accreditation Review of TACC MICS CA Design and CP/CPS (Update) Marg Murray Advanced Computing Systems Group Texas Advanced Computing Center (TACC)

Presentation transcript:

1 TAGPMA Accreditation Review of TACC MICS CA Design and CP/CPS (Update)
Marg Murray, Advanced Computing Systems Group, Texas Advanced Computing Center (TACC)
17 July 2007 (revised)

2 Intro: TACC MICS CA Goals (TAGPMA F2F Banff, 17 Jul)
Leverage existing IdM infrastructures.
Simplify user credential acquisition and management.
Generate short-term X.509v3 end entity certificates for academic science and research users relevant to TACC's campus, state, national and international research projects.

3 First Candidate IdM: UT-System Shibboleth
Policy: Charter, Fees, Attributes, Federation Operating Procedures, Member Operating Procedures, LoA
Technology: 17 Identity Providers (IdPs), 1 per campus; 10 federated applications; 1 external vendor
Governance: IdM Governing Board (Technical Operations, Policy Mgmt, Audit, Dispute resolution)
https://www.utsystem.edu/IdentMgmt/UTsysFedApply.asp

4 U.T. System IdM Roadmap
[Roadmap diagram] Source: https://idm.utsystem.edu/IdentityMgmtpage4.pdf
Color Key: Complete; Current Development; In-Progress; Longer-term Future

5 Possible Future IdM Candidates … an evolving landscape
Bridged relationships arranged by the UT-System Federation
–Cross-certifying UT campus CAs with FBCA
University of Texas employs Verisign CAs
Texas A&M Shibboleth Federation?
Maybe Texas Tech?

6 UTShib IdM Integration into X.509 Certificate Workflow
CA
–Establish policies and procedures
–Process CSRs; sign certificates
RA
–Institution is authoritative (and responsible) for: phone directory (public) information; org status and entitlements
–Initial RA F2F meeting is authoritative for: project and allocation eligibility; VO membership

7 User and Relying Party Workflow
User
–Initial identity vetting with IdM and with RA
–Authenticated portal login before anything else
–"Request a short-term X.509 Certificate"
–Store cert somewhere (MyProxy server; HW token; web browser)
–Generate a proxy to enable mutual authentication & delegation
–Present proxy to perform grid tasks; access grid resources
Relying Party (relies on TACC CA, not directly on UT IdP)
–Load CA cert and signing policy
–Accept cert from requesting user
–Check expiration date and signature
–Map DN to account in grid-mapfile
–Honor user request
–Log access
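The relying-party steps on this slide, as an added example that is not code from the presentation or from TACC: the sample signing_policy (Globus format) and grid-mapfile are constructed, the CA DN is assumed from the namespace slide later in the deck, and signature-chain verification is assumed to be done by the GSI/TLS library before these checks run.

```python
import fnmatch
import re
from datetime import datetime

# Constructed sample inputs (not TACC's real files): a Globus-style
# signing_policy for the assumed CA DN, and a grid-mapfile of subject DNs.
SIGNING_POLICY = """\
access_id_CA   X509   '/DC=edu/DC=utexas/DC=tacc/O=UT-Austin/O=TACC MICS CA'
pos_rights     globus CA:sign
cond_subjects  globus '"/DC=edu/DC=utexas/DC=tacc/O=UT-Austin/O=TACC MICS CA/*"'
"""
GRID_MAPFILE = """\
# constructed example grid-mapfile
"/DC=edu/DC=utexas/DC=tacc/O=UT-Austin/O=TACC MICS CA/O=UT-System/OU=utexas.edu/CN=Jane Q Researcher" jqr
"/DC=edu/DC=utexas/DC=tacc/O=UT-Austin/O=TACC MICS CA/O=UT-System/OU=ttu.edu/CN=John R Smith" jrs,smithj
"""

def parse_signing_policy(text):
    """Return (CA DN, subject globs the CA is allowed to sign)."""
    ca_dn, globs = None, []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0] == "access_id_CA":
            ca_dn = parts[2].strip().strip("'")
        elif len(parts) == 3 and parts[0] == "cond_subjects":
            globs += re.findall(r'"([^"]*)"', parts[2])
    return ca_dn, globs

def parse_grid_mapfile(text):
    """Map each quoted subject DN to its comma-separated local accounts."""
    entries = {}
    for m in re.finditer(r'^\s*"([^"]+)"\s+(\S+)', text, re.MULTILINE):
        entries[m.group(1)] = m.group(2).split(",")
    return entries

def authorize(subject, issuer, not_after, now):
    """Relying-party checks from the slide (signature chain already verified
    by the transport layer): trusted issuer, subject inside the CA's signing
    namespace, unexpired, and mapped in the grid-mapfile. not_after and now
    are ISO-8601 strings. Returns the local account name or None."""
    ca_dn, globs = parse_signing_policy(SIGNING_POLICY)
    if issuer != ca_dn:
        return None                                   # not our CA
    if not any(fnmatch.fnmatchcase(subject, g) for g in globs):
        return None                                   # outside signing namespace
    if datetime.fromisoformat(not_after) <= datetime.fromisoformat(now):
        return None                                   # expired short-term cert
    accounts = parse_grid_mapfile(GRID_MAPFILE).get(subject)
    return accounts[0] if accounts else None          # no grid-mapfile entry
```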

8 TACC Member-Integrated CA Portal Services
AUTHENTICATE Identity
–Does IdP know this user based on in-person ID vetting (LoA)? If not in-person, user access to low-risk applications is OK, but no X.509 credential
–Query TACC Accounting System (TAS) DB for user context:
Can check that user answers security question set up at initial registration
Check for active projects, allocations, and VO membership and roles
Find user's unique Distinguished Name (CN+issuer) by querying CN list by eduPersonPrincipalName OR eduPersonTargetedID
Check that IdM is not re-using eduPersonPrincipalName by matching phone, address
Query VOMRS attribute server to verify user's VO membership and roles
Determine length of short-term certificate
–Enable "Get short-term X.509 cert" button
PROVIDE resulting short-term X.509 credential when user wants it

9 Grid Portal Authentication: Portal Account or Shibboleth
Both authentication methods are integrated with the underlying TACC TAS database.

10 UT-System Shibboleth WAYF Dialogue
User selects Identity Provider from pull-down menu

11 Authenticate with Home Identity Provider
Regular campus/IdP login. This one is for UT-System

12 Attributes Returned by UT-System IdP

13 Each IdP Presents Its Own Dialogue/Look and Feel
This is the login dialogue for the UT-Austin IdP

14 Debugging Information Returned by UT-Austin IdP (March 07; June 07)

15 UT-System Also Supports the ProtectNetwork IdP
ProtectNetwork offers both free LoA-1 identity and validated LoA-2 identity for $$. (One option for external, low-risk application users.)

16 TACC MICS Namespace Accommodates Multiple IdM/IdPs
DC = edu; DC = utexas; DC = tacc
O = UT-Austin; O = TACC MICS CA
O = {IdM}; OU = {IdP}
CN = {PERSON: firstname initial lastname{seq}}
SubjectAltName = {PERSON: address}
Based on feedback received during the meeting, all grid and RA information, if attached to the X.509 certificate, will reside in optional extensions. (18Jul07)

17 TACC CA Structure
Off-line self-signed Root CA generates only subordinate CA CSRs (signed by Root CA). (OpenCA)
Subordinate CA private keys protected by HSM on CA server. (openssl & SafeNet cryptoki SDK)
TACC Root CA (off-line)
TACC Subordinate MICS CA (on-line)
TACC Subordinate Classic CA (on-line)

18 TACC MICS Initial Registration
Portal front-end already has general information about user from UT-System Shibboleth
–General info: cn, eduPersonPrincipalName, address, phone
Need for good contact info is stronger than privacy, but public telephone directory info used where possible
Portlet front-end checks Name (cn) against array of guaranteed unique existing CNs
–Results: No match (OK) OR send to Security Officer "Identity Verification Followup Required!"
CN bound to one and only one individual
CN can be used in both Classic and MICS certificates
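The namespace on slide 16 and the CN uniqueness check on this slide, as an added example that is not code from the presentation or from TACC: the registry of existing CNs, the attribute names (givenName, middleName, sn, eduPersonPrincipalName, phone, idm, idp) and the use of the phone attribute for the eduPersonPrincipalName re-use check are assumptions; the {seq} suffix is left out.

```python
import re

# Issuer part of the namespace from slide 16; O={IdM} and OU={IdP} are filled
# from the IdP attributes at registration time.
BASE_DN = "/DC=edu/DC=utexas/DC=tacc/O=UT-Austin/O=TACC MICS CA"
FOLLOWUP = "Identity Verification Followup Required!"

# Constructed stand-in for the array of guaranteed-unique existing CNs:
# CN -> the one individual it is bound to (eppn plus contact data used for
# the "IdM is not re-using eduPersonPrincipalName" check from slide 8).
REGISTRY = {
    "Jane Q Researcher": {"eppn": "jqr@utexas.edu", "phone": "512-555-0100"},
}

def make_cn(given, middle, family):
    """CN = firstname initial lastname, with whitespace normalised."""
    initial = f" {middle[0].upper()}" if middle else ""
    return re.sub(r"\s+", " ", f"{given}{initial} {family}").strip()

def make_dn(idm, idp, cn):
    return f"{BASE_DN}/O={idm}/OU={idp}/CN={cn}"

def register(attrs, registry=REGISTRY):
    """Initial-registration decision for one IdP assertion.
    Returns ('new', dn), ('existing', dn) or ('followup', reason)."""
    cn = make_cn(attrs["givenName"], attrs.get("middleName", ""), attrs["sn"])
    dn = make_dn(attrs["idm"], attrs["idp"], cn)
    bound = registry.get(cn)
    if bound is None:                        # no match: bind CN to this person
        registry[cn] = {"eppn": attrs["eduPersonPrincipalName"],
                        "phone": attrs["phone"]}
        return ("new", dn)
    if bound["eppn"] != attrs["eduPersonPrincipalName"]:
        return ("followup", f"{FOLLOWUP} CN '{cn}' is bound to {bound['eppn']}")
    if bound["phone"] != attrs["phone"]:     # same eppn, different contact data
        return ("followup", f"{FOLLOWUP} possible eduPersonPrincipalName re-use for '{cn}'")
    return ("existing", dn)                  # same individual returning
```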

19 Same Initial Registration Tool for TACC Classic and TACC MICS CAs
Both need CN/DN uniqueness check
Both follow same vetting procedure under control of distributed RA personnel
Both are integrated with the TACC TAS database that supports user management
Only difference: MICS CA can fill in some fields automatically from IdP attributes.

20 Grix by Markus Binsteiner: TACC RA Interface Development in Progress
Written in Java
Standalone app works with GT4 (except for proxy renewal; GT4 bug?)
Talks to VOMRS
Talks to MyProxy 3.6
Markus released source code and can check/assist with mods for TACC CAs

21 Vetting by Distributed RAs
Web page lists RA Operators and contact info.
TACC can offer a web form to document ID and set up security questions & answers
Amenable to f2f meeting (in person or by video), phone investigation, notarized documents, etc. until RA is satisfied.

22 Sidebar: Grix Facilitates Certificate Renewal
APACGrid CA sends reminder to user one month before certificate expires.
User initiates renewal from Grix
Mostly relevant to long-term certificates, but might consider using it for long-running jobs.

23 Grix 'Get Grid Proxy': User Option 1

24 Grix 'Get Grid Proxy': User Option 2

25 Grix Destroy Grid Proxy

26 Grix Supports MyProxy
MyProxy 3.8 adds openssl engine support
MyProxy 4.0 adds setup and mgmt (but uses SimpleCA?). This will reside on its own front-end server?

27 Hardware Security Controls
SafeNet ProtectServer Gold PCI HSM card
–FIPS Level 3 (Certificate 739, 26 Apr 2007)
TACC installed FIPS evaluated firmware and software
Testing using command line tools was successful for multi-token operation in FIPS mode
Application development underway.
Servers in Secure Rack within controlled access computer room (logged access limited to Security Officers)
Government-issue fireproof safe also in Secure Rack contains TACC Root CA materials and backups
Server containing HSM is dedicated to CA functions
Server is behind a working hardware firewall

28 Dedicated CA Server
Contains tamper-proof PCI HSM
Runs openssl, HSM command line utilities, libcthsm.so, libcryptoki.so, jcprov.jar
TACC applications will handle PKCS#11
–Link with '-L /opt/Eracom/lib' and use FIPS mode
–Require authenticated login prior to key access
–One token per application; two slots per token (1 for CA key; 1 for User key)
–Use KMU utility for key backup and restore
–External keys used with key-encrypting-key
–Master (CA) key-encrypting-key stored on HSM
–Working (User) key unwrapped prior to use; destroyed after
MyProxy repository (on its own front-end server)

29 HSM Configuration
Uses FIPS Security Policy ("FIPS-mode")
Slot Design
–1 required 'HSM Admin' slot
–1 User slot for CA key backup to SmartCard
–3 labeled User slots with application PINs: MICS CA; Classic CA; Root CA
Secure memory = 4MB (~ b key-pairs)
–Keys only exist in clear in slot on HSM token.
–Application can "wrap" (encrypt) key-pairs for export
–MICS key-pairs have a short lifetime (≤ 10.5 days)

30 Software Security Controls
OS kept at most current security patch level
CA Server timestamps synced with ntpd
CA Server runs only minimum OS services
CA Server runs shorewall (software firewall)
Front-end and back-end portlets that talk to CA developed following security best practices
–Now have a development portal server and a production portal server (provided by UT-System)
–Portal prototype developed using Java 2 (JDK 1.5), GridSphere 3 and Tomcat 6

31 Event Logging
CA server syslog (timestamped)
–System startup & shutdown; device install and errors; service startup & shutdown
HSM event logs (timestamped in $ET_PTKC_LOGGER_FILE set in /etc/default/et_ptkc)
–HSM tamper detect and device errors; slot operations; SO, Admin and User access
ssh logs (timestamped in /var/log/secure)
Portal apache and tomcat access and error logs (timestamped)
HW firewall quells DoS when stateful packet inspection detects that rate of auth attempts is above threshold for an individual user.

32 Disaster Recovery Procedures
CA private keys securely exported from HSM to SmartCard; stored in Government-issue safe
CA server uses private keys and signs CSRs using tamper-proof HSM functions
HSM card is on maintenance with spare shipped overnight
End entity certificates stored on dedicated CA server in HSM and in SMS protected file. Periodically burned to CDROM; stored in GSA safe
Servers running RedHat Linux are on hardware and software maintenance. Security officer logs in and uses OTP to apply vetted patches:
–% sudo up2date -uv{f}

33 For More Information on TACC MICS CA
Marg Murray, Ph.D., Research Associate, Advanced Computing Systems
Texas Advanced Computing Center, The University of Texas at Austin
J.J. Pickle Research Campus, Burnet Rd. (R8700), Austin, TX USA
I gratefully acknowledge the contributions of Alan Sill (TTU), Paul Caskey (UT-System) and Markus Binsteiner (VPAC) to this project.

