Presentation is loading. Please wait.

Presentation is loading. Please wait.

National Center for Supercomputing Applications MyProxy and GSISSH Update Von Welch National Center for Supercomputing Applications University of Illinois.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "National Center for Supercomputing Applications MyProxy and GSISSH Update Von Welch National Center for Supercomputing Applications University of Illinois."— Presentation transcript:

1 National Center for Supercomputing Applications MyProxy and GSISSH Update Von Welch National Center for Supercomputing Applications University of Illinois at Urbana-Champaign vwelch@ncsa.uiuc.edu

2 National Center for Supercomputing Applications MyProxy Logon Authenticate to retrieve PKI credentials –End Entity or Proxy Certificate –CA Certificates and Certificate Revocation Lists (CRLs) (http://myproxy.ncsa.uiuc.edu/trustroots) Maintains the user’s PKI context –Users don’t need to manage long-lived credentials –Enables server-side monitoring and policy enforcement (ex. passphrase quality checks) –CA certificates and CRLs updated automatically at login Integrates with existing authentication systems –Providing a gateway to grid authentication

3 National Center for Supercomputing Applications MyProxy CA Issues short-lived X.509 EECs Authentication via certificate, PAM, SASL/Kerberos, Pubcookie, VOMS –Including “renewal authentication” where trusted service authenticates and proves possession of user credential to get a new user credential Name mapping via mapfile, callout, and LDAP Certificate extensions specified by OpenSSL configuration file or callout http://myproxy.ncsa.uiuc.edu/ca

4 National Center for Supercomputing Applications MyProxy and IGTF SLCS Profile Recent modifications to MyProxy CA based on IGTF SLCS Profile recommendations: –Log all certificate requests –Archive all issued certificates –Use 1024 bit keys –Use SHA1 instead of MD5 –Set recommended certificate extensions NCSA SLCS undergoing TAGPMA review

5 National Center for Supercomputing Applications NCSA SLCS Architecture http://security.ncsa.uiuc.edu/CA/

6 National Center for Supercomputing Applications NCSA CA Architecture

7 National Center for Supercomputing Applications MyProxy OCSP Support Server checks certificate validity before performing delegation –Includes CRL and OCSP checks –Removes invalid credentials from repository Follows recommendations in OGF CAOPS “OCSP Requirements for Grids” Server can be configured to use: –OCSP responder in AIA extension –Trusted OCSP responder http://myproxy.ncsa.uiuc.edu/ocsp OCSP checking code contributed to Globus –http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=4788

8 National Center for Supercomputing Applications MyProxy and HSMs Prototypes –MyProxy repository keys protected by IBM 4758 –MyProxy CA key protected by Aladdin eToken MyProxy CA HSM support coming soon –To be deployed for NCSA SLCS –Using OpenSSL Engine interface –http://bugzilla.ncsa.uiuc.edu/show_bug.cgi?id=3 49

9 National Center for Supercomputing Applications MyProxy and VOMS MyProxy server now understands VOMS attributes for authorization –For example: services with “compute element” attribute can be authorized to renew credentials MyProxy developers worked with VOMS developers on GT4 compatibility issues –http://bugzilla.ncsa.uiuc.edu/show_bug.cgi?id=3 45 http://myproxy.ncsa.uiuc.edu/voms

10 National Center for Supercomputing Applications MyProxy Trust Provisioning MyProxy Logon can install/update trust roots in ~/.globus/certificates or $X509_CERT_DIR –CA certificates, signing policies, and CRLs –Improves client-side security via automated CA configuration and CRL updates Configuration managed by MyProxy server admin –Maintains up-to-date “master” certificates directory on server Future work –Bootstrap trust of myproxy-server certificate –Improved handling of expired CRLs –Java support http://myproxy.ncsa.uiuc.edu/trustroots

11 National Center for Supercomputing Applications MyProxy Server Fail-Over Clients try multiple server IP addresses Documentation for server replication –http://myproxy.ncsa.uiuc.edu/failover.html –myproxy-replicate tool for primary-backup repository replication –CA server replication by partition of serial number space

12 National Center for Supercomputing Applications External MyProxy Audit To be conducted by Jim Kupsch from UW-Madison Computer Sciences –Vulnerability Assessment of Grid Software Project led by Prof. Bart Miller –http://www.cs.wisc.edu/condor/CondorWeek200 6/presentations/kupsch_security.ppt March 7 kick-off meeting at NCSA

13 National Center for Supercomputing Applications GSI-OpenSSH Authorization GSI-OpenSSH 3.8 and later support Globus Authorization callouts –http://www.globus.org/security/callouts/ –Service name for callout is “ssh” –Tested with PRIMA/GUMS

14 National Center for Supercomputing Applications Java GSI-SSHTerm Java applet/application that combines MyProxy and GSISSH functionality –Developed by UK NGS, NRC Canada, … –http://sourceforge.net/projects/gsi-sshterm/ Customized for TeraGrid –http://grid.ncsa.uiuc.edu/gsi-sshterm/

15 National Center for Supercomputing Applications MyProxy and GSISSH on TeraGrid All TG users assigned a TERAGRID.ORG (Kerberos) username and password –Login to TeraGrid User Portal (https://portal.teragrid.org/) –Login to TeraGrid MyProxy CA to obtain a short- lived (NCSA) certificate All TG sites run GSI-OpenSSH servers –Single sign-on via Java GSI-SSHTerm –http://www.teragrid.org/userinfo/access/

Download ppt "National Center for Supercomputing Applications MyProxy and GSISSH Update Von Welch National Center for Supercomputing Applications University of Illinois."

Similar presentations

GridWorld 2006 Use of MyProxy for the FusionGrid Mary Thompson Monte Goode GridWorld 2006.

GridWorld 2006 Use of MyProxy for the FusionGrid Mary Thompson Monte Goode GridWorld 2006.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.
Scaling TeraGrid Access A Testbed for Attribute-based Authorization and Leveraging Campus Identity Management

Scaling TeraGrid Access A Testbed for Attribute-based Authorization and Leveraging Campus Identity Management
MyProxy Jim Basney Senior Research Scientist NCSA

MyProxy Jim Basney Senior Research Scientist NCSA
Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.
MyProxy: A Multi-Purpose Grid Authentication Service

MyProxy: A Multi-Purpose Grid Authentication Service
Deploying and Managing Active Directory Certificate Services

Deploying and Managing Active Directory Certificate Services
Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.

Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.
Jim Basney GSI Credential Management with MyProxy GGF8 Production Grid Management RG Workshop June.

Jim Basney GSI Credential Management with MyProxy GGF8 Production Grid Management RG Workshop June.
Grid Security. Typical Grid Scenario Users Resources.

Grid Security. Typical Grid Scenario Users Resources.
PKI Single Sign On & Auto Provisioning Frank Siebenlist (ANL) Rachana Ananthakrishnan (ANL) Charles Bacon (ANL)

PKI Single Sign On & Auto Provisioning Frank Siebenlist (ANL) Rachana Ananthakrishnan (ANL) Charles Bacon (ANL)
National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.

National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.

Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.
National Center for Supercomputing Applications University of Illinois at Urbana-Champaign This material is based upon work supported by the National Science.

National Center for Supercomputing Applications University of Illinois at Urbana-Champaign This material is based upon work supported by the National Science.
Federated Access to US CyberInfrastructure Jim Basney CILogon This material is based upon work supported by the National Science Foundation.

Federated Access to US CyberInfrastructure Jim Basney CILogon This material is based upon work supported by the National Science Foundation.
Use of Kerberos-Issued Certificates at Fermilab Kerberos  PKI Translation Matt Crawford & Dane Skow Fermilab.

Use of Kerberos-Issued Certificates at Fermilab Kerberos  PKI Translation Matt Crawford & Dane Skow Fermilab.
CN1276 Server Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+

CN1276 Server Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+
Single Sign-On for Java Web Start Applications Using MyProxy Terry Fleury, Jim Basney, and Von Welch November 3, 2006.

Single Sign-On for Java Web Start Applications Using MyProxy Terry Fleury, Jim Basney, and Von Welch November 3, 2006.
Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.

Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.

Similar presentations

Ads by Google