Presentation is loading. Please wait.

Presentation is loading. Please wait.

Large-scale issuing of host certs in a member-integrated or institutional CA environment.

Published byCody Wilcox Modified over 8 years ago

Similar presentations

Presentation on theme: "Large-scale issuing of host certs in a member-integrated or institutional CA environment."— Presentation transcript:

1 Large-scale issuing of host certs in a member-integrated or institutional CA environment

2 21 st EUGridPMA Utrecht meeting – Jan 2011 - 2 David Groep – davidg@eugridpma.org Initial use case  Centrally managed Large data centres  Example: CERN >> 10 000 systems  Institutional properties  operating (as an EIRO) an institutionally-embedded CA but could also be an automated RA for an external CA...  managed hosts in physically controlled environment  fully centralised configuration management Aim: provision host certs in a scalable and secure way

3 21 st EUGridPMA Utrecht meeting – Jan 2011 - 3 David Groep – davidg@eugridpma.org Simplified request flow

4 21 st EUGridPMA Utrecht meeting – Jan 2011 - 4 David Groep – davidg@eugridpma.org Workflow 1.New servers that are put into production in the CERN Computer Center will communicate with the Configuration Manager Servers and will signal that they require a host certificate. 2.After the validation of the requester Configuration Manager Servers will be able to request host certificates of the new template on behalf of the servers from step 1. Only those Configuration Manager Server possessing a valid Robot certificate will be able to do that. Robot certificates will be installed on them manually and following the standard through- the-website procedure. 3.The requests from step 2 will be securely sent to CERN CA using a special web service (not a website) 4.The reply from CERN CA will be sent to the Server from step 1.

5 21 st EUGridPMA Utrecht meeting – Jan 2011 - 5 David Groep – davidg@eugridpma.org Obvious pros and cons  With O(1000) requests, humans cannot accurately check them all for correctness: automated process reduces number of errors  Close integration with CA request process reduces number of points between admin  RA  CA  Automated processes can make errors as well, and very fast indeed  Identification of ‘new’ computer hardware is non-trivial  Humans are good at identifying oddities, making some attack modes harder to exploit

6 21 st EUGridPMA Utrecht meeting – Jan 2011 - 6 David Groep – davidg@eugridpma.org Proposal  Full discussion in January (Ljubljana)  extended description will be given by Alexey (CERN)  assess risks and opportunities  Needs description in CP/CPS  address attacks on CM servers (referring to the attacks on automated CAs recently, like Comodo, DigiNotar,...)  heuristics to mitigate risk (correlation with installments, domain checks, time-of-day, etc.)  identification of requesting machines? How can that be done? TPM, MAC, network,...  Case should be supported – scaling really needed!

Download ppt "Large-scale issuing of host certs in a member-integrated or institutional CA environment."

Similar presentations

By: Hassan Waqar.  A PROTOCOL for securely transmitting data via the internet.  NETWORK LAYER application.  Developed by NETSCAPE.

By: Hassan Waqar.  A PROTOCOL for securely transmitting data via the internet.  NETWORK LAYER application.  Developed by NETSCAPE.
1 REUNA Certificate Authority Juan Carlos Martínez REUNA Chile Rio de Janeiro,27/03/2006, F2F meeting, TAGPMA.

1 REUNA Certificate Authority Juan Carlos Martínez REUNA Chile Rio de Janeiro,27/03/2006, F2F meeting, TAGPMA.
EXTENDING TESTING INTO THE LAB Richard Fennell Engineering Director, Black Marble

EXTENDING TESTING INTO THE LAB Richard Fennell Engineering Director, Black Marble
CMSC 414 Computer (and Network) Security Lecture 16 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 16 Jonathan Katz.
CVE-2008-0166, lessons learned and actions David Groep, Nov 7 nd, 2008.

CVE , lessons learned and actions David Groep, Nov 7 nd, 2008.
Patching MIT SUS Services IS&T Network Infrastructure Services Team.

Patching MIT SUS Services IS&T Network Infrastructure Services Team.
Installing and Maintaining ISA Server. Planning an ISA Server Deployment Understand the current network infrastructure Review company security policies.

Installing and Maintaining ISA Server. Planning an ISA Server Deployment Understand the current network infrastructure Review company security policies.
IT:Network:Applications.  Single Key (Symmetric) encryption ◦ One “key” or passphrase used to encrypt and decrypt ◦ FAST – good for large amounts of.

IT:Network:Applications.  Single Key (Symmetric) encryption ◦ One “key” or passphrase used to encrypt and decrypt ◦ FAST – good for large amounts of.
Microsoft Windows 2003 Server. Client/Server Environment Many client computers connect to a server.

Microsoft Windows 2003 Server. Client/Server Environment Many client computers connect to a server.
Outline  Company Profile  Services Provided  Assets  System Schema  Risk Categories  Technical Risks and Mitigation  Summary.

Outline  Company Profile  Services Provided  Assets  System Schema  Risk Categories  Technical Risks and Mitigation  Summary.
LinuxUNIX Red HatSUSECentOSUbuntuDebianOracleAIXHP-UXSolaris Configuration Manager * * * * * * Endpoint Protection No Plans.

LinuxUNIX Red HatSUSECentOSUbuntuDebianOracleAIXHP-UXSolaris Configuration Manager * * * * * * Endpoint Protection No Plans.
Page 1 - © Richard L. Goldman Mainframe Networking ©Richard L. Goldman January 7, 2002.

Page 1 - © Richard L. Goldman Mainframe Networking ©Richard L. Goldman January 7, 2002.
Version 4.0. Objectives Describe how networks impact our daily lives. Describe the role of data networking in the human network. Identify the key components.

Version 4.0. Objectives Describe how networks impact our daily lives. Describe the role of data networking in the human network. Identify the key components.
CILogon OSG CA Mine Altunay Jim Basney TAGPMA Meeting Pittsburgh May 27, 2015.

CILogon OSG CA Mine Altunay Jim Basney TAGPMA Meeting Pittsburgh May 27, 2015.
NECTEC-GOC CA APGrid PMA face-to-face meeting. October, 15 2006 Sornthep Vannarat National Electronics and Computer Technology Center, Thailand.

NECTEC-GOC CA APGrid PMA face-to-face meeting. October, Sornthep Vannarat National Electronics and Computer Technology Center, Thailand.
Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®

Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®
NAREGI CA Updates Kento Aida NAREGI CA/NII Kento Aida, National Institute of Informatics APGrid PMA meeting 04/20/2008.

NAREGI CA Updates Kento Aida NAREGI CA/NII Kento Aida, National Institute of Informatics APGrid PMA meeting 04/20/2008.
WP4 Security and AA(A) issues For WP4: David Groep

WP4 Security and AA(A) issues For WP4: David Groep
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 22 – Internet Authentication.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 22 – Internet Authentication.
Chapter 23 Internet Authentication Applications Kerberos Overview Initially developed at MIT Software utility available in both the public domain and.

Chapter 23 Internet Authentication Applications Kerberos Overview Initially developed at MIT Software utility available in both the public domain and.

Similar presentations

Ads by Google