ESnet RAF and eduroam™
Tony J. Genovese, ATF Team, ESnet/Lawrence Berkeley National Laboratory


Slide 3: ATF Overview
- Authentication services for DOE Office of Science projects, including international collaborations, computational Grids, the ESnet community, and ESnet internal use
- Primarily focused on the Office of Science community
- ATF's principal service is a set of certificate authorities (CAs)
- Policy is driven completely by the needs of the science community
- Facilitating several trust federations to enable interoperable science Grids – Policy Management Authorities:
  - the IGTF – International Grid Trust Federation
  - the Americas "regional" policy management authority – TAGPMA
- ATF also pilots new technology and new policy systems, and develops project proposals in collaboration with other partners

Slide 4: Authentication and Trust Federation Team
- 3 FTEs plus heavy support from ESnet UNIX services
- Plus additional support from network engineering, services, and Windows support
- Roles:
  - CA Operator
  - Developer
  - Federation Liaison
  - Product Manager (community outreach)
  - Specialized system administration
  - PMA chairman / member
  - Contributor to community best practices/standards efforts
- All team members have cross-trained to ensure continuity.

Slide 5: PKI Certificate Authorities Overview (diagram labels)
- ESnet Root CA – only signs subordinate CAs
- ESnet subordinate Certificate Authorities and Services:
  - DOEGrids
  - FUSION (Credential Store)
  - ESnet SSL/TLS
- Future: co-hosting OCSP Service; NERSC Site – NIM Integration

Slide 6: PKI Security Environment (diagram labels)
- Offline Vaulted Root CA
- Internet – Firewall – Intrusion Detection – Grid User
- Secure Data Center: Hardware Security Modules (HSM), access-controlled racks, PKI Systems, Secure VLAN
- Building Security; LBNL Site security

Slide 7: DOEGrids CA Usage Statistics (report as of Jun 15, 2005)

  User Certificates                       1999
  Host & Service Certificates             3461
  Total No. of Certificates               5479
  Total No. of Requests                   7006
  ESnet SSL Server CA Certificates          38
  DOEGrids CA 2 CA Certificates (NERSC)     15
  Fusion GRID CA certificates               76

Slide 8: RAF, eduroam™ and Internet2 interconnects (diagram labels)
- eduroam™ – TERENA, NL
- eduroam US – Internet2; UTK
- ESnet RAF – ESnet sites: LBNL, ORNL, PPNL, ANL, NERSC
- Interconnecting with eduroam™ at UTK
- Interconnect Grid realms at TERENA
- ESnet possible secondary route for eduroam™
- Grid realms: DOEGrids, MyProxy, Crypto Card, Secure ID, Aladdin Smart Card

Slide 9: Grid eduroam™ Experiment – Phase 0
- Use Infoblox loaded with IGTF root certificates
- EAP/TLS strong authentication based on Grid identity certs
- eduroam™ authorization attributes – eduroam™ defines
- TACAR or EUGridPMA repository as trust anchor
- IGTF OCSP experimental service – GGF defining the service
- Interconnect to eduroam™ at UTK
- Grid top-level interconnect:
  - TERENA – Root
  - ESnet
  - Grid PMAs: EU Grid PMA, AP Grid PMA and TAGPMA
- User experience: local site dependency
  - eduroam™ defines
  - Each site controls how it exposes or provides a service to the community.
- Develop Federation document set
  - Based on GGF documents plus eduroam™ policies

Slide 10: Next Phases
- Phase 1
  - Add Authorization Schema
  - Phase 0 plus LDAP server
- Phase 2
  - Add Virtual Organization Management System
    - Shibboleth
    - GGF – GridShib or other?
    - TF-EMC2
  - Phase 0 plus VOMS servers
- Phase 3 – production hardening
  - Implement our community's selected solution – or ?

Slide 11: ESnet RAF Experiment systems (diagram labels)
- RAF radius appliance
- LDAP User Account DB (phase 1+)
- Grid Interconnect – TERENA
- eduroam™ Internet2 Interconnect
- Possible eduroam™ backup route
- Cisco Catalyst 4000 – EAPOL test bed
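The routing decision a RAF RADIUS appliance has to make for each Access-Request in a topology like slides 8 and 11 (site realms served locally, Grid realms sent to the TERENA Grid interconnect, everything else to eduroam US with the backup route from slide 11), as an added example that is not ESnet's code. The realm names, server names and sample NAIs are constructed, and deriving a realm from a Grid certificate's DC components (slide 9's EAP-TLS identities) is an assumed design choice the slides do not specify.

```python
"""Realm-based RADIUS proxy routing for a federation shaped like the ESnet RAF
diagrams. Added example, not ESnet's code: realm names, server names and NAIs
are constructed; the DN-to-realm mapping is an assumed design choice."""
from typing import Optional, Tuple

# Constructed routing table modelled on slide 8: site realms are served locally,
# Grid realms go to the TERENA Grid interconnect, everything else to eduroam US.
SITE_REALMS = {"lbl.gov": "radius.lbl.example", "nersc.gov": "radius.nersc.example",
               "ornl.gov": "radius.ornl.example", "anl.gov": "radius.anl.example"}
GRID_REALMS = {"doegrids.org", "fusiongrid.example"}
ROUTES = {  # (primary, backup); slide 11's "possible eduroam backup route" is the backup
    "grid": ("grid-interconnect.terena.example", None),
    "eduroam": ("eduroam-us.internet2.example", "eduroam.terena.example"),
}

def split_nai(user_name: str) -> Optional[Tuple[str, str]]:
    """Parse an RFC 4282 NAI (user@realm). Returns None for a missing/empty realm
    or more than one '@', which a federation proxy must reject rather than guess."""
    if user_name.count("@") != 1:
        return None
    user, realm = user_name.split("@")
    if not user or not realm or realm.startswith(".") or realm.endswith("."):
        return None
    return user, realm.lower()

def realm_from_grid_dn(subject_dn: str) -> Optional[str]:
    """Derive a realm from a Grid identity cert's DC components (slide 9 EAP-TLS),
    e.g. '/DC=org/DC=DOEGrids/OU=People/CN=...' -> 'doegrids.org'. Assumed mapping."""
    dcs = [p[3:] for p in subject_dn.split("/") if p.startswith("DC=")]
    return ".".join(reversed(dcs)).lower() if dcs else None

def route_request(user_name: str, hops: int = 0, max_hops: int = 4,
                  down: Tuple[str, ...] = ()) -> Tuple[str, str]:
    """Decide ('local'|'proxy'|'reject', target-or-reason) for one Access-Request.
    'hops' is the Proxy-State count, used to break forwarding loops between proxies."""
    if hops >= max_hops:
        return "reject", "proxy loop suspected"
    parsed = split_nai(user_name)
    if parsed is None:
        return "reject", "malformed NAI"
    _, realm = parsed
    for site, server in SITE_REALMS.items():       # exact or sub-realm match
        if realm == site or realm.endswith("." + site):
            return "local", server
    primary, backup = ROUTES["grid" if realm in GRID_REALMS else "eduroam"]
    if primary not in down:
        return "proxy", primary
    return ("proxy", backup) if backup else ("reject", "no route to realm")
```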
