CERN IT Department, CH-1211 Geneva 23, Switzerland, www.cern.ch/it, OIS (Operating Systems & Information Services)
Presentation transcript:

CERN STS IOTA CA
Paolo Tedesco, CERN - IT/OIS
35th EUGridPMA meeting, Berlin 09/2015

Background: WebFTS
Web based tool to transfer files between grid/cloud storages
– Protocols: gsiftp, https, xrootd and srm
– Cloud extensions: dropbox, CERNBox
Based on FTS3
– Low-level data movement service
– Moves LHC data across WLCG infrastructure
– Allows participating sites to control usage of network resources
– 20PB per month (max: 2PB/day) transfer volume
CERN STS IOTA CA – 35th EUGridPMA meeting, Amsterdam

Importance of WebFTS
WebFTS provides a service accessing the grid on users' behalf
– From a browser
– With full VOMS credentials
WebFTS needs the user's certificate and private key to access the grid

Goal
Allow WLCG services to access the grid
– On behalf of the user
– Without X.509 certificate delegation
Solution:
– Users use EduGAIN credentials (no certificates)
– Application gets proxy certificate for grid authentication

Current prototype
Current working prototype based on "internal" CA
-> Must move to accredited CA
Diagram: WebFTS, CA and Grid Storage Element; EduGAIN credentials -> get proxy certificate -> access grid with proxy

IdP-dependent assurance
Problem: assurance level very IdP-dependent
– No consistent identity information
Solution: combine federated authentication with LHC VOMS data
– VO membership linked to CERN HR database
– Physical presence required for registration -> very high assurance level

No unique identity
Problem: no guarantee that an identity is uniquely assigned to a single user
Solution: restrict access to IdPs providing a federation-wide unique identifier for each user
– eduPersonPrincipalName

Architecture (diagram)
1: Browser -> WebFTS
2: Auth -> EduGAIN IdP / CERN SSO
3: SAML assertion (eduPersonPrincipalName) -> WebFTS
4: WebFTS -> Security Token Service for WebFTS (CERN LCG IOTA CA): get proxy for user in VO
– 1: get user data (LHC VOMS)
– 2: get proxy signing certificate (PKI Service)
– 3: generate proxy
5: WebFTS -> Grid Storage Element: access Grid
Proxy is requested for the user in the context of a VO
STS service access restricted on service (WebFTS) and VO base (ATLAS)

CERN LHC IOTA CA
CA infrastructure consists of
– PKI Service
– STS Services (one per client)
PKI Service:
– Issues certificates only to STS
– Issues CRLs
STS Service:
– Issues certificates (proxies) to client applications
– Enforces restrictions on VO membership
– Enforces restriction on unique user ID
Diagram: CERN LCG IOTA CA = PKI Service + Security Token Services

Certificate formats
Intermediate certificates
– CN=Unique ID,O=Organization,O=Grid,O=STS
– Valid 48 hours
– Not reused (this could change in the future)
– O=Grid,O=STS used to avoid any possible name clash
Proxy certificates
– CN=Unique ID,O=Organization,O=VO,O=Grid,O=STS
– Valid 48 hours
– Contain VOMS extensions for user
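The STS decision described in the architecture, CA-infrastructure and certificate-format slides above, as an added Python model that is not CERN's code: it applies the service/VO restriction, the unique-identifier check and the VO-membership check, then builds the intermediate and proxy subjects with the 48-hour validity from the slides. It assumes eduPersonPrincipalName is used as the Unique ID and that O=Organization comes from the ePPN scope or an "o" attribute; the VOMS table and FQAN strings are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

LIFETIME = timedelta(hours=48)  # intermediate and proxy are both valid 48 hours

# Constructed stand-in for the LHC VOMS data the STS consults:
# unique user id -> {VO: [VOMS FQANs to put in the proxy]}.
VOMS_TABLE = {
    "jdoe@example.org": {"atlas": ["/atlas/Role=NULL/Capability=NULL"]},
    "asmith@example.org": {"cms": ["/cms/Role=NULL/Capability=NULL"]},
}

# STS access is restricted per client service and VO (currently WebFTS / ATLAS).
ALLOWED = {("webfts", "atlas")}


@dataclass
class Proxy:
    intermediate_dn: str   # CN=Unique ID,O=Organization,O=Grid,O=STS
    proxy_dn: str          # CN=Unique ID,O=Organization,O=VO,O=Grid,O=STS
    not_before: datetime
    not_after: datetime
    voms_fqans: list


def issue_proxy(service, vo, saml_attrs, now=None):
    """Apply the STS checks to a SAML attribute set; return the proxy or raise."""
    if (service, vo) not in ALLOWED:
        raise PermissionError(f"{service} may not request proxies for VO {vo}")
    # Unique-identity check: only IdPs releasing eduPersonPrincipalName are
    # accepted; the value serves as the Unique ID in the subjects (assumption).
    eppn = saml_attrs.get("eduPersonPrincipalName")
    if not eppn or "@" not in eppn:
        raise PermissionError("IdP did not release a federation-wide unique identifier")
    # VO-membership check against the VOMS data (linked to the CERN HR database).
    fqans = VOMS_TABLE.get(eppn, {}).get(vo)
    if not fqans:
        raise PermissionError(f"{eppn} is not a member of VO {vo}")
    # O=Organization: the IdP's "o" attribute if present (name assumed for the
    # example), otherwise the scope part of the ePPN.
    org = saml_attrs.get("o", eppn.split("@", 1)[1])
    now = now or datetime.now(timezone.utc)
    return Proxy(
        intermediate_dn=f"CN={eppn},O={org},O=Grid,O=STS",
        proxy_dn=f"CN={eppn},O={org},O={vo},O=Grid,O=STS",
        not_before=now,
        not_after=now + LIFETIME,
        voms_fqans=list(fqans),
    )
```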

Current status
CP/CPS document available for review
– Please send comments
PKI service under construction
– Setup similar to other CERN authorities
– STS service will only need re-configuration
Currently WebFTS is the only real use case, and ATLAS the only VO to be supported
-> We need to build an "accredited" pilot to encourage adoption from other client applications and VOs