NAREGI-CA Development of NAREGI-CA NAREGI-CA Software CP/CPS Audit

Slides:

Advertisements

Similar presentations

GridWorld 2006 Use of MyProxy for the FusionGrid Mary Thompson Monte Goode GridWorld 2006.

Advertisements

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.

MyProxy Jim Basney Senior Research Scientist NCSA

29 June 2006 GridSite Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.

MyProxy Guy Warner NeSC Training.

MyProxy: A Multi-Purpose Grid Authentication Service

Report on Attribute Certificates By Ganesh Godavari.

Federation of Campus PKI and Grid PKI for Academic GOC Management Conformable to APGrid PMA National Institute of Informatics, JAPAN Toshiyuki Kataoka,

National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.

Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.

08/11/908 WP2 e-NMR Grid deployment and operations Technical Review in Brussels, 8 th of December 2008 Marco Verlato.

Riccardo Bruno INFN.CT Sevilla, Sep 2007 The GENIUS Grid portal.

Grid security in NAREGI project NAREGI the Japanese national science grid project is doing research and development of grid middleware to create e- Science.

Grid security in NAREGI project July 19, 2006 National Institute of Informatics, Japan Shinichi Mineo APAN Grid-Middleware Workshop 2006.

GRID Centralized management of the Globus grid-mapfile Carlo Rocca INFN, Catania.

12-May-03D.P.Kelsey, SCG Online Authentication1 Online Authentication SCG Meeting EDG Barcelona, 12 May 2003 David Kelsey CCLRC/RAL, UK

INFSO-RI Enabling Grids for E-sciencE SA1: Cookbook (DSA1.7) Ian Bird CERN 18 January 2006.

NAREGI CA Updates Kento Aida NAREGI CA/NII Kento Aida, National Institute of Informatics APGrid PMA meeting 04/20/2008.

Grid Security Issues Shelestov Andrii Space Research Institute NASU-NSAU, Ukraine.

GILDA testbed GILDA Certification Authority GILDA Certification Authority User Support and Training Services in IGI IGI Site Administrators IGI Users IGI.

Using NMI Components in MGRID: A Campus Grid Infrastructure Andy Adamson Center for Information Technology Integration University of Michigan, USA.

Introduction of NAREGI-CA National Institute of Informatics JAPAN Toshiyuki Kataoka, July 19, 2006 APAN Grid-Middleware Workshop, Singapore.

Profile for Portal-based Credential Services (POCS) Yoshio Tanaka International Grid Trust Federation APGrid PMA AIST.

23-Oct-03D.P.Kelsey, LCG Security Update, HEPiX1 LCG Security Update HEPiX-HEPNT, TRIUMF, 23 October 2003 David Kelsey CCLRC/RAL, UK

NA-MIC National Alliance for Medical Image Computing UCSD: Engineering Core 2 Portal and Grid Infrastructure.

VO. VOMS 1. Authentication2. Credentials 3. Authentication Client Resource.

Getting started DIRAC Project. Outline  DIRAC information system  Documentation sources  DIRAC users and groups  Registration with DIRAC  Getting.

EGEE-II INFSO-RI Enabling Grids for E-sciencE The GILDA training infrastructure.

Next Steps: becoming users of the NGS Mike Mineter

Summary of AAAA Information David Kelsey Infrastructure Policy Group, Singapore, 15 Sep 2008.

25 April 2005NVO Team Meeting - Tucson1 Interoperable Authentication And Authorization for the VO T HE US N ATIONAL V IRTUAL O BSERVATORY Background: Single.

Glite. Architecture Applications have access both to Higher-level Grid Services and to Foundation Grid Middleware Higher-Level Grid Services are supposed.

National Computational Science National Center for Supercomputing Applications National Computational Science Integration of the MyProxy Online Credential.

DTI Mission – 29 June LCG Security Ian Neilson LCG Security Officer Grid Deployment Group CERN.

WLCG Authentication & Authorisation LHCOPN/LHCONE Rome, 29 April 2014 David Kelsey STFC/RAL.

0 NAREGI CA Status Report APGrid F2F meeting in Singapore June 4, 2007 Rumiko Masuko.

Open Science Grid Build a Grid Session Siddhartha E.S University of Florida.

JSPG Update David Kelsey MWSG, Zurich 31 Mar 2009.

12-Jun-03D.P.Kelsey, CA meeting1 CA meeting Minimum Requirements CERN, 12 June 2003 David Kelsey CCLRC/RAL, UK

The GRIDS Center, part of the NSF Middleware Initiative Grid Security Overview presented by Von Welch National Center for Supercomputing.

The Roadmap of NAREGI Security Services Masataka Kanamori NAREGI WP

7-May-03D.P.Kelsey, LCG-GDB-Security1 LCG/GDB Security Issues and Planning or Report from the Security Group CERN, 8 May 2003 David Kelsey CCLRC/RAL, UK.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI VOMS Proxy Lifetime UCB 21 Aug 2012 David Kelsey STFC.

DataGrid Security Wrapup Linda Cornwall 4 th March 2004.

Gilda certificates. Certification Authority

Academia Sinica Grid Computing Certification Authority F2F interview (Malaysia )

Antonio Fuentes RedIRIS Barcelona, 15 Abril 2008 The GENIUS Grid portal.

15-Jun-04D.P.Kelsey, LCG-GDB-Security1 LCG/GDB Security Update (Report from the LCG Security Group) CERN 15 June 2004 David Kelsey CCLRC/RAL, UK

Security Policy Update WLCG GDB CERN, 11 June 2008 David Kelsey STFC/RAL

New open source CA development as Grid research platform.

Regional Operations Centres Core infrastructure Centres

Authentication, Authorisation and Security

Guidelines for auditing Grid CAs

Technical Board Meeting, CNAF, 14 Feb. 2004

EGEE VO Management.

Grid Services Ouafa Bentaleb CERIST, Algeria

CRC exercises Not happy with the way the document for testbed architecture is progressing More a collection of contributions from the mware groups rather.

Organized by governmental sector (National Institute　of information )

THE STEPS TO MANAGE THE GRID

Installing a gLite VOMS Server

Update on EDG Security (VOMS)

Grid Security M. Jouvin / C. Loomis (LAL-Orsay)

From Prototype to Production Grid

Use of MyProxy for the FusionGrid

Grid Engine Diego Scardaci (INFN – Catania)

Grid Computing Software Interface

Presentation transcript:

EGEE/NAREGI Interoperability Meeting Security,Authenticaton,Authorization

NAREGI-CA Development of NAREGI-CA NAREGI-CA Software CP/CPS Audit To experiment the operation of PKI authentication service (CA server software and CP/CPS) for grid environment freely, we developed our own CA software. Software is availabe for anyone. http://www.naregi.org/download/index.html CP/CPS CA/RA policy and authentication service policy is developed to be satisfied with basic assurance level by GGF. https://www.naregi.org/ca/index.html Audit Auditing of Grid CAs is proposed at GGF13.

NAREGI-CA NAREGI PMA is established and CA Operation started. NAREGI PMA is Established. (June 17,2005) NAREGI CA joined the APGrid PMA. (July 26, 2005) NAREGI-CA Operation started. (Sep 1,2005) NAREGI CA has been approved as a production-level CA. (Nov. 7, 2005)

NAREGI-CA server components LDAP Server Collaborate with Grid Service, S/MIME, Group ware and so on. LDAP RA Server CA Server email certreq aienroll LCMP aicrlpub airad aicad enroll (apache CGI) HTTP WEB LCMP gridmapgen XKMS API LCMP email User CA management tools aica PKI utilities certview certconv CA Administrator

NAREGI Registration Sequence User site NAREGI site End user Host administrator CA Administrator Site Administrator (LRA) LicenseIDs Request Issue 1. Prepare LicenseIDs Telephone, Mail and so on. Certificate Request Issue a LicenseID 2. User registration Account Request Account Registration Might be face to face. Apply certificate operation 3. Submit a licenseID and request to issue a certificate 4. Request to revoke a certificate 5. Request to update a certificate Accept a user request (issue,revoke,update) RA Server Via command line or WEB (Online) Download a base grid-mapfile and generate mapfile for local site base grid-mapfile publish 6. grid-mapfile generation

NAREGI Middleware b components VOMS MyProxy VOMS Proxy Certificate MyProxy+ VOMS Proxy Certificate voms-myproxy-init User Management Server(UMS) VOMS Proxy Certificate User Private Key Information Service Client Environment Portal WFT PSE GVS VOMS Proxy Certificate SS client GridVM Super Scheduler NAREGI CA GridVM VOMS Proxy Certificate GridVM

VO and User Certificate Treatment gLite VOMS Server(Ver.1.3) is adopted for VO Management. (Is the upgrade needed to the latest version for the interoperation?) Some components call gLite Java API to obtain VO attribute from the certificate. “org.glite.security.utils” and “org.glite.security.voms” packages are used. User management server is used for the repository of the user certificates. Proxy certificates with VO attribute are issued through the NAREGI portal operations. This is experimantal and very simple implementation. It may be replaced to another implementation (e.g. PURSe)

VO and User Certificate Treatment NAREGI Middleware b has some restrictions for VO and proxy certificate treatment. Only VO name is used for the authentication(group,role and capability are not referred as authentication attribute) A user can belong to more than one VO, but a job can use one VO at the same time. Credential renewal for the long running jobs is not supported. NREGI Middleware b has been still testing. It will be released at next GGF.

Exchange VO and User account information Interoperation Scenario 1 VOb VO2 VOa VO1 Super Scheduler VO1,VO2,… VOa,VOb,… VOMS VOMS Exchange VO and User account information UMS, MyProxy Login-Machine Portal User User EGEE NAREGI

Interoperaton Scenario 1 Only the first step of interoperation Interoperation between different middlewares based on the same authentication information, which is the first fruit Discussion Common VO namespace Management and exchange of Information (VO、user account,…etc) How to generate and distribute grid-mapfile Beyond the Scenario1 Making a next model and scenario after realizing interoperations of Job Submission and Information Service