DOE's PKI service for Grids (www.DOEGrids.org). Tony J. Genovese, Malaga, Spain, November 2003.

Presentation transcript:

1 DOE's PKI service for Grids. Tony J. Genovese, Malaga, Spain, November 2003

2 Outline
- Grids AuthN/AuthZ model
- International Grid Federation efforts
- DOEGrids Federation
- Experimental OCSP service

3 Grids AuthN/AuthZ
- Separate the two problems
- First focus on solving identity
  - Harmonize identity policies
  - Standards efforts: GGF, Grid PMA
  - Grid identity federations: EDG, Cross Grid, DOEGrids
  - Other federations: TERENA, EGEE, eInfrastructure?
- Authorization is still a research topic
  - Individual grids are developing their own policies
  - VOMS, proxy services

4 International Grid Federation
- Informal confederation
- Representatives from major Grid PMAs
  - European Data Grid and Cross Grid PMA
  - NCSA Alliance
  - DOEGrids PMA
  - NASA Information Power Grid
  - TERENA
  - Asian Pacific PMA
    - AIST, Japan
    - SDSC, USA
    - KISTI, Korea
    - BII, Singapore
    - Kasetsart Univ., Thailand
    - CAS, China

5 DOEGrids Federation
- Managed by multiple stakeholders
  - 15-member Policy Management Authority representing DOE and NSF
  - PMA responsible for the Certificate Policy and Certification Practice Statement
  - PMA manages the operator relationship
- Operator: ESnet at Lawrence Berkeley National Laboratory
- Peers with the European Data Grid PMA and the Cross Grid project
- 20+ Registration Authority Agents

6 DOEGrids community (chart; * includes certificates transitioned from DOESG)

7 DOEGrids usage (chart)

8 General PKI Service Architecture (diagram)
- ESnet Root CA; ESnet only signs subordinate CAs
- ESnet subordinate Certificate Authorities and proposed CAs:
  - DOEGrids (VO support)
  - Virtual Secure Card (SLAC)
  - K/X509 (FNAL)
  - NERSC NIM Integration
  - Integrated Site AuthN
- Certificate Authority links

9 DOEGrids Physical Security Architecture (diagram): vaulted Root CA

10 DOEGrids PKI roles
- Policy Management Authority
  - Manages PKI policies
- Security Officer
  - Manages PKI infrastructure
  - Responsible for implementing PKI policies
- Registration Authority
  - Represents VO on PMA
  - Responsible for identity vetting of VO members
- Registration Agent
  - Delegated identity vetting from RA
- Grid Administrator (new)
  - Delegated by Agent to issue Service Certificates

11 Grid Admin Server Cert Interface (flowchart)
1. Grid Admin role: provide a PKCS#10 server request and submit it
2. SSL client authentication using a DOEGrids CA certificate
   - failed: Authentication Error
   - successful: continue
3. Request validation and authorization process against the GridAdmin LDAP
   - not successful: Authorization Error
   - successful: issue server certificate
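The three decision points of the flowchart above (client authentication, Grid Admin lookup, and the check that the requested host is inside what the admin was delegated), as an added example that is not DOEGrids code. The GridAdmin LDAP is replaced by an in-memory dict, the DNs and delegated domains are constructed, and the PKCS#10 subject is assumed to have been parsed already by the CA software into a DN string whose CN is the service host's FQDN.

```python
"""Authorization logic for a Grid Admin server-certificate request.

Added example, not DOEGrids code. The GridAdmin LDAP is a dict, the DNs
and delegated host domains are constructed, and the CSR subject DN is
assumed to be already parsed (CN = service host FQDN).
"""
from dataclasses import dataclass

# DN of the issuing CA the TLS layer is assumed to have verified (constructed placeholder).
TRUSTED_ISSUER = "DC=org, DC=DOEGrids, OU=Certificate Authorities, CN=DOEGrids CA 1"

# Stand-in for the GridAdmin LDAP: authenticated client DN -> domains the admin
# has been delegated to request service certificates for (constructed).
GRIDADMIN_LDAP = {
    "DC=org, DC=DOEGrids, OU=People, CN=Alice Admin": ["grid.example-lab.gov"],
}


@dataclass
class Decision:
    status: str  # "issued", "authentication_error" or "authorization_error"
    reason: str


def parse_dn(dn):
    """Split 'k=v, k=v' into a dict; parts without '=' are ignored, later keys win."""
    out = {}
    for part in dn.split(","):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            out[k.strip()] = v.strip()
    return out


def host_in_scope(host, domains):
    """True if host equals a delegated domain or is a subdomain of one.
    The leading '.' in the suffix test stops 'notgrid.example-lab.gov'
    from matching a delegation for 'grid.example-lab.gov'."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in (x.lower() for x in domains))


def handle_server_cert_request(client_dn, client_issuer_dn, csr_subject_dn,
                               directory=GRIDADMIN_LDAP):
    # Step 1: SSL client authentication. No certificate, or one not issued by
    # the DOEGrids CA, is an authentication error before any lookup happens.
    if client_dn is None or client_issuer_dn != TRUSTED_ISSUER:
        return Decision("authentication_error",
                        "client certificate missing or not issued by the DOEGrids CA")
    # Step 2: the caller must hold the Grid Admin role in the directory.
    scope = directory.get(client_dn)
    if scope is None:
        return Decision("authorization_error", f"{client_dn} is not a registered Grid Admin")
    # Step 3: the requested service host must fall inside the delegated domains,
    # so an admin cannot obtain certificates for hosts they do not operate.
    host = parse_dn(csr_subject_dn).get("CN", "")
    if not host or not host_in_scope(host, scope):
        return Decision("authorization_error", f"{host!r} is outside delegated scope {scope}")
    return Decision("issued", f"server certificate issued for {host}")


if __name__ == "__main__":
    admin = "DC=org, DC=DOEGrids, OU=People, CN=Alice Admin"
    print(handle_server_cert_request(
        admin, TRUSTED_ISSUER,
        "DC=org, DC=DOEGrids, OU=Services, CN=gatekeeper.grid.example-lab.gov"))
```

The order matters: the issuer check runs before any directory lookup, so an unauthenticated caller learns nothing about who is registered, and the scope check keeps the "Grid Administrator (new)" role from slide 10 limited to the hosts it was delegated.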

12 Experimental OCSP service (diagram)
- Components: Machine A, Machine B, LDAP, OCSP Service, OCSP Admin Interface
- edg-fetch-crl-cron downloads all the CRLs listed on the EDG website into the /opt/edg/certificates folder
- postcrl_ocsp, for every CRL file (*.r0) under the /opt/edg/certificates folder:
  - checks whether the file is new
  - parses the CRL file and keeps only the base64-encoded CRL portion
  - applies URL encoding
  - posts this CRL data to the OCSP Service admin interface (SSL client authentication)
- edg-fetch-crl-cron and postcrl_ocsp are cron jobs that run every night
- All the CA certificates listed in table-ca.html (http://marianne.in2p3.fr/datagrid/ca/ca-table-ca.html) have been installed with the OCSP Service
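The nightly postcrl_ocsp steps from slide 12 (find *.r0 files, skip ones already posted, keep only the base64 CRL body, URL-encode it, build the post to the admin interface), as an added example that is not the project's script. Assumptions: the form field is named "crl", "is the file new" is decided by a content hash kept in a dict, the directory walk uses Python's standard library instead of a shell cron job, and SAMPLE_CRL is a constructed stand-in using the base64 alphabet, not a real CRL.

```python
"""CRL-to-OCSP posting step from the experimental OCSP slide.

Added example, not postcrl_ocsp itself. Scans a certificate directory for
*.r0 CRL files, skips files whose content was already posted, keeps only
the base64 body of the PEM CRL, URL-encodes it and builds the form body
for the admin interface. The field name 'crl', the hash-based "is it new"
check and SAMPLE_CRL are assumptions/constructed data.
"""
import hashlib
import os
import re
import tempfile
import urllib.parse

PEM_CRL = re.compile(r"-----BEGIN X509 CRL-----(.*?)-----END X509 CRL-----", re.S)

# Constructed sample: base64 alphabet only, not a real CRL.
SAMPLE_CRL = """-----BEGIN X509 CRL-----
MIIBConstructedSampleNotARealCRL0123456789+/ABCDEFGHIJKLMNOPQRSTUV
WXYZabcdefghijklmnopqrstuvwxyz==
-----END X509 CRL-----
"""


def extract_crl_base64(text):
    """Return the base64 body of the first PEM CRL block as one line, or None.
    Anything outside the markers (text headers, DER, a half-downloaded file) is dropped."""
    m = PEM_CRL.search(text)
    return "".join(m.group(1).split()) if m else None


def encode_for_post(b64):
    """URL-encode so '+', '/' and '=' survive application/x-www-form-urlencoded."""
    return urllib.parse.urlencode({"crl": b64})


def find_new_crls(cert_dir, seen):
    """Return [(path, post_body)] for every *.r0 whose content has not been posted yet.
    `seen` maps path -> sha256 of the last posted content and is updated in place."""
    out = []
    for name in sorted(os.listdir(cert_dir)):
        if not name.endswith(".r0"):          # hash.0 files are CA certs, not CRLs
            continue
        path = os.path.join(cert_dir, name)
        with open(path, "rb") as fh:
            raw = fh.read()
        digest = hashlib.sha256(raw).hexdigest()
        if seen.get(path) == digest:
            continue                          # same CRL as last night: nothing to post
        b64 = extract_crl_base64(raw.decode("ascii", "replace"))
        if b64 is None:
            continue                          # not PEM: never post garbage to the admin interface
        seen[path] = digest
        out.append((path, encode_for_post(b64)))
    return out


def demo():
    """Constructed end-to-end run in a temporary directory; returns
    (files posted on first run, files posted on second run, first post body)."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "abcd1234.r0"), "w") as fh:   # constructed hash name
            fh.write(SAMPLE_CRL)
        with open(os.path.join(d, "abcd1234.0"), "w") as fh:    # CA cert file, must be ignored
            fh.write("-----BEGIN CERTIFICATE-----\nnotacrl\n-----END CERTIFICATE-----\n")
        seen = {}
        first = find_new_crls(d, seen)
        second = find_new_crls(d, seen)
        return len(first), len(second), first[0][1] if first else None


if __name__ == "__main__":
    print(demo())
```

Two points for anyone reproducing the setup: the content-hash check stops the job from re-posting every CRL every night when nothing changed, and the example does not verify the CA's signature on the CRL before posting; an operator should do that against the installed CA certificate so a corrupted or substituted download cannot reach the OCSP responder.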