National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.

Presentation transcript:

National Center for Supercomputing Applications
Integrating MyProxy with Site Authentication
Jim Basney, Senior Research Scientist
National Center for Supercomputing Applications, University of Illinois at Urbana-Champaign

MyProxy
A service for obtaining X.509 PKI credentials
  – A combined credential repository and certificate authority
An Online Credential Repository
  – Issues short-lived X.509 Proxy Certificates
  – Long-lived private keys never leave the MyProxy server
An Online Certificate Authority
  – Issues short-lived X.509 End Entity Certificates
Supporting multiple authentication methods
  – Passphrase, Certificate, PAM, SASL, Kerberos
Open Source Software
  – Included in Globus Toolkit 4.0

MyProxy Logon
Authenticate to retrieve PKI credentials
  – End Entity or Proxy Certificate
  – Trusted CA Certificates
  – Certificate Revocation Lists
MyProxy maintains the user’s PKI context
  – Users don’t need to manage long-lived credentials
  – Enables server-side monitoring and policy enforcement (for example: passphrase quality checks)
  – CA certificates and CRLs updated automatically at login

MyProxy Online Credential Repository
Stores X.509 End Entity and Proxy credentials
  – Private keys encrypted with user-chosen passphrases
  – Credentials may be stored directly by user/administrator or via proxy delegation protocol
  – Users can store multiple credentials from different CAs
Access to credentials controlled by user and administrator policies
  – Set authentication requirements
  – Control whether credentials can be retrieved directly or if only proxy delegation is allowed
  – Restrict lifetime of retrieved proxy credentials

MyProxy and Grid Portals

User Registration Portals
PURSE: Portal-based User Registration Service
GAMA: Grid Account Management Architecture
ESG

MyProxy Online Certificate Authority
Issues short-lived X.509 End Entity Certificates
  – Leverages MyProxy authentication mechanisms
  – Compatible with existing MyProxy clients
Ties in to site authentication and accounting
  – Using PAM and/or Kerberos authentication
  – “Gridmap” file maps usernames to certificate subjects
Avoids the need for long-lived user keys
Server can function as both CA and repository
  – Issues a certificate if no credentials for the user are stored
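The repository policy controls from the Online Credential Repository slide and the Online CA settings from this slide come together in the server configuration. The fragment below is an added example, not material from the presentation; the file paths, the CA key location and the sample subject DN are constructed placeholders for an assumed site.

```conf
# /etc/myproxy-server.config (added example; paths and DN are placeholders)

# --- Repository policy: user and administrator controls ---
# Which credentials users may store here, and who may retrieve them.
accepted_credentials    "*"
authorized_retrievers   "*"
# Cap the lifetime of any proxy the repository delegates, in seconds
# (43200 = 12 hours), whatever lifetime the client requests.
max_proxy_lifetime      43200

# --- Online CA for users who have nothing stored ---
# With an issuer certificate and key configured, the server acts as both
# repository and CA: a user who authenticates (via PAM or a Kerberos
# ticket, say) but has no stored credential receives a freshly issued
# short-lived End Entity Certificate instead of a retrieval failure.
certificate_issuer_cert "/etc/grid-security/myproxy/ca-cert.pem"
certificate_issuer_key  "/etc/grid-security/myproxy/ca-key.pem"
# Gridmap-format file. The CA looks the authenticated username up here to
# find the subject DN to place in the new certificate; a user with no
# entry is refused a certificate, which is the intended failure mode.
certificate_mapfile     "/etc/grid-security/grid-mapfile"
# Maximum lifetime of issued certificates, in hours.
max_cert_lifetime       12

# --- /etc/grid-security/grid-mapfile (one constructed entry) ---
# Format: quoted certificate subject, then the local username it maps to.
# "/DC=org/DC=example/O=Example Site/CN=Jane Doe" jdoe
```

Because the map file is the only link between a site account and a certificate subject, changes to it deserve the same review as changes to the CA key itself.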

Pluggable Authentication Modules
Flexible, standard authentication mechanism
  – Specified by DCE RFC 86.0
  – Supported by Unix/Linux vendors
Many available modules:
  – Authentication: Unix Password, One Time Password, RADIUS, Kerberos, AFS, LDAP, SQL, SMB, NetWare
  – Access Control: Access, Deny, Filter, Tally, Time
MyProxy server PAM support
  – Configure PAM authentication as sufficient or required
  – Create standard PAM configuration file for MyProxy
  – Compatible with existing MyProxy clients

Simple Authentication and Security Layer
Authentication protocol framework
  – Specified by IETF RFC 2222
  – Used by LDAP, POP, and IMAP
Supports multiple mechanisms:
  – PLAIN, DIGEST-MD5, GSSAPI, NTLM
MyProxy support:
  – Configure available mechanisms for client and server
  – Tested with GSSAPI (Kerberos) and PLAIN
Use Kerberos ticket to obtain PKI credentials from MyProxy
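The PAM and SASL slides above describe the two site-authentication hooks; the fragments below show one way to wire both into a MyProxy server. They are an added example, not configuration from the presentation: the PAM service name, the contents of the PAM stack file and the Cyrus SASL application config path are assumptions about a particular install.

```conf
# --- /etc/myproxy-server.config: PAM and SASL section (added example) ---

# PAM: hand the passphrase the client sends to the site's PAM stack.
#   "sufficient": a PAM success completes authentication by itself; on a
#                 PAM failure the server falls back to the passphrase
#                 stored with the user's own credential, if there is one.
#   "required":   PAM must succeed on every logon.
# "sufficient" keeps existing passphrase users working during rollout;
# move to "required" once everyone is on site passwords, so that a
# repository passphrase alone can no longer unlock a credential.
pam     "sufficient"
# PAM service name, i.e. the stack file consulted under /etc/pam.d/
# (assumed name).
pam_id  "myproxy"

# SASL: accept GSSAPI so a user holding a site Kerberos ticket obtains
# PKI credentials without typing any passphrase at all.
sasl    "sufficient"

# --- /etc/pam.d/myproxy (standard Linux-PAM syntax) ---
# Any of the modules the slide lists (one-time password, RADIUS, LDAP,
# Kerberos, Tally, Time) can replace or precede pam_unix here without
# touching the MyProxy clients.
# auth     required   pam_unix.so
# account  required   pam_unix.so

# --- Cyrus SASL application config for the server ---
# (assumed path /etc/sasl2/myproxy.conf). Only GSSAPI is enabled here;
# PLAIN, which the slide also lists, would add a second password path.
# mech_list: GSSAPI
```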

Conclusion
MyProxy leverages site authentication
  – Using PAM and SASL to obtain PKI session credentials
MyProxy eases credential distribution
  – User Registration Portals provide an interface for loading credentials into MyProxy
  – Online CA distributes credentials using existing MyProxy clients and authentication methods
For more information: –