GGF15 Workshop MyProxy Integration with PubCookie Marty Humphrey*, Jim Jokl*, and Jim Basney** *Department of Computer Science, University of Virginia,

GGF15 Workshop
MyProxy Integration with PubCookie
Marty Humphrey*, Jim Jokl*, and Jim Basney**
*Department of Computer Science, University of Virginia, Charlottesville, VA
**NCSA/University of Illinois, Urbana-Champaign, IL
Supported by: NSF Next Generation Software (NSF NGS), NSF Middleware Initiative (NMI), San Diego Supercomputing Center

The Challenge
- I have a dream…
  - Opportunistically expand campus researchers’ local resources to “The Grid”
- [Security] Problem:
  - Relatively little of campus is PKI-enabled
  - Grid is (largely) PKI (GSI)
- Goal: Leverage existing site (campus) authentication infrastructure
- Approach: integrate PubCookie and MyProxy

PubCookie

PubCookie in Action (1)
[Diagram: End-User PC; Your IIS or Apache Web Server with Pubcookie Apache Module or ISAPI Filter; Campus Login Server. From Tom Jordon, UW-Madison]

PubCookie in Action (2)
[Diagram: same components. Label: "Authenticated to Central Login Server? -- Nope". From Tom Jordon, UW-Madison]

PubCookie in Action (3)
[Diagram: same components. Labels: "Redirect", "Login", "Logged In". From Tom Jordon, UW-Madison]

PubCookie in Action (4)
[Diagram: same components. Labels: "Redirect", "Logged In", "Authenticated to Central Login Server? -- Yep", "Access Allowed". From Tom Jordon, UW-Madison]

PubCookie in Action (5)
[Diagram: same components plus Another IIS or Apache Web Server with Pubcookie Apache Module or ISAPI Filter. Labels: "Logged In", "Authenticated to Central Login Server? -- Yep", "Access Allowed". From Tom Jordon, UW-Madison]

PubCookie/MyProxy Integration
[Diagram: Browser; Pubcookie Login Server; Campus Authentication Server; Pubcookie-enabled Application Server; MyProxy Server. Step labels: 8 (SSL), 9 (SSL), 10 Grid request]

Technical Details
- 3 main cookies involved in PubCookie
  - Granting cookie: “contains the authenticated username and some other items”
    - Granting cookie is signed by the PubCookie login server and encrypted with a symmetric key shared between app server and PubCookie login server
  - Login cookie: “scoped to the login server and will be used on any subsequent visits by the user to the login server”
    - Opaque to the client – only login server can decrypt
  - Session cookie: scoped to app server
- Problem: granting cookie does not persist

Software Development
- No mods to the MyProxy Client
  - Upload creds via normal mechanism
  - Presents the granting cookie in the “password” field
- Mods to MyProxy server to be able to decrypt and verify signature on pubcookie
- Mods to portal (uPortal) to keep the granting cookie
  - Issue: JSR 168 does not deal well with cookies
- Note: we cannot use the granting cookie as the password directly

Cleartext in MyProxy Server?
- Yes, in this instantiation
- We are not unique in this regard
- Alternative: Use the granting cookie as the basis to generate/retrieve user-specific [large] passphrase, like so….

PubCookie/MyProxy Integration
[Diagram: Browser; Pubcookie Login Server; Campus Authentication Server; Pubcookie-enabled Application Server; Password server; MyProxy Server. Step labels: 8, 9, 10 (SSL), 11 (SSL), 12 Grid request]
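The alternative from the "Cleartext in MyProxy Server?" slide, sketched as an added example that is not code from the slides, MyProxy or PubCookie: the granting cookie is verified and then used only to generate or retrieve a stable per-user passphrase. Assumptions: HMAC-SHA256 over a JSON body stands in for PubCookie's real signed and encrypted cookie format, and `make_cookie`, `verify_cookie`, `PasswordServer`, the username check and the 60-second lifetime are hypothetical.

```python
import base64, hashlib, hmac, json, secrets

# Constructed key standing in for the secret shared with the PubCookie login server.
LOGIN_SERVER_KEY = b"constructed-demo-key"
MAX_AGE = 60  # seconds; assumed lifetime of a granting cookie

def make_cookie(user, issued, key=LOGIN_SERVER_KEY):
    """Login-server side: constructed stand-in cookie, not PubCookie's wire format."""
    body = base64.urlsafe_b64encode(json.dumps({"user": user, "iat": issued}).encode())
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return (body + b"." + tag).decode()

def verify_cookie(cookie, claimed_user, now, key=LOGIN_SERVER_KEY):
    """Server side: return the authenticated username, or None if any check fails."""
    try:
        body, tag = cookie.encode().split(b".")
    except ValueError:
        return None  # not exactly one body and one tag
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        return None  # forged or modified; body is not parsed before this check
    fields = json.loads(base64.urlsafe_b64decode(body))
    if not 0 <= now - fields["iat"] <= MAX_AGE:
        return None  # stale: the granting cookie does not persist
    if fields["user"] != claimed_user:
        return None  # cookie was issued to a different user than the one requested
    return fields["user"]

class PasswordServer:
    """Stand-in for the 'Password server' box: one large random passphrase per user."""
    def __init__(self):
        self._store = {}

    def passphrase_for(self, cookie, claimed_user, now):
        user = verify_cookie(cookie, claimed_user, now)
        if user is None:
            raise PermissionError("granting cookie rejected")
        # Generated on first use, retrieved afterwards, so the passphrase
        # protecting the stored credential stays the same across logins
        # even though every login produces a different granting cookie.
        return self._store.setdefault(user, secrets.token_urlsafe(32))
```

Because the cookie changes on every login, it cannot itself be the passphrase; the lookup keyed on the verified username is what gives the credential a stable secret.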

Summary
- Integration of PubCookie with MyProxy reduces the number of passphrases
- Currently pushing mods to OGCE2 and MyProxy CVS
- Future
  - What about Shibboleth?