CILogon OSG CA Mine Altunay Jim Basney TAGPMA Meeting Pittsburgh May 27, 2015.


Slide 2: Need for Another CA
OSG has always run its own Registration Authority and has collaborated with various CA operators, such as DOEGrids CA and DigiCert CA. OSG now forms a new collaboration with XSEDE:
- The CILogon team will provide the CA services. CILogon already provides CA services for various communities.
- OSG will continue to run its RA service.

Slide 3: Need For Another CA
Not a drastic change in OSG's operations or architecture. The marginal cost is small. The motivators for the change are the synergies between the two projects:
- OSG and XSEDE already provide these services. Adding a new CILogon OSG CA instance is not costly.
- Sharing resources and conserving our funding.

Slide 4: Familiar CA architecture
[Diagram: the same architecture we had with DigiCert and DOEGrids. The Subscriber registers with the OSG RA (OIM Server), which creates an account and a ticket assigned to an RA Agent; the RA Agent works with a Sponsor in the VO to verify identity; the CA then issues the certificate to the Subscriber.]

Slide 5: Familiar Identity Vetting Process
The same identity vetting process we used with the DigiCert and DOEGrids CAs. The OSG Registration Authority is staffed and operated by the OSG Operations Center (GOC) at Indiana University. The OSG Information Management (OIM) system provides the services and the user interface for the OSG RA to perform its job. Subscribers go to the OIM website for any certificate-related business. The OSG RA authenticates certificate requests in collaboration with the Virtual Organizations that are members of the OSG Consortium. The OSG Council vets all member VOs and determines membership status. Each VO Manager is registered with the OSG Information Management System.

Slide 6: Familiar Identity Vetting Process
Currently, there are 93 VOs registered. Each VO's management identifies a list of RA Agents and Sponsors within its VO. There are a few RA Agents per VO. Sponsors are located at the institutions where the users are. The names of authorized personnel and their contact information are recorded in OIM; this includes the GOC staff acting as OSG RA, the RA Agents, and the Sponsors. When a subscriber makes a certificate request, OIM creates an account for the user and collects the following information:
- Full name, phone, e-mail
- City, state, zip code, and country
- Profile: a few sentences introducing themselves to the OSG community, the work they do and the role they play
- Virtual Organization membership
- Consent to the IGTF Certificate Subscriber Agreement
- A password to protect their private key

Slide 7: Familiar Identity Vetting Process
When a certificate request is created in OIM, a ticket is created and assigned to one of the RA Agents assigned for the requested VO. The RA Agent receives the ticket and routes it to one of the Sponsors listed for the VO. The RA Agent and Sponsors communicate:
- Through the OIM ticketing system, where they each need to have a valid certificate. Their DN is captured and appended to the ticket. Or,
- Via digitally signed e-mails. Or,
- Via phone calls, where the Sponsor's phone number has been validated and stored in OIM.
- If the communication is done through e-mail or phone, the RA Agent must enter the data into the ticket.

Slide 8: Familiar Identity Vetting Process
The Sponsor verifies the subscriber's identity by:
- Knowing the requestor personally and verifying that the request was made by the subscriber
- A face-to-face meeting where the Sponsor checks a photo ID or a similar document
- Name, address and telephone number available from a publicly accessible directory of the institution with which the subscriber is affiliated
- Unsigned e-mail from third parties known to the Sponsor attesting to the validity of the request
- Information about the subscriber posted on institutional web sites, such as the description of a research group on a university web site, or an institutional organization chart
The Sponsor makes a decision about the request and communicates it back to the RA Agent.

Slide 9: Familiar Identity Vetting Process: Identity Vetting for Host/Service Certificates
The subscriber must have a personal certificate to authenticate his/her request. Each VO has a list of special RA Agents, called Grid Admins, whose sole purpose is to handle host/service certificate requests. Each VO registers with OIM the list of web domains (FQDNs) that it owns. For each domain, the VO registers a list of GridAdmins in OIM. GridAdmins are located at the institutions that own the registered web domains. GridAdmins know which subscribers are entitled to obtain host/service certificates within their domains: they know the subscribers personally or check with their institutional line management.
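The routing rules on slides 5 to 9 (personal requests go to an RA Agent of the VO and then a Sponsor; host/service requests go to a Grid Admin registered for the domain that owns the FQDN; the Sponsor's decision is appended to the ticket with the channel it arrived over) can be written down as a small policy model. The following is an added example, not OSG or OIM code; every VO name, person, domain and DN in it is constructed sample data, and the dict-shaped "ticket" and the three channel names are assumptions of this example. It goes slightly beyond the slides in one respect: domain membership is checked label by label, so a hostname in a look-alike domain is not matched by a registered domain that happens to be its string suffix.

```python
"""Toy model of the OSG RA routing described on slides 5 to 9.

Added example, not OSG or OIM code. Personal certificate requests are routed to
an RA Agent of the requester's VO and then to a Sponsor; host/service requests
go to a Grid Admin registered for the VO domain that owns the requested FQDN.
Every VO, person, domain and DN below is constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class VO:
    name: str
    ra_agents: list
    sponsors: list
    domains: dict = field(default_factory=dict)  # domain -> list of Grid Admins


# Constructed registry standing in for the OIM records a VO Manager maintains.
REGISTRY = {
    "ExampleVO": VO(
        name="ExampleVO",
        ra_agents=["ra-agent@example.org"],
        sponsors=["sponsor@campus.example.edu"],
        domains={
            "example.edu": ["gridadmin@example.edu"],
            "lab.example.edu": ["labadmin@lab.example.edu"],
        },
    ),
}

# Channels (slide 7) over which an RA Agent and a Sponsor may communicate.
ALLOWED_CHANNELS = {"oim", "signed-email", "phone"}


def fqdn_in_domain(fqdn, domain):
    """True if fqdn equals domain or is a proper subdomain of it.
    Compares DNS labels, so 'evilexample.edu' does not match 'example.edu'."""
    f = fqdn.lower().rstrip(".").split(".")
    d = domain.lower().rstrip(".").split(".")
    return len(f) >= len(d) and f[-len(d):] == d


def route_personal_request(vo_name):
    """Open a ticket for a personal cert request: assign it to an RA Agent of
    the VO and list the Sponsors that agent may route it to."""
    vo = REGISTRY.get(vo_name)
    if vo is None:
        return {"ok": False, "reason": "VO is not registered with OSG"}
    if not vo.ra_agents or not vo.sponsors:
        return {"ok": False, "reason": "VO has no RA Agent or Sponsor on file"}
    return {"ok": True, "ra_agent": vo.ra_agents[0], "sponsors": list(vo.sponsors)}


def record_sponsor_decision(ticket, channel, approved, sponsor_dn=None):
    """Append the Sponsor's decision to the ticket. Over OIM the Sponsor's
    certificate DN is captured; over e-mail or phone the RA Agent enters the
    data by hand, so the channel is stored alongside the decision."""
    if channel not in ALLOWED_CHANNELS:
        return {"ok": False, "reason": "unsupported verification channel"}
    if channel == "oim" and not sponsor_dn:
        return {"ok": False, "reason": "OIM channel requires the Sponsor's DN"}
    ticket.setdefault("history", []).append(
        {"channel": channel, "sponsor_dn": sponsor_dn, "approved": approved})
    ticket["approved"] = approved
    return {"ok": True, "ticket": ticket}


def route_host_request(requester_dn, vo_name, fqdn):
    """Route a host/service cert request to the Grid Admins of the most
    specific registered domain that contains fqdn."""
    if not requester_dn:
        return {"ok": False, "reason": "requester must authenticate with a personal certificate"}
    vo = REGISTRY.get(vo_name)
    if vo is None:
        return {"ok": False, "reason": "VO is not registered with OSG"}
    matches = [(dom, admins) for dom, admins in vo.domains.items()
               if fqdn_in_domain(fqdn, dom)]
    if not matches:
        return {"ok": False, "reason": f"{fqdn} is not in a domain registered by {vo_name}"}
    dom, admins = max(matches, key=lambda m: len(m[0].split(".")))
    return {"ok": True, "domain": dom, "grid_admins": list(admins)}


if __name__ == "__main__":
    print(route_personal_request("ExampleVO"))
    print(route_host_request("/DC=org/DC=example/CN=Alice Example",
                             "ExampleVO", "ce.lab.example.edu"))
    print(route_host_request("/DC=org/DC=example/CN=Alice Example",
                             "ExampleVO", "ce.evilexample.edu"))
```

The two refusals worth noticing are the ones the slides call out implicitly: a host request without a personal certificate DN is never routed, and a hostname outside every domain the VO registered reaches no Grid Admin at all, rather than falling back to a generic RA Agent.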

Slide 10: OSG RA
[Diagram: the OSG RA has RA Agents and Sponsors handling personal certificates, and Grid Admins handling host/service (server) certificates.]