Single Sign-On with GRID Certificates. Ernest Artiaga (CERN – IT). GridPP 7th Collaboration Meeting, July 2003.


Outline
- Motivation and goals
- Authentication mechanisms
- Implementing web single sign-on
- Mapping certificates to accounts
- Providing certificates to users
- Current status
- Summary and conclusions

Motivation and goals
- The GRID environment offers:
  - A lot of computing power
  - The possibility to execute big and complex applications
- But GRID users will also need basic services:
  - Mail
  - Web
  - Access to administrative procedures
- We want to integrate the services for GRID and local users:
  - Cross-platform authentication
  - Single sign-on

Authentication mechanisms
- PKI/Certificates
  - Off-line authentication: someone (a CA) signs a document saying who I am, and the service verifies that signature against the CA it trusts; the CA itself need not be reachable at authentication time (only revocation checking needs fresh CA data)
  - Used across platforms
  - Standard extension mechanisms (X.509 v3 extensions)
- Kerberos tickets
  - On-line authentication: someone (the KDC) tells the service that I am really who I claim to be, so the KDC must be reachable to issue the ticket
  - Intra-site security mechanism (used by Unix and Microsoft)

Implementing single sign-on
- Users come from the GRID and from local Unix and Windows environments
- Services are multi-platform (Unix/Windows)
- Logon and authentication mechanisms are different
- A user must type his/her credentials again and again
- Solution? We will focus on web services

Single sign-on via web
- The user must provide a valid PKI certificate
- We must trust the web server: it will impersonate the user!
- Complex scenario: many possibilities
[Diagram: User, Web Server, Services]

Impersonation in Apache/Unix
- Direct impersonation via certificates
  - Privileged server (it must be able to switch to the mapped user, so a compromise of the server exposes every mapped account)
  - DB to map certificates into accounts
  - The service runs as the user owning the certificate (login)
- Impersonation via Kerberos ticket
  - The service acquires the user's ticket to access the resources
  - It should get the Kerberos ticket from the certificate
  - May use extra software: Kerberos-leveraged PKI
    - KCT (Kerberized Credential Translation)
    - mod_kct (Apache module)

Impersonation in MS web servers
- Based on the Windows identity mapping mechanism
  - Maps a certificate to a Windows account (logon)
  - The identity mapping is set in the Active Directory
  - Common for the whole domain
- Provides an internal ticket
  - Allows accessing Windows resources

Windows identity mapping
- Two flavours: manual and automatic
- In manual mapping, the administrator must specify which certificate maps to which account (can be done programmatically)
- In automatic mapping, the certificate must contain an extension with the User Principal Name (UPN) of the account (a subjectAltName otherName with OID 1.3.6.1.4.1.311.20.2.3)
  - No explicit mapping is needed
  - Originally designed for smart cards
  - Consequence: whoever controls a CA accepted for automatic mapping can name any account simply by putting its UPN in a certificate
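The two mapping flavours written out as decision logic, added here as an example (it is not Microsoft's code and not from the talk). The certificate is assumed already parsed: issuer and subject in OpenSSL's slash form, and the UPN already extracted from the subjectAltName otherName with OID 1.3.6.1.4.1.311.20.2.3. The directory is a constructed in-memory list standing in for AD user objects with userPrincipalName and altSecurityIdentities attributes; the CA sets, UPN suffixes and sample users are constructed. The X509:<I>...<S>... string is the form altSecurityIdentities takes for an explicit issuer-plus-subject mapping.

```python
"""Resolve a Windows account for a verified client certificate.

Added example, not from the talk and not Microsoft code. Input certificate
fields are assumed to be parsed already; the directory below is a
constructed stand-in for Active Directory user objects.
"""

# Constructed sample policy. Only the domain's own CA may map by UPN
# (automatic mapping); an external GRID CA is limited to explicit mappings.
UPN_MAPPING_CAS = {"/DC=ch/DC=cern/CN=CERN CA"}
MANUAL_MAPPING_CAS = UPN_MAPPING_CAS | {"/C=UK/O=eScience/CN=UK e-Science CA"}
LOCAL_UPN_SUFFIXES = {"cern.ch"}


def ad_name(openssl_dn):
    """'/DC=ch/DC=cern/CN=Jane' -> 'DC=ch,DC=cern,CN=Jane'.

    altSecurityIdentities stores names root-first with comma separators,
    which is the RDN order OpenSSL's slash form already uses.
    """
    return ",".join(rdn for rdn in openssl_dn.split("/") if rdn)


def alt_security_identity(issuer, subject):
    """The value an administrator stores for a manual (explicit) mapping."""
    return f"X509:<I>{ad_name(issuer)}<S>{ad_name(subject)}"


def resolve_account(cert, directory):
    """Return (sAMAccountName, mapping kind) or raise if no mapping applies."""
    issuer, subject, upn = cert["issuer"], cert["subject"], cert.get("upn")
    if issuer not in MANUAL_MAPPING_CAS:
        raise PermissionError(f"issuer not trusted for logon: {issuer}")

    if upn:
        # Automatic mapping: the certificate itself names the account, so
        # only a CA allowed to speak for this forest may be used.
        if issuer not in UPN_MAPPING_CAS:
            raise PermissionError(f"{issuer} may not assert UPNs here")
        if upn.rpartition("@")[2].lower() not in LOCAL_UPN_SUFFIXES:
            raise PermissionError(f"UPN suffix not owned by this forest: {upn}")
        for user in directory:
            if user["userPrincipalName"].lower() == upn.lower():
                return user["sAMAccountName"], "automatic"
        raise LookupError(f"no account with UPN {upn}")

    # Manual mapping: an admin has tied this exact issuer+subject to an account.
    wanted = alt_security_identity(issuer, subject)
    for user in directory:
        if wanted in user.get("altSecurityIdentities", ()):
            return user["sAMAccountName"], "manual"
    raise LookupError(f"no altSecurityIdentities entry for {subject}")


# Constructed sample directory: one local user, one GRID user mapped manually.
DIRECTORY = [
    {"sAMAccountName": "jdoe", "userPrincipalName": "jdoe@cern.ch",
     "altSecurityIdentities": []},
    {"sAMAccountName": "bsmith", "userPrincipalName": "bsmith@cern.ch",
     "altSecurityIdentities": [alt_security_identity(
         "/C=UK/O=eScience/CN=UK e-Science CA",
         "/C=UK/O=eScience/OU=Oxford/CN=Bob Smith")]},
]

if __name__ == "__main__":
    print(resolve_account({"issuer": "/DC=ch/DC=cern/CN=CERN CA",
                           "subject": "/DC=ch/DC=cern/CN=jdoe",
                           "upn": "jdoe@cern.ch"}, DIRECTORY))
    print(resolve_account({"issuer": "/C=UK/O=eScience/CN=UK e-Science CA",
                           "subject": "/C=UK/O=eScience/OU=Oxford/CN=Bob Smith"},
                          DIRECTORY))
```

The split between UPN_MAPPING_CAS and MANUAL_MAPPING_CAS is the practical caveat behind automatic mapping: a CA accepted for UPN mapping can reach any account in the forest, so an external GRID CA is better confined to explicit mappings that an administrator has set.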

Integrating external GRID users
- Local account for GRID users?
  - Users not registered locally, but having valid GRID certificates
  - How to handle them (Unix/Windows)?
- Proposed procedure:
  - Validate the certificate
  - Create an account on the fly
  - Assign the new user to the appropriate groups
  - Map the certificate to the new account
  - Delete the account at user logout
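The Apache/Unix certificate-to-account mapping DB together with the on-the-fly account procedure above, as an added example (not code from the talk or from CERN). It assumes mod_ssl has already verified the certificate chain and exposes the subject and issuer DNs as the SSL_CLIENT_S_DN and SSL_CLIENT_I_DN environment variables in OpenSSL's slash form, that the mapping DB is a Globus-style grid-mapfile (a quoted subject DN followed by the local account), and it simulates account creation in an in-memory registry so that it runs offline; a real deployment would call useradd/userdel as root, which is exactly the privilege that makes the web server a component that has to be trusted. The trusted-issuer set, group names and sample DNs are constructed.

```python
"""Map a verified client certificate to a local Unix account.

Added example, not from the talk and not CERN code. mod_ssl is assumed to
have verified the chain already; the mapping DB is a grid-mapfile; the
account registry is an in-memory stand-in for the system password database.
"""
import shlex

# Constructed sample policy: CAs whose users may get an account on this host.
# SSLCACertificateFile decides who can authenticate at all; this decides
# which of those CAs may also obtain an on-the-fly account.
TRUSTED_ISSUERS = {"/C=CH/O=CERN/CN=CERN CA", "/C=UK/O=eScience/CN=UK e-Science CA"}
TEMP_GROUPS = ["grid"]          # groups given to on-the-fly accounts


def parse_gridmap(text):
    """Parse grid-mapfile text into {subject DN: local account}."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)          # honours the quotes around the DN
        if len(parts) != 2:
            raise ValueError(f"malformed grid-mapfile line: {raw!r}")
        subject, accounts = parts
        mapping[subject] = accounts.split(",")[0]   # first listed account wins
    return mapping


def account_name_from_dn(subject):
    """Derive a safe local user name from the CN of an OpenSSL-style DN."""
    cn = ""
    for rdn in subject.split("/"):
        if rdn.startswith("CN="):
            cn = rdn[3:]                   # keep the last CN, the leaf's own
    base = "".join(ch for ch in cn.lower() if ch.isalnum())[:12]
    if not base:
        raise ValueError(f"no usable CN in {subject!r}")
    return "grid_" + base


def map_certificate(subject, issuer, gridmap, registry):
    """Return the account the request should run as, creating one if needed."""
    if issuer not in TRUSTED_ISSUERS:
        raise PermissionError(f"certificate issuer not accepted: {issuer}")
    if subject in gridmap:
        account = gridmap[subject]
        if account not in registry:
            raise LookupError(f"mapfile points at missing account {account}")
        return account
    # Unknown but validly signed GRID user: create an account on the fly.
    name = account_name_from_dn(subject)
    candidate, n = name, 1
    while candidate in registry:           # never reuse an existing account
        n += 1
        candidate = f"{name}{n}"
    registry[candidate] = {"groups": list(TEMP_GROUPS), "temporary": True}
    gridmap[subject] = candidate           # later requests in the session match
    return candidate


def logout(subject, gridmap, registry):
    """Tear down an on-the-fly account; permanent accounts are left alone."""
    account = gridmap.get(subject)
    if account and registry.get(account, {}).get("temporary"):
        del registry[account]
        del gridmap[subject]
        return True
    return False


if __name__ == "__main__":
    # Constructed sample data: one pre-registered user, one GRID visitor.
    gm = parse_gridmap('# local users\n"/C=CH/O=CERN/OU=GRID/CN=Jane Doe" jdoe\n')
    reg = {"jdoe": {"groups": ["users"], "temporary": False}}
    print(map_certificate("/C=CH/O=CERN/OU=GRID/CN=Jane Doe",
                          "/C=CH/O=CERN/CN=CERN CA", gm, reg))
    visitor = "/C=UK/O=eScience/CN=Bob Smith"
    print(map_certificate(visitor, "/C=UK/O=eScience/CN=UK e-Science CA", gm, reg))
    print(logout(visitor, gm, reg), sorted(reg))
```

The name derivation deliberately strips everything but letters and digits from the CN before it reaches anything like useradd, and the collision loop means a certificate whose CN happens to match a local login can never be handed that account: a GRID visitor only ever gets a fresh, group-restricted, temporary one.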

So far…
- Web services can be configured to use certificates for authentication
- We should be able to use GRID certificates to access these services
  - Possibly adding some extensions
- …Now we need to integrate the local users
  - How can we easily provide them with certificates?

Providing certificates to users
- GRID users already have a certificate
- The others…
  - At CERN, both local Unix and Windows users receive a Kerberos ticket during logon
  - We can issue a PKI certificate from a Kerberos ticket
  - KCA (Kerberized CA)

Integrating non-GRID users
- Kerberos-leveraged PKI
[Diagram: components shown are Login, KDC, Credential Cache, KCA, Browser, LibPKCS11 and Web Server]

Tools
- KCA (Kerberized CA) supports Kerberos V (Windows 2000 compatible)
- KCA clients are available for Unix and Windows
- A PKCS#11 library (smart card emulation) is also available for Unix and Windows

Issues
- Interoperability puts extra requirements on the certificates
  - Specific extensions
  - Revocation lists
  - …
- It depends on many components
  - Some of them not completely stable or ready for production
- The server must be able to
  - Accept the certificate
  - Identify the account to which the certificate refers

The integrated view
[Diagram: components shown are a Linux box and a Windows box running the Web Browser with LibPKCS11, a Windows 2000 KDC, a Linux KCA with an OpenSSL CA and a Certificate Template, Windows 2000 IIS 5.0 with Active Directory and Resources, Unix Apache with Mod_KCT and KCT, an MIT KDC, and GRID Certificates]

Summary and conclusions
- It is possible
  - To integrate GRID and local infrastructure services
  - To provide cross-platform single sign-on using GRID authentication mechanisms (i.e. PKI/certificates)
- But full functionality has issues…
  - Lots of components involved (KDC, KCA, AD…)
  - Compatibility (not fully documented requirements)
- Is the complexity worthwhile?
  - Over-complex for a reliable service today
  - But the components are being used/developed in other areas

Summary and conclusions (continued)
- Nevertheless, it is an interesting mechanism
  - Web services are widespread
  - Can be shared by GRID and non-GRID users
  - Smooth transition from non-GRID to GRID
- Partial functionality is possible and ready to work
  - Mapping long-term certificates
- Some of the tools are being actively developed
- We've heard of some related success stories

Questions?