GridShib and MyProxy Grid Credential Management and Identity Federation Von Welch NCSA

Presentation transcript:

Slide 1: GridShib and MyProxy: Grid Credential Management and Identity Federation
Von Welch, NCSA

Slide 2 (OGF19, http://myproxy.ncsa.uiuc.edu/): Plug: longer talks
- 2-3:30pm: GridShib, MyProxy, GAARDS (Mountain Laurel room)

Slide 3: GridShib
- dev.Globus Incubator Project
- Collaboration between NCSA and U. Chicago
- GridShib is a project funded by the NSF Middleware Initiative
  - NMI awards
  - Opinions and recommendations are those of the authors and do not necessarily reflect the views of the National Science Foundation.
- Also many thanks to the Internet2 Shibboleth Project

Slide 4: What is GridShib?
- Allows Shibboleth interoperability and SAML functionality in the Globus Toolkit
- Allows GT to parse SAML attributes and use them for authorization
- Allows portals to embed Shibboleth attributes in Grid credentials
- Allows conversion of Shibboleth authentication to Grid credentials

Slide 5: Software Components
- GridShib for Globus Toolkit
- GridShib for Shibboleth
  - Includes GridShib Certificate Registry
- GridShib Certificate Authority
- GridShib SAML Tools

Slide 6: Online Roadmap
- We present current plans and timelines
- Roadmap online at the GridShib dev.globus incubator site
- Roadmap will be maintained as work progresses; check the web page for updates

Slide 7: GridShib for GT 0.5
- GridShib for GT 0.5 announced Nov 30
  - Compatible with both GT4.0 and GT4.1
    - GT4.1 introduces a powerful authz framework
    - Separate binaries for each GT version
    - Source build auto-senses the target GT platform
  - New identity-based authorization feature
    - Uses grid-mapfile instead of DN ACLs
  - Logging enhancements
  - Bug fixes

Slide 8: GridShib for GT
- GridShib for GT (expected any day now)
  - Combined VOMS/SAML attribute-to-account mapping
    - As with the current gridmap situation, GT4.0.x deployments cannot take advantage of permit overrides or arbitrarily configured fallbacks
    - To accommodate this we'll allow a name mapping scheme that checks sources in this order, falling back to the next source whenever no match is found or no authorization is granted: gridmap, VOMS, Shibboleth/SAML
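The ordered fallback described on this slide, as an added illustration rather than GridShib's own code: each mapping source is consulted in turn (gridmap, then VOMS, then SAML) and the first one that yields a local account wins. The gridmap text, VOMS FQAN table, SAML attribute table and DNs are all constructed for the example; only the gridmap line format is the real grid-mapfile syntax.

```python
"""Identity-to-account mapping with ordered fallback (added example)."""
import re

# Constructed grid-mapfile content: "<quoted DN>" <account>[,<account>...]
GRIDMAP = '''\
"/C=US/O=NCSA/CN=Alice Example" alice
"/C=US/O=NCSA/CN=Bob Example" bob,bobadm
'''

# Constructed VOMS FQAN -> account table for a hypothetical VO "demo".
VOMS_MAP = {"/demo/Role=admin": "demoadm", "/demo": "demouser"}

# Constructed SAML attribute value -> account table (eduPersonAffiliation).
SAML_MAP = {"member": "campus", "faculty": "facultyacct"}


def parse_gridmap(text):
    """Return {DN: first listed account} for every well-formed line."""
    entries = {}
    for line in text.splitlines():
        m = re.match(r'^"(?P<dn>[^"]+)"\s+(?P<accts>\S+)', line)
        if m:
            entries[m.group("dn")] = m.group("accts").split(",")[0]
    return entries


def map_gridmap(ctx):
    return parse_gridmap(GRIDMAP).get(ctx["dn"])


def map_voms(ctx):
    # FQANs are tried in the order presented; first mapped one wins.
    for fqan in ctx.get("fqans", []):
        if fqan in VOMS_MAP:
            return VOMS_MAP[fqan]
    return None


def map_saml(ctx):
    for value in ctx.get("attributes", {}).get("eduPersonAffiliation", []):
        if value in SAML_MAP:
            return SAML_MAP[value]
    return None


# Order matters: this is the gridmap -> VOMS -> SAML chain from the slide.
MAPPERS = [("gridmap", map_gridmap), ("voms", map_voms), ("saml", map_saml)]


def map_to_account(ctx):
    """Return (source, account), or (None, None) when every source fails."""
    for name, mapper in MAPPERS:
        account = mapper(ctx)
        if account:
            return name, account
    return None, None
```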

Slide 9: GridShib for GT 0.6
- GridShib for GT 0.6 (expected March 2007)
  - Full-featured attribute push PIP
    - Compatible with current GridShib Attribute Tools
  - More powerful attribute-based authz policies
    - Allow a unique issuer in authz policy rules

Slide 10: GridShib SAML Tools
- Current version
- Self-issues a SAML assertion with up to two statements
- Optionally binds this assertion to an X.509 proxy certificate
- Supports both SAML AuthenticationStatement and AttributeStatement
- Separates the issuing of the SAML from the binding of the SAML

Slide 11: GridShib SAML Tools
- Target release date: February 2007
- Same command-line interface as v0.1.x (but with more options)
- Leverages the Shibboleth Attribute Resolver to support more complicated attribute requirements
- Support for nested SSO Response
- Enhanced logging
- Java API for portal developers

Slide 12: GridShib for Shib Versions
- GridShib for Shib
  - Announced Aug 8, 2006
- GridShib for Shib 0.6
  - Expected Jan 2007
  - Will include SAML Issuer Tool (derived from the Shib resolvertest tool)

Slide 13: GridShib for Shib 0.6
- GridShib for Shib 0.6 (expected April 2007)
  - Core (already included in 0.5)
    - Requires Shib IdP
    - Includes basic plugins and handlers
  - Certificate Registry (already included in 0.5)
    - Requires GridShib for Shib Core
    - Includes Derby embedded database
  - SAML Tools (new in 0.6)
    - Requires GridShib for Shib Core
    - Includes SAML Issuer Tool and SAML X.509 Binding Tool

Slide 14: GridShib CA 0.3
- Substantial improvement over version 0.2
- More robust protocol
- Installation of trusted CAs at the client
- Pluggable back-end CAs
  - Uses an openssl-based CA by default
  - A module to use a MyProxy CA is included
- Certificate registry functionality
  - A module that auto-registers DNs with myVocs

Slide 15: GridShib CA 0.4
- Target release: March 2007
- Fall back to default SSLSocketFactory on error (Bug 4875) [1]
- Create CA with domain name components (Bug 4887) [2]
- Register certificate on the front channel with the GridShib for Shibboleth Certificate Registry
- Integrate GridShib SAML Tools to bind a simple attribute assertion to the EEC
- Bind IdP entityID to SIA extension
- Handle creating DN from a mix of attributes (Bug 4889) [3]

Slide 16: What is MyProxy?
- An Online Certificate Authority
  - Issues short-lived X.509 End Entity Certificates
  - Avoids the need for long-lived user keys
- An Online Credential Repository
  - Issues short-lived X.509 Proxy Certificates
  - Long-lived private keys never leave the server
- Supports multiple authentication methods
  - Passphrase, Certificate, PAM, SASL, Kerberos, Pubcookie, VOMS
- Open Source Software
  - Included in Globus Toolkit, UGE, NMI, VDT, and CoG Kits
  - C, Java, Python, and Perl clients available
  - Contributions from EDG, UVA, LBL, and others
- Protocol specified in GFD-E.54
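The repository mode on this slide, modelled as an added example (not MyProxy's implementation): the long-lived key stays in the server-side record, and the proxy handed back is capped by the caller's request, the per-credential limit, an assumed server-wide maximum, and the stored credential's own expiry. It goes slightly beyond the slide by also applying the RFC 3820 naming rule (proxy subject = issuer DN plus one CN component) in a client-side check. All DNs, times and the SERVER_MAX_LIFETIME value are constructed.

```python
"""Lifetime capping for a MyProxy-style credential repository (added example)."""
from dataclasses import dataclass

HOUR = 3600
SERVER_MAX_LIFETIME = 12 * HOUR   # assumed server-wide policy cap (constructed)


@dataclass(frozen=True)
class StoredCredential:
    subject: str        # DN of the user's long-lived end-entity certificate
    not_after: int      # its expiry, epoch seconds
    max_lifetime: int   # per-credential cap chosen when it was stored (seconds)
    private_key: str    # placeholder; never leaves the server


@dataclass(frozen=True)
class ProxyCert:
    subject: str
    issuer: str
    not_before: int
    not_after: int


def issue_proxy(cred, requested_lifetime, now, serial=1):
    """Return the proxy a repository would sign with the stored key.

    The expiry is the earliest of: request, credential cap, server cap,
    and the stored certificate's own expiry (a proxy cannot usefully
    outlive the certificate that signs it)."""
    if requested_lifetime <= 0 or now >= cred.not_after:
        raise ValueError("credential expired or invalid lifetime")
    not_after = min(now + requested_lifetime,
                    now + cred.max_lifetime,
                    now + SERVER_MAX_LIFETIME,
                    cred.not_after)
    return ProxyCert(subject=f"{cred.subject}/CN={serial}",
                     issuer=cred.subject,
                     not_before=now, not_after=not_after)


def check_proxy(proxy, now):
    """Client-side check: one appended CN, and currently valid."""
    if not proxy.subject.startswith(proxy.issuer):
        return False
    rdn = proxy.subject[len(proxy.issuer):]
    name_ok = rdn.startswith("/CN=") and rdn.count("/") == 1
    return name_ok and proxy.not_before <= now < proxy.not_after
```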

Slide 17: Topics for Discussion
- Credential Renewal
- High Availability
- Attribute Support
- Web Services
- Web SSO
- Security Context Provisioning
- User Registration
- HSM Support
- Audit Logging
- Others?

Slide 18: Credential Renewal
- Existing MyProxy-based renewal support
  - EGEE Renewal Service
  - Condor-G
- Future Work
  - MyProxy-based GT4 Renewal Service
    - Integrated with GT4 Delegation Service
    - Support for GRAM, WS-GRAM, RFT

Slide 19: High Availability
- Existing support
  - Clients retry when the server is unreachable
  - Documentation for MyProxy CA replication
  - Primary-backup replication of the MyProxy repository
- Future Work
  - Robust client retry
  - Peer-to-peer repository replication

Slide 20: Attribute Support
- Existing support
  - VOMS authentication to the MyProxy server
  - GridShib CA integration with MyProxy
- Future Work
  - Issue credentials with VOMS assertions
  - SAML authentication to the MyProxy server

Slide 21: Web Services
- Currently MyProxy does not provide a Web Services interface
  - C, Java, Perl, Python APIs
- A standard Delegation Service interface is needed
  - For MyProxy, GT4, and EGEE delegation services

Slide 22: Web Single Sign-on
- Existing Support
  - MyProxy server accepts Pubcookie tokens
- Future Work
  - Shibboleth/SAML support
  - Other web SSO methods?

Slide 23: Security Context Provisioning
- Existing Support
  - MyProxy can provision user certificates, CA certificates, and CRLs
  - Requires the MyProxy server CA certificate to be installed
- Future Work
  - Java client support
  - Zero configuration bootstrap

Slide 24: User Registration
- Existing Support
  - Provided by PURSE and GAMA
  - GridShib CA and OpenIDP
- Future Work
  - Integration with MyProxy CA
  - Integration with attribute and authorization services

Slide 25: HSM Support
- Existing Prototypes
  - MyProxy repository using IBM 4738
  - MyProxy CA using Aladdin eToken
- Future Work
  - Full support for OpenSSL hardware engines in MyProxy CA

Slide 26: Audit Logging
- Existing Support
  - All MyProxy server operations are logged to syslog
  - Recent improvements to MyProxy CA logging to meet IGTF guidelines
- Future Work
  - Include auditing information in issued credentials
  - Support standard grid logging interfaces

Slide 27: Thank you
Reminder: 2-3:30pm GridShib, MyProxy, GAARDS (Mountain Laurel room)
For more information: