KFKI CA József Kadlecsik KFKI RMKI

The KFKI Campus
● Hosts five independent academic research institutes
● One of them is the KFKI Research Institute for Particle and Nuclear Physics (KFKI RMKI)
● The Computer Networking Center of KFKI RMKI is responsible for the central computing and network services of the KFKI Campus

KFKI CA
● No subordinate CAs
● One RA, which is performed by the KFKI CA itself
● No plan for additional RAs
● Usual defaults:
  – Root CA key: 5 years, 2048 bits
  – Entity keys: 1 year, min 1024 bits
  – CRLs: after revocation or every month

KFKI CA end entities I.
● Academic entities of the KFKI Campus:
  – Institutions
  – Individuals, computers, services belonging to the institutions
  – External individuals involved in the scientific, research projects of the academic institutions
Cert usages: user/host certs for Grid, service certs (http, pop/imap, smtp), user certs for roaming users (smtp ssl/tls)

KFKI CA end entities II.
● Entities of the Hungarian academic community involved in Grid related scientific or research projects.

Authentication of organizations
● Campus organization: the RA directly contacts the representative to confirm the authenticity of the request
● Non-campus organization: an official document stamped and signed by the official representative of the organization is required

Authentication of individuals
● Local requester must appear in person before the RA and show an identification card, passport or driving licence
● If the RA personally knows the requester, authentication over a phone call is accepted
● Distant subscriber: a copy of the identity card manually signed by a well-known contact person of the organization is required, and the subscriber is called back on the official phone number for further checks.

Authentication of machine/service
● Either the requester must fulfil the individual authentication, or the request must be signed by the requester's valid cert issued by KFKI CA
● Requester must adequately prove that he/she is responsible for the entity in question: checked by the computer technical contact persons of the institutions

Re-keying
● The request must contain a new public key
● Authentication is either as a new request, or the request must be signed by the valid non-expired, non-revoked certificate of the requester

Namespace
● Fixed part: C=HU,O=KFKI
● C=HU,O=KFKI,OU=people,CN=Kiss Istvan
● C=HU,O=KFKI,OU=services,CN=
● C=HU,O=KFKI,OU=services,CN=ldap/ldap.kfki.hu
● C=HU,O=KFKI,OU=grid,OU=people,CN=Kiss Pal
Hungarian ISO Latin 2 chars are converted: é -> e, í -> i, ó -> o, ő -> o,...
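A namespace check of the kind an RA could run on a requested subject before signing, given here as an added example that is not part of the original slides or of OpenCA. It assumes the OU paths shown on the slide are the complete set and that stripping combining marks is an acceptable general form of the listed conversions; all function names are hypothetical.

```python
import unicodedata

FIXED_PART = (("C", "HU"), ("O", "KFKI"))
ALLOWED_OU_PATHS = {("people",), ("services",), ("grid", "people")}  # slide's OU paths; completeness is an assumption


def to_ascii(name):
    """NFD-decompose and drop combining marks (é -> e, í -> i, ó -> o, ő -> o)."""
    decomposed = unicodedata.normalize("NFD", name)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    if not stripped.isascii():
        raise ValueError(f"no ASCII form for {name!r}")
    return stripped


def parse_dn(dn):
    """Split 'C=HU,O=KFKI,...' into (type, value) pairs. Escaped commas are not handled."""
    rdns = []
    for part in dn.split(","):
        key, sep, value = part.strip().partition("=")
        if not sep or not key:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((key.upper(), value.strip()))
    return rdns


def check_subject(dn):
    """Return the list of namespace violations; an empty list means the DN conforms."""
    try:
        rdns = parse_dn(dn)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if not dn.isascii():
        problems.append("unconverted non-ASCII character in subject")
    if tuple(rdns[:2]) != FIXED_PART:
        problems.append("fixed part must be C=HU,O=KFKI")
    middle, last = rdns[2:-1], rdns[-1]
    ou_path = tuple(v for k, v in middle if k == "OU")
    if len(ou_path) != len(middle) or ou_path not in ALLOWED_OU_PATHS:
        problems.append("OU path not in the namespace")
    if last[0] != "CN" or not last[1]:
        problems.append("last RDN must be a non-empty CN")
    return problems


def build_person_dn(full_name, grid=False):
    ou = "OU=grid,OU=people" if grid else "OU=people"
    return f"C=HU,O=KFKI,{ou},CN={to_ascii(full_name)}"
```

Rejecting a subject that still contains accented characters, rather than converting it silently at signing time, keeps the issued DN identical to the one the requester was authenticated for.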

Technical details
● Dedicated Linux PCs with CD writer drive
  – Full system backup on CD
● Signing machine has no network card, locked in a room on the first floor of the building of the Computer Networking Center
● Removable media is kept in a secure cabinet, backups in multiple locations

Software
● OpenCA
● Sleepycat DB
● Apache
● RBAC not activated yet - we are more accustomed to LIDS

Open issues
● Requests sent by (S/MIME) should be imported into OpenCA
● User interface for re-keying
● Full Hungarian translation of the user interface
Suggestions are welcomed!