ESnet RAF and eduroam ™ Tony J. Genovese ATF Team ESnet/Lawrence Berkeley National Laboratory

ATF Overview Authentication services for DOE Office of Science projects, including international collaborations, computational Grids, ESnet community, and ESnet internal Authentication services for DOE Office of Science projects, including international collaborations, computational Grids, ESnet community, and ESnet internal Primarily focused on the Office of Science community Primarily focused on the Office of Science community ATF’s principle service is a set of certificate authorities (CAs) ATF’s principle service is a set of certificate authorities (CAs) Policy is driven completely by the needs of the science community Policy is driven completely by the needs of the science community Facilitating several trust federations to enable interoperable science Grids – Policy Management Authorities Facilitating several trust federations to enable interoperable science Grids – Policy Management Authorities the IGTF - International Grid Trust Federation the IGTF - International Grid Trust Federation the Americas “regional” policy management authority – TAGPMA the Americas “regional” policy management authority – TAGPMA ATF also pilots new technology, new policy systems, and develops project proposals in collaboration with other partners ATF also pilots new technology, new policy systems, and develops project proposals in collaboration with other partners

3 FTEs plus heavy support from ESnet UNIX services 3 FTEs plus heavy support from ESnet UNIX services Plus additional support from network engineering, services, and windows support Plus additional support from network engineering, services, and windows support Roles Roles CA Operator CA Operator Developer Developer Federation Liaison Federation Liaison Product Manager (community outreach) Product Manager (community outreach) Specialized system administration Specialized system administration PMA chairman / member PMA chairman / member Contributor to community best practices/standards efforts Contributor to community best practices/standards efforts All team members have cross trained to insure continuity. All team members have cross trained to insure continuity. Authentication and Trust Federation Team

ESnet subordinate Certificate Authorities and Services ESnet Root CA FUSION (Credential Store) ESnet SSL/TLS ESnet Root CA only signs subordinate CAs DOEGrids Future Co-hosting OCSP Service NERSC Site – NIM Integration PKI Certificate Authorities Overview

Offline Vaulted Root CA Internet Firewall Intrusion Detection Grid User HSM Secure Data Center Building Security LBNL Site security Hardware Security Modules Access controlled racks PKI Systems PKI Security Environment Secure VLAN

DOEGrids CA Usage Statistics User Certificates 1999 Total No. of Certificates 5479 Host & Service Certificates 3461 Total No. of Requests 7006 ESnet SSL Server CA Certificates 38 DOEGrids CA 2 CA Certificates (NERSC) 15 Fusion GRID CA certificates 76 * Report as of Jun 15, 2005

RAF, eduroam ™ and Internet2 interconnects eduroam ™ ESnet RAF eduroam US Internet2 eduroam US Internet2 ESnet LBNL TERENA NL Internet2 UTK Interconnecting with eduroam™ at UTK Interconnect Grid Realms at TERENA ESnet possible secondary route for eduroam™ ORNL PPNL ANL NERSC eduroam ™ Grid realms DOEGrids MyProxy Crypto Card Secure ID Aladdin Smart Card

Grid eduroam ™ Experiment Phase 0 Phase 0 Use Infoblox loaded with IGTF root certificates Use Infoblox loaded with IGTF root certificates EAP/TLS Strong Authentication based on Grid Identity Certs EAP/TLS Strong Authentication based on Grid Identity Certs eduroam ™ Authorization attributes – eduroam ™ defines eduroam ™ Authorization attributes – eduroam ™ defines TACAR or EUGridPMA repository as trust anchor TACAR or EUGridPMA repository as trust anchor IGTF OCSP experimental service – GGF defining the service IGTF OCSP experimental service – GGF defining the service Interconnect to eduroam ™ at UTK Interconnect to eduroam ™ at UTK Grid top level interconnect Grid top level interconnect TERENA - Root TERENA - Root ESnet ESnet Grid PMAs: EU Grid PMA, AP Grid PMA and TAGPMA Grid PMAs: EU Grid PMA, AP Grid PMA and TAGPMA User experience local site dependency User experience local site dependency eduroam ™ defines eduroam ™ defines Each site controls how they expose or provide a service to the community. Each site controls how they expose or provide a service to the community. Develop Federation document set Develop Federation document set Based on GGF documents Plus eduroam ™ policies Based on GGF documents Plus eduroam ™ policies

Next Phases Phase 1 Phase 1 Add Authorization Schema Add Authorization Schema Phase 0 plus LDAP server Phase 0 plus LDAP server Phase 2 Phase 2 Add Virtual Organization Management System Add Virtual Organization Management System Shibboleth Shibboleth GGF – GridShib or other? GGF – GridShib or other? TF-EMC2 TF-EMC2 Phase 0 plus VOMS servers Phase 0 plus VOMS servers Phase 3 – production hardening Phase 3 – production hardening Implement our community’s selected solution – or ? Implement our community’s selected solution – or ?

ESnet RAF Experiment systems LDAP User Account DB phase 1+ Grid Interconnect TERENA RAF radius appliance eduroam ™ Internet2 Interconnect Possible eduroam ™ backup route Cisco Catalyst 4000 EAPOL test bed