National Computational Science National Center for Supercomputing Applications National Computational Science GSI Online Credential Retrieval Requirements.

GSI Online Credential Retrieval Requirements
Jim Basney, National Center for Supercomputing Applications

Online Credential Retrieval Defined
(Diagram: exchange between Client and Server) Steps: Authenticate; Request Credential; Verify Authorization; Retrieve Credential.

Motivation for OCR
Credential management
  – Securely manage credential files on the user's behalf
  – Ease use of multiple credentials
Credential translation
  – Single sign-on to multiple authentication mechanisms and domains
Credential renewal by trusted services
  – Alternative to delegating long-lived proxies
Indirect credential delegation
  – Example: web portals

OCR Examples
Service        | Auth Method     | Credential
MyProxy        | Password        | X509 user proxy
K5Cert         | Kerberos        | K5 CA issued X509 cert
CAS            | GSI             | X509 community proxy
GSIklog        | GSI             | AFS token
SSLK5          | SSL             | Kerberos ticket
Kerberos KDC   | AS_REQ+preauth  | Kerberos ticket
CA             | OOB or IAK      | CA issued X509 certificate

OCR Implementations
Online Credential Authority
  – Examples: Online CA, Kerberos KDC
  – Creates credentials on demand
  – Vulnerability of the authority's private key is a concern
Encrypted credential repository
  – Credentials stored encrypted in the repository
  – Credentials may be opaque to the protocol and the repository
  – Requires the client to decrypt credentials on receipt
Delegating credential repository
  – Unencrypted credential stored in the repository
  – Server delegates the credential to the client

Proposed GGF Activity
OCR Requirements document
  – What OCR services are needed for Grids?
OCR Framework document
  – Address policy issues of credential repositories, credential translation, credential renewal
  – Recommendations for interoperability
OCR Protocol document
  – Define an OCR protocol framework that enables interoperability between different types of OCR services
  – Share mechanisms between OCR implementations (auditing, delegation tracing, event notification, etc.)

Standards Activity
IETF SACRED WG
  – Credential format MUST be opaque to the protocol
  – Protocol MUST NOT force credentials to be present in clear text on the server
IETF PKIX WG
  – Online Certificate Authorities
  – Certificate request may include an Initial Authentication Key

Protocol Requirements
Mutual authentication
  – Client-side configuration required to authenticate the server
Multiple authentication mechanisms
  – Password, GSI, Kerberos
Delegate different credential types
  – X509 cert, X509 proxy, Kerberos ticket
Client can choose among available credentials
  – Query available credentials and choose
  – Request a credential that meets a specification
Administrative protocols
  – Credential upload and removal
  – Authorization control (user, administrator, and community)
OGSA-compliant

OCR Issues
Authorization
Restricted delegation
Delegation tracing across multiple mechanisms
Audit trail
Notification services
Compatibility with site security policies
Availability/Replication
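The following is an added illustration, not code from the talk or from MyProxy: a toy "encrypted credential repository" in the sense of the OCR Implementations slide, exercising the exchange from the Online Credential Retrieval Defined slide and the query/authorization/audit points from the Protocol Requirements and OCR Issues slides. The server holds only an opaque blob sealed on the client, checks an access list before releasing it, and records an audit line; the HMAC-counter stream cipher, the principal names and the credential bytes are all constructed stand-ins (a deployment would use an authenticated cipher).

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Set

# Constructed stand-in cipher: HMAC-SHA256 keystream in counter mode, XORed
# over the data. Assumption for illustration only; a real repository would
# use an authenticated cipher. The server never sees the key or plaintext.
def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def derive_key(passphrase: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)

def client_seal(passphrase: str, credential: bytes) -> bytes:
    # Encrypt before upload; the blob is opaque to the protocol and repository.
    salt, nonce = os.urandom(16), os.urandom(16)
    return salt + nonce + _keystream_xor(derive_key(passphrase, salt), nonce, credential)

def client_open(passphrase: str, blob: bytes) -> bytes:
    # Decrypt on receipt (the client-side step the slide calls out).
    salt, nonce, body = blob[:16], blob[16:32], blob[32:]
    return _keystream_xor(derive_key(passphrase, salt), nonce, body)

class EncryptedRepository:
    def __init__(self) -> None:
        self.store: Dict[str, Dict[str, bytes]] = {}  # owner -> name -> blob
        self.acl: Dict[str, Set[str]] = {}            # owner -> allowed requesters
        self.audit: List[str] = []                    # audit trail of every access

    def upload(self, owner: str, name: str, blob: bytes, allowed: Set[str]) -> None:
        self.store.setdefault(owner, {})[name] = blob
        self.acl[owner] = {owner} | allowed            # user plus community principals
        self.audit.append(f"upload owner={owner} name={name}")

    def list_credentials(self, requester: str, owner: str) -> List[str]:
        # "Query available credentials and choose": only names, only if authorized.
        if requester not in self.acl.get(owner, set()):
            return []
        return sorted(self.store.get(owner, {}))

    def retrieve(self, requester: str, owner: str, name: str) -> Optional[bytes]:
        # Verify Authorization, then Retrieve Credential; both outcomes are audited.
        ok = requester in self.acl.get(owner, set()) and name in self.store.get(owner, {})
        self.audit.append(f"retrieve requester={requester} owner={owner} "
                          f"name={name} result={'ok' if ok else 'denied'}")
        return self.store[owner][name] if ok else None
```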

Discussion
Is there a need for OCR services in the Grid?
  – If so, what types of OCR services are needed?
Will production Grid policies allow OCR services?
  – Centralized key storage
  – Transitive trust
Is there interest in a GGF OCR activity?
Any comments on the requirements draft?
Other comments or discussion topics?