Presentation is loading. Please wait.

Presentation is loading. Please wait.

CERN IT Department CH-1211 Geneva 23 Switzerland www.cern.ch/i t OIS Operating Systems & Information Services CERN IT Department CH-1211 Geneva 23 Switzerland.

Published byRodney Gilbert Modified over 8 years ago

Similar presentations

Presentation on theme: "CERN IT Department CH-1211 Geneva 23 Switzerland www.cern.ch/i t OIS Operating Systems & Information Services CERN IT Department CH-1211 Geneva 23 Switzerland."— Presentation transcript:

1 CERN IT Department CH-1211 Geneva 23 Switzerland www.cern.ch/i t OIS Operating Systems & Information Services CERN IT Department CH-1211 Geneva 23 Switzerland www.cern.ch/i t OIS CERN STS IOTA CA Paolo Tedesco CERN - IT/OIS 35 th EUGridPMA meeting, Berlin 09/2015

2 Operating Systems & Information Services Background: WebFTS Web based tool to transfer files between grid/cloud storages Protocols: gsiftp, https, xrootd and srm Cloud extensions: dropbox, CERNBox Based on FTS3 Low-level data movement service Moves LHC data across WLCG infrastructure Allows participating sites to control usage of network resources 20PB per month (max: 2PB/day) transfer volume CERN STS IOTA CA – 35th EUGridPMA meeting, Amsterdam

3 Operating Systems & Information Services Importance of WebFTS WebFTS provides A service accessing the grid on users’ behalf From a browser With full VOMS credentials WebFTS needs the user’s certificate and private key to access the grid CERN STS IOTA CA – 35th EUGridPMA meeting, Amsterdam

4 Operating Systems & Information Services Goal Allow WLCG services to access the grid On behalf of the user Without x509 certificate delegation Solution: Users use EduGAIN credentials (no certificates) Application gets proxy certificate for grid authentication CERN STS IOTA CA – 35th EUGridPMA meeting, Amsterdam

5 Operating Systems & Information Services Current prototype Current working prototype based on “internal” CA  Must move to accredited CA CERN STS IOTA CA – 35th EUGridPMA meeting, Amsterdam CA WebFTS Grid Storage Element EduGAIN credentials Get proxy certificate Access grid with proxy

6 Operating Systems & Information Services IdP-dependent assurance Problem: assurance level very IdP-dependent No consistent identity information Solution: combine federated authentication with LHC VOMS data VO membership linked to CERN HR database Physical presence required for registration  Very high assurance level CERN STS IOTA CA – 35th EUGridPMA meeting, Amsterdam

7 Operating Systems & Information Services No unique identity Problem: no guarantee that an identity is uniquely assigned to a single user Solution: restrict access to IdPs providing a federation-wide unique identifier for each user eduPersonPrincipalName CERN STS IOTA CA – 35th EUGridPMA meeting, Amsterdam

8 WebFTS 1: browser 2: Auth EduGAIN IdP CERN SSO 3: SAML CERN LCG IOTA CA Security Token Service for WebFTS PKI Service LHC VOMS 4: get proxy for user in VO 1: get user data 2: get proxy signing certificate 3: generate proxy Grid Storage Element 5: access Grid eduPersonPrincipalName Proxy is requested for the user in the context of a VO STS service access restricted on service (WebFTS) and VO base (ATLAS)

9 Operating Systems & Information Services CERN LHC IOTA CA CA Infrastructure consists of –PKI Service –STS Services (one per client) PKI Service: –Issues certificates only to STS –Issues CRLs STS Service –Issues certificates (proxies) to client applications –Enforces restrictions on VO membership –Enforces restriction on unique user ID CERN STS IOTA CA – 35th EUGridPMA meeting, Amsterdam CERN LCG IOTA CA Security Token Services PKI Service Security Token Services

10 Operating Systems & Information Services Certificate formats Intermediate certificates –CN=Unique ID,O=Organization,O=Grid,O=STS –Valid 48 hours –Not reused (this could change in the future) –O=Grid,O=STS used to avoid any possible name clash Proxy certificates –CN=Unique ID,O=Organization,O=VO,O=Grid,O=STS –Valid 48 hours –Contain VOMS extensions for user CERN STS IOTA CA – 35th EUGridPMA meeting, Amsterdam

11 Operating Systems & Information Services Current status CP/CPS document available for review –Please send comments PKI service under construction –Setup similar to other CERN authorities STS service will only need re-configuration Currently WebFTS is the only real use case, and ATLAS the only VO to be supported  We need to build an "accredited" pilot to encourage adoption from other client applications and VOs CERN STS IOTA CA – 35th EUGridPMA meeting, Amsterdam

Download ppt "CERN IT Department CH-1211 Geneva 23 Switzerland www.cern.ch/i t OIS Operating Systems & Information Services CERN IT Department CH-1211 Geneva 23 Switzerland."

Similar presentations

Introduction of Grid Security

Introduction of Grid Security
MyProxy Jim Basney Senior Research Scientist NCSA

MyProxy Jim Basney Senior Research Scientist NCSA
Jens G Jensen CCLRC e-Science Single Sign-on to the Grid Federated Access and Integrated Identity Management.

Jens G Jensen CCLRC e-Science Single Sign-on to the Grid Federated Access and Integrated Identity Management.
EGI-InSPIRE RI-261323 EGI-InSPIRE EGI-InSPIRE RI-261323 AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager
Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.
Authentication solutions for Outlook and Office 365 Multi-factor authentication for Office 365 Outlook client futures.

Authentication solutions for Outlook and Office 365 Multi-factor authentication for Office 365 Outlook client futures.
Role Based VO Authorization Services Ian Fisk Gabriele Carcassi July 20, 2005.

Role Based VO Authorization Services Ian Fisk Gabriele Carcassi July 20, 2005.
OSG AuthZ Architecture AuthZ Components Legend VO Management Services Grid Site GUMS Site Services SAZ CE Gatekeeper Prima Is Auth? Yes / No SE SRM gPlazma.

OSG AuthZ Architecture AuthZ Components Legend VO Management Services Grid Site GUMS Site Services SAZ CE Gatekeeper Prima Is Auth? Yes / No SE SRM gPlazma.
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
Joining the Grid Andrew McNab. 28 March 2006Andrew McNab – Joining the Grid Outline ● LCG – the grid you're joining ● Related projects ● Getting a certificate.

Joining the Grid Andrew McNab. 28 March 2006Andrew McNab – Joining the Grid Outline ● LCG – the grid you're joining ● Related projects ● Getting a certificate.
WebFTS as a first WLCG/HEP FIM pilot

WebFTS as a first WLCG/HEP FIM pilot
Identity Management and PKI Credentialing at UTHSC-H Bill Weems Academic Technology University of Texas Health Science Center at Houston.

Identity Management and PKI Credentialing at UTHSC-H Bill Weems Academic Technology University of Texas Health Science Center at Houston.
Operating Systems & Information Services CERN IT Department CH-1211 Geneva 23 Switzerland www.cern.ch/i t OIS CERN Single Sign-On Summer 2012 Updates Emmanuel.

Operating Systems & Information Services CERN IT Department CH-1211 Geneva 23 Switzerland t OIS CERN Single Sign-On Summer 2012 Updates Emmanuel.
Www.egi.eu EGI-InSPIRE RI-261323 www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE EGI services for the long tail of science Peter Solagna Senior Operations.

EGI-InSPIRE RI EGI-InSPIRE RI EGI-InSPIRE EGI services for the long tail of science Peter Solagna Senior Operations.
CERN IT Department CH-1211 Geneva 23 Switzerland www.cern.ch/i t The Experiment Dashboard ISGC 2008 9-11 th April 2008 Pablo Saiz, Julia Andreeva, Benjamin.

CERN IT Department CH-1211 Geneva 23 Switzerland t The Experiment Dashboard ISGC th April 2008 Pablo Saiz, Julia Andreeva, Benjamin.
1.The portal sends, under the user approval, user’s attribute retrieved from IDP to CA bridge 2.CA bridge module requests to a CA-online a certificate.

1.The portal sends, under the user approval, user’s attribute retrieved from IDP to CA bridge 2.CA bridge module requests to a CA-online a certificate.
ArcGIS Server and Portal for ArcGIS An Introduction to Security

ArcGIS Server and Portal for ArcGIS An Introduction to Security
1 Grid Security. 2 Grid Security Concerns Control access to shared services –Address autonomous management, e.g., different policy in different work groups.

1 Grid Security. 2 Grid Security Concerns Control access to shared services –Address autonomous management, e.g., different policy in different work groups.
Chapter 23 Internet Authentication Applications Kerberos Overview Initially developed at MIT Software utility available in both the public domain and.

Chapter 23 Internet Authentication Applications Kerberos Overview Initially developed at MIT Software utility available in both the public domain and.

Similar presentations

Ads by Google