TNGrid CA. 24th EUGridPMA meeting, Ljubljana, Slovenia, 16-18 January 2012. Heithem ABBES, Mohamed JEMNI


1 TNGrid CA
24th EUGridPMA meeting, Ljubljana, Slovenia, 16-18 January 2012
Heithem ABBES (heithem.abbes@esstt.rnu.tn), Mohamed JEMNI (mohamed.jemni@fst.rnu.tn)
Research Unit Technologies of Information and Communication, University of Tunis

2 TNGrid: Tunisian National Grid (24th EUGridPMA Meeting, Ljubljana, Slovenia, 2012)
- The TNGrid project is an initiative of the research unit of Technologies of Information and Communication (UTIC) at the Higher School of Sciences and Technology of Tunis (ESSTT) of the University of Tunis
- TNGrid offers an open and free Tunisian National Grid for researchers
- The grid computing platform is based on institutional resources and volunteer participation.

3 TNGrid: Tunisian National Grid
http://www.tngrid.tn/

4 TNGrid CA
- The UTIC research unit has been involved in the grid computing research axis since 2004.
- The UTIC research unit has been working in and participating in the EUMEDGRID projects coordinated by INFN (Italy) since 2006.
- We started as a Registration Authority, managed by Mohamed Jemni, with the INFN CA, and we are still using INFN CA services.
- We have prepared to set up the TNGrid CA so that it is fully operational right after our accreditation process with EUGridPMA.

5 Certificate usage
- Certificates issued by the TNGrid CA are only valid in the context of scientific activities:
  - User certificates can be issued to authenticate users who benefit from academic and research resources, services and activities.
  - Host certificates can be used for the machines of clusters inside TNGrid.
  - Service certificates can be used to identify services used inside TNGrid.

6 CA Manager
- The TNGrid CA will be managed by UTIC, which manages the TNGrid infrastructure
- The Manager of the TNGrid CA is: Mohamed Jemni (mohamed.jemni@fst.rnu.tn)
- The alternate representative is: Heithem Abbes (heithem.abbes@esstt.rnu.tn)

7 CP/CPS
- OID: 1.3.6.1.4.1.37660.1.1.1.0 [CP/CPS 7.1.6]
- Structured as defined in RFC 3647 [CP/CPS 1.1]
- Breakdown of the OID 1.3.6.1.4.1.37660.1.1.1.0:
    1.3.6.1.4.1   IANA (private enterprise arc)
    37660         UTIC
    .1            TNGrid CA
    .1            CP/CPS document
    1.0           CP/CPS version

8 CP/CPS
- Policy Administration [CP/CPS 1.5]
  - The UTIC research unit (ESSTT, University of Tunis) is responsible for the management, registration, maintenance and interpretation of the TNGrid CA. It is reachable at: http://www.utic.rnu.tn
  - All major changes related to policy, technology or security must be approved by TNGrid CA before any certificates are signed under the new CP/CPS
- All versions will be available at the online repository:
  - https://www.tngrid.tn/pki/pub/ => "PKI Info" => "Get CA Policy"
  - http://www.tngrid.tn => "Certification Authority" => "Policy Document"

9 CA System
- Uses 2 dedicated machines:
  - One offline signing server (Offline CA server)
    - Intel Core 2 Duo 2.33 GHz, 3 GB RAM, 300 GB HD
    - Operating System: Debian 5.0.5
    - Software: OpenCA v1.1.1, OpenSSL V2.0.31, Apache V2.2.9, MySQL v5.1
  - One online web server (Online CA server)
    - https://www.tngrid.tn/pki/pub/ : for subscribers
    - https://www.tngrid.tn/pki/ra : for the RA manager
    - Intel Core 2 Duo 2.33 GHz, 3 GB RAM, 200 GB HD
    - Operating System: Debian 5.0.5
    - Software: OpenCA v1.1.1, OpenSSL V2.0.31, Apache V2.2.9, MySQL v5.1
- Located in the Grid Center Room, ESSTT
- Only CA managers and CA operators can be granted physical access to the CA machines
- A secure environment where access is controlled

10 Name Forms
- Issuer (TNGrid CA): C=TN/O=TNGrid/CN=TNGrid CA
- User: C=TN, O=TNGrid, OU=organizationName, CN=commonName
  - organizationName is the organization name of the subject.
  - commonName must be the Forename and the Surname of the subject
- Host: C=TN, O=TNGrid, OU=organizationName, CN=commonName
  - organizationName is the name of the organization owning the host.
  - commonName must be the DNS FQDN of the host preceded by 'host/'
- Service: C=TN, O=TNGrid, OU=organizationName, CN=commonName
  - organizationName is the name of the organization owning the service.
  - commonName must be the DNS FQDN of the server preceded by 'serviceName/', where serviceName must uniquely identify the service

11 CA Private Key
- Asymmetric algorithm: RSA
- Key size: 2048 bits [CP/CPS 4.1.2]
- Protected by a pass-phrase of 15 characters [CP/CPS 6.4.1]
- The pass-phrase is only known to CA operators
- The TNGrid CA private key is kept, encrypted, in multiple copies and in different locations [CP/CPS 6.2.4]
- In case the private key of the TNGrid CA is (or is suspected to be) compromised, the CA shall [CP/CPS 5.7.3]:
  - notify subscribers
  - terminate issuing certificates and CRLs
  - generate a new CA key pair
  - revoke all certificates signed using the compromised key

12 CA Certificate
    Version: 3 (0x2)
    Serial Number: 2 (0x2)
    Signature Algorithm: sha256WithRSAEncryption
    Issuer: CN=TNGrid CA,O=TNGrid,C=TN
    Validity
        Not Before: Dec 16 14:27:25 2011 GMT
        Not After : Dec 11 14:27:25 2031 GMT
    Subject: CN=TNGrid CA,O=TNGrid,C=TN
    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
        RSA Public Key: 2048 bit

13 CA Certificate
- The extension values of the CA certificate are the following:
    Basic Constraints: critical, CA:TRUE
    Key Usage: critical, keyCertSign, CRL Signing
    Subject Key Identifier: CA key ID
    Authority Key Identifier: keyid,issuer
    crlDistributionPoints = URI

14 End Entity Certificates & Keys
- Key size >= 1024 bits [CP/CPS 6.1.5]
- Lifetime: 1 year plus one month (395 days) [CP/CPS 6.3.2]
- User certificates must not be shared [CP/CPS 4.5]
- Each entity must generate its own key pair [CP/CPS 6.1.1, 6.1.2]
- End entities should protect their passphrase according to the "Guidelines on Private Key Protection" [CP/CPS 4.1.2]

15 Enrollment process & responsibilities
For user certificates:
- User certificate requests are submitted by an online procedure on the TNGrid CA secure website (https://www.tngrid.tn/index/ca/), using a web browser.
- The key pair is generated by the web browser locally on the user's machine.
- The certificate (public key signed by the CA) can only be downloaded using the same browser, which holds the key pair, on the same machine, via a secure URL on the TNGrid CA website.

16 Enrollment process & responsibilities
For host or service certificates:
- The host or service administrator creates the key pair and the certificate request file using the OpenSSL packages, and submits the certificate request file to the TNGrid CA by a signed e-mail.
- The private key is kept by the host or service administrator.
- The certificate request will be verified by the appropriate RA.
- If the request is approved by the RA, the requester will then receive an e-mail containing his/her certificate, or the information needed to download it using a browser via a secure URL on the TNGrid CA website.

17 Certificate issuance
- The certificate request shall be transferred to the machine which holds the private key of the TNGrid CA and which is offline.
- On this machine the certificate is created and signed.
- The signed certificate shall then be transferred back to the online CA server, and an e-mail will be sent to the relevant RA manager informing him/her about the action.
- The lifetime of the certificate is one year.

18 Certificate acceptance
- The subscriber must send an e-mail within 15 days from the day that his/her certificate was issued.
- He/she will sign this e-mail with the issued certificate, confirming the acceptance of the certificate and his/her adhesion to the policy.
- Upon receipt of a certificate acceptance, the TNGrid CA will make the certificate available in its repository.

19 End Entity Certificates & Keys
- The extension values for user certificates are the following:
    basicConstraints = critical, CA:FALSE
    keyUsage = critical, digitalSignature, keyEncipherment, dataEncipherment
    extendedKeyUsage = clientAuth, emailProtection
    crlDistributionPoints = URI
    certificatePolicies = Your_OID, Authentication_Profile_OID
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid,issuer
    subjectAltName = email

20 End Entity Certificates & Keys
- The extension values for host and service certificates are the following:
    basicConstraints = critical, CA:FALSE
    keyUsage = critical, digitalSignature, keyEncipherment, dataEncipherment
    extendedKeyUsage = clientAuth, serverAuth
    crlDistributionPoints = URI:
    certificatePolicies = Your_OID, Authentication_Profile_OID
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid,issuer
    subjectAltName = DNS:
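The name forms on slide 10 and the two extension profiles on slides 19-20 together define what an end-entity certificate from this CA must look like. The following added example (not TNGrid or OpenCA code) checks a certificate against both; it assumes the certificate has already been parsed into a dict with the subject as an RFC 4514-style string and the extensions as OpenSSL config-style strings, exactly as the slides print them.

```python
# Added example, not TNGrid or OpenCA code: checks a parsed end-entity certificate against
# the TNGrid name forms and the user / host-service extension profiles. The input shape is
# an assumption: subject as an RFC 4514-style string, extensions as OpenSSL config-style strings.
import re
FQDN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$", re.I)
PROFILE = {  # user vs host/service certificates differ only in EKU and SAN type
    "user": {"eku": {"clientAuth", "emailProtection"}, "san": "email:"},
    "host": {"eku": {"clientAuth", "serverAuth"}, "san": "DNS:"},
}
KEY_USAGE = {"digitalSignature", "keyEncipherment", "dataEncipherment"}

def parse_dn(dn):  # 'C=TN, O=TNGrid, OU=x, CN=y' -> ordered list of (attribute, value)
    return [tuple(p.strip().split("=", 1)) for p in dn.split(",") if "=" in p]

def check_subject(dn):
    """Return name-form violations; an empty list means the subject is compliant."""
    rdns = parse_dn(dn)
    if [a for a, _ in rdns] != ["C", "O", "OU", "CN"]:
        return ["RDN sequence must be exactly C, O, OU, CN"]
    v = dict(rdns)
    problems = [msg for ok, msg in ((v["C"] == "TN", "C must be TN"), (v["O"] == "TNGrid", "O must be TNGrid"),
                                    (bool(v["OU"]), "OU (organization name) must not be empty")) if not ok]
    if "/" in v["CN"]:  # host/FQDN or serviceName/FQDN
        prefix, fqdn = v["CN"].split("/", 1)
        if not prefix or not FQDN_RE.match(fqdn):
            problems.append("host/service CN must be '<host|serviceName>/<DNS FQDN>'")
    elif len(v["CN"].split()) < 2:
        problems.append("user CN must be Forename and Surname")
    return problems

def _ext(ext, name):  # (critical, set of values) for an extension in OpenSSL config style
    tokens = [t.strip() for t in ext.get(name, "").split(",") if t.strip()]
    critical = bool(tokens) and tokens[0] == "critical"
    return critical, set(tokens[1:] if critical else tokens)

def check_extensions(kind, ext):
    """Return profile violations for a 'user' or 'host' (host/service) certificate."""
    problems = []
    if _ext(ext, "basicConstraints") != (True, {"CA:FALSE"}):
        problems.append("basicConstraints must be 'critical, CA:FALSE'")
    if _ext(ext, "keyUsage") != (True, KEY_USAGE):
        problems.append("keyUsage must be critical: " + ", ".join(sorted(KEY_USAGE)))
    if _ext(ext, "extendedKeyUsage")[1] != PROFILE[kind]["eku"]:
        problems.append("extendedKeyUsage must be " + ", ".join(sorted(PROFILE[kind]["eku"])))
    if not ext.get("subjectAltName", "").startswith(PROFILE[kind]["san"]):
        problems.append("subjectAltName must be of type " + PROFILE[kind]["san"])
    return problems

def check_certificate(cert):  # classify by CN (slash => host/service), then run both checks
    kind = "host" if "/" in dict(parse_dn(cert["subject"])).get("CN", "") else "user"
    return check_subject(cert["subject"]) + check_extensions(kind, cert["extensions"])
```

A user certificate carrying the host profile (serverAuth, DNS SAN) is reported as two violations, and a non-critical basicConstraints is rejected even when its value is CA:FALSE.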

21 End Entity Certificates & Keys
- Certificate Renewal [CP/CPS 4.6]
  - TNGrid CA does not permit a certificate signing request with the same key as the previous certificate
- Certificate Re-key [CP/CPS 4.7.3]
  - After a certificate has been revoked, has expired, will expire within one month, or its private key is compromised
  - If the certificate has been revoked, expired, or compromised, it must follow the enrolment process

22 Certificate Revocation
- Can be requested by:
  - the certificate subscriber
  - any other entity presenting proof of knowledge of:
    - private key compromise
    - modification of the subscriber's data
- A certificate will be revoked in the following circumstances:
  - the subject of the certificate has ceased being an eligible end entity for certification
  - the subject does not require the certificate any more
  - the private key has been lost or compromised
  - the information in the certificate is wrong or inaccurate
  - the system to which the certificate has been issued has been retired
  - the subject has failed to comply with the rules of the TNGrid CP/CPS Policy

23 Certificate Revocation
Procedure for Revocation Request [CP/CPS 4.9.3]:
- A revocation request must be made:
  - by the owner of the certificate, in an e-mail signed with the private key associated with the (still not expired) certificate,
  - on behalf of the owner who has lost his/her private key, in an e-mail signed by an authorized person of the organization/unit that consented to the certificate,
  - by the RA, using a secure web interface
- The TNGrid CA must process revocation requests with the highest priority, within one working day [CP/CPS 4.9.5]

24 Certificate Revocation List
- Lifetime is 30 days [CP/CPS 4.9.7]
- CRL issuance [CP/CPS 4.9.7]
  - CRLs are issued after every certificate revocation
  - at least every month, 7 days before the month-long validity of the CRL has expired
- Available at the online repository:
  - http://www.tngrid.tn/pki/pub/crl/cacrl.crl
  - https://www.tngrid.tn/pki/pub/crl/cacrl.pem
- Version: X.509 v3 [CP/CPS 7.2]
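The issuance rule above (30-day CRL lifetime, a fresh CRL at least 7 days before the current one expires) is something a relying party and the CA operator can both monitor. The following added example (not TNGrid or OpenCA code) applies that rule to the dates that `openssl crl -in cacrl.pem -noout -lastupdate -nextupdate` prints for the published CRL; the sample output and the `utc()` helper are constructed for the example.

```python
# Added example, not TNGrid or OpenCA code. Applies the slide's CRL policy (30-day lifetime,
# reissue at least 7 days before nextUpdate) to the lastUpdate/nextUpdate lines printed by
# `openssl crl -in cacrl.pem -noout -lastupdate -nextupdate`. SAMPLE below is constructed.
from datetime import datetime, timedelta, timezone

CRL_LIFETIME = timedelta(days=30)
REISSUE_MARGIN = timedelta(days=7)       # a new CRL must be published this long before nextUpdate
OPENSSL_DATE = "%b %d %H:%M:%S %Y GMT"   # e.g. "Jan 16 14:27:25 2012 GMT"

def utc(year, month, day, hour=0):  # helper for building aware UTC timestamps
    return datetime(year, month, day, hour, tzinfo=timezone.utc)

def parse_openssl_dates(text):
    """Map the 'lastUpdate=...' / 'nextUpdate=...' lines to aware UTC datetimes."""
    out = {}
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if key in ("lastUpdate", "nextUpdate"):
            out[key] = datetime.strptime(value.strip(), OPENSSL_DATE).replace(tzinfo=timezone.utc)
    return out

def crl_status(dates, now):
    """Relying-party view: 'valid', 'expired' or 'not-yet-valid' relative to `now`."""
    if now < dates["lastUpdate"]:
        return "not-yet-valid"
    return "valid" if now < dates["nextUpdate"] else "expired"

def policy_findings(dates, now):
    """Operator view: does the CRL match the published policy, and is a reissue overdue?"""
    findings = []
    lifetime = dates["nextUpdate"] - dates["lastUpdate"]
    if lifetime > CRL_LIFETIME:
        findings.append(f"lifetime {lifetime.days}d exceeds policy {CRL_LIFETIME.days}d")
    reissue_by = dates["nextUpdate"] - REISSUE_MARGIN
    if now >= reissue_by:
        findings.append(f"reissue overdue since {reissue_by:%Y-%m-%d %H:%M} UTC")
    return findings

# Constructed sample of the OpenSSL output for a CRL fetched from
# https://www.tngrid.tn/pki/pub/crl/cacrl.pem (the URL published on the slide)
SAMPLE = "lastUpdate=Jan 16 14:27:25 2012 GMT\nnextUpdate=Feb 15 14:27:25 2012 GMT\n"

if __name__ == "__main__":
    d = parse_openssl_dates(SAMPLE)
    for now in (utc(2012, 1, 20), utc(2012, 2, 10), utc(2012, 2, 20)):
        print(now.date(), crl_status(d, now), policy_findings(d, now))
```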

25 Compromise and Disaster Recovery
- If the CA private key is (or is suspected to be) compromised [CP/CPS 5.7.1]:
  1. Inform the RA, subscribers and relying parties of which the CA is aware
  2. Terminate the certificate and CRL distribution services for certificates and CRLs issued using the compromised key
  3. Notify relevant security contacts
- If an RA Operator's private key is (or is suspected to be) compromised [CP/CPS 5.7.1]:
  - the RA Operator or Manager must inform the CA and request the revocation of the RA Operator's certificate
- If an Entity private key is compromised [CP/CPS 5.7.1]:
  - the RA has to be informed immediately in order to start the certificate revocation process

26 Publication & Repository
- The TNGrid CA will publish the following information on its website [CP/CPS 2.2]:
  - General information about the TNGrid CA
  - E-mail addresses for inquiries and fault reporting
  - Mailing address of the CA Administration location
  - TNGrid CA root certificate
  - PEM format of the TNGrid CA certificate
  - Issued certificates
  - Certificate Revocation List
  - CP/CPS document
- This web repository is available 24x7 on a best-effort basis

27 Achieved work
- Preparation of the CP/CPS document
- The CP/CPS was revised (3 times) by Feyza Eryol from TUBITAK ULAKBIM, Turkey
- Comments from Feyza were implemented
- Software for the CA setup (both for the online and the offline CA)
- Testing the CA:
  - Generate the CA private key
  - Issue CA certificates
  - Issue user certificates
  - Issue host certificates
- The online web repository is operational

28 http://www.tngrid.tn/index/ca

29 https://www.tngrid.tn/pki/pub/

30 Thanks for your attention
