Presentation is loading. Please wait.

Presentation is loading. Please wait.

OSG PKI RA Training Mine Altunay, Jim Basney OSG PKI Team October 1, 2012.

Published byHilary Stephens Modified over 9 years ago

Similar presentations

Presentation on theme: "OSG PKI RA Training Mine Altunay, Jim Basney OSG PKI Team October 1, 2012."— Presentation transcript:

1 OSG PKI RA Training Mine Altunay, Jim Basney OSG PKI Team October 1, 2012

2 The OSG PKI Transition from DOEGrids CA to OSG PKI. – Registration Authority Agents (RA Agent)/Grid Admins (GA) will interface directly with OSG and OSG Information Management System (OIM). – The back end CA, DigiCert CA, is invisible to RA Agents and GAs for their work. – Most of the RA Agent/GA functions remain the same. New user interface at OSG OIM, but basic functionalities are the same Using GOC ticketing system instead of mailing lists – Separation of RA Agent and GA duties: RA Agents only approve User certs, does not approve host certs anymore. GAs only approve host certs. – An RA Agent can be assigned to one or more VOs A GA can be assigned to one or more network domains (e.g. fnal.gov) and a domain can be approved by one or more GAs A person can be an RA Agent and GA simultaneously 10/1/122OSG PKI RA Training

3 The OSG PKI A GA can be assigned to one or more network domains (e.g. fnal.gov) and a domain can be approved by one or more GAs A person can be an RA Agent and GA simultaneously Quotas for the number of certificates: There is no quota for RA agent Each user can request up to 25 per year For GridAdmin, it's 50 per day, 1000 per year. 10/1/123OSG PKI RA Training

4 Training Goals and Outline Perform the RA Agent duties in OSG PKI. You will also act as an non-privileged user briefly. – Everything we perform in training is in ITB instance. No Production certs will be issued. – Request to become an RA Agent – Request a test cert for yourself, acting as a non-privileged user. – Approve the cert as an RA Agent – Revoke the cert as an RA Agent. Go over the policies and requirements of the new PKI After the training, request to become an RA Agent in the Production system. 10/1/124OSG PKI RA Training

5 Request to Become a RA Agent Check if you already done this: – Go to https://oim-itb.grid.iu.edu/oim/homehttps://oim-itb.grid.iu.edu/oim/home – Under your VOs, you should be listed as an RA Agent If you are not an RA Agent yet, request it now – Visit https://oim-itb.grid.iu.edu/oim/vo, select your VO, then click the "Request for RA Enrollment" button in the upper right hand corner, and complete the form.https://oim-itb.grid.iu.edu/oim/vo Read the Agreement before you click yes. Tell us what you think about it. Agreement can be found at https://twiki.grid.iu.edu/bin/view/Operations/OSGPKITrustedAgent 10/1/125OSG PKI RA Training

6 Request a Test User Cert Request a user certificate: Go to https://oim- itb.grid.iu.edu/oim/certificaterequestuser.https://oim- itb.grid.iu.edu/oim/certificaterequestuser You will do this as a normal non-privileged user. In the CN field, add “RA Training” next to your name. Select your VO. Check the "I AGREE" box and click Submit. 10/1/126OSG PKI RA Training

7 Approve the Test User Cert You are acting as an RA Agent. Check your email for a message from OSG containing: "An OIM Authenticated user... has requested a user certificate. Please determine this request's authenticity, and approve / disapprove at URL.” Look for a email from “FootPrints” Open the URL from the email message. (Your browser might already be on the right page.) For Training, we will NOT email sponsors, but normally, you will: Select a Sponsor who is best suited to perform the identity vetting. You can find sponsors at https://oim-itb.grid.iu.edu/oim/vo. Click on your VO and capture the list of Sponsors. All sponsors are cc’ed on the ticket, you should clarify which sponsor is responsible for vettinghttps://oim-itb.grid.iu.edu/oim/vo 10/1/127OSG PKI RA Training

8 Approve the Test User Cert When sponsor responds with a signed email about their decision, go to https://oim-itb.grid.iu.edu/oim/certificateuserhttps://oim-itb.grid.iu.edu/oim/certificateuser Under “User Certificate Requests that I Approve”, click on the request. In the Action Note Field, write down the sponsors name and his/her response. For training, we do not use the sponsors. Just type "OSG RA Training” in the Action Note Field and click the Approve button. No need to send a separate email to GOC ticketing system (or update GOC ticket) or to osg-ra@opensciencegrid.org. Action note will be added to the corresponding GOC ticket automatically. Email osg-ra email list if you have questions & need help. 10/1/12OSG PKI RA Training8

9 Retrieve the Test Cert Back to being a regular non-privileged user. Check your email for a message from OSG containing: "To retrieve your certificate please visit the URL” Open the URL from the email message. (Your browser might already be on the right page.) Enter a 12 character or longer password / pass phrase. Click the "Issue Certificate" button. Click the "Download Certificate & Private Key" button. 10/1/129OSG PKI RA Training

10 Revoke the Test Cert Revoke the cert with your RA Agent privileges. Review circumstances under which RA Agents should revoke certificates. https://twiki.grid.iu.edu/bin/view/Security/NewOSGPKI https://twiki.grid.iu.edu/bin/view/Security/NewOSGPKI Open https://oim-itb.grid.iu.edu/oim/certificatesearchuser.https://oim-itb.grid.iu.edu/oim/certificatesearchuser Click the "Others" tab. Enter your name in "DN Contains" and click the "Search" button. Click on the line for your certificate. Enter an "Action Note" ("OSG RA Training") and click the "Revoke" button. Do not forget to remove the test certificate from your browser. It is only good for testing environment 10/1/1210OSG PKI RA Training

11 After the training: Request a User cert in Production System Obtain a real user certificate from https://oim.grid.iu.edu/oim/certificaterequestuse r. https://oim.grid.iu.edu/oim/certificaterequestuse r Note the difference between OIM-ITB and OIM Apply to become an OSG RA Agent. Go to https://oim.grid.iu.edu/oim/vo Select your VO and then click “Request for RA Enrollment" button in the upper right hand corner, and complete the form. https://oim.grid.iu.edu/oim/vo 10/1/1211OSG PKI RA Training

12 New Distinguished Names: Will NOT Affect the RAs, but affect your VOs Certificates from new OSG PKI will have new Distinguished Names – Users will need to register new certificate DNs in VOMS Current DOEGrids DNs: – Issuer: /DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1 – Subject: /DC=org/DC=doegrids/OU=People/CN=full name DOEGRIDS-ID# New OSG PKI DNs: – Issuer: /DC=com/DC=DigiCert-Grid/O=DigiCert Grid/CN=DigiCert Grid CA-1 – Subject: /DC=com/DC=DigiCert-Grid/O=Open Science Grid/OU=People/CN=full name OSG-OIM-ID# More details at: https://twiki.grid.iu.edu/bin/view/Security/DOEGrids2DigiCertDNTransitio n https://twiki.grid.iu.edu/bin/view/Security/DOEGrids2DigiCertDNTransitio n Testing so far has found no issues related to this DN change

13 End of the Training You are now Ready to handle production requests DOEGrids CA will shut down in mid-March and transition will start slowly after that – As users certs expire, they will start using OSG PKI Useful URLs: – https://twiki.grid.iu.edu/bin/view/Security/OSGPKITraining https://twiki.grid.iu.edu/bin/view/Security/OSGPKITraining – https://twiki.grid.iu.edu/bin/view/Security/NewOSGPKI – https://twiki.grid.iu.edu/bin/view/Operations/OSGPKITrust edAgent https://twiki.grid.iu.edu/bin/view/Operations/OSGPKITrust edAgent 10/1/1213OSG PKI RA Training

Download ppt "OSG PKI RA Training Mine Altunay, Jim Basney OSG PKI Team October 1, 2012."

Similar presentations

Help File For User Creation Click the “Course” button for Creating/Add User.

Help File For User Creation Click the “Course” button for Creating/Add User.
Using the UIM – A guide for Pharmacies. Creating a New User Ref to UIM helpsheet.

Using the UIM – A guide for Pharmacies. Creating a New User Ref to UIM helpsheet.
User Registration. Click on ‘Sign Up’ button. Enter Registration details and click on submit button.

User Registration. Click on ‘Sign Up’ button. Enter Registration details and click on submit button.
Northwest Nazarene University introduces PDLearn The CPD’s web access course selection and registration system for students and instructors Affiliated.

Northwest Nazarene University introduces PDLearn The CPD’s web access course selection and registration system for students and instructors Affiliated.
Grid Computing Basics From the perspective of security or An Introduction to Certificates.

Grid Computing Basics From the perspective of security or An Introduction to Certificates.
Steps to Recover Private Encryption Keys

Steps to Recover Private Encryption Keys
This demonstration will help you understand and perform (Internet Explorer Users: Click Browse, then Full Screen, to enlarge your view of this presentation.)

This demonstration will help you understand and perform (Internet Explorer Users: Click Browse, then Full Screen, to enlarge your view of this presentation.)
SPOT Registration and Log in Quick Guide The SPOT quick guide is targeted to provide the three main community users, Contractor Company, Government Organization,

SPOT Registration and Log in Quick Guide The SPOT quick guide is targeted to provide the three main community users, Contractor Company, Government Organization,
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
Summer School Certificates Diego Romano & Gilda Team.

Summer School Certificates Diego Romano & Gilda Team.
HP Asset Hub Support through Service Central

HP Asset Hub Support through Service Central
This demonstration will help you understand and perform (Internet Explorer Users: Click Browse, then Full Screen, to enlarge your view of this presentation.)

This demonstration will help you understand and perform (Internet Explorer Users: Click Browse, then Full Screen, to enlarge your view of this presentation.)
OSG Area Coordinators Meeting Security Team Report Mine Altunay 01/29/2014.

OSG Area Coordinators Meeting Security Team Report Mine Altunay 01/29/2014.
Role of Account Management at ERCOT Market Participant Identity Management Overview (MPIM)

Role of Account Management at ERCOT Market Participant Identity Management Overview (MPIM)
UNAMgrid CA Juan Carlos Guel UNAM, México. Alejandro Núñez UNAM, México. Israel Becerril UNAM, México. DGSCA UNAM 31/08/06.

UNAMgrid CA Juan Carlos Guel UNAM, México. Alejandro Núñez UNAM, México. Israel Becerril UNAM, México. DGSCA UNAM 31/08/06.
OSG PKI Grid Admin (GA) Training Mine Altunay, Jim Basney OSG PKI Team October 8, 2012.

OSG PKI Grid Admin (GA) Training Mine Altunay, Jim Basney OSG PKI Team October 8, 2012.
CILogon OSG CA Mine Altunay Jim Basney TAGPMA Meeting Pittsburgh May 27, 2015.

CILogon OSG CA Mine Altunay Jim Basney TAGPMA Meeting Pittsburgh May 27, 2015.
OSG Area Coordinators Meeting Security Team Report Mine Altunay 12/21/2011.

OSG Area Coordinators Meeting Security Team Report Mine Altunay 12/21/2011.
OSG Area Coordinators Meeting Security Team Report Mine Altunay 06/25/2014.

OSG Area Coordinators Meeting Security Team Report Mine Altunay 06/25/2014.
OSG RA plans Doug Olson, LBNL May 2006. 2 Contents RA, agent, sponsor layout & OU=People use case Sample web form Agent Role GridAdmin Role Questions.

OSG RA plans Doug Olson, LBNL May Contents RA, agent, sponsor layout & OU=People use case Sample web form Agent Role GridAdmin Role Questions.

Similar presentations

Ads by Google