USCGrid: KX.509 & Enterprise Security
http://www.usc.edu/uscgrid
http://www.usc.edu/authx
Shelley Henderson, Project Manager, Grid Software, USC Information Services, shelley@usc.edu
Copyright Shelley Henderson 2003. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
November 2003, NMI Integration Workshop - KX.509
Outline:
KX.509 as an alternative
Specific experience with KX.509 at USC
KX.509 & Campus Certificate Policies
KX.509 as an alternative
Q: What if your enterprise already has a non-PKI authentication mechanism in place? Can an existing security mechanism be leveraged to get the user population on the grid? Or does an entire parallel PKI mechanism need to be created?
A: If your existing enterprise authentication mechanism is Kerberos, the answer is KX.509. KX.509 lets you authenticate to Kerberos and then create a proxy certificate from the short-lived X.509 certificate that a Kerberized certificate authority (KCA) issues against your Kerberos ticket. Suddenly, everyone with a Kerberos credential is grid-enabled.
A: If your existing enterprise authentication mechanism is not Kerberos, the answer may be a proposed follow-up to KX.509, a general credential converter.
Q: What about server certificates? Can I use Kerberos to create those?
A: Kerberos does not affect server certificates. KX.509 issues certificates only to users holding Kerberos tickets, so host and service certificates must still be generated or acquired the 'old-fashioned way', for instance by purchasing one through Verisign.
Specific experience with KX.509 at USC
Q: What does USC's KX.509 setup look like?
A: USCGrid is comprised of a Beowulf cluster, a Sun Fire 15K called almaak.usc.edu, and a recently upgraded Condor pool made up of 110 Unix workstations in a public user room.
A: Kerberos and KX.509 are directly available through an NFS-mounted file system, /usr/usc, to anyone with a Solaris or Linux workstation. Those with PCs or Macs must ssh to a Unix timesharing system, such as almaak.
A: The KCA runs on hpc-master.usc.edu, the head node for our gajillion-node Beowulf cluster.
Q: To use locally-controlled grid resources, a user must be added to the grid mapfile. KX.509 users don't have a long-lived public certificate; the KCA issues them a fresh short-lived one each time they run kx509. How can they be added to a grid mapfile?
A: We have a fairly simple-minded method currently for users to follow to request that they be added to the USCGrid mapfile. Each user must send an email message containing a copy of his or her kx509 certificate to the USCGrid administrator.
A: Example:
    almaak.usc.edu(23): source /usr/usc/nmi/default/setup.csh
    almaak.usc.edu(24): kinit
    Password for shelley@ISD.USC.EDU:
    almaak.usc.edu(25): kx509
    almaak.usc.edu(26): kxlist -p
    Service kx509/certificate
    issuer= /C=US/ST=California/L=Los Angeles/O=University of Southern California/CN=usc.edu
    subject= /C=US/ST=California/L=Los Angeles/O=University of Southern California/OU=usc.edu/CN=ucs/USERID=ucs/Email=ucs@USC.EDU
    serial=A8
    hash=e6078654
    almaak.usc.edu(27): grid-proxy-info | \
        mail -s "add me to grid mapfile" \
        sysadmin@usc.edu
A: The Unix sysadmin can then add an entry to the grid mapfile using the information from grid-proxy-info (the certificate subject, quoted, followed by the local account it maps to):
    "/C=US/ST=California/L=Los Angeles/O=University of Southern California/OU=usc.edu/CN=shelley/USERID=shelley/Email=shelley@USC.EDU" shelley
Because the request arrives by ordinary, unauthenticated e-mail, the local account should be the one named in the DN's USERID field, which the KCA derived from the user's Kerberos principal, rather than whatever account the message asks for.
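How an administrator might vet such a request before editing the mapfile, as an added example (not code from the presentation, from KX.509 or from Globus). It assumes the DN layout the slides show for USC's KCA (issuer CN=usc.edu, user subjects under /OU=usc.edu/ with CN and USERID both equal to the login name) and the 'key : value' line layout of GT2-era grid-proxy-info output; the sample request and sample mapfile are constructed. Two checks matter: the mail proves nothing by itself, so the account granted must be the one the KCA put in the DN; and grid-proxy-info prints the proxy subject, whose trailing /CN=proxy must be stripped before the DN goes into the mapfile, or the next proxy the user generates will not match.

```python
"""Vet an 'add me to grid mapfile' request and produce the mapfile line.

Added example, not code from the presentation, from KX.509 or from Globus.
Assumed: USC KCA naming as printed by kxlist -p on the slides, and the
GT2-style 'key : value' output of grid-proxy-info.
"""
import re
from typing import Dict, List, Optional, Tuple

# Naming expected from the campus KCA (copied from the kxlist -p output on the slides).
KCA_ISSUER = ("/C=US/ST=California/L=Los Angeles"
              "/O=University of Southern California/CN=usc.edu")
USER_ARC = ("/C=US/ST=California/L=Los Angeles"
            "/O=University of Southern California/OU=usc.edu/")

_RDN_SPLIT = re.compile(r"/(?=[A-Za-z][A-Za-z0-9.]*=)")  # a '/' that starts a new attr=value
_MAP_LINE = re.compile(r'^\s*"([^"]+)"\s+(\S+)\s*$')       # "DN" localuser[,localuser]


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an OpenSSL one-line DN ('/C=US/ST=...') into ordered (attr, value) pairs."""
    if not dn.startswith("/"):
        raise ValueError("DN must start with '/': %r" % dn)
    pairs = []
    for rdn in _RDN_SPLIT.split(dn[1:]):
        attr, _, value = rdn.partition("=")
        if not attr or not value:
            raise ValueError("malformed RDN %r in %r" % (rdn, dn))
        pairs.append((attr, value))
    return pairs


def identity_from_subject(subject: str) -> str:
    """Strip trailing proxy CNs ('proxy', 'limited proxy', or a number) from a subject.

    grid-proxy-info prints the proxy subject: the certificate subject with one
    such CN appended per delegation.  The mapfile needs the certificate subject.
    """
    pairs = parse_dn(subject)
    while pairs and pairs[-1][0] == "CN" and (
            pairs[-1][1] in ("proxy", "limited proxy") or pairs[-1][1].isdigit()):
        pairs.pop()
    return "".join("/%s=%s" % p for p in pairs)


def mapfile_entry(subject: str, local_user: str, kca_issuer: Optional[str] = None) -> str:
    """Return '"<identity>" <local_user>' or raise ValueError.

    What binds the request to a campus identity is the DN the KCA derived from
    the Kerberos principal, so the account granted must be the one named in it.
    """
    if kca_issuer is not None and kca_issuer != KCA_ISSUER:
        raise ValueError("certificate not issued by the campus KCA: %s" % kca_issuer)
    identity = identity_from_subject(subject)
    if not identity.startswith(USER_ARC):
        raise ValueError("subject outside the KCA user naming arc: %s" % identity)
    attrs = dict(parse_dn(identity))
    if attrs.get("CN") != attrs.get("USERID"):
        raise ValueError("CN and USERID disagree in %s" % identity)
    if attrs.get("USERID") != local_user or not re.fullmatch(r"[a-z][a-z0-9_-]*", local_user):
        raise ValueError("refusing to map %s to account %r" % (identity, local_user))
    return '"%s" %s' % (identity, local_user)


def parse_fields(text: str) -> Dict[str, str]:
    """Collect 'key : value' (grid-proxy-info) and 'key=value' (kxlist -p) lines."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z]+)\s*[:=]\s*(.+?)\s*$", line)
        if m:
            fields[m.group(1).lower()] = m.group(2)
    return fields


def entry_from_request(mail_body: str, local_user: str) -> str:
    """Checked mapfile line from pasted grid-proxy-info or kxlist -p output."""
    f = parse_fields(mail_body)
    subject = f.get("identity") or f.get("subject")
    if subject is None:
        raise ValueError("request carries no subject/identity line")
    # grid-proxy-info's 'issuer' is the user's own certificate (it signed the proxy);
    # only an issuer outside the user arc can be the KCA and is checked as such.
    issuer = f.get("issuer")
    kca = issuer if issuer and not issuer.startswith(USER_ARC) else None
    return mapfile_entry(subject, local_user, kca)


def merge_mapfile(mapfile_text: str, entry: str) -> str:
    """Append entry unless present; refuse if the DN already maps to another account."""
    dn, user = _MAP_LINE.match(entry).groups()
    for n, line in enumerate(mapfile_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _MAP_LINE.match(line)
        if not m:
            raise ValueError("line %d is not a grid-mapfile entry: %r" % (n, line))
        if m.group(1) == dn:
            if m.group(2) != user:
                raise ValueError("DN already mapped to %r on line %d" % (m.group(2), n))
            return mapfile_text
    sep = "" if not mapfile_text or mapfile_text.endswith("\n") else "\n"
    return mapfile_text + sep + entry + "\n"


# Constructed sample request: what `grid-proxy-info | mail` delivers for user shelley.
SAMPLE_REQUEST = """\
subject  : /C=US/ST=California/L=Los Angeles/O=University of Southern California/OU=usc.edu/CN=shelley/USERID=shelley/Email=shelley@USC.EDU/CN=proxy
issuer   : /C=US/ST=California/L=Los Angeles/O=University of Southern California/OU=usc.edu/CN=shelley/USERID=shelley/Email=shelley@USC.EDU
type     : full legacy globus proxy
timeleft : 11:58:02
"""
# Constructed existing mapfile with one other KX.509 user already in it.
SAMPLE_MAPFILE = ('"/C=US/ST=California/L=Los Angeles/O=University of Southern California'
                  '/OU=usc.edu/CN=ucs/USERID=ucs/Email=ucs@USC.EDU" ucs\n')

if __name__ == "__main__":
    print(merge_mapfile(SAMPLE_MAPFILE, entry_from_request(SAMPLE_REQUEST, "shelley")), end="")
    try:
        entry_from_request(SAMPLE_REQUEST, "root")  # same request, wrong account
    except ValueError as e:
        print("rejected:", e)
```

The same functions accept the kxlist -p output shown earlier, where the issuer line is the KCA itself and is checked against KCA_ISSUER. The DN parser treats every '/' followed by attr= as an RDN boundary, which is exact for the USC naming shown but would mis-split a value that itself contains such a sequence.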
Q: How hard is it to install and maintain KX.509?
A: KX.509 is my favorite NMI component. You install it, no problem. Then it runs. Really.
KX.509 & Campus Certificate Policies
Q: What about certificate policies? Do I still have to implement certificate policies if we use KX.509?
A: KX.509 doesn't buy you out of dealing with certificate policies. In a small way, it's harder to cross-certify because you're 'different'. We're working on this with 'the security community'; stay tuned.
Disclaimer
I would like to thank everyone involved in the USC NMI effort, and disclaim any credit for all the good stuff that's been done. I'm just a project manager; I don't do any useful work!