Presentation is loading. Please wait.

Presentation is loading. Please wait.

OSG Area Coordinators Meeting Security Team Report Mine Altunay 04/02/2014.

Published byCamilla Simon Modified over 9 years ago

Similar presentations

Presentation on theme: "OSG Area Coordinators Meeting Security Team Report Mine Altunay 04/02/2014."— Presentation transcript:

1 OSG Area Coordinators Meeting Security Team Report Mine Altunay 04/02/2014

2 Key Initiatives Glow VO submitting certificate-free jobs – Completed the review of Glow VO – Found some issues Two kinds of submit node: PI-Managed and CHTC-managed CHTC-managed nodes were straightforward. Single policy and user management process. PI-managed nodes are diverse, dependent on PI’s practices – Made some changes to GLOW submission mechanism. Created two separate job queues. Only CHTC_managed nodes can submit jobs to Fermilab without certificates. – Most users and PIs prefer to use CHTC-managed nodes, so this is not a huge drawback – Moved into production. – Expected to benefit 607 users in Glow. – Very positive feedback from GLOW admins so far.

3 Glow VO Job Stats Number of Glideins from Glow running on all OSG sites. The dark salmon color is FNAL, not SWT2. The number of jobs running on FNAL increasing

4 Glow Glideins at FNAL during the last month Disregard data before week11. We started on FNAL at week 11 FNAL providing a significant amount of Glideins for Glow Glow Glideins at all OSG sites during the last month

5 Key Initiatives News from CILogon Basic CA – The new IGTF profile IOTA had been approved and included in the new IGTF release. – CILogon Basic CA will complete its accreditation under this profile soon. – What this means is we will soon have CILogon Basic CA as part of our standard IGTF distribution as an accredited CA. – Once the accreditation is complete, we want to push even more users to utilize this CA

6 IDM Roadmap OSG IDM Roadmap revisited before DigiCert current contract expiry – First, we will renew our contract with DigiCert for a year or two. So, no worries about sudden changes – Two questions from Lothar triggered our work: What would happen to OSG stakeholders if we stop to provide certificates? Can we get certificates somewhere other than DigiCert? – We created a short-term roadmap, OSG-doc-1185, answering these questions in detail. Please read the document for details.

7 IDM Roadmap What would happen to OSG Stakeholders if OSG stops to provide certificates? VOImpact on User CertsImpact on Host Certs LHC (Atlas, CMS, Alice)NoneYes, need 3500 certs Fermilab VONoneYes, need host certs OSG VOSome –10, 15% of users will need certs, but can switch to CILogon CA Yes, needs 100 certs DOSARSome – only 20 users. Can switch to CILogon CA Yes, Needs a small amount GLOWSome, but can switch to CILogon CA Yes, needs 100 certs

8 IDM Roadmap What would happen to OSG Stakeholders if OSG stops to provide certificates? – User certs has no impact. Few VOs dependent on OSG CA and they do not have any accreditation requirements. So, they can switch to CILogon Basic CA if needed. All other VOs can already get certs form alternative resources, Fermi KCA, CERN CA, etc. – The real issue is the host certs. Everyone is dependent on OSG CA and no VO has an alternative to get certs from.

9 IDM Roadmap Can we get certificates somewhere else? Yes: – CILogon Net HSM service – Commercial Retail CAs – InCommon Certificate Service – Operating our own Backend CA – Operating our intermediate CA

10 SolutionProsCons CILogon Net HSMSame functionality as DigiCert. No changes to OIM. Free (for 1.5 years at least). Can start using in 2 months. No changes to OIM or command line clients Uncertain future funding Commercial Retail CAs Per cert cost $10.00. automated process, issues certs in minutes. World-wide trusted CAs. Requires DNS domain ownership. Hard to prove for our site admins. Sites has to write new tools to manage hundreds of host certs InCommon Cert Service Unlimited certs for InCommon members. Getting IGTF accreditation. Not all OSG sites are members. For FNAL and BNL the membership fee would be 50K/year for 3 year subscription. Changes to command line tools Our Own BackEnd CA Same work as Digicert or CILogon NetHSM. No changes to OIM or command line clients Implementation and Maintenance costs Our Intermediate CASimilar to BackEnd CA. No changes to OIM or command line clients Implementation and Maintenance costs

11 IDM Roadmap CILogon Net HSM is the best option. We note the concern about future funding commitments. – Same set of services we get from DigiCert with minimal changes to Frontend – Started a prototype. Instantiating a new HSM service instance for OSG. Will use the same OIM invocation methods. No changes to the command line clients. If CILogon NET HSM option does not work, then we want to try to set up our own HSM service. If our own HSM does not work out, we should continue with DigiCert CA.

12 IDM Roadmap While completing the Net HSM experiment, our goal is still to eliminate user certs or make them completely hidden from users 1st step is to add an OSG Identity Provider hooked into the OIM. Soichi already had a prototype IdP working. This will be used for onboarding OSG users into OSGConnect. It will also be used for obtaining CILogon Basic certs when needed. 2 nd step is to add a username/passwd access to OIM. So anyone who just needs access to twiki, docdb, OIM, can do so without certs.

13 IDM Roadmap 3 rd step is to access storage elements without user certificates. – Similar to Traceability project, but only for storage elements We will continue to move VOs to certificate- free submission mode.

14 Operational Security Next IGTF release has lots of new things – DOEGrids CA is removed. – New DigiCert trust rots with SHA-2 certs are added – Dropping the old layout– incompatible with sha-2.

Download ppt "OSG Area Coordinators Meeting Security Team Report Mine Altunay 04/02/2014."

Similar presentations

OSG PKI RA Training Mine Altunay, Jim Basney OSG PKI Team October 1, 2012.

OSG PKI RA Training Mine Altunay, Jim Basney OSG PKI Team October 1, 2012.
OSG Area Coordinators Meeting Security Team Report Mine Altunay 05/15/2013.

OSG Area Coordinators Meeting Security Team Report Mine Altunay 05/15/2013.
Jan 2010 Current OSG Efforts and Status, Grid Deployment Board, Jan 12 th 2010 OSG has weekly Operations and Production Meetings including US ATLAS and.

Jan 2010 Current OSG Efforts and Status, Grid Deployment Board, Jan 12 th 2010 OSG has weekly Operations and Production Meetings including US ATLAS and.
WebFTS as a first WLCG/HEP FIM pilot

WebFTS as a first WLCG/HEP FIM pilot
WLCG Security TEG, risks and Identity Management David Kelsey GridPP28, Manchester 18 Apr 2012.

WLCG Security TEG, risks and Identity Management David Kelsey GridPP28, Manchester 18 Apr 2012.
Key Accomplishments and Work Plans OSG Security Team July 11, 2012.

Key Accomplishments and Work Plans OSG Security Team July 11, 2012.
CA Stuff Jens Jensen Dave Meredith John Kewley GridPP31, Imperial, London Sept. 2013.

CA Stuff Jens Jensen Dave Meredith John Kewley GridPP31, Imperial, London Sept
F Run II Experiments and the Grid Amber Boehnlein Fermilab September 16, 2005.

F Run II Experiments and the Grid Amber Boehnlein Fermilab September 16, 2005.
OSG Area Coordinators Meeting Security Team Report Mine Altunay 01/29/2014.

OSG Area Coordinators Meeting Security Team Report Mine Altunay 01/29/2014.
Key Project Drivers - FY11 Ruth Pordes, June 15th 2010.

Key Project Drivers - FY11 Ruth Pordes, June 15th 2010.
OSG PKI Grid Admin (GA) Training Mine Altunay, Jim Basney OSG PKI Team October 8, 2012.

OSG PKI Grid Admin (GA) Training Mine Altunay, Jim Basney OSG PKI Team October 8, 2012.
CILogon OSG CA Mine Altunay Jim Basney TAGPMA Meeting Pittsburgh May 27, 2015.

CILogon OSG CA Mine Altunay Jim Basney TAGPMA Meeting Pittsburgh May 27, 2015.
OSG Area Coordinators Meeting Operations Rob Quick 2/22/2012.

OSG Area Coordinators Meeting Operations Rob Quick 2/22/2012.
OSG Area Coordinators Meeting Security Team Report Kevin Hill 08/14/2013.

OSG Area Coordinators Meeting Security Team Report Kevin Hill 08/14/2013.
OSG Security Review Mine Altunay June 19, 2008. June 19, 2008 2 Security Overview Current Initiatives  Incident response procedure – top priority (WBS.

OSG Security Review Mine Altunay June 19, June 19, Security Overview Current Initiatives  Incident response procedure – top priority (WBS.
OSG Area Coordinators Meeting Security Team Report Mine Altunay 12/21/2011.

OSG Area Coordinators Meeting Security Team Report Mine Altunay 12/21/2011.
OSG Area Coordinators Meeting Security Team Report Mine Altunay 06/25/2014.

OSG Area Coordinators Meeting Security Team Report Mine Altunay 06/25/2014.
OSG Site Provide one or more of the following capabilities: – access to local computational resources using a batch queue – interactive access to local.

OSG Site Provide one or more of the following capabilities: – access to local computational resources using a batch queue – interactive access to local.
12-May-03D.P.Kelsey, SCG Online Authentication1 Online Authentication SCG Meeting EDG Barcelona, 12 May 2003 David Kelsey CCLRC/RAL, UK

12-May-03D.P.Kelsey, SCG Online Authentication1 Online Authentication SCG Meeting EDG Barcelona, 12 May 2003 David Kelsey CCLRC/RAL, UK
OSG Security Kevin Hill. Goals Operational Security – Identify software vulnerabilities – observing the practices of our VOs and sites, and sending alerts.

OSG Security Kevin Hill. Goals Operational Security – Identify software vulnerabilities – observing the practices of our VOs and sites, and sending alerts.

Similar presentations

Ads by Google