1 GGF15 Workshop MyProxy Integration with PubCookie
Marty Humphrey*, Jim Jokl*, and Jim Basney**
*Department of Computer Science, University of Virginia, Charlottesville, VA
**NCSA/University of Illinois, Urbana-Champaign, IL
Supported by: NSF Next Generation Software (NSF NGS), NSF Middleware Initiative (NMI), San Diego Supercomputing Center

2 GGF15 Workshop The Challenge
- I have a dream… Opportunistically expand campus researchers’ local resources to “The Grid”
- [Security] Problem: Relatively little of campus is PKI-enabled
- Grid is (largely) PKI (GSI)
- Goal: Leverage existing site (campus) authentication infrastructure
- Approach: integrate PubCookie and MyProxy

3 GGF15 Workshop PubCookie

4 GGF15 Workshop PubCookie in Action (1)
[Diagram labels: Your IIS or Apache Web Server; Campus Login Server; End-User PC; Pubcookie Apache Module or ISAPI Filter]
From Tom Jordon, UW-Madison

5 GGF15 Workshop PubCookie in Action (2)
[Diagram labels: Your IIS or Apache Web Server; Campus Login Server; End-User PC; Pubcookie Apache Module or ISAPI Filter; "Authenticated to Central Login Server? -- Nope"]
From Tom Jordon, UW-Madison

6 GGF15 Workshop PubCookie in Action (3)
[Diagram labels: Your IIS or Apache Web Server; Campus Login Server; End-User PC; Pubcookie Apache Module or ISAPI Filter; Redirect; Login; Logged In]
From Tom Jordon, UW-Madison

7 GGF15 Workshop PubCookie in Action (4)
[Diagram labels: Your IIS or Apache Web Server; Campus Login Server; End-User PC; Pubcookie Apache Module or ISAPI Filter; Redirect; Logged In; "Authenticated to Central Login Server? -- Yep"; Access Allowed]
From Tom Jordon, UW-Madison

8 GGF15 Workshop PubCookie in Action (5)
[Diagram labels: Your IIS or Apache Web Server; Campus Login Server; End-User PC; Pubcookie Apache Module or ISAPI Filter; Another IIS or Apache Web Server; PC; Pubcookie Apache Module or ISAPI Filter; Logged In; "Authenticated to Central Login Server? -- Yep"; Access Allowed]
From Tom Jordon, UW-Madison

9 GGF15 Workshop PubCookie/MyProxy Integration
[Diagram labels: Browser; Pubcookie Login Server; Campus Authentication Server; MyProxy Server; Pubcookie-enabled Application Server; Grid request; step numbers 1 to 12, with 8 and 9 marked (SSL)]

15 Technical Details
- 3 main cookies involved in PubCookie (http://www.pubcookie.org/docs/how-pubcookie-works.html)
- Granting cookie: “contains the authenticated username and some other items”
- Granting cookie is signed by the PubCookie login server and encrypted with a symmetric key shared between the app server and the PubCookie login server
- Login cookie: “scoped to the login server and will be used on any subsequent visits by the user to the login server”
- Opaque to the client – only the login server can decrypt
- Session cookie: scoped to the app server
- Problem: granting cookie does not persist

16 GGF15 Workshop Software Development
- No mods to the MyProxy Client
- Upload creds via normal mechanism
- Presents the granting cookie in the “password” field
- Mods to MyProxy server to be able to decrypt and verify signature on pubcookie
- Mods to portal (uPortal) to keep the granting cookie
- Issue: JSR 168 does not deal well with cookies
- Note: we cannot use the granting cookie as the password directly

17 GGF15 Workshop Cleartext in MyProxy Server?
- Yes, in this instantiation
- We are not unique in this regard
- Alternative: Use the granting cookie as the basis to generate/retrieve user-specific [large] passphrase, like so…

18 GGF15 Workshop PubCookie/MyProxy Integration
[Diagram labels: Browser; Pubcookie Login Server; Campus Authentication Server; MyProxy Server; Pubcookie-enabled Application Server; Password server; Grid request; step numbers 1 to 13, with 8 and 9 next to the Password server and 10 and 11 marked (SSL)]
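
The alternative on slides 17 and 18, sketched as an added example (not code from the presentation, MyProxy or Pubcookie): a password server validates the granting cookie and only then returns a stable per-user passphrase, so the passphrase survives even though each granting cookie is short-lived. The token layout, key names, function names and freshness window are assumptions, and HMAC-SHA256 stands in for Pubcookie's real signing and encryption.

```python
import base64, hashlib, hmac, json

# Constructed keys; HMAC-SHA256 stands in for the real Pubcookie signature.
LOGIN_SERVER_KEY = b"constructed-login-server-key"
PASSWORD_SERVER_SECRET = b"constructed-password-server-secret"
MAX_AGE_SECONDS = 300  # assumed freshness window for a granting token


def issue_granting_token(user, app_server, issued_at):
    """Login-server side: hypothetical stand-in for a signed granting cookie."""
    body = json.dumps({"user": user, "app": app_server, "iat": issued_at},
                      sort_keys=True).encode()
    tag = hmac.new(LOGIN_SERVER_KEY, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body).decode() + "." + tag.hex()


def verify_granting_token(token, claimed_user, app_server, now):
    """True only for an untampered, fresh token issued for this user and app."""
    try:
        body_b64, tag_hex = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        tag = bytes.fromhex(tag_hex)
    except ValueError:
        return False
    expected = hmac.new(LOGIN_SERVER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # check signature before parsing
        return False
    claims = json.loads(body)
    fresh = 0 <= now - claims["iat"] <= MAX_AGE_SECONDS
    return fresh and claims["user"] == claimed_user and claims["app"] == app_server


def passphrase_for(token, claimed_user, app_server, now):
    """Password-server side: stable per-user passphrase, or None on failure."""
    if not verify_granting_token(token, claimed_user, app_server, now):
        return None
    # "Generate" variant: derive the passphrase from a server-held secret, so it
    # stays the same across logins even though each granting token differs.
    msg = b"myproxy-passphrase:" + claimed_user.encode()
    return hmac.new(PASSWORD_SERVER_SECRET, msg, hashlib.sha256).hexdigest()
```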

19 GGF15 Workshop Summary
- Integration of PubCookie with MyProxy reduces the number of passphrases
- Currently pushing mods to OGCE2 and MyProxy CVS
- Future: What about Shibboleth?
