MyProxy Jim Basney Senior Research Scientist NCSA


2 What is MyProxy? (OGF19)
- An Online Certificate Authority
  - Issues short-lived X.509 End Entity Certificates
  - Avoids the need for long-lived user keys
- An Online Credential Repository
  - Issues short-lived X.509 Proxy Certificates
  - Long-lived private keys never leave the server
- Supports multiple authentication methods
  - Passphrase, Certificate, PAM, SASL, Kerberos, Pubcookie, VOMS
- Open Source Software
  - Included in Globus Toolkit, UGE, NMI, VDT, and CoG Kits
  - C, Java, Python, and Perl clients available
  - Contributions from EDG, UVA, LBL, and others
- Protocol specified in GFD-E.54

3 MyProxy Logon
- Authenticate to retrieve PKI credentials
  - End Entity or Proxy Certificate
  - Trusted CA Certificates
  - Certificate Revocation Lists (CRLs)
- MyProxy maintains the user's PKI context
  - Users don't need to manage long-lived credentials
  - Enables server-side monitoring and policy enforcement (e.g. passphrase quality checks)
  - CA certificates and CRLs are updated automatically at login
- Integrates with existing authentication systems
  - Provides a gateway to grid authentication

4 MyProxy Authentication
- Key Passphrase
- X.509 Certificate
  - Controls credential storage, retrieval, and renewal
  - Supports trusted authentication and renewal services
- Pluggable Authentication Modules (PAM)
  - Kerberos password
  - One Time Password (OTP)
  - Lightweight Directory Access Protocol (LDAP) password
- Simple Authentication and Security Layer (SASL)
  - Kerberos ticket (SASL GSSAPI)
- Pubcookie
  - Web Single Sign-On
- Virtual Organization Membership Service (VOMS)
  - Attribute-based access control

5 MyProxy Deployment Options
- Users already have PKI credentials
  - The MyProxy repository can help users manage the credentials by:
    - Securing private keys in a professionally managed server
    - Obtaining credentials when/where needed
    - Using credentials with MyProxy-enabled applications
- Users have site logons but no PKI credentials
  - The MyProxy CA can provide the bridge
- Users need to register to obtain PKI credentials
  - User registration portals provide a MyProxy interface
    - Grid Account Management Architecture (GAMA)
    - Portal-Based User Registration Service (PURSE)

6 MyProxy-enabled Applications
- CoG Kit APIs (
- Grid portal toolkits
  - GridSphere (
  - GridPort (
  - OGCE (
- Authentication modules
  - JAAS (
  - Apache (
  - Pubcookie (

7 MyProxy Documentation

8 MyProxy Support

9 Topics for Discussion
- Credential Renewal
- High Availability
- Attribute Support
- Web Services
- Web SSO
- Security Context Provisioning
- User Registration
- HSM Support
- Audit Logging
- Others?

10 Credential Renewal
- Existing MyProxy-based renewal support
  - EGEE Renewal Service
  - Condor-G
- Future Work
  - MyProxy-based GT4 Renewal Service
    - Integrated with GT4 Delegation Service
    - Support for GRAM, WS-GRAM, RFT

11 High Availability
- Existing support
  - Clients retry when the server is unreachable
  - Documentation for MyProxy CA replication
  - Primary-backup replication of the MyProxy repository
- Future Work
  - Robust client retry
  - Peer-to-peer repository replication

12 Attribute Support
- Existing support
  - VOMS authentication to the MyProxy server
  - GridShib CA integration with MyProxy
- Future Work
  - Issue credentials with VOMS assertions
  - SAML authentication to the MyProxy server

13 Web Services
- Currently MyProxy does not provide a Web Services interface
  - C, Java, Perl, Python APIs
- A standard Delegation Service interface is needed
  - For MyProxy, GT4, and EGEE delegation services

14 Web Single Sign-on
- Existing Support
  - MyProxy server accepts Pubcookie tokens
- Future Work
  - Shibboleth/SAML support
  - Other web SSO methods?

15 Security Context Provisioning
- Existing Support
  - MyProxy can provision user certificates, CA certificates, and CRLs
  - Requires the MyProxy server CA certificate to be installed
- Future Work
  - Java client support
  - Zero configuration bootstrap

16 User Registration
- Existing Support
  - Provided by PURSE and GAMA
  - GridShib CA and OpenIDP
- Future Work
  - Integration with MyProxy CA
  - Integration with attribute and authorization services

17 HSM Support
- Existing Prototypes
  - MyProxy repository using IBM 4738
  - MyProxy CA using Aladdin eToken
- Future Work
  - Full support for OpenSSL hardware engines in MyProxy CA

18 Audit Logging
- Existing Support
  - All MyProxy server operations are logged to syslog
  - Recent improvements to MyProxy CA logging to meet IGTF guidelines
- Future Work
  - Include auditing information in issued credentials
  - Support standard grid logging interfaces

19 Thank you! Questions? Comments? For more information:
