APGrid PMA face-to-face meeting, 4/8/2008
Cindy Zheng, PRAGMA Grid Coordinator
Pacific Rim Application and Grid Middleware Assembly


1 PRAGMA-UCSD CA
APGrid PMA face-to-face meeting, 4/8/2008
Cindy Zheng, PRAGMA Grid Coordinator
Pacific Rim Application and Grid Middleware Assembly
http://www.pragma-grid.net
http://goc.pragma-grid.net

2 Overview
– PRAGMA
– PRAGMA Grid
– Purpose of PRAGMA-UCSD CA
– PRAGMA-UCSD CA setup
  – (x.y.z) references the relevant CP/CPS section number

3 PRAGMA

4 PRAGMA: A Practical Collaborative Framework
– Strengthen existing and establish new collaborations
– Work with science teams to advance grid technologies and improve the underlying infrastructure, in the Pacific Rim and globally
– 35 institutions, 14 countries
http://www.pragma-grid.net

5 PRAGMA's Collaborative Framework (Source: Philip Papadopoulos, Global Engagement)
Areas: Education, Grid Software, Science
– PRAGMA: Pacific Rim Application and Grid Middleware Assembly
  – Catalyzes collaborations
  – Applications drive technology developments
– GLEON (and CREON), from Telescience WG
  – Global Lake Ecological Observatory Network (and Coral Reef)
  – Grassroots effort to understand lake dynamics
– Avian Flu Grid, from Biosciences WG
  – Integrates technologies for shared infrastructure
– PRIME: Pacific Rim Experiences for Undergraduates
  – Prepares globally-enabled workforce
  – Immersive: research apprenticeship; cultural experience
– PRIUS: Pacific Rim International UniverSity, Osaka University
  – Prepares global workforce
  – Within context of curriculum and research experience
– Grid software: OptIPuter (SAGE), Ninf-G, Gfarm, Nimrod, SCMSWeb, CSF4, Naregi CA, Opal, MOGAS, Mgrid, Rocks, GAMA, Condor, Access Grid, GEO, GEON, DataTurbine, Inca

6 PRAGMA Grid
32 institutions in 16 countries/regions, 27 compute sites (+ 9 in preparation)
Sites shown on the map:
– Australia: MU, APAC, QUT
– Chile: UChile
– China: JLU, CNIC, GUCAS, LZU
– Costa Rica: CeNAT-ITCR
– Hong Kong: CUHK
– India: UoHyd
– Indonesia: SKU, UI
– Japan: AIST, OsakaU, UTsukuba, TITech
– Korea: KISTI
– Malaysia: MIMOS, USM
– Mexico: CICESE, UNAM
– New Zealand: BESTGrid
– Philippines: ASTI
– Puerto Rico: UPRM
– Singapore: BII, IHPC, NGO, NTU
– Switzerland: UZH
– Taiwan: ASGC, NCHC
– Thailand: NECTEC, ThaiGrid
– USA: SDSC, UUtah, NCSA, BU
– Vietnam: HCMUT, HUT, IOIT-HCM

7 PRAGMA Grid Members and Team
http://goc.pragma-grid.net/wiki/index.php/Site_status_and_tasks
Sites
– 23 sites from PRAGMA member institutions
– 15 sites from non-PRAGMA member institutions
– 27 sites contributed compute clusters
Team members
– 170 and growing
– one management contact per site
– 1~3 technical support contacts per site
– 1~4 application drivers per application
– 1~5 per middleware development team

8 Why PRAGMA-UCSD CA?
PRAGMA experimental CA
– Only used within PRAGMA Grid
Grid interoperation and future
– Need an IGTF-compliant catch-all production CA
Near term
– Only issue from the production CA when needed

9 PRAGMA-UCSD CA Team
– CA: Cindy Zheng, Mason Katz (UCSD)
– RA: Mason Katz, Anoop Rajendra (UCSD)
– PMA: Yoshio Tanaka (AIST)
– Security Officer: Phil Papadopoulos (UCSD)
pragma-ucsd-ca@sdsc.edu reaches no more and no less than these 5 people

10 CP/CPS
Structured as defined in RFC 3647
http://goc.pragma-grid.net/ca/cp-cps
OID: 1.3.6.1.4.1.13230.101.2.1.0
– Set for CP/CPS (1.2)
– Set for the certificate policy id v3 extension
– Registered with IANA
– Change procedure described in 9.12

11 CA Systems
– CA server is dedicated and off-line
– RA server is dedicated and on-line
– CA software is naregi-wp5-nas-070112

12 Physical Security
CA and RA servers are in a lockable office
– 2 keys (Cindy Zheng, Karan Bhatia)
CA server is in a locked cabinet in the office
– Only Cindy (CA) has the key
Access log
– Logged by email at pragma-ucsd-ca@sdsc.edu
– Email archive is included in the monthly backup

13 CA Key and Passphrase
CA key length 2048 bits (6.1.5)
CP/CPS 6.4 describes CA key protection
– Passphrase >= 15 characters
– Only known by CA and RA
– Kept in 2 sealed envelopes in 2 separate locked drawers in Cindy's (CA) and Mason's (RA) offices; only Cindy and Mason have the keys to the drawers
– The sealed envelopes are kept separate from the backed-up private key

14 Encrypted Private Key Backup
– On offline media (USB drives)
– Kept in a locked cabinet
– Only Anoop (RA) has the key

15 CA Certificate
– Lifetime 10 years (6.3.2)
– End entity lifetime 1 year
– BasicConstraints (7.1.2)
  – Marked as critical
  – Set as CA:TRUE
– KeyUsage (7.1.2)
  – Marked as critical
  – Values include keyCertSign, cRLSign

16 Certificate Revocation
Can be requested by
– Subscribers
– CA, RA
– Others who can prove compromise or exposure of a private key (4.9.2)
An end entity must request revocation as soon as possible, and within one working day after detecting that
– he/she lost or compromised the private key pertaining to the certificate, or
– the data in the certificate are no longer valid (4.9.1)
Authenticate the request (4.9.3)
– Verify requestor identity by phone, VTC or face-to-face
– Verify reason and evidence
CA must react as soon as possible, and within one working day, to any revocation request received (4.9.5)

17 CRL
– Lifetime is 30 days
– Issued every 3 weeks, or immediately after a revocation (4.9.7)
– http://goc.pragma-grid.net/ca/ca-certs/baec778c.r0
– Version: X.509 v2
– Message digest algorithm: SHA-1

18 User or Host/Service Certificates
– Key >= 1024 bits (6.1.5)
– Lifetime 1 year (6.3.2)
– User certificate should not be shared (4.5.1)
– End entity passphrase (6.2.8): 12 characters or more (enforced by the Naregi-CA client software)

19 Issue Certificates
Described in 4.1, 4.2:
– User fills in and emails the application form
– RA replies: asks for photo ID (fax or in person) and arranges an interview (in person or VTC)
– RA interviews the user with a copy of the user application and a copy of the user's photo ID, and fills in an RA checklist
– Upon approval, RA signs the checklist and hands everything to CA
– RA emails the user an encrypted license ID and the user guide URL
– RA delivers the password to the user (fax or in person)
– User installs the Naregi-CA client software, creates a certificate request and emails the acceptID to the pragma-ucsd-ca list
– CA generates the new certificate and emails the user for retrieval
– CA/RA file all documents

20 Names
Meaningful names (3.1.2)
– Reasonable association to the end entity
– CN is the FQDN
Name uniqueness (3.1.5)
– List of issued certificates
– Prefix and suffix
Verify host owner/administrator (3.2.2, 3.2.3)
– Known organization in the PRAGMA community
– Verify with a known contact of the host organization

21 End Entity Certificates
X.509 format
Extensions (7.1)
– Policy Identifier contains an OID only: 1.3.6.1.4.1.13230.101.1
– CRLDistributionPoints: URI://goc.pragma-grid.net/secure/certificates/baec778c.r0
– keyUsage marked as critical
– basicConstraints set to 'CA:false' and marked as critical
– Host certificate: the FQDN is included as a dNSName in the SubjectAlternativeName
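The certificate and CRL profile stated on slides 15, 17 and 21 can be exercised with the OpenSSL command line. The script below is an added example and is not the PRAGMA-UCSD CA's own tooling (the CA ran Naregi-CA): it builds a throwaway CA with a 2048-bit passphrase-protected key and a 10-year certificate carrying critical basicConstraints CA:TRUE and critical keyUsage keyCertSign,cRLSign; issues a one-year host certificate whose CN and SAN dNSName are the FQDN, with critical basicConstraints CA:FALSE, critical keyUsage, the policy OID from slide 21 and the CRL URL from slide 17; revokes that certificate and issues a 30-day CRL; and then checks each artifact the way a relying party or an APGrid PMA auditor would. The subject names, the hostname compute-01.example.net and the passphrase are constructed for the demo; it assumes OpenSSL 1.1 or later is installed. It uses SHA-256 and a 2048-bit end-entity key where the slides state SHA-1 and >= 1024 bits.

```shell
#!/bin/sh
# Added example (not PRAGMA-UCSD CA tooling): a throwaway OpenSSL CA whose
# certificate and CRL profile follow the CP/CPS values quoted on the slides.
set -eu
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"
CA_PASS='constructed-demo-passphrase-2008'   # constructed; slide 13: >= 15 chars
HOST_FQDN='compute-01.example.net'           # constructed hostname

cat > ca.cnf <<'EOF'
[ ca ]
default_ca = toy_ca
[ toy_ca ]
database         = index.txt
new_certs_dir    = newcerts
certificate      = ca.crt
private_key      = ca.key
serial           = serial
crlnumber        = crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = loose
unique_subject   = no
[ loose ]
countryName      = optional
organizationName = optional
commonName       = supplied
[ req ]
distinguished_name = dn
prompt             = no
[ dn ]
C  = US
O  = PRAGMA
CN = PRAGMA-UCSD CA demo
[ v3_ca ]
# Slide 15: both extensions critical, CA:TRUE, keyCertSign + cRLSign.
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Slides 13 and 15: 2048-bit encrypted CA key, 10-year self-signed CA cert.
setup_ca() {
  mkdir -p newcerts; : > index.txt; echo 01 > serial; echo 01 > crlnumber
  openssl req -x509 -newkey rsa:2048 -keyout ca.key -passout "pass:$CA_PASS" \
    -out ca.crt -days 3650 -config ca.cnf -extensions v3_ca >/dev/null 2>&1
}

# Slides 18, 20, 21: CN = FQDN, FQDN as SAN dNSName, critical CA:FALSE,
# critical keyUsage, policy OID, CRL URL (slide 17), one-year lifetime.
issue_host_cert() {
  fqdn="$1"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$fqdn.key" -out "$fqdn.csr" \
    -config ca.cnf -subj "/C=US/O=PRAGMA/CN=$fqdn" >/dev/null 2>&1
  cat > "$fqdn.ext" <<EOF
[ v3_host ]
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
certificatePolicies    = 1.3.6.1.4.1.13230.101.1
crlDistributionPoints  = URI:http://goc.pragma-grid.net/ca/ca-certs/baec778c.r0
subjectAltName         = DNS:$fqdn
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
  openssl ca -batch -notext -config ca.cnf -extfile "$fqdn.ext" -extensions v3_host \
    -days 365 -in "$fqdn.csr" -out "$fqdn.crt" -passin "pass:$CA_PASS" >/dev/null 2>&1
}

# Slides 16 and 17: revoke, then issue a 30-day CRL immediately.
revoke_and_issue_crl() {
  openssl ca -config ca.cnf -revoke "$1" -passin "pass:$CA_PASS" >/dev/null 2>&1
  openssl ca -config ca.cnf -gencrl -crldays 30 -out ca.crl -passin "pass:$CA_PASS" >/dev/null 2>&1
}

# Relying-party / auditor checks. Text dumps are flattened to one line so
# that an extension and its value can be matched together.
ca_cert_ok() {  # $1 = CA cert
  flat=$(openssl x509 -in "$1" -noout -text | tr -s ' \n' ' ')
  printf '%s\n' "$flat" | grep -q 'Public-Key: (2048 bit)' &&
  printf '%s\n' "$flat" | grep -q 'Basic Constraints: critical CA:TRUE' &&
  printf '%s\n' "$flat" | grep -q 'Key Usage: critical Certificate Sign, CRL Sign' &&
  openssl x509 -in "$1" -noout -checkend 315000000 >/dev/null   # still valid ~10 years out
}
host_cert_ok() {  # $1 = host cert, $2 = expected FQDN
  flat=$(openssl x509 -in "$1" -noout -text | tr -s ' \n' ' ')
  printf '%s\n' "$flat" | grep -q "CN *= *$2" &&
  printf '%s\n' "$flat" | grep -q 'Basic Constraints: critical CA:FALSE' &&
  printf '%s\n' "$flat" | grep -q 'Key Usage: critical' &&
  printf '%s\n' "$flat" | grep -q 'Policy: 1.3.6.1.4.1.13230.101.1' &&
  printf '%s\n' "$flat" | grep -q 'URI:http://goc.pragma-grid.net/ca/ca-certs/baec778c.r0' &&
  printf '%s\n' "$flat" | grep -q "DNS:$2" &&
  openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1
}
crl_revokes() {  # $1 = CRL, $2 = revoked cert: v2 CRL lists it, chain check with CRL fails
  flat=$(openssl crl -in "$1" -noout -text | tr -s ' \n' ' ')
  serial=$(openssl x509 -in "$2" -noout -serial | cut -d= -f2)
  printf '%s\n' "$flat" | grep -q 'Version 2 (0x1)' &&
  printf '%s\n' "$flat" | grep -q "Serial Number: $serial" &&
  ! openssl verify -crl_check -CAfile ca.crt -CRLfile "$1" "$2" >/dev/null 2>&1
}

setup_ca
issue_host_cert "$HOST_FQDN"
revoke_and_issue_crl "$HOST_FQDN.crt"
echo "demo CA, host certificate and CRL written to $WORK"
```

Running it leaves ca.crt, the host certificate and ca.crl in a temporary directory; `openssl verify -crl_check` is the check a relying party's software performs when it has fetched the CRL from the distribution point, and the three `*_ok`/`crl_revokes` functions are the kind of profile checks an auditor can script rather than read off by hand.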

22 Rekey, Renew and Modification
Certificate rekey is described in 4.7:
– Reasons for rekey: certificate revoked or expired
  – Revoked: re-enroll
  – Expired: re-apply 1 month before expiry and request a new public key
– Process is the same as initial enrollment; if within 5 years of initial enrolment, a face-to-face interview is not required
No certificate renewal (4.6)
No certificate modification (4.8)

23 Records Archive
Records archived (5.5.1)
– Forms, emails etc. in the enrollment process
– Private keys, password
– Monthly backup includes CA and RA server backup
– Mailing list archive
Retention period (5.5.2)
– General: minimum 3 years
– Certificates, CRLs: at least 2 years
– User identity info: 5 years

24 Audit
Described in section 8:
– Accept external audit by APGrid PMA
– Self-audit of CA/RA and operation once a year
– Verify CA contact list once a year

25 Web Repository
http://goc.pragma-grid.net/ca
Publicly accessible
– CA root certificates
– Certificates issued
– CRL
– CP/CPS
– Contact info
– APGrid PMA and IGTF are granted unlimited re-distribution
Internal only
– Operation manuals
– Canned emails
– Forms
– Checklist
– CA profiles
– Only CA staff and auditors are allowed access

26 Privacy and Confidentiality
Defined in 9.3 and 9.4
– No confidential info collection
– Do not provide personal info to other organizations
CA-RA communication
– Secure methods (4.1, 4.2): face to face, signed email, Skype
– Inform/log changes by email to pragma-ucsd-ca@sdsc.edu

27 Disaster Recovery
Described in 5.7
– Hardware, software, data corruption: recover from backup ASAP
– CA key compromise:
  – Notify subscribers, RAs, relying parties
  – Revoke all issued certificates
  – Stop certificate/CRL distribution service
  – Create a new key pair and rebuild the CA system

28 Special Thanks
– Yoshio Tanaka and the AIST CA team, and Naregi-CA developer Takuto Okuno, for helping set up PRAGMA-UCSD CA
– APGrid PMA reviewers Sangwan Kim, Alex Wu and Suriya U-ruekolan, for helping review the PRAGMA-UCSD CA CP/CPS

