
Grid and NREN operational support Tony Genovese ATF team ESnet Lawrence Berkeley National Laboratory.


Slide 1: Grid and NREN operational support. Tony Genovese, ATF team, ESnet, Lawrence Berkeley National Laboratory.

Slide 2: Outline (February 2005, TERENA TF-EMC2)
- Background
  - Authentication services in Grids
  - International Grid Federation
  - Regional Grid Federations
  - TERENA
- International Grid Federation (IGF)
  - Regional Policy Management Authorities (PMAs)
  - EU Grid PMA, AP Grid PMA, The Americas Grid PMA
  - Global Grid Forum efforts
  - Certificate Authority Operations WG
- How TERENA helps: Grids and NRENs
  - Resource location
  - Authentication profiles
    - Why authentication profiles?
    - What is in it?
  - General federation document
- If there is interest/time: future federations and AuthN services
  - KCAs, Site Integrated Proxy Services (SIPS), site SSL/TLS support and RADIUS Authentication Fabric (RAF)

Slide 3: Current State of Affairs

Slide 4: Background
- Authentication services in Grids
  - Grid federations have separated the authentication and authorization problems.
  - Resource owners are responsible for authorization: they map the authentication token to local access.
  - Authentication service providers are responsible for providing strong authentication tokens (certificates).
- International Grid Federation
  - March 2003, Tokyo.
  - Promotes and coordinates regional Policy Management Authorities.
  - Next meeting at GGF13, Seoul, South Korea.
  - European Union Grid PMA (community lead organization), Asian Pacific Grid PMA, The Americas Grid PMA.
- TERENA
  - International trusted third party.
  - Trust anchors for NRENs.

Slide 5: International Grid Federation
- Set up in March 2003 (the Tokyo accord). WWW.GridPMA.org
- Goals
  - Promote trust peering between the Americas, European and Asian Pacific communities.
    - EU Grid Policy Management Authority: EGEE (Enabling Grids for E-science in Europe)
    - Asian Pacific Policy Management Authority: APGrid (National Institute of Advanced Industrial Science and Technology)
    - The Americas Grid PMA (new): Canada and USA (DOE)
  - Promote the establishment of top-level CA registries; trusted third-party repositories are needed to establish trust.
    - Root CA certificates, CA repositories and CRL publishing points.
    - EU Grid PMA registry, de facto (CNRS: French National Center for Scientific Research)
    - Asian Pacific CA registry (AP PMA)
    - TERENA TACAR (TERENA Academic CA Repository)
  - Use the Global Grid Forum for publishing standards and community best practices.

Slide 6: Regional PMAs
- EU Grid PMA (www.eugridpma.org)
  - Represents CAs and relying parties.
  - 26 country-level CAs, plus US members.
  - Manages the de facto minimum CA operational requirements.
  - Manages the primary list of trusted CAs.
- Asian Pacific Grid PMA (www.apgridpma.org)
  - Formed summer 2004.
  - Represents CAs and relying parties.
  - 12 country-level CAs, and SDSC.
  - Minimum operational requirements synced with the EU's.
- The Americas Grid PMA (www.TAGPMA.org)
  - Started fall 2004.
  - Represents CAs and relying parties.
  - Represents CAs from research and academic communities in the Americas.
  - Investigates alternative authentication services.
  - Will produce new minimum operational requirements for online CAs.

Slide 7: Global Grid Forum
- GGF efforts are driven by our community requirements.
- Developing international trust relationships has shown a need for common, agreed-upon practices.
- Community documents
  - Grid CP/CPS
  - Policy Management Authority
  - PKI Disclosure Statement (copyright issue with the ABA)
  - Certificate profile (tabled, then resurrected)
  - Grid common naming practices (tabled)
  - OCSP service requirements
  - Authentication profiles (new)

Slide 8: TERENA

Slide 9: How TERENA can help: Grids and NRENs
- International trusted third party.
  - Trust anchor publishing.
  - Possible home for IGF.
  - Expanded support for global identity operations; primarily a publishing model.
- Possible coordination point for Grids and NRENs
  - Avoid development of separate but equal services.
  - Resource location.
  - Authentication Profiles document.

Slide 10: Resource Location
- Resource location is mostly controlled by resource owners (sites and Grids); there is no common publishing or access model.
- Each has developed solutions for its own community, so motivation to change is low.
- Shared resources may be an opportunity to develop common practices: PMAs, certificate authorities, etc.
- How can we approach this problem?
  - Directed publishing model (chain of webs).
  - Rooted LDAP directory tree that serves all players.

Slide 11: Why Authentication Profiles?
- New authentication services will fragment the current global trust model.
- Yet we must allow for innovation in authentication services; the classic PKI procrustean bed no longer works.
- Currently a draft GGF informational document.

Slide 12: Authentication Profile: what is in it?
- Authentication services must provide basic information on:
  - The governance of the authentication service.
  - A set of membership and operational requirements.
  - A publishing model that relying parties can trust.

Slide 13: General Federation Document
1. Federation definition and description
2. General architecture
3. Identity management
4. Operational requirements
5. Site security
6. Publication and repository responsibilities
7. Liability
8. Financial responsibilities
9. Audits and compliance
10. Privacy and confidentiality
11. Compromise and disaster recovery
12. Federation administration

Slide 14: New Authentication Services

Slide 15: New federations and AuthN service efforts
- SIPS, Site Integrated Proxy Services: KCA example.
- Site SSL support, host certificate service: Grids and NRENs are exploring separate solutions.
- RAF, RADIUS Authentication Fabric.
- Expand the scope of DOEGrids.

Slide 16: Site Integrated Proxy Services: KCA example
Diagram components: site Kerberos KDC; proxy generator (KCA); Grid access; Grid resources.
Synopsis of steps for a Grid user:
1. Register with Fermilab:
   1. Get your Fermilab VID.
   2. Get your Kerberos principal.
2. Install the Fermilab KCA certificate and signing policy.
3. Install the KCA client software.
4. Generate a proxy and access Grid resources.
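The KCA flow above ends with the user installing the site CA certificate together with its signing policy, and the Background slide makes the resource owner responsible for mapping that authenticated identity to local access. The Python below, added here as an illustration and not code from the presentation, Fermilab or ESnet, shows both halves of that check, modelled on the Globus Toolkit signing_policy and grid-mapfile formats: the issuer's namespace constraint decides whether a certificate subject is acceptable at all (authentication), and only then does the local mapfile decide which account it gets (authorization). The file contents, the "ExampleGrid" namespace, the KCA DN and the user DNs are all constructed for the example.

```python
import fnmatch
import shlex

# Constructed sample signing_policy (Globus format) for a site KCA. The DNs are
# invented for this example and do not belong to any real CA.
KCA_DN = "/DC=org/DC=ExampleGrid/OU=Certificate Authorities/CN=Example Site KCA"
SIGNING_POLICY = """\
# signing_policy for the site KCA (constructed example)
access_id_CA   X509   '/DC=org/DC=ExampleGrid/OU=Certificate Authorities/CN=Example Site KCA'
pos_rights     globus CA:sign
cond_subjects  globus '"/DC=org/DC=ExampleGrid/OU=People/*" "/DC=org/DC=ExampleGrid/OU=Services/*"'
"""

# Constructed grid-mapfile: certificate subject DN -> local account(s).
GRID_MAPFILE = """\
# grid-mapfile (constructed): subject DN -> comma-separated local accounts
"/DC=org/DC=ExampleGrid/OU=People/CN=Jane Doe" jdoe
"/DC=org/DC=ExampleGrid/OU=People/CN=Sam Roe" sroe,grid-batch
"""


def parse_signing_policy(text):
    """Parse access_id_CA / pos_rights / cond_subjects entries into a list of dicts."""
    policies, current = [], None
    for line in text.splitlines():
        tokens = shlex.split(line, comments=True)   # handles quotes and '#' comments
        if not tokens:
            continue
        if len(tokens) < 3:
            raise ValueError(f"malformed signing_policy line: {line!r}")
        key, value = tokens[0], " ".join(tokens[2:])  # tokens[1] is the 'X509'/'globus' type tag
        if key == "access_id_CA":
            current = {"ca": value, "rights": set(), "subjects": []}
            policies.append(current)
        elif current is None:
            raise ValueError("policy entry before any access_id_CA")
        elif key == "pos_rights":
            current["rights"].add(value)
        elif key == "cond_subjects":
            # The value is itself a quoted list of glob patterns; split it again.
            current["subjects"].extend(shlex.split(value))
    return policies


def issuer_may_sign(policies, issuer_dn, subject_dn):
    """Authentication-side check: trusted issuer AND subject inside its allowed namespace."""
    for policy in policies:
        if policy["ca"] == issuer_dn and "CA:sign" in policy["rights"]:
            return any(fnmatch.fnmatchcase(subject_dn, pat) for pat in policy["subjects"])
    return False  # issuer not in the policy at all


def parse_grid_mapfile(text):
    """Parse '"<subject DN>" account[,account...]' lines into a dict."""
    mapping = {}
    for line in text.splitlines():
        tokens = shlex.split(line, comments=True)
        if not tokens:
            continue
        if len(tokens) != 2:
            raise ValueError(f"malformed grid-mapfile line: {line!r}")
        subject_dn, accounts = tokens
        mapping[subject_dn] = accounts.split(",")
    return mapping


def map_to_local_account(policies, gridmap, issuer_dn, subject_dn):
    """Return (status, account). Authentication is settled before authorization is consulted."""
    if not issuer_may_sign(policies, issuer_dn, subject_dn):
        # Either an untrusted issuer, or a trusted issuer signing outside its namespace
        # (the case the signing policy exists to catch).
        return "issuer-not-trusted-for-subject", None
    accounts = gridmap.get(subject_dn)
    if not accounts:
        return "not-mapped", None   # authenticated, but this resource owner grants nothing
    return "ok", accounts[0]        # first account is the default mapping


if __name__ == "__main__":
    policies = parse_signing_policy(SIGNING_POLICY)
    gridmap = parse_grid_mapfile(GRID_MAPFILE)
    for issuer, subject in [
        (KCA_DN, "/DC=org/DC=ExampleGrid/OU=People/CN=Jane Doe"),
        ("/DC=org/DC=Rogue/CN=Rogue CA", "/DC=org/DC=ExampleGrid/OU=People/CN=Jane Doe"),
        (KCA_DN, "/DC=org/DC=OtherGrid/OU=People/CN=Jane Doe"),
        (KCA_DN, "/DC=org/DC=ExampleGrid/OU=People/CN=Nobody"),
    ]:
        print(subject, "->", map_to_local_account(policies, gridmap, issuer, subject))
```

The second and third cases in the demo are the ones worth dwelling on: a rogue CA presenting a perfectly formed "Jane Doe" DN, and the trusted KCA issuing a subject outside its own namespace, are both refused before the mapfile is ever read. This is why the slide lists the signing policy alongside the CA certificate as something the user must install: trusting the certificate alone would not bound what that CA may vouch for.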

Slide 17: SSL Service Federation
Diagram components: ESnet SSL Federation CA; site or organization web servers; system admin.
Synopsis of steps for a system admin:
1. Register with ESnet: get your ESnet Grid Admin account.
2. Request and self-approve host certificates.
Replaces:
  a. Self-signed certificates
  b. Commercial providers
Requires: the browser providers to add the SSL CA certificate to their trusted list of CAs; this is to stop security-warning pop-ups.

Slide 18: RADIUS Authentication Fabric with OTP support
Diagram: an ESnet RAF federation (es.net) linking the RADIUS realms anl.gov, nersc.gov, pnnl.gov and ornl.gov (NERSC, ANL, ORNL, PNNL each shown with a RADIUS server, NERSC and ANL also with an OTP service); a RADIUS application reaches the realms through the federation.
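What the RAF diagram implies is a federation proxy whose two jobs are to route an Access-Request to the user's home realm (where the OTP is actually checked) and to accept only replies that are cryptographically bound to that request with the realm's shared secret. The Python below is an added example, not ESnet's RAF code: it implements RFC 2865 packet encoding, realm-based routing that rejects unknown or realm-less user names instead of forwarding them, and verification of the Response Authenticator on the way back. The FEDERATION table, the hostnames (using the reserved .invalid TLD) and the secrets are constructed placeholders.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_NAS_IDENTIFIER = 1, 32

# Constructed federation table: realm -> (home RADIUS server, shared secret between
# the federation proxy and that realm's server). Placeholders, not ESnet RAF config.
FEDERATION = {
    "anl.gov": ("radius.anl.gov.invalid", b"anl-proxy-secret"),
    "nersc.gov": ("radius.nersc.gov.invalid", b"nersc-proxy-secret"),
    "pnnl.gov": ("radius.pnnl.gov.invalid", b"pnnl-proxy-secret"),
    "ornl.gov": ("radius.ornl.gov.invalid", b"ornl-proxy-secret"),
}


def _encode_attrs(attrs):
    """RFC 2865 attribute TLV: type(1) length(1, header included) value."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def _decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def build_packet(code, ident, authenticator, attrs):
    """Header: code(1) id(1) length(2) authenticator(16), then attributes."""
    if len(authenticator) != 16:
        raise ValueError("authenticator must be 16 bytes")
    body = _encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(data):
    if len(data) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad length field")
    return code, ident, data[4:20], _decode_attrs(data[20:length])


def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = _encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def access_request(user_name, nas_id, ident=7, authenticator=None):
    """Build an Access-Request as the RADIUS application would send it."""
    auth = authenticator or os.urandom(16)   # fresh random Request Authenticator
    attrs = [(ATTR_USER_NAME, user_name.encode()), (ATTR_NAS_IDENTIFIER, nas_id.encode())]
    return build_packet(ACCESS_REQUEST, ident, auth, attrs)


def route_request(packet):
    """Federation proxy: return (home_server, realm), or (None, reason) to reject."""
    code, _ident, _auth, attrs = parse_packet(packet)
    if code != ACCESS_REQUEST:
        return None, "not an Access-Request"
    names = [v for t, v in attrs if t == ATTR_USER_NAME]
    if len(names) != 1:
        return None, "missing or duplicate User-Name"
    nai = names[0].decode("utf-8", "replace")
    if "@" not in nai:
        return None, "no realm in User-Name"   # never guess a default realm
    realm = nai.rsplit("@", 1)[1].lower()
    if realm not in FEDERATION:
        return None, f"unknown realm {realm!r}"
    return FEDERATION[realm][0], realm


def home_server_reply(request, secret, accept):
    """Home realm: after its own OTP check, answer and bind the reply to the request."""
    _code, ident, req_auth, _attrs = parse_packet(request)
    code = ACCESS_ACCEPT if accept else ACCESS_REJECT
    reply_attrs = []
    auth = response_authenticator(code, ident, req_auth, reply_attrs, secret)
    return build_packet(code, ident, auth, reply_attrs)


def verify_reply(reply, request, secret):
    """Proxy: accept only if the id matches and the authenticator was computed with our secret."""
    rcode, rident, rauth, rattrs = parse_packet(reply)
    _, ident, req_auth, _ = parse_packet(request)
    if rident != ident:
        return False
    expected = response_authenticator(rcode, rident, req_auth, rattrs, secret)
    return hmac.compare_digest(expected, rauth)


def handle(packet):
    """End to end: route, obtain the home realm's reply, verify it; returns (realm, accepted)."""
    home, realm = route_request(packet)
    if home is None:
        return None, False                       # rejected at the proxy, nothing forwarded
    secret = FEDERATION[realm][1]
    reply = home_server_reply(packet, secret, accept=True)   # home OTP check assumed to pass here
    if not verify_reply(reply, packet, secret):
        return realm, False
    return realm, parse_packet(reply)[0] == ACCESS_ACCEPT
```

Two points the example makes explicit: the proxy never sees or checks the OTP, only the home realm holds that material, and a reply whose code is flipped from Access-Reject to Access-Accept in transit fails verification because the code is covered by the Response Authenticator. The MD5-based authenticator is what RFC 2865 specifies; a deployment today would add Message-Authenticator (RFC 2869) and carry the exchange over RadSec rather than rely on this alone.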

Slide 19: DOEGrids PKI Security
Diagram components (outermost to innermost): Internet; firewall; intrusion detection; LBNL site security; building security; secure data center; access-controlled racks; hardware security modules; PKI systems; offline vaulted root CA (HSM); Grid user.

