Presentation is loading. Please wait.

Presentation is loading. Please wait.

EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks PASSTORE: safe certs & password management.

Published byImogen Day Modified over 8 years ago

Similar presentations

Presentation on theme: "EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks PASSTORE: safe certs & password management."— Presentation transcript:

1 EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks PASSTORE: safe certs & password management for Grid hosts Stefano Dal Pra INFN stefano.dalpra@pd.infn.it

2 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 To change: View -> Header and Footer 2 The problem A comfortable practice to manage Grid certificates for hosts would be to keep them all in a local host and scp them as needed –In case of security incident at site level, all certs may become compromised at once. –CA explicitly requires to keep two separete copies for each cert/key pair in a place not reachable via network A secure practice would be to keep them on two pendrives or similar devices –Difficult to maintain them syncronized –Extreme care needed for safe management (stoling content may be quite easy)‏

3 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 To change: View -> Header and Footer 3 The passtore solution Keep certs/keys and passwords on a single host with: –Two HD in RAID1 (two separate copies for each file)‏ –Mysql DB using AES (simmetric) encryption –Private IP, Network interface down  only direct console access or through Avocent or alike (video stream directly from graphic card)‏ –Iptables, no rules, policy DROP (no traffic allowed)‏ –direct Network connection with another host who masquerades him When passtore needs to scp a file it: –Activates proper iptables rule ( passtore,ssh --> target )‏ –Activates network –Performs actual scp –Deactivates iptables rule and network

4 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 To change: View -> Header and Footer 4 The passtore solution (2) Use a python Command Line tool to: –add/show/update passwords for user@ : –Produces cert requests (and stores the private key in encrypted form)‏ –Query for status of stored certificates  Validity dates  Verify that Private key matches its certificate  Prevents insertion of nonmatching certs –copy the cert request file to the operator's host, who will mail it to the CA –Gets the new released certificate from operator's host and stores it in the DB –copy a couple key/cert to the target host (only)‏

5 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 To change: View -> Header and Footer 5 Further details... See https://forge.cnaf.infn.it/projects/passtore/https://forge.cnaf.infn.it/projects/passtore/ –Svn source repository –Reserved access –Write to stefano.dalpra@pd.infn.it if interestedstefano.dalpra@pd.infn.it Thanks for attention

6 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 To change: View -> Header and Footer 6 Key points Passtore is NEVER network reachable –Network gets activated for the strictly needed time only –Connection started ONLY from passtore to target host User cannot (directly) take a copy of a private key –When copying to Grid host passtore knows remote password Examples (next slide)‏

Download ppt "EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks PASSTORE: safe certs & password management."

Similar presentations

Powerful and convenient management for Windows Mobile ® 6.1 devices in an enterprise environment. These features include: Centralized, over-the-air device.

Powerful and convenient management for Windows Mobile ® 6.1 devices in an enterprise environment. These features include: Centralized, over-the-air device.
Enabling Secure Internet Access with ISA Server

Enabling Secure Internet Access with ISA Server
© 2012 All rights reserved to Ceedo. Enhanced Mobility with Tighter Security.

© 2012 All rights reserved to Ceedo. Enhanced Mobility with Tighter Security.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE Tutorial Getting started with GILDA.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE Tutorial Getting started with GILDA.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE Tutorial How to get started.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE Tutorial How to get started.
Www.eu-eela.eu E-science grid facility for Europe and Latin America A Data Access Policy based on VOMS attributes in the Secure Storage Service Diego Scardaci.

E-science grid facility for Europe and Latin America A Data Access Policy based on VOMS attributes in the Secure Storage Service Diego Scardaci.
All rights reserved © 2005, Alcatel Risk Awareness in Enterprise IT Processes and Networks  Dr. Stephan Rupp.

All rights reserved © 2005, Alcatel Risk Awareness in Enterprise IT Processes and Networks  Dr. Stephan Rupp.
 Guarantee that EK is safe  Yes because it is stored in and used by hw only  No because it can be obtained if someone has physical access but this can.

 Guarantee that EK is safe  Yes because it is stored in and used by hw only  No because it can be obtained if someone has physical access but this can.
CSI 400/500 Operating Systems Spring 2009 Lecture #20 – Security Measures Wednesday, April 29 th.

CSI 400/500 Operating Systems Spring 2009 Lecture #20 – Security Measures Wednesday, April 29 th.
Implementing Native Mode and Internet Based Client Management.

Implementing Native Mode and Internet Based Client Management.
魂▪創▪通魂▪創▪通 2013. 11. 15. Use Case and Requirement for Future Work Sangrae Cho Authentication Research Team.

魂▪創▪通魂▪創▪通 Use Case and Requirement for Future Work Sangrae Cho Authentication Research Team.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks gLite Release Process Maria Alandes Pradillo.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks gLite Release Process Maria Alandes Pradillo.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org Introduction to R-GMA: Relational Grid Monitoring Architecture.

EGEE-II INFSO-RI Enabling Grids for E-sciencE Introduction to R-GMA: Relational Grid Monitoring Architecture.
EGEE-III INFSO-RI-222667 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Romanian SA1 report Alexandru Stanciu ICI.

EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Romanian SA1 report Alexandru Stanciu ICI.
Registration Processing for the Wireless Internet Ian Gordon Director, Market Development Entrust Technologies.

Registration Processing for the Wireless Internet Ian Gordon Director, Market Development Entrust Technologies.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Simply monitor a grid site with Nagios J.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Simply monitor a grid site with Nagios J.
EGEE-III INFSO-RI-222667 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Spyros Kopsidas Center for Research and.

EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Spyros Kopsidas Center for Research and.
EGEE-III INFSO-RI-222667 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks C. Loomis (CNRS/LAL) M.-E. Bégin (SixSq.

EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks C. Loomis (CNRS/LAL) M.-E. Bégin (SixSq.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks gLite IPv6 compliance project tests Further.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks gLite IPv6 compliance project tests Further.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.

Similar presentations

Ads by Google