Www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 Improved X.509 Management Using PKCS11 Daniel Kouřil, Michal Procházka CESNET.

Slides:



Advertisements
Similar presentations
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.
Advertisements

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.
Federated Access to Grids Daniel Kouřil, Sam Hartman, Josh Hewlet, Jens Jensen, Michal Procházka EGI User Forum 2011.
Moonshot for Federated Identity Jens Jensen, STFC Daniel Kouřil, CESNET EGI CF, April 2013.
Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester
EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI - Identity Management Steven Newhouse Director, EGI.eu Federated Identity.
ARCHER’s Security Requirements within the AAF. 2 Research Repository Requirements (relevant to AAF) Identity Management provided by the Federation  Single-sign-on.
Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.
13 Sept 00 Token Interoperability and Portability Project status report John Hughes Montreal - 14 September 00.
Alcatel Identity Server Alcatel SEL AG. Alcatel Identity Server — 2 All rights reserved © 2004, Alcatel What is an Identity Provider?  
PKI Network Authentication Dartmouth Applications Robert Brentrup Educause/Dartmouth PKI Summit July 27, 2005.
APACHE SERVER By Innovationframes.com »
Public Key Infrastructure from the Most Trusted Name in e-Security.
Jens G Jensen CCLRC e-Science Single Sign-on to the Grid Federated Access and Integrated Identity Management.
魂▪創▪通魂▪創▪通 Use Case and Requirement for Future Work Sangrae Cho Authentication Research Team.
EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI The EGI Software Vulnerability Group and EMI Dr Linda Cornwall, STFC, Rutherford.
Tweaking the Certificate Lifecycle for the UK eScience CA John Kewley NGS Support Centre Manager & Service Manager for the UK e-Science CA
EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI Pakiti.
GILDA testbed GILDA Certification Authority GILDA Certification Authority User Support and Training Services in IGI IGI Site Administrators IGI Users IGI.
Maintaining Network Health. Active Directory Certificate Services Public Key Infrastructure (PKI) Provides assurance that you are communicating with the.
Single Sign-On across Web Services Ernest Artiaga CERN - OpenLab Security Workshop – April 2004.
CertWizard: a New Certificate Tool for the UK NGI User Community John Kewley ( ), Jens Jensen, David Meredith and Akay Okcun 16/11/20151EGI.
Jens G Jensen CCLRC e-Science Single Sign-on to the Grid Authentication and Integrated Identity Management HEPiX, CASPUR, Rome 3-7 April 2006.
ESnet RAF and eduroam ™ Tony J. Genovese ATF Team ESnet/Lawrence Berkeley National Laboratory.
EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI Federated Cloud Security - what is needed Linda Cornwall (STFC) and the.
Distribution Repository Structure David Groep,
Providing secure mobile access to information servers with temporary certificates Diego R. López
Grid Access Toolkit for MS Windows Daniel Kouřil CESNET, MWSG meeting, Jun
Linux Operations and Administration
Remote Access Usages. Remote Desktop Remote desktop technology makes it possible to view another computer's desktop on your computer. This means you can.
Configuring, Managing and Maintaining Windows Server® 2008 Servers Course 6419A.
EGI-InSPIRE RI EGI-InSPIRE RI A new “lightweight” Crypto Library for supporting an Advanced Grid Authentication Process.
EGI-InSPIRE RI EGI-InSPIRE RI User Support in IGI: Related Tools and Services in Italy EGI Technical Forum
EMI is partially funded by the European Commission under Grant Agreement RI Common Authentication Library Daniel Kouril, for the CaNL PT EGI TF.
EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI Supporting Distributed Computing Infrastructures Torsten Antoni, KIT
EMI is partially funded by the European Commission under Grant Agreement RI Security Token Service (STS) Transforming the Existing User Credentials.
12-Jun-03D.P.Kelsey, CA meeting1 CA meeting Minimum Requirements CERN, 12 June 2003 David Kelsey CCLRC/RAL, UK
The GRIDS Center, part of the NSF Middleware Initiative Grid Security Overview presented by Von Welch National Center for Supercomputing.
EGI-InSPIRE RI EGI (IGTF Liaison Function) EGI-InSPIRE RI IGTF EUGridPMA status update SHA-2, OCSP, and more David.
EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI TS8.10 A new approach to Computing Availability/Reliability reports for EGI.
EGI-InSPIRE RI EGI Webinar EGI-InSPIRE RI Porting your application to the EGI Federated Cloud 17 Feb
EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI CSIRT Procedure for Compromised Certificates and Central Security Emergency.
EGI-InSPIRE RI Grid Training for Power Users EGI-InSPIRE N G I A E G I S Grid Training for Power Users Institute of Physics Belgrade.
EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI VOMS Proxy Lifetime UCB 21 Aug 2012 David Kelsey STFC.
EMI is partially funded by the European Commission under Grant Agreement RI Security Token Service (STS) Simplified Credential Management Henri.
EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI UMD Roadmap Steven Newhouse 14/09/2010.
JAVA CARD Presented by: MAYA RAJ U C A S,PATHANAMTHITTA.
EMI is partially funded by the European Commission under Grant Agreement RI Common Authentication Library Daniel Kouril, for the CaNL PT EGI CF.
EMI is partially funded by the European Commission under Grant Agreement RI caNl++ caNl++ team University Of Oslo 5th EMI AHM, Budapest.
A Survey of Certificate Management Processes and Procedures in OSG Gabriel Ghinita and Mine Altunay
Non Web-based Identity Federations - Moonshot Daniel Kouril, Michal Prochazka, Marcel Poul ISGC 2015.
EGI-InSPIRE RI EGI (IGTF Liaison Function) EGI-InSPIRE RI IGTF & EUGridPMA status update SHA-2 – and more (David Groep,
EGI-InSPIRE RI Pakiti Michal Prochazka, (Daniel Kouril)
EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI Software Repository Progress Report Kostas Koumantaros et al, GRNET 7/3/2016.
EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI APEL Regional Accounting Alison Packer (STFC) Iván Díaz Álvarez (CESGA) APEL.
EGI-InSPIRE RI EGI-InSPIRE RI EGI-InSPIRE Software provisioning and HTC Solution Peter Solagna Senior Operations Manager.
Federated Access to Storage EGI CF 2012 Luke Howard, Daniel Kouril, Michal Prochazka.
EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI Data Management Interface: CDMI for CMF Ilja Livenson PDC KTH.
Alain Bethuyne Web Security Architect BNPParibas Fortis
Contents Software components All users in one location:
Modularity Most useful abstractions an OS wants to offer can’t be directly realized by hardware Modularity is one technique the OS uses to provide better.
What are they? The Package Repository Client is a set of Tcl scripts that are capable of locating, downloading, and installing packages for both Tcl and.
Module Overview Installing and Configuring a Network Policy Server
Tweaking the Certificate Lifecycle for the UK eScience CA
Chapter 3: Windows7 Part 4.
Unit 27: Network Operating Systems
Utilize Group Policy Terminal Server Settings
Thor: The Hybrid Online Repository
Public Key Infrastructure from the Most Trusted Name in e-Security
K!M SAA LOGICAL SECURITY Strong Adaptive Authentication
Presentation transcript:

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI Improved X.509 Management Using PKCS11 Daniel Kouřil, Michal Procházka CESNET EGI TF 2011

EGI-InSPIRE RI PKCS11 Widely accepted standard to access security devices A general API hiding implementation details of the actual token HW (smart cards), SW (soft token) Usually configured at run time Supported by wide range of applications

EGI-InSPIRE RI Use-cases to Address Single credentials repository on a desktop A remotely available credentials Management of IGTF anchors

EGI-InSPIRE RI Desktop credentials locations Users are often required to handle files with certs One repository for all applications A single place to secure and manage Mozilla‘s NSS soft token PKCS11 available with every Firefox/Thunderbird installation We’re on grid though

EGI-InSPIRE RI NSS for VOMS Voms with PKCS11 support should be part of EMI2 Seamless access to browser credentials for users with e.g. TCS credentials Creds do not need to be stored in files

EGI-InSPIRE RI IGTF Anchors

EGI-InSPIRE RI

EGI-InSPIRE RI IGTF Anchors PKCS11 token providing a list of CAs and describing they trust level Interface to local ca directory /etc/grid-security/certificates Populated and maintained either manually or by a package (Debian, Ubuntu, …)

EGI-InSPIRE RI MyProxy PKCS11 Access to credentials in Myproxy server Credentials must be loaded before Usable by any PKCS11-enabled application Thunderbird, browsers, VPN clients voms-proxy-init Creds aren’t stored in the application

EGI-InSPIRE RI Remote Smart Card Two modes possible Smart card Full support of PKCS11 abstraction Requires changes on the MyProxy server Repository Simpler, less secure (creds are transmitted to the client) No server modifications

EGI-InSPIRE RI Conclusions PKCS11 modules to improve users‘ experience Support in any PKCS11 applications Not grid specific Available from el/

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.