OSG Security: Updates on OSG CA & Federated Identities Mine Altunay, PhD OSG Security Team OSG AHM March 24, 2015.

Presentation transcript:


Updates on OSG CA
- OSG CA functions and serves our community well. In the last year we issued:
  - 1067 user certificates to 44 different VOs
  - 6261 host certificates to 28 VOs
- There will be some changes to OSG CA:
  - Impact on end users will be minimal to zero.
  - Some impact on site admins who manage host certs.
- OSG will continue the OSG CA service. There will be no disruption to the service; all users will continue to obtain their certificates in the same manner as before.

OSG CA Change
- OSG CA has two main components:
  - The OIM Frontend, which handles all the user interface and certificate workflows.
  - The Backend, which cryptographically signs the certificate requests. This is currently the DigiCert CA; the OIM Frontend invokes the DigiCert API and sends the requests to it.
- We are changing the Backend only: from DigiCert to the CILogon HSM service.
- We are not making any changes to the OIM Frontend. Users will still see the same interface and take the same actions to obtain certificates.

Certificate workflow (diagram): OIM Frontend calling the Backend CA (DigiCert CA today, CILogon HSM after the change)
1. Cert request
2. RA and Sponsor approval
3. Create a "cert req" file
4. Send "cert req" file to Backend CA (API call)
5. Backend CA returns the signed cert
6. Retrieve cert

Scope of the Change
- User interface, certificate workflows (the steps taken to obtain a certificate), and OSG policies will remain the same.
- The OIM makes some API calls to the Backend Provider. These calls will be changed.
- The user will have a new certificate DN. This will be the only apparent difference to the user from our changing the backend provider.

Motivation for the Change
- CILogon HSM is offered by XSEDE.
- It allows us to collaborate with a major peer grid and share resources.
- In return, XSEDE asked OSG to function as a backup CA for XSEDE resources, to which we agreed.

Impact on End Users
- The only visible change to the user is his/her new certificate Distinguished Name. The new DN will be: /DC=org/DC=opensciencegrid/O=Open Science Grid/OU=People/CN=Mine Altunay
- The users will have to register the new DN with VOMS servers.
- BUT: to ease the pain, we plan to automate this process and register the new DNs ahead of time, so end users will NOT have to take any action.
- In other words, when certificates expire, users will renew their certs just as in the past and continue with their work.

Impact on Site Admins
- They will receive new host certs as their existing certs expire. The mechanism to obtain the certs remains the SAME.
- If they are an ITB site, we will ask them to help us test the certs before we switch to production.
- If the service DN is registered by another service, then the site admin must notify the corresponding service owners. E.g. the GUMS service registers the DN of VOMS servers.
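The two DN-related tasks above, pre-registering users' new DNs with VOMS and finding which services (such as a GUMS instance that registers a VOMS server's DN) still hold an old DN, are illustrated by the following added Python sketch; it is not OSG's own tooling, and the old-namespace prefix, the hostnames, and the rule that only the CA prefix of a DN changes are assumptions.

```python
"""Added example (not OSG tooling): map DNs to the new OSG CA namespace and find services to notify."""
# New OSG CA namespace as shown on the slides: /DC=org/DC=opensciencegrid/O=Open Science Grid/...
NEW_PREFIX = [("DC", "org"), ("DC", "opensciencegrid"), ("O", "Open Science Grid")]


def parse_dn(dn):
    """Parse an OpenSSL-style slash DN into (attribute, value) pairs; assumes no escaped '/'."""
    if not dn.startswith("/"):
        raise ValueError(f"expected DN to start with '/': {dn!r}")
    rdns = []
    for part in dn.split("/")[1:]:
        attr, sep, value = part.partition("=")
        if not (attr and sep and value):
            raise ValueError(f"malformed RDN {part!r} in {dn!r}")
        rdns.append((attr, value))
    return rdns


def format_dn(rdns):
    return "".join(f"/{attr}={value}" for attr, value in rdns)


def in_new_namespace(dn):
    """True if the DN was issued under the new OSG CA namespace."""
    return parse_dn(dn)[: len(NEW_PREFIX)] == NEW_PREFIX


def derive_new_dn(old_dn):
    """Re-root an existing DN under NEW_PREFIX, keeping the tail from OU onward.
    Useful for pre-registering new DNs in VOMS; keeping the OU/CN tail unchanged
    is an assumption, not a rule stated on the slides."""
    rdns = parse_dn(old_dn)
    tail_start = next((i for i, (attr, _) in enumerate(rdns) if attr == "OU"), None)
    if tail_start is None:
        raise ValueError(f"no OU component in {old_dn!r}")
    return format_dn(NEW_PREFIX + rdns[tail_start:])


def services_to_notify(old_dn, registrations):
    """Services that have old_dn registered (e.g. a GUMS instance that registers a
    VOMS server's DN) and therefore must be told the new DN."""
    old = parse_dn(old_dn)
    return sorted(svc for svc, dns in registrations.items()
                  if any(parse_dn(d) == old for d in dns))


# Constructed sample data: the old CA namespace and the hostnames are placeholders.
OLD_VOMS_DN = "/DC=com/DC=OldBackendCA/O=Open Science Grid/OU=Services/CN=voms.example.org"
REGISTRATIONS = {
    "gums.site-a.example": [OLD_VOMS_DN],
    "gums.site-b.example": ["/DC=org/DC=opensciencegrid/O=Open Science Grid/OU=Services/CN=ce.site-b.example"],
}
```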

Impact of the Change
- The impact of this change on our users will be smaller than our transition from DOEGrids CA to OSG CA.
- In the former transition, we also built the OIM frontend and defined the user workflows, which changed the way end users receive certificates.
- In this transition, the frontend remains the same. Users will use the same process and mechanisms to obtain certificates.

Timeline
- Our current contract with DigiCert CA will end June.
- We will start transitioning our users starting January.
- Our ITB sites and VO services should test the new certificates from April 2015 through July.
- All OSG software will be tested in the ITB stack.
- VOs should test any VO-specific software that is not included in the OSG Stack.

Updates on Federated Identities
- What do Federated Identities mean?
  - Similar to how passports work. You have one passport from your country, but when you travel, all other countries recognize your passport. You do not have to get a new passport from each country you visit.
  - Federated Identities work the same way. When you have an identity token from your home organization, you can use this token to access other institutions.
  - For example, you log into the Fermilab services domain. It issues an access token (cookie, cert, etc.). You can use this token to access CERN.

Federated Identities
- How do Federated Identities help the end user?
  - You do not have to create a new account with every single institution that you need access to.
  - You have a single account with your home organization, and your home org sends this info to other organizations if you need to access them.
- This requires coordination between the organizations: they need to know whom they trust and which access tokens they will get from them.

Benefits of Federated Identities
- OSG infrastructure is mainly built on certificates.
- CILogon Basic CA is a Certificate Provider that works with Federated Identities:
  - CILogon Basic CA can issue fully automated certificates.
  - The user goes to the CILogon Basic website and selects his home organization. CILogon forwards the user to his home organization to authenticate. Once the user authenticates, his browser is redirected to the CILogon website and the user obtains a certificate.

CILogon Basic CA

CILogon Basic CA
- Fully IGTF accredited. You can obtain certificates from this CA and use them on OSG.
- Can access grid sites and the OSG twiki, docdb, etc.
- Over 130 organizations directly collaborate with CILogon, so their users can get automated certificates.
- Fermilab is one of the strong collaborators, allowing all its users to get these certs.

CILogon Basic CA
- How is that different from OSG CA?
  - Much faster, fully automated CA.
  - Identity vetting is fully automated. The user is authenticated by his home org.
  - With OSG CA, identity vetting is a manual step: create a ticket, route it to a sponsor who knows the requestor, check the user's identity, approve the request, then issue the cert. This can take a few days.
- We encourage all our users to try the new CILogon Basic CA.
- One final point: the CILogon project has multiple services. Basic CA is different from the HSM service we talked about before.