Company LOGO January 24 th, 2007 PC Manager Meeting

Today  Updates  Next Meeting  Training  License  Jinitiator Upgrade  Meeting Maker  Windows Policy  Security  get_cert Replacement, A Look At NetIDMgr– Jack Schmidt

Next Meeting  February 28th  Key Management Service

Training Update  Understanding and Using Digital Certificates (PKI) Feb 15th, 2007 Understanding and Using Digital Certificates (PKI) Feb 15th, 2007  Excel 2003: Advanced Feb. 27 & March 1, 2007 (am only) Excel 2003: Advanced Feb. 27 & March 1, 2007 (am only)  Word 2003: Advanced Feb. 27 & March 1, 2007 (pm only) Word 2003: Advanced Feb. 27 & March 1, 2007 (pm only)

Licensing  EA Training vouchers expire March/April  FNAL Website:  Help redeeming Training Vouchers: Div/SecDaysDiv/SecDays AD16D00 MIS5ESH1 CD17FESS4 CDF1PPD4 TD5

Jinitiator  Update required for DST compliance Feb/Mar 2007 timeframe  See PC Manager archives for detailed .  MIS package available for download or via SMS  Instructions available at:

Meeting Maker MMCO  Microsoft DST patch (KB928388) breaks Outlook connector  The error displayed is "Cannot connect to current session“  Working with vendor. Don’t install DST patch on systems with outlook connector for now.  If the DST patch is already installed on your computer it can be uninstalled to return MMCO functionality.

Meeting Maker 8.6  MM Upgrade mandatory?  Does it correct DST problem with MMCO?  Required for DST time change?  Full upgrade:  MM server, MM Native client, MM web server, MM MMCO server, MM MMCO client  MM Upgrade changes Sync tool. Requires a new server with a Web component and database component  Working with Meeting Maker and Notify link to answer questions.

Windows Policy Committee  Vista Update  Updating baseline  KMS up and validating systems!  Working out issues (documentation, SRV records)  Testing new GPOs in Fermibeta  Vista-users mail list  Next Meeting Feb 7 th 1:30-2:30pm, WH5SW

Security Updates  MANDATORY Patches:  MS  Due Date:  RECOMMENDED Patches:  Due Date:  The following is a link to the January Microsoft list of critical and important patches. bulletin/ms07-jan.mspx bulletin/ms07-jan.mspx

Security Updates  New Fermi Windows CD available soon!

Main Topic  NetIDMgr – Jack Schmidt

Agenda  Background  Definitions  Requirements  Solution  Demo  Rollout

Background  Kerberos has provided good central supported service for telnet, ftp, etc  Unfortunately many applications are unlikely to be Kerberized  Multiplicity of passwords not solved by Kerberos, still need some single sign on mechanism for applications  We need to choose a mechanism to establish identity for other apps

Definitions (sorry)  Public Key Encryption  Asymmetric encryption: public key and private key  PKI Public Key Infrastructure  A system of public key encryption using digital certificates from Certificate Authorities that verify and authenticate the validity of each party involved in an electronic transaction.  Digital Certificate  Includes your name, serial number, expiration dates, your public key, digital signature of the CA

Definitions  CA: Certificate Authority  verify the identity of entities and issue digital certificates attesting to that identity.  X.509 is the international standard for Digital Certificates (not all conform)

Definitions  KCA: Kerberos Certificate Authority  Leverages Kerberos authentication infrastructure  Short-lived (current ticket lifetime up to 7 days)  Requires FNAL realm Kerberos principal  kx509 is a client program that talks to the KCA to obtain a short-lived X.509 certificate

Motivation To Use Certificates  Single sign on for applications  Eliminate application passwords in clear  Attacks are moving more toward applications rather than OS  Central revocation of authorization  Allows centralized auditing of user accounts  Next slide indicates scope of problem with clear passwords

Inbound passwords in clear text

Benefits  KCA Certs  Strong identity verification  Read or publish information  User privileges can be revoked  No password vulnerability  Restricts usage to FNAL only  Requires frequent renewal

Strategy  Move to single sign on by adopting certificates for all applications  Build get_cert tools for each OS

Get_cert  Windows users find current implementation a bit klunky  Issue with logon name

Replacement Tool Requirements  On login to FERMI domain or via  Automatically get FNAL.GOV ticket  Automatically get KCA certificate and load into supported browsers*  Use existing krb5.conf  One place to change passwords  Ease of credential renew  Code must be supportable

Solution  Pay Company to build new tool  Use existing NetIDMgr/KFW software  Create kca plugin  Comes with AFS plugin!  Maintained Opensource  W2000/XP/Vista support  Terminal Server support

Take a spin…

Rollout  FNAL package available on pseekits \\pseekits\desktoptools\netidmgr  SMS package available for distribution  Requires AFS  MSI can be installed via SMS  Issue if existing version installed via.EXE

AFS Tip!  Don’t mount drives via AFS Control Panel!  Map Network Drive and UNC path \\afs\fnal.gov \\afs\fnal.gov

References  Cd-doc CD Briefing on SSL Certificates, March 2006, Mark Leininger & Jack Schmidt Cd-doc-1380  NetIDMgr User Documentation (pdf) NetIDMgr User Documentationpdf  Kerberos For Windows Kerberos For Windows  OpenAFS for Windows OpenAFS for Windows