OSG PKI Transition Mine Altunay OSG Security Officer


The OSG PKI Transition
Transition from DOEGrids CA to OSG CA.
OSG CA will provide the user and host/service certificates necessary for authentication.
DOEGrids CA will STOP issuing new certs or renewing existing certs mid-March.
Because of the number of people and certs involved, and so as not to inconvenience people, we plan a gradual transition to OSG CA: people will apply to OSG CA as their existing certs expire.
Let’s say:
– You have a DOEGrids CA cert set to expire August. You can still use your cert until August. When you need to renew, you have to apply to OSG CA.
– You have a DOEGrids CA cert set to expire December. You can still use your cert until December. When you need to renew, you can apply to DOEGrids or OSG CA for a renewal cert. Next year, December 2013, when you need to renew again, you have to apply to OSG CA.
11/6/12 2 OSG PKI Transition

The OSG PKI Transition
– If you need a brand new certificate in April 2013, you should apply to OSG CA.
– If you need a brand new certificate in December 2012, you can apply to OSG CA or DOEGrids CA. We recommend applying to OSG CA.
OSG CA is currently functional and providing certs. If you wish, you can obtain certs from OSG CA now.

The OSG CA
OSG CA has two components:
– Web-based front-end service hosted at GOC OIM. This is where users will interact with the OSG CA. All of the CA services will be accessed via the OIM website. End users, system admins and RA Agents/GridAdmins, basically everyone, will interact only with this interface.
– Back-end services provided by DigiCert CA. These perform the CA services: issuance and revocation. They are invisible to OSG users. You will never need to interact directly with DigiCert CA.
OSG CA services are accessible via the GOC OIM web site.
Command line scripts are designed for host/service certificates. There are no command line tools for end users.

Impacts of the Transition
It will have an impact on everyone who uses certs for authentication: end users, system admins, RA Agents/GridAdmins.
End users:
– Need to obtain certs from OSG CA.
– The new certificate Distinguished Name (DN) is DIFFERENT from DOEGrids CA cert DNs.
– Need to register the new certificate DN with all the services that do access control based on certs: VOMS, twikis, any VO services that use certs (e.g. for CMS: Phedex, siteDB, twiki, etc.). Check with your VO manager for a complete list.
– Test the new cert: try accessing grid resources and web resources with the new cert.

Impacts of the Transition
System admins:
– Need to obtain host and service certs from OSG CA.
– If you have GridAdmin privileges, then check the impacts on the GridAdmins on the next slide.
– New command line tools to request certs. Explained at lineClients lineClients
– Import the new trust roots into your /etc/grid-security/certificates directory. If you get the latest OSG CA bundle, this is already taken care of.
– If you have access control on your services, make sure you register the new user DNs with your services' white list.
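Added example (not part of the original slides or of any OSG tooling): a Python check a system admin could run over a DN white list to see which accounts still have only a DOEGrids DN registered and would lose access once that cert expires. The grid-mapfile-style line format, the DOEGrids DN prefix, and every sample DN below are assumptions constructed for illustration.

```python
import shlex
from collections import defaultdict

# Assumption: DN prefix of certs issued by the outgoing CA (not given on the slides).
LEGACY_PREFIX = "/DC=org/DC=doegrids/"

# Constructed sample white list, one entry per line: "<DN>" <local account>
SAMPLE_WHITELIST = '''
# constructed entries, not real users or hosts
"/DC=org/DC=doegrids/OU=People/CN=Alice Example 111111" alice
"/DC=org/DC=example-new-ca/OU=People/CN=Alice Example 42" alice
"/DC=org/DC=doegrids/OU=People/CN=Bob Example 222222" bob
"/DC=org/DC=example-new-ca/OU=People/CN=Carol Example 7" carol
"/DC=org/DC=doegrids/OU=Services/CN=host/ce.example.org" svc
'''

def parse_whitelist(text):
    """Return {account: [DN, ...]}; skip blanks and comments, reject malformed lines."""
    accounts = defaultdict(list)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)  # keeps a quoted DN with spaces as one field
        if len(fields) != 2 or not fields[0].startswith("/"):
            raise ValueError(f"line {lineno}: expected '\"<DN>\" <account>'")
        accounts[fields[1]].append(fields[0])
    return dict(accounts)

def transition_report(accounts, legacy_prefix=LEGACY_PREFIX):
    """Group accounts by whether their registered DNs are old-CA, new-CA, or both."""
    prefix = legacy_prefix.lower()
    report = {"legacy_only": [], "both": [], "new_only": []}
    for account in sorted(accounts):
        flags = [dn.lower().startswith(prefix) for dn in accounts[account]]
        if all(flags):
            report["legacy_only"].append(account)  # new DN still to be registered
        elif any(flags):
            report["both"].append(account)         # old entry removable after expiry
        else:
            report["new_only"].append(account)
    return report

if __name__ == "__main__":
    for group, names in transition_report(parse_whitelist(SAMPLE_WHITELIST)).items():
        print(f"{group}: {', '.join(names) or '-'}")
```

Accounts listed under legacy_only are the ones to follow up on before their DOEGrids certs expire.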

Impacts of the Transition
Registration Authority Agent (RA Agent)/GridAdmin (GA):
– If you played the RA Agent or GA role in DOEGrids CA, you should continue to play these roles with OSG CA.
– Take the OSG RA Agent/GA training available online.
– Please let me know if you have not enrolled with OSG CA.
GridAdmins:
– Special system admins who can request and approve host/service certificates for their domains in large numbers without any intervention, all automated.
– Functionalities are preserved, but the command line interface has changed.

Questions?