Academia Sinica Grid Computing Certification Authority F2F interview (Malaysia)

Agenda
- ASGCCA introduction
- The user/host certificate request
- RA (Registration Authority)
- User Responsibilities
- VOMS
- VOMS procedure
- ASGC VOMS services

Introduction
- The ASGCCA is located at Academia Sinica Grid Computing Centre in Taiwan and has been running since July
- It is managed by Academia Sinica Grid Computing Centre
- It provides X.509 certificates to support a secure environment in grid computing.

End Entity and Certificate Type
End Entities:
- Users of Academia Sinica Grid Computing Centre
- Users of Domestic/International Grid-based Application/Projects
Certificate Type:
- User Certificate: C=TW, O=AS, OU=GRID, CN=Joen Yi Jian
- Host Certificate: C=TW, O=AS, OU=GRID, CN=ca.grid.sinica.edu.tw

Identification and Authentication
User certificate:
- Subscriber must submit his/her application form, signed with the Request Authority's signature, via fax to ASGCCA
- Request Authority (RA) will contact the applicant via a face-to-face meeting
Host certificate:
- Requests must be signed with a valid personal ASGCCA certificate
- RA will check the FQDN of the host before issuing the certificate

Key Generation
- The private key is generated by the browser on the user's machine.
- The CA will never generate a private key on the user's behalf.
- The CA has no access to the users' private keys.

Key Restriction
Key Length:
- ASGCCA private key is 2048 bits
- User private key must have at least 1024 bits
- Host private key must have at least 1024 bits
Pass phrase:
- The pass phrase of the CA's private key is at least 15 characters
- The pass phrase of an end entity's private key is at minimum 8 characters.
- Protect the pass phrase from others

Certificate Restriction
Certificate lifetime for:
- ASGCCA certificate is five years
- user certificate is one year
- host certificate is one year
User certificate should not be shared.
The certificate issued by ASGCCA must not be used for financial transactions.

Certificate Revocation
Circumstances for Revocation:
- The entity's private key is lost or suspected to be compromised.
- The information in the entity's certificate is suspected to be inaccurate.
- The entity terminates services.
- The entity violated its obligations.

CRL Policy
CRL (Certificate Revocation List):
- The lifetime of the CRL is 30 days
- The CRL is updated immediately after every revocation
- The CRL is reissued 7 days before expiration even if there have been no revocations
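
An added example, not part of the original slides or ASGCCA's own tooling: a Python check a relying party or auditor could run against a published CRL to see whether it follows the three rules on this slide. It assumes the dates come from `openssl crl -noout -lastupdate -nextupdate`; the function names and the sample dates are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

CRL_LIFETIME = timedelta(days=30)   # "The lifetime of CRL is 30 days"
REISSUE_MARGIN = timedelta(days=7)  # "reissued 7 days before expiration"


def parse_openssl_dates(text):
    """Parse the lastUpdate=/nextUpdate= lines printed by
    `openssl crl -noout -lastupdate -nextupdate` into UTC datetimes."""
    fields = dict(line.split("=", 1) for line in text.strip().splitlines())
    def to_dt(value):
        dt = datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y GMT")
        return dt.replace(tzinfo=timezone.utc)
    return to_dt(fields["lastUpdate"]), to_dt(fields["nextUpdate"])


def check_crl(this_update, next_update, now, last_revocation=None):
    """Return policy findings for one published CRL (empty list = healthy)."""
    findings = []
    if next_update - this_update > CRL_LIFETIME:
        findings.append("lifetime-exceeds-30-days")
    if now >= next_update:
        findings.append("expired")
    elif now >= next_update - REISSUE_MARGIN:
        findings.append("reissue-due")
    # The CRL must be updated immediately after every revocation, so a
    # revocation newer than lastUpdate is missing from the published list.
    if last_revocation is not None and last_revocation > this_update:
        findings.append("revocation-not-published")
    return findings


# Constructed sample in openssl's output format (not real ASGCCA data).
SAMPLE = """lastUpdate=Mar  1 00:00:00 2010 GMT
nextUpdate=Mar 31 00:00:00 2010 GMT"""


def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


if __name__ == "__main__":
    issued, expires = parse_openssl_dates(SAMPLE)
    print(check_crl(issued, expires, utc(2010, 3, 10)))
    print(check_crl(issued, expires, utc(2010, 3, 25)))
    print(check_crl(issued, expires, utc(2010, 3, 10), utc(2010, 3, 5)))
```

A CRL still being served inside the 7-day window means the scheduled reissue was missed, which is worth alerting on before relying parties start rejecting certificates at expiry.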

Staff Contact Information
Jinny Chien
Phone:
Fax:
Mail Box: Nankang PO BOX 1-8 Taipei, Taiwan
Address: 128, Sec. 2, Academic Rd., Nankang, Taipei, Taiwan 11529

Certificate Request
- User generates public/private key pair in browser.
- User sends public key to CA and shows RA proof of identity.
- CA signature links identity and public key in certificate.
- CA informs user.
(Diagram labels: Private Key encrypted on local disk; Cert Request; Public Key; ID; Cert; CA root certificate)

User Certificate Request
(Diagram actors: Applicant; RA/CA staff; CA server (Offline); CA website (Online))
1. Applicant downloads the application from the ASGCCA website
2. RA staff confirms the applicant's identity in person
3. Applicant sends the application form and faxes it to the CA manager
4. Applicant creates the CSR request on the CA website
5. CA manager issues the certificate on the CA server (offline) and puts it on the CA website
6. CA manager sends the notification to the applicant and the applicant picks up the new certificate

Host Certificate Request
(Diagram actors: applicant; CA website; CA manager)
1. Applicant gets his/her user certificate from the CA manager
2. Applicant puts the user certificate into the browser
3. Access the ASGCCA webpage and complete the online request
4. CA manager will issue the host certificate once the FQDN is received

ASGCCA RA Qualification
RA (Registration Authority)
- One RA per institute
- Permanent staff readily available on site
- Photo ID
- Work ID
- Officially recognized International/National ID
- Read CP/CPS and agree to RA responsibilities

RA Responsibilities
- Verify user identities
- Assist users with CA service requests and issues
- Inform CA if the RA will leave their organization
  - Recommend new RA
- Maintain RA activity records
  - Used for RA auditing
- Inform CA when certificates need to be revoked
  - Certificate compromise
  - User leaves institution
- Inform CA of changes to contact information of RA and users

ASGC RA contact

Walk Through
- Homepage
- Apply for user certificate steps: http://ca.grid.sinica.edu.tw/certificate/request/request_user_cert.html
- Apply for RA status steps: http://ca.grid.sinica.edu.tw/certificate/request/request_ra.html
- Apply for host certificate steps: http://ca.grid.sinica.edu.tw/certificate/request/request_host_cert.html

Apply for user certificate checklist
- Read and understand ASGCCA CP/CPS
- RA's signature on application
- Fax the application and send a notification to
- Generate CSR file via CA website

Request a user certificate
The user application process:
- User needs to fax to CA:
  - application form
  - Photocopies of work and official ID
- User creates a CSR file on the CA web server
- For organizations outside of Taiwan, select:
  - "TW" for country
  - "AP" for Organization
- The user's private key will be stored in the browser
- Use the same machine to retrieve the certificate

User Responsibilities
- Keep your private key secure – on USB drive only
- Do not share your certificate with anyone.
- Please contact the CA or RA if there is any question about your certificate.
- Do not launch a delegation service for longer than your current task needs.
If your certificate or delegated service is used by someone other than you, it cannot be proven that it was not you.

What is VOMS
- VOMS is a system to classify users that are part of a Virtual Organization (VO) on the basis of a set of attributes that will be granted to them upon request, and to include that information inside Globus-compatible proxy certificates.
- voms-proxy-init

The VOMS procedure
- Make sure you have a user certificate first.
- User must send a request to
- Provide the following items when requesting to join the Twgrid or Apesci VO:
  - User name
  - The date of request
  - Country
  - Which VO you want to join (Twgrid or Apesci)
  - The reason for joining this VO
  - Which site you are associated with
    - Please refer to the site information of APROC via
- VO manager will approve or deny the request.
- Once that is complete, please go to the VOMS web page and fill in the registration information.

ASGC VOMS service
- Before you make a request, please read the AUP rule.
- AUP (Acceptable User Policy)
  - Twgrid:
  - Apesci:
- VOMS service

The End