Academia Sinica Grid Computing Certification Authority F2F interview (Malaysia )
Agenda ASGCCA Introduce The user/host certificate request RA (Registration Authority) User Responsibilities VOMS VOMS procedure ASGC VOMS services
Introduction The ASGCCA locates at Academia Sinica Grid Computing Centre in Taiwan and has been running since July It is managed by Academia Sinica Grid Computing Centre It provides X.509 certificate to support the secure environment in grid computing.
End Entity and Certificate Type End Entities: Users of Academia Sinica Grid Computing Centre Users of Domestic/International Grid-based Application/Projects Certificate Type User Certificate C=TW, O=AS, OU=GRID, CN=Joen Yi Jian Host Certificate C=TW, O=AS, OU=GRID, CN=ca.grid.sinica.edu.tw
Identification and Authentication User certificate: Subscriber must submit his/her application form sign with Request Authority’s signature via fax to ASGCCA Request Authority (RA) will contact applicant via face- to-face meeting Host certificate: Requests must be signed with a valid personal ASGCCA certificate RA will check the FQDN of the host before issuing certificate
Key Generation Private key is generated by browsers on the users’ machine. CA will never generate private key on user’s behalf. CA have no access to the users’ private key.
Key Restriction Key Length ASGCCA private key is 2048 bits User private key must have at least 1024 bits Host private key must has at least 1024 bits Pass phrase The pass phrase of CA’s private key is at least 15 characters The pass phrase of end entity’s private key is at minimum 8 characters. Protecting the pass phrase from others
Certificate Restriction Certificate Lifetime for ASGCCA certificate is five years user certificate is one year host certificate is one year User certificate should not be shared. The certificate issued by ASGCCA must not be used for financial transaction.
Certificate Revocation Circumstances for Revocation The entity’s private key is lost or suspected to be compromised. The information in the entity's certificate is suspected to be inaccurate. The entity terminate services. The entity violated its obligations.
CRL Policy CRL (Certificate Revocation List ) The lifetime of CRL is 30 days CRL is updated immediately after every revocation CRL is reissued 7 days before expiration even if there have been no revocations
Staff Contact Information Jinny Chien Phone: Fax: Mail Box: Nankang PO BOX 1-8 Taipei, Taiwan Address: 128, Sec. 2, Academic Rd., Nankang, Taipei, Taiwan 11529
Certificate Request Private Key encrypted on local disk Cert Request Public Key ID Cert User generates public/private key pair in browser. User sends public key to CA and shows RA proof of identity. CA signature links identity and public key in certificate. CA informs user. CA root certificate
User Certificate Request Applicant RA/CA staff CA server (Offline) CA website (Online) 1. Applicant download the application from ASGCCA website 2. RA staff confirms applicant’s identity in person 3. Applicant send the application from and fax it to CA manager 4. Applicant creates the CSR requests on CA website 5. CA manager issues the certificate on CA server (offline) and put it on CA website 6. CA manager sends the notification to applicant and applicant picks up new certificate
Host Certificate Request applicantCA website 1.Applicant gets his/her user certificate from CA manager 2.Applicant put the user certificate into the browser 3. Access the ASGCCA webpage and complete the online request 4. CA manager will issue the host certificate when received the FQDN CA manager
ASGCCA RA Qualification RA (Registration Authority) One RA per institute Permanent staff readily available on site Photo ID Work ID Officially recognized International/National ID Read CPCPS and agree to RA responsibilities
RA Responsibilities Verify user identities Assist users with CA service request and issues Inform CA if RA will leave their organization Recommend new RA Maintain RA activity records Used for RA auditing Inform CA when certificates needs to be revoked Certificate compromise User leaves institution Inform CA of changes to contact information of RA and users
ASGC RA contact
Walk Through Homepage Apply for user certificate steps r_cert.htmlhttp://ca.grid.sinica.edu.tw/certificate/request/request_use r_cert.html Apply for RA status steps htmlhttp://ca.grid.sinica.edu.tw/certificate/request/request_ra. html Apply for host certificate steps t_cert.htmlhttp://ca.grid.sinica.edu.tw/certificate/request/request_hos t_cert.html
Apply for user certificate checklist Read and understand ASGCCA CP/CPS RA’s signature on application Fax the application and send an notify to Generate CSR file via CA websiteCA website
Request a user certificate The user application process User needs to fax to CA application form Photo copies of work and official ID User creates a CSR file on the CA web server For organization outside of Taiwan, select: “TW” for country “AP” for Organization The user’s private key will be stored in the browser Use the same machine to retrieve the certificate
Authentication, Authorisation and Security 22 User Responsibilities Keep your private key secure – on USB drive only Do not share your certificate with anyone. Please contact the CA or RA if there is any question of your certificate. Do not launch a delegation service for longer than your current task needs. If your certificate or delegated service is used by someone other than you, it cannot be proven that it was not you.
What is VOMS VOMS is a system to classify users that are part of a Virtual Organization (VO) on the base of a set of attributes that will be granted to them upon request and to include that information inside Globus-compatible proxy certificates. voms-proxy-init
The VOMS procedure Make sure you have a user certificate first. User must send a request to Provide the following items when requesting to join Twgrid or Apesci VO User name The date of request Country Which VO do you want to join (Twgrid or Apesci) The reason of join this VO Which site are you associated Please refer to the site information of APROC via VO manager will approval or deny the request. After complete, please go to the VOMS web page and fill in the registration information.
ASGC VOMS service Before you request a requirment, please read the AUP rule. AUP( Acceptable User Policy) Twgrid: Apesci : VOMS service
The End