OSG PKI Transition: Status and Next Steps (and Lessons Learned) Von Welch OSG PKI Transition Lead Indiana University Center for Applied Cybersecurity Research.
OSG AHM, March 13, 2013

Key Message

The DOE Grids CA stops issuing new certificates on March 23rd (in 10 days). VOs should already have:
1) enrolled with the new OSG PKI;
2) prepared to handle new user identities (DNs);
3) updated documentation and processes.

Project Overview and Goals

DOE/ESnet has announced the shutdown of the DOE Grids CA. OSG is transitioning that CA functionality to an OSG service. In coordination with ESnet, the project goal is to manage a smooth transition of PKI functionality to the new OSG service.

Community-wide Responsibilities

Previously ESnet, and now OSG, sets policy and process and provides the mechanism to issue certificates. VOs and RPs continue to vet their user communities and to authorize based on certificates.

What VOs need to do

- Enroll RAs with the OSG PKI.
- Be prepared to handle changing user identities (DNs): a user who moves to the new CA presents a different subject DN, so authorization data keyed on the old DN must be updated.
- Update documentation and internal processes.
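The DN-handling item above is the one with a concrete mechanical consequence for a VO or site: any authorization file keyed on the certificate subject, such as a grid-mapfile, needs an entry for the new DN. The script below is an added example (not OSG code and not from these slides) that adds the new-CA DN for each mapped user alongside the old one rather than replacing it, because the old CA has only stopped issuing, so certificates it already issued stay valid until they expire or the CA is dropped from trust stores, and users may present either during the overlap. The grid-mapfile line format (quoted DN, then local account) is the standard one; the sample file, the DN values and the old-to-new correspondence are constructed for the example, and a real correspondence would come from the VO's RA records. It also reports old-CA DNs that have no replacement yet, which is the list of users who will lose access when their current certificate expires.

```python
"""Add new-CA subject DNs to a grid-mapfile without dropping the old ones."""
import shlex
from typing import Dict, List, Tuple

Entry = Tuple[str, str]  # (subject DN, local account)

# Constructed sample grid-mapfile (example input, not from the OSG page).
SAMPLE_GRIDMAP = '''\
# subject DN                                              local account
"/DC=org/DC=doegrids/OU=People/CN=Jane Doe 123456" janedoe
"/DC=org/DC=doegrids/OU=People/CN=Raj Patel 654321" rpatel
"/DC=org/DC=doegrids/OU=Services/CN=ce.example.edu" glow
'''

# Constructed old-DN -> new-DN correspondence. The DN shapes are assumptions for
# the example; in practice the new CA assigns a new CN suffix, so the mapping
# cannot be derived from the old DN and must come from the RA's enrollment records.
DN_MAP: Dict[str, str] = {
    "/DC=org/DC=doegrids/OU=People/CN=Jane Doe 123456":
        "/DC=com/DC=DigiCert-Grid/O=Open Science Grid/OU=People/CN=Jane Doe 9999",
    "/DC=org/DC=doegrids/OU=People/CN=Raj Patel 654321":
        "/DC=com/DC=DigiCert-Grid/O=Open Science Grid/OU=People/CN=Raj Patel 8888",
}

OLD_CA_PREFIX = "/DC=org/DC=doegrids/"


def parse_gridmap(text: str) -> List[Entry]:
    """Parse grid-mapfile lines; DNs are quoted because they contain spaces."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # honours the quoting around the DN
        if len(parts) != 2:
            raise ValueError(f"malformed grid-mapfile line: {raw!r}")
        entries.append((parts[0], parts[1]))
    return entries


def add_new_dns(entries: List[Entry], dn_map: Dict[str, str]) -> List[Entry]:
    """Append the new DN for every mapped old DN, keeping the old entry.

    Keeping both is deliberate: the old CA stopped *issuing*, it did not revoke
    what it issued, so a user holding an unexpired old certificate is still
    authenticating with the old DN. Re-running on the result is a no-op.
    """
    known = {dn for dn, _ in entries}
    merged = list(entries)
    for old_dn, account in entries:
        new_dn = dn_map.get(old_dn)
        if new_dn and new_dn not in known:
            merged.append((new_dn, account))  # same local account, new identity
            known.add(new_dn)
    return merged


def unmapped_old_dns(entries: List[Entry], dn_map: Dict[str, str],
                     old_prefix: str = OLD_CA_PREFIX) -> List[str]:
    """Old-CA DNs with no replacement yet: access ends when those certs expire."""
    return [dn for dn, _ in entries
            if dn.startswith(old_prefix) and dn not in dn_map]


def render_gridmap(entries: List[Entry]) -> str:
    """Serialize entries back into grid-mapfile syntax."""
    return "".join(f'"{dn}" {account}\n' for dn, account in entries)


if __name__ == "__main__":
    current = parse_gridmap(SAMPLE_GRIDMAP)
    merged = add_new_dns(current, DN_MAP)
    print(render_gridmap(merged))
    print("Old-CA DNs still without a new-CA mapping:")
    for dn in unmapped_old_dns(current, DN_MAP):
        print("  ", dn)
```

The host entry (OU=Services) is intentionally left unmapped in the sample: host certificates are requested separately and a VO's user mapping will not know their new names, which is exactly why the unmapped list is worth printing before the cut-over date.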

Resources

OSG PKI Service: idmanager.opensciencegrid.org
Manuals, how-tos, experiences:
Tomorrow:
- 9:45am: Security for administrators, RA, GA (IT-159)
- 11:00am: Ask the Experts (IT-152)

Status

The PKI is in operation:
- 39 VOs registered
- 300+ user certificates issued
- 350+ host requests handled (some for up to 50 certificates each)
- Web and command-line clients available
We are listening and learning what is missing or wrong in the new PKI.

Next Steps

Expect more missing features to be exposed as the 23rd approaches and passes. The OSG PKI operates at the strong (IGTF) level of assurance to enable collaboration with the EU and others. There is room for other solutions (e.g. CILogon) for those with lower security needs.

Lessons Learned

Not going to cover these today; they are included in the slides.

Contributors to the Transition

Mine Altunay, Jim Basney, Tim Cartwright, Alain Deximo, Jeremy Fischer, Soichi Hayashi, John Hover, Viplav Khadke, Christiane A. Ludescher-Furth, Ruth Pordes, Rohan Mathure, Robert Quick, Alain Roy, Chander Sehgal, Mátyás Selmeci, Anthony Tiradani, and John Volmer. Also thanks to Dhiva Muruganantham and Lauren Rotman of ESnet.

Conclusion

The DOE Grids CA stops issuing new certificates on March 23rd (in 10 days). VOs should already have:
1) enrolled with the new OSG PKI;
2) prepared to handle new user identities (DNs);
3) updated documentation and processes.

Lessons Learned

Project Phases

The project was divided into Pilot, Planning, Development, Deployment and Transition phases. This provided good checkpoints on the project. Perhaps a couple of phases too many? It was hard to get management engaged to review five times. One phase, at one month, was too short.

Underestimated VO Role in Transition

The VO is responsible both for vetting users when they enroll in the PKI and for consuming the certificates when they are used. We should have had a focused effort on VO impact, and on communicating it, from the project start. In particular, FNAL was central to many VOs.

VO Engagement Critical

Communication was via twiki, weekly calls and a mailing list. This worked well with those that engaged. More effort was needed to reach those that did not engage, both VOs and other OSG project teams. Not enough effort was budgeted for communication.

Collaboration with ESnet was Critical

Coordinated communications between the two organizations. Access to historical data about PKI usage. Deep insights into how the PKI was actually used.

We Don't Know How OSG Uses PKI

The DOE Grids CA was around for 10+ years with web and HTTP/REST interfaces, which produced a plethora of usage patterns and client tools. We still don't know how the PKI is used by all parties.

Use of Browser PKI Functionality

The DOE Grids PKI used the browser heavily to generate and renew keys. This caused many browser-version dependencies and issues. Following CILogon, the OSG PKI implemented key generation in OIM instead. This seems to have worked out well.

Everything is a VO?

Treating sites (Argonne, ORNL, etc.) as VOs seems to be working well. We initially thought of host certificate requests as an issue of domain (e.g. uiuc.edu) rather than of VO. This was probably wrong; these requests should have been VO-centric.

DigiCert (Commercial Vendor) Relationship

Nomenclature differed and took time to work through. Policy agreements were time consuming. The contract was complicated. We should have budgeted more time for all of the above.

Separation of Web (HTTPS) and Grid Certificates

By focusing our relationship with DigiCert on Grid certificates, and using a separate CA that does not issue certificates trusted by browsers, we made life much easier for all: we only have to meet IGTF policies and not CA/Browser Forum policies, a much lower bar. The downside is that OSG PKI certificates are not usable as browser-trusted web server certificates.

Bulk Request is a Very Special Case

Bulk requests for host certificates are not something PKIs outside the Grid support. This was the source of many interaction issues with DigiCert, with lots of tricky details. We should have scheduled more time and effort for this specific case.

Audit

We are now undergoing our first self-audit with DigiCert; this is a normal annual event. The audit is based on policy, and its questions indicate some differing interpretations of policy, which will be worked out. A test audit prior to implementation would have been useful.

If I Could Budget Over...

I would add effort for:
- Use case documentation and requirements
- QA/testing
- Documentation
- Communication/VO engagement
- Policy/legal/contracts

CLI Client Development

During development of the CLI clients, a release-early, release-often approach would have been better: the community wants RPMs, not head-of-SVN. OSG does not do software development, it does integration, and so has limited release, testing and similar processes. We should have established our own software processes as an independent team, and then wound them down after the transition.

PanDA/GridSite Issue

When ATLAS started testing, they discovered a show-stopping problem with PanDA. It turns out PanDA is not represented in the OSG Integration Test Bed (ITB). GridSite (a PanDA component) is known to be picky about PKI implementations. It should have been exercised early and often against the new PKI.

Using a Commercial CA

Using a commercial CA as the backend is a new model and was somewhat controversial. I still have no doubt it was the right choice: OSG deploying and operating its own CA, with all of the IGTF requirements, would easily have been more expensive.

Lessons Learned Caveat

It's not over yet; we certainly have more lessons to learn.

OSG PKI Reports

- Pilot Phase
- Planning Phase
- Development and Deployment Phases
- Transition Phase