Federated Access to Storage EGI CF 2012 Luke Howard, Daniel Kouril, Michal Prochazka

Project Moonshot

Moonshot technologies
Moonshot builds on the eduroam technologies:
- EAP (RFC 3748): strong mutual authentication
- RADIUS (RFC 2865): federation between domains
To this, Moonshot adds SAML, for rich authorisation semantics.
Integration using operating system security APIs:
- SSPI: Windows
- GSS-API (RFC 2078): other operating systems
- SASL (RFC 4422): Windows and other operating systems

Deployment requirements
Many organisations are nearly Moonshot-ready today:
- A connection to eduroam
- A RADIUS server (any modern RADIUS product should support pre-production testing today). There is also an experimental capability to integrate FreeRADIUS with the Shibboleth IdP
- Moonshot client and server plug-in
  – Linux: packaging available for Debian & RHEL; Scientific Linux soon
  – Windows: native support using prototype plugin
  – Mac: packaging complete for Snow Leopard and Lion
- Moonshot Identity Selector to facilitate the selection of an identity to use, for GUI environments (Windows, Mac & Linux)

Architecture
Components in the diagram: SSH client, SSH server, RADIUS server. Steps:
(1) Credentialing
(2) SSH negotiation
(3) Authentication
(4) RADIUS
(5) Attributes
(6) SSH session
OpenSSH used as example of application; many others also apply.
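In step (4) the SSH server, acting as a RADIUS client, forwards the EAP exchange to the RADIUS server. The following is an added example, not Moonshot project code: it builds a RADIUS Access-Request carrying an EAP-Message and checks the Message-Authenticator that RFC 3579 requires on such requests, rejecting a request where the attribute is missing or the packet was modified in transit. The shared secret, identity and Request Authenticator are constructed values.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ATTR_USER_NAME = 1, 1                  # RFC 2865
ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 79, 80  # RFC 3579


def attr(atype, value):
    # One RADIUS attribute: Type (1 byte), Length (1 byte, includes header), Value
    return bytes([atype, len(value) + 2]) + value


def build_access_request(secret, ident, request_auth, user_name, eap_packet):
    # Access-Request carrying an EAP packet. Message-Authenticator is
    # HMAC-MD5(secret, whole packet) computed with its own value set to zeros.
    body = attr(ATTR_USER_NAME, user_name) + attr(ATTR_EAP_MESSAGE, eap_packet)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body) + 18) + request_auth
    unsigned = header + body + attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    mac = hmac.new(secret, unsigned, hashlib.md5).digest()
    return header + body + attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


def verify_access_request(secret, packet):
    # True only for a well-formed Access-Request whose Message-Authenticator
    # verifies. RFC 3579 mandates the attribute whenever EAP-Message is present
    # and says a request lacking it must be silently discarded; we require it always.
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return False
    pos, ma_pos = 20, None
    while pos < length:  # walk the TLVs, rejecting truncated or oversized ones
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            return False
        if packet[pos] == ATTR_MESSAGE_AUTHENTICATOR and packet[pos + 1] == 18 and ma_pos is None:
            ma_pos = pos
        pos += packet[pos + 1]
    if ma_pos is None:
        return False
    zeroed = packet[:ma_pos + 2] + bytes(16) + packet[ma_pos + 18:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[ma_pos + 2:ma_pos + 18])
```

The same check applies to the Access-Challenge and Access-Accept replies, except that the HMAC is then computed over the packet with the Request Authenticator of the matching request in the Authenticator field.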

Application support
- Most modern applications use at least one of the security APIs supported by Moonshot
- Correctly written applications will ‘just work’ without modification or recompilation
- Less correctly written applications may require minor modifications
- Project Moonshot is testing applications and sending patches upstream

PuTTY → OpenSSH

IE → Apache

Outlook 2010 → Exchange 2010

Examples of other tested scenarios
- OpenSSH client → OpenSSH server (GSS)
- OpenLDAP client → OpenLDAP server (SASL)
- OpenLDAP client (GSS) → Windows Active Directory (SSPI)
- Firefox → Apache (GSS)
- Internet Explorer → IIS (SSPI)
- MyProxy client → MyProxy server (SASL)
- Adium → Jabberd (SASL)
- Console authentication using PAM/GSS on Linux and SSPI on Windows

Standardisation
The architecture is currently being standardised within the IETF’s ‘Abfab’ working group. See https://datatracker.ietf.org/wg/abfab for documents.
The key documents are:
- draft-ietf-abfab-arch, describing the high-level architecture
- draft-ietf-abfab-gss-eap, describing the core “GSS EAP” technology
- draft-ietf-abfab-aaa-saml, describing the use of SAML

Get involved!
- The project is a Janet-led initiative, with contributions from GÉANT and others
- Case studies can be found at [link not preserved in transcript]
- [link not preserved in transcript] describes installing, configuring and using Moonshot
- An installable Live DVD (Debian-based) is available, in addition to Debian, CentOS and Scientific Linux packages
- [address not preserved in transcript] is our community mailing list
- We also have a Jabber room at [address not preserved in transcript]

Technology pilot
1. To test the suitability of the Moonshot technology for deployment, focusing on e-Research use cases
2. To identify what further work is needed to support the wider community’s use of the technology
3. To plan, implement or support this additional work

Current status
- Pilot sites connected to Janet’s eduroam infrastructure
- Software ready for pre-production testing only
- Production-quality environment due imminently
- IETF standardisation approaching completion: the core documents are approaching Last Call status, so likely to be complete by H
- On-going discussions with OS and application vendors

Future plans

The next six months
The primary activities will be:
- Continuation of the existing Technology Pilot
- Improvement and refinement of core software
- Outreach to other stakeholders
- Development of the final element needed for a production-ready service
- Completion of standardisation

Conclusions
- Moonshot provides a standardised next-generation identity & trust technology
- Moonshot builds on widely deployed technologies and infrastructure
- Moonshot provides a cross-platform implementation ready for pre-production testing
- Moonshot will provide the trust & identity platform for Janet’s services

Federated Access to NFS

NFSv4
- Distributed file system
  – Successor of versions 1-3, IETF standards
  – Several implementations available
- Security implemented using GSS-API
  – User-space daemons and kernel
- Authentication of
  – Mounts (machine)
  – Access to data (user)

Moonshot in NFSv4
- Adaptations to NFSv4 daemons
  – Both client and server had to be changed
  – Worked around the Kerberos dependency
- Kernel code still requires "Kerberos"
  – Moonshot adaptations pretend to be Kerberos
  – User-space tools specify Kerberos
- Stability of code not sufficient
  – Caching of GSS contexts causes trouble

Pilot NFSv4 deployment
- EGI RADIUS server
  – Accepts any IGTF certificate, including RFC proxies
  – Returns the (canonicalised) DN as the username
- NFSv4 server
  – Via the EGI RADIUS server it accepts any user with an IGTF credential
  – No automated username mapping at the moment
- NFSv4 clients
  – Source code available from GitHub
  – Moonshot-proxy-init to create proxy certificates
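Since the RADIUS server hands the NFS server a DN as the username and the pilot has no automated mapping yet, one missing piece is a DN-to-account mapping that treats a proxy certificate (RFC 3820 or legacy Globus style) as its end-entity owner and rejects unknown DNs instead of accepting them. The following is an added example, not the pilot's code; the grid-mapfile contents are constructed, and the canonicalisation rules are an assumption rather than those of the EGI RADIUS server.

```python
import re

# Constructed grid-mapfile in the Globus format: quoted DN, then the local account.
GRID_MAPFILE = '''\
"/DC=org/DC=example/O=Lab/CN=Alice Example" alice
"/DC=org/DC=example/O=Lab/CN=Bob Example" bob
'''

# Trailing CN components added by proxy certificates: RFC 3820 proxies append a
# numeric serial, legacy Globus proxies append "proxy" or "limited proxy".
PROXY_RDN = re.compile(r"^CN=(\d+|proxy|limited proxy)$")


def canonical_dn(dn):
    # Normalise attribute-type case and stray whitespace so two spellings of the
    # same DN compare equal (assumed rules; attribute values keep their case).
    rdns = []
    for part in dn.strip().strip("/").split("/"):
        key, _, value = part.partition("=")
        rdns.append(key.strip().upper() + "=" + " ".join(value.split()))
    return "/" + "/".join(rdns)


def strip_proxy_rdns(dn):
    # Peel proxy CNs off the end until the end-entity subject remains, so a proxy
    # chain of any depth maps to the same account as the real certificate.
    parts = canonical_dn(dn).strip("/").split("/")
    while len(parts) > 1 and PROXY_RDN.match(parts[-1]):
        parts.pop()
    return "/" + "/".join(parts)


def load_mapfile(text):
    mapping = {}
    for line in text.splitlines():
        m = re.match(r'^\s*"([^"]+)"\s+(\S+)\s*$', line)
        if m:
            mapping[canonical_dn(m.group(1))] = m.group(2)
    return mapping


def map_username(radius_user_name, mapping):
    # Local account for the DN asserted by the RADIUS server, or None; an unknown
    # DN gets no implicit account, which is the safe default for a shared server.
    return mapping.get(strip_proxy_rdns(radius_user_name))
```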

Possible scenarios
- Gridified remote file system
  – Users with IGTF credentials can share data
  – Single identity domain
- Federated remote file system
  – Users with eduroam credentials can share data
  – Possibly multiple identity domains
- Scenarios could be combined
  – Ideally utilising additional attributes for authZ

Q & A