Jens Jensen EU Grid PMA, Berlin Jan 2015

Slides:



Advertisements
Similar presentations
Robots Jens Jensen, STFC RAL GridNet2/ UK e-Science CA /NGS/GridPP/
Advertisements

Template Profile Jens Jensen, STFC RAL GridNet2/ UK e-Science CA OGF22 Boston.
Combining the strengths of UMIST and The Victoria University of Manchester Adapting to Federated Identity SHEBANGS Shibboleth Enabled Bridge to Access.
Jens G Jensen CCLRC e-Science Single Sign-on to the Grid Federated Access and Integrated Identity Management.
ASPiS - Architecture for a Shibboleth-Protected iRODS System Mark Hedges, Tobias Blanke Centre for e-Research, Kings College London Adil Hasan, Jens Jensen.
Author - Title- Date - n° 1 Partner Logo Authentication John Gordon GridPP 2 nd May 2002.
Contrail and Federated Identity Management
30-Jan-03D.P.Kelsey, GridPP Security1 Security GridPP6 30 Jan 2003 Coseners House David Kelsey CLRC/RAL, UK
Joining the Grid Andrew McNab. 28 March 2006Andrew McNab – Joining the Grid Outline ● LCG – the grid you're joining ● Related projects ● Getting a certificate.
WLCG Security TEG, risks and Identity Management David Kelsey GridPP28, Manchester 18 Apr 2012.
CA Stuff Jens Jensen Dave Meredith John Kewley GridPP31, Imperial, London Sept
Here Come the Feds Federated identity management: the consumer’s perspective Jens Jensen, STFC On behalf of EUDAT AAI TF EGI CF Manchester April 2013.
Tweaking the Certificate Lifecycle for the UK eScience CA John Kewley NGS Support Centre Manager & Service Manager for the UK e-Science CA
CILogon OSG CA Mine Altunay Jim Basney TAGPMA Meeting Pittsburgh May 27, 2015.
On Robots J Jensen STFC Rutherford Appleton Lab OGF 20, Manchester, May 2007.
Evolution of the Open Science Grid Authentication Model Kevin Hill Fermilab OSG Security Team.
ShibGrid: Shibboleth access to the UK National Grid Service University of Oxford and STFC.
Supporting further and higher education The Akenti Authorisation System Alan Robiette, JISC Development Group.
KISTI Grid CA Status Report Korea Institute of Science and Technology Information Sangwan Kim Jae-Hyuck Kwan
CertWizard: a New Certificate Tool for the UK NGI User Community John Kewley ( ), Jens Jensen, David Meredith and Akay Okcun 16/11/20151EGI.
Oxford University e-Science Centre 1 Managing Access 4 Dec Managing Access to Resources on the Grid 4 December 2002.
Jens G Jensen UK e-Science Alternative CA software Jens G Jensen UK e-Science CA Rutherford Appleton Laboratory.
INFSO-RI Enabling Grids for E-sciencE EGEE Induction Grid training for users, Institute of Physics Belgrade, Serbia Sep. 19, 2008.
Shibboleth & Grid Integration STFC and University of Oxford (and University of Manchester)
On Robots J Jensen STFC Rutherford Appleton Lab Banff, July 2007.
NECTEC-GOC CA The 3 rd APGrid PMA face-to-face meeting. June, Suriya U-ruekolan National Electronics and Computer Technology Center, Thailand.
Security Policy Update WLCG GDB CERN, 14 May 2008 David Kelsey STFC/RAL
WLCG Authentication & Authorisation LHCOPN/LHCONE Rome, 29 April 2014 David Kelsey STFC/RAL.
8-Mar-01D.P.Kelsey, Certificates, WP6, Amsterdam1 WP6: Certificates for DataGrid Testbeds David Kelsey CLRC/RAL, UK
A New UK CA Portal David Meredith Jens Jensen John Kewley.
OSG Security: Updates on OSG CA & Federated Identities Mine Altunay, PhD OSG Security Team OSG AHM March 24, 2015.
TR-GRID CA Self-Auditing Results and Status Update EUGridPMA Meeting September 12-14, 2011 Marrakesh Feyza Eryol, Onur Temizsoylu TUBITAK-ULAKBIM
UK e-Science Certification Authority Self Audit Jens Jensen EUGridPMA meeting, Berlin.
Jens' obligatory soap box Can't be a PMA without a SoapBox A random collection of Soapy things Nicosia, Jan 2009.
UK eScience CA and JANET Certificate Service David Kelsey & Jens Jensen STFC-RAL EUGridPMA Poznan, 9 Sep 2014.
29 th EUGridPMA meeting, September 2013, Bucharest AEGIS Certification Authority Dušan Radovanović University of Belgrade Computer Centre.
Seifenkasten Jens Jensen Berlin PMA, Jan Jens Jensen, STFC/RAL CA processes – overview Key generation and storage (qv) Receiving requests (CSR,
Soapbox (S-Series) Certificate Validation Jens Jensen, STFC.
Self-Audit & Status Report for KEK GRID CA Hiroyuki Matsunaga KEK (High Energy Accelerator Research Organization), Computing Research Center APGridPMA.
PKGrid CA Self-Audit 2012 Adeel-ur-Rehman Mansoor Sheikh.
IRAN-GRID CA Self Audit IRAN-GRID CA Self Audit Report Shahin Rouhani IRAN-GRID Tehran Iran Shahin Rouhani Grid Computation Group IPM, Tehran, Iran May.
David Kelsey CLRC/RAL, UK
Gridpp37 – 31/08/2016 George Ryall David Meredith
P-p-pick up a Pathfinder
J Jensen, STFC hepsysman, June 2017
J Jensen, STFC Chief Soapbox Officer 23 May 2017
AEGIS Certification Authority
Classic X.509 AP updates (v4.1)
UGRID CA Sergii Stirenko, Oleg Alienin
UK e-Science CA Update J Jensen, STFC 31 Jan 2017.
AAAI Pathfinder J Jensen, STFC 031 Oct,
Jens Jensen, STFC Sep EUGridPMA Manchester
Virtual Face to Face Meetings for ID-check
CRC exercises Not happy with the way the document for testbed architecture is progressing More a collection of contributions from the mware groups rather.
Tweaking the Certificate Lifecycle for the UK eScience CA
Organized by governmental sector (National Institute of information )
Jens Jensen, STFC 15 Sep GridPP39, Lancaster
Grid Security M. Jouvin / C. Loomis (LAL-Orsay)
UK e-Science CA and JCS Migration Status
The Case for HLCA Revisited
MaGrid CA Self audit and update
AuthN Middleware Requests
Non-Resident Tuition Exception
Preventing Privilege Escalation
The JISC Core Middleware Call
Emir Imamagić University Computing Centre (Srce)
Bill Yau HKU Grid Certificate Authority (HKU Grid CA) Self Audit & Status Report Bill Yau
MyIFAM CA Self-Audit Report APGridPMA F2F Meeting 1/4/2019
HKU Grid Certificate Authority (HKU Grid CA) CP/CPS Reviewer’s Comments Bill Yau
BG.ACAD CA Self-audit report 2018
Presentation transcript:

Jens Jensen EU Grid PMA, Berlin Jan 2015 UK e-Science CA update Jens Jensen EU Grid PMA, Berlin Jan 2015

Great Leap Forward - Overview New CA code: CertWizard, caportal CertWizard meant to support workflow (unlike browsers) caportal: browser support via javascript 3x Command line client (& bulk) support One part of CA, CertSorcerer (IC), Manchester New CP/CPS – rewrite everything Except data protection Common Policy for all CAs Short CPS

Auto-checks your certificate status; rekey post expiry

Request and key generated in javascript and pasted into and out of files

Great Leap Forward - Overview Modernise extensions (We had nsCertType and MD5-signed CRLs) Support post-expiry rekeying Re-engineer BC/DR Close off OpenCA-based code (old) For: Users, RAs, CA ops Address issues found in self audits (September 2009), January 2014 C/D were cert and CRL profile (GFD.225)

Great Leap Forward - Overview Address HSM (lack of) support Expensive, no strong business case Considered buying new HSM 2A is generated in HSM, 2B is imported (Case for discontinuing 2A?) 2A online, 2B semi-online SARoNGS  IOTA SARoNGS is generated in HSM, too; may rekey Number of RAs non-decreasing

An opportunity to migrate certificates to JCS JCS - Overview An opportunity to migrate certificates to JCS Online signing Certificate issuances becomes S.E.P. Not a takeover, but a collaboration between STFC and JANET to do it if it can be done

JISC (JANET) Certificate Service JCS - Overview JISC (JANET) Certificate Service Migrate CA to JCS – if possible Need to support Personal certificates – how are users authenticated Host certificates – at a cost of £0/cert Service certificates – still needed? Robot certs – <10 distinct robots Need graceful migration DNs will change, though Discussions started 1 year ago

Timescale for full handover JCS - Overview Timescale for full handover If successful, could terminate UK e-Science CA by ~Jan 2018 (estimate) JCS already active but not doing UK e-Science UK e-Science CA will continue as long as needed At least for the time being But lack of funding makes JCS attractive

Eventually should have UKAMF identity(?) Other methods JCS – Identity Mgmt Eventually should have UKAMF identity(?) Need for CN and email for personal Other methods Interim: use existing RAs? (and current identity papers) Will mean DN migration (subst root?) Need something different for hosts Will we use Moonshot at some point? Need a suitable COI defined (and trustrouter)

Investigating linking UK e-Science CA to JCS JCS - Overview Investigating linking UK e-Science CA to JCS Trust/Link, CA’s API Continue support via CW, CAPortal Online signing (DNs will change?)

Stakeholder communication Migration Issues Stakeholder communication GridPP (and other RPs), PMA, TAG, Migration Support all types of certificates Support existing interfaces Support bulk requests Processes change Changes of names (cf. RA migration discussion) Cost of obtaining certificates

Future Perspectives: Either Or (or in between) Still running a CA by 2020… As long as GridPP needs it People migrating to JCS, or switch to federations? What is the role of SARoNGS? Everything handed over Terminated by (say) 2018 CA Emeritus…

Draft Timescale (Separate)

GridPP and DiRAC and bears, oh my Group management and authorisation UK e-I Sec & AM WG GridPP and DiRAC and bears, oh my Shibboleth and Proxy and bears, oh my Group management and authorisation Documented by AC New bioinformatics – need AAI

September 2009

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.