Operations Management Board 19th Dec. 2013

The eTokenServer (a standard-based solution developed by INFN Catania for central provisioning of robot credentials)
Giuseppe LA ROCCA, INFN - Catania, Italy, giuseppe.larocca@ct.infn.it

Outline
- Introduction to the “light-weight” crypto library: Java™ PKCS#11, Bouncy Castle and Java CoG Kits; VOMS-Admin APIs v.3.0; Apache Tomcat 7.0.27 as a Web Container; JAX-RS 1.2 Java APIs using the Jersey implementation
- The Architecture
- Accounting feature (with RFC proxies only)
- Usage Statistics
- Summary and Conclusions

Introduction to the “light-weight” crypto library: Java™ PKCS#11, Bouncy Castle and Java CoG Kits; VOMS-Admin APIs v.3.0; Apache Tomcat 7.0.27 as a Web Container; JAX-RS 1.2 Java APIs using the Jersey implementation

Some driving considerations …
- The standard-based crypto library interface has been designed to provide seamless and secure access to computing e-Infrastructures using robot certificates.
- The business logic of the library, deployed on top of an Apache Tomcat Application Server, combines different native programming interfaces and standards, such as: the “cryptoki” Java™ Cryptographic Token Standard Interface (PKCS#11) libraries, the open source BouncyCastle libraries, the Java CoG Kits APIs, the VOMS-Admin APIs, and RESTful technology (JSR 311).

SW packages adopted
- The Cryptographic Token Interface Standard (PKCS#11) is a standard introduced by RSA Data Security Inc; it defines native programming interfaces to access cryptographic tokens (hardware cryptographic accelerators, smart cards, …).
- The Bouncy Castle APIs provide support for creating two kinds of X.509 certificates (ver.1 and ver.3).
- The Java CoG Kits APIs allow users to provide Globus Toolkit functionality within their code without calling scripts, or in some cases without having Globus installed.
- VOMS-Admin APIs (ver. 3.0), developed in the context of the DILIGENT and D4Science projects, were used for interacting with the VOMS server and retrieving the list of groups/roles per VO.
- The JAX-RS (Java API for RESTful Web Services) specification presented in JSR 311 defines a standard way to deploy RESTful web services.

Application Server
- Deployed on Tomcat Application Server (v7.0.27)
- Caching of proxy certificates for each valid requestID (MD5SUM+vo+[fqan]+[options]): if lifetime(requestID) - 12h > 0, the cached proxy is sent to the Science Gateway
- Thread-safe access to the list of smart cards
- Evaluated performance of the server using Apache JMeter™: ~6-8 sec. waiting time for a new proxy, 20 msec. if the proxy is cached
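The caching rule and the serialised smart-card access on this slide are small enough to show end to end. The following is an added illustration written for this transcript, not code from the eTokenServer (whose library is Java); it is in Python, and the names ProxyCache, TokenPool, build_request_id and get_proxy are assumptions, as is the reading that MD5SUM is the digest of the robot certificate chosen for the request. The MD5 value is only a cache key here, not an integrity check.

```python
import hashlib
import threading
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Re-use a cached proxy only while more than 12 hours of lifetime remain
# (the slide's rule: lifetime(requestID) - 12h > 0).
REFRESH_MARGIN_S = 12 * 3600


def build_request_id(cert_pem: bytes, vo: str, fqan: str = "", options: str = "") -> str:
    """Cache key in the slide's shape MD5SUM+vo+[fqan]+[options].

    Assumption: MD5SUM is the digest of the robot certificate selected for the
    request. MD5 is used only as an identifier, never as an integrity check.
    """
    return "+".join([hashlib.md5(cert_pem).hexdigest(), vo, fqan, options])


@dataclass
class CachedProxy:
    pem: str
    expires_at: float  # Unix seconds


class ProxyCache:
    """Thread-safe cache of proxies keyed by requestID (hypothetical class)."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._entries: Dict[str, CachedProxy] = {}
        self._lock = threading.Lock()
        self._now = now

    def lookup(self, request_id: str) -> Optional[CachedProxy]:
        with self._lock:
            entry = self._entries.get(request_id)
            if entry is None:
                return None
            if entry.expires_at - self._now() - REFRESH_MARGIN_S > 0:
                return entry
            # Less than 12h left (or already expired): evict so a fresh proxy is made.
            del self._entries[request_id]
            return None

    def store(self, request_id: str, pem: str, lifetime_s: int) -> CachedProxy:
        with self._lock:
            entry = CachedProxy(pem, self._now() + lifetime_s)
            self._entries[request_id] = entry
            return entry


class TokenPool:
    """One lock per smart-card slot: a PKCS#11 session on a given token is never
    driven by two threads at once (hypothetical class)."""

    def __init__(self, slots) -> None:
        self._locks = {slot: threading.Lock() for slot in slots}

    def slot_lock(self, slot) -> threading.Lock:
        return self._locks[slot]


def get_proxy(cache: ProxyCache, pool: TokenPool, slot, request_id: str,
              generate: Callable[[object, str], str], lifetime_s: int) -> str:
    cached = cache.lookup(request_id)
    if cached is not None:
        return cached.pem               # the ~20 ms path on the slide
    with pool.slot_lock(slot):          # the ~6-8 s path: touches the smart card
        # Re-check under the slot lock: another thread may have just produced it.
        cached = cache.lookup(request_id)
        if cached is not None:
            return cached.pem
        pem = generate(slot, request_id)
        return cache.store(request_id, pem, lifetime_s).pem


def demo():
    """Constructed scenario with a fake clock; returns (generations, hit, regenerated)."""
    clock = [0.0]
    cache = ProxyCache(now=lambda: clock[0])
    pool = TokenPool(slots=[0, 1])
    calls = []

    def fake_generate(slot, request_id):
        calls.append((slot, request_id))
        return "-----BEGIN PROXY %d-----" % len(calls)   # constructed placeholder PEM

    rid = build_request_id(b"constructed robot certificate", "vo.example.org",
                           "/vo.example.org/Role=NULL")
    first = get_proxy(cache, pool, 0, rid, fake_generate, 24 * 3600)
    second = get_proxy(cache, pool, 0, rid, fake_generate, 24 * 3600)  # served from cache
    clock[0] = 13 * 3600          # 11 h left: below the 12 h margin, so regenerate
    third = get_proxy(cache, pool, 0, rid, fake_generate, 24 * 3600)
    return len(calls), first == second, third != first


if __name__ == "__main__":
    print(demo())
```

The second lookup under the slot lock matters under load: two gateways asking for the same requestID at the same moment would otherwise both pay the smart-card round trip, and the 12 h margin guarantees that a proxy handed out from the cache still covers a long-running job rather than expiring shortly after delivery.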

Hardware Tokens
- To reduce the risk of the robot certificate being compromised, different CAs decided to store this new certificate on Aladdin eToken USB smart cards
- Costs: eToken PRO 64KB € 49,00; eToken PKI Client € 15,90; eToken Shell € 2,00
- The Aladdin eToken smart card can hold several certificates: 4 certificates per eToken PRO 64KB; the PKI Client supports a maximum of 16 slots!
- A token PIN is prompted every time the user needs to interact with the smart card

The Architecture
- The typical working scenario
- The web interface (protected)
- Some statistics
- More info

The five-layer architecture of the “light-weight” standard-based crypto library

The typical working scenario…

The web interface (protected access)
Use the VOMS-Admin APIs to get the list of groups/roles

The web interface (protected access)

The web interface (protected access)

An experimental solution to account users of Robot Certificates
- Adding some user information (CN=…) for accounting aims (no security!) during the robot proxy generation process:
  /C=IT/O=INFN/OU=Robot/L=Catania/CN=Robot: Catania Science Gateway - Roberto Barbera/CN=Giuseppe La Rocca/CN=1388930209
- Only RFC proxies are supported (no legacy)
- The additional user information has to be provided by a portal:
  - No CN checks are implemented at VOMS level
  - Users could be known only by the portal
- Impact on EGI accounting is under evaluation
- Compliant with standards and security policies [1, 2]
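The subject line on this slide is what an accounting consumer would have to take apart, and the point the slide makes ("no security!") is that the user CN is asserted by the portal and checked by nobody in the chain. The parser below is an added example written for this transcript, not eTokenServer or VOMS code; it is Python rather than the library's Java, the names parse_openssl_dn, split_robot_proxy_subject, RobotProxyIdentity and accounting_record are assumptions, and it assumes the convention visible in the slide's example: the robot certificate's own subject ends at the first CN beginning with "Robot:", the portal-supplied user CN(s) follow it, and the trailing numeric CN is the RFC proxy's serial.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample in the exact shape of the subject shown on the slide.
SAMPLE_SUBJECT = ("/C=IT/O=INFN/OU=Robot/L=Catania"
                  "/CN=Robot: Catania Science Gateway - Roberto Barbera"
                  "/CN=Giuseppe La Rocca/CN=1388930209")

LEGACY_PROXY_CNS = {"proxy", "limited proxy"}   # pre-RFC (legacy) proxy markers
_RDN_SPLIT = re.compile(r"(?<!\\)/")            # split on '/' not preceded by a backslash


def parse_openssl_dn(dn: str) -> List[Tuple[str, str]]:
    """Parse an OpenSSL one-line DN ('/C=IT/O=INFN/...') into (type, value) pairs.
    Assumption: a '/' inside a value is escaped as '\\/' by the issuing portal."""
    if not dn.startswith("/"):
        raise ValueError("expected an OpenSSL one-line DN starting with '/'")
    rdns = []
    for part in _RDN_SPLIT.split(dn)[1:]:
        if not part:
            continue
        attr, sep, value = part.partition("=")
        if not sep or not attr:
            raise ValueError("malformed RDN: %r" % part)
        rdns.append((attr, value.replace("\\/", "/")))
    return rdns


@dataclass
class RobotProxyIdentity:
    eec_subject: str        # the robot certificate's own subject (up to the Robot: CN)
    robot_cn: str
    portal_user: str        # supplied by the portal; NOT verified by the CA or VOMS
    proxy_serial: int       # trailing numeric CN of the RFC proxy
    ca_verified_user: bool  # always False: only the portal knows this user


def split_robot_proxy_subject(subject: str) -> RobotProxyIdentity:
    rdns = parse_openssl_dn(subject)
    if any(a == "CN" and v in LEGACY_PROXY_CNS for a, v in rdns):
        raise ValueError("legacy proxies are not supported; only RFC proxies")
    cn_positions = [i for i, (attr, _) in enumerate(rdns) if attr == "CN"]
    if not cn_positions or not rdns[cn_positions[0]][1].startswith("Robot:"):
        raise ValueError("not a robot certificate subject (first CN must start with 'Robot:')")
    if len(cn_positions) < 3 or not rdns[cn_positions[-1]][1].isdigit():
        raise ValueError("expected a user CN and a trailing numeric proxy CN after the Robot: CN")
    first_cn = cn_positions[0]
    eec = "".join("/%s=%s" % (a, v.replace("/", "\\/")) for a, v in rdns[: first_cn + 1])
    user_cns = [rdns[i][1] for i in cn_positions[1:-1]]
    return RobotProxyIdentity(
        eec_subject=eec,
        robot_cn=rdns[first_cn][1],
        portal_user="/".join(user_cns),
        proxy_serial=int(rdns[cn_positions[-1]][1]),
        ca_verified_user=False,
    )


def accounting_record(subject: str, portal: str) -> dict:
    """Accounting line that attributes the user to the portal that asserted it."""
    ident = split_robot_proxy_subject(subject)
    return {
        "robot": ident.robot_cn,
        "user": ident.portal_user,
        "asserted_by": portal,
        "user_verified_by_ca": ident.ca_verified_user,
        "proxy_serial": ident.proxy_serial,
    }


if __name__ == "__main__":
    print(accounting_record(SAMPLE_SUBJECT, "constructed-portal.example.org"))
```

Keeping the asserted-by field and the verified flag in the record is the practical consequence of the slide's caveat: the VO only ever authenticates the robot certificate, so any per-user accounting built on these CNs is only as trustworthy as the portal that wrote them, and a consumer should be able to tell robot-level facts from portal-level claims.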

Who is using the library?
The eTokenServer service is currently used by the following different Science Gateways:

Some usage statistics …

Get more info … ?

Summary & Conclusions
- The eTokenServer is currently used as a central service to provision robot proxy credentials to different VRCs
  - It provides a transparent and secure mechanism to access robot certificates installed on USB smart cards
  - We are available to offer the eTokenServer features as an EGI catch-all service for free
- The business logic relies on different standards: the Cryptographic Token Interface Standard (PKCS#11); the open source BouncyCastle Java libraries; the Java CoG Kits APIs; the VOMS-Admin APIs; the JAX-RS 1.2 Java APIs using the Jersey implementation
- By design the eTokenServer is compliant with the policies reported in these two documents: EUGridPMA guidelines, OperationsGuideline
- With the latest release of the eTokenServer it is now possible to account users of Robot Certificates (RFC proxies only)

Any questions, comments or remarks are very welcome. Please contact us: giuseppe.larocca@ct.infn.it salvatore.monforte@ct.infn.it diego.scardaci@ct.infn.it