P-p-pick up a Pathfinder J Jensen, STFC GridPP38, U Sussex, Apr ‘17

Overview of Overview Overview of Pathfinder GridPP’s rôle and aims in the project Moonshot in action (well, pictures of) Where we are in GridPP’s task Future directions

Overview of Pathfinder

Executive Summary A national infrastructure pilot for authentication, authorisation, and accounting RC funded (EPSRC/STFC) Partners: UCL (lead), Edinburgh, JISC, Crick, Oxford, Durham, STFC, Leeds Resources DiRAC, GridPP, ARC, N8, eMedLab,… Budget £215K, 10 months, Oct ‘16 – Aug ‘17 (or thereabouts)

Technology Moonshot SAFE SAFE-SHARE IETF standard (ABFAB-WG, RFC 7831) JISC-led “eduRoam for higher level resources” (RFC 7832) Assent is the infrastructure running Moonshot services SAFE Acct mgmt used by ARCHER & others Developed at EPCC SAFE-SHARE Elevated LoA for medical/biosci, secure networks eMedLab

A pilot AAAI across xple sites Interoperability through X.509 gateway Main Deliverables A pilot AAAI across xple sites ARC, N8, DiRAC, eMedLab Interoperability through X.509 gateway This is GridPP’s contribution (in collab with JISC) This task March-April-May 2017 Future directions

DONE! WP details 0. Proj. mgmt Id mgmt pilots SAFE deployment Assent, homeless IdP, 2-factor for eMedLab SAFE deployment Integration VO/Assent (e.g. VOMS), Assent-X.509 (GridPP) Docs & writeups Architecture, business case DONE!

DONE! WP details 0. Proj. mgmt Id mgmt pilots SAFE deployment Assent, homeless IdP, 2-factor for eMedLab SAFE deployment Integration VO/Assent (e.g. VOMS), Assent-X.509 (GridPP) Docs & writeups Architecture, business case DONE!

GridPP’s rôle and aims in the project Task 3.2: Assent->X.509 gw … with JISC Instead of aiming for a test CA… Aiming for a full IGTF-approved MICS BIRCH profile … ensure that certificates are useful! Proper alternative to going to RA for personal certs (Once it’s in production) => WLCG, ELIXIR, EUDAT, PRACE, EGI

… in action, sort of: Moonshot

Experiences Learning curve? Support for OS? Lots of pieces… JISC’s documentation is much improved Support for OS? Native Debian, CentOS We are using RHEL for Pathfinder, no problem Windows supported Mac still being worked on Lots of pieces…

Moonshot Architecture (https://wiki.moonshot.ja.net/display/Moonshot/Overview+of+Moonshot+Components)

Windows Files Windows support: Moonshot-AMD64-full-1-0-86-0.msi Putty: putty-ms-rel.exe

Still needs to know username? ssh Still needs to know username?

Web Client - Browser This is the federal (= home org) id and password but it still needs it Works without credential manager but you need to type username/password When credential manager is used, it knows the username but still prompts for password You can ask the browser to remember the password … does need to use Internet Explorer

Web Server … REMOTE_ADDR = XXX.XXX.XXX.XXX REMOTE_USER = jj47 AUTH_TYPE = Negotiate GSS_NAME=jj47 GSS_SESSION_EXPIRATION=1491420326 GSS_NAME_ATTRS_JSON={"name":"jj47","attributes":…}

RFC 6680 attributes User-Name: jj47 Moonshot-Host-TargetedId: jj47 Moonshot-Realm-TargetedId: 1d536c5a-ff4c-5dfb-8ed0-08e618c22ab9@stfc.ac.uk Moonshot-TR-COI-TargetedId 108328f4-c077-51e2-9b0c-5ecb1c2403f2@stfc.ac.uk Should also carry Pathfinder authorisation attributes Task 3.1 looked at VOMS but only integrated SAFE attributes However, attributes easy to integrate at RADIUS level (and we plan something different for VOMS…)

Where we are in GridPP’s task

People Suleman Tariq STFC’s Moonshot admin (And also sysadmin for the CA…)

GridPP, EGI, PRACE, EUDAT, GlobusConnect DB Pathfinder T3.2 STFC/Facilities Portal sshd User Reg’n portal SCARF Public Authn MyProxy Online CA HSM GridPP, EGI, PRACE, EUDAT, GlobusConnect  VOMS

Front End(s) Red outline = Moonshot authenticated Moonshot (user) authenticated Account management Public Portal/server (no authentication required) Information Links to helpdesk (links to) JISC and service AUP CRL (links to) CP and CPS AUP Acceptance Name filter IdP check Attribute check Data Processing Acceptance Certificat e Interface Acct DB Status (Re)ne w Revok e Management Interface (X.509 authenticated) Service API Forget Red outline = Moonshot authenticated Black outline = certificate authenticated

Subtasks (high level view) (There are sub-sub-tasks as well) Get new CA into IGTF Write CP/CPS for new CA (ongoing) Submit for review before Ljubljana meeting Eval MyProxy || Implement CA Configure as Moonshot service Link to existing HSM User status interface Set up Community-of-Interest (CoI) Document requirement for IdP to meet BIRCH reqs Ensure IdPs publish the req’d attributes Add trusted IdPs into CoI More GridPP involvement? – add instr. to wiki

Open Questions Can we use MyProxy as a CA or credential store (or both)? => as CA, less work req’d => as CS, all certificates are delegated Whether (and when) to rekey the CA (MUST be done to go to production) What to do about account closure (BIRCH) Could link to RCauth if meeting BIRCH level fails Nevertheless, this would be a loss Filtering acceptable IdPs (through CoI)

Probably not much need for SAFE in GridPP? Build a real CA Conclusion Prototype AAAI Probably not much need for SAFE in GridPP? Build a real CA Albeit not quite production infrastructure Whether/How to do stuff across infrastructures?

Thanks