J Jensen, STFC hepsysman, June 2017

Slides:



Advertisements
Similar presentations
Robots Jens Jensen, STFC RAL GridNet2/ UK e-Science CA /NGS/GridPP/
Advertisements

© 2009 GroundWork Open Source, Inc. PROPRIETARY INFORMATION: Information contained herein is not for use or disclosure outside of GroundWork Open Source,
Contrail and Federated Identity Management
WebFTS as a first WLCG/HEP FIM pilot
Federated A(A(A))I Jens Jensen hepsysman, RAL,
CA Stuff Jens Jensen Dave Meredith John Kewley GridPP31, Imperial, London Sept
Tweaking the Certificate Lifecycle for the UK eScience CA John Kewley NGS Support Centre Manager & Service Manager for the UK e-Science CA
OSG PKI Grid Admin (GA) Training Mine Altunay, Jim Basney OSG PKI Team October 8, 2012.
TNC2004 Rhodes 1 Authentication and access control in Sympa mailing list manager Serge Aumont & Olivier Salaün May 2004.
Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.
Networks ∙ Services ∙ People David Groep TCS TNC2015 Workshop TCS SAML demo background June 16, 2015 TCS PMA.
Evolution of the Open Science Grid Authentication Model Kevin Hill Fermilab OSG Security Team.
HEPSYSMAN UCL, 26 Nov 2002Jens G Jensen, CLRC/RAL UK e-Science Certification Authority Status and Deployment.
CertWizard: a New Certificate Tool for the UK NGI User Community John Kewley ( ), Jens Jensen, David Meredith and Akay Okcun 16/11/20151EGI.
Connect. Communicate. Collaborate AAI scenario: How AutoBAHN system will use the eduGAIN federation for Authentication and Authorization Simon Muyal,
Summary of AAAA Information David Kelsey Infrastructure Policy Group, Singapore, 15 Sep 2008.
Shibboleth & Grid Integration STFC and University of Oxford (and University of Manchester)
Federated Identity Management for HEP David Kelsey HEPiX, IHEP Beijing 18 Oct 2012.
WLCG Authentication & Authorisation LHCOPN/LHCONE Rome, 29 April 2014 David Kelsey STFC/RAL.
EUDAT receives funding from the European Union's Horizon 2020 programme - DG CONNECT e-Infrastructures. Contract No B2ACCESS LSDMA.
EMI is partially funded by the European Commission under Grant Agreement RI Federated Grid Access Using EMI STS Henri Mikkonen Helsinki Institute.
12-Jun-03D.P.Kelsey, CA meeting1 CA meeting Minimum Requirements CERN, 12 June 2003 David Kelsey CCLRC/RAL, UK
A New UK CA Portal David Meredith Jens Jensen John Kewley.
European Grid Initiative AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager
EMI is partially funded by the European Commission under Grant Agreement RI Argus Policies Tutorial Valery Tschopp (SWITCH) – Argus Product Team.
OSG Security: Updates on OSG CA & Federated Identities Mine Altunay, PhD OSG Security Team OSG AHM March 24, 2015.
Non Web-based Identity Federations - Moonshot Daniel Kouril, Michal Prochazka, Marcel Poul ISGC 2015.
News from EUGridPMA EGI OMB, 22 Jan 2013 David Kelsey (STFC) Using notes from David Groep 22/01/20131EUGridPMA News.
Authentication and Authorisation for Research and Collaboration Taipei - Taiwan Mechanisms of Interfederation 13th March 2016 Alessandra.
Soapbox (S-Series) Certificate Validation Jens Jensen, STFC.
WLCG Update Hannah Short, CERN Computer Security.
Gridpp37 – 31/08/2016 George Ryall David Meredith
Jens Jensen EU Grid PMA, Berlin Jan 2015
Training Demo: DuPont Vendor Clients December 2016
Soapbox of Random Stuff
CollegeSource Security Application &
EGI Updates Check-in Matthew Viljoen – EGI Foundation
Single Sign-On Led by Terrice McClain, Jen Paulin, & Leighton Wingerd
P-p-pick up a Pathfinder
Federation made simple
Grid Security.
EDC Process Proposal Brian Brandaw Manager of IT Common Platforms
HMA Identity Management Status
UK e-Science CA Update J Jensen, STFC 31 Jan 2017.
AAAI Pathfinder J Jensen, STFC 031 Oct,
Identity Management and Authorization
Jens Jensen, STFC Sep EUGridPMA Manchester
Tweaking the Certificate Lifecycle for the UK eScience CA
Organized by governmental sector (National Institute of information )
Jens Jensen, STFC 15 Sep GridPP39, Lancaster
Identity Management and Authorization
Update on EDG Security (VOMS)
Dynamic DNS support for EGI Federated cloud
ESA Single Sign On (SSO) and Federated Identity Management
Thursday pilot session: 7-minutes
Grid Security M. Jouvin / C. Loomis (LAL-Orsay)
Pilots in AARC Arnout Terpstra (AARC2) / Paul van Dijk (AARC1)
AARC Blueprint Architecture and Pilots
EUGridPMA Status and Current Trends and some IGTF topics March 2018 APGridPMA ISGC Meeting David Groep, Nikhef & EUGridPMA.
UK e-Science CA and JCS Migration Status
The Case for HLCA Revisited
AuthN Middleware Requests
X-Road as a Platform to Exchange MyData
A Programmer’s Guide to Secure Connections
Community AAI with Check-In
Windows Active Directory Environment
Tyler Technologies presents: What you need to know about upcoming changes to your New World ERP technical environment in Mike Adnson | Launch Manager,
Authentication and Authorisation for Research and Collaboration
Tyler Technologies presents: What you need to know about upcoming changes to your New World ERP technical environment in Scott Alan Miller MCP,
Check-in Identity and Access Management solution that makes it easy to secure access to services and resources.
Presentation transcript:

J Jensen, STFC hepsysman, June 2017 Identity Management J Jensen, STFC hepsysman, June 2017

Contents Background – federated identity management Certificates (hosts, in particular) Pathfinder RCauth Future

Fed. IdM SSO: single account, used everywhere Single login: only need to log in once Federated identity: identity comes from home IdP E.g. UK Access Management Federation, eduroam, eduGAIN “superfederation”, Assent AARC project “blueprint architecture” Login is typically via portal but there is (some) tech for CLI

Host Certificates Brian: - you are all individuals! Crowd (in unison) - we are all individuals! Lone voice: - I’m not! Certificates are issued to a private key The private must not be shared … but the

A certificate contains: Multiple SANs A certificate contains: A subject name (which names the subject) The DN For hosts, the CN is the hostname Subject alternative name(s) – hereinafter “SAN” – which also name the subject E.g. email address(es) Host name(es) IP address(es)

Host Naming Example: host.example.com. has alias foo.example.com. The client accesses foo.example.com. The certificate is (usually) issued to the alias RFC 2818, section 3.1 (server identity): Client MUST check hostname (in URL) against server identity (in cert) Globus (till recently) didn’t need this because it resolved the names through DNS However, that is a security risk since DNS could be tampered with foo.example.com host.example.com … so the certificate MUST be issued to the alias…

Naming Hosts One “server” spread across multiple hosts Client calls – and sees only – foo.example.com Each host has an individual CNAME The certificate is issued to the CNAMEs because they are all individuals (Instead of getting a cert for foo.example.com. and copying it to all) (or 3 certs for foo.example.com. which is slightly less bad but still bad) foo.example.com foo.example.com foo.example.com host1.example.com host2.example.com host3.example.com

Naming Hosts Multiple servers on a single host A single host fronts multiple hosts Certificate is typically issued to the CNAME foo.example.com bar.example.com fred.example.com host.example.com Example: srm-gen.gridpp.rl.ac.uk.

Naming Hosts Multiple servers on a single host A single host fronts multiple hosts Certificate is issued with wildcard Matches {foo,bar,fred}.example.com. But also mail.example.com. Should be used with some caution (if at all) *.example.com host.example.com

Client MAY perform its own non-std check If not, client extracts SANs Back to RFC 2818 Client MAY perform its own non-std check E.g. check the server’s key If not, client extracts SANs Checks if one matches the requested hostname or IP address Iff there are no SANs, client checks CN If no alternative names are present

Supporting Multiple SANs (in Host Certs) Currently: A 500 line Perl script (lots of error checking) Which “edits” the request Must be run by CA operator Before the certificate is signed, ideally Status Error prone: both CA op and requester must coordinate RA op may not see alternative names

Supporting Multiple SANs (in Host Certs) Requester adds requested SANs to request See GridPP Wiki for instructions Must have the name in CN (typically CNAME) also in SAN (conventionally the first SAN) Have to use PeCR to submit – JK working on this Must use PKCS#10 RA op sees extra SANs and approves them …hopefully Signing system honours extra SANs? You can put anything in a request But by default almost everything is ignored!

Signing Multi-SAN Requests Introduces extra risk Typically, someone sneaking in a dodgy name Or applies for something bad in good(ish) faith Implementation Extracted and checked, and added to cert Instead of the ‘copy’ and ‘copyall’ semantics of openssl ca Help to introduce rules…? Maybe restrict to “trusted” admins (by DN) – would only work for new reqs. No bulk…? Wildcards need checking (e.g. *.example.com) Restricting domains (by admin)

Renewing Multi-SAN certs (Even) less mature Not much time/effort to develop CA Needs to copy stuff over from previous Some exploratory work in this area but less mature Some times changes are need (= CCRs) (Certificate Change Request) With PeCR it may be just as easy to apply for new?

Further Reading RFC 2818 RFC 5280 GFD.225 http://www.rfc-editor.org/rfc/rfc2818.txt RFC 5280 http://www.rfc-editor.org/rfc/rfc5280.txt GFD.225 http://www.ogf.org/documents/GFD.225.pdf

Pathfinder MICS Rcauth IOTA Federated access to certificates Pathfinder MICS Rcauth IOTA

GridPP, EGI, PRACE, EUDAT, GlobusConnect DB Pathfinder T3.2 STFC/Facilities Portal sshd User Reg’n portal SCARF Public Authn MyProxy Online CA HSM GridPP, EGI, PRACE, EUDAT, GlobusConnect  VOMS

Front End(s) Red outline = Moonshot authenticated Moonshot (user) authenticated Account management Public Portal/server (no authentication required) Information Links to helpdesk (links to) JISC and service AUP CRL (links to) CP and CPS AUP Acceptance Name filter IdP check Attribute check Data Processing Acceptance Certificat e Interface Acct DB Status (Re)ne w Revok e Management Interface (X.509 authenticated) Service API Forget Red outline = Moonshot authenticated Black outline = certificate authenticated

CA set up by NIKHEF as an AARC pilot activity RCauth CA set up by NIKHEF as an AARC pilot activity Allows selected IdPs to get certs à la SARoNGS Will be run by EGI and EUDAT in EINFRA-12 The EUDAT one run by STFC, EGI by GRNET IOTA profile: OK for WLCG… Pathfinder will be MICS (hopefully)

Thanks

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.