Jens Jensen, STFC 15 Sep GridPP39, Lancaster

Slides:

Advertisements

Similar presentations

Jens G Jensen CCLRC e-Science Single Sign-on to the Grid Federated Access and Integrated Identity Management.

Advertisements

Federated Access to Grids Daniel Kouřil, Sam Hartman, Josh Hewlet, Jens Jensen, Michal Procházka EGI User Forum 2011.

Implementing Federated Security with ConSec Jens Jensen, STFC OGF40, Oxford, 16 Jan 2014.

Contrail and Federated Identity Management

EUDAT FIM4R at TNC 2014 Jens Jensen, STFC, on behalf of EUDAT AAI task force.

Federated A(A(A))I Jens Jensen hepsysman, RAL,

CA Stuff Jens Jensen Dave Meredith John Kewley GridPP31, Imperial, London Sept

Here Come the Feds Federated identity management: the consumer’s perspective Jens Jensen, STFC On behalf of EUDAT AAI TF EGI CF Manchester April 2013.

Tweaking the Certificate Lifecycle for the UK eScience CA John Kewley NGS Support Centre Manager & Service Manager for the UK e-Science CA

Evolution of the Open Science Grid Authentication Model Kevin Hill Fermilab OSG Security Team.

ShibGrid: Shibboleth access to the UK National Grid Service University of Oxford and STFC.

Jens G Jensen CCLRC e-Science Single Sign-on at RAL (and DLS too) Authentication and Integrated Identity Management hepsysman Cambridge, 23 Oct 2006.

Browser User Certificate Mail Box VOMS-Admin Host Tomcat TR1) Users Trusts “VOMS-Admin” server identity. step1 TR2) User Trusts data (Data1, HTML response)

HEPSYSMAN UCL, 26 Nov 2002Jens G Jensen, CLRC/RAL UK e-Science Certification Authority Status and Deployment.

CertWizard: a New Certificate Tool for the UK NGI User Community John Kewley ( ), Jens Jensen, David Meredith and Akay Okcun 16/11/20151EGI.

Jens G Jensen CCLRC e-Science Single Sign-on to the Grid Authentication and Integrated Identity Management HEPiX, CASPUR, Rome 3-7 April 2006.

Oxford University e-Science Centre 1 Managing Access 4 Dec Managing Access to Resources on the Grid 4 December 2002.

Summary of AAAA Information David Kelsey Infrastructure Policy Group, Singapore, 15 Sep 2008.

Shibboleth & Grid Integration STFC and University of Oxford (and University of Manchester)

AAI Developments AAI for e-infrastructures UK T0 workshop, Milton Hill Park October 2015

Security Policy Update WLCG GDB CERN, 14 May 2008 David Kelsey STFC/RAL

Grid Security and Identity Management Mine Altunay Security Officer, Open Science Grid, Fermilab.

WLCG Authentication & Authorisation LHCOPN/LHCONE Rome, 29 April 2014 David Kelsey STFC/RAL.

EUDAT receives funding from the European Union's Horizon 2020 programme - DG CONNECT e-Infrastructures. Contract No B2ACCESS LSDMA.

A New UK CA Portal David Meredith Jens Jensen John Kewley.

Gilda certificates. Certification Authority

OSG Security: Updates on OSG CA & Federated Identities Mine Altunay, PhD OSG Security Team OSG AHM March 24, 2015.

Academia Sinica Grid Computing Certification Authority F2F interview (Malaysia )

UK e-Science Certification Authority Self Audit Jens Jensen EUGridPMA meeting, Berlin.

Jens' obligatory soap box Can't be a PMA without a SoapBox A random collection of Soapy things Nicosia, Jan 2009.

News from EUGridPMA EGI OMB, 22 Jan 2013 David Kelsey (STFC) Using notes from David Groep 22/01/20131EUGridPMA News.

New ARIN Online Features Andy Newton, Chief Engineer.

Seifenkasten Jens Jensen Berlin PMA, Jan Jens Jensen, STFC/RAL CA processes – overview Key generation and storage (qv) Receiving requests (CSR,

Soapbox (S-Series) Certificate Validation Jens Jensen, STFC.

Federated Access to Storage EGI CF 2012 Luke Howard, Daniel Kouril, Michal Prochazka.

PRACE user authentication and vetting Vincent RIBAILLIER, 29 th EUGridPMA meeting, Bucharest, September 9 th, 2013.

ELIXIR AAI Michal Procházka, Mikael Linden, EGI VC 15 March 2016.

PKGrid CA Self-Audit 2012 Adeel-ur-Rehman Mansoor Sheikh.

WLCG Update Hannah Short, CERN Computer Security.

Gridpp37 – 31/08/2016 George Ryall David Meredith

Jens Jensen EU Grid PMA, Berlin Jan 2015

Soapbox of Random Stuff

EGI Updates Check-in Matthew Viljoen – EGI Foundation

P-p-pick up a Pathfinder

AARC Update What’s been happening in AARC which matters for GÉANT

J Jensen, STFC hepsysman, June 2017

UK e-Science CA Update J Jensen, STFC 31 Jan 2017.

AAAI Pathfinder J Jensen, STFC 031 Oct,

Jean-François Perrin (ILL) - Umbrella Annual Meeting 2015

Christos Kanellopoulos

Jens Jensen, STFC Sep EUGridPMA Manchester

NAREGI-CA Development of NAREGI-CA NAREGI-CA Software CP/CPS Audit

CheckIn: the AAI platform for EGI

AAI Alignment Nicolas Liampotis (based on the work of Mikael Linden)

& TAGPMA Twiki &

Tweaking the Certificate Lifecycle for the UK eScience CA

Identity Management and Authorization

Update on EDG Security (VOMS)

ESA Single Sign On (SSO) and Federated Identity Management

Thursday pilot session: 7-minutes

Grid Security M. Jouvin / C. Loomis (LAL-Orsay)

Pilots in AARC Arnout Terpstra (AARC2) / Paul van Dijk (AARC1)

AARC Blueprint Architecture and Pilots

UK e-Science CA and JCS Migration Status

Guest Identities – Milan workshop goals

David Kelsey (STFC-RAL)

Community AAI with Check-In

AAI in EGI Status and Evolution

Bill Yau HKU Grid Certificate Authority (HKU Grid CA) Self Audit & Status Report Bill Yau

Check-in Identity and Access Management solution that makes it easy to secure access to services and resources.

Presentation transcript:

Jens Jensen, STFC 15 Sep. 2017 GridPP39, Lancaster Certificate Stuff Jens Jensen, STFC 15 Sep. 2017 GridPP39, Lancaster

Contents AAAI Pathfinder Multiple SANs More bkg information in presentation to dteam (Also attached to agenda) Multiple SANs More information in talk at hepsysman https://indico.cern.ch/event/592622/

AAAI Pathfinder GridPP VOMS DiRAC, ARCHER X.509 SAFE ssh IdP

AAAI Pathfinder GridPP PRACE EGI, EUDAT, Indigo DC X.509 IdP

GridPP, EGI, PRACE, EUDAT, GlobusConnect(?) DB Pathfinder T3.2 STFC/Facilities Portal sshd User Reg’n portal SCARF Public Authn MyProxy Online CA HSM GridPP, EGI, PRACE, EUDAT, GlobusConnect(?) VOMS

(links to) JISC and service AUP CRL (links to) CP and CPS Moonshot (user) authenticated Account management Public Portal/server (no authentication required) Information Links to helpdesk (links to) JISC and service AUP CRL (links to) CP and CPS AUP Acceptance Name filter IdP check Attribute check Data Processing Acceptance Certificate Interface Acct DB Status (Re)new Revoke Management Interface (X.509 authenticated) Service API Forget

GridPP’s participation Work with Suleman Tariq CA portal (user interface) If you have an IdP in Assent, you can authenticate to https://pathfinder.stfc.ac.uk/moonshot/userreq.pl Not finished yet You can’t get a certificate (yet) Chose not to use the CTS code No VOMS in interface; expecting attrs from Moonshot

Visiony Stuff Single identity provided by home org. Or a “homeless” org. Access to both web and non-web resources Chicken and egg takeup: More resources make having an IdP more attractive Use Pathfinder to provide resources

Technical Points Moonshot requires client side libs (mech_eap.so) X.509 certificates require higher LoA Aiming for BIRCH Need for IdP to communicate “loss of traceability” Infrastructure managed private keys Should improve usability

(Main) Risks (There is a proper risk register…) Not enough IdPs… Of a sufficient LoA (IGTF BIRCH) Need to sign a contract! (little assurance in Assent itself) IdP cannot notify on loss of traceability IGTF accreditation delayed Users still manage certs through browser!

Support for added extra supplementary additional Subject alt names

Now supported via PeCR cli mode uses --san to request extra SANs Bulk mode uses extra lines in cnfiles Comma separated (no spaces) Need a recent version of PeCR, see www.ngs.ac.uk

Still a few niggles Need to pre-authorise all SANs By submitter DN Through RA (Because RA will not necessarily see the SANs during approval) Only works for NEW host requests Otherwise submitter DN is not present Need to fiddle old requests cnfiles need single names to download fixed!

Additional Credits PeCR – Robert Frank Testing – John Kewley

More information on both Pathfinder and Multi-SAN: dteam