UK e-Science CA and JCS Migration Status

Presentation transcript:

UK e-Science CA and JCS Migration Status Jens Jensen, John Kewley EUGridPMA May 2015 København

Community
- “UK e-Science”
- GridPP
- …?

UK eScience Status 29/12/2018

Staff (alphabetically)
- Jens Jensen – CA manager, signing code, packaging scripts
- David Kelsey – representing CA with PMAs
- John Kewley – user support, packaging scripts
- David Meredith – code for caportal and CW
- Suleman Tariq – sysadmin and DR

Current Status
- Currently continuing as before
- ~1700 valid distinct host certs
- ~800 valid distinct user certs
- ~10 distinct robots
- Total issuance >37000
- Still adding RAs
  - 200 distinct operators in database
- Still working with JANET on migration opportunities
  - More on this in a later slide
- Improving stuff
  - CertWizard
  - CAPortal
- New CP has taken effect
- Tidying extensions

Renewals
- Old stuff still around
  - Some SHA1s still alive, sign as SHA2 upon renewal
  - Even a few Netscape extensions, removed upon renewal
  - Likewise email-in-DN, ancient and deprecated
- Disaster Recovery
  - Improved DR for Root (ROBAB)
  - Improved DR for SARoNGS
  - Already good DR for 2B (semi-online, warm spare)
- Future directions
  - Likely to retire 2A (online) now
  - Reimplement HSM?
  - JCS migration

Risks
- Not much effort
  - Development, support, proactive stuff
  - After the closure of NGS
  - Trying to understand user communities (other than GridPP)
- Ageing HSMs
  - No in-plan recovery, must rebuild
  - Considered “small” HSMs
  - Some funding made available by STFC – but need to consider future
- Self audit

Original UK eScience Certificate Hierarchy

[Hierarchy diagram; labels as extracted: Dev CA* Training CA Root 2007 CA CA 2A (online) CA 2B (offline) SLCS Toplevel SARoNGS Climate CAs]

RIGroup Meeting 29/12/2018

Changes in the pipeline
- Service certificate support (generally deprecated)
- Turn off OpenCA i/f
- Downloads of CRLs on ca.grid-support.ac.uk ~ 5200/day
- New PeCR scripts + maybe CertWizard CLI
- SHA-2 (done)
- Requires a port of CertWizard to jGlobus2
- IPv6
- Our CRLs should probably be made available to test
- Key-pair generation – inline in caportal
- Tweak certificate format for new Grid Certificate Profile (done)

When can we turn off OpenCA?

Previous OpenCA Interfaces:
1. ca.grid-support.ac.uk: for Users
2. ca-ra.grid-support.ac.uk/ra: for RA Operators
3. ca-ra.grid-support.ac.uk/node: for CA Operators

- 1 and 2 replaced with caportal, 1 with CW
- Lots of downloads of CRLs from ca.grid-support.ac.uk (5200/d)
- “New” CDPs advertised for years – since 1.32 or so!?

JCS Migration
- Aim is to migrate if possible
- Interfacing to CA
  - Interface to QV for certificate issuance
  - Keep caportal and CW running, interfacing to QV?
  - Ke
- Identity management options – interim/future
  - Keep existing RA network and identities (but DNs will change?)
  - Use UKAMF (needs extra attributes – REFEDS)
  - Use JISC Assent
- Migration
  - Change DNs!?
  - Continuing support for robots, services?