MyProxy Integration with PubCookie

Slides:



Advertisements
Similar presentations
GridWorld 2006 Use of MyProxy for the FusionGrid Mary Thompson Monte Goode GridWorld 2006.
Advertisements

National Center for Supercomputing Applications MyProxy and NVO or Web SSO for Grid Portals GlobusWorld 2006 Washington, DC, USA September 12, 2006 Mike.
MyProxy Jim Basney Senior Research Scientist NCSA
Single Sign-On with GRID Certificates Ernest Artiaga (CERN – IT) GridPP 7 th Collaboration Meeting July 2003 July 2003.
Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun Ionut Constandache Daniel Olmedilla.
MyProxy: A Multi-Purpose Grid Authentication Service
Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.
Lecture 2: Security Rachana Ananthakrishnan Argonne National Lab.
Grid Security. Typical Grid Scenario Users Resources.
National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.
GGF15 Workshop MyProxy Integration with PubCookie Marty Humphrey*, Jim Jokl*, and Jim Basney** *Department of Computer Science, University of Virginia,
National Center for Supercomputing Applications University of Illinois at Urbana-Champaign This material is based upon work supported by the National Science.
Single Sign-On for Java Web Start Applications Using MyProxy Terry Fleury, Jim Basney, and Von Welch November 3, 2006.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
CUWebAuth Technical Presentation Pete Bosanko Identity Management Team.
Esri UC2013. Technical Workshop. Technical Workshop 2013 Esri International User Conference July 8–12, 2013 | San Diego, California Building Secure Applications.
TeraGrid ’06 National Center for Supercomputing Applications Managing Credentials on the TeraGrid with MyProxy Jim Basney.
OPeNDAP Hyrax Back-End Server (BES) Authentication and Authorization Patrick West
Session 11: Security with ASP.NET
Riccardo Bruno INFN.CT Sevilla, Sep 2007 The GENIUS Grid portal.
TeraGrid Science Gateways: Scaling TeraGrid Access Aaron Shelmire¹, Jim Basney², Jim Marsteller¹, Von Welch²,
USCGrid A (Very Quick) Introduction To PubCookie
1.The portal sends, under the user approval, user’s attribute retrieved from IDP to CA bridge 2.CA bridge module requests to a CA-online a certificate.
© FPT SOFTWARE – TRAINING MATERIAL – Internal use 04e-BM/NS/HDCV/FSOFT v2/3 Securing a Microsoft ASP.NET Web Application.
ArcGIS Server and Portal for ArcGIS An Introduction to Security
SSL, Single Sign On, and External Authentication Presented By Jeff Kelley April 12, 2005.
Managing Credentials with MyProxy Jim Basney National Center for Supercomputing Applications University of Illinois
National Computational Science National Center for Supercomputing Applications National Computational Science NCSA-IPG Collaboration Projects Overview.
Using NMI Components in MGRID: A Campus Grid Infrastructure Andy Adamson Center for Information Technology Integration University of Michigan, USA.
Module 11: Securing a Microsoft ASP.NET Web Application.
An OGSI CredentialManager Service Jim Basney, Shiva Shankar Chetan, Feng Qin, Sumin Song, Xiao Tu National Center for Supercomputing Applications, University.
NA-MIC National Alliance for Medical Image Computing UCSD: Engineering Core 2 Portal and Grid Infrastructure.
Single Sign-On in the Danish Educational Sector Per Thorboll Deputy director UNI-C.
GRIDS Center Middleware Overview Sandra Redman Information Technology and Systems Center and Information Technology Research Center National Space Science.
Campus Experience: Pubcookie University of Alabama at Birmingham Academic Computing Zach Garner.
National Computational Science National Center for Supercomputing Applications National Computational Science GSI Online Credential Retrieval Requirements.
Leveraging the InCommon Federation to access the NSF TeraGrid Jim Basney Senior Research Scientist National Center for Supercomputing Applications University.
Your friend, Bluestem. What is Bluestem? “Bluestem is a software system which enables one or more high-security SSL HTTP servers in a domain (entrusted.
Need for Security Control access to servicesControl access to services Ensure confidentialityEnsure confidentiality Guard against attacksGuard against.
National Computational Science National Center for Supercomputing Applications National Computational Science Integration of the MyProxy Online Credential.
Office of Science U.S. Department of Energy Grid Security at NERSC/LBL Presented by Steve Chan Network, Security and Servers
1 Grid School Module 4: Grid Security. 2 Typical Grid Scenario Users Resources.
Beavercreek High School BYOD Student Training: Wi-Fi Login and Authentication Portal.
Introduction to the PKI Issues at UW Madison Presented to ITC on Friday, 3/18/2005 Tom Jordan Systems Engineer,
CERN IT Department CH-1211 Genève 23 Switzerland t Single Sign On, Identity and Access management at CERN Alex Lossent Emmanuel Ormancey,
Antonio Fuentes RedIRIS Barcelona, 15 Abril 2008 The GENIUS Grid portal.
Your IT Support Partner
Open OnDemand: Open Source General Purpose HPC Portal
Von Welch Emerging NCSA Security R&D NSF CyberSecurity Summit September 28th, 2004 Von Welch
Authentication, Authorisation and Security
Grid Security.
CAS and Web Single Sign-on at UConn
Grid accounting system
Security for Open Science
MyProxy and NVO or Web SSO for Grid Portals
MIS Professor Sandvig MIS 324 Professor Sandvig
Kerberos.
Grid School Module 4: Grid Security
Open Source Web Initial Sign-On Packages
OGCE Portal Applications for Grid Computing
Central Authentication Service
TeraGrid 08 Tom Scavo, Jim Basney , Terry Fleury, Von Welch
Federated Environments and Incident Response: The Worst of Both Worlds
Use of MyProxy for the FusionGrid
A Grid Authorization Model for Science Gateways
Management Application for all segments
Key Distribution Reference: Pfleeger, Charles P., Security in Computing, 2nd Edition, Prentice Hall, /18/2019 Ref: Pfleeger96, Ch.4.
JAAS AuthN Tokens in uPortal and Beyond
TeraGrid Identity Federation Testbed Update I2MM April 25, 2007
Getting Started With LastPass Enterprise
Presentation transcript:

MyProxy Integration with PubCookie Marty Humphrey*, Jim Jokl*, and Jim Basney** *Department of Computer Science, University of Virginia, Charlottesville, VA **NCSA/University of Illinois, Urbana-Champaign, IL Supported by: NSF Next Generation Software (NSF NGS), NSF Middleware Initiative (NMI), San Diego Supercomputing Center

The Challenge I have a dream… [Security] Problem: Opportunistically expand campus researchers’ local resources to “The Grid” [Security] Problem: Relatively little of campus is PKI-enabled Grid is (largely) PKI (GSI) Goal: Leverage existing site (campus) authentication infrastructure Approach: integrate PubCookie and MyProxy

PubCookie

Your IIS or Apache Web Server PubCookie in Action (1) Your IIS or Apache Web Server PC Pubcookie Apache Module or ISAPI Filter End-User Campus Login Server From Tom Jordon, UW-Madison

Your IIS or Apache Web Server PubCookie in Action (2) Your IIS or Apache Web Server PC Pubcookie Apache Module or ISAPI Filter Authenticated to Central Login Server? -- Nope End-User Campus Login Server From Tom Jordon, UW-Madison

Your IIS or Apache Web Server PubCookie in Action (3) Your IIS or Apache Web Server PC Pubcookie Apache Module or ISAPI Filter End-User Login Redirect Campus Login Server Logged In From Tom Jordon, UW-Madison

Your IIS or Apache Web Server PubCookie in Action (4) Your IIS or Apache Web Server PC Pubcookie Apache Module or ISAPI Filter Authenticated to Central Login Server? -- Yep Access Allowed End-User Redirect Campus Login Server Logged In From Tom Jordon, UW-Madison

Your IIS or Apache Web Server Another IIS or Apache Web Server PubCookie in Action (5) Your IIS or Apache Web Server PC Pubcookie Apache Module or ISAPI Filter Authenticated to Central Login Server? -- Yep Access Allowed Another IIS or Apache Web Server PC Pubcookie Apache Module or ISAPI Filter End-User Campus Login Server Logged In From Tom Jordon, UW-Madison

PubCookie/MyProxy Integration Campus Authentication Server 5 Pubcookie Login Server 4 MyProxy Server 9 (SSL) 3 Pubcookie-enabled Application Server 6 2 8 (SSL) 1 10 Grid request 7 11 Browser 12

Technical Details 3 main cookies involved in PubCookie (http://www.pubcookie.org/docs/how-pubcookie-works.html) Granting cookie: “contains the authenticated username and some other items” Granting cookie is signed by PubCookie login server and encrypted in symmetric key shared between app server and PubCookie login server Login cookie: “scoped to the login server and will be used on any subsequent visits by the user to the login server” Opaque to the client – only login server can decrypt Session cookie: scoped to app server Problem: granting cookie does not persist

Software Development No mods to the MyProxy Client Upload creds via normal mechanism Presents the granting cookie in the “password” field Mods to MyProxy server to be able to decrypt and verify signature on pubcookie Mods to portal (uPortal) to keep the granting cookie Issue: JSR 168 does not deal well with cookies Note: we cannot use the granting cookie as the password directly

Cleartext in MyProxy Server? Yes, in this instantiation We are not unique in this regard Alternative: Use the granting cookie as the basis to generate/retrieve user-specific [large] passphrase, like so….

PubCookie/MyProxy Integration Campus Authentication Server Password server 5 Pubcookie Login Server 4 8 9 MyProxy Server 11 (SSL) 3 Pubcookie-enabled Application Server 6 2 10 (SSL) 1 12 Grid request 7 13 Browser 12

Summary Integration of PubCookie with MyProxy reduces the number of passphrases Currently pushing mods to OGCE2 and MyProxy CVS Future What about Shibboleth?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.