USCGrid: KX.509 & Enterprise Security
Shelley Henderson, Project Manager, Grid Software, USC Information Services

Copyright Shelley Henderson. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

November 2003 NMI Integration Workshop - KX.509

USCGrid: KX.509 & Enterprise Security

- KX.509 as an alternative
- Specific experience with KX.509 at USC
- KX.509 & Campus Certificate Policies

KX.509 as an alternative

Q: What if your enterprise already has a non-PKI authentication mechanism in place? Can an existing security mechanism be leveraged to get the user population on the grid? Or does an entire parallel PKI mechanism need to be created?

A: If your existing enterprise authentication mechanism is Kerberos, the answer is KX.509. KX.509 allows you to authenticate to Kerberos, then create a proxy certificate based on your Kerberos credential. Suddenly, everyone with a Kerberos credential is grid-enabled.

A: If your existing enterprise authentication mechanism is not Kerberos, the answer may be a proposed follow-up to KX.509, a general credential converter.

Q: What about server certificates? Can I use Kerberos to create those?

A: Kerberos does not affect server certificates. They must still be generated or acquired the ‘old-fashioned way’ – for instance, by purchasing one through Verisign.

Specific experience with KX.509 at USC

Q: What does USC’s KX.509 setup look like?

A: USCGrid is comprised of a Beowulf cluster (more on that in a minute), a Sunfire 15k called almaak.usc.edu, and a recently-upgraded Condor pool made up of 110 Unix workstations in a public user room.

Kerberos and KX.509 are directly available through an NFS-mounted file system, /usr/usc, to anyone with a Solaris or Linux workstation. Those with PCs or Macs must ssh to a Unix timesharing system, such as almaak.

The KCA runs on hpc-master.usc.edu, the head node for our gajillion-node Beowulf cluster.

Q: To use locally-controlled grid resources, a user must be added to the grid mapfile. KX.509 users don’t have a public certificate. How can they be added to a grid mapfile?

A: We have a fairly simple-minded method currently for users to follow to request that they be added to the USCGrid mapfile. Each user must send a message containing a copy of his or her kx509 certificate to the USCGrid administrator.

Example:

    almaak.usc.edu(23): source /usr/usc/nmi/default/setup.csh
    almaak.usc.edu(24): kinit
    Password for
    almaak.usc.edu(25): kx509
    almaak.usc.edu(26): kxlist -p
    Service kx509/certificate
    issuer= /C=US/ST=California/L=Los Angeles/O=University of Southern California/CN=usc.edu
    subject= /C=US/ST=California/L=Los Angeles/O=University of Southern California
    serial=A8 hash=e
    almaak.usc.edu(27): grid-proxy-info | \
        mail -s "add me to grid mapfile" \

The Unix sysadmin can then add an entry to the grid mapfile using the information from grid-proxy-info:

    "/C=US/ST=California/L=Los Angeles/O=University of Southern California/OU=usc.edu/CN=shelley" shelley
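The mapfile step above, as an added example that is not part of the presentation or of the KX.509/Globus software: a small Python resolver that parses the "DN" local_user grid-mapfile format shown on the slide and strips the proxy CN components from a proxy subject before lookup, so a KX.509-derived proxy maps back to the entry the administrator added for the user's certificate. The proxy naming convention (/CN=proxy, /CN=limited proxy, numeric CN for RFC 3820 proxies) is assumed from GSI and is not stated on the slide; the second mapfile entry and the comment line are constructed sample data.

```python
import re
import shlex
from typing import Dict, List, Optional

# Constructed sample grid-mapfile in the "DN" local_user[,local_user] format
# from the slide.  The first DN is the one shown in the presentation; the
# second entry and the comment line are constructed for this example.
SAMPLE_MAPFILE = '''
# grid-mapfile: "subject DN" local_user[,local_user...]
"/C=US/ST=California/L=Los Angeles/O=University of Southern California/OU=usc.edu/CN=shelley" shelley
"/C=US/ST=California/L=Los Angeles/O=University of Southern California/OU=usc.edu/CN=jdoe" jdoe,grid
'''

# GSI convention (assumed here, not stated on the slide): a legacy proxy appends
# /CN=proxy or /CN=limited proxy to the signer's subject, and an RFC 3820 proxy
# appends /CN=<decimal number>.  Stripping these recovers the identity DN that
# the administrator put in the mapfile (what grid-proxy-info calls the identity).
_PROXY_CN = re.compile(r'/CN=(proxy|limited proxy|[0-9]+)$')


def proxy_identity(subject: str) -> str:
    """Strip trailing proxy CN components, including chained proxies."""
    while True:
        stripped = _PROXY_CN.sub('', subject)
        if stripped == subject:
            return subject
        subject = stripped


def parse_grid_mapfile(text: str) -> Dict[str, List[str]]:
    """Parse grid-mapfile text into {identity DN: [local users]}."""
    mapping: Dict[str, List[str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        # shlex honours the quotes around a DN containing spaces ("Los Angeles").
        fields = shlex.split(line)
        if len(fields) != 2 or not fields[0].startswith('/'):
            raise ValueError(f'grid-mapfile line {lineno}: malformed entry {raw!r}')
        dn, users = fields
        mapping[dn] = users.split(',')
    return mapping


def map_to_local_user(proxy_subject: str, mapfile_text: str) -> Optional[str]:
    """Return the first local account mapped to a proxy's identity, or None.

    None is the expected result for a KX.509 user who has not yet sent the
    administrator a copy of the certificate, as the slide's procedure requires.
    """
    users = parse_grid_mapfile(mapfile_text).get(proxy_identity(proxy_subject))
    return users[0] if users else None
```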

Q: How hard is it to install and maintain KX.509?

A: KX.509 is my favorite NMI component. You install it, no problem. Then it runs. Really.

KX.509 & Campus Certificate Policies

Q: What about certificate policies? Do I still have to implement certificate policies if we use KX.509?

A: KX.509 doesn’t buy you out of dealing with certificate policies. In a small way, it’s harder to cross-certify because you’re ‘different’. We’re working on this with ‘the security community’ – stay tuned.

Disclaimer

I would like to thank everyone involved in the USC NMI effort, and disclaim any credit for all the good stuff that’s been done. I’m just a project manager; I don’t do any useful work!