INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org JRA3 2nd EU Review Input David Groep NIKHEF.

Presentation transcript:

Enabling Grids for E-sciencE INFSO-RI JRA3 EU Review Input, DavidG, December 7th

EUGridPMA Authentication Federation

Federation consists of many independent CAs
– Common minimum requirements
– Defined and ‘strong’ acceptance process
– “reasonable” trust level, as required by relying parties
– no ‘hierarchical top’ to make formal guarantees

Membership
– 34 Identity providers (national and regional CAs)
– 6 Relying parties (large projects like EGEE, DEISA, SEE-GRID, OSG, LCG) and TERENA

[Diagram: CA 1, CA 2, CA 3 … CA n; charter; guidelines; acceptance process; relying party 1 … relying party n]

The EUGridPMA

– Virtually complete coverage of Europe; accreditation for EGEE, DEISA, SEE-GRID, LCG, OSG, ..
– Actively fostered and supported by JRA3

[Map: green marks countries and regions covered by a national CA in the EUGridPMA]

Policy Evaluation Framework

Policy evaluation based on Authentication Profiles
– Authorities demonstrate compliance with these guidelines
– Peer-review process within the federation to (re-)evaluate members both on entry and periodically
– Codified in the Accreditation Guidelines policy since 2004
– Demonstrated in practice in ~10 new accreditations since

Benefits
– Reduces effort on the relying parties
  → single document to review and assess, applicable to all providers
– Reduces cost on the identity providers
  → no audit statement needed by certified accountants
  → but participation in the federation does come with a price

Ultimate decision always remains with the administrative owners (relying parties)

Authentication Profiles

Three main Authentication Profiles (the requirement sets), common not only for Europe, but also for the Asia Pacific & Americas

Certification authorities with secured infrastructure
– Highly trusted by all current grid projects
– Leverages national structures effectively

Short-lived credential services
– Leverage existing local site mechanisms
– New profile to be pioneered in the Americas, but far from stable and has not yet been exposed to many relying parties

Experimental Service
– Jumpstart new national and regional CAs via a pilot service
– Successful model in the Asia Pacific region

Extending Trust: the IGTF

– common, global best practices for trust establishment
– better manageability and response of the PMAs

[Map: TAGPMA, APGridPMA]

IGTF Structure

– Each PMA can accredit authorities according to any of the valid authentication profiles (classic secured PKI, short-lived credential services, experimental)
– Common standards
– Coordinated naming (every name within the IGTF is unique)
– Common accreditation process
– Three chairs collectively represent the IGTF (formal IGTF chair rotates yearly)
– First IGTF Chair is from Europe …

IGTF, GGF and TACAR

The IGTF, GGF (the CAOPS-WG) and TERENA work together to establish the global trust fabric

Towards common AAI in Europe

– A Common Authentication and Authorization Infrastructure, described in the e-IRG Authorization Roadmap section
– Collaboration with developments like eduroam™ via TERENA fora
– The single sign-on vision: the authentication bridges, the authorization framework and on-demand user attribute discovery all work towards this goal

Be on a wireless mobile network while visiting abroad, then decide to look up the data from the latest experiment your colleague in your Virtual Organization did, and run a simulation to look at alternate scenarios, all that using your credentials (password, smartcard) only once!

SAC slides to follow

Site Access Control ingredients

[Diagram: columns for global issues, service business logic and site access control; policy layers for User policies, VO policies and Site policy]

Ingredients shown:
– Establishing Trusted Third Parties
– Identities & Certificates
– Key storage
– MyProxy
– System account creation
– virtualization & system accounts
– workernode to headnode communications
– Access control to individual files
– Router port filtering
– DDoS protection
– connectivity provisioning
– actions & policy decisions
– logging
– auditing

Virtualization and System Accounts

– JRA3 ingredients: LCAS, LCMAPS, glexec
– Aim is the fully interoperable job submission chain: GT4, Condor C / BLAHP, GT Work Space Service
– Components part of the gLite 1.5 release