National Center for Supercomputing Applications MyProxy and GSISSH Update Von Welch National Center for Supercomputing Applications University of Illinois.

Presentation transcript:

National Center for Supercomputing Applications MyProxy and GSISSH Update Von Welch National Center for Supercomputing Applications University of Illinois at Urbana-Champaign

MyProxy Logon
Authenticate to retrieve PKI credentials
– End Entity or Proxy Certificate
– CA Certificates and Certificate Revocation Lists (CRLs)
Maintains the user’s PKI context
– Users don’t need to manage long-lived credentials
– Enables server-side monitoring and policy enforcement (e.g. passphrase quality checks)
– CA certificates and CRLs updated automatically at login
Integrates with existing authentication systems
– Providing a gateway to grid authentication

MyProxy CA
Issues short-lived X.509 EECs
Authentication via certificate, PAM, SASL/Kerberos, Pubcookie, VOMS
– Including “renewal authentication”, where a trusted service authenticates and proves possession of the user’s existing credential to get a new user credential
Name mapping via mapfile, callout, and LDAP
Certificate extensions specified by OpenSSL configuration file or callout

MyProxy and IGTF SLCS Profile
Recent modifications to MyProxy CA based on IGTF SLCS Profile recommendations:
– Log all certificate requests
– Archive all issued certificates
– Use 1024 bit keys
– Use SHA1 instead of MD5
– Set recommended certificate extensions
NCSA SLCS undergoing TAGPMA review

NCSA SLCS Architecture

NCSA CA Architecture

MyProxy OCSP Support
Server checks certificate validity before performing delegation
– Includes CRL and OCSP checks
– Removes invalid credentials from repository
Follows recommendations in OGF CAOPS “OCSP Requirements for Grids”
Server can be configured to use:
– OCSP responder in AIA extension
– Trusted OCSP responder
OCSP checking code contributed to Globus
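The decision the slide describes, as an added example that is not MyProxy source code: a CRL lookup first, then an OCSP query against the responder chosen either from the certificate's AIA extension or from a trusted responder fixed in server configuration, with revoked credentials purged from the repository. The credential records, CRL contents and responder table are constructed in-line so the script runs offline; treating an unreachable responder as "unknown" that blocks delegation (fail_closed) but does not purge the credential is this example's own policy choice, not something the slide specifies.

```python
"""Revocation check before delegation, modelled on the MyProxy OCSP slide.
Added example, not MyProxy code; all data below is constructed."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional, Set


class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"   # responder unreachable or no revocation data at all


@dataclass
class Credential:
    owner: str
    serial: int
    issuer: str
    ocsp_aia: Optional[str]   # responder URL from the AIA extension, if present


@dataclass
class ServerConfig:
    crls: Dict[str, Set[int]]                # issuer DN -> revoked serials
    trusted_responder: Optional[str] = None  # configured responder overrides AIA
    fail_closed: bool = True                 # assumption: UNKNOWN blocks delegation


def select_responder(cred: Credential, cfg: ServerConfig) -> Optional[str]:
    """A trusted responder from server configuration wins; otherwise use AIA."""
    return cfg.trusted_responder or cred.ocsp_aia


def check_validity(cred: Credential, cfg: ServerConfig,
                   query: Callable[[str, Credential], Status]) -> Status:
    """CRL check first (local, cheap), then OCSP via the selected responder."""
    crl = cfg.crls.get(cred.issuer)
    if crl is not None and cred.serial in crl:
        return Status.REVOKED
    url = select_responder(cred, cfg)
    if url is None:
        # No OCSP source at all: the CRL is the only evidence we have.
        return Status.GOOD if crl is not None else Status.UNKNOWN
    try:
        return query(url, cred)
    except ConnectionError:
        return Status.UNKNOWN


def may_delegate(status: Status, cfg: ServerConfig) -> bool:
    """Delegation requires GOOD; UNKNOWN is allowed only when fail-open."""
    if status is Status.GOOD:
        return True
    if status is Status.UNKNOWN:
        return not cfg.fail_closed
    return False


def prune_repository(repo: List[Credential], cfg: ServerConfig,
                     query: Callable[[str, Credential], Status]) -> List[Credential]:
    """Drop REVOKED credentials; keep UNKNOWN ones (may be a transient outage)."""
    return [c for c in repo if check_validity(c, cfg, query) is not Status.REVOKED]


# Constructed OCSP responders: URL -> serials they report as revoked.
# Any URL not listed here is treated as unreachable.
RESPONDERS = {
    "http://ocsp.example.org/": {1003},
    "http://ocsp-trusted.example.org/": {1003, 1004},
}


def fake_ocsp_query(url: str, cred: Credential) -> Status:
    """Stand-in for a real OCSP exchange (constructed for this example)."""
    if url not in RESPONDERS:
        raise ConnectionError(url)
    return Status.REVOKED if cred.serial in RESPONDERS[url] else Status.GOOD


ISSUER = "/C=US/O=Example Grid/CN=Example MyProxy CA"   # constructed DN
REPO = [
    Credential("alice", 1001, ISSUER, "http://ocsp.example.org/"),
    Credential("bob",   1002, ISSUER, "http://ocsp.example.org/"),       # on the CRL
    Credential("carol", 1003, ISSUER, "http://ocsp.example.org/"),       # revoked via OCSP
    Credential("dave",  1004, ISSUER, "http://ocsp-down.example.org/"),  # responder down
]
CFG = ServerConfig(crls={ISSUER: {1002}})

if __name__ == "__main__":
    for c in REPO:
        s = check_validity(c, CFG, fake_ocsp_query)
        print(f"{c.owner}: {s.value}, delegate={may_delegate(s, CFG)}")
    print("kept:", [c.owner for c in prune_repository(REPO, CFG, fake_ocsp_query)])
```

Switching CFG to a trusted_responder changes dave's outcome: his AIA responder is down, but the trusted responder lists serial 1004 as revoked, so the credential is both refused and purged.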

MyProxy and HSMs
Prototypes
– MyProxy repository keys protected by IBM 4758
– MyProxy CA key protected by Aladdin eToken
MyProxy CA HSM support coming soon
– To be deployed for NCSA SLCS
– Using OpenSSL Engine interface

MyProxy and VOMS
MyProxy server now understands VOMS attributes for authorization
– For example: services with the “compute element” attribute can be authorized to renew credentials
MyProxy developers worked with VOMS developers on GT4 compatibility issues

MyProxy Trust Provisioning
MyProxy Logon can install/update trust roots in ~/.globus/certificates or $X509_CERT_DIR
– CA certificates, signing policies, and CRLs
– Improves client-side security via automated CA configuration and CRL updates
Configuration managed by MyProxy server admin
– Maintains up-to-date “master” certificates directory on server
Future work
– Bootstrap trust of myproxy-server certificate
– Improved handling of expired CRLs
– Java support
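Two checks a client can run over the trust-roots directory that MyProxy Logon populates, as an added example that is neither MyProxy nor Globus code: an audit that every CA certificate is accompanied by a signing policy (and that no stray CRL or policy lacks its CA), and a parser for the Globus signing_policy format that answers whether a given CA is permitted to sign a given subject DN. The file names, DNs and policy text are constructed; the glob matching via fnmatch and the exact-case DN comparison are this example's simplification of the Globus matcher, and the "<hash>.0 / <hash>.signing_policy / <hash>.r0" naming is the conventional layout of such a directory.

```python
"""Trust-roots directory checks: signing_policy parsing and layout audit.
Added example, not MyProxy or Globus code; sample data is constructed."""
import fnmatch
import shlex
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set


@dataclass
class SigningPolicy:
    ca_dn: str = ""
    rights: Set[str] = field(default_factory=set)
    subject_patterns: List[str] = field(default_factory=list)


def parse_signing_policy(text: str) -> SigningPolicy:
    """Parse the three-column 'key  authority  value' signing_policy format.
    Values are single-quoted; cond_subjects carries double-quoted globs inside."""
    pol = SigningPolicy()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _authority, value = shlex.split(line)   # outer single quotes stripped
        if key == "access_id_CA":
            pol.ca_dn = value
        elif key == "pos_rights":
            pol.rights.add(value)
        elif key == "cond_subjects":
            pol.subject_patterns.extend(shlex.split(value))   # inner double quotes
    return pol


def subject_permitted(policies: Dict[str, SigningPolicy],
                      issuer_dn: str, subject_dn: str) -> bool:
    """A certificate is acceptable only if its issuer has a signing policy that
    grants CA:sign and whose cond_subjects pattern matches the subject DN.
    A CA with no policy file at all is rejected."""
    pol = policies.get(issuer_dn)
    if pol is None or "CA:sign" not in pol.rights:
        return False
    return any(fnmatch.fnmatchcase(subject_dn, p) for p in pol.subject_patterns)


def audit_trust_dir(filenames: Iterable[str]) -> Dict[str, List[str]]:
    """Given the file names in a certificates directory, report CA certs
    (<hash>.0) lacking a <hash>.signing_policy, and policies or CRLs
    (<hash>.r0) whose CA certificate is missing."""
    names = list(filenames)
    certs = {f[:-len(".0")] for f in names if f.endswith(".0")}
    policies = {f[:-len(".signing_policy")] for f in names if f.endswith(".signing_policy")}
    crls = {f[:-len(".r0")] for f in names if f.endswith(".r0")}
    return {
        "ca_without_policy": sorted(certs - policies),
        "policy_without_ca": sorted(policies - certs),
        "crl_without_ca": sorted(crls - certs),
    }


# Constructed signing policy for a fictitious CA (DNs are not real).
SAMPLE_POLICY = """\
# Example signing policy (constructed)
access_id_CA      X509         '/C=US/O=Example Grid/CN=Example MyProxy CA'
pos_rights        globus       CA:sign
cond_subjects     globus       '"/C=US/O=Example Grid/*"  "/C=US/O=Example Gateway/*"'
"""

# Constructed directory listing; the hash-style names are made up.
SAMPLE_DIR = ["3dd9ab0f.0", "3dd9ab0f.signing_policy", "3dd9ab0f.r0",
              "9c7b1e22.0", "5a1f00cc.r0"]

if __name__ == "__main__":
    pol = parse_signing_policy(SAMPLE_POLICY)
    pols = {pol.ca_dn: pol}
    print(subject_permitted(pols, pol.ca_dn, "/C=US/O=Example Grid/CN=alice"))
    print(subject_permitted(pols, pol.ca_dn, "/C=US/O=Other Org/CN=alice"))
    print(audit_trust_dir(SAMPLE_DIR))
```

A CA certificate without a signing policy is the common failure after a partial trust-root update: the certificate chain verifies, yet GSI rejects the credential, which is exactly the class of inconsistency the slide's automated provisioning is meant to avoid.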

MyProxy Server Fail-Over
Clients try multiple server IP addresses
Documentation for server replication
– myproxy-replicate tool for primary-backup repository replication
– CA server replication by partition of serial number space
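Both halves of the fail-over slide, as an added example that is not MyProxy code: a client that walks a list of server addresses and reports every failure it skipped over, and two replicated CA servers that issue from disjoint serial-number partitions so they can run without coordinating. The addresses are from the 192.0.2.0/24 documentation range and the "serial congruent to replica id modulo replica count" rule is this example's own choice; the slide only says that the serial space is partitioned, not how. The connector is injectable so the demonstration runs offline with a simulated connector.

```python
"""Client fail-over and CA serial-space partitioning, modelled on the
MyProxy Server Fail-Over slide.  Added example, not MyProxy code."""
import socket
from typing import Callable, Iterable, List, Tuple

Address = Tuple[str, int]


def tcp_connect(addr: Address, timeout: float = 5.0) -> socket.socket:
    """Default connector: a plain TCP connect (replaced by a stub below)."""
    return socket.create_connection(addr, timeout=timeout)


def connect_with_failover(addresses: Iterable[Address],
                          connect: Callable[[Address], object] = tcp_connect):
    """Try each address in order; return (address, connection, failures).

    Raises ConnectionError listing every failure when all replicas are down,
    so the caller can tell 'one bad host' from 'service unavailable'."""
    failures: List[Tuple[Address, str]] = []
    for addr in addresses:
        try:
            return addr, connect(addr), failures
        except OSError as exc:
            failures.append((addr, str(exc)))
    raise ConnectionError(f"all MyProxy servers unreachable: {failures}")


class CaReplica:
    """One of N replicated CA servers.  Replica i issues only serials that are
    congruent to i modulo N, so replicas never collide without coordination.
    (Constructed scheme; the slide does not specify the partition rule.)"""

    def __init__(self, replica_id: int, replica_count: int, start: int = 0):
        if not 0 <= replica_id < replica_count:
            raise ValueError("replica_id outside partition")
        self.id, self.n = replica_id, replica_count
        # First serial >= start that lies in this replica's residue class.
        k = max(0, (start - replica_id + replica_count - 1) // replica_count)
        self._next = k * replica_count + replica_id

    def next_serial(self) -> int:
        serial = self._next
        self._next += self.n
        return serial

    def owns(self, serial: int) -> bool:
        """True if this replica is the one that could have issued `serial`."""
        return serial % self.n == self.id


# Constructed address list (documentation range) and simulated connector:
# only the last replica accepts connections.
SERVERS: List[Address] = [("192.0.2.10", 7512), ("192.0.2.11", 7512), ("192.0.2.12", 7512)]


def simulated_connect(addr: Address) -> str:
    if addr == SERVERS[-1]:
        return f"session to {addr[0]}"
    raise OSError("connection refused (simulated)")


if __name__ == "__main__":
    addr, conn, failures = connect_with_failover(SERVERS, connect=simulated_connect)
    print("connected to", addr, "after", len(failures), "failures:", failures)
    a, b = CaReplica(0, 2, start=1000), CaReplica(1, 2, start=1000)
    print("replica A:", [a.next_serial() for _ in range(3)])
    print("replica B:", [b.next_serial() for _ in range(3)])
```

Port 7512 is the MyProxy default. Recording the skipped failures matters operationally: a client that silently succeeds on the third address hides the fact that two replicas are down.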

External MyProxy Audit
To be conducted by Jim Kupsch from UW-Madison Computer Sciences
– Vulnerability Assessment of Grid Software Project led by Prof. Bart Miller
– 6/presentations/kupsch_security.ppt
March 7 kick-off meeting at NCSA

GSI-OpenSSH Authorization
GSI-OpenSSH 3.8 and later support Globus Authorization callouts
– Service name for callout is “ssh”
– Tested with PRIMA/GUMS

Java GSI-SSHTerm
Java applet/application that combines MyProxy and GSISSH functionality
– Developed by UK NGS, NRC Canada, …
Customized for TeraGrid

MyProxy and GSISSH on TeraGrid
All TG users assigned a TERAGRID.ORG (Kerberos) username and password
– Login to TeraGrid User Portal
– Login to TeraGrid MyProxy CA to obtain a short-lived (NCSA) certificate
All TG sites run GSI-OpenSSH servers
– Single sign-on via Java GSI-SSHTerm