Deploying the TeraGrid PKI Grid Forum Korea Winter Workshop December 1, 2003 Jim Basney Senior Research Scientist National Center for Supercomputing Applications.

Deploying the TeraGrid PKI Grid Forum Korea Winter Workshop December 1, 2003 Jim Basney Senior Research Scientist National Center for Supercomputing Applications University of Illinois

Deploying the TeraGrid PKI, GFK Winter Workshop

Grid-building Challenges
Many challenges in deploying Grids:
– software compatibility
– resource discovery (information services)
– resource allocation
– accounting (charging for resource usage)
– performance optimization
– monitoring / support / helpdesk
– …

Managing Trust for Grid Single Sign-on
A major Grid deployment challenge.
What CAs are trusted?
– Can a CA gain universal acceptance for single sign-on?
– What CA practices are acceptable?
– Use hierarchical CAs or cross-certification?
How do users obtain and manage credentials?
– user enrollment, certificate renewal, private key security, …
How are users authorized to use resources?
– How are ACLs and authorization services managed?
Consider the TeraGrid as a case study.

Outline
TeraGrid Overview
Globus Security Infrastructure
– Authentication and Authorization
– Proxy Credentials
TeraGrid Online CAs
TeraGrid Single Sign-on
Grid-Mapfile Management
Credential Management

TeraGrid
[Site diagram. NCSA (compute intensive): 10 TF IA-64 with large-memory nodes, 230 TB disk storage, 3 PB tape storage, GPFS and data mining. SDSC (data intensive): 4 TF IA-64, 1.1 TF Power4, Sun, DB2 and Oracle servers, 500 TB disk storage, 6 PB tape storage. PSC (compute intensive): 6 TF EV68 with 71 TB storage, 0.3 TF EV7 shared-memory with 150 TB storage server. ANL (visualization): 1.25 TF IA-32 viz nodes, 20 TB storage. Caltech (data collection analysis): 0.4 TF IA-64, IA-32 Datawulf, 80 TB storage. Sites connect at 30 Gb/s to a 40 Gb/s extensible backplane network through the LA and Chicago hubs. Legend: IA32 storage server, disk storage, cluster, shared memory, visualization cluster.]

Additional TeraGrid Sites

Building Something New
One Organization (merge institutions):
– one sysadmin team, one management team
– distributed machine room, centralized control (e.g. Google data centers)
– Not a Grid
The TeraGrid (a Grid hosting environment):
– single development environment
– single software stack to learn
– develop here, run there; run here, store there
– Applications are developed for the Grid because the barriers are low and the return large
Very Loose Collaboration (current situation):
– hit-and-miss grid software: Globus version? Condor-G? MPICH-G2?
– different MPIs
– unique development environment
– Not a Grid, but with significant user investment, Grid applications can be developed

TeraGrid and CMS
Data and software testing challenge
– test and validate analysis software on 100,000,000 events
Testing approach
– particle-detector interaction simulator (CMSIM): energy deposition in the detector
– ORCA (Object Reconstruction for CMS Analysis): reconstruct QCD background sample
– tracks and reconstructed particles, ready for analysis
Computing, storage and networking
– 1.1M SUs on the TeraGrid (now 400 processors, through April 2005)
– 1M SUs on NCSA Platinum Pentium III cluster
– 1.5M SUs on NCSA Tungsten Xeon cluster
– 1 TB for production TeraGrid simulations; 400 GB for data collection on IA-32 cluster

Globus Security Infrastructure
Credentials
– asymmetric public/private key pair
– X.509 certificate, signed by a Certificate Authority, binds a distinguished name to the public key
Authentication (Who are you?)
– proof of possession of the private key
– verify the CA signature on the X.509 certificate
Authorization (What can you do?)
– based on the distinguished name in the certificate
– typically mapped to a local account

GSI Mutual Authentication
Standard SSL/TLS protocol (summarized; {x}k denotes x encrypted under k, h() a hash):
Client → Server: random_c
Server → Client: certificate_s + random_s
Client → Server: certificate_c + {secret}pubkey_s + signature_c[h(random_c, random_s, …)]
Server → Client: {h(secret)}secret
Each side verifies the other's certificate up to a trusted CA. The client proves possession of its private key with the signature over both nonces; the server proves possession of its private key by decrypting the secret and returning a hash of it.

GSI Mutual Authorization
What is the client authorized to do on the server?
– typically set by the grid-mapfile
Is the server trusted by the client?
– i.e., is the server authorized by the client?
– typically based on the authenticated server identity matching the user's request (the host the user asked to connect to)
The client must be able to verify server certificates:
– must trust the certificate of the CA that signed the server's certificate
– must have a correct system clock (certificate validity periods are checked against it)
– should check the CA's revocation list (CRL), since a valid signature alone does not show the certificate is still current

How to Authorize Clients?
Access Control Lists
– e.g. Globus grid-mapfile
– answer "Who can access this resource?"
– need to maintain many distributed ACLs
Capabilities
– e.g. SAML, X.509 PMI, VOMS, Akenti, CAS
– answer "What can this person do?"
– don't need to distribute ACL updates
– capability issuer maintains the authorization database
See the GGF OGSA Authorization WG.

What to Authorize?
                        Keys                              Names
Examples:               SSH, PGP, SPKI                    X.509 PKI, GSI
Trusted third party?    none                              CA signs certificates
Cost of re-keying?      update ACLs with new public key   obtain new certificate
Names can be convenient to work with, but common names are not unique identifiers.

Globus Proxy Credentials
New certificate and key pair
Proxy certificate signed by the user's long-term private key
– enter passphrase to decrypt the private key
Certificate has a short lifetime
Proxy private key remains unencrypted (protected only by file permissions)
Authenticate with proxy credentials for the remainder of the session
Chain of signatures: CA signs the user certificate; the user signs the proxy certificate.

Proxy Delegation Protocol
Delegatee: generate a new key pair
Delegatee → Delegator: proxy certificate request (the new public key)
Delegator: sign the certificate with its own proxy private key (proxy A)
Delegator → Delegatee: proxy certificate (proxy B)
Resulting chain: CA signs User; User signs Proxy A; Proxy A signs Proxy B. The delegatee holds Proxy B and its private key; no private key crosses the wire.
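The proxy chain the two slides above describe, as an added example in Go (example code, not Globus code and not part of the original slides): a CA signs a user certificate, the user's long-term key signs proxy A (what grid-proxy-init does), proxy A's key signs proxy B for a delegatee that generated its own key pair, and a relying party verifies the leaf-first chain the way GSI has to. Proxy signatures are checked by hand, because the standard X.509 path validator refuses a non-CA issuer; each proxy must be named as its issuer's subject plus CN=proxy (the GT2 naming convention of the period; RFC 3820 later added a proxyCertInfo extension, which this example omits) and must not outlive its issuer. The "Example Grid" CA and user names, the 12-hour and 2-year lifetimes and the ECDSA P-256 keys are assumptions for the demo.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"reflect"
	"time"
)

var (
	oidCN  = asn1.ObjectIdentifier{2, 5, 4, 3}
	serial int64 // certificate serial counter for this demo
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs tmpl for pub with signer, whose own certificate is parent (nil = self-signed).
// CreateCertificate does not insist that parent is a CA: a user certificate or an earlier proxy can be the issuer.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	serial++
	tmpl.SerialNumber, tmpl.NotBefore = big.NewInt(serial), time.Now().Add(-time.Minute)
	if parent == nil {
		parent = tmpl
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// proxyTemplate names the proxy as its issuer's subject with CN=proxy appended (GT2 convention).
func proxyTemplate(issuer *x509.Certificate, notAfter time.Time) *x509.Certificate {
	names := append(append([]pkix.AttributeTypeAndValue{}, issuer.Subject.Names...),
		pkix.AttributeTypeAndValue{Type: oidCN, Value: "proxy"})
	return &x509.Certificate{Subject: pkix.Name{ExtraNames: names}, NotAfter: notAfter,
		KeyUsage: x509.KeyUsageDigitalSignature}
}

// isProxy: p names issuer as its issuer and p's subject is issuer's subject plus exactly one CN=proxy.
func isProxy(p, issuer *x509.Certificate) bool {
	pn, in := p.Subject.Names, issuer.Subject.Names
	return bytes.Equal(p.RawIssuer, issuer.RawSubject) && len(pn) == len(in)+1 &&
		reflect.DeepEqual(pn[:len(in)], in) && pn[len(in)].Type.Equal(oidCN) && pn[len(in)].Value == "proxy"
}

// VerifyGSIChain is the relying party's check on a leaf-first chain. Each proxy's signature, naming
// and lifetime are checked against its issuer by hand (x509.Verify alone rejects the chain because
// the user certificate is not a CA); the end-entity certificate is then verified against the trusted
// CAs. The DN returned is the user's, not the proxy's: that is what the grid-mapfile is keyed on.
func VerifyGSIChain(chain []*x509.Certificate, roots *x509.CertPool) (string, error) {
	now, i := time.Now(), 0
	for ; i+1 < len(chain) && isProxy(chain[i], chain[i+1]); i++ {
		p, iss := chain[i], chain[i+1]
		if err := iss.CheckSignature(p.SignatureAlgorithm, p.RawTBSCertificate, p.Signature); err != nil {
			return "", fmt.Errorf("proxy %d: %w", i, err)
		}
		if now.Before(p.NotBefore) || now.After(p.NotAfter) || p.NotAfter.After(iss.NotAfter) {
			return "", fmt.Errorf("proxy %d: expired or outlives its issuer", i)
		}
	}
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := chain[i].Verify(opts); err != nil {
		return "", err
	}
	return chain[i].Subject.String(), nil
}

// DemoProxyChain builds CA -> user -> proxy A (grid-proxy-init) -> proxy B (delegated to a service that
// generated B's own key) and verifies the chain a server would receive. Names are constructed for the demo.
func DemoProxyChain(proxyLife time.Duration) (string, error) {
	key := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	subj := func(cn string) pkix.Name { return pkix.Name{Country: []string{"US"}, Organization: []string{"Example Grid"}, CommonName: cn} }
	caKey, userKey, aKey, bKey := key(), key(), key(), key()
	ca := issue(&x509.Certificate{Subject: subj("Example CA"), NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, &caKey.PublicKey, caKey)
	user := issue(&x509.Certificate{Subject: subj("Example User"), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature}, ca, &userKey.PublicKey, caKey)
	exp := time.Now().Add(proxyLife) // one expiry for both proxies: B may not outlive A
	proxyA := issue(proxyTemplate(user, exp), user, &aKey.PublicKey, userKey) // signed with the long-term key
	proxyB := issue(proxyTemplate(proxyA, exp), proxyA, &bKey.PublicKey, aKey)  // signed with proxy A's key
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return VerifyGSIChain([]*x509.Certificate{proxyB, proxyA, user}, roots)
}

func main() {
	fmt.Println(DemoProxyChain(12 * time.Hour))           // CN=Example User,O=Example Grid,C=US <nil>
	fmt.Println(DemoProxyChain(2 * 365 * 24 * time.Hour)) // error: proxy A would outlive the user certificate
}
```

The second call shows the lifetime rule doing its job: a proxy whose NotAfter lies beyond its issuer's is rejected before the CA signature is ever consulted. In a real GSI server this check runs inside the TLS handshake on the chain the client presents, and the DN it returns is what the next slides' grid-mapfile lookup consumes.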

TeraGrid PKI
A single TeraGrid Certificate Authority is not feasible
– many sites already have a CA
– a distributed model is preferable for Grids
The TeraGrid PMA (Policy Management Authority) evaluates CA trust
– for interoperability, all TeraGrid sites should accept TeraGrid-approved CAs
– the TeraGrid PMA distributes trusted CA certificates to users and administrators

TeraGrid Online CAs
An online CA allows users to authenticate and obtain PKI credentials immediately
– without requiring the user to visit a registration authority, fax a copy of an institutional ID, etc.
– without requiring the CA operator to manually approve each request
– leveraging the site's existing relationship with its users
Online CAs can return long-term or short-term credentials:
– users contact the online CA infrequently to obtain / renew long-term (1+ year) certificates, or
– users contact the online CA daily to obtain short-term (12 hour) credentials
– TeraGrid includes examples of both types of online CAs

CACL
NCSA and SDSC have online CAs that return long-term credentials
– OpenSSL-based CACL online CA software developed at SDSC
– at NCSA, the online CA recently replaced the offline CA
Users log in to an NCSA or SDSC cluster and run a command to obtain 2-4 year credentials
– credentials stored in ~/.globus as usual
– requires users to manage their long-term key and certificate files

KCA
PSC runs a Kerberized online CA (KCA)
Users obtain short-term (12 hour) Kerberos tickets at login
A KCA command allows users to authenticate with the Kerberos ticket to obtain Globus credentials
– KCA credentials have a short lifetime equal to the Kerberos ticket lifetime
– stored unencrypted in /tmp, to be used like Globus proxy credentials
No need to issue CRLs, as there are no long-term certificates to revoke

TeraGrid Account Creation
US National Science Foundation committees evaluate research proposals and allocate TeraGrid resources to scientists
Allocation info is entered into the TeraGrid Accounting Database
Account creation requests are sent to sites
– via the TeraGrid Account Transaction System
The scientist receives account information in the mail
– includes username(s) and initial password(s) for the site(s)

TeraGrid Grid Single Sign-on
Users can access all TeraGrid resources using their Grid proxy credentials
– using GSISSH, GRAM, and GridFTP
– no need to remember different usernames and passwords
For users with no PKI certificate
– request a certificate from a TeraGrid CA
– the TeraGrid Account Transaction System adds the user's distinguished name to grid-mapfiles (planned)
For users that already have a PKI certificate
– the issuing CA must be trusted by TeraGrid sites
– the gx-map command allows users to add additional distinguished names to grid-mapfiles

GX-Map
A Globus grid-mapfile management tool
Allows users to add distinguished names to the grid-mapfile
– mapped only to that user's account
Similar to adding SSH authorized keys
Example grid-mapfile entries:
  "/C=US/O=NCSA/CN=Jim Basney" jbasney
  "/C=US/O=NPACI/OU=SDSC/CN=Keith Thompson" kst
  "/C=US/O=PSC/CN=dsimmel" dsimmel
  "/DC=org/DC=doegrids/CN=Sandra Bittner" bittner
  …
  "/C=UK/O=eScience/CN=Joe User" juser
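How the grid-mapfile ACL from the "How to Authorize Clients?" slide and the gx-map rule above fit together, as an added example in Go (example code, not the gx-map or Globus implementation): parse the mapfile syntax shown above, look up the authenticated DN to choose the local account, and let a user add a DN only to their own account while refusing a DN that is already mapped to someone else. The sample entries, the account names and the function names are constructed for this example. The lookup matches the whole DN, never the common name alone, since (as the "What to Authorize?" slide notes) common names are not unique.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Mapping is one grid-mapfile line: a double-quoted DN followed by one or more
// local account names, comma-separated.
type Mapping struct {
	DN       string
	Accounts []string
}

// ParseGridMapfile reads the Globus grid-mapfile format. Blank lines and '#'
// comments are skipped; anything else must be "<DN>" <account>[,<account>...].
func ParseGridMapfile(text string) ([]Mapping, error) {
	var out []Mapping
	sc := bufio.NewScanner(strings.NewReader(text))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if !strings.HasPrefix(line, `"`) {
			return nil, fmt.Errorf("line %d: DN must be double-quoted", n)
		}
		end := strings.Index(line[1:], `"`)
		if end < 0 {
			return nil, fmt.Errorf("line %d: unterminated DN", n)
		}
		dn, rest := line[1:1+end], strings.TrimSpace(line[2+end:])
		if dn == "" || rest == "" {
			return nil, fmt.Errorf("line %d: missing DN or account", n)
		}
		out = append(out, Mapping{DN: dn, Accounts: strings.Split(rest, ",")})
	}
	return out, sc.Err()
}

// Lookup is the server-side authorization step after GSI authentication: the
// authenticated DN must match an entry exactly, and the session runs as the first account.
func Lookup(m []Mapping, dn string) (string, bool) {
	for _, e := range m {
		if e.DN == dn {
			return e.Accounts[0], true
		}
	}
	return "", false
}

// AddUserMapping models the gx-map rule. account is the caller's own login (taken from
// the authenticated session, never from the request), so a user can only map a DN to
// themselves, and a DN already mapped to a different account is refused.
func AddUserMapping(m []Mapping, dn, account string) ([]Mapping, error) {
	if !strings.HasPrefix(dn, "/") || strings.ContainsAny(dn, "\"\n") {
		return m, fmt.Errorf("malformed DN %q", dn)
	}
	for _, e := range m {
		if e.DN != dn {
			continue
		}
		for _, a := range e.Accounts {
			if a == account {
				return m, nil // already mapped to this user
			}
		}
		return m, fmt.Errorf("%s is already mapped to %s", dn, strings.Join(e.Accounts, ","))
	}
	return append(m, Mapping{DN: dn, Accounts: []string{account}}), nil
}

// SampleMapfile is a constructed example, not a real TeraGrid mapfile.
const SampleMapfile = `# grid-mapfile: "<DN>" <account>[,<account>...]
"/C=US/O=Example Grid/CN=Example User" alice
"/DC=org/DC=example/CN=Bob Example" bob,bob-admin
`

// DemoGridMap: alice adds a second DN issued by her home institution's CA; bob then
// tries to claim alice's DN and is refused.
func DemoGridMap() ([]Mapping, error) {
	m, err := ParseGridMapfile(SampleMapfile)
	if err != nil {
		return nil, err
	}
	if m, err = AddUserMapping(m, "/C=UK/O=eScience/CN=Example User", "alice"); err != nil {
		return nil, err
	}
	if _, err := AddUserMapping(m, "/C=US/O=Example Grid/CN=Example User", "bob"); err == nil {
		return nil, fmt.Errorf("bob must not be able to claim alice's DN")
	}
	return m, nil
}

func main() {
	m, err := DemoGridMap()
	fmt.Println(len(m), "mappings;", err) // 3 mappings; <nil>
}
```

The two properties that matter are both enforced by construction: the account written is the caller's authenticated login, so a user cannot map a DN to anyone else (the "mapped only to that user's account" rule), and a DN already held by another account cannot be taken over, so one user cannot quietly claim a colleague's certificate.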

Credential Management
TeraGrid users can store their credentials in an online MyProxy repository
– credentials encrypted with the user's passphrase
– users can retrieve delegated proxy credentials from the online repository when/where needed
MyProxy provides credential mobility
– users need not manually copy certificate and key files between machines
– long-term keys are protected on the MyProxy server; only short-lived proxies are delegated out

Credential Renewal
An unsolved problem for the TeraGrid
Long-lived tasks or services need credentials
– task lifetime is difficult to predict
Don't want to delegate long-lived credentials
– fear of compromise
Instead, renew credentials as needed during the task's lifetime
– a renewal service provides a single point of monitoring and control
– the renewal policy can be modified at any time
– for example, disable renewals if a compromise is detected or suspected
Possible solutions using MyProxy
– EDG Proxy Renewal Service
– Condor-G with GRAM proxy refresh

Managing Multiple Credentials
Will a single identity credential per user suffice?
– difficult to achieve trust in a single CA across many organizations
– advanced services require authorization credentials
Pieces of a solution
– credential negotiation protocols (WS-SecurityPolicy, …)
– online credential services
Want to retain single sign-on and ease of use

Summary
TeraGrid has deployed a PKI for single sign-on via the Globus Security Infrastructure
– online CAs (CACL, KCA)
– user control of grid-mapfile authorization (gx-map)
– online credential repository (MyProxy)
Ongoing work
– credential renewal
– managing multiple credentials
Thank you! Any questions? Jim Basney