USCGrid KX.509 & Enterprise Security

April 2003, USCGrid at Internet2

USCGrid: KX.509 & Enterprise Security
- KX.509 as an alternative
- Specific experience with KX.509 at USC
- KX.509 & Campus Certificate Policies

KX.509 as an alternative

Q: What if your enterprise already has a non-PKI authentication mechanism in place? Can an existing security mechanism be leveraged to get the user population on the grid, or does an entire parallel PKI mechanism need to be created?

A: If your existing enterprise authentication mechanism is Kerberos, the answer is KX.509. KX.509 lets you authenticate to Kerberos as usual, then use that Kerberos credential to obtain a short-lived X.509 certificate from a Kerberized Certificate Authority (KCA); that certificate serves as your grid proxy certificate. Suddenly, everyone with a Kerberos credential is grid-enabled.

Q: What about server certificates? Can I use Kerberos to create those?

A: Kerberos does not affect server certificates. They must still be generated or acquired the 'old-fashioned way', for instance by purchasing one from VeriSign.

Specific experience with KX.509 at USC

Q: What does USC's KX.509 setup look like?

A: USCGrid consists of a Beowulf cluster (more on that in a minute), a Sunfire 15k called almaak.usc.edu, and a recently upgraded Condor pool made up of 110 Unix workstations in a public user room.

A: Kerberos and KX.509 are directly available through an NFS-mounted file system, /usr/usc, to anyone with a Solaris or Linux workstation. Those with PCs or Macs must ssh to a Unix timesharing system, such as almaak.

A: The KCA (the Kerberized Certificate Authority that issues the kx509 certificates) runs on hpc-master.usc.edu, the head node of our 576-node, 1152-CPU Beowulf cluster.

Q: To use locally-controlled grid resources, a user must be added to the grid mapfile. KX.509 users don't have a long-lived public certificate of their own (their kx509 certificates are short-lived). How can they be added to a grid mapfile?

A: We have a fairly simple-minded method currently for users to follow to request that they be added to the USCGrid mapfile. Each user must send an e-mail message containing the details of his or her kx509 certificate (as printed by grid-proxy-info) to the USCGrid administrator:

A: Example:

    almaak.usc.edu(23): source /usr/usc/nmi/default/setup.csh
    almaak.usc.edu(24): kinit
    Password for
    almaak.usc.edu(25): kx509
    almaak.usc.edu(26): kxlist -p
    Service kx509/certificate
    issuer= /C=US/ST=California/L=Los Angeles/O=University of Southern California/CN=usc.edu
    subject= /C=US/ST=California/L=Los Angeles/O=University of Southern California
    serial=A8 hash=e
    almaak.usc.edu(27): grid-proxy-info | \
        mail -s "add me to grid mapfile" \

A: The Unix sysadmin can then add an entry to the grid mapfile using the subject DN from grid-proxy-info (the quoted DN, followed by the local account it maps to):

    "/C=US/ST=California/L=Los Angeles/O=University of Southern California/OU=usc.edu/CN=shelley" shelley

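The two name-handling steps behind this procedure, as an added example in Python (not code from the talk, nor from the KX.509 or Globus projects): how a KCA derives the subject DN of a short-lived kx509 certificate from the Kerberos principal that authenticated the request, as in the KX.509 answer above, and how the grid mapfile then maps that DN to a local account, including the checks an administrator should make before adding an entry from a mailed request. The DN prefix, the realm USC.EDU, the ten-hour lifetime cap and the rule that the CN must equal the requested account are assumptions modelled on the DNs shown in the kxlist and grid-proxy-info output, not USC's actual KCA configuration; the sample mapfile is constructed.

```python
"""Added example: KX.509 principal-to-DN mapping and grid-mapfile handling.
All policy values below are assumptions shaped like the DNs on the slides."""
from datetime import datetime, timedelta, timezone
import re

KCA_REALM = "USC.EDU"                                   # assumed
DN_PREFIX = ("/C=US/ST=California/L=Los Angeles"
             "/O=University of Southern California/OU=usc.edu")   # assumed
MAX_CERT_LIFETIME = timedelta(hours=10)                 # assumed cap

# A plain user principal: no '/' instance component, exactly one realm.
_PRINCIPAL = re.compile(r"^([a-z][a-z0-9_.-]*)@([A-Z0-9.-]+)$")
# A grid-mapfile entry:  "DN" localuser[,localuser...]
_MAP_LINE = re.compile(r'^"([^"]+)"\s+(\S+)\s*$')


def principal_to_dn(principal):
    """Subject DN the KCA would put in a kx509 certificate for this principal.
    Only plain user principals in the KCA's own realm are accepted: a host or
    service principal (one with a '/' instance) or a foreign realm must never
    produce a DN that a mapfile could confuse with a local user."""
    m = _PRINCIPAL.match(principal)
    if m is None:
        raise ValueError("not a plain user principal: %r" % principal)
    user, realm = m.groups()
    if realm != KCA_REALM:
        raise ValueError("KCA issues only for %s, got %s" % (KCA_REALM, realm))
    return "%s/CN=%s" % (DN_PREFIX, user)


def cert_validity(ticket_end, now):
    """(not_before, not_after) for a kx509 certificate: it expires no later
    than the Kerberos ticket that authenticated the request, and never
    beyond the KCA's cap, which is what keeps it short-lived."""
    if ticket_end <= now:
        raise ValueError("ticket already expired")
    return now, min(ticket_end, now + MAX_CERT_LIFETIME)


def parse_gridmap(text):
    """Parse grid-mapfile text into {DN: [local users]}.
    Blank lines and '#' comments are skipped; a malformed line is an error,
    because this file is an access-control list and a line that fails to
    parse should be noticed rather than silently dropped."""
    mapping = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _MAP_LINE.match(line)
        if m is None:
            raise ValueError("line %d: malformed mapfile entry" % lineno)
        dn, users = m.groups()
        mapping[dn] = users.split(",")
    return mapping


def gridmap_lookup(mapping, dn):
    """Local accounts the DN may map to, or None if it is not listed."""
    return mapping.get(dn)


def gridmap_entry_for_request(dn, requested_user):
    """Mapfile line for a mailed 'add me' request, after checking it.
    The DN in the mail is self-reported, so before adding it confirm that
    (a) it lies in the campus KCA's namespace, so a DN from another issuer
    cannot be mapped onto a local account, and (b) its CN is the account
    requested (the CN=shelley -> shelley convention on the slide; an
    assumption here, not a KX.509 rule)."""
    prefix = DN_PREFIX + "/CN="
    if not dn.startswith(prefix):
        raise ValueError("DN is not in the campus KCA namespace: %s" % dn)
    cn = dn[len(prefix):]
    if "/" in cn or cn != requested_user:
        raise ValueError("CN %r does not match account %r" % (cn, requested_user))
    return '"%s" %s' % (dn, requested_user)


# Constructed sample mapfile: the first entry mirrors the slide, the rest is made up.
SAMPLE_GRIDMAP = """\
# USCGrid mapfile
"/C=US/ST=California/L=Los Angeles/O=University of Southern California/OU=usc.edu/CN=shelley" shelley
"/C=US/ST=California/L=Los Angeles/O=University of Southern California/OU=usc.edu/CN=hpcadmin" hpcadmin,globus
"""

if __name__ == "__main__":
    now = datetime(2003, 4, 1, 9, 0, tzinfo=timezone.utc)
    dn = principal_to_dn("shelley@USC.EDU")
    print(dn)
    print(cert_validity(now + timedelta(hours=8), now))
    gridmap = parse_gridmap(SAMPLE_GRIDMAP)
    print(gridmap_lookup(gridmap, dn))
    print(gridmap_entry_for_request(dn, "shelley"))
```

Two things the mapfile cannot do on its own: it only answers "which local account" for a DN it already trusts, and the decision of which issuers are trusted at all is made separately by the CA certificates installed in the GSI trust directory, so the KCA's own certificate has to be installed there or a kx509 certificate never reaches the mapfile check; and because the DN is the stable part of a credential that is re-issued every session, mapping by DN is exactly what makes short-lived certificates workable here.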
Q: How hard is it to install and maintain KX.509?

A: KX.509 is my favorite NMI component. You install it, no problem. Then it runs. Really.

KX.509 & Campus Certificate Policies

Q: What about certificate policies? Do I still have to implement certificate policies if we use KX.509?

A: KX.509 doesn't buy you out of dealing with certificate policies. In a small way, it's harder to cross-certify because you're 'different'. We're working on this with 'the security community'; stay tuned.