KEK Grid CA
Go Iwai, Computing Research Center, High Energy Accelerator Organization (KEK)
The 2nd APGrid PMA Meeting at Osaka Univ.


2006/10/15, The 2nd APGrid PMA Meeting at Osaka Univ.

KEK Organization and History

High Energy Accelerator Research Organization (KEK)
– Institute of Particle and Nuclear Studies
– Institute of Materials Structure Science
– Accelerator Laboratory
– Applied Research Laboratory
  Computing Research Center
  Radiation Science Center
  Cryogenics Science Center
  Mechanical Engineering Center

History
– National Laboratory for High Energy Physics (1971)
– High Energy Accelerator Research Organization (1997), combined with the Institute for Nuclear Study
– High Energy Accelerator Research Organization reformed as an Inter-University Research Institute Corporation (2004)

KEK: High Energy Accelerator Organization

(Map slide: J-PARC, B Factory, Photon Factory, LC-Test Facility; Tokyo, Tsukuba, Tokai, ~60 km, Pacific Ocean)

Issued Certificates

Host certificates
– 73 certificates were issued
User certificates
– 26 certificates were issued
SSL server certificates
– 1 certificate was issued
– only for ICEPP (Univ. of Tokyo) and KEK

Experiences

/ field was troublesome and is not available any more
– LCG was OK
– SRB-DSI does not work for any certificates including the field
Power outage because of the regular inspection of facilities requested by the government
– Power backup by the generator was done with big effort
– We may stop the operation of the CA for 3 days next year
Securing private keys is essential for PKI operations
– However, sometimes users copy theirs to remote sites via the network and store them on distributed storage systems, even on NFS servers.
– Education is very important for users
  Regular training should be considered

Plan

Change on CP/CPS
– Currently, SSL server certificates are issued only for ICEPP and KEK; however, LCG needs SSL server certificates at each LCG site
  C=JP, O=KEK, OU=CRC, CN=FQDN
  SSL server certificates will be issued for each site
  General usage is forbidden; they are only for use with LCG
– We assumed that applicants are existing users of the KEK Computing Research Center
  Contractors in collaborating institutes cannot be users of ours
  We will change the CP/CPS to allow applications from them
– Existing users, or persons who are endorsed by the representative of a collaborating institute of KEK
We will have the first audit within this year.
– Yoshio Tanaka will be an auditor
  Thank him for his efforts
– November or December?

End. Any comment or suggestion?

Backup slides

CP/CPS

KEK GRID CA CP/CPS
– Version:
– OID:
– Conforms to RFC 2527
– Strongly inspired by the CP/CPS of NAREGI CA and AIST CA
The KEK GRID CP/CPS is managed by the KEK GRID PMA.
– Changes in contents need to be approved by the KEK GRID PMA, as described in section 8.

End Entities

Grid users, servers and services:
– Members at KEK and its collaborating institutes
– Computing facilities at KEK and its collaborating institutes

Certificate Types

User certificate:
– C=JP, O=KEK, OU=CRC, CN=Takashi Sasaki
Globus servers:
– host: C=JP, O=KEK, OU=CRC, CN=host/FQDN
– services: C=JP, O=KEK, OU=CRC, CN=ldap/FQDN
Web servers (only for LCG at KEK CRC and ICEPP, U. of Tokyo):
– C=JP, O=KEK, OU=CRC, CN=FQDN

Identification and Authentication

Prerequisite:
– The person must be an existing user of KEK CRC
  One referee among KEK employees is requested
  Applicants must be a member of one of the projects at KEK
User certificate:
– The subscriber must
  submit the application in person or by mail (or FAX) to the user administrator,
  attach a copy of his/her personal identification document with a photo, and
  have an interview in person or by video conference with the user administrator
– The user administrator confirms the application with the representative's signature on it
Host and service certificate:
– An application is required to be submitted by an existing certificate user

Certificate Restrictions

Certificate lifetime:
– 5 years for the KEK GRID CA certificate
– 1 year for each end entity certificate
User and server certificates should not be shared.
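The naming scheme on the Certificate Types slide and the lifetime limits on the Certificate Restrictions slide are the kind of profile rules an RA operator or auditor checks mechanically. The following Python is an added example written for this page, not a tool from KEK: it classifies a subject DN into the four certificate types the slides list and enforces the 5-year / 1-year lifetimes. The function names, the type labels, the leap-day tolerance and the FQDNs in the sample DNs are assumptions; only the DN prefix, the personal name printed on the slide and the lifetime figures come from the presentation.

```python
"""Checks for the KEK GRID CA certificate profile described on the slides:
subject DN shapes per certificate type, and the lifetime limits (5 years for
the CA certificate, 1 year for end entities). Added example, not KEK tooling."""
from datetime import date, timedelta

BASE_RDNS = (("C", "JP"), ("O", "KEK"), ("OU", "CRC"))  # fixed prefix from the slides

# Lifetime limits from the Certificate Restrictions slide; one extra day tolerates a leap day.
MAX_LIFETIME = {"ca": timedelta(days=5 * 365 + 1), "end-entity": timedelta(days=366)}


def parse_dn(dn):
    """Split 'C=JP, O=KEK, OU=CRC, CN=...' into an ordered list of (attribute, value).

    Plain comma splitting is enough for the DNs on the slides; RFC 4514
    escaping is deliberately not handled here."""
    rdns = []
    for rdn in dn.split(","):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn.strip()!r}")
        attr, value = rdn.split("=", 1)
        rdns.append((attr.strip(), value.strip()))
    return rdns


def looks_like_fqdn(name):
    """At least two dot-separated labels of letters, digits and hyphens, no spaces."""
    labels = name.split(".")
    return len(labels) >= 2 and all(label and label.replace("-", "").isalnum() for label in labels)


def classify_subject(dn):
    """Map a subject DN to the slide's certificate types, or raise ValueError.

    user       CN=<personal name>
    host       CN=host/<FQDN>        (Globus host certificate)
    service    CN=<service>/<FQDN>   (Globus service certificate, e.g. ldap/<FQDN>)
    webserver  CN=<FQDN>             (SSL server certificate, LCG-only on the slides)"""
    rdns = parse_dn(dn)
    if len(rdns) != 4 or tuple(rdns[:3]) != BASE_RDNS or rdns[3][0] != "CN":
        raise ValueError(f"subject does not follow the KEK GRID CA naming scheme: {dn}")
    cn = rdns[3][1]
    if not cn:
        raise ValueError("empty CN")
    if "/" in cn:
        prefix, fqdn = cn.split("/", 1)
        if not prefix or not looks_like_fqdn(fqdn):
            raise ValueError(f"CN is neither host/FQDN nor service/FQDN: {cn}")
        return "host" if prefix == "host" else "service"
    if looks_like_fqdn(cn):
        return "webserver"
    return "user"


def check_lifetime(cert_type, not_before, not_after):
    """Enforce the slide's limits on ISO dates, e.g. ('user', '2006-10-15', '2007-10-15')."""
    start, end = date.fromisoformat(not_before), date.fromisoformat(not_after)
    if end <= start:
        return "policy violation: notAfter is not after notBefore"
    limit = MAX_LIFETIME["ca" if cert_type == "ca" else "end-entity"]
    if end - start > limit:
        return f"policy violation: {cert_type} certificate lifetime exceeds {limit.days} days"
    return "ok"


def check_certificate(subject_dn, not_before, not_after, is_ca=False):
    """Combined check: returns (certificate type, verdict)."""
    cert_type = "ca" if is_ca else classify_subject(subject_dn)
    return cert_type, check_lifetime(cert_type, not_before, not_after)


if __name__ == "__main__":
    # Constructed sample inputs; the FQDN is a placeholder, the personal name is the one on the slide.
    for dn in ("C=JP, O=KEK, OU=CRC, CN=Takashi Sasaki",
               "C=JP, O=KEK, OU=CRC, CN=host/ce01.grid.example",
               "C=JP, O=KEK, OU=CRC, CN=ldap/ce01.grid.example",
               "C=JP, O=KEK, OU=CRC, CN=ce01.grid.example"):
        print(dn, "->", check_certificate(dn, "2006-10-15", "2007-10-15"))
```

Because the slides distinguish the types purely by the CN shape, a `/` in the CN is the only thing that separates a service certificate from a web-server certificate, which is why the prefix check refuses an empty prefix instead of guessing.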

Certificate Revocation

Certificates are to be revoked when …
– the RA receives a revocation request from a user.
– the user's key has been compromised or is suspected of being compromised.
– the user information on the certificate is suspected of being incorrect.
– the user loses the status of KEK CRC user (the user leaves the job, etc.).
– the CA private key has been compromised.
– a user violates his/her obligations as described in the CP/CPS Section

Revocation Request Procedure

Revocation request from a user
– The user can choose between two methods: a command-line UI and a web-based UI, both using encrypted communication between the user and the RA.
– The RA confirms a revocation request by using the client certificate, and accepts it.
– The RA sends a revocation request to the CA, located in an independent network segment.
  Communications between the RA and the CA are encrypted.
The CA security officer can execute a revocation request on behalf of the user, if necessary.

CRL

The KEK GRID CA will …
– revoke the certificate immediately after receipt and acceptance of the revocation request.
– publish the CRL on the KEK CA web site immediately.
A relying party can verify a certificate by retrieving the newest CRL from the web site.
The issued CRL is valid for 30 days.
The CRL will be reissued at least seven days before the previous one expires.
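The two numbers on the CRL slide (30 days of validity, reissue at least seven days before expiry) have a CA-side reading, a relying-party reading and an audit reading, and the following Python shows all three. It is an added example, not KEK's CA software: the function names, the status strings and the sample issue time `T0` (the meeting date, used here as a constructed timestamp) are assumptions. The two timestamps handled correspond to the thisUpdate and nextUpdate fields of an X.509 CRL.

```python
"""CRL rules from the slide: the issued CRL is valid for 30 days, and a new
one is issued at least seven days before the previous one expires.
Added example, not KEK's CA software."""
from datetime import datetime, timedelta

CRL_VALIDITY = timedelta(days=30)   # from the slide
REISSUE_LEAD = timedelta(days=7)    # from the slide
DAY = timedelta(days=1)
T0 = datetime(2006, 10, 15)         # constructed sample issue time (the meeting date)


def next_update_for(this_update):
    """nextUpdate the CA writes into a CRL issued at this_update."""
    return this_update + CRL_VALIDITY


def reissue_due(this_update, now):
    """CA side: True once the current CRL is within seven days of its nextUpdate."""
    return now >= next_update_for(this_update) - REISSUE_LEAD


def audit_issue_history(issue_times):
    """Audit helper: each CRL must be issued no later than seven days before the
    previous one expires. Returns the (previous, late) pairs that broke the rule."""
    late = []
    for prev, cur in zip(issue_times, issue_times[1:]):
        if cur > next_update_for(prev) - REISSUE_LEAD:
            late.append((prev, cur))
    return late


def crl_status(this_update, next_update, now):
    """Relying-party view of a downloaded CRL."""
    if this_update > now:
        return "not-yet-valid"      # clock skew or a bad download: do not rely on it
    if next_update <= now:
        return "expired"            # fetch the newest CRL from the web site first
    if next_update - this_update > CRL_VALIDITY:
        return "policy-violation"   # longer than the 30 days the CP/CPS allows
    return "fresh"


def is_revoked(serial, revoked_serials, this_update, next_update, now):
    """Answer only from a fresh CRL; a stale CRL is an error, never 'not revoked'.

    Treating an unusable CRL as 'not revoked' would let a revoked certificate be
    accepted simply because the current CRL could not be obtained."""
    status = crl_status(this_update, next_update, now)
    if status != "fresh":
        raise RuntimeError(f"cannot use CRL: {status}")
    return serial in revoked_serials


if __name__ == "__main__":
    nu = next_update_for(T0)
    print("nextUpdate:", nu, "| reissue due on day 23:", reissue_due(T0, T0 + 23 * DAY))
    print("late reissues:", audit_issue_history([T0, T0 + 25 * DAY]))
    print("status on day 5:", crl_status(T0, nu, T0 + 5 * DAY))
```

The design choice worth copying is in `is_revoked`: an expired or malformed CRL raises instead of returning `False`, so a relying party that cannot reach the newest CRL fails closed rather than silently accepting a certificate the CA has already revoked.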

Physical Security

CA server:
– a dedicated machine in a locked room
  The room is located in a secure building.
  It is only connected to the RA server via an exclusive network using a private address.
  The CA server cannot be reached from the Internet.
CA private key:
– protected by a FIPS Level 3 compliant HSM.
– copied to a backup device, with passphrase, kept in a key-locked shelf.

Records Archival

Types of archive data:
– All issued certificates and CRLs
– All enrollment requests and notifications between the KEK GRID CA and users
– Operation history of the CA key
– Events of interest, as described in CP/CPS 4.5.1
  login, logout, reboot, access and error logs, etc.
– Other documents about the KEK GRID CA.
The retention period is 3 years.
Archived files are preserved in a key-locked shelf.

Key Pair

The CA private key is generated by the HSM.
A user's key pair is generated on the user's PC by using a given license ID.
– The user's private key is not generated by the CA or the RA.
Key length:
– CA certificate: 2048 bits
– End entity: 1024 bits
License ID:
– 24 characters
– provided by the RA for one-time authentication at the time of the user's enrollment process.
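The license ID on the Key Pair slide is a one-time enrollment credential: the RA hands out a 24-character ID, the applicant generates the key pair on their own PC, and the ID authenticates the enrollment request exactly once. The Python below is an added example of how an RA can manage such IDs and gate the enrollment request; it is not the KEK RA software. The hashed storage, the alphabet, the 14-day expiry, the binding to the applicant's DN and the function names are assumptions; the 24-character length and the key sizes (2048-bit CA, 1024-bit end entity) are the figures from the slide.

```python
"""One-time enrollment credential modelled on the slide's 24-character license
ID, plus the key-size gate on the enrollment request. Added example, not KEK's
RA software: storage layout, alphabet, expiry and function names are assumed."""
import hashlib
import hmac
import secrets
import string
from datetime import datetime, timedelta

ALPHABET = string.ascii_uppercase + string.digits  # assumed: easy to read out or type from paper
LICENSE_LEN = 24                                    # from the slide
LICENSE_TTL = timedelta(days=14)                    # assumed validity window for an unused ID
DAY = timedelta(days=1)
T0 = datetime(2006, 10, 15)                         # constructed sample issue time

# Minimum RSA modulus sizes from the Key Pair slide (2006 figures). NIST SP 800-131A
# has disallowed 1024-bit RSA for signature generation since the end of 2013, so a
# current policy would raise the end-entity minimum to 2048.
MIN_KEY_BITS = {"ca": 2048, "end-entity": 1024}


def new_license_id():
    """24 symbols from a 36-symbol alphabet: about 124 bits of entropy from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(LICENSE_LEN))


def _digest(license_id):
    # Only a hash is stored, so a copy of the RA's database yields no usable IDs.
    return hashlib.sha256(license_id.encode()).hexdigest()


class LicenseStore:
    """RA-side records: each ID is bound to one applicant DN, expires, and is single-use."""

    def __init__(self):
        self._records = {}  # sha256(license_id) -> {"dn", "expires", "used"}

    def issue(self, applicant_dn, now):
        lid = new_license_id()
        self._records[_digest(lid)] = {"dn": applicant_dn, "expires": now + LICENSE_TTL, "used": False}
        return lid  # handed to the applicant out of band; the clear ID is never kept

    def redeem(self, license_id, applicant_dn, now):
        """Return 'accepted' exactly once for the bound DN before expiry, else a rejection reason."""
        if len(license_id) != LICENSE_LEN or any(c not in ALPHABET for c in license_id):
            return "rejected: malformed"
        rec = self._records.get(_digest(license_id))
        if rec is None:
            return "rejected: unknown"
        if rec["used"]:
            return "rejected: already used"
        if now > rec["expires"]:
            return "rejected: expired"
        if not hmac.compare_digest(rec["dn"].encode(), applicant_dn.encode()):
            return "rejected: wrong applicant"
        rec["used"] = True  # burn it before anything else happens with the request
        return "accepted"


def check_enrollment(store, license_id, applicant_dn, key_bits, now, cert_type="end-entity"):
    """RA-side gate for an enrollment request.

    The private key never reaches the RA (it stays on the applicant's PC); only the
    public key's modulus size is inspected. The size is checked before the one-time
    ID is redeemed, so a request rejected for a weak key can be resubmitted with the
    same ID and a proper key."""
    if key_bits < MIN_KEY_BITS[cert_type]:
        return f"rejected: {key_bits}-bit key below the {MIN_KEY_BITS[cert_type]}-bit minimum"
    return store.redeem(license_id, applicant_dn, now)


if __name__ == "__main__":
    store = LicenseStore()
    dn = "C=JP, O=KEK, OU=CRC, CN=Test User"  # constructed sample applicant
    lid = store.issue(dn, T0)
    print("issued:", lid)
    print("first use:", check_enrollment(store, lid, dn, 2048, T0 + 1 * DAY))
    print("replay:   ", check_enrollment(store, lid, dn, 2048, T0 + 1 * DAY))
```

Two properties matter here: the ID is compared only via its hash and marked used before the request proceeds, so a captured or replayed enrollment cannot obtain a second certificate, and the key-size check runs first so that policy rejections do not consume the applicant's single chance to enroll.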