Tweaking the Certificate Lifecycle for the UK eScience CA. John Kewley, NGS Support Centre Manager & Service Manager for the UK e-Science CA


Tweaking the Certificate Lifecycle for the UK eScience CA
John Kewley, NGS Support Centre Manager & Service Manager for the UK e-Science CA
30/03/2012, EGI CF Munich

Outline
– Certificates and the UK e-Science CA
– The lifecycle of a user certificate
– Some problems
– The CertWizard and other improvements
– Future work

Authentication vs Authorisation
– Authentication: identity, who you are (c.f. passport, identity card)
– Authorisation: what you are allowed to do (c.f. visa, or work/residence permit)

What is a CA?
A CA (Certification Authority) is a trusted entity that issues and manages digital certificates (security credentials). Trusting a particular CA means that you trust the identity of its certificate holders.

The UK e-Science CA
The UK e-Science CA issues 13-month certificates for use by users, services and hosts from the UK e-Science Grid community. Since it follows international standards and is accredited by the IGTF, its certificates are accepted by Grids around the world.

Registration Authorities
– For the CA to sign a user's certificate, the user's identity needs to be asserted.
– This role is federated to about 60 Registration Authorities (RAs) throughout the UK.
– The CA trusts their RA Operators to check the user's photo-ID and approve their certificate requests.

Certificate Lifecycle (diagram): Apply → VALID

The Apply Process (diagram): User applies for new certificate → User and RA meet face to face → RA approves request → CA signs

The Apply Process (diagram, with RA checks): User applies for new certificate → User and RA meet face to face → RA approves request → CA signs
RA checks at the meeting:
– Is the user entitled to a certificate?
– Does the photo-ID match?
– Photocopy the photo-ID and file it
– Check the PIN

Certificate Lifecycle (diagram): states VALID, EXPIRED; transitions Apply, Renew

The Renew Process (diagram): User applies for certificate renewal → RA approves renewal request → CA signs

Certificate Lifecycle (diagram): states VALID, EXPIRED, REVOKED; transitions Apply, Renew, Revoke

Browser/OS Problems
– We receive many certificate problems on our helpdesk, mostly expiries or browser issues
– Browsers change; we can't support them all
– OpenCA s/w was problematic to update

Other Problems
If a user's certificate has been revoked, or in the following situations:
– User's address changes
– User's certificate expires unexpectedly
– User wants a new certificate as their old one expired some time ago
then the user must apply for a new one (requesting revocation of their old one if required). This requires visiting the RA Operator in person.

Plan
1. Duplicate existing functionality of old web interface in new CertWizard

Old Web Interface (screenshot)

Old vs New (architecture diagram)
– Old: Browsers → https → OpenCA
– New: CertWizard, BulkNew, BulkRA → REST → CA-Server
– Both feed the CA DB and CA-Sign

CertWizard
– Platform and browser independent
– Automatically updating
– RESTful interface


Renew Certificate (screenshot)

Request Revocation (screenshot)

Plan
1. Duplicate existing functionality of old web interface in new CertWizard
2. Amend policy and extend CertWizard to permit renewing recently-expired certificates

Renew Recently Expired (diagram): states VALID, EXPIRED, REVOKED; transitions Apply, Renew, Revoke. From EXPIRED there is now a "Recent?" decision: Yes → Renew; No → renewal not permitted.

Plan
1. Duplicate existing functionality of old web interface in new CertWizard
2. Amend policy and extend CertWizard to permit renewing recently expired certificates
3. Permit virtual meetings (VC for example) for Re-Applications

Re-Applications (diagram): states VALID, EXPIRED, REVOKED; transitions Apply, Renew, Revoke, Re-Apply. From EXPIRED: Recent? Yes → Renew; No → Re-Apply. From REVOKED → Re-Apply.

The Re-Apply Process (diagram): User applies for new certificate → User and RA meet virtually → RA approves request → CA signs

Plan
1. Duplicate existing functionality of old web interface in new CertWizard
2. Amend policy and extend CertWizard to permit renewing recently expired certificates
3. Permit virtual meetings (VC for example) for Re-Applications
4. Extend CertWizard to allow changing of addresses

Change requests (diagram): states VALID, EXPIRED, REVOKED; transitions Apply, Renew, Revoke, Re-Apply (with the "Recent?" decision from EXPIRED), plus a new Change transition
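The lifecycle in the diagrams above (Apply with a face-to-face RA meeting, Renew with no meeting, Revoke, the "Recent?" decision and Re-Apply with a virtual meeting), as an added Python model that is not code from the presentation or from CertWizard. It assumes a 30-day "recently expired" window and the meeting labels in_person/virtual, neither of which the deck gives; the Change transition is left out because the following slide leaves its design open.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
# Constructed policy: the deck states 13-month certificates; the "recently expired" window is an assumption.
LIFETIME_MONTHS = 13
RECENT_GRACE = timedelta(days=30)

def add_months(d: date, months: int) -> date:
    """Advance a date by whole months (day clamped to 28 so it is always valid)."""
    y, m = divmod(d.month - 1 + months, 12)
    return date(d.year + y, m + 1, min(d.day, 28))

@dataclass
class UserCert:
    not_after: Optional[date] = None  # None until the CA first signs
    revoked: bool = False

    def state(self, today: date) -> str:
        if self.not_after is None:
            return "NONE"
        if self.revoked:
            return "REVOKED"
        return "VALID" if today <= self.not_after else "EXPIRED"

    def _issue(self, today: date) -> str:
        self.not_after, self.revoked = add_months(today, LIFETIME_MONTHS), False
        return "VALID"

    def apply(self, today: date, meeting: str) -> str:
        """First application: the RA Operator checks photo-ID face to face."""
        if self.state(today) != "NONE" or meeting != "in_person":
            raise ValueError("Apply needs no prior certificate and an in-person RA meeting")
        return self._issue(today)

    def renew(self, today: date) -> str:
        """Renew with no RA meeting: allowed while VALID or if only recently EXPIRED."""
        st = self.state(today)
        recent = st == "EXPIRED" and today - self.not_after <= RECENT_GRACE
        if st == "VALID" or recent:
            return self._issue(today)
        raise ValueError(f"cannot renew from {st}: a Re-Apply is required")

    def reapply(self, today: date, meeting: str) -> str:
        """Re-Apply after revocation or a long-expired cert; a virtual meeting suffices."""
        if self.state(today) not in ("REVOKED", "EXPIRED") or meeting not in ("in_person", "virtual"):
            raise ValueError("Re-Apply needs a REVOKED/EXPIRED certificate and an RA identity check")
        return self._issue(today)

    def revoke(self) -> str:
        self.revoked = True
        return "REVOKED"
```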

Change Requests: Design Options
1. Permit changing address at renewal, or as a separate Change process?
2. Should the RA Operator be involved?
3. Should the keys and expiry remain the same?

Plan
1. Duplicate existing functionality of old web interface in new CertWizard
2. Amend policy and extend CertWizard to permit renewing recently expired certificates
3. Permit virtual meetings (VC for example) for Re-Applications
4. Extend CertWizard to allow changing of addresses
5. Integrate CertWizard functionality with our existing MyProxy and VOMS tools

Seamless Interworking
– Integrated with MyProxyUploader, our previous proxy generation tool
– Uploading to MyProxy servers
– Local proxies
– Add VOMS attributes

Export/Backup (screenshot)

Install (screenshot)

Configuration
– CA certificates
– MyProxy servers
– VOMS servers
– Your certificate

MyProxyUploader (screenshot)

Local Proxy (screenshot)

VOMS attributes (screenshot)

Additional work
– Provide an RA Operator interface
– Bulk host certificate request interface
– Support for host certificates in CertWizard
– Online CA

Summary
– Implemented a certificate request tool
– Integrated it with our existing MyProxy tool
– Will allow renewal of recently-expired certificates
– Introduced the idea of a Re-Application
– Permit virtual meetings for Re-Applications
– Designing a Change mechanism for addresses
– Less hassle for users
– Less work for RA Operators
– Looking ahead to an online CA

Acknowledgements
Jens Jensen and David Meredith, NGS, STFC
The next NGS Seminar will be by Josh Howlett of JANET and will be entitled: "Moonshot - next generation federated identity"

Certificate Lifecycle (backup slide, diagram of CA database states): New, Approved, VALID, Archived, Deleted; transition Renew

CSR Lifecycle (diagram): CSR states New, Approved, Archived, Deleted; the certificate becomes VALID after RA Approval and Signing; transition Renew

CSR Lifecycle (diagram, renewal): states New, Approved, Archived, Deleted; transition Renewal

Revocation Lifecycle (diagram): a revocation CSR may be raised by the User, the Signing RA or another RA; states SUSPENDED, Approved, Deleted; actors RA and CA

The Revoke Process (diagram): Revocation request made by the user, the signing RA or another RA → RA approves request → CA signs