Client Authentication & Authorization for GENI XMPP Messaging Service. Anirban Mandal, Shu Huang, Ilia Baldine (RENCI); Rudra Dutta (NCSU). GEC14 I&M Session.
GEC14 I&M Session, Boston, MA, July 2012

Client Authentication and Credential Verification for GENI Messaging Service

– Authentication using GENI certs
– Verification of GENI XMLSEC credentials
– Credentials are generated using the GPO OMNI/gcf tool, entrusting specific rights to client certs, e.g. pub_measurements/polatis, sub_measurements

[Diagram: users and their clients (PubSub entities inside a slice, and PubSub entities outside a slice such as control framework entities) connect to the XMPP messaging service; the server first authenticates them with GENI certs, then verifies their GENI XMLSEC credentials]

Client Authentication

"Can a client authenticate with the XMPP server, using GENI certificates, through the authentication mechanisms the XMPP server advertises?"

– Client certificates are issued by the OMNI/gcf tool
– SASL EXTERNAL authentication is used on the XMPP server
– Mostly a one-time configuration of the XMPP server:
  – the CH (clearinghouse) certificate must be inserted into the server's client truststore, so the server can validate the chain of the client certificates the CH issued
– The JID of the client must match the CN in its certificate
  – client accounts are created on the server on the fly by the XMPP pub/sub clients

[Diagram: OMNI/gcf (gen_certs) issues the client cert; the client presents it to the XMPP server, which answers Y/N]

$ python26 gen-certs.py -u anirban

Client Authorization (credential verification) [1/2]

"Does an already authenticated client have credentials (rights) to publish and subscribe to a pubsub node?"

Two issues:
– How are client credentials generated?
– How are client credentials verified on the XMPP server during pub/sub actions?

Credential generation:
– The OMNI/gcf tool was extended (xmppcred) to generate GENI XMLSEC credentials for pub/sub actions
– Inputs: the XMPP server's cert-keypair (the private key signs the credential), the client cert (the credential owner), the CH cert, and the rights namespaces; output: the client's XMLSEC credential

$ python26 xmppcred.py xmpp-key.pem xmpp-cert.pem anirban-cert.pem \
    ch-cert.pem measurements/polatis measurements/infinera

Client Authorization (credential verification) [2/2]

"Does an already authenticated client have credentials (rights) to publish and/or subscribe to a pubsub node?"

Credential verification:
– The Openfire XMPP server's pubsub code was extended to enable credential verification
– The existing pubsub policy code (canPublish / canSubscribe) in Openfire is augmented with GENI credential verification
– On a pubsub action, the client's credentials are pulled, based on the client's JID, from a location configurable on the XMPP server
– The rights required are derived from the pubsub node the client is trying to publish to or subscribe to, and are passed to the verification code
– The pubsub action goes through only if the credential verifies on the server

For example, publishing to the "measurements/polatis/renci" pubsub node succeeds if the client credential carries the "pub_measurements/polatis" right: a right on a namespace covers the nodes beneath it.

[Diagram: authenticated clients/users send pubsub requests to the XMPP server, which verifies the client's GENI XMLSEC credentials and answers Y/N]
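The two checks on the authentication and authorization slides (JID-to-CN binding under SASL EXTERNAL, then rights lookup against the client's credential for a pubsub action), as an added worked example. This is not code from the GENI IMF project, gcf or Openfire: the XMPP domain, the user URN prefix, the credential element names (modelled on gcf's privilege credential) and the `signature_ok` hook standing in for xmlsec signature verification are all assumptions.

```python
"""Added example; not code from the GENI IMF project, gcf or Openfire.

Models the checks described on the authentication and authorization slides:
  1. SASL EXTERNAL login: the client's JID is derived from the CN of the
     certificate the clearinghouse (CH) issued, so JID local part == CN.
  2. Pub/sub authorization: the server looks up the client's XMLSEC
     credential by JID and allows the action only if a right named
     '<pub|sub>_<namespace>' covers the target pubsub node.
XML-Signature verification with xmlsec is assumed to happen in a separate
step and is represented by the 'signature_ok' argument (assumption).
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

XMPP_DOMAIN = "xmpp.example.org"                         # assumed server domain
USER_URN_PREFIX = "urn:publicid:IDN+geni:gpo:gcf+user+"  # assumed CH user URN prefix
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def jid_from_cert_cn(cn, domain=XMPP_DOMAIN):
    """SASL EXTERNAL binding: the JID local part must equal the cert CN."""
    return f"{cn}@{domain}"


def make_credential(owner_cn, rights, expires_iso):
    """Build the (still unsigned) privilege credential that a tool like
    xmppcred would then sign with the XMPP server key. Element names follow
    gcf's privilege credential layout (assumption)."""
    root = ET.Element("signed-credential")
    cred = ET.SubElement(root, "credential")
    ET.SubElement(cred, "type").text = "privilege"
    ET.SubElement(cred, "owner_urn").text = USER_URN_PREFIX + owner_cn
    ET.SubElement(cred, "expires").text = expires_iso
    privs = ET.SubElement(cred, "privileges")
    for right in rights:                      # e.g. "pub_measurements/polatis"
        priv = ET.SubElement(privs, "privilege")
        ET.SubElement(priv, "name").text = right
        ET.SubElement(priv, "can_delegate").text = "false"
    ET.SubElement(root, "signatures")         # filled in by the xmlsec step
    return ET.tostring(root, encoding="unicode")


def node_covered(namespace, node):
    """A right on namespace N covers node N and every node beneath it,
    compared per path component: 'measurements/polatis' covers
    'measurements/polatis/renci' but not 'measurements/polatisX'."""
    ns = [c for c in namespace.split("/") if c]
    nd = [c for c in node.split("/") if c]
    return len(nd) >= len(ns) and nd[:len(ns)] == ns


def authorize(action, node, jid, cred_xml, signature_ok, now_iso=None):
    """Decide a pubsub action ('pub' or 'sub') the way an extended
    canPublish/canSubscribe hook would: deny unless every check passes."""
    if action not in ("pub", "sub") or not signature_ok:
        return False
    cred = ET.fromstring(cred_xml).find("credential")
    if cred is None or cred.findtext("type") != "privilege":
        return False
    # The credential must belong to the authenticated client (JID local part == CN).
    if cred.findtext("owner_urn") != USER_URN_PREFIX + jid.split("@", 1)[0]:
        return False
    expires = cred.findtext("expires")
    if not expires:
        return False
    now = (datetime.strptime(now_iso, TIME_FMT) if now_iso
           else datetime.now(timezone.utc).replace(tzinfo=None))
    if now >= datetime.strptime(expires, TIME_FMT):
        return False
    # A right "pub_measurements/polatis" means action "pub" on namespace
    # "measurements/polatis"; split on the first underscore only.
    for name in cred.iterfind("privileges/privilege/name"):
        act, _, namespace = (name.text or "").partition("_")
        if act == action and namespace and node_covered(namespace, node):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample: the credential xmppcred would issue to "anirban".
    jid = jid_from_cert_cn("anirban")
    cred = make_credential("anirban",
                           ["pub_measurements/polatis", "sub_measurements/infinera"],
                           "2012-12-31T00:00:00Z")
    for act, node in [("pub", "measurements/polatis/renci"),
                      ("pub", "measurements/polatisX"),
                      ("sub", "measurements/infinera/ncsu")]:
        print(act, node, authorize(act, node, jid, cred, True, "2012-07-09T00:00:00Z"))
```

The namespace check is done per path component rather than as a string prefix on purpose: a plain `startswith` would let `pub_measurements/polatis` authorize publishing to `measurements/polatisX`, which is a different node. The owner check ties the credential to the authenticated JID, so a credential file placed under another user's name cannot be used by that user.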

XMPP Messaging Service Use Case: Publishing and Subscribing ORCA Slice Manifests

– The ORCA Service Manager publishes slice manifests as each slice evolves
– A Manifest Subscriber client subscribes to the relevant slice manifests (can be used for monitoring)
– Both sides authenticate with GENI certs, and the server verifies their pubsub credentials

[Diagram/screenshot: the ORCA federation publishes manifests to the XMPP messaging service; in the Manifest Subscriber client, selecting the relevant slice makes its manifest appear]

XMPP Messaging Service Use Case: OMF EC and RC

– Shown: OMF components (the Experiment Controller, EC, and the Resource Controller, RC) communicating through an XMPP messaging service [GENI IMF demos at GEC13-14]
– EC and RC can run on distinct VMs in the same slice or in different slices
– EC and RC authenticate against the XMPP server using GENI certs
– EC-RC communication messages are published by the RC to a Repository topic, a pubsub node [uses authentication and authorization]
– A Repository service subscribes to this topic and stores the messages in a MySQL database [uses authentication and authorization]

* Work done by Ahmet Babaoglu, Ashutosh Grewal and Rudra Dutta (NCSU) as part of GENI IMF