MyProxy
Jim Basney, Senior Research Scientist, NCSA

OGF19, http://myproxy.ncsa.uiuc.edu/

Slide 2: What is MyProxy?
- An Online Certificate Authority
  - Issues short-lived X.509 End Entity Certificates
  - Avoids the need for long-lived user keys
- An Online Credential Repository
  - Issues short-lived X.509 Proxy Certificates
  - Long-lived private keys never leave the server
- Supports multiple authentication methods
  - Passphrase, Certificate, PAM, SASL, Kerberos, Pubcookie, VOMS
- Open Source Software
  - Included in Globus Toolkit, UGE, NMI, VDT, and CoG Kits
  - C, Java, Python, and Perl clients available
  - Contributions from EDG, UVA, LBL, and others
- Protocol specified in GFD-E.54

Slide 3: MyProxy Logon
- Authenticate to retrieve PKI credentials
  - End Entity or Proxy Certificate
  - Trusted CA Certificates
  - Certificate Revocation Lists (CRLs)
- MyProxy maintains the user's PKI context
  - Users don't need to manage long-lived credentials
  - Enables server-side monitoring and policy enforcement (e.g. passphrase quality checks)
  - CA certificates and CRLs are updated automatically at login
- Integrates with existing authentication systems
  - Providing a gateway to grid authentication
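As an added example (not MyProxy's own code) of the server-side policy enforcement slides 2 and 3 describe, the following clips a requested proxy lifetime to a server cap and to the remaining life of the stored long-lived credential. The KEY=VALUE message layout and the field names (VERSION, COMMAND, USERNAME, LIFETIME, RESPONSE, ERROR) follow my reading of GFD-E.54 and are assumptions to check against the spec; the policy numbers and the sample request are constructed.

```python
"""Server-side lifetime policy on a MyProxy GET request (illustrative, not MyProxy's code).

Assumptions: the KEY=VALUE, newline-separated, NUL-terminated layout and the field
names VERSION/COMMAND/USERNAME/LIFETIME/RESPONSE/ERROR follow my reading of GFD-E.54
and must be checked against the spec; COMMAND=0 meaning "get proxy" is also assumed.
All policy numbers and any sample request are constructed for this example.
"""
from dataclasses import dataclass

PROTOCOL_VERSION = "MYPROXYv2"
GET_PROXY_COMMAND = "0"          # assumed code for a credential retrieval request


@dataclass
class ServerPolicy:
    max_proxy_lifetime: int      # hard cap (seconds) on any issued proxy
    stored_cred_remaining: int   # seconds left on the user's long-lived stored credential


def parse_request(raw: bytes) -> dict:
    """Parse one request message into a field dict, rejecting malformed input."""
    fields = {}
    for line in raw.rstrip(b"\0").decode("ascii").strip("\n").split("\n"):
        if "=" not in line:
            raise ValueError(f"malformed line: {line!r}")
        key, value = line.split("=", 1)
        fields[key] = value
    if fields.get("VERSION") != PROTOCOL_VERSION:
        raise ValueError("unsupported protocol version")
    return fields


def error_response(message: str) -> str:
    return f"VERSION={PROTOCOL_VERSION}\nRESPONSE=1\nERROR={message}\n"


def decide_lifetime(fields: dict, policy: ServerPolicy) -> tuple:
    """Return (granted seconds, response text): the request clipped to the server cap
    and to the stored credential's remaining life, so a proxy never outlives either."""
    if fields.get("COMMAND") != GET_PROXY_COMMAND:
        return 0, error_response("only proxy retrieval is handled here")
    try:
        requested = int(fields.get("LIFETIME", ""))
    except ValueError:
        return 0, error_response("LIFETIME must be an integer number of seconds")
    if requested <= 0:
        return 0, error_response("LIFETIME must be positive")
    granted = min(requested, policy.max_proxy_lifetime, policy.stored_cred_remaining)
    if granted <= 0:
        return 0, error_response("stored credential has expired; store a fresh one")
    return granted, f"VERSION={PROTOCOL_VERSION}\nRESPONSE=0\n"
```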

Slide 4: MyProxy Authentication
- Key Passphrase
- X.509 Certificate
  - Control credential storage, retrieval, and renewal
  - Supports trusted authentication and renewal services
- Pluggable Authentication Modules (PAM)
  - Kerberos password
  - One Time Password (OTP)
  - Lightweight Directory Access Protocol (LDAP) password
- Simple Authentication and Security Layer (SASL)
  - Kerberos ticket (SASL GSSAPI)
- Pubcookie
  - Web Single Sign-On
- Virtual Organization Membership Service (VOMS)
  - Attribute-based access control

Slide 5: MyProxy Deployment Options
- Users already have PKI credentials
  - The MyProxy repository can help users manage the credentials by:
    - Securing private keys in a professionally managed server
    - Obtaining credentials when/where needed
    - Using credentials with MyProxy-enabled applications
- Users have site logons but no PKI credentials
  - The MyProxy CA can provide the bridge
- Users need to register to obtain PKI credentials
  - User registration portals provide a MyProxy interface
    - Grid Account Management Architecture (GAMA)
    - Portal-Based User Registration Service (PURSE)

Slide 6: MyProxy-enabled Applications
- CoG Kit APIs (
- Grid portal toolkits
  - GridSphere (
  - GridPort (gridport.net)
  - OGCE (
- Authentication modules
  - JAAS (myproxy.ncsa.uiuc.edu/jaas)
  - Apache (myproxy.ncsa.uiuc.edu/apache)
  - Pubcookie (myproxy.ncsa.uiuc.edu/pubcookie)

Slide 7: MyProxy Documentation

Slide 8: MyProxy Support

Slide 9: Topics for Discussion
- Credential Renewal
- High Availability
- Attribute Support
- Web Services
- Web SSO
- Security Context Provisioning
- User Registration
- HSM Support
- Audit Logging
- Others?

Slide 10: Credential Renewal
- Existing MyProxy-based renewal support
  - EGEE Renewal Service
  - Condor-G
- Future Work
  - MyProxy-based GT4 Renewal Service
    - Integrated with GT4 Delegation Service
    - Support for GRAM, WS-GRAM, RFT

Slide 11: High Availability
- Existing support
  - Clients retry when the server is unreachable
  - Documentation for MyProxy CA replication
  - Primary-backup replication of the MyProxy repository
- Future Work
  - Robust client retry
  - Peer-to-peer repository replication

Slide 12: Attribute Support
- Existing support
  - VOMS authentication to the MyProxy server
  - GridShib CA integration with MyProxy
- Future Work
  - Issue credentials with VOMS assertions
  - SAML authentication to the MyProxy server

Slide 13: Web Services
- Currently MyProxy does not provide a Web Services interface
  - C, Java, Perl, Python APIs
- A standard Delegation Service interface is needed
  - For MyProxy, GT4, and EGEE delegation services

Slide 14: Web Single Sign-on
- Existing Support
  - MyProxy server accepts Pubcookie tokens
- Future Work
  - Shibboleth/SAML support
  - Other web SSO methods?

Slide 15: Security Context Provisioning
- Existing Support
  - MyProxy can provision user certificates, CA certificates, and CRLs
  - Requires the MyProxy server CA certificate to be installed
- Future Work
  - Java client support
  - Zero configuration bootstrap

Slide 16: User Registration
- Existing Support
  - Provided by PURSE and GAMA
  - GridShib CA and OpenIDP
- Future Work
  - Integration with MyProxy CA
  - Integration with attribute and authorization services

Slide 17: HSM Support
- Existing Prototypes
  - MyProxy repository using IBM 4738
  - MyProxy CA using Aladdin eToken
- Future Work
  - Full support for OpenSSL hardware engines in the MyProxy CA

Slide 18: Audit Logging
- Existing Support
  - All MyProxy server operations are logged to syslog
  - Recent improvements to MyProxy CA logging to meet IGTF guidelines
- Future Work
  - Include auditing information in issued credentials
  - Support standard grid logging interfaces

Slide 19: Thank you!
Questions? Comments?
For more information: