caGrid Security Overview
Mark Grand, Senior Engineer, caGrid Knowledge Center
February 7, 2011


caGrid Organization

Security Services

Dorian

Identity Provider
  - Creation and management of user accounts
  - Issues Security Assertion Markup Language (SAML) assertions as proof of authentication
  - Certificate Authority to sign SAML assertions

Identity Federation Service
  - Manages trusted identity providers
  - Manages Grid users
  - Manages host certificates
  - Issues Grid credentials (X.509 certificates)
  - Manages internal Dorian groups (e.g., Dorian administrators)

GTS Details

The Grid Trust Service (GTS) is a caGrid service enabling the provisioning and management of a grid trust fabric. The features of the GTS can be summarized as follows:
  - It provides a complete Grid-enabled federated solution for registering and managing trusted certificate authorities and their certificate revocation lists (CRLs).
  - It allows the definition and management of levels of assurance, allowing Grid administrators to group CAs appropriately into levels of assurance.
  - It supports retrieval of the current state of the trust fabric.

GTS Details (2)

GTS services can be federated or "chained" in a fashion that is similar to DNS on the Internet.

Grid of Grids

SyncGTS

The SyncGTS Service:
  - Is installed by the caGrid installer to every grid container.
  - Is responsible for keeping the local trust store for each client and service updated. Thus, every Grid node has an up-to-date view of the trust fabric, including a current list of trusted CAs and corresponding CRLs.
  - The local trust store is the ~/.globus/certificates directory.
  - SyncGTS can be run manually or from cron.

SyncGTS API

```java
// Imports follow the caGrid 1.x package layout for the SyncGTS client
import gov.nih.nci.cagrid.common.Utils;
import gov.nih.nci.cagrid.syncgts.bean.SyncDescription;
import gov.nih.nci.cagrid.syncgts.core.SyncGTS;

public static boolean synchronizeOnce(String syncDescriptionFile) {
    boolean success = false;
    try {
        // Load the sync description (which GTS to contact, which CAs/levels to accept)
        SyncDescription description =
            (SyncDescription) Utils.deserializeDocument(syncDescriptionFile, SyncDescription.class);
        // Sync the local trust store with the trust fabric once
        SyncGTS.getInstance().syncOnce(description);
        success = true;
    } catch (Exception e) {
        // A failed sync leaves the existing trust store in place; report and return false
        e.printStackTrace();
    }
    return success;
}
```

For more details see
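To make the two preceding slides concrete (the GTS trust fabric with CAs grouped into levels of assurance and their CRLs, and a SyncGTS-style pass that keeps the local ~/.globus/certificates directory in step with it), here is an added, self-contained Java 17 illustration. It is not caGrid code: the TrustedCA record, the fabric as a plain list, the file naming and the `fileHash` helper are all assumptions made for the example. The `<hash>.0` / `<hash>.r0` file names follow the Globus trust-store convention, but the real convention uses the OpenSSL subject-name hash; here a SHA-256 prefix of the subject DN stands in for it, and the PEM bodies are constructed placeholders.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import java.util.stream.Stream;

// Added illustration (not caGrid code): a trust-fabric snapshot as a GTS would publish it,
// and a SyncGTS-style pass that brings a local trust-store directory in line with it.
public class TrustFabricSync {

    /** One trusted CA as registered in the GTS: subject, certificate, CRL and level of assurance. */
    public record TrustedCA(String subjectDn, String certPem, String crlPem, String levelOfAssurance) {}

    /** Levels of assurance group the registered CAs; administrators decide which levels a node accepts. */
    public static Map<String, List<TrustedCA>> byLevel(List<TrustedCA> fabric) {
        Map<String, List<TrustedCA>> groups = new TreeMap<>();
        for (TrustedCA ca : fabric) {
            groups.computeIfAbsent(ca.levelOfAssurance(), k -> new ArrayList<>()).add(ca);
        }
        return groups;
    }

    /** Stand-in for the OpenSSL subject hash that names files in ~/.globus/certificates
     *  (assumption for this example: SHA-256 prefix of the subject DN instead of the real hash). */
    static String fileHash(String subjectDn) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(subjectDn.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder();
            for (int i = 0; i < 4; i++) sb.append(String.format("%02x", digest[i]));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    /**
     * Bring trustStoreDir in line with the fabric: write <hash>.0 (CA certificate) and <hash>.r0 (CRL)
     * for every CA in an accepted level of assurance, and delete files of CAs the fabric no longer
     * vouches for (dropped from the fabric, or in a level this node does not accept).
     * Returns the set of hashes present after the sync.
     */
    public static Set<String> syncOnce(Path trustStoreDir, List<TrustedCA> fabric,
                                       Set<String> acceptedLevels) throws IOException {
        Files.createDirectories(trustStoreDir);
        Set<String> wanted = new HashSet<>();
        for (TrustedCA ca : fabric) {
            if (!acceptedLevels.contains(ca.levelOfAssurance())) continue;
            String h = fileHash(ca.subjectDn());
            wanted.add(h);
            // Overwriting unconditionally also refreshes a CRL that changed since the last run
            Files.writeString(trustStoreDir.resolve(h + ".0"), ca.certPem());
            Files.writeString(trustStoreDir.resolve(h + ".r0"), ca.crlPem());
        }
        try (Stream<Path> files = Files.list(trustStoreDir)) {
            for (Path p : (Iterable<Path>) files::iterator) {
                String name = p.getFileName().toString();
                int dot = name.indexOf('.');
                if (dot < 0) continue;
                if (!wanted.contains(name.substring(0, dot))) Files.delete(p);
            }
        }
        return wanted;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample fabric; the PEM bodies are placeholders, not real certificates or CRLs
        List<TrustedCA> fabric = List.of(
            new TrustedCA("CN=Dorian CA, O=caGrid",
                "-----BEGIN CERTIFICATE-----\n<placeholder>\n-----END CERTIFICATE-----\n",
                "-----BEGIN X509 CRL-----\n<placeholder>\n-----END X509 CRL-----\n", "High"),
            new TrustedCA("CN=Test CA, O=Example",
                "-----BEGIN CERTIFICATE-----\n<placeholder>\n-----END CERTIFICATE-----\n",
                "-----BEGIN X509 CRL-----\n<placeholder>\n-----END X509 CRL-----\n", "Test"));
        Path dir = Files.createTempDirectory("trust-store");
        Set<String> present = syncOnce(dir, fabric, Set.of("High"));  // only the High level is accepted
        System.out.println("levels in fabric: " + byLevel(fabric).keySet());
        System.out.println("synced " + present.size() + " CA(s) into " + dir);
    }
}
```

Running `main` syncs one CA (the Test-level CA is filtered out) and prints the two levels present in the fabric. The removal step is what makes a sync more than a download: a CA that the GTS drops, or whose level an administrator stops accepting, disappears from every node on its next run, which is how a compromised or retired CA is withdrawn from the grid.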

Grid Authentication Collaboration

GTS / Dorian Circular Dependency Complicates Grid Installation

Credential Delegation Service (CDS)

  - CDS allows a grid user to delegate their grid credentials to other users and services, which can then perform grid actions as the original user.
  - A service is able to request a delegated credential from CDS.
  - The service uses the delegated credential to request other services.
  - Nothing forces a service to use a delegated credential.
  - CDS can also be used to delegate a credential to a Grid Grouper group.
  - The CDS protocol keeps private keys private.
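The last bullet is the property worth seeing in code: delegation works without the user's private key ever leaving the user, and without the service's private key ever leaving the service. The following is an added Java illustration of that shape, not caGrid or CDS code. caGrid delegation is done with X.509 proxy certificates; here a signed `DelegationToken` (delegatee's public key plus an expiry, signed with the delegator's key) stands in for the proxy certificate, and the names `delegate` and `accept` are assumptions for the example. It uses only the JDK's `java.security` API.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.time.Instant;
import java.util.Base64;

// Added illustration (not caGrid code): a delegation in which no private key crosses a trust
// boundary. The delegatee generates its own key pair and hands over only the public half; the
// delegator signs a statement binding that public key to an expiry; a relying party checks the
// statement and a proof of possession from the delegatee. Proxy certificates play this role in CDS.
public class DelegationDemo {

    /** "The delegator authorises the holder of delegateKey until notAfter", signed by the delegator. */
    public record DelegationToken(PublicKey delegateKey, Instant notAfter, byte[] signature) {
        byte[] payload() { return payloadOf(delegateKey, notAfter); }
    }

    static byte[] payloadOf(PublicKey key, Instant notAfter) {
        String p = Base64.getEncoder().encodeToString(key.getEncoded()) + "|" + notAfter.getEpochSecond();
        return p.getBytes(StandardCharsets.UTF_8);
    }

    static byte[] sign(PrivateKey key, byte[] data) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(data);
        return s.sign();
    }

    static boolean verify(PublicKey key, byte[] data, byte[] sig) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(key);
        s.update(data);
        return s.verify(sig);
    }

    /** Delegator side: receives only the delegatee's PUBLIC key and returns a signed token. */
    public static DelegationToken delegate(KeyPair delegator, PublicKey delegateKey, Instant notAfter)
            throws GeneralSecurityException {
        return new DelegationToken(delegateKey, notAfter,
                sign(delegator.getPrivate(), payloadOf(delegateKey, notAfter)));
    }

    /** Relying party: the token must be signed by the delegator and unexpired, and the caller must
     *  prove possession of the delegated key by signing a fresh challenge. */
    public static boolean accept(PublicKey delegatorKey, DelegationToken token, byte[] challenge,
                                 byte[] challengeSig, Instant now) throws GeneralSecurityException {
        if (!verify(delegatorKey, token.payload(), token.signature())) return false; // not issued by delegator
        if (!now.isBefore(token.notAfter())) return false;                          // delegation expired
        return verify(token.delegateKey(), challenge, challengeSig);                 // caller holds private half
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair user = gen.generateKeyPair();     // the grid user's credential
        KeyPair service = gen.generateKeyPair();  // the service's own key pair; private half never leaves it

        Instant now = Instant.now();
        DelegationToken token = delegate(user, service.getPublic(), now.plusSeconds(3600));

        byte[] challenge = "constructed-nonce-from-relying-party".getBytes(StandardCharsets.UTF_8);
        byte[] proof = sign(service.getPrivate(), challenge);
        System.out.println("valid delegation: " + accept(user.getPublic(), token, challenge, proof, now));
        System.out.println("after expiry:     " + accept(user.getPublic(), token, challenge, proof, now.plusSeconds(7200)));

        // A party with a different key pair cannot use the token, even though the token itself is public
        KeyPair other = gen.generateKeyPair();
        byte[] wrongProof = sign(other.getPrivate(), challenge);
        System.out.println("wrong key pair:   " + accept(user.getPublic(), token, challenge, wrongProof, now));
    }
}
```

`main` prints `true`, `false`, `false`. Two things to note when reading it against the CDS bullets: `delegate` only ever sees `service.getPublic()`, which is why the protocol can keep private keys private, and the expiry bound in the token is what limits the damage if a delegated credential is later misused, since the relying party rejects it after `notAfter` regardless of who presents it.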

Credential Delegation Service (CDS)

CDS Use