An OGSI CredentialManager Service Jim Basney, Shiva Shankar Chetan, Feng Qin, Sumin Song, Xiao Tu National Center for Supercomputing Applications, University.
An OGSI CredentialManager Service Jim Basney, Shiva Shankar Chetan, Feng Qin, Sumin Song, Xiao Tu National Center for Supercomputing Applications, University of Illinois Marty Humphrey Department of Computer Science, University of Virginia

Goals:
- Implement an OGSI credential repository service
  - Open Grid Services Infrastructure v1.0, June 2003
- Leverage OGSI capabilities where possible
  - Manage credentials with a stateful OGSI service
  - Use OGSI/GT3 security mechanisms

MyProxy credential repository:
- Secure credential storage
  - Encrypted keys never leave the repository
- Convenient credential access
  - Retrieve proxy credentials when/where needed
- Flexible credential management
  - Store multiple credentials with access policies
- Implemented using GT2 GSI libraries

Credential mobility (diagram): the user obtains a certificate from ca.ncsa.uiuc.edu, stores a proxy on myproxy.teragrid.org, and retrieves proxies on the TeraGrid login hosts (tg-login.uc.teragrid.org, tg-login.caltech.teragrid.org, tg-login.sdsc.teragrid.org, tg-login.ncsa.teragrid.org).

Grid portals (diagram): the user logs in to the CHEF portal; the portal fetches a proxy from the MyProxy server and uses it to access data on a GridFTP server.

Proxy renewal (diagram): the user submits a job to the workload management system, which submits it to the Globus gatekeeper; the workload management system fetches a proxy from the MyProxy server and refreshes the job's proxy at the gatekeeper.

Long-term credential storage (diagram): the user requests an account from the accounting system with a username and password; the accounting system obtains the user's certificate from the certificate authority and loads the user's credentials into the MyProxy server; the user then retrieves proxies from, and changes the password on, the MyProxy server.

OGSI CredentialManager:
- CredentialManager implemented using the standard GridService methods plus a getProxy() method
- Credential information published via serviceData
- Service implemented in ~500 LOC using GT3
  - Compare with ~5000 LOC for GT2 MyProxy

Storing a credential (sequence diagram):
1. The client calls createService(l, e) on the CredentialManagerFactoryService, where l = proxy lifetime and e = (name, password, max. retrieve lifetime).
2. The call runs over WS-SecureConversation with GSI proxy delegation, so the factory also receives p = delegated GSI proxy.
3. The factory creates a CredentialManager instance holding e and p.
4. The instance publishes sd = (name, lifetime) to the IndexService via publish(sd).

CredentialManager instance persistent properties:
- Credential
  - Private key, encrypted with the user password
  - Certificate chain
- Credential name
- Credential policies
  - Maximum lifetime of retrieved proxies

Retrieving a credential (sequence diagram):
1. The client queries the IndexService for the instance by name: GSH = query(name) (GSH = Grid Service Handle).
2. The client calls getProxy(c, p, l) on that CredentialManager instance, where c = proxy cert request, p = password, l = requested proxy lifetime.
3. The instance returns the signed proxy cert.
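The store and getProxy flows above, together with the persistent properties slide, describe a small state machine: the private key is kept encrypted under the user's password, retrieval checks the password, and the returned proxy's lifetime is capped by the per-credential policy. The following Python model is an added example, not code from the OGSI CredentialManager or from MyProxy; the class and method names, the PBKDF2/HMAC key wrapping, and the HMAC "signature" standing in for an X.509 proxy certificate are all assumptions made for the model. It keeps the property the MyProxy slide states, that decrypted keys never leave the repository: only a signed proxy and the certificate chain are returned.

```python
"""Model of the CredentialManager store / getProxy flow (constructed example).

The repository keeps each private key encrypted under the user's password,
verifies the password at retrieval, and caps the proxy lifetime at the
per-credential maximum. The "proxy" handed back is an HMAC tag over the
caller's request, a stand-in for an X.509 proxy certificate signed by the
stored key; the decrypted key never leaves this class.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass


def _derive_keys(password: str, salt: bytes) -> tuple:
    # PBKDF2 yields 64 bytes: first half wraps the key, second half authenticates it.
    material = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=64)
    return material[:32], material[32:]


def _keystream(key: bytes, length: int) -> bytes:
    # SHA-256 in counter mode; a toy stream cipher standing in for AES in this model.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


@dataclass
class StoredCredential:
    """Persistent properties of one CredentialManager instance (as on the slide)."""
    name: str
    salt: bytes
    encrypted_key: bytes
    tag: bytes                 # HMAC over salt + ciphertext, keyed from the password
    cert_chain: list
    max_proxy_lifetime: int    # policy: maximum seconds a retrieved proxy may be valid


class CredentialManager:
    def __init__(self):
        self._instances = {}   # credential name -> StoredCredential (hypothetical store)

    def store(self, name, password, private_key: bytes, cert_chain, max_proxy_lifetime):
        """Create a persistent instance: encrypt the key under the user's password."""
        salt = os.urandom(16)
        enc_key, mac_key = _derive_keys(password, salt)
        stream = _keystream(enc_key, len(private_key))
        ciphertext = bytes(a ^ b for a, b in zip(private_key, stream))
        tag = hmac.new(mac_key, salt + ciphertext, "sha256").digest()
        self._instances[name] = StoredCredential(
            name, salt, ciphertext, tag, list(cert_chain), max_proxy_lifetime)

    def _unlock(self, cred: StoredCredential, password: str) -> bytes:
        # A wrong password yields a different MAC key, so the tag check fails
        # before any decryption happens (it also catches tampered ciphertext).
        enc_key, mac_key = _derive_keys(password, cred.salt)
        expected = hmac.new(mac_key, cred.salt + cred.encrypted_key, "sha256").digest()
        if not hmac.compare_digest(expected, cred.tag):
            raise PermissionError("bad password for credential %r" % cred.name)
        stream = _keystream(enc_key, len(cred.encrypted_key))
        return bytes(a ^ b for a, b in zip(cred.encrypted_key, stream))

    def get_proxy(self, name, password, requested_lifetime, proxy_request: bytes, now: int) -> dict:
        """getProxy(c, p, l): sign the request with the unlocked key; lifetime capped by policy."""
        cred = self._instances.get(name)
        if cred is None:
            raise KeyError("no credential named %r" % name)
        private_key = self._unlock(cred, password)
        lifetime = min(requested_lifetime, cred.max_proxy_lifetime)
        expires = now + lifetime
        signature = hmac.new(private_key, proxy_request + str(expires).encode(), "sha256").hexdigest()
        return {"name": name, "lifetime": lifetime, "expires": expires,
                "chain": list(cred.cert_chain), "signature": signature}

    def destroy(self, name) -> bool:
        """Destroy the service instance (the counterpart of MyProxy 'remove proxy')."""
        return self._instances.pop(name, None) is not None
```

A request for a seven-day proxy against a credential whose policy allows twelve hours comes back with a twelve-hour lifetime rather than an error, matching the "maximum lifetime of retrieved proxies" policy; a wrong password is rejected by the tag check without the ciphertext ever being decrypted.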

CredentialManager operations (MyProxy vs. OGSI CredentialManager):

  MyProxy                              | OGSI CredentialManager
  -------------------------------------+----------------------------------------------------------------
  Store proxy in repository            | Create persistent service instance containing proxy
  Remove proxy from repository         | Destroy service instance
  Retrieve proxy by name and password  | Locate instance by name using IndexService, then retrieve proxy

Access control (MyProxy vs. OGSI CredentialManager):
- MyProxy: accepted_credentials, authorized_retrievers
- OGSI CredentialManager: per-credential authorization; per-instance authorization not provided

Credential renewal (diagram): the CredentialManager calls getStartedJobsSD() on the ManagedJobFactoryService and findServiceData() on each ManagedJobService.

Renewal implementation:
- Store an unencrypted credential with the CredentialManager (CM)
- CM periodically queries the ManagedJobFactoryService for the GSHs of ManagedJobService instances
- CM then queries ManagedJobService service data for user credentials nearing expiration
  - Modified ManagedJobService publishes credential info in its service data
- CM calls any method of the ManagedJobService with delegation-enabled GT3 WS-SecureConversation to refresh the credential

Password-enabled PKI:
- Currently the service authenticates via an SSL certificate, the client via a password
  - Requires trusted PKI setup on the client side
- Better to use a secure password-authenticated key exchange protocol (EKE, SPEKE, SRP, etc.)
  - Avoids the requirement of PKI setup on the client side
  - Need WS-Security bindings
- One-time passwords even better!
- passwords good, PKI bad?

Work in progress:
- WSRF.NET prototyping
- WS-Trust
- IETF SACRED

Questions? For more information: Thanks!