Alternative CA software
Jens G Jensen, UK e-Science CA, Rutherford Appleton Laboratory

A talk in three parts
- Part one, being about Baltimore uniCert
- Part two, being the second part, about pyCA
- Part three, being the third and final part, about the Java-based solution that we're working on

Part one: Baltimore uniCert

Baltimore uniCert
- Spent a day talking with Baltimore techies
- We haven't actually tested it yet...
- ...so the presentation will be salvo errore et omissione...
- You can get more information from the Baltimore web site (but you will have to register to get it)
- And we also know people you can ask...

uniCert, technical requirements
- Root CA is online; works with a FIPS 140 level 3 or 4 HSM
- Must use Oracle as the underlying database (comes with licence)
- CA Operator (see later) must run on Microsoft Windows
- All other parts of the CA run on Solaris (two boxes required)

uniCert, terminology
- "CA": the online signing system
- "RA": the online request management system
- "RA Operator" ("RAO"): the (human) RA
- "CA Operator" ("CAO"): the signing module
- "ARM": advanced registration module, a sort of "automated RAO"

Schematics (diagram; labels only survive): components CA, RA, CAO, RAX dB, Web RAO, User Web interface, Cert Status Service, ARM; links labelled CMP and SQL

uniCert, additional comments
- Can modify contents of certificates easily
- Point-and-click CA "policies"; also very easy to manage sub-CAs with different policies
- Can have different policies for different RAs
- Can do automatic renewal (on old keys)
- Cannot do automatic re-key (i.e. re-key is like an initial request: have to go through the RAs again)

Baltimore Tech
- I quote: "Full development roadmap and commitment"
- Standard protocols used whenever possible (CMP, OCSP, LDAP, SQL); not for the RAO, though
- 30 day evaluation licence available (of course this requires 30 consecutive days of my time...)

uniCert in e-Science?
- We decided not to evaluate it for now...
- ...too much work to migrate from the existing solution (uniCert mostly assumes you start from scratch)
- ...too much work to adopt the "weird" UK namespace requirements (OU and L identify the RA); may be possible with ARM but will probably be a lot of work

Part two: pyCA

Overview
- Written in Python
- Runs as CGI programs under Apache
- Front end to OpenSSL
- LDAP support
- Not being actively developed at the moment; the author "does not have time but will bugfix"

(Default) Certificate Hierarchy (diagram, reconstructed from its labels)
ROOT CA
  Auth CA         -> Auth certs
  Server CA       -> Server certs
  Code Signing CA -> Code signing certs
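Since pyCA is a front end to OpenSSL, the hierarchy above maps directly onto openssl CLI operations. The script below is an added example, not pyCA's code and not from the talk: it builds a root, the three sub-CAs and one end-entity cert under each, shows that a leaf verifies only when its own sub-CA is supplied as the intermediate, and re-signs a stored CSR to illustrate the "automatic renewal (on old keys)" distinction drawn on the uniCert slide (same public key, fresh certificate). It assumes the openssl command-line tool is installed; every subject name, file name and config section is made up.

```shell
# Added example (not pyCA's code): the pyCA default hierarchy built with the
# openssl CLI.  All names, files and config sections below are invented.
set -eu

# One self-contained OpenSSL config: a dummy DN section so `req` is happy
# (the real subject is passed with -subj) and one extension profile per tier.
write_config() {
  cat > "$1/pyca-demo.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
commonName = overridden-by-subj
[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_subca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ v3_auth ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
[ v3_server ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ v3_codesign ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = codeSigning
EOF
}

# sign_csr DIR NAME ISSUER SECTION: certify an existing CSR with ISSUER's key.
# Running it again on the same CSR is "renewal on the old key": same public
# key, fresh validity and serial number, no new request through the RA.
sign_csr() {
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.pem" -CAkey "$1/$3.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$1/pyca-demo.cnf" \
    -extensions "$4" -out "$1/$2.pem" 2>/dev/null
}

# issue DIR NAME SUBJECT ISSUER SECTION: new key and CSR for NAME, signed by
# ISSUER; ISSUER="self" produces the self-signed root.
issue() {
  openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
  if [ "$4" = self ]; then
    openssl req -new -x509 -config "$1/pyca-demo.cnf" -extensions "$5" \
      -key "$1/$2.key" -subj "$3" -days 30 -sha256 -out "$1/$2.pem"
  else
    openssl req -new -config "$1/pyca-demo.cnf" -key "$1/$2.key" \
      -subj "$3" -out "$1/$2.csr"
    sign_csr "$1" "$2" "$4" "$5"
  fi
}

build_hierarchy() {
  write_config "$1"
  issue "$1" root     "/O=pyCA demo/CN=ROOT CA"         self     v3_root
  issue "$1" authca   "/O=pyCA demo/CN=Auth CA"         root     v3_subca
  issue "$1" serverca "/O=pyCA demo/CN=Server CA"       root     v3_subca
  issue "$1" codeca   "/O=pyCA demo/CN=Code Signing CA" root     v3_subca
  issue "$1" alice    "/O=pyCA demo/CN=alice"           authca   v3_auth
  issue "$1" www      "/O=pyCA demo/CN=www.example.org" serverca v3_server
  issue "$1" build    "/O=pyCA demo/CN=build signer"    codeca   v3_codesign
}

# verify_chain DIR LEAF SUBCA: only the root is trusted; the sub-CA must be
# supplied as the untrusted intermediate, so pairing a leaf with the wrong
# sub-CA fails although both descend from the same root.
verify_chain() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/$3.pem" "$1/$2.pem" >/dev/null 2>&1
}

# pubkey_fp DIR NAME: SHA-256 of the DER public key; unchanged by a renewal.
pubkey_fp() {
  openssl x509 -in "$1/$2.pem" -noout -pubkey |
    openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}
serial() { openssl x509 -in "$1/$2.pem" -noout -serial; }

demo() {
  d=$(mktemp -d)
  build_hierarchy "$d"
  for pair in alice:authca www:serverca build:codeca alice:serverca; do
    leaf=${pair%%:*} ca=${pair#*:}
    if verify_chain "$d" "$leaf" "$ca"; then echo "$leaf via $ca: OK"; else echo "$leaf via $ca: FAILS"; fi
  done
  before=$(pubkey_fp "$d" alice); s1=$(serial "$d" alice)
  sign_csr "$d" alice authca v3_auth        # renew alice on her existing key
  after=$(pubkey_fp "$d" alice); s2=$(serial "$d" alice)
  echo "renewal kept key: $([ "$before" = "$after" ] && echo yes || echo no); $s1 -> $s2"
  rm -rf "$d"
}
demo
```

The last verification pair (alice via the Server CA) is the one that fails: all three sub-CAs chain to the same root, but a relying party still has to be handed the right intermediate, which is why per-purpose sub-CAs give real separation rather than just tidier naming.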

Part three: UK e-Science Java solution

Overview
- Submits requests to our current OpenCA system
- Written in Java as signed applets
- Crypto based on the BouncyCastle and jcetaglib libraries
- Still under development

Obligatory Diagram (labels only survive): on the user's computer thingy, a Request Applet and a Cert Applet, the private key, and the resulting cert & key; on the CA side, the online OpenCA web user interface and the offline signing system

PKCS#12
- Problems using the KeyStore class from an applet (not from a Java application)
  - Applet complains of an invalid signature on the provider
  - Problem is with JCE 1.4; works with 1.3
- The KeyStore class is used to generate the PKCS#12 file
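What the applet produces with KeyStore is the user's key and certificate wrapped in one password-protected PKCS#12 file. The script below is an added example, not the talk's Java code: it builds the same kind of bundle with the openssl CLI and then runs the two checks worth doing on any such file, that the key and the certificate inside actually belong together, and that a wrong password yields nothing rather than an unprotected bundle. It assumes openssl is installed; the self-signed certificate stands in for the one the CA would return, and the subject, file names and password are made up.

```shell
# Added example (not the applet's code): key + cert -> PKCS#12, then checks.
# Subject, file names and password are invented for the demonstration.
set -eu

# make_user_credential DIR: constructed "cert & key" for the user.  The tiny
# req config only exists so `openssl req` finds a DN section; -subj wins.
make_user_credential() {
  printf '[ req ]\ndistinguished_name = dn\nprompt = no\n[ dn ]\nCN = x\n' > "$1/req.cnf"
  openssl genrsa -out "$1/user.key" 2048 2>/dev/null
  openssl req -new -x509 -config "$1/req.cnf" -key "$1/user.key" \
    -subj "/O=UK e-Science demo/CN=Test User" -days 30 -sha256 -out "$1/user.pem"
}

# export_p12 DIR PASSWORD: key + cert -> DIR/user.p12 encrypted under PASSWORD.
# The friendly name is what KeyStore.aliases() returns when Java reads it back.
export_p12() {
  openssl pkcs12 -export -in "$1/user.pem" -inkey "$1/user.key" \
    -name "uk-escience-user" -out "$1/user.p12" -passout "pass:$2"
}

# p12_subject DIR PASSWORD: subject of the certificate inside the bundle.
# Returns non-zero on a wrong password: the integrity MAC fails before any
# content is released, which is the protection the password is there for.
p12_subject() {
  s=$(openssl pkcs12 -in "$1/user.p12" -passin "pass:$2" -nokeys -clcerts 2>/dev/null |
      openssl x509 -noout -subject -nameopt RFC2253 2>/dev/null) || s=""
  [ -n "$s" ] && printf '%s\n' "${s#subject=}"
}

# keypair_matches DIR PASSWORD: pull key and cert back out and compare their
# public-key fingerprints, catching a bundle assembled from mismatched files.
keypair_matches() {
  key=$(openssl pkcs12 -in "$1/user.p12" -passin "pass:$2" -nocerts -nodes 2>/dev/null) || return 1
  crt=$(openssl pkcs12 -in "$1/user.p12" -passin "pass:$2" -nokeys -clcerts 2>/dev/null) || return 1
  kfp=$(printf '%s\n' "$key" | openssl pkey -pubout -outform DER | openssl dgst -sha256)
  cfp=$(printf '%s\n' "$crt" | openssl x509 -noout -pubkey |
        openssl pkey -pubin -outform DER | openssl dgst -sha256)
  [ -n "$kfp" ] && [ "$kfp" = "$cfp" ]
}

demo() {
  d=$(mktemp -d)
  make_user_credential "$d"
  export_p12 "$d" "correct horse battery"
  echo "cert in bundle: $(p12_subject "$d" "correct horse battery")"
  if keypair_matches "$d" "correct horse battery"; then echo "key and cert belong together"; fi
  if p12_subject "$d" wrong >/dev/null; then echo "BUG: opened with wrong password"
  else echo "wrong password rejected"; fi
  rm -rf "$d"
}
demo
```

The `pass:` form is used here only to keep the demo self-contained; it puts the password on the command line where other local processes can read it, so outside a demo prefer openssl's `file:` or `env:` pass-phrase sources.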

Browser support
- Browsers generally come equipped with JCE 1.1 or similar
- Currently users must install 1.4

Portability
- Not very...
- Written to take some of e-Science's peculiarities into account
  - Namespace: OU and L, requirements on name forms
- Written to submit requests into OpenCA
- In the (near) future, can provide more generally useful CA software

Future developments
- Need to review the code, and clean it up
- Can replace OpenCA: since the applets provide the user-friendly interface, there is no need for OpenCA
  - Plan to replace the system with a simpler Apache/mod_ssl/Perl-CGI/OpenSSL system using a PostgreSQL database
- Produce general non-eScience software?