Leveraging Campus Authentication for Grid Scalability
Jim Jokl, Marty Humphrey
University of Virginia
Internet2 Meeting, April 2004
NMI Testbed Activity
- Early project focus: testing various NMI components and integrating them with campus infrastructure
- Next phase: more inter-campus activities, focused on Globus; however, the results can be generally applicable
- How do we facilitate sharing of data and compute resources between campuses?
- Scalability and complexity issues for the Grid: security, researcher support, sharing-equity issues
- Our focus: authentication and inter-campus trust, hence the inter-campus aspects of Globus PKI
Background: Public Key Infrastructure (PKI)
- A PKI uses asymmetric cryptography: a pair of mathematically related keys; the public key is published widely, the private key is kept secret
- An X.509 certificate is: an object signed by a Certification Authority (CA); a binding of a user's identity to their public key; an object containing attributes about the individual and the issuing Certification Authority
- Critical issues: How do you trust the credential binding? How can other institutions trust it? How would trust scale in a large Grid or Grids?
Background: Trust in a Hierarchical PKI
- Trust is based on trusting a "root" certificate
- A user certificate is trusted by validating its certificate chain up to a trusted root
- Some issues: "root" compromise; a CA per Grid vs. a CA per school vs. ?; researcher support; integrating existing campus credentials
- (Figure: a Root Certificate signs an Intermediate Certificate, which in turn signs the User A, B, C, D and E certificates)
Background: Trust in a Bridge PKI
- Enables trust between multiple hierarchical CAs
- No need to reconstitute the whole PKI if a CA is compromised
- Generally uses more infrastructure than just the cross-certificate pairs
- Can enable trust between existing PKIs, preserving technical and political separation
- Logical choice for multi-campus / multi-grid systems: enables researchers to use home-campus credentials
- (Figure: Root A signs Mid-A, which signs User A1 and User A2; Root B signs Mid-B, which signs User B1; Root n; each root is joined to the Bridge CA by a pair of cross-certificates)
PKI Bridge Path Validation
Globus & Bridge Test Environment
- A simple bridge test environment revealed that Globus can validate a bridge trust path
- All needed cross-certificates must be pre-loaded into /etc/grid-security/certificates
- It appears that all needed intermediate CA certificates must also be pre-loaded
- No known support for a directory mechanism to locate cross-certificates
- Does not appear to follow AIA URLs to obtain any needed cross or intermediate certificates
- A more complex real-world test is needed
Globus PKI Integration Notes: Campus CA Integration
- Use of campus CAs with Globus for inter-institutional sharing of resources should be manageable
- Typical campus certificate profiles (e.g. PKI-lite) work well with Globus
- Challenges will exist in locating the needed cross-certificates and intermediate CA certificates
Globus PKI Integration Notes (continued)
- Campus CA integration is complicated by the Globus interface
- Campus CAs and OS-exported certificates are generally in PKCS-12 format, whereas Globus expects raw PEM files for the certificate and the private key
- A file mapping certificate DNs to UNIX login names must be maintained: a maintenance challenge for large inter-institutional grids
Goals for Larger Test on the NMI Testbed Grid
- Test the use of Globus in a real and larger bridged PKI environment
- Enable the use of campus CAs in inter-institutional Grids
- Show that one set of campus-issued credentials can work, for use on a single grid or on multiple grids; this eases researcher pain (and support issues)
- Explore complexity issues and demonstrate scalability
- Create appropriate tools and documentation
- Prepare for Globus to leverage other activities: the Higher Education Bridge Certification Authority and the Higher Education Root Certification Authority
Higher Education Bridge Certification Authority (HEBCA)
- A project of EDUCAUSE
- Implements a bridge for higher education based on the Federal PKI bridge model
- Supports both campus PKIs and sector hierarchical PKIs
- Cross-certifies with the Federal bridge (and others as appropriate)
- Use of HEBCA with Globus may be a natural result of this work
US Higher Education Root CA
- A project of Internet2; the replacement for the CREN CA
- Designed to support campuses that wish to be part of a hierarchical CA
- The root CA signs campus CA signing certificates
- Expectation is to cross-certify with HEBCA at some level
- Campus CAs that are part of this hierarchy would also work well in a bridged Globus environment
Current Project Status
- Built testbed Bridge CA (off-line system)
- Cross-certifications: UVA complete; UAB nearly done; TACC 50%; USC getting started
- /etc/grid-security: certificates, policy files, and hash links generated via scripts; gridmap file by hand
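The pre-loading step from the test-environment slide and the "hash links and policy files generated via scripts" item above, written out as an added example (not the presentation's own script): install_ca drops a CA or cross-certificate into a Globus trust directory as <hash>.0 and writes the matching <hash>.signing_policy. The trust directory, the "Example Campus" CA name and the throwaway CA created by make_test_ca are constructed for the example; in production the directory is /etc/grid-security/certificates.

```shell
#!/bin/sh
# Added example, not from the presentation: install a CA or cross-certificate
# into a Globus trust directory the way the talk's scripts do, i.e. create the
# <hash>.0 link and the matching <hash>.signing_policy file.  The trust
# directory, the CA name and the throwaway CA below are constructed for this
# example; in production the directory is /etc/grid-security/certificates.
set -e

# install_ca <cert.pem> <trust-dir>: prints the CA subject DN on success
install_ca() {
    cert="$1"; dir="$2"
    mkdir -p "$dir"
    # Subject DN in the slash-separated form Globus uses in policy files
    subj=$(openssl x509 -noout -subject -nameopt compat -in "$cert" | sed 's/^subject= *//')
    # Namespace the CA is allowed to sign: everything beneath its own prefix
    ns=$(printf '%s' "$subj" | sed 's|/[^/]*$||')
    # Globus looks CA certs up by subject hash; write both the old (MD5)
    # and the current (SHA-1) hash names so old and new toolkits find it
    for h in $(openssl x509 -noout -subject_hash_old -in "$cert") \
             $(openssl x509 -noout -subject_hash -in "$cert"); do
        cp "$cert" "$dir/$h.0"
        cat > "$dir/$h.signing_policy" <<EOF
access_id_CA      X509         '$subj'
pos_rights        globus       CA:sign
cond_subjects     globus       '"$ns/*"'
EOF
    done
    printf '%s\n' "$subj"
}

# make_test_ca <dir>: constructed self-signed CA standing in for a campus CA
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/C=US/O=Example Campus/CN=Example Campus CA" \
        -keyout "$1/ca-key.pem" -out "$1/ca.pem" 2>/dev/null
}
```

The cond_subjects line is what limits the trust: a cross-certified campus CA is only allowed to vouch for subjects under its own namespace, so a compromised or misconfigured CA elsewhere in the bridge cannot mint identities that collide with another campus.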
Tool Development
- In addition to supporting the testbed grid via cross-certification, we plan to explore a few tools:
- A credential converter web site that takes a PKCS-12 (as is available from most enterprise CAs) and returns the PEM files needed by Globus
- A tool to chase down cross-certificates from AIA fields and build the needed Globus links and signing policy files
- Potentially: a CA using a Shibboleth-based RA, to provide certificates for campuses that have Shibboleth but are not yet operating an enterprise CA; each campus would have its own root that would be cross-certified via the testbed bridge
- We should know a lot more in a few months
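The PKCS-12-to-PEM conversion and the DN-to-login mapping from the integration-notes slide, and the credential converter planned above, as an added example (not the talk's tool): p12_to_globus splits a PKCS-12 bundle into usercert.pem and an encrypted userkey.pem with the permissions Globus requires, then appends the grid-mapfile line. The output directory, the login name "alice" and the throwaway credential built by make_test_p12 are constructed; a real credential comes from the campus CA.

```shell
#!/bin/sh
# Added example, not from the presentation: the conversion the talk's planned
# credential converter would perform (PKCS-12 in, Globus PEM files out), plus
# the grid-mapfile line that maps the certificate DN to a UNIX login.  The
# output directory, the login name and the throwaway credential built by
# make_test_p12 are constructed; a real credential comes from the campus CA.
set -e

# p12_to_globus <cred.p12> <password> <outdir> <login>: prints the subject DN
p12_to_globus() {
    p12="$1"; pw="$2"; out="$3"; login="$4"
    mkdir -p "$out"
    # Globus wants the certificate and the key as two separate PEM files
    openssl pkcs12 -in "$p12" -passin "pass:$pw" -clcerts -nokeys \
        -out "$out/usercert.pem" 2>/dev/null
    # Keep the key encrypted under the same passphrase; grid-proxy-init
    # prompts for it when a proxy is created
    openssl pkcs12 -in "$p12" -passin "pass:$pw" -nocerts \
        -passout "pass:$pw" -out "$out/userkey.pem" 2>/dev/null
    chmod 644 "$out/usercert.pem"
    chmod 600 "$out/userkey.pem"      # Globus refuses a key others can read
    # grid-mapfile entry: quoted subject DN, then the local account name
    dn=$(openssl x509 -noout -subject -nameopt compat -in "$out/usercert.pem" \
         | sed 's/^subject= *//')
    printf '"%s" %s\n' "$dn" "$login" >> "$out/grid-mapfile"
    printf '%s\n' "$dn"
}

# make_test_p12 <dir> <password>: constructed self-signed user credential
make_test_p12() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/C=US/O=Example Campus/CN=Alice Researcher" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
    openssl pkcs12 -export -in "$1/cert.pem" -inkey "$1/key.pem" \
        -passout "pass:$2" -out "$1/cred.p12"
}
```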