A New UK CA Portal. David Meredith, Jens Jensen, John Kewley.

Presentation transcript:

A New UK CA Portal
David Meredith, Jens Jensen, John Kewley

UK CA 2 Min Overview
UK CA
– Issues IGTF accredited user and certificates for the UK (other certs too – code-sign)
– issued in total, ~3000 currently valid, are 1691 host certs, 1243 certs processed using CertWizard.
– RA operator network to assert user identities (check photo IDs) to manage certificate requests (approve/reject/revoke).
– Personal TERENA certs not available to UK users (currently, free host certs but UK is not signed up and would have to pay for personal certs and establish RA network).
– UK CA certs required in EGI/international scope.

Components
Postgres CA DB
– Holds certificates, CSRs (New and Renew requests), CRRs, RA list, RA operator details.
– Does not store private keys
Signing
– Offline - manually extract requests from CA DB
– Signs requests (CSR + UK CA cert chain signatures => Cert)
– Uploads certs back into the DB
Interfaces
– OpenCA Portal (CA/RA ops) – crr/csr/approve/revoke/manage requests
– Bespoke Scripts (CA ops) – CLI DB management
– REST Server (User) – REST server used by new PECR + CertWiz
– CertificateWizard (User) – GUI request/renew/revoke/manage certificates stored in PKCS12 KeyStore file.
– PECR Scripts (User) – CLI Perl client scripts to request certificates in bulk

[Diagram: Current Situation]
Clients: Cwiz, PeCR, Cust (certs in standalone keyStore file, PKCS12); certs in browser
Server: CA DB; OpenCA: /cgi-bin/pub/pki*, /cgi-bin/ra/RAServer*; REST Server: /csr_user_request, /csr_host_request, /crr_request, /bulk_host_csr; other scripts: ‘roleChangeUtils.sh’, ‘doOpList.sh’, ‘doRa .sh’
Offline: Signing Machine (A. CSRs, B. Certs)

UK OpenCA
Our current version is old
– Requires RH4, digest code :-(
– Difficult to update to newer OpenCA due to bespoke DB changes
– Want to evolve/improve our CA into the future
3 Options:
1. DB porting exercise to new off-shelf CA portal
2. Brownfield = Refactor + update current legacy OpenCA
3. Greenfield = Roll our own replacement

Refactor+Update or Roll Own?
Build on existing code-base – usually end up re-developing with replacement code anyway.
We want to customise our CA: Recent policy changes will allow us to generate CSR + PrivKey on the server for subsequent download as .p12 file but with no retention of private key on server.
Allows us to replace current key generation in browser KeyStore (~spkac): Non standard with limited/varied browser support.
Can re-use CertWiz libs to gen CSR in new portal (imagine a portal version of CertWizard for requesting certs)

Roll Own CA Portal
1. Replace OpenCA RA+CA Interfaces/scripts with a new RA-CA Portal
2. Depending on policy changes, +/- new User Portal (or just rely on CertWiz/PECR)
[Diagram labels: Cwiz, PeCR, Cust; REST URLs /csr_user_request, /csr_host_request, /crr_request, /bulk_host_csr; portal URLs /raop/*, /caop/*, /pub/request/*, /cert_owner/renew/*; markers 1), 2), +/-]

New CA Portal
Java/JSP, Spring MVC, Spring Security
Bootstrap CSS/JavaScript lib (from Twitter)
Spring Security: “a powerful and highly customizable authentication and access-control framework. Is a de-facto standard for securing Java (Web) apps.”
– I agree, it's good, and so is Spring MVC

Spring Sec intercepts URL requests and applies different authentication filters
SpringSecurityConfig.xml
No cert required for:
- REST URLs (use own message level authentication - PPPK)
- Public pages
Inject ordered Auth provider chain
PTO

Auth Provider determines roles from DN CaJdbcUserDetailsService
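
A sketch of how the URL rules from the SpringSecurityConfig.xml slide and the DN-to-role lookup in CaJdbcUserDetailsService could be written in Spring Security's XML namespace; it is an added example, not the portal's actual configuration. The role names, the /pub/** pattern for public pages, the bean's package and its dataSource wiring are assumptions.

```xml
<!-- Added example: fragment for inside the <beans:beans> root of a Spring
     Security namespace file (default namespace = .../schema/security).
     Role names, package and dataSource bean are hypothetical. -->

<!-- REST URLs: no client certificate and no Spring Security filters.
     Each request is authenticated at message level by the REST server. -->
<http pattern="/csr_user_request" security="none"/>
<http pattern="/csr_host_request" security="none"/>
<http pattern="/crr_request" security="none"/>
<http pattern="/bulk_host_csr" security="none"/>

<!-- Public pages (assumed to live under /pub/). -->
<http pattern="/pub/**" security="none"/>

<!-- Everything else needs a client certificate that maps to a role. -->
<http use-expressions="true">
  <intercept-url pattern="/caop/**" access="hasRole('ROLE_CAOP')"/>
  <intercept-url pattern="/raop/**" access="hasRole('ROLE_RAOP')"/>
  <intercept-url pattern="/cert_owner/**" access="hasRole('ROLE_CERTOWNER')"/>
  <!-- Default deny: a URL nobody listed is not reachable by accident. -->
  <intercept-url pattern="/**" access="denyAll"/>

  <!-- The default regex extracts only the CN; "(.*)" hands the whole subject
       DN to the user-details service so roles are keyed on the full DN. -->
  <x509 subject-principal-regex="(.*)"
        user-service-ref="caJdbcUserDetailsService"/>
</http>

<!-- Looks the DN up in the CA DB (RA operator list etc.) and returns the
     matching authorities; an unknown DN raises UsernameNotFoundException. -->
<beans:bean id="caJdbcUserDetailsService"
            class="uk.example.caportal.CaJdbcUserDetailsService">
  <beans:property name="dataSource" ref="caDbDataSource"/>
</beans:bean>
```

For the certificate-free URLs to stay reachable, the TLS endpoint in front of the portal has to request a client certificate rather than require one.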

viewRalist.jsp Role Based Content Display

New RA-CA Portal /caportal/cert_owner

/caportal/raop/searchcert

/caportal/raop/viewcert?certId=34720

/caportal/raop/searchcsr

/caportal/raop/viewcsr?requestId=

/caportal/raop/searchralist

Model (MVC) Domain Model Maps to DB tables

View (MVC) Renders the Model – no logic View

Controller (MVC) - Prepares Model for view (HashMap containing domain objs + other data) Controllers

TODO
Finish RA/CA actions
– RA operator actions nearly fully reproduced
– CA operator actions (e.g. edit RA list, DB actions…)
User interface for CSRs (NEW and RENEW)
– Recently proposed policy changes mean we can generate CSR+PrivKey on the server for subsequent download (e.g. as .p12 file)
– Will make life far easier for me and for users