SURAGrid User/Host Certificate Authority. SURAgrid Meeting, March 26, 2010. Jim Jokl, University of Virginia.

Presentation transcript:

1 SURAGrid User/Host Certificate Authority SURAgrid Meeting MARCH 26, 2010 Jim Jokl University of Virginia

2 Schematic of SURAGrid Globus PKI Integration
[Diagram labels: SURAGrid Bridge CA; Campus A Grid through Campus F Grid; A's PKI through F's PKI; Cross-cert pairs]

3 SURAGrid: Original Plan
- Sites provide dedicated systems
- Trust fabric via SURAGrid Bridge CA
  - Evolve to use HEBCA & USHER when ready
- LDAP server(s) hold
  - Cross-certificate pairs
  - Globus policy files
  - Unix UID information
  - Unix login names using a naming convention
- Shim Software
  - Automates grid_mapfile
  - Manages Unix accounts
- Site Administrators
  - Manage their own users enabling or disabling their access to SURAGrid
[Diagram labels: Bridge CA, LDAP Server, Shim, Site B, Shim, Site C, Shim, Site A, Shim, Site D, Site Admins]
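
A sketch of the grid-mapfile step that the Shim is described as automating, added here as an example (it is not SURAgrid's Shim code): it turns directory records into grid-mapfile lines and rejects entries that would break the file format or remap an account. The record field names and the `sg_<site>_<user>` login convention are assumptions, and the sample entries are constructed.

```python
import re

# Constructed sample records. Field names and the sg_<site>_<user> login
# convention are assumptions for illustration, not the SURAgrid LDAP schema.
SAMPLE_ENTRIES = [
    {"subject_dn": "/C=US/O=Example University/CN=Alice Adams",
     "login": "sg_exu_aadams", "enabled": True},
    {"subject_dn": "/C=US/O=Example University/CN=Bob Brown",
     "login": "sg_exu_bbrown", "enabled": False},   # disabled by site admin
    {"subject_dn": '/C=US/O=Example College/CN=Eve" root',
     "login": "sg_exc_eve", "enabled": True},       # quote breaks out of the DN field
    {"subject_dn": "/C=US/O=Example College/CN=Carol Chen",
     "login": "root", "enabled": True},             # privileged local account
    {"subject_dn": "/C=US/O=Example College/CN=Dan Diaz",
     "login": "sg_exc_ddiaz", "enabled": True},
    {"subject_dn": "/C=US/O=Example University/CN=Alice Adams",
     "login": "sg_exc_ddiaz", "enabled": True},     # remaps an existing DN
]

# Simplified DN check: /attr=value components, no quotes, backslashes or
# control characters. Values containing "/" are rejected by this sketch.
DN_RE = re.compile(r'(/[A-Za-z0-9.]+=[^/"\\\x00-\x1f]+)+')
LOGIN_RE = re.compile(r"sg_[a-z0-9]+_[a-z0-9]+")

def build_grid_mapfile(entries):
    """Return (mapfile_text, rejected) where rejected is [(dn, reason)]."""
    mapping, rejected = {}, []
    for entry in entries:
        dn, login = entry.get("subject_dn", ""), entry.get("login", "")
        if not entry.get("enabled"):
            continue  # access switched off by the user's site administrator
        if not DN_RE.fullmatch(dn):
            rejected.append((dn, "malformed subject DN"))
        elif not LOGIN_RE.fullmatch(login):
            rejected.append((dn, "login outside naming convention"))
        elif mapping.get(dn, login) != login:
            # First mapping wins; a later, different login is not applied.
            rejected.append((dn, "conflicting login for same DN"))
        else:
            mapping[dn] = login
    lines = [f'"{dn}" {login}' for dn, login in sorted(mapping.items())]
    return "".join(line + "\n" for line in lines), rejected

if __name__ == "__main__":
    text, rejected = build_grid_mapfile(SAMPLE_ENTRIES)
    print(text, end="")
    for dn, reason in rejected:
        print(f"rejected {dn!r}: {reason}")
```

The rejected list is what a site administrator would review before the generated file replaces the live grid-mapfile.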

4 SURAGrid: Current Architecture
- Some sites will dedicate systems, others will utilize shared resources
- The Bridge CA, LDAP servers, and Site Admin infrastructure remain the same
- Sites that dedicate resources will continue to use the Shim
- Sites providing pieces of shared infrastructure will leverage the data in the LDAP servers as needed
  - Some tools are provided for grid-mapfile, cross-certs, etc
[Diagram labels: Bridge CA, LDAP Server, Shim, Site B, Site C, Shim, Site A, Site D, Site Admins]

5 A year or two ago: Target Picture?
[Diagram labels: Bridge CA, LDAP Server, Shim, Site Y, Site C, Shim, Site A, Site D, Site Admins, Bridge CA, LDAP Server, GridCA, Shim, Site B, Site Z]

6 Current State
[Diagram labels: Bridge CA, LDAP Server, Shim, Site B, Site C, Shim, Site A, Site D, Site Admins, SURAGrid USER CA, InCommon, iKey, Grid User Certificate]

7 Some Action Items for Production
- InCommon Interface
  - Any InCommon user direct use?
  - A list of EPPNs of site administrators
- Direct integration with SURAgrid LDAP?
- Cross-certification with final keypair

8 Discussion
- What else?
1. Enable the InCommon service as-is asap (admins are the only ones that can generate a certificate)
2. Soon, enable users from InCommon schools to obtain certificates whenever they want
3. Add in the host cert function for site admins only
4. More discussion in the future on what/if to integrate with LDAP (might be able to let site admins auto register user certs in ldap via checkbox)
5. Redo SURA iKeys
6. Make the SURAGrid User CA root certificate available for download
7. Fix the spelling “SURAgrid” – little G