Presentation is loading. Please wait.

Presentation is loading. Please wait.

20-21 January 2005 Athens, 20-21 January 2005 HellasGrid CA & euGridPMA EGEE 3rd Parties Advanced Induction Course January, 2005 - NTUA, Athens Kanellopoulos.

Published byDamon Montgomery Modified over 8 years ago

Similar presentations

Presentation on theme: "20-21 January 2005 Athens, 20-21 January 2005 HellasGrid CA & euGridPMA EGEE 3rd Parties Advanced Induction Course January, 2005 - NTUA, Athens Kanellopoulos."— Presentation transcript:

1 20-21 January 2005 Athens, 20-21 January 2005 HellasGrid CA & euGridPMA EGEE 3rd Parties Advanced Induction Course January, 2005 - NTUA, Athens Kanellopoulos Christos (skanct@physics.auth.gr) HellasGrid CA Manager

2 20-21 January 2005 Athens, 20-21 January 2005 PKI and Grids The primary needs for a grid security infrastructure are: –Secure communication (authenticated and perhaps confidential) between the grid elements. –Support security across organizational boundaries –Single Sign On, including delegation of credentials Central concept in the GSI authentication is the Certification Authority and the Certificate

3 20-21 January 2005 Athens, 20-21 January 2005 Grid Certificate is encoded in the X.509 certificate format Includes 4 primary pieces of information: –A subject name –The public key –The identity of the CA –The digital signature of the named CA Is nothing more than a “passport”. Important: The certificate is used only to authenticate (identify) entities on the Grid.

4 20-21 January 2005 Athens, 20-21 January 2005 Grid CA The CA is a trusted 3rd party that is used to certify the link between the public key and the subject in the certificate. is usually a CA at national level Its purpose is to sign certificates for individual who are to access Grid resources, hosts or services In order for a Grid CA to be accepted with the current Globus based european infrastructure, it must be first accredited by the euGridPMA

5 20-21 January 2005 Athens, 20-21 January 2005 CACG and euGridPMA CACG was established by the FP5 projects DataGrid & CrossGrid and included other project worldwide as a need to facilitate the deployment of international testbeds for Grid computing by having a commonly recognized way to assert identities. The group was chartered to: –Coordinate the CA infrastructure for CrossGrid and DataGrid. –Make recommendation to relying parties within the programs regarding the acceptance of the certificates issued by the participating CAs

6 20-21 January 2005 Athens, 20-21 January 2005 euGridPMA evolution of CACG to a panEuropean body of Grid CA managers, endorsed by the eIRG (thanks much to the efforts of GRNET). 34 members from Europe, North America and Asia

7 20-21 January 2005 Athens, 20-21 January 2005 euGridPMA The PMA is responsible to: –Define and issue minimum requirements and best practice documents; these minimum requirements may govern any aspect of the certificate issuance –Maintain and revise these documents –Accredit authorities in respect to the minimum requirements –Be primarily concerned with Grid communities in Europe and their external partners –Foster trust relations for authentication purposes within the context of interorganizational resource sharing.

8 20-21 January 2005 Athens, 20-21 January 2005 Towards a GlobalGridPMA On June 2004 a new Grid PMA was created in the Asia-Pacific Region (APGridPMA) and was presented at the euGridPMA meeting that took place on September. On November 2004 another Grid PMA was created that covers America (TAGPMA). It will be presented in the meeting next week.

9 20-21 January 2005 Athens, 20-21 January 2005 Towards a GlobalGridPMA Need to establish trust at the PMA level Coordination of the minimum requirements across PMAs Need to establish a global PMA.

10 20-21 January 2005 Athens, 20-21 January 2005 HellasGrid CA Was created during the 1st quarter 2002 On May 2002 started the procedure of acceptance by the CACG Acceptance on October 2002 after a 5 month review. From the beginning the scope was to serve any grid projects within Greece in need for certificates Active participation in euGridPMA and GGF CA-Ops WG.

11 20-21 January 2005 Athens, 20-21 January 2005 HellasGrid Certificates Entities involved in the certificate life cycle: –CA: Certification Authority. It’s purpose is to sign certificates, revoke certificates, renew certificates, issue crls, operate repository, operate ca web site, maintain and revise the HellasGrid CP/CPS –RA: Authenticate user requests (certificate requests, revocation requests, renewal requests), communicate directly with the user, forward authenticated requests to the CA, keep a log of each action taken. –End entities: certificate, renewal, revocation requests, accept and follow the CP/CPS guidelines

12 20-21 January 2005 Athens, 20-21 January 2005 HellasGrid Certificate Issuance Current situation: –AUTH provides both CA and the RA for the whole Greece. (the users communicate directly with the CA HellasGrid CA CrossGrid user @ AUTH GridLab user @ NTUA CrossGrid user @ DEMO EGEE user @ GRNET

13 20-21 January 2005 Athens, 20-21 January 2005 Certificates for physical person –The user creates the certificate request on his/her workstation via grid-cert-request –The user sends the certificate request to hellasgrid-ca@grid.auth.gr hellasgrid-ca@grid.auth.gr –The CA must receive a fax from the supervisor of the user in which it is be stated that the user is member of the institute. – The on duty CA Manager will contact the supervisor via phone call to verify the fax. – The signed certificate is sent to the user who has 7 working days to sent a signed e-mail at hellasgrid-ca@grid.auth.gr stating the acceptance of the CP/CPS hellasgrid-ca@grid.auth.gr

14 20-21 January 2005 Athens, 20-21 January 2005 Certificates for servers/service – The user creates the certificate request on his/her workstation via grid-cert-request – The user sends the certificate request at hellasgrid-ca@grid.auth.gr via signed e-mail. hellasgrid-ca@grid.auth.gr – The signed certificate is sent to the user who has 7 working days to sent a signed e-mail at hellasgrid-ca@grid.auth.gr stating the acceptance of the CP/CPS hellasgrid-ca@grid.auth.gr

15 20-21 January 2005 Athens, 20-21 January 2005 HellasGrid Certificate Issuance The service is operational for 3 years … But there are drawbacks: –A lot of bureaucracy is involved – Does not scale!

16 20-21 January 2005 Athens, 20-21 January 2005 Distributed RA scheme Create distributed RAs that will serve all the locations At least 1 area of: –Crete –Patra –Aegean –Athens –Ioannina –Thessaloniki 1 RA at each Institute as user base grows. CA RA CreteAthensAegean Helpdesk

17 20-21 January 2005 Athens, 20-21 January 2005 CA CA Portal The players… RA Subscriber

18 20-21 January 2005 Athens, 20-21 January 2005 CA 1.User generates a key pair. Private key must be 1024 or 2048 bits long and protected by strong pass phrase (>= 12 chars..) RA CA Portal

19 20-21 January 2005 Athens, 20-21 January 2005 CA 2. If user hasn’t identified herself to the RA within the last 3 years, she must appear personally and present her photo ID or passport along with formal papers which state her affiliation. RA CA Portal (2)

20 20-21 January 2005 Athens, 20-21 January 2005 CA (3) 3.RA authenticates himself in the CA portal and enters the user information (name, e-mail, affiliation) in the Register Form 4.the portal generates a 10 digit number and the first 5 digits are shown to the RA. 5.The RA prints the 5 digit number and gives it to the user. 6.The rest 5 digits are sent to the registered e-mail address. 7.An SHA1 hash of the 10 digit number is kept in the database along with the user information RA CA Portal (2) (4) (5) (6)

21 20-21 January 2005 Athens, 20-21 January 2005 CA 8.The user has 2 working days, to go to the CA portal and authenticate herself using the 10 digit number. If the user already has a valid HellasGrid certificate then see can access the portal at any time (a new 10 digit number will be generated) 9.The user submits her CSR using the form provided. A SHA1 hash will be generated the moment the user submits the form and it will be sent via e-mail to the corresponding RA and the CA, while it will also be saved in the database. 10.The CSR request will appear in the “Pending Section” of the RA that initially identified/authenticated the user. It is up to the RA to check if the CSR should be approved. RA CA Portal (9) (10)

22 20-21 January 2005 Athens, 20-21 January 2005 CA 11.If the CSR is approved, it will appear to the CA as a “Certificate Pending for Signature” 12.The CA signs offline the certificate and submits the signed certificate in the portal. 13.The RA Manager is notified about the new certificate via e-mail. 14.The RA Manager informs the user via e-mail that her certificate is ready to be downloaded from the CA portal. RA CA Portal (11), (12) (13) (14)

23 20-21 January 2005 Athens, 20-21 January 2005 CA 15The user access the portal and authenticates herself using the 10 digit number. She is now able to download her new certificate. The user is asked if she wants her certificate to be published in the public directory. 16 Within 5 working days the user must send a signed e-mail to the RA Manager and the CA Manager stating that she adheres to the CP/CPS under which her certificate was signed. RA CA Portal (16) (15)

24 20-21 January 2005 Athens, 20-21 January 2005 - The requestor must already have a valid HellasGrid CA certificate before requesting a server or service certificate; - The submission of the certificate request can be done either via a web interface or via e-mail. Host/Service Cert Request

25 20-21 January 2005 Athens, 20-21 January 2005 - Case 1: Web interface - The user will have first to import her certificate in the browser in order to be authenticated “automatically” by the CA portal; - upon successful authentication the user will be able to submit the certificate request via a web based form; -The corresponding RA checks the users affiliation, the DNS name in the csr and the naming scheme. Host/Service Cert Request

26 20-21 January 2005 Athens, 20-21 January 2005 - Case 2: Email submission - The user will send an e-mail signed by her certificate to seegrid-ra@grid.auth.gr with the certificate requests attached. - The certificate request will be forwarded to the appropriate RA -The corresponding RA checks the users affiliation, the DNS name in the csr and the naming scheme. Host/Service Cert Request

27 20-21 January 2005 Athens, 20-21 January 2005 - If the RA approves the request, the certificate will be signed by the CA, uploaded in the portal and the RA is notified; -The RA notifies the user about her new certificate(s). -The user accesses the portal and downloads her certificate(s) (need to import her certificate in the browser first in order to be authenticated) -Within 5 working days the user must send a signed e-mail to the RA Manager and the CA Manager stating that she will adhere to the CP/CPS under which her certificate was signed. Host/Service Cert Request

28 20-21 January 2005 Athens, 20-21 January 2005 MyProxy Service  Normal life time for a grid-proxy is 12h. This not suitable for running long time jobs.  This behavior can be overridden using the flag -valid (NOT secure as Grid proxies are stored in /tmp)

29 20-21 January 2005 Athens, 20-21 January 2005 MyProxy Service  The MyProxy service is an Online Credential Store  The proxy certificates are stored in a remote system and can be retrieved whenever and wherever one needs them. No need to manage private and public certificates on User Interfaces.

30 20-21 January 2005 Athens, 20-21 January 2005 MyProxy Service  Since November 2004 AUTH has been operating a myproxy service located at myproxy.grid.auth.gr  The service is hosted on a stand alone server which is monitored 24/7 with HIDS and NIDS

31 20-21 January 2005 Athens, 20-21 January 2005 Authorization Services  AUTH will provide VO services for the HellasGrid/EGEE-SEE region based on VOMS  The first server will be operational by the end of January 2005.  The service is hosted on a stand alone server which is monitored 24/7 with HIDS and NIDS

32 20-21 January 2005 Athens, 20-21 January 2005 VOMS Features  Single login using voms-proxy-init only at the beginning of the session (was grid-proxy-init)  Expiration time: the authorization information is only valid for a limited period of time as the proxy certificate itself  Backward compatibility: the extra VO related information is in the user's proxy certificate, which can be still used with non VOMS-aware services  Multiple VOs: the user may "log-in" into multiple VOs and create an aggregate proxy certificate, which enables her to access resources in any of them

33 20-21 January 2005 Athens, 20-21 January 2005 The End. Questions?

Download ppt "20-21 January 2005 Athens, 20-21 January 2005 HellasGrid CA & euGridPMA EGEE 3rd Parties Advanced Induction Course January, 2005 - NTUA, Athens Kanellopoulos."

Similar presentations

Introduction of Grid Security

Introduction of Grid Security
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.
Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.
MyProxy: A Multi-Purpose Grid Authentication Service

MyProxy: A Multi-Purpose Grid Authentication Service
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.

Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.

Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.
Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct, 17 2012.

Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct,
Presentation Two: Grid Security Part Two: Grid Security A: Grid Security Infrastructure (GSI) B: PKI and X.509 certificates C: Proxy certificates D:

Presentation Two: Grid Security Part Two: Grid Security A: Grid Security Infrastructure (GSI) B: PKI and X.509 certificates C: Proxy certificates D:
Grid Security. Typical Grid Scenario Users Resources.

Grid Security. Typical Grid Scenario Users Resources.
CAs, RAs & PMAs CAs, RAs & PMAs Roberto Cecchini INFN CA Manager EUIndiaGrid kick-off Trieste, 19/10/06.

CAs, RAs & PMAs CAs, RAs & PMAs Roberto Cecchini INFN CA Manager EUIndiaGrid kick-off Trieste, 19/10/06.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org JRA3 2 nd EU Review Input David Groep NIKHEF.

INFSO-RI Enabling Grids for E-sciencE JRA3 2 nd EU Review Input David Groep NIKHEF.
WAP Public Key Infrastructure CSCI 5939.02 – Independent Study Fall 2002 Jaleel Syed Presentation No 5.

WAP Public Key Infrastructure CSCI – Independent Study Fall 2002 Jaleel Syed Presentation No 5.
1 REUNA Certificate Authority Juan Carlos Martínez REUNA Chile Rio de Janeiro,27/03/2006, F2F meeting, TAGPMA.

1 REUNA Certificate Authority Juan Carlos Martínez REUNA Chile Rio de Janeiro,27/03/2006, F2F meeting, TAGPMA.
National Institute of Advanced Industrial Science and Technology Auditing, auditing template and experiences on being audited Yoshio Tanaka

National Institute of Advanced Industrial Science and Technology Auditing, auditing template and experiences on being audited Yoshio Tanaka
Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.

Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.
Authentication Policy David Kelsey CCLRC/RAL 15 April 2004, Dublin

Authentication Policy David Kelsey CCLRC/RAL 15 April 2004, Dublin
Summer School Certificates Diego Romano & Gilda Team.

Summer School Certificates Diego Romano & Gilda Team.
CILogon OSG CA Mine Altunay Jim Basney TAGPMA Meeting Pittsburgh May 27, 2015.

CILogon OSG CA Mine Altunay Jim Basney TAGPMA Meeting Pittsburgh May 27, 2015.
NECTEC-GOC CA APGrid PMA face-to-face meeting. October, 15 2006 Sornthep Vannarat National Electronics and Computer Technology Center, Thailand.

NECTEC-GOC CA APGrid PMA face-to-face meeting. October, Sornthep Vannarat National Electronics and Computer Technology Center, Thailand.

Similar presentations

Ads by Google