OSG PKI Transition Mine Altunay OSG Security Officer


1 OSG PKI Transition
Mine Altunay, OSG Security Officer
maltunay@fnal.gov

2 The OSG PKI Transition
Transition from DOEGrids CA to OSG CA.
OSG CA will provide the user and host/service certificates necessary for authentication.
DOEGrids CA will STOP issuing new certs or renewing existing certs in mid-March 2013.
Because of the number of people and certs involved, and so as not to inconvenience people, we plan a gradual transition to OSG CA: people will apply to OSG CA as their existing certs expire.
Let’s say:
– You have a DOEGrids CA cert set to expire in August 2013. You can still use your cert until August 2013. When you need to renew, you have to apply to OSG CA.
– You have a DOEGrids CA cert set to expire in December 2012. You can still use your cert until December 2012. When you need to renew, you can apply to DOEGrids CA or OSG CA for a renewal cert. Next year, in December 2013, when you need to renew again, you have to apply to OSG CA.
11/6/12 2 OSG PKI Transition

3 The OSG PKI Transition
– If you need a brand new certificate in April 2013, you should apply to OSG CA.
– If you need a brand new certificate in December 2012, you can apply to OSG CA or DOEGrids CA. We recommend applying to OSG CA.
OSG CA is currently functional and providing certs. If you wish, you can obtain certs from OSG CA now.

4 The OSG CA
OSG CA has two components:
– Web-based front-end service hosted at GOC OIM.
  This is where users will interact with the OSG CA. All of the CA services will be accessed via the OIM website.
  End users, system admins, RA Agents/GridAdmins, basically everyone, will only interact with this interface.
– Back-end services provided by DigiCert CA.
  Will perform CA services: issuance, revocation.
  Invisible to OSG users. You will never need to interact directly with DigiCert CA.
OSG CA services are accessible via the GOC OIM web site.
Command-line scripts are designed for host/service certificates. There are no command-line tools for end users.

5 Impacts of the Transition
It will have an impact on everyone who uses certs for authentication: end users, system admins, RA Agents/GridAdmins.
End users:
– Need to obtain certs from OSG CA.
– The new certificate Distinguished Name (DN) is DIFFERENT from DOEGrids CA cert DNs.
– Need to register the new certificate DN with all the services that do access control based on certs: VOMS, twikis, any VO services that use certs (e.g. for CMS, Phedex, siteDB, twiki, etc.). Check with your VO manager for a complete list.
– Test the new cert: try accessing grid resources and web resources with the new cert.

6 Impacts of the Transition
System admins:
– Need to obtain host and service certs from OSG CA.
– If you have GridAdmin privileges, then check the impacts on the GridAdmins on the next slide.
– New command-line tools to request certs. Explained at https://twiki.grid.iu.edu/bin/view/Operations/OSGPKICommandlineClients
– Import the new trust roots into your /etc/grid-security/certificates directory. If you get the latest OSG CA bundle, this is already taken care of.
– If you have access control on your services, make sure you register the new user DNs with your services' white list.

7 Impacts of the Transition
Registration Authority Agent (RA Agent)/GridAdmin (GA):
– If you played the RA Agent or GA role in DOEGrids CA, you should continue to play these roles with OSG CA.
– Take the OSG RA Agent/GA training available online.
– https://twiki.grid.iu.edu/bin/view/Security/OSGPKITraining
– Please let me know if you have not enrolled with OSG CA.
GridAdmins:
– Special system admins who can request and approve host/service certificates for their domains in large numbers without any intervention, all automated.
– Functionalities are preserved, but the command-line interface is changed.

8 Questions?

