Presentation is loading. Please wait.

Presentation is loading. Please wait.

Operations Management Board 19th Dec. 2013

Published byNaomi Dickerson Modified over 6 years ago

Similar presentations

Presentation on theme: "Operations Management Board 19th Dec. 2013"— Presentation transcript:

1 Operations Management Board 19th Dec. 2013
The eTokenServer (A standard-based solution developed by INFN Catania for central provisioning of robot credentials) Giuseppe LA ROCCA INFN - Catania, Italy Operations Management Board 19th Dec. 2013

2 Outline Introduction to the “light-weight” crypto library
Java™ PKCS#11, Bouncy Castle and Java CoG Kits VOMS-Admin APIs v.3.0 Apache Tomcat as a Web Container JAX-RS 1.2 Java APIs using Jersey implementation The Architecture Accounting feature (with RFC proxies only) Usage Statistics Summary and Conclusions

3 Introduction to the “light-weight” crypto library:
Java™ PKCS#11, Bouncy Castle and Java CoG Kits VOMS-Admin APIs v.3.0 Apache Tomcat as a Web Container JAX-RS 1.2 Java APIs using Jersey implementation

4 Some driving considerations …
The standard-based crypto library interface has been designed to provide seamless and secure access to computing e-Infrastructures using robot certificates The business logic of the library, deployed on top of an Apache Tomcat Application Server, combines different programming native interfaces and standards such as the: “cryptoki” Java™ Cryptographic Token Standard Interface (PKCS#11) libraries, Open source BouncyCastle libraries, Java CoG Kits APIs, VOMS-Admin APIs, RESTful technology (JSR 311).

5 SW packages adopted The Cryptographic Token Interface Standard (PKCS#11) is a standard introduced by RSA Data Security Inc; It defines native programming interfaces to access cryptographic tokens, (hardware cryptographic accelerators, smart cards, …) The Bouncy Castle APIs provide support for creating two kinds of X.509 certificates (ver.1 and ver.3) The Java CoG Kits APIs allow users to provide Globus Toolkit functionality within their code without calling scripts, or in some cases without having Globus installed VOMS-Admin APIs (ver. 3.0), developed in the context of the DILIGENT and D4Science projects, were used for interacting the VOMS server and retrieve the list of groups/roles per VO The JAX-RS (Java API for RESTful Web Services) specification presented in JSR 311 defines a standard way to deploy RESTful web services

6 Application Server Deployed on Tomcat Application Server (v7.0.27)
Caching of proxy certificates for each valid requestID (MD5SUM+vo+[fqan]+[options]): If lifetime(requestID)-12h>0  the cached proxy is sent to the Science Gateway Thread-safe access to the list of smart cards Evaluated performance of the server using Apache JMeter™ ~ 6-8 sec. Waiting time for a new proxy 20 msec. If the proxy is cached

7 Hardware Tokens To reduce the risks to have the robot certificate compromised, different CAs decided to store this new certificate on board of the Aladdin eToken USB smart cards Costs: eToken PRO 64KB € 49,00 eToken PKI Client € 15,90 eToken Shell € 2,00 The Aladdin eToken smart card can support several certificates: 4 certificates per each eToken PRO 64KB PKI Client supports maximum 16 slots! A token PIN is prompted every time the user needs to interact with the smart card

8 The Architecture The typical working scenario The web interface (protected) Some statistics More info

9 The five-layer architecture of the “light-weight” standard-based crypto library

10 The typical working scenario…

11 The web interface (protected access)
Use the VOMS-Admin APIs to get the list of groups/roles

12 The web interface (protected access)

13 The web interface (protected access)

14 An experimental solution to account users of Robot Certificate
Adding some user information (CN=…) for accounting aims (no security!) during the robot proxy generation process: /C=IT/O=INFN/OU=Robot/L=Catania/CN=Robot: Catania Science Gateway - Roberto Barbera/CN=Giuseppe La Rocca/CN= Only RFC proxies are supported (no legacy) The additional user’s information have to be provided by a portal:  No CN checks are implemented at VOMS level  Users could be known only by the portal Impact on EGI accounting is under evaluation Compliant with standards and security policies [1, 2]

15 Who is using the library ?
The eTokenServer service is currently used by the following different Science Gateways:

16 Some usage statistics …

17 Get more info … ?

18 Summary & Conclusions The eTokenServer is currently used as central service to provision robot proxy credentials to different VRCs  It provides a transparent and secure mechanism to access robot certificates installed on USB smart cards  We are available to offer the eTokenServer features as EGI catch-all service for free The business logic relies on different standards: The Cryptographic Token Interface Standard (PKCS#11) The Open source BouncyCastle Java libraries The Java CoG Kits APIs The VOMS-Admin APIs The JAX-RS 1.2 Java APIs using Jersey implementation By design the eTokenServer is compliant with the policies reported in these two documents: EUGridPMA guidelines, OperationsGuideline With the latest release the eTokenServer is now possible to account users of Robot Certificates (RFC proxies only)

19 Any questions, comments or remarks are very welcome.
Please contact us:

Download ppt "Operations Management Board 19th Dec. 2013"

Similar presentations

CHEP 2000, 10.02.2000Roberto Barbera Roberto Barbera (*) GENIUS: a Web Portal for the GRID Meeting Grid.it, Bologna, 14.02.2003 (*) work in collaboration.

CHEP 2000, Roberto Barbera Roberto Barbera (*) GENIUS: a Web Portal for the GRID Meeting Grid.it, Bologna, (*) work in collaboration.
MyProxy Jim Basney Senior Research Scientist NCSA

MyProxy Jim Basney Senior Research Scientist NCSA
DataGrid is a project funded by the European Commission under contract IST-2000-25182 WP2 – R2.1 Overview of WP2 middleware as present in EDG 2.1 release.

DataGrid is a project funded by the European Commission under contract IST WP2 – R2.1 Overview of WP2 middleware as present in EDG 2.1 release.
Secure Lync mobile Authentication

Secure Lync mobile Authentication
Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.

Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.
National Center for Supercomputing Applications University of Illinois at Urbana-Champaign This material is based upon work supported by the National Science.

National Center for Supercomputing Applications University of Illinois at Urbana-Champaign This material is based upon work supported by the National Science.
Dr. Sarbari Gupta Electrosoft Services Tel: (703)757-9096 Security Characteristics of Cryptographic.

Dr. Sarbari Gupta Electrosoft Services Tel: (703) Security Characteristics of Cryptographic.
About PKI Key Stores Dartmouth College PKI Lab. Key Store Defined Protected “vault” to hold user’s private key with their copy of their x.509 certificate.

About PKI Key Stores Dartmouth College PKI Lab. Key Store Defined Protected “vault” to hold user’s private key with their copy of their x.509 certificate.
Securing Data Storage Protecting Data at Rest Advanced Systems Group Dell Computer Asia Ltd.

Securing Data Storage Protecting Data at Rest Advanced Systems Group Dell Computer Asia Ltd.
Public Key Infrastructure from the Most Trusted Name in e-Security.

Public Key Infrastructure from the Most Trusted Name in e-Security.
Riccardo Bruno INFN.CT Sevilla, 10-14 Sep 2007 The GENIUS Grid portal.

Riccardo Bruno INFN.CT Sevilla, Sep 2007 The GENIUS Grid portal.
The EPIKH Project (Exchange Programme to advance e-Infrastructure Know-How) Grid Engine Riccardo Rotondo

The EPIKH Project (Exchange Programme to advance e-Infrastructure Know-How) Grid Engine Riccardo Rotondo
© 2005-07 NeoAccel, Inc. TWO FACTOR AUTHENTICATION Corporate Presentation.

© NeoAccel, Inc. TWO FACTOR AUTHENTICATION Corporate Presentation.
Towards a Javascript CoG Kit Gregor von Laszewski Fugang Wang Marlon Pierce Gerald Guo

Towards a Javascript CoG Kit Gregor von Laszewski Fugang Wang Marlon Pierce Gerald Guo
The gLite API – PART I Giuseppe LA ROCCA INFN Catania ACGRID-II School 2-14 November 2009 Kuala Lumpur - Malaysia.

The gLite API – PART I Giuseppe LA ROCCA INFN Catania ACGRID-II School 2-14 November 2009 Kuala Lumpur - Malaysia.
23:48:11Service Oriented Cyberinfrastructure Lab, Grid Portals Fugang Wang April 29

23:48:11Service Oriented Cyberinfrastructure Lab, Grid Portals Fugang Wang April 29
GILDA testbed GILDA Certification Authority GILDA Certification Authority User Support and Training Services in IGI IGI Site Administrators IGI Users IGI.

GILDA testbed GILDA Certification Authority GILDA Certification Authority User Support and Training Services in IGI IGI Site Administrators IGI Users IGI.
The gLite API – PART I Giuseppe LA ROCCA INFN Catania Master Class for Life Science, 4-6 May 2010 Singapore.

The gLite API – PART I Giuseppe LA ROCCA INFN Catania Master Class for Life Science, 4-6 May 2010 Singapore.
VO. VOMS 1. Authentication2. Credentials 3. Authentication Client Resource.

VO. VOMS 1. Authentication2. Credentials 3. Authentication Client Resource.
Enhanced Storage Architecture

Enhanced Storage Architecture

Similar presentations

Ads by Google