1
The eTokenServer (A standard-based solution developed by INFN Catania for central provisioning of robot credentials)
Giuseppe LA ROCCA, INFN - Catania, Italy, giuseppe.larocca@ct.infn.it
Catania, 15th April 2014
2
Outline
Introduction to the “light-weight” crypto library: Java™ PKCS#11, Bouncy Castle and Java CoG Kits; VOMS-Admin APIs v.3.0; Apache Tomcat as a Web Container; JAX-RS 1.2 Java APIs using Jersey implementation
The Architecture
Accounting feature (with RFC proxies only)
Summary and Conclusions
3
Introduction to the “light-weight” crypto library:
Java™ PKCS#11, Bouncy Castle and Java CoG Kits
VOMS-Admin APIs v.3.0
Apache Tomcat as a Web Container
JAX-RS 1.2 Java APIs using Jersey implementation
4
SW packages adopted
The Cryptographic Token Interface Standard (PKCS#11) is a standard introduced by RSA Data Security Inc. It defines native programming interfaces to access cryptographic tokens (hardware cryptographic accelerators, smart cards, …).
The Bouncy Castle APIs provide support for creating two kinds of X.509 certificates (ver. 1 and ver. 3).
The Java CoG Kits APIs allow users to provide Globus Toolkit functionality within their code without calling scripts, or in some cases without having Globus installed.
VOMS-Admin APIs (ver. 3.0), developed in the context of the DILIGENT and D4Science projects, were used for interacting with the VOMS server and retrieving the list of groups/roles per VO.
The JAX-RS (Java API for RESTful Web Services) specification, presented in JSR 311, defines a standard way to deploy RESTful web services.
5
Application Server
Deployed on Tomcat Application Server (v7.0.27).
Caching of proxy certificates for each valid requestID (MD5SUM+vo+[fqan]+[options]): if lifetime(requestID) - 12h > 0, the cached proxy is sent to the Science Gateway.
Thread-safe access to the list of smart cards.
Performance of the server evaluated using Apache JMeter™: ~6-8 sec. waiting time for a new proxy; 20 msec. if the proxy is cached.
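The caching rule on this slide, as an added example (not the eTokenServer's own code): the requestID is built as stated (MD5SUM+vo+[fqan]+[options], here assuming the MD5 is taken over the robot certificate), a cached proxy is reused only while more than 12 hours of its lifetime remain, and a lock guards the cache the way the server guards the smart-card list. The ProxyCache class, the create callback and the certificate bytes are constructed for the example.

```python
import hashlib
import threading
from datetime import datetime, timedelta, timezone

# From the slide: reuse the cached proxy only if lifetime(requestID) - 12h > 0.
MIN_REMAINING = timedelta(hours=12)


def request_id(robot_cert_pem: bytes, vo: str, fqan: str = "", options: str = "") -> str:
    """Cache key: MD5SUM+vo+[fqan]+[options]; fqan and options are optional."""
    digest = hashlib.md5(robot_cert_pem).hexdigest()  # key material only, not a security control
    return "+".join(part for part in (digest, vo, fqan, options) if part)


class ProxyCache:
    """Hypothetical in-memory proxy cache keyed by requestID (constructed for this example)."""

    def __init__(self):
        self._entries = {}          # requestID -> (proxy_pem, not_after)
        self._lock = threading.Lock()
        self.hits = 0
        self.misses = 0

    def get_or_create(self, rid: str, create, now: datetime) -> str:
        """Return a cached proxy if it still has > 12h left, else create and cache a new one.

        `create(now)` stands in for the PKCS#11 signing step and must return
        (proxy_pem, not_after) for a freshly issued proxy.
        """
        with self._lock:
            entry = self._entries.get(rid)
            if entry is not None and entry[1] - now > MIN_REMAINING:
                self.hits += 1
                return entry[0]
            # Miss or proxy too close to expiry: ask the token for a new proxy.
            self.misses += 1
            proxy_pem, not_after = create(now)
            self._entries[rid] = (proxy_pem, not_after)
            return proxy_pem


if __name__ == "__main__":
    cert = b"-----BEGIN CERTIFICATE-----\nconstructed-robot-cert\n-----END CERTIFICATE-----\n"
    rid = request_id(cert, "vo.example", "/vo.example/Role=NULL")
    cache = ProxyCache()
    t0 = datetime(2014, 4, 15, 12, 0, tzinfo=timezone.utc)
    issue = lambda now: ("PROXY-" + now.isoformat(), now + timedelta(hours=24))
    print(cache.get_or_create(rid, issue, t0))                          # miss: new proxy
    print(cache.get_or_create(rid, issue, t0 + timedelta(hours=1)))     # hit: 23h left
    print(cache.get_or_create(rid, issue, t0 + timedelta(hours=13)))    # miss: only 11h left
```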
6
Hardware Tokens
To reduce the risk of the robot certificate being compromised, different CAs decided to store this new certificate on Aladdin eToken USB smart cards.
Costs: eToken PRO 64KB € 49,00; eToken PKI Client € 15,90; eToken Shell € 2,00.
The Aladdin eToken smart card can hold several certificates: 4 certificates per eToken PRO 64KB; the PKI Client supports a maximum of 16 slots!
A token PIN is prompted every time the user needs to interact with the smart card.
7
The Architecture
The typical working scenario
Some RESTful APIs
8
The five-layer architecture of the “light-weight” standard-based crypto library
9
The typical working scenario…
10
The RESTful API to request proxies
Creating RFC proxies
Creating full-legacy proxies
11
An experimental solution to account users of Robot Certificates
Adding some user information (CN=…) for accounting purposes (no security!) during the robot proxy generation process: /C=IT/O=INFN/OU=Robot/L=Catania/CN=Robot: Catania Science Gateway - Roberto Barbera/CN=LAROCCA/CN=
Only RFC proxies are supported (no legacy).
The additional user information has to be provided by a portal: no CN checks are implemented at VOMS level, so users could be known only by the portal.
Compliant with standards and security policies [1, 2].
12
Who is using the library?
The eTokenServer service is currently used by the following different Science Gateways:
13
Any questions, comments or remarks are very welcome.
Please contact us: