Presentation is loading. Please wait.

Presentation is loading. Please wait.

P-p-pick up a Pathfinder

Published byDomenic Ford Modified over 6 years ago

Similar presentations

Presentation on theme: "P-p-pick up a Pathfinder"— Presentation transcript:

1 P-p-pick up a Pathfinder
J Jensen, STFC GridPP38, U Sussex, Apr ‘17

2 Overview of Overview Overview of Pathfinder GridPP’s rôle and aims in the project Moonshot in action (well, pictures of) Where we are in GridPP’s task Future directions

3 Overview of Pathfinder

4 Executive Summary A national infrastructure pilot for authentication, authorisation, and accounting RC funded (EPSRC/STFC) Partners: UCL (lead), Edinburgh, JISC, Crick, Oxford, Durham, STFC, Leeds Resources DiRAC, GridPP, ARC, N8, eMedLab,… Budget £215K, 10 months, Oct ‘16 – Aug ‘17 (or thereabouts)

5 Technology Moonshot SAFE SAFE-SHARE IETF standard (ABFAB-WG, RFC 7831)
JISC-led “eduRoam for higher level resources” (RFC 7832) Assent is the infrastructure running Moonshot services SAFE Acct mgmt used by ARCHER & others Developed at EPCC SAFE-SHARE Elevated LoA for medical/biosci, secure networks eMedLab

6 A pilot AAAI across xple sites Interoperability through X.509 gateway
Main Deliverables A pilot AAAI across xple sites ARC, N8, DiRAC, eMedLab Interoperability through X.509 gateway This is GridPP’s contribution (in collab with JISC) This task March-April-May 2017 Future directions

7 DONE! WP details 0. Proj. mgmt Id mgmt pilots SAFE deployment
Assent, homeless IdP, 2-factor for eMedLab SAFE deployment Integration VO/Assent (e.g. VOMS), Assent-X.509 (GridPP) Docs & writeups Architecture, business case DONE!

8 DONE! WP details 0. Proj. mgmt Id mgmt pilots SAFE deployment
Assent, homeless IdP, 2-factor for eMedLab SAFE deployment Integration VO/Assent (e.g. VOMS), Assent-X.509 (GridPP) Docs & writeups Architecture, business case DONE!

9 GridPP’s rôle and aims in the project
Task 3.2: Assent->X.509 gw … with JISC Instead of aiming for a test CA… Aiming for a full IGTF-approved MICS BIRCH profile … ensure that certificates are useful! Proper alternative to going to RA for personal certs (Once it’s in production) => WLCG, ELIXIR, EUDAT, PRACE, EGI

10 … in action, sort of: Moonshot

11 Experiences Learning curve? Support for OS? Lots of pieces…
JISC’s documentation is much improved Support for OS? Native Debian, CentOS We are using RHEL for Pathfinder, no problem Windows supported Mac still being worked on Lots of pieces…

12 Moonshot Architecture
(

13

14 Windows Files Windows support: Moonshot-AMD64-full msi Putty: putty-ms-rel.exe

15 Still needs to know username?
ssh Still needs to know username?

16 Web Client - Browser This is the federal (= home org) id and password but it still needs it Works without credential manager but you need to type username/password When credential manager is used, it knows the username but still prompts for password You can ask the browser to remember the password … does need to use Internet Explorer

17 Web Server … REMOTE_ADDR = XXX.XXX.XXX.XXX REMOTE_USER = jj47 AUTH_TYPE = Negotiate GSS_NAME=jj47 GSS_SESSION_EXPIRATION= GSS_NAME_ATTRS_JSON={"name":"jj47","attributes":…}

18 RFC 6680 attributes User-Name: jj47 Moonshot-Host-TargetedId: jj47 Moonshot-Realm-TargetedId: Moonshot-TR-COI-TargetedId Should also carry Pathfinder authorisation attributes Task 3.1 looked at VOMS but only integrated SAFE attributes However, attributes easy to integrate at RADIUS level (and we plan something different for VOMS…)

19 Where we are in GridPP’s task

20 People Suleman Tariq STFC’s Moonshot admin
(And also sysadmin for the CA…)

21 GridPP, EGI, PRACE, EUDAT, GlobusConnect
DB Pathfinder T3.2 STFC/Facilities Portal sshd User Reg’n portal SCARF Public Authn MyProxy Online CA HSM GridPP, EGI, PRACE, EUDAT, GlobusConnect  VOMS

22 Front End(s) Red outline = Moonshot authenticated
Moonshot (user) authenticated Account management Public Portal/server (no authentication required) Information Links to helpdesk (links to) JISC and service AUP CRL (links to) CP and CPS AUP Acceptance Name filter IdP check Attribute check Data Processing Acceptance Certificat e Interface Acct DB Status (Re)ne w Revok e Management Interface (X.509 authenticated) Service API Forget Red outline = Moonshot authenticated Black outline = certificate authenticated

23 Subtasks (high level view) (There are sub-sub-tasks as well)
Get new CA into IGTF Write CP/CPS for new CA (ongoing) Submit for review before Ljubljana meeting Eval MyProxy || Implement CA Configure as Moonshot service Link to existing HSM User status interface Set up Community-of-Interest (CoI) Document requirement for IdP to meet BIRCH reqs Ensure IdPs publish the req’d attributes Add trusted IdPs into CoI More GridPP involvement? – add instr. to wiki

24 Open Questions Can we use MyProxy as a CA or credential store (or both)? => as CA, less work req’d => as CS, all certificates are delegated Whether (and when) to rekey the CA (MUST be done to go to production) What to do about account closure (BIRCH) Could link to RCauth if meeting BIRCH level fails Nevertheless, this would be a loss Filtering acceptable IdPs (through CoI)

25 Probably not much need for SAFE in GridPP? Build a real CA
Conclusion Prototype AAAI Probably not much need for SAFE in GridPP? Build a real CA Albeit not quite production infrastructure Whether/How to do stuff across infrastructures?

26 Thanks

Download ppt "P-p-pick up a Pathfinder"

Similar presentations

Demonstrations at PRAGMA 13 10 demos are nominated by WG chairs Did not call for demos. We will select the best demo(s) Criteria is under discussion. Notes.

Demonstrations at PRAGMA demos are nominated by WG chairs Did not call for demos. We will select the best demo(s) Criteria is under discussion. Notes.
29 June 2006 GridSite - www.gridsite.org - Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.

29 June 2006 GridSite Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.
ASPiS - Architecture for a Shibboleth-Protected iRODS System Mark Hedges, Tobias Blanke Centre for e-Research, Kings College London Adil Hasan, Jens Jensen.

ASPiS - Architecture for a Shibboleth-Protected iRODS System Mark Hedges, Tobias Blanke Centre for e-Research, Kings College London Adil Hasan, Jens Jensen.
Federated Access to Grids Daniel Kouřil, Sam Hartman, Josh Hewlet, Jens Jensen, Michal Procházka EGI User Forum 2011.

Federated Access to Grids Daniel Kouřil, Sam Hartman, Josh Hewlet, Jens Jensen, Michal Procházka EGI User Forum 2011.
Implementing Federated Security with ConSec Jens Jensen, STFC OGF40, Oxford, 16 Jan 2014.

Implementing Federated Security with ConSec Jens Jensen, STFC OGF40, Oxford, 16 Jan 2014.
Contrail and Federated Identity Management

Contrail and Federated Identity Management
© Southampton City Council Sean Dawtry – Southampton City Council The Southampton Pathfinder for Smart Cards in public services.

© Southampton City Council Sean Dawtry – Southampton City Council The Southampton Pathfinder for Smart Cards in public services.
Moonshot for Federated Identity Jens Jensen, STFC Daniel Kouřil, CESNET EGI CF, April 2013.

Moonshot for Federated Identity Jens Jensen, STFC Daniel Kouřil, CESNET EGI CF, April 2013.
© Janet 2012 Project Moonshot Technology, use cases & pilot 17 January, 2012 Haka conference, Helsinki 1.

© Janet 2012 Project Moonshot Technology, use cases & pilot 17 January, 2012 Haka conference, Helsinki 1.
Technology on the NGS Pete Oliver NGS Operations Manager.

Technology on the NGS Pete Oliver NGS Operations Manager.
Project Moonshot TF-MNM. Use cases Project Moonshot 2.

Project Moonshot TF-MNM. Use cases Project Moonshot 2.
Jens G Jensen CCLRC e-Science Single Sign-on to the Grid Federated Access and Integrated Identity Management.

Jens G Jensen CCLRC e-Science Single Sign-on to the Grid Federated Access and Integrated Identity Management.
Integrating HPC and the Grid – the STFC experience Matthew Viljoen, STFC RAL EGEE 08 Istanbul.

Integrating HPC and the Grid – the STFC experience Matthew Viljoen, STFC RAL EGEE 08 Istanbul.
Federated A(A(A))I Jens Jensen hepsysman, RAL, 20110701.

Federated A(A(A))I Jens Jensen hepsysman, RAL,
Tweaking the Certificate Lifecycle for the UK eScience CA John Kewley NGS Support Centre Manager & Service Manager for the UK e-Science CA

Tweaking the Certificate Lifecycle for the UK eScience CA John Kewley NGS Support Centre Manager & Service Manager for the UK e-Science CA
FIM-related activities and issues being discussed in Japan 1.GEO Grid Yoshio Tanaka (AIST) 2.HPCI, GakuNin Eisaku Sakane, Kento Aida (NII)

FIM-related activities and issues being discussed in Japan 1.GEO Grid Yoshio Tanaka (AIST) 2.HPCI, GakuNin Eisaku Sakane, Kento Aida (NII)
Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.

Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.
HPDC 2007 / Grid Infrastructure Monitoring System Based on Nagios Grid Infrastructure Monitoring System Based on Nagios E. Imamagic, D. Dobrenic SRCE HPDC.

HPDC 2007 / Grid Infrastructure Monitoring System Based on Nagios Grid Infrastructure Monitoring System Based on Nagios E. Imamagic, D. Dobrenic SRCE HPDC.
2005 © SWITCH Perspectives of Integrating AAI with Grid in EGEE-2 Christoph Witzig Amsterdam, October 17, 2005.

2005 © SWITCH Perspectives of Integrating AAI with Grid in EGEE-2 Christoph Witzig Amsterdam, October 17, 2005.
Neil Witheridge APAN29 Sydney February 2010 ARCS Authorisation Services Neil Witheridge Manager, ARCS Authorisation Services APAN29, Sydney, February 2010.

Neil Witheridge APAN29 Sydney February 2010 ARCS Authorisation Services Neil Witheridge Manager, ARCS Authorisation Services APAN29, Sydney, February 2010.

Similar presentations

Ads by Google