Presentation is loading. Please wait.

Presentation is loading. Please wait.

J Jensen, STFC hepsysman, June 2017

Published byAshlie Goodwin Modified over 6 years ago

Similar presentations

Presentation on theme: "J Jensen, STFC hepsysman, June 2017"— Presentation transcript:

1 J Jensen, STFC hepsysman, June 2017
Identity Management J Jensen, STFC hepsysman, June 2017

2 Contents Background – federated identity management Certificates (hosts, in particular) Pathfinder RCauth Future

3 Fed. IdM SSO: single account, used everywhere
Single login: only need to log in once Federated identity: identity comes from home IdP E.g. UK Access Management Federation, eduroam, eduGAIN “superfederation”, Assent AARC project “blueprint architecture” Login is typically via portal but there is (some) tech for CLI

4 Host Certificates Brian: - you are all individuals!
Crowd (in unison) - we are all individuals! Lone voice: - I’m not! Certificates are issued to a private key The private must not be shared … but the

5 A certificate contains:
Multiple SANs A certificate contains: A subject name (which names the subject) The DN For hosts, the CN is the hostname Subject alternative name(s) – hereinafter “SAN” – which also name the subject E.g. address(es) Host name(es) IP address(es)

6 Host Naming Example: host.example.com. has alias foo.example.com.
The client accesses foo.example.com. The certificate is (usually) issued to the alias RFC 2818, section 3.1 (server identity): Client MUST check hostname (in URL) against server identity (in cert) Globus (till recently) didn’t need this because it resolved the names through DNS However, that is a security risk since DNS could be tampered with foo.example.com host.example.com … so the certificate MUST be issued to the alias…

7 Naming Hosts One “server” spread across multiple hosts
Client calls – and sees only – foo.example.com Each host has an individual CNAME The certificate is issued to the CNAMEs because they are all individuals (Instead of getting a cert for foo.example.com. and copying it to all) (or 3 certs for foo.example.com. which is slightly less bad but still bad) foo.example.com foo.example.com foo.example.com host1.example.com host2.example.com host3.example.com

8 Naming Hosts Multiple servers on a single host
A single host fronts multiple hosts Certificate is typically issued to the CNAME foo.example.com bar.example.com fred.example.com host.example.com Example: srm-gen.gridpp.rl.ac.uk.

9 Naming Hosts Multiple servers on a single host
A single host fronts multiple hosts Certificate is issued with wildcard Matches {foo,bar,fred}.example.com. But also mail.example.com. Should be used with some caution (if at all) *.example.com host.example.com

10 Client MAY perform its own non-std check If not, client extracts SANs
Back to RFC 2818 Client MAY perform its own non-std check E.g. check the server’s key If not, client extracts SANs Checks if one matches the requested hostname or IP address Iff there are no SANs, client checks CN If no alternative names are present

11 Supporting Multiple SANs (in Host Certs)
Currently: A 500 line Perl script (lots of error checking) Which “edits” the request Must be run by CA operator Before the certificate is signed, ideally Status Error prone: both CA op and requester must coordinate RA op may not see alternative names

12 Supporting Multiple SANs (in Host Certs)
Requester adds requested SANs to request See GridPP Wiki for instructions Must have the name in CN (typically CNAME) also in SAN (conventionally the first SAN) Have to use PeCR to submit – JK working on this Must use PKCS#10 RA op sees extra SANs and approves them …hopefully Signing system honours extra SANs? You can put anything in a request But by default almost everything is ignored!

13 Signing Multi-SAN Requests
Introduces extra risk Typically, someone sneaking in a dodgy name Or applies for something bad in good(ish) faith Implementation Extracted and checked, and added to cert Instead of the ‘copy’ and ‘copyall’ semantics of openssl ca Help to introduce rules…? Maybe restrict to “trusted” admins (by DN) – would only work for new reqs. No bulk…? Wildcards need checking (e.g. *.example.com) Restricting domains (by admin)

14 Renewing Multi-SAN certs
(Even) less mature Not much time/effort to develop CA Needs to copy stuff over from previous Some exploratory work in this area but less mature Some times changes are need (= CCRs) (Certificate Change Request) With PeCR it may be just as easy to apply for new?

15 Further Reading RFC 2818 RFC 5280 GFD.225
RFC 5280 GFD.225

16 Pathfinder MICS Rcauth IOTA
Federated access to certificates Pathfinder MICS Rcauth IOTA

17 GridPP, EGI, PRACE, EUDAT, GlobusConnect
DB Pathfinder T3.2 STFC/Facilities Portal sshd User Reg’n portal SCARF Public Authn MyProxy Online CA HSM GridPP, EGI, PRACE, EUDAT, GlobusConnect  VOMS

18 Front End(s) Red outline = Moonshot authenticated
Moonshot (user) authenticated Account management Public Portal/server (no authentication required) Information Links to helpdesk (links to) JISC and service AUP CRL (links to) CP and CPS AUP Acceptance Name filter IdP check Attribute check Data Processing Acceptance Certificat e Interface Acct DB Status (Re)ne w Revok e Management Interface (X.509 authenticated) Service API Forget Red outline = Moonshot authenticated Black outline = certificate authenticated

19 CA set up by NIKHEF as an AARC pilot activity
RCauth CA set up by NIKHEF as an AARC pilot activity Allows selected IdPs to get certs à la SARoNGS Will be run by EGI and EUDAT in EINFRA-12 The EUDAT one run by STFC, EGI by GRNET IOTA profile: OK for WLCG… Pathfinder will be MICS (hopefully)

20 Thanks

Download ppt "J Jensen, STFC hepsysman, June 2017"

Similar presentations

Robots Jens Jensen, STFC RAL GridNet2/ UK e-Science CA /NGS/GridPP/

Robots Jens Jensen, STFC RAL GridNet2/ UK e-Science CA /NGS/GridPP/
© 2009 GroundWork Open Source, Inc. PROPRIETARY INFORMATION: Information contained herein is not for use or disclosure outside of GroundWork Open Source,

© 2009 GroundWork Open Source, Inc. PROPRIETARY INFORMATION: Information contained herein is not for use or disclosure outside of GroundWork Open Source,
Contrail and Federated Identity Management

Contrail and Federated Identity Management
WebFTS as a first WLCG/HEP FIM pilot

WebFTS as a first WLCG/HEP FIM pilot
Federated A(A(A))I Jens Jensen hepsysman, RAL, 20110701.

Federated A(A(A))I Jens Jensen hepsysman, RAL,
CA Stuff Jens Jensen Dave Meredith John Kewley GridPP31, Imperial, London Sept. 2013.

CA Stuff Jens Jensen Dave Meredith John Kewley GridPP31, Imperial, London Sept
Tweaking the Certificate Lifecycle for the UK eScience CA John Kewley NGS Support Centre Manager & Service Manager for the UK e-Science CA

Tweaking the Certificate Lifecycle for the UK eScience CA John Kewley NGS Support Centre Manager & Service Manager for the UK e-Science CA
OSG PKI Grid Admin (GA) Training Mine Altunay, Jim Basney OSG PKI Team October 8, 2012.

OSG PKI Grid Admin (GA) Training Mine Altunay, Jim Basney OSG PKI Team October 8, 2012.
TNC2004 Rhodes 1 Authentication and access control in Sympa mailing list manager Serge Aumont & Olivier Salaün May 2004.

TNC2004 Rhodes 1 Authentication and access control in Sympa mailing list manager Serge Aumont & Olivier Salaün May 2004.
Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.

Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.
Networks ∙ Services ∙ People David Groep TCS TNC2015 Workshop https://www.digicert.com/sso TCS SAML demo background June 16, 2015 TCS PMA.

Networks ∙ Services ∙ People David Groep TCS TNC2015 Workshop TCS SAML demo background June 16, 2015 TCS PMA.
Evolution of the Open Science Grid Authentication Model Kevin Hill Fermilab OSG Security Team.

Evolution of the Open Science Grid Authentication Model Kevin Hill Fermilab OSG Security Team.
HEPSYSMAN UCL, 26 Nov 2002Jens G Jensen, CLRC/RAL UK e-Science Certification Authority Status and Deployment.

HEPSYSMAN UCL, 26 Nov 2002Jens G Jensen, CLRC/RAL UK e-Science Certification Authority Status and Deployment.
CertWizard: a New Certificate Tool for the UK NGI User Community John Kewley ( ), Jens Jensen, David Meredith and Akay Okcun 16/11/20151EGI.

CertWizard: a New Certificate Tool for the UK NGI User Community John Kewley ( ), Jens Jensen, David Meredith and Akay Okcun 16/11/20151EGI.
Connect. Communicate. Collaborate AAI scenario: How AutoBAHN system will use the eduGAIN federation for Authentication and Authorization Simon Muyal,

Connect. Communicate. Collaborate AAI scenario: How AutoBAHN system will use the eduGAIN federation for Authentication and Authorization Simon Muyal,
Summary of AAAA Information David Kelsey Infrastructure Policy Group, Singapore, 15 Sep 2008.

Summary of AAAA Information David Kelsey Infrastructure Policy Group, Singapore, 15 Sep 2008.
Shibboleth & Grid Integration STFC and University of Oxford (and University of Manchester)

Shibboleth & Grid Integration STFC and University of Oxford (and University of Manchester)
Federated Identity Management for HEP David Kelsey HEPiX, IHEP Beijing 18 Oct 2012.

Federated Identity Management for HEP David Kelsey HEPiX, IHEP Beijing 18 Oct 2012.
WLCG Authentication & Authorisation LHCOPN/LHCONE Rome, 29 April 2014 David Kelsey STFC/RAL.

WLCG Authentication & Authorisation LHCOPN/LHCONE Rome, 29 April 2014 David Kelsey STFC/RAL.
Www.eudat.eu EUDAT receives funding from the European Union's Horizon 2020 programme - DG CONNECT e-Infrastructures. Contract No. 654065 B2ACCESS LSDMA.

EUDAT receives funding from the European Union's Horizon 2020 programme - DG CONNECT e-Infrastructures. Contract No B2ACCESS LSDMA.

Similar presentations

Ads by Google