Presentation is loading. Please wait.

Presentation is loading. Please wait.

UK e-Science CA Update J Jensen, STFC 31 Jan 2017.

Published byIsabella Weaver Modified over 6 years ago

Similar presentations

Presentation on theme: "UK e-Science CA Update J Jensen, STFC 31 Jan 2017."— Presentation transcript:

1 UK e-Science CA Update J Jensen, STFC 31 Jan 2017

2 Immediate Future of UK e-Science CA certs Other todos
ToC Pathfinder Immediate Future of UK e-Science CA certs Incl. SHA2 Other todos TACAR, JCS, …

3 AAAI Pathfinder

4 Executive Summary A national infrastructure pilot for authentication, authorisation, and accounting RC funded (EPSRC) Partners: EPCC, UCL, JISC, eMedLab (= Crick/UCL), Farr, ARC (= Oxford), DiRAC (UCL+Durham), GridPP, N8 (Leeds) Budget £215K, 10 months, start date Oct ‘16

5 Bkg - Technology Moonshot Non-web (and web) Access to services
JISC-led activity (+ CESNET, Painless) “eduRoam for higher level resources (e.g. ssh, web)” Production service in Assent ( Open Source implementation, IETF standard (ABFAB-WG) Non-web (and web) Access to services ssh, http, MyProxy, etc.

6 Bkg - Technology Moonshot Server side Client side Federation
ssh, Apache, MyProxy, (in theory anything that uses GSSAPI, RFC 2743) Client side Needs stuff installed - Support for Debian 8, and {CentOS, RHEL, SL} {6,7} Support for (some) MacOSs nearing completion Federation Needs a trust router (à la eduroam)

7 Bkg - Technology SAFE SAFE-SHARE
Acct mgmt used by ARCHER, DiRAC, and Hartree Developed at EPCC Partially open source - SAFE-SHARE JISC funded HAN – High Assurance Network HAN for medical/biosci (Farr, MRC) and for admin data (ADRN) AAAI for eMedLab, Cloud Infra for Microb. Gen. (CLIMB)

8 Pilot demonstrator for user communities
Project Goals Link stuff together to provide account management, authentication, authorisation, and accounting Pilot demonstrator for user communities EPSR, MR HEI service delivery Connecting to other einfra (internationally) (via a X.509 SLCS)

9 A pilot AAAI across xple sites Interoperability
Main Deliverables A pilot AAAI across xple sites ARC, N8, DiRAC, eMedLab Interoperability WLCG, ELIXIR, EUDAT, PRACE, EGI GridPP, of course! Future directions

10 WP details 0. Proj. mgmt Id mgmt pilots SAFE deployment Integration
Assent, IdP, 2-factor for eMedLab SAFE deployment Integration VO/Assent (e.g. VOMS), Assent-X.509 (GridPP) Docs & writeups Architecture, business case

11 GridPP and STFC It was agreed that STFC should fulfill GridPP’s obligations in AAAI pathfinder STFC is a member of Assent STFC already has a Moonshot infrastructure, connected to Assent One IdP connected to site AD; one SP (=ssh) connecting to SCARF cluster (working on more stuff) UK e-Science CA, HSMs, (RCauth?) for interoperation 2.83 Months of effort – Suleman Tariq (Moonshot sysadmin) Starting April 2017

12 Opportunities GridPP STFC AARC Everybody - !
National HPC/data e-I, interoperating beyond WLCG (cf. DiRAC) Considerable expertise in policy harmonisation etc. No direct change to infra(?) – main drivers are LHC STFC Additional services for facilities’ users? Fed id => connecting via nat’l AAAI AARC Pilot – connecting infrastructures Everybody - !

13 Certificates to Pathfinder
Aim for full production use of infrastructure It’s a pilot, but no test IdPs Repurpose 2A to become a SLCS CA for Pathfinder Originally intended for host Currently no live certificates under 2A (needs rekey) Use for duration of Pathfinder, e.g. till end of ‘17 Ensure IdPs can comply Use of COI

14 Other stuff

15 Could offer to host RCauth key
Infrastructure Two old HSMs One holds 2A, the other (oldest) 2B Two new HSMs Both hold 2B Could offer to host RCauth key Signing only As a redundant/performant signing service

16 Need update for boundary cases Identification of attributes
CPS Need update for boundary cases Identification of attributes Identity check – clarify video renewal? CCRs Process for setting up RAs (handover) Hosts Host certificates for IP addresses, multi-SAN Certificates to cloud hosts Policy for wildcard certs (instead of editing)

17 Other JCS – renewed SHA2 No further progress at this stage
Should still be done (getting alerts for SHA1) As you know, needs to rekey root Re-engineer DR Management, ROBAB, long-lived CRL Old HSMs are outside warranty

Download ppt "UK e-Science CA Update J Jensen, STFC 31 Jan 2017."

Similar presentations

Jens G Jensen CCLRC e-Science Single Sign-on to the Grid Federated Access and Integrated Identity Management.

Jens G Jensen CCLRC e-Science Single Sign-on to the Grid Federated Access and Integrated Identity Management.
Federated Access to Grids Daniel Kouřil, Sam Hartman, Josh Hewlet, Jens Jensen, Michal Procházka EGI User Forum 2011.

Federated Access to Grids Daniel Kouřil, Sam Hartman, Josh Hewlet, Jens Jensen, Michal Procházka EGI User Forum 2011.
Implementing Federated Security with ConSec Jens Jensen, STFC OGF40, Oxford, 16 Jan 2014.

Implementing Federated Security with ConSec Jens Jensen, STFC OGF40, Oxford, 16 Jan 2014.
Contrail and Federated Identity Management

Contrail and Federated Identity Management
Moonshot for Federated Identity Jens Jensen, STFC Daniel Kouřil, CESNET EGI CF, April 2013.

Moonshot for Federated Identity Jens Jensen, STFC Daniel Kouřil, CESNET EGI CF, April 2013.
© Janet 2012 Project Moonshot Technology, use cases & pilot 17 January, 2012 Haka conference, Helsinki 1.

© Janet 2012 Project Moonshot Technology, use cases & pilot 17 January, 2012 Haka conference, Helsinki 1.
Technology on the NGS Pete Oliver NGS Operations Manager.

Technology on the NGS Pete Oliver NGS Operations Manager.
WebFTS as a first WLCG/HEP FIM pilot

WebFTS as a first WLCG/HEP FIM pilot
Project Moonshot TF-MNM. Use cases Project Moonshot 2.

Project Moonshot TF-MNM. Use cases Project Moonshot 2.
Jens G Jensen CCLRC e-Science Single Sign-on to the Grid Federated Access and Integrated Identity Management.

Jens G Jensen CCLRC e-Science Single Sign-on to the Grid Federated Access and Integrated Identity Management.
Federated A(A(A))I Jens Jensen hepsysman, RAL, 20110701.

Federated A(A(A))I Jens Jensen hepsysman, RAL,
CA Stuff Jens Jensen Dave Meredith John Kewley GridPP31, Imperial, London Sept. 2013.

CA Stuff Jens Jensen Dave Meredith John Kewley GridPP31, Imperial, London Sept
Tweaking the Certificate Lifecycle for the UK eScience CA John Kewley NGS Support Centre Manager & Service Manager for the UK e-Science CA

Tweaking the Certificate Lifecycle for the UK eScience CA John Kewley NGS Support Centre Manager & Service Manager for the UK e-Science CA
Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.

Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.
Authentication and Authorisation for Research and Collaboration Licia Florio (GÉANT) Christos Kanellopoulos (GRNET) Service orientation.

Authentication and Authorisation for Research and Collaboration Licia Florio (GÉANT) Christos Kanellopoulos (GRNET) Service orientation.
Introduction Moonshot workshop 6.2.2014

Introduction Moonshot workshop
ShibGrid: Shibboleth access to the UK National Grid Service University of Oxford and STFC.

ShibGrid: Shibboleth access to the UK National Grid Service University of Oxford and STFC.
Jens G Jensen CCLRC e-Science Single Sign-on at RAL (and DLS too) Authentication and Integrated Identity Management hepsysman Cambridge, 23 Oct 2006.

Jens G Jensen CCLRC e-Science Single Sign-on at RAL (and DLS too) Authentication and Integrated Identity Management hepsysman Cambridge, 23 Oct 2006.
This document produced by Members of the Helix Nebula Partners and Consortium is licensed under a Creative Commons Attribution 3.0 Unported License. Permissions.

This document produced by Members of the Helix Nebula Partners and Consortium is licensed under a Creative Commons Attribution 3.0 Unported License. Permissions.
HEPSYSMAN UCL, 26 Nov 2002Jens G Jensen, CLRC/RAL UK e-Science Certification Authority Status and Deployment.

HEPSYSMAN UCL, 26 Nov 2002Jens G Jensen, CLRC/RAL UK e-Science Certification Authority Status and Deployment.

Similar presentations

Ads by Google