Presentation is loading. Please wait.

Presentation is loading. Please wait.

Jens Jensen, STFC 15 Sep GridPP39, Lancaster

Published byGeorgina Heath Modified over 6 years ago

Similar presentations

Presentation on theme: "Jens Jensen, STFC 15 Sep GridPP39, Lancaster"— Presentation transcript:

1 Jens Jensen, STFC 15 Sep. 2017 GridPP39, Lancaster
Certificate Stuff Jens Jensen, STFC 15 Sep. 2017 GridPP39, Lancaster

2 Contents AAAI Pathfinder Multiple SANs
More bkg information in presentation to dteam (Also attached to agenda) Multiple SANs More information in talk at hepsysman

3 AAAI Pathfinder GridPP VOMS DiRAC, ARCHER X.509 SAFE ssh IdP

4 AAAI Pathfinder GridPP PRACE EGI, EUDAT, Indigo DC X.509 IdP

5 GridPP, EGI, PRACE, EUDAT, GlobusConnect(?)
DB Pathfinder T3.2 STFC/Facilities Portal sshd User Reg’n portal SCARF Public Authn MyProxy Online CA HSM GridPP, EGI, PRACE, EUDAT, GlobusConnect(?)  VOMS

6 (links to) JISC and service AUP CRL (links to) CP and CPS
Moonshot (user) authenticated Account management Public Portal/server (no authentication required) Information Links to helpdesk (links to) JISC and service AUP CRL (links to) CP and CPS AUP Acceptance Name filter IdP check Attribute check Data Processing Acceptance Certificate Interface Acct DB Status (Re)new Revoke Management Interface (X.509 authenticated) Service API Forget

7 GridPP’s participation
Work with Suleman Tariq CA portal (user interface) If you have an IdP in Assent, you can authenticate to Not finished yet You can’t get a certificate (yet) Chose not to use the CTS code No VOMS in interface; expecting attrs from Moonshot

8 Visiony Stuff Single identity provided by home org.
Or a “homeless” org. Access to both web and non-web resources Chicken and egg takeup: More resources make having an IdP more attractive Use Pathfinder to provide resources

9 Technical Points Moonshot requires client side libs (mech_eap.so)
X.509 certificates require higher LoA Aiming for BIRCH Need for IdP to communicate “loss of traceability” Infrastructure managed private keys Should improve usability

10 (Main) Risks (There is a proper risk register…) Not enough IdPs…
Of a sufficient LoA (IGTF BIRCH) Need to sign a contract! (little assurance in Assent itself) IdP cannot notify on loss of traceability IGTF accreditation delayed Users still manage certs through browser!

11 Support for added extra supplementary additional
Subject alt names

12 Now supported via PeCR cli mode uses --san to request extra SANs
Bulk mode uses extra lines in cnfiles Comma separated (no spaces) Need a recent version of PeCR, see

13 Still a few niggles Need to pre-authorise all SANs
By submitter DN Through RA (Because RA will not necessarily see the SANs during approval) Only works for NEW host requests Otherwise submitter DN is not present Need to fiddle old requests cnfiles need single names to download fixed!

14 Additional Credits PeCR – Robert Frank Testing – John Kewley

15 More information on both Pathfinder and Multi-SAN: dteam

Download ppt "Jens Jensen, STFC 15 Sep GridPP39, Lancaster"

Similar presentations

Jens G Jensen CCLRC e-Science Single Sign-on to the Grid Federated Access and Integrated Identity Management.

Jens G Jensen CCLRC e-Science Single Sign-on to the Grid Federated Access and Integrated Identity Management.
Federated Access to Grids Daniel Kouřil, Sam Hartman, Josh Hewlet, Jens Jensen, Michal Procházka EGI User Forum 2011.

Federated Access to Grids Daniel Kouřil, Sam Hartman, Josh Hewlet, Jens Jensen, Michal Procházka EGI User Forum 2011.
Implementing Federated Security with ConSec Jens Jensen, STFC OGF40, Oxford, 16 Jan 2014.

Implementing Federated Security with ConSec Jens Jensen, STFC OGF40, Oxford, 16 Jan 2014.
Contrail and Federated Identity Management

Contrail and Federated Identity Management
EUDAT FIM4R at TNC 2014 Jens Jensen, STFC, on behalf of EUDAT AAI task force.

EUDAT FIM4R at TNC 2014 Jens Jensen, STFC, on behalf of EUDAT AAI task force.
Federated A(A(A))I Jens Jensen hepsysman, RAL, 20110701.

Federated A(A(A))I Jens Jensen hepsysman, RAL,
CA Stuff Jens Jensen Dave Meredith John Kewley GridPP31, Imperial, London Sept. 2013.

CA Stuff Jens Jensen Dave Meredith John Kewley GridPP31, Imperial, London Sept
Here Come the Feds Federated identity management: the consumer’s perspective Jens Jensen, STFC On behalf of EUDAT AAI TF EGI CF Manchester April 2013.

Here Come the Feds Federated identity management: the consumer’s perspective Jens Jensen, STFC On behalf of EUDAT AAI TF EGI CF Manchester April 2013.
Tweaking the Certificate Lifecycle for the UK eScience CA John Kewley NGS Support Centre Manager & Service Manager for the UK e-Science CA

Tweaking the Certificate Lifecycle for the UK eScience CA John Kewley NGS Support Centre Manager & Service Manager for the UK e-Science CA
Evolution of the Open Science Grid Authentication Model Kevin Hill Fermilab OSG Security Team.

Evolution of the Open Science Grid Authentication Model Kevin Hill Fermilab OSG Security Team.
ShibGrid: Shibboleth access to the UK National Grid Service University of Oxford and STFC.

ShibGrid: Shibboleth access to the UK National Grid Service University of Oxford and STFC.
Jens G Jensen CCLRC e-Science Single Sign-on at RAL (and DLS too) Authentication and Integrated Identity Management hepsysman Cambridge, 23 Oct 2006.

Jens G Jensen CCLRC e-Science Single Sign-on at RAL (and DLS too) Authentication and Integrated Identity Management hepsysman Cambridge, 23 Oct 2006.
Browser User Certificate Mail Box VOMS-Admin Host Tomcat TR1) Users Trusts “VOMS-Admin” server identity. step1 TR2) User Trusts data (Data1, HTML response)

Browser User Certificate Mail Box VOMS-Admin Host Tomcat TR1) Users Trusts “VOMS-Admin” server identity. step1 TR2) User Trusts data (Data1, HTML response)
HEPSYSMAN UCL, 26 Nov 2002Jens G Jensen, CLRC/RAL UK e-Science Certification Authority Status and Deployment.

HEPSYSMAN UCL, 26 Nov 2002Jens G Jensen, CLRC/RAL UK e-Science Certification Authority Status and Deployment.
CertWizard: a New Certificate Tool for the UK NGI User Community John Kewley ( ), Jens Jensen, David Meredith and Akay Okcun 16/11/20151EGI.

CertWizard: a New Certificate Tool for the UK NGI User Community John Kewley ( ), Jens Jensen, David Meredith and Akay Okcun 16/11/20151EGI.
Jens G Jensen CCLRC e-Science Single Sign-on to the Grid Authentication and Integrated Identity Management HEPiX, CASPUR, Rome 3-7 April 2006.

Jens G Jensen CCLRC e-Science Single Sign-on to the Grid Authentication and Integrated Identity Management HEPiX, CASPUR, Rome 3-7 April 2006.
Oxford University e-Science Centre 1 Managing Access 4 Dec. 2002 Managing Access to Resources on the Grid 4 December 2002.

Oxford University e-Science Centre 1 Managing Access 4 Dec Managing Access to Resources on the Grid 4 December 2002.
Summary of AAAA Information David Kelsey Infrastructure Policy Group, Singapore, 15 Sep 2008.

Summary of AAAA Information David Kelsey Infrastructure Policy Group, Singapore, 15 Sep 2008.
Shibboleth & Grid Integration STFC and University of Oxford (and University of Manchester)

Shibboleth & Grid Integration STFC and University of Oxford (and University of Manchester)
AAI Developments AAI for e-infrastructures UK T0 workshop, Milton Hill Park 20-21 October 2015

AAI Developments AAI for e-infrastructures UK T0 workshop, Milton Hill Park October 2015

Similar presentations

Ads by Google