1
MyProxy Integration with PubCookie
Marty Humphrey*, Jim Jokl*, and Jim Basney**
*Department of Computer Science, University of Virginia, Charlottesville, VA
**NCSA/University of Illinois, Urbana-Champaign, IL
Supported by: NSF Next Generation Software (NSF NGS), NSF Middleware Initiative (NMI), San Diego Supercomputing Center
2
The Challenge
I have a dream…
  Opportunistically expand campus researchers’ local resources to “The Grid”
[Security] Problem:
  Relatively little of campus is PKI-enabled
  Grid is (largely) PKI (GSI)
Goal: Leverage existing site (campus) authentication infrastructure
Approach: integrate PubCookie and MyProxy
3
PubCookie
4
PubCookie in Action (1)
[Diagram labels: Your IIS or Apache Web Server; PC; Pubcookie Apache Module or ISAPI Filter; End-User; Campus Login Server]
From Tom Jordon, UW-Madison
5
PubCookie in Action (2)
[Diagram labels: Your IIS or Apache Web Server; PC; Pubcookie Apache Module or ISAPI Filter; "Authenticated to Central Login Server? -- Nope"; End-User; Campus Login Server]
From Tom Jordon, UW-Madison
6
PubCookie in Action (3)
[Diagram labels: Your IIS or Apache Web Server; PC; Pubcookie Apache Module or ISAPI Filter; End-User; Login; Redirect; Campus Login Server; Logged In]
From Tom Jordon, UW-Madison
7
PubCookie in Action (4)
[Diagram labels: Your IIS or Apache Web Server; PC; Pubcookie Apache Module or ISAPI Filter; "Authenticated to Central Login Server? -- Yep"; Access Allowed; End-User; Redirect; Campus Login Server; Logged In]
From Tom Jordon, UW-Madison
8
PubCookie in Action (5)
[Diagram labels: Your IIS or Apache Web Server; PC; Pubcookie Apache Module or ISAPI Filter; "Authenticated to Central Login Server? -- Yep"; Access Allowed; Another IIS or Apache Web Server; PC; Pubcookie Apache Module or ISAPI Filter; End-User; Campus Login Server; Logged In]
From Tom Jordon, UW-Madison
9
PubCookie/MyProxy Integration
[Diagram: Browser, Pubcookie-enabled Application Server, Pubcookie Login Server, Campus Authentication Server and MyProxy Server, connected by numbered steps 1 to 12; steps 8 and 9 are marked (SSL); one label reads "Grid request"]
15
Technical Details
3 main cookies involved in PubCookie:
Granting cookie: “contains the authenticated username and some other items”
  Granting cookie is signed by the PubCookie login server and encrypted with a symmetric key shared between the app server and the PubCookie login server
Login cookie: “scoped to the login server and will be used on any subsequent visits by the user to the login server”
  Opaque to the client – only the login server can decrypt it
Session cookie: scoped to app server
Problem: granting cookie does not persist
16
Software Development
No mods to the MyProxy Client
  Upload creds via normal mechanism
  Presents the granting cookie in the “password” field
Mods to MyProxy server to be able to decrypt and verify signature on pubcookie
Mods to portal (uPortal) to keep the granting cookie
  Issue: JSR 168 does not deal well with cookies
Note: we cannot use the granting cookie as the password directly
17
Cleartext in MyProxy Server?
Yes, in this instantiation
We are not unique in this regard
Alternative: Use the granting cookie as the basis to generate/retrieve user-specific [large] passphrase, like so….
18
PubCookie/MyProxy Integration
[Diagram: Browser, Pubcookie-enabled Application Server, Pubcookie Login Server, Campus Authentication Server, MyProxy Server and Password server, connected by numbered steps 1 to 13; steps 10 and 11 are marked (SSL); one label reads "Grid request"]
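A sketch of the alternative flow above, added here as an example and not the authors' or MyProxy's code: the server checks the granting cookie presented in the "password" field, then derives a stable per-user passphrase from the username instead of using the cookie itself. The cookie layout, the HMAC tag standing in for PubCookie's signature and encryption, the key names and the 300-second lifetime are all assumptions.

```python
import base64, hashlib, hmac, json, time

# Constructed keys for this sketch; a deployment would load them from protected storage.
COOKIE_KEY = b"constructed-login-server-key"        # stand-in for PubCookie sign/encrypt keys
MASTER_SECRET = b"constructed-password-server-key"  # held only by the password server
MAX_AGE = 300  # seconds a granting cookie is accepted (assumed value)

def make_cookie(user, now):
    """Login-server side, hypothetical format: 32-byte tag followed by a JSON body."""
    body = json.dumps({"user": user, "iat": now}).encode()
    tag = hmac.new(COOKIE_KEY, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag + body).decode()

def verify_cookie(cookie, now=None):
    """MyProxy-server side: return the authenticated username or raise ValueError."""
    now = time.time() if now is None else now
    raw = base64.urlsafe_b64decode(cookie.encode())  # binascii.Error is a ValueError
    tag, body = raw[:32], raw[32:]
    expected = hmac.new(COOKIE_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):       # check integrity before parsing
        raise ValueError("bad integrity tag")
    claims = json.loads(body)
    if not 0 <= now - claims["iat"] <= MAX_AGE:
        raise ValueError("cookie expired or not yet valid")
    return claims["user"]

def passphrase_for(cookie, now=None):
    """Password-server step: large per-user passphrase, identical across logins."""
    user = verify_cookie(cookie, now)
    return hmac.new(MASTER_SECRET, b"myproxy-passphrase:" + user.encode(),
                    hashlib.sha256).hexdigest()

def rejected(cookie, now=None):
    """True when the cookie fails verification."""
    try:
        verify_cookie(cookie, now)
        return False
    except ValueError:
        return True
```

Two cookies issued to the same user at different times differ byte for byte, yet both map to the same passphrase, so a credential stored under that passphrase can still be retrieved on a later login.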
19
Summary
Integration of PubCookie with MyProxy reduces the number of passphrases
Currently pushing mods to OGCE2 and MyProxy CVS
Future
  What about Shibboleth?