Presentation is loading. Please wait.

Presentation is loading. Please wait.

Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006."— Presentation transcript:

1 Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006

2 D. Olson, NIST PKI Workshop2 Contents OSG Why we use X.509 PKI How we use it What’s wrong with it

3 5 April 2006D. Olson, NIST PKI Workshop3

4 5 April 2006D. Olson, NIST PKI Workshop4 www.opensciencegrid.org 21 registered Scientific Virtual Organizations 51 Compute resources, 6 Storage resources (~ 20 additional on integration grid) O(1000) running and O(1000) pending jobs (low usage due to growing pains) Strongest driver today is LHC science program. Many other science programs are also users and participants. Interoperation with EGEE, Teragrid, numerous regional & campus grids. 85% of DOEGrids PKI certificates, ~ 1000 OU=People, 3000 OU=Services

5 5 April 2006D. Olson, NIST PKI Workshop5 Why do we use PKI? Globus GSI We have built and are growing a grid and use whatever security infrastructure is available and practical. Interoperability with the world-wide open science community is essential. –This means Globus pre-WS GSI (& WS GSI) X.509 –Additional supporting infrastructure has been deployed: VOMS, GUMS, Prima, CA/CRL distribution IGTF –And ….. IGTF RA human infrastructure is functioning

6 5 April 2006D. Olson, NIST PKI Workshop6 How do we use PKI? DOEGrids PKI operated by ESnet is our primary provider. –There is a KCA at Fermilab operating as an SLCS for person certificates, for registered Fermilab computer users. We operate the distributed human RA network to authenticate requests. Signed email & telephone. End Entities hold private keys. OU=Services certs used as SSL certs for host & service identification. Virtual Organizations (VOs) manage users via VOMS servers, using DN of EE and issuer as identifier, and holding additional attributes for authorization.

7 5 April 2006D. Olson, NIST PKI Workshop7 How do we use PKI? (Validation, AuthZ) Certificate validation during grid transaction –Proxy certificates (now some RFC exists) –Trusted CAs & CRL URLs downloaded from VDT –CRL updates using EDG tools on each resource Resource authZ –“Recommended” means is to do Role Based AuthZ by use of Prima & GUMS to interpret VOMS extended proxy certs and map to local UID/GID based on attributes signed by VOMS server. –Many sites use classic pre-WS GSI and tools to download gridmap-file entries from VOMS servers

8 5 April 2006D. Olson, NIST PKI Workshop8 What is wrong with it Incomplete infrastructure for managing user private keys –Just files in users home directory(ies) –Myproxy helps - substitution of private key/passphrase with username/password (huh???) X.509 needs mapping to resource security infrastructure (uid/gid) –Gridmap-file – but proxy does not follow process group, except for reliance upon same uid and it is common practice to map entire VO to single uid. –Ownership of long lived data??? Use short lived proxies to allow single sign-on –then do credential renewal to get long enough lifetime Revocation is cumbersome & slow –Symmetric with initial authentication & certificate issuance

Download ppt "Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006."

Similar presentations

Introduction of Grid Security

Introduction of Grid Security
Scaling TeraGrid Access A Testbed for Attribute-based Authorization and Leveraging Campus Identity Management

Scaling TeraGrid Access A Testbed for Attribute-based Authorization and Leveraging Campus Identity Management
EGI-InSPIRE RI-261323 EGI-InSPIRE EGI-InSPIRE RI-261323 AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager
Role Based VO Authorization Services Ian Fisk Gabriele Carcassi July 20, 2005.

Role Based VO Authorization Services Ian Fisk Gabriele Carcassi July 20, 2005.
MyProxy: A Multi-Purpose Grid Authentication Service

MyProxy: A Multi-Purpose Grid Authentication Service
Grid Computing Basics From the perspective of security or An Introduction to Certificates.

Grid Computing Basics From the perspective of security or An Introduction to Certificates.
Security Q&A OSG Site Administrators workshop Indianapolis August 6-7 2009 Doug Olson LBNL.

Security Q&A OSG Site Administrators workshop Indianapolis August Doug Olson LBNL.
OSG AuthZ Architecture AuthZ Components Legend VO Management Services Grid Site GUMS Site Services SAZ CE Gatekeeper Prima Is Auth? Yes / No SE SRM gPlazma.

OSG AuthZ Architecture AuthZ Components Legend VO Management Services Grid Site GUMS Site Services SAZ CE Gatekeeper Prima Is Auth? Yes / No SE SRM gPlazma.
Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.

Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.
Presentation Two: Grid Security Part Two: Grid Security A: Grid Security Infrastructure (GSI) B: PKI and X.509 certificates C: Proxy certificates D:

Presentation Two: Grid Security Part Two: Grid Security A: Grid Security Infrastructure (GSI) B: PKI and X.509 certificates C: Proxy certificates D:
Grid Security. Typical Grid Scenario Users Resources.

Grid Security. Typical Grid Scenario Users Resources.
Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006 www.opensciencegrid.org.

Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April
Generic AAA model in Grids IRTF - AAAARCH meeting IETF 52 – Dec 14 th Salt Lake City Leon Gommans Advanced Internet Research Group.

Generic AAA model in Grids IRTF - AAAARCH meeting IETF 52 – Dec 14 th Salt Lake City Leon Gommans Advanced Internet Research Group.
National Center for Supercomputing Applications MyProxy and GSISSH Update Von Welch National Center for Supercomputing Applications University of Illinois.

National Center for Supercomputing Applications MyProxy and GSISSH Update Von Welch National Center for Supercomputing Applications University of Illinois.
DGC Paris 4.03.02 Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.

DGC Paris Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.
1 REUNA Certificate Authority Juan Carlos Martínez REUNA Chile Rio de Janeiro,27/03/2006, F2F meeting, TAGPMA.

1 REUNA Certificate Authority Juan Carlos Martínez REUNA Chile Rio de Janeiro,27/03/2006, F2F meeting, TAGPMA.
A Model for Grid User Management Rich Baker Dantong Yu Tomasz Wlodek Brookhaven National Lab.

A Model for Grid User Management Rich Baker Dantong Yu Tomasz Wlodek Brookhaven National Lab.
Security Mechanisms The European DataGrid Project Team

Security Mechanisms The European DataGrid Project Team
Joining the Grid Andrew McNab. 28 March 2006Andrew McNab – Joining the Grid Outline ● LCG – the grid you're joining ● Related projects ● Getting a certificate.

Joining the Grid Andrew McNab. 28 March 2006Andrew McNab – Joining the Grid Outline ● LCG – the grid you're joining ● Related projects ● Getting a certificate.
Open Science Grid Software Stack, Virtual Data Toolkit and Interoperability Activities D. Olson, LBNL for the OSG www.opensciencegrid.org International.

Open Science Grid Software Stack, Virtual Data Toolkit and Interoperability Activities D. Olson, LBNL for the OSG International.

Similar presentations

Ads by Google