Presentation is loading. Please wait.

Presentation is loading. Please wait.

WebFTS as a first WLCG/HEP FIM pilot

Published byLauren Norman Modified over 9 years ago

Similar presentations

Presentation on theme: "WebFTS as a first WLCG/HEP FIM pilot"— Presentation transcript:

1

2 WebFTS as a first WLCG/HEP FIM pilot
Andrea Manzi Andrey Kiryanov 8th FIM4R meeting

3 WebFTS as a first WLCG/HEP FIM pilot
What is WebFTS? Web based tool to transfer files between grid/cloud storages Modular protocol support gsiftp, http(s), xrootd and srm Cloud extensions: dropbox, CERNBox Initial development funded by WebFTS as a first WLCG/HEP FIM pilot 04/02/2015

4 WebFTS as a first WLCG/HEP FIM pilot
Based on FTS3 FTS3 is the service responsible for distributing the majority of LHC data across the WLCG infrastructure Low level data movement service, responsible for moving sets of files from one site to another while allowing participating sites to control the network resource usage Used by LHC VOs + many others VOs part of EGI ~20PB monthly transfer volume / ~2.2M files per day (WLCG) WebFTS as a first WLCG/HEP FIM pilot 04/02/2015

5 WebFTS as a first WLCG/HEP FIM pilot
“X509 free” access X509 delegation is needed to let WebFTS access the grid on users behalf Users make private key available to browser Not available via browser API We are trying to replace user certificate delegation with transparent access via Identity Federation (pilot project for WLCG) The same technology may be used for other types of services, e.g. job submission. WebFTS as a first WLCG/HEP FIM pilot 04/02/2015

6 WebFTS as a first WLCG/HEP FIM pilot
WebFTS pilot WebFTS as a first WLCG/HEP FIM pilot 04/02/2015

7 Architecture Slide adapted from Romain Wartel, GDB Sept 2014 IOTA CA
STS IdP IdP IdP IdP CERN SSO VOMS X.509 VOMS SAML SAML Redirect WAYF Credentials Attributes WebFTS Grid Storage Element X.509 VOMS Web Slide adapted from Romain Wartel, GDB Sept 2014

8 WebFTS as a first WLCG/HEP FIM pilot
eduGAIN Built on existing federations and infrastructures CERN participates in eduGAIN via SWITCHaai Many NRENs participate in eduGAIN too WebFTS as a first WLCG/HEP FIM pilot 04/02/2015 8

9 WebFTS as a first WLCG/HEP FIM pilot
IdF and CERN SSO CERN SSO service is based on Microsoft’s ADFS (Active Directory Federation Services) In order to benefit from SSO our web server (Apache) needs a special plug-in: Shibboleth –supported by CERN, widespread solution, supports all possible standards, but not easy to configure. Mellon – pure SAML2 SP. First integration done via some development versions. Since last week a specific package has been distributed by CERN for SL5/6, so it’s also officially supported. WebFTS as a first WLCG/HEP FIM pilot 04/02/2015

10 What happens when you log-in to SSO?
Web browser HTTP session SSO Apache Auth request (redirect) Auth. SAML SSO plug-in SAML Assertion SAML = Security Assertion Markup Language SAML Assertion is essentially a signed list of attributes (name, , etc.) WebFTS as a first WLCG/HEP FIM pilot 04/02/2015

11 WebFTS as a first WLCG/HEP FIM pilot
STS Security Token Service (STS) consumes SAML2 assertions and produces X.509 credentials in return. STS is an implementation of WS-Trust OASIS standard and it speaks SOAP. This functionality is based on so-called IOTA CA (Identifier-Only Trust Assurance Certification Authority) that issues short-living (days) X.509 certificates. At CERN we can get such certificates from “CERN CA” (which is NOT “CERN Grid CA”) – the same that signs EduRoam certificates. WebFTS as a first WLCG/HEP FIM pilot 04/02/2015

12 What’s in all this for WebFTS?
STS Web browser FTS3 REST API X.509 certificate SAML2 Assertion (JavaScript context) IOTA CA SAML2 Assertion Auth request SSO Apache Auth request (redirect) Auth. SAML2 SAML2 Assertion SSO plug-in WebFTS as a first WLCG/HEP FIM pilot 04/02/2015

13 WebFTS as a first WLCG/HEP FIM pilot
Next steps The way STS issues certificates has to change. Basically STS has more than one mode of operation: It can generate a key pair, sign it with a CA, and send both certificate and private key back to us. This is what is used right now, but this is wrong because private key is transmitted over the network. It can generate a proxy certificate (with or without VOMS extensions) based on a public key provided from our side. This is more secure but this requires changes in the delegation code on WebFTS side ( ongoing ) VOMS integration is implemented by FTS now. Waiting for STS VOMS integration. WebFTS as a first WLCG/HEP FIM pilot 04/02/2015

14 WebFTS as a first WLCG/HEP FIM pilot
Open Issues Above all we have to convince sites to trust IOTA-profile CAs. It has to be discussed at the level of Infrastructures: EGI, WLCG, .. How we associate different identities of the same user (e.g. normal X.509 certificate and IdF) ? Now we manually map the X509 user credentials with IOTA CA DN on the VOMS ( as alias) But how to guarantee this DN to be unique? WebFTS as a first WLCG/HEP FIM pilot 04/02/2015

15 WebFTS as a first WLCG/HEP FIM pilot
Open Issues[ii] STS RA for the IOTA CA should use an eduGAIN persistent identifier attribute to ask for a unique DN Which attributes can be consider persistent and unique in eduGAIN? Looks like the eduPersonPrincipalName can be reassigned according to local policy.. Can we use SAML2 Persistent Identifier ? And are all eduGAIN IdPs providing it? What about a combination of attributes? WebFTS as a first WLCG/HEP FIM pilot 04/02/2015

16 What we have achieved so far?
IdF-enabled WebFTS is a working prototype available at only few testing Storage Elements have IOTA CA configured This is an important step towards “X.509-free” access to Grid resources. As said the same technology may be used for other types of services WebFTS as a first WLCG/HEP FIM pilot 04/02/2015

17 WebFTS as a first WLCG/HEP FIM pilot
Questions? WebFTS as a first WLCG/HEP FIM pilot 04/02/2015

Download ppt "WebFTS as a first WLCG/HEP FIM pilot"

Similar presentations

Federated Identity for Grid Architects Tom Scavo NCSA

Federated Identity for Grid Architects Tom Scavo NCSA
EGI-InSPIRE RI-261323 EGI-InSPIRE EGI-InSPIRE RI-261323 AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager
Eunice Mondésir Pierre Weill-Tessier 1 Federated Identity with Ping Federate Project Supervisor: M. Maknavicius-Laurent ASR Coordinator: G. Bernard ASR.

Eunice Mondésir Pierre Weill-Tessier 1 Federated Identity with Ping Federate Project Supervisor: M. Maknavicius-Laurent ASR Coordinator: G. Bernard ASR.
Will Darby 91.514 5 April 2010.  What is Federated Security  Security Assertion Markup Language (SAML) Overview  Example Implementations  Alternative.

Will Darby April  What is Federated Security  Security Assertion Markup Language (SAML) Overview  Example Implementations  Alternative.
Access Control Patterns & Practices with WSO2 Middleware Prabath Siriwardena.

Access Control Patterns & Practices with WSO2 Middleware Prabath Siriwardena.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
T-110.5140 Network Application Frameworks and XML Service Federation 30.04.2007 Sasu Tarkoma.

T Network Application Frameworks and XML Service Federation Sasu Tarkoma.
Attributes, Anonymity, and Access: Shibboleth and Globus Integration to Facilitate Grid Collaboration 4th Annual PKI R&D Workshop Tom Barton, Kate Keahey,

Attributes, Anonymity, and Access: Shibboleth and Globus Integration to Facilitate Grid Collaboration 4th Annual PKI R&D Workshop Tom Barton, Kate Keahey,
Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (http://www.ag-nbi.de)http://www.ag-nbi.de.

Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (
2006 © SWITCH SWITCH Plans for Shibboleth and Grid GGF16 Feb 14, 2006 Christoph Witzig (Thomas Lenggenhager, Valery Tschopp, Placi Flury) SWITCH.

2006 © SWITCH SWITCH Plans for Shibboleth and Grid GGF16 Feb 14, 2006 Christoph Witzig (Thomas Lenggenhager, Valery Tschopp, Placi Flury) SWITCH.
18 th TF-EMC2. WebEx, June 2011 Diego R. Lopez, RedIRIS On the Many Ways to Identity Exchange (Again) Digital identities are more valuable as they are.

18 th TF-EMC2. WebEx, June 2011 Diego R. Lopez, RedIRIS On the Many Ways to Identity Exchange (Again) Digital identities are more valuable as they are.
SAML-based Delegation in Shibboleth Scott Cantor Internet2/The Ohio State University.

SAML-based Delegation in Shibboleth Scott Cantor Internet2/The Ohio State University.
Federated A(A(A))I Jens Jensen hepsysman, RAL, 20110701.

Federated A(A(A))I Jens Jensen hepsysman, RAL,
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
SWITCHaai Team Introduction to Shibboleth.

SWITCHaai Team Introduction to Shibboleth.
Enterprise Identity Steve Plank – Microsoft Ivor Bright – Charteris Dave Nesbitt – Oxford Computer Group.

Enterprise Identity Steve Plank – Microsoft Ivor Bright – Charteris Dave Nesbitt – Oxford Computer Group.
TeraGrid Science Gateways: Scaling TeraGrid Access Aaron Shelmire¹, Jim Basney², Jim Marsteller¹, Von Welch²,

TeraGrid Science Gateways: Scaling TeraGrid Access Aaron Shelmire¹, Jim Basney², Jim Marsteller¹, Von Welch²,
1.The portal sends, under the user approval, user’s attribute retrieved from IDP to CA bridge 2.CA bridge module requests to a CA-online a certificate.

1.The portal sends, under the user approval, user’s attribute retrieved from IDP to CA bridge 2.CA bridge module requests to a CA-online a certificate.
Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.

Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.
ArcGIS Server and Portal for ArcGIS An Introduction to Security

ArcGIS Server and Portal for ArcGIS An Introduction to Security

Similar presentations

Ads by Google