TeraGrid ’06 National Center for Supercomputing Applications Managing Credentials on the TeraGrid with MyProxy Jim Basney.


1 TeraGrid ’06 http://myproxy.ncsa.uiuc.edu National Center for Supercomputing Applications
Managing Credentials on the TeraGrid with MyProxy
Jim Basney, Senior Research Scientist
National Center for Supercomputing Applications
University of Illinois at Urbana-Champaign
jbasney@ncsa.uiuc.edu

2 What is MyProxy?
A service for managing X.509 PKI credentials
  – A credential repository and certificate authority
An Online Credential Repository
  – Issues short-lived X.509 Proxy Certificates
  – Long-lived private keys never leave the server
An Online Certificate Authority
  – Issues short-lived X.509 End Entity Certificates
Supporting multiple authentication methods
  – Passphrase, Certificate, PAM, SASL, Kerberos
Open Source Software
  – Included in Globus Toolkit, VDT, and CoG Kits
  – C, Java, Python, and Perl clients available
  – Contributions from EDG, UVA, LBNL, and others

3 MyProxy and TeraGrid
MyProxy v3.4 clients in CTSS 3
myproxy.teragrid.org server
  – Retrieve credentials with myproxy-logon
  – Store credentials with myproxy-init
MyProxy-based authentication
  – TeraGrid User Portal
  – TeraGrid Ticket System
Software for Science Gateways
  – Portal-based User Registration
  – Web Single Sign-on

4 MyProxy Put
[Diagram. Parties: Client, MyProxy Server. Labels: keypair, certificate, private key, certificate request, proxy certificate chain, username, password, policy, cert chain, TLS handshake.]

5 MyProxy Get
[Diagram. Parties: Client, MyProxy Server, Grid Service. Labels: private key, certificate request, proxy certificate chain, username, password, cert chain, TLS handshake, X.509.]

6 TeraGrid User Portal
All TeraGrid users receive a Portal username and password
  – Login to https://portal.teragrid.org/
  – Portal obtains credentials for resource access
  – Users can run myproxy-logon to obtain credentials directly from MyProxy
Uses MyProxy CA with Kerberos PAM
  – TERAGRID.ORG Kerberos Realm
  – Leverages existing NCSA Online CA

7 MyProxy CA with PAM
[Diagram. Parties: Client/Portal, MyProxy Server, PAM, Kerberos KDC, Grid Service. Labels: gridmap, CA key, keypair, password, TGT, certificate request, certificate, TLS handshake, X.509.]

8 TeraGrid Ticket System
Uses MyProxy for certificate-based authentication
  – Store a credential with myproxy-init
  – Enter MyProxy password on Ticket System https://tickets.teragrid.org/
  – Ticket System verifies certificate identity using TeraGrid grid-mapfile

9 TG Ticket System Authentication
[Diagram. Parties: myproxy-init, MyProxy, Browser, Tickets. Labels: private key, certificate, certificate request, proxy certificate chain, cert chain, cert, key, cert request, username, password, gridmap, TLS handshake, X.509.]

10 TeraGrid Science Gateways
Community interfaces to TG resources
  – Web portals, desktop applications, etc.
Many different approaches to user authentication
MyProxy can assist with
  – User registration
  – Certificate management
  – Single sign-on

11 MyProxy and Grid Portals

12 User Registration Portals
PURSE: Portal-based User Registration Service
GAMA: Grid Account Management Architecture
ESG

13 Trusted Portal
[Diagram. Parties: Browser, Portal, User DB, MyProxy, Grid Service. Labels: cert, key, cert request, username, password, TLS handshake, X.509.]

14 MyProxy and Web SSO
[Diagram. Parties: PURSE, MyProxy, Browser, Portal A, Portal B, Pubcookie Login Server, Grid Service. Labels: password, cert, cookie, X.509.]

15 SSO for Browser and Application
[Diagram. Parties: Portal, MyProxy Server, Browser, Application, Grid Service. Labels: Authenticate, password, random, JWS, cert, X.509.]

16 Password-based Delegation
[Diagram. Parties: MyProxy, Delegatee, Delegator. Labels: certificate, private key, certificate request, username, password, random, TLS handshake.]

17 Conclusion
MyProxy provides credential management services for TeraGrid
  – myproxy.teragrid.org server
  – TeraGrid User Portal and Ticket System authentication
MyProxy supports many credential management options for portals and web services
  – Requests for new functionality are invited

18 Thank you!
Questions? Comments?
For more information:
  – jbasney@ncsa.uiuc.edu
  – http://myproxy.ncsa.uiuc.edu/
  – http://www.globus.org/toolkit/security/myproxy/

