Published by Gregory Harrison. Modified over 8 years ago.
1
Identity Management in Open Science Grid: Challenges, Needs, and Future Directions
Mine Altunay, James Basney, Von Welch
2
February, 2012 ISGC 2012
Current Status of Identity Management in OSG
- OSG trusts IGTF accredited CAs + 2 TeraGrid CAs
- DOEGrids CA for issuing personal and service certificates
- OSG does not run its own CA. Runs a Registration Authority for handling requests.
- Certificates are issued by DOEGrids CA
3
OSG Trust Model: Current Identity Vetting Workflow
4
Challenges, Needs
- DOEGrids CA ramping down its services
- Announced that it will be transitioning services to the OSG
- OSG created a Roadmap [1] on how to implement and provide these services
- We will focus on the "Roadmap"
  - Requirements
  - Evaluated Options
  - Decision
  - Current Status
[1] http://osg-docdb.opensciencegrid.org/0010/001077/001/OSG-Idm-CA-Replacment-v12.pdf
5
OSG ID Roadmap Requirements
1. Certificates must work with VDT
2. LHC interoperability/IGTF Accreditation
3. Ability to provide certificates to 3000+ OSG users distributed across the USA, vetted by 36 registration authority agents
4. Ability to provide host certificates for 300+ gatekeepers plus 8000+ worker nodes to 40 grid administrators at roughly 80 OSG sites
5. Ability to sustain operation into the foreseeable future
6
Evaluated Options
- CILogon CA Basic
  - Issues user certificates based on authentication of users via the InCommon identity federation
  - No IGTF accreditation
  - No host certificates
- CILogon Silver
  - Issues user certificates based on authentication of users via the InCommon identity federation
  - IGTF accreditation
  - Not operational yet
7
Evaluated Options
- InCommon CA
  - Provides user and host certificates to InCommon subscribers
  - No IGTF accreditation
  - Only 52 out of 92 OSG institutions are members of InCommon
- NCSA CA, Planned XSEDE CA, Globus Online CA
  - Too many unknowns about the future plans
8
Evaluated Options
- CERN CA
  - Provides user certificates to LHC members
  - IGTF accredited. No host certs
  - Works for US-LHC user certificates
- Fermi KCA
  - Serves only Fermilab users
  - IGTF Accredited
  - No host certificates
9
Evaluated Options
- OSG CA: From Scratch
  - A new CA deployed at an appropriate OSG site funded and staffed by OSG and under OSG control.
  - Viable, but costly. Specialized hardware and skills to operate (HSM), no economy of scale
- Migrating DOEGrids CA to OSG
  - Transfer control and operations of the doegrids.org domain to OSG
  - DOEGrids CA software is EOL. Upgrading to new CA software has more unknowns.
  - More risky than building from scratch.
10
Evaluated Options
- DigiCert CA
  - IGTF accredited
  - Meets user and host requirements
11
The Decision
- Found DigiCert CA to be the viable option, decided to continue with a pilot study
- OSG/DigiCert partnership is trail-blazing commercial/research collaboration
- Pilot Study
  - 3 months pilot study
  - Tested against VDT; Tested UI and API against OSG workflows
  - Risk assessment and contingency planning started
  - No major problems identified
- Decided to move onto the next phase with DigiCert
12
Next Steps
- Planning and Transitioning
  - Develop a plan and timeline for the development, deployment and transition of services
  - Deployment and transition will continue until the end of 2012
- Planned services
  - OSG-provided front-end services
  - DigiCert-provided back-end CA services
  - Integration between OSG front end and DigiCert APIs