Managing Grid Credentials

Similar documents
Using the MyProxy Online Credential Repository

Deploying the TeraGrid PKI

Leveraging the InCommon Federation to access the NSF TeraGrid

GSI Online Credential Retrieval Requirements. Jim Basney

A Roadmap for Integration of Grid Security with One-Time Passwords

J. Basney, NCSA Category: Experimental October 10, MyProxy Protocol

An OGSI CredentialManager Service Jim Basney a, Shiva Shankar Chetan a, Feng Qin a, Sumin Song a, Xiao Tu a, and Marty Humphrey b

Credential Management in the Grid Security Infrastructure. GlobusWorld Security Workshop January 16, 2003

CILogon Project

Goal. TeraGrid. Challenges. Federated Login to TeraGrid

Troubleshooting Grid authentication from the client side

Federated Services for Scientists Thursday, December 9, p.m. EST

CILogon. Federating Non-Web Applications: An Update. Terry Fleury

A Hardware-secured Credential Repository for Grid PKIs

Hardware Tokens in META Centre

Credentials Management for Authentication in a Grid-Based E-Learning Platform

Pittsburgh Supercomputing Center MyProxy Certificate Authority Short Lived Credential Service (PSC MyProxy CA)

30 Nov Dec Advanced School in High Performance and GRID Computing Concepts and Applications, ICTP, Trieste, Italy

Globus Toolkit Firewall Requirements. Abstract

Kerberos and Public-Key Infrastructure. Key Points. Trust model. Goal of Kerberos

Using MATLAB on the TeraGrid. Nate Woody, CAC John Kotwicki, MathWorks Susan Mehringer, CAC

Federated access to Grid resources

Grid Computing Fall 2005 Lecture 16: Grid Security. Gabrielle Allen

UNICORE Globus: Interoperability of Grid Infrastructures

Authentication for Virtual Organizations: From Passwords to X509, Identity Federation and GridShib BRIITE Meeting Salk Institute, La Jolla CA.

UNIT IV PROGRAMMING MODEL. Open source grid middleware packages - Globus Toolkit (GT4) Architecture, Configuration - Usage of Globus

Credential Wallets: A Classification of Credential Repositories Highlighting MyProxy

Inca as Monitoring. Kavin Kumar Palanisamy Indiana University Bloomington

Performance of Cryptographic Protocols for High-Performance, High-Bandwidth and High-Latency Grid Systems

Michigan Grid Research and Infrastructure Development (MGRID)

Globus GTK and Grid Services

TeamUSA Portal Games Delegation Management Instructions

Report for the GGF 15 Community Activity: Leveraging Site Infrastructure for Multi-Site Grids

Experiences using Bridge CAs for Grids Jim Jokl a, Jim Basney b, and Marty Humphrey a

Grid Security Infrastructure

DIRAC Distributed Secure Framework

Grid Security: The Globus Perspective

KEY DISTRIBUTION AND USER AUTHENTICATION

Development of new security infrastructure design principles for distributed computing systems based on open protocols

EXPERIENCE WITH PKI IN A LARGE-SCALE DISTRIBUTED ENVIRONMENT

Managing Certificates

Grid services. Enabling Grids for E-sciencE. Dusan Vudragovic Scientific Computing Laboratory Institute of Physics Belgrade, Serbia

SA1 CILogon pilot - motivation and setup

Certification Authority

UCLA Grid Portal (UGP) A Globus Incubator Project

Network Working Group Request for Comments: 3820 Category: Standards Track. NCSA D. Engert ANL. L. Pearlman USC/ISI M. Thompson LBNL June 2004

EUROPEAN MIDDLEWARE INITIATIVE

Gridbus Portlets -- USER GUIDE -- GRIDBUS PORTLETS 1 1. GETTING STARTED 2 2. AUTHENTICATION 3 3. WORKING WITH PROJECTS 4

DIRAC distributed secure framework

GLOBUS TOOLKIT SECURITY

Network Security Essentials

CalHEERS Enroller Portal Job Aid Certified Enrollment Partners

Grid Authentication and Authorisation Issues. Ákos Frohner at CERN

glite Grid Services Overview

New open source CA development as Grid research platform.

User Authentication Principles and Methods

Troubleshooting Grid authentication from the client side

Building Blocks for a Simple TeraGrid Science Gateway

UGP and the UC Grid Portals

Acknowledgments. CSE565: Computer Security Lectures 16 & 17 Authentication & Applications

DCCKI Interface Design Specification. and. DCCKI Repository Interface Design Specification

Kerberized Certificate Issuance Protocol (KX509)

X.509. CPSC 457/557 10/17/13 Jeffrey Zhu

Deliver and manage customer VIP POCs. The lab will be directed and provide you with step-by-step walkthroughs of key features.

Public Key Infrastructure PKI. National Digital Certification Center Information Technology Authority Sultanate of Oman

Grids and Security. Ian Neilson Grid Deployment Group CERN. TF-CSIRT London 27 Jan

Policy Based Dynamic Negotiation for Grid Services Authorization

Network Device Provisioning

Cryptography and Network Security

PKI Services. Text PKI Definition. PKI Definition #1. Public Key Infrastructure. What Does A PKI Do? Public Key Infrastructures

Creating a MyAlberta Digital ID for Business Account

70-742: Identity in Windows Server Course Overview

unsuccessful attempts.

}w!"#$%&'()+,-./012345<ya

Globus Toolkit 4 Execution Management. Alexandra Jimborean International School of Informatics Hagenberg, 2009

Nancy Wilkins-Diehr San Diego Supercomputer Center (SDSC) University of California at San Diego

Common Access Card for Xerox VersaLink Printers

COMPUTE CANADA GLOBUS PORTAL

Grid Computing Security

CA-based Trust Issues for Grid Authentication and Identity Delegation

Network Security: Kerberos. Tuomas Aura

COVERED CALIFORNIA ENROLLMENT ASSISTANCE PROGRAM

Kerberos. Pehr Söderman Natsak08/DD2495 CSC KTH 2008

Introduction to Programming and Computing for Scientists

MyDHFL Access 24*7. How does this work?

by Amy E. Smith, ShiuFun Poon, and John Wray

Getting Started with XSEDE. Dan Stanzione

How to Set Up External CA VPN Certificates

NMI Component Testing Guidelines Pertaining to: NMI Release 1 (released May 7, 2002)

Digital Certificates Demystified

Certification Practice Statement of the Federal Reserve Banks Services Public Key Infrastructure

A VO-friendly, Community-based Authorization Framework

OGCE User Guide for OGCE Release 1

Kepler and Grid Systems -- Early Efforts --

Moonshot. Workshop on Federated Identity and (OpenStack) Cloud Services - SWITCH

Open Mobile API The enabler of Mobile ID solutions. Alexander Summerer, Giesecke & Devrient 30th Oct. 2014

XSEDE Canonical Use Case 4 Interactive Login

Grid Computing Fall 2005 Lecture 5: Grid Architecture and Globus. Gabrielle Allen

User Authentication. Modified By: Dr. Ramzi Saifan

GAMA: Grid Account Management Architecture

Transcription:

Managing Grid Credentials Jim Basney <jbasney@ncsa.uiuc.edu> http://www.ncsa.uiuc.edu/~jbasney/ Senior Research Scientist Grid and Security Technologies National Center for Supercomputing Applications University of Illinois at Urbana-Champaign

Credential Issuers Offline Certificate Authority Online Certificate Authority Online Credential Repository

Globus Simple CA Included in NMIR5 Provides a simple offline certificate authority Users email certificate requests that CA operator signs and returns Integrated with MyProxy http://www.globus.org/security/simple-ca.html

Other Offline CA Options OpenCA Full-featured, open source, OpenSSL-based offline CA http://www.openca.org/ Commercial CAs

KCA Included in NMIR5 Online certificate authority for Kerberos sites Authenticate with Kerberos ticket to retrieve certificate with same lifetime as ticket http://www.citi.umich.edu/projects/kerb_pki/

CACL Online certificate authority supporting username + password authentication Users retrieve long-lived certificates Used by SDSC and NCSA for TeraGrid http://www.npaci.edu/ca/

Globus Certificate Service Online certificate authority with no identity verification Third-party ID verification is over-rated! No need to duplicate ID verification already performed when setting up authorizations http://gcs.globus.org:8080/

CAcert Online CA Free, comunity, non-profit CA Uses web of trust to recruit registration authorities for optional identity verification http://www.cacert.org/

MyProxy Online Credential Repository Included in NMIR5 Stores proxy and end-entity credentials, encrypted with user-chosen passphrase Users retrieve proxy credentials via delegation keys never leave repository http://myproxy.ncsa.uiuc.edu/

MyProxy and Credential Mobility tg-login.ncsa.teragrid.org Obtain certificate Store proxy ca.ncsa.uiuc.edu tg-login.caltech.teragrid.org tg-login.sdsc.teragrid.org Retrieve proxy myproxy.teragrid.org tg-login.uc.teragrid.org

Credential Distribution via MyProxy Integration with Globus Simple CA enables myproxy-admin-adduser command Load user credentials into the repository and distribute username + password Eliminate certificate request step Users retrieve proxies from MyProxy when needed

Credential Distribution via MyProxy Request account Username, password Accounting system Obtain user s certificate Certificate authority Load user s credentials Retrieve proxy Change password MyProxy server

MyProxy and Grid Portals MyProxy server Login CHEF portal Fetch proxy Access data GridFTP server

MyProxy and Credential Renewal Submit job Workload management system Submit job Refresh proxy Globus gatekeeper Fetch proxy MyProxy server

MyProxy Credential Renewal with Condor-G Support added in Condor-G 6.7.0 Include MyProxy information in Condor-G job submission file Condor-G retrieves fresh proxies on demand from MyProxy and delegates them to running jobs

MyProxy for OGSI CredentialManagerFactory CredentialManager Instance CredentialManager Instance http://myproxy.ncsa.uiuc.edu/ogsa/

Hardware-Secured MyProxy Retrieve proxy MyProxy Server Proxy request Proxy certificate IBM 4758 M. Lorch, J. Basney, and D. Kafura, "A Hardware-secured Credential Repository for Grid PKIs," 4th IEEE/ACM International Symposium on Cluster Computing and the Grid, April 2004.

Grid Logon Initialize grid security environment with secure password protocol Retrieve proxy credentials, CA certificates, CRLs, and authorization credentials Proposed work: http://www.ncsa.uiuc.edu/~jbasney/ grid-logon.pdf

SACRED IETF proposed standard for online credential repositories RFC 3767: Securely Available Credentials Protocol Open source implementation in progress by NCSA MyProxy team and Brigham Young University Internet Security Research Lab http://sacred.sf.net/

One-Time Passwords Captured passwords represent a significant ongoing security risk. Goal: Limit lifetime of vulnerable credentials Integrate with grid security via online certificate authorities and credential repositories MyProxy OTP support in progress (early version available)

Digital Signatures Long-lifetime signing keys Integration with existing software (PKCS11, CryptoAPI)? Key management issues MyProxy support for digital signatures is planned (August 2004)

Portal Authentication MyProxy KX.509/KCA and KCT Shibboth WebISO / Cosign / Pubcookie

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback