GSI Online Credential Retrieval Requirements. Jim Basney


GSI Online Credential Retrieval Requirements
Jim Basney
jbasney@ncsa.uiuc.edu
http://www.ncsa.uiuc.edu/~jbasney/

Online Credential Retrieval Defined

Exchange between client and server:
1. Authenticate
2. Request credential
3. Verify authorization
4. Retrieve credential

Motivation for OCR

- Credential management
  - Securely manage credential files on the user's behalf
  - Ease use of multiple credentials
- Credential translation
  - Single sign-on to multiple authentication mechanisms and domains
- Credential renewal by trusted services
  - Alternative to delegating long-lived proxies
- Indirect credential delegation
  - Example: web portals

OCR Examples

Service       | Auth Method     | Credential
------------- | --------------- | ---------------------------
MyProxy       | Password        | X509 user proxy
K5Cert        | Kerberos        | K5 CA issued X509 cert
CAS           | GSI             | X509 community proxy
GSIklog       | GSI             | AFS token
SSLK5         | SSL             | Kerberos ticket
Kerberos KDC  | AS_REQ+preauth  | Kerberos ticket
CA            | OOB or IAK      | CA issued X509 certificate

OCR Implementations

- Online credential authority
  - Examples: online CA, Kerberos KDC
  - Creates credentials on demand
  - Vulnerability of the authority's private key is a concern
- Encrypted credential repository
  - Credentials stored encrypted in the repository
  - Credentials may be opaque to protocol and repository
  - Requires client to decrypt credentials on receipt
- Delegating credential repository
  - Unencrypted credential stored in repository
  - Server delegates credential to client

Proposed GGF Activity

- OCR Requirements document
  - What OCR services are needed for Grids?
- OCR Framework document
  - Address policy issues of credential repositories, credential translation, credential renewal
  - Recommendations for interoperability
- OCR Protocol document
  - Define an OCR protocol framework that enables interoperability between different types of OCR services
  - Share mechanisms between OCR implementations (auditing, delegation tracing, event notification, etc.)

Standards Activity

- IETF SACRED WG
  - Credential format MUST be opaque to the protocol
  - Protocol MUST NOT force credentials to be present in clear text on the server
- IETF PKIX WG
  - Online Certificate Authorities
  - Certificate request may include Initial Authentication Key
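The encrypted credential repository model from the OCR Implementations slide, combined with the SACRED rule that the server never holds a credential in clear text, as an added Python illustration that is not part of the original slides and not MyProxy's or any real OCR protocol's code: the client seals its credential under a passphrase-derived key, the repository stores only an opaque blob plus a separate authentication verifier, and decryption happens on the client after retrieval. The HMAC-based counter-mode cipher is a stdlib-only stand-in for an AEAD, an assumption of this example rather than anything the slides prescribe.

```python
import hashlib
import hmac
import secrets

# Constructed illustration of the "encrypted credential repository" model and the
# SACRED rule that the server never holds a credential in clear text (not MyProxy code).

def derive_key(passphrase: str, salt: bytes, purpose: bytes) -> bytes:
    # Separate keys for authentication and encryption from one passphrase.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), purpose + salt, 100_000)

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Counter mode with HMAC-SHA256 as the PRF: a stdlib-only stand-in for an
    # AEAD such as AES-GCM, chosen so the example runs with no extra packages.
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, nonce + off.to_bytes(4, "big"), "sha256").digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)

def seal_credential(passphrase: str, credential: bytes) -> tuple[bytes, bytes, bytes]:
    """Client side. Returns (salt, auth_verifier, blob) where blob = nonce || ct || tag."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key = derive_key(passphrase, salt, b"enc")
    ct = keystream_xor(enc_key, nonce, credential)
    tag = hmac.new(enc_key, nonce + ct, "sha256").digest()  # encrypt-then-MAC
    return salt, derive_key(passphrase, salt, b"auth"), nonce + ct + tag

def open_credential(passphrase: str, salt: bytes, blob: bytes) -> bytes:
    """Client side. Verifies the tag first; raises on tampering or a wrong passphrase."""
    enc_key = derive_key(passphrase, salt, b"enc")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(enc_key, nonce + ct, "sha256").digest()):
        raise ValueError("credential blob failed integrity check")
    return keystream_xor(enc_key, nonce, ct)

class EncryptedRepository:
    """Server side. Stores (salt, verifier, blob) per user and can never decrypt blob."""
    def __init__(self) -> None:
        self._store: dict[str, tuple[bytes, bytes, bytes]] = {}

    def upload(self, user: str, salt: bytes, verifier: bytes, blob: bytes) -> None:
        self._store[user] = (salt, verifier, blob)

    def retrieve(self, user: str, passphrase: str) -> bytes:
        # OCR "authenticate / verify authorization" step; returns the still-opaque blob.
        salt, verifier, blob = self._store[user]
        if not hmac.compare_digest(verifier, derive_key(passphrase, salt, b"auth")):
            raise PermissionError("authentication failed")
        return blob
```

A compromised repository in this model yields only PBKDF2 verifiers and ciphertext, which is what distinguishes it from the delegating repository that must hold the unencrypted credential.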

Protocol Requirements

- Mutual authentication
  - Client-side configuration required to authenticate server
- Multiple authentication mechanisms
  - Password, GSI, Kerberos
- Delegate different credential types
  - X509 cert, X509 proxy, Kerberos ticket
- Client can choose among available credentials
  - Query available credentials and choose
  - Request credential that meets specification
- Administrative protocols
  - Credential upload and remove
  - Authorization control (user, administrator, and community)
- OGSA-compliant

OCR Issues

- Authorization
- Restricted delegation
- Delegation tracing across multiple mechanisms
- Audit trail
- Notification services
- Compatibility with site security policies
- Availability/Replication

Discussion

- Is there a need for OCR services in the Grid?
- If so, what types of OCR services are needed?
- Will production Grid policies allow OCR services?
  - Centralized key storage
  - Transitive trust
- Is there interest in GGF OCR activity?
- Any comments on the requirements draft?
- Other comments or discussion topics?