Using the MyProxy Online Credential Repository

Similar documents
Managing Grid Credentials

Deploying the TeraGrid PKI

GSI Online Credential Retrieval Requirements. Jim Basney

Credential Management in the Grid Security Infrastructure. GlobusWorld Security Workshop January 16, 2003

J. Basney, NCSA Category: Experimental October 10, MyProxy Protocol

CILogon Project

Credentials Management for Authentication in a Grid-Based E-Learning Platform

A Roadmap for Integration of Grid Security with One-Time Passwords

GLOBUS TOOLKIT SECURITY

Goal. TeraGrid. Challenges. Federated Login to TeraGrid

Leveraging the InCommon Federation to access the NSF TeraGrid

Network Security Essentials

Hardware Tokens in META Centre

Guidelines on non-browser access

An OGSI CredentialManager Service Jim Basney a, Shiva Shankar Chetan a, Feng Qin a, Sumin Song a, Xiao Tu a, and Marty Humphrey b

Kerberos & HPC Batch systems. Matthieu Hautreux (CEA/DAM/DIF)

Grid Computing Fall 2005 Lecture 16: Grid Security. Gabrielle Allen

Kerberos and Public-Key Infrastructure. Key Points. Trust model. Goal of Kerberos

Federated Services for Scientists Thursday, December 9, p.m. EST

MyProxy Server Installation

KEY DISTRIBUTION AND USER AUTHENTICATION

A Hardware-secured Credential Repository for Grid PKIs

Globus Toolkit Firewall Requirements. Abstract

OGCE User Guide for OGCE Release 1

CILogon. Federating Non-Web Applications: An Update. Terry Fleury

Managing Certificates

EXPERIENCE WITH PKI IN A LARGE-SCALE DISTRIBUTED ENVIRONMENT

User Authentication Principles and Methods

OpenIAM Identity and Access Manager Technical Architecture Overview

Globus GTK and Grid Services

Grid Computing Fall 2005 Lecture 5: Grid Architecture and Globus. Gabrielle Allen

GSI-based Security for Web Services

UNIT IV PROGRAMMING MODEL. Open source grid middleware packages - Globus Toolkit (GT4) Architecture, Configuration - Usage of Globus

Grid Security: The Globus Perspective

IBM. Security Digital Certificate Manager. IBM i 7.1

CPSC 467b: Cryptography and Computer Security

ArcGIS Server and Portal for ArcGIS An Introduction to Security

Radius, LDAP, Radius, Kerberos used in Authenticating Users

CA-based Trust Issues for Grid Authentication and Identity Delegation

SAML-Based SSO Solution

Information Security CS 526

Security Digital Certificate Manager

XSEDE Canonical Use Case 4 Interactive Login

Salesforce1 Mobile Security White Paper. Revised: April 2014

Grid Security Infrastructure

Digital Certificates Demystified

GAMA: Grid Account Management Architecture

Identity Provider for SAP Single Sign-On and SAP Identity Management

U.S. E-Authentication Interoperability Lab Engineer

ACS 5.x: LDAP Server Configuration Example

CERN Certification Authority

SAML-Based SSO Solution

Credential Wallets: A Classification of Credential Repositories Highlighting MyProxy

Axway Validation Authority Suite

DCCKI Interface Design Specification. and. DCCKI Repository Interface Design Specification

Authentication in real world: Kerberos, SSH and SSL. Zheng Ma Apr 19, 2005

Network Device Provisioning

SA1 CILogon pilot - motivation and setup

WHITE PAPER. Authentication and Encryption Design

30 Nov Dec Advanced School in High Performance and GRID Computing Concepts and Applications, ICTP, Trieste, Italy

Enterprise SOA Experience Workshop. Module 8: Operating an enterprise SOA Landscape

CSE 565 Computer Security Fall 2018

How to Configure Authentication and Access Control (AAA)

Authentication for Virtual Organizations: From Passwords to X509, Identity Federation and GridShib BRIITE Meeting Salk Institute, La Jolla CA.

Classification and Characterization of Core Grid Protocols for Global Grid Computing

FAQ. General Information: Online Support:

IBM i Version 7.2. Security Digital Certificate Manager IBM

BlackBerry Enterprise Server for Microsoft Office 365. Version: 1.0. Administration Guide

Certification Practice Statement of the Federal Reserve Banks Services Public Key Infrastructure

Certificate Management

But where'd that extra "s" come from, and what does it mean?

Cryptography and Network Security

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Installation and Administration

Lotus IBM WebShere Portal 6 Deployment and Administration.

An Exploration of Grid Computing to be Utilized in Teaching and Research at TU

Introduction to SciTokens

Kerberized Certificate Issuance Protocol (KX509)

Key Management and Distribution

Radius, LDAP, Radius used in Authenticating Users

Introduction to SSL. Copyright 2005 by Sericon Technology Inc.

Grid Authentication and Authorisation Issues. Ákos Frohner at CERN

Policy Manager for IBM WebSphere DataPower 7.2: Configuration Guide

Distributed Systems. 25. Authentication Paul Krzyzanowski. Rutgers University. Fall 2018

Blue Coat ProxySG First Steps Solution for Controlling HTTPS SGOS 6.7

Experiences using Bridge CAs for Grids Jim Jokl a, Jim Basney b, and Marty Humphrey a

Acknowledgments. CSE565: Computer Security Lectures 16 & 17 Authentication & Applications

DoD Common Access Card Authentication. Feature Description

Managing External Identity Sources

Data encryption & security. An overview

Introduction to Network Security Missouri S&T University CPE 5420 Key Management and Distribution

GROWL Scripts and Web Services

Open Source in the Corporate World. Open Source. Single Sign On. Erin Mulder

UGP and the UC Grid Portals

Odette CA Help File and User Manual

The SciTokens Authorization Model: JSON Web Tokens & OAuth

Report for the GGF 15 Community Activity: Leveraging Site Infrastructure for Multi-Site Grids

SOA Software Policy Manager Agent v6.1 for WebSphere Application Server Installation Guide

MU2b Authentication, Authorization and Accounting Questions Set 2

Securing ArcGIS Services

Transcription:

Using the MyProxy Online Credential Repository Jim Basney National Center for Supercomputing Applications University of Illinois jbasney@ncsa.uiuc.edu

What is MyProxy? Independent Globus Toolkit add-on since 2000 Included in Globus Toolkit 4.0 A service for securing private keys Keys stored encrypted with user-chosen password Keys never leave the MyProxy server A service for retrieving proxy credentials A commonly-used service for grid portal security Integrated with OGCE, GridSphere, and GridPort September 6, 2005 http://myproxy.ncsa.uiuc.edu/ 2

PKI Overview Public Key Cryptography Sign with private key, verify signature with public key Encrypt with public key, decrypt with private key Key Distribution signs Issuer: CA Subject: CA Who does a public key belong to? Certification Authority (CA) verifies user s identity and signs certificate Certificate is a document that binds the user s identity to a public key Issuer: CA Subject: Jim Authentication Signature [ h ( random, ) ] September 6, 2005 http://myproxy.ncsa.uiuc.edu/ 3

Proxy Credentials RFC 3820: Proxy Certificate Profile Associate a new private key and certificate with existing credentials Short-lived, unencrypted credentials for multiple authentications in a session Restricted lifetime in certificate limits vulnerability of unencrypted key Credential delegation (forwarding) without transferring private keys signs signs signs CA User Proxy A Proxy B September 6, 2005 http://myproxy.ncsa.uiuc.edu/ 4

Proxy Delegation Delegator Delegatee 2 Proxy certificate request 1 Generate new key pair 3 Sign new proxy certificate Proxy 4 Proxy Proxy September 6, 2005 http://myproxy.ncsa.uiuc.edu/ 5

MyProxy System Architecture MyProxy client Store proxy Retrieve proxy MyProxy server Proxy delegation over private TLS channel Credential repository September 6, 2005 http://myproxy.ncsa.uiuc.edu/ 6

MyProxy: Credential Mobility tg-login.ncsa.teragrid.org Obtain certificate Store proxy ca.ncsa.uiuc.edu tg-login.caltech.teragrid.org myproxy.teragrid.org tg-login.sdsc.teragrid.org Retrieve proxy tg-login.uc.teragrid.org September 6, 2005 http://myproxy.ncsa.uiuc.edu/ 7

MyProxy and Grid Portals MyProxy server Login Portal Fetch proxy Access data GridFTP server September 6, 2005 http://myproxy.ncsa.uiuc.edu/ 8

MyProxy: User Registration Request account Set username/password Registration portal Obtain user certificate Certificate authority Load user s credentials Login with username/password Grid portal Retrieve proxy MyProxy server PURSE: Portal-based User Registration Service GAMA: Grid Account Management Architecture ESG September 6, 2005 http://myproxy.ncsa.uiuc.edu/ 9

MyProxy: Key Upload/Download Provides ability to store and retrieve keys and certificates directly over the network Encrypted keys transferred over SSL/TLS encrypted channel In contrast to using proxy delegation Allows storing end-entity credentials Key retrieval must be explicitly enabled by server administrator and key owner September 6, 2005 http://myproxy.ncsa.uiuc.edu/ 10

Credential Renewal Long-lived jobs or services need credentials Task lifetime is difficult to predict Don t want to delegate long-lived credentials Fear of compromise Instead, renew credentials as needed during the job s lifetime Renewal service provides a single point of monitoring and control Renewal policy can be modified at any time Disable renewals if compromise is detected or suspected Disable renewals when jobs complete September 6, 2005 http://myproxy.ncsa.uiuc.edu/ 11

MyProxy: Credential Renewal Submit job Condor-G / Renewal Service Submit job Refresh proxy Globus gatekeeper Retrieve proxy MyProxy server Daniel Kouril and Jim Basney, "A Credential Renewal Service for Long-Running Jobs," 6th IEEE/ACM International Workshop on Grid Computing (Grid 2005), Seattle, WA, November 13-14, 2005. September 6, 2005 http://myproxy.ncsa.uiuc.edu/ 12

MyProxy Authentication Key Passphrase X.509 Certificate Used for credential renewal Pluggable Authentication Modules (PAM) Kerberos password One Time Password (OTP) Lightweight Directory Access Protocol (LDAP) password Simple Authentication and Security Layer (SASL) Kerberos ticket (SASL GSSAPI) September 6, 2005 http://myproxy.ncsa.uiuc.edu/ 13

One Time Passwords (OTP) Protect against stolen passwords Hardware token generates OTP Authenticate with OTP alone or combined with key passphrase Tested with CryptoCard tokens at NCSA Compatible with existing MyProxy clients September 6, 2005 http://myproxy.ncsa.uiuc.edu/ 14

Managing Trust Roots Address challenge of keeping trust root configuration up-to-date across machines CA certificates and CRLs User s trust roots can differ from site s myproxy-logon -T Synchronizes contents of ~/.globus/certificates with MyProxy server September 6, 2005 http://myproxy.ncsa.uiuc.edu/ 15

MyProxy CA MyProxy server issues short-lived certificates to authenticated clients Leverage MyProxy authentication mechanisms Compatible with existing MyProxy clients Avoid managing long-lived user keys Server can function as both CA and repository Issue certificate if no credentials found for user Coming soon! September 6, 2005 http://myproxy.ncsa.uiuc.edu/ 16

MyProxy and Pubcookie Combine web and grid single sign-on Authenticate to MyProxy with Pubcookie granting cookie Coming soon! Pubcookie Login Server Redirect to authenticate and obtain granting cookie Verify login Campus Authentication Server Browser Web Application Server Retrieve proxy MyProxy server Jonathan Martin, Jim Basney, and Marty Humphrey, "Extending Existing Campus Trust Relationships to the Grid through the Integration of Pubcookie and MyProxy," 2005 International Conference on Computational Science (ICCS 2005), Emory University, Atlanta, GA, May 22-25, 2005. September 6, 2005 http://myproxy.ncsa.uiuc.edu/ 17

MyProxy Security Keys encrypted with user-chosen passwords Server enforces password quality Passwords are not stored Dedicated server less vulnerable than desktop and general-purpose systems Professionally managed, monitored, locked down Users retrieve short-lived credentials Generating new proxy keys for every session All server operations logged to syslog Caveat: Private key database is an attack target Compare with status quo September 6, 2005 http://myproxy.ncsa.uiuc.edu/ 18

Hardware-Secured MyProxy Protect keys in tamper-resistant cryptographic hardware Retrieve proxy MyProxy Server Proxy request Proxy certificate IBM 4758 PKCS#11 Experimental M. Lorch, J. Basney, and D. Kafura, "A Hardware-secured Credential Repository for Grid PKIs," 4th IEEE/ACM International Symposium on Cluster Computing and the Grid (CCGrid), April 2004. September 6, 2005 http://myproxy.ncsa.uiuc.edu/ 19

MyProxy CoG Clients Commodity Grid (CoG) Kits Provide portable (Java, Python, and Perl) MyProxy client tools & APIs Windows support For more information: http://www.cogkit.org/ September 6, 2005 http://myproxy.ncsa.uiuc.edu/ 20

MyProxy Commands myproxy-init: store proxy myproxy-logon: retrieve proxy myproxy-info: query stored credentials myproxy-destroy: remove credential myproxy-change-pass-phrase: change password encrypting private key myproxy-store: store credential myproxy-retrieve: retrieve credential September 6, 2005 http://myproxy.ncsa.uiuc.edu/ 21

MyProxy Installation (Unix) Included in GT 4.0 $ make gsi-myproxy; make install As an add-on component to GT 3.x $ gpt-build myproxy*.tar.gz <flavor> Set $MYPROXY_SERVER environment variable to myproxy-server hostname $ export MYPROXY_SERVER=myproxy.ncsa.uiuc.edu Set Globus Toolkit environment $. $GLOBUS_LOCATION/etc/globus-user-env.sh Client installation/configuration complete! September 6, 2005 http://myproxy.ncsa.uiuc.edu/ 22

MyProxy Server Administration Install server certificate and CA certificate(s) Configure /etc/myproxy-server.config policy Template provided with examples Optionally: Configure password quality enforcement Install cron script to delete expired credentials Install boot script and start server Example boot script provided Use myproxy-admin commands to manage server Reset passwords, query repository, lock credentials September 6, 2005 http://myproxy.ncsa.uiuc.edu/ 23

MyProxy Server Policies Who can store credentials? Restrict to specific users or CAs Restrict to administrator only Who can retrieve credentials? Allow anyone with correct password Allow only trusted services / portals Maximum lifetime of retrieved credentials server-wide and per-credential September 6, 2005 http://myproxy.ncsa.uiuc.edu/ 24

MyProxy Server Replication Primary/Secondary model (like Kerberos) If primary is down, fail-over to secondary for credential retrieval Store, delete, and change passphrase on primary only Client-side fail-over under development Simple configuration Run myproxy-replicate via cron Alternatively, use rsync over ssh Coming soon! September 6, 2005 http://myproxy.ncsa.uiuc.edu/ 25

MyProxy and Standards MyProxy protocol specification submitted to GGF recommendations track Currently under steering group review MyProxy uses: IETF RFC 2246: Transport Layer Security (TLS) Protocol Version 1.0 IETF RFC 3820: Internet X.509 PKI Proxy Certificate Profile DCE RFC 86.0: Pluggable Authentication Modules (PAM) IETF RFC 2222: Simple Authentication and Security Layer (SASL) September 6, 2005 http://myproxy.ncsa.uiuc.edu/ 26

Related Work GT4 Delegation Service Protocol based on WS-Trust and WSRF UVA CredEx WS-Trust credential exchange service SACRED (RFC 3767) Credential Repository http://sacred.sf.net/ Kerberized Online CA (KX.509/KCA) Kerberos -> PKI Kerberos PKINIT PKI -> Kerberos September 6, 2005 http://myproxy.ncsa.uiuc.edu/ 27

MyProxy Community MyProxy is an open source, community project Many contributions from outside NCSA myproxy-users@ncsa.uiuc.edu mailing list Bug tracking: http://bugzilla.ncsa.uiuc.edu/ Anonymous CVS access :pserver:anonymous@cvs.ncsa.uiuc.edu:/cvs/myproxy Contributions welcome! Feature requests, bug reports, patches, etc. September 6, 2005 http://myproxy.ncsa.uiuc.edu/ 28

Thank you! Questions/Comments? Contact: jbasney@ncsa.uiuc.edu September 6, 2005 http://myproxy.ncsa.uiuc.edu/ 29

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback