PSC MyProxy CA Short-Lived Credential Service
Derek Simmel <dsimmel@psc.edu>
Pittsburgh Supercomputing Center
TAGPMA Meeting
Friday, October 16, 2009
Banff, Alberta, Canada

PSC MyProxy CA SLCS - Outline
• Introduction
  • Pittsburgh Supercomputing Center and TeraGrid
• Motivation
  • Purpose of the PSC MyProxy CA SLCS
• PSC PKI
  • Relationship among PSC CAs
• PSC MyProxy CA SLCS Usage Environment
• Certificate Policy / Certification Practice Statement
  • ID Vetting, Allocations, User Database, DNs, Authentication, Physical Security, Fault Tolerance, Data & Network Security
• Incident Response Contact Information

Pittsburgh Supercomputing Center
www.psc.edu
• The Pittsburgh Supercomputing Center is a joint effort of Carnegie Mellon University and the University of Pittsburgh together with Westinghouse Electric Company. Established in 1986, PSC is supported by several federal agencies, the Commonwealth of Pennsylvania and private industry.

TeraGrid
www.teragrid.org
• The TeraGrid project is funded by the U.S. National Science Foundation and includes 11 partners: Indiana, LONI, NCAR, NCSA, NICS, ORNL, PSC, Purdue, SDSC, TACC & UC/ANL

PSC MyProxy CA SLCS
• The TAGPMA-accredited NCSA-SLCS provides short term certificates to TeraGrid users from myproxy.teragrid.org
• Users who log into the TeraGrid User Portal using their TERAGRID.ORG Kerberos principal automatically get issued a short-term certificate to initiate subsequent SSL/TLS/GSI secured tasks through the portal
• TeraGrid decided to set up a secondary MyProxy CA as a backup in the event network connectivity to NCSA is lost.
• PSC volunteered to host this secondary MyProxy CA
• Backup TeraGrid Central Database (TGCDB) already at PSC
• PSC already operates a secondary Kerberos Key Distribution Center (KDC) for TERAGRID.ORG (primary is at NCSA)

PSC PKI Certificate Authorities
• PSC Root CA and PSC Hosts CA are maintained securely offline
• PSC MyProxy CA online SLCS is operated in a physically secured production HPC machine room environment
[Diagram labels: PSC Root CA, PSC MyProxy CA, PSC Hosts CA]

PSC MyProxy CA SLCS
• Independent backup SLCS for the TeraGrid MyProxy CA (TAGPMA-accredited NCSA SLCS)
• Uses the same Registration Authority as the NCSA-SLCS
• Separate but similar Certificate Subject DNs:
  • TeraGrid (NCSA-SLCS):
    • C=US, O=National Center for Supercomputing Applications, CN={NCSA Unique TeraGrid User Name String}
  • PSC MyProxy CA SLCS:
    • C=US, O=Pittsburgh Supercomputing Center, CN={NCSA Unique TeraGrid User Name String}
  • {NCSA Unique TeraGrid User Name String} from TGCDB

PSC MyProxy CA SLCS Usage Environment
• Same User Database and usage environment as NCSA SLCS
• Same Kerberos Authentication Infrastructure as NCSA SLCS (TERAGRID.ORG realm – primary at NCSA, secondary at PSC)

PSC MyProxy CA SLCS CP/CPS
• Based largely on TAGPMA-accredited NCSA-SLCS CP/CPS
• Version 1.0 available online at the PSC PKI repository
  • http://www.psc.edu/ca/cps/PSC-MyProxy-CA-CPCPS.pdf
• The current edition will also be linked to
  • http://www.psc.edu/ca/cps/4b2783ac.cps.pdf
• OID: 1.3.6.1.4.1.26703.99.7512.1.1.1.0
  • Pittsburgh Supercomputing Center (1.3.6.1.4.1.26703)
  • Certificate Authorities (.99)
  • MyProxy Certificate Authority (.7512)
  • Short-Lived Credential Service (.1)
  • Certificate Policy / Certification Practice Statement (.1)
  • Version (.1.0)

Subscriber ID Vetting
• (NCSA) TeraGrid Allocations staff are Registration Authorities
  • Enroll users
  • Assign unique distinguished names
  • Create Kerberos accounts with unique usernames
• http://www.teragrid.org/userinfo/access/index.php
• Vetting is either
  • in person (TeraGrid site employees)
  • by professional peer review (project Principal Investigators)
  • by direct personal contact of a PI (PI project members), or
  • by (NCSA) TeraGrid allocations staff members (project accounts)
• Initial passwords are distributed only by U.S. postal mail

TeraGrid Project Allocation Peer Review
• Proposals for TeraGrid Project allocations by Principal Investigators (PIs) are peer-reviewed according to NSF TeraGrid CyberInfrastructure Partnership process
  • http://www.ci-partnership.org/Allocations/
• This is the same process that has been used for 20+ years for access to NSF supercomputing resources

TeraGrid Central Database (TGCDB)
Entries for:
• Authorized PSC Employees
• PIs for peer-reviewed projects
• Project members specified by PIs
Containing:
• Legal Name
• Unique Common Name
  • Legal name plus serial number in case of name conflict
• Unique Kerberos principal / Unix login name
• Default password
• Postal address

Distinguished Names
• PSC MyProxy CA DN:
  • C=US, O=Pittsburgh Supercomputing Center, CN=PSC MyProxy CA
• Subscriber (TeraGrid User) DNs:
  • C=US, O=Pittsburgh Supercomputing Center, CN=User Name #
• Example:
  • C=US, O=Pittsburgh Supercomputing Center, CN=Jim Marsteller 2
• User DNs for both the NCSA-SLCS and PSC MyProxy CA SLCS are already registered at TeraGrid sites
• Account generation process pushes SLCS DNs out to TeraGrid sites automatically through accounting infrastructure (AMIE)
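
How a relying site could resolve the two SLCS subject DNs above to one local account, as an added example that is not PSC or TeraGrid code. The function names, the sample rows, and the rule that a subscriber DN must share its issuer's C and O are assumptions; the DN strings follow the slides.

```python
import re

# O= component each SLCS places in subscriber DNs (taken from the slides).
SLCS_ORG = {
    "NCSA-SLCS": "National Center for Supercomputing Applications",
    "PSC MyProxy CA SLCS": "Pittsburgh Supercomputing Center",
}
PSC_CA_DN = "C=US, O=Pittsburgh Supercomputing Center, CN=PSC MyProxy CA"

# Constructed stand-in for TGCDB rows: (unique common name, Unix login).
# The second name carries a serial number, as used on a legal-name conflict.
SAMPLE_ROWS = [("Alex Example", "aexample"), ("Alex Example 2", "aexampl2")]


def parse_dn(dn):
    """Split 'C=US, O=..., CN=...' into ordered (attribute, value) pairs."""
    pairs = []
    for part in re.split(r",\s*(?=[A-Z]+=)", dn.strip()):
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed DN component: {part!r}")
        pairs.append((attr.strip(), value.strip()))
    return tuple(pairs)


def build_dn_map(rows):
    """Register both SLCS subject DNs of every user against one login."""
    dn_map = {}
    for common_name, login in rows:
        for org in SLCS_ORG.values():
            key = parse_dn(f"C=US, O={org}, CN={common_name}")
            if key in dn_map:
                raise ValueError(f"common name is not unique: {common_name}")
            dn_map[key] = login
    return dn_map


def authorize(subject_dn, issuer_dn, dn_map):
    """Return the login for a certificate, or None if it is refused."""
    subject, issuer = parse_dn(subject_dn), parse_dn(issuer_dn)
    # Assumed policy: a subscriber DN is C, O, CN under its issuer's C and O.
    if len(subject) != 3 or subject[2][0] != "CN" or subject[:2] != issuer[:2]:
        return None
    # Only DNs pushed out by account generation map to an account.
    return dn_map.get(subject)
```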

User Authentication
• All certificate requests authenticated via Kerberos 5
• Authentication service for TeraGrid users and TeraGrid site staff to access TeraGrid HPC systems, storage, and web services
• Monitoring processes in place to detect disclosure of Kerberos passwords
• NCSA hosts the primary TERAGRID.ORG KDC
• PSC (among other TeraGrid sites) hosts a secondary KDC
• myproxy.teragrid.org (NCSA-SLCS) and PSC MyProxy CA SLCS authenticate to the same TERAGRID.ORG Kerberos realm
• Certificates are issued with a Common Name corresponding to Kerberos principal name in the TeraGrid Central Database
• TGCDB is replicated at PSC for fault tolerance

Physical Security
• The PSC HPC production systems machine room is a highly-secured industrial facility (Westinghouse Energy Center) located 11 miles from the main PSC staff offices. Site security personnel monitor the facility 24x7x365 via video surveillance and frequent patrols.
• Authorized PSC personnel must use two-factor authentication (keycard + unique secret key code entry) to gain access to the facility. All entries to and exits from the building and machine room are logged.

Hardware Security Modules
• SafeNet ProtectServer Gold, hardware v66.00, firmware v2.07
• U.S. FIPS 140-2 Level 3 certified (FIPS certificate #1137)
• To provide fault tolerance, PSC MyProxy CA private keys will be replicated on two identical cryptographic Hardware Security Modules, one on each of two identical hosts installed in the secured PSC HPC production systems machine room. One host will automatically continue service if the other fails.

Network Security
• Dedicated network behind proprietary hardware firewall
• Linux Kernel Server Firewall (iptables)
• Open ports: SSH, MyProxy
• Remote login via SSH with CryptoCard One-Time-Password (OTP) hardware token authentication
• Restricted by firewall to connections from select PSC administrative hosts
• Network-based Intrusion Detection

Incident Response Contact Information
• PSC Hotline: +1 800-221-1641
• PSC Information Security Officer
  • Jim Marsteller <jam@psc.edu>
    Information Security Officer
    Pittsburgh Supercomputing Center
    300 South Craig Street
    Pittsburgh, PA 15213
    U.S.A.
    +1 412-268-4960
• Inquiries regarding certificates issued by the PSC PKI
  • <ca-admin@psc.edu>
• General inquiries: <remarks@psc.edu>