
SURAGrid User/Host Certificate Authority

SURAGrid User/Host Certificate Authority. SURAgrid Meeting MARCH 26, 2010 Jim Jokl University of Virginia. Schematic of SURAGrid Globus PKI Integration. F’s PKI. Campus F Grid. SURAGrid Bridge CA. E’s PKI. Campus E Grid. Cross-cert pairs. D’s PKI. A’s PKI. B’s PKI. C’s PKI.


Presentation Transcript


  1. SURAGrid User/Host Certificate Authority. SURAgrid Meeting, March 26, 2010. Jim Jokl, University of Virginia

  2. Schematic of SURAGrid Globus PKI Integration
     [Diagram labels: SURAGrid Bridge CA; cross-cert pairs; A’s through F’s PKI; Campus A Grid through Campus F Grid]

  3. SURAGrid: Original Plan
     • Sites provide dedicated systems
     • Trust fabric via SURAGrid Bridge CA
       • Evolve to use HEBCA & USHER when ready
     • LDAP server(s) hold
       • Cross-certificate pairs
       • Globus policy files
       • Unix UID information
       • Unix login names using a naming convention
     • Shim Software
       • Automates grid_mapfile
       • Manages Unix accounts
     • Site Administrators
       • Manage their own users, enabling or disabling their access to SURAGrid
     [Diagram labels: Shim (×4); Site A, Site B, Site C, Site D; Bridge CA; Site Admins; LDAP Server]

  4. SURAGrid: Current Architecture
     • Some sites will dedicate systems, others will utilize shared resources
     • The Bridge CA, LDAP servers, and Site Admin infrastructure remain the same
     • Sites that dedicate resources will continue to use the Shim
     • Sites providing pieces of shared infrastructure will leverage the data in the LDAP servers as needed
     • Some tools are provided for grid-mapfile, cross-certs, etc.
     [Diagram labels: Shim (×2); Site A, Site B, Site C, Site D; Bridge CA; Site Admins; LDAP Server]

  5. A year or two ago: Target Picture?
     [Diagram labels: Shim (×3); Site A, Site B, Site C, Site D, Site Y, Site Z; Bridge CA (×2); Site Admins; LDAP Server (×2); GridCA (×2)]

  6. Current State
     [Diagram labels: Shim (×2); Site A, Site B, Site C, Site D; Site Admins; InCommon; Bridge CA; SURAGrid USER CA; LDAP Server; iKey; Grid User Certificate]

  7. Some Action Items for Production
     • InCommon Interface
     • Any InCommon user direct use?
     • A list of EPPNs of site administrators
     • Direct integration with SURAgrid LDAP?
     • Cross-certification with final keypair
     • https://www.pki.virginia.edu/sura-bridge/

  8. Discussion
     • What else?
     • Enable the InCommon service as-is asap (admins are the only ones that can generate a certificate)
     • Soon, enable users from InCommon schools to obtain certificates whenever they want
     • Add in the host cert function for site admins only
     • More discussion in the future on what/if to integrate with LDAP (might be able to let site admins auto register user certs in ldap via checkbox)
     • Redo SURA iKeys
     • Make the SURAGrid User CA root certificate available for download
     • Fix the spelling “SURAgrid” – little G
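
The grid-mapfile automation that slides 3 and 4 attribute to the Shim, as an added example that is not part of the original presentation and not SURAgrid's own code: it regenerates a Globus grid-mapfile from directory records and drops users a site administrator has disabled. The record fields, the login pattern, the reserved-name list and the sample users are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class GridUser:           # hypothetical record shape, not the SURAgrid LDAP schema
    subject_dn: str       # certificate subject in "/"-separated form
    unix_login: str       # local account name held in the directory
    enabled: bool         # site administrator's enable/disable decision

LOGIN_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")   # assumed login naming rule
# Reject quotes, backslashes and control characters instead of escaping them,
# so a directory value can never break the one-entry-per-line file format.
DN_RE = re.compile(r"(/[A-Za-z0-9.]+=[^/\"\\\x00-\x1f]+)+")
RESERVED = {"root", "daemon", "bin"}                # assumed deny list

def build_grid_mapfile(users):
    """Return (mapfile_text, rejected); rejected is a list of (dn, reason)."""
    mapping, rejected = {}, []
    for u in users:
        if not u.enabled:
            continue  # full regeneration: a disabled user simply disappears
        if not DN_RE.fullmatch(u.subject_dn):
            rejected.append((u.subject_dn, "malformed DN"))
        elif not LOGIN_RE.fullmatch(u.unix_login) or u.unix_login in RESERVED:
            rejected.append((u.subject_dn, "login not allowed"))
        elif mapping.get(u.subject_dn, u.unix_login) != u.unix_login:
            rejected.append((u.subject_dn, "conflicting login"))
        else:
            mapping[u.subject_dn] = u.unix_login
    lines = [f'"{dn}" {login}' for dn, login in sorted(mapping.items())]
    return "\n".join(lines) + "\n", rejected

# Constructed sample records (not real SURAgrid data)
SAMPLE = [
    GridUser("/C=US/O=Example Campus A/CN=Alice Adams", "sga_aadams", True),
    GridUser("/C=US/O=Example Campus B/CN=Bob Brown", "sgb_bbrown", False),
    GridUser("/C=US/O=Example Campus A/CN=Alice Adams", "sga_other", True),
    GridUser("/C=US/O=Example Campus C/CN=Mallory", "root", True),
    GridUser('/C=US/O=Example Campus C/CN=Eve"\n"/CN=x', "sgc_eve", True),
]

if __name__ == "__main__":
    text, rejected = build_grid_mapfile(SAMPLE)
    print(text, end="")
    for dn, reason in rejected:
        print(f"rejected {dn!r}: {reason}")
```

Writing the result to a temporary file and renaming it over the live grid-mapfile keeps the gatekeeper from ever reading a half-written mapping.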
