SURAGrid User/Host Certificate Authority
SURAgrid Meeting, MARCH 26, 2010
Jim Jokl, University of Virginia
Schematic of SURAGrid Globus PKI Integration
[Diagram: the SURAGrid Bridge CA in the center, joined by cross-cert pairs to each campus PKI (A's PKI through F's PKI); each campus PKI serves its own campus grid (Campus A Grid through Campus F Grid).]
SURAGrid: Original Plan
[Diagram: Site A, Site B, Site C and Site D each run a Shim; the SURAGrid Bridge CA, Site Admins and LDAP Server form the shared infrastructure.]
• Sites provide dedicated systems
• Trust fabric via SURAGrid Bridge CA
• Evolve to use HEBCA & USHER when ready
• LDAP server(s) hold
  • Cross-certificate pairs
  • Globus policy files
  • Unix UID information
  • Unix login names using a naming convention
• Shim Software
  • Automates grid_mapfile
  • Manages Unix accounts
• Site Administrators
  • Manage their own users, enabling or disabling their access to SURAGrid
SURAGrid: Current Architecture
[Diagram: Sites A through D, two of them running the Shim; Bridge CA, Site Admins and LDAP Server as before.]
• Some sites will dedicate systems, others will utilize shared resources
• The Bridge CA, LDAP servers, and Site Admin infrastructure remain the same
• Sites that dedicate resources will continue to use the Shim
• Sites providing pieces of shared infrastructure will leverage the data in the LDAP servers as needed
• Some tools are provided for grid-mapfile, cross-certs, etc.
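The grid-mapfile automation the Shim performs from LDAP-held data (previous two slides), as an added Python example that is not the SURAGrid Shim's own code: the record layout (dn, uid, login, enabled), the "sg_" login-name convention and the sample records are constructed assumptions; only the quoted-subject-then-login line format is Globus's grid-mapfile format. The point it shows is that the mapping step is where a site admin's enable/disable decision and the naming convention are actually enforced.

```python
"""Build a Globus grid-mapfile from LDAP-held SURAGrid user records.

Added example; not the SURAGrid Shim. Attribute names, the 'enabled'
flag and the 'sg_' login prefix are assumptions. The output line
format  "<subject DN>" <unix login>  is the Globus grid-mapfile format.
"""
import re

# Constructed sample of the per-user data an LDAP server might hold.
SAMPLE_RECORDS = [
    {"dn": "/DC=edu/DC=virginia/O=SURAGrid/CN=Alice Example",
     "uid": 50001, "login": "sg_aexample", "enabled": True},
    {"dn": "/DC=edu/DC=virginia/O=SURAGrid/CN=Bob Example",
     "uid": 50002, "login": "sg_bexample", "enabled": False},  # disabled by site admin
    {"dn": "/DC=edu/DC=virginia/O=SURAGrid/CN=Carol Example",
     "uid": 50003, "login": "carol", "enabled": True},         # breaks naming convention
    {"dn": "/DC=edu/DC=virginia/O=SURAGrid/CN=Alice Example",
     "uid": 50004, "login": "sg_aexample2", "enabled": True},  # duplicate subject
]

# Assumed naming convention: SURAGrid-managed Unix accounts start with "sg_".
LOGIN_RE = re.compile(r"^sg_[a-z0-9]{1,12}$")


def build_grid_mapfile(records):
    """Return (mapfile_text, rejected), where rejected is a list of
    (subject DN, reason) for records that must NOT be mapped."""
    lines, rejected, seen = [], [], {}
    for rec in records:
        dn, login = rec["dn"], rec["login"]
        if not rec.get("enabled"):
            # The site admin's disable flag is enforced here, not by the CA.
            rejected.append((dn, "disabled by site admin"))
            continue
        if not LOGIN_RE.match(login):
            rejected.append((dn, "login violates naming convention"))
            continue
        if '"' in dn or "\n" in dn:
            # A quote or newline in the subject would corrupt the file format.
            rejected.append((dn, "subject contains characters unsafe for grid-mapfile"))
            continue
        if dn in seen:
            # One subject must map to one local account; refuse ambiguity.
            rejected.append((dn, f"duplicate subject, already mapped to {seen[dn]}"))
            continue
        seen[dn] = login
        lines.append(f'"{dn}" {login}')
    return "\n".join(lines) + ("\n" if lines else ""), rejected


if __name__ == "__main__":
    text, bad = build_grid_mapfile(SAMPLE_RECORDS)
    print(text, *[f"# skipped {d}: {why}" for d, why in bad], sep="")
```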
A year or two ago: Target Picture?
[Diagram: Sites A through D plus Sites Y and Z, three Shims, two Bridge CAs, two LDAP Servers, two GridCAs, and Site Admins.]
Current State
[Diagram: Sites A through D with two Shims; Site Admins, InCommon, Bridge CA, SURAGrid USER CA, LDAP Server, iKey, and a Grid User Certificate.]
Some Action Items for Production
• InCommon Interface
  • Any InCommon user direct use?
  • A list of EPPNs of site administrators
  • Direct integration with SURAgrid LDAP?
• Cross-certification with final keypair
• https://www.pki.virginia.edu/sura-bridge/
Discussion
• What else?
• Enable the InCommon service as-is asap (admins are the only ones that can generate a certificate)
• Soon, enable users from InCommon schools to obtain certificates whenever they want
• Add in the host cert function for site admins only
• More discussion in the future on what/if to integrate with LDAP (might be able to let site admins auto-register user certs in LDAP via checkbox)
• Redo SURA iKeys
• Make the SURAGrid User CA root certificate available for download
• Fix the spelling “SURAgrid” – little G