PKI Single Sign On & Auto Provisioning
Frank Siebenlist (ANL), Rachana Ananthakrishnan (ANL), Charles Bacon (ANL)

Single Sign On
• Web Applications
  • http/https protocol
  • Browser, wget clients
• Other Applications
  • GridFTP, OpenDAP etc.
  • DML, UberFTP/GridFTP clients
PKI SSO

PKI-X509 as SSO Solution
• Online CA to issue short-term credentials
• Works with the existing authentication system
  • E.g. shares username/password with the registration system
• User “logs in” to get a credential
  • Transparent to the user, downloaded on login
• Clients leverage the credentials transparently
• User “logs out” by destroying the local credentials
• The same CA can be used to provide application certificates
[Figure: PKI login flow. Components: Application Client + PKI Client; PKILogin; Online-CA with AuthN Svc; AuthNDB (uname, password); Application Server (trusts the Online CA).]
1. login (user/pass)
2. AuthN against AuthNDB
3. Short-term X509 credentials issued to the client
4. Access using X509 credentials
MyProxy as Online CA
• Open source software from NCSA
• Provides, among other things, Online CA capabilities
• Allows plugging in any authentication system via a PAM module
• Shipped with the Globus Toolkit, supported on various platforms
• Client package as a separate deployment, including Java clients and API

Auto-Provisioning
• SSO solutions require configuration of trust roots
  • Identity providers, Certification Authorities
  • Revocation lists
• Up-to-date configuration required at servers and clients
  • Scalability issues, e.g. 8K clients
• MyProxy provides an auto-provisioning option
  • Integrated with login
  • Transparently updates CAs and CRLs
• Can be extended to provision servers as well
[Figure: MyProxyLogin with Provisioning. Components: Application Client + PKI Client; Online-CA with AuthN Svc; AuthNDB; Provisioning Database; App Svc.]
0. Trusted CA/CRLs loaded into the Provisioning Database
1. login (user/pass)
2. AuthN against AuthNDB
3. Short-term X509 credentials, CAs, CRLs delivered to the client
4. Access the App Svc using X509 credentials
5. Update trust roots
Gateway Deployments
• MyProxy Server
  • PAM module to talk to the authentication mechanism
  • CA certificate for the MyProxy Server
• Provisioning database
  • Up-to-date list of CAs/CRLs

Client Deployments
• Client download contains
  • MyProxy Logon client
  • Bootstrap CA certificate
• Application clients integrate with MyProxy
  • Scripts that use myproxy-logon and grid-proxy-destroy
  • C library level integration
  • Java API integration

Application Server
• Use of PKI X509 certificates for authentication
  • If using SSL, no additional changes
• Install trusted certificates on the application server
  • For automatic updates, set up a task to run myproxy-logon periodically
  • Need to extend MyProxy to allow server-only authentication to obtain certificates
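The client-side login/logout scripting mentioned under Client Deployments and the periodic refresh task described for the Application Server, as one added example (constructed for this page, not a script from ANL or the MyProxy project). The host and port are taken from the demo slide; the credential lifetime, the renewal threshold, the trust-root directory and the CRL file naming (`<hash>.r0`) are assumptions.

```shell
#!/bin/sh
# Constructed example: wrap MyProxy "login"/"logout" and decide when a server
# or cron task actually needs to re-run myproxy-logon.
MYPROXY_HOST="${MYPROXY_HOST:-plussed.mcs.anl.gov}"   # from the demo slide
MYPROXY_PORT="${MYPROXY_PORT:-7512}"                   # from the demo slide
CRED_HOURS="${CRED_HOURS:-12}"           # assumed short-term credential lifetime
RENEW_BELOW_SECS=3600                    # assumed: renew when < 1 hour remains
TRUST_DIR="${X509_CERT_DIR:-$HOME/.globus/certificates}"   # assumed location

# Succeeds when a credential with at least $2 seconds left exists.
# $1 is the seconds-left value printed by `grid-proxy-info -timeleft`
# (empty or non-numeric input counts as "no credential").
credential_ok() {
  timeleft="$1"; min="$2"
  [ "$timeleft" -ge "$min" ] 2>/dev/null
}

# Succeeds when the trust-root directory holds at least one CRL (*.r0) and
# none of them is older than $2 days; fails if the directory is missing,
# holds no CRLs, or any CRL is stale (provisioning has not run recently).
trust_roots_fresh() {
  dir="$1"; days="$2"
  [ -d "$dir" ] || return 1
  n=$(find "$dir" -name '*.r0' | wc -l)
  [ "$n" -gt 0 ] || return 1
  stale=$(find "$dir" -name '*.r0' -mtime +"$days" | wc -l)
  [ "$stale" -eq 0 ]
}

# "Log in": obtain a short-term X.509 credential from the Online CA and let
# -T refresh the locally installed CAs and CRLs in the same step.
pki_login() {
  myproxy-logon -s "$MYPROXY_HOST" -p "$MYPROXY_PORT" -l "$1" -t "$CRED_HOURS" -T
}

# "Log out": destroy the local credential so it can no longer be used.
pki_logout() {
  grid-proxy-destroy
}

# Periodic task for an application server: only contact the Online CA when
# the credential is close to expiry or the trust roots look stale.
pki_refresh() {
  left=$(grid-proxy-info -timeleft 2>/dev/null || echo 0)
  if credential_ok "$left" "$RENEW_BELOW_SECS" && trust_roots_fresh "$TRUST_DIR" 1; then
    return 0
  fi
  pki_login "$1"
}
```

Run `pki_refresh <username>` from cron; it is a no-op while the credential and CRLs are current and falls back to a full `myproxy-logon -T` otherwise.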
MyProxy Demo
• MyProxy Online CA set up on plussed.mcs.anl.gov:7512
• UberFTP server set up on plussed.mcs.anl.gov to trust the above MyProxy Online CA
• Instructions and sample run:
  • http://www-unix.mcs.anl.gov/~ranantha/esg/PKISSO.html

Some next steps
• Demo trials and feedback
• MyProxy
  • Extend to allow server trust-root provisioning
  • Customize the MyProxy Logon Java Web Start application for ESG
• Discuss integration with application servers
• Integration with gateway software
  • Evaluate distribution with gateway software