1 / 16

PKI Single Sign On & Auto Provisioning

PKI Single Sign On & Auto Provisioning. Frank Siebenlist (ANL) Rachana Ananthakrishnan (ANL) Charles Bacon (ANL). Single Sign On. Web Applications http/https protocol Browser, wget clients Other Applications GridFTP, OpenDAP etc. DML, UberFTP/GridFTP clients. PKI-X509 as SSO Solution.

daphne
Download Presentation

PKI Single Sign On & Auto Provisioning

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. PKI Single Sign On &Auto Provisioning Frank Siebenlist (ANL) Rachana Ananthakrishnan (ANL) Charles Bacon (ANL)

  2. Single Sign On • Web Applications • http/https protocol • Browser, wget clients • Other Applications • GridFTP, OpenDAP etc. • DML, UberFTP/GridFTP clients PKI SSO

  3. PKI-X509 as SSO Solution • Online CA to issue short term credentials • Works with authentication system • E.g Shares username/password with registration system • User “logs in” to get credential • Transparent to user, downloaded on login • Clients leverage credentials transparently • User “logs out” by destroying local credentials • Same CA can be used to provide application certificates PKI SSO

  4. AuthNDB uname password PKILogin Application Server Online-CA AuthN Svc Trust Online CA Application Client + PKI Client PKI SSO

  5. AuthNDB uname password PKILogin 2. AuthN Application Server Online-CA AuthN Svc Trust Online CA 3. Short term X509 credentials 1. login User/pass 4. Access using X509 Credentials Application Client + PKI Client PKI SSO

  6. MyProxy as Online CA • Open source software from NCSA • Provides among other things Online CA capabilities • Allows plugging in of any authentication system using PAM module • Shipped with Globus Toolkit, supported on various platforms • Client package as separate deployment, including Java clients and API PKI SSO

  7. Auto-Provisioning • SSO solutions require configuration of trust-roots • Identity providers, Certification authorities • Revocation lists • Up-to-date configuration required at servers and clients • Scalability issues, e.g 8K clients • MyProxy provides auto-provisioning option • Integrated with login • Transparently updates CAs and CRLs • Can be extended to use for provisioning servers also PKI SSO

  8. MyProxyLogin with Provisioning Online-CA AuthN Svc AuthNDB ProvisioningDatabase 0. Trusted CA/CRLs App Svc Application Client + PKI Client PKI SSO

  9. MyProxyLogin with Provisioning Online-CA AuthN Svc AuthNDB 2. AuthN ProvisioningDatabase 0. Trusted CA/CRLs App Svc 3. Short term X509 credentials, CAs, CRLs 1. login User/pass Application Client + PKI Client PKI SSO

  10. MyProxyLogin with Provisioning Online-CA AuthN Svc AuthNDB 2. AuthN ProvisioningDatabase 0. Trusted CA/CRLs App Svc 3. Short term X509 credentials, CAs, CRLs 1. login User/pass 4. Access using X509 Credentials Application Client + PKI Client PKI SSO

  11. MyProxyLogin with Provisioning Online-CA AuthN Svc AuthNDB 2. AuthN ProvisioningDatabase 0. Trusted CA/CRLs 5. Update trust roots App Svc 3. Short term X509 credentials, CAs, CRLs 1. login User/pass 4. Access using X509 Credentials Application Client + PKI Client PKI SSO

  12. Gateway Deployments • MyProxy Server • PAM module to talk to authentication mechanism • CA certificate for MyProxy Server • Provisioning database • Up-to-date list of CAs/CRLs PKI SSO

  13. Client Deployments • Client download contains • MyProxy Logon client • Bootstrap CA certificate • Application clients integrate with MyProxy • Scripts that use myproxy-logon and grid-proxy-destroy • C library level integration • Java API integration PKI SSO

  14. Application Server • Use of PKI X509 Certificates for authentication • If using SSL, no additional changes • Install trusted certificates on the application server • For automatic updates, set up task to run myproxy-logon periodically • Need to extend MyProxy to allow server only authentication to get certificates PKI SSO

  15. MyProxy Demo • MyProxy Online CA set up on plussed.mcs.anl.gov:7512 • UberFTP server set up on plussed.mcs.anl.gov to trust the above MyProxy Online CA • Instructions and sample run: • http://www-unix.mcs.anl.gov/~ranantha/esg/PKISSO.html PKI SSO

  16. Some next steps • Demo trials and feedback • MyProxy • Extend to allow server trust root provisioning • Customize MyProxy Logon Java Web Start application for ESG • Discuss integration with application servers • Integration with gateway software • Evaluate distribution with gateway software PKI SSO

More Related