PRAGMA-UCSD CA
Cindy Zheng, PRAGMA Grid Coordinator
Pacific Rim Application and Grid Middleware Assembly
http://www.pragma-grid.net
http://goc.pragma-grid.net

Overview
• PRAGMA
• PRAGMA Grid
• Purpose of PRAGMA-UCSD CA
• PRAGMA-UCSD CA setup
• (x.y.z) references the relevant CP/CPS section number
PRAGMA: A Practical Collaborative Framework
• Strengthen existing and establish new collaborations
• Work with science teams to advance grid technologies and improve the underlying infrastructure, in the Pacific Rim and globally
• 35 institutions, 14 countries
• http://www.pragma-grid.net

PRAGMA's Collaborative Framework (source: Philip Papadopoulos, Global Engagement)
Four pillars: Education, Software, Science, Grid.
• GLEON (and CREON), from the Telescience WG: Global Lake Ecological Observatory Network (and Coral Reef); a grassroots effort to understand lake dynamics
• Avian Flu Grid, from the Biosciences WG: integrates technologies for shared infrastructure
• PRIME, Pacific Rim Experiences for Undergraduates: prepares a globally-enabled workforce; immersive research apprenticeship and cultural experience
• PRIUS, Pacific Rim International UniverSity (Osaka University): prepares a global workforce within the context of curriculum and research experience
• PRAGMA, Pacific Rim Application and Grid Middleware Assembly: catalyzes collaborations; applications drive technology developments
• Software: OptIPuter (SAGE), Ninf-G, Gfarm, Nimrod, SCMSWeb, CSF4, Naregi CA, Opal, MOGAS, Mgrid, Rocks, GAMA, Condor, Access Grid, GEO, GEON, DataTurbine, Inca

PRAGMA Grid
32 institutions in 16 countries/regions, 27 compute sites (+ 9 in preparation)
• Switzerland: UZH
• Japan: AIST, OsakaU, UTsukuba, TITech
• China: JLU, CNIC, GUCAS, LZU
• USA: NCSA, BU, UUtah, SDSC
• Korea: KISTI
• Taiwan: ASGC, NCHC
• Hong Kong: CUHK
• Puerto Rico: UPRM
• India: UoHyd
• Mexico: CICESE, UNAM
• Philippines: ASTI
• Thailand: NECTEC, ThaiGrid
• Vietnam: HCMUT, HUT, IOIT-HCM
• Costa Rica: CeNAT-ITCR
• Indonesia: SKU, UI
• Malaysia: MIMOS, USM
• Australia: APAC, QUT, MU
• Singapore: BII, IHPC, NGO, NTU
• Chile: UChile
• New Zealand: BESTGrid
PRAGMA Grid Members and Team
http://goc.pragma-grid.net/wiki/index.php/Site_status_and_tasks
• Sites
  • 23 sites from PRAGMA member institutions
  • 15 sites from non-PRAGMA member institutions
  • 27 sites contributed compute clusters
• Team members
  • 170 and growing
  • one management contact per site
  • 1~3 technical support contacts per site
  • 1~4 application drivers per application
  • 1~5 per middleware development team

Why PRAGMA-UCSD CA?
• PRAGMA experimental CA
  • Only used within PRAGMA Grid
• Grid interoperation and future
  • Need an IGTF-compliant catch-all production CA
• Near term
  • Only issue certificates from the production CA when needed

PRAGMA-UCSD CA Team
• CA: Cindy Zheng, Mason Katz (UCSD)
• RA: Mason Katz, Anoop Rajendra (UCSD)
• PMA: Yoshio Tanaka (AIST)
• Security Officer: Phil Papadopoulos (UCSD)
• pragma-ucsd-ca@sdsc.edu reaches no more and no less than these 5 people
CP/CPS
• Structured as defined in RFC 3647
• http://goc.pragma-grid.net/ca/cp-cps
• OID: 1.3.6.1.4.1.13230.101.2.1.0
  • Set as the CP/CPS identifier (1.2)
  • Set as the policy identifier in the certificatePolicies X.509v3 extension
  • Under the private enterprise arc 1.3.6.1.4.1.13230, registered with IANA
• Change procedure described in 9.12

CA Systems
• CA server is dedicated and off-line
• RA server is dedicated and on-line
• CA software is naregi-wp5-nas-070112
Physical Security
• CA and RA servers are in a lockable office
  • 2 keys (Cindy Zheng, Karan Bhatia)
• CA server is in a locked cabinet in the office
  • Only Cindy (CA) has the key
• Access log
  • Logged by email to pragma-ucsd-ca@sdsc.edu
  • Email archive is included in the monthly backup

CA Key and Passphrase
• CA key length 2048 bits (6.1.5)
• CP/CPS 6.4 describes CA key protection
• Passphrase >= 15 characters
  • Known only by the CA and RA
  • Kept in 2 sealed envelopes in 2 separate locked drawers in Cindy (CA) and Mason (RA)'s offices
  • Only Cindy and Mason have the keys to the drawers
  • The sealed envelopes are kept separate from the backed-up private key

Encrypted Private Key Backup
• On offline media (USB drives)
• Kept in a locked cabinet
• Only Anoop (RA) has the key
CA Certificate
• Lifetime 10 years (6.3.2)
  • End-entity lifetime 1 year
• BasicConstraints (7.1.2)
  • Marked as critical
  • Set as CA:TRUE
• KeyUsage (7.1.2)
  • Marked as critical
  • Values include keyCertSign, cRLSign

Certificate Revocation
• Can be requested by
  • Subscribers
  • CA, RA
  • Others who can prove compromise or exposure of a private key (4.9.2)
• An end entity must request revocation as soon as possible, and within one working day after detecting that
  • he/she lost or compromised the private key pertaining to the certificate, or
  • the data in the certificate are no longer valid (4.9.1)
• Authenticate the request (4.9.3)
  • Verify the requester's identity by phone, VTC or face-to-face
  • Verify reason and evidence
• CA must react as soon as possible, and within one working day, to any revocation request received (4.9.5)

CRL
• Lifetime is 30 days
• Issued
  • Every 3 weeks
  • Or immediately after a revocation (4.9.7)
• http://goc.pragma-grid.net/ca/ca-certs/baec778c.r0
• Version: X.509 v2
• Message digest algorithm: SHA-1
User or Host/Service Certificates
• Key >= 1024 bits (6.1.5)
• Lifetime 1 year (6.3.2)
• User certificate
  • Should not be shared (4.5.1)
• End-entity passphrase (6.2.8)
  • 12 characters or more (enforced by the Naregi-CA client software)

Issue Certificates
• Described in 4.1, 4.2:
  • User fills in and emails the application form
  • RA replies
    • Asks for photo ID (fax or in person)
    • Arranges an interview (in person or VTC)
  • RA interviews the user with
    • A copy of the user application
    • A copy of the user's photo ID
    • Fills in an RA checklist
  • Upon approval, RA signs the checklist and hands everything to the CA
  • RA emails the user an encrypted license ID and the user guide URL
  • RA delivers the password to the user (fax or in person)
  • User installs the Naregi-CA client software, creates a certificate request and emails the acceptID to the pragma-ucsd-ca list
  • CA generates the new certificate and emails the user for retrieval
  • CA/RA file all documents

Names
• Meaningful names (3.1.2)
  • Reasonable association to the end entity
  • For host certificates, CN is the FQDN
• Name uniqueness (3.1.5)
  • List of issued certificates
  • Prefix and suffix
• Verify host owner/administrator (3.2.2, 3.2.3)
  • Known organization in the PRAGMA community
  • Verify with a known contact of the host organization

End Entity Certificates
• X.509 format
• Extensions (7.1)
  • Policy Identifier contains an OID only: 1.3.6.1.4.1.13230.101.1
  • CRLDistributionPoints: URI://goc.pragma-grid.net/secure/certificates/baec778c.r0
  • keyUsage marked as critical
  • basicConstraints set to 'CA:false' and marked as critical
  • Host certificate: the FQDN is included as a dNSName in the SubjectAlternativeName
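The CA-certificate, CRL and end-entity profiles in the slides above can be reproduced with stock OpenSSL, which is a useful way to check that a CA profile actually produces what the CP/CPS says. The script below is an added example by the editor, not PRAGMA's NAREGI-CA setup or any code from the deck: it builds a throwaway CA with the stated critical extensions, issues a host certificate carrying the policy OID, a CRL distribution point and the FQDN as a dNSName, publishes a 30-day CRL, revokes the certificate, reissues the CRL and confirms that a CRL-checking relying party now rejects the certificate while a verifier that ignores the CRL still accepts it. Assumptions not taken from the slides: the DN values, the host name host.example.org, the keyUsage bits chosen for the host certificate, the CRL URL from the CRL slide as the distribution point, SHA-256 signatures instead of the SHA-1 the deck lists (SHA-1 has since been deprecated for signatures), and an unencrypted CA key for brevity (the real CA key is protected by a passphrase of 15 or more characters).

```shell
#!/bin/sh
# Added example (editor's, not PRAGMA's NAREGI-CA tooling). Reproduces the CA,
# host-certificate and CRL profile from the slides with stock OpenSSL, then
# shows a CRL-checking relying party rejecting a revoked host certificate.
# Assumed, not from the slides: the DNs, host.example.org, the host keyUsage
# bits, SHA-256 instead of SHA-1, and an unencrypted CA key (-nodes).
set -eu
WORK=$(mktemp -d)
cd "$WORK"
mkdir newcerts; touch index.txt; echo 01 > serial; echo 01 > crlnumber

cat > ca.cnf <<'EOF'
[ ca ]
default_ca = pragma_like
[ pragma_like ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 365            # end-entity lifetime: 1 year (6.3.2)
default_crl_days = 30             # CRL lifetime: 30 days (4.9.7)
policy           = policy_any
x509_extensions  = host_ext
[ policy_any ]
commonName       = supplied
organizationName = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
# CA certificate profile (7.1.2): both extensions critical
[ ca_ext ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
# End-entity host certificate profile (7.1); keyUsage bits are an assumption
[ host_ext ]
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
certificatePolicies    = 1.3.6.1.4.1.13230.101.1
crlDistributionPoints  = URI:http://goc.pragma-grid.net/ca/ca-certs/baec778c.r0
subjectAltName         = DNS:host.example.org
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF

# CA: 2048-bit key, 10-year self-signed certificate (6.1.5, 6.3.2)
openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -keyout ca.key -out ca.crt -subj "/O=Example Grid/CN=Example PRAGMA-style CA" \
  -config ca.cnf -extensions ca_ext 2>/dev/null

# Host request, signed by the CA with the host_ext profile for 1 year
openssl req -new -newkey rsa:2048 -nodes -keyout host.key -out host.csr \
  -subj "/O=Example Grid/CN=host.example.org" -config ca.cnf 2>/dev/null
openssl ca -config ca.cnf -batch -notext -extensions host_ext \
  -in host.csr -out host.crt 2>/dev/null

# Relying-party checks: verify_host ignores the CRL, verify_host_crl applies it.
verify_host()     { openssl verify -CAfile ca.crt host.crt >/dev/null 2>&1; }
verify_host_crl() { cat ca.crt ca.crl > trust.pem &&
                    openssl verify -crl_check -CAfile trust.pem host.crt >/dev/null 2>&1; }
# Number of revoked entries on the published CRL (0 before any revocation)
crl_revoked_count() { openssl crl -in ca.crl -noout -text | grep -c 'Serial Number:' || true; }
ca_cert_has_profile() {
  t=$(openssl x509 -in ca.crt -noout -text)
  echo "$t" | grep -q 'CA:TRUE' && echo "$t" | grep -q 'Certificate Sign, CRL Sign'
}
host_cert_has_profile() {
  t=$(openssl x509 -in host.crt -noout -text)
  echo "$t" | grep -q 'X509v3 Basic Constraints: critical' &&
  echo "$t" | grep -q 'X509v3 Key Usage: critical' &&
  echo "$t" | grep -q 'Policy: 1.3.6.1.4.1.13230.101.1' &&
  echo "$t" | grep -q 'DNS:host.example.org'
}

# First CRL: empty, valid 30 days. Policy reissues every 3 weeks or right after a revocation.
openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null
ca_cert_has_profile && host_cert_has_profile && verify_host_crl ||
  { echo "profile or chain check failed"; exit 1; }
echo "issued: host cert valid, CRL entries=$(crl_revoked_count)"

# Revocation (4.9): mark the certificate revoked and reissue the CRL immediately.
openssl ca -config ca.cnf -revoke host.crt -crl_reason keyCompromise 2>/dev/null
openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null
if verify_host_crl; then echo "BUG: revoked certificate accepted"; exit 1; fi
verify_host && echo "revoked: CRL-checking verify rejects it (CRL entries=$(crl_revoked_count));" \
                    "a verifier that skips the CRL still accepts it"
openssl crl -in ca.crl -noout -nextupdate   # 30 days from now
echo "artifacts left in $WORK"
```

Run it with sh. It leaves its artifacts in the temp directory it prints, so the certificates and CRL can be inspected with openssl x509 -text and openssl crl -text (the CRL comes out as v2 because crlNumber is set). The last step is the point a practitioner should take away from the revocation slide: a relying party that never fetches the CRL distribution point gets no benefit from the one-working-day revocation procedure.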
Rekey, Renewal and Modification
• Certificate rekey is described in 4.7:
  • Reasons for rekey: certificate revoked or expired
    • Revoked: re-enroll
    • Expired: re-apply
    • 1 month before expiry: request a certificate for a new public key
  • Process
    • Same as initial enrollment, and
    • If within 5 years of initial enrollment, a face-to-face interview is not required
• No certificate renewal (4.6)
• No certificate modification (4.8)

Records Archive
• Records archived (5.5.1)
  • Forms, emails etc. from the enrollment process
  • Private keys, passwords
  • Monthly backup includes
    • CA and RA server backup
    • Mailing list archive
• Retention period (5.5.2)
  • General: minimum 3 years
  • Certificates, CRLs: at least 2 years
  • User identity info: 5 years

Audit
• Described in section 8:
  • Accept external audit
    • By APGrid PMA
  • Self-audit of CA/RA and operation once a year
  • Verify the CA contact list once a year
Web Repository
http://goc.pragma-grid.net/ca
• Publicly accessible
  • CA root certificates
  • Certificates issued
  • CRL
  • CP/CPS
  • Contact info
  • Grant APGrid PMA and IGTF unlimited redistribution
• Internal only
  • Operation manuals
  • Canned emails
  • Forms
  • Checklist
  • CA profiles
  • Only CA staff and auditors are allowed access

Privacy and Confidentiality
• Defined in 9.3 and 9.4
  • No confidential info collected
  • Do not provide personal info to other organizations
• CA-RA communication
  • Secure methods (4.1, 4.2)
    • Face to face, signed email, Skype
  • Inform/log changes by email to pragma-ucsd-ca@sdsc.edu

Disaster Recovery
• Described in 5.7
• Hardware, software, data corruption
  • Recover from backup as soon as possible
• CA key compromise
  • Notify subscribers, RAs, relying parties
  • Revoke all issued certificates
  • Stop the certificate/CRL distribution service
  • Create a new key pair and rebuild the CA system

Special Thanks
• Yoshio Tanaka and the AIST CA team, and Naregi-CA developer Takuto Okuno, for helping set up PRAGMA-UCSD CA
• APGrid PMA reviewers Sangwan Kim, Alex Wu and Suriya U-ruekolan, for helping review the PRAGMA-UCSD CA CP/CPS