This presentation discusses the integration of campus authentication with Globus for inter-campus trust and sharing of data and compute resources. It explores the use of PKI, trust in a hierarchical PKI root certificate, and the use of a bridge PKI. The goal is to enable the use of campus-issued credentials in inter-institutional grids and demonstrate scalability and complexity issues.
Leveraging Campus Authentication for Grid Scalability
Jim Jokl, Marty Humphrey
University of Virginia
Internet2 Meeting, April 2004
NMI Testbed Activity
• Early project focus
  • Testing various NMI components
  • Integrating them with campus infrastructure
• Next phase: more inter-campus activities
  • Focus on Globus
  • However, results can be generally applicable
• How do we facilitate sharing of data and compute resources between campuses?
  • Scalability and complexity issues for the Grid
  • Security, researcher support, sharing equity issues
• Our focus: authentication and inter-campus trust
  • Hence inter-campus aspects of Globus PKI
Background: Public Key Infrastructure (PKI)
• A PKI uses asymmetric cryptography
  • A pair of mathematically related keys
  • The Public Key is published widely; the Private Key is secret
• An X.509 Certificate is:
  • An object signed by a Certification Authority (CA)
  • A binding of a user’s identity to their public key
  • An object containing attributes about the individual and the Issuing Certification Authority
• Critical issues
  • How do you trust the credential binding?
  • How can other institutions trust it?
  • How would trust scale in a large Grid or Grids?
Background: Trust in a Hierarchical PKI Root Certificate
• Trust based on trusting the “root” certificate
• User cert trust via validating the cert chain to a trusted root
• Some issues:
  • “root” compromise
  • A CA per Grid vs. a CA per school vs. ?
  • Researcher support
  • Integrating existing campus credentials
[Figure: hierarchy diagram with a root certificate, two intermediate certificates, and user certs A through E]
Background: Trust in a Bridge PKI
• Enables trust between multiple hierarchical CAs
• No need to reconstitute the whole PKI if a CA is compromised
• Generally uses more infrastructure than just the cross-certificate pairs
• Can enable trust between existing PKIs
  • Preserves technical and political separation
• Logical choice for multi-campus / multi-grid systems
  • Enable researchers to use home campus credentials
[Figure: bridge diagram: a Bridge CA joined by cross-certificate pairs to Root A, Root B, ... Root n, with intermediates Mid-A and Mid-B and users A1, A2, B1]
PKI Bridge Path Validation
Globus & Bridge Test Environment
• Simple bridge test environment revealed
  • Globus can validate a bridge trust path
  • All needed cross-certificates must be pre-loaded into /etc/grid-security/certificates
  • Appears that all needed intermediate CA certificates must also be pre-loaded
  • No known support for a directory mechanism to locate cross-certificates
  • Does not appear to follow AIA URLs to obtain any needed cross or intermediate certificates
• A more complex real-world test is needed
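To make the bridge path validation and pre-loading findings above concrete, here is an added model (not code from the slides or from Globus) of path construction over a local certificate store. Certificates are reduced to their subject/issuer name binding, the store stands in for /etc/grid-security/certificates, and, matching the observed Globus behaviour, nothing is fetched from AIA URLs: a path exists only if every cross-certificate and intermediate is already in the store. The CA names (Root A, Root B, Mid-A, Mid-B, Bridge CA) follow the slide diagrams; the user names are constructed.

```python
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate: only the name binding matters here."""
    subject: str
    issuer: str


class CertStore:
    """Models a pre-loaded /etc/grid-security/certificates directory.

    Assumption (matching the test findings): only certificates placed here are
    visible to path building; there is no directory lookup and no AIA chasing.
    """

    def __init__(self, certs: List[Cert]):
        self.by_subject: Dict[str, List[Cert]] = {}
        for c in certs:
            self.by_subject.setdefault(c.subject, []).append(c)

    def issued_to(self, name: str) -> List[Cert]:
        return self.by_subject.get(name, [])


def build_path(ee: Cert, store: CertStore, anchors: Set[str],
               max_len: int = 8) -> Optional[List[Cert]]:
    """Breadth-first path construction from an end-entity cert to a trusted anchor name.

    Each step looks up certificates whose subject is the current issuer. With
    cross-certification a CA name can carry several such certificates (one per
    cross-certifying CA), which is exactly what lets a bridged path be found.
    Returns the certificate list, end-entity first, or None if no path closes.
    """
    queue = deque([[ee]])
    seen = {ee}
    while queue:
        path = queue.popleft()
        if path[-1].issuer in anchors:
            return path
        if len(path) >= max_len:
            continue
        for cand in store.issued_to(path[-1].issuer):
            if cand not in seen:
                seen.add(cand)
                queue.append(path + [cand])
    return None


def testbed_store(include_cross_a_to_bridge: bool = True) -> CertStore:
    """Two campus hierarchies plus a bridge; optionally drop one cross-certificate."""
    certs = [
        Cert("Root A", "Root A"), Cert("Mid-A", "Root A"),
        Cert("Root B", "Root B"), Cert("Mid-B", "Root B"),
        # cross-certificate pairs between each root and the bridge
        Cert("Bridge CA", "Root B"), Cert("Root B", "Bridge CA"),
        Cert("Root A", "Bridge CA"),
    ]
    if include_cross_a_to_bridge:
        certs.append(Cert("Bridge CA", "Root A"))
    return CertStore(certs)


def subjects(path: Optional[List[Cert]]) -> Optional[List[str]]:
    return None if path is None else [c.subject for c in path]


def hierarchical_path() -> Optional[List[str]]:
    """A relying party trusting Root A validates a Root A user: plain chain."""
    return subjects(build_path(Cert("User A1", "Mid-A"), testbed_store(), {"Root A"}))


def bridged_path() -> Optional[List[str]]:
    """Same relying party validates a campus B user via the bridge cross-certs."""
    return subjects(build_path(Cert("User B1", "Mid-B"), testbed_store(), {"Root A"}))


def bridged_path_missing_cross_cert() -> Optional[List[str]]:
    """The Root A -> Bridge CA cross-cert is not pre-loaded: no path can close."""
    return subjects(build_path(Cert("User B1", "Mid-B"),
                               testbed_store(include_cross_a_to_bridge=False), {"Root A"}))


if __name__ == "__main__":
    print("hierarchical:", hierarchical_path())
    print("bridged:     ", bridged_path())
    print("missing:     ", bridged_path_missing_cross_cert())
```

The third case is the one to watch operationally: a missing cross-certificate does not produce an error about the bridge, only a failed validation for every user from the other campus, so the pre-load scripts need to carry the full set of cross-certificate pairs and intermediates for each partner.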
Globus PKI Integration Notes
• Campus CA Integration
  • Use of Campus CAs with Globus for inter-institutional sharing of resources should be manageable
  • Typical campus certificate profiles (e.g. PKI-lite) work well with Globus
  • Challenges will exist for locating the needed cross-certificates and intermediate CA certificates
Globus PKI Integration Notes
• Campus CA integration is complicated by the Globus interface
  • Campus CAs and OS-exported certificates are generally in PKCS-12 format
  • Globus expects raw PEM files for the certificate and the private key
  • A file to map certificate DNs to UNIX login names must be maintained
  • A maintenance challenge for large inter-institutional grids
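The DN-to-login mapping file mentioned above is the Globus grid-mapfile: one entry per line, the certificate subject DN in double quotes followed by one or more comma-separated UNIX logins, with `#` comment lines. Maintaining it by hand across several campuses is where errors creep in, so here is an added parser and validator (not code from the slides or from Globus) that reads the file, flags unparseable lines and DNs mapped twice, resolves a DN to a login, and re-emits a canonical file. The sample file and its DNs and login names are constructed for this example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample grid-mapfile; the DNs and login names are invented for this example.
SAMPLE_GRIDMAP = '''\
# grid-mapfile: quoted certificate subject DN, then comma-separated UNIX logins
"/C=US/O=Campus A/OU=Physics/CN=Example User One" euone
"/C=US/O=Campus B/CN=Example User Two" eutwo,gridshare
"/C=US/O=Campus A/OU=Physics/CN=Example User One" euone_dup
'''

# DN in double quotes (needed whenever the DN contains spaces), then the login list.
_QUOTED = re.compile(r'^"(?P<dn>[^"]+)"\s+(?P<users>\S+)$')
# Unquoted form is only valid when the DN itself has no whitespace.
_BARE = re.compile(r'^(?P<dn>[^"\s]\S*)\s+(?P<users>\S+)$')

Mapping = Dict[str, List[str]]
Problems = List[Tuple[int, str]]


def parse_gridmap(text: str) -> Tuple[Mapping, Problems]:
    """Parse grid-mapfile text into DN -> [logins], reporting (line number, message) problems.

    A DN that appears twice is reported and the later entry is dropped, so the
    result is unambiguous; the caller decides which entry was intended.
    """
    mapping: Mapping = {}
    problems: Problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = _QUOTED.match(line) or _BARE.match(line)
        if not m:
            problems.append((lineno, 'unparseable line'))
            continue
        dn = m.group('dn')
        users = [u for u in m.group('users').split(',') if u]
        if not users:
            problems.append((lineno, f'no login for {dn}'))
            continue
        if dn in mapping:
            problems.append((lineno, f'duplicate entry for {dn}'))
            continue
        mapping[dn] = users
    return mapping, problems


def map_dn(mapping: Mapping, dn: str) -> Optional[str]:
    """Resolve a certificate subject to its primary (first listed) UNIX login."""
    users = mapping.get(dn)
    return users[0] if users else None


def add_mapping(mapping: Mapping, dn: str, login: str) -> None:
    """Append a login for a DN without creating a duplicate DN line."""
    users = mapping.setdefault(dn, [])
    if login not in users:
        users.append(login)


def render_gridmap(mapping: Mapping) -> str:
    """Emit the canonical quoted form, suitable for writing back to the grid-mapfile."""
    return ''.join(f'"{dn}" {",".join(users)}\n' for dn, users in mapping.items())


if __name__ == "__main__":
    parsed, issues = parse_gridmap(SAMPLE_GRIDMAP)
    for lineno, msg in issues:
        print(f"line {lineno}: {msg}")
    print(render_gridmap(parsed), end='')
```

Generating the file from a campus roster with `add_mapping` and `render_gridmap`, and running `parse_gridmap` over the result before installing it, catches the two failures that a hand-edited file tends to accumulate: a DN quoted inconsistently (which silently never matches a presented certificate) and the same DN mapped to two different accounts.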
Goals for Larger Test on the NMI Testbed Grid
• Test the use of Globus in a real and larger bridged PKI environment
• Enable the use of campus CAs in inter-institutional Grids
  • Show that one set of campus-issued credentials can work
  • Use on a single or multiple grids
  • Eases researcher pain (and support issues)
• Explore complexity issues, demonstrate scalability
• Create appropriate tools and documentation
• Prepare for Globus to leverage other activities
  • Higher Education Bridge Certification Authority
  • Higher Education Root Certification Authority
Higher Education Bridge Certification Authority (HEBCA)
• A project of EDUCAUSE
• Implement a bridge for higher education based on the Federal PKI bridge model
  • Support both campus PKIs and sector hierarchical PKIs
  • Cross-certify with the Federal bridge (and others as appropriate)
• Use of HEBCA with Globus may be a natural result of this work
US Higher Education Root CA
• A project of Internet2
• The replacement for the CREN CA
• Designed to support campuses that wish to be part of a hierarchical CA
  • CA signs campus CA signing certificates
• Expectation is to cross-certify with HEBCA at some level
• Campus CAs that are part of this hierarchy would also work well in a bridged Globus environment
Current Project Status
• Built Testbed Bridge CA
  • Off-line system
• Cross-certifications
  • UVA: complete
  • UAB: nearly done
  • TACC: 50%
  • USC: getting started
• /etc/grid-security
  • Certificates, policy files, and hash links generated via scripts
  • Gridmap file by hand
Tool Development
• In addition to supporting the testbed grid via cross-certification, we plan to explore a few tools
  • Credential converter web site that takes a PKCS-12 (as is available in most enterprise CAs) and returns the PEM files needed by Globus
  • A tool to chase down cross-certificates from AIA fields and build the needed Globus links and signing policy files
  • Potentially: a CA using a Shibboleth-based RA
    • Provide certificates for campuses that have Shibboleth but are not yet operating an enterprise CA
    • Each campus would have its own root that would be cross-certified via the testbed bridge
• We should know a lot more in a few months