www.DOEGrids.org
DOE's PKI service for Grids
Tony J. Genovese
Malaga, Spain, November 2003
Outline
• Grids AuthN/AuthZ model
• International Grid Federation efforts
• DOEGrids Federation
• Experimental OCSP service
Grids AuthN/AuthZ
• Separate the two problems
• First focus on solving identity
• Harmonize identity policies
  • Standards efforts: GGF, Grid PMA
  • Grid identity federations: EDG, Cross Grid, DOEGrids
  • Other federations: TERENA, EGEE, eInfrastructure?
• Authorization is still a research topic
  • Individual grids are developing their own policies
  • VOMS, proxy services
International Grid Federation
• WWW.GridPMA.org
• Informal confederation
• Representatives from major Grid PMAs
  • European Data Grid and Cross Grid PMA
  • NCSA Alliance
  • DOEGrids PMA
  • NASA Information Power Grid
  • TERENA
  • Asian Pacific PMA
    • AIST, Japan
    • SDSC, USA
    • KISTI, Korea
    • BII, Singapore
    • Kasetsart Univ., Thailand
    • CAS, China
DOEGrids Federation
• Managed by multiple stakeholders
• 15-member Policy Management Authority representing DOE and NSF
• PMA responsible for the Certificate Policy and Certification Practice Statement
• PMA manages the operator relationship
• Operator: ESnet at Lawrence Berkeley National Laboratory
• Peers with the European Data Grid PMA and the Cross Grid project
• 20+ Registration Authority Agents
DOEGrids community (chart; data not recoverable from the slide text)
* Includes DOESG transitioned certificates
General PKI Service Architecture (diagram; the labelled components are listed below)
• ESnet Root CA: ESnet only signs subordinate CAs
• Certificate Authority links: WWW.ES.net/CA, WWW.DOEGrids.org/CA
• ESnet subordinate Certificate Authorities and proposed CAs:
  • DOEGrids VO support
  • Integrated Site AuthN K/X509 (FNAL)
  • NERSC NIM Integration
  • Virtual Secure Card (SLAC)
DOEGrids Physical Security Architecture (diagram)
• Vaulted Root CA
DOEGrids PKI roles
• Policy Management Authority
  • Manages PKI policies
• Security Officer
  • Manages PKI infrastructure
  • Responsible for implementing PKI policies
• Registration Authority
  • Represents VO on PMA
  • Responsible for identity vetting of VO members
• Registration Agent
  • Delegated identity vetting from RA
• Grid Administrator (new)
  • Delegated by Agent to issue Service Certificates
Grid Admin Role (flowchart: Grid Admin server certificate interface)
1. Grid Admin provides a PKCS#10 server request and submits it.
2. SSL client authentication using the DOEGrids CA certificate.
   • Failed: Authentication Error
   • Successful: continue
3. GridAdmin LDAP: request validation and authorization process against GridAdmin LDAP. Successful?
   • No: Authorization Error
   • Yes: issue server certificate
Experimental OCSP service (diagram of two machines, Machine A and Machine B; the components and steps shown are listed below)
• Components: OCSP Service, OCSP Admin Interface, OCSP Service LDAP
• Steps:
  1. *edg-fetch-crl-cron downloads all the CRLs listed on the EDG website into the /opt/edg/certificates folder.
  2. *postcrl_ocsp checks, for every CRL file (*.r0) under the /opt/edg/certificates folder, whether the file is new.
  3. Parse the CRL file and filter only the base64-encoded CRL portion.
  4. Apply URL-encoding logic.
  5. Post this CRL data into the OCSP Service Admin interface (SSL client authentication).
* All the CA certificates listed on http://marianne.in2p3.fr/datagrid/ca/ca-table-ca.html have been installed with the OCSP Service.
* edg-fetch-crl-cron and postcrl_ocsp are cron jobs that run every night.
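The nightly postcrl_ocsp steps above (is the *.r0 file new, keep only the base64 CRL portion, URL-encode it for the POST), as an added Python example that is not part of the slides or of the DOEGrids tooling. The "new file" record is kept in a JSON state file, the form field name `crl`, and the sample CRL content are all assumptions; the sample base64 is a constructed stand-in DER SEQUENCE rather than a real CRL.

```python
import base64
import hashlib
import json
import tempfile
from pathlib import Path
from urllib.parse import urlencode

BEGIN, END = "-----BEGIN X509 CRL-----", "-----END X509 CRL-----"

# Constructed sample: the shape of a CRL file written with a human-readable dump
# in front of the PEM block. The base64 is a tiny stand-in DER SEQUENCE, not a real CRL.
SAMPLE_R0 = ("Certificate Revocation List (CRL):\n        Version 2 (0x1)\n"
             f"{BEGIN}\nMAMCAQE=\n{END}\n")

def extract_pem_crl(text: str) -> str:
    """Keep only the base64 body of the first X509 CRL block (the slide's 'filter
    only base64 encoded CRL portion'); reject anything that does not decode to DER."""
    try:
        start = text.index(BEGIN) + len(BEGIN)
        end = text.index(END, start)
    except ValueError:
        raise ValueError("no PEM CRL block found") from None
    body = "".join(text[start:end].split())
    der = base64.b64decode(body, validate=True)   # raises on non-base64 junk
    if not der or der[0] != 0x30:                 # every DER-encoded CRL is a SEQUENCE
        raise ValueError("decoded CRL is not a DER SEQUENCE")
    return body

def is_new(path: Path, state: dict) -> bool:
    """'Is the file new?' decided by content hash, so an unchanged re-download is skipped."""
    digest = hashlib.sha256(path.read_bytes()).hexdigest()
    if state.get(path.name) == digest:
        return False
    state[path.name] = digest
    return True

def build_post_body(pem_body: str) -> str:
    # Field name 'crl' is assumed; the slide does not name the admin interface's parameter.
    return urlencode({"crl": pem_body})

def process_crl_dir(crl_dir: Path, state_file: Path) -> list:
    """One run: return (filename, url-encoded body) for every *.r0 file not seen before."""
    state = json.loads(state_file.read_text()) if state_file.exists() else {}
    posts = []
    for path in sorted(crl_dir.glob("*.r0")):
        if is_new(path, state):
            posts.append((path.name, build_post_body(extract_pem_crl(path.read_text()))))
    state_file.write_text(json.dumps(state))
    return posts

def demo() -> tuple:
    """Two runs over a temp directory holding SAMPLE_R0: the first posts it, the second skips it."""
    with tempfile.TemporaryDirectory() as tmp:
        crl_dir = Path(tmp)
        (crl_dir / "sample.r0").write_text(SAMPLE_R0)
        first = process_crl_dir(crl_dir, crl_dir / "seen.json")
        second = process_crl_dir(crl_dir, crl_dir / "seen.json")
    return first, second
```

The SSL-client-authenticated POST itself is left out; the returned bodies are what that request would carry.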