KEK Grid CA
Go Iwai
The 2nd APGrid PMA Meeting at Osaka Univ.

KEK Organization and History
• High Energy Accelerator Research Organization (KEK)
  • Institute of Particle and Nuclear Studies
  • Institute of Materials Structure Science
  • Accelerator Laboratory
  • Applied Research Laboratory
  • Computing Research Center
  • Radiation Science Center
  • Cryogenics Science Center
  • Mechanical Engineering Center
• History
  • National Laboratory for High Energy Physics (1971)
  • High Energy Accelerator Research Organization (1997): combined with the Institute for Nuclear Study
  • High Energy Accelerator Research Organization reformed as an Inter-University Research Institute Corporation (2004)

KEK: High Energy Accelerator Organization
[Map slide: the Tsukuba campus (B Factory, LC-Test Facility, Photon Factory) and the Tokai campus (J-PARC), about 60 km apart, with Tokyo and the Pacific Ocean shown for reference]

Issued Certificates
• Host certificates: 73 certificates were issued
• User certificates: 26 certificates were issued
• SSL server certificates: 1 certificate was issued
  • only for ICEPP (Univ. of Tokyo) and KEK

Experiences
• The /Email field was troublesome and is not available any more
  • LCG was OK
  • SRB-DSI does not work with any certificate that includes the field
• Power outage because of the regular inspection of facilities requested by the government
  • Power backup by the generator was done with great effort
  • We may stop the operation of the CA for 3 days next year
• Securing private keys is essential for PKI operations
  • However, users sometimes copy theirs to remote sites over the network and store them on distributed storage systems, even on NFS servers
• Education is very important for users
  • Regular training should be considered

Plan
• Change to the CP/CPS
  • Currently, SSL server certificates are issued only for ICEPP and KEK; however, LCG needs SSL server certificates at each LCG site
    • C=JP, O=KEK, OU=CRC, CN=FQDN
    • SSL server certificates will be issued for each site
    • General usage is forbidden; they are only for use with LCG
  • We assumed that applicants are existing users of the KEK Computing Research Center
    • Contractors in collaborating institutes cannot be users of ours
    • We will change the CP/CPS to allow applications from them
    • Existing users, or persons endorsed by the representative of the collaborating institute of KEK
• We will have the first audit within this year
  • Yoshio Tanaka will be an auditor; thanks to him for his efforts
  • November or December?

End
Any comment or suggestion?

CP/CPS
• KEK GRID CA CP/CPS
  • Version: 1.0.0
  • OID: 1.3.6.1.4.1.200198.1.10.2
  • Conforms to RFC 2527
  • Strongly inspired by the CP/CPSs of the NAREGI CA and the AIST CA
• The KEK GRID CP/CPS is managed by the KEK GRID PMA.
  • Changes in contents need to be approved by the KEK GRID PMA, as described in section 8.

End Entities
• Grid users, servers and services:
  • Members of KEK and its collaborating institutes
  • Computing facilities at KEK and its collaborating institutes

Certificate Types
• User certificate:
  • C=JP, O=KEK, OU=CRC, CN=Takashi Sasaki
• Globus servers:
  • host: C=JP, O=KEK, OU=CRC, CN=host/FQDN
  • services: C=JP, O=KEK, OU=CRC, CN=ldap/FQDN
• Web servers (only for LCG at KEK CRC and ICEPP, U. of Tokyo):
  • C=JP, O=KEK, OU=CRC, CN=FQDN
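As an added example (not from the slides and not KEK's own software), here is a small Python checker that applies the naming rules of this slide, and the lesson of the Experiences slide, to OpenSSL-style subject strings: it requires the C=JP, O=KEK, OU=CRC prefix, classifies the CN as a user, host, service or web-server name, and rejects any subject carrying an /Email component, since the slides report that SRB-DSI does not work with certificates that include that field. The slash-separated DN syntax, the FQDN and person-name patterns, and the example host names are assumptions made for the demonstration.

```python
import re

# Naming policy from the slides: every end-entity DN starts with C=JP, O=KEK, OU=CRC.
REQUIRED_PREFIX = (("C", "JP"), ("O", "KEK"), ("OU", "CRC"))
# The /Email component broke SRB-DSI in practice, so it is not accepted in subjects.
FORBIDDEN_ATTRS = {"EMAIL", "EMAILADDRESS"}

# Assumed patterns (not from the slides): a FQDN, a service name, a person's name.
FQDN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$", re.I)
SERVICE_RE = re.compile(r"^[a-z][a-z0-9-]*$")
PERSON_RE = re.compile(r"^[A-Za-z][A-Za-z .'-]*$")


def parse_dn(dn: str) -> list:
    """Split an OpenSSL-style '/C=JP/O=KEK/OU=CRC/CN=...' string into (attr, value) pairs.

    Splitting only at a '/' that is followed by 'attr=' keeps CN values such as
    'host/ce01.example.jp' or 'ldap/ce01.example.jp' intact.
    """
    if not dn.startswith("/"):
        raise ValueError("DN must begin with '/'")
    pairs = []
    for part in re.split(r"/(?=[A-Za-z]+=)", dn[1:]):
        attr, sep, value = part.partition("=")
        if not sep or not attr or not value:
            raise ValueError(f"malformed DN component: {part!r}")
        pairs.append((attr.upper(), value))
    return pairs


def classify_subject(dn: str) -> tuple:
    """Return (kind, detail): kind is 'user', 'host', 'service', 'web' or 'reject'."""
    try:
        pairs = parse_dn(dn)
    except ValueError as exc:
        return "reject", str(exc)

    for attr, _ in pairs:
        if attr in FORBIDDEN_ATTRS:
            return "reject", f"{attr} component is not permitted in subject names"
    if tuple(pairs[:3]) != REQUIRED_PREFIX:
        return "reject", "DN must begin with /C=JP/O=KEK/OU=CRC"
    if len(pairs) != 4 or pairs[3][0] != "CN":
        return "reject", "exactly one CN must follow the OU"

    cn = pairs[3][1]
    prefix, slash, fqdn = cn.partition("/")
    if slash:  # Globus host or service certificate: CN=<name>/<FQDN>
        if not FQDN_RE.match(fqdn):
            return "reject", f"{fqdn!r} is not a fully qualified host name"
        if prefix == "host":
            return "host", fqdn
        if SERVICE_RE.match(prefix):
            return "service", cn
        return "reject", f"unknown service prefix {prefix!r}"
    if FQDN_RE.match(cn):  # web server certificate: CN=<FQDN>
        return "web", cn
    if PERSON_RE.match(cn):  # user certificate: CN=<person's name>
        return "user", cn
    return "reject", f"CN {cn!r} is neither a host name nor a person's name"
```

A check like this belongs at the RA, before a request reaches the CA: a subject that fails it is returned to the applicant rather than signed, so the fleet of issued certificates never contains names that the relying software (here SRB-DSI) cannot handle.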

Identification and Authentication
• Prerequisites:
  • The person must be an existing user of KEK CRC
  • One referee among KEK employees is required
  • Applicants must be a member of one of the projects at KEK
• User certificate:
  • The subscriber must
    • submit the application in person or by mail (or FAX) to the user administrator,
    • attach a copy of his/her personal identification document with a photo,
    • have an interview in person or by video conference with the user administrator
  • The user administrator confirms the application with the representative’s signature on it
• Host and service certificates:
  • The application must be submitted by an existing certificate user

Certificate Restrictions
• Certificate lifetime:
  • 5 years for the KEK GRID CA certificate
  • 1 year for each end entity certificate
• User and server certificates should not be shared.

Certificate Revocation
• Certificates are to be revoked when …
  • the RA receives a revocation request from a user.
  • the user’s key has been compromised or is suspected of being compromised.
  • the user information on the certificate is suspected of being incorrect.
  • the user has lost the status of KEK CRC user (the user leaves the job, etc.).
  • the CA private key has been compromised.
  • a user violates his/her obligations, as described in CP/CPS Section 2.1.3.

Revocation Request Procedure
• Revocation request from a user
  • The user can choose between two methods: a command-line UI and a web-based UI, both using encrypted communication between the user and the RA.
  • The RA confirms the revocation request using the client certificate, and accepts it.
  • The RA sends the revocation request to the CA, which is located in an independent network segment.
  • Communications between the RA and the CA are encrypted.
• The CA security officer can execute a revocation request on behalf of the user, if necessary.

CRL
• The KEK GRID CA will …
  • revoke the certificate immediately after receipt and acceptance of the revocation request.
  • publish the CRL on the KEK CA web site immediately.
• A relying party can verify a certificate by retrieving the newest CRL from the web site.
• The issued CRL is valid for 30 days.
• The CRL will be reissued at least seven days before the previous one expires.
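The revocation and CRL slides describe a lifecycle with three timing rules: publish a new CRL immediately on every revocation, give each CRL a 30-day validity, and reissue at least seven days before the current one expires. The following Python model is an added example, not code from the slides or from the KEK CA; it uses a plain in-memory structure instead of a real X.509 CRL so that it runs stand-alone, and the serial numbers, dates and reason strings are constructed. It shows the CA side (revoke, issue, decide when the scheduled reissue is due) and the relying-party side, which fails closed when its cached CRL is outside its validity window.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

CRL_VALIDITY = timedelta(days=30)   # policy: an issued CRL is valid for 30 days
REISSUE_LEAD = timedelta(days=7)    # policy: reissue at least 7 days before expiry


@dataclass
class Crl:
    """Minimal stand-in for an X.509 CRL: number, validity window, revoked serials."""
    number: int
    this_update: datetime
    next_update: datetime
    revoked: dict = field(default_factory=dict)   # serial -> (revocation time, reason)


@dataclass
class CaState:
    """What the CA keeps between issuances: the live revocation set and the last CRL."""
    revoked: dict = field(default_factory=dict)
    last_crl: Optional[Crl] = None
    crl_number: int = 0

    def issue_crl(self, now: datetime) -> Crl:
        """Issue a CRL covering everything revoked so far, valid for CRL_VALIDITY."""
        self.crl_number += 1
        self.last_crl = Crl(self.crl_number, now, now + CRL_VALIDITY, dict(self.revoked))
        return self.last_crl

    def revoke(self, serial: int, when: datetime, reason: str) -> Crl:
        """Record an accepted revocation request and publish a new CRL immediately."""
        self.revoked[serial] = (when, reason)
        return self.issue_crl(when)

    def reissue_due(self, now: datetime) -> bool:
        """True once the scheduled reissue point (7 days before expiry) has been reached."""
        if self.last_crl is None:
            return True
        return now >= self.last_crl.next_update - REISSUE_LEAD


def check_certificate(serial: int, crl: Optional[Crl], now: datetime) -> str:
    """Relying-party decision from a cached CRL.

    Returns 'revoked', 'good', or 'unknown'. 'unknown' is returned whenever the
    CRL cannot be trusted for this moment (missing, not yet valid, or expired),
    so the caller must fetch the newest CRL instead of treating the certificate as good.
    """
    if crl is None or now < crl.this_update or now >= crl.next_update:
        return "unknown"
    if serial in crl.revoked:
        return "revoked"
    return "good"


def walk_through():
    """Constructed scenario: one revocation during the first CRL's lifetime."""
    t0 = datetime(2005, 10, 1, tzinfo=timezone.utc)
    ca = CaState()
    crl1 = ca.issue_crl(t0)
    crl2 = ca.revoke(42, t0 + timedelta(days=2), "keyCompromise")
    return {
        "fresh_crl_good": check_certificate(42, crl1, t0 + timedelta(days=1)),
        "after_revoke_new_crl": check_certificate(42, crl2, t0 + timedelta(days=3)),
        "after_revoke_stale_cache": check_certificate(42, crl1, t0 + timedelta(days=3)),
        "reissue_due_day_24": ca.reissue_due(t0 + timedelta(days=24)),
        "reissue_due_day_25": ca.reissue_due(t0 + timedelta(days=25)),
        "expired_crl": check_certificate(7, crl2, t0 + timedelta(days=32)),
    }


if __name__ == "__main__":
    for k, v in walk_through().items():
        print(f"{k}: {v}")
```

The "after_revoke_stale_cache" case is the one worth noticing: the first CRL is still inside its 30-day window on day 3, so a relying party that keeps using it will accept the revoked certificate. The validity window bounds how stale a cache can be; it does not replace fetching the newest CRL, which is why the slide says the relying party retrieves it from the web site.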

Physical Security
• CA server:
  • a dedicated machine in a locked room; the room is located in a secure building.
  • only connected to the RA server via an exclusive network using a private address; the CA server cannot be reached from the Internet.
• CA private key:
  • protected by a FIPS 140-2 Level 3 compliant HSM.
  • a copy is kept in a backup device, with its passphrase, in a key-locked shelf.

Records Archival
• Types of archive data:
  • All issued certificates and CRLs
  • All enrollment requests and notifications between the KEK GRID CA and users
  • Operation history of the CA key
  • Events of interest, as described in CP/CPS 4.5.1: login, logout, reboot, access and error logs, etc.
  • Other documents about the KEK GRID CA
• The retention period is 3 years.
• Archived files are preserved in a key-locked shelf.

Key Pair
• The CA private key is generated by the HSM.
• A user’s key pair is generated on the user’s PC by using a given license ID.
  • The user’s private key is not generated by the CA or the RA.
• Key length:
  • CA certificate: 2048 bits
  • End entity: 1024 bits
• License ID:
  • 24 characters
  • provided by the RA for one-time authentication at the time of the user’s enrollment process.
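The license ID on this slide is a one-time enrollment credential: the RA hands out 24 characters, the applicant uses them once, on their own PC, to authenticate the request that carries the locally generated key. The Python below is an added example of how an RA can keep such IDs, not the KEK RA's implementation; the alphabet, the enrollment window, the binding of each ID to the approved subject and the server key are assumptions. The registry stores only a keyed hash of each ID, so a copy of the store does not yield usable IDs, and an ID is consumed on first successful use so that a replayed request is refused.

```python
import hashlib
import hmac
import secrets
import string
from datetime import datetime, timedelta

LICENSE_ID_LENGTH = 24          # the slides specify a 24-character license ID
# Assumed alphabet (not from the slides): letters and digits without the
# look-alikes 0/O and 1/l/I, since the ID is typed by hand on the user's PC.
ALPHABET = "".join(c for c in string.ascii_letters + string.digits if c not in "0O1lI")
DEFAULT_TTL = timedelta(days=14)  # assumed enrollment window, not a KEK policy value


class LicenseRegistry:
    """RA-side store of outstanding license IDs, keyed by HMAC of the ID."""

    def __init__(self, server_key: bytes):
        self._key = server_key
        self._entries = {}   # digest -> {"subject": str, "expires": datetime, "used": bool}

    def _digest(self, license_id: str) -> str:
        # Keyed hash: the plaintext ID never touches disk; lookup is by digest.
        return hmac.new(self._key, license_id.encode(), hashlib.sha256).hexdigest()

    def issue(self, subject_dn: str, now: datetime, ttl: timedelta = DEFAULT_TTL) -> str:
        """Mint an ID for an approved applicant; the caller delivers it out of band."""
        license_id = "".join(secrets.choice(ALPHABET) for _ in range(LICENSE_ID_LENGTH))
        self._entries[self._digest(license_id)] = {
            "subject": subject_dn, "expires": now + ttl, "used": False,
        }
        return license_id

    def redeem(self, license_id: str, subject_dn: str, now: datetime) -> tuple:
        """Authenticate one enrollment request. Returns (accepted, reason)."""
        entry = self._entries.get(self._digest(license_id))
        if entry is None:
            return False, "unknown license ID"
        if entry["used"]:
            return False, "license ID already used"
        if now >= entry["expires"]:
            return False, "license ID expired"
        if not hmac.compare_digest(entry["subject"].encode(), subject_dn.encode()):
            return False, "license ID was issued for a different subject"
        entry["used"] = True   # one-time: the same ID is refused from here on
        return True, "accepted"


if __name__ == "__main__":
    registry = LicenseRegistry(b"constructed-server-key-for-demo")
    t0 = datetime(2005, 10, 1)
    subject = "/C=JP/O=KEK/OU=CRC/CN=Test User"
    lid = registry.issue(subject, t0)
    print("issued:", lid)
    print(registry.redeem(lid, subject, t0 + timedelta(days=1)))   # accepted
    print(registry.redeem(lid, subject, t0 + timedelta(days=1)))   # already used
```

The check order matters: "used" is tested before "expired" so that a replayed ID is always reported as a replay, and the subject comparison comes last so that an attacker probing with a stolen-but-unknown ID learns nothing about which subject it was bound to.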