
IdM Campus Developers Meeting 12/05/07

OIT/CIT Security, Identity Management Team. IdM Campus Developers Meeting 12/05/07. Kerberos authentication servers (KDCs) move from AIX to Linux environment CUWebAuth 2.0 and K4-K5 Upgrade I2 Grouper rollout plans and Permit Server retirement Active Directory plans Questions?.



Presentation Transcript


  1. OIT/CIT Security, Identity Management Team
  IdM Campus Developers Meeting 12/05/07
  • Kerberos authentication servers (KDCs) move from AIX to Linux environment
  • CUWebAuth 2.0 and K4-K5 Upgrade
  • I2 Grouper rollout plans and Permit Server retirement
  • Active Directory plans
  • Questions?

  2. Kerberos server changes Jan/Feb 2008
  • Kerberos authentication servers (KDCs) move from AIX to Linux environment.
  • Combines the need to replace aging hardware with CIT's planned retirement of AIX support.
  • Time to prepare if you maintain services that use CIT's authentication service (Kerberos) or manage firewalls on Cornell campus networks.
  • Service owners will need to check certain system configurations and test their applications during December and the first week of January.
  • GuestID and ApplicantID authentication services are NOT impacted by this change.

  3. Special Note
  • The Kerberos servers are having their IP addresses changed in order to move them to a separate subnet.
  • We are using this opportunity to begin putting our authentication servers on a separate subnet which can be locked down more tightly than the one the KDCs are on now.
  • The idea is to designate this subnet as one with tighter security requirements, as opposed to forcing all the services on the current net to conform to the higher requirements.

  4. Key Dates
  • 11/29/07 - CIT makes test instance available for campus testing
  • 11/29/07 to 01/06/08 - Service owners do testing and configuration
  • 01/06/08 - CIT moves primary Kerberos authentication server (KDC) to Linux
  • 02/07/08 - CIT moves secondary KDC to Linux

  5. Steps that service owners need to complete by 1/6/08
  1) Make sure applications using CIT's authentication service are configured to use the hostnames for both the primary and secondary KDCs: kerberos.cit.cornell.edu and kerberos2.cit.cornell.edu
        o For Windows: krb5.ini and krb.con
        o For Linux, AIX, Solaris, and other Unix clones: krb5.conf and krb.conf. These are usually in /etc
        o Do not swap the order of the KDCs in the conf files
  2) Make sure applications are NOT using the hardware names Zodiac1 or Zodiac2, or the IP addresses for those servers (132.236.61.52 and 132.236.228.25). If they are, re-configure them with the names in step 1 instead.
  3) Add this new IP range to any firewall, ipsec, or ipfilter rules allowing traffic to the current KDCs: 132.236.200.0/24 (This is in addition to the IP addresses for the current KDCs, 132.236.61.52 and 132.236.228.25.)
  4) Verify test instances of your applications against the test KDCs:
        kerberos.test.login.cornell.edu
        kerberos2.test.login.cornell.edu
     Make sure authentication is working. If you experience any problems, report them to idmgmt@cornell.edu
  After February 7, 2008, when the cutover to the new KDCs should be complete, campus service owners and network administrators can safely modify rules to disallow the old KDCs.
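A small checker for steps 1 to 3 above, added here as an example and not part of the CIT presentation: it reads the [realms] section of a krb5.conf (or krb5.ini, same INI-style syntax), confirms the two CIT hostnames are listed in the documented order, flags the retired Zodiac names and IP addresses, and checks that a firewall allow-list covers the new KDC subnet. The sample config is constructed for the demo, and the realm name CIT.CORNELL.EDU is an assumption.

```python
import ipaddress
import re

# Values from the migration checklist (the realm name below is an assumption).
EXPECTED_KDCS = ["kerberos.cit.cornell.edu", "kerberos2.cit.cornell.edu"]
RETIRED_NAMES = {"zodiac1", "zodiac2"}            # hardware names, must not be used
RETIRED_IPS = {"132.236.61.52", "132.236.228.25"}  # old KDC addresses
NEW_KDC_NET = ipaddress.ip_network("132.236.200.0/24")

# Constructed sample krb5.conf, already in the correct state.
SAMPLE_CONF = """\
[libdefaults]
    default_realm = CIT.CORNELL.EDU
[realms]
    CIT.CORNELL.EDU = {
        kdc = kerberos.cit.cornell.edu
        kdc = kerberos2.cit.cornell.edu
    }
"""

def parse_realm_kdcs(conf_text, realm):
    """Return the 'kdc =' values for `realm` from [realms], in file order (ports stripped)."""
    kdcs, in_realms, in_realm = [], False, False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and whitespace
        if not line:
            continue
        if line.startswith("["):                   # new section header
            in_realms, in_realm = (line == "[realms]"), False
            continue
        if in_realms and not in_realm:
            m = re.match(r"^(\S+)\s*=\s*\{", line)  # 'REALM = {' opens the block
            in_realm = bool(m and m.group(1).upper() == realm.upper())
            continue
        if in_realm:
            if line == "}":
                in_realm = False
                continue
            m = re.match(r"^kdc\s*=\s*(\S+)", line, re.I)
            if m:
                kdcs.append(m.group(1).split(":")[0].lower())
    return kdcs

def check_kdc_config(conf_text, realm):
    """Return a list of problems; an empty list means the realm is ready for the move."""
    kdcs = parse_realm_kdcs(conf_text, realm)
    problems = [f"hardware name in use: {k}" for k in kdcs if k.split(".")[0] in RETIRED_NAMES]
    problems += [f"hard-coded old KDC address: {k}" for k in kdcs if k in RETIRED_IPS]
    if kdcs != EXPECTED_KDCS:                      # wrong hosts or swapped order
        problems.append(f"expected KDCs {EXPECTED_KDCS} in that order, found {kdcs}")
    return problems

def firewall_allows_new_kdcs(allowed_cidrs):
    """True if some allow rule covers the whole new KDC subnet 132.236.200.0/24."""
    return any(NEW_KDC_NET.subnet_of(ipaddress.ip_network(c)) for c in allowed_cidrs)
```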

  6. Steps that CIT will be taking to ensure as smooth a cutover as possible
  • CIT will modify CIT-maintained ACLs to allow traffic from the new KDCs and will notify network administrators. After Feb. 7, 2008, when the cutover to the new KDCs should be complete, CIT will modify ACLs to disallow the old KDCs and will notify network administrators.
  • CIT will test whether the change will be transparent for the standard Windows and Macintosh firewall configurations.
  • CIT will monitor logs on the secondary KDC after the cutover of the primary KDC to identify applications that have not yet been configured for the new KDCs. CIT will contact the individuals responsible for these hosts to help them make the necessary changes.
  • CIT will send additional communications and reminders as key dates approach.
  • CIT will send general campus communications regarding the change and what people can expect on each cutover date.
  • Still awake? This information is available at http://identity.cit.cornell.edu/KDC_move/index.html

  7. Jan. 15, '08 - CUWAL2 available for early testing
  * Jan. 15, '08 - CUWebLogin server
        o Completed internal testing.
        o Ready for user testing.
        o Features available...
             + Basic login page.
             + Proxy support (KPA equivalent).
        o Features missing...
             + HA.
             + U/I approval
             + Security Audit
  * Jan. 15, '08 - CUWebAuth for Apache/Solaris
        o Features available...
             + Proxy support (KPA equivalent)
             + POST data
        o Features missing...
             + Permit/Grouper support
             + HA.
             + Security Audit

  8. March 15, '08 - CUWAL2 Go Live
  * Feb. 15, '08 - CUWAL2 Beta 2
        o Failover up and running
  * March 01, '08 - CUWebLogin Release Candidate
        o U/I has been vetted and approved by appropriate channels
        o Security Audit completed
  * March 01, '08 - CUWebAuth Release Candidate
        o Permit/Grouper support
        o Security Audit completed
  * March 15, '08 - CUWebLogin and CUWebAuth Go Live

  9. Where Are We Now?
  [Timeline figure: month axis running Dec, Jan through Dec, Jan through Jun; labels: "A whole bunch of stuff happens (see previous slides)", "You Are Here", "Campus Rollout Complete", "PS Student Launch", "K4 Shutdown", "2008 Discretionary migration window".]

  10. Grouper Update
  • Permit migration application is written and tested against the complete permit database, including the 190,000+ member cu.alumni permit.
  • LDAP Provisioning connector tested. Still some issues to iron out with respect to large permits like cu.alumni.

  11. Grouper Update cont'd
  • Performance release from Internet2 released before Christmas.
  • Permitg, the permit shim, is ready for load testing.
  • Currently Grouper is being used in production at Brown and Duke.

  12. Grouper Update cont'd
  • End-to-end testing through each of the three gates and along all paths completed about a month ago.
  • Paths and gates? (See next slide)

  13. Grouper Update cont'd
  • Now in the process of moving everything to the test environment.
  • Load test plan is done.
  • A few minor details to iron out before load testing.
  • Deployment: January/February 2008? We'll give you plenty of notice!
  • You won't have to do anything except help us test.

  14. Grouper org tree
  • Goals
        o Institutional view + local flexibility
        o Consistency in naming convention for common demographic groups and business functions
        o Mechanism for delegating admin rights for group management
  • Solution
        o Use view developed by Institutional Planning and Research
        o Define limited set of unit stems, substems and groups

  15. Example using CALS
  • cu:cuunits:cals
        o :admin
        o :admin:[finance]
        o :admin:[facilities]
        o :admin:[it]
        o :admin:[hr]
        o :admin:[bsc]
        o :[staff]

  16. Example using CALS
  • cu:cuunits:cals
        o :acadsvcs
        o :staff:[nonacad]
        o :staff:[acad]
        o :staff:[faculty]
        o :[students]

  17. Example using CALS
  • cu:cuunits:cals
        o xxx:[yyy] - local units define substem and group

  18. Assigning unit admins
  • Communication with ITMC rep and IT Security liaison
  • Request to name two primary administrators for unit
  • Recommend ITMC rep or IT security liaison as one administrator

  19. Unit admin role
  • Delegate rights to others in the unit as appropriate
  • Developing, maintaining standards for naming below the unit level
  • Developing consistent criteria for membership in groups common to all units
  • Requesting replacement admins as needed

  20. Active Directory Plans
  • CIT Senior Management Group approval
        o Move forward with project initiation plan
        o 1 FTE for Identity Management to support service, contingent on approval of plan
  • Planning progress
        o Interviews with steering committee members complete
        o Draft requirements document and draft initiation plan due to steering committee and CIT stakeholders Dec. 6

  21. Requirements: highlights
  • Flexibility
        o In service offerings (OU, child domain, other)
  • Client support
        o Windows, Mac, Unix, mobile
        o Remote and roaming users
  • Service offerings must be clearly described so customers can make the right choice
  • People who don't qualify for a NetID need access

  22. Requirements: highlights
  • Service must accommodate existing services which potential customers have already implemented: SMS, DFS, Configuration Manager, WSUS
  • Common thread in interviews was interest in future use of smart cards
  • Active Directory governance group

  23. Active Directory next steps
  • Availability of first version of requirements document to campus in December
  • Completion and submission of initiation plan with assistance from CIT-assigned project manager in January
  • Quarterly AD SIG start-up in January - discuss requirements at first meeting
  • Approval and identification of start date

  24. Active Directory - keeping in touch
  • Subscribe to activedir-l
  • Watch for SIG meeting announcements and other news on the discussion list

  25. AD project steering committee
  • Brian Roma - Alumni Affairs
  • Jason Seymour - ECE
  • Keene Silfer - University Libraries
  • Dan Elswit/Tom Dunn (primary & backup) - CALS
  • Karlis Musa/David Bosch (primary & backup) - Cornell Nanoscale Facility
  • Kevin Baradet - JGSM
  • William Law - Theory Center
  • Philip Halcomb - Mann Library
  • Kim Burlingame - CISER
  • Shijie Yang - Wilson Synchrotron

  26. http://identity.cit.cornell.edu/projects/index.html

  27. Identity Management
  aadssupport@cornell.edu
