
Authentication Services Overview for Science Community Collaboration

Learn about the ATF team providing certificate authorities & trust federations for secure Grid interoperability. Roles include CA Operator, Developer, Federation Liaison, Product Manager & more. Security measures include PKI, HSM, VPNs, and intrusion detection.

  1. ESnet RAF and eduroam™ (Tony J. Genovese, ATF Team, ESnet/Lawrence Berkeley National Laboratory)

  2. ATF Overview
     • Authentication services for DOE Office of Science projects, including international collaborations, computational Grids, the ESnet community, and ESnet internal use
     • Primarily focused on the Office of Science community
     • ATF’s principal service is a set of certificate authorities (CAs)
     • Policy is driven completely by the needs of the science community
     • Facilitating several trust federations to enable interoperable science Grids
       – Policy Management Authorities
         • the IGTF - International Grid Trust Federation
         • the Americas “regional” policy management authority – TAGPMA
     • ATF also pilots new technology and new policy systems, and develops project proposals in collaboration with other partners

  3. Authentication and Trust Federation Team
     • 3 FTEs plus heavy support from ESnet UNIX services
     • Plus additional support from network engineering, services, and Windows support
     • Roles
       • CA Operator
       • Developer
       • Federation Liaison
       • Product Manager (community outreach)
       • Specialized system administration
       • PMA chairman / member
       • Contributor to community best practices/standards efforts
     • All team members have cross-trained to ensure continuity.

  4. PKI Certificate Authorities Overview [diagram; labels recovered from the slide: ESnet Root CA (the ESnet Root CA only signs subordinate CAs); ESnet subordinate Certificate Authorities and Services: NERSC Site – NIM Integration, ESnet SSL/TLS, FUSION (Credential Store), DOEGrids, OCSP Service, Future Co-hosting]

  5. PKI Security Environment [diagram; layers labelled on the slide, from the core outward: Offline Vaulted Root CA; Grid User PKI Systems; Hardware Security Modules (HSM); Firewall; Secure VLAN; Internet; Access controlled racks; Secure Data Center; Building Security; LBNL Site security; Intrusion Detection]

  6. DOEGrids CA Usage Statistics [chart not captured in the transcript; footnote on the slide: * Report as of Jun 15, 2005]

  7. RAF, eduroam™ and Internet2 interconnects [diagram; node labels on the slide: Secure ID, ANL, PPNL, NERSC, Aladdin Smart Card, ORNL, eduroam™, ESnet RAF, TERENA, NL Grid realms, ESnet, LBNL, eduroam US, Internet2, DOEGrids, MyProxy, Crypto Card, UTK; annotations: Interconnecting with eduroam™ at UTK; Interconnect Grid Realms at TERENA; ESnet possible secondary route for eduroam™]

  8. Grid eduroam™ Experiment
     • Phase 0
       • Use Infoblox loaded with IGTF root certificates
       • EAP/TLS strong authentication based on Grid identity certs
       • eduroam™ authorization attributes – eduroam™ defines
       • TACAR or EUGridPMA repository as trust anchor
       • IGTF OCSP experimental service – GGF defining the service
       • Interconnect to eduroam™ at UTK
     • Grid top-level interconnect
       • TERENA - Root
       • ESnet
       • Grid PMAs: EU Grid PMA, AP Grid PMA and TAGPMA
     • User experience: local site dependency
       • eduroam™ defines
       • Each site controls how they expose or provide a service to the community.
     • Develop federation document set
       • Based on GGF documents plus eduroam™ policies
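The chain validation that a Phase 0 EAP/TLS relying party has to perform, as an added example that is not part of the original deck or of ESnet's tooling: a POSIX shell script using the openssl command-line tool to build the hierarchy from slide 4 (an offline root that signs only a subordinate CA, a subordinate that issues Grid user certificates) and to verify a user certificate with the root as the only trust anchor, including two cases that must be rejected. All subjects, file names and key sizes are constructed for the demonstration; the script assumes openssl 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not ESnet code): build the two-tier hierarchy the slides
# describe (an offline root that signs only subordinate CAs, a subordinate
# that issues Grid user certificates) and run the chain validation that an
# EAP-TLS relying party performs with only the root as its trust anchor.
# All names, subjects and key sizes are constructed for the demonstration.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Extension profiles: pathlen:1 lets the root certify one CA tier below it;
# pathlen:0 lets the subordinate certify end entities only.
printf 'basicConstraints=critical,CA:TRUE,pathlen:1\nkeyUsage=critical,keyCertSign,cRLSign\n' > root.ext
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > sub.ext
printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=clientAuth\n' > user.ext
cp user.ext rogue.ext

# issue_cert NAME SUBJECT ISSUER   (ISSUER "self" makes a self-signed root)
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null
  if [ "$3" = self ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 3650 -extfile "$1.ext" -out "$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" -CAcreateserial \
      -days 365 -extfile "$1.ext" -out "$1.crt" 2>/dev/null
  fi
}

issue_cert root  "/DC=org/DC=ExampleGrid/CN=Example Root CA" self
issue_cert sub   "/DC=org/DC=ExampleGrid/CN=Example Subordinate CA" root
issue_cert user  "/DC=org/DC=ExampleGrid/OU=People/CN=Jane Doe 1234" sub
# A user key is not a CA key: this cert must never validate, whatever it claims.
issue_cert rogue "/DC=org/DC=ExampleGrid/OU=People/CN=Issued By A User" user
cat sub.crt user.crt > chain.pem

# verify_chain CERT [INTERMEDIATES]: returns 0 only when openssl can build a
# valid path from CERT to the root, honouring CA:FALSE and pathlen limits.
verify_chain() {
  if [ -n "$2" ]; then
    openssl verify -CAfile root.crt -untrusted "$2" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile root.crt "$1" >/dev/null 2>&1
  fi
}

verify_chain user.crt sub.crt    && echo "user cert: valid chain to the root"
verify_chain user.crt            || echo "user cert alone: no path to the root (subordinate CA not supplied)"
verify_chain rogue.crt chain.pem || echo "rogue cert: rejected, its issuer is not a CA"
```

The second case is why an EAP-TLS supplicant must send the subordinate CA certificate along with the user certificate: the relying party holds only the IGTF root bundle as its trust anchor.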

  9. Next Phases
     • Phase 1
       • Add authorization schema
       • Phase 0 plus LDAP server
     • Phase 2
       • Add Virtual Organization Management System
         • Shibboleth
         • GGF – GridShib or other?
         • TF-EMC2
       • Phase 0 plus VOMS servers
     • Phase 3 – production hardening
       • Implement our community’s selected solution – or ?

  10. ESnet RAF Experiment systems [diagram; labels on the slide: Possible eduroam™ backup route; LDAP User Account DB (phase 1+); Grid Interconnect TERENA; RAF radius appliance; eduroam™ / Internet2 Interconnect; Cisco Catalyst 4000; EAPOL test bed]
