Learn about the ATF team providing certificate authorities & trust federations for secure Grid interoperability. Roles include CA Operator, Developer, Federation Liaison, Product Manager & more. Security measures include PKI, HSM, VPNs, and intrusion detection.
ESnet RAF and eduroam™
Tony J. Genovese, ATF Team
ESnet/Lawrence Berkeley National Laboratory
ATF Overview
• Authentication services for DOE Office of Science projects, including international collaborations, computational Grids, the ESnet community, and ESnet internal use
• Primarily focused on the Office of Science community
• ATF’s principal service is a set of certificate authorities (CAs)
• Policy is driven completely by the needs of the science community
• Facilitating several trust federations to enable interoperable science Grids – Policy Management Authorities
  • the IGTF – International Grid Trust Federation
  • the Americas “regional” policy management authority – TAGPMA
• ATF also pilots new technology and new policy systems, and develops project proposals in collaboration with other partners
Authentication and Trust Federation Team
• 3 FTEs plus heavy support from ESnet UNIX services
• Plus additional support from network engineering, services, and Windows support
• Roles
  • CA Operator
  • Developer
  • Federation Liaison
  • Product Manager (community outreach)
  • Specialized system administration
  • PMA chairman / member
  • Contributor to community best practices/standards efforts
• All team members have cross-trained to ensure continuity.
PKI Certificate Authorities Overview
[Diagram: the ESnet Root CA only signs subordinate CAs. Subordinate CAs and services shown beneath it: NERSC Site (NIM Integration), ESnet SSL/TLS, FUSION (Credential Store), DOEGrids, OCSP Service, and future co-hosting of ESnet subordinate Certificate Authorities and Services.]
PKI Security Environment
[Diagram of the protections around the Grid user PKI systems: offline vaulted Root CA, Hardware Security Modules (HSM), a firewall and secure VLAN in front of the Internet connection, access-controlled racks, secure data center, building security, LBNL site security, and intrusion detection.]
DOEGrids CA Usage Statistics
[Chart; report as of Jun 15, 2005]
RAF, eduroam™ and Internet2 interconnects
[Diagram: the ESnet RAF connects DOE sites (ANL, PPNL, NERSC, ORNL, LBNL) and their credentials (SecurID, Aladdin smart card, Crypto Card, DOEGrids certificates via MyProxy) to eduroam™ US and Internet2, interconnecting with eduroam™ at UTK and with the NL Grid realms at TERENA; ESnet is shown as a possible secondary route for eduroam™.]
Grid eduroam™ Experiment
• Phase 0
  • Use Infoblox loaded with IGTF root certificates
  • EAP/TLS strong authentication based on Grid identity certificates
  • eduroam™ authorization attributes – eduroam™ defines
  • TACAR or EUGridPMA repository as trust anchor
  • IGTF OCSP experimental service – GGF defining the service
  • Interconnect to eduroam™ at UTK
  • Grid top-level interconnect
    • TERENA – Root
    • ESnet
    • Grid PMAs: EU Grid PMA, AP Grid PMA and TAGPMA
  • User experience: local site dependency
    • eduroam™ defines
    • Each site controls how they expose or provide a service to the community.
  • Develop Federation document set
    • Based on GGF documents plus eduroam™ policies
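The Phase 0 trust check above, combined with the rule from the PKI overview that the root signs only subordinate CAs, as an added Python example that is not part of the slides: an EAP-TLS client certificate is accepted only when it chains through a subordinate CA to a trust anchor (the IGTF bundle), and its Grid realm is then derived for eduroam™ routing. It uses the `cryptography` library with a constructed in-memory hierarchy; the DN layout (DC=org, DC=DOEGrids, OU=People) and the realm derivation are assumptions for illustration, and the OCSP check is left out.

```python
import datetime as dt
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def _cert(subject, issuer, issuer_key, key, ca, path_len=None):
    now = dt.datetime.now(dt.timezone.utc)  # one-year certificate, signed by issuer_key
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - dt.timedelta(days=1)).not_valid_after(now + dt.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=path_len), critical=True)
            .sign(issuer_key, hashes.SHA256()))
def _is_ca(cert):  # demo certs all carry basicConstraints; real code must handle its absence
    return cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca

def _signed_by(cert, issuer):  # issuer is EC-keyed, as build_demo generates
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        return cert.issuer == issuer.subject
    except InvalidSignature:
        return False

def realm_of(cert):
    # Grid realm from the subject's DC components: DC=org, DC=DOEGrids -> "doegrids.org"
    dcs = [a.value for a in cert.subject.get_attributes_for_oid(NameOID.DOMAIN_COMPONENT)]
    return ".".join(reversed(dcs)).lower() or None

def accept_client(cert, subordinates, anchors):
    # Accept only anchor -> subordinate CA -> client; the slides' root signs only
    # subordinate CAs, so a cert issued directly by a root (`direct` below) is rejected.
    for sub in subordinates:
        if (not _is_ca(cert) and _is_ca(sub) and _signed_by(cert, sub)
                and any(_signed_by(sub, r) for r in anchors)):
            return realm_of(cert)
    return None

def build_demo():
    # Constructed sample hierarchy: offline root, subordinate CA, two client certs
    root_key, sub_key, user_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Demo Root CA")])
    sub_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Demo Subordinate CA")])
    user_name = x509.Name([x509.NameAttribute(oid, v) for oid, v in [
        (NameOID.DOMAIN_COMPONENT, "org"), (NameOID.DOMAIN_COMPONENT, "DOEGrids"),
        (NameOID.ORGANIZATIONAL_UNIT_NAME, "People"), (NameOID.COMMON_NAME, "Demo User")]])
    root = _cert(root_name, root_name, root_key, root_key, ca=True, path_len=1)
    sub = _cert(sub_name, root_name, root_key, sub_key, ca=True, path_len=0)
    user = _cert(user_name, sub_name, sub_key, user_key, ca=False)
    direct = _cert(user_name, root_name, root_key, user_key, ca=False)  # violates the policy
    return root, sub, user, direct
```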
Next Phases
• Phase 1
  • Add authorization schema
  • Phase 0 plus LDAP server
• Phase 2
  • Add Virtual Organization Management System
    • Shibboleth
    • GGF – GridShib or other?
    • TF-EMC2
  • Phase 0 plus VOMS servers
• Phase 3 – production hardening
  • Implement our community’s selected solution – or ?
ESnet RAF Experiment systems
[Diagram: RAF RADIUS appliance with a Cisco Catalyst 4000 EAPOL test bed; LDAP user account DB (phase 1+); Grid interconnect to TERENA; eduroam™/Internet2 interconnect; possible eduroam™ backup route.]