Leveraging Campus Authentication for Grid Scalability
Jim Jokl, Marty Humphrey
University of Virginia
Internet2 Meeting, April 2004
NMI Testbed Activity
• Early project focus
  • Testing various NMI components
  • Integrating them with campus infrastructure
• Next phase: more inter-campus activities
  • Focus on Globus
  • However, results can be generally applicable
• How do we facilitate sharing of data and compute resources between campuses?
  • Scalability and complexity issues for the Grid
  • Security, researcher support, sharing equity issues
• Our focus: authentication and inter-campus trust
  • Hence inter-campus aspects of Globus PKI
Background: Public Key Infrastructure (PKI)
• A PKI uses asymmetric cryptography
  • A pair of mathematically related keys
  • The Public Key is published widely; the Private Key is secret
• An X.509 Certificate is:
  • An object signed by a Certification Authority (CA)
  • A binding of a user’s identity to their public key
  • An object containing attributes about the individual and the Issuing Certification Authority
• Critical Issues
  • How do you trust the credential binding?
  • How can other institutions trust it?
  • How would trust scale in a large Grid or Grids?
Background: Trust in a Hierarchical PKI
(diagram: a Root Certificate signs two Intermediate Certificates, which in turn sign the User A through User E certificates)
• Trust based on trusting the “root” certificate
• User cert trust via validating the cert chain to a trusted root
• Some issues:
  • “root” compromise
  • A CA per Grid vs. a CA per school vs. ?
  • Researcher support
  • Integrating existing campus credentials
Background: Trust in a Bridge PKI
(diagram: a Bridge CA joined by cross-certificate pairs to Root A, Root B, ... Root n; intermediates Mid-A and Mid-B; user certificates User A1, User A2, User B1)
• Enables trust between multiple hierarchical CAs
  • No need to reconstitute the whole PKI if a CA is compromised
  • Generally uses more infrastructure than just the cross-certificate pairs
• Can enable trust between existing PKIs
  • Preserves technical and political separation
• Logical choice for multi-campus / multi-grid systems
  • Enables researchers to use home campus credentials
PKI Bridge Path Validation
(diagram only)
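The bridge path validation the slides illustrate, as an added example that is not part of the original presentation and does not use Globus itself: a miniature bridge PKI (Root A, Root B, a Bridge CA and the two cross-certificates between them) is built with openssl, and a relying party that trusts only Root A validates a user certificate issued under Root B by walking the cross-certificates. All names, serial numbers and file paths are constructed for the demo; the second function shows the failure the slides' "must be pre-loaded" note refers to, when the cross-certificates are not available to the relying party.

```shell
#!/bin/sh
# Added example, not from the UVA slides: a miniature bridge PKI built with
# openssl and validated the way a relying party that trusts only "rootA"
# validates a user certificate issued under "rootB". All names, serials
# and file paths here are constructed for the demo.

# Extension profiles: one for CA certificates, one for end-entity (user) certs.
write_profiles() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1/ca.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\n' > "$1/ee.ext"
}

# Generate a key pair and a CSR: $1=dir $2=basename $3=common name
new_key_csr() {
  openssl genrsa -out "$1/$2.key" 2048 >/dev/null 2>&1
  openssl req -new -key "$1/$2.key" -subj "/CN=$3" -out "$1/$2.csr" >/dev/null 2>&1
}

# Issue a certificate for a CSR:
# $1=dir $2=csr basename $3=issuer basename $4=output basename $5=serial $6=profile (ca|ee)
issue() {
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.pem" -CAkey "$1/$3.key" \
    -set_serial "$5" -days 30 -extfile "$1/$6.ext" -out "$1/$4.pem" >/dev/null 2>&1
}

# Build Root A, Root B, the Bridge CA, both cross-certificates and one user cert in $1.
build_bridge_pki() {
  d="$1"
  write_profiles "$d"
  # Three independent self-signed trust anchors: two campus roots and the bridge.
  for name in rootA rootB bridge; do
    new_key_csr "$d" "$name" "$name"
    openssl x509 -req -in "$d/$name.csr" -signkey "$d/$name.key" \
      -set_serial 1 -days 30 -extfile "$d/ca.ext" -out "$d/$name.pem" >/dev/null 2>&1
  done
  # Cross-certificates: Root A certifies the bridge's key, the bridge certifies
  # Root B's key (a real bridge issues both directions, giving cross-cert pairs).
  issue "$d" bridge rootA cross_rootA_bridge 101 ca
  issue "$d" rootB bridge cross_bridge_rootB 102 ca
  # A researcher at campus B, certified only by Root B.
  new_key_csr "$d" userB "Researcher B"
  issue "$d" userB rootB userB 201 ee
}

# A relying party that trusts only Root A validates the campus-B user through
# the bridge: userB <- rootB (cross-certified by bridge) <- bridge (cross-certified
# by rootA) <- rootA (trusted).
verify_bridge_path() {
  openssl verify -CAfile "$1/rootA.pem" \
    -untrusted "$1/cross_rootA_bridge.pem" -untrusted "$1/cross_bridge_rootB.pem" \
    "$1/userB.pem"
}

# Same trust store, but with no cross-certificates available: no path can be built.
verify_without_bridge() {
  openssl verify -CAfile "$1/rootA.pem" "$1/userB.pem"
}

# Stand-alone run.
demo=$(mktemp -d)
build_bridge_pki "$demo"
echo "With cross-certificates supplied:"
verify_bridge_path "$demo" || true
echo "Without cross-certificates:"
verify_without_bridge "$demo" || true
rm -rf "$demo"
```

The relying party never sees Root B's self-signed certificate; it reaches Root B's key only through the certificate the bridge issued for it. That is why a Globus host that trusts only its own campus root still needs every cross-certificate and intermediate on the path copied into its trust directory.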
Globus & Bridge Test Environment
• Simple bridge test environment revealed:
  • Globus can validate a bridge trust path
  • All needed cross-certificates must be pre-loaded into /etc/grid-security/certificates
  • Appears that all needed intermediate CA certificates must also be pre-loaded
  • No known support for a directory mechanism to locate cross-certificates
  • Does not appear to follow AIA URLs to obtain any needed cross or intermediate certificates
• A more complex real-world test is needed
Globus PKI Integration Notes
• Campus CA Integration
  • Use of Campus CAs with Globus for inter-institutional sharing of resources should be manageable
  • Typical campus certificate profiles (e.g. PKI-lite) work well with Globus
  • Challenges will exist for locating the needed cross-certificates and intermediate CA certificates
Globus PKI Integration Notes
• Campus CA integration is complicated by the Globus interface
  • Campus CAs and OS-exported certificates are generally in PKCS-12 format
  • Globus expects raw PEM files for the certificate and the private key
  • A file to map certificate DNs to UNIX login names must be maintained
    • A maintenance challenge for large inter-institutional grids
Goals for Larger Test on the NMI Testbed Grid
• Test the use of Globus in a real and larger bridged PKI environment
• Enable the use of campus CAs in inter-institutional Grids
  • Show that one set of campus-issued credentials can work
  • Use on a single or multiple grids
  • Eases researcher pain (and support issues)
• Explore complexity issues, demonstrate scalability
• Create appropriate tools and documentation
• Prepare for Globus to leverage other activities
  • Higher Education Bridge Certification Authority
  • Higher Education Root Certification Authority
Higher Education Bridge Certification Authority (HEBCA)
• A project of EDUCAUSE
• Implement a bridge for higher education based on the Federal PKI bridge model
  • Support both campus PKIs and sector hierarchical PKIs
  • Cross-certify with the Federal bridge (and others as appropriate)
• Use of HEBCA with Globus may be a natural result of this work
US Higher Education Root CA
• A project of Internet2
  • The replacement for the CREN CA
• Designed to support campuses that wish to be part of a hierarchical CA
  • The CA signs campus CA signing certificates
• Expectation is to cross-certify with HEBCA at some level
  • Campus CAs that are part of this hierarchy would also work well in a bridged Globus environment
Current Project Status
• Built Testbed Bridge CA
  • Off-line system
• Cross-certifications
  • UVA: complete
  • UAB: nearly done
  • TACC: 50%
  • USC: getting started
• /etc/grid-security
  • Certificates, policy files, and hash links generated via scripts
  • Gridmap file by hand
Tool Development
• In addition to supporting the testbed grid via cross-certification, we plan to explore a few tools
  • Credential converter web site that takes a PKCS-12 (as is available in most enterprise CAs) and returns the PEM files needed by Globus
  • A tool to chase down cross-certificates from AIA fields and build the needed Globus links and signing policy files
  • Potentially: a CA using a Shibboleth-based RA
    • Provide certificates for campuses that have Shibboleth but are not yet operating an enterprise CA
    • Each campus would have its own root that would be cross-certified via the testbed bridge
• We should know a lot more in a few months
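The /etc/grid-security pieces named on the "Globus PKI Integration Notes", "Current Project Status" and "Tool Development" slides, as an added example written for this page rather than the UVA testbed's own scripts or converter site: installing a CA certificate as a hash link plus a signing_policy file, converting a PKCS-12 credential into the usercert.pem/userkey.pem pair Globus expects with the file permissions Globus enforces, and appending a grid-mapfile line mapping the certificate DN to a UNIX login. The campus CA, the researcher certificate and the PKCS-12 password "demo" are constructed for the example; the directory layout and file formats are the standard Globus ones.

```shell
#!/bin/sh
# Added example, not the UVA project's tooling: the /etc/grid-security pieces the
# slides say are produced by script or by hand. All names, paths and the "demo"
# PKCS-12 password are constructed for this example.

# Install a CA certificate into a Globus-style trust directory:
# $1=trust dir $2=CA cert (PEM) $3=DN namespace the CA is allowed to sign
# Writes <hash>.0 (the certificate) and <hash>.signing_policy; prints the hash.
install_ca() {
  dir="$1"; ca="$2"; ns="$3"
  h=$(openssl x509 -noout -hash -in "$ca")                 # subject-name hash used for the link
  ca_dn=$(openssl x509 -noout -subject -nameopt compat -in "$ca" | sed 's/^subject= *//')
  cp "$ca" "$dir/$h.0"
  # Globus signing_policy format: which CA (by DN) may sign which subject namespace.
  cat > "$dir/$h.signing_policy" <<EOF
access_id_CA      X509         '$ca_dn'
pos_rights        globus       CA:sign
cond_subjects     globus       '"$ns"'
EOF
  echo "$h"
}

# Convert an enterprise-CA PKCS-12 bundle into the raw PEM pair Globus expects:
# $1=PKCS-12 file $2=password $3=output dir (usercert.pem, userkey.pem)
convert_p12() {
  mkdir -p "$3"
  openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys -out "$3/usercert.pem" 2>/dev/null
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$3/userkey.pem" 2>/dev/null
  # Globus refuses a private key that is group- or world-readable.
  chmod 644 "$3/usercert.pem"
  chmod 600 "$3/userkey.pem"
}

# Append a grid-mapfile entry mapping a certificate's subject DN to a local login:
# $1=grid-mapfile $2=user cert (PEM) $3=UNIX login
add_gridmap_entry() {
  dn=$(openssl x509 -noout -subject -nameopt compat -in "$2" | sed 's/^subject= *//')
  printf '"%s" %s\n' "$dn" "$3" >> "$1"
}

# The trust directory doubles as an OpenSSL CApath, so the hash link can be checked directly.
check_user_cert() {
  openssl verify -CApath "$1" "$2"
}

# Constructed demo credentials: a campus CA and one researcher, exported as PKCS-12
# the way an enterprise CA or a browser would hand them out.
make_demo_credentials() {
  d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -keyout "$d/ca.key" -out "$d/ca.pem" \
    -subj "/O=Example Campus/CN=Example Campus CA" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -keyout "$d/user.key" -out "$d/user.csr" \
    -subj "/O=Example Campus/CN=Alice Researcher" >/dev/null 2>&1
  openssl x509 -req -in "$d/user.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -set_serial 1001 -days 30 -out "$d/user.pem" >/dev/null 2>&1
  openssl pkcs12 -export -in "$d/user.pem" -inkey "$d/user.key" \
    -passout pass:demo -out "$d/user.p12"
}

# Stand-alone run.
demo=$(mktemp -d)
make_demo_credentials "$demo"
mkdir -p "$demo/certificates"
h=$(install_ca "$demo/certificates" "$demo/ca.pem" "/O=Example Campus/*")
convert_p12 "$demo/user.p12" demo "$demo/globus"
add_gridmap_entry "$demo/grid-mapfile" "$demo/globus/usercert.pem" alice
echo "installed $h.0 and $h.signing_policy"
check_user_cert "$demo/certificates" "$demo/globus/usercert.pem"
cat "$demo/grid-mapfile"
rm -rf "$demo"
```

The signing_policy namespace is the check that a bridged environment leans on: a cross-certified campus CA should be allowed to sign only its own campus's DN space, so a compromised or misconfigured CA at one institution cannot mint certificates that map to another institution's logins in the grid-mapfile.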