NERSC Online CA Update
TAGPMA Meeting, February 2012, San Diego
Shreyas Cholia, NERSC, LBL
NERSC
• DOE Office of Science Supercomputing Facility at LBL
• Multiple compute & storage systems
• Hopper, Franklin, Carver, Euclid, PDSF, HPSS, Global File System

NERSC CA
• Provides short-lived certificates to the NERSC user community for convenient access to NERSC resources as well as external resources accessible via grid interfaces.
NERSC CA at a Glance
• IGTF accredited SLCS (Short Lived Credential Service) MyProxy CA
• CA cert signed by ESnet Root CA
• Uses NERSC username/password to generate a short-lived credential (up to 11 days)
• HSM: Aladdin eToken USB device
• Command line interface:
  myproxy-logon -s nerscca.nersc.gov -l <user>
  Password:
• Also accessible via programmatic APIs
NERSC CA Service (diagram)
• Client runs: myproxy-logon -l "starbuck"
• The MyProxy server validates the password via PAM/LDAP against the LDAP server (NERSC user DB)
• The MyProxy server consults the cert-mapfile (generated from the NERSC user DB) for the user's DN, e.g. "/CN=Kara Thrace"
• The MyProxy server sends an encrypted token to the Online CA; the Online CA signs with the NERSC CA cert and returns the signed cert
• Sample cert-mapfile entries:
  "/CN=Joe User" joe
  "/CN=Jane Doe" jane
  "/CN=Lee Adama" apollo
  "/CN=Kara Thrace" starbuck
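The cert-mapfile lookup shown in the diagram, as an added example that is not NERSC's or MyProxy's own code: a MyProxy server in CA mode maps the already-authenticated login name to the DN it will certify through a gridmap-format mapfile (one quoted DN per line, followed by one or more comma-separated usernames; `#` starts a comment). The sample file contents, the backslash escaping convention for quotes inside a DN, and the optional `base_dn` namespace prefix are assumptions made for this example. The reverse index refuses a username that appears under two different DNs, since an online CA must not guess which identity to certify.

```python
"""Parse and generate a MyProxy certificate_mapfile (gridmap format).

Added example with constructed sample data; not a real NERSC file.
Format: "<DN>" <user>[,<user>...] per line; DN in double quotes, embedded
quotes and backslashes escaped with a backslash (assumed); '#' starts a comment.
"""
import re

# Constructed sample modelled on the deck's diagram. The last entry (escaped
# quote in the DN, two local accounts) is there to exercise the edge cases.
SAMPLE_MAPFILE = '''# cert-mapfile: "<DN>" <username>[,<username>...]
"/CN=Joe User" joe
"/CN=Jane Doe" jane
"/CN=Lee Adama" apollo
"/CN=Kara Thrace" starbuck

"/DC=org/DC=example/CN=Sam \\"Husker\\" Anders" anders,husker
'''

# Quoted DN (backslash escapes allowed inside), whitespace, comma-separated users.
_ENTRY_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"\s+(\S+)\s*$')


def parse_mapfile(text):
    """Return a list of (dn, [users]) tuples. Malformed lines raise instead of
    being skipped: a silently dropped line is a user who cannot get a cert."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _ENTRY_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: malformed mapfile entry: {raw!r}")
        dn = re.sub(r"\\(.)", r"\1", m.group(1))  # undo backslash escapes
        users = [u for u in m.group(2).split(",") if u]
        if not users:
            raise ValueError(f"line {lineno}: no username for DN {dn!r}")
        entries.append((dn, users))
    return entries


def user_to_dn_index(entries):
    """Reverse index username -> DN, the lookup the CA performs after the
    password check. A username listed under two different DNs is ambiguous
    and is rejected rather than resolved by file order."""
    index = {}
    for dn, users in entries:
        for u in users:
            if u in index and index[u] != dn:
                raise ValueError(f"username {u!r} maps to both {index[u]!r} and {dn!r}")
            index[u] = dn
    return index


def dn_for_login(mapfile_text, username):
    """DN to place in the short-lived cert for `username`, or None if unmapped."""
    return user_to_dn_index(parse_mapfile(mapfile_text)).get(username)


def quote_dn(dn):
    """Quote a DN for the mapfile, escaping backslashes and double quotes."""
    return '"' + dn.replace("\\", "\\\\").replace('"', '\\"') + '"'


def generate_mapfile(user_db, base_dn=""):
    """Render mapfile text from (username, common_name) pairs, as in the
    'Generate mapfile' step of the diagram. base_dn is an assumed namespace
    prefix (empty here; a real CA would prepend its own, e.g. /DC=org/DC=...)."""
    return "".join(f"{quote_dn(base_dn + '/CN=' + cn)} {user}\n" for user, cn in user_db)


if __name__ == "__main__":
    for user in ("starbuck", "husker", "nobody"):
        print(user, "->", dn_for_login(SAMPLE_MAPFILE, user))
    print(generate_mapfile([("joe", "Joe User"), ("anders", 'Sam "Husker" Anders')]), end="")
```

Generating the file from the user database and then parsing it back (as the round trip in `__main__` does) is the cheap check worth running whenever the mapfile is regenerated: it catches a DN that breaks quoting and a login name that has drifted under two DNs before the CA does.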
Use Cases
• Workflows based on Globus Gatekeeper, GridFTP, GSISSH
• OSG, ATLAS, STAR, Planck, etc.
• Climate data transfer over WAN
• Portals: a trusted portal requests a short-lived cert and uses it on your behalf
• Globus Online
• NEWT, the NERSC Web API (REST API to access NERSC)
• Science Gateways
Issues
• Current model cannot do single sign-on across NERSC resources.
• CA key expiring in 2013; future of ESnet Root CA is uncertain.
• HSM is slow and rejects requests under load: 10-15 seconds to sign a single request.
Enabling Single Sign-On
• NERSC already runs a Shibboleth IdP to provide single sign-on for web resources
• We'd like to use NEWT and Science Gateways via SSO
  • Sign in once to Shib
  • Enable access to grid resources via Shib token
• Using Shib-OAuth-MyProxyCA (from NCSA) would allow us to use the user's Shib credentials to create a certificate.
• Proposal: expand NERSC CA scope to cover Shib authentication. Update to CP/CPS?
Shib Login
• Log in once to the Shib OAuth service using NERSC username/password
• Client browser gets an OAuth token.
• Browser presents the token to a trusted web service (NEWT, Science Gateway).
• The OAuth assertion authorizes the web service to retrieve a certificate on the user's behalf
New CA certificate and HSM
• We would like to move to a more robust HSM solution.
  • Something that works with Shib-MyProxy CA
  • Reasonable performance (1 sec signing time)
  • Does OK under load (handles multiple simultaneous requests)
  • Suggestions?
• We need to issue a new CA cert.
  • Is a self-signed cert OK?
  • What do we need to do wrt the IGTF process?