
NERSC Online CA Update TAGPMA Meeting, February 2012, San Diego



Presentation Transcript


  1. NERSC Online CA Update TAGPMA Meeting, February 2012, San Diego Shreyas Cholia NERSC, LBL

  2. NERSC • DOE Office of Science Supercomputing Facility at LBL • Multiple compute & storage systems • Hopper, Franklin, Carver, Euclid, PDSF, HPSS, Global File System

  3. NERSC CA • Provides short-lived certificates to NERSC user community for convenient access to NERSC resources as well as external resources accessible via grid interfaces.

  4. NERSC CA at a Glance • IGTF Accredited SLCS MyProxy CA • CA Cert signed by ESnet Root CA • Uses NERSC username-password to generate short lived credential (up to 11 days) • HSM - Aladdin eToken USB device • Command Line Interface: myproxy-logon -s nerscca.nersc.gov -l <user> Password: • Also accessible via programmatic APIs

  5. NERSC CA Service (diagram) • Client runs myproxy-logon -l "starbuck" and sends an encrypted token to the Online CA MyProxy server • MyProxy validates the password through PAM against the LDAP server (NERSC user DB) • MyProxy consults the cert-mapfile, generated from the NERSC user DB, for the user's DN: "/CN=Joe User" joe, "/CN=Jane Doe" jane, "/CN=Lee Adama" apollo, "/CN=Kara Thrace" starbuck • The Online CA signs a certificate for "/CN=Kara Thrace" with the NERSC CA cert and returns the signed cert to the client
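The mapfile lookup in the diagram above, written out as an added example; this is not NERSC's or MyProxy's own code. It assumes the cert-mapfile uses the standard grid-mapfile layout (a double-quoted DN, whitespace, a local username), the four entries are the constructed sample from the slide, and the 11-day cap is the credential lifetime given on slide 4. The parser fails closed: a malformed line or a username bound to two different DNs is rejected rather than guessed at, since the CA is about to put the result into a certificate subject.

```python
"""Resolve the DN an online CA puts in a short-lived certificate for a
password-authenticated local username, via a grid-mapfile-style cert-mapfile.

Added example, not NERSC/MyProxy code. Assumes the standard grid-mapfile
line layout: "<DN>" <local-username>.
"""
import re

# Constructed sample: the four entries shown in the diagram, plus a comment
# and a blank line as they would appear in a real mapfile.
SAMPLE_MAPFILE = '''# cert-mapfile generated from the NERSC user DB
"/CN=Joe User" joe
"/CN=Jane Doe" jane

"/CN=Lee Adama" apollo
"/CN=Kara Thrace" starbuck
'''

# A DN is an absolute X.500-style path starting with "/"; the local
# username is restricted to characters that cannot smuggle in a second field.
MAPLINE = re.compile(r'^"(?P<dn>/[^"]+)"\s+(?P<user>[A-Za-z0-9_.-]+)\s*$')

# Maximum credential lifetime from slide 4 (11 days), in hours.
MAX_LIFETIME_HOURS = 11 * 24


class MapfileError(ValueError):
    """Raised when the mapfile cannot be trusted as a whole."""


def parse_mapfile(text):
    """Return {username: dn}.

    Fails closed: a malformed line, or one username bound to two different
    DNs, aborts parsing instead of leaving the CA to pick a subject.
    """
    user_to_dn = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = MAPLINE.match(line)
        if not m:
            raise MapfileError(f"line {lineno}: malformed entry {raw!r}")
        dn, user = m.group("dn"), m.group("user")
        if user in user_to_dn and user_to_dn[user] != dn:
            raise MapfileError(f"line {lineno}: user {user!r} bound to two DNs")
        user_to_dn[user] = dn
    return user_to_dn


def dn_for_user(mapping, user):
    """DN to place in the certificate subject for an already-authenticated
    user, or None if the user has no mapfile entry (no cert is issued)."""
    return mapping.get(user)


def effective_lifetime_hours(requested_hours):
    """Clamp the lifetime a client asks for to the CA's maximum."""
    if requested_hours <= 0:
        raise ValueError("lifetime must be positive")
    return min(requested_hours, MAX_LIFETIME_HOURS)


if __name__ == "__main__":
    mapping = parse_mapfile(SAMPLE_MAPFILE)
    # The request from the diagram: myproxy-logon -l "starbuck"
    print(dn_for_user(mapping, "starbuck"))
    print(effective_lifetime_hours(24 * 30), "hours granted")
```

Running the block resolves "starbuck" to "/CN=Kara Thrace" and trims a 30-day request to 264 hours; a user missing from the mapfile gets None, which the caller should treat as a refusal to sign rather than a reason to synthesise a subject.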

  6. Use Cases • Workflows based on Globus Gatekeeper, GridFTP, GSISSH • OSG, Atlas, STAR, Planck etc. • Climate Data Transfer over WAN • Portals - Trusted portal requests short-lived cert and uses it on your behalf • Globus Online • NEWT - NERSC Web API (REST API to access NERSC) • Science Gateways

  7. Issues • Current model cannot do single sign-on across NERSC resources. • CA key expiring in 2013; future of ESnet Root CA is uncertain. • HSM is slow and rejects requests under load • 10-15 seconds to sign a single request

  8. Enabling Single Sign-On • NERSC already runs a Shibboleth IdP to provide single sign-on for web resources • We'd like to use NEWT and Science Gateways via SSO • Sign in once to Shib • Enable access to grid resources via Shib token • Using Shib-Oauth-MyProxyCA (from NCSA) would allow us to use the user's Shib credentials to create a certificate. • Proposal: Expand NERSC CA scope to cover Shib authentication. Update to CP/CPS?

  9. Shib Login • Login once to the Shib OAuth service using NERSC username/password • Client browser gets an OAuth token. • Browser presents token to trusted web service (NEWT, Science Gateway). • OAuth assertion authorizes web service to retrieve certificate

  10. Design 1 (diagram only; not captured in the transcript)

  11. Design 2 (diagram only; not captured in the transcript)

  12. New CA certificate and HSM • We would like to move to a more robust HSM solution. • Something that works with Shib-MyProxy CA • Reasonable performance (1 sec signing time) • Does OK under load (handle multiple simultaneous requests) • Suggestions? • We need to issue a new CA cert. • Is a self-signed cert OK? • What do we need to do wrt IGTF process?
