
GridShib and MyProxy Grid Credential Management and Identity Federation


Presentation Transcript


  1. GridShib and MyProxy: Grid Credential Management and Identity Federation
     Von Welch, NCSA, vwelch@ncsa.uiuc.edu

  2. Plug - Longer Talks
     • Wed @ 2-3:30pm: GridShib, MyProxy, GAARDS (Mountain Laurel)
     http://myproxy.ncsa.uiuc.edu/

  3. GridShib
     • dev.Globus Incubator Project
     • Collaborative between NCSA and U. Chicago
     • GridShib is a project funded by the NSF Middleware Initiative
       • NMI awards 0438424 and 0438385
       • Opinions and recommendations are those of the authors and do not necessarily reflect the views of the National Science Foundation.
     • Also many thanks to the Internet2 Shibboleth Project

  4. What is GridShib?
     • Allows Shibboleth interoperability and SAML functionality in the Globus Toolkit
     • Allows GT to parse SAML attributes and use them for authorization
     • Allows portals to embed Shibboleth attributes in Grid credentials
     • Allows conversion of Shibboleth authentication to Grid credentials

  5. Software Components
     • GridShib for Globus Toolkit
     • GridShib for Shibboleth
       • Includes GridShib Certificate Registry
     • GridShib Certificate Authority
     • GridShib SAML Tools

  6. GridShib for GT 0.5
     • GridShib for GT 0.5 announced Nov 30
     • Compatible with both GT4.0 and GT4.1
       • GT4.1 introduces a powerful authz framework
       • Separate binaries for each GT version
       • Source build auto-senses the target GT platform
     • New identity-based authorization feature
       • Uses grid-mapfile instead of DN ACLs
     • Logging enhancements
     • Bug fixes

  7. GridShib for GT 0.5.1
     • GridShib for GT 0.5.1 (expected any day now)
     • Combined VOMS/SAML attribute-to-account mapping
       • As with the current gridmap situation, GT4.0.x deployments cannot take advantage of permit overrides or arbitrarily configure fallbacks
       • To accommodate this we'll allow for a name mapping scheme that checks in this order, and continues to fall back if no match/authz is granted: gridmap, VOMS, Shibboleth/SAML

  8. GridShib for GT 0.6
     • GridShib for GT 0.6 (expected March 2007)
     • Full-featured attribute push PIP
       • Compatible with current GridShib Attribute Tools
     • More powerful attribute-based authz policies
       • Allow unique issuer in authz policy rules

  9. GridShib SAML Tools
     • Current version 0.1.2
     • Self-issues a SAML assertion with up to two statements
       • Optionally binds this assertion to an X.509 proxy certificate
       • Supports both SAML AuthenticationStatement and AttributeStatement
     • Separates the issuing of the SAML from the binding of the SAML
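The ordered name-mapping chain from slide 7 (gridmap, then VOMS, then Shibboleth/SAML, falling through on a miss) and the issuer-pinned attribute rules of slide 8, applied to the kind of SAML AttributeStatement that slides 4 and 9 describe, as an added worked example in Python. This is not GridShib's code and uses none of its APIs. The grid-mapfile syntax and the SAML 1.1 assertion layout are real; the VOMS map file, its "/group/*" wildcard convention, the rule list, and all DNs, FQANs, entityIDs and the assertion text are constructed for the example. It assumes the assertion's signature and its binding to the proxy certificate were already verified before the attributes are consulted.

```python
"""Ordered account mapping (grid-mapfile, then VOMS FQANs, then SAML attributes).
Added illustration, not GridShib's own code: the VOMS map file and the rule format are
assumed for the example; the grid-mapfile syntax and SAML 1.1 assertion layout are real."""
import shlex
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"

def parse_gridmap(text):
    """Parse lines of the form  "<DN>" account[,account...]  into {dn: [accounts]}."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # the DN is double-quoted because it may contain spaces
        if len(parts) != 2:
            raise ValueError(f"malformed grid-mapfile line: {raw!r}")
        dn, accounts = parts
        mapping.setdefault(dn, []).extend(a for a in accounts.split(",") if a)
    return mapping

def match_fqan(fqan, voms_map):
    """Exact FQAN entry first, then a '/group/*' wildcard entry (assumed convention)."""
    if fqan in voms_map:
        return voms_map[fqan][0]
    for key, accounts in voms_map.items():
        if key.endswith("/*") and fqan.startswith(key[:-1]):
            return accounts[0]
    return None

def parse_saml_attributes(xml_text):
    """Return (issuer, {AttributeName: [values]}) from a SAML 1.1 assertion.
    Signature verification and the binding to the proxy certificate are assumed to have
    been checked already; this parser trusts nothing about where the XML came from."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML1_NS}}}Assertion":
        raise ValueError("not a SAML 1.1 Assertion element")
    attrs = {}
    for attr in root.iter(f"{{{SAML1_NS}}}Attribute"):
        values = [v.text.strip() for v in attr.findall(f"{{{SAML1_NS}}}AttributeValue") if v.text]
        attrs.setdefault(attr.get("AttributeName"), []).extend(values)
    return root.get("Issuer"), attrs

def map_to_account(dn, fqans, saml_xml, gridmap, voms_map, saml_rules):
    """Fallback chain from the slides: gridmap, then VOMS, then Shibboleth/SAML. The first
    source that yields an account wins; a miss falls through; exhausting all three denies."""
    if gridmap.get(dn):
        return gridmap[dn][0], "gridmap"
    for fqan in fqans:
        account = match_fqan(fqan, voms_map)
        if account:
            return account, "voms"
    if saml_xml:
        issuer, attrs = parse_saml_attributes(saml_xml)
        for rule in saml_rules:
            # Each rule is pinned to one IdP entityID: an assertion from any other issuer
            # never satisfies it, however plausible its attribute values look.
            if rule["issuer"] == issuer and rule["value"] in attrs.get(rule["attribute"], []):
                return rule["account"], "saml"
    return None

# Constructed sample inputs (not real site data).
GRIDMAP = parse_gridmap('''
# grid-mapfile: DN -> local account(s)
"/DC=org/DC=example/CN=Alice Example" alice
''')
VOMS_MAP = parse_gridmap('''
"/myvo/Role=production" myvoprod
"/myvo/*"               myvo
''')
SAML_RULES = [{"issuer": "https://idp.example.edu/shibboleth",
               "attribute": "urn:mace:dir:attribute-def:eduPersonAffiliation",
               "value": "member", "account": "shibuser"}]
ASSERTION_TEMPLATE = '''<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1" AssertionID="_c0ffee" Issuer="{issuer}">
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier>carol@example.edu</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="urn:mace:dir:attribute-def:eduPersonAffiliation"
                    AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
      <saml:AttributeValue>member</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>'''
TRUSTED_ASSERTION = ASSERTION_TEMPLATE.format(issuer="https://idp.example.edu/shibboleth")
FOREIGN_ASSERTION = ASSERTION_TEMPLATE.format(issuer="https://idp.other.example/shibboleth")

def decide(dn, fqans=(), saml_xml=None):
    return map_to_account(dn, fqans, saml_xml, GRIDMAP, VOMS_MAP, SAML_RULES)

if __name__ == "__main__":
    print(decide("/DC=org/DC=example/CN=Alice Example"))                   # gridmap hit
    print(decide("/DC=org/DC=example/CN=Bob", ["/myvo/Role=production"]))  # VOMS hit
    print(decide("/DC=org/DC=example/CN=Carol", [], TRUSTED_ASSERTION))    # SAML hit
    print(decide("/DC=org/DC=example/CN=Carol", [], FOREIGN_ASSERTION))    # None: wrong issuer
```

The last case is the point of the "unique issuer" rule on slide 8: in a federation many IdPs can legitimately assert eduPersonAffiliation=member, so a rule that matches on attribute name and value alone lets any of them obtain the mapped account. Pinning each rule to an entityID, and checking it before looking at the values, keeps the fallback chain from widening access as more attribute sources are added.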

  10. GridShib SAML Tools 0.2.0
     • Target release date: February 2007
     • Same command-line interface as v0.1.x (but with more options)
     • Leverages the Shibboleth Attribute Resolver to support more complicated attribute requirements
     • Support for nested SSO Response
     • Enhanced logging
     • Java API for Portal developers

  11. GridShib for Shib Versions
     • GridShib for Shib 0.5.1
       • Announced Aug 8, 2006
     • GridShib for Shib 0.6
       • Expected Jan 2007
       • Will include SAML Issuer Tool (derived from Shib resolvertest tool)

  12. GridShib for Shib 0.6
     • GridShib for Shib 0.6 (expected April 2007)
     • Core (already included in 0.5)
       • Requires Shib IdP
       • Includes basic plugins and handlers
     • Certificate Registry (already included in 0.5)
       • Requires GridShib for Shib Core
       • Includes Derby embedded database
     • SAML Tools (new in 0.6)
       • Requires GridShib for Shib Core
       • Includes SAML Issuer Tool and SAML X.509 Binding Tool

  13. GridShib CA 0.3
     • Substantial improvement over version 0.2
     • More robust protocol
     • Installation of trusted CAs at the client
     • Pluggable back-end CAs
       • Uses an openssl-based CA by default
       • A module to use a MyProxy CA is included
     • Certificate registry functionality
       • A module that auto-registers DNs with myVocs

  14. GridShib CA 0.4
     • Target release: March 2007
     • Fall back to default SSLSocketFactory on error (Bug 4875) [1]
     • Create CA with domain name components (Bug 4887) [2]
     • Register certificate on the front channel with GridShib for Shibboleth Certificate Registry
     • Integrate GridShib SAML Tools to bind simple attribute assertion to EEC
     • Bind IdP entityID to SIA extension
     • Handle creating DN from mix of attributes (Bug 4889) [3]

  15. What is MyProxy?
     • An Online Certificate Authority
       • Issues short-lived X.509 End Entity Certificates
       • Avoids the need for long-lived user keys
     • An Online Credential Repository
       • Issues short-lived X.509 Proxy Certificates
       • Long-lived private keys never leave the server
     • Supporting multiple authentication methods
       • Passphrase, Certificate, PAM, SASL, Kerberos, Pubcookie, VOMS
     • Open Source Software
       • Included in Globus Toolkit, UGE, NMI, VDT, and CoG Kits
       • C, Java, Python, and Perl clients available
       • Contributions from EDG, UVA, LBL, and others
       • Protocol specified in GFD-E.54

  16. Topics for Discussion
     • Credential Renewal
     • High Availability
     • Attribute Support
     • Web Services
     • Web SSO
     • Security Context Provisioning
     • User Registration
     • HSM Support
     • Audit Logging
     • Others?

  17. Credential Renewal
     • Existing MyProxy-based renewal support
       • EGEE Renewal Service
       • Condor-G
     • Future Work
       • MyProxy-based GT4 Renewal Service
       • Integrated with GT4 Delegation Service
       • Support for GRAM, WS-GRAM, RFT

  18. High Availability
     • Existing support
       • Clients retry when server is unreachable
       • Documentation for MyProxy CA replication
       • Primary-backup replication of MyProxy repository
     • Future Work
       • Robust client retry
       • Peer-to-peer repository replication

  19. Attribute Support
     • Existing support
       • VOMS authentication to MyProxy server
       • GridShib CA integration with MyProxy
     • Future Work
       • Issue credentials with VOMS assertions
       • SAML authentication to MyProxy server

  20. Web Services
     • Currently MyProxy does not provide a Web Services interface
       • C, Java, Perl, Python APIs
     • Standard Delegation Service interface is needed
       • For MyProxy, GT4, and EGEE delegation services

  21. Web Single Sign-on
     • Existing Support
       • MyProxy server accepts Pubcookie tokens
     • Future Work
       • Shibboleth/SAML support
       • Other web SSO methods?

  22. Security Context Provisioning
     • Existing Support
       • MyProxy can provision user certificates, CA certificates, and CRLs
       • Requires the MyProxy server CA certificate to be installed
     • Future Work
       • Java client support
       • Zero configuration bootstrap

  23. User Registration
     • Existing Support
       • Provided by PURSE and GAMA
       • GridShib CA and OpenIDP
     • Future Work
       • Integration with MyProxy CA
       • Integration with attribute and authorization services

  24. HSM Support
     • Existing Prototypes
       • MyProxy repository using IBM 4738
       • MyProxy CA using Aladdin eToken
     • Future Work
       • Full support for OpenSSL hardware engines in MyProxy CA

  25. Audit Logging
     • Existing Support
       • All MyProxy server operations are logged to syslog
       • Recent improvements to MyProxy CA logging to meet IGTF guidelines
     • Future Work
       • Include auditing information in issued credentials
       • Support standard grid logging interfaces

  26. Thank you
     Reminder: Wed @ 2-3:30pm GridShib, MyProxy, GAARDS, Mountain Laurel
     For more information: vwelch@ncsa.uiuc.edu, http://myproxy.ncsa.uiuc.edu/, http://gridshib.globus.org
