Grid and NREN operational support
Tony Genovese, ATF team, ESnet, Lawrence Berkeley National Laboratory
Outline
• Background
  • Authentication Services in Grids
  • International Grid Federation
  • Regional Grid Federations
  • TERENA
• International Grid Federation (IGF)
  • Regional Policy Management Authorities (PMAs)
    • EU Grid PMA, AP Grid PMA, The Americas Grid PMA
  • Global Grid Forum efforts
    • Certificate Authority Operations WG
• How TERENA helps: Grids and NRENs
  • Resource Location
  • Authentication Profiles
    • Why authentication profiles?
    • What is in it?
  • General Federation document
• If there is interest/time: Future Federations and AuthN services
  • KCAs, Site Integrated Proxy Services (SIPS), Site SSL/TLS support and RADIUS Authentication Fabric (RAF)
TERENA TF-EMC2
Current State of Affairs
Background
• Authentication Services in Grids
  • Grid federations have separated the authentication and authorization problems.
  • Resource owners are responsible for authorization.
    • Maps the authentication token to local access.
  • Authentication service providers are responsible for providing strong authentication tokens (certificates).
• International Grid Federation
  • March 2003, Tokyo
  • Promote and coordinate Regional Policy Management Authorities.
  • Next meeting at GGF13, Seoul, S. Korea.
  • European Union Grid PMA – community lead organization
  • Asian Pacific Grid PMA
  • The Americas Grid PMA
• TERENA
  • International trusted 3rd party.
  • Trust anchors for NRENs
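The "maps the authentication token to local access" step above is the resource owner's authorization decision, made after the federation's CA has done the authentication. The following is an added illustration, not code from the talk or from any Grid project; it assumes the mapping is kept in a Globus-style grid-mapfile (a quoted subject DN followed by one or more local accounts) and that Grid proxies carry the issuer's DN with extra `/CN=` components appended, so a proxy is authorized exactly like the identity it was derived from.

```python
"""Map an authenticated subject DN to a local account (the resource owner's
authorization step).  Added illustration, not code from the talk; it assumes
a Globus-style grid-mapfile: a quoted subject DN, then local account(s)."""
import shlex

# Constructed sample grid-mapfile; DNs and accounts are made up.
SAMPLE_GRIDMAP = """\
# subject DN                                           local account(s)
"/DC=org/DC=example/OU=People/CN=Alice Example 123" alice
"/DC=org/DC=example/OU=People/CN=Bob Example 456" bob,gridusers
"/DC=org/DC=example/OU=Services/CN=host/gw.example.org" gridsvc
"""

def parse_gridmap(text):
    """Return {subject_dn: [accounts]}; blank lines and '#' comments skipped."""
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)          # handles the quoted, space-containing DN
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '\"DN\" account[,account...]'")
        dn, accounts = parts
        mapping[dn] = [a for a in accounts.split(",") if a]
    return mapping

def end_entity_subject(subject_dn):
    """Strip Grid proxy components ('/CN=proxy', '/CN=limited proxy', or a
    numeric CN as used by RFC 3820 proxies) so a proxy maps like its issuer."""
    parts = subject_dn.split("/CN=")
    while len(parts) > 1 and (parts[-1] in ("proxy", "limited proxy")
                              or parts[-1].isdigit()):
        parts.pop()
    return "/CN=".join(parts)

def map_subject(mapping, subject_dn, requested=None):
    """Resolve an authenticated subject to a local account.
    Returns None when the subject is unknown (authenticated but not authorized)
    or when the requested account is not one the subject may use."""
    accounts = mapping.get(end_entity_subject(subject_dn))
    if not accounts:
        return None
    if requested is None:
        return accounts[0]             # default account is listed first
    return requested if requested in accounts else None
```

A `None` result is the point of the separation: the CA vouched for the identity, but this site has chosen not to grant it access.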
International Grid Federation
• Set up in March 2003 – the Tokyo accord. WWW.GridPMA.org
• Goals
  • Promote trust peering between the Americas, European and Asian Pacific communities.
    • EU Grid Policy Management Authority
      • EGEE: Enabling Grids for E-science in Europe
    • Asian Pacific Policy Management Authority
      • APGrid: National Institute of Advanced Industrial Science and Technology
    • The Americas Grid PMA – new
      • Canada and USA (DOE)
  • Promotes the establishment of top level CA registries:
    • Trusted 3rd party repositories needed for the establishment of trust.
    • Root CA certificates, CA repositories and CRL publishing points.
    • EU Grid PMA registry – de facto (CNRS: French National Center for Scientific Research)
    • Asian Pacific CA registry (AP PMA)
    • TERENA TACAR (TERENA Academic CA Repository)
  • Use the Global Grid Forum for publishing standards and community best practices.
Regional PMAs
• EU Grid PMA (www.eugridpma.org)
  • Represents CAs and relying parties.
  • 26 country level CAs, plus US members
  • Manages the de facto minimum CA operational requirements.
  • Manages the primary list of trusted CAs.
• Asian Pacific Grid PMA (www.apgridpma.org)
  • Formed summer of 2004
  • Represents CAs and relying parties.
  • 12 country level CAs, and SDSC
  • Minimum operational requirements synced with the EU's
• The Americas Grid PMA (www.TAGPMA.org)
  • Started fall 2004
  • Represents CAs and relying parties.
  • Represents CAs from research and academic communities in the Americas.
  • Investigate alternative authentication services.
  • Will produce new minimum operational requirements for online CAs.
Global Grid Forum
• GGF efforts are driven by our community requirements.
• Developing international trust relationships has shown a need for common, agreed-upon practices.
• Community Documents
  • Grid CP/CPS
  • Policy Management Authority
  • PKI Disclosure Statement – copyright issue (ABA)
  • Certificate profile – tabled, resurrected
  • Grid common naming practices – tabled
  • OCSP service requirements
  • Authentication Profiles – new
TERENA
How TERENA can help: Grids and NRENs
• International trusted 3rd party.
  • Trust anchor publishing
  • Possible home for IGF
• Expanded support for global identity operations. Primarily a publishing model.
• Possible coordination point for Grids and NRENs
  • Avoid development of separate but equal services.
• Resource Location
• Authentication Profiles document
Resource Location
• Resource location is mostly controlled by resource owners – sites and Grids. No common publishing or access model.
• Each has developed solutions for their own community. Motivation to change is low.
• Shared resources may be an opportunity to develop common practices.
  • PMAs, Certificate Authorities, etc.
• How can we approach this problem?
  • Directed publishing model – chain of webs
  • Rooted LDAP directory tree – serves all players.
Why Authentication Profiles?
• New authentication services will fragment the current global trust model.
• Yet we must allow for innovation in authentication services.
• The classic PKI Procrustean bed no longer works.
• Currently a draft GGF informational document.
Authentication Profile: what is in it?
• Authentication services must provide basic information on:
  • The governance of the authentication service.
  • A set of membership and operational requirements.
  • A publishing model that relying parties can trust.
General Federation Document
• Federation definition – description
• General architecture
• Identity management
• Operational requirements
• Site security
• Publication and repository responsibilities
• Liability
• Financial responsibilities
• Audits and compliance
• Privacy and confidentiality
• Compromise and disaster recovery
• Federation administration
New Authentication services
New Federations and AuthN services efforts
• SIPS - Site Integrated Proxy Services
  • KCA example
• Site SSL support - host certificate service
  • Grids and NRENs exploring separate solutions.
• RAF - RADIUS Authentication Fabric
  • Expand scope of DOEGrids
Site Integrated Proxy Services: KCA example
• Synopsis of steps for Grid user:
  • Register with Fermilab
  • Get your Fermilab VID
  • Get your Kerberos principal
  • Install the Fermilab KCA certificate and signing policy
  • Install the KCA client software
  • Generate proxy
  • Access Grid resources
[Figure: site Kerberos KDC, KCA and proxy generator providing the Grid user with Grid access to Grid resources]
SSL Service Federation
• Synopsis of steps for system admin:
  • Register with ESnet:
    1. Get your ESnet Grid Admin account
    2. Request and self-approve host certificates.
  • Replaces:
    a. Self-signed certificates
    b. Commercial providers
  • Requires:
    • The browser providers to add the SSL CA cert to their trusted list of CAs – this is to stop security warning pop-ups.
[Figure: system admin, ESnet SSL Federation CA, site or organization web servers]
Radius Authentication Fabric with OTP support
[Figure: ESnet RAF Federation root RADIUS server (R) connecting site RADIUS servers (r) and OTP services at ANL, NERSC, PNNL and ORNL; realms anl.gov, nersc.gov, pnnl.gov, ornl.gov and es.net; an application (App) authenticating through the fabric]
DOEGrids PKI Security
[Figure: layered security around the DOEGrids PKI systems: offline vaulted root CA, hardware security modules (HSM), firewall and intrusion detection at the Internet boundary, access-controlled racks, secure data center, building security and LBNL site security; Grid users reach the PKI systems only through these layers]