JimBasney

Information about JimBasney

Published on September 11, 2007

Author: Clown

Source: authorstream.com

Content

Deploying the TeraGrid PKI
Grid Forum Korea Winter Workshop, December 1, 2003
Jim Basney, Senior Research Scientist, National Center for Supercomputing Applications, University of Illinois
[email protected]

Grid-building Challenges
- Many challenges in deploying Grids
  - software compatibility
  - resource discovery (information services)
  - resource allocation
  - accounting (charging for resource usage)
  - performance optimization
  - monitoring / support / helpdesk
  - …

Managing Trust for Grid Single Sign-on
- A major Grid deployment challenge
- What CAs are trusted?
  - Can a CA gain universal acceptance for single sign-on?
  - What CA practices are acceptable?
  - Use hierarchical CAs or cross-certification?
- How do users obtain and manage credentials?
  - user enrollment, certificate renewal, private key security, …
- How are users authorized to use resources?
  - How are ACLs and authorization services managed?
- Consider the TeraGrid as a case study

Outline
- TeraGrid Overview
- Globus Security Infrastructure
  - Authentication and Authorization
  - Proxy Credentials
- TeraGrid Online CAs
- TeraGrid Single Sign-on
- Grid-Mapfile Management
- Credential Management

TeraGrid
[Diagram: TeraGrid sites and resources. NCSA (compute intensive), SDSC (data intensive), PSC (compute intensive), ANL (visualization) and Caltech (data collection analysis), connected by an Extensible Backplane Network through LA and Chicago hubs with 30 Gb/s site links and a 40 Gb/s backplane router. The figure lists each site's compute (IA-64, IA-32, Power4, EV68, EV7, Sun), disk and tape storage, and visualization resources; the legend distinguishes storage servers, disk storage, clusters, shared-memory systems and visualization clusters.]

Additional TeraGrid Sites
[Figure: map of additional TeraGrid sites.]

Building Something New
[Diagram: a spectrum of approaches to building a shared infrastructure.]
- One Organization (merge institutions)
  - one sysadmin team, one management team
  - distributed machine room, centralized control (e.g. Google data centers)
  - Not a Grid
- Very Loose Collaboration (current situation)
  - different MPIs
  - hit-and-miss grid software: Globus version? Condor-G? MPICH-G2?
  - Not a Grid, but with significant user investment, Grid applications can be developed
- The TeraGrid (a Grid hosting environment)
  - unique, single development environment
  - single software stack to learn
  - develop here, run there; run here, store there
  - applications are developed for the Grid because the barriers are low and the return large

TeraGrid and CMS
- Data and software testing challenge
  - test and validate analysis software
  - 100,000,000 events
- Testing approach
  - particle-detector interaction simulator (CMSIM)
  - energy deposition in the detector
  - ORCA (Object Reconstruction for CMS Analysis)
  - reconstruct QCD background sample
  - tracks and reconstructed particles, ready for analysis
- Computing, storage and networking
  - 1.1M SUs on the TeraGrid now
  - 400 processors through April 2005
  - 1M SUs on NCSA Platinum Pentium III cluster
  - 1.5M SUs on NCSA Tungsten Xeon cluster
  - 1 TB for production TeraGrid simulations
  - 400 GB for data collection on IA-32 cluster
- http://cmsinfo.cern.ch/

Globus Security Infrastructure
- Credentials
  - asymmetric public/private key pair
  - X.509 certificate, signed by Certificate Authority, binds distinguished name to key pair
- Authentication (Who are you?)
  - proof of possession of private key
  - verify CA signature on X.509 certificate
- Authorization (What can you do?)
  - based on distinguished name in certificate
  - typically mapped to local account

GSI Mutual Authentication
Standard SSL/TLS protocol (summarized):
  Client -> Server: random_c
  Server -> Client: certificate_s + random_s
  Client -> Server: certificate_c + { secret }pubkey_s + signature_c[ h( random_c, random_s, … ) ]
  Server -> Client: { h( secret ) }secret

GSI Mutual Authorization
- What is the client authorized to do on the server?
  - typically set by grid-mapfile
- Is the server trusted by the client? i.e., is the server authorized by the client?
  - typically based on authenticated server identity matching the user's request
- Client must have the ability to verify server certificates
  - must trust certificate of the CA that signed the server's certificate
  - must have correct system clock

How to Authorize Clients?
- Access Control Lists
  - ex. Globus grid-mapfile
  - answer "Who can access this resource?"
  - need to maintain many distributed ACLs
- Capabilities
  - ex. SAML, X.509 PMI, VOMS, Akenti, CAS
  - answer "What can this person do?"
  - don't need to distribute ACL updates
  - capability issuer maintains authorization database
- GGF OGSA Authorization WG

What to Authorize?
- Names can be convenient to work with but…
- Common names are not unique identifiers

Globus Proxy Credentials
- New certificate and key pair
- Proxy certificate signed by user's long-term private key
  - enter passphrase to decrypt private key
- Certificate has short lifetime
- Proxy private key remains unencrypted
- Authenticate with proxy credentials for the remainder of the session
[Diagram: the CA signs the user's long-term certificate; the user's long-term key signs the proxy certificate.]

Proxy Delegation Protocol
[Diagram: Delegator (holding Proxy A) and Delegatee.]
- Delegatee: generate new key pair, send proxy certificate request
- Delegator: sign certificate with proxy private key (Proxy A signs Proxy B)
- Delegatee receives Proxy B, a proxy credential whose chain runs Proxy B <- Proxy A <- user certificate <- CA

TeraGrid PKI
- A single TeraGrid Certificate Authority is not feasible
  - many sites already have a CA
  - distributed model is preferable for Grids
- TeraGrid PMA evaluates CA trust
  - for interoperability, all TeraGrid sites should accept TeraGrid approved CAs
- TeraGrid PMA distributes trusted CA certificates to users and administrators

TeraGrid Online CAs
- An Online CA allows users to authenticate and obtain PKI credentials immediately
  - without requiring the user to visit a registration authority, fax a copy of an institutional ID, etc.
  - without requiring the CA operator to manually approve each request
  - leveraging the site's existing relationship with its users
- Online CAs can return long-term or short-term credentials:
  - users contact the online CA infrequently to obtain / renew long-term (1+ year) certificates, or
  - users contact the online CA daily to obtain short-term (12 hour) credentials
- TeraGrid includes examples of both types of online CAs

CACL
- NCSA and SDSC have online CAs that return long-term credentials
  - OpenSSL-based CACL online CA software developed at SDSC
  - at NCSA, online CA recently replaced offline CA
- Users login to NCSA or SDSC cluster and run a command to obtain 2-4 year credentials
  - credentials stored in ~/.globus as usual
  - requires users to manage their long-term key and certificate files
- For more information: http://www.npaci.edu/CA/ and http://grid.ncsa.uiuc.edu/ca/

KCA
- PSC runs a Kerberized online CA (KCA)
- Users obtain short-term (12 hour) Kerberos tickets at login
- KCA command allows users to authenticate with Kerberos ticket to obtain Globus credentials
- KCA credentials have short lifetime equal to Kerberos ticket lifetime
  - stored unencrypted in /tmp to be used like Globus proxy credentials
- No need to issue CRLs as there are no long-term certificates to revoke
- For more information: http://www.citi.umich.edu/projects/kerb_pki/ and http://www.psc.edu/certificate-authority/

TeraGrid Account Creation
- US National Science Foundation committees evaluate research proposals and allocate TeraGrid resources to scientists
- Allocation info is entered into TeraGrid Accounting Database
- Account creation requests sent to sites via TeraGrid Account Transaction System
- Scientist receives account information in the mail
  - includes username(s) and initial password(s) for the site(s)

TeraGrid Grid Single Sign-on
- Users can access all TeraGrid resources using their Grid proxy credentials
  - using GSISSH, GRAM, and GridFTP
  - no need to remember different usernames and passwords
- For users with no PKI certificate
  - request a certificate from a TeraGrid CA
  - TeraGrid Account Transaction System adds user's distinguished name to grid-mapfiles (planned)
- For users that already have a PKI certificate
  - issuing CA must be trusted by TeraGrid sites
  - gx-map command allows users to add additional distinguished names to grid-mapfiles

GX-Map
- A Globus grid-mapfile management tool
- Allows users to add distinguished names to the grid-mapfile
  - mapped only to that user's account
- Similar to adding SSH Authorized Keys
- For more information: http://www.sdsc.edu/~kst/gx-map
Example grid-mapfile entries:
  '/C=US/O=NCSA/CN=Jim Basney' jbasney
  '/C=US/O=NPACI/OU=SDSC/CN=Keith Thompson' kst
  '/C=US/O=PSC/CN=dsimmel' dsimmel
  '/DC=org/DC=doegrids/CN=Sandra Bittner ' bittner
  …
  '/C=UK/O=eScience/CN=Joe User' juser

Credential Management
- TeraGrid users can store their credentials in an online MyProxy repository
  - credentials encrypted with the user's passphrase
  - users can retrieve delegated proxy credentials from the online repository when/where needed
- MyProxy provides credential mobility
  - users need not manually copy certificate and key files between machines
  - long-term keys protected on the MyProxy server
- For more information: http://myproxy.ncsa.uiuc.edu/

Credential Renewal
- Unsolved problem for TeraGrid
- Long-lived tasks or services need credentials
  - task lifetime is difficult to predict
- Don't want to delegate long-lived credentials
  - fear of compromise
- Instead, renew credentials as needed during the task's lifetime
  - renewal service provides a single point of monitoring and control
  - renewal policy can be modified at any time
    - for example, disable renewals if compromise is detected or suspected
- Possible solutions using MyProxy
  - EDG Proxy Renewal Service
  - Condor-G with GRAM proxy refresh

Managing Multiple Credentials
- Will a single identity credential per user suffice?
  - Difficult to achieve trust in a single CA across many organizations
  - Advanced services require authorization credentials
- Pieces of a solution
  - Credential negotiation protocols (WS-SecurityPolicy, …)
  - Online credential services
- Want to retain single sign-on and ease-of-use

Summary
- TeraGrid has deployed a PKI for single sign-on via the Globus Security Infrastructure
  - Online CAs (CACL, KCA)
  - user control of grid-mapfile authorization (gx-map)
  - online credential repository (MyProxy)
- Ongoing work
  - credential renewal
  - managing multiple credentials

Thank you! Any questions?
Jim Basney <[email protected]>
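As an added example, not code from the talk or from the gx-map tool: a grid-mapfile parser with the lookup a GSI server performs (legacy proxy subjects stripped back to the end-entity DN before the mapfile is consulted) and a gx-map-style self-service add that maps a DN only to the caller's own account. The sample entries are constructed after the GX-Map slide; the rule refusing a DN already owned by another account is this example's own hardening, not a documented gx-map behaviour.

```python
import re

# Constructed sample modelled on the gx-map slide: one quoted DN per line, then
# whitespace, then one or more comma-separated local accounts (first = default).
GRID_MAPFILE = """\
'/C=US/O=NCSA/CN=Jim Basney' jbasney
'/C=US/O=NPACI/OU=SDSC/CN=Keith Thompson' kst
"/C=US/O=PSC/CN=dsimmel" dsimmel,dsimmel2
'/DC=org/DC=doegrids/CN=Sandra Bittner ' bittner
"""
_ENTRY = re.compile(r"""^(['"])(?P<dn>.*?)\1\s+(?P<accts>[^\s'"]+)$""")

def parse_gridmap(text: str) -> dict:
    """Return {dn: [accounts]}; blank lines and '#' comments are skipped."""
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _ENTRY.match(line)
        if not m:
            raise ValueError(f"malformed grid-mapfile line {lineno}: {raw!r}")
        # Whitespace inside the quotes (the Bittner entry on the slide carries a
        # trailing space) is trimmed; that normalisation is this example's choice.
        mapping[m.group("dn").strip()] = m.group("accts").split(",")
    return mapping

def identity_from_subject(subject: str) -> str:
    """Strip the '/CN=proxy' or '/CN=limited proxy' component a legacy GSI
    delegation appends, repeatedly, to recover the end-entity DN."""
    while subject.endswith(("/CN=proxy", "/CN=limited proxy")):
        subject = subject[: subject.rfind("/CN=")]
    return subject

def authorize(mapping: dict, subject: str):
    """'Who can access this resource?': the default local account, or None."""
    accounts = mapping.get(identity_from_subject(subject))
    return accounts[0] if accounts else None

def gxmap_add(mapping: dict, user: str, dn: str) -> None:
    """gx-map-style self-service: a user may map a DN only to their own account.
    Refusing a DN already owned by another account is this example's hardening."""
    dn = dn.strip()
    if not dn.startswith("/") or "=" not in dn:
        raise ValueError(f"not a distinguished name: {dn!r}")
    accounts = mapping.setdefault(dn, [])
    if accounts and user not in accounts:
        raise PermissionError(f"{dn!r} is already mapped to {accounts}")
    if user not in accounts:
        accounts.append(user)
```

RFC 3820 proxies name each proxy with a numeric CN rather than "proxy" and are identified by their ProxyCertInfo extension, which this legacy-style stripping does not cover.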
