myproxy and gsissh update
Download
Skip this Video
Download Presentation
MyProxy and GSISSH Update

Loading in 2 Seconds...

play fullscreen
1 / 14

MyProxy and GSISSH Update - PowerPoint PPT Presentation


  • 91 Views
  • Uploaded on

MyProxy and GSISSH Update. Von Welch National Center for Supercomputing Applications University of Illinois at Urbana-Champaign [email protected] MyProxy Logon. Authenticate to retrieve PKI credentials End Entity or Proxy Certificate

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' MyProxy and GSISSH Update' - lisandra-lopez


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
myproxy and gsissh update

MyProxy and GSISSH Update

Von WelchNational Center for Supercomputing ApplicationsUniversity of Illinois at [email protected]

National Center for Supercomputing Applications

myproxy logon
MyProxy Logon
  • Authenticate to retrieve PKI credentials
    • End Entity or Proxy Certificate
    • CA Certificates and Certificate Revocation Lists (CRLs) (http://myproxy.ncsa.uiuc.edu/trustroots)
  • Maintains the user’s PKI context
    • Users don’t need to manage long-lived credentials
    • Enables server-side monitoring and policy enforcement (ex. passphrase quality checks)
    • CA certificates and CRLs updated automatically at login
  • Integrates with existing authentication systems
    • Providing a gateway to grid authentication

National Center for Supercomputing Applications

myproxy ca
MyProxy CA
  • Issues short-lived X.509 EECs
  • Authentication via certificate, PAM, SASL/Kerberos, Pubcookie, VOMS
    • Including “renewal authentication” where trusted service authenticates and proves possession of user credential to get a new user credential
  • Name mapping via mapfile, callout, and LDAP
  • Certificate extensions specified by OpenSSL configuration file or callout
  • http://myproxy.ncsa.uiuc.edu/ca

National Center for Supercomputing Applications

ncsa slcs architecture
NCSA SLCS Architecture
  • http://security.ncsa.uiuc.edu/CA/

National Center for Supercomputing Applications

ncsa ca architecture
NCSA CA Architecture

National Center for Supercomputing Applications

myproxy ocsp support
MyProxy OCSP Support
  • Server checks certificate validity before performing delegation
    • Includes CRL and OCSP checks
    • Removes invalid credentials from repository
  • Follows recommendations in OGF CAOPS “OCSP Requirements for Grids”
  • Server can be configured to use:
    • OCSP responder in AIA extension
    • Trusted OCSP responder
  • http://myproxy.ncsa.uiuc.edu/ocsp
  • OCSP checking code contributed to Globus
    • http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=4788

National Center for Supercomputing Applications

myproxy and hsms
MyProxy and HSMs
  • Prototypes
    • MyProxy repository keys protected by IBM 4758
    • MyProxy CA key protected by Aladdin eToken
  • MyProxy CA HSM support coming soon
    • To be deployed for NCSA SLCS
    • Using OpenSSL Engine interface
    • http://bugzilla.ncsa.uiuc.edu/show_bug.cgi?id=349

National Center for Supercomputing Applications

myproxy and voms
MyProxy and VOMS
  • MyProxy server now understands VOMS attributes for authorization
    • For example: services with “compute element” attribute can be authorized to renew credentials
  • MyProxy developers worked with VOMS developers on GT4 compatibility issues
    • http://bugzilla.ncsa.uiuc.edu/show_bug.cgi?id=345
  • http://myproxy.ncsa.uiuc.edu/voms

National Center for Supercomputing Applications

myproxy trust provisioning
MyProxy Trust Provisioning
  • MyProxy Logon can install/update trust roots in ~/.globus/certificates or $X509_CERT_DIR
    • CA certificates, signing policies, and CRLs
    • Improves client-side security via automated CA configuration and CRL updates
  • Configuration managed by MyProxy server admin
    • Maintains up-to-date “master” certificates directory on server
  • Future work
    • Bootstrap trust of myproxy-server certificate
    • Improved handling of expired CRLs
    • Java support
  • http://myproxy.ncsa.uiuc.edu/trustroots

National Center for Supercomputing Applications

myproxy server fail over
MyProxy Server Fail-Over
  • Clients try multiple server IP addresses
  • Documentation for server replication
    • http://myproxy.ncsa.uiuc.edu/failover.html
    • myproxy-replicate tool for primary-backup repository replication
    • CA server replication by partition of serial number space

National Center for Supercomputing Applications

external myproxy audit
External MyProxy Audit
  • To be conducted by Jim Kupsch from UW-Madison Computer Sciences
    • Vulnerability Assessment of Grid Software Project led by Prof. Bart Miller
    • http://www.cs.wisc.edu/condor/CondorWeek2006/presentations/kupsch_security.ppt
  • March 7 kick-off meeting at NCSA

National Center for Supercomputing Applications

gsi openssh authorization
GSI-OpenSSH Authorization
  • GSI-OpenSSH 3.8 and later support Globus Authorization callouts
    • http://www.globus.org/security/callouts/
    • Service name for callout is “ssh”
    • Tested with PRIMA/GUMS

National Center for Supercomputing Applications

java gsi sshterm
Java GSI-SSHTerm
  • Java applet/application that combines MyProxy and GSISSH functionality
    • Developed by UK NGS, NRC Canada, …
    • http://sourceforge.net/projects/gsi-sshterm/
  • Customized for TeraGrid
    • http://grid.ncsa.uiuc.edu/gsi-sshterm/

National Center for Supercomputing Applications

myproxy and gsissh on teragrid
MyProxy and GSISSH on TeraGrid
  • All TG users assigned a TERAGRID.ORG (Kerberos) username and password
    • Login to TeraGrid User Portal (https://portal.teragrid.org/)
    • Login to TeraGrid MyProxy CA to obtain a short-lived (NCSA) certificate
  • All TG sites run GSI-OpenSSH servers
    • Single sign-on via Java GSI-SSHTerm
    • http://www.teragrid.org/userinfo/access/

National Center for Supercomputing Applications

ad