Uscgrid
Sponsored Links
This presentation is the property of its rightful owner.
1 / 42

USCGrid PowerPoint PPT Presentation


  • 103 Views
  • Uploaded on
  • Presentation posted in: General

USCGrid. KX.509 & Enterprise Security. http://www.usc.edu/isd/services/uscgrid. USCGrid: KX.509 & Enterprise Security. KX.509 as an alternative Specific experience with KX.509 at USC KX.509 & Campus Certificate Policies. USCGrid: KX.509 & Enterprise Security. KX.509 as an alternative

Download Presentation

USCGrid

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


USCGrid

KX.509

&

Enterprise Security

http://www.usc.edu/isd/services/uscgrid


USCGrid: KX.509 & Enterprise Security

  • KX.509 as an alternative

  • Specific experience with KX.509 at USC

  • KX.509 & Campus Certificate Policies

USCGrid at Internet2


USCGrid: KX.509 & Enterprise Security

  • KX.509 as an alternative

  • Specific experience with KX.509 at USC

  • KX.509 & Campus Certificate Policies

USCGrid at Internet2


USCGrid: KX.509 & Enterprise Security

  • KX.509 as an alternative

Q:

What if your enterprise already has a non-PKI authentication mechanism in place?

USCGrid at Internet2


USCGrid: KX.509 & Enterprise Security

  • KX.509 as an alternative

Q:

What if your enterprise already has a non-PKI authentication mechanism in place? Can an existing security mechanism be leveraged to get the user population on the grid?

USCGrid at Internet2


USCGrid: KX.509 & Enterprise Security

  • KX.509 as an alternative

Q:

What if your enterprise already has a non-PKI authentication mechanism in place? Can an existing security mechanism be leveraged to get the user population on the grid? Or does an entire parallel PKI mechanism need to be created?

USCGrid at Internet2


USCGrid: KX.509 & Enterprise Security

  • KX.509 as an alternative

A:

If your existing enterprise authentication mechanism is kerberos, the answer is KX.509.

USCGrid at Internet2


USCGrid: KX.509 & Enterprise Security

  • KX.509 as an alternative

A:

If your existing enterprise authentication mechanism is kerberos, the answer is KX.509.

KX.509 allows you to authenticate to kerberos, then create a proxy certificate based on your kerberos credential.

USCGrid at Internet2


USCGrid: KX.509 & Enterprise Security

  • KX.509 as an alternative

A:

If your existing enterprise authentication mechanism is kerberos, the answer is KX.509.

Suddenly, everyone with a kerberos credential is grid-enabled.

USCGrid at Internet2


USCGrid: KX.509 & Enterprise Security

  • KX.509 as an alternative

Q:

What about server certificates?

USCGrid at Internet2


USCGrid: KX.509 & Enterprise Security

  • KX.509 as an alternative

Q:

What about server certificates? Can I use kerberos to create those?

USCGrid at Internet2


USCGrid: KX.509 & Enterprise Security

  • KX.509 as an alternative

A:

Kerberos does not affect server certificates.

USCGrid at Internet2


USCGrid: KX.509 & Enterprise Security

  • KX.509 as an alternative

A:

Kerberos does not affect server certificates. They must still be generated or acquired the ‘old-fashioned way’

USCGrid at Internet2


USCGrid: KX.509 & Enterprise Security

  • KX.509 as an alternative

A:

Kerberos does not affect server certificates. They must still be generated or acquired the ‘old-fashioned way’ – for instance, by purchasing one through Verisign.

USCGrid at Internet2


USCGrid: KX.509 & Enterprise Security

  • KX.509 as an alternative

  • Specific experience with KX.509 at USC

  • KX.509 & Campus Certificate Policies

USCGrid at Internet2


USCGrid: KX.509 & Enterprise Security

  • Specific experience with KX.509 at USC

Q:

What does USC’s KX.509 setup look like?

USCGrid at Internet2


USCGrid: KX.509 & Enterprise Security

  • Specific experience with KX.509 at USC

A:

USCGrid is comprised of a Beowulf cluster (more on that in a minute),

USCGrid at Internet2


USCGrid: KX.509 & Enterprise Security

  • Specific experience with KX.509 at USC

A:

USCGrid is comprised of a Beowulf cluster, a Sunfire 15k called almaak.usc.edu,

USCGrid at Internet2


USCGrid: KX.509 & Enterprise Security

  • Specific experience with KX.509 at USC

A:

USCGrid is comprised of the Beowulf cluster, a Sunfire 15k called almaak.usc.edu, and a recently- upgraded Condor pool made up 110 Unix workstations in a public userroom.

USCGrid at Internet2


USCGrid: KX.509 & Enterprise Security

  • Specific experience with KX.509 at USC

A:

Kerberos and KX.509 are directly available through an NSF-mounted file system, /usr/usc, to anyone with a Solaris or Linux workstation.

USCGrid at Internet2


USCGrid: KX.509 & Enterprise Security

  • Specific experience with KX.509 at USC

A:

Kerberos and KX.509 are directly available through an NSF-mounted file system, /usr/usc, to anyone with a Solaris or Linux workstation.

Those with PCs or Macs must ssh to a Unix timesharing system, such as almaak.

USCGrid at Internet2


USCGrid: KX.509 & Enterprise Security

  • Specific experience with KX.509 at USC

A:

The KCA runs on hpc-master.usc.edu, the head node for our 576-node 1152-cpu Beowulf cluster.

USCGrid at Internet2


USCGrid: KX.509 & Enterprise Security

  • Specific experience with KX.509 at USC

Q:

To use locally-controlled grid resources, a user’s public certificate must be added to the grid mapfile.

USCGrid at Internet2


USCGrid: KX.509 & Enterprise Security

  • Specific experience with KX.509 at USC

Q:

To use locally-controlled grid resources, a user’s public certificate must be added to the grid mapfile. KX.509 users don’t have a public certificate.

USCGrid at Internet2


USCGrid: KX.509 & Enterprise Security

  • Specific experience with KX.509 at USC

Q:

To use locally-controlled grid resources, a user must be added to the grid mapfile. KX.509 users don’t have a public certificate. How can they be added to a grid mapfile?

USCGrid at Internet2


USCGrid: KX.509 & Enterprise Security

  • Specific experience with KX.509 at USC

A:

We have a fairly simple-minded method currently for users to follow to request that they be added to the USCGrid mapfile.

USCGrid at Internet2


USCGrid: KX.509 & Enterprise Security

  • Specific experience with KX.509 at USC

A:

We have a fairly simple-minded method currently for users to follow to request that they be added to the USCGrid mapfile.

Each user must send an email message containing a copy of his or her kx509 certificate to the USCGrid administrator:

USCGrid at Internet2


USCGrid: KX.509 & Enterprise Security

  • Specific experience with KX.509 at USC

A:

Example:

almaak.usc.edu(23): source /usr/usc/nmi/default/setup.csh

almaak.usc.edu(24): kinit

Password for [email protected]:

almaak.usc.edu(25): kx509

USCGrid at Internet2


USCGrid: KX.509 & Enterprise Security

  • Specific experience with KX.509 at USC

A:

almaak.usc.edu(26): kxlist -p

Service kx509/certificate

issuer= /C=US/ST=California/L=Los Angeles /O=University of Southern California/CN=usc.edu

subject= /C=US/ST=California/L=Los Angeles /O=University of Southern California [email protected]

serial=A8

hash=e6078654

USCGrid at Internet2


USCGrid: KX.509 & Enterprise Security

  • Specific experience with KX.509 at USC

A:

almaak.usc.edu(27): grid-proxy-info | \

mail -s "add me to grid mapfile" \

[email protected]

USCGrid at Internet2


USCGrid: KX.509 & Enterprise Security

  • Specific experience with KX.509 at USC

A:

The Unix sysadmin can then add an entry to the grid mapfile using the information from grid-proxy-info:

"/C=US/ST=California/L=Los Angeles/O=University of Southern California/OU=usc.edu/CN=shelley [email protected]" shelley

USCGrid at Internet2


USCGrid: KX.509 & Enterprise Security

  • Specific experience with KX.509 at USC

Q:

How hard is it to install and maintain KX.509?

USCGrid at Internet2


USCGrid: KX.509 & Enterprise Security

  • Specific experience with KX.509 at USC

A:

KX.509 is my favorite NMI component.

USCGrid at Internet2


USCGrid: KX.509 & Enterprise Security

  • Specific experience with KX.509 at USC

A:

KX.509 is my favorite NMI component.

You install it,

USCGrid at Internet2


USCGrid: KX.509 & Enterprise Security

  • Specific experience with KX.509 at USC

A:

KX.509 is my favorite NMI component.

You install it, no problem.

USCGrid at Internet2


USCGrid: KX.509 & Enterprise Security

  • Specific experience with KX.509 at USC

A:

KX.509 is my favorite NMI component.

You install it, no problem.

Then it runs.

USCGrid at Internet2


USCGrid: KX.509 & Enterprise Security

  • Specific experience with KX.509 at USC

A:

KX.509 is my favorite NMI component.

You install it, no problem.

Then it runs. Really.

USCGrid at Internet2


USCGrid: KX.509 & Enterprise Security

  • KX.509 as an alternative

  • Specific experience with KX.509 at USC

  • KX.509 & Campus Certificate Policies

USCGrid at Internet2


USCGrid: KX.509 & Enterprise Security

  • KX.509 & Campus Certificate Policies

Q:

What about certificate policies? Do I still have to implement certificate policies if we use KX.509?

USCGrid at Internet2


USCGrid: KX.509 & Enterprise Security

  • KX.509 & Campus Certificate Policies

A:

KX.509 doesn’t buy you out of dealing with certificate policies.

USCGrid at Internet2


USCGrid: KX.509 & Enterprise Security

  • KX.509 & Campus Certificate Policies

A:

KX.509 doesn’t buy you out of dealing with certificate policies.

In a small way, it’s harder to cross-certify because you’re ‘different’.

USCGrid at Internet2


USCGrid: KX.509 & Enterprise Security

  • KX.509 & Campus Certificate Policies

A:

KX.509 doesn’t buy you out of dealing with certificate policies.

We’re working on this with ‘the security community’ – stay tuned.

USCGrid at Internet2


  • Login