Uscgrid
This presentation is the property of its rightful owner.
Sponsored Links
1 / 42

USCGrid PowerPoint PPT Presentation


  • 89 Views
  • Uploaded on
  • Presentation posted in: General

USCGrid. KX.509 & Enterprise Security. http://www.usc.edu/isd/services/uscgrid. USCGrid: KX.509 & Enterprise Security. KX.509 as an alternative Specific experience with KX.509 at USC KX.509 & Campus Certificate Policies. USCGrid: KX.509 & Enterprise Security. KX.509 as an alternative

Download Presentation

USCGrid

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Uscgrid

USCGrid

KX.509

&

Enterprise Security

http://www.usc.edu/isd/services/uscgrid


Uscgrid kx 509 enterprise security

USCGrid: KX.509 & Enterprise Security

  • KX.509 as an alternative

  • Specific experience with KX.509 at USC

  • KX.509 & Campus Certificate Policies

USCGrid at Internet2


Uscgrid kx 509 enterprise security1

USCGrid: KX.509 & Enterprise Security

  • KX.509 as an alternative

  • Specific experience with KX.509 at USC

  • KX.509 & Campus Certificate Policies

USCGrid at Internet2


Uscgrid kx 509 enterprise security2

USCGrid: KX.509 & Enterprise Security

  • KX.509 as an alternative

Q:

What if your enterprise already has a non-PKI authentication mechanism in place?

USCGrid at Internet2


Uscgrid kx 509 enterprise security3

USCGrid: KX.509 & Enterprise Security

  • KX.509 as an alternative

Q:

What if your enterprise already has a non-PKI authentication mechanism in place? Can an existing security mechanism be leveraged to get the user population on the grid?

USCGrid at Internet2


Uscgrid kx 509 enterprise security4

USCGrid: KX.509 & Enterprise Security

  • KX.509 as an alternative

Q:

What if your enterprise already has a non-PKI authentication mechanism in place? Can an existing security mechanism be leveraged to get the user population on the grid? Or does an entire parallel PKI mechanism need to be created?

USCGrid at Internet2


Uscgrid kx 509 enterprise security5

USCGrid: KX.509 & Enterprise Security

  • KX.509 as an alternative

A:

If your existing enterprise authentication mechanism is kerberos, the answer is KX.509.

USCGrid at Internet2


Uscgrid kx 509 enterprise security6

USCGrid: KX.509 & Enterprise Security

  • KX.509 as an alternative

A:

If your existing enterprise authentication mechanism is kerberos, the answer is KX.509.

KX.509 allows you to authenticate to kerberos, then create a proxy certificate based on your kerberos credential.

USCGrid at Internet2


Uscgrid kx 509 enterprise security7

USCGrid: KX.509 & Enterprise Security

  • KX.509 as an alternative

A:

If your existing enterprise authentication mechanism is kerberos, the answer is KX.509.

Suddenly, everyone with a kerberos credential is grid-enabled.

USCGrid at Internet2


Uscgrid kx 509 enterprise security8

USCGrid: KX.509 & Enterprise Security

  • KX.509 as an alternative

Q:

What about server certificates?

USCGrid at Internet2


Uscgrid kx 509 enterprise security9

USCGrid: KX.509 & Enterprise Security

  • KX.509 as an alternative

Q:

What about server certificates? Can I use kerberos to create those?

USCGrid at Internet2


Uscgrid kx 509 enterprise security10

USCGrid: KX.509 & Enterprise Security

  • KX.509 as an alternative

A:

Kerberos does not affect server certificates.

USCGrid at Internet2


Uscgrid kx 509 enterprise security11

USCGrid: KX.509 & Enterprise Security

  • KX.509 as an alternative

A:

Kerberos does not affect server certificates. They must still be generated or acquired the ‘old-fashioned way’

USCGrid at Internet2


Uscgrid kx 509 enterprise security12

USCGrid: KX.509 & Enterprise Security

  • KX.509 as an alternative

A:

Kerberos does not affect server certificates. They must still be generated or acquired the ‘old-fashioned way’ – for instance, by purchasing one through Verisign.

USCGrid at Internet2


Uscgrid kx 509 enterprise security13

USCGrid: KX.509 & Enterprise Security

  • KX.509 as an alternative

  • Specific experience with KX.509 at USC

  • KX.509 & Campus Certificate Policies

USCGrid at Internet2


Uscgrid kx 509 enterprise security14

USCGrid: KX.509 & Enterprise Security

  • Specific experience with KX.509 at USC

Q:

What does USC’s KX.509 setup look like?

USCGrid at Internet2


Uscgrid kx 509 enterprise security15

USCGrid: KX.509 & Enterprise Security

  • Specific experience with KX.509 at USC

A:

USCGrid is comprised of a Beowulf cluster (more on that in a minute),

USCGrid at Internet2


Uscgrid kx 509 enterprise security16

USCGrid: KX.509 & Enterprise Security

  • Specific experience with KX.509 at USC

A:

USCGrid is comprised of a Beowulf cluster, a Sunfire 15k called almaak.usc.edu,

USCGrid at Internet2


Uscgrid kx 509 enterprise security17

USCGrid: KX.509 & Enterprise Security

  • Specific experience with KX.509 at USC

A:

USCGrid is comprised of the Beowulf cluster, a Sunfire 15k called almaak.usc.edu, and a recently- upgraded Condor pool made up 110 Unix workstations in a public userroom.

USCGrid at Internet2


Uscgrid kx 509 enterprise security18

USCGrid: KX.509 & Enterprise Security

  • Specific experience with KX.509 at USC

A:

Kerberos and KX.509 are directly available through an NSF-mounted file system, /usr/usc, to anyone with a Solaris or Linux workstation.

USCGrid at Internet2


Uscgrid kx 509 enterprise security19

USCGrid: KX.509 & Enterprise Security

  • Specific experience with KX.509 at USC

A:

Kerberos and KX.509 are directly available through an NSF-mounted file system, /usr/usc, to anyone with a Solaris or Linux workstation.

Those with PCs or Macs must ssh to a Unix timesharing system, such as almaak.

USCGrid at Internet2


Uscgrid kx 509 enterprise security20

USCGrid: KX.509 & Enterprise Security

  • Specific experience with KX.509 at USC

A:

The KCA runs on hpc-master.usc.edu, the head node for our 576-node 1152-cpu Beowulf cluster.

USCGrid at Internet2


Uscgrid kx 509 enterprise security21

USCGrid: KX.509 & Enterprise Security

  • Specific experience with KX.509 at USC

Q:

To use locally-controlled grid resources, a user’s public certificate must be added to the grid mapfile.

USCGrid at Internet2


Uscgrid kx 509 enterprise security22

USCGrid: KX.509 & Enterprise Security

  • Specific experience with KX.509 at USC

Q:

To use locally-controlled grid resources, a user’s public certificate must be added to the grid mapfile. KX.509 users don’t have a public certificate.

USCGrid at Internet2


Uscgrid kx 509 enterprise security23

USCGrid: KX.509 & Enterprise Security

  • Specific experience with KX.509 at USC

Q:

To use locally-controlled grid resources, a user must be added to the grid mapfile. KX.509 users don’t have a public certificate. How can they be added to a grid mapfile?

USCGrid at Internet2


Uscgrid kx 509 enterprise security24

USCGrid: KX.509 & Enterprise Security

  • Specific experience with KX.509 at USC

A:

We have a fairly simple-minded method currently for users to follow to request that they be added to the USCGrid mapfile.

USCGrid at Internet2


Uscgrid kx 509 enterprise security25

USCGrid: KX.509 & Enterprise Security

  • Specific experience with KX.509 at USC

A:

We have a fairly simple-minded method currently for users to follow to request that they be added to the USCGrid mapfile.

Each user must send an email message containing a copy of his or her kx509 certificate to the USCGrid administrator:

USCGrid at Internet2


Uscgrid kx 509 enterprise security26

USCGrid: KX.509 & Enterprise Security

  • Specific experience with KX.509 at USC

A:

Example:

almaak.usc.edu(23): source /usr/usc/nmi/default/setup.csh

almaak.usc.edu(24): kinit

Password for [email protected]:

almaak.usc.edu(25): kx509

USCGrid at Internet2


Uscgrid kx 509 enterprise security27

USCGrid: KX.509 & Enterprise Security

  • Specific experience with KX.509 at USC

A:

almaak.usc.edu(26): kxlist -p

Service kx509/certificate

issuer= /C=US/ST=California/L=Los Angeles /O=University of Southern California/CN=usc.edu

subject= /C=US/ST=California/L=Los Angeles /O=University of Southern California [email protected]

serial=A8

hash=e6078654

USCGrid at Internet2


Uscgrid kx 509 enterprise security28

USCGrid: KX.509 & Enterprise Security

  • Specific experience with KX.509 at USC

A:

almaak.usc.edu(27): grid-proxy-info | \

mail -s "add me to grid mapfile" \

[email protected]

USCGrid at Internet2


Uscgrid kx 509 enterprise security29

USCGrid: KX.509 & Enterprise Security

  • Specific experience with KX.509 at USC

A:

The Unix sysadmin can then add an entry to the grid mapfile using the information from grid-proxy-info:

"/C=US/ST=California/L=Los Angeles/O=University of Southern California/OU=usc.edu/CN=shelley [email protected]" shelley

USCGrid at Internet2


Uscgrid kx 509 enterprise security30

USCGrid: KX.509 & Enterprise Security

  • Specific experience with KX.509 at USC

Q:

How hard is it to install and maintain KX.509?

USCGrid at Internet2


Uscgrid kx 509 enterprise security31

USCGrid: KX.509 & Enterprise Security

  • Specific experience with KX.509 at USC

A:

KX.509 is my favorite NMI component.

USCGrid at Internet2


Uscgrid kx 509 enterprise security32

USCGrid: KX.509 & Enterprise Security

  • Specific experience with KX.509 at USC

A:

KX.509 is my favorite NMI component.

You install it,

USCGrid at Internet2


Uscgrid kx 509 enterprise security33

USCGrid: KX.509 & Enterprise Security

  • Specific experience with KX.509 at USC

A:

KX.509 is my favorite NMI component.

You install it, no problem.

USCGrid at Internet2


Uscgrid kx 509 enterprise security34

USCGrid: KX.509 & Enterprise Security

  • Specific experience with KX.509 at USC

A:

KX.509 is my favorite NMI component.

You install it, no problem.

Then it runs.

USCGrid at Internet2


Uscgrid kx 509 enterprise security35

USCGrid: KX.509 & Enterprise Security

  • Specific experience with KX.509 at USC

A:

KX.509 is my favorite NMI component.

You install it, no problem.

Then it runs. Really.

USCGrid at Internet2


Uscgrid kx 509 enterprise security36

USCGrid: KX.509 & Enterprise Security

  • KX.509 as an alternative

  • Specific experience with KX.509 at USC

  • KX.509 & Campus Certificate Policies

USCGrid at Internet2


Uscgrid kx 509 enterprise security37

USCGrid: KX.509 & Enterprise Security

  • KX.509 & Campus Certificate Policies

Q:

What about certificate policies? Do I still have to implement certificate policies if we use KX.509?

USCGrid at Internet2


Uscgrid kx 509 enterprise security38

USCGrid: KX.509 & Enterprise Security

  • KX.509 & Campus Certificate Policies

A:

KX.509 doesn’t buy you out of dealing with certificate policies.

USCGrid at Internet2


Uscgrid kx 509 enterprise security39

USCGrid: KX.509 & Enterprise Security

  • KX.509 & Campus Certificate Policies

A:

KX.509 doesn’t buy you out of dealing with certificate policies.

In a small way, it’s harder to cross-certify because you’re ‘different’.

USCGrid at Internet2


Uscgrid kx 509 enterprise security40

USCGrid: KX.509 & Enterprise Security

  • KX.509 & Campus Certificate Policies

A:

KX.509 doesn’t buy you out of dealing with certificate policies.

We’re working on this with ‘the security community’ – stay tuned.

USCGrid at Internet2


  • Login