USCGrid

KX.509 & Enterprise Security

http://www.usc.edu/isd/services/uscgrid


USCGrid: KX.509 & Enterprise Security

  • KX.509 as an alternative

  • Specific experience with KX.509 at USC

  • KX.509 & Campus Certificate Policies

USCGrid at Internet2


  • KX.509 as an alternative

Q:

What if your enterprise already has a non-PKI authentication mechanism in place? Can an existing security mechanism be leveraged to get the user population on the grid? Or does an entire parallel PKI mechanism need to be created?

A:

If your existing enterprise authentication mechanism is Kerberos, the answer is KX.509.

KX.509 allows you to authenticate to Kerberos, then create a proxy certificate based on your Kerberos credential.

Suddenly, everyone with a Kerberos credential is grid-enabled.

Q:

What about server certificates? Can I use Kerberos to create those?

A:

Kerberos does not affect server certificates. They must still be generated or acquired the ‘old-fashioned way’ – for instance, by purchasing one through Verisign.

  • Specific experience with KX.509 at USC

Q:

What does USC’s KX.509 setup look like?

A:

USCGrid comprises a Beowulf cluster, a Sunfire 15k called almaak.usc.edu, and a recently upgraded Condor pool made up of 110 Unix workstations in a public user room.

Kerberos and KX.509 are directly available through an NFS-mounted file system, /usr/usc, to anyone with a Solaris or Linux workstation.

Those with PCs or Macs must ssh to a Unix timesharing system, such as almaak.

The KCA runs on hpc-master.usc.edu, the head node for our 576-node 1152-cpu Beowulf cluster.

Q:

To use locally-controlled grid resources, a user must be added to the grid mapfile. KX.509 users don’t have a public certificate. How can they be added to a grid mapfile?

A:

We have a fairly simple-minded method currently for users to follow to request that they be added to the USCGrid mapfile.

Each user must send an email message containing a copy of his or her kx509 certificate to the USCGrid administrator:

Example:

almaak.usc.edu(23): source /usr/usc/nmi/default/setup.csh

almaak.usc.edu(24): kinit

Password for [email protected]:

almaak.usc.edu(25): kx509

almaak.usc.edu(26): kxlist -p

Service kx509/certificate

issuer= /C=US/ST=California/L=Los Angeles /O=University of Southern California/CN=usc.edu

subject= /C=US/ST=California/L=Los Angeles /O=University of Southern California [email protected]

serial=A8

hash=e6078654

almaak.usc.edu(27): grid-proxy-info | \
    mail -s "add me to grid mapfile" \
    [email protected]

The Unix sysadmin can then add an entry to the grid mapfile using the information from grid-proxy-info:

"/C=US/ST=California/L=Los Angeles/O=University of Southern California/OU=usc.edu/CN=shelley [email protected]" shelley
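
Because the request arrives by email, the text the administrator copies into the mapfile is unauthenticated input. The following is an added example, not part of the original presentation, of checks to run before writing the entry; the sample grid-proxy-info text, the campus prefix, the account name and all function names are constructed assumptions.

```python
import re

# Assumed campus namespace, taken from the issuer organisation in the kxlist output.
CAMPUS_PREFIX = ("/C=US/ST=California/L=Los Angeles"
                 "/O=University of Southern California/")

# Constructed, simplified sample of an emailed grid-proxy-info report.
SAMPLE_MAIL = (
    f"subject  : {CAMPUS_PREFIX}OU=usc.edu/CN=Example User\n"
    f"issuer   : {CAMPUS_PREFIX}CN=usc.edu\n"
    "timeleft : 9:58:12\n"
)

class MapfileError(ValueError):
    """Raised when a request must not be turned into a mapfile entry."""

def extract_subject(mail_body):
    """Return the single subject DN found in the emailed text."""
    found = re.findall(r"^subject\s*:\s*(.+?)\s*$", mail_body, re.MULTILINE)
    if len(found) != 1:
        raise MapfileError("expected exactly one subject line")
    return found[0]

def parse_mapfile(text):
    """Parse lines of the form "DN" account into a {dn: account} dict."""
    entries = {}
    for line in text.splitlines():
        m = re.fullmatch(r'\s*"([^"]+)"\s+(\S+)\s*', line)
        if m:
            entries[m.group(1)] = m.group(2)
    return entries

def new_entry(mail_body, account, mapfile_text):
    """Validate an emailed request and return the mapfile line to append."""
    dn = extract_subject(mail_body)
    # Reject quotes and other characters that could break the entry's quoting.
    if not re.fullmatch(r"/[A-Za-z0-9 .,=/@_-]+", dn):
        raise MapfileError("unexpected characters in DN")
    if not dn.startswith(CAMPUS_PREFIX):
        raise MapfileError("DN is outside the campus namespace")
    if not re.fullmatch(r"[a-z][a-z0-9_-]{0,31}", account):
        raise MapfileError("bad local account name")
    # One DN must never end up mapped to two different local accounts.
    if parse_mapfile(mapfile_text).get(dn, account) != account:
        raise MapfileError("DN already mapped to another account")
    return f'"{dn}" {account}'
```

The local account name is supplied by the administrator after confirming who sent the request; it is never taken from the email body.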

Q:

How hard is it to install and maintain KX.509?

A:

KX.509 is my favorite NMI component.

You install it, no problem.

Then it runs. Really.

  • KX.509 & Campus Certificate Policies

Q:

What about certificate policies? Do I still have to implement certificate policies if we use KX.509?

A:

KX.509 doesn’t buy you out of dealing with certificate policies.

In a small way, it’s harder to cross-certify because you’re ‘different’.

We’re working on this with ‘the security community’ – stay tuned.
