Posted on 22-Feb-2016
NERSC Online CA Update
TAGPMA Meeting, February 2012, San Diego
Shreyas Cholia, NERSC, LBL
NERSC
• DOE Office of Science Supercomputing Facility at LBL
• Multiple compute & storage systems
– Hopper, Franklin, Carver, Euclid, PDSF, HPSS, Global File System
NERSC CA
• Provides short-lived certificates to NERSC user community for convenient access to NERSC resources as well as external resources accessible via grid interfaces.
NERSC CA at a Glance
• IGTF-accredited SLCS MyProxy CA
• CA cert signed by the ESnet Root CA
• Uses the NERSC username and password to generate a short-lived credential (up to 11 days)
• HSM: Aladdin eToken USB device
• Command line interface:
    myproxy-logon -s nerscca.nersc.gov -l <user>
    Password:
• Also accessible via programmatic APIs
NERSC CA Service
[Diagram: NERSC CA Service flow]
• The user runs myproxy-logon -l "starbuck" against the Online CA MyProxy server.
• The MyProxy server authenticates via PAM LDAP: it sends the encrypted token to the LDAP server, which validates the password.
• The server consults the cert-mapfile (generated from the NERSC user DB) for the user's DN:
    "/CN=Joe User" joe
    "/CN=Jane Doe" jane
    "/CN=Lee Adama" apollo
    "/CN=Kara Thrace" starbuck
• The server returns the signed cert, a NERSC CA cert with subject "/CN=Kara Thrace".
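The step the diagram glosses over is the reverse mapfile lookup: after PAM/LDAP has authenticated a local account, the CA must find the one DN it is allowed to put in the certificate, and cap the lifetime the client asked for at the CA maximum. The following is an added illustration of that step in Python, not NERSC's or MyProxy's code. The mapfile content is constructed from the slide's four example entries; the fifth entry and the comma-separated account list follow the Globus grid-mapfile convention and are an assumption used to show the ambiguous-mapping case. The 11-day maximum is the figure given on the "at a Glance" slide.

```python
"""Reverse cert-mapfile lookup and lifetime policy for a MyProxy-style online CA.

Added illustration, not NERSC's or MyProxy's code.  Mapfile layout is the
grid-mapfile form shown on the slide: a double-quoted DN followed by a local
account name.  A real grid-mapfile may list several accounts separated by
commas; that convention (and the fifth sample entry) is assumed here.
"""
import shlex
from typing import Dict, List

MAX_LIFETIME_HOURS = 11 * 24  # 11 days: the NERSC CA maximum stated on the slide

# Constructed sample mapfile; the first four DNs are the slide's examples.
SAMPLE_MAPFILE = '''
# DN -> local account(s)
"/CN=Joe User" joe
"/CN=Jane Doe" jane
"/CN=Lee Adama" apollo
"/CN=Kara Thrace" starbuck
"/DC=org/DC=example/CN=Shared Robot" joe,robot
'''


def parse_mapfile(text: str) -> Dict[str, List[str]]:
    """Return {dn: [accounts]} for every non-comment, non-blank line.

    shlex splits the quoted DN (which contains spaces and slashes) the same
    way the grid-mapfile tools do.  A line without exactly two fields, or
    whose first field is not a DN, is malformed and rejected rather than
    silently skipped: a mapfile that is partly unreadable must not be trusted.
    """
    mapping: Dict[str, List[str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)
        if len(fields) != 2 or not fields[0].startswith("/"):
            raise ValueError(f"mapfile line {lineno}: malformed entry {raw!r}")
        dn, accounts = fields
        mapping.setdefault(dn, []).extend(a for a in accounts.split(",") if a)
    return mapping


def dn_for_account(mapping: Dict[str, List[str]], account: str) -> str:
    """Reverse lookup: PAM/LDAP has authenticated `account`; pick the subject.

    Exactly one DN must map to the account.  No match means the user has no
    grid identity; more than one match is ambiguous and must not be resolved
    by picking the first, since that would issue a certificate for an identity
    the user may not hold.
    """
    matches = [dn for dn, accounts in mapping.items() if account in accounts]
    if not matches:
        raise LookupError(f"no DN mapped to account {account!r}")
    if len(matches) > 1:
        raise LookupError(f"account {account!r} maps to several DNs: {matches}")
    return matches[0]


def effective_lifetime_hours(requested_hours: int) -> int:
    """Clamp the client's requested lifetime (myproxy-logon -t) to the CA maximum.

    A non-positive request is an error, not an invitation to apply a default.
    """
    if requested_hours <= 0:
        raise ValueError("lifetime must be positive")
    return min(requested_hours, MAX_LIFETIME_HOURS)


def issue_request(mapping: Dict[str, List[str]], account: str,
                  requested_hours: int) -> Dict[str, object]:
    """What the online CA would hand to the HSM signer: subject DN and lifetime."""
    return {
        "subject": dn_for_account(mapping, account),
        "lifetime_hours": effective_lifetime_hours(requested_hours),
    }


if __name__ == "__main__":
    m = parse_mapfile(SAMPLE_MAPFILE)
    print(issue_request(m, "starbuck", 12))
    print(issue_request(m, "apollo", 24 * 30))   # lifetime clamped to 264 hours
    for bad in ("nobody", "joe"):                # unmapped and ambiguous accounts
        try:
            issue_request(m, bad, 12)
        except LookupError as exc:
            print("rejected:", exc)
```

Running the block as a script issues for starbuck and apollo (the latter clamped to 264 hours), and rejects both an account with no mapfile entry and an account that appears under two DNs. In production the DN also has to be checked against the CA's namespace constraints before signing; that check is outside this example.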
Use Cases
• Workflows based on Globus Gatekeeper, GridFTP, GSISSH: OSG, ATLAS, STAR, Planck, etc.
– Climate data transfer over the WAN
• Portals: a trusted portal requests a short-lived cert and uses it on your behalf
– Globus Online
– NEWT, the NERSC Web API (REST API to access NERSC)
– Science Gateways
Issues
• The current model cannot do single sign-on across NERSC resources.
• The CA key expires in 2013.
– The future of the ESnet Root CA is uncertain.
• The HSM is slow and rejects requests under load.
– 10-15 seconds to sign a single request
Enabling Single Sign On
• NERSC already runs a Shibboleth IdP to provide single sign-on for web resources.
• We'd like to use NEWT and Science Gateways via SSO:
– Sign in once to Shib
– Enable access to grid resources via the Shib token
• Using the Shib-OAuth-MyProxy CA (from NCSA) would allow us to use the user's Shib credentials to create a certificate.
• Proposal: expand the NERSC CA scope to cover Shib authentication. Does this require an update to the CP/CPS?
Shib Login
• Log in once to the Shib OAuth service using the NERSC username and password.
• The client browser gets an OAuth token.
• The browser presents the token to a trusted web service (NEWT, Science Gateway).
• The OAuth assertion authorizes the web service to retrieve a certificate on the user's behalf.
Design 1
[Diagram slide; no text captured in the transcript]
Design 2
[Diagram slide; no text captured in the transcript]
New CA certificate and HSM
• We would like to move to a more robust HSM solution:
– Something that works with the Shib-MyProxy CA
– Reasonable performance (about 1 second signing time)
– Does OK under load (handles multiple simultaneous requests)
– Suggestions?
• We need to issue a new CA cert.
– Is a self-signed cert OK?
– What do we need to do with respect to the IGTF process?