Grid and NREN operational support

Tony Genovese, ATF team, ESnet, Lawrence Berkeley National Laboratory


February 2005, TERENA TF-EMC2

Outline

Background
• Authentication Services in Grids
• International Grid Federation
• Regional Grid Federations
• TERENA

International Grid Federation (IGF)
• Regional Policy Management Authorities (PMAs)
• EU Grid PMA, AP Grid PMA, The Americas Grid PMA

Global Grid Forum efforts
• Certificate Authority Operations WG

How TERENA helps: Grids and NRENs
• Resource Location
• Authentication Profiles
• Why authentication profiles?
• What is in it?
• General Federation document

If there is interest/time: Future Federations and AuthN services
• KCAs, Site Integrated Proxy services (SIPS), Site SSL/TLS support and RADIUS Authentication Fabric (RAF)

Current State of Affairs

Background: Authentication Services in Grids

• Grid Federations have separated the Authentication and Authorization problems.
• Resource owners are responsible for Authorization. Maps Authentication token to local access.
• Authentication service providers are responsible for providing Strong Authentication tokens (Certificates).

International Grid Federation
• March 2003 Tokyo
• Promote and coordinate Regional Policy Management Authorities.
• Next meeting at GGF13 Seoul, S Korea.
• European Union Grid PMA – community lead organization
• Asian Pacific Grid PMA
• The Americas Grid PMA

TERENA
• International trusted 3rd party.
• Trust anchors for NRENs
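The separation the slide describes, authentication by an accredited CA and authorization by the resource owner, is what a Globus-style grid-mapfile implements at a site. The following is an added illustration written for this page, not ESnet or DOEGrids code: the issuer list stands in for the PMA-published list of trusted CAs a site installs as trust anchors, the mapfile is the resource owner's authorization decision, and every DN, account name and CA name in it is constructed.

```python
"""
Constructed example: the authorization step that follows certificate authentication.

  - Authentication: the certificate was issued by a CA the site trusts
    (the site's copy of the PMA's list of accredited CAs).
  - Authorization: the resource owner's grid-mapfile maps the subject DN to a
    local account. The CA never decides this.

The mapfile syntax follows the Globus grid-mapfile convention: a quoted
subject DN followed by one or more comma-separated local account names,
the first being the default. All names below are made up for this example.
"""
import re
from typing import Dict, List, Optional, Set

# Constructed sample mapfile. Lines starting with '#' are comments.
SAMPLE_MAPFILE = '''
# Subject DN                                               local account(s)
"/DC=org/DC=DOEGrids/OU=People/CN=Alice Example 12345"    alice
"/DC=org/DC=DOEGrids/OU=People/CN=Bob Example 67890"      bob,gridusers
"/DC=net/DC=es/OU=Services/CN=host/gateway.example.net"   gatekeeper
'''

# Constructed issuer DN standing in for an entry on the PMA's trusted-CA list.
TRUSTED_ISSUERS: Set[str] = {
    "/DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=Example Grid CA",
}

_LINE = re.compile(r'^"(?P<dn>[^"]+)"\s+(?P<accounts>\S+)$')


def parse_mapfile(text: str) -> Dict[str, List[str]]:
    """Parse mapfile text into {subject_dn: [account, ...]}.

    A malformed line raises rather than being skipped: silently ignoring a
    bad authorization entry would change who gets access.
    """
    mapping: Dict[str, List[str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"mapfile line {lineno}: cannot parse {raw!r}")
        mapping[m.group("dn")] = m.group("accounts").split(",")
    return mapping


def authorize(subject_dn: str, issuer_dn: str, mapping: Dict[str, List[str]],
              trusted_issuers: Set[str], requested: Optional[str] = None) -> Optional[str]:
    """Return the local account to run as, or None to deny.

    1. The certificate must come from a trusted issuer (authentication trust).
    2. The subject must appear in the resource owner's mapfile (authorization).
    3. A requested account must be one of the mapped accounts; with no request
       the first listed account is used.
    """
    if issuer_dn not in trusted_issuers:
        return None
    accounts = mapping.get(subject_dn)
    if not accounts:
        return None
    if requested is None:
        return accounts[0]
    return requested if requested in accounts else None
```

Note the two independent failure modes: a certificate from an unaccredited CA is refused before the mapfile is consulted, and a certificate from an accredited CA whose subject the site has not mapped is refused even though it authenticates perfectly well. Keeping those two decisions apart is exactly what lets a federation accredit CAs without deciding anything about access at individual sites.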

International Grid Federation

Set up in March 2003 – the Tokyo accord. WWW.GridPMA.org

Goals
• Promote trust peering between The Americas, European and Asian Pacific communities.
  EU Grid Policy Management Authority
  • EGEE: Enabling Grids for E-science in Europe
  Asian Pacific Policy Management Authority
  • APGrid: National Institute of Advanced Industrial Science and Technology
  The Americas Grid PMA – new
  • Canada and USA (DOE)
• Promotes the establishment of top level CA registries: trusted 3rd party repositories needed for the establishment of trust.
• Root CA certificates, CA repositories and CRL publishing points.
  EU Grid PMA registry – de facto (CNRS: French National Center for Scientific Research)
  Asian Pacific CA registry (AP PMA)
  TERENA TACAR (TERENA Academic CA Repository)
• Use Global Grid Forum for publishing Standards and community best practices.

Regional PMAs

EU Grid PMA (www.eugridpma.org)
• Represents CA and Relying parties.
• 26 country level CAs, plus US members
• Manages the de facto minimum CA operational requirements.
• Manages the primary list of trusted CAs.

Asian Pacific Grid PMA (www.apgridpma.org)
• Formed Summer of 2004
• Represents CA and Relying parties.
• 12 country level CAs, and SDSC
• Minimum operational requirement synced with EU's

The Americas Grid PMA (www.TAGPMA.org)
• Started Fall 2004
• Represents CA and Relying parties.
• Represent CAs from Research and Academic communities in the Americas.
• Investigate alternative Authentication services.
• Will produce new Minimum Operational requirements for On line CAs.

Global Grid Forum

GGF efforts are driven by our community requirements.

Developing International trust relationships has shown a need for common agreed upon practices.

Community Documents
• Grid CP/CPS
• Policy Management authority
• PKI Disclosure statement – copyright issue ABA
• Certificate profile – tabled – resurrected
• Grid common naming practices – tabled
• OCSP service requirements
• Authentication Profiles - New

TERENA

How TERENA can help: Grids and NRENs

International trusted 3rd party.
• Trust anchor publishing
• Possible home for IGF
• Expanded support for global Identity operations. Primarily a publishing model.

Possible coordination point for Grids and NRENs
• Avoid development of separate but equal services.
• Resource Location
• Authentication Profiles document

Resource Location

Resource location is mostly controlled by resource owners – Sites and Grids. No common publishing or access model.

Each has developed solutions for their community. Motivation to change is low.

Shared resources may be an opportunity to develop common practices.
• PMAs, Certificate Authorities, etc.

How can we approach this problem?
• Directed publishing model – chain of webs
• Rooted LDAP directory tree – serves all players.

Why Authentication Profiles?

New Authentication services will fragment the current global trust model.

Yet, we must allow for innovations in Authentication services.
• Classic PKI procrustean bed no longer works.

Currently a draft GGF informational doc.

Authentication Profile: what is in it?

Authentication Services must provide basic information on:
• The governance of the authentication service.
• A set of membership and operational requirements.
• A publishing model that Relying parties can trust.

General Federation Document

1. Federation definition - description
2. General architecture
3. Identity management
4. Operational requirements
5. Site security
6. Publication and repository responsibilities
7. Liability
8. Financial responsibilities
9. Audits and compliance
10. Privacy and confidentiality
11. Compromise and disaster recovery
12. Federation administration

New Authentication services

New Federations and AuthN services efforts

SIPS - Site Integrated Proxy services
• KCA example

Site SSL support - Host certificate service
• Grids and NRENs exploring separate solutions.

RAF - RADIUS Authentication Fabric

Expand scope of DOEGrids

Site Integrated Proxy services: KCA example

Figure (diagram not preserved in the transcript): Site Kerberos KDC; Proxy generator KCA; Access Grid resources.

Synopsis of steps for Grid User:
1. Register with Fermilab
   1. Get your Fermilab VID
   2. Get your Kerberos Principal
2. Install the Fermilab KCA certificate and signing policy;
3. Install the KCA client software;
4. Generate proxy, access Grid.

Access Grid resources

SSL Service Federation

Figure (diagram not preserved in the transcript): ESnet SSL Federation CA; Site or Organization Web servers; System Admin.

Synopsis of steps for System Admin:
Register with ESnet:
1. Get your ESnet Grid Admin account
2. Request and self approve host certificates.

Replaces:
a. Self signed certificates
b. Commercial providers

Requires: the Browser providers to add the SSL CA cert to their trusted list of CAs – this is to stop security warning pop-ups.

Radius Authentication Fabric with OTP support

Figure (diagram not preserved in the transcript): ESnet RAF Federation. Sites NERSC, ANL, ORNL and PNNL, each with an OTP Service and a RADIUS server (r); a federation RADIUS server (R) with the Realms anl.gov, nersc.gov, pnnl.gov, ornl.gov and es.net; the realm list anl.gov, nersc.gov, pnnl.gov, ornl.gov repeated at each site's RADIUS server; a RADIUS App.
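What makes the fabric in the diagram work is that the user name carries a realm and the federation RADIUS server only routes on that realm; the OTP seed and the decision stay at the user's home site. The following is an added example written for this page, not ESnet's RAF software: sites are plain Python objects rather than RADIUS servers, the site OTP service is modelled with HOTP (RFC 4226), which the slides do not specify and is chosen here only because its test vectors are published, and the user name and seed are constructed. The realm names are the ones shown in the diagram.

```python
"""
Constructed example of realm-based routing in a RADIUS Authentication Fabric.

  - SiteOtpService: the per-site OTP service; it alone holds seeds and counters.
  - RafProxy: the federation RADIUS server; it holds a realm table and no secrets.
  - split_nai: extracts the realm from a 'user@realm' name (RFC 4282 NAI form).

HOTP is used as a stand-in for whatever OTP product a site runs (assumption).
"""
import hashlib
import hmac
import struct
from typing import Dict, Optional, Tuple


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


class SiteOtpService:
    """A site's own OTP service. Seeds never leave this object."""

    def __init__(self, realm: str, look_ahead: int = 5):
        self.realm = realm
        self.look_ahead = look_ahead          # tolerated counter drift
        self._users: Dict[str, Tuple[bytes, int]] = {}

    def enrol(self, user: str, secret: bytes) -> None:
        self._users[user] = (secret, 0)

    def verify(self, user: str, code: str) -> bool:
        entry = self._users.get(user)
        if entry is None:
            return False
        secret, counter = entry
        for c in range(counter, counter + self.look_ahead):
            if hmac.compare_digest(hotp(secret, c), code):
                # Move past the used counter: a replayed OTP is never accepted twice.
                self._users[user] = (secret, c + 1)
                return True
        return False


def split_nai(user_name: str) -> Optional[Tuple[str, str]]:
    """Split 'user@realm'; None if there is no usable realm to route on."""
    if "@" not in user_name:
        return None
    user, realm = user_name.rsplit("@", 1)
    realm = realm.strip().rstrip(".").lower()
    if not user or not realm:
        return None
    return user, realm


class RafProxy:
    """The federation RADIUS server: routes by realm, keeps no user secrets."""

    def __init__(self) -> None:
        self._realms: Dict[str, SiteOtpService] = {}

    def register(self, site: SiteOtpService) -> None:
        self._realms[site.realm] = site

    def site(self, realm: str) -> SiteOtpService:
        return self._realms[realm]

    def access_request(self, user_name: str, password: str) -> str:
        parsed = split_nai(user_name)
        if parsed is None:
            return "Access-Reject"   # no realm: nothing to route to, and no default realm is assumed
        user, realm = parsed
        home = self._realms.get(realm)
        if home is None:
            return "Access-Reject"   # realm is not a member of the federation
        return "Access-Accept" if home.verify(user, password) else "Access-Reject"


def build_demo_federation() -> RafProxy:
    """Realms from the slide; the user 'alice' and her seed (the RFC 4226 test secret) are constructed."""
    proxy = RafProxy()
    for realm in ("anl.gov", "nersc.gov", "pnnl.gov", "ornl.gov", "es.net"):
        proxy.register(SiteOtpService(realm))
    proxy.site("nersc.gov").enrol("alice", b"12345678901234567890")
    return proxy
```

Two behaviours are worth checking against such a proxy: a request with no realm or an unknown realm is rejected outright rather than being sent to a guessed default, and a code that was accepted once is rejected when replayed, because the home site, not the proxy, consumes it.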

DOEGrids PKI Security

Figure (diagram not preserved in the transcript), labels as shown:
• Offline Vaulted Root CA
• HSM / Hardware Security Modules
• Secure Data Center
• Building Security
• LBNL Site security
• Access controlled racks
• PKI Systems
• Internet
• Fire Wall
• Intrusion Detection
• Grid User