Grid and NREN operational support
Tony Genovese, ATF team, ESnet
Lawrence Berkeley National Laboratory
February 2005, TERENA TF-EMC2

Outline
Background
• Authentication Services in Grids
• International Grid Federation
• Regional Grid Federations
• TERENA
International Grid Federation (IGF)
• Regional Policy Management Authorities (PMAs): EU Grid PMA, AP Grid PMA, The Americas Grid PMA
• Global Grid Forum efforts: Certificate Authority Operations WG
How TERENA helps: Grids and NRENs
Resource Location
Authentication Profiles
• Why authentication profiles?
• What is in it?
• General Federation document
If there is interest/time: Future Federations and AuthN services
• KCAs, Site Integrated Proxy services (SIPS), Site SSL/TLS support and RADIUS Authentication Fabric (RAF)

Current State of Affairs

Background: Authentication Services in Grids
• Grid Federations have separated the Authentication and Authorization problems.
• Resource owners are responsible for Authorization. They map an Authentication token to local access.
• Authentication service providers are responsible for providing Strong Authentication tokens (Certificates).
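The split the three bullets describe, as an added Python example that is not code from the slides or from ESnet: a CA accredited through a PMA vouches for the subject name, and the resource owner separately maps that name to a local account. The mapping table uses the Globus-style grid-mapfile format, which the slides do not name and is assumed here as the resource owner's local mechanism; the issuer DNs, subject DNs and account names are constructed sample data.

```python
"""Authentication/authorization split as a grid relying party sees it.

Added example (not from the slides).  The grid-mapfile format below is the
Globus Toolkit convention ("<quoted subject DN>" user[,user...]); the DNs
and accounts are constructed sample data, not real identities.
"""
from __future__ import annotations

import shlex
from dataclasses import dataclass

# Trust anchors the resource owner accepts, keyed by issuer DN.  In a real
# deployment this comes from the PMA-distributed list of trusted CAs;
# these entries are constructed.
TRUSTED_ISSUERS = {
    "/DC=org/DC=ExampleGrid/OU=Certificate Authorities/CN=Example Grid CA 1",
    "/C=XX/O=Example NREN/CN=Example NREN Academic CA",
}

# Constructed grid-mapfile.  One entry per line: a double-quoted subject DN,
# whitespace, then one or more comma-separated local account names.
GRID_MAPFILE = """
# resource owner's authorization table (constructed sample)
"/DC=org/DC=ExampleGrid/OU=People/CN=Alice Example 1234" alice
"/DC=org/DC=ExampleGrid/OU=People/CN=Bob Example 5678" bob,gridusers
"/C=XX/O=Example NREN/OU=People/CN=Carol Example" carol
"""


def parse_gridmap(text: str) -> dict[str, list[str]]:
    """Parse grid-mapfile text into {subject DN: [local accounts]}.

    Blank lines and '#' comments are ignored.  shlex handles the quoted DN
    (DNs contain spaces) and leaves the account list as the second token.
    A malformed line raises instead of silently mapping to nothing.
    """
    mapping: dict[str, list[str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line, comments=True)
        if len(tokens) != 2:
            raise ValueError(f"grid-mapfile line {lineno}: expected DN and account list")
        subject, accounts = tokens
        mapping[subject] = [a for a in accounts.split(",") if a]
    return mapping


@dataclass(frozen=True)
class Decision:
    authenticated: bool               # did a trusted CA vouch for the subject?
    local_accounts: tuple[str, ...]   # resource owner's mapping (empty = not authorized)
    reason: str


def decide(issuer_dn: str, subject_dn: str, gridmap: dict[str, list[str]]) -> Decision:
    """Two separate questions, answered in order.

    Authentication: is the token issued by a CA on the trusted list?
    (Chain, signature and CRL checks are assumed done before this point;
    only the issuer-membership check is shown.)
    Authorization: does the resource owner map this subject to an account?
    """
    if issuer_dn not in TRUSTED_ISSUERS:
        return Decision(False, (), "issuer not in trusted CA list")
    accounts = gridmap.get(subject_dn)
    if not accounts:
        return Decision(True, (), "authenticated, but no local mapping")
    return Decision(True, tuple(accounts), "mapped to local account(s)")
```

The two failure modes are deliberately distinct: an unknown issuer never reaches the mapping step, while a subject from a trusted CA with no grid-mapfile entry is authenticated yet gets no local access, which is exactly the resource owner's decision to make.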
International Grid Federation
• March 2003, Tokyo
• Promote and coordinate Regional Policy Management Authorities.
• Next meeting at GGF13, Seoul, S Korea.
• European Union Grid PMA – community lead organization
• Asian Pacific Grid PMA
• The Americas Grid PMA
TERENA
• International trusted 3rd party.
• Trust anchors for NRENs

International Grid Federation
Set up in March 2003 – the Tokyo accord. WWW.GridPMA.org
Goals
• Promote trust peering between The Americas, European and Asian Pacific communities.
  EU Grid Policy Management Authority
  • EGEE: Enabling Grids for E-science in Europe
  Asian Pacific Policy Management Authority
  • APGrid: National Institute of Advanced Industrial Science and Technology
  The Americas Grid PMA – new
  • Canada and USA (DOE)
• Promotes the establishment of top level CA registries: trusted 3rd party repositories needed for the establishment of trust.
• Root CA certificates, CA repositories and CRL publishing points.
  EU Grid PMA registry – de facto (CNRS: French National Center for Scientific Research)
  Asian Pacific CA registry (AP PMA)
  TERENA TACAR (TERENA Academic CA Repository)
• Use Global Grid Forum for publishing Standards and community best practices.

Regional PMAs
EU Grid PMA (www.eugridpma.org)
• Represents CA and Relying parties.
• 26 country level CAs, plus US members
• Manages the de facto minimum CA operational requirements.
• Manages the primary list of trusted CAs.
Asian Pacific Grid PMA (www.apgridpma.org)
• Formed Summer of 2004
• Represents CA and Relying parties.
• 12 country level CAs, and SDSC
• Minimum operational requirement synced with EU's
The Americas Grid PMA (www.TAGPMA.org)
• Started Fall 2004
• Represents CA and Relying parties.
• Represents CAs from Research and Academic communities in the Americas.
• Investigates alternative Authentication services.
• Will produce new Minimum Operational requirements for On line CAs.

Global Grid Forum
GGF efforts are driven by our community requirements.
Developing International trust relationships has shown a need for common, agreed upon practices.
Community Documents
• Grid CP/CPS
• Policy Management authority
• PKI Disclosure statement – copyright issue (ABA)
• Certificate profile – tabled – resurrected
• Grid common naming practices – tabled
• OCSP service requirements
• Authentication Profiles – new

How TERENA can help: Grids and NRENs
International trusted 3rd party.
• Trust anchor publishing
• Possible home for IGF
• Expanded support for global Identity operations. Primarily a publishing model.
Possible coordination point for Grids and NRENs
• Avoid development of separate but equal services.
• Resource Location
• Authentication Profiles document

Resource Location
Resource location is mostly controlled by resource owners – Sites and Grids. There is no common publishing or access model.
Each has developed solutions for their own community. Motivation to change is low.
Shared resources may be an opportunity to develop common practices.
• PMAs, Certificate Authorities, etc.
How can we approach this problem?
• Directed publishing model – chain of webs
• Rooted LDAP directory tree – serves all players.

Why Authentication Profiles?
New Authentication services will fragment the current global trust model.
Yet, we must allow for innovations in Authentication services.
• The classic PKI procrustean bed no longer works.
Currently a draft GGF informational doc.

Authentication Profile: what is in it?
Authentication Services must provide basic information on:
• The governance of the authentication service.
• A set of membership and operational requirements.
• A publishing model that Relying parties can trust.

General Federation Document
1. Federation definition – description
2. General architecture
3. Identity management
4. Operational requirements
5. Site security
6. Publication and repository responsibilities
7. Liability
8. Financial responsibilities
9. Audits and compliance
10. Privacy and confidentiality
11. Compromise and disaster recovery
12. Federation administration

New Authentication services

New Federations and AuthN services efforts
SIPS – Site Integrated Proxy services
• KCA example
Site SSL support – Host certificate service
• Grids and NRENs exploring separate solutions.
RAF – RADIUS Authentication Fabric
• Expand scope of DOEGrids

Site Integrated Proxy services: KCA example
[Diagram: Site Kerberos KDC; Proxy generator (KCA); Access Grid resources]
Synopsis of steps for Grid User:
1. Register with Fermilab
   1. Get your Fermilab VID
   2. Get your Kerberos Principal
2. Install the Fermilab KCA certificate and signing policy;
3. Install the KCA client software;
4. Generate proxy, access Grid

SSL Service Federation
[Diagram: ESnet SSL Federation CA; Site or Organization Web servers; System Admin]
Synopsis of steps for System Admin:
Register with ESnet:
1. Get your ESnet Grid Admin account
2. Request and self approve host certificates.
Replaces:
a. Self signed certificates
b. Commercial providers
Requires: the Browser providers to add the SSL CA cert to their trusted list of CAs – this is to stop security warning pop-ups.

RADIUS Authentication Fabric with OTP support
[Diagram: ESnet RAF Federation. Sites NERSC, ANL, ORNL and PNNL each run a site RADIUS server (r) and an OTP Service; a federation RADIUS server (R) connects them. Realms: anl.gov, nersc.gov, pnnl.gov, ornl.gov, es.net. Client: RADIUS App.]
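The fabric in the diagram, as an added Python example that is not code from the slides or from ESnet: each site keeps its own RADIUS server and OTP service for its realm, and the federation server forwards an Access-Request to the site that owns the realm in the User-Name. The realm names are taken from the slide; the user names, secrets, the use of HOTP (RFC 4226) as the OTP algorithm, and the look-ahead window are assumptions made for the example. There is no network I/O: each RADIUS hop is a function call.

```python
"""Realm-based routing in a RADIUS authentication fabric with OTP.

Added example (not from the slides).  Realms are from the slide; users,
secrets and the HOTP choice are constructed assumptions.
"""
from __future__ import annotations

import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


class SiteOtpService:
    """A site's OTP service: per-user HOTP secret and counter, with a look-ahead window."""

    def __init__(self, users: dict[str, bytes], window: int = 5):
        self.secrets = users
        self.counters = {u: 0 for u in users}
        self.window = window

    def verify(self, user: str, code: str) -> bool:
        secret = self.secrets.get(user)
        if secret is None:
            return False
        start = self.counters[user]
        for c in range(start, start + self.window):
            if hmac.compare_digest(hotp(secret, c), code):
                self.counters[user] = c + 1   # consume the code: a replay is rejected
                return True
        return False


class SiteRadiusServer:
    """The 'r' box at a site: answers for its own realm only."""

    def __init__(self, realm: str, otp: SiteOtpService):
        self.realm = realm
        self.otp = otp

    def access_request(self, user: str, realm: str, password: str) -> str:
        if realm != self.realm:
            return "Access-Reject"
        return "Access-Accept" if self.otp.verify(user, password) else "Access-Reject"


class FederationRadiusServer:
    """The 'R' box: split User-Name into user@realm and forward to the owning site."""

    def __init__(self, sites: dict[str, SiteRadiusServer]):
        self.sites = sites

    def access_request(self, user_name: str, password: str) -> str:
        if user_name.count("@") != 1:
            return "Access-Reject"            # no realm: nowhere to route
        user, realm = user_name.rsplit("@", 1)
        realm = realm.lower()
        site = self.sites.get(realm)
        if site is None:
            return "Access-Reject"            # realm not in the federation
        return site.access_request(user, realm, password)


# Constructed fabric: the realms from the slide, one user per site.
SECRETS = {
    "anl.gov": {"auser": b"anl-demo-secret-1"},
    "nersc.gov": {"nuser": b"nersc-demo-secret-2"},
    "pnnl.gov": {"puser": b"pnnl-demo-secret-3"},
    "ornl.gov": {"ouser": b"ornl-demo-secret-4"},
}


def build_fabric() -> FederationRadiusServer:
    sites = {realm: SiteRadiusServer(realm, SiteOtpService(users))
             for realm, users in SECRETS.items()}
    return FederationRadiusServer(sites)
```

The federation server never sees an OTP secret: it only knows which realm belongs to which site, so each site keeps control of its own users and their OTP state, and a code presented twice is rejected because the site's counter advances past it on first use.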