
IdM Campus Developers Meeting 12/05/07

Kerberos authentication servers (KDCs) move from AIX to Linux environment
CUWebAuth 2.0 and K4-K5 Upgrade
I2 Grouper rollout plans and Permit Server retirement
Active Directory plans
Questions?

OIT/CIT Security, Identity Management Team

Kerberos server changes Jan/Feb 2008

Kerberos authentication servers (KDCs) move from AIX to Linux environment.
Combines the need to replace aging hardware with CIT's planned retirement of AIX support.
Time to prepare if you maintain services that use CIT's authentication service (Kerberos) or manage firewalls on Cornell campus networks. Service owners will need to check certain system configurations and test their applications during December and the first week of January.
GuestID and ApplicantID authentication services are NOT impacted by this change.

Special Note
The Kerberos servers are having their IP addresses changed in order to move them to a separate subnet. We are using this opportunity to begin putting our authentication servers on a separate subnet which can be locked down more tightly than the one the KDCs are on now. The idea is to designate this subnet as one with tighter security requirements, rather than forcing all the services on the current net to conform to the higher requirements.

Key Dates
11/29/07 - CIT makes test instance available for campus testing
11/29/07 to 01/06/08 - Service owners do testing and configuration
01/06/08 - CIT moves primary Kerberos authentication server (KDC) to Linux
02/07/08 - CIT moves secondary KDC to Linux

Steps that service owners need to complete by 1/6/08

1) Make sure applications using CIT's authentication service are configured to use the hostnames for both the primary and secondary KDCs: kerberos.cit.cornell.edu and kerberos2.cit.cornell.edu
        o For Windows: krb5.ini and krb.con
        o For Linux, AIX, Solaris, and other Unix clones: krb5.conf and krb.conf. These are usually in /etc
        o Do not swap the order of the KDCs in the conf files

2) Make sure applications are NOT using the hardware names Zodiac1 or Zodiac2, or the IP addresses for those servers (132.236.61.52 and 132.236.228.25). If they are, re-configure them with the names in step 1 instead.

3) Add this new subnet to any firewall, ipsec, or ipfilter rules allowing traffic to the current KDCs: 132.236.200.0/24
   (This is in addition to the IP addresses for the current KDCs, 132.236.61.52 and 132.236.228.25.)

4) Verify test instances of your applications against the test KDCs:
      kerberos.test.login.cornell.edu
      kerberos2.test.login.cornell.edu
   Make sure authentication is working. If you experience any problems, report them to [email protected]

After February 7, 2008, when the cutover to the new KDCs should be complete, campus service owners and network administrators can safely modify rules to disallow the old KDCs.
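A pre-cutover check that walks steps 1 to 3 above, written for this page as an added example (it is not CIT's tooling). It parses the [realms] block of a krb5.conf-style file (the Kerberos 4 krb.conf format is not handled), flags Zodiac hardware names, hard-coded KDC addresses, missing entries and a swapped KDC order, and checks a firewall allow-list for the new 132.236.200.0/24 subnet while keeping the old addresses allowed until the Feb. 7 cutover. The realm name EXAMPLE.REALM and both sample configurations are constructed; the hostnames, addresses and subnet are the ones listed on this page.

```python
"""Pre-cutover check for the KDC move (added example, not CIT's own tooling).
Assumptions: the realm name EXAMPLE.REALM and the sample configurations below
are constructed; hostnames, addresses and the subnet are as given on the page.
"""
import ipaddress
import re

PRIMARY_KDC = "kerberos.cit.cornell.edu"
SECONDARY_KDC = "kerberos2.cit.cornell.edu"
EXPECTED_KDCS = [PRIMARY_KDC, SECONDARY_KDC]            # step 1, in this order
HARDWARE_NAMES = ("zodiac1", "zodiac2")                  # step 2: must not be used
OLD_KDC_IPS = ("132.236.61.52", "132.236.228.25")        # step 2: must not be used
NEW_KDC_NET = ipaddress.ip_network("132.236.200.0/24")   # step 3: must be allowed


def kdc_entries(conf_text, realm):
    """Return the 'kdc =' values of one realm block in file order, ports stripped.

    Only the [realms] section of krb5.conf is parsed:
        [realms]
            REALM = {
                kdc = host[:port]
            }
    """
    section = current_realm = None
    kdcs = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()              # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, current_realm = line[1:-1].lower(), None
            continue
        if section != "realms":
            continue
        opened = re.match(r"^(\S+)\s*=\s*\{$", line)
        if opened:
            current_realm = opened.group(1)
        elif line == "}":
            current_realm = None
        elif current_realm == realm:
            kdc = re.match(r"^kdc\s*=\s*(\S+)", line, re.IGNORECASE)
            if kdc:
                kdcs.append(kdc.group(1).split(":")[0])
    return kdcs


def check_kdcs(kdcs):
    """Findings for steps 1 and 2; an empty list means the realm block is ready."""
    findings = []
    hosts = [h.lower() for h in kdcs]
    for host in hosts:
        if host.split(".")[0] in HARDWARE_NAMES:
            findings.append(f"hardware name in use: {host}")
        if host in OLD_KDC_IPS:
            findings.append(f"hard-coded KDC address in use: {host}")
    for expected in EXPECTED_KDCS:
        if expected not in hosts:
            findings.append(f"missing KDC entry: {expected}")
    if [h for h in hosts if h in EXPECTED_KDCS] == EXPECTED_KDCS[::-1]:
        findings.append("KDC order is swapped: the primary must be listed first")
    return findings


def check_firewall(allowed_cidrs, cutover_complete=False):
    """Findings for step 3: the new /24 must be allowed, and the old addresses
    must stay allowed until the secondary KDC has moved (Feb. 7, 2008)."""
    nets = [ipaddress.ip_network(c, strict=False) for c in allowed_cidrs]
    nets = [n for n in nets if n.version == 4]
    findings = []
    if not any(NEW_KDC_NET.subnet_of(n) for n in nets):
        findings.append(f"firewall does not allow the new KDC subnet {NEW_KDC_NET}")
    if not cutover_complete:
        for ip in OLD_KDC_IPS:
            if not any(ipaddress.ip_address(ip) in n for n in nets):
                findings.append(f"firewall no longer allows current KDC {ip}")
    return findings


def check_service(conf_text, allowed_cidrs, realm="EXAMPLE.REALM", cutover_complete=False):
    """All findings for one service; [] means it is ready for the cutover."""
    return check_kdcs(kdc_entries(conf_text, realm)) + check_firewall(allowed_cidrs, cutover_complete)


# Constructed sample: the stale configuration step 2 warns about.
STALE_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.REALM

[realms]
    EXAMPLE.REALM = {
        kdc = Zodiac1.cit.cornell.edu     # hardware name
        kdc = 132.236.228.25:88           # hard-coded address
    }
"""

# Constructed sample: what step 1 asks for.
READY_CONF = """\
[realms]
    EXAMPLE.REALM = {
        kdc = kerberos.cit.cornell.edu
        kdc = kerberos2.cit.cornell.edu
    }
"""

if __name__ == "__main__":
    old_rules = ["132.236.61.52/32", "132.236.228.25/32"]
    for finding in check_service(STALE_CONF, old_rules):
        print("FAIL:", finding)
    print("ready:", check_service(READY_CONF, old_rules + ["132.236.200.0/24"]) == [])
```

Run it against each service's real krb5.conf and the host's allow-list before 1/6/08; once the secondary has moved on 2/7/08, pass cutover_complete=True and the old /32 rules can be dropped without a finding.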

Steps that CIT will be taking to ensure as smooth a cutover as possible

CIT will modify CIT-maintained ACLs to allow traffic from the new KDCs and will notify network administrators.
After Feb. 7, 2008, when the cutover to the new KDCs should be complete, CIT will modify ACLs to disallow the old KDCs and will notify network administrators.
CIT will test whether the change will be transparent for the standard Windows and Macintosh firewall configurations.
CIT will monitor logs on the secondary KDC after the cutover of the primary KDC to identify applications that have not yet been configured for the new KDCs. CIT will contact the individuals responsible for these hosts to help them make the necessary changes.
CIT will send additional communications and reminders as key dates approach.
CIT will send general campus communications regarding the change and what people can expect on each cutover date.

Still awake? This information is available at
http://identity.cit.cornell.edu/KDC_move/index.html

Jan. 15, ’08 - CUWAL2 available for early testing

* Jan. 15, ’08 - CUWebLogin server
          o Completed internal testing.
          o Ready for user testing.
          o Features available...
                + Basic login page.
                + Proxy support (KPA equivalent).
          o Features missing...
                + HA.
                + U/I approval
                + Security Audit

* Jan. 15, ’08 - CUWebAuth for Apache/Solaris
          o Features available...
                + Proxy support (KPA equivalent)
                + POST data
          o Features missing...
                + Permit/Grouper support
                + HA.
                + Security Audit

March 15, ’08 - CUWAL2 Go Live

* Feb. 15, ’08 - CUWAL2 Beta 2
          o Fail over up and running
* March 01, ’08 - CUWebLogin Release Candidate
          o U/I has been vetted and approved by appropriate channels
          o Security Audit completed
* March 01, ’08 - CUWebAuth Release Candidate
          o Permit/Grouper support
          o Security Audit completed
* March 15, ’08 - CUWebLogin and CUWebAuth Go Live

Where Are We Now?

(Timeline slide: month axis running Dec through the following Jan, with 2008 marked. Labels on the slide: You Are Here; A whole bunch of stuff happens (see previous slides); PS Student Launch; K4 Shutdown; Discretionary migration window; Campus Rollout Complete.)

Grouper Update

Permit migration application is written and tested against the complete permit database, including the 190,000+ cu.alumni permit.
LDAP Provisioning connector tested. Still some issues to iron out with respect to large permits like cu.alumni.

Grouper Update cont’d

Performance release from Internet2 released before Christmas.
Permitg, the permit shim, is ready for load testing.
Currently Grouper is being used in production at Brown and Duke.

Grouper update cont’d

End to end testing through each of the three gates and along all paths completed about a month ago.
Paths and gates? (See next slide)

Grouper Update cont’d

Now in the process of moving everything to test environment.
Load test plan is done.
A few minor details to iron out before load testing.
Deployment: January/February 2008? We’ll give you plenty of notice!
You won’t have to do anything except help us test.

Grouper org tree

Goals
  Institutional view + local flexibility
  Consistency in naming convention for common demographic groups and business functions
  Mechanism for delegating admin rights for group management

Solution
  Use view developed by Institutional Planning and Research
  Define limited set of unit stems, substems and groups

Example using CALS (bracketed names are groups; the others are stems)

cu:cuunits:cals
  :admin
  :admin:[finance]
  :admin:[facilities]
  :admin:[it]
  :admin:[hr]
  :admin:[bsc]
  :[staff]

Example using CALS

cu:cuunits:cals
  :acadsvcs
  :staff:[nonacad]
  :staff:[acad]
  :staff:[faculty]
  :[students]

Example using CALS

cu:cuunits:cals
  xxx:[yyy] - local units define substem and group
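As an added example (not Grouper's own privilege model and not CIT's migration code), here is a small model of the convention the three CALS examples illustrate and of the unit-admin delegation it enables: parse a name under cu:cuunits into its unit and the rest, classify it as a standard institutional group, a unit-local substem:group, or a convention violation, and allow a management request only when the requester is a named admin of the owning unit. The standard names come from the CALS slides. Two assumptions are made here: that the common substems are reserved for the standard names, and that local groups sit exactly one unit-defined substem below the unit (the xxx:[yyy] pattern); the admin identities and the "extension" substem in the sample are made up.

```python
"""Model of the cu:cuunits naming convention and unit-admin delegation
(added example; not Grouper's API and not CIT's code)."""
UNIT_ROOT = "cu:cuunits"

# Standard substems and groups shown on the CALS slides (bracketed names on
# the slides are groups, the rest are stems). Assumption: common substems are
# reserved for these standard names; unit-local groups go under a substem the
# unit defines itself, i.e. the xxx:yyy pattern on the third slide.
COMMON_STEMS = {"admin", "acadsvcs", "staff"}
COMMON_GROUPS = {
    "admin:finance", "admin:facilities", "admin:it", "admin:hr", "admin:bsc",
    "staff", "staff:nonacad", "staff:acad", "staff:faculty", "students",
}


def split_unit_name(name):
    """Split 'cu:cuunits:<unit>:<rest>' into (unit, rest); None if outside cu:cuunits."""
    parts = name.split(":")
    root = UNIT_ROOT.split(":")
    if parts[:len(root)] != root or len(parts) < len(root) + 2 or "" in parts:
        return None
    return parts[len(root)], ":".join(parts[len(root) + 1:])


def classify(name):
    """'common' for a standard institutional group, 'local' for a unit-defined
    substem:group, 'invalid' when the name breaks the convention."""
    split = split_unit_name(name)
    if split is None:
        return "invalid"
    _, rest = split
    if rest in COMMON_GROUPS:
        return "common"
    components = rest.split(":")
    if len(components) != 2:
        return "invalid"      # a local group needs exactly one local substem
    if components[0] in COMMON_STEMS:
        return "invalid"      # common substems hold only the standard groups
    return "local"


def may_manage(unit_admins, user, name):
    """Least-privilege rule: a unit admin may act only under their own unit's stem."""
    split = split_unit_name(name)
    if split is None:
        return False
    unit, _ = split
    return user in unit_admins.get(unit, set())


def check_request(unit_admins, user, name):
    """Decide a group-management request: (allowed, reason)."""
    kind = classify(name)
    if kind == "invalid":
        return False, f"{name!r} does not follow the cu:cuunits naming convention"
    if not may_manage(unit_admins, user, name):
        return False, f"{user!r} is not an admin of the unit that owns {name!r}"
    return True, f"{kind} group"


# Constructed sample: two named admins per unit, as the slides recommend.
# The user identifiers are made up for this example.
UNIT_ADMINS = {"cals": {"cals-admin1", "cals-admin2"}, "ece": {"ece-admin1"}}

if __name__ == "__main__":
    for user, name in [("cals-admin1", "cu:cuunits:cals:admin:finance"),
                       ("cals-admin1", "cu:cuunits:cals:extension:volunteers"),
                       ("cals-admin1", "cu:cuunits:cals:volunteers"),
                       ("cals-admin1", "cu:cuunits:ece:admin:finance")]:
        print(user, name, check_request(UNIT_ADMINS, user, name))
```

The ownership check is driven purely by the unit component of the name, which is what makes a limited, consistent stem layout a security property and not only a tidiness one: a request outside cu:cuunits or under another unit's stem is refused before any naming rule is consulted.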

Assigning unit admins

Communication with ITMC rep and IT Security liaison
Request to name two primary administrators for unit
Recommend ITMC rep or IT security liaison as one administrator

Unit admin role

Delegate rights to others in the unit as appropriate
Developing, maintaining standards for naming below the unit level
Developing consistent criteria for membership in groups common to all units
Requesting replacement admins as needed

Active Directory Plans

CIT Senior Management Group approval
  Move forward with project initiation plan
  1 FTE for Identity Management to support service, contingent on approval of plan

Planning progress
  Interviews with steering committee members complete
  Draft requirements document and draft initiation plan due to steering committee and CIT stakeholders Dec. 6

Requirements: highlights

Flexibility in service offerings (OU, child domain, other)
Client support: Windows, Mac, Unix, mobile; remote and roaming users
Service offerings must be clearly described so customers can make the right choice
People who don’t qualify for a NetID need access

Requirements: highlights

Service must accommodate existing services which potential customers have already implemented: SMS, DFS, Configuration Manager, WSUS
Common thread in interviews was interest in future use of smart cards
Active Directory governance group

Active Directory next steps

Availability of first version of requirements document to campus in December
Completion and submission of initiation plan with assistance from CIT-assigned project manager in January
Quarterly AD SIG start up in January – discuss requirements at first meeting
Approval and identification of start date

Active Directory – keeping in touch

Subscribe to activedir-l
Watch for SIG meeting announcements and other news on discussion list

AD project steering committee

Brian Roma – Alumni Affairs
Jason Seymour – ECE
Keene Silfer – University Libraries
Dan Elswit/Tom Dunn (primary & backup) – CALS
Karlis Musa/David Bosch (primary & backup) – Cornell Nanoscale Facility
Kevin Baradet – JGSM
William Law – Theory Center
Philip Halcomb – Mann Library
Kim Burlingame – CISER
Shijie Yang – Wilson Synchrotron

http://identity.cit.cornell.edu/projects/index.html

Identity Management

[email protected]