IdM Campus Developers Meeting 12/05/07
* Kerberos authentication servers (KDCs) move from AIX to Linux environment
* CUWebAuth 2.0 and K4-K5 Upgrade
* I2 Grouper rollout plans and Permit Server retirement
* Active Directory plans
* Questions?
OIT/CIT Security, Identity Management Team
Kerberos server changes Jan/Feb 2008
Kerberos authentication servers (KDCs) move from AIX to Linux environment. This combines the need to replace aging hardware with CIT's planned retirement of AIX support.
Time to prepare if you maintain services that use CIT's authentication service (Kerberos) or manage firewalls on Cornell campus networks. Service owners will need to check certain system configurations and test their applications during December and the first week of January.
GuestID and ApplicantID authentication services are NOT impacted by this change.
Special Note
The Kerberos servers are having their IP addresses changed in order to move them to a separate subnet. We are using this opportunity to begin putting our authentication servers on a separate subnet which can be locked down more tightly than the one the KDCs are on now. The idea is to designate this subnet as one with tighter security requirements, as opposed to forcing all the services on the current net to conform to the higher requirements.
Key Dates
* 11/29/07 - CIT makes test instance available for campus testing
* 11/29/07 to 01/06/08 - Service owners do testing and configuration
* 01/06/08 - CIT moves primary Kerberos authentication server (KDC) to Linux
* 02/07/08 - CIT moves secondary KDC to Linux
Steps that service owners need to complete by 1/6/08
1) Make sure applications using CIT's authentication service are configured to use the hostnames for both the primary and secondary KDCs: kerberos.cit.cornell.edu and kerberos2.cit.cornell.edu
   o For Windows: krb5.ini and krb.con
   o For Linux, AIX, Solaris, and other Unix clones: krb5.conf and krb.conf. These are usually in /etc
   o Do not swap the order of the KDCs in the conf files
2) Make sure applications are NOT using the hardware names Zodiac1 or Zodiac2, or the IP addresses for those servers (132.236.61.52 and 132.236.228.25). If they are, re-configure them with the names in step 1 instead.
3) Add this new IP address range to any firewall, ipsec, or ipfilter rules allowing traffic to the current KDCs: 132.236.200.0/24 (This is in addition to the IP addresses for the current KDCs, 132.236.61.52 and 132.236.228.25.)
4) Verify test instances of your applications against the test KDCs: kerberos.test.login.cornell.edu and kerberos2.test.login.cornell.edu. Make sure authentication is working. If you experience any problems, report them to [email protected]
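As an added check for steps 1 and 2 (this is example code, not part of the CIT notice), the script below parses the [realms] section of a Unix krb5.conf and reports whether the realm lists kerberos.cit.cornell.edu before kerberos2.cit.cornell.edu and whether any kdc line still references Zodiac1, Zodiac2 or the old IP addresses. The realm name EXAMPLE.REALM and the two sample files are constructed placeholders.

```python
import re

# Hostnames, old hardware names and IPs come from the CIT notice; the realm
# name EXAMPLE.REALM used in the sample is a placeholder, not from the slides.
REQUIRED_KDCS = ["kerberos.cit.cornell.edu", "kerberos2.cit.cornell.edu"]
RETIRED_REFS = {"zodiac1", "zodiac2", "132.236.61.52", "132.236.228.25"}

def parse_realms(conf_text):
    """Return {REALM: [kdc host, ...]} from the [realms] section (MIT layout)."""
    realms, section, realm = {}, None, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments, whitespace
        header = re.match(r"\[(\w+)\]$", line)
        if header:
            section = header.group(1)
        elif section != "realms":
            continue
        elif re.match(r"[\w.\-]+\s*=\s*\{$", line):  # REALM = {
            realm = line.split("=")[0].strip()
            realms[realm] = []
        elif line == "}":
            realm = None
        elif realm is not None:
            kdc = re.match(r"kdc\s*=\s*([^\s:]+)", line)  # ignore any :port
            if kdc:
                realms[realm].append(kdc.group(1).lower())
    return realms

def check_kdc_config(conf_text, realm):
    """Findings for steps 1 and 2 of the notice; an empty list means compliant."""
    kdcs = parse_realms(conf_text).get(realm, [])
    findings = []
    if [k for k in kdcs if k in REQUIRED_KDCS] != REQUIRED_KDCS:
        findings.append("kdc lines must list %s in that order; found %s"
                        % (REQUIRED_KDCS, kdcs))
    for k in kdcs:
        if k in RETIRED_REFS or k.split(".")[0] in RETIRED_REFS:
            findings.append("retired hardware name or IP used as kdc: " + k)
    return findings

# Constructed sample: the compliant form, then one still pointing at an old IP.
GOOD_CONF = """
[realms]
    EXAMPLE.REALM = {
        kdc = kerberos.cit.cornell.edu:88
        kdc = kerberos2.cit.cornell.edu
    }
"""
STALE_CONF = GOOD_CONF.replace("kerberos.cit.cornell.edu:88", "132.236.61.52")
```

Run check_kdc_config(open("/etc/krb5.conf").read(), "<your realm>") on each host; step 3 (firewall rules) and step 4 (testing against the test KDCs) still have to be done by hand.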
After February 7, 2008, when the cutover to the new KDCs should be complete, campus service owners and network administrators can safely modify rules to disallow the old KDCs.
Steps that CIT will be taking to ensure as smooth a cutover as possible
* CIT will modify CIT-maintained ACLs to allow traffic from the new KDCs and will notify network administrators.
* After Feb. 7, 2008, when the cutover to the new KDCs should be complete, CIT will modify ACLs to disallow the old KDCs and will notify network administrators.
* CIT will test whether the change will be transparent for the standard Windows and Macintosh firewall configurations.
* CIT will monitor logs on the secondary KDC after the cutover of the primary KDC to identify applications that have not yet been configured for the new KDCs. CIT will contact the individuals responsible for these hosts to help them make the necessary changes.
* CIT will send additional communications and reminders as key dates approach.
* CIT will send general campus communications regarding the change and what people can expect on each cutover date.
Still awake? This information is available at
http://identity.cit.cornell.edu/KDC_move/index.html
Jan. 15, ’08 - CUWAL2 available for early testing
* Jan. 15, ’08 - CUWebLogin server
  o Completed internal testing.
  o Ready for user testing.
  o Features available...
    + Basic login page.
    + Proxy support (KPA equivalent).
  o Features missing...
    + HA.
    + U/I approval
    + Security Audit
* Jan. 15, ’08 - CUWebAuth for Apache/Solaris
  o Features available...
    + Proxy support (KPA equivalent)
    + POST data
  o Features missing...
    + Permit/Grouper support
    + HA.
    + Security Audit
March 15, ’08 - CUWAL2 Go Live
* Feb. 15, ’08 - CUWAL2 Beta 2
  o Fail over up and running
* March 01, ’08 - CUWebLogin Release Candidate
  o U/I has been vetted and approved by appropriate channels
  o Security Audit completed
* March 01, ’08 - CUWebAuth Release Candidate
  o Permit/Grouper support
  o Security Audit completed
* March 15, ’08 - CUWebLogin and CUWebAuth Go Live
Where Are We Now?
[Timeline slide, Dec 2007 through Jan 2009, with the labels: PS Student Launch; K4 Shutdown; Discretionary migration window; 2008; Campus Rollout Complete; You Are Here; A whole bunch of stuff happens (see previous slides)]
Grouper Update
* Permit migration application is written and tested against the complete permit database, including the 190,000+ cu.alumni permit.
* LDAP Provisioning connector tested. Still some issues to iron out with regard to large permits like cu.alumni.
Grouper Update cont’d
* Performance release from Internet2 released before Christmas.
* Permitg, the permit shim, is ready for load testing.
* Currently Grouper is being used in production at Brown and Duke.
Grouper Update cont’d
* End to end testing through each of the three gates and along all paths completed about a month ago.
* Paths and gates? (See next slide)
Grouper Update cont’d
* Now in the process of moving everything to the test environment.
* Load test plan is done.
* A few minor details to iron out before load testing.
* Deployment: January/February 2008? We’ll give you plenty of notice!
* You won’t have to do anything except help us test.
Grouper org tree
Goals
* Institutional view + local flexibility
* Consistency in naming convention for common demographic groups and business functions
* Mechanism for delegating admin rights for group management
Solution
* Use view developed by Institutional Planning and Research
* Define limited set of unit stems, substems and groups
Example using CALS
cu:cuunits:cals
  :admin
    :admin:[finance]
    :admin:[facilities]
    :admin:[it]
    :admin:[hr]
    :admin:[bsc]
  :[staff]
Example using CALS
cu:cuunits:cals
  :acadsvcs
    :staff:[nonacad]
    :staff:[acad]
    :staff:[faculty]
  :[students]
Assigning unit admins
* Communication with ITMC rep and IT Security liaison
* Request to name two primary administrators for unit
* Recommend ITMC rep or IT security liaison as one administrator
Unit admin role
* Delegate rights to others in the unit as appropriate
* Developing, maintaining standards for naming below the unit level
* Developing consistent criteria for membership in groups common to all units
* Requesting replacement admins as needed
Active Directory Plans
* CIT Senior Management Group approval
  o Move forward with project initiation plan
  o 1 FTE for Identity Management to support service, contingent on approval of plan
* Planning progress
  o Interviews with steering committee members complete
  o Draft requirements document and draft initiation plan due to steering committee and CIT stakeholders Dec. 6
Requirements: highlights
* Flexibility
  o In service offerings (OU, child domain, other)
  o Client support: Windows, Mac, Unix, mobile
  o Remote and roaming users
* Service offerings must be clearly described so customers can make the right choice
* People who don’t qualify for a NetID need access
Requirements: highlights
* Service must accommodate existing services which potential customers have already implemented: SMS, DFS, Configuration Manager, WSUS
* Common thread in interviews was interest in future use of smart cards
* Active Directory governance group
Active Directory next steps
* Availability of first version of requirements document to campus in December
* Completion and submission of initiation plan with assistance from CIT-assigned project manager in January
* Quarterly AD SIG start up in January – discuss requirements at first meeting
* Approval and identification of start date
Active Directory – keeping in touch
* Subscribe to activedir-l
* Watch for SIG meeting announcements and other news on discussion list
AD project steering committee
* Brian Roma – Alumni Affairs
* Jason Seymour – ECE
* Keene Silfer – University Libraries
* Dan Elswit/Tom Dunn (primary & backup) – CALS
* Karlis Musa/David Bosch (primary & backup) – Cornell Nanoscale Facility
* Kevin Baradet – JGSM
* William Law – Theory Center
* Philip Halcomb – Mann Library
* Kim Burlingame – CISER
* Shijie Yang – Wilson Synchrotron