GridShib and MyProxy Grid Credential Management and Identity Federation Von Welch NCSA...
GridShib and MyProxy: Grid Credential Management and Identity Federation
Von Welch, NCSA
OGF19 http://myproxy.ncsa.uiuc.edu/ 2
Plug - Longer Talks
Wed @ 2-3:30pm
GridShib, MyProxy, GAARDS
Mountain Laurel
GridShib
dev.Globus Incubator Project
Collaborative between NCSA and U. Chicago
GridShib is a project funded by the NSF Middleware Initiative (NMI awards 0438424 and 0438385). Opinions and recommendations are those of the authors and do not necessarily reflect the views of the National Science Foundation.
Also many thanks to the Internet2 Shibboleth Project
What is GridShib?
Allows Shibboleth interoperability and SAML functionality in the Globus Toolkit
Allows GT to parse SAML attributes and use for authorization
Allows portals to embed Shibboleth attributes in Grid credentials
Allows conversion of Shibboleth authentication to Grid credentials
Software Components
GridShib for Globus Toolkit
GridShib for Shibboleth (includes GridShib Certificate Registry)
GridShib Certificate Authority
GridShib SAML Tools
GridShib for GT 0.5
GridShib for GT 0.5 announced Nov 30
Compatible with both GT4.0 and GT4.1
GT4.1 introduces a powerful authz framework
Separate binaries for each GT version
Source build auto-senses the target GT platform
New identity-based authorization feature
Uses grid-mapfile instead of DN ACLs
Logging enhancements
Bug fixes
GridShib for GT 0.5.1
GridShib for GT 0.5.1 (expected any day now)
Combined VOMS/SAML attribute-to-account mapping
As with the current gridmap situation, GT4.0.x deployments cannot take advantage of permit overrides or arbitrarily configured fallbacks
To accommodate this we'll allow for a name mapping scheme that checks in this order and continues to fall back if no match is found or no authz is granted: gridmap, VOMS, Shibboleth/SAML
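The fallback order on this slide (grid-mapfile first, then VOMS, then Shibboleth/SAML, deny if nothing matches) as an added, illustrative example; this is not GridShib's own code. The grid-mapfile lines follow the standard quoted-DN-then-account format; the VOMS FQAN rules and SAML attribute rules are constructed sample policy, not GridShib's configuration syntax, and all DNs and accounts below are constructed.

```python
"""Illustrative fallback account mapping: gridmap, then VOMS, then SAML.

Added example (not GridShib's code). The chain tries the grid-mapfile first,
falls back to a VOMS FQAN rule, then to a SAML attribute rule, and denies
(returns no account) when none matches. All mapping data is constructed.
"""
import re

# Constructed grid-mapfile content in the standard format:
# "<quoted DN>" <local account>[,<more accounts>]
GRIDMAP_TEXT = '''\
# sample grid-mapfile (constructed)
"/C=US/O=Example Grid/CN=Alice Researcher" alice
"/C=US/O=Example Grid/CN=Bob Operator" bob,gridops
'''

_GRIDMAP_LINE = re.compile(r'^"([^"]+)"\s+(\S+)\s*$')


def parse_gridmap(text):
    """Return {DN: first local account} from grid-mapfile text.

    Blank lines and '#' comments are skipped; a malformed line is ignored
    rather than being allowed to map anything.
    """
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _GRIDMAP_LINE.match(line)
        if not m:
            continue
        dn, accounts = m.group(1), m.group(2)
        mapping[dn] = accounts.split(",")[0]  # first listed account wins
    return mapping


# Constructed VOMS FQAN -> account rules (hypothetical policy format)
VOMS_RULES = {
    "/examplevo/Role=analyst": "examplevo-analyst",
    "/examplevo": "examplevo-user",
}
# Constructed SAML rules: (attribute name, value) -> account (hypothetical)
SAML_RULES = {
    ("eduPersonAffiliation", "faculty"): "faculty-pool",
    ("eduPersonAffiliation", "student"): "student-pool",
}


def map_voms(fqans, rules=VOMS_RULES):
    """VOMS FQANs are ordered; the first one with a rule decides."""
    for fqan in fqans:
        if fqan in rules:
            return rules[fqan]
    return None


def map_saml(attributes, rules=SAML_RULES):
    """attributes is {name: [values]}; first (name, value) with a rule decides."""
    for name, values in attributes.items():
        for value in values:
            acct = rules.get((name, value))
            if acct:
                return acct
    return None


def map_to_account(dn, fqans=(), saml_attrs=None, gridmap=None):
    """Fallback chain gridmap -> VOMS -> SAML.

    Returns (account, source) or (None, None) when no source matches,
    which the caller treats as a deny.
    """
    gridmap = parse_gridmap(GRIDMAP_TEXT) if gridmap is None else gridmap
    if dn in gridmap:
        return gridmap[dn], "gridmap"
    acct = map_voms(fqans)
    if acct:
        return acct, "voms"
    acct = map_saml(saml_attrs or {})
    if acct:
        return acct, "saml"
    return None, None  # explicit deny: no mapping source matched
```

Because the grid-mapfile is consulted first, a DN present there is never re-mapped by a VOMS or SAML rule; the attribute sources only extend the mapping for identities the mapfile does not know.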
GridShib for GT 0.6
GridShib for GT 0.6 (expected March 2007)
Full-featured attribute push PIP
Compatible with current GridShib Attribute Tools
More powerful attribute-based authz policies
Allow unique issuer in authz policy rules
GridShib SAML Tools
Current version 0.1.2
Self-issues a SAML assertion with up to two statements
Optionally binds this assertion to an X.509 proxy certificate
Supports both SAML AuthenticationStatement and AttributeStatement
Separates the issuing of the SAML from the binding of the SAML
GridShib SAML Tools 0.2.0
Target release date: February 2007
Same command-line interface as v0.1.x (but with more options)
Leverages Shibboleth Attribute Resolver to support more complicated attribute requirements
Support for nested SSO Response
Enhanced logging
Java API for Portal developers
GridShib for Shib Versions
GridShib for Shib 0.5.1: Announced Aug 8, 2006
GridShib for Shib 0.6: Expected Jan 2007; will include SAML Issuer Tool (derived from Shib resolvertest tool)
GridShib for Shib 0.6
GridShib for Shib 0.6 (expected April 2007)
Core (already included in 0.5): requires Shib IdP; includes basic plugins and handlers
Certificate Registry (already included in 0.5): requires GridShib for Shib Core; includes Derby embedded database
SAML Tools (new in 0.6): requires GridShib for Shib Core; includes SAML Issuer Tool and SAML X.509 Binding Tool
GridShib CA 0.3
Substantial improvement over version 0.2
More robust protocol
Installation of trusted CAs at the client
Pluggable back-end CAs: uses an openssl-based CA by default; a module to use a MyProxy CA is included
Certificate registry functionality: a module that auto-registers DNs with myVocs
GridShib CA 0.4
Target release: March 2007
Fall back to default SSLSocketFactory on error (Bug 4875) [1]
Create CA with domain name components (Bug 4887) [2]
Register certificate on the front channel with GridShib for Shibboleth Certificate Registry
Integrate GridShib SAML Tools to bind simple attribute assertion to EEC
Bind IdP entityID to SIA extension
Handle creating DN from mix of attributes (Bug 4889) [3]
What is MyProxy?
An Online Certificate Authority: issues short-lived X.509 End Entity Certificates; avoids the need for long-lived user keys
An Online Credential Repository: issues short-lived X.509 Proxy Certificates; long-lived private keys never leave the server
Supports multiple authentication methods: Passphrase, Certificate, PAM, SASL, Kerberos, Pubcookie, VOMS
Open Source Software: included in Globus Toolkit, UGE, NMI, VDT, and CoG Kits; C, Java, Python, and Perl clients available; contributions from EDG, UVA, LBL, and others
Protocol specified in GFD-E.54
Topics for Discussion
Credential Renewal
High Availability
Attribute Support
Web Services
Web SSO
Security Context Provisioning
User Registration
HSM Support
Audit Logging
Others?
Credential Renewal
Existing MyProxy-based renewal support: EGEE Renewal Service, Condor-G
Future Work: MyProxy-based GT4 Renewal Service, integrated with GT4 Delegation Service, with support for GRAM, WS-GRAM, RFT
High Availability
Existing support: clients retry when the server is unreachable; documentation for MyProxy CA replication; primary-backup replication of the MyProxy repository
Future Work: robust client retry; peer-to-peer repository replication
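The two client-side behaviours from the Credential Renewal and High Availability slides, renewing a short-lived proxy before it expires and retrying when the repository server is unreachable, as one added, illustrative example. This is not MyProxy's or the EGEE/Condor-G renewal code; the server stand-in, the renewal threshold (half the issued lifetime) and the linear backoff are assumptions chosen for the example, and time is passed in explicitly so the logic runs offline.

```python
"""Illustrative proxy renewal scheduler with retry on an unreachable server.

Added example (not MyProxy's code). A renewal client re-fetches a proxy
from the repository before the current one expires, and retries with
backoff when the repository cannot be reached. Times are plain seconds
since an epoch and are constructed; nothing here sleeps or contacts a host.
"""
from dataclasses import dataclass


@dataclass
class Proxy:
    not_after: float  # expiry, seconds since epoch (constructed)
    lifetime: float   # seconds the proxy was issued for


class ServerUnreachable(Exception):
    """Raised by the stand-in server to model a network outage."""


class FakeMyProxyServer:
    """Stand-in repository: fails the first `outages` calls, then issues."""

    def __init__(self, outages, proxy_lifetime):
        self.outages = outages
        self.proxy_lifetime = proxy_lifetime
        self.calls = 0

    def get_proxy(self, now):
        self.calls += 1
        if self.calls <= self.outages:
            raise ServerUnreachable("repository not reachable")
        return Proxy(not_after=now + self.proxy_lifetime,
                     lifetime=self.proxy_lifetime)


def needs_renewal(proxy, now, fraction=0.5):
    """Renew once less than `fraction` of the issued lifetime remains (assumed policy)."""
    remaining = proxy.not_after - now
    return remaining < fraction * proxy.lifetime


def renew_with_retry(server, now, max_attempts=3, backoff=30):
    """Try up to max_attempts times; wait backoff * attempt seconds between tries.

    Returns (proxy_or_None, simulated_seconds_spent_waiting).
    """
    waited = 0
    for attempt in range(1, max_attempts + 1):
        try:
            return server.get_proxy(now + waited), waited
        except ServerUnreachable:
            if attempt == max_attempts:
                return None, waited
            waited += backoff * attempt  # linear backoff, simulated only
    return None, waited


def renewal_cycle(server, proxy, now):
    """One scheduler tick: keep, renew, or report failure.

    On failure the still-valid old proxy is kept so the job is not killed
    by an outage; an already-expired proxy is reported as such.
    """
    if not needs_renewal(proxy, now):
        return proxy, "still-valid"
    new, _ = renew_with_retry(server, now)
    if new is None:
        return proxy, ("renewal-failed" if proxy.not_after > now else "expired")
    return new, "renewed"
```

Renewing at half the lifetime, rather than just before expiry, is what gives the retry loop room to ride out a short outage; the failure branch is where a deployment would raise an alert for operators.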
Attribute Support
Existing support: VOMS authentication to MyProxy server; GridShib CA integration with MyProxy
Future Work: issue credentials with VOMS assertions; SAML authentication to MyProxy server
Web Services
Currently MyProxy does not provide a Web Services interface (C, Java, Perl, Python APIs)
Standard Delegation Service interface is needed for MyProxy, GT4, and EGEE delegation services
Web Single Sign-on
Existing Support: MyProxy server accepts Pubcookie tokens
Future Work: Shibboleth/SAML support; other web SSO methods?
Security Context Provisioning
Existing Support: MyProxy can provision user certificates, CA certificates, and CRLs; requires the MyProxy server CA certificate to be installed
Future Work: Java client support; zero configuration bootstrap
User Registration
Existing Support: provided by PURSE and GAMA; GridShib CA and OpenIDP
Future Work: integration with MyProxy CA; integration with attribute and authorization services
HSM Support
Existing Prototypes: MyProxy repository using IBM 4738; MyProxy CA using Aladdin eToken
Future Work: full support for OpenSSL hardware engines in MyProxy CA
Audit Logging
Existing Support: all MyProxy server operations are logged to syslog; recent improvements to MyProxy CA logging to meet IGTF guidelines
Future Work: include auditing information in issued credentials; support standard grid logging interfaces
Thank you
Reminder: Wed @ 2-3:30pm, GridShib, MyProxy, GAARDS, Mountain Laurel
For more information: [email protected], http://myproxy.ncsa.uiuc.edu/, http://gridshib.globus.org