Leveraging Campus Authentication for Grid Scalability
Jim Jokl, Marty Humphrey
University of Virginia
Internet2 Meeting, April 2004

University of Virginia 2
NMI Testbed Activity
Early project focus
  Testing various NMI components
  Integrating them with campus infrastructure
Next phase: more inter-campus activities
  Focus on Globus; however, results can be generally applicable
  How do we facilitate sharing of data and compute resources between campuses?
Scalability and complexity issues for the Grid
  Security, researcher support, sharing equity issues
Our focus: authentication and inter-campus trust
  Hence the inter-campus aspects of Globus PKI

University of Virginia 3
Background: Public Key Infrastructure (PKI)
A PKI uses asymmetric cryptography
  A pair of mathematically related keys
  The Public Key is published widely; the Private Key is secret
An X.509 Certificate is:
  An object signed by a Certification Authority (CA)
  A binding of a user's identity to their public key
  An object containing attributes about the individual and the issuing Certification Authority
Critical issues
  How do you trust the credential binding?
  How can other institutions trust it?
  How would trust scale in a large Grid or Grids?

University of Virginia 4
Background: Trust in a Hierarchical PKI
Trust is based on trusting the "root" certificate
User cert trust via validating the cert chain to a trusted root
Some issues:
  "root" compromise
  A CA per Grid vs. a CA per school vs. ?
  Researcher support
  Integrating existing campus credentials
[Diagram: Root Certificate signs two Intermediate Certificates; the intermediates sign User A, User B, User C, User D and User E Certs]

University of Virginia 5
Background: Trust in a Bridge PKI
Enables trust between multiple hierarchical CAs
No need to reconstitute the whole PKI if a CA is compromised
Generally uses more infrastructure than just the cross-certificate pairs
Can enable trust between existing PKIs
Preserves technical and political separation
Logical choice for multi-campus / multi-grid systems
  Enables researchers to use home campus credentials
[Diagram: Root A -> Mid-A -> User A1, User A2; Root B -> Mid-B -> User B1, User B1; ... Root n; each root is joined to the Bridge CA by cross-certificate pairs]

University of Virginia 7
Globus & Bridge Test Environment
A simple bridge test environment revealed that Globus can validate a bridge trust path
  All needed cross-certificates must be pre-loaded into /etc/grid-security/certificates
  It appears that all needed intermediate CA certificates must also be pre-loaded
  No known support for a directory mechanism to locate cross-certificates
  Does not appear to follow AIA URLs to obtain any needed cross or intermediate certificates
A more complex real-world test is needed

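The two slides above describe why a bridged trust path only validates when every cross-certificate and intermediate is already in the local store, and the Tool Development slide later proposes a tool that chases missing certificates via AIA fields. The following is an added example, not code from the slides or from Globus, that models both behaviours: certificates are reduced to (subject, issuer) records with an optional tuple of AIA caIssuers URLs, and path discovery is a breadth-first search from the user's certificate to a trusted root. The campus names, URLs and the simulated AIA repository are all constructed for the example; `find_path`, `fake_fetch` and the `demo` views are assumptions of this example, not Globus functions.

```python
"""Trust-path discovery through a bridge CA, with optional AIA chasing.

Added example, not code from the slides or from Globus. Certificates are
modelled as (subject, issuer) records plus an optional tuple of AIA
caIssuers URLs; every name, URL and repository entry below is constructed.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    aia: tuple = ()  # caIssuers URLs where certificates for `issuer` can be fetched

    @property
    def self_signed(self):
        return self.subject == self.issuer


def build_store(certs):
    """Index certificates by subject, like a pre-loaded /etc/grid-security/certificates."""
    store = {}
    for c in certs:
        store.setdefault(c.subject, []).append(c)
    return store


def find_path(leaf, store, anchors, fetch=None, max_depth=8):
    """Breadth-first search from `leaf` up to a certificate whose issuer is
    one of the trusted `anchors` (root CA subject names).

    Self-signed certs are skipped: an anchor is trusted by name, and a
    non-anchor root's self-signed cert would only loop.  Cross-certificate
    pairs form cycles, so visited (subject, issuer) pairs are remembered.
    If the store holds no usable issuer cert and `fetch` is given, the
    cert's AIA URLs are followed and the results added to the store (the
    behaviour the slides say Globus lacks).  Returns the chain or None.
    """
    queue = deque([(leaf, [leaf])])
    seen = set()
    while queue:
        cert, path = queue.popleft()
        if cert.issuer in anchors:
            return path
        if len(path) >= max_depth:
            continue
        candidates = [c for c in store.get(cert.issuer, []) if not c.self_signed]
        if not candidates and fetch is not None and cert.aia:
            for fetched in fetch(cert.aia):
                store.setdefault(fetched.subject, []).append(fetched)
            candidates = [c for c in store.get(cert.issuer, []) if not c.self_signed]
        for nxt in candidates:
            key = (nxt.subject, nxt.issuer)
            if key in seen:
                continue
            seen.add(key)
            queue.append((nxt, path + [nxt]))
    return None


# Constructed test PKI: two campus hierarchies joined through a bridge CA.
ROOT_A, MID_A = "CN=Root A", "CN=Mid-A"
ROOT_B, BRIDGE = "CN=Root B", "CN=Bridge CA"
USER_A1 = Cert("CN=User A1", MID_A)
CAMPUS_CERTS = [
    Cert(ROOT_A, ROOT_A),
    Cert(MID_A, ROOT_A, aia=("http://pki.campus-a.example/root-a",)),
    Cert(ROOT_B, ROOT_B),
]
CROSS_CERTS = [
    Cert(BRIDGE, ROOT_A),  # Root A certifies the bridge
    Cert(ROOT_A, BRIDGE, aia=("http://bridge.example/bridge",)),  # bridge certifies Root A
    Cert(BRIDGE, ROOT_B),  # Root B certifies the bridge
    Cert(ROOT_B, BRIDGE),  # bridge certifies Root B
]
# Simulated AIA repository (constructed): URL -> certificates served there.
AIA_REPO = {
    "http://pki.campus-a.example/root-a": [CROSS_CERTS[1]],
    "http://bridge.example/bridge": [CROSS_CERTS[0], CROSS_CERTS[2]],
}


def fake_fetch(urls):
    """Stand-in for an HTTP fetch of AIA caIssuers URLs."""
    return [c for u in urls for c in AIA_REPO.get(u, [])]


def chain(leaf, anchors, certs, fetch=None):
    """Subject names along the discovered path, or None."""
    path = find_path(leaf, build_store(certs), anchors, fetch)
    return None if path is None else [c.subject for c in path]


def demo():
    """Four relying-party views of User A1's certificate."""
    return {
        # Campus A trusts Root A directly: plain hierarchical path.
        "same_campus": chain(USER_A1, {ROOT_A}, CAMPUS_CERTS),
        # Campus B with every cross-cert pre-loaded: bridged path found.
        "bridged_preloaded": chain(USER_A1, {ROOT_B}, CAMPUS_CERTS + CROSS_CERTS),
        # Campus B with only campus certs loaded: no path (what the slides observed).
        "bridged_missing": chain(USER_A1, {ROOT_B}, CAMPUS_CERTS),
        # Same store, but the missing certs are chased via AIA.
        "bridged_aia": chain(USER_A1, {ROOT_B}, CAMPUS_CERTS, fetch=fake_fetch),
    }


if __name__ == "__main__":
    for view, names in demo().items():
        print(f"{view}: {names}")
```

The `bridged_missing` view is the situation the slide describes: the relying party at campus B has its own root but none of the cross-certificate pairs, so no chain reaches a trust anchor even though one exists. Real path validation also checks signatures, validity periods, basic constraints, name constraints and revocation; this model shows only the discovery step that the pre-loading requirement is about.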
University of Virginia 8
Globus PKI Integration Notes
Campus CA Integration
  Use of Campus CAs with Globus for inter-institutional sharing of resources should be manageable
  Typical campus certificate profiles (e.g. PKI-lite) work well with Globus
  Challenges will exist for locating the needed cross-certificates and intermediate CA certificates

University of Virginia 9
Globus PKI Integration Notes
Campus CA integration is complicated by the Globus interface
  Campus CAs and OS-exported certificates are generally in PKCS-12 format
  Globus expects raw PEM files for the certificate and the private key
  A file to map certificate DNs to UNIX login names must be maintained
  A maintenance challenge for large inter-institutional grids

University of Virginia 10
Goals for Larger Test on the NMI Testbed Grid
Test the use of Globus in a real and larger bridged PKI environment
Enable the use of campus CAs in inter-institutional Grids
  Show that one set of campus-issued credentials can work
  Use on a single grid or multiple grids
  Eases researcher pain (and support issues)
Explore complexity issues, demonstrate scalability
Create appropriate tools and documentation
Prepare for Globus to leverage other activities
  Higher Education Bridge Certification Authority
  Higher Education Root Certification Authority

University of Virginia 11
Higher Education Bridge Certification Authority (HEBCA)
A project of EDUCAUSE
Implement a bridge for higher education based on the Federal PKI bridge model
Support both campus PKIs and sector hierarchical PKIs
Cross-certify with the Federal bridge (and others as appropriate)
Use of HEBCA with Globus may be a natural result of this work

University of Virginia 12
US Higher Education Root CA
A project of Internet2
  The replacement for the CREN CA
Designed to support campuses that wish to be part of a hierarchical CA
  The root CA signs campus CA signing certificates
Expectation is to cross-certify with HEBCA at some level
Campus CAs that are part of this hierarchy would also work well in a bridged Globus environment

University of Virginia 13
Current Project Status
Built Testbed Bridge CA
  Off-line system
Cross-certifications
  UVA: complete
  UAB: nearly done
  TACC: 50%
  USC: getting started
/etc/grid-security
  Certificates, policy files, and hash links generated via scripts
  Gridmap file by hand

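Slide 9 says Globus needs a file mapping certificate DNs to UNIX login names, and the status slide above lists the /etc/grid-security artifacts the testbed maintains: CA certificates and their signing policy files generated by script, and the gridmap file by hand. The following added example, not code from the slides or the Globus Toolkit, renders and parses those two text files and applies them the way a Globus host does: first the CA's signing policy decides whether the CA may vouch for a subject name at all, then the grid-mapfile decides which local account the DN gets. The signing_policy keywords (`access_id_CA`, `pos_rights`, `cond_subjects`) and the quoted-DN gridmap line format are Globus conventions; the CA name, DNs and logins are constructed, and all functions here are this example's own.

```python
"""Two /etc/grid-security artifacts named on the slides: a CA signing_policy
file and the grid-mapfile that maps certificate DNs to UNIX logins.

Added example, not code from the slides or the Globus Toolkit. File layouts
follow Globus conventions; the CA, DNs and logins are constructed.
"""
import fnmatch
import re
import shlex


def signing_policy(ca_dn, namespaces):
    """Render a signing_policy file limiting `ca_dn` to subject namespaces
    (glob patterns).  Globus keeps it as <hash>.signing_policy beside the
    CA cert <hash>.0, where <hash> comes from `openssl x509 -hash`."""
    conds = " ".join(f'"{ns}"' for ns in namespaces)
    return (
        f"# Signing policy for {ca_dn}\n"
        f"access_id_CA      X509         '{ca_dn}'\n"
        f"pos_rights        globus        CA:sign\n"
        f"cond_subjects     globus       '{conds}'\n"
    )


def parse_signing_policy(text):
    """Return (ca_dn, [namespace patterns]) from signing_policy text."""
    ca_dn, patterns = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _type, value = line.split(None, 2)
        value = value.strip("'")
        if key == "access_id_CA":
            ca_dn = value
        elif key == "cond_subjects":
            patterns = shlex.split(value)  # splits the double-quoted list
    return ca_dn, patterns


def subject_allowed(subject_dn, issuer_dn, policy_text):
    """Would a Globus host accept `subject_dn` signed by `issuer_dn`?
    The issuer must be the policy's CA and a namespace pattern must match."""
    ca_dn, patterns = parse_signing_policy(policy_text)
    if issuer_dn != ca_dn:
        return False
    return any(fnmatch.fnmatchcase(subject_dn, p) for p in patterns)


GRIDMAP_LINE = re.compile(r'^"([^"]+)"\s+(\S+)$')


def render_gridmap(entries):
    """grid-mapfile text from (dn, login) pairs: the 'by hand' step, scripted."""
    return "".join(f'"{dn}" {login}\n' for dn, login in entries)


def parse_gridmap(text):
    """Parse grid-mapfile lines of the form "/DN" login[,login...]."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = GRIDMAP_LINE.match(line)
        if m is None:
            raise ValueError(f"malformed grid-mapfile line: {line!r}")
        mapping[m.group(1)] = m.group(2).split(",")
    return mapping


def map_user(dn, mapping):
    """Default local login for a DN, or None (an unmapped DN is refused)."""
    logins = mapping.get(dn)
    return logins[0] if logins else None


# Constructed testbed data.
UVA_CA = "/C=US/O=University of Virginia/CN=Testbed CA"
POLICY = signing_policy(UVA_CA, ["/C=US/O=University of Virginia/*"])
GRIDMAP = render_gridmap([
    ("/C=US/O=University of Virginia/CN=Jane Doe", "jdoe"),
    ("/C=US/O=Campus B/CN=Sam Roe", "sroe,grid"),
])
JANE = "/C=US/O=University of Virginia/CN=Jane Doe"
OUTSIDER = "/C=US/O=Elsewhere/CN=Someone Else"


def demo():
    """Policy check, then gridmap lookup, as a gatekeeper applies them."""
    mapping = parse_gridmap(GRIDMAP)
    return {
        "jane_in_namespace": subject_allowed(JANE, UVA_CA, POLICY),
        "outsider_in_namespace": subject_allowed(OUTSIDER, UVA_CA, POLICY),
        "jane_login": map_user(JANE, mapping),
        "sam_login": map_user("/C=US/O=Campus B/CN=Sam Roe", mapping),
        "outsider_login": map_user(OUTSIDER, mapping),
    }


if __name__ == "__main__":
    print(POLICY)
    print(GRIDMAP)
    print(demo())
```

The namespace check is what keeps a cross-certified campus CA from vouching for names outside its own organization, which matters more in a bridged grid than in a single hierarchy; the gridmap shows why the slides call the DN-to-login file a maintenance problem, since every participating researcher at every campus needs a line on every resource they use.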
University of Virginia 14
Tool Development
In addition to supporting the testbed grid via cross-certification, we plan to explore a few tools
  Credential converter web site that takes a PKCS-12 (as is available in most enterprise CAs) and returns the PEM files needed by Globus
  A tool to chase down cross-certificates from AIA fields and build the needed Globus links and signing policy files
  Potentially: a CA using a Shibboleth-based RA
    Provide certificates for campuses that have Shibboleth but are not yet operating an enterprise CA
    Each campus would have its own root that would be cross-certified via the testbed bridge
We should know a lot more in a few months