NERSC Online CA Update
TAGPMA Meeting, February 2012, San Diego
Shreyas Cholia, NERSC, LBL
NERSC
• DOE Office of Science Supercomputing Facility at LBL
• Multiple compute & storage systems
  – Hopper, Franklin, Carver, Euclid, PDSF, HPSS, Global File System
NERSC CA
• Provides short-lived certificates to the NERSC user community for convenient access to NERSC resources as well as to external resources reachable via grid interfaces.
NERSC CA at a Glance
• IGTF Accredited SLCS MyProxy CA
• CA cert signed by ESnet Root CA
• Uses NERSC username/password to generate a short-lived credential (up to 11 days)
• HSM: Aladdin eToken USB device
• Command Line Interface:
  myproxy-logon -s nerscca.nersc.gov -l <user>
  Password:
• Also accessible via programmatic APIs
NERSC CA Service
(Diagram: request flow through the Online CA MyProxy server)
1. The user runs myproxy-logon -l "starbuck" against the Online CA MyProxy server.
2. The MyProxy server validates the password through PAM LDAP: an encrypted token is sent to the LDAP server, which validates the password.
3. The MyProxy server consults the cert-mapfile for the user's DN. The mapfile is generated from the NERSC user DB, e.g.:
   "/CN=Joe User" joe
   "/CN=Jane Doe" jane
   "/CN=Lee Adama" apollo
   "/CN=Kara Thrace" starbuck
4. The CA returns a certificate for "/CN=Kara Thrace" signed under the NERSC CA cert.
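As an added illustration of the mapfile step in the flow above (example code written for this page, not NERSC's MyProxy CA), the following Python generates a grid-mapfile from a constructed stand-in for the NERSC user DB, parses it back while honouring quoted DNs, resolves a username to its DN, and caps the requested lifetime at the 11-day maximum stated for the CA. The DN template, the user records and the password-check callback are assumptions; password validation (PAM/LDAP) and HSM signing are outside the example.

```python
"""Grid-mapfile generation, parsing and lookup for a MyProxy-style online CA.

Added example, not NERSC's code. The user database is constructed from the
names on the slide; 11 days is the maximum lifetime the slides state.
"""
import re

MAX_LIFETIME_HOURS = 11 * 24   # NERSC CA's stated maximum credential lifetime

# Constructed stand-in for the NERSC user DB: local username -> display name.
USER_DB = {
    "joe": "Joe User",
    "jane": "Jane Doe",
    "apollo": "Lee Adama",
    "starbuck": "Kara Thrace",
}


def make_dn(display_name):
    """Assumed DN template: the slide shows only the /CN= component.

    Backslashes and double quotes are escaped so the DN survives the quoted
    mapfile syntax round trip."""
    safe = display_name.replace("\\", "\\\\").replace('"', '\\"')
    return f"/CN={safe}"


def generate_mapfile(user_db):
    """Emit one '"DN" username' line per account, grid-mapfile style."""
    lines = ["# generated from the user DB; do not edit by hand"]
    for username, display_name in sorted(user_db.items()):
        lines.append(f'"{make_dn(display_name)}" {username}')
    return "\n".join(lines) + "\n"


# A quoted DN (with backslash escapes) followed by one or more comma-separated
# local names, the same shape Globus grid-mapfiles use.
_MAP_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"\s+([^\s,]+(?:,[^\s,]+)*)$')


def parse_mapfile(text):
    """Return {username: dn}. Malformed lines and conflicting mappings are
    rejected outright rather than skipped, because a bad mapfile means the CA
    would issue a certificate for the wrong identity."""
    by_user = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _MAP_LINE.match(line)
        if m is None:
            raise ValueError(f"mapfile line {lineno}: malformed entry {raw!r}")
        dn = re.sub(r"\\(.)", r"\1", m.group(1))   # undo the quoting escapes
        for username in m.group(2).split(","):
            if username in by_user and by_user[username] != dn:
                raise ValueError(
                    f"mapfile line {lineno}: {username!r} already maps to {by_user[username]!r}")
            by_user[username] = dn
    return by_user


def lookup_dn(mapping, username):
    """The CA's lookup step: no mapfile entry means no certificate."""
    try:
        return mapping[username]
    except KeyError:
        raise PermissionError(f"no DN mapped for user {username!r}") from None


def clamp_lifetime(requested_hours):
    """Never issue for longer than the CA's maximum, whatever the client asks."""
    if requested_hours <= 0:
        raise ValueError("lifetime must be positive")
    return min(requested_hours, MAX_LIFETIME_HOURS)


def issue_credential(mapping, username, password, validate_password, requested_hours):
    """Order matters: authenticate first (PAM/LDAP in the real service, here a
    caller-supplied callback), then map to a DN, then bound the lifetime.
    Returns the subject and lifetime the HSM would be asked to sign."""
    if not validate_password(username, password):
        raise PermissionError("password validation failed")
    return {"subject": lookup_dn(mapping, username),
            "lifetime_hours": clamp_lifetime(requested_hours)}


if __name__ == "__main__":
    mapping = parse_mapfile(generate_mapfile(USER_DB))
    fake_pam = lambda user, pw: pw == "constructed-secret"   # stand-in for PAM LDAP
    print(issue_credential(mapping, "starbuck", "constructed-secret", fake_pam, 24 * 30))
```

The parser deliberately fails closed: a line it cannot read, or a username that appears with two different DNs, aborts the load instead of leaving the CA to issue for whichever entry happened to win.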
Use Cases
• Workflows based on Globus Gatekeeper, GridFTP, GSISSH
  – OSG, Atlas, STAR, Planck etc.
  – Climate Data Transfer over WAN
• Portals - trusted portal requests a short-lived cert and uses it on your behalf
  – Globus Online
  – NEWT - NERSC Web API (REST API to access NERSC)
  – Science Gateways
Issues
• Current model cannot do single sign-on across NERSC resources.
• CA key expiring in 2013; future of ESnet Root CA is uncertain.
• HSM is slow and rejects requests under load
  – 10-15 seconds to sign a single request
Enabling Single Sign On
• NERSC already runs a Shibboleth IdP to provide single sign-on for web resources
• We'd like to use NEWT and Science Gateways via SSO
  – Sign in once to Shib
  – Enable access to grid resources via Shib token
• Using Shib-OAuth-MyProxy CA (from NCSA) would allow us to use the user's Shib credentials to create a certificate.
• Proposal: Expand NERSC CA scope to cover Shib authentication. Update to CP/CPS?
Shib Login
• Login once to the Shib OAuth service using NERSC username/password
• Client browser gets an OAuth token.
• Browser presents the token to a trusted web service (NEWT, Science Gateway).
• The OAuth assertion authorizes the web service to retrieve a certificate
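As an added example of the four-step exchange above (written for this page; not NCSA's Shib-OAuth-MyProxy code, which uses real OAuth rather than the simplified HMAC token modelled here), the following Python plays all three parties: the Shib OAuth service that checks the NERSC username/password and hands the browser a token, the trusted web service (NEWT or a gateway) that presents it, and the CA that verifies the token before issuing the certificate for the user's mapped DN. The shared HMAC key, the client identifiers, the token format, the user records and the passwords are assumptions. The checks worth noting are the ones the CA performs before issuing: tag verification, audience (the service presenting the token must be the one it was issued to), expiry and single use.

```python
"""Token-authorized certificate retrieval, modelled on the slide's four steps.

Added example, not NCSA's Shib-OAuth-MyProxy implementation. Assumptions:
the Shib OAuth service and the CA share an HMAC key; a token is a base64url
JSON payload plus an HMAC-SHA256 tag; each trusted web service has a client
id that the token names as its audience.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

SHARED_KEY = secrets.token_bytes(32)            # assumed shared by OAuth service and CA
TRUSTED_SERVICES = {"newt", "science-gateway"}  # services allowed to redeem tokens
TOKEN_LIFETIME = 300                            # seconds; the token only bridges login to issuance
CERT_LIFETIME = 11 * 24 * 3600                  # NERSC CA's 11-day maximum, in seconds

_SALT = b"constructed-salt"                     # one salt per user in a real store


def _pwhash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)


# Constructed identity store: username -> (password hash, DN from the cert-mapfile)
USERS = {
    "starbuck": (_pwhash("constructed-pw-1"), "/CN=Kara Thrace"),
    "apollo": (_pwhash("constructed-pw-2"), "/CN=Lee Adama"),
}


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def shib_login(username, password, client_id, now=None):
    """Steps 1-2: the Shib OAuth service checks NERSC credentials and returns
    the token the browser will carry. The token is bound to one client id."""
    now = time.time() if now is None else now
    record = USERS.get(username)
    if record is None or not hmac.compare_digest(record[0], _pwhash(password)):
        raise PermissionError("bad username or password")
    if client_id not in TRUSTED_SERVICES:
        raise PermissionError(f"unknown client {client_id!r}")
    payload = {"sub": username, "aud": client_id,
               "exp": int(now) + TOKEN_LIFETIME, "jti": secrets.token_hex(8)}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    tag = _b64(hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{tag}"


_redeemed = set()   # jti values already exchanged; a shared store in production


def ca_issue_certificate(client_id, token, now=None):
    """Step 4: the CA accepts the token only if the tag verifies, the presenting
    service is the audience, and it is unexpired and unused; then it issues
    for the user's mapped DN. Signing with the HSM is outside this example."""
    now = time.time() if now is None else now
    if client_id not in TRUSTED_SERVICES:
        raise PermissionError(f"untrusted service {client_id!r}")
    try:
        body, tag = token.split(".")
        expected = hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(tag), expected):
            raise PermissionError("token tag invalid")
        payload = json.loads(_unb64(body))
    except (ValueError, TypeError) as exc:      # bad split, base64 or JSON
        raise PermissionError("malformed token") from exc
    if payload.get("aud") != client_id:
        raise PermissionError("token was issued to a different service")
    if payload.get("exp", 0) <= now:
        raise PermissionError("token expired")
    if payload.get("jti") in _redeemed:
        raise PermissionError("token already redeemed")
    _redeemed.add(payload["jti"])
    record = USERS.get(payload.get("sub"))
    if record is None:
        raise PermissionError("user no longer mapped to a DN")
    return {"subject": record[1], "issued_to": client_id,
            "not_after": int(now) + CERT_LIFETIME}


def web_service_fetch_cert(client_id, token_from_browser, now=None):
    """Step 3: the trusted web service (NEWT, a gateway) forwards the browser's
    token to the CA and receives the certificate to use on the user's behalf."""
    return ca_issue_certificate(client_id, token_from_browser, now)


if __name__ == "__main__":
    token = shib_login("starbuck", "constructed-pw-1", "newt")
    print(web_service_fetch_cert("newt", token))
```

Binding the token to an audience is what keeps one compromised gateway from redeeming tokens minted for another, and the single-use check means a token leaked from a browser after redemption buys nothing; both are checks the CA has to do itself rather than trust the web service to have done.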
Design 1
Design 2
New CA certificate and HSM
• We would like to move to a more robust HSM solution.
  – Something that works with Shib-MyProxy CA
  – Reasonable performance (1 sec signing time)
  – Does OK under load (handles multiple simultaneous requests)
  – Suggestions?
• We need to issue a new CA cert.
  – Is a self-signed cert OK?
  – What do we need to do wrt the IGTF process?