NERSC Online CA Update TAGPMA Meeting, February 2012, San Diego

NERSC Online CA Update TAGPMA Meeting, February 2012, San Diego Shreyas Cholia NERSC, LBL


Transcript of NERSC Online CA Update TAGPMA Meeting, February 2012, San Diego

Page 1

NERSC Online CA Update
TAGPMA Meeting, February 2012, San Diego

Shreyas Cholia, NERSC, LBL

Page 2

NERSC

• DOE Office of Science Supercomputing Facility at LBL

• Multiple compute & storage systems
  – Hopper, Franklin, Carver, Euclid, PDSF, HPSS, Global File System

Page 3

NERSC CA

• Provides short-lived certificates to NERSC user community for convenient access to NERSC resources as well as external resources accessible via grid interfaces.

Page 4

NERSC CA at a Glance

• IGTF-accredited SLCS MyProxy CA
• CA cert signed by ESnet Root CA
• Uses NERSC username/password to generate a short-lived credential (up to 11 days)
• HSM: Aladdin eToken USB device
• Command line interface:
  myproxy-logon -s nerscca.nersc.gov -l <user>
  Password:
• Also accessible via programmatic APIs

Page 5

NERSC CA Service

[Diagram: NERSC CA service flow]

• User runs myproxy-logon -l "starbuck" against the Online CA MyProxy server.
• The MyProxy server authenticates via PAM LDAP: it sends an encrypted token to the LDAP server, which validates the password.
• The server consults the cert-mapfile (generated from the NERSC user DB) for the user's DN, e.g.:
  "/CN=Joe User" joe
  "/CN=Jane Doe" jane
  "/CN=Lee Adama" apollo
  "/CN=Kara Thrace" starbuck
• The Online CA returns a signed NERSC CA cert, here with subject "/CN=Kara Thrace".
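The mapfile lookup step above, as an added example that is not NERSC's or MyProxy's own code: it parses a mapfile in the quoted-DN-then-usernames layout the slide shows (the comma-separated multi-user form and the sample entries are assumptions) and refuses to pick a DN when a username maps to zero or more than one entry, so the CA never signs an ambiguous identity.

```python
import shlex
from typing import Dict, List

# Constructed sample mapfile (assumed format, modelled on slide 5).
SAMPLE_MAPFILE = '''
# cert-mapfile generated from the NERSC user DB
"/CN=Joe User" joe
"/CN=Jane Doe" jane
"/CN=Lee Adama" apollo
"/CN=Kara Thrace" starbuck
"/CN=Shared Robot" ops,backup
"/CN=Other Robot" ops
'''


def parse_mapfile(text: str) -> Dict[str, List[str]]:
    """Return {dn: [usernames]} for every non-blank, non-comment line.

    A line must be exactly one quoted DN plus one username field;
    anything else is rejected instead of guessed at.
    """
    mapping: Dict[str, List[str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)  # honours the quotes around the DN
        if len(fields) != 2 or not fields[0].startswith("/"):
            raise ValueError(f"malformed mapfile line {lineno}: {raw!r}")
        dn, users = fields
        mapping[dn] = [u for u in users.split(",") if u]
    return mapping


def dn_for_user(mapping: Dict[str, List[str]], username: str) -> str:
    """Reverse lookup done by the online CA: the DN to put in the
    certificate for an authenticated username. Exactly one match is
    required; zero or several matches are refused."""
    matches = [dn for dn, users in mapping.items() if username in users]
    if len(matches) != 1:
        raise LookupError(
            f"{username!r} maps to {len(matches)} DNs, expected exactly 1")
    return matches[0]
```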

Page 6

Use Cases

• Workflows based on Globus Gatekeeper, GridFTP, GSISSH
  – OSG, Atlas, STAR, Planck etc.
  – Climate data transfer over WAN
• Portals: a trusted portal requests a short-lived cert and uses it on your behalf
  – Globus Online
  – NEWT, the NERSC Web API (REST API to access NERSC)
  – Science Gateways

Page 7

Issues

• Current model cannot do single sign-on across NERSC resources.
• CA key expiring in 2013
  – Future of ESnet Root CA is uncertain.
• HSM is slooooow and rejects requests under load
  – 10-15 seconds to sign a single request

Page 8

Enabling Single Sign On

• NERSC already runs a Shibboleth IDP to provide single sign-on for web resources

• We'd like to use NEWT and Science Gateways via SSO
  – Sign in once to Shib
  – Enable access to grid resources via Shib token

• Using Shib-Oauth-MyProxy CA (from NCSA) would allow us to use the user's Shib credentials to create a certificate.

• Proposal: Expand NERSC CA scope to cover Shib authentication. Update to CP/CPS?

Page 9

Shib Login

• Log in once to the Shib OAuth service using NERSC username/password.
• Client browser gets an OAuth token.
• Browser presents the token to a trusted web service (NEWT, Science Gateway).
• The OAuth assertion authorizes the web service to retrieve a certificate.

Page 10

Design 1

Page 11

Design 2

Page 12

New CA certificate and HSM

• We would like to move to a more robust HSM solution.
  – Something that works with Shib-MyProxy CA
  – Reasonable performance (1 sec signing time)
  – Does OK under load (handles multiple simultaneous requests)
  – Suggestions?
• We need to issue a new CA cert.
  – Is a self-signed cert OK?
  – What do we need to do wrt the IGTF process?
