myproxy a multi purpose grid authentication service
play

MyProxy: A Multi-Purpose Grid Authentication Service Jim Basney - PDF document

Aug 03, 2023 •114 likes •290 views

MyProxy: A Multi-Purpose Grid Authentication Service Jim Basney Senior Research Scientist NCSA jbasney@ncsa.uiuc.edu What is MyProxy? A service for managing X.509 PKI credentials A credential repository and certificate authority An

  1. MyProxy: A Multi-Purpose Grid Authentication Service Jim Basney Senior Research Scientist NCSA jbasney@ncsa.uiuc.edu What is MyProxy? A service for managing X.509 PKI credentials � � A credential repository and certificate authority An Online Credential Repository � � Issues short-lived X.509 Proxy Certificates � Long-lived private keys never leave the server An Online Certificate Authority � � Issues short-lived X.509 End Entity Certificates Supporting multiple authentication methods � � Passphrase, Certificate, PAM, SASL, Kerberos Open Source Software � � Included in Globus Toolkit, VDT, and CoG Kits � C, Java, Python, and Perl clients available � Contributions from EDG, UVA, LBNL, and others WCGA 2006 http: / / myproxy.ncsa.uiuc.edu/ 2 1

  2. MyProxy Logon Authenticate to retrieve PKI credentials � � End Entity or Proxy Certificate � Trusted CA Certificates � Certificate Revocation Lists (CRLs) MyProxy maintains the user’s PKI context � � Users don’t need to manage long-lived credentials � Enables server-side monitoring and policy enforcement (ex. passphrase quality checks) � CA certificates & CRLs updated automatically at login WCGA 2006 http: / / myproxy.ncsa.uiuc.edu/ 3 MyProxy Authentication Key Passphrase � X.509 Certificate � � Used for credential renewal Pluggable Authentication Modules (PAM) � � Kerberos password � One Time Password (OTP) � Lightweight Directory Access Protocol (LDAP) password Simple Authentication and Security Layer (SASL) � � Kerberos ticket (SASL GSSAPI) WCGA 2006 http: / / myproxy.ncsa.uiuc.edu/ 4 2

  3. MyProxy Online Certificate Authority � Issues short-lived X.509 End Entity Certificates � Leverages MyProxy authentication mechanisms � Compatible with existing MyProxy clients � Ties in to site authentication and accounting � Using PAM and/ or Kerberos authentication � Map username to certificate subject via “gridmap” file or LDAP query � Avoid need for long-lived user keys � Server can function as both CA and repository � Issues certificate if no credentials for user are stored WCGA 2006 http: / / myproxy.ncsa.uiuc.edu/ 5 MyProxy Online Credential Repository Stores X.509 End Entity and Proxy credentials � � Private keys encrypted with user-chosen passphrases � Credentials may be stored directly or via proxy delegation � Users can store multiple credentials from different CAs Access to credentials controlled by user and administrator � policies � Set authentication requirements � Control whether credentials can be retrieved directly or if only proxy delegation is allowed � Restrict lifetime of retrieved proxy credentials Can be deployed for a single user, a site, a virtual � organization, a resource provider, a CA, etc. WCGA 2006 http: / / myproxy.ncsa.uiuc.edu/ 6 3

  4. Talk Outline � MyProxy Introduction � PKI Introduction and MyProxy CA � Proxy Certificates and MyProxy Repository � MyProxy Scenarios � Administratively Loaded Credentials � Registration Portals � Web Portal Authentication and Delegation � Password-based Delegation � Credential Renewal � Web Single Sign-On (SSO) � Demos � Conclusion WCGA 2006 http: / / myproxy.ncsa.uiuc.edu/ 7 PKI Overview Public Key Cryptography � Issuer: CA � Sign with private key, verify signature with public key Subject: CA � Encrypt with public key, decrypt with private key Key Distribution � signs � Who does a public key belong to? � Certification Authority (CA) verifies user’s identity and signs certificate Issuer: CA � Certificate is a document that binds the user’s identity to a public key Subject: Jim Authentication � � Signature [ h ( random, … ) ] WCGA 2006 http: / / myproxy.ncsa.uiuc.edu/ 8 4

  5. PKI Authentication Standard SSL/ TLS Protocol (summarized) Client Server random c certificate s + random s certificate c + { secret } pubkeys + signature c [ h( random c , random s , … ) ] { h( secret ) } secret WCGA 2006 http: / / myproxy.ncsa.uiuc.edu/ 9 PKI Enrollment CA Applicant 1 2 CA Generate Certificate request new key pair 3 CA Sign new 4 end entity certificate User User User WCGA 2006 http: / / myproxy.ncsa.uiuc.edu/ 10 5

  6. MyProxy CA with PAM DN lookup Grid LDAP Service Server X.509 password gridmap P Client MyProxy TLS handshake RADIUS certificate request password certificate password A Server keypair Server M CA key TGT Kerberos KDC WCGA 2006 http: / / myproxy.ncsa.uiuc.edu/ 11 MyProxy CA with Kerberos DN lookup Grid LDAP Service Server X.509 gridmap S S TLS handshake SASL/GSSAPI/Kerberos Client MyProxy A A certificate request certificate keypair S S Server L L CA key ticket Kerberos KDC WCGA 2006 http: / / myproxy.ncsa.uiuc.edu/ 12 6

  7. PAM/ SASL Issues � PAM Conversation � PAM modules can require multiple rounds of user interaction � No standard protocol � SASL/ PLAI N doesn’t support multiple rounds � Need something like SSH keyboard-interactive protocol � SASL client-side setup � Requires SASL library and configuration of SASL mechanisms � Alternative: native Kerberos protocol support WCGA 2006 http: / / myproxy.ncsa.uiuc.edu/ 13 Proxy Credentials CA RFC 3820: Proxy Certificate Profile � signs Associate a new private key and certificate � with existing credentials User Short-lived, unencrypted credentials for � multiple authentications in a session signs � Restricted lifetime in certificate limits vulnerability of unencrypted key Proxy Credential delegation (forwarding) without � A transferring private keys signs Proxy B WCGA 2006 http: / / myproxy.ncsa.uiuc.edu/ 14 7

  8. Proxy Delegation Delegator Delegatee 1 2 Generate Proxy certificate request new key pair 3 Sign new 4 proxy certificate Proxy Proxy Proxy WCGA 2006 http: / / myproxy.ncsa.uiuc.edu/ 15 MyProxy Put Client MyProxy TLS handshake Server certificate username proxy certificate chain certificate request password policy private key keypair cert chain private key WCGA 2006 http: / / myproxy.ncsa.uiuc.edu/ 16 8

  9. MyProxy Get Client MyProxy TLS handshake Server username proxy certificate chain certificate request password cert chain private key cert chain private key X.509 Grid Service WCGA 2006 http: / / myproxy.ncsa.uiuc.edu/ 17 MyProxy Store Client MyProxy TLS handshake Server certificate username certificate private key policy private key certificate private key WCGA 2006 http: / / myproxy.ncsa.uiuc.edu/ 18 9

  10. MyProxy Retrieve Client MyProxy TLS handshake Server certificate chain username password private key cert chain private key cert chain private key X.509 Grid Service WCGA 2006 http: / / myproxy.ncsa.uiuc.edu/ 19 Administratively Loaded Creds Certificate Authority Client MyProxy certificate TLS handshake Server cert chain username proxy certificate chain certificate request password private key private key certificate private key X.509 Grid Service WCGA 2006 http: / / myproxy.ncsa.uiuc.edu/ 20 10

  11. User Registration Portal Certificate Authority Registration TLS handshake Portal certificate username password Browser User DB certificate private key Client MyProxy username TLS handshake Server username proxy certificate chain certificate request password cert chain private key certificate private key X.509 Grid Service WCGA 2006 http: / / myproxy.ncsa.uiuc.edu/ 21 Gateway Portal Portal TLS handshake Browser username password cert User key DB X.509 Grid Service WCGA 2006 http: / / myproxy.ncsa.uiuc.edu/ 22 11

  12. Trusted Portal MyProxy X.509 cert request username cert Portal TLS handshake Browser username password cert cert User key key DB X.509 Grid Service WCGA 2006 http: / / myproxy.ncsa.uiuc.edu/ 23 Password-based Portal Auth MyProxy X.509 cert request username password cert Portal TLS handshake username password Browser cert cert key key X.509 Grid Service WCGA 2006 http: / / myproxy.ncsa.uiuc.edu/ 24 12

  13. Password-based Delegation Delegator Delegatee certificate password random certificate username certificate certificate private key private key certificate certificate username username MyProxy certificate request certificate certificate certificate request password random password random TLS handshake certificate certificate TLS handshake certificate private key WCGA 2006 http: / / myproxy.ncsa.uiuc.edu/ 25 Password-based Renewal Condor-G GRAM Gatekeeper proxy proxy job job proxy proxy proxy proxy proxy proxy password Client Job proxy proxy password password proxy MyProxy proxy WCGA 2006 http: / / myproxy.ncsa.uiuc.edu/ 26 13

  14. Certificate-based Renewal Workload Management Service Condor-G proxy GRAM Gatekeeper Renewal proxy job proxy Service proxy proxy job proxy proxy cert key Client proxy Job proxy proxy policy X.509 proxy MyProxy proxy WCGA 2006 http: / / myproxy.ncsa.uiuc.edu/ 27 MyProxy and Web SSO PURSE password password cert Pubcookie password password cookie Login Server MyProxy cookie Browser cookie cookie Portal A cert password X.509 Grid Service X.509 cookie cert Portal B WCGA 2006 http: / / myproxy.ncsa.uiuc.edu/ 28 14

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Identity Federation for Virtual Organizations: GridShib and MyProxy APAN Middleware Workshop

Identity Federation for Virtual Organizations: GridShib and MyProxy APAN Middleware Workshop

Identity Federation for Virtual Organizations: GridShib and MyProxy APAN Middleware Workshop Jan 22nd, 2006 Toyko, Japan Von Welch vwelch@ncsa.uiuc.edu Outline GridShib MyProxy Future plans: Shibboleth/MyProxy/GridShib

473 views • 28 slides
Exelon Smart Grid Multi-Service Communications Architecture Do Doug Mc McGi Ginnis 4/ 4/5/

Exelon Smart Grid Multi-Service Communications Architecture Do Doug Mc McGi Ginnis 4/ 4/5/

Exelon Smart Grid Multi-Service Communications Architecture Do Doug Mc McGi Ginnis 4/ 4/5/ 5/13 Smart Grid (Generation 1) Grid Automation is not a new concept SCADA/AMR functions have been around for years Smart Grid is the embodiment

514 views • 28 slides
Warren Multi Purpose Health Service Approach To Reducing Falls What is a MPS? MPS allow

Warren Multi Purpose Health Service Approach To Reducing Falls What is a MPS? MPS allow

Warren Multi Purpose Health Service Approach To Reducing Falls What is a MPS? MPS allow smaller rural communities to consolidate services and better match services to community needs. A Multi Purpose Service (MPS) is funded by both

385 views • 16 slides
GWorkflowDL: A Multi-Purpose GWorkflowDL: A Multi-Purpose Language for Scientific Language for

GWorkflowDL: A Multi-Purpose GWorkflowDL: A Multi-Purpose Language for Scientific Language for

3rd CoreGIRD Workshop in Grid Middlewares GWorkflowDL: A Multi-Purpose GWorkflowDL: A Multi-Purpose Language for Scientific Language for Scientific Workflow Enactment Workflow Enactment Simone Pellegrini, Francesco Giacomini INFN CNAF Viale

694 views • 44 slides
Troubleshooting Grid authentication from the client side By Adriaan van der Zee RP1 presentation

Troubleshooting Grid authentication from the client side By Adriaan van der Zee RP1 presentation

Troubleshooting Grid authentication from the client side By Adriaan van der Zee RP1 presentation 2009-02-04 Contents The Grid @NIKHEF The project Grid components and interactions X.509 certificates, proxies and delegations

257 views • 13 slides
Multi-Factor Authentication (MFA) for the NCEdCloud IAM Service - Part 2 - (MFA for additional

Multi-Factor Authentication (MFA) for the NCEdCloud IAM Service - Part 2 - (MFA for additional

Multi-Factor Authentication (MFA) for the NCEdCloud IAM Service - Part 2 - (MFA for additional NCEdCloud Privileged Accounts) - Mark Scheible, MCNC MFA for All NCEdCloud Privileged Users As a part of continuing efforts to enhance the security

479 views • 14 slides
Multi-Factor Authentication (MFA) for the NCEdCloud IAM Service - Part 2 - (MFA for additional

Multi-Factor Authentication (MFA) for the NCEdCloud IAM Service - Part 2 - (MFA for additional

Multi-Factor Authentication (MFA) for the NCEdCloud IAM Service - Part 2 - (MFA for additional NCEdCloud Privileged Accounts) - Mark Scheible, MCNC MFA for All NCEdCloud Privileged Users - 1 As a part of continuing efforts to enhance the

319 views • 15 slides
In Grid We Trust New authentication mechanisms and their impact on trust relationships at the

In Grid We Trust New authentication mechanisms and their impact on trust relationships at the

In Grid We Trust New authentication mechanisms and their impact on trust relationships at the home organisation ISGC 2011 David Groep David Groep Nikhef Amsterdam PDP & Grid In Grid ... where many participants have no a-priori

309 views • 26 slides
DISTRIBUTED AND PARALLEL SYSTEMS Grid Technologies - Practical Lab Lab 03 - Schedule 2

DISTRIBUTED AND PARALLEL SYSTEMS Grid Technologies - Practical Lab Lab 03 - Schedule 2

1 SELECTED TOPICS IN DISTRIBUTED AND PARALLEL SYSTEMS Grid Technologies - Practical Lab Lab 03 - Schedule 2 Create new certificates requests Discussion of Homework 01 Material required for next Assignment MyProxy Java CoG

315 views • 12 slides
FOR GEOMETRIC MULTI-GRID METHODS Nikolay Sakharnykh (NVIDIA), Dusan Stosic (UFPE), 4/4/2016

FOR GEOMETRIC MULTI-GRID METHODS Nikolay Sakharnykh (NVIDIA), Dusan Stosic (UFPE), 4/4/2016

April 4-7, 2016 | Silicon Valley HIGH-ORDER DISCRETIZATIONS FOR GEOMETRIC MULTI-GRID METHODS Nikolay Sakharnykh (NVIDIA), Dusan Stosic (UFPE), 4/4/2016 MULTI-GRID METHODS Introduction Multi-grid solves elliptic PDEs (Ax=b) using a

684 views • 44 slides
User Authentication Passport Jason Situ Passport What is it? Passport is authentication

User Authentication Passport Jason Situ Passport What is it? Passport is authentication

User Authentication Passport Jason Situ Passport What is it? Passport is authentication middleware for Node. It is designed to serve a singular purpose: authenticate requests. Supports a comprehensive set of authentication mechanisms called

808 views • 16 slides
EGI-InSPIRE GridCertLib Shibboleth authentication for X.509 certificates and Grid proxies

EGI-InSPIRE GridCertLib Shibboleth authentication for X.509 certificates and Grid proxies

EGI-InSPIRE GridCertLib Shibboleth authentication for X.509 certificates and Grid proxies Sergio Maffioletti <sergio.maffioletti@gc3.uzh.ch> Grid Computing Competence Centre, University of Zurich http://www.gc3.uzh.ch/ GridCertLib EGI

383 views • 26 slides
Multi - Grid Methods Press et al., Numerical Recipes in C , Section 19.6

Multi - Grid Methods Press et al., Numerical Recipes in C , Section 19.6

Multi - Grid Methods Press et al., Numerical Recipes in C , Section 19.6 http://www.nrbook.com/a/bookcpdf.php A Multigrid Tutorial, http://www.llnl.gov/casc/people/henson/mgtut/welcome.html Tuesday, June 26, 2007 1 Multi - Grid Methods

407 views • 22 slides
Secure SDN Authentication & Authorization for Multi-tenancy (DNS based PKI model) Author:

Secure SDN Authentication & Authorization for Multi-tenancy (DNS based PKI model) Author:

IETF94 2 Nov. 2015 Yokohama SDNRG WG Secure SDN Authentication & Authorization for Multi-tenancy (DNS based PKI model) Author: www.huawei.com Hosnieh Rafiee Ietf{at}rozanak.com Motivation Problem: secure SDN authentication,

546 views • 10 slides
A new lightweight Crypto Library for supporting an Advanced Grid Authentication Process

A new lightweight Crypto Library for supporting an Advanced Grid Authentication Process

A new lightweight Crypto Library for supporting an Advanced Grid Authentication Process with Smart Cards Roberto BARBERA (1)(2) , Vincenzo CIASCHINI (3) , Alberto FALZONE (4) , Giuseppe LA ROCCA (1)

456 views • 32 slides
Multi-factor Authentication Coming to a NERSC near you You Have Probably Heard of MFA

Multi-factor Authentication Coming to a NERSC near you You Have Probably Heard of MFA

Multi-factor Authentication Coming to a NERSC near you You Have Probably Heard of MFA Password One-time Password (OTP) Factor == Authentication Method Certificate Hardware Token Biometric password + OTP token + PIN Multi-factor ::= 2+

90 views • 7 slides
Computer Animation Tim Weyrich March 2010 Physical simulation Heavily based on slides by Marco

Computer Animation Tim Weyrich March 2010 Physical simulation Heavily based on slides by Marco

Computer Animation Tim Weyrich March 2010 Physical simulation Heavily based on slides by Marco Gillies Physical simulation Physical simulation: books ! Animation is about things moving ! One book that is OK: ! The motion of

824 views • 13 slides
Spontaneous Wave Function Collapse with Frame Dragging Lajos Di osi Wigner Center, Budapest

Spontaneous Wave Function Collapse with Frame Dragging Lajos Di osi Wigner Center, Budapest

Spontaneous Wave Function Collapse with Frame Dragging Lajos Di osi Wigner Center, Budapest 25 Sept 2019, Frascati Supported by Foundational Questions Institute & Fetzer Franklin Fund National Research Development and Innovation Office

323 views • 11 slides
Estimating Chinese households transport expenditure using non-transport survey data Flexible

Estimating Chinese households transport expenditure using non-transport survey data Flexible

Estimating Chinese households transport expenditure using non-transport survey data Flexible demand systems, income, and the built environment Paul Natsuo Kishimoto <kishimot@iiasa.ac.at> iTEM4 workshop, day 2 31 October 2018 0 /30 0

794 views • 61 slides
Folder Contents Agenda 10:00AM 10:20AM Registration 10:20AM 10:30AM Welcome and

Folder Contents Agenda 10:00AM 10:20AM Registration 10:20AM 10:30AM Welcome and

Folder Contents Agenda 10:00AM 10:20AM Registration 10:20AM 10:30AM Welcome and Introduction 10:30AM 11:15AM Highlights of the MACRA Rule 11:15AM 12:00PM Tips and Tricks for MU and PQRS 12:00PM Lunch 12:15PM 1:15PM Panel:

1.31k views • 114 slides
A Grid Research Toolbox The Failure Trace Archive DGSim A. Iosup, O. Sonmez, N. Yigitbasi, M.

A Grid Research Toolbox The Failure Trace Archive DGSim A. Iosup, O. Sonmez, N. Yigitbasi, M.

and Cloud A Grid Research Toolbox The Failure Trace Archive DGSim A. Iosup, O. Sonmez, N. Yigitbasi, M. Jan H. Mohamed, S. Anoep, D.H.J. Epema LRI/INRIA Futurs Paris, INRIA PDS Group, ST/EWI, TU Delft H. Li, L. Wolters I. Raicu, C.

883 views • 46 slides
Unit 3: Direct current and electric resistance Electric current and movement of charges.

Unit 3: Direct current and electric resistance Electric current and movement of charges.

Unit 3: Direct current and electric resistance Electric current and movement of charges. Intensity of current and drift speed. Density of current in homogeneous currents. Ohms law. Resistance of a homogeneous conductor of

433 views • 10 slides
Information Geometric Nonlinear Filtering: a Hilbert Space Approach Nigel Newton (University of

Information Geometric Nonlinear Filtering: a Hilbert Space Approach Nigel Newton (University of

Information Geometric Nonlinear Filtering: a Hilbert Space Approach Nigel Newton (University of Essex) Information Geometry and its Applications IV, Liblice, June 2016 In honour of Shun-ichi Amari on the occasion of his 80 th birthday

972 views • 58 slides
1 Prof. S. Ben-Yaakov , DC-DC Converters [9- 4] Current transformer I L I L L T t I I out

1 Prof. S. Ben-Yaakov , DC-DC Converters [9- 4] Current transformer I L I L L T t I I out

Prof. S. Ben-Yaakov , DC-DC Converters [9- 1] Current Sensing 9.1 Resistor 9.2 Current transformer Prof. S. Ben-Yaakov , DC-DC Converters [9- 2] Current Sensing Control PCM, ACM Protection I R Sense Resistor V R Problems

426 views • 6 slides

More recommend