MyProxy and the Globus Toolkit
Agenda:
10:00-10:30  MyProxy Introduction and Update (Jim Basney, NCSA)
10:30-10:45  MyProxy and NVO (Mike Freemon, NCSA)
10:45-11:00  MyProxy and FusionGrid (Mary Thompson, LBL)
11:00-11:15  MyProxy and EGEE (Ludek Matyska, CESNET)
11:15-11:30  Panel Discussion
See http://myproxy.ncsa.uiuc.edu/talks.html for slides.
GridWorld 2006
http://myproxy.ncsa.uiuc.edu/

MyProxy Introduction and Update
Jim Basney, Senior Research Scientist, NCSA
[email protected]

What is MyProxy?
- An Online Credential Repository
  - Long-lived private keys never leave the server
  - Issues short-lived X.509 Proxy Certificates
- An Online Certificate Authority
  - Issues short-lived X.509 End Entity Certificates
  - Avoid need for long-lived user keys
- Supporting multiple authentication methods
  - Passphrase, Certificate, PAM, SASL, Kerberos, Pubcookie, VOMS
- Open Source Software
  - Included in Globus Toolkit, UGE, NMI, VDT, and CoG Kits
  - C, Java, Python, and Perl clients available
  - Contributions from EDG, UVA, LBL, and others

MyProxy Logon
- Authenticate to retrieve PKI credentials
  - End Entity or Proxy Certificate
  - Trusted CA Certificates
  - Certificate Revocation Lists (CRLs)
- MyProxy maintains the user's PKI context
  - Users don't need to manage long-lived credentials
  - Enables server-side monitoring and policy enforcement (ex. passphrase quality checks)
  - CA certificates & CRLs updated automatically at login
- MyProxy integrates with existing authentication systems
  - Providing a gateway to grid authentication

MyProxy Authentication
- Key Passphrase
- X.509 Certificate
  - Control credential storage, retrieval, and renewal
  - Supports trusted authentication and renewal services
- Pluggable Authentication Modules (PAM)
  - Kerberos password
  - One Time Password (OTP)
  - Lightweight Directory Access Protocol (LDAP) password
- Simple Authentication and Security Layer (SASL)
  - Kerberos ticket (SASL GSSAPI)
- Pubcookie
  - Web Single Sign-On
- Virtual Organization Membership Service (VOMS)
  - Attribute-based access control

MyProxy Deployment Options
- Users already have PKI credentials
  - MyProxy repository can help users manage the credentials by:
    - Securing private keys in a professionally managed server
    - Obtaining credentials when/where needed
    - Using credentials with MyProxy-enabled applications
- Users have site logons but no PKI credentials
  - MyProxy CA can provide the bridge
- Users need to register to obtain PKI credentials
  - User registration portals provide a MyProxy interface
    - Grid Account Management Architecture (GAMA): http://grid-devel.sdsc.edu/gama
    - Portal-Based User Registration Service (PURSE): http://www.grids-center.org/solutions/purse

MyProxy CA Configuration
- Authentication options: PAM, SASL/Kerberos, SSL/TLS
- Username to certificate subject mapping: via “gridmap” file, LDAP query, or call-out
- Certificate extension config file and call-out
- Maximum certificate lifetime policy
- Works well with Globus Simple CA

MyProxy Repository Policies
- Who can store credentials?
  - Restrict to specific users or CAs
  - Restrict to administrator only
- Who can retrieve credentials?
  - Allow anyone with correct password
  - Allow only trusted services / portals
- Maximum lifetime of retrieved credentials
- Policies are set server-wide and per-credential
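
A myproxy-server.config fragment that puts the CA configuration slide and the repository policies slide together. This is an added example, not taken from the slides or shipped with MyProxy: the directive names are those of the myproxy-server.config distributed with the software as I recall them, while every path, DN, and lifetime value is a placeholder (assumed), and the lifetime units should be checked against the comments in the installed file before use.

```conf
# /etc/myproxy-server.config (added example; paths and DNs are placeholders)

# --- Authentication for the CA path: pass phrase checked through PAM ---
pam    "required"          # see /etc/pam.d/myproxy for the PAM stack (Kerberos, LDAP, OTP)
pam_id "myproxy"
# sasl "required"          # alternative: SASL/GSSAPI with a Kerberos ticket

# --- MyProxy CA: issue short-lived end entity certificates ---
certificate_issuer_cert "/var/myproxy/ca/cacert.pem"
certificate_issuer_key  "/var/myproxy/ca/cakey.pem"
certificate_mapfile     "/etc/grid-security/grid-mapfile"   # username -> subject DN
# certificate_mapapp    "/usr/local/sbin/dn-lookup"         # or a call-out (e.g. LDAP query)
certificate_extfile     "/var/myproxy/ca/extensions.cnf"    # extensions for issued certs
# certificate_extapp    "/usr/local/sbin/cert-extensions"   # or a call-out
max_cert_lifetime 43200   # cap on CA-issued certificate lifetime (check units in your file)

# --- Repository policies: server-wide defaults; per-credential policy is set at store time ---
accepted_credentials  "/DC=org/DC=example/*"    # who may store: only subjects from this CA
authorized_retrievers "*"                        # anyone presenting the correct pass phrase
default_retrievers    "*"
trusted_retrievers    "/DC=org/DC=example/O=Services/CN=portal.example.org"   # no pass phrase
default_trusted_retrievers "none"
authorized_renewers   "/DC=org/DC=example/O=Services/CN=renewal.example.org"  # cert-based renewal
default_renewers      "none"
max_proxy_lifetime 43200  # retrieved proxies never exceed 12 hours
passphrase_policy_program "/usr/local/sbin/myproxy-passphrase-policy"  # quality checks on store
```

The two halves enforce different things: the CA block decides who can obtain a brand-new certificate and what goes into it, while the repository block decides who can deposit and who can withdraw an existing credential. Leaving `authorized_retrievers` at `*` is the password-based model from the slide; restricting it to a portal DN and using `trusted_retrievers` is the trusted-portal model, where the user's pass phrase never reaches the portal.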

MyProxy-enabled Applications
- CoG Kit APIs (www.cogkit.org)
- Grid portal toolkits
  - GridSphere (www.gridsphere.org)
  - GridPort (gridport.net)
  - OGCE (www.collab-ogce.org)
- Authentication modules
  - JAAS (myproxy.ncsa.uiuc.edu/jaas)
  - Apache (myproxy.ncsa.uiuc.edu/apache)
  - Pubcookie (myproxy.ncsa.uiuc.edu/pubcookie)

MyProxy Documentation

MyProxy Support

MyProxy Protocols
Presenting the following scenarios:
- Obtain credentials via MyProxy CA
- Store credentials in MyProxy repository
- User Registration Portals
- Web Portal Authentication and Delegation
- Web Single Sign-On (SSO)
- Credential Renewal
- Password-based Delegation

MyProxy CA with PAM
[Diagram] Client (fresh keypair) -> TLS handshake -> MyProxy Server (CA key): the Client sends its password and a certificate request; the server verifies the password through PAM against a RADIUS Server or a Kerberos KDC (TGT), looks up the user's DN via the gridmap file or an LDAP Server, signs the request with the CA key and returns the certificate. The Client then authenticates to a Grid Service with the resulting X.509 credential.

MyProxy CA with Kerberos
[Diagram] Client (fresh keypair) -> TLS handshake -> SASL/GSSAPI/Kerberos authentication to the MyProxy Server (CA key) with a ticket obtained from the Kerberos KDC; the Client then sends a certificate request, the server does the DN lookup via the gridmap file or an LDAP Server, signs with the CA key and returns the certificate. The Client authenticates to a Grid Service with the X.509 credential.

MyProxy Put
[Diagram] Client (certificate, private key) -> TLS handshake -> MyProxy Server: the Client sends username, password and retrieval policy; the server generates a new keypair and returns a certificate request; the Client signs a proxy certificate for it and sends back the certificate chain. The server stores the delegated proxy's private key and cert chain.

MyProxy Get
[Diagram] Client -> TLS handshake -> MyProxy Server (stored private key, cert chain): the Client sends username, password and a certificate request for a freshly generated key; the server signs a proxy certificate with the stored private key and returns the proxy certificate chain. The Client then holds an X.509 proxy plus its private key and authenticates to a Grid Service.

User Registration Portal
[Diagram] Browser -> TLS handshake -> Registration Portal with username and password; the portal obtains a certificate from the Certificate Authority, records the username in its User DB, and stores the certificate and private key in the MyProxy Server under that username. Later the Client -> TLS handshake -> MyProxy Server sends username, password and a certificate request, receives the proxy certificate chain, and authenticates to a Grid Service with the X.509 proxy and private key.

Password-based Portal Auth
[Diagram] Browser -> TLS handshake -> Portal with username and password; the Portal forwards username, password and a cert request to MyProxy and receives the cert; the Portal now holds the user's cert and key and authenticates to a Grid Service with X.509 on the user's behalf.

Trusted Portal
[Diagram] Browser -> TLS handshake -> Portal with username and password, which the Portal checks against its own User DB; the Portal then authenticates to MyProxy with its own X.509 cert and sends only the username and a cert request (no user password reaches MyProxy); MyProxy returns the cert, and the Portal uses the user's cert and key to authenticate to a Grid Service.

MyProxy and Web SSO
[Diagram] Browser -> password -> PURSE (registration; the user's cert is stored in MyProxy under that password). Browser -> password -> Pubcookie Login Server, which validates the password against MyProxy and returns a cookie; the Browser presents the cookie to Portal A and Portal B, each of which uses it to obtain the user's cert from MyProxy and authenticates to a Grid Service with X.509.

Password-based Renewal
[Diagram] Client submits a job with its proxy and MyProxy password to Condor-G; Condor-G submits the job with the proxy to the GRAM Gatekeeper, which starts the Job with the proxy. Condor-G uses the password to fetch a fresh proxy from MyProxy before the running one expires and pushes the renewed proxy to the Gatekeeper and the Job.

Certificate-based Renewal
[Diagram] Client (cert, key) stores a proxy in MyProxy with a renewal policy naming the Renewal Service, then submits a job to the Workload Management Service; the Renewal Service authenticates to MyProxy with its own X.509 cert, presents the expiring proxy and receives a renewed one, which flows through Condor-G to the GRAM Gatekeeper and the Job.

Password-based Delegation
[Diagram] Delegator (certificate, private key) -> TLS handshake -> MyProxy: stores a delegated certificate chain under a username and a random password (MyProxy returns a certificate request, the Delegator signs and returns the certificate). The Delegator hands the username and random password to the Delegatee out of band. Delegatee -> TLS handshake -> MyProxy: sends username, random password and a certificate request and receives the certificate chain; the Delegatee now holds a certificate and private key usable on the Delegator's behalf.
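
The wire exchange behind the MyProxy Get diagram (and the MyProxy Logon slide) and the password-based delegation above, as an added Python example; it is not code from the slides or from the MyProxy distribution. It serializes the v2 request (VERSION/COMMAND/USERNAME/PASSPHRASE/LIFETIME lines, newline-separated and NUL-terminated), parses the RESPONSE/ERROR reply, and splits the DER certificate chain the server returns after the client's CSR. Assumptions: the TLS connection is established by the caller, `FakeConn` is a scripted stand-in for the socket, and the `SAMPLE_*` byte strings are constructed DER blobs rather than real certificates; the command codes and message layout are from the MyProxy protocol documentation as I recall it, so check them against the myproxy-logon source before relying on them.

```python
# Added example, not MyProxy project code: the v2 messages behind "MyProxy Get"
# and password-based delegation. Assumed: the caller holds the TLS connection;
# FakeConn and the SAMPLE_* byte strings are constructed for the offline demo.
import secrets

CMD_GET, CMD_PUT = 0, 1   # MyProxy command codes (INFO=2, DESTROY=3 not shown)
# Constructed DER stand-ins: SEQUENCE{INTEGER 1}, and a 256-byte body whose
# long-form (0x82) length exercises the second length encoding.
SAMPLE_CERT_A = b"\x30\x03\x02\x01\x01"
SAMPLE_CERT_B = b"\x30\x82\x01\x00" + b"\x5a" * 256
SAMPLE_CSR = b"\x30\x03\x02\x01\x07"   # stand-in for the client's DER PKCS#10 request

def build_request(command, username, passphrase, lifetime=43200, retrievers=None):
    """Client request: KEY=VALUE lines, newline-separated, NUL-terminated.
    LIFETIME is in seconds (43200 = 12 h, the myproxy-logon default)."""
    if len(passphrase) < 6:                # MyProxy's minimum pass phrase length
        raise ValueError("pass phrase must be at least 6 characters")
    lines = ["VERSION=MYPROXYv2", "COMMAND=%d" % command, "USERNAME=%s" % username,
             "PASSPHRASE=%s" % passphrase, "LIFETIME=%d" % lifetime]
    if retrievers:  # PUT only: per-credential retriever policy (myproxy-init -r)
        lines.append("RETRIEVER=%s" % retrievers)
    return ("\n".join(lines) + "\n").encode() + b"\0"

def parse_response(msg):
    """Server reply in the same format. Every key maps to a list because ERROR
    may repeat; RESPONSE is 0 (ok), 1 (error) or 2 (authorization challenge)."""
    fields = {}
    for line in msg.rstrip(b"\0").decode().splitlines():
        key, _, value = line.partition("=")
        fields.setdefault(key, []).append(value)
    if fields.get("VERSION") != ["MYPROXYv2"]:
        raise ValueError("unexpected protocol version %r" % fields.get("VERSION"))
    return fields

def split_der_certs(blob):
    """Split concatenated DER certs on their SEQUENCE length headers; a trailing
    partial certificate is left unparsed so the caller can read more bytes."""
    certs, i = [], 0
    while i + 2 <= len(blob):
        if blob[i] != 0x30:
            raise ValueError("expected DER SEQUENCE at offset %d" % i)
        first = blob[i + 1]
        if first < 0x80:                      # short form: one length byte
            hdr, length = 2, first
        else:                                 # long form: 0x8N, then N length bytes
            n = first & 0x7F
            hdr, length = 2 + n, int.from_bytes(blob[i + 2:i + 2 + n], "big")
        if i + hdr + length > len(blob):
            break
        certs.append(blob[i:i + hdr + length])
        i += hdr + length
    return certs

def read_message(conn):
    buf = b""                                 # one NUL-terminated text message
    while not buf.endswith(b"\0"):
        chunk = conn.recv(4096)
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf

def myproxy_get(conn, username, passphrase, lifetime, csr_der):
    """GET on an established TLS connection: request, reply, client CSR, then the
    server's chain as one count byte followed by the DER certificates."""
    conn.sendall(build_request(CMD_GET, username, passphrase, lifetime))
    resp = parse_response(read_message(conn))
    if resp.get("RESPONSE") != ["0"]:      # the challenge case (2) is not handled here
        raise PermissionError("MyProxy refused: " + "; ".join(resp.get("ERROR", [])))
    conn.sendall(csr_der)
    count, buf = None, b""
    while True:
        chunk = conn.recv(4096)
        buf += chunk
        if count is None and buf:
            count = buf[0]                    # first byte: number of certificates
        chain = split_der_certs(buf[1:]) if count is not None else []
        if count is not None and len(chain) >= count:
            return chain[:count]
        if not chunk:
            raise ConnectionError("connection closed before the full chain arrived")

class FakeConn:
    """Constructed stand-in for a TLS socket with scripted server replies."""
    def __init__(self, replies):
        self.replies, self.sent = list(replies), []
    def sendall(self, data):
        self.sent.append(data)
    def recv(self, n):
        return self.replies.pop(0) if self.replies else b""

def delegation_demo():
    """Delegator stores its credential (PUT) under a random pass phrase, hands
    username + pass phrase to the delegatee, who retrieves a short-lived chain."""
    shared = secrets.token_urlsafe(18)        # fresh pass phrase for this delegation only
    put_req = build_request(CMD_PUT, "alice", shared, 7 * 86400, retrievers="*")
    conn = FakeConn([b"VERSION=MYPROXYv2\nRESPONSE=0\n\0",
                     bytes([2]) + SAMPLE_CERT_A + SAMPLE_CERT_B])
    return put_req, myproxy_get(conn, "alice", shared, 43200, SAMPLE_CSR)
```

Against a live server the client connects to TCP port 7512, writes a single '0' byte before the TLS handshake (the protocol's Globus-compatibility quirk), verifies the server's host certificate against the trusted CA directory, and only then hands the socket to `myproxy_get`. A PUT differs from a GET in that the server, not the client, generates the keypair and sends the certificate request, which is why the demo only serializes the PUT message and does not run it through `FakeConn`. The delegatee's pass phrase is generated per delegation and is never the delegator's own login secret; its lifetime cap is whatever the server's `max_proxy_lifetime` policy allows.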

SSO for Browser and Application
[Diagram] Browser authenticates to the Portal; the Portal obtains the user's cert from the MyProxy Server and stores it back under a random password; it launches the Application via JWS (Java Web Start), passing the random password; the Application uses it to retrieve the cert from the MyProxy Server and authenticates to a Grid Service with X.509.

Conclusion
- MyProxy provides a versatile solution for credential management on the grid
  - Demonstrated use in many authentication, delegation, and single sign-on scenarios
- MyProxy provides practical authentication solutions
  - Minimize changes to existing software and protocols
  - Leverage community standards: GSI, PAM, SASL, Kerberos, LDAP, Pubcookie
- Active MyProxy open source community
  - New capabilities can be deployed incrementally
  - We all benefit from each other’s work