Transcript KEK Grid CA
KEK Grid CA
Go Iwai
The 2nd APGrid PMA Meeting at Osaka Univ.
Computing Research Center, High Energy Accelerator Organization (KEK)
KEK Organization and History
• High Energy Accelerator Research Organization (KEK)
–
–
–
–
Institute of Particle and Nuclear Studies
Institute of Materials Structure Science
Accelerator Laboratory
Applied Research Laboratory
•
•
•
•
Computing Research Center
Radiation Science Center
Cryogenics Science Center
Mechanical engineering Center
• History
– National Laboratory for High Energy Physics (1971)
– High Energy Accelerator Research Organization (1997)
• Combined with Institute for Nuclear Study
– High Energy Accelerator Research Organization
• reformed as an Inter-University Research Institute Corporation (2004)
2006/10/15
The 2nd APGrid PMA Meeting Meeting at Osaka Univ.
2
KEK: High Energy
Accelerator Organization
J-PARC
~60km
Tsukuba
B Factory
Pacific
Ocean
LC-Test Facility
Photon Factory
2006/10/15
Tokai
Tokyo
The 2nd APGrid PMA Meeting Meeting at Osaka Univ.
3
Issued Certificates
• Host certificates
– 73 certificates were issued
• User certificates
– 26 certificates were issued
• SSL Server certificates
– 1 certificate was issued
– only for ICEPP (Univ. of Tokyo) and KEK
2006/10/15
The 2nd APGrid PMA Meeting Meeting at Osaka Univ.
4
Experiences
• /Email field was troublesome and not available any more
– LCG was OK
– SRB-DSI does not work for any certificates including the field
• Power outage because of the regular inspection of
facilities requested by the government
– Power backup by the generator was done with big efforts
– We may stop the operation of CA for 3days in the next year
• Securing private keys are essential for PKI operations
– However, sometimes users copy their’s to remote sites via
network and store on distributed storage systems, even on NFS
servers.
– Education is very important for users
• Regular training should be considered
2006/10/15
The 2nd APGrid PMA Meeting Meeting at Osaka Univ.
5
Plan
• Change on CP/CPS
– Currently, SSL server certificates are issued only for ICEPP and KEK,
however, LCG needs the SSL server certificates at each LCG site
• C=JP, O=KEK, OU=CRC, CN=FQDN
• SSL server certificates will be issued for each site
• General usages are forbidden and only for usage with LCG
– We assumed that applicants are existing users of KEK Computing
research center
• Contractors in collaborating institutes cannot be a user of us
• We will change CP/CPS to allow applications from them
– Existing users or the persons who are endorsed by the representative of
the collaborating institute of KEK
• We will have the first audit within this year.
– Yoshio Tanaka will be an auditor
• Thank him for his efforts
– November or December?
2006/10/15
The 2nd APGrid PMA Meeting Meeting at Osaka Univ.
6
End
Any comment or suggestion?
Computing Research Center, High Energy Accelerator Organization (KEK)
For backups
Computing Research Center, High Energy Accelerator Organization (KEK)
CP/CPS
• KEK GRID CA CP/CPS
–
–
–
–
Version: 1.0.0
OID: 1.3.6.1.4.1.200198.1.10.2
Conforms RFC2527
Strongly inspired by CP/CPS’ of NAREGI CA and AIST
CA
• KEK GRID CP/CPS is managed by the KEK GRID
PMA.
– Changes in contents need to be approved by the KEK
GRID PMA, as described in section 8.
2006/10/15
The 2nd APGrid PMA Meeting Meeting at Osaka Univ.
9
End Entities
• Grid Users, Servers and Services:
– Members at KEK and it’s collaborating
institutes
– Computing Facility at KEK and it’s
collaborating institutes
2006/10/15
The 2nd APGrid PMA Meeting Meeting at Osaka Univ.
10
Certificate Types
• User Certificate:
– C=JP, O=KEK, OU=CRC, CN=Takashi Sasaki
• Globus Servers:
– host
• C=JP, O=KEK, OU=CRC, CN=host/FQDN
– Services
• C=JP, O=KEK, OU=CRC, CN=ldap/FQDN
• Web Servers (only for LCG at KEK CRC and ICEPP,
U. of Tokyo):
– C=JP, O=KEK, OU=CRC, CN=FQDN
2006/10/15
The 2nd APGrid PMA Meeting Meeting at Osaka Univ.
11
Identification and Authentication
• Prerequisite:
– The person must be an existing user of KEK CRC
• One referee among KEK employees is requested
• Applicants must be a member of either of the projects at KEK
• User Certificate:
– Subscriber must
• submit in-person or mail (or FAX) the application to the user administrator.
• attach a copy of his/her personal identification document with a photo.
• have an interview in-person or on the video conference by the user
administrator
– User administrator confirms the application with the representative’s
signature on it
• Host and Service Certificate
–
An application is required to be submitted by an existing certificate user
2006/10/15
The 2nd APGrid PMA Meeting Meeting at Osaka Univ.
12
Certificate Restrictions
• Certificate Lifetime:
– 5 years for KEK GRID CA certificate
– 1 year for each end entity certificate
• User and server certificates should not be
shared.
2006/10/15
The 2nd APGrid PMA Meeting Meeting at Osaka Univ.
13
Certificate Revocation
• Certificates are to be revoked when …
– the RA receives a revocation request from a user.
– the user’s key has been compromised or is suspected
of being compromised.
– the user information on the certificate is suspected of
being incorrect.
– the user lost the status of KEK CRC user
• the user leaves the job or etc.
– the CA private key has been compromised.
– a user violates his/her obligations
• as described in the CP/CPS Section 2.1.3.
2006/10/15
The 2nd APGrid PMA Meeting Meeting at Osaka Univ.
14
Revocation Request Procedure
• Revocation Request from a user
– User can choose between two methods, as follows:
• Command-line UI and Web-based UI using encrypted
communication between the user and the RA.
– The RA confirms a revocation request by using the
client certificate, and accepts it.
– The RA sends a revocation request to the CA located in
an independent network segment.
• Communications between the RA and the CA are encrypted.
• The CA security officer can execute a revocation
request on behalf of the user, if it is necessary.
2006/10/15
The 2nd APGrid PMA Meeting Meeting at Osaka Univ.
15
CRL
• The KEK GRID CA will …
– revoke the certificate immediately after receipt and
acceptance of the revocation request.
– publish the CRL on the KEK CA web site immediately.
• A relying party can verify a certificate by
retrieving the newest CRL on the web site.
• The issued CRL is valid for 30 days.
• The CRL will be reissued at least seven days
before the previous one expires.
2006/10/15
The 2nd APGrid PMA Meeting Meeting at Osaka Univ.
16
Physical Security
• CA Server :
– dedicated machine in a locked room
• The room is located in the secure building.
• only connected to the RA server via an exclusive
network using a private address.
• CA server cannot be reached from the Internet.
• CA private key :
– Protected by a FIPS 140-2 Level 3 compliant HSM.
– is copied in a backup device with passphrase in a keylocked shelf.
2006/10/15
The 2nd APGrid PMA Meeting Meeting at Osaka Univ.
17
Records Archival
• Types of Archive Data:
– All issued certificates and CRLs
– All enrollment requests and notifications between the
KEK GRID CA and users
– Operation history of the CA key
• Events of Interest, as described in CP/CPS 4.5.1
• login, logout, reboot, access and error logs, etc…
– Other documents about the KEK GRID CA.
• The retention period is 3 years.
• Archived files are preserved in a key-locked shelf.
2006/10/15
The 2nd APGrid PMA Meeting Meeting at Osaka Univ.
18
Key Pair
• The CA private key is generated by the HSM.
• A user’s key pair is generated on users’ PC by
using a given license ID.
– The user’s private key is not generated by the CA and
the RA.
• Key Length:
– CA Certificate: 2048 bits
– End Entity: 1024 bits
• License ID:
– 24 characters
– is provided from the RA for one-time authentication at
the time of enrollment process of the user.
2006/10/15
The 2nd APGrid PMA Meeting Meeting at Osaka Univ.
19