KEK Grid CA
Go Iwai
The 2nd APGrid PMA Meeting at Osaka Univ., 2006/10/15
Computing Research Center, High Energy Accelerator Research Organization (KEK)

KEK Organization and History
• High Energy Accelerator Research Organization (KEK)
  – Institute of Particle and Nuclear Studies
  – Institute of Materials Structure Science
  – Accelerator Laboratory
  – Applied Research Laboratory
    • Computing Research Center
    • Radiation Science Center
    • Cryogenics Science Center
    • Mechanical Engineering Center
• History
  – National Laboratory for High Energy Physics (1971)
  – High Energy Accelerator Research Organization (1997)
    • combined with the Institute for Nuclear Study
  – High Energy Accelerator Research Organization reformed as an Inter-University Research Institute Corporation (2004)

KEK: High Energy Accelerator Research Organization
[Map of KEK sites: Tsukuba (B Factory, LC-Test Facility, Photon Factory) and Tokai (J-PARC), about 60 km apart, with Tokyo and the Pacific Ocean shown for reference]

Issued Certificates
• Host certificates: 73 issued
• User certificates: 26 issued
• SSL server certificates: 1 issued
  – only for ICEPP (Univ. of Tokyo) and KEK

Experiences
• The /Email field was troublesome and is no longer available
  – LCG was OK with it
  – SRB-DSI does not work with any certificate that includes the field
• Power outage because of the regular inspection of facilities requested by the government
  – Backup power from the generator was arranged with great effort
  – We may stop CA operation for 3 days next year
• Securing private keys is essential for PKI operations
  – However, users sometimes copy their private keys to remote sites over the network and store them on distributed storage systems, even on NFS servers
  – User education is very important
    • Regular training should be considered
Plan
• Change to the CP/CPS
  – Currently SSL server certificates are issued only for ICEPP and KEK; however, LCG needs SSL server certificates at each LCG site
    • C=JP, O=KEK, OU=CRC, CN=FQDN
    • SSL server certificates will be issued for each site
    • General use is forbidden; they are only for use with LCG
  – We assumed that applicants are existing users of the KEK Computing Research Center
    • Contractors at collaborating institutes cannot be our users
    • We will change the CP/CPS to allow applications from them
      – existing users, or persons endorsed by the representative of the collaborating institute of KEK
• We will have the first audit within this year
  – Yoshio Tanaka will be the auditor
    • Thanks to him for his efforts
  – November or December?

End
Any comment or suggestion?

For backups
Computing Research Center, High Energy Accelerator Research Organization (KEK)

CP/CPS
• KEK GRID CA CP/CPS
  – Version: 1.0.0
  – OID: 1.3.6.1.4.1.200198.1.10.2
  – Conforms to RFC 2527
  – Strongly inspired by the CP/CPS of the NAREGI CA and the AIST CA
• The KEK GRID CP/CPS is managed by the KEK GRID PMA
  – Changes to its contents need to be approved by the KEK GRID PMA, as described in section 8

End Entities
• Grid users, servers and services:
  – Members of KEK and its collaborating institutes
  – Computing facilities at KEK and its collaborating institutes

Certificate Types
• User certificate:
  – C=JP, O=KEK, OU=CRC, CN=Takashi Sasaki
• Globus servers:
  – host
    • C=JP, O=KEK, OU=CRC, CN=host/FQDN
  – services
    • C=JP, O=KEK, OU=CRC, CN=ldap/FQDN
• Web servers (only for LCG at KEK CRC and ICEPP, U. of Tokyo):
  – C=JP, O=KEK, OU=CRC, CN=FQDN
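The subject-name forms on the Certificate Types slide, together with the /Email problem noted under Experiences, can be enforced at the RA before a request ever reaches the CA. The following is an added example and not KEK's own code or anything from the CP/CPS: it parses both the comma-separated and the OpenSSL slash form of a DN (where CN=host/FQDN contains a literal slash), requires the C=JP, O=KEK, OU=CRC prefix, classifies the CN as user, host, service or web server, and rejects any DN carrying an Email RDN. The rule that a user CN is two or more capitalised words, and hostnames such as ce01.kek.jp, are assumptions for illustration.

```python
"""Subject DN check for the naming forms on the Certificate Types slide.
Added illustration, not the KEK GRID CA's own code. Hostnames are constructed."""
import re

EXPECTED_PREFIX = [("C", "JP"), ("O", "KEK"), ("OU", "CRC")]
# one or more labels followed by a TLD; matched against the lower-cased name
FQDN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$")
# assumed rule for user CNs: two or more capitalised words (e.g. "Takashi Sasaki")
NAME_RE = re.compile(r"^[A-Z][A-Za-z'.-]*(?: [A-Z][A-Za-z'.-]*)+$")
SERVICE_RE = re.compile(r"^[a-z][a-z0-9-]*$")       # e.g. "ldap" in CN=ldap/FQDN


def parse_dn(dn):
    """Return [(attr, value), ...] for 'C=JP, O=KEK, ...' or '/C=JP/O=KEK/...'.
    In the slash form a CN like host/FQDN contains a literal '/', so a fragment
    without '=' is re-joined to the value before it."""
    rdns = []
    if dn.startswith("/"):
        for frag in dn[1:].split("/"):
            if "=" in frag:
                attr, value = frag.split("=", 1)
                rdns.append([attr.strip(), value])
            elif rdns:
                rdns[-1][1] += "/" + frag
            else:
                raise ValueError("malformed DN: " + dn)
    else:
        for frag in dn.split(","):
            if "=" not in frag:
                raise ValueError("malformed DN: " + dn)
            attr, value = frag.split("=", 1)
            rdns.append([attr.strip(), value.strip()])
    return [(a, v) for a, v in rdns]


def classify_dn(dn):
    """Return (kind, fqdn_or_name, service) with kind in user/host/service/server,
    or raise ValueError when the DN does not fit any permitted form."""
    rdns = parse_dn(dn)
    attrs = [a.upper() for a, _ in rdns]
    # SRB-DSI cannot handle certificates carrying the Email field (Experiences slide)
    if "EMAIL" in attrs or "EMAILADDRESS" in attrs:
        raise ValueError("Email RDN is no longer permitted")
    if [(a.upper(), v) for a, v in rdns[:3]] != EXPECTED_PREFIX:
        raise ValueError("DN must start with C=JP, O=KEK, OU=CRC")
    if len(rdns) != 4 or rdns[3][0].upper() != "CN":
        raise ValueError("exactly one CN must follow OU=CRC")
    cn = rdns[3][1]
    if "/" in cn:                                  # Globus host or service certificate
        prefix, _, fqdn = cn.partition("/")
        if not FQDN_RE.match(fqdn.lower()):
            raise ValueError("bad FQDN in CN: " + cn)
        if prefix == "host":
            return ("host", fqdn, None)
        if SERVICE_RE.match(prefix):
            return ("service", fqdn, prefix)
        raise ValueError("bad service prefix in CN: " + cn)
    if FQDN_RE.match(cn.lower()):                  # SSL/web server certificate
        return ("server", cn, None)
    if NAME_RE.match(cn):                          # user certificate
        return ("user", cn, None)
    raise ValueError("CN is neither a person name nor an FQDN: " + cn)


def is_acceptable(dn):
    """Convenience wrapper for RA-side screening of incoming requests."""
    try:
        classify_dn(dn)
        return True
    except ValueError:
        return False
```

Because the slash form is what Globus tools print, the parser's re-joining of fragments matters: splitting `/CN=host/ce01.kek.jp` naively on `/` would yield a dangling `ce01.kek.jp` component and a CN of just `host`.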
Identification and Authentication
• Prerequisite:
  – The person must be an existing user of KEK CRC
    • One referee among KEK employees is requested
    • Applicants must be a member of one of the projects at KEK
• User certificate:
  – The subscriber must
    • submit the application to the user administrator in person or by mail (or FAX)
    • attach a copy of his/her personal identification document with a photo
    • have an interview with the user administrator, in person or by video conference
  – The user administrator confirms the application, with the representative's signature on it
• Host and service certificates:
  – The application must be submitted by an existing certificate user

Certificate Restrictions
• Certificate lifetime:
  – 5 years for the KEK GRID CA certificate
  – 1 year for each end entity certificate
• User and server certificates should not be shared.

Certificate Revocation
• Certificates are to be revoked when ...
  – the RA receives a revocation request from a user
  – the user's key has been compromised or is suspected of being compromised
  – the user information on the certificate is suspected of being incorrect
  – the user loses the status of KEK CRC user
    • e.g. the user leaves the job
  – the CA private key has been compromised
  – a user violates his/her obligations
    • as described in CP/CPS Section 2.1.3

Revocation Request Procedure
• Revocation request from a user
  – The user can choose between two methods:
    • a command-line UI or a web-based UI, both using encrypted communication between the user and the RA
  – The RA confirms the revocation request using the client certificate and accepts it
  – The RA sends the revocation request to the CA, which is located in an independent network segment
    • Communication between the RA and the CA is encrypted
• The CA security officer can execute a revocation request on behalf of the user if necessary

CRL
• The KEK GRID CA will ...
  – revoke the certificate immediately after receipt and acceptance of the revocation request
  – publish the CRL on the KEK CA web site immediately
• A relying party can verify a certificate by retrieving the newest CRL from the web site
• The issued CRL is valid for 30 days
• The CRL will be reissued at least seven days before the previous one expires

Physical Security
• CA server:
  – a dedicated machine in a locked room
    • The room is located in a secure building
    • connected only to the RA server via a dedicated network using private addresses
    • The CA server cannot be reached from the Internet
• CA private key:
  – protected by a FIPS 140-2 Level 3 compliant HSM
  – a copy is kept on a backup device, protected by a passphrase, in a key-locked shelf

Records Archival
• Types of archived data:
  – All issued certificates and CRLs
  – All enrollment requests and notifications between the KEK GRID CA and users
  – Operation history of the CA key
    • events of interest, as described in CP/CPS 4.5.1
    • login, logout, reboot, access and error logs, etc.
  – Other documents about the KEK GRID CA
• The retention period is 3 years
• Archived files are preserved in a key-locked shelf

Key Pair
• The CA private key is generated by the HSM
• A user's key pair is generated on the user's PC using a given license ID
  – The user's private key is never generated by the CA or the RA
• Key length:
  – CA certificate: 2048 bits
  – End entity: 1024 bits
• License ID:
  – 24 characters
  – provided by the RA for one-time authentication during the user's enrollment process
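The CRL slide above fixes three numbers that both sides of the PKI depend on: the CRL is valid for 30 days, it is reissued at least seven days before it expires, and a revocation produces a new CRL immediately. The following is an added model of that policy, not the KEK GRID CA's software: a CA-side object that issues numbered CRLs and reissues on schedule, and a relying-party check that consults the newest CRL and fails closed (reports "unknown" rather than "good") when the CRL it holds has expired. Serial numbers and dates are constructed for illustration.

```python
"""Model of the KEK GRID CA CRL policy from the slides: 30-day CRL validity,
reissue at least 7 days before expiry, immediate revocation, and a relying
party that fails closed on a stale CRL. Added illustration, not the CA's code."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

CRL_LIFETIME = timedelta(days=30)    # "The issued CRL is valid for 30 days"
REISSUE_MARGIN = timedelta(days=7)   # "reissued at least seven days before the previous one expires"


@dataclass
class CRL:
    crl_number: int                  # monotonically increasing, so relying parties can detect replay
    this_update: datetime
    next_update: datetime
    revoked: dict = field(default_factory=dict)   # serial -> revocation time


class CAModel:
    """CA-side view: keeps the revocation set and publishes CRLs."""

    def __init__(self, now):
        self._revoked = {}
        self._crl_number = 0
        self.current = None
        self.issue_crl(now)

    def issue_crl(self, now):
        self._crl_number += 1
        self.current = CRL(self._crl_number, now, now + CRL_LIFETIME, dict(self._revoked))
        return self.current

    def revoke(self, serial, now):
        # Policy: revoke immediately and publish a new CRL immediately.
        self._revoked[serial] = now
        return self.issue_crl(now)

    def reissue_due(self, now):
        return now >= self.current.next_update - REISSUE_MARGIN

    def tick(self, now):
        """Scheduled job: reissue once the seven-day margin is reached."""
        if self.reissue_due(now):
            return self.issue_crl(now)
        return self.current


def crl_is_current(crl, now):
    return crl.this_update <= now < crl.next_update


def check_certificate(serial, crl, now):
    """Relying-party check against the CRL it fetched from the web site.
    Returns 'good', 'revoked' or, if the CRL is stale, 'unknown' (fail closed)."""
    if not crl_is_current(crl, now):
        return "unknown"
    return "revoked" if serial in crl.revoked else "good"


if __name__ == "__main__":
    t0 = datetime(2006, 10, 15, tzinfo=timezone.utc)     # constructed date
    ca = CAModel(t0)
    crl = ca.revoke(42, t0 + timedelta(days=1))          # constructed serial
    print(crl.crl_number, check_certificate(42, crl, t0 + timedelta(days=2)))
```

The "unknown" result is the point a relying party must get right: a CRL past its nextUpdate says nothing about certificates revoked since, so treating it as "good" silently accepts exactly the certificates the CA revoked after a key compromise.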
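The Key Pair slide above describes the user's key pair being generated on the user's own PC and authenticated at enrollment by a 24-character license ID handed out by the RA for one-time use. The page does not say how the RA manages those IDs, so the following is an added example of one reasonable design rather than KEK's implementation: the RA generates the ID from a CSPRNG, stores only its hash, binds it to the applicant's subject DN, expires it after an assumed 14-day window, and consumes it on the first successful redemption so it cannot authenticate a second request.

```python
"""RA-side handling of the one-time 'license ID' from the Key Pair slide.
Added example of one possible design, not the KEK RA's implementation.
Assumed: IDs are bound to the applicant's subject DN and expire after 14 days."""
import hashlib
import secrets
import string
from datetime import datetime, timedelta, timezone

ALPHABET = string.ascii_letters + string.digits   # 62 symbols
LICENSE_LEN = 24                                  # 24 characters, about 143 bits of entropy
LICENSE_TTL = timedelta(days=14)                  # assumed validity window


def _digest(license_id):
    # Only a hash is stored, so a copy of the RA database yields no usable IDs;
    # looking the entry up by digest also avoids comparing the secret itself.
    return hashlib.sha256(license_id.encode("ascii")).hexdigest()


class LicenseRegistry:
    def __init__(self):
        self._pending = {}   # digest -> (subject_dn, expires_at)

    def issue(self, subject_dn, now):
        """Generate an ID for one applicant; it is delivered to them out of band."""
        license_id = "".join(secrets.choice(ALPHABET) for _ in range(LICENSE_LEN))
        self._pending[_digest(license_id)] = (subject_dn, now + LICENSE_TTL)
        return license_id

    def redeem(self, license_id, subject_dn, now):
        """Accept the enrollment only if the ID is well-formed, unexpired, unused
        and bound to this DN. The entry is consumed on success (single use)."""
        if len(license_id) != LICENSE_LEN or any(c not in ALPHABET for c in license_id):
            return False
        key = _digest(license_id)
        entry = self._pending.get(key)
        if entry is None:
            return False
        bound_dn, expires_at = entry
        if now >= expires_at:
            del self._pending[key]        # expired IDs are never reusable
            return False
        if bound_dn != subject_dn:
            return False                  # keep the entry: the applicant may retry
        del self._pending[key]
        return True

    def pending_count(self):
        return len(self._pending)


if __name__ == "__main__":
    t0 = datetime(2006, 10, 15, tzinfo=timezone.utc)     # constructed date
    reg = LicenseRegistry()
    lid = reg.issue("C=JP, O=KEK, OU=CRC, CN=Takashi Sasaki", t0)
    print(lid, reg.redeem(lid, "C=JP, O=KEK, OU=CRC, CN=Takashi Sasaki", t0))
```

Binding the ID to a DN means a leaked ID alone is not enough to enrol under someone else's name, and consuming it on success means the RA never accepts two certificate requests for one act of identity vetting, which is what makes the ID a one-time authenticator rather than a shared secret.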