MyProxy
Jim Basney
Senior Research Scientist, NCSA, [email protected]
OGF19
What is MyProxy?
- An Online Certificate Authority
  - Issues short-lived X.509 End Entity Certificates
  - Avoids the need for long-lived user keys
- An Online Credential Repository
  - Issues short-lived X.509 Proxy Certificates
  - Long-lived private keys never leave the server
- Supports multiple authentication methods
  - Passphrase, Certificate, PAM, SASL, Kerberos, Pubcookie, VOMS
- Open Source Software
  - Included in Globus Toolkit, UGE, NMI, VDT, and CoG Kits
  - C, Java, Python, and Perl clients available
  - Contributions from EDG, UVA, LBL, and others
  - Protocol specified in GFD-E.54
http://myproxy.ncsa.uiuc.edu/
MyProxy Logon
- Authenticate to retrieve PKI credentials
  - End Entity or Proxy Certificate
  - Trusted CA Certificates
  - Certificate Revocation Lists (CRLs)
- MyProxy maintains the user’s PKI context
  - Users don’t need to manage long-lived credentials
  - Enables server-side monitoring and policy enforcement (e.g. passphrase quality checks)
  - CA certificates and CRLs updated automatically at login
- Integrates with existing authentication systems
  - Providing a gateway to grid authentication
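The logon exchange this slide describes, modelled as an added example (not MyProxy's own code, nor code from the page): a client request to the server and the server's authenticate-then-cap-lifetime handling, with the passphrase quality check applied where a credential is stored. The field names VERSION/COMMAND/USERNAME/PASSPHRASE/LIFETIME/RESPONSE/ERROR and the command codes follow my reading of GFD-E.54 and should be treated as assumptions; the lifetime cap, the passphrase policy and the in-memory store are constructed for the demonstration.

```python
import hmac

MYPROXY_VERSION = "MYPROXYv2"        # version string as recalled from GFD-E.54 (assumption)
CMD_GET_PROXY, CMD_PUT_PROXY = 0, 1  # command codes as recalled from GFD-E.54 (assumption)
RESPONSE_OK, RESPONSE_ERROR = 0, 1
MAX_LIFETIME = 12 * 3600             # constructed server cap on issued proxy lifetime (seconds)
MIN_PASSPHRASE_LEN = 6               # constructed passphrase-quality policy

def encode(fields):
    """Serialise key=value lines; MyProxy messages are NUL-terminated."""
    return "".join(f"{k}={v}\n" for k, v in fields.items()) + "\0"

def decode(raw):
    """Parse a message back into a dict, ignoring malformed lines."""
    return dict(line.split("=", 1) for line in raw.rstrip("\0").splitlines() if "=" in line)

def request(command, username, passphrase, lifetime):
    """Client side: the request sent to the server after the TLS handshake."""
    return encode({"VERSION": MYPROXY_VERSION, "COMMAND": command,
                   "USERNAME": username, "PASSPHRASE": passphrase, "LIFETIME": lifetime})

def reply(response, **extra):
    return encode({"VERSION": MYPROXY_VERSION, "RESPONSE": response, **extra})

def server_handle(raw, store):
    """Server side: authenticate, enforce policy, cap the lifetime.
    `store` maps username -> passphrase, a constructed stand-in for the
    passphrase-protected private keys that never leave the repository.
    Returns (reply message, issued proxy lifetime in seconds or None)."""
    req = decode(raw)
    if req.get("VERSION") != MYPROXY_VERSION:
        return reply(RESPONSE_ERROR, ERROR="unsupported protocol version"), None
    user, passphrase = req.get("USERNAME", ""), req.get("PASSPHRASE", "")
    if req.get("COMMAND") == str(CMD_PUT_PROXY):
        # server-side passphrase quality check, enforced when a credential is stored
        if len(passphrase) < MIN_PASSPHRASE_LEN:
            return reply(RESPONSE_ERROR, ERROR="passphrase too short"), None
        store[user] = passphrase
        return reply(RESPONSE_OK), None
    if req.get("COMMAND") == str(CMD_GET_PROXY):
        stored = store.get(user, "")
        if not stored or not hmac.compare_digest(stored.encode(), passphrase.encode()):
            return reply(RESPONSE_ERROR, ERROR="authentication failed"), None
        try:
            requested = int(req.get("LIFETIME", "0"))
        except ValueError:
            return reply(RESPONSE_ERROR, ERROR="bad lifetime"), None
        # short-lived credential: the requested lifetime is capped by server policy
        return reply(RESPONSE_OK), max(0, min(requested, MAX_LIFETIME))
    return reply(RESPONSE_ERROR, ERROR="unknown command"), None
```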
MyProxy Authentication
- Key Passphrase
- X.509 Certificate
  - Control credential storage, retrieval, and renewal
  - Supports trusted authentication and renewal services
- Pluggable Authentication Modules (PAM)
  - Kerberos password
  - One Time Password (OTP)
  - Lightweight Directory Access Protocol (LDAP) password
- Simple Authentication and Security Layer (SASL)
  - Kerberos ticket (SASL GSSAPI)
- Pubcookie
  - Web Single Sign-On
- Virtual Organization Membership Service (VOMS)
  - Attribute-based access control
MyProxy Deployment Options
- Users already have PKI credentials
  - MyProxy repository can help users manage the credentials by:
    - Securing private keys in a professionally managed server
    - Obtaining credentials when/where needed
    - Using credentials with MyProxy-enabled applications
- Users have site logons but no PKI credentials
  - MyProxy CA can provide the bridge
- Users need to register to obtain PKI credentials
  - User registration portals provide a MyProxy interface
    - Grid Account Management Architecture (GAMA): http://grid-devel.sdsc.edu/gama
    - Portal-Based User Registration Service (PURSE): http://www.grids-center.org/solutions/purse
MyProxy-enabled Applications
- CoG Kit APIs (www.cogkit.org)
- Grid portal toolkits
  - GridSphere (www.gridsphere.org)
  - GridPort (gridport.net)
  - OGCE (www.collab-ogce.org)
- Authentication modules
  - JAAS (myproxy.ncsa.uiuc.edu/jaas)
  - Apache (myproxy.ncsa.uiuc.edu/apache)
  - Pubcookie (myproxy.ncsa.uiuc.edu/pubcookie)
MyProxy Documentation
MyProxy Support
Topics for Discussion
- Credential Renewal
- High Availability
- Attribute Support
- Web Services
- Web SSO
- Security Context Provisioning
- User Registration
- HSM Support
- Audit Logging
- Others?
Credential Renewal
- Existing MyProxy-based renewal support
  - EGEE Renewal Service
  - Condor-G
- Future Work
  - MyProxy-based GT4 Renewal Service
    - Integrated with GT4 Delegation Service
    - Support for GRAM, WS-GRAM, RFT
High Availability
- Existing support
  - Clients retry when the server is unreachable
  - Documentation for MyProxy CA replication
  - Primary-backup replication of the MyProxy repository
- Future Work
  - Robust client retry
  - Peer-to-peer repository replication
Attribute Support
- Existing support
  - VOMS authentication to the MyProxy server
  - GridShib CA integration with MyProxy
- Future Work
  - Issue credentials with VOMS assertions
  - SAML authentication to the MyProxy server
Web Services
- Currently MyProxy does not provide a Web Services interface
  - C, Java, Perl, Python APIs
- A standard Delegation Service interface is needed
  - For MyProxy, GT4, and EGEE delegation services
Web Single Sign-on
- Existing Support
  - MyProxy server accepts Pubcookie tokens
- Future Work
  - Shibboleth/SAML support
  - Other web SSO methods?
Security Context Provisioning
- Existing Support
  - MyProxy can provision user certificates, CA certificates, and CRLs
  - Requires the MyProxy server CA certificate to be installed
- Future Work
  - Java client support
  - Zero configuration bootstrap
User Registration
- Existing Support
  - Provided by PURSE and GAMA
  - GridShib CA and OpenIDP
- Future Work
  - Integration with MyProxy CA
  - Integration with attribute and authorization services
HSM Support
- Existing Prototypes
  - MyProxy repository using IBM 4738
  - MyProxy CA using Aladdin eToken
- Future Work
  - Full support for OpenSSL hardware engines in MyProxy CA
Audit Logging
- Existing Support
  - All MyProxy server operations are logged to syslog
  - Recent improvements to MyProxy CA logging to meet IGTF guidelines
- Future Work
  - Include auditing information in issued credentials
  - Support standard grid logging interfaces
Thank you!
Questions?
Comments?
For more information: [email protected]
http://myproxy.ncsa.uiuc.edu/
http://www.globus.org/toolkit/security/myproxy/