
MyProxy

Jim Basney

Senior Research Scientist, NCSA, [email protected]

OGF19

What is MyProxy?

- An Online Certificate Authority
  - Issues short-lived X.509 End Entity Certificates
  - Avoids the need for long-lived user keys
- An Online Credential Repository
  - Issues short-lived X.509 Proxy Certificates
  - Long-lived private keys never leave the server
- Supports multiple authentication methods
  - Passphrase, Certificate, PAM, SASL, Kerberos, Pubcookie, VOMS
- Open Source Software
  - Included in Globus Toolkit, UGE, NMI, VDT, and CoG Kits
  - C, Java, Python, and Perl clients available
  - Contributions from EDG, UVA, LBL, and others
  - Protocol specified in GFD-E.54

http://myproxy.ncsa.uiuc.edu/ 2


MyProxy Logon

- Authenticate to retrieve PKI credentials
  - End Entity or Proxy Certificate
  - Trusted CA Certificates
  - Certificate Revocation Lists (CRLs)
- MyProxy maintains the user's PKI context
  - Users don't need to manage long-lived credentials
  - Enables server-side monitoring and policy enforcement (e.g. passphrase quality checks)
  - CA certificates and CRLs updated automatically at login
- Integrates with existing authentication systems
  - Provides a gateway to grid authentication

MyProxy Authentication

- Key Passphrase
- X.509 Certificate
  - Control credential storage, retrieval, and renewal
  - Supports trusted authentication and renewal services
- Pluggable Authentication Modules (PAM)
  - Kerberos password
  - One Time Password (OTP)
  - Lightweight Directory Access Protocol (LDAP) password
- Simple Authentication and Security Layer (SASL)
  - Kerberos ticket (SASL GSSAPI)
- Pubcookie
  - Web Single Sign-On
- Virtual Organization Membership Service (VOMS)
  - Attribute-based access control
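The two slides above describe the repository-side controls: the long-lived key stays on the server, the server enforces policy on storage (such as passphrase quality), and per-credential and server-wide rules decide who may retrieve or renew and for how long. The following Python model is an added example, not MyProxy code; the setting names follow myproxy-server.config (accepted_credentials, authorized_retrievers, authorized_renewers, max_proxy_lifetime) but the values, the StoredCredential record and the simplified semantics are constructed for illustration.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# Server-wide policy. Setting names follow myproxy-server.config; the values are
# constructed for this example and the semantics are simplified.
SERVER_POLICY = {
    "accepted_credentials": ["/C=US/O=Example Grid/*"],
    "authorized_retrievers": ["/C=US/O=Example Grid/*"],
    "authorized_renewers": ["/C=US/O=Example Grid/OU=Services/CN=renewer"],
    "max_proxy_lifetime_hours": 12,
}

@dataclass
class StoredCredential:
    """Constructed model of one repository entry (not MyProxy's on-disk format)."""
    owner_dn: str
    proxy_lifetime_hours: int                        # cap chosen by the owner at store time
    retrievers: list = field(default_factory=list)   # per-credential DN globs
    renewers: list = field(default_factory=list)

def dn_matches(dn, patterns):
    """Glob-style DN matching with '*' wildcards, as the server config uses."""
    return any(fnmatchcase(dn, p) for p in patterns)

def passphrase_ok(passphrase):
    """Stand-in for a passphrase quality program: length plus mixed character classes."""
    return (len(passphrase) >= 8 and any(c.isdigit() for c in passphrase)
            and any(c.isalpha() for c in passphrase))

def store_allowed(cred, passphrase):
    """Policy applied when a user uploads a credential (the myproxy-init step)."""
    if not dn_matches(cred.owner_dn, SERVER_POLICY["accepted_credentials"]):
        return False, "owner DN not accepted by this server"
    if not passphrase_ok(passphrase):
        return False, "passphrase fails quality policy"
    return True, "stored"

def authorize(cred, client_dn, requested_hours, renew=False):
    """Decide a retrieval or renewal request. Only a proxy lifetime is granted;
    the long-lived private key itself never leaves the server."""
    server_key = "authorized_renewers" if renew else "authorized_retrievers"
    if not dn_matches(client_dn, SERVER_POLICY[server_key]):
        return False, 0, "client DN not authorized by server policy"
    per_cred = cred.renewers if renew else cred.retrievers
    if per_cred and not dn_matches(client_dn, per_cred):
        return False, 0, "client DN not authorized by credential policy"
    granted = min(requested_hours, cred.proxy_lifetime_hours,
                  SERVER_POLICY["max_proxy_lifetime_hours"])
    return True, granted, "proxy lifetime capped" if granted < requested_hours else "ok"
```

Both the server-wide and the per-credential pattern list must match before a proxy is issued, and the granted lifetime is the minimum of what the client asked for, what the owner allowed, and the server cap.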


MyProxy Deployment Options

- Users already have PKI credentials
  - The MyProxy repository can help users manage the credentials by:
    - Securing private keys in a professionally managed server
    - Obtaining credentials when/where needed
    - Using credentials with MyProxy-enabled applications
- Users have site logons but no PKI credentials
  - The MyProxy CA can provide the bridge
- Users need to register to obtain PKI credentials
  - User registration portals provide a MyProxy interface
    - Grid Account Management Architecture (GAMA): http://grid-devel.sdsc.edu/gama
    - Portal-Based User Registration Service (PURSE): http://www.grids-center.org/solutions/purse


MyProxy-enabled Applications

- CoG Kit APIs (www.cogkit.org)
- Grid portal toolkits
  - GridSphere (www.gridsphere.org)
  - GridPort (gridport.net)
  - OGCE (www.collab-ogce.org)
- Authentication modules
  - JAAS (myproxy.ncsa.uiuc.edu/jaas)
  - Apache (myproxy.ncsa.uiuc.edu/apache)
  - Pubcookie (myproxy.ncsa.uiuc.edu/pubcookie)

MyProxy Documentation


MyProxy Support



Topics for Discussion

- Credential Renewal
- High Availability
- Attribute Support
- Web Services
- Web SSO
- Security Context Provisioning
- User Registration
- HSM Support
- Audit Logging
- Others?


Credential Renewal

- Existing MyProxy-based renewal support
  - EGEE Renewal Service
  - Condor-G
- Future Work
  - MyProxy-based GT4 Renewal Service
    - Integrated with GT4 Delegation Service
    - Support for GRAM, WS-GRAM, RFT


High Availability

- Existing support
  - Clients retry when the server is unreachable
  - Documentation for MyProxy CA replication
  - Primary-backup replication of the MyProxy repository
- Future Work
  - Robust client retry
  - Peer-to-peer repository replication


Attribute Support

- Existing support
  - VOMS authentication to the MyProxy server
  - GridShib CA integration with MyProxy
- Future Work
  - Issue credentials with VOMS assertions
  - SAML authentication to the MyProxy server


Web Services

- Currently MyProxy does not provide a Web Services interface
  - C, Java, Perl, Python APIs
- A standard Delegation Service interface is needed
  - For MyProxy, GT4, and EGEE delegation services

Web Single Sign-on

- Existing Support
  - MyProxy server accepts Pubcookie tokens
- Future Work
  - Shibboleth/SAML support
  - Other web SSO methods?



Security Context Provisioning

- Existing Support
  - MyProxy can provision user certificates, CA certificates, and CRLs
  - Requires the MyProxy server CA certificate to be installed
- Future Work
  - Java client support
  - Zero configuration bootstrap


User Registration

- Existing Support
  - Provided by PURSE and GAMA
  - GridShib CA and OpenIDP
- Future Work
  - Integration with MyProxy CA
  - Integration with attribute and authorization services


HSM Support

- Existing Prototypes
  - MyProxy repository using IBM 4738
  - MyProxy CA using Aladdin eToken
- Future Work
  - Full support for OpenSSL hardware engines in MyProxy CA


Audit Logging

- Existing Support
  - All MyProxy server operations are logged to syslog
  - Recent improvements to MyProxy CA logging to meet IGTF guidelines
- Future Work
  - Include auditing information in issued credentials
  - Support standard grid logging interfaces


Thank you!

Questions?

Comments?

For more information: [email protected]

http://myproxy.ncsa.uiuc.edu/
http://www.globus.org/toolkit/security/myproxy/