MyProxy
Jim Basney, Senior Research Scientist, NCSA
[email protected]
OGF19 http://myproxy.ncsa.uiuc.edu/
What is MyProxy?
- An Online Certificate Authority
  - Issues short-lived X.509 End Entity Certificates
  - Avoids the need for long-lived user keys
- An Online Credential Repository
  - Issues short-lived X.509 Proxy Certificates
  - Long-lived private keys never leave the server
- Supports multiple authentication methods
  - Passphrase, Certificate, PAM, SASL, Kerberos, Pubcookie, VOMS
- Open Source Software
  - Included in Globus Toolkit, UGE, NMI, VDT, and CoG Kits
  - C, Java, Python, and Perl clients available
  - Contributions from EDG, UVA, LBL, and others
  - Protocol specified in GFD-E.54
MyProxy Logon
- Authenticate to retrieve PKI credentials
  - End Entity or Proxy Certificate
  - Trusted CA Certificates
  - Certificate Revocation Lists (CRLs)
- MyProxy maintains the user's PKI context
  - Users don't need to manage long-lived credentials
  - Enables server-side monitoring and policy enforcement (e.g. passphrase quality checks)
  - CA certificates & CRLs updated automatically at login
- Integrates with existing authentication systems
  - Providing a gateway to grid authentication
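The online-CA half of the logon flow above, as an added Go example that is not MyProxy's own code: the server has already authenticated the user, so it takes the subject name from that authenticated identity rather than from the client's certificate request, checks the request only as proof of possession of the freshly generated key, and clamps the validity period to a short policy maximum. The 12-hour cap, the CA name and the Fixture helper are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

const MaxLifetime = 12 * time.Hour // constructed policy value for this example, not a MyProxy default

// IssueShortLived plays the MyProxy CA role: the server has already authenticated the user, so the
// subject comes from that identity and never from the CSR, which only proves possession of the new key.
func IssueShortLived(caCert *x509.Certificate, caKey ed25519.PrivateKey, csrDER []byte, cn string, requested time.Duration) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil { // proof of possession of the client-generated key
		return nil, err
	}
	if requested <= 0 || requested > MaxLifetime { // clamp to policy, never extend
		requested = MaxLifetime
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	now := time.Now()
	tmpl := &x509.Certificate{SerialNumber: serial, NotBefore: now, NotAfter: now.Add(requested),
		Subject:     pkix.Name{Organization: caCert.Subject.Organization, CommonName: cn},
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true} // IsCA stays false: strictly an end-entity certificate
	return x509.CreateCertificate(rand.Reader, tmpl, caCert, csr.PublicKey, caKey)
}

// Fixture builds a throwaway self-signed CA and a client CSR whose subject (csrCN) the CA must ignore.
func Fixture(csrCN string) (*x509.Certificate, ed25519.PrivateKey, []byte, error) {
	_, caKey, _ := ed25519.GenerateKey(rand.Reader)
	_, userKey, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject:   pkix.Name{Organization: []string{"Example Grid"}, CommonName: "Example MyProxy CA"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageCertSign}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caKey.Public(), caKey)
	if err != nil {
		return nil, nil, nil, err
	}
	caCert, _ := x509.ParseCertificate(caDER)
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: csrCN}}, userKey)
	return caCert, caKey, csrDER, err
}
```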
MyProxy Authentication
- Key Passphrase
  - Control credential storage, retrieval, and renewal
- X.509 Certificate
  - Supports trusted authentication and renewal services
- Pluggable Authentication Modules (PAM)
  - Kerberos password
  - One Time Password (OTP)
  - Lightweight Directory Access Protocol (LDAP) password
- Simple Authentication and Security Layer (SASL)
  - Kerberos ticket (SASL GSSAPI)
- Pubcookie
  - Web Single Sign-On
- Virtual Organization Membership Service (VOMS)
  - Attribute-based access control
MyProxy Deployment Options
- Users already have PKI credentials
  - MyProxy repository can help users manage the credentials by:
    - Securing private keys in a professionally managed server
    - Obtaining credentials when/where needed
    - Using credentials with MyProxy-enabled applications
- Users have site logons but no PKI credentials
  - MyProxy CA can provide the bridge
- Users need to register to obtain PKI credentials
  - User registration portals provide a MyProxy interface
    - Grid Account Management Architecture (GAMA): http://grid-devel.sdsc.edu/gama
    - Portal-Based User Registration Service (PURSE): http://www.grids-center.org/solutions/purse
MyProxy-enabled Applications
- CoG Kit APIs (www.cogkit.org)
- Grid portal toolkits
  - GridSphere (www.gridsphere.org)
  - GridPort (gridport.net)
  - OGCE (www.collab-ogce.org)
- Authentication modules
  - JAAS (myproxy.ncsa.uiuc.edu/jaas)
  - Apache (myproxy.ncsa.uiuc.edu/apache)
  - Pubcookie (myproxy.ncsa.uiuc.edu/pubcookie)
MyProxy Documentation
MyProxy Support
Topics for Discussion
- Credential Renewal
- High Availability
- Attribute Support
- Web Services
- Web SSO
- Security Context Provisioning
- User Registration
- HSM Support
- Audit Logging
- Others?
Credential Renewal
- Existing MyProxy-based renewal support
  - EGEE Renewal Service
  - Condor-G
- Future Work
  - MyProxy-based GT4 Renewal Service
    - Integrated with GT4 Delegation Service
    - Support for GRAM, WS-GRAM, RFT
High Availability
- Existing support
  - Clients retry when server is unreachable
  - Documentation for MyProxy CA replication
  - Primary-backup replication of MyProxy repository
- Future Work
  - Robust client retry
  - Peer-to-peer repository replication
Attribute Support
- Existing support
  - VOMS authentication to MyProxy server
  - GridShib CA integration with MyProxy
- Future Work
  - Issue credentials with VOMS assertions
  - SAML authentication to MyProxy server
Web Services
- Currently MyProxy does not provide a Web Services interface
  - C, Java, Perl, Python APIs
- Standard Delegation Service interface is needed
  - For MyProxy, GT4, and EGEE delegation services
Web Single Sign-on
- Existing Support
  - MyProxy server accepts Pubcookie tokens
- Future Work
  - Shibboleth/SAML support
  - Other web SSO methods?
Security Context Provisioning
- Existing Support
  - MyProxy can provision user certificates, CA certificates, and CRLs
  - Requires MyProxy server CA certificate to be installed
- Future Work
  - Java client support
  - Zero configuration bootstrap
User Registration
- Existing Support
  - Provided by PURSE and GAMA
  - GridShib CA and OpenIDP
- Future Work
  - Integration with MyProxy CA
  - Integration with attribute and authorization services
HSM Support
- Existing Prototypes
  - MyProxy repository using IBM 4738
  - MyProxy CA using Aladdin eToken
- Future Work
  - Full support for OpenSSL hardware engines in MyProxy CA
Audit Logging
- Existing Support
  - All MyProxy server operations are logged to syslog
  - Recent improvements to MyProxy CA logging to meet IGTF guidelines
- Future Work
  - Include auditing information in issued credentials
  - Support standard grid logging interfaces
Thank you!
Questions? Comments?
For more information:
- [email protected]
- http://myproxy.ncsa.uiuc.edu/
- http://www.globus.org/toolkit/security/myproxy/