Upload File

osg pki contingency and recovery plans mine altunay, von welch [email protected]@fnal.gov,...

6
OSG PKI Contingency and Recovery Plans Mine Altunay, Von Welch [email protected] , [email protected] October 16, 2012

Upload: eugene-foster

Post on 04-Jan-2016

212 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: OSG PKI Contingency and Recovery Plans Mine Altunay, Von Welch maltunay@fnal.govmaltunay@fnal.gov, vwelch@indiana.eduvwelch@indiana.edu October 16, 2012

OSG PKI Contingency and Recovery Plans

Mine Altunay, Von Welch

[email protected], [email protected]

October 16, 2012

mailto:[email protected]
mailto:[email protected]
Page 2: OSG PKI Contingency and Recovery Plans Mine Altunay, Von Welch maltunay@fnal.govmaltunay@fnal.gov, vwelch@indiana.eduvwelch@indiana.edu October 16, 2012

October 16, 2012 WLCG Management Board

Background

• The Open Science Grid (OSG) relies on a public key infrastructure (PKI) built around an OSG Certificate Authority (CA) to support its operations.

• The OSG PKI is operated by two parties: The OSG itself operates a network of trusted agents

(registration authorities and grid admins) who vet certificate requests and a web front-end OSG Information Management (OIM) System that provides interfaces for users for PKI functions

The DigiCert, a private company, operates the CA that, at direction of OSG and within the bounds of policy, performs the issuance of certificates.

2

Page 3: OSG PKI Contingency and Recovery Plans Mine Altunay, Von Welch maltunay@fnal.govmaltunay@fnal.gov, vwelch@indiana.eduvwelch@indiana.edu October 16, 2012

October 16, 2012 WLCG Management Board

Goals and Scope

• Create a Recovery Plans document that present a recovery plan for PKI failure scenarios.

• Not a risk analysis, does not attempt to analyze whether or not a PKI failure is something that the OSG should prepare for.

• Analyzes the options for a recovery plan and recommends a broad course of action.

• Describes all the steps necessary to bring the OSG PKI back to its normal functional state.

• Focuses on the new OSG PKI, not the DOEGrids CA although most of the discussion is valid for DOEGrids CA as well.

3

Page 4: OSG PKI Contingency and Recovery Plans Mine Altunay, Von Welch maltunay@fnal.govmaltunay@fnal.gov, vwelch@indiana.eduvwelch@indiana.edu October 16, 2012

October 16, 2012 WLCG Management Board

OSG PKI Failure Cases

• 2 Failure Types: compromise and loss of service Back-End CA Compromise OSG Information Management (OIM) Front-End

Compromise Back-End CA Loss of Availability OSG OIM Front-End Loss of Availability

4

Page 5: OSG PKI Contingency and Recovery Plans Mine Altunay, Von Welch maltunay@fnal.govmaltunay@fnal.gov, vwelch@indiana.eduvwelch@indiana.edu October 16, 2012

October 16, 2012 WLCG Management Board

Recovery Plans

• A recovery plan for each failure type is presented in the document available at http://osg-docdb.opensciencegrid.org/cgi-bin/ShowDocument?docid=1121.

The plan: Is a workflow of specific steps that should be taken in

the aftermath of a failure to restore PKI back to normal. E.g., forming the incident response team, revoking compromised certs, issuing replacement certs, community communications, and so on.

Considers slight variations in a failure type depending on the different levels of severity (e.g. all RA Agents compromised vs. only some are compromised), incorporates conditional branches into the workflow.

5

http://osg-docdb.opensciencegrid.org/cgi-bin/ShowDocument?docid=1121
Page 6: OSG PKI Contingency and Recovery Plans Mine Altunay, Von Welch maltunay@fnal.govmaltunay@fnal.gov, vwelch@indiana.eduvwelch@indiana.edu October 16, 2012

October 16, 2012 WLCG Management Board

Recovery Plans

Each step is accompanied with specific timelines, estimating how long the plan execution would take.

Each step has a clear owner responsible for performing the activities in the event of a failure.

• Due to time limitation and the complexity of each plan, I will not present them here.

• Please contact me and Von Welch should you have any questions or feedback.

6


GPU-Based Network Traffic Monitoring & Analysis Tools Wenji Wu; Phil DeMar [email protected]@fnal.gov, [email protected]@fnal.gov CHEP 2013 October

Update On Scientific Linux Connie Sieh [email protected] Pat Riehecky [email protected] Hepix Spring 2013

Von Welch [email protected]

Grid Authorization Landscape and Futures Von Welch NCSA [email protected]

Low Background, GravitationalLow Background, Gravitational Waves…vmsstreamer1.fnal.gov/Lectures/DUSEL/presentations/100903Mandic.pdf · Low Background, GravitationalLow Background,

LAr1-ND David Montanari Fermi National Accelerator Laboratory [email protected] CERN – Feb 16, 2014

OSG Security Program Review OSG Security Team M. Altunay, FNAL, OSG Security Officer, D. Olson LBNL, Ron Cudzewicz FNAL J. Basney NCSA, Anand Padmanabhan

Jonathan Loving Fermi Lab Computing Division [email protected]

Grid Security and Identity Management Mine Altunay Security Officer, Open Science Grid, Fermilab

Trust Relationships in Grid CHEP 07 Mine Altunay

Mine Altunay July 30, 2007 Security and Privacy in OSG

Project Risk Management Overview Mike Dinnon ([email protected])[email protected] LBNE Risk Manager Mu2e WGM August 18, 2010 Project Risk Management Overview

INSIDE - fnal.gov

Results and Implications from MiniBooNE LLWI, 25 Feb 2011 Warren Huelsnitz, LANL [email protected]

Grid Security: What is it? Where is it going? Why? Von Welch [email protected] National Center for Supercomputing Applications Globus Alliance

Social projection and paradox of values of post-modernism · Social projection and paradox of values of post-modernism Emine Altunay Şam1a 1Amasya University, Education Faculty,

Dan Hooper Particle Astrophysics Center Fermi National Laboratory [email protected]

Project Risk Management Overview Mike Dinnon ( [email protected] ) LBNE Risk Manager Mu2e WGM

LBNE Project Overview Elaine McCluskey LBNE Project Manager [email protected] SPAFOA Meeting 13 Nov 2012

October 11 th 2007 Ken Schultz ([email protected])

OThe Open Science Grid: Concepts and Patterns Ruth Pordes, Mine Altunay, Brian Bockelman

NSF ACCI Task Force on Campus Bridging CASC Meeting 16 March 2011, Arlington VA Craig Stewart [email protected] Von Welch [email protected] This material

GridShib and MyProxy Grid Credential Management and Identity Federation Von Welch NCSA [email protected]

GridShib: Campus/Grid RBAC Integration GGF15 Workshop: Leveraging Site Infrastructure for Multi-Site Grids October 3th, 2005 Von Welch [email protected]

Volume 21 Friday, May 15, 1998 Number 10 - fnal.gov

Albert Stebbins Theoretical Astrophysics Group Fermi National Laboratory [email protected] Theoretical Astrophysics Group @ Fermilab Annual DOE Review

Carl Schumann ([email protected])[email protected] 1 June 2012

Fermi Linux 6.1.1 Connie Sieh April 10, 2000 OSS Department [email protected]

F Fermilab July 6, 2005Recycler Damper Stability1 Recycler Damper High Frequency Stability Jim Crisp [email protected]

GridShib CIP Seminar December 6th, 2005 Tom Scavo [email protected] Von Welch [email protected] NCSA

THINGS BIG & SMALL Dhiman Chakraborty ([email protected])

Scientific Linux Infrastructure Changes Connie Sieh [email protected] Pat Riehecky [email protected] Hepix Fall 2012 Oct 15, 2012

Science Gateway Security Recommendations Jim Basney [email protected] Von Welch [email protected] This material is based upon work supported by the

Albert Stebbins Theoretical Astrophysics Group Fermi National Laboratory [email protected]

OSG User Support - Fermilab · OSG User Support March 13, 2013 Chander Sehgal [email protected]