Upload File

osg pki contingency and recovery plans mine altunay, von welch [email protected]@fnal.gov,...

6
OSG PKI Contingency and Recovery Plans Mine Altunay, Von Welch [email protected] , [email protected] October 16, 2012

Upload: eugene-foster

Post on 04-Jan-2016

212 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: OSG PKI Contingency and Recovery Plans Mine Altunay, Von Welch maltunay@fnal.govmaltunay@fnal.gov, vwelch@indiana.eduvwelch@indiana.edu October 16, 2012

OSG PKI Contingency and Recovery Plans

Mine Altunay, Von Welch

[email protected], [email protected]

October 16, 2012

mailto:[email protected]
mailto:[email protected]
Page 2: OSG PKI Contingency and Recovery Plans Mine Altunay, Von Welch maltunay@fnal.govmaltunay@fnal.gov, vwelch@indiana.eduvwelch@indiana.edu October 16, 2012

October 16, 2012 WLCG Management Board

Background

• The Open Science Grid (OSG) relies on a public key infrastructure (PKI) built around an OSG Certificate Authority (CA) to support its operations.

• The OSG PKI is operated by two parties: The OSG itself operates a network of trusted agents

(registration authorities and grid admins) who vet certificate requests and a web front-end OSG Information Management (OIM) System that provides interfaces for users for PKI functions

The DigiCert, a private company, operates the CA that, at direction of OSG and within the bounds of policy, performs the issuance of certificates.

2

Page 3: OSG PKI Contingency and Recovery Plans Mine Altunay, Von Welch maltunay@fnal.govmaltunay@fnal.gov, vwelch@indiana.eduvwelch@indiana.edu October 16, 2012

October 16, 2012 WLCG Management Board

Goals and Scope

• Create a Recovery Plans document that present a recovery plan for PKI failure scenarios.

• Not a risk analysis, does not attempt to analyze whether or not a PKI failure is something that the OSG should prepare for.

• Analyzes the options for a recovery plan and recommends a broad course of action.

• Describes all the steps necessary to bring the OSG PKI back to its normal functional state.

• Focuses on the new OSG PKI, not the DOEGrids CA although most of the discussion is valid for DOEGrids CA as well.

3

Page 4: OSG PKI Contingency and Recovery Plans Mine Altunay, Von Welch maltunay@fnal.govmaltunay@fnal.gov, vwelch@indiana.eduvwelch@indiana.edu October 16, 2012

October 16, 2012 WLCG Management Board

OSG PKI Failure Cases

• 2 Failure Types: compromise and loss of service Back-End CA Compromise OSG Information Management (OIM) Front-End

Compromise Back-End CA Loss of Availability OSG OIM Front-End Loss of Availability

4

Page 5: OSG PKI Contingency and Recovery Plans Mine Altunay, Von Welch maltunay@fnal.govmaltunay@fnal.gov, vwelch@indiana.eduvwelch@indiana.edu October 16, 2012

October 16, 2012 WLCG Management Board

Recovery Plans

• A recovery plan for each failure type is presented in the document available at http://osg-docdb.opensciencegrid.org/cgi-bin/ShowDocument?docid=1121.

The plan: Is a workflow of specific steps that should be taken in

the aftermath of a failure to restore PKI back to normal. E.g., forming the incident response team, revoking compromised certs, issuing replacement certs, community communications, and so on.

Considers slight variations in a failure type depending on the different levels of severity (e.g. all RA Agents compromised vs. only some are compromised), incorporates conditional branches into the workflow.

5

http://osg-docdb.opensciencegrid.org/cgi-bin/ShowDocument?docid=1121
Page 6: OSG PKI Contingency and Recovery Plans Mine Altunay, Von Welch maltunay@fnal.govmaltunay@fnal.gov, vwelch@indiana.eduvwelch@indiana.edu October 16, 2012

October 16, 2012 WLCG Management Board

Recovery Plans

Each step is accompanied with specific timelines, estimating how long the plan execution would take.

Each step has a clear owner responsible for performing the activities in the event of a failure.

• Due to time limitation and the complexity of each plan, I will not present them here.

• Please contact me and Von Welch should you have any questions or feedback.

6


Science Gateway Security Recommendations Jim Basney [email protected] Von Welch [email protected] This material is based upon work supported by the

Low Background, GravitationalLow Background, Gravitational Waves…vmsstreamer1.fnal.gov/Lectures/DUSEL/presentations/100903Mandic.pdf · Low Background, GravitationalLow Background,

Overview of NSF ACCI Task Force on Campus Bridging Report Craig Stewart [email protected] Von Welch [email protected] Presented at Coalition for Academic

MiniBooNE : Current Status Heather Ray [email protected] Los Alamos National Lab

OSG User Support - Fermilab · OSG User Support March 13, 2013 Chander Sehgal [email protected]

Grid Authorization Landscape and Futures Von Welch NCSA [email protected]

Dan Hooper Particle Astrophysics Center Fermi National Laboratory [email protected]

Jonathan Loving Fermi Lab Computing Division [email protected]

Mine Altunay OSG Security Officer Open Science Grid: Security Gateway Security Summit January 28-30, 2008 San Diego Supercomputer Center

Grid Security and Identity Management Mine Altunay Security Officer, Open Science Grid, Fermilab

Mine Altunay July 30, 2007 Security and Privacy in OSG

GPU-Based Network Traffic Monitoring & Analysis Tools Wenji Wu; Phil DeMar [email protected]@fnal.gov, [email protected]@fnal.gov CHEP 2013 October

Grounding Guidelines Developed for LBNE Presented by Terri Shaw (FNAL) [email protected]

Ff NO A Accelerator Upgrades: Status Phil Adamson Fermilab [email protected]

Metrics and Monitoring on FermiGrid Keith Chadwick Fermilab [email protected]

Albert Stebbins Theoretical Astrophysics Group Fermi National Laboratory [email protected]

THE ANALYSIS OF TURKISH FORENSIC ACCOUNTING …iibfdergi.sdu.edu.tr/assets/uploads/sites/352/files/yil-2015-cilt... · ALTUNAY – ACAR 44 2015 Key Words: Forensic Accounting, Litigation

LAr1-ND David Montanari Fermi National Accelerator Laboratory [email protected] CERN – Feb 16, 2014

Carl Schumann ([email protected])[email protected] 1 June 2012

INSIDE - fnal.gov

Albert Stebbins Theoretical Astrophysics Group Fermi National Laboratory [email protected] Theoretical Astrophysics Group @ Fermilab Annual DOE Review

Conventional Construction Working Group Meeting Tom Lackowski L2 Conventional Facilities ([email protected])[email protected] 630.840.3640 Mu2e Working Group

Von Welch [email protected]

Fermi Linux 6.1.1 Connie Sieh April 10, 2000 OSS Department [email protected]

OSG Security Program Review OSG Security Team M. Altunay, FNAL, OSG Security Officer, D. Olson LBNL, Ron Cudzewicz FNAL J. Basney NCSA, Anand Padmanabhan

OThe Open Science Grid: Concepts and Patterns Ruth Pordes, Mine Altunay, Brian Bockelman

GridShib: Campus/Grid RBAC Integration GGF15 Workshop: Leveraging Site Infrastructure for Multi-Site Grids October 3th, 2005 Von Welch [email protected]

1 Career Exploration: Physics and Fermilab Joe Grange [email protected]

THINGS BIG & SMALL Dhiman Chakraborty ([email protected])

Project Risk Management Overview Mike Dinnon ([email protected])[email protected] LBNE Risk Manager Mu2e WGM August 18, 2010 Project Risk Management Overview

Project Risk Management Overview Mike Dinnon ( [email protected] ) LBNE Risk Manager Mu2e WGM

Results and Implications from MiniBooNE LLWI, 25 Feb 2011 Warren Huelsnitz, LANL [email protected]

Volume 21 Friday, May 15, 1998 Number 10 - fnal.gov

Optimal Security Response to Attacks on Open Science Grids Mine Altunay, Sven Leyffer, Jeffrey T. Linderoth, and Zhen Xie

NSF ACCI Task Force on Campus Bridging CASC Meeting 16 March 2011, Arlington VA Craig Stewart [email protected] Von Welch [email protected] This material