- Number of slides: 14
ARCS SLCS CA
Sam Morrison, Australian Research Collaboration Service (ARCS) (formerly APAC)
What is SLCS?
• Short Lived Credential Service
• Lifetime < 1 million sec
• Online CA
• Authenticate using Identity Management system
Why SLCS?
• Allow users to access HPC/Data/other services via existing PKI infrastructure.
• Users need to know nothing about certificates, CRLs, private keys etc.
Identity Management
• Shibboleth
• Australian Access Federation (AAF)
• Will include all universities in Australia (and NZ)
• IdP = Identity Provider
• SP = Service Provider
ARCS SLCS system
• Semi-production
• Two VMs
• SWITCH SLCS server with Shibboleth SP
• Online CA (EJBCA)
DN Uniqueness
• Generate DN from values sent from the IdP
• /DC=au/DC=org/DC=arcs/DC=slcs/O=<Organisation>
• /CN=<commonName> <auEduPersonSharedToken>
• auEduPersonSharedToken is unique and persistent
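As an added example (not ARCS's or SWITCH's own SLCS code), the following Python builds the subject DN from IdP attributes exactly as the slide lays it out and enforces the lifetime ceiling from the "What is SLCS?" slide. The DN prefix and the auEduPersonSharedToken attribute come from the slides; the attribute dictionary keys, the character allowlists and the token length bound are assumptions.

```python
"""Added example (not the ARCS/SWITCH SLCS code): build a SLCS subject DN from
Shibboleth attributes as the slide describes, and enforce the short lifetime.
The DN prefix and auEduPersonSharedToken come from the slides; the attribute
dict keys, character allowlists and token length bound are assumptions."""
import re
from datetime import datetime, timedelta, timezone

DN_PREFIX = "/DC=au/DC=org/DC=arcs/DC=slcs"   # from the slide
MAX_LIFETIME_SECONDS = 1_000_000               # slide: lifetime < 1 million sec

# auEduPersonSharedToken is an opaque, persistent, per-person identifier; the
# exact format is not on the slides, so we only require a bounded set of
# URL-safe characters (assumption).
_SHARED_TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")
# Allowlist for IdP-supplied RDN values so that a crafted organisation or
# display name cannot smuggle '/', '=' or ',' into the DN and forge RDNs
# (assumption; use whatever your CA's DN encoder actually requires).
_SAFE_RDN_RE = re.compile(r"^[A-Za-z0-9 .'-]{1,64}$")


class BadAttribute(ValueError):
    """Raised when the IdP assertion lacks, or garbles, a required attribute."""


def _require(attrs, key, pattern):
    value = attrs.get(key)
    if not isinstance(value, str) or not pattern.fullmatch(value.strip()):
        raise BadAttribute(f"{key} missing or contains characters not allowed in a DN")
    return value.strip()


def build_dn(attrs):
    """Return /DC=au/DC=org/DC=arcs/DC=slcs/O=<Organisation>/CN=<commonName> <sharedToken>.

    The shared token goes into the CN, so two people with the same name at
    the same organisation still get distinct DNs, and one person keeps the
    same DN across re-issues because the token is persistent.
    """
    org = _require(attrs, "organisationName", _SAFE_RDN_RE)        # assumed key
    cn = _require(attrs, "commonName", _SAFE_RDN_RE)               # assumed key
    token = _require(attrs, "auEduPersonSharedToken", _SHARED_TOKEN_RE)
    return f"{DN_PREFIX}/O={org}/CN={cn} {token}"


def validity_window(lifetime_seconds, now=None):
    """Return (not_before, not_after) for a short-lived cert, refusing any
    lifetime at or beyond the one-million-second ceiling the service states."""
    if not 0 < lifetime_seconds < MAX_LIFETIME_SECONDS:
        raise ValueError(f"lifetime must be in (0, {MAX_LIFETIME_SECONDS}) seconds")
    not_before = now or datetime.now(timezone.utc)
    return not_before, not_before + timedelta(seconds=lifetime_seconds)


if __name__ == "__main__":
    # Constructed sample assertions: two different people who share a name.
    alice1 = {"organisationName": "Example University", "commonName": "Alice Smith",
              "auEduPersonSharedToken": "Zx9_abcDEF-0123456789AbCdE"}
    alice2 = dict(alice1, auEduPersonSharedToken="Qq1_zzzZZZ-9876543210FfGgH")
    print(build_dn(alice1))
    print(build_dn(alice2))
    nb, na = validity_window(11 * 3600)
    print(f"valid {nb.isoformat()} to {na.isoformat()}")
```

The allowlist is the security-relevant piece: every RDN value originates from an IdP assertion, so the CA must treat it as untrusted input and refuse anything that could introduce extra RDN separators, rather than hoping the DN encoder escapes it.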
Future
• Write CP/CPS
• Purchase dedicated server and HSM for online CA
• Get accredited
Proposed Network Structure (diagram slide)
Policy
• Each IdP has an agreement with the SLCS server (as well as the federation agreement)
• Need to make sure IdPs are well managed. Ensured by AAF policy.
• CP/CPS under development
Level of Assurance (LoA)
• All identities have a LoA
• Some services don't require high LoA
• Have 2 online CAs
• One for high LoA – IGTF (planned)
• One for other services – non-IGTF
Delegating credential retrieval
• Allow another SP to get a SLCS cert on behalf of a user
• Key/cert stored on web server, not on client
• Security concerns?
Questions?