
  • Number of slides: 18

Managing Credentials on the TeraGrid with MyProxy
Jim Basney, Senior Research Scientist
National Center for Supercomputing Applications, University of Illinois at Urbana-Champaign
jbasney@ncsa.uiuc.edu
TeraGrid '06
http://myproxy.ncsa.uiuc.edu

What is MyProxy?
• A service for managing X.509 PKI credentials
  – A credential repository and certificate authority
• An Online Credential Repository
  – Issues short-lived X.509 Proxy Certificates
  – Long-lived private keys never leave the server
• An Online Certificate Authority
  – Issues short-lived X.509 End Entity Certificates
• Supporting multiple authentication methods
  – Passphrase, Certificate, PAM, SASL, Kerberos
• Open Source Software
  – Included in Globus Toolkit, VDT, and CoG Kits
  – C, Java, Python, and Perl clients available
  – Contributions from EDG, UVA, LBNL, and others

MyProxy and TeraGrid
• MyProxy v3.4 clients in CTSS 3
• myproxy.teragrid.org server
  – Retrieve credentials with myproxy-logon
  – Store credentials with myproxy-init
• MyProxy-based authentication
  – TeraGrid User Portal
  – TeraGrid Ticket System
• Software for Science Gateways
  – Portal-based User Registration
  – Web Single Sign-on

MyProxy Put
Diagram: the Client (holding its certificate and private key) performs a TLS handshake with the MyProxy Server and sends its username, password and retrieval policy; the server generates a keypair and returns a certificate request; the client signs it and sends back the proxy certificate chain, which the server stores together with the new private key.

MyProxy Get
Diagram: after a TLS handshake the Client sends its username, password and a certificate request; the MyProxy Server signs it with the stored private key and returns the proxy certificate chain; the Client then holds an X.509 proxy certificate with its own private key and uses it to authenticate to a Grid Service.
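The Put and Get slides show the repository half of MyProxy: the long-lived private key stays on the server and only short-lived proxy credentials are issued. The Python model below is an added example, not MyProxy's own code; it implements the policy logic those two exchanges rely on (passphrase check with a salted PBKDF2 hash and constant-time comparison, refusal of expired stored credentials, proxy lifetime clipped to the requested value, the per-credential maximum, the server maximum and the remaining life of the stored credential, and a fresh key for every delegation so the stored key is never returned). It substitutes opaque byte strings for X.509 keys and omits TLS, the retriever policy and the actual proxy-certificate signing. The names CredentialRepository, ProxyCredential, RepositoryError and run_demo, the iteration count, and all sample values (user jdoe, the DN, the 2006 dates) are constructed for this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Work factor for the passphrase hash; a constructed value for this model.
PBKDF2_ITERATIONS = 100_000


class RepositoryError(Exception):
    """Raised for any refused Put or Get (one error type, one message style)."""


@dataclass
class StoredCredential:
    subject: str                    # DN of the long-lived certificate
    private_key: bytes              # opaque stand-in; never leaves the repository
    not_after: datetime             # expiry of the long-lived credential
    max_proxy_lifetime: timedelta   # per-credential cap set at Put time
    salt: bytes
    passphrase_hash: bytes


@dataclass
class ProxyCredential:
    subject: str                    # proxy DN derived from the issuer DN
    issuer: str                     # DN of the stored credential that signed it
    proxy_private_key: bytes        # generated for this delegation only
    not_before: datetime
    not_after: datetime


class CredentialRepository:
    """Model of the MyProxy online credential repository (example code)."""

    def __init__(self, server_max_lifetime=timedelta(hours=12)):
        self._store = {}
        self._server_max = server_max_lifetime
        self._dummy_salt = secrets.token_bytes(16)   # for unknown-user hashing

    def _hash(self, passphrase, salt):
        return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ITERATIONS)

    def put(self, username, passphrase, subject, private_key, not_after,
            max_proxy_lifetime=timedelta(hours=12), now=None):
        """Store a long-lived credential under a username and passphrase."""
        now = now or datetime.now(timezone.utc)
        if not_after <= now:
            raise RepositoryError("refusing to store an expired credential")
        salt = secrets.token_bytes(16)
        self._store[username] = StoredCredential(
            subject, private_key, not_after, max_proxy_lifetime, salt,
            self._hash(passphrase, salt))

    def get(self, username, passphrase, requested_lifetime, now=None):
        """Issue a short-lived proxy; the stored private key is used only here."""
        now = now or datetime.now(timezone.utc)
        cred = self._store.get(username)
        if cred is None:
            self._hash(passphrase, self._dummy_salt)   # keep timing similar
            raise RepositoryError("authentication failed")
        if not hmac.compare_digest(self._hash(passphrase, cred.salt), cred.passphrase_hash):
            raise RepositoryError("authentication failed")
        if cred.not_after <= now:
            raise RepositoryError("stored credential has expired")
        # The proxy can never outlive any of the applicable limits.
        lifetime = min(requested_lifetime, cred.max_proxy_lifetime,
                       self._server_max, cred.not_after - now)
        return ProxyCredential(
            subject=cred.subject + "/CN=proxy",
            issuer=cred.subject,
            proxy_private_key=secrets.token_bytes(32),   # fresh per delegation
            not_before=now,
            not_after=now + lifetime)


def run_demo():
    """Exercise the repository with constructed data; returns the observed results."""
    t0 = datetime(2006, 6, 12, tzinfo=timezone.utc)       # constructed date
    stored_key = b"constructed-long-lived-key"
    repo = CredentialRepository(server_max_lifetime=timedelta(hours=12))
    repo.put("jdoe", "correct horse battery", "/C=US/O=NCSA/CN=Jane Doe",
             stored_key, not_after=t0 + timedelta(days=7),
             max_proxy_lifetime=timedelta(hours=24), now=t0)
    normal = repo.get("jdoe", "correct horse battery", timedelta(hours=8), now=t0)
    greedy = repo.get("jdoe", "correct horse battery", timedelta(hours=100), now=t0)
    late = repo.get("jdoe", "correct horse battery", timedelta(hours=8),
                    now=t0 + timedelta(days=7) - timedelta(hours=1))
    try:
        repo.get("jdoe", "wrong passphrase", timedelta(hours=1), now=t0)
        bad_passphrase_rejected = False
    except RepositoryError:
        bad_passphrase_rejected = True
    try:
        repo.get("jdoe", "correct horse battery", timedelta(hours=1),
                 now=t0 + timedelta(days=8))
        expired_rejected = False
    except RepositoryError:
        expired_rejected = True
    hours = lambda p: (p.not_after - p.not_before) / timedelta(hours=1)
    return {
        "normal_hours": hours(normal),            # 8.0: request honoured
        "greedy_hours": hours(greedy),            # 12.0: clipped by server maximum
        "late_hours": hours(late),                # 1.0: clipped by remaining credential life
        "issuer": normal.issuer,
        "key_stays_on_server": normal.proxy_private_key != stored_key,
        "bad_passphrase_rejected": bad_passphrase_rejected,
        "expired_rejected": expired_rejected,
    }


if __name__ == "__main__":
    print(run_demo())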

Tera. Grid User Portal • All Tera. Grid users receive a Portal username and Tera. Grid User Portal • All Tera. Grid users receive a Portal username and password – Login to https: //portal. teragrid. org/ – Portal obtains credentials for resource access – Users can run myproxy-logon to obtain credentials directly from My. Proxy • Uses My. Proxy CA with Kerberos PAM – TERAGRID. ORG Kerberos Realm – Leverages existing NCSA Online CA Tera. Grid ’ 06 http: //myproxy. ncsa. uiuc. edu National Center for Supercomputing Applications

My. Proxy CA with PAM X. 509 Client/Portal keypair Grid Service TLS handshake certificate My. Proxy CA with PAM X. 509 Client/Portal keypair Grid Service TLS handshake certificate request certificate password gridmap My. Proxy Server CA key P A M TGT Kerberos KDC Tera. Grid ’ 06 http: //myproxy. ncsa. uiuc. edu National Center for Supercomputing Applications

Tera. Grid Ticket System • Uses My. Proxy for certificate-based authentication – Store a Tera. Grid Ticket System • Uses My. Proxy for certificate-based authentication – Store a credential with myproxy-init – Enter My. Proxy password on Ticket System https: //tickets. teragrid. org/ – Ticket System verifies certificate identity using Tera. Grid grid-mapfile Tera. Grid ’ 06 http: //myproxy. ncsa. uiuc. edu National Center for Supercomputing Applications

TG Ticket System Authentication myproxy-init certificate TLS handshake username certificate request proxy certificate chain TG Ticket System Authentication myproxy-init certificate TLS handshake username certificate request proxy certificate chain password private key My. Proxy cert chain private key X. 509 cert request username Tickets Browser TLS handshake password username password cert key gridmap Tera. Grid ’ 06 http: //myproxy. ncsa. uiuc. edu National Center for Supercomputing Applications

Tera. Grid Science Gateways • Community interfaces to TG resources – Web portals, desktop Tera. Grid Science Gateways • Community interfaces to TG resources – Web portals, desktop applications, etc. • Many different approaches to user authentication • My. Proxy can assist with – User registration – Certificate management – Single sign-on Tera. Grid ’ 06 http: //myproxy. ncsa. uiuc. edu National Center for Supercomputing Applications

My. Proxy and Grid Portals Tera. Grid ’ 06 http: //myproxy. ncsa. uiuc. edu My. Proxy and Grid Portals Tera. Grid ’ 06 http: //myproxy. ncsa. uiuc. edu National Center for Supercomputing Applications

User Registration Portals PURSE: Portal-based User Registration Service GAMA: Grid Account Management Architecture ESG User Registration Portals PURSE: Portal-based User Registration Service GAMA: Grid Account Management Architecture ESG Tera. Grid ’ 06 http: //myproxy. ncsa. uiuc. edu National Center for Supercomputing Applications

Trusted Portal Browser TLS handshake password username Portal X. 509 cert request username cert Trusted Portal Browser TLS handshake password username Portal X. 509 cert request username cert User DB key X. 509 Tera. Grid ’ 06 My. Proxy http: //myproxy. ncsa. uiuc. edu Grid Service National Center for Supercomputing Applications

My. Proxy and Web SSO PURSE password cookie Browser Pubcookie Login Server cert password My. Proxy and Web SSO PURSE password cookie Browser Pubcookie Login Server cert password My. Proxy cookie Portal A X. 509 cert Grid Service cookie X. 509 cookie Portal B Tera. Grid ’ 06 http: //myproxy. ncsa. uiuc. edu cert National Center for Supercomputing Applications

SSO for Browser and Application Browser Authenticate passwordrandom Portal cert JWS cert passwordrandom Application SSO for Browser and Application Browser Authenticate passwordrandom Portal cert JWS cert passwordrandom Application cert X. 509 Tera. Grid ’ 06 http: //myproxy. ncsa. uiuc. edu passwordrandom My. Proxy Server Grid Service National Center for Supercomputing Applications

Password-based Delegation Delegator certificate Delegatee username passwordrandom private key certificate private key certificate username Password-based Delegation Delegator certificate Delegatee username passwordrandom private key certificate private key certificate username certificate request password TLS handshake random My. Proxy certificate username certificate request passwordrandom certificate handshake TLS private key Tera. Grid ’ 06 http: //myproxy. ncsa. uiuc. edu National Center for Supercomputing Applications

Conclusion • My. Proxy provides credential management services for Tera. Grid – myproxy. teragrid. Conclusion • My. Proxy provides credential management services for Tera. Grid – myproxy. teragrid. org server – Tera. Grid User Portal and Ticket System authentication • My. Proxy supports many credential management options for portals and web services – Requests for new functionality are invited Tera. Grid ’ 06 http: //myproxy. ncsa. uiuc. edu National Center for Supercomputing Applications

Thank you! Questions? Comments? For more information: jbasney@ncsa. uiuc. edu http: //myproxy. ncsa. uiuc. Thank you! Questions? Comments? For more information: jbasney@ncsa. uiuc. edu http: //myproxy. ncsa. uiuc. edu/ http: //www. globus. org/toolkit/security/myproxy/ Tera. Grid ’ 06 http: //myproxy. ncsa. uiuc. edu National Center for Supercomputing Applications