
  • Number of slides: 14

New open source CA development as Grid research platform. National Research Grid Initiative in Japan. Takuto Okuno.

About NAREGI PKI Group (WP 5)

NAREGI work packages (from the slide diagram):
- WP 1: Super Scheduler; Grid Monitoring & Accounting (Globus, Condor, UNICORE, OGSA); Grid VM
- WP 2: Grid Programming (Grid RPC, Grid MPI)
- WP 3: Grid Visualization; Grid PSE; Grid Workflow
- WP 4: Packaging
- WP 5: High-Performance & Secure Grid Networking
- WP 6: Grid-Enabled Apps

NAREGI Authentication Service Perspective

- Develop CA and RA server software that supports the grid environment.
- Develop a CA/RA policy and an authentication service policy that satisfy the GGF basic assurance level.
- Experiment with operating a PKI authentication service (CA server software and CP/CPS) for the UNICORE and Globus grid environments.
- Consider multi-domain policy and create an authentication mechanism for such an environment.

Developing new CA software was necessary to satisfy our functional and security requirements.

NAREGI Registration Sequence

Actors: End user and Host administrator (user site); Site Administrator (LRA), CA Administrator and RA Server (NAREGI site).

1. Prepare License.IDs: the Site Administrator (LRA) requests License.IDs and the CA Administrator issues them.
2. User registration: the end user requests an account (might be face to face); the Site Administrator issues a License.ID (by telephone, mail and so on).
3. The user submits the License.ID and requests issue of a certificate, via command line or Web (online). The RA Server accepts user requests (issue, revoke, update).
4. Request to revoke a certificate.
5. Request to update a certificate.
6. grid-mapfile generation: the RA Server publishes a base grid-mapfile; the host administrator downloads it and generates the mapfile for the local site.

NAREGI CA – roadmap & function layer

Timeline columns: Development in 2003; 2004 - 2005; After 2005.

Function layers (from the slide diagram):
- Command User Interface; Web Service Interface for User Interface; Service Interface for VO Management
- Account management; RA; LCMP; XKMS Web Service Interface (Java API)
- CA based on AiCA (Open Source)
- CP/CPS; Authentication Policy (single domain); Extended Authentication Policy (multi domain)
- NAREGI AUTHENTICATION SERVICE on top of the NW Infrastructure

NAREGI CA – server components

- LDAP Server: collaborates with Grid Service, S/MIME, groupware and so on.
- CA Server: aicad, aicrlpub, aica (CA management tool), PKI utilities certview and certconv; operated by the CA Administrator.
- RA Server: airad, aienroll, enroll (Apache CGI, reached by users over the Web via HTTP), gridmapgen, certreq (by email).
- RA and CA components talk to each other over LCMP.

NAREGI CA – Features at a glance

- Detailed settings of profile (date/time, subject template, policy, etc.)
- Extension information for individual profiles
- Management of users' private keys (key recovery is available)
- HSM support (PKCS#11)
- Issuing multiple certificates in one operation using CSV
- Remote CA management
- Manage multiple CA/RAs on a single server
- Higher security by separating the CA server and the RA server
- Web enrollment feature
- Command line enrollment feature for Globus
- Authorization using ID/Password, License.ID
- Interaction with an LDAP server
- Automatic issuing of certificates
- Life cycle management using Web enrollment/Command line enrollment
- Periodic issue of CRLs (possible to interact with LDAP)
- Access log, issuing log, error log
- Features for management of the grid-mapfile
- Features for interaction with the UNICORE UUDB

NAREGI CA – Secure grid web service perspective

Components in the diagram: RA Server (LCMP, XKMS with X-KISS and X-KRSS, Account Mapping Service); CA Server; SAML Service Provider, Authentication Authority and Attribute Authority (authentication, including SSO); Policy Decision Point (XACML); Agreement Factory (scheduler); OGSI/OGSA Grid Application Service Provider; CPU Resource and DATA Resource.

- Certificates are issued online via a Web browser or a Web service (the RA Server handles online issue and revocation); offline issue using a smart card or a USB token is also provided.
- The user reaches the service over SOAP/HTTP RPC; strong authentication and encryption are provided by WS-Security (encryption, signature) when using OGSA Grid RPC.
- Single Sign On by SAML may be usable.
- The Policy Decision Point refers to policy and access rights (XACML).

NAREGI CA - CD contents

- README (Overview, install, etc.)
- LICENSE
- Release NOTE
- naregi-ca-1.0.tar.gz
- Source files
- CP/CPS, Administrator Guide, etc.
- naregi-project
  - naregi_pre.pdf (about NAREGI)
  - wp5_pre.pdf (about NAREGI Work Package 5)

Appendix. Cryptographic Algorithms

Available cryptographic and hash algorithms:
- Public key cryptography: RSA (with key generation), DSA (with parameter generation), Elliptic Curve DSA (with parameter generation)
- Symmetric cryptography: DES (ECB, CBC, CFB), Triple-DES (ECB, CBC), RC2 (ECB, CBC)
- Hash: MD2, MD5, SHA-1, HMAC (keyed hash)

This list reflects the state of the art around 2004; MD2, MD5, SHA-1 and single DES are no longer acceptable for certificate signatures or for protecting private keys, and a deployment today would restrict profiles to SHA-2 signatures and AES-based key protection.

Appendix. File Formats

Available PKI files:
- Certificate: X.509 DER, PEM (*.cer, *.pem); PKCS#7 DER (*.p7b); PKCS#12 DER (*.p12, *.pfx)
- Private Key: PKCS#1 PEM (*.key, *.pem); PKCS#8 DER (*.key, *.pem); PKCS#12 DER (*.p12, *.pfx)
- CRL: X.509 DER, PEM (*.crl, *.pem); PKCS#7 DER (*.p7b)
- Cross certificate pair: X.509 DER, PEM (*.ccp, *.pem)
- Certificate Signing Request: PKCS#10 DER, PEM (*.crl, *.pem)

Appendix. grid-mapfile generation

Generate a grid-mapfile from a global (base) mapfile and a local users.csv file. The numbered flow in the slide diagram:

1. The Site Administrator informs the User of a license.ID.
2. The User requests issue or revocation of a certificate from the RA Server, giving the license.ID and subject DN.
3. The RA Server asks the CA Server (over LCMP) to issue or revoke the certificate.
4. The Site Administrator creates users.csv, a file that defines the mapping from license.ID to local account name.
5. The RA Server generates the base grid-mapfile, which maps license.ID to subject DN.
6. The grid node downloads the base grid-mapfile over HTTP.
7. gridmapgen on the grid node joins the base grid-mapfile with users.csv to produce the local grid-mapfile.
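The join that step 7 (and step 6 of the registration sequence) performs is small, but it is the point where a site administrator's CSV turns into an authorization file that Globus trusts, so it deserves input validation. The following is an added Python example written for this page; it is not gridmapgen from the NAREGI CA distribution, and it assumes the base mapfile and users.csv are both two-column CSV files (license.ID,subjectDN and license.ID,localAccount), which the slides do not specify. The sample inputs are constructed. The output follows the Globus grid-mapfile convention of one `"DN" account[,account...]` line per subject.

```python
import csv
import io
import re
from collections import OrderedDict

# Constructed sample of the base grid-mapfile published by the RA server
# (license.ID -> subject DN). Column layout is an assumption for this example.
BASE_MAPFILE = """\
# license.ID,subjectDN
LID-0001,/C=JP/O=NAREGI/OU=Site A/CN=Alice Example
LID-0002,/C=JP/O=NAREGI/OU=Site A/CN=Bob Example
LID-0003,/C=JP/O=NAREGI/OU=Site B/CN=Carol Example
"""

# Constructed sample of the site administrator's users.csv
# (license.ID -> local account). LID-0009 has no certificate in the base file.
USERS_CSV = """\
# license.ID,localAccount
LID-0001,alice
LID-0002,bob
LID-0002,grid-ops
LID-0009,dave
"""

# POSIX-style account name; rejects spaces, quotes and newlines so a crafted
# users.csv cannot smuggle extra mappings into the generated line.
ACCOUNT_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def valid_account(name):
    return ACCOUNT_RE.match(name) is not None


def valid_dn(dn):
    # OpenSSL one-line DN: must start with '/', and must not contain the
    # double quote or newline that delimit grid-mapfile entries.
    return dn.startswith("/") and '"' not in dn and "\n" not in dn


def parse_pairs(text):
    """Parse two-column CSV, skipping blank lines and '#' comments."""
    pairs = []
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].lstrip().startswith("#"):
            continue
        if len(row) != 2:
            raise ValueError("malformed line: %r" % (row,))
        pairs.append((row[0].strip(), row[1].strip()))
    return pairs


def generate_gridmap(base_mapfile, users_csv):
    """Return (grid-mapfile lines, license.IDs with no certificate)."""
    lid_to_dn = {}
    for lid, dn in parse_pairs(base_mapfile):
        if not valid_dn(dn):
            raise ValueError("bad subject DN for %s: %r" % (lid, dn))
        if lid in lid_to_dn and lid_to_dn[lid] != dn:
            raise ValueError("license.ID %s maps to two DNs" % lid)
        lid_to_dn[lid] = dn

    dn_to_accounts = OrderedDict()   # keep site administrator's ordering
    unmapped = []
    for lid, account in parse_pairs(users_csv):
        if not valid_account(account):
            raise ValueError("bad local account name: %r" % account)
        dn = lid_to_dn.get(lid)
        if dn is None:
            # No (or revoked) certificate for this license.ID: the user
            # silently loses access rather than getting a dangling entry.
            unmapped.append(lid)
            continue
        accounts = dn_to_accounts.setdefault(dn, [])
        if account not in accounts:
            accounts.append(account)

    lines = ['"%s" %s' % (dn, ",".join(accts))
             for dn, accts in dn_to_accounts.items()]
    return lines, unmapped


if __name__ == "__main__":
    lines, unmapped = generate_gridmap(BASE_MAPFILE, USERS_CSV)
    print("\n".join(lines))
    for lid in unmapped:
        print("warning: %s is in users.csv but has no certificate" % lid)
```

Carol (LID-0003) has a certificate but no local account and therefore gets no entry, and Dave (LID-0009) is reported rather than mapped; both cases are exactly what a site wants after a revocation or a stale users.csv. Because the base file is fetched over plain HTTP in the slide's flow, a real deployment should verify it (signature or at least TLS) before feeding it to this step.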

Appendix. NAREGI Authentication Service

Diagram (labels only survive): NaReGI Auth. Policy Domain and Other Auth. Policy Domains; User creates a CSR and a Proxy and sends a JOB Request; Resource creates a Process; Delegate; Validate Cert; RA and CA in each domain, with RA/CA Collaboration across domains.

NAREGI CA – development roadmap

In 2003
- LCMP protocol definition
- NAREGI CA development
- Start trial CA operation

In 2004
- Optimize performance (10k certificates/h)
- LCMP Java API
- Service Interface for account management

In 2005
- XKMS
- Feedback / improve server operation