Download presentation: Use of MyProxy for the FusionGrid


• Number of slides: 18

Use of MyProxy for the FusionGrid
Mary Thompson, Monte Goode
GridWorld 2006

FusionGrid
• SciDAC Collaboratory to support experimental fusion scientists (2001-2006)
  § Remote job execution
    Ø TRANSP, a large code written and maintained by Princeton Plasma Physics Lab (PPPL) scientists, run at several sites. Wanted to run it at just one site and allow remote access.
  § Remote data access
    Ø Had a common data storage format and server software, MDSplus, written at MIT. Needed secure remote access.
  § Remote participation in tokamak experiments
• Funded by DOE/MICS. Goal to advance both the fusion science and the computer science.
• Princeton Plasma Physics Lab, Princeton CS, General Atomics, MIT Plasma & Fusion Science Center, ANL, LBNL, Univ. of Utah.

Motivation for MyProxy enhancements
• Started with GSI and self-managed certificates issued by DOEGrids CA
• Web interface to CA not optimal for GSI use
  § export and reformat for use with GSI
  § renewals especially problematic
• Script interfaces exist but are brittle
• Fusion scientists submit jobs from a variety of machines
  § need to login thru firewalls before they can submit a job

MyProxy for Long-term Credentials
• While MyProxy was originally designed to manage proxy certificates, it is happy to manage end entity certificates as well.
• DOEGrids CA policy prohibits third party possession of private keys.
• Needed new CA with a different policy
  § FusionGrid could run its own CA software
  § Could use an on-demand CA
    Ø Implies another means to authenticate users
  § ESnet agreed to run a separate CA with a policy that allowed private key storage on a secure server
  § FusionGrid certificates are used within the FusionGrid for Globus job submission, MDSplus data access, and access to secure web sites.

Credential Manager (CM)
• Web-based interface for requesting, renewing or revoking certificates.
• Stores certificates and keys in collocated MyProxy server
• Server host is a secured Linux server
  § Few accounts, no unnecessary servers, patches up-to-date, located in machine room.
  § Keys are arguably safer here than on users' workstations

Credential Manager Use
• FusionGrid accepts new users via the request to the CM for a new certificate.
  § Requires user name and password, contact information, purpose of joining the FusionGrid.
  § Needs to be approved by a sponsor and issued by an RA.
• Once approved, the end entity's credentials are stored in a MyProxy server (the CredentialStore).
• User gets proxy certificates authenticated by user name and password (myproxy-logon).
  § Note keys are encrypted by the password. Passwords are not stored on the CM host.
  § Don't need credential stored on the machine from which the Globus job is submitted.

Architecture and Basic Use Case (diagram)
Components: user; Credential Manager (Apache/CGI) with user information store; FusionGrid CA; MyProxy CredentialStore repository holding end entity credentials (store, delegate); FusionGrid service.
Flows: register with the CM (done once); myproxy-logon to the CredentialStore (once per 12 hrs); delegate the proxy to the FusionGrid service (for each job submission).

Proxy Renewals
• The most commonly used code in the FusionGrid (TRANSP) can have queue + run times of up to several weeks.
• We set up a different MyProxy server to provide a proxy renewal service (ProxyStore).
• The CM provides a CGI interface designed to be callable by a script to generate a medium-lived proxy certificate, add it to the renewal ProxyStore and specify which service may use it for renewal.
• Renewals by services are handled by the normal MyProxy trusted renewers mechanism.

Architecture and Renewal Use Case (diagram)
Components: user; Credential Manager (Apache/CGI) with user information store; MyProxy CredentialStore repository holding end entity credentials (store, delegate); MyProxy ProxyStore holding renewable proxies (store, delegate); FusionGrid service.
Labelled steps [1]-[6] cover setting a renewable proxy through the web interface, myproxy-logon (once per 12 hrs), storing the renewable proxy in the ProxyStore, and delegation to the service for each job submission.

Why two MyProxy servers?
• The CredentialStore repository stores end-entity certificates with encrypted keys and provides a flexible user-oriented delegation policy.
  § Anonymous delegation with password
• The ProxyStore repository stores proxies with unencrypted keys and allows for delegations by only a set of known services.
  § The retriever must authenticate by certificate and be listed as an allowed retriever for the specific certificate.
• The proxy that the user gets has a maximum allowed lifetime of 2 weeks (could be shorter) and defaults to 12 hrs.
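As an added illustration, not configuration from the FusionGrid deployment or from this talk, the following myproxy-server.config fragments sketch how the CredentialStore and ProxyStore policies described in the Proxy Renewals and Why-two-servers slides map onto MyProxy's standard server policy directives. The service DNs are assumed placeholders; the directive names and the "*" / "none" values are the ones documented in myproxy-server.config(5).

```conf
# --- CredentialStore: end-entity certificates with passphrase-encrypted keys ---
# Any user may have a credential stored under a username by the CM.
accepted_credentials        "*"
# Anonymous, password-authenticated retrieval (myproxy-logon): the client
# proves knowledge of the passphrase instead of presenting a certificate.
authorized_retrievers       "*"
default_retrievers          "*"
# No certificate-based renewal and no passwordless "trusted" retrieval here.
authorized_renewers         "none"
default_renewers            "none"
default_trusted_retrievers  "none"
# Delegated proxies capped at 2 weeks (336 hours); myproxy-logon's own
# default of 12 hours applies unless the user asks for more with -t.
max_proxy_lifetime          336

# --- ProxyStore: medium-lived proxies with unencrypted keys ---
accepted_credentials        "*"
# No password-based retrieval at all.
authorized_retrievers       "none"
default_retrievers          "none"
# Only known services may renew, and they must authenticate with their own
# certificate. The server-wide list below is the outer bound; the CGI that
# stores a proxy additionally names the specific service allowed to renew
# that credential (the per-credential renewer list), so both must match.
# (Assumed placeholder DNs.)
authorized_renewers         "/DC=org/DC=fusiongrid/CN=transp.placeholder.pppl.gov" "/DC=org/DC=fusiongrid/CN=webapp.placeholder.fusiongrid.org"
default_renewers            "none"
```

Keeping the two policies on separate servers means a mistake in one file (say, widening authorized_retrievers) cannot expose the unencrypted ProxyStore keys to password-only clients.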

Servers are mirrored for robustness
• The three servers and their databases are mirrored at LBNL and MIT to provide robustness in case of host or network failure at either site.
  § The CM and end-entity store are mirrored read-only; the mirror can support proxy-logons but not new user registrations. The mirror is updated once every 24 hours.
  § The ProxyStore is synchronized in both directions at 1 minute intervals, so that a renewable certificate can always be entered or delegated from.
• The client interfaces try the LBNL server first and then fail over to the MIT servers.
• Used twice in 2 years: a security breach at LBL took all our machines off-line; network maintenance at MIT.

Portal Technology for FusionGrid
• FusionGrid has experimented with a Java portal, but having a single all-purpose portal did not correspond to the realities of the VO.
• There already existed several web sites at different institutions, implemented in different technologies (not Java), each serving a single purpose.
  § Monitoring
  § Authorization
  § Working documents
  § Several potential job submission sites

Federated Portals
• What was needed was a common way to do authentication across all the Web sites.
  § Must be simple for an existing Web site to implement
• PubCookie, an open source package using signed cookies, can do this for web sites in the same domain, e.g. fusiongrid.org.
• We wanted to integrate PubCookie with the FusionGrid single-signon mechanism that used myproxy-logon.
• And enable Web sites to get proxy certificates for authenticated users.

Architecture and Portal Use Case (diagram)
Components: user; PubCookie Login Server (Apache) with the MyProxy authentication plug-in; Webapp Server (Apache); MyProxy CredentialStore holding end entity credentials (store, delegate); MyProxy ProxyStore holding renewable proxies and PubCookie proxies (store, delegate); FusionGrid service.
Labelled steps (1)-(7) cover the initial contact with the webapp server, login at the PubCookie login server, return to the webapp with a cookie, the store and delegate operations against the two MyProxy servers (once per 12 hrs), and delegation to the service for each job submission.

PubCookie - MyProxy integration
• Run PubCookie login server collocated with MyProxy server on cert.fusiongrid.org
• The first time a user goes to a Web application server, he is redirected to the PC login server to get a cookie.
• PC login server supports plugins for authentication.
• We added an authentication module that calls MyProxy with the username and password.

PubC-MyProxy authentication
• PubC login prompts the user for his FusionGrid username (GridId) and password.
• Calls myproxy-logon, which verifies the password and delegates a proxy.
• Authentication module stores the proxy in the ProxyStore named by the user's GridId and enables it to be delegated by the list of known Webapp servers.
• PubC login server then creates, encrypts and signs the granting cookie and login cookie containing the GridId.

PubCookie single-signon process
• Normal PubCookie process is followed.
  § The login cookie is stored in the user's browser.
  § The granting cookie is passed to the requested app server.
  § The app server creates a site-specific signed cookie containing the user's GridId. All accesses to that server now carry an authenticated GridId.
  § The login cookie is used in subsequent accesses to other app servers.
• This GridId can be used by the app server to get a delegated proxy to use for Globus job submission or to make authorization queries to the FusionGrid authorization server.

Summary
• Used a MyProxy repository to store long-term credentials
• Added some web interface and scripting frosting around the proxy renewal mechanism
• Integrated MyProxy and PubCookie to enable single-purpose portals for job submission and other things.