c4546fbfb229cdccf2a7c26e1c459550.ppt
- Number of slides: 12
www.DOEGrids.org: DOE's PKI service for Grids
Tony J. Genovese, Malaga, Spain, November 2003
Outline (slide 2)
- Grids AuthN/AuthZ model
- International Grid Federation efforts
- DOEGrids Federation
- Experimental OCSP service
Grids AuthN/AuthZ (slide 3)
- Separate the two problems
- First focus on solving identity
  • Harmonize identity policies
  • Standards efforts: GGF, Grid PMA
  • Grid identity federations: EDG, CrossGrid, DOEGrids
  • Other federations: TERENA, EGEE, eInfrastructure?
- Authorization is still a research topic
  • Individual grids developing their own policies
  • VOMS, proxy services
International Grid Federation (slide 4)
- WWW.GridPMA.org
- Informal confederation
- Representatives from major Grid PMAs
  • European Data Grid and CrossGrid PMA
  • NCSA Alliance
  • DOEGrids PMA
  • NASA Information Power Grid
  • TERENA
  • Asian Pacific PMA
    - AIST, Japan
    - SDSC, USA
    - KISTI, Korea
    - BII, Singapore
    - Kasetsart Univ., Thailand
    - CAS, China
DOEGrids Federation (slide 5)
- Managed by multiple stakeholders
  • 15-member Policy Management Authority representing DOE and NSF
  • PMA responsible for the Certificate Policy and Certification Practice Statement
  • PMA manages the operator relationship
- Operator: ESnet at Lawrence Berkeley National Laboratory
- Peers with the European Data Grid PMA and the CrossGrid project
- 20+ Registration Authority Agents
DOEGrids community (slide 6)
[chart; only the footnote survives]
* Includes DOESG transitioned certificates
DOEGrids usage (slide 7)
[chart; no text survives]
General PKI Service Architecture (slide 8)
[diagram; labels as they appear on the slide]
- ESnet Root CA: ESnet only signs subordinate CAs
- Certificate Authority links: WWW.ES.net/CA, WWW.DOEGrids.org/CA
- ESnet subordinate Certificate Authorities and proposed CAs:
  • DOEGrids (VO support)
  • Integrated Site AuthN: NERSC NIM integration
  • K/X509 (FNAL)
  • Virtual Secure Card (SLAC)
DOEGrids Physical Security Architecture (slide 9)
[diagram; label: Vaulted Root CA]
DOEGrids PKI roles (slide 10)
- Policy Management Authority
  • Manages PKI policies
- Security Officer
  • Manages PKI infrastructure
  • Responsible for implementing PKI policies
- Registration Authority
  • Represents VO on PMA
  • Responsible for identity vetting of VO members
- Registration Agent
  • Delegated identity vetting from RA
- Grid Administrator (new)
  • Delegated by Agent to issue Service Certificates
Grid Admin Role (slide 11)
[flowchart: Grid Admin Server Cert Interface]
1. Grid Admin provides a PKCS#10 server request and submits it.
2. SSL client authentication using the DOEGrids CA certificate.
   - failed: Authentication Error
   - successful: continue
3. Request validation and authorization process against the GridAdmin LDAP.
   - Successful? No: Authorization Error
   - Yes: Issue Server Certificate
Experimental OCSP service (slide 12)
[diagram with two hosts, Machine A and Machine B; labels: OCSP Service, OCSP Admin Interface, OCSP Service LDAP]
1. edg-fetch-crl-cron (*) downloads all the CRLs listed on the EDG website into the /opt/edg/certificates folder.
2. postcrl_ocsp (*) checks, for every CRL file (*.r0) under the /opt/edg/certificates folder, whether the file is new.
3. Parse the CRL file and filter only the base64-encoded CRL portion.
4. Apply URL-encoding logic.
5. Post this CRL data into the OCSP Service Admin Interface (SSL client authentication).
* edg-fetch-crl-cron and postcrl_ocsp are cron jobs that run every night.
* All the CA certificates listed on http://marianne.in2p3.fr/datagrid/ca/catable-ca.html have been installed with the OCSP Service.
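The postcrl_ocsp steps above (new-file check, extracting only the base64 CRL portion, URL-encoding it for the admin-interface POST), as an added Python example that is not part of the original presentation or of the EDG/DOEGrids tooling; the sample file content (with placeholder base64 bytes, not a real CRL), the form field name and the SHA-256 based "is the file new" check are assumptions.

```python
import base64
import hashlib
import re
from urllib.parse import urlencode

# Constructed sample of what a *.r0 file under /opt/edg/certificates may look like
# after a fetch: a text dump followed by the PEM block. The base64 body is
# placeholder data, NOT a real CRL.
SAMPLE_CRL_R0 = """Certificate Revocation List (CRL):
        Version 1 (0x0)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: /DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=Example CA
-----BEGIN X509 CRL-----
MIIBAgICAaEwDQYJKoZIhvcNAQEFBQAwIjELMAkGA1UEBhMCVVMxEzARBgNVBAoT
ClBsYWNlaG9sZGVy
-----END X509 CRL-----
"""

PEM_CRL_RE = re.compile(
    r"-----BEGIN X509 CRL-----\s*(.*?)\s*-----END X509 CRL-----", re.S)


def extract_pem_crl(crl_text: str) -> str:
    """Return only the base64 body of the PEM CRL block, without the text dump."""
    m = PEM_CRL_RE.search(crl_text)
    if m is None:
        raise ValueError("no PEM CRL block found")
    body = "".join(m.group(1).split())          # drop the PEM line breaks
    base64.b64decode(body, validate=True)       # reject a corrupt/truncated download
    return body


def is_valid_crl_file(crl_text: str) -> bool:
    """True if the file carries a PEM CRL block whose body is well-formed base64."""
    try:
        extract_pem_crl(crl_text)
        return True
    except ValueError:          # binascii.Error from b64decode is a ValueError subclass
        return False


def encode_crl_for_post(body: str, crl_field: str = "crl") -> str:
    """URL-encode the base64 CRL body as a form field (field name is an assumption)."""
    return urlencode({crl_field: body})


def select_new_crls(files: dict, seen: dict) -> list:
    """Return names of *.r0 files whose content changed since the last run.

    `files` maps file name to content, `seen` maps file name to the SHA-256
    digest recorded at the previous run and is updated in place.
    """
    new = []
    for name, content in sorted(files.items()):
        if not name.endswith(".r0"):
            continue
        digest = hashlib.sha256(content.encode()).hexdigest()
        if seen.get(name) != digest:
            new.append(name)
            seen[name] = digest
    return new
```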


