MyProxy

Jim BasneySenior Research Scientist

NCSAjbasney@ncsa.uiuc.edu

OGF19 http://myproxy.ncsa.uiuc.edu/ 2

What is MyProxy? An Online Certificate Authority

Issues short-lived X.509 End Entity Certificates Avoid need for long-lived user keys

An Online Credential Repository Issues short-lived X.509 Proxy Certificates Long-lived private keys never leave the server

Supporting multiple authentication methods Passphrase, Certificate, PAM, SASL, Kerberos, Pubcookie,

VOMS Open Source Software

Included in Globus Toolkit, UGE, NMI, VDT, and CoG Kits C, Java, Python, and Perl clients available Contributions from EDG, UVA, LBL, and others

Protocol specified in GFD-E.54

OGF19 http://myproxy.ncsa.uiuc.edu/ 3

MyProxy Logon Authenticate to retrieve PKI credentials

End Entity or Proxy Certificate Trusted CA Certificates Certificate Revocation Lists (CRLs)

MyProxy maintains the user’s PKI context Users don’t need to manage long-lived credentials Enables server-side monitoring and policy enforcement (ex. passphrase quality checks)

CA certificates & CRLs updated automatically at login

Integrates with existing authentication systems Providing a gateway to grid authentication

OGF19 http://myproxy.ncsa.uiuc.edu/ 4

MyProxy Authentication Key Passphrase X.509 Certificate

Control credential storage, retrieval, and renewal Supports trusted authentication and renewal services

Pluggable Authentication Modules (PAM) Kerberos password One Time Password (OTP) Lightweight Directory Access Protocol (LDAP) password

Simple Authentication and Security Layer (SASL) Kerberos ticket (SASL GSSAPI)

Pubcookie Web Single Sign-On

Virtual Organization Membership Service (VOMS) Attribute-based access control

OGF19 http://myproxy.ncsa.uiuc.edu/ 5

MyProxy Deployment Options Users already have PKI credentials

MyProxy repository can help users manage the credentials by:

Securing private keys in a professionally managed server Obtaining credentials when/where needed Using credentials with MyProxy-enabled applications

Users have site logons but no PKI credentials MyProxy CA can provide the bridge

Users need to register to obtain PKI credentials User registration portals provide a MyProxy interface

Grid Account Management Architecture (GAMA)http://grid-devel.sdsc.edu/gama

Portal-Based User Registration Service (PURSE)http://www.grids-center.org/solutions/purse

OGF19 http://myproxy.ncsa.uiuc.edu/ 6

MyProxy-enabled Applications

CoG Kit APIs (www.cogkit.org) Grid portal toolkits

GridSphere (www.gridsphere.org) GridPort (gridport.net) OGCE (www.collab-ogce.org)

Authentication modules JAAS (myproxy.ncsa.uiuc.edu/jaas) Apache (myproxy.ncsa.uiuc.edu/apache)

Pubcookie (myproxy.ncsa.uiuc.edu/pubcookie)

OGF19 http://myproxy.ncsa.uiuc.edu/ 7

MyProxy Documentation

OGF19 http://myproxy.ncsa.uiuc.edu/ 8

MyProxy Support

OGF19 http://myproxy.ncsa.uiuc.edu/ 9

Topics for Discussion

Credential Renewal

High Availability

Attribute Support

Web Services Web SSO

Security Context Provisioning

User Registration

HSM Support Audit Logging Others?

OGF19 http://myproxy.ncsa.uiuc.edu/ 10

Credential Renewal

Existing MyProxy-based renewal support EGEE Renewal Service Condor-G

Future Work MyProxy-based GT4 Renewal Service

Integrated with GT4 Delegation Service Support for GRAM, WS-GRAM, RFT

OGF19 http://myproxy.ncsa.uiuc.edu/ 11

High Availability

Existing support Clients retry when server is unreachable

Documentation for MyProxy CA replication

Primary-backup replication of MyProxy repository

Future Work Robust client retry Peer-to-peer repository replication

OGF19 http://myproxy.ncsa.uiuc.edu/ 12

Attribute Support

Existing support VOMS authentication to MyProxy server GridShib CA integration with MyProxy

Future Work Issue credentials with VOMS assertions

SAML authentication to MyProxy server

OGF19 http://myproxy.ncsa.uiuc.edu/ 13

Web Services

Currently MyProxy does not provide a Web Services interface C, Java, Perl, Python APIs

Standard Delegation Service interface is needed For MyProxy, GT4, and EGEE delegation services

OGF19 http://myproxy.ncsa.uiuc.edu/ 14

Web Single Sign-on

Existing Support MyProxy server accepts Pubcookie tokens

Future Work Shibboleth/SAML support Other web SSO methods?

OGF19 http://myproxy.ncsa.uiuc.edu/ 15

Security Context Provisioning

Existing Support MyProxy can provision user certificates, CA certificates, and CRLs

Requires MyProxy server CA certificate to be installed

Future Work Java client support Zero configuration bootstrap

OGF19 http://myproxy.ncsa.uiuc.edu/ 16

User Registration

Existing Support Provided by PURSE and GAMA GridShib CA and OpenIDP

Future Work Integration with MyProxy CA Integration with attribute and authorization services

OGF19 http://myproxy.ncsa.uiuc.edu/ 17

HSM Support

Existing Prototypes MyProxy repository using IBM 4738 MyProxy CA using Aladdin eToken

Future Work Full support for OpenSSL hardware engines in MyProxy CA

OGF19 http://myproxy.ncsa.uiuc.edu/ 18

Audit Logging

Existing Support All MyProxy server operations are logged to syslog

Recent improvements to MyProxy CA logging to meet IGTF guidelines

Future Work Include auditing information in issued credentials

Support standard grid logging interfaces

OGF19 http://myproxy.ncsa.uiuc.edu/ 19

Thank you!

Questions?

Comments?

For more information:jbasney@ncsa.uiuc.eduhttp://myproxy.ncsa.uiuc.edu/http://www.globus.org/toolkit/security/myproxy/