TeraGrid ’06 http://myproxy.ncsa.uiuc.edu National Center for Supercomputing Applications
Managing Credentials on the TeraGrid with MyProxy
Jim Basney, Senior Research Scientist
National Center for Supercomputing Applications, University of Illinois at Urbana-Champaign
What is MyProxy?
• A service for managing X.509 PKI credentials
– A credential repository and certificate authority
• An Online Credential Repository
– Issues short-lived X.509 Proxy Certificates
– Long-lived private keys never leave the server
• An Online Certificate Authority
– Issues short-lived X.509 End Entity Certificates
• Supporting multiple authentication methods
– Passphrase, Certificate, PAM, SASL, Kerberos
• Open Source Software
– Included in Globus Toolkit, VDT, and CoG Kits
– C, Java, Python, and Perl clients available
– Contributions from EDG, UVA, LBNL, and others
MyProxy and TeraGrid
• MyProxy v3.4 clients in CTSS 3
• myproxy.teragrid.org server
– Retrieve credentials with myproxy-logon
– Store credentials with myproxy-init
• MyProxy-based authentication
– TeraGrid User Portal
– TeraGrid Ticket System
• Software for Science Gateways
– Portal-based User Registration
– Web Single Sign-on
MyProxy Put
[Diagram: Client and MyProxy Server exchange over a TLS handshake. Labels: keypair, certificate, private key, certificate request, proxy certificate chain, username, password, policy; the server ends up holding a private key and cert chain.]
MyProxy Get
[Diagram: Client and MyProxy Server exchange over a TLS handshake. The client sends a certificate request with username and password; the server, holding the stored private key and cert chain, returns a proxy certificate chain; the client then authenticates to a Grid Service with X.509.]
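An added illustration of the MyProxy Get exchange above, written for this page and not MyProxy's own code; it uses the Python `cryptography` package. The client sends only a certificate request for a freshly generated keypair, the server signs it with the stored long-lived key, clamps the lifetime to a constructed 12-hour retrieval policy and returns an RFC 3820 proxy certificate; the stored credential is self-signed here for brevity and the user name "jbasney" is a constructed sample.

```python
import datetime as dt
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa, padding

# ProxyCertInfo (OID 1.3.6.1.5.5.7.1.14) with policy id-ppl-inheritAll, DER built by hand
PROXY_CERT_INFO = x509.ObjectIdentifier("1.3.6.1.5.5.7.1.14")
INHERIT_ALL_DER = bytes.fromhex("300c300a06082b06010505071501")
MAX_LIFETIME_HOURS = 12  # constructed retrieval policy stored alongside the credential

def make_long_lived_credential(cn="jbasney"):
    # Stand-in for the credential stored on the server by myproxy-init (self-signed here)
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = dt.datetime.now(dt.timezone.utc)
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + dt.timedelta(days=365))
            .sign(key, hashes.SHA256()))
    return key, cert

def client_request(subject):
    # Client side of myproxy-logon: a fresh private key that never leaves the client
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    csr = x509.CertificateSigningRequestBuilder().subject_name(subject).sign(key, hashes.SHA256())
    return key, csr

def server_issue_proxy(stored_key, stored_cert, csr, requested_hours):
    # Server side: check proof of possession, clamp lifetime to policy, sign with stored key
    if not csr.is_signature_valid:
        raise ValueError("CSR signature does not verify")
    lifetime = dt.timedelta(hours=min(requested_hours, MAX_LIFETIME_HOURS))
    # RFC 3820: proxy subject is the issuer's subject plus one extra CN component
    subject = x509.Name(list(stored_cert.subject) + [x509.NameAttribute(NameOID.COMMON_NAME, "proxy")])
    now = dt.datetime.now(dt.timezone.utc)
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(stored_cert.subject)
            .public_key(csr.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + lifetime)
            .add_extension(x509.UnrecognizedExtension(PROXY_CERT_INFO, INHERIT_ALL_DER), critical=True)
            .sign(stored_key, hashes.SHA256()))

def signed_by(proxy, issuer_cert):
    # Relying-party check (the Grid Service in the diagram): proxy chains to the stored cert
    try:
        issuer_cert.public_key().verify(proxy.signature, proxy.tbs_certificate_bytes,
                                        padding.PKCS1v15(), proxy.signature_hash_algorithm)
        return True
    except Exception:
        return False
```

The proxy carries the client's public key, so the server's long-lived private key is used for the signature but never transmitted.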
TeraGrid User Portal
• All TeraGrid users receive a Portal username and password
– Login to https://portal.teragrid.org/
– Portal obtains credentials for resource access
– Users can run myproxy-logon to obtain credentials directly from MyProxy
• Uses MyProxy CA with Kerberos PAM
– TERAGRID.ORG Kerberos Realm
– Leverages existing NCSA Online CA
MyProxy CA with PAM
[Diagram: Client/Portal performs a TLS handshake with the MyProxy Server and sends a password and certificate request; the server authenticates through PAM against the Kerberos KDC (TGT), consults the gridmap, and signs a certificate with the CA key for the client's keypair; the client then accesses a Grid Service with X.509.]
TeraGrid Ticket System
• Uses MyProxy for certificate-based authentication
– Store a credential with myproxy-init
– Enter MyProxy password on Ticket System https://tickets.teragrid.org/
– Ticket System verifies certificate identity using TeraGrid grid-mapfile
TG Ticket System Authentication
[Diagram: The user first runs myproxy-init, storing a proxy certificate chain and private key in MyProxy under a username and password (TLS handshake, certificate request, proxy certificate chain). The Browser then logs in to Tickets with that username and password over TLS; the Ticket System sends a cert request to MyProxy, receives the X.509 cert and key, and checks the certificate identity against the gridmap.]
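An added example, not part of the original slides or of the TeraGrid Ticket System's code, of the last step in the diagram above: mapping the subject of the certificate retrieved from MyProxy to a local account through a grid-mapfile. The file content is a constructed sample in the Globus grid-mapfile format (a quoted DN followed by comma-separated local user names); proxy-certificate CN components are stripped so a proxy maps like its end-entity certificate, and the first mapped account is taken as the match (an assumption of this example).

```python
import re

# Constructed sample grid-mapfile in Globus format: "<DN>" user[,user...]
SAMPLE_GRIDMAP = """\
# TeraGrid grid-mapfile (constructed sample)
"/C=US/O=National Center for Supercomputing Applications/CN=Jim Basney" jbasney
"/C=US/O=Example Org/CN=Alice Example" aexample,tg-alice

"/C=US/O=Example Org/CN=Alice Example" alice2
"""

# Trailing CN components added by legacy and RFC 3820 proxy certificates
_PROXY_CN = re.compile(r"/CN=(proxy|limited proxy|\d+)$")

def parse_gridmap(text):
    """Return {DN: [local users]}; later entries for the same DN are appended."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r'"([^"]+)"\s+(\S+)', line)
        if not m:
            raise ValueError(f"malformed grid-mapfile line: {raw!r}")
        dn, users = m.group(1), m.group(2).split(",")
        mapping.setdefault(dn, []).extend(users)
    return mapping

def end_entity_dn(subject):
    """Strip proxy CN components so the lookup key is the end-entity certificate's DN."""
    while _PROXY_CN.search(subject):
        subject = _PROXY_CN.sub("", subject)
    return subject

def map_user(mapping, subject):
    """Ticket-system style check: first mapped local account, or None if not authorized."""
    users = mapping.get(end_entity_dn(subject))
    return users[0] if users else None
```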
TeraGrid Science Gateways
• Community interfaces to TG resources
– Web portals, desktop applications, etc.
• Many different approaches to user authentication
• MyProxy can assist with
– User registration
– Certificate management
– Single sign-on
MyProxy and Grid Portals
User Registration Portals
PURSE: Portal-based User Registration Service
GAMA: Grid Account Management Architecture
ESG
Trusted Portal
[Diagram: The Browser authenticates to the Portal with username and password over a TLS handshake; the Portal checks its UserDB, sends a cert request with the username to MyProxy, receives the X.509 cert and key, and accesses a Grid Service with X.509.]
MyProxy and Web SSO
[Diagram: PURSE deployment. The Browser authenticates once with a password to the Pubcookie Login Server and receives a cookie; the cookie is presented to Portal A and Portal B; each portal retrieves a cert from MyProxy with the user's password and accesses a Grid Service with X.509.]
SSO for Browser and Application
[Diagram: The Browser authenticates to the Portal with a password; the Portal stores a cert in the MyProxy Server under a random password and launches the Application via JWS with that random password; the Application retrieves the cert from MyProxy and accesses a Grid Service with X.509.]
Password-based Delegation
[Diagram: The Delegator, holding a certificate and private key, performs a TLS handshake with MyProxy and stores a certificate under a username and random password. The Delegatee, given the username and random password, performs a TLS handshake, sends a certificate request, and receives a certificate for its own private key.]
Conclusion
• MyProxy provides credential management services for TeraGrid
– myproxy.teragrid.org server
– TeraGrid User Portal and Ticket System authentication
• MyProxy supports many credential management options for portals and web services
– Requests for new functionality are invited
Thank you!
Questions?
Comments?
For more information:
http://myproxy.ncsa.uiuc.edu/
http://www.globus.org/toolkit/security/myproxy/