ESnet RAF and eduroam™
Tony J. Genovese
ATF Team, ESnet/Lawrence Berkeley National Laboratory

ATF Overview
- Authentication services for DOE Office of Science projects, including international collaborations, computational Grids, the ESnet community, and ESnet internal use
- Primarily focused on the Office of Science community
- Facilitating several trust federations to enable interoperable science Grids – Policy Management Authorities:
  - the IGTF – International Grid Trust Federation
  - the Americas "regional" policy management authority – TAGPMA
- ATF's principal service is a set of certificate authorities (CAs); policy is driven completely by the needs of the science community
- ATF also pilots new technology and new policy systems, and develops project proposals in collaboration with other partners

Authentication and Trust Federation Team
- 3 FTEs plus heavy support from ESnet UNIX services, plus additional support from network engineering, services, and Windows support
- Roles: CA Operator; Developer; Federation Liaison; Product Manager (community outreach); Specialized system administration; PMA chairman / member; Contributor to community best practices/standards efforts
- All team members have cross-trained to ensure continuity.

PKI Certificate Authorities Overview
- ESnet Root CA only signs subordinate CAs
- ESnet subordinate Certificate Authorities and Services: DOEGrids; ESnet SSL/TLS; NERSC Site – NIM Integration; FUSION (Credential Store); OCSP Service; Future Co-hosting

PKI Security Environment
- Offline vaulted Root CA
- PKI systems with Hardware Security Modules (HSM)
- Grid User Firewall; Secure VLAN; Internet
- Access-controlled racks; Secure Data Center; Building Security; LBNL Site security; Intrusion Detection

DOEGrids CA Usage Statistics
[Chart: number of certificates or requests per month, Jan 2003 – Jul 2005; series: User Certificates, Service Certificates, Expired (+revoked) Certificates, Total Certificates Issued, Total Cert Requests]
- Production service began in June 2003
- User Certificates: 1999
- Host & Service Certificates: 3461
- Total No. of Certificates: 5479
- Total No. of Requests: 7006
- ESnet SSL Server CA Certificates: 38
- DOEGrids CA 2 CA Certificates (NERSC) 15 Fusion GRID CA certificates 76
* Report as of Jun 15, 2005

RAF, eduroam™ and Internet2 Secure ID interconnects
[Diagram: ESnet RAF at the centre, with Grid realms (PPNL, ANL, NERSC, ORNL, LBNL, DOEGrids, MyProxy; Aladdin Smart Card and Crypto Card tokens), eduroam™ via TERENA (NL eduroam™), and Internet2 / UTK (eduroam US). Interconnecting with eduroam™ at UTK; interconnecting Grid realms at TERENA; ESnet as a possible secondary route for eduroam™.]

Grid eduroam™ Experiment Phase 0
- Use Infoblox loaded with IGTF root certificates
- Strong authentication: EAP/TLS based on Grid identity certificates
- Authorization attributes: eduroam™ defines
- Trust anchor: TACAR or EUGridPMA repository
- IGTF OCSP experimental service – GGF defining the service
- Interconnect to eduroam™ at UTK; Grid top-level interconnect at TERENA – Root ESnet
- User experience: local site dependency; Grid PMAs (EU Grid PMA, AP Grid PMA and TAGPMA) and eduroam™ define it; each site controls how it exposes or provides a service to the community
- Develop federation document set: based on GGF documents plus eduroam™ policies

Next Phases
- Phase 1 – Add Authorization Schema: Phase 0 plus LDAP server
- Phase 2 – Add Virtual Organization Management System: Shibboleth, GGF – GridShib or other?, TF-EMC2; Phase 0 plus VOMS servers
- Phase 3 – Production hardening: implement our community's selected solution – or ?

ESnet RAF Experiment systems
[Diagram: LDAP User Account DB (phase 1+); Grid interconnect to TERENA; RAF radius appliance; eduroam™ Internet2 interconnect; possible eduroam™ backup route; Cisco Catalyst 4000 EAPOL test bed]
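The Phase 0 trust decision described above, as an added Go example that is not from these slides or from ESnet: the RADIUS side of EAP/TLS accepts a supplicant only if its Grid identity certificate chains to one of the loaded IGTF root certificates and carries the TLS client-auth key usage, so a certificate from a CA outside the anchor set is refused. All CA names, user names and keys are constructed in the program; the OCSP check the slides list as experimental is not modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue builds a minimal certificate for cn and signs it with parentKey; a nil parent yields a
// self-signed root. Only end-entity certs get the TLS client-auth EKU that EAP-TLS requires.
func issue(cn string, isCA bool, serial int64, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA}
	if !isCA {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	pub, key, err := ed25519.GenerateKey(rand.Reader) // constructed demo key, never persisted
	if err != nil { panic(err) }
	if parent == nil { parent, parentKey = tmpl, key } // self-sign: this cert is a trust anchor
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert, key
}

// VerifyEAPTLSClient is the RADIUS-side check: the supplicant certificate must chain to a loaded
// anchor and be valid for client authentication. It returns the verified Grid identity (the CN).
func VerifyEAPTLSClient(client *x509.Certificate, anchors *x509.CertPool) (string, error) {
	opts := x509.VerifyOptions{Roots: anchors, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := client.Verify(opts); err != nil { return "", err }
	return client.Subject.CommonName, nil
}

func main() {
	igtf, igtfKey := issue("Constructed IGTF-accredited CA", true, 1, nil, nil)
	rogue, rogueKey := issue("Constructed unaccredited CA", true, 2, nil, nil)
	anchors := x509.NewCertPool()
	anchors.AddCert(igtf) // Phase 0: only the IGTF root distribution is loaded as trust anchors
	user, _ := issue("Constructed Grid User", false, 3, igtf, igtfKey)
	other, _ := issue("Constructed Other User", false, 4, rogue, rogueKey)
	id, err := VerifyEAPTLSClient(user, anchors)
	_, rogueErr := VerifyEAPTLSClient(other, anchors)
	fmt.Println("IGTF-issued identity:", id, err, "| unaccredited CA rejected:", rogueErr != nil)
}
```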