Proposal for eduroam enabling Grid community

advertisement
ESnet RAF and
eduroam™
Tony J. Genovese
ATF Team
ESnet/Lawrence Berkeley National
Laboratory
ATF Overview


Authentication services for DOE Office of Science projects,
including international collaborations, computational Grids,
ESnet community, and ESnet internal
Primarily focused on the Office of Science community



Facilitating several trust federations to enable interoperable
science Grids – Policy Management Authorities



ATF’s principle service is a set of certificate authorities (CAs)
Policy is driven completely by the needs of the science community
the IGTF - International Grid Trust Federation
the Americas “regional” policy management authority – TAGPMA
ATF also pilots new technology, new policy systems, and
develops project proposals in collaboration with other partners
Authentication and Trust Federation
Team

3 FTEs plus heavy support from ESnet UNIX services


Roles








Plus additional support from network engineering, services, and
windows support
CA Operator
Developer
Federation Liaison
Product Manager (community outreach)
Specialized system administration
PMA chairman / member
Contributor to community best practices/standards efforts
All team members have cross trained to insure continuity.
PKI Certificate Authorities
Overview
ESnet Root CA
only signs
subordinate CAs
ESnet Root CA
NERSC
Site – NIM
Integration
ESnet
SSL/TLS
DOEGrids
Future
Co-hosting
FUSION
(Credential
Store)
OCSP
Service
ESnet subordinate Certificate Authorities and Services
PKI Security Environment
Offline Vaulted Root CA
PKI Systems
Hardware Security
HSM
Modules
Grid User
Firewall
Secure VLAN
Internet
Access controlled racks
Secure Data Center
Building Security
LBNL Site security
Intrusion Detection
7500
7250
7000
6750
6500
6250
6000
5750
5500
5250
5000
4750
4500
4250
4000
3750
3500
3250
3000
2750
2500
2250
2000
1750
1500
1250
1000
750
500
250
0
User Certificates
Service Certificates
Expired(+revoked)
Certificates
Total Certificates Issued
Total Cert Requests
Ja
Fe n-0
b 3
M -0
a 3
A r- 0
p 3
M r- 0
ay 3
Ju -03
n
Ju -0 3
A l-0
u 3
S g- 0
ep 3
O -0
c 3
N t- 0
o 3
D v-0
ec 3
Ja -0 3
Fe n-0
4
M b- 0
ar 4
A - 04
p
M r- 0
ay 4
Ju -04
n
Ju -0 4
A l-0
u 4
S g- 0
e 4
O p- 0
c 4
N t- 04
ov
D -0
ec 4
Ja -0
4
Fe n-0
b 5
M -0
ar 5
A - 05
M pr- 0
ay 5
Ju -05
n
Ju -0 5
l-0
5
No.of certificates or requests
DOEGrids CA Usage Statistics
Production service began in June 2003
User Certificates
1999 Total No. of Certificates
5479
Host & Service Certificates
3461 Total No. of Requests
7006
ESnet SSL Server CA Certificates
38
DOEGrids CA 2 CA Certificates (NERSC)
15
Fusion GRID CA certificates
* Report as of Jun 15, 2005
76
RAF, eduroam™ and Internet2
Secure ID
interconnects
PPNL
ANL
NERSC
ORNL
Aladdin
Smart Card
Grid realms
ESnet RAF
ESnet
LBNL
eduroam™
DOEGrids
MyProxy
TERENA
NL
eduroam™
Crypto Card
Interconnecting with eduroam™ at UTK
Interconnect Grid Realms at TERENA
ESnet possible secondary route for eduroam™
eduroam™
Internet2
UTK
eduroam
US
Internet2
Grid eduroam™ Experiment

Phase 0

Use Infoblox loaded with IGTF root certificates






EAP/TLS Strong Authentication based on Grid Identity Certs
eduroam™ Authorization attributes – eduroam™ defines
TACAR or EUGridPMA repository as trust anchor
IGTF OCSP experimental service – GGF defining the service
Interconnect to eduroam™ at UTK
Grid top level interconnect


TERENA - Root
ESnet


User experience local site dependency



Grid PMAs: EU Grid PMA, AP Grid PMA and TAGPMA
eduroam™ defines
Each site controls how they expose or provide a service to the
community.
Develop Federation document set

Based on GGF documents Plus eduroam™ policies
Next Phases

Phase 1



Add Authorization Schema
Phase 0 plus LDAP server
Phase 2

Add Virtual Organization Management System





Shibboleth
GGF – GridShib or other?
TF-EMC2
Phase 0 plus VOMS servers
Phase 3 – production hardening

Implement our community’s selected solution – or ?
ESnet RAF Experiment systems
Possible eduroam™ backup route
LDAP User Account DB phase 1+
Grid Interconnect TERENA
RAF radius appliance
eduroam™ Internet2 Interconnect
Cisco Catalyst 4000
EAPOL test bed
Download