Authentication and Authorization in Grids

advertisement
Authentication, Authorization, & Identity
Issues in Grids
SURA Grid Workshop
Austin, TX
December 8, 2005
Jim Jokl
University of Virginia
SURA Cyberinfrastructure Workshop Series: Grid Technology: The Rough Guide
December 8 & 9, 2005, Austin, TX
Agenda
•
•
•
•
Quick Refresher on PKI
Globus & GSI
MyProxy & Grid portal integration
Overviews
– Shibboleth and GridShib
– Virtual Organizations (VO), VOMS, VOX, VOMRS
• Example: SURAgrid approach
– Cross-certification and PKI Bridges
– National PKI context
– Directory integration (VO approach)
• Campus infrastructure integration
SURA Cyberinfrastructure Workshop Series: Grid Technology: The Rough Guide
December 8 & 9, 2005, Austin, TX
Two Types of Cryptography
• Symmetric key cryptography
– A pre-shared secret is used to encrypt the data
– Some examples: DES, 3-DES, RC4, etc
• Public key cryptography
– A pair of mathematically related keys are
generated
• One of the keys, the Public Key, is freely distributed
• The other key, the Private Key, is kept confidential
– Given one of the keys, it is computationally very
hard to compute the other
SURA Cyberinfrastructure Workshop Series: Grid Technology: The Rough Guide
December 8 & 9, 2005, Austin, TX
Public Key Cryptography
– Data encrypted using the public key can
only be decrypted by the person with the
private key
Example: Bob sends secret data to Alice
1. Bob obtains a
copy of Alice’s
public key
2. Bob encrypts
the data using
the public key
and sends it
to Alice
1. Alice receives
the data
2. Alice decrypts
the data using
the private
key that only
she possesses
SURA Cyberinfrastructure Workshop Series: Grid Technology: The Rough Guide
December 8 & 9, 2005, Austin, TX
Public Key Cryptography
one key
Plain
Text
the other key
Encrypted
Text
– Likewise, data encrypted with the private key can be
decrypted by anyone having a copy of the public key
• Assuming that the private key is protected and held by an
individual, this is the basis for a digital signature
• If I encrypt data using my Private Key, anyone with my
published Public Key can decrypt it. Since they used my Public
Key to decrypt the data everyone knows that only I (with my
Private Key) could have encrypted the data.
SURA Cyberinfrastructure Workshop Series: Grid Technology: The Rough Guide
December 8 & 9, 2005, Austin, TX
Certification Authorities (CA) and
Registration Authorities (RA)
– Accept certificate requests from users (RA)
– Validate the user’s identity (RA)
– Generate and sign the user’s certificate attesting to
the mapping of the identity to the public key (CA)
– Revoke certificates if needed (RA/CA)
– Operate under a set of policies and practices at a
specific Level of Assurance (RA/CA)
– Operate directories and other databases
– The combination of the CA, RA, and associated
directories forms the Public Key Infrastructure
SURA Cyberinfrastructure Workshop Series: Grid Technology: The Rough Guide
December 8 & 9, 2005, Austin, TX
A Digital Certificate is:
– An object that binds a user’s
identity to their public key
– An object signed by a Certification
Authority (CA)
– An object containing some
attributes about the person who
owns the certificate
– An object containing some
information about the CA
• Useful for relying party to
understand campus identity policy
– Often published in a campus
directory if support for encryption
is anticipated
SURA Cyberinfrastructure Workshop Series: Grid Technology: The Rough Guide
December 8 & 9, 2005, Austin, TX
Certification Authorities and Trust
Root
Certificate
Intermediate
Certificate
User A
Cert
User C
Cert
Intermediate
Certificate
User B
Cert
User D
Cert
User E
Cert
• You determine if you
trust a certificate by
validating all of the
certificates starting
from the user’s cert
up to a root that you
trust
• 100+ root certificates
in my Microsoft store
• The “I” in PKI
SURA Cyberinfrastructure Workshop Series: Grid Technology: The Rough Guide
December 8 & 9, 2005, Austin, TX
Digital Certificates and Security
• Login id and password never flow over the
network
• Strong cryptography – what does flow over
the network is very safe
• Enables mutual authentication
• Defeats a variety of man in the middle
attacks
• No (practical) brute-force attacks
• Is often easier to use than login/password
SURA Cyberinfrastructure Workshop Series: Grid Technology: The Rough Guide
December 8 & 9, 2005, Austin, TX
Certificate Profiles
• A description of the fields in a certificate
– Recommended fields to use
– Field values
– Critical flags
– Recommendations for PKI architects on the
various trade-offs available as they select
their certificate profile
– Example Profile
SURA Cyberinfrastructure Workshop Series: Grid Technology: The Rough Guide
December 8 & 9, 2005, Austin, TX
Trust, Private Key Protection and
Non-Repudiation
• Digital signatures - based on the idea that
only the user has access their private key
• A user’s private key is generally protected
by the workstation’s operating system
– Typical protection is no better than for any
password that the user lets the operating
system store
• Hardware tokens can be used for strong
private key protection, mobility, and as a
component in a non-repudiation strategy
SURA Cyberinfrastructure Workshop Series: Grid Technology: The Rough Guide
December 8 & 9, 2005, Austin, TX
Grid Security Infrastructure (GSI)
• Basic Grid security needs
– Strong authentication
– Ability to encrypt data
– Cross-organizational security infrastructure
– Single sign-on
• Solution
– GSI is based on PKI and certificates are
used for authentication
– Uses mutual authentication and encryption
when needed
SURA Cyberinfrastructure Workshop Series: Grid Technology: The Rough Guide
December 8 & 9, 2005, Austin, TX
PKI Mutual Authentication
•
Client Authentication
1. Client connects to server and sends user’s certificate
2. Server uses its root key store to validate the user’s certificate
3. Server sends client some random data; client uses private key
to encrypt data; server decrypts data validating that client has
access to the private key
•
Server Authentication
1. Server replies sending its digital certificate to the client
2. Client validates the server’s certificate using its trusted root
store
3. Client sends some random data to the server; server encrypts
the data using its private key; client decrypts data validating that
server has access to the private key
•
Globus uses SSL/TLS to accomplish mutual
authentication
SURA Cyberinfrastructure Workshop Series: Grid Technology: The Rough Guide
December 8 & 9, 2005, Austin, TX
Globus Proxy Certificates
GridCA Root
Certificate
GridCA
Intermediate
Certificate
User Certificate
Proxy1
Proxy 2
Proxy 3
• Proxy certificates are signed
by the user’s end entity
certificate
• A new key pair is used
• Short lived proxy credential
• Usable as if it were a normal
certificate within the globus
infrastructure
• Not a security risk for other
campus uses of PKI
– Basic Constraints field
• grid-proxy-init
SURA Cyberinfrastructure Workshop Series: Grid Technology: The Rough Guide
December 8 & 9, 2005, Austin, TX
Globus Toolkit Authentication
and Authorization Configuration
• Basic PKI authentication configuration
– /etc/grid-security/certificates
– Populate with trusted CA certificates and
policy files
– Example:
• 860e3429.0 -> UVa-root-skp.crt
• 860e3429.signing_policy
• UVa-root-skp.crt
– OpenSSL can generate the certificate hashes
• openssl x509 -hash -in UVa-root-skp.crt –noout
SURA Cyberinfrastructure Workshop Series: Grid Technology: The Rough Guide
December 8 & 9, 2005, Austin, TX
Globus Toolkit Authentication
and Authorization Configuration
• Basic Globus authorization configuration
– Simple file-based authorization is a basic GSI
service
– A mapping file is used to map Unix user names to
certificate DNs
– /etc/grid-security/grid-mapfile
• "/C=US/O=University of Virginia/OU=UVA Standard PKI
User/emailAddress=jaj@Virginia.EDU/CN=James A. Jokl 52" jaj
– An LDAP call-out can be used instead of the
simple Grid Mapfile
– Newer versions of Globus add more authorization
capability
SURA Cyberinfrastructure Workshop Series: Grid Technology: The Rough Guide
December 8 & 9, 2005, Austin, TX
Testing Globus Authentication
Configuration using OpenSSL
User’s
Computer
SSL with
PKI Authentication
Globus
Gatekeeper
Computer
Cluster
Job
Queues
• Testing the gatekeeper PKI configuration
• Remember: Globus uses SSL with PKI authentication
• openssl s_client -ssl3 -no_tls1 -connect gate.target.edu:2119 \
-cert .globus/usercert.pem -key .globus/userkey.pem \
-CApath /etc/grid-security/certificates
SURA Cyberinfrastructure Workshop Series: Grid Technology: The Rough Guide
December 8 & 9, 2005, Austin, TX
MyProxy Service
• A service for retrieving proxy credentials
– Commonly used in Grid Portal environments
• A server service for storing and protecting
user’s private keys
– Keys are stored on a secure server
– Keys are encrypted using the user’s password
• User password is not stored on the server
• Provides some protection against server
compromise
SURA Cyberinfrastructure Workshop Series: Grid Technology: The Rough Guide
December 8 & 9, 2005, Austin, TX
Some Basic MyProxy Protocol Functions
• PUT – place a credential on the MyProxy Server
– Server generates a key pair and certificate request
– Client, which has access to the user’s private key, signs
the request creating a proxy certificate
• GET – obtain a proxy certificate from the server
– Client generates a key pair and certificate request
– Server signs the request using the stored credential and
sends the proxy credentials to the client
• INFO – list the available credentials on the server
• DESTROY – remove credentials on the server
SURA Cyberinfrastructure Workshop Series: Grid Technology: The Rough Guide
December 8 & 9, 2005, Austin, TX
MyProxy in a Grid
Portal Environment
• User initializes
credentials in
MyProxy Server
• User logs into portal
• Portal retrieves proxy
credentials
• User interacts with
portal
• Jobs are submitted
via gatekeeper
MyProxy
Server
Grid Portal
Server
Globus
Gatekeeper
User
Web
Login
SURA Cyberinfrastructure Workshop Series: Grid Technology: The Rough Guide
Cluster
Job
Queue
December 8 & 9, 2005, Austin, TX
MyProxy Basic Authorization
• Internal and configurations options for:
– Who can store credentials on server
– Ensures that only the owner can delete,
over-write, or change credential password
– Which clients are able to obtain delegated
credentials from the server
– Protection for access to stored credentials
– Lifetime for stored credentials
SURA Cyberinfrastructure Workshop Series: Grid Technology: The Rough Guide
December 8 & 9, 2005, Austin, TX
MyProxy Commands
•
•
•
•
•
myproxy-init: store proxy
myproxy-logon: retrieve proxy
myproxy-info: query stored credentials
myproxy-destroy: remove credential
myproxy-change-pass-phrase:
change password encrypting private key
• myproxy-store: store credential
• myproxy-retrieve: retrieve credential
SURA Cyberinfrastructure Workshop Series: Grid Technology: The Rough Guide
December 8 & 9, 2005, Austin, TX
Shibboleth
• Project of Internet2 and
NSF Middeware Initiative
User
– Focus: intercampus
authentication and
authorization
– Federated identity
1
3
• Fundamental design goals
User’s
Shibboleth
ORIGIN
Site
– Privacy protection
– Strong technology
• PKI cryptography
• Signed SAML assertions
5
6
8
2
Shibboleth
Protected
Web Site
(TARGET)
4
7
Local AuthN
– Use local campus
authentication for
intercampus applications
Directory
– Support directory based
authorization via AA (6-8)
• eduPerson schema
WAYF
9
SURA Cyberinfrastructure Workshop Series: Grid Technology: The Rough Guide
Schematic of
Shibboleth
Process Flow
December 8 & 9, 2005, Austin, TX
Shibboleth and GridShib
• Focus: leverage the attribute work done
in the Shibboleth community for Grid
authorization in Globus
• Shibboleth architecture includes the
Attribute Authority (AA) and signed
SAML assertions
• Campus directories are being upgraded
to support standardized schema such as
eduPerson
SURA Cyberinfrastructure Workshop Series: Grid Technology: The Rough Guide
December 8 & 9, 2005, Austin, TX
Shibboleth and GridShib
• GridShib Globus plugin (GT4)
– Makes authorization decisions based on data from
a Shibboleth AA
• GridShib Shibboleth plugin
– A name mapping plugin that maps certificate
Subject DNs to local Principal Name
• Uses an equivalent to a grid-mapfile
– With the local principal name, attributes can be
obtained from the Shibboleth AA
• WAYF-type functionality is preconfigured
• Beta Gridshib software is available now
SURA Cyberinfrastructure Workshop Series: Grid Technology: The Rough Guide
December 8 & 9, 2005, Austin, TX
Virtual Organizations (VO)
• Grids are frequently built to support interinstitutional research projects
– Not all users at each institution should be able to
access Grid resources
– Grid security is important and inter-institutional Grids
still need strong user authentication
– Like the researchers, resources are likely to be
placed on the Grid by multiple organizations
• A description of a Grid Virtual Organization
– The collection of researchers and the resources that
they are enabled to access can be thought of as a
VO
SURA Cyberinfrastructure Workshop Series: Grid Technology: The Rough Guide
December 8 & 9, 2005, Austin, TX
Virtual Organization Tasks
• Policies
– Who can join the organization
– How are resources allocated e.g., what
agreements are needed between resource
owners, resource consumers, and the VO
• Implementation
– Inter-institutional authentication
– Authorization: all users in a Grid may not all
have the same roles. Group-based
authorization may be needed
SURA Cyberinfrastructure Workshop Series: Grid Technology: The Rough Guide
December 8 & 9, 2005, Austin, TX
Some Virtual Organization Tools
• VOMS – VO Membership Service
– Holds VO authorization information such as a user’s
groups and certificate information
– When a user submits a job, VOMS generates an
extended proxy with a short lifetime
• VOX – VOMS eXtended
– Holds additional information on each VO member to
support authorization decisions by resources
• VOMRS – VOMS Registration Service
– A central registry of users for the VO
– Holds status, roles, certificate, rights, etc
– Approval process for database entries
SURA Cyberinfrastructure Workshop Series: Grid Technology: The Rough Guide
December 8 & 9, 2005, Austin, TX
Some VOMRS Data Elements
• Roles
– Visitor, Candidate, Applicant, Member
• Status
– New, Approved, Denied, Suspended
• Authorization Status
– New, Approved, Denied
• Rights
– Full, none
SURA Cyberinfrastructure Workshop Series: Grid Technology: The Rough Guide
December 8 & 9, 2005, Austin, TX
Example: SURAgrid Approach
for Authentication and Authorization
• Goal
– Develop a scalable inter-campus solution
• Preferred mechanisms
– Leverage campus middleware activities
• Researchers should not need to operate their
own authentication systems
• Use local campus credentials inter-institutionally
– Rely on existing higher education interinstitutional authentication efforts
SURA Cyberinfrastructure Workshop Series: Grid Technology: The Rough Guide
December 8 & 9, 2005, Austin, TX
Inter-campus Globus Authentication
• Leverage native campus PKI credentials on SURAgrid
– Users do all of their work using local campus PKI credentials
• How do we create the inter-campus trust fabric?
– Standard inter-campus PKI trust mechanisms include
• Operating a single Grid CA or trusting other campus CAs
• Cross-certification and Bridge PKIs
• How well does Globus operate in a bridged PKI?
– OpenSSL PKI in Globus is not bridge-aware
– Known to work from NMI Testbed project
• Decision: work with intercampus trust based on a PKI
Bridge
– Leverage EDUCAUSE Higher Education Bridge CA (HEBCA)
when ready
SURA Cyberinfrastructure Workshop Series: Grid Technology: The Rough Guide
December 8 & 9, 2005, Austin, TX
Background: Cross-certification
• Top section
– Traditional hierarchical
validation example
• Bottom section
– Validation using cross
certification example
– UVA signed a certificate
request from the UAB CA
– UAB signed a certificate
request from the UVA CA
– This pair of cross
certificates enables each
school to trust certs from
the other using only their
own root as a trust anchor
– An n2 problem
I: UAB
S: UAB
I: UVA
S: UVA
I: UAB
S: User-2
I: UVA
S: User-1
I: UAB
S: UAB
I: UAB
S: UVA
I: UVA
S: User-1
SURA Cyberinfrastructure Workshop Series: Grid Technology: The Rough Guide
I: UVA
S: UVA
Cross
Certs
I: UVA
S: UAB
I: UAB
S: User-2
December 8 & 9, 2005, Austin, TX
Background: Bridged PKI
Bridge
CA
Cross-certificate
pairs
Campus A
Mid-A
User
A1
Campus B
Mid-B
User
B1
User
A2
User
B1
Campus
n
• Used to enable trust
between multiple
hierarchical CAs
• Generally more
infrastructure than just
the cross-certificate pairs
• Typically involves strong
policy & practices
• Solves the n2 problem
• For SURAgrid we
preload cross-certs
SURA Cyberinfrastructure Workshop Series: Grid Technology: The Rough Guide
December 8 & 9, 2005, Austin, TX
SURAgrid Authentication Schematic
SURAgrid
Bridge CA
F’s PKI
Campus F
Grid
E’s PKI
Campus E
Grid
Cross-cert pairs
D’s PKI
A’s PKI
Campus A
Grid
B’s PKI
Campus B
Grid
C’s PKI
Campus D
Grid
Campus C
Grid
SURA Cyberinfrastructure Workshop Series: Grid Technology: The Rough Guide
December 8 & 9, 2005, Austin, TX
SURAgrid Authentication Status
• SURAgrid Bridge CA
– Off-line system
– Used Linux and OpenSSL to
build bridge
• Cross-certifications with the
bridge complete or in
progress for 8 SURAgrid
sites
• Several more planned in
near future
• SURAgrid Bridge Web Site
• Interesting PKI issues
discussed in paper
SURA Cyberinfrastructure Workshop Series: Grid Technology: The Rough Guide
December 8 & 9, 2005, Austin, TX
Higher Education Bridge Certification
Authority (HEBCA)
• A project of EDUCAUSE
– Implement a bridge for higher education
based on the Federal PKI bridge model
– Support both campus PKIs and sector
hierarchical PKIs
– Cross-certify with the Federal bridge
(and others as appropriate)
• Should form an excellent permanent
trust fabric for a bridge-based Grid
SURA Cyberinfrastructure Workshop Series: Grid Technology: The Rough Guide
December 8 & 9, 2005, Austin, TX
Model SURAgrid Authentication
HEBCA
F’s PKI
Campus F
Grid
E’s PKI
Campus E
Grid
Cross-cert pairs
D’s PKI
A’s PKI
Campus A
Grid
B’s PKI
Campus B
Grid
C’s PKI
Campus D
Grid
Campus C
Grid
SURA Cyberinfrastructure Workshop Series: Grid Technology: The Rough Guide
December 8 & 9, 2005, Austin, TX
Bridge to Bridge Context
• A federal view on how the
FBCA
inter-bridge environment is
likely to develop
• FBCA – Federal Bridge
SAFE
• SAFE – Pharmaceutical
HEBCA
• HEBCA – Higher Ed
• Commercial - aerospace Commercial
and defense
Others
• Grid extensible across PKI
bridges?
SURA Cyberinfrastructure Workshop Series: Grid Technology: The Rough Guide
December 8 & 9, 2005, Austin, TX
SURAgrid AuthN/AuthZ Status
• Bridge CA and cross-certification process
– Forms the basic AuthN infrastructure
– Builds a trust fabric that enables each site to trust the
certificates issued by the other sites
• The grid-mapfile
– Controls the basic (binary) AuthZ process
– Sites add certificate Subject DNs from remote sites to
their grid-mapfile based on email from SURAgrid sites
SURA Cyberinfrastructure Workshop Series: Grid Technology: The Rough Guide
December 8 & 9, 2005, Austin, TX
SURAgrid AuthZ Development
• Grid-mapfile automation
– Sites that use a recent version of Globus will
use a LDAP callout that replaces the gridmapfile
– For other sites there will be some software that
provides and updates a grid-mapfile for their
gatekeeper
SURA Cyberinfrastructure Workshop Series: Grid Technology: The Rough Guide
December 8 & 9, 2005, Austin, TX
SURAgrid AuthZ Development
• LDAP AuthZ Directory
– Web interface for site administrators to add and
remove their SURAgrid users
– Fully distributed model where each site maintains its
central VO membership data
– Directory holds and coordinates
•
•
•
•
•
•
Certificate Subject DN
Unix login name (prefixed by school initials)
Allocated Unix UID (high numbers)
Some Unix GIDs? (high numbers)
Perhaps SSH public key, perhaps gsissh only
Other (tbd)
– Reliability
• Replication to sites that want local copies
SURA Cyberinfrastructure Workshop Series: Grid Technology: The Rough Guide
December 8 & 9, 2005, Austin, TX
SURAgrid AuthZ Development
• Sites contributing non-dedicated
resources to SURAgrid greatly
complicate the equation
• We will provide a code template for
editing grid-mapfiles to manage
SURAgrid users
• Publish our LDAP schema
– Sites may query LDAP to implement their
own SURAgrid AuthZ/AuthN interface
SURA Cyberinfrastructure Workshop Series: Grid Technology: The Rough Guide
December 8 & 9, 2005, Austin, TX
Likely SURAgrid AuthZ Directions
– User directory or directory access
•
•
•
•
•
•
Group management
Person attributes
VO names
Store per-person, per-group allocations
Integrate with accounting
Local and remote stop-lists
– Resource directory
• Hold resource usage policies
• Time of day, classifications, etc
– Mapping users to resources within resource policy
constraints
– We’ll learn a lot more about what is actually required as
we work with the early user groups
SURA Cyberinfrastructure Workshop Series: Grid Technology: The Rough Guide
December 8 & 9, 2005, Austin, TX
Campus Grid AuthN Decisions
General Higher Education Context
• How a campus chooses to implement
their Grid authentication may be
influenced by other higher education
middleware efforts
• Highlights from some other projects
follow
SURA Cyberinfrastructure Workshop Series: Grid Technology: The Rough Guide
December 8 & 9, 2005, Austin, TX
PKI and USHER/HEBCA
• (How) do all of these PKI pieces fit
together?
– USHER – US Higher Education Root CA
– HEBCA – Higher Education Bridge CA
– Campus Certification Authorities
– EDUCAUSE contract for outsourced
certificates
• What should a campus be doing?
SURA Cyberinfrastructure Workshop Series: Grid Technology: The Rough Guide
December 8 & 9, 2005, Austin, TX
Fundamental Campus PKI
Decision: Build or Buy
• Building your own PKI
– Certification Authority (CA)
• Developing or installing CA software (e.g., simpleCA, etc)
• Operating it in a secure environment
– Implementing the Registration Authority (RA) function
• Identity proofing of individuals
• Handling requests for revocation, etc.
– Some considerations
• Early investment in staff time, likely lower per-certificate costs
for large deployments in the long run
• Users can have as many certificates as they need
– Software examples at:
http://middleware.internet2.edu/hepkitag/opensrc.html
SURA Cyberinfrastructure Workshop Series: Grid Technology: The Rough Guide
December 8 & 9, 2005, Austin, TX
Fundamental Campus PKI
Decision: Build or Buy
• Buying PKI services
– Certification Authority (CA)
• Provided by the outsource company
• Operated remotely in a secure environment
– Implementing the Registration Authority (RA) function
• Identity proofing of individuals
• Handling requests for revocation, etc.
– Some considerations
• Quick start-up
• Annual costs bounded by the number of certificates issued
• Root certificate likely already trusted by your browsers and
installed in your operating systems
• May limit the number of certificates that each user can have
– Example: http://www.educause.edu/imsp
SURA Cyberinfrastructure Workshop Series: Grid Technology: The Rough Guide
December 8 & 9, 2005, Austin, TX
Your Campus May Have
non-Globus needs for a Central PKI
• The build vs. buy decision may be influenced by
your PKI applications
– Electronic mail (S/MIME)
– VPN (IPSec), Wireless (EAP-TLS), & SSH
authentication
– Web authentication
– LionShare
– Digital signatures on documents
• Applications with large numbers of users may tip
the balance towards the “build” option
– Note that certificate management (getting the same
certificate/key on multiple computers) can be hard for
users
SURA Cyberinfrastructure Workshop Series: Grid Technology: The Rough Guide
December 8 & 9, 2005, Austin, TX
Inter-organizational Trust
Cross-certificate
pairs
Campus A
Mid-A
User
Campus B
Mid-B
User
User
USHER CA
HEBCA
Bridge
User
Campus
n
Campus
CA
Campus
CA
User
Campus
CA
User
User
SURA Cyberinfrastructure Workshop Series: Grid Technology: The Rough Guide
Campus
CA
Campus
CA
User
December 8 & 9, 2005, Austin, TX
A Higher-level View of
Inter-organizational Trust
FBCA
Campus CA
Educause
Verisign CA
Campus
Users
Campus CA
SAFE
HEBCA
Commercial
Others
Campus CA
Campus
Users
USHER CA
Campus
Users
Campus CA
Campus CA
Campus CA
SURA Cyberinfrastructure Workshop Series: Grid Technology: The Rough Guide
December 8 & 9, 2005, Austin, TX
• Thank You
• Questions, Discussion?
SURA Cyberinfrastructure Workshop Series: Grid Technology: The Rough Guide
December 8 & 9, 2005, Austin, TX
Some References
•
•
•
•
•
•
•
•
PKI-Lite middleware.internet2.edu/hepki-tag
HEPKI Model Certification Policy
Software CA packages
HEBCA – www.educause.edu/hebca
USHER – www.usherca.org (soon)
VOMS
GridShib - gridshib.globus.org
MyProxy - myproxy.ncsa.uiuc.edu
SURA Cyberinfrastructure Workshop Series: Grid Technology: The Rough Guide
December 8 & 9, 2005, Austin, TX
Download