Enabling Grids for E-sciencE - II
Shibboleth Interoperability - Short-Lived Credential Service (SLCS)
Valéry Tschopp, SWITCH
JRA1 All Hands Meeting, Abingdon, 9 Nov 2006
www.eu-egee.org INFSO-RI-031688
Presentation Outline
• Introduction
  – Shibboleth
  – Short-Lived Credential Service
• General Architecture
• SLCS Client
• SLCS Server
• Deployment
• Questions & Answers
EGEE-II JRA1 All Hands Meeting – November 2006 INFSO-RI-031688
Shibboleth
• Authentication and Authorization Infrastructure (AAI)
• Developed by Internet2
• Single Sign On (SSO)
  – When a user accesses a resource:
    · the Identity Provider authenticates the user (independently of the resource)
    · the Service Provider (resource) authorizes the access based on the user’s attributes received from the Identity Provider
• SAML: Security Assertion Markup Language
  – OASIS Standard
See http://www.switch.ch/aai/demo
Shibboleth (diagram)
Short-Lived Credential Service
• IGTF Profile, EUGridPMA, TAGPMA, …
• ‘Real’ personal X.509 certificate
• SLCS requirements

                          SLCS Certificate                          Traditional User Cert
  Issuance                Automated generation based on the         ‘Traditional’ RA operations
                          user management system                    (copy of passport, …)
  Lifetime                < 1 mio seconds                           < 1 year + 1 month
  Revocation list (CRL)   optional                                  mandatory

• Leverage your existing user management infrastructure
General Architecture (diagram)
SLCS Client
• The user is authenticated by his Identity Provider
• The private key and the certificate signing request (CSR) are generated locally; only the CSR is sent to the SLCS server
• The SLCS server verifies and signs the CSR, then issues a short-lived X.509 certificate
• The private key and the X.509 certificate are stored locally in $HOME/.globus
SLCS Client Example

    tschopp@venus$ slcs-init -v --idp switch.ch
    Config: slcs-init.xml
    IdentityProvider: switch.ch
    Username: tschopp
    Shibboleth Password: ***********
    Key Password:
    Key password is empty, using Shibboleth password.
    Shibboleth login...
    SLCS login request...
    Generate private key (1024 bits)...
    Generate certificate request...
    SLCS certificate request...
    Store private key [/home/tschopp/.globus/userkey.pem]...
    Store SLCS certificate [/home/tschopp/.globus/usercert.pem]...
    Done.
    tschopp@venus$
SLCS Server
• Interfaces based on standards
  – HTTPS and XML between the user and the SLCS server
  – PKIX-CMC (RFC 2797) between the SLCS server and the Online CA
• Access authorization to the SLCS is based on the user’s attributes
• The certificate subject is built from the user’s attributes
  – Given Name: Valéry
  – Surname: Tschopp
  – Home Organization: switch.ch
  – Subject: DC=CH, DC=SWITCH, DC=SLCS, O=SWITCH - Research and Education Network, CN=Valery Tschopp 9FEE5EE3
• After verification against the policies, the certificate is issued by an Online CA
• Audit logs are stored on the SLCS server
• Pluggable components
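The client/server exchange of the SLCS Client and SLCS Server slides, as an added Go example (not code from the SLCS project): the user's key and CSR are generated locally and only the CSR travels, the server checks proof of possession, enforces the "lifetime < 1 mio seconds" rule and builds the subject from IdP attributes rather than from the CSR, and a relying party verifies the chain to the online CA. The attribute field names, the throwaway self-signed online CA (the PKIX-CMC hop is collapsed into a direct signature) and the omission of the DC= components and the CN hex suffix are this example's assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type UserAttrs struct{ GivenName, Surname, HomeOrg string } // IdP attributes (constructed field names)
const MaxSLCSLifetime = 1_000_000 * time.Second // SLCS profile rule from the slides: lifetime < 1 mio seconds

// IssueSLCS is the server side: proof of possession, lifetime policy, then a subject built only from IdP
// attributes (whatever subject the CSR carries is ignored), signed with the online CA key.
func IssueSLCS(csrDER []byte, u UserAttrs, ca *x509.Certificate, caKey *ecdsa.PrivateKey, lifetime time.Duration) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err == nil {
		err = csr.CheckSignature() // proof of possession: the requester holds the private key matching the CSR
	}
	if err != nil || lifetime >= MaxSLCSLifetime {
		return nil, fmt.Errorf("CSR rejected: err=%v, lifetime=%v (limit %v)", err, lifetime, MaxSLCSLifetime)
	}
	// CN = "<given name> <surname>" from the IdP attributes; the slide's hex suffix and the
	// Valéry -> Valery transliteration are left out of this example.
	cn := fmt.Sprintf("%s %s", u.GivenName, u.Surname)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	now := time.Now()
	tmpl := &x509.Certificate{SerialNumber: serial, NotBefore: now, NotAfter: now.Add(lifetime), KeyUsage: x509.KeyUsageDigitalSignature,
		Subject: pkix.Name{Organization: []string{u.HomeOrg}, CommonName: cn}} // the slide's DC= components are omitted
	return x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
}

// Demo runs the exchange offline against a throwaway self-signed online CA (constructed, not the SWITCH CA):
// the client keeps its key and sends only the CSR; the caller gets the issued CN, its validity and the chain check.
func Demo(u UserAttrs, lifetime time.Duration) (string, time.Duration, error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Online CA"}, NotBefore: time.Now(),
		NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	ca, _ := x509.ParseCertificate(caDER)
	userKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // client side: the key stays on the user's machine
	csrDER, _ := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{}, userKey)
	der, err := IssueSLCS(csrDER, u, ca, caKey, lifetime)
	if err != nil {
		return "", 0, err
	}
	cert, _ := x509.ParseCertificate(der) // DER just produced by CreateCertificate
	return cert.Subject.CommonName, cert.NotAfter.Sub(cert.NotBefore), cert.CheckSignatureFrom(ca)
}
```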
SLCS Server (diagram)
Deployment
• Certification of SLCS (server and online CA) by the EUGridPMA is ongoing
Q&A
Questions?