Post on 19-Dec-2015
www.eu-eela.org
E-infrastructure shared between Europe and Latin America
Certification Authorities in LA and links with TAGPMA
Vanessa Hamar (ULA) / Jorge Gomes (LIP)
vanessa@ula.ve / jorge@lip.pt
First Latin American EELA Workshop, Mérida, 24.04.2006
Segundo Taller Latino Americano de Computación Grid – Primer Taller Latino Americano de EELA – Primer Tutorial Latino Americano de EELA 2
Pilot Testbed operation and support
EELA aims to establish a common interoperable Pilot Grid Testbed between existing resources in Latin America and Europe based on the EGEE middleware framework. The EELA Pilot Testbed supports dissemination activities and application exploitation.
EELA will start with a reduced set of sites that will be expanded as the project evolves. However, the range of users will include all partners and also new users not yet identified.
The grid authentication is the first major deployment issue.
Relationships with other projects
• EELA will work closely with several international projects:
– EGEE: use of EGEE middleware to set up a pilot e-infrastructure interoperable with EGEE. EELA will set up an LA ROC (Regional Operational Centre) following the EGEE model. The EELA European partners already operate grid infrastructures integrated into EGEE.
– Close collaboration with other projects: ALICE/GEANT, EUCHINAGRID, EUMEDGRID, SEE-GRID, …
• EELA must be interoperable with these projects!
Authentication
• Most grid infrastructures, including the ones based on EGEE/LCG middleware, use X.509 certificates for authentication.
• How does it work:
– Each user, system or service must have a certificate that is used for authentication purposes.
– In order to ensure the identity of each subject (user, system or service), the certificate must be signed by a trusted authority that asserts that the certificate belongs to the subject.
– These are the so-called certification authorities (CAs), which:
 accept certificate requests and verify the subject identity;
 sign the successfully verified certificate requests;
 revoke certificates when needed;
 issue lists of revoked certificates (CRLs).
– An X.509 authentication infrastructure is called a PKI (Public Key Infrastructure).
Authentication
• In the grid world one single CA usually covers a predefined geographic region or administrative domain:
– Large organization
– Country
– A set of countries (scalability can be an issue)
• A common international trust domain for grid computing has been created to join the several existing certification authorities into a single authentication domain and thus enabling sharing of grid resources worldwide.
• The International Grid Trust Federation (IGTF) has been created to coordinate and manage this trust domain.
IGTF
• The international scientific community is working to deploy computational Grids for the advancement of science and engineering.
• The promise of global computational Grids requires policies and procedures that reliably identify Grid subscribers and resources.
• A number of regional and large PKIs have established Policy Management Authorities to manage their individual certification process.
• The goal of the IGTF will be to foster harmonization and synchronization of these various PMAs policies to allow for a global trust relationship to be established.
• Three PMAs have been created covering 3 world regions:
– European Grid PMA (EUgridPMA)
– Asia Pacific Grid PMA (APgridPMA)
– The Americas Grid PMA (TAGPMA)
• The European Grid PMA was the first PMA to be established and was born from the DataGrid Certification Authorities Coordination Group (CACG) that was established by the DataGrid and CrossGrid projects.
IGTF
International Grid Trust Federation (Working to Establish Worldwide Trust for Grids) http://www.gridpma.org
(Slide map: member CAs grouped by PMA, as listed on the slide)
Europe (EUgridPMA) panel: LIP CA (Portugal), CERN CA (Switzerland), CNRS Grid (France), CyGrid (Cyprus), CESNET (Czech Republic), DutchGrid (Netherlands), GermanGrid (Germany), HellasGrid (Greece), GridIreland (Ireland), INFN CA (Italy), Belnet (Belgium), Grid-PK (Pakistan), SIGNET (Slovenia), EstonianGrid (Estonia), AustrianGrid (Austria), NIIF/HungarNet (Hungary), IHEP (China), BalticGrid (Europe), TR-Grid (Turkey), NorduGrid (Nordic countries), PolishGrid (Poland), Russian Datagrid (Russia), SlovakGrid (Slovakia), DataGrid-ES (Spain), UK e-Science (United Kingdom), BelnetGrid (Belgium), FNAL Grid (USA), GridCanada (Canada), DOEGrids (USA), ArmeSFo (Armenia), IUCC (Israel), ASCCG (Taiwan), SeeGrid (Europe), RMKI (Hungary), SWITCH (Switzerland), DFN (Germany), RDIG (Russia), PKIrisGrid (Spain)
Americas PMA panel: DOEGrids (USA), GridCanada (Canada), FNAL (USA)
Asia Pacific PMA panel: AIST (Japan), APAC (Australia), ASGCC (Taiwan), SDG (China), IHEP (China), KISTI (Korea), Naregi (Japan), BMG (Singapore), CMSD (India), HKU (Hong Kong), NCHC (Taiwan), Osaka U. (Japan), USM (Malaysia)
The list is always growing.
EUgridPMA
Is a body to establish requirements and best practices for grid identity providers to enable a common trust domain applicable to authentication of end-entities in inter-organisational access to distributed resources. As its main activity the EUGridPMA coordinates a Public Key Infrastructure (PKI) for use with Grid authentication middleware. The EUGridPMA itself does not provide identity assertions, but instead asserts that the certificates issued by the Accredited Authorities meet or exceed the relevant guidelines.
TAGPMA
• The Americas PMA (TAGPMA) is a regional PMA created to cover the Americas area from Canada to the tip of Chile.
• TAGPMA was created in 2005 and its membership and activities are just starting.
• The appearance of potential new CAs in LA supported by the EELA project has been welcomed by TAGPMA: they are providing the push needed to start the charter.
• This situation is also welcomed by the EUgridPMA, which already has too many members.
• Members of the TAGPMA which operate a classic PKI based Authentication service, must continue to operate the service under the Classic PKI Authentication Profile that is maintained by the EUGridPMA
• For more information see: http://www.tagpma.org/
Accreditation
• For new CAs to be accepted as an IGTF PMA member they have to pass through a rigorous and extensive accreditation process.
• The CA policies and operations must be extensively documented in a CP/CPS document.
• The CP/CPSs are reviewed by the PMA members.
• The CA online repositories are checked by the PMA.
• The CA managers must attend the PMA face-to-face meetings, present the CA and answer all questions from the other members, including other CA managers and relying parties.
• The CA must implement all required changes.
• This is an iterative process that aims to establish trust.
EELA Authentication
• Upon the start of EELA there were no Latin American CAs recognized by IGTF or any of its three PMAs.
• For EELA the deployment of a PKI in Latin America recognized by IGTF is fundamental for the deployment of the grid computing pilot testbed and for the project success.
• This PKI is a basic requirement for the successful dissemination and extension of the grid technologies into the LA countries.
• EELA is setting up a PKI authentication infrastructure:
– Compatible with EGEE, LCG, and other EGEE/LCG based projects
– Internationally accepted/recognized (IGTF)
– That can remain operational beyond the end of the project, as one of the project outcomes:
 allowing further future projects in LA and within each country;
 enabling LA scientific users to share and access resources at global level.
EELA and CAs
• The IGTF is a recent development.
• When the EELA Technical Annex was written the IGTF did not yet exist.
• The EELA strategy had to be adjusted:
– Short term (for the immediate needs): use the existing catchall CA from CNRS (France).
 This is a temporary solution; by the end of the year EELA needs a better working solution.
– Medium term:
 contact IGTF through EUgridPMA (where some of the project partners are CA representatives);
 ask for the help of the PMAs in the setup and accreditation of the CAs;
 establish new CAs in LA: one per country where possible, one catchall CA for the whole LA region, using the classic CA profile;
 obtain accreditation from the TAGPMA.
Classic Profile
• What is it:
– The CA signs and revokes certificates.
– These are long-term certificates (one year).
– The CA has subordinate RAs that just perform the administrative task of checking the subject identity in different organizations or departments.
– The other possible profile is the SLCS (Short Lived Credential Service), where short-lifetime certificates are issued based on other credentials such as Kerberos tickets, but this is not yet recognized at the IGTF level.
• Advantages:
– It is the best-known CA profile.
– A lot of know-how and solutions already exist.
– Most of the CAs operating today use the classic profile.
– It is the easiest to support across administrative domains.
– The profile requirements are stable and controlled by EUgridPMA.
Classic Profile
• A network of subordinated RAs is necessary to perform the identity verification of the subjects
• The RAs will be created at the level of the organizations or at the level of departments:
– Operating at university or research centre wide level (more difficult)
– Operating at the level of a department or group
– The CA can also operate an RA, but don't forget that the physical presence of the subject is required for identity verification
• The RAs will be created only upon request; their creation should be user driven.
(Slide diagram: one CA with subordinate RAs, one per institution, for Univ A to Univ G)
Classic profile
• How to obtain a certificate (the cycle shown on the slide):
1. A certificate request is performed.
2. The user identity is confirmed by the RA.
3. The certificate is issued by the CA.
4. The certificate is used as a key to access the grid.
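As an added example, not code from the EELA slides or from any EELA CA, the script below runs the cycle above (request, RA identity check, CA signature, use) and the CA duties listed on the Authentication slide (signing, revocation, CRL publication) against a throw-away classic-profile CA built with the openssl command line. The CA and user DNs, the file names, the namespace policy (C and O must match the CA's) and the RA "vetted identities" list are all constructed for the demo; in a real classic-profile CA the RA check is a face-to-face identity verification and the signing key lives on an offline signing station.

```shell
#!/bin/sh
# Added example (not from the EELA slides or any EELA CA): the classic-profile
# cycle request -> RA identity check -> CA signature -> use, plus revocation and
# CRL publication, run against a throw-away CA built with the openssl CLI.
# Every DN, path and the RA "vetted identities" list below is constructed.
set -eu

setup_ca() {  # fresh working dir, self-signed CA, empty CRL, RA records
  WORK=$(mktemp -d); CA="$WORK/ca"
  trap "rm -rf '$WORK'" EXIT
  mkdir -p "$CA/newcerts"
  : > "$CA/index.txt"; echo 01 > "$CA/serial"; echo 01 > "$CA/crlnumber"
  cat > "$CA/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $CA
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.pem
private_key = \$dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = namespace
[ namespace ]
countryName = match
organizationName = match
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ end_entity ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$CA/openssl.cnf" -extensions ca_ext -subj "/C=VE/O=ULA/CN=Demo Grid CA" \
    -keyout "$CA/ca.key" -out "$CA/ca.pem" 2>/dev/null
  publish_crl
  # constructed RA record: the one person this RA has identified face to face
  printf '%s\n' "/C=VE/O=ULA/CN=Alice Example" > "$CA/ra-vetted.txt"
}

publish_crl() {  # CA side: (re)issue the CRL; an empty CRL is still published so relying parties can check it
  openssl ca -config "$CA/openssl.cnf" -gencrl -out "$CA/crl.pem" 2>/dev/null
}

make_request() {  # user side: the private key never leaves the user, only the CSR goes to the RA
  printf '%s\n' "$1" > "$WORK/user.subj"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$CA/openssl.cnf" -subj "$1" \
    -keyout "$WORK/user.key" -out "$WORK/user.csr" 2>/dev/null
}

ra_approve() {  # RA side: the request goes on to the CA only if this person was identified in person
  if grep -Fxq -- "$(cat "$WORK/user.subj")" "$CA/ra-vetted.txt"; then echo approved; else echo rejected; fi
}

ca_sign() {  # CA side: sign the vetted request with the CA key (one-year validity, classic profile)
  openssl ca -batch -notext -config "$CA/openssl.cnf" -extensions end_entity \
    -in "$WORK/user.csr" -out "$WORK/user.pem" 2>/dev/null
}

revoke_cert() {  # CA side: mark the certificate revoked and publish a new CRL
  openssl ca -config "$CA/openssl.cnf" -revoke "$WORK/user.pem" 2>/dev/null
  publish_crl
}

check_cert() {  # relying-party side: chain to the trusted CA and refuse anything listed on its CRL
  if openssl verify -crl_check -CAfile "$CA/ca.pem" -CRLfile "$CA/crl.pem" \
       "$WORK/user.pem" >/dev/null 2>&1
  then echo valid; else echo rejected; fi
}

setup_ca
make_request "/C=VE/O=ULA/CN=Mallory"           # nobody at an RA has met this person
echo "Mallory's request: $(ra_approve)"          # rejected
make_request "/C=VE/O=ULA/CN=Alice Example"
echo "Alice's request: $(ra_approve)"            # approved
ca_sign
echo "Alice's certificate: $(check_cert)"        # valid
revoke_cert
echo "after revocation: $(check_cert)"           # rejected
```

The verify step is the relying party's job: a site that skips the CRL check would keep accepting Alice's certificate after revocation. In an EGEE installation the CA certificate and its CRL would be installed under the trust directory as <hash>.0 and <hash>.r0 and refreshed periodically rather than passed on the command line as done here.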
Why one CA per country
– Long term scalability: Latin America is a huge geographic area; many LA countries are quite large; the potential number of users and end entities is high.
– Long term sustainability: there is a cost associated with the operation of the CAs; a single large CA would raise the cost and funding issue; per-country CAs are easier to fund.
– Awareness of local details: better knowledge of the local law; better knowledge of the local academic environment.
– Better coordination and support: nearest to the end users; same language; better understanding of the needs and difficulties.
– Flexibility: easier to adapt to new local requirements.
– Robustness and security: if a CA fails, the implications will be limited to a single country.
NEEDED FOR LARGE DEPLOYMENT (this is the model recommended by EUgridPMA)
catchall CA
• A catchall CA is used to issue certificates to organizations in regions without a specific national CA when:
– The national CAs are still being deployed
– There are difficulties in setting up a national CA
• EELA is setting up a catchall CA for the Latin American region
• The CA will be operated by Universidade Federal Fluminense (UFF) in Brazil
Current CNRS RAs
• As a short term solution EELA is obtaining certificates for the LA partners from the French CNRS catchall CA
• Four RAs have been established:
– UFF (Universidade Federal Fluminense) Instituto de Computação (Vinod Rebello)
– UFRJ (Universidade Federal do Rio de Janeiro) Instituto de Física (Diego Carvalho)
– UNAM (Universidad Nacional Autonoma de Mexico) Instituto de Ciencias Nucleares (Lukas Nellen)
– ULA (Universidad de los Andes) Centro Nacional de Cálculo Científico (Vanessa Hamar)
• More will be established as necessary
• The use of the CNRS catchall CA is a temporary measure with reduced scalability.
EELA Candidate CAs
• Argentina – UNLP, Universidad Nacional de La Plata: Javier Diaz <jdiaz@unlp.edu.ar>
• Brazil – UFF, Universidade Federal Fluminense: Vinod Rebello <vinod@ic.uff.br>
• Chile – REUNA, Red Universitaria Nacional: Juan Carlos Martínez <jcmartin@reuna.cl>
• Peru – SENAMHI, Servicio Nacional de Meteorología e Hidrología del Perú: Richard Miguel <rmiguel@senamhi.gob.es>
• México – UNAM, Universidad Nacional Autónoma de México: Juan Carlos Guel <cguel@seguridad.unam.mx>
• Venezuela – ULA, Universidad de los Andes: Vanessa Hamar <vanessa@ula.ve>
EELA Candidate CAs
CA          Hosting organization   Status
Argentina   UNLP                   CP/CPS reviewed by TAGPMA, CA infrastructure being deployed
Brazil      UFF                    CP/CPS reviewed by TAGPMA, CA infrastructure being deployed
Catchall    UFF                    CP/CPS reviewed by TAGPMA, CA infrastructure being deployed
Chile       REUNA                  CP/CPS reviewed by TAGPMA, CA infrastructure being deployed
Mexico      UNAM                   CP/CPS reviewed by TAGPMA, CA infrastructure being deployed
Venezuela   ULA                    CP/CPS internal review by EELA
Peru        SENAMHI                Working on the CP/CPS
Status
• EELA has been presented for the first time at the EUgridPMA meeting held in Vienna (Austria) in January:
– The EELA project was very well received by both the EUgridPMA and TAGPMA members present at the meeting.
– The organization of the first TAGPMA face-to-face meeting was agreed to be held in Rio de Janeiro.
• The deployment work started in January with the focus on the operation procedures and certification practices.
• EELA members started to participate in TAGPMA videoconferences.
• EELA was officially accepted as a TAGPMA member representing a major relying party.
• In March the CP/CPSs of the CAs were submitted to the TAGPMA for review.
• In March the first TAGPMA face-to-face meeting was organized in Rio de Janeiro with the help of RNP:
– During the meeting the EELA CAs currently being deployed were presented and their CP/CPSs discussed.
– The CP/CPSs were considered of very good quality.
Status
• Most EELA CAs are now actually being deployed, which includes:
– Customization and deployment of the CA management software
– Setup of the required systems and services: CA repository, CA signing station
• Full TAGPMA accreditation should be obtained at the next face-to-face meeting, to be held in Canada
Authorization
• The possession of a certificate does not by itself give the right of access to any grid resource.
• The EELA grid authorization is based on the VO concept.
• VOs are basically groups of users that share common or similar interests and that wish to share the same resources.
• Instead of authorizing users individually, site access is allowed on a VO basis, enabling better scalability:
– The site manager does not need to add individual users
– The site manager authorizes entire VOs
– The site manager can refuse specific certificate subjects
• The management of a VO is a responsibility of the VO itself, which designates a VO manager for that purpose.
• The VO manager is responsible for allowing or denying access to the VO based on the VO policies.
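As an added example, not from the EELA slides or from any EGEE/LCG component, the script below makes the site-side decision the bullets above describe: a certificate alone grants nothing, the site authorizes VOs rather than individual users, and the site manager can still refuse a specific certificate subject. The record formats, DNs, VO names and local account pools are constructed; the VO membership list stands in for the VO manager's assertion (in EGEE that arrives as signed VOMS attributes in the user's proxy, which this demo does not parse).

```shell
#!/bin/sh
# Added example (not from the EELA slides or from any EGEE/LCG component): a site-side
# authorization decision following the slide's rules: a certificate alone grants
# nothing, access is granted per VO, and the site can still refuse individual subjects.
# The record formats, DNs, VO names and local account pools are constructed for the demo.
set -eu

# Site policy (constructed): VOs this site accepts and the local account pool each maps to.
VO_MAP='eela|eelapool
alice|alicepool'

# Site ban list (constructed): certificate subjects refused even though their VO is accepted.
BANNED='/C=VE/O=ULA/CN=Mallory'

# VO membership as asserted by the VO managers (constructed stand-in for the signed VOMS
# attributes an EGEE site would read from the user's proxy). Fields: subject DN | VO name.
VO_MEMBERS='/C=VE/O=ULA/CN=Alice Example|eela
/C=VE/O=ULA/CN=Mallory|eela
/C=BR/O=UFF/CN=Bob Example|biomed'

# authorize <subject DN>  ->  prints "allow <account pool>" or "deny <reason>"
authorize() {
  subject=$1
  # 1. The site's own refusal list wins over anything the VO says about the subject.
  if printf '%s\n' "$BANNED" | grep -Fxq -- "$subject"; then
    echo "deny banned-subject"; return 0
  fi
  # 2. Holding a certificate is not enough: the subject must be a member of some VO.
  vo=$(printf '%s\n' "$VO_MEMBERS" | awk -F'|' -v s="$subject" '$1 == s { print $2; exit }')
  if [ -z "$vo" ]; then
    echo "deny no-vo-membership"; return 0
  fi
  # 3. The site authorizes VOs, not people: an unknown VO is refused, a known one is mapped
  #    to its pool without the site manager ever having registered this particular user.
  pool=$(printf '%s\n' "$VO_MAP" | awk -F'|' -v v="$vo" '$1 == v { print $2; exit }')
  if [ -z "$pool" ]; then
    echo "deny vo-not-supported:$vo"; return 0
  fi
  echo "allow $pool"
}

authorize "/C=VE/O=ULA/CN=Alice Example"   # allow eelapool
authorize "/C=VE/O=ULA/CN=Mallory"         # deny banned-subject
authorize "/C=BR/O=UFF/CN=Bob Example"     # deny vo-not-supported:biomed
authorize "/C=VE/O=ULA/CN=Carol Example"   # deny no-vo-membership
```

The order of the three checks is the point: the ban list is consulted first so that a VO manager cannot override a site's refusal, and the VO mapping is consulted last so that adding a user to a VO never requires a change on the site.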
Future and conclusions
• An international federation for authentication in grid computing is already in operation worldwide
• The EELA efforts will enable the creation of Latin American certification authorities recognized worldwide
• We would like to identify other potential end entities and relying parties interested in the usage of certificates for grid computing in Latin America to:
– take further advantage of the authentication infrastructure being deployed
– join the EELA grid infrastructure