Leveraging Campus Authentication for Grid Scalability Jim Jokl Marty Humphrey University of Virginia Internet2 Meeting April 2004




Leveraging Campus Authentication for Grid Scalability

Jim Jokl, Marty Humphrey
University of Virginia

Internet2 Meeting, April 2004

University of Virginia 2

NMI Testbed Activity

Early project focus
  Testing various NMI components
  Integrating them with campus infrastructure
Next phase: more inter-campus activities
  Focus on Globus
  However, results can be generally applicable
How do we facilitate sharing of data and compute resources between campuses?
  Scalability and complexity issues for the Grid
  Security, researcher support, sharing equity issues
Our focus: authentication and inter-campus trust
  Hence inter-campus aspects of Globus PKI


Background: Public Key Infrastructure (PKI)

A PKI uses asymmetric cryptography
  A pair of mathematically related keys
  The Public Key is published widely; the Private Key is kept secret
An X.509 Certificate is:
  An object signed by a Certification Authority (CA)
  A binding of a user's identity to their public key
  An object containing attributes about the individual and the issuing Certification Authority
Critical issues
  How do you trust the credential binding?
  How can other institutions trust it?
  How would trust scale in a large Grid or Grids?


Background: Trust in a Hierarchical PKI

Trust is based on trusting the "root" certificate
User cert trust via validating the cert chain to a trusted root
Some issues:
  "root" compromise
  A CA per Grid vs. a CA per school vs. ?
  Researcher support
  Integrating existing campus credentials

[Figure: hierarchical PKI diagram. Labels: Root Certificate; two Intermediate Certificates; User A, B, C, D and E Certs.]


Background: Trust in a Bridge PKI

Enables trust between multiple hierarchical CAs
No need to reconstitute the whole PKI if a CA is compromised
Generally uses more infrastructure than just the cross-certificate pairs
Can enable trust between existing PKIs
Preserves technical and political separation
Logical choice for multi-campus / multi-grid systems
  Enables researchers to use home campus credentials

[Figure: bridge PKI diagram. Hierarchies Root A (Mid-A; User A1, User A2), Root B (Mid-B; two user certs, both labelled User B1) and Root n are each joined to the Bridge CA by cross-certificate pairs.]


PKI Bridge Path Validation


Globus & Bridge Test Environment

A simple bridge test environment revealed that Globus can validate a bridge trust path
  All needed cross-certificates must be pre-loaded into /etc/grid-security/certificates
  It appears that all needed intermediate CA certificates must also be pre-loaded
  No known support for a directory mechanism to locate cross-certificates
  Does not appear to follow AIA URLs to obtain any needed cross or intermediate certificates
A more complex real-world test is needed
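The bridge trust path of the two preceding slides, as an added example that is not part of the presentation and not Globus code: a breadth-first chain builder over a constructed certificate store whose names follow the diagram labels (Root A, Mid-A, Bridge CA, and so on). Real Globus validation is done by OpenSSL over DER certificates and signatures; this model keeps only subject/issuer links, which is enough to show why every cross-certificate and intermediate has to be present in /etc/grid-security/certificates: drop the certificate Root A issued to the bridge and a relying party that trusts only Root A can no longer reach a campus-B user certificate.

```python
"""Trust-path discovery across a bridge CA (constructed example).

Models the certificate graph from the bridge-PKI slide: two campus
hierarchies (Root A, Root B), a Bridge CA, and the cross-certificate pairs
between each root and the bridge. A relying party at campus A trusts only
Root A; build_path() returns the chain from a campus-B user certificate back
to that anchor, using only certificates present in the local store, which is
the situation Globus is in when it reads /etc/grid-security/certificates.
"""
from collections import deque

# Each "certificate" is (subject, issuer). All names are constructed.
# A cross-certificate pair appears as two entries with subject/issuer swapped.
CONSTRUCTED_CERT_STORE = [
    ("Root A", "Root A"),          # campus A self-signed root
    ("Mid-A", "Root A"),
    ("User A1", "Mid-A"),
    ("Root B", "Root B"),          # campus B self-signed root
    ("Mid-B", "Root B"),
    ("User B1", "Mid-B"),
    ("Bridge CA", "Bridge CA"),    # bridge self-signed
    ("Bridge CA", "Root A"),       # cross-certificate: Root A -> Bridge
    ("Root A", "Bridge CA"),       # cross-certificate: Bridge -> Root A
    ("Bridge CA", "Root B"),       # cross-certificate: Root B -> Bridge
    ("Root B", "Bridge CA"),       # cross-certificate: Bridge -> Root B
]


def build_path(end_entity, trust_anchors, store):
    """Return the chain [end_entity, ..., anchor] or None if none exists.

    Breadth-first search from the end-entity subject towards any trusted
    anchor, following issuer links through whatever certificates are in the
    store. Self-signed certificates contribute no edge (they would only
    loop); cross-certificates are ordinary edges, which is what lets the
    search step from one campus hierarchy through the bridge into another.
    """
    issuers = {}
    for subject, issuer in store:
        if subject != issuer:
            issuers.setdefault(subject, set()).add(issuer)
    queue = deque([(end_entity, [end_entity])])
    seen = {end_entity}
    while queue:
        name, path = queue.popleft()
        if name in trust_anchors:
            return path
        for issuer in sorted(issuers.get(name, ())):
            if issuer not in seen:
                seen.add(issuer)
                queue.append((issuer, path + [issuer]))
    return None


if __name__ == "__main__":
    anchors = {"Root A"}  # relying party at campus A
    print("full store:", build_path("User B1", anchors, CONSTRUCTED_CERT_STORE))
    # Simulate a cross-certificate that was never pre-loaded.
    partial = [c for c in CONSTRUCTED_CERT_STORE if c != ("Bridge CA", "Root A")]
    print("missing Root A -> Bridge cert:", build_path("User B1", anchors, partial))
```

The search direction matters: the relying party needs the certificate its own root issued to the bridge, not the one the bridge issued to its root, so a campus installing "its" cross-certificate pair still needs the partner direction for every remote hierarchy it wants to accept.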


Globus PKI Integration Notes

Campus CA integration
  Use of campus CAs with Globus for inter-institutional sharing of resources should be manageable
  Typical campus certificate profiles (e.g. PKI-lite) work well with Globus
  Challenges will exist for locating the needed cross-certificates and intermediate CA certificates


Globus PKI Integration Notes

Campus CA integration is complicated by the Globus interface
  Campus CAs and OS-exported certificates are generally in PKCS-12 format
  Globus expects raw PEM files for the certificate and the private key
  A file to map certificate DNs to UNIX login names must be maintained
  A maintenance challenge for large inter-institutional grids
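The DN-to-login mapping file named above is the Globus grid-mapfile. As an added example (not from the presentation or from the Globus code base), the following parses, validates and generates entries in that format, flagging the mistakes that creep into a hand-maintained file on a large inter-institutional grid: duplicate DNs, login names that are not valid UNIX accounts, and unquoted lines. The format assumed is the common one, a double-quoted subject DN followed by one or more comma-separated local accounts, with '#' starting a comment; the sample file and all DNs are constructed.

```python
"""Parse, validate and generate Globus grid-mapfile entries (added example).

Assumed format: one entry per line, the certificate subject DN in double
quotes, then whitespace, then one or more comma-separated local login names.
Lines starting with '#' are comments. All sample data below is constructed.
"""
import re

# "DN" followed by login names; DNs contain spaces, so they must be quoted.
ENTRY_RE = re.compile(r'^"([^"]+)"\s+([A-Za-z0-9_.,-]+)\s*$')
# Conservative POSIX-style login name check.
LOGIN_RE = re.compile(r'^[a-z_][a-z0-9_-]{0,31}$')

CONSTRUCTED_GRIDMAP = """\
# grid-mapfile for the testbed (constructed sample)
"/C=US/O=Example Campus A/OU=Research/CN=Alice Example" alice
"/C=US/O=Example Campus B/OU=Physics/CN=Bob Example" bob,hep
"/C=US/O=Example Campus A/OU=Research/CN=Alice Example" alice2
"/C=US/O=Example Campus C/CN=Carol Example" Carol
/C=US/O=Unquoted Campus/CN=Dave Example dave
"""


def parse_gridmap(text):
    """Return (entries, errors).

    entries: list of (line_no, dn, [logins]) for well-formed lines.
    errors:  list of (line_no, message) for lines that do not parse.
    """
    entries, errors = [], []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = ENTRY_RE.match(line)
        if not match:
            errors.append((line_no, "malformed entry"))
            continue
        entries.append((line_no, match.group(1), match.group(2).split(",")))
    return entries, errors


def validate_gridmap(text):
    """Parse, then check for duplicate DNs and invalid login names.

    A duplicate DN is reported because only the first mapping is ever used,
    so the later line is dead configuration that misleads whoever reads it.
    """
    entries, errors = parse_gridmap(text)
    first_seen = {}
    for line_no, dn, logins in entries:
        if dn in first_seen:
            errors.append((line_no, f"duplicate DN (first on line {first_seen[dn]})"))
        else:
            first_seen[dn] = line_no
        for login in logins:
            if not LOGIN_RE.match(login):
                errors.append((line_no, f"invalid login name {login!r}"))
    return entries, sorted(errors)


def format_entry(dn, logins):
    """Render one grid-mapfile line, refusing input that cannot round-trip."""
    if '"' in dn or "\n" in dn:
        raise ValueError("DN may not contain double quotes or newlines")
    if not logins:
        raise ValueError("at least one login name is required")
    for login in logins:
        if not LOGIN_RE.match(login):
            raise ValueError(f"invalid login name {login!r}")
    return f'"{dn}" {",".join(logins)}'


if __name__ == "__main__":
    entries, errors = validate_gridmap(CONSTRUCTED_GRIDMAP)
    for line_no, dn, logins in entries:
        print(f"line {line_no}: {dn} -> {logins}")
    for line_no, message in errors:
        print(f"line {line_no}: ERROR {message}")
    print(format_entry("/C=US/O=Example Campus A/CN=Erin Example", ["erin"]))
```

Running the validator from a cron job or a pre-commit hook on the gridmap file is the cheapest way to keep a hand-edited mapping from silently breaking a remote researcher's access.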


Goals for Larger Test on the NMI Testbed Grid

Test the use of Globus in a real and larger bridged PKI environment
Enable the use of campus CAs in inter-institutional Grids
  Show that one set of campus-issued credentials can work
  Use on a single grid or multiple grids
  Eases researcher pain (and support issues)
Explore complexity issues, demonstrate scalability
Create appropriate tools and documentation
Prepare for Globus to leverage other activities
  Higher Education Bridge Certification Authority
  Higher Education Root Certification Authority


Higher Education Bridge Certification Authority (HEBCA)

A project of EDUCAUSE
Implement a bridge for higher education based on the Federal PKI bridge model
Support both campus PKIs and sector hierarchical PKIs
Cross-certify with the Federal bridge (and others as appropriate)
Use of HEBCA with Globus may be a natural result of this work


US Higher Education Root CA

A project of Internet2
The replacement for the CREN CA
Designed to support campuses that wish to be part of a hierarchical CA
  The root CA signs campus CA signing certificates
Expectation is to cross-certify with HEBCA at some level
Campus CAs that are part of this hierarchy would also work well in a bridged Globus environment


Current Project Status

Built testbed Bridge CA
  Off-line system
Cross-certifications
  UVA: complete
  UAB: nearly done
  TACC: 50%
  USC: getting started
/etc/grid-security
  Certificates, policy files, and hash links generated via scripts
  Gridmap file by hand


Tool Development

In addition to supporting the testbed grid via cross-certification, we plan to explore a few tools
  Credential converter web site that takes a PKCS-12 (as is available in most enterprise CAs) and returns the PEM files needed by Globus
  A tool to chase down cross-certificates from AIA fields and build the needed Globus links and signing policy files
  Potentially: a CA using a Shibboleth-based RA
    Provide certificates for campuses that have Shibboleth but are not yet operating an enterprise CA
    Each campus would have its own root that would be cross-certified via the testbed bridge
We should know a lot more in a few months
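The "hash links" and "signing policy files" of the Current Project Status slide and the Globus links and signing policy files the planned AIA-chasing tool would build, as one added example that is neither the project's scripts nor Globus code. Globus and OpenSSL find a CA certificate in /etc/grid-security/certificates by a name of the form <subject-hash>.N and read its policy from <subject-hash>.signing_policy; a cross-certified root has two certificates with the same subject (the self-signed root and the one the bridge issued to it), so both must be installed under the same hash with different N suffixes. The code below produces that layout and the signing_policy text for a constructed campus root and bridge; the subject hashes are placeholders, not real OpenSSL subject hashes, and the DNs and patterns are constructed.

```python
"""Lay out /etc/grid-security/certificates for a bridged PKI (added example).

layout_certificates_dir() assigns <hash>.0, <hash>.1, ... to certificates
that share a subject hash and writes one <hash>.signing_policy per subject.
The hash values used here are constructed placeholders; a real deployment
takes them from the certificate's subject hash as OpenSSL computes it.
"""


def signing_policy(ca_dn, subject_patterns):
    """Return the text of a Globus signing_policy file for one CA.

    The CA identified by ca_dn gets CA:sign rights for subject names matching
    any of the given patterns ('*' is the wildcard in this format).
    """
    if not subject_patterns:
        raise ValueError("at least one cond_subjects pattern is required")
    patterns = " ".join(f'"{p}"' for p in subject_patterns)
    return (
        f"# Signing policy for {ca_dn}\n"
        f"access_id_CA      X509         '{ca_dn}'\n"
        f"pos_rights        globus        CA:sign\n"
        f"cond_subjects     globus       '{patterns}'\n"
    )


def layout_certificates_dir(ca_certs, policies):
    """Map file names under /etc/grid-security/certificates to their contents.

    ca_certs: list of (subject_hash, subject_dn, issuer_dn); certificates that
              share a subject hash receive <hash>.0, <hash>.1, ... in input order.
    policies: dict subject_dn -> list of cond_subjects patterns for that CA.
    Returns {filename: description or signing-policy text}.
    """
    files = {}
    next_suffix = {}
    for subject_hash, subject_dn, issuer_dn in ca_certs:
        n = next_suffix.get(subject_hash, 0)
        next_suffix[subject_hash] = n + 1
        kind = "self-signed" if subject_dn == issuer_dn else f"issued by {issuer_dn}"
        files[f"{subject_hash}.{n}"] = f"{subject_dn} ({kind})"
        policy_name = f"{subject_hash}.signing_policy"
        if policy_name not in files and subject_dn in policies:
            files[policy_name] = signing_policy(subject_dn, policies[subject_dn])
    return files


# Constructed sample: campus A's root, the bridge, and their cross-certificate pair.
ROOT_A = "/C=US/O=Example Campus A/CN=Example Campus A Root CA"
BRIDGE = "/C=US/O=Example Testbed Bridge/CN=Example Bridge CA"
CONSTRUCTED_CA_CERTS = [
    ("11111111", ROOT_A, ROOT_A),  # placeholder hash; self-signed campus root
    ("11111111", ROOT_A, BRIDGE),  # same subject, issued by the bridge
    ("22222222", BRIDGE, BRIDGE),  # placeholder hash; self-signed bridge
    ("22222222", BRIDGE, ROOT_A),  # bridge certified by Root A
]
CONSTRUCTED_POLICIES = {
    ROOT_A: ["/C=US/O=Example Campus A/*"],
    BRIDGE: ["/C=US/O=Example Campus A/*", "/C=US/O=Example Campus B/*"],
}


if __name__ == "__main__":
    layout = layout_certificates_dir(CONSTRUCTED_CA_CERTS, CONSTRUCTED_POLICIES)
    for name in sorted(layout):
        print(f"== {name}\n{layout[name]}")
```

Each installed certificate must also satisfy the signing policy of the CA that issued it, so the bridge's cond_subjects patterns have to cover every campus root it cross-certifies, and a campus root's patterns have to cover the bridge subject if that campus issues the bridge a cross-certificate.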