ARCHER’s Security Requirements within the AAF

Post on 21-Mar-2016

Transcript of a PowerPoint presentation.

Slide 1: ARCHER’s Security Requirements within the AAF

Slide 2: Research Repository Requirements (relevant to AAF)

• Identity Management provided by the Federation
  - Single sign-on for Federation services
• Federation members can access services
  - For accessing and managing datasets in a Research Repository
  - Accessible from either desktop or web applications
• Federation members can define groups of Federation members which can access their datasets
  - Group membership defined autonomously by the group
• Research Repository accessible by other Federation services, including Grid services
• Privileges for content owners and groups managed by the Research Repository
• Consistent Identity and Group Management across Shibboleth-protected and PKI-protected services

Slide 3: Consistent Identity & Group Management

(Diagram: a single Identity Management and Group Management layer is shared by the Shibboleth-protected Services and the PKI-protected Services, so both kinds of service work from the same identities and groups.)

Slide 4: Status of Repository Requirements

The slide repeats the requirements list from slide 2, with each item colour-coded according to the legend below; the colour coding is not preserved in this transcript.

Legend: • Available • Under Development • Not available

Slide 5

Objective: Access a Federation service (e.g. a research repository) using Shibboleth from either a web or desktop application.

Problem: Shibboleth was never designed to be used from desktop applications. (Shibboleth implements the SAML web browser SSO profile, which assumes a browser in the loop that can follow redirects and submit HTML forms; a desktop application has no such browser.)

Slide 6: Solution: Accessing a Federation Service from the Desktop using the Federation’s Identity Management

(Sequence diagram. Participants: the Desktop, holding the Desktop App and the Credential Manager; the IdP; the Certificate Provider; and a PKI-protected Fed Service. Only the message labels survive in the transcript; the sender and receiver given for each step are read from the message order.)

1. Request Cert. (Desktop App → Credential Manager)
2. Authenticate (Credential Manager → IdP)
3. Shib. Token (IdP → Credential Manager)
4. Shib Token (Credential Manager → Certificate Provider)
5. Shib Token (Certificate Provider → IdP)
6. Attributes (IdP → Certificate Provider)
7. Short-lived Cert. (Certificate Provider → Credential Manager)
8. Short-lived Cert. (Credential Manager → Desktop App)
9. Short-lived Cert. (Desktop App → Fed Service)
10. Success/Fail (Fed Service → Desktop App)

Slide 7: Credential Manager Requirements

• Must be able to authenticate with an Identity Provider
• Must be able to be trusted by the user, as they will be authenticating with their institution through it
• Must be able to cache the user’s credentials
• Must query the user for confirmation if an application requests a credential
• Must be available for Windows, Mac and Linux boxes

Slide 8: Certificate Provider Requirements

• Must generate certificates which:
  - Are short-term
  - Maintain a consistent identity for the user
  - Are approved by IGTF
  - Are signed by the Federation
  - Transport only those Shibboleth attributes that are essential for accessing PKI-protected services
• Service must be managed by the Federation
• Desirable to have an interface which allows Grid Certificates to be refreshed
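The certificate-provider side of the slide 6 flow (steps 6 and 7: attributes in, short-lived certificate out) together with the requirements listed on this slide, as an added example in Go. This is not code from the slides, from ARCHER or from SWITCH's SLCS. Everything beyond the requirements is an assumption made for the example: the in-memory FederationCA standing in for the Federation's CA, the 11-hour lifetime (the IGTF SLCS profile only caps lifetimes at 1,000,000 seconds, about 11.5 days), the eduPerson attribute names, the sample user, and the fact that the user's public key is passed in directly where a real SLCS client would submit a certificate request. The VerifyShortLived function is the check a PKI-protected service would run at steps 9 and 10.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// MaxLifetime is the assumed local policy for short-lived certificates.
const MaxLifetime = 11 * time.Hour

// Attributes is what the IdP releases for a Shib token (step 6 on slide 6). Only the
// essential ones may shape the certificate; the rest (mail, affiliation, ...) are dropped.
type Attributes map[string]string

var essential = map[string]bool{"eduPersonPrincipalName": true, "displayName": true, "o": true}

// FederationCA is a hypothetical in-memory stand-in for the Federation's CA.
type FederationCA struct {
	Cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// NewKey makes a P-256 key pair (for the CA here, and for the user in main).
func NewKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

func NewFederationCA() (*FederationCA, error) {
	key, err := NewKey()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		Subject:      pkix.Name{Organization: []string{"AAF"}, CommonName: "Federation SLCS CA (example)"},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(10, 0, 0),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &FederationCA{Cert: cert, key: key}, err
}

// Issue keeps only essential attributes, derives a stable DN (display name plus a hash of
// the principal name, so one principal always gets the same subject) and signs a
// short-lived client certificate for the user's key (step 7 on slide 6).
func (ca *FederationCA) Issue(attrs Attributes, pub *ecdsa.PublicKey, now time.Time) (*x509.Certificate, error) {
	kept := Attributes{}
	for k, v := range attrs {
		if essential[k] {
			kept[k] = v
		}
	}
	if kept["eduPersonPrincipalName"] == "" {
		return nil, errors.New("eduPersonPrincipalName missing: no consistent subject possible")
	}
	h := sha256.Sum256([]byte(kept["eduPersonPrincipalName"]))
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)) // random 128-bit serial
	der, err := x509.CreateCertificate(rand.Reader, &x509.Certificate{
		SerialNumber: serial, KeyUsage: x509.KeyUsageDigitalSignature,
		Subject:      pkix.Name{Organization: []string{kept["o"]}, CommonName: fmt.Sprintf("%s %x", kept["displayName"], h[:8])},
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		NotBefore:    now.Add(-5 * time.Minute), NotAfter: now.Add(MaxLifetime), // small clock-skew allowance
	}, ca.Cert, pub, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyShortLived is the PKI-protected service's check at steps 9/10: the certificate must
// chain to the Federation CA, be valid at now, and not exceed the short-lived policy.
func VerifyShortLived(cert, caCert *x509.Certificate, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return err
	}
	if cert.NotAfter.Sub(cert.NotBefore) > MaxLifetime+5*time.Minute {
		return errors.New("certificate lifetime exceeds short-lived policy")
	}
	return nil
}

func main() {
	ca, _ := NewFederationCA() // errors ignored only in this demo driver
	user, _ := NewKey()
	attrs := Attributes{"eduPersonPrincipalName": "jdoe@example.edu.au", "displayName": "Jane Doe", "o": "Example University", "mail": "jane.doe@example.edu.au"} // constructed sample
	cert, err := ca.Issue(attrs, &user.PublicKey, time.Now())
	fmt.Println(err, cert.Subject, VerifyShortLived(cert, ca.Cert, time.Now()))
}
```

The "mail" attribute in the sample release never reaches the certificate, two issuances for the same principal produce the same subject (with different serial numbers), and a relying party rejects the certificate once the policy lifetime has passed or when it was signed by a different CA.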

Slide 9: Useful Security Components

• SWITCH’s SLCS, for the Certificate Provider
  - Shibboleth-protected web application
  - Generates IGTF-approved certificates from Shibboleth attributes
• Bandit Project’s DigitalMe, for the Credential Manager
  - Similar to Microsoft’s InfoCard/CardSpace solution
  - Written in Java
• Red Hat’s CA
  - To be used by the AAF

Slide 10: Cert. Provision with Cert. available from MyProxy

(Sequence diagram. Participants: User, IdP, Certificate Provider (a Shibboleth Service Provider), Certificate Generator, MyProxy. MyProxy has an external interface through which certificates can be refreshed. Only the message labels survive; senders and receivers are read from the message order.)

1. Shib Token (User → Certificate Provider)
2. Shib Token (Certificate Provider → IdP)
3. Attributes (IdP → Certificate Provider)
4. Attributes (Certificate Provider → Certificate Generator)
5. Short-lived Cert (MyProxy → Certificate Generator; a certificate for this user is already stored)
6. Short-lived Cert. (Certificate Provider → User)

Slide 11: Cert. Provider with Cert. not available from MyProxy

(Sequence diagram. Participants: User, IdP, Certificate Provider, Certificate Generator, MyProxy and SLCS. MyProxy again has an external interface for refreshing certificates. Only the message labels survive; the reading below of who sends each message is inferred from the numbering.)

1. Shib Token (User → Certificate Provider)
2. Shib Token (Certificate Provider → IdP)
3. Attributes (IdP → Certificate Provider)
4. Attributes (Certificate Provider → Certificate Generator)
5. Fail (MyProxy → Certificate Generator; no certificate stored for this user)
6. Attributes (Certificate Generator → SLCS)
7. Attributes and Medium-lived Cert. (SLCS → MyProxy)
8. Success (MyProxy → SLCS)
9. Success (SLCS → Certificate Generator)
10. Attributes (Certificate Generator → MyProxy)
11. Short-lived Cert. (MyProxy → Certificate Generator)
12. Short-lived Cert. (Certificate Provider → User)

In short: when MyProxy has nothing for the user, the Certificate Generator obtains a medium-lived certificate from SLCS using the released attributes, that certificate is stored in MyProxy, and the short-lived certificate handed to the user is then derived from it, exactly as in the slide 10 case.
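The Certificate Generator's choice between the slide 10 and slide 11 flows, as an added example in Go; it is not code from the ARCHER prototypes, MyProxy or SLCS. The certificates are stand-ins carrying only the fields the flow depends on, MyProxy is a hypothetical in-memory store, the 7-day medium-lived and 11-hour short-lived lifetimes are assumed, and so is the refresh rule: a stored medium-lived certificate that cannot cover a full short-lived lifetime is treated like the "Fail" at step 5 and replaced before anything is derived from it.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Credential models a certificate by the only fields this flow depends on.
type Credential struct {
	Subject  string
	Issuer   string // "SLCS" for the medium-lived cert, "MyProxy" for one derived from it
	NotAfter time.Time
}

// MyProxyStore is the part of MyProxy the Certificate Generator talks to.
type MyProxyStore interface {
	Get(subject string, now time.Time) (Credential, error)
	Put(subject string, cred Credential) error
	ShortLived(subject string, now time.Time, lifetime time.Duration) (Credential, error)
}

// memoryMyProxy is a hypothetical in-memory MyProxy used only for this example.
type memoryMyProxy struct{ store map[string]Credential }
func newMemoryMyProxy() *memoryMyProxy { return &memoryMyProxy{store: map[string]Credential{}} }

// Get answers "Fail" (step 5 on slide 11) when nothing usable is stored.
func (m *memoryMyProxy) Get(subject string, now time.Time) (Credential, error) {
	c, ok := m.store[subject]
	if !ok || !c.NotAfter.After(now) {
		return Credential{}, errors.New("myproxy: no usable certificate stored for " + subject)
	}
	return c, nil
}

func (m *memoryMyProxy) Put(subject string, cred Credential) error {
	if cred.Subject != subject {
		return errors.New("myproxy: certificate subject does not match the store key")
	}
	m.store[subject] = cred
	return nil
}

// ShortLived derives a short-lived certificate from the stored medium-lived one and never lets it outlive its parent.
func (m *memoryMyProxy) ShortLived(subject string, now time.Time, lifetime time.Duration) (Credential, error) {
	parent, err := m.Get(subject, now)
	if err != nil {
		return Credential{}, err
	}
	notAfter := now.Add(lifetime)
	if notAfter.After(parent.NotAfter) {
		notAfter = parent.NotAfter
	}
	return Credential{Subject: subject, Issuer: "MyProxy", NotAfter: notAfter}, nil
}

// SLCS issues medium-lived certificates from Shibboleth attributes (steps 6-7 on slide 11).
type SLCS struct {
	Lifetime time.Duration
	Calls    int // how often SLCS was contacted, to show when the fallback runs
}

func (s *SLCS) Issue(subject string, now time.Time) Credential {
	s.Calls++
	return Credential{Subject: subject, Issuer: "SLCS", NotAfter: now.Add(s.Lifetime)}
}

// CertificateGenerator chooses between the flows on slides 10 and 11.
type CertificateGenerator struct {
	MyProxy       MyProxyStore
	SLCS          *SLCS
	ShortLifetime time.Duration
	Now           func() time.Time
}

// Provide takes the attributes the Certificate Provider obtained from the IdP (step 4)
// and returns a short-lived certificate for the user.
func (g *CertificateGenerator) Provide(attrs map[string]string) (Credential, error) {
	subject := attrs["eduPersonPrincipalName"]
	if subject == "" {
		return Credential{}, errors.New("attributes lack eduPersonPrincipalName")
	}
	now := g.Now()
	stored, err := g.MyProxy.Get(subject, now)
	// Slide 11: MyProxy has nothing usable (step 5: Fail), or what it has cannot cover a full
	// short-lived lifetime; fetch a medium-lived certificate from SLCS (6-7) and store it (8-9).
	if err != nil || stored.NotAfter.Before(now.Add(g.ShortLifetime)) {
		if err := g.MyProxy.Put(subject, g.SLCS.Issue(subject, now)); err != nil {
			return Credential{}, err
		}
	}
	// Slide 10 (steps 5-6) and slide 11 (steps 10-12): derive the short-lived certificate.
	return g.MyProxy.ShortLived(subject, now, g.ShortLifetime)
}
func main() {
	clock := time.Date(2008, 1, 1, 9, 0, 0, 0, time.UTC) // fixed clock for a reproducible run
	g := &CertificateGenerator{MyProxy: newMemoryMyProxy(), SLCS: &SLCS{Lifetime: 7 * 24 * time.Hour}, ShortLifetime: 11 * time.Hour, Now: func() time.Time { return clock }}
	c, err := g.Provide(map[string]string{"eduPersonPrincipalName": "jdoe@example.edu.au"}) // constructed sample
	fmt.Println(c, err, "SLCS calls:", g.SLCS.Calls)
}
```

The first request for a user goes through SLCS; later requests are served from MyProxy without contacting SLCS until the stored certificate is too close to expiry to cover another full short-lived lifetime, and a derived certificate is always capped at its parent's expiry.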

Slide 12

(Architecture diagram. Components: Web Portal, IdP, Certificate Provider, Red Hat CA, MyProxy (with its external interface for refreshing certificates), SLCS, and on the desktop a Desktop App with DigitalMe and a Shib Module. Labelled flows: "Post Back", "Request Short-term Cert" and "Post back Cert.")

Slide 13: Prototypes: Shib Desktop Access & Shib Cert Provider

SVN: https://dev.archer.edu.au/projects/archer-data-activities/svn/security/current

In this folder there are three separate projects:

• ArcherCertProvider: the front-end web application for managing certificates.
• CardSpace: the desktop module for local certificate management.
• Desktop Shibboleth: the desktop module for Shibboleth authentication.

Installation instructions for each module are in the README file of each project.

To run the demonstration:

1. Deploy ArcherCertProvider to a J2EE application server (tested with Tomcat 5.14+ and 6.*); an existing WAR file can be found at https://dev.archer.edu.au/downloads/ArcherCertProvider.war
2. Start the CardSpace module: ant LocalCertManager
3. Run a HelloWorld example of a GSI application: ant GSIApp
