
DESCRIPTION

ESnet RAF and eduroam™. Tony J. Genovese, ATF Team, ESnet/Lawrence Berkeley National Laboratory. ATF Overview: authentication services for DOE Office of Science projects, including international collaborations, computational Grids, ESnet community, and ESnet internal. (PowerPoint PPT presentation)

TRANSCRIPT

Page 1: ESnet RAF and eduroam™

ESnet RAF and eduroam™

Tony J. Genovese
ATF Team
ESnet/Lawrence Berkeley National Laboratory

Page 2: ESnet RAF and eduroam ™
Page 3: ESnet RAF and eduroam ™

ATF Overview

- Authentication services for DOE Office of Science projects, including international collaborations, computational Grids, ESnet community, and ESnet internal
- Primarily focused on the Office of Science community
- ATF's principal service is a set of certificate authorities (CAs)
- Policy is driven completely by the needs of the science community
- Facilitating several trust federations to enable interoperable science Grids – Policy Management Authorities:
  - the IGTF – International Grid Trust Federation
  - the Americas "regional" policy management authority – TAGPMA
- ATF also pilots new technology, new policy systems, and develops project proposals in collaboration with other partners

Page 4: ESnet RAF and eduroam ™

Authentication and Trust Federation Team

- 3 FTEs plus heavy support from ESnet UNIX services
- Plus additional support from network engineering, services, and Windows support
- Roles:
  - CA Operator
  - Developer
  - Federation Liaison
  - Product Manager (community outreach)
  - Specialized system administration
  - PMA chairman / member
  - Contributor to community best practices/standards efforts
- All team members have cross trained to ensure continuity.

Page 5: ESnet RAF and eduroam ™

PKI Certificate Authorities Overview

ESnet subordinate Certificate Authorities and Services (diagram):
- ESnet Root CA – only signs subordinate CAs
- Subordinate CAs: DOEGrids, ESnet SSL/TLS, FUSION (Credential Store)
- OCSP Service
- NERSC Site – NIM Integration
- Future Co-hosting

Page 6: ESnet RAF and eduroam ™

PKI Security Environment (diagram)

Layered controls around the PKI systems:
- Offline Vaulted Root CA
- Hardware Security Modules (HSM)
- PKI Systems on a Secure VLAN, in access controlled racks
- Secure Data Center, Building Security, LBNL Site security
- Internet-facing path (Grid User): Firewall, Intrusion Detection
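The two diagrams above state the core issuance policy of this PKI: the root stays offline and signs only subordinate CAs, which in turn issue the certificates users and hosts actually present. The following is an added illustration, not ESnet's code, of what a relying party has to check to enforce that policy when it validates a chain: signatures, validity period, CA flag and path length on each issuer, membership of the final issuer in the configured trust anchors, and a refusal to accept an end-entity certificate signed directly by the root. It uses the third-party `cryptography` package; the CA names, key sizes and the fixed "now" are constructed for the demo.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

# Fixed clock so the demo is deterministic (constructed value).
NOW = datetime.datetime(2005, 6, 15)


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _cn(cert):
    return cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value


def _validity(cert):
    # Prefer the newer *_utc accessors where available, fall back otherwise; normalise to naive UTC.
    nb = getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before
    na = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after
    return nb.replace(tzinfo=None), na.replace(tzinfo=None)


def make_cert(subject_cn, key, issuer_cn, issuer_key, ca, path_length=None):
    """Issue a certificate for `key`, signed by `issuer_key`, with a critical BasicConstraints."""
    builder = (
        x509.CertificateBuilder()
        .subject_name(_name(subject_cn))
        .issuer_name(_name(issuer_cn))
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(NOW - datetime.timedelta(days=1))
        .not_valid_after(NOW + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=ca, path_length=path_length), critical=True)
    )
    return builder.sign(issuer_key, hashes.SHA256())


def verify_chain(leaf, intermediates, trust_anchors, at=NOW):
    """Validate leaf -> intermediates -> trust anchor. Returns (ok, reason)."""
    chain = [leaf] + list(intermediates)
    anchors = {a.subject: a for a in trust_anchors}
    for i, cert in enumerate(chain):
        not_before, not_after = _validity(cert)
        if not (not_before <= at <= not_after):
            return False, f"{_cn(cert)}: outside validity period"
        last = i == len(chain) - 1
        issuer = anchors.get(cert.issuer) if last else chain[i + 1]
        if issuer is None:
            return False, f"{_cn(cert)}: issuer is not a configured trust anchor"
        if cert.issuer != issuer.subject:
            return False, f"{_cn(cert)}: chain is not linked"
        try:
            issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                       padding.PKCS1v15(), cert.signature_hash_algorithm)
        except InvalidSignature:
            return False, f"{_cn(cert)}: signature does not verify under {_cn(issuer)}"
        issuer_bc = issuer.extensions.get_extension_for_class(x509.BasicConstraints).value
        cert_bc = cert.extensions.get_extension_for_class(x509.BasicConstraints).value
        if not issuer_bc.ca:
            return False, f"{_cn(issuer)}: issuer is not a CA"
        # i equals the number of CA certificates sitting below this issuer in the chain.
        if issuer_bc.path_length is not None and issuer_bc.path_length < i:
            return False, f"{_cn(issuer)}: path length constraint exceeded"
        if last and not cert_bc.ca:
            # Slide policy: the root only signs subordinate CAs, never end-entity certificates.
            return False, f"{_cn(cert)}: end-entity certificate issued directly by root"
    return True, "chain verified"


def demo():
    """Build a demo root / subordinate / user hierarchy and exercise the checks."""
    root_key, sub_key, user_key, rogue_key, other_key = (
        rsa.generate_private_key(65537, 2048) for _ in range(5))
    root = make_cert("ESnet Root CA (demo)", root_key, "ESnet Root CA (demo)", root_key, ca=True, path_length=1)
    sub = make_cert("DOEGrids CA (demo)", sub_key, "ESnet Root CA (demo)", root_key, ca=True, path_length=0)
    user = make_cert("grid user (demo)", user_key, "DOEGrids CA (demo)", sub_key, ca=False)
    # Policy violation: end-entity certificate signed directly by the root.
    direct = make_cert("direct user (demo)", user_key, "ESnet Root CA (demo)", root_key, ca=False)
    # Names the subordinate CA as issuer but is signed by an unrelated key.
    forged = make_cert("forged user (demo)", user_key, "DOEGrids CA (demo)", rogue_key, ca=False)
    other_root = make_cert("Other Root (demo)", other_key, "Other Root (demo)", other_key, ca=True, path_length=1)
    return {
        "valid": verify_chain(user, [sub], [root]),
        "direct_from_root": verify_chain(direct, [], [root]),
        "forged_signature": verify_chain(forged, [sub], [root]),
        "untrusted_root": verify_chain(user, [sub], [other_root]),
        "expired": verify_chain(user, [sub], [root], at=NOW + datetime.timedelta(days=400)),
    }


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:18} {'OK ' if ok else 'REJ'} {reason}")
```

The policy check at the end of the loop is the part a generic chain validator would not do for you: a root with a valid CA flag is cryptographically able to sign an end-entity certificate, so "the root only signs subordinate CAs" has to be enforced by the relying party (or by the offline procedures around the vaulted root), not by the signatures alone.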

Page 7: ESnet RAF and eduroam ™

DOEGrids CA Usage Statistics

| Item | Count |
|---|---|
| User Certificates | 1999 |
| Host & Service Certificates | 3461 |
| Total No. of Certificates | 5479 |
| Total No. of Requests | 7006 |
| ESnet SSL Server CA Certificates | 38 |
| DOEGrids CA 2 CA Certificates (NERSC) | 15 |
| Fusion GRID CA certificates | 76 |

* Report as of Jun 15, 2005

Production service began in June 2003

[Chart: number of certificates or requests over time; series: User Certificates, Service Certificates, Expired (+revoked) Certificates, Total Certificates Issued, Total Cert Requests]

Page 8: ESnet RAF and eduroam ™

RAF, eduroam™ and Internet2 interconnects (diagram)

Diagram elements:
- eduroam™, ESnet RAF, eduroam US, Internet2
- ESnet sites: ESnet (LBNL), ORNL, PPNLANL, NERSC
- Internet2 / UTK: Interconnecting with eduroam™ at UTK
- TERENA (NL): Interconnect Grid Realms at TERENA
- ESnet possible secondary route for eduroam™
- Grid realms: DOEGrids, MyProxy
- Credentials: Crypto Card, Secure ID, Aladdin Smart Card

Page 9: ESnet RAF and eduroam ™

Grid eduroam™ Experiment

Phase 0
- Use Infoblox loaded with IGTF root certificates
- EAP/TLS Strong Authentication based on Grid Identity Certs
- eduroam™ Authorization attributes – eduroam™ defines
- TACAR or EUGridPMA repository as trust anchor
- IGTF OCSP experimental service – GGF defining the service
- Interconnect to eduroam™ at UTK
- Grid top level interconnect: TERENA – Root; ESnet
- Grid PMAs: EU Grid PMA, AP Grid PMA and TAGPMA
- User experience local site dependency – eduroam™ defines
- Each site controls how they expose or provide a service to the community.
- Develop Federation document set, based on GGF documents plus eduroam™ policies
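The interconnect diagram and the Phase 0 plan describe a proxy hierarchy: a site RADIUS server forwards requests it cannot answer to the ESnet RAF, which routes Grid realms toward the TERENA top-level interconnect and everything else toward eduroam via the Internet2/UTK interconnect, with a possible secondary route. The script below is an added illustration of that realm-based routing, not ESnet's or eduroam's software; the topology, proxy names and realm names are constructed for the example. Besides the happy path it shows the behaviour a federation proxy has to get right: refusing malformed identities, failing over when the primary interconnect is down, refusing unknown realms instead of forwarding them indefinitely, and bounding the hop count.

```python
import re

# Constructed topology, not ESnet's real configuration. Each proxy has the set of realms it
# authenticates itself and ordered routing rules: (realm suffix, next hops by preference).
# "" is the default rule; a suffix starting with "." matches any realm ending in it.
TOPOLOGY = {
    "site-lbnl":         ({"lbnl.example"}, [("", ["esnet-raf"])]),
    "site-ornl":         ({"ornl.example"}, [("", ["esnet-raf"])]),
    "esnet-raf":         (set(), [("lbnl.example", ["site-lbnl"]),
                                  ("ornl.example", ["site-ornl"]),
                                  (".grid.example", ["terena-root"]),      # Grid realms go to TERENA
                                  ("", ["internet2-utk", "eduroam-us-backup"])]),  # primary, then backup
    "internet2-utk":     (set(), [("", ["eduroam-us"])]),
    "eduroam-us-backup": (set(), [("", ["eduroam-us"])]),
    "eduroam-us":        ({"utk.example"}, [("", ["eduroam-eu"])]),
    "eduroam-eu":        ({"uni.example"}, []),
    "terena-root":       ({"cern-grid.grid.example"}, []),
}

# user@realm, realm must be a dotted label sequence; anything else is rejected before routing.
NAI = re.compile(r"^[^@\s]+@((?:[a-z0-9-]+\.)+[a-z0-9-]+)$", re.IGNORECASE)


def parse_realm(nai):
    """Return the lower-cased realm of a Network Access Identifier, or None if malformed."""
    m = NAI.match(nai)
    return m.group(1).lower() if m else None


def _matches(realm, suffix):
    if suffix == "":
        return True
    if suffix.startswith("."):
        return realm.endswith(suffix)
    return realm == suffix


def route(nai, start, down=frozenset(), max_hops=8):
    """Walk the proxy hierarchy from `start` for `nai`.

    Returns (outcome, path) where outcome is 'local' (a proxy on the path owns the realm),
    'malformed', 'no-route' (no usable next hop) or 'hop-limit'. `down` lists unreachable
    proxies so the fallback route is exercised; proxies already on the path are never
    reused, which is the loop protection.
    """
    realm = parse_realm(nai)
    if realm is None:
        return "malformed", []
    path = [start]
    here = start
    while len(path) <= max_hops:
        local, rules = TOPOLOGY[here]
        if realm in local:
            return "local", path
        nxt = None
        for suffix, hops in rules:
            if _matches(realm, suffix):
                nxt = next((h for h in hops if h not in down and h not in path), None)
                break
        if nxt is None:
            return "no-route", path
        path.append(nxt)
        here = nxt
    return "hop-limit", path


if __name__ == "__main__":
    for nai, kw in [("alice@lbnl.example", {}), ("bob@ornl.example", {}),
                    ("carol@utk.example", {}), ("carol@utk.example", {"down": {"internet2-utk"}}),
                    ("dave@cern-grid.grid.example", {}), ("eve@nowhere.example", {}), ("mallory", {})]:
        print(nai, kw, "->", route(nai, "site-lbnl", **kw))
```

Routing on the realm of the outer identity is what lets each site keep control over how it exposes its own service: the home proxy is the only one that ever sees the inner EAP/TLS exchange, while the intermediate proxies only need to know where a realm lives.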

Page 10: ESnet RAF and eduroam ™

Next Phases

Phase 1 – Add Authorization Schema
- Phase 0 plus LDAP server

Phase 2 – Add Virtual Organization Management System
- Shibboleth
- GGF – GridShib or other?
- TF-EMC2
- Phase 0 plus VOMS servers

Phase 3 – production hardening
- Implement our community's selected solution – or ?

Page 11: ESnet RAF and eduroam ™

ESnet RAF Experiment systems

- LDAP User Account DB (phase 1+)
- Grid Interconnect: TERENA
- RAF radius appliance
- eduroam™ Internet2 Interconnect
- Possible eduroam™ backup route
- Cisco Catalyst 4000 EAPOL test bed