Computing Research Center, High Energy Accelerator Organization (KEK)
KEK Grid CA
Go Iwai
The 2nd APGrid PMA Meeting at Osaka Univ.


TRANSCRIPT

Computing Research Center, High Energy Accelerator Organization (KEK)

KEK Grid CA

Go Iwai

The 2nd APGrid PMA Meeting at Osaka Univ.

2006/10/15 The 2nd APGrid PMA Meeting at Osaka Univ. 2

KEK Organization and History

• High Energy Accelerator Research Organization (KEK)
  – Institute of Particle and Nuclear Studies
  – Institute of Materials Structure Science
  – Accelerator Laboratory
  – Applied Research Laboratory
• Computing Research Center
• Radiation Science Center
• Cryogenics Science Center
• Mechanical Engineering Center
• History
  – National Laboratory for High Energy Physics (1971)
  – High Energy Accelerator Research Organization (1997)
    • Combined with Institute for Nuclear Study
  – High Energy Accelerator Research Organization
    • reformed as an Inter-University Research Institute Corporation (2004)


KEK: High Energy Accelerator Organization

[Map of the KEK sites: J-PARC, B Factory, Photon Factory, LC-Test Facility; Tokyo, Tsukuba, Tokai (~60 km apart), Pacific Ocean]


Issued Certificates

• Host certificates
  – 73 certificates were issued
• User certificates
  – 26 certificates were issued
• SSL Server certificates
  – 1 certificate was issued
  – only for ICEPP (Univ. of Tokyo) and KEK


Experiences

• /Email field was troublesome and is not available any more
  – LCG was OK
  – SRB-DSI does not work for any certificate including the field
• Power outage because of the regular inspection of facilities requested by the government
  – Power backup by the generator was done with big efforts
  – We may stop the operation of the CA for 3 days in the next year
• Securing private keys is essential for PKI operations
  – However, sometimes users copy theirs to remote sites via the network and store them on distributed storage systems, even on NFS servers.
  – Education is very important for users
    • Regular training should be considered


Plan

• Change on CP/CPS
  – Currently, SSL server certificates are issued only for ICEPP and KEK; however, LCG needs SSL server certificates at each LCG site
    • C=JP, O=KEK, OU=CRC, CN=FQDN
    • SSL server certificates will be issued for each site
    • General usage is forbidden; they are only for usage with LCG
  – We assumed that applicants are existing users of the KEK Computing Research Center
    • Contractors in collaborating institutes cannot be users of KEK CRC
    • We will change the CP/CPS to allow applications from them
  – Existing users, or persons who are endorsed by the representative of the collaborating institute of KEK
• We will have the first audit within this year.
  – Yoshio Tanaka will be an auditor
    • Thanks to him for his efforts
  – November or December?

Computing Research Center, High Energy Accelerator Organization (KEK)

End

Any comment or suggestion?

Computing Research Center, High Energy Accelerator Organization (KEK)

For backups


CP/CPS

• KEK GRID CA CP/CPS
  – Version: 1.0.0
  – OID: 1.3.6.1.4.1.200198.1.10.2
  – Conforms to RFC 2527
  – Strongly inspired by the CP/CPS' of NAREGI CA and AIST CA
• KEK GRID CP/CPS is managed by the KEK GRID PMA.
  – Changes in contents need to be approved by the KEK GRID PMA, as described in section 8.


End Entities

• Grid Users, Servers and Services:
  – Members at KEK and its collaborating institutes
  – Computing Facility at KEK and its collaborating institutes


Certificate Types

• User Certificate:
  – C=JP, O=KEK, OU=CRC, CN=Takashi Sasaki
• Globus Servers:
  – host
    • C=JP, O=KEK, OU=CRC, CN=host/FQDN
  – Services
    • C=JP, O=KEK, OU=CRC, CN=ldap/FQDN
• Web Servers (only for LCG at KEK CRC and ICEPP, U. of Tokyo):
  – C=JP, O=KEK, OU=CRC, CN=FQDN
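The naming profile on this slide can be checked mechanically. The following is an added example, not code from the KEK Grid CA: it parses an OpenSSL "oneline" subject DN, classifies it as a user, host, service or web certificate by the CN forms listed above, and flags the /Email attribute whose removal the Experiences slide describes. The hostnames and the "Test User" name in the checks are constructed.

```python
import re

# Naming profile from the Certificate Types slide.
REQUIRED_PREFIX = [("C", "JP"), ("O", "KEK"), ("OU", "CRC")]
FQDN_RE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)+")

def parse_dn(dn):
    """Parse an OpenSSL 'oneline' DN, e.g. /C=JP/O=KEK/OU=CRC/CN=host/ce01.kek.jp.
    A naive split on '/' would cut CN=host/FQDN in half, so we split only
    where a new 'attr=' component begins."""
    parts = re.split(r"/(?=[A-Za-z]+=)", dn.strip("/"))
    return [tuple(p.split("=", 1)) for p in parts if "=" in p]

def classify(dn):
    """Return (kind, problems) for a subject DN under the KEK GRID CA profile;
    kind is 'user', 'host', 'service', 'web' or 'unknown'."""
    rdns = parse_dn(dn)
    problems = []
    if rdns[:3] != REQUIRED_PREFIX:
        problems.append("prefix must be C=JP, O=KEK, OU=CRC")
    # The /Email field was dropped from the profile: SRB-DSI rejected any
    # certificate that carried it (Experiences slide).
    if any(attr in ("Email", "emailAddress") for attr, _ in rdns):
        problems.append("/Email field is no longer permitted")
    cns = [value for attr, value in rdns if attr == "CN"]
    if len(cns) != 1:
        problems.append("exactly one CN is expected")
        return "unknown", problems
    cn = cns[0]
    if cn.startswith("host/"):
        kind = "host"         # Globus host certificate: CN=host/FQDN
    elif "/" in cn:
        kind = "service"      # Globus service certificate, e.g. CN=ldap/FQDN
    elif FQDN_RE.fullmatch(cn):
        kind = "web"          # LCG web server: CN=FQDN (KEK CRC and ICEPP only)
    else:
        kind = "user"         # personal name, e.g. CN=Takashi Sasaki
    return kind, problems

if __name__ == "__main__":
    # Constructed sample DNs following the slide's patterns.
    for sample in ("/C=JP/O=KEK/OU=CRC/CN=Takashi Sasaki",
                   "/C=JP/O=KEK/OU=CRC/CN=host/ce01.kek.jp",
                   "/C=JP/O=KEK/OU=CRC/CN=Test User/Email=test@example.org"):
        print(sample, "->", classify(sample))
```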


Identification and Authentication

• Prerequisite:
  – The person must be an existing user of KEK CRC
    • One referee among KEK employees is requested
    • Applicants must be a member of one of the projects at KEK
• User Certificate:
  – Subscriber must
    • submit in person or by mail (or FAX) the application to the user administrator.
    • attach a copy of his/her personal identification document with a photo.
    • have an interview in person or on video conference with the user administrator
  – User administrator confirms the application with the representative's signature on it
• Host and Service Certificate
  – An application is required to be submitted by an existing certificate user


Certificate Restrictions

• Certificate Lifetime:
  – 5 years for the KEK GRID CA certificate
  – 1 year for each end entity certificate
• User and server certificates should not be shared.


Certificate Revocation

• Certificates are to be revoked when …
  – the RA receives a revocation request from a user.
  – the user's key has been compromised or is suspected of being compromised.
  – the user information on the certificate is suspected of being incorrect.
  – the user lost the status of KEK CRC user
    • the user leaves the job, etc.
  – the CA private key has been compromised.
  – a user violates his/her obligations
    • as described in the CP/CPS Section 2.1.3.


Revocation Request Procedure

• Revocation Request from a user
  – User can choose between two methods, as follows:
    • Command-line UI and Web-based UI using encrypted communication between the user and the RA.
  – The RA confirms a revocation request by using the client certificate, and accepts it.
  – The RA sends a revocation request to the CA located in an independent network segment.
    • Communications between the RA and the CA are encrypted.
• The CA security officer can execute a revocation request on behalf of the user, if it is necessary.


CRL

• The KEK GRID CA will …
  – revoke the certificate immediately after receipt and acceptance of the revocation request.
  – publish the CRL on the KEK CA web site immediately.
• A relying party can verify a certificate by retrieving the newest CRL on the web site.
• The issued CRL is valid for 30 days.
• The CRL will be reissued at least seven days before the previous one expires.
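As an added example (not code from the KEK Grid CA), the schedule on this slide, 30-day validity and reissue at least seven days before the previous CRL expires, can be audited from a CRL publication history, and a relying party can be made to fail closed when every CRL it holds has expired. The CRL records and serial numbers below are constructed sample data.

```python
from datetime import datetime, timedelta

# Policy values from the CRL slide.
CRL_VALIDITY = timedelta(days=30)
REISSUE_MARGIN = timedelta(days=7)

def make_crl(issued, revoked):
    """Build a CRL record from an ISO date string and a set of revoked serials."""
    this_update = datetime.fromisoformat(issued)
    return {"this_update": this_update,
            "next_update": this_update + CRL_VALIDITY,
            "revoked": set(revoked)}

def check_crl_schedule(crls):
    """Audit a publication history (oldest first) against the stated schedule.
    Returns the list of violations; an empty list means the schedule was kept."""
    violations = []
    for i, crl in enumerate(crls):
        if crl["next_update"] - crl["this_update"] != CRL_VALIDITY:
            violations.append(f"CRL {i}: validity is not 30 days")
        if i > 0:
            deadline = crls[i - 1]["next_update"] - REISSUE_MARGIN
            if crl["this_update"] > deadline:
                violations.append(f"CRL {i}: issued less than 7 days before CRL {i - 1} expired")
    return violations

def revocation_status(crls, serial, now_iso):
    """Relying-party check using the newest CRL still valid at the given time.
    Returns 'revoked', 'good', or 'unknown' when every held CRL has expired,
    so a stale CRL is never mistaken for a clean result."""
    now = datetime.fromisoformat(now_iso)
    valid = [c for c in crls if c["this_update"] <= now <= c["next_update"]]
    if not valid:
        return "unknown"
    newest = max(valid, key=lambda c: c["this_update"])
    return "revoked" if serial in newest["revoked"] else "good"

# Constructed sample history: the second CRL is on time, the third is late.
SAMPLE_CRLS = [
    make_crl("2006-10-01", {0x10}),
    make_crl("2006-10-24", {0x10, 0x11}),
    make_crl("2006-11-20", {0x10, 0x11, 0x12}),
]

if __name__ == "__main__":
    print(check_crl_schedule(SAMPLE_CRLS))
    print(revocation_status(SAMPLE_CRLS, 0x11, "2006-10-25"))
```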


Physical Security

• CA Server:
  – dedicated machine in a locked room
    • The room is located in the secure building.
    • only connected to the RA server via an exclusive network using a private address.
    • CA server cannot be reached from the Internet.
• CA private key:
  – Protected by a FIPS 140-2 Level 3 compliant HSM.
  – is copied to a backup device with passphrase in a key-locked shelf.


Records Archival

• Types of Archive Data:
  – All issued certificates and CRLs
  – All enrollment requests and notifications between the KEK GRID CA and users
  – Operation history of the CA key
    • Events of Interest, as described in CP/CPS 4.5.1
    • login, logout, reboot, access and error logs, etc.
  – Other documents about the KEK GRID CA.
• The retention period is 3 years.
• Archived files are preserved in a key-locked shelf.


Key Pair

• The CA private key is generated by the HSM.
• A user's key pair is generated on the user's PC by using a given license ID.
  – The user's private key is not generated by the CA or the RA.
• Key Length:
  – CA Certificate: 2048 bits
  – End Entity: 1024 bits
• License ID:
  – 24 characters
  – is provided by the RA for one-time authentication at the time of the user's enrollment process.