NERSC Online CA Update
TAGPMA Meeting, February 2012, San Diego
Shreyas Cholia, NERSC, LBL
NERSC
• DOE Office of Science Supercomputing Facility at LBL
• Multiple compute & storage systems
  – Hopper, Franklin, Carver, Euclid, PDSF, HPSS, Global File System
NERSC CA
• Provides short-lived certificates to NERSC user community for convenient access to NERSC resources as well as external resources accessible via grid interfaces.
NERSC CA at a Glance
• IGTF Accredited SLCS MyProxy CA
• CA Cert signed by ESnet Root CA
• Uses NERSC username/password to generate a short-lived credential (up to 11 days)
• HSM - Aladdin eToken USB device
• Command Line Interface:
  myproxy-logon -s nerscca.nersc.gov -l <user>
  Password:
• Also accessible via programmatic APIs
NERSC CA Service (diagram)
1. Client runs: myproxy-logon -l "starbuck"
2. Online CA MyProxy server sends the encrypted token through PAM LDAP to the LDAP server, which validates the password.
3. Server consults the cert-mapfile for the user's DN (mapfile generated from the NERSC user DB):
   "/CN=Joe User" joe
   "/CN=Jane Doe" jane
   "/CN=Lee Adama" apollo
   "/CN=Kara Thrace" starbuck
4. Server returns the signed cert: NERSC CA cert "/CN=Kara Thrace"
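The issuance path in the diagram (password check, cert-mapfile lookup for the DN, short-lived credential capped at the 11-day limit from the previous slide), written out as an added example. This is not NERSC or MyProxy code: the mapfile parser follows only the `"/DN" username` line format shown above, the password table is a constructed stand-in for the PAM/LDAP bind, and the issuer string is a placeholder.

```python
"""Model of the NERSC CA request path: authenticate, map username -> DN via the
cert-mapfile, then issue a credential no longer than the CA's 11-day maximum.
Added example, not NERSC's implementation."""
import hmac
import shlex
from datetime import datetime, timedelta, timezone

MAX_LIFETIME_HOURS = 11 * 24  # "up to 11 days" (slide 4)

# Constructed mapfile matching the sample entries on the slide.
SAMPLE_MAPFILE = '''
# cert-mapfile generated from the NERSC user DB (constructed sample)
"/CN=Joe User" joe
"/CN=Jane Doe" jane
"/CN=Lee Adama" apollo
"/CN=Kara Thrace" starbuck
'''

# Constructed stand-in for the PAM -> LDAP password validation step.
# "boomer" can authenticate but has no mapfile entry, to show that branch.
SAMPLE_PASSWORDS = {"starbuck": "viper-8", "apollo": "viper-1", "boomer": "raptor-3"}


def parse_mapfile(text):
    """Return {username: DN}. DNs are quoted because they contain spaces.
    Blank lines and '#' comments are skipped. The CA reads this file in the
    username -> DN direction, so one username mapping to two different DNs
    is an error: the CA would not know which subject to certify."""
    by_user = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)  # honours the quoted DN
        if len(fields) != 2 or not fields[0].startswith("/"):
            raise ValueError(f'mapfile line {lineno}: expected "/DN" username')
        dn, user = fields
        if user in by_user and by_user[user] != dn:
            raise ValueError(f"mapfile line {lineno}: {user} maps to two DNs")
        by_user[user] = dn
    return by_user


def check_password(user, password, passwords=SAMPLE_PASSWORDS):
    """Stand-in for the PAM LDAP bind in the diagram (constant-time compare)."""
    expected = passwords.get(user)
    return expected is not None and hmac.compare_digest(expected, password)


def clamp_lifetime(requested_hours):
    """myproxy-logon lets the client request a lifetime; the CA enforces its
    own policy maximum regardless of what was asked for."""
    if requested_hours <= 0:
        raise ValueError("lifetime must be positive")
    return min(requested_hours, MAX_LIFETIME_HOURS)


def issue_credential(user, password, requested_hours=12,
                     mapfile_text=SAMPLE_MAPFILE, now=None):
    """Follow the slide's sequence and return a dict standing in for the
    signed short-lived certificate (no real X.509 signing here)."""
    if not check_password(user, password):
        raise PermissionError("LDAP password validation failed")
    mapping = parse_mapfile(mapfile_text)
    if user not in mapping:
        # Authenticated, but the CA has no DN to put in the subject.
        raise LookupError(f"no cert-mapfile entry for {user}")
    hours = clamp_lifetime(requested_hours)
    not_before = now or datetime.now(timezone.utc)
    return {
        "subject": mapping[user],
        "issuer": "<NERSC CA DN placeholder>",
        "not_before": not_before,
        "not_after": not_before + timedelta(hours=hours),
        "lifetime_hours": hours,
    }


if __name__ == "__main__":
    # Asking for 30 days still yields an 11-day credential for Kara Thrace.
    print(issue_credential("starbuck", "viper-8", requested_hours=24 * 30))
```

The two failure branches matter as much as the success path: a wrong password is rejected before the mapfile is consulted, and a user who authenticates but has no mapfile entry gets nothing rather than a certificate with an empty or guessed subject.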
Use Cases
• Workflows based on Globus Gatekeeper, GridFTP, GSISSH
  – OSG, Atlas, STAR, Planck etc.
  – Climate Data Transfer over WAN
• Portals - Trusted portal requests a short-lived cert and uses it on your behalf
  – Globus Online
  – NEWT - NERSC Web API (REST API to access NERSC)
  – Science Gateways
Issues
• Current model cannot do single sign-on across NERSC resources.
• CA key expiring in 2013; future of ESnet Root CA is uncertain.
• HSM is slow and rejects requests under load
  – 10-15 seconds to sign a single request
Enabling Single Sign-On
• NERSC already runs a Shibboleth IdP to provide single sign-on for web resources
• We'd like to use NEWT and Science Gateways via SSO
  – Sign in once to Shib
  – Enable access to grid resources via Shib token
• Using Shib-OAuth-MyProxy CA (from NCSA) would allow us to use the user's Shib credentials to create a certificate.
• Proposal: Expand NERSC CA scope to cover Shib authentication. Update to CP/CPS?
Shib Login
• Login once to the Shib OAuth service using NERSC username/password.
• Client browser gets an OAuth token.
• Browser presents the token to a trusted web service (NEWT, Science Gateway).
• OAuth assertion authorizes the web service to retrieve a certificate.
Design 1 (diagram only)
Design 2 (diagram only)
New CA Certificate and HSM
• We would like to move to a more robust HSM solution.
  – Something that works with Shib-MyProxy CA
  – Reasonable performance (1 sec signing time)
  – Does OK under load (handles multiple simultaneous requests)
  – Suggestions?
• We need to issue a new CA cert.
  – Is a self-signed cert OK?
  – What do we need to do wrt the IGTF process?