Certification Authorities in LA and links with TAGPMA
Vanessa Hamar (ULA) / Jorge Gomes (LIP), [email protected] / [email protected]
First Latin American EELA Workshop, Mérida, 24.04.2006
www.eu-eela.org – E-infrastructure shared between Europe and Latin America


Page 1: Certification Authorities in LA and links with TAGPMA (title slide)

Page 2: Pilot Testbed operation and support
Segundo Taller Latino Americano de Computación Grid – Primer Taller Latino Americano de EELA – Primer Tutorial Latino Americano de EELA (Second Latin American Grid Computing Workshop – First Latin American EELA Workshop – First Latin American EELA Tutorial)

EELA aims to establish a common, interoperable Pilot Grid Testbed between existing resources in Latin America and Europe, based on the EGEE middleware framework. The EELA Pilot Testbed supports dissemination activities and application exploitation.

EELA will start with a reduced set of sites that will be expanded as the project evolves. The range of users, however, will include all partners and also new users not yet identified.

Grid authentication is the first major deployment issue.

Page 3: Relationships with other projects

• EELA will work closely with several international projects:
– EGEE: use of the EGEE middleware to set up a pilot e-infrastructure interoperable with EGEE. EELA will set up an LA ROC (Regional Operations Centre) following the EGEE model. The EELA European partners already operate grid infrastructures integrated into EGEE.
– Close collaboration with other projects: ALICE/GEANT, EUCHINAGRID, EUMEDGRID, SEE-GRID, …
• EELA must be interoperable with these projects!

Page 4: Authentication

• Most grid infrastructures, including the ones based on EGEE/LCG middleware, use X.509 certificates for authentication.
• How it works:
– Each user, system or service must have a certificate that is used for authentication purposes.
– To ensure the identity of each subject (user, system or service), the certificate must be signed by a trusted authority that asserts that the certificate belongs to the subject.
– These are the so-called certification authorities (CAs), which:
  accept certificate requests and verify the subject's identity;
  sign the successfully verified certificate requests;
  revoke certificates when needed;
  issue lists of revoked certificates (CRLs).
– An X.509 authentication infrastructure is called a PKI (Public Key Infrastructure).

Page 5: Authentication

• In the grid world one single CA usually covers a predefined geographic region or administrative domain:
– a large organization;
– a country;
– a set of countries (scalability can be an issue).
• A common international trust domain for grid computing has been created to join the several existing certification authorities into a single authentication domain, thus enabling the sharing of grid resources worldwide.
• The International Grid Trust Federation (IGTF) has been created to coordinate and manage this trust domain.

Page 6: IGTF

• The international scientific community is working to deploy computational Grids for the advancement of science and engineering.
• The promise of global computational Grids requires policies and procedures that reliably identify Grid subscribers and resources.
• A number of regional and large PKIs have established Policy Management Authorities (PMAs) to manage their individual certification process.
• The goal of the IGTF is to foster harmonization and synchronization of these various PMAs' policies, to allow a global trust relationship to be established.
• Three PMAs have been created, covering three world regions:
– European Grid PMA (EUgridPMA)
– Asia Pacific Grid PMA (APgridPMA)
– The Americas Grid PMA (TAGPMA)
• The European Grid PMA was the first PMA to be established; it was born from the DataGrid Certification Authorities Coordination Group (CACG) that was established by the DataGrid and CrossGrid projects.

Page 7: IGTF

International Grid Trust Federation (Working to Establish Worldwide Trust for Grids), http://www.gridpma.org

(Figure: map of the three PMA regions and their member CAs; the list is always growing.)

EUgridPMA (Europe) region: LIP CA (Portugal), CERN CA (Switzerland), CNRS Grid (France), CyGrid (Cyprus), CESNET (Czech Republic), DutchGrid (Netherlands), GermanGrid (Germany), HellasGrid (Greece), GridIreland (Ireland), INFN CA (Italy), Belnet (Belgium), Grid-PK (Pakistan), SIGNET (Slovenia), EstonianGrid (Estonia), AustrianGrid (Austria), NIIF/HungarNet (Hungary), IHEP (China), BalticGrid (Europe), TR-Grid (Turkey), NorduGrid (Nordic countries), PolishGrid (Poland), Russian Datagrid (Russia), SlovakGrid (Slovakia), DataGrid-ES (Spain), UK e-Science (United Kingdom), BelnetGrid (Belgium), FNAL Grid (USA), GridCanada (Canada), DOEGrids (USA), ArmeSFo (Armenia), IUCC (Israel), ASCCG (Taiwan), SeeGrid (Europe), RMKI (Hungary), SWITCH (Switzerland), DFN (Germany), RDIG (Russia), PKIrisGrid (Spain)

Americas PMA region: DOEGrids (USA), GridCanada (Canada), FNAL (USA)

Asia Pacific PMA region: AIST (Japan), APAC (Australia), ASGCC (Taiwan), SDG (China), IHEP (China), KISTI (Korea), Naregi (Japan), BMG (Singapore), CMSD (India), HKU (Hong Kong), NCHC (Taiwan), Osaka U. (Japan), USM (Malaysia)

Page 8: EUgridPMA

The EUgridPMA is a body that establishes requirements and best practices for grid identity providers, to enable a common trust domain applicable to the authentication of end entities in inter-organisational access to distributed resources. As its main activity the EUgridPMA coordinates a Public Key Infrastructure (PKI) for use with Grid authentication middleware. The EUgridPMA itself does not provide identity assertions, but instead asserts that the certificates issued by the accredited authorities meet or exceed the relevant guidelines.

(Figure: relying parties)

Page 9: TAGPMA

• The Americas Grid PMA (TAGPMA) is a regional PMA created to cover the Americas, from Canada to the tip of Chile.
• TAGPMA was created in 2005 and its membership and activities are just starting.
• The appearance of potential new CAs in LA, supported by the EELA project, has been welcomed by TAGPMA: they provide the needed push to start the charter.
• This situation is also welcomed by the EUgridPMA, which already has too many members.
• Members of the TAGPMA that operate a classic PKI-based authentication service must continue to operate the service under the Classic PKI Authentication Profile that is maintained by the EUgridPMA.
• For more information see: http://www.tagpma.org/

Page 10: Accreditation

• For new CAs to be accepted as an IGTF PMA member they have to pass through a rigorous and extensive accreditation process.
• The CA policies and operations must be extensively documented in a CP/CPS (Certificate Policy / Certification Practice Statement) document.
• The CP/CPSs are reviewed by the PMA members.
• The CA online repositories are checked by the PMA.
• The CA managers must attend the PMA face-to-face meetings, present the CA and answer all questions from the other members, including other CA managers and relying parties.
• The CA must implement all required changes.
• This is an iterative process that aims to establish trust.

Page 11: EELA Authentication

• Upon the start of EELA there were no Latin American CAs recognized by IGTF or any of its three PMAs.
• For EELA the deployment of a PKI in Latin America recognized by IGTF is fundamental for the deployment of the grid computing pilot testbed and for the project's success.
• This PKI is a basic requirement for the successful dissemination and extension of grid technologies into the LA countries.
• EELA is setting up a PKI authentication infrastructure:
– compatible with EGEE, LCG, and other EGEE/LCG-based projects;
– internationally accepted/recognized (IGTF);
– that can remain operational beyond the end of the project, as one of the project outcomes: allowing further future projects in LA and within each country, and enabling LA scientific users to share and access resources at a global level.

Page 12: EELA and CAs

• The IGTF is a recent development.
• When the EELA Technical Annex was written the IGTF did not yet exist.
• The EELA strategy had to be adjusted:
– Short term (for the immediate needs): use the existing catchall CA from CNRS (France).
  • This is a temporary solution.
  • By the end of the year EELA needs a better working solution.
– Medium term:
  • Contact IGTF through EUgridPMA (where some of the project partners are CA representatives).
  • Ask for the help of the PMAs in the setup and accreditation of the CAs.
  • Establish new CAs in LA: one per country where possible, one catchall CA for the whole LA region, using the classic CA profile.
  • Obtain accreditation from the TAGPMA.

Page 13: Classic Profile

• What is it:
– The CA signs and revokes certificates.
– These are long-term certificates (one year).
– The CA has subordinate RAs (Registration Authorities) that just perform the administrative task of checking the subject's identity in different organizations or departments.
– The other possible profile is the SLCS (Short Lived Credential Service), where short-lifetime certificates are issued based on other credentials such as Kerberos tickets, but this is not yet recognized at the IGTF level.
• Advantages:
– It is the best-known CA profile.
– A lot of know-how and solutions exist.
– Most of the CAs operating today use the classic profile.
– It is the easiest to support across administrative domains.
– The profile requirements are stable and controlled by EUgridPMA.

Page 14: Classic Profile

• A network of subordinate RAs is necessary to perform the identity verification of the subjects.
• The RAs will be created at the level of the organizations or at the level of departments:
– operating at university- or research-centre-wide level (more difficult);
– operating at the level of a department or group.
– The CA can also operate an RA, but do not forget that the physical presence of the subject is required for identity verification.
• The RAs will be created only upon request; their creation should be user driven.

(Figure: one CA with a subordinate RA at each of Univ A, Univ B, Univ C, Univ D, Univ E, Univ F and Univ G.)

Page 15: Classic profile

• How to obtain a certificate:
– A certificate request is performed.
– The user's identity is confirmed by the RA.
– The certificate is issued by the CA.
– The certificate is used as a key to access the grid.
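The life cycle sketched on this slide, together with the CA duties listed on page 4 (accept requests and verify identity, sign, revoke, publish lists of revoked certificates), as an added example that is not code from EELA, IGTF or any of the CAs discussed: a throw-away classic-profile CA driven with the OpenSSL command line, with a relying party's verification step included so that revocation is visible end to end. The DNs, file names, the single shared config file, the RA's list of vetted identities and the use of unencrypted private keys are assumptions made so the script runs unattended.

```shell
#!/bin/sh
# Added example (not code from EELA, IGTF or any accredited CA): the classic-profile certificate
# life cycle, request -> RA identity check -> CA signature -> use by a relying party -> revocation
# -> CRL, driven with the OpenSSL command line. DNs, file names, the single shared config file
# and the RA's list of vetted identities are assumptions made for this demonstration.
set -eu
WORK="${WORK:-$(mktemp -d)}"
CA_DIR="$WORK/ca"
CONF="$WORK/openssl.cnf"   # one config serves CA, RA and user here; in reality each keeps its own

# --- CA side: CA key, self-signed CA certificate, 'openssl ca' state and the first (empty) CRL.
ca_setup() {
    mkdir -p "$CA_DIR/newcerts" "$WORK/users"
    : > "$CA_DIR/index.txt"
    echo 01 > "$CA_DIR/serial"
    echo 01 > "$CA_DIR/crlnumber"
    cat > "$CONF" <<EOF
[ req ]
prompt = no
distinguished_name = req_dn
[ req_dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ ca ]
default_ca = classic
[ classic ]
dir = $CA_DIR
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.pem
private_key = \$dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_classic
x509_extensions = end_entity
[ policy_classic ]
domainComponent = optional
commonName = supplied
[ end_entity ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    openssl req -x509 -config "$CONF" -extensions v3_ca -newkey rsa:2048 -nodes -days 3650 \
        -subj "/DC=org/DC=example-grid/CN=Example Grid CA" \
        -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.pem" 2>/dev/null
    # Constructed RA registry: subjects whose identity the RA verified in person (RFC 2253 form).
    printf '%s\n' "CN=Alice Example,DC=example-grid,DC=org" \
                  "CN=Bob Example,DC=example-grid,DC=org" > "$CA_DIR/ra_vetted.txt"
    ca_gencrl   # relying parties need a CRL from day one, even an empty one
}

# --- User side: key pair plus certificate request (CSR) carrying the user's DN. A classic-profile
# CA requires the private key to be passphrase protected; -nodes is used only so the demo is unattended.
user_request() {   # $1 = short name, $2 = subject in OpenSSL /A=b/C=d form
    openssl req -new -config "$CONF" -newkey rsa:2048 -nodes -subj "$2" \
        -keyout "$WORK/users/$1.key" -out "$WORK/users/$1.csr" 2>/dev/null
}

# Subject DN of a CSR or certificate in RFC 2253 form, e.g. CN=Alice Example,DC=example-grid,DC=org
subject_of() {     # $1 = path to a .csr or .pem file
    case "$1" in
        *.csr) openssl req  -config "$CONF" -noout -subject -nameopt RFC2253 -in "$1" ;;
        *)     openssl x509 -noout -subject -nameopt RFC2253 -in "$1" ;;
    esac | sed 's/^subject= *//'
}

# --- RA side: confirm that the CSR subject is an identity the RA has vetted; nothing more.
ra_confirm() {     # $1 = path to CSR; exit status 0 = identity confirmed
    subject_of "$1" | grep -Fxq -f "$CA_DIR/ra_vetted.txt"
}

# --- CA side: sign only after RA confirmation; revoke; publish a fresh CRL.
ca_sign() {        # $1 = short name
    ra_confirm "$WORK/users/$1.csr" || return 1
    openssl ca -batch -config "$CONF" -in "$WORK/users/$1.csr" -out "$WORK/users/$1.pem" >/dev/null 2>&1
}
ca_revoke() { openssl ca -config "$CONF" -revoke "$WORK/users/$1.pem" >/dev/null 2>&1; }
ca_gencrl() { openssl ca -config "$CONF" -gencrl -out "$CA_DIR/crl.pem" >/dev/null 2>&1; }

# --- Relying party (grid site): trust the CA certificate and reject anything on the CA's current CRL.
rp_verify() {      # $1 = short name; exit status 0 only if the chain is valid and the cert is not revoked
    cat "$CA_DIR/ca.pem" "$CA_DIR/crl.pem" > "$WORK/trust.pem"
    openssl verify -crl_check -CAfile "$WORK/trust.pem" "$WORK/users/$1.pem" 2>&1 | grep -q ': OK$'
}

ca_setup
user_request alice "/DC=org/DC=example-grid/CN=Alice Example"
ca_sign alice   && echo "issued:   $(subject_of "$WORK/users/alice.pem")"
rp_verify alice && echo "accepted: alice (valid chain, not on the CRL)"
ca_revoke alice && ca_gencrl
rp_verify alice || echo "rejected: alice (revoked, now listed on the CRL)"
```

The RA step is the human part of the profile: in the script it reduces to matching the CSR subject against the list of identities the RA vetted face to face, which is exactly why a request for an unvetted subject never reaches the signing step. Note also that the relying party only learns about the revocation once the CA has issued a new CRL and the site has fetched it; a CA that revokes without publishing, or a site that never refreshes its CRLs, leaves the revoked certificate usable.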

Page 16: Why one CA per country

(Needed for large deployment; this is the model recommended by EUgridPMA.)

– Long-term scalability: Latin America is a huge geographic area; many LA countries are quite large; the potential number of users and end entities is high.
– Long-term sustainability: there is a cost associated with the operation of the CAs; a single large CA would raise the cost and funding issue; national CAs are easier to fund.
– Awareness of local details: better knowledge of the local law; better knowledge of the local academic environment.
– Better coordination and support: nearest to the end users; same language; better understanding of the needs and difficulties.
– Flexibility: easier to adapt to new local requirements.
– Robustness and security: if a CA fails, the implications will be limited to a single country.

Page 17: Catchall CA

• A catchall CA is used to issue certificates to organizations in regions without a specific national CA when:
– the national CAs are still being deployed;
– there are difficulties in setting up a national CA.
• EELA is setting up a catchall CA for the Latin American region.
• The CA will be operated by the Universidade Federal Fluminense (UFF) in Brazil.

Page 18: Current CNRS RAs

• As a short-term solution EELA is obtaining certificates for the LA partners from the French CNRS catchall CA.
• Four RAs have been established:
– UFF (Universidade Federal Fluminense), Instituto de Computação (Vinod Rebello)
– UFRJ (Universidade Federal do Rio de Janeiro), Instituto de Física (Diego Carvalho)
– UNAM (Universidad Nacional Autónoma de México), Instituto de Ciencias Nucleares (Lukas Nellen)
– ULA (Universidad de los Andes), Centro Nacional de Cálculo Científico (Vanessa Hamar)
• More will be established as necessary.
• The use of the CNRS catchall CA is a temporary measure with reduced scalability.

Page 19: EELA Candidate CAs

• Argentina: UNLP – Universidad Nacional de La Plata; Javier Diaz <[email protected]>
• Brazil: UFF – Universidade Federal Fluminense; Vinod Rebello <[email protected]>
• Chile: REUNA – Red Universitaria Nacional; Juan Carlos Martínez <[email protected]>
• Peru: SENAMHI – Servicio Nacional de Meteorología e Hidrología del Perú; Richard Miguel <[email protected]>
• México: UNAM – Universidad Nacional Autónoma de México; Juan Carlos Guel <[email protected]>
• Venezuela: ULA – Universidad de los Andes; Vanessa Hamar <[email protected]>

Page 20: EELA Candidate CAs

CA         Hosting organization   Status
Argentina  UNLP                   CP/CPS reviewed by TAGPMA, CA infrastructure being deployed
Brazil     UFF                    CP/CPS reviewed by TAGPMA, CA infrastructure being deployed
Catchall   UFF                    CP/CPS reviewed by TAGPMA, CA infrastructure being deployed
Chile      REUNA                  CP/CPS reviewed by TAGPMA, CA infrastructure being deployed
Mexico     UNAM                   CP/CPS reviewed by TAGPMA, CA infrastructure being deployed
Venezuela  ULA                    CP/CPS under internal review by EELA
Peru       SENAMHI                Working on the CP/CPS

Page 21: Status

• EELA was presented for the first time at the EUgridPMA meeting held in Vienna (Austria) in January:
– The EELA project was very well received by both the EUgridPMA and the TAGPMA members present at the meeting.
– The organization of the first TAGPMA face-to-face meeting was agreed, to be held in Rio de Janeiro.
• The deployment work started in January with the focus on the operation procedures and certification practices.
• EELA members started to participate in TAGPMA videoconferences.
• EELA was officially accepted as a TAGPMA member representing a major relying party.
• In March the CP/CPSs of the CAs were submitted to the TAGPMA for review.
• In March the first TAGPMA face-to-face meeting was organized in Rio de Janeiro with the help of RNP:
– During the meeting the EELA CAs currently being deployed were presented and their CP/CPSs discussed.
– The CP/CPSs were considered of very good quality.

Page 22: Status

• Most EELA CAs are now actually being deployed, which includes:
– customization and deployment of the CA management software;
– setup of the required systems and services: the CA repository and the CA signing station.
• Full TAGPMA accreditation should be obtained at the next face-to-face meeting, to be held in Canada.

Page 23: Authorization

• The possession of a certificate does not by itself give the right of access to any grid resource.
• The EELA grid authorization is based on the VO (Virtual Organization) concept.
• VOs are basically groups of users that share common or similar interests and that wish to share the same resources.
• Instead of authorizing users individually, site access is allowed on a VO basis, enabling better scalability:
– The site manager does not need to add individual users.
– The site manager authorizes entire VOs.
– The site manager can refuse specific certificate subjects.
• The management of a VO is a responsibility of the VO itself, which designates a VO manager for that purpose.
• The VO manager is responsible for allowing or denying access to the VO based on the VO policies.
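The site-side decision described on this slide (authorize whole VOs, map them to local accounts, still refuse specific certificate subjects), as an added example that is not EELA's or EGEE/LCG's own code: a small POSIX shell policy check. The VO names, membership lists, the site's VO-to-account map, the ban list and the DNs are constructed for this demonstration; a real site obtains VO membership from the VO manager's service rather than from local files, and the DN it checks is the subject of a certificate that has already passed the chain and CRL checks.

```shell
#!/bin/sh
# Added example, not EELA/EGEE code: VO-based site authorization with per-subject refusal.
# VO membership lists, the site policy files and all DNs are constructed for this demonstration.
set -eu
SITE="${SITE:-$(mktemp -d)}"
mkdir -p "$SITE/vo"

# Constructed VO membership lists, one file per VO, one subject DN (RFC 2253 form) per line,
# standing in for what each VO manager publishes.
printf '%s\n' "CN=Alice Example,DC=example-grid,DC=org" \
              "CN=Mallory Insider,DC=example-grid,DC=org" > "$SITE/vo/eela.members"
printf '%s\n' "CN=Bob Example,DC=example-grid,DC=org"     > "$SITE/vo/biomed.members"

# Constructed site policy: the VOs this site accepts and the local account each VO maps to.
printf '%s\n' "eela eela001" > "$SITE/vo-map"
# Subjects the site manager has refused explicitly; this overrides any VO membership.
printf '%s\n' "CN=Mallory Insider,DC=example-grid,DC=org" > "$SITE/banned"

# authorize DN: prints "VO ACCOUNT" and returns 0 when access is granted; returns 1 (silently) otherwise.
authorize() {
    dn=$1
    # Rule 1: an explicitly refused subject is rejected whatever VOs it belongs to.
    if grep -Fxq "$dn" "$SITE/banned"; then
        return 1
    fi
    # Rule 2: the subject must be listed by a VO this site has authorized; the first
    # authorized VO that lists the DN wins and supplies the local account.
    while read -r vo account; do
        if grep -Fxq "$dn" "$SITE/vo/$vo.members" 2>/dev/null; then
            printf '%s %s\n' "$vo" "$account"
            return 0
        fi
    done < "$SITE/vo-map"
    # Rule 3: everything else is refused, including members of VOs the site does not serve.
    return 1
}

# Decide for a few subjects; only Alice is both in an authorized VO and not banned.
for dn in "CN=Alice Example,DC=example-grid,DC=org" \
          "CN=Mallory Insider,DC=example-grid,DC=org" \
          "CN=Bob Example,DC=example-grid,DC=org" \
          "CN=Eve Nobody,DC=example-grid,DC=org"; do
    if result=$(authorize "$dn"); then
        echo "ALLOW $dn -> ${result#* } (VO ${result%% *})"
    else
        echo "DENY  $dn"
    fi
done
```

Adding a VO to the site's map is the only change needed to admit all of that VO's members (Bob gets in as soon as "biomed" is mapped), while the ban list keeps the site manager's per-subject veto independent of what the VO manager decides.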

Page 24: Future and conclusions

• An international federation for authentication in grid computing is already in operation worldwide.
• The EELA efforts will enable the creation of Latin American certification authorities recognized worldwide.
• We would like to identify other potential end entities and relying parties interested in the usage of certificates for grid computing in Latin America, to:
– take further advantage of the authentication infrastructure being deployed;
– join the EELA grid infrastructure.