Date posted: 19-Dec-2015
USCGrid: KX.509 & Enterprise Security
http://www.usc.edu/isd/services/uscgrid
April 2003, USCGrid at Internet2

• KX.509 as an alternative
• Specific experience with KX.509 at USC
• KX.509 & Campus Certificate Policies
KX.509 as an alternative
Q: What if your enterprise already has a non-PKI authentication mechanism in place? Can an existing security mechanism be leveraged to get the user population on the grid? Or does an entire parallel PKI mechanism need to be created?
A: If your existing enterprise authentication mechanism is Kerberos, the answer is KX.509. KX.509 allows you to authenticate to Kerberos, then create a proxy certificate based on your Kerberos credential. Suddenly, everyone with a Kerberos credential is grid-enabled.
Q: What about server certificates? Can I use Kerberos to create those?
A: Kerberos does not affect server certificates. They must still be generated or acquired the ‘old-fashioned way’ – for instance, by purchasing one through Verisign.
Specific experience with KX.509 at USC
Q: What does USC’s KX.509 setup look like?
A: USCGrid comprises a Beowulf cluster, a Sunfire 15k called almaak.usc.edu, and a recently upgraded Condor pool made up of 110 Unix workstations in a public user room.
Kerberos and KX.509 are directly available through an NFS-mounted file system, /usr/usc, to anyone with a Solaris or Linux workstation. Those with PCs or Macs must ssh to a Unix timesharing system, such as almaak.
The KCA runs on hpc-master.usc.edu, the head node for our 576-node, 1152-CPU Beowulf cluster.
Q: To use locally-controlled grid resources, a user must be added to the grid mapfile. KX.509 users don’t have a public certificate. How can they be added to a grid mapfile?
A: We have a fairly simple-minded method currently for users to follow to request that they be added to the USCGrid mapfile. Each user must send an email message containing a copy of his or her kx509 certificate to the USCGrid administrator:
Example:
    almaak.usc.edu(23): source /usr/usc/nmi/default/setup.csh
    almaak.usc.edu(24): kinit
    Password for [email protected]:
    almaak.usc.edu(25): kx509
    almaak.usc.edu(26): kxlist -p
    Service kx509/certificate
    issuer= /C=US/ST=California/L=Los Angeles/O=University of Southern California/CN=usc.edu
    subject= /C=US/ST=California/L=Los Angeles/O=University of Southern California/OU=usc.edu/CN=ucs/USERID=ucs/[email protected]=A8
    hash=e6078654
    almaak.usc.edu(27): grid-proxy-info | \
        mail -s "add me to grid mapfile" \
        [email protected]
The Unix sysadmin can then add an entry to the grid mapfile using the information from grid-proxy-info:
    "/C=US/ST=California/L=Los Angeles/O=University of Southern California/OU=usc.edu/CN=shelley/USERID=shelley/[email protected]" shelley
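An added example, not from this talk or from the KX.509/Globus distributions, of the checks a sysadmin could script before pasting a mailed DN into the mapfile: it strips the Globus /CN=proxy suffix, verifies the certificate was issued by the campus KCA, verifies that the DN's CN and USERID name the very Unix account being mapped, and refuses a DN already mapped to another account. The KCA issuer DN is the one kxlist -p prints above; the sample subject for the user "shelley", its Email attribute name and the /CN=proxy suffix are constructed assumptions.

```python
# Issuer DN of the campus KCA, as printed by kxlist -p above.
KCA_ISSUER = ("/C=US/ST=California/L=Los Angeles"
              "/O=University of Southern California/CN=usc.edu")
# Constructed sample of a mailed proxy subject for the page's user "shelley";
# the Email attribute name and the /CN=proxy suffix are assumptions.
SAMPLE_SUBJECT = ("/C=US/ST=California/L=Los Angeles/O=University of Southern California"
                  "/OU=usc.edu/CN=shelley/USERID=shelley/Email=shelley@usc.edu/CN=proxy")

def parse_dn(dn):
    """Split an OpenSSL-style '/k=v/k=v' DN into an ordered list of (key, value)."""
    if not dn.startswith("/") or '"' in dn:
        raise ValueError("bad DN: %r" % dn)
    pairs = []
    for rdn in dn[1:].split("/"):
        key, sep, value = rdn.partition("=")
        if not sep or not key or not value:
            raise ValueError("malformed RDN: %r" % rdn)
        pairs.append((key, value))
    return pairs

def end_entity_dn(subject):
    """Drop trailing legacy Globus proxy components so the entry names the user cert."""
    pairs = parse_dn(subject)
    while pairs and pairs[-1] in (("CN", "proxy"), ("CN", "limited proxy")):
        pairs.pop()
    return "/" + "/".join("%s=%s" % kv for kv in pairs)

def mapfile_entry(subject, issuer, local_user):
    """Return the grid-mapfile line for this request, or raise if it must not be added."""
    if issuer != KCA_ISSUER:
        raise ValueError("certificate was not issued by the campus KCA")
    dn = end_entity_dn(subject)
    attrs = dict(parse_dn(dn))
    # The KCA puts the Kerberos principal in CN and USERID; map only to that account.
    if attrs.get("CN") != local_user or attrs.get("USERID") != local_user:
        raise ValueError("DN names %r, not %r" % (attrs.get("USERID"), local_user))
    return '"%s" %s' % (dn, local_user)

def add_entry(mapfile_lines, entry):
    """Append entry unless its DN is already mapped; refuse if mapped to another account."""
    dn, _, user = entry.rpartition(" ")
    mapped = dict(line.rpartition(" ")[::2] for line in mapfile_lines)
    if mapped.get(dn, user) != user:
        raise ValueError("DN already mapped to %r" % mapped[dn])
    return mapfile_lines if dn in mapped else mapfile_lines + [entry]

if __name__ == "__main__":
    print(add_entry([], mapfile_entry(SAMPLE_SUBJECT, KCA_ISSUER, "shelley")))
```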
Q: How hard is it to install and maintain KX.509?
A: KX.509 is my favorite NMI component. You install it, no problem. Then it runs. Really.
KX.509 & Campus Certificate Policies
Q: What about certificate policies? Do I still have to implement certificate policies if we use KX.509?
A: KX.509 doesn’t buy you out of dealing with certificate policies. In a small way, it’s harder to cross-certify because you’re ‘different’. We’re working on this with ‘the security community’ – stay tuned.