Post on 13-Jan-2016
APGrid PMA face-to-face meeting, 4/8/2008
PRAGMA-UCSD CA
Cindy Zheng, PRAGMA Grid Coordinator
Pacific Rim Application and Grid Middleware Assembly
http://www.pragma-grid.net
http://goc.pragma-grid.net
Overview
• PRAGMA
• PRAGMA Grid
• Purpose of PRAGMA-UCSD CA
• PRAGMA-UCSD CA setup
  – (x.y.z) references the relevant CP/CPS section number
PRAGMA
PRAGMA: A Practical Collaborative Framework
http://www.pragma-grid.net
• Strengthen Existing and Establish New Collaborations
• Work with Science Teams to Advance Grid Technologies and Improve the Underlying Infrastructure
• In the Pacific Rim and Globally
• 35 institutions, 14 countries
PRAGMA’s Collaborative Framework
(Diagram: Education, Grid, Software, Science)
Source: Philip Papadopoulos, Global Engagement
• GLEON (and CREON) – From Telescience WG
  – Global Lake Ecological Observatory Network (and Coral Reef)
  – Grassroots effort to understand lake dynamics
• Avian Flu Grid – From Biosciences WG
  – Integrates technologies for shared infrastructure
• PRIME: Pacific Rim Experiences for Undergraduates
  – Prepares globally-enabled workforce
  – Immersive: Research Apprenticeship; Cultural Experience
• PRIUS: Pacific Rim International UniverSity, Osaka University
  – Prepares global workforce
  – Within context of curriculum and research experience
• PRAGMA: Pacific Rim Application and Grid Middleware Assembly
  – Catalyzes collaborations
  – Applications drive technology developments
• OptIPuter: SAGE
• Ninf-G, Gfarm, Nimrod, SCMSWeb, CSF4, Naregi CA, Opal, MOGAS, Mgrid, Rocks, GAMA, Condor, Access Grid
• GEO, GEON
• DataTurbine, Inca
PRAGMA Grid
32 institutions in 16 countries/regions, 27 compute sites (+ 9 in preparation)
(Map of sites, listed here by country/region)
• Australia – MU; APAC, QUT
• Chile – UChile
• China – JLU; CNIC, GUCAS; LZU
• Costa Rica – CeNAT-ITCR
• Hong Kong – CUHK
• India – UoHyd
• Indonesia – SKU, UI
• Japan – AIST, Osaka U, U Tsukuba, TITech
• Korea – KISTI
• Malaysia – MIMOS, USM
• Mexico – CICESE; UNAM
• New Zealand – BESTGrid
• Philippines – ASTI
• Puerto Rico – UPRM
• Singapore – BII, IHPC, NGO, NTU
• Switzerland – UZH
• Taiwan – ASGC, NCHC
• Thailand – NECTEC, ThaiGrid
• USA – SDSC; UUtah; NCSA; BU
• Vietnam – HCMUT, HUT, IOIT-HCM
PRAGMA Grid Members and Team
http://goc.pragma-grid.net/wiki/index.php/Site_status_and_tasks
• Sites
  – 23 sites from PRAGMA member institutions
  – 15 sites from non-PRAGMA member institutions
  – 27 sites contributed compute clusters
• Team members
  – 170 and growing
  – One management contact per site
  – 1–3 technical support contacts per site
  – 1–4 application drivers per application
  – 1–5 per middleware development team
Why PRAGMA-UCSD CA?
• PRAGMA experimental CA
  – Only used within PRAGMA Grid
• Grid interoperation and future
  – Need an IGTF-compliant catch-all production CA
• Near term
  – Only issue certificates from the production CA when needed
PRAGMA-UCSD CA Team
• CA – Cindy Zheng, Mason Katz (UCSD)
• RA – Mason Katz, Anoop Rajendra (UCSD)
• PMA – Yoshio Tanaka (AIST)
• Security Officer – Phil Papadopoulos (UCSD)
• pragma-ucsd-ca@sdsc.edu reaches no more and no less than these 5 people
CP/CPS
• Structured as defined in RFC 3647
• http://goc.pragma-grid.net/ca/cp-cps
• OID – 1.3.6.1.4.1.13230.101.2.1.0
  – Set for CP/CPS (1.2)
  – Set as the policy identifier in the certificatePolicies v3 extension
  – Registered with IANA
  – Change procedure described in 9.12
CA Systems
• CA server is dedicated and off-line
• RA server is dedicated and on-line
• CA software is naregi-wp5-nas-070112
Physical Security
• CA and RA servers are in a lockable office
  – 2 keys (Cindy Zheng, Karan Bhatia)
• CA server is in a locked cabinet in the office
  – Only Cindy (CA) has the key
• Access log
  – Logged by email to pragma-ucsd-ca@sdsc.edu
  – Email archive is included in the monthly backup
CA Key and Passphrase
• CA key length 2048 bits (6.1.5)
• CP/CPS 6.4 describes CA key protection
  – Passphrase >= 15 characters
  – Only known by CA and RA
  – In 2 sealed envelopes in 2 separate locked drawers in Cindy (CA) and Mason (RA)’s offices
  – Only Cindy and Mason have the keys to the drawers
  – The sealed envelopes are kept separate from the backed-up private key
Encrypted Private Key Backup
• On offline media – USB drives
• Kept in a locked cabinet
• Only Anoop (RA) has the key
CA Certificate
• Lifetime 10 years (6.3.2)
• End entity lifetime 1 year
• BasicConstraints (7.1.2)
  – Marked as critical
  – Set as CA:TRUE
• KeyUsage (7.1.2)
  – Marked as critical
  – Values include keyCertSign, cRLSign
Certificate Revocation
• Can be requested by (4.9.2)
  – Subscribers
  – CA, RA
  – Others who can prove compromise or exposure of a private key
• An end entity must request revocation as soon as possible, but within one working day after detecting that (4.9.1)
  – he/she lost or compromised the private key pertaining to the certificate, or
  – the data in the certificate are no longer valid
• Authenticate the request (4.9.3)
  – Verify requestor identity by phone, VTC or face-to-face
  – Verify reason and evidence
• CA must react as soon as possible, but within one working day, to any revocation request received (4.9.5)
CRL
• Lifetime is 30 days
• Issued (4.9.7)
  – Every 3 weeks
  – Or immediately after a revocation
• http://goc.pragma-grid.net/ca/ca-certs/baec778c.r0
• Version: X.509 CRL v2
• Message digest algorithm: SHA-1 (as of 2008; SHA-1 has since been deprecated for certificate and CRL signatures)
User or Host/Service Certificates
• Key >= 1024 bits (6.1.5)
• Lifetime 1 year (6.3.2)
• User certificate must not be shared (4.5.1)
• End entity passphrase (6.2.8)
  – 12 characters or more (enforced by the Naregi-CA client software)
Issue Certificates
• Described in 4.1, 4.2:
  – User fills in and emails the application form
  – RA replies: asks for photo ID (fax or in person) and arranges an interview (in person or VTC)
  – RA interviews the user with a copy of the user application and a copy of the user photo ID, and fills in an RA checklist
  – Upon approval, RA signs the checklist and hands everything to CA
  – RA emails the user an encrypted license ID and the user guide URL
  – RA delivers the password to the user (fax or in person)
  – User installs the Naregi-CA client software, creates a certificate request and emails the acceptID to the pragma-ucsd-ca list
  – CA generates the new certificate and emails the user for retrieval
  – CA/RA file all documents
Names
• Meaningful names (3.1.2)
  – Reasonable association to the end entity
  – For host certificates, the CN is the FQDN
• Name uniqueness (3.1.5)
  – Checked against the list of issued certificates
  – Prefix and suffix (used to disambiguate)
• Verify host owner/administrator (3.2.2, 3.2.3)
  – Known organization in the PRAGMA community
  – Verified with a known contact of the host organization
End Entity Certificates
• X.509 format
• Extensions (7.1)
  – Policy Identifier contains an OID only: 1.3.6.1.4.1.13230.101.1
  – CRLDistributionPoints: URI://goc.pragma-grid.net/secure/certificates/baec778c.r0
  – keyUsage marked as critical
  – basicConstraints set to ‘CA: false’ and marked as critical
  – Host certificate: the FQDN is included as a dNSName in the SubjectAlternativeName
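Added example, not the PRAGMA-UCSD CA's or Naregi-CA's own configuration or code: the CA-certificate, CRL and end-entity profile from the CA Certificate, CRL and End Entity Certificates slides rebuilt with OpenSSL, with a checker that accepts a host certificate issued under the profile and rejects one issued without it. Assumptions not on the slides: openssl (1.1.1 or later) on PATH, the example DN and host.example.org, the placeholder passphrase, the end-entity keyUsage bits (the slides only say the extension is critical), and the CRL distribution point URL taken from the CRL slide. The CRL here is signed with SHA-256 rather than the SHA-1 the 2008 CA used, since SHA-1 is no longer acceptable for new signatures.

```shell
#!/bin/sh
# Added illustration, not PRAGMA-UCSD CA or Naregi-CA code: rebuild the CA,
# end-entity and CRL profile from these slides with OpenSSL, then check each
# object against it. Assumes openssl (>= 1.1.1) on PATH. Placeholders: the DN,
# host.example.org, the passphrase and the end-entity keyUsage bits. The CRL is
# signed with SHA-256 instead of the SHA-1 the 2008 CA used.
set -eu

CA_PASS='example-passphrase-15chars'  # real one: >= 15 chars, in sealed envelopes (6.4)

write_config() {                      # $1 = work directory; paths are relative to it
  cat > "$1/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
O = PRAGMA (example)
CN = PRAGMA-UCSD CA (example)
# CA certificate profile (7.1.2)
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
# end-entity (host) profile (7.1); the keyUsage bits are an assumption
[ v3_host ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
certificatePolicies = 1.3.6.1.4.1.13230.101.1
crlDistributionPoints = URI:http://goc.pragma-grid.net/ca/ca-certs/baec778c.r0
subjectAltName = DNS:host.example.org
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ ca ]
default_ca = pragma_ca
[ pragma_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir
serial = $dir/serial
crlnumber = $dir/crlnumber
default_md = sha256
default_crl_days = 30                 # CRL lifetime (4.9.7)
EOF
}

build_pki() {                         # $1 = empty work directory
  write_config "$1"
  ( cd "$1" || exit 1
    touch index.txt; echo 01 > serial; echo 01 > crlnumber
    # CA: 2048-bit key encrypted under the passphrase, 10-year self-signed cert (6.1.5, 6.3.2)
    openssl req -new -x509 -newkey rsa:2048 -sha256 -days 3650 -passout "pass:$CA_PASS" \
      -keyout ca.key -out ca.crt -config ca.cnf -extensions v3_ca
    # host key and request; the CN is the FQDN (3.1.2)
    openssl req -new -newkey rsa:2048 -nodes -keyout host.key -out host.csr \
      -config ca.cnf -subj '/O=PRAGMA (example)/CN=host.example.org'
    # conforming 1-year host certificate (6.3.2) under the v3_host profile
    openssl x509 -req -sha256 -days 365 -in host.csr -CA ca.crt -CAkey ca.key \
      -passin "pass:$CA_PASS" -CAcreateserial -extfile ca.cnf -extensions v3_host -out host.crt
    # deliberately non-conforming: the same request signed with no extension profile
    openssl x509 -req -sha256 -days 365 -in host.csr -CA ca.crt -CAkey ca.key \
      -passin "pass:$CA_PASS" -CAcreateserial -out bad.crt
    # CRL signed by the CA key; its lifetime comes from default_crl_days
    openssl ca -gencrl -config ca.cnf -cert ca.crt -keyfile ca.key -passin "pass:$CA_PASS" -out ca.crl
  )
}

x509_text()  { openssl x509 -in "$1" -noout -text; }
line_after() { awk -v pat="$1" '$0 ~ pat { getline; print; exit }'; }   # line after first match
key_bits()   { sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1; }

check_ca_cert() {                     # $1 = CA certificate; exit 0 if it matches 7.1.2
  t=$(x509_text "$1") || return 1
  printf '%s\n' "$t" | line_after 'Basic Constraints: critical' | grep -q 'CA:TRUE' || return 1
  printf '%s\n' "$t" | line_after 'Key Usage: critical' | grep -q 'Certificate Sign.*CRL Sign' || return 1
  b=$(printf '%s\n' "$t" | key_bits); [ "${b:-0}" -ge 2048 ] || return 1
  openssl x509 -in "$1" -noout -checkend 283824000 >/dev/null   # still valid 9 years out
}

check_host_cert() {                   # $1 = end-entity certificate; exit 0 if it matches 7.1
  t=$(x509_text "$1") || return 1
  printf '%s\n' "$t" | line_after 'Basic Constraints: critical' | grep -q 'CA:FALSE' || { echo "$1: basicConstraints"; return 1; }
  printf '%s\n' "$t" | grep -q 'Key Usage: critical' || { echo "$1: keyUsage not critical"; return 1; }
  printf '%s\n' "$t" | grep -q 'Policy: 1.3.6.1.4.1.13230.101.1' || { echo "$1: policy OID"; return 1; }
  printf '%s\n' "$t" | grep -q 'URI:http://goc.pragma-grid.net/' || { echo "$1: CRL DP"; return 1; }
  printf '%s\n' "$t" | grep -q 'DNS:' || { echo "$1: no dNSName"; return 1; }
  b=$(printf '%s\n' "$t" | key_bits); [ "${b:-0}" -ge 1024 ] || { echo "$1: key too short"; return 1; }
  # -checkend exits 0 only if the cert is still valid 366 days from now, which the 1-year profile forbids
  if openssl x509 -in "$1" -noout -checkend 31622400 >/dev/null; then echo "$1: lifetime > 1 year"; return 1; fi
}

check_crl() {                         # $1 = CRL, $2 = CA certificate
  t=$(openssl crl -in "$1" -noout -text) || return 1
  printf '%s\n' "$t" | grep -q 'Version 2' || return 1            # X.509 CRL v2
  printf '%s\n' "$t" | grep -q 'Next Update' || return 1
  printf '%s\n' "$t" | grep -qi 'sha1With' && return 1            # reject a SHA-1 signature
  openssl crl -in "$1" -noout -CAfile "$2" >/dev/null 2>&1        # signature verifies with the CA cert
}

PKI_DIR="${PKI_DIR:-$(mktemp -d)}"
build_pki "$PKI_DIR" >/dev/null 2>&1
check_ca_cert "$PKI_DIR/ca.crt"
check_host_cert "$PKI_DIR/host.crt"
check_crl "$PKI_DIR/ca.crl" "$PKI_DIR/ca.crt"
if check_host_cert "$PKI_DIR/bad.crt"; then echo 'bad.crt wrongly accepted'; exit 1; fi
echo "profile checks passed in $PKI_DIR"
```

The same check functions can be pointed at a certificate and CRL fetched from the CA's web repository: check_host_cert fails on the first profile item that is missing and names it, which is the check a relying party or an APGrid PMA reviewer would want before trusting the issuer's stated profile.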
Rekey, Renew and Modification
• Certificate rekey is described in 4.7:
  – Reasons for rekey: certificate revoked or expired
    • Revoked – re-enroll
    • Expired – re-apply
    • 1 month before expiry – request a certificate for a new public key
  – Process
    • Same as initial enrollment, and
    • If within 5 years of initial enrolment, a face-to-face interview is not required
• No certificate renewal (4.6)
• No certificate modification (4.8)
Records Archive
• Records archived (5.5.1)
  – Forms, emails etc. in the enrollment process
  – Private keys, password
  – Monthly backup includes
    • CA and RA server backup
    • Mailing list archive
• Retention period (5.5.2)
  – General: minimum 3 years
  – Certificates, CRLs: at least 2 years
  – User identity info: 5 years
Audit
• Described in section 8:
  – Accept external audit
  – By APGrid PMA
  – Self-audit of CA/RA and operation once a year
• Verify CA contact list once a year
Web Repository
http://goc.pragma-grid.net/ca
• Publicly accessible
  – CA root certificates
  – Certificates issued
  – CRL
  – CP/CPS
  – Contact info
• Grant APGrid PMA and IGTF unlimited re-distribution
• Internal only
  – Operation manuals
  – Canned emails
  – Forms
  – Check list
  – CA profiles
  – Only CA staff and auditors allowed access
Privacy and Confidentiality
• Defined in 9.3 and 9.4
  – No confidential info collected
  – Do not provide personal info to other organizations
• CA-RA communication
  – Secure methods (4.1, 4.2): face to face, signed email, Skype
  – Inform/log changes by email to pragma-ucsd-ca@sdsc.edu
Disaster Recovery
• Described in 5.7
  – Hardware, software, data corruption
    • Recover from backup ASAP
  – CA key compromise
    • Notify subscribers, RAs, relying parties
    • Revoke all issued certificates
    • Stop certificate/CRL distribution service
    • Create new key pair and rebuild the CA system
Special Thanks
to Yoshio Tanaka and the AIST CA team, and Naregi-CA developer Takuto Okuno, for helping set up PRAGMA-UCSD CA
APGrid PMA reviewers Sangwan Kim, Alex Wu and Suriya U-ruekolan, for helping review the PRAGMA-UCSD CA CP/CPS