APGrid PMA face-to-face meeting, 4/8/2008 Cindy Zheng PRAGMA Grid Coordinator Pacific Rim Application and Grid Middleware Assembly

APGrid PMA face-to-face meeting, 4/8/2008

Cindy ZhengPRAGMA Grid Coordinator

Pacific Rim Application and Grid Middleware Assemblyhttp://www.pragma-grid.nethttp://goc.pragma-grid.net

PRAGMA-UCSD CA


Overview

• PRAGMA

• PRAGMA Grid

• Purpose of PRAGMA-UCSD-CA

• PRAGMA-UCSD CA setup– (x.y.z) references the relevant

CP/CPS section number


PRAGMA


Strengthen Existing and Establish New Collaborations

Work with Science Teams to

Advance Grid Technologies and Improve the Underlying

Infrastructure

In the Pacific Rim and Globally

PRAGMA

http://www.pragma-grid.net

A Practical Collaborative Framework

Strengthen Existing and Establish New Collaborations

Work with Science Teams to

Advance Grid Technologies and Improve the Underlying

Infrastructure

In the Pacific Rim and Globally

PRAGMAA Practical Collaborative Framework

http://www.pragma-grid.net

35 institutions14 countries


EDU

CATION

GRID

SOFTW

ARESCIEN

CE

PRAGMA’s Collaborative Framework

Source: Philip Papadopoulos, Global Engagement

• GLEON (and CREON) – From Telescience WG– Global Lake Ecological Observatory Network (and Coral Reef)– Grassroots effort to understand lake dynamics

• Avian Flu Grid – From Biosciences WG– Integrates technologies for shared infrastructure

• PRIME : Pacific Rim Experiences for Undergraduates– Prepares globally-enabled workforce– Immersive: Research Apprenticeship; Cultural Experience

• PRIUS: Pacific Rim International UniverSity, Osaka University– Prepares global workforce– Within context of curriculum and research experience

• PRAGMA: Pacific Rim Application and Grid Middleware Assembly– Catalyzes collaborations– Applications drive technology developments

• OptIPuter: SAGE• Ninf-G, Gfarm, Nimrod, SCMSWeb, CSF4, Naregi CA, Opal,

MOGAS, Mgrid, Rocks, GAMA, Condor, Access Grid• GEO, GEON• DataTurbine, Inca


PRAGMA GridPRAGMA Grid

32 institutions in 16 countries/regions, 27 compute sites (+ 9 in preparation)

UZHSwitzerland

NECTECThaiGridThailand

UoHydIndia

MIMOSUSMMalaysia

CUHKHongKong

ASGCNCHCTaiwan

HCMUTHUTIOIT-HCMVietnam

AISTOsakaUUTsukubaTITechJapan

BIIIHPCNGONTUSingapore

MUAustralia

APACQUTAustralia

KISTIKorea

JLUChina

SDSCUSA

CICESEMexico

UNAMMexico

UChileChile

UUtahUSA

NCSAUSA BU

USA

CeNAT-ITCRCosta Rica

BESTGridNew Zealand

CNICGUCASChinaLZU

China

UPRMPuerto Rico

UZHSwitzerland

LZUChina

ASTIPhilippines

SKUUIIndonesia


PRAGMA Grid Members and Teamhttp://goc.pragma-grid.net/wiki/index.php/Site_status_and_tasks

• Sites– 23 sites from PRAGMA member institutions– 15 sites from Non-PRAGMA member institutions– 27 sites contributed compute clusters

• Team members– 170 and growing– one management contact / site– 1~3 technical support contact / site– 1~4 application drivers / application– 1~5/Middleware development teams


Why PRAGMA-UCSD CA?

• PRAGMA experimental CA– Only used within PRAGMA Grid

• Grid interoperation and future– Need IGTF compliant catch-all production CA

• Near term– Only issue production CA when needed


PRAGMA-UCSD CA Team

• CA – Cindy Zheng, Mason Katz (UCSD)• RA – Mason Katz, Anoop Rajendra (UCSD)• PMA – Yoshio Tanaka (AIST)• Security Officer – Phil Papadopoulos (UCSD)• [email protected] reaches no more

and no less than these 5 people


CP/CPS

• Structured as defined in RFC 3647

• http://goc.pragma-grid.net/ca/cp-cps

• OID - 1.3.6.1.4.1.13230.101.2.1.0– Set for CP/CPS (1.2)– Set for cert policy id v3 ext– Registered with IANA– Change procedure described in 9.12


CA Systems

• CA server is dedicated and off-line • RA server is dedicated and on-line• CA software is naregi-wp5-nas-070112


Physical Security• CA and RA servers are in a lockable office

– 2 keys (Cindy Zheng, Karan Bhatia)• CA server is in a locked cabin in the office

– Only Cindy (CA) has the key• Access log

– logged by email at [email protected]– Email archive is included in monthly backup


CA Key and Passphrase

• CA key length 2048 bits (6.1.5)• CP-CPS 6.4 describes CA key

protection– Pass phrase >= 15 characters. – Only known by CA and RA.– In 2 sealed envelopes in 2 separate

locked drawers in Cindy (CA) and Mason (RA)’s office.

• Only Cindy and Mason have the keys to the drawers.

– The sealed envelops are kept separated from the backed up private key.


Encrypted Private Key Backup

• On offline media – USB drives

• Kept in a locked cabinet

• Only Anoop (RA) has the key


CA Certificate

• Lifetime 10 years (6.3.2)

• End entity lifetime 1 year

• BasicConstraints (7.1.2)– marked as critical– Set as CA:TRUE

• KeyUsage (7.1.2)– Marked as critical– Value include keyCertSign, cRLSign


Certificate Revocation• Can be requested by

– Subscribers– CA, RA– Others can prove compromise or exposure of a private key.

(4.9.2)• An end entity must request revocation as soon as

possible, but within one working day after detection of– he/she lost or compromised the private key pertaining to the

certificate,– the data in the certificate are no longer valid. (4.9.1)

• Authenticate the request (4.9.3)– Verify requestor identity by phone, VTC or face-to-face– Verify reason and evidence

• CA must react as soon as possible, but within one working day, to any revocation request received. (4.9.5)


CRL

• Lifetime is 30 days

• Issued – Every 3 weeks– Or immediately after a revocation (4.9.7)

• http://goc.pragma-grid.net/ca/ca-certs/baec778c.r0

• Version: x509 v2

• Message digest algorithm: SHA-1


User or Host/service Certificates

• Key >=1024 bit (6.1.5)

• Life time 1 year (6.3.2)

• User certificate – should not shared (4.5.1)

• End entity passphrase (6.2.8)– 12 characters or more (enforced by

Naregi-ca client software)


Issue Certificates• Described in 4.1, 4.2:

– User fill and email application form– RA reply

• Ask for photo id (fax or in person)• arrange interview (in person or VTC)

– RA Interview user with• A copy of user application• A copy of user photo id• Fill a RA check list

– Upon approval, RA sign the check list and hand all to CA

– RA email user an encrypted license id and user guide url– RA deliver the password to user (fax or in person)– User install Naregi-ca client software, create certificate

request and email acceptID to pragma-ucsd-ca list– CA generate new certificate and email user for retrieval– CA/RA file all documents


Names

• Meaningful names (3.1.2)– Reasonable association to end entity– CN is FQDN

• Name uniqueness (3.1.5)– List of issued certificates– Prefix and suffix

• Verify host owner/administrator (3.2.2, 3.2.3)– Known organization in PRAGMA community– Verify with known contact of host organization


End Entity Certificates

• x509 format• Extensions (7.1)

– Policy Identifier contain an OID only: 1.3.6.1.4.1.13230.101.1

– CRLDistributionPoints: URI://goc.pragma-grid.net/secure/certificates/baec778c.r0

– keyUsage marked as critical– basicConstraints set to ‘CA: false’ and marked as

critical– Host certificate, a FQDN is included as a dnsName

in the SubjectAlternativeName


Rekey, Renew and Modification

• Certificate rekey is described in 4.7:– Reason for rekey: certificate revoked or expired

• Revoked – re-enroll• Expired – re-apply• 1 month before expire – request new public key

– Process• same as initial enrollment and• If within 5 years of initial enrolment, face to face interview

is not required

• No certificate renew (4.6)• No certificate modification (4.8)


Records Archive

• Records archived (5.5.1)– Forms, emails etc. in enrollment process– Private keys, password– Monthly backup includes

• CA and RA server backup• Mailing list archive

• Retention period (5.5.2)– General: minimum 3 years– Certificates, CRLs: at least 2 years– User identity info: 5 years


Audit

• Described in section 8:– Accept external audit– By APGrid PMA– Self-audit of CA/RA and operation

once a year

• Verify CA contact list once a year


Web Repositoryhttp://goc.pragma-grid.net/ca

• Public accessible– CA root certificates– Certificates issued– CRL– CP/CPS – Contact info

• Grant APGrid PMA and IGTF unlimited re-distribution

• Internal only– Operation manuals– Canned emails– Forms– Check list– CA profiles

• Only CA staff and auditors allowed access


Privacy and Confidentiality

• Defined in 9.3 and 9.4– No confidential info collection– Do not provide personal info to other

organizations

• CA-RA communication– Secure methods (4.1, 4.2)

• Face to face, signed email, skype

– Inform/log changes by email to [email protected]


Disaster Recovery

• Described in 5.7– Hardware, software, data corruption

• Recover with backup asap

– CA key compromise• Notify subscribers, RAs, relying parties• Revoke all issued certificates• Stop certificate/CRL distribution service• Create new key pair and rebuild the CA system


Special Thanks

toYoshio Tanaka and AIST CA teamNaregi-CA developer, Takuto Okuno

For helping setup PRAGMA-UCSD CA

APGrid PMA reviewer, Sangwan KimAPGrid PMA reviewer, Alex Wu

APGrid PMA reviewer, Suriya U-ruekolanFor helping review PRAGMA-UCSD CA CP/CPS

Documents

APGrid PMA face-to-face meeting, 4/8/2008 Cindy Zheng PRAGMA Grid Coordinator Pacific Rim Application and Grid Middleware Assembly