Single Sign-On Single Sign-On with GRID with GRID CertificatesCertificates

Ernest ArtiagaErnest Artiaga(CERN – IT)(CERN – IT)

GridPP 7GridPP 7thth Collaboration Meeting Collaboration Meeting July 2003July 2003

OutlineOutline

Motivation and goalsMotivation and goals Authentication mechanismsAuthentication mechanisms Implementing web single sign-onImplementing web single sign-on

Mapping certificates to accountsMapping certificates to accounts Providing certificates to usersProviding certificates to users Current statusCurrent status

Summary and conclusionsSummary and conclusions

Motivation and goalsMotivation and goals The GRID environment offers:The GRID environment offers:

A lot of computing powerA lot of computing power The possibility to execute big and complex The possibility to execute big and complex

applicationsapplications But GRID users will also need basic services:But GRID users will also need basic services:

MailMail WebWeb Access to administrative proceduresAccess to administrative procedures

We want to We want to integrateintegrate the services for GRID the services for GRID and local usersand local users Cross-platform authenticationCross-platform authentication Single sign-onSingle sign-on

Authentication Authentication mechanismsmechanisms

PKI/CertificatesPKI/Certificates Off-line authenticationOff-line authentication

Someone (CA) signs a document saying who I amSomeone (CA) signs a document saying who I am The service verifies the signatureThe service verifies the signature

Used across platformsUsed across platforms Standard extension mechanismsStandard extension mechanisms

KerberosKerberos tickets tickets On-line authenticationOn-line authentication

Someone (KDC) tells the service that I am really who I Someone (KDC) tells the service that I am really who I claim to beclaim to be

Intra-site security mechanism (used by Unix and Intra-site security mechanism (used by Unix and Microsoft)Microsoft)

Implementing single Implementing single sign-onsign-on

Users coming from Users coming from GRIDGRID and local and local UnixUnix and and WindowsWindows environments environments

Services are Services are multi-platformmulti-platform (Unix/Windows)(Unix/Windows)

Logon and Authentication mechanisms are Logon and Authentication mechanisms are differentdifferent A user must type his/her credentials again and A user must type his/her credentials again and

againagain

SolutionSolution?? We will focus onWe will focus on web web servicesservices

Single sign-on via webSingle sign-on via web

The user must provide a valid PKI/CertificateThe user must provide a valid PKI/Certificate We must trust the web server: it will We must trust the web server: it will impersonateimpersonate

the user!the user! ComplexComplex scenario: many possibilities scenario: many possibilities

Web Server

User

Services

Impersonation in Impersonation in Apache/UnixApache/Unix

Direct impersonation via CertificatesDirect impersonation via Certificates Privileged serverPrivileged server DB to map certificates into accountsDB to map certificates into accounts The service The service runs as the userruns as the user owning the certificate owning the certificate

(login)(login) Impersonation via Kerberos ticketImpersonation via Kerberos ticket

The service The service acquires the user ticketacquires the user ticket to access the to access the resourcesresources

It It should get Kerberos ticket from the certificateshould get Kerberos ticket from the certificate May use extra software: Kerberos leveraged PKIMay use extra software: Kerberos leveraged PKI

KCT (Kerberos Certificate Translation)KCT (Kerberos Certificate Translation) Mod_KCT (Apache module)Mod_KCT (Apache module)

Impersonation in MS Impersonation in MS web serversweb servers

Based on the Based on the Windows Identity Windows Identity MappingMapping mechanism mechanism Maps a Maps a certificatecertificate to a Windows to a Windows accountaccount

((logonlogon)) The identity mapping is set in the The identity mapping is set in the

Active DirectoryActive Directory Common for the whole domainCommon for the whole domain

Provides an internal ticketProvides an internal ticket Allows accessing windows resourcesAllows accessing windows resources

Windows identity Windows identity mappingmapping

Two flavors: manual and automaticTwo flavors: manual and automatic In In manual mappingmanual mapping, the administrator , the administrator

must specify which certificate maps into must specify which certificate maps into which account (can be done which account (can be done programmatically)programmatically)

In In automatic mappingautomatic mapping, the , the certificate certificate must contain an extensionmust contain an extension with the User with the User Principal Name (UPN) of the accountPrincipal Name (UPN) of the account No explicit mapping is neededNo explicit mapping is needed Originally designed for Originally designed for smart cardssmart cards

Integrating external Integrating external GRID usersGRID users

Local account for GRID usersLocal account for GRID users?? Users not registered locally, but having Users not registered locally, but having

valid GRID certificatesvalid GRID certificates How to handle them (Unix/Windows)? How to handle them (Unix/Windows)?

Validate the certificateValidate the certificate Create account on-the-flyCreate account on-the-fly Assign new user to appropriate Assign new user to appropriate groupsgroups Map the certificate to the new accountMap the certificate to the new account Delete the account at user ‘logout’Delete the account at user ‘logout’

So far…So far… Web services can be configured to use Web services can be configured to use

certificates for authenticationcertificates for authentication We should be able to use GRID We should be able to use GRID

certificates to access these servicescertificates to access these services Possibly Possibly adding some extensionsadding some extensions

……Now we need to integrate the local Now we need to integrate the local usersusers How can we easily provide them with How can we easily provide them with

certificates ?certificates ?

Providing certificates to Providing certificates to usersusers

GRID users GRID users alreadyalready have a certificate have a certificate

The others…The others… At CERN, both local Unix and Windows At CERN, both local Unix and Windows

users receive a Kerberos ticket during users receive a Kerberos ticket during logonlogon We can issue a PKI/Certificate from a We can issue a PKI/Certificate from a

Kerberos ticketKerberos ticket KCA (Kerberized CA)KCA (Kerberized CA)

Integrating non-GRID Integrating non-GRID usersusers

Kerberos Leveraged PKIKerberos Leveraged PKI

Credential Cache

Credential Cache

Login

KDC

KCA

Browser

LibPKCS11

Web Server

ToolsTools

KCA (Kerberized CA) supports KCA (Kerberized CA) supports Kerberos V (Windows 2000 Kerberos V (Windows 2000 compatible)compatible)

KCA clients are available for Unix KCA clients are available for Unix and Windowsand Windows

PKCS11 library (smart card PKCS11 library (smart card emulation) is also available for Unix emulation) is also available for Unix and Windowsand Windows

IssuesIssues Interoperability puts Interoperability puts extra requirementsextra requirements in in

the certificatesthe certificates Specific extensionsSpecific extensions Revocation listsRevocation lists ……

It depends on many componentsIt depends on many components Some of them not completely stable or ready for Some of them not completely stable or ready for

productionproduction The server must be able toThe server must be able to

AcceptAccept the certificate the certificate IdentifyIdentify the account to which the certificate the account to which the certificate

refersrefers

The integrated viewThe integrated view

Linux Box

Windows 2000KDC

Linux KCA

OpenSSL CA

Web BrowserLib PKCS11

Windows 2000IIS 5.0

AD

Resources

CertificateTemplate

WinBox

UnixApache

Mod_KCTKCT

MITKDC

GRID Certificates

Summary and Summary and conclusionsconclusions

It is It is possiblepossible To To integrateintegrate GRIDGRID and local infrastructure and local infrastructure servicesservices Provide Provide cross-platformcross-platform Single Sign-onSingle Sign-on using GRID using GRID

authentication mechanisms (i.e. PKI/Certificates )authentication mechanisms (i.e. PKI/Certificates ) But But full functionalityfull functionality has has issuesissues……

LotsLots of components involved (KDC, KCA, AD…) of components involved (KDC, KCA, AD…) Compatibility (not fully documented requirements)Compatibility (not fully documented requirements)

Is the Is the complexitycomplexity worth while? worth while? Over-complexOver-complex for a reliable service today for a reliable service today But the components are being used/developed in But the components are being used/developed in

other areasother areas

Summary and Summary and conclusionsconclusions

Nevertheless, it is an Nevertheless, it is an interestinginteresting mechanismmechanism Web services are widely spreadWeb services are widely spread

Can be shared by GRID and non-Grid usersCan be shared by GRID and non-Grid users Smooth transition from non-GRID to GRIDSmooth transition from non-GRID to GRID

Partial functionality is possible and Partial functionality is possible and ready to ready to workwork Mapping long term certificatesMapping long term certificates

Some of the tools are being actively developedSome of the tools are being actively developed

We’ve heard of some related success stories We’ve heard of some related success stories

Questions?Questions?