Upload
jack-hewitt
View
218
Download
3
Embed Size (px)
Citation preview
Single Sign-On Single Sign-On with GRID with GRID CertificatesCertificates
Ernest ArtiagaErnest Artiaga(CERN – IT)(CERN – IT)
GridPP 7GridPP 7thth Collaboration Meeting Collaboration Meeting July 2003July 2003
OutlineOutline
Motivation and goalsMotivation and goals Authentication mechanismsAuthentication mechanisms Implementing web single sign-onImplementing web single sign-on
Mapping certificates to accountsMapping certificates to accounts Providing certificates to usersProviding certificates to users Current statusCurrent status
Summary and conclusionsSummary and conclusions
Motivation and goalsMotivation and goals The GRID environment offers:The GRID environment offers:
A lot of computing powerA lot of computing power The possibility to execute big and complex The possibility to execute big and complex
applicationsapplications But GRID users will also need basic services:But GRID users will also need basic services:
MailMail WebWeb Access to administrative proceduresAccess to administrative procedures
We want to We want to integrateintegrate the services for GRID the services for GRID and local usersand local users Cross-platform authenticationCross-platform authentication Single sign-onSingle sign-on
Authentication Authentication mechanismsmechanisms
PKI/CertificatesPKI/Certificates Off-line authenticationOff-line authentication
Someone (CA) signs a document saying who I amSomeone (CA) signs a document saying who I am The service verifies the signatureThe service verifies the signature
Used across platformsUsed across platforms Standard extension mechanismsStandard extension mechanisms
KerberosKerberos tickets tickets On-line authenticationOn-line authentication
Someone (KDC) tells the service that I am really who I Someone (KDC) tells the service that I am really who I claim to beclaim to be
Intra-site security mechanism (used by Unix and Intra-site security mechanism (used by Unix and Microsoft)Microsoft)
Implementing single Implementing single sign-onsign-on
Users coming from Users coming from GRIDGRID and local and local UnixUnix and and WindowsWindows environments environments
Services are Services are multi-platformmulti-platform (Unix/Windows)(Unix/Windows)
Logon and Authentication mechanisms are Logon and Authentication mechanisms are differentdifferent A user must type his/her credentials again and A user must type his/her credentials again and
againagain
SolutionSolution?? We will focus onWe will focus on web web servicesservices
Single sign-on via webSingle sign-on via web
The user must provide a valid PKI/CertificateThe user must provide a valid PKI/Certificate We must trust the web server: it will We must trust the web server: it will impersonateimpersonate
the user!the user! ComplexComplex scenario: many possibilities scenario: many possibilities
Web Server
User
Services
Impersonation in Impersonation in Apache/UnixApache/Unix
Direct impersonation via CertificatesDirect impersonation via Certificates Privileged serverPrivileged server DB to map certificates into accountsDB to map certificates into accounts The service The service runs as the userruns as the user owning the certificate owning the certificate
(login)(login) Impersonation via Kerberos ticketImpersonation via Kerberos ticket
The service The service acquires the user ticketacquires the user ticket to access the to access the resourcesresources
It It should get Kerberos ticket from the certificateshould get Kerberos ticket from the certificate May use extra software: Kerberos leveraged PKIMay use extra software: Kerberos leveraged PKI
KCT (Kerberos Certificate Translation)KCT (Kerberos Certificate Translation) Mod_KCT (Apache module)Mod_KCT (Apache module)
Impersonation in MS Impersonation in MS web serversweb servers
Based on the Based on the Windows Identity Windows Identity MappingMapping mechanism mechanism Maps a Maps a certificatecertificate to a Windows to a Windows accountaccount
((logonlogon)) The identity mapping is set in the The identity mapping is set in the
Active DirectoryActive Directory Common for the whole domainCommon for the whole domain
Provides an internal ticketProvides an internal ticket Allows accessing windows resourcesAllows accessing windows resources
Windows identity Windows identity mappingmapping
Two flavors: manual and automaticTwo flavors: manual and automatic In In manual mappingmanual mapping, the administrator , the administrator
must specify which certificate maps into must specify which certificate maps into which account (can be done which account (can be done programmatically)programmatically)
In In automatic mappingautomatic mapping, the , the certificate certificate must contain an extensionmust contain an extension with the User with the User Principal Name (UPN) of the accountPrincipal Name (UPN) of the account No explicit mapping is neededNo explicit mapping is needed Originally designed for Originally designed for smart cardssmart cards
Integrating external Integrating external GRID usersGRID users
Local account for GRID usersLocal account for GRID users?? Users not registered locally, but having Users not registered locally, but having
valid GRID certificatesvalid GRID certificates How to handle them (Unix/Windows)? How to handle them (Unix/Windows)?
Validate the certificateValidate the certificate Create account on-the-flyCreate account on-the-fly Assign new user to appropriate Assign new user to appropriate groupsgroups Map the certificate to the new accountMap the certificate to the new account Delete the account at user ‘logout’Delete the account at user ‘logout’
So far…So far… Web services can be configured to use Web services can be configured to use
certificates for authenticationcertificates for authentication We should be able to use GRID We should be able to use GRID
certificates to access these servicescertificates to access these services Possibly Possibly adding some extensionsadding some extensions
……Now we need to integrate the local Now we need to integrate the local usersusers How can we easily provide them with How can we easily provide them with
certificates ?certificates ?
Providing certificates to Providing certificates to usersusers
GRID users GRID users alreadyalready have a certificate have a certificate
The others…The others… At CERN, both local Unix and Windows At CERN, both local Unix and Windows
users receive a Kerberos ticket during users receive a Kerberos ticket during logonlogon We can issue a PKI/Certificate from a We can issue a PKI/Certificate from a
Kerberos ticketKerberos ticket KCA (Kerberized CA)KCA (Kerberized CA)
Integrating non-GRID Integrating non-GRID usersusers
Kerberos Leveraged PKIKerberos Leveraged PKI
Credential Cache
Credential Cache
Login
KDC
KCA
Browser
LibPKCS11
Web Server
ToolsTools
KCA (Kerberized CA) supports KCA (Kerberized CA) supports Kerberos V (Windows 2000 Kerberos V (Windows 2000 compatible)compatible)
KCA clients are available for Unix KCA clients are available for Unix and Windowsand Windows
PKCS11 library (smart card PKCS11 library (smart card emulation) is also available for Unix emulation) is also available for Unix and Windowsand Windows
IssuesIssues Interoperability puts Interoperability puts extra requirementsextra requirements in in
the certificatesthe certificates Specific extensionsSpecific extensions Revocation listsRevocation lists ……
It depends on many componentsIt depends on many components Some of them not completely stable or ready for Some of them not completely stable or ready for
productionproduction The server must be able toThe server must be able to
AcceptAccept the certificate the certificate IdentifyIdentify the account to which the certificate the account to which the certificate
refersrefers
The integrated viewThe integrated view
Linux Box
Windows 2000KDC
Linux KCA
OpenSSL CA
Web BrowserLib PKCS11
Windows 2000IIS 5.0
AD
Resources
CertificateTemplate
WinBox
UnixApache
Mod_KCTKCT
MITKDC
GRID Certificates
Summary and Summary and conclusionsconclusions
It is It is possiblepossible To To integrateintegrate GRIDGRID and local infrastructure and local infrastructure servicesservices Provide Provide cross-platformcross-platform Single Sign-onSingle Sign-on using GRID using GRID
authentication mechanisms (i.e. PKI/Certificates )authentication mechanisms (i.e. PKI/Certificates ) But But full functionalityfull functionality has has issuesissues……
LotsLots of components involved (KDC, KCA, AD…) of components involved (KDC, KCA, AD…) Compatibility (not fully documented requirements)Compatibility (not fully documented requirements)
Is the Is the complexitycomplexity worth while? worth while? Over-complexOver-complex for a reliable service today for a reliable service today But the components are being used/developed in But the components are being used/developed in
other areasother areas
Summary and Summary and conclusionsconclusions
Nevertheless, it is an Nevertheless, it is an interestinginteresting mechanismmechanism Web services are widely spreadWeb services are widely spread
Can be shared by GRID and non-Grid usersCan be shared by GRID and non-Grid users Smooth transition from non-GRID to GRIDSmooth transition from non-GRID to GRID
Partial functionality is possible and Partial functionality is possible and ready to ready to workwork Mapping long term certificatesMapping long term certificates
Some of the tools are being actively developedSome of the tools are being actively developed
We’ve heard of some related success stories We’ve heard of some related success stories
Questions?Questions?