ESnet RAF and eduroam Tony J Genovese ATF


ESnet RAF and eduroam™
Tony J. Genovese, ATF Team
ESnet / Lawrence Berkeley National Laboratory


ATF Overview
  • Authentication services for DOE Office of Science projects, including international collaborations, computational Grids, the ESnet community, and ESnet internal use
  • Primarily focused on the Office of Science community
  • Facilitating several trust federations to enable interoperable science Grids – Policy Management Authorities
      • the IGTF – International Grid Trust Federation
      • the Americas "regional" policy management authority – TAGPMA
  • ATF's principal service is a set of certificate authorities (CAs)
  • Policy is driven completely by the needs of the science community
  • ATF also pilots new technology, new policy systems, and develops project proposals in collaboration with other partners


Authentication and Trust Federation Team
  • 3 FTEs plus heavy support from ESnet UNIX services
      • Plus additional support from network engineering, services, and Windows support
  • Roles
      • CA Operator
      • Developer
      • Federation Liaison
      • Product Manager (community outreach)
      • Specialized system administration
      • PMA chairman / member
      • Contributor to community best practices/standards efforts
  • All team members have cross-trained to ensure continuity.


PKI Certificate Authorities Overview (diagram)
  • ESnet Root CA – only signs subordinate CAs
  • ESnet subordinate Certificate Authorities and Services:
      • NERSC Site – NIM Integration
      • ESnet SSL/TLS
      • DOEGrids
      • FUSION (Credential Store)
      • OCSP Service
      • Future Co-hosting


PKI Security Environment (diagram of protection layers around the CA systems)
  • Offline Vaulted Root CA
  • PKI Systems
  • Hardware Security Modules (HSM)
  • Secure VLAN
  • Firewall
  • Access controlled racks
  • Secure Data Center
  • Building Security
  • LBNL Site security
  • Intrusion Detection
  • Grid User / Internet


DOEGrids CA Usage Statistics *
  User Certificates: 1999
  Host & Service Certificates: 3461
  Total No. of Certificates: 5479
  Total No. of Requests: 7006
  ESnet SSL Server CA Certificates: 38
  DOEGrids CA 2 CA Certificates (NERSC) 15
  Fusion GRID CA certificates 76
  * Report as of Jun 15, 2005


RAF, eduroam™ and Internet 2 Secure ID interconnects (diagram)
  • Nodes: PPNL, ANL, NERSC, ORNL, ESnet RAF, ESnet LBNL, Aladdin Smart Card, Crypto Card, Grid realms, DOEGrids, MyProxy, eduroam™, TERENA NL eduroam™, Internet 2, UTK eduroam US
  • Annotations:
      • Interconnecting with eduroam™ at UTK
      • Interconnect Grid Realms at TERENA
      • ESnet possible secondary route for eduroam™


Grid eduroam™ Experiment
  • Phase 0
      • Use Infoblox loaded with IGTF root certificates
      • EAP/TLS strong authentication based on Grid identity certificates
      • eduroam™ authorization attributes – eduroam™ defines
      • TACAR or EUGridPMA repository as trust anchor
      • IGTF OCSP experimental service – GGF defining the service
      • Interconnect to eduroam™ at UTK
  • Grid top level interconnect
      • TERENA – Root
      • ESnet
  • User experience: local site dependency
      • Grid PMAs: EU Grid PMA, AP Grid PMA and TAGPMA
      • eduroam™ defines
      • Each site controls how it exposes or provides a service to the community.
  • Develop Federation document set
      • Based on GGF documents
      • Plus eduroam™ policies


Next Phases
  • Phase 1
      • Add Authorization Schema
      • Phase 0 plus LDAP server
  • Phase 2
      • Add Virtual Organization Management System
          • Shibboleth
          • GGF – GridShib or other?
          • TF-EMC2
      • Phase 0 plus VOMS servers
  • Phase 3 – production hardening
      • Implement our community's selected solution – or ?


ESnet RAF Experiment systems (diagram)
  • RAF radius appliance
  • eduroam™ Internet 2 Interconnect
  • Grid Interconnect (TERENA)
  • Possible eduroam™ backup route
  • LDAP User Account DB (phase 1+)
  • Cisco Catalyst 4000
  • EAPOL test bed
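The two diagrams above (the RAF/eduroam™ interconnects and the RAF experiment systems) show the routing decision a RADIUS proxy in this position has to make: answer its own grid realms locally, forward eduroam™ realms over the Internet 2 interconnect with ESnet as a possible secondary route, and forward foreign grid realms via the TERENA interconnect. The following is an added example, not code from the presentation or from ESnet, that models that decision in plain Python: it splits the user name into user and realm, does a longest-suffix realm lookup, tries the hops for that realm in order, and fails closed when no route is reachable. All realm names, hop labels and reachability states are constructed for the illustration.

```python
"""Realm-based RADIUS request routing with a backup route (added example).

Models the decision a RAF-style radius appliance makes for an Access-Request:
local realms are answered locally, other realms are forwarded to the first
reachable hop in their route list, and a request with no reachable route is
rejected rather than accepted. Realm names, hop labels and reachability
states below are constructed for illustration; none come from the slides.
"""
from dataclasses import dataclass, field


@dataclass
class Hop:
    name: str                # label of the next-hop RADIUS server / interconnect
    reachable: bool = True   # constructed health state used to drive failover


@dataclass
class RoutingTable:
    routes: dict = field(default_factory=dict)   # realm suffix -> [primary, backup, ...]
    default: list = field(default_factory=list)  # hops for realms with no explicit entry

    def lookup(self, realm):
        """Longest-suffix match: 'physics.utk.edu' is served by an 'edu' entry
        unless a more specific 'utk.edu' or 'physics.utk.edu' entry exists."""
        labels = realm.lower().split(".")
        for i in range(len(labels)):
            suffix = ".".join(labels[i:])
            if suffix in self.routes:
                return self.routes[suffix]
        return self.default


def split_nai(user_name):
    """Split an RFC 4282 style NAI 'user@realm' into (user, realm). A name
    with no '@' is a realm-less local user; an empty user or realm is malformed."""
    if "@" not in user_name:
        return user_name, None
    user, _, realm = user_name.rpartition("@")
    if not user or not realm:
        raise ValueError(f"malformed NAI: {user_name!r}")
    return user, realm


def forward(table, user_name, local_realms):
    """Return 'LOCAL' for realms this appliance is authoritative for, otherwise
    the name of the first reachable hop for the realm, or 'REJECT' when no
    route is up (fail closed instead of answering Access-Accept)."""
    _user, realm = split_nai(user_name)
    if realm is None or realm.lower() in local_realms:
        return "LOCAL"
    for hop in table.lookup(realm):
        if hop.reachable:
            return hop.name
    return "REJECT"


# Constructed topology; hop labels are illustrative, not the presentation's.
INTERNET2 = Hop("eduroam US via Internet 2 interconnect")
ESNET_BACKUP = Hop("ESnet secondary eduroam route")
TERENA = Hop("TERENA grid-realm interconnect")

TABLE = RoutingTable(
    routes={
        "edu": [INTERNET2, ESNET_BACKUP],        # US campuses: primary, then backup
        "grid.example-eu.org": [TERENA],         # constructed European grid realm
    },
    default=[INTERNET2, ESNET_BACKUP],           # anything else goes up to eduroam US
)
LOCAL_REALMS = {"example-lab.gov"}               # constructed home realm of this appliance


def demo():
    """Route a few constructed requests, then take the primary down to show failover."""
    results = {}
    for nai in ("alice@example-lab.gov", "bob@physics.utk.edu", "carol@grid.example-eu.org"):
        results[nai] = forward(TABLE, nai, LOCAL_REALMS)
    INTERNET2.reachable = False
    results["bob@physics.utk.edu (primary down)"] = forward(TABLE, "bob@physics.utk.edu", LOCAL_REALMS)
    INTERNET2.reachable = True
    return results


if __name__ == "__main__":
    for nai, decision in demo().items():
        print(f"{nai:45} -> {decision}")
```

The one design choice worth noting is the final `REJECT`: a proxy that cannot reach any home server for a realm must not answer the request itself, because an Access-Accept from the proxy would grant network access without the home institution ever having verified the credential.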