Date posted: 19-Dec-2015
GGF15 Workshop
MyProxy Integration with PubCookie
Marty Humphrey*, Jim Jokl*, and Jim Basney**
*Department of Computer Science, University of Virginia, Charlottesville, VA
**NCSA/University of Illinois, Urbana-Champaign, IL
Supported by: NSF Next Generation Software (NSF NGS), NSF Middleware Initiative (NMI), San Diego Supercomputing Center
The Challenge
• I have a dream…
  • Opportunistically expand campus researchers’ local resources to “The Grid”
• [Security] Problem:
  • Relatively little of campus is PKI-enabled
  • Grid is (largely) PKI (GSI)
• Goal: Leverage existing site (campus) authentication infrastructure
• Approach: integrate PubCookie and MyProxy
PubCookie
PubCookie in Action (1)
[Diagram labels: End-User; Your IIS or Apache Web Server; PC Pubcookie Apache Module or ISAPI Filter; Campus Login Server]
From Tom Jordon, UW-Madison
PubCookie in Action (2)
[Diagram labels: End-User; Your IIS or Apache Web Server; PC Pubcookie Apache Module or ISAPI Filter; Campus Login Server; "Authenticated to Central Login Server? -- Nope"]
From Tom Jordon, UW-Madison
PubCookie in Action (3)
[Diagram labels: End-User; Your IIS or Apache Web Server; PC Pubcookie Apache Module or ISAPI Filter; Campus Login Server; Redirect; Login; Logged In]
From Tom Jordon, UW-Madison
PubCookie in Action (4)
[Diagram labels: End-User; Your IIS or Apache Web Server; PC Pubcookie Apache Module or ISAPI Filter; Campus Login Server; Logged In; Redirect; "Authenticated to Central Login Server? -- Yep"; Access Allowed]
From Tom Jordon, UW-Madison
PubCookie in Action (5)
[Diagram labels: End-User; Your IIS or Apache Web Server; PC Pubcookie Apache Module or ISAPI Filter; Campus Login Server; Logged In; Another IIS or Apache Web Server; PC Pubcookie Apache Module or ISAPI Filter; "Authenticated to Central Login Server? -- Yep"; Access Allowed]
From Tom Jordon, UW-Madison
PubCookie/MyProxy Integration
[Diagram labels: Browser; Pubcookie Login Server; Campus Authentication Server; Pubcookie-enabled Application Server; MyProxy Server; numbered steps 1 to 12, with 8 and 9 marked (SSL) and 10 labelled "Grid request"]
Technical Details
• 3 main cookies involved in PubCookie (http://www.pubcookie.org/docs/how-pubcookie-works.html)
  • Granting cookie: “contains the authenticated username and some other items”
    • Granting cookie is signed by the PubCookie login server and encrypted with a symmetric key shared between the app server and the PubCookie login server
  • Login cookie: “scoped to the login server and will be used on any subsequent visits by the user to the login server”
    • Opaque to the client – only the login server can decrypt it
  • Session cookie: scoped to app server
• Problem: granting cookie does not persist
Software Development
• No mods to the MyProxy Client
  • Upload creds via normal mechanism
  • Presents the granting cookie in the “password” field
• Mods to MyProxy server to be able to decrypt and verify signature on pubcookie
• Mods to portal (uPortal) to keep the granting cookie
  • Issue: JSR 168 does not deal well with cookies
• Note: we cannot use the granting cookie as the password directly
Cleartext in MyProxy Server?
• Yes, in this instantiation
  • We are not unique in this regard
• Alternative:
  • Use the granting cookie as the basis to generate/retrieve user-specific [large] passphrase, like so….
PubCookie/MyProxy Integration
[Diagram labels: Browser; Pubcookie Login Server; Campus Authentication Server; Pubcookie-enabled Application Server; Password server (steps 8 and 9 listed beside it); MyProxy Server; step labels 1 to 13, with 10 and 11 marked (SSL) and 12 labelled "Grid request"]
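The password-server alternative described on the slides above, as an added sketch that is not part of the original slides or of the MyProxy/Pubcookie code: a granting cookie changes on every login, so it is verified and then mapped to a stable per-user passphrase. The token layout, keys, the 300-second lifetime and the HMAC-based derivation are all assumptions; an HMAC tag stands in for the login server's signature and the shared-key encryption.

```python
import base64
import hashlib
import hmac
import json

# Constructed keys and token layout: NOT the Pubcookie wire format. An HMAC tag
# stands in for the login server's signature and shared-key encryption.
LOGIN_SERVER_KEY = b"constructed-login-server-key"
MASTER_SECRET = b"constructed-password-server-secret"
MAX_AGE = 300  # seconds; assumed granting-cookie lifetime


def issue_granting_cookie(user, app_server, issued_at):
    """Login server side: a fresh cookie is minted on every login."""
    body = json.dumps({"user": user, "app": app_server, "iat": issued_at},
                      sort_keys=True).encode()
    tag = hmac.new(LOGIN_SERVER_KEY, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag + body).decode()


def verify_granting_cookie(cookie, expected_app, now):
    """Return the authenticated username, or None if any check fails."""
    try:
        raw = base64.urlsafe_b64decode(cookie.encode())
    except ValueError:
        return None
    tag, body = raw[:32], raw[32:]
    expected = hmac.new(LOGIN_SERVER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # forged or altered cookie
    claims = json.loads(body)
    if claims["app"] != expected_app:
        return None  # issued for a different application server
    if not 0 <= now - claims["iat"] <= MAX_AGE:
        return None  # stale cookie
    return claims["user"]


def passphrase_for(cookie, expected_app, now):
    """Password server: map a verified cookie to a stable per-user passphrase."""
    user = verify_granting_cookie(cookie, expected_app, now)
    if user is None:
        return None
    return hmac.new(MASTER_SECRET, b"myproxy:" + user.encode(),
                    hashlib.sha256).hexdigest()
```

Two logins by the same user produce different cookies but the same passphrase, which is what lets the stored credential be protected by a passphrase rather than held in cleartext; the password server's secret then becomes the asset to protect.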
Summary
• Integration of PubCookie with MyProxy reduces the number of passphrases
• Currently pushing mods to OGCE2 and MyProxy CVS
• Future
  • What about Shibboleth?