10–14 Oct 2016
San Francisco Marriott Marquis
America/Los_Angeles timezone

Grid Access with Federated Identities

11 Oct 2016, 15:30
1h 15m

Poster Track 8: Security, Policy and Outreach Posters A / Break

Speaker

Dave Dykstra (Fermi National Accelerator Laboratory)

Description

It is well known that submitting jobs to the grid and transferring the
resulting data are not trivial tasks, especially when users are required
to manage their own X.509 certificates. Asking users to manage their
own certificates means that they need to keep the certificates secure,
remember to renew them periodically, frequently create proxy
certificates, and make them available to long-running grid jobs. We
have made those tasks easier by creating and managing certificates for
users. To do this, we have written a new general-purpose open
source tool called 'cigetcert' that takes advantage of the existing
InCommon federated identity infrastructure and the InCommon X.509
certificate creation service, CILogon. The tool uses the SAML Enhanced
Client or Proxy (ECP) profile protocol, which was designed for
non-web-browser environments, so it fits well with traditional
command-line-based grid access. The tool authenticates with the local
institution's Identity Provider (IdP) using either Kerberos or the
institutional username/password, retrieves a user certificate from
CILogon Basic CA, stores a relatively short-lived proxy certificate on
the local disk, and stores a longer-lived proxy certificate in a MyProxy
server. The local disk proxy certificate is then available to submit
jobs, and the grid job submission system reads the proxy certificate out
of the MyProxy server and uses that to authorize data transfers for
long-lived grid jobs. This paper describes the motivation, design,
implementation, and deployment of this system that provides grid access
with federated identities.

Primary Keyword: Security and policies
Secondary Keyword: Distributed workload management

Primary authors

Dave Dykstra (Fermi National Accelerator Laboratory)
Jeny Teheran (Fermi National Accelerator Laboratory)
Mine Altunay (Fermi National Accelerator Laboratory)

Co-authors

Dennis Box (Fermi National Accelerator Laboratory)
Kenneth Richard Herner (Fermi National Accelerator Laboratory (US))
Neha Sharma (Fermi National Accelerator Laboratory)
Tanya Levshina (Fermi National Accelerator Laboratory)