DCAFI changes at FNAL - info to WLCG Catch All CA and the CERN CA managers
To make sure that WLCG and OSG are mutually informed and correct in their documentation pages, taking advantage of the presence of Tanya Levshina (FNAL) at CERN this week, and to be sure that the WLCG RA and the CERN CA managers are in sync with events in the USA Grid community, we shall have a presentation/discussion by Tanya on the near-future plans of FNAL's Distributed Computing Access with Federated Identities (DCAFI) project.
Relevant pages:
Present: Tanya Levshina, Hannah Short, Maria Dimou, Romain Wartel, Paolo Tedesco
Maria's notes - please correct mistakes
Tanya said that all security questions should be sent to Mine Altunay (maltunay@fnal.gov).
DCAFI will remove the need for each user to have a personal certificate for submitting jobs to the Grid or accessing storage. The user will only need a Kerberos token, or a Fermilab Services (LDAP) username/password, for submission.
CILogon Basic CA is the CA of choice for the FNAL migration away from KCA; the OSG DigiCert service will also move to CILogon in mid-2017.
KCA support ends by the end of 2016; FNAL is proactively phasing it out in September.
The MyProxy server will be used to hold and issue proxy certificates (not user certificates) valid for 4 weeks. A 24-hour proxy is used by the middleware (the JobSub server) for job submission.
An OSG DigiCert service certificate can be used in this system, but not a CERN CA certificate.
The FNAL VOMS contains all FNAL employees. No OSG or WLCG job submission takes place from this system.
Grid jobs are handled by HTCondor.
Hannah and Romain are working on deciding which federations are trustworthy; in the FNAL case, only IdPs that support ECP (the SAML Enhanced Client or Proxy profile) are relevant. Hannah is working on the criteria for establishing trust. InCommon is participating in this effort.
EGI has a CILogon-based solution similar to FNAL's.
CERN has had SSO for a long time already, to integrate with the other federated identities in Europe. CERN already has ECP, but access to storage is still done via old-fashioned X.509 certificates.
Romain said that the IdPs are not controlled by us, so they are not trusted the way the CAs are. This is why they are currently investigating what to put in the DN to be sure the user is who he claims to be.
USCMS users will not be subject to this workflow. Other FNAL experiments (e.g. NOvA, Mu2e, g-2, MicroBooNE, LArIAT) will.
Romain advised that Mine and Dave talk to Hannah about joining the effort going on now with InCommon and other providers.
Input from Hannah after the meeting:
As we mentioned, there is an international effort to flag trusted IdPs in eduGAIN called Sirtfi https://refeds.org/sirtfi. This could form a good basis for your decisions as to which IdPs should have access to your infrastructure. Actually, one of the main developers in CILogon is heavily involved!
The idea is that you would be able to identify IdPs with good operational security via a tag in their metadata. See https://wiki.refeds.org/display/SIRTFI/Guide+for+Federation+Participants
Here's a short blog post on EGI's involvement with Federated ID: http://www.egi.eu/news-and-media/newsletters/Inspired_Issue_24/AARC_first_year_of_work.html. They are currently running a pilot quite similar to yours.
If you could let us know some of the details as to user mapping and DNs, I would be very interested to hear.
I’ll loop Mine in to the Sirtfi work.
Thank you,
Hannah
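Hannah's suggestion above is to select IdPs by the Sirtfi tag in their metadata. The script below is an added example, not part of these notes and not code from FNAL, CERN, CILogon or REFEDS, showing what that check looks like against an eduGAIN-style SAML metadata aggregate: it picks out IdPs whose entity attributes assert https://refeds.org/sirtfi, checks that they also publish the REFEDS security contact that Sirtfi requires, and, because the FNAL case is limited to ECP-capable IdPs, records whether the IdP advertises an ECP (SOAP-binding) SingleSignOnService endpoint. The entityIDs, contact addresses and endpoint URLs in the embedded aggregate are constructed sample data, not real federation metadata.

```python
"""Added example: flag Sirtfi-asserting, ECP-capable IdPs in a SAML metadata aggregate."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "remd": "http://refeds.org/metadata",
}
ASSURANCE_ATTR = "urn:oasis:names:tc:SAML:attribute:assurance-certification"
SIRTFI = "https://refeds.org/sirtfi"
SECURITY_CONTACT = "http://refeds.org/metadata/contactType/security"
SOAP_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"  # binding used by ECP SSO endpoints

# Constructed sample aggregate (not real eduGAIN data): one IdP that is Sirtfi-tagged,
# has a security contact and an ECP endpoint; one untagged IdP; one IdP tagged but
# missing the required security contact; and one SP that asserts Sirtfi (not an IdP).
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:remd="http://refeds.org/metadata" Name="constructed-aggregate">
 <md:EntityDescriptor entityID="https://idp.good.example/idp/shibboleth">
  <md:Extensions><mdattr:EntityAttributes>
   <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification">
    <saml:AttributeValue>https://refeds.org/sirtfi</saml:AttributeValue>
   </saml:Attribute>
  </mdattr:EntityAttributes></md:Extensions>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
     Location="https://idp.good.example/idp/profile/SAML2/SOAP/ECP"/>
  </md:IDPSSODescriptor>
  <md:ContactPerson contactType="other"
    remd:contactType="http://refeds.org/metadata/contactType/security">
   <md:EmailAddress>mailto:security@good.example</md:EmailAddress>
  </md:ContactPerson>
 </md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://idp.untagged.example/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
     Location="https://idp.untagged.example/idp/profile/SAML2/SOAP/ECP"/>
  </md:IDPSSODescriptor>
 </md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://idp.nocontact.example/idp/shibboleth">
  <md:Extensions><mdattr:EntityAttributes>
   <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification">
    <saml:AttributeValue>https://refeds.org/sirtfi</saml:AttributeValue>
   </saml:Attribute>
  </mdattr:EntityAttributes></md:Extensions>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
 </md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://sp.good.example/shibboleth">
  <md:Extensions><mdattr:EntityAttributes>
   <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification">
    <saml:AttributeValue>https://refeds.org/sirtfi</saml:AttributeValue>
   </saml:Attribute>
  </mdattr:EntityAttributes></md:Extensions>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
 </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def entity_attribute_values(entity, name):
    """Values of the EntityAttribute called `name` on one EntityDescriptor."""
    path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
    return [(v.text or "").strip()
            for attr in entity.findall(path, NS) if attr.get("Name") == name
            for v in attr.findall("saml:AttributeValue", NS)]


def security_contacts(entity):
    """E-mail addresses of ContactPerson elements carrying the REFEDS security contact type."""
    key = "{%s}contactType" % NS["remd"]
    return [(e.text or "").strip()
            for cp in entity.findall("md:ContactPerson", NS) if cp.get(key) == SECURITY_CONTACT
            for e in cp.findall("md:EmailAddress", NS)]


def classify_idps(metadata_xml):
    """Map each IdP entityID to its Sirtfi tag, security contacts and ECP capability."""
    report = {}
    for entity in ET.fromstring(metadata_xml).iter("{%s}EntityDescriptor" % NS["md"]):
        idp = entity.find("md:IDPSSODescriptor", NS)
        if idp is None:  # SPs and attribute authorities are skipped even if they assert Sirtfi
            continue
        report[entity.get("entityID")] = {
            "sirtfi": SIRTFI in entity_attribute_values(entity, ASSURANCE_ATTR),
            "security_contacts": security_contacts(entity),
            "ecp": any(s.get("Binding") == SOAP_BINDING
                       for s in idp.findall("md:SingleSignOnService", NS)),
        }
    return report


def trusted_idps(metadata_xml, require_ecp=False):
    """entityIDs admissible under 'Sirtfi tag plus published security contact' (and ECP if asked)."""
    return sorted(eid for eid, info in classify_idps(metadata_xml).items()
                  if info["sirtfi"] and info["security_contacts"] and (info["ecp"] or not require_ecp))


if __name__ == "__main__":
    for eid, info in sorted(classify_idps(SAMPLE_METADATA).items()):
        print(eid, info)
    print("admit:", trusted_idps(SAMPLE_METADATA, require_ecp=True))
```

Against the constructed aggregate only idp.good.example is admitted: idp.untagged.example has an ECP endpoint but no Sirtfi assertion, and idp.nocontact.example asserts Sirtfi without publishing the security contact the framework requires, which is worth treating as a metadata error rather than silently accepting. Before using such a filter on a real feed, verify the aggregate's XML signature and validity period as published by eduGAIN or the federation; this example parses an unsigned in-memory string and deliberately leaves that step out.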