KEK GRID CA updates
Takashi Sasaki
Computing Research Center
KEK
Operation statistics

• Issued certificates
  – User: valid 90, invalid 304
  – Host: valid 220, invalid 591
• Total number of users: 169
  – Disabled: 15
  – Inactive: 64
[Charts: number of issued certificates, accumulated, Apr-06 to Oct-08 (one chart with a 0 to 350 axis, one with a 0 to 800 axis split into user and host)]
Hardware replacement and operation changes

• We have upgraded the CA hardware, as reported earlier
• The operation procedure and role assignments are also going to be changed
  – We will soon update our CP/CPS according to this change
Organization diagram from CP/CPS

Old diagram (RA Server and CA Server inside the CA System):
- Security Officer: administrates all tasks on the CA system, including the CA private key (private key management)
- CA Operator: maintains the CA system (CA operation, hardware and software maintenance); creates user IDs and distributes them
- User Administrator: accepts user enrollment, examines user information and approves the user (reception desk, registration and endorsement)
- Help Desk
- Certificate User: a user using a certificate issued by KEK GRID CA
- Host Administrator: an administrator of a host using a certificate issued by KEK GRID CA

New diagram: an RA Operator role is added, responsible for RA operation (accept CSR, revocation, registration and user registration) together with the Help Desk. The task of creating user IDs and distributing them is delegated from the CA Operator to the RA Operator.
CA Operation Role Assignment

• Before March
  – Security Officer: Yoshimi Iida, Kohki Ishikawa
  – User Administrator: Takashi Sasaki
  – CA Operator: Yukinori Yokoshima, Minoru Nakaya
• After April
  – Security Officer: Yoshimi Iida, Manabu Matsui
  – User Administrator: Takashi Sasaki
  – CA Operator: Yukinori Yokoshima, Minoru Nakaya
  – RA Operator: Katsumi Kikuchi, Masato Wada
Operation Diagram: New User Registration

(Actors: Certificate User / Host Administrator, User Administrator, RA Operator, CA Operator, Security Officer; RA Server and CA Server inside the CA System)

1. Application with photo ID
2. Interview (reject, if needed)
3. Register user
4. Get initial password
5. Return user ID and initial password
6. Return user ID and initial password to end user
7. Change password
Operation Diagram: After User Registration

1. Request operation
2. System response

Once registered, Certificate Users and Host Administrators can access the RA directly to request CA services. They can perform the following activities:
- User profile self-management
- Password change
- Request user certificate
- Request host certificate
- Request certificate revocation
KEK GRID CA System Certificate Request Procedure (informational; not changed)

(Diagram: Client on the Internet; RA in the DMZ behind a firewall; CA with HSM behind a second firewall)

1. All users should download the NAREGI-CA package from the RA web and install it on their machines.
2. Users create a private key and certificate signing request (CSR) on their client machine using the client toolkit or the web browser extension (Internet Explorer only).
3. Users send the CSR to the RA server.
4. The RA server identifies and verifies the user, and then accepts the user's CSR.
5. The RA forwards the CSR to the CA.
6. The CA signs and publishes the new certificate with its private key, protected by the HSM.
7. The CA returns the signed certificate to the RA.
8. The RA returns the published signed certificate to the user.

* KEK GRID CA is based on NAREGI-CA software
** All network connections are encrypted with SSL
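The request flow above (client key and CSR, RA check, CA signature, user-side verification), shown as an added example with the openssl command-line tool standing in for the NAREGI-CA toolkit; this is not KEK's or NAREGI's code. The software CA key, the registered DN and the subject names are constructed assumptions; in the real system the CA key stays inside the HSM.

```sh
#!/bin/sh
# Walk-through of steps 2, 4, 6 and 8 of the KEK GRID CA request procedure
# using the openssl CLI. Added example: the software CA key below stands in
# for the HSM-protected key, and every DN is a constructed assumption.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# RA's registration record (constructed): the only DN approved for a user
# certificate. Any other subject is rejected at step 4.
REGISTERED_DN="CN=Example User,O=KEK,C=JP"

# Stand-in for the CA key and certificate (in production: inside the HSM).
openssl req -x509 -new -newkey rsa:2048 -nodes -subj "/C=JP/O=KEK/CN=Example CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -days 365 2>/dev/null

# Step 2: the client generates its own key pair and CSR; the private key never leaves the client.
make_csr() {  # $1 = output basename, $2 = subject in OpenSSL slash form
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# Step 4: the RA checks proof of possession (the CSR's self-signature) and
# that the requested subject matches a registered, approved user.
ra_accept_csr() {  # $1 = CSR path; returns 0 to accept, 1 to reject
  openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
  dn=$(openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
  [ "$dn" = "$REGISTERED_DN" ]
}

# Step 6: the CA signs the accepted CSR with its private key.
# Step 8 (user side): the returned certificate must chain to the CA certificate.
ca_sign() {  # $1 = CSR path, $2 = output certificate path
  openssl x509 -req -in "$1" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 -out "$2" 2>/dev/null
  openssl verify -CAfile "$WORK/ca.crt" "$2" >/dev/null 2>&1
}

# End to end: returns 0 when the CSR is accepted, signed and verifies; 1 when the RA rejects it.
request_certificate() {  # $1 = basename, $2 = subject
  make_csr "$1" "$2"
  ra_accept_csr "$WORK/$1.csr" || return 1
  ca_sign "$WORK/$1.csr" "$WORK/$1.crt"
}

request_certificate alice "/C=JP/O=KEK/CN=Example User" && echo "alice: certificate issued"
request_certificate mallory "/C=JP/O=KEK/CN=Unregistered User" || echo "mallory: rejected by RA"
```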
User Support and How to Handle Irregular Requests

(Actors: Certificate User / Host Administrator, Help Desk, User Administrator, RA Operator, CA Operator, Security Officer; RA Server and CA Server inside the CA System)

1. Request or question
2. Forward question
3. Sharing information
4. Perform response
External audit

• Hopefully at the end of May or June
• Volunteers needed
  – Anyone, please!