A Design for the LIGO Data Grid Security Infrastructure

Document #:

LIGO-T0900516-v4

Document type:

T - Technical notes

Abstract:

LIGO wishes to remove the burden from users of
requesting, retrieving, and managing X.509 digital
certificates and the associated private keys. This new
authentication and authorization infrastructure design
for the LIGO Data Grid (LDG) includes deploying
short-lived credential services (SLCS) using the
MyProxy server at all LIGO computing sites. In
this design LIGO and Virgo collaboration members
use their LIGO credentials (Kerberos principal
and password) to authenticate to the MyProxy
server and obtain a proxy credential suitable
for authentication to LIGO Data Grid services
and resources. Users no longer have to request,
retrieve, renew, or manage X.509 credentials.
Additionally this design includes infrastructure
for the automatic generation and deployment of
grid-mapfiles to remove from LIGO administrators
the burden of keeping by hand access control lists
current. Lastly, this design
includes details and specifications for a LIGO
Root CA, a subordinate CA for signing host and
service certificate requests, and subordinate
CAs to be used with the LIGO SLCS.

Files in Document:

• AuthComm-CA-Grid-Design.pdf (165.4 kB)

Other Files:

• AuthComm-CA-Grid-Design.tex (41.9 kB)

Topics:

• Computing/archiving

Authors:

• Scott Koranda

Keywords:

CA SLCS MyProxy LIGOmapper proxy grid