Tutorial on "GRID Computing“ EMBnet Conference 2008 CNR - ITB Authenticated Grid access with robot certificates Giuseppe LA ROCCA INFN.

Presentation transcript:

Tutorial on "GRID Computing", EMBnet Conference 2008, CNR - ITB
Authenticated Grid access with robot certificates
Giuseppe LA ROCCA, INFN Catania

Tutorial on "GRID Computing", EMBnet Conference 2008, 17 September 2008

Private and Public keys
Grid security is based on the concept of public key encryption. Each user (or other entity, like a server) has a private key, generated randomly.
– The private key must therefore be kept totally secure; if someone can steal it they can impersonate the owner completely.
Each private key is mathematically related to another number called the public key.
– As the name suggests, this can be known to everyone.
– Formally it is possible to calculate the private key from the public key, but in practice such a calculation is expected to take an unfeasibly long time (the time grows exponentially with the size of the keys).

Encryption
The keys are used with an encryption algorithm, i.e. a mathematical function which can be applied to any data to produce a coded version of the data.
– The algorithm has the property that data encrypted using the private key can be decrypted with the public key, and vice versa.

Advantage(s) and disadvantage(s) of the two families of algorithms:
– Symmetric algorithms: advantage: fast. Disadvantage: the secret key has to be exchanged with all the entities.
– Asymmetric algorithms: advantage: no need to exchange keys between the entities, more secure. Disadvantage: slow.

Certificates
To be useful, the public key has to be connected to some information about who the entity is. This is stored in a specific format known as an X.509 certificate.
An X.509 certificate contains:
– owner's public key;
– identity of the owner;
– info on the CA;
– time of validity;
– serial number;
– digital signature of the CA.
Example certificate shown on the slide:
Public key
Subject: C=CH, O=CERN, OU=GRID, CN=Andrea Sciaba 8968
Issuer: C=CH, O=CERN, OU=GRID, CN=CERN CA
Expiration date: Aug 26 08:08: GMT
Serial number: 625 (0x271)
CA Digital signature

Certification Authorities
Certificates are issued by a Certification Authority (CA).
How to obtain a certificate:
1. The user wants to get a certificate.
2. The user meets the RA (Registration Authority), which will verify the user's identity.
3. The RA will provide the user with a key to be used in the registration form to obtain a personal user certificate.

Proxies
To interact directly with a remote service, a certificate can be used to prove identity.
– However, in the Grid world it is often necessary for a remote service to act on a user's behalf (e.g. a job running on a remote site needs to be able to talk to other servers to transfer files).
– The solution is to use a proxy.
To make a proxy, a new public/private key pair is created; the proxy subject is the user's DN with an extra CN component, e.g.
/C=UK/O=eScience/OU=CLRC/L=RAL/CN=john smith/CN=proxy
Proxies normally have a rather short lifetime, typically 12 hours.
A proxy placed in /tmp must be readable only by the owner.
Figure labels: User certificate file; Private Key (Encrypted); Pass Phrase; User Proxy certificate file.

VO & VOMS
Grid users MUST belong to a Virtual Organization (VO), which defines groups, roles and capabilities.
The Virtual Organization Membership Service (VOMS) is a service responsible for maintaining information about the roles and privileges of users within a VO. It grants users authorization to access resources at VO level.
When the proxy is created, one or more VOMS servers are contacted, and they return a mini certificate known as an Attribute Certificate (AC), which is signed by the VO and contains information about group membership and any associated roles within the VO.

voms-proxy-init
voms-proxy-init --voms gilda
Your identity: /C=IT/O=GILDA/OU=Personal Certificate/L=INFN Catania/CN=Giuseppe La
Enter GRID pass phrase:
Your proxy is valid until Sat Feb 4 01:08:
Creating temporary proxy Done
Contacting voms.ct.infn.it:15001 [/C=IT/O=GILDA/OU=Host/L=INFN "gilda" Done
Creating proxy Done
Your proxy is valid until Sat Feb 4 01:08:

voms-proxy-info --all
subject : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN Catania/CN=Giuseppe La
issuer : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN Catania/CN=Giuseppe La
identity : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN Catania/CN=Giuseppe La
type : proxy
strength : 512 bits
path : /tmp/x509up_u512
timeleft : 11:55:52
=== VO gilda extension information ===
VO : gilda
subject : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN Catania/CN=Giuseppe La
issuer : /C=IT/O=GILDA/OU=Host/L=INFN
attribute : /gilda/Role=NULL/Capability=NULL
timeleft : 11:55:41
Slide callouts: the first block shows the standard Globus attributes; the "VO gilda extension information" block is the Attribute Certificate returned by VOMS.
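As an added example that is not part of the tutorial, the following standard-library Python script parses output laid out like the voms-proxy-info --all slide above and applies the checks a portal or submission script would want before using a proxy: that the subject and issuer derive from the reported identity once the trailing /CN=proxy components are stripped, that the key is not the 512-bit default, and that both the proxy and the gilda attribute certificate still have enough time left. The user DN in the sample is a constructed placeholder, not a real GILDA user.

```python
import re
# Constructed sample in the layout of the `voms-proxy-info --all` slide; the user DN is a placeholder.
SAMPLE = """\
subject   : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN Catania/CN=Example User/CN=proxy
issuer    : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN Catania/CN=Example User
identity  : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN Catania/CN=Example User
strength  : 512 bits
timeleft  : 11:55:52
=== VO gilda extension information ===
VO        : gilda
subject   : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN Catania/CN=Example User
attribute : /gilda/Role=NULL/Capability=NULL
timeleft  : 11:55:41
"""
PROXY_CN = re.compile(r"/CN=(proxy|limited proxy|\d+)$")  # one proxy-level CN at the end of a DN

def parse_voms_proxy_info(text):
    """Return (globus_fields, [one dict per VO extension]) from the tool's output."""
    globus, vos = {}, []
    for line in text.splitlines():
        if line.startswith("=== VO "):               # a VOMS AC block begins
            vos.append({})
        else:
            key, sep, value = line.partition(":")    # first ':' only; timeleft keeps its own
            if sep:
                (vos[-1] if vos else globus)[key.strip()] = value.strip()
    return globus, vos

def identity_from_subject(dn):
    """Peel trailing proxy CNs (/CN=proxy, /CN=limited proxy, RFC 3820 number) off a DN."""
    while PROXY_CN.search(dn):
        dn = PROXY_CN.sub("", dn)
    return dn

def timeleft_s(value):                               # "HH:MM:SS" -> seconds
    h, m, s = (int(x) for x in value.split(":"))
    return h * 3600 + m * 60 + s

def check_proxy(text, vo, min_left_s=3600, min_bits=1024):
    """Map each sanity check to True/False; all True means the proxy is usable for VO `vo`."""
    globus, vos = parse_voms_proxy_info(text)
    identity = globus.get("identity", "")
    acs = [v for v in vos if v.get("VO") == vo and v.get("subject") == identity]
    return {
        "subject_derives_from_identity": identity_from_subject(globus.get("subject", "")) == identity,
        "issuer_is_identity_or_its_proxy": identity_from_subject(globus.get("issuer", "")) == identity,
        "key_at_least_min_bits": int(globus.get("strength", "0 bits").split()[0]) >= min_bits,
        "proxy_time_left": timeleft_s(globus.get("timeleft", "0:0:0")) >= min_left_s,
        "voms_ac_for_vo_valid": bool(acs) and timeleft_s(acs[0].get("timeleft", "0:0:0")) >= min_left_s,
    }
```

On the sample every check passes except the key length, which reflects the 512-bit default shown on the slides.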

Robot Certificates
1. Starting from Feb, the Italian INFN CA will also start to issue Robot Certificates. Thanks to these new certificates, biologists will be able to access the grid by sharing the certificate installed on the portal.
2. The UK and NL CAs are already issuing robot certificates.
3. A robot certificate is a personal credential which can perform automated tasks on behalf of the user.

A glance at a robot certificate
Your identity: /C=IT/O=GILDA/OU=Robots/L=INFN Catania/CN=Robot: MrBayes - Giuseppe La Rocca
Creating temporary proxy Done
Contacting voms.ct.infn.it:15001 [/C=IT/O=INFN/OU=Host/L=Catania/CN=voms.ct.infn.it] "gilda" Done
Creating proxy Done
Your proxy is valid until Thu May 8 21:42:

Robot Certificates
In order to strongly reduce the risk of having the portal certificate compromised, and to improve security, the INFN CA has decided to issue this new certificate on board the Aladdin eToken PRO 32K smart card. Each smart card can hold several robot certificates: one for each application the user wants to share with others.
– The user's PIN is prompted every time the user tries to read the certificate on the smart card to generate a proxy.
– A first prototype of a Grid Portal using a robot certificate on this hardware has been successfully designed.

Using the eToken PRO to generate proxies
Once your grid certificate and private key are safely stored on your eToken, you can generate grid proxies directly from the eToken. A shell script, mkproxy, was written for this purpose.
– This script requires quite a few special programs and libraries, which need to be installed before attempting to use the mkproxy script.
The mkproxy script has been tested on:
– Windows XP (using cygwin)
– Linux Fedora Core 5 (fc5)
– Linux CentOS 4, Scientific Linux 4 (rhel4)
– Linux OpenSuse 10 (suse10)
– In the near future we hope to test it on MacOS X as well.

Testing
If you have installed a single grid certificate on your eToken, you can now generate a grid proxy by issuing the command:
mkproxy --label="Robot:MrBayes"
Starting Aladdin eToken PRO proxy generation
Found X.509 certificate on eToken:
label: (eTCAPI) Robot:MrBayes – Giuseppe La Rocca's GILDA ID
id: d d d d a31
Your identity: /C=IT/O=GILDA/L=INFN Catania/CN=Robot:Genius – Giuseppe La Rocca
Generating a 512 bit RSA private key
writing new private key to 'proxykey.D17633'
engine "pkcs11" set.
Signature ok
subject=/C=IT/O=GILDA/L=INFN Catania/CN=Robot:MrBayes – Giuseppe La Rocca /CN=proxy
Getting CA Private Key
PKCS#11 token PIN:
Your proxy is valid until: Sun Feb 24 03:58:09 CEST
Add the VOMS extensions by running the command:
voms-proxy-init --noregen -voms

mkproxy command line options
/bin/mkproxy --help
mkproxy version 1.40
This script will generate an X509 grid proxy using a public/private key pair found on an attached Aladdin eToken PRO.
Options:
[--help]            Displays usage.
[--version]         Displays version.
[--debug]           Enables extra debug output.
[--quiet]           Quiet mode, minimal output.
[--limited]         Creates a limited globus proxy.
[--old]             Creates a legacy globus proxy (default).
[--gt3]             Creates a pre-RFC3820 compliant proxy.
[--rfc]             Creates a RFC3820 compliant proxy.
[--days=N]          Number of days the proxy is valid.
[--valid=HH:MM]     Proxy is valid for HH hours and MM minutes (default=12:00).
[--path-length=N]   Allow a chain of at most N proxies to be generated from this one (default=2).
[--bits=N]          Number of bits in key (512, 1024, 2048, default=512).
[--out=proxyfile]   Non-standard location of new proxy cert.

References & Questions
Using the eToken PRO to generate grid proxies [Jan Just Keijser] (URL truncated in the original: http:// _eToken_PRO_to_generate_grid_proxies)