Authentication Services Grid security concepts and tools D. Cesini (INFN-CNAF), V.Ciaschini (INFN-CNAF), A.Paolini (INFN-CNAF) INFN Grid School, CNAF, Bologna 26-29/12/2007

INFN Grid School 26-30/11/

Summary
Security concepts:
- Symmetric encryption algorithms
- Asymmetric encryption algorithms
- PKI
- Digital signature
- Digital certificates
Grid security:
- VOMS certificates
- MyProxy

Glossary
- Principal: an entity, i.e. a user, a program or a machine
- Credentials: data providing proof of identity
- Authentication: verifying the identity of a principal
- Authorization: mapping an (authenticated) principal to a set of privileges
- Confidentiality: encrypting a message so that only the intended recipient can read it
- Integrity: ensuring that a message has not been altered in transit
- Non-repudiation: the signer cannot later deny having produced a digital signature

Cryptography
Mathematical algorithms that provide the building blocks for the implementation of a security infrastructure.
Notation:
- Plaintext: M
- Ciphertext: C
- Encryption with key K1: E_K1(M) = C
- Decryption with key K2: D_K2(C) = M
Algorithms:
- Symmetric: K1 = K2
- Asymmetric: K1 ≠ K2
(Figure: M is turned into C by Encryption under K1, and C back into M by Decryption under K2.)

Symmetric Algorithms
(Figure: Paul encrypts "ciao" into "3$r" and John decrypts "3$r" back into "ciao" using the same key.)
The same key is used for encryption and decryption.
Advantages: fast.
Disadvantages: how to distribute the keys? Every pair of communicating parties needs its own secret key, so with n parties the number of keys is O(n^2).
Examples: DES, 3DES, Rijndael (AES), Blowfish.
Caveat: DES (56-bit key) is obsolete and can be brute-forced; AES is the current standard choice.

Asymmetric Algorithms (Public Key)
(Figure: John and Paul each hold a key pair, one public and one private. Paul encrypts "ciao" into "3$r" with John's public key and John decrypts it with his private key; in the other direction John encrypts "ciao" into "cy7" with Paul's public key and Paul decrypts it with his private key.)
Every user has two keys, one private and one public:
- it is computationally hard to derive the private key from the public one;
- a message encrypted with one key can be decrypted only with the other one.
No exchange of secrets is necessary:
- the sender encrypts using the public key of the receiver;
- the receiver decrypts using his private key;
- the number of keys is O(n).
Examples:
- Diffie-Hellman (1976): a key-agreement protocol rather than an encryption algorithm;
- RSA (1978).

One-Way Hash Functions
Functions H that, given a variable-length message M as input, produce a fixed-length string h = H(M) as output:
- the length of h must be at least 128 bits, because a birthday attack finds a collision after roughly 2^(length/2) trials;
- given M, it must be easy to compute H(M) = h;
- given h, it must be hard to find an M with H(M) = h (preimage resistance);
- given M, it must be hard to find an M' ≠ M with H(M') = H(M) (collision resistance).
Examples:
- MD4/MD5: 128-bit hash;
- SHA-1 (FIPS standard): 160-bit hash.
Caveat: MD4, MD5 and SHA-1 are no longer collision resistant; new deployments should use SHA-2 (e.g. SHA-256) or SHA-3.

Hash functions in practice (md5sum):
$ cat prova1
testo di prova
$ md5sum prova1
909adc30dcc15239ac640b52d33a12b2  prova1
$ cat prova2
testo di prove
$ md5sum prova2
c89ee15b2f056edfbef2dcb62b2249aa  prova2
$ ls -l /bin/ls
-rwxr-xr-x 1 root root Dec /bin/ls
$ md5sum /bin/ls
2636c546ce5ca69687f5dfc74cc3175e  /bin/ls
A one-character change in the input (prova vs. prove) gives a completely different digest.
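The birthday bound mentioned on the hash-function slide, as an added example that is not part of the original slides: a birthday search against SHA-256 truncated to 32 bits finds two distinct inputs with the same truncated digest after tens of thousands of hashes, which is exactly why a digest has to be long enough that 2^(length/2) work is out of reach. The inputs are constructed counter strings; the bit-difference count on the full digests shows that even a one-character change, like prova/prove above, flips about half of the output bits.

```python
# Added example (not from the original slides): why digest length matters.
# A birthday search finds a collision for an n-bit digest after roughly
# 2**(n/2) trials. Truncating SHA-256 to 32 bits makes that about 65,000
# hashes, which runs in well under a second; for a full 128-bit or 256-bit
# digest the same search needs 2**64 or 2**128 hashes and is infeasible.
import hashlib


def truncated_hash(message: bytes, bits: int) -> int:
    """SHA-256 of `message`, keeping only the first `bits` bits of the digest."""
    digest = hashlib.sha256(message).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def find_collision(bits: int, prefix: bytes = b"msg-"):
    """Birthday search: hash distinct messages until two share a truncated
    digest. Returns (m1, m2, trials) with m1 != m2 and equal truncated hashes.
    Messages are constructed as prefix + counter, so the run is deterministic."""
    seen = {}
    counter = 0
    while True:
        message = prefix + str(counter).encode()
        h = truncated_hash(message, bits)
        if h in seen:
            return seen[h], message, counter + 1
        seen[h] = message
        counter += 1


def avalanche_bits(m1: bytes, m2: bytes) -> int:
    """Number of differing bits between the full SHA-256 digests of m1 and m2."""
    a = int.from_bytes(hashlib.sha256(m1).digest(), "big")
    b = int.from_bytes(hashlib.sha256(m2).digest(), "big")
    return bin(a ^ b).count("1")


if __name__ == "__main__":
    m1, m2, trials = find_collision(32)
    print(f"32-bit collision after {trials} trials: {m1!r} vs {m2!r}")
    # The same two inputs differ in about half of the 256 bits of the full digest:
    print(f"full SHA-256 digests differ in {avalanche_bits(m1, m2)} of 256 bits")
    # The slide's two files differ by one character and get unrelated sums:
    print(avalanche_bits(b"testo di prova\n", b"testo di prove\n"), "of 256 bits differ")
```

Raising `bits` to 40 makes the search take about sixteen times longer; that quadratic-looking growth (doubling the work for every two extra bits) is the birthday bound at work.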

Digital Signature
(Figure: Paul signs "This is some message" with his private key and sends the message together with the digital signature to John; John recomputes the hash, Hash(B), and compares it with the hash Hash(A) recovered from the signature with Paul's public key.)
- hash: Paul computes the hash of the message;
- digital signature: Paul encrypts the hash with his private key; the encrypted hash is the digital signature. Paul sends the signed message to John;
- verification: John computes the hash of the received message and compares it with the hash he obtains by decrypting the received signature with Paul's public key.
If the two hashes are equal, the message was not modified and Paul cannot repudiate it.

Digital Certificates
Paul's digital signature is safe only if:
- Paul's private key is not compromised;
- John knows Paul's public key.
How can John be sure that Paul's public key is really Paul's and not someone else's?
- A third party guarantees the correspondence between the public key and the owner's identity.
- Both Paul and John must trust this third party.
Two models:
- X.509: hierarchical organization;
- PGP: "web of trust".

PGP "web of trust"
(Figure: a graph of six parties, A to F, joined by "knows" edges.)
F knows D and E; D and E know A and C; C knows A and B. F is therefore reasonably sure that the key received from A is really A's.

X.509 Certificates
- The "third party" is called Certification Authority (CA).
- CAs issue digital certificates for users, programs and machines.
- The CA checks the identity and the personal data of the requestor; Registration Authorities (RAs) do the actual validation.
- CAs periodically publish a list of compromised certificates: the Certificate Revocation List (CRL) contains all revoked certificates that have not yet expired. A relying party must fetch the CRL and check it: a certificate whose CA signature verifies may still have been revoked.
- CA certificates are self-signed.

X.509 Certificates
An X.509 certificate contains:
- the owner's public key;
- the identity of the owner;
- information on the CA;
- the validity period;
- the serial number;
- the digital signature of the CA.
Structure of an X.509 certificate (example):
Public key
Subject: C=IT, O=INFN, OU=Personal Certificate, L=CNAF, CN=Daniele Cesini
Issuer: C=IT, O=INFN, CN=INFN Certification Authority
Expiration date: May 10 14:15: GMT
Serial number: 080E
CA digital signature

Which CAs are trusted in LCG/EGEE?
"The EUGridPMA is the international organization to coordinate the trust fabric for e-Science grid authentication in Europe. It collaborates with the regional peers APGridPMA for the Asia-Pacific and The Americas Grid PMA in the International Grid Trust Federation. The charter document defines the group's objective, scope and operation. It is the basis for the guidelines documents on the accreditation procedure, the Authentication profile for X.509 secured "classic" certification authorities and other IGTF recognised Profiles."
In LCG/EGEE the CA certificates are installed on the machines through rpms. The official production apt repository for the CAs is:
rpm LCG-CAs/current production
apt-get install lcg-CA
lcg-CA is a metapackage that installs all the LCG CAs.

grid-cert-info
$ cat .globus/usercert.pem
-----BEGIN CERTIFICATE-----
MIIF1zCCBL+gAwIBAgICCA4wDQYJKoZIhvcNAQEEBQAwQzELMAkGA1UEBhMCSVQx
DTALBgNVBAoTBElORk4xJTAjBgNVBAMTHElORk4gQ2VydGlmaWNhdGlvbiBBdXRo
b3JpdHkwHhcNMDQwNTEwMTMxNTIyWhcNMDUwNTEwMTMxNTIyWjCBjzELMAkGA1UE
BhMCSVQxDTALBgNVBAoTBElORk4xHTAbBgNVBAsTFFBlcnNvbmFsIENlcnRpZmlj
YXRlMQ0wCwYDVQQHEwRDTkFGMRcwFQYDVQQDEw5EYW5pZWxlIENlc2luaTEqMCgG
CSqGSIb3DQEJARYbZGFuaWVsZS5jZXNpbmlAY25hZi5pbmZuLml0MIIBIjANBgkq
hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnEvVPBpTjKLA4F0K+Zgc8pWyEPGDnwLW
glktBI6+mYTLuemPzgkZ4CTyrZL7bw5ywXUe717e1Rmg6wDfPANRLkxxRNKNaron
kS19eNKjPYpklEKNq2gSGsK0/SsYB2YUG4kWLqtFC93x1Ffdc1Tz0xgrXH3kC0jq
NqHImDrbpB7VtvAGC7/e/EJhy9MvlPA4W2vbUnwBocjMA/en3GXs2KY19tbFA3Tg
jyIpCMbIeu3GlyTnbSJFoy3eeHkNLsf9c29RAJ5gWxMF7arM++NyURQ9qaEdMINj
Cqb7dHJEj8E/AwSsYeWmWHfaPXnjj5aP23UlRTc31nSwh+5y0bMnFwIDAQABo4IC
hjCCAoIwDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCBPAwNgYDVR0fBC8wLTAr
oCmgJ4YlaHR0cDovL3NlY3VyaXR5LmZpLmluZm4uaXQvQ0EvY3JsLmNybDAXBgNV
HSAEEDAOMAwGCisGAQQB0SMKAQQwHQYDVR0OBBYEFCM+8mfoaenmQ76tHy+7hX+5
RKJ6MGsGA1UdIwRkMGKAFMoR710dBwSYqaW1WBpmTgoWK+BJoUekRTBDMQswCQYD
VQQGEwJJVDENMAsGA1UEChMESU5GTjElMCMGA1UEAxMcSU5GTiBDZXJ0aWZpY2F
END CERTIFICATE-----
A PEM file is base64-encoded DER, so something is needed to understand what is written inside a certificate: try to look inside one with a text editor, then use the grid-cert-info command (e.g. on a UI).
Usage: grid-cert-info [option] -f cert_file.pem
where option can be: -all, -subject, -issuer, -startdate, -enddate, -help

grid-cert-info
[cesini]$ grid-cert-info -f .globus/usercert.pem -subject -enddate -startdate -issuer
/C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Daniele
Apr 16 17:50: GMT
Apr 17 17:50: GMT
/C=IT/O=INFN/CN=INFN CA
Try to run grid-cert-info on your own certificate.

grid-cert-info
Gather info about a certificate in the trust-store directory /etc/grid-security/certificates/ (present on every service host, e.g. a CE, and on the UI):
[cesini]$ grid-cert-info -all -f /etc/grid-security/certificates/2f3fadf6.0
[cesini]$ grid-cert-info -file /etc/grid-security/certificates/2f3fadf6.0
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=IT, O=INFN, CN=INFN CA
        Validity
            Not Before: Oct 3 14:16: GMT
            Not After : Oct 3 14:16: GMT
        Subject: C=IT, O=INFN, CN=INFN CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:ce:95:8e:0e:83:95:9d:42:a9:ca:29:23:ca:b7:
                    63:f9:0a:49:ba:82:5e:2a:4a:85:e1:f6:dd:e8:ba:
                    ea:79:02:f4:76:a0:22:96:e5:51:f0:3e:32:fd:3d:
                    .......
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier:
                D1:62:F3:B3:77:72:C8:2E:FB:F2:79:1A:6F:37:4E:27:9F:13:D5:20
            X509v3 Authority Key Identifier:
                keyid:D1:62:F3:B3:77:72:C8:2E:FB:F2:79:1A:6F:37:4E:27:9F:13:D5:20
                DirName:/C=IT/O=INFN/CN=INFN CA
                serial:00
    Signature Algorithm: sha1WithRSAEncryption
        78:d7:d3:3f:b7:3f:72:72:40:62:01:23:96:80:5c:e4:b7:36:
        e0:c4:7f:43:1d:a8:22:c5:20:6b:17:8e:db:c8:9b:69:03:48:
        c4:86:40:e8:39:b9:99:c9:2d:30:21:69:3f:a0:5f:97:8d:90:
        37:73:86:eb:89:12:05:b5:14:f1:83:cb:62:1f:eb:38:03:e1:
        ........
[cesini]$ openssl verify /etc/grid-security/certificates/2f3fadf6.0
/etc/grid-security/certificates/2f3fadf6.0: /C=IT/O=INFN/CN=INFN CA
error 18 at 0 depth lookup:self signed certificate
OK
This file is the self-signed INFN CA certificate: Issuer equals Subject, Basic Constraints says CA:TRUE, Key Usage is limited to signing certificates and CRLs, and the Authority Key Identifier equals the Subject Key Identifier. The "error 18 ... self signed certificate" line is openssl verify reporting that no trust anchor was supplied, not that the certificate is bad: to check a certificate against the installed CAs, pass the trust store with -CApath /etc/grid-security/certificates.

The Grid Security Infrastructure (GSI)
(Figure: John sends his certificate; Paul verifies the CA signature and sends a random phrase plus timestamp; John encrypts the hash of it with his private key; Paul decrypts with John's public key and compares with the hash of the original phrase.)
Based on X.509 PKI. Every Grid transaction is mutually authenticated:
- John sends his certificate;
- Paul verifies the CA signature on John's certificate;
- Paul sends John a challenge string (a random phrase plus a timestamp);
- John encrypts the hash of the challenge string with his private key (i.e. he signs it);
- John sends the encrypted hash back to Paul;
- Paul uses John's public key (taken from the certificate) to decrypt the hash;
- Paul compares the decrypted value with the hash of the original challenge.
If they match, Paul has verified John's identity and John cannot repudiate it. Mutual authentication means the same exchange also runs in the other direction, so John verifies Paul.
Attention: if Bill is in the middle and manages to obtain John's private key he can impersonate John! Private keys must be stored in protected places and in encrypted form (this is what the "GRID pass phrase" asked by voms-proxy-init protects).

The Grid Security Infrastructure (GSI)
On the Grid, who is John and who is Paul? Which entities need a certificate?
(Figure: the user submits with glite-wms-job-submit from the UI to the WMS, which dispatches to a CE and its WNs; the LFC, BDII and SE are also shown.)
A certificate is needed for: the user (not the UI host), RB/WMS, CE, VOMS, SE, LFC, FTS, MyProxy.
A certificate is NOT needed for: WN, BDII, UI.

X.509 Proxy Certificate
On the Grid the user does not use his own long-lived certificate directly: security problems would arise if the long-lived private key had to be handed to every job and service.
The X.509 Proxy Certificate is the GSI extension to X.509 identity certificates (standardized as RFC 3820):
- it has a limited lifetime (hours, not years);
- it is signed by the normal end-entity certificate or by another proxy, so a relying party verifies the chain proxy -> (proxy ->) user certificate -> CA;
- delegation = remote creation of a (second level) proxy credential;
- it allows a remote process to authenticate on behalf of the user.
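The mechanics of the "Digital Signature", "The Grid Security Infrastructure (GSI)" and "X.509 Proxy Certificate" slides, as one added example that is not code from the original slides nor from gLite or Globus. It uses textbook RSA over SHA-256 with freshly generated 512-bit keys in place of PKCS#1 signatures, and a dict in place of an X.509/RFC 3820 certificate; the CA and user names mirror the slides, the clock values and lifetimes are constructed. It is for illustration only; real deployments use OpenSSL or an equivalent library.

```python
# Added example (not from the original slides): toy signature, certificate
# chain and GSI challenge-response. Textbook RSA stands in for PKCS#1,
# a dict for an X.509 certificate, and an integer clock for real time.
import hashlib, json, os, random

def _is_probable_prime(n, rounds=25):
    """Miller-Rabin primality test (small trial division first)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits):
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1   # exact length, odd
        if _is_probable_prime(c):
            return c

def keygen(bits=512):
    """(public, private) = ((e, n), (d, n)); n >= 2**510, so a 256-bit hash is < n."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:                 # e is prime, so gcd(e, phi) == 1
            return (e, p * q), (pow(e, -1, phi), p * q)

def _h(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(private, data):                       # "encrypt the hash with the private key"
    return pow(_h(data), private[0], private[1])

def verify(public, data, signature):           # "decrypt with the public key", compare hashes
    return pow(signature, public[0], public[1]) == _h(data)

def _tbs(cert):
    """Canonical to-be-signed bytes: every field except the signature."""
    return json.dumps({k: v for k, v in cert.items() if k != "sig"}, sort_keys=True).encode()

def issue(subject, subject_pub, issuer_name, issuer_priv, not_after, proxy=False):
    cert = {"subject": subject, "issuer": issuer_name, "pub": list(subject_pub),
            "not_after": not_after, "proxy": proxy}
    cert["sig"] = sign(issuer_priv, _tbs(cert))
    return cert

def verify_chain(chain, trusted_cas, now):
    """chain = [leaf, ..., end-entity cert]; trusted_cas = {name: self-signed CA cert}.
    Each cert must be unexpired and signed by the next one (the last by a trusted CA);
    a proxy is named '<issuer subject>/CN=proxy' and is never signed directly by a CA."""
    for i, cert in enumerate(chain):
        if cert["not_after"] <= now:
            return False
        if i + 1 < len(chain):
            issuer = chain[i + 1]
            if not cert["proxy"] or cert["subject"] != issuer["subject"] + "/CN=proxy":
                return False
        else:
            issuer = trusted_cas.get(cert["issuer"])
            if issuer is None or cert["proxy"]:
                return False
            if not verify(tuple(issuer["pub"]), _tbs(issuer), issuer["sig"]):
                return False               # CA certificates are self-signed
        if cert["issuer"] != issuer["subject"] or not verify(tuple(issuer["pub"]), _tbs(cert), cert["sig"]):
            return False
    return True

def gsi_handshake(chain, leaf_priv, trusted_cas, now):
    """Paul's half of the GSI exchange: verify John's chain, send a fresh
    challenge, check John's signature on it with the leaf public key."""
    if not verify_chain(chain, trusted_cas, now):
        return False
    challenge = os.urandom(32) + str(now).encode()    # random phrase + timestamp
    return verify(tuple(chain[0]["pub"]), challenge, sign(leaf_priv, challenge))

def build_demo_pki(now):
    """Constructed CA -> user -> 12-hour proxy chain; names mirror the slides."""
    ca_pub, ca_priv = keygen()
    ca_name = "/C=IT/O=INFN/CN=INFN CA"
    ca = issue(ca_name, ca_pub, ca_name, ca_priv, now + 10 * 365 * 86400)
    user_pub, user_priv = keygen()
    user = issue("/C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Daniele Cesini",
                 user_pub, ca_name, ca_priv, now + 365 * 86400)
    proxy_pub, proxy_priv = keygen()
    proxy = issue(user["subject"] + "/CN=proxy", proxy_pub, user["subject"], user_priv,
                  now + 12 * 3600, proxy=True)
    return {ca_name: ca}, [proxy, user], proxy_priv, user_priv

if __name__ == "__main__":
    now = 1_000_000_000                                   # constructed clock
    trusted, chain, proxy_priv, _ = build_demo_pki(now)
    print("chain ok:", verify_chain(chain, trusted, now), "| handshake:", gsi_handshake(chain, proxy_priv, trusted, now))
    print("13 h later:", verify_chain(chain, trusted, now + 13 * 3600), "| Bill, own key:", gsi_handshake(chain, keygen()[1], trusted, now))
```

Two things to notice: a proxy is verified by walking up to the user certificate and then to a CA in the trust store, which is what `/etc/grid-security/certificates` provides on a service host; and the challenge is fresh random data, so a captured answer cannot be replayed. The proxy's private key sits unencrypted in `/tmp/x509up_u<uid>`, which is why its lifetime is kept short.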

Virtual Organizations and voms-proxy-init
To submit to the Grid, a personal certificate is not the end of the story: users MUST join at least one of the groups allowed to use the Grid resources, i.e. a Virtual Organization (VO).
The proxy obtained with grid-proxy-init does not contain information about your VO. VOMS (Virtual Organization Membership Service) extends the proxy with VO membership, group, role and capability information.
Related commands:
- voms-proxy-init
- voms-proxy-destroy
- voms-proxy-info
- voms-proxy-list

Groups and Roles in VOMS
Every user in a VO belongs to at least one group:
- e.g. /infngrid
and may also belong to some subgroups:
- e.g. /infngrid/g1, /infngrid/g2, meaning subgroups g1 and g2 of /infngrid.
There are also roles:
- e.g. /Role=VO-Admin
Roles make sense only in the context of a group:
- e.g. /Role=VO-Admin in the group /infngrid.
The compact way of describing this is the Fully Qualified Attribute Name (FQAN):
- /infngrid/Role=VO-Admin means holding the role VO-Admin in the group /infngrid.
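How a resource might turn the FQANs above into a local authorization decision, as an added example that is not part of the original slides and not gLite's own mapping code: parse each FQAN into group, role and capability, then match it against an ordered policy. The policy table and the account names are constructed for the example; a real site configures this in its grid-mapfile/LCMAPS setup, which has its own syntax.

```python
# Added example (not from the original slides): FQAN parsing and matching as a
# site could do when mapping a VOMS proxy to local privileges. POLICY and the
# account names are constructed; the FQANs are the ones shown on the slides.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class FQAN:
    group: str                  # "/infngrid" or a subgroup such as "/infngrid/prova"
    role: Optional[str]         # None when the FQAN says Role=NULL
    capability: Optional[str]   # None when Capability=NULL (unused in practice)


def _none_if_null(value):
    return None if value in (None, "NULL") else value


def parse_fqan(text: str) -> FQAN:
    """Parse '/vo[/subgroup...][/Role=X][/Capability=Y]'. Group components come
    first; Role and Capability are optional and NULL means 'not set'."""
    if not text.startswith("/"):
        raise ValueError(f"FQAN must start with '/': {text!r}")
    groups, role, cap = [], None, None
    for part in text[1:].split("/"):
        if part.startswith("Role="):
            role = part[len("Role="):]
        elif part.startswith("Capability="):
            cap = part[len("Capability="):]
        elif role is not None or cap is not None or part == "":
            raise ValueError(f"malformed FQAN: {text!r}")
        else:
            groups.append(part)
    return FQAN("/" + "/".join(groups), _none_if_null(role), _none_if_null(cap))


def fqan_matches(pattern: str, fqan: FQAN) -> bool:
    """A pattern is an FQAN, optionally ending in '/*' to cover the group and all
    its subgroups. A Role in the pattern must match exactly; a pattern without a
    Role matches plain membership of the group, whatever role is held."""
    wildcard = pattern.endswith("/*")
    pat = parse_fqan(pattern[:-2] if wildcard else pattern)
    group_ok = fqan.group == pat.group or (wildcard and fqan.group.startswith(pat.group + "/"))
    return group_ok and (pat.role is None or pat.role == fqan.role)


# Constructed site policy: most specific rule first, first match wins.
POLICY = [
    ("/infngrid/Role=VO-Admin", "infngridadmin"),
    ("/infngrid/Role=SoftwareManager", "infngridsgm"),
    ("/infngrid/*", "infngrid001"),
]


def map_to_account(attributes: List[str]) -> Optional[str]:
    """Local account for a proxy's FQANs, or None if no rule applies. Rules are
    tried in policy order, so a proxy carrying Role=VO-Admin gets the admin
    account even though its plain membership FQAN would also match the last rule."""
    parsed = [parse_fqan(a) for a in attributes]
    for pattern, account in POLICY:
        for fqan in parsed:
            if fqan_matches(pattern, fqan):
                return account
    return None
```

A proxy made with plain `voms-proxy-init --voms infngrid` carries only `/infngrid/Role=NULL/Capability=NULL` and maps to the ordinary account; only a proxy that explicitly requested `/infngrid/Role=VO-Admin` reaches the privileged one, which is the point of keeping roles out of the default proxy.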

voms-proxy-init
voms-proxy-init creates your proxy for the Grid: if you forget this command, nothing will work!
It has many, many options, most of them advanced; only basic usage is shown here. Two things are important:
- if you are reporting a bug, add --debug to the voms-proxy-init command line before reporting the output;
- run 'voms-proxy-init --version' to discover which version you have: the version of gLite or LCG you have is useless for this.

voms-proxy-init: basic usage
[marotta]$ voms-proxy-init --voms infngrid
Your identity: /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini
Enter GRID pass phrase:
Creating temporary proxy Done
Contacting voms.cnaf.infn.it:15000 [/C=IT/O=INFN/OU=Host/L=CNAF/CN=voms.cnaf.infn.it] "infngrid" Done
Creating proxy Done
Your proxy is valid until Thu Nov 22 03:19:
[marotta]$ voms-proxy-info --all
subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy
issuer : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini
identity : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini
type : proxy
strength : 512 bits
path : /tmp/x509up_u514
timeleft : 11:59:54
=== VO infngrid extension information ===
VO : infngrid
subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini
issuer : /C=IT/O=INFN/OU=Host/L=CNAF/CN=voms.cnaf.infn.it
attribute : /infngrid/Role=NULL/Capability=NULL
attribute : /infngrid/prova/Role=NULL/Capability=NULL
timeleft : 11:59:54
Note the structure: the proxy's subject is the user's DN with /CN=proxy appended, its issuer is the user certificate, and the VO extension is a separate attribute certificate issued by the VOMS server with its own lifetime. The 512-bit proxy key shown here is weak by today's standards.

What attributes can you request?
$ voms-proxy-list --voms infngrid
Enter GRID pass phrase:
Your identity: /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini
Cannot find file or dir: /home/marotta//.glite/vomses
Creating temporary proxy Done
Contacting voms.cnaf.infn.it:15000 [/C=IT/O=INFN/OU=Host/L=CNAF/CN=voms.cnaf.infn.it] "infngrid" Done
Available attributes:
/infngrid/Role=NULL/Capability=NULL
/infngrid/Role=VO-Admin/Capability=NULL
/infngrid/Role=SoftwareManager/Capability=NULL
/infngrid/prova/Role=NULL/Capability=NULL

voms-proxy-init: basic usage (requesting all attributes)
$ voms-proxy-init --voms infngrid:all
Your identity: /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini
[... omissis ...]
Your proxy is valid until Thu Nov 22 03:31:
$ voms-proxy-info --all
subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy
issuer : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini
identity : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini
type : proxy
strength : 512 bits
path : /tmp/x509up_u514
timeleft : 11:59:55
=== VO infngrid extension information ===
VO : infngrid
subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini
issuer : /C=IT/O=INFN/OU=Host/L=CNAF/CN=voms.cnaf.infn.it
attribute : /infngrid/Role=NULL/Capability=NULL
attribute : /infngrid/Role=VO-Admin/Capability=NULL
attribute : /infngrid/Role=SoftwareManager/Capability=NULL
attribute : /infngrid/prova/Role=NULL/Capability=NULL
timeleft : 11:59:55
With :all every role you hold ends up in the proxy; request only the attributes a job actually needs, because every service the proxy is delegated to can act with those roles.

voms-proxy-init: basic usage (requesting a role)
$ voms-proxy-init --voms infngrid:/infngrid/Role=VO-Admin
Your identity: /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini
Enter GRID pass phrase:
Creating temporary proxy Done
Contacting voms.cnaf.infn.it:15000 [/C=IT/O=INFN/OU=Host/L=CNAF/CN=voms.cnaf.infn.it] "infngrid" Done
Creating proxy Done
Your proxy is valid until Thu Nov 22 03:31:
$ voms-proxy-info --all
subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy
issuer : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini
identity : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini
type : proxy
strength : 512 bits
path : /tmp/x509up_u514
timeleft : 11:59:58
=== VO infngrid extension information ===
VO : infngrid
subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini
issuer : /C=IT/O=INFN/OU=Host/L=CNAF/CN=voms.cnaf.infn.it
attribute : /infngrid/Role=VO-Admin/Capability=NULL
attribute : /infngrid/Role=NULL/Capability=NULL
attribute : /infngrid/prova/Role=NULL/Capability=NULL
timeleft : 11:59:58
The requested role is listed first, followed by the plain membership attributes; the order of the attributes is what services that take "the first FQAN" use for their mapping.

voms-proxy-init: advanced usage (proxy lifetime)
$ voms-proxy-init --voms infngrid --valid 10:00
Your identity: /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini
Enter GRID pass phrase:
Creating temporary proxy Done
Contacting voms.cnaf.infn.it:15000 [/C=IT/O=INFN/OU=Host/L=CNAF/CN=voms.cnaf.infn.it] "infngrid" Done
Creating proxy Done
Your proxy is valid until Thu Nov 22 01:51:
$ voms-proxy-init --voms infngrid --valid 1000:00
Your identity: /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini
Enter GRID pass phrase:
Creating temporary proxy Done
Contacting voms.cnaf.infn.it:15000 [/C=IT/O=INFN/OU=Host/L=CNAF/CN=voms.cnaf.infn.it] "infngrid"
Warning: voms.cnaf.infn.it:15000: The validity of this VOMS AC in your proxy is shortened to seconds!
Done
Creating proxy Done
Your proxy is valid until Wed Jan 2 07:52:
The second run is not an error, but the warning matters: the VOMS server enforces a maximum lifetime for the attribute certificate (AC) it issues, so the proxy itself is valid for 1000 hours while the VO attributes inside it expire much earlier.

$ voms-proxy-info --all
subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy
issuer : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini
identity : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini
type : proxy
strength : 512 bits
path : /tmp/x509up_u514
timeleft : 999:59:59
=== VO infngrid extension information ===
VO : infngrid
subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini
issuer : /C=IT/O=INFN/OU=Host/L=CNAF/CN=voms.cnaf.infn.it
attribute : /infngrid/Role=NULL/Capability=NULL
attribute : /infngrid/prova/Role=NULL/Capability=NULL
timeleft : 23:59:59
The AC validity has been shortened: the proxy lasts 1000 hours, but the VOMS AC expires after 24 hours. After that the proxy still authenticates, yet carries an expired AC and VO-based authorization will fail; the effective lifetime of the credential is the smaller of the two.
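A pre-submission check for the situation just shown, as an added example that is not part of the original slides: parse the output of `voms-proxy-info --all`, take the minimum of the proxy's own timeleft and every VOMS AC's timeleft, and warn when that is shorter than the job needs or when the proxy key is short. The sample output is constructed to mirror the slide above (a 1000-hour proxy whose AC was capped at 24 hours); the field layout follows the slides, and the thresholds are the example's own choice.

```python
# Added example (not from the original slides): effective lifetime of a VOMS
# proxy = min(proxy timeleft, every VOMS AC timeleft). SAMPLE_OUTPUT is a
# constructed copy of the voms-proxy-info --all output shown on the slide.
import re

SAMPLE_OUTPUT = """\
subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy
issuer : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini
identity : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini
type : proxy
strength : 512 bits
path : /tmp/x509up_u514
timeleft : 999:59:59
=== VO infngrid extension information ===
VO : infngrid
subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini
issuer : /C=IT/O=INFN/OU=Host/L=CNAF/CN=voms.cnaf.infn.it
attribute : /infngrid/Role=NULL/Capability=NULL
attribute : /infngrid/prova/Role=NULL/Capability=NULL
timeleft : 23:59:59
"""


def parse_timeleft(value):
    """'HHH:MM:SS' -> seconds; the hour field may have more than two digits."""
    m = re.fullmatch(r"(\d+):(\d\d):(\d\d)", value.strip())
    if not m:
        raise ValueError(f"unexpected timeleft format: {value!r}")
    h, mi, s = (int(x) for x in m.groups())
    return h * 3600 + mi * 60 + s


def parse_voms_proxy_info(text):
    """Split voms-proxy-info --all output into (proxy fields, [extension blocks]).
    Each block is a dict of 'key : value' fields plus an 'attributes' list of FQANs."""
    proxy, extensions = {"attributes": []}, []
    current = proxy
    for line in text.splitlines():
        if line.startswith("=== VO "):          # start of a VO extension block
            current = {"attributes": []}
            extensions.append(current)
        elif ":" in line:
            key, _, value = line.partition(":")  # split on the first ':' only (timeleft has more)
            if key.strip() == "attribute":
                current["attributes"].append(value.strip())
            else:
                current[key.strip()] = value.strip()
    return proxy, extensions


def check_proxy(text, min_seconds, min_bits=1024):
    """Return (effective lifetime in seconds, warnings) for a proxy that must
    stay usable for `min_seconds`; thresholds are this example's choice."""
    proxy, extensions = parse_voms_proxy_info(text)
    lifetimes = {"proxy": parse_timeleft(proxy["timeleft"])}
    for ext in extensions:
        lifetimes["VOMS AC for VO " + ext.get("VO", "?")] = parse_timeleft(ext.get("timeleft", "0:00:00"))
    warnings = [f"{name} expires in {secs} s, less than the required {min_seconds} s"
                for name, secs in lifetimes.items() if secs < min_seconds]
    if not extensions:
        warnings.append("no VOMS extension in proxy: VO membership will not be recognised")
    bits = int(proxy.get("strength", "0 bits").split()[0])
    if bits < min_bits:
        warnings.append(f"proxy key is only {bits} bits; at least {min_bits} expected")
    return min(lifetimes.values()), warnings
```

Run against the slide's output with a two-day requirement, the check reports that the AC, not the proxy, is the limiting factor; this is the case the `--valid 1000:00` warning was about, and the reason long-running jobs use proxy renewal (next slides) rather than very long proxies.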

Destroying credentials:
[ciasc]$ voms-proxy-destroy
[ciasc]$

Long-term proxy: MyProxy
Grid tasks may need more time than the proxy lifetime, which is kept short for security reasons.
A MyProxy server is used to create and store a long-term proxy, which is then used to renew short-term proxies when they are about to expire.
Related commands:
- myproxy-init
- myproxy-get-delegation
- myproxy-destroy
A dedicated service on the WMS can renew the proxy automatically on your behalf by contacting the MyProxy server (the MyProxy server must be indicated in the job description).

MyProxy basics
Registering a credential:
$ myproxy-init -d --voms infngrid
Enter GRID pass phrase:
Your identity: /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini
verify OK
Cannot find file or dir: /home/marotta//.glite/vomses
Creating temporary proxy Done
Contacting voms.cnaf.infn.it:15000 [/C=IT/O=INFN/OU=Host/L=CNAF/CN=voms.cnaf.infn.it] "infngrid" Done
Creating proxy Done
Your proxy is valid until Wed Nov 28 16:31:
Enter MyProxy pass phrase:
Verifying password - Enter MyProxy pass phrase:
A proxy valid for 168 hours (7.0 days) for user /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini now exists on myproxy.cnaf.infn.it.

Getting the credential back:
$ myproxy-get-delegation -d
Enter MyProxy pass phrase:
A proxy has been received for user /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini in /tmp/x509up_u514
$ voms-proxy-info --all
subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy/CN=proxy/CN=proxy
issuer : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy/CN=proxy
identity : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy/CN=proxy
type : unknown
strength : 512 bits
path : /tmp/x509up_u514
timeleft : 11:59:50
=== VO infngrid extension information ===
VO : infngrid
subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini
issuer : /C=IT/O=INFN/OU=Host/L=CNAF/CN=voms.cnaf.infn.it
attribute : /infngrid/Role=NULL/Capability=NULL
timeleft : 11:58:05
The retrieved credential is a third-level proxy (three /CN=proxy components): the proxy stored on the MyProxy server signed a new one for you, which is exactly the delegation mechanism of the proxy-certificate slide.

Destroying the credential:
$ myproxy-destroy -d
Default MyProxy credential for user /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini was successfully removed.
Avoid using MyProxy directly for job submissions!
- myproxy-init overwrites your existing credentials;
- this means that you cannot specify roles!
Use proxyrenewal instead: details in Marco's presentation.

References
Cryptography:
- "Handbook of Applied Cryptography", Alfred J. Menezes, Paul C. van Oorschot and Scott A. Vanstone
- "Applied Cryptography", Bruce Schneier
Grid Security:
- LCG Security: security/
- Globus Security:
- Grid-it portal: