Security Mechanisms The European DataGrid Project Team

Slide 1: Security Mechanisms (Security Tutorial), The European DataGrid Project Team

Slide 2: Overview
- User side
  - Getting a certificate
  - Becoming a member of the VO
- Server side
  - Authentication / CA
  - Authorization / VO (with some examples)

Slide 3: Authentication/Authorization
- Authentication (CA Working Group)
  - 16 national certification authorities + CrossGrid CAs
  - policies and procedures -> mutual trust
  - users are identified by the certificates their CA issues
- Authorization (Authorization Working Group)
  - based on Virtual Organizations (VOs)
  - management tools for VO membership lists
  - 6+2 Virtual Organizations

VOs: ALICE, ATLAS, CMS, LHCb, Earth Obs., Biomedical, plus Testbed and Tutorial
CAs: CERN, CESNET, CNRS (3), GermanGrid, Grid-Ireland, INFN, NIKHEF, NorduGrid, LIP, Russian DataGrid, DATAGRID-ES, GridPP, US-DOE Root CA, US-DOE Sub CA, CrossGrid (*)

Slide 4: Authentication Overview
(diagram: the four parties CA, VO, user and service; the following slides add one interaction at a time)

Slide 5: Certificate Request
(diagram: user -> CA: cert-request, produced with grid-cert-request; done once every two to three years)

Slide 6: Requesting a Certificate
- grid-cert-request
  A certificate request and private key is being created.
  [...]
  Using configuration from /usr/local/grid/globus/etc/globus-user-ssleay.conf
  Generating a 1024 bit RSA private key
  [...]
  A private key and a certificate request has been generated with the subject:
  /O=Grid/O=CERN/OU=cern.ch/CN=Akos Frohner
  [...]
  Your private key is stored in .../.globus/userkey.pem
  Your request is stored in .../.globus/usercert_request.pem
  Please mail the certificate request to the CERN CA:
  cat .../.globus/usercert_request.pem | mail
  Your certificate will be mailed to you within two working days.

(The 1024-bit key was the Globus default at the time; 1024-bit RSA has since been deprecated and today's grid CAs require at least 2048 bits. The private key never leaves ~/.globus: only the request is mailed to the CA.)

Slide 7: Certificate Signing
(diagram: CA -> user: certificate, after cert signing at the CA)

Slide 8: Preparation for Registration
(diagram: user converts the certificate to cert.pkcs12)

Slide 9: Registration/Authorization
User registration in an EDG Virtual Organisation
- convert your certificate:
  openssl pkcs12 -export -in ~/.globus/usercert.pem -inkey ~/.globus/userkey.pem -out user.p12 -name 'Joe Smith'
- import your certificate into your browser
- sign the usage guidelines (web form)
- ask for an account from your VO administrator by e-mail
-> You are registered in the VO-LDAP server and have a user account.

(user.p12 contains your private key: protect it with the export password openssl asks for, and delete the file once the browser import is done.)

Slide 10: Registration
(diagram: user -> VO: registration, after accepting the usage guidelines; the VO creates the account. Registration is done once for the lifetime of the VO, and you may change the certificate keys in between!)

Slide 11: Starting a Session
(diagram: user creates a proxy-cert with grid-proxy-init; done every 12/24 hours)

Slide 12: Usage
You must have a valid certificate from a trusted CA!
- "login": grid-proxy-init
  creates a short-lifetime proxy certificate: 24 hours here (grid-proxy-init's own default is 12 hours)
  Enter PEM pass phrase:
- checking the proxy: grid-proxy-info -subject
  /O=Grid/O=CERN/OU=cern.ch/CN=Akos Frohner/CN=proxy
- "logout": grid-proxy-destroy (deletes the proxy file)
-> use the grid services

Slide 13: Certificate Request for a Host
(diagram: service -> CA: host-request, produced with grid-cert-request; done once every two to three years)

Slide 14: Signing the Certificate
(diagram: CA -> service: host-cert, after cert signing at the CA)

Slide 15: Configuration on the Server
(diagram: the VO box becomes VO-LDAP; the service fetches the ca-certificate and crl from the CA; the cert/crl update runs automatically every night/week. Until the next CRL update a revoked certificate is still accepted, so the update interval bounds the revocation delay.)

Slide 16: Authorization Information
(diagram: the service generates the gridmap file from VO-LDAP with mkgridmap, next to the automatic ca-certificate/crl update)

Slide 17: Using a Service
(diagram: user <-> service: host/proxy certs exchanged; the service validates the proxy with the ca-certificate and crl it holds and consults the gridmap file for the local account)

Slide 18: Summary
Obtaining a certificate from a CA (see http://marianne.in2p3.fr/datagrid/ca/ for the list of CAs)
- new certificate: grid-cert-request
  - new files in ~/.globus: usercert_request.pem, userkey.pem
- mail the request to the appropriate CA
- save the answer
  - ~/.globus/usercert.pem
- new proxy certificate: grid-proxy-init
  - /tmp/x509up_u
-> You have a certificate signed by an EDG CA.
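The whole life cycle of slides 6 to 17 (request, CA signing, PKCS#12 export, proxy creation, server-side CA/CRL check and grid-mapfile lookup), as an added example that is not code from the EDG tutorial or from Globus: it replays every step with plain openssl(1) so it runs offline. The "Demo CA", the user DN under demo.org, the account joesmith, the pass phrase, 2048-bit keys and all file names are assumptions for the demo. One deliberate swap: grid-proxy-init of this era produced GT2 proxies (/CN=proxy, no extension), which stock openssl cannot validate, so the proxy below carries the RFC 3820 proxyCertInfo extension that later Globus and gLite releases adopted. The last lines show the failure mode behind slide 15's nightly CRL update: after revocation the stale CRL still accepts the proxy, only the fresh one rejects it.

```shell
#!/bin/sh
# Added example, not from the EDG tutorial or Globus. Demo CA, "Joe Smith",
# demo.org, account "joesmith", pass phrase and file names are all invented.
# Proxy is RFC 3820 style (proxyCertInfo), not the GT2 /CN=proxy of 2003.
set -e
PASS=pass:demo-passphrase   # stands in for the "Enter PEM pass phrase:" prompt
USER_DN="/O=Grid/O=Demo/OU=demo.org/CN=Joe Smith"

# One config: empty DN section (we always pass -subj), the extension sets, and
# the minimal "openssl ca" section used only to issue CRLs (slide 15).
write_config() {
    cat > demo.cnf <<'EOF'
[req]
distinguished_name = req_dn
[req_dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[user_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
[proxy_ext]
proxyCertInfo = critical,language:id-ppl-inheritAll
[ca]
default_ca = demo
[demo]
database = index.txt
certificate = cacert.pem
private_key = cakey.pem
default_md = sha256
default_crl_days = 1
EOF
    : > index.txt
}
# slide 6 (grid-cert-request): pass-phrase-protected key plus request;
# grid-proxy-init refuses a key file readable by others, hence chmod 600.
make_user_request() {
    openssl req -config demo.cnf -new -newkey rsa:2048 -passout "$PASS" \
        -subj "$USER_DN" -keyout userkey.pem -out usercert_request.pem 2>/dev/null
    chmod 600 userkey.pem
}
# slides 3 and 7: a throwaway CA, and the CA signing the user's request.
make_ca() {
    openssl req -config demo.cnf -new -newkey rsa:2048 -nodes \
        -subj "/O=Grid/O=Demo/CN=Demo CA" -keyout cakey.pem -out careq.pem 2>/dev/null
    openssl x509 -req -in careq.pem -signkey cakey.pem -days 365 -sha256 \
        -extfile demo.cnf -extensions ca_ext -out cacert.pem 2>/dev/null
}
sign_user_request() {
    openssl x509 -req -in usercert_request.pem -CA cacert.pem -CAkey cakey.pem \
        -CAcreateserial -days 365 -sha256 -extfile demo.cnf -extensions user_ext \
        -out usercert.pem 2>/dev/null
}
issue_crl() { openssl ca -config demo.cnf -gencrl -md sha256 -out "$1" 2>/dev/null; }
# slide 9: PKCS#12 bundle for the browser import.
to_pkcs12() {
    openssl pkcs12 -export -in usercert.pem -inkey userkey.pem -passin "$PASS" \
        -name "Joe Smith" -passout "$PASS" -out user.p12
}
# slide 12 (grid-proxy-init): fresh unencrypted key, subject = user DN + one CN,
# signed with the user key, 24 h as on the slide. grid-proxy-init bundles proxy
# cert, proxy key and user cert into /tmp/x509up_u<uid>; same layout here.
make_proxy() {
    openssl req -config demo.cnf -new -newkey rsa:2048 -nodes -subj "$USER_DN/CN=proxy" \
        -keyout proxykey.pem -out proxyreq.pem 2>/dev/null
    openssl x509 -req -in proxyreq.pem -CA usercert.pem -CAkey userkey.pem -passin "$PASS" \
        -CAcreateserial -days 1 -sha256 -extfile demo.cnf -extensions proxy_ext \
        -out proxycert.pem 2>/dev/null
    cat proxycert.pem proxykey.pem usercert.pem > x509up_demo
}
# slides 15-17 (server side): $1 = presented proxy bundle, $2 = the CRL the site
# holds. Prints the mapped local account, or a reason and returns 1.
cert_dn() { openssl x509 -in "$1" -noout -subject -nameopt compat | sed 's/^subject= *//'; }
verify_proxy() {
    sed -n '/BEGIN CERT/,/END CERT/p' "$1" > chain.pem       # certificates only
    openssl x509 -in chain.pem -out proxy.pem 2>/dev/null    # first cert: the proxy
    awk '/BEGIN CERT/ { n++ } n == 2' chain.pem > eec.pem    # second: the user cert
    openssl verify -CAfile cacert.pem -CRLfile "$2" -crl_check eec.pem 2>&1 | grep -q ': OK$' \
        || { echo "user certificate rejected (untrusted or revoked)"; return 1; }
    openssl verify -CAfile cacert.pem -allow_proxy_certs -untrusted eec.pem proxy.pem 2>&1 \
        | grep -q ': OK$' || { echo "proxy rejected"; return 1; }
    dn=$(cert_dn proxy.pem); dn=${dn%/CN=*}                  # strip the proxy's own CN
    acct=$(awk -F'"' -v dn="$dn" '$2 == dn { sub(/^[ \t]+/, "", $3); print $3; exit }' grid-mapfile)
    [ -n "$acct" ] || { echo "no grid-mapfile entry for $dn"; return 1; }
    echo "$acct"
}
run_demo() {
    WORK=$(mktemp -d); cd "$WORK"
    write_config; make_user_request; make_ca; sign_user_request; to_pkcs12; make_proxy
    issue_crl crl.pem
    printf '"%s" joesmith\n' "$USER_DN" > grid-mapfile      # what mkgridmap would produce
    echo "mapped to: $(verify_proxy x509up_demo crl.pem)"
    # revoke the user: only a refreshed CRL (slide 15's nightly update) stops the proxy
    openssl ca -config demo.cnf -revoke usercert.pem 2>/dev/null
    issue_crl crl-fresh.pem
    verify_proxy x509up_demo crl-fresh.pem || echo "fresh CRL: rejected"
    verify_proxy x509up_demo crl.pem >/dev/null && echo "stale CRL: still accepted"
}
run_demo
```

The server-side check is split in two on purpose: the CRL is checked against the user certificate (the only one the CA can revoke), and the proxy is then checked as an RFC 3820 chain with -allow_proxy_certs, which is what lets an end-entity certificate act as the proxy's issuer. Running `openssl verify -crl_check_all` on the proxy itself would fail for the wrong reason, since no CRL exists for the user's own key.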

Slide 19: Further Information
Grid
- EDG CAs
- Globus Security
- EDG WP2 (management/security)
- EDG D7.5
Background
- GGF Security
- GSS-API
- IETF PKIX charter
- PKCS