gLite Security
The EPIKH Project (Exchange Programme to advance e-Infrastructure Know-How)
Hailong Yang, Sino-German Joint Software Institute, Beihang University
Asian Joint CHAIN/EPIKH School for Application Porting, Beijing/China
Beijing/China, Asian Joint-CHAIN/EPIKH School for Application Porting. This presentation is based on the presentations from previous EPIKH schools. Thanks to all of them.
Outline
Authentication and authorization:
–Security tips.
–User authentication.
–Host authentication.
–VO views.
–Job authentication.
–Proxies.
–Delegation of proxies.
–Other grid services.
Grid authentication
Grid authentication is based on X.509 certificates and a PKI (Public Key Infrastructure).
Hosts, users and services use certificates to authenticate each other and to encrypt messages.
These digital certificates are signed by a CA (Certification Authority): a third party that guarantees the correspondence between a digital certificate and the identity of its owner.
Authentication: the challenge
Authentication protocol. The user wants to authenticate the server before sending data to it:
1. The server sends its certificate (which carries its public key).
2. The user verifies the CA signature on the certificate.
3. The user generates a random token and sends it to the server.
4. The server signs the token with its private key ("encrypts it with his private key") and sends the result back.
5. The user checks the result with the server's public key ("decrypts it"), recovers the token and compares it with the one sent. Are they the same? Only the holder of the private key could have produced it.
The token is random and fresh for every exchange, so an old answer cannot be replayed.
THE SECURITY OF YOUR PRIVATE KEY IS VERY IMPORTANT.
Properties: integrity and encryption
Integrity: the message is not modified on an unsafe transfer medium.
–This property comes from the hash of the message, signed with the sender's private key: any change to the message changes the hash, and the signature no longer verifies.
Encryption: a message sent over an unsafe medium is not readable by third parties. Only the owner of the private key can read a message encrypted with the matching public key.
–This property comes from the encryption algorithm.
User authentication
You get your digital certificate from a CA. It has a lifetime of one year and can be renewed.
Directory: $HOME/.globus/
Two files:
–Certificate (public key): usercert.pem, permissions 644. It contains the Issuer (the CA), the Subject (the owner of the certificate), the CA's digital signature and the expiry date.
–Private key: userkey.pem, permissions 400.
Have you got your digital certificate?
Useful commands
Obtaining my certificate from the PKCS#12 (.p12) file:
openssl pkcs12 -clcerts -nokeys -in my_cert.p12 -out usercert.pem
Obtaining my private key:
openssl pkcs12 -nocerts -in my_cert.p12 -out userkey.pem
Obtaining a .p12 file from the private key and certificate PEM files:
openssl pkcs12 -export -in usercert.pem -inkey userkey.pem -out my_cert.p12 -name 'My Name'
Viewing my certificate in plain text:
openssl x509 -inform pem -in usercert.pem -text
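After extracting the two PEM files, set the modes from the previous slide (chmod 400 userkey.pem, chmod 644 usercert.pem), because the grid tools refuse a private key that group or others can read. The following is an added example, not code from the slides or from gLite: it audits a .globus directory against exactly that layout. The directories it builds in demo() and their placeholder PEM contents are constructed for the illustration; the acceptance of mode 600 for the key as an alternative owner-only mode is this example's choice.

```python
import os
import stat
import tempfile

# Added example, not from the gLite slides: audit $HOME/.globus as the slides
# describe it (usercert.pem 644, userkey.pem 400). The directories built in
# demo() are constructed here with placeholder PEM contents.

EXPECTED_MODES = {
    "usercert.pem": 0o644,  # public certificate: anyone may read, only the owner writes
    "userkey.pem": 0o400,   # private key: owner read-only
}
KEY_OWNER_ONLY = (0o400, 0o600)   # 600 is also owner-only (assumption: accepted here)


def check_globus_dir(path):
    """Return a list of problems found under `path`; [] means the layout is fine."""
    problems = []
    for name, expected in EXPECTED_MODES.items():
        full = os.path.join(path, name)
        try:
            st = os.lstat(full)
        except FileNotFoundError:
            problems.append(f"{name}: missing")
            continue
        if not stat.S_ISREG(st.st_mode):
            # a symlink or directory in place of the key/cert is suspicious
            problems.append(f"{name}: not a regular file")
            continue
        mode = stat.S_IMODE(st.st_mode)
        if name == "userkey.pem":
            # Any group/other bit exposes the private key, so this is the
            # check that matters; report it before the exact-mode nit.
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                problems.append(f"{name}: mode {mode:o} readable by group/others, expected {expected:o}")
            elif mode not in KEY_OWNER_ONLY:
                problems.append(f"{name}: mode {mode:o}, expected {expected:o}")
        elif mode & (stat.S_IWGRP | stat.S_IWOTH):
            # a writable certificate could be swapped for someone else's
            problems.append(f"{name}: mode {mode:o} writable by group/others, expected {expected:o}")
        if st.st_size == 0:
            problems.append(f"{name}: empty file")
    return problems


def demo():
    """Build a correct and a broken .globus directory (constructed) and audit both."""
    root = tempfile.mkdtemp(prefix="globus-audit-")
    results = {}
    for label, key_mode, keep_cert in (("good", 0o400, True), ("bad", 0o644, False)):
        d = os.path.join(root, label)
        os.mkdir(d)
        for name in EXPECTED_MODES:
            p = os.path.join(d, name)
            with open(p, "w") as f:
                f.write("-----BEGIN PLACEHOLDER-----\nconstructed, not a real credential\n")
            os.chmod(p, key_mode if name == "userkey.pem" else 0o644)
        if not keep_cert:
            os.remove(os.path.join(d, "usercert.pem"))  # also simulate a missing certificate
        results[label] = check_globus_dir(d)
    return results


if __name__ == "__main__":
    for label, problems in demo().items():
        print(label, problems or "OK")
```

Run it against a real directory with check_globus_dir(os.path.expanduser("~/.globus")); an empty list means the two files exist, are regular files, and carry the modes the slide asks for.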
Host authentication
Basic host authentication.
–Directory: /etc/grid-security/
–Files: hostkey.pem with permissions 400; hostcert.pem with permissions 644.
Not all grid hosts need host authentication.
VO view
A VO (Virtual Organization) is conceived as a group of users. It is the mechanism for controlling access to grid resources and for accounting their use.
These rights are based on an ACL (Access Control List) system.
It is mandatory to be a member of a VO.
VOMS service
VOMS (Virtual Organization Membership Service) manages VOs and the membership of users. It authorizes users to take roles and to use grid resources.
A VOMS server has four parts:
–User client: requests information about the roles and rights of a user. The request carries the user's certificate.
–User server: answers the user client's requests.
–Administration client.
–Administration server.
VOMS service
There is a mapping between users (certificate DNs) and local accounts, described in /etc/grid-security/grid-mapfile:
"/O=EelaGrid/O=users/O=mief/CN=My name and surname" e2gris1
There is another mapping between VO, role and capability (the VOMS FQAN) and a unix user, described in /etc/grid-security/voms-grid-mapfile:
"/eela/Role=lcgadmin/Capability=NULL" eelasgm
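As an added example (not gLite code), here is a parser for the two mapping files named above and a lookup that resolves a user to a local account. The sample lines are the slide's plus constructed ones (the "Another User" and plain "/eela" entries). The lookup order, VOMS FQAN mapping first and the DN mapping as fallback, and the normalisation of the NULL role and capability parts are this example's policy; a site's actual policy is whatever its mapping configuration says.

```python
import shlex

# Added example, not gLite code: parse grid-mapfile / voms-grid-mapfile lines
# and resolve (DN, FQANs) to a unix account. Sample lines are the slide's plus
# constructed ones; the lookup order is this example's policy.

GRID_MAPFILE = '''
# /etc/grid-security/grid-mapfile: certificate DN -> unix account
"/O=EelaGrid/O=users/O=mief/CN=My name and surname" e2gris1
"/O=EelaGrid/O=users/O=mief/CN=Another User" e2gris2
'''

VOMS_GRID_MAPFILE = '''
# /etc/grid-security/voms-grid-mapfile: VOMS FQAN -> unix account
"/eela/Role=lcgadmin/Capability=NULL" eelasgm
"/eela" eela001
'''


def parse_mapfile(text):
    """Return an ordered list of (pattern, account).

    The first field is usually double-quoted because DNs contain spaces;
    '#' starts a comment. Anything else is a malformed line, which is rejected
    rather than skipped: a typo here changes who gets which account."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected '<pattern> <account>', got {raw!r}")
        entries.append((fields[0], fields[1]))
    return entries


def normalize_fqan(fqan):
    """voms-proxy-info prints '/eela/Role=NULL/Capability=NULL' for plain
    membership; strip the NULL parts so it matches a '/eela' entry
    (normalisation chosen for this example)."""
    for suffix in ("/Capability=NULL", "/Role=NULL"):
        if fqan.endswith(suffix):
            fqan = fqan[: -len(suffix)]
    return fqan


def map_user(dn, fqans, grid_map, voms_map):
    """Resolve (DN, proxy FQANs) to a local account, or None if unmapped.

    The FQANs are tried in the order they appear in the proxy, so the first
    group/role requested at voms-proxy-init decides the account; the DN
    mapping is the fallback."""
    by_fqan = {normalize_fqan(p): acct for p, acct in voms_map}
    for fqan in fqans:
        acct = by_fqan.get(normalize_fqan(fqan))
        if acct is not None:
            return acct
    return dict(grid_map).get(dn)


if __name__ == "__main__":
    gm = parse_mapfile(GRID_MAPFILE)
    vm = parse_mapfile(VOMS_GRID_MAPFILE)
    user_dn = gm[0][0]
    print(map_user(user_dn, ["/eela/Role=lcgadmin/Capability=NULL"], gm, vm))  # eelasgm
    print(map_user(user_dn, ["/eela/Role=NULL/Capability=NULL"], gm, vm))      # eela001
    print(map_user(user_dn, [], gm, vm))                                        # e2gris1
```

The point to take from the lookup is that the account a job lands in depends on which FQANs the proxy carries and in which order, not only on the DN; a user who does not appear in either file gets None, i.e. no access.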
Job authentication
Jobs need to interact with services:
–e.g. to transfer a file from an SE (Storage Element) to the WN (Worker Node).
A job needs to prove that it is authorized to use the resource, i.e. it needs the same privileges as its user.
But jobs run on machines where the user's private key is not available, and we do not want our private key to travel over an unsafe medium.
Job authentication
Users have to delegate their identity to their jobs:
–A new certificate and a new private key are generated, and the new certificate is signed with the user's private key.
–The job needs this new certificate, its private key and the user's certificate. When the job has to authenticate, it sends both certificates (the chain back to the CA).
–The lifetime of the new certificate is short (12 hours by default).
Proxy commands
The new certificate, the new private key and the user's certificate together are called a proxy. We have to create a proxy before launching our jobs. How?
Useful commands:
voms-proxy-init --voms <VO name>   Create a proxy for your jobs as a member of a VO. Authentication and authorization (the VOMS attributes) are both covered by this command.
voms-proxy-destroy                 Destroy our proxy.
voms-proxy-info [--all]            Obtain information about our proxy.
Delegation of proxies
Proxies are valid for a short time. If my job runs for a long time, what can I do?
The grid's solution is to delegate our proxy to a server, so that the services can obtain a proxy from it and authenticate our jobs.
Other advantages:
–It helps with long file transfers.
–Your proxy is stored on a safe server, protected by a password.
This safe server is called the MyProxy server or PX server.
Delegation
Delegation = remote creation of a proxy certificate (a second-level proxy):
–A new key pair is generated remotely, on the server.
–The client signs the proxy certificate and returns it.
It allows remote processes to be authenticated in the user's name: the remote process "impersonates" the user.
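The challenge protocol from the authentication slide, the proxy creation from the job-authentication slides and the delegation step above all rest on the same two operations: the holder of a private key signs, and anyone with the certificate chain verifies. The following added example (not code from the slides, gLite or Globus) puts them together in one run. It uses textbook RSA signatures over SHA-256 with keys built from Mersenne primes, so it runs offline with the standard library only; real grid credentials are X.509 certificates with 1024- or 2048-bit keys, and the subjects, lifetimes and timestamp here are constructed for the demonstration.

```python
import hashlib
import secrets
import time

# Added example, not gLite/Globus code. Toy textbook-RSA signatures over
# SHA-256, with keys built from Mersenne primes so the block runs offline
# with the standard library only; real grid credentials are 1024/2048-bit
# X.509 keys. Subjects, lifetimes and the "now" timestamp are constructed.
E = 65537
HOUR = 3600


def make_key(p, q):
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}


def digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(key, data):          # "encrypts it with his private key" on the slide
    return pow(digest(data), key["d"], key["n"])


def verify(n, data, sig):     # "decrypts it with the public key" on the slide
    return pow(sig, E, n) == digest(data)


def cert_body(subject, issuer, n, not_after):
    return f"{subject}|{issuer}|{n}|{not_after}".encode()


def issue(issuer_key, issuer, subject, key, not_after):
    """Certificate = subject, issuer, public key, expiry and the issuer's signature."""
    return {"subject": subject, "issuer": issuer, "n": key["n"], "not_after": not_after,
            "sig": sign(issuer_key, cert_body(subject, issuer, key["n"], not_after))}


def verify_chain(chain, ca_cert, now):
    """`chain` is leaf first, e.g. [proxy, user]. Each certificate must be
    unexpired, name the next one as its issuer, and carry a signature that
    checks under that issuer's public key; the last one must be CA-signed."""
    issuers = chain[1:] + [ca_cert]
    for cert, issuer in zip(chain, issuers):
        if now > cert["not_after"]:
            return False
        if cert["issuer"] != issuer["subject"]:
            return False
        body = cert_body(cert["subject"], cert["issuer"], cert["n"], cert["not_after"])
        if not verify(issuer["n"], body, cert["sig"]):
            return False
    return True


def authenticate(chain, ca_cert, signer, now):
    """The slide's challenge: verify the presented chain, then send a fresh
    random token and check that the peer signs it with the leaf's private
    key. `signer` is the peer's signing callback; only it holds the key."""
    if not verify_chain(chain, ca_cert, now):
        return False
    token = secrets.token_bytes(32)
    return verify(chain[0]["n"], token, signer(token))


def demo(now=1_700_000_000):
    ca_key = make_key(2**607 - 1, 2**89 - 1)
    ca = issue(ca_key, "/O=ToyCA/CN=CA", "/O=ToyCA/CN=CA", ca_key, now + 10 * 365 * 24 * HOUR)
    user_key = make_key(2**521 - 1, 2**127 - 1)
    user = issue(ca_key, ca["subject"], "/O=users/CN=Alice", user_key, now + 365 * 24 * HOUR)
    # Delegation: a new key pair (generated by the job's side, or remotely by
    # a MyProxy server) gets a 12-hour certificate signed with the user's key.
    proxy_key = make_key(2**1279 - 1, 2**107 - 1)
    proxy = issue(user_key, user["subject"], user["subject"] + "/CN=proxy", proxy_key, now + 12 * HOUR)
    job_signs = lambda token: sign(proxy_key, token)
    # A forged proxy: names Alice as issuer but is signed with the attacker's own key.
    forged = issue(proxy_key, user["subject"], user["subject"] + "/CN=proxy", proxy_key, now + 12 * HOUR)
    return {
        "user_with_own_key": authenticate([user], ca, lambda t: sign(user_key, t), now),
        "job_with_proxy": authenticate([proxy, user], ca, job_signs, now),
        "proxy_after_13h": authenticate([proxy, user], ca, job_signs, now + 13 * HOUR),
        "proxy_without_user_cert": authenticate([proxy], ca, job_signs, now),
        "forged_proxy": authenticate([forged, user], ca, job_signs, now),
        "stolen_cert_no_key": authenticate([user], ca, lambda t: sign(proxy_key, t), now),
    }


if __name__ == "__main__":
    for case, ok in demo(int(time.time())).items():
        print(f"{case:26s} {'accepted' if ok else 'rejected'}")
```

The cases after the first two are the failure modes the slides warn about: an expired proxy, a proxy presented without the user certificate that links it to the CA, a proxy "signed" by someone other than the user, and a stolen certificate without its private key. Each is rejected either by the chain check or by the token challenge, which is why the private key, and nothing else, is what must stay secret.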
Delegation commands
myproxy-init [-d]        Create a proxy and store it on the PX (MyProxy) server.
myproxy-info             Obtain information about the stored proxy.
myproxy-store            Store the credential itself (user certificate included) on the server, for later retrieval.
myproxy-retrieve         Get our stored credential back.
myproxy-destroy          Destroy the stored proxy.
myproxy-get-delegation   Get a new proxy, delegated from the one stored on the MyProxy server.
Other grid services
Information services: no authentication is required. Commands: lcg-infosites and lcg-info.
Data management services: authentication and authorization are required. Commands: lfc-chmod, lfc-getacl, lfc-setacl (permissions and ACLs on the LFC file catalogue).
File transfer protocols may be safe or unsafe.
Remember
You need a digital certificate and you must be a member of a VO.
Keep your private key safe!
Proxy commands: voms-*, to manage proxies.
MyProxy commands: myproxy-*, to delegate proxies.
Questions …