Jianlin Zhu Huazhong Normal University Running AliEn Secure Services

Outline Security Considerations for AliEn Services Security Environment for AliEn Services Security Infrastructure for AliEn Services Security Instances for AliEn Services Future work Reference

AliEn AliEn is a distributed computing environment with the aim to offer the ALICE user community a transparent access to worldwide distributed computing and storage resources. AliEn components are web services, and they talk to each other using SOAP(Simple Object Access Protocol) Central Services Proxy,IS,Authen,Server,Logger,Broker,TransferManager,TransferBro ker,TransferOptimizer,JobOptimizer,CatalogueOptimizer,PackMa nMaster,MessageMaster,SEManager,JobInfoManager,MonaLisa Site Services ClusterMonitor,CE,SE,PackMan,MonaLisa

Security Considerations AliEn is running with more than twenty service components providing the public services for the whole grid system  Supporting the Grid Security Infrastructure and Public Key Infrastructure  Security Authentication  Communication Encryption  Private key protection  Delegation  Single sign-on  Compatibility ， transparency to the Grid Components  Modular security function

Grid Security Infrastructure PKI (CAs and Certificates) SSL/ TLS Proxies and Delegation PKI for credentials SSL for Authentication And message protection Proxies and delegation (GSI Extensions) for secure single Sign-on PKI: Public Key Infrastructure, SSH: Secure Socket Layer TLS: Transport Level Security

Public Key Infrastructure (PKI) PKI allows you to know that a given public key belongs to a given user PKI builds off of asymmetric encryption: Each entity has two keys: public and private Data encrypted with one key can only be decrypted with other. The private key is known only to the entity The public key is given to the world encapsulated in a X.509 certificate Owner X.509 Certificates Certificate Authorities (CAs) Certificate Policies Namespaces Requesting a certificate Certificate Request Registration Authority

Secure Socket Layer (SSL) Also known as TLS (Transport Layer Security) Uses certificates and TCP sockets to provide a secured connection Authentication of one or both parties using the certificates Message protection Confidentiality (encryption) Integrity Certificates TCP Sockets SSL/TLS

GSI Grid Security Infrastructure (GSI) Based on Generic Security Services API (GSS-API) Uses an extension to X509 certificates Provides a mechanism to: Authenticate a subject Authorise a resource Implement a single sign-on mechnism Current implementation does this using: Proxy certificates and Certification Authorities Gridmap file

[lxplus215] ~ $ grid-proxy-info (grid-proxy-init -old) subject : /C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlin zhu/CN=proxy issuer : /C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlin zhu identity : /C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlin zhu type : full legacy globus proxy strength : 512 bits path : /tmp/x509up_u50218 timeleft : 11:59:54 [lxplus215] ~ $ grid-proxy-info(grid-proxy-init -rfc) subject : /C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlin zhu/CN= issuer : /C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlin zhu identity : /C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlin zhu type : RFC 3820 compliant impersonation proxy strength : 512 bits path : /tmp/x509up_u50218 timeleft : 11:59:54 [lxplus215] ~ $ grid-proxy-info(grid-proxy-init) subject : /C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlin zhu/CN= issuer : /C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlin zhu identity : /C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlin zhu type : Proxy draft (pre-RFC) compliant impersonation proxy strength : 512 bits path : /tmp/x509up_u50218 timeleft : 11:59:55

$ voms-proxy-info -all subject : /C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlin zhu/CN=proxy issuer : /C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlin zhu identity : /C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlin zhu type : proxy strength : 1024 bits path : /tmp/x509up_u50218 timeleft : 11:45:59 === VO alice extension information === VO : alice subject : /C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlin zhu issuer : /DC=ch/DC=cern/OU=computers/CN=voms.cern.ch attribute : /alice/Role=lcgadmin/Capability=NULL attribute : /alice/Role=NULL/Capability=NULL attribute : /alice/lcg1/Role=NULL/Capability=NULL timeleft : 11:45:58 uri : voms.cern.ch:15000  VOMS credentials are represented in the form of FQAN (short for Fully Qualified Attribute Name).  A FQAN is a string compound consisting of the group, the subgroups, and the role a user chooses from, in order to access a resource

HTTPS as the AliEn secure protocol HTTPS is an interesting and important protocol for several reasons: It is by far the most widely deployed secure protocol It has a large amount of high quality modules that we could leverage It has excellent interaction with Firewalls, Network Address Translation and Application Proxies  it has the potential to solve some of the problems sites have with private IP farms along with HTTP, is the basis for Web and Grid Services  AliEn Services are Web Services using SOAP/XML to send messages HTTPS consists of HTTP/1.1 over an SSL connection security done by SSL layer, using X509 certificates (including GSI)

Security Environment for AliEn Services Apache as the AliEn serivces hosting environment mod_perl Supporting the perl language mod_ssl Supporting PKI (X.509 certificates verification ) mod_gridsite Supporting GSI (Parses GACL policies,X.509,GSI,VOMS credentials)

What Apache provides Allow customization of standard Apache installation through program modularity Extensibility, decomposition and flexibility Rich modules mod_ssl mod_ssl Encryption (private communications) mod_perl mod_perl, mod_cgi, etc. Application and language support (cgi, perl, php, etc)mod_cgi mod_gridsite mod_gridsite (GACL policies,X.509,GSI,VOMS credentials) support Can be added at compile or before execution (with DSO) using LoadModule and AddModule directives

What SSL Provides Secure communcation between client and server. SSL protocol works on top of the tcp/ip layer and below the application layer. Provides for authentication using certificates, multiple encryption cipher choices, methods to exchange session keys, and integrity checking. Server authentication almost always takes place. Client authentication is optional. Once authetication and handshaking are done then data is transmitted using the strongest mutually available cipher over tcp/ip. Weaker ciphers have resulted in some potential SSL security holes.

What Gridsite Provides Support for clients with GSI proxies to standard Apache/mod_ssl With the XML access control language GACL,to define read,write,list,admin permissions for files,directories and scripts With the VOMS credentials, the resource owners could decide which privileges to provide to which VO attributes. /C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlin zhu

Apache+mod_ssl+mod_gridsite Together Apache, mod_ssl and mod_gridsite create a system of security with digital certificates and GSI that allows you to offer secure, encrypted connections to the web server. One more way to run AliEn services Easy to config and manage transparent to users Secure single sign-on

RDBMS LDAP File Metedata Catalogue API(C/C++/Perl) User Application FS GUI Web Portal Authentication User Interface Database Proxy Security ClusterMonitor DBD Interface AliEn Core Components and Services External Software V.O. Packages & Commands DBI Perl Core Perl Modules External Libraries Config Management Package Management ADBI SOAP/XML CESEPackManMonaLisa ISRB Logger CLI

Jobs TaskQueue Job Broker Job Manager CE JA Central services Site services SplittingExpired PrioritiesMerging Zombies Job optimizers File catalogue LFN GUID Meta data SE Packman MonALISA JA CE SE Packman MonALISA CM logger Site A Site B CM LCG services CREAM CE Adding secure function Authen

Future Plan Adding security protection to the AliEn services one by one Adding support for XACML and Delegation PortType Large scale testing the AliEn Secure services

Reference PKI,RFC3280 ， GSI, RFC 3820 ， The Globus Project, The Apache Project, The Gridsite Project,

Questions?