Zach Miller Condor Project Computer Sciences Department University of Wisconsin-Madison Lockdown of a Basic Pool.

Slides:



Advertisements
Similar presentations
HTTPS/SSL Oleh: Idris Winarno. Persiapan Pastikan repository debian # vim /etc/apt/sources.list deb etch main contrib non-freehttp://kebo.vlsm.org/debian.
Advertisements

Apache2 HTTPS. 1. Install webserver Apache # apt-get install apache2 2. Buat direktori untuk menyimpan file https # mkdir /var/www/secure 3. Instalasi.
It’s not about security... it’s about access! Grid Security Pieter van Beek.
Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.
SSL & SharePoint IT:Network:Applications. Agenda Secure Socket Layer Encryption 101 SharePoint Customization SharePoint Integration.
Greg Quinn Computer Sciences Department University of Wisconsin-Madison Condor on Windows.
Presentation Two: Grid Security Part Two: Grid Security A: Grid Security Infrastructure (GSI) B: PKI and X.509 certificates C: Proxy certificates D:
Grid Security. Typical Grid Scenario Users Resources.
Apache ssl Objectives Contents Practical Summary Setup Apache + ssl
Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.
16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.
CSI 400/500 Operating Systems Spring 2009 Lecture #20 – Security Measures Wednesday, April 29 th.
Foundations of Network and Computer Security J J ohn Black Lecture #17 Oct 9, 2009 CSCI 6268/TLEN 5550, Fall 2009.
HTCondor Security Mechanisms Overview “Padlock” by Peter Ford © 2005 Licensed under the Creative Commons Attribution 2.0 license
03 December 2003 Public Key Infrastructure and Authentication Mark Norman DCOCE Oxford University Computing Services.
Condor Project Computer Sciences Department University of Wisconsin-Madison Security in Condor.
APACHE SERVER By Innovationframes.com »
Masud Hasan Secure Project 1. Secure It uses Digital Certificate combined with S/MIME capable clients to digitally sign and.
Zach Miller Condor Project Computer Sciences Department University of Wisconsin-Madison Securing Your Condor Pool With SSL.
SSL Technology Overview and Troubleshooting Tips.
Cryptography 101 Frank Hecker
CSCI 6962: Server-side Design and Programming
X.509 Certificate management in.Net By, Vishnu Kamisetty
IT:Network:Applications.  Single Key (Symmetric) encryption ◦ One “key” or passphrase used to encrypt and decrypt ◦ FAST – good for large amounts of.
Eucalyptus Virtual Machines Running Maven, Tomcat, and Mysql.
AQA Computing A2 © Nelson Thornes 2009 Section Unit 3 Section 6.4: Internet Security Digital Signatures and Certificates.
Security Keys, Signatures, Encryption. Slides by Jyrki Nummenmaa ‘
NENA Development Conference | October 2014 | Orlando, Florida Security Certificates Between i3 ESInet’s and FE’s Nate Wilcox Emergicom, LLC Brian Rosen.
Public-key Infrastructure. Computer Center, CS, NCTU 2 Public-key Infrastructure  A set of hardware, software, people, policies, and procedures.  To.
Onno W. Purbo openssl Onno W. Purbo
Hao Wang Computer Sciences Department University of Wisconsin-Madison Security in Condor.
1 Apache and Virtual Sites and SSL Dorcas Muthoni.
Cryptography Encryption/Decryption Franci Tajnik CISA Franci Tajnik.
Unit 1: Protection and Security for Grid Computing Part 2
Chapter 23 Internet Authentication Applications Kerberos Overview Initially developed at MIT Software utility available in both the public domain and.
Symmetric Encryption Mom’sSecretApplePieRecipe Mom’sSecretApplePieRecipe The same key is used to encrypt and decrypt the data. DES is one example. Pie.
1 Securing Data and Communication. 2 Module - Securing Data and Communication ♦ Overview Data and communication over public networks like Internet can.
Data Encryption using SSL Topic 5, Chapter 15 Network Programming Kansas State University at Salina.
DIGITAL SIGNATURE. GOOD OLD DAYS VS. NOW GOOD OLD DAYS FILE WHATEVER YOU WANT – PUT ‘NA’ OR ‘-’ OR SCRATCH OUT FILE BACK DATED, FILE BLANK FORMS, FILE.
Who’s watching your network The Certificate Authority In a Public Key Infrastructure, the CA component is responsible for issuing certificates. A certificate.
Certificate Requests to HIP Jani Pellikka 80 th IETF Mar 27 th – Apr 1 st 2011 Prague, Czech Republic.
CPS Computer Security Tutorial on Creating Certificates SSH Kerberos CPS 290Page 1.
Zach Miller Computer Sciences Department University of Wisconsin-Madison Securing Condor.
Zach Miller Computer Sciences Department University of Wisconsin-Madison Securing Condor.
호스트 인증서 신청 방법 How to Request Host Certificate
Condor Project Computer Sciences Department University of Wisconsin-Madison Grids and Condor Barcelona,
Security fundamentals Topic 5 Using a Public Key Infrastructure.
Advanced Sendmail Part 1
Network Security Continued. Digital Signature You want to sign a document. Three conditions. – 1. The receiver can verify the identity of the sender.
Creating and Managing Digital Certificates Chapter Eleven.
Public / Private Key Example Dan Fleck CS 469: Security Engineering Coming up: Today 11.
1 Certification Issue : how do we confidently know the public key of a given user? Authentication : a process for confirming or refuting a claim of identity.
EGI-InSPIRE RI Grid Training for Power Users EGI-InSPIRE N G I A E G I S Grid Training for Power Users Institute of Physics Belgrade.
LAB#8 PKI & DIGITAL CERTIFICATE CPIT 425. Public Key Infrastructure PKI 2  Public key infrastructure is the term used to describe the laws, policies,
HTCondor Security Basics HTCondor Week, Madison 2016 Zach Miller Center for High Throughput Computing Department of Computer Sciences.
Maryknoll Wireless Network Access Steps for Windows 7 As of Aug 20, 2012.
Trusted Organizations In the grid world one single CA usually covers a predefined geographic region or administrative domain: – Organization – Country.
Prof. Reuven Aviv, Nov 2013 Public Key Infrastructure1 Prof. Reuven Aviv Tel Hai Academic College Department of Computer Science Public Key Infrastructure.
Connect and Replicate Securely: How to use MySQL with SSL Sheeri K. Cabral, MySQL Team Lead
HTCondor Security Basics
SSL Setup Making PROPworks® Applications Secure
Grid Security.
CIS5930 Internet Computing
HTCondor Security Basics HTCondor Week, Madison 2016
Public-key Infrastructure
A Programmer’s Guide to Secure Connections
Public-key Infrastructure
Grid Security Infrastructure
DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses E.g., thesiger.cs.ucla.edu translates to DNS.
Presentation transcript:

Zach Miller Condor Project Computer Sciences Department University of Wisconsin-Madison Lockdown of a Basic Pool

Basic Concepts › You have a Condor pool  Personal Condor (1 node)  1000 node cluster › Who can use your pool?

Basic Concepts › “Who can use it” is really two concepts: › The “Who” is authentication › The “can” is authorization

Basic Concepts › Authentication is finding out WHO some entity is. › How is this done?  Common methods: Present a secret that only that only you should know Perform some action that only you can do Present a credential that only you could have

Basic Concepts › Authorization is deciding what someone is allowed to do. › You must know who they are before you can decide this!

Basic Concepts › I’m using “they” pretty loosely here. › “They” could be:  A user  A machine  An agent/daemon/service

Basic Concepts › In the context of a Condor pool:  You want only machines that you know to be in the pool  You want only people you know to submit jobs

Authentication › When users submit jobs, Condor authenticates them:  FS on Unix  NTSSPI on Windows › The Condor SCHEDD daemon now “owns” the jobs, and acts on their behalf.

Authentication › So how can we trust the SCHEDD? › Daemon-to-daemon authentication

Authentication › A Condor daemon must prove to other Condor daemons that it is authentic. › Quick and Easy: Pool Password

Pool Password › All daemons know a “password” › This password (hash) is stored:  In a permissions-protected file on UNIX  In the encrypted part of the registry on Windows

Pool Password › To set it: % condor_store_cred -c add Account: Enter password: Operation succeeded.

Pool Password › This is typically done locally on each machine that will use the password › On UNIX, you can copy the file containing the hash to each machine  COPY IT SECURELY!  CHECK THE PERMISSIONS!

Pool Password › Configure Condor to use it › Set your condor_config: SEC_DAEMON_AUTHENTICATION = REQUIRED SEC_DAEMON_AUTHENTICATION_METHODS = PASSWORD

Pool Password › So, are we “All Good”? › What about flocking to other pools? › Condor-C?

Pool Password › Password must be the same for everyone – are you prepared to give it to another administrator? › What if they also flock with other pools, are you prepared for them to give it to their flocking friends? › And so on?

Flexibility › It would be nice if each pool could have its own credential › Well, you can! Use the SSL authentication method.

Why use SSL? › Widely used and deployed › Flexible enough for securing communications between Condor daemons and also for authenticating users

Basics: OpenSSL › OpenSSL is typically already installed on modern Linux systems › On more obscure flavors of Unix, and on Windows, you will likely need to install it yourself › Can be obtained here:

Basics: OpenSSL › Or, instead of installing OpenSSL everywhere, you can create your credentials on a Linux machine and securely move them to another machine where they will be used › Make sure the permissions are such that only the proper people can read the key!

Basics: SSL config › You can use the default from the openssl package or start with my simplified version here: › › Find the section [ req_distinguished_name ] and customize it: [ req_distinguished_name ] stateOrProvinceName_default = Wisconsin localityName_default = Madison 0.organizationName_default = University of Wisconsin -- Madison 1.organizationName_default = Computer Sciences Department organizationalUnitName_default = Condor Project

Single Credential › In this example, we will create a single key/certificate pair and use that to secure communications between Condor daemons › This is roughly equivalent to the pool password method – it is a shared secret stored in a file

Single Credentials › First, create the private key file: openssl genrsa -out cndrsrvc.key 1024 Generating RSA private key, 1024 bit long modulus e is (0x10001) chmod 600 cndrsrvc.key

Single Credential › Now, create a self-signed certificate openssl req -new -x509 -days key cndrsrvc.key \ -out cndrsrvc.crt -config openssl.cnf You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank Country Name (2 letter code) [US]: State or Province Name (full name) [Wisconsin]: Locality Name (eg, city) [Madison]: Organization Name (eg, company) [University of Wisconsin -- Madison]: Second Organization Name (eg, company) [Computer Sciences Department]: Organizational Unit Name (eg, section) [Condor Project]: Common Name (eg, YOUR name) []: Service Address []:

Single Credential › Inspect the certificate we made: openssl x509 -noout -text -in cndrsrvc.crt Certificate: Data: Version: 3 (0x2) Serial Number: 8c:94:7b:b1:f9:6a:bd:72 Signature Algorithm: sha1WithRSAEncryption Issuer: C=US, ST=Wisconsin, L=Madison, O=University of Wisconsin -- \ Madison, O=Computer Sciences Department, OU=Condor Project, CN=Service Validity Not Before: May 1 14:31: GMT Not After : Apr 28 14:31: GMT Subject: C=US, ST=Wisconsin, L=Madison, O=University of Wisconsin -- \ Madison, O=Computer Sciences Department, OU=Condor Project, CN=Service …

Single Credential › Great! Now what? › Create a map file  Condor needs to know how to map the distinguished name to an actual username. For example: /C=US/ST=Wisconsin/L=Madison/O=University of Wisconsin -- Madison/O=Computer Sciences Department/OU=Condor Project/CN=Service Should map to: condor › Configure the Condor daemons

Condor Mapfile › Simple format › Three fields (on one line)  Authentication method (SSL in this case)  Source DN  Mapped user SSL "/C=US/ST=Wisconsin/L=Madison/O=University of Wisconsin -- Madison/O=Computer Sciences Department/OU=Condor Project/CN=Service“ condor

condor_config › Add the following entries: AUTH_SSL_CLIENT_CAFILE = /path/to/cndrsrvc.crt AUTH_SSL_CLIENT_CERTFILE = /path/to/cndrsrvc.crt AUTH_SSL_CLIENT_KEYFILE = /path/to/cndrsrvc.key AUTH_SSL_SERVER_CAFILE = /path/to/cndrsrvc.crt AUTH_SSL_SERVER_CERTFILE = /path/to/cndrsrvc.crt AUTH_SSL_SERVER_KEYFILE = /path/to/cndrsrvc.key › And the map file: CERTIFICATE_MAPFILE = /path/to/condor_mapfile

condor_config › Tell condor to use SSL: SEC_DAEMON_AUTHENTICATION = REQUIRED SEC_DAEMON_AUTHENTICATION_METHODS = SSL

That’s (mostly) It! › You have now enabled SSL authentication between all your Condor daemons › But at this point, it isn’t much different than using a Pool Password

Creating a CA › The solution is to issue separate credentials for each entity that will be involved in authenticating › Can’t do this with Pool Password, but you can with SSL

Creating a CA › This involves creating a Certificate Authority which is trusted by Condor › All certificates issued by the CA are then trusted › Certs can be easily issued for hosts and users

Creating a CA › Create the root key and cert which will be used to sign all other certificates › This key should be protected with a password (don’t forget it!!)

Creating a CA › Generate a key: openssl genrsa -des3 -out root-ca.key 1024 Generating RSA private key, 1024 bit long modulus e is (0x10001) Enter pass phrase for root-ca.key: Verifying - Enter pass phrase for root-ca.key:

Creating a CA › Now create a self signed certificate openssl req -new -x509 -days key root-ca.key -out root-ca.crt -config openssl.cnf Enter pass phrase for root-ca.key: CA PASSWORD HERE You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank Country Name (2 letter code) [US]: State or Province Name (full name) [Wisconsin]: Locality Name (eg, city) [Madison]: Organization Name (eg, company) [University of Wisconsin -- Madison]: Second Organization Name (eg, company) [Computer Sciences Department]: Organizational Unit Name (eg, section) [Condor Project]: Common Name (eg, YOUR name) []: ROOT CA Address []:

Creating a CA › Again, you can inspect the certificate openssl x509 -noout -text -in root-ca.crt Certificate: Data: Version: 3 (0x2) Serial Number: c7:99:e5:f7:c6:54:00:7a Signature Algorithm: sha1WithRSAEncryption Issuer: C=US, ST=Wisconsin, L=Madison, O=University of Wisconsin – Madison, O=Computer Sciences Department, OU=Condor Project, CN=ROOT CA …

Creating a CA › In the directory with the Root CA and openssl.cnf file, run these commands: touch ca.db.index echo 01 > ca.db.serial

Creating a Host Credential › Create the key and a signing request openssl req -newkey rsa:1024 -keyout \ host_omega.key -nodes -config \ openssl.cnf -out host_omega.req

Creating a Host Certificate Generating a 1024 bit RSA private key writing new private key to 'host_omega.key' You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank Country Name (2 letter code) [US]: State or Province Name (full name) [Wisconsin]: Locality Name (eg, city) [Madison]: Organization Name (eg, company) [University of Wisconsin -- Madison]: Second Organization Name (eg, company) [Computer Sciences Department]: Organizational Unit Name (eg, section) [Condor Project]: Common Name (eg, YOUR name) []: omega.cs.wisc.edu Address []:

Creating a Host Credential openssl ca -config openssl.cnf -out \ host_omega.crt -infiles host_omega.req Using configuration from openssl.cnf Enter pass phrase for./root-ca.key: Check that the request matches the signature Signature ok Certificate Details: … Certificate is to be certified until May 01 14:31: GMT (365 days) Sign the certificate? [y/n]: y

Configuring Condor › Each host can now use it’s own credential (example for omega.cs.wisc.edu) AUTH_SSL_CLIENT_CAFILE = /path/to/root-ca.crt AUTH_SSL_CLIENT_CERTFILE = /path/to/host_omega.crt AUTH_SSL_CLIENT_KEYFILE = /path/to/host_omega.key AUTH_SSL_SERVER_CAFILE = /path/to/root-ca.crt AUTH_SSL_SERVER_CERTFILE = /path/to/host_omega.crt AUTH_SSL_SERVER_KEYFILE = /path/to/host_omega.key

Creating a User Credential openssl req -newkey rsa:1024 -keyout zmiller.key -config openssl.cnf -out zmiller.req Generating a 1024 bit RSA private key writing new private key to 'zmiller.key' Enter PEM pass phrase: Verifying - Enter PEM pass phrase: USER PASSWORD HERE You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank Country Name (2 letter code) [US]: State or Province Name (full name) [Wisconsin]: Locality Name (eg, city) [Madison]: Organization Name (eg, company) [University of Wisconsin -- Madison]: Second Organization Name (eg, company) [Computer Sciences Department]: Organizational Unit Name (eg, section) [Condor Project]: Common Name (eg, YOUR name) []: Zach Miller Address []:

Creating a User Credential openssl ca -config openssl.cnf -out zmiller.crt -infiles zmiller.req Using configuration from openssl.cnf Enter pass phrase for./root-ca.key: CA PASSWORD Check that the request matches the signature Signature ok Certificate Details: … Certificate is to be certified until May 1 14:31: GMT (365 days) Sign the certificate? [y/n]: y

Mapping Users › You could have one entry per user: SSL “C=US/ST=Wisconsin/L=Madison, O=University of Wisconsin – Madison/O=Computer Sciences Department/OU=Condor Project/CN=Zach zmiller SSL “C=US/ST=Wisconsin/L=Madison, O=University of Wisconsin – Madison/O=Computer Sciences Department/OU=Condor Project/CN=Todd tannenba … Etc.

Mapping Users › In the CERTIFICATE_MAPFILE, you can now add a rule to map all users by extracting the username from their address: SSL \1

Securing Everything › If all hosts and users have credentials, you can then enable SSL authentication for ALL communication, not just daemon-to- daemon. In the condor_config: SEC_DEFAULT_AUTHENTICATION = REQUIRED SEC_DEFAULT_AUTHENTICATION_METHODS = SSL

More Information › Ask me during this week! › You can find more detailed information, and examples using multi-level CAs here:

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.