10-Jun-03D.P.Kelsey, LCG-GDB-Security1 LCG/GDB Security (Report from the LCG Security Group) CERN, 10 June 2003 David Kelsey CCLRC/RAL, UK

Presentation transcript:

Slide 1: LCG/GDB Security (Report from the LCG Security Group)
CERN, 10 June 2003
David Kelsey, CCLRC/RAL, UK

Slide 2: Overview
Topics for agreement today (for 1st July)
    Approval of CA’s
    User Registration – personal info
    User Registration – Registration Authorities – not finished
Topics for 8th July GDB – advance warning
    Experiment/VO Procedures (RA’s)
    User Rules/AUP
    Incident Response
    Audit logs
Security Group meetings
    – 28th May (phone) and 5th June (all day – CERN)

Slide 3: Approval of LCG-1 CA’s
See paper (2nd June 2003)
    – As discussed at last GDB
Procedure for approving and implementing
    – Modified as requested by May GDB meeting
Initial list (may change after 12/13 June meeting)
    – Union of DataGrid and CrossGrid CA’s
        Includes North America
        Taiwan, FNAL and Hungary – CA meeting 12/13 June
    – Additional LCG-1
        FNAL Kerberos CA
GDB asked to approve procedure and initial list

Slide 4: CA approval procedure
For 2003
The LCG-1 Security Group proposes the list of accepted CA’s from two sources:
    – The list of “traditional” CA’s, issuing long-lived (12 months or more) certificates, comes from the EDG CA Group
    – The list of additional CA’s (online short-lived, special cases, etc.) is generated by the LCG-1 Security Group
Proposed additions to these lists above will be circulated to the GDB and to the LCG-1 site security contacts for objection prior to implementation
The LCG-1 operations team maintains the necessary information (certificates, signing policy, CRL’s) and distribution mechanisms for CA’s on both sub-lists
All LCG-1 resources will install the full list of approved CA’s

Slide 5: Initial CA list
Canada, CERN, Cyprus, Czech Republic, France, Germany, Greece, Ireland, Italy, Netherlands, Nordic countries, Poland, Portugal, Russia, Slovakia, Spain, UK, and USA.
“Catch-all” operated by CNRS/France
Taiwan, FNAL and Hungary – under consideration
Tokyo, Belgium, Israel, Pakistan
    – At various stages of preparation

Slide 6: User Registration: Personal Info
Many concerns about distribution of and access to personal data – discussed at last GDB meeting
Action on GDB National Members (8th May GDB)
    – What user info is required for registration?
    – Is this for pre-registration of accounts?
    – Why do you need the info?
    – Can your policy be changed?
There was little response, so on 2nd June
    – We made definite proposal
        See next slide
    – To date, I have heard from Switzerland, Russia, UK and USA
        No objections yet.

Slide 7: User Personal Data (2)
Proposal – for agreement today
User registers on LCG-1 web site (one central)
    – Agrees to and “signs” Usage Rules
    – Agrees to personal data being distributed to all LCG-1 sites (Tier 0/1/2)
        For use of site/resource managers ONLY
Last name, First name, Institution, address, telephone number, experiment
Distributed to all LCG-1 sites (down to Tier 2)
    – Can be used for pre-registration if required
Checks made by Expt/VO managers (see later)
Comments:
    – USA: uncertainty as to whether also need “Nationality”
    – UK: require Expt/VO managers to check and maintain info

Slide 8: User Registration
Registration Authorities
We need Registration Authorities to check
    – The user actually made the request
    – User is valid member of the experiment
    – User is at the listed institution
    – That all user data looks reasonable
        E.g. mail address
The web form will warn that these checks will be made
CERN team investigating feasibility of confirmation of registration request by user on the provided address
We need to create and maintain lists (per experiment) of
    – Institutes and Contact names/details
    – For distribution to all LCG-1 sites

Slide 9: VO Registration (2)
Discussions with GDB Experiment Reps and current VO managers
    – Started by documenting the current procedures
    – But no firm proposal in time for this meeting
Today’s VO managers (EDG)
    – ALICE: Daniele Mura, INFN
    – ATLAS: Alessandro De Salvo, INFN
    – CMS: Andrea Sciaba, INFN
    – LHCb: Joel Closier, CERN
Plan to continue to use the existing VO servers and services (run by NIKHEF) and the current VO managers (all agree to continue)
Then plan for Jan 2004

Slide 10: Current procedures (1) ALICE
How to Check Request? All known
Contact “Supervisor”? No
Remove users? No
Number of users today? 49
New Requests/week? ~1
Backup Mgr? ?
Willing to continue? Yes

Slide 11: Current procedures (2) ATLAS
How to Check Request? ~80% well-known or check CERN DB or Supervisor or User
Contact “Supervisor”? If necessary
Remove users? No – cert expiry?
Number of users today? 78
New Requests/week? 1-2
Backup Mgr? No
Willing to continue? Yes

Slide 12: Current procedures (3) CMS
How to Check Request? Known or CMS web
Contact “Supervisor”? No
Remove users? No
Number of users today? 63
New Requests/week? <1
Backup Mgr? No
Willing to continue? Yes

Slide 13: Current procedures (4) LHCb
How to Check Request? Known or PIE/and contact Institute rep
Contact “Supervisor”? sometimes
Remove users? no
Number of users today? 25
New Requests/week? <1
Backup Mgr? No
Willing to continue? Yes

Slide 14: Draft proposal – VO/RA
For 1st July – continue as today
Work needed on more robust procedures
    – That can scale
        Distributed RA’s required
Long-term aim
    – Make part of CERN Experiment/User Office registration procedures
For discussion at 8th July GDB
    – Paper 23rd June

Slide 15: User Rules/AUP
To be agreed to (signed via private key in browser) when User registers
Still working on draft
Based on current EDG Usage Rules
Does not override sites rules and policies
Only allows professional use
For discussion at next GDB
    – Paper 23rd June

Slide 16: Incident Response
Draft document discussed on Security Contacts list
Procedures for 1st July (before GOC)
    – Incidents, communications, enforcement, escalation etc
We have created an ops security list
    – Default site entry is the Contact person but an operational list would be better
For discussion at next GDB
Paper 23rd June

Slide 17: Audit logs
CERN team working on this
Changes have been made to the Globus gatekeeper and jobmanager (LSF and probably PBS) to allow log rotation and access to batch jobid
    – Have been submitted to VDT
    – Integration into EDG release in due course
We will propose a list of audit logs
    – To be kept for 3 months (100 days?) by all sites
Paper to GDB on 23rd June
    – For discussion at next meeting
    – Details of what is needed
N.b. We need audit logs from the RB
    – No real auditing until this exists