Certificates for DataGRID. David Kelsey, CLRC/RAL, UK. HEPiX, JLAB, 3 November 2000.

Overview
DataGRID
Globus security
Example: UK CA
Issues – for coordination
Future plans
n.b. early days: more questions than answers!

Work Packages
WP 1 Grid Workload Management (C. Vistoli/Italy)
WP 2 Grid Data Management (B. Segal/CERN)
WP 3 Grid Monitoring Services (R. Middleton/UK)
WP 4 Fabric Management (T. Smith/CERN)
WP 5 Mass Storage Management (J. Gordon/UK)
WP 6 Integration Testbed (F. Etienne/France)
WP 7 Network Services (C. Michau/France)
WP 8 HEP Applications (F. Carminati/CERN)
WP 9 EO Science Applications (L. Fusco/ESA)
WP 10 Biology Applications (C. Michau/France)
WP 11 Dissemination (G. Mascari/Italy)
WP 12 Project Management (F. Gagliardi/CERN)

Simplified Workpackage Relationships (layered diagram, top to bottom)
Applications: HEP Apps (WP8), EO Apps (WP9), Bio Apps (WP10)
Data Grid Services: Workload Management (WP1), Data Management (WP2), Monitoring Services (WP3)
Core Middleware: Globus Middleware
Physical Fabric: Fabric Management (WP4), Networking (WP7), Mass Storage Management (WP5)

Grid Security Infrastructure (GSI) from Globus
Interdomain – bridges the gap between different local solutions
Uses X.509 certificates for authentication
– machines and users have a globally unique “ID”
– certifies the user’s identity
Avoids clear-text passwords
Single sign-on via grid-proxy-init
Authentication, not authorisation
Grid-enabled applications – GSI-ftp, GSI-ssh, globus-job-run etc.
GRID security kept separate from local site security and authorisation mechanisms
– Access to Grid resources granted via mapping in a gridmap file
– To local username or Kerberos principal
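As an added example (not from the talk and not Globus's own code), the gridmap mapping step described on this slide in Python: a parser for the grid-mapfile format and a lookup that denies any certificate subject the site has not explicitly mapped. The subjects and local accounts are constructed sample data; the stripping of "/CN=proxy" suffixes follows the subject naming used by legacy grid-proxy-init proxies.

```python
# Added example: minimal Globus-style grid-mapfile lookup.
# GSI only authenticates the X.509 subject; granting access to a local account
# is a separate, site-controlled step driven by the grid-mapfile.
# The mapfile text below is constructed sample data.
import re
import shlex

SAMPLE_GRIDMAP = '''
# site grid-mapfile: "<certificate subject>" <local account>[,<account>...]
"/C=UK/O=eScience/OU=CLRC/L=RAL/CN=alice example" alice
"/C=UK/O=eScience/OU=CLRC/L=RAL/CN=bob example" bob,hepgrid
"/C=FR/O=CNRS/CN=carol example" carol
'''

# Legacy grid-proxy-init proxies append one or more of these components to the
# holder's subject; the mapfile is keyed on the end-entity subject, so strip them.
_PROXY_SUFFIX = re.compile(r'(/CN=(limited )?proxy)+$')


def parse_gridmap(text):
    """Return {subject: [local accounts]} from grid-mapfile text."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = shlex.split(line)   # the quoted subject contains spaces
        if len(parts) != 2:
            raise ValueError('malformed grid-mapfile line: %r' % raw)
        subject, accounts = parts
        mapping[subject] = [a for a in accounts.split(',') if a]
    return mapping


def map_subject(mapping, subject):
    """Local account for an authenticated subject, or None (deny) if unmapped.

    The first listed account is the default, as in the Globus gatekeeper."""
    end_entity = _PROXY_SUFFIX.sub('', subject)
    accounts = mapping.get(end_entity)
    return accounts[0] if accounts else None


if __name__ == '__main__':
    gm = parse_gridmap(SAMPLE_GRIDMAP)
    for subj in ('/C=UK/O=eScience/OU=CLRC/L=RAL/CN=alice example/CN=proxy',
                 '/C=FR/O=CNRS/CN=mallory example'):
        print(subj, '->', map_subject(gm, subj) or 'DENIED')
```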

Certificates for Globus
3 components
– Certificate; signed by a trusted 3rd party, contains the public key
– Private key, stored on disk of home machine
– Pass-phrase to decrypt private key
Can get these from Globus, but not sufficient checks
DataGRID Testbed needs its own Certificate Authority (CA) or CAs
– “Set of National CAs” is the current favourite

Certificates for UK testbed
As an example …
UK Testbed (4 or 5 sites) starting November 2000
Globus CA certificates not appropriate
RAL will issue Globus certificates
– limited lifetime (~ 6 months) with fixed end date
– only for use by Globus (not etc)
For bona fide members of the UK HEP Testbed community
Use personal contact with nominated contacts at each UK site for confirming user credentials

Issues for coordination
Users want simple and easy access
– DataGRID needs certificates that will be valid across the whole Testbed (or whole GRID?)
One CA for DataGRID (or even HEP) not appropriate
– But could have one CA plus hierarchical user registration
Scaling problems with many CAs
– All Globus clients need a list of trusted CAs
– For maintenance, must minimise the number of CAs

Issues (2)
Does a hierarchy add value?
– A HEP root CA could certify all national CAs
– May need mods to Globus code?
Structure – National, Experiments, …?
Use general or Globus-specific certificates?
Need to have agreed and written procedures
– so we can trust each other’s certificates
– Will sites trust each other?
Proxy certificates are limited – no chaining

Issues (3)
Authorisation via certificates?
– should the certificate include the user’s experiment affiliation?
– An important architectural decision
Globus developments …
– Community Authorisation Server
– Group access control over distributed resources
DataGRID needs to decide how to manage authorisation
– LDAP registry of users/groups may be needed

Issues (4)
How to revoke certificates? (very important)
– people who leave
– compromised certificates (or CA!)
– CA maintains a CRL
– How to distribute?
User education
– Safety of private key and pass-phrase
– No sharing of certificates

Future plans
DataGRID WP6 Testbed security contacts/experts meet soon
– Probably early next month at CERN
– To propose the CA structure and procedures
Need to check PPDG and GriPhyN plans
Question to audience… Are there other issues we need to consider?