Security Mechanisms The European DataGrid Project Team

Slides:

Advertisements

Similar presentations

INFN CA1 active since July manager: –Roberto Cecchini types of certificates released: –personal –server –object signing.

Advertisements

Programme: 145 sessions & social events

22-Apr-02D.P.Kelsey, Security, UKHEP Sysman1 Grid Security 22 Apr 2002 UK HEP Sysman Meeting David Kelsey CLRC/RAL, UK

User Certificate Application Guide Mason Hsiung. Visit start to request your user certificatehttp://ca.grid.sinica.edu.tw.

GSI – Grid Security Infrastructure and the EU DataGrid Authentication Infrastructure For the EDG CACG: David Groep.

Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester

DGC Paris Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.

30-Jan-03D.P.Kelsey, GridPP Security1 Security GridPP6 30 Jan 2003 Coseners House David Kelsey CLRC/RAL, UK

Authentication Policy David Kelsey CCLRC/RAL 15 April 2004, Dublin

Summer School Certificates Diego Romano & Gilda Team.

AustrianGrid, LCG & more Reinhard Bischof HPC-Seminar April 8 th 2005.

Security Mechanisms The European DataGrid Project Team

Andrew McNab - Manchester HEP - 26 June 2001 WG-H / Support status Packaging / RPM’s UK + EU DG CA’s central grid-users file grid “ping”

13-May-03D.P.Kelsey, WP8 CA and VO organistion1 CA’s and Experiment (VO) Organisation WP8 Meeting EDG Barcelona, 13 May 2003 David Kelsey CCLRC/RAL, UK.

12-May-03D.P.Kelsey, SCG Online Authentication1 Online Authentication SCG Meeting EDG Barcelona, 12 May 2003 David Kelsey CCLRC/RAL, UK

DataGrid WP6 CA meeting, CERN, 12 December 2002 IISAS Certification Authority Jan Astalos Department of Parallel and Distributed Computing Institute of.

9-May-02D.P.Kelsey, Security Plans, GridPP41 Security: Plans 9 May 2002 GridPP4 meeting, Manchester David Kelsey CLRC/RAL, UK

5th EELA TUTORIAL - USERS E-infrastructure shared between Europe and Latin America Authentication and Authorization in gLite Alexandre.

DOE Grids New subordinate CP/CPS v2.3 New subordinate CP/CPS v2.3 New name DOEGrids.org New name DOEGrids.org Old name DOESciencegrid.org Old name DOESciencegrid.org.

August 13, 2003Eric Hjort Getting Started with Grid Computing in STAR Eric Hjort, LBNL STAR Collaboration Meeting August 13, 2003.

EU DataGrid (EDG) & GridPP Authorization and Access Control User VOMS C CA 2. certificate dn, ca, key 1. request 3. certificate 4. VOMS cred: VO, groups,

10-Jun-03D.P.Kelsey, LCG-GDB-Security1 LCG/GDB Security (Report from the LCG Security Group) CERN, 10 June 2003 David Kelsey CCLRC/RAL, UK

ESnet PKI Developed for the DOE Science Grid and SciDAC.

Exporting User Certificate from Internet Explorer.

DataGrid WP6/CA CA Trust Matrices Trinity College Dublin (TCD) Brian Coghlan CERN DEC-2002.

23-Oct-03D.P.Kelsey, LCG Security Update, HEPiX1 LCG Security Update HEPiX-HEPNT, TRIUMF, 23 October 2003 David Kelsey CCLRC/RAL, UK

INFSO-RI Enabling Grids for E-sciencE How to join GILDA Riccardo Bruno INFN gLite Tutorial at the First EGEE User Forum CERN,

Association with the Gilda Virtual Organization Certificate,VO membership, and MyProxy Server usage.

Ákos FROHNER – DataGrid Security n° 1 Security Group D7.6 Design Ideas

BNL VO Management and Grid Mapfile Generation Brookhaven National Lab.

3-Jul-02D.P.Kelsey, Security1 Security meetings Report to EDG PTB 3 Jul 2002 David Kelsey CLRC/RAL, UK

User Management: Authentication & Authorization on the NorduGrid Balázs Kónya, AndersWäänänen 3 rd NorduGrid Workshop, 23 May, 2002 Helsinki.

23-Oct-02D.P.Kelsey, Grid Security, HEPiX, FNAL1 LCG/EDG Security - update and plans HEPiX/HEPNT - FNAL 23 Oct 2002 David Kelsey CLRC/RAL, UK

Authorisation, Authentication and Security Guy Warner NeSC Training Team Induction to Grid Computing and the EGEE Project, Vilnius,

Services Security A. Casajus R. Graciani. 12/12/ Overview DIRAC Security Infrastructure HSGE Transport Authentication Authorization DIRAC Authorization.

2-Sep-02D.P.Kelsey, WP6 CA, Budapest1 WP6 CA report Budapest 2 Sep 2002 David Kelsey CLRC/RAL, UK

DTI Mission – 29 June LCG Security Ian Neilson LCG Security Officer Grid Deployment Group CERN.

Last update 21/01/ :05 LCG 1Maria Dimou- cern-it-gd Current LCG User Registration, VO management and Authorisation Procedures VOMS workshop

Information Security Systems Cost Effective Authenticity & Integrity in CEN/FISCALIS eInvoicing Good Practice Guidelines Nick Pope – Principal Consultant,

11-Dec-00D.P.Kelsey, Certificates, WP6 meeting, Milan1 Certificates for DataGrid Testbed0 David Kelsey CLRC/RAL, UK

Security Mechanisms The European DataGrid Project Team

8-Mar-01D.P.Kelsey, Certificates, WP6, Amsterdam1 WP6: Certificates for DataGrid Testbeds David Kelsey CLRC/RAL, UK

15-May-03D.P.Kelsey, SCG Summary1 Security Coord Group (SCG) EDG Barcelona, 12 May 2003 David Kelsey CCLRC/RAL, UK

10-May-01D.P.Kelsey, WP6 Security1 Certificates/Authorisation for DataGrid Testbeds David Kelsey CLRC/RAL, UK

Placeholder ES 1 CERN IT EGI Technical Forum, Experiment Support group AAI usage, issues and wishes for WLCG Maarten Litmaath CERN.

7-May-03D.P.Kelsey, LCG-GDB-Security1 LCG/GDB Security Issues and Planning or Report from the Security Group CERN, 8 May 2003 David Kelsey CCLRC/RAL, UK.

EGEE is a project funded by the European Union under contract IST New VO Integration Fabio Hernandez ROC Managers Workshop,

11-May-01D.P.Kelsey, Security Update1 GRID Security Update David Kelsey CLRC/RAL, UK

EGI-InSPIRE RI Grid Training for Power Users EGI-InSPIRE N G I A E G I S Grid Training for Power Users Institute of Physics Belgrade.

1 Grid Security Jinny Chien Academia Sinica Computing Centre Deployment team.

Enabling Grids for E-sciencE gLite security pratical tutorial Dario Russo INFN Catania Catania,

Security, Authentication and Authorization on Grid Computing 1st Chinese-French workshop on LHC Physics and Associated Grid Computing Beijing, December.

DataGrid Security Wrapup Linda Cornwall 4 th March 2004.

Gilda certificates. Certification Authority

Trusted Organizations In the grid world one single CA usually covers a predefined geographic region or administrative domain: – Organization – Country.

Security, Authentication and Authorization Virginia Martín-Rubio Pascual RedIRIS/Red.es Curso Grid y e-Ciencia 2010, Valencia.

GRID-FR French CA Alice de Bignicourt.

Registration StratusLab Tutorial (Orsay, France) 28 November 2012.

Security Mechanisms The European DataGrid Project Team

David Kelsey CLRC/RAL, UK

The European DataGrid Project Team

HellasGrid CA & euGridPMA

Update on EDG Security (VOMS)

The European Parliament – voice of the people

The European Parliament – voice of the people

Grid Security M. Jouvin / C. Loomis (LAL-Orsay)

The EU DataGrid Security Services

The EU DataGrid Security Services

The GENIUS Security Services

Prodcom Statistics in Focus

Presentation transcript:

Security Mechanisms The European DataGrid Project Team

Security Tutorial - n° 2 Overview  User side n Getting a certificate n Becoming a member of the VO  Server side n Authentication / CA n Authorization / VO (with some examples)

Security Tutorial - n° 3 Authentication  Authentication (CA Working Group) n Policies & Procedures  mutual trust n Currently the EDG CA group has approved s 15 EDG CAs s 5 CrossGrid CAs n France-CNRS acted as catchall CA to accept sites not covered by accepted CAs n Users identified by their personal certificate CrossGrid Certification Authorities Slovakia Cyprus Poland Greece DataGrid Certification Authorities CERN Czech Republic Canada France CNRS Germany Ireland Netherlands Nordic Countries Portugal Russia Spain United Kingdom US – DOE CrossGrid CAs

Security Tutorial - n° 4 Authorization  Authorization (Authorization Working Group) n Based on Virtual Organizations (VO) n Authorizations by experiment n Virtual Organizations n Each VO has his own manager DataGrid Virtual Organizations WP6 ITEAM TSTG ALICE ATLAS LHCb CMS BABAR D0 EARTHOB GENOMIC MEDICAL IMAGING Guidelines

Security Tutorial - n° 5 Authentication Overview  Method to request certificate depending of the CA  A certificate is valid 1 year  Web request n France CNRS n Ireland n Italy n Netherlands n United Kingdom n US DOE  Grid-cert-request n Canada n CERN n Germany n Nordic Countries n Portugal n Russia n Spain  Openssl request n Czech Republic

Security Tutorial - n° 6 CNRS Personal Certificate Request  n See demo

Security Tutorial - n° 7 Certificate Convertion  Convert your certificate from PKCS12 format in PEM format n /opt/edg/bin/pkcs12-extract Or openssl pkcs12 -nocerts \ -in cert.p12 \ -out ~user/.globus/userkey.pem openssl pkcs12 -clcerts -nokeys \ -in cert.p12 \ -out ~user/.globus/usercert.pem

Security Tutorial - n° 8 Authorization User registration in an EDG Virtual Organisation  Sign the usage guidelines:  In case of problem, contact your VO Manager -> You are registered in the VO server and have a user account.

Security Tutorial - n° 9 Usage You must have a valid certificate from a trusted CA!  „login”: grid-proxy-init short lifetime certificate: 24 hours Enter PEM pass phrase:  checking the proxy: grid-proxy-info -subject /O=Grid/O=CERN/OU=cern.ch/CN=Akos Frohner/CN=proxy  „logout”: grid-proxy-destroy -> use the grid services

Security Tutorial - n° 10 CNRS Host Certificate Request  n See demo  You receive by crypted and signed the host certificate

Security Tutorial - n° 11 Configuration on the Server  All RPMs are here: n  Certificate and CRL URLs of the CAs:Authentication n  Creation of the gridmapfile:Authorization n mkgridmap i386.rpm mkgridmap i386.rpm  Scripts to update gridmapfile and CRLs: Authentication/Authorization n system noarch.rpm system noarch.rpm

Security Tutorial - n° 12 Summary  Authentification n n n  Authorization n n

Security Tutorial - n° 13 Further Information Grid  EDG CAs:  Globus Security:  EDG WP2: management/security/ management/security/  EDG D7.5: Background  GGF Security:  GSS-API: 84.htmlhttp:// 84.html  IETF PKIX charter: charter.htmlhttp:// charter.html  PKCS: