Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security in WLCG/EGEE. Security – January 15-16 2007 - 2 Requirements Providers of resources (computers, storages, databases, services..) need risks to.

Published byColeen Randall Modified over 8 years ago

Similar presentations

Presentation on theme: "Security in WLCG/EGEE. Security – January 15-16 2007 - 2 Requirements Providers of resources (computers, storages, databases, services..) need risks to."— Presentation transcript:

1 Security in WLCG/EGEE

2 Security – January 15-16 2007 - 2 Requirements Providers of resources (computers, storages, databases, services..) need risks to be controlled: They are asked to trust users they do not know They trust a VO The VO trusts its members Users need single sign-on: to be able to logon to a machine that can pass the user’s identity to all other resources without further initialization. To trust owners of the resources they are using All that is fulfilled by the Grid Security Infrastructure (GSI) that currently represents the standard for security on all Grid implementations. It enables secure authentication and communication over an open network It relies on public key encryption (PKI), X.509 certificates and…..(see later)

3 Security – January 15-16 2007 - 3 Basic “grid-security” concepts Principal An entity: a user, a program, or a machine Credentials Necessary data to provide the proof of identity Mechanism software providing data authentication, confidentiality, integrity (e.g. Kerberos, GSI) Authentication Verify the identity of the peer (who wants to use resource?) Authorization Verify the complying of policies and rules (is the peer allowed to access resources?) Mapping Establish rule for converting grid identity/property into local account/capability (how to interpret a given access request?) Confidentiality Encrypt the message so that only the recipient can understand it. Integrity Ensure that the message has not be altered in the transmission Non-repudiation Impossibility of denying the authenticity of a digital signature

4 Security – January 15-16 2007 - 4 Encryption Symmetric encryption: same key (“secret”) used for encryption and decryption Kerberos, DES / 3DES, IDEA Asymmetric encryption: different keys used for encryption and decryption RSA, DSA Clear text message Encrypted text Clear text message Encryption Decryption Shared key Clear text message Encrypted text Clear text message Encryption Decryption Key A Key B

5 Security – January 15-16 2007 - 5 PKI: Public Key Infrastructure Provides authentication, integrity, confidentiality, non-repudiation Asymmetric encryption Digital signatures A hash derived from the message and encrypted with the signer’s private key Signature checked decrypting with the signer’s public key Allows key exchange in an insecure medium using a trust model Keys trusted only if signed by a trusted third party (Certification Authority) A CA certifies that a key belongs to a given principal Certificate Public key + information about the principal + CA signature X.509 format most used PKI used by SSL, PGP, GSI, WS security, S/MIME, etc. Encrypted text Private Key Public Key Clear text message

6 Security – January 15-16 2007 - 6 X.509 certificates and authentication A B A’s certificate A Verify CA signature Random phrase Encrypt with A’ s private key Encrypted phrase Decrypt with A’ s public key Compare with original phrase Public key Subject:C=CH, O=CERN, OU=GRID, CN=John Smith 8968 Issuer: C=CH, O=CERN, OU=GRID, CN=CERN CA Expiration date: Aug 26 08:08:14 2005 GMT Serial number: 625 (0x271) CA Digital signature Structure of a X.509 certificate

7 Security – January 15-16 2007 - 7 Certification Authorities Issue certificates for users, programs and machines Check the identity and the personal data of the requestor Registration Authorities (e.g. Ian Neilson) do the actual validation within a CA Manage Certificate Revocation Lists (CRLs) They contain all the revoked certificates yet to expire CA certificates are self-signed LCG-2 recognizes a given set of CAs https://lcg-registrar.cern.ch/pki_certificates.html

8 Security – January 15-16 2007 - 8 Certificate classification User certificate issued to a physical person DN= C=CH, O=CERN, OU=GRID, CN =John Smith the only kind of certificate good for a client, i.e. to send Grid jobs etc. Host certificate issued to a machine (i.e. a secure web server, etc.) request signed with a user certificate DN= C=CH, O=CERN, OU=GRID, CN=host1.cern.ch Grid host certificate issued to a Grid service (i.e. a Resource Broker, a Computing Element, etc.) request signed with a user certificate DN= C=CH, O=CERN, OU=GRID, CN=host/host1.cern.ch Service certificate issued to a program running on a machine request signed with a user certificate DN= C=CH, O=CERN, OU=GRID, CN=ldap/host1.cern.ch

9 Security – January 15-16 2007 - 9 Globus Grid Security Infrastructure (GSI) Based on PKI Implements some important features Single sign-on: no need to give one’s password every time Delegation: a service can act on behalf of a person Mutual authentication: both sides must authenticate to the other Introduces proxy certificates The user certificate, whose private key is protected by a password, is used to generate and sign a temporary certificate, called proxy, which is used for the actual authentication and does not have a password. As the possession of the proxy certificate is a proof of identity, the file containing it must be kept readable only by the user and the proxy has, by default, a short lifetime to reduce security risks. (short-lived proxy)

10 Security – January 15-16 2007 - 10 More on proxy certificates and delegation Delegation Allowing someone (something) else (eg. a file transfer service) to use my credentials Proxies can be moved over a network Subject identifies the user: User subject: /C=CH/O=CERN/OU=GRID/CN=Andrea Sciaba 8968 Proxy subject: /C=CH/O=CERN/OU=GRID/CN=Andrea Sciaba 8968/CN=proxy Full proxy A proxy created from a user certificate or another full proxy with normal delegation Limited proxy A proxy created from a proxy with limited delegation, or from another limited proxy What does that mean? Entities can decide to accept only full proxies. Examples: GridFTP accepts all proxies Globus gatekeeper accepts only full proxies

11 Security – January 15-16 2007 - 11 Virtual Organizations and authorization WLCG users MUST belong to a Virtual Organization Sets of users belonging to a collaboration List of supported VOs: https://lcg-registrar.cern.ch/virtual_organization.html VOs maintain a list of their members and their capabilities in central DBs. The organization of the VO is then propagated to resources somehow. The whole list of users is downloaded by Grid machines to map user certificate subjects to local “pool” (and not only) accounts Sites decide which VOs to accept... "/C=CH/O=CERN/OU=GRID/CN=Simone Campana 7461".dteam "/C=CH/O=CERN/OU=GRID/CN=Andrea Sciaba 8968".cms "/C=CH/O=CERN/OU=GRID/CN=Patricia Mendez Lorenzo-ALICE".alice "/C=CH/O=CERN/OU=GRID/CN=Roberto Santinelli 7735" lhcbsgm... grid-mapfile

12 Security – January 15-16 2007 - 12 VOMS: Virtual Organization Membership Service VOMS Extends the proxy info with VO membership, group, role Voms-proxy-init produces a user’s proxy certificate – like grid-proxy-init does – but with the difference that it contains further user info from the VOMS server(s). This info is returned in a structure containing also the credentials both of the user and of the VOMS server and its time validity. All these data are signed by the VOMS server itself. This structure is called “Attribute-Certificate” (or Pseudo-Certificate). Auth DB C=IT/O=INFN /L=CNAF /CN=Pinco Palla /CN=proxy VOMS pseudo- cert Authentication Request VOMS pseudo- cert

13 Security – January 15-16 2007 - 13 Evolution of VO management Before VOMS User is authorised as a member of a single VO All VO members have same rights Gridmapfiles are updated by VO management software: map the user’s DN to a local account grid-proxy-init VOMS User can be in multiple VOs Aggregate rights VO can have groups Different rights Nested groups VO has roles Assigned to specific purposes E,g. system admin, software manager Syncronous update of provilegies. User updated privileges are automatically known to sites VOMS-aware; the site holds only the roles to interpret and map capabilities exposed by user’s certificates (signed by VOMS) voms-proxy-init –voms lhcb:/lhcb/sgm VOMS – now in use on WLCG

14 Security – January 15-16 2007 - 14 LCAS, LCMAPS Local Centre Authorization Service (LCAS) Checks if the user is authorized (looking at Gridmap file) Checks if the user is banned by the VO (CRL) Checks if at that time window the user wants to access, the site accepts jobs Local Credential Mapping Service (LCMAPS) Maps grid credentials to local credentials (eg. UNIX uid/gid, AFS tokens, etc.): local fabric resources have any notion of grid-user Recent versions do use VOMS-aware plug-ins that map VOMS group and roles presented by the user via FQANs accordingly group-mapfile It uses the old grid-mapfile mechanism (based only on the certificate subject) as fall-back solution (whenever the FQANs is not found in the list of valid ones) or in certain Grid Services like SEs. "/VO=cms/GROUP=/cms".cms "/VO=cms/GROUP=/cms/prod".cmsprod "/VO=cms/GROUP=/cms/prod/ROLE=manager".cmsprodman

15 Security – January 15-16 2007 - 15 GSI environment variables User certificate files: Certificate:X509_USER_CERT (default: $HOME/.globus/usercert.pem ) Private key:X509_USER_KEY (default: $HOME/.globus/userkey.pem ) Proxy:X509_USER_PROXY (default: /tmp/x509up_u ) Host certificate files: Certificate:X509_HOST_CERT (default: /etc/grid-security/hostcert.pem ) Private key:X509_HOST_KEY (default: /etc/grid-security/hostkey.pem ) Trusted certification authority certificates: X509_CERT_DIR(default: /etc/grid-security/certificates ) Location of the grid-mapfile: GRIDMAP(default: /etc/grid-security/grid-mapfile )

16 Security – January 15-16 2007 - 16 Command line interface: certificate and proxy management Get information on a user certificate grid-cert-info[-help] [-file certfile] [OPTION]... Create a proxy certificate grid-proxy-init Destroy a proxy certificate grid-proxy-destroy Get information on a proxy certificate grid-proxy-info Create a voms-proxy and set as primary group the LHCb production and Role lcgadmin Voms-proxy-init –voms lhcb:/lhcb/lcgprod/ROLE=lcgadmin Retrieve information from a voms-proxy Voms-proxy-info –all

17 Security – January 15-16 2007 - 17 Long term proxy: myproxy Proxy has limited lifetime (default is 12 h) Bad idea to have longer proxy However, a grid task might need to use a proxy for a much longer time Grid jobs in HEP Data Challenges on LCG last up to 2 days myproxy server: Allows to create and store a long term proxy certificate: myproxy-init -s -s specifies the hostname of the myproxy server myproxy-info Get information about stored long living proxy myproxy-get-delegation Get a new proxy from the MyProxy server myproxy-destroy A service running continuously can renew automatically a proxy created from a long term use proxy and use it to interact with the Grid Examples: automatic job dispatchers (RB, DIRAC,gLite WMS) or data movers (FTS)

Download ppt "Security in WLCG/EGEE. Security – January 15-16 2007 - 2 Requirements Providers of resources (computers, storages, databases, services..) need risks to."

Similar presentations

Introduction of Grid Security

Introduction of Grid Security
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.
Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun. 2005 Ionut Constandache Daniel Olmedilla.

Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun Ionut Constandache Daniel Olmedilla.
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
Www.euchinagrid.org Liang ZHAO, PKU EUChinaGrid 3 rd Tutorial Nov.25, 2006 Authentication and Authorization in gLite Liang ZHAO Peking University.

Liang ZHAO, PKU EUChinaGrid 3 rd Tutorial Nov.25, 2006 Authentication and Authorization in gLite Liang ZHAO Peking University.
MyProxy: A Multi-Purpose Grid Authentication Service

MyProxy: A Multi-Purpose Grid Authentication Service
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.

Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.

Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.
Lecture 2: Security Rachana Ananthakrishnan Argonne National Lab.

Lecture 2: Security Rachana Ananthakrishnan Argonne National Lab.
Presentation Two: Grid Security Part Two: Grid Security A: Grid Security Infrastructure (GSI) B: PKI and X.509 certificates C: Proxy certificates D:

Presentation Two: Grid Security Part Two: Grid Security A: Grid Security Infrastructure (GSI) B: PKI and X.509 certificates C: Proxy certificates D:
Military Technical Academy Bucharest, 2006 GRID SECURITY INFRASTRUCTURE (GSI) - Globus Toolkit - ADINA RIPOSAN Department of Applied Informatics.

Military Technical Academy Bucharest, 2006 GRID SECURITY INFRASTRUCTURE (GSI) - Globus Toolkit - ADINA RIPOSAN Department of Applied Informatics.
Grid Security. Typical Grid Scenario Users Resources.

Grid Security. Typical Grid Scenario Users Resources.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
Security on Grid Roberto Barbera Univ. of Catania and INFN

Security on Grid Roberto Barbera Univ. of Catania and INFN
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org Security, Authorisation and Authentication Mike Mineter Training, Outreach and Education National.

INFSO-RI Enabling Grids for E-sciencE Security, Authorisation and Authentication Mike Mineter Training, Outreach and Education National.
Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.

Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.
FP6−2004−Infrastructures−6-SSA-026409 www.eu-eela.org E-infrastructure shared between Europe and Latin America Security on Grid: Emidio Giorgio INFN –

FP6−2004−Infrastructures−6-SSA E-infrastructure shared between Europe and Latin America Security on Grid: Emidio Giorgio INFN –
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org Claudio Cherubino, INFN Catania Grid Tutorial for users Merida, 27-29 April 2006 Authorization.

INFSO-RI Enabling Grids for E-sciencE Claudio Cherubino, INFN Catania Grid Tutorial for users Merida, April 2006 Authorization.

Similar presentations

Ads by Google