Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Mechanisms The European DataGrid Project Team

Published byMelanie Harmon Modified over 8 years ago

Similar presentations

Presentation on theme: "Security Mechanisms The European DataGrid Project Team"— Presentation transcript:

1 Security Mechanisms The European DataGrid Project Team http://www.eu-datagrid.org

2 Security Tutorial - n° 2 Overview  User side n Getting a certificate n Becoming a member of the VO  Server side n Authentication / CA n Authorization / VO (with some examples)

3 Security Tutorial - n° 3 Authentication/Authorization  Authentication (CA Working Group) n 16 national certification authorities + CrossGrid CAs n policies & procedures  mutual trust n users identified by CA’s certificates  Authorization (Authorization Working Group) n Based on Virtual Organizations (VO). n Management tools for VO membership lists. n 6+2 Virtual Organizations VO’s ALICEEarth Obs. ATLASBiomedical CMSTestbed LHCbTutorial CA’s CERN CESNET CNRS (3) GermanGrid Grid-Ireland INFN NIKHEF NorduGrid LIP Russian DataGrid DATAGRID-ES GridPP US–DOE Root CA US-DOE Sub CA CrossGrid (*)

4 Security Tutorial - n° 4 Authentication Overview CA VO user service

5 Security Tutorial - n° 5 Certificate Request CA VO user service cert-request grid-cert-request once in every two-three years

6 Security Tutorial - n° 6 Requesting a Certificate  grid-cert-request A certificate request and private key is being created. [...] Using configuration from /usr/local/grid/globus/etc/globus-user-ssleay.conf Generating a 1024 bit RSA private key [...] A private key and a certificate request has been generated with the subject: /O=Grid/O=CERN/OU=cern.ch/CN=Akos Frohner [...] Your private key is stored in.../.globus/userkey.pem Your request is stored in.../.globus/usercert_request.pem Please e-mail the certificate request to the CERN CA cat.../.globus/usercert_request.pem | mail cern-globus-ca@cern.ch Your certificate will be mailed to you within two working days.

7 Security Tutorial - n° 7 Certificate Signing CA VO user service cert-request grid-cert-request certificate cert signing

8 Security Tutorial - n° 8 Preparation for Registration CA VO user service cert.pkcs12 convert cert-request grid-cert-request certificate cert signing

9 Security Tutorial - n° 9 Registration/Authorization User registration in an EDG Virtual Organisation  convert your certificate: n openssl pkcs12 –export –in ~/.globus/usercert.pem –inkey ~/.globus/userkey.pem –out user.p12 –name ’Joe Smith’  import your certificate in your browser  sign the usage guidelines: https://marianne.in2p3.fr/cgi-bin/datagrid/register/account.pl https://marianne.in2p3.fr/cgi-bin/datagrid/register/account.pl  ask an account from your VO administrator by email -> You are registered in the VO-LDAP server and have a user account.

10 Security Tutorial - n° 10 Registration CA VO user service registration cert.pkcs12 convert cert-request grid-cert-request certificate cert signing Usage guidelines Account Registration once for the lifetime of the VO – you may change the certificate keys!

11 Security Tutorial - n° 11 Starting a Session CA VO user service proxy-cert grid-proxy-init registration cert.pkcs12 convert cert-request grid-cert-request certificate cert signing every 12/24 hours

12 Security Tutorial - n° 12 Usage You must have a valid certificate from a trusted CA!  „login”: grid-proxy-init short lifetime certificate: 24 hours Enter PEM pass phrase:...........................+++++....................................+++++  checking the proxy: grid-proxy-info -subject /O=Grid/O=CERN/OU=cern.ch/CN=Akos Frohner/CN=proxy  „logout”: grid-proxy-destroy -> use the grid services

13 Security Tutorial - n° 13 Certificate Request for a Host CA VO user service proxy-cert grid-proxy-init registration cert.pkcs12 convert cert-request grid-cert-request certificate cert signing host-request grid-cert-request once in every two-three years

14 Security Tutorial - n° 14 Signing the Certificate CA VO user service proxy-cert grid-proxy-init registration cert.pkcs12 convert cert-request grid-cert-request certificate cert signing host-cert cert signing host-request grid-cert-request

15 Security Tutorial - n° 15 Configuration on the Server CA VO-LDAP user service proxy-cert grid-proxy-init registration cert.pkcs12 convert cert-request grid-cert-request certificate cert signing host-cert cert signing host-request grid-cert-request ca-certificate crl cert/crl update automatically updated every night/week

16 Security Tutorial - n° 16 Authorization Information CA VO-LDAP user service proxy-cert grid-proxy-init registration cert.pkcs12 convert cert-request grid-cert-request certificate cert signing host-cert cert signing gridmap mkgridmap host-request grid-cert-request ca-certificate crl cert/crl update automatically updated every night/week

17 Security Tutorial - n° 17 Using a Service CA VO-LDAP user service proxy-cert grid-proxy-init registration cert.pkcs12 convert cert-request grid-cert-request certificate cert signing host-cert cert signing gridmap mkgridmap host/proxy certs exchanged host-request grid-cert-request ca-certificate crl cert/crl update

18 Security Tutorial - n° 18 Summary Obtaining a certificate from a CA see http://marianne.in2p3.fr/datagrid/ca/ for CAshttp://marianne.in2p3.fr/datagrid/ca/  new certificate: grid-cert-request n new files in ~/.globus: usercert_request.pem userkey.pem  mail it to the appropriate CA (e.g. cern-globus-ca@cern.ch)cern-globus-ca@cern.ch  save the answer n ~/.globus/usercert.pem  new proxy certificate: grid-proxy-init n /tmp/x509up_u -> You have a certificate signed by an EDG CA.

19 Security Tutorial - n° 19 Further Information Grid  EDG CAs: http://marianne.in2p3.fr/datagrid/cahttp://marianne.in2p3.fr/datagrid/ca  Globus Security: http://www.globus.org/security/http://www.globus.org/security/  EDG WP2: http://grid-data-management.web.cern.ch/grid-data- management/security/http://grid-data-management.web.cern.ch/grid-data- management/security/  EDG D7.5: http://edms.cern.ch/document/340234http://edms.cern.ch/document/340234 Background  GGF Security: http://www.gridforum.org/security/http://www.gridforum.org/security/  GSS-API: http://www.faqs.org/faqs/kerberos-faq/general/section- 84.htmlhttp://www.faqs.org/faqs/kerberos-faq/general/section- 84.html  IETF PKIX charter: http://www.ietf.org/html.charters/pkix- charter.htmlhttp://www.ietf.org/html.charters/pkix- charter.html  PKCS: http://www.rsasecurity.com/rsalabs/pkcs/index.htmlhttp://www.rsasecurity.com/rsalabs/pkcs/index.html

Download ppt "Security Mechanisms The European DataGrid Project Team"

Similar presentations

Introduction of Grid Security

Introduction of Grid Security
22-Apr-02D.P.Kelsey, Security, UKHEP Sysman1 Grid Security 22 Apr 2002 UK HEP Sysman Meeting David Kelsey CLRC/RAL, UK

22-Apr-02D.P.Kelsey, Security, UKHEP Sysman1 Grid Security 22 Apr 2002 UK HEP Sysman Meeting David Kelsey CLRC/RAL, UK
MyProxy: A Multi-Purpose Grid Authentication Service

MyProxy: A Multi-Purpose Grid Authentication Service
Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester

Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester
National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.

National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.
DGC Paris 4.03.02 Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.

DGC Paris Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.
Grid Security Overview The Globus Project™ Copyright (c) 2002 University of Chicago and The University of Southern California. All.

Grid Security Overview The Globus Project™ Copyright (c) 2002 University of Chicago and The University of Southern California. All.
30-Jan-03D.P.Kelsey, GridPP Security1 Security GridPP6 30 Jan 2003 Coseners House David Kelsey CLRC/RAL, UK

30-Jan-03D.P.Kelsey, GridPP Security1 Security GridPP6 30 Jan 2003 Coseners House David Kelsey CLRC/RAL, UK
1c.1 Assignment 2 Preliminaries Review Full details in assignment write-up. ITCS 4146/5146 Grid Computing, 2007, UNC-Charlotte, B. Wilkinson. Jan 24, 2007.

1c.1 Assignment 2 Preliminaries Review Full details in assignment write-up. ITCS 4146/5146 Grid Computing, 2007, UNC-Charlotte, B. Wilkinson. Jan 24, 2007.
Summer School Certificates Diego Romano & Gilda Team.

Summer School Certificates Diego Romano & Gilda Team.
Security Mechanisms The European DataGrid Project Team

Security Mechanisms The European DataGrid Project Team
1c.1 Assignment 2 Preliminaries Review (Full details in assignment write-up.)‏ © 2011 B. Wilkinson/Clayton Ferner. Fall 2011 Grid computing course. Modification.

1c.1 Assignment 2 Preliminaries Review (Full details in assignment write-up.)‏ © 2011 B. Wilkinson/Clayton Ferner. Fall 2011 Grid computing course. Modification.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org Practicals on VOMS and MyProxy Emidio Giorgio INFN Retreat between GILDA and ESR VO, Bratislava,

INFSO-RI Enabling Grids for E-sciencE Practicals on VOMS and MyProxy Emidio Giorgio INFN Retreat between GILDA and ESR VO, Bratislava,
12-May-03D.P.Kelsey, SCG Online Authentication1 Online Authentication SCG Meeting EDG Barcelona, 12 May 2003 David Kelsey CCLRC/RAL, UK

12-May-03D.P.Kelsey, SCG Online Authentication1 Online Authentication SCG Meeting EDG Barcelona, 12 May 2003 David Kelsey CCLRC/RAL, UK
Ákos FROHNER – DataGrid Security Requirements- 2002-04-09 - n° 1 Security Group D7.5 Document and Open Issues

Ákos FROHNER – DataGrid Security Requirements n° 1 Security Group D7.5 Document and Open Issues
DataGrid WP6 CA meeting, CERN, 12 December 2002 IISAS Certification Authority Jan Astalos Department of Parallel and Distributed Computing Institute of.

DataGrid WP6 CA meeting, CERN, 12 December 2002 IISAS Certification Authority Jan Astalos Department of Parallel and Distributed Computing Institute of.
DOE Grids New subordinate CP/CPS v2.3 New subordinate CP/CPS v2.3 New name DOEGrids.org New name DOEGrids.org Old name DOESciencegrid.org Old name DOESciencegrid.org.

DOE Grids New subordinate CP/CPS v2.3 New subordinate CP/CPS v2.3 New name DOEGrids.org New name DOEGrids.org Old name DOESciencegrid.org Old name DOESciencegrid.org.
EDG Security European DataGrid Project Security Coordination Group

EDG Security European DataGrid Project Security Coordination Group
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org How to join GILDA Riccardo Bruno INFN gLite Tutorial at the First EGEE User Forum CERN, 27-28.02.2006.

INFSO-RI Enabling Grids for E-sciencE How to join GILDA Riccardo Bruno INFN gLite Tutorial at the First EGEE User Forum CERN,
Association with the Gilda Virtual Organization Certificate,VO membership, and MyProxy Server usage.

Association with the Gilda Virtual Organization Certificate,VO membership, and MyProxy Server usage.

Similar presentations

Ads by Google