
(Exchange Programme to advance e-Infrastructure Know-How) The EPIKH Project Hailong Yang


1 www.epikh.eu (Exchange Programme to advance e-Infrastructure Know-How) The EPIKH Project. Hailong Yang (hailong.yang@jsi.buaa.edu.cn), Sino-German Joint Software Institute, Beihang University. Beijing/China, Asian 3 2011 – Joint CHAIN / EPIKH School for Application Porting. gLite Security.

2 www.eu-eela.eu Beijing/China, Asian 3 2011 Joint-CHAIN/EPIKH School for Application Porting, 19.5.2011. This presentation is based on the presentations from previous EPIKH schools. Thanks to all of them.

3 Outline. Authentication and authorization: – Security tips. – User authentication. – Host authentication. – VO views. – Job authentication. – Proxies. – Delegation proxies. – Other grid services.

4 GRID authentication. It is based on X.509, that is, on a PKI (Public Key Infrastructure). Hosts, users and services use certificates to authenticate and to encrypt messages. These digital certificates are signed by a CA (Certification Authority): a third party that guarantees the correspondence between a digital certificate and the identity of its owner.

5 Authentication: the challenge. Authentication protocol: a user wants to authenticate a server before sending data to it. 1. The server sends its certificate (public key). 2. The user verifies the CA signature on it. 3. The user generates a random token and sends it to the server. 4. The server encrypts the token with its private key and sends it back to the user. 5. The user decrypts it with the server's public key and compares both tokens. Are they the same? SECURITY OF YOUR PRIVATE KEY IS VERY IMPORTANT. (Diagram: server and user exchange; server's certificate, CA signature verification, random token, token encrypted with the server's private key, decryption with the server's public key, comparison with the original.)

6 Properties: integrity and encryption. Integrity: the message is not modified on an unsafe transfer medium. – This property is provided by the hash. Encryption: messages sent over an unsafe medium are not readable; only the private key owner can read the message. – This property is provided by the encryption algorithm.

7 User authentication. You get your digital certificate from a CA. It has a lifetime of one year; you can renew it. Directory: $HOME/.globus/. Two files: – Certificate (public key): usercert.pem with 644 rights. It contains the issuer (the CA), the subject (the owner of the certificate), the CA digital signature and the expiry date. – Private key: userkey.pem with 400 rights. Have you got your digital certificate?
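A check for the $HOME/.globus layout and rights of slide 7, added here as an example that is not part of the original slides. It assumes a Linux host with GNU stat and find; the directory is a parameter so it can be pointed at a test copy, and the expiry helper is only meaningful on a real PEM certificate.

```bash
#!/usr/bin/env bash
# Added example (not from the slides): verify usercert.pem (644) and
# userkey.pem (400) exist with the rights stated on slide 7.

# Returns 0 if both files exist with exactly the expected mode bits;
# otherwise prints what is wrong and returns 1.
check_globus_creds() {            # usage: check_globus_creds [dir]
  local dir=${1:-$HOME/.globus} ok=0
  local f mode want
  for f in usercert.pem:644 userkey.pem:400; do
    want=${f#*:}; f=${f%%:*}
    if [ ! -f "$dir/$f" ]; then
      echo "missing: $dir/$f"; ok=1; continue
    fi
    mode=$(stat -c %a "$dir/$f")
    if [ "$mode" != "$want" ]; then
      echo "$dir/$f has mode $mode, expected $want"; ok=1
    fi
  done
  # Independent check of the security-critical bit: the private key must
  # not be readable by group or others whatever the exact mode is.
  if [ -f "$dir/userkey.pem" ] && [ -n "$(find "$dir/userkey.pem" -perm /077)" ]; then
    echo "$dir/userkey.pem is readable by group or others"; ok=1
  fi
  return $ok
}

# Returns 0 when the certificate (issued for one year) expires within the
# given number of seconds (default 30 days), 2 if openssl is not installed.
# Assumes <certfile> is a valid PEM certificate.
cert_expires_soon() {             # usage: cert_expires_soon <certfile> [seconds]
  command -v openssl >/dev/null || return 2
  ! openssl x509 -in "$1" -noout -checkend "${2:-2592000}" >/dev/null 2>&1
}
```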

8 Useful commands. – Obtaining my certificate: openssl pkcs12 -clcerts -nokeys -in -out usercert.pem – Obtaining my private key: openssl pkcs12 -nocerts -in -out userkey.pem – Obtaining a p12 file from the private key and certificate pem files: openssl pkcs12 -export -in usercert.pem -inkey userkey.pem -out my_cert.p12 -name 'My Name' – Viewing my certificate in plain text: openssl x509 -inform pem -in -text

9 Host basic authentication. Host authentication: – Directory /etc/grid-security/ – Files: hostkey.pem with 400 rights; hostcert.pem with 644 rights. Not all GRID hosts need authentication.

10 VO view. A VO (Virtual Organization) is conceived as a group of users. It is a method to control access to resources and to account for their use inside the GRID. These rights are based on an ACL (Access Control List) system. It is mandatory to be a member of one.

11 VOMS Service. It is a service that manages VOs and user membership. This service authorizes users to use roles and GRID resources. A VOMS server has four parts: – User client: requests information about the roles and rights of a user; it has to send the user certificate. – User server: answers the user client's information requests. – Administration client. – Administration server.

12 VOMS Service. There is a mapping between users and VO: – It is described in /etc/grid-security/grid-mapfile, for example "/O=EelaGrid/O=users/O=mief/CN=My name and surname" e2gris1. There is another mapping between VO, role, capability and Unix user: – It is described in /etc/grid-security/voms-grid-mapfile, for example /eela/Role=lcgadmin/Capability="NULL" eelasgm.
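A resolver for the two mappings of slide 12, added here as an example that is not part of the original slides: it takes the DN and VOMS attributes a proxy carries and returns the local Unix account. The mapfile contents are constructed in the formats shown on the slide, and the lookup order (VOMS attribute first, then plain DN) is this example's own policy, not something the slide states.

```bash
#!/usr/bin/env bash
# Added example (not from the slides): constructed grid-mapfile and
# voms-grid-mapfile in the slide 12 format, plus a lookup over them.

GRIDMAP=$(mktemp); VOMSMAP=$(mktemp)
cat > "$GRIDMAP" <<'EOF'
"/O=EelaGrid/O=users/O=mief/CN=My name and surname" e2gris1
EOF
cat > "$VOMSMAP" <<'EOF'
/eela/Role=lcgadmin/Capability="NULL" eelasgm
"/eela/Role=NULL/Capability=NULL" eelauser
EOF

# Canonical form of a key: drop quotes and the Role=NULL / Capability=NULL
# components, so that equivalent spellings of the same FQAN compare equal.
canon() {
  local s=$1
  s=${s//\"/}
  s=${s%/Capability=NULL}
  s=${s%/Role=NULL}
  printf '%s' "$s"
}

# lookup <mapfile> <key>: print the account mapped to <key>; return 1 if none.
# A line is "<key> <account>"; the key may be quoted and may contain spaces.
lookup() {
  local file=$1 key line entry acct
  key=$(canon "$2")
  while IFS= read -r line; do
    [ -z "$line" ] && continue
    acct=${line##* }                   # last word is the account
    entry=${line% *}                   # everything before it is the key
    [ "$(canon "$entry")" = "$key" ] && { printf '%s\n' "$acct"; return 0; }
  done < "$file"
  return 1
}

# resolve_account <DN> [FQAN...]: the proxy carries the user's DN and, after
# voms-proxy-init, the VO attributes; try the attributes first, then the DN.
resolve_account() {
  local dn=$1 fqan; shift
  for fqan in "$@"; do lookup "$VOMSMAP" "$fqan" && return 0; done
  lookup "$GRIDMAP" "$dn"
}
```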

13 Jobs authentication. Jobs need to interact with services, for example to transfer a file from the SE to the WN. A job needs to prove that it is authorized to use the resource, so it needs the same privileges as its user. But jobs run where the user's private key is not available on the local machine, and we do not want our private key to travel over an unsafe medium.

14 Jobs authentication. Users have to delegate their identity to their jobs. A new certificate and private key are generated and signed with the user's private key. The job needs this certificate, this private key and the user certificate. When a job needs to authenticate, it sends both certificates. The lifetime of the new certificate is short (default 12 hours).

15 Proxy commands. The new certificate, the new private key and the user certificate together are called a proxy. We have to create a proxy to launch our jobs. How? Useful commands: – voms-proxy-init --voms: create a proxy for your jobs as a member of a VO; authentication and authorization are included in this command. – voms-proxy-destroy: destroy our proxy. – voms-proxy-info [--all]: obtain information about our proxy.

16 Delegation proxies. Proxies are valid for a short time. If my job runs for a long time, what can I do? The solution in the GRID is to delegate our proxy so that all services can access it and authenticate our jobs. Other advantages: – It helps to transfer large files. – Your proxy is stored on a safe server, protected by a password. The safe server is called the MyProxy server or PX server.

17 Delegation. Delegation = remote creation (second level) of a proxy certificate. – A new key pair is generated remotely on the server. – The client signs the proxy certificate and returns it. It allows remote processes to be authenticated in the user's name: the remote process "impersonates" the user.

18 Delegation proxy commands. – myproxy-init [-d]: create a proxy and store it on the PX server. – myproxy-info: obtain information about the stored proxy. – myproxy-store: store credentials to run; the user certificate is included. – myproxy-retrieve: get our proxy. – myproxy-destroy: destroy our proxy. – myproxy-get-delegation: get a new proxy from the MyProxy server.

19 Other grid services. Information services: no authentication is required (lcg-infosites and lcg-info). Data Management Service: authentication and authorization are required (lfc-chmod, lfc-getacl, lfc-setacl commands). Safe or unsafe file transfer protocols.

20 Remember. You need a digital certificate and you need to be a member of a VO. Keep your private key safe! Proxy commands voms-*: to manage proxies. MyProxy commands myproxy-*: to delegate proxies.

21 Questions …

