Security Mechanisms
The European DataGrid Project Team
http://www.eu-datagrid.org
Peter.Kunszt@cern.ch
Security Tutorial - n° 2 Summary
Security mechanisms of EDG
- Certificates
- Authentication/Authorization
- Overview of the authentication mechanism
- Registration and usage
- Service security now
- Service security in Web Services
Security Tutorial - n° 3 Security Certificates
The project software supports ~12 Certification Authorities from the various partners involved in the project
- http://marianne.in2p3.fr/datagrid/ca/ca-table-ca.html
For a machine to participate as a Testbed 1 resource, all the CAs must be enabled.
- all CA certificates can be installed without compromising local site security: trusting a CA only lets its certificate holders authenticate; whether they may use a node is still decided locally by the gridmap mapping (slide 20)
Each host running a Grid service needs to be able to authenticate users and other hosts
- the site manager has full control over security for local nodes
A Virtual Organisation represents a community of users
- 6 VOs: 4 HEP (ALICE, ATLAS, CMS, LHCb), 1 EO, 1 Biology
Usage guidelines, Account Registration
Security Tutorial - n° 4 Authentication/Authorization
Authentication (CA Working Group)
- 11 national certification authorities
- policies & procedures -> mutual trust
- users identified by CA's certificates
Authorization (Authorization Working Group)
- based on Virtual Organizations (VO)
- management tools for LDAP-based membership lists
- 6+1 Virtual Organizations
VOs: ALICE, ATLAS, CMS, LHCb, Earth Obs., Biomedical, Guidelines
CAs: CERN, CESNET, CNRS, DataGrid-ES, GridPP, Grid-Ireland, INFN, LIP, NIKHEF, NorduGrid, Russian DataGrid
Security Tutorial - n° 5-15 1. Authentication Overview
(one diagram, built up step by step over slides 5 to 15; actors: CA, VO-LDAP, user, service)
1. user: grid-cert-request -> cert-request, sent to the CA
2. CA: cert signing -> certificate, returned to the user
3. user: convert -> cert.pkcs12 (for the browser)
4. user -> VO-LDAP: registration
5. user: grid-proxy-init -> proxy-cert
6. service: grid-cert-request -> host-request, sent to the CA
7. CA: cert signing -> host-cert, returned to the service
8. CA -> service: ca-certificate and crl (cert/crl update)
9. VO-LDAP -> service: mkgridmap -> gridmap
10. user <-> service: host/proxy certs exchanged
Security Tutorial - n° 16 Certificate/Authentication
Obtaining a certificate from a CA (see http://marianne.in2p3.fr/datagrid/ca/ for the list of CAs)
new certificate: grid-cert-request
- new files in ~/.globus: usercert_request.pem, userkey.pem
mail the request to the appropriate CA (e.g. cern-globus-ca@cern.ch)
save the answer
- ~/.globus/usercert.pem
new proxy certificate: grid-proxy-init
- /tmp/x509up_u<uid>
-> You have a certificate signed by an EDG CA.
Security Tutorial - n° 17 Registration/Authorization
User registration in an EDG Virtual Organisation
convert your certificate:
- openssl pkcs12 -export -in ~/.globus/usercert.pem -inkey ~/.globus/userkey.pem -out user.p12 -name 'Joe Smith'
import your certificate into your browser
sign the usage guidelines: https://marianne.in2p3.fr/cgi-bin/datagrid/register/account.pl
ask for an account from your VO administrator by email
-> You are registered in the VO-LDAP server and have a user account.
Security Tutorial - n° 18 Usage
You must have a valid certificate from a trusted CA!
"login": grid-proxy-init
- short-lifetime certificate: 24 hours
- Enter PEM pass phrase: ...........................+++++....................................+++++
checking the proxy: grid-proxy-info -subject
- /O=Grid/O=CERN/OU=cern.ch/CN=Akos Frohner/CN=proxy
"logout": grid-proxy-destroy
-> use the grid services
Security Tutorial - n° 19 Signing a Request
Upon a certificate request from the user:
- checking the identity of the user (Registration Authority)
- signing the request and sending back the result
  openssl ca -in usercert_request.pem -out usercert.pem
- if something goes wrong: revocation of the certificate -> CRL
The certificates issued are described in the Certificate Policy (CP); the process is described in the Certification Practice Statement (CPS).
Security Tutorial - n° 20 Service
You must have the trusted CA certificates in files and the VO-LDAP server(s) URL configured.
registering a trusted CA
- /etc/grid-security/certificates: hashed cert, crl and url
generating a gridmap file: mkgridmap
- /etc/grid-security/gridmap: DN -> userid/gid mapping
generating a host/service certificate: grid-cert-request -host (see user certificates for the whole process)
Start the service!
Security Tutorial - n° 21 Testbed support within WP6
Authentication - mkgridmap tool: generate the gridmap file
Security Tutorial - n° 22 WMS secure architecture
(architecture diagram only; no text on the slide)
Security Tutorial - n° 23-29 Security Mechanism for Spitfire
(one diagram, built up step by step over slides 23 to 29)
Components: Servlet Container, SSLServletSocketFactory with a TrustManager, Security Servlet, Authorization Module, Translator Servlet, RDBMS Connection Pool.
Repositories: Trusted CAs, Revoked Certs repository, Role repository, Connection mappings.
Request flow, starting from an HTTP + SSL request with a client certificate:
1. TrustManager: Is the certificate signed by a trusted CA? (checked against the Trusted CAs) No -> reject
2. TrustManager: Has the certificate been revoked? (checked against the Revoked Certs repository) Yes -> reject
3. Security Servlet: Does the user specify a role? Yes -> use that role; No -> find the default role
4. Authorization Module: Role ok? (checked against the Role repository) No -> reject
5. Map role to connection id (Connection mappings)
6. Translator Servlet: request and connection id -> RDBMS Connection Pool
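The whole flow of slides 16 to 20 (request, signing, PKCS#12 conversion, proxy, hashed CA directory, CRL, gridmap) and the Spitfire decision chain of slides 23 to 29, as one added shell example that is not EDG or Spitfire code. It uses plain openssl(1) in a scratch directory in place of grid-cert-request, grid-proxy-init, grid-proxy-info and mkgridmap; the toy CA, the user DN, the file names, the grid-mapfile contents and the role and connection tables are all constructed for the example.

```shell
#!/bin/sh
# Added example (not EDG code): the user/CA/service flow of these slides rebuilt with
# plain openssl(1) in a scratch directory; grid-cert-request, grid-proxy-init, grid-proxy-info
# and mkgridmap are stood in for by openssl commands and shell functions. Everything is constructed.
set -eu
W="${EDG_TOY_DIR:-$(mktemp -d)}"; CA="$W/ca"; CERTS="$W/certificates"; U="$W/user"
mkdir -p "$CA/newcerts" "$CERTS" "$U"
: > "$CA/index.txt"; echo 01 > "$CA/serial"; echo 01 > "$CA/crlnumber"
USER_DN="/O=Grid/O=CERN/OU=cern.ch/CN=Joe Smith"   # constructed, in the slide-18 format
USER_PASS="pass:joe-secret"                        # the "PEM pass phrase" of slide 18
PROXY="$U/x509up_u1000"                            # grid-proxy-init writes /tmp/x509up_u<uid>
ossl() { openssl "$@" 2>/dev/null; }
# Minimal ca(1) configuration so 'openssl ca', '-revoke' and '-gencrl' work offline.
cat > "$CA/openssl.cnf" <<EOF
[ ca ]
default_ca = toy
[ toy ]
dir = $CA
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
private_key = \$dir/cakey.pem
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 7
policy = edg_policy
[ edg_policy ]
organizationName = optional
organizationalUnitName = optional
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
# CA (slide 19): self-signed CA certificate; requests are then signed with 'openssl ca'.
ossl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$CA/openssl.cnf" \
  -subj "/O=Grid/O=ToyCA/CN=toy-edg CA" -keyout "$CA/cakey.pem" -out "$CA/cacert.pem"
# User (slide 16): grid-cert-request makes a passphrase-protected key and a request.
ossl req -new -newkey rsa:2048 -passout "$USER_PASS" -config "$CA/openssl.cnf" \
  -subj "$USER_DN" -keyout "$U/userkey.pem" -out "$U/usercert_request.pem"
ossl ca -batch -notext -config "$CA/openssl.cnf" -in "$U/usercert_request.pem" -out "$U/usercert.pem"
# Slide 17: PKCS#12 bundle for the browser import during VO registration.
ossl pkcs12 -export -in "$U/usercert.pem" -inkey "$U/userkey.pem" -passin "$USER_PASS" \
  -passout pass:export-secret -name "Joe Smith" -out "$U/user.p12"
# grid-proxy-init (slide 18): 24-hour cert signed by the user's own key, subject = user DN + "/CN=proxy".
# Its key is unencrypted (unattended use), which is why the lifetime is short.
ossl req -new -newkey rsa:2048 -nodes -config "$CA/openssl.cnf" \
  -subj "$USER_DN/CN=proxy" -keyout "$U/proxykey.pem" -out "$U/proxy_req.pem"
ossl x509 -req -days 1 -in "$U/proxy_req.pem" -CA "$U/usercert.pem" -CAkey "$U/userkey.pem" \
  -passin "$USER_PASS" -CAcreateserial -out "$PROXY"
subject_of() { ossl x509 -noout -subject -nameopt compat -in "$1" | sed 's/^subject= *//'; }
proxy_subject() { subject_of "$PROXY"; }                 # ~ grid-proxy-info -subject
proxy_is_short_lived() {                                 # valid for more than 23 h but less than 25 h
  if ossl x509 -noout -checkend 82800 -in "$PROXY" >/dev/null &&
     ! ossl x509 -noout -checkend 90000 -in "$PROXY" >/dev/null; then echo yes; else echo no; fi
}
# Service (slide 20): /etc/grid-security/certificates holds <hash>.0 (CA) and <hash>.r0 (CRL).
install_ca() {
  h=$(ossl x509 -noout -subject_hash -in "$CA/cacert.pem")
  cp "$CA/cacert.pem" "$CERTS/$h.0"
  ossl ca -config "$CA/openssl.cnf" -gencrl -out "$CERTS/$h.r0"
}
verify_cert() {   # the TrustManager questions (slides 24/25): trusted CA? not revoked?
  if openssl verify -CApath "$CERTS" -crl_check "$1" 2>&1 | grep -q ': OK$'; then echo OK; else echo FAIL; fi
}
revoke_cert() { ossl ca -config "$CA/openssl.cnf" -revoke "$1"; install_ca; }   # slide 19: -> CRL
# mkgridmap output, DN -> local account. Services see the proxy, so the CN=proxy
# components GSI appends are stripped before the user DN is looked up.
printf '"%s" cms001\n"/O=Grid/O=CERN/OU=cern.ch/CN=Akos Frohner" atlas007\n' "$USER_DN" > "$W/grid-mapfile"
gridmap_lookup() {
  bare=$(printf '%s' "$1" | sed 's#/CN=\(limited \)\{0,1\}proxy##g')
  awk -F'"' -v dn="$bare" '$2 == dn { split($3, a, " "); print a[1]; exit }' "$W/grid-mapfile"
}
# Spitfire (slides 23-29): accepted cert, then explicit role or the DN's default, checked, mapped.
printf '"%s" reader writer\n' "$USER_DN" > "$W/roles"; printf 'reader conn-ro\nwriter conn-rw\n' > "$W/connections"
spitfire_authorize() {   # args: client certificate file, optional role; prints the decision
  [ "$(verify_cert "$1")" = OK ] || { echo "deny: certificate not trusted or revoked"; return 0; }
  dn=$(subject_of "$1"); role=${2:-}
  allowed=$(awk -F'"' -v dn="$dn" '$2 == dn { sub(/^ +/, "", $3); print $3; exit }' "$W/roles")
  [ -n "$allowed" ] || { echo "deny: no roles for $dn"; return 0; }
  [ -n "$role" ] || role=${allowed%% *}                  # "Find default": first role listed
  case " $allowed " in *" $role "*) ;; *) echo "deny: role $role not allowed for $dn"; return 0;; esac
  echo "allow: $(awk -v r="$role" '$1 == r { print $2 }' "$W/connections")"
}
install_ca
BEFORE_REVOKE=$(verify_cert "$U/usercert.pem")              # OK
AUTHZ_DEFAULT=$(spitfire_authorize "$U/usercert.pem")       # allow: conn-ro
AUTHZ_ADMIN=$(spitfire_authorize "$U/usercert.pem" admin)   # deny: role admin not allowed for ...
revoke_cert "$U/usercert.pem"
AFTER_REVOKE=$(verify_cert "$U/usercert.pem")               # FAIL: the fresh CRL lists the cert
AUTHZ_REVOKED=$(spitfire_authorize "$U/usercert.pem")       # deny: certificate not trusted or revoked
echo "proxy $(proxy_subject) short-lived=$(proxy_is_short_lived) -> $(gridmap_lookup "$(proxy_subject)")"
```

Two caveats a site manager would want. The proxy built here is the legacy GSI form of slide 18 (user DN plus /CN=proxy, no proxyCertInfo extension), so plain `openssl verify` cannot chain it; GSI's own library does that check, and the proxy key file must stay mode 0600 because it is unencrypted. The "cert/crl update" step of the overview diagram is what keeps `<hash>.r0` current: once a CRL's nextUpdate has passed, `openssl verify -crl_check` fails for every certificate of that CA, not just the revoked ones, so the update must run on a schedule shorter than the CRL validity.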
Security Tutorial - n° 30 Further Information