Download presentation
Presentation is loading. Please wait.
Published byBrianna McCarthy Modified over 9 years ago
1
OSG Area Coordinators Meeting Security Team Report Mine Altunay 01/29/2014
2
Key Initiatives Traceability for Certificate-Free Jobs – Working with GLOW. Finished a first pass at evaluating the Glow VO. – Only 3 submit nodes are managed by Glow. The rest is managed by individual PIs. – Issues: Have concerns over how well the PIs are managing security of their own nodes. Also it is not scalable to evaluate every single PI. Concerned about jobs submitted from the PI-managed nodes. Currently, they run at OSG sites other than Fermi. If anything goes wrong, will the PI be able to find the user and take action? Could Glow trace jobs back to a PI? We want to do an incident drill to check all of this. – Will initially allow only Glow managed submit nodes to submit certificate-free jobs. – Will think about PI managed nodes later. Need to consult with Fermilab security
3
Key Initiatives Reducing the number of Worker Node Certs – New initiative to analyze and reduce the number of worker node certificates. Glexec-gums authentication no longer requires a worker node cert. Hope to reduce certificate number by asking sites to use the new glexec. Got the breakdown of all host certs issued by OSG CA from OIM – 5000 total host certs (All numbers are rounded) – Fermi CMS Tier 1 as 1500 host certs – FermiCloud has 1000 host certs – Wisc Tier 2 has 500 host certs – The rest of the sites has anywhere between 20-50.
4
Key Initiatives Why some sites need so many certs: – Fermi CMS Tier 1 needed for the glexec requirement. They already siwtched to new glexec and will need only 500 certs for gridftp servers – FermiCloud needs it for each VM they have. They will continue to have this many certs – Wisc needs it for gridftp servers. We thought glexec requirement was the major reason for worker node certs. In fact only one site CMS tier 1 affected by that and they took action to reduce it. Gridftp servers seem to be the biggest cause now for the high number of certs. We have no more action items on this project. We also invite your help to understand why so many gridftp servers are needed on a site.
5
Key Initiatives OSG IdP and OSGConnect integration – Getting OSG users easily onboard with the OSGConnect project – OSG users will authenticate with OIM and take the authentication result to OSGConnect to prove their identity – Need an OSG IdP. – Soichi created a prototype and demonstrated that it works. – Security team evaluated the OSGConnect registration workflow and designed the interaction between OSG and OSGConnect. – Security team gave approval to move the prototype into production. The work will proceed according to GOC/Production calendar. On a separate note: while evaluating the OSGConnect registration workflow, we identified that we have to evaluate their job submission system and ensure that they have traceability and operational security in the system. The end users appear to log into the system via ssh username/passwd. We already requested restricted resource access for such users.
6
Key Initiatives Certificate-free access to storage – Very excited to start the work. – Goal is to do the same thing we did for the job submission. Access data without end user certs in a secure manner – In early stages but have some promising potential. – Almost all VOs have group-based access to data. A pilot can be assigned to each group to access on group’s behalf. While the jobs are running, pilot can access data securely. – The more problematic part is how to move the data to local storage once the analysis jobs are finished. – Working with storage experts to understand the technology and VO needs. – Significantly affect the identity management roadmap
7
CILogon Basic CA adoption Has been on the back burner because we give priority to certificate-free access. So far 6 sites accept these certificates: FNAL, BNL, Purdue, Wisconsin, sprace, UNL. These sites provide %40 to %45 of used wall clock time in OSG.
8
Other notable work items Continuing training for new VOs Security presentation at Hepix. Paper accepted at ISGC on our traceability work. Will submit a full paper. Operational security: – NTP DDOS attacks. Evaluated perfSonar security and sent out an announcement. – Evaluated changes to OASIS service. Will conduct a incident drill with GOC. Goal: how do we react if one of the nodes have compromised data?
9
Operational Security 1.Vulnerabilities: Many OSG resources have Java 6 running. No patches available for Java 6. Will ask sites to upgrade to Java 7. 2.SHA-2 transition is starting on Dec 1 st. CA will start issuing new SHA-2 compliant certificates after this date. 1.CMS is not ready to make the transition. Dcache problems with SHA-2. They need time to upgrade dcache. 2.CERN CA is not likely to make the transition soon. VOMRS does not work with SHA-2 certs. Until VOMRS is replaced by VOMS Admin 3.Security Controls and Assessment was completed. Now we are looking at the results and identify services/operations that need better security.
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.