LCG/EGEE Security Update HEPiX, Fall 2004 BNL, 18 October 2004 David Kelsey CCLRC/RAL, UK


1 LCG/EGEE Security Update
HEPiX, Fall 2004, BNL, 18 October 2004
David Kelsey, CCLRC/RAL, UK
d.p.kelsey@rl.ac.uk

2 Outline
(Slide footer on this and the following slides: 18-Oct-04, David Kelsey, LCG/EGEE Security, HEPiX)
Update since October 2003 (Vancouver HEPiX)
- Introduction
- Policy
- Procedures & Operations
- Technology
- Future work

3 Introduction: LCG & EGEE

4 LCG today

5 The next generation of grids: EGEE
(Slide taken from AHM2004, Nottingham, September 2004)
Enabling Grids for E-science in Europe
Build a large-scale production grid service to:
- Underpin European science and technology
- Link with and build on national, regional and international initiatives
- Foster international cooperation both in the creation and the use of the e-infrastructure
Figure labels: Network infrastructure (GÉANT); Operations, Support and training; Collaboration; Pan-European Grid

6 EGEE Activities
- 48% service activities (Grid Operations, Support and Management, Network Resource Provision)
- 24% middleware re-engineering (Quality Assurance, Security, Network Services Development)
- 28% networking (Management, Dissemination and Outreach, User Training and Education, Application Identification and Support, Policy and International Cooperation)
32 Million Euros EU funding over 2 years starting 1st April 2004
Emphasis in EGEE is on operating a production grid and supporting the end-users

7 Security Activities in EGEE (LCG)
Diagram labels: JRA3 (Security), JRA1 (Middleware), NA4 (Applications), SA1 (Operations); Middleware Security Group; Joint Security Policy Group; NA4 sends requirements and receives solutions/recommendations; CA Coordination; OSG; LCG; OSCT
- The "Joint Security Policy Group" defines policy and procedures and inputs requirements to the MWSG (for LCG/GDB and EGEE/SA1)
- Cross membership with the US OSG Security Team

8 Security Policy

9 LCG Security Policy
During 2003/04, the LCG project agreed a first version of its Security Policy
- Written by the Joint Security Policy Group
- Approved by the Grid Deployment Board/PEB
A single common policy for the whole project
- But does not override local policies
An important step forward for a production Grid
The policy
- Defines the Attitude of the project towards security and availability
- Gives Authority for defined actions
- Puts Responsibilities on individuals and bodies
Now being used by EGEE and (some) national Grids

10 LCG Policy (document tree; picture from Ian Neilson)
Security & Availability Policy, with the supporting documents:
- Usage Rules
- Certification Authorities
- Audit Requirements
- GOC Guides
- Incident Response
- User Registration & VO Management
- Application Development & Network Admin Guide
Some of these are marked on the slide as new since Oct 2003.
http://cern.ch/proj-lcg-security/documents.html

11 Security Procedures & Operations

12 Security Procedures
Incident Response
- Open Science Grid leading this area
- See talks in Friday morning's Operations session
LCG/EGEE Operational Security
- Operational Security Coordination Team (OSCT)
- Again: see Friday's talk
User Registration & VO Management
- Requirements for the 4 LHC Experiments
- Presented at the May 2004 (Edinburgh) HEPiX (M. Dimou)

13 User Registration and VO Membership Management
Requirements document (V2.7)
- https://edms.cern.ch/document/428034
- Approved by the GDB in May 2004
Task force created to propose the solution
- Many discussions with CERN HR, User Office, Experiment Secretariats, VO managers, ...
Recent meeting at CERN
- 15-17 September 2004, http://cern.ch/dimou/lcg/registrar/TF/meetings/2004-09-15/
- Technical solution now agreed

14 User Registration (1)
Every user (4 LHC experiments) must register in the CERN HR database first
- Already true for the majority
- Advantages of using existing procedures: no duplication of effort or of personal data
- External users (e.g. people never coming to CERN) and short-term users (e.g. external summer students) need a simple, speedy and robust procedure
- Non-VO people, e.g. testers or experiment-independent people, must register in CERN HR (e.g. via LCG/IT)
Eventual aim is to use the experiment participation end-date in CERN HR to trigger immediate suspension from the VO

15 User Registration (2)
VO registration expiry date
- Not exceeding 1 year from the date of VO registration
- Less if the institute contract / CERN HR registration expires before then
Personal user data will only reside in CERN HR
There is no automatic membership of a VO
- The user has to complete a form and the VO manager has to approve
Authorized personnel at resource centres will have read access to the VO registration info

16 User Registration (3)
When the VO expiry date is reached, the VO membership is immediately suspended
- Advance warning will be sent to the user
There will be other possible reasons for suspension
- E.g. following security problems
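Slides 14 to 16 together describe one membership lifecycle: expiry is one year from VO registration or earlier if the CERN HR registration ends first, membership needs explicit VO-manager approval, a warning precedes expiry, expiry (or an HR end-date) suspends immediately, and a security problem can suspend at any time. The following is an added example that models those rules as executable policy; it is not code from the talk, from VOMRS or from any LCG/EGEE component. The 30-day warning window is an assumption (the slides give no figure), and the user names and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# From the slides: VO registration expires at most one year after registration.
MAX_VO_TERM = timedelta(days=365)
# Assumption for this example: how far ahead the advance warning is sent.
WARNING_WINDOW = timedelta(days=30)


def vo_expiry_date(vo_registered: date, hr_registration_ends: Optional[date]) -> date:
    """One year from VO registration, or earlier if the CERN HR registration /
    institute contract ends before that."""
    expiry = vo_registered + MAX_VO_TERM
    if hr_registration_ends is not None and hr_registration_ends < expiry:
        expiry = hr_registration_ends
    return expiry


@dataclass
class VoMembership:
    user: str                               # identifier only; personal data stays in CERN HR
    vo: str
    vo_registered: date
    hr_registration_ends: Optional[date] = None
    approved_by_vo_manager: bool = False    # no automatic membership
    suspended_reason: Optional[str] = None  # e.g. "security incident"

    @property
    def expiry(self) -> date:
        # Derived, not stored: a changed HR end-date takes effect immediately.
        return vo_expiry_date(self.vo_registered, self.hr_registration_ends)

    def status(self, today: date) -> str:
        """One of pending / active / warning / suspended, evaluated as of `today`."""
        if not self.approved_by_vo_manager:
            return "pending"
        if self.suspended_reason is not None:
            return "suspended"
        if today >= self.expiry:
            return "suspended"          # expiry reached: immediate suspension
        if today + WARNING_WINDOW >= self.expiry:
            return "warning"            # advance warning goes to the user
        return "active"

    def suspend(self, reason: str) -> None:
        """Suspension for a reason other than expiry, e.g. after a security problem."""
        self.suspended_reason = reason


def hr_end_date_updated(m: VoMembership, new_end: Optional[date]) -> None:
    """Apply a new experiment-participation end-date received from CERN HR."""
    m.hr_registration_ends = new_end


def users_to_warn(members: List[VoMembership], today: date) -> List[str]:
    return sorted(m.user for m in members if m.status(today) == "warning")


def users_suspended(members: List[VoMembership], today: date) -> List[str]:
    return sorted(m.user for m in members if m.status(today) == "suspended")


if __name__ == "__main__":
    # Constructed sample data, not real users.
    alice = VoMembership("alice", "cms", date(2004, 10, 18), None, approved_by_vo_manager=True)
    bob = VoMembership("bob", "cms", date(2004, 10, 18), date(2005, 3, 31), approved_by_vo_manager=True)
    carol = VoMembership("carol", "atlas", date(2004, 10, 18), None, approved_by_vo_manager=True)
    carol.suspend("security incident")
    today = date(2005, 3, 1)
    for m in (alice, bob, carol):
        print(m.user, m.vo, "expires", m.expiry, "status", m.status(today))
    print("warn:", users_to_warn([alice, bob, carol], today))
    print("suspended:", users_suspended([alice, bob, carol], today))
```

Keeping `expiry` derived rather than stored is the point of the last rule on slide 14: when HR shortens a participation end-date, nothing has to be re-synchronised, the next status evaluation already yields "suspended".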

17 Technical Solution agreed
Decisions of the 15-17 Sep meeting:
The VO registration database
- Will be the VOMRS component from US CMS VOX
- VOMRS needs development to meet the new requirements (FNAL working on this)
- VOMRS manages the groups and roles -> VOMS
CERN is working on the VOMRS interconnection to the CERN HR DB (Oracle)
The dynamic authorization will be VOMS
- Groups and roles
Non-LHC VOs may use the VOMS-admin component (an alternative admin UI)
Time to implement not yet agreed
- Aiming for early in 2005

18 Security Technology

19 Authentication: EU Grid PMA CAs
Map legend: green = accredited; yellow = recent approvals or still under discussion
- Slovenia just approved
- Austria & Bulgaria soon?
Other accredited CAs:
- DoEGrids (US)
- GridCanada
- ASCCG (Taiwan)
- ArmeSFO (Armenia)
- CERN
- Russia (HEP)
- FNAL Service CA (US)
- Israel
- Pakistan
27 accredited CAs
"Catch-all" CAs operated by:
- CNRS (for EGEE)
- US DOE (for LCG)
- SEE-GRID (for SE Europe)

20 AuthZ – VOMS & LCAS
Diagram of the authentication & authorization flow between user, VO-VOMS, CA and service; labels:
- Long-lived credentials from the CA: user cert (long life), host cert (long life); crl update (low frequency)
- Registration of the user with VO-VOMS (low frequency)
- Short-lived credentials (high frequency): proxy cert (short life) via voms-proxy-init, authz cert (short life) from VO-VOMS, service cert (short life)
- LCAS on the service side consumes the authentication & authorization info
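The diagram's split between long-lived certificates (user and host certs from the CA, revoked via CRL updates) and short-lived ones (proxy and authz certs from voms-proxy-init and VOMS) is what a relying party such as LCAS has to enforce. The following is an added example, not code from the talk or from VOMS/LCAS, that checks the lifetime and chaining rules over a modelled CA -> end-entity -> proxy chain: every certificate valid now, each certificate's validity nested inside its issuer's, proxies short and derived from their issuer's DN, and a CRL entry for the long-lived certificate invalidating every proxy below it. Signatures are not modelled; the 24-hour proxy bound, the DN strings and the serial numbers are assumptions and constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Set, Tuple

# Upper bound on a proxy's lifetime. The slide only says "short life"; 24 h is an
# assumption for this example, not a value taken from the talk or from VOMS.
MAX_PROXY_LIFETIME = timedelta(hours=24)


@dataclass(frozen=True)
class Cert:
    """Only the fields the lifetime/chain rules need; no signatures are modelled."""
    subject: str
    issuer: str
    serial: int
    not_before: datetime
    not_after: datetime
    kind: str  # "ca", "eec" (long-lived user or host cert) or "proxy"


Revocations = Set[Tuple[str, int]]  # (issuer DN, serial) pairs taken from CRL updates


def check_chain(chain: List[Cert], now: datetime, revoked: Revocations) -> List[str]:
    """Validate a CA -> end-entity -> proxy... chain as of `now`.
    Returns the list of problems found; an empty list means the chain is accepted."""
    problems: List[str] = []
    if not chain or chain[0].kind != "ca":
        return ["chain must start with a trusted CA certificate"]
    if len(chain) < 2 or chain[1].kind != "eec":
        problems.append("the CA must be followed by a long-lived end-entity certificate")
    for i, cert in enumerate(chain):
        # Every certificate, long- or short-lived, must be valid right now.
        if not (cert.not_before <= now < cert.not_after):
            problems.append(f"{cert.subject}: not valid at {now.isoformat()}")
        # Revocation of the long-lived cert (via the CRL) invalidates all proxies under it.
        if (cert.issuer, cert.serial) in revoked:
            problems.append(f"{cert.subject}: serial {cert.serial} revoked by {cert.issuer}")
        if i == 0:
            continue
        parent = chain[i - 1]
        if cert.issuer != parent.subject:
            problems.append(f"{cert.subject}: issuer {cert.issuer!r} does not match {parent.subject!r}")
        if cert.not_before < parent.not_before or cert.not_after > parent.not_after:
            problems.append(f"{cert.subject}: validity period extends beyond its issuer's")
        if i >= 2 and cert.kind != "proxy":
            problems.append(f"{cert.subject}: only proxy certificates may follow the end-entity cert")
        if cert.kind == "proxy":
            if cert.not_after - cert.not_before > MAX_PROXY_LIFETIME:
                problems.append(f"{cert.subject}: proxy lifetime exceeds {MAX_PROXY_LIFETIME}")
            if not cert.subject.startswith(parent.subject + "/CN="):
                problems.append(f"{cert.subject}: proxy subject must extend the issuer's DN")
    return problems


# Constructed sample chain (DNs, serials and dates are made up for this example).
CA_DN = "/C=UK/O=eScience/CN=Example CA"
USER_DN = "/C=UK/O=eScience/OU=RAL/CN=Example User"
CA = Cert(CA_DN, CA_DN, 1, datetime(2000, 1, 1), datetime(2020, 1, 1), "ca")
USER = Cert(USER_DN, CA_DN, 4242, datetime(2004, 1, 1), datetime(2005, 1, 1), "eec")
PROXY = Cert(USER_DN + "/CN=proxy", USER_DN, 1,
             datetime(2004, 10, 18, 8), datetime(2004, 10, 18, 20), "proxy")
LONG_PROXY = Cert(USER_DN + "/CN=proxy", USER_DN, 2,
                  datetime(2004, 10, 18, 8), datetime(2004, 10, 21, 8), "proxy")
NOW = datetime(2004, 10, 18, 10, 0)


def demo() -> dict:
    """Run the checker over the sample chains; keys name the scenario."""
    return {
        "good": check_chain([CA, USER, PROXY], NOW, set()),
        "too_long": check_chain([CA, USER, LONG_PROXY], NOW, set()),
        "revoked": check_chain([CA, USER, PROXY], NOW, {(CA_DN, 4242)}),
        "expired": check_chain([CA, USER, PROXY], datetime(2004, 10, 18, 21), set()),
    }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "->", "accepted" if not problems else problems)
```

The revocation case is the reason the diagram pairs short-lived proxies with a low-frequency CRL update: a site that only checks the proxy's own validity window would keep accepting delegations from a user certificate the CA has already revoked.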

21 gLite security
Aims at being:
- Modular – add new modules later
- Agnostic – modules will evolve
- Standard – start with transport-level security but intend to move to WS-Security when it matures
- Interoperable – at least for AuthN & AuthZ
Applied to Web services hosted in containers and applications (Apache Axis & Tomcat) as additional modules
Security architecture: https://edms.cern.ch/document/487004/

22 EGEE AuthZ Policy
(Graphics from Globus Alliance & GGF OGSA-WG)
Policy comes from many stakeholders

23 Future Work
Policy
- Working on a more general policy (with OSG): no longer LCG-specific
- EU eInfrastructure Reflection Group (18 Nov 04): Acceptable Use Policy and Authorization for EU eScience
Procedures
- Operational Security, including Incident Response
- User Registration
Technology
- Authentication: Asia/Pacific & Americas PMAs being created; Credential Repositories
- Authorization – dynamic role-based access control: VOMRS & VOMS; local control and policy, e.g. via LCAS/LCMAPS
Security requirements, Operational Constraints
- Very important to get Site input to operations and middleware development (all feedback is very welcome!)

24 References
- LCG/EGEE Joint Security Policy Group: http://proj-lcg-security.web.cern.ch/
- EGEE JRA3 (Security): http://egee-jra3.web.cern.ch/
- Open Science Grid Security: http://www.opensciencegrid.org/techgroups/security/
- EU DataGrid Security: http://hep-project-grid-scg.web.cern.ch/
- LCG Guide to Application, Middleware and Network Security: https://edms.cern.ch/document/452128
- EU eInfrastructure Reflection Group: http://www.e-irg.org/
- EU Grid PMA (CA coordination): http://www.eugridpma.org/
- TERENA TACAR (CA repository): http://www.terena.nl/tech/task-forces/tf-aace/tacar/