1 gLite Security. www.eu-eela.org, E-science grid facility for Europe and Latin America. E2GRIS1. Raúl Priego Martínez – CETA-CIEMAT (Spain). Itacuruça (Brazil), 2-15 November 2008.

2 www.eu-eela.eu Itacuruça (Brazil), E2GRIS1, 2.11.2008 – 15.11.2008. This presentation is based on other presentations by CETA-CIEMAT members. Thanks to all of them.

3 Index. Authentication and authorization:
–Security tips.
–User authentication.
–Host authentication.
–VO views.
–Job authentication.
–Proxies.
–Delegation of proxies.
–Other grid services.

4 Encryption. Cryptography studies information security: authentication, access control and encryption.
Symbols:
–Plaintext: M
–Ciphertext: C
–Encryption with key K1: E_K1(M) = C
–Decryption with key K2: D_K2(C) = M
Algorithms:
–Symmetric: K1 = K2
–Asymmetric: K1 ≠ K2
(Figure: Pedro encrypts M with K1 to obtain C; Carmen decrypts C with K2 to recover M.)

5 GRID authentication. It is based on X.509 certificates and a PKI (Public Key Infrastructure). Hosts, users and services use certificates to authenticate themselves and to encrypt messages. These digital certificates are signed by a CA (Certification Authority): a trusted third party that guarantees the correspondence between a digital certificate and the identity of its owner.

6 Authentication: the challenge. Authentication protocol. The user wants to authenticate the server before sending data to it.
–The server sends its certificate (which carries its public key).
–The user verifies the CA signature on the certificate.
–The user generates a random token and sends it to the server.
–The server encrypts the token with its private key (that is, it signs it) and sends the result back to the user.
–The user decrypts it with the server's public key, taken from the certificate, and compares the result with the original token. Are they the same?
Because the token is random and fresh, a captured answer cannot be replayed; because only the holder of the private key can produce the answer, THE SECURITY OF YOUR PRIVATE KEY IS VERY IMPORTANT.
(Figure: Server and User. Server's certificate; verifies CA signature; random token; token encrypted with the server's private key; decrypt with the public key of the server; compare with the original token.)
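The exchange on this slide, carried out with the openssl command line, as an added example that is not code from the E2GRIS1 slides. It assumes a throw-away CA and server certificate generated inside the script (in gLite the server certificate would come from an accredited CA), and it also runs the two attacks the protocol has to defeat: replaying an old answer, and answering with a key that is not the one in the verified certificate.

```shell
#!/bin/sh
# Added example, not code from the E2GRIS1 slides: the challenge-response
# exchange of slide 6 performed with the openssl command line.
# Assumption: a throw-away CA and server certificate are generated here; in
# gLite the server certificate would be issued by an accredited CA.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# --- one-time setup: a CA, and a server certificate issued by it ------------
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/O=ExampleGrid/CN=Example CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj "/O=ExampleGrid/CN=ce.example.org" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/server.pem" 2>/dev/null

# --- server side: "encrypting the token with the private key" is a signature ---
server_sign_challenge() {   # $1 = token received, $2 = file for the signed token
    printf '%s' "$1" | openssl dgst -sha256 -sign "$WORK/server.key" -out "$2"
}

# --- client side ---------------------------------------------------------------
client_verify_server_cert() {   # step 2: is the certificate signed by a CA we trust?
    openssl verify -CAfile "$WORK/ca.pem" "$WORK/server.pem" >/dev/null 2>&1
}

client_check_response() {   # $1 = token we sent, $2 = signed token we got back
    openssl x509 -in "$WORK/server.pem" -pubkey -noout > "$WORK/server.pub"
    printf '%s' "$1" | openssl dgst -sha256 -verify "$WORK/server.pub" \
        -signature "$2" >/dev/null 2>&1
}

# Runs the exchange plus two attacks the protocol must defeat, and reports:
#   chain=OK response=OK replay=REJECTED rogue_key=REJECTED
challenge_response_demo() {
    client_verify_server_cert && chain=OK || chain=FAIL
    token=$(openssl rand -hex 32)                      # fresh random token (nonce)
    server_sign_challenge "$token" "$WORK/token.sig"
    client_check_response "$token" "$WORK/token.sig" && response=OK || response=FAIL
    # Replay: the captured answer to an old token is offered for a new token.
    token2=$(openssl rand -hex 32)
    client_check_response "$token2" "$WORK/token.sig" && replay=ACCEPTED || replay=REJECTED
    # Impersonation: the right token, signed with a key that is not in the certificate.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/rogue.key" 2>/dev/null
    printf '%s' "$token" | openssl dgst -sha256 -sign "$WORK/rogue.key" -out "$WORK/rogue.sig"
    client_check_response "$token" "$WORK/rogue.sig" && rogue=ACCEPTED || rogue=REJECTED
    echo "chain=$chain response=$response replay=$replay rogue_key=$rogue"
}

challenge_response_demo
```

The two checks on the client side are what make the exchange worth anything: without the CA verification any certificate would be accepted, and without a fresh random token a recorded answer could be replayed forever.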

7 Sending an encrypted message.
–The hash of the message is calculated.
–Digital signature: the hash is encrypted with the sender's private key. (It cannot be the receiver's public key, which everybody knows; a signature must be made with a key only the sender holds.)
–The message is encrypted with the receiver's public key.
–The signature is appended to the message.
–The new message is sent over an unsafe medium.
At the receiving end-point:
–The message is decrypted with the receiver's private key.
–The hash of the decrypted message is calculated.
–The signature is decrypted with the sender's public key and both hashes are compared. Are they the same?

8 Properties: integrity and encryption.
Integrity: the message is not modified on the unsafe transfer medium.
–This property is provided by the signed hash: any change to the message changes its hash, and the signature no longer matches.
Encryption: messages on the unsafe medium are not readable. Only the owner of the private key can read the message.
–This property is provided by the encryption algorithm.
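Slides 7 and 8 as an added example with openssl primitives, not code from the slides. The keys are used the way the slide intends: the sender's private key signs the hash and the receiver's public key encrypts. It assumes throw-away RSA key pairs generated in the script (in the grid the public keys would be taken from the two users' certificates after verifying the CA signature), and a message short enough to be encrypted directly with RSA; real systems encrypt a symmetric key this way and the message with that key.

```shell
#!/bin/sh
# Added example, not code from the E2GRIS1 slides: the signed-and-encrypted
# message of slides 7 and 8 with openssl primitives. Pedro sends, Carmen
# receives. Assumption: throw-away RSA key pairs generated here stand in for
# the key pairs behind the two users' X.509 certificates.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

for who in pedro carmen; do
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/$who.key" 2>/dev/null
    openssl pkey -in "$WORK/$who.key" -pubout -out "$WORK/$who.pub"
done

# Sender: hash and sign with the SENDER's private key, then encrypt the message
# for the receiver with the RECEIVER's public key (RSA-OAEP padding).
send_message() {   # $1 = plaintext file, $2 = signature out, $3 = ciphertext out
    openssl dgst -sha256 -sign "$WORK/pedro.key" -out "$2" "$1"
    openssl pkeyutl -encrypt -pubin -inkey "$WORK/carmen.pub" \
        -pkeyopt rsa_padding_mode:oaep -in "$1" -out "$3"
}

# Receiver: decrypt with the receiver's private key, re-hash, and check the
# signature with the sender's public key. The plaintext is released only when
# the integrity check passes.
receive_message() {   # $1 = ciphertext, $2 = signature; prints the plaintext
    openssl pkeyutl -decrypt -inkey "$WORK/carmen.key" \
        -pkeyopt rsa_padding_mode:oaep -in "$1" -out "$WORK/plain.dec"
    if openssl dgst -sha256 -verify "$WORK/pedro.pub" -signature "$2" \
            "$WORK/plain.dec" >/dev/null 2>&1; then
        cat "$WORK/plain.dec"
    else
        echo "SIGNATURE MISMATCH: message rejected" >&2
        return 1
    fi
}

# Constructed demonstration: a genuine message is delivered; a message that
# somebody else encrypted for Carmen (decryptable, but not signed by Pedro)
# is rejected by the integrity check.
signed_message_demo() {
    printf 'Submit job 42 to ce.example.org' > "$WORK/plain.txt"
    send_message "$WORK/plain.txt" "$WORK/msg.sig" "$WORK/msg.enc"
    received=$(receive_message "$WORK/msg.enc" "$WORK/msg.sig")
    printf 'Submit job 43 to ce.example.org' > "$WORK/forged.txt"
    openssl pkeyutl -encrypt -pubin -inkey "$WORK/carmen.pub" \
        -pkeyopt rsa_padding_mode:oaep -in "$WORK/forged.txt" -out "$WORK/forged.enc"
    if receive_message "$WORK/forged.enc" "$WORK/msg.sig" >/dev/null 2>&1; then
        forged=ACCEPTED
    else
        forged=REJECTED
    fi
    echo "received=[$received] forged=$forged"
}

signed_message_demo
```

The forged message shows why encryption alone gives no integrity: anyone with Carmen's public key can produce a ciphertext she can decrypt, and only the signature ties the content to Pedro.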

9 User authentication. You get your digital certificate from a CA. It has a lifetime of one year; you can renew it.
Directory: $HOME/.globus/
Two files:
–Certificate (public key): usercert.pem with 644 permissions. It contains the issuer (the CA), the subject (the owner of the certificate), the CA's digital signature and the expiry date.
–Private key: userkey.pem with 400 permissions, readable by its owner only; the grid tools refuse to use a key that other users can read.
Have you got your digital certificate?

10 Useful commands. In the commands below <cert.p12> stands for the PKCS#12 file you received from the CA.
Obtaining my certificate:
openssl pkcs12 -clcerts -nokeys -in <cert.p12> -out usercert.pem
Obtaining my private key:
openssl pkcs12 -nocerts -in <cert.p12> -out userkey.pem
Obtaining a p12 file from the private key and certificate pem files:
openssl pkcs12 -export -in usercert.pem -inkey userkey.pem -out my_cert.p12 -name 'My Name'
Viewing my certificate in plain text:
openssl x509 -inform pem -in usercert.pem -text
After extracting the files, set the permissions from the previous slide: chmod 644 usercert.pem; chmod 400 userkey.pem.

11 Host authentication. Host authentication:
–Directory: /etc/grid-security/
–Files: hostkey.pem with 400 permissions; hostcert.pem with 644 permissions.
Not all GRID hosts need a host certificate.
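A check of a credential pair as slides 9 and 11 describe it (permissions, key matching the certificate, certificate still valid), as an added example that is not code from the slides or from the Globus or gLite tools. It assumes GNU stat (with BSD stat as a fallback) and, for the demonstration at the end, a throw-away self-signed pair generated in the script with an unencrypted key; on a real userkey.pem, which is protected by a passphrase, openssl will prompt for it.

```shell
#!/bin/sh
# Added example, not code from the E2GRIS1 slides: checks a credential pair the
# way slides 9 and 11 describe it. Assumptions: GNU stat (BSD stat as fallback);
# the pair checked in demo_check is a throw-away self-signed one generated here,
# with an unencrypted key so that openssl does not prompt for a passphrase.
set -eu

file_mode() {   # octal permission bits of a file
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_credentials DIR CERTFILE KEYFILE
# Prints "ok" when the pair is usable and correctly protected; otherwise prints
# one "BAD: ..." line per problem and returns 1.
check_credentials() {
    dir=$1; cert=$dir/$2; key=$dir/$3; status=0
    [ -r "$cert" ] || { echo "BAD: $cert missing or unreadable"; return 1; }
    [ -r "$key" ]  || { echo "BAD: $key missing or unreadable";  return 1; }
    # 1. the private key must be readable by its owner only (400 on the slide)
    case $(file_mode "$key") in
        400|600) ;;
        *) echo "BAD: $key has mode $(file_mode "$key"), expected 400"; status=1 ;;
    esac
    # 2. the certificate is public, but nobody else may write it (644 on the slide)
    case $(file_mode "$cert") in
        644|444|600|400) ;;
        *) echo "BAD: $cert has mode $(file_mode "$cert"), expected 644"; status=1 ;;
    esac
    # 3. the key must belong to the certificate: the two public keys must be identical
    if [ "$(openssl x509 -in "$cert" -noout -pubkey)" != "$(openssl pkey -in "$key" -pubout)" ]; then
        echo "BAD: $key does not match $cert"; status=1
    fi
    # 4. the certificate must be valid now; warn when the yearly renewal is due
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo "BAD: $cert has expired ($(openssl x509 -in "$cert" -noout -enddate))"; status=1
    elif ! openssl x509 -in "$cert" -noout -checkend 604800 >/dev/null; then
        echo "WARN: $cert expires within 7 days ($(openssl x509 -in "$cert" -noout -enddate))"
    fi
    [ "$status" -eq 0 ] && echo ok
    return "$status"
}

# Constructed demonstration: a correct pair passes, then the classic mistake
# (a world-readable userkey.pem) is rejected.
demo_check() {
    work=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/O=EelaGrid/O=users/CN=Test User" \
        -keyout "$work/userkey.pem" -out "$work/usercert.pem" 2>/dev/null
    chmod 400 "$work/userkey.pem"; chmod 644 "$work/usercert.pem"
    protected=$(check_credentials "$work" usercert.pem userkey.pem)
    chmod 644 "$work/userkey.pem"
    if check_credentials "$work" usercert.pem userkey.pem >/dev/null; then exposed=ACCEPTED; else exposed=REJECTED; fi
    rm -rf "$work"
    echo "protected=$protected exposed=$exposed"
}

demo_check
```

On a UI the call is `check_credentials "$HOME/.globus" usercert.pem userkey.pem`; on a service host, as root, `check_credentials /etc/grid-security hostcert.pem hostkey.pem`.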

12 VO view. A VO (Virtual Organization) is conceived as a group of users. It is the method used to control access to resources and to account for their use inside the GRID. Rights are based on an ACL (Access Control List) system. It is mandatory to be a member of one VO.

13 VOMS service. It is the service that manages VOs and user membership. It authorizes users to use roles and GRID resources. A VOMS server has four parts:
–User client: requests information about the roles and rights of a user. It has to send the user certificate.
–User server: answers the user client's requests.
–Administration client.
–Administration server.

14 VOMS service. There is a mapping between users and VO:
–It is described in /etc/grid-security/grid-mapfile: one line per user, the quoted certificate subject (DN) followed by the local account.
"/O=EelaGrid/O=users/O=mief/CN=My name and surname" e2gris1
There is another mapping between VO, role, capability and unix user:
–It is described in /etc/grid-security/voms-grid-mapfile: the quoted VOMS attribute (FQAN) followed by the local account.
"/eela/Role=lcgadmin/Capability=NULL" eelasgm
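A lookup that resolves a certificate subject or a VOMS attribute to the local account with the mapfile syntax shown on this slide, as an added example that is not code from the slides or from the gLite mapping plugins. The two mapfiles are constructed inside the script; the real ones live under /etc/grid-security/ and are read by the site's mapping plugins, not by this script. The order used in map_identity (VOMS attribute first, bare DN as fallback) is this example's choice.

```shell
#!/bin/sh
# Added example, not code from the E2GRIS1 slides: resolves a DN or an FQAN to
# a local account using the mapfile syntax of slide 14. Assumptions: the two
# sample mapfiles are constructed here; entries are quoted as on the slide; a
# leading dot in the account ("./eela") denotes a pool of accounts.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
GRID_MAPFILE=$WORK/grid-mapfile
VOMS_MAPFILE=$WORK/voms-grid-mapfile

cat > "$GRID_MAPFILE" <<'EOF'
# constructed sample: certificate subject -> account
"/O=EelaGrid/O=users/O=mief/CN=My name and surname" e2gris1
"/O=EelaGrid/O=users/O=mief/CN=Other Student" .eela
EOF
cat > "$VOMS_MAPFILE" <<'EOF'
# constructed sample: VOMS attribute (FQAN) -> account
"/eela/Role=lcgadmin/Capability=NULL" eelasgm
"/eela" .eela
EOF

# map_lookup MAPFILE KEY
# Prints the account for KEY, or "pool:<name>" for a pool-account entry;
# returns 1 when KEY is not mapped. Blank lines and comments are skipped.
map_lookup() {
    mapfile=$1; wanted=$2
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        key=${line#\"}; key=${key%%\"*}                     # text inside the first pair of quotes
        account=${line##*\"}                                 # text after the closing quote
        account=${account#"${account%%[![:space:]]*}"}       # strip leading whitespace
        account=${account%%[[:space:]]*}                     # and anything after the account
        if [ "$key" = "$wanted" ]; then
            case $account in
                .*) printf 'pool:%s\n' "${account#.}" ;;
                *)  printf '%s\n' "$account" ;;
            esac
            return 0
        fi
    done < "$mapfile"
    return 1
}

# map_identity DN FQAN -> account. The VOMS attribute is tried first and the
# bare DN second (this example's order), so the two mapfiles complement each
# other: a role grants a special account, plain membership the default one.
map_identity() {
    map_lookup "$VOMS_MAPFILE" "$2" || map_lookup "$GRID_MAPFILE" "$1"
}

map_identity "/O=EelaGrid/O=users/O=mief/CN=My name and surname" "/eela/Role=lcgadmin/Capability=NULL"
map_identity "/O=EelaGrid/O=users/O=mief/CN=My name and surname" "/eela/Role=NULL/Capability=NULL"
```

The first call prints eelasgm (the role wins); the second, whose FQAN is not in the VOMS mapfile, falls back to the DN and prints e2gris1. A DN that is in neither file gets no account, which is the ACL behaviour the slide describes: no mapping, no access.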

15 Job authentication. Jobs need to interact with services:
–For example, to transfer a file from an SE (Storage Element) to the WN (Worker Node).
A job needs to prove that it is authorized to use the resource: it needs the same privileges as its user. But jobs run where the user's private key is not available on the local machine, and we do not want to move our private key over an unsafe medium.

16 Job authentication. Users have to delegate their identity to their jobs:
–A new certificate and private key are generated and signed with the user's private key.
–The job needs this new certificate, the new private key and the user's certificate.
–When a job needs to authenticate, it sends both certificates (the new one and the user's), so the other side can verify the chain back to the CA.
–The lifetime of the new certificate is short (default 12 hours).

17 Proxy commands. The new certificate, the new private key and the user's certificate together are called a proxy. We have to create a proxy to launch our jobs. How? Useful commands:
voms-proxy-init --voms <vo>: create a proxy for your jobs as a member of a VO (<vo> stands for the VO name). Authentication and authorization are included in this command: it asks for the passphrase of your private key and contacts the VOMS server for your roles.
voms-proxy-destroy: destroy our proxy.
voms-proxy-info [--all]: obtain information about our proxy.

18 Delegation of proxies. Proxies are valid for a short time. If my job runs for a long time, what can I do? The solution in the GRID is to delegate our proxy, so that the services can obtain it and authenticate our jobs. Other advantages:
–It helps with long file transfers.
–Your proxy is stored on a safe server, protected by a password.
The safe server is called the MyProxy server or PX server.

19 Delegation. Delegation = remote creation (second level) of a proxy certificate:
–A new key pair is generated remotely, on the server.
–The client signs the proxy certificate and returns it; only the certificate request and the signed certificate travel, the new private key never leaves the server.
It allows remote processes to be authenticated in the user's name:
–The remote process "impersonates" the user.
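The proxy of slides 16 and 17 and the delegation of slide 19, built by hand with openssl as an added example. This is not code from the slides and not the internals of voms-proxy-init or the myproxy-* tools; it shows the objects those tools produce. It assumes a throw-away CA and user certificate generated in the script, a proxy marked with the RFC 3820 proxyCertInfo extension, and a lifetime of one day only because openssl x509 counts in days (voms-proxy-init defaults to 12 hours). In delegation, make_proxy_request runs on the remote side and sign_proxy_request on the side that holds the key.

```shell
#!/bin/sh
# Added example, not code from the E2GRIS1 slides and not what voms-proxy-init
# does internally: builds and verifies a proxy as slides 16, 17 and 19 describe.
# Assumptions: throw-away CA and user certificate generated here; RFC 3820
# proxyCertInfo extension; 1-day lifetime because "openssl x509" counts in days.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
USER_DN="/O=EelaGrid/O=users/O=mief/CN=Test User"

# --- the long-lived credentials: a CA, and a user certificate issued by it ------
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/O=EelaGrid/CN=Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj "$USER_DN" \
    -keyout "$WORK/userkey.pem" -out "$WORK/user.csr" 2>/dev/null
openssl x509 -req -in "$WORK/user.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/usercert.pem" 2>/dev/null

# Step 1 (the remote side, in delegation): a fresh key pair and a request whose
# subject is the user's DN plus one extra CN. Only the request travels.
make_proxy_request() {   # $1 = new private key out, $2 = request out
    openssl req -new -newkey rsa:2048 -nodes -subj "$USER_DN/CN=$(openssl rand -hex 4)" \
        -keyout "$1" -out "$2" 2>/dev/null
}

# Step 2 (the holder of userkey.pem): sign the request with the USER's key, not a
# CA key, mark the result as a proxy, and give it a short lifetime.
sign_proxy_request() {   # $1 = request, $2 = proxy certificate out
    printf '[proxy]\nproxyCertInfo=critical,language:id-ppl-inheritAll\nkeyUsage=critical,digitalSignature,keyEncipherment\n' \
        > "$WORK/proxy.cnf"
    openssl x509 -req -in "$1" -CA "$WORK/usercert.pem" -CAkey "$WORK/userkey.pem" \
        -CAcreateserial -days 1 -extfile "$WORK/proxy.cnf" -extensions proxy -out "$2" 2>/dev/null
}

# Step 3: what the job carries: proxy certificate, proxy key and user certificate
# in one file that only its owner can read (voms-proxy-init writes it as 0600).
assemble_proxy_file() {   # $1 = proxy certificate, $2 = proxy key, $3 = output file
    (umask 077; cat "$1" "$2" "$WORK/usercert.pem" > "$3")
}

# A relying party verifies proxy -> user certificate -> CA. OpenSSL rejects a
# proxy unless explicitly told to accept proxies, which is the check that keeps
# an ordinary non-CA certificate from issuing certificates for other names.
verify_proxy() {   # $1 = proxy certificate; prints OK or FAIL
    if openssl verify -allow_proxy_certs -CAfile "$WORK/ca.pem" \
            -untrusted "$WORK/usercert.pem" "$1" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

proxy_demo() {
    make_proxy_request "$WORK/proxykey.pem" "$WORK/proxy.csr"
    sign_proxy_request "$WORK/proxy.csr" "$WORK/proxycert.pem"
    assemble_proxy_file "$WORK/proxycert.pem" "$WORK/proxykey.pem" "$WORK/x509up_test"
    plain=$(openssl verify -CAfile "$WORK/ca.pem" -untrusted "$WORK/usercert.pem" \
        "$WORK/proxycert.pem" >/dev/null 2>&1 && echo ACCEPTED || echo REJECTED)
    mode=$(stat -c '%a' "$WORK/x509up_test" 2>/dev/null || stat -f '%Lp' "$WORK/x509up_test")
    echo "chain=$(verify_proxy "$WORK/proxycert.pem") without_proxy_flag=$plain mode=$mode"
}

proxy_demo
```

The proxy verifies only with -allow_proxy_certs and only because its subject is the user's DN with exactly one CN appended; a verifier that does not know about proxies sees a leaf certificate issued by a non-CA and rejects it, which is why every gLite service has to be proxy-aware. `openssl x509 -in "$WORK/proxycert.pem" -noout -subject -enddate` shows the two facts voms-proxy-info reports: the extended subject and the short lifetime.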

20 Delegation of proxies: commands.
myproxy-init [-d]: create a proxy and store it on the PX server (-d uses the certificate subject as the user name).
myproxy-info: obtain information about the stored proxy.
myproxy-store: store credentials on the server for later use; the user certificate is included.
myproxy-retrieve: get our stored credentials back.
myproxy-destroy: destroy our stored proxy.
myproxy-get-delegation: get a new proxy, delegated from the one stored on the MyProxy server (newer releases call this command myproxy-logon).

21 Other grid services.
Information services: no authentication is required. Commands: lcg-infosites and lcg-info.
Data management service: authentication and authorization are required. Commands: lfc-chmod, lfc-getacl, lfc-setacl. Safe or unsafe file transfer protocols.

22 Remember. You need a digital certificate and to be a member of a VO. Keep your private key safe!!
Proxy commands: voms-*
–To manage proxies.
MyProxy commands: myproxy-*
–To delegate proxies.

23 Questions …
