
Grid Security, UK HEP Sysman Meeting, 22 April 2002. David Kelsey, CLRC/RAL, UK.

Presentation transcript:

Slide 1: Grid Security
- 22 Apr 2002, UK HEP Sysman Meeting
- David Kelsey, CLRC/RAL, UK
- d.p.kelsey@rl.ac.uk

Slide 2: Overview
- What is GSI?
- DataGrid TB1 Security
- Authentication
- Authorisation
- Firewalls
- Operational security procedures

Slide 3: What is GSI?
- Grid Security Infrastructure
- See the recent Globus Developers Tutorial: http://www.globus.org/about/events/US_tutorial/slides/Dev-04-Security1.ppt
- Selected slides from this presentation

Slide 4: DataGrid TB1 Security
- See documentation on the EDG WP6 web site: http://marianne.in2p3.fr/
  – Usage Rules
  – Users Guide
  – Installation Guide
- The various installation kits do much (most?) of the work for you

Slide 5: Authentication
- Certificates
- Trusted Certificate Authorities
- Converting certificate formats
- Certificate Revocation Lists

Slide 6: Certificates
- Need certificates for:
  – Users: they request their own, with Registration confirmation
  – Hosts: for the gatekeeper
  – Services: e.g. LDAP/MDS

Slide 7: Trusted Certificate Authorities
- List maintained by the EDG WP6 CA group
- Procedures and policies compared with minimum requirements
- Matrix of trust being created
- Includes USA and CrossGrid CAs
- Each site has the final say
  – But the default is to accept the EDG list

Slide 8: Converting cert formats
- 2 formats: PEM and PKCS12
- Extensions: .pem and .p12
- Install the edg-utils package
  – Convert PEM to PKCS12: /opt/edg/bin/grid-mk-pkcs12
  – Convert PKCS12 to PEM: /opt/edg/bin/pkcs12-extract
- Or use openssl commands (see Installation Guide, section 12.1.3)
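Added example (not from the slides or the edg-utils tools): the same PEM/PKCS12 conversion done with the plain openssl commands the slide mentions as the alternative, plus a fingerprint check that the certificate came back unchanged. File names, the working directory and the password are placeholders chosen here.

```shell
#!/bin/sh
# Convert a GSI user credential between PEM and PKCS12 with plain openssl,
# then confirm the certificate survived the round trip unchanged.
# Assumptions (not from the slides): file names, password and working
# directory are caller-supplied placeholders.
set -eu

# PEM (usercert.pem + userkey.pem) -> password-protected PKCS12 bundle.
pem_to_pkcs12() {
    cert="$1"; key="$2"; out="$3"; pass="$4"
    openssl pkcs12 -export -in "$cert" -inkey "$key" \
        -out "$out" -passout "pass:$pass"
    chmod 600 "$out"          # the bundle contains the private key
}

# PKCS12 -> PEM: certificate and key go to separate files, as GSI expects.
pkcs12_to_pem() {
    p12="$1"; cert="$2"; key="$3"; pass="$4"
    openssl pkcs12 -in "$p12" -clcerts -nokeys \
        -out "$cert" -passin "pass:$pass"
    openssl pkcs12 -in "$p12" -nocerts -nodes \
        -out "$key" -passin "pass:$pass"
    chmod 600 "$key"          # GSI refuses a key readable by group/others
}

# SHA-1 fingerprint of a PEM certificate (hex string only).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | cut -d= -f2
}

# Round-trip PEM -> PKCS12 -> PEM inside $workdir and print "ok" when the
# extracted certificate has the same fingerprint as the original.
roundtrip_check() {
    cert="$1"; key="$2"; workdir="$3"; pass="$4"
    pem_to_pkcs12 "$cert" "$key" "$workdir/usercred.p12" "$pass"
    pkcs12_to_pem "$workdir/usercred.p12" \
        "$workdir/usercert.out.pem" "$workdir/userkey.out.pem" "$pass"
    if [ "$(cert_fingerprint "$cert")" = \
         "$(cert_fingerprint "$workdir/usercert.out.pem")" ]; then
        echo ok
    else
        echo mismatch; return 1
    fi
}

# Usage: sh convert.sh usercert.pem userkey.pem /tmp/work secret
if [ "$#" -eq 4 ]; then roundtrip_check "$@"; fi
```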

Slide 9: Certificate Revocation Lists (CRL)
- Each CA maintains a signed list of revoked certificates
- Must be current
  – If not, all certificates from that CA are treated as revoked
- GSI checks the local copy of the CRL
- Must copy regularly (every day?)
  – edg-fetch-crl to update CRLs
  – edg-crl-upgraded daemon to regularly update

Slide 10: Authorisation
- Usage Rules
  – Users sign this and no other forms
  – Use a browser with your EDG certificate
- Virtual Organisations
  – Users need to request to join
- mkgridmap
  – Tool to create the grid-mapfile
- Pooled accounts (gridmapdir dynamic accounts)
  – http://www.gridpp.ac.uk/gridmapdir/

Slide 11: EDG Authorisation: grid-mapfile generation
[Diagram: mkgridmap reads the VO Directory (o=testbed, dc=eu-datagrid, dc=org; ou=People entries such as CN=Franz Elmer and CN=John Smith) and the Authorization Directory (o=xyz, dc=eu-datagrid, dc=org; ou=People, ou=Testbed1, ou=???; CN=Mario Rossi; local users; ban list), matches them against Authentication Certificates, and writes the grid-mapfile.]

Slide 12: Authorisation (contd)
- Today can only map one certificate to one account
  – If you need multiple roles then you need more than one cert
- More work is still needed on
  – Registration Authorities for VOs
  – Security of VO LDAP info

Slide 13: Firewalls – ports used

Port   Service
80     HTTP server for Network Monitoring
123    Network Time Protocol
2119   Globus Gatekeeper
2135   MDS info port
2169   FTree info port
2170   Information Index
2171   FTree info port
2811   GSI ftp server
3147   RFIO
7771   Resource Broker
7846   Logging & Bookkeeping
8080   Tomcat Server (R-GMA, SpitFire)
8881   Job Submission Service (client)
9991   Job Submission Service (server)

Slide 14: Operational Security
- Each site must nominate a Security Contact
  – But is there a mail list yet?
- Incident discovery
  – We need some tools/procedures (EDG WP6?)
- Audit logs
  – Grid Mapping (Gatekeeper log)
  – Pooled accounts
  – Both in syslog

