Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 caGrid Security Overview Mark Grand Senior Engineer caGrid Knowledge Center February 7, 2011.

Published byScott Neil Lawson Modified over 8 years ago

Similar presentations

Presentation on theme: "1 caGrid Security Overview Mark Grand Senior Engineer caGrid Knowledge Center February 7, 2011."— Presentation transcript:

1 1 caGrid Security Overview Mark Grand Senior Engineer caGrid Knowledge Center February 7, 2011

2 caGrid Organization 2

3 Security Services 3

4 Dorian Identity Provider Creation and management of user accounts Issue Security Assertion Markup Language (SAML) Assertions as proof of authentication Certificate Authority to sign SAML Assertions Identify Federation Service Manages trusted identity providers Manages Grid users Manages host certificates Issues Grid credentials (X.509 Certificates) Manages internal Dorian groups (i.e., Dorian administrators)

5 GTS Details The Grid Trust Service (GTS) is a caGrid service enabling the provisioning and management of a grid trust fabric. The features of the GTS can be summarized as follows: It provides a complete Grid enabled federated solution for registering and managing trusted certificate authorities and their certificate revocation lists (CRLs). It allows the definition and management of levels of assurance, allowing Grid administrators to group CAs appropriately into levels of assurance. Supports retrieval of the current state of the trust fabric

6 GTS Details (2) GTS services can be federated or “chained” in a fashion that is similar to DNS on the Internet

7 Grid of Grids

8 SyncGTS The SyncGTS Service: Is installed by the caGrid installer to every grid container. Is responsible for keeping the local trust store for each client and service updated. Thus, every Grid node has an up-to-date view of the trust fabric, including a current list of trusted CAs and corresponding CRLs The local trust store is the ~/.globus/certificates directory SyncGTS can be run manually or from cron.

9 SyncGTS API public static boolean synchronizeOnce(String syncDescriptionFile) { boolean success = false; try { //Load Sync Description SyncDescription description = (SyncDescription) Utils.deserializeDocument(syncDescriptionFile, SyncDescription.class); //Sync with the Trust Fabric Once SyncGTS.getInstance().syncOnce(description); success = true; } catch (Exception e) { e.printStackTrace(); } return success; } Form more details see http://cagrid.org/display/knowledgebase/Part+Four+-+Authentication 9

10 Grid Authentication Collaboration 10

11 GTS / Dorian Circular Dependency Complicates Grid Installation 11

12 Credential Delegation Service (CDS) CDS allows a grid user to delegate their grid credentials to other users and services that can perform grid actions as the original user. A service is able to request a delegated credential from CDS. The service uses the delegated credential to request other services. Nothing forces a service to use a delegated credential. CDS can also be used to delegate a credential to a gridGrouper group. CDS protocol keeps private keys private 12

13 Credential Delegation Service (CDS) 13

14 CDS Use 14

Download ppt "1 caGrid Security Overview Mark Grand Senior Engineer caGrid Knowledge Center February 7, 2011."

Similar presentations

MyProxy Jim Basney Senior Research Scientist NCSA

MyProxy Jim Basney Senior Research Scientist NCSA
Open Grid Forum 19 January 31, 2007 Chapel Hill, NC Stephen Langella Ohio State University Grid Authentication and Authorization with.

Open Grid Forum 19 January 31, 2007 Chapel Hill, NC Stephen Langella Ohio State University Grid Authentication and Authorization with.
GT 4 Security Goals & Plans Sam Meder

GT 4 Security Goals & Plans Sam Meder
Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.
Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun. 2005 Ionut Constandache Daniel Olmedilla.

Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun Ionut Constandache Daniel Olmedilla.
Authentication solutions for Outlook and Office 365 Multi-factor authentication for Office 365 Outlook client futures.

Authentication solutions for Outlook and Office 365 Multi-factor authentication for Office 365 Outlook client futures.
MyProxy: A Multi-Purpose Grid Authentication Service

MyProxy: A Multi-Purpose Grid Authentication Service
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.

Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 23: Internet Authentication Applications.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 23: Internet Authentication Applications.
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
Experience Building and Supporting Secure Ad Hoc Collaborations Deb Agarwal Lawrence Berkeley National Laboratory Ad Hoc Collaboration - Internet2 Fall.

Experience Building and Supporting Secure Ad Hoc Collaborations Deb Agarwal Lawrence Berkeley National Laboratory Ad Hoc Collaboration - Internet2 Fall.
Will Darby 91.514 5 April 2010.  What is Federated Security  Security Assertion Markup Language (SAML) Overview  Example Implementations  Alternative.

Will Darby April  What is Federated Security  Security Assertion Markup Language (SAML) Overview  Example Implementations  Alternative.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.

National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
CN1276 Server Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+

CN1276 Server Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+
Identity and Access Management IAM. 2 Definition Identity and Access Management provide the following: – Mechanisms for identifying, creating, updating.

Identity and Access Management IAM. 2 Definition Identity and Access Management provide the following: – Mechanisms for identifying, creating, updating.
HEBCA – Higher Education Bridge Certification Authority Presented by Scott Rea and Mark Franklin, Fed/Ed Meeting, 12/14/2005.

HEBCA – Higher Education Bridge Certification Authority Presented by Scott Rea and Mark Franklin, Fed/Ed Meeting, 12/14/2005.
Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.

Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.

Similar presentations

Ads by Google