
1 caGrid Security Overview Mark Grand Senior Engineer caGrid Knowledge Center February 7, 2011.


2 caGrid Organization

3 Security Services

4 Dorian

Identity Provider
    Creation and management of user accounts
    Issues Security Assertion Markup Language (SAML) assertions as proof of authentication
    Certificate Authority to sign SAML assertions

Identity Federation Service
    Manages trusted identity providers
    Manages Grid users
    Manages host certificates
    Issues Grid credentials (X.509 certificates)
    Manages internal Dorian groups (i.e., Dorian administrators)

5 GTS Details

The Grid Trust Service (GTS) is a caGrid service enabling the provisioning and management of a grid trust fabric. The features of the GTS can be summarized as follows:
    It provides a complete Grid-enabled federated solution for registering and managing trusted certificate authorities and their certificate revocation lists (CRLs).
    It allows the definition and management of levels of assurance, allowing Grid administrators to group CAs appropriately into levels of assurance.
    It supports retrieval of the current state of the trust fabric.

6 GTS Details (2)

GTS services can be federated or "chained" in a fashion that is similar to DNS on the Internet.

7 Grid of Grids

8 SyncGTS

The SyncGTS Service:
    Is installed by the caGrid installer to every grid container.
    Is responsible for keeping the local trust store for each client and service updated. Thus, every Grid node has an up-to-date view of the trust fabric, including a current list of trusted CAs and corresponding CRLs.
    The local trust store is the ~/.globus/certificates directory.
    SyncGTS can be run manually or from cron.

9 SyncGTS API

    public static boolean synchronizeOnce(String syncDescriptionFile) {
        boolean success = false;
        try {
            // Load the sync description from its XML file
            SyncDescription description = (SyncDescription) Utils.deserializeDocument(
                syncDescriptionFile, SyncDescription.class);
            // Sync with the trust fabric once
            SyncGTS.getInstance().syncOnce(description);
            success = true;
        } catch (Exception e) {
            e.printStackTrace();
        }
        return success;
    }

For more details see http://cagrid.org/display/knowledgebase/Part+Four+-+Authentication
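The reconciliation that a "sync once" against the trust fabric has to perform (slides 8 and 9), as an added example written for this page and not caGrid's own SyncGTS code: a published list of trusted CAs with their CRLs and levels of assurance is mirrored into a Globus-style trust directory, refreshed CRLs are rewritten, CAs dropped from the fabric are removed, and CAs an administrator installed by hand are left alone. The TrustedAuthority model, the subject_hash stand-in for OpenSSL's subject-name hash and the manifest file name are assumptions.

```python
import hashlib
import os
from dataclasses import dataclass

@dataclass(frozen=True)
class TrustedAuthority:
    """One trusted CA as a GTS would publish it (constructed model)."""
    subject: str   # CA distinguished name
    ca_pem: str    # CA certificate text
    crl_pem: str   # CA's current CRL text
    level: str     # level of assurance the GTS groups this CA under

def subject_hash(subject: str) -> str:
    """Hypothetical stand-in for the OpenSSL subject hash that names
    trust-store files (<hash>.0 = CA cert, <hash>.r0 = its CRL)."""
    return hashlib.sha1(subject.encode()).hexdigest()[:8]

def sync_once(fabric, trust_dir, accepted_levels):
    """Reconcile trust_dir (think ~/.globus/certificates) with the fabric.
    Returns (installed, refreshed, removed) lists of file names."""
    os.makedirs(trust_dir, exist_ok=True)
    manifest = os.path.join(trust_dir, ".managed-by-sync")  # names written by earlier runs
    managed = set(open(manifest).read().split()) if os.path.exists(manifest) else set()
    wanted = {}
    for ta in fabric:
        if ta.level in accepted_levels:            # accept only chosen assurance levels
            h = subject_hash(ta.subject)
            wanted[h + ".0"] = ta.ca_pem
            wanted[h + ".r0"] = ta.crl_pem
    installed, refreshed, removed = [], [], []
    for name, content in wanted.items():
        path = os.path.join(trust_dir, name)
        if not os.path.exists(path):
            installed.append(name)
        elif open(path).read() != content:
            refreshed.append(name)                 # e.g. the CA issued a newer CRL
        else:
            continue
        with open(path, "w") as f:
            f.write(content)
    # Remove only what an earlier sync installed; CAs an admin placed by hand are kept.
    for name in sorted(managed - set(wanted)):
        path = os.path.join(trust_dir, name)
        if os.path.exists(path):
            os.remove(path)
            removed.append(name)
    with open(manifest, "w") as f:
        f.write("\n".join(sorted(wanted)))
    return installed, refreshed, removed
```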

10 Grid Authentication Collaboration

11 GTS / Dorian Circular Dependency Complicates Grid Installation

12 Credential Delegation Service (CDS)

CDS allows a grid user to delegate their grid credentials to other users and services that can perform grid actions as the original user.
    A service is able to request a delegated credential from CDS.
    The service uses the delegated credential to request other services.
    Nothing forces a service to use a delegated credential.
    CDS can also be used to delegate a credential to a gridGrouper group.
    The CDS protocol keeps private keys private.

13 Credential Delegation Service (CDS)

14 CDS Use

