Presentation is loading. Please wait.

Presentation is loading. Please wait.

Introduction to OSG Security Suchandra Thapa Computation Institute University of Chicago March 19, 20091GSAW 2009 Clemson.

Published byPrimrose Baker Modified over 9 years ago

Similar presentations

Presentation on theme: "Introduction to OSG Security Suchandra Thapa Computation Institute University of Chicago March 19, 20091GSAW 2009 Clemson."— Presentation transcript:

1 Introduction to OSG Security Suchandra Thapa Computation Institute University of Chicago March 19, 20091GSAW 2009 Clemson

2 Overview Discussion of basic security infrastructure used by OSG Will discuss certificates Will discuss procedures and policies for OSG Will discuss some of the tools available Q&A time afterwards March 19, 20092GSAW 2009 Clemson

3 Certificates Used OSG uses X.509 certificates for authentication and authorization Most certificates in DOEGrids certificate chain Obtained from GOC / Need someone to “vouch” for you All tools use and verify using certificates – User submissions (job submission, gsiftp) use proxies signed by user’s X.509 certificate – Sites and services have host certificates which are verified by user tools March 19, 2009GSAW 2009 Clemson3

4 CA Certificates What are they? – Public certificate for certificate authorities – Used to verify authenticity of user certificates Why do you care? – If you don’t have them, users can’t access your site March 19, 20094GSAW 2009 Clemson

5 Installing CA Certificates The OSG installation will not install CA certificates by default – Users will not be able to access your site! To install CA certificates – Edit a configuration file to select what CA distribution you want vdt-update-certs.conf – Run a script vdt-setup-ca-certificates 5 March 19, 2009GSAW 2009 Clemson

6 Choices for CA certificates You have two choices: – Recommended: OSG CA distribution IGTF + TeraGrid-only – Optional: VDT CA distribution IGTF only (Eventually) Same as OSG CA (Today) IGTF: Policy organization that makes sure that CAs are trustworthy You can make your own CA distribution You can add or remove CAs March 19, 20096GSAW 2009 Clemson

7 Why all this effort for CAs? Certificate authentication is the first hurdle for a user to jump through Do you trust all CAs to certify users? – Does your site have a policy about user access? – Do you only trust US CAs? European CAs? – Do you trust the IGTF-accredited Iranian CA? Does the head of your institution? March 19, 20097GSAW 2009 Clemson

8 Updating CAs CAs are regularly updated – New CAs added – Old CAs removed – Tweaks to existing CAs If you don’t keep up to date: – May be unable to authenticate some user – May incorrectly accept some users Easy to keep up to date – vdt-update-certs Runs once a day, gets latest CA certs March 19, 20098GSAW 2009 Clemson

9 CA Certificate RPM There is an alternative for CA Certificate installation: RPM – We have an RPM for each CA cert distribution – No deb package yet – Install and keep up to date with yum – Some details not discussed here: read the docs March 19, 20099GSAW 2009 Clemson

10 Certificate Revocation Lists (CRLs) It’s not enough to have the CAs CAs publish CRLs: lists of certificates that have been revoked – Sometimes revoked for administrative reasons – Sometimes revoked for security reasons You really want up to date CRLs CE provides periodic update of CRLs – Program called fetch-cr – Runs once a day (today) – Will run four times a day (soon) March 19, 200910GSAW 2009 Clemson

11 Authorization Done by gridmap files or GUMS Gridmap files are fairly simple – Text file with DN followed by local account Will look at GUMS March 19, 2009GSAW 2009 Clemson11

12 GUMS The GUMS service performs one function: it maps users' grid certificates/credentials to site-specific identities/credentials (e.g., UNIX accounts or Kerberos principals) in accordance with the site's grid resource usage policy. The GUMS interface for the callout implements two standards, the older OSGA OpenSAML 1.1 AuthZ format and the new OSGA OpenSAML-XACML 2.1 AuthZ format. The existence of these interfaces means that any kind of client that implements one of these standards is able to contact GUMS. Existing clients are GT2/Prima, GT4, gPlazma/dCache, and glexec. Command line client too Allows blacklisting of users/DNs March 19, 2009GSAW 2009 Clemson12

13 Security Team Mine Altunay (maltunay@fnal.gov)maltunay@fnal.gov – Security Officer Doug Olson (dlolson@lbl.gov)dlolson@lbl.gov – Deputy Security Officer Jim Basney (jbasney@ncsa.uiuc.edu)jbasney@ncsa.uiuc.edu Ron Cudzewicz (cudzewicz@fnal.gov) March 19, 2009GSAW 2009 Clemson13

14 Policies Site Registration Database – OSG Information Management – site manager, site security, site operations, site incident response – Names, email, address, phone – Old stale info needs to be uptaded – OIM is maintained at GOC – We currently check once year, but will the frequency increase once OIM sends automated emails March 19, 2009GSAW 2009 Clemson14

15 Site Operations Policy: how to be a good citizen https://osg-docdb.opensciencegrid.org:440/cgi-bin/RetrieveFile?docid=676, https://osg-docdb.opensciencegrid.org:440/cgi-bin/RetrieveFile?docid=676 Must support at least one VO: MIS – We are doing drills, tests are coming up – not perfect but getting there – Update your gums template – Let us know if you suspend a VO Apply patches announced asap – Let us know if you cannot Make sure published site info is accurate

16 Incident Response Policy Incident: any real or suspected event that poses a real or potential threat You MUST Report and Respond – Report: email security@opensciencegrid.orgsecurity@opensciencegrid.org – abuse@opensciencegrid.org abuse@opensciencegrid.org – +1 317-278-9699 – https://twiki.grid.iu.edu/twiki/bin/view/Security/IncidentDiscoveryReporting – Respond: follow this policy in collaboration with OSG

17 When contacting OSG, let us know: – If any certs are compromised, or suspicious – If any VO accounts are affected – Have you informed any CA for revocation ? – Have you shut down the node ? Will you ? – Any suspicious connection out of your node to another grid resource ? – Any corrupted data – Please KEEP US INFORMED, keep emailing during your forensics, even if you think it is embarrassing – We are ALL in this together

18 VDT Security Tools CA hygiene: run fetch-crl to update CRLs – How can we improve the tools Run vdt-cert-update to update CA directory Update your GUMS template – Subscribe to RSS feed at GOC – www.grid.iu.edu/news www.grid.iu.edu/news – http://software.grid.iu.edu/pacman/tarballs/vo-version/gums.template http://software.grid.iu.edu/pacman/tarballs/vo-version/gums.template – http://vdt.cs.wisc.edu/components/gums.html

19 Example of a security incident Will outline an example of how to deal with a security incident Four major steps – Stop further exposure – Find out if your site was exposed and to what extent – Conduct basic forensics – Clean up suspect jobs March 19, 2009GSAW 2009 Clemson19

20 Stopping further exposure Just ban the user’s DN How? March 19, 2009GSAW 2009 Clemson20

21 Sites using gridmap Update the edg/etc/edg-mkgridmap.conf – Add a line 'deny “DN”' – Wild cards are also accepted – Regenerate grid-mapfile executing edg/sbin/edg- mkgridmap – Log file can be generally found at edg/log/edg- mkgridmap.log Check your grid-mapfile and confirm that the DN has indeed been removed Repeat for any other hosts using gridmap files March 19, 2009GSAW 2009 Clemson21

22 If Using GUMS Go to the GUMS interface –https://gums- host:8443/gums/ Add new manual group called banned – Configuration -> User Groups -> Add – Select type = manual and provide name, description. Then save Add this group to a “banned user group” – Click on Configuration – Select the group from drop down menu and save March 19, 2009GSAW 2009 Clemson22

23 GUMS Part 2 Add user DN to the banned group – Click on “Manual User Group Members” in “User Management” section – Click Add, select the appropriate “user group” – Add the user DN and save Test the mapping from your CE – %gums-host mapUser "DN" (as su) – Only if the mapping returns null, the user is banned March 19, 2009GSAW 2009 Clemson23

24 Determining Exposure Need to check logs Examples – Globus gatekeeper and accounting logs – GUMS log can provide a centralized place to check multiple gatekeepers – Check syslogs Location of some log files can be found at – https://twiki.grid.iu.edu/bin/view/Integration/ITB 092/ComputeElementLogFiles What did you find? March 19, 2009GSAW 2009 Clemson24

25 Checking Exposure 2 Has the “bad DN” run on your site? What IP address did the job originate from? When (timestamps)? What unix account did the user map to? Did the mapping use a pool account or were all users from VO mapped to same account? March 19, 2009GSAW 2009 Clemson25

26 Need to continue? If the site had no record of the activity from the user, then Hurray!! No exposure and you are done! – Please make sure that none of your grid resources were exposed If you see activity related to that DN, more action is needed March 19, 2009GSAW 2009 Clemson26

27 Forensics Conduct basic forensics to identify what the DN has run – Check the logs to see what jobmanager(s) were used – Check your batch system logs – Log into nodes and/or CE and see which processes are owned by the user – Use lsof and netstat to find any open files or ports that the DN is running – Check scripts, run strings to see if any hostnames or contact information appears March 19, 2009GSAW 2009 Clemson27

28 Cleanup Use batch manager to remove any remaining jobs – condor_rm cluster_id – qdel job_id – kill -9 any remaining processes – If all VO DNs mapped to same account, can delete all jobs for that account March 19, 2009GSAW 2009 Clemson28

29 Escalations / Followup Follow home institution policies for security incidents If the DN may have been able to access or obtain other user DNs contact security@opensciencegrid.org immediately security@opensciencegrid.org March 19, 2009GSAW 2009 Clemson29

30 Security Best Practices Best Practices https://twiki.grid.iu.edu/bin/view/Security/Be stPractices March 19, 2009GSAW 2009 Clemson30

31 Acknowledgements Mine Altunay Jim Blasney Alain Roy Anand Padmanabhan March 19, 2009GSAW 2009 Clemson31

Download ppt "Introduction to OSG Security Suchandra Thapa Computation Institute University of Chicago March 19, 20091GSAW 2009 Clemson."

Similar presentations

Site Authorization Service (SAZ) at Fermilab Vijay Sekhri and Igor Mandrichenko Fermilab CHEP03, March 25, 2003.

Site Authorization Service (SAZ) at Fermilab Vijay Sekhri and Igor Mandrichenko Fermilab CHEP03, March 25, 2003.
Security Q&A OSG Site Administrators workshop Indianapolis August 6-7 2009 Doug Olson LBNL.

Security Q&A OSG Site Administrators workshop Indianapolis August Doug Olson LBNL.
Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester

Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester
Grid Security. Typical Grid Scenario Users Resources.

Grid Security. Typical Grid Scenario Users Resources.
Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.

Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 9: Implementing and Using Group Policy.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 9: Implementing and Using Group Policy.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 9: Implementing and Using Group Policy.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 9: Implementing and Using Group Policy.
Security Mechanisms The European DataGrid Project Team

Security Mechanisms The European DataGrid Project Team
Configuring Active Directory Certificate Services Lesson 13.

Configuring Active Directory Certificate Services Lesson 13.
Course 6421A Module 7: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service Presentation: 60 minutes Lab: 60 minutes Module.

Course 6421A Module 7: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service Presentation: 60 minutes Lab: 60 minutes Module.
Human Services Directory Presented by: Liz Meggetto, Central West Gippsland Primary Care Partnership, July, 2013 Acknowledgements to: Ilka Carapina, Database.

Human Services Directory Presented by: Liz Meggetto, Central West Gippsland Primary Care Partnership, July, 2013 Acknowledgements to: Ilka Carapina, Database.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 9: Implementing and Using Group Policy.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 9: Implementing and Using Group Policy.
LANDesk Management Gateway

LANDesk Management Gateway
SMART Agency Tipsheet Staff List This document focuses on setting up and maintaining program staff. Total Pages: 14 Staff Profile Staff Address Staff Assignment.

SMART Agency Tipsheet Staff List This document focuses on setting up and maintaining program staff. Total Pages: 14 Staff Profile Staff Address Staff Assignment.
Open Science Grid Software Stack, Virtual Data Toolkit and Interoperability Activities D. Olson, LBNL for the OSG www.opensciencegrid.org International.

Open Science Grid Software Stack, Virtual Data Toolkit and Interoperability Activities D. Olson, LBNL for the OSG International.
GRID Centralized management of the Globus grid-mapfile Carlo Rocca INFN, Catania.

GRID Centralized management of the Globus grid-mapfile Carlo Rocca INFN, Catania.
The EPIKH Project (Exchange Programme to advance e-Infrastructure Know-How) VOMS Installation and configuration Bouchra

The EPIKH Project (Exchange Programme to advance e-Infrastructure Know-How) VOMS Installation and configuration Bouchra
OSG PKI Grid Admin (GA) Training Mine Altunay, Jim Basney OSG PKI Team October 8, 2012.

OSG PKI Grid Admin (GA) Training Mine Altunay, Jim Basney OSG PKI Team October 8, 2012.
CILogon OSG CA Mine Altunay Jim Basney TAGPMA Meeting Pittsburgh May 27, 2015.

CILogon OSG CA Mine Altunay Jim Basney TAGPMA Meeting Pittsburgh May 27, 2015.
OSG S ITE INSTALLATION AND M AINTENANCE Suchandra Thapa Computation Institute University of Chicago.

OSG S ITE INSTALLATION AND M AINTENANCE Suchandra Thapa Computation Institute University of Chicago.

Similar presentations

Ads by Google