
Grid Security 22 Apr 2002 UK HEP Sysman Meeting



  1. Grid Security
  22 Apr 2002
  UK HEP Sysman Meeting
  David Kelsey
  CLRC/RAL, UK
  d.p.kelsey@rl.ac.uk
  D.P.Kelsey, Security, UKHEP Sysman

  2. Overview
  • What is GSI?
  • DataGrid TB1 Security
  • Authentication
  • Authorisation
  • Firewalls
  • Operational security procedures

  3. What is GSI?
  • Grid Security Infrastructure
  • See recent Globus Developers Tutorial: http://www.globus.org/about/events/US_tutorial/slides/Dev-04-Security1.ppt
  • Selected slides from this presentation

  4. DataGrid TB1 Security
  • See documentation on EDG WP6 web site: http://marianne.in2p3.fr/
    • Usage Rules
    • Users Guide
    • Installation Guide
  • The various installation kits do much (most?) of the work for you

  5. Authentication
  • Certificates
  • Trusted Certificate Authorities
  • Converting certificate formats
  • Certificate Revocation Lists

  6. Certificates
  • Need certificates for:
    • Users: they request their own, with Registration confirmation
    • Hosts: for the gatekeeper
    • Services: e.g. LDAP/MDS

  7. Trusted Certificate Authorities
  • List maintained by EDG WP6 CA group
  • Procedures and policies compared with minimum requirements
  • “Matrix of trust” being created
    • Includes USA and CrossGrid CAs
  • Each site has the final say
    • But the default is to accept the EDG list

  8. Converting cert formats
  • 2 formats: PEM and PKCS12
    • Extensions: .pem and .p12
  • Install edg-utils package
  • Convert PEM to PKCS12: /opt/edg/bin/grid-mk-pkcs12
  • Convert PKCS12 to PEM: /opt/edg/bin/pkcs12-extract
  • Or use openssl commands (see Installation Guide, section 12.1.3)

  9. Certificate Revocation Lists
  • CRL
    • Each CA maintains a signed list of revoked certificates
  • Must be current
    • If not, all certificates from that CA are treated as revoked
  • GSI checks the local copy of the CRL
    • Must copy regularly (every day?)
  • edg-fetch-crl to update CRLs
  • edg-crl-upgraded daemon to regularly update
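The rule on this slide is easy to state and easy to get wrong in operations: a CRL that has passed its nextUpdate time is not "slightly old", it makes every certificate from that CA unusable at the site until a fresh copy arrives. The following Python is an added illustration (not code from the talk, Globus or EDG) of the decision GSI takes against the local CRL copy, plus the check a daily edg-fetch-crl cron job is there to satisfy. The CA names, nextUpdate times and revoked serial numbers are constructed sample values, and the CRL is modelled as a small dict rather than parsed from a PEM file.

```python
from datetime import datetime, timedelta

# Constructed sample CRL metadata for two CAs (not real CA data). The two
# fields that matter for the decision are the CRL's nextUpdate time and
# its set of revoked serial numbers. A real deployment would parse the
# .r0 files that edg-fetch-crl drops into the trusted-CA directory.
CRLS = {
    "UK-eScience-CA": {
        "next_update": datetime(2002, 4, 30, 0, 0),
        "revoked": {0x1A2B, 0x1A2C},
    },
    "INFN-CA": {
        "next_update": datetime(2002, 4, 20, 0, 0),  # already expired by 22 Apr 2002
        "revoked": set(),
    },
}

# "Now" for the worked example: the day of the meeting.
MEETING_DAY = datetime(2002, 4, 22, 12, 0)


def crl_is_current(crl, now):
    """A CRL is usable only until its nextUpdate time has passed."""
    return now < crl["next_update"]


def certificate_status(ca, serial, crls, now):
    """Mimic the GSI decision against the local copy of the issuing CA's CRL.

    Returns one of:
      "accepted" - CRL is current and the serial is not on it
      "revoked"  - serial is listed on a current CRL
      "rejected" - no CRL at all, or the CRL is stale: every certificate
                   from that CA is treated as revoked
    """
    crl = crls.get(ca)
    if crl is None or not crl_is_current(crl, now):
        return "rejected"
    if serial in crl["revoked"]:
        return "revoked"
    return "accepted"


def crls_needing_refresh(crls, now, margin_days=1):
    """CAs whose CRL expires within `margin_days` (or has already expired).

    A daily fetch must replace these before the next run; anything returned
    here with a margin of one day is a CA whose users are about to be
    locked out. Returns a sorted list of CA names.
    """
    margin = timedelta(days=margin_days)
    return sorted(
        ca for ca, crl in crls.items() if crl["next_update"] - now <= margin
    )


if __name__ == "__main__":
    checks = [("UK-eScience-CA", 0x1A2B), ("UK-eScience-CA", 0x9999),
              ("INFN-CA", 0x0001), ("Unknown-CA", 0x0001)]
    for ca, serial in checks:
        print(ca, hex(serial), certificate_status(ca, serial, CRLS, MEETING_DAY))
    print("refresh today:", crls_needing_refresh(CRLS, MEETING_DAY))
```

The INFN-CA case shows the failure mode the slide warns about: the CRL lists nothing as revoked, but because it is stale every INFN certificate is rejected, which from the user's side looks like a random authentication failure. Running the refresh check with a margin larger than the fetch interval gives the cron job some slack for a CA whose CRL download is intermittently unreachable.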

  10. Authorisation
  • Usage Rules
    • Users sign this and no other forms
    • Use browser with your EDG certificate
  • Virtual Organisations
    • Users need to request to join
  • mkgridmap
    • Tool to create the grid-mapfile
  • Pooled accounts (gridmapdir dynamic accounts): http://www.gridpp.ac.uk/gridmapdir/

  11. EDG Authorisation: grid-mapfile generation
  [Diagram: a VO Directory (o=testbed,dc=eu-datagrid,dc=org with ou=People and ou=Testbed1) and an “Authorization Directory” (o=xyz,dc=eu-datagrid,dc=org with ou=People) hold user entries (CN=John Smith, CN=Mario Rossi, CN=Franz Elmer), each tied to an authentication certificate; mkgridmap combines the VO entries with the ban list and the local users to produce the grid-mapfile.]

  12. Authorisation (cont’d)
  • Today can only map one certificate to one account
    • If multiple roles are needed, more than one certificate is needed
  • More work is still needed on:
    • Registration Authorities for VOs
    • Security of VO LDAP info
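Slides 10 to 12 describe the authorisation pipeline (VO membership, ban list and local users combined by mkgridmap into a grid-mapfile; pooled accounts leased through gridmapdir; one certificate mapping to one account). The Python below is an added worked model of that pipeline, not the EDG tools' own code: `build_gridmap` stands in for mkgridmap, `parse_gridmap` reads the standard grid-mapfile line format (a quoted DN followed by an account name, with a leading dot marking a gridmapdir pool), and `GridmapDir` is a deliberately minimal in-memory model of the pool leasing that the real implementation does with hard links in a directory. The DNs, VO name, ban list and account names are constructed sample values.

```python
import shlex

# Constructed sample inputs (not from the talk): VO membership as mkgridmap
# would pull it from the VO LDAP directory, the site's ban list, and the
# local users who get a fixed account instead of a pooled one.
VO_MEMBERS = {
    "testbed": [
        "/O=Grid/O=UKHEP/OU=ral.ac.uk/CN=John Smith",
        "/O=Grid/O=UKHEP/OU=ral.ac.uk/CN=Mario Rossi",
        "/O=Grid/O=UKHEP/OU=ral.ac.uk/CN=Franz Elmer",
    ],
}
BAN_LIST = {"/O=Grid/O=UKHEP/OU=ral.ac.uk/CN=Mario Rossi"}
LOCAL_USERS = {"/O=Grid/O=UKHEP/OU=ral.ac.uk/CN=Franz Elmer": "elmer"}


def build_gridmap(vo_members, ban_list, local_users):
    """Combine VO lists, ban list and local users into grid-mapfile text.

    Local users keep their fixed account; other VO members get the VO's
    pool (".<vo>", the gridmapdir convention); banned DNs are dropped.
    A DN is written at most once, so one certificate maps to one account.
    """
    lines, seen = [], set()
    for vo, dns in vo_members.items():
        for dn in dns:
            if dn in ban_list or dn in seen:
                continue
            seen.add(dn)
            lines.append('"%s" %s' % (dn, local_users.get(dn, "." + vo)))
    return "\n".join(lines) + "\n"


def parse_gridmap(text):
    """Parse grid-mapfile lines: "<DN>" account[,account...].

    Only the first account of a comma-separated list is kept, matching the
    one-certificate-one-account limitation the slide describes.
    """
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        if len(parts) != 2:
            raise ValueError("malformed grid-mapfile line: %r" % line)
        dn, accounts = parts
        mapping.setdefault(dn, accounts.split(",")[0])  # first entry wins
    return mapping


class GridmapDir:
    """Minimal model of gridmapdir pooled accounts: each unix account in a
    pool is leased to one DN, and the same DN gets the same account back."""

    def __init__(self, pools):
        self.free = {pool: list(accounts) for pool, accounts in pools.items()}
        self.leases = {}

    def lease(self, pool, dn):
        if dn in self.leases:
            return self.leases[dn]
        if not self.free.get(pool):
            return None  # pool exhausted: the request must be refused
        account = self.free[pool].pop(0)
        self.leases[dn] = account
        return account


def map_user(dn, mapping, gridmapdir):
    """Gatekeeper-style lookup: unknown DN -> None, ".pool" -> leased account."""
    account = mapping.get(dn)
    if account is None:
        return None
    if account.startswith("."):
        return gridmapdir.lease(account[1:], dn)
    return account
```

The point the model makes concrete is that authorisation at the site is entirely a function of the mapfile and the pool state: a DN missing from the mapfile (banned, or never a VO member) is refused regardless of how good its certificate is, and a pool that runs out refuses valid users, which is why pool size is an operational setting worth monitoring.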

  13. Firewalls – ports used
  Port  Service
  80    HTTP server for Network Monitoring
  123   Network Time Protocol
  2119  Globus Gatekeeper
  2135  MDS info port
  2169  FTree info port
  2170  Information Index
  2171  FTree info port
  2811  GSI ftp server
  3147  RFIO
  7771  Resource Broker
  7846  Logging & Bookkeeping
  8080  Tomcat Server (R-GMA, SpitFire)
  8881  Job Sub. Service (client)
  9991  Job Sub. Service (server)

  14. Operational Security
  • Each site must nominate a Security Contact
    • But is there a mail list yet?
  • Incident discovery
    • We need some tools/procedures (EDG WP6?)
  • Audit logs
    • Grid Mapping (Gatekeeper log)
    • Pooled accounts
    • Both in syslog
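The audit logs the slide lists are what turn a pooled-account incident back into a person: the gatekeeper's mapping events in syslog say which DN was behind which local account at a given time. The Python below is an added example of that correlation (not a tool from the talk or from EDG). The syslog line layout is standard, but the gatekeeper message text and the grid-mapfile contents are constructed placeholders, so the message regex must be adapted to what your gatekeeper actually writes.

```python
import re
from datetime import datetime

# Constructed syslog excerpt. The "Authorized ... as local user" message
# text is an illustrative placeholder, not the real gatekeeper's wording.
SYSLOG = """\
Apr 22 09:01:12 gk01 gatekeeper[1234]: Authorized "/O=Grid/O=UKHEP/CN=John Smith" as local user testbed001
Apr 22 09:01:12 gk01 gridmapdir[1234]: leased testbed001 to "/O=Grid/O=UKHEP/CN=John Smith"
Apr 22 10:15:40 gk01 gatekeeper[1301]: Authorized "/O=Grid/O=UKHEP/CN=Franz Elmer" as local user elmer
Apr 22 11:02:03 gk01 gatekeeper[1410]: Authorized "/O=Grid/O=UKHEP/CN=Mario Rossi" as local user testbed001
Apr 22 11:30:00 gk01 gatekeeper[1500]: Authorized "/O=Grid/O=UKHEP/CN=Nobody" as local user testbed002
"""

# Current grid-mapfile contents (constructed): DN -> account or ".pool".
GRIDMAP = {
    "/O=Grid/O=UKHEP/CN=John Smith": ".testbed",
    "/O=Grid/O=UKHEP/CN=Franz Elmer": "elmer",
    "/O=Grid/O=UKHEP/CN=Mario Rossi": ".testbed",
}

SYSLOG_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (?P<prog>\w+)\[\d+\]: (?P<msg>.*)$')
AUTH_RE = re.compile(r'^Authorized "(?P<dn>[^"]+)" as local user (?P<acct>\S+)$')


def parse_ts(text):
    """Syslog timestamps carry no year; ordering within one log is all we need."""
    return datetime.strptime(text, "%b %d %H:%M:%S")


def parse_authorisations(text):
    """Return (timestamp, dn, account) for each gatekeeper mapping event, in time order."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m or m.group("prog") != "gatekeeper":
            continue
        a = AUTH_RE.match(m.group("msg"))
        if a:
            events.append((parse_ts(m.group("ts")), a.group("dn"), a.group("acct")))
    return sorted(events)


def who_used(events, account, when):
    """The DN most recently mapped to `account` at or before `when`
    (a syslog-style timestamp string), or None. This is the question an
    incident on a pooled account turns into."""
    limit, owner = parse_ts(when), None
    for ts, dn, acct in events:
        if acct == account and ts <= limit:
            owner = dn
    return owner


def unmapped_dns(events, gridmap):
    """DNs that were authorised but are absent from the current grid-mapfile:
    either removed since (check the mkgridmap history) or never legitimately there."""
    return sorted({dn for _, dn, _ in events if dn not in gridmap})


if __name__ == "__main__":
    events = parse_authorisations(SYSLOG)
    print("testbed001 at 11:10 was", who_used(events, "testbed001", "Apr 22 11:10:00"))
    print("not in current mapfile:", unmapped_dns(events, GRIDMAP))
```

Because pooled accounts get recycled, the account name alone identifies nobody; the answer always depends on the time window, which is why the gatekeeper and gridmapdir entries both need to land in syslog with trustworthy clocks (the NTP port on the previous slide is there for more than convenience).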
