1 / 30

Security Mechanisms

Security Mechanisms. The European DataGrid Project Team http://www.eu-datagrid.org. Peter.Kunszt@cern.ch. Summary. Security mechanism of EDG Certificates Authentication/Authorization Overview of Authentication mechanism Registration and Usage Service security now

eloise
Télécharger la présentation

Security Mechanisms

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Security Mechanisms The European DataGrid Project Team http://www.eu-datagrid.org Peter.Kunszt@cern.ch

  2. Summary • Security mechanism of EDG • Certificates • Authentication/Authorization • Overview of Authentication mechanism • Registration and Usage • Service security now • Service security in Web Services

  3. Security Certificates • The project software supports ~12 Certification Authorities from the various partners involved in the project • http://marianne.in2p3.fr/datagrid/ca/ca-table-ca.html • For a machine to participate as a Testbed 1 resource allthe CAs must be enabled. • all CA certificates can be installed without compromising local site security • Each host running a Grid service needs to be able to authenticate users and other hosts • site manager has full control over security for local nodes • Virtual Organisation represents a community of users • 6 VOs: 4 HEP (ALICE, ATLAS, CMS, LHCb), 1 EO, 1 Biology Account Registration Usage guidelines

  4. Authentication/Authorization • Authentication (CA Working Group) • 11 national certification authorities • policies & procedures  mutual trust • users identified by CA’s certificates • Authorization (Authorization Working Group) • Based on Virtual Organizations (VO). • Management tools for LDAP-based membership lists. • 6+1 Virtual Organizations

  5. CA service user VO-LDAP 1. Authentication Overview

  6. CA grid-cert-request service user cert-request VO-LDAP 1. Authentication Overview

  7. CA grid-cert-request cert signing service user cert-request certificate VO-LDAP 1. Authentication Overview

  8. CA grid-cert-request cert signing service user cert-request certificate convert cert.pkcs12 VO-LDAP 1. Authentication Overview

  9. CA grid-cert-request cert signing service user cert-request certificate convert cert.pkcs12 registration VO-LDAP 1. Authentication Overview

  10. CA grid-cert-request cert signing service user cert-request certificate convert cert.pkcs12 registration VO-LDAP proxy-cert grid-proxy-init 1. Authentication Overview

  11. CA grid-cert-request grid-cert-request cert signing service user host-request cert-request certificate convert cert.pkcs12 registration VO-LDAP proxy-cert grid-proxy-init 1. Authentication Overview

  12. CA grid-cert-request grid-cert-request cert signing cert signing service user host-request cert-request host-cert certificate convert cert.pkcs12 registration VO-LDAP proxy-cert grid-proxy-init 1. Authentication Overview

  13. CA grid-cert-request grid-cert-request cert signing cert signing service user host-request cert-request cert/crl update host-cert certificate convert ca-certificate cert.pkcs12 registration crl VO-LDAP proxy-cert grid-proxy-init 1. Authentication Overview

  14. CA grid-cert-request grid-cert-request cert signing cert signing service user host-request cert-request cert/crl update host-cert certificate convert ca-certificate cert.pkcs12 registration crl VO-LDAP gridmap mkgridmap proxy-cert grid-proxy-init 1. Authentication Overview

  15. CA grid-cert-request grid-cert-request cert signing cert signing service user host-request cert-request cert/crl update host-cert certificate convert ca-certificate cert.pkcs12 registration crl VO-LDAP gridmap mkgridmap proxy-cert grid-proxy-init host/proxy certs exchanged 1. Authentication Overview

  16. Certificate/Authentication Obtaining a certificate from a CA see http://marianne.in2p3.fr/datagrid/ca/ for CAs • new certificate: grid-cert-request • new files in ~/.globus: usercert_request.pem userkey.pem • mail it to the appropriate CA (e.g. cern-globus-ca@cern.ch) • save the answer • ~/.globus/usercert.pem • new proxy certificate: grid-proxy-init • /tmp/x509up_u<uid> -> You have a certificate signed by an EDG CA.

  17. Registration/Authorization User registration in an EDG Virtual Organisation • convert your certificate: • openssl pkcs12 –export –in ~/.globus/usercert.pem –inkey ~/.globus/userkey.pem –out user.p12 –name ’Joe Smith’ • import your certificate in your browser • sign the usage guidelines: https://marianne.in2p3.fr/cgi-bin/datagrid/register/account.pl • ask an account from your VO administrator by email -> You are registered in the VO-LDAP server and have a user account.

  18. Usage You must have a valid certificate from a trusted CA! • „login”: grid-proxy-init short lifetime certificate: 24 hours Enter PEM pass phrase: ...........................+++++ ....................................+++++ • checking the proxy: grid-proxy-info -subject /O=Grid/O=CERN/OU=cern.ch/CN=Akos Frohner/CN=proxy • „logout”: grid-proxy-destroy -> use the grid services

  19. Signing a Request Upon a certificate request from the user • checking the identity of the user (Registration Authority) • signing the request and sending back the result • openssl ca –in usercert_request.pem –out usercert.pem • if something goes wrong: revocation of a certificate -> CRL • the issued certificates are described in the Certificate Policy (CP) • the process is described in the Certificate Practice Statement (CPS)

  20. Service You must have the trusted CA certificates in files and the VO-LDAP server(s) URL configured. • registering a trusted CA • /etc/grid-security/certificates: hashed cert, crl and url • generating a gridmap file: mkgridmap • /etc/grid-security/gridmap: DN -> userid/gid mapping • generating host/service certificate: grid-cert-request –host (see user certificates for the whole process) Start the service!

  21. Testbed support within WP6 Authentication – mkgridmap tool : generate gridmap file

  22. WMS secure architecture

  23. HTTP + SSLRequest + client certificate Security Mechanism for Spitfire Servlet Container SSLServletSocketFactory RDBMS Trusted CAs TrustManager Revoked Certsrepository Security Servlet ConnectionPool Authorization Module Role repository Translator Servlet Connectionmappings Map role to connection id

  24. HTTP + SSLRequest + client certificate Is certificate signedby a trusted CA? Security Mechanism for Spitfire Servlet Container SSLServletSocketFactory RDBMS Trusted CAs TrustManager Revoked Certsrepository Security Servlet ConnectionPool Authorization Module Role repository Translator Servlet Connectionmappings Map role to connection id

  25. HTTP + SSLRequest + client certificate Is certificate signedby a trusted CA? Has certificatebeen revoked? Security Mechanism for Spitfire Servlet Container SSLServletSocketFactory RDBMS Trusted CAs TrustManager Revoked Certsrepository Security Servlet ConnectionPool Authorization Module Role repository Translator Servlet Connectionmappings Map role to connection id

  26. HTTP + SSLRequest + client certificate Is certificate signedby a trusted CA? Has certificatebeen revoked? No No Yes Find default Security Mechanism for Spitfire Servlet Container SSLServletSocketFactory RDBMS Trusted CAs TrustManager Revoked Certsrepository Security Servlet ConnectionPool Authorization Module Does user specify role? Role repository Translator Servlet Connectionmappings Map role to connection id

  27. HTTP + SSLRequest + client certificate Is certificate signedby a trusted CA? Has certificatebeen revoked? No No Yes Find default Role ok? Security Mechanism for Spitfire Servlet Container SSLServletSocketFactory RDBMS Trusted CAs TrustManager Revoked Certsrepository Security Servlet ConnectionPool Authorization Module Does user specify role? Role repository Translator Servlet Role Connectionmappings Map role to connection id

  28. HTTP + SSLRequest + client certificate Is certificate signedby a trusted CA? Has certificatebeen revoked? No No Yes Find default Role ok? Request and connection ID Security Mechanism for Spitfire Servlet Container SSLServletSocketFactory RDBMS Trusted CAs TrustManager Revoked Certsrepository Security Servlet ConnectionPool Authorization Module Does user specify role? Role repository Translator Servlet Role Connectionmappings Map role to connection id

  29. HTTP + SSLRequest + client certificate Is certificate signedby a trusted CA? Has certificatebeen revoked? No No Yes Find default Role ok? Request and connection ID Security Mechanism for Spitfire Servlet Container SSLServletSocketFactory RDBMS Trusted CAs TrustManager Revoked Certsrepository Security Servlet ConnectionPool Authorization Module Does user specify role? Role repository Translator Servlet Role Connectionmappings Map role to connection id

  30. Further Information

More Related