1 / 14

caGrid Security Overview

caGrid Security Overview. Mark Grand Senior Engineer caGrid Knowledge Center February 7, 2011. caGrid Organization. Security Services. Dorian. Identity Provider Creation and management of user accounts Issue Security Assertion Markup Language (SAML) Assertions as proof of authentication

janina
Télécharger la présentation

caGrid Security Overview

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. caGrid Security Overview Mark Grand Senior Engineer caGrid Knowledge Center February 7, 2011

  2. caGrid Organization

  3. Security Services

  4. Dorian • Identity Provider • Creation and management of user accounts • Issue Security Assertion Markup Language (SAML) Assertions as proof of authentication • Certificate Authority to sign SAML Assertions • Identify Federation Service • Manages trusted identity providers • Manages Grid users • Manages host certificates • Issues Grid credentials (X.509 Certificates) • Manages internal Dorian groups (i.e., Dorian administrators)

  5. GTS Details The Grid Trust Service (GTS) is a caGrid service enabling the provisioning and management of a grid trust fabric. The features of the GTS can be summarized as follows: • It provides a complete Grid enabled federated solution for registering and managing trusted certificate authorities and their certificate revocation lists (CRLs). • It allows the definition and management of levels of assurance, allowing Grid administrators to group CAs appropriately into levels of assurance. • Supports retrieval of the current state of the trust fabric

  6. GTS Details (2) • GTS services can be federated or “chained” in a fashion that is similar to DNS on the Internet

  7. Grid of Grids

  8. SyncGTS The SyncGTS Service: • Is installed by the caGrid installer to every grid container. • Is responsible for keeping the local trust store for each client and service updated. Thus, every Grid node has an up-to-date view of the trust fabric, including a current list of trusted CAs and corresponding CRLs • The local trust store is the ~/.globus/certificates directory SyncGTS can be run manually or from cron.

  9. SyncGTS API public static booleansynchronizeOnce(String syncDescriptionFile) {boolean success = false; try { //Load Sync Description SyncDescription description = (SyncDescription)Utils.deserializeDocument(syncDescriptionFile,SyncDescription.class); //Sync with the Trust Fabric OnceSyncGTS.getInstance().syncOnce(description); success = true; } catch (Exception e) {e.printStackTrace(); } return success; } • Form more details see http://cagrid.org/display/knowledgebase/Part+Four+-+Authentication

  10. Grid Authentication Collaboration

  11. GTS / Dorian Circular Dependency Complicates Grid Installation

  12. Credential Delegation Service (CDS) • CDS allows a grid userto delegate their grid credentials to other users and services that can perform grid actions as the original user. • A service is able to request a delegated credential from CDS. • The service uses the delegated credential to request other services. • Nothing forces a service to use a delegated credential. • CDS can also be used to delegate a credential to a gridGrouper group. • CDS protocol keeps private keys private

  13. Credential Delegation Service (CDS)

  14. CDS Use

More Related