
Accessing the Grid from DL

Accessing the Grid from DL. John Kewley, Grid Technology Group, E-Science Centre, CCLRC Daresbury Laboratory, j.kewley@dl.ac.uk. Talk outline: requirements for accessing the NW-Grid; an introduction to Grid Security; how to apply for a Grid Certificate and access the NW-Grid / NGS.


Presentation Transcript


  1. Accessing the Grid from DL
     John Kewley, Grid Technology Group, E-Science Centre, CCLRC Daresbury Laboratory, j.kewley@dl.ac.uk

  2. Talk outline
     • Requirements for accessing the NW-Grid
     • An introduction to Grid Security
     • How to apply for a Grid Certificate and access the NW-Grid / NGS
     Content of future talks will cover:
     • Next steps with the NW-Grid
     • Use of the DL Condor Pool
     • NGS and the NGS Portal

  3. Requirements
     To access the Grid, you will need:
     • An e-Science certificate, from a trusted certification authority, in an appropriate format
     • The Distinguished Name (DN) from your certificate registered with the Grid resource you intend to use
     • Client-side middleware on the accessing computer (unless you intend using only browser/portal technology)
     • No firewalls "in the way" between your client and the grid resource

  4. Security Issues
     • How does the expensive Grid resource "account" for its use? Are these users who they claim to be?
     • How does a user utilise a resource on a remote machine when he may not have an account on any intervening ones?
     • How can you trust the remote machine to "behave" with your data?

  5. Security Basics
     • Authentication
       • Who you are, Identity
       • Non-repudiation
     • Authorisation
       • What you are allowed to do, Capability
       • Which resources you can use
     • Confidentiality (encryption)
     • Integrity (untampered, lossless)

  6. Tools of the trade
     Encryption
     • Secret "symmetric" key: both parties need to share the key
       • DES, RC4
       • Comparatively efficient
     • Public/private key, "asymmetric": 2 keys mathematically related
       • RSA, DSA
       • Slower
     One-way hash / message digest
     • MD5, SHA-1
     • Fast

  7. Gbbyf bs gur genqr Rapelcgvba • Frpergt “flzzrgevp” xrl – obgu cnegvrf arrq gb funer gur xrl • QRF, EP4 • Pbzcnengviryl rssvpvrag • Choyvp/cevingr xrl – “nflzzrgevp” - 2 xrlf zngurzngvpnyyl eryngrq • EFN, QFN • Fybjre Barjnl unfu / zrffntr qvtrfg • ZQ5, FUN-1 • Snfg

  8. Tools of the trade
     Encryption
     • Secret "symmetric" key: both parties need to share the key
       • DES, RC4
       • Comparatively efficient
     • Public/private key, "asymmetric": 2 keys mathematically related
       • RSA, DSA
       • Slower
     One-way hash / message digest
     • MD5, SHA-1
     • Fast

  9. Public/Private keys
     [Figure labels: Clear text message, Encrypted text, Clear text message, Public Key, Private Key]
     • Asymmetric encryption comprises a key pair: one private and one public:
       • it is impossible to derive the private key from the public one;
       • a message encrypted by one key can be decrypted only by its partner
     • Public keys can be freely exchanged / distributed
     • The sender encrypts using his private key
     • The receiver decrypts using sender's public key;

  10. Certificates
      • A statement from a trusted 3rd party (the Certification Authority), that your public key (and hence your private key) is associated with your identity
      • A certificate can only be verified if you have the public key of the party who signed it

  11. X.509 Certificates
      An X.509 Certificate contains:
      • owner's public key;
      • identity of the owner;
      • info on the CA;
      • validity;
      • Serial number;
      • digital signature from the CA
      Example certificate fields shown on the slide:
      Public key
      Subject: C=CH, O=CERN, OU=GRID, CN=Andrea Sciaba 8968
      Issuer: C=CH, O=CERN, OU=GRID, CN=CERN CA
      Expiration date: Aug 26 08:08:14 2005 GMT
      Serial number: 625 (0x271)
      CA Digital signature

  12. Certificate Request
      [Figure: certificate request flow between the user and the Certification Authority; labels: State of Illinois ID, Cert Request, Public Key, CA root certificate, Cert]
      • User generates public/private key pair in browser.
      • User sends public key to CA and shows RA proof of identity.
      • CA signature links identity and public key in certificate.
      • CA informs user.
      • Private Key encrypted on local disk

  13. Downloading and Testing your certificate
      You will receive an email with instructions telling you how to download your certificate. Since the private key is stored locally, you will need to use the SAME browser when downloading as applying for your certificate. You should then follow the instructions on the website to Test your certificate. On successful completion, your DN will be displayed for use when registering for Grid resources.

  14. Registering to use NW-Grid
      There is a web registration form for NW-Grid: http://man4.nw-grid.ac.uk:8080/user_registration
      Once approved, this will:
      • assign you a common username (e.g. nwdljk)
      • register the Distinguished Name (DN) from your certificate with the NW-Grid machines, e.g. /C=UK/O=eScience/OU=CLRC/L=DL/CN=john kewley
      • open NW-Grid firewalls so your client machine(s) can access the Grid resources.

  15. Links
      • What is the Grid? http://gridcafe.web.cern.ch/
      • What is e-Science? http://www.e-science.cclrc.ac.uk/ http://www.nesc.ac.uk/
      • What is the NW-GRID? http://www.nw-grid.ac.uk/
      • UK e-Science CA: http://www.grid-support.ac.uk/content/view/182/184/ https://ca.grid-support.ac.uk/
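
Added example, not part of the original slides: a sketch of the authorisation step that slides 3, 11 and 14 describe, where a resource maps the DN of an already authenticated certificate to the assigned local username. The map format follows the Globus grid-mapfile convention, which is an assumption (the slides do not say how NW-Grid stores registered DNs); the function names and the sample map are constructed.

```python
import shlex
from datetime import datetime, timezone

# Constructed sample in the style of a Globus grid-mapfile: "DN" local-username.
# Assumption: the page does not say how NW-Grid stores registered DNs.
GRID_MAPFILE = '''
# constructed entry using the DN and username shown on slide 14
"/C=UK/O=eScience/OU=CLRC/L=DL/CN=john kewley" nwdljk
'''

def to_slash_dn(subject):
    """Normalise 'C=CH, O=CERN' (comma form, slide 11) to '/C=CH/O=CERN'."""
    subject = subject.strip()
    if subject.startswith("/"):
        return subject                      # already in slash form (slide 14)
    parts = [p.strip() for p in subject.split(",")]
    if not all("=" in p for p in parts):
        raise ValueError("not a distinguished name: %r" % subject)
    return "/" + "/".join(parts)

def load_mapfile(text):
    """Return {DN: username}; shlex copes with the quoted DN containing spaces."""
    mapping = {}
    for line in text.splitlines():
        fields = shlex.split(line, comments=True)
        if len(fields) == 2:
            mapping[fields[0]] = fields[1]
    return mapping

def not_expired(not_after, now):
    """Compare 'now' with an expiry written as on slide 11."""
    expiry = datetime.strptime(not_after, "%b %d %H:%M:%S %Y GMT")
    return now < expiry.replace(tzinfo=timezone.utc)

def authorise(subject, not_after, now, mapping):
    """Return the local username, or None if expired or the DN is unregistered.

    Only meaningful after the CA signature on the certificate and the holder's
    possession of the private key have been verified; a DN string alone proves
    nothing about who is presenting it.
    """
    if not not_expired(not_after, now):
        return None
    return mapping.get(to_slash_dn(subject))

if __name__ == "__main__":
    now = datetime(2005, 1, 1, tzinfo=timezone.utc)   # constructed "current" time
    print(authorise("C=UK, O=eScience, OU=CLRC, L=DL, CN=john kewley",
                    "Aug 26 08:08:14 2005 GMT", now, load_mapfile(GRID_MAPFILE)))
```

A valid certificate from a trusted CA whose DN is not in the map is still refused, which is the difference between authentication and authorisation drawn on slide 5.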
