1 / 13

Security: Deployment 10 May 2002 GridPP4 meeting, Manchester

Security: Deployment 10 May 2002 GridPP4 meeting, Manchester. David Kelsey CLRC/RAL, UK d.p.kelsey@rl.ac.uk. Overview. DataGrid TB1 Security Authentication Authorisation Firewalls Operational security procedures. DataGrid TB1 Security. See documentation on EDG WP6 web site

whistler-zachery
Télécharger la présentation

Security: Deployment 10 May 2002 GridPP4 meeting, Manchester

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Security: Deployment10 May 2002GridPP4 meeting, Manchester David KelseyCLRC/RAL, UKd.p.kelsey@rl.ac.uk D.P.Kelsey, Security Deployment, GridPP4

  2. Overview • DataGrid TB1 Security • Authentication • Authorisation • Firewalls • Operational security procedures D.P.Kelsey, Security Deployment, GridPP4

  3. DataGrid TB1 Security • See documentation on EDG WP6 web site • http://marianne.in2p3.fr/ • Usage Rules • Users Guide • Installation Guide • The various installation kits do much (most?) of the work for you D.P.Kelsey, Security Deployment, GridPP4

  4. Authentication • Certificates • See talk by Jens Jensen on new UK CA • Trusted Certificate Authorities • Converting certificate formats • Certificate Revocation Lists D.P.Kelsey, Security Deployment, GridPP4

  5. Certificates • Need certificates for • Users They request their own with Registration confirmation • Hosts For the gatekeeper • Services e.g. LDAP/MDS D.P.Kelsey, Security Deployment, GridPP4

  6. Trusted Certificate Authorities • List maintained by EDG WP6 CA group • Procedures and policies compared with minimum requirements • “Matrix of trust” being created • Includes USA and CrossGrid CA’s • Each site has the final say • But default is to accept the EDG list D.P.Kelsey, Security Deployment, GridPP4

  7. Converting cert formats • 2 formats: PEM and PKCS12 • Extensions: .pem and .p12 • Install edg-utils package • Convert PEM to PKCS12 • /opt/edg/bin/grid-mk-pkcs12 • Convert PKCS12 to PEM • /opt/edg/bin/pkcs12-extract • Or use openssl commands (see Installation 12.1.3) D.P.Kelsey, Security Deployment, GridPP4

  8. Certificate Revocation lists • CRL • Each CA maintains a signed list of revoked certificates • Must be current • If not all certificates from that CA are revoked • GSI checks the local copy of the CRL • Must copy regularly (every day?) • edg-fetch-crl to update CRL’s • edg-crl-upgraded daemon to regularly update D.P.Kelsey, Security Deployment, GridPP4

  9. Authorisation • Usage Rules • Users sign this and no other forms • Use browser with your EDG certificate • Virtual Organisations • Users need to request to join • mkgridmap • Tool to create the grid mapfile • Pooled accounts (gridmapdir dynamic accounts) • http://www.gridpp.ac.uk/gridmapdir/ D.P.Kelsey, Security Deployment, GridPP4

  10. o=xyz,dc=eu-datagrid, dc=org o=testbed,dc=eu-datagrid, dc=org ou=People ou=People ou=Testbed1 ou=??? CN=John Smith CN=Mario Rossi CN=John Smith Authentication Certificate Authentication Certificate Authentication Certificate CN=Franz Elmer CN=Franz Elmer mkgridmap ban list grid-mapfile local users EDG Authorisationgrid-mapfile generation VODirectory “AuthorizationDirectory” D.P.Kelsey, Security Deployment, GridPP4

  11. Authorisation (cont’d) • Today can only map one certificate to one account • If need multiple roles then need more than one cert • More work is still needed on • Registration Authorities for VO’s • Security of VO LDAP info D.P.Kelsey, Security Deployment, GridPP4

  12. Firewalls – ports used Port Service 80 HTTP server for Network Monitoring 123 Network Time Protocol 2119 Globus Gatekeeper 2135 MDS info port 2169 FTree info port 2170 Information Index 2171 FTree info port 2811 GSI ftp server 3147 RFIO 7771 Resource Broker 7846 Logging & Bookkeeping 8080 Tomcat Server (R-GMA, SpitFire) 8881 Job Sub. Service (client) 9991 Job Sub. Service (server D.P.Kelsey, Security Deployment, GridPP4

  13. Operational Security • Each site must nominate a Security Contact • But is there a mail list yet? • Incident discovery • We need some tools/procedures (EDG WP6?) • Audit logs • Grid Mapping (Gatekeeper log) • Pooled accounts • Both in syslog D.P.Kelsey, Security Deployment, GridPP4

More Related