Security
GridPP6, 30 Jan 2003, Coseners House
David Kelsey, CLRC/RAL, UK
d.p.kelsey@rl.ac.uk
D.P.Kelsey, GridPP Security
Overview
  • EU DataGrid
  • LHC Computing Grid (LCG)
  • GGF
  • UK STF
  • GridPP participants: Andrew McNab, Jens Jensen, Linda Cornwall, DPK (and others from time to time)
WP7 Security Coord Group
  • D7.5 – Requirements and TB1
    • 112 EDG requirements: 72 essential, 37 desirable aims, 3 long-term aims
    • Includes:
      • Virtual Organisations (VOs) – role-based authorisation
      • Authorise resources as well as users
      • Local authorisation – decisions made and ACLs kept local to the data
      • Confidentiality – encrypted medical data; don't know who is in a VO
      • International collaboration – must inter-operate!
  • D7.6 Security Design document – to be finalised during Feb 03
WP6 CA group – Authentication
  • International/inter-project collaboration important
    • Building "trust" between national CAs and VOs/projects
    • EDG, CrossGrid (also LCG, EGEE, …)
  • Defines list of "trusted" CAs
    • Minimum requirements and best practice
  • Currently 16 national CAs
    • Includes the new UK CA
    • Will grow to ~20
  • Considering FNAL (and CERN?) Kerberos CA
    • And SLAC Virtual Smart Card
  • Aim to formalise a European PKI PMA body
    • with links to North America, (Asia-Pacific?), …
Security Design/Developments
  • Security components developed (see EDG web)
    • CA Trust Matrix tools
    • VO/LDAP & VOMS – authorisation
    • LCAS, LCMAPS – local authorisation and mapping
    • Gridmapdir – dynamic leased accounts
    • GridSite – certificate-based web management
    • SlashGrid – DN-based grid home file system
    • GACL – library to parse ACLs (XML)
    • edg-java-security (for Data Management, web services)
    • G-HTTPS (see Andrew's slides)
Authorisation
  [Diagram: authorisation flow. Labels: User (dn), VOMS (dn + attrs), service, authenticate, Java and C paths, authr, pre-proc, acl, map, LCAS, LCMAPS]
  • Coarse-grained, e.g. Spitfire (WP2)
  • Fine-grained, e.g. RepMeC (WP2/WP3)
  • Coarse-grained, e.g. CE, Gatekeeper (WP4)
  • Fine-grained, e.g. SE, /grid (WP5)
VO Membership Service
  [Diagram: VOMS client and VOMS server exchange. Labels: Authentication, Request, OK, Query AuthDB, VOMS pseudo-cert]
  1. Client and server authenticate themselves and establish a secure communication channel using the standard Globus API.
  2. The Client sends the request to the Server.
  3. The Server checks the request and sends back the required info (signed by itself).
  4. The Client checks the validity of the info received.
  5. Steps 1–4 are repeated for each Server the Client wants to contact.
  6. The Client creates a proxy certificate with an extension (non-critical) containing all the info received from the contacted VOMS Servers.
  Example proxy subject: C=IT/O=INFN/L=CNAF/CN=Pinco Palla/CN=proxy
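The six-step VOMS exchange on this slide, worked through as an added example (not EDG or VOMS code): two constructed VOMS servers each sign the attributes they hold for a DN, the client verifies each reply (issuer, holder, signature, expiry) before trusting it, and everything that verifies is gathered into one non-critical extension of a proxy. The server names, keys and membership data are constructed, and an HMAC stands in for the server's X.509 signature so the code needs only the standard library.

```python
import hashlib
import hmac
import json
import time

# Constructed sample: two VOMS servers, each with its own signing key and its own
# membership database (AuthDB).  A real VOMS server signs with its X.509 key; an HMAC
# over the canonical JSON stands in for that signature so this runs on the standard
# library alone (assumption, not the real VOMS wire format).
VOMS_SERVERS = {
    "voms.cnaf.infn.it": {"key": b"cnaf-signing-key",
                          "authdb": {"C=IT/O=INFN/L=CNAF/CN=Pinco Palla": ["/cms/Role=NULL"]}},
    "voms.gridpp.ac.uk": {"key": b"gridpp-signing-key",
                          "authdb": {"C=IT/O=INFN/L=CNAF/CN=Pinco Palla": ["/gridpp/Role=admin"]}},
}

def _sign(key, payload):
    return hmac.new(key, json.dumps(payload, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def voms_server_respond(server, dn, now):
    """Steps 2-3: the server checks the request against its AuthDB and returns the
    holder's attributes signed by itself (a 'pseudo-cert'), or None if dn is not a member."""
    attrs = VOMS_SERVERS[server]["authdb"].get(dn)
    if attrs is None:
        return None
    payload = {"issuer": server, "holder": dn, "attrs": attrs, "not_after": now + 3600}
    return {"payload": payload, "sig": _sign(VOMS_SERVERS[server]["key"], payload)}

def voms_client_check(server, dn, pseudo_cert, now):
    """Step 4: the client validates the pseudo-cert before trusting it: signature by the
    server it actually contacted, holder equals its own dn, and not yet expired."""
    if pseudo_cert is None:
        return False
    p = pseudo_cert["payload"]
    expected = _sign(VOMS_SERVERS[server]["key"], p)  # the client holds the server's verification key
    return (hmac.compare_digest(expected, pseudo_cert["sig"])
            and p["issuer"] == server and p["holder"] == dn and p["not_after"] > now)

def make_voms_proxy(dn, servers, now=None):
    """Steps 1-6: contact each VOMS server in turn (the Globus-authenticated channel of step 1
    is assumed), keep only the pseudo-certs that verify, and put them all in one non-critical
    extension of a new proxy certificate (modelled here as a dict)."""
    now = time.time() if now is None else now
    collected = []
    for server in servers:
        pc = voms_server_respond(server, dn, now)
        if voms_client_check(server, dn, pc, now):
            collected.append(pc["payload"])
    return {"subject": dn + "/CN=proxy",
            "extensions": [{"oid": "voms-attributes", "critical": False, "value": collected}]}
```

A reply whose attributes were altered in transit, one that has expired, or one signed by a server other than the one contacted is dropped rather than placed in the proxy, which is the check step 4 exists for.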
LCG – Grid Deployment
  • Planning now for LCG-1 (summer 03)
  • DPK is technical expert on LCG GDB WG3
    • Legal, political, site security policies, etc.
    • Acceptable Use policies (Rules)
    • What is needed for User Registration (single signing)?
    • What is acceptable to Site Security Officers?
    • GGF Site-AAA requirements group
    • An extremely important area – could kill the Grid!
  • Authorisation (important area)
    • VOs need to manage their members, and sites/resource providers negotiate with VOs
GGF and UK STF
  • Global Grid Forum
    • We are active in the various Security Area groups
      • CA, GridCP, CA Ops, Authz
      • New Authorization group (McNab co-chair)
      • Site-AAA – Requirements
  • UK Security Task Force (core programme)
    • To advise the Director and make recommendations
    • Jens Jensen and DPK are members
    • http://umbriel.dcs.gla.ac.uk/NeSC/general/teams/stf/
    • NeSC Security workshop (Dec 5/6, 2002)