Running AliEn Secure Services
Jianlin Zhu, Huazhong Normal University
Slide 2
Outline
Security Considerations for AliEn Services
Security Environment for AliEn Services
Security Infrastructure for AliEn Services
Security Instances for AliEn Services
Future work
Reference
Slide 3
AliEn
AliEn is a distributed computing environment with the aim of offering the ALICE user community transparent access to worldwide distributed computing and storage resources.
AliEn components are web services, and they talk to each other using SOAP (Simple Object Access Protocol).
Central Services: Proxy, IS, Authen, Server, Logger, Broker, TransferManager, TransferBroker, TransferOptimizer, JobOptimizer, CatalogueOptimizer, PackManMaster, MessageMaster, SEManager, JobInfoManager, MonaLisa
Site Services: ClusterMonitor, CE, SE, PackMan, MonaLisa
Slide 4
Security Considerations
AliEn is running with more than twenty service components providing the public services for the whole grid system.
Supporting the Grid Security Infrastructure and Public Key Infrastructure
Security:
  Authentication
  Communication encryption
  Private key protection
  Delegation
  Single sign-on
Compatibility: transparency to the grid components
Modular security function
Slide 5
Grid Security Infrastructure
PKI (CAs and Certificates)
SSL/TLS
Proxies and Delegation
PKI for credentials
SSL for authentication and message protection
Proxies and delegation (GSI extensions) for secure single sign-on
PKI: Public Key Infrastructure; SSL: Secure Socket Layer; TLS: Transport Layer Security
Slide 6
Public Key Infrastructure (PKI)
PKI allows you to know that a given public key belongs to a given user.
PKI builds on asymmetric encryption: each entity has two keys, public and private. Data encrypted with one key can only be decrypted with the other. The private key is known only to the entity. The public key is given to the world, encapsulated in an X.509 certificate.
(Figure labels: Owner, X.509 Certificates, Certificate Authorities (CAs), Certificate Policies, Namespaces, Requesting a certificate, Certificate Request, Registration Authority)
Slide 7
Secure Socket Layer (SSL)
Also known as TLS (Transport Layer Security)
Uses certificates and TCP sockets to provide a secured connection
Authentication of one or both parties using the certificates
Message protection: confidentiality (encryption), integrity
(Figure labels: Certificates, TCP Sockets, SSL/TLS)
Slide 8
Grid Security Infrastructure (GSI)
Based on the Generic Security Services API (GSS-API)
Uses an extension to X.509 certificates
Provides a mechanism to:
  Authenticate a subject
  Authorise a resource
  Implement a single sign-on mechanism
Current implementation does this using:
  Proxy certificates and Certification Authorities
  Gridmap file
$ voms-proxy-info -all
subject   : /C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlin zhu/CN=proxy
issuer    : /C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlin zhu
identity  : /C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlin zhu
type      : proxy
strength  : 1024 bits
path      : /tmp/x509up_u50218
timeleft  : 11:45:59
=== VO alice extension information ===
VO        : alice
subject   : /C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlin zhu
issuer    : /DC=ch/DC=cern/OU=computers/CN=voms.cern.ch
attribute : /alice/Role=lcgadmin/Capability=NULL
attribute : /alice/Role=NULL/Capability=NULL
attribute : /alice/lcg1/Role=NULL/Capability=NULL
timeleft  : 11:45:58
uri       : voms.cern.ch:15000

VOMS credentials are represented in the form of FQANs (short for Fully Qualified Attribute Name). An FQAN is a compound string consisting of the group, the subgroups, and the role a user chooses in order to access a resource.
Slide 11
HTTPS as the AliEn secure protocol
HTTPS is an interesting and important protocol for several reasons:
  It is by far the most widely deployed secure protocol
  It has a large number of high-quality modules that we could leverage
  It has excellent interaction with firewalls, Network Address Translation and application proxies; it has the potential to solve some of the problems sites have with private IP farms
  Along with HTTP, it is the basis for Web and Grid Services
AliEn Services are Web Services using SOAP/XML to send messages
HTTPS consists of HTTP/1.1 over an SSL connection; security is done by the SSL layer, using X.509 certificates (including GSI)
Slide 12
Security Environment for AliEn Services
Apache as the AliEn services hosting environment
  mod_perl: supporting the Perl language
  mod_ssl: supporting PKI (X.509 certificate verification)
  mod_gridsite: supporting GSI (parses GACL policies, X.509, GSI, VOMS credentials)
Slide 13
What Apache provides
Allows customization of the standard Apache installation through program modularity: extensibility, decomposition and flexibility
Rich modules:
  mod_ssl: encryption (private communications)
  mod_perl, mod_cgi, etc.: application and language support (CGI, Perl, PHP, etc.)
  mod_gridsite: GACL policies, X.509, GSI, VOMS credentials support
Modules can be added at compile time or before execution (with DSO) using the LoadModule and AddModule directives
Slide 14
What SSL provides
Secure communication between client and server. The SSL protocol works on top of the TCP/IP layer and below the application layer.
Provides for authentication using certificates, multiple encryption cipher choices, methods to exchange session keys, and integrity checking.
Server authentication almost always takes place. Client authentication is optional.
Once authentication and handshaking are done, data is transmitted using the strongest mutually available cipher over TCP/IP. Weaker ciphers have resulted in some potential SSL security holes.
Slide 15
What Gridsite provides
Support for clients with GSI proxies to standard Apache/mod_ssl
With the XML access control language GACL, to define read, write, list and admin permissions for files, directories and scripts
With the VOMS credentials, the resource owners can decide which privileges to provide to which VO attributes.
(Figure label: /C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlin zhu)
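To make the GACL decision on this slide concrete, and to show how the FQANs from the voms-proxy-info output on Slides 9-10 feed into it, here is an added example that is not GridSite or AliEn code. It applies a constructed GACL policy to the proxy's FQANs; it assumes the GACL combination rule (allows from all matching entries are unioned, then any matching deny overrides) and a parent-group matching rule for plain group FQANs, both marked as assumptions in the comments.

```python
import xml.etree.ElementTree as ET

PERMS = ("read", "list", "write", "admin")

# Constructed GACL policy. Assumed semantics (as in GridSite's GACL): the
# permissions of every matching entry are unioned, then denies override allows.
SAMPLE_GACL = """<gacl>
  <entry><voms><fqan>/alice/Role=lcgadmin</fqan></voms>
         <allow><read/><list/><write/><admin/></allow></entry>
  <entry><voms><fqan>/alice</fqan></voms>
         <allow><read/><list/></allow></entry>
  <entry><voms><fqan>/alice/lcg1</fqan></voms>
         <deny><admin/></deny></entry>
</gacl>"""

# The attribute lines printed by voms-proxy-info for the proxy on Slides 9-10.
PROXY_FQANS = ["/alice/Role=lcgadmin/Capability=NULL",
               "/alice/Role=NULL/Capability=NULL",
               "/alice/lcg1/Role=NULL/Capability=NULL"]

def normalise_fqan(fqan):
    """Drop the NULL role and the unused capability: /alice/Role=NULL/Capability=NULL -> /alice."""
    keep = [p for p in fqan.split("/")
            if p and p != "Role=NULL" and not p.startswith("Capability=")]
    return "/" + "/".join(keep)

def fqan_matches(entry_fqan, user_fqan):
    """Assumed rule: an entry FQAN matches the identical FQAN, or a parent group of a plain group FQAN."""
    e, u = normalise_fqan(entry_fqan), normalise_fqan(user_fqan)
    return u == e or ("Role=" not in e and "Role=" not in u and u.startswith(e + "/"))

def entry_matches(entry, user_fqans):
    if entry.find("any-user") is not None:
        return True
    return any(fqan_matches(f.text.strip(), u)
               for f in entry.iter("fqan") for u in user_fqans)

def decide(gacl_xml, user_fqans):
    """Return the set of permissions the policy grants to a holder of user_fqans."""
    allowed, denied = set(), set()
    for entry in ET.fromstring(gacl_xml).findall("entry"):
        if not entry_matches(entry, user_fqans):
            continue
        for perm in PERMS:
            if entry.find("allow/" + perm) is not None:
                allowed.add(perm)
            if entry.find("deny/" + perm) is not None:
                denied.add(perm)
    return allowed - denied  # deny wins, even against the lcgadmin allow
```

For the proxy on the slides the result is read, list and write: the deny on /alice/lcg1 removes admin even though the Role=lcgadmin entry allows it, which is the caveat to keep in mind when writing deny entries.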
Slide 16
Apache + mod_ssl + mod_gridsite
Together, Apache, mod_ssl and mod_gridsite create a security system based on digital certificates and GSI that allows you to offer secure, encrypted connections to the web server.
One more way to run AliEn services
Easy to configure and manage
Transparent to users
Secure single sign-on
(Architecture diagram: central services TaskQueue, Job Broker, Job Manager, Job optimizers (Splitting, Expired, Priorities, Merging, Zombies), File catalogue (LFN, GUID, Meta data), Authen, logger; site services CE, SE, Packman, MonALISA, CM, JA at Site A and Site B; LCG services (CREAM CE); "Adding secure function" pointing at Authen)
Slide 19
Slide 20
Slide 21
Slide 22
Future Plan
Adding security protection to the AliEn services one by one
Adding support for XACML and Delegation PortType
Large-scale testing of the AliEn secure services
Slide 23
Reference
PKI: RFC 3280, http://tools.ietf.org/html/rfc3280
GSI: RFC 3820, http://tools.ietf.org/html/rfc3820
The Globus Project, http://www.globus.org/security
The Apache Project, http://www.apache.org/
The Gridsite Project, http://www.gridsite.org/