Running AliEn Secure Services

Date posted: 23-Feb-2016
Jianlin Zhu, Huazhong Normal University

Outline
- Security Considerations for AliEn Services
- Security Environment for AliEn Services
- Security Infrastructure for AliEn Services
- Security Instances for AliEn Services
- Future work
- Reference

AliEn
AliEn is a distributed computing environment whose aim is to offer the ALICE user community transparent access to worldwide distributed computing and storage resources.
AliEn components are web services, and they talk to each other using SOAP (Simple Object Access Protocol).

Central Services: Proxy, IS, Authen, Server, Logger, Broker, TransferManager, TransferBroker, TransferOptimizer, JobOptimizer, CatalogueOptimizer, PackManMaster, MessageMaster, SEManager, JobInfoManager, MonaLisa
Site Services: ClusterMonitor, CE, SE, PackMan, MonaLisa

Security Considerations
AliEn runs more than twenty service components that provide the public services for the whole grid system.

Supporting the Grid Security Infrastructure and Public Key Infrastructure
Security:
- Authentication
- Communication encryption
- Private key protection
- Delegation
- Single sign-on
Compatibility:
- Transparency to the Grid components
- Modular security functions

Grid Security Infrastructure
- PKI (CAs and certificates): PKI for credentials
- SSL/TLS: SSL for authentication and message protection
- Proxies and delegation (GSI extensions): for secure single sign-on
PKI: Public Key Infrastructure; SSL: Secure Socket Layer; TLS: Transport Layer Security

Public Key Infrastructure (PKI)
PKI allows you to know that a given public key belongs to a given user.
PKI builds on asymmetric encryption:
- Each entity has two keys: public and private.
- Data encrypted with one key can only be decrypted with the other.
- The private key is known only to the entity.
- The public key is given to the world encapsulated in an X.509 certificate.
Elements: owner, X.509 certificates, Certificate Authorities (CAs), certificate policies, namespaces.
Requesting a certificate: a certificate request is submitted to a Registration Authority.

Secure Socket Layer (SSL)
Standardised as TLS (Transport Layer Security).
Uses certificates and TCP sockets to provide a secured connection:
- Authentication of one or both parties using the certificates
- Message protection: confidentiality (encryption) and integrity
Layering: certificates, TCP sockets, SSL/TLS, GSI on top.

Grid Security Infrastructure (GSI)
- Based on the Generic Security Services API (GSS-API)
- Uses an extension to X.509 certificates
- Provides a mechanism to authenticate a subject, authorise a resource and implement a single sign-on mechanism
- The current implementation does this using proxy certificates and Certification Authorities, plus the gridmap file

grid-proxy-info after grid-proxy-init -old (legacy proxy):

    [lxplus215] ~ $ grid-proxy-info
    subject  : /C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlin zhu/CN=proxy
    issuer   : /C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlin zhu
    identity : /C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlin zhu
    type     : full legacy globus proxy
    strength : 512 bits
    path     : /tmp/x509up_u50218
    timeleft : 11:59:54

grid-proxy-info after grid-proxy-init -rfc (RFC 3820 proxy):

    [lxplus215] ~ $ grid-proxy-info
    subject  : /C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlin zhu/CN=1441834040
    issuer   : /C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlin zhu
    identity : /C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlin zhu
    type     : RFC 3820 compliant impersonation proxy
    strength : 512 bits
    path     : /tmp/x509up_u50218
    timeleft : 11:59:54

grid-proxy-info after plain grid-proxy-init (pre-RFC draft proxy):

    [lxplus215] ~ $ grid-proxy-info
    subject  : /C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlin zhu/CN=1135709971
    issuer   : /C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlin zhu
    identity : /C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlin zhu
    type     : Proxy draft (pre-RFC) compliant impersonation proxy
    strength : 512 bits
    path     : /tmp/x509up_u50218
    timeleft : 11:59:55

voms-proxy-info -all (VOMS proxy):

    $ voms-proxy-info -all
    subject   : /C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlin zhu/CN=proxy
    issuer    : /C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlin zhu
    identity  : /C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlin zhu
    type      : proxy
    strength  : 1024 bits
    path      : /tmp/x509up_u50218
    timeleft  : 11:45:59
    === VO alice extension information ===
    VO        : alice
    subject   : /C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlin zhu
    issuer    : /DC=ch/DC=cern/OU=computers/CN=voms.cern.ch
    attribute : /alice/Role=lcgadmin/Capability=NULL
    attribute : /alice/Role=NULL/Capability=NULL
    attribute : /alice/lcg1/Role=NULL/Capability=NULL
    timeleft  : 11:45:58
    uri       : voms.cern.ch:15000

Note the proxy naming: a legacy proxy appends CN=proxy to the user's subject, whereas RFC 3820 and draft proxies append a numeric CN; in every case the issuer is the user certificate and the identity is the user's own DN. The three grid-proxy-init runs produced 512-bit proxy keys, which is far too weak today (the voms-proxy-init run produced 1024 bits); both tools accept a -bits option, and the proxy key should not be weaker than the key of the user certificate it delegates from.

VOMS credentials are represented in the form of FQANs (short for Fully Qualified Attribute Name).
A FQAN is a compound string consisting of the group, the subgroups and the role a user chooses in order to access a resource, for example /alice/Role=lcgadmin/Capability=NULL.

HTTPS as the AliEn secure protocol
HTTPS is an interesting and important protocol for several reasons:
- It is by far the most widely deployed secure protocol.
- There is a large number of high-quality modules that we can leverage.
- It interacts well with firewalls, Network Address Translation and application proxies, so it has the potential to solve some of the problems sites have with private-IP farms.
- Along with HTTP, it is the basis for Web and Grid Services; AliEn services are Web Services using SOAP/XML to send messages.
HTTPS consists of HTTP/1.1 over an SSL connection; security is done by the SSL layer, using X.509 certificates (including GSI).

Security Environment for AliEn Services
Apache as the AliEn services hosting environment:
- mod_perl: supports the Perl language
- mod_ssl: supports PKI (X.509 certificate verification)
- mod_gridsite: supports GSI (parses GACL policies, X.509, GSI and VOMS credentials)

What Apache provides
- Customisation of a standard Apache installation through program modularity: extensibility, decomposition and flexibility
- Rich modules: mod_ssl for encryption (private communications); mod_perl, mod_cgi, etc. for application and language support (CGI, Perl, PHP, etc.); mod_gridsite for GACL policies, X.509, GSI and VOMS credentials
- Modules can be added at compile time or before execution (as DSOs) using the LoadModule and AddModule directives
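The proxy listings and the FQAN definition above describe two things a service must check before trusting a client: that the proxy chain is well formed (subject = issuer DN plus exactly one proxy CN, identity = subject with proxy CNs removed) and that the VOMS attributes are read without mistaking Role=NULL / Capability=NULL placeholders for privileges. The following is an added example in Python, not AliEn, Globus or VOMS code; it parses the voms-proxy-info listing reconstructed from this page and applies those checks. MIN_PROXY_BITS is an assumed local policy chosen to reject the 512-bit default seen in the grid-proxy-init runs.

```python
"""Parse grid-proxy-info / voms-proxy-info -all output and check the proxy.

Added example, not AliEn or Globus code. The sample listing is reconstructed
from the voms-proxy-info output on this page. The checks encode the proxy
naming rules the page describes: a proxy subject is the issuer's subject
plus one CN (CN=proxy or CN=limited proxy for legacy proxies, a numeric CN
for RFC 3820 and draft proxies), the identity is the subject with the proxy
CNs stripped, and Role=NULL / Capability=NULL in a FQAN are placeholders,
not privileges. MIN_PROXY_BITS is an assumed local policy.
"""
import re
from dataclasses import dataclass, field

MIN_PROXY_BITS = 1024   # assumption: refuse the 512-bit default shown in the listings

# Constructed sample: the voms-proxy-info -all listing from this page.
SAMPLE_INFO = """\
subject   : /C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlin zhu/CN=proxy
issuer    : /C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlin zhu
identity  : /C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlin zhu
type      : proxy
strength  : 1024 bits
path      : /tmp/x509up_u50218
timeleft  : 11:45:59
=== VO alice extension information ===
VO        : alice
subject   : /C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlin zhu
issuer    : /DC=ch/DC=cern/OU=computers/CN=voms.cern.ch
attribute : /alice/Role=lcgadmin/Capability=NULL
attribute : /alice/Role=NULL/Capability=NULL
attribute : /alice/lcg1/Role=NULL/Capability=NULL
timeleft  : 11:45:58
uri       : voms.cern.ch:15000
"""


@dataclass
class ProxyInfo:
    subject: str = ""
    issuer: str = ""
    identity: str = ""
    type: str = ""
    strength: int = 0      # RSA modulus bits
    timeleft: int = 0      # seconds until the proxy expires
    vo: str = ""
    fqans: list = field(default_factory=list)   # attributes exactly as printed


def _hms_to_seconds(value: str) -> int:
    h, m, s = (int(x) for x in value.split(":"))
    return h * 3600 + m * 60 + s


def parse_proxy_info(text: str) -> ProxyInfo:
    """Split 'key : value' lines; the VOMS block after '===' is read separately."""
    info, in_vo = ProxyInfo(), False
    for line in text.splitlines():
        if line.startswith("==="):
            in_vo = True
            continue
        m = re.match(r"\s*([A-Za-z]+)\s*:\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if in_vo:                      # AC subject/issuer are the VOMS server's, keep them apart
            if key == "vo":
                info.vo = value
            elif key == "attribute":
                info.fqans.append(value)
        elif key in ("subject", "issuer", "identity", "type"):
            setattr(info, key, value)
        elif key == "strength":
            info.strength = int(value.split()[0])
        elif key == "timeleft":
            info.timeleft = _hms_to_seconds(value)
    return info


def split_dn(dn: str) -> list:
    return [c for c in dn.split("/") if c]


def proxy_cn_kind(component: str):
    """'legacy' for CN=proxy / CN=limited proxy, 'rfc' for a numeric CN, else None."""
    if not component.startswith("CN="):
        return None
    cn = component[3:]
    if cn in ("proxy", "limited proxy"):
        return "legacy"
    return "rfc" if cn.isdigit() else None


def strip_proxy_cns(dn: str) -> str:
    """The identity behind a (possibly multi-level) proxy: drop trailing proxy CNs."""
    parts = split_dn(dn)
    while parts and proxy_cn_kind(parts[-1]):
        parts.pop()
    return "/" + "/".join(parts)


def check_proxy(info: ProxyInfo) -> list:
    """Return the policy violations; an empty list means the proxy is acceptable."""
    problems = []
    subj, iss = split_dn(info.subject), split_dn(info.issuer)
    if subj[:-1] != iss or not subj or proxy_cn_kind(subj[-1]) is None:
        problems.append("subject must be the issuer DN plus one proxy CN")
    if strip_proxy_cns(info.subject) != info.identity:
        problems.append("identity does not match subject with proxy CNs removed")
    if info.strength < MIN_PROXY_BITS:
        problems.append(f"proxy key is {info.strength} bits, below {MIN_PROXY_BITS}")
    if info.timeleft <= 0:
        problems.append("proxy has expired")
    return problems


def normalize_fqan(fqan: str) -> str:
    """/alice/Role=NULL/Capability=NULL -> /alice; /alice/Role=lcgadmin/Capability=NULL -> /alice/Role=lcgadmin"""
    keep = [p for p in fqan.split("/") if p and p not in ("Role=NULL", "Capability=NULL")]
    return "/" + "/".join(keep)


def effective_fqans(info: ProxyInfo) -> list:
    return [normalize_fqan(f) for f in info.fqans]


if __name__ == "__main__":
    info = parse_proxy_info(SAMPLE_INFO)
    print("identity:", info.identity)
    print("FQANs:   ", effective_fqans(info))
    print("problems:", check_proxy(info) or "none")
    # the same proxy with the 512-bit key that plain grid-proxy-init produced above
    print("512-bit: ", check_proxy(parse_proxy_info(SAMPLE_INFO.replace("1024 bits", "512 bits"))))
```

A service that authorises on `identity` rather than `subject` is what lets a multi-level delegated proxy still map to the right user; the chain check is what stops a client from presenting a subject that skips a level or carries an arbitrary extra CN.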

What SSL provides
- Secure communication between client and server.
- The SSL protocol works on top of the TCP/IP layer and below the application layer.
- Provides authentication using certificates, a choice of encryption ciphers, methods to exchange session keys, and integrity checking.
- Server authentication almost always takes place; client authentication is optional (GSI relies on it to identify the user).
- Once authentication and handshaking are done, data is transmitted using the strongest mutually available cipher over TCP/IP. Weak ciphers have been the source of several SSL security holes, so the server should restrict its cipher list rather than accept whatever the client offers.
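The settings that matter for a GSI-facing server (client certificates required, old protocol versions refused, weak ciphers excluded) are the same whether they are expressed as mod_ssl directives or in code. The block below is an added example using Python's standard ssl module; it is neither AliEn code nor an Apache configuration file. It builds a weak server context beside a hardened one and audits both. The ca_path parameter is where the hardened context would load the CA certificates (the grid convention /etc/grid-security/certificates is an assumption, not a value from this page); it defaults to None so the example runs offline, and the mod_ssl directive each line corresponds to is given in the comments.

```python
"""Server-side TLS settings equivalent to the mod_ssl choices discussed above.

Added example using Python's standard ssl module; it is neither AliEn code
nor an Apache configuration file. It builds a weak server context beside a
hardened one and audits each: client certificates required (GSI needs the
client certificate to identify the user), nothing older than TLS 1.2, no
NULL/export/RC4/MD5/DES cipher suites, and no static-RSA key exchange.
ca_path is an assumption (grid hosts use /etc/grid-security/certificates);
it is None by default so the example runs offline.
"""
import ssl

WEAK_MARKERS = ("NULL", "RC4", "MD5", "DES", "EXP", "ADH", "AECDH")
MIN_STRENGTH_BITS = 128


def weak_context() -> ssl.SSLContext:
    """What a careless server looks like: anonymous clients, any protocol, any cipher."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_NONE                         # SSLVerifyClient none
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # whatever OpenSSL still builds
    ctx.set_ciphers("ALL")                                  # SSLCipherSuite ALL
    return ctx


def hardened_context(ca_path=None) -> ssl.SSLContext:
    """Require a client certificate chained to a trusted CA, TLS 1.2+, forward-secret ciphers."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED                     # SSLVerifyClient require
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2            # SSLProtocol: no SSLv3/TLS 1.0/1.1
    # SSLCipherSuite equivalent: strong suites only, no static RSA key exchange (!kRSA)
    ctx.set_ciphers("HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES:!DES:!EXP:!kRSA")
    if ca_path is not None:
        ctx.load_verify_locations(capath=ca_path)           # SSLCACertificatePath
    return ctx


def audit(ctx: ssl.SSLContext) -> dict:
    """Report the properties a reviewer would check on a GSI-facing server context."""
    ciphers = ctx.get_ciphers()
    return {
        "client_auth_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "min_version_ok": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
        "weak_ciphers": sorted(c["name"] for c in ciphers
                               if any(m in c["name"] for m in WEAK_MARKERS)
                               or c["strength_bits"] < MIN_STRENGTH_BITS),
        "static_rsa": sorted(c["name"] for c in ciphers if c.get("kea") == "kx-rsa"),
    }


def is_acceptable(ctx: ssl.SSLContext) -> bool:
    report = audit(ctx)
    return (report["client_auth_required"] and report["min_version_ok"]
            and not report["weak_ciphers"] and not report["static_rsa"])


if __name__ == "__main__":
    for label, ctx in (("weak", weak_context()), ("hardened", hardened_context())):
        print(label, "acceptable" if is_acceptable(ctx) else "REJECT", audit(ctx))
```

The audit reads the cipher list OpenSSL actually negotiated from the cipher string, so it reports what the server will really offer on this build rather than what the configuration string says.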

What GridSite provides
- Support for clients with GSI proxies in standard Apache/mod_ssl
- The XML access-control language GACL, used to define read, write, list and admin permissions for files, directories and scripts
- With VOMS credentials, resource owners can decide which privileges to grant to which VO attributes
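To make the GACL point above concrete, here is an added example in Python of how a GACL document grants read, list, write and admin to a person DN, a VOMS FQAN, a client hostname or any user. It is not GridSite's evaluator: it models the behaviour described on this page under three assumptions stated in the code (every credential in an entry must match for the entry to apply; the result is the union of matching allow permissions minus the union of matching deny permissions; FQANs are compared after their Role=NULL / Capability=NULL placeholders are dropped). Unrecognised credential elements never match, so a typo in a policy fails closed. The policy document and the client credentials are constructed for the example.

```python
"""Evaluate a GACL document against a client's DN, VOMS FQANs and hostname.

Added example, not GridSite's own evaluator. It models the GACL behaviour the
page describes (entries grant read, list, write and admin to a person DN, a
VOMS FQAN, a client hostname, or any user) under three assumptions: every
credential in an <entry> must match for the entry to apply; the result is
the union of matching <allow> permissions minus the union of matching <deny>
permissions; and FQANs are compared after their Role=NULL / Capability=NULL
placeholders are dropped. Unknown credential types never match (fail closed).
The policy document and the client credentials are constructed.
"""
import fnmatch
import xml.etree.ElementTree as ET

PERMISSIONS = ("read", "list", "write", "admin")

# Constructed policy, in the shape of a .gacl file that mod_gridsite reads.
SAMPLE_GACL = """\
<gacl version="0.0.1">
  <entry><any-user/><allow><read/></allow></entry>
  <entry><voms><fqan>/alice/Role=NULL/Capability=NULL</fqan></voms>
         <allow><list/></allow></entry>
  <entry><voms><fqan>/alice/Role=lcgadmin</fqan></voms>
         <allow><write/><admin/></allow></entry>
  <entry><person><dn>/C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlin zhu</dn></person>
         <dns><hostname>*.cern.ch</hostname></dns>
         <allow><admin/></allow></entry>
  <entry><voms><fqan>/alice/lcg1</fqan></voms><deny><admin/></deny></entry>
</gacl>
"""


def normalize_fqan(fqan: str) -> str:
    """Drop the Role=NULL / Capability=NULL placeholders before comparing FQANs."""
    keep = [p for p in fqan.split("/") if p and p not in ("Role=NULL", "Capability=NULL")]
    return "/" + "/".join(keep)


def _credential_matches(cred, dn, fqans, hostname) -> bool:
    tag = cred.tag
    if tag == "any-user":
        return True
    if tag == "auth-user":                      # any client that presented a certificate
        return dn is not None
    if tag == "person":
        return dn is not None and cred.findtext("dn", "").strip() == dn
    if tag == "voms":
        return normalize_fqan(cred.findtext("fqan", "").strip()) in fqans
    if tag == "dns":
        pattern = cred.findtext("hostname", "").strip().lower()
        return hostname is not None and fnmatch.fnmatchcase(hostname.lower(), pattern)
    return False                                # dn-list and anything unrecognised: fail closed


def permissions(gacl_xml: str, dn=None, fqans=(), hostname=None) -> set:
    """Permissions the client holds on the resource guarded by this GACL document."""
    root = ET.fromstring(gacl_xml)
    if root.tag != "gacl":
        raise ValueError("not a GACL document")
    held = {normalize_fqan(f) for f in fqans}
    allowed, denied = set(), set()
    for entry in root.findall("entry"):
        creds = [c for c in entry if c.tag not in ("allow", "deny")]
        if not creds or not all(_credential_matches(c, dn, held, hostname) for c in creds):
            continue
        for block in entry.findall("allow"):
            allowed.update(p.tag for p in block if p.tag in PERMISSIONS)
        for block in entry.findall("deny"):
            denied.update(p.tag for p in block if p.tag in PERMISSIONS)
    return allowed - denied


if __name__ == "__main__":
    dn = "/C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlin zhu"
    fqans = ["/alice/Role=lcgadmin/Capability=NULL",
             "/alice/Role=NULL/Capability=NULL",
             "/alice/lcg1/Role=NULL/Capability=NULL"]
    print("page user from lxplus:", sorted(permissions(SAMPLE_GACL, dn, fqans, "lxplus215.cern.ch")))
    print("anonymous client:     ", sorted(permissions(SAMPLE_GACL)))
```

With the attributes from the voms-proxy-info listing on this page, the user gets read, list and write: the /alice/Role=lcgadmin entry grants admin, but membership of /alice/lcg1 is denied admin, and deny wins over allow.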

[Slide figure: only the user DN /C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlin zhu is recoverable]

Apache + mod_ssl + mod_gridsite
Together, Apache, mod_ssl and mod_gridsite create a security system based on digital certificates and GSI that lets you offer secure, encrypted connections to the web server. It is one more way to run AliEn services:
- Easy to configure and manage
- Transparent to users
- Secure single sign-on

[Slide figure: AliEn core components and services. Recoverable labels: external software (RDBMS, LDAP, V.O. packages and commands, Perl core, Perl modules, external libraries); core components (config management, package management, DBI, DBD interface, ADBI, database proxy, SOAP/XML, file and metadata catalogue, authentication, security, ClusterMonitor, logger, TaskQueue, job broker, job manager); services (CE, SE, PackMan, MonaLisa, IS, RB, ...); user-facing interfaces (API for C/C++/Perl, user application, FS, GUI, web portal, user interface, CLI, JA).]

[Slide figure: central services and site services. Central services: job optimizers (splitting, expired, priorities, merging, zombies), file catalogue (LFN, GUID, metadata), SE, PackMan, MonALISA, logger, and Authen, the service to which the secure function is being added. Site A / Site B: CM, JA, CE, SE, PackMan, MonALISA; LCG services: CREAM CE.]

Future plan
- Add security protection to the AliEn services one by one
- Add support for XACML and the Delegation PortType
- Large-scale testing of the AliEn secure services

Reference
- PKI: RFC 3280, http://tools.ietf.org/html/rfc3280
- GSI proxy certificates: RFC 3820, http://tools.ietf.org/html/rfc3820
- The Globus Project, http://www.globus.org/security
- The Apache Project, http://www.apache.org/
- The GridSite Project, http://www.gridsite.org/

Questions?
