WebFTS as a first WLCG/HEP FIM pilot

Andrea Manzi, Andrey Kiryanov

8th FIM4R meeting

What is WebFTS?

• https://webfts.cern.ch
• Web based tool to transfer files between grid/cloud storages
• Modular protocol support
  • gsiftp, http(s), xrootd and srm
  • Cloud extensions: dropbox, CERNBox
• Initial development funded by

WebFTS as a first WLCG/HEP FIM pilot, 04/02/2015

Based on FTS3

FTS3 is the service responsible for distributing the majority of LHC data across the WLCG infrastructure.

Low level data movement service, responsible for moving sets of files from one site to another while allowing participating sites to control the network resource usage.

Used by LHC VOs + many other VOs that are part of EGI.

~20PB monthly transfer volume / ~2.2M files per day (WLCG): http://dashb-fts-transfers.cern.ch/ui/

“X509 free” access

• X509 delegation is needed to let WebFTS access the grid on the user's behalf
  • Users must make their private key available to the browser
  • Not available via browser API
• We are trying to replace user certificate delegation with transparent access via Identity Federation (pilot project for WLCG)
• The same technology may be used for other types of services, e.g. job submission.

WebFTS pilot

Architecture

[Architecture diagram; recoverable labels only: Web browser, WebFTS, CERN SSO, IdPs (reached via Web Redirect / WAYF, SAML), Credentials, Attributes, VOMS, STS, IOTA CA, Grid Storage Elements (X.509 / VOMS).]

Slide adapted from Romain Wartel, GDB Sept 2014

eduGAIN

Built on existing federations and infrastructures.

CERN participates in eduGAIN via SWITCHaai. Many NRENs participate in eduGAIN too.

IdF and CERN SSO

What happens when you log in to SSO?

[Login flow diagram; recoverable labels: Web browser, Auth request (redirect), SSO, SAML Assertion, Apache SSO plug-in, HTTP session.]

SAML = Security Assertion Markup Language. A SAML Assertion is essentially a signed list of attributes (name, email, etc.).

STS

• Security Token Service (STS) consumes SAML2 assertions and produces X.509 credentials in return.
• STS is an implementation of the WS-Trust OASIS standard and it speaks SOAP.
• This functionality is based on the so-called IOTA CA (Identifier-Only Trust Assurance Certification Authority) that issues short-lived (days) X.509 certificates.
• At CERN we can get such certificates from “CERN CA” (which is NOT “CERN Grid CA”) – the same CA that signs EduRoam certificates.

What’s in all this for WebFTS?

[Flow diagram; recoverable labels: Web browser, Auth request (redirect), SSO, SAML2 Assertion, Apache SSO plug-in, STS, IOTA CA, X.509 certificate, FTS3 REST API (JavaScript context).]

Next steps

• The way STS issues certificates has to change. Basically STS has more than one mode of operation:
  • It can generate a key pair, sign it with a CA, and send both certificate and private key back to us. This is what is used right now, but this is wrong because the private key is transmitted over the network.
  • It can generate a proxy certificate (with or without VOMS extensions) based on a public key provided from our side. This is more secure, but it requires changes in the delegation code on the WebFTS side (ongoing).
• VOMS integration is implemented by FTS now. Waiting for STS VOMS integration.
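The two STS modes above, and the browser-side delegation problem from the “X509 free” access slide, come down to one question: does the private key ever cross the network? The following Go program is an added illustration written for this page; it is not WebFTS or STS code. It uses a constructed self-signed toy CA in place of the IOTA CA, issues a plain end-entity certificate where the real STS would issue a proxy (the VOMS extensions are left out), and the function and type names (toyCA, issueModeOne, clientMakeCSR, issueModeTwo, verifyIssued) are this example's own. Mode one generates the key on the STS side and ships it back; mode two generates the key on the client side and sends only a self-signed certificate request, so the STS can check proof of possession and the client can check that what comes back really carries its own key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// toyCA stands in for the IOTA CA behind the STS (constructed for this
// example; it is not the CERN CA).
type toyCA struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
	next int64 // next serial number
}

func newToyCA() (*toyCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Toy IOTA CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(30 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &toyCA{cert: cert, key: key, next: 2}, nil
}

// sign issues a short-lived client certificate for pub. The subject comes
// from what the STS learned from the SAML2 assertion, never from the client.
func (ca *toyCA) sign(cn string, pub *ecdsa.PublicKey, ttl time.Duration) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(ca.next),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(ttl), // days, like the IOTA CA certificates
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	ca.next++
	return x509.CreateCertificate(rand.Reader, tmpl, ca.cert, pub, ca.key)
}

// modeOneResponse is what the current mode puts on the wire: certificate AND
// private key. Whoever can read the channel holds the user's credential.
type modeOneResponse struct {
	CertDER    []byte
	PrivateKey *ecdsa.PrivateKey
}

// issueModeOne: the STS generates the key pair itself and returns both parts.
func (ca *toyCA) issueModeOne(cn string, ttl time.Duration) (*modeOneResponse, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	der, err := ca.sign(cn, &key.PublicKey, ttl)
	if err != nil {
		return nil, err
	}
	return &modeOneResponse{CertDER: der, PrivateKey: key}, nil
}

// clientMakeCSR runs on the WebFTS side: the key pair is generated locally and
// only a self-signed request (public key plus proof of possession) is sent.
func clientMakeCSR() (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: "ignored by STS"}}
	csr, err := x509.CreateCertificateRequest(rand.Reader, req, key)
	if err != nil {
		return nil, nil, err
	}
	return key, csr, nil
}

// issueModeTwo: the STS verifies the CSR's self-signature (proof that the
// requester holds the private key) and signs the client's public key.
func (ca *toyCA) issueModeTwo(csrDER []byte, cn string, ttl time.Duration) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR proof of possession failed: %w", err)
	}
	pub, ok := csr.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return nil, errors.New("unsupported key type in CSR")
	}
	return ca.sign(cn, pub, ttl)
}

// verifyIssued is the check the delegation code can run on receipt: the
// certificate chains to the CA and carries exactly the client's own key.
func verifyIssued(certDER []byte, ca *toyCA, clientKey *ecdsa.PrivateKey) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca.cert)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return err
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok || !pub.Equal(&clientKey.PublicKey) {
		return errors.New("certificate does not carry the client's key")
	}
	return nil
}

func main() {
	ca, err := newToyCA()
	if err != nil {
		panic(err)
	}
	one, err := ca.issueModeOne("user", 48*time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Println("mode 1 returns the private key over the wire:", one.PrivateKey != nil)
	key, csr, err := clientMakeCSR()
	if err != nil {
		panic(err)
	}
	der, err := ca.issueModeTwo(csr, "user", 48*time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Println("mode 2 certificate verifies against the local key:", verifyIssued(der, ca, key) == nil)
}
```

The subject of the issued certificate is deliberately taken from the STS's own view of the user (what it derived from the SAML2 assertion) and not from the CSR, so a client cannot request a DN it is not entitled to; the CSR contributes only the public key and the proof of possession.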

Open Issues

• Above all we have to convince sites to trust IOTA-profile CAs.
  • It has to be discussed at the level of infrastructures: EGI, WLCG, ..
• How do we associate different identities of the same user (e.g. normal X.509 certificate and IdF)?
  • Now we manually map the X509 user credentials with the IOTA CA DN on the VOMS (as alias)
  • But how to guarantee this DN to be unique?

Open Issues [ii]

• The STS RA for the IOTA CA should use an eduGAIN persistent identifier attribute to ask for a unique DN
  • Which attributes can be considered persistent and unique in eduGAIN?
  • It looks like the eduPersonPrincipalName can be reassigned according to local policy..
  • Can we use the SAML2 Persistent Identifier? And are all eduGAIN IdPs providing it?
  • What about a combination of attributes?
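The uniqueness question on the two Open Issues slides can be made concrete. The Go program below is an added illustration written for this page, not project code: it models the assertion attributes as a plain struct (not a SAML parser), uses a constructed DN layout under /DC=example, and its names (saml2Attrs, dnFromEPPN, dnFromPersistentID, vomsAliasTable) are this example's own. It contrasts a DN derived from eduPersonPrincipalName, which an IdP may reassign to a new person, with a DN derived from the SAML2 persistent NameID scoped by the issuing IdP's entityID, and it refuses assertions that carry no persistent NameID instead of silently falling back. Whether every eduGAIN IdP releases a persistent NameID is exactly the open question the slide raises; the example only shows what the mapping looks like when it is present.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// saml2Attrs is a constructed view of what the STS RA sees in an assertion.
type saml2Attrs struct {
	IdPEntityID  string // <Issuer>
	NameIDFormat string // <NameID Format="...">
	NameID       string // <NameID> value
	EPPN         string // eduPersonPrincipalName attribute
}

const persistentFormat = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

// dnFromEPPN is the naive mapping: the DN is a function of the ePPN alone.
// If the IdP reassigns that ePPN under local policy, the new holder inherits
// the old holder's DN, and with it whatever VOMS alias is mapped to it.
func dnFromEPPN(a saml2Attrs) string {
	return "/DC=example/O=IOTA/CN=" + a.EPPN // constructed DN layout
}

// dnFromPersistentID derives the DN from (IdP entityID, persistent NameID).
// The persistent NameID is an opaque value the IdP keeps stable for this
// subject; scoping it with the entityID keeps two IdPs that happen to emit
// the same value from colliding. Assertions without one are refused.
func dnFromPersistentID(a saml2Attrs) (string, error) {
	if a.NameIDFormat != persistentFormat || a.NameID == "" {
		return "", errors.New("assertion carries no persistent NameID")
	}
	sum := sha256.Sum256([]byte(a.IdPEntityID + "\x00" + a.NameID))
	return "/DC=example/O=IOTA/CN=" + hex.EncodeToString(sum[:16]), nil
}

// vomsAliasTable is a toy stand-in for the manual DN -> account alias mapping
// kept on VOMS today.
type vomsAliasTable map[string]string

// resolve returns the account a DN lands on, or "" if it is unmapped.
func (t vomsAliasTable) resolve(dn string) string { return t[dn] }

// Constructed scenario: Alice is registered, leaves, and her IdP hands her
// ePPN to Bob. Bob's persistent NameID is of course different from hers.
var (
	alice = saml2Attrs{IdPEntityID: "https://idp.example.org/idp", NameIDFormat: persistentFormat,
		NameID: "a1b2c3-alice-opaque", EPPN: "ajones@example.org"}
	bob = saml2Attrs{IdPEntityID: "https://idp.example.org/idp", NameIDFormat: persistentFormat,
		NameID: "f9e8d7-bob-opaque", EPPN: "ajones@example.org"}
	// Same opaque NameID released by a different IdP: must not collide.
	carol = saml2Attrs{IdPEntityID: "https://idp.other.example/idp", NameIDFormat: persistentFormat,
		NameID: "a1b2c3-alice-opaque", EPPN: "carol@other.example"}
	// An IdP that only releases a transient NameID.
	dave = saml2Attrs{IdPEntityID: "https://idp.example.org/idp",
		NameIDFormat: "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", NameID: "_tmp42"}
)

// eppnCollision reports whether Bob would resolve to Alice's account when
// the DN is built from the ePPN alone.
func eppnCollision() bool {
	table := vomsAliasTable{dnFromEPPN(alice): "alice-account"}
	return table.resolve(dnFromEPPN(bob)) == "alice-account"
}

// persistentCollision reports the same check with persistent-ID based DNs.
func persistentCollision() (bool, error) {
	aliceDN, err := dnFromPersistentID(alice)
	if err != nil {
		return false, err
	}
	bobDN, err := dnFromPersistentID(bob)
	if err != nil {
		return false, err
	}
	table := vomsAliasTable{aliceDN: "alice-account"}
	return table.resolve(bobDN) == "alice-account", nil
}

func main() {
	fmt.Println("ePPN-derived DN: Bob inherits Alice's account:", eppnCollision())
	c, _ := persistentCollision()
	fmt.Println("persistent-ID-derived DN: Bob inherits Alice's account:", c)
	_, err := dnFromPersistentID(dave)
	fmt.Println("transient-only IdP refused:", err != nil)
}
```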

What have we achieved so far?

• IdF-enabled WebFTS is a working prototype available at https://webfts-dev.cern.ch/
  • only a few testing Storage Elements have the IOTA CA configured
• This is an important step towards “X.509-free” access to Grid resources.
• As said, the same technology may be used for other types of services

Questions?

https://github.com/cern-it-sdc-id/webfts