Security Tutorial - n° 2
Summary
Security mechanism of EDG
  Certificates
  Authentication/Authorization
  Overview of Authentication mechanism
  Registration and Usage
Service security now
Service security in Web Services
Security Tutorial - n° 3
Security Certificates
The project software supports ~12 Certification Authorities from the various partners involved in the project
  http://marianne.in2p3.fr/datagrid/ca/ca-table-ca.html
  For a machine to participate as a Testbed 1 resource all the CAs must be enabled.
  All CA certificates can be installed without compromising local site security.
Each host running a Grid service needs to be able to authenticate users and other hosts
  site manager has full control over security for local nodes
Virtual Organisation represents a community of users
  6 VOs: 4 HEP (ALICE, ATLAS, CMS, LHCb), 1 EO, 1 Biology
  Usage guidelines
  Account Registration
Security Tutorial - n° 4
Authentication/Authorization
Authentication (CA Working Group)
  11 national certification authorities
  policies & procedures
  mutual trust
  users identified by CA's certificates
Authorization (Authorization Working Group)
  Based on Virtual Organizations (VO).
  Management tools for LDAP-based membership lists.
  6+1 Virtual Organizations
[Diagram] VO's: ALICE, ATLAS, CMS, LHCb, Earth Obs., Biomedical, Guidelines
[Diagram] CA's: CERN, CESNET, CNRS, DataGrid-ES, GridPP, Grid-Ireland, INFN, LIP, NIKHEF, NorduGrid, Russian DataGrid
Security Tutorial - n° 5
1. Authentication Overview
[Diagram, built up incrementally on slides 5 to 15. Actors: CA, VO-LDAP, user, service. Labelled steps in the order they appear:]
  user: grid-cert-request -> cert-request to the CA
  CA: cert signing -> certificate to the user
  user: cert.pkcs12 convert
  user: registration with the VO-LDAP
  user: grid-proxy-init -> proxy-cert
  service: grid-cert-request -> host-request to the CA
  CA: cert signing -> host-cert to the service
  CA: cert/crl update -> ca-certificate, crl to the service
  service: mkgridmap -> gridmap from the VO-LDAP
  user <-> service: host/proxy certs exchanged
Security Tutorial - n° 16
Certificate/Authentication
Obtaining a certificate from a CA
  see http://marianne.in2p3.fr/datagrid/ca/ for CAs
  new certificate: grid-cert-request
    new files in ~/.globus: usercert_request.pem userkey.pem
    mail it to the appropriate CA (e.g. [email protected])
    save the answer: ~/.globus/usercert.pem
  new proxy certificate: grid-proxy-init
    /tmp/x509up_u<uid>
-> You have a certificate signed by an EDG CA.
Security Tutorial - n° 17
Registration/Authorization
User registration in an EDG Virtual Organisation
  convert your certificate:
    openssl pkcs12 -export -in ~/.globus/usercert.pem -inkey ~/.globus/userkey.pem -out user.p12 -name 'Joe Smith'
  import your certificate in your browser
  sign the usage guidelines:
    https://marianne.in2p3.fr/cgi-bin/datagrid/register/account.pl
  ask your VO administrator for an account by email
-> You are registered in the VO-LDAP server and have a user account.
Security Tutorial - n° 18
Usage
You must have a valid certificate from a trusted CA!
  "login": grid-proxy-init
    short lifetime certificate: 24 hours
    Enter PEM pass phrase:
    ...........................+++++
    ....................................+++++
  checking the proxy: grid-proxy-info -subject
    /O=Grid/O=CERN/OU=cern.ch/CN=Akos Frohner/CN=proxy
  "logout": grid-proxy-destroy
-> use the grid services
Security Tutorial - n° 19
Signing a Request
Upon a certificate request from the user
  checking the identity of the user (Registration Authority)
  signing the request and sending back the result
    openssl ca -in usercert_request.pem -out usercert.pem
  if something goes wrong: revocation of a certificate -> CRL
the issued certificates are described in the Certificate Policy (CP)
the process is described in the Certificate Practice Statement (CPS)
Security Tutorial - n° 20
Service
You must have the trusted CA certificates in files and the VO-LDAP server(s) URL configured.
  registering a trusted CA
    /etc/grid-security/certificates: hashed cert, crl and url
  generating a gridmap file: mkgridmap
    /etc/grid-security/gridmap: DN -> userid/gid mapping
  generating host/service certificate: grid-cert-request -host
    (see user certificates for the whole process)
Start the service!
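The gridmap lookup a service performs on the slide above, applied to the proxy subject shown on the Usage slide, as an added example (not the tutorial's or Globus' own code). It assumes the Globus grid-mapfile line format "/DN" account[,account...]; the gridmap contents and account names are constructed.

```python
from typing import Dict, List, Optional

# Constructed grid-mapfile contents (not from the tutorial). The quoted-DN
# "/DN" account[,account...] line format is the Globus grid-mapfile convention;
# the DN is the one on the grid-proxy-info slide, the account names are made up.
GRIDMAP = '''
# comment and blank lines are ignored
"/O=Grid/O=CERN/OU=cern.ch/CN=Akos Frohner" afrohner
"/O=Grid/O=CERN/OU=cern.ch/CN=Joe Smith" jsmith,cms001
'''


def parse_gridmap(text: str) -> Dict[str, List[str]]:
    """Map each quoted DN to its local accounts; the first one is the default."""
    mapping: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not line.startswith('"') or line.count('"') < 2:
            raise ValueError(f"malformed gridmap line: {raw!r}")
        end = line.index('"', 1)
        dn = line[1:end]
        accounts = [a for a in line[end + 1:].strip().split(",") if a]
        if not accounts:
            raise ValueError(f"no local account listed for {dn}")
        mapping[dn] = accounts
    return mapping


def identity_from_proxy_subject(subject: str) -> str:
    """grid-proxy-init appends one /CN=proxy (or /CN=limited proxy) component
    per delegation step to the holder's DN; strip them to recover the identity
    the CA actually certified, which is what the gridmap file lists."""
    while subject.endswith(("/CN=proxy", "/CN=limited proxy")):
        subject = subject.rsplit("/", 1)[0]
    return subject


def map_to_account(proxy_subject: str, mapping: Dict[str, List[str]]) -> Optional[str]:
    """Return the default local account for the proxy holder, or None when the
    identity is not in the gridmap file (the service must then refuse the request)."""
    accounts = mapping.get(identity_from_proxy_subject(proxy_subject))
    return accounts[0] if accounts else None
```

Stripping only trailing proxy components matters: a DN whose last CN merely contains the word "proxy" must not be rewritten, and an identity with no gridmap entry maps to no account at all rather than to a fallback.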
Security Tutorial - n° 21
Testbed support within WP6
Authentication: mkgridmap tool, generates the gridmap file
Security Tutorial - n° 22
WMS secure architecture
Security Tutorial - n° 23
Security Mechanism for Spitfire
[Diagram, built up incrementally on slides 23 to 29.]
Components: Servlet Container (SSLServletSocketFactory, TrustManager), Security Servlet, Authorization Module, Translator Servlet, ConnectionPool, RDBMS
Repositories: Trusted CAs, Revoked Certs repository, Role repository, Connection mappings
Flow:
  client -> Servlet Container: HTTP + SSL Request + client certificate
  TrustManager: Is certificate signed by a trusted CA? (Trusted CAs)
  TrustManager: Has certificate been revoked? (Revoked Certs repository)
  Security Servlet: Does user specify role? Yes -> Role; No -> Find default
  Authorization Module: Role ok? (Role repository)
  Authorization Module: Map role to connection id (Connection mappings)
  Translator Servlet -> ConnectionPool -> RDBMS: Request and connection ID
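The decision chain of the Spitfire diagram (trusted CA, revocation, requested or default role, role check, role to connection id) as an added example that is not Spitfire's own code. The repositories, CA and user DNs, role names, the default role and the connection ids are all constructed; that the default role is checked against the role repository like a requested one is an assumption.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class ClientCert:
    """The fields of the SSL client certificate the decision needs."""
    subject: str
    issuer: str   # DN of the signing CA
    serial: int   # revocation is keyed on issuer + serial, never on subject alone


# Constructed repositories (not Spitfire's data) standing in for the diagram's
# Trusted CAs, Revoked Certs repository, Role repository and Connection mappings.
TRUSTED_CAS: Set[str] = {"/C=CH/O=CERN/CN=CERN CA"}
REVOKED: Set[Tuple[str, int]] = {("/C=CH/O=CERN/CN=CERN CA", 42)}
ROLE_REPOSITORY: Dict[str, Set[str]] = {
    "/O=Grid/O=CERN/OU=cern.ch/CN=Joe Smith": {"reader", "writer"},
}
DEFAULT_ROLE = "reader"   # assumed: the "Find default" step picks this role
CONNECTION_MAPPINGS: Dict[str, str] = {"reader": "ro-pool", "writer": "rw-pool"}


def authorize(cert: ClientCert, requested_role: Optional[str]) -> Tuple[Optional[str], str]:
    """Return (connection id, reason); the connection id is None when access is denied."""
    # TrustManager: is the certificate signed by a trusted CA?
    if cert.issuer not in TRUSTED_CAS:
        return None, "issuer is not a trusted CA"
    # TrustManager: has the certificate been revoked?
    if (cert.issuer, cert.serial) in REVOKED:
        return None, "certificate has been revoked"
    # Security Servlet: does the user specify a role? Otherwise find the default.
    role = requested_role or DEFAULT_ROLE
    # Authorization Module: role ok? (assumed: the default role is checked too,
    # so a certificate holder with no entry in the role repository gets nothing)
    if role not in ROLE_REPOSITORY.get(cert.subject, set()):
        return None, f"role {role!r} not granted to {cert.subject}"
    # Map role to connection id for the Translator Servlet / ConnectionPool.
    connection_id = CONNECTION_MAPPINGS.get(role)
    if connection_id is None:
        return None, f"no connection mapping for role {role!r}"
    return connection_id, "ok"
```

The ordering is the point: trust and revocation are settled before any role is considered, and a user authenticated by a trusted CA still reaches the RDBMS only through the connection bound to a role the repository grants them.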
Security Tutorial - n° 30
Further Information