Security authentication, authorization and access control in gLite - PowerPoint PPT Presentation

1
Security: authentication, authorization and
access control in gLite
  • Jorge Gomes, Mário David, Gonçalo Borges
  • LIP

2
Summary
  • Overview
  • Authentication
  • Authorization
  • Certificates and CAs

3
Virtual Organization concept
  • Authorization based on the virtual organizations
    (VO) concept
  • VO is a collection of
  • Users with their roles in the VO
  • Resources (computing, storage ...)
  • The VOs are based around users that share common
    goals
  • One VO for each application, scientific area,
    experiment ...
  • VO contains resources for a particular use and
    set of users
  • Each VO should bring their own resources !!!

4
Supporting virtual organizations
  • The challenge
  • How to share resources
  • to support multiple user communities with members
    from many different organizations with common
    goals but with
  • complex internal organization
  • different roles and responsibilities
  • sometimes with sub communities
  • desiring different access policies within the VOs
  • across highly distributed computing
    infrastructures
  • geographically and politically
  • across multiple administrative domains
  • crossing firewalls and different security
    policies
  • Authentication and authorization is a key issue

5
VO examples: LHC and the LCG
Each LHC experiment has its own VO: ATLAS, CMS,
LHCB, ALICE
6
The problems
  • How can the members of the VO be identified?
  • Who does belong to a VO? Who does not?
  • How does a machine identify its client?
  • How are access rights controlled?
  • How does a user access a VO resource without
    having a user account on the machines in between
    or even on the resource?
  • How can we still enable the sites to have control
    over the usage of their resources?

7
Grid Security Infrastructure - GSI
  • Authentication: how is identity of user/site
    communicated?
  • Authorisation: what can a user do?
  • Encryption: encrypted messages
  • Integrity: unchanged messages

[Diagram: Grid Security Infrastructure covering Authentication, Authorization, Encryption and Data Integrity]
GSI uses public key cryptography (also known as
asymmetric cryptography) as the basis for its
functionality. A central concept in GSI
authentication is the certificate. Every user and
service on the Grid is identified via a
certificate.
8
Basis of Grid Security Infrastructure: Public
Key Algorithms
  • Every entity that wants to join a VO
    (user/machine/software) has two keys: one private
    and one public
  • a message encrypted by one key can be decrypted
    only by the other one
  • it is computationally infeasible to derive the
    private key from the public one
  • Concept (simplified version)
  • Public keys are exchanged
  • The sender encrypts using the receiver's public key
  • The receiver decrypts using their private key

[Diagram: John's keys, public and private]
9
Digital Signatures in use: non-repudiation and
message integrity
  • Paul calculates the hash of the message: a 128
    bit value based on the content of the message
  • Paul encrypts the hash using his private key: the
    encrypted hash is the digital signature.
  • Paul sends the signed message to John.
  • John calculates the hash of the message → Hash B
  • Decrypts A with Paul's public key → Hash A
  • If the hashes are equal: 1. hash B is from Paul's
    private key
  • 2. the message wasn't modified

[Diagram: Paul derives Hash A from the message and produces the digital signature with his private key; John computes Hash B and recovers Hash A with Paul's public key]
10
Certificates and keys
  • Public key is wrapped into a certificate file
  • Certificates are issued by trusted third parties
    Grid Certification Authorities (CA)
  • Private key is stored in encrypted file
    protected by a passphrase
  • Private and public keys are created by the grid
    user

[Diagram: the certificate carries the public key; the private key is kept separately. Certificate fields:]
  • Subject: /C=PT/O=LIPCA/O=LIP/OU=Lisboa/CN=Jorge Gomes
    (identifies the subscriber: user or service)
  • Issuer: /C=PT/O=LIPCA/CN=LIP Certification Authority
    (identifies the certification authority)
  • Expiration date: Jan 18 17:31:34 2008 GMT
    (certificate lifetime: 365 days)
  • Serial number: 182 (0xb6)
    (really identifies a certificate)
  • Optional extensions
  • CA digital signature
11
Grid Certification Authorities
  • The binding between the user's identity and a
    key pair has to be certified by someone
  • The third parties that identify the users and
    issue them the key pairs are called Certification
    Authorities (CA)
  • CAs issue authentication credentials
    (CERTIFICATES)
  • They are independent bodies
  • Usually they are not associated with projects or
    infrastructures
  • Grid CAs issue certificates for grid computing
    to
  • End-users
  • Grid services
  • The CAs assert that
  • the certificate requester corresponds
  • User certificate: to the identity data in the
    issued certificate
  • System: to the person responsible for the system
    in the identity data
  • the data in the certificate was correct at the
    time of issuance

12
Global trust for grid computing
  • There is usually one CA per country or very large
    organization
  • Many grid CAs do exist worldwide
  • Each CA issues certificates for grid users and
    services within its geographical or
    administrative scope
  • To establish global grids a common trust domain
    had to be established
  • Umbrella on top of the certification authorities
  • The International Grid Trust Federation (IGTF)
  • the body that manages a global trust domain for
    grid computing
  • supports the biggest grid infrastructures
    worldwide
  • The IGTF is split in three regional Policy
    Management Authorities
  • EUgridPMA → Europe
  • APgridPMA → Asia Pacific
  • TAGPMA → Americas
  • The IGTF trust domain contains
  • Around 71 CAs
  • operated by 51 entities

13
Geographical coverage of the EUGridPMA
  • Green: EMEA countries with an Accredited
    Authority
  • 23 of 25 EU member states (all except LU, MT)
  • AM, CH, HR, IL, IS, NO, PK, RS, RU, TR,
    SEE-catch-all
  • Other EUGridPMA Accredited Authorities
  • DoEGrids (.us)
  • GridCanada (.ca)
  • CERN

LIP CA
14
Issuing a certificate
Request
User makes a certificate request using its web
browser
User identity is confirmed by the Registration
Authority / Certification Authority
The certificate can be used for user
authentication
The certificate is issued by the CA and can be
downloaded via web
15
Issuing a certificate
[Diagram labels: CA server; server LIP; Private key; Signing machine LIP (off-line)]
  • 1. Certificate request
  • 2. Identity verification by the RA
  • 3. Request is transferred
  • 5. CA signature
  • 6. Certificate is transferred
  • 8. Certificate download
16
LIP Certification Authority
  • The LIP CA is the IGTF grid CA for Portugal
  • It is supported by all IGTF relying parties
  • http://ca.lip.pt
  • CA manager: Nuno Dias

17
LIP Certification Authorities
Select one of the RAs: the one that matches your
organization. If none matches your organization, a
new RA will have to be established.
  • The LIP CA has started a network of registration
    authorities
  • We welcome more registration authorities!
  • The CA manager (Nuno Dias) can be reached at
    ca@lip.pt

18
LIP Certification Authority
CA management software based on OpenCA modified
to fit IGTF and CP/CPS requirements
  • Just click on automatic browser detection
  • Netscape, mozilla, firefox, epiphany, IE 7 do
    work
  • Windows Vista is not supported

19
LIP Certification Authority
  • Please notice
  • The key pair (private + public key) is generated
    inside the web browser
  • The private key never leaves the browser
  • You need the private key installed to recover the
    signed certificate
  • Once the signed certificate is retrieved from the
    CA it will be stored in the web browser
    certificate store
  • Never request a certificate from an untrusted
    workstation
  • Always protect the certificates stored in the
    browser (or elsewhere) with a password !!!!!

[Request form annotations:]
  • Only these fields are used in the certificate
  • The DNS name is for server certificates
  • Enter your full name as in your identity card
  • Information for administrative purposes
  • Select user or web server for user or server certificates
  • Enter a passphrase to recover your certificate
20
LIP Certification Authority
  • Remember you need to download the certificate
    from the same machine used to request it !

21
LIP Certification Authority
  • To use the gLite middleware you will likely need
    to
  • extract the certificate from the browser
  • install it in a Linux system with the gLite user
    middleware installed
  • Exporting depends on the browser
  • Find the browser certificate management interface;
    on IE 7 do
  • Tools -> Internet options -> Content -> Certificates -> Personal -> Export
  • Follow the wizard
  • Answer "Yes, export the private key"
  • Enter a passphrase and its confirmation
  • Destination filename
  • It will produce a file containing both the public
    and private keys in PKCS12 format
  • The grid uses the PEM format where the private
    key and public key are stored in two different
    files
  • Therefore the PKCS12 file must be converted to
    PEM format
  • Use the openssl command available in Linux and
    UNIX systems
  • openssl pkcs12 -nocerts -in usercert.p12 -out $HOME/.globus/userkey.pem
  • openssl pkcs12 -clcerts -nokeys -in usercert.p12 -out $HOME/.globus/usercert.pem
  • chmod 400 $HOME/.globus/userkey.pem
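
The conversion steps above, wrapped in one function that keeps the private key unreadable to other users while it is being written and confirms that the resulting key and certificate belong together. This is an added example, not part of the original slides; P12_PASS and KEY_PASS are hypothetical environment variable names used so the function can also run unattended.

```shell
#!/bin/sh
# Added example (not from the slides): PKCS#12 -> PEM pair for ~/.globus.
# P12_PASS / KEY_PASS are hypothetical variable names; when they are unset,
# openssl prompts for the pass phrases on the terminal instead.

p12_to_globus() {
    p12=$1
    dest=${2:-$HOME/.globus}
    [ -r "$p12" ] || { echo "cannot read $p12" >&2; return 2; }

    in_opt=; out_opt=; key_opt=
    if [ -n "${P12_PASS+set}" ]; then in_opt="-passin env:P12_PASS"; fi
    if [ -n "${KEY_PASS+set}" ]; then
        out_opt="-passout env:KEY_PASS"
        key_opt="-passin env:KEY_PASS"
    fi

    # Write to temporary names under a restrictive umask, so the private key
    # is never readable by other users, not even before the chmod.
    # The *_opt variables are left unquoted on purpose (two words each).
    (
        umask 077
        mkdir -p "$dest" || exit 1
        openssl pkcs12 -nocerts -in "$p12" \
            -out "$dest/userkey.pem.new" $in_opt $out_opt || exit 1
        openssl pkcs12 -clcerts -nokeys -in "$p12" \
            -out "$dest/usercert.pem.new" $in_opt || exit 1
    ) || { rm -f "$dest/userkey.pem.new" "$dest/usercert.pem.new"; return 1; }

    # The public key in the certificate must equal the one derived from the
    # private key; otherwise the pair is useless for authentication.
    cert_pub=$(openssl x509 -in "$dest/usercert.pem.new" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$dest/userkey.pem.new" -pubout $key_opt) || return 1
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "certificate and private key do not match" >&2
        rm -f "$dest/userkey.pem.new" "$dest/usercert.pem.new"
        return 3
    fi

    chmod 400 "$dest/userkey.pem.new"
    chmod 644 "$dest/usercert.pem.new"
    # mv replaces an existing read-only userkey.pem, which openssl -out
    # could not overwrite in place.
    mv -f "$dest/userkey.pem.new" "$dest/userkey.pem" &&
    mv -f "$dest/usercert.pem.new" "$dest/usercert.pem" &&
    openssl x509 -in "$dest/usercert.pem" -noout -subject -enddate
}
```

Run it as `p12_to_globus usercert.p12`; it prints the subject and expiry date of the installed certificate on success.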

22
User responsibilities
  • Keep your private key secure
  • Follow the CA CP/CPS document rules
  • Do not loan your certificate to anyone
  • Report to your local/regional contact if your
    certificate has been compromised, is suspected of
    being compromised, or is lost.
  • Always protect your certificate with a GOOD
    passphrase
  • More than 12 characters long
  • Do not use valid words
  • Mix numbers and signs
  • Note: file access rights for use with globus and
    gLite middleware

    [sipos@glite-tutor]$ ls -l .globus/
    total 8
    -rw-r--r-- 1 sipos users 1761 Oct 25 2006 usercert.pem
    -r-------- 1 sipos users  951 Oct 24 2006 userkey.pem

Remember: certificates are valid for one year.
They have to be renewed yearly! DO IT ONE MONTH
PRIOR TO EXPIRATION, otherwise you will have to
pass the identity checks again!
If your certificate is used by someone other than
you, it cannot be proven that it was not you.
23
Joining a VO
  • Steps
  • User obtains certificate from Certification
    Authority
  • User registers at the VO
  • via VOMS
  • VO manager authorizes the user
  • via VOMS
  • List of EGEE VOs: on the CIC Operations Portal
  • User's identity in the Grid: the subject of the
    certificate, /C=PT/O=LIPCA/OU=Lisbon/CN=Jorge Gomes

[Diagram: obtaining the certificate from the CA (annually); joining the VO through the VO mgr and VOMS (once); VO database]
24
Joining a VO using VOMS
You need to have the certificate loaded in the
browser. Some information is filled in
automatically from the certificate. Read the VO
guidelines before accepting to join. The VO manager
will contact you to know who you are and check if
you can join the VO.
  • VOMS is a service to manage virtual organization
    user memberships
  • See EGEE NA4 and CIC portals for joining EGEE VOs
  • http://cic.gridops.org/

25
Basic services of gLite
[Diagram labels: Information System; Submit job; query; Retrieve status and output; Create proxy credential; publish state; process; Authorization Service (VO Management Service)]
26
Need for delegation
"Start this job for me on the best resource of
the biomed VO!"
These services do not know each other. They know
and trust YOU!
[Diagram: User, Broker, Computing Elements with processes at Site A and Site B, Storage Element at Site C, with mutual authentication]
27
Delegation of user identities by limited proxies
  • Delegation - allows remote process and services
    to authenticate on behalf of the user
  • Remote process/service impersonates the user
  • Achieved by creation of a next-level key pair from
    the user's key pair.
  • The new key pair is stored in a single file: the
    proxy credential
  • Proxy has limited lifetime (usually 12 hours)
  • Proxy may be valid for limited operations
  • The client can delegate the proxy to processes
  • Each service decides whether it accepts proxies
    for authentication

28
Logging into the Grid: creating a proxy credential
  • [jorge]$ voms-proxy-init -voms dteam
  • Your identity: /C=PT/O=LIPCA/O=LIP/OU=Lisboa/CN=Jorge Gomes
  • Enter GRID pass phrase:
  • Creating temporary proxy ....................................... Done
  • Contacting lcg-voms.cern.ch:15004
    [/DC=ch/DC=cern/OU=computers/CN=lcg-voms.cern.ch]
    "dteam" Done
  • Creating proxy ..................................................... Done
  • Your proxy is valid until Tue Oct 23 06:37:52
    2007
  • voms-proxy-init → login to the Grid
  • Enter GRID pass phrase → private key is
    protected by a password
  • Options for voms-proxy-init
  • -voms <VO name>
  • -hours <lifetime of new credential>
  • -help

29
voms-proxy-init in the background
  • User enters pass phrase, which is used to decrypt
    private key.
  • New private and new public key-pair generated
    and saved into proxy file
  • Original private key is used to sign the proxy
    file
  • The user's private key is not exposed after the
    proxy has been signed
  • Proxy file saved in /tmp
  • the private key part of the proxy is not
    encrypted
  • proxy lifetime is short (typically 12 h) to
    minimize security risks.
  • NOTE: the VOMS server is contacted during this step.

30
Delegation of user identities by limited proxies
  • Certificate DN
  • /C=PT/O=LIP CA/OU=Lisbon/CN=Jorge Gomes
  • Proxy DN
  • /C=PT/O=LIP CA/OU=Lisbon/CN=Jorge Gomes/CN=proxy
  • [jorge@ui01 jorge]$ printenv X509_USER_PROXY
  • X509_USER_PROXY=/tmp/x509up_u115
  • [jorge@ui01 jorge]$ ls -l /tmp/x509*
  • -rw------- 1 jorge csys 5851 Oct 22 18:37 /tmp/x509up_u115
  • -rw------- 1 david csys 5964 Oct 12 13:15 /tmp/x509up_u129
  • [jorge@ui01 jorge]$ openssl x509 -noout -subject -in /tmp/x509up_u115
  • subject= /C=PT/O=LIPCA/O=LIP/OU=Lisboa/CN=Jorge Gomes/CN=proxy
  • [jorge@ui01 jorge]$ openssl x509 -noout -enddate -in /tmp/x509up_u115
  • notAfter=Oct 23 07:31:38 2007 GMT
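
Because the proxy's private key is stored unencrypted in /tmp, the file modes shown in the listings (here and on the user responsibilities slide) are the only local protection. The audit below is an added example, not part of the original slides; the rule it applies is generalised from those listings, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the slides): audit access rights of grid credentials.
# Rule applied (an assumption generalised from the listings in the slides):
#   - files holding a private key (userkey.pem, the proxy) belong to the caller
#     and grant nothing to group or others;
#   - usercert.pem may be world-readable but not writable by group or others.
# Usage: audit_grid_credentials [globus_dir] [proxy_file]

perm_bits() { ls -ld "$1" | cut -c2-10; }             # e.g. "rw-------"
owner_uid() { ls -ldn "$1" | awk '{ print $3 }'; }    # numeric owner id

is_regular() {
    # A symlink at a predictable /tmp path is treated as a finding, not followed.
    [ ! -L "$1" ] && [ -f "$1" ]
}

check_private() {
    f=$1
    is_regular "$f" || { echo "BAD  $f: missing or not a regular file"; return 1; }
    if [ "$(owner_uid "$f")" != "$(id -u)" ]; then
        echo "BAD  $f: not owned by uid $(id -u)"; return 1
    fi
    case $(perm_bits "$f") in
        r?-------) echo "OK   $f" ;;                  # 400 or 600
        *) echo "BAD  $f: mode $(perm_bits "$f") exposes a private key"; return 1 ;;
    esac
}

check_public() {
    f=$1
    is_regular "$f" || { echo "BAD  $f: missing or not a regular file"; return 1; }
    case $(perm_bits "$f") in
        ????-??-?) echo "OK   $f" ;;                  # no group/other write bit
        *) echo "BAD  $f: mode $(perm_bits "$f") lets others replace it"; return 1 ;;
    esac
}

# Returns the number of findings as exit status (0 = clean).
audit_grid_credentials() {
    globus_dir=${1:-$HOME/.globus}
    proxy=${2:-${X509_USER_PROXY:-/tmp/x509up_u$(id -u)}}
    problems=0
    check_public  "$globus_dir/usercert.pem" || problems=$((problems + 1))
    check_private "$globus_dir/userkey.pem"  || problems=$((problems + 1))
    # A proxy only exists between voms-proxy-init and voms-proxy-destroy.
    if [ -e "$proxy" ] || [ -L "$proxy" ]; then
        check_private "$proxy" || problems=$((problems + 1))
    fi
    return "$problems"
}
```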

31
Proxy in action
Single sign-on via grid-id, generation of
proxy cred.
[Diagram: User, GSI-enabled servers, Computing Elements at Site A and Site B, Storage Element at Site C, with mutual authentication]
32
Logging out from the Grid: destroying the proxy
credential
  • voms-proxy-init: login to the Grid
  • Before logout you have to destroy your proxy
  • voms-proxy-destroy
  • This does NOT destroy any proxies that were
    delegated from this proxy.
  • You cannot revoke a remote proxy
  • Usually create proxies with short lifetimes
  • To gather information about your proxy
  • voms-proxy-info
  • Options for printing proxy information: -subject
    -issuer -all -type -timeleft -strength -help

33
voms-proxy-init in the background 2
  • VOMS: VO Management Service
  • VO level service
  • Database of user roles
  • voms-proxy-init
  • Creates a proxy locally
  • Contacts the VOMS server and extends the proxy
    with a role
  • voms-proxy-init -voms swetest
  • Allows VOs to centrally manage user roles

[Diagram labels: Proxy; Proxy + VOMS roles]
34
Controlling user rights: Virtual Organization
Membership Service
  • Before VOMS
  • All VO members have same rights
  • Grid user identities are mapped onto local user
    accounts statically
  • User is authorised as a member of a single VO (no
    aggregation of roles)
  • grid-proxy-init
  • VOMS
  • VO can have groups
  • Different rights for each
  • Different groups of experimentalists
  • Nested groups
  • VOMS has roles
  • Assigned to specific purposes
  • E.g. system admin
  • When assume this role
  • User can be in multiple VOs
  • Aggregate roles
  • Proxy certificate carries the additional
    attributes
  • voms-proxy-init

35
Controlling user rights on sites: pool accounts
[Diagram: local user pool 1 (Students), local user pool 2 (Researchers), local user pool 3 (VO administrators)]
The grid user can perform those actions on the
site that any user account from pool 3 is
allowed to
36
gLite AA Summary
  • Authentication
  • User obtains certificate from Certificate
    Authority
  • Connects to UI by ssh and uploads certificate to
    UI
  • or
  • Login to a portal and use MyProxy
  • Single logon to the Grid - create proxy
  • then Grid Security Infrastructure uses proxies

  • Authorisation
  • User joins Virtual Organisation
  • VO manager updates VOMS DB
  • Capabilities added to proxy by VOMS

[Diagram labels: CA (annually); VO mgr and VOMS (once); VO database; GSI]
37
User Responsibilities 2.
  • Do not launch a delegation service for longer
    than your current task needs !!!!

If your certificate or delegated service is used
by someone other than you, it cannot be proven
that it was not you.
38
MyProxy server
  • You may need
  • To interact with a grid from many machines
  • And you realise that you must NOT, EVER leave
    your certificate where anyone can find and use
    it.
  • Solution: you can store a proxy in a MyProxy
    server and derive a proxy certificate when
    needed
  • MyProxy: storage server for proxy files

39
MyProxy example
[Diagram labels: Certificate; Private key; Proxy]
40
Summary - To become a user
  • Obtain a certificate from a recognized CA
  • www.gridpma.org
  • 1 year long, renewable certificates, accepted in
    every EGEE VO
  • For Portugal this is the LIPCA: http://ca.lip.pt
  • Find a VO and register
  • EGEE NA4 - CIC Operations portal:
    http://cic.gridops.org/
  • For testing you can register in the swetest VO
  • Eventually a new VO may be created
  • Use the grid
  • command line clients installed on the User
    Interface server (UI is a machine maintained by
    the VO / your institute / you)
  • voms-proxy-init -voms <VO name>
  • voms-proxy-destroy

41
iscampos@ifca.unican.es
42
About the exercises
  • The presentations are available at
  • http://www.lip.pt/grid-training/program.php
  • For this training session we have issued dummy
    certificates from a dummy CA
  • Please login now into the User Interface server
  • ui03.lip.pt
  • use your SSH client from your notebook
  • use the usernames and passwords that have been
    distributed

43
Exercise 1
  • openssl x509 -text -noout -in $HOME/.globus/usercert.pem

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 182 (0xb6)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=PT, O=LIPCA, CN=LIP Certification Authority
        Validity
            Not Before: Jan 18 17:31:34 2007 GMT
            Not After : Jan 18 17:31:34 2008 GMT
        Subject: C=PT, O=LIPCA, O=LIP, OU=Lisboa, CN=Jorge Gomes
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit): (hex bytes omitted)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            Netscape Cert Type:
                SSL Client, S/MIME
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            Netscape Comment:
                LIP Certification Authority User Signed Cerificate
            X509v3 Subject Key Identifier:
                6C356F6257DF928C7F7576CE4D3121ADEF8193C0
            X509v3 Authority Key Identifier:
                keyid:42AE6EF7861E9EE868EFCF795338624E00F242EC
                DirName:/C=PT/O=LIPCA/CN=LIP Certification Authority
                serial:00
            X509v3 Subject Alternative Name:
                email:jorge@lip.pt
            X509v3 Issuer Alternative Name:
                email:ca@lip.pt
            Netscape CA Revocation Url:
                http://ca.lip.pt/crl/crl.pem
            Netscape CA Policy Url:
                http://ca.lip.pt/policy
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.9846.10.1.1.4.0
            X509v3 CRL Distribution Points:
                URI:http://ca.lip.pt/crl/crl.pem
    Signature Algorithm: sha1WithRSAEncryption
        (signature bytes omitted)
44
Exercise 2
  • Look at installed CA certificates
  • ls /etc/grid-security/certificates
  • You will see files such as
  • 11b4a5a2.0 <= CA certificate in PEM format
  • 11b4a5a2.crl_url <= URL to download a CRL
  • 11b4a5a2.info <= info about the CA
  • 11b4a5a2.r0 <= CRL (certificate revocation list)
  • 11b4a5a2.signing_policy <= CA name space

45
Exercise 2
  • You can look at any CA certificate
  • openssl x509 -text -noout -in /etc/grid-security/certificates/11b4a5a2.0
  • Certificate:
  • Data:
  • Version: 3 (0x2)
  • Serial Number: 0 (0x0)
  • Signature Algorithm: sha1WithRSAEncryption
  • Issuer: C=PT, O=LIPCA, CN=LIP
    Certification Authority
  • Validity
  • Not Before: Jun 3 16:42:59 2004 GMT
  • Not After : Jun 2 16:42:59 2009 GMT
  • Subject: C=PT, O=LIPCA, CN=LIP
    Certification Authority
  • Subject Public Key Info:
  • Public Key Algorithm: rsaEncryption
  • RSA Public Key: (2048 bit)
  • Modulus (2048 bit):

46
Exercise 2
  • You can look at the CRLs containing the lists of
    revoked certificates
  • openssl crl -text -noout -in /etc/grid-security/certificates/11b4a5a2.r0
  • Certificate Revocation List (CRL):
  • Version 1 (0x0)
  • Signature Algorithm: md5WithRSAEncryption
  • Issuer: /C=PT/O=LIPCA/CN=LIP
    Certification Authority
  • Last Update: Oct 1 09:22:06 2007 GMT
  • Next Update: Oct 31 09:22:06 2007 GMT
  • Revoked Certificates:
  • Serial Number: 01
  • Revocation Date: Jun 4 13:32:14 2004 GMT
  • Serial Number: 02
  • Revocation Date: Jul 5 14:52:16 2004 GMT
  • Serial Number: 04
  • Revocation Date: Jun 7 09:56:59 2004 GMT
  • Serial Number: 05
  • Revocation Date: Jun 7 10:16:50 2004 GMT
  • ...

47
Exercise 3
  • Changing the password of a certificate (private
    key) in PEM
  • cd $HOME/.globus
  • openssl rsa -in userkey.pem -des3 -out new-userkey.pem
  • mv new-userkey.pem userkey.pem
  • Verify a certificate
  • openssl verify -CApath /etc/grid-security/certificates $HOME/.globus/usercert.pem

48
Exercise 4
  • Create a VOMS proxy in the int.eu.grid itut VO
  • [jorge]$ voms-proxy-init -voms itut
  • Your identity: /C=PT/O=LIPCA/O=LIP/OU=Lisboa/CN=Jorge Gomes
  • Enter GRID pass phrase:
  • Creating temporary proxy ................................................... Done
  • Contacting i2g-voms.lip.pt:20003
    [/C=PT/O=LIPCA/O=LIP/OU=Lisboa/CN=i2g-voms.lip.pt]
    "itut" Done
  • Creating proxy ..................................................... Done
  • Your proxy is valid until Tue Oct 23 08:02:45
    2007
  • See proxy in /tmp
  • [jorge]$ ls -l /tmp/x509up_u`id -u`
  • -rw------- 1 jorge csys 5213 Oct 22 20:02 /tmp/x509up_u115
  • [jorge]$ openssl x509 -subject -noout -in /tmp/x509up_u`id -u`
  • subject= /C=PT/O=LIPCA/O=LIP/OU=Lisboa/CN=Jorge Gomes/CN=proxy

49
Exercise 5
  • Get info from proxy
  • [jorge]$ voms-proxy-info -all
  • subject : /C=PT/O=LIPCA/O=LIP/OU=Lisboa/CN=Jorge Gomes/CN=proxy
  • issuer : /C=PT/O=LIPCA/O=LIP/OU=Lisboa/CN=Jorge Gomes
  • identity : /C=PT/O=LIPCA/O=LIP/OU=Lisboa/CN=Jorge Gomes
  • type : proxy
  • strength : 512 bits
  • path : /tmp/x509up_u115
  • timeleft : 11:45:28
  • VO : itut
  • subject : /C=PT/O=LIPCA/O=LIP/OU=Lisboa/CN=Jorge Gomes
  • issuer : /C=PT/O=LIPCA/O=LIP/OU=Lisboa/CN=i2g-voms.lip.pt
  • attribute : /itut/Role=NULL/Capability=NULL
  • timeleft : 11:45:28
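
The subject, issuer and identity lines above follow the legacy proxy naming rule shown on the "Certificate DN / Proxy DN" slide: the proxy subject is the issuer subject plus one extra CN. The check below is an added example, not part of the original slides; it goes slightly beyond the slide by also accepting the "limited proxy" CN and several levels of delegation, and the DNs in the sample are constructed.

```shell
#!/bin/sh
# Added example (not from the slides): recover the user identity from a legacy
# GSI proxy subject and check the naming rule that links a proxy to its issuer.
# Passing this check is necessary, not sufficient: the signatures in the chain
# still have to verify up to a trusted CA.

# Print DN without its last component if that is a legacy proxy CN; fail otherwise.
strip_proxy_cn() {
    case $1 in
        */CN=proxy)           printf '%s\n' "${1%/CN=proxy}" ;;
        */CN=limited\ proxy)  printf '%s\n' "${1%/CN=limited proxy}" ;;
        *) return 1 ;;
    esac
}

# End-entity DN behind any depth of delegation.
proxy_identity() {
    dn=$1
    while parent=$(strip_proxy_cn "$dn"); do dn=$parent; done
    printf '%s\n' "$dn"
}

# A proxy's subject must be exactly its issuer's subject plus one proxy CN.
is_valid_proxy_link() {
    parent=$(strip_proxy_cn "$1") || return 1
    [ "$parent" = "$2" ]
}

# Value of the first "name : value" line in voms-proxy-info text read from stdin
# (the first subject/issuer lines describe the proxy, later ones the VOMS part).
info_field() { sed -n "s/^$1 *: *//p" | sed -n 1p; }

# Check the proxy section of `voms-proxy-info -all` output given on stdin and
# print the identity an authorization decision should be based on.
check_proxy_info() {
    info=$(cat)
    subject=$(printf '%s\n' "$info" | info_field subject)
    issuer=$(printf '%s\n' "$info" | info_field issuer)
    claimed=$(printf '%s\n' "$info" | info_field identity)
    is_valid_proxy_link "$subject" "$issuer" ||
        { echo "proxy subject does not extend its issuer" >&2; return 1; }
    identity=$(proxy_identity "$subject")
    [ -z "$claimed" ] || [ "$claimed" = "$identity" ] ||
        { echo "identity line does not match the proxy subject" >&2; return 1; }
    printf '%s\n' "$identity"
}

# Constructed sample in the field layout of the voms-proxy-info output above.
SAMPLE_INFO='subject   : /C=PT/O=ExampleCA/O=Example/OU=Lisboa/CN=Test User/CN=proxy
issuer    : /C=PT/O=ExampleCA/O=Example/OU=Lisboa/CN=Test User
identity  : /C=PT/O=ExampleCA/O=Example/OU=Lisboa/CN=Test User
type      : proxy'

printf '%s\n' "$SAMPLE_INFO" | check_proxy_info
```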

50
Exercise 6
  • Destroy the proxy
  • [jorge]$ voms-proxy-destroy
  • [jorge]$ voms-proxy-info
  • Couldn't find a valid proxy.

51
Exercise 7
  • List the user roles in VOMS
  • [jorge]$ voms-proxy-list -voms itut
  • Enter GRID pass phrase:
  • Your identity: /C=PT/O=LIPCA/O=LIP/OU=Lisboa/CN=Jorge Gomes
  • Cannot find file or dir: /home/csys/jorge/.glite/vomses
  • Creating temporary proxy .......................................................... Done
  • Contacting i2g-voms.lip.pt:20003
    [/C=PT/O=LIPCA/O=LIP/OU=Lisboa/CN=i2g-voms.lip.pt]
    "itut" Done
  • Available attributes:
  • /itut/Role=NULL/Capability=NULL
  • /itut/Role=VO-Admin/Capability=NULL ← I'm one
    of the VO managers
  • Invoke a role, just as an example
  • [jorge]$ voms-proxy-init -voms itut:/Role=VO-Admin
  • Your identity: /C=PT/O=LIPCA/O=LIP/OU=Lisboa/CN=Jorge Gomes
  • Enter GRID pass phrase:
  • Creating temporary proxy ..................................................... Done
  • Contacting i2g-voms.lip.pt:20003
    [/C=PT/O=LIPCA/O=LIP/OU=Lisboa/CN=i2g-voms.lip.pt]
    "itut" Done
  • Creating proxy ............................................................................ Done
  • Your proxy is valid until Tue Oct 23 08:31:38 2007

52
Further information at
  • http://www.globus.org/security/overview.html
  • http://www.gridpma.org/
  • http://ca.lip.pt/
  • http://ca.lip.pt/index.php?linkinfo