Security Mechanisms - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Security Mechanisms
  • The European DataGrid Project Team
  • http://www.eu-datagrid.org

Peter.Kunszt@cern.ch
2
Summary
  • Security mechanism of EDG
  • Certificates
  • Authentication/Authorization
  • Overview of Authentication mechanism
  • Registration and Usage
  • Service security now
  • Service security in Web Services

3
Security Certificates
  • The project software supports 12 Certification
    Authorities from the various partners involved in
    the project
  • http://marianne.in2p3.fr/datagrid/ca/ca-table-ca.html
  • For a machine to participate as a Testbed 1
    resource, all the CAs must be enabled.
  • All CA certificates can be installed without
    compromising local site security
  • Each host running a Grid service needs to be able
    to authenticate users and other hosts
  • The site manager has full control over security for
    local nodes
  • A Virtual Organisation represents a community of
    users
  • 6 VOs: 4 HEP (ALICE, ATLAS, CMS, LHCb), 1 EO, 1
    Biology

Account Registration
Usage guidelines
4
Authentication/Authorization
  • Authentication (CA Working Group)
  • 11 national certification authorities
  • policies and procedures → mutual trust
  • users identified by CA certificates
  • Authorization (Authorization Working Group)
  • Based on Virtual Organizations (VO).
  • Management tools for LDAP-based membership lists.
  • 61 Virtual Organizations

5
1. Authentication Overview
6–15
1. Authentication Overview (animation builds of the slide 5 diagram; no further text)
16
Certificate/Authentication
  • Obtaining a certificate from a CA
  • see http://marianne.in2p3.fr/datagrid/ca/ for
    the list of CAs
  • new certificate: grid-cert-request
  • new files in ~/.globus: usercert_request.pem,
    userkey.pem
  • mail it to the appropriate CA (e.g.
    cern-globus-ca@cern.ch)
  • save the answer as
  • ~/.globus/usercert.pem
  • new proxy certificate: grid-proxy-init
  • /tmp/x509up_u<uid>
  • → You have a certificate signed by an EDG CA.

17
Registration/Authorization
  • User registration in an EDG Virtual Organisation
  • convert your certificate:
  • openssl pkcs12 -export -in ~/.globus/usercert.pem
    -inkey ~/.globus/userkey.pem -out user.p12 -name
    "Joe Smith"
  • import your certificate in your browser
  • sign the usage guidelines:
    https://marianne.in2p3.fr/cgi-bin/datagrid/register/account.pl
  • ask for an account from your VO administrator by
    email
  • → You are registered in the VO-LDAP server and
    have a user account.

18
Usage
  • You must have a valid certificate from a trusted
    CA!
  • login: grid-proxy-init
  • short lifetime certificate: 24 hours
  • Enter PEM pass phrase:
  • ...........................
  • ....................................
  • checking the proxy: grid-proxy-info -subject
  • /O=Grid/O=CERN/OU=cern.ch/CN=Akos
    Frohner/CN=proxy
  • logout: grid-proxy-destroy
  • → use the grid services

19
Signing a Request
  • Upon a certificate request from the user:
  • checking the identity of the user (Registration
    Authority)
  • signing the request and sending back the result:
  • openssl ca -in usercert_request.pem -out
    usercert.pem
  • if something goes wrong: revocation of the
    certificate → CRL
  • the issued certificates are described in the
    Certificate Policy (CP)
  • the process is described in the Certificate
    Practice Statement (CPS)

20
Service
  • You must have the trusted CA certificates in
    files and the VO-LDAP server(s) URL configured.
  • registering a trusted CA:
  • /etc/grid-security/certificates: hashed cert, crl
    and url
  • generating a gridmap file: mkgridmap
  • /etc/grid-security/gridmap: DN → userid/gid
    mapping
  • generating a host/service certificate:
    grid-cert-request -host (see user certificates
    for the whole process)
  • Start the service!
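
The DN → userid step on this slide is the point where a service turns a TLS-verified identity into a local account. The following is an added example, not EDG or Globus code: it parses a gridmap file in the classic `"<DN>" user[,user...]` line format (an assumption about the format, as the slides do not show one), strips the proxy CN components that `grid-proxy-info -subject` shows on the Usage slide so the lookup uses the CA-issued DN, and refuses proxies older than the 24-hour lifetime. The sample gridmap text and the DNs in it are constructed for the example.

```python
"""Resolve a proxy subject to a local account through a gridmap file.

Added example for the "Service" slide; it is not EDG or Globus code.
It assumes the classic grid-mapfile line format (a double-quoted DN
followed by one or more comma-separated local user names) and the
24-hour proxy lifetime stated on the "Usage" slide. The sample gridmap
text below is constructed for the example.
"""
import re
from typing import Dict, List, Optional

# Constructed stand-in for /etc/grid-security/gridmap (not from the slides).
SAMPLE_GRIDMAP = """\
# Lines starting with '#' and blank lines are ignored.
"/O=Grid/O=CERN/OU=cern.ch/CN=Akos Frohner" afrohner
"/O=Grid/O=CERN/OU=cern.ch/CN=Joe Smith" jsmith,alice001

"/O=Grid/O=CERN/OU=cern.ch/CN=host/grid01.example.org" grid01
"""

PROXY_LIFETIME_HOURS = 24  # grid-proxy-init lifetime from the Usage slide

# One gridmap entry: "<DN>" user[,user...]
ENTRY_RE = re.compile(r'^"(?P<dn>[^"]+)"\s+(?P<users>[^\s,]+(?:,[^\s,]+)*)$')

# Proxy certificates append CN components such as /CN=proxy,
# /CN=limited proxy or a numeric /CN=<serial> to the user's subject.
PROXY_SUFFIX_RE = re.compile(r'(/CN=(?:proxy|limited proxy|\d+))+$')


def parse_gridmap(text: str) -> Dict[str, List[str]]:
    """Parse gridmap text into {DN: [local users]}; malformed lines are rejected."""
    mapping: Dict[str, List[str]] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = ENTRY_RE.match(line)
        if match is None:
            # A bad line is a configuration error, not something to skip
            # silently: a dropped entry locks a user out, and a mangled one
            # can map a DN to the wrong account.
            raise ValueError(f"gridmap line {lineno} is malformed: {raw!r}")
        mapping[match.group("dn")] = match.group("users").split(",")
    return mapping


def identity_subject(proxy_subject: str) -> str:
    """Strip the proxy CN components so the lookup uses the CA-issued DN."""
    return PROXY_SUFFIX_RE.sub("", proxy_subject)


def map_to_local_user(proxy_subject: str, proxy_age_hours: float,
                      mapping: Dict[str, List[str]]) -> Optional[str]:
    """Return the local account for a proxy, or None if it is expired or unmapped.

    The DN is trusted only because the TLS layer has already verified the
    certificate chain against /etc/grid-security/certificates; this function
    does just the DN -> userid mapping named on the slide.
    """
    if proxy_age_hours >= PROXY_LIFETIME_HOURS:
        return None  # expired proxy: the user must run grid-proxy-init again
    users = mapping.get(identity_subject(proxy_subject))
    if not users:
        return None  # DN not registered at this site
    return users[0]  # the first listed account is the default mapping


if __name__ == "__main__":
    gridmap = parse_gridmap(SAMPLE_GRIDMAP)
    subject = "/O=Grid/O=CERN/OU=cern.ch/CN=Akos Frohner/CN=proxy"
    print(identity_subject(subject), "->", map_to_local_user(subject, 1.0, gridmap))
```

The parser fails closed on a malformed line rather than skipping it, and the lookup key is the identity DN with the proxy suffix removed; both are the checks a site manager wants when reviewing how a service consumes the file mkgridmap produces.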

21
Testbed support within WP6: Authentication
mkgridmap tool: generate the gridmap file
22
WMS secure architecture
23
Security Mechanism for Spitfire (architecture diagram; component labels)
  • Servlet Container
  • SSLServletSocketFactory
  • RDBMS
  • Trusted CAs
  • TrustManager
  • Revoked Certs repository
  • Security Servlet
  • ConnectionPool
  • Authorization Module
  • Role repository
  • Translator Servlet
  • Connection mappings
  • Map role to connection id
24–29
Security Mechanism for Spitfire (animation builds of the slide 23 diagram; later builds add the labels "Does user specify role?" and "Role")
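
The labels on slides 23–29 describe a request path: the TrustManager validates the client certificate at the TLS layer, the Security Servlet hands the authenticated DN to the Authorization Module, which consults the role repository, asks "Does user specify role?", and maps the resulting role to a connection id in the ConnectionPool. The following is an added illustration of that flow, not Spitfire's own code; the role repository, connection mappings, default role and DNs are all constructed.

```python
"""Role-based choice of a database connection, as in the Spitfire diagram.

Added example, not Spitfire's own code. It models the labelled boxes:
an authenticated subject (already checked by the TrustManager at the
TLS layer), a role repository, the "Does user specify role?" decision,
and the mapping of a role to a pooled connection id. All names and
sample data are constructed.
"""
from typing import Dict, Iterable, List, Optional


class AuthorizationError(Exception):
    """Raised when the subject may not use the requested role."""


# Role repository: which roles each authenticated DN may assume (constructed).
ROLE_REPOSITORY: Dict[str, List[str]] = {
    "/O=Grid/O=CERN/OU=cern.ch/CN=Joe Smith": ["reader", "writer"],
    "/O=Grid/O=CERN/OU=cern.ch/CN=Akos Frohner": ["reader"],
}

# Connection mappings: role -> pooled connection id. Each pooled connection
# logs in to the RDBMS with a database account whose grants match the role,
# so the grid user never holds database credentials.
CONNECTION_MAPPINGS: Dict[str, str] = {
    "reader": "conn-readonly",
    "writer": "conn-readwrite",
}

# The role assumed when the client does not name one: the least privileged.
DEFAULT_ROLE = "reader"


def map_role_to_connection(subject: str, requested_role: Optional[str] = None) -> str:
    """Return the connection id the Translator Servlet should use for this request."""
    allowed = ROLE_REPOSITORY.get(subject)
    if not allowed:
        raise AuthorizationError(f"{subject} is not in the role repository")
    # "Does user specify role?" - if not, fall back to the default role;
    # the default is still checked against the repository, never assumed.
    role = requested_role if requested_role is not None else DEFAULT_ROLE
    if role not in allowed:
        raise AuthorizationError(f"{subject} may not act as {role!r}")
    connection_id = CONNECTION_MAPPINGS.get(role)
    if connection_id is None:
        # A role with no connection is a deployment error; fail closed.
        raise AuthorizationError(f"no connection mapped for role {role!r}")
    return connection_id


class ConnectionPool:
    """Minimal pool keyed by connection id; hands out handles, never credentials."""

    def __init__(self, connection_ids: Iterable[str]) -> None:
        self._handles = {cid: f"<handle:{cid}>" for cid in connection_ids}

    def checkout(self, connection_id: str) -> str:
        try:
            return self._handles[connection_id]
        except KeyError:
            raise AuthorizationError(f"unknown connection {connection_id!r}") from None


def handle_request(subject: str, requested_role: Optional[str], pool: ConnectionPool) -> str:
    """Security Servlet -> Authorization Module -> ConnectionPool, as one call."""
    return pool.checkout(map_role_to_connection(subject, requested_role))


if __name__ == "__main__":
    pool = ConnectionPool(CONNECTION_MAPPINGS.values())
    print(handle_request("/O=Grid/O=CERN/OU=cern.ch/CN=Joe Smith", "writer", pool))
    print(handle_request("/O=Grid/O=CERN/OU=cern.ch/CN=Akos Frohner", None, pool))
```

The design point worth checking in any such module is that the role chosen when the client names none is the least privileged one and is still validated against the repository, and that an unmapped role or unknown subject is refused rather than given some fallback connection.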
30
Further Information