Grid Security Infrastructure - PowerPoint PPT Presentation

1
Grid Security Infrastructure
  • Wayne Schroeder
  • July, 1999
  • SRB User Group Meeting
  • Paper: www.sdsc.edu/schroede/gss.html
  • SDSC/NPACI CA/GSI PKI (via SSL & X.509) w/SSO &
    DCE/KRB5 via GSSAPI

2
Grid Security Infrastructure Background
  • Secure Authentication (Like DCE/Kerberos)
  • Secure Client/Server Communication (Like
    DCE/Kerberos)
  • But With Signing, Not Encryption
  • Based On X.509 Certificates, Like Web
  • Particularly Well Suited For Inter-realm
  • Wide Interest: Globus, NCSA, NASA, UC/CDL,
    DOE/ASCI
  • SDSC Web Environment
  • SDSC/NPACI UNIX/C Environment Soon
  • Possibly Including Java Environment
  • GSI Export License (International Collaborations,
    e.g. PDB)
  • GSI is a Public Key Infrastructure (PKI)

3
Grid Security Infrastructure User Interface/Uses
  • Users Will Get Certificates From Certificate
    Authority
  • Via Web
  • Perhaps Someday Issued With NPACI Account
  • Will Extract For GSI Use
  • Currently Have To Convert To GSI Format (PEM)
  • Will Be Able To Use Same Certificate For
  • Web Services
  • Globus
  • SRB
  • SSH Interactive Logins / File Transfers
  • FTP
  • HSI Interface to HPSS
  • Other GSI-Enabled Applications

4
Grid Security Infrastructure Software
  • Globus-based (Many Collaborators)
  • Libraries
  • SSLeay (OpenSSL) (Excellent Open SSL
    Implementation)
  • Globus GSS-API (Generic Security Service) on
    SSLeay
  • SDSC libAID (on GSS-API)
  • grid_proxy_init utility
  • Creates Temporary Certificate/Key
  • Auto Authentication
  • Single Sign On (SSO)
  • Certificate Authority (Discussed Later)

5
SDSC AID Library: Authentication / Integrity of
Data
  • Layered on GSS-API (Generic Security Services
    API) Library, in turn layered on
  • GSI/SSLeay and/or
  • Kerberos or
  • DCE Security (under development)
  • Handles GSS-API Complexities/HPC Choices
  • Simple API, including secure read/write
  • Can link with both Kerberos and GSI at the same
    time (calls krb5_gss routines)
  • About 1,400 lines of C

6
Layers

7
NPACI Certificate Infrastructure
  • SDSC/NPACI Certificate (X.509) Support For
  • Web Access
  • GSI
  • Other, Java(?)
  • CA Policy Document
  • Describes How CA Is Run
  • What An SDSC-NPACI Certificate Really Means
  • CA Procedures Document

8
SDSC Encryption / Authentication System (SEA) To
GSI
  • SEA Is A Simple PKI
  • Interim Solution (2 years)
  • Development of SSLeay/OpenSSL
  • Development of Globus GSI
  • R&D, PKI Experience, AID
  • But Unique Non-Interoperable
  • Phasing Out
  • Except Perhaps Encryption

9
NPACI Certificate Authority
  • Issues Certificates to Users
  • SDSC Selected Netscape CA (V4) Software (June)
  • Replacing Netscape 1.0.1 CA
  • SDSC Staff Member (Bill Link) will be CA Admin
  • CA Policy Document Under Development
  • Based on NCSA's
  • PACI CA

10
GSI Status
  • SRB Will Soon Speak All Major Security Protocols
  • GSI/X.509, Kerberos, (& separately) DCE
  • SDSC SRB Servers Will Accept GSI, Kerberos, SEA
  • Official Globus GSI Release In July
  • Test SRB Successfully Used Test GSI via AID for
    Authentication and Data Integrity
  • Developing MCAT Tables and Interface to Convert
    Distinguished Names from Certificates to SRB User
    names
  • Procedures Developed
  • For Accepting Certificates From Other CAs
  • For Server Key Management
  • Support Side of House Involved in GSI Deployment
  • Anke Kamrath leading
  • Anke and Tom Perrine Refining CA Policy
  • Bill Link installing CA and GSI software
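
The DN-to-SRB-user-name conversion and the acceptance of certificates from other CAs listed on slide 10, combined into one check as an added example (not SDSC's MCAT code or part of the original slides). The table layouts, the function names and every DN are constructed assumptions, and the certificate is assumed to have been cryptographically verified already.

```c
#include <stddef.h>
#include <string.h>

/* All names, DNs and table layouts below are constructed for illustration;
 * the slides do not describe the real MCAT schema. */
struct accepted_ca { const char *issuer_dn; const char *subject_prefix; };
struct dn_map_row  { const char *issuer_dn; const char *subject_dn; const char *srb_user; };

static const struct accepted_ca accepted_cas[] = {
    { "/C=US/O=Example Center/CN=Example CA", "/C=US/O=Example Center" },
    { "/C=US/O=Partner Site/CN=Partner CA",   "/C=US/O=Partner Site"   },
};
static const struct dn_map_row dn_map[] = {
    { "/C=US/O=Example Center/CN=Example CA", "/C=US/O=Example Center/CN=Alice Example", "alice" },
    { "/C=US/O=Partner Site/CN=Partner CA",   "/C=US/O=Partner Site/CN=Bob Example",     "bob"   },
};

/* True if dn lies under prefix, with the match ending on a '/' boundary so
 * that "/O=Partner Site" does not also cover "/O=Partner Site2". */
static int dn_under(const char *dn, const char *prefix)
{
    size_t n = strlen(prefix);
    return strncmp(dn, prefix, n) == 0 && dn[n] == '/';
}

/* Map (issuer, subject) from an already-verified certificate to a local
 * user name. Returns NULL (deny) unless the issuer is an accepted CA, the
 * subject is inside that CA's namespace, and the exact pair is registered. */
const char *dn_to_srb_user(const char *issuer_dn, const char *subject_dn)
{
    size_t i, j;
    if (issuer_dn == NULL || subject_dn == NULL)
        return NULL;
    for (i = 0; i < sizeof accepted_cas / sizeof accepted_cas[0]; i++) {
        if (strcmp(issuer_dn, accepted_cas[i].issuer_dn) != 0)
            continue;
        if (!dn_under(subject_dn, accepted_cas[i].subject_prefix))
            return NULL;   /* CA naming users outside its own namespace */
        for (j = 0; j < sizeof dn_map / sizeof dn_map[0]; j++)
            if (strcmp(issuer_dn, dn_map[j].issuer_dn) == 0 &&
                strcmp(subject_dn, dn_map[j].subject_dn) == 0)
                return dn_map[j].srb_user;
        return NULL;       /* accepted CA, but no registered user */
    }
    return NULL;           /* issuer is not an accepted CA */
}
```

Keying the mapping on the issuer as well as the subject means a second accepted CA cannot be used to obtain another site's user name by issuing a certificate with that user's subject DN.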

11
SDSC/NPACI CA/GSI PKI (via SSL & X.509) w/SSO &
DCE/KRB5 via GSSAPI
  • San Diego Supercomputer Center / National
    Partnership for Advanced Computational
    Infrastructure Certificate Authority / Grid
    Security Infrastructure Public Key Infrastructure
    (via Secure Socket Layer library & X.509
    Certificates) with Single Sign On and Distributed
    Computing Environment / Kerberos Version 5 via
    the Generic Security Service Application
    Programming Interface