Security Mechanisms
The European DataGrid Project Team
http://www.eu-datagrid.org

Overview
• User side
    • Getting a certificate
    • Becoming a member of the VO
• Server side
    • Authentication / CA
    • Authorization / VO
(with some examples)
Security Tutorial - n° 2

Authentication
• Authentication (CA Working Group)
    • Policies & Procedures
    • mutual trust
• Currently the EDG CA group has approved
    • 15 EDG CAs
    • 5 CrossGrid CAs
• France-CNRS acted as catchall CA to accept sites not covered by accepted CAs
• Users identified by their personal certificate

DataGrid Certification Authorities: CERN, Czech Republic, Canada, France CNRS, Germany, Ireland, Netherlands, Nordic Countries, Portugal, Russia, Spain, United Kingdom, US-DOE
CrossGrid Certification Authorities (CrossGrid CAs): Slovakia, Cyprus, Poland, Greece

Authorization
• Authorization (Authorization Working Group)
• Based on Virtual Organizations (VO)
• Authorizations by experiment
• 12 + 1 Virtual Organizations
• Each VO has its own manager

DataGrid Virtual Organizations: WP6, ITEAM, TSTG, ALICE, ATLAS, LHCb, CMS, BABAR, D0, EARTH OB, GENOMIC, MEDICAL IMAGING, Guidelines

Authentication Overview
• The method to request a certificate depends on the CA
• A certificate is valid 1 year

Request methods:
• Web request
• openssl request
• grid-cert-request

CAs: France CNRS, Czech Republic, Canada, Ireland, CERN, Italy, Germany, Netherlands, Nordic Countries, United Kingdom, US DOE, Portugal, Russia, Spain

CNRS Personal Certificate Request
• http://igc.services.cnrs.fr/Datagrid-fr/
• See demo

Certificate Conversion
• Convert your certificate from PKCS12 format to PEM format
• /opt/edg/bin/pkcs12-extract
Or
• openssl pkcs12 -nocerts \
      -in cert.p12 \
      -out ~user/.globus/userkey.pem
• openssl pkcs12 -clcerts -nokeys \
      -in cert.p12 \
      -out ~user/.globus/usercert.pem

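The two openssl conversion commands above, wrapped with the checks worth running afterwards (file permissions, key/certificate match, expiry). This is an added example, not part of the original slides. The function names, the P12_PASS and KEY_PASS environment variables, and the self-signed test bundle are assumptions made for the example; modes 400 and 644 are the ones the Globus tools expect for userkey.pem and usercert.pem.

```shell
#!/bin/sh
# Pass phrases are read from the environment (P12_PASS, KEY_PASS: names chosen
# for this example) so they never appear on a command line.

# convert_p12 <bundle.p12> <target-dir>
convert_p12() (
    umask 077                      # nothing is ever created group/world readable
    mkdir -p "$2" || exit 1
    # Private key only, re-encrypted under KEY_PASS.
    openssl pkcs12 -nocerts -in "$1" -passin env:P12_PASS \
        -passout env:KEY_PASS -out "$2/userkey.pem" 2>/dev/null || exit 1
    # User certificate only (no CA chain, no key).
    openssl pkcs12 -clcerts -nokeys -in "$1" -passin env:P12_PASS \
        -out "$2/usercert.pem" 2>/dev/null || exit 1
    chmod 400 "$2/userkey.pem" && chmod 644 "$2/usercert.pem"
)

# check_pair <dir>: 0 if the key belongs to the certificate and the
# certificate has not expired; 1 = mismatch or unreadable, 2 = expired.
check_pair() {
    cert_pub=$(openssl x509 -in "$1/usercert.pem" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$1/userkey.pem" -passin env:KEY_PASS \
        -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ] || return 1
    openssl x509 -in "$1/usercert.pem" -noout -checkend 0 >/dev/null || return 2
}

# make_sample_p12 <file>: constructed self-signed test bundle,
# not a real grid certificate.
make_sample_p12() (
    t=$(mktemp -d) || exit 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Grid/CN=Test User" \
        -keyout "$t/k.pem" -out "$t/c.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$t/k.pem" -in "$t/c.pem" \
        -passout env:P12_PASS -out "$1" 2>/dev/null
    rc=$?; rm -rf "$t"; exit $rc
)
```

Export P12_PASS and KEY_PASS before calling the functions, for example `convert_p12 cert.p12 ~/.globus && check_pair ~/.globus`.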
Authorization
User registration in an EDG Virtual Organisation
• Sign the usage guidelines: https://marianne.in2p3.fr/cgi-bin/datagrid/register/account.pl
• In case of a problem, contact your VO Manager
-> You are registered in the VO server and have a user account.

Usage
You must have a valid certificate from a trusted CA!
• "login": grid-proxy-init
    short lifetime certificate: 24 hours
    Enter PEM pass phrase:
    ...........................+++++
    ....................................+++++
• checking the proxy: grid-proxy-info -subject
    /O=Grid/O=CERN/OU=cern.ch/CN=Akos Frohner/CN=proxy
• "logout": grid-proxy-destroy
-> use the grid services

CNRS Host Certificate Request
• http://igc.services.cnrs.fr/Datagrid-fr/
• See demo
• You receive the host certificate by encrypted and signed email

Configuration on the Server
• All RPMs are here:
    http://datagrid.in2p3.fr/autobuild/rh6.2/rpmlist/
• Certificate and CRL URLs of the CAs (Authentication):
    http://datagrid.in2p3.fr/autobuild/rh6.2/rpmlist/CE-ca-v1_4_3.html
• Creation of the gridmapfile (Authorization):
    http://datagrid.in2p3.fr/distribution/datagrid/wp6/RPMS/edg-mkgridmap-1.0.9-2.i386.rpm
• Scripts to update gridmapfile and CRLs (Authentication/Authorization):
    http://datagrid.in2p3.fr/distribution/datagrid/wp6/RPMS/edg-utils-system-1.3.2-1.noarch.rpm

Summary
• Authentication
    • http://marianne.in2p3.fr/datagrid/ca/ca-table-ca.html
    • http://marianne.in2p3.fr/datagrid/ca/ca-help.html
    • http://igc.services.cnrs.fr/Datagrid-fr/
• Authorization
    • https://marianne.in2p3.fr/cgi-bin/datagrid/register/account.pl
    • http://marianne.in2p3.fr/datagrid/vo/vo-table.html

Further Information
Grid
• EDG CAs: http://marianne.in2p3.fr/datagrid/ca
• Globus Security: http://www.globus.org/security/
• EDG WP2: http://grid-data-management.web.cern.ch/grid-data-management/security/
• EDG D7.5: http://edms.cern.ch/document/340234
Background
• GGF Security: http://www.gridforum.org/security/
• GSS-API: http://www.faqs.org/faqs/kerberos-faq/general/section-84.html
• IETF PKIX charter: http://www.ietf.org/html.charters/pkix-charter.html
• PKCS: http://www.rsasecurity.com/rsalabs/pkcs/index.html