Security Mechanisms The European DataGrid Project Team - PowerPoint PPT Presentation
  1. Security Mechanisms
  The European DataGrid Project Team
  http://www.eu-datagrid.org

  2. Overview
  User side
  - Getting a certificate
  - Becoming a member of the VO
  Server side
  - Authentication / CA
  - Authorization / VO (with some examples)
  Security Tutorial - n° 2

  3. Authentication/Authorization
  Authentication (CA Working Group)
  - 16 national certification authorities + CrossGrid CAs
  - policies & procedures
  - mutual trust
  - users identified by CA's certificates
  Authorization (Authorization Working Group)
  - based on Virtual Organizations (VO)
  - management tools for VO membership lists
  CA's: CERN, CESNET, CNRS (3), GermanGrid, Grid-Ireland, INFN, NIKHEF, NorduGrid, LIP, Russian DataGrid, DATAGRID-ES, GridPP, US-DOE Root CA, US-DOE Sub CA, CrossGrid (*)
  VO's (6+2 Virtual Organizations): ALICE, ATLAS, CMS, LHCb, Earth Obs., Biomedical, Testbed, Tutorial

  4. Authentication Overview
  [Diagram: the four actors of the authentication model: CA, user, VO, service]

  5. Certificate Request
  [Diagram: user runs grid-cert-request and sends the cert-request to the CA; done once in every two-three years]

  6. Requesting a Certificate
  - grid-cert-request
      A certificate request and private key is being created.
      [...]
      Using configuration from /usr/local/grid/globus/etc/globus-user-ssleay.conf
      Generating a 1024 bit RSA private key
      [...]
      A private key and a certificate request has been generated with the subject:
      /O=Grid/O=CERN/OU=cern.ch/CN=Akos Frohner
      [...]
      Your private key is stored in .../.globus/userkey.pem
      Your request is stored in .../.globus/usercert_request.pem
      Please e-mail the certificate request to the CERN CA
      cat .../.globus/usercert_request.pem | mail cern-globus-ca@cern.ch
      Your certificate will be mailed to you within two working days.

  7. Certificate Signing
  [Diagram: the CA signs the cert-request and returns the certificate to the user]

  8. Preparation for Registration
  [Diagram: the user converts the signed certificate into cert.pkcs12 before registering with the VO]

  9. Registration/Authorization
  User registration in an EDG Virtual Organisation
  - convert your certificate:
      openssl pkcs12 -export -in ~/.globus/usercert.pem -inkey ~/.globus/userkey.pem -out user.p12 -name 'Joe Smith'
  - import your certificate in your browser
  - sign the usage guidelines: https://marianne.in2p3.fr/cgi-bin/datagrid/register/account.pl
  - ask an account from your VO administrator by email
  -> You are registered in the VO-LDAP server and have a user account.

  10. Registration
  [Diagram: the user registers (Account Registration, Usage guidelines) with the VO; done once for the lifetime of the VO - you may change the certificate keys!]

  11. Starting a Session
  [Diagram: the user creates a proxy-cert with grid-proxy-init; done every 12/24 hours]

  12. Usage
  You must have a valid certificate from a trusted CA!
  - "login": grid-proxy-init (short lifetime certificate: 24 hours)
      Enter PEM pass phrase:
      ...........................+++++
      ....................................+++++
  - checking the proxy: grid-proxy-info -subject
      /O=Grid/O=CERN/OU=cern.ch/CN=Akos Frohner/CN=proxy
  - "logout": grid-proxy-destroy
  -> use the grid services

  13. Certificate Request for a Host
  [Diagram: the service runs grid-cert-request and sends a host-request to the CA; done once in every two-three years]

  14. Signing the Certificate
  [Diagram: the CA signs the host-request and returns the host-cert to the service]

  15. Configuration on the Server
  [Diagram: the service fetches the ca-certificate and crl from the CA (cert/crl update) and VO data from VO-LDAP; automatically updated every night/week]

  16. Authorization Information
  [Diagram: mkgridmap builds the gridmap on the service from the VO-LDAP membership list; automatically updated every night/week]

  17. Using a Service
  [Diagram: user and service exchange host/proxy certs; the service checks the proxy against the ca-certificate, crl and gridmap]
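The service-side decision of slides 12, 16 and 17 (VO membership list -> grid-mapfile via mkgridmap -> a presented proxy subject mapped to a local account, with the 12/24 hour proxy lifetime enforced) as an added example. This is not EDG or Globus code: the VO membership entries, the VO-to-account policy and the fixed clock are constructed for the example, and only the legacy /CN=proxy and /CN=limited proxy name components are stripped.

```python
# Added example (not EDG or Globus code): VO list -> grid-mapfile -> authorize a proxy subject.
from datetime import datetime, timedelta, timezone

# Constructed VO membership entries, in the shape a VO-LDAP query might return (DN, VO).
VO_MEMBERS = [
    ("/O=Grid/O=CERN/OU=cern.ch/CN=Akos Frohner", "cms"),
    ("/O=Grid/O=INFN/OU=infn.it/CN=Example User", "atlas"),
]

# Hypothetical site policy: the local account each VO's members are mapped to.
VO_ACCOUNT = {"cms": "cms001", "atlas": "atlas001"}

# CN components that legacy GSI appends when a proxy is created (slide 12 shows /CN=proxy).
PROXY_CN_VALUES = ("cn=proxy", "cn=limited proxy")


def make_gridmap(members, vo_account):
    """Emit grid-mapfile lines, one per member, in the form: "<DN>" <local account>.
    Members of a VO the site does not host are skipped."""
    return [f'"{dn}" {vo_account[vo]}' for dn, vo in members if vo in vo_account]


def parse_gridmap(text):
    """Parse grid-mapfile text into {DN: account}; blank lines and # comments are ignored.
    Only the first account of a comma-separated account list is used."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith('"'):
            end = line.index('"', 1)
            dn, rest = line[1:end], line[end + 1:]
        else:
            dn, _, rest = line.partition(" ")
        accounts = rest.strip().split(",")
        if accounts and accounts[0]:
            mapping[dn] = accounts[0].strip()
    return mapping


def identity_from_subject(subject):
    """Strip the trailing /CN=proxy components a proxy chain adds, so that
    '/O=Grid/.../CN=Akos Frohner/CN=proxy' resolves to the user's own DN.
    Assumes '/' separates components and does not occur inside attribute values."""
    parts = subject.split("/")[1:]
    while parts and parts[-1].lower() in PROXY_CN_VALUES:
        parts.pop()
    return "/" + "/".join(parts)


def authorize(gridmap, subject, not_after, now, max_lifetime=timedelta(hours=24)):
    """Decide whether a presented proxy may use the service.
    Returns (local_account, reason); local_account is None on rejection.
    The lifetime bound mirrors the 12/24 hour proxy policy of slides 11 and 12."""
    if not_after <= now:
        return None, "proxy expired"
    if not_after - now > max_lifetime:
        return None, "proxy valid longer than site policy allows"
    identity = identity_from_subject(subject)
    account = gridmap.get(identity)
    if account is None:
        return None, f"{identity} not in grid-mapfile"
    return account, "ok"


def demo():
    """Run the whole chain on the constructed data; returns three decisions."""
    gridmap = parse_gridmap("\n".join(make_gridmap(VO_MEMBERS, VO_ACCOUNT)))
    now = datetime(2003, 1, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock, constructed
    fresh = now + timedelta(hours=12)
    stale = now - timedelta(hours=1)
    return (
        authorize(gridmap, "/O=Grid/O=CERN/OU=cern.ch/CN=Akos Frohner/CN=proxy", fresh, now),
        authorize(gridmap, "/O=Grid/O=CERN/OU=cern.ch/CN=Akos Frohner/CN=proxy", stale, now),
        authorize(gridmap, "/O=Grid/O=Elsewhere/CN=Unknown User/CN=proxy", fresh, now),
    )


if __name__ == "__main__":
    for account, reason in demo():
        print(account, reason)
```

The three decisions in demo() are the cases a service operator cares about: a fresh proxy of a registered user is mapped to its VO account, an expired proxy is refused before any lookup, and a valid proxy from an identity absent from the grid-mapfile is refused even though the CA would have authenticated it.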

  18. Summary
  Obtaining a certificate from a CA (see http://marianne.in2p3.fr/datagrid/ca/ for CAs)
  - new certificate: grid-cert-request
  - new files in ~/.globus: usercert_request.pem, userkey.pem
  - mail it to the appropriate CA (e.g. cern-globus-ca@cern.ch)
  - save the answer as ~/.globus/usercert.pem
  - new proxy certificate: grid-proxy-init -> /tmp/x509up_u<uid>
  -> You have a certificate signed by an EDG CA.

  19. Further Information
  Grid
  - EDG CAs: http://marianne.in2p3.fr/datagrid/ca
  - Globus Security: http://www.globus.org/security/
  - EDG WP2: http://grid-data-management.web.cern.ch/grid-data-management/security/
  - EDG D7.5: http://edms.cern.ch/document/340234
  Background
  - GGF Security: http://www.gridforum.org/security/
  - GSS-API: http://www.faqs.org/faqs/kerberos-faq/general/section-84.html
  - IETF PKIX charter: http://www.ietf.org/html.charters/pkix-charter.html
  - PKCS: http://www.rsasecurity.com/rsalabs/pkcs/index.html
