Jianlin Zhu Huazhong Normal University Running AliEn Secure Services
- Slide 1
- Jianlin Zhu, Huazhong Normal University: Running AliEn Secure Services
- Slide 2
- Outline
  - Security Considerations for AliEn Services
  - Security Environment for AliEn Services
  - Security Infrastructure for AliEn Services
  - Security Instances for AliEn Services
  - Future work
  - Reference
- Slide 3
- AliEn
  - AliEn is a distributed computing environment whose aim is to offer the ALICE user community transparent access to worldwide distributed computing and storage resources.
  - AliEn components are web services, and they talk to each other using SOAP (Simple Object Access Protocol).
  - Central Services: Proxy, IS, Authen, Server, Logger, Broker, TransferManager, TransferBroker, TransferOptimizer, JobOptimizer, CatalogueOptimizer, PackManMaster, MessageMaster, SEManager, JobInfoManager, MonaLisa
  - Site Services: ClusterMonitor, CE, SE, PackMan, MonaLisa
- Slide 4
- Security Considerations
  - AliEn runs more than twenty service components that provide the public services for the whole grid system
  - Supporting the Grid Security Infrastructure and Public Key Infrastructure
  - Security: authentication, communication encryption, private key protection, delegation, single sign-on
  - Compatibility: transparency to the Grid components, modular security function
- Slide 5
- Grid Security Infrastructure
  - Building blocks: PKI (CAs and certificates), SSL/TLS, proxies and delegation
  - PKI for credentials
  - SSL for authentication and message protection
  - Proxies and delegation (GSI extensions) for secure single sign-on
  - PKI: Public Key Infrastructure; SSL: Secure Socket Layer; TLS: Transport Layer Security
- Slide 6
- Public Key Infrastructure (PKI)
  - PKI allows you to know that a given public key belongs to a given user
  - PKI builds on asymmetric encryption: each entity has two keys, public and private; data encrypted with one key can only be decrypted with the other
  - The private key is known only to the entity
  - The public key is given to the world, encapsulated in an X.509 certificate
  - (diagram labels: Owner, X.509 Certificates, Certificate Authorities (CAs), Certificate Policies, Namespaces, Requesting a certificate, Certificate Request, Registration Authority)
- Slide 7
- Secure Socket Layer (SSL)
  - Also known as TLS (Transport Layer Security)
  - Uses certificates and TCP sockets to provide a secured connection
  - Authentication of one or both parties using the certificates
  - Message protection: confidentiality (encryption), integrity
  - (diagram labels: Certificates, TCP Sockets, SSL/TLS)
- Slide 8
- GSI
  - Grid Security Infrastructure (GSI) is based on the Generic Security Services API (GSS-API)
  - Uses an extension to X.509 certificates
  - Provides a mechanism to: authenticate a subject; authorise a resource; implement a single sign-on mechanism
  - The current implementation does this using: proxy certificates and Certification Authorities; the gridmap file
- Slide 9
- grid-proxy-info output for the three proxy formats grid-proxy-init can produce (the grid-proxy-init option used to create each proxy is given in parentheses):

      [lxplus215] ~ $ grid-proxy-info   (grid-proxy-init -old)
      subject  : /C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlin zhu/CN=proxy
      issuer   : /C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlin zhu
      identity : /C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlin zhu
      type     : full legacy globus proxy
      strength : 512 bits
      path     : /tmp/x509up_u50218
      timeleft : 11:59:54

      [lxplus215] ~ $ grid-proxy-info   (grid-proxy-init -rfc)
      subject  : /C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlin zhu/CN=1441834040
      issuer   : /C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlin zhu
      identity : /C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlin zhu
      type     : RFC 3820 compliant impersonation proxy
      strength : 512 bits
      path     : /tmp/x509up_u50218
      timeleft : 11:59:54

      [lxplus215] ~ $ grid-proxy-info   (grid-proxy-init)
      subject  : /C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlin zhu/CN=1135709971
      issuer   : /C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlin zhu
      identity : /C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlin zhu
      type     : Proxy draft (pre-RFC) compliant impersonation proxy
      strength : 512 bits
      path     : /tmp/x509up_u50218
      timeleft : 11:59:55
- Slide 10
- voms-proxy-info output for a VOMS proxy:

      $ voms-proxy-info -all
      subject   : /C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlin zhu/CN=proxy
      issuer    : /C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlin zhu
      identity  : /C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlin zhu
      type      : proxy
      strength  : 1024 bits
      path      : /tmp/x509up_u50218
      timeleft  : 11:45:59
      === VO alice extension information ===
      VO        : alice
      subject   : /C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlin zhu
      issuer    : /DC=ch/DC=cern/OU=computers/CN=voms.cern.ch
      attribute : /alice/Role=lcgadmin/Capability=NULL
      attribute : /alice/Role=NULL/Capability=NULL
      attribute : /alice/lcg1/Role=NULL/Capability=NULL
      timeleft  : 11:45:58
      uri       : voms.cern.ch:15000

- VOMS credentials are represented in the form of FQANs (Fully Qualified Attribute Names). A FQAN is a compound string consisting of the group, the subgroups, and the role a user chooses in order to access a resource.
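The following is an added example (not from the slides or from the AliEn code base), written in Python, that parses output in the format shown on slides 9 and 10 and applies the checks an operator would want before trusting a proxy: key strength, proxy format, remaining lifetime, the issuer-to-subject chain rule of RFC 3820, and the VOMS attribute lifetime. The sample outputs are constructed from the values on the slides; the thresholds (1024 bits, one hour) are assumptions chosen for the example.

```python
"""Parse grid-proxy-info / voms-proxy-info output and apply the hygiene
checks a service operator would run before trusting a proxy credential."""
import re

# Constructed samples modelled on the slides (not captured from a real session).
SAMPLE_RFC_PROXY = """\
subject  : /C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlin zhu/CN=1441834040
issuer   : /C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlin zhu
identity : /C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlin zhu
type     : RFC 3820 compliant impersonation proxy
strength : 512 bits
path     : /tmp/x509up_u50218
timeleft : 11:59:54
"""
SAMPLE_LEGACY_PROXY = SAMPLE_RFC_PROXY.replace(
    "RFC 3820 compliant impersonation proxy", "full legacy globus proxy"
).replace("CN=1441834040", "CN=proxy")
SAMPLE_VOMS_PROXY = """\
subject   : /C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlin zhu/CN=proxy
issuer    : /C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlin zhu
identity  : /C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlin zhu
type      : proxy
strength  : 1024 bits
path      : /tmp/x509up_u50218
timeleft  : 11:45:59
=== VO alice extension information ===
VO        : alice
subject   : /C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlin zhu
issuer    : /DC=ch/DC=cern/OU=computers/CN=voms.cern.ch
attribute : /alice/Role=lcgadmin/Capability=NULL
attribute : /alice/Role=NULL/Capability=NULL
attribute : /alice/lcg1/Role=NULL/Capability=NULL
timeleft  : 11:45:58
uri       : voms.cern.ch:15000
"""

KEY_VALUE = re.compile(r"^\s*(\S+)\s*:\s*(.*?)\s*$")


def parse_proxy_info(text):
    """Return the proxy fields as a dict plus the list of VOMS FQANs.
    Fields of the VOMS section are stored with a 'vo_' prefix so they do
    not overwrite the proxy's own subject/issuer/timeleft."""
    info = {"fqans": []}
    in_vo_section = False
    for line in text.splitlines():
        if line.startswith("==="):
            in_vo_section = True
            continue
        m = KEY_VALUE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "attribute":
            info["fqans"].append(value)
        elif in_vo_section:
            info.setdefault("vo_" + key, value)
        else:
            info.setdefault(key, value)
    return info


def parse_fqan(fqan):
    """Split '/alice/lcg1/Role=NULL/Capability=NULL' into group, role and
    capability; VOMS prints NULL for an unset role or capability."""
    group, role, capability = [], None, None
    for part in fqan.split("/")[1:]:
        if part.startswith("Role="):
            role = None if part[5:] == "NULL" else part[5:]
        elif part.startswith("Capability="):
            capability = None if part[11:] == "NULL" else part[11:]
        else:
            group.append(part)
    return {"group": "/" + "/".join(group), "role": role, "capability": capability}


def timeleft_seconds(hhmmss):
    """Convert the 'timeleft : HH:MM:SS' field to seconds."""
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def check_proxy(info, min_bits=1024, min_seconds=3600):
    """Return a list of findings; an empty list means the proxy passed.
    The thresholds are assumptions chosen for this example."""
    findings = []
    bits = int(info["strength"].split()[0])
    if bits < min_bits:
        findings.append("weak proxy key: %d bits < %d" % (bits, min_bits))
    proxy_type = info.get("type", "")
    if "legacy" in proxy_type or "pre-RFC" in proxy_type:
        findings.append("legacy (pre-RFC 3820) proxy format: %s" % proxy_type)
    if timeleft_seconds(info["timeleft"]) < min_seconds:
        findings.append("proxy expires in less than %d s" % min_seconds)
    # RFC 3820: a proxy's subject is its issuer's DN plus exactly one extra CN.
    issuer, subject = info["issuer"], info["subject"]
    if not (subject.startswith(issuer + "/CN=") and "/" not in subject[len(issuer) + 1:]):
        findings.append("proxy subject is not issuer DN plus one CN component")
    if "vo_timeleft" in info and timeleft_seconds(info["vo_timeleft"]) == 0:
        findings.append("VOMS attribute certificate has expired")
    return findings
```

Run against the constructed samples, the 512-bit RFC proxy is reported for its key size only, the legacy proxy additionally for its pre-RFC format, and the 1024-bit VOMS proxy passes with three FQANs attached.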
- Slide 11
- HTTPS as the AliEn secure protocol
  - HTTPS is an interesting and important protocol for several reasons:
    - It is by far the most widely deployed secure protocol
    - It has a large number of high-quality modules that we can leverage
    - It has excellent interaction with firewalls, Network Address Translation and application proxies; it has the potential to solve some of the problems sites have with private IP farms
    - Along with HTTP, it is the basis for Web and Grid Services
  - AliEn Services are Web Services using SOAP/XML to send messages
  - HTTPS consists of HTTP/1.1 over an SSL connection; security is done by the SSL layer, using X.509 certificates (including GSI)
- Slide 12
- Security Environment for AliEn Services
  - Apache as the AliEn services hosting environment
    - mod_perl: supporting the Perl language
    - mod_ssl: supporting PKI (X.509 certificate verification)
    - mod_gridsite: supporting GSI (parses GACL policies, X.509, GSI, VOMS credentials)
- Slide 13
- What Apache provides
  - Allows customization of a standard Apache installation through program modularity: extensibility, decomposition and flexibility
  - Rich modules:
    - mod_ssl: encryption (private communications)
    - mod_perl, mod_cgi, etc.: application and language support (cgi, perl, php, etc.)
    - mod_gridsite: GACL policies, X.509, GSI, VOMS credentials support
  - Modules can be added at compile time or before execution (with DSO) using the LoadModule and AddModule directives
- Slide 14
- What SSL provides
  - Secure communication between client and server
  - The SSL protocol works on top of the TCP/IP layer and below the application layer
  - Provides authentication using certificates, multiple encryption cipher choices, methods to exchange session keys, and integrity checking
  - Server authentication almost always takes place; client authentication is optional
  - Once authentication and handshaking are done, data is transmitted using the strongest mutually available cipher over TCP/IP
  - Weaker ciphers have resulted in some potential SSL security holes
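As an added example (not part of the slides or of AliEn), the Python snippet below uses the standard-library `ssl` module to build TLS contexts that enforce the points just listed: the server is always authenticated, the client is authenticated too when the service demands it (as a GSI-enabled service does), SSLv3 and TLS 1.0/1.1 are refused, and the weak cipher families are excluded, with a check that reports any weak suite still enabled. The certificate, key and CA directory paths are placeholders and are only loaded when they exist, so the code also runs offline.

```python
"""TLS contexts that enforce server authentication, optional-but-required
client authentication, a modern protocol floor and a strong cipher policy."""
import os
import ssl

# Name fragments of legacy suites that should never be negotiated.
LEGACY_MARKERS = ("RC4", "3DES", "DES-CBC", "NULL", "MD5", "EXP", "ADH", "AECDH")


def build_mutual_tls_server_context(cert_file=None, key_file=None, ca_path=None):
    """HTTPS service context that requires a client certificate.
    Paths are placeholders (assumption) and are loaded only when present."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # no SSLv3 / TLS 1.0 / TLS 1.1
    ctx.verify_mode = ssl.CERT_REQUIRED            # client authentication mandatory
    # Forward-secret AEAD suites only; the '!' exclusions remove the weak
    # families. TLS 1.3 suites are managed separately by OpenSSL and are all AEAD.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    if cert_file and key_file and os.path.isfile(cert_file) and os.path.isfile(key_file):
        ctx.load_cert_chain(cert_file, key_file)
    if ca_path and os.path.isdir(ca_path):
        # Directory of trusted CA certificates, e.g. the grid CA bundle directory.
        ctx.load_verify_locations(capath=ca_path)
    return ctx


def build_client_context(ca_path=None):
    """Client context: server certificate and hostname are always verified."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_path and os.path.isdir(ca_path):
        ctx.load_verify_locations(capath=ca_path)
    return ctx


def weak_ciphers_enabled(ctx, min_bits=128):
    """Names of enabled suites that are legacy or weaker than min_bits;
    an empty list means the cipher policy held."""
    weak = []
    for c in ctx.get_ciphers():
        name = c["name"]
        if c["strength_bits"] < min_bits or any(m in name for m in LEGACY_MARKERS):
            weak.append(name)
    return weak


def context_is_hardened(ctx):
    """True when the context requires peer certificates, refuses pre-TLS-1.2
    protocols and enables no weak cipher suite."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
            and not weak_ciphers_enabled(ctx))
```

The server context is what a `wrap_socket` call on the listening socket would use; passing it the real certificate, key and CA directory is all that changes between this offline check and a deployment.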
- Slide 15
- What GridSite provides
  - Support for clients with GSI proxies on standard Apache/mod_ssl
  - With the XML access control language GACL, define read, write, list and admin permissions for files, directories and scripts
  - With VOMS credentials, resource owners can decide which privileges to grant to which VO attributes
  - (example DN on the slide: /C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlin zhu)
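Added example, not from the slides or from GridSite itself: a small Python evaluator for a GACL policy, the XML access control language mod_gridsite reads, showing how DN- and VOMS-based entries combine into a permission set. The element names follow GACL (gacl/entry, person/dn, voms/fqan, any-user, allow, deny); the deny-overrides-allow rule and the FQAN normalization (dropping Role=NULL and Capability=NULL before comparing) are assumptions made for this example, as is the "blocked user" DN. The client credentials are the DN and FQANs shown on slide 10.

```python
"""Evaluate a GACL access control list for a client identified by its
certificate DN and the VOMS FQANs carried in its proxy."""
import xml.etree.ElementTree as ET

# Constructed policy for the example.
SAMPLE_GACL = """<gacl>
  <entry>
    <person><dn>/C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlin zhu</dn></person>
    <allow><read/><list/><write/></allow>
  </entry>
  <entry>
    <voms><fqan>/alice/Role=lcgadmin</fqan></voms>
    <allow><admin/></allow>
  </entry>
  <entry>
    <voms><fqan>/alice</fqan></voms>
    <allow><read/><list/></allow>
  </entry>
  <entry>
    <person><dn>/C=XX/O=Example/CN=blocked user</dn></person>
    <deny><list/><write/><admin/></deny>
  </entry>
  <entry>
    <any-user/>
    <allow><read/></allow>
  </entry>
</gacl>
"""

# Credentials as printed by voms-proxy-info on slide 10.
SLIDE_DN = "/C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlin zhu"
SLIDE_FQANS = [
    "/alice/Role=lcgadmin/Capability=NULL",
    "/alice/Role=NULL/Capability=NULL",
    "/alice/lcg1/Role=NULL/Capability=NULL",
]
PERMISSIONS = ("read", "list", "write", "admin")


def normalize_fqan(fqan):
    """Drop Role=NULL / Capability=NULL so '/alice/Role=NULL/Capability=NULL'
    compares equal to the policy's '/alice' (matching rule assumed here)."""
    keep = [p for p in fqan.split("/") if p and p not in ("Role=NULL", "Capability=NULL")]
    return "/" + "/".join(keep)


def entry_matches(entry, dn, fqans):
    """An entry applies when any of its credential elements matches the client."""
    held = {normalize_fqan(f) for f in fqans}
    for cred in entry:
        if cred.tag == "any-user":
            return True
        if cred.tag == "person" and dn is not None and cred.findtext("dn", "").strip() == dn:
            return True
        if cred.tag == "voms" and normalize_fqan(cred.findtext("fqan", "").strip()) in held:
            return True
    return False


def evaluate_gacl(policy_xml, dn, fqans=()):
    """Permissions granted: union of <allow> over matching entries minus the
    union of <deny> over matching entries (deny overrides allow)."""
    allowed, denied = set(), set()
    for entry in ET.fromstring(policy_xml).findall("entry"):
        if not entry_matches(entry, dn, fqans):
            continue
        for block in entry.findall("allow"):
            allowed.update(p.tag for p in block if p.tag in PERMISSIONS)
        for block in entry.findall("deny"):
            denied.update(p.tag for p in block if p.tag in PERMISSIONS)
    return allowed - denied
```

With this policy the slide's user gets all four permissions, an ordinary /alice member gets read and list, an anonymous client gets read only, and the blocked DN keeps read even though its lcgadmin role would otherwise grant admin, because the deny entry wins.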
- Slide 16
- Apache + mod_ssl + mod_gridsite
  - Together, Apache, mod_ssl and mod_gridsite create a system of security with digital certificates and GSI that allows you to offer secure, encrypted connections to the web server
  - One more way to run AliEn services
  - Easy to configure and manage
  - Transparent to users
  - Secure single sign-on
- Slide 17
- (Architecture diagram: AliEn Core Components and Services. Labels: RDBMS, LDAP, File Metadata Catalogue, API (C/C++/Perl), User Application, FS, GUI, Web Portal, Authentication, User Interface, Database Proxy, Security, ClusterMonitor, DBD Interface, External Software, V.O. Packages & Commands, DBI, Perl Core, Perl Modules, External Libraries, Config Management, Package Management, ADBI, SOAP/XML, CE, SE, PackMan, MonaLisa, IS, RB, ..., Logger, CLI)
- Slide 18
- (Architecture diagram: central services and site services. Central services: Jobs, TaskQueue, Job Broker, Job Manager, Job optimizers (Splitting, Expired, Priorities, Merging, Zombies), File catalogue (LFN, GUID, Meta data), Logger, Authen. Site services at Site A and Site B: CE, SE, Packman, MonALISA, CM, JA. LCG services: CREAM CE. Annotation next to Authen: "Adding secure function")
- Slides 19, 20, 21: no text extracted
- Slide 22
- Future Plan
  - Adding security protection to the AliEn services one by one
  - Adding support for XACML and the Delegation PortType
  - Large-scale testing of the AliEn Secure services
- Slide 23
- Reference
  - PKI: RFC 3280, http://tools.ietf.org/html/rfc3280
  - GSI: RFC 3820, http://tools.ietf.org/html/rfc3820
  - The Globus Project, http://www.globus.org/security
  - The Apache Project, http://www.apache.org/
  - The GridSite Project, http://www.gridsite.org/
- Slide 24
- Questions?