Security Mechanisms

Security Mechanisms The European DataGrid Project Team http://www.eu-datagrid.org Peter.Kunszt@cern.ch

Summary • Security mechanism of EDG • Certificates • Authentication/Authorization • Overview of Authentication mechanism • Registration and Usage • Service security now • Service security in Web Services

Security Certificates • The project software supports ~12 Certification Authorities from the various partners involved in the project • http://marianne.in2p3.fr/datagrid/ca/ca-table-ca.html • For a machine to participate as a Testbed 1 resource allthe CAs must be enabled. • all CA certificates can be installed without compromising local site security • Each host running a Grid service needs to be able to authenticate users and other hosts • site manager has full control over security for local nodes • Virtual Organisation represents a community of users • 6 VOs: 4 HEP (ALICE, ATLAS, CMS, LHCb), 1 EO, 1 Biology Account Registration Usage guidelines

Authentication/Authorization • Authentication (CA Working Group) • 11 national certification authorities • policies & procedures  mutual trust • users identified by CA’s certificates • Authorization (Authorization Working Group) • Based on Virtual Organizations (VO). • Management tools for LDAP-based membership lists. • 6+1 Virtual Organizations

CA service user VO-LDAP 1. Authentication Overview

CA grid-cert-request service user cert-request VO-LDAP 1. Authentication Overview

CA grid-cert-request cert signing service user cert-request certificate VO-LDAP 1. Authentication Overview

CA grid-cert-request cert signing service user cert-request certificate convert cert.pkcs12 VO-LDAP 1. Authentication Overview

CA grid-cert-request cert signing service user cert-request certificate convert cert.pkcs12 registration VO-LDAP 1. Authentication Overview

CA grid-cert-request cert signing service user cert-request certificate convert cert.pkcs12 registration VO-LDAP proxy-cert grid-proxy-init 1. Authentication Overview

CA grid-cert-request grid-cert-request cert signing service user host-request cert-request certificate convert cert.pkcs12 registration VO-LDAP proxy-cert grid-proxy-init 1. Authentication Overview

CA grid-cert-request grid-cert-request cert signing cert signing service user host-request cert-request host-cert certificate convert cert.pkcs12 registration VO-LDAP proxy-cert grid-proxy-init 1. Authentication Overview

CA grid-cert-request grid-cert-request cert signing cert signing service user host-request cert-request cert/crl update host-cert certificate convert ca-certificate cert.pkcs12 registration crl VO-LDAP proxy-cert grid-proxy-init 1. Authentication Overview

CA grid-cert-request grid-cert-request cert signing cert signing service user host-request cert-request cert/crl update host-cert certificate convert ca-certificate cert.pkcs12 registration crl VO-LDAP gridmap mkgridmap proxy-cert grid-proxy-init 1. Authentication Overview

CA grid-cert-request grid-cert-request cert signing cert signing service user host-request cert-request cert/crl update host-cert certificate convert ca-certificate cert.pkcs12 registration crl VO-LDAP gridmap mkgridmap proxy-cert grid-proxy-init host/proxy certs exchanged 1. Authentication Overview

Certificate/Authentication Obtaining a certificate from a CA see http://marianne.in2p3.fr/datagrid/ca/ for CAs • new certificate: grid-cert-request • new files in ~/.globus: usercert_request.pem userkey.pem • mail it to the appropriate CA (e.g. cern-globus-ca@cern.ch) • save the answer • ~/.globus/usercert.pem • new proxy certificate: grid-proxy-init • /tmp/x509up_u<uid> -> You have a certificate signed by an EDG CA.

Registration/Authorization User registration in an EDG Virtual Organisation • convert your certificate: • openssl pkcs12 –export –in ~/.globus/usercert.pem –inkey ~/.globus/userkey.pem –out user.p12 –name ’Joe Smith’ • import your certificate in your browser • sign the usage guidelines: https://marianne.in2p3.fr/cgi-bin/datagrid/register/account.pl • ask an account from your VO administrator by email -> You are registered in the VO-LDAP server and have a user account.

Usage You must have a valid certificate from a trusted CA! • „login”: grid-proxy-init short lifetime certificate: 24 hours Enter PEM pass phrase: ...........................+++++ ....................................+++++ • checking the proxy: grid-proxy-info -subject /O=Grid/O=CERN/OU=cern.ch/CN=Akos Frohner/CN=proxy • „logout”: grid-proxy-destroy -> use the grid services

Signing a Request Upon a certificate request from the user • checking the identity of the user (Registration Authority) • signing the request and sending back the result • openssl ca –in usercert_request.pem –out usercert.pem • if something goes wrong: revocation of a certificate -> CRL • the issued certificates are described in the Certificate Policy (CP) • the process is described in the Certificate Practice Statement (CPS)

Service You must have the trusted CA certificates in files and the VO-LDAP server(s) URL configured. • registering a trusted CA • /etc/grid-security/certificates: hashed cert, crl and url • generating a gridmap file: mkgridmap • /etc/grid-security/gridmap: DN -> userid/gid mapping • generating host/service certificate: grid-cert-request –host (see user certificates for the whole process) Start the service!

Testbed support within WP6 Authentication – mkgridmap tool : generate gridmap file

WMS secure architecture

HTTP + SSLRequest + client certificate Security Mechanism for Spitfire Servlet Container SSLServletSocketFactory RDBMS Trusted CAs TrustManager Revoked Certsrepository Security Servlet ConnectionPool Authorization Module Role repository Translator Servlet Connectionmappings Map role to connection id

HTTP + SSLRequest + client certificate Is certificate signedby a trusted CA? Security Mechanism for Spitfire Servlet Container SSLServletSocketFactory RDBMS Trusted CAs TrustManager Revoked Certsrepository Security Servlet ConnectionPool Authorization Module Role repository Translator Servlet Connectionmappings Map role to connection id

HTTP + SSLRequest + client certificate Is certificate signedby a trusted CA? Has certificatebeen revoked? Security Mechanism for Spitfire Servlet Container SSLServletSocketFactory RDBMS Trusted CAs TrustManager Revoked Certsrepository Security Servlet ConnectionPool Authorization Module Role repository Translator Servlet Connectionmappings Map role to connection id

HTTP + SSLRequest + client certificate Is certificate signedby a trusted CA? Has certificatebeen revoked? No No Yes Find default Security Mechanism for Spitfire Servlet Container SSLServletSocketFactory RDBMS Trusted CAs TrustManager Revoked Certsrepository Security Servlet ConnectionPool Authorization Module Does user specify role? Role repository Translator Servlet Connectionmappings Map role to connection id

HTTP + SSLRequest + client certificate Is certificate signedby a trusted CA? Has certificatebeen revoked? No No Yes Find default Role ok? Security Mechanism for Spitfire Servlet Container SSLServletSocketFactory RDBMS Trusted CAs TrustManager Revoked Certsrepository Security Servlet ConnectionPool Authorization Module Does user specify role? Role repository Translator Servlet Role Connectionmappings Map role to connection id

HTTP + SSLRequest + client certificate Is certificate signedby a trusted CA? Has certificatebeen revoked? No No Yes Find default Role ok? Request and connection ID Security Mechanism for Spitfire Servlet Container SSLServletSocketFactory RDBMS Trusted CAs TrustManager Revoked Certsrepository Security Servlet ConnectionPool Authorization Module Does user specify role? Role repository Translator Servlet Role Connectionmappings Map role to connection id

Further Information

Security Mechanisms