Grid Security Tutorial 2006
David Groep, NIKHEF

Grid Security Tutorial
• You and the Grid
  • organising collaborations in virtual organisations
  • trust and your identity
  • cryptography and signing
• Getting access to resources
  • attribute-based authorization and VOMS
  • proxies, delegation, forwarding and renewal
• How it works in practice: grid security commands
  • getting your certificate
  • the GSI protocol
  • getting a voms-enabled proxy
  • what happens on the server side
Grid Security, Groningen Tutorial 2006
Virtual Organisations
What is a Virtual Organisation? A set of individuals or organisations, not under single hierarchical control, (temporarily) joining forces to solve a particular problem at hand, bringing to the collaboration a subset of their resources, sharing those at their discretion and each under their own conditions.
graphic from: Anatomy of the Grid, Foster, Kesselman and Tuecke

VOs
Typical VO examples
• Each of the VL-e application sub programmes
• Collaborations like the LHC experiments, or LOFAR, or …
• testing/deployment groups like “pvier”
• …
• Users (you) are usually a member of more than one VO
• Any “large” VO will have an internal structure, with groups, subgroups, and various roles

VOs and the infrastructure
• The word “VO” is used in many different ways
• The EGEE infrastructure and the VL-e PoC provide a “bus-like” interface for VOs, where VOs are essentially user communities

VOs
[figure slide: no text recovered]
Trust relationships
[figure: federated Certification Authorities, organisational Certification Authorities and Policy Authorities in Domain A (Sub-Domain A1) and Domain B (Sub-Domain B1), an AuthZ Federation Service, and a GSI Virtual Organization whose task spans Server X and Server Y]
• For the VO model to work, parties need to (minimally) trust each other in their VO interactions
• the alternative would be that every user would have to register at every resource provider…
graphic from: Frank Siebenlist, Argonne Natl. Lab, Globus Alliance

VO federation needs
• Trust establishment within the VO is separated in:
  • user identity (the user’s passport)
  • group and roles within the VO (visa), as these are different from a person’s organisational role
graphic: OGSA Architecture 1.0, OGF GFD-I.030

User Identity
• Users and resources are typically part of more than one VO,
  • but don’t want many passwords
• Users and resources get a single authentication token (identity certificate)
  • that works across virtual organisations
  • issued by a party trusted by all (“CA”),
  • recognised by many resource providers, users, and VOs
  • satisfies the traceability and persistency requirements
  • in itself does not grant any access, but provides a unique binding between an identifier and the subject
• This is called your (identity) certificate
  • It is a cryptographically protected statement by the CA
  • that you can use to prove your identity in combination with a private key and its passphrase
Digital signatures at work
[figure: Paul computes Hash(A) of “This is some message”, turns it into a digital signature with his private key and sends message plus signature to John; John computes Hash(B) of the received message and compares it with Hash(A) recovered from the signature with Paul’s public key]
• Paul calculates the hash of the message
• Paul encrypts the hash using his private key: the encrypted hash is the digital signature.
• Paul sends the signed message to John.
• John calculates the hash of the message (B) and compares it with hash A, deciphered from the signature with Paul’s public key.
• If the hashes are equal: the message wasn’t modified, and Paul cannot repudiate it.
slide from EGEE NA3 Tutorial repository

Trusting the signature
• Paul’s digital signature is safe if:
  • Paul’s private key is not compromised
  • John knows Paul’s public key
• How can John be sure that Paul’s public key is really Paul’s public key and not someone else’s?
  • A third party guarantees the correspondence between public key and owner’s identity.
  • Both parties (Paul and John) must trust this third party
slide from EGEE NA3 Tutorial repository

X.509 Certificates
[figure: an X.509 certificate with the fields Public key; Subject: C=CH, O=CERN, OU=GRID, CN=Andrea Sciaba 8968; Issuer: C=CH, O=CERN, OU=GRID, CN=CERN CA; Expiration date: Aug 26 08:08:14 2005 GMT; Serial number: 625 (0x271); CA Digital signature]
Authentication (proving your identity to another party) works the same way: in that case the CA has signed a message that contains identifiers, which is done in a specific standard format: X.509
• An X.509 Certificate contains:
  • owner’s public key;
  • identity of the owner;
  • info on the CA;
  • time of validity;
  • Serial number;
  • digital signature of the CA
slide from EGEE NA3 Tutorial repository

Public Key Infrastructures
[figure: John’s certificate → verify CA signature; random phrase → encrypt with John’s private key → encrypted phrase → decrypt with John’s public key → compare with original phrase]
Based on X.509 PKI:
• every user/host/service has an X.509 certificate;
• certificates are signed by trusted (by the local sites) CA’s;
• every Grid transaction is mutually authenticated:
  • John sends his certificate;
  • Paul verifies the signature in John’s certificate;
  • Paul sends John a challenge string;
  • John encrypts the challenge string with his private key;
  • John sends the encrypted challenge to Paul;
  • Paul uses John’s public key to decrypt the challenge;
  • Paul compares the decrypted string with the original challenge;
  • If they match, Paul has verified John’s identity and John cannot repudiate it.
VERY IMPORTANT: private keys must be stored only in protected places AND in encrypted form
slide from EGEE NA3 Tutorial repository
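The hash-and-sign scheme of the “Digital signatures at work” slide and the challenge–response exchange of the PKI slide, as an added example that is not part of the tutorial: textbook RSA over two fixed (constructed) Mersenne primes, without padding, so it models the scheme rather than replacing OpenSSL or GSI; the names Paul/John, the key constants and the function names are all assumptions of this example.

```python
# Added example (not from the tutorial): hash-and-sign and challenge-response with
# textbook RSA over two fixed Mersenne primes. No padding and a small modulus: this
# is a teaching model of the scheme shown on the slides, not production crypto.
import hashlib
import secrets

# Constructed key material: p = 2^127 - 1 and q = 2^89 - 1 are known primes.
P = (1 << 127) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+ modular inverse)

PAUL_PUBLIC = (N, E)
PAUL_PRIVATE = (N, D)


def message_hash(message: bytes) -> int:
    """Hash(A) in the slide: SHA-256, reduced mod N so it fits the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes, private_key) -> int:
    """Paul 'encrypts' the hash with his private key: the result is the signature."""
    n, d = private_key
    return pow(message_hash(message), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """John recomputes Hash(B) and compares it with Hash(A) recovered from the signature."""
    n, e = public_key
    recovered = pow(signature, e, n)           # Hash(A), deciphered with Paul's public key
    return recovered == message_hash(message)  # equal => unmodified and non-repudiable


def challenge_response(prover_private, prover_public) -> bool:
    """The PKI slide: the verifier sends a random phrase, the prover signs it with the
    private key, the verifier checks it with the public key from the prover's certificate
    (verifying the CA signature on that certificate is assumed to have happened already)."""
    challenge = secrets.token_bytes(32)         # Paul's random challenge string
    response = sign(challenge, prover_private)  # John answers with his private key
    return verify(challenge, response, prover_public)


if __name__ == "__main__":
    msg = b"This is some message"
    sig = sign(msg, PAUL_PRIVATE)
    print("valid:", verify(msg, sig, PAUL_PUBLIC))                         # True
    print("tampered:", verify(b"This is some massage", sig, PAUL_PUBLIC))  # False
    print("challenge ok:", challenge_response(PAUL_PRIVATE, PAUL_PUBLIC))  # True
```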
Trusted third parties
• All research grid infrastructures share the same base set of trusted third parties (‘CAs’)
• There is typically one in each country
• The credentials they issue are comparable in quality

Requirements for (inter)national trust
• Identity vetting procedures
  • Based on (national) photo ID’s
  • Face-to-face verification of applicants via a network of Registration Authorities
  • possible to trace the user in case of unlawful misconduct
• Secure binding between the request and the identity vetting
• Periodic renewal (once every year)
• Secure operation
  • off-line signing key or HSM-backed on-line secured systems
• Response to incidents
  • Timely revocation of compromised certificates
new models and guidelines are being agreed on right now, but are not yet available.

VO affiliation
[figure: the proxy subject C=IT/O=INFN/L=CNAF/CN=Pinco Palla/CN=proxy is presented together with Pinco’s VO attributes and accepted (OK)]
• Per-VO Authorisations (“visa”)
  • granted to a person or service by a virtual organisation
  • based on the ‘passport’ name
  • acknowledged by the resource owners
  • providers can still ban individual users, and decide which privileges are granted to which VO attributes
• In your case, these ‘visa’ are called VOMS credentials
  • It is a cryptographically protected statement by the VO
  • which is bound (by the VO) to your subject name

Single sign-on and delegation
• To authenticate with your certificate directly you would have to type a passphrase every time
• Also you need a way to send your VOMS credentials across
• In the Grid Security Infrastructure today, this is solved by ‘proxy certificates’
  • a temporary key pair
  • in a temporary certificate signed by your ‘long term’ private key
  • valid for a limited time (default: 12 hours)
  • and itself not protected by a passphrase

grid-proxy-init
[figure: user certificate file and pass phrase → private key (encrypted) → user proxy certificate file]
• User enters pass phrase, which is used to decrypt the private key.
• Private key is used to sign a proxy certificate with its own, new public/private key pair.
• User’s private key is not exposed after the proxy has been signed
• Proxy placed in /tmp
  • the private key of the Proxy is not encrypted:
  • stored in a local file: must be readable only by the owner;
  • proxy lifetime is short (typically 12 h) to minimize security risks.
• NOTE: No network traffic!
slide from EGEE NA3 Tutorial repository

Delegation and limited proxy
• Delegation = remote creation of a (second level) proxy credential
  • New key pair generated remotely on server
  • Client signs proxy cert and returns it
  • for GT2 services it is built into the protocol, for GT4 WS use the delegation service (gLite: it’s implicit in the service)
• Allows remote process to authenticate on behalf of the user
  • Remote process “impersonates” the user
• The client can elect to delegate a “limited proxy”
  • Each service decides whether it will allow authentication with a limited proxy
  • Job manager service requires a full proxy
  • GridFTP server allows either full or limited proxy to be used
slide from EGEE NA3 Tutorial repository
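What a service has to check once it receives a proxy chain built as the last three slides describe (signed by the long-term key, short-lived, possibly delegated again, possibly limited), as an added example that is not code from the tutorial, Globus or gLite: it works on GT2-style names ending in CN=proxy / CN=limited proxy, assumes the TLS layer has already verified every signature in the chain, and the certificate class, the CA name and the timestamps are constructed for the example.

```python
# Added example, not from the tutorial, Globus or gLite: the checks a service makes
# on a GT2-style (CN=proxy) proxy chain, assuming each link's signature was already
# verified by the TLS layer. Names and times are constructed from the slides.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

PROXY_CN, LIMITED_CN = "/CN=proxy", "/CN=limited proxy"

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime

def classify(cert: Cert) -> Optional[str]:
    """'limited', 'proxy', or None for the end-entity (user) certificate."""
    if cert.subject.endswith(LIMITED_CN):
        return "limited"
    return "proxy" if cert.subject.endswith(PROXY_CN) else None

def validate_chain(chain: List[Cert], now: datetime) -> Tuple[str, bool]:
    """chain[0] is the leaf, chain[-1] the CA-signed user certificate.
    Returns (effective identity, limited?) or raises ValueError."""
    if not chain or classify(chain[-1]) is not None:
        raise ValueError("chain must end in a non-proxy user certificate")
    limited = False
    for depth, cert in enumerate(chain):
        if not cert.not_before <= now <= cert.not_after:
            raise ValueError(f"{cert.subject!r} is not valid at {now}")
        kind = classify(cert)
        if kind is None:
            continue  # the user certificate: CA signature assumed checked elsewhere
        parent = chain[depth + 1]
        # a proxy name is its signer's name plus exactly one CN=proxy / CN=limited proxy
        if cert.issuer != parent.subject or cert.subject[: cert.subject.rfind("/CN=")] != parent.subject:
            raise ValueError(f"{cert.subject!r} was not issued by its parent in the chain")
        if cert.not_after > parent.not_after:
            raise ValueError(f"{cert.subject!r} outlives the credential that signed it")
        limited = limited or kind == "limited"  # a limited proxy taints everything below it
    return chain[-1].subject, limited

def accept(service: str, chain: List[Cert], now: datetime) -> Optional[str]:
    """Policy from the slide: the job manager needs a full proxy, GridFTP takes either.
    Returns the identity the request acts as, or None when refused."""
    identity, limited = validate_chain(chain, now)
    return None if service == "jobmanager" and limited else identity

def sample_chain(limited_leaf: bool) -> Tuple[List[Cert], datetime]:
    """Constructed sample: user cert, a 12 h proxy, and a proxy delegated from it."""
    t0 = datetime(2006, 1, 30, 11, 0, tzinfo=timezone.utc)
    user = "/C=IT/O=INFN/L=CNAF/CN=Pinco Palla"  # subject shown on the slides
    eec = Cert(user, "/C=IT/O=INFN/CN=INFN CA (constructed)", t0 - timedelta(days=100), t0 + timedelta(days=265))
    p1 = Cert(user + PROXY_CN, user, t0, t0 + timedelta(hours=12))
    p2 = Cert(p1.subject + (LIMITED_CN if limited_leaf else PROXY_CN), p1.subject,
              t0 + timedelta(minutes=1), t0 + timedelta(hours=12))
    return [p2, p1, eec], t0 + timedelta(hours=1)
```

Revocation is deliberately absent from the chain walk: as the next slide says, a delegated proxy cannot be revoked, which is why the lifetime check is the only thing bounding it.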
Proxy again …
• grid-proxy-init ≡ “login to the Grid”
• To “logout” you have to destroy your proxy:
  • grid-proxy-destroy
  • This does NOT destroy any proxies that were delegated from this proxy.
  • You cannot revoke a remote proxy
• Usually create proxies with short lifetimes
• To gather information about your proxy:
  • grid-proxy-info
  • Options for printing proxy information: -subject -issuer -type -timeleft -strength -help
slide from EGEE NA3 Tutorial repository

Embedding your VOMS credentials
[figure: the user sends an authentication request with C=IT/O=INFN/L=CNAF/CN=Pinco Palla/CN=proxy to the VOMS server, which queries its AuthDB and returns a VOMS pseudo-cert that is embedded in the proxy (OK)]
• The proxy can also be used as a container for other stuff
  • the standard SSL protocol has no other way of adding stuff to the secure session
  • but a ‘plain’ grid proxy does not indicate which VO you belong to
  • the VOMS credential is embedded as an extension in the proxy
[davidg@tbn01 davidg]$ voms-proxy-info -all
…
Type : proxy
Bits : 512
Valid From : Jun 2 06:22:02 2004 GMT
Validity left : Jun 2 18:27:02 2004 GMT
VO : wpsix
Holder Subject: /O=dutchgrid…/O=nikhef/CN=David Groep
…
Issuer Subject: /C=FR/O=CNRS/OU=UREC/CN=vo-iteam.datagrid.cnrs.fr
…
Valid from : Jun 2 06:26:09 2004 GMT
Valid to : Jun 2 18:26:09 2004 GMT
Attribute : /wpsix/Role=NULL/Capability=NULL

Getting a VOMS proxy
• VOMS credential consists of a list of attributes
• FQAN, short for Fully Qualified Attribute Name, is what VOMS uses to express membership and other authorization info
• Group membership, roles and capabilities may be expressed in a format that binds them together:
  <group>/Role=[<role>][/Capability=<capability>]
[glite-tutor] /home/giorgio > voms-proxy-init --voms gilda
Your identity: /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio Giorgio/Email=emidio.giorgio@ct.infn.it
Enter GRID pass phrase: ******
Your proxy is valid until Mon Jan 30 23:35:51 2006
Creating temporary proxy.................................Done
Contacting voms.ct.infn.it:15001 [/C=IT/O=GILDA/OU=Host/L=INFN Catania/CN=voms.ct.infn.it/Email=emidio.giorgio@ct.infn.it] "gilda"
Creating proxy ...................................... Done
Your proxy is valid until Mon Jan 30 23:35:51 2006
slide from EGEE NA3 Tutorial repository
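The FQAN format from this slide, and the resource-provider side of the “VO affiliation” slide (attributes acknowledged by the site, individual users still bannable), as an added example that is not VOMS code or code from the tutorial: a parser that treats VOMS’ printed NULL as “absent”, plus a site policy check; the policy format, the function names and the sample DN are assumptions of this example.

```python
# Added example (not from the tutorial or VOMS): parse FQANs of the form
# <group>/Role=[<role>][/Capability=<capability>] and apply a simple site policy.
import re
from dataclasses import dataclass
from typing import List, Optional

_FQAN_RE = re.compile(
    r"^(?P<group>(?:/[^/=]+)+)"          # /vo[/subgroup...]; '=' never appears in a group name
    r"(?:/Role=(?P<role>[^/]*))?"         # optional Role=
    r"(?:/Capability=(?P<cap>[^/]*))?$"   # optional Capability=
)


@dataclass(frozen=True)
class FQAN:
    group: str
    role: Optional[str] = None        # None is what voms-proxy-info prints as NULL
    capability: Optional[str] = None


def parse_fqan(text: str) -> FQAN:
    m = _FQAN_RE.match(text.strip())
    if not m:
        raise ValueError(f"malformed FQAN: {text!r}")

    def clean(value: Optional[str]) -> Optional[str]:
        return None if value in (None, "", "NULL") else value

    return FQAN(m["group"], clean(m["role"]), clean(m["cap"]))


def fqan_matches(required: FQAN, held: FQAN) -> bool:
    """A held attribute satisfies a requirement when the group is the same and every
    role/capability the requirement names is present; a subgroup is not its parent."""
    if held.group != required.group:
        return False
    if required.role is not None and held.role != required.role:
        return False
    if required.capability is not None and held.capability != required.capability:
        return False
    return True


def authorize(holder_dn: str, held_fqans: List[str], allowed: List[str],
              banned_dns: List[str]) -> bool:
    """Resource-provider decision: the VO 'visa' grants access only if the holder's
    'passport' (DN) is not banned locally and some attribute matches the site policy."""
    if holder_dn in banned_dns:
        return False
    held = [parse_fqan(f) for f in held_fqans]
    return any(fqan_matches(parse_fqan(a), h) for a in allowed for h in held)


if __name__ == "__main__":
    # constructed sample: the attribute line from the voms-proxy-info slide, a made-up DN
    print(parse_fqan("/wpsix/Role=NULL/Capability=NULL"))
    print(authorize("/O=example/CN=Some User", ["/wpsix/Role=NULL/Capability=NULL"], ["/wpsix"], []))
```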
Long term proxies
• Proxy has limited lifetime (default is 12 h)
  • Bad idea to have a longer proxy
• However, a grid task might need to use a proxy for a much longer time
  • Grid jobs in HEP Data Challenges on LCG last up to 2 days
• myproxy server:
  • Allows you to create and store a long term proxy certificate:
    • myproxy-init -s <host_name>
    • -s <host_name> specifies the hostname of the myproxy server
  • myproxy-info
    • Get information about the stored long living proxy
  • myproxy-get-delegation
    • Get a new proxy from the MyProxy server
  • myproxy-destroy
  • Check out the myproxy-xxx --help option
• A dedicated service on the RB can renew the proxy automatically
  • File transfer services in gLite validate user requests and, where needed, renew proxies
  • contacting the myproxy server
slide from EGEE NA3 Tutorial repository

Grid authentication with MyProxy
[figure: the user runs myproxy-init on the UI to store a credential in the MyProxy Server; a Web Portal (UI) reached from a WEB Browser calls myproxy-get-delegation to obtain a proxy, runs the execution on the Grid (any grid service) and returns the output to the Local WS]
slide from EGEE NA3 Tutorial repository
But what do I have to do? A Grid Security walk-through
A walk-through
[figure: the parties involved: CA, service, user, VO]

Certificate request (once every year)
[figure: the user runs grid-cert-request and sends the cert-request to the CA]

Contacting the CA
• Each CA has different policies and practices
• Generate a cryptographic key pair
  • using a script like grid-cert-request
  • with your web browser
  • using a Java Applet
• Appear in person at the Registration Authority (RA)
• RA approves your request
• CA signs the approved request and sends you the cert
  • via mail: copy to your home directory
  • via the web: download into your browser and export to disk
• All use a network of RAs close to you
DutchGrid CA
http://ca.dutchgrid.nl/

Making the request (DutchGrid CA)
[callout: run request script]
triode:davidg:1004$ sh makerequest.sh
Generating user request and private key in /tmp
Do NOT delete the private key in this directory
NOTICE: you are about to create the cryptographic key pair you need in your certificate. The private key is highly confidential information! Do not share it with anyone and do not send it by mail to the Certification Authority
Your private key is stored in a file named 'userkey.pem'
Using configuration from /tmp/certreq15061.cnf
Generating a 1024 bit RSA private key
.....++++++
..................++++++
writing new private key to '/tmp/userkey.pem'
-----
Mailing [CA:medium] certificate request to the DutchGrid CA
…
In the authentication process by the CA, you may be asked to provide a proof-of-possession of the keypair you submitted. This may involve you providing part of your public keydata displayed below:
BA806384C5FDBA0CB079049AF252BF8532014E9A13DB6E9FF9259ED67D10E07B3B76376723D3FB17D25770629EFA3CE6F27533E468CFD9D2CBBD861ADBDF6677EE203B8133B77EC6F7FC74904A055D54BCD613BB753A9BCF81AF3B400CB43C917C29E41C4354AE452166B19D84B03C132971D7A951140D077BB0D0022F7AE065
[callout: Proof of Possession Challenge]
***
Fill in the registration form now, and go to your RA.

Your request
• openssl req -in ~/.globus/user_request.pem -text
Data:
    Version: 0 (0x0)
    Subject: O=Grid, O=CERN, OU=cern.ch, CN=Akos Frohner          [callout: User information]
    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
        RSA Public Key: (1024 bit)
            Modulus (1024 bit):                                    [callout: Public key]
                00:ba:ae:e2:9a:98:be:94:f5:f5:9e:e7:f7:06:58:[...]
            Exponent: 65537 (0x10001)
Signature Algorithm: md5WithRSAEncryption                          [callout: Signature on the public key and user information]
    29:87:63:40:65:af:1b:39:e9:71:b9:3f:70:80:0c:27:71:0e:[...]
-----BEGIN CERTIFICATE REQUEST-----                                [callout: PEM encoded request]
MIIBhjCB8AIBADBHMQ0wCwYDVQQKEwRHcmlkMQ0wC[...]
-----END CERTIFICATE REQUEST-----

Private Key Details
• openssl rsa -in ~/.globus/userkey.pem -text
Enter PEM pass phrase: ***************
Private-Key: (1024 bit)
modulus: [...]
publicExponent: ..... (0x......)
privateExponent: [...]
prime1: [...]                                                      [callout: private parameters]
prime2: [...]
exponent1: [...]
exponent2: [...]
coefficient: [...]
writing RSA key
-----BEGIN RSA PRIVATE KEY-----                                    [callout: PEM encoded private key]
-----END RSA PRIVATE KEY-----
Certificate signing
[figure: the CA signs the cert-request and returns the certificate to the user]

Importing your certificate in the browser
[figure: the user converts the certificate to cert.pkcs12]

Browser certificates
• Your certificate must be in PKCS#12 format
  openssl pkcs12 -export \
    -in ~/.globus/usercert.pem \
    -inkey ~/.globus/userkey.pem \
    -out user.p12 \
    -name 'Joe Smith'
• Use the “certificate store” of your browser
  • Windows: double-click on the “.p12” file
  • Explorer: Internet Options – tab: Content
  • Netscape 6: Preferences – Privacy&Sec – Certificates, then use “Restore”
• And SET THE MASTER PASSWORD

Account Registration (once for the lifetime of the VO, based on your DN)
[figure: the user registers with the VO and receives the VO usage guidelines]

Registering with your VO
• for ‘national’ VOs use: https://register.matrix.sara.nl/ or https://mu4.matrix.sara.nl:8443/vomses
• for LCG use: http://lcg-registrar.cern.ch/
Agree to VO AUP!
Starting a session (every 12/24 hours)
[figure: the user runs voms-proxy-init to obtain a proxy-cert carrying VOMS attributes]

Configuration on the Server (automatically updated every night/week)
[figure: the service obtains a host-cert from the CA via a host-request, and keeps the ca-certificate and crl current through cert/crl updates]

Using a Service
[figure: host/proxy certs and VOMS attributes are exchanged between user and service; the service consults its gridmap, optionally generated with mkgridmap]
Summary
CA: authentication; VO: AUP, authorization and access
• new certificate: follow the web page instructions
  • send to the appropriate CA (e.g. ca@dutchgrid.nl)
  • save the answer
    • ~/.globus/usercert.pem
  • import in web browser (.p12) and register with VO
• new proxy certificate: voms-proxy-init --voms foobar
  • /tmp/x509up_u<uid>
  • use the Grid only once ~daily

Extra: certificate renewal
• Your certificate has a validity of 12 months, then you will have to renew
  • you get an email warning 4 weeks in advance (and at ~2 weeks)
• download the script from the web site
  • run it on a unix system with OpenSSL installed (no macs!)
• The script generates a signed email message
  • send the signed message to ca@dutchgrid.nl
  • do not modify the message in any way; preferably use sendmail -t < newrequest.txt as the script tells you at the end
  • your Registration Authority will be contacted for confirmation
  • after response from the RA, a new certificate is mailed to you
• When you get the new certificate, remember to also put the newkey.pem file in the proper place!

Extra: managing a VOMS VO

VOMS management through the web
• VOMS groups and roles can be managed by the VO-admin through the VOMS-Admin web interface
• Connect to https://mu4.matrix.sara.nl:8443/voms/voname

extra: on the USB key
• go to the CA web site at http://ca.dutchgrid.nl/
• complete all web forms, and print out the paper
• download the Unix shell script
• run the makerequest.sh script, specifying where the keys should be created:
  mkdir /mnt/flash/.globus
  sh makerequest.sh /mnt/flash/.globus/
• write down the proof-of-possession challenge on the paper
Back home
• receive the mail from the CA
• insert your USB flash drive again, and copy the mail to /mnt/flash/.globus/usercert.pem
• make a symlink in your home directory on the UI:
  ln -s /mnt/flash/.globus $HOME/.globus
• login to the grid with grid-proxy-init