GridCC Security Infrastructure

  1. GridCC Security Infrastructure Sakis Moralis <amoral@netmode.ntua.gr> IASA & NTUA Network Management & Optimal Design Laboratory – NETMODE December 15, 2005

  2. GridCC Specific Characteristics
     • Near real time control of (virtual) instruments
     • Responsive control
     • Control of instrumentation within a Grid environment
     • Quality of service requirements for all components of the GridCC Grid
     • Automated problem solving within a Grid environment
     • Human interaction with Grids through the Virtual Control Room
     • Enactment of complex workflows
     • Based on Web Services technologies

  3. GridCC Architecture

  4. GridCC Core Use Cases
     • Control and monitoring of a High-Energy Physics (HEP) experiment
       – very high number of instruments
       – a large number of concurrent “users” (sometimes in the form of automatic monitoring tasks)
       – a high rate of incoming data
     • Far remote operation of an accelerator
       – large numbers of instruments (mainly sensors)
       – requirements on the reaction times to alarms
       – human-machine interface
       – error handling
     • PowerGrid

  5. Other GridCC Use Cases
     • Control of a distributed Intrusion Detection System (IDS)
     • Meteorology (forecasting)
     • Geo-hazard predictions
     • Device farm
     • Neuro data analysis

  6. AAI Guidelines
     • Single sign-on. An authenticated user should be able to authenticate once (per user session) and access many resources.
     • Encrypted authentication, using X.509 certificates. In this way the existing CAs employed by other grid projects will be utilized. A user should need only one certificate in order to access different Grid infrastructures.
     • Message authentication and integrity. These should be mandatory, while encrypted communication could be optional depending on each use case.
     • Access control. Only authorized resources should be used, as long as they are available.
     • Auditing of control messages and of the user who sent them.
     • Must impose minimum overhead on the responsiveness of a control session.

  7. GridCC Architectural Choices
     • X.509 certificates for initial authentication (using PKINIT)
     • Kerberos for authentication to the end-systems
     • Authorization is based on the subgroup of a user
     • Mapping of an identity
       – user/subgroup@VO -> principal/instance@REALM
     • Access rules (default deny policy)
       – Operation, PortType, Service Endpoint URL, Kerberos Instance

  8. GridCC AAI Architecture

  9. Performance Improvements over PKI
     • Session key distribution is performed using Kerberos tickets (improves performance by avoiding the SSL handshake)
     • Service providers (e.g. IE) do not keep/check the remote user’s credentials for authentication (accept if the ticket is valid)
     • Authorization is performed through the Access Control Manager (ACM) rule-based system. The use of groups allows fewer rules.
     • Finer control of session characteristics
       – Encrypt the whole message with the session key
       – Sign the message with the session key (timestamp included)
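A toy version of the identity mapping and the default-deny, group-based Access Control Manager described on slides 7 and 9, added here as an example and not code from the GridCC project; the realm GRIDCC.EXAMPLE, the endpoint URLs and the rule set are constructed, and treating the VO subgroup as the Kerberos instance is an assumption.

```python
import re
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Constructed values: the realm and the rule set below are assumptions for this example.
REALM = "GRIDCC.EXAMPLE"
_ID_RE = re.compile(r"([^/@]+)/([^/@]+)@([^/@]+)")  # name/instance@domain

def map_identity(vo_identity: str, realm: str = REALM) -> str:
    """Map user/subgroup@VO -> principal/instance@REALM (slide 7).
    Assumption: the VO subgroup becomes the Kerberos instance, the user name is kept."""
    m = _ID_RE.fullmatch(vo_identity)
    if m is None:
        raise ValueError(f"malformed VO identity: {vo_identity!r}")
    user, subgroup, _vo = m.groups()
    return f"{user}/{subgroup}@{realm}"

@dataclass(frozen=True)
class Rule:
    """One ACM rule over slide 7's attributes; each field is a shell-style pattern."""
    operation: str
    port_type: str
    endpoint_url: str
    instance: str  # Kerberos instance (the subgroup) the rule grants to

    def matches(self, operation: str, port_type: str, endpoint_url: str, instance: str) -> bool:
        return (fnmatchcase(operation, self.operation)
                and fnmatchcase(port_type, self.port_type)
                and fnmatchcase(endpoint_url, self.endpoint_url)
                and fnmatchcase(instance, self.instance))

class AccessControlManager:
    def __init__(self, rules):
        self.rules = tuple(rules)

    def authorize(self, principal: str, operation: str, port_type: str, endpoint_url: str) -> bool:
        """Default deny: allow only if some rule matches the request. Rules name the
        subgroup (instance), so one rule covers every member of that group."""
        m = _ID_RE.fullmatch(principal)
        if m is None:           # unmappable principal: fall through to deny
            return False
        inst = m.group(2)
        return any(r.matches(operation, port_type, endpoint_url, inst) for r in self.rules)

# Constructed rule set: read-only operations for any instance, HV control for operators only.
ACM = AccessControlManager([
    Rule("get*", "InstrumentElement", "https://ie.example.org/*", "*"),
    Rule("setVoltage", "InstrumentElement", "https://ie.example.org/hv/*", "operators"),
])
```

Anything not covered by a rule, including an unknown operation or a principal from a different subgroup, is denied without a rule having to say so.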

  10. GridCC AAI using a simple scenario

  11. Questions?
