Running AliEn Secure Services
Jianlin Zhu, Huazhong Normal University

Outline
• Security Considerations for AliEn Services
• Security Environment for AliEn Services
• Security Infrastructure for AliEn Services
• Security Instances for AliEn Services
• Future work
• Reference
AliEn
• AliEn is a distributed computing environment with the aim of offering the ALICE user community transparent access to worldwide distributed computing and storage resources.
• AliEn components are web services, and they talk to each other using SOAP (Simple Object Access Protocol).
• Central Services: Proxy, IS, Authen, Server, Logger, Broker, TransferManager, TransferBroker, TransferOptimizer, JobOptimizer, CatalogueOptimizer, PackManMaster, MessageMaster, SEManager, JobInfoManager, MonaLisa
• Site Services: ClusterMonitor, CE, SE, PackMan, MonaLisa
Security Considerations
• AliEn runs more than twenty service components providing the public services for the whole grid system
• Supporting the Grid Security Infrastructure and Public Key Infrastructure
  • Security authentication
  • Communication encryption
  • Private key protection
  • Delegation
  • Single sign-on
• Compatibility and transparency to the Grid components
• Modular security function
Grid Security Infrastructure
• Proxies and delegation (GSI extensions) for secure single sign-on
• SSL/TLS for authentication and message protection
• PKI (CAs and certificates) for credentials
PKI: Public Key Infrastructure, SSL: Secure Socket Layer, TLS: Transport Layer Security
Public Key Infrastructure (PKI)
• X.509 Certificates
• Certificate Authorities (CAs)
• Certificate Policies
• Namespaces
• Requesting a certificate
  • Certificate Request
  • Registration Authority
• PKI allows you to know that a given public key belongs to a given user
• PKI builds on asymmetric encryption:
  • Each entity has two keys: public and private
  • Data encrypted with one key can only be decrypted with the other
  • The private key is known only to the entity
  • The public key is given to the world encapsulated in an X.509 certificate
Secure Socket Layer (SSL)
• Also known as TLS (Transport Layer Security)
• Uses certificates and TCP sockets to provide a secured connection
• Authentication of one or both parties using the certificates
• Message protection
  • Confidentiality (encryption)
  • Integrity
(Diagram: SSL/TLS layered over certificates and TCP sockets)
GSI
• Grid Security Infrastructure (GSI)
• Based on the Generic Security Services API (GSS-API)
• Uses an extension to X.509 certificates
• Provides a mechanism to:
  • Authenticate a subject
  • Authorise a resource
  • Implement a single sign-on mechanism
• Current implementation does this using:
  • Proxy certificates and Certification Authorities
  • Gridmapfile
[lxplus215] ~ $ grid-proxy-info    (proxy created with grid-proxy-init -old)
subject  : /C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlinzhu/CN=proxy
issuer   : /C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlinzhu
identity : /C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlinzhu
type     : full legacy globus proxy
strength : 512 bits
path     : /tmp/x509up_u50218
timeleft : 11:59:54

[lxplus215] ~ $ grid-proxy-info    (proxy created with grid-proxy-init -rfc)
subject  : /C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlinzhu/CN=1441834040
issuer   : /C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlinzhu
identity : /C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlinzhu
type     : RFC 3820 compliant impersonation proxy
strength : 512 bits
path     : /tmp/x509up_u50218
timeleft : 11:59:54

[lxplus215] ~ $ grid-proxy-info    (proxy created with grid-proxy-init)
subject  : /C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlinzhu/CN=1135709971
issuer   : /C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlinzhu
identity : /C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlinzhu
type     : Proxy draft (pre-RFC) compliant impersonation proxy
strength : 512 bits
path     : /tmp/x509up_u50218
timeleft : 11:59:55
VOMS credentials
• VOMS credentials are represented in the form of FQAN (short for Fully Qualified Attribute Name).
• A FQAN is a compound string consisting of the group, the subgroups, and the role a user chooses in order to access a resource.

$ voms-proxy-info -all
subject   : /C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlinzhu/CN=proxy
issuer    : /C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlinzhu
identity  : /C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlinzhu
type      : proxy
strength  : 1024 bits
path      : /tmp/x509up_u50218
timeleft  : 11:45:59
=== VO alice extension information ===
VO        : alice
subject   : /C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlinzhu
issuer    : /DC=ch/DC=cern/OU=computers/CN=voms.cern.ch
attribute : /alice/Role=lcgadmin/Capability=NULL
attribute : /alice/Role=NULL/Capability=NULL
attribute : /alice/lcg1/Role=NULL/Capability=NULL
timeleft  : 11:45:58
uri       : voms.cern.ch:15000
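The proxy and VOMS output shown on the two slides above is what a service sees before it trusts a caller. As an added example (not code from the slides or from AliEn), this parses that output, splits each FQAN into group/role/capability, and flags the properties an operator would check: the proxy subject must be its issuer plus one CN component, the key must not be short (the 512-bit proxies above fail a 1024-bit floor), and enough lifetime must remain. Thresholds and the sample text are assumptions constructed here.

```python
import re
from datetime import timedelta

SAMPLE = """subject   : /C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlinzhu/CN=1441834040
issuer    : /C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlinzhu
identity  : /C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlinzhu
type      : RFC 3820 compliant impersonation proxy
strength  : 512 bits
timeleft  : 11:59:54
=== VO alice extension information ===
attribute : /alice/Role=lcgadmin/Capability=NULL
attribute : /alice/lcg1/Role=NULL/Capability=NULL
timeleft  : 11:45:58
"""  # constructed sample in the layout grid-proxy-info / voms-proxy-info -all print

def parse_proxy_info(text):
    """Turn 'key : value' lines into a dict; all 'attribute' lines go into a list."""
    info = {"attribute": []}
    for key, val in re.findall(r"^\s*(\S+)\s*:\s*(.*)$", text, re.M):
        if key == "attribute":
            info["attribute"].append(val.strip())
        elif key not in info:             # the first 'timeleft' is the proxy's own lifetime
            info[key] = val.strip()
    return info

def parse_fqan(fqan):
    """Split a FQAN into (group, role, capability); VOMS writes NULL for 'not set'."""
    parts = fqan.split("/")[1:]
    group = "/" + "/".join(p for p in parts if "=" not in p)
    attrs = dict(p.split("=", 1) for p in parts if "=" in p)
    norm = lambda v: None if v in (None, "NULL") else v
    return group, norm(attrs.get("Role")), norm(attrs.get("Capability"))

def check_proxy(info, min_bits=1024, min_left=timedelta(hours=1)):
    """Findings an operator would want before accepting this proxy (thresholds assumed)."""
    findings = []
    # a proxy subject must be its issuer's subject plus exactly one extra CN component
    if not (info["subject"].startswith(info["issuer"] + "/CN=")
            and info["subject"].count("/CN=") == info["issuer"].count("/CN=") + 1):
        findings.append("subject does not extend issuer by one CN component")
    if int(info["strength"].split()[0]) < min_bits:
        findings.append("proxy key shorter than %d bits" % min_bits)
    h, m, s = (int(x) for x in info["timeleft"].split(":"))
    if timedelta(hours=h, minutes=m, seconds=s) < min_left:
        findings.append("proxy expires in less than %s" % min_left)
    if "RFC 3820" not in info.get("type", ""):
        findings.append("not an RFC 3820 proxy: " + info.get("type", "?"))
    return findings
```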
HTTPS as the AliEn secure protocol
• HTTPS is an interesting and important protocol for several reasons:
  • It is by far the most widely deployed secure protocol
  • It has a large number of high-quality modules that we could leverage
  • It has excellent interaction with firewalls, Network Address Translation and application proxies
  • It has the potential to solve some of the problems sites have with private IP farms
  • Along with HTTP, it is the basis for Web and Grid Services
• AliEn Services are Web Services using SOAP/XML to send messages
• HTTPS consists of HTTP/1.1 over an SSL connection
  • Security is done by the SSL layer, using X.509 certificates (including GSI)
Security Environment for AliEn Services
• Apache as the AliEn services hosting environment
  • mod_perl: supporting the Perl language
  • mod_ssl: supporting PKI (X.509 certificate verification)
  • mod_gridsite: supporting GSI (parses GACL policies, X.509, GSI, VOMS credentials)
What Apache provides
• Allows customization of the standard Apache installation through program modularity
• Extensibility, decomposition and flexibility
• Rich modules
  • mod_ssl: encryption (private communications)
  • mod_perl, mod_cgi, etc.: application and language support (cgi, perl, php, etc.)
  • mod_gridsite: GACL policies, X.509, GSI, VOMS credentials support
• Modules can be added at compile time or before execution (with DSO) using the LoadModule and AddModule directives
What SSL provides
• Secure communication between client and server.
• The SSL protocol works on top of the TCP/IP layer and below the application layer.
• Provides authentication using certificates, multiple encryption cipher choices, methods to exchange session keys, and integrity checking.
• Server authentication almost always takes place. Client authentication is optional.
• Once authentication and handshaking are done, data is transmitted using the strongest mutually available cipher over TCP/IP.
• Weaker ciphers have resulted in some potential SSL security holes.
What GridSite provides
• Support for clients with GSI proxies to standard Apache/mod_ssl
• With the XML access control language GACL, to define read, write, list and admin permissions for files, directories and scripts
• With the VOMS credentials, the resource owners can decide which privileges to grant to which VO attributes.

<?xml version="1.0"?>
<gacl>
  <entry>
    <person><dn>/C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlinzhu</dn></person>
    <allow><read/></allow>
  </entry>
</gacl>
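To show how a GACL file like the one above turns a caller's DN and VOMS FQANs into read/list/write/admin permissions, here is an added evaluator (my own code, not GridSite's mod_gridsite). It assumes the GACL rules as I understand them: every credential in an entry must match, permissions from all matching entries are unioned, and <deny> overrides <allow>; a <voms> pattern matches a FQAN in that group or role or any subgroup below it. The policy text is constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed GACL policy (hypothetical): a person entry, a VOMS-role entry and a deny entry
POLICY = """<?xml version="1.0"?>
<gacl>
  <entry>
    <person><dn>/C=CN/O=HEP/O=CCNU/OU=PHYS/CN=jianlinzhu</dn></person>
    <allow><read/><list/></allow>
  </entry>
  <entry>
    <voms><fqan>/alice/Role=lcgadmin</fqan></voms>
    <allow><write/><admin/></allow>
  </entry>
  <entry>
    <voms><fqan>/alice/lcg1</fqan></voms>
    <deny><write/></deny>
  </entry>
</gacl>"""

PERMS = ("read", "list", "write", "admin")

def canon(fqan):
    """Drop unset attributes so /alice/Role=NULL/Capability=NULL compares as /alice."""
    return "/".join(p for p in fqan.split("/") if not p.endswith("=NULL"))

def fqan_matches(pattern, fqan):
    """Assumed rule: the pattern matches the FQAN itself or anything in a subgroup below it."""
    p, f = canon(pattern), canon(fqan)
    return f == p or f.startswith(p + "/")

def cred_matches(cred, dn, fqans):
    """Match one <person>, <voms> or <any-user> credential element against the caller."""
    if cred.tag == "person":
        return cred.findtext("dn") == dn
    if cred.tag == "voms":
        return any(fqan_matches(cred.findtext("fqan"), f) for f in fqans)
    return cred.tag == "any-user"

def evaluate(policy_xml, dn, fqans=()):
    """Permissions for the caller: union of matching <allow>s minus matching <deny>s."""
    allowed, denied = set(), set()
    for entry in ET.fromstring(policy_xml).findall("entry"):
        creds = [c for c in entry if c.tag in ("person", "voms", "any-user")]
        if not creds or not all(cred_matches(c, dn, fqans) for c in creds):
            continue                      # every credential in an entry has to match
        allowed |= {p.tag for p in entry.findall("allow/*") if p.tag in PERMS}
        denied |= {p.tag for p in entry.findall("deny/*") if p.tag in PERMS}
    return allowed - denied
```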
Apache + mod_ssl + mod_gridsite
• Together, Apache, mod_ssl and mod_gridsite create a security system based on digital certificates and GSI that allows you to offer secure, encrypted connections to the web server.
• One more way to run AliEn services
• Easy to configure and manage
• Transparent to users
• Secure single sign-on
(Diagram: AliEn architecture. User Interface layer: FS, User Application, CLI, GUI, Web Portal, API (C/C++/Perl). AliEn Core Components and Services: File/Metadata Catalogue, Config Management, Package Management, ADBI, Security, Database Proxy, SOAP/XML, CE, SE, PackMan, MonaLisa, ClusterMonitor, Authentication, IS, RB, Logger. External Software: LDAP, Perl Core, Perl Modules, External Libraries, V.O. Packages & Commands, DBI, DBD, RDBMS.)
Adding secure function
(Diagram: central services (Authen, TaskQueue, Job Broker, Job Manager, Job optimizers: Splitting, Expired, Zombies, Priorities, Merging; File catalogue: LFN, GUID, Meta data; logger, MonALISA), site services at Site A and Site B (CE, SE, CM, Packman, MonALISA, JA, Jobs) and LCG services (CREAM CE), with the secure function added to each service.)
Future Plan
• Adding security protection to the AliEn services one by one
• Adding support for XACML and the Delegation PortType
• Large-scale testing of the AliEn secure services
Reference
• PKI, RFC 3280, http://tools.ietf.org/html/rfc3280
• GSI, RFC 3820, http://tools.ietf.org/html/rfc3820
• The Globus Project, http://www.globus.org/security
• The Apache Project, http://www.apache.org/
• The GridSite Project, http://www.gridsite.org/