Grid Security Tutorial 2006
description
Transcript of Grid Security Tutorial 2006
INFSO-RI-508833
Enabling Grids for E-sciencE
www.eu-egee.org
Grid Security Tutorial 2006David Groep
NIKHEF
Grid Security, Groningen Tutorial 2006 2
Enabling Grids for E-sciencE
INFSO-RI-508833
Grid Security Tutorial
• You and the Grid– organising collaborations in virtual organisations– trust and your identity– cryptography and signing
• Getting access to resources– attribute-based authorization and VOMS– proxies, delegation, forwarding and renewal
• How it works in practice: grid security commands– getting your certificate– the GSI protocol– getting a voms-enabled proxy– what happens on the server side
Grid Security, Groningen Tutorial 2006 3
Enabling Grids for E-sciencE
INFSO-RI-508833
Virtual Organisations
What is a Virtual Organisation?
A set of individuals or organisations, not under single hierarchical control, (temporarily) joining forces to solve a particular problem at hand, bringing to the collaboration a subset of their resources, sharing those at their discretion and each under their own conditions.
graphic from: Anatomy of the Grid, Foster, Kesselman and Tuecke
Grid Security, Groningen Tutorial 2006 4
Enabling Grids for E-sciencE
INFSO-RI-508833
VOs
Typical VO examples• Each of the VL-e application sub programmes• Collaborations like the LHC experiments, or LOFAR, or …• testing/deployment groups like “pvier”• …
• Users (you) are usually a member of more than one VO• Any “large” VO will have an internal structure,
with groups, subgroups, and various roles
Grid Security, Groningen Tutorial 2006 5
Enabling Grids for E-sciencE
INFSO-RI-508833
VOs and the infrastructure
• The word “VO” is used in many different ways• The EGEE infrastructure and the VL-e PoC
provide a “bus-like” interface for VOs, where VOs are essentially user communities
Grid Security, Groningen Tutorial 2006 6
Enabling Grids for E-sciencE
INFSO-RI-508833
VOs
Grid Security, Groningen Tutorial 2006 7
Enabling Grids for E-sciencE
INFSO-RI-508833
Trust relationships
• For the VO model to work, parties need to (minimally) trust each other in their VO interactions– the alternative would be that every user would have to register at
and every resource provider…
Org. Certification
Domain A
Server X Server Y
PolicyAuthority
PolicyAuthority
TaskDomain B
Sub-Domain A1
GSI
Org. CertificationAuthority
Sub-Domain B1
Authority
AuthZFederationService
VirtualOrganization
Domain
FederatedCertificationAuthorities
graphic from: Frank Siebenlist, Argonne Natl. Lab, Globus Alliance
Grid Security, Groningen Tutorial 2006 8
Enabling Grids for E-sciencE
INFSO-RI-508833
VO federation needs
• Trust establishment within the VO is separated in:– user identity (the user’s passport)– group and roles within the VO (visa)
as these are different from a persons organisational role
graphic: OGSA Architecture 1.0, OGF GFD-I.030
Grid Security, Groningen Tutorial 2006 9
Enabling Grids for E-sciencE
INFSO-RI-508833
User Identity
• Users and resources are typically part of more than one VO, • but don’t want many passwords
• Users and resource get a single authentication token(identity certificate)– that works across virtual organisations– issued by a party trusted by all (“CA”), – recognised by many resource providers, users, and VOs– satisfy traceability and persistency requirement– in itself does not grant any access, but provides
a unique binding between an identifier and the subject
• This is called your (identity) certificate• It is a cryptographically protected statement by the CA• that you can use to prove your identity
in combination with a private key and its passphrase
Grid Security, Groningen Tutorial 2006 10
Enabling Grids for E-sciencE
INFSO-RI-508833
• Paul calculates the hashhash of the message
• Paul encrypts the hash using his privateprivate key: the encrypted hash is the digital signaturedigital signature.
• Paul sends the signed message to John.
• John calculates the hash of the message and verifiesverifies it with A, decyphered with Paul’s publicpublic key.
• If hashes equal: message wasn’t modified; Paul cannot repudiate it.
John
This is some
message
Digital Signature
Paul
This is some
message
Digital Signature
This is some
message
Digital Signature
Hash(A)
Paul keys
public private
Hash(B)
Hash(A)
= ?
Digital signatures at work
slide from EGEE NA3 Tutorial repository
Grid Security, Groningen Tutorial 2006 11
Enabling Grids for E-sciencE
INFSO-RI-508833
• Paul’s digital signature is safe if:1. Paul’s private key is not compromised
2. John knows Paul’s public key
• How can John be sure that Paul’s public key is really Paul’s public key and not someone else’s?– A third party guarantees the correspondence between public key
and owner’s identity.– Both A and B must trust this third party
Trusting the signature
slide from EGEE NA3 Tutorial repository
Grid Security, Groningen Tutorial 2006 12
Enabling Grids for E-sciencE
INFSO-RI-508833
X.509 Certificates
• An X.509 Certificate contains:– owner’s public key;
– identity of the owner;
– info on the CA;
– time of validity;
– Serial number;
– digital signature of the CA
Public keyPublic key
Subject:Subject:C=CH, O=CERN, C=CH, O=CERN, OU=GRID, CN=Andrea Sciaba OU=GRID, CN=Andrea Sciaba 89688968
Issuer: C=CH, O=CERN, Issuer: C=CH, O=CERN, OU=GRID, CN=CERN CAOU=GRID, CN=CERN CA
Expiration date: Expiration date: Aug 26 08:08:14 Aug 26 08:08:14 2005 GMT2005 GMT
Serial number: 625 (0x271)Serial number: 625 (0x271)
CA Digital signatureCA Digital signature
• Authentication (proving your identity to another party) works the same way
• in that case the CA as signed a message that contains identifiers
• which is done in a specific standard format: X.509
slide from EGEE NA3 Tutorial repository
Grid Security, Groningen Tutorial 2006 13
Enabling Grids for E-sciencE
INFSO-RI-508833
Public Key Infrastructures
• every user/host/service has an X.509 certificate;• certificates are signed by trusted (by the local sites) CA’s;• every Grid transaction is mutually authenticated:
1. John sends his certificate;2. Paul verifies signature in John’s certificate;3. Paul sends to John a challenge string;4. John encrypts the challenge string with his private key;5. John sends encrypted challenge to Paul6. Paul uses John’s public key to decrypt the challenge.7. Paul compares the decrypted string with the original
challenge8. If they match, Paul verified John’s identity and John can
not repudiate it.
JohnJohn PaulPaulJohn’s certificateJohn’s certificate
Verify CA signatureVerify CA signature
Random phraseRandom phrase
Encrypt with J.’ s private keyEncrypt with J.’ s private key
Encrypted phraseEncrypted phrase
Decrypt with J.’ s public keyDecrypt with J.’ s public key
Compare with original phraseCompare with original phrase
Based on X.509 PKI:
VERY IMPORTANTVERY IMPORTANT
Private keysPrivate keys must be stored only:
in protectedprotected places
ANDAND
in encryptedencrypted form
slide from EGEE NA3 Tutorial repository
Grid Security, Groningen Tutorial 2006 14
Enabling Grids for E-sciencE
INFSO-RI-508833
Trusted third parties
• All research grid infrastructures share the same base set of trusted third parties (‘CAs’)
• There is typically one in each country• The credentials they issue are comparable in quality
Grid Security, Groningen Tutorial 2006 15
Enabling Grids for E-sciencE
INFSO-RI-508833
Requirements for (inter)national trust
• Identity vetting procedures– Based on (national) photo ID’s– Face-to-face verification of applicants
via a network of Registration Authorities– possible to trace the user in case of unlawful misconduct– Secure binding between the request and the identity vetting– Periodic renewal (once every year)
• Secure operation– off-line signing key or HSM-backed on-line secured systems
• Response to incidents– Timely revocation of compromised certificates
new models and guidelines are being agreed on right now, but are not yet available.
Grid Security, Groningen Tutorial 2006 16
Enabling Grids for E-sciencE
INFSO-RI-508833
VO affiliation
• Per-VO Authorisations (“visa”)– granted to a person or service by a virtual organisation– based on the ‘passport’ name– acknowledged by the resource owners – providers can still ban individual users,
and decide which privileges are granted to which VO attributes
• In your case, these ‘visa’ are called VOMS credentials• It is a cryptographically protected statement by the VO• which is bound (by the VO) to your subject name
C=IT/O=INFN /L=CNAF/CN=Pinco Palla/CN=proxy
Pinco’sVO
attributes
Grid Security, Groningen Tutorial 2006 17
Enabling Grids for E-sciencE
INFSO-RI-508833
Single sign-on and delegation
• To authenticate with your certificate directly you would have to type a passphrase every time
• Also you need a way to send you VOMS credentials across
• In the Grid Security Infrastructure today, this is solved by ‘proxy certificates’– a temporary key pair– in a temporary certificate signed by your ‘long term’ private key– valid for a limited time (default: 12 hours)– and itself not protected by a passphrase
Grid Security, Groningen Tutorial 2006 18
Enabling Grids for E-sciencE
INFSO-RI-508833
grid-proxy-init
• User enters pass phrase, which is used to decrypt private key.
• Private key is used to sign a proxy certificate with its own, new public/private key pair.– User’s private key not exposed after proxy has been signed
User certificate file
Private Key(Encrypted)Pass
Phrase
User Proxycertificate file
• Proxy placed in /tmp– the private key of the Proxy is not encrypted:– stored in local file: must be readable only by the owner;– proxy lifetime is short (typically 12 h) to minimize security risks.
• NOTE: No network traffic!slide from EGEE NA3 Tutorial repository
Grid Security, Groningen Tutorial 2006 19
Enabling Grids for E-sciencE
INFSO-RI-508833
Delegation and limited proxy
• Delegation = remote creation of a (second level) proxy credential– New key pair generated remotely on server– Client signs proxy cert and returns it– for GT2 services it is built into the protocol,
for GT4 WS use the delegation service (gLite: it’s implicit in the service)• Allows remote process to authenticate on behalf of the user
– Remote process “impersonates” the user• The client can elect to delegate a “limited proxy”
– Each service decides whether it will allow authentication with a limited proxy
– Job manager service requires a full proxy– GridFTP server allows either full or limited proxy to be used
slide from EGEE NA3 Tutorial repository
Grid Security, Groningen Tutorial 2006 20
Enabling Grids for E-sciencE
INFSO-RI-508833
Proxy again …
• grid-proxy-init ≡ “login to the Grid”• To “logout” you have to destroy your proxy:
– grid-proxy-destroy
– This does NOT destroy any proxies that were delegated from this proxy.
– You cannot revoke a remote proxy– Usually create proxies with short lifetimes
• To gather information about your proxy: – grid-proxy-info
– Options for printing proxy information-subject -issuer-type -timeleft-strength -help
slide from EGEE NA3 Tutorial repository
Grid Security, Groningen Tutorial 2006 21
Enabling Grids for E-sciencE
INFSO-RI-508833
Embedding your VOMS credentials
• The proxy can also be used as a container for other stuff– the standard SSL protocol has no other way of adding stuff to
the secure session– but a ‘plain’ grid proxy does not indicate which VO you belong to– the VOMS credential is embedded as an extension in the proxy
Query
Authentication
Request
AuthDB
C=IT/O=INFN /L=CNAF/CN=Pinco Palla/CN=proxy
VOMSpseudo-cert
VOMSpseudo-cert
[davidg@tbn01 davidg]$ voms-proxy-info -all…Type : proxyBits : 512Valid From : Jun 2 06:22:02 2004 GMTValidity left : Jun 2 18:27:02 2004 GMTVO : wpsixHolder Subject: /O=dutchgrid…/O=nikhef/CN=David Groep…Issuer Subject:/C=FR/O=CNRS/OU=UREC/ CN=vo-iteam.datagrid.cnrs.fr…Valid from : Jun 2 06:26:09 2004 GMTValid to : Jun 2 18:26:09 2004 GMTAttribute : /wpsix/Role=NULL/Capability=NULL
Grid Security, Groningen Tutorial 2006 22
Enabling Grids for E-sciencE
INFSO-RI-508833
Getting a VOMS proxy
• VOMS credential consists of a list of attributes• short for Fully Qualified Attribute Name, is what VOMS uses to express
membership and other authorization info• Groups membership, roles and capabilities may be expressed in a
format that bounds them together<group>/Role=[<role>][/Capability=<capability>]
[glite-tutor] /home/giorgio > voms-proxy-init --voms gilda
Your identity: /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio Giorgio/[email protected] GRID pass phrase: ******
Your proxy is valid until Mon Jan 30 23:35:51 2006Creating temporary proxy.................................Done
Contacting voms.ct.infn.it:15001 [/C=IT/O=GILDA/OU=Host/L=INFN Catania/CN=voms.ct.infn.it/[email protected]] "gilda"
Creating proxy ...................................... DoneYour proxy is valid until Mon Jan 30 23:35:51 2006
slide from EGEE NA3 Tutorial repository
Grid Security, Groningen Tutorial 2006 23
Enabling Grids for E-sciencE
INFSO-RI-508833
Long term proxies
• Proxy has limited lifetime (default is 12 h)– Bad idea to have longer proxy
• However, a grid task might need to use a proxy for a much longer time – Grid jobs in HEP Data Challenges on LCG last up to 2 days
• myproxy server:– Allows to create and store a long term proxy certificate:– myproxy-init -s <host_name>
-s: <host_name> specifies the hostname of the myproxy server
– myproxy-info Get information about stored long living proxy
– myproxy-get-delegation Get a new proxy from the MyProxy server
– myproxy-destroy– Chech out the myproxy-xxx - - help option
• A dedicated service on the RB can renew automatically the proxy• File transfer services in gLite validates user request and eventually renew
proxies– contacting myproxy server
slide from EGEE NA3 Tutorial repository
Grid Security, Groningen Tutorial 2006 24
Enabling Grids for E-sciencE
INFSO-RI-508833
Grid authentication with MyProxy
UI
LocalWS
MyProxyServer
Web Portal(UI)
myproxy-init
any grid service
myproxy-get-delegation
outputthe Grid
execution
WEB Browser
slide from EGEE NA3 Tutorial repository
INFSO-RI-508833
Enabling Grids for E-sciencE
www.eu-egee.org
But what do I have to do?
A Grid Security walk-through
Grid Security, Groningen Tutorial 2006 26
Enabling Grids for E-sciencE
INFSO-RI-508833
A walk-through
CA
VO
user service
Grid Security, Groningen Tutorial 2006 27
Enabling Grids for E-sciencE
INFSO-RI-508833
Certificate request
CA
VO
user service
cert-request
grid-cert-request
once every year
Grid Security, Groningen Tutorial 2006 28
Enabling Grids for E-sciencE
INFSO-RI-508833
Contacting the CA
• Each CA has different policies and practices
• Generate a cryptographic key pair– using a script like grid-cert-request– with your web browser– using a Java Applet
• Appear in-person to the Registration Authority (RA)• RA approves your request• CA signs the approved request and sends you the cert
– via mail: copy to your home directory– via the web: download into your browser and export to disk
• All use a network of RAs close to you
Grid Security, Groningen Tutorial 2006 29
Enabling Grids for E-sciencE
INFSO-RI-508833
DutchGrid CA
http://ca.dutchgrid.nl/http://ca.dutchgrid.nl/
Grid Security, Groningen Tutorial 2006 30
Enabling Grids for E-sciencE
INFSO-RI-508833
Making the request (DutchGrid CA)
triode:davidg:1004$ sh makerequest.shGenerating user request and private key in /tmpDo NOT delete the private key in this directoryNOTICE: you are about to create the cryptographic key pair you need in your certificate. The private key is highly confidential information! Do not share it with anyone and do not send it by mail to the Certification Authority Your private key is stored in a file named ‘userkey.pem'
Using configuration from /tmp/certreq15061.cnfGenerating a 1024 bit RSA private key.....++++++..................++++++writing new private key to '/tmp/userkey.pem'-----Mailing [CA:medium] certificate request to the DutchGrid CA…In the authentication process by the CA, you may be asked toprovide a proof-of-possession of the keypair you submitted. Thismay involve you providing part of your public keydata displayedbelow:
BA806384C5FDBA0CB079049AF252BF8532014E9A13DB6E9FF9259ED67D10E07B3B76376723D3FB17D25770629EFA3CE6F27533E468CFD9D2CBBD861ADBDF6677EE203B8133B77EC6F7FC74904A055D54BCD613BB753A9BCF81AF3B400CB43C917C29E41C4354AE452166B19D84B03C132971D7A951140D077BB0D0022F7AE065
*** Fill in the registration form now, and go to your RA.
Proof of Possession Challenge
run request script
Grid Security, Groningen Tutorial 2006 31
Enabling Grids for E-sciencE
INFSO-RI-508833
Your request
• openssl req –in ~/.globus/user_request.pem –text Data:
Version: 0 (0x0)
Subject: O=Grid, O=CERN, OU=cern.ch, CN=Akos Frohner User information
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit): Public key
00:ba:ae:e2:9a:98:be:94:f5:f5:9e:e7:f7:06:58: [...]
Exponent: 65537 (0x10001)
Signature Algorithm: md5WithRSAEncryption Signature on the public
29:87:63:40:65:af:1b:39:e9:71:b9:3f:70:80:0c:27:71:0e: [...] key and user information
-----BEGIN CERTIFICATE REQUEST----- PEM encoded request
MIIBhjCB8AIBADBHMQ0wCwYDVQQKEwRHcmlkMQ0wC [...]
-----END CERTIFICATE REQUEST-----
Grid Security, Groningen Tutorial 2006 32
Enabling Grids for E-sciencE
INFSO-RI-508833
Private Key Details
• openssl rsa -in ~/.globus/userkey.pem –textEnter PEM pass phrase: ***************
Private-Key: (1024 bit)
modulus: [...]
publicExponent: ..... (0x......)
privateExponent: [...]
prime1: [...] private parameters
prime2: [...]
exponent1: [...]
exponent2: [...]
coefficient: [...]
writing RSA key
-----BEGIN RSA PRIVATE KEY----- PEM encoded private key
-----END RSA PRIVATE KEY-----
Grid Security, Groningen Tutorial 2006 33
Enabling Grids for E-sciencE
INFSO-RI-508833
Certificate signing
CA
VO
user service
cert-request
grid-cert-request
certificate
cert signing
Grid Security, Groningen Tutorial 2006 34
Enabling Grids for E-sciencE
INFSO-RI-508833
Importing your certificate in the browser
CA
VO
user service
cert.pkcs12convert
cert-request
grid-cert-request
certificate
cert signing
Grid Security, Groningen Tutorial 2006 35
Enabling Grids for E-sciencE
INFSO-RI-508833
Browser certificates
• Your our certificate must be in PKCS#12 formatopenssl pkcs12 –export \
–in ~/.globus/usercert.pem \–inkey ~/.globus/userkey.pem \–out user.p12 \–name ’Joe Smith’
• Use the “certificate store” of your browser– Windows: double-click on the “.p12” file– Explorer: Internet Options – tab: Content– Netscape 6: Preferences –
Privacy&Sec – Certificates, then use “Restore”
• And SET THE MASTER PASSWORD
Grid Security, Groningen Tutorial 2006 36
Enabling Grids for E-sciencE
INFSO-RI-508833
Usage Guidelines
CA
VO
user service
registrationcert.pkcs12
convert
cert-request
grid-cert-request
certificate
cert signing
Usage guidelines
Account Registration
once for the lifetime of the VO
(based on your DN)
Grid Security, Groningen Tutorial 2006 37
Enabling Grids for E-sciencE
INFSO-RI-508833
Registering with your VO
for LCG use:http://lcg-registrar.cern.ch/ Agree to VO AUP!Agree to VO AUP!
for ‘national’ VOs use:https://register.matrix.sara.nl/or https://mu4.matrix.sara.nl:8443/vomses
Grid Security, Groningen Tutorial 2006 38
Enabling Grids for E-sciencE
INFSO-RI-508833
Starting a session
CA
VO
user service
proxy-certvoms-proxy-init
registrationcert.pkcs12
convert
cert-request
grid-cert-request
certificate
cert signing
every 12/24 hours
Grid Security, Groningen Tutorial 2006 39
Enabling Grids for E-sciencE
INFSO-RI-508833
Configuration on the Server
CA
VOMS
user service
proxy-certvoms-proxy-init
registrationcert.pkcs12
convert
cert-request
grid-cert-request
certificate
cert signing
host-cert
cert signing
host-request
grid-cert-request
ca-certificate
crl
cert/crl update
automatically updated every
night/week
Grid Security, Groningen Tutorial 2006 40
Enabling Grids for E-sciencE
INFSO-RI-508833
Using a Service
CA
VOMS
user service
proxy-certvoms-proxy-init
registrationcert.pkcs12
convert
cert-request
grid-cert-request
certificate
cert signing
host-cert
cert signing
gridmapoptional:
mkgridmap
host/proxy certs and VOMS attributes exchanged
host-request
grid-cert-request
ca-certificate
crl
cert/crl update
Grid Security, Groningen Tutorial 2006 41
Enabling Grids for E-sciencE
INFSO-RI-508833
Summary
CA: authenticationVO: AUP, authorization and access
• new certificate: follow the web page instructions• send to the appropriate CA (e.g. [email protected])• save the answer
– ~/.globus/usercert.pem
• import in web browser (.p12) and register with VO
• new proxy certificate: voms-proxy-init –vo foobar– /tmp/x509up_u<uid>
• use the Grid
Grid Security, Groningen Tutorial 2006 42
Enabling Grids for E-sciencE
INFSO-RI-508833
Extra: certificate renewal
• Your certificate has a validity of 12 months, then you will have to renew– you get an email warning 4 weeks in advance (and at ~ 2 weeks)– download the script from the web site– run it on a unix system with OpenSSL installed (no macs!)
• The script generates a signed email message– send the signed message to [email protected] – do not modify the message in any way, preferably use
sendmail –t < newrequest.txtas the script tells you at the end
– your Registration Authority will be contacted for confirmation– after response from the RA, a new certificate is mailed to you
• When you get the new certificate, remember to also put the newkey.pem file in the proper place!
Grid Security, Groningen Tutorial 2006 43
Enabling Grids for E-sciencE
INFSO-RI-508833
Extra: managing a VOMS VO
Grid Security, Groningen Tutorial 2006 44
Enabling Grids for E-sciencE
INFSO-RI-508833
VOMS management through the web
• VOMS groups and roles can be managed by the VO-admin through the VOMS-Admin web interface
• Connect to https://mu4.matrix.sara.nl:8443/voms/voname
Grid Security, Groningen Tutorial 2006 45
Enabling Grids for E-sciencE
INFSO-RI-508833
extra: on the USB key
1. go to the CA web site at http://ca.dutchgrid.nl/
2. complete all web forms, and print out the paper
3. download the Unix shell script
4. run the makerequest.sh script, specifying where the keys should be created:
mkdir /mnt/flash/.globussh makerequest.sh /mnt/flash/.globus/
5. write down the proof-of-possession challenge on the paper
Back home
1. receive the mail from the CA
2. insert your USB flash drive again, and copy the mail to/mnt/flash/.globus/usercert.pem
3. make a symlink in your home directory on the UI:ln –s /mnt/flash/.globus $HOME/.globus
4. login to the grid with grid-proxy-init