Security Middleware and VOMS service status

Andrew McNab, Grid Security Research Fellow

University of Manchester


11 January 2006 A.McNab – Grid Security

Outline

● GridSiteWiki
● Shibboleth
● Delegation
● GridHTTP
● SiteCast
● VOMS middleware
● VOMS service


GridSiteWiki

• Uses software developed for the collaborative “Wikipedia” encyclopedia
  – Added support for certificates that grid users have for authentication
  – So no need to remember passwords

• Raises the question of what other “legacy” web systems can be gridified

• But there's Shibboleth going live soon too...


Shibboleth

• Shibboleth is being adopted by JISC to replace ATHENS for library / database services
  – For all UK University / NHS staff & students

• As part of FAME-PERMIS, we've implemented a stopgap Shibboleth Identity Provider
  – Leverages X.509 Certs/DNs by allowing the user to choose a username / password to use.

• Adding support to GridSite for Shibboleth attributes, to turn GridSites into Service Providers


Delegation

● GSI proxy delegation was part of Globus 2 binary protocols

● For Web Service / SOAP grids, need a new way to do this

● We proposed a set of HTTP delegation methods during EDG

● For EGEE, we wrote the WSDL / SOAP delegation portType now used by EGEE (Manchester-UK & KTH-SE) implementations, and by WLMS and Data Management

● There are ongoing discussions with OSG and Globus about merging the EGEE portType with Globus's new delegation service.
  – During January, we (Manchester-UK & KTH-SE) are producing C and Java for the revised EGEE portType


GridHTTP

● htcp and GridSite make it easy to use HTTP(S) for reading and writing files on remote servers

● One advantage of GridFTP was support for 3rd party transfers between remote sites

● GridSite now supports this using the WebDAV COPY method and onetime passcodes
  – Authentication / authorization / obtain passcode via HTTPS
  – File transfer via HTTP using onetime passcode

● Currently adding multistream remote transfers
  – managing passcodes remotely is the issue...
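A model of the onetime passcode step above, added here as an illustration and not GridSite's own code: the store layout, the 300 s lifetime, the method/URL binding rule and the URLs are assumptions chosen to show what the passcode has to enforce once the transfer itself runs over plain HTTP.

```python
"""Model of a onetime passcode for GridHTTP third-party transfers.

Constructed example (not GridSite code): the passcode is issued over HTTPS
after the usual certificate authentication/authorization, then redeemed
once over HTTP. It must be single use, short lived and bound to exactly
one method and URL, or an observer of the HTTP leg could replay it.
"""
import secrets


class PasscodeStore:
    """Server side: issued passcodes and what each one is allowed to do."""

    def __init__(self, lifetime_s=300):  # 300 s is an assumed lifetime
        self.lifetime_s = lifetime_s
        self._codes = {}  # passcode -> (method, url, expiry time)

    def issue(self, method, url, now):
        """Bind a fresh random passcode to exactly one request."""
        code = secrets.token_hex(16)
        self._codes[code] = (method, url, now + self.lifetime_s)
        return code

    def redeem(self, code, method, url, now):
        """Accept once, only for the bound request, only before expiry."""
        entry = self._codes.pop(code, None)  # pop: a replay no longer finds it
        if entry is None:
            return False
        bound_method, bound_url, expiry = entry
        return now <= expiry and (method, url) == (bound_method, bound_url)


def run_scenarios():
    """Constructed third-party COPY: the client obtains a passcode from the
    destination server, passes it to the source server in the COPY request,
    and the source PUTs the file to the destination using that passcode."""
    dest = PasscodeStore(lifetime_s=300)
    dest_url = "http://dest.example/data/file1"  # constructed URL
    ok = dest.issue("PUT", dest_url, now=0.0)
    replay = dest.issue("PUT", dest_url, now=0.0)
    wrong = dest.issue("PUT", dest_url, now=0.0)
    late = dest.issue("PUT", dest_url, now=0.0)
    return {
        "valid": dest.redeem(ok, "PUT", dest_url, now=5.0),
        "replay": dest.redeem(replay, "PUT", dest_url, now=5.0)
                  and dest.redeem(replay, "PUT", dest_url, now=6.0),
        "other_url": dest.redeem(wrong, "PUT", dest_url + ".bak", now=5.0),
        "expired": dest.redeem(late, "PUT", dest_url, now=301.0),
    }
```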


SiteCast

● Using HTTP(S) for file transfers has also been taken up by EGEE WLMS

● We're now looking at how to locate local replicas of files on GridSite HTTP(S) servers

● Have designed a simple replica location system for farms with many disks/hosts
  – Now implemented in server-side and htcp
  – Uses UDP multicast to find lists of replicas of a given file: looks at filesystem rather than database

● Intend to do test deployments on some of the Tier-2 equipment (pre-production farm first)


VOMS middleware

● GridSite parses VOMS attribute certificates from LCG / EGEE VOMS servers

● As VOMS is deployed, scaling problems are emerging
  – Need to distribute certificate of each VOMS to each host (WN?) which will check them
  – N(hosts) x N(VOs) ?!?!?

● One solution is to include VOMS cert along with attribute certificate
  – Being implemented by INFN-IT (server), Manchester-UK (client C) and KTH-SE (client Java) this month


GridPP VOMS (slides from Alessandra Forti)

• GridPP national VOMS to support:
  – Smaller VOs such as phenogrid, t2k
  – Local VOs

• Agreement with NGS for mutual support
  – Common infrastructure to maintain the VOMS servers
  – Common VOs support
  – Common distribution of information
  – Enable each other's VOs on each other's systems


What is happening

• ½ FTE for VO management support:
  – Sergey Dolgodobrov

• Support part of the Tier2 infrastructure
  – 3 servers for GridPP: 1 test, 1 production, 1 backup
  – 2 servers for NGS: 1 production, 1 backup

• Sergey will be the VOMS administrator and will do VO support

• Production VOMS server (voms.gridpp.ac.uk) has been installed and is ready to be used

• 2 VOs have already been enabled
  – Gridpp for testing
  – T2k


How to enable a VO

• A formal request has to be made to the ROC
  – ask Jeremy Coles

• Information about the VO has to be supplied in the request
  – Name, description, VO manager, VO security contact

• The request has to be approved by the PMB
  – PMB meets every week so it won't take long

• After approval the VO gets created on the VOMS
  – VO manager will then be able to add users

• The information to enable the VO at sites will then be downloadable from the GridPP web site.
  – This might change in the future if the CIC portal is used instead.
  – VOs will be responsible for keeping the information up-to-date

• More details on the procedure can be found at http://www.gridpp.ac.uk/deployment/users/newvo.html


Summary

● Through JISC funding, we're doing some work on Shibboleth support

● We continue to work with EGEE JRA3 to provide tools for other parts of EGEE / LCG.

● Delegation and VOMS support are being reworked currently.

● “GridHTTP” extended to support 3rd party transfers

● SiteCast offers lightweight replica location.

● Joseph, Yibiao and Sergey are making a big contribution to all these ongoing subprojects