1 Grid Trust Service (GTS)

2 www.cagrid.org Problem
- How do grid clients and services know which CA certificates to trust?
- Should I trust this CA?

3 Current Approach
- Current approach (Globus, caGrid 0.5)
  - The service container and/or an individual service is configured by specifying a trusted CA certificates directory in the server/service configuration directory.
  - Credentials are accepted if they are signed by a CA certificate in the trusted CA directory.
- Drawbacks
  - Hard for grid administrators to manage.
  - Difficult to provision trusted authorities: every time a new trusted authority comes online, all the services in the grid must be re-configured to trust that authority.
  - Difficult to provision CRLs.
  - Impossible to keep the trusted CA list current.
  - Trust is configured at the container level, not at the service level.
  - The trust fabric is in the hands of users.
  - Potentially a serious security risk.

4 Certificate Validation Profiles
- Locally Stored Locally Validated Profile (LSLV)
  - Trusted certificates are stored locally.
  - Revocation lists are stored locally.
  - Certificates received are validated against the locally stored trusted certificates.
  - Equivalent to XKMS Tier 0
- Pros
  - Almost no infrastructure required
- Cons
  - Impossible to keep the trusted CA list current
  - The trust fabric is in the hands of users
  - Potentially a serious security risk

5 Certificate Validation Profiles
- Remotely Retrieved Locally Validated Profile (RRLV)
  - Trusted certificates exist in, and are managed by, a Trust Service.
  - Certificates received are validated against trusted certificates retrieved from the Trust Service.
  - Equivalent to XKMS Tier 1
- Pros
  - Authentication is performed against the current trust fabric.
  - Validation is done locally, so specialized validation requirements can be enforced.
- Cons
  - Validation is done locally; poor enforcement could lead to a potential security risk.
  - Relies on bootstrapping from the Trust Service.

6 Certificate Validation Profiles
- Remotely Stored Remotely Validated Profile (RSRV)
  - Trusted certificates exist in, and are managed by, a Trust Service.
  - Certificates received are sent to the Trust Service to be validated.
  - Equivalent to XKMS Tier 2
- Pros
  - Authentication is performed against the current trust fabric.
  - Validation is done remotely and enforced globally; the local deployment is no longer responsible for validation.
  - Certificate path discovery is managed.
  - Enforcement of CA signing policies.
- Cons
  - Network overhead

7 Certificate Validation Profile Support
- Locally Stored Locally Validated Profile (LSLV)
  - Supported by Globus 4.0.3: a directory of trusted certificates; certificate validation is performed against the certificates in that directory.
- Remotely Retrieved Locally Validated Profile (RRLV)
  - Use the Trust Service to obtain trusted CA certificates and CRLs and store them in the Globus trusted certificate directory.
  - A Trust Service client manages the Globus trusted certificate directory for Globus, keeping it up to date.
  - Only minor changes to Globus are required.
- Remotely Stored Remotely Validated Profile (RSRV)
  - Globus contacts the Trust Service during authentication to determine whether the credentials in question are signed by a trusted CA.
  - The Trust Service performs all validation and enforces revocation lists.
  - Support requires SIGNIFICANT changes to the Globus Toolkit.
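As an added example, written for this page rather than taken from Globus or caGrid, here is the local validation step that both the LSLV and RRLV profiles end in, in Go. A constructed CA and its CRL stand in for the contents of the trusted-certificates directory; ValidateLocally requires a credential to chain to a CA in that store and not to appear on that CA's CRL. The CA names, subject names and serial numbers are invented fixtures, and the only real APIs used are Go's crypto/x509 package.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// must panics on fixture-generation errors, which cannot legitimately occur for
// the constructed inputs below; the real validation logic returns errors.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// makeCert mints a throwaway P-256 key and certificate. A CA (isCA) is always
// a self-signed root here; a user credential is signed by parent/parentKey.
// Nothing here is a real caGrid key or certificate.
func makeCert(cn string, serial int64, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: isCA}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// makeCRL has the CA sign a revocation list naming the given serial numbers.
func makeCRL(ca *x509.Certificate, key *ecdsa.PrivateKey, revoked ...int64) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1),
		ThisUpdate: time.Now().Add(-time.Hour), NextUpdate: time.Now().Add(24 * time.Hour)}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: time.Now()})
	}
	der := must(x509.CreateRevocationList(rand.Reader, tmpl, ca, key))
	return must(x509.ParseRevocationList(der))
}

// ValidateLocally is the LSLV/RRLV check a container performs: the credential
// must chain to a CA in the local trust store, and it must not appear on a CRL
// signed by that issuing CA. A CRL past its NextUpdate fails the check instead
// of being silently ignored; ignoring it is the "poor enforcement" risk.
func ValidateLocally(leaf *x509.Certificate, trusted *x509.CertPool, crls []*x509.RevocationList) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: trusted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		return fmt.Errorf("not signed by a trusted CA: %w", err)
	}
	if len(chains[0]) < 2 {
		return errors.New("credential is a trust anchor, not a user credential")
	}
	issuer := chains[0][1]
	for _, rl := range crls {
		if rl.CheckSignatureFrom(issuer) != nil {
			continue // this CRL was issued by a different trusted CA
		}
		if time.Now().After(rl.NextUpdate) {
			return errors.New("issuer CRL is stale")
		}
		for _, r := range rl.RevokedCertificates {
			if r.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
				return errors.New("credential is revoked")
			}
		}
	}
	return nil
}

// Demo builds a trust store with one constructed CA and its CRL, plus an
// unrelated CA the store does not know, and reports which credentials pass.
func Demo() map[string]bool {
	ca, caKey := makeCert("caGrid Demo CA", 1, true, nil, nil)
	rogue, rogueKey := makeCert("Unknown CA", 1, true, nil, nil)
	alice, _ := makeCert("alice", 100, false, ca, caKey)
	mallory, _ := makeCert("mallory", 101, false, ca, caKey)
	eve, _ := makeCert("eve", 100, false, rogue, rogueKey)
	crls := []*x509.RevocationList{makeCRL(ca, caKey, 101)} // serial 101 (mallory) is revoked
	trusted := x509.NewCertPool()
	trusted.AddCert(ca)
	return map[string]bool{
		"alice/valid":     ValidateLocally(alice, trusted, crls) == nil,
		"mallory/revoked": ValidateLocally(mallory, trusted, crls) == nil,
		"eve/unknown-ca":  ValidateLocally(eve, trusted, crls) == nil,
	}
}

func main() {
	fmt.Println(Demo())
}
```

The three outcomes make the point of slides 3 and 4 concrete: the check is only as good as the CA list and CRLs the container holds, which is exactly what the RRLV profile keeps current and the LSLV profile leaves to whoever last edited the directory.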

8 Grid Trust Service Approach
- Design and implement a Grid Trust Service.
- Support for the Remotely Retrieved Locally Validated Profile (RRLV)
  - Provide a plug-in for the existing Globus Toolkit.
- Supporting the Remotely Stored Remotely Validated Profile (RSRV)
  - Work with the Globus team to develop a validation interface abstracting validation in Globus.
  - Future versions of Globus can be configured with a custom validation interface.

9 Grid Trust Service (GTS)
- WSRF Grid Service
- Defines and manages levels of assurance.
- Provides support for managing trusted certificate authorities
  - Administrators register/manage certificate authorities and CRLs with the GTS.
  - Client tools synchronize the Globus trust framework with the GTS.
- Remotely Retrieved Locally Validated Profile (RRLV)
  - Globus authenticates against the current trust fabric.
- Distributed GTS, enabling the creation of a scalable trust fabric.

10 Grid Trust Service (GTS) Levels of Assurance
- e.g. Passport vs. Library Card
- GTS provides a mechanism for defining and managing Levels of Assurance, or Trust Levels.
- GTS Administrators can add/update/remove Trust Levels.
  - Requires grid credentials (GTS Administrator).
- Each Trusted Authority can be associated with a set of trust levels.
- Certificate authorities can be queried by level of assurance.

11 Grid Trust Service (GTS) Trusted Authorities
- GTS manages a set of certificate authorities that are trusted in the grid to sign grid credentials.
- Trusted Authority: a certificate authority trusted by the GTS.
  - Name: the subject of the CA certificate.
  - Trust Level(s): the level(s) of trust associated with the CA.
  - Status: the current status of the CA (Trusted or Suspended).
  - Certificate: the CA certificate corresponding to the private key the CA uses to sign certificates (credentials).
  - Certificate Revocation List (CRL): CA-signed list of revoked credentials.
  - Is Authority: whether or not the GTS listing this Trusted Authority is the authority for it.
  - Authority GTS: the authoritative GTS for the Trusted Authority.
  - Source GTS: the GTS from which the current GTS obtained the Trusted Authority.
  - Expiration: the date after which this Trusted Authority should no longer be trusted.

12 Grid Trust Service (GTS) Querying for Trusted Authorities
- GTS provides a public mechanism for discovering/querying the trusted certificate authorities.
- The query interface enables synchronization tools to be built that synchronize the authorities trusted by Globus with those trusted by the GTS.
- GTS provides a Java Search Client API.
- GTS provides a GUI built on top of the Search Client API.
- Query criteria
  - Name
  - Trust Level(s)
  - Status (Trusted, Suspended)
  - Lifetime (Valid, Expired)
  - Is Authority
  - Authority GTS
  - Source GTS

13 Grid Trust Service (GTS) Managing Trusted Authorities
- GTS provides support for adding/updating/removing Trusted Authorities through its Grid Service interface.
  - Requires the grid credentials or proxy certificate of a GTS Administrator.
- GTS provides an administrative Java Client API.
- GTS provides an administrative GUI.

14 SyncGTS
- Toolkit used for synchronizing client and service containers with the GTS.
- Takes a set of GTS queries and executes them on a GTS, synchronizing the results of the queries with the Globus Trusted Certificates Directory.
- Supports multiple execution mechanisms:
  - Grid service in a grid service container
  - Embedded in a client or service
  - Command line
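An added example in Go, not part of caGrid's own code, that models the Trusted Authority record of slide 11, the query criteria of slide 12, and the SyncGTS reconciliation of a query result against the Globus trusted-certificates directory described on this slide. The CA names, trust-level names and GTS URLs are invented, and the directory is represented by the list of CA names currently installed rather than by real files.

```go
package main

import (
	"fmt"
	"time"
)

// TrustedAuthority is the per-CA record a GTS keeps (slide 11); the CA
// certificate and CRL themselves are left out of this in-memory model.
type TrustedAuthority struct {
	Name         string    // subject of the CA certificate
	TrustLevels  []string  // levels of assurance the CA is associated with
	Status       string    // "Trusted" or "Suspended"
	IsAuthority  bool      // whether the listing GTS is the authority for it
	AuthorityGTS string    // the authoritative GTS
	SourceGTS    string    // the GTS this record was obtained from
	Expiration   time.Time // after this instant the record is no longer trusted
}

func (ta TrustedAuthority) expired(now time.Time) bool {
	return !ta.Expiration.IsZero() && now.After(ta.Expiration)
}

// Query carries the slide-12 criteria; a zero value leaves that criterion open.
type Query struct {
	Name, Status, AuthorityGTS, SourceGTS string
	TrustLevels                           []string // any one of these suffices
	Lifetime                              string   // "Valid", "Expired" or ""
	IsAuthority                           *bool
}

// Matches applies every criterion that was set.
func (q Query) Matches(ta TrustedAuthority, now time.Time) bool {
	switch {
	case q.Name != "" && q.Name != ta.Name,
		q.Status != "" && q.Status != ta.Status,
		q.Lifetime == "Valid" && ta.expired(now),
		q.Lifetime == "Expired" && !ta.expired(now),
		q.IsAuthority != nil && *q.IsAuthority != ta.IsAuthority,
		q.AuthorityGTS != "" && q.AuthorityGTS != ta.AuthorityGTS,
		q.SourceGTS != "" && q.SourceGTS != ta.SourceGTS:
		return false
	}
	for _, want := range q.TrustLevels {
		for _, have := range ta.TrustLevels {
			if have == want {
				return true
			}
		}
	}
	return len(q.TrustLevels) == 0
}

// Find returns the names of the Trusted Authorities in table that match q.
func Find(table []TrustedAuthority, q Query, now time.Time) (names []string) {
	for _, ta := range table {
		if q.Matches(ta, now) {
			names = append(names, ta.Name)
		}
	}
	return names
}

// SyncPlan is the SyncGTS step: compare the CAs installed in the Globus
// directory now with the CAs a query returned, and report what to install and
// what to remove, so a suspended or expired CA does not linger on disk.
func SyncPlan(installed, wanted []string) (install, remove []string) {
	want, have := map[string]bool{}, map[string]bool{}
	for _, n := range wanted {
		want[n] = true
	}
	for _, n := range installed {
		have[n] = true
		if !want[n] {
			remove = append(remove, n)
		}
	}
	for _, n := range wanted {
		if !have[n] {
			install = append(install, n)
		}
	}
	return install, remove
}

// SampleTable is constructed data (invented CA names and GTS URLs): three CAs
// that differ in trust level, status and lifetime.
func SampleTable(now time.Time) []TrustedAuthority {
	return []TrustedAuthority{
		{Name: "CN=caGrid Production CA", TrustLevels: []string{"Passport"}, Status: "Trusted", IsAuthority: true,
			AuthorityGTS: "https://gts.example/gts", SourceGTS: "https://gts.example/gts", Expiration: now.Add(365 * 24 * time.Hour)},
		{Name: "CN=OSU Campus CA", TrustLevels: []string{"Library Card"}, Status: "Trusted",
			AuthorityGTS: "https://osu.example/gts", SourceGTS: "https://osu.example/gts", Expiration: now.Add(30 * 24 * time.Hour)},
		{Name: "CN=Old Pilot CA", TrustLevels: []string{"Passport"}, Status: "Suspended",
			AuthorityGTS: "https://gts.example/gts", SourceGTS: "https://gts.example/gts", Expiration: now.Add(-24 * time.Hour)},
	}
}

func main() {
	now := time.Now() // a container that wants only Passport-level, currently trusted, unexpired CAs
	wanted := Find(SampleTable(now), Query{TrustLevels: []string{"Passport"}, Status: "Trusted", Lifetime: "Valid"}, now)
	install, remove := SyncPlan([]string{"CN=Old Pilot CA"}, wanted)
	fmt.Println("install:", install, "remove:", remove)
}
```

The removal half of SyncPlan is the part that matters for security: a container that only ever adds CAs keeps trusting a suspended authority until someone deletes its file by hand, which is the failure mode the slides on the current approach describe.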

15 Grid Trust Service (GTS) Federation
- GTS Federation
  - A GTS can inherit Trusted Authorities and Trust Levels from other Grid Trust Services.
  - Allows one to build a scalable trust fabric.
  - Allows institutions to stand up their own GTS, inheriting all the trusted authorities in the wider grid, yet being able to add their own authorities that might not yet be trusted by the wider grid.
  - A GTS can also be used to join the trust fabrics of two or more grids.

16 Grid Trust Service (GTS) Federation
- Each GTS has a set of Authoritative GTSs.
  - The GTS can be configured with how often to sync with its authorities.
  - On syncing, a GTS obtains all valid Trusted Authorities and Trust Levels (if specified) from each authority GTS and organizes them locally based on priority.
- Managing GTS Authorities for a GTS
  - GTS provides support for adding/updating/removing GTS Authorities through its Grid Service interface.
  - Requires the grid credentials or proxy certificate of a GTS Administrator.
  - GTS provides an administrative Java Client.
  - GTS provides an administrative GUI.
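An added Go example, not caGrid's code, of the federation sync this slide describes: a GTS keeps the records it is itself authoritative for, then inherits unexpired Trusted Authorities from each authority GTS in priority order. The Record type is a reduced view of the slide-11 record holding only the fields federation needs; the GTS URLs and CA names are constructed, and the rule that a lower Priority number wins a conflict is an assumption, since the slide only says results are organized by priority.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Record is the slice of a Trusted Authority record (slide 11) that federation
// needs: the CA, which GTS is authoritative for it, where this GTS got it, and
// when to stop trusting it.
type Record struct {
	Name         string
	IsAuthority  bool
	AuthorityGTS string
	SourceGTS    string
	Expiration   time.Time
}

// AuthorityGTS is one entry in a GTS's list of authority GTSs (slide 16), with
// the records a sync fetches from it. When two authorities list the same CA the
// lower Priority wins; that tie-break is an assumption, not caGrid's rule.
type AuthorityGTS struct {
	URL      string
	Priority int
	Records  []Record
}

// Federate is the sync: keep every record this GTS is itself authoritative for,
// then inherit each unexpired record from the authorities in priority order,
// marking it non-authoritative here and tagging the GTS it came from.
func Federate(local []Record, authorities []AuthorityGTS, now time.Time) []Record {
	byName := map[string]Record{}
	for _, r := range local {
		if r.IsAuthority {
			byName[r.Name] = r
		}
	}
	ordered := append([]AuthorityGTS(nil), authorities...) // do not reorder the caller's slice
	sort.SliceStable(ordered, func(i, j int) bool { return ordered[i].Priority < ordered[j].Priority })
	for _, a := range ordered {
		for _, r := range a.Records {
			if _, seen := byName[r.Name]; seen {
				continue // our own authority or a higher-priority GTS already supplied it
			}
			if !r.Expiration.IsZero() && now.After(r.Expiration) {
				continue // expired upstream; never inherit it
			}
			r.IsAuthority, r.SourceGTS = false, a.URL
			if r.AuthorityGTS == "" {
				r.AuthorityGTS = a.URL
			}
			byName[r.Name] = r
		}
	}
	out := make([]Record, 0, len(byName))
	for _, r := range byName {
		out = append(out, r)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Name < out[j].Name })
	return out
}

// SampleFederation is constructed data: an institutional GTS authoritative for
// its own campus CA that inherits from a grid-wide GTS and a partner grid's GTS;
// both list one CA in common, and the grid-wide GTS also lists an expired CA.
func SampleFederation(now time.Time) (local []Record, authorities []AuthorityGTS) {
	grid, partner := "https://grid.example/gts", "https://partner.example/gts"
	local = []Record{{Name: "CN=OSU Campus CA", IsAuthority: true, AuthorityGTS: "https://osu.example/gts"}}
	authorities = []AuthorityGTS{
		{URL: partner, Priority: 2, Records: []Record{
			{Name: "CN=Shared CA", AuthorityGTS: partner, Expiration: now.Add(24 * time.Hour)},
			{Name: "CN=Partner CA", AuthorityGTS: partner, Expiration: now.Add(24 * time.Hour)},
		}},
		{URL: grid, Priority: 1, Records: []Record{
			{Name: "CN=Shared CA", AuthorityGTS: grid, Expiration: now.Add(24 * time.Hour)},
			{Name: "CN=Retired CA", AuthorityGTS: grid, Expiration: now.Add(-time.Hour)},
		}},
	}
	return local, authorities
}

func main() {
	now := time.Now()
	local, authorities := SampleFederation(now)
	for _, r := range Federate(local, authorities, now) {
		fmt.Printf("%-18s authority=%-28s source=%s\n", r.Name, r.AuthorityGTS, r.SourceGTS)
	}
}
```

Keeping the Source GTS and Authority GTS on every inherited record is what makes a federated fabric auditable: when a CA turns out to be mis-trusted, the chain of GTSs that propagated it can be traced back to the one that is actually authoritative for it.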

17 Grid Grouper

18 Grid Grouper
- Grid Grouper provides a group-based authorization solution for the grid.
  - Groups are defined and managed at the grid level.
  - Grid services/applications enforce authorization policy based on membership in groups.
- Grid Grouper is built on top of Grouper.
- Grouper
  - Internet2 initiative (http://middleware.internet2.edu/dir/groups/grouper/)
  - Java object model for group management
  - Basic group management by distributed authorities
  - Construction of groups based on subgroups
  - Composite groups (whose membership is determined by the union, intersection, or relative complement of two other groups)
  - Custom group types and custom attributes
  - Trace-back of indirect membership
  - Applications interact with Grouper by embedding Grouper's Java object model within the application.

19 Grid Grouper
- Grid Grouper grid-enables Grouper.
  - WSRF-compliant web service
  - Enables grid access to groups
  - Allows management of groups from the grid
- Grid Grouper Object Model
  - Java API for accessing and managing groups over the grid.
  - Similar to Grouper's object model: applications/services leverage the Grid Grouper object model in the same way they would leverage the Grouper object model.
- Grid Grouper Admin UI
  - Graphical user interface for accessing and administering groups in Grid Grouper.

20 Grid Grouper Admin UI

21 Grouper Model - Stems
- Groups are organized into stems, or namespaces, for partitioning groups.
- Stem
  - Metadata
  - Child stems
  - Groups
  - Privileges
    - CREATE privilege: grants the ability to create groups within a stem.
    - STEM privilege: (1) grants the ability to create child stems within a stem; (2) grants the ability to assign CREATE and STEM privileges for a stem.

22 Grouper Model - Groups
- Group
  - Metadata: describes the group (display name, date created, created by, date last modified, last modified by, attributes, etc.).
  - Members: a set of users or groups that are members of the group.
  - Privileges: the set of subjects that have rights to access the group.

23 Grouper Model - Groups
- Group/membership types
  - Direct membership: a user is directly added as a member of a group; referred to as an Immediate Member.
  - Subgroup membership: a group can be added to another group as a subgroup, making all members of the subgroup members of the group. Members whose membership is acquired through a subgroup are referred to as Effective Members.
  - Composite membership: a group whose members are determined by a set operation (union, intersection, complement) on two other groups. Example: a composite group consisting of the intersection of Group X and Group Y would contain all the members that are members of both Group X and Group Y.
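An added Go example, not Grouper or Grid Grouper code, that resolves the three membership types on this slide: immediate members, effective members acquired through subgroups, and composite groups built by union, intersection or complement. Group and subject names are constructed, and the registry is an in-memory stand-in for Grouper's object model.

```go
package main

import (
	"fmt"
	"sort"
)

// CompositeOp is the set operation defining a composite group (slide 23).
type CompositeOp int

const (
	NotComposite CompositeOp = iota
	Union
	Intersection
	Complement // members of Left that are not members of Right
)

// Group mirrors the slide-22/23 model: immediate (direct) members, subgroups
// whose members become effective members, or a composite of two other groups.
type Group struct {
	Name        string
	Immediate   map[string]bool
	Subgroups   []string
	Op          CompositeOp
	Left, Right string
}

// Registry is the set of groups one Grid Grouper manages, keyed by full name
// (stem:group, e.g. "nci:staff").
type Registry map[string]*Group

// Members resolves immediate plus effective membership. Subgroups are followed
// transitively, composites are evaluated from their operands, and seen guards
// against a group that directly or indirectly contains itself.
func (r Registry) Members(name string, seen map[string]bool) map[string]bool {
	out := map[string]bool{}
	g, ok := r[name]
	if !ok || seen[name] {
		return out
	}
	seen[name] = true
	defer delete(seen, name) // the same subgroup may be reached by two different paths
	for m := range g.Immediate {
		out[m] = true
	}
	for _, sub := range g.Subgroups {
		for m := range r.Members(sub, seen) {
			out[m] = true // effective member, acquired through a subgroup
		}
	}
	if g.Op != NotComposite {
		left, right := r.Members(g.Left, seen), r.Members(g.Right, seen)
		for m := range left {
			if g.Op == Union || (g.Op == Intersection && right[m]) || (g.Op == Complement && !right[m]) {
				out[m] = true
			}
		}
		for m := range right {
			if g.Op == Union {
				out[m] = true
			}
		}
	}
	return out
}

// IsMember is the question a grid service asks Grid Grouper before it
// authorizes a call.
func (r Registry) IsMember(group, subject string) bool {
	return r.Members(group, map[string]bool{})[subject]
}

// Sorted lists a membership set deterministically.
func Sorted(m map[string]bool) []string {
	s := make([]string, 0, len(m))
	for k := range m {
		s = append(s, k)
	}
	sort.Strings(s)
	return s
}

// SampleRegistry is constructed data: two institutional groups, a grid-wide
// group built from them as subgroups, an admins group, and a composite group
// of researchers who are not admins.
func SampleRegistry() Registry {
	r := Registry{}
	add := func(name string, members ...string) *Group {
		g := &Group{Name: name, Immediate: map[string]bool{}}
		for _, m := range members {
			g.Immediate[m] = true
		}
		r[name] = g
		return g
	}
	add("nci:staff", "alice", "bob")
	add("osu:students", "carol")
	add("grid:researchers").Subgroups = []string{"nci:staff", "osu:students"}
	add("grid:admins", "alice")
	c := add("grid:researchers-not-admins")
	c.Op, c.Left, c.Right = Complement, "grid:researchers", "grid:admins"
	return r
}

func main() {
	r := SampleRegistry()
	for _, name := range []string{"grid:researchers", "grid:researchers-not-admins"} {
		fmt.Println(name, Sorted(r.Members(name, map[string]bool{})))
	}
	fmt.Println("carol in grid:researchers:", r.IsMember("grid:researchers", "carol"))
}
```

Because effective membership is computed at query time, a subject removed from an institutional group loses access to every grid-wide group built on it at once; that is the trace-back of indirect membership slide 18 lists as a Grouper feature.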

24 Grouper Model - Groups
- Group privileges
  - VIEW privilege: access to a group's name in lists, and the ability to refer to the group.
  - READ privilege: access to basic information about a group.
  - UPDATE privilege: administer membership and membership-related privileges.
  - ADMIN privilege: can modify everything, including group name, description, and privileges, and can delete the group.
  - OPTIN privilege: can add self to the members list.
  - OPTOUT privilege: can remove self from the members list.
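An added Go example, not Grouper code, that maps the six privileges on this slide to authorization decisions on a group: membership changes need UPDATE, a subject may add or remove itself with only OPTIN or OPTOUT, and deleting the group needs ADMIN. Subject names are constructed, and the implication chain beyond ADMIN (UPDATE implies READ, READ implies VIEW) is an assumption about Grouper's model rather than something the slide states.

```go
package main

import "fmt"

// Privilege names from slide 24.
type Privilege string

const (
	VIEW, READ, UPDATE, ADMIN, OPTIN, OPTOUT Privilege = "VIEW", "READ", "UPDATE", "ADMIN", "OPTIN", "OPTOUT"
)

// implies lists what holding one privilege carries with it. ADMIN covering
// everything is what slide 24 says; UPDATE implying READ and READ implying
// VIEW is an assumption about the Grouper model, not stated on the slide.
var implies = map[Privilege][]Privilege{
	ADMIN: {UPDATE, READ, VIEW, OPTIN, OPTOUT}, UPDATE: {READ, VIEW}, READ: {VIEW},
}

// Group is the slice of the model this example needs: who is a member and
// which privileges each subject holds on the group.
type Group struct {
	Name       string
	Members    map[string]bool
	Privileges map[string][]Privilege
}

// Has reports whether subject holds p on the group, directly or by implication.
func (g *Group) Has(subject string, p Privilege) bool {
	for _, held := range g.Privileges[subject] {
		if held == p {
			return true
		}
		for _, i := range implies[held] {
			if i == p {
				return true
			}
		}
	}
	return false
}

// Action is something a caller wants to do to a group.
type Action struct {
	Verb    string // "view", "read", "add", "remove" or "delete"
	Subject string // for add/remove: who is being added or removed
}

// Authorize maps an action to the privilege slide 24 requires for it. Adding or
// removing members needs UPDATE, except that a subject may add or remove itself
// with only OPTIN or OPTOUT; deleting the group needs ADMIN.
func (g *Group) Authorize(caller string, a Action) error {
	var need Privilege
	switch a.Verb {
	case "view":
		need = VIEW
	case "read":
		need = READ
	case "add", "remove":
		need = UPDATE
		if a.Subject == caller {
			need = map[string]Privilege{"add": OPTIN, "remove": OPTOUT}[a.Verb]
		}
	case "delete":
		need = ADMIN
	default:
		return fmt.Errorf("unknown action %q", a.Verb)
	}
	if !g.Has(caller, need) {
		return fmt.Errorf("%s lacks %s on %s", caller, need, g.Name)
	}
	return nil
}

// Apply performs add/remove after authorizing; other verbs only authorize.
func (g *Group) Apply(caller string, a Action) error {
	if err := g.Authorize(caller, a); err != nil {
		return err
	}
	switch a.Verb {
	case "add":
		g.Members[a.Subject] = true
	case "remove":
		delete(g.Members, a.Subject)
	}
	return nil
}

// SampleGroup is constructed data: one group with an admin, a membership
// manager, a subject who may only opt itself in and one who may only opt out.
func SampleGroup() *Group {
	return &Group{Name: "osu:students", Members: map[string]bool{"carol": true},
		Privileges: map[string][]Privilege{"alice": {ADMIN}, "bob": {UPDATE}, "dave": {OPTIN}, "erin": {OPTOUT}}}
}

func main() {
	g := SampleGroup()
	for _, try := range []struct {
		caller string
		a      Action
	}{
		{"dave", Action{"add", "dave"}}, {"dave", Action{"add", "frank"}},
		{"bob", Action{"add", "frank"}}, {"bob", Action{"delete", ""}}, {"alice", Action{"delete", ""}},
	} {
		fmt.Printf("%s %s %s: %v\n", try.caller, try.a.Verb, try.a.Subject, g.Apply(try.caller, try.a))
	}
}
```

The point of keeping Authorize separate from Apply is that the privilege decision is the same whether a grid service is only checking (as an Introduce-generated service does at the method level) or actually changing the group through the Grid Grouper interface.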

25 Introduce - Grid Service Authoring Toolkit
- Introduce: a graphical framework which enables fast and easy creation of Globus-based grid services.
- Introduce and Grid Grouper
  - Support for protecting access to grid services with Grid Grouper
    - Service level
    - Method level

26 caGrid Authz

27 Common Security Module (CSM)
- Provides a centralized approach to managing and enforcing access control policy.
- Grid integration points
  - Globus PDP framework
  - Introduce-created services

28 Globus PDP Approach

29 Introduce Approach
- Supports both service-level and operation-level authorization.

30 Additional Information

31 Project Resources and Communication
- www.cagrid.org
  - Download software
  - Documentation
  - Tutorials
  - Technical papers and presentations
- caGrid 1.0 GForge home: http://gforge.nci.nih.gov/projects/cagrid-1-0/
  - Feature requests
  - Bug reports
  - Downloads / source repository
- caGrid users mailing list: https://list.nih.gov/archives/cagrid_users-l.html (cagrid_users-l@list.nih.gov)

32 Software Quality
- Testing
  - Unit and system
  - Automated builds/tests on multiple nodes
    - Nightly (on a schedule)
    - Continuous (every CVS check-in)
- Quality dashboards
  - DART (multi-site, historical archive of quality)
  - CruiseControl
- Code test coverage

33 GAARDS Team
- Ohio State University: Stephen Langella, Shannon Hastings, Scott Oster, David Ervin, Tahsin Kurc, Joel Saltz
- Argonne National Labs: Frank Siebenlist
- Semantic Bits: Joshua Phillips, Vinay Kumar
- NCICB: Avinash Shanbhag
- Booz Allen Hamilton: Arumani Manisundaram

