Presentation is loading. Please wait.

Presentation is loading. Please wait.

10-Jun-03D.P.Kelsey, LCG-GDB-Security1 LCG/GDB Security (Report from the LCG Security Group) CERN, 10 June 2003 David Kelsey CCLRC/RAL, UK

Published byNicholas Hardy Modified over 8 years ago

Similar presentations

Presentation on theme: "10-Jun-03D.P.Kelsey, LCG-GDB-Security1 LCG/GDB Security (Report from the LCG Security Group) CERN, 10 June 2003 David Kelsey CCLRC/RAL, UK"— Presentation transcript:

1 10-Jun-03D.P.Kelsey, LCG-GDB-Security1 LCG/GDB Security (Report from the LCG Security Group) CERN, 10 June 2003 David Kelsey CCLRC/RAL, UK d.p.kelsey@rl.ac.uk

2 10-Jun-03D.P.Kelsey, LCG-GDB-Security2 Overview Topics for agreement today (for 1 st July) Approval of CA’s User Registration – personal info User Registration – Registration Authorities – not finished Topics for 8 th July GDB – advance warning Experiment/VO Procedures (RA’s) User Rules/AUP Incident Response Audit logs Security Group meetings –28 th May (phone) and 5 th June (all day – CERN) http://agenda.cern.ch/displayLevel.php?fid=68

3 10-Jun-03D.P.Kelsey, LCG-GDB-Security3 Approval of LCG-1 CA’s See paper (2 nd June 2003) –As discussed at last GDB Procedure for approving and implementing –Modified as requested by May GDB meeting Initial list (may change after 12/13 June meeting) –Union of DataGrid and CrossGrid CA’s Includes North America Taiwan, FNAL and Hungary – CA meeting 12/13 June –Additional LCG-1 FNAL Kerberos CA GDB asked to approve procedure and initial list

4 10-Jun-03D.P.Kelsey, LCG-GDB-Security4 CA approval procedure For 2003 The LCG-1 Security Group proposes the list of accepted CA’s from two sources: –The list of “traditional” CA’s, issuing long-lived (12 months or more) certificates, comes from the EDG CA Group –The list of additional CA’s (online short-lived, special cases, etc.) is generated by the LCG-1 Security Group Proposed additions to these lists above will be circulated to the GDB and to the LCG-1 site security contacts for objection prior to implementation The LCG-1 operations team maintains the necessary information (certificates, signing policy, CRL’s) and distribution mechanisms for CA’s on both sub-lists All LCG-1 resources will install the full list of approved CA’s

5 10-Jun-03D.P.Kelsey, LCG-GDB-Security5 Initial CA list Canada, CERN, Cyprus, Czech Republic, France, Germany, Greece, Ireland, Italy, Netherlands, Nordic countries, Poland, Portugal, Russia, Slovakia, Spain, UK, and USA. “Catch-all” operated by CNRS/France Taiwan, FNAL and Hungary – under consideration Tokyo, Belgium, Israel, Pakistan –At various stages of preparation

6 10-Jun-03D.P.Kelsey, LCG-GDB-Security6 User Registration: Personal Info Many concerns about distribution of and access to personal data – discussed at last GDB meeting Action on GDB National Members (8 th May GDB) –What user info is required for registration? –Is this for pre-registration of accounts? –Why do you need the info? –Can your policy be changed? There was little response, so on 2 nd June –We made definite proposal See next slide –To date, I have heard from Switzerland, Russia, UK and USA No objections yet.

7 10-Jun-03D.P.Kelsey, LCG-GDB-Security7 User Personal Data (2) Proposal – for agreement today User registers on LCG-1 web site (one central) –Agrees to and “signs” Usage Rules –Agrees to personal data being distributed to all LCG-1 sites (Tier 0/1/2) For use of site/resource managers ONLY Last name, First name, Institution, e-mail address, telephone number, experiment Distributed to all LCG-1 sites (down to Tier 2) –Can be used for pre-registration if required Checks made by Expt/VO managers (see later) Comments: –USA: uncertainty as to whether also need “Nationality” –UK: require Expt/VO managers to check and maintain info

8 10-Jun-03D.P.Kelsey, LCG-GDB-Security8 User Registration Registration Authorities We need Registration Authorities to check –The user actually made the request –User is valid member of the experiment –User is at the listed institution –That all user data looks reasonable E.g. mail address The web form will warn that these checks will be made CERN team investigating feasibility of e-mail confirmation of registration request by user on the provided e-mail address We need to create and maintain lists (per experiment) of –Institutes and Contact names/details –For distribution to all LCG-1 sites

9 10-Jun-03D.P.Kelsey, LCG-GDB-Security9 VO Registration (2) Discussions with GDB Experiment Reps and current VO managers –Started by documenting the current procedures –But no firm proposal in time for this meeting Today’s VO managers (EDG) –ALICEDaniele MuraINFN –ATLASAlessandro De SalvoINFN –CMSAndrea SciabaINFN –LHCbJoel ClosierCERN Plan to continue to use the existing VO servers and services (run by NIKHEF) and the current VO managers (all agree to continue) Then plan for Jan 2004

10 10-Jun-03D.P.Kelsey, LCG-GDB-Security10 Current procedures (1) ALICE How to Check Request?All known Contact “Supervisor”?No Remove users?No Number of users today?49 New Requests/week?~1 Backup Mgr?? Willing to continue?Yes

11 10-Jun-03D.P.Kelsey, LCG-GDB-Security11 Current procedures (2) ATLAS How to Check Request?~80% well-known or check CERN DB or Supervisor or User Contact “Supervisor”?If necessary Remove users?No – cert expiry? Number of users today?78 New Requests/week?1-2 Backup Mgr?No Willing to continue?Yes

12 10-Jun-03D.P.Kelsey, LCG-GDB-Security12 Current procedures (3) CMS How to Check Request?Known or CMS web Contact “Supervisor”?No Remove users?No Number of users today?63 New Requests/week?<1 Backup Mgr?No Willing to continue?Yes

13 10-Jun-03D.P.Kelsey, LCG-GDB-Security13 Current procedures (4) LHCb How to Check Request?Known or PIE/and contact Institute rep Contact “Supervisor”?sometimes Remove users?no Number of users today?25 New Requests/week?<1 Backup Mgr?No Willing to continue?Yes

14 10-Jun-03D.P.Kelsey, LCG-GDB-Security14 Draft proposal – VO/RA For 1 st July – continue as today Work needed on more robust procedures –That can scale Distributed RA’s required Long-term aim –Make part of CERN Experiment/User Office registration procedures For discussion at 8 th July GDB –Paper 23rd June

15 10-Jun-03D.P.Kelsey, LCG-GDB-Security15 User Rules/AUP To be agreed to (signed via private key in browser) when User registers Still working on draft Based on current EDG Usage Rules Does not override sites rules and policies Only allows professional use For discussion at next GDB –Paper 23rd June

16 10-Jun-03D.P.Kelsey, LCG-GDB-Security16 Incident Response Draft document discussed on Security Contacts list Procedures for 1 st July (before GOC) –Incidents, communications, enforcement, escalation etc We have created an ops security list –Default site entry is the Contact person but an operational list would be better For discussion at next GDB Paper 23rd June

17 10-Jun-03D.P.Kelsey, LCG-GDB-Security17 Audit logs CERN team working on this Changes have been made to the Globus gatekeeper and jobmanager (LSF and probably PBS) to allow log rotation and access to batch jobid –Have been submitted to VDT –Integration into EDG release in due course We will propose a list of audit logs –To be kept for 3 months (100 days?) by all sites Paper to GDB on 23rd June –For discussion at next meeting –Details of what is needed N.b. We need audit logs from the RB –No real auditing until this exists

Download ppt "10-Jun-03D.P.Kelsey, LCG-GDB-Security1 LCG/GDB Security (Report from the LCG Security Group) CERN, 10 June 2003 David Kelsey CCLRC/RAL, UK"

Similar presentations

22-Apr-02D.P.Kelsey, Security, UKHEP Sysman1 Grid Security 22 Apr 2002 UK HEP Sysman Meeting David Kelsey CLRC/RAL, UK

22-Apr-02D.P.Kelsey, Security, UKHEP Sysman1 Grid Security 22 Apr 2002 UK HEP Sysman Meeting David Kelsey CLRC/RAL, UK
Last update 01/06/2014 03:23 LCG 1Maria Dimou- cern-it-gd Maria Dimou IT/GD Site Registration policy & procedures https://edms.cern.ch/document/503198/

Last update 01/06/ :23 LCG 1Maria Dimou- cern-it-gd Maria Dimou IT/GD Site Registration policy & procedures
11-Dec-01D.P.Kelsey, Authentication1 Authentication 11 Dec 2001 David Kelsey CLRC/RAL, UK

11-Dec-01D.P.Kelsey, Authentication1 Authentication 11 Dec 2001 David Kelsey CLRC/RAL, UK
Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester

Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester
INFSO-RI-508833 Enabling Grids for E-sciencE Update on LCG/EGEE Security Policy and Procedures David Kelsey, CCLRC/RAL, UK

INFSO-RI Enabling Grids for E-sciencE Update on LCG/EGEE Security Policy and Procedures David Kelsey, CCLRC/RAL, UK
5-Sep-02D.P.Kelsey, Security Summary, Budapest1 WP6/7 Security Summary Budapest 5 Sep 2002 David Kelsey CLRC/RAL, UK

5-Sep-02D.P.Kelsey, Security Summary, Budapest1 WP6/7 Security Summary Budapest 5 Sep 2002 David Kelsey CLRC/RAL, UK
30-Jan-03D.P.Kelsey, GridPP Security1 Security GridPP6 30 Jan 2003 Coseners House David Kelsey CLRC/RAL, UK

30-Jan-03D.P.Kelsey, GridPP Security1 Security GridPP6 30 Jan 2003 Coseners House David Kelsey CLRC/RAL, UK
Authentication Policy David Kelsey CCLRC/RAL 15 April 2004, Dublin

Authentication Policy David Kelsey CCLRC/RAL 15 April 2004, Dublin
LCG Milestones for Deployment, Fabric, & Grid Technology Ian Bird LCG Deployment Area Manager PEB 3-Dec-2002.

LCG Milestones for Deployment, Fabric, & Grid Technology Ian Bird LCG Deployment Area Manager PEB 3-Dec-2002.
RomeWorkshop on eInfrastructures 9 December 2003 - 1 LCG Progress on Policies & Coming Challenges Ian Bird IT Division, CERN LCG and EGEE Rome 9 December.

RomeWorkshop on eInfrastructures 9 December LCG Progress on Policies & Coming Challenges Ian Bird IT Division, CERN LCG and EGEE Rome 9 December.
CILogon OSG CA Mine Altunay Jim Basney TAGPMA Meeting Pittsburgh May 27, 2015.

CILogon OSG CA Mine Altunay Jim Basney TAGPMA Meeting Pittsburgh May 27, 2015.
Launch on 17 th March 2008 Open Media Fulfilment Re-engineering 1.

Launch on 17 th March 2008 Open Media Fulfilment Re-engineering 1.
13-May-03D.P.Kelsey, WP8 CA and VO organistion1 CA’s and Experiment (VO) Organisation WP8 Meeting EDG Barcelona, 13 May 2003 David Kelsey CCLRC/RAL, UK.

13-May-03D.P.Kelsey, WP8 CA and VO organistion1 CA’s and Experiment (VO) Organisation WP8 Meeting EDG Barcelona, 13 May 2003 David Kelsey CCLRC/RAL, UK.
12-May-03D.P.Kelsey, SCG Online Authentication1 Online Authentication SCG Meeting EDG Barcelona, 12 May 2003 David Kelsey CCLRC/RAL, UK

12-May-03D.P.Kelsey, SCG Online Authentication1 Online Authentication SCG Meeting EDG Barcelona, 12 May 2003 David Kelsey CCLRC/RAL, UK
20-May-03D.P.Kelsey, LCG-1 Security, HEPiX1 Grid Security for LCG-1 HEPiX, NIKHEF, 20 May 2003 David Kelsey CCLRC/RAL, UK

20-May-03D.P.Kelsey, LCG-1 Security, HEPiX1 Grid Security for LCG-1 HEPiX, NIKHEF, 20 May 2003 David Kelsey CCLRC/RAL, UK
GGF12 – 20 Sept 2004 - 1 LCG Incident Response Ian Neilson LCG Security Officer Grid Deployment Group CERN.

GGF12 – 20 Sept LCG Incident Response Ian Neilson LCG Security Officer Grid Deployment Group CERN.
LCG/EGEE Security Update HEPiX, Fall 2004 BNL, 18 October 2004 David Kelsey CCLRC/RAL, UK

LCG/EGEE Security Update HEPiX, Fall 2004 BNL, 18 October 2004 David Kelsey CCLRC/RAL, UK
DataGrid WP6 CA meeting, CERN, 12 December 2002 IISAS Certification Authority Jan Astalos Department of Parallel and Distributed Computing Institute of.

DataGrid WP6 CA meeting, CERN, 12 December 2002 IISAS Certification Authority Jan Astalos Department of Parallel and Distributed Computing Institute of.
JSPG: User-level Accounting Data Policy David Kelsey, CCLRC/RAL, UK LCG GDB Meeting, Rome, 5 April 2006.

JSPG: User-level Accounting Data Policy David Kelsey, CCLRC/RAL, UK LCG GDB Meeting, Rome, 5 April 2006.
DOE Grids New subordinate CP/CPS v2.3 New subordinate CP/CPS v2.3 New name DOEGrids.org New name DOEGrids.org Old name DOESciencegrid.org Old name DOESciencegrid.org.

DOE Grids New subordinate CP/CPS v2.3 New subordinate CP/CPS v2.3 New name DOEGrids.org New name DOEGrids.org Old name DOESciencegrid.org Old name DOESciencegrid.org.

Similar presentations

Ads by Google