
Certificates for DataGRID. David Kelsey, CLRC/RAL, UK. HEPiX, JLAB, 3-Nov-00.


1 Certificates for DataGRID. David Kelsey, CLRC/RAL, UK. d.p.kelsey@rl.ac.uk

2 Overview
- DataGRID
- Globus security
- Example: UK CA
- Issues (for coordination)
- Future plans
n.b. early days: more questions than answers!

3 Work Packages
- WP 1 Grid Workload Management (C. Vistoli/Italy)
- WP 2 Grid Data Management (B. Segal/CERN)
- WP 3 Grid Monitoring Services (R. Middleton/UK)
- WP 4 Fabric Management (T. Smith/CERN)
- WP 5 Mass Storage Management (J. Gordon/UK)
- WP 6 Integration Testbed (F. Etienne/France)
- WP 7 Network Services (C. Michau/France)
- WP 8 HEP Applications (F. Carminati/CERN)
- WP 9 EO Science Applications (L. Fusco/ESA)
- WP 10 Biology Applications (C. Michau/France)
- WP 11 Dissemination (G. Mascari/Italy)
- WP 12 Project Management (F. Gagliardi/CERN)

4 Simplified Workpackage Relationships (layered diagram, top to bottom)
- Applications: HEP Apps (WP8), EO Apps (WP9), Bio Apps (WP10)
- Data Grid Services: Workload Management (WP1), Data Management (WP2), Monitoring Services (WP3)
- Core Middleware: Globus Middleware
- Physical Fabric: Fabric Management (WP4), Networking (WP7), Mass Storage Management (WP5)

5 Grid Security Infrastructure (GSI) from Globus
- Interdomain: bridges the gap between different local solutions
- Uses X.509 certificates for authentication
  – machines and users have a globally unique “ID”
  – certifies the user’s identity
- Avoids clear-text passwords
- Single sign-on via grid-proxy-init
- Authentication, not authorisation
- Grid-enabled applications: GSI-ftp, GSI-ssh, globus-job-run etc.
- GRID security kept separate from local site security and authorisation mechanisms
  – access to Grid resources granted via a mapping in a gridmap file
  – to a local username or Kerberos principal

6 Certificates for Globus
- 3 components
  – Certificate: signed by a trusted 3rd party, contains the public key
  – Private key: stored on disk of the home machine
  – Pass-phrase to decrypt the private key
- Can get these from Globus, but with insufficient checks
- DataGRID Testbed needs its own Certificate Authority (CA) or CAs
  – a “set of national CAs” is the current favourite

7 Certificates for UK testbed
As an example …
- UK Testbed (4 or 5 sites) starting November 2000
- Globus CA certificates not appropriate
- RAL will issue Globus certificates
  – limited lifetime (~ 6 months) with a fixed end date
  – only for use by Globus (not e-mail etc.)
- For bona fide members of the UK HEP Testbed community
- Use personal contact with nominated contacts at each UK site to confirm user credentials

8 Issues for coordination
- Users want simple and easy access
  – DataGRID needs certificates that will be valid across the whole Testbed (or the whole GRID?)
- One CA for DataGRID (or even for HEP) is not appropriate
  – but could have one CA plus hierarchical user registration
- Scaling problems with many CAs
  – all Globus clients need a list of trusted CAs
  – for maintenance, must minimise the number of CAs

9 Issues (2)
- Does a hierarchy add value?
  – a HEP root CA could certify all national CAs
  – may need modifications to the Globus code?
- Structure: national, experiments, …?
- Use general or Globus-specific certificates?
- Need to have agreed and written procedures
  – so we can trust each other’s certificates
  – will sites trust each other?
- Proxy certificates are limited: no chaining

10 Issues (3)
- Authorisation via certificates?
  – should the certificate include the user’s experiment affiliation?
  – an important architectural decision
- Globus developments …
  – Community Authorisation Server
  – group access control over distributed resources
- DataGRID needs to decide how to manage authorisation
  – an LDAP registry of users/groups may be needed

11 Issues (4)
- How to revoke certificates? (very important)
  – people who leave
  – compromised certificates (or CA!)
  – CA maintains a CRL
  – how to distribute it?
- User education
  – safety of private key and pass-phrase
  – no sharing of certificates
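The site-local step that slides 5, 7 and 11 describe, as an added example (not code from the talk or from Globus): map an authenticated certificate subject to a local account through a gridmap file, but only when the certificate is unexpired and not on the CA's revocation list. The gridmap text, DNs, usernames and revoked list are constructed; the line format assumed is the Globus grid-mapfile convention of a quoted subject DN followed by one or more comma-separated local usernames.

```python
"""Gridmap lookup with expiry and revocation checks (added example)."""
import shlex
from datetime import datetime, timezone

# Constructed gridmap file: quoted subject DN, then local username(s).
GRIDMAP = '''
# lines beginning with '#' are comments
"/C=UK/O=eScience/OU=CLRC/L=RAL/CN=example user" exuser
"/C=UK/O=eScience/OU=Lab/CN=shared account" svc1,svc2
'''

# Constructed set of revoked subjects, standing in for the CA's CRL.
REVOKED = {"/C=UK/O=eScience/OU=Lab/CN=shared account"}


def parse_gridmap(text):
    """Return {subject_dn: [local_usernames]} for each mapping line."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # shlex keeps the quoted DN as one token
        if len(parts) != 2:
            raise ValueError(f"malformed gridmap line: {line!r}")
        dn, users = parts
        mapping[dn] = [u for u in users.split(",") if u]
    return mapping


def authorise(dn, not_after, now, gridmap, revoked):
    """Return (local_user, reason) for a subject whose certificate chain
    GSI has already verified; this is the separate site-local decision.
    Revocation is checked before expiry so a revoked-and-expired
    certificate is reported as revoked."""
    if dn in revoked:
        return None, "certificate revoked"
    if not_after <= now:
        return None, "certificate expired"
    users = gridmap.get(dn)
    if not users:
        return None, "no gridmap entry"
    return users[0], "ok"


if __name__ == "__main__":
    gm = parse_gridmap(GRIDMAP)
    now = datetime(2000, 11, 3, tzinfo=timezone.utc)
    end = datetime(2001, 5, 1, tzinfo=timezone.utc)  # fixed end date
    print(authorise("/C=UK/O=eScience/OU=CLRC/L=RAL/CN=example user", end, now, gm, REVOKED))
```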

12 Future plans
- DataGRID WP6 Testbed security contacts/experts meet soon
  – probably early next month at CERN
  – to propose the CA structure and procedures
- Need to check PPDG and GriPhyN plans
Question to audience … are there other issues we need to consider?

