LCG/GDB Security Update (Report from the Joint LCG/EGEE Security Group)
NIKHEF, 13 October 2004
David Kelsey, CCLRC/RAL, UK
d.p.kelsey@rl.ac.uk
13-Oct-04 D.P.Kelsey, LCG-GDB-Security

Overview
- Joint (LCG/EGEE) Security Group meetings: http://agenda.cern.ch/displayLevel.php?fid=68
  - 18 Aug, 7 Sep, 6 Oct 2004
  - Next meetings: 2 Nov 2004 and 25 Nov 2004 (EGEE workshop, The Hague)
- Name and Membership of Group
- Security concerns from ATLAS Data Management
- User Registration Task Force
- Operational Security
- User Rules/AUP
- Site and VO registration procedures

Name & Membership
- Was "Joint Security Group"
  - Joint in the sense of LCG & EGEE (& OSG members)
  - Some in EGEE found this confusing; JRA3 (Ake Edlund) is the main activity
- Renamed to Joint Security Policy Group (JSPG)
  - Responsible for Policy and Procedures
  - Reports to LCG GDB
  - EGEE ROC Managers also need to agree policy
- New members
  - Miguel Cárdenas (Spain)
  - Bio-medical person (soon)

Security Activities in EGEE
[Diagram: boxes for CA Coordination, NA4, JRA1, JRA3, SA1, the Middleware Security Group and the Joint Security Policy Group, connected by arrows labelled "Req." and "Solutions/Recommendations".]
- "Joint Security Policy Group" defines policy and procedures
  - For LCG/GDB and EGEE/SA1
  - (Cross membership of OSG)

Security concerns: ATLAS data management
- Miguel Branco, CHEP talk (see JSPG agenda, 4 Oct)
  - Very interesting and honest! (useful for input to JRA3 etc.)
- Users don't like certificates (and are confused)
- Using user certificate for services (clients)
- Lots of clashes between 3 different ATLAS VOs: LCG, Grid3, NorduGrid
- MyProxy credential renewal (single point of failure)
- No security on LCG replica catalogue
- Using atlassgm (s/w mgr) to run production jobs
- We need VOMS, and LCAS/LCMAPS!
- Experiments need help to develop secure applications
- Security of DB resident data

User Registration and VO Membership Management
- Requirements document (V2.7): https://edms.cern.ch/document/428034
  - Approved by GDB in May 2004
- Task force created to propose the solution
- TF Membership
  - Maria Dimou (LCG Registrar, DTeam VO manager)
  - Joni Hahkala (VOMS Admin development leader)
  - Tanya Levshina (VOX leader)
  - Ian Neilson (LCG Security Officer), Task Force leader
  - DPK
- Many discussions with CERN HR, User Office, Experiment Secretariats, VO managers, ...
- Recent meeting at CERN on 15-17 September 2004: http://cern.ch/dimou/lcg/registrar/TF/meetings/2004-09-15/

The Registration and VO Data/Databases
- ORGDB
  - No direct read access at all, except via link from AuthN/VODB
  - As maintained by CERN HR/User Office/Experiment Secretariats
  - User fields required here: Family Name, Given Name, Institute Name, Phone Number, e-mail address
  - And contract, experiment participation end dates
- Authentication part of VODB
  - Authorised read access possible (site admins)
  - Live link to record in ORGDB (via db key)
  - User's DN(s) from certificate and DN of signing CA
  - Registration and Expiry dates
- Authorisation part of VODB
  - Used by AuthZ technology (attribute authority)
  - Groups, Roles, attributes assigned by VO manager
  - Suspension status flag

Process (1)
- Every user (4 LHC expts) must register in ORGDB first
  - Already true for the majority
  - Advantages of using existing procedures: no duplication of effort or personal data
- External users (e.g. people never coming to CERN) and short-term users (e.g. summer students)
  - Needs a simple, speedy and robust procedure
- Non-VO people, e.g. testers/experiment-independent people, must register in ORGDB (e.g. via LCG/IT)
- Eventual aim is to use the experiment participation end-date in ORGDB to trigger immediate suspension from the VO

Process (2)
- VODB expiry date
  - Not exceeding 1 year from date of VO registration
  - Less if institute contract/ORGDB registration expires before then
  - Care to be taken with transition to avoid a large number of renewals at the same time
- Personal User Data will only reside in ORGDB
- There is no automatic membership of VODB: the user has to complete a form and the VO manager has to approve

Process (3)
- When the VODB expiry date is reached, the VO membership is immediately suspended
  - Advance warning will be sent to the user
- There will be other possible reasons for suspension, e.g. following security problems
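The ORGDB/VODB data split and the expiry and suspension rules of Process (1)-(3), as an added Python model. This is not the LCG/EGEE registration code (the slides say that will be built on VOMRS); every class, field and function name here is invented for illustration, the sample records are constructed, and the 30-day warning window is an assumption, since the slides promise advance warning but give no period. The model keeps personal data out of VODB, derives the VODB expiry as the earliest of "registration + 1 year", contract end and experiment participation end, and re-reads the ORGDB end dates at each review so that a participation end-date moved earlier suspends the member without waiting for the stored expiry.

```python
"""Toy model of the ORGDB / VODB split and the VO expiry and suspension rules
from the slides (Process (1)-(3)). Added example, not LCG/EGEE code; all
names are invented and the sample data in the tests is constructed."""
from dataclasses import dataclass, field, fields
from datetime import date
from typing import Optional


@dataclass
class OrgdbRecord:
    """ORGDB: personal data lives only here (CERN HR / User Office /
    experiment secretariats). VODB holds only the db key pointing at it."""
    key: int
    family_name: str
    given_name: str
    institute: str
    phone: str
    email: str
    contract_end: date      # institute contract end date
    experiment_end: date    # experiment participation end date


@dataclass
class VodbAuthn:
    """Authentication part of VODB (readable by authorised site admins)."""
    orgdb_key: int          # live link to the ORGDB record
    user_dns: list[str]     # subject DN(s) from the user's certificate(s)
    ca_dn: str              # DN of the signing CA
    registered: date
    expires: date


@dataclass
class VodbAuthz:
    """Authorisation part of VODB: what the attribute authority reads."""
    groups: list[str] = field(default_factory=list)
    roles: list[str] = field(default_factory=list)
    suspended: bool = False
    suspension_reason: Optional[str] = None


WARN_DAYS = 30  # assumption: slides promise advance warning but give no period


def add_one_year(d: date) -> date:
    """d + 1 year, clamping 29 Feb to 28 Feb when the target year is not leap."""
    try:
        return d.replace(year=d.year + 1)
    except ValueError:
        return d.replace(year=d.year + 1, day=28)


def vo_expiry(registered: date, org: OrgdbRecord) -> date:
    """Process (2): at most 1 year after VO registration, earlier if the
    institute contract or the experiment participation ends first."""
    return min(add_one_year(registered), org.contract_end, org.experiment_end)


def register(org: OrgdbRecord, user_dns: list[str], ca_dn: str,
             registered: date, vo_manager_approved: bool):
    """Process (2): no automatic membership; the VO manager must approve."""
    if not vo_manager_approved:
        raise PermissionError("VO manager approval required before a VODB entry exists")
    authn = VodbAuthn(org.key, list(user_dns), ca_dn, registered,
                      vo_expiry(registered, org))
    return authn, VodbAuthz()


def review(authn: VodbAuthn, authz: VodbAuthz, org: OrgdbRecord, today: date) -> str:
    """Process (1)/(3): periodic check. ORGDB end dates are re-read so that an
    end-date moved earlier suspends immediately. Returns ok / warn / suspended."""
    effective_end = min(authn.expires, org.contract_end, org.experiment_end)
    if today >= effective_end:
        authz.suspended = True
        authz.suspension_reason = authz.suspension_reason or "VO membership expired"
        return "suspended"
    if (effective_end - today).days <= WARN_DAYS:
        return "warn"  # advance warning to the user goes out here
    return "ok"


def suspend_for_incident(authz: VodbAuthz, reason: str) -> None:
    """Process (3): suspension for reasons other than expiry, e.g. a security problem."""
    authz.suspended = True
    authz.suspension_reason = reason


def is_authorised(authn: VodbAuthn, authz: VodbAuthz, dn: str, today: date) -> bool:
    """What an attribute authority should check before issuing groups/roles."""
    return dn in authn.user_dns and not authz.suspended and today < authn.expires


def personal_data_in_vodb() -> bool:
    """Sanity check for the rule that personal data resides only in ORGDB."""
    personal = {"family_name", "given_name", "institute", "phone", "email"}
    vodb = {f.name for f in fields(VodbAuthn)} | {f.name for f in fields(VodbAuthz)}
    return bool(personal & vodb)
```

Running `review` once a day over every VODB entry gives the "immediate suspension at expiry" behaviour of Process (3); `is_authorised` is the check the attribute authority would apply per request, so a suspended or expired member stops receiving attributes even if a long-lived proxy is still in circulation.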

Technical Solution agreed
- 15-17 Sep meeting decisions:
  - The Authentication part of VODB (reg database) will be the US CMS VOX - VOMRS component (subject to FNAL agreement)
  - VOMRS needs development to meet new requirements
  - CERN is working on VOMRS interconnection to the Oracle DB (ORGDB)
  - Non-LHC VOs may use the VOMS admin component
- Time to implement not yet fixed; aim for early next year

Operational Security
- Incident Response OSG document
  - A good document
  - We (LCG/EGEE) should base our incident response on this
  - JSPG to set policy, OSCT to define procedures
- EGEE OSCT (Operational Security Coordination Team)
  - Presented to ROC Managers (by Ian Neilson), ARM2 Bologna, 5th October
  - Each ROC to nominate a person
  - Adds to the existing CSIRT procedures (does not replace)
  - Propose Incident Response procedures
  - And security service challenges

Acceptable Use Policy
- Current LCG User Rules
  - Very LCG specific (actually LCG-1 specific!)
  - Very much "draft" quality
  - Based on old EDG security policy
  - Has lots of site rules as well
  - We need a new version!
- EU eInfrastructure Reflection Group tackling AUP now
  - DPK to chair parallel session on this (18 Nov)
  - New draft zero already exists (too early to discuss)
  - Concentrating on defining Acceptable Use: what is allowed, what is not (e.g. personal use, for-profit use)
  - Work with OSG, NRENs, National Grids
  - Acceptable to all (keep it short and simple)
  - We are already bound by the network AUPs
  - To be accepted at registration in a VO
- May need a separate document on User Rules?

Site and VO registration
- Too many of both to handle informally
- Two documents being written
  - Define procedures to join the LCG/EGEE infrastructure
  - Forms (web) need to be filled; we need all the contact details
  - Approval required: Site by ROC, VO by EGEE NA4
- After registration
  - Sites need write access to CVS; today this needs a CERN AFS account
  - CERN security not so happy (investigate alternatives)
  - Sites subsequently join the testzone and then the BDII

Summary
- Not asking for formal GDB approvals today
  - Hope to have various documents before the Dec 2004 meeting
  - But all feedback very welcome
- Important message
  - We need to deploy and use VOMS and LCAS/LCMAPS as soon as possible
  - We need to offer "roles"
  - Let's get a simple use-case working
  - Waiting for gLite is too late