Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security recommendations for dCache

Published byVivian Hardy Modified over 6 years ago

Similar presentations

Presentation on theme: "Security recommendations for dCache"— Presentation transcript:

1 Security recommendations for dCache
Paul Millar on behalf of .. Antje, Dmitry, Christian, Gerd, Jan, Patrick, Tanja, Tigran, Timur, Thomas, Owen, Kai dCache.org

2 A long-lived Golden release and shorter supported feature releases
A long-lived Golden release and shorter supported feature releases. Recommendations that depend on which version is used are prefixed with “[1.9.5]” or “[later]”

3 Component overview Additional, optional, component that are not shown here: SRM, SpaceManager, PinManager, TransferManager,

4 How to start/stop services
dCache runs as one or more Java processes Starting and stopping all dCache processes: /opt/d-cache/bin/dcache start /opt/d-cache/bin/dcache stop Chimera NFS server [1.9.5] /opt/d-cache/libexec/chimera-nfs- run.sh [later] NFS server is just another service. [later] can run dCache as non-root user But there are some hurdles Some services need to listen on <1024 port Grid certificates may be readable only by root Billing and statistics attempt to write to /opt/d-cache

5 Network usage - messaging
dCache uses a message-passing system: cells and JMS. Cells: Default on all current dCache releases. Two steps: discovery, connectivity. Discovery: LB listens in dCacheDomain for UDP port , Remote domain: sends packet to dCacheDomain, receives reply which tunnels are needed to establish connectivity. Connectivity: dCacheDomain listens on a (by default) random port, but can be configured, Remote domain establishes TCP connection, JMS [later] JMS with embedded ActiveMQ: dCacheDomain listen on TCP 11112, others connect to this.

6 Network usage - transfers
Doors and SRM listen on configurable ports: LAN protocols: NFS 2049, dcap 22125, Gsidcap 22128, Kerberos-dcap 22725 WAN protocols: SRM 8443, GridFTP 2811, HTTP/WedDAV 2880, KerberosFTP 22127, (insecure/normal) FTP Ephemeral ports are taken from a configurable range: LAN protocols use port-range ( ) WAN protocols use port-range ( )

7 Network usage – database, NFS
Some components need access to a database Those that need database access: SRM, Pin Manager, space manager, replica manager [<1.9.9] gPlazma cell. If using Chimera: NFS server, PnfsManager If using PNFS: PNFS (dbserver processes). Restrict access to db: Grant access to a username with a good password POSIX access to namespace (NFS mounting): Only needed by some components: PnfsManager (if using PNFS), [1.9.5] SRM, dirDomain. Results in NFS network traffic between namespace (PNFS and Chimera) and the node running the service.

8 User mapping gPlazma component to control user mapping.
Several mechanisms: XACML SAML Kpwd GridMap, Gplazmalite, SAZ Any number can be enabled, site-admin supplies the order, first plugin to map wins.

9 How to prevent access Banning users is configured inside gPlazma
Use gPlazmaLite (grid-vorolemap) with dash as username This should be first in list of gPlazma plugin Ban a user outright: Ban a user as member of FQAN: Ban all members of an FQAN: be aware of explicit DN mappings will not be banned. "/O=ExampleGrid/OU=ExampleSite/CN=Joe Bloggs" - "/O=ExampleGrid/OU=ExampleSite/CN=Joe Bloggs" "/example.org" - "*" "/example.org/Role=rogue_user" -

10 Log files In general: Services run within a “domain” (i.e., a JVM instance) Each domain has a log file (in /var/log by default) SRM [1.9.5] /opt/d-cache/libexec/apache- tomcat/logs/catalina.out [later] normal logging for domain Chimera [1.9.5] /tmp/himera.log

11 Administrator access Two main means of sys-admin access: web and ssh
Web monitoring listens on port 2880 SSH admin interface listens on port 22223 Recommend securing access to these two service from trusted hosts. For example: Allow access to port only from localhost Allow access access to port 2880 from site- admin's machine Relay web access via an Apache instance listening on a secure port, require user certificate from web browser and authorise on that certificate.

12 Future plans (security)
New gPlazma: more modular, more flexible As part of this, support for Argus. Moving towards JMS: Allows redundant communication, Allows tunnelling messages through encrypted communication. New web admin interface: Security model

13 Summary Run latest patch version of dCache,
Secure network communication Message, Data transfers, Mounted namespace (if needed). Know (practice) how to ban a user, “Know thy system” To know when something is abnormal, you must know what is normal. know what is happening.

Download ppt "Security recommendations for dCache"

Similar presentations

Enabling Secure Internet Access with ISA Server

Enabling Secure Internet Access with ISA Server
Storage: Futures Flavia Donno CERN/IT WLCG Grid Deployment Board, CERN 8 October 2008.

Storage: Futures Flavia Donno CERN/IT WLCG Grid Deployment Board, CERN 8 October 2008.
Module 10: Troubleshooting Network Access. Overview Troubleshooting Network Access Resources Troubleshooting LAN Authentication Troubleshooting Remote.

Module 10: Troubleshooting Network Access. Overview Troubleshooting Network Access Resources Troubleshooting LAN Authentication Troubleshooting Remote.
Module 5: Configuring Access to Internal Resources.

Module 5: Configuring Access to Internal Resources.
Lesson 20 – OTHER WINDOWS 2000 SERVER SERVICES. DHCP server DNS RAS and RRAS Internet Information Server Cluster services Windows terminal services OVERVIEW.

Lesson 20 – OTHER WINDOWS 2000 SERVER SERVICES. DHCP server DNS RAS and RRAS Internet Information Server Cluster services Windows terminal services OVERVIEW.
Chapter 7: Using Windows Servers to Share Information.

Chapter 7: Using Windows Servers to Share Information.
1 Web Server Administration Chapter 9 Extending the Web Environment.

1 Web Server Administration Chapter 9 Extending the Web Environment.
Introduction to SQL Server 2000 Security Dave Watts CTO, Fig Leaf Software

Introduction to SQL Server 2000 Security Dave Watts CTO, Fig Leaf Software
Chapter 13 – Network Security

Chapter 13 – Network Security
INSTALLING MICROSOFT EXCHANGE SERVER 2003 CLUSTERS AND FRONT-END AND BACK ‑ END SERVERS Chapter 4.

INSTALLING MICROSOFT EXCHANGE SERVER 2003 CLUSTERS AND FRONT-END AND BACK ‑ END SERVERS Chapter 4.
Objectives Configure routing in Windows Server 2008 Configure Routing and Remote Access Services in Windows Server 2008 Network Address Translation 1.

Objectives Configure routing in Windows Server 2008 Configure Routing and Remote Access Services in Windows Server 2008 Network Address Translation 1.
Daemon issue 14 SSH Port Forwarding Yannis Tsopokis Wednesday, April 26 th 2006.

Daemon issue 14 SSH Port Forwarding Yannis Tsopokis Wednesday, April 26 th 2006.
Network Management Tool Amy Auburger. 2 Product Overview Made by Ipswitch Affordable alternative to expensive & complicated Network Management Systems.

Network Management Tool Amy Auburger. 2 Product Overview Made by Ipswitch Affordable alternative to expensive & complicated Network Management Systems.
EMerge Browser Managed Security Platform Module 3: Startup eMerge Certification Course  Physical connection  TCP/IP Characteristics of PC  Initial connection.

EMerge Browser Managed Security Platform Module 3: Startup eMerge Certification Course  Physical connection  TCP/IP Characteristics of PC  Initial connection.
DCache at Tier3 Joe Urbanski University of Chicago US ATLAS Tier3/Tier2 Meeting, Bloomington June 20, 2007.

DCache at Tier3 Joe Urbanski University of Chicago US ATLAS Tier3/Tier2 Meeting, Bloomington June 20, 2007.
D C a c h e Michael Ernst Patrick Fuhrmann Tigran Mkrtchyan d C a c h e M. Ernst, P. Fuhrmann, T. Mkrtchyan Chep 2003 Chep2003 UCSD, California.

D C a c h e Michael Ernst Patrick Fuhrmann Tigran Mkrtchyan d C a c h e M. Ernst, P. Fuhrmann, T. Mkrtchyan Chep 2003 Chep2003 UCSD, California.
Introduction to dCache Zhenping (Jane) Liu ATLAS Computing Facility, Physics Department Brookhaven National Lab 09/12 – 09/13, 2005 USATLAS Tier-1 & Tier-2.

Introduction to dCache Zhenping (Jane) Liu ATLAS Computing Facility, Physics Department Brookhaven National Lab 09/12 – 09/13, 2005 USATLAS Tier-1 & Tier-2.
1 Chapter Overview Password Protection Security Models Firewalls Security Protocols.

1 Chapter Overview Password Protection Security Models Firewalls Security Protocols.
Communicating Security Assertions over the GridFTP Control Channel Rajkumar Kettimuthu 1,2, Liu Wantao 3,4, Frank Siebenlist 1,2 and Ian Foster 1,2,3 1.

Communicating Security Assertions over the GridFTP Control Channel Rajkumar Kettimuthu 1,2, Liu Wantao 3,4, Frank Siebenlist 1,2 and Ian Foster 1,2,3 1.
DCache Basics Alessandro Usai, Sergio Maffioletti Grid Group CSCS.

DCache Basics Alessandro Usai, Sergio Maffioletti Grid Group CSCS.

Similar presentations

Ads by Google