
Authentication and Authorization for the ESS* Control System


1 Authentication and Authorization for the ESS* Control System
Suzanne Gysin – European Spallation Source
Jaka Bobnar – Cosylab
*ESS: European Spallation Source

2 What is ESS?
The European Spallation Source (ESS) will house the most powerful proton linac ever built. The average beam power will be 5 MW, five times greater than SNS. The peak beam power will be 125 MW, over seven times greater than SNS.
10/05/2013 Suzanne Gysin, RBAC for ESS Control System

3 ESS Science Case
ESS is a neutron spallation source for neutron scattering measurements. Neutron scattering offers a complementary view of matter compared with other probes such as x-rays from synchrotron light sources. The scattering cross section of many elements can be much larger for neutrons than for photons.
[Figures: neutron radiograph and X-ray image]

4 Where Will ESS Be Built?
ESS is located in southern Sweden, adjacent to MAX-IV (a 4th generation light source), to provide a world-class material research center for Europe.

5 How Much Will ESS Cost?
[Chart: personnel and investment costs]

6 How Will ESS Be Funded?
With in-kind and cash contributions.

7 How Long Will ESS Take to Build?

8 Control System Core Software - requirements
Configuration Data Management
- Lattice DB*
- Controls Configuration DB*
- Device Configuration DB
- Cable DB*
* Requirements documents available
In collaboration with DISCS

9 Control System Core Software - requirements
Control System Services
- Authentication and Authorization
- CSS including BOY, BEAST, and BEAUTY
- Save, Compare and Restore*
- Post Mortem support
- Maintenance Log
- Diagnostic Logging Service
- Naming Convention Database, tools, and procedures

10 Software Core Milestones
2014:
- Q2: MS 1: Lattice Database V2 (BLED 2)
- Q3: MS 2: Naming convention software tools
2015:
- Q1: MS 3: Controls Configuration Database
- MS 4: Cabling Database
2016:
- Q2: MS 5: Device Configuration Database
2017:
- Q1: MS 6: Vertical Test Complete

11 DISCS Collaboration
Distributed Information Services for Control Systems (Vasu Vuppala)
Collaborators: BNL, FRIB, SLAC, ESS, Cosylab, IHEP.
Databases: machine configuration, lattice, measurements, alignment, cables, machine state, inventory, operations, calibration, and design parameters.
Services/applications include Channel Finder, Logbook, Traveler, Unit Conversion, RBAC, Online Model, and Save-Restore.

12 Authentication and Authorization (RBAC)
2007: developed RBAC for LSA, the LHC control system at CERN.
Proposal/investigation of how to:
- Adapt RBAC to EPICS
- Adapt RBAC to general resources

13 Role Based Access Control (RBAC)
Machine Safety
- ESS's 5 MW beam is powerful and potentially very damaging
- RBAC protects from crippling machine damage
- RBAC is proactive rather than reactive: it prevents invoking the machine protection system
Machine Performance
- Don't mess with a fine-tuned system
- Access is denied during certain machine states

14 CERN’s LHC Controls RBAC extended
- LHC RBAC has good qualifications: in use on a complex control system, with many diverse users, for many years.
- EPICS is a popular choice for new control system projects and could use a standard RBAC service.
- ESS controls uses EPICS and needs an RBAC implementation.

15 RBAC at LHC Controls at CERN
Authentication of the user:
1. User sends a request from the Application to be authenticated by the RBAC server
2. RBAC authenticates the user via NICE user name and password
3. RBA returns an RBAC token to the Application
Authorization of a request:
1. Application sends the token to the Application Server (3-tier environment)
2. CMW client sends the token to the CMW server
3. CMW server (on the front-end) verifies the token
4. CMW server checks the Access Map for role, location, application, mode
Components in the diagram: Application, RBAC Server, CMW client, CMW server, Access MAP, FESA
RBAC Token:
- Application name
- User name
- IP address/location
- Time of authentication
- Time of expiry
- Roles[ ]
- Digital signature (RBA private key)

16 Two main questions …
- How to extend CERN's LHC controls RBAC to EPICS?
- How to extend CERN's LHC controls RBAC to protect general resources such as databases and software services?

17 Two use cases
- Use case 1: RBAC for EPICS: protect access to the Channel Access Process Variables
- Use case 2: RBAC for Configuration Data: the configuration database and its Java web applications

18 Use Case 1: RBAC for EPICS
- Karl wants to protect the klystrons.
- Karl creates a role "Klystron Commissioner" with write privileges.
- "Klystron Crawler" is a Channel Access Client application to monitor and control the Channel Access PVs.
- "Klystron Controller" is a Channel Access Server for the klystron PVs.

19 Use Case 1: RBAC for EPICS
Players:
- Karl – the user
- Klystron Commissioner – the role
- Klystron Crawler – the application, a Channel Access Client
- Klystron Controller – the IOC with the relevant PV, a Channel Access Server
Actions:
- User Authentication: check user name and password
- Authorization of a session: check token timeout and signature
- Authorization of a request: check token role, host id, and system parameters

20 RBAC for EPICS: Authentication of the user
1. User logs into the CA Client with the login dialog provided by the RBAC service.
2. If the authentication is not successful, the RBAC server returns an error and the CA Client denies access to the User.
3. If the authentication is successful, the CA Client receives a token with the following:
   - Role (Klystron Commissioner)
   - Location (the host id)
   - RBAC server digital signature, made with the RBAC server's private key (512 bits, 64 bytes)
4. User Authentication is complete.

21 RBAC for EPICS: Authorization of the session
Goal: check the token parameters common to all requests only once:
- check the RBAC signature with the public key
- check the expiration date of the token
Steps:
- The CA Client connects to a CA Server via the CA handshake to establish a session.
- CA Client sends token information (role, location, and signature) to the CA Server in the header.*
- CA Server verifies the token's expiration date and signature with the RBAC public key.*

22 RBAC for EPICS: Authorization of the session
- If invalid, the session is terminated and the user notified with an error.
- If the token is valid, the CA Server saves the token for authorizing future requests within this session.
- The user is authorized for the session.
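The token issue and the once-per-session check of slides 20 through 22, as an added example; this is not code from the presentation, CERN or ESS. It assumes an Ed25519 signature (the slides give only the 64-byte size, which Ed25519 matches, not the algorithm), a JSON encoding of the slide-15 token fields with assumed field names, and constructed user, host and role values.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Token carries the RBAC token fields listed on slide 15; the JSON names are assumed.
type Token struct {
	Application string   `json:"app"`
	User        string   `json:"user"`
	Location    string   `json:"loc"` // host id / IP address of the client
	IssuedAt    int64    `json:"iat"` // time of authentication, Unix seconds
	ExpiresAt   int64    `json:"exp"` // time of expiry, Unix seconds
	Roles       []string `json:"roles"`
}

// SignedToken is what the CA client sends in the handshake header: the encoded
// token plus the RBAC server's Ed25519 signature over it (64 bytes, as on slide 20).
type SignedToken struct {
	Payload   []byte
	Signature []byte
}

// Issue runs on the RBAC server after the user's credentials were accepted.
// Marshalling a struct of plain fields cannot fail, so the error is discarded.
func Issue(priv ed25519.PrivateKey, t Token) SignedToken {
	payload, _ := json.Marshal(t)
	return SignedToken{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// VerifySession is the once-per-session check of slides 21-22 on the CA server:
// signature first, so nothing in the payload is trusted before it is verified,
// then expiry. The returned token is what the server keeps for later requests.
func VerifySession(pub ed25519.PublicKey, st SignedToken, now time.Time) (Token, error) {
	if !ed25519.Verify(pub, st.Payload, st.Signature) {
		return Token{}, errors.New("RBAC signature invalid: session refused")
	}
	var t Token
	if err := json.Unmarshal(st.Payload, &t); err != nil {
		return Token{}, err
	}
	if !now.Before(time.Unix(t.ExpiresAt, 0)) {
		return Token{}, errors.New("RBAC token expired: session refused")
	}
	return t, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed key pair for the demo (crypto/rand)
	st := Issue(priv, Token{Application: "Klystron Crawler", User: "karl", Location: "cr-host-01",
		IssuedAt: time.Now().Unix(), ExpiresAt: time.Now().Add(8 * time.Hour).Unix(), Roles: []string{"Klystron Commissioner"}})
	fmt.Println(VerifySession(pub, st, time.Now()))
}
```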

23 Authorization of the session issue
- Requires a change in the Channel Access protocol for starting a session (i.e. sending the token information)
- Requires the implementation of checks in the existing Channel Access Servers
- Distribution of the public key to the CA servers
Work around … make the session authorization optional

24 RBAC for EPICS: Authorization of a request
- The user initiates a request to set a PV using the CA Client.
- CA Client sends the request to the CA Server along with the role and host id.
- CA Server checks the role, location, beam mode or other system parameters as defined in the .acf file.
- If the authorization fails, CA Server returns an error; if the authorization succeeds, CA Server fulfills the request.
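The per-request check of slide 24 (role, location and beam mode against the server's access map), as an added example that is not code from the presentation or from EPICS. The access map is a plain Go structure keyed by Access Security Group as on slide 41, not the .acf syntax, and the PV names, hosts and beam modes are constructed sample data.

```go
package main

import "fmt"

// Request is a PV write as the CA server sees it once the session is authorized:
// role and host come from the saved token; the beam mode the server reads itself.
type Request struct{ PV, Role, Host, Mode string }

// Rule grants writes to one Access Security Group; empty Hosts or Modes means any.
type Rule struct{ Roles, Hosts, Modes []string }

// AccessMap stands in for the access control file generated for a CA server.
type AccessMap struct {
	GroupOf map[string]string // PV -> Access Security Group (ASG)
	Rules   map[string][]Rule // ASG -> write rules
}

func contains(set []string, v string) bool {
	for _, s := range set {
		if s == v {
			return true
		}
	}
	return false
}

// matchAny is the "empty means any" test used for hosts and beam modes, not for roles.
func matchAny(set []string, v string) bool { return len(set) == 0 || contains(set, v) }

// AuthorizeWrite denies by default: unknown PV, group without rules, or no rule matching role, host and mode.
func (m AccessMap) AuthorizeWrite(r Request) error {
	asg, ok := m.GroupOf[r.PV]
	if !ok {
		return fmt.Errorf("%s: PV not in any access security group, write denied", r.PV)
	}
	for _, rule := range m.Rules[asg] {
		if contains(rule.Roles, r.Role) && matchAny(rule.Hosts, r.Host) && matchAny(rule.Modes, r.Mode) {
			return nil
		}
	}
	return fmt.Errorf("%s: role %q from %s in beam mode %s denied by group %s", r.PV, r.Role, r.Host, r.Mode, asg)
}

// KlystronMap is constructed sample data for the use case on slides 18-19: commissioners
// may write klystron PVs from control-room hosts only, and never while beam is on.
var KlystronMap = AccessMap{
	GroupOf: map[string]string{"KLY01:HV:SET": "KLYSTRON", "KLY01:PHASE:SET": "KLYSTRON", "KLY01:STATUS": "READONLY"},
	Rules:   map[string][]Rule{"KLYSTRON": {{Roles: []string{"Klystron Commissioner"}, Hosts: []string{"cr-host-01", "cr-host-02"}, Modes: []string{"NO_BEAM", "STANDBY"}}}},
}

func main() {
	fmt.Println(KlystronMap.AuthorizeWrite(Request{"KLY01:HV:SET", "Klystron Commissioner", "cr-host-01", "NO_BEAM"}))
	fmt.Println(KlystronMap.AuthorizeWrite(Request{"KLY01:HV:SET", "Klystron Commissioner", "cr-host-01", "BEAM_ON"}))
}
```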

25 RBAC for EPICS: Logout
- User logs out by calling the RBAC logout API with the session.
- Session is terminated; all token information is removed from the CA server.

26 RBAC for EPICS: Issues
- Time it takes to verify the token on the first handshake. Do we want to factor out the handshake or include it in the first PV access? Prototype the time it takes to verify the token.
- The handshake for starting a session is modified: a login and logout interface specific to Channel Access clients that manages the session with a modified handshake. Make the session authorization optional.
- Users may have multiple roles; how to select and switch roles? How common is this, and what is the use case?
- Channel Access uses the OS user name, RBAC expects the role name in the request. How is the user name changed to the role in the CA Client?

27 RBAC for EPICS: Assumptions
- The CA Client checks if the token has expired every n minutes and prompts the user for a renewal.
- The CA Client has one connection for every CA Server.
- The CA Client is written in Java.
- The CA Servers have the RBAC public key ( servers).
- The CA Servers receive their .acf files from the RBAC server.
- The CA Servers save the token for the duration of a session.
- There is enough space for the role name, the digital signature, and the expiration date in the CA header (512 characters).

28 Use Case 2: RBAC for Configuration Data
- Karl, still the RF engineer, would like to protect his klystron configuration.
- The role "Klystron Commissioner" has permission to change the RF configuration.
- The "Configuration Manager" is the app used to edit the configuration.
- The Configuration Manager's underlying database is the Controls Configuration Database (CCDB).

29 Use Case 2: RBAC for Configuration Data
Players:
- Karl – the user
- Klystron Commissioner – the role
- Configuration Manager – the application, a Glassfish web application
- Controls Configuration Database – the RDB, the resource to protect
Actions:
- User Authentication: check user name and password
- Authorization of a session: check token timeout and signature
- Authorization of a request: check token role, host id, and system parameters

30 RBAC for configuration data: Authentication of the user
1. The user logs into the Configuration Manager using the login dialog provided by the RBAC service.
2. If the authentication is not successful, the Configuration Manager denies access.
3. If the authentication is successful, the Configuration Manager receives a token with the following:
   - Role (Klystron Commissioner)
   - Location (the host id)
   - RBAC server digital signature, made with the RBAC server's private key (512 bits, 64 bytes)
4. User Authentication is complete.

31 RBAC for configuration data: Authorization of the session
- The Configuration Manager (the app) verifies the token's expiration date and signature with the RBAC public key.*
- If invalid, the session is terminated and the user notified with an error.
- If the token is valid, the Configuration Manager saves the token for authorizing future requests within this session.

32 RBAC for configuration data: Authorization of a request
- The user initiates a request to set a database field using the Configuration Manager.
- Configuration Manager uses the database service (API) to interact with the database.
- The Configuration Manager sends the role and location along with the request to the database service.
- This database service checks the role, location, and beam mode according to its access map for the specific request.*
- If the authorization fails, Configuration Manager returns an error; if it succeeds, the request is fulfilled.

33 RBAC for configuration data: Assumptions
- The Configuration Manager checks if the token has expired every n minutes and prompts the user for a renewal.
- The Configuration Manager uses a database service; the database service is the only way to connect to the database.
- The Configuration Manager has the RBAC public key.
- The access rights are written by the owner of the database, and the algorithm to check the access rights is local to the database API.
- The Configuration Manager saves the token for the duration of a session.

34 RBAC for configuration data: Issues
- If there is a use case for queuing or forwarding requests, it needs to be well understood.
- No standard access map: each database service will have to implement its own request authorization code and access map.
- Should the session authorization be in the application or the database service?
- How does the configuration database receive the beam mode?

35 Commonalities, LHC, EPICS, Databases
Authentication
- RBAC server authenticates the user; the protocol differs: CERN uses the RBAC token, ESS may use Kerberos
- RBAC server is responsible for logging authentication requests
Authorization
- RBAC server manages the mapping of users, roles, and permissions for the roles
- RBAC server generates the access rules for the device server and makes them available
- Access rights syntax differs: RBAC uses a table, ESS uses the EPICS access control file syntax
- Databases have their own syntax, which is not managed by RBAC

36 Conclusion
- ESS is collaborating with DISCS to extend CERN's LHC controls RBAC for EPICS and other software resources.
- We have shown two use cases using the same steps and with the same general architecture. From this we can decide which parts are re-usable and which parts to implement first.
Next steps:
- Gather use cases and requirements from ESS and the DISCS collaboration
- Prototype and design
- Ready for development, 2014-Q1

37 Action items
- A&A for Channel Finder – Bob D., G. Shen
- Need the access map in the applications, to discern protection in the app. – Gabrielle
- Single sign-on – Gabrielle
- Token forwarding (restore, for example); check transaction management: query the resource whether the entire transaction is OK. – Gabrielle

38 A1 and A2 in RBAC
A1 = Authentication: authentication means the user identity has been verified with a shared secret, usually the password.
- At CERN, RBAC authenticates users via NICE, CERN's central credential service.
- Kerberos could be used for ESS.
- Challenge: the authentication of users from many different labs (federation).
A2 = Authorization: authorization means that the user has been granted the authority to execute a particular action.
- At CERN, authorization applies to settings in the front ends; the authorization is granted to a particular role.

39 RBAC with EPICS
A1:
- User sends a request from the Application to be authenticated by the RBAC server
- RBAC authenticates the user via user name and password
- RBA returns a token to the application
- Kerberos is a good candidate for this.
A2:
- The token is verified on initiating a session between Client and Server.
- The request is verified by the Server at the time it is sent.
Before runtime: the RBAC server generates an access control file (access map) for a Server.
Components in the diagram: Application, Channel Access Client, RBAC Server, Channel Access server, IOC access configuration file (.acf), Public Key

40 Differences
Where and when the access rights are checked:
- EPICS: the access rights are sent by the CA* server to the CA client at the time of the connection. Both sides are involved: the CA client is aware of the access rights, and the CA server checks them.
- RBAC: the access rights are kept on the middleware (CMW) server and checked by the server.
Syntax of the access map:
- EPICS: a Channel Access 'access control file' syntax is used
- RBAC: an ASCII table is used
Authentication protocol:
- EPICS: proposed protocol is Kerberos (** proposal)
- RBAC: NICE authentication
*CA = Channel Access

41 Differences
Who: users and roles
- EPICS uses the userid of the channel access client.
- RBAC uses the roles distributed in the RBAC token.
Where: authentication by location
- EPICS uses the hostid where the user is logged on. This is the host on which the channel access client exists.
- RBAC uses the application name and the IP address. This enables authentication by location, i.e. the control room.
What: settings and PVs
- EPICS protects each individual field of a record. Each record has a field containing the Access Security Group (ASG) to which the record belongs.
- RBAC protects each setting in the FESA database.

42 Differences
When: beam mode and current values as variables
- EPICS: access rules can contain input links and calculations similar to the calculation record, thereby including current values of process variables as part of the access privilege.
- RBAC is able to protect the devices relative to the beam mode. This is programmed in the CMW.*
* CMW = Central Middle Ware

