
1 Globus Security: Features and Roadmap & Building Secure VOs using Globus Toolkit
Frank Siebenlist, Rachana Ananthakrishnan
Computation Institute, University of Chicago & Argonne National Laboratory
GlobusWorld 2008 (GW08), May 13-15, Oakland, California, U.S.A.

2 Content
GT4.2 Security Features & Roadmap
> Rachana Ananthakrishnan
Building Secure Virtual Organizations
– ESG: Easy PKI & OpenID; OSG & EGEE: Authorization Interoperability
> Frank Siebenlist
– caBIG: GAARDS - Grid Authentication and Authorization with Reliably Distributed Services
> Kunal Modi
– TeraGrid: Attribute-based Authorization for Science Gateways Using GridShib
> Tom Scavo
– Break… !! GridShib-CA Demo !!

3 What is new? GT4.2 Security Features

4 Globus Software: dev.globus.org
[Diagram: Globus projects grouped by area (Security, Execution Mgmt, Data Mgmt, Info Services, Common Runtime, Other) plus Incubator projects. Globus projects shown: GSI-OpenSSH, MyProxy, CAS, Delegation, GT4 C Sec, GRAM, GridFTP, Reliable File Transfer, OGSA-DAI, Data Rep, Replica Location, MDS4, Java Runtime, C Runtime, Python Runtime, MPICH-G2, GridWay, GT4 Docs. Incubator projects shown: Cog WF, LRMA, GAARDS, OGRO, GDTE, UGP, HOC-SA, PURSE, GridShib, Introduce, Dyn Acct, WEEP, Gavia JSC, Gavia MS, DDM, Virt WkSp, SGGC, Metrics, ServMark, MEDICUS.]

5 Authentication
RFC 3820 compliant proxy
– Support added in 4.0.7 and 4.2
– Interoperable with other compliant implementations
Signing policy in Java security
– Required in GT 4.2 and optional in GT 4.0.7
– Ensures presented credentials are compliant with CA policy
– Policy configured with trusted certificates
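The signing-policy bullet above is the namespace constraint: a trusted CA may only issue certificates for the subject names its local policy allows, so a certificate from a trusted CA is still rejected if the CA was not entitled to sign for that subject. The following Python is an added example, not Globus Toolkit code. It parses a policy in the Globus signing_policy file layout (access_id_CA, pos_rights, cond_subjects) and checks an issuer/subject pair against it; the policy text, DNs and function names are constructed for the example.

```python
"""Check a credential's subject against a CA signing policy (added example)."""
import re
import shlex
from dataclasses import dataclass, field

# Constructed sample policy in the signing_policy file layout: access_id_CA names
# the CA, pos_rights grants it CA:sign, cond_subjects lists the subject globs it
# is allowed to sign for.
SAMPLE_POLICY = """
# Constructed policy for the example CA
access_id_CA      X509         '/C=US/O=Example Grid/CN=Example Grid CA'
pos_rights        globus       CA:sign
cond_subjects     globus       '"/C=US/O=Example Grid/*" "/C=US/O=Partner Lab/OU=Grid/*"'
"""


@dataclass
class SigningPolicy:
    ca_subject: str
    may_sign: bool = False                          # set by "pos_rights globus CA:sign"
    namespaces: list = field(default_factory=list)  # subject globs from cond_subjects


def parse_signing_policy(text):
    """Parse a single-CA signing policy into a SigningPolicy."""
    policy = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # unwraps the single-quoted third field
        if len(tokens) != 3:
            raise ValueError(f"malformed policy line: {raw!r}")
        key, scope, value = tokens
        if key == "access_id_CA":
            policy = SigningPolicy(ca_subject=value)
        elif policy is None:
            raise ValueError("policy must start with access_id_CA")
        elif key == "pos_rights" and scope == "globus" and value == "CA:sign":
            policy.may_sign = True
        elif key == "cond_subjects":
            # the value is itself a space-separated list of double-quoted globs
            policy.namespaces.extend(shlex.split(value))
    if policy is None:
        raise ValueError("empty policy")
    return policy


def _glob_to_regex(pattern):
    # Only '*' is a wildcard here; every other character is matched literally.
    return re.compile(".*".join(re.escape(p) for p in pattern.split("*")) + r"\Z")


def check_credential(policy, issuer_dn, subject_dn):
    """True only if issuer_dn is the policy's CA, it holds CA:sign, and
    subject_dn falls inside one of the permitted namespaces."""
    if issuer_dn != policy.ca_subject or not policy.may_sign:
        return False
    return any(_glob_to_regex(ns).match(subject_dn) for ns in policy.namespaces)


if __name__ == "__main__":
    pol = parse_signing_policy(SAMPLE_POLICY)
    ca = pol.ca_subject
    print(check_credential(pol, ca, "/C=US/O=Example Grid/OU=People/CN=Alice"))
    print(check_credential(pol, ca, "/C=US/O=Rogue Org/CN=Alice"))
```

The second check is the case the policy exists for: the certificate chains to a trusted CA, yet the subject lies outside the namespace that CA is allowed to sign, so it is refused. Matching is case-sensitive in this example; a real deployment follows whatever comparison rule its toolkit documents.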

6 Transport Security
HTTPS connection caching
– Support in GT 4.2
– Improves performance
– Connections with the same parameters are cached
External OpenSSL support
– Required in GT 4.2 and optional in GT 4.0.7
– Leverages the OpenSSL installed on the local machine

7 GT 4.2 Java Authorization Framework
WS independent system
Pluggable PIPs, PDPs and combining algorithm
Default Permit Override mechanism
All GT 4.0.x PDPs supported
Additional interceptors:
– Parameter PIP, Operation parameter
– Resource Property PDP

8 GT 4.2 Authorization Framework
[Diagram: the Policy Enforcement Point hands request attributes to the Authorization Engine. Attribute processing runs through bPIP1 [owner1] … bPIPn [ownerN] and PIP1 [owner1] … PIPn [ownerN]; the collected attributes feed PDP1 [owner1] … PDPn [ownerN] (with canAdmin / canAccess checks), and the PDP combining algorithm merges their results into a single Decision.]
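Slides 7 and 8 describe the pipeline but not how a permit-override combining algorithm behaves when PDPs owned by different principals disagree, which is the property a deployer has to reason about. The Python below is an added example, not Globus Toolkit code: PIPs enrich the request with attributes, each PDP carries an owner and returns Permit, Deny or NotApplicable, and two combining algorithms are compared. The canAdmin rule (a Permit counts only if the PDP's owner is the resource owner or holds canAdmin on the resource) is a simplification taken from the diagram labels, not the toolkit's actual algorithm; all class names, principals and policy data are constructed.

```python
"""Toy PIP -> PDP -> combining-algorithm pipeline (added example)."""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    NOT_APPLICABLE = "NotApplicable"


@dataclass
class Request:
    subject: str                                    # caller's DN
    operation: str
    resource: str
    attributes: dict = field(default_factory=dict)  # populated by the PIPs


@dataclass
class Verdict:
    pdp: str
    owner: str          # principal whose policy this PDP enforces
    decision: Decision


# PIPs: attribute collection (constructed stand-ins for gridmap / VO lookups)
class GridmapPIP:
    def __init__(self, gridmap):
        self.gridmap = gridmap

    def collect(self, request):
        if request.subject in self.gridmap:
            request.attributes["local_account"] = self.gridmap[request.subject]


class VORolePIP:
    def __init__(self, roles_by_subject):
        self.roles = roles_by_subject

    def collect(self, request):
        request.attributes["vo_roles"] = set(self.roles.get(request.subject, ()))


# PDPs: evaluate the enriched request; each one has an owner
class GridmapPDP:
    def __init__(self, owner):
        self.owner = owner

    def evaluate(self, request):
        return Decision.PERMIT if "local_account" in request.attributes else Decision.NOT_APPLICABLE


class VORolePDP:
    def __init__(self, owner, required_role):
        self.owner, self.required_role = owner, required_role

    def evaluate(self, request):
        return Decision.PERMIT if self.required_role in request.attributes.get("vo_roles", set()) else Decision.NOT_APPLICABLE


class BanListPDP:
    def __init__(self, owner, banned):
        self.owner, self.banned = owner, set(banned)

    def evaluate(self, request):
        return Decision.DENY if request.subject in self.banned else Decision.NOT_APPLICABLE


def _trusted_permit(v, resource_owner, admins):
    # A Permit is honoured only from the resource owner or a canAdmin holder.
    return v.decision is Decision.PERMIT and (v.owner == resource_owner or v.owner in admins)


def permit_override(verdicts, resource_owner, admins):
    """One trusted Permit decides the outcome, even if another PDP said Deny."""
    return Decision.PERMIT if any(_trusted_permit(v, resource_owner, admins) for v in verdicts) else Decision.DENY


def deny_override(verdicts, resource_owner, admins):
    """Any Deny decides the outcome; otherwise a trusted Permit is still required."""
    if any(v.decision is Decision.DENY for v in verdicts):
        return Decision.DENY
    return permit_override(verdicts, resource_owner, admins)


def authorize(request, pips, pdps, resource_owner, admins, combine=permit_override):
    for pip in pips:  # attribute processing stage
        pip.collect(request)
    verdicts = [Verdict(type(p).__name__, p.owner, p.evaluate(request)) for p in pdps]
    return combine(verdicts, resource_owner, admins)


def demo():
    """Constructed scenarios; returns the decision name per scenario."""
    pips = [GridmapPIP({"/O=Grid/CN=Alice": "alice"}),
            VORolePIP({"/O=Grid/CN=Bob": ["vo-admin"], "/O=Grid/CN=Dave": ["guest"]})]
    pdps = [GridmapPDP(owner="container-admin"),
            VORolePDP(owner="vo-authority", required_role="vo-admin"),
            VORolePDP(owner="untrusted-party", required_role="guest"),
            BanListPDP(owner="site-security", banned=["/O=Grid/CN=Alice"])]
    owner, admins = "container-admin", {"vo-authority"}

    def run(dn, combine):
        req = Request(subject=dn, operation="createJob", resource="/gram/factory")
        return authorize(req, pips, pdps, owner, admins, combine).value

    return {"alice_permit_override": run("/O=Grid/CN=Alice", permit_override),  # ban overridden
            "alice_deny_override": run("/O=Grid/CN=Alice", deny_override),      # ban honoured
            "bob": run("/O=Grid/CN=Bob", permit_override),                      # trusted VO permit
            "dave_untrusted_pdp": run("/O=Grid/CN=Dave", permit_override),      # owner lacks canAdmin
            "carol": run("/O=Grid/CN=Carol", permit_override)}                  # nothing applies


if __name__ == "__main__":
    print(demo())
```

The Alice scenario is the one to keep in mind when "Default Permit Override" appears on a slide: a ban-list PDP owned by site security is outvoted by a gridmap Permit under permit-override, and only a deny-override (or a ban check placed before the engine) makes the ban effective. The Dave scenario shows the other half of the model, a Permit from a PDP whose owner has no administrative rights on the resource carries no weight.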

9 Policy Assertions from Everywhere

10 Policy Assertions from Everywhere
[Diagram: assertion sources feeding the authorization framework: CAS, Shib, LDAP, Handle, GUMS, Grouper, VOMS, PERMIS, XACML, SAML, SAZ, Gridmap, XACML, ???]

11 Community Authorization Service
Derby database support
– Ease of install and configuration
WS Policy support
– Used for fine-grained authorization of WS calls
Local PDP
– Embedded with the container for performance
PDPs/PIPs
– PIP for assertion in proxy
– PIP for assertion from SOAP message
– PDP for enforcing assertion and trusted CAS server
– PDP to call out to CAS (also in GT 4.0.x)

12 Security Configuration
Security descriptors for service configuration
– Container configuration (admin)
– Service/resource configuration
Compliant to schema
– Validation at deployment
– Stand-alone tools to validate

13 Building Secure Virtual Organizations
ESG: Easy PKI & OpenID
OSG & EGEE: Authorization Interoperability

14 Earth System Grid (ESG) Single Sign On Solutions
PKI SSO
– Single Sign On for non-browser applications
– MyProxy Online CA
– Auto-provisioning of trust configuration
Web SSO
– Single sign on for http/https applications
– OpenID

15 Integrated WebSSO & PKI-SSO
[Diagram: a shared AuthN DB (uname, password) backs an Online-CA AuthN Svc and a WebSSO AuthN Svc. A PKI Client exchanges username/password for X.509 credentials (u/p => X509 creds) and uses X509 PK-authN toward a PKI App Svc, which trusts the CA; a Browser Client exchanges username/password for a cookie (u/p => cookie) and reaches the Web Svc via http-redirect + cookie, the Web Svc trusting the authN Svc.]

16 Zero-Config GSI Deployment
Bootstrap from username/password
– Without preconfiguration
No long-lived secrets on the user's workstation
=> move secrets to a secure MyProxy server
– Issue derived short-lived proxy certificates
=> issue short-lived identity certificates
– On-line Certificate Authority (CA)
Provision Trust-Root Info
– Trusted CAs, CRLs, OCSP responders
Need for bootstrap authentication…
– Passwords
– One-Time-Passwords

17 AuthN & Trust-Root Provisioning
[Diagram: bootstrapping the user's trust-root config from secure OTP authentication. A user workstation (initially not configured) performs secure mutual OTP authentication and key exchange with an OTP-enhanced MyProxy/GridLogon Svc, backed by an OTP AuthN Server plus the user's security config, and receives a short-lived cert together with provisioning of CAs and AuthZ/Attr Authorities.]

18 XACML-2/SAML-2 AuthZ Query Interface
Attribute-based AuthZ Query Interface
– Enhancement to SAML-1.1 interface
Standardized in OASIS
Requires XACML-2 GT4-PDP for AuthZ framework
Requires further profiling for interoperability

19 EGEE/OSG/Globus AuthZ Interop
[Diagram: an XACML-2 Interface linking the authorization components LCMAPS, LCAS, GUMS, SAZ, PRIMA, VOMS, gpBox, DynWS, Gridmap and XACML.]

20 OSG/EGEE/Fermi/Globus/OpenSAML Development Effort
Standardize AuthZ Query Interface for OGF's PRIMA/GUMS/SAZ
– Migration of obligation-extended SAML-1.1 to XACML-2
– Use XACML-2 AuthZ Query for SAZ banning check
Standardize AuthZ Query Interface for next-gen LCMAPS/LCAS service implementation
– XACML-2 Query Interface
Standardize Profile for use of Attributes and Obligations
Goal is to make PRIMA/GUMS/SAZ and LCMAPS/LCAS plug-compatible at the service interface level
Standardize AuthZ ticket for GAAA-AuthZ Toolkit
– XACML-2 AuthZ Query Result as (possible) ticket/token
– Allows for sophisticated authZ result caching
Source code and details
– http://www-unix.mcs.anl.gov/~ranantha/xacmlPDP/

21 Building Secure Virtual Organizations
caBIG: GAARDS - Grid Authentication and Authorization with Reliably Distributed Services
Kunal Modi

22 Building Secure Virtual Organizations
TeraGrid: Attribute-based Authorization for Science Gateways Using GridShib
Tom Scavo
