GLOBUS TOOLKIT SECURITY

Similar documents
Using the MyProxy Online Credential Repository

A Multipolicy Authorization Framework for Grid Security

GSI Online Credential Retrieval Requirements. Jim Basney

Credentials Management for Authentication in a Grid-Based E-Learning Platform

Grid Computing Fall 2005 Lecture 16: Grid Security. Gabrielle Allen

GSI-based Security for Web Services

Grid Computing Security

Credential Management in the Grid Security Infrastructure. GlobusWorld Security Workshop January 16, 2003

An authorization Framework for Grid Security using GT4

WSMetacatService a GT4 Web Service Wrapper for Metacat

How to Build a Service Using GT4

How to Build a Service Using GT4

Introduction to SciTokens

Grid Authentication and Authorisation Issues. Ákos Frohner at CERN

ShibVomGSite: A Framework for Providing Username and Password Support to GridSite with Attribute based Authorization using Shibboleth and VOMS

Deploying the TeraGrid PKI

PERMIS An Application Independent Authorisation Infrastructure. David Chadwick

Argus Vulnerability Assessment *1

Grid Security Infrastructure

Federated Authentication with Web Services Clients

Network Security Essentials

[GSoC Proposal] Securing Airavata API

GT-OGSA Grid Service Infrastructure

Enterprise SOA Experience Workshop. Module 8: Operating an enterprise SOA Landscape

BIG-IP Access Policy Manager : Secure Web Gateway. Version 13.0

J. Basney, NCSA Category: Experimental October 10, MyProxy Protocol

30 Nov Dec Advanced School in High Performance and GRID Computing Concepts and Applications, ICTP, Trieste, Italy

SOA S90-20A. SOA Security Lab. Download Full Version :

Globus GTK and Grid Services

Lesson 13 Securing Web Services (WS-Security, SAML)

API Security Management SENTINET

Datapower is both a security appliance & can provide a firewall mechanism to get into Systems of Record

Grid Security: The Globus Perspective

Using the Cisco ACE Application Control Engine Application Switches with the Cisco ACE XML Gateway

INDIGO AAI An overview and status update!

IVOA/AstroGrid SSO system and Grid standards

Troubleshooting Grid authentication from the client side

Enabling Grids for E-sciencE. EGEE security pitch. Olle Mulmo. EGEE Chief Security Architect KTH, Sweden. INFSO-RI

Tutorial: Building the Services Ecosystem

Certificate Enrollment for the Atlas Platform

glite Java Authorisation Framework (gjaf) and Authorisation Policy coordination

USING SAML TO LINK THE GLOBUS TOOLKIT TO THE PERMIS AUTHORISATION INFRASTRUCTURE

WebSphere Message Broker

Globus Toolkit 4 Execution Management. Alexandra Jimborean International School of Informatics Hagenberg, 2009

Role-Based Access Control for the Open Grid Services Architecture - Data Access and Integration (OGSA-DAI)

Grid Computing Middleware. Definitions & functions Middleware components Globus glite

Introduction to Grid Security

Identity Provider for SAP Single Sign-On and SAP Identity Management

SAP Security in a Hybrid World. Kiran Kola

Qualys Cloud Platform (VM, PC) v8.x Release Notes

Globus Toolkit Firewall Requirements. Abstract

Securing your Standards Based Services. Rüdiger Gartmann (con terra GmbH) Satish Sankaran (Esri)

Authorization Survey Results & Use Cases Presentation to Concordia Working Group

ArcGIS Server and Portal for ArcGIS An Introduction to Security

WEB-202: Building End-to-end Security for XML Web Services Applied Techniques, Patterns and Best Practices

Chapter 17 Web Services Additional Topics

API Security Management with Sentinet SENTINET

(2½ hours) Total Marks: 75

SLCS and VASH Service Interoperability of Shibboleth and glite

Policy Based Dynamic Negotiation for Grid Services Authorization

Configuring SSL. SSL Overview CHAPTER

A User-level Secure Grid File System

Cisco VCS Authenticating Devices

Securing ArcGIS Services

UNICORE Globus: Interoperability of Grid Infrastructures

Authorization Aspects of the Distributed Dataflow-oriented IoT Framework Calvin

Installation and Administration

GAMA: Grid Account Management Architecture

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

User Authentication Principles and Methods

Identity, Authentication and Authorization. John Slankas

An XACML Attribute and Obligation Profile for Authorization Interoperability in Grids

On the Creation & Discovery of Topics in Distributed Publish/Subscribe systems

By Ian Foster. Zhifeng Yun

igrid: a Relational Information Service A novel resource & service discovery approach

IBM Security Access Manager Version 9.0 October Product overview IBM

CERN Certification Authority

A Roadmap for Integration of Grid Security with One-Time Passwords

EUROPEAN MIDDLEWARE INITIATIVE

Grid Middleware and Globus Toolkit Architecture

Classification and Characterization of Core Grid Protocols for Global Grid Computing

Integrating Legacy Authorization Systems into the Grid: A Case Study Leveraging AzMan and ADAM

Grids and Security. Ian Neilson Grid Deployment Group CERN. TF-CSIRT London 27 Jan

A VO-friendly, Community-based Authorization Framework

SOA Software Policy Manager Agent v6.1 for WebSphere Application Server Installation Guide

The SciTokens Authorization Model: JSON Web Tokens & OAuth

Kerberos and Public-Key Infrastructure. Key Points. Trust model. Goal of Kerberos

IMPLEMENTING SINGLE SIGN-ON (SSO) TO KERBEROS CONSTRAINED DELEGATION AND HEADER-BASED APPS. VMware Identity Manager.

Managing Grid Credentials

Interoperability Solutions Guide for Oracle Web Services Manager 12c (12.2.1)

Managing Certificates

Policy Manager for IBM WebSphere DataPower 7.2: Configuration Guide

Security Digital Certificate Manager

Digital Certificates Demystified

BEAAquaLogic. Service Bus. Interoperability With EJB Transport

IBM. Security Digital Certificate Manager. IBM i 7.1

The PRIMA Grid Authorization System

Partner Center: Secure application model

Securing ArcGIS Server Services An Introduction

Cryptography and Network Security

Transcription:

GLOBUS TOOLKIT SECURITY Plamen Alexandrov, ISI Masters Student Softwarepark Hagenberg, January 24, 2009

TABLE OF CONTENTS Introduction (3-5) Grid Security Infrastructure (6-15) Transport & Message-level security Authentication Authorization Single sign-on and Delegation Configuration with Security Descriptors (16-21) Demo: Simple Client/Service Security (22-22) Security services (23-26) Community Authorization Service Passport Online CA & MyProxy Delegation Service 2

WHAT IS A SECURE COMMUNICATION? Privacy: only the sender and the receiver should be able to understand the conversation. Integrity: the receiving end must be able to know for sure that the message he is receiving is exactly the one that the transmitting end sent him. Authentication (and Non-repudiation): ensure that the parties involved in the communication are who they claim to be. protected from malicious users who try to impersonate one of the parties in the secure conversation. Authorization vs. Authentication (Access control): Accounting/auditing for policy compliance. Managing user credentials Administering access rights 3

GRID SECURITY REQUIREMENTS Authentication for User/Processes/Resources Appliance of local access control mechanisms Constraints: Single sign-on & Delegation Protection of credentials Interoperability with local security solutions Exportability (standard X.509v3) Support for secure group communication Support for multiple implementations 4

JAVA WS AUTH & AUTHZ Web Services use SOAP over HTTP for communicating messages. Implements the WS-Security standard and the WS-SecureConversation specification. Provided features are: authentication of the sender. encryption of the message. integrity protection of the message. replay attack protection. 5

GRID SECURITY INFRASTRUCTURE Provides: Transport-level and message-level security. Authentication through X.509 digital certificates. Several authorization schemes. Credential delegation and single sign-on. Different levels of security: container, service, resource and client. 6

GRID SECURITY INFRASTRUCTURE: TRANSPORT & MESSAGE-LEVEL SECURITY Transport-level security Encrypts the complete communication. Message-level security Encrypts only the content of the SOAP message. Both are based on public-key cryptography. Can guarantee privacy, integrity, authentication. Security schemes (not mutually exclusive): GSI Secure Message: message-level, WS-Security. GSI Secure Conversation: message-level, WS- SecureConversation, secure context, credential delegation. GSI Transport: transport-level, TLS(SSL). 7

GRID SECURITY INFRASTRUCTURE: TRANSPORT & MESSAGE-LEVEL SECURITY Technology Privacy (Encrypted) Integrity (Signed) Anonymous authentication GSI Secure Message WS-Security GSI Secure Conversation WS- SecureConvers ation GSI Transport TLS (SSL) YES YES YES YES YES YES NO YES YES Delegation NO YES NO Performance Good if sending few messages Good if sending many messages Best 8

GRID SECURITY INFRASTRUCTURE: AUTHENTICATION GSI supports three authentication methods: X.509 Certificates: provides strong authentication. all three protection schemes support X.509 certificates. Username and password: more limited form of authentication. privacy, integrity and delegation features are not supported. Anonymous authentication: unauthenticated communication. when using more than one security scheme. ex.: GSI Secure Conversation (with X.509 certificates) and anonymous GSI Transport escape redundant authentication. 9

GRID SECURITY INFRASTRUCTURE: BASIC AUTHENTICATION (HOW TO) Obtaining host certificates Request a certificate from well-known CA. Use SimpleCA: $GLOBUS_LOCATION/setup/globus/setup-simple-ca. $GLOBUS_LOCATION/setup/globus_simple_ca_CA_Hash_setu p/setup-gsi defaul. grid-cert-request -host 'hostname. grid-ca-sign -in hostcert_request.pem -out hostsigned.pem. Use Globus s low-trust cert.: http://gcs.globus.org:8080/gcs. Install host credentials in container Should be located in /etc/grid-security/. Container key should be only readable by globus user. Verify basic security (creating local proxy certificate) grid-proxy-init -verify debug. 10

GRID SECURITY INFRASTRUCTURE: AUTHORIZATION Based on XACML authorization model Policy Enforcement Point (PEP) intercepts the access requests from users and sends the requests to the PDP. Policy Decision Point (PDP) makes access decisions according to the security policy or policy set written by PAP. queries the PIP for attributes of the subjects, the resource, and the environment. the access decision is sent to the PEP. Policy Information Point (PIP) Policy Administration Point (PAP) A policy language Policies organized hierarchically into PolicySets, Policies and Rules. A rule is composed of a target, an effect and a condition. A Policy consists of a target, one or more rules, and an optional set of obligations. 11

GRID SECURITY INFRASTRUCTURE: GT4 AUTHORIZATION FRAMEWORK 12

GRID SECURITY INFRASTRUCTURE: BUILT-IN AUTHORIZATION OPTIONS Server-side authorization PDPs at Container, Service or Resource level None: no authorization is performed. Self: client s identity should match server s identity. Gridmap: a list of authorized users (ACL). Identity authz.: one user gridmap conf. programmatically. Host authz.: client should provide a host credential. SAML callout authz.: OGSA Authorization Service. Client-side authorization options None: no authorization is performed. Self: server s identity should mach client s identity. Identity authz.: service should have specified identity. Host: service should have a host credential and client should resolve address of the host. Custom authorization 13

GRID SECURITY INFRASTRUCTURE: SINGLE SIGN-ON AND DELEGATION A user should be able to initiate computations by authenticating only once. A computation may acquire resources, use resources, release resources, and communicate internally without further authentication of the user. Users should be able to delegate (restricted) rights to computational units (credential delegation). Public key based authentication do not expose your private key. 14

GRID SECURITY INFRASTRUCTURE: X.509 PROXY CERTIFICATES A proxy certificate is a special type of X.509 certificate that is signed by the normal end entity cert (or by another proxy). Gives the owner of the proxy the right of temporarily acting on the original entity s behalf. The private key of a proxy may not be secured by a password (exposure is limited). Contains embedded restriction policies Policy is evaluated by resource (upon proxy use). Reduces rights available to the proxy to a subset of those held by the original entity. May be used in local environment or created remotely and signed by the original entity to support delegation. 15

CONFIGURATION WITH SECURITY DESCRIPTORS: SETUP Configuring Container Security Descriptor $GLOBUS_LOCATION/etc/globus_wsrf_core/server-config.wsdd. Configuring Service Security Descriptor in the service's deployment descriptor section as a parameter. c 16

CONFIGURATION WITH SECURITY DESCRIPTORS: SETUP Configuring Resource Security Descriptor the object should be returned by getsecuritydescriptor method. Configuring Client Security Descriptor directly on the stub. c 17

CONFIGURATION WITH SECURITY DESCRIPTORS: COMMUNICATION Valid only for Service and Client Security Descriptors. <auth-method> <none/>: (server only) No authentication is performed. <GSISecureMessage> <protection-level> <integrity/>: the message must be integrity-protected (signed). <privacy/>: the message must be privacy-protected (encrypted and signed). <peer-credential value=" path to file with credentials to encrypt with">: (client only). <GSISecureConversation> <protection-level> <integrity/>: the message must be integrity-protected (signed). <privacy/>: the message must be privacy-protected (encrypted and signed). <anonymous/>: (client only) Server is accessed as anonymous. <delegation value= full/limited />: (client only) Type of delegation to be done. <context-lifetime/>: (client only) the lifetime of the context established. <GSITransport> <protection-level> <integrity/>: the message must be integrity-protected (signed). <privacy/>: the message must be privacy-protected (encrypted and signed). <anonymous/>: (client only) Server is accessed as anonymous. 18

CONFIGURATION WITH SECURITY DESCRIPTORS: CREDENTIALS Valid for Container, Service, Resource and Client Security Descriptors The credentials can be set using either: the path to a proxy file. the path to a certificate and key file. 19

CONFIGURATION WITH SECURITY DESCRIPTORS: AUTHORIZATION Server-side configuration: Client-side configuration: Identity authorization is done using the value as the identity. 20

CONFIGURATION WITH SECURITY DESCRIPTORS: OTHER Server-side configuration: Reject Limited Proxy - if clients that present limited proxies can be allowed to authenticate successfully. Replay attack prevention - messages outside of this time window will be rejected automatically, inside checked by UUID. Context lifetime lifetime of security context (GSI Secure Conv.). Default gridmap (resource level). Run-as mode (service level): credentials your service should use for the operation being invoked: <run-as value="caller"/>. <run-as value="service"/>. <run-as value="resource"/>. <run-as value="system"/>. Authentication and run-as per-method (service level). Context Timer Interval (container level) (GSI Secure Conversation). Replay Timer Interval (container level) (GSI Secure Message). Client-side configuration: Username/Password - <usernametype> element. 21

DEMO: SIMPLE CLIENT/SERVICE SECURITY Changes in MathService s source code Only logging security information. Logging the invoked method, identity of the caller, invocation subject, service subject and system subject. Using simple service security configuration Requiring private GSI Secure Conversation in service SD. No authorization (with none PDP interceptor). Shorthand client-side source code configuration (no SD) 1. Using GSI Secure Conversation with Encryption. 2. No client side authorization. 22

SECURITY SERVICES: COMMUNITY AUTHORIZATION SERVICE Q: How does a large community grant its users access to a large set of resources? Should minimize burden on both the users and resource providers. Community Authorization Service (CAS) Community negotiates access to resources. Resource outsources fine-grain authorization to CAS. Resource only knows about CAS user credential. CAS handles user registration, group membership User who wants access to resource asks CAS for a capability credential. Restricted proxy of the CAS user cred., checked by resource. 23

SECURITY SERVICES: COMMUNITY AUTHORIZATION PROTOTYPE 1. CAS request, with resource names and operations 2. CAS reply, with capability and resource CA info CAS Does the collective policy authorize this request for this user? user/group membership resource/collective membership collective policy information User 3. Resource request, authenticated with capability 4. Resource reply Resource Is this request authorized by the capability? Is this request authorized for the CAS? local policy information 24

SECURITY SERVICES: PASSPORT ONLINE CA & MYPROXY Requiring users to manage their own certs and keys is annoying and error prone. A solution: Leverage Passport global authentication to obtain a proxy credential. Online credential repository. Creates and issues new (restricted) proxy cert. to the user on demand (myproxy-init, myproxy-logon). Store X.509 proxy credentials in the MyProxy repository, protected by a passphrase, for later retrieval over the network. Users can store and retrieve multiple X.509 end-entity credentials (myproxy-store, myproxy-retrieve. Eliminates the need for copying private keys and certificate files. 25

SECURITY SERVICES: DELEGATION SERVICE Provides an interface for the delegation and renewal of credentials to a hosting environment. Allows for a single delegated credential to be reused across multiple service invocations. Improved online credential repositories. globus-credential-delegate - delegation client. globus-credential-refresh - delegation refresh client. globus-delegation-client - C delegation client. wsrf-destroy - destroys a resource. wsrf-query - performs query on a resource property document. 26

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback