Grid Security & IGCA Shikha Mehrotra C-DAC Knowledge Park Bangalore
Why is security a major concern? Because both customer data and programs reside on the resource provider's premises. One of the biggest security concerns about cloud/grid computing is that when you move your information into the cloud/grid, you lose control of it. The service gives you access to the data, but you have no way of ensuring that no one else has access to it.
Some important terms. What is authentication? An authentication system is how you identify yourself to the computer. The goal behind an authentication system is to verify that the user is actually who they say they are. What is authorization? Authorization checks whether an authenticated user has the proper permission to access a particular service.
What is the role of CERTIFICATES in grid?
Some important terms. Certificate: A certificate is a digital document that certifies that a certain public key is owned by a particular user. This document is signed by a Certificate Authority (CA). Certificate/Certification Authority (CA): A certification authority (CA) is an entity that issues digital certificates for use by other parties. Revoked Certificate: A certificate is said to be invalid once it is revoked.
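The relationship between a CA-signed certificate and a revoked one can be shown with a throwaway CA driven from the openssl command line. This is an added example, not IGCA's tooling or configuration; the CA name, user subject, file names and lifetimes are constructed.

```bash
# Added example (not IGCA tooling): a throwaway CA issues a certificate, then
# revokes it. Subjects, file names and lifetimes below are constructed.
revocation_demo() {
  local dir before after
  dir=$(mktemp -d) || return 1
  (
    cd "$dir" || exit 1
    exec 2>/dev/null                       # hide openssl progress output
    mkdir newcerts; : > index.txt; echo 01 > serial
    cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = toy_ca
[ toy_ca ]
database         = index.txt
new_certs_dir    = newcerts
serial           = serial
certificate      = ca.crt
private_key      = ca.key
default_md       = sha256
default_days     = 30
default_crl_days = 7
policy           = cn_only
[ cn_only ]
commonName = supplied
EOF
    # CA root (self-signed), then the user's key pair and CSR, signed by the CA.
    openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 30 \
      -subj "/CN=Toy Grid CA" -keyout ca.key -out ca.crt
    openssl req -config ca.cnf -new -newkey rsa:2048 -nodes \
      -subj "/CN=Constructed User" -keyout user.key -out user.csr
    openssl ca -config ca.cnf -batch -notext -in user.csr -out user.crt
    check() {  # publish a fresh CRL, then verify the user cert against it
      openssl ca -config ca.cnf -gencrl -out crl.pem
      openssl verify -CAfile ca.crt -CRLfile crl.pem -crl_check user.crt \
        >/dev/null && echo valid || echo rejected
    }
    before=$(check)
    openssl ca -config ca.cnf -revoke user.crt
    after=$(check)
    echo "before revocation: $before; after revocation: $after"
  )
  rm -rf "$dir"
}
```

The certificate itself is unchanged by revocation; it is rejected only because the verifier consults the CA's current CRL, which is why relying parties must fetch the published CRL.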
Registration Authority (RA): A Registration Authority (RA) is an authority in a network that verifies a user's request for a digital certificate and tells the Certificate Authority (CA) to issue the certificate. Verifies the applicant & photo identity in a face-to-face meeting. Approves/rejects the application.
So, who will issue the grid certificate?
IGCA: Indian Grid Certification Authority, located at C-DAC, Knowledge Park, Bangalore, India. IGCA is an accredited member of APGridPMA. Issues X.509 certificates to support the secure environment in the Grid (for GARUDA, institutes from India that do research in grid, and foreign institutes that collaborate with GARUDA).
IGCA Registration Process (diagram; parties shown: user, RA, IGCA Manager, CAO, web repository ca.garudaindia.in)
1. Fill application form for certificate request
2. Online CSR generation (CSR serial no.)
3. Face-to-face meeting
4. Mail/fax the application form with the photo ID (igca@cdac.in)
5. Verifies RA signature to ensure it is not tampered
6. Files the application form & hands over to CAO
7. Mail to download certificate
8. Issues the certificate
How long is my certificate valid?
Walkthrough
Homepage: http://ca.garudaindia.in/
User Certificate Request process: http://ca.garudaindia.in/index.php/certificate/request-a-new-certificate/
Host Certificate Request process: http://ca.garudaindia.in/index.php/certificate/host-certificate-request-process/
RA enrollment process: http://ca.garudaindia.in/index.php/ra/establish-ra/
Video Tutorials: http://ca.garudaindia.in/index.php/information/faq/video-guides/
IGCA contact: igca@cdac.in
Few examples.
What is a Grid Proxy? A short-lived certificate. Derived from public & private keys.
Garuda SLCS
Garuda SLCS. Website: http://labs.garudaindia.in The purpose of GARUDA SLCS is to provide grid users with instant access to the GARUDA grid for a trial period of 30 days. The fully automated SLCS process helps users such as beginners and workshop participants get quick access to, and experience of, GARUDA before using the operational grid.
Highlights: Get access in less than 5 minutes. Service over the internet. Targeted at beginners, to get the feel of GARUDA.
Virtual Organization. Definition: A virtual organization or company is one whose members are geographically apart, usually working by computer while appearing to others to be a single, unified organization with a real physical location. For example, a set of bioinformaticians at the University of Oxford may be working closely with a group at Harvard, and they wish to share their computational resources, services and/or applications.
VOMS: Virtual Organization Management/Membership Service. VOMS is a system to classify users that are part of a Virtual Organization (VO) on the basis of a set of attributes that will be granted to them upon request, and to include that information inside Globus-compatible proxy certificates.
VO Registration http://voms.garudaindia.in/
Thank You
List of support queues in Garuda
Sl. No. | Project Name | Support queue | E-mail
1 | Any grid related problem | GDeployment | grid-help@cdac.in
2 | Grid Portal | Portal | rt-gp@cdac.in
3 | Service Oriented Architecture | SOA | rt-soa@cdac.in
4 | GARUDA VOMS | Voms | voms@cdac.in
5 | Grid IDE Tool | GridIDE | rt-gide@cdac.in
6 | OSDD | OSDD | rt-osdd@cdac.in
7 | Garuda Network Related | Netops | netops@cdac.in
8 | GARUDA SRM | GDS | rt-gds@cdac.in
9 | Not sure about the queue | Other | rt@cdac.in
Phone support. Grid Support: 080-66116511, 080-66116472, 080-66116474. Network Support: 080-66116510, 080-66116473. Grid Portal: 080-66116493, 080-66116494, 080-66116459. GSRM: 080-66116692, 080-66116457.
Grid Support. To log your support request: go to http://gridsupport.garudaindia.in, log in with your GARUDA account, and raise a ticket in the appropriate queue. To raise a problem ticket: select the queue, then click "new ticket". Support requests can also be sent via e-mail.
Garuda RT (Request Tracker) Login page Raising a ticket
Garuda Resource List
Institution | Location | Resources
Space Application Centre | Ahmedabad | VSAT Terminal - 2 Nos.
Indian Institute of Science | Bangalore | 64 cpu; POWER5; Linux
Raman Research Institute | Bangalore | 32 cpu; Opteron; Linux
Institute of Mathematical Sciences | Chennai | 24 cpu; Opteron cluster (Cray XD1)
Madras Institute of Technology | Chennai | 16 cpu; P4; Linux
Indian Institute of Technology | Delhi | 32 cpu; Opteron; Linux
Jawaharlal Nehru University | Delhi | 32+16+16 cpu; Opteron, Opteron, Itanium; Linux
Institute of Genomics and Integrative Biology | Delhi | 48 cpu; Xeon; Linux
Indian Institute of Technology | Guwahati | 128 cpu; Opteron; Linux
University of Hyderabad | Hyderabad | 32 way SMP; POWER4, AIX
Indian Institute of Technology | Kharagpur | 16+16 cpu; Power PC2, Xeon; AIX, Linux
Physical Research Laboratory | Ahmedabad | 32 cpus; 64bit AMD
Institute of Microbial Technology | Chandigarh | -
University of Pune | Pune | -
GARUDA Partners
Virtual User Community in Garuda
Group Name | Description
Bioinformatics | Application of statistics and computer science to molecular biology
ClimateModelling | Deals with the dynamics of the climate system
OSDD | Community dedicated to developing drugs for tropical infectious diseases like malaria, tuberculosis
GeoPhysis | Study related to the physics of the Earth and its environment in space
CAE | Usage of computer software to solve engineering problems
IndianHeritage | Focused on technology products for preserving & processing heritage texts
HealthInformatics | Focused on utilizing compute power for health informatics
MaterialScience | Interdisciplinary field applying the properties of matter to science and engineering
Euindia | The vision of a worldwide Grid for Research by both Europe and India
ToolsDeveloper | Forum to communicate and collaborate on developing Garuda tools
What is the CRIN pin mail? What will I do with it? The CRIN pin (Certificate Revocation Number) is mailed to the user (encrypted with the user's public key) at certificate creation time. It is used for requesting certificate revocation. The CRIN pin can be viewed only by decrypting it with the user's private key, so only the user can request revocation.
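The CRIN pin mechanism rests on public-key encryption: anyone can encrypt to the user's public key, but only the matching private key decrypts. The sketch below is an added example, not IGCA's mail format; RSA-OAEP through openssl pkeyutl, the PIN value and the file names are assumptions.

```bash
# Added example: a revocation PIN encrypted to the user's public key.
# The PIN, key sizes and file names are constructed for illustration.
crin_demo() {
  local dir owner other
  dir=$(mktemp -d) || return 1
  (
    cd "$dir" || exit 1
    exec 2>/dev/null                       # hide openssl progress output
    # The user's key pair; the sender only ever needs the public half.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out user.key
    openssl pkey -in user.key -pubout -out user.pub
    # An unrelated key pair, standing in for anyone else who reads the mail.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out other.key
    # Sender side: encrypt the PIN to the user's public key. With OAEP
    # padding, decryption under the wrong key fails with an error.
    printf '%s' 'CRIN-EXAMPLE-0000' |
      openssl pkeyutl -encrypt -pubin -inkey user.pub \
        -pkeyopt rsa_padding_mode:oaep -out crin.enc
    reveal() {  # try to recover the PIN with the private key in file $1
      openssl pkeyutl -decrypt -inkey "$1" -pkeyopt rsa_padding_mode:oaep \
        -in crin.enc || echo "unreadable"
    }
    owner=$(reveal user.key)
    other=$(reveal other.key)
    echo "owner sees: $owner; other key sees: $other"
  )
  rm -rf "$dir"
}
```

The guarantee holds only while the private key stays with the user, which is why the RA role insists on private-key protection.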
CP/CPS (IGCA CP/CPS; OID: 1.3.1.4.1.31180.10.1.1.0). Topics shown: certificate and CRL profile; security controls; certificate issuance, rekey, revoke; procedural controls; auditing and logging procedures; other business & legal matters.
IGTF: The International Grid Trust Federation (IGTF) is a body that establishes common policies and guidelines among its member Policy Management Authorities (PMAs). http://www.igtf.net/
APGridPMA: The APGridPMA (http://www.apgridpma.org/) is the international organization that coordinates the trust fabric for e-science in Asia-Pacific, working in close collaboration, via the International Grid Trust Federation (IGTF), with the other regional peers: EuGridPMA; the Americas Grid PMA.
IGCA Roles - RA. A Registration Authority (RA) is an authority in a network that verifies a user's request for a digital certificate and tells the Certificate Authority (CA) to issue the certificate. Verifies the applicant & photo identity in a face-to-face meeting. Approves/rejects the application. Records events in the RA record form. Insists that users protect their private keys. Reports changes in subscribers' information to IGCA. Requests revocation when an end entity leaves the organization. Informs IGCA when the RA leaves the organization.
IGCA Roles - IGCA Manager. Assists users/RAs regarding IGCA operations. Accepts the application forms & verifies the RA signature. Files the application form & hands it over to the CAO. Communicates with the RA securely.
IGCA Roles - CAO. Setup & maintenance of the IGCA. Updates the CP/CPS, operational manual and security document. Issues/revokes/re-keys certificates & publishes them in the web repository. Issues the CRL & publishes it in the web repository.
RA. A Registration Authority (RA) is an authority in a network that verifies a user's request for a digital certificate and tells the Certificate Authority (CA) to issue the certificate. Verifies the applicant & photo identity in a face-to-face meeting. Approves/rejects the application. Insists that users protect their private keys. Reports changes in subscribers' information to IGCA. Requests revocation when an end entity leaves the organization. Informs IGCA when the RA leaves the organization.