EUROPEAN MIDDLEWARE INITIATIVE

Similar documents
Argus Vulnerability Assessment *1

Grid services. Enabling Grids for E-sciencE. Dusan Vudragovic Scientific Computing Laboratory Institute of Physics Belgrade, Serbia

Troubleshooting Grid authentication from the client side

glite Grid Services Overview

30 Nov Dec Advanced School in High Performance and GRID Computing Concepts and Applications, ICTP, Trieste, Italy

Interfacing Operational Grid Security to Site Security. Eileen Berman Fermi National Accelerator Laboratory

First Principles Vulnerability Assessment. Motivation

Bookkeeping and submission tools prototype. L. Tomassetti on behalf of distributed computing group

Parallel Computing in EGI

Grid Authentication and Authorisation Issues. Ákos Frohner at CERN

SLCS and VASH Service Interoperability of Shibboleth and glite

Troubleshooting Grid authentication from the client side

Improving Grid User's Privacy with glite Pseudonymity Service

The PanDA System in the ATLAS Experiment

Grid Infrastructure For Collaborative High Performance Scientific Computing

Grid Computing. MCSN - N. Tonellotto - Distributed Enabling Platforms

How to Set Up External CA VPN Certificates

Setup Desktop Grids and Bridges. Tutorial. Robert Lovas, MTA SZTAKI

Overview of HEP software & LCG from the openlab perspective

The glite middleware. Presented by John White EGEE-II JRA1 Dep. Manager On behalf of JRA1 Enabling Grids for E-sciencE

Job submission and management through web services: the experience with the CREAM service

LCG-2 and glite Architecture and components

On the employment of LCG GRID middleware

EMI Deployment Planning. C. Aiftimiei D. Dongiovanni INFN

DataGrid. Document identifier: Date: 24/11/2003. Work package: Partner: Document status. Deliverable identifier:

FREE SCIENTIFIC COMPUTING

Introduction to Grid Infrastructures

Grid Security Infrastructure

EUROPEAN MIDDLEWARE INITIATIVE

VOMS Support, MyProxy Tool and Globus Online Tool in GSISSH-Term Siew Hoon Leong (Cerlane) 23rd October 2013 EGI Webinar

Grid Architectural Models

Grid Computing Security

ShibVomGSite: A Framework for Providing Username and Password Support to GridSite with Attribute based Authorization using Shibboleth and VOMS

Certificate Properties File Realm

Credential Management in the Grid Security Infrastructure. GlobusWorld Security Workshop January 16, 2003

Managing Certificates

A QUICK INTRODUCTION TO VOMS

Server Installation and Administration Guide

g-eclipse A Framework for Accessing Grid Infrastructures Nicholas Loulloudes Trainer, University of Cyprus (loulloudes.n_at_cs.ucy.ac.

Installing and Configuring VMware Identity Manager Connector (Windows) OCT 2018 VMware Identity Manager VMware Identity Manager 3.

M2M / IoT Security. Eurotech`s Everyware IoT Security Elements Overview. Robert Andres

GRID COMPUTING APPLIED TO OFF-LINE AGATA DATA PROCESSING. 2nd EGAN School, December 2012, GSI Darmstadt, Germany

Grid Computing Middleware. Definitions & functions Middleware components Globus glite

Securing ArcGIS Services

Configuring Windows 7 VPN (Agile) Client for authentication to McAfee Firewall Enterprise v8. David LePage - Enterprise Solutions Architect, Firewalls

Advanced Job Submission on the Grid

GSI Online Credential Retrieval Requirements. Jim Basney

Gergely Sipos MTA SZTAKI

User Authentication Principles and Methods

NeuroLOG WP1 Sharing Data & Metadata

DIRAC distributed secure framework

New open source CA development as Grid research platform.

Introduction to Programming and Computing for Scientists

AMGA metadata catalogue system

ENTRUST CONNECTOR Installation and Configuration Guide Version April 21, 2017

Grids and Security. Ian Neilson Grid Deployment Group CERN. TF-CSIRT London 27 Jan

( PROPOSAL ) THE AGATA GRID COMPUTING MODEL FOR DATA MANAGEMENT AND DATA PROCESSING. version 0.6. July 2010 Revised January 2011

On-demand target, up and running

GLOBUS TOOLKIT SECURITY

TIPS AND TRICKS. Johan Olivier SECURITY

Using SSL to Secure Client/Server Connections

The EU DataGrid Testbed

VMware Identity Manager Connector Installation and Configuration (Legacy Mode)

Deploying the TeraGrid PKI

Comparative evaluation of software tools accessing relational databases from a (real) grid environments

Monitoring System for the GRID Monte Carlo Mass Production in the H1 Experiment at DESY

DESY. Andreas Gellrich DESY DESY,

International Collaboration to Extend and Advance Grid Education. glite WMS Workload Management System

Managing Grid Credentials

Configuring SSL. SSL Overview CHAPTER

The ATLAS PanDA Pilot in Operation

Features and Future. Frédéric Hemmer - CERN Deputy Head of IT Department. Enabling Grids for E-sciencE. BEGrid seminar Brussels, October 27, 2006

Grid Computing Fall 2005 Lecture 5: Grid Architecture and Globus. Gabrielle Allen

Nolij Transfer 6 Migration Planning & Preparation. Danielle Whitney Services Product Manager

Configuring SSL. SSL Overview CHAPTER

Layered Architecture

High Performance Computing Course Notes Grid Computing I

Implementing GRID interoperability

Federated Authentication with Web Services Clients

ISY994 Series Network Security Configuration Guide Requires firmware version Requires Java 1.8+

Grid Interoperation and Regional Collaboration

The glite middleware. Ariel Garcia KIT

YAIM Overview. Bruce Becker Meraka Institute. Co-ordination & Harmonisation of Advanced e-infrastructures for Research and Education Data Sharing

LDAP Directory Integration

The CORAL Project. Dirk Düllmann for the CORAL team Open Grid Forum, Database Workshop Barcelona, 4 June 2008

Argus Authorization Service

Introduction to Programming and Computing for Scientists

EGI-InSPIRE. GridCertLib Shibboleth authentication for X.509 certificates and Grid proxies. Sergio Maffioletti

ALHAD G. APTE, BARC 2nd GARUDA PARTNERS MEET ON 15th & 16th SEPT. 2006

IBM. Security Digital Certificate Manager. IBM i 7.1

LHC COMPUTING GRID INSTALLING THE RELEASE. Document identifier: Date: April 6, Document status:

Certificate Renewal on Cisco Identity Services Engine Configuration Guide

INDIGO AAI An overview and status update!

LCG User Registration & VO management

VMs at a Tier-1 site. EGEE 09, Sander Klous, Nikhef

Using the MyProxy Online Credential Repository

/****************************************************************************\ DAS Release for Solaris, Linux, and Windows

Configuring SSL CHAPTER

Hypertext Transfer Protocol Over Secure Sockets Layer (HTTPS)

EUROPEAN MIDDLEWARE INITIATIVE

Transcription:

EUROPEAN MIDDLEWARE INITIATIVE VOMS CORE AND WMS SECURITY ASSESSMENT EMI DOCUMENT Document identifier: EMI-DOC-SA2- VOMS_WMS_Security_Assessment_v1.0.doc Activity: Lead Partner: Document status: Document link: SA2 CSIC Final https://cdsweb.cern.ch/record/1277602 Abstract: VOMS Core and WMS security vulnerability assessment INFSO-RI-261611 2010-2013 Members of EMI collaboration PUBLIC 1 / 6

1. SECURITY ASSESSMENT OF SOFTWARE PRODUCTS Products Release Discovered Vulnerabilities Fixed glexec 0.8 EMI 1 2 - Argus 1.2 EMI 1 0 0 VOMS Core 2.0.2 EMI 1 1 0 WMS 3.3.4 EMI 1 Update 11 In progress - Currently, the progress status for the components under evaluation is as follows: VOMS Core 2.0.2: the assessment is completed and one vulnerability was found. We worked on VOMS Core from July, 2011 to January, 2012 (seven months). WMS 3.3.4: The assessment is currently at the Component Evaluation Step. We started to work on WMS in February, 2012. Now we show the intermediate artefacts as a result of the three first steps of FPVA, namely the Architectural 1 and Resource 2 diagrams for both VOMS Core and WMS. 1 Architectural Analysis: identify the major structural components of the system, including modules, threads, processes, and hosts. For each of these components, identify the way in which they interact, both with each other and with users. The artefact produced at this stage is a document that diagrams the structure of the system and the interactions amongst the different components and with the end users. 2 Resource Identification: identify the key resources accessed by each component and the operations supported on those resources. Resources include elements such as hosts, files, databases, logs, and devices. For each resource, describe its value as an end target or as an intermediate target. The artefact produced at this stage is an annotation of the architectural diagrams with resource descriptions. EMI RI-261611 Members of the EMI collaboration PUBLIC 2 / 6

2. VOMS CORE 2.0.2 Figure 1: VOMS Architecture Diagram Figure 1shows the generic architecture of VOMS. VOMS is divided in two main components, VOMS Core and VOMS Admin. To connect and authenticate to the VOMS daemon, users must have a valid end entity certificate that is signed by a trusted CA, and has not been revoked. This certificate is used to sign a time limited proxy certificate that is used for authentication to the VOMS daemon. To gain access to the VOMS daemon services the client software uses the authentication proxy certificate to negotiate a SSL connection using mutual authentication between the client and the VOMS daemon. On the other hand, the VOMS Admin component consists of a VOMS Admin server, which is a Java application that runs under Tomcat; a web user interface, which is used by users for daily administration tasks; and a SOAP interface for remote clients, called voms-admin that can perform most of the main actions using a SOAP interface to VOMS Admin. The VOMS database stores the membership of the virtual organization, their roles and attributes, and data only used by VOMS Admin. The VOMS daemon only reads the database, while VOMS Admin component both reads and writes the database. INFSO-RI-261611 2010-2013 Members of EMI collaboration PUBLIC 3 / 6

Figure 2: VOMS Client-Server Interaction Diagram All interactions between the VOMS server and a VOMS client follow a pattern shown in Figure 2. To begin the client-server interaction, the client process makes a connection to the VOMS daemon. When the connection is made, the VOMS server uses a forking server model to handle all requests, so a forked copy of the VOMS daemon is created that handles the interaction with this connection. Next, the VOMS daemon checks the user authentication certificate DN for authorization, and that the requested attributes are valid. If authorized, the VOMS daemon returns an attribute certificate binding the user DN with the requested attributes, and the client creates a new proxy certificate with the returned attribute certificate embedded. After servicing the request, the forked VOMS daemon exits. The above sequence of steps may be repeated any number of times. The forked server model allows concurrent execution of request, and isolates requests from each other. The main resource that the VOMS daemon manages is the VOMS database, which contains all the information about users in a VO with their roles and attributes. The database also contains data used by VOMS Admin. VOMS can use an Oracle or MySQL database. In our assessment we used a MySQL database. The VOMS daemon also uses other files such as the TRUSTED_CA directory that contains files describing all the trusted Certificate Authorities (CA) including the CA certificates and signing policy files of the CAs trusted by the Grid Security Infrastructure (GSI). The /etc/grid-security directory contains the X.509 host certificate and private key. The CONFIG_DIR VO_NAME directory contains the configuration files of VOMS, including a file with the database user and password. Finally, the log files are used to keep track of the activity performed by VOMS Core. INFSO-RI-261611 2010-2013 Members of EMI collaboration PUBLIC 4 / 6

Figure 3: VOMS Core Resources Diagram (VOMS Client) On the client side, as shown in Figure 3, the main resource that the VOMS Client manages is the user certificate/key, called respectively usercert and userkey. Both PKCS12 and PEM formatted credentials are acceptable. INFSO-RI-261611 2010-2013 Members of EMI collaboration PUBLIC 5 / 6

3. WMS 3.3.4 User Host User Interface VOMS Host VOMS Server LFC Host LCG File Catalog IS Host Information Service Workload Manager System (WMS) 3.3.4 Architecture SOAP/ HTTPS Job Status GridFTP WM Proxy Server Workload Manager Match-Maker / Broker CE Host Apache Information supermarket Proxy Renewal RB Host LB DataBase Logging and Bookkeeping LB Proxy Job Controller Condor G Log Monitor Local File System Figure 4: WMS Architecture Diagram ICE CE Host CREAM LRMS WN Host WN job OS privileges user root DB privileges LB_Admin External Component As shown in Figure 4, the Workload Management System (WMS) is a collection of components responsible for the distribution and management of tasks across grid resources. The WMS basically receives requests of job execution from a client, finds the required appropriate resources, then dispatches and follows the jobs until completion, handling failure whenever possible. The core component of the WMS is the Workload Manager (WM), whose purpose is to accept and satisfy requests for job management coming from its clients. The main resources that the WMS manages are the user certificate/key, the SandBox directory and the log files. INFSO-RI-261611 2010-2013 Members of EMI collaboration PUBLIC 6 / 6

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback