

Number of slides: 25

Security Mechanisms
The European DataGrid Project Team
http://www.eu-datagrid.org

Overview
- User side
  - Getting a certificate
  - Becoming a member of the VO
- Server side
  - Authentication / CA
  - Authorization / VO (with some examples)
Security Tutorial - n° 2

Authentication/Authorization
- Authentication (CA Working Group)
  - 16 national certification authorities + CrossGrid CAs
  - policies & procedures -> mutual trust
  - users identified by the CAs' certificates
- Authorization (Authorization Working Group)
  - Based on Virtual Organizations (VO).
  - Management tools for VO membership lists.
  - 6+2 Virtual Organizations
CAs: CERN, CESNET, CNRS (3), Grid-Ireland, GermanGrid, INFN, NIKHEF, LIP, NorduGrid, Russian DataGrid, DATAGRID-ES, GridPP, US-DOE Root CA, US-DOE Sub CA, CrossGrid (*)
VOs: ALICE, ATLAS, CMS, LHCb, Earth Obs., Biomedical, Testbed, Tutorial

Authentication Overview (diagram: the actors CA, service, user and VO)

Certificate Request (diagram: the user runs grid-cert-request and sends the cert-request to the CA; once in every year)

Requesting a Certificate
- grid-cert-request
  (margin note: check the website of your national CA)

  A certificate request and private key is being created.
  [...]
  Using configuration from /usr/local/grid/globus/etc/globus-user-ssleay.conf
  Generating a 1024 bit RSA private key
  [...]
  A private key and a certificate request has been generated with the subject:
  /O=Grid/O=CERN/OU=cern.ch/CN=Akos Frohner
  [...]
  Your private key is stored in .../.globus/userkey.pem
  Your request is stored in .../.globus/usercert_request.pem
  Please e-mail the certificate request to the CERN CA
  cat .../.globus/usercert_request.pem | mail cern-globus-ca@cern.ch
  Your certificate will be mailed to you within two working days.

Request Details... (example)
- openssl req -in ~/.globus/usercert_request.pem -text

  Data:
      Version: 0 (0x0)
      Subject: O=Grid, O=CERN, OU=cern.ch, CN=Akos Frohner        <- user information
      Subject Public Key Info:
          Public Key Algorithm: rsaEncryption
          RSA Public Key: (1024 bit)
              Modulus (1024 bit):                                  <- public key
                  00:ba:ae:e2:9a:98:be:94:f5:9e:e7:f7:06:58: [...]
              Exponent: 65537 (0x10001)
  Signature Algorithm: md5WithRSAEncryption                        <- signature on the public key and user information
      29:87:63:40:65:af:1b:39:e9:71:b9:3f:70:80:0c:27:71:0e: [...]
  -----BEGIN CERTIFICATE REQUEST-----                              <- PEM encoded request
  MIIBhjCB8AIBADBHMQ0wCwYDVQQKEwRHcmlkMQ0wC [...]
  -----END CERTIFICATE REQUEST-----

Certificate Signing (diagram: the CA's cert signing step turns the cert-request into a certificate that is returned to the user)

Signing a Request (example)
Upon a certificate request from the user:
- checking the identity of the user (Registration Authority)
- signing the request and sending back the result
  - openssl ca -in usercert_request.pem -out usercert.pem
- if something goes wrong: revocation of a certificate -> CRL
- the issued certificates are described in the Certificate Policy (CP)
- the process is described in the Certificate Practice Statement (CPS)

Certificate Details 1. (example)
- openssl x509 -in ~/.globus/usercert.pem -text

  Certificate:
      Data:
          Version: 3 (0x2)                                         <- X.509 v3, with extensions
          Serial Number: 199 (0xc7)
          Signature Algorithm: md5WithRSAEncryption
          Issuer: C=CH, O=CERN, CN=CERN CA                         <- issuer CA
          Validity
              Not Before: Jun 11 08:25:59 2002 GMT                 <- long term certificate
              Not After : Sep 29 11:22:33 2002 GMT
          Subject: O=Grid, O=CERN, OU=cern.ch, CN=Akos Frohner    <- user information
          Subject Public Key Info:                                 <- same as in the request
  [...]

Preparation for Registration (diagram: the user converts the certificate into cert.pkcs12)

Registration/Authorization
User registration in an EDG Virtual Organisation
- convert your certificate:
  - openssl pkcs12 -export -in ~/.globus/usercert.pem -inkey ~/.globus/userkey.pem -out user.p12 -name 'Joe Smith'
- import your certificate in your browser
- sign the usage guidelines: https://marianne.in2p3.fr/cgi-bin/datagrid/register/account.pl
- ask an account from your VO administrator by email
-> You are registered in the VO-LDAP server and have a user account.

Registration (diagram: the user registers with the VO after accepting the usage guidelines; once for the lifetime of the VO - only the DN is registered, not the keys, so they may change)

Starting a Session (diagram: the user creates a proxy-cert with grid-proxy-init; every 12/24 hours)

Usage
You must have a valid certificate from a trusted CA!
- "login": grid-proxy-init
  - short lifetime certificate: 24 hours
    Enter PEM pass phrase:
    ......+++++
- checking the proxy: grid-proxy-info -subject
    /O=Grid/O=CERN/OU=cern.ch/CN=Akos Frohner/CN=proxy
- "logout": grid-proxy-destroy
-> use the grid services

Certificate Request for a Host (diagram: the service sends a host-request to the CA, created with grid-cert-request; once in every year)

Signing the Certificate (diagram: the CA signs the host-request and returns the host-cert to the service)

Configuration on the Server (diagram: the service installs the ca-certificate and crl through its cert/crl update, automatically updated every night/week, and is configured with the VO-LDAP server)

Service (info)
You must have the trusted CA certificates in files and the VO-LDAP server(s) URL configured.
- registering a trusted CA
  - /etc/grid-security/certificates: hashed cert, crl and url
- generating a gridmap file: mkgridmap
  - /etc/grid-security/gridmap: DN -> userid/gid mapping
- generating a host/service certificate: grid-cert-request -host (see user certificates for the whole process)
Start the service!
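The DN-to-account lookup a service performs in its gridmap file, as an added example that is not part of the tutorial or of the EDG/Globus code. The mapfile content is constructed; its line format, a double-quoted DN followed by the local account, is the format Globus grid-mapfiles use, which the slides themselves do not show. The DN a client presents comes from its proxy certificate, so the lookup first strips the trailing /CN=proxy seen in the grid-proxy-info output; treating further /CN=proxy components from delegation the same way is an assumption beyond the slides.

```shell
#!/bin/sh
# Added example, not from the EDG tutorial: DN -> local account lookup in a
# gridmap file (the slide's /etc/grid-security/gridmap, written by mkgridmap).
# The mapfile below is constructed; "<DN>" <account> is the Globus format.
set -eu

GRIDMAP='# constructed grid-mapfile: "DN" local-account
"/O=Grid/O=CERN/OU=cern.ch/CN=Akos Frohner" akos
"/O=Grid/O=CERN/OU=cern.ch/CN=Joe Smith" joesmith
"/O=Grid/O=CERN/OU=cern.ch/CN=Jane Roe" alice001'

# A proxy carries the user DN plus "/CN=proxy" (grid-proxy-info -subject on the
# Usage slide). Strip every trailing /CN=proxy so the long-term DN registered
# in the VO is what gets looked up (delegated proxies add more of them: an
# assumption beyond the slides).
user_dn() {
  dn=$1
  while [ "${dn%/CN=proxy}" != "$dn" ]; do dn=${dn%/CN=proxy}; done
  printf '%s\n' "$dn"
}

# Whole-DN, case-sensitive match against the quoted first field; prints the
# account, or returns 1 so the caller refuses the connection. No prefix or
# substring match: "/CN=Joe Smith" must not open the account of "/CN=Joe Smithson".
map_dn() {
  want=$(user_dn "$1")
  printf '%s\n' "$GRIDMAP" | awk -v want="$want" '
    /^[[:space:]]*#/ || NF == 0 { next }        # comments and blank lines
    {
      s = index($0, "\"")                       # opening quote
      e = index(substr($0, s + 1), "\"")        # closing quote, relative to s
      if (s == 0 || e == 0) next                # malformed line: ignore it
      if (substr($0, s + 1, e - 1) == want) { print $NF; found = 1; exit }
    }
    END { exit found ? 0 : 1 }'
}

# Demo: one registered user and one look-alike DN that is not in the file.
for dn in "/O=Grid/O=CERN/OU=cern.ch/CN=Akos Frohner/CN=proxy" \
          "/O=Grid/O=CERN/OU=cern.ch/CN=Joe Smithson/CN=proxy"; do
  if acct=$(map_dn "$dn"); then
    echo "$dn -> local account $acct"
  else
    echo "$dn -> not in gridmap, access denied"
  fi
done
```

The point of the exact whole-line comparison is the same one the slide makes with "DN -> userid/gid mapping": the certificate only authenticates; which local identity (if any) a DN gets is decided entirely by this file, so a loose match here would turn a valid certificate from any trusted CA into somebody else's account.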

Service: CA Certificates (example)
- ls /etc/grid-security/certificates
  0ed6468a.0   0ed6468a.crl_url   0ed6468a.r0   0ed6468a.signing_policy
  16da7552.0   16da7552.crl_url   16da7552.r0   16da7552.signing_policy
  c35c1972.0   c35c1972.crl_url   c35c1972.r0   c35c1972.signing_policy
  cf4ba8c8.0   cf4ba8c8.crl_url   cf4ba8c8.r0   cf4ba8c8.signing_policy
  d64ccb53.0   d64ccb53.crl_url   d64ccb53.r0   d64ccb53.signing_policy
  df312a4e.0   df312a4e.crl_url   df312a4e.r0   df312a4e.signing_policy
- cat c35c1972.crl_url
  http://globus.home.cern.ch/globus/ca/cern.crl.pem

Service: Revocation List (example)
- openssl crl -in c35c1972.r0 -text

  Certificate Revocation List (CRL):
          Version 1 (0x0)
          Signature Algorithm: md5WithRSAEncryption
          Issuer: /C=CH/O=CERN/CN=CERN CA                  <- the issuer is the CA itself
          Last Update: Jul  1 17:53:17 2002 GMT
          Next Update: Aug  5 17:53:17 2002 GMT            <- next update: shall be checked
  Revoked Certificates:
      Serial Number: 5A                                    <- the revoked certificate's number
          Revocation Date: May 24 16:45:52 2002 GMT
      Signature Algorithm: md5WithRSAEncryption            <- signature, as usual
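The steps of the preceding slides, from grid-cert-request through openssl ca, the PKCS#12 conversion and grid-proxy-init to the hashed CA directory and the CRL check a service makes, replayed end to end with the plain openssl command line. This is an added example, not code from the tutorial or from the EDG or Globus projects. Every DN, file name, URL and password in it is constructed and the CA is a stand-in for a real one such as the CERN CA. The proxy is built with the RFC 3820 proxyCertInfo extension so that stock OpenSSL can validate the chain with -allow_proxy_certs; that standard form is assumed here in place of whatever proxy format the 2002 tools emitted, which the slides do not show. File names use -subject_hash_old, which produces the eight-hex-digit names of the slide's listing.

```shell
#!/bin/sh
# Added example, not from the EDG tutorial: the certificate lifecycle from the
# slides (request, CA signing, PKCS#12 export, proxy, hashed CA directory, CRL)
# replayed with the openssl CLI in a scratch directory. Every name, DN, URL and
# password below is constructed; the CA is a stand-in for a real one.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI required" >&2; exit 1; }

WORK=$(mktemp -d)
CA_DN="/C=CH/O=CERN/CN=Tutorial Stand-in CA"        # constructed
USER_DN="/O=Grid/O=CERN/OU=cern.ch/CN=Joe Smith"    # constructed

# CA side: minimal 'openssl ca' setup (database, serial and CRL number files)
mkdir -p "$WORK/newcerts" "$WORK/certificates"
: > "$WORK/index.txt"; echo 01 > "$WORK/serial"; echo 01 > "$WORK/crlnumber"
cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca       = tutorial_ca
[ tutorial_ca ]
dir              = $WORK
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/cacert.pem
private_key      = \$dir/cakey.pem
default_md       = sha256
default_days     = 110
default_crl_days = 35
policy           = grid_policy
[ grid_policy ]
organizationName       = supplied
organizationalUnitName = optional
commonName             = supplied
EOF
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -subj "$CA_DN" \
  -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null

# User side, as grid-cert-request does it: private key + request (usercert_request.pem)
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$USER_DN" \
  -keyout "$WORK/userkey.pem" -out "$WORK/usercert_request.pem" 2>/dev/null
chmod 0400 "$WORK/userkey.pem"

# CA side: sign the request after identity vetting (the slide's 'openssl ca' step)
openssl ca -config "$WORK/ca.cnf" -batch -notext \
  -in "$WORK/usercert_request.pem" -out "$WORK/usercert.pem" >/dev/null 2>&1

# User side: PKCS#12 bundle for the browser import step
openssl pkcs12 -export -in "$WORK/usercert.pem" -inkey "$WORK/userkey.pem" \
  -name 'Joe Smith' -passout pass:constructed-demo -out "$WORK/user.p12"

# grid-proxy-init equivalent: a 24-hour proxy signed with the USER key, subject =
# user DN + "/CN=proxy". The RFC 3820 proxyCertInfo extension is what lets
# 'openssl verify -allow_proxy_certs' accept an end-entity cert as the issuer.
printf 'proxyCertInfo = critical,language:id-ppl-anyLanguage,pathlen:0\n' > "$WORK/proxy.ext"
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$USER_DN/CN=proxy" \
  -keyout "$WORK/proxykey.pem" -out "$WORK/proxy_req.pem" 2>/dev/null
openssl x509 -req -in "$WORK/proxy_req.pem" -CA "$WORK/usercert.pem" -CAkey "$WORK/userkey.pem" \
  -CAcreateserial -days 1 -sha256 -extfile "$WORK/proxy.ext" -out "$WORK/proxycert.pem" 2>/dev/null
cat "$WORK/proxycert.pem" "$WORK/proxykey.pem" "$WORK/usercert.pem" > "$WORK/x509up_u$(id -u)"

# Server side: hashed CA directory (<hash>.0, <hash>.r0, <hash>.crl_url) like
# /etc/grid-security/certificates; -subject_hash_old gives the MD5-style names
# of the slide, modern OpenSSL directory lookups use -subject_hash instead.
HASH=$(openssl x509 -in "$WORK/cacert.pem" -noout -subject_hash_old)
cp "$WORK/cacert.pem" "$WORK/certificates/$HASH.0"
echo "http://ca.example.invalid/ca.crl.pem" > "$WORK/certificates/$HASH.crl_url"   # constructed
openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/certificates/$HASH.r0" 2>/dev/null

proxy_subject() {   # what grid-proxy-info -subject prints
  openssl x509 -in "$WORK/proxycert.pem" -noout -subject -nameopt compat | sed 's/^subject= *//'
}
verify_user() { openssl verify -CAfile "$WORK/cacert.pem" "$WORK/usercert.pem" >/dev/null 2>&1; }
verify_proxy() {
  openssl verify -allow_proxy_certs -CAfile "$WORK/cacert.pem" \
    -untrusted "$WORK/usercert.pem" "$WORK/proxycert.pem" >/dev/null 2>&1
}
verify_user_crl() {   # the check a service makes against the installed CRL
  openssl verify -crl_check -CAfile "$WORK/cacert.pem" \
    -CRLfile "$WORK/certificates/$HASH.r0" "$WORK/usercert.pem" >/dev/null 2>&1
}
revoke_user() {   # "if something goes wrong: revocation -> CRL"
  openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/usercert.pem" >/dev/null 2>&1
  openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/certificates/$HASH.r0" 2>/dev/null
}

echo "proxy subject: $(proxy_subject)"
verify_user && echo "user certificate chains to the CA"
verify_proxy && echo "proxy chains through the user certificate to the CA"
verify_user_crl && echo "CRL check passes before revocation"
revoke_user
verify_user_crl || echo "CRL check rejects the certificate after revocation"
```

Run it as an ordinary user; it writes only under the mktemp directory. The last two lines are the reason the slide flags the CRL's Next Update field: the revoked certificate is still perfectly valid by signature and dates, and only a service that actually fetches and checks a fresh CRL (the nightly/weekly cert/crl update on the configuration diagram) will refuse it.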

Authorization Information (diagram: the service builds its gridmap from the VO-LDAP server with mkgridmap; automatically updated every night/week)

Using a Service (diagram: the user contacts the service with the proxy-cert; host/proxy certs exchanged)

Summary
Obtaining a certificate from a CA (see http://marianne.in2p3.fr/datagrid/ca/ for the CAs)
- new certificate: grid-cert-request
  - new files in ~/.globus: usercert_request.pem, userkey.pem
- mail it to the appropriate CA (e.g. cern-globus-ca@cern.ch)
- save the answer
  - ~/.globus/usercert.pem
- new proxy certificate: grid-proxy-init
  - /tmp/x509up_u
-> You have a certificate signed by an EDG CA.

Further Information
Grid
- EDG CAs: http://marianne.in2p3.fr/datagrid/ca
- Globus Security: http://www.globus.org/security/
- EDG WP2: http://grid-data-management.web.cern.ch/grid-data-management/security/
- EDG D7.5: http://edms.cern.ch/document/340234
Background
- GGF Security: http://www.gridforum.org/security/
- GSS-API: http://www.faqs.org/faqs/kerberos-faq/general/section-84.html
- IETF PKIX charter: http://www.ietf.org/html.charters/pkix-charter.html
- PKCS: http://www.rsasecurity.com/rsalabs/pkcs/index.html