Accessing the Grid from DL

John Kewley
Grid Technology Group, E-Science Centre, CCLRC Daresbury Laboratory (STFC e-Science Centre)
8th January 2008
[email protected]

Mar 31, 2015


Talk outline

1. Requirements for accessing the NW-Grid

2. An introduction to Grid Security

3. How to apply for a Grid Certificate and access the NW-Grid / NGS

Content of future talks will cover:

1. Next steps with the NW-Grid

2. Use of the DL Condor Pool

3. NGS and the NGS Portal

Requirements

To access the Grid, you will need:

1. An e-Science certificate, from a trusted certification authority, in an appropriate format

2. The Distinguished Name (DN) from your certificate registered with the Grid resource you intend to use

3. Client-side middleware on the accessing computer (unless you intend using only browser/portal technology)

4. No firewalls "in the way" between your client and the grid resource

Security Issues

● How does the expensive Grid resource "account" for its use? Are these users who they claim to be?

● How does a user utilise a resource on a remote machine when he may not have an account on any intervening ones?

● How can you trust the remote machine to "behave" with your data?

Security Basics

● Authentication

– Who you are, Identity

– Non-repudiation

● Authorisation

– What you are allowed to do, Capability

– Which resources you can use

● Confidentiality (encryption)

● Integrity (untampered, lossless)

Tools of the trade

Encryption

● Secret “symmetric” key – both parties need to share the key

– DES, RC4

– Comparatively efficient

● Public/private key – “asymmetric” – 2 keys mathematically related

– RSA, DSA

– Slower

One-way hash / message digest

– MD5, SHA-1

– Fast

Gbbyf bs gur genqr

Rapelcgvba

● Frpergt “flzzrgevp” xrl – obgu cnegvrf arrq gb funer gur xrl

– QRF, EP4

– Pbzcnengviryl rssvpvrag

● Choyvp/cevingr xrl – “nflzzrgevp” – 2 xrlf zngurzngvpnyyl eryngrq

– EFN, QFN

– Fybjre

Barjnl unfu / zrffntr qvtrfg

– ZQ5, FUN-1

– Snfg

Public/Private keys

● Asymmetric encryption uses a key pair, one private and one public:

– it is impossible to derive the private key from the public one;

– a message encrypted by one key can be decrypted only by its partner

● Public keys can be freely exchanged / distributed

● The sender encrypts using his private key

● The receiver decrypts using the sender's public key

[Diagram: Clear text message → (Private Key) → Encrypted text → (Public Key) → Clear text message]

Certificates

● A statement from a trusted 3rd party (the Certification Authority), that your public key (and hence your private key) is associated with your identity

● A certificate can only be verified if you have the public key of the party who signed it

X.509 Certificates

An X.509 Certificate contains:

● owner’s public key;

● identity of the owner;

● info on the CA;

● validity;

● serial number;

● digital signature from the CA

[Diagram: example certificate contents]

Public key

Subject: C=CH, O=CERN, OU=GRID, CN=Andrea Sciaba 8968

Issuer: C=CH, O=CERN, OU=GRID, CN=CERN CA

Expiration date: Aug 26 08:08:14 2005 GMT

Serial number: 625 (0x271)

CA Digital signature
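
The Public/Private keys, Certificates and X.509 slides fit together as follows; this is an added example, not part of the original talk. It uses textbook RSA without padding on small fixed primes, purely to show the private-key sign / public-key verify relationship; the helper names, the issuer DN and all key values are constructed.

```python
import hashlib

# Toy textbook RSA (no padding, small fixed primes): illustration only.
def make_keypair(p, q, e=65537):
    """Return (public, private) keys built from two primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

def digest(fields, n):
    """One-way hash (SHA-256) of the certificate fields, reduced mod n."""
    data = "|".join(f"{k}={fields[k]}" for k in sorted(fields)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def issue(fields, ca_private):
    """The CA 'encrypts' the digest with its private key: the signature."""
    n, d = ca_private
    return {"fields": dict(fields), "signature": pow(digest(fields, n), d, n)}

def verify(cert, ca_public):
    """A relying party 'decrypts' with the CA public key and compares."""
    n, e = ca_public
    return pow(cert["signature"], e, n) == digest(cert["fields"], n)

def tampered(cert, **changes):
    """Copy of cert with fields altered but the original signature kept."""
    return {"fields": {**cert["fields"], **changes},
            "signature": cert["signature"]}

# Constructed key material: Mersenne primes stand in for real keys.
CA_PUB, CA_PRIV = make_keypair(2**61 - 1, 2**89 - 1)
OTHER_PUB, _ = make_keypair(2**107 - 1, 2**127 - 1)   # some unrelated CA
USER_PUB, _ = make_keypair(2**31 - 1, 2**61 - 1)

CERT = issue({
    "subject": "/C=UK/O=eScience/OU=CLRC/L=DL/CN=john kewley",  # DN from the talk
    "issuer": "/C=UK/O=eScience/CN=Example CA",                 # constructed
    "serial": 625,                                              # sample value
    "public_key": USER_PUB,
}, CA_PRIV)

if __name__ == "__main__":
    print("genuine certificate:", verify(CERT, CA_PUB))
    print("subject altered:    ", verify(tampered(CERT, subject="/CN=someone else"), CA_PUB))
    print("checked with other CA key:", verify(CERT, OTHER_PUB))
```

Changing any signed field, or checking against a CA key other than the issuer's, makes verification fail, which is why the relying party must already hold the signing CA's public key.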

Certificate Request

1. User generates public/private key pair in browser.

2. User sends public key to CA and shows RA proof of identity.

3. CA signature links identity and public key in certificate. CA informs user.

[Diagram labels: Private Key encrypted on local disk; Cert Request (Public Key, ID); Cert; CA root certificate]

Downloading and Testing your certificate

You will receive an email with instructions telling you how to download your certificate.

Since the private key is stored locally, you will need to use the SAME browser when downloading as applying for your certificate.

You should then follow the instructions on the website to Test your certificate. On successful completion, your DN will be displayed for use when registering for Grid resources.

Registering to use NW-Grid

There is a web registration form for NW-Grid

Once approved, this will:

● assign you a common username (e.g. nwdljk)

● register the Distinguished Name (DN) from your certificate with the NW-Grid machines

/C=UK/O=eScience/OU=CLRC/L=DL/CN=john kewley

● open NW-Grid firewalls so your client machine(s) can access the Grid resources.

http://man4.nw-grid.ac.uk:8080/user_registration

Links

What is the Grid? http://gridcafe.web.cern.ch/

What is e-Science? http://www.e-science.cclrc.ac.uk/

http://www.nesc.ac.uk/

What is the NW-GRID? http://www.nw-grid.ac.uk/

UK e-Science CA: http://www.grid-support.ac.uk/content/view/182/184/

https://ca.grid-support.ac.uk/