Accessing the Grid from DL
John Kewley, Grid Technology Group, E-Science Centre, CCLRC Daresbury Laboratory
[email protected]
STFC e-Science Centre, 8th January 2008
Talk outline
1. Requirements for accessing the NW-Grid
2. An introduction to Grid Security
3. How to apply for a Grid Certificate and access the NW-Grid / NGS
Content of future talks will cover:
1. Next steps with the NW-Grid
2. Use of the DL Condor Pool
3. NGS and the NGS Portal
Requirements
To access the Grid, you will need:
1. An e-Science certificate, from a trusted certification authority, in an appropriate format
2. The Distinguished Name (DN) from your certificate registered with the Grid resource you intend to use
3. Client-side middleware on the accessing computer (unless you intend using only browser/portal technology)
4. No firewalls "in the way" between your client and the Grid resource: the middleware's ports must be reachable from your client machine's address (the NW-Grid registration step opens their firewalls for the client machines you register)
Security Issues
● How does the expensive Grid resource "account" for its use? Are these users who they claim to be?
● How does a user utilise a resource on a remote machine when he may not have an account on any intervening ones?
● How can you trust the remote machine to "behave" with your data?
Security Basics
● Authentication
– Who you are, Identity
– Non-repudiation
● Authorisation
– What you are allowed to do, Capability
– Which resources you can use
● Confidentiality (encryption)
● Integrity (untampered, lossless)
Tools of the trade
Encryption
● Secret "symmetric" key – both parties need to share the key
– DES, RC4
– Comparatively efficient
● Public/private key – "asymmetric" – two keys, mathematically related
– RSA, DSA
– Slower
● One-way hash / message digest
– MD5, SHA-1
– Fast
(Caveat: the named algorithms date the slide. MD5 and SHA-1 are no longer collision-resistant and DES and RC4 are deprecated; current CAs and Grid middleware sign with SHA-2 and use AES for symmetric encryption.)
(The same slide was then shown ROT13-encoded, e.g. "Gbbyf bs gur genqr" for "Tools of the trade", to make the point that ciphertext is unreadable without the key. ROT13 is a toy substitution cipher with no key at all, not real encryption.)
Public/Private keys
● Asymmetric encryption uses a key pair: one private and one public:
– deriving the private key from the public one is computationally infeasible at proper key sizes (2048-bit RSA or stronger today; a small modulus can be factored trivially);
– a message encrypted with one key can be decrypted only by its partner.
● Public keys can be freely exchanged / distributed.
● The sender encrypts using his private key; the receiver decrypts using the sender's public key. Since anyone holding the public key can perform that decryption, this proves who sent the message (a digital signature) but does not keep it secret. For confidentiality the sender encrypts with the receiver's public key instead, so that only the receiver's private key can decrypt.
[Diagram: clear text message → encrypt with private key → encrypted text → decrypt with public key → clear text message]
Certificates
● A statement from a trusted 3rd party (the Certification Authority), that your public key (and hence your private key) is associated with your identity
● A certificate can only be verified if you have the public key of the party who signed it (the CA's root certificate), which you must obtain through a channel you already trust: if an attacker can substitute the root certificate, every verification against it is worthless
X.509 Certificates
An X.509 Certificate contains:
● owner's public key;
● identity of the owner (the Subject DN);
● info on the CA (the Issuer DN);
● validity period;
● serial number;
● digital signature from the CA.
Example certificate fields as shown on the slide:
  Public key
  Subject: C=CH, O=CERN, OU=GRID, CN=Andrea Sciaba 8968
  Issuer: C=CH, O=CERN, OU=GRID, CN=CERN CA
  Expiration date: Aug 26 08:08:14 2005 GMT
  Serial number: 625 (0x271)
  CA Digital signature
Certificate Request
1. The user generates a public/private key pair in the browser. The private key is stored encrypted on local disk; only the public key is sent out.
2. The user sends the public key to the CA as a certificate request (CertRequest) and shows the Registration Authority (RA) proof of identity (ID).
3. The CA's signature links identity and public key in the certificate (Cert). The CA informs the user.
Anyone verifying the resulting certificate needs the CA root certificate, i.e. the CA's own public key, to check that signature.
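The three preceding slides (public/private keys, what a certificate asserts, and the request / sign / verify flow) condensed into runnable form. This is an added example, not code from the slides or from any Grid middleware: it uses textbook RSA with tiny primes and a truncated hash so that every value can be checked by hand, which also makes it insecure, and the last function shows why. The CA name, the `/C=UK/O=eScience/...` subject and the serial/expiry values are illustrative, taken from the slides' examples.

```python
"""Toy certificate flow with textbook RSA (added example, not the slides' own code).

Mirrors the slides: 'encrypt with the private key, decrypt with the public
key' (a signature), what a certificate binds together, and the request /
sign / verify steps.  The primes are tiny and the hash is reduced modulo n
so every value is hand-checkable; that is also why it is INSECURE, as
recover_private_key() at the end shows.  Real Grid certificates use
>= 2048-bit RSA, SHA-2 and PKCS#1 padding.
"""
import hashlib
import json
from math import gcd


def keygen(p, q, e=17):
    """Textbook RSA key pair from two primes: returns ((n, e), (n, d))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def digest(data, n):
    """SHA-256 of the data, reduced below n so it fits one RSA block.
    (Toy only: real signatures pad the full hash, they do not truncate it.)"""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data):
    """'The sender encrypts using his private key' = sign the digest."""
    n, d = priv
    return pow(digest(data, n), d, n)


def verify(pub, data, sig):
    """'The receiver decrypts using the sender's public key' and compares."""
    n, e = pub
    return pow(sig, e, n) == digest(data, n)


def encode_body(body):
    """Deterministic serialisation, so signer and verifier hash identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_certificate(ca_priv, issuer, subject, subject_pub, serial, not_after):
    """The CA signs (subject, public key, issuer, validity, serial): the X.509 fields."""
    body = {"subject": subject, "issuer": issuer, "public_key": list(subject_pub),
            "serial": serial, "not_after": not_after}
    return {"body": body, "signature": sign(ca_priv, encode_body(body))}


def check_certificate(cert, ca_pub):
    """A certificate can only be verified with the signing CA's public key."""
    return verify(ca_pub, encode_body(cert["body"]), cert["signature"])


def recover_private_key(pub):
    """Why small keys are worthless: factor n by trial division, rebuild d."""
    n, e = pub
    for p in range(2, int(n ** 0.5) + 1):
        if n % p == 0:
            q = n // p
            return (n, pow(e, -1, (p - 1) * (q - 1)))
    return None


if __name__ == "__main__":
    ca_pub, ca_priv = keygen(61, 53)            # n = 3233, the classic textbook pair
    user_pub, user_priv = keygen(89, 97)        # the user's browser-generated key pair
    # Illustrative names and values, taken from the slides' examples.
    cert = issue_certificate(ca_priv, "/C=UK/O=eScience/CN=Toy CA",
                             "/C=UK/O=eScience/OU=CLRC/L=DL/CN=john kewley",
                             user_pub, 625, "Aug 26 08:08:14 2005 GMT")
    print("certificate valid under CA key:", check_certificate(cert, ca_pub))
    forged = {"body": dict(cert["body"], subject="/CN=impostor"),
              "signature": cert["signature"]}
    print("forged subject still valid?   :", check_certificate(forged, ca_pub))
    job = b"run my job on man4"
    print("user signature verifies       :", verify(user_pub, job, sign(user_priv, job)))
    print("CA private key recovered      :", recover_private_key(ca_pub) == ca_priv)
```

Two things to take from it: changing a single certificate field (here the subject) invalidates the CA signature, which is exactly what lets a Grid resource trust a DN it has never seen a passport for; and `recover_private_key` turns the 12-bit CA public key back into the private key in microseconds, which is the whole reason "impossible to derive the private key" only holds at real key sizes.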
Downloading and testing your certificate
You will receive an email with instructions telling you how to download your certificate.
Since the private key is stored locally, you must use the SAME browser (and browser profile) for downloading as you used when applying for your certificate: that browser is the only place the private key exists, so back it up once the certificate has been installed.
You should then follow the instructions on the website to test your certificate. On successful completion, your DN will be displayed for use when registering for Grid resources.
Registering to use NW-Grid
There is a web registration form for NW-Grid
Once approved, this will :
● assign you a common username (e.g. nwdljk)
● register the Distinguished Name (DN) from your certificate with the NW-Grid machines
/C=UK/O=eScience/OU=CLRC/L=DL/CN=john kewley
● open NW-Grid firewalls so your client machine(s) can access the Grid resources.
http://man4.nw-grid.ac.uk:8080/user_registration
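What "register the DN with the NW-Grid machines" amounts to on the resource side, as an added example that is not code from the slides or from NW-Grid itself: Globus-based middleware keeps DN registrations in a grid-mapfile, one quoted DN and one local username per line, and looks the presenting certificate's DN up in it. The slides do not name that file, so the sample mapfile below is constructed here (the first entry is the DN from the registration slide, the second reuses the CERN subject from the X.509 slide with an invented username). The same DN can arrive in OpenSSL's slash form or in RFC 2253 comma form, so the lookup normalises both; the final check is the classic registration failure, a case difference in the CN, because DN comparison is exact.

```python
"""DN lookup against a grid-mapfile (added example, not the slides' own code).

Registration puts the DN from your certificate on each NW-Grid machine;
Globus-based middleware keeps such registrations in a grid-mapfile with
one entry per line:  "<DN>" <local username>.  The slides do not name the
file, so the sample below is constructed here.
"""
import re
import shlex

# Constructed sample; the first DN is the one on the registration slide.
GRID_MAPFILE = '''\
# grid-mapfile: "<distinguished name>" <local user>
"/C=UK/O=eScience/OU=CLRC/L=DL/CN=john kewley" nwdljk
"/C=CH/O=CERN/OU=GRID/CN=Andrea Sciaba 8968" nwcern01
'''


def parse_dn(dn):
    """Return [(attribute, value), ...] in root-first order (C first, CN last).

    OpenSSL one-line form is '/C=UK/O=eScience/.../CN=john kewley'.
    RFC 2253 form is leaf-first ('CN=john kewley,L=DL,...,C=UK') and may
    contain escaped commas ('\\,') inside a value, so it is split only on
    unescaped commas and then reversed.
    """
    dn = dn.strip()
    if dn.startswith("/"):
        parts = [p for p in dn[1:].split("/") if p]
    else:
        parts = [p.strip() for p in re.split(r"(?<!\\),", dn)]
        parts.reverse()
    pairs = []
    for part in parts:
        if "=" not in part:
            raise ValueError("malformed RDN %r in %r" % (part, dn))
        attr, value = part.split("=", 1)
        # Attribute types are case-insensitive; values are compared as-is.
        pairs.append((attr.strip().upper(), value.strip().replace("\\,", ",")))
    return pairs


def canonical_dn(dn):
    """Canonical slash form, used as the dictionary key."""
    return "/" + "/".join("%s=%s" % (attr, value) for attr, value in parse_dn(dn))


def load_gridmap(text):
    """Parse grid-mapfile text into {canonical DN: local username}."""
    mapping = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)          # the DN is quoted because it has spaces
        if len(fields) < 2:
            raise ValueError('line %d: expected "<DN>" <user>' % lineno)
        mapping[canonical_dn(fields[0])] = fields[1]
    return mapping


def local_user(dn, gridmap):
    """Authorisation step: which local account (if any) does this DN map to?"""
    return gridmap.get(canonical_dn(dn))


if __name__ == "__main__":
    gridmap = load_gridmap(GRID_MAPFILE)
    for dn in ["/C=UK/O=eScience/OU=CLRC/L=DL/CN=john kewley",
               "CN=john kewley, L=DL, OU=CLRC, O=eScience, C=UK",
               "/C=UK/O=eScience/OU=CLRC/L=DL/CN=John Kewley"]:
        print("%-55s -> %s" % (dn, local_user(dn, gridmap) or "NOT REGISTERED"))
```

The point of the third lookup: authentication (the CA signature) can succeed while authorisation fails, and when a resource reports "no local mapping" for a freshly issued certificate, comparing the exact DN string you registered with the one the certificate actually carries is the first thing to check.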
Links
What is the Grid? http://gridcafe.web.cern.ch/
What is e-Science? http://www.e-science.cclrc.ac.uk/ and http://www.nesc.ac.uk/
What is the NW-GRID? http://www.nw-grid.ac.uk/
UK e-Science CA: http://www.grid-support.ac.uk/content/view/182/184/ and https://ca.grid-support.ac.uk/