W. Sliwinski – eLTC – 7March08 1 LSA & Safety – Integration of RBAC and MCS in the LHC control system
Dec 28, 2015

Page 1

LSA & Safety – Integration of RBAC and MCS in the LHC control system

Page 2

RBAC – Controlling Access

• What is being accessed?
  – Device properties (Power Converters, Collimators, Kickers, etc.)

• What type of access?
  – get: read the value of a property once
  – monitor: receive the value of a property continuously
  – set: write the value of a property

• A person who wants to protect devices needs to know:
  1. How to create and manage a role
  2. How to create and manage rules (permissions)
  3. How to load the rules (Access Maps) into the CMW servers

Page 3

RBAC Overview

RBAC Token:
• Application name
• User name
• IP address/location
• Time of authentication
• Time of expiry
• Roles[ ]
• Digital signature (RBA private key)

[Diagram: Application, RBAC server, Application Server, CMW client, CMW server with FESA and the Access MAP on the front-end, Configuration DB; "T" marks the token passed between them]

Authentication:
– User requests to be authenticated
– RBAC authenticates the user via NICE user name and password
– RBA returns the Token to the Application

Authorization:
– Application sends the token to the Application Server (3-tier environment)
– CMW client sends the token to the CMW server
– CMW server (on the front-end) verifies the token
– CMW server checks the Access Map for role, location, application and mode

Page 4

RBAC – Base Concepts

• RBAC Token (Authentication)
  – Proof of authentication
  – Holds the information needed for authorization: roles, location, application
  – Carries a digital signature

• Access Maps (Authorization)
  – Access maps are text files on the front-ends
  – They are built from the database tables holding all access rules
  – Default: if there are no rules for a device property it is NOT protected
  – Each map contains the subset of access rules for a specific server on the front-end
  – Read into memory on start-up for fast permission checks

• Token checks on the front-end, before the Access Map is consulted
  – Verify the Token's digital signature with the RBAC public key, which establishes that:
    • the Token came from the RBAC server
    • the Token contents have not been altered
  – Check the expiration time
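As an added example (not code from the presentation or from CERN's RBAC implementation), the following Go program walks through the token and access-map checks described on slides 3 and 4: the RBA server signs a token, the CMW server verifies the signature and the expiry, and only then consults the access map. The token field names, the JSON encoding, the use of Ed25519 for the digital signature, the "DeviceClass/Property/access" key format and the wildcard rule matching are all assumptions of this example; the page specifies none of them.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Token carries the fields listed on slide 3. Field names and the JSON
// encoding are assumptions of this example; the page gives no token layout.
type Token struct {
	Application string   `json:"application"`
	User        string   `json:"user"`
	Location    string   `json:"location"`
	AuthTime    int64    `json:"auth_time"` // Unix seconds
	ExpiryTime  int64    `json:"expiry_time"`
	Roles       []string `json:"roles"`
}

// SignedToken is what the RBA server returns: the encoded token plus a
// signature over it made with the RBA private key (Ed25519 assumed here).
type SignedToken struct {
	Payload   []byte
	Signature []byte
}

var (
	ErrBadSignature = errors.New("token signature invalid: not from RBA or altered")
	ErrExpired      = errors.New("token expired")
)

// Issue plays the RBA server after a successful login: encode and sign.
func Issue(t Token, rbaPriv ed25519.PrivateKey) (SignedToken, error) {
	payload, err := json.Marshal(t)
	if err != nil {
		return SignedToken{}, err
	}
	return SignedToken{Payload: payload, Signature: ed25519.Sign(rbaPriv, payload)}, nil
}

// VerifyToken is the CMW server side: signature first (token came from the
// RBA server and was not altered), then expiry, both before any map lookup.
func VerifyToken(st SignedToken, rbaPub ed25519.PublicKey, now time.Time) (Token, error) {
	if !ed25519.Verify(rbaPub, st.Payload, st.Signature) {
		return Token{}, ErrBadSignature
	}
	var t Token
	if err := json.Unmarshal(st.Payload, &t); err != nil {
		return Token{}, err
	}
	if !now.Before(time.Unix(t.ExpiryTime, 0)) {
		return Token{}, ErrExpired
	}
	return t, nil
}

// Rule is one access-map entry; an empty field is a wildcard (assumption).
type Rule struct {
	Role, Location, Application, Mode string
}

// AccessMap is keyed by "DeviceClass/Property/access" (get, monitor or set).
type AccessMap map[string][]Rule

// Request is the incoming CMW call as the front-end sees it.
type Request struct {
	DeviceClass, Property, Access, Mode string
}

func matches(want, got string) bool { return want == "" || want == got }

// Authorize applies the slide-4 default: a property with no rules is NOT
// protected, so any caller with a valid token passes. Otherwise some rule
// must match a role in the token plus location, application and mode.
func Authorize(am AccessMap, t Token, req Request) bool {
	rules, protected := am[req.DeviceClass+"/"+req.Property+"/"+req.Access]
	if !protected {
		return true
	}
	for _, r := range rules {
		for _, role := range t.Roles {
			if matches(r.Role, role) && matches(r.Location, t.Location) &&
				matches(r.Application, t.Application) && matches(r.Mode, req.Mode) {
				return true
			}
		}
	}
	return false
}

func main() {
	rbaPub, rbaPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	now := time.Now()
	st, _ := Issue(Token{
		Application: "LSA Trim Editor", User: "operator1", Location: "CCC",
		AuthTime: now.Unix(), ExpiryTime: now.Add(8 * time.Hour).Unix(),
		Roles: []string{"LHC-Operator"},
	}, rbaPriv)
	// Constructed access map: setting a converter current is restricted,
	// reading it has no rule and is therefore open.
	am := AccessMap{"PowerConverter/Current/set": {
		{Role: "PC-Expert"},
		{Role: "LHC-Operator", Location: "CCC"},
	}}
	tok, err := VerifyToken(st, rbaPub, now)
	if err != nil {
		panic(err)
	}
	fmt.Println("set from CCC:", Authorize(am, tok, Request{"PowerConverter", "Current", "set", ""}))
	fmt.Println("get (no rule):", Authorize(am, tok, Request{"PowerConverter", "Current", "get", ""}))
	// Altering one byte of the payload breaks the RBA signature.
	st.Payload = append([]byte{}, st.Payload...)
	st.Payload[len(st.Payload)-2] ^= 0x01
	_, err = VerifyToken(st, rbaPub, now)
	fmt.Println("tampered token:", err)
}
```

The `get` call passes because no rule exists for it, which is exactly the "NOT protected by default" behaviour of slide 4: an equipment owner who forgets to generate rules for a property has left it open, and nothing in the token check will catch that, since the token check only establishes who the caller is.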

Page 5

RBAC – Managing Rules and Access Maps

• There is no automatic propagation of rules from the database to the front-ends
  – This is a manual process

• An RBAC script extracts the rules from the database into text files (the Access Maps)

• One Access Map per device class (keeps the number of rules on one front-end small)

• Access Maps are loaded into the CMW server when the front-end starts up

• Access Maps are generated and put on the front-ends manually by the equipment owners

Page 6

RBAC – part of the LHC control system

• RBAC tokens are passed through the LHC control system

• The RBAC token is used to check a user's access rights at the front-end level

• For GUI developers RBAC is an easy plug-in (even for LabView applications)
  – For applications using LSA: use the RBAIntegrator class
  – With the standard LSA GUI components this results in…

Page 7

RBAC Features

• Authentication by Location
  – We can specify that in certain locations one does not have to log in explicitly
  – The user name is the one used to log in at the console
  – The roles are the ones associated with that user name

• Single Sign On (SSO)
  – When SSO is enabled the user only has to log in once on a given PC and is automatically logged in for all applications running on that PC

• Role Picker
  – Additional dialog for picking a specific role if the user has several

• Dealing with critical settings
  – Generation and management of public and private keys
  – The user is forced to log in even at a location where Authentication by Location is enabled (Authentication by Location override)
  – Only one critical role can be selected when trimming critical settings

Page 8

MCS in LHC controls

• MCS is integrated with the core LHC control systems: LSA and FESA

• MCS is part of LSA:
  – Critical settings and their signatures are stored in the LSA database
  – They are managed in the same way as other settings but additionally require signing
  – Signature generation uses the RBAC API for private/public key management and signing
  – Critical settings are handled by the generic applications:
    • Trim Editor
    • Settings Copy
    • Settings Generation
    • Settings Acquire
  – …all these tools are critical-settings aware (RBAC login and Role Picker)

Page 9

MCS in LHC controls

• MCS is part of FESA:
  – Critical properties get an additional field called "signature"
    • It holds the signature for the rest of the fields
    • Message digest of all the remaining fields, signed with the critical role's private key
  – The signature field has to be filled in correctly by the client application (LSA)
  – The signature field is verified right after the message is received from the client, but before the front-end server action is executed
  – If the signature is not valid, the set method is rejected with an exception
  – Only data with a valid signature is accepted for critical properties

• RBAC services for MCS:
  – Provides a secure keystore for the private/public key pairs of critical roles
  – Secure signing service
  – The Role Picker recognizes critical roles and treats them differently

Page 10

LSA Trim Editor with Critical Settings

Speaker notes:

vkain: Mention here that critical settings appear red in the trim editor.

vkain: If you select a critical setting to be trimmed here and press trim, you are asked to log in.

vkain: When dealing with critical settings you cannot just stay with all your roles; you have to choose one specific role. You have to know that you are doing something critical now. All critical roles appear in red.

vkain: If you have chosen the right role (assuming that you have it), you can trim and then apply. The signature will then be generated and, if the cycle is resident, sent directly to the hardware as well as to the database. In the hardware the signature will be verified, as mentioned earlier by Verena.
Page 11

How do we make settings critical? (1)

• It must be an LSA setting
  – Define LSA parameters for the FESA properties concerned

• An RBAC critical role must be defined and associated with the critical property

• One must hold the critical-property administrator RBAC role
  – LHC Protection Panel

• LSA is the master data source for MCS
  – A property is marked as critical only in the LSA database

• Set the property as critical using the LSA Parameter Configuration application

Page 12

How do we make settings critical? (2)

• Use the LSA Parameter Configuration application (already RBAC & MCS aware)

Page 13

How do we make settings critical? (3)

• Generate the new FESA XML configuration file and send it by email to the equipment owner

• The configuration file needs to be put on the FESA device, which requires a restart of the server

Page 14

How to ensure that DB and HW properties are in sync? (1)

• Integrity checks in MCS:
  – Integrity in the LSA DB (db check)
    • LSA is the true source: make sure the DB signature is consistent with the data
  – Integrity between the LSA DB and the HW (online check)
    • The signature is not kept on the front-end, so the current values in DB and HW are compared
  – Will be done before every fill and during the fill (SIS, Sequencer)
  – Check the deployed configuration: if the configuration file is gone, we know it as well
  – Verify whether the configuration file for critical settings is on the front-end
  – Verify whether the configuration file has the correct contents

• All the checks are provided in the Parameter Configuration application
  – In the form of GUI buttons
  – Can be launched asynchronously, independently of Sequencer & SIS
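As an added example covering both the FESA-side signature check of slide 9 and the db/online integrity checks of slide 14, here is a Go model of one critical property; it is not code from the presentation or from the LSA/FESA code base. Assumptions: Ed25519 keys stand in for the critical role's key pair, SHA-256 over a name-sorted, length-prefixed encoding stands in for the "message digest of all the remaining fields", and the field names and values are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"sort"
)

// CriticalSetting is the value of one critical FESA property: its ordinary
// fields plus the extra "signature" field from slide 9 (field names are
// constructed for this example).
type CriticalSetting struct {
	Fields    map[string]string
	Signature []byte
}

// digest hashes every field except the signature. Names are sorted and each
// name and value is length-prefixed, so two different field sets can never
// produce the same byte stream (plain concatenation would allow that).
func digest(fields map[string]string) []byte {
	names := make([]string, 0, len(fields))
	for name := range fields {
		names = append(names, name)
	}
	sort.Strings(names)
	h := sha256.New()
	var lenBuf [4]byte
	for _, name := range names {
		for _, s := range []string{name, fields[name]} {
			binary.BigEndian.PutUint32(lenBuf[:], uint32(len(s)))
			h.Write(lenBuf[:])
			h.Write([]byte(s))
		}
	}
	return h.Sum(nil)
}

// Sign is the LSA side: sign the digest with the critical role's private key
// (held in the RBAC keystore) and store the result in the signature field.
func Sign(fields map[string]string, rolePriv ed25519.PrivateKey) CriticalSetting {
	return CriticalSetting{Fields: fields, Signature: ed25519.Sign(rolePriv, digest(fields))}
}

// Verify checks the signature field against the critical role's public key.
func Verify(s CriticalSetting, rolePub ed25519.PublicKey) bool {
	return ed25519.Verify(rolePub, digest(s.Fields), s.Signature)
}

var ErrRejected = errors.New("MCS: signature invalid, set rejected")

// FrontEnd stands in for a FESA server holding one critical property. As on
// slide 9 it verifies the signature after the message is received and before
// the set is executed, and as on slide 14 it keeps the value, not the signature.
type FrontEnd struct {
	rolePub ed25519.PublicKey
	current map[string]string
}

func (f *FrontEnd) Set(s CriticalSetting) error {
	if !Verify(s, f.rolePub) {
		return ErrRejected
	}
	f.current = make(map[string]string, len(s.Fields))
	for k, v := range s.Fields {
		f.current[k] = v
	}
	return nil
}

// DBCheck is the integrity check inside the LSA database: the stored
// signature must still match the stored data.
func DBCheck(stored CriticalSetting, rolePub ed25519.PublicKey) bool {
	return Verify(stored, rolePub)
}

// OnlineCheck is the DB-versus-hardware check. The front-end holds no
// signature, so the current field values are compared directly.
func OnlineCheck(stored CriticalSetting, fe *FrontEnd) bool {
	if len(stored.Fields) != len(fe.current) {
		return false
	}
	for k, v := range stored.Fields {
		if fe.current[k] != v {
			return false
		}
	}
	return true
}

func main() {
	rolePub, rolePriv, _ := ed25519.GenerateKey(rand.Reader) // the critical role's key pair
	fe := &FrontEnd{rolePub: rolePub}
	// Constructed critical setting: a collimator jaw position and its tolerance.
	stored := Sign(map[string]string{"jawPosition": "12.5", "tolerance": "0.2"}, rolePriv)
	fmt.Println("signed set:", fe.Set(stored), "db:", DBCheck(stored, rolePub), "online:", OnlineCheck(stored, fe))
	// A client that changes a value without re-signing is rejected before the action runs.
	forged := CriticalSetting{Fields: map[string]string{"jawPosition": "30.0", "tolerance": "0.2"}, Signature: stored.Signature}
	fmt.Println("forged set:", fe.Set(forged))
	// A value changed on the hardware behind LSA's back is caught by the online check.
	fe.current["jawPosition"] = "30.0"
	fmt.Println("online after drift:", OnlineCheck(stored, fe))
}
```

The sorted, length-prefixed encoding in `digest` is the detail worth keeping: slide 9 only says "message digest of all the remaining fields", and a digest over a plain concatenation of values would let two different field sets hash alike and share one valid signature. Note also the limit of `OnlineCheck` that follows from slide 14: because the front-end keeps no signature, a value changed directly on the hardware is detected only when the check runs (before and during the fill), not at the moment of the change.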

Page 15

How to ensure that DB and HW properties are in sync? (2)

Page 16

Features of dealing with Critical Settings

• Higher-level parameters
  – Designers of parameter spaces have to be aware that high-level parameters (e.g. Momentum) become implicitly critical if they depend on lower-level critical parameters
    • If the collimator tolerance function depends on Momentum and was made critical, then only the collimator expert can trim the value of Momentum!

• Generation of critical settings
  – Whenever a cycle has to be generated: an authorized person is needed
  – Issue for optics/energy-dependent (multiplexed) critical settings: e.g. collimators
  – Most critical settings are non-multiplexed

• Copy of critical settings
  – Whenever settings have to be copied from one cycle to another:
    • Critical settings are skipped (cycle copy)
    • Only an authorized person can copy critical settings (beam process copy)
  – Issue again for optics/energy-dependent critical settings: e.g. collimators
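To make the Momentum example concrete, here is an added Go example (not from the presentation or from LSA) that computes, for any parameter, which critical roles a trim would require by walking the parameters that depend on it. Parameter names, dependencies and role names are constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// Param is one LSA parameter: the lower-level parameters its value is
// computed from and, if it is critical, the RBAC critical role that may trim
// it. An empty CriticalRole means the parameter is not marked critical.
type Param struct {
	DependsOn    []string
	CriticalRole string
}

// ParamSpace maps parameter names to their definitions.
type ParamSpace map[string]Param

// dependents inverts the dependency edges: for each parameter, the
// parameters computed from it (and therefore changed when it is trimmed).
func (ps ParamSpace) dependents() map[string][]string {
	out := make(map[string][]string)
	for name, p := range ps {
		for _, dep := range p.DependsOn {
			out[dep] = append(out[dep], name)
		}
	}
	return out
}

// RequiredCriticalRoles returns, sorted, the critical roles a trim of name
// needs: the parameter's own role plus the role of every critical parameter
// that transitively depends on it. The seen set also guards against cycles.
func (ps ParamSpace) RequiredCriticalRoles(name string) []string {
	deps := ps.dependents()
	roles := make(map[string]bool)
	seen := make(map[string]bool)
	var walk func(string)
	walk = func(n string) {
		if seen[n] {
			return
		}
		seen[n] = true
		if r := ps[n].CriticalRole; r != "" {
			roles[r] = true
		}
		for _, d := range deps[n] {
			walk(d)
		}
	}
	walk(name)
	out := make([]string, 0, len(roles))
	for r := range roles {
		out = append(out, r)
	}
	sort.Strings(out)
	return out
}

// IsImplicitlyCritical reports whether a parameter that is not itself marked
// critical nevertheless requires a critical role to be trimmed.
func (ps ParamSpace) IsImplicitlyCritical(name string) bool {
	return ps[name].CriticalRole == "" && len(ps.RequiredCriticalRoles(name)) > 0
}

func main() {
	// Constructed parameter space: the collimator tolerance function depends
	// on Momentum and is critical, so Momentum becomes implicitly critical.
	ps := ParamSpace{
		"Momentum":            {},
		"CollimatorTolerance": {DependsOn: []string{"Momentum"}, CriticalRole: "Collimator-Expert"},
		"Orbit":               {DependsOn: []string{"Momentum"}},
		"BeamDump":            {CriticalRole: "Dump-Expert"},
	}
	for _, name := range []string{"Momentum", "Orbit", "BeamDump"} {
		fmt.Printf("%-20s roles=%v implicit=%v\n", name, ps.RequiredCriticalRoles(name), ps.IsImplicitlyCritical(name))
	}
}
```

Run against a real parameter space, a result with more than one role is the case a parameter-space designer should look at first: slide 7 says only one critical role can be selected when trimming, so a high-level parameter whose dependents belong to two different critical roles cannot be trimmed under a single role selection.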

Page 17

Conclusions

• RBAC and MCS
  – provide the infrastructure for operating the LHC safely
  – are fully integrated in the LHC control system
  – are based on industrial security standards

• Using MCS we can always ensure the integrity of settings which are crucial for machine safety

• Clearly, RBAC and MCS will require a cultural change…

• …but this infrastructure is as transparent to normal operation as possible
  – Authentication by Location
  – Single Sign On
  – Only a few critical settings: critical settings must be exceptional

• RBAC and MCS are already operational