2. Outline
Security issues
UNICORE server components and how they interact
Bastian Demuth: server internals
Sessions 11 and 12: UNICORE clients, workflow basics
07.07.2009 Slide 2
3. Security Issues
Grid resources communicate via the internet: no firewall
protects them from the outside world
Intruders may . . .
read messages between resources
alter messages between resources
connect to two resources and relay messages between them:
man-in-the-middle attack
flood resources with messages: denial-of-service attack
4. Encryption
Symmetric encryption:
Same key used to encrypt and decrypt a message
Disadvantage: every pair of users must exchange a secret key
beforehand, over a channel an intruder cannot read
Asymmetric encryption:
Each user owns a pair of private and public key
Public keys can be exchanged openly; the private key never leaves its owner
Sender encrypts message with the receiver's public key
Receiver decrypts message with his own private key
5. Digital Signing
Encryption:
Messages can't be read by intruders
How do we know where a message really comes from, and that it
was not altered on the way?
Digital signing:
Sender computes a signature over the message with his private key
(in textbook RSA: "encrypts" a hash of the message with it)
Receiver checks the signature with the sender's public key
Main issue: get the sender's public key from a trusted source,
otherwise an intruder can substitute his own key
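Slides 4 and 5 in working code, as an added example that is not part of the slides or of UNICORE: the user signs a message with his private key and encrypts it for the server with the server's public key; the server decrypts with its own private key and checks the signature with the user's public key; then two intruder moves are tried. In-memory RSA-2048 keys, OAEP for encryption and PSS for signing are this example's choices.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Outcome collects what the receiving side observed.
type Outcome struct {
	Plain              string // plaintext the server recovered
	SignatureOK        bool   // signature verified with the user's public key
	TamperedCTRejected bool   // a ciphertext with one flipped bit fails to decrypt
	ForgedSigRejected  bool   // the signature does not verify over an altered message
}

// encryptFor: only the holder of recipient's private key can read the result (RSA-OAEP).
func encryptFor(recipient *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, msg, nil)
}

// decryptWith recovers the plaintext with the recipient's own private key.
func decryptWith(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

// sign produces a signature over SHA-256(msg) with the sender's private key (RSA-PSS).
// Signing a hash is what the slide's "encrypt the message with the private key" means in
// practice; raw private-key "encryption" of the message itself is not a safe signature.
func sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, h[:], nil)
}

// verify reports whether sig was produced over msg by the owner of pub's private key.
func verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, nil) == nil
}

// roundTrip plays the two slides: the user signs a message and encrypts it for the server;
// an intruder on the path sees ciphertext and signature but can neither read nor alter them
// undetected. Keys are generated in memory here; a deployment would load them from files.
func roundTrip(msg []byte) (Outcome, error) {
	user, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Outcome{}, err
	}
	server, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Outcome{}, err
	}
	// Sender: sign, then encrypt for the receiver. Only public keys are exchanged.
	sig, err := sign(user, msg)
	if err != nil {
		return Outcome{}, err
	}
	ct, err := encryptFor(&server.PublicKey, msg)
	if err != nil {
		return Outcome{}, err
	}
	// Receiver: decrypt with own private key, verify with the sender's public key.
	plain, err := decryptWith(server, ct)
	if err != nil {
		return Outcome{}, err
	}
	out := Outcome{Plain: string(plain), SignatureOK: verify(&user.PublicKey, plain, sig)}
	// Intruder 1: alter the ciphertext in transit. OAEP padding makes this detectable.
	bad := append([]byte(nil), ct...)
	bad[len(bad)-1] ^= 0x01
	_, err = decryptWith(server, bad)
	out.TamperedCTRejected = err != nil
	// Intruder 2: substitute a different message but replay the genuine signature.
	forged := append([]byte(nil), plain...)
	forged[0] ^= 0x01
	out.ForgedSigRejected = !verify(&user.PublicKey, forged, sig)
	return out, nil
}

func main() {
	out, err := roundTrip([]byte("submit job for alice"))
	fmt.Printf("%+v err=%v\n", out, err)
}
```

RSA-OAEP can only encrypt a message shorter than the key (190 bytes here with SHA-256), which is one reason SSL uses the asymmetric keys only to agree on a symmetric session key and protects the traffic itself with that key.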
6. Certification Authorities
How do we know who is the real person behind a key?
→ Certification Authority (CA), e.g. GILDA, CA-Cert, . . .
User creates private key and a matching certificate request
User sends certificate request (not the private key) to a CA
CA checks user's identity and signs the certificate request
CA sends user their signed public key (certificate)
Each certificate contains info about the user (real name, email), the
user's public key and the signer (CA).
7. SSL (Secure Sockets Layer)
SSL
Secure network communication via private/public keys.
[Animated diagram, Client on the left and Server on the right: "Hello"; each
side sends "Here's my public key" and asks "Do I trust the signer?"; each then
sends "Please decrypt: <random string>" encrypted with the other's public key
(client with the server key, server with the client key); each decrypts with
its own private key and replies "Decrypted: <string>"; each checks "Does it
match?".]
17. SSL (Secure Sockets Layer)
Client connects to server
Server sends client its public key (certificate)
Client checks if it trusts the signer of the server's key
Server requests client's public key (certificate)
Server checks if it trusts the signer of the client's key
Server and client check if the counterpart owns the private
key belonging to the public key:
exchange of random messages encrypted with the counterpart's
public key
counterpart must decrypt message with its private key
decrypted message must equal the original message
(This is the slide's simplification: in the real handshake the server proves
possession by decrypting the pre-master secret or by signing its key exchange,
and the client by signing the handshake transcript; the principle is the same.)
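Slides 6 and 8 together, as an added example that is not part of the slides or of UNICORE's code: a hypothetical CA issues certificates from certificate requests (checking the request's self-signature before signing), then a server and a client authenticate each other over a loopback TLS connection with Go's standard library. The CA name "Demo CA", the names "gateway" and "demo-user", ECDSA P-256 keys and the 24-hour validity are all this example's assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must keeps the key and certificate setup short; real code would return these errors.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCA stands in for a certification authority: a self-signed CA certificate and its key.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key
}

// issue follows slide 6: the subject creates a key and a certificate request; the CA sees only
// the request, checks its self-signature (the requester does hold the private key) and signs.
// Vetting the real person behind the request happens out of band and is not modelled.
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn string, serial int64, use x509.ExtKeyUsage) (tls.Certificate, error) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}
	csr := must(x509.ParseCertificateRequest(must(x509.CreateCertificateRequest(rand.Reader, req, key))))
	if err := csr.CheckSignature(); err != nil { // CA-side check
		return tls.Certificate{}, fmt.Errorf("request rejected: %w", err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: csr.Subject, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{use},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// handshake runs slide 8 over loopback: the server presents its certificate and requires one
// from the client, each side checks the peer's signer against its own trust store (the client
// also the server name), and the TLS handshake proves possession of both private keys.
// It returns the client CN the server authenticated, or the error that made either side abort.
func handshake(serverName string, server, client tls.Certificate, serverTrust, clientTrust *x509.CertPool) (string, error) {
	ln := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{server},
		ClientAuth:   tls.RequireAndVerifyClientCert, // "server requests client's public key"
		ClientCAs:    serverTrust,                    // server side: "do I trust the signer?"
		MinVersion:   tls.VersionTLS12,
	}))
	defer ln.Close()
	conns, errs := make(chan *tls.Conn, 1), make(chan error, 1)
	go func() {
		c, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
			Certificates: []tls.Certificate{client},
			RootCAs:      clientTrust, // client side: "do I trust the signer?"
			ServerName:   serverName,  // must appear in the server certificate
			MinVersion:   tls.VersionTLS12,
		})
		conns <- c
		errs <- err
	}()
	conn := must(ln.Accept()).(*tls.Conn)
	defer conn.Close()
	serverErr := conn.Handshake() // verifies the client chain and its proof of possession
	if c := <-conns; c != nil {   // the client's own verdict on the server
		defer c.Close()
	}
	if serverErr != nil {
		return "", serverErr
	}
	if err := <-errs; err != nil {
		return "", err
	}
	return conn.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}

func main() {
	ca, caKey := newCA("Demo CA")
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	gateway := must(issue(ca, caKey, "gateway", 2, x509.ExtKeyUsageServerAuth))
	user := must(issue(ca, caKey, "demo-user", 3, x509.ExtKeyUsageClientAuth))
	fmt.Println(handshake("gateway", gateway, user, pool, pool))
}
```

The trust stores are the whole point: a client certificate with the same CN but signed by another CA is rejected by the server, and a server whose CA the client does not hold, or whose certificate carries another name, is rejected by the client before any application data flows.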
18. Security in UNICORE
UNICORE has a strong security concept:
Each user has their own private key
Each server component has its own private key
Connections between users' clients and UNICORE servers use
SSL
UNICORE server components use the user's certificate for
authentication and authorisation
UNICORE server components use SSL to connect to each
other
20. UNICORE Architecture
Global registry:
Central point of a UNICORE grid
Keeps track of all available services
Gateway:
"Door to outside world" in firewall
may serve several resources behind one firewall
unicorex:
Central point for job processing and managing
Checks user certificate with XUUDB
XUUDB (UNICORE user database):
Mapping between user certificates, user logins, roles
TSI (Target System Interface):
Submits jobs to batch system
Components use SSL connections
21. The Registry
The Registry:
Provides clients with information about services
Two kinds: global / local
Global or central registry:
Serves as a "Grid"
Knows all target systems and workflow services
Services dynamically register with (one or more) registries
Local registry per service container (e.g. unicorex)
For registering service instances
Full WS-RF Service
UNICORE Registry in Gilda:
https://gilda-lb-01.ct.infn.it:8080/REGISTRY/services/Registry?
22. The Global Registry
[Animated diagram: resources publish themselves to the Global Registry; a
client asks the registry "What resources do you know?" and receives the contact
list of resources.]
27. Registry Entries
Registry entries as seen with the Eclipse Client (expert view):
[screenshot]
28. When a job is being submitted . . .
Components involved: Client, Gateway, unicorex, XUUDB, TSI
Client establishes SSL connection to Gateway
Client contacts unicorex via Gateway
Client sends signed abstract job to unicorex
unicorex asks XUUDB if the user belonging to the certificate is
allowed job execution
unicorex gets login from XUUDB
unicorex translates abstract job into machine-dependent script
unicorex sends machine-dependent script to TSI
35. Jobs
Abstract job definitions:
Given in JSDL (Job Submission Description Language)
XML specification from the Global Grid Forum
Contain for example:
Job name, description
Resource requirements (RAM, number of CPUs needed, . . . )
Information about transferring of files before or after execution
An application name and version
Each job has a life time; after that its data is deleted from the
server
36. The Gateway
The Gateway:
Gateway talks to clients and servers located on other sites
All communication with server components of this site goes
via the Gateway
Gateway must trust the CAs of users
Users must trust the CA of the Gateway
UNICORE Gateway of Gilda:
https://gilda-lb-01.ct.infn.it:8080
The UNICORE Registry of Gilda:
https://gilda-lb-01.ct.infn.it:8080/REGISTRY/services/Regist
A unicorex of Gilda:
https://gilda-lb-01.ct.infn.it:8080/REGISTRY/GILDA-CATANIA
37. The unicorex
unicorex:
Authorises requests using the authorisation service XUUDB
Translates abstract job into concrete job for target system via
the IDB
Provides storage resources
Provides file transfer services
Provides job management services
38. The XUUDB
XUUDB:
Maps user certificates to logins on that machine
Assigns roles (user, admin, . . . )
Nr | GcID    | Xlogin | Role | Projects | DN
---|---------|--------|------|----------|------------------------------
1  | OMII_EI | rbreu  | user |          | CN=Rebecca Breu, OU=JSC, OU=
2  | OMII_EI | sandra | user |          | EMAILADDRESS=s.bergmann@fz-j
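The XUUDB lookup that slide 15 ("unicorex asks XUUDB if the user belonging to the certificate is allowed job execution, then gets the login") and the table above describe, as an added example that is not UNICORE's code: the subject of the client certificate is matched against the table after normalising both sides, unknown subjects are refused (deny by default), a banned role is refused, and the Xlogin the TSI will use comes back. The table rows, the DNs in them, the role name "banned" and the login names are constructed for this example.

```go
package main

import (
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"strings"
)

// Entry is one XUUDB row in the slide's layout (GcID and Projects left out). The DNs below
// are constructed for this example; the real table holds whatever DNs the site's CAs issued.
type Entry struct {
	DN, Xlogin, Role string
}

var xuudb = []Entry{
	{DN: "CN = Alice Example , OU = JSC , O = FZJ , C = DE", Xlogin: "alice", Role: "user"},
	{DN: "CN = Bob Example , OU = JSC , O = FZJ , C = DE", Xlogin: "bob", Role: "banned"},
	{DN: "CN = Site Admin , OU = JSC , O = FZJ , C = DE", Xlogin: "uadmin", Role: "admin"},
}

// normalizeDN maps "CN = Alice , OU = JSC" and "CN=Alice,OU=JSC" to one form: attribute
// types upper-cased, whitespace around '=' and ',' removed, RDN order kept (it is part of
// the identity) and escaped commas inside values left alone. Comparing DNs as raw strings
// is a classic way to lock out legitimate users or, with sloppier normalisation, to let
// the wrong certificate match.
func normalizeDN(dn string) string {
	var parts []string
	var cur strings.Builder
	escaped := false
	for _, r := range dn {
		switch {
		case escaped:
			cur.WriteRune('\\')
			cur.WriteRune(r)
			escaped = false
		case r == '\\':
			escaped = true
		case r == ',':
			parts = append(parts, cur.String())
			cur.Reset()
		default:
			cur.WriteRune(r)
		}
	}
	parts = append(parts, cur.String())
	for i, p := range parts {
		typ, val, _ := strings.Cut(p, "=")
		parts[i] = strings.ToUpper(strings.TrimSpace(typ)) + "=" + strings.TrimSpace(val)
	}
	return strings.Join(parts, ",")
}

// authorize is the unicorex-side step: look the certificate subject up in the XUUDB, refuse
// unknown subjects and banned users, and return the row whose Xlogin the TSI switches to.
func authorize(subject pkix.Name, db []Entry) (Entry, error) {
	want := normalizeDN(subject.String()) // Go prints subjects in RFC 2253 form
	for _, e := range db {
		if normalizeDN(e.DN) != want {
			continue
		}
		if e.Role == "banned" {
			return Entry{}, fmt.Errorf("%s is banned", e.Xlogin)
		}
		return e, nil
	}
	return Entry{}, errors.New("no XUUDB entry for " + want) // deny by default
}

func main() {
	alice := pkix.Name{CommonName: "Alice Example", OrganizationalUnit: []string{"JSC"},
		Organization: []string{"FZJ"}, Country: []string{"DE"}}
	fmt.Println(authorize(alice, xuudb))
}
```

Go's pkix.Name.String() prints attribute types it has no short name for (such as the EMAILADDRESS in the slide's second row) as dotted OIDs, so a real table would have to be stored in the same canonical form the lookup produces.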
39.Hm The TSI
The TSI . . .
forks a process which runs with the user's ID (the Xlogin from the XUUDB)
creates a temporary directory on the target system (uspace)
changes current working directory to uspace
submits job to local batch system
Input and output:
all input needed for the job has to be copied into the uspace
all output that is to survive the end of job execution has to be
copied elsewhere
Terms used:
File import: file transfer from somewhere into uspace
File export: file transfer from uspace to somewhere
42. IDB: Incarnation Database
The IDB is a file with rules for translating abstract jobs into
executable scripts.
<idb:IDBApplication>
  <idb:ApplicationName>Bash shell</idb:ApplicationName>
  <idb:ApplicationVersion>3.1.16</idb:ApplicationVersion>
  <jsdl:POSIXApplication xmlns:jsdl="http://schemas.ggf.org/jsdl
    <jsdl:Executable>/bin/bash</jsdl:Executable>
    <jsdl:Argument>--debugger $DEBUG?</jsdl:Argument>
    <jsdl:Argument>-v $VERBOSE?</jsdl:Argument>
    <jsdl:Argument>$ARGUMENTS?</jsdl:Argument>
    <jsdl:Argument>$SOURCE?</jsdl:Argument>
  </jsdl:POSIXApplication>
</idb:IDBApplication>
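The incarnation step ("unicorex translates abstract job into machine-dependent script") applied to the entry above, as an added example that is not UNICORE's own incarnation code: the job's variables are substituted into the argument templates, a "$NAME?" argument is dropped when the job does not define NAME, and every substituted value is shell-quoted before it reaches the script the TSI runs under the mapped login. The Go struct standing in for the XML entry, the "optional literal prefix then $NAME" template shape and the quoting are this example's assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Application is a simplified view of one idb:IDBApplication entry: the executable and its
// argument templates. The "$NAME?" convention (argument emitted only when the job defines
// NAME) follows the slide; everything else about this incarnation is this example's own.
type Application struct {
	Name, Version, Executable string
	Arguments                 []string
}

// bash is the slide's entry, transcribed by hand rather than parsed from the IDB XML.
var bash = Application{
	Name: "Bash shell", Version: "3.1.16", Executable: "/bin/bash",
	Arguments: []string{"--debugger $DEBUG?", "-v $VERBOSE?", "$ARGUMENTS?", "$SOURCE?"},
}

// shellQuote makes the script treat s as one literal word, whatever it contains.
func shellQuote(s string) string {
	return "'" + strings.ReplaceAll(s, "'", `'\''`) + "'"
}

// incarnate turns the abstract job's variables into the command line for the TSI script.
// Each template is "<optional literal prefix>$NAME" with an optional trailing "?".
// Values come from the job author and end up in a script run under the mapped Unix login,
// so they are always quoted; an unquoted "$SOURCE" would let "x; rm -rf ~" run as the user.
func incarnate(app Application, vars map[string]string) (string, error) {
	words := []string{app.Executable}
	for _, tmpl := range app.Arguments {
		optional := strings.HasSuffix(tmpl, "?")
		tmpl = strings.TrimSuffix(tmpl, "?")
		prefix, name, found := strings.Cut(tmpl, "$")
		if !found {
			words = append(words, tmpl) // constant argument
			continue
		}
		val, set := vars[strings.TrimSpace(name)]
		switch {
		case set:
			words = append(words, strings.TrimSpace(prefix+shellQuote(val)))
		case optional:
			// job did not define the variable: the whole argument is dropped
		default:
			return "", fmt.Errorf("job does not define required variable %s", name)
		}
	}
	return strings.Join(words, " "), nil
}

func main() {
	fmt.Println(incarnate(bash, map[string]string{"SOURCE": "run.sh", "VERBOSE": "1"}))
}
```

With SOURCE set to a string containing shell metacharacters the result is still a single quoted word, so the batch system receives it as a file name and not as a second command.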
43. UNICORE Quickstart
Easy installation and usage of UNICORE server components with the
Quickstart bundle containing:
all needed server components
demo certificates (for testing only: anyone with the bundle has their private keys)
easy to use graphical installer
44. UNICORE LiveCD
The UNICORE LiveCD contains
complete Linux system
automatically starting server components
pre-configured clients
45. Visit UNICORE on the internet
Downloads, information, documentation, . . . :
http://www.unicore.eu