1. GridUNESP – V Workshop
Certification Authority
Sergio M. Lietti
16 Dec 2009
2. Open Science Grid (OSG)
OSG brings together computing and storage
resources from campuses and research
communities into a common, shared grid
infrastructure over research networks via a common
set of middleware
OSG offers participating research communities
low-threshold access to more resources than they could
afford individually, via a combination of dedicated,
scheduled and opportunistic alternatives
3. Open Science Grid (OSG)
OSG has 82 sites, most of them in the USA, but also in
Brazil, China, Mexico, South Africa, and South Korea.
GridUNESP will soon be one of the OSG sites
4. Security
In order to share the infrastructure between all sites,
security is essential
The Grid Security Infrastructure (GSI) uses public key
cryptography (also known as asymmetric cryptography) as the
basis for its functionality
The primary motivations behind the GSI are:
The need for secure communication (authenticated and perhaps
confidential) between elements of a computational Grid.
The need to support security across organizational boundaries, which
rules out a centrally-managed security system.
The need to support "single sign-on" for users of the Grid, including
delegation of credentials for computations that involve multiple
resources and/or sites.
5. Certificates
Every user and service on the Grid is identified via a
certificate, which contains information vital to
identifying and authenticating the user or service
A GSI certificate includes four primary pieces of
information:
A subject name, which identifies the person or object that
the certificate represents
The public key belonging to the subject
The identity of a Certificate Authority (CA) that has
signed the certificate to certify that the public key and
the identity both belong to the subject
The digital signature of the named CA
6. Certificates
A Certification Authority (CA) is used to certify the
link between the public key and the subject in the
certificate
In order to trust the certificate and its contents, the
CA's certificate must be trusted
GSI certificates are encoded in the X.509 certificate
format, a standard data format for certificates
established by the Internet Engineering Task Force
(IETF)
7. X.509
In cryptography, X.509 is an ITU-T standard for public key
infrastructure (PKI) and Privilege Management Infrastructure
(PMI)
X.509 specifies, amongst other things, standard formats
for public key certificates, certificate revocation lists,
attribute certificates, and a certification path validation
algorithm
In the X.509 system, a CA issues a certificate binding a
public key to a particular Distinguished Name in the
X.500 tradition, or to an Alternative Name such as an e-
mail address or a DNS-entry
8. Public Key Infrastructure
Public-key cryptography is a relatively new cryptographic
approach whose distinguishing characteristic is the use of
asymmetric key algorithms instead of, or in addition to,
symmetric key algorithms
The asymmetric key algorithms are used to create a
mathematically related key pair: a secret private key and a
published public key
Encryption and signature verification are performed with the
public key, while decryption and signing are performed with
the private key
Each user has a pair of cryptographic keys: a public key
and a private key. The private key is kept secret, whilst the
public key may be widely distributed
9. User Certificate files
In Globus, the key file (userkey.pem) and the certificate
file (usercert.pem) correspond to the key pair of
public-key cryptography
The userkey.pem file contains the private key, encrypted
with your passphrase.
The certificate file (usercert.pem) contains your public key
together with additional important information such as the
subject name of the holder of the certificate, the name of the
signing CA, and the digital signature of the CA
Both files are stored inside a directory called .globus in the
user's home directory
12. User Certificate files
In order to obtain a valid passport to the Grid you need to
create a key pair and submit your public key to the CA for
signature (this is called a certificate request).
The CA will follow its certificate policy and, upon successful
evaluation of your request, your public key will be signed and
sent back to you.
The important role of the CA is to establish a trusted
binding between the identity of the user and the public
key in the certificate file
The digital signature of the CA in the user's certificate file
officially declares that the public key in the file belongs to
the specific user (subject name)
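The request-and-sign procedure of slides 9 and 12, followed by the checks a user and a relying party would run afterwards (the subject, issuer and public key fields of slide 5, the match between userkey.pem and usercert.pem, and sign-with-private-key / verify-with-public-key), as an added example driven with the openssl command line. This script is not from the slides or from the Globus Toolkit: it uses a temporary directory in place of ~/.globus, and the CA names, the subject DN, the passphrase and the signed message are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the GridUNESP slides or the Globus Toolkit:
# the life cycle of a Globus-style user credential driven with the openssl
# command line, in a temporary directory that stands in for $HOME/.globus.
set -eu

WORK=$(mktemp -d)
GLOBUS_DIR="$WORK/.globus"        # stand-in for ~/.globus (assumption: never the real one)
KEY_PASS="demo-passphrase-only"   # constructed passphrase; a real key needs a strong one
CNF="$WORK/openssl.cnf"

# Private openssl config so the run does not depend on the system openssl.cnf.
# v3_ca marks the root as a CA; v3_user marks issued certificates as end entities.
cat > "$CNF" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_user]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
EOF

# CA side: key pair plus self-signed root certificate, the trust anchor.
# $1 = short name used as a directory, $2 = subject DN in openssl slash syntax.
make_ca() {
    mkdir -p "$WORK/$1"
    openssl genrsa -out "$WORK/$1/cakey.pem" 2048 2>/dev/null
    openssl req -x509 -new -key "$WORK/$1/cakey.pem" -config "$CNF" \
        -subj "$2" -days 3650 -out "$WORK/$1/cacert.pem" 2>/dev/null
}
# User side: passphrase-encrypted userkey.pem and a certificate request carrying
# the public key and the requested subject name. $1 = subject DN.
make_request() {
    mkdir -p "$GLOBUS_DIR"
    openssl genrsa -aes256 -passout "pass:$KEY_PASS" \
        -out "$GLOBUS_DIR/userkey.pem" 2048 2>/dev/null
    chmod 600 "$GLOBUS_DIR/userkey.pem"    # GSI rejects a key file readable by others
    openssl req -new -config "$CNF" -key "$GLOBUS_DIR/userkey.pem" \
        -passin "pass:$KEY_PASS" -subj "$1" -out "$GLOBUS_DIR/usercert_request.pem" 2>/dev/null
}
# CA side again: once the requester has been vetted under the CA's policy,
# sign the request, producing usercert.pem. $1 = CA short name.
ca_sign() {
    openssl x509 -req -in "$GLOBUS_DIR/usercert_request.pem" \
        -CA "$WORK/$1/cacert.pem" -CAkey "$WORK/$1/cakey.pem" -CAcreateserial \
        -extfile "$CNF" -extensions v3_user -days 365 \
        -out "$GLOBUS_DIR/usercert.pem" 2>/dev/null
    chmod 644 "$GLOBUS_DIR/usercert.pem"
}
# Relying party: is usercert.pem trusted when CA $1 is the only trust anchor?
verify_against() {
    openssl verify -CAfile "$WORK/$1/cacert.pem" "$GLOBUS_DIR/usercert.pem" >/dev/null 2>&1
}
# Subject name and issuing CA from the certificate, in RFC 2253 form.
cert_fields() {
    openssl x509 -in "$GLOBUS_DIR/usercert.pem" -noout -nameopt RFC2253 -subject -issuer
}
# The subject's public key carried by the certificate, as PEM.
cert_pubkey() {
    openssl x509 -in "$GLOBUS_DIR/usercert.pem" -noout -pubkey
}
# Check that the private key on disk really belongs to the certificate.
key_matches_cert() {
    [ "$(cert_pubkey)" = "$(openssl rsa -in "$GLOBUS_DIR/userkey.pem" \
                               -passin "pass:$KEY_PASS" -pubout 2>/dev/null)" ]
}
# Private key signs; the public key taken from the certificate verifies.
sign_and_verify() {
    printf 'constructed message: submit job analysis.sh\n' > "$WORK/msg"
    openssl dgst -sha256 -sign "$GLOBUS_DIR/userkey.pem" -passin "pass:$KEY_PASS" \
        -out "$WORK/msg.sig" "$WORK/msg"
    cert_pubkey > "$WORK/pub.pem"
    openssl dgst -sha256 -verify "$WORK/pub.pem" -signature "$WORK/msg.sig" \
        "$WORK/msg" >/dev/null
}

# Stand-alone run: two unrelated CAs, a user certified by the first one only.
make_ca ansp  "/DC=br/DC=ansp/CN=ANSP Grid CA"
make_ca other "/DC=br/DC=example/CN=Unrelated CA"
make_request  "/DC=br/DC=ansp/O=GridUNESP/CN=Alice Researcher"
ca_sign ansp
cert_fields
verify_against ansp
echo "accepted where the ANSP CA is a trust anchor"
if verify_against other; then echo "unexpected: accepted by an unrelated CA"; exit 1; fi
echo "rejected where only the unrelated CA is trusted"
key_matches_cert
sign_and_verify
echo "userkey.pem matches usercert.pem; signature verifies; files left in $WORK"
```

Run it with sh; it leaves every file under the temporary directory it prints at the end. Against a real CA the request file is submitted through the CA's own channel and the CA's vetting replaces the direct call to ca_sign. The second CA is there to show the trust-anchor rule in practice: the same usercert.pem is accepted only by relying parties that have the issuing CA's certificate installed, which is why a certificate issued by a local CA is usable only at sites that trust that CA.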
13. Certification Authority
Grid Certificates
Hosts and services certificates for the servers
Personal certificates for the users
Why?
Security
User and server identification
Who issues certificates?
A Certification Authority (CA)
IGTF – The International Grid Trust Federation (TAGPMA,
EUGridPMA, APGridPMA, TACAR)
TAGPMA – The Americas Grid Policy Management Authority
14. ANSP Grid Certification Authority
Local Certification Authorities
Brazil – UFF Brazilian Grid CA
São Paulo – the Academic Network at São Paulo Grid CA - soon
Users of ANSP Grid CA
Researchers from the GridUNESP project
Researchers from the state of São Paulo
ANSP Grid CA will
offer a free X.509 certification service for academic research and
development activities in the e-Science and Grid Computing
communities of the state of São Paulo
15. ANSP Grid CA Deployment
ANSP is already a member of TAGPMA
Present status: Accreditation Process.
Recently, ANSP has bought two Hardware
Security Modules (HSMs) to generate and protect the
private key of its root certificate
TAGPMA accreditation allows members to
interoperate with other IGTF participants in
worldwide collaborations on the Grid
16. In the meantime
User certificates will be issued by SimpleCA (from the
Globus Toolkit) installed on the GridUNESP main server
Those certificates will allow users to submit jobs
only to GridUNESP machines
A web page is being constructed so users can
request their certificates
Requests will be approved by research group
leaders and signed certificates will then be sent to
users