Grid Security: PKI Based Authentication Infrastructure
description
Transcript of Grid Security: PKI Based Authentication Infrastructure
![Page 1: Grid Security: PKI Based Authentication Infrastructure](https://reader036.fdocuments.us/reader036/viewer/2022081506/568145a7550346895db29ce3/html5/thumbnails/1.jpg)
Source: The Globus ProjectArgonne National Laboratory
USC Information Sciences Institutehttp://www.globus.org/
Updated/Localised: Rajkumar Buyya
Grid Security: PKI Based Authentication Infrastructure
![Page 2: Grid Security: PKI Based Authentication Infrastructure](https://reader036.fdocuments.us/reader036/viewer/2022081506/568145a7550346895db29ce3/html5/thumbnails/2.jpg)
2
Security
As Grid Resources and Users are Distributed and Owned by different organizations, only authorized users should be allowed to access them.
A simple authentication infrastructure is needed. Also, both users and owners should be protected
from each other. The Users need be assured about security of their:
Data Code Message
![Page 3: Grid Security: PKI Based Authentication Infrastructure](https://reader036.fdocuments.us/reader036/viewer/2022081506/568145a7550346895db29ce3/html5/thumbnails/3.jpg)
3
ExampleSecure Remote Startup
key
cert
gatekeeperclient
1. Exchange certificates, authenticate, delegate
2. Check gridmap file3. Lookup service4. Run service program
(e.g. jobmanager)
jobmanager
key
cert
1.
2.
map
4.
services3.
GSPGSC
![Page 4: Grid Security: PKI Based Authentication Infrastructure](https://reader036.fdocuments.us/reader036/viewer/2022081506/568145a7550346895db29ce3/html5/thumbnails/4.jpg)
4
Grid Security Infrastructure (GSI) based on PKI – as realized in Globus
GSI is:
PKI(CAs and
Certificates)
SSL/TLS
Proxies and Delegation
PKI forcredentials
SSL forAuthenticationAnd message protection
Proxies and delegation (GSIExtensions) for secure singleSign-on
PKI: Public Key Infrastructure, SSL: Secure Socket LayerTLS: Transport Level Security
![Page 5: Grid Security: PKI Based Authentication Infrastructure](https://reader036.fdocuments.us/reader036/viewer/2022081506/568145a7550346895db29ce3/html5/thumbnails/5.jpg)
5
Public Key Infrastructure (PKI) PKI allows you to know that
a given public key belongs to a given user
PKI builds on asymmetric encryption:
Each entity has two keys: public and private
Data encrypted with one key can only be decrypted with other.
The private key is known only to the entity
The public key is given to the world encapsulated in a X.509 certificate
Owner
![Page 6: Grid Security: PKI Based Authentication Infrastructure](https://reader036.fdocuments.us/reader036/viewer/2022081506/568145a7550346895db29ce3/html5/thumbnails/6.jpg)
6
Public Key Infrastructure (PKI) Overview
X.509 Certificates Certificate Authorities (CAs) Certificate Policies
Namespaces Requesting a certificate
Certificate Request Registration Authority
Owner
![Page 7: Grid Security: PKI Based Authentication Infrastructure](https://reader036.fdocuments.us/reader036/viewer/2022081506/568145a7550346895db29ce3/html5/thumbnails/7.jpg)
7
X.509
A widely used standard for defining digital certificates. X.509 is actually an ITU (International Telecommunication Union) Recommendation, which means that it has not yet been officially defined or approved for standardized usage. As a result, companies have implemented the standard in different ways. For example, both Netscape and Microsoft use X.509 certificates to implement SSL in their Web servers and browsers. But an X.509 Certificate generated by Netscape may not be readable by Microsoft products, and vice versa.
![Page 8: Grid Security: PKI Based Authentication Infrastructure](https://reader036.fdocuments.us/reader036/viewer/2022081506/568145a7550346895db29ce3/html5/thumbnails/8.jpg)
8
Certificates
A X.509 certificate binds a public key to a name
It includes a name and a public key (among other things) bundled together and signed by a trusted party (Issuer)
NameIssuerPublic KeySignature
![Page 9: Grid Security: PKI Based Authentication Infrastructure](https://reader036.fdocuments.us/reader036/viewer/2022081506/568145a7550346895db29ce3/html5/thumbnails/9.jpg)
9
Rajkumar Buyya111, Barry St.Carlton, 3053
BD 01-06-1970Male 165cms, 65KgB&W Eyes
State ofVictoria
Seal
Certificates
Similar to passport or driver’s license
NameIssuerPublic KeySignature
![Page 10: Grid Security: PKI Based Authentication Infrastructure](https://reader036.fdocuments.us/reader036/viewer/2022081506/568145a7550346895db29ce3/html5/thumbnails/10.jpg)
10
Certificates
By checking the signature, one can determine that a public key belongs to a given user.
NameIssuerPublic KeySignature
Hash
=?Decrypt
Public Key fromIssuerIss
uer
![Page 11: Grid Security: PKI Based Authentication Infrastructure](https://reader036.fdocuments.us/reader036/viewer/2022081506/568145a7550346895db29ce3/html5/thumbnails/11.jpg)
11
Certificate Authorities (CAs)
A small set of trusted entities known as Certificate Authorities (CAs) are established to sign certificates
A Certificate Authority is an entity that exists only to sign user certificates
The CA signs it’s own certificate which is distributed in a trusted manner
Name: CAIssuer: CACA’s Public KeyCA’s Signature
![Page 12: Grid Security: PKI Based Authentication Infrastructure](https://reader036.fdocuments.us/reader036/viewer/2022081506/568145a7550346895db29ce3/html5/thumbnails/12.jpg)
12
Certificate Authorities (CAs)
The public key from the CA certificate can then be used to verify other certificates
NameIssuerPublic KeySignature
Hash
=?Decrypt
Name: CAIssuer: CACA’s Public KeyCA’s Signature
![Page 13: Grid Security: PKI Based Authentication Infrastructure](https://reader036.fdocuments.us/reader036/viewer/2022081506/568145a7550346895db29ce3/html5/thumbnails/13.jpg)
13
Requesting a Certificate
To request a certificate a user starts by generating a key pair
The private key is stored encrypted with a pass phrase the user gives
The public key is put into a certificate request
CertificateRequest
Public Key
EncryptedOn local
disk
![Page 14: Grid Security: PKI Based Authentication Infrastructure](https://reader036.fdocuments.us/reader036/viewer/2022081506/568145a7550346895db29ce3/html5/thumbnails/14.jpg)
14
Certificate Issuance
The user then takes the certificate to the CA
The CA usually includes a Registration Authority (RA) which verifies the request:
The name is unique with respect to the CA
It is the real name of the user
Etc.
CertificateRequest
Public KeyID
![Page 15: Grid Security: PKI Based Authentication Infrastructure](https://reader036.fdocuments.us/reader036/viewer/2022081506/568145a7550346895db29ce3/html5/thumbnails/15.jpg)
15
Certificate Issuance
The CA then signs the certificate request and issues a certificate for the user
CertificateRequest
Public Key
NameIssuerPublic KeySignature
Sign
![Page 16: Grid Security: PKI Based Authentication Infrastructure](https://reader036.fdocuments.us/reader036/viewer/2022081506/568145a7550346895db29ce3/html5/thumbnails/16.jpg)
16
Secure Socket Layer (SSL)
Also known as TLS (Transport Layer Security) Uses certificates and TCP sockets to provide
a secured connection Authentication of one or both parties using the
certificates Message protection
Confidentiality (encryption) Integrity
Certificates TCP Sockets
SSL/TLS
![Page 17: Grid Security: PKI Based Authentication Infrastructure](https://reader036.fdocuments.us/reader036/viewer/2022081506/568145a7550346895db29ce3/html5/thumbnails/17.jpg)
17
Mutual Authentication
A and B are two parties: Both need to trust each others’ CA.
A B (A establishes connection to B and gives his certificate (name,pub. Key) to B).
B makes sure that it can trust CA of A. B generates random message A and asks it
encrypt it. A encrypts it and send to B B decrypts using A’s public key. If the msg. is
same as what B has sent, then A is who it is claiming to be.
![Page 18: Grid Security: PKI Based Authentication Infrastructure](https://reader036.fdocuments.us/reader036/viewer/2022081506/568145a7550346895db29ce3/html5/thumbnails/18.jpg)
18
Globus Security: Review
GSI extends existing standard protocols & APIs
Based on standards: SSL/TLS, X.509, GSS-API Extensions for single sign-on and delegation
The Globus Toolkit provides: Generic Security Services API (GSS-API) on GSI
protocols The GSS-API is the IETF standard for adding
authentication, delegation, message integrity, and message confidentiality to applications.
Various tools for credential management, login/logout, etc.
![Page 19: Grid Security: PKI Based Authentication Infrastructure](https://reader036.fdocuments.us/reader036/viewer/2022081506/568145a7550346895db29ce3/html5/thumbnails/19.jpg)
19
Obtaining a Certificate
The program grid-cert-request is used to create a public/private key pair and unsigned certificate in ~/.globus/:
usercert_request.pem: Unsigned certificate file userkey.pem: Encrypted private key file
Must be readable only by the owner
Mail usercert_request.pem to [email protected] Receive a Globus-signed certificate
Place in ~/.globus/usercert.pem Other organizations use different approaches
NCSA, NPACI, NASA, etc. have their own CA
![Page 20: Grid Security: PKI Based Authentication Infrastructure](https://reader036.fdocuments.us/reader036/viewer/2022081506/568145a7550346895db29ce3/html5/thumbnails/20.jpg)
20
My Certificate (certified by CA)
Certificate: Data: Version: 3 (0x2) Serial Number: 26 (0x1a) Signature Algorithm: md5WithRSAEncryption Issuer: O=Australian Grid Forum, OU=AusGrid Testbed, CN=ausgrid.org Validity Not Before: Feb 8 03:40:20 2004 GMT Not After : Feb 7 03:40:20 2005 GMT Subject: O=Australian Grid Forum, OU=AusGrid Testbed, OU=cs.mu.oz.au, CN=RajkumarBuyya Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:bb:c7:92:a8:14:75:81:2c:38:b6:45:e9:db:12: a3:6b:e2:66:41:62:44:ef:1a:56:5c:42:71:ec:8b: 04:1e:01:53:43:84:1a:cb:8e:a9:d1:99:67:1f:ef:.. 07:5f:92:04:6e:ca:29:77:ec:9d:f3:36:c2:49:40: 8f:51:8e:63:4e:82:2b:c7:c9:0c:bc:55:ce:01:d1: 8a:f4:dc:19:c4:01:37:f9:9f Exponent: 65537 (0x10001) X509v3 extensions: Netscape Cert Type: SSL Client, SSL Server, S/MIME, Object Signing Signature Algorithm: md5WithRSAEncryption b2:f0:a2:79:bc:2d:0f:02:15:f2:4d:8a:e8:5f:7c:79:1e:43: 09:d9:6e:59:7b:7c:71:87:8c:4a:10:9c:0e:74:ea:26:48:8c: .. 4e:fb:d7:f9:81:eb:d8:74:59:17:fa:c9:64:8d:88:0e:98:1e:
Validity Start/End
![Page 21: Grid Security: PKI Based Authentication Infrastructure](https://reader036.fdocuments.us/reader036/viewer/2022081506/568145a7550346895db29ce3/html5/thumbnails/21.jpg)
21
-----BEGIN CERTIFICATE-----MIICAzCCAWygAwIBAgIBCDANBgkqhkiG9w0BAQQFADBHMQswCQY
<snip>u5tX5R1m7LrBeI3dFMviJudlihloXfJ2BduIg7XOKk5g3JmgauK4-----END CERTIFICATE-----
Sample usercert.pem: (public key)
-----BEGIN RSA PRIVATE KEY-----Proc-Type: 4,ENCRYPTEDDEK-Info: DES-EDE3-CBC,1E924694DBA7D9D1+W4FEPdn/oYntAJPw2tfmrGZ82FH611o1gtvjSKH79wdFxzKhnz474Ijo5Bl
<snip>et5QnJ6hAO4Bhya1XkWyKHTPs/2tIflKn0BNIIIYM+s=-----END RSA PRIVATE KEY-----
Sample userkey.pem (private key):
Certificate and Key Data
![Page 22: Grid Security: PKI Based Authentication Infrastructure](https://reader036.fdocuments.us/reader036/viewer/2022081506/568145a7550346895db29ce3/html5/thumbnails/22.jpg)
22
Certificate Information
To get cert information run grid-cert-info% grid-cert-info –subject/O=Australian Grid Forum/OU=AusGrid Testbed/OU=cs.mu.oz.au/CN=Rajkumar Buyya
Options for printing cert information-all -startdate-subject -enddate-issuer -help
[raj@belle .globus]$ grid-proxy-info subject : /O=Australian Grid Forum/OU=AusGrid
Testbed/OU=cs.mu.oz.au/CN=Rajkumar Buyya/CN=proxy issuer : /O=Australian Grid Forum/OU=AusGrid
Testbed/OU=cs.mu.oz.au/CN=Rajkumar Buyya identity : /O=Australian Grid Forum/OU=AusGrid
Testbed/OU=cs.mu.oz.au/CN=Rajkumar Buyya type : full legacy globus proxy strength : 512 bits path : /tmp/x509up_u501 timeleft : 0:59:25
![Page 23: Grid Security: PKI Based Authentication Infrastructure](https://reader036.fdocuments.us/reader036/viewer/2022081506/568145a7550346895db29ce3/html5/thumbnails/23.jpg)
23
“Logging on” to the Grid
To run programs, authenticate to Globus:% grid-proxy-initEnter PEM pass phrase: ******
Creates a temporary, local, short-lived proxy credential for use by our computations
Options for grid-proxy-init:-hours <lifetime of credential>-bits <length of key>-help
![Page 24: Grid Security: PKI Based Authentication Infrastructure](https://reader036.fdocuments.us/reader036/viewer/2022081506/568145a7550346895db29ce3/html5/thumbnails/24.jpg)
24
grid-proxy-init Details
grid-proxy-init creates the local proxy file. User enters pass phrase, which is used to
decrypt private key. Private key is used to sign a proxy certificate
with its own, new public/private key pair. User’s private key not exposed after proxy has
been signed Proxy placed in /tmp, read-only by user NOTE: No network traffic! grid-proxy-info displays proxy details
![Page 25: Grid Security: PKI Based Authentication Infrastructure](https://reader036.fdocuments.us/reader036/viewer/2022081506/568145a7550346895db29ce3/html5/thumbnails/25.jpg)
25
Grid Sign-On With grid-proxy-init
User certificate file
Private Key(Encrypted)
PassPhrase
User Proxycertificate file
![Page 26: Grid Security: PKI Based Authentication Infrastructure](https://reader036.fdocuments.us/reader036/viewer/2022081506/568145a7550346895db29ce3/html5/thumbnails/26.jpg)
26
Destroying Your Proxy (logout)
To destroy your local proxy that was created by grid-proxy-init:% grid-proxy-destroy
This does NOT destroy any proxies that were delegated from this proxy. You cannot revoke a remote proxy Usually create proxies with short lifetimes
![Page 27: Grid Security: PKI Based Authentication Infrastructure](https://reader036.fdocuments.us/reader036/viewer/2022081506/568145a7550346895db29ce3/html5/thumbnails/27.jpg)
27
Proxy Information
To get proxy information run grid-proxy-info% grid-proxy-info -subject/O=Grid/O=Globus/OU=cs.mu.oz.au/CN=Rajkumar Buyya
Options for printing proxy information-subject -issuer-type -timeleft-strength -help
Options for scripting proxy queries-exists -hours <lifetime of credential>-exists -bits <length of key>
Returns 0 status for true, 1 for false:
![Page 28: Grid Security: PKI Based Authentication Infrastructure](https://reader036.fdocuments.us/reader036/viewer/2022081506/568145a7550346895db29ce3/html5/thumbnails/28.jpg)
28
Important Files
/etc/grid-security hostcert.pem: certificate used by the server in mutual
authentication hostkey.pem: private key corresponding to the
server’s certificate (read-only by root) grid-mapfile: maps grid subject names to local user
accounts (really part of gatekeeper) /etc/grid-security/certificates
CA certificates: certs that are trusted when validating certs, and thus needn’t be verified
ca-signing-policy.conf: defines the subject names that can be signed by each CA
![Page 29: Grid Security: PKI Based Authentication Infrastructure](https://reader036.fdocuments.us/reader036/viewer/2022081506/568145a7550346895db29ce3/html5/thumbnails/29.jpg)
29
Important Files
$HOME/.globus usercert.pem: User’s certificate (subject name,
public key, CA signature) userkey.pem: User’s private key (encrypted
using the user’s pass phrase) /tmp
Proxy file(s): Temporary file(s) containing unencrypted proxy private key and certificate (readable only by user’s account)
Same approach Kerberos uses for protecting tickets
![Page 30: Grid Security: PKI Based Authentication Infrastructure](https://reader036.fdocuments.us/reader036/viewer/2022081506/568145a7550346895db29ce3/html5/thumbnails/30.jpg)
30
Secure Services
On most Unix machines, inetd listens for incoming service connections and passes connections to daemons for processing.
On Grid servers, the gatekeeper securely performs the same function for many services It handles mutual authentication using files
in /etc/grid-security It maps to local users via the gridmap file
![Page 31: Grid Security: PKI Based Authentication Infrastructure](https://reader036.fdocuments.us/reader036/viewer/2022081506/568145a7550346895db29ce3/html5/thumbnails/31.jpg)
31
Sample Gridmap File
# Distinguished name Local# username"/O=Australian Grid Forum/OU=AusGrid Testbed/OU=cs.mu.oz.au/CN=Rajkumar Buyya" bellegrid
"/O=Australian Grid Forum/OU=AusGrid Testbed/OU=cs.mu.oz.au/CN=Srikumar Venugopal" bellegrid"/O=Grid/O=Globus/OU=cs.mu.oz.au/CN=Jia Yu" jiayu"/C=JP/O=AIST GTRC/CN=Peerapon Vateekul/[email protected]" mikegrid
Gridmap file maintained by Globus administrator
Entry maps Grid-id into local user name(s)
![Page 32: Grid Security: PKI Based Authentication Infrastructure](https://reader036.fdocuments.us/reader036/viewer/2022081506/568145a7550346895db29ce3/html5/thumbnails/32.jpg)
32
ExampleSecure Remote Startup
key
cert
gatekeeperclient
1. Exchange certificates, authenticate, delegate
2. Check gridmap file3. Lookup service4. Run service program
(e.g. jobmanager)
jobmanager
key
cert
1.
2.
map
4.
services3.
![Page 33: Grid Security: PKI Based Authentication Infrastructure](https://reader036.fdocuments.us/reader036/viewer/2022081506/568145a7550346895db29ce3/html5/thumbnails/33.jpg)
33
Simple job submission
globus-job-run provides a simple RSH compatible interface % grid-proxy-init Enter PEM pass phrase: *****
% globus-job-run host program [args] Authentication Test
% globusrun –a –r hostname
![Page 34: Grid Security: PKI Based Authentication Infrastructure](https://reader036.fdocuments.us/reader036/viewer/2022081506/568145a7550346895db29ce3/html5/thumbnails/34.jpg)
34
Delegation
Delegation = remote creation of a (second level) proxy credential New key pair generated remotely on server Proxy cert and public key sent to client Clients signs proxy cert and returns it Server (usually) puts proxy in /tmp
Allows remote process to authenticate on behalf of the user Remote process “impersonates” the user
![Page 35: Grid Security: PKI Based Authentication Infrastructure](https://reader036.fdocuments.us/reader036/viewer/2022081506/568145a7550346895db29ce3/html5/thumbnails/35.jpg)
35
Limited Proxy
During delegation, the client can elect to delegate only a “limited proxy”, rather than a “full” proxy GRAM (job submission) client does this
Each service decides whether it will allow authentication with a limited proxy Job manager service requires a full proxy GridFTP server allows either full or limited
proxy to be used
![Page 36: Grid Security: PKI Based Authentication Infrastructure](https://reader036.fdocuments.us/reader036/viewer/2022081506/568145a7550346895db29ce3/html5/thumbnails/36.jpg)
36
Restricted Proxies
A generalization of the simple limited proxies Desirable to have fine-grained restrictions Reduces exposure from compromised proxies
Embed restriction policy in proxy cert Policy is evaluated by resource upon proxy use Reduces rights available to the proxy to a subset of
those held by the user A proxy no longer grants full impersonation rights
Extensible to support any policy language
![Page 37: Grid Security: PKI Based Authentication Infrastructure](https://reader036.fdocuments.us/reader036/viewer/2022081506/568145a7550346895db29ce3/html5/thumbnails/37.jpg)
37
ExerciseSign-On & Remote Process
Creation Use grid-cert-info to examine your cert:
% grid-cert-info -all
Use grid-proxy-init to create a proxy certificate:% grid-proxy-initEnter PEM pass phrase:......................................+++++.....+++++
Use grid-proxy-info to query proxy:% grid-proxy-info -subject
Use globus-job-run to start remote programs:% globus-job-run jupiter.isi.edu /usr/bin/ls -l /tmp
![Page 38: Grid Security: PKI Based Authentication Infrastructure](https://reader036.fdocuments.us/reader036/viewer/2022081506/568145a7550346895db29ce3/html5/thumbnails/38.jpg)
38
Generic Security Service API
The GSS-API is the IETF draft standard for adding authentication, delegation, message integrity, and message confidentiality to apps For secure communication between two parties over a
reliable channel (e.g. TCP) GSS-API separates security from communication,
which allows security to be easily added to existing communication code. Filters on each end of the communications link
GSS-API Extensions defined in GGF draft Globus Toolkit components all use GSS-API
![Page 39: Grid Security: PKI Based Authentication Infrastructure](https://reader036.fdocuments.us/reader036/viewer/2022081506/568145a7550346895db29ce3/html5/thumbnails/39.jpg)
39
gss_inquire_cred()
Extract information (e.g. the subject name) from a credential
gss_inquire_cred_by_oid()
Extract information associated with a OID (owner ID) from a credential (e.g. information in certificate extensions)Will be in future version > GT 2.0
![Page 40: Grid Security: PKI Based Authentication Infrastructure](https://reader036.fdocuments.us/reader036/viewer/2022081506/568145a7550346895db29ce3/html5/thumbnails/40.jpg)
40
Authorization
GSI handles authentication, but authorization is a separate issue
Authorization issues: Management of authorization on a multi-organization grid
is still an interesting problem. The grid-mapfile doesn’t scale well, and works only at the
resource level, not the collective level. Large communities that share resources exacerbates
authorization issues, which has led us to CAS (Community Authorization Service)…
Why not use Grid Bank Services ? All those GSPs providing services through the Grid
Marketplace can allow any consumer to access their services as long as GridBank guarantees the payment,
![Page 41: Grid Security: PKI Based Authentication Infrastructure](https://reader036.fdocuments.us/reader036/viewer/2022081506/568145a7550346895db29ce3/html5/thumbnails/41.jpg)
41
X509v3 Digital Certificate
…………
Subject:
“/O=Grid/O=Globus/OU=cs.uwa.edu.au/CN=Chris McDonald”
…………
Clients
ResourcesResource access authorization file (grid-mapfile)
“/O=Grid/O=Globus/OU=cs.uwa.edu.au/CN=Alexander Barmouta” alex
“/O=Grid/O=Globus/OU=cs.mu.oz.au/CN=Rajkumar Buyya” rajkumar
“/O=Grid/O=Globus/OU=cs.uwa.edu.au/CN=Chris McDonald” chris
X509v3 Digital Certificate
…………
Subject:
“/O=Grid/O=Globus/OU=cs.uwa.edu.au/CN=Alexander Barmouta”
…………
X509v3 Digital Certificate
…………
Subject:
“/O=Grid/O=Globus/OU=cs.mu.oz.au/CN=Rajkumar Buyya”
…………
Access Scalability Problem
![Page 42: Grid Security: PKI Based Authentication Infrastructure](https://reader036.fdocuments.us/reader036/viewer/2022081506/568145a7550346895db29ce3/html5/thumbnails/42.jpg)
42
Resource access authorization file (grid-mapfile)
“/O=Grid/O=Globus/OU=cs.uwa.edu.au/CN=GridBank” gridbank
GridBank
Template (local) accounts
gbaccount1
gbaccount2
gbaccount3
Resource access authorization file (grid-mapfile)
“/O=Grid/O=Globus/OU=cs.uwa.edu.au/CN=GridBank” gridbank
“/O=Grid/O=Globus/OU=cs.uwa.edu.au/CN=Alexander Barmouta” gbaccount1
Template (local) accounts
gbaccount2
gbaccount3
Request to access resource
Passing client’s Certificate Subject
Execute job
GridBank Accounts“/O=Grid/O=Globus/OU=cs.uwa.edu.au/CN=Alexander Barmouta”
“/O=Grid/O=Globus/OU=cs.mu.oz.au/CN=Rajkumar Buyya”
“/O=Grid/O=Globus/OU=cs.uwa.edu.au/CN=Chris McDonald”
GridBank’s Solution to Access Scalability Problem: Modified gatekeeper
![Page 43: Grid Security: PKI Based Authentication Infrastructure](https://reader036.fdocuments.us/reader036/viewer/2022081506/568145a7550346895db29ce3/html5/thumbnails/43.jpg)
43
Security Summary
Programs for credential management grid-cert-info, grid-proxy-init, grid-proxy-
destroy, grid-proxy-info GSS-API: The Globus Toolkit Grid
Security Infrastructure (GSI) uses this API, which allows programs to easily add security
globus_gss_assist: This is a simple wrapper around GSS-API, making it easier to use