Security Middleware and VOMS service status

Andrew McNab, Grid Security Research Fellow

University of Manchester


11 January 2006 A.McNab – Grid Security

Outline

● GridSiteWiki
● Shibboleth
● Delegation
● GridHTTP
● SiteCast
● VOMS middleware
● VOMS service


GridSiteWiki

• Uses software developed for the collaborative “Wikipedia” encyclopedia
– Added support for the certificates that grid users already have, for authentication
– So no need to remember passwords

• Raises the question of what other “legacy” web systems can be gridified

• But there's Shibboleth going live soon too...


Shibboleth

• Shibboleth is being adopted by JISC to replace ATHENS for library / database services
– For all UK University / NHS staff & students

• As part of FAME-PERMIS, we've implemented a stopgap Shibboleth Identity Provider
– Leverages X.509 certs/DNs by allowing the user to choose a username / password to use
• Adding support to GridSite for Shibboleth attributes, to turn GridSites into Service Providers


Delegation

● GSI proxy delegation was part of Globus 2 binary protocols

● For Web Service / SOAP grids, we need a new way to do this
● We proposed a set of HTTP delegation methods during EDG

● For EGEE, we wrote the WSDL / SOAP delegation portType now used by EGEE (Manchester-UK & KTH-SE) implementations, and by WLMS and Data Management

● There are ongoing discussions with OSG and Globus about merging the EGEE portType with Globus's new delegation service
– During January, we (Manchester-UK & KTH-SE) are producing C and Java implementations of the revised EGEE portType


GridHTTP

● htcp and GridSite make it easy to use HTTP(S) for reading and writing files on remote servers

● One advantage of GridFTP was support for 3rd party transfers between remote sites

● GridSite now supports this using the WebDAV COPY method and one-time passcodes
– Authentication / authorization / obtaining the passcode happens via HTTPS
– The file transfer itself goes over HTTP using the one-time passcode

● Currently adding multistream remote transfers
– Managing passcodes remotely is the issue...
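The one-time passcode flow described on this slide, as an added example that is not part of the original presentation or of GridSite itself: the server issues a passcode only after the HTTPS authentication and authorization step, then accepts it exactly once, bound to the path, method and lifetime it was issued for. The class and function names and the 60 s lifetime are assumptions.

```python
import secrets
import time

PASSCODE_TTL = 60.0  # seconds a passcode stays valid (assumed value)

class PasscodeStore:
    """Server-side table of one-time passcodes issued but not yet used."""

    def __init__(self, now=time.time):
        self._now = now        # injectable clock, so expiry can be tested
        self._issued = {}      # passcode -> (path, method, expiry)

    def issue(self, path, method):
        """HTTPS step: the caller has already authenticated with its X.509
        certificate and been authorised for `method` on `path`, so the
        passcode is bound to exactly that request and nothing else."""
        code = secrets.token_urlsafe(16)  # 128 random bits, unguessable
        self._issued[code] = (path, method, self._now() + PASSCODE_TTL)
        return code

    def redeem(self, code, path, method):
        """HTTP step: accept the passcode at most once, only for the path
        and method it was bound to, and only before it expires. Any attempt
        consumes it, so a mismatched use cannot be retried."""
        entry = self._issued.pop(code, None)
        if entry is None:
            return False
        bound_path, bound_method, expiry = entry
        if self._now() > expiry:
            return False
        return bound_path == path and bound_method == method

    def expire_stale(self):
        """Drop passcodes that were issued but never presented."""
        now = self._now()
        stale = [c for c, (_, _, exp) in self._issued.items() if now > exp]
        for c in stale:
            del self._issued[c]
        return len(stale)

def third_party_copy(dest, dest_path):
    """Walk the COPY flow against the destination's store: the client gets
    the passcode over HTTPS, the source server then PUTs the file over HTTP
    carrying it. Returns (first_put_accepted, replay_accepted)."""
    code = dest.issue(dest_path, "PUT")            # client, via HTTPS
    first = dest.redeem(code, dest_path, "PUT")    # source server, via HTTP
    replay = dest.redeem(code, dest_path, "PUT")   # second use is refused
    return first, replay
```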


SiteCast

● Using HTTP(S) for file transfers has also been taken up by EGEE WLMS

● We're now looking at how to locate local replicas of files on GridSite HTTP(S) servers

● Have designed a simple replica location system for farms with many disks/hosts
– Now implemented server-side and in htcp
– Uses UDP multicast to find lists of replicas of a given file: looks at the filesystem rather than a database

● Intend to do test deployments on some of the Tier-2 equipment (pre-production farm first)


VOMS middleware

● GridSite parses VOMS attribute certificates from LCG / EGEE VOMS servers

● As VOMS is deployed, scaling problems are emerging
– Need to distribute the certificate of each VOMS server to each host (WN?) which will check the attribute certificates
– N(hosts) x N(VOs) ?!?!?

● One solution is to include the VOMS server cert along with the attribute certificate
– Being implemented by INFN-IT (server), Manchester-UK (client C) and KTH-SE (client Java) this month


GridPP VOMS (slides from Alessandra Forti)

• GridPP national VOMS to support:
– Smaller VOs such as phenogrid, t2k
– Local VOs

• Agreement with NGS for mutual support
– Common infrastructure to maintain the VOMS servers
– Common VO support
– Common distribution of information
– Enable each other's VOs on each other's systems


What is happening

• ½ FTE for VO management support:
– Sergey Dolgodobrov

• Support is part of the Tier2 infrastructure
– 3 servers for GridPP: 1 test, 1 production, 1 backup
– 2 servers for NGS: 1 production, 1 backup

• Sergey will be the VOMS administrator and will provide VO support

• The production VOMS server (voms.gridpp.ac.uk) has been installed and is ready to be used

• 2 VOs have already been enabled
– Gridpp (for testing)
– T2k


How to enable a VO

• A formal request has to be made to the ROC
– Ask Jeremy Coles

• Information about the VO has to be supplied in the request
– Name, description, VO manager, VO security contact

• The request has to be approved by the PMB
– The PMB meets every week so it won't take long

• After approval the VO gets created on the VOMS server
– The VO manager will then be able to add users

• The information needed to enable the VO at sites will then be downloadable from the GridPP web site
– This might change in the future if the CIC portal is used instead
– VOs will be responsible for keeping the information up-to-date

• More details on the procedure can be found at http://www.gridpp.ac.uk/deployment/users/newvo.html


Summary

● Through JISC funding, we're doing some work on Shibboleth support

● We continue to work with EGEE JRA3 to provide tools for other parts of EGEE / LCG.

● Delegation and VOMS support are being reworked currently.

● “GridHTTP” extended to support 3rd party transfers

● SiteCast offers lightweight replica location.
● Joseph, Yibiao and Sergey are making a big contribution to all these ongoing subprojects