Title: caGrid 1.0 Trust Architecture, 3rd TAGPMA Face-to-Face Meeting, Texas Advanced Computing Center, Austin
1 caGrid 1.0 Trust Architecture
3rd TAGPMA Face-to-Face Meeting
Texas Advanced Computing Center (Austin, Texas)
November 29th, 2006
- Scott Oster
- oster_at_bmi.osu.edu
- Department of Biomedical Informatics
- The Ohio State University
2 Agenda
- caBIG/caGrid Overview
- Grid Trust Service (GTS) Overview
  - Certificate Validation Profiles
  - Managing Trust Fabric with GTS
  - SyncGTS
  - GTS Federation
- Dorian Overview
  - Identity Federation
  - Trusted Authorities
  - Dorian Identity Provider
  - Dorian/GTS Integration
3 Cancer Biomedical Informatics Grid (caBIG™)
- The cancer Biomedical Informatics Grid (caBIG) is a voluntary network or grid connecting individuals and institutions to enable the sharing of data and tools, creating a World Wide Web of cancer research. The goal is to speed the delivery of innovative approaches for the prevention and treatment of cancer. The infrastructure and tools created by caBIG also have broad utility outside the cancer community.
- http://cabig.cancer.gov/
- National Cancer Institute Initiative
- Over 800 Participants
- Over 80 Organizations
- Over 70 Projects
NCI's 2015 Goal: Relieve suffering and death due to cancer by the year 2015
4 caGrid
- Grid Infrastructure for caBIG
- Higher Level Components and Infrastructure for satisfying caBIG requirements
- caGrid Provided Components
  - Grid Service Graphical Development Toolkit (Introduce)
  - Metadata
  - Advertisement and Discovery
  - Semantic Services
  - Data Service Infrastructure
  - Analytical Service Infrastructure
  - Identifiers
  - Workflow
  - Security
5 caGrid 1.0 Security Components
- Grid Trust Service (GTS)
  - Creation and Management of a federated trust fabric
  - Supports applications and services in deciding whether or not signers of digital credentials/user attributes can be trusted
- Dorian
  - Grid User Account Management / Identity Management and Federation
  - Enable users to use their institution-provided identity for authenticating to a Grid
- Grid Grouper
  - Grid Group / VO Management
  - Enables Group/VO Based Authorization
- Grid CA
  - Command Line platform independent certificate authority.
- Security Communication Metadata
  - The ability for two parties to negotiate a communication mechanism based on the server's requirements
6 Grid Trust Service (GTS): Provisioning and Managing a Federated Trust Fabric
7 Problem
- How do the grid clients/services know which CA certificates to trust?
8 Certificate Validation Profiles
- Locally Stored Locally Validated Profile (LSLV)
  - Trusted Certificates are locally stored
  - Revocation Lists stored locally
  - Certificates received are validated against locally stored trusted certificates
  - Equivalent to XKMS Tier 0
- Pros
  - Almost no infrastructure required
- Cons
  - Difficult to keep trusted CA list current
  - Trust Fabric in the hands of users
9 Certificate Validation Profiles
- Remotely Retrieved Locally Validated Profile (RRLV)
  - Trusted Certificates exist and are managed by a Trust Service
  - Certificates received are validated against trusted certificates retrieved from a trust service
  - Equivalent to XKMS Tier 1
- Pros
  - Authentication performed against the current trust fabric
  - Validation done locally, specialized validation requirements can be enforced.
- Cons
  - Validation done locally, poor enforcement could lead to a potential security risk
  - Relies on bootstrapping from the Trust Service
10 Certificate Validation Profiles
- Remotely Stored Remotely Validated Profile (RSRV)
  - Trusted Certificates exist and are managed by a Trust Service
  - Certificates received are sent to a Trust Service to be validated
  - Equivalent to XKMS Tier 2
- Pros
  - Authentication performed against the current trust fabric
  - Validation done remotely and enforced globally
  - Local deployment no longer responsible for validation
  - Certificate Path Discovery Managed.
  - Enforcement of CA Signing Policies
- Cons
  - Network Overhead
11 Certificate Validation Profiles Supported Today
- Globus 4.0 employs the Locally Stored Locally Validated Profile (LSLV)
  - File System Directory of Trusted Certificates
    - Contains Certificate and Certificate Revocation List (CRL) for each trusted CA
  - Certificate Validation
    - Certificates are validated if they are signed by a certificate contained in the Globus Trusted Certificate Directory
- A number of difficulties arise employing this at the scale of caBIG
  - Hard for grid administrators to manage
  - Difficult to provision trusted authorities
  - Difficult to provision CRLs
  - Trust Fabric in the hands of users
12 Certificate Validation Profiles: Adding Support to Globus
- Supporting Remotely Retrieved Locally Validated Profile (RRLV) in Globus
  - Use trust service to obtain trusted CA certificates and CRLs and store them in the Globus Trusted Certificate directory
  - Trust Service client manages the Globus Trusted Certificate directory for Globus, keeping it up to date
  - Limited changes to Globus required, just run the Trust Service Client for syncing Globus with the Trust Service
- Supporting Remotely Stored Remotely Validated Profile (RSRV) in Globus
  - Globus contacts Trust Service during authentication to determine if the credentials in question are signed by a Trusted CA
  - Trust Service performs all validation and enforces revocation lists
  - Support requires source changes to the Globus Toolkit
    - Several changes need to be made in the Globus communication layers
    - Changes need to be made in the Proxy validation layer
13 Grid Trust Service (GTS)
- Grid Trust Service (GTS)
  - WSRF Grid Service
  - Trust Level Creation and Management
  - Provides Support for Managing Trusted Certificate Authorities
    - Administrators register/manage certificate authorities and CRLs with GTS
  - Client tools synchronize Globus Trust Framework with GTS
    - Remotely Retrieved Locally Validated Profile (RRLV)
    - Globus is authenticating against the current trust fabric
  - Distributed GTS, enabling the creation of a scalable trust fabric
14 GTS Support for Certificate Validation Profiles
- Provide full support for the Remotely Retrieved Locally Validated Profile (RRLV)
- Support the trust service side of the Remotely Stored Remotely Validated Profile (RSRV)
  - GTS provides a validation service interface (not used in current Globus integration)
  - Full profile support will require changes to Globus to support a validation callout
15 Grid Trust Service (GTS)
- Trust Level Management
  - GTS provides a mechanism for defining and managing Trust Levels
  - GTS Administrators can Add/Update/Remove Trust Levels
    - Requires grid credentials (GTS Administrator)
  - Each Trusted Authority is assigned levels of trust
  - GTS can be queried by level of trust
16 Grid Trust Service (GTS)
- Trusted Authorities
  - GTS manages a set of certificate authorities that are trusted in the grid to sign grid credentials or grid proxy certificates
  - Trusted Authority: A certificate authority trusted by the GTS
    - Name: Subject of the CA Certificate
    - Trust Levels: The Levels of Trust associated with the CA
    - Status: The current status of the CA (Trusted or Suspended)
    - Certificate: The CA certificate that corresponds to the private key that is used by the CA to sign certificates (credentials)
    - Certificate Revocation List (CRL): CA signed list of revoked credentials
    - Is Authority: Specifies whether or not the GTS listing this Trusted Authority is the authority for it
    - Authority GTS: The authoritative GTS for the Trusted Authority
    - Source GTS: The GTS from which the current GTS obtained the Trusted Authority
    - Expiration: The date after which this Trusted Authority should no longer be trusted
17 Grid Trust Service (GTS)
- Managing Trusted Authorities
  - GTS provides support for adding/updating/removing Trusted Authorities through its Grid Service Interface
    - Requires Grid Credentials or Proxy Certificate of a GTS Administrator
  - GTS Provides an administrative Java Client
  - GTS Provides an administrative GUI
18 Grid Trust Service (GTS)
- Querying for Trusted Authorities
  - GTS provides a public mechanism for discovering/querying the Trusted Certificate Authorities
  - Query interface enables synchronization tools to be built to synchronize authorities trusted by Globus with those trusted by the GTS
  - GTS Provides a Java Search Client
  - GTS Provides a GUI built on top of the Search Client.
  - Query Criteria
    - Name
    - Trust Level
    - Status (Trusted, Suspended)
    - Lifetime (Valid, Expired)
    - Is Authority
    - Authority GTS
    - Source GTS
19 Sync GTS
- Toolkit used for synchronizing client and service containers with the GTS
- Takes in a set of GTS Queries and executes them on a set of GTS services, synchronizing the results of the queries with the Globus Trusted Certificates Directory
- Supports multiple execution mechanisms
  - Grid Service in a grid service container
  - Embedded in a client or service
  - Command Line
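As an added illustration (not SyncGTS's own code), the Python sketch below models one SyncGTS pass: the query criteria of the GTS search interface are applied to constructed Trusted Authority records, and the results are written to a Globus-style trusted certificate directory as `<hash>.0` (CA certificate) and `<hash>.r0` (CRL) files, removing files for CAs no longer returned. The record layout, the manifest file and the sha1-based `ca_hash` are simplifying assumptions made here; Globus names these files by the OpenSSL subject hash.

```python
import hashlib
import tempfile
from datetime import datetime
from pathlib import Path

NOW = datetime(2006, 11, 29)
# Constructed sample of a GTS Trusted Authority query result; cert/CRL bodies are placeholders.
GTS_RECORDS = [
    {"name": "/O=caBIG/CN=caGrid CA", "levels": {"Level1"}, "status": "Trusted",
     "expiration": datetime(2007, 11, 29), "cert": "CERT caGrid", "crl": "CRL caGrid"},
    {"name": "/O=OSU/CN=Test CA", "levels": {"Level2"}, "status": "Suspended",
     "expiration": datetime(2007, 11, 29), "cert": "CERT Test", "crl": "CRL Test"},
    {"name": "/O=Old/CN=Retired CA", "levels": {"Level1"}, "status": "Trusted",
     "expiration": datetime(2006, 1, 1), "cert": "CERT Retired", "crl": "CRL Retired"},
]

def query_gts(records, now, name=None, trust_level=None, status=None, lifetime=None):
    """GTS query criteria name, trust level, status and lifetime; None means no filter."""
    hits = []
    for r in records:
        valid = r["expiration"] > now
        if name is not None and r["name"] != name:
            continue
        if trust_level is not None and trust_level not in r["levels"]:
            continue
        if status is not None and r["status"] != status:
            continue
        if (lifetime == "Valid" and not valid) or (lifetime == "Expired" and valid):
            continue
        hits.append(r)
    return hits

def ca_hash(name):
    """Stand-in for the OpenSSL subject-name hash Globus uses to name <hash>.0 files."""
    return hashlib.sha1(name.encode()).hexdigest()[:8]

def sync_trust_dir(trust_dir, gts_services, queries, now):
    """One SyncGTS pass: run every query against every GTS, write cert and CRL per result,
    and delete files an earlier pass wrote for CAs no longer returned (tracked in a manifest)."""
    trust_dir = Path(trust_dir)
    manifest = trust_dir / ".syncgts"
    previous = set(manifest.read_text().split()) if manifest.exists() else set()
    current = set()
    for records in gts_services:
        for q in queries:
            for r in query_gts(records, now, **q):
                h = ca_hash(r["name"])
                current.add(h)
                (trust_dir / f"{h}.0").write_text(r["cert"])
                (trust_dir / f"{h}.r0").write_text(r["crl"])
    for h in previous - current:  # CA dropped from the trust fabric: stop trusting it
        for suffix in (".0", ".r0"):
            (trust_dir / f"{h}{suffix}").unlink(missing_ok=True)
    manifest.write_text("\n".join(sorted(current)))
    return sorted(current)

def demo():
    d = tempfile.mkdtemp()  # first pass: all valid CAs; second pass: only Trusted ones
    first = sync_trust_dir(d, [GTS_RECORDS], [{"lifetime": "Valid"}], NOW)
    second = sync_trust_dir(d, [GTS_RECORDS], [{"status": "Trusted", "lifetime": "Valid"}], NOW)
    left = sorted(p.name for p in Path(d).iterdir() if not p.name.startswith("."))
    return first, second, left
```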
20 Grid Trust Service (GTS) Federation
- GTS Federation
  - A GTS can inherit Trusted Authorities and Trust Levels from other GTS instances
  - Allows one to build a scalable Trust Fabric
  - Allows institutions to stand up their own GTS, inheriting all the trusted authorities in the wider grid, yet being able to add their own authorities that might not yet be trusted by the wider grid
  - A GTS can also be used to join the trust fabrics of two or more grids
21 Grid Trust Service (GTS) Federation
- Each GTS contains a list of Authoritative Grid Trust Services
  - Authority GTS
    - GTS Service End Point
    - Priority
      - Specifies the priority of an authority GTS with respect to other authority GTS
      - Used in resolving conflicts between authority grid trust services
    - Time to Live
      - Specifies how long a Trust Authority should be valid
    - Synchronize Trust Level
      - Specifies whether or not to sync the trust levels
    - Perform Authorization
      - Specifies whether or not to perform authorization
      - If perform authorization is specified, the identity of the authority GTS must also be specified
- The GTS can be configured how often to sync with its authorities
- On syncing a GTS will obtain all valid Trusted Authorities and Trust Levels (if specified) from each authority GTS and organize them locally based on priority
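Added example, not GTS code: a Python model of one federation sync pass as described above. Field names follow the Trusted Authority record and the Authority GTS entry on these slides; that a lower priority number wins a conflict, and that an inherited entry expires after its Authority GTS entry's Time to Live, are assumptions made here.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta

@dataclass
class TrustedAuthority:          # subset of the GTS Trusted Authority record
    name: str                    # subject of the CA certificate
    trust_levels: frozenset
    status: str                  # "Trusted" or "Suspended"
    expiration: datetime
    is_authority: bool = True    # the listing GTS is the authority for it
    authority_gts: str = "local"
    source_gts: str = "local"

@dataclass
class AuthorityGTS:              # one entry of a GTS's Authority GTS list
    endpoint: str
    priority: int                # assumption: a lower number wins conflicts
    time_to_live: timedelta
    sync_trust_levels: bool
    trust_levels: frozenset      # what querying this GTS for trust levels returns
    authorities: list            # what querying it for Trusted Authorities returns

def sync_with_authorities(local, local_levels, authority_list, now):
    """One sync pass. Entries this GTS is itself the authority for are kept; everything
    inherited is rebuilt from the authority list: valid entries only, conflicts resolved
    by priority, expiration set from Time to Live, trust levels merged only if enabled."""
    merged = {ta.name: ta for ta in local.values() if ta.is_authority}
    levels = set(local_levels)
    for gts in sorted(authority_list, key=lambda g: g.priority):
        if gts.sync_trust_levels:
            levels |= gts.trust_levels
        for ta in gts.authorities:
            if ta.expiration <= now:
                continue          # expired at the authority: do not inherit
            if ta.name in merged:
                continue          # defined locally or by a higher-priority GTS
            merged[ta.name] = replace(
                ta, is_authority=False, source_gts=gts.endpoint,
                authority_gts=gts.endpoint if ta.is_authority else ta.authority_gts,
                expiration=now + gts.time_to_live)
    return merged, frozenset(levels)

NOW = datetime(2006, 11, 29)
A, B, ROOT = "https://gts-a.example/GTS", "https://gts-b.example/GTS", "https://root.example/GTS"
# Constructed sample: GTS A (priority 1) and GTS B (priority 2) both list caGrid CA.
AUTHORITY_LIST = [
    AuthorityGTS(B, 2, timedelta(days=1), False, frozenset({"Level2"}), [
        TrustedAuthority("CN=caGrid CA", frozenset({"Level1"}), "Suspended", NOW + timedelta(days=365)),
        TrustedAuthority("CN=Partner CA", frozenset({"Level2"}), "Trusted", NOW + timedelta(days=30),
                         is_authority=False, authority_gts=ROOT, source_gts=ROOT)]),
    AuthorityGTS(A, 1, timedelta(days=7), True, frozenset({"Level1"}), [
        TrustedAuthority("CN=caGrid CA", frozenset({"Level1"}), "Trusted", NOW + timedelta(days=365)),
        TrustedAuthority("CN=Retired CA", frozenset({"Level1"}), "Trusted", NOW - timedelta(days=1))]),
]
LOCAL = {"CN=OSU CA": TrustedAuthority("CN=OSU CA", frozenset({"Local"}), "Trusted", NOW + timedelta(days=365))}

def demo():
    return sync_with_authorities(LOCAL, {"Local"}, AUTHORITY_LIST, NOW)
```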
22 Grid Trust Service (GTS) Federation
23 Grid Trust Service (GTS) Federation
- Managing GTS Authorities for a GTS
  - GTS provides support for adding/updating/removing GTS Authorities through its Grid Service Interface
    - Requires Grid Credentials or Proxy Certificate of a GTS Administrator
  - GTS Provides an administrative Java Client
  - GTS Provides an administrative GUI
24 Dorian: Identity Management and Federation
25 Grid Security Authentication Overview
- Clients authenticate to the grid using a grid proxy
  - Grid Proxy consists of a private key and proxy certificate signed by the user's grid credentials
  - Extension of X.509 Identity Certificates
  - Short Lifetime
  - Asserts Identity of users and services
  - Enables single sign-on
    - Short Term Certificate, signed by client's long term private key
  - Supports Delegation
- Grid Credentials consist of a long term certificate and private key
26 caGrid Authentication
- Identity / User Provisioning Problem
  - Hundreds of organizations, Tens of thousands of users
  - How do we assign Identity to users, how do we provision user accounts?
  - Who should assert the identity for a given user?
- Givens
  - Access to data will be through a Grid Infrastructure
  - Some users may need to have access to de-identified/identified medical data
  - Local Institutional Review Boards (IRBs) will need their policies enforced
  - Some Users already have accounts at their home institutions
  - Local Account provisioning policies differ from institution to institution
27 Identity Management and Federation
- caBIG Security Whitepaper recommends the use of Identity Management and Federation to facilitate Authentication
  - A system that allows individuals to use the same user name, password or other personal identification to sign on to the systems of more than one enterprise in order to conduct transactions
- Enable users to use their institution provided identity for authenticating to a Grid
  - User should be able to authenticate to the Grid using their institution's existing mechanisms
[Image taken from the caBIG Security Evaluation White Paper]
28 Identity Management and Federation
- Identity Provider (IdP)
  - Federation partner that vouches for the identity of a user
  - The IdP authenticates the user, and provides an authentication token (proof) to the service provider
- Service Provider (SP)
  - A service provider is a federation partner that provides services to end users
  - Relies on IdP to authenticate users
- Security Assertion Markup Language (SAML)
  - XML Based Security Language for exchanging authentication and authorization information
29 Dorian: Grid Identity Management and Federation
- Grid User Account Management
  - Administrative interface for account provisioning and management
  - Built in Certificate Authority
  - Manages Grid Credentials for each user
  - Enables users to authenticate and create grid proxies, which they may use to access the grid
- Identity Management and Federation
  - Integration point between external security domains and the grid
  - User may use existing credentials to obtain a grid proxy
  - Users authenticate to IdP, obtain a SAML assertion (proof) which is then given to Dorian to facilitate the creation of a grid proxy
  - Automated Account Creation and Provisioning
30 Dorian: Grid Identity Management and Federation
- WSRF Compliant Web Service
  - Secure Communication
  - Administrative Operations
  - User Operations
- Dorian Identity Provider
  - Built in username/password IdP
  - Enables developers, smaller groups, research labs, unaffiliated users, and other groups without an IdP to use Dorian as their IdP, such that they may leverage Dorian for creating grid credentials
- Administrative GUI
31 Dorian: Grid Identity Management and Federation
- Users authenticate to IdP, obtain a SAML assertion (proof) which is then given to Dorian to facilitate the creation of a grid proxy
- Trust is established between
  - Dorian and registered IdPs
    - Dorian must trust the identity assertions
  - Dorian and Clients
    - Clients must trust Dorian to manage the exchange
  - Dorian and Services
    - Services must trust Dorian-created User credentials
- Dorian acts as a trust integration point between Identity Providers and Service Providers
32 Dorian Proxy Creation
- Proxy Creation Workflow
  - Client authenticates with Local IdP
  - Client creates public/private key pair to use for grid proxy
  - Client requests Dorian to create a grid proxy
  - Dorian verifies that the SAML assertion provided by the user is signed by a Trusted IdP and that the user has a valid account
  - Dorian locates the user's grid credentials, private key and certificate
  - Dorian uses the public key provided to create a proxy certificate and signs it with the user's private key
  - Dorian returns the proxy certificate to the user
  - The user may now use the proxy to authenticate to grid services
[Diagram labels: Username / Password (or other); SAML Assertion; Signed]
33 Dorian Grid User Account Creation
- A grid account is created the first time a user accesses Dorian with a SAML Assertion signed by a registered Trusted Identity Provider
- Each grid account has a status associated with it
  - Active, Pending, Suspended, Expired
  - Only users with an Active Status will be given access to the grid
- The initial status of a user account upon creation depends on the user policy configured with their IdP
  - A User Policy is applied to a user's account every time they request that a proxy is created
- Example User Policy
  - Auto Approval: Upon account creation, the user's account status is set to Active; they will be immediately granted access to the grid
  - Manual Approval: Upon account creation, the user's account status is set to Pending, and an administrator will need to grant them access to the grid
- User Policies enable the administration of Dorian to be as hands on/off as the administrators wish
34 Dorian Grid User Accounts
- Grid User Account
  - IdP
  - Local User Id
    - Used to uniquely identify a user within the context of an IdP
  - First Name
  - Last Name
  - Email
  - User Role: Role within Dorian (admin?)
  - User Status: Account Status, Active, Pending, Suspended
  - Grid Credentials
    - Private Key: Used in signing proxy certificates
    - Long term Certificate
- Grid Identity
  - Dorian CA Metadata, Trusted IdP Id, Local User Id
  - /O=OSU/OU=BMI/OU=caGrid/OU=Dorian/OU=localhost/OU=IdP 1/CN=jdoe
    - Dorian CA Metadata: /O=OSU/OU=BMI/OU=caGrid/OU=Dorian/OU=localhost
    - IdP Id: OU=IdP 1
    - Local User Id: CN=jdoe
35 Dorian: Managing Trusted Identity Providers
- Trusted Identity Provider: An IdP which Dorian is configured to trust and manage grid user accounts for
  - Id: Dorian assigned Identifier for the IdP
  - Name: Human Readable Name for easy identification
  - Status: Active / Suspended
  - User Policy: Executed when users authenticate, dictates a policy to apply to a user's account
  - Allowed Authentication Methods
  - IdP Certificate: Certificate whose corresponding private key will be used in signing SAML assertions
36 Dorian Identity Provider
- Dorian Identity Provider (Dorian IdP): Enables developers, smaller groups, research labs, unaffiliated users, and other groups without an IdP to use Dorian as their IdP, such that they may leverage Dorian for creating grid credentials
- Registration: Provides a registration mechanism through the grid service interface
- Authentication: Username/Password Authentication over grid service interface; successful authentication returns a SAML assertion which can later be consumed by Dorian in exchange for a grid proxy
- Account Management: Provides administrative operations for managing Dorian IdP accounts
37 Dorian Identity Provider Registration / Authentication
- Potential Users obtain an account on the Dorian IdP by registering
  - Grid Service Interface provides a mechanism for registering with the Dorian IdP account
    - Uses internally standardized AuthenticationService interface
  - Dorian GUI provides graphical interface for registering with the Dorian IdP
- Account creation depends on how the Dorian IdP is configured
  - Auto Creation
  - Manual Creation
- Once Approved, registered users can authenticate (username, password) to the Dorian IdP to obtain a SAML Assertion which can then be used to create a proxy
38 Dorian Identity Provider User Management
- Dorian IdP User Management
  - Manage User Account Information
  - Manage Account Status
    - Active, Suspended, Pending.
  - Grant IdP Admin Rights
- Account Management done through grid service interface, only users with admin rights may manage accounts
- Full Account Management Support through the Dorian GUI
39 Dorian Integration with GTS
- Dorian provides the optional capability to integrate with a Grid Trust Service (GTS)
  - When a Dorian managed user account is disabled, Dorian publishes an updated CRL to the GTS indicating that the user's corresponding certificate is invalid
  - When a trusted Identity Provider is disabled, all corresponding User accounts are disabled
  - Dorian service identity must be given administrative privileges to the appropriate GTS Trusted Authority (Dorian's CA)
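Added example, not Dorian's code: a Python model of the proxy-creation checks (slides 32 and 33), the grid identity layout (slide 34) and the GTS integration on this slide, covering account disablement and the IdP-disable cascade. SAML signature verification is reduced to comparing a certificate label, `GTSStub` stands in for the GTS CRL update call, no certificates are actually signed, and the CA metadata prefix is the one from the slide 34 example.

```python
from dataclasses import dataclass

# Dorian CA metadata prefix taken from the slide 34 example identity.
CA_PREFIX = "/O=OSU/OU=BMI/OU=caGrid/OU=Dorian/OU=localhost"

@dataclass
class TrustedIdP:             # subset of the Trusted Identity Provider fields
    idp_id: int
    status: str               # "Active" or "Suspended"
    user_policy: str          # "AutoApproval" or "ManualApproval"
    cert: str                 # label standing in for the IdP's SAML signing certificate

@dataclass
class GridAccount:            # subset of the Grid User Account fields
    idp_id: int
    local_user_id: str
    status: str               # Active, Pending, Suspended, Expired
    cert_serial: int          # serial of the user's Dorian-issued long term certificate

class GTSStub:
    """Stand-in for the GTS CRL update call; records the latest CRL per CA name."""
    def __init__(self): self.crls = {}
    def update_crl(self, ca_name, serials): self.crls[ca_name] = list(serials)

class Dorian:
    def __init__(self, gts):
        self.gts, self.idps, self.accounts, self.crl, self.next_serial = gts, {}, {}, set(), 1

    def grid_identity(self, acct):
        return f"{CA_PREFIX}/OU=IdP {acct.idp_id}/CN={acct.local_user_id}"

    def create_proxy(self, assertion):
        """Assertion must come from an Active trusted IdP; the account is created on
        first contact, the IdP user policy is applied on every request, Active only."""
        idp = self.idps.get(assertion["idp_id"])
        if idp is None or idp.status != "Active" or assertion["signed_by"] != idp.cert:
            raise PermissionError("assertion not signed by an active trusted IdP")
        key = (idp.idp_id, assertion["local_user_id"])
        if key not in self.accounts:
            self.accounts[key] = GridAccount(*key, "Pending", self.next_serial)
            self.next_serial += 1
        acct = self.accounts[key]
        if idp.user_policy == "AutoApproval" and acct.status == "Pending":
            acct.status = "Active"
        if acct.status != "Active":
            raise PermissionError(f"account is {acct.status}")
        return {"subject": self.grid_identity(acct), "signer_serial": acct.cert_serial}

    def disable_account(self, key):
        acct = self.accounts[key]
        acct.status = "Suspended"
        self.crl.add(acct.cert_serial)                    # user's certificate is now invalid
        self.gts.update_crl(CA_PREFIX, sorted(self.crl))  # publish the updated CRL to the GTS

    def disable_idp(self, idp_id):
        self.idps[idp_id].status = "Suspended"
        for key, acct in self.accounts.items():           # cascade to that IdP's accounts
            if key[0] == idp_id and acct.status == "Active":
                self.disable_account(key)
```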
40 caGrid 1.0 Security Team
- Team
  - Shannon Hastings
  - Tahsin Kurc
  - Vinay Kumar
  - Stephen Langella (Security Lead)
  - Scott Oster
  - Joel Saltz
  - Frank Siebenlist