Session10part1 Server Intro
Transcript

  • 1. Mitglied der Helmholtz-Gemeinschaft Introduction to UNICORE 07.07.2009 Rebecca Breu
  • 2. Outline Security issues UNICORE server components and how they interact Bastian Demuth: server internals Sessions 11 and 12: UNICORE clients, workflow basics 07.07.2009 Slide 2
  • 3. Security Issues Grid resources communicate via internet → no firewalls to protect from outside world Intruders may . . . read messages between resources alter messages between resources connect to two resources and relay messages between them: man-in-the-middle attack flood resources with messages: denial-of-service attack 07.07.2009 Slide 3
  • 4. Encryption Symmetric encryption: Same key used to encrypt and decrypt a message Disadvantage: Every pair of users must exchange keys Asymmetric encryption: Each user owns a pair of private and public key Public keys can be exchanged openly Sender encrypts message with the receiver’s public key Receiver decrypts message with his own private key 07.07.2009 Slide 4
  • 5. Digital Signing Encryption: Messages can’t be read or altered by intruders How do we know where a message really comes from? Digital signing: Sender encrypts a message with his private key Receiver decrypts the message with the sender’s public key Main issue: Get sender’s public key from a trusted source 07.07.2009 Slide 5
  • 6. Certification Authorities How do we know who is the real person behind a key? → Certification Authority (CA), e.g. GILDA, CA-Cert, . . . User creates private key and a matching certificate request User sends certificate request to a CA CA checks user’s identity and signs the certificate request CA sends user their signed public key (certificate) Each key contains info about user (real name, email) and signer (CA). 07.07.2009 Slide 6
  • 7–16. SSL (Secure Sockets Layer) SSL Secure network communication via private/public keys. (Animated Client/Server diagram, built up over slides 7–16: “Hello”; each side sends “Here’s my public key” and asks “Do I trust the signer?”; each side sends a random challenge (“Please decrypt: Dx8Gwo” / “Please decrypt: k3oAS2”) encrypted with the counterpart’s key; each side decrypts with its private key and answers (“Decrypted: i7Uay4” / “Decrypted: PgD9mt”); each side checks “Does it match?”.) 07.07.2009 Slide 7
  • 17. SSL (Secure Sockets Layer) Client connects to server Server sends client its public key Client checks if it trusts the signer of the server’s key Server requests client’s public key Server checks if it trusts the signer of the client’s key Server and client check if the counterpart owns the private key belonging to the public key Exchange of random messages encrypted with the counterpart’s public key Counterpart must decrypt message with its private key Decrypted message must equal the original message 07.07.2009 Slide 8
  • 18. Security in UNICORE UNICORE has a strong security concept: Each user has their own private key Each server component has its own private key Connections between user’s clients and UNICORE servers use SSL UNICORE server components use the user’s keys for authentication and authorisation UNICORE server components use SSL to connect to each other 07.07.2009 Slide 9
  • 19. UNICORE Architecture Global registry: Central point of a UNICORE grid Keeps track of all available services Gateway: ”Door to outside world” in firewall may serve several resources behind one firewall unicorex: Central point for job processing and managing Checks user certificate with XUUDB XUUDB (UNICORE user database): Mapping between user certificates, user logins, roles TSI (Target System Interface): Submits jobs to batch system Components use SSL connections 07.07.2009 Slide 11
  • 20. The Registry The Registry: Provide clients with information about services Two kinds: global / local Global or central registry: Serves as a ‘Grid’ Knows all target systems and workflow services Services dynamically register with (one or more) registries Local registry per service container (e.g. unicorex) For registering service instances Full WS-RF Service UNICORE Registry in Gilda: https://gilda-lb-01.ct.infn.it:8080/REGISTRY/services/Registry? 07.07.2009 Slide 12
  • 21–25. The Global Registry (Animated diagram, built up over slides 21–25: resources publish their contact to the registry; a client asks the registry “What resources do you know?” and receives a list of resources.) 07.07.2009 Slide 13
  • 26. Registry Entries Registry entries as seen with the Eclipse Client (expert view): 07.07.2009 Slide 14
  • 27–33. When a job is being submitted . . . (Diagram of Client, Gateway, unicorex, XUUDB and TSI, built up over slides 27–33.) Client establishes SSL connection to Gateway. Client contacts unicorex via Gateway. Client sends signed abstract job to unicorex. unicorex asks XUUDB if the user belonging to the certificate is allowed job execution. unicorex gets login from XUUDB. unicorex translates abstract job into machine-dependent script. unicorex sends machine-dependent script to TSI. 07.07.2009 Slide 15
  • 34. Jobs Abstract job definitions: Given in JSDL (Job Submission Description Language) XML specification from the Global Grid Forum Contain for example: Job name, description Resource requirements (RAM, number of CPUs needed, . . . ) Information about transferring files before or after execution An application name and version Each job has a life time – after that its data is deleted from the server 07.07.2009 Slide 16
  • 35. The Gateway The Gateway: Gateway talks to clients and servers located on other sites All communication from server components of this site goes via Gateway Gateway must trust the CAs of users Users must trust the CA of the Gateway UNICORE Gateway of Gilda: https://gilda-lb-01.ct.infn.it:8080 The UNICORE Registry of Gilda https://gilda-lb-01.ct.infn.it:8080/REGISTRY/services/Regist A unicorex of Gilda: https://gilda-lb-01.ct.infn.it:8080/REGISTRY/GILDA-CATANIA 07.07.2009 Slide 17
  • 36. The unicorex unicorex: Authorises requests using the authorisation service XUUDB Translates abstract job into concrete job for target system via the IDB Provides storage resources Provides file transfer services Provides job management services 07.07.2009 Slide 18
  • 37. The XUUDB XUUDB: Maps user certificates to logins on that machine Assigns roles (user, admin, . . . )
    Nr | GcID    | Xlogin | Role | Projects | DN
    ---+---------+--------+------+----------+-----------------------------------
    1  | OMII_EI | rbreu  | user |          | CN=Rebecca Breu, OU=JSC, OU=
    2  | OMII_EI | sandra | user |          | EMAILADDRESS=s.bergmann@fz-j
    07.07.2009 Slide 19
  • 38. The TSI The TSI . . . forks a process which runs with the user’s ID creates a temporary directory on the target system (uspace) changes current working directory to uspace submits job to local batch system Input and output: all input needed for job has to be copied into the uspace all output that is to survive the end of job execution has to be copied elsewhere Terms used: File import: File transfer from somewhere into uspace File export: File transfer from uspace to somewhere 07.07.2009 Slide 20
  • 39. The Uspace 07.07.2009 Slide 21
  • 40. IDB: Incarnation Database The IDB is a file with rules for translating abstract jobs into executable scripts.
    <idb:IDBApplication>
      <idb:ApplicationName>Bash shell</idb:ApplicationName>
      <idb:ApplicationVersion>3.1.16</idb:ApplicationVersion>
      <jsdl:POSIXApplication xmlns:jsdl="http://schemas.ggf.org/jsdl
        <jsdl:Executable>/bin/bash</jsdl:Executable>
        <jsdl:Argument>--debugger$DEBUG?</jsdl:Argument>
        <jsdl:Argument>-v$VERBOSE?</jsdl:Argument>
        <jsdl:Argument>$ARGUMENTS?</jsdl:Argument>
        <jsdl:Argument>$SOURCE?</jsdl:Argument>
      </jsdl:POSIXApplication>
    </idb:IDBApplication>
    07.07.2009 Slide 23
  • 41. UNICORE Quickstart Easy installation and usage of UNICORE server components with the Quickstart bundle containing: all needed server components demo certificates easy to use graphical installer 07.07.2009 Slide 24
  • 42. UNICORE LiveCD The UNICORE LiveCD contains complete Linux system automatically starting server components pre-configured clients 07.07.2009 Slide 25
  • 43. Visit UNICORE on the internet Downloads, information, documentation, . . . : http://www.unicore.eu 07.07.2009 Slide 26
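The handshake checks listed on slide 17 (trust the signer, then prove ownership of the private key), carried through as an added worked example that is not part of the slides and not UNICORE code. A textbook RSA with tiny primes and no padding stands in for real certificates so the script runs stand-alone; the CA names, subject names and key seeds are constructed, and the reason strings returned by handshake() are my own wording.

```python
"""Toy model of the SSL trust and key-ownership checks listed on slide 17.

Added example, not code from the UNICORE slides. Textbook RSA with tiny primes
stands in for a real library so it runs stand-alone; only the logic of the
checks carries over to TLS, not the arithmetic (no padding, no real key sizes).
"""
import hashlib
import secrets
from dataclasses import dataclass

def next_prime(n):
    while any(n % k == 0 for k in range(2, int(n ** 0.5) + 1)):
        n += 1
    return n

def make_keypair(seed, e=65537):
    """Slide 4: each party owns a (public, private) pair, here (e, n) and (d, n)."""
    p = next_prime(seed)
    q = next_prime(p + 1)
    while True:
        try:
            return (e, p * q), (pow(e, -1, (p - 1) * (q - 1)), p * q)
        except ValueError:              # e shares a factor with phi: pick another q
            q = next_prime(q + 1)

def encrypt(pub, m):                    # slide 4: encrypt with the receiver's public key
    return pow(m, pub[0], pub[1])

def decrypt(priv, c):                   # slide 4: decrypt with one's own private key
    return pow(c, priv[0], priv[1])

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):                   # slide 5: the signer uses the private key
    return pow(digest(data, priv[1]), priv[0], priv[1])

def verify(pub, data, sig):             # slide 5: anyone checks with the public key
    return pow(sig, pub[0], pub[1]) == digest(data, pub[1])

@dataclass(frozen=True)
class Certificate:
    """Slide 6: subject's public key plus subject and issuer names, signed by the CA."""
    subject: str
    key: tuple
    issuer: str
    signature: int = 0

    def to_be_signed(self):
        return f"{self.subject}|{self.key[0]}|{self.key[1]}|{self.issuer}".encode()

def issue_certificate(ca_name, ca_priv, subject, subject_pub):
    request = Certificate(subject, subject_pub, ca_name)          # the certificate request
    return Certificate(subject, subject_pub, ca_name, sign(ca_priv, request.to_be_signed()))

def signer_trusted(cert, trusted_cas):
    """'Do I trust the signer?': issuer in my CA list and its signature valid."""
    ca_pub = trusted_cas.get(cert.issuer)
    return ca_pub is not None and verify(ca_pub, cert.to_be_signed(), cert.signature)

def proves_ownership(cert, counterpart_decrypt):
    """Random message encrypted with the certified key; only the key holder can return it."""
    challenge = secrets.randbelow(cert.key[1] - 2) + 1
    return counterpart_decrypt(encrypt(cert.key, challenge)) == challenge

def handshake(client_cert, client_priv, server_cert, server_priv, client_trust, server_trust):
    """The check order of slide 17; returns (accepted, reason)."""
    if not signer_trusted(server_cert, client_trust):
        return False, "client: server certificate signed by an untrusted CA"
    if not signer_trusted(client_cert, server_trust):
        return False, "server: client certificate signed by an untrusted CA"
    if not proves_ownership(server_cert, lambda c: decrypt(server_priv, c)):
        return False, "client: server does not own the private key"
    if not proves_ownership(client_cert, lambda c: decrypt(client_priv, c)):
        return False, "server: client does not own the private key"
    return True, "mutual authentication succeeded"

def demo():
    """Happy path plus the two failure modes the checks exist for (all keys constructed)."""
    ca_pub, ca_priv = make_keypair(20000)          # the grid CA both sides trust
    _, rogue_priv = make_keypair(30000)            # a CA nobody trusts
    srv_pub, srv_priv = make_keypair(40000)
    cli_pub, cli_priv = make_keypair(50000)
    _, thief_priv = make_keypair(60000)            # holds the server cert, not its key
    trust = {"Grid CA": ca_pub}
    srv_cert = issue_certificate("Grid CA", ca_priv, "CN=unicorex", srv_pub)
    cli_cert = issue_certificate("Grid CA", ca_priv, "CN=Rebecca Breu", cli_pub)
    rogue_cert = issue_certificate("Rogue CA", rogue_priv, "CN=unicorex", srv_pub)
    return {
        "ok": handshake(cli_cert, cli_priv, srv_cert, srv_priv, trust, trust),
        "untrusted_ca": handshake(cli_cert, cli_priv, rogue_cert, srv_priv, trust, trust),
        "stolen_cert": handshake(cli_cert, cli_priv, srv_cert, thief_priv, trust, trust),
    }

if __name__ == "__main__":
    for name, (accepted, reason) in demo().items():
        print(f"{name:13} {'ACCEPT' if accepted else 'REJECT'}  {reason}")
```

The two rejected cases are the ones slide 3 motivates: a certificate from a CA the client has not configured is refused before any challenge is sent, and a party that presents a genuine certificate without the matching private key fails the decrypt-and-compare step, which is what stops a relay from impersonating the server.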
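The unicorex steps of slides 30 to 40 (ask the XUUDB whether the certificate holder may run jobs, take the login, then incarnate the abstract job through an IDB entry), as an added example that is not UNICORE's code. The XUUDB rows and the sample job are constructed (the DNs on slide 37 are cut off), the XML namespaces are placeholders rather than the real IDB/JSDL ones, and reading `$VAR?` as "emit this argument only when VAR is set" is my interpretation of slide 40, not a description of UNICORE's IDB syntax.

```python
"""Toy model of the unicorex steps on slides 30-40: XUUDB authorisation, then
incarnation of the abstract job through an IDB entry.

Added example, not UNICORE code. XUUDB rows, job and namespaces are constructed;
the "$VAR?" rule below is my reading of slide 40, not UNICORE's documented syntax.
"""
import re
import shlex
import xml.etree.ElementTree as ET

NS = {"idb": "urn:example:idb", "jsdl": "urn:example:jsdl"}   # placeholder namespaces

# Constructed XUUDB rows with the columns of slide 37 (Xlogin, Role, DN).
XUUDB = {
    "CN=Alice Example,OU=Demo CA": {"xlogin": "alice", "role": "user"},
    "CN=Bob Example,OU=Demo CA": {"xlogin": "bob", "role": "banned"},
}
JOB_ROLES = {"user", "admin"}            # roles that may execute jobs (assumption)

def authorise(dn):
    """Slides 30-31: is the certificate holder allowed job execution? Return the login."""
    row = XUUDB.get(dn)
    if row is None:
        raise PermissionError(f"certificate {dn!r} is not mapped in the XUUDB")
    if row["role"] not in JOB_ROLES:
        raise PermissionError(f"role {row['role']!r} may not submit jobs")
    return row["xlogin"]

# The IDB entry of slide 40, with placeholder namespace declarations added.
IDB_XML = """<idb:IDBApplication xmlns:idb="urn:example:idb" xmlns:jsdl="urn:example:jsdl">
  <idb:ApplicationName>Bash shell</idb:ApplicationName>
  <idb:ApplicationVersion>3.1.16</idb:ApplicationVersion>
  <jsdl:POSIXApplication>
    <jsdl:Executable>/bin/bash</jsdl:Executable>
    <jsdl:Argument>--debugger$DEBUG?</jsdl:Argument>
    <jsdl:Argument>-v$VERBOSE?</jsdl:Argument>
    <jsdl:Argument>$ARGUMENTS?</jsdl:Argument>
    <jsdl:Argument>$SOURCE?</jsdl:Argument>
  </jsdl:POSIXApplication>
</idb:IDBApplication>"""

def load_idb(xml_text):
    """Parse one IDBApplication element into a plain dict."""
    root = ET.fromstring(xml_text)
    posix = root.find("jsdl:POSIXApplication", NS)
    return {
        "name": root.findtext("idb:ApplicationName", namespaces=NS),
        "version": root.findtext("idb:ApplicationVersion", namespaces=NS),
        "executable": posix.findtext("jsdl:Executable", namespaces=NS),
        "arguments": [a.text for a in posix.findall("jsdl:Argument", NS)],
    }

OPTIONAL = re.compile(r"\$([A-Za-z_]\w*)\?")

def expand_argument(template, env):
    """Substitute every $VAR? with the job's value; drop the argument if any VAR is unset."""
    names = OPTIONAL.findall(template)
    if any(name not in env for name in names):
        return None
    return OPTIONAL.sub(lambda m: env[m.group(1)], template)

def incarnate(job, idb, xlogin):
    """Slides 32-33: abstract job -> machine-dependent script handed to the TSI."""
    if (job["application"], job["version"]) != (idb["name"], idb["version"]):
        raise LookupError("no IDB entry for this application/version")
    argv = [idb["executable"]]
    for template in idb["arguments"]:
        value = expand_argument(template, job["environment"])
        if value is not None:
            argv.append(value)
    # Argument values come from the user's job, so quote them before a shell sees them.
    script = "\n".join([
        "#!/bin/sh",
        f"# runs under login {xlogin} inside the job's uspace (slide 38)",
        'cd "$USPACE" || exit 1',
        " ".join(shlex.quote(a) for a in argv),
    ])
    return argv, script

def submit(dn, job, idb_xml=IDB_XML):
    """The whole chain of slides 30-33: XUUDB authorisation, then IDB incarnation."""
    xlogin = authorise(dn)
    return incarnate(job, load_idb(idb_xml), xlogin)

# Constructed abstract job (slide 34 lists what such a job carries).
SAMPLE_JOB = {"application": "Bash shell", "version": "3.1.16",
              "environment": {"VERBOSE": "", "SOURCE": "input file.sh"}}

if __name__ == "__main__":
    argv, script = submit("CN=Alice Example,OU=Demo CA", SAMPLE_JOB)
    print(argv)
    print(script)
```

Two points the slides state but do not show in code: the XUUDB lookup is a hard gate (an unmapped certificate or a role outside the allowed set stops the job before any script exists), and because the values substituted into the IDB arguments originate from the user's job, they are shell-quoted before the script line is built so that a value with spaces or metacharacters reaches the executable as a single argument.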
