2. Outline
Security issues
UNICORE server components and how they interact
Bastian Demuth: server internals
Sessions 11 and 12: UNICORE clients, workflow basics
07.07.2009 Slide 2
3. Security Issues
Grid resources communicate via the internet → no firewalls to protect them from the outside world
Intruders may . . .
read messages between resources
alter messages between resources
connect to two resources and relay messages between them: man-in-the-middle attack
flood resources with messages: denial-of-service attack
4. Encryption
Symmetric encryption:
Same key used to encrypt and decrypt a message
Disadvantage: Every pair of users must exchange keys
Asymmetric encryption:
Each user owns a pair of private and public key
Public keys can be exchanged openly
Sender encrypts message with the receiver’s public key
Receiver decrypts message with his own private key
5. Digital Signing
Encryption:
Messages can’t be read or altered by intruders
How do we know where a message really comes from?
Digital signing:
Sender encrypts a message with his private key
Receiver decrypts the message with the sender’s public key
Main issue: Get sender’s public key from a trusted source
6. Certification Authorities
How do we know who is the real person behind a key?
→ Certification Authority (CA), e.g. GILDA, CA-Cert, . . .
User creates private key and a matching certificate request
User sends certificate request to a CA
CA checks user’s identity and signs the certificate request
CA sends user their signed public key (certificate)
Each certificate contains info about the user (real name, email) and the signer (CA).
7. SSL (Secure Sockets Layer)
SSL: Secure network communication via private/public keys.
The slide animates one client/server exchange (the same frame is repeated once per step):
Client → Server: Hello
Server → Client: Here’s my public key (Client: Do I trust the signer?)
Client → Server: Here’s my public key (Server: Do I trust the signer?)
Client → Server: Please decrypt: Dx8Gwo (encrypted with the server key)
Server → Client: Please decrypt: k3oAS2 (encrypted with the client key)
Each side decrypts the message it received with its own private key
Replies: Decrypted: i7Uay4 / Decrypted: PgD9mt
Each side: Decrypt and check. Does it match?
17. SSL (Secure Sockets Layer)
Client connects to server
Server sends client its public key
Client checks if it trusts the signer of the server’s key
Server requests client’s public key
Server checks if it trusts the signer of the client’s key
Server and client check if the counterpart owns the private key belonging to the public key:
Exchange of random messages encrypted with the counterpart’s public key
Counterpart must decrypt message with its private key
Decrypted message must equal the original message
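The steps just listed, together with the encryption, signing and CA slides before them, modelled in Python as an added example that is not part of the original slides or of UNICORE: a toy textbook-RSA CA signs public keys, each side checks whether it trusts the signer, and each side then proves it owns its private key by decrypting a random message. All primes and names are constructed for the demo, the hash-then-sign certificate layout is an assumption, and real SSL/TLS uses padded RSA or ECDSA rather than raw textbook RSA, so this is a model of the slides’ description, not a secure implementation.

```python
import hashlib
import secrets
# Textbook RSA with small constructed primes: a model of the slides' steps,
# not a real SSL/TLS implementation (those use padded RSA or ECDSA).
def make_keypair(p, q, e=17):
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))          # (public key, private key)

def rsa(key, m):                                  # apply (n, exponent) to m
    return pow(m, key[1], key[0])

def cert_digest(name, pub, n):                    # hash of the certificate body
    body = f"{name}|{pub[0]}|{pub[1]}".encode()
    return int.from_bytes(hashlib.sha256(body).digest(), "big") % n

class CA:
    """Checks the user's identity (out of band) and signs the public key."""
    def __init__(self, p, q):
        self.pub, self._priv = make_keypair(p, q)
    def issue(self, name, pub):
        sig = rsa(self._priv, cert_digest(name, pub, self.pub[0]))
        return {"name": name, "pub": pub, "sig": sig}

def trusts(cert, trusted_cas):
    """'Do I trust the signer?': the signature must verify under a trusted CA key."""
    return any(rsa(ca, cert["sig"]) == cert_digest(cert["name"], cert["pub"], ca[0])
               for ca in trusted_cas)

class Party:
    def __init__(self, name, p, q, ca, trusted_cas):
        self.pub, self._priv = make_keypair(p, q)
        self.cert = ca.issue(name, self.pub)      # the signed public key
        self.trusted_cas = trusted_cas
    def decrypt(self, c):                         # "Decrypt with private key"
        return rsa(self._priv, c)

def proves_possession(peer_cert, peer_decrypt, m):
    """A random message m encrypted with the counterpart's public key must come
    back unchanged after the counterpart decrypts it with its private key."""
    return peer_decrypt(rsa(peer_cert["pub"], m)) == m

def handshake(client, server):   # exchange keys, check both signers, prove ownership
    if not (trusts(server.cert, client.trusted_cas)
            and trusts(client.cert, server.trusted_cas)):
        return False
    for peer in (server, client):
        m = secrets.randbelow(peer.cert["pub"][0] - 2) + 2    # "Please decrypt: ..."
        if not proves_possession(peer.cert, peer.decrypt, m):   # "Does it match?"
            return False
    return True
```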
18. Security in UNICORE
UNICORE has a strong security concept:
Each user has their own private key
Each server component has its own private key
Connections between users’ clients and UNICORE servers use SSL
UNICORE server components use the user’s keys for authentication and authorisation
UNICORE server components use SSL to connect to each other
20. UNICORE Architecture
Global registry:
Central point of a UNICORE grid
Keeps track of all available services
Gateway:
“Door to outside world” in firewall
may serve several resources behind one firewall
unicorex:
Central point for job processing and managing
Checks user certificate with XUUDB
XUUDB (UNICORE user database):
Mapping between user certificates, user logins, roles
TSI (Target System Interface):
Submits jobs to batch system
Components use SSL connections
21. The Registry
The Registry:
Provides clients with information about services
Two kinds: global / local
Global or central registry:
Serves as a ‘Grid’
Knows all target systems and workflow services
Services dynamically register with (one or more) registries
Local registry per service container (e.g. unicorex)
For registering service instances
Full WS-RF Service
UNICORE Registry in Gilda:
https://gilda-lb-01.ct.infn.it:8080/REGISTRY/services/Registry?
22. The Global Registry
Diagram on the slide: resources publish their contact to the global registry; a client asks the registry “What resources do you know?” and receives a list of resources.
27. Registry Entries
Registry entries as seen with the Eclipse Client (expert view):
28. When a job is being submitted . . .
Components in the diagram: Client, Gateway, unicorex, XUUDB, TSI
Client establishes SSL connection to Gateway
Client contacts unicorex via Gateway
Client sends signed abstract job to unicorex
unicorex asks XUUDB if the user belonging to the certificate is allowed job execution
unicorex gets login from XUUDB
unicorex translates abstract job into machine-dependent script
unicorex sends machine-dependent script to TSI
35. Jobs
Abstract job definitions:
Given in JSDL (Job Submission Description Language)
XML specification from the Global Grid Forum
Contain for example:
Job name, description
Resource requirements (RAM, number of CPUs needed, . . . )
Information about transferring of files before or after execution
An application name and version
Each job has a life time – after that its data is deleted from the server
36. The Gateway
The Gateway:
Gateway talks to clients and servers located on other sites
All communication from server components of this site goes via the Gateway
Gateway must trust the CAs of users
Users must trust the CA of the Gateway
UNICORE Gateway of Gilda:
https://gilda-lb-01.ct.infn.it:8080
The UNICORE Registry of Gilda:
https://gilda-lb-01.ct.infn.it:8080/REGISTRY/services/Regist
A unicorex of Gilda:
https://gilda-lb-01.ct.infn.it:8080/REGISTRY/GILDA-CATANIA
37. The unicorex
unicorex:
Authorises requests using the authorisation service XUUDB
Translates abstract job into concrete job for target system via the IDB
Provides storage resources
Provides file transfer services
Provides job management services
38. The XUUDB
XUUDB:
Maps user certificates to logins on that machine
Assigns roles (user, admin, . . . )
Nr | GcID    | Xlogin | Role | Projects | DN
---|---------|--------|------|----------|----------------------------------
1  | OMII_EI | rbreu  | user |          | CN=Rebecca Breu, OU=JSC, OU=
2  | OMII_EI | sandra | user |          | EMAILADDRESS=s.bergmann@fz-j
39. The TSI
The TSI . . .
forks a process which runs with the user’s ID
creates a temporary directory on the target system (uspace)
changes current working directory to uspace
submits job to local batch system
Input and output:
all input needed for job has to be copied into the uspace
all output that is to survive the end of job execution has to be copied elsewhere
Terms used:
File import: File transfer from somewhere into uspace
File export: File transfer from uspace to somewhere
42. IDB: Incarnation Database
The IDB is a file with rules for translating abstract jobs into executable scripts (the jsdl namespace URI is cut off on the slide):
  <idb:IDBApplication>
    <idb:ApplicationName>Bash shell</idb:ApplicationName>
    <idb:ApplicationVersion>3.1.16</idb:ApplicationVersion>
    <jsdl:POSIXApplication xmlns:jsdl="http://schemas.ggf.org/jsdl">
      <jsdl:Executable>/bin/bash</jsdl:Executable>
      <jsdl:Argument>--debugger $DEBUG?</jsdl:Argument>
      <jsdl:Argument>-v $VERBOSE?</jsdl:Argument>
      <jsdl:Argument>$ARGUMENTS?</jsdl:Argument>
      <jsdl:Argument>$SOURCE?</jsdl:Argument>
    </jsdl:POSIXApplication>
  </idb:IDBApplication>
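The XUUDB lookup (slide 38) and the IDB translation above, worked through in Python as an added example that is not UNICORE’s own code: unicorex authorises the certificate’s DN against an XUUDB table and then incarnates the abstract job with the IDB entry. The XUUDB rows, DNs and namespace URIs are constructed for the demo, and treating a "$NAME?" argument as optional (dropped entirely when NAME is not supplied in the job) is the reading of the slide’s syntax assumed here.

```python
import xml.etree.ElementTree as ET
# Constructed IDB entry modelled on the slide's Bash example. The namespace
# URIs are placeholders for this demo, not the real UNICORE/JSDL ones.
IDB_XML = """<idb:IDBApplication xmlns:idb="urn:demo:idb" xmlns:jsdl="urn:demo:jsdl">
  <idb:ApplicationName>Bash shell</idb:ApplicationName>
  <idb:ApplicationVersion>3.1.16</idb:ApplicationVersion>
  <jsdl:POSIXApplication>
    <jsdl:Executable>/bin/bash</jsdl:Executable>
    <jsdl:Argument>--debugger $DEBUG?</jsdl:Argument>
    <jsdl:Argument>-v $VERBOSE?</jsdl:Argument>
    <jsdl:Argument>$ARGUMENTS?</jsdl:Argument>
    <jsdl:Argument>$SOURCE?</jsdl:Argument>
  </jsdl:POSIXApplication>
</idb:IDBApplication>"""
NS = {"idb": "urn:demo:idb", "jsdl": "urn:demo:jsdl"}

# Constructed XUUDB rows (the slide's DNs are cut off): DN -> (xlogin, role).
XUUDB = {"CN=Rebecca Breu,OU=JSC,O=Demo": ("rbreu", "user"),
         "CN=Sandra Bergmann,OU=JSC,O=Demo": ("sandra", "user"),
         "CN=Old Account,OU=JSC,O=Demo": ("old", "banned")}

def authorise(dn):
    """XUUDB step: is the certificate owner allowed job execution? Return the login."""
    login, role = XUUDB.get(dn, (None, None))
    return login if role in ("user", "admin") else None

def incarnate(job, idb_xml=IDB_XML):
    """IDB step: abstract job -> machine-dependent command line. An argument
    containing $NAME? is optional and is dropped entirely when NAME is unset."""
    app = ET.fromstring(idb_xml)
    found = (app.findtext("idb:ApplicationName", namespaces=NS),
             app.findtext("idb:ApplicationVersion", namespaces=NS))
    if found != (job["application"], job["version"]):
        raise LookupError(f"no IDB entry for {job['application']} {job['version']}")
    posix = app.find("jsdl:POSIXApplication", NS)
    parts = [posix.findtext("jsdl:Executable", namespaces=NS)]
    params = job.get("parameters", {})
    for arg in posix.findall("jsdl:Argument", NS):
        words = arg.text.split()
        names = [w[1:].rstrip("?") for w in words if w.startswith("$")]
        if not all(n in params for n in names):   # unset $NAME?: drop the argument
            continue
        filled = [params[w[1:].rstrip("?")] if w.startswith("$") else w for w in words]
        text = " ".join(w for w in filled if w)
        if text:
            parts.append(text)
    return " ".join(parts)

def submit(dn, job):   # unicorex: authorise via XUUDB, then translate via IDB for the TSI
    login = authorise(dn)
    return None if login is None else {"xlogin": login, "script": incarnate(job)}
```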
43. UNICORE Quickstart
Easy installation and usage of UNICORE server components with the Quickstart bundle containing:
all needed server components
demo certificates
easy to use graphical installer
44. UNICORE LiveCD
The UNICORE LiveCD contains
complete Linux system
automatically starting server components
pre-configured clients
45. Visit UNICORE on the internet
Downloads, information, documentation, . . . :
http://www.unicore.eu