1 GridSite security update Andrew McNab University of Manchester
2 Outline Credential types Attribute URIs New chain checking API clarifications Logging Level of Assurance Shibboleth
3 GridSite GridSite consists of A grid security toolkit for C/C++ Parses GACL policies, X.509, GSI, VOMS credentials An Apache module which adds support for these credentials This lets people host webservices for Grids, written in C/C++/scripts/Java etc etc.
4 Credential types Four credential types supported up to GridSite 1.4.x X.509 Distinguished Name VOMS Fully Qualified Attribute Name DN List groups Client DNS hostname Stored in GRSTgaclCred structs in memory And as different < credential > containers in GACL 0.1 access policies.
6 Additional credentials Several new credential types in the air Have added Shibboleth support to GridSite, which introduces LDAP derived DNs. OpenID has http: URL based IDs (and now xri:) Applications may need more Verified address Kerberos/AFS All of these look like URIs...
7 Attribute URIs Represent all credentials in URI scheme:path form dn:/dc=com/dc=example/cn=joe fqan:/vo/group https://example.com/group dns:example.com ip: https://example.com/openid/joe
9 In GACL 1.0 <gacl version= > <entry><cred><auri>scheme:path</auri></cred> <allow><read/></allow></entry> </gacl> <cred> can also optionally include <loa>level</loa> for Level of Assurance and <delegation>level</delegation> for GSI Proxy Delegation
10 Bag of attributes GridSite onwards handle users as a set of semi opaque attributes which policy engine checks for Currently, some credentials are like this (eg X.509 DNs) But others (eg DN Lists) are checked by the policy engine itself, finding the list of DNs that defines that group Now all attributes are loaded at the start This means that downstream users of GridSite will get a list of DN Lists for that user too So VOMS DN Lists can now be pre fetched by sites, which are indistinguishable from FQANs from attribute certificates. This allows attribute pull, which is esp. convenient for websites
11 GRSTx509ChainLoadCheck New function for checking and loading X.509 certificate chain Takes STACK_OF(X509) as input GSI aware checking of chain back to CA root certs Verifies VOMS attributes if present Puts all of these into GRSTx509Chain struct This function is now (1.5.x) used by mod_gridsite within Apache, and by command line clients (htproxyinfo) This avoids some duplication of code, and means only a single pass through the chain within Apache to verify and extract credentials
12 htproxyinfo output localhost.mcnab:./htproxyinfo 0 (CA) /C=UK/O=eScienceCA/OU=Authority/CN=CA Status : 0 ( OK ) Start : Fri Jul 14 17:32: Finish : Fri Jul 15 17:32: Delegation : 0 Serial : 1 Issuer : /C=UK/O=eScienceRoot/OU=Authority/L=Root/CN=CA 1 (EEC) /C=UK/O=eScience/OU=Manchester/L=HEP/CN=andrew mcnab Status : 0 ( OK ) Start : Mon Oct 23 16:29: Finish : Thu Nov 22 15:29: Delegation : 1 Serial : 8700 Issuer : /C=UK/O=eScienceCA/OU=Authority/CN=CA 2 (PC) /C=UK/O=eScience/OU=Manchester/L=HEP/CN=andrew mcnab/cn=proxy Status : 0 ( OK ) Start : Tue Jun 12 10:10: Finish : Tue Jun 12 22:15: Delegation : 0 Serial : 8700 Issuer : /C=UK/O=eScience/OU=Manchester/L=HEP/CN=andrew mcnab 3 (AC) /dteam/role=null/capability=null Status : 0 ( OK ) Start : Tue Jun 12 10:15: Finish : Tue Jun 12 22:15: Delegation : 0 User DN : /C=UK/O=eScience/OU=Manchester/L=HEP/CN=andrew mcnab VOMS DN : /DC=ch/DC=cern/OU=computers/CN=voms.cern.ch
13 API clarifications Rationalising and properly documenting C API Aim to have a clean API by 2.0 Already quite modular GRSThttpXXX(), GRSTx509XXX(), GRSTgaclXXX(),... Object orientated with objects as structs and NounVerb access functions But currently lacking proper documentation on how to use all this in applications / services C++ / Perl / Python wrappers still on the roadmap
14 Logging GridSite library functions have to work inside command line tools, CGI programs, Apache modules and standalone servers Four quite different logging environments: stderr, /dev/null, ErrorLog, and syslog Now provide GRSTerrorLogFunc modelled on Apache ap_log_error() and syslog() Can be overridden to use Apache, Syslog or stderr Apache error and access logs can themselves be sent to syslog, potentially including client DN etc.
15 Level of Assurance As part of FAME project we added NIST inspired LoA conditions to GridSite/GACL Can put requirement on a particular credential's LoA This information can either come from FAME extensions to Shibboleth Or be inserted by mod_gridsite itself Map level 2 to GSI proxies Map level 3 to user certificates Potentially use level 4 for certificates on hardware tokens
16 Shibboleth Again as part of FAME, can acquire DNs via assertions from Shibboleth These then enter the policy engine as if the client had supplied a certificate LoA conditions very useful here Also investigating OpenID very similar to Shibboleth, but with a wider take up in the mainstream web
17 Summary Have changed internal representation of credentials to Attribute URI ( AURI ) form This allows easier extension of GridSite based systems by applications / services Improving functionality and clarity of C API GRSTx509ChainLoadCheck() Logging LoA and Shibboleth now supported
Parallels Panel Contents About This Document 3 Integration and Automation Capabilities 4 Command-Line Interface (CLI) 8 API RPC Protocol 9 Event Handlers 11 Panel Notifications 13 APS Packages 14 C H A
1 SerialMailer Manual For SerialMailer 7.2 Copyright 2010-2011 Falko Axmann. All rights reserved. 2 Contents 1 Getting Started 4 1.1 Configuring SerialMailer 4 1.2 Your First Serial Mail 7 1.2.1 Database
Using Delphix Server with Microsoft SQL Server (BETA) Table of Contents Architecture High level components in linking a SQL Server database to Delphix High level components in provisioning a SQL Server
DEPLOYMENT GUIDE Version 1.2 Deploying the BIG-IP System v10 with Microsoft IIS 7.0 and 7.5 Table of Contents Table of Contents Deploying the BIG-IP system v10 with Microsoft IIS Prerequisites and configuration
Product Guide McAfee Enterprise Mobility Management 11.0 Software For use with epolicy Orchestrator 4.6.5-5.0 Software COPYRIGHT Copyright 2013 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS
This video will look the different versions of Active Directory Federation Services. This includes which features are available in each one and which operating system you need in order to use these features.
ISA Server Plugins Setup Guide Secure Web (Webwasher) Version 1.3 Copyright 2008 Secure Computing Corporation. All rights reserved. No part of this publication may be reproduced, transmitted, transcribed,
Tech Note 4 NBAC (NetBackup Access Control) UNIX Quick Install Non HA This section includes the following topics About NBAC (NetBackup Access Control) About NBAC (NetBackup Access Control) Starting Checklist
HASSO - PLATTNER - INSTITUT für Softwaresystemtechnik an der Universität Potsdam The Apache Modeling Project Bernhard Gröne, Andreas Knöpfel, Rudolf Kugel und Oliver Schmidt Technische Berichte des Hasso-Plattner-Instituts
www.novell.com/documentation Implementation Guide Identity Manager Driver for Scripting 4.0.2 April 29, 2013 Legal Notices Novell, Inc. and Omnibond make no representations or warranties with respect to
Installation and Upgrade Guide Copyright Statement Copyright Acronis International GmbH, 2002-2014. All rights reserved. Acronis and Acronis Secure Zone are registered trademarks of Acronis International
Copyright EVS Broadcast Equipment S.A. Copyright 2013. All rights reserved. Disclaimer The information in this manual is furnished for informational use only and subject to change without notice. While
MULTI LICENSES The information in this document is subject to change without notice and does not represent a commitment on the part of Propellerhead Software AB. The software described herein is subject
Elfiq Link Balancer (Link LB) Quick Web Configuration Guide Elfiq Operating System (EOS) - Version 3.5.0 and higher Document Version 2.0 -January 2012 Elfiq Networks (Elfiq Inc.) www.elfiq.com 1. About
Ipswitch WhatsUp Professional and Premium Edition 2006 User s Guide Software Version 2 Ipswitch, Inc Ipswitch Inc. Web: HTTP://www.ipswitch.com 10 Maguire Rd, Suite 220 Phone: 781.676.5700 Lexington, MA
Best Practices for Deploying and Managing Linux with Red Hat Network Abstract This technical whitepaper provides a best practices overview for companies deploying and managing their open source environment
IceWarp Unified Communications Reference Version 11.1 Published on 11/4/2014 Contents... 4 About... 5 The Big Picture... 7 Reference... 8 General... 8 Dial Plan... 9 Dial Plan Examples... 12 Devices...
FileMaker Server 12 Getting Started Guide 2007 2012 FileMaker, Inc. All Rights Reserved. FileMaker, Inc. 5201 Patrick Henry Drive Santa Clara, California 95054 FileMaker and Bento are trademarks of FileMaker,
Connect for Dragon Medical 360 Network Edition Administrator Guide Copyright 2013. Connect for Dragon Medical 360 Network Edition. Nuance Communications, Inc. has patents or pending patent applications
International Conference on Emerging Security Information, Systems and Technologies Distributed Identity Management Model for Digital Ecosystems Hristo Koshutanski Computer Science Department University
MaaS360 Cloud Extender Installation Guide Copyright 2013 Fiberlink Communications Corporation. All rights reserved. Information in this document is subject to change without notice. The software described
Evaluation of different Open Source Identity management Systems Ghasan Bhatti, Syed Yasir Imtiaz Linkoping s universitetet, Sweden [ghabh683, syeim642]@student.liu.se 1. Abstract Identity management systems
MaaS360 On-Premises Cloud Extender Installation Guide Copyright 2014 Fiberlink Communications Corporation. All rights reserved. Information in this document is subject to change without notice. The software
C H A P T E R 4 Layer 7 Load Balancing and Content Customization This chapter will discuss the methods and protocols involved in accomplishing a Layer 7 load-balancing solution. The reasons for and benefits
4. Client-Level Administration Introduction to Client Usage The Client Home Page Overview Managing Your Client Account o Editing Your Client Record View Account Status Report Domain Administration Page
Installation Guide for contineo Sebastian Stein Michael Scholz 2007-02-07, contineo version 2.5 Contents 1 Overview 2 2 Installation 2 2.1 Server and Database....................... 2 2.2 Deployment............................