GridSite 1.5.x update
Andrew McNab, University of Manchester
Outline
- Credential types
- Attribute URIs
- New chain checking
- API clarifications
- Logging
- Level of Assurance
- Shibboleth
- SlashGrid
Credential types
- Four credential types supported up to GridSite 1.4.x:
  - X.509 Distinguished Name
  - VOMS Fully Qualified Attribute Name
  - DN List groups
  - Client DNS hostname
- Stored in GRSTgaclCred structs in memory, and as different <credential> containers in GACL 0.1 access policies
Additional credentials
- Several new credential types in the air
- Have added Shibboleth support to GridSite, which introduces LDAP-derived DNs
- OpenID has http: URL-based IDs (and now xri:)
- Applications may need more:
  - Verified address
  - Kerberos/AFS
- All of these look like URIs...
Attribute URIs
- Represent all credentials in URI scheme:path form:
  dn:/dc=com/dc=example/cn=joe
  fqan:/vo/group
  https://example.com/group
  dns:example.com
  ip:
  https://example.com/openid/joe
In GACL 1.0
  <gacl version= >
    <entry><cred><auri>scheme:path</auri></cred>
           <allow><read/></allow></entry>
  </gacl>
- <cred> can also optionally include <nist-loa>level</nist-loa> for NIST Level of Assurance and <delegation>level</delegation> for GSI Proxy Delegation
Bag of attributes
- From this release onwards, GridSite handles users as a set of semi-opaque attributes which the policy engine checks for
- Currently, some credentials are like this (eg X.509 DNs), but others (eg DN Lists) are checked by the policy engine itself, finding the list of DNs that defines that group
- Now all attributes are loaded at the start
- This means that downstream users of GridSite will get a list of DN Lists for that user too
- So VOMS DN Lists can now be pre-fetched by sites, which are indistinguishable from FQANs from attribute certificates
- This allows attribute pull, which is esp. convenient for websites
GRSTx509ChainLoadCheck
- New function for checking and loading an X.509 certificate chain
- Takes STACK_OF(X509) as input
- GSI-aware checking of the chain back to CA root certs
- Verifies VOMS attributes if present
- Puts all of these into a GRSTx509Chain struct
- This function is now (1.5.x) used by mod_gridsite within Apache, and by command line clients (htproxyinfo)
- This avoids some duplication of code, and means only a single pass through the chain within Apache to verify and extract credentials
htproxyinfo output
  localhost.mcnab:./htproxyinfo
  0 (CA) /C=UK/O=eScienceCA/OU=Authority/CN=CA
     Status     : 0 ( OK )
     Start      : Fri Jul 14 17:32:
     Finish     : Fri Jul 15 17:32:
     Delegation : 0
     Serial     : 1
     Issuer     : /C=UK/O=eScienceRoot/OU=Authority/L=Root/CN=CA
  1 (EEC) /C=UK/O=eScience/OU=Manchester/L=HEP/CN=andrew mcnab
     Status     : 0 ( OK )
     Start      : Mon Oct 23 16:29:
     Finish     : Thu Nov 22 15:29:
     Delegation : 1
     Serial     : 8700
     Issuer     : /C=UK/O=eScienceCA/OU=Authority/CN=CA
  2 (PC) /C=UK/O=eScience/OU=Manchester/L=HEP/CN=andrew mcnab/cn=proxy
     Status     : 0 ( OK )
     Start      : Tue Jun 12 10:10:
     Finish     : Tue Jun 12 22:15:
     Delegation : 0
     Serial     : 8700
     Issuer     : /C=UK/O=eScience/OU=Manchester/L=HEP/CN=andrew mcnab
  3 (AC) /dteam/role=null/capability=null
     Status     : 0 ( OK )
     Start      : Tue Jun 12 10:15:
     Finish     : Tue Jun 12 22:15:
     Delegation : 0
     User DN    : /C=UK/O=eScience/OU=Manchester/L=HEP/CN=andrew mcnab
     VOMS DN    : /DC=ch/DC=cern/OU=computers/CN=voms.cern.ch
API clarifications
- Rationalising and properly documenting the C API
- Aim to have a clean API by 2.0
- Already quite modular: GRSThttpXXX(), GRSTx509XXX(), GRSTgaclXXX(), ...
- Object orientated, with objects as structs and NounVerb access functions
- But currently lacking proper documentation on how to use all this in applications / services
- C++ / Perl / Python wrappers still on the roadmap
Logging
- GridSite library functions have to work inside command line tools, CGI programs, Apache modules and standalone servers
- Four quite different logging environments: stderr, /dev/null, ErrorLog, and syslog
- Now provide GRSTerrorLogFunc, modelled on Apache ap_log_error() and syslog()
- Can be overridden to use Apache, syslog or stderr
- Apache error and access logs can themselves be sent to syslog, potentially including client DN etc.
Level of Assurance
- As part of the FAME project we added NIST-inspired LoA conditions to GridSite/GACL
- Can put a requirement on a particular credential's LoA
- This information can either come from FAME extensions to Shibboleth, or be inserted by mod_gridsite itself:
  - Map level 2 to GSI proxies
  - Map level 3 to user certificates
  - Potentially use level 4 for certificates on hardware tokens
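The GACL 1.0 policy form, the bag-of-attributes evaluation and the LoA mapping described on the slides above, as an added Python example that is not GridSite's own code: the element names <auri>, <nist-loa> and <delegation> and the level-2/level-3 mapping come from the slides, while the matching rules (every <cred> in an <entry> must hold, <nist-loa> is a minimum level, <delegation> a maximum proxy depth, and a <deny> overrides any <allow>) and all function names and sample values are assumptions made here.

```python
# Added example, not GridSite code. Assumed rules: all <cred>s in an <entry> must be
# satisfied by the user's attribute bag; <nist-loa> is a minimum level, <delegation>
# a maximum number of proxy delegations; any <deny> overrides every <allow>.
import xml.etree.ElementTree as ET
from typing import NamedTuple

class Attr(NamedTuple):
    auri: str            # e.g. "dn:/dc=com/dc=example/cn=joe" or "fqan:/vo/group"
    loa: int = 0         # NIST level behind this attribute (0 = none asserted)
    delegation: int = 0  # GSI proxy delegations between the user's EEC and the client

def loa_from_chain(types):
    """LoA as mod_gridsite assigns it from the chain labels htproxyinfo prints:
    a proxy (PC) anywhere in the chain gives level 2, a bare user cert (EEC) 3."""
    if "PC" in types:
        return 2
    return 3 if "EEC" in types else 0

def cred_matches(cred, bag):
    """True if some attribute in the bag satisfies this <cred> element."""
    auri = cred.findtext("auri", "").strip()
    min_loa = int(cred.findtext("nist-loa", "0"))
    max_deleg = cred.findtext("delegation")          # None when no <delegation> given
    return any(a.auri == auri and a.loa >= min_loa
               and (max_deleg is None or a.delegation <= int(max_deleg))
               for a in bag)

def gacl_permissions(gacl_xml, bag):
    """Permissions (tag names such as read, list, write, admin) granted to the bag."""
    grants = {"allow": set(), "deny": set()}
    for entry in ET.fromstring(gacl_xml).findall("entry"):
        creds = entry.findall("cred")
        if creds and all(cred_matches(c, bag) for c in creds):
            for verdict in grants:
                for node in entry.findall(verdict):
                    grants[verdict].update(p.tag for p in node)
    return grants["allow"] - grants["deny"]

# Constructed policy: group may read/list; joe may write only at level 3 and administer
# only without proxy delegation; requests from the host example.com never get write.
SAMPLE_GACL = """<gacl version="1.0">
 <entry><cred><auri>fqan:/vo/group</auri></cred><allow><read/><list/></allow></entry>
 <entry><cred><auri>dn:/dc=com/dc=example/cn=joe</auri><nist-loa>3</nist-loa></cred><allow><write/></allow></entry>
 <entry><cred><auri>dn:/dc=com/dc=example/cn=joe</auri><delegation>0</delegation></cred><allow><admin/></allow></entry>
 <entry><cred><auri>dns:example.com</auri></cred><deny><write/></deny></entry>
</gacl>"""

def joe_bag(chain_types, delegation, from_host=None):
    """Constructed bag for joe: his DN and FQAN carry the LoA derived from his chain."""
    loa = loa_from_chain(chain_types)
    bag = [Attr("dn:/dc=com/dc=example/cn=joe", loa, delegation), Attr("fqan:/vo/group", loa, delegation)]
    return bag + ([Attr("dns:" + from_host)] if from_host else [])
```

With a plain user certificate joe gets read, list, write and admin; behind a proxy (level 2, one delegation) the same policy yields only read and list, and from the host example.com the deny entry removes write.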
Shibboleth
- Again as part of FAME, can acquire DNs via assertions from Shibboleth
- These then enter the policy engine as if the client had supplied a certificate
- LoA conditions very useful here
- Also investigating OpenID: very similar to Shibboleth, but with a wider take-up in the mainstream web
SlashGrid
- Now included in the main GridSite distribution
- Uses the FUSE kernel module on Linux, which is included in SL 4.4 and available for all 2.4.x/2.6.x kernels
- HTTP(S) to retrieve remote files, with GSI proxy if available
- URLs mapped to local paths: /grid/https/node42.site.name/dir/file.dat
- Can act as a local storage system (with multicast location of files on the local network)
- But most immediately useful as a client of remote files
Plans
- Finish 1.5.x developments, describe and publish as
- Now dependent on me understanding ETICS better
- Then start on 1.7.x
- Intend to add support for VOMS server certificates in proxies and DNS-named dynamic VOs
- Complete API clean-up / documentation
- More cookbook examples, eg GridSite/mod_jk
- Release as later this year?
Summary
- Have changed internal representation of credentials to Attribute URI (AURI) form
- This allows easier extension of GridSite-based systems by applications / services
- Improving functionality and clarity of the C API:
  - GRSTx509ChainLoadCheck()
  - Logging
- LoA, Shibboleth, and SlashGrid supported