SINDES: Secure INformation DElivery System (Poulhiès Marc)



SLIDE 1

SINDES

Secure INformation DElivery System

Poulhiès Marc

marc.poulhies@cern.ch

CERN/EPFL

CERN-IT-FIO group meeting – p. 1/17

SLIDE 2

Outline

  • Motivations
  • Previous system
  • New system
  • General overview
  • Getting a certificate
  • Retrieving sensitive files
  • Shell

SLIDE 4

Motivations

Goal: Some files (password files, certificates, private data, ...) have to be distributed to a large number of machines.

Problem: The network can’t be trusted 100%, mainly because the current setup does not prevent someone from faking their identity or sniffing the network traffic. You don’t want to send sensitive information to an unknown peer (or receive information from an unknown peer).

SLIDE 5

Motivations (cont.)

We need a convenient way to transfer data from one central server to a large number of machines in a secure way:

  • end to end authentication
  • data integrity and confidentiality

We also need to provide each machine with a unique identifier, which can be used by other software.

SLIDE 7

Previous system

Technologies:

  • GPG (GNU Privacy Guard): used to give machines unique identifiers and encrypt files
  • SSHv1 and HTTP transfers

Issues:

  • Clients can’t authenticate received data
  • Everyone has access to all encrypted files
  • Only a small, hardcoded set of predefined data can be transferred
  • Not integrated with CDB

SLIDE 9

General overview

SLIDE 14

Getting a certificate

During reinstallation, each machine will generate an X.509 certificate and ask the server, over HTTPS, to sign and register it.

Issues: The server must verify the machine’s identity before acknowledging its request, but IP address/MAC address can be spoofed.

Solutions:

  • manual intervention (floppy, USB key, ...): does not scale very well.
  • machine can request its certificate within a time-window (as short as possible), and activity is monitored.

SLIDE 17

Retrieving sensitive files

Sensitive files are files that are specific to a group of machines and must be kept private. Examples:

  • passwords for root/operator accounts.
  • ssh keys for interactive cluster (lxplus).
  • certificates
  • configuration files containing password(s)

SLIDE 19

Retrieving sensitive files (cont.)

Each machine should only retrieve its defined sensitive files: how do we make sure a machine can only get its own files and not those of another machine?

  • Define items to be transferred in CDB.

    "/software/components/sindes/items/passwd-header/method" = script
    "/software/components/sindes/items/passwd-header/scope" = node
    "/software/components/sindes/all" = sindes_add("passwd-header");
    "/software/components/sindes/items/ssh_key/method" = file
    "/software/components/sindes/items/ssh_key/scope" = node
    "/software/components/sindes/all" = sindes_add("ssh_key");

  • Solution based on Apache, mod_ssl (HTTPS) and mod_rewrite to act as a “switched network”.

SLIDE 23

Shell

Common actions:

  • Prepare a machine

    lxplus $ PrepareInstall ....
    ...
    Opening time-window and adding machine(s) to ACL...
    [SUMMARY] 2 item(s) processed successfully.
    Updating ACL/MAP if necessary
    [SUMMARY] Updating host map for 1 host(s), mapped to lxdev
    [SUMMARY] Updating ACL with 1 host(s)
    [SUMMARY] You _must_ reinstall machine(s) within the next 24hour(s).
    Preparation OK.
    ...

  • See scheduled installation

    lxplus $ ssh sindes@sindes-server "acl -print -target lxdev06,lxdev12,lxdev03"
    | hostname   TTL     Request Right |
    | lxdev06    23:53   YES           |
    | lxdev12    3:53    NO            |
    | lxdev03    EXP     NO            |

  • Check certificate authority

    lxplus $ ssh sindes@sindes-server "cert -check -target lxplus00[1-4],lxb1008"
    | hostname    valid |
    | lxplus001   YES   |
    | lxplus002   YES   |
    | lxplus003   YES   |
    | lxplus004   YES   |
    | lxb1008     NO    |

  • Display error messages

    + '[' -x /usr/sbin/sindes-get-certificate ']'
    + /usr/sbin/sindes-get-certificate
    Generating key-pair: [RSA/1024] OK
    Creating certificate request
    All went fine.
    Private key in /var/tmp/get-crt-Hp7990/client.key
    Certificate request in /var/tmp/get-crt-Hp7990/client.csr
    Sending the request to sindes-server.cern.ch...
    Something went wrong while contacting CA (curl returned 22)
    Cleaning /var/tmp/get-crt-Hp7990
    + fail 'sindes-get-certificate failed (1)'
    + cat /root/ks-post-reboot.log
    + mail -s 'install failed on itrb5808: sindes-get-certificate failed (1)'

SLIDE 27

Shell (cont)

Interactive shell gives more control over the system and has online help. You can access it with:

    lxplus $ ssh sindes@sindes-server

    SINDESsh > help acl
    acl -set -target <targetname> [-type node|cluster] [-length <secs>] [-grant] [-deny] [-nodomain]
    acl -remove -target <targetname> [-type node|cluster] [-nodomain]
    acl -print [-target <targetname> -type node|cluster] [-nodomain] [-length <secs>] [-grant] [-deny]
    acl -clean [-clean] [-nodomain]
    targetname : host(s) (comma separated) or cluster name
    type: cluster or node
    length: time window size in seconds (in print, only lines where ttl <= length)
    grant: permit the target(s) to request a certificate (in print, only lines where csr = YES)
    deny: prevent the target(s) from requesting a certificate (in print, only lines where csr = NO)
    clean: cleans the ACL by removing expired entries where certificate right is 0. Repeat -clean if you want to clean all expired entries (no matter what the certificate right is)
    nodomain: won’t handle domain name (DANGEROUS)
    SINDESsh > acl -print -target lxdc -type cluster -grant
    | hostname   TTL     Request Right |
    | lxb5314    EXP     YES           |
    | lxb5316    EXP     YES           |
    | lxb5318    EXP     YES           |
    | lxs5021    22:34   YES           |
    | tbed0012   EXP     YES           |
    | tbed0066   15:34   YES           |
    | tbed0067   22:34   YES           |
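
The time-window rule from “Getting a certificate”, applied to an `acl -print` listing, as an added example (not SINDES code and not from the original slides). It assumes TTL is HH:MM, that `EXP` means the window has closed, and that a request is honoured only when the right is YES and the window is still open; the function names and table layout are hypothetical.

```python
import re

# Constructed sample in the layout of `acl -print`; the rows reuse values
# shown on the slides, merged into one listing for the example.
SAMPLE = """\
| hostname   TTL     Request Right |
| lxdev06    23:53   YES           |
| lxdev12    3:53    NO            |
| lxdev03    EXP     NO            |
| lxb5314    EXP     YES           |
"""

ROW = re.compile(r"\|\s*(\S+)\s+(EXP|\d+:\d{2})\s+(YES|NO)\s*\|")

def parse_acl(text):
    """Return {hostname: (seconds_left or None if expired, has_request_right)}."""
    acl = {}
    for line in text.splitlines():
        m = ROW.fullmatch(line.strip())
        if m is None:
            continue  # header, borders, blank lines
        host, ttl, right = m.groups()
        if ttl == "EXP":
            left = None
        else:
            hours, minutes = ttl.split(":")  # assumption: TTL is HH:MM
            left = int(hours) * 3600 + int(minutes) * 60
        acl[host] = (left, right == "YES")
    return acl

def may_request_certificate(acl, host):
    """Fail closed: unknown host, expired window or missing right all deny."""
    left, right = acl.get(host, (None, False))
    return right and left is not None and left > 0

def stale_grants(acl):
    """Expired entries still holding the right; a single `acl -clean` keeps them."""
    return sorted(h for h, (left, right) in acl.items() if left is None and right)

def open_windows(acl, longer_than_secs=0):
    """Hosts that can obtain a certificate right now, for monitoring."""
    return sorted(h for h in acl
                  if may_request_certificate(acl, h) and acl[h][0] > longer_than_secs)
```

Entries reported by `stale_grants` are the ones to review before re-opening a window, and `open_windows` gives the set of hostnames whose certificate requests should be watched while the window lasts.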


    SINDESsh > help cert
    cert -target <targetname> [-type node|cluster] [-revoke] [-check [-digest] [-[no]issued]] [-nodomain]
    targetname : host(s) (comma separated) or cluster name.
    type: cluster or node.
    revoke: ask for a revocation.
    check: outputs a quick summary of valid/revoked certificates for given hosts.
    digest: only with 'check'. Do not display host with nothing (NONE/NONE)
    [no]issued: only displays lines where there is (or not) a valid certificate
    nodomain: don’t append any domain name after the hostnames (DANGEROUS)
    SINDESsh > cert -check -target lxdc -type cluster
    | hostname   valid   revoked |
    | lxb5301    YES     NONE    |
    | lxb5302    YES     NONE    |
    | lxb5314    NO      1       |
    | lxb5303    YES     1       |
    | lxb5304    YES     1       |
    | lxb5305    YES     1       |
    ...


    SINDESsh > help listitems
    listitems -target <targetname> [-type cluster|node] [-[no]check]
    targetname: host(s) (comma separated) or cluster name to be listed
    type : node or cluster (default: node)
    check : checks for files/scripts needed by nodes (default: yes)
    SINDESsh > listitems -target
    | Name            Scope     Method   Hostname   Cluster   File   Script   |
    | passwd-header   cluster   script   N/A        lxplus    OK     OK(clu.) |
    | group-header    cluster   file     N/A        lxplus    OK              |
    | ssh_key         cluster   file     N/A        lxplus    OK              |
SLIDE 30

Other commands

acl - manipulates ACL (time windows & certificate request right)
cert - handles certificate operations
listitems - lists items for a given target
map - manipulates the "host/cluster" map
prepare - prepares files for a given target (run scripts, test file existence)
remove - removes item files or scripts from server
verbose - logging facility for debugging

SLIDE 31

Conclusion

Current status:

  • 2200+ valid certificates issued
  • Deployed on all SLC3/4 and RHES3 nodes
  • Ported to Solaris

Future:

  • Server side is SLC4 ready
