Hands-on security
Carlos Fuentes, RedIRIS
Madrid, 26-30 October 2008



How to access the UI

SERVER: glite-tutor.ct.infn.it glite-tutor2.ct.infn.it
USERNAME: barcellonaXX
PASSWORD: GridBARXX
PASSPHRASE: BARCELLONA
where XX = 01…30

Authentication and Authorization
INSPECTING PERSONAL CERTIFICATE

- .globus: your personal certificate, two separate files (public and private keys)
- You need them for the authenticated connections with all the other elements.
- Check the permissions (you won't be able to create a proxy if they are wrong)

    ls -l .globus
    -rw-r--r-- usercert.pem
    -r-------- userkey.pem
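An added example, not part of the original slides: a shell function that automates the permission check above before a proxy is created. It assumes GNU stat on the UI; check_globus_perms is a hypothetical helper name, not a gLite command.

```shell
#!/bin/sh
# Added example: audit the modes of the credential files in ~/.globus
# before trying to create a proxy. Assumes GNU stat (stat -c %a).
# check_globus_perms is a hypothetical helper name, not a gLite tool.

# check_globus_perms DIR
# Prints one line per problem; returns 0 only if both files exist,
# the private key has no group/other bits and the certificate is not
# writable by group/other.
check_globus_perms() {
    dir=$1
    rc=0
    for f in usercert.pem userkey.pem; do
        if [ ! -f "$dir/$f" ]; then
            echo "MISSING $dir/$f"
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] || return 1

    kmode=$(stat -c %a "$dir/userkey.pem")
    cmode=$(stat -c %a "$dir/usercert.pem")

    # Private key: any group/other permission bit (octal 077) is a finding.
    if [ $(( 0$kmode & 077 )) -ne 0 ]; then
        echo "BAD userkey.pem mode $kmode (fix: chmod 400 $dir/userkey.pem)"
        rc=1
    fi
    # Certificate: public, so readable is fine, but not group/other writable.
    if [ $(( 0$cmode & 022 )) -ne 0 ]; then
        echo "BAD usercert.pem mode $cmode (fix: chmod 644 $dir/usercert.pem)"
        rc=1
    fi
    return "$rc"
}

# Usage: check_globus_perms "$HOME/.globus" && voms-proxy-init --voms gilda
```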

Authentication and Authorization
INSPECTING PERSONAL CERTIFICATE

- Look inside your certificate

    grid-cert-info

- Important information
  - Creation and expiration date
  - Name and subject of the CA
  - Common Name (CN) of the certificate owner
  - Certificate subject

Authentication and Authorization
Creation of a proxy with VOMS extensions

- This step is comparable to a login on the grid.

    voms-proxy-init --voms gilda

    carlos]$ voms-proxy-init --voms gilda
    Your identity: /DC=es/DC=irisgrid/O=rediris/CN=carlos.fuentes
    Creating temporary proxy Done
    Contacting voms.ct.infn.it:15001 [/C=IT/O=INFN/OU=Host/L=Catania/CN=voms.ct.infn.it] "gilda" Done
    Creating proxy Done
    Your proxy is valid until Mon Feb 1 22:36:

Authentication and Authorization
CHECK YOUR VOMS PROXY

- To get info about your proxy

    voms-proxy-info -all

- It shows two different lifetimes:
  - The first is the lifetime of the proxy itself.
  - The second is the lifetime of the AC information added by the VOMS server.
- Important: your proxy has a lifetime of 12 hours

    carlos]$ voms-proxy-info --all
    subject : /DC=es/DC=irisgrid/O=rediris/CN=carlos.fuentes/CN=proxy
    issuer : /DC=es/DC=irisgrid/O=rediris/CN=carlos.fuentes
    identity : /DC=es/DC=irisgrid/O=rediris/CN=carlos.fuentes
    type : proxy
    strength : 1024 bits
    path : /tmp/x509up_u505
    timeleft : 11:58:01
    === VO gilda extension information ===
    VO : gilda
    subject : /DC=es/DC=irisgrid/O=rediris/CN=carlos.fuentes
    issuer : /C=IT/O=INFN/OU=Host/L=Catania/CN=voms.ct.infn.it
    attribute : /gilda/Role=NULL/Capability=NULL
    timeleft : 11:58:00
    uri : voms.ct.infn.it:15001
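An added example, not part of the original slides: a shell/awk parser that reads both lifetimes from voms-proxy-info --all output and reports the shorter one, since the proxy is only usable with its VO attributes while both are valid. The function names (sample_output, timeleft_report, usable_for) are hypothetical; the sample text is the session output shown on this page.

```shell
#!/bin/sh
# Added example: extract the two lifetimes from `voms-proxy-info --all`.
# Function names are hypothetical; sample_output reproduces this page's session.

sample_output() {
cat <<'EOF'
subject : /DC=es/DC=irisgrid/O=rediris/CN=carlos.fuentes/CN=proxy
issuer : /DC=es/DC=irisgrid/O=rediris/CN=carlos.fuentes
type : proxy
strength : 1024 bits
path : /tmp/x509up_u505
timeleft : 11:58:01
=== VO gilda extension information ===
VO : gilda
attribute : /gilda/Role=NULL/Capability=NULL
timeleft : 11:58:00
uri : voms.ct.infn.it:15001
EOF
}

# timeleft_report: stdin = voms-proxy-info --all output.
# Prints "proxy=<s> ac=<s> usable=<s>" (seconds); exits 2 if either is missing.
timeleft_report() {
    awk '
        # Convert H:M:S to seconds.
        function secs(t,  p) { split(t, p, ":"); return p[1]*3600 + p[2]*60 + p[3] }
        /^=== VO / { in_vo = 1 }               # lines after this belong to the AC
        $1 == "timeleft" {
            if (in_vo) { ac = secs($3); have_ac = 1 }
            else       { proxy = secs($3); have_proxy = 1 }
        }
        END {
            if (!have_proxy || !have_ac) {
                print "error: timeleft missing" > "/dev/stderr"; exit 2
            }
            usable = (proxy < ac) ? proxy : ac
            printf "proxy=%d ac=%d usable=%d\n", proxy, ac, usable
        }'
}

# usable_for SECONDS: succeed only if both lifetimes cover SECONDS.
usable_for() {
    left=$(timeleft_report 2>/dev/null | sed -n 's/.*usable=\([0-9]*\)$/\1/p')
    [ -n "$left" ] && [ "$left" -ge "$1" ]
}

# Usage on a UI: voms-proxy-info --all | usable_for 3600 || voms-proxy-init --voms gilda
```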

Authentication and Authorization
LOGOUT FROM THE GRID

- To delete your proxy

    voms-proxy-destroy

MyProxy Use
Register a long-lived proxy in the MyProxy server (grid001.ct.infn.it)

- Allows you to create and store a long-term proxy certificate

    myproxy-init

- The -s option allows you to specify the name of the MyProxy server you want to contact

    myproxy-init -s grid001.ct.infn.it

MyProxy Use
Register a long-lived proxy in the MyProxy server (grid001.ct.infn.it)

- The -d option allows you to create and store a long-term proxy with your DN.

    myproxy-init -s grid001.ct.infn.it -d

- Without this option, the name of the stored proxy is the same as the user name on the local machine

MyProxy Use
Register a long-lived proxy in the MyProxy server (grid001.ct.infn.it)

- The -l option allows you to create and store a long-term proxy with a name specified by the user

    myproxy-init -s grid001.ct.infn.it -l GILDA_TUTOR

- Each user can create and store several proxies in a MyProxy server, but each remote proxy is linked to the specified username

MyProxy Use
Gather information about the proxy in the MyProxy server

- If there is no local proxy in your UI, it is not possible to be authenticated to the MyProxy server
- In this case you need to get a delegated proxy from the MyProxy server or create a local proxy with voms-proxy-init

MyProxy Use
Get a delegated proxy from the MyProxy server

- It allows you to get a proxy from the MyProxy server
- Destroy the proxy in the local machine and verify it doesn't exist anymore

    voms-proxy-destroy
    voms-proxy-info
    couldn't find a valid proxy

MyProxy Use
Get a delegated proxy from the MyProxy server

- Now in your UI (virtual or real), there is no local proxy.
- To get a proxy from the MyProxy server

    myproxy-get-delegation -s grid001.ct.infn.it

MyProxy Use
Get a delegated proxy from the MyProxy server

- With the -d option

    myproxy-get-delegation -s grid001.ct.infn.it -d

- Verify now that the user has a local proxy

    voms-proxy-info

MyProxy Use
Gather information about the proxy in the MyProxy server

- You can get info from the MyProxy server about your proxy

    myproxy-info -s grid001.ct.infn.it

- If the credentials have been initialized with the -d switch, you also have to specify it when using myproxy-info

    myproxy-info -s grid001.ct.infn.it -d

MyProxy Use
Gather information about the proxy in the MyProxy server

- If the credentials have been initialized with the -l switch, you also have to specify it when using myproxy-info

    myproxy-info -s grid001.ct.infn.it -l GILDA_TUTOR

- Note the differences in the username of each proxy

MyProxy Use
Destroy remote proxy

- You can destroy your remote proxy

    myproxy-destroy -s grid001.ct.infn.it

- Check your remote proxy

    myproxy-info -s grid001.ct.infn.it

MyProxy Use
Destroy remote proxy

- Destroy your remote proxy with -d

    myproxy-destroy -s grid001.ct.infn.it -d

- Check your remote proxy with -d

    myproxy-info -s grid001.ct.infn.it -d

MyProxy Use
Destroy remote proxy

- Destroy your remote proxy with -l

    myproxy-destroy -s grid001.ct.infn.it -l GILDA_TUTOR

- Check your remote proxy with -l

    myproxy-info -s grid001.ct.infn.it -l GILDA_TUTOR