Hands on Security, Authentication and Authorization Virginia Martín-Rubio Pascual RedIRIS/Red.es Curso Grid y e-Ciencia.

Hands on Security, Authentication and Authorization. Virginia Martín-Rubio Pascual, RedIRIS/Red.es. Curso Grid y e-Ciencia 2010, Valencia, 6-9 July 2010.

UI access

SERVER:     cg02.ific.uv.es (SL5)
            cg01.ific.uv.es (SL4)
USERNAME:   tutXX
PASSWORD:   ngiXX
PASSPHRASE: ngi1234
where XX = 01…24

Authentication and Authorization

Locate your personal certificate. The .globus directory holds your certificate as two separate files: the public certificate (usercert.pem) and the private key (userkey.pem). You need them for every authenticated connection with the other elements of the Grid. Check the permissions: the private key must be readable only by you (mode 0400 or 0600), and the proxy tools refuse to create a proxy if they are wrong.

~]$ ls -l .globus/
total 16
-r--r--r-- 1 tut25 tut Jun 15 09:42 usercert.pem
-r-------- 1 tut25 tut Jun 15 09:42 userkey.pem

Look inside your certificate: grid-cert-info

~]$ grid-cert-info
Certificate:
    Data:
        …
        Issuer: C=ES, O=IFCA, CN=IFCA Formacion Grid CA
        Validity
            Not Before: May 28 00:00: GMT
            Not After : Jul 12 00:00: GMT
        Subject: C=ES, O=IFCA, CN=tut25
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:aa:…:72:81
                Exponent: 65537 (0x10001)
        …

Important information:
- creation and expiration dates
- name (subject) of the issuing CA
- Common Name (CN) of the certificate owner
- certificate subject
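The two checks above (file permissions, then the fields grid-cert-info prints) can be scripted so that they run before the first voms-proxy-init of the day. The script below is an added example written for this page; it is not part of the slides or of the Globus/gLite tools. It assumes only the layout shown above (usercert.pem and userkey.pem in one directory) and that stat and openssl are on the path; the certificate it generates for the offline demo is a constructed self-signed stand-in for a CA-issued one, and the file name preflight.sh in the usage comment is an assumption.

```shell
#!/bin/sh
# Preflight check of ~/.globus before voms-proxy-init. Added example for this
# page, not part of the slides or of the Globus/gLite tools. Assumes the layout
# shown above (usercert.pem + userkey.pem) and needs only stat and openssl.

# Octal mode of a file: GNU stat first, BSD stat as fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Returns 0 when both files exist with the permissions the proxy tools require:
#   userkey.pem  mode 0400 or 0600 (no group/other bits at all)
#   usercert.pem not writable by group or others
# Prints each problem and returns 1 otherwise.
check_globus_perms() {
    dir=${1:-$HOME/.globus}
    rc=0
    for f in usercert.pem userkey.pem; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing: $dir/$f"
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] || return 1
    keymode=$(file_mode "$dir/userkey.pem")
    case "$keymode" in
        400|600) ;;
        *) echo "userkey.pem is mode $keymode, must be 0400 or 0600"; rc=1 ;;
    esac
    certmode=$(file_mode "$dir/usercert.pem")
    case "$certmode" in
        *[04][04]) ;;   # last two digits (group, others) carry no write bit
        *) echo "usercert.pem is mode $certmode, must not be group/world writable"; rc=1 ;;
    esac
    return "$rc"
}

# Returns 0 when the public key inside usercert.pem is the one matching
# userkey.pem. openssl prompts for the GRID pass phrase if the key is
# encrypted (a real user key is; the demo key below is not).
cert_key_match() {
    dir=${1:-$HOME/.globus}
    certpub=$(openssl x509 -noout -pubkey -in "$dir/usercert.pem") || return 1
    keypub=$(openssl pkey -pubout -in "$dir/userkey.pem") || return 1
    [ -n "$certpub" ] && [ "$certpub" = "$keypub" ]
}

# Returns 0 when certificate $1 is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

# Constructed, self-signed stand-in for a CA-issued certificate, only so the
# checks can be exercised offline; the subject copies the one in the slides.
make_demo_cert() {
    mkdir -p "$1" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj '/C=ES/O=IFCA/CN=tut25' \
        -keyout "$1/userkey.pem" -out "$1/usercert.pem" >/dev/null 2>&1 &&
    chmod 444 "$1/usercert.pem" && chmod 400 "$1/userkey.pem"
}

# All three checks on one directory; usage:  sh preflight.sh --check ~/.globus
preflight() {
    check_globus_perms "$1" &&
    cert_key_match "$1" &&
    cert_valid_for_days "$1/usercert.pem" "${2:-7}" &&
    echo "ok: $1 is ready for voms-proxy-init"
}

case "${1:-}" in
    --check) preflight "${2:-$HOME/.globus}" ;;
esac
```

The permission test deliberately accepts 0600 as well as the 0400 the slide shows, since the proxy tools only insist that nobody else can read the key; the key/certificate match catches the common mistake of copying a renewed usercert.pem next to last year's userkey.pem, which grid-cert-info alone does not reveal.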

Creation of a proxy with VOMS extensions (a VOMS proxy). This step is comparable to logging in to the Grid:

voms-proxy-init --voms vo.formacion.es-ngi.eu

~]$ voms-proxy-init --voms vo.formacion.es-ngi.eu
Cannot find file or dir: /home/tut25/.glite/vomses
Enter GRID pass phrase:
Your identity: /C=ES/O=IFCA/CN=tut25
Creating temporary proxy Done
Contacting voms01.ifca.es:15004 [/DC=es/DC=irisgrid/O=ifca/CN=host/voms01.ifca.es] "vo.formacion.es-ngi.eu" Done
Creating proxy Done
Your proxy is valid until Mon Jul 5 23:10:

The "Cannot find file or dir" line is informational: there is no per-user vomses file, so the client falls back to the system-wide vomses configuration, which is where the VO's server (voms01.ifca.es:15004) is defined.

Check the VOMS proxy information: voms-proxy-info -all

The output shows two different lifetimes. The first is the lifetime of the proxy certificate itself; the second is that of the attribute certificate (AC) added by the VOMS server. The proxy certificate is created with a lifetime of 12 hours. Whichever of the two expires first is what limits you: once the AC has expired the proxy still authenticates, but the VO attributes that services use for authorization are no longer accepted.

~]$ voms-proxy-info -all
subject   : /C=ES/O=IFCA/CN=tut25/CN=proxy
issuer    : /C=ES/O=IFCA/CN=tut25
identity  : /C=ES/O=IFCA/CN=tut25
type      : proxy
strength  : 1024 bits
path      : /tmp/x509up_u5733
timeleft  : 11:58:55
=== VO vo.formacion.es-ngi.eu extension information ===
VO        : vo.formacion.es-ngi.eu
subject   : /C=ES/O=IFCA/CN=tut25
issuer    : /DC=es/DC=irisgrid/O=ifca/CN=host/voms01.ifca.es
attribute : /vo.formacion.es-ngi.eu/Role=NULL/Capability=NULL
timeleft  : 11:58:55
uri       : voms01.ifca.es:15004

Logout from the Grid: to delete the VOMS proxy, run

voms-proxy-destroy

MyProxy use: Creation

Register a long-lived proxy in the MyProxy server (gridpx01.ifca.es): myproxy-init

The -s option lets you specify the name of the MyProxy server to contact. Without it, the server name is taken from the environment variable MYPROXY_SERVER.
The -d option stores the long-term proxy under your DN as the username. Without it, the stored proxy is registered under your username on the local machine.
The -l option stores the long-term proxy under a name you choose. Each user can create and store several proxies in a MyProxy server, but each remote proxy is linked to the username it was stored under.
The -c option specifies the lifetime (in hours) of the credential stored in MyProxy.

myproxy-init -s gridpx01.ifca.es -d -l tut25 -c 48

Anyone who knows the username and the MyProxy pass phrase can retrieve a proxy from the stored credential, so choose a MyProxy pass phrase different from your GRID pass phrase and do not make the -c lifetime longer than you need.

~]$ myproxy-init -s gridpx01.ifca.es -d -l tut25 -c 48
Your identity: /C=ES/O=IFCA/CN=tut25
Enter GRID pass phrase for this identity:
Creating proxy Done
Proxy Verify OK
Your proxy is valid until: Wed Jul 7 15:15:
Enter MyProxy pass phrase:
Verifying - Enter MyProxy pass phrase:
A proxy valid for 48 hours (2.0 days) for user tut25 now exists on gridpx01.ifca.es.

MyProxy use: Information

Gather information about the proxy certificate stored in the MyProxy server. If there is no local proxy on your UI you cannot authenticate to the MyProxy server, so you first have to either retrieve a delegated proxy from the MyProxy server (myproxy-get-delegation, with VOMS extensions, as with voms-proxy-init, or without them, as with grid-proxy-init) or create a local proxy. After that you can query the information about the proxy certificate stored in the MyProxy server:

~]$ myproxy-info -s gridpx01.ifca.es -d
username: tut25
owner: /C=ES/O=IFCA/CN=tut25
timeleft: 47:59:52 (2.0 days)

If the credential was stored with -d or -s, you also have to pass those options to myproxy-info. If it was stored with -l, you have to pass the same -l username to myproxy-info:

~]$ myproxy-info -s gridpx01.ifca.es -d -l tut25
username: tut25
owner: /C=ES/O=IFCA/CN=tut25
timeleft: 47:58:04 (2.0 days)

The username of the stored proxy matters: it is what identifies it and distinguishes it from the other proxies you may have stored on the MyProxy server.

MyProxy use: Delegation

Proxy certificate delegation from the MyProxy server retrieves a proxy certificate from the MyProxy server to your local machine. First, destroy the local proxy certificate created earlier and verify that it no longer exists:

~]$ voms-proxy-destroy
~]$ voms-proxy-info
Couldn't find a valid proxy.

Now we can obtain a delegated proxy certificate from the MyProxy server: myproxy-get-delegation

The -d option selects the credential stored under our DN as the username. Without it, the username looked up on the server is our username on the local machine, or the one given with -l.
The --voms option adds VOMS extensions for the given VO to the retrieved proxy.

~]$ myproxy-get-delegation -l tut25 --voms vo.formacion.es-ngi.eu
Enter MyProxy pass phrase:
Cannot find file or dir: /home/tut25/.glite/vomses
Your identity: /C=ES/O=IFCA/CN=tut25/CN=proxy/CN=proxy/CN=proxy
Creating temporary proxy Done
Contacting voms01.ifca.es:15004 [/DC=es/DC=irisgrid/O=ifca/CN=host/voms01.ifca.es] "vo.formacion.es-ngi.eu" Done
Creating proxy Done
Your proxy is valid until Tue Jul 6 03:07:
A credential has been received for user tut25 in /tmp/x509up_u5733.

Verify now that the user has a local proxy: voms-proxy-info -all

~]$ voms-proxy-info -all
subject   : /C=ES/O=IFCA/CN=tut25/CN=proxy/CN=proxy/CN=proxy/CN=proxy
issuer    : /C=ES/O=IFCA/CN=tut25/CN=proxy/CN=proxy/CN=proxy
identity  : /C=ES/O=IFCA/CN=tut25/CN=proxy/CN=proxy/CN=proxy
type      : proxy
strength  : 1024 bits
path      : /tmp/x509up_u5733
timeleft  : 11:57:53
=== VO vo.formacion.es-ngi.eu extension information ===
VO        : vo.formacion.es-ngi.eu
subject   : /C=ES/O=IFCA/CN=tut25
issuer    : /DC=es/DC=irisgrid/O=ifca/CN=host/voms01.ifca.es
attribute : /vo.formacion.es-ngi.eu/Role=NULL/Capability=NULL
timeleft  : 11:57:53
uri       : voms01.ifca.es:15004

Compare the subject with the one of the proxy created directly by voms-proxy-init: every delegation step signs a new proxy with the previous one and appends a further CN=proxy component, so the chain grows with each hop (the credential stored by myproxy-init, the one retrieved by myproxy-get-delegation, and the VOMS step on top). The DN that matters for authorization is still the one issued by the CA, /C=ES/O=IFCA/CN=tut25, which is what the AC's subject shows.
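The two facts a script needs from this output are the ones discussed above: the shorter of the proxy and AC lifetimes (the earlier voms-proxy-info -all slide) and the end-entity DN underneath the accumulated CN=proxy components (this slide). The following is an added example written for this page, not part of the slides or of the VOMS tools; it assumes only a POSIX shell and awk. The sample output embedded in it is constructed, modelled on the listing above but with the AC lifetime cut short so that the two lifetimes differ; it also strips the numeric CN components that RFC 3820 proxies use, which this page's legacy-style proxies do not show.

```shell
#!/bin/sh
# Summarise "voms-proxy-info -all": the end-entity DN behind the proxy, how many
# delegation steps it has accumulated, and how long it stays usable, i.e. the
# shorter of the proxy lifetime and the VOMS AC lifetime. Added example for this
# page, not part of the slides or of the VOMS tools; needs only sh and awk.

# Reads voms-proxy-info -all text on stdin and prints one line:
#   identity=<DN> depth=<n> proxy_s=<seconds> ac_s=<seconds or -1> usable_s=<seconds>
proxy_summary() {
    awk '
    function hms(s,  a) { split(s, a, ":"); return a[1] * 3600 + a[2] * 60 + a[3] }
    /^=== VO .* extension information ===/ { in_ac = 1 }
    # the first "subject" line is the proxy itself; later ones belong to ACs
    /^ *subject *:/ && !in_ac { sub(/^ *subject *: */, ""); subject = $0 }
    /^ *timeleft *:/ {
        sub(/^ *timeleft *: */, ""); t = hms($0)
        if (in_ac) { if (!has_ac || t < ac) ac = t; has_ac = 1 } else proxy = t
    }
    END {
        # strip proxy components: legacy CN=proxy / CN=limited proxy, and the
        # numeric CN that RFC 3820 proxies carry
        depth = 0; id = subject
        while (sub(/\/CN=(proxy|limited proxy|[0-9]+)$/, "", id)) depth++
        usable = has_ac ? (ac < proxy ? ac : proxy) : proxy
        printf "identity=%s depth=%d proxy_s=%d ac_s=%d usable_s=%d\n",
               id, depth, proxy, (has_ac ? ac : -1), usable
    }'
}

# Returns 0 when the proxy and its VOMS attributes (if any) remain valid for
# at least $1 more seconds; voms-proxy-info -all text on stdin.
proxy_usable_for() {
    usable=$(proxy_summary | sed 's/.*usable_s=//')
    [ "$usable" -ge "$1" ]
}

# Constructed sample modelled on the listing above, with the AC lifetime cut
# short so that the two lifetimes differ.
sample_proxy_info() {
cat <<'EOF'
subject   : /C=ES/O=IFCA/CN=tut25/CN=proxy/CN=proxy/CN=proxy/CN=proxy
issuer    : /C=ES/O=IFCA/CN=tut25/CN=proxy/CN=proxy/CN=proxy
identity  : /C=ES/O=IFCA/CN=tut25/CN=proxy/CN=proxy/CN=proxy
type      : proxy
strength  : 1024 bits
path      : /tmp/x509up_u5733
timeleft  : 11:57:53
=== VO vo.formacion.es-ngi.eu extension information ===
VO        : vo.formacion.es-ngi.eu
subject   : /C=ES/O=IFCA/CN=tut25
issuer    : /DC=es/DC=irisgrid/O=ifca/CN=host/voms01.ifca.es
attribute : /vo.formacion.es-ngi.eu/Role=NULL/Capability=NULL
timeleft  : 01:02:03
uri       : voms01.ifca.es:15004
EOF
}

# Demo on the sample; for a live check pipe the real output instead:
#   voms-proxy-info -all | proxy_summary
#   voms-proxy-info -all | proxy_usable_for 7200 || voms-proxy-init --voms vo.formacion.es-ngi.eu
sample_proxy_info | proxy_summary
```

On the sample this prints identity=/C=ES/O=IFCA/CN=tut25 with depth=4 and usable_s=3723, i.e. the proxy would still authenticate for almost twelve hours, but a job submitted more than an hour from now would arrive with expired VO attributes; checking usable_s rather than the first timeleft value is the point.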

MyProxy use: Destruction

Remote proxy destruction (in the MyProxy server):

~]$ myproxy-destroy -s gridpx01.ifca.es -l tut25
Default MyProxy credential for user tut25 was successfully removed

Check your remote proxy:

~]$ myproxy-info -s gridpx01.ifca.es
ERROR from myproxy-server (gridpx01.ifca.es): no credentials found for user tut25, owner "/C=ES/O=IFCA/CN=tut25"

Thanks for your attention! Questions?