Consorzio COMETA - Progetto PI2S2 UNIONE EUROPEA The GENIUS Grid Portal and robot certificates Giuseppe LA ROCCA

The GENIUS Grid Portal and robot certificates
Giuseppe LA ROCCA, INFN - Catania
GRISU' Open Day su Bio-immagini e Grid, Napoli, 11 March 2009
Consorzio COMETA - Progetto PI2S2, European Union

G. LA ROCCA - GRISU' Open Day su Bio-immagini e Grid - 11 March 2009 Naples - Italy

Why do we use Robot Certificates in Science?
– Grid technology allows users to share a wide plethora of distributed computational resources regardless of their geographical location. Virtual services are exposed to the users through rather complex Command Line Interfaces or API languages.
– Grid security is based on the Public Key Infrastructure (PKI) of X.509 certificates, and the procedure to get and manage those certificates is unfortunately not straightforward.
– Up to now, the high security policy requested to access distributed computing resources has been a big limiting factor when trying to broaden the usage of Grids by wide communities of users.

Why do we use Robot Certificates in Science? (continued)
– The user has to adhere to a Virtual Organization (VO).
– The user needs an account on one of the trusted User Interfaces (UI).
Robot certificates and Grid portals provide an added value to make Grids more appealing for non-expert users.

Robot certificates - overview
1. Since February the Italian INFN CA has also started to issue Robot Certificates. Thanks to these new certificates, scientists will be able to access the Grid by sharing the certificate installed on the portal.
2. Other CAs issuing robot certificates are the UK and NL ones.

Robot certificates - overview (continued)
Robot certificates have been introduced to permit users who are not familiar with the Grid Security Infrastructure to experience the Grid paradigm for research activity, reducing the initial barriers.
– They are extremely useful, for instance, to automate grid service monitoring, data processing production, distributed data collection systems, etc.
– Basically these certificates can be used to identify a person responsible for an unattended service or process acting as client and/or server.

Robot Certificates & tokens
In order to strongly reduce the risk of the portal certificate being compromised or lost, the INFN CA has decided to issue this new certificate on board an Aladdin eToken PRO 32K smart card. Each smart card can hold several robot certificates: one for each application the user wants to share with other people.
– The user's PIN is prompted for every time the user tries to read the certificate on the smart card to generate a proxy.
– A first prototype of a Grid Portal using a robot certificate on board this hardware has been successfully designed.

Using an Aladdin eToken PRO to generate Grid Proxies
Once your grid certificate and private key are safely stored on your eToken, you can generate proxies directly from it. A shell script, mkproxy, was written for this purpose.
– This script requires quite a few special programs and libraries, which need to be installed beforehand.
The mkproxy script has been tested on:
– Windows XP (using cygwin)
– Linux Fedora Core 5 and 8
– Linux CentOS 4
– Scientific Linux 4 and 5
– Linux OpenSuse 10 (suse10)
– In the near future we hope to test it on MacOS X as well.

Download the required files
Install the following packages for your Linux distribution from these web links:
Due to licensing restrictions, we cannot supply the eToken drivers and libraries. These need to be downloaded from the Aladdin website. You can find all the required software on the web:
See the extra slides at the end of this presentation for installation tips.

GENIUS/EnginFrame 4.1 & Robot Certificates
Workflow shown in the slide diagram (actors: User, Admin, GENIUS/EnginFrame):
1. ask for a service
2. create a proxy with the robot certificate
2', 3'. track user
3. execute action
4. get output
5. get the results

Porting the "MrBayes" application to the Grid with a robot certificate
Case study from INFN CNR - ITB

MrBayes overview
MrBayes is a program for the Bayesian estimation of phylogeny. Bayesian inference of phylogeny is based on the posterior probability distribution of trees, which is the probability of a tree conditioned on the observations.
– To approximate the posterior probability distribution of trees, MrBayes uses a simulation technique called Markov Chain Monte Carlo (or MCMC).
– The program takes as input a character matrix in the NEXUS file format.
– The output is several files with the parameters that were sampled by the MCMC algorithm.
The application is CPU demanding, especially if the MPI version of the software is used.

Phylogenetic analysis on a large scale
Architecture diagram; components shown: User's workstation, UI + GENIUS Portal (with Robot Certificate and Job Submission Tool), Resource Broker, Computing Element(s), Worker Node(s), SE, LFC Catalog.

Porting the "GridSPM" application to EGEE
Case study from the Italian Portal of Neuroinformatics

GRIDSPM application overview
GRIDSPM is a neuroinformatics service that allows the statistical analysis of SPECT and PET cerebral images through the Statistical Parametric Mapping (SPM) system.
The service allows certified and authorized users:
– to access and use the analysis software SPM;
– to access the database of SPECT and PET cerebral images of normal subjects, required for the comparison between the pathological subject and the normal population.
See Andrea Schenone's talk for further information.

References
– JST: webcms.ba.infn.it/cms-software/index.html/index.php/Main/JobSubmissionTool
– Multi MrBayes with JST & robot certificate: Web site: ; Video:
– The Italian Portal of Neuroinformatics, Statistical analysis of PET and SPET images:
– Java PKCS#11 Reference Guide: java.sun.com/j2se/1.5.0/docs/guide/security/p11guide.html
– nikhef.nl/grid/gridwiki/index.php/Using_an_Aladdin_eToken_PRO_to_generate_grid_proxies [Jan Just Keijser]

Summary & Conclusions
This work is particularly relevant for all users who are not familiar with personal digital certificates. The valuable benefits introduced by robot certificates in e-Science can thus be extended to users belonging to several scientific domains, providing an asset in raising Grid awareness among a wide number of potential users.

Extra slides follow...

Pre-installation /1
Before installing PKI Client 4.55, PCSC-lite, PCSC-lite-lib and CCID must be installed.
– Maybe you can find these packages in your repo. These packages have dependencies between each other.
Start the daemon: /etc/init.d/pcscd start
Extract eToken_PKI_Client_4_55_Linux.rar, which will extract the files:

Pre-installation /2
The Mkproxy-rhel4.tar.gz tarball contains all the required binaries for RHEL4 compatible platforms. After unpacking the tarball, copy over the files to their respective locations:
    cp -rp bin/* /usr/local/bin
    cp -rp lib/* /usr/local/lib
    cp -rp etc/openssl.cnf /usr/local/etc

Pre-installation /3
Change the /usr/local/bin/mkproxy script as follows:
For further information …
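The three pre-installation steps above, written as a checked script (an added example, not the slides' or the mkproxy bundle's own code): the tarball is unpacked into scratch space and its layout verified before the same cp -rp copies land in the prefix. Function and variable names (check_bundle_layout, install_mkproxy_bundle, pcscd_running) are this script's own assumptions.

```shell
#!/bin/sh
# Added example (not from the slides or the mkproxy bundle): installs the
# Mkproxy-rhel4.tar.gz contents into a prefix with the same cp -rp steps as
# the slide, but unpacks to scratch space first and checks the layout before
# anything lands in /usr/local.  Function and variable names are this
# script's own.

# check_bundle_layout DIR: 0 if DIR holds bin/mkproxy, lib/ and etc/openssl.cnf
check_bundle_layout() {
    for f in bin/mkproxy etc/openssl.cnf; do
        [ -f "$1/$f" ] || { echo "bundle is missing $f" >&2; return 1; }
    done
    [ -d "$1/lib" ] || { echo "bundle is missing lib/" >&2; return 1; }
}

# install_mkproxy_bundle TARBALL [PREFIX]: PREFIX defaults to /usr/local.
install_mkproxy_bundle() {
    tarball=$1
    prefix=${2:-/usr/local}
    tmp=$(mktemp -d) || return 1
    # Extract into scratch space so a bad archive touches nothing in PREFIX.
    if ! tar -xzf "$tarball" -C "$tmp"; then
        rm -rf "$tmp"; return 1
    fi
    if ! check_bundle_layout "$tmp"; then
        rm -rf "$tmp"; return 1
    fi
    mkdir -p "$prefix/bin" "$prefix/lib" "$prefix/etc" || { rm -rf "$tmp"; return 1; }
    # Same copies as on the slide; -p keeps permissions and timestamps.
    if ! { cp -rp "$tmp"/bin/* "$prefix/bin" &&
           cp -rp "$tmp/lib/." "$prefix/lib" &&
           cp -rp "$tmp/etc/openssl.cnf" "$prefix/etc"; }; then
        rm -rf "$tmp"; return 1
    fi
    rm -rf "$tmp"
    # The script must be executable for the Testing step that follows.
    chmod 755 "$prefix/bin/mkproxy"
}

# pcscd_running: 0 when the pcscd daemon (started with /etc/init.d/pcscd
# start on the slide) is up; mkproxy cannot reach the token without it.
pcscd_running() {
    pgrep -x pcscd >/dev/null 2>&1
}
```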

Testing
If you have installed a single grid certificate on your eToken you can now generate a grid proxy by issuing the command:
    mkproxy --label="Robot:MrBayes"
Starting Aladdin eToken PRO proxy generation
Found X.509 certificate on eToken:
  label: (eTCAPI) Robot:MrBayes - Giuseppe La Rocca's GILDA ID
  id: d d d d a31
Your identity: /C=IT/O=GILDA/L=INFN Catania/CN=Robot:Genius - Giuseppe La Rocca
Generating a 512 bit RSA private key
writing new private key to 'proxykey.D17633'
engine "pkcs11" set.
Signature ok
subject=/C=IT/O=GILDA/L=INFN Catania/CN=Robot:Genius - Giuseppe La Rocca/CN=proxy
Getting CA Private Key
PKCS#11 token PIN:
Your proxy is valid until: Sun Feb 24 03:58:09 CEST
Add VOMS extensions by running the command:
    voms-proxy-init --noregen -voms

mkproxy command line options
    /bin/mkproxy --help
mkproxy version 1.40
This script will generate a X509 grid proxy using a public/private key pair found on an attached Aladdin eToken PRO.
Options
[--help]            Displays usage.
[--version]         Displays version.
[--debug]           Enables extra debug output.
[--quiet]           Quiet mode, minimal output.
[--limited]         Creates a limited globus proxy.
[--old]             Creates a legacy globus proxy (default).
[--gt3]             Creates a pre-RFC3820 compliant proxy.
[--rfc]             Creates a RFC3820 compliant proxy.
[--days=N]          Number of days the proxy is valid.
[--valid=HH:MM]     Proxy is valid for HH hours and MM minutes (default=12:00).
[--path-length=N]   Allow a chain of at most N proxies to be generated from this one (default=2).
[--bits=N]          Number of bits in key (512, 1024, 2048, default=512).
[--out=proxyfile]   Non-standard location of new proxy cert.
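The Testing output above shows mkproxy using its 512-bit default key, which the options list lets you raise with --bits. The following added example (not part of mkproxy or the slides) wraps the call with an explicit key size and RFC 3820 format, then audits the lines mkproxy prints before the proxy is used; the sample output is constructed from the Testing slide, and MKPROXY, MIN_BITS and the function names are this script's own assumptions.

```shell
#!/bin/sh
# Added example (not from mkproxy or the slides): run mkproxy with an explicit
# key size instead of its 512-bit default, then audit the output it prints
# (see the Testing slide) before the proxy is used.  MKPROXY and MIN_BITS
# are this script's own variables.

MIN_BITS=${MIN_BITS:-1024}

# Constructed sample modelled on the Testing slide; used for self-testing.
sample_mkproxy_output() {
    cat <<'EOF'
Starting Aladdin eToken PRO proxy generation
Found X.509 certificate on eToken:
Your identity: /C=IT/O=GILDA/L=INFN Catania/CN=Robot:Genius - Giuseppe La Rocca
Generating a 512 bit RSA private key
writing new private key to 'proxykey.D17633'
engine "pkcs11" set.
Signature ok
Your proxy is valid until: Sun Feb 24 03:58:09 CEST
EOF
}

# Print the RSA key size mkproxy announces (empty if the line is missing).
proxy_key_bits() {
    sed -n 's/^Generating a \([0-9][0-9]*\) bit RSA private key.*/\1/p' | head -n 1
}

# Print the expiry mkproxy reports (empty if the line is missing).
proxy_valid_until() {
    sed -n 's/^Your proxy is valid until: *//p' | head -n 1
}

# audit_mkproxy_output FILE: 0 if the proxy key meets MIN_BITS, 1 otherwise.
audit_mkproxy_output() {
    bits=$(proxy_key_bits < "$1")
    until=$(proxy_valid_until < "$1")
    if [ -z "$bits" ] || [ -z "$until" ]; then
        echo "audit: key size or expiry missing from mkproxy output" >&2
        return 1
    fi
    if [ "$bits" -lt "$MIN_BITS" ]; then
        echo "audit: proxy key is only $bits bits (minimum $MIN_BITS)" >&2
        return 1
    fi
    echo "audit: proxy key $bits bits, valid until $until"
}

# run_mkproxy_checked LABEL [BITS]: make an RFC 3820 proxy from the token
# certificate LABEL with a BITS-bit key (default 2048), then audit it.
# The PIN prompt still comes from mkproxy itself; nothing here sees the PIN.
run_mkproxy_checked() {
    out=$(mktemp) || return 1
    if ! "${MKPROXY:-mkproxy}" --rfc --bits="${2:-2048}" --label="$1" >"$out" 2>&1; then
        cat "$out" >&2; rm -f "$out"; return 1
    fi
    if audit_mkproxy_output "$out"; then rc=0; else rc=1; fi
    rm -f "$out"
    return $rc
}
```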

Supported API /1
The following APIs are supported in the Linux version of eToken PKI Client 4.55:
– PKCS#11
– SAPI

Supported API /2
Output of a Java test program reading the token through the SunPKCS11 provider:
[main] INFO eToken -
[main] INFO eToken - [ Testing Aladdin eToken PRO 32K 4.2B ]
[main] INFO eToken - Provider Name.. SunPKCS11-eToken
[main] INFO eToken - Version
[main] INFO eToken - Size
[main] INFO eToken - >> Several key item(s) found - Proceed! <<
[main] INFO eToken -
[main] INFO eToken - Number of entities found : 1
[main] INFO eToken - Alias(es) found : (eTCAPI) Robot: MrBayes - Giuseppe La Rocca's INFN ID
[main] INFO eToken - Private Key : SunPKCS11-eToken RSA private key, 2048 bits (id , token object, sensitive, unextractable)
[main] INFO eToken - Version: V3 Subject: CN=Robot: MrBayes - Giuseppe La Rocca, L=Catania, OU=Robot, O=INFN, C=IT Signature Algorithm: SHA1withRSA, OID = Key: SunPKCS11-eToken RSA public key, 2048 bits (id , session object) modulus: public exponent:
[main] INFO eToken - Public Key: SunPKCS11-eToken RSA public key, 2048 bits (id , session object) modulus: public exponent:
[main] INFO eToken - Public Key encoded :
[main] INFO eToken - Public Key format : X.509
[main] INFO eToken - Algorithm : RSA
[main] INFO eToken - >> Get Certificate <<
[main] INFO eToken -
[main] INFO eToken - Subject Name: CN=Robot: MrBayes - Giuseppe La Rocca, L=Catania, OU=Robot, O=INFN, C=IT
[main] INFO eToken - Certificate Issued by : CN=INFN CA, O=INFN, C=IT
[main] INFO eToken - Valid from : Mon Sep 08 16:04:47 CEST 2008
[main] INFO eToken - Valid to : Tue Sep 08 16:04:47 CEST 2009
[main] INFO eToken - Serial Number:
[main] INFO eToken - Generated with: SHA1withRSA
[main] INFO eToken - Version: 3
[main] INFO eToken