Practicals on VOMS and MyProxy

Slides:



Advertisements
Similar presentations
EGEE-II INFSO-RI Enabling Grids for E-sciencE Practical using EGEE middleware: AA and simple job submission.
Advertisements

12th EELA Tutorial, Lima, FP6−2004−Infrastructures−6-SSA E-infrastructure shared between Europe and Latin America.
It’s not about security... it’s about access! Grid Security Pieter van Beek.
Riccardo Bruno, INFN.CT Sevilla, 10-14/09/2007 GENIUS Exercises.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE Tutorial Getting started with GILDA.
Summer School Certificates Diego Romano & Gilda Team.
GLite authentication and authorization Discipline: Grid Computing, 07/08-2 Practical classes Inês Dutra, DCC/FCUP.
INFSO-RI Enabling Grids for E-sciencE Practicals on VOMS and MyProxy Emidio Giorgio INFN Retreat between GILDA and ESR VO, Bratislava,
FP6−2004−Infrastructures−6-SSA E-infrastructure shared between Europe and Latin America Luciano Díaz ICN-UNAM Based on Domenico.
E-science grid facility for Europe and Latin America E2GRIS1 Raúl Priego Martínez – CETA-CIEMAT (Spain)‏ Itacuruça (Brazil), 2-15 November.
FP6−2004−Infrastructures−6-SSA E-infrastructure shared between Europe and Latin America MyProxy server installation Emidio Giorgio.
INFSO-RI Enabling Grids for E-sciencE How to join GILDA Riccardo Bruno INFN gLite Tutorial at the First EGEE User Forum CERN,
E-infrastructure shared between Europe and Latin America Security Hands-on Christian Grunfeld, UNLP 8th EELA Tutorial, La Plata, 11/12-12/12,2006.
INFSO-RI Enabling Grids for E-sciencE VOMS architecture Valerio Venturi, Vincenzo Ciaschini INFN First gLite tutorial on GILDA,
INFSO-RI Enabling Grids for E-sciencE GILDA Practicals : Security systems GILDA Tutors Singapore, 1st South East Asia Forum -- EGEE.
E-infrastructure shared between Europe and Latin America FP6−2004−Infrastructures−6-SSA Hands-on on security Pedro Rausch IF - UFRJ.
Condor-G A Quick Introduction Alan De Smet Condor Project University of Wisconsin - Madison.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks VOMS Vincenzo Ciaschini EGEE/OSG Workshop.
Hands-on security Angelines Alberto Morillas Ciemat.
EGEE is a project funded by the European Union under contract IST Grid proxy and MyProxy Roberto Barbera Univ. of Catania and INFN SEE-GRID.
4th EELA TUTORIAL - USERS AND SYSTEM ADMINISTRATORS E-infrastructure shared between Europe and Latin America Security Hands-on Vanessa.
Enabling Grids for E-sciencE Workload Management System on gLite middleware - commands Matthieu Reichstadt CNRS/IN2P3 ACGRID School, Hanoi.
FP6−2004−Infrastructures−6-SSA E-infrastructure shared between Europe and Latin America Practicals on Security Miguel Cárdenas Montes.
E-infrastructure shared between Europe and Latin America Security Hands-on Alexandre Duarte CERN Fifth EELA Tutorial Santiago, 06/09-07/09,2006.
EGEE-II INFSO-RI Enabling Grids for E-sciencE MyProxy - a brief introduction.
FP6−2004−Infrastructures−6-SSA E-infrastructure shared between Europe and Latin America Moisés Hernández Duarte UNAM FES Cuautitlán.
INFSO-RI Enabling Grids for E-sciencE - II SLCS, VASH, and LCAS/LCMAPS Plugins All-Hands Meeting Helsinki Placi Flury, SWITCH 19.
INFSO-RI Enabling Grids for E-sciencE VOMS & MyProxy interaction Emidio Giorgio INFN NA4 Generic Applications Meeting 10 January.
Enabling Grids for E-sciencE Sofia, 17 March 2009 INFSO-RI Introduction to Grid Computing, EGEE and Bulgarian Grid Initiatives –
LCG2 Tutorial Viet Tran Institute of Informatics Slovakia.
Hands-on security Carlos Fuentes RedIRIS Madrid,26 – 30 de Octubre de 2008.
Hands on Security, Authentication and Authorization Virginia Martín-Rubio Pascual RedIRIS/Red.es Curso Grid y e-Ciencia.
EGI-InSPIRE RI Grid Training for Power Users EGI-InSPIRE N G I A E G I S Grid Training for Power Users Institute of Physics Belgrade.
Tutorial on "GRID Computing“ EMBnet Conference 2008 CNR - ITB Authenticated Grid access with robot certificates Giuseppe LA ROCCA INFN.
The EPIKH Project (Exchange Programme to advance e-Infrastructure Know-How) 马兰馨 IHEP, CAS Hands on gLite Security.
1 Grid Security Jinny Chien Academia Sinica Computing Centre Deployment team.
EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI VOMS Proxy Lifetime UCB 21 Aug 2012 David Kelsey STFC.
Enabling Grids for E-sciencE gLite security pratical tutorial Dario Russo INFN Catania Catania,
INFSO-RI Enabling Grids for E-sciencE GILDA t-Infrastructure Antonio Fuentes Bermejo
First South Africa Grid Training June 2008, Catania (Italy) GILDA t-Infrastructure Valeria Ardizzone INFN Catania.
GRID commands lines Original presentation from David Bouvet CC/IN2P3/CNRS.
EGEE is a project funded by the European Union under contract IST Job Submission Giuseppe La Rocca EGEE NA4 Generic Applications INFN Catania.
EGEE is a project funded by the European Union under contract IST Grid proxy and MyProxy Giuseppe La Rocca EGEE NA4 Generic Applications GENIUS/GILDA.
(Exchange Programme to advance e-Infrastructure Know-How) The EPIKH Project Hailong Yang
Introduction to Grid Computing
Security in gLite Gergely Sipos MTA SZTAKI
Authentication, Authorisation and Security
Security on gLite middleware
GILDA t-Infrastructure
MyProxy Server Installation
Authorization and Authentication in gLite
gLite 1.4. Data Mangement Exercises
Security and getting access to the training infrastructure
Introductions Using gLite Grid Miguel Angel Díaz Corchero
Corso di Calcolo Parallelo Grid Computing
UI Installation and Configuration
CRC exercises Not happy with the way the document for testbed architecture is progressing More a collection of contributions from the mware groups rather.
Grid Security Jinny Chien Academia Sinica Grid Computing.
Certificate management Miroslav Dobrucký Institute of Informatics SAS
login: clermont-ferrandxx password: GridCLExx
Update on EDG Security (VOMS)
Long term job submission and monitoring uing grid services
The New Virtual Organization Membership Service (VOMS)
Grid Security M. Jouvin / C. Loomis (LAL-Orsay)
Security in gLite Valeria Ardizzone INFN EGEE User Tutorial
Certificates Usage and Simple Job Submission
Certificates Usage and Simple Job Submission
Certificates Usage and Simple Job Submission
UI Installation and Configuration
GENIUS Grid portal Hands on
Presentation transcript:

Practicals on VOMS and MyProxy Emidio Giorgio Valerio Venturi INFN First gLite tutorial on GILDA, Catania, 13-15.06.2005

Outline VOMS vs. plain proxy VOMS proxy creation MyProxy Obtaining VOMS delegation through MyProxy First gLite tutorial on GILDA, Catania, 13-15.06.2005

VOMS generalities Virtual Organisation Membership Services is service which keeps track of VO members and grants users authorization to access resources at the VO level Differently from standard plain proxies, provides support for group membership, roles, and capabilities Each VO has a server, which is contacted from user when he initialize his proxy VOMS server returns infos which are included in user proxy certificate First gLite tutorial on GILDA, Catania, 13-15.06.2005

VOMS proxy creation voms-proxy-init --voms gildav Your identity: /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio Giorgio/Email=emidio.giorgio@ct.infn.it Enter GRID pass phrase for this identity: [insert your certificate passphrase] Creating temporary proxy ............................................. Done /C=IT/O=INFN/OU=Host/L=CNAF/CN=cert-voms-01.cnaf.infn.it /C=IT/O=INFN/CN=INFN Certification Authority Creating proxy ............................................. Done Your proxy is valid until Mon Jun 13 09:06:00 2005 First gLite tutorial on GILDA, Catania, 13-15.06.2005

VOMS proxy creation Principal options -hours x, create a proxy valid for x hours -cert <certfile> Non-standard location of user certificate -key <keyfile> Non-standard location of user key -out <proxyfile> Non-standard location of new proxy cert Maximum value for hours is 24, with superior values validity will be shortened to 86400 hours First gLite tutorial on GILDA, Catania, 13-15.06.2005

Verify your credentials voms-proxy-info Principal options : -all prints all proxy options -file specifies a different location of proxy file WARNING : in gLite 1.0, you may have problems (error 5025) with glite-job-* commands, when in /etc/grid-security/vomsdir there’s more than one host certificate. By pass this creating a directory containing only the host certificate of your VOMS server. [giorgio@glite-tutor:~]$ ls /etc/grid-security/vomsdir.gildav.glite/ gildav-cert-voms-01.cnaf.infn.it.pem Then export X509_VOMS_DIR=/etc/grid-security/vomsdir.gildav.glite/ First gLite tutorial on GILDA, Catania, 13-15.06.2005

Verify obtained credentials [giorgio@glite-tutor:~]$ voms-proxy-info --all subject : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio Giorgio/Email=emidio.giorgio@ct.infn.it/CN=proxy issuer : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio Giorgio/Email=emidio.giorgio@ct.infn.it identity : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio Giorgio/Email=emidio.giorgio@ct.infn.it type : proxy strength : 512 bits path : /tmp/x509up_u513 timeleft : 20:59:53 VO : gildav subject : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio Giorgio/Email=emidio.giorgio@ct.infn.it issuer : /C=IT/O=INFN/OU=Host/L=CNAF/CN=cert-voms-01.cnaf.infn.it attribute : /gildav/Role=NULL/Capability=NULL timeleft : 20:58:28 First gLite tutorial on GILDA, Catania, 13-15.06.2005

Long term proxy : MyProxy Proxy (and VOMS proxy) have limited lifetime (default is 12 h) Bad idea to have longer proxy However, a grid task might need to use a proxy for a much longer time Grid jobs in HEP Data Challenges on LCG last up to 2 days myproxy server: Allows to create and store a long term proxy certificate: myproxy-init -s <host_name> -s: <host_name> specifies the hostname of the myproxy server myproxy-info Get information about stored long living proxy myproxy-get-delegation Get a new proxy from the MyProxy server myproxy-destroy Chech out the myproxy-xxx - - help option A dedicated service on the RB can renew automatically the proxy contacts the myproxy server First gLite tutorial on GILDA, Catania, 13-15.06.2005

myproxy-init Principal option [giorgio@glite-tutor:~]$ myproxy-init -s grid001.ct.infn.it Your identity: /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio Giorgio/Email=emidio.giorgio@ct.infn.it Enter GRID pass phrase for this identity: Creating proxy ..................................................... Done Proxy Verify OK Your proxy is valid until: Sun Jun 19 21:18:27 2005 Enter MyProxy pass phrase: Verifying password - Enter MyProxy pass phrase: A proxy valid for 168 hours (7.0 days) for user giorgio now exists on grid001.ct.infn.it. Principal option -c hours specifies lifetime of the credential stored -t hours specifies the maximum lifetime of credentials retrieved First gLite tutorial on GILDA, Catania, 13-15.06.2005

myproxy-info Useful to retrieve info on stored credentials [giorgio@glite-tutor:~]$ myproxy-info -s grid001.ct.infn.it username: giorgio owner: /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio Giorgio/Email=emidio.giorgio@ct.infn.it timeleft: 167:55:34 (7.0 days) First gLite tutorial on GILDA, Catania, 13-15.06.2005

myproxy-get-delegation This command can be used to retrieve a proxy stored, It is independent by the machine ! You don’t need to have your certificate on board [giorgio@glite-tutor:~]$ mv .globus dummy [giorgio@glite-tutor:~]$ myproxy-get-delegation -s grid001.ct.infn.it Enter MyProxy pass phrase: A proxy has been received for user giorgio in /tmp/x509up_u513 mv dummy/ .globus First gLite tutorial on GILDA, Catania, 13-15.06.2005

MyProxy and VOMS myproxy-init works creating a temporary plain proxy, with the “old” grid-proxy-init The plain proxy is stored on the MyProxy Server It will be valid for the desired duration (default is a week, maximum is the certificate lifetime) The proxy retrieved with myproxy-get-delegation will be a plain proxy too….. All the VOMS extensions in these way are lost Resources will rejects jobs from these user How can use delegated credentials keeping VOMS extension ? First gLite tutorial on GILDA, Catania, 13-15.06.2005

Tricking the MyProxy server These procedure is valid for the applications which needs to renew user credentials Store once a plain proxy on myproxy server myproxy-init -s grid001.ct.infn.it Soon get the delegated credentials, specifying lifetime myproxy-get-delegation -s grid001.ct.infn.it -t 27 Enter MyProxy pass phrase: A proxy has been received for user giorgio in /tmp/x509up_u513 Request a voms proxy signing it with the received delegation (no passphrase requested) voms-proxy-init -t 25 -cert /tmp/x509up_u513 -key /tmp/x509up_u513 -voms gildav Your identity: /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio Giorgio/Email=emidio.giorgio@ct.infn.it/CN=proxy/CN=proxy/CN=proxy/CN=proxy Creating temporary proxy ............................... Done /C=IT/O=INFN/OU=Host/L=CNAF/CN=cert-voms-01.cnaf.infn.it /C=IT/O=INFN/CN=INFN Certification Authority Creating proxy .................................... Done First gLite tutorial on GILDA, Catania, 13-15.06.2005

Problems These trick perfectly works on an uniform testbed (entirely gLite or lcg) Not like the one you’re using now  (UI + RB glite, CE + WN lcg) The reason is already unknown, but seems dued to differences between CE’s First gLite tutorial on GILDA, Catania, 13-15.06.2005

Questions… First gLite tutorial on GILDA, Catania, 13-15.06.2005

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.