Certificate management Miroslav Dobrucký Institute of Informatics SAS


Training event: Application development course
10 March 2005, IISAS Bratislava

Contents
- How do I log in on the Grid?
- Grid certificates
- Creating the key/request pair
- Obtaining the certificate
- Installing the certificate
- Creating the proxy

How do I log in on the Grid?
- Distribution of resources: secure access is a basic requirement
  - Secure communication (SSL)
  - Security across organisational boundaries (PKI, X.509)
  - Single "sign-on" for users of the Grid (proxy certificates)
- Two basic concepts:
  - Authentication: Who am I? Equivalent to ID card, passport, ... (certificates)
  - Authorisation: What can I do? Certain permissions, duties, etc. (virtual organizations)

Grid certificates
- Each user must have a valid X.509 certificate issued by a recognized Certification Authority (CA).
- Before doing any Grid operation, the user must log in to a User Interface (UI) machine and create a proxy certificate.
- A proxy certificate is a delegated user credential that authenticates the user in every secure interaction and has a limited lifetime (for security reasons).

Creating the key/request pair
- grid-cert-request command

    [miro@cluster2 miro]$ grid-cert-request
    Enter your name, e.g., John Smith: Miroslav Dobrucky
    A certificate request and private key is being created.
    You will be asked to enter a PEM pass phrase.
    This pass phrase is akin to your account password,
    and is used to protect your key file.
    If you forget your pass phrase, you will need to
    obtain a new certificate.
    Using configuration from /etc/grid-security/globus-user-ssl.conf
    Generating a 1024 bit RSA private key
    ......................++++++
    ...........................++++++
    writing new private key to '/home/miro/.globus/userkey.pem'
    Enter PEM pass phrase:************

Obtaining the certificate
- Mail the request to the relevant CA:

    [miro@cluster2 miro]$ cat /home/miro/.globus/usercert_request.pem | mail ca.ui@savba.sk

- The user should deliver the request to the relevant Registration or Certification Authority (RA or CA) and authenticate in person with an ID card, passport or similar official photo document.
- The RA will deliver the request to the CA.
- The CA will sign the request and send back the certificate.
- The certificate is usually valid for 1 year. Before it expires, the user can create a rekey request using the still-valid certificate, so no further personal travel is needed.

Relevant trusted CAs
- C=CZ, O=CESNET, CN=CESNET CA
- C=ES, O=DATAGRID-ES, CN=DATAGRID-ES CA
- C=FR, O=CNRS, CN=CNRS
- C=GR, O=HellasGrid, CN=HellasGrid CA
- C=PT, O=LIPCA, CN=LIP Certification Authority
- C=SK, O=SlovakGrid, CN=SlovakGrid CA
- C=UK, O=eScience, OU=Authority, CN=CA/Email=ca-operator@grid-support.ac.uk
- ...

They are accredited by "The European Policy Management Authority for Grid Authentication in e-Science", www.eugridpma.org

Installing the certificate
- Install the certificate to the UI machine into the ~/.globus directory:

    [miro@cluster2 .globus]$ ls -l
    -r--r--r-- 1 miro miro 4774 Oct 8 13:11 usercert.pem
    -r--r--r-- 1 miro miro 1270 Oct 8 10:51 usercert_request.pem
    -r-------- 1 miro miro  963 Oct 8 10:51 userkey.pem
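
The listing above shows userkey.pem readable by its owner only. The following check is an added example, not part of the original slides or of the Globus tools: it audits a ~/.globus-style directory for that layout. The function names and finding texts are hypothetical, and the sample files are empty placeholders constructed in a temporary directory.

```shell
#!/bin/sh
# Added example: audit the files from the "Installing the certificate" slide.
# Function names and finding texts are hypothetical, not part of Globus.

# Print the nine permission characters (rwxrwxrwx form) of a path.
perm_bits() { ls -ld "$1" | cut -c2-10; }

report() { echo "FINDING: $1"; findings=$((findings + 1)); }

# audit_globus_dir DIR: print one line per finding, return the finding count.
audit_globus_dir() {
    dir=$1 key=$1/userkey.pem cert=$1/usercert.pem findings=0
    [ -d "$dir" ] || { report "$dir is not a directory"; return "$findings"; }
    # A directory writable by group/other lets another account swap the files.
    case "$(perm_bits "$dir")" in
        ????w????|???????w?) report "$dir is writable by group or other" ;;
    esac
    if [ -L "$key" ] || [ ! -f "$key" ]; then
        report "$key is missing or not a regular file"
    else
        case "$(perm_bits "$key")" in
            ???------) ;;  # owner-only, like -r-------- on the slide
            *) report "$key is accessible to group or other" ;;
        esac
    fi
    if [ ! -f "$cert" ]; then
        report "$cert is missing"
    else
        case "$(perm_bits "$cert")" in
            ????w????|???????w?) report "$cert is writable by group or other" ;;
        esac
    fi
    return "$findings"
}

# Constructed sample: empty files in the slide's layout, then a loosened key.
demo() {
    tmp=$(mktemp -d) || return 1
    : > "$tmp/userkey.pem"; : > "$tmp/usercert.pem"
    chmod 400 "$tmp/userkey.pem"; chmod 444 "$tmp/usercert.pem"
    audit_globus_dir "$tmp" && echo "slide layout: clean"
    chmod 644 "$tmp/userkey.pem"
    audit_globus_dir "$tmp" || echo "loosened key: $? finding(s)"
    rm -rf "$tmp"
}
demo
```

To audit a real account, call audit_globus_dir "$HOME/.globus" and treat a non-zero return value as the number of problems to fix with chmod.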

Creating the proxy
- grid-proxy-init command

    [miro@cluster2 miro]$ grid-proxy-init
    Your identity: /C=SK/O=SlovakGrid/O=IISAS/CN=Miroslav Dobrucky
    Enter GRID pass phrase for this identity:
    Creating proxy ....................................... Done
    Your proxy is valid until: Fri Nov 12 12:37:05 2004

- grid-proxy-info
- grid-proxy-destroy

Thank you.
http://public.eu-egee.org
http://ups.savba.sk/ca/