1 Getting Started with TeraGrid Authentication Jeffrey P. Gardner Pittsburgh Supercomputing Center

Presentation transcript:

1 Getting Started with TeraGrid Authentication Jeffrey P. Gardner Pittsburgh Supercomputing Center

2 CIG MCW, Boulder, CO
Approaches to TeraGrid Use
Log in interactively to a login node at a TeraGrid site and work from there
  no client software to install/maintain yourself
  execute tasks from your interactive session
Work from your local workstation and authenticate remotely to TeraGrid resources
  comfort and convenience of working "at home"
  may have to install/maintain add'l TG software
  (Eventually we will better support this mode)

3 “Traditional” Password Authentication
Without coordination of authentication between sites
[Diagram labels: Acct[x], password[x]; Acct[y], password[y]; Acct[z], password[z]]

4 Certificate-Based Authentication
[Diagram labels: password[k]; Certificate; No Password]

5 User Certificates for TeraGrid
Why use certificates for authentication?
Facilitates Single Sign-On
  enter your pass-phrase only once per session, regardless of how many systems and services that you access on the Grid during that session
  one pass-phrase to remember (to protect your private key), instead of one for each system
Widespread Use and Acceptance
  certificate-based authentication is standard for modern Web commerce and secure services

6 New TeraGrid Account TODO List
1. Use Secure Shell (SSH) to log into a TeraGrid site
2. Change your Password (WE'RE SKIPPING THIS STEP TODAY)
3. Obtain a TeraGrid-acceptable User Certificate*, and install it in your home directory
   *assuming you do not already have one
4. Register your User Certificate in Globus grid-mapfile on TeraGrid systems
5. Test your User Certificate for Remote Authentication

7 1. SSH to a TeraGrid Site
    ssh
(Enter the password provided when prompted to do so)
STOP and await further instructions...

8 2a. Change your Account Password
Good Password Selection Rules Apply
  Do not use words that could be in any dictionary, including common or trendy misspellings of words
  Pick something easy for you to remember, but impossible for others to guess
  Pick something that you can learn to type quickly, using many different fingers
  Combine letters, digits, punctuation symbols and capitalization
  Never use the same password for two different systems, nor for two different accounts
  If you must write your password down, do so away from prying eyes and lock it securely away!
WE'RE SKIPPING THIS STEP TODAY

9 2b. Change your Account Password
Means for changing local passwords vary among systems
  local password on Linux and similar operating systems: passwd
  Kerberos environments (NCSA, PSC): kpasswd
  Systems managed using NIS: yppasswd
See site documentation for correct method
WE'RE SKIPPING THIS STEP TODAY

10 3a. User Certificate Request
For this exercise, we will execute a command-line program to request a new TeraGrid User Certificate from the NCSA CA
TeraGrid User Cert instructions (has links to instructions for all TG sites):
NCSA CA User Cert instructions:

11 3c. User Certificate Request
Execute the NCSA CA User Certificate request script
    > ncsa-cert-request
(use your new password again to authenticate)
[Diagram label: NCSA Kerberos]
STOP and await further instructions...

12 3d. User Certificate Request
When prompted, enter a Pass-phrase for your new certificate (and a second time to verify)
  A Pass-phrase may be a sentence with spaces
  Make it as long as you care to type "in the dark"
  Good password selection rules apply
  Write your pass-phrase down but store it securely!
  Never allow your pass-phrase to be discovered by others - especially since this gets you in to multiple systems...
  If you lose your pass-phrase, it cannot be recovered - you must get a new certificate

13 3e. User Certificate Request
The Certificate request script will place your new user certificate and private key into a .globus directory in your home directory
    > ls -la .globus
    total 24
    drwxr-xr-x 3 train00 train Nov 17 13:45 .
    drwx train00 train Oct 17 20:17 ..
    -r--r--r-- 1 train00 train Nov 17 13:55 usercert.pem
    -r--r--r-- 1 train00 train Nov 17 13:50 usercert_request.pem
    -r train00 train Nov 17 13:50 userkey.pem
Your Pass-phrase protects your private key

14 The ~/.globus directory
The default location where a user’s private key and certificate are installed
The directory in which Globus creates temporary subdirectories and files to handle grid job submission and file transfer
    $ ls -la ~/.globus
    total 24
    drwxr-xr-x 3 train00 train Nov 17 13:45 .
    drwx train00 train Oct 17 20:17 ..
    -r--r--r-- 1 train00 train Nov 17 13:55 usercert.pem
    -r--r--r-- 1 train00 train Nov 17 13:50 usercert_request.pem
    -r train00 train Nov 17 13:50 userkey.pem
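A check of the file modes in the listing above, as an added example that is not part of the original slides: it flags a private key that anyone other than its owner can access and a certificate that group or others can write. The helper names (`check_globus_perms`, `make_sample_globus`) are hypothetical, and the sample files are constructed placeholders; only the file names come from the slide.

```shell
#!/bin/sh
# Added example: audit the modes of the credential files in a .globus directory.
# Helper names are hypothetical; the file names are the ones shown on the slide.

# Print the group+other permission characters (positions 5-10 of the ls mode field).
group_other_bits() {
    ls -ld "$1" | cut -c5-10
}

# check_globus_perms DIR
# Prints one line per finding; returns 0 when there are none, 1 otherwise.
check_globus_perms() {
    dir=$1
    rc=0
    key=$dir/userkey.pem
    cert=$dir/usercert.pem

    if [ ! -f "$key" ]; then
        echo "MISSING $key"; rc=1
    else
        bits=$(group_other_bits "$key")
        # The pass-phrase encrypts the key, but the file should still be owner-only.
        if [ "$bits" != "------" ]; then
            echo "KEY_EXPOSED $key group/other=$bits"; rc=1
        fi
    fi

    if [ ! -f "$cert" ]; then
        echo "MISSING $cert"; rc=1
    else
        bits=$(group_other_bits "$cert")
        # The certificate is public, so reading is fine; writing by others is not.
        case $bits in
            ?w????|????w?) echo "CERT_WRITABLE $cert group/other=$bits"; rc=1 ;;
        esac
    fi
    return $rc
}

# Build a constructed sample directory: make_sample_globus DIR KEYMODE CERTMODE
make_sample_globus() {
    printf 'constructed placeholder, not a real key\n'  > "$1/userkey.pem"
    printf 'constructed placeholder, not a real cert\n' > "$1/usercert.pem"
    chmod "$2" "$1/userkey.pem"
    chmod "$3" "$1/usercert.pem"
}

tmp=$(mktemp -d)
make_sample_globus "$tmp" 644 644      # key deliberately too open
check_globus_perms "$tmp" || true      # reports KEY_EXPOSED
rm -rf "$tmp"
```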

15 3f. User Certificate Request
Examine your new certificate
    > grid-cert-info -subject -startdate -enddate
    /C=US/O=National Center for Supercomputing Applications/CN=Jeffrey Gardner
    Jun 19 21:16: GMT
    Jun 18 21:16: GMT
Your Certificate's Subject is your Certificate DN
DN = Distinguished Name

16 3g. User Certificate Request
Test Globus certificate proxy generation
    > grid-proxy-init -verify -debug
    User Cert File: /home/train00/.globus/usercert.pem
    User Key File: /home/train00/.globus/userkey.pem
    Trusted CA Cert Dir: /etc/grid-security/certificates
    Output File: /tmp/x509up_u500
    Your identity: /C=US/O=National Center for Supercomputing Applications/CN=Training User00
    Enter GRID pass phrase for this identity: (Enter your pass-phrase)
    Creating proxy Done
    Proxy Verify OK
    Your proxy is valid until: Sat Oct 18 08:39:
    > grid-proxy-destroy

17 Congratulations!
You are now “certified” to use the TeraGrid
Your certificate is your encrypted “ID badge” that identifies you to TeraGrid sites.
  Distinguished Name (your unique TeraGrid identity)
  Start date and end date
  X.509 encrypted key
But before it will work, we need to tell TeraGrid sites (including NCSA) to accept it.
  Someday soon this will be done automatically

18 4a. Registering your Distinguished Name in a TeraGrid system grid-mapfile
Every TeraGrid system has /etc/grid-security/grid-mapfile
  This file maps your TeraGrid Distinguished Name to your local userid on that machine
By the end of the summer, generating a new certificate will automatically cause grid-mapfiles on all TeraGrid machines to be updated with your Distinguished Name
But at present, to use a new TeraGrid site, you must place an entry in that site’s grid-mapfile
  TeraGrid sites provide the gx-map command to simplify this registration process for users
  gx-map must be executed once per TeraGrid site accessed

19 4b. Registering your Distinguished Name in the NCSA Globus grid-mapfile
Recall your TeraGrid User Certificate DN (keep this somewhere copy-able)
    > grid-cert-info -subject
    /C=US/O=National Center for Supercomputing Applications/CN=Jeffrey Gardner
(or something like this)
Execute the gx-map command interactively
    > gx-map -interactive
STOP and await further instructions...

20 4c. Registering your Distinguished Name in the NCSA Globus grid-mapfile
    ...
    (a) Add a grid-mapfile entry
    (r) Remove a grid-mapfile entry
    (q) Query a grid-mapfile entry
    (u) Request an update of the grid-mapfiles
    (x) Exit
    What do you want to do? [arqux] a (return)
    What user name do you want to map (default is username) ? (return)
(This prompt may no longer appear)
STOP and await further instructions...

21 4d. Registering your Distinguished Name in the NCSA Globus grid-mapfile
    ...
    (a) Add a grid-mapfile entry
    (r) Remove a grid-mapfile entry
    (q) Query a grid-mapfile entry
    (u) Request an update of the grid-mapfiles
    (x) Exit
    What do you want to do? [arqux] a (return)
STOP and await further instructions...

22 4e. Registering your Distinguished Name in the NCSA Globus grid-mapfile
    You can specify the DN in one of three ways:
    (c) Certificate, extract from /home/gardnerj/.globus/usercert.pem
    (f) File, extract from a specified certificate file
    (i) Input the DN directly
    (x) Exit
    How do you want to specify the DN? [cfix] i (return)
    Enter distinguished name: address ( for none):(return)
STOP and await further instructions...

23 4f. Registering your User Certificate in the NCSA Globus grid-mapfile
Ignore the subsequent prompts - just press (return) until you get to:
    About to map distinguished name
    "/C=US/O=National Center for Supercomputing Applications/CN=Jeffrey Gardner"
    to user gardnerj
    Proceed? [yn] y (return)
    Mapping request submitted.
    The grid-mapfile(s) should be updated in a few minutes
STOP and await further instructions...

24 5a. Registering your Distinguished Name in a TACC grid-mapfile
Recall your TeraGrid User Certificate DN (keep your DN somewhere copy-able)
    > grid-cert-info -subject
    /C=US/O=National Center for Supercomputing Applications/CN=Jeffrey Gardner
(or something like this)
SSH to TACC the old fashioned way
    > ssh
Execute the gx-map command interactively
    > gx-map -interactive
STOP and await further instructions...

25 5b. Registering your Distinguished Name in a TACC grid-mapfile
    ...
    (a) Add a grid-mapfile entry
    (r) Remove a grid-mapfile entry
    (q) Query a grid-mapfile entry
    (u) Request an update of the grid-mapfiles
    (x) Exit
    What do you want to do? [arqux] a (return)
STOP and await further instructions...

26 5c. Registering your Distinguished Name in a TACC grid-mapfile
    You can specify the DN in one of three ways:
    (c) Certificate, extract from /home/gardnerj/.globus/usercert.pem
    (f) File, extract from a specified certificate file
    (i) Input the DN directly
    (x) Exit
    How do you want to specify the DN? [cfix] i (return)
    Enter distinguished name: address ( for none):(return)
STOP and await further instructions...

27 5d. Registering your User Certificate in the TACC Globus grid-mapfile
Ignore the subsequent prompts - just press (return) until you get to:
    About to map distinguished name
    "/C=US/O=National Center for Supercomputing Applications/CN=Jeffrey Gardner"
    to user gardnerj
    Proceed? [yn] y (return)
    Mapping request submitted.
    The grid-mapfile(s) are updated at the beginning of each hour
STOP and await further instructions...

28 5e. Registering your User Certificate in the TACC Globus grid-mapfile
Log out of TACC
    exit
STOP and await further instructions...

29 Authentication Setup Summary
Certificate generation (Step 3) is done only once for the entire TeraGrid!
  Until your certificate expires after 2 years, or you delete your .globus directory

30 Authentication Setup Summary
Updating /etc/grid-security/grid-mapfile (Step 4) is done the first time you use each TeraGrid site.
How this is done depends on the site:
  NCSA, TACC, SDSC, Caltech/CACR, IU, US/ANL: gx-map
  PSC: Edit grid-mapfile directly using webpage

31 6. Verifying your User Certificate in a TeraGrid system Globus grid-mapfile
Login to TeraGrid system
Check that your certificate DN and user account name have been entered into the local host's grid-mapfile
    > grep -i userid /etc/grid-security/grid-mapfile
    "/C=US/O=National Center for Supercomputing Applications/CN=Jeff Gardner" gardnerj
STOP and await further instructions...
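The grep above matches any line that contains the userid, so it can also return another user's entry. The following added example (not part of the original slides) compares the quoted DN exactly and then checks the mapped account; the function names and the sample grid-mapfile are constructed, and the comma-separated account list is the grid-mapfile form assumed here.

```shell
#!/bin/sh
# Added example: exact-match lookup in a grid-mapfile ("DN" localuser[,localuser...]).
# Function names and the sample file are constructed for illustration.

# gridmap_lookup FILE DN: print the account field of every entry whose quoted
# DN equals DN exactly. Returns 0 if at least one entry matched, else 1.
gridmap_lookup() {
    DN_WANTED=$2 awk '
        /^[ \t]*#/ { next }                          # comment line
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (substr(line, 1, 1) != "\"") next     # DN must be quoted
            rest = substr(line, 2)
            q = index(rest, "\"")                    # closing quote
            if (q == 0) next
            dn = substr(rest, 1, q - 1)
            users = substr(rest, q + 1)
            gsub(/[ \t\r]/, "", users)
            if (dn == ENVIRON["DN_WANTED"] && users != "") { print users; hit = 1 }
        }
        END { exit(hit ? 0 : 1) }
    ' "$1"
}

# gridmap_check FILE DN USER: succeed only if DN is mapped to USER.
gridmap_check() {
    mapped=$(gridmap_lookup "$1" "$2") || return 1
    for u in $(printf '%s\n' "$mapped" | tr ',' ' '); do
        if [ "$u" = "$3" ]; then return 0; fi
    done
    return 1
}

# Constructed sample: the second DN merely starts with the first one, and its
# account name contains "gardnerj", so a substring grep would match both lines.
write_sample_gridmap() {
    cat > "$1" <<'EOF'
# constructed sample grid-mapfile
"/C=US/O=National Center for Supercomputing Applications/CN=Jeff Gardner" gardnerj
"/C=US/O=National Center for Supercomputing Applications/CN=Jeff Gardner Jr" gardnerj2
"/C=US/O=Example Org/CN=Training User00" train00,train
EOF
}

f=$(mktemp)
write_sample_gridmap "$f"
gridmap_check "$f" "/C=US/O=National Center for Supercomputing Applications/CN=Jeff Gardner" gardnerj \
    && echo "mapping present"
rm -f "$f"
```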

32 Questions
Phew! Any Questions regarding TeraGrid User Certificates and Authentication?

33 Links
Obtaining TeraGrid User Certificates
TeraGrid Certificate and DN setup
TeraGrid Proxy setup
TeraGrid User Guide