www.eu-eela.org. E-infrastructure shared between Europe and Latin America. Security Hands-on, Alexandre Duarte (CERN), Fifth EELA Tutorial, Santiago, 06/09-07/09, 2006.

Presentation transcript:

Slide 1: Security Hands-on (Alexandre Duarte, CERN)

Slide 2: Overview

- Accessing the UI
- Private and public keys
- VOMS
  – voms-proxy-init
  – voms-proxy-info
- MyProxy
  – myproxy-init
  – myproxy-info
  – myproxy-get-delegation
  – myproxy-destroy

Slide 3: Preliminary: the .globus directory

The .globus directory contains your personal public / private keys. Pay attention to the permissions:
  – userkey.pem contains your private key and must be readable only by yourself (400)
  – usercert.pem contains your public key, which should be readable also from outside (644)

    [lxplus059] ~ > ls -al .globus/u*
    -rw-r--r-- 1 aduarte cg 1604 Jun 8 16:50 .globus/usercert.pem
    -r-------- 1 aduarte cg  963 Jun 8 17:12 .globus/userkey.pem
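The permission rule on this slide is easy to get wrong after copying a certificate between machines, so here is a small check script. It is an added example, not part of the tutorial: the function names are mine, the expected values 400 and 644 are the slide's, and the check accepts any mode with the same group/other bits (so a 600 key also passes, since it is still owner-only).

```shell
#!/bin/sh
# Added example, not from the EELA tutorial: verify the permissions the slide
# asks for on the files in .globus.
# Usage: check_globus_perms [DIR]   (DIR defaults to $HOME/.globus)

# Print a file's mode as octal digits; handles GNU stat and BSD stat.
perm_of() {
    if stat -c '%a' "$1" >/dev/null 2>&1; then
        stat -c '%a' "$1"
    else
        stat -f '%Lp' "$1"
    fi
}

# Return 0 when both files carry acceptable permissions, 1 otherwise.
check_globus_perms() {
    dir=${1:-$HOME/.globus}
    key="$dir/userkey.pem"
    cert="$dir/usercert.pem"
    rc=0

    for f in "$key" "$cert"; do
        if [ ! -f "$f" ]; then
            echo "MISSING: $f"
            return 1
        fi
    done

    # Private key: the tutorial uses 400. Any group or other bit set (mask 077)
    # means someone else can read or write the key, which the grid tools reject.
    kp=$(perm_of "$key")
    if [ $(( 0$kp & 077 )) -eq 0 ]; then
        echo "OK:  userkey.pem mode $kp (owner only)"
    else
        echo "BAD: userkey.pem mode $kp, expected 400 (no group/other access)"
        rc=1
    fi

    # Public certificate: the tutorial uses 644. Others may read it (mask 004
    # must be set) but must never be able to write it (mask 022 must be clear).
    cp=$(perm_of "$cert")
    if [ $(( 0$cp & 022 )) -eq 0 ] && [ $(( 0$cp & 004 )) -ne 0 ]; then
        echo "OK:  usercert.pem mode $cp (readable by others, not writable)"
    else
        echo "BAD: usercert.pem mode $cp, expected 644"
        rc=1
    fi
    return "$rc"
}

# Run against a directory only when invoked as: sh check.sh --check [DIR]
if [ "${1:-}" = "--check" ]; then
    check_globus_perms "${2:-}"
fi
```

The leading 0 in `0$kp` makes the shell treat the mode as octal, so the masks 077, 022 and 004 correspond to the group/other, group/other-write and other-read bits respectively.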

Slide 4: glite-voms-proxy-init: options

Main options of glite-voms-proxy-init --voms:

  -help, -usage   Displays usage
  -version        Displays version
  -debug          Enables extra debug output
  -quiet, -q      Quiet mode, minimal output
  -verify         Verifies the certificate to make the proxy for
  -pwstdin        Allows the passphrase from stdin
  -limited        Creates a limited proxy
  -valid          Proxy is valid for h hours and m minutes (default 12:00)
  -hours H        Proxy is valid for H hours (default: 12)
  -bits           Number of bits in the key {512|1024|2048|4096}
  -cert           Non-standard location of the user certificate
  -key            Non-standard location of the user key
  -certdir        Non-standard location of the trusted cert dir
  -out            Non-standard location of the new proxy cert
  -voms           Specify the voms server; :command is optional
  -order          Specify the ordering of attributes
  -vomslife       Try to get a VOMS pseudocert valid for h hours and m minutes (default: the value of -valid)
  -include        Include the contents of the specified files
  -confile        Non-standard location of the voms server addresses
  -vomses         Non-standard location of the configuration files

Slide 5: Verify your credentials

Exercise 1: create a VOMS proxy requesting your group membership (all of you belong to the generic-users group); then verify the obtained credentials with:

    glite-voms-proxy-info

Main options:
  -all    prints all proxy options
  -file   specifies a different location of the proxy file

Slide 6: glite-voms-proxy-init

    [lxplus059] ~ > glite-voms-proxy-init --voms dteam
    Cannot find file or dir: /afs/cern.ch/user/a/aduarte/.glite/vomses
    Your identity: /C=CH/O=CERN/OU=GRID/CN=Alexandre Duarte 8026
    Enter GRID pass phrase:
    Creating temporary proxy Done
    Contacting lcg-voms.cern.ch:15004 [/C=CH/O=CERN/OU=GRID/CN=host/lcg-voms.cern.ch] "dteam" Done
    Creating proxy Done
    Your proxy is valid until Thu Sep 7 06:37:

The same command for the gilda VO:

    glite-voms-proxy-init --voms gilda

Slide 7: VOMS proxy info

    [lxplus059] ~ > glite-voms-proxy-info --all
    subject   : /C=CH/O=CERN/OU=GRID/CN=Alexandre Duarte 8026/CN=proxy
    issuer    : /C=CH/O=CERN/OU=GRID/CN=Alexandre Duarte 8026
    identity  : /C=CH/O=CERN/OU=GRID/CN=Alexandre Duarte 8026
    type      : proxy
    strength  : 512 bits
    path      : /tmp/x509up_u2913
    timeleft  : 11:58:53
    === VO dteam extension information ===
    VO        : dteam
    subject   : /C=CH/O=CERN/OU=GRID/CN=Alexandre Duarte 8026
    issuer    : /C=CH/O=CERN/OU=GRID/CN=host/lcg-voms.cern.ch
    attribute : /dteam/Role=NULL/Capability=NULL
    timeleft  : 11:58:52

The first block shows the standard Globus attributes of the proxy; the block after the "=== VO dteam extension information ===" line shows the VOMS extensions.

Slide 8: Long term proxy: MyProxy

myproxy server:
  – myproxy-init: allows you to create and store a long term proxy certificate
  – myproxy-info: gets information about a stored long living proxy
  – myproxy-get-delegation: gets a new proxy from the MyProxy server
  – myproxy-destroy

Check them out with the myproxy-xxx --help option.
A dedicated service on the RB can renew the proxy automatically by contacting the myproxy server.

Slide 9: myproxy-init

    [lxplus059] ~ > myproxy-init
    Your identity: /C=CH/O=CERN/OU=GRID/CN=Alexandre Duarte 8026
    Enter GRID pass phrase for this identity:
    Creating proxy Done
    Proxy Verify OK
    Your proxy is valid until: Wed Sep 13 18:40:
    Enter MyProxy pass phrase:
    Verifying password - Enter MyProxy pass phrase:
    A proxy valid for 168 hours (7.0 days) for user aduarte now exists on myproxy.cern.ch.

Principal options:
  -c hours   specifies the lifetime of the stored credentials
  -t hours   specifies the maximum lifetime of the retrieved credentials
  -s         specifies the myproxy server used to store the credentials
  -d         stores the credential under the distinguished name in the proxy instead of the user name (mandatory for some data management services and for proxy renewal)

For proxy renewal it is also mandatory to use -n (no passphrase). You also have to specify the subject of the principals that can renew a delegation (-R subject, or -A for any principal).

Slide 10: myproxy-info

Useful to retrieve information on stored credentials. Local credentials are needed to perform it. If the credentials have been initialized with the -d switch, you also have to specify the same option here.

    [lxplus059] ~ > myproxy-info -s myproxy.cern.ch -v
    Socket bound to port
    server name: /C=CH/O=CERN/OU=GRID/CN=host/prod-px.cern.ch
    checking if server name matches
    server name does not match
    checking if server name matches
    server name accepted
    username: aduarte
    owner: /C=CH/O=CERN/OU=GRID/CN=Alexandre Duarte 8026
    timeleft: 167:57:48 (7.0 days)

The same command against the GILDA server:

    myproxy-info -s grid001.ct.infn.it -v

Slide 11: myproxy-get-delegation

This command is used to retrieve a delegation from a long lived proxy stored on a myproxy server. It is independent of the machine: you do not need to have your certificate on board. If the credentials have been initialized with the -d switch, you have to specify it also in the myproxy-get-delegation request.

    [mexicocity14]$ myproxy-get-delegation -s grid001.ct.infn.it
    Enter MyProxy pass phrase:
    A proxy has been received for user mexicocity14 in /tmp/x509up_u513

Slide 12: myproxy-destroy

Deletes, if they exist, the long lived credentials on the specified myproxy server. To specify the myproxy server, use the -s switch.

    [mexicocity14]$ myproxy-get-delegation -s grid001.ct.infn.it
    Enter MyProxy pass phrase:
    A proxy has been received for user mexicocity14 in /tmp/x509up_u513
    [mexicocity14]$ myproxy-destroy -s grid001.ct.infn.it
    Default MyProxy credential for user mexicocity14 was successfully removed.

Slide 13: Exercise 2

  – Create a myproxy on the server grid001.ct.infn.it
  – Check the information on the created proxy
  – Create a myproxy with the -d option
  – Check the new proxy
  – Which differences do you note?
  – Destroy both proxies

Slide 14: Storing long lived VOMS proxies

- myproxy does not natively support VOMS.
- To allow VOMS extensions to be stored, the myproxy client has been modified: the ability to choose the VO and group/roles has been added, while all the previous options have been kept.
- Proxies retrieved with myproxy-get-delegation will have the requested VOMS extension, but there is a limitation due to the VOMS extension lifetime: it is typically limited, and it is not renewed when performing myproxy-get-delegation.
- Solutions to extend VOMS extension renewal in get-delegation are being studied.
- The "modified" client is available only on GILDA UIs; it will be widely deployed once the above issues are solved.

    myproxy-init --voms gilda

Slide 15: VOMS extension on a delegated proxy

    [ui-test] /home/giorgio > myproxy-get-delegation -s grid001.ct.infn.it
    Enter MyProxy pass phrase:
    A proxy has been received for user giorgio in /tmp/x509up_u500
    [ui-test] /home/giorgio > voms-proxy-info -all
    subject   : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio
    issuer    : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio
    identity  : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio
    type      : unknown
    strength  : 512 bits
    path      : /tmp/x509up_u500
    timeleft  : 12:00:09
    === VO gilda extension information ===
    VO        : gilda
    subject   : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio
    issuer    : /C=IT/O=GILDA/OU=Host/L=INFN
    attribute : /gilda/Role=NULL/Capability=NULL
    attribute : /gilda/tutors/Role=NULL/Capability=NULL
    timeleft  : 23:59:57

The last timeleft line is the lifetime of the VOMS extension.
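The outputs on slide 7 and on this slide show that the proxy and its VOMS extension carry separate timeleft values, and slide 14 explains that the extension is not renewed by myproxy-get-delegation. The script below is an added example, not part of the tutorial: it reads the text that voms-proxy-info --all prints and reports the effective lifetime of the credential as the shortest timeleft found, together with the key size. The two sample outputs are constructed from the slides' values (sample B is altered so that the extension expires first); the thresholds MIN_SECONDS and MIN_BITS and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the EELA tutorial: evaluate a VOMS proxy from the
# output of "voms-proxy-info --all". Samples are constructed from the slides.

# Constructed sample modelled on slide 15: the VOMS extension outlives the proxy.
SAMPLE_A='subject   : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio
issuer    : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio
identity  : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio
type      : unknown
strength  : 512 bits
path      : /tmp/x509up_u500
timeleft  : 12:00:09
=== VO gilda extension information ===
VO        : gilda
subject   : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio
issuer    : /C=IT/O=GILDA/OU=Host/L=INFN
attribute : /gilda/Role=NULL/Capability=NULL
attribute : /gilda/tutors/Role=NULL/Capability=NULL
timeleft  : 23:59:57'

# Constructed sample (values altered from slide 7): the VOMS extension expires
# long before the proxy, the situation slide 14 warns about after get-delegation.
SAMPLE_B='subject   : /C=CH/O=CERN/OU=GRID/CN=Alexandre Duarte 8026/CN=proxy
type      : proxy
strength  : 1024 bits
timeleft  : 11:58:53
=== VO dteam extension information ===
VO        : dteam
attribute : /dteam/Role=NULL/Capability=NULL
timeleft  : 00:10:00'

# Print the effective lifetime in seconds: the smallest "timeleft" in the
# output. Once the VOMS extension has expired the proxy no longer carries
# the group/role attributes that services authorise on. Prints -1 if none.
effective_lifetime() {
    awk '
        function secs(t,  p) { split(t, p, ":"); return p[1]*3600 + p[2]*60 + p[3] }
        $1 == "timeleft" { s = secs($3); if (min == "" || s < min) min = s }
        END { print (min == "" ? -1 : min) }'
}

# Print the RSA key size of the proxy ("strength  : 512 bits" -> 512).
key_strength() { awk '$1 == "strength" { print $3; exit }'; }

# One line per block with its timeleft, so the reader sees which part expires
# first. The proxy block comes before any "VO" line, so it is labelled "proxy".
lifetime_report() {
    awk '
        function secs(t,  p) { split(t, p, ":"); return p[1]*3600 + p[2]*60 + p[3] }
        BEGIN { name = "proxy" }
        $1 == "VO"       { name = "vo " $3 }
        $1 == "timeleft" { printf "%s: %d s\n", name, secs($3) }'
}

# Assumed policy values, not from the tutorial: at least one hour of usable
# lifetime and a key of at least 1024 bits (512-bit RSA is factorable today).
MIN_SECONDS=${MIN_SECONDS:-3600}
MIN_BITS=${MIN_BITS:-1024}

# check_proxy < info : return 0 if the proxy meets both thresholds, 1 otherwise.
check_proxy() {
    info=$(cat)
    left=$(printf '%s\n' "$info" | effective_lifetime)
    bits=$(printf '%s\n' "$info" | key_strength)
    rc=0
    if [ "$left" -lt "$MIN_SECONDS" ]; then
        echo "WARN: effective lifetime ${left}s is below ${MIN_SECONDS}s"
        rc=1
    fi
    if [ -z "$bits" ] || [ "$bits" -lt "$MIN_BITS" ]; then
        echo "WARN: key strength ${bits:-unknown} bits is below ${MIN_BITS}"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: ${left}s left, ${bits}-bit key"
    return "$rc"
}

# Demonstration on the constructed samples (both are expected to warn).
printf '%s\n' "$SAMPLE_A" | lifetime_report
printf '%s\n' "$SAMPLE_A" | check_proxy || true
printf '%s\n' "$SAMPLE_B" | lifetime_report
printf '%s\n' "$SAMPLE_B" | check_proxy || true
```

To check a real proxy, pipe the command into the function: `voms-proxy-info --all | check_proxy`. Sample A is rejected only because of its key size: the slides' proxies were created with 512-bit keys, the smallest value the -bits option accepts, which is short for a credential that is going to sit on a MyProxy server for a week. Sample B has a strong enough key but only ten minutes of VOMS attributes left, which is the case a job submitted with it would fail on.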

Slide 16: Questions