Hands on Security, Authentication and Authorization Virginia Martín-Rubio Pascual RedIRIS/Red.es Curso Grid y e-Ciencia.


1 Hands on Security, Authentication and Authorization
Virginia Martín-Rubio Pascual, virginia.martinrubio@rediris.es, RedIRIS/Red.es
Curso Grid y e-Ciencia 2010, Valencia, 6-9 July 2010

2 UI access
    SERVER:     cg02.ific.uv.es (SL5), cg01.ific.uv.es (SL4)
    USERNAME:   tutXX
    PASSWORD:   ngiXX
    PASSPHRASE: ngi1234
    where XX = 01…24

3 Authentication and Authorization: Locate your personal certificate
.globus is the directory that contains your certificate as two separate files (public certificate and private key). You need them for authenticated connections to all the other Grid elements. Check the permissions: you will not be able to create a proxy if they are wrong.
    [tut25@cg02 ~]$ ls -l .globus/
    total 16
    -r--r--r-- 1 tut25 tut25 3021 Jun 15 09:42 usercert.pem
    -r-------- 1 tut25 tut25  963 Jun 15 09:42 userkey.pem
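The permission check above is easy to get wrong by eye, so here is an added example (not from the tutorial) that automates it: it reads the permission string of userkey.pem and usercert.pem with ls and accepts only owner-readable private keys and certificates that nobody else can write. The directory is passed as an argument so the check can run against any .globus-style directory; the function names are the author's own and are not part of the Globus tools.

```sh
#!/bin/sh
# Added example: verify that the files in a .globus directory carry the
# permissions that grid-proxy-init / voms-proxy-init expect.

# Print the 9-character permission string of a file (e.g. r--------).
perm_string() {
    ls -ld "$1" | cut -c2-10
}

# The private key must be readable only by its owner (r-------- or rw-------).
# Returns 0 when acceptable, 1 otherwise.
check_userkey() {
    f="$1"
    [ -f "$f" ] || { echo "missing private key: $f" >&2; return 1; }
    case "$(perm_string "$f")" in
        r--------|rw-------) return 0 ;;
        *) echo "bad permissions on $f: $(perm_string "$f") (expected r-------- or rw-------)" >&2
           return 1 ;;
    esac
}

# The public certificate may be world-readable but must not be writable by
# group or others. Returns 0 when acceptable, 1 otherwise.
check_usercert() {
    f="$1"
    [ -f "$f" ] || { echo "missing certificate: $f" >&2; return 1; }
    case "$(perm_string "$f")" in
        r--------|rw-------|r--r--r--|rw-r--r--) return 0 ;;
        *) echo "bad permissions on $f: $(perm_string "$f")" >&2
           return 1 ;;
    esac
}

# Run both checks against a directory (default: ~/.globus).
# The exit status is the number of failed checks, so 0 means all good.
check_globus_dir() {
    dir="${1:-$HOME/.globus}"
    failures=0
    check_userkey  "$dir/userkey.pem"  || failures=$((failures + 1))
    check_usercert "$dir/usercert.pem" || failures=$((failures + 1))
    return "$failures"
}
```

Run it as `check_globus_dir` on the UI before voms-proxy-init; a non-zero exit status tells you which file to chmod (400 for the key, 444 for the certificate) before you retry.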

4 Authentication and Authorization: Look inside your certificate with grid-cert-info
    [tut25@cg02 ~]$ grid-cert-info
    Certificate:
        Data:
            …
            Issuer: C=ES, O=IFCA, CN=IFCA Formacion Grid CA
            Validity
                Not Before: May 28 00:00:00 2010 GMT
                Not After : Jul 12 00:00:00 2010 GMT
            Subject: C=ES, O=IFCA, CN=tut25
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (1024 bit)
                    Modulus (1024 bit):
                        00:aa:…:72:81
                    Exponent: 65537 (0x10001)
            …
Important information:
    - Creation and expiration date
    - Name and subject of the CA
    - Common Name (CN) of the certificate owner
    - Certificate subject

5 Authentication and Authorization: Creation of a proxy with VOMS extensions (a VOMS proxy)
This step is comparable to a login on the Grid: voms-proxy-init --voms vo.formacion.es-ngi.eu
    [tut25@cg02 ~]$ voms-proxy-init --voms vo.formacion.es-ngi.eu
    Cannot find file or dir: /home/tut25/.glite/vomses
    Enter GRID pass phrase:
    Your identity: /C=ES/O=IFCA/CN=tut25
    Creating temporary proxy............................. Done
    Contacting voms01.ifca.es:15004 [/DC=es/DC=irisgrid/O=ifca/CN=host/voms01.ifca.es] "vo.formacion.es-ngi.eu" Done
    Creating proxy.................................. Done
    Your proxy is valid until Mon Jul 5 23:10:44 2010

6 Authentication and Authorization: Check VOMS proxy information with voms-proxy-info -all
The output shows two different lifetimes: the first one is the proxy certificate's lifetime, the second one is for the AC (attribute certificate) information added by the VOMS server. The proxy certificate has a lifetime of 12 hours.
    [tut25@cg02 ~]$ voms-proxy-info -all
    subject   : /C=ES/O=IFCA/CN=tut25/CN=proxy
    issuer    : /C=ES/O=IFCA/CN=tut25
    identity  : /C=ES/O=IFCA/CN=tut25
    type      : proxy
    strength  : 1024 bits
    path      : /tmp/x509up_u5733
    timeleft  : 11:58:55
    === VO vo.formacion.es-ngi.eu extension information ===
    VO        : vo.formacion.es-ngi.eu
    subject   : /C=ES/O=IFCA/CN=tut25
    issuer    : /DC=es/DC=irisgrid/O=ifca/CN=host/voms01.ifca.es
    attribute : /vo.formacion.es-ngi.eu/Role=NULL/Capability=NULL
    timeleft  : 11:58:55
    uri       : voms01.ifca.es:15004

7 Authentication and Authorization: Grid logout
To delete the VOMS proxy: voms-proxy-destroy

8 MyProxy use, Creation: Register a long-lived proxy in the MyProxy server (gridpx01.ifca.es) with myproxy-init
The -s option allows you to specify the name of the myproxy server you want to contact. Without this option the name of the myproxy server is taken from the environment variable MYPROXY_SERVER.
The -d option allows you to create and store a long-term proxy under your DN. Without this option, the name of the stored proxy is the same as your username on the local machine.
The -l option allows you to create and store a long-term proxy under a name specified by the user. Each user can create and store several proxies in a myproxy server, but each remote proxy is linked to the specified username.
The -c option allows you to specify the myproxy lifetime (in hours).
    myproxy-init -s gridpx01.ifca.es -d -l tut25 -c 48

9 MyProxy use, Creation
    [tut25@cg02 ~]$ myproxy-init -s gridpx01.ifca.es -d -l tut25 -c 48
    Your identity: /C=ES/O=IFCA/CN=tut25
    Enter GRID pass phrase for this identity:
    Creating proxy............................... Done
    Proxy Verify OK
    Your proxy is valid until: Wed Jul 7 15:15:19 2010
    Enter MyProxy pass phrase:
    Verifying - Enter MyProxy pass phrase:
    A proxy valid for 48 hours (2.0 days) for user tut25 now exists on gridpx01.ifca.es.

10 MyProxy use, Information: Gather information about the proxy certificate stored in the myproxy server
If there is no local proxy in your UI, you cannot authenticate to the myproxy server. So you either have to delegate a proxy certificate from the myproxy server (myproxy-get-delegation, with VOMS extensions, similar to voms-proxy-init, or without VOMS extensions, similar to grid-proxy-init) or create a local proxy certificate. After that you can get information about the proxy certificate stored in the myproxy server:

11 MyProxy use, Information
    [tut25@cg02 ~]$ myproxy-info -s gridpx01.ifca.es -d
    username: tut25
    owner: /C=ES/O=IFCA/CN=tut25
    timeleft: 47:59:52 (2.0 days)
If the credentials have been initialized with -d or -s, you also have to specify it when using myproxy-info. If the credentials have been initialized with -l, you also have to specify it when using myproxy-info:
    [tut25@cg02 ~]$ myproxy-info -s gridpx01.ifca.es -d -l tut25
    username: tut25
    owner: /C=ES/O=IFCA/CN=tut25
    timeleft: 47:58:04 (2.0 days)
The username of the proxy is very important, because it is what identifies it and distinguishes it from the other proxies that you can have stored in your local machine.

12 MyProxy use, Delegation: Proxy certificate delegation from the myproxy server
It allows you to get a proxy certificate from the myproxy server to your local machine. First of all, we have to destroy the proxy certificates that we have created and verify that no proxy exists any more:
    [tut25@cg02 ~]$ voms-proxy-destroy
    [tut25@cg02 ~]$ voms-proxy-info
    Couldn't find a valid proxy.
Now we can delegate the proxy certificate from the myproxy server: myproxy-get-delegation
The -d option allows us to create and store the delegated proxy certificate with our DN as subject. Without this option, the name of the local proxy is the same as your username on the local machine.
The --voms option allows us to add VOMS extensions for a specific VO.

13 MyProxy use, Delegation
    [tut25@cg02 ~]$ myproxy-get-delegation -l tut25 --voms vo.formacion.es-ngi.eu
    Enter MyProxy pass phrase:
    Cannot find file or dir: /home/tut25/.glite/vomses
    Your identity: /C=ES/O=IFCA/CN=tut25/CN=proxy/CN=proxy/CN=proxy
    Creating temporary proxy............................................................................. Done
    Contacting voms01.ifca.es:15004 [/DC=es/DC=irisgrid/O=ifca/CN=host/voms01.ifca.es] "vo.formacion.es-ngi.eu" Done
    Creating proxy..................................................................................... Done
    Your proxy is valid until Tue Jul 6 03:07:10 2010
    A credential has been received for user tut25 in /tmp/x509up_u5733.
Verify now that the user has a local proxy: voms-proxy-info -all

14 MyProxy use, Delegation
    [tut25@cg02 ~]$ voms-proxy-info -all
    subject   : /C=ES/O=IFCA/CN=tut25/CN=proxy/CN=proxy/CN=proxy/CN=proxy
    issuer    : /C=ES/O=IFCA/CN=tut25/CN=proxy/CN=proxy/CN=proxy
    identity  : /C=ES/O=IFCA/CN=tut25/CN=proxy/CN=proxy/CN=proxy
    type      : proxy
    strength  : 1024 bits
    path      : /tmp/x509up_u5733
    timeleft  : 11:57:53
    === VO vo.formacion.es-ngi.eu extension information ===
    VO        : vo.formacion.es-ngi.eu
    subject   : /C=ES/O=IFCA/CN=tut25
    issuer    : /DC=es/DC=irisgrid/O=ifca/CN=host/voms01.ifca.es
    attribute : /vo.formacion.es-ngi.eu/Role=NULL/Capability=NULL
    timeleft  : 11:57:53
    uri       : voms01.ifca.es:15004
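Slides 6, 11 and 14 all print a "timeleft" value, and slide 6 points out that voms-proxy-info reports two of them (the proxy certificate and the VOMS AC) which need not agree. The following added example (not from the tutorial, and not a VOMS or MyProxy tool) parses those fields from saved voms-proxy-info -all or myproxy-info output, converts them to seconds and checks that the shortest remaining lifetime still covers a job you are about to submit. The sample output inside it is constructed to resemble the slides, with the AC deliberately given a shorter lifetime than the proxy to show why the minimum matters; the function names are the author's own.

```sh
#!/bin/sh
# Added example: parse "timeleft" fields from voms-proxy-info / myproxy-info
# output saved to a file, and check the shortest one against a threshold.

# Convert H:MM:SS to seconds. Hours may exceed 24 (myproxy-info prints 47:59:52).
hms_to_seconds() {
    echo "$1" | awk -F: '{ s = $1 * 3600 + $2 * 60 + $3; print s }'
}

# Print every timeleft value in the given file, one per line, in seconds.
# voms-proxy-info prints "timeleft  : 11:58:55"; myproxy-info prints
# "timeleft: 47:59:52 (2.0 days)". Both forms match; the trailing
# "(2.0 days)" is ignored because only the first field is split.
timeleft_seconds() {
    awk '/^[ \t]*timeleft[ \t]*:/ {
             sub(/^[ \t]*timeleft[ \t]*:[ \t]*/, "")
             split($1, t, ":")
             s = t[1] * 3600 + t[2] * 60 + t[3]
             print s
         }' "$1"
}

# Return 0 if the shortest lifetime found (proxy certificate or VOMS AC,
# whichever expires first) is at least MIN seconds, 1 otherwise.
# A file with no timeleft line at all (e.g. "Couldn't find a valid proxy.")
# also fails, since there is no usable credential.
proxy_has_lifetime() {
    file="$1"
    min="$2"
    shortest=$(timeleft_seconds "$file" | sort -n | head -n 1)
    [ -n "$shortest" ] || { echo "no timeleft field found (no valid proxy?)" >&2; return 1; }
    if [ "$shortest" -ge "$min" ]; then
        return 0
    fi
    echo "credential expires in ${shortest}s, need ${min}s" >&2
    return 1
}

# Write a constructed voms-proxy-info -all sample (modelled on the slides,
# with the AC lifetime shortened on purpose) to the given path.
write_sample() {
    cat > "$1" <<'EOF'
subject   : /C=ES/O=IFCA/CN=tut25/CN=proxy
issuer    : /C=ES/O=IFCA/CN=tut25
type      : proxy
timeleft  : 11:58:55
=== VO vo.formacion.es-ngi.eu extension information ===
VO        : vo.formacion.es-ngi.eu
attribute : /vo.formacion.es-ngi.eu/Role=NULL/Capability=NULL
timeleft  : 0:45:10
EOF
}
```

In practice you would feed it live output, e.g. `voms-proxy-info -all > /tmp/pi.txt; proxy_has_lifetime /tmp/pi.txt 3600 || voms-proxy-init --voms vo.formacion.es-ngi.eu`, so a job is never submitted with an AC that will expire before the job finishes. The same function works on saved myproxy-info output to decide whether the remote credential needs a fresh myproxy-init.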

15 MyProxy use, Destruction: Remote proxy destruction (in the myproxy server)
    [tut25@cg02 ~]$ myproxy-destroy -s gridpx01.ifca.es -l tut25
    Default MyProxy credential for user tut25 was successfully removed
Check your remote proxy:
    [tut25@cg02 ~]$ myproxy-info -s gridpx01.ifca.es
    ERROR from myproxy-server (gridpx01.ifca.es): no credentials found for user tut25, owner "/C=ES/O=IFCA/CN=tut25"

16 Thanks for your attention! Questions?

