Published by Lesley Oliver. Modified over 8 years ago.
Slide 1: Authenticated Grid access with robot certificates

Giuseppe La Rocca, INFN Catania, giuseppe.larocca@ct.infn.it
Tutorial on "GRID Computing", EMBnet Conference 2008, CNR - ITB
http://www.libi.it
Slide 2: Private and Public keys
Tutorial on "GRID Computing", EMBnet Conference 2008, 17 September 2008

Grid security is based on the concept of public key encryption. Each user (or other entity, like a server) has a private key, generated randomly.
– The private key must therefore be kept totally secure; if someone can steal it they can impersonate the owner completely.
Each private key is mathematically related to another number called the public key.
– As the name suggests, this can be known to everyone.
– Formally it is possible to calculate the private key from the public key, but in practice such a calculation is expected to take an unfeasibly long time (the time grows exponentially with the size of the keys).
Slide 3: Encryption

The keys are used with an encryption algorithm, i.e. a mathematical function which can be applied to any data to produce a coded version of the data.
– The algorithm has the property that data encrypted using the private key can be decrypted with the public key, and vice versa.

                        Advantage(s)                                    Disadvantage(s)
Symmetric algorithms    Fast                                            The secret key has to be exchanged with all the entities
Asymmetric algorithms   No need to exchange keys between the entities;  Slow
                        more secure
Slide 4: Certificates

To be useful, the public key has to be connected to some information about who the entity is. This is stored in a specific format known as an X.509 certificate.
An X.509 certificate contains:
– owner's public key;
– identity of the owner;
– info on the CA;
– time of validity;
– serial number;
– digital signature of the CA.

Example certificate shown on the slide:
Public key
Subject: C=CH, O=CERN, OU=GRID, CN=Andrea Sciaba 8968
Issuer: C=CH, O=CERN, OU=GRID, CN=CERN CA
Expiration date: Aug 26 08:08:14 2005 GMT
Serial number: 625 (0x271)
CA Digital signature
Slide 5: Certification Authorities

Certificates are issued by a Certification Authority (CA).
How to obtain a certificate (the flow shown on the slide):
– The user wants to get a certificate.
– The user meets the RA (Registration Authority), which verifies the user's identity.
– The RA provides the user with a key to be used in the registration form to obtain a personal user certificate.
Slide 6: Proxies

To interact directly with a remote service, a certificate can be used to prove identity.
– However, in the Grid world it is often necessary for a remote service to act on a user's behalf (e.g. a job running on a remote site needs to be able to talk to other servers to transfer files).
– The solution is to use a proxy.
To make a proxy, a new public/private key pair is created; the resulting proxy has a subject such as:
/C=UK/O=eScience/OU=CLRC/L=RAL/CN=john smith/CN=proxy
Proxies normally have a rather short lifetime, typically 12 hours.
A proxy placed in /tmp must be readable only by the owner.

Diagram on the slide: user certificate file + private key (encrypted) + pass phrase -> user proxy certificate file.
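The script below is an added example, not code from the tutorial or from any grid middleware (mkproxy, voms-proxy-init). Using only openssl, it walks through what the Certificates and Proxies slides describe: a CA issues a user certificate (public key, identity, validity, serial number, CA signature); from the user's pass-phrase-protected key a proxy is derived with a fresh key pair, the user's subject plus /CN=proxy, a short lifetime and an RFC 3820 proxyCertInfo extension carrying a path length (the same idea as mkproxy's --path-length); a relying party then verifies the chain proxy -> user -> CA, and the owner-only permission the Proxies slide requires is checked. The CA name, user DN and pass phrase are constructed for the demo, and 2048-bit keys are used instead of the 512-bit keys seen in the 2008 output.

```shell
#!/bin/sh
# Added example, not code from the tutorial or from any grid middleware:
# a throw-away CA issues a user certificate, the user derives a proxy from
# it, and a relying party verifies the chain. Every name, DN and pass phrase
# is constructed for the demo; 2048-bit keys replace the 512-bit ones of 2008.
set -eu
umask 077                                   # every file written here is owner-only

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CONF="$WORK/openssl.cnf"
PASS="demo-pass-phrase"                     # stands in for the user's GRID pass phrase
PROXY="$WORK/x509up_u$(id -u)"              # the real tools write /tmp/x509up_u<uid>

# Minimal config so the example does not depend on the system openssl.cnf
cat > "$CONF" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ user_ext ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
[ proxy_ext ]
# RFC 3820 proxyCertInfo: inherit the issuer's rights; at most two further
# proxies may be derived below this one (mkproxy's --path-length default)
proxyCertInfo = critical,language:id-ppl-inheritAll,pathlen:2
EOF

# Certification Authority: self-signed and marked CA:TRUE
make_ca() {
    openssl req -config "$CONF" -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/C=IT/O=GILDA/CN=Example CA" -extensions ca_ext \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# User certificate: the private key is encrypted under the pass phrase and
# the certificate (public key + identity + validity + serial) is signed by the CA
make_user_cert() {
    openssl req -config "$CONF" -new -newkey rsa:2048 -passout "pass:$PASS" \
        -subj "/C=IT/O=GILDA/OU=Personal Certificate/CN=Example User" \
        -keyout "$WORK/user.key" -out "$WORK/user.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/user.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 365 -extfile "$CONF" -extensions user_ext \
        -out "$WORK/user.pem" 2>/dev/null
}

# Proxy: a fresh key pair (left unencrypted so unattended jobs can use it),
# subject = user's subject + "/CN=proxy", signed with the user's key. The pass
# phrase is entered exactly once here, as on the voms-proxy-init slide.
make_proxy() {
    openssl req -config "$CONF" -new -newkey rsa:2048 -nodes \
        -subj "/C=IT/O=GILDA/OU=Personal Certificate/CN=Example User/CN=proxy" \
        -keyout "$WORK/proxy.key" -out "$WORK/proxy.csr" 2>/dev/null
    # openssl x509 -req takes whole days only; mkproxy --valid=12:00 sets hours
    openssl x509 -req -in "$WORK/proxy.csr" -CA "$WORK/user.pem" -CAkey "$WORK/user.key" \
        -passin "pass:$PASS" -CAcreateserial -days 1 \
        -extfile "$CONF" -extensions proxy_ext -out "$WORK/proxy.crt" 2>/dev/null
    # The file a grid job carries: proxy cert, proxy key, then the issuing user cert
    cat "$WORK/proxy.crt" "$WORK/proxy.key" "$WORK/user.pem" > "$PROXY"
}

# What a remote service does: walk proxy -> user cert -> CA, proxies allowed
verify_proxy() {
    openssl verify -allow_proxy_certs -CAfile "$WORK/ca.pem" \
        -untrusted "$WORK/user.pem" "$WORK/proxy.crt"
}

# The Proxies slide's rule: a proxy file must be readable only by its owner
proxy_is_private() {
    case "$(ls -ld "$1")" in
        -rw-------*) return 0 ;;
        *)           return 1 ;;
    esac
}

make_ca
make_user_cert
make_proxy
verify_proxy                                # prints "<path>/proxy.crt: OK"
proxy_is_private "$PROXY" && echo "$PROXY is owner-only"
openssl x509 -in "$PROXY" -noout -subject -issuer -enddate
```

Two design points worth noting: the user certificate carries keyUsage digitalSignature, which is what openssl requires of a certificate that signs a proxy (a CA needs keyCertSign instead), and verification only succeeds with -allow_proxy_certs because a proxy is an end-entity certificate signed by another end-entity certificate. openssl x509 -req accepts lifetimes in whole days only, so the proxy is valid for one day here; voms-proxy-init and mkproxy compute the 12-hour window themselves.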
Slide 7: VO & VOMS

Grid users MUST belong to a Virtual Organization (VO).
– Groups, Roles and Capabilities
The Virtual Organization Membership Service (VOMS) is a service responsible for maintaining information about the roles and privileges of users within a VO. It grants users authorization to access resources at VO level.
When the proxy is created, one or more VOMS servers are contacted, and they return a mini certificate known as an Attribute Certificate (AC), which is signed by the VO and contains information about group membership and any associated roles within the VO.
Slide 8: voms-proxy-init

[larocca@glite-tutor:~]$ voms-proxy-init --voms gilda
Your identity: /C=IT/O=GILDA/OU=Personal Certificate/L=INFN Catania/CN=Giuseppe La Rocca/Email=giuseppe.larocca@ct.infn.it
Enter GRID pass phrase:
Your proxy is valid until Sat Feb 4 01:08:28 2006
Creating temporary proxy ............................................ Done
Contacting voms.ct.infn.it:15001 [/C=IT/O=GILDA/OU=Host/L=INFN Catania/CN=voms.ct.infn.it/Email=emidio.giorgio@ct.infn.it] "gilda" Done
Creating proxy ...................................... Done
Your proxy is valid until Sat Feb 4 01:08:38 2006
Slide 9: voms-proxy-init (output of voms-proxy-info --all)

[larocca@glite-tutor:~]$ voms-proxy-info --all
subject   : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN Catania/CN=Giuseppe La Rocca/Email=giuseppe.larocca@ct.infn.it/CN=proxy
issuer    : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN Catania/CN=Giuseppe La Rocca/Email=giuseppe.larocca@ct.infn.it
identity  : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN Catania/CN=Giuseppe La Rocca/Email=giuseppe.larocca@ct.infn.it
type      : proxy
strength  : 512 bits
path      : /tmp/x509up_u512
timeleft  : 11:55:52
=== VO gilda extension information ===
VO        : gilda
subject   : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN Catania/CN=Giuseppe La Rocca/Email=giuseppe.larocca@ct.infn.it
issuer    : /C=IT/O=GILDA/OU=Host/L=INFN Catania/CN=voms.ct.infn.it/Email=emidio.giorgio@ct.infn.it
attribute : /gilda/Role=NULL/Capability=NULL
timeleft  : 11:55:41

Slide annotations: the lines before "=== VO gilda extension information ===" are the standard globus attributes; the lines after it are the Attribute Certificate.
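An added example (not from the tutorial): a pre-flight check that a portal or robot script can run over the text printed by voms-proxy-info --all before it submits work. It reads a named field from either the standard globus block or the VO extension block, converts the timeleft values to seconds, and rejects a proxy whose type, VO, AC holder or remaining lifetime does not meet the caller's policy; a weak key strength is reported but not rejected. The sample output is constructed to follow the slide's format with a fictitious user, and the field names are the ones the slide shows.

```shell
#!/bin/sh
# Added example, not part of the tutorial: policy check over voms-proxy-info
# output. SAMPLE_INFO is constructed after the slide's format; the DN is fictitious.
set -eu

SAMPLE_INFO='subject   : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN Catania/CN=Example User/CN=proxy
issuer    : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN Catania/CN=Example User
identity  : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN Catania/CN=Example User
type      : proxy
strength  : 512 bits
path      : /tmp/x509up_u512
timeleft  : 11:55:52
=== VO gilda extension information ===
VO        : gilda
subject   : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN Catania/CN=Example User
issuer    : /C=IT/O=GILDA/OU=Host/L=INFN Catania/CN=voms.ct.infn.it
attribute : /gilda/Role=NULL/Capability=NULL
timeleft  : 11:55:41'

# info_field TEXT SECTION NAME: value of the first "NAME : value" line in SECTION,
# where SECTION is "proxy" (standard globus attributes, before the "=== VO" line)
# or "voms" (the Attribute Certificate block after it). Splitting on the first
# colon only matters because timeleft values themselves contain colons.
info_field() {
    printf '%s\n' "$1" | awk -v want="$2" -v name="$3" '
        BEGIN { sec = "proxy" }
        /^=== VO / { sec = "voms"; next }
        sec == want {
            i = index($0, ":")
            if (i == 0) next
            key = substr($0, 1, i - 1); sub(/ +$/, "", key)
            if (key == name) {
                val = substr($0, i + 1); sub(/^ +/, "", val)
                print val; exit
            }
        }'
}

# hms_to_seconds HH:MM:SS -> total seconds, for lifetime comparisons
hms_to_seconds() {
    printf '%s\n' "$1" | awk -F: '{ print $1 * 3600 + $2 * 60 + $3 }'
}

# check_proxy TEXT VO MIN_SECONDS: 0 if the proxy is usable for VO with at
# least MIN_SECONDS left on both the proxy and its AC, 1 (with a reason) otherwise
check_proxy() {
    info=$1; vo=$2; min=$3
    [ "$(info_field "$info" proxy type)" = proxy ] \
        || { echo "rejected: credential is not a proxy"; return 1; }
    [ "$(info_field "$info" voms VO)" = "$vo" ] \
        || { echo "rejected: no Attribute Certificate for VO $vo"; return 1; }
    # The AC is bound to its holder: its subject must be the proxy's identity
    [ "$(info_field "$info" proxy identity)" = "$(info_field "$info" voms subject)" ] \
        || { echo "rejected: AC holder does not match proxy identity"; return 1; }
    left=$(hms_to_seconds "$(info_field "$info" proxy timeleft)")
    acleft=$(hms_to_seconds "$(info_field "$info" voms timeleft)")
    [ "$left" -ge "$min" ] && [ "$acleft" -ge "$min" ] \
        || { echo "rejected: proxy ($left s) or AC ($acleft s) expires within $min s"; return 1; }
    bits=$(info_field "$info" proxy strength)
    [ "${bits%% *}" -ge 1024 ] || echo "warning: $bits proxy key is weak by today's standards"
    echo "accepted: $(info_field "$info" voms attribute)"
    return 0
}

check_proxy "$SAMPLE_INFO" gilda 3600 && echo "ok to submit for VO gilda"
```

A job submission wrapper would call check_proxy right before voms-proxy-init would otherwise be needed again; because every failure returns non-zero, set -e stops the wrapper before a job is sent out with a credential that will expire mid-run or that carries no AC for the VO the resource expects.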
Slide 10: Robot Certificates

1. Starting from Feb. 2008, the Italian INFN CA will also start to issue Robot Certificates. Thanks to these new certificates, biologists will be able to access the grid by sharing the certificate installed on the portal.
2. The UK and NL CAs are already issuing robot certificates.
3. A robot certificate is a personal credential which can perform automated tasks on behalf of the user.
https://security.fi.infn.it/CA/mgt/restricted/ucert_robot.php
Slide 11: A glance at a robot certificate

Your identity: /C=IT/O=GILDA/OU=Robots/L=INFN Catania/CN=Robot: MrBayes - Giuseppe La Rocca
Creating temporary proxy ................................ Done
Contacting voms.ct.infn.it:15001 [/C=IT/O=INFN/OU=Host/L=Catania/CN=voms.ct.infn.it] "gilda" Done
Creating proxy ............................................................................... Done
Your proxy is valid until Thu May 8 21:42:05 2008
Slide 12: Robot Certificates

In order to strongly reduce the risk of having the portal certificate compromised, and to improve security, the INFN CA has decided to issue this new certificate on board the Aladdin eToken PRO 32K smart card.
Each smart card can hold several robot certificates: one for each application the user wants to share with the others.
– The user's PIN is prompted for every time the user tries to read the certificate on board the smart card to generate a proxy.
– A first prototype of a Grid Portal using a robot certificate on board this hardware has been successfully designed.
Slide 13: Using the eToken PRO to generate proxies

Once your grid certificate and private key are safely stored on your eToken, you can generate grid proxies directly from the eToken. A shell script, mkproxy, was written for this purpose.
– This script requires quite a few special programs and libraries, which need to be installed before attempting to use the mkproxy script.
The mkproxy script has been tested on:
– Windows XP (using cygwin)
– Linux Fedora Core 5 (fc5)
– Linux CentOS 4, Scientific Linux 4 (rhel4)
– Linux OpenSuse 10 (suse10)
– In the near future we hope to test it on MacOS X as well.
Slide 14: Testing

If you have installed a single grid certificate on your eToken, you can now generate a grid proxy by issuing the command:
mkproxy --label="Robot:MrBayes"

Starting Aladdin eToken PRO proxy generation
Found X.509 certificate on eToken:
  label: (eTCAPI) Robot:MrBayes – Giuseppe La Rocca's GILDA ID
  id: 39453945373335312d333545442d343031612d384637302d3238463636393036363042303a31
Your identity: /C=IT/O=GILDA/L=INFN Catania/CN=Robot:Genius – Giuseppe La Rocca
Generating a 512 bit RSA private key
..........++++++++++++......++++++++++++
writing new private key to 'proxykey.D17633'
-----
engine "pkcs11" set.
Signature ok
subject=/C=IT/O=GILDA/L=INFN Catania/CN=Robot:MrBayes – Giuseppe La Rocca/CN=proxy
Getting CA Private Key
PKCS#11 token PIN:
Your proxy is valid until: Sun Feb 24 03:58:09 CEST 2008-02-23

Add VOMS extensions by running the command:
voms-proxy-init --noregen -voms
Slide 15: mkproxy command line options

/bin/mkproxy --help
mkproxy version 1.40
This script will generate a X509 grid proxy using a public/private key pair found on an attached Aladdin eToken PRO.
Options
[--help]            Displays usage.
[--version]         Displays version.
[--debug]           Enables extra debug output.
[--quiet]           Quiet mode, minimal output.
[--limited]         Creates a limited globus proxy.
[--old]             Creates a legacy globus proxy (default).
[--gt3]             Creates a pre-RFC3820 compliant proxy.
[--rfc]             Creates a RFC3820 compliant proxy.
[--days=N]          Number of days the proxy is valid.
[--valid=HH:MM]     Proxy is valid for HH hours and MM minutes (default=12:00).
[--path-length=N]   Allow a chain of at most N proxies to be generated from this one (default=2).
[--bits=N]          Number of bits in key (512, 1024, 2048, default=512).
[--out=proxyfile]   Non-standard location of new proxy cert.
Slide 16: References & Questions

http://www.nikhef.nl/grid/gridwiki/index.php/Using_an_Aladdin_eToken_PRO_to_generate_grid_proxies [Jan Just Keijser] janjust@nikhef.nl
http://security.fi.infn.it/CA/CPS/CPS-2.3.pdf