Published by Duane Lamb. Modified over 8 years ago.
1. Grid Security
Alessandro Paolini, INFN-CNAF
IV Scuola della GRID per utenti
2. Summary
Security concepts
 – Symmetric encryption algorithms
 – Asymmetric encryption algorithms
 – PKI
 – Digital Signature
 – Digital Certificates
Grid Security:
 – VOMS certificates
 – myproxy
3. Glossary
Principal
 – An entity: a user, a program, or a machine
Credentials
 – Some data providing a proof of identity
Authentication
 – Verify the identity of the principal
Authorization
 – Map an entity to some set of privileges
Confidentiality
 – Encrypt the message so that only the recipient can understand it
Integrity
 – Ensure that the message has not been altered in transmission
Non-repudiation
 – Impossibility of denying the authenticity of a digital signature
4. Cryptography
Mathematical algorithms that provide important building blocks for the implementation of a security infrastructure
Symbology
 – Plaintext: M
 – Ciphertext: C
 – Encryption with key K1: E_K1(M) = C
 – Decryption with key K2: D_K2(C) = M
Algorithms
 – Symmetric: K1 = K2
 – Asymmetric: K1 ≠ K2
5. Symmetric Algorithms
The same key is used for encryption and decryption
Advantages:
 – Fast
Disadvantages:
 – how to distribute the keys?
 – the number of keys is O(n^2)
Examples:
 – DES
 – 3DES
 – Rijndael (AES)
 – Blowfish
6. Asymmetric Algorithms (Public Key)
Every user has two keys: one private and one public:
 – it is hard to derive the private key from the public one;
 – a message encrypted by one key can be decrypted only by the other one.
No exchange of secrets is necessary
 – the sender encrypts using the public key of the receiver;
 – the receiver decrypts using his private key;
 – the number of keys is O(n).
Examples:
 – Diffie-Hellman (1977)
 – RSA (1978)
7. One-Way Hash Functions
Functions (H) that, given as input a variable-length message (M), produce as output a string of fixed length (h)
 – the length of h must be at least 128 bits (to avoid birthday attacks)
 – given M, it must be easy to calculate H(M) = h
 – given h, it must be difficult to calculate M = H^-1(h)
 – given M, it must be difficult to find M' (M' ≠ M) such that H(M) = H(M')
Examples:
 – MD4/MD5: hash of 128 bits;
 – SHA (FIPS standard): hash of 160 bits.
8. Hash Examples
[apaolini@ui ~]$ cat prova1
testo di prova
[apaolini@ui ~]$ sha1sum prova1
e7ea480a73b5e294e28ff48338c68090c5ce9c49  prova1
[apaolini@ui ~]$ cat prova2
testo di prove
[apaolini@ui ~]$ sha1sum prova2
558dd585e789c8d80f2fe6c0fc6939f25a76998f  prova2
[apaolini@ui ~]$ ls -l /bin/ls
-rwxr-xr-x 1 root root 91240 Feb 24 2010 /bin/ls
[apaolini@ui ~]$ sha1sum /bin/ls
a60ff215222c413b31920b210fe04dfd1a5d0f7c  /bin/ls
9. Digital Signature
Paul calculates the hash of the message.
Paul encrypts the hash using his private key: the encrypted hash is the digital signature.
Paul sends the signed message to John.
John calculates the hash of the message and compares it with the one received from Paul, decrypted with Paul's public key.
If the hashes are equal: the message wasn't modified and Paul cannot repudiate it.
10. Digital Certificates
Paul's digital signature is safe if:
 1. Paul's private key is not compromised
 2. John knows Paul's public key
How can John be sure that Paul's public key is really Paul's public key and not someone else's?
 – A third party guarantees the correspondence between the public key and the owner's identity
 – Both Paul and John must trust this third party
Two models:
 – X.509: hierarchical organization;
 – PGP: "web of trust".
11. PGP "web of trust"
F knows D and E, who know A and C, who know A and B.
F is reasonably sure that the key from A is really from A.
12. X.509 Certificates
The "third party" is called Certification Authority (CA).
 – Issues Digital Certificates for users, programs and machines
 – Checks the identity and the personal data of the requestor
   – Registration Authorities (RAs) do the actual validation
 – CAs periodically publish a list of compromised certificates
   – Certificate Revocation Lists (CRL): contain all the revoked certificates that have not yet expired
 – CA certificates are self-signed
13. X.509 Certificates
An X.509 Certificate contains:
 – owner's public key;
 – identity of the owner;
 – info on the CA;
 – time of validity;
 – serial number;
 – digital signature of the CA
Structure of an X.509 certificate (example):
 Public key
 Subject: C=IT, O=INFN, OU=Personal Certificate, L=CNAF, CN=Daniele Cesini
 Issuer: C=IT, O=INFN, CN=INFN Certification Authority
 Expiration date: May 10 14:15:14 2005 GMT
 Serial number: 080E
 CA Digital signature
14. Certificates on web browsers
15. Certificates on web browsers
17. From p12 to pem
openssl pkcs12 -clcerts -nokeys -in cesini_2013.p12 -out usercert.pem
openssl pkcs12 -nocerts -in cesini_2013.p12 -out userkey.pem
[cesini@ui ~]$ ll .globus/
total 24
-rw------- 1 cesini gridops 1801 May  2 13:44 usercert.pem
-r-------- 1 cesini gridops 1913 May  2 13:45 userkey.pem
18. Which CAs are trusted in EGI?
http://www.eugridpma.org/
"The EUGridPMA is the international organization to coordinate the trust fabric for e-Science grid authentication in Europe. It collaborates with the regional peers APGridPMA for the Asia-Pacific and The Americas Grid PMA in the International Grid Trust Federation. The charter document defines the group's objective, scope and operation. It is the basis for the guidelines documents on the accreditation procedure, the Authentication profile for X.509 secured "classic" certification authorities and other IGTF recognised Profiles."
The lcg-CA are installed on the machine through rpms. The official production yum CA repository is:
# less /etc/yum.repos.d/egi-trustanchors.repo
[EGI-trustanchors]
name=EGI-trustanchors
baseurl=http://repository.egi.eu/sw/production/cas/1/current/
gpgkey=http://repository.egi.eu/sw/production/cas/1/GPG-KEY-EUGridPMA-RPM-3
gpgcheck=1
enabled=1
yum install lcg-CA
lcg-CA is a metapackage that installs all the lcg CAs.
19. grid-cert-info
[apaolini@ui ~]$ cat .globus/usercert.pem
-----BEGIN CERTIFICATE-----
[base64 body omitted]
-----END CERTIFICATE-----
Try to look inside a certificate with a text editor.
Something is needed to understand what is written inside a certificate: you can use the grid-cert-info command (e.g. on a UI).
Usage: grid-cert-info -<option> -f cert_file.pem
where <option> can be:
 – -all
 – -startdate
 – -subject
 – -enddate
 – -issuer
 – -help
20. grid-cert-info
[apaolini@ui ~]$ grid-cert-info -f .globus/usercert.pem -subject -issuer -startdate -enddate
/C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Alessandro Paolini
/C=IT/O=INFN/CN=INFN CA
Jan 26 14:29:57 2011 GMT
Jan 26 14:29:57 2012 GMT
Try to run grid-cert-info on your certificate.
21. grid-cert-info
[apaolini@ui ~]$ grid-cert-info -all -f /etc/grid-security/certificates/2f3fadf6.0
[cesini@lcg-ui cesini]$ grid-cert-info -file /etc/grid-security/certificates/2f3fadf6.0
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=IT, O=INFN, CN=INFN CA
        Validity
            Not Before: Oct  3 14:16:47 2006 GMT
            Not After : Oct  3 14:16:47 2016 GMT
        Subject: C=IT, O=INFN, CN=INFN CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:ce:95:8e:0e:83:95:9d:42:a9:ca:29:23:ca:b7:
                    63:f9:0a:49:ba:82:5e:2a:4a:85:e1:f6:dd:e8:ba:
                    ea:79:02:f4:76:a0:22:96:e5:51:f0:3e:32:fd:3d:
                    .......
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier:
                D1:62:F3:B3:77:72:C8:2E:FB:F2:79:1A:6F:37:4E:27:9F:13:D5:20
            X509v3 Authority Key Identifier:
                keyid:D1:62:F3:B3:77:72:C8:2E:FB:F2:79:1A:6F:37:4E:27:9F:13:D5:20
                DirName:/C=IT/O=INFN/CN=INFN CA
                serial:00
    Signature Algorithm: sha1WithRSAEncryption
        78:d7:d3:3f:b7:3f:72:72:40:62:01:23:96:80:5c:e4:b7:36:
        e0:c4:7f:43:1d:a8:22:c5:20:6b:17:8e:db:c8:9b:69:03:48:
        c4:86:40:e8:39:b9:99:c9:2d:30:21:69:3f:a0:5f:97:8d:90:
        37:73:86:eb:89:12:05:b5:14:f1:83:cb:62:1f:eb:38:03:e1:
        ........
Gather info about a certificate in your CE directory /etc/grid-security/certificates/
[apaolini@ui ~]$ openssl verify /etc/grid-security/certificates/2f3fadf6.0
/etc/grid-security/certificates/2f3fadf6.0: /C=IT/O=INFN/CN=INFN CA
error 18 at 0 depth lookup:self signed certificate
OK
22. The Grid Security Infrastructure (GSI)
(Diagram: John's certificate → Verify CA signature → Random phrase + timestamp → Encrypt hash with John's private key → Encrypted hash → Decrypt with John's public key → Compare with hash of original phrase)
Based on X.509 PKI. Every Grid transaction between John and Paul is mutually authenticated:
 1. John sends his certificate;
 2. Paul verifies the CA signature in John's certificate;
 3. Paul sends John a challenge string;
 4. John encrypts the hash of the challenge string with his private key;
 5. John sends the encrypted hash of the challenge to Paul;
 6. Paul uses John's public key to decrypt the hash;
 7. Paul compares the decrypted hash with the hash of the original challenge;
 8. If they match, Paul has verified John's identity and John cannot repudiate it.
Attention: if Bill is in the middle and manages to obtain John's private key, he can impersonate John!!
Private keys must be stored in protected places and in encrypted form.
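Added example, not from the slides: a toy model of slides 9, 10, 12, 13 and 22 in Python. Hash-then-sign, a CA that binds a subject name to a public key by signing it, Paul checking John's certificate against the one CA he trusts, and the challenge/response of slide 22. It uses textbook RSA on fixed Mersenne primes with no padding and a `repr`-based stand-in for DER, so it shows the mechanics only; the CA name, John's name and the key sizes are assumptions.

```python
import hashlib
import secrets
import time

E = 65537                         # public exponent shared by the toy key pairs

def mersenne(k): return (1 << k) - 1   # 2^k - 1 is prime for k = 61, 89, 107, 127

def toy_keypair(p, q):
    """Textbook RSA from two known primes: (public (n, e), private d)."""
    return (p * q, E), pow(E, -1, (p - 1) * (q - 1))

def digest(data: bytes) -> int:
    """One-way hash (SHA-1, 160 bits, like the sha1sum slide) as an integer."""
    return int.from_bytes(hashlib.sha1(data).digest(), "big")

def sign(data: bytes, priv: int, pub) -> int:
    """Digital signature = hash of the message encrypted with the private key."""
    return pow(digest(data), priv, pub[0])

def verify(data: bytes, sig: int, pub) -> bool:
    """Decrypt the signature with the public key; compare with a fresh hash."""
    return pow(sig, pub[1], pub[0]) == digest(data)

def tbs(cert) -> bytes:
    """The 'to be signed' fields of a certificate (stand-in for DER)."""
    return repr([cert["subject"], cert["issuer"], cert["pub"], cert["not_after"]]).encode()

def issue(ca_priv, ca_cert, subject, pub, days=365):
    """The CA binds a subject name to a public key by signing the certificate."""
    cert = {"subject": subject, "issuer": ca_cert["subject"], "pub": pub,
            "not_after": time.time() + days * 86400}
    cert["sig"] = sign(tbs(cert), ca_priv, ca_cert["pub"])
    return cert

def verify_cert(cert, trusted_ca, now=None) -> bool:
    """Paul's check: issued by the CA he trusts, CA signature valid, not expired."""
    now = time.time() if now is None else now
    return (cert["issuer"] == trusted_ca["subject"]
            and verify(tbs(cert), cert["sig"], trusted_ca["pub"])
            and now < cert["not_after"])

def gsi_authenticate(john_cert, john_priv, trusted_ca) -> bool:
    """One direction of the GSI mutual authentication (slide 22)."""
    if not verify_cert(john_cert, trusted_ca):                       # steps 1-2
        return False
    challenge = secrets.token_bytes(16) + str(time.time()).encode()  # step 3
    response = sign(challenge, john_priv, john_cert["pub"])          # steps 4-5
    return verify(challenge, response, john_cert["pub"])             # steps 6-8

# Constructed trust fabric: a self-signed CA, John's certificate, Bill's own keys
CA_PUB, CA_PRIV = toy_keypair(mersenne(89), mersenne(107))
CA_CERT = {"subject": "/C=IT/O=INFN/CN=Toy CA", "issuer": "/C=IT/O=INFN/CN=Toy CA",
           "pub": CA_PUB, "not_after": time.time() + 3650 * 86400}
CA_CERT["sig"] = sign(tbs(CA_CERT), CA_PRIV, CA_PUB)   # CA certificates are self-signed
JOHN_PUB, JOHN_PRIV = toy_keypair(mersenne(61), mersenne(127))
JOHN_CERT = issue(CA_PRIV, CA_CERT, "/C=IT/O=INFN/OU=Personal Certificate/CN=John", JOHN_PUB)
BILL_PUB, BILL_PRIV = toy_keypair(mersenne(107), mersenne(127))   # no certificate from the CA

def forged_cert():
    """Bill copies John's certificate and swaps in his own public key:
    the CA signature no longer matches the to-be-signed fields."""
    cert = dict(JOHN_CERT)
    cert["pub"] = BILL_PUB
    return cert
```

Without John's private key, neither a copied certificate nor a substituted public key survives Paul's two checks, which is exactly why the slide insists on protecting that key.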
23. The Grid Security Infrastructure (GSI)
On the Grid, who is John and who is Paul? Which are the entities that need a certificate?
(Diagram: User, WMS, CE, WN, LFC, BDII, SE; glite-wms-job-submit)
A Certificate is needed for:
 – USER (NOT UI)
 – WMS
 – CE
 – VOMS
 – SE
 – LFC
 – FTS
 – MYPROXY
A Certificate is NOT needed for:
 – WN
 – BDII
 – UI
24. X.509 Proxy Certificate
On the Grid the user does not use their own long-lived certificate: security problems may arise.
X.509 Proxy Certificate
 – GSI extension to X.509 Identity Certificates
 – Has a limited lifetime
 – Is signed by the normal end entity certificate or by another proxy
Delegation = remote creation of a (second level) proxy credential
 – Allows a remote process to authenticate on behalf of the user
25. Virtual Organizations and voms-proxy-init
To submit to the Grid, personal certificates are not the end of the story: users MUST join at least one of the groups allowed to use the Grid resources = Virtual Organization (VO)
The proxy obtained with grid-proxy-init does not contain information about your VO
The VOMS (Virtual Organization Membership Service) extends the proxy info with VO membership, group, role and capabilities.
Related commands:
 – voms-proxy-init
 – voms-proxy-destroy
 – voms-proxy-info
26. Groups and Roles in VOMS
Every user in a VO belongs to at least one group:
 – E.g.: /infngrid
And may also belong to some subgroups:
 – E.g.: /infngrid/g1, /infngrid/g2, meaning subgroups g1 and g2 of /infngrid
There are also Roles:
 – E.g.: /Role=VO-Admin
Roles make sense only in the context of a group:
 – E.g.: /Role=VO-Admin in the group /infngrid.
Compact way of describing it (FQAN):
 – /infngrid/Role=VO-Admin: holding the role of VO-Admin in the group /infngrid
27. Voms proxy
voms-proxy-init creates your proxy for the grid
 – If you forget this command, nothing will work!
Many, many options.
 – Most are advanced
 – Will show only basic usage.
But two things are important:
 – If you are reporting a bug, add --debug to voms-proxy-init's command line before reporting the output
 – 'voms-proxy-init --version' to discover which version you have. The version of gLite or LCG you have is useless.
28. voms-proxy-init: what really happens in the background
voms-proxy-init
 – Creates a proxy locally
 – Contacts the VOMS server and extends the proxy with a role
VOMS server signs the proxy
 – Sites of the VO recognise and accept the signature of VOMS
voms-proxy-init --voms alice
Allows VOs to centrally manage user roles
29. voms-proxy-init: basic usage
[apaolini@ui ~]$ voms-proxy-init -voms infngrid
Enter GRID pass phrase:
Your identity: /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Alessandro Paolini
Creating temporary proxy....................................... Done
Contacting voms.cnaf.infn.it:15000 [/C=IT/O=INFN/OU=Host/L=CNAF/CN=voms.cnaf.infn.it] "infngrid" Done
Creating proxy......................................... Done
Your proxy is valid until Thu Feb 10 04:18:50 2011
[apaolini@ui ~]$ voms-proxy-info --all
subject   : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Alessandro Paolini/CN=proxy
issuer    : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Alessandro Paolini
identity  : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Alessandro Paolini
type      : proxy
strength  : 1024 bits
path      : /tmp/x509up_u9003
timeleft  : 11:59:27
=== VO infngrid extension information ===
VO        : infngrid
subject   : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Alessandro Paolini
issuer    : /C=IT/O=INFN/OU=Host/L=CNAF/CN=voms.cnaf.infn.it
attribute : /infngrid/Role=NULL/Capability=NULL
attribute : /infngrid/TEST/Role=NULL/Capability=NULL
attribute : eyee = 5653 (/infngrid/TEST)
timeleft  : 11:59:27
uri       : voms.cnaf.infn.it:15000
(slide callout: VO)
30. voms-proxy-init: basic usage
[apaolini@ui ~]$ voms-proxy-list --voms infngrid
Enter GRID pass phrase:
Your identity: /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Alessandro Paolini
Creating temporary proxy............................................................ Done
Contacting voms-01.pd.infn.it:15000 [/C=IT/O=INFN/OU=Host/L=Padova/CN=voms-01.pd.infn.it] "infngrid" Done
Available attributes:
/infngrid/Role=NULL/Capability=NULL
/infngrid/Role=SoftwareManager/Capability=NULL
/infngrid/Role=VO-Admin/Capability=NULL
/infngrid/TEST/Role=NULL/Capability=NULL
(slide callout: What attributes can you request?)
31. voms-proxy-init: basic usage
[apaolini@ui ~]$ voms-proxy-init --voms infngrid:all
Enter GRID pass phrase:
Your identity: /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Alessandro Paolini
Creating temporary proxy........................... Done
Contacting voms.cnaf.infn.it:15000 [/C=IT/O=INFN/OU=Host/L=CNAF/CN=voms.cnaf.infn.it] "infngrid" Done
Creating proxy................................................. Done
Your proxy is valid until Thu Feb 10 04:28:59 2011
[apaolini@ui ~]$ voms-proxy-info --all
subject   : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Alessandro Paolini/CN=proxy
issuer    : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Alessandro Paolini
identity  : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Alessandro Paolini
type      : proxy
strength  : 1024 bits
path      : /tmp/x509up_u9003
timeleft  : 11:59:50
=== VO infngrid extension information ===
VO        : infngrid
subject   : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Alessandro Paolini
issuer    : /C=IT/O=INFN/OU=Host/L=CNAF/CN=voms.cnaf.infn.it
attribute : /infngrid/Role=NULL/Capability=NULL
attribute : /infngrid/Role=SoftwareManager/Capability=NULL
attribute : /infngrid/Role=VO-Admin/Capability=NULL
attribute : /infngrid/TEST/Role=NULL/Capability=NULL
attribute : eyee = 5653 (/infngrid/TEST)
timeleft  : 11:59:50
uri       : voms.cnaf.infn.it:15000
(slide callout: Values)
32. voms-proxy-init: basic usage
[apaolini@ui ~]$ voms-proxy-init --voms infngrid:/infngrid/Role=SoftwareManager
Enter GRID pass phrase:
Your identity: /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Alessandro Paolini
Creating temporary proxy.................................................. Done
Contacting voms.cnaf.infn.it:15000 [/C=IT/O=INFN/OU=Host/L=CNAF/CN=voms.cnaf.infn.it] "infngrid" Done
Creating proxy.................................................. Done
Your proxy is valid until Thu Feb 10 04:40:08 2011
[apaolini@ui ~]$ voms-proxy-info --all
subject   : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Alessandro Paolini/CN=proxy
issuer    : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Alessandro Paolini
identity  : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Alessandro Paolini
type      : proxy
strength  : 1024 bits
path      : /tmp/x509up_u9003
timeleft  : 11:59:55
=== VO infngrid extension information ===
VO        : infngrid
subject   : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Alessandro Paolini
issuer    : /C=IT/O=INFN/OU=Host/L=CNAF/CN=voms.cnaf.infn.it
attribute : /infngrid/Role=SoftwareManager/Capability=NULL
attribute : /infngrid/Role=NULL/Capability=NULL
attribute : /infngrid/TEST/Role=NULL/Capability=NULL
attribute : eyee = 5653 (/infngrid/TEST)
timeleft  : 11:59:55
uri       : voms.cnaf.infn.it:15000
(slide callout: Role)
33. voms-proxy-init: advanced usage
[apaolini@ui ~]$ voms-proxy-init --voms infngrid --valid 10:00
Enter GRID pass phrase:
Your identity: /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Alessandro Paolini
Creating temporary proxy............................................................................................ Done
Contacting voms-01.pd.infn.it:15000 [/C=IT/O=INFN/OU=Host/L=Padova/CN=voms-01.pd.infn.it] "infngrid" Done
Creating proxy.................................................................................................................................................................. Done
Your proxy is valid until Thu Feb 10 02:42:41 2011
[apaolini@ui ~]$ voms-proxy-init --voms infngrid --valid 1000:00
Enter GRID pass phrase:
Your identity: /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Alessandro Paolini
Creating temporary proxy..................................................................... Done
Contacting voms.cnaf.infn.it:15000 [/C=IT/O=INFN/OU=Host/L=CNAF/CN=voms.cnaf.infn.it] "infngrid" Done
Warning: voms.cnaf.infn.it:15000: The validity of this VOMS AC in your proxy is shortened to 86400 seconds!
Creating proxy...................... Done
Your proxy is valid until Wed Mar 23 08:42:58 2011
Be Aware!!!
34. voms-proxy-init: advanced usage
[apaolini@ui ~]$ voms-proxy-info --all
subject   : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Alessandro Paolini/CN=proxy
issuer    : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Alessandro Paolini
identity  : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Alessandro Paolini
type      : proxy
strength  : 1024 bits
path      : /tmp/x509up_u9003
timeleft  : 999:53:09
=== VO infngrid extension information ===
VO        : infngrid
subject   : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Alessandro Paolini
issuer    : /C=IT/O=INFN/OU=Host/L=CNAF/CN=voms.cnaf.infn.it
attribute : /infngrid/Role=NULL/Capability=NULL
attribute : /infngrid/TEST/Role=NULL/Capability=NULL
attribute : eyee = 5653 (/infngrid/TEST)
timeleft  : 23:53:09
uri       : voms.cnaf.infn.it:15000
(slide callout: Length has been shortened)
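Added Python example, not from the slides, covering slides 26 and 29 to 34 together: a parser for FQANs and for the `voms-proxy-info --all` report, the kind of authorization decision a site makes from the VO attributes, and the lifetime that actually counts once the VOMS AC has been shortened. The report below is constructed in the format of slide 34; the rule-matching semantics (exact group, optional exact role) are a simplification assumed here, not the behaviour of any specific site tool.

```python
import re
from typing import NamedTuple, Optional

# FQAN grammar used by VOMS: /vo[/subgroup...][/Role=<role>][/Capability=<cap>]
FQAN_RE = re.compile(r"^(?P<group>/[^/=]+(?:/[^/=]+)*)"
                     r"(?:/Role=(?P<role>[^/]+))?(?:/Capability=(?P<cap>[^/]+))?$")

class FQAN(NamedTuple):
    group: str
    role: Optional[str]          # VOMS prints "NULL" for "no role": stored as None
    capability: Optional[str]

def parse_fqan(text: str) -> FQAN:
    m = FQAN_RE.match(text.strip())
    if not m: raise ValueError(f"not an FQAN: {text!r}")
    null = lambda v: None if v in (None, "NULL") else v
    return FQAN(m["group"], null(m["role"]), null(m["cap"]))

def satisfies(held: FQAN, required: FQAN) -> bool:
    """Same group exactly; a rule without Role accepts any role in that group, a rule
    with Role wants exactly that role. The AC lists parent groups itself (slide 29)."""
    if held.group != required.group:
        return False
    if required.role is not None and held.role != required.role:
        return False
    return required.capability is None or held.capability == required.capability

def hms_to_seconds(text: str) -> int:
    """'999:53:09' -> seconds (the hours field may exceed 24)."""
    h, m, s = (int(x) for x in text.split(":"))
    return h * 3600 + m * 60 + s

def parse_proxy_info(report: str) -> dict:
    """First 'timeleft' is the proxy's, the one after '=== VO ... ===' is the AC's."""
    info = {"fqans": [], "generic": [], "proxy_timeleft": None, "ac_timeleft": None}
    in_ac = False
    for line in report.splitlines():
        if line.startswith("=== VO"):
            in_ac = True
            continue
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if sep and key == "attribute" and value.startswith("/"):
            info["fqans"].append(parse_fqan(value))
        elif sep and key == "attribute":          # generic attribute, e.g. eyee = 5653
            info["generic"].append(value)
        elif sep and key == "timeleft":
            info["ac_timeleft" if in_ac else "proxy_timeleft"] = hms_to_seconds(value)
    return info

def effective_lifetime(info: dict) -> int:
    """What a job can really use: the AC may expire long before the proxy (slide 34)."""
    return min(t for t in (info["proxy_timeleft"], info["ac_timeleft"]) if t is not None)

def authorize(info: dict, rule: str) -> bool:
    required = parse_fqan(rule)
    return any(satisfies(f, required) for f in info["fqans"])

# Constructed report in the format of slide 34: 1000 h requested, AC cut to 24 h
REPORT = """\
subject   : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Alessandro Paolini/CN=proxy
timeleft  : 999:53:09
=== VO infngrid extension information ===
attribute : /infngrid/Role=NULL/Capability=NULL
attribute : /infngrid/TEST/Role=NULL/Capability=NULL
attribute : eyee = 5653 (/infngrid/TEST)
timeleft  : 23:53:09
"""
```

A job planned against the 999-hour proxy would lose its VO attributes after the 24-hour AC lifetime, which is the point of the "Be Aware" callout on slide 33.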
35. voms-proxy-init: basic usage
Destroying proxy credentials:
[apaolini@ui ~]$ voms-proxy-destroy
[apaolini@ui ~]$
36. Long term proxy - myproxy
Grid tasks may need a time longer than the proxy lifetime (short for security reasons).
A myproxy server is used to create and store a long term proxy, which is used to renew short term proxies when they are about to expire.
Related commands:
 – myproxy-init
 – myproxy-info
 – myproxy-logon
 – myproxy-destroy
A dedicated service on the WMS can automatically renew the proxy on your behalf by contacting the myproxy server (the myproxy server should be indicated in the job description).
37. MyProxy usage
Credentials generation:
[apaolini@ui ~]$ myproxy-init -d
Your identity: /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Alessandro Paolini
Enter GRID pass phrase for this identity:
Creating proxy........................................ Done
Proxy Verify OK
Your proxy is valid until: Wed Feb 16 17:06:33 2011
Enter MyProxy pass phrase:
Verifying - Enter MyProxy pass phrase:
A proxy valid for 168 hours (7.0 days) for user /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Alessandro Paolini now exists on myproxy.cnaf.infn.it.
Check the validity:
[apaolini@ui ~]$ myproxy-info -d
username: /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Alessandro Paolini
owner: /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Alessandro Paolini
timeleft: 167:59:24  (7.0 days)
38. MyProxy usage
Recovering VOMS credentials from the myproxy server for a certain VO:
[apaolini@ui ~]$ myproxy-logon -d --voms infngrid
Enter MyProxy pass phrase:
Your identity: /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Alessandro Paolini/CN=proxy/CN=proxy/CN=proxy
Contacting voms-01.pd.infn.it:15000 [/C=IT/O=INFN/OU=Host/L=Padova/CN=voms-01.pd.infn.it] "infngrid" Done
Creating proxy..................................................................................................... Done
Your proxy is valid until Thu Feb 10 04:07:33 2011
A credential has been received for user /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Alessandro Paolini in /tmp/x509up_u9003.
Check their validity:
[apaolini@ui ~]$ voms-proxy-info --all
subject   : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Alessandro Paolini/CN=proxy/CN=proxy/CN=proxy/CN=proxy
issuer    : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Alessandro Paolini/CN=proxy/CN=proxy/CN=proxy
identity  : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Alessandro Paolini/CN=proxy/CN=proxy/CN=proxy
type      : proxy
strength  : 2048 bits
path      : /tmp/x509up_u9003
timeleft  : 10:59:49
=== VO infngrid extension information ===
VO        : infngrid
subject   : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Alessandro Paolini
issuer    : /C=IT/O=INFN/OU=Host/L=Padova/CN=voms-01.pd.infn.it
attribute : /infngrid/Role=NULL/Capability=NULL
attribute : /infngrid/TEST/Role=NULL/Capability=NULL
attribute : eyee = 5653 (/infngrid/TEST)
timeleft  : 11:58:48
uri       : voms-01.pd.infn.it:15000
39. MyProxy usage
Destroying the credential:
[apaolini@ui ~]$ myproxy-destroy -d
Default MyProxy credential for user /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Alessandro Paolini was successfully removed.
[apaolini@ui ~]$ myproxy-logon -d --voms infngrid
Enter MyProxy pass phrase:
Failed to receive credentials.
ERROR from myproxy-server:
No credentials exist for username "/C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Alessandro Paolini".
Avoid directly using MyProxy for job submissions!
 – myproxy-init overwrites your existing credentials
 – This means that you cannot specify roles!
 – Use proxyrenewal instead! Details in tomorrow's session.
40. Bibliography
Cryptography
 – "The Handbook of Applied Cryptography" by Alfred J. Menezes, Paul C. van Oorschot and Scott A. Vanstone: http://www.cacr.math.uwaterloo.ca/hac/
 – "Applied Cryptography" by Bruce Schneier
Grid Security
 – LCG Security: http://proj-lcg-security.web.cern.ch/proj-lcg-security/
 – Globus Security: http://www.globus.org/security/
IGI web site: http://www.italiangrid.org/