
The GENIUS Grid Portal and robot certificates - Giuseppe LA ROCCA (Consorzio COMETA - Progetto PI2S2 - UNIONE EUROPEA)


1 The GENIUS Grid Portal and robot certificates
Giuseppe LA ROCCA (giuseppe.larocca@ct.infn.it), INFN - Catania
Consorzio COMETA - Progetto PI2S2 - UNIONE EUROPEA, www.consorzio-cometa.it
GRISU' Open Day su Bio-immagini e Grid, Napoli, 11 March 2009

2 G. LA ROCCA - GRISU' Open Day su Bio-immagini e Grid - 11 March 2009 Naples - Italy
Why do we use Robot Certificates in Science?
– Grid technology allows users to share a wide plethora of distributed computational resources regardless of their geographical location.
– Virtual services are exposed to the users through rather complex Command Line Interfaces or API languages.
– Grid security is based on the Public Key Infrastructure (PKI) of X.509 certificates, and the procedure to get and manage those certificates is unfortunately not straightforward.
– Up to now, the high security policy requested to access distributed computing resources has been a big limiting factor when trying to broaden the usage of Grids by wide communities of users.

3 Why do we use Robot Certificates in Science?
– The user has to adhere to a Virtual Organization (VO).
– The user needs an account on one of the trusted User Interfaces (UI).
Robot certificates and Grid portals provide an added value to make Grids more appealing for non-expert users.

4 Robot certificates - overview
1. Since Feb. 2008 the Italian INFN CA has also started to issue Robot Certificates. Thanks to these new certificates, scientists will be able to access the Grid by sharing the certificate installed on the portal.
2. Other CAs issuing robot certificates are the UK and NL ones.
https://security.fi.infn.it/CA/mgt/restricted/ucert_robot.php

5 Robot certificates - overview
Robot certificates have been introduced to permit users who are not familiar with the Grid Security Infrastructure to experience the Grid paradigm for research activity, reducing the initial barriers.
– They are extremely useful, for instance, to automate grid service monitoring, data processing production, distributed data collection systems, etc.
– Basically, these certificates can be used to identify a person responsible for an unattended service or process acting as client and/or server.

6 Robot Certificates & tokens
In order to strongly reduce the risk of the portal certificate being compromised or lost, the INFN CA has decided to issue this new certificate on board the Aladdin eToken PRO 32K smart card. Each smart card can support several robot certificates: one for each application the user wants to share with other people.
– The user's PIN is prompted every time the certificate on the smart card is read to generate a proxy.
– A first prototype of a Grid Portal using a robot certificate on board this hardware has been successfully designed.

7 Using an Aladdin eToken PRO to generate Grid Proxies
Once your grid certificate and private key are safely stored on your eToken, you can generate proxies directly from it. A shell script, mkproxy, was written for this purpose.
– This script requires quite a few special programs and libraries, which need to be installed beforehand.
The mkproxy script has been tested on:
– Windows XP (using cygwin)
– Linux Fedora Core 5 and 8
– Linux CentOS 4
– Scientific Linux 4 and 5
– Linux OpenSuse 10 (suse10)
– In the near future we hope to test it on MacOS X as well.

8 Download the required files
Install the following packages for the Linux distribution from these web links:
www.nikhef.nl/pub/projects/grid/gridwiki/images/1/1c/Mkproxy-rhel4.tar.gz
Due to licensing restrictions, we cannot supply the eToken drivers and libraries. These need to be downloaded from the Aladdin website. You can find all the required software on the web:
www.aladdin.ru/upload/iblock/609/eToken_PKI_Client_4_55_Linux.rar
See the extra slides at the end of this presentation for installation tips.

9 GENIUS/EnginFrame 4.1 & Robot Certificates
Workflow diagram (actors: User, Admin, GENIUS/EnginFrame portal):
1. ask for a service
2. create a proxy with the robot certificate
3. execute action
4. get output
5. get the results
2', 3'. track user

10 Porting the "MrBayes" application to GRID with robot certificate
Case study from INFN CNR - ITB

11 MrBayes overview
MrBayes is a program for the Bayesian estimation of phylogeny. Bayesian inference of phylogeny is based on the posterior probability distribution of trees, which is the probability of a tree conditioned on the observations.
– To approximate the posterior probability distribution of trees, MrBayes uses a simulation technique called Markov Chain Monte Carlo (MCMC).
– The program takes as input a character matrix in the NEXUS file format.
– The output is several files with the parameters that were sampled by the MCMC algorithm.
The application is CPU demanding, especially if the MPI version of the software is used.

12 Phylogenetic analysis on a large scale
Architecture diagram; components shown: User's workstation; UI + GENIUS Portal with Robot Certificate and Job Submission Tool; Resource Broker; Computing Element(s); Worker Node(s); LFC Catalog; SE.

13 Porting the "GridSPM" application to EGEE
Case study from the Italian Portal of Neuroinformatics

14 GRIDSPM's application overview
GRIDSPM is a neuroinformatics service that allows the statistical analysis of SPECT and PET cerebral images through the Statistical Parameter Mapping (SPM) system. The service allows certified and authorized users (Authorizations):
– to access and use the analysis software SPM;
– to access the database of SPECT and PET cerebral images of normal subjects, required for the comparison between the pathological subject and the normal population.
See Andrea Schenone's talk for further information.

15 References
JST:
– webcms.ba.infn.it/cms-software/index.html/index.php/Main/JobSubmissionTool
Multi MrBayes with JST & robot certificate:
– Web site: https://glite-tutor1.ct.infn.it
– Video: https://gilda.ct.infn.it/Bari/LAROCCA_MrBayes_AVI.avi
The Italian Portal of Neuroinformatics: www.neuroinf.it
Statistical analysis of PET and SPET images:
– www.neuroinf.it/medico/Analisi/
Java PKCS#11 Reference Guide:
– java.sun.com/j2se/1.5.0/docs/guide/security/p11guide.html
– nikhef.nl/grid/gridwiki/index.php/Using_an_Aladdin_eToken_PRO_to_generate_grid_proxies [Jan Just Keijser] janjust@nikhef.nl

16 Summary & Conclusions
This work is particularly relevant for all users who are not familiar with personal digital certificates. The valuable benefits introduced by robot certificates in e-Science can thus be extended to users belonging to several scientific domains, providing an asset in raising Grid awareness among a wide number of potential users.

17 Extra slides follow...

18 Pre-installation /1
Before installing PKI Client 4.55, PCSC-lite, PCSC-lite-lib and CCID must be installed.
– Maybe you can find these packages in your repo. These packages have dependencies between each other.
Start the daemon:
    /etc/init.d/pcscd start
Unpack eToken_PKI_Client_4_55_Linux.rar, which will extract the client files.

19 Pre-installation /2
The Mkproxy-rhel4.tar.gz tarball contains all the required binaries for RHEL4 compatible platforms. After unpacking the tarball, copy over the files to their respective locations:
    cp -rp bin/* /usr/local/bin
    cp -rp lib/* /usr/local/lib
    cp -rp etc/openssl.cnf /usr/local/etc

20 Pre-installation /3
Change the /usr/local/bin/mkproxy script as follows: …
For further information …

21 Testing
If you have installed a single grid certificate on your eToken, you can now generate a grid proxy by issuing the command:
    mkproxy --label="Robot:MrBayes"
    Starting Aladdin eToken PRO proxy generation
    Found X.509 certificate on eToken:
      label: (eTCAPI) Robot:MrBayes – Giuseppe La Rocca's GILDA ID
      id: 39453945373335312d333545442d343031612d384637302d3238463636393036363042303a31
    Your identity: /C=IT/O=GILDA/L=INFN Catania/CN=Robot:Genius – Giuseppe La Rocca
    Generating a 512 bit RSA private key..........++++++++++++......++++++++++++
    writing new private key to 'proxykey.D17633'
    -----
    engine "pkcs11" set.
    Signature ok
    subject=/C=IT/O=GILDA/L=INFN Catania/CN=Robot:Genius – Giuseppe La Rocca/CN=proxy
    Getting CA Private Key
    PKCS#11 token PIN:
    Your proxy is valid until: Sun Feb 24 03:58:09 CEST 2008-02-23
Add VOMS extensions by running the command:
    voms-proxy-init --noregen -voms

22 mkproxy command line options
    /bin/mkproxy --help
    mkproxy version 1.40
    This script will generate a X509 grid proxy using a public/private key pair found on an attached Aladdin eToken PRO.
    Options
      [--help]           Displays usage.
      [--version]        Displays version.
      [--debug]          Enables extra debug output.
      [--quiet]          Quiet mode, minimal output.
      [--limited]        Creates a limited globus proxy.
      [--old]            Creates a legacy globus proxy (default).
      [--gt3]            Creates a pre-RFC3820 compliant proxy.
      [--rfc]            Creates a RFC3820 compliant proxy.
      [--days=N]         Number of days the proxy is valid.
      [--valid=HH:MM]    Proxy is valid for HH hours and MM minutes (default=12:00).
      [--path-length=N]  Allow a chain of at most N proxies to be generated from this one (default=2).
      [--bits=N]         Number of bits in key (512, 1024, 2048, default=512).
      [--out=proxyfile]  Non-standard location of new proxy cert.
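The options above (--valid, --path-length, --bits) decide the shape of the proxy a portal hands to the Grid on a user's behalf, so the portal operator should check what gets generated. The following is an added example, not code from the slides, mkproxy or GENIUS: it models a proxy chain as plain Python records (no real X.509 parsing or signing) and applies the checks a defender wants on it: the leaf must chain back to a robot certificate, each proxy's subject must be the parent's subject plus /CN=proxy, its validity must lie inside the parent's, the key must not be the weak 512-bit default, and the chain depth must respect the path-length set by an earlier proxy. The robot subject (modelled on the slide's "Robot: MrBayes" identity), the thresholds min_bits and max_hours, and the sample_chain builder are this example's own assumptions.

```python
"""Policy checks over a robot-certificate proxy chain.

Added illustrative code, not part of mkproxy, GENIUS or gLite.  It models
the mkproxy options --valid=HH:MM, --path-length=N and --bits=N on plain
Python records: nothing here parses or signs real X.509 data, and every
subject name below is a constructed sample.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class Cert:
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime
    key_bits: int
    # Like --path-length: how many further proxies may be generated below
    # this one (None = unconstrained; only proxies carry it).
    path_length: Optional[int] = None


def parse_valid(valid: str) -> timedelta:
    """Turn a --valid=HH:MM string (mkproxy default 12:00) into a lifetime."""
    hours, minutes = (int(part) for part in valid.split(":"))
    return timedelta(hours=hours, minutes=minutes)


def make_proxy(parent: Cert, now: datetime, valid: str = "12:00",
               path_length: int = 2, bits: int = 512) -> Cert:
    """Model a proxy built with mkproxy defaults: subject is the parent
    subject plus /CN=proxy, lifetime from --valid, key size from --bits
    (default 512, as the slide shows)."""
    return Cert(subject=parent.subject + "/CN=proxy", issuer=parent.subject,
                not_before=now, not_after=now + parse_valid(valid),
                key_bits=bits, path_length=path_length)


def check_chain(chain: List[Cert], now: datetime,
                min_bits: int = 1024, max_hours: int = 24) -> List[str]:
    """chain[0] is the robot (end-entity) certificate, chain[1:] the proxies
    from first to last.  Returns policy findings; empty means acceptable.
    min_bits and max_hours are this example's own thresholds."""
    findings: List[str] = []
    if "/CN=Robot:" not in chain[0].subject:
        findings.append("end-entity certificate is not a robot certificate")
    remaining: Optional[int] = None  # proxies still allowed below the previous one
    for depth in range(1, len(chain)):
        parent, cert = chain[depth - 1], chain[depth]
        tag = f"proxy {depth}"
        if cert.issuer != parent.subject:
            findings.append(f"{tag}: issuer does not match the parent subject")
        if cert.subject != parent.subject + "/CN=proxy":
            findings.append(f"{tag}: subject is not the parent subject plus /CN=proxy")
        if cert.not_before < parent.not_before or cert.not_after > parent.not_after:
            findings.append(f"{tag}: validity period is not inside the parent's")
        if cert.not_after - cert.not_before > timedelta(hours=max_hours):
            findings.append(f"{tag}: lifetime exceeds {max_hours} hours")
        if cert.key_bits < min_bits:
            findings.append(f"{tag}: {cert.key_bits}-bit key is below {min_bits} bits")
        if remaining is not None and remaining <= 0:
            findings.append(f"{tag}: exceeds the path length set by an earlier proxy")
        # One level has been consumed; this proxy may also set its own cap.
        if remaining is not None:
            remaining -= 1
        if cert.path_length is not None:
            remaining = cert.path_length if remaining is None else min(remaining, cert.path_length)
    leaf = chain[-1]
    if not (leaf.not_before <= now < leaf.not_after):
        findings.append("leaf certificate is not valid at the given time")
    return findings


def sample_chain(now: datetime, depth: int, bits: int = 2048) -> List[Cert]:
    """Constructed sample: a robot certificate (subject modelled on the
    slide's 'Robot: MrBayes' identity) with `depth` proxies below it."""
    robot = Cert(subject="/C=IT/O=INFN/OU=Robot/L=Catania/CN=Robot: MrBayes - Giuseppe La Rocca",
                 issuer="/C=IT/O=INFN/CN=INFN CA",
                 not_before=now - timedelta(days=180),
                 not_after=now + timedelta(days=180), key_bits=2048)
    chain = [robot]
    for _ in range(depth):
        chain.append(make_proxy(chain[-1], now, bits=bits))
    return chain


if __name__ == "__main__":
    now = datetime(2009, 3, 11, 9, 0)
    for depth in (1, 3, 4):
        print(f"depth {depth}:", check_chain(sample_chain(now, depth), now) or "ok")
    print("512-bit default:", check_chain(sample_chain(now, 1, bits=512), now))
```

Run stand-alone, it reports chains of depth 1 and 3 as acceptable, rejects the fourth proxy level (the first proxy was generated with the default --path-length=2, which allows at most two further proxies below it), and flags a proxy generated with the default --bits=512 as too weak.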

23 Supported API /1
The following APIs are supported in the Linux version of eToken PKI Client 4.55:
– PKCS#11
– SAPI

24 Supported API /2
Output of a test program using the SunPKCS11 provider against the token:
    [main] INFO eToken - -----------------------------------------------------------------------------------
    [main] INFO eToken - [ Testing........ Aladdin eToken PRO 32K 4.2B ]
    [main] INFO eToken - Provider Name.. SunPKCS11-eToken
    [main] INFO eToken - Version........ 1.6
    [main] INFO eToken - Size........... 29
    [main] INFO eToken - >> Several key item(s) found - Proceed! <<
    [main] INFO eToken - -----------------------------------------------------------------------------------
    [main] INFO eToken - Number of entities found : 1
    [main] INFO eToken - Alias(es) found : (eTCAPI) Robot: MrBayes - Giuseppe La Rocca's INFN ID
    [main] INFO eToken - Private Key : SunPKCS11-eToken RSA private key, 2048 bits (id 3696295941, token object, sensitive, unextractable)
    [main] INFO eToken - Version: V3
      Subject: CN=Robot: MrBayes - Giuseppe La Rocca, L=Catania, OU=Robot, O=INFN, C=IT
      Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
      Key: SunPKCS11-eToken RSA public key, 2048 bits (id 522780681, session object)
      modulus: 20408054196643493770890785258772718229691578924215978354671210536785806108440618130058103532964178682640395984443039398481931308444701679262947948524301822534706464784165889206731662739853195409448757419021561712656640873688717212975160828433264294451697933451155931579818567350901290378565913480335527092219136858264084966157258157350020422136224554256348639968843979036715151394283601382470730155482565821377677708394727210803494205139770533279256315674722110799903985517135660887074261529547137595575164164176393076981806202588350329738437283062617255748238112781461915219751211349996577773404620089176017100547951
      public exponent: 65537
    [main] INFO eToken - Public Key: SunPKCS11-eToken RSA public key, 2048 bits (id 522780681, session object)
      modulus: 20408054196643493770890785258772718229691578924215978354671210536785806108440618130058103532964178682640395984443039398481931308444701679262947948524301822534706464784165889206731662739853195409448757419021561712656640873688717212975160828433264294451697933451155931579818567350901290378565913480335527092219136858264084966157258157350020422136224554256348639968843979036715151394283601382470730155482565821377677708394727210803494205139770533279256315674722110799903985517135660887074261529547137595575164164176393076981806202588350329738437283062617255748238112781461915219751211349996577773404620089176017100547951
      public exponent: 65537
    [main] INFO eToken - Public Key encoded : [B@140c281
    [main] INFO eToken - Public Key format : X.509
    [main] INFO eToken - Algorithm : RSA
    [main] INFO eToken - >> Get Certificate <<
    [main] INFO eToken - -----------------------------------------------------------------------
    [main] INFO eToken - Subject Name: CN=Robot: MrBayes - Giuseppe La Rocca, L=Catania, OU=Robot, O=INFN, C=IT
    [main] INFO eToken - Certificate Issued by : CN=INFN CA, O=INFN, C=IT
    [main] INFO eToken - Valid from : Mon Sep 08 16:04:47 CEST 2008
    [main] INFO eToken - Valid to : Tue Sep 08 16:04:47 CEST 2009
    [main] INFO eToken - Serial Number: 11248
    [main] INFO eToken - Generated with: SHA1withRSA
    [main] INFO eToken - Version: 3
    [main] INFO eToken - -----------------------------------------------------------------------
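Before a portal trusts the robot certificate on a token, the operator wants to confirm from output like the above that the private key is a non-extractable token object, that the certificate is inside its validity window, that it was issued by the expected CA and that it carries OU=Robot. The following is an added example, not part of eToken PKI Client or of the test program that produced the slide's output: it parses the "[main] INFO eToken - key : value" lines into a dictionary and runs those checks, also flagging the SHA1withRSA signature algorithm. SAMPLE_LOG is an abridged copy of the slide's own output (the modulus lines are dropped); the expected issuer string, the 2048-bit minimum and the 30-day expiry warning are this example's assumptions.

```python
"""Sanity checks on eToken key-inspection output.

Added illustrative code, not part of eToken PKI Client or the SunPKCS11
test program whose output the slide shows.  SAMPLE_LOG is an abridged
copy of that output (modulus lines dropped); the expected issuer string,
the 2048-bit minimum and the 30-day expiry warning are this example's
own assumptions.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List

SAMPLE_LOG = """\
[main] INFO eToken - -----------------------------------------------------
[main] INFO eToken - Provider Name.. SunPKCS11-eToken
[main] INFO eToken - Number of entities found : 1
[main] INFO eToken - Alias(es) found : (eTCAPI) Robot: MrBayes - Giuseppe La Rocca's INFN ID
[main] INFO eToken - Private Key : SunPKCS11-eToken RSA private key, 2048 bits (id 3696295941, token object, sensitive, unextractable)
[main] INFO eToken - Subject Name: CN=Robot: MrBayes - Giuseppe La Rocca, L=Catania, OU=Robot, O=INFN, C=IT
[main] INFO eToken - Certificate Issued by : CN=INFN CA, O=INFN, C=IT
[main] INFO eToken - Valid from : Mon Sep 08 16:04:47 CEST 2008
[main] INFO eToken - Valid to : Tue Sep 08 16:04:47 CEST 2009
[main] INFO eToken - Serial Number: 11248
[main] INFO eToken - Generated with: SHA1withRSA
"""

# "key : value" lines; separator and dotted lines carry no colon and are skipped.
LINE_RE = re.compile(r"^\[main\] INFO eToken - (?P<key>[^:]+?)\s*:\s*(?P<value>.*)$")
# "2048 bits (id 3696295941, token object, sensitive, unextractable)"
KEY_RE = re.compile(r"(?P<bits>\d+) bits \((?P<attrs>[^)]*)\)")


def parse_log(text: str) -> Dict[str, str]:
    """Map each 'key : value' entry to a dict (later entries overwrite earlier ones)."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            fields[match.group("key").strip()] = match.group("value").strip()
    return fields


def parse_java_date(text: str) -> datetime:
    """Parse java.util.Date.toString() output such as 'Mon Sep 08 16:04:47 CEST 2008'.
    The zone name is dropped, so the result is a naive timestamp in the token host's local time."""
    without_zone = re.sub(r"\s+[A-Z]{3,5}\s+(\d{4})$", r" \1", text)
    return datetime.strptime(without_zone, "%a %b %d %H:%M:%S %Y")


def check_token(fields: Dict[str, str], now: datetime,
                expected_issuer: str = "CN=INFN CA, O=INFN, C=IT",
                min_bits: int = 2048, warn_days: int = 30) -> List[str]:
    """Return the findings to resolve before the portal uses this token; empty means all checks passed."""
    findings: List[str] = []
    key_match = KEY_RE.search(fields.get("Private Key", ""))
    if not key_match:
        findings.append("private key line missing or unparseable")
    else:
        attrs = {a.strip() for a in key_match.group("attrs").split(",")}
        # The key must live on the token and never be readable by the host.
        for needed in ("token object", "sensitive", "unextractable"):
            if needed not in attrs:
                findings.append(f"private key is not marked '{needed}'")
        if int(key_match.group("bits")) < min_bits:
            findings.append(f"private key is shorter than {min_bits} bits")
    if "OU=Robot" not in fields.get("Subject Name", ""):
        findings.append("subject does not carry OU=Robot")
    if fields.get("Certificate Issued by") != expected_issuer:
        findings.append("certificate issuer is not the expected CA")
    try:
        not_before = parse_java_date(fields["Valid from"])
        not_after = parse_java_date(fields["Valid to"])
    except (KeyError, ValueError):
        findings.append("validity dates missing or unparseable")
    else:
        if not (not_before <= now < not_after):
            findings.append("certificate is not valid at the given time")
        elif not_after - now < timedelta(days=warn_days):
            findings.append(f"certificate expires within {warn_days} days")
    if fields.get("Generated with", "").upper().startswith("SHA1"):
        findings.append("signature algorithm is SHA1withRSA; SHA-1 is deprecated for signatures")
    return findings


if __name__ == "__main__":
    for finding in check_token(parse_log(SAMPLE_LOG), datetime(2009, 3, 11)) or ["all checks passed"]:
        print(finding)
```

Against the slide's output at the date of the talk the only finding is the SHA-1 signature; the same parser run on output in which the key were missing the "unextractable" attribute, or after the certificate's "Valid to" date, would add a finding for each, which is the point at which the token should not be put behind a portal.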

