Presentation is loading. Please wait.

Presentation is loading. Please wait.

Practicals on VOMS and MyProxy

Published byMabel Morrison Modified over 6 years ago

Similar presentations

Presentation on theme: "Practicals on VOMS and MyProxy"— Presentation transcript:

1 Practicals on VOMS and MyProxy
Emidio Giorgio Valerio Venturi INFN First gLite tutorial on GILDA, Catania,

2 Outline VOMS vs. plain proxy VOMS proxy creation MyProxy
Obtaining VOMS delegation through MyProxy First gLite tutorial on GILDA, Catania,

3 VOMS generalities Virtual Organisation Membership Services is service which keeps track of VO members and grants users authorization to access resources at the VO level Differently from standard plain proxies, provides support for group membership, roles, and capabilities Each VO has a server, which is contacted from user when he initialize his proxy VOMS server returns infos which are included in user proxy certificate First gLite tutorial on GILDA, Catania,

4 VOMS proxy creation voms-proxy-init --voms gildav
Your identity: /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio Enter GRID pass phrase for this identity: [insert your certificate passphrase] Creating temporary proxy Done /C=IT/O=INFN/OU=Host/L=CNAF/CN=cert-voms-01.cnaf.infn.it /C=IT/O=INFN/CN=INFN Certification Authority Creating proxy Done Your proxy is valid until Mon Jun 13 09:06: First gLite tutorial on GILDA, Catania,

5 VOMS proxy creation Principal options -hours x, create a proxy valid for x hours -cert <certfile> Non-standard location of user certificate -key <keyfile> Non-standard location of user key -out <proxyfile> Non-standard location of new proxy cert Maximum value for hours is 24, with superior values validity will be shortened to hours First gLite tutorial on GILDA, Catania,

6 Verify your credentials
voms-proxy-info Principal options : -all prints all proxy options -file specifies a different location of proxy file WARNING : in gLite 1.0, you may have problems (error 5025) with glite-job-* commands, when in /etc/grid-security/vomsdir there’s more than one host certificate. By pass this creating a directory containing only the host certificate of your VOMS server. ls /etc/grid-security/vomsdir.gildav.glite/ gildav-cert-voms-01.cnaf.infn.it.pem Then export X509_VOMS_DIR=/etc/grid-security/vomsdir.gildav.glite/ First gLite tutorial on GILDA, Catania,

7 Verify obtained credentials
voms-proxy-info --all subject : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio issuer : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio identity : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio type : proxy strength : 512 bits path : /tmp/x509up_u513 timeleft : 20:59:53 VO : gildav subject : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio issuer : /C=IT/O=INFN/OU=Host/L=CNAF/CN=cert-voms-01.cnaf.infn.it attribute : /gildav/Role=NULL/Capability=NULL timeleft : 20:58:28 First gLite tutorial on GILDA, Catania,

8 Long term proxy : MyProxy
Proxy (and VOMS proxy) have limited lifetime (default is 12 h) Bad idea to have longer proxy However, a grid task might need to use a proxy for a much longer time Grid jobs in HEP Data Challenges on LCG last up to 2 days myproxy server: Allows to create and store a long term proxy certificate: myproxy-init -s <host_name> -s: <host_name> specifies the hostname of the myproxy server myproxy-info Get information about stored long living proxy myproxy-get-delegation Get a new proxy from the MyProxy server myproxy-destroy Chech out the myproxy-xxx - - help option A dedicated service on the RB can renew automatically the proxy contacts the myproxy server First gLite tutorial on GILDA, Catania,

9 myproxy-init Principal option
myproxy-init -s grid001.ct.infn.it Your identity: /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio Enter GRID pass phrase for this identity: Creating proxy Done Proxy Verify OK Your proxy is valid until: Sun Jun 19 21:18: Enter MyProxy pass phrase: Verifying password - Enter MyProxy pass phrase: A proxy valid for 168 hours (7.0 days) for user giorgio now exists on grid001.ct.infn.it. Principal option -c hours specifies lifetime of the credential stored -t hours specifies the maximum lifetime of credentials retrieved First gLite tutorial on GILDA, Catania,

10 myproxy-info Useful to retrieve info on stored credentials
myproxy-info -s grid001.ct.infn.it username: giorgio owner: /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio timeleft: 167:55:34 (7.0 days) First gLite tutorial on GILDA, Catania,

11 myproxy-get-delegation
This command can be used to retrieve a proxy stored, It is independent by the machine ! You don’t need to have your certificate on board mv .globus dummy myproxy-get-delegation -s grid001.ct.infn.it Enter MyProxy pass phrase: A proxy has been received for user giorgio in /tmp/x509up_u513 mv dummy/ .globus First gLite tutorial on GILDA, Catania,

12 MyProxy and VOMS myproxy-init works creating a temporary plain proxy, with the “old” grid-proxy-init The plain proxy is stored on the MyProxy Server It will be valid for the desired duration (default is a week, maximum is the certificate lifetime) The proxy retrieved with myproxy-get-delegation will be a plain proxy too….. All the VOMS extensions in these way are lost Resources will rejects jobs from these user How can use delegated credentials keeping VOMS extension ? First gLite tutorial on GILDA, Catania,

13 Tricking the MyProxy server
These procedure is valid for the applications which needs to renew user credentials Store once a plain proxy on myproxy server myproxy-init -s grid001.ct.infn.it Soon get the delegated credentials, specifying lifetime myproxy-get-delegation -s grid001.ct.infn.it -t 27 Enter MyProxy pass phrase: A proxy has been received for user giorgio in /tmp/x509up_u513 Request a voms proxy signing it with the received delegation (no passphrase requested) voms-proxy-init -t 25 -cert /tmp/x509up_u513 -key /tmp/x509up_u513 -voms gildav Your identity: /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio Creating temporary proxy Done /C=IT/O=INFN/OU=Host/L=CNAF/CN=cert-voms-01.cnaf.infn.it /C=IT/O=INFN/CN=INFN Certification Authority Creating proxy Done First gLite tutorial on GILDA, Catania,

14 Problems These trick perfectly works on an uniform testbed (entirely gLite or lcg) Not like the one you’re using now  (UI + RB glite, CE + WN lcg) The reason is already unknown, but seems dued to differences between CE’s First gLite tutorial on GILDA, Catania,

15 Questions… First gLite tutorial on GILDA, Catania,

Download ppt "Practicals on VOMS and MyProxy"

Similar presentations

EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org Practical using EGEE middleware: AA and simple job submission.

EGEE-II INFSO-RI Enabling Grids for E-sciencE Practical using EGEE middleware: AA and simple job submission.
12th EELA Tutorial, Lima, 24-28.09.2007 FP6−2004−Infrastructures−6-SSA-026409 www.eu-eela.org E-infrastructure shared between Europe and Latin America.

12th EELA Tutorial, Lima, FP6−2004−Infrastructures−6-SSA E-infrastructure shared between Europe and Latin America.
It’s not about security... it’s about access! Grid Security Pieter van Beek.

It’s not about security... it’s about access! Grid Security Pieter van Beek.
Riccardo Bruno, INFN.CT Sevilla, 10-14/09/2007 GENIUS Exercises.

Riccardo Bruno, INFN.CT Sevilla, 10-14/09/2007 GENIUS Exercises.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE Tutorial Getting started with GILDA.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE Tutorial Getting started with GILDA.
Summer School Certificates Diego Romano & Gilda Team.

Summer School Certificates Diego Romano & Gilda Team.
GLite authentication and authorization Discipline: Grid Computing, 07/08-2 Practical classes Inês Dutra, DCC/FCUP.

GLite authentication and authorization Discipline: Grid Computing, 07/08-2 Practical classes Inês Dutra, DCC/FCUP.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org Practicals on VOMS and MyProxy Emidio Giorgio INFN Retreat between GILDA and ESR VO, Bratislava,

INFSO-RI Enabling Grids for E-sciencE Practicals on VOMS and MyProxy Emidio Giorgio INFN Retreat between GILDA and ESR VO, Bratislava,
FP6−2004−Infrastructures−6-SSA-026409 www.eu-eela.org E-infrastructure shared between Europe and Latin America Luciano Díaz ICN-UNAM Based on Domenico.

FP6−2004−Infrastructures−6-SSA E-infrastructure shared between Europe and Latin America Luciano Díaz ICN-UNAM Based on Domenico.
Www.eu-eela.org E-science grid facility for Europe and Latin America E2GRIS1 Raúl Priego Martínez – CETA-CIEMAT (Spain)‏ Itacuruça (Brazil), 2-15 November.

E-science grid facility for Europe and Latin America E2GRIS1 Raúl Priego Martínez – CETA-CIEMAT (Spain)‏ Itacuruça (Brazil), 2-15 November.
FP6−2004−Infrastructures−6-SSA-026409 www.eu-eela.org E-infrastructure shared between Europe and Latin America MyProxy server installation Emidio Giorgio.

FP6−2004−Infrastructures−6-SSA E-infrastructure shared between Europe and Latin America MyProxy server installation Emidio Giorgio.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org How to join GILDA Riccardo Bruno INFN gLite Tutorial at the First EGEE User Forum CERN, 27-28.02.2006.

INFSO-RI Enabling Grids for E-sciencE How to join GILDA Riccardo Bruno INFN gLite Tutorial at the First EGEE User Forum CERN,
Www.eu-eela.org E-infrastructure shared between Europe and Latin America Security Hands-on Christian Grunfeld, UNLP 8th EELA Tutorial, La Plata, 11/12-12/12,2006.

E-infrastructure shared between Europe and Latin America Security Hands-on Christian Grunfeld, UNLP 8th EELA Tutorial, La Plata, 11/12-12/12,2006.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org VOMS architecture Valerio Venturi, Vincenzo Ciaschini INFN First gLite tutorial on GILDA,

INFSO-RI Enabling Grids for E-sciencE VOMS architecture Valerio Venturi, Vincenzo Ciaschini INFN First gLite tutorial on GILDA,
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org GILDA Practicals : Security systems GILDA Tutors Singapore, 1st South East Asia Forum -- EGEE.

INFSO-RI Enabling Grids for E-sciencE GILDA Practicals : Security systems GILDA Tutors Singapore, 1st South East Asia Forum -- EGEE.
Www.eu-eela.org E-infrastructure shared between Europe and Latin America FP6−2004−Infrastructures−6-SSA-026409 Hands-on on security Pedro Rausch IF - UFRJ.

E-infrastructure shared between Europe and Latin America FP6−2004−Infrastructures−6-SSA Hands-on on security Pedro Rausch IF - UFRJ.
Www.cs.wisc.edu/Condor Condor-G A Quick Introduction Alan De Smet Condor Project University of Wisconsin - Madison.

Condor-G A Quick Introduction Alan De Smet Condor Project University of Wisconsin - Madison.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks VOMS Vincenzo Ciaschini EGEE/OSG Workshop.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks VOMS Vincenzo Ciaschini EGEE/OSG Workshop.
Hands-on security Angelines Alberto Morillas Ciemat.

Hands-on security Angelines Alberto Morillas Ciemat.
EGEE is a project funded by the European Union under contract IST-2003-508833 Grid proxy and MyProxy Roberto Barbera Univ. of Catania and INFN SEE-GRID.

EGEE is a project funded by the European Union under contract IST Grid proxy and MyProxy Roberto Barbera Univ. of Catania and INFN SEE-GRID.

Similar presentations

Ads by Google