
www.eu-eela.org - E-infrastructure shared between Europe and Latin America
Security Hands-on
Christian Grunfeld, UNLP
8th EELA Tutorial, La Plata, 11/12-12/12,2006





2  Overview
(footer repeated on every slide: E-infrastructure shared between Europe and Latin America, 5th EELA TUTORIAL - USERS - Santiago, 06/09-07/09,2006)
– Accessing the UI
– Private and public keys
– VOMS
  – voms-proxy-init
  – voms-proxy-info
– MyProxy
  – myproxy-init
  – myproxy-info
  – myproxy-get-delegation
  – myproxy-destroy

3  Accessing the UI
You need to have a real Unix account on the UI. User accounts have been created for this tutorial.
You have to establish a secure shell connection to the UI:
    ssh laplataXX@glite-ui.fisica.unlp.edu.ar
    password: GridLAPXX
where XX = 01 to 20.
Grid passphrase: LAPLATA (for all users)

4  Personal keys
The .globus directory contains your personal public / private keys. Pay attention to permissions:
– userkey.pem contains your private key, and must be readable only by yourself (400)
– usercert.pem contains your certificate (public key), which should also be readable from outside (644)
    [laplata01@glite-ui laplata01]$ ls -l .globus/
    total 8
    -rw-r--r--  1 laplata01 users 1127 Dec  6 11:16 usercert.pem
    -r--------  1 laplata01 users  963 Dec  6 11:16 userkey.pem
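The permission rule on this slide can be checked mechanically rather than by reading ls -l. The script below is an added example in Python, not part of the EELA tutorial or of the gLite tools: it audits the two files the slide names against the modes it prescribes (400 for the key, 644 for the certificate), flags a private key that group or other users could read as the dangerous case, and builds a throwaway directory with constructed placeholder PEM files so it runs offline. The function names and the demo directory are this example's own; point check_globus_dir at your real ~/.globus to audit your own account.

```python
"""Audit the .globus key pair permissions the slide prescribes.

Added example for this tutorial page (not part of the EELA slides). It
only looks at file modes; it never reads or validates the key material.
"""
import os
import stat
import tempfile

# Modes from the slide: private key owner-read-only, certificate world-readable.
EXPECTED_MODES = {"userkey.pem": 0o400, "usercert.pem": 0o644}


def file_mode(path):
    """Permission bits of path as an int, e.g. 0o400 for -r--------."""
    return stat.S_IMODE(os.stat(path).st_mode)


def check_globus_dir(globus_dir):
    """Audit a .globus directory against EXPECTED_MODES.

    Returns {file name: (verdict, mode)} where verdict is one of:
      "ok"         mode matches the slide exactly
      "missing"    file absent (mode is None)
      "too-open"   private key readable or writable by group or others
      "wrong-mode" any other deviation (e.g. a certificate nobody can read)
    """
    report = {}
    for name, expected in EXPECTED_MODES.items():
        path = os.path.join(globus_dir, name)
        if not os.path.isfile(path):
            report[name] = ("missing", None)
            continue
        mode = file_mode(path)
        if mode == expected:
            verdict = "ok"
        elif name == "userkey.pem" and mode & 0o077:
            # The dangerous case: other local users could copy the private key.
            verdict = "too-open"
        else:
            verdict = "wrong-mode"
        report[name] = (verdict, mode)
    return report


def all_ok(report):
    """True only when every file exists with exactly the expected mode."""
    return all(verdict == "ok" for verdict, _ in report.values())


def make_demo_globus(key_mode=0o400, cert_mode=0o644):
    """Create a throwaway .globus directory holding constructed placeholder
    PEM files (not real credentials) so the checker can run offline."""
    directory = tempfile.mkdtemp(prefix="globus-demo-")
    for name, mode in (("userkey.pem", key_mode), ("usercert.pem", cert_mode)):
        path = os.path.join(directory, name)
        with open(path, "w") as fh:
            fh.write("-----BEGIN PLACEHOLDER-----\n"
                     "constructed for the example, not a real key\n"
                     "-----END PLACEHOLDER-----\n")
        os.chmod(path, mode)
    return directory


if __name__ == "__main__":
    # Compare a correctly set up directory with one whose key is 644,
    # the mistake the slide warns about.
    for label, directory in (("good", make_demo_globus()),
                             ("bad", make_demo_globus(key_mode=0o644))):
        for name, (verdict, mode) in check_globus_dir(directory).items():
            shown = "-" if mode is None else oct(mode)
            print(f"{label:4s} {name:13s} {shown:>6s} {verdict}")
```

The verdicts deliberately separate "too-open" from "wrong-mode": a key with mode 600 is a cosmetic deviation from the slide, while a key with mode 644 exposes the credential to every other account on the shared UI.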

5  voms-proxy-init: options
Main usage: voms-proxy-init --voms <voms>
    -help, -usage              Displays usage
    -version                   Displays version
    -debug                     Enables extra debug output
    -quiet, -q                 Quiet mode, minimal output
    -verify                    Verifies certificate to make proxy for
    -pwstdin                   Allows passphrase from stdin
    -limited                   Creates a limited proxy
    -valid <h:m>               Proxy is valid for h hours and m minutes (default 12:00)
    -hours H                   Proxy is valid for H hours (default: 12)
    -bits <bits>               Number of bits in key {512|1024|2048|4096}
    -cert <certfile>           Non-standard location of user certificate
    -key <keyfile>             Non-standard location of user key
    -certdir <certdir>         Non-standard location of trusted cert dir
    -out <proxyfile>           Non-standard location of new proxy cert
    -voms <voms>[:<command>]   Specify voms server; :command is optional
    -order <group>[:<role>]    Specify ordering of attributes
    -vomslife <h:m>            Try to get a VOMS pseudocert valid for h hours and m minutes (default: value of -valid)
    -include <file>            Include the contents of the specified files
    -confile <file>            Non-standard location of voms server addresses
    -vomses <file>             Non-standard location of configuration files

6  Verify your credentials
Exercise 1: create a voms proxy requesting your group membership (all of you belong to the generic-users group); then verify the obtained credentials with:
    voms-proxy-info
Main options:
– -all    prints all proxy information
– -file   specifies a different location of the proxy file

7  voms-proxy-init
    [laplata01@glite-ui laplata01]$ voms-proxy-init --voms gilda
    Cannot find file or dir: /home/laplata01/.glite/vomses
    Your identity: /C=IT/O=GILDA/OU=Personal Certificate/L=LAPLATA/CN=LAPLATA01/Email=veiga@fisica.unlp.edu.ar
    Enter GRID pass phrase:
    Creating temporary proxy ..................................... Done
    Contacting voms.ct.infn.it:15001 [/C=IT/O=INFN/OU=Host/L=Catania/CN=voms.ct.infn.it] "gilda" Done
    Creating proxy ..................................................... Done
    Your proxy is valid until Sat Dec 9 11:18:53 2006

8  VOMS proxy info
    [laplata01@glite-ui laplata01]$ voms-proxy-info -all
    subject   : /C=IT/O=GILDA/OU=Personal Certificate/L=LAPLATA/CN=LAPLATA01/Email=veiga@fisica.unlp.edu.ar/CN=proxy
    issuer    : /C=IT/O=GILDA/OU=Personal Certificate/L=LAPLATA/CN=LAPLATA01/Email=veiga@fisica.unlp.edu.ar
    identity  : /C=IT/O=GILDA/OU=Personal Certificate/L=LAPLATA/CN=LAPLATA01/Email=veiga@fisica.unlp.edu.ar
    type      : proxy
    strength  : 512 bits
    path      : /tmp/x509up_u513
    timeleft  : 11:55:13
    === VO gilda extension information ===
    VO        : gilda
    subject   : /C=IT/O=GILDA/OU=Personal Certificate/L=LAPLATA/CN=LAPLATA01/Email=veiga@fisica.unlp.edu.ar
    issuer    : /C=IT/O=INFN/OU=Host/L=Catania/CN=voms.ct.infn.it
    attribute : /gilda/Role=NULL/Capability=NULL
    timeleft  : 11:54:42
The first block (subject to timeleft) shows the standard Globus attributes of the proxy; the block after the "=== VO gilda extension information ===" line shows the voms extensions.

9  Long term proxy: MyProxy
myproxy server:
– myproxy-init: allows to create and store a long term proxy certificate
– myproxy-info: get information about a stored long living proxy
– myproxy-get-delegation: get a new proxy from the MyProxy server
– myproxy-destroy: delete the stored proxy
Check them out with the myproxy-xxx --help option.

10  myproxy-init
    [laplata01@glite-ui laplata01]$ myproxy-init -s grid001.ct.infn.it
    Your identity: /C=IT/O=GILDA/OU=Personal Certificate/L=LAPLATA/CN=LAPLATA01/Email=veiga@fisica.unlp.edu.ar
    Enter GRID pass phrase for this identity:
    Creating proxy ......................................................... Done
    Proxy Verify OK
    Your proxy is valid until: Fri Dec 15 23:36:23 2006
    Enter MyProxy pass phrase:
    Verifying password - Enter MyProxy pass phrase:
    A proxy valid for 168 hours (7.0 days) for user laplata01 now exists on grid001.ct.infn.it.
Principal options:
– -c hours   specifies the lifetime of the stored credentials
– -t hours   specifies the maximum lifetime of retrieved credentials
– -s server  specifies the myproxy server used to store the credentials
– -d         stores the credential under the distinguished name in the proxy, instead of the user name (mandatory for some data management services and for proxy renewal)
For proxy renewal it is also mandatory to use -n (no passphrase). You also have to specify the subject of the principals that can renew a delegation (-R subject, or -A for any principal).

11  myproxy-info
Useful to retrieve info on stored credentials. Local credentials are needed to run it. If the credentials have been initialized with the -d switch, you also have to specify the same option here.
    [laplata01@glite-ui laplata01]$ myproxy-info
    username: laplata01
    owner: /C=IT/O=GILDA/OU=Personal Certificate/L=LAPLATA/CN=LAPLATA01/Email=veiga@fisica.unlp.edu.ar
    timeleft: 167:50:16  (7.0 days)

12  myproxy-get-delegation
This command is used to retrieve a delegation from a long-lived proxy stored on a myproxy server. It is independent of the machine: you don't need to have your certificate on board. If the credentials have been initialized with the -d switch, you have to specify it also in the myproxy-get-delegation request.
    [laplata01@glite-ui laplata01]$ myproxy-get-delegation
    Enter MyProxy pass phrase:
    A proxy has been received for user laplata01 in /tmp/x509up_u513

13  myproxy-destroy
Deletes, if existing, the long-lived credentials on the specified myproxy server. To specify the myproxy server you should use the -s switch.
    [laplata01@glite-ui laplata01]$ myproxy-destroy
    Default MyProxy credential for user laplata01 was successfully removed.

14  Exercise
Exercise 2
– Create a myproxy on the server grid001.ct.infn.it
– Check information on the created proxy
– Create a myproxy with the -d option
– Check the new proxy
– Which differences do you note?
– Destroy both proxies

15  Storing long-lived voms proxies
myproxy doesn't natively support VOMS. To allow storing of voms extensions, the myproxy client has been modified: the faculty of choosing VO and group/roles has been added, while all the previous options have been kept:
    myproxy-init --voms gilda
Proxies retrieved with myproxy-get-delegation will have the requested voms extension, but there is a limitation, due to the voms extension lifetime: typically it is limited, and it is not renewed when performing myproxy-get-delegation. Solutions to extend voms extension renewal in get-delegation are being studied. The "modified" client is available only on GILDA UIs; it will be largely deployed when the above issues are solved.

16  voms extension on a delegated proxy
    [laplata01@glite-ui laplata01]$ myproxy-get-delegation
    Enter MyProxy pass phrase:
    A proxy has been received for user laplata01 in /tmp/x509up_u513
    [laplata01@glite-ui laplata01]$ voms-proxy-info -all
    subject   : /C=IT/O=GILDA/OU=Personal Certificate/L=LAPLATA/CN=LAPLATA01/Email=veiga@fisica.unlp.edu.ar/CN=proxy/CN=proxy/CN=proxy
    issuer    : /C=IT/O=GILDA/OU=Personal Certificate/L=LAPLATA/CN=LAPLATA01/Email=veiga@fisica.unlp.edu.ar/CN=proxy/CN=proxy
    identity  : /C=IT/O=GILDA/OU=Personal Certificate/L=LAPLATA/CN=LAPLATA01/Email=veiga@fisica.unlp.edu.ar/CN=proxy/CN=proxy
    type      : unknown
    strength  : 512 bits
    path      : /tmp/x509up_u513
    timeleft  : 11:59:41
    === VO gilda extension information ===
    VO        : gilda
    subject   : /C=IT/O=GILDA/OU=Personal Certificate/L=LAPLATA/CN=LAPLATA01/Email=veiga@fisica.unlp.edu.ar
    issuer    : /C=IT/O=INFN/OU=Host/L=Catania/CN=voms.ct.infn.it
    attribute : /gilda/Role=NULL/Capability=NULL
    timeleft  : 11:55:42
The slide's annotation points at the last line: the voms extension lifetime.
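Slides 8 and 16 both read voms-proxy-info -all by eye. The script below is an added example in Python, not part of the EELA tutorial or of the VOMS and MyProxy tools: it parses that output into the standard Globus block and the VOMS extension block(s), counts the trailing /CN=proxy components to tell a freshly created proxy from one obtained through myproxy-get-delegation, and compares the two timeleft values, which is the lifetime mismatch slide 15 describes. SAMPLE is constructed after the slide 16 output with the Email component of the DN left out; the function names are this example's own, and on a gLite UI you would feed it the real command output instead.

```python
"""Parse `voms-proxy-info -all` output and compare proxy vs. VOMS lifetimes.

Added example for this tutorial page, not part of the EELA slides or of
the VOMS tools. SAMPLE is constructed after the output shown on slide 16
(delegated proxy, Email component of the DN dropped).
"""
import re

SAMPLE = """\
subject   : /C=IT/O=GILDA/OU=Personal Certificate/L=LAPLATA/CN=LAPLATA01/CN=proxy/CN=proxy/CN=proxy
issuer    : /C=IT/O=GILDA/OU=Personal Certificate/L=LAPLATA/CN=LAPLATA01/CN=proxy/CN=proxy
identity  : /C=IT/O=GILDA/OU=Personal Certificate/L=LAPLATA/CN=LAPLATA01/CN=proxy/CN=proxy
type      : unknown
strength  : 512 bits
path      : /tmp/x509up_u513
timeleft  : 11:59:41
=== VO gilda extension information ===
VO        : gilda
subject   : /C=IT/O=GILDA/OU=Personal Certificate/L=LAPLATA/CN=LAPLATA01
issuer    : /C=IT/O=INFN/OU=Host/L=Catania/CN=voms.ct.infn.it
attribute : /gilda/Role=NULL/Capability=NULL
timeleft  : 11:55:42
"""

TIMELEFT_RE = re.compile(r"^(\d+):(\d{2}):(\d{2})$")   # hours may exceed 24 (myproxy-info shows 167:50:16)
SECTION_RE = re.compile(r"^=== VO (\S+) extension information ===$")
FIELD_RE = re.compile(r"^(\S+)\s*:\s*(.*)$")


def parse_timeleft(value):
    """'11:59:41' -> 43181 seconds; raises on anything else."""
    match = TIMELEFT_RE.match(value.strip())
    if not match:
        raise ValueError(f"unexpected timeleft format: {value!r}")
    hours, minutes, seconds = (int(x) for x in match.groups())
    return hours * 3600 + minutes * 60 + seconds


def parse_voms_proxy_info(text):
    """Split the output into the Globus proxy block and one dict per VO block."""
    proxy, vos, current = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        section = SECTION_RE.match(line)
        if section:
            current = {"VO": section.group(1)}
            vos.append(current)
            continue
        field = FIELD_RE.match(line)
        if field:
            key, value = field.groups()
            (proxy if current is None else current)[key] = value
    return {"proxy": proxy, "vos": vos}


def delegation_depth(subject):
    """Number of trailing /CN=proxy components: 1 for a proxy made by
    voms-proxy-init from the user certificate (slide 8), more when a proxy
    was itself signed by a proxy, as after myproxy-get-delegation (slide 16)."""
    depth = 0
    while subject.endswith("/CN=proxy"):
        subject = subject[: -len("/CN=proxy")]
        depth += 1
    return depth


def summarize(text):
    """Facts worth knowing before submitting a job: how long the proxy lives,
    how long its VOMS attributes live, and whether the attributes expire
    first (the limitation slide 15 describes for delegated proxies)."""
    info = parse_voms_proxy_info(text)
    proxy = info["proxy"]
    proxy_seconds = parse_timeleft(proxy["timeleft"])
    voms_lifetimes = [parse_timeleft(vo["timeleft"]) for vo in info["vos"]]
    voms_seconds = min(voms_lifetimes) if voms_lifetimes else None
    return {
        "depth": delegation_depth(proxy["subject"]),
        "strength_bits": int(proxy["strength"].split()[0]),
        "proxy_seconds": proxy_seconds,
        "voms_seconds": voms_seconds,
        "voms_expires_first": voms_seconds is not None and voms_seconds < proxy_seconds,
        "attributes": [vo.get("attribute") for vo in info["vos"]],
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE)
    for key, value in summary.items():
        print(f"{key:19s} {value}")
    if summary["voms_expires_first"]:
        print("note: the VOMS attributes lapse before the proxy itself; "
              "work that needs VO roles must finish within voms_seconds")
```

On the slide 16 output the summary reports depth 3, a 512-bit key (the default on the slides; the -bits option on slide 5 allows longer keys) and a VOMS lifetime shorter than the proxy lifetime, which is exactly the effect slide 15 warns about.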

17  Exercise
Exercise 3
– Create a myproxy on the server grid001.ct.infn.it
– Check information on the created proxy
– Destroy your local proxy
– Get a delegation from myproxy
– Destroy myproxy

18  Questions




