www.eu-eela.org
E-infrastructure shared between Europe and Latin America
FP6-2004-Infrastructures-6-SSA-026409

Hands-on on security
Pedro Rausch, IF - UFRJ
Ninth EELA Tutorial, Bogotá, 06.03.2007
Overview
- Accessing the UI
- Private and public keys
- VOMS
  - voms-proxy-init
  - voms-proxy-info
  - voms-proxy-destroy
- MyProxy
  - myproxy-init
  - myproxy-info
  - myproxy-get-delegation
  - myproxy-destroy
How to access the User Interface
- Open the VMWare User Interface on your desktop (click the icon)
- Username: bogotaXX (LOOK AT THE STICKER!), where XX is in [01..50]
- Password: GridBOG XX, where XX is in [01..50]
- Certificate passphrase: BOGOTA
Preliminary: .globus directory
- The .globus directory contains your personal public / private keys
- Pay attention to permissions:
  - userkey.pem contains your private key, and must be readable just by yourself (400)
  - usercert.pem contains your certificate (public key), which should be readable also from outside (644)

  [bogota01@eventogrid1 bogota01]$ ls -la .globus/u*
  -rw-r--r--  1 bogota01 bogota01 1131 Mar  1 03:27 .globus/usercert.pem
  -r--------  1 bogota01 bogota01  963 Mar  1 03:27 .globus/userkey.pem
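A small audit of the .globus key pair as the slide describes it (userkey.pem mode 400, usercert.pem mode 644). This is an added example, not part of the tutorial; it assumes GNU coreutils for `stat -c %a`, and make_sample only builds a constructed directory with placeholder files so the check can be demonstrated offline.

```shell
# Added example (not from the tutorial): audit the ~/.globus key pair the way
# the slide describes: userkey.pem must be mode 400, usercert.pem mode 644.
# Assumes GNU coreutils (`stat -c %a`). Real use: check_globus_perms "$HOME/.globus"

# check_globus_perms DIR -> 0 if both files exist with the expected mode, 1 otherwise
check_globus_perms() {
    dir="$1"
    rc=0
    for spec in "userkey.pem:400" "usercert.pem:644"; do
        file="${spec%%:*}"
        want="${spec##*:}"
        path="$dir/$file"
        if [ ! -f "$path" ]; then
            echo "MISSING  $path" >&2
            rc=1
            continue
        fi
        have=$(stat -c %a "$path")
        if [ "$have" = "$want" ]; then
            echo "OK       $path (mode $have)"
        else
            # A private key readable by the group or others is the finding to act on.
            echo "BAD      $path is mode $have, expected $want" >&2
            rc=1
        fi
    done
    return $rc
}

# make_sample KEYMODE -> prints a constructed .globus-like directory whose
# userkey.pem has mode KEYMODE (usercert.pem is always 644). Demo data only:
# the files are placeholders, not a real certificate or key.
make_sample() {
    d=$(mktemp -d)
    printf 'constructed placeholder, not a real certificate\n' > "$d/usercert.pem"
    printf 'constructed placeholder, not a real key\n' > "$d/userkey.pem"
    chmod 644 "$d/usercert.pem"
    chmod "$1" "$d/userkey.pem"
    echo "$d"
}
```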
voms-proxy-init: create credentials

Main options: voms-proxy-init --voms <voname>

  -help, -usage          Displays usage
  -version               Displays version
  -debug                 Enables extra debug output
  -quiet, -q             Quiet mode, minimal output
  -verify                Verifies certificate to make proxy for
  -pwstdin               Allows passphrase from stdin
  -limited               Creates a limited proxy
  -valid <h:m>           Proxy is valid for h hours and m minutes (default to 12:00)
  -hours H               Proxy is valid for H hours (default: 12)
  -bits <bits>           Number of bits in key {512|1024|2048|4096}
  -cert <certfile>       Non-standard location of user certificate
  -key <keyfile>         Non-standard location of user key
  -certdir <certdir>     Non-standard location of trusted cert dir
  -out <proxyfile>       Non-standard location of new proxy cert
  -voms <voms<:command>> Specify voms server. :command is optional.
  -order <group<:role>>  Specify ordering of attributes.
  -vomslife <h:m>        Try to get a VOMS pseudocert valid for h hours and m minutes (default to value of -valid).
  -include <file>        Include the contents of the specified files
  -confile <file>        Non-standard location of voms server addresses.
  -vomses <file>         Non-standard location of configuration files.
voms-proxy-init output

  [bogota01@eventogrid1 bogota01]$ voms-proxy-init --voms gilda
  Cannot find file or dir: /home/bogota01/.glite/vomses
  Your identity: /C=IT/O=GILDA/OU=Personal Certificate/L=BOGOTA/CN=BOGOTA01/Email=claudio.cherubino@ct.infn.it
  Enter GRID pass phrase: ************
  Creating temporary proxy ............................... Done
  Contacting voms.ct.infn.it:15001 [/C=IT/O=INFN/OU=Host/L=Catania/CN=voms.ct.infn.it] "gilda" Done
  Creating proxy ................................. Done
  Your proxy is valid until Tue Mar  6 23:06:20 2007
voms-proxy-info: check credentials

voms-proxy-info
- Main options:
  -all     prints all proxy options
  -file    specifies a different location of proxy file
voms-proxy-info output

  [bogota01@eventogrid1 bogota01]$ voms-proxy-info --all
  subject   : /C=IT/O=GILDA/OU=Personal Certificate/L=BOGOTA/CN=BOGOTA01/Email=claudio.cherubino@ct.infn.it/CN=proxy
  issuer    : /C=IT/O=GILDA/OU=Personal Certificate/L=BOGOTA/CN=BOGOTA01/Email=claudio.cherubino@ct.infn.it
  identity  : /C=IT/O=GILDA/OU=Personal Certificate/L=BOGOTA/CN=BOGOTA01/Email=claudio.cherubino@ct.infn.it
  type      : proxy
  strength  : 512 bits
  path      : /tmp/x509up_u501
  timeleft  : 11:57:40
  === VO gilda extension information ===
  VO        : gilda
  subject   : /C=IT/O=GILDA/OU=Personal Certificate/L=BOGOTA/CN=BOGOTA01/Email=claudio.cherubino@ct.infn.it
  issuer    : /C=IT/O=INFN/OU=Host/L=Catania/CN=voms.ct.infn.it
  attribute : /gilda/Role=NULL/Capability=NULL
  timeleft  : 11:57:33

The lines above the "=== VO gilda extension information ===" marker are the standard Globus attributes; the lines below it are the VOMS extensions.
voms-proxy-destroy: destroy credentials

voms-proxy-destroy
- Takes no options
- Destroys the proxy certificate pointed to by the $X509_USER_PROXY environment variable
voms-proxy-destroy output

  [bogota01@eventogrid1 bogota01]$ echo $X509_USER_PROXY
  /tmp/x509up_u501
  [bogota01@eventogrid1 bogota01]$ voms-proxy-destroy
  [bogota01@eventogrid1 bogota01]$
  [bogota01@eventogrid1 bogota01]$ voms-proxy-info --all
  Couldn't find a valid proxy.
  [bogota01@eventogrid1 bogota01]$
First Exercise
1. Create a plain voms proxy without requesting group membership;
2. Verify your proxy, checking that it has no VOMS extensions;
3. Destroy the created proxy;
4. Verify your proxy again;
5. Do steps 1-4 again, this time requesting gilda group membership
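To make step 2 of the exercise checkable from a script rather than by eye, the functions below parse a voms-proxy-info --all listing like the one shown two slides earlier: whether a VO extension block is present, how many seconds the proxy itself has left, and its key strength. This is an added example, not part of the tutorial; the listings are constructed after the slide's sample output, and timeleft_seconds also accepts the "timeleft: HH:MM:SS" form that myproxy-info prints later in the tutorial.

```shell
# Added example (not from the tutorial): check a voms-proxy-info --all listing
# the way Exercise 1 asks. Sample listings below are constructed after the slide.

SAMPLE_WITH_VOMS=$(cat <<'EOF'
subject   : /C=IT/O=GILDA/OU=Personal Certificate/L=BOGOTA/CN=BOGOTA01/CN=proxy
issuer    : /C=IT/O=GILDA/OU=Personal Certificate/L=BOGOTA/CN=BOGOTA01
identity  : /C=IT/O=GILDA/OU=Personal Certificate/L=BOGOTA/CN=BOGOTA01
type      : proxy
strength  : 512 bits
path      : /tmp/x509up_u501
timeleft  : 11:57:40
=== VO gilda extension information ===
VO        : gilda
subject   : /C=IT/O=GILDA/OU=Personal Certificate/L=BOGOTA/CN=BOGOTA01
issuer    : /C=IT/O=INFN/OU=Host/L=Catania/CN=voms.ct.infn.it
attribute : /gilda/Role=NULL/Capability=NULL
timeleft  : 11:57:33
EOF
)

# A plain (non-VOMS) proxy listing stops before the VO block.
SAMPLE_PLAIN=$(printf '%s\n' "$SAMPLE_WITH_VOMS" | sed '/^=== VO /,$d')

# has_voms_extension LISTING -> 0 if a VO extension block is present, 1 otherwise
has_voms_extension() {
    printf '%s\n' "$1" | grep -q '^=== VO .* extension information ==='
}

# timeleft_seconds LISTING -> seconds left on the proxy itself (first timeleft line).
# Accepts both "timeleft : HH:MM:SS" (voms-proxy-info) and "timeleft: HH:MM:SS" (myproxy-info).
timeleft_seconds() {
    printf '%s\n' "$1" | awk '$1 ~ /^timeleft:?$/ {
        v = ($1 == "timeleft") ? $3 : $2
        split(v, t, ":"); print t[1]*3600 + t[2]*60 + t[3]; exit }'
}

# proxy_strength LISTING -> key size in bits
proxy_strength() {
    printf '%s\n' "$1" | awk '$1 == "strength" { print $3; exit }'
}

# assert_proxy LISTING MIN_SECONDS WANT_VOMS(yes|no) -> 0 if the proxy still has at
# least MIN_SECONDS and the VOMS extension is present exactly when expected
assert_proxy() {
    listing="$1"; min="$2"; want="$3"; rc=0
    secs=$(timeleft_seconds "$listing")
    [ "${secs:-0}" -ge "$min" ] || { echo "proxy has only ${secs:-0}s left" >&2; rc=1; }
    if has_voms_extension "$listing"; then have=yes; else have=no; fi
    [ "$have" = "$want" ] || { echo "VOMS extension present: $have, expected $want" >&2; rc=1; }
    return $rc
}
```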
Long term proxy: MyProxy

myproxy server:
  - myproxy-init             Allows to create and store a long term proxy certificate
  - myproxy-info             Get information about a stored long living proxy
  - myproxy-get-delegation   Get a new proxy from the MyProxy server
  - myproxy-destroy
- Check them out with the myproxy-xxx --help option
- A dedicated service on the RB (Resource Broker) can renew the proxy automatically
  - by contacting the myproxy server
myproxy-init: store proxy credentials

Main options
  -c hours    specifies lifetime of stored credentials
  -t hours    specifies the maximum lifetime of retrieved credentials
  -s server   specifies the myproxy server used to store credentials
  -d          stores credential with the distinguished name in proxy, instead of user name
              (mandatory for some data management services and proxy renewal)

For proxy renewal, -n (no passphrase) is also mandatory. You also have to specify the subject of the principals that can renew a delegation (-R subject, or -A for any principal).
myproxy-init output

  [bogota01@eventogrid1 bogota01]$ myproxy-init
  Your identity: /C=IT/O=GILDA/OU=Personal Certificate/L=BOGOTA/CN=BOGOTA01/Email=claudio.cherubino@ct.infn.it
  Enter GRID pass phrase for this identity: ***********
  Creating proxy ................................. Done
  Proxy Verify OK
  Your proxy is valid until: Tue Mar 13 14:00:18 2007
  Enter MyProxy pass phrase: ***********
  Verifying password - Enter MyProxy pass phrase:
  A proxy valid for 168 hours (7.0 days) for user bogota01 now exists on grid001.ct.infn.it.
  [bogota01@eventogrid1 bogota01]$
myproxy-info: retrieve stored proxy info
- Useful to retrieve info on stored credentials
- Requires local credentials to be performed
- If the credentials have been initialized with the -d switch, you also have to specify the same option here
- The user must have a valid proxy to issue this command
myproxy-info output

  [bogota01@eventogrid1 bogota01]$ myproxy-info -v
  Socket bound to port 20000.
  server name: /C=IT/O=INFN/OU=Host/L=Catania/CN=grid001.ct.infn.it
  checking if server name matches "myproxy@grid001.ct.infn.it"
  server name does not match
  checking if server name matches "host@grid001.ct.infn.it"
  server name accepted
  username: bogota01
  owner: /C=IT/O=GILDA/OU=Personal Certificate/L=BOGOTA/CN=BOGOTA01/Email=claudio.cherubino@ct.infn.it
  timeleft: 167:54:03  (7.0 days)
myproxy-get-delegation: get proxy
- This command is used to retrieve a delegation from a long lived proxy stored on a myproxy server
- It is independent of the machine! You don't need to have your certificate on board
- If the credentials have been initialized with the -d switch, you have to specify it also in the myproxy-get-delegation request
myproxy-get-delegation: output

  [bogota01@eventogrid1 bogota01]$ myproxy-get-delegation
  Enter MyProxy pass phrase:
  A proxy has been received for user bogota01 in /tmp/x509up_u501
myproxy-destroy: destroy proxy
- Deletes, if existing, the long lived credentials on the specified myproxy server
- To specify the myproxy server you should use the -s switch
- Again, the user must have a valid proxy certificate
myproxy-destroy: output

  [bogota01@eventogrid1 bogota01]$ myproxy-destroy -v
  Socket bound to port 20000.
  server name: /C=IT/O=INFN/OU=Host/L=Catania/CN=grid001.ct.infn.it
  checking if server name matches "myproxy@grid001.ct.infn.it"
  server name does not match
  checking if server name matches "host@grid001.ct.infn.it"
  server name accepted
  Default MyProxy credential for user bogota01 was successfully removed.
Second Exercise
1. Create a myproxy on the server grid001.ct.infn.it
2. Fetch a delegation from the myproxy server
3. Check information on the created proxy on the myproxy server
4. Destroy both the delegated proxy and the proxy stored on the myproxy server
5. Repeat steps 1-4 using the -d option
6. Which differences do you note between the two proxies?
VOMS extensions on a delegated proxy
- MyProxy doesn't natively support VOMS
- In order to overcome this issue:
  - Fetch the proxy without the delegation
  - Issue the command voms-proxy-init with the -noregen option
Sample output

  [bogota01@eventogrid1 bogota01]$ myproxy-get-delegation
  Enter MyProxy pass phrase: ************
  A proxy has been received for user bogota01 in /tmp/x509up_u501
  [bogota01@eventogrid1 bogota01]$ voms-proxy-init --voms gilda -noregen
  Cannot find file or dir: /home/bogota01/.glite/vomses
  Your identity: /C=IT/O=GILDA/OU=Personal Certificate/L=BOGOTA/CN=BOGOTA01/Email=claudio.cherubino@ct.infn.it/CN=proxy/CN=proxy/CN=proxy
  Contacting voms.ct.infn.it:15001 [/C=IT/O=INFN/OU=Host/L=Catania/CN=voms.ct.infn.it] "gilda" Done
  Creating proxy ............................ Done
  Warning: your certificate and proxy will expire Wed Mar  7 02:18:10 2007 which is within the requested lifetime of the proxy

The second command adds the VOMS extension to the proxy that was just retrieved from the MyProxy server.
Questions