Download presentation
Presentation is loading. Please wait.
1
www.eu-eela.org E-infrastructure shared between Europe and Latin America Security Hands-on Alexandre Duarte CERN Fifth EELA Tutorial Santiago, 06/09-07/09,2006
2
E-infrastructure shared between Europe and Latin America 2 5th EELA TUTORIAL - USERS - Santiago, 06/09-07/09,2006 Overview Accessing to the UI Private and public keys VOMS –voms-proxy-init –voms-proxy-info MyProxy –myproxy-init –myproxy-info –myproxy-get-delegation –myproxy-destroy
3
E-infrastructure shared between Europe and Latin America 3 5th EELA TUTORIAL - USERS - Santiago, 06/09-07/09,2006 Preliminary:.globus directory.globus directory contains your personal public / private keys Pay attention to permissions – userkey.pem contains your private key, and must be readable just by yourself (400) – usercert.pem contains your public key, which should be readable also from outside (644) [lxplus059] ~ > ls -al.globus/u* -rw-r--r-- 1 aduarte cg 1604 Jun 8 16:50.globus/usercert.pem -r-------- 1 aduarte cg 963 Jun 8 17:12.globus/userkey.pem
![E-infrastructure shared between Europe and Latin America 3 5th EELA TUTORIAL - USERS - Santiago, 06/09-07/09,2006 Preliminary:.globus directory.globus directory contains your personal public / private keys Pay attention to permissions – userkey.pem contains your private key, and must be readable just by yourself (400) – usercert.pem contains your public key, which should be readable also from outside (644) [lxplus059] ~ > ls -al.globus/u* -rw-r--r-- 1 aduarte cg 1604 Jun 8 16:50.globus/usercert.pem -r aduarte cg 963 Jun 8 17:12.globus/userkey.pem](http://images.slideplayer.com./28/9290671/slides/slide_3.jpg "E-infrastructure shared between Europe and Latin America 3 5th EELA TUTORIAL - USERS - Santiago, 06/09-07/09,2006 Preliminary:.globus directory.globus directory contains your personal public / private keys Pay attention to permissions – userkey.pem contains your private key, and must be readable just by yourself (400) – usercert.pem contains your public key, which should be readable also from outside (644) [lxplus059] ~ > ls -al.globus/u* -rw-r--r-- 1 aduarte cg 1604 Jun 8 16:50.globus/usercert.pem -r aduarte cg 963 Jun 8 17:12.globus/userkey.pem")
4
E-infrastructure shared between Europe and Latin America 4 5th EELA TUTORIAL - USERS - Santiago, 06/09-07/09,2006 glite-voms-proxy-init: options Main options glite-voms-proxy-init --voms -help, -usage Displays usage -version Displays version -debug Enables extra debug output -quiet, -q Quiet mode, minimal output -verify Verifies certificate to make proxy for -pwstdin Allows passphrase from stdin -limited Creates a limited proxy -valid Proxy is valid for h hours and m minutes (default to 12:00) -hours H Proxy is valid for H hours (default:12) -bits Number of bits in key {512|1024|2048|4096} -cert Non-standard location of user certificate -key Non-standard location of user key -certdir Non-standard location of trusted cert dir -out Non-standard location of new proxy cert -voms > Specify voms server. :command is optional. -order > Specify ordering of attributes. -vomslife Try to get a VOMS pseudocert valid for h hours and m minutes (default to value of -valid). -include Include the contents of the specified files -confile Non-standard location of voms server addresses.. -vomses Non-standard loation of configuration files.
5
E-infrastructure shared between Europe and Latin America 5 5th EELA TUTORIAL - USERS - Santiago, 06/09-07/09,2006 Verify your credentials Exercise 1 : create a voms proxy requesting your group membership (all of you belong to generic-users group); then verify obtained credentials with: glite-voms-proxy-info –Main options : -all prints all proxy options -file specifies a different location of proxy file
6
E-infrastructure shared between Europe and Latin America 6 5th EELA TUTORIAL - USERS - Santiago, 06/09-07/09,2006 glite-voms-proxy-init lxplus059] ~ > glite-voms-proxy-init --voms dteam Cannot find file or dir: /afs/cern.ch/user/a/aduarte/.glite/vomses Your identity: /C=CH/O=CERN/OU=GRID/CN=Alexandre Duarte 8026 Enter GRID pass phrase: Creating temporary proxy................................. Done Contacting lcg-voms.cern.ch:15004 [/C=CH/O=CERN/OU=GRID/CN=host/lcg-voms.cern.ch] "dteam" Done Creating proxy................................................................................. Done Your proxy is valid until Thu Sep 7 06:37:31 2006 glite-voms-proxy-init --voms gilda
![E-infrastructure shared between Europe and Latin America 6 5th EELA TUTORIAL - USERS - Santiago, 06/09-07/09,2006 glite-voms-proxy-init lxplus059] ~ > glite-voms-proxy-init --voms dteam Cannot find file or dir: /afs/cern.ch/user/a/aduarte/.glite/vomses Your identity: /C=CH/O=CERN/OU=GRID/CN=Alexandre Duarte 8026 Enter GRID pass phrase: Creating temporary proxy](http://images.slideplayer.com./28/9290671/slides/slide_6.jpg "Done Contacting lcg-voms.cern.ch:15004 [/C=CH/O=CERN/OU=GRID/CN=host/lcg-voms.cern.ch] dteam Done Creating proxy Done Your proxy is valid until Thu Sep 7 06:37: glite-voms-proxy-init --voms gilda.")
7
E-infrastructure shared between Europe and Latin America 7 5th EELA TUTORIAL - USERS - Santiago, 06/09-07/09,2006 [lxplus059] ~ > glite-voms-proxy-info --all subject : /C=CH/O=CERN/OU=GRID/CN=Alexandre Duarte 8026/CN=proxy issuer : /C=CH/O=CERN/OU=GRID/CN=Alexandre Duarte 8026 identity : /C=CH/O=CERN/OU=GRID/CN=Alexandre Duarte 8026 type : proxy strength : 512 bits path : /tmp/x509up_u2913 timeleft : 11:58:53 === VO dteam extension information === VO : dteam subject : /C=CH/O=CERN/OU=GRID/CN=Alexandre Duarte 8026 issuer : /C=CH/O=CERN/OU=GRID/CN=host/lcg-voms.cern.ch attribute : /dteam/Role=NULL/Capability=NULL timeleft : 11:58:52 VOMS proxy info Standard globus attributes Voms extensions
![E-infrastructure shared between Europe and Latin America 7 5th EELA TUTORIAL - USERS - Santiago, 06/09-07/09,2006 [lxplus059] ~ > glite-voms-proxy-info --all subject : /C=CH/O=CERN/OU=GRID/CN=Alexandre Duarte 8026/CN=proxy issuer : /C=CH/O=CERN/OU=GRID/CN=Alexandre Duarte 8026 identity : /C=CH/O=CERN/OU=GRID/CN=Alexandre Duarte 8026 type : proxy strength : 512 bits path : /tmp/x509up_u2913 timeleft : 11:58:53 === VO dteam extension information === VO : dteam subject : /C=CH/O=CERN/OU=GRID/CN=Alexandre Duarte 8026 issuer : /C=CH/O=CERN/OU=GRID/CN=host/lcg-voms.cern.ch attribute : /dteam/Role=NULL/Capability=NULL timeleft : 11:58:52 VOMS proxy info Standard globus attributes Voms extensions](http://images.slideplayer.com./28/9290671/slides/slide_7.jpg "E-infrastructure shared between Europe and Latin America 7 5th EELA TUTORIAL - USERS - Santiago, 06/09-07/09,2006 [lxplus059] ~ > glite-voms-proxy-info --all subject : /C=CH/O=CERN/OU=GRID/CN=Alexandre Duarte 8026/CN=proxy issuer : /C=CH/O=CERN/OU=GRID/CN=Alexandre Duarte 8026 identity : /C=CH/O=CERN/OU=GRID/CN=Alexandre Duarte 8026 type : proxy strength : 512 bits path : /tmp/x509up_u2913 timeleft : 11:58:53 === VO dteam extension information === VO : dteam subject : /C=CH/O=CERN/OU=GRID/CN=Alexandre Duarte 8026 issuer : /C=CH/O=CERN/OU=GRID/CN=host/lcg-voms.cern.ch attribute : /dteam/Role=NULL/Capability=NULL timeleft : 11:58:52 VOMS proxy info Standard globus attributes Voms extensions")
8
E-infrastructure shared between Europe and Latin America 8 5th EELA TUTORIAL - USERS - Santiago, 06/09-07/09,2006 Long term proxy : MyProxy myproxy server: –myproxy-init Allows to create and store a long term proxy certificate –myproxy-info Get information about a stored long living proxy –myproxy-get-delegation Get a new proxy from the MyProxy server –myproxy-destroy Check out them with myproxy-xxx --help option A dedicated service on the RB can renew automatically the proxy –contacting the myproxy server
9
E-infrastructure shared between Europe and Latin America 9 5th EELA TUTORIAL - USERS - Santiago, 06/09-07/09,2006 myproxy-init lxplus059] ~ > myproxy-init Your identity: /C=CH/O=CERN/OU=GRID/CN=Alexandre Duarte 8026 Enter GRID pass phrase for this identity: Creating proxy........................................................................... Done Proxy Verify OK Your proxy is valid until: Wed Sep 13 18:40:20 2006 Enter MyProxy pass phrase: Verifying password - Enter MyProxy pass phrase: A proxy valid for 168 hours (7.0 days) for user aduarte now exists on myproxy.cern.ch. Principal options -c hours specifies lifetime of stored credentials -t hours specifies the maximum lifetime of retrieved credentials -s specifies the myproxy server used to store credentials -d stores credential with the distinguished name in proxy, instead of user name (mandatory for some data management services and proxy renewal) For proxy renewal it’s also mandatory –n (no passphrase). You also have to specify the subject of principals that can renew a delegation (-R subject, or -A for any principal)
![E-infrastructure shared between Europe and Latin America 9 5th EELA TUTORIAL - USERS - Santiago, 06/09-07/09,2006 myproxy-init lxplus059] ~ > myproxy-init Your identity: /C=CH/O=CERN/OU=GRID/CN=Alexandre Duarte 8026 Enter GRID pass phrase for this identity: Creating proxy](http://images.slideplayer.com./28/9290671/slides/slide_9.jpg "Done Proxy Verify OK Your proxy is valid until: Wed Sep 13 18:40: Enter MyProxy pass phrase: Verifying password - Enter MyProxy pass phrase: A proxy valid for 168 hours (7.0 days) for user aduarte now exists on myproxy.cern.ch. Principal options -c hours specifies lifetime of stored credentials -t hours specifies the maximum lifetime of retrieved credentials -s specifies the myproxy server used to store credentials -d stores credential with the distinguished name in proxy, instead of user name (mandatory for some data management services and proxy renewal) For proxy renewal it’s also mandatory –n (no passphrase). You also have to specify the subject of principals that can renew a delegation (-R subject, or -A for any principal).")
10
E-infrastructure shared between Europe and Latin America 10 5th EELA TUTORIAL - USERS - Santiago, 06/09-07/09,2006 myproxy-info Useful to retrieve info on stored credentials Need local credentials to be performed If credentials have been initialized with –d switch, you also have to specify the same option there [lxplus059] ~ > myproxy-info -s myproxy.cern.ch -v Socket bound to port 20000. server name: /C=CH/O=CERN/OU=GRID/CN=host/prod-px.cern.ch checking if server name matches "myproxy@prod-px.cern.ch" server name does not match checking if server name matches "host@prod-px.cern.ch" server name accepted username: aduarte owner: /C=CH/O=CERN/OU=GRID/CN=Alexandre Duarte 8026 timeleft: 167:57:48 (7.0 days) myproxy-info -s grid001.ct.infn.it -v
![E-infrastructure shared between Europe and Latin America 10 5th EELA TUTORIAL - USERS - Santiago, 06/09-07/09,2006 myproxy-info Useful to retrieve info on stored credentials Need local credentials to be performed If credentials have been initialized with –d switch, you also have to specify the same option there [lxplus059] ~ > myproxy-info -s myproxy.cern.ch -v Socket bound to port](http://images.slideplayer.com./28/9290671/slides/slide_10.jpg "server name: /C=CH/O=CERN/OU=GRID/CN=host/prod-px.cern.ch checking if server name matches server name does not match checking if server name matches server name accepted username: aduarte owner: /C=CH/O=CERN/OU=GRID/CN=Alexandre Duarte 8026 timeleft: 167:57:48 (7.0 days) myproxy-info -s grid001.ct.infn.it -v.")
11
E-infrastructure shared between Europe and Latin America 11 5th EELA TUTORIAL - USERS - Santiago, 06/09-07/09,2006 myproxy-get-delegation This command is used to retrieve a delegation from a long lived proxy stored on a myproxy server It is independent by the machine! You don’t need to have your certificate on board If credentials have been initialized with –d switch, you have to specify it also in myproxy-get-delegation request [mexicocity14@eela-132 mexicocity14]$ myproxy-get-delegation -s grid001.ct.infn.it Enter MyProxy pass phrase: A proxy has been received for user mexicocity14 in /tmp/x509up_u513
12
E-infrastructure shared between Europe and Latin America 12 5th EELA TUTORIAL - USERS - Santiago, 06/09-07/09,2006 myproxy-destroy Delete, if existing, the long lived credentials on the specified myproxy server To specify the myproxy server you should use the -s switch [mexicocity14@eela-132 mexicocity14]$ myproxy-get-delegation -s grid001.ct.infn.it Enter MyProxy pass phrase: A proxy has been received for user mexicocity14 in /tmp/x509up_u513 [mexicocity14@eela-132 mexicocity14]$ myproxy-destroy -s grid001.ct.infn.it Default MyProxy credential for user mexicocity14 was successfully removed.
![E-infrastructure shared between Europe and Latin America 12 5th EELA TUTORIAL - USERS - Santiago, 06/09-07/09,2006 myproxy-destroy Delete, if existing, the long lived credentials on the specified myproxy server To specify the myproxy server you should use the -s switch mexicocity14]$ myproxy-get-delegation -s grid001.ct.infn.it Enter MyProxy pass phrase: A proxy has been received for user mexicocity14 in /tmp/x509up_u513 mexicocity14]$ myproxy-destroy -s grid001.ct.infn.it Default MyProxy credential for user mexicocity14 was successfully removed.](http://images.slideplayer.com./28/9290671/slides/slide_12.jpg "E-infrastructure shared between Europe and Latin America 12 5th EELA TUTORIAL - USERS - Santiago, 06/09-07/09,2006 myproxy-destroy Delete, if existing, the long lived credentials on the specified myproxy server To specify the myproxy server you should use the -s switch mexicocity14]$ myproxy-get-delegation -s grid001.ct.infn.it Enter MyProxy pass phrase: A proxy has been received for user mexicocity14 in /tmp/x509up_u513 mexicocity14]$ myproxy-destroy -s grid001.ct.infn.it Default MyProxy credential for user mexicocity14 was successfully removed.")
13
E-infrastructure shared between Europe and Latin America 13 5th EELA TUTORIAL - USERS - Santiago, 06/09-07/09,2006 Exercise Exercise 2 –Create a myproxy on the server grid001.ct.infn.it –Check information on the created proxy –Create a myproxy with –d option –Check the new proxy –Which differences you note? –Destroy both proxies
14
E-infrastructure shared between Europe and Latin America 14 5th EELA TUTORIAL - USERS - Santiago, 06/09-07/09,2006 Storing long lived voms proxies myproxy doesn’t support natively VOMS To allow storing of voms ext., myproxy client has been modified The faculty of choosing VO and group/roles has been added, while the previous options have all been kept Proxies retrieved with myproxy-get-delegation will have the requested voms extension but… …there’s a limitation, due to voms extensions lifetime: tipically it’s limited, and it’s not renewed when performing myproxy-get-delegation Studying solutions to extend voms extension renewal in get-delegation The “modified” client is available only on GILDA UI’s Will be largely deployed when the above issues will be solved myproxy-init --voms gilda
15
E-infrastructure shared between Europe and Latin America 15 5th EELA TUTORIAL - USERS - Santiago, 06/09-07/09,2006 voms extension on a delegated proxy [ui-test] /home/giorgio > myproxy-get-delegation -s grid001.ct.infn.it Enter MyProxy pass phrase: A proxy has been received for user giorgio in /tmp/x509up_u500 [ui-test] /home/giorgio > voms-proxy-info -all subject : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio Giorgio/Email=emidio.giorgio@ct.infn.it/CN=proxy/CN=proxy/CN=proxy issuer : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio Giorgio/Email=emidio.giorgio@ct.infn.it/CN=proxy/CN=proxy identity : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio Giorgio/Email=emidio.giorgio@ct.infn.it/CN=proxy/CN=proxy type : unknown strength : 512 bits path : /tmp/x509up_u500 timeleft : 12:00:09 === VO gilda extension information === VO : gilda subject : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio Giorgio/Email=emidio.giorgio@ct.infn.it issuer : /C=IT/O=GILDA/OU=Host/L=INFN Catania/CN=voms.ct.infn.it/Email=emidio.giorgio@ct.infn.it attribute : /gilda/Role=NULL/Capability=NULL attribute : /gilda/tutors/Role=NULL/Capability=NULL timeleft : 23:59:57 Voms extension lifetime
![E-infrastructure shared between Europe and Latin America 15 5th EELA TUTORIAL - USERS - Santiago, 06/09-07/09,2006 voms extension on a delegated proxy [ui-test] /home/giorgio > myproxy-get-delegation -s grid001.ct.infn.it Enter MyProxy pass phrase: A proxy has been received for user giorgio in /tmp/x509up_u500 [ui-test] /home/giorgio > voms-proxy-info -all subject : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio issuer : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio identity : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio type : unknown strength : 512 bits path : /tmp/x509up_u500 timeleft : 12:00:09 === VO gilda extension information === VO : gilda subject : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio issuer : /C=IT/O=GILDA/OU=Host/L=INFN attribute : /gilda/Role=NULL/Capability=NULL attribute : /gilda/tutors/Role=NULL/Capability=NULL timeleft : 23:59:57 Voms extension lifetime](http://images.slideplayer.com./28/9290671/slides/slide_15.jpg "E-infrastructure shared between Europe and Latin America 15 5th EELA TUTORIAL - USERS - Santiago, 06/09-07/09,2006 voms extension on a delegated proxy [ui-test] /home/giorgio > myproxy-get-delegation -s grid001.ct.infn.it Enter MyProxy pass phrase: A proxy has been received for user giorgio in /tmp/x509up_u500 [ui-test] /home/giorgio > voms-proxy-info -all subject : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio issuer : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio identity : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio type : unknown strength : 512 bits path : /tmp/x509up_u500 timeleft : 12:00:09 === VO gilda extension information === VO : gilda subject : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio issuer : /C=IT/O=GILDA/OU=Host/L=INFN attribute : /gilda/Role=NULL/Capability=NULL attribute : /gilda/tutors/Role=NULL/Capability=NULL timeleft : 23:59:57 Voms extension lifetime")
16
E-infrastructure shared between Europe and Latin America 16 5th EELA TUTORIAL - USERS - Santiago, 06/09-07/09,2006 Questions
Similar presentations
