Grid Training for Power Users, Institute of Physics Belgrade (EGI-InSPIRE RI-261323, NGI AEGIS, www.egi.eu)


Grid Training for Power Users
Hands-On Session: Setting up the user account
Vladimir Slavnic, Nikola Grkic
SCL, Institute of Physics Belgrade, Serbia
28/05/2012

Overview
  − User Interface (UI)
  − Grid Security Infrastructure (GSI)
  − Certificate obtaining procedure
  − How to use certificate
  − Proxies
  − MyProxy service
  − Certificates renewal

User interface – UI (1)
Access point to Grid
User must have a local account on the machine
It provides CLI tools to perform different Grid operations:
  − list all the resources suitable to execute a given job;
  − submit jobs for execution;
  − cancel jobs;
  − query the status of jobs and retrieve their output;
  − copy, replicate and delete files from the Grid;
  − retrieve the status of different resources from the Information System;

User interface – UI (2)

Grid Security Infrastructure (GSI)
Basic Security Concepts:
  − Private and Public Keys - Encryption
  − Signing
Grid credentials: digital certificate and private key
  − Grid passport
  − Based on PKI X.509 standard
  − A public key connected to some information about who the user (or server) is, signed by the CA
  − CA signs certificates. Trust relationship
National Certification Authority (CA) – AEGIS CA
  − The most important thing in the certificate is the Subject Name (SN):
    /C=RS/O=AEGIS/OU=Institute of Physics Belgrade/CN=Vladimir Slavnic

Certificate obtaining procedure
Via browser or from UI
Command issued on UI:
    $ grid-cert-request
  − PEM pass phrase (do not forget it!!!)
.globus directory
  − userkey.pem
  − usercert_request.pem
  − usercert.pem
usercert_request.pem to be sent by RA to CA to be signed
Signed certificate will be sent back to user
Confirmation mail signed with new certificate to be sent to CA by the user

Taking care of private keys
Keep your private key secure
Right permissions:
    444 usercert.pem
    400 userkey.pem
Do not loan your certificate to anyone
Report to your CA if your certificate has been compromised
Private key and certificate can be stored:
  − In your browser and mail client
  − Stored in files using different file format (PEM, P12, …)
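
The checks from this slide as a script, added here as an example and not part of the original training material. It assumes the ~/.globus file names listed above and treats the slide's modes as the policy; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit the credential files kept in ~/.globus.
# File names and modes (444 / 400) are the ones given on the slides.

# Print the octal mode of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Print one "FAIL: ..." line per problem; return 0 only if none were found.
audit_globus_dir() {
    dir=$1
    problems=0
    fail() { echo "FAIL: $*"; problems=$((problems + 1)); }

    key=$dir/userkey.pem
    cert=$dir/usercert.pem

    if [ ! -f "$key" ]; then
        fail "$key is missing"
    else
        # The private key must be readable by its owner only.
        mode=$(file_mode "$key")
        [ "$mode" = 400 ] || fail "$key mode is $mode, expected 400"
        # A pass-phrase-protected PEM key says ENCRYPTED in its header
        # ("Proc-Type: 4,ENCRYPTED" or "BEGIN ENCRYPTED PRIVATE KEY").
        head -n 3 "$key" | grep -q 'ENCRYPTED' ||
            fail "$key is not pass-phrase protected"
    fi

    if [ ! -f "$cert" ]; then
        fail "$cert is missing"
    else
        # The certificate is public, but nobody should be able to write it.
        mode=$(file_mode "$cert")
        case "$mode" in
            444|440|400) ;;
            *) fail "$cert mode is $mode, expected 444" ;;
        esac
    fi

    [ "$problems" -eq 0 ]
}

# Usage: sh audit_globus.sh ~/.globus
if [ -n "${1:-}" ]; then audit_globus_dir "$1" || true; fi
```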

Checking a certificate
    $ grid-cert-info [-subject |-enddate|-issuer]
    $ grid-cert-info -subject
    /C=RS/O=AEGIS/OU=Institute of Physics Belgrade/CN=Vladimir Slavnic
    $ grid-cert-info -issuer
    /C=RS/O=AEGIS/CN=AEGIS-CA
    $ grid-cert-info -enddate
    Jun 26 08:03: GMT
Verify a user certificate:
    $ openssl verify -CApath /etc/grid-security/certificates/ ~/.globus/usercert.pem
    /home/slavnic/.globus/usercert.pem: OK

pkcs12 bundle creation and VO registration
Creating p12 certificate
    $ openssl pkcs12 -export -in ~/.globus/usercert.pem -inkey ~/.globus/userkey.pem -name "My Certificate" -out mycertificate.p12
Importing certificate into the mail client and web browser
Virtual Organization – VO
  − Entity which typically corresponds to a particular organization or group of people in the real world
VO membership request (web interface):
  − AEGIS VOMS Web application is located on the following address:
AEGIS CA :

Proxies (1)
Proxy certificates: Temporary self-signed certs
Types of proxies:
  − Standard proxy
  − VOMS proxy
VOMS proxies – proxies with VO extensions
  − Group
  − Role

Proxies (2)
VOMS proxy UI commands:
    $ voms-proxy-init -voms
    $ voms-proxy-init -voms : :[Role= ]
    $ voms-proxy-info (-all)
    $ voms-proxy-destroy
Creating VOMS proxy:
    $ voms-proxy-init -voms aegis
    Enter GRID pass phrase:
    Your identity: /C=RS/O=AEGIS/OU=Institute of Physics Belgrade/CN=Vladimir Slavnic
    Creating temporary proxy Done
    Contacting voms.ipb.ac.rs:15001 [/C=RS/O=AEGIS/OU=Institute of Physics Belgrade/CN=host/voms.ipb.ac.rs] "aegis" Done
    Creating proxy Done
    Your proxy is valid until Mon May 28 00:34:

Proxies (3)
Checking VOMS proxy:
    $ voms-proxy-info -all
    subject   : /C=RS/O=AEGIS/OU=Institute of Physics Belgrade/CN=Vladimir Slavnic/CN=proxy
    issuer    : /C=RS/O=AEGIS/OU=Institute of Physics Belgrade/CN=Vladimir Slavnic
    identity  : /C=RS/O=AEGIS/OU=Institute of Physics Belgrade/CN=Vladimir Slavnic
    type      : proxy
    strength  : 1024 bits
    path      : /tmp/x509up_u501
    timeleft  : 11:50:33
    === VO aegis extension information ===
    VO        : aegis
    subject   : /C=RS/O=AEGIS/OU=Institute of Physics Belgrade/CN=Vladimir Slavnic
    issuer    : /C=RS/O=AEGIS/OU=Institute of Physics Belgrade/CN=host/voms.ipb.ac.rs
    attribute : /aegis/Role=NULL/Capability=NULL
    attribute : /aegis/scl/Role=NULL/Capability=NULL
    timeleft  : 11:50:33
    uri       : voms.ipb.ac.rs:15001
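
A way to vet that output before submitting work, added here as an example and not part of the original slides. The function names, the WARN/NOTE/INFO wording and the 2048-bit threshold are assumptions; the sample is abridged from the output shown above.

```shell
#!/bin/sh
# Added example (not from the slides): vet `voms-proxy-info -all` output
# before submitting work. The 2048-bit threshold is an assumption.

# Reads the command output on stdin. $1 = minimum lifetime in seconds.
# Prints WARN/NOTE/INFO lines; returns 1 if any WARN was printed.
check_proxy_info() {
    awk -v min="$1" '
        function secs(t,   p) { split(t, p, ":"); return p[1]*3600 + p[2]*60 + p[3] }
        /^=== VO .* extension information ===/ { in_vo = 1 }
        $1 == "strength" && $3 + 0 < 2048 {
            print "NOTE: proxy key is only " $3 " bits"
        }
        $1 == "timeleft" {
            what = in_vo ? "VO extension" : "proxy"
            if (secs($3) < min + 0) {
                print "WARN: " what " expires in " $3
                bad = 1
            }
        }
        $1 == "attribute" && in_vo { print "INFO: VO attribute " $3 }
        END {
            if (!in_vo) { print "WARN: no VO extension, plain proxy only"; bad = 1 }
            exit bad + 0
        }'
}

# Abridged from the voms-proxy-info -all output shown on the slide.
sample_proxy_info() {
    cat <<'EOF'
subject   : /C=RS/O=AEGIS/OU=Institute of Physics Belgrade/CN=Vladimir Slavnic/CN=proxy
type      : proxy
strength  : 1024 bits
path      : /tmp/x509up_u501
timeleft  : 11:50:33
=== VO aegis extension information ===
VO        : aegis
attribute : /aegis/Role=NULL/Capability=NULL
attribute : /aegis/scl/Role=NULL/Capability=NULL
timeleft  : 11:50:33
EOF
}

# Demo: require at least 12 hours (43200 s); both lifetimes fall short.
sample_proxy_info | check_proxy_info 43200 || true
```

On a UI the same check runs as `voms-proxy-info -all | check_proxy_info 43200`.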

Proxy renewal – MyProxy (1)
MyProxy - proxy credential repository system
User can create and store a long-term proxy in a dedicated server (MyProxy server)
MyProxy commands on UI:
    $ myproxy-init -s -d -n
    $ myproxy-info -s -d
    $ myproxy-destroy -s -d

Proxy renewal – MyProxy (2)
Show MyProxy server environment variable:
    $ echo $MYPROXY_SERVER
    myproxy.ipb.ac.rs
Creating and storing a long-term proxy:
    $ myproxy-init -d -n
    Your identity: /C=RS/O=AEGIS/OU=Institute of Physics Belgrade/CN=Vladimir Slavnic
    Enter GRID pass phrase for this identity:
    Creating proxy Done
    Proxy Verify OK
    Your proxy is valid until: Sun Jun 3 12:37:
    A proxy valid for 168 hours (7.0 days) for user /C=RS/O=AEGIS/OU=Institute of Physics Belgrade/CN=Vladimir Slavnic now exists on myproxy.ipb.ac.rs.

Proxy renewal – MyProxy (3)
Show long-term proxy information:
    $ myproxy-info -d
    username: /C=RS/O=AEGIS/OU=Institute of Physics Belgrade/CN=Vladimir Slavnic
    owner: /C=RS/O=AEGIS/OU=Institute of Physics Belgrade/CN=Vladimir Slavnic
    timeleft: 167:59:02 (7.0 days)

Certificate renewal
CAs issue certificates with a limited duration (usually one year)
User needs to send a request for renewal signed with the old certificate to CA before old certificate expires
Users should try to be aware of the renewal date
Renewed certificates have the same SN as the old ones

Links
AEGIS CA −
gLite user guide −