Www.euchinagrid.org Liang ZHAO, PKU EUChinaGrid 3 rd Tutorial Nov.25, 2006 Practices on Security Liang ZHAO Peking University.

Generic Instructions Practices on Security 2

Check your certificate

Your .globus directory now contains your personal public / private keys:

    [gilda07] /home/beijing01/.globus > ll
    total 8
    -rw-r--r-- 1 beijing01 users 1070 Nov 9 17:57 usercert.pem
    -r-------- 1 beijing01 users  963 Nov 9 17:57 userkey.pem

Pay attention to permissions:
– userkey.pem contains your private key, and must be readable just by yourself (400)
– usercert.pem contains your public key, which should be readable also from outside (644)

You can now have a look inside your certificate with the command grid-cert-info.
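The permission check the slide asks you to do by eye, as an added script that is not part of the tutorial. It reads the mode string from ls -ld (portable across GNU and BSD userlands) and accepts 400 as the tutorial requires, plus 600, which is equally private and which the Globus tools also accept; a key readable by group or others is reported as an error.

```shell
#!/bin/sh
# Added example: verify the permissions of the files in a .globus directory.
#   userkey.pem  must be -r-------- (400) or -rw------- (600): owner only
#   usercert.pem should be -rw-r--r-- (644): the public certificate may be read by all

# mode_of <file>: print the 10-character mode string, e.g. -r--------
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# check_globus_dir [dir]: 0 when both files exist with acceptable modes,
# 1 otherwise (each problem is printed). Defaults to $HOME/.globus.
check_globus_dir() {
    dir="${1:-$HOME/.globus}"
    key="$dir/userkey.pem"
    cert="$dir/usercert.pem"
    rc=0
    for f in "$key" "$cert"; do
        [ -f "$f" ] || { echo "MISSING: $f"; rc=1; }
    done
    [ "$rc" -eq 0 ] || return "$rc"

    km=$(mode_of "$key")
    case "$km" in
        -r--------|-rw-------) ;;   # private to the owner: fine
        *) echo "BAD: $key is $km; private key must not be group/world readable (chmod 400 $key)"
           rc=1 ;;
    esac

    cm=$(mode_of "$cert")
    if [ "$cm" != "-rw-r--r--" ]; then
        echo "BAD: $cert is $cm; expected -rw-r--r-- (chmod 644 $cert)"
        rc=1
    fi
    return "$rc"
}
```

Run it as `check_globus_dir` after copying a new certificate into place; a non-zero exit means voms-proxy-init will either refuse the key or the key is exposed to other users of the UI.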

grid-cert-info

    [gilda07] /home/beijing01/.globus > grid-cert-info
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 6092 (0x17cc)
            Signature Algorithm: md5WithRSAEncryption
            Issuer: C=IT, O=GILDA, CN=GILDA Certification Authority
            Validity
                Not Before: Nov 9 09:36: GMT
                Not After : Dec 4 09:36: GMT
            Subject: C=IT, O=GILDA, OU=Personal Certificate, L=BEIJING, CN=BEIJING01
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (1024 bit)
                    Modulus (1024 bit):
                        ...

voms-proxy-init  Before you can run jobs you need to create a proxy, which allows jobs to run on the grid.  Two types can be created, short-term and long term. It is better to get into the habit of always creating a short term one and then a long term one if needed.  Create a short term proxy (lifetime<12h)  Command syntax voms-proxy-init [options] -cert Non-standard location of user certificate -key Non-standard location of user key -userconf Non-standard location for user-defined voms server addresses  You may use voms-proxy-init –voms gilda  Default location for voms server address file is /opt/glite/etc/vomses or $HOME/.glite/vomses  Syntax : “vo-nickname" “voms server FQDN" “port“ “voms server \ certificate subject" “vo name Practices on Security 5

voms-proxy-init

If everything is ok, you should have:

    [gilda07] /home/beijing01/.globus > voms-proxy-init --voms gilda
    Cannot find file or dir: /home/beijing01/.glite/vomses
    Your identity: /C=IT/O=GILDA/OU=Personal Certificate/L=BEIJING/CN=BEIJING01
    Enter GRID pass phrase:
    Creating temporary proxy Done
    Contacting voms.ct.infn.it:15001 [/C=IT/O=INFN/OU=Host/L=Catania/CN=voms.ct.infn.it] "gilda" Done
    Creating proxy Done
    Your proxy is valid until Tue Nov 21 22:19:

voms-proxy-info

Once your proxy has been created, you can gather information on it with the voms-proxy-info command. It is much more useful when run with the -all option, because it also shows the VO-related information added by the VOMS server.

Note the two different lifetimes: the first refers to the proxy itself, the second to the Attribute Certificate added by the VOMS server. Both have to be valid in order to be fully enabled to perform operations.

voms-proxy-info

    [gilda07] /home/beijing01 > voms-proxy-info -all
    subject   : /C=IT/O=GILDA/OU=Personal Certificate/L=BEIJING/CN=BEIJING01/CN=proxy
    issuer    : /C=IT/O=GILDA/OU=Personal Certificate/L=BEIJING/CN=BEIJING01
    identity  : /C=IT/O=GILDA/OU=Personal Certificate/L=BEIJING/CN=BEIJING01
    type      : proxy
    strength  : 512 bits
    path      : /tmp/x509up_u33417
    timeleft  : 11:59:57
    === VO gilda extension information ===
    VO        : gilda
    subject   : /C=IT/O=GILDA/OU=Personal Certificate/L=BEIJING/CN=BEIJING01
    issuer    : /C=IT/O=INFN/OU=Host/L=Catania/CN=voms.ct.infn.it
    attribute : /gilda/Role=NULL/Capability=NULL
    timeleft  : 11:59:43
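The "both lifetimes must be valid" rule from the previous slide, turned into a check over voms-proxy-info -all output. This is an added example, not part of the tutorial; the sample listing below is constructed after the one above, with the VOMS Attribute Certificate already expired while the proxy itself still has time left.

```shell
#!/bin/sh
# Added example: decide from `voms-proxy-info -all` output whether a credential is
# usable. The proxy and every VOMS AC must all be valid, so the effective lifetime
# is the smallest "timeleft"; a listing without any "=== VO ... ===" section
# (the "VOMS extension not found!" case) carries no VO attributes at all.

# Constructed sample: proxy valid, VOMS AC for gilda expired.
SAMPLE_EXPIRED_AC='subject   : /C=IT/O=GILDA/OU=Personal Certificate/L=BEIJING/CN=BEIJING01/CN=proxy
issuer    : /C=IT/O=GILDA/OU=Personal Certificate/L=BEIJING/CN=BEIJING01
type      : proxy
strength  : 512 bits
path      : /tmp/x509up_u33417
timeleft  : 11:59:57
=== VO gilda extension information ===
VO        : gilda
attribute : /gilda/Role=NULL/Capability=NULL
timeleft  : 0:00:00'

# effective_timeleft: read voms-proxy-info output on stdin and print the minimum
# timeleft in seconds, or -1 if no timeleft line is present at all
# (e.g. the output is just "Couldn't find a valid proxy.").
effective_timeleft() {
    awk '
        /^timeleft/ {
            v = $0
            sub(/^timeleft *: */, "", v)      # keep only H:MM:SS
            split(v, t, ":")
            s = t[1] * 3600 + t[2] * 60 + t[3]
            if (min == "" || s < min) min = s
        }
        END { print (min == "" ? -1 : min) }
    '
}

# proxy_usable <vo>: 0 if the listing on stdin shows a valid proxy carrying a
# still-valid VOMS AC for <vo>; otherwise print the reason and return 1.
proxy_usable() {
    vo="$1"
    input=$(cat)
    secs=$(printf '%s\n' "$input" | effective_timeleft)
    if [ "$secs" -lt 0 ]; then
        echo "no proxy found"; return 1
    fi
    if ! printf '%s\n' "$input" | grep -q "^VO *: *$vo\$"; then
        echo "no VOMS extension for $vo (run voms-proxy-init --voms $vo)"; return 1
    fi
    if [ "$secs" -le 0 ]; then
        echo "proxy or VOMS AC expired"; return 1
    fi
    echo "usable for ${secs}s"
}
```

Use it as `voms-proxy-info -all | proxy_usable gilda` before submitting a batch of jobs.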

voms-proxy-destroy

You may need to destroy a proxy before it naturally expires. Use the command:

    voms-proxy-destroy

myproxy-init

Creates and stores a long-term proxy certificate on a proxy server, allowing proxies to be renewed and extending their effective lifetime beyond 12 hours.

Command syntax:

    myproxy-init --voms <vo-nickname> [options]

Principal options:
– -c  Lifetime of the delegated proxy on the server (default 1 week)
– -t  Lifetime of the proxies delegated by the server (default 12 hours)
– -d  Stores the credential with the distinguished name in the proxy, instead of the user name (mandatory for some data management services and for proxy renewal)
– -s  Specifies the myproxy server where to store the credentials

myproxy-info  This command is used to retrieve info on stored credentials  Need local credentials to be performed  You nee to execute voms-proxy-init or myproxy-get-delegation before running myproxy-info  If credentials have been initialized with –d switch, you have also to specify it there, otherwise such error may occur: [gilda07] /home/beijing01 > myproxy-info Received ERROR_RESPONSE: Credentials do not exist no credentials found for user beijing01, owner "/C=IT/O=GILDA/OU=Personal Certificate/L=BEIJING/CN=BEIJING01" Practices on Security 11

myproxy-get-delegation  This command is used to retrieve a delegation from a long lived proxy stored on myproxy server  It is independent by the machine ! You don’t need to have your certificate on board  If credentials have been initialized with –d switch, you have to specify it also in myproxy-get-delegation request Practices on Security 12

myproxy-destroy

Deletes, if existing, the long-lived credentials on the specified myproxy server.

It needs local credentials to be performed: you need to execute voms-proxy-init or myproxy-get-delegation before running myproxy-destroy.

If the credentials have been initialized with the -d switch, you have to specify it also in the myproxy-get-delegation request.

Example 1

    [gilda07] /home/beijing01 > myproxy-init --voms gilda
    Your identity: /C=IT/O=GILDA/OU=Personal Certificate/L=BEIJING/CN=BEIJING01
    Enter GRID pass phrase for this identity:
    Creating proxy Done
    Proxy Verify OK
    Your proxy is valid until: Tue Nov 28 11:53:
    Enter MyProxy pass phrase:
    Verifying password - Enter MyProxy pass phrase:
    A proxy valid for 168 hours (7.0 days) for user beijing01 now exists on grid001.ct.infn.it.

    [gilda07] /home/beijing01 > myproxy-init -d --voms gilda
    Your identity: /C=IT/O=GILDA/OU=Personal Certificate/L=BEIJING/CN=BEIJING01
    Enter GRID pass phrase for this identity:
    Creating proxy Done
    Proxy Verify OK
    Your proxy is valid until: Tue Nov 28 11:54:
    Enter MyProxy pass phrase:
    Verifying password - Enter MyProxy pass phrase:
    A proxy valid for 168 hours (7.0 days) for user /C=IT/O=GILDA/OU=Personal Certificate/L=BEIJING/CN=BEIJING01 now exists on grid001.ct.infn.it.

Example 2

    [gilda07] /home/beijing01 > voms-proxy-destroy
    [gilda07] /home/beijing01 > voms-proxy-info
    Couldn't find a valid proxy.
    [gilda07] /home/beijing01 > myproxy-init -d --voms gilda
    Your identity: /C=IT/O=GILDA/OU=Personal Certificate/L=BEIJING/CN=BEIJING01
    Enter GRID pass phrase for this identity:
    Creating proxy Done
    Proxy Verify OK
    Your proxy is valid until: Tue Nov 28 12:31:
    Enter MyProxy pass phrase:
    Verifying password - Enter MyProxy pass phrase:
    A proxy valid for 168 hours (7.0 days) for user /C=IT/O=GILDA/OU=Personal Certificate/L=BEIJING/CN=BEIJING01 now exists on grid001.ct.infn.it.
    [gilda07] /home/beijing01 > myproxy-get-delegation
    Enter MyProxy pass phrase:
    ERROR from server: Credentials do not exist
    Unable to retrieve credential information
    Failed to receive a proxy.

Note: the local proxy has been destroyed, and the -d parameter is needed.

Example 2 (continued): get a new proxy from the MyProxy server

    [gilda07] /home/beijing01 > myproxy-get-delegation -d
    Enter MyProxy pass phrase:
    A proxy has been received for user /C=IT/O=GILDA/OU=Personal Certificate/L=BEIJING/CN=BEIJING01 in /tmp/x509up_u33417
    [gilda07] /home/beijing01 > voms-proxy-info
    WARNING: Unable to verify signature! Server certificate possibly not installed.
    Error: VOMS extension not found!
    subject   : /C=IT/O=GILDA/OU=Personal Certificate/L=BEIJING/CN=BEIJING01/CN=proxy/CN=proxy/CN=proxy
    issuer    : /C=IT/O=GILDA/OU=Personal Certificate/L=BEIJING/CN=BEIJING01/CN=proxy/CN=proxy
    identity  : /C=IT/O=GILDA/OU=Personal Certificate/L=BEIJING/CN=BEIJING01/CN=proxy/CN=proxy
    type      : unknown
    strength  : 512 bits
    path      : /tmp/x509up_u33417
    timeleft  : 11:59:57

Example 3

    [gilda07] /home/beijing01 > myproxy-init -c 100 -t 10 --voms gilda
    Your identity: /C=IT/O=GILDA/OU=Personal Certificate/L=BEIJING/CN=BEIJING01
    Enter GRID pass phrase for this identity:
    Creating proxy Done
    Proxy Verify OK
    Your proxy is valid until: Sat Nov 25 15:57:
    Enter MyProxy pass phrase:
    Verifying password - Enter MyProxy pass phrase:
    A proxy valid for 100 hours (4.2 days) for user beijing01 now exists on grid001.ct.infn.it.
    [gilda07] /home/beijing01 > myproxy-get-delegation
    Enter MyProxy pass phrase:
    A proxy has been received for user beijing01 in /tmp/x509up_u33417
    [gilda07] /home/beijing01 > voms-proxy-info
    subject   : /C=IT/O=GILDA/OU=Personal Certificate/L=BEIJING/CN=BEIJING01/CN=proxy/CN=proxy/CN=proxy
    issuer    : /C=IT/O=GILDA/OU=Personal Certificate/L=BEIJING/CN=BEIJING01/CN=proxy/CN=proxy
    identity  : /C=IT/O=GILDA/OU=Personal Certificate/L=BEIJING/CN=BEIJING01/CN=proxy/CN=proxy
    type      : unknown
    strength  : 512 bits
    path      : /tmp/x509up_u33417
    timeleft  : 9:59:51

Exercise

– Create a proxy with voms-proxy-init, then verify the obtained credentials with voms-proxy-info
– Destroy the local proxy
– Create a myproxy with the -d option
– Get a delegation from the myproxy server
– Check the status of the local proxy
– Try other options of the myproxy commands

How to obtain a certificate

Visit

How to obtain a certificate

Step 1: Submit the User Certificate Application Form
Step 2: Online request for certificate
–
– Organization: PKU
– Organization Unit: PHYS
Step 3: Get your certificate
–
Step 4: Export the certificate

Manage your certificate

Exporting the digital certificate with the private key from IE:

– Open the IE browser, choose the "Tools" menu, click "Internet Options".
– Click the "Content" tab, then choose "Certificates".
– Click the certificate that you want to export.
– Click the "Export" button.
– Click "Next" in the "Export Wizard" window.
– Select "Export private key". Click "Next".
– Make sure "Personal Information Exchange - PKCS#12" is checked, and also "Enable strong protection". "Delete private key if successful" must be unchecked. "Include all certificates in path" should be unchecked, too. Click "Next".
– Type the passphrase (twice) that you use to protect your private key. We recommend you choose an 8-character pass phrase. Click "Next".
– Type the name of the file where you want to store your certificate. Click "Next".
– Click "Finish".

Convert certificate formats

How to convert certificate formats between PKCS12 and PEM?

For a user certificate, to get the key and certificate from a PKCS12 file (.p12 or .pfx):

    openssl pkcs12 -in user.p12 -out userkey.pem -nocerts
    openssl pkcs12 -in user.p12 -out usercert.pem -nokeys -clcerts

To convert PEM (.crt and .key files) to a PKCS12 file:

    openssl pkcs12 -export -in usercert.pem -inkey userkey.pem -out user.p12

PKCS12 files can be imported into your web browser.
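The two PKCS12-to-PEM commands above, as an added script that is not part of the tutorial, with two safeguards the bare commands lack: the private key is written under a restrictive umask so it is never world-readable on its way to the 400 mode expected in .globus, and the extracted key and certificate are checked to be a matching pair before use. P12PASS is an assumed, exported environment variable for unattended runs; without it openssl prompts as usual, and the same pass phrase then protects the PEM key (the "GRID pass phrase").

```shell
#!/bin/sh
# Added example: PKCS#12 -> PEM conversion with safe key permissions and a
# key/certificate match check. Set and export P12PASS to run non-interactively.

# p12_to_pem <user.p12> <outdir>: writes <outdir>/userkey.pem (400) and
# <outdir>/usercert.pem (644), then verifies they belong together.
p12_to_pem() {
    p12="$1"; out="$2"
    mkdir -p "$out"
    pass=""
    if [ -n "${P12PASS:-}" ]; then
        # import password and PEM key pass phrase both taken from P12PASS
        pass="-passin env:P12PASS -passout env:P12PASS"
    fi
    # umask 077 in a subshell: the key file is created 0600, never 0644,
    # so there is no window in which other users of the UI can read it
    ( umask 077 && openssl pkcs12 -in "$p12" -out "$out/userkey.pem" -nocerts $pass ) \
        || return 1
    chmod 400 "$out/userkey.pem"
    openssl pkcs12 -in "$p12" -out "$out/usercert.pem" -nokeys -clcerts \
        ${P12PASS:+-passin env:P12PASS} || return 1
    chmod 644 "$out/usercert.pem"
    pem_pair_matches "$out/usercert.pem" "$out/userkey.pem"
}

# pem_pair_matches <cert.pem> <key.pem>: 0 if the certificate's public key is the
# public half of the key. Compares the PEM SubjectPublicKeyInfo of both, which
# works for RSA and EC keys alike.
pem_pair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout ${P12PASS:+-passin env:P12PASS}) || return 1
    [ "$cert_pub" = "$key_pub" ]
}
```

On OpenSSL 3 a .p12 exported by an old browser may need the pkcs12 -legacy option, because such files use RC2-based encryption that the default provider no longer handles.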

Exercise

– Convert your certificate, which is located in the .globus directory, to PKCS12 format
– Import the .p12 file into Internet Explorer
  – You may need to set a pass phrase for the certificate
– Export the certificate from Internet Explorer, using a different file name when saving
– Convert the exported certificate into PEM format