4th EELA TUTORIAL - USERS AND SYSTEM ADMINISTRATORS www.eu-eela.org E-infrastructure shared between Europe and Latin America Security Hands-on Vanessa.

Slides:

Advertisements

Similar presentations

12th EELA Tutorial, Lima, FP6−2004−Infrastructures−6-SSA E-infrastructure shared between Europe and Latin America.

Advertisements

It’s not about security... it’s about access! Grid Security Pieter van Beek.

Riccardo Bruno, INFN.CT Sevilla, 10-14/09/2007 GENIUS Exercises.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE Tutorial Getting started with GILDA.

FP6−2004−Infrastructures−6-SSA E-infrastructure shared between Europe and Latin America Security on Grid: Emidio Giorgio INFN –

INFSO-RI Enabling Grids for E-sciencE Claudio Cherubino, INFN Catania Grid Tutorial for users Merida, April 2006 Authorization.

Summer School Certificates Diego Romano & Gilda Team.

GLite authentication and authorization Discipline: Grid Computing, 07/08-2 Practical classes Inês Dutra, DCC/FCUP.

Enabling Grids for E-sciencE Security on gLite middleware Matthieu Reichstadt CNRS/IN2P3 ACGRID School, Hanoi (Vietnam) November 5th, 2007.

INFSO-RI Enabling Grids for E-sciencE Practicals on VOMS and MyProxy Emidio Giorgio INFN Retreat between GILDA and ESR VO, Bratislava,

FP6−2004−Infrastructures−6-SSA E-infrastructure shared between Europe and Latin America Luciano Díaz ICN-UNAM Based on Domenico.

FP6−2004−Infrastructures−6-SSA E-infrastructure shared between Europe and Latin America GENIUS server installation and configuration.

IST E-infrastructure shared between Europe and Latin America VOMS and MyProxy Server installation and configuration Pedro Henrique.

EGEE-II INFSO-RI Enabling Grids for E-sciencE Security in gLite Gergely Sipos and Peter Kacsuk MTA SZTAKI Grid Computing School.

4th EELA TUTORIAL - USERS AND SYSTEM ADMINISTRATORS E-infrastructure shared between Europe and Latin America BDII Server Installation Vanessa.

E-science grid facility for Europe and Latin America gLite Security Alfonso Pardo CETA-CIEMAT - Spain Dublin (Ireland), September.

5th EELA TUTORIAL - USERS E-infrastructure shared between Europe and Latin America Authentication and Authorization in gLite Alexandre.

E-science grid facility for Europe and Latin America E2GRIS1 Raúl Priego Martínez – CETA-CIEMAT (Spain)‏ Itacuruça (Brazil), 2-15 November.

FP6−2004−Infrastructures−6-SSA E-infrastructure shared between Europe and Latin America MyProxy server installation Emidio Giorgio.

August 13, 2003Eric Hjort Getting Started with Grid Computing in STAR Eric Hjort, LBNL STAR Collaboration Meeting August 13, 2003.

Exporting User Certificate from Internet Explorer.

E-infrastructure shared between Europe and Latin America Security Hands-on Christian Grunfeld, UNLP 8th EELA Tutorial, La Plata, 11/12-12/12,2006.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Introduction to GILDA and gaining access.

INFSO-RI Enabling Grids for E-sciencE GILDA Practicals : Security systems GILDA Tutors Singapore, 1st South East Asia Forum -- EGEE.

E-infrastructure shared between Europe and Latin America FP6−2004−Infrastructures−6-SSA Hands-on on security Pedro Rausch IF - UFRJ.

EGEE-III INFSO-RI Enabling Grids for E-sciencE Apr. 25, Grid Computing Hands On Training for Users Faculty of Sciences, University.

12th EELA Tutorial for Users and System Administrators E-infrastructure shared between Europe and Latin America User Interface installation.

IST E-infrastructure shared between Europe and Latin America ULAGrid Certification Authority Vanessa Hamar Universidad de Los.

INFSO-RI Enabling Grids for E-sciencE Security in gLite Gergely Sipos MTA SZTAKI With thanks for some slides to.

EGEE-II INFSO-RI Enabling Grids for E-sciencE The GILDA training infrastructure.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks VOMS Vincenzo Ciaschini EGEE/OSG Workshop.

12th September 2007UK e-Science All Hands Meeting1 John Kewley Grid Technology Group e-Science Centre STFC Daresbury Laboratory GROWL.

Hands-on security Angelines Alberto Morillas Ciemat.

EGEE is a project funded by the European Union under contract IST Grid proxy and MyProxy Roberto Barbera Univ. of Catania and INFN SEE-GRID.

Enabling Grids for E-sciencE Workload Management System on gLite middleware - commands Matthieu Reichstadt CNRS/IN2P3 ACGRID School, Hanoi.

FP6−2004−Infrastructures−6-SSA E-infrastructure shared between Europe and Latin America Practicals on Security Miguel Cárdenas Montes.

E-infrastructure shared between Europe and Latin America Security Hands-on Alexandre Duarte CERN Fifth EELA Tutorial Santiago, 06/09-07/09,2006.

EGEE-II INFSO-RI Enabling Grids for E-sciencE MyProxy - a brief introduction.

FP6−2004−Infrastructures−6-SSA E-infrastructure shared between Europe and Latin America Practicals on Security – Infosys -- WMS.

FP6−2004−Infrastructures−6-SSA E-infrastructure shared between Europe and Latin America Moisés Hernández Duarte UNAM FES Cuautitlán.

Further aspects of EGEE middleware components INFN, Catania EGEE is funded by the European Union under contract IST

12th EELA TUTORIAL - USERS AND SYSTEM ADMINISTRATORS FP6−2004−Infrastructures−6-SSA E-infrastructure shared between Europe and Latin.

INFSO-RI Enabling Grids for E-sciencE Authorisation and Authentication in gLite Mike Mineter National e-Science Centre, Edinburgh.

INFSO-RI Enabling Grids for E-sciencE VOMS & MyProxy interaction Emidio Giorgio INFN NA4 Generic Applications Meeting 10 January.

1 Egrid portal Stefano Cozzini and Angelo Leto. 2 Egrid portal Based on P-GRADE Portal 2.3 –LCG-2 middleware support: broker, CEs, SEs, BDII –MyProxy.

Enabling Grids for E-sciencE Sofia, 17 March 2009 INFSO-RI Introduction to Grid Computing, EGEE and Bulgarian Grid Initiatives –

Security on Grid: User Interface, Internals and APIs Simone Campana LCG Experiment Integration and Support CERN IT.

LCG2 Tutorial Viet Tran Institute of Informatics Slovakia.

INFSO-RI Enabling Grids for E-sciencE Security on Grid: Emidio Giorgio INFN – Catania Singapore, 1st South East Asia Forum -- EGEE.

Hands-on security Carlos Fuentes RedIRIS Madrid,26 – 30 de Octubre de 2008.

Hands on Security, Authentication and Authorization Virginia Martín-Rubio Pascual RedIRIS/Red.es Curso Grid y e-Ciencia.

EGI-InSPIRE RI Grid Training for Power Users EGI-InSPIRE N G I A E G I S Grid Training for Power Users Institute of Physics Belgrade.

Tutorial on "GRID Computing“ EMBnet Conference 2008 CNR - ITB Authenticated Grid access with robot certificates Giuseppe LA ROCCA INFN.

The EPIKH Project (Exchange Programme to advance e-Infrastructure Know-How) 马兰馨 IHEP, CAS Hands on gLite Security.

1 Grid Security Jinny Chien Academia Sinica Computing Centre Deployment team.

Enabling Grids for E-sciencE gLite security pratical tutorial Dario Russo INFN Catania Catania,

INFSO-RI Enabling Grids for E-sciencE GILDA t-Infrastructure Antonio Fuentes Bermejo

First South Africa Grid Training June 2008, Catania (Italy) GILDA t-Infrastructure Valeria Ardizzone INFN Catania.

RI EGI-TF 2010, Tutorial Managing an EGEE/EGI Virtual Organisation (VO) with EDGES bridged Desktop Resources Tutorial Robert Lovas, MTA SZTAKI.

EGEE is a project funded by the European Union under contract IST Job Submission Giuseppe La Rocca EGEE NA4 Generic Applications INFN Catania.

EGEE is a project funded by the European Union under contract IST Grid proxy and MyProxy Giuseppe La Rocca EGEE NA4 Generic Applications GENIUS/GILDA.

(Exchange Programme to advance e-Infrastructure Know-How) The EPIKH Project Hailong Yang

Authentication, Authorisation and Security

MyProxy Server Installation

Practicals on VOMS and MyProxy

gLite 1.4. Data Mangement Exercises

Long term job submission and monitoring uing grid services

Certificates Usage and Simple Job Submission

Certificates Usage and Simple Job Submission

Certificates Usage and Simple Job Submission

Presentation transcript:

4th EELA TUTORIAL - USERS AND SYSTEM ADMINISTRATORS E-infrastructure shared between Europe and Latin America Security Hands-on Vanessa Hamar Universidad de Los Andes 4 th EELA Tutorial Mexico DF, 28/08-01/09,2006

E-infrastructure shared between Europe and Latin America 4th EELA TUTORIAL - USERS AND SYSTEM ADMINISTRATORS - Mexico DF, 28/08-01/09, Overview Accessing to the UI Private and public keys VOMS –voms-proxy-init –voms-proxy-info MyProxy –myproxy-init –myproxy-info –myproxy-get-delegation –myproxy-destroy

E-infrastructure shared between Europe and Latin America 4th EELA TUTORIAL - USERS AND SYSTEM ADMINISTRATORS - Mexico DF, 28/08-01/09, Hostname: eela-132.super.unam.mx Username: mexicocityXX  Where XX is in [01..60] Password: GridME XX  Where XX is in [01..60] Certificate passphrase: MEXICOCITY How to access the User Interface

E-infrastructure shared between Europe and Latin America 4th EELA TUTORIAL - USERS AND SYSTEM ADMINISTRATORS - Mexico DF, 28/08-01/09, Preliminary:.globus directory.globus directory contains your personal public / private keys Pay attention to permissions – userkey.pem contains your private key, and must be readable just by yourself (400) – usercert.pem contains your public key, which should be readable also from outside (644) mexicocity14]$ ls -al.globus/u* -rw-r--r-- 1 mexicocity14 eela 1139 Aug 9 16:12 usercert.pem -rw mexicocity14 eela 963 Aug 9 16:12 userkey.pem

E-infrastructure shared between Europe and Latin America 4th EELA TUTORIAL - USERS AND SYSTEM ADMINISTRATORS - Mexico DF, 28/08-01/09, glite-voms-proxy-init: options Main options glite-voms-proxy-init --voms -help, -usage Displays usage -version Displays version -debug Enables extra debug output -quiet, -q Quiet mode, minimal output -verify Verifies certificate to make proxy for -pwstdin Allows passphrase from stdin -limited Creates a limited proxy -valid Proxy is valid for h hours and m minutes (default to 12:00) -hours H Proxy is valid for H hours (default:12) -bits Number of bits in key {512|1024|2048|4096} -cert Non-standard location of user certificate -key Non-standard location of user key -certdir Non-standard location of trusted cert dir -out Non-standard location of new proxy cert -voms > Specify voms server. :command is optional. -order > Specify ordering of attributes. -vomslife Try to get a VOMS pseudocert valid for h hours and m minutes (default to value of -valid). -include Include the contents of the specified files -confile Non-standard location of voms server addresses.. -vomses Non-standard loation of configuration files.

E-infrastructure shared between Europe and Latin America 4th EELA TUTORIAL - USERS AND SYSTEM ADMINISTRATORS - Mexico DF, 28/08-01/09, Verify your credentials Exercise 1 : create a voms proxy requesting your group membership (all of you belong to generic-users group); then verify obtained credentials with: glite-voms-proxy-info –Main options : -all prints all proxy options -file specifies a different location of proxy file

E-infrastructure shared between Europe and Latin America 4th EELA TUTORIAL - USERS AND SYSTEM ADMINISTRATORS - Mexico DF, 28/08-01/09, glite-voms-proxy-init mexicocity14]$ glite-voms-proxy-init --voms gilda Cannot find file or dir: /home/mexicocity14/.glite/vomses Your identity: /C=IT/O=GILDA/OU=Personal Enter GRID pass phrase: Creating temporary proxy Done Contacting voms.ct.infn.it:15001 [/C=IT/O=GILDA/OU=Host/L=INFN "gilda" Done Creating proxy Done Your proxy is valid until Tue Aug 22 20:58:

E-infrastructure shared between Europe and Latin America 4th EELA TUTORIAL - USERS AND SYSTEM ADMINISTRATORS - Mexico DF, 28/08-01/09, mexicocity14]$ glite-voms-proxy-info --all subject : /C=IT/O=GILDA/OU=Personal proxy issuer : /C=IT/O=GILDA/OU=Personal identity : /C=IT/O=GILDA/OU=Personal type : proxy strength : 512 bits path : /tmp/x509up_u513 timeleft : 11:53:46 === VO gilda extension information === VO : gilda subject : /C=IT/O=GILDA/OU=Personal issuer : /C=IT/O=GILDA/OU=Host/L=INFN attribute : /gilda/Role=NULL/Capability=NULL timeleft : 11:55:44 VOMS proxy info Standard globus attributes Voms extensions

E-infrastructure shared between Europe and Latin America 4th EELA TUTORIAL - USERS AND SYSTEM ADMINISTRATORS - Mexico DF, 28/08-01/09, Long term proxy : MyProxy myproxy server: –myproxy-init  Allows to create and store a long term proxy certificate –myproxy-info  Get information about a stored long living proxy –myproxy-get-delegation  Get a new proxy from the MyProxy server –myproxy-destroy Check out them with myproxy-xxx --help option A dedicated service on the RB can renew automatically the proxy –contacting the myproxy server

E-infrastructure shared between Europe and Latin America 4th EELA TUTORIAL - USERS AND SYSTEM ADMINISTRATORS - Mexico DF, 28/08-01/09, myproxy-init mexicocity14]$ myproxy-init Your identity: /C=IT/O=GILDA/OU=Personal Enter GRID pass phrase for this identity: Creating proxy Done Proxy Verify OK Your proxy is valid until: Tue Aug 29 09:18: Enter MyProxy pass phrase: Verifying password - Enter MyProxy pass phrase: A proxy valid for 168 hours (7.0 days) for user mexicocity14 now exists on grid001.ct.infn.it. Principal options -c hours specifies lifetime of stored credentials -t hours specifies the maximum lifetime of retrieved credentials -s specifies the myproxy server used to store credentials -d stores credential with the distinguished name in proxy, instead of user name (mandatory for some data management services and proxy renewal) For proxy renewal it’s also mandatory –n (no passphrase). You also have to specify the subject of principals that can renew a delegation (-R subject, or -A for any principal)

E-infrastructure shared between Europe and Latin America 4th EELA TUTORIAL - USERS AND SYSTEM ADMINISTRATORS - Mexico DF, 28/08-01/09, myproxy-info Useful to retrieve info on stored credentials Need local credentials to be performed If credentials have been initialized with –d switch, you also have to specify the same option there mexicocity14]$ myproxy-info -s grid001.ct.infn.it -v Socket bound to port server name: /C=IT/O=INFN/OU=Host/L=Catania/CN=grid001.ct.infn.it checking if server name matches server name does not match checking if server name matches server name accepted username: mexicocity14 owner: /C=IT/O=GILDA/OU=Personal timeleft: 167:52:13 (7.0 days)

E-infrastructure shared between Europe and Latin America 4th EELA TUTORIAL - USERS AND SYSTEM ADMINISTRATORS - Mexico DF, 28/08-01/09, myproxy-get-delegation This command is used to retrieve a delegation from a long lived proxy stored on a myproxy server It is independent by the machine! You don’t need to have your certificate on board If credentials have been initialized with –d switch, you have to specify it also in myproxy-get-delegation request mexicocity14]$ myproxy-get-delegation -s grid001.ct.infn.it Enter MyProxy pass phrase: A proxy has been received for user mexicocity14 in /tmp/x509up_u513

E-infrastructure shared between Europe and Latin America 4th EELA TUTORIAL - USERS AND SYSTEM ADMINISTRATORS - Mexico DF, 28/08-01/09, myproxy-destroy Delete, if existing, the long lived credentials on the specified myproxy server To specify the myproxy server you should use the -s switch mexicocity14]$ myproxy-get-delegation -s grid001.ct.infn.it Enter MyProxy pass phrase: A proxy has been received for user mexicocity14 in /tmp/x509up_u513 mexicocity14]$ myproxy-destroy -s grid001.ct.infn.it Default MyProxy credential for user mexicocity14 was successfully removed.

E-infrastructure shared between Europe and Latin America 4th EELA TUTORIAL - USERS AND SYSTEM ADMINISTRATORS - Mexico DF, 28/08-01/09, Exercise Exercise 2 –Create a myproxy on the server grid001.ct.infn.it –Check information on the created proxy –Create a myproxy with –d option –Check the new proxy –Which differences you note? –Destroy both proxies

E-infrastructure shared between Europe and Latin America 4th EELA TUTORIAL - USERS AND SYSTEM ADMINISTRATORS - Mexico DF, 28/08-01/09, Storing long lived voms proxies myproxy doesn’t support natively VOMS To allow storing of voms ext., myproxy client has been modified The faculty of choosing VO and group/roles has been added, while the previous options have all been kept Proxies retrieved with myproxy-get-delegation will have the requested voms extension but… …there’s a limitation, due to voms extensions lifetime: tipically it’s limited, and it’s not renewed when performing myproxy-get-delegation Studying solutions to extend voms extension renewal in get-delegation The “modified” client is available only on GILDA UI’s Will be largely deployed when the above issues will be solved myproxy-init --voms gilda

E-infrastructure shared between Europe and Latin America 4th EELA TUTORIAL - USERS AND SYSTEM ADMINISTRATORS - Mexico DF, 28/08-01/09, voms extension on a delegated proxy [ui-test] /home/giorgio > myproxy-get-delegation -s grid001.ct.infn.it Enter MyProxy pass phrase: A proxy has been received for user giorgio in /tmp/x509up_u500 [ui-test] /home/giorgio > voms-proxy-info -all subject : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio issuer : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio identity : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio type : unknown strength : 512 bits path : /tmp/x509up_u500 timeleft : 12:00:09 === VO gilda extension information === VO : gilda subject : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio issuer : /C=IT/O=GILDA/OU=Host/L=INFN attribute : /gilda/Role=NULL/Capability=NULL attribute : /gilda/tutors/Role=NULL/Capability=NULL timeleft : 23:59:57 Voms extension lifetime

E-infrastructure shared between Europe and Latin America 4th EELA TUTORIAL - USERS AND SYSTEM ADMINISTRATORS - Mexico DF, 28/08-01/09, Questions