1. Enabling Grids for E-sciencE www.eu-egee.org gLite security pratical tutorial Dario Russo INFN Catania Catania, 08.02.2006

2. Enabling Grids for E-sciencE Ing. Dario Russo. EMail: dario.russo@ct.infn.it Test Tutorial Catania 2 Introduction: Pourpose of the tutorial Creation of credentials to access the grid Using certificates to log in the grid Using Proxy server to store the proxy

3. Enabling Grids for E-sciencE Ing. Dario Russo. EMail: dario.russo@ct.infn.it Test Tutorial Catania 3 Certificate request and creation Users needs to request a certificate stating his identity and his role over the grid to the Certification Authority (CA) in order to access grid : Install the CA Certificate in your web browser; Request your personal Certificate ; Install your Personal Certificate in your web browser, using the same browser from which you submitted the request; this is mandatory because the private key of the certificate is generated by the browser at the time you submit ; Export your Personal Certificate from your browser on a secure support (for future uses or direct grid access from ui or for importing the certificate for other browsers/machines) ;

4. Enabling Grids for E-sciencE Ing. Dario Russo. EMail: dario.russo@ct.infn.it Test Tutorial Catania 4 Installing the CA Certificate To Install the CA Certificate in your web browser: Open your favourite browser and reach the Certification Authority. Select der format Click Download certificate to install the CA Certificate in the browser

5. Enabling Grids for E-sciencE Ing. Dario Russo. EMail: dario.russo@ct.infn.it Test Tutorial Catania 5 Wait for the arrival of the email Request your personal Certificate To Request your personal Certificate: Fill in the Certification Authority form double checking yourdata Submit your data to Certification Authority And wait certification creation. Follow instruction to obtain your personal certification

6. Enabling Grids for E-sciencE Ing. Dario Russo. EMail: dario.russo@ct.infn.it Test Tutorial Catania 6 Uploading and converting certificate Before access to the grid the certificate must be uploaded and converted to pem format to the User Interface (UI): Export the certificate to file system mycertificate.p12 using your browser certificate exporter Login the UI Create.globus directory Upload mycertificate.p12 using openssl: Create userkey.pem Create usercert.pem Delete *.p12 and chmod private key Now grid access is enabled. Remember to renew periodically (365 days) the certificates

7. Enabling Grids for E-sciencE Ing. Dario Russo. EMail: dario.russo@ct.infn.it Test Tutorial Catania 7 Voms-proxy-init Voms-proxy-init create an extended x.509 certificate stating identity, Virtual Organization (VO) membership and roles Voms-proxy-init –voms create a certificate Voms-proxy-info visualizes proxy informations Voms-proxy-info --all visualizes proxy informations and voms extensions Voms-proxy-info –-help shows options: - voms where command is :/ /group for group specify (default none) :/ /Role= for Role choice (default none) -valid x:y, create a proxy valid for x hours and y minutes -vomslife x, create a proxy with AC for x hours (< 24 h) -cert Non-standard location of user certificate -key Non-standard location of user key -out Non-standard location of new proxy cert -userconf Non-standard location for user- defined voms server addresses Default location for voms server address file is /opt/glite/etc/vomses or ~/.glite/vomses.

8. Enabling Grids for E-sciencE Ing. Dario Russo. EMail: dario.russo@ct.infn.it Test Tutorial Catania 8 Long term proxy : MyProxy-init myproxy server: –myproxy-init  Allows to create and store a long term proxy certificate: –myproxy-info  Get information about stored long living proxy –myproxy-get-delegation  Get a new proxy from the MyProxy server –myproxy-destroy –Check out them with myproxy-xxx --help option A dedicated service on the RB can renew automatically the proxy –contacting the myproxy server File Transfer Services in gLite (< 1.5) validates user request contacting myproxy server

9. Enabling Grids for E-sciencE Ing. Dario Russo. EMail: dario.russo@ct.infn.it Test Tutorial Catania 9 myproxy-init myproxy-init usage and options: -c hours specifies lifetime of stored credentials --voms specifies the virtual organization which the user belongs to -s specifies the myproxy server where to store is credentials (env variable MYPROXY_SERVER is used by default) -d stores credential with the distinguished name in proxy, instead of user name (mandatory for some data management services and proxy renewal) For proxy renewal it’s also mandatory –n (no passphrase). You’ve to specify also subject of principals that can renew a delegation (-R subject, or -A for any principal) --voms gilda Common pitfall: Dont forget –voms !! option

10. Enabling Grids for E-sciencE Ing. Dario Russo. EMail: dario.russo@ct.infn.it Test Tutorial Catania 10 myproxy-get-delegation This command is used to retrieve a delegation from a long lived proxy stored on myproxy server It is independent by the machine ! You don’t need to have your certificate on board If credentials have been initialized with –d switch, you have to specify it also in myproxy-get-delegation request

11. Enabling Grids for E-sciencE Ing. Dario Russo. EMail: dario.russo@ct.infn.it Test Tutorial Catania 11 Myproxy-destroy Delete, if existing, the long lived credentials on the specified myproxy server