Practices on Security. Liang ZHAO, Peking University (PKU). EUChinaGrid 3rd Tutorial, Nov. 25, 2006. www.euchinagrid.org


Slide 2: Generic Instructions

Slide 3: Check your certificate

Your .globus directory now contains your personal public / private keys:

    [gilda07] /home/beijing01/.globus > ll
    total 8
    -rw-r--r--  1 beijing01 users 1070 Nov  9 17:57 usercert.pem
    -r--------  1 beijing01 users  963 Nov  9 17:57 userkey.pem

Pay attention to permissions:
- userkey.pem contains your private key and must be readable only by yourself (400).
- usercert.pem contains your public key, which should also be readable from outside (644).

You can now have a look inside your certificate with the command grid-cert-info.

Slide 4: grid-cert-info

    [gilda07] /home/beijing01/.globus > grid-cert-info
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 6092 (0x17cc)
            Signature Algorithm: md5WithRSAEncryption
            Issuer: C=IT, O=GILDA, CN=GILDA Certification Authority
            Validity
                Not Before: Nov  9 09:36:33 2006 GMT
                Not After : Dec  4 09:36:33 2006 GMT
            Subject: C=IT, O=GILDA, OU=Personal Certificate, L=BEIJING, CN=BEIJING01
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (1024 bit)
                    Modulus (1024 bit):
                        …

Slide 5: voms-proxy-init

- Before you can run jobs you need to create a proxy, which allows jobs to run on the grid.
- Two types can be created, short-term and long-term. It is better to get into the habit of always creating a short-term one and then a long-term one if needed.
- Create a short-term proxy (lifetime < 12h).
- Command syntax: voms-proxy-init [options]
    -cert      Non-standard location of the user certificate
    -key       Non-standard location of the user key
    -userconf  Non-standard location of the user-defined VOMS server addresses
- You may use: voms-proxy-init --voms gilda
- The default location of the VOMS server address file is /opt/glite/etc/vomses or $HOME/.glite/vomses.
- Syntax of an entry: "vo-nickname" "voms server FQDN" "port" "voms server certificate subject" "vo name"

Slide 6: voms-proxy-init

If everything is OK, you should have:

    [gilda07] /home/beijing01/.globus > voms-proxy-init --voms gilda
    Cannot find file or dir: /home/beijing01/.glite/vomses
    Your identity: /C=IT/O=GILDA/OU=Personal Certificate/L=BEIJING/CN=BEIJING01
    Enter GRID pass phrase:
    Creating temporary proxy ....................................... Done
    Contacting voms.ct.infn.it:15001 [/C=IT/O=INFN/OU=Host/L=Catania/CN=voms.ct.infn.it] "gilda" Done
    Creating proxy ........................................... Done
    Your proxy is valid until Tue Nov 21 22:19:23 2006

Slide 7: voms-proxy-info

Once your proxy has been created, you can gather information on it with the voms-proxy-info command. It is much more useful when run with the -all option, because it will also show the VO-related information added by the VOMS server. Note the two different lifetimes: the first refers to the proxy itself, the second to the Attribute Certificate added by the VOMS server. Both must be valid for you to be fully enabled to perform operations.

Slide 8: voms-proxy-info

    [gilda07] /home/beijing01 > voms-proxy-info -all
    subject   : /C=IT/O=GILDA/OU=Personal Certificate/L=BEIJING/CN=BEIJING01/CN=proxy
    issuer    : /C=IT/O=GILDA/OU=Personal Certificate/L=BEIJING/CN=BEIJING01
    identity  : /C=IT/O=GILDA/OU=Personal Certificate/L=BEIJING/CN=BEIJING01
    type      : proxy
    strength  : 512 bits
    path      : /tmp/x509up_u33417
    timeleft  : 11:59:57
    === VO gilda extension information ===
    VO        : gilda
    subject   : /C=IT/O=GILDA/OU=Personal Certificate/L=BEIJING/CN=BEIJING01
    issuer    : /C=IT/O=INFN/OU=Host/L=Catania/CN=voms.ct.infn.it
    attribute : /gilda/Role=NULL/Capability=NULL
    timeleft  : 11:59:43
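As an added example (not part of the tutorial), the check slide 7 describes, applied to the voms-proxy-info -all output of slide 8: the usable lifetime is the smaller of the two timeleft values, and a proxy without any VO extension block (the situation Example 2 runs into later) is reported as not usable. It assumes a POSIX shell with awk; both sample outputs are constructed from the slides.

```shell
#!/bin/sh
# Constructed sample: the voms-proxy-info -all output shown on slide 8.
SAMPLE_OUTPUT='subject   : /C=IT/O=GILDA/OU=Personal Certificate/L=BEIJING/CN=BEIJING01/CN=proxy
issuer    : /C=IT/O=GILDA/OU=Personal Certificate/L=BEIJING/CN=BEIJING01
type      : proxy
strength  : 512 bits
timeleft  : 11:59:57
=== VO gilda extension information ===
VO        : gilda
attribute : /gilda/Role=NULL/Capability=NULL
timeleft  : 11:59:43'

# Constructed sample: a plain proxy carrying no VOMS attribute certificate.
NO_VO_OUTPUT='subject   : /C=IT/O=GILDA/OU=Personal Certificate/L=BEIJING/CN=BEIJING01/CN=proxy
type      : proxy
timeleft  : 11:59:57'

# effective_timeleft <voms-proxy-info -all output>
# Prints the usable lifetime in seconds: the minimum over every "timeleft"
# line, i.e. over the proxy itself and the VOMS attribute certificate.
# Returns 1 when no "=== VO ... extension information ===" block is present,
# because such a proxy carries no VO attributes and is not fully usable.
effective_timeleft() {
  printf '%s\n' "$1" | awk '
    /^=== VO .* extension information ===/ { vo = 1 }
    /^timeleft[ \t]*:/ {
      sub(/^timeleft[ \t]*:[ \t]*/, "")        # keep only h:mm:ss
      split($0, t, ":")
      s = t[1] * 3600 + t[2] * 60 + t[3]
      if (min == "" || s < min) min = s
    }
    END { if (!vo || min == "") exit 1; print min }'
}

# Example run: 11:59:43 is the shorter of the two lifetimes, so 43183 seconds.
echo "usable proxy lifetime: $(effective_timeleft "$SAMPLE_OUTPUT") s"
```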

Slide 9: voms-proxy-destroy

You may need to destroy a proxy before it naturally expires. Use the command voms-proxy-destroy.

Slide 10: myproxy-init

Creates and stores a long-term proxy certificate on a MyProxy server, allowing proxies to be renewed and extending their effective lifetime beyond 12 hours.

Command syntax: myproxy-init --voms

Principal options:
    -c  Lifetime of the delegated proxy on the server (default 1 week)
    -t  Lifetime of the proxies delegated by the server (default 12 hours)
    -d  Store the credential under the distinguished name in the proxy instead of the user name (mandatory for some data management services and for proxy renewal)
    -s  Specify the MyProxy server where the credentials are stored

Slide 11: myproxy-info

- This command is used to retrieve information on stored credentials.
- Local credentials are needed to run it: you need to execute voms-proxy-init or myproxy-get-delegation before running myproxy-info.
- If the credentials have been initialized with the -d switch, you also have to specify it here, otherwise an error like this may occur:

    [gilda07] /home/beijing01 > myproxy-info
    Received ERROR_RESPONSE: Credentials do not exist
    no credentials found for user beijing01, owner "/C=IT/O=GILDA/OU=Personal Certificate/L=BEIJING/CN=BEIJING01"

Slide 12: myproxy-get-delegation

- This command is used to retrieve a delegation from a long-lived proxy stored on the MyProxy server.
- It is independent of the machine! You don't need to have your certificate on board.
- If the credentials have been initialized with the -d switch, you have to specify it in the myproxy-get-delegation request as well.

Slide 13: myproxy-destroy

- Deletes, if existing, the long-lived credentials on the specified MyProxy server.
- Local credentials are needed to run it: you need to execute voms-proxy-init or myproxy-get-delegation before running myproxy-destroy.
- If the credentials have been initialized with the -d switch, you have to specify it in the myproxy-get-delegation request as well.

Slide 14: Example 1

    [gilda07] /home/beijing01 > myproxy-init --voms gilda
    Your identity: /C=IT/O=GILDA/OU=Personal Certificate/L=BEIJING/CN=BEIJING01
    Enter GRID pass phrase for this identity:
    Creating proxy ..................................... Done
    Proxy Verify OK
    Your proxy is valid until: Tue Nov 28 11:53:52 2006
    Enter MyProxy pass phrase:
    Verifying password - Enter MyProxy pass phrase:
    A proxy valid for 168 hours (7.0 days) for user beijing01 now exists on grid001.ct.infn.it.

    [gilda07] /home/beijing01 > myproxy-init -d --voms gilda
    Your identity: /C=IT/O=GILDA/OU=Personal Certificate/L=BEIJING/CN=BEIJING01
    Enter GRID pass phrase for this identity:
    Creating proxy ..................................................... Done
    Proxy Verify OK
    Your proxy is valid until: Tue Nov 28 11:54:39 2006
    Enter MyProxy pass phrase:
    Verifying password - Enter MyProxy pass phrase:
    A proxy valid for 168 hours (7.0 days) for user /C=IT/O=GILDA/OU=Personal Certificate/L=BEIJING/CN=BEIJING01 now exists on grid001.ct.infn.it.

Slide 15: Example 2

    [gilda07] /home/beijing01 > voms-proxy-destroy
    [gilda07] /home/beijing01 > voms-proxy-info
    Couldn't find a valid proxy.

Callout: the local proxy has been destroyed!

    [gilda07] /home/beijing01 > myproxy-init -d --voms gilda
    Your identity: /C=IT/O=GILDA/OU=Personal Certificate/L=BEIJING/CN=BEIJING01
    Enter GRID pass phrase for this identity:
    Creating proxy ................................. Done
    Proxy Verify OK
    Your proxy is valid until: Tue Nov 28 12:31:33 2006
    Enter MyProxy pass phrase:
    Verifying password - Enter MyProxy pass phrase:
    A proxy valid for 168 hours (7.0 days) for user /C=IT/O=GILDA/OU=Personal Certificate/L=BEIJING/CN=BEIJING01 now exists on grid001.ct.infn.it.

    [gilda07] /home/beijing01 > myproxy-get-delegation
    Enter MyProxy pass phrase:
    ERROR from server: Credentials do not exist
    Unable to retrieve credential information
    Failed to receive a proxy.

Callout: the -d parameter is needed.

Slide 16: Example 2 (continued)

    [gilda07] /home/beijing01 > myproxy-get-delegation -d
    Enter MyProxy pass phrase:
    A proxy has been received for user /C=IT/O=GILDA/OU=Personal Certificate/L=BEIJING/CN=BEIJING01 in /tmp/x509up_u33417

Callout: get a new proxy from the MyProxy server.

    [gilda07] /home/beijing01 > voms-proxy-info
    WARNING: Unable to verify signature! Server certificate possibly not installed.
    Error: VOMS extension not found!
    subject   : /C=IT/O=GILDA/OU=Personal Certificate/L=BEIJING/CN=BEIJING01/CN=proxy/CN=proxy/CN=proxy
    issuer    : /C=IT/O=GILDA/OU=Personal Certificate/L=BEIJING/CN=BEIJING01/CN=proxy/CN=proxy
    identity  : /C=IT/O=GILDA/OU=Personal Certificate/L=BEIJING/CN=BEIJING01/CN=proxy/CN=proxy
    type      : unknown
    strength  : 512 bits
    path      : /tmp/x509up_u33417
    timeleft  : 11:59:57

Slide 17: Example 3

    [gilda07] /home/beijing01 > myproxy-init -c 100 -t 10 --voms gilda
    Your identity: /C=IT/O=GILDA/OU=Personal Certificate/L=BEIJING/CN=BEIJING01
    Enter GRID pass phrase for this identity:
    Creating proxy ............................... Done
    Proxy Verify OK
    Your proxy is valid until: Sat Nov 25 15:57:20 2006
    Enter MyProxy pass phrase:
    Verifying password - Enter MyProxy pass phrase:
    A proxy valid for 100 hours (4.2 days) for user beijing01 now exists on grid001.ct.infn.it.

    [gilda07] /home/beijing01 > myproxy-get-delegation
    Enter MyProxy pass phrase:
    A proxy has been received for user beijing01 in /tmp/x509up_u33417

    [gilda07] /home/beijing01 > voms-proxy-info
    subject   : /C=IT/O=GILDA/OU=Personal Certificate/L=BEIJING/CN=BEIJING01/CN=proxy/CN=proxy/CN=proxy
    issuer    : /C=IT/O=GILDA/OU=Personal Certificate/L=BEIJING/CN=BEIJING01/CN=proxy/CN=proxy
    identity  : /C=IT/O=GILDA/OU=Personal Certificate/L=BEIJING/CN=BEIJING01/CN=proxy/CN=proxy
    type      : unknown
    strength  : 512 bits
    path      : /tmp/x509up_u33417
    timeleft  : 9:59:51

Slide 18: Exercise

- Create a proxy with voms-proxy-init, then verify the obtained credentials with voms-proxy-info.
- Destroy the local proxy.
- Create a myproxy with the -d option.
- Get a delegation from the MyProxy server.
- Check the status of the local proxy.
- Try other options of the myproxy commands.

Slide 19: How to obtain a certificate

Visit https://gridca.ihep.ac.cn/

Slide 20: How to obtain a certificate

Step 1: Submit the User Certificate Application Form.
Step 2: Request the certificate online at https://gridca.ihep.ac.cn/cgi-public/pki?cmd=user_csr
    - Organization: PKU
    - Organization Unit: PHYS
Step 3: Get your certificate from https://gridca.ihep.ac.cn/getcert.html
Step 4: Export the certificate.

Slide 21: Manage your certificate

Exporting the digital certificate with the private key from IE:
1. Open the IE browser, choose the "Tools" menu and click "Internet Options".
2. Click the "Content" tab, then choose "Certificates".
3. Click the certificate that you want to export.
4. Click the "Export" button.
5. Click "Next" in the "Export Wizard" window.
6. Select "Export private key". Click "Next".
7. Make sure "Personal Information Exchange - PKCS#12" is checked, and also "Enable strong protection". "Delete private key if successful" must be unchecked. "Include all certificates in path" should be unchecked, too. Click "Next".
8. Type the passphrase (twice) that you use to protect your private key. We recommend you choose an 8-character pass phrase. Click "Next".
9. Type the name of the file where you want to store your certificate. Click "Next".
10. Click "Finish".

Slide 22: Convert certificate formats

How to convert a certificate between the PKCS12 and PEM formats?

For a user certificate, to get the key and the certificate out of a PKCS12 file (.p12 or .pfx):

    openssl pkcs12 -in user.p12 -out userkey.pem -nocerts
    openssl pkcs12 -in user.p12 -out usercert.pem -nokeys -clcerts

To convert PEM (.crt and .key files) to a PKCS12 file:

    openssl pkcs12 -export -in usercert.pem -inkey userkey.pem -out user.p12

PKCS12 files can be imported into your web browser.
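An added example (not from the tutorial) that ties the conversion on slide 22 to the permission rule on slide 3: it runs the two openssl pkcs12 commands non-interactively, writes the key encrypted under the GRID pass phrase, and then verifies that the resulting .globus-style directory has userkey.pem at 400 and usercert.pem at 644. The -passin/-passout options, the restrictive umask and the mode_of helper are my additions; it assumes a Linux host with GNU stat (BSD stat as a fallback).

```shell
#!/bin/sh
# mode_of <file>: print the octal permission bits (GNU stat, BSD fallback).
mode_of() {
  stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# p12_to_pem <bundle.p12> <import password> <grid pass phrase> <out dir>
# Runs the two conversions from slide 22. The private key is written
# encrypted under the GRID pass phrase (the one voms-proxy-init later
# prompts for), and both files are created under umask 077 so the key is
# never world-readable, not even in the moment before the final chmod.
p12_to_pem() {
  p12=$1 inpass=$2 keypass=$3 dir=$4
  mkdir -p "$dir" && chmod 700 "$dir" || return 1
  ( umask 077
    openssl pkcs12 -in "$p12" -out "$dir/userkey.pem" -nocerts \
      -passin "pass:$inpass" -passout "pass:$keypass" &&
    openssl pkcs12 -in "$p12" -out "$dir/usercert.pem" -nokeys -clcerts \
      -passin "pass:$inpass"
  ) || return 1
  chmod 400 "$dir/userkey.pem" && chmod 644 "$dir/usercert.pem"
}

# check_globus_perms <dir>: the check from slide 3. Returns 0 when
# userkey.pem is private (400 as recommended; 600 is also accepted by the
# Globus tools) and usercert.pem is world-readable (644), 1 otherwise.
check_globus_perms() {
  k=$(mode_of "$1/userkey.pem") || return 1
  c=$(mode_of "$1/usercert.pem") || return 1
  case $k in
    400|600) ;;
    *) echo "userkey.pem has mode $k, expected 400" >&2; return 1 ;;
  esac
  [ "$c" = 644 ] || { echo "usercert.pem has mode $c, expected 644" >&2; return 1; }
}

# Typical use:
#   p12_to_pem ~/user.p12 "$IMPORT_PW" "$GRID_PW" ~/.globus && check_globus_perms ~/.globus
```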

Slide 23: Exercise

- Convert your certificate, which is located in the .globus directory, to the PKCS12 format.
- Import the .p12 file into Internet Explorer.
    - You may need to set a pass phrase for the certificate.
- Export the certificate from Internet Explorer, saving it under a different file name.
- Convert the exported certificate into the PEM format.

