Presentation is loading. Please wait.

Presentation is loading. Please wait.

INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org Practicals on VOMS and MyProxy Emidio Giorgio INFN Retreat between GILDA and ESR VO, Bratislava,

Published bySilvia Moody Modified over 8 years ago

Similar presentations

Presentation on theme: "INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org Practicals on VOMS and MyProxy Emidio Giorgio INFN Retreat between GILDA and ESR VO, Bratislava,"— Presentation transcript:

1 INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org Practicals on VOMS and MyProxy Emidio Giorgio INFN Retreat between GILDA and ESR VO, Bratislava, 27- 30.06.2005

2 Enabling Grids for E-sciencE INFSO-RI-508833 Retreat between GILDA and ESR VO on gLite, Bratislava, 27-30.06.2005 2 Outline VOMS vs. plain proxy VOMS proxy creation MyProxy Obtaining VOMS delegation through MyProxy

3 Enabling Grids for E-sciencE INFSO-RI-508833 Retreat between GILDA and ESR VO on gLite, Bratislava, 27-30.06.2005 3 VOMS generalities Virtual Organisation Membership Services is service which keeps track of VO members and grants users authorization to access resources at the VO level Differently from standard plain proxies, provides support for group membership, roles, and capabilities Each VO has a server, which is contacted from user when he initializes his voms-proxy VOMS server returns a proxy, containing also infos on user (Attribute Certificate), which are included in a unique certificate

4 Enabling Grids for E-sciencE INFSO-RI-508833 Retreat between GILDA and ESR VO on gLite, Bratislava, 27-30.06.2005 4 VOMS proxy creation voms-proxy-init --voms gildav Your identity: /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio Giorgio/Email=emidio.giorgio@ct.infn.it Enter GRID pass phrase for this identity: [insert your certificate passphrase] Creating temporary proxy............................................. Done /C=IT/O=INFN/OU=Host/L=CNAF/CN=cert-voms- 01.cnaf.infn.it /C=IT/O=INFN/CN=INFN Certification Authority Creating proxy............................................. Done Your proxy is valid until Mon Jun 13 09:06:00 2005

5 Enabling Grids for E-sciencE INFSO-RI-508833 Retreat between GILDA and ESR VO on gLite, Bratislava, 27-30.06.2005 5 VOMS proxy creation Principal options –-hours x, create a proxy valid for x hours –-vomslife x, create a proxy with AC valid for x hours –-cert Non-standard location of user certificate –-key Non-standard location of user key –-out Non-standard location of new proxy cert Default maximum value for vomslife is 24, superior requests will be shortened to 86400 seconds (24 h)

6 Enabling Grids for E-sciencE INFSO-RI-508833 Retreat between GILDA and ESR VO on gLite, Bratislava, 27-30.06.2005 6 Verify your credentials voms-proxy-info Principal options : -all prints all proxy options -file specifies a different location of proxy file WARNING : in gLite 1.0, you may have problems (error 5025) with glite-job-* commands, when in /etc/grid-security/vomsdir there’s more than one host certificate. By pass this creating a directory containing only the host certificate of your VOMS server. [giorgio@glite-tutor:~]$ ls /etc/grid- security/vomsdir.gildav.glite/ gildav-cert-voms-01.cnaf.infn.it.pem Then export X509_VOMS_DIR=/etc/grid- security/vomsdir.gildav.glite/

7 Enabling Grids for E-sciencE INFSO-RI-508833 Retreat between GILDA and ESR VO on gLite, Bratislava, 27-30.06.2005 7 Verify obtained credentials [giorgio@glite-tutor:~]$ voms-proxy-info --all subject : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio Giorgio/Email=emidio.giorgio@ct.infn.it/CN=proxy issuer : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio Giorgio/Email=emidio.giorgio@ct.infn.it identity : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio Giorgio/Email=emidio.giorgio@ct.infn.it type : proxy strength : 512 bits path : /tmp/x509up_u513 timeleft : 20:59:53 VO : gildav subject : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio Giorgio/Email=emidio.giorgio@ct.infn.it issuer : /C=IT/O=INFN/OU=Host/L=CNAF/CN=cert-voms- 01.cnaf.infn.it attribute : /gildav/Role=NULL/Capability=NULL timeleft : 20:58:28

8 Enabling Grids for E-sciencE INFSO-RI-508833 Retreat between GILDA and ESR VO on gLite, Bratislava, 27-30.06.2005 8 Long term proxy : MyProxy Proxy (and VOMS proxy) have limited lifetime (default is 12 h) –Bad idea to have longer proxy However, a grid task might need to use a proxy for a much longer time –Grid jobs in HEP Data Challenges on LCG last up to 2 days myproxy server: –Allows to create and store a long term proxy certificate: –myproxy-init -s  -s: specifies the hostname of the myproxy server –myproxy-info  Get information about stored long living proxy –myproxy-get-delegation  Get a new proxy from the MyProxy server –myproxy-destroy –Check out the myproxy-xxx - - help option A dedicated service on the RB can renew automatically the proxy –contacting the myproxy server

9 Enabling Grids for E-sciencE INFSO-RI-508833 Retreat between GILDA and ESR VO on gLite, Bratislava, 27-30.06.2005 9 myproxy-init [giorgio@glite-tutor:~]$ myproxy-init -s grid001.ct.infn.it Your identity: /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio Giorgio/Email=emidio.giorgio@ct.infn.it Enter GRID pass phrase for this identity: Creating proxy..................................................... Done Proxy Verify OK Your proxy is valid until: Sun Jun 19 21:18:27 2005 Enter MyProxy pass phrase: Verifying password - Enter MyProxy pass phrase: A proxy valid for 168 hours (7.0 days) for user giorgio now exists on grid001.ct.infn.it. Principal option -c hours specifies lifetime of the credential stored -t hours specifies the maximum lifetime of credentials retrieved

10 Enabling Grids for E-sciencE INFSO-RI-508833 Retreat between GILDA and ESR VO on gLite, Bratislava, 27-30.06.2005 10 myproxy-info Useful to retrieve info on stored credentials [giorgio@glite-tutor:~]$ myproxy-info -s grid001.ct.infn.it username: giorgio owner: /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio Giorgio/Email=emidio.giorgio@ct.infn.it timeleft: 167:55:34 (7.0 days)

11 Enabling Grids for E-sciencE INFSO-RI-508833 Retreat between GILDA and ESR VO on gLite, Bratislava, 27-30.06.2005 11 myproxy-get-delegation This command can be used to retrieve a proxy stored, It is independent by the machine ! You don’t need to have your certificate on board [giorgio@glite-tutor:~]$ mv.globus dummy [giorgio@glite-tutor:~]$ myproxy-get-delegation -s grid001.ct.infn.it Enter MyProxy pass phrase: A proxy has been received for user giorgio in /tmp/x509up_u513 mv dummy/.globus

12 Enabling Grids for E-sciencE INFSO-RI-508833 Retreat between GILDA and ESR VO on gLite, Bratislava, 27-30.06.2005 12 MyProxy and VOMS myproxy-init works creating a temporary plain proxy, with the “old” grid-proxy-init The plain proxy is stored on the MyProxy Server It will be valid for the desired duration (default is a week, maximum is the certificate lifetime) The proxy retrieved with myproxy-get-delegation will be a plain proxy too….. All the VOMS extensions in these way are lost Resources will rejects jobs from these user How can use delegated credentials keeping VOMS extension ?

13 Enabling Grids for E-sciencE INFSO-RI-508833 Retreat between GILDA and ESR VO on gLite, Bratislava, 27-30.06.2005 13 Tricking the MyProxy server This procedure is useful for those applications which needs to renew user credentials Store once a plain proxy on myproxy server myproxy-init -s grid001.ct.infn.it Soon get the delegated credentials, specifying lifetime myproxy-get-delegation -s grid001.ct.infn.it -t 27 Enter MyProxy pass phrase: A proxy has been received for user giorgio in /tmp/x509up_u513 Request a voms proxy signing it with the received delegation (no passphrase requested) voms-proxy-init -t 25 -cert /tmp/x509up_u513 -key /tmp/x509up_u513 -voms gildav Your identity: /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio Giorgio/Email=emidio.giorgio@ct.infn.it/CN=proxy/CN=proxy/CN=proxy/CN=proxy Creating temporary proxy............................... Done /C=IT/O=INFN/OU=Host/L=CNAF/CN=cert-voms-01.cnaf.infn.it /C=IT/O=INFN/CN=INFN Certification Authority Creating proxy.................................... Done

14 Enabling Grids for E-sciencE INFSO-RI-508833 Retreat between GILDA and ESR VO on gLite, Bratislava, 27-30.06.2005 14 Problems These trick perfectly works on an uniform gLite testbed The most of testbeds is “hybrid” (UI + RB glite, CE + WN lcg), or fully lcg The reason is already unknown, but seems dued to differences between CE’s, or to the ability of GSI to accept longs proxy chains (like the ones formed by VOMS + MyProxy)

15 Enabling Grids for E-sciencE INFSO-RI-508833 Retreat between GILDA and ESR VO on gLite, Bratislava, 27-30.06.2005 15 Questions…

Download ppt "INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org Practicals on VOMS and MyProxy Emidio Giorgio INFN Retreat between GILDA and ESR VO, Bratislava,"

Similar presentations

It’s not about security... it’s about access! Grid Security Pieter van Beek.

It’s not about security... it’s about access! Grid Security Pieter van Beek.
Riccardo Bruno, INFN.CT Sevilla, 10-14/09/2007 GENIUS Exercises.

Riccardo Bruno, INFN.CT Sevilla, 10-14/09/2007 GENIUS Exercises.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE Tutorial Getting started with GILDA.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE Tutorial Getting started with GILDA.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org Claudio Cherubino, INFN Catania Grid Tutorial for users Merida, 27-29 April 2006 Authorization.

INFSO-RI Enabling Grids for E-sciencE Claudio Cherubino, INFN Catania Grid Tutorial for users Merida, April 2006 Authorization.
GLite authentication and authorization Discipline: Grid Computing, 07/08-2 Practical classes Inês Dutra, DCC/FCUP.

GLite authentication and authorization Discipline: Grid Computing, 07/08-2 Practical classes Inês Dutra, DCC/FCUP.
Enabling Grids for E-sciencE www.eu-egee.org Security on gLite middleware Matthieu Reichstadt CNRS/IN2P3 ACGRID School, Hanoi (Vietnam) November 5th, 2007.

Enabling Grids for E-sciencE Security on gLite middleware Matthieu Reichstadt CNRS/IN2P3 ACGRID School, Hanoi (Vietnam) November 5th, 2007.
FP6−2004−Infrastructures−6-SSA-026409 www.eu-eela.org E-infrastructure shared between Europe and Latin America Luciano Díaz ICN-UNAM Based on Domenico.

FP6−2004−Infrastructures−6-SSA E-infrastructure shared between Europe and Latin America Luciano Díaz ICN-UNAM Based on Domenico.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org Security in gLite Gergely Sipos and Peter Kacsuk MTA SZTAKI Grid Computing School.

EGEE-II INFSO-RI Enabling Grids for E-sciencE Security in gLite Gergely Sipos and Peter Kacsuk MTA SZTAKI Grid Computing School.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org Security on Grid: Emidio Giorgio INFN – Catania Pisa, EGEE 4 th Conference Training Day, 23.

INFSO-RI Enabling Grids for E-sciencE Security on Grid: Emidio Giorgio INFN – Catania Pisa, EGEE 4 th Conference Training Day, 23.
Www.eu-eela.org E-science grid facility for Europe and Latin America E2GRIS1 Raúl Priego Martínez – CETA-CIEMAT (Spain)‏ Itacuruça (Brazil), 2-15 November.

E-science grid facility for Europe and Latin America E2GRIS1 Raúl Priego Martínez – CETA-CIEMAT (Spain)‏ Itacuruça (Brazil), 2-15 November.
FP6−2004−Infrastructures−6-SSA-026409 www.eu-eela.org E-infrastructure shared between Europe and Latin America MyProxy server installation Emidio Giorgio.

FP6−2004−Infrastructures−6-SSA E-infrastructure shared between Europe and Latin America MyProxy server installation Emidio Giorgio.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org Installation and configuration of gLite Resource Broker Emidio Giorgio INFN EGEE-EMBRACE tutorial,

INFSO-RI Enabling Grids for E-sciencE Installation and configuration of gLite Resource Broker Emidio Giorgio INFN EGEE-EMBRACE tutorial,
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org WMS + LB Installation Emidio Giorgio Giuseppe La Rocca INFN EGEE Tutorial, Rome 02-04.November.2005.

INFSO-RI Enabling Grids for E-sciencE WMS + LB Installation Emidio Giorgio Giuseppe La Rocca INFN EGEE Tutorial, Rome November.2005.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org How to join GILDA Riccardo Bruno INFN gLite Tutorial at the First EGEE User Forum CERN, 27-28.02.2006.

INFSO-RI Enabling Grids for E-sciencE How to join GILDA Riccardo Bruno INFN gLite Tutorial at the First EGEE User Forum CERN,
Www.eu-eela.org E-infrastructure shared between Europe and Latin America Security Hands-on Christian Grunfeld, UNLP 8th EELA Tutorial, La Plata, 11/12-12/12,2006.

E-infrastructure shared between Europe and Latin America Security Hands-on Christian Grunfeld, UNLP 8th EELA Tutorial, La Plata, 11/12-12/12,2006.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org VOMS architecture Valerio Venturi, Vincenzo Ciaschini INFN First gLite tutorial on GILDA,

INFSO-RI Enabling Grids for E-sciencE VOMS architecture Valerio Venturi, Vincenzo Ciaschini INFN First gLite tutorial on GILDA,
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Introduction to GILDA and gaining access.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Introduction to GILDA and gaining access.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org GILDA Practicals : Security systems GILDA Tutors Singapore, 1st South East Asia Forum -- EGEE.

INFSO-RI Enabling Grids for E-sciencE GILDA Practicals : Security systems GILDA Tutors Singapore, 1st South East Asia Forum -- EGEE.
Www.eu-eela.org E-infrastructure shared between Europe and Latin America FP6−2004−Infrastructures−6-SSA-026409 Hands-on on security Pedro Rausch IF - UFRJ.

E-infrastructure shared between Europe and Latin America FP6−2004−Infrastructures−6-SSA Hands-on on security Pedro Rausch IF - UFRJ.
EGEE-III INFSO-RI-222667 Enabling Grids for E-sciencE Apr. 25, 2009 www.eu-egee.org Grid Computing Hands On Training for Users Faculty of Sciences, University.

EGEE-III INFSO-RI Enabling Grids for E-sciencE Apr. 25, Grid Computing Hands On Training for Users Faculty of Sciences, University.

Similar presentations

Ads by Google