Published byMarcus Kelley Modified over 9 years ago
Slide 1
4th EELA TUTORIAL - USERS AND SYSTEM ADMINISTRATORS
www.eu-eela.org
E-infrastructure shared between Europe and Latin America

Security Hands-on
Vanessa Hamar, Universidad de Los Andes
4th EELA Tutorial, Mexico DF, 28/08-01/09, 2006
Slide 2: Overview
- Accessing the UI
- Private and public keys
- VOMS
  – voms-proxy-init
  – voms-proxy-info
- MyProxy
  – myproxy-init
  – myproxy-info
  – myproxy-get-delegation
  – myproxy-destroy
Slide 3: How to access the User Interface
Hostname: eela-132.super.unam.mx
Username: mexicocityXX (where XX is in [01..60])
Password: GridME XX (where XX is in [01..60])
Certificate passphrase: MEXICOCITY
Slide 4: Preliminary: the .globus directory
The .globus directory contains your personal public / private keys. Pay attention to permissions:
- userkey.pem contains your private key, and must be readable just by yourself (400)
- usercert.pem contains your public key, which should be readable also from outside (644)

    [mexicocity14@eela-132 mexicocity14]$ ls -al .globus/u*
    -rw-r--r--  1 mexicocity14 eela 1139 Aug  9 16:12 usercert.pem
    -rw-------  1 mexicocity14 eela  963 Aug  9 16:12 userkey.pem
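The permission rule from this slide, written out as a check you can run before starting a session. This is an added shell example, not part of the tutorial: check_globus_perms reads the mode of userkey.pem and usercert.pem with GNU stat and flags anything wider than the slide's 400 / 644; the demo directory it builds at the end is constructed and holds empty files only.

```shell
#!/bin/sh
# Added example, not part of the tutorial: check that a .globus directory has the
# permissions the slide requires (private key 400, public certificate 644).
# check_globus_perms DIR -> prints a verdict per file; returns 0 only if both are acceptable.
# Assumes GNU stat (-c '%a'); on BSD/macOS use: stat -f '%Lp' FILE
check_globus_perms() {
    dir="$1"
    status=0
    for f in userkey.pem usercert.pem; do
        if [ ! -f "$dir/$f" ]; then
            echo "MISSING $dir/$f"
            return 1
        fi
    done
    keymode=$(stat -c '%a' "$dir/userkey.pem")
    certmode=$(stat -c '%a' "$dir/usercert.pem")
    # The private key must be unreadable by group and others. 400 is the slide's
    # value; 600 (what the ls output on the slide actually shows) is also private.
    case "$keymode" in
        400|600) echo "OK  userkey.pem mode $keymode" ;;
        *)       echo "BAD userkey.pem mode $keymode (expected 400)"; status=1 ;;
    esac
    # The public certificate may be world-readable, but must not be writable by group/others.
    case "$certmode" in
        644|444|640|600|400) echo "OK  usercert.pem mode $certmode" ;;
        *)                   echo "BAD usercert.pem mode $certmode (expected 644)"; status=1 ;;
    esac
    return $status
}

# Constructed demo: a throwaway directory with one good and one bad layout
# (no real keys are involved, the files are empty).
demo=$(mktemp -d)
mkdir "$demo/good" "$demo/bad"
touch "$demo/good/userkey.pem" "$demo/good/usercert.pem"
chmod 400 "$demo/good/userkey.pem"
chmod 644 "$demo/good/usercert.pem"
touch "$demo/bad/userkey.pem" "$demo/bad/usercert.pem"
chmod 644 "$demo/bad/userkey.pem"      # private key readable by everyone
chmod 666 "$demo/bad/usercert.pem"     # certificate writable by everyone
check_globus_perms "$demo/good"
check_globus_perms "$demo/bad" || echo "fix with: chmod 400 ~/.globus/userkey.pem; chmod 644 ~/.globus/usercert.pem"
rm -rf "$demo"
```

On the UI you would call it as check_globus_perms "$HOME/.globus"; a BAD verdict on userkey.pem means anyone in your group (or everyone on the host) can read the key material that every proxy is derived from.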
Slide 5: glite-voms-proxy-init: options
Main options (glite-voms-proxy-init --voms <voms>):
-help, -usage           Displays usage
-version                Displays version
-debug                  Enables extra debug output
-quiet, -q              Quiet mode, minimal output
-verify                 Verifies certificate to make proxy for
-pwstdin                Allows passphrase from stdin
-limited                Creates a limited proxy
-valid <h:m>            Proxy is valid for h hours and m minutes (default to 12:00)
-hours H                Proxy is valid for H hours (default: 12)
-bits <bits>            Number of bits in key {512|1024|2048|4096}
-cert <certfile>        Non-standard location of user certificate
-key <keyfile>          Non-standard location of user key
-certdir <certdir>      Non-standard location of trusted cert dir
-out <proxyfile>        Non-standard location of new proxy cert
-voms <voms[:command]>  Specify voms server. :command is optional.
-order <group[:role]>   Specify ordering of attributes.
-vomslife <h:m>         Try to get a VOMS pseudocert valid for h hours and m minutes (default to value of -valid).
-include <file>         Include the contents of the specified files
-confile <file>         Non-standard location of voms server addresses.
-vomses <file>          Non-standard location of configuration files.
Slide 6: Verify your credentials
Exercise 1: create a VOMS proxy requesting your group membership (all of you belong to the generic-users group); then verify the obtained credentials with:

    glite-voms-proxy-info

Main options:
-all           prints all proxy options
-file <file>   specifies a different location of proxy file
Slide 7: glite-voms-proxy-init

    [mexicocity14@eela-132 mexicocity14]$ glite-voms-proxy-init --voms gilda
    Cannot find file or dir: /home/mexicocity14/.glite/vomses
    Your identity: /C=IT/O=GILDA/OU=Personal Certificate/L=MEXICOCITY/CN=MEXICOCITY14/Email=roberto.barbera@ct.infn.it
    Enter GRID pass phrase:
    Creating temporary proxy ..................................... Done
    Contacting voms.ct.infn.it:15001 [/C=IT/O=GILDA/OU=Host/L=INFN Catania/CN=voms.ct.infn.it/Email=emidio.giorgio@ct.infn.it] "gilda" Done
    Creating proxy ................................... Done
    Your proxy is valid until Tue Aug 22 20:58:04 2006
Slide 8: VOMS proxy info

    [mexicocity14@eela-132 mexicocity14]$ glite-voms-proxy-info --all
    subject   : /C=IT/O=GILDA/OU=Personal Certificate/L=MEXICOCITY/CN=MEXICOCITY14/Email=roberto.barbera@ct.infn.it/CN=proxy
    issuer    : /C=IT/O=GILDA/OU=Personal Certificate/L=MEXICOCITY/CN=MEXICOCITY14/Email=roberto.barbera@ct.infn.it
    identity  : /C=IT/O=GILDA/OU=Personal Certificate/L=MEXICOCITY/CN=MEXICOCITY14/Email=roberto.barbera@ct.infn.it
    type      : proxy
    strength  : 512 bits
    path      : /tmp/x509up_u513
    timeleft  : 11:53:46
    === VO gilda extension information ===
    VO        : gilda
    subject   : /C=IT/O=GILDA/OU=Personal Certificate/L=MEXICOCITY/CN=MEXICOCITY14/Email=roberto.barbera@ct.infn.it
    issuer    : /C=IT/O=GILDA/OU=Host/L=INFN Catania/CN=voms.ct.infn.it/Email=emidio.giorgio@ct.infn.it
    attribute : /gilda/Role=NULL/Capability=NULL
    timeleft  : 11:55:44

The first block (subject, issuer, identity, type, strength, path, timeleft) holds the standard Globus attributes; the block after "=== VO gilda extension information ===" holds the VOMS extensions.
Slide 9: Long term proxy: MyProxy
myproxy server:
– myproxy-init: allows you to create and store a long term proxy certificate
– myproxy-info: get information about a stored long living proxy
– myproxy-get-delegation: get a new proxy from the MyProxy server
– myproxy-destroy
Check them out with the myproxy-xxx --help option.
A dedicated service on the RB can renew the proxy automatically by contacting the myproxy server.
Slide 10: myproxy-init

    [mexicocity14@eela-132 mexicocity14]$ myproxy-init
    Your identity: /C=IT/O=GILDA/OU=Personal Certificate/L=MEXICOCITY/CN=MEXICOCITY14/Email=roberto.barbera@ct.infn.it
    Enter GRID pass phrase for this identity:
    Creating proxy ............................................... Done
    Proxy Verify OK
    Your proxy is valid until: Tue Aug 29 09:18:58 2006
    Enter MyProxy pass phrase:
    Verifying password - Enter MyProxy pass phrase:
    A proxy valid for 168 hours (7.0 days) for user mexicocity14 now exists on grid001.ct.infn.it.

Principal options:
-c hours   specifies lifetime of stored credentials
-t hours   specifies the maximum lifetime of retrieved credentials
-s host    specifies the myproxy server used to store credentials
-d         stores credential with the distinguished name in proxy, instead of user name (mandatory for some data management services and proxy renewal)
For proxy renewal it's also mandatory to use -n (no passphrase). You also have to specify the subject of the principals that can renew a delegation (-R subject, or -A for any principal).
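The option rules on this slide, turned into a small command-line builder so the two ways of storing a credential are spelled out side by side. This is an added shell example, not part of the tutorial: the flags it emits (-s, -c, -t, -d, -n, -R, -A) are real myproxy-init options, while the server name and the renewer DN are placeholders. It encodes the slide's rule that -n is only acceptable together with an explicit statement of who may renew, and prefers naming that principal with -R over opening renewal to anyone with -A.

```shell
#!/bin/sh
# Added example, not part of the tutorial: assemble the myproxy-init command line for
# the two situations the slide describes, and refuse the combination the slide calls
# incomplete (-n without saying who may renew). The flags are real myproxy-init
# options (-s, -c, -t, -d, -n, -R, -A); the server and DN values below are placeholders.
#
# myproxy_init_cmd MODE SERVER CRED_HOURS PROXY_HOURS [RENEWER_DN]
#   retrieve : credential protected by a MyProxy passphrase, fetched later with
#              myproxy-get-delegation (the plain invocation shown on the slide).
#   renew    : credential for automatic renewal by a service such as the RB: needs
#              -d and -n plus an explicit renewer (-R DN); without a DN this function
#              refuses instead of silently falling back to -A (any principal may renew).
myproxy_init_cmd() {
    mode="$1"; server="$2"; cred_hours="$3"; proxy_hours="$4"; renewer="$5"
    # A retrieved proxy cannot usefully outlive the stored credential it is derived
    # from, so asking for -t larger than -c is a configuration mistake.
    if [ "$proxy_hours" -gt "$cred_hours" ]; then
        echo "refusing: -t $proxy_hours exceeds -c $cred_hours" >&2
        return 1
    fi
    case "$mode" in
        retrieve)
            echo "myproxy-init -s $server -c $cred_hours -t $proxy_hours"
            ;;
        renew)
            if [ -z "$renewer" ]; then
                echo "refusing: -n (no passphrase) needs an explicit renewer DN via -R; -A would allow any principal" >&2
                return 1
            fi
            echo "myproxy-init -s $server -c $cred_hours -t $proxy_hours -d -n -R '$renewer'"
            ;;
        *)
            echo "unknown mode: $mode" >&2
            return 1
            ;;
    esac
}

# Demo: the tutorial's lifetimes (168 h stored, 12 h retrieved) with placeholder names.
myproxy_init_cmd retrieve myproxy.example.org 168 12
myproxy_init_cmd renew myproxy.example.org 168 12 '/C=XX/O=Example/CN=rb.example.org'
myproxy_init_cmd renew myproxy.example.org 168 12 || echo "(rejected, as intended)"
```

The function only prints the command; run its output yourself once you have checked it. A credential stored with -n has no MyProxy passphrase, so the -R DN is the only thing standing between the stored credential and any client that can reach the server, which is why the builder treats a missing DN as an error rather than a default.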
Slide 11: myproxy-info
Useful to retrieve info on stored credentials. Requires local credentials. If the credentials were initialized with the -d switch, you also have to specify the same option here.

    [mexicocity14@eela-132 mexicocity14]$ myproxy-info -s grid001.ct.infn.it -v
    Socket bound to port 20001.
    server name: /C=IT/O=INFN/OU=Host/L=Catania/CN=grid001.ct.infn.it
    checking if server name matches "myproxy@grid001.ct.infn.it"
    server name does not match
    checking if server name matches "host@grid001.ct.infn.it"
    server name accepted
    username: mexicocity14
    owner: /C=IT/O=GILDA/OU=Personal Certificate/L=MEXICOCITY/CN=MEXICOCITY14/Email=roberto.barbera@ct.infn.it
    timeleft: 167:52:13  (7.0 days)
Slide 12: myproxy-get-delegation
This command is used to retrieve a delegation from a long lived proxy stored on a myproxy server. It is independent of the machine: you don't need to have your certificate on board. If the credentials were initialized with the -d switch, you have to specify it also in the myproxy-get-delegation request.

    [mexicocity14@eela-132 mexicocity14]$ myproxy-get-delegation -s grid001.ct.infn.it
    Enter MyProxy pass phrase:
    A proxy has been received for user mexicocity14 in /tmp/x509up_u513
Slide 13: myproxy-destroy
Delete, if existing, the long lived credentials on the specified myproxy server. To specify the myproxy server you should use the -s switch.

    [mexicocity14@eela-132 mexicocity14]$ myproxy-get-delegation -s grid001.ct.infn.it
    Enter MyProxy pass phrase:
    A proxy has been received for user mexicocity14 in /tmp/x509up_u513
    [mexicocity14@eela-132 mexicocity14]$ myproxy-destroy -s grid001.ct.infn.it
    Default MyProxy credential for user mexicocity14 was successfully removed.
Slide 14: Exercise
Exercise 2
– Create a myproxy on the server grid001.ct.infn.it
– Check information on the created proxy
– Create a myproxy with the -d option
– Check the new proxy
– Which differences do you note?
– Destroy both proxies
Slide 15: Storing long lived VOMS proxies
- myproxy doesn't natively support VOMS
- To allow storing of VOMS extensions, the myproxy client has been modified: the ability to choose VO and group/roles has been added, while the previous options have all been kept
- Proxies retrieved with myproxy-get-delegation will have the requested VOMS extension, but...
- ...there's a limitation, due to the VOMS extension lifetime: typically it's limited, and it's not renewed when performing myproxy-get-delegation
- Solutions to extend VOMS extension renewal in get-delegation are being studied
- The "modified" client is available only on GILDA UIs; it will be deployed more widely when the above issues are solved

    myproxy-init --voms gilda
Slide 16: VOMS extension on a delegated proxy

    [ui-test] /home/giorgio > myproxy-get-delegation -s grid001.ct.infn.it
    Enter MyProxy pass phrase:
    A proxy has been received for user giorgio in /tmp/x509up_u500
    [ui-test] /home/giorgio > voms-proxy-info -all
    subject   : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio Giorgio/Email=emidio.giorgio@ct.infn.it/CN=proxy/CN=proxy/CN=proxy
    issuer    : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio Giorgio/Email=emidio.giorgio@ct.infn.it/CN=proxy/CN=proxy
    identity  : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio Giorgio/Email=emidio.giorgio@ct.infn.it/CN=proxy/CN=proxy
    type      : unknown
    strength  : 512 bits
    path      : /tmp/x509up_u500
    timeleft  : 12:00:09
    === VO gilda extension information ===
    VO        : gilda
    subject   : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio Giorgio/Email=emidio.giorgio@ct.infn.it
    issuer    : /C=IT/O=GILDA/OU=Host/L=INFN Catania/CN=voms.ct.infn.it/Email=emidio.giorgio@ct.infn.it
    attribute : /gilda/Role=NULL/Capability=NULL
    attribute : /gilda/tutors/Role=NULL/Capability=NULL
    timeleft  : 23:59:57

The last "timeleft" line is the VOMS extension lifetime, which is separate from the proxy's own lifetime (12:00:09 above).
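Both proxy-info listings on this page (slide 8 for a freshly created VOMS proxy, this slide for a proxy retrieved from MyProxy) print two independent "timeleft" values, one for the proxy certificate and one for the VOMS extension, and the previous slide explains why the second one is not refreshed by myproxy-get-delegation. The following added shell example, not part of the tutorial, reads such a listing from stdin and decides whether the credential is fit for use: it takes the usable lifetime as the smaller of the two, checks the key strength and the VO name against a policy you pass in, and warns when the VOMS extension will lapse before the proxy. The sample listings are constructed with placeholder DNs; the thresholds (3600 s, 512 or 1024 bits) are assumptions chosen for the demo.

```shell
#!/bin/sh
# Added example, not part of the tutorial: read the text printed by
# glite-voms-proxy-info --all (slide 8) or voms-proxy-info -all on a delegated proxy
# (slide 16) and decide whether the credential is fit for use. The proxy and its VOMS
# extension carry separate "timeleft" values, so the usable lifetime is the smaller one.
# Usage: glite-voms-proxy-info --all | check_proxy_info MIN_SECONDS MIN_BITS VO

# hms_to_seconds "11:53:46" -> 42826
hms_to_seconds() {
    echo "$1" | awk -F: '{ printf "%d\n", $1 * 3600 + $2 * 60 + $3 }'
}

# field_n NAME N : Nth value of "NAME : value" in the listing on stdin
# (N=1 is the proxy block, N=2 the VO extension block)
field_n() {
    sed -n "s/^$1 *: *//p" | sed -n "$2p"
}

check_proxy_info() {
    min_seconds="$1"; min_bits="$2"; want_vo="$3"
    info=$(cat)
    proxy_left=$(printf '%s\n' "$info" | field_n timeleft 1)
    voms_left=$(printf '%s\n' "$info" | field_n timeleft 2)
    strength=$(printf '%s\n' "$info" | field_n strength 1 | sed 's/ bits//')
    vo=$(printf '%s\n' "$info" | field_n VO 1)
    rc=0
    if [ -z "$proxy_left" ]; then
        echo "FAIL no proxy timeleft found"
        return 1
    fi
    if [ -z "$vo" ] || [ -z "$voms_left" ]; then
        echo "FAIL no VOMS extension present (wanted VO '$want_vo')"
        return 1
    fi
    if [ "$vo" != "$want_vo" ]; then
        echo "FAIL VOMS extension is for VO '$vo', wanted '$want_vo'"
        rc=1
    fi
    if [ "${strength:-0}" -lt "$min_bits" ]; then
        echo "FAIL key strength $strength bits, policy requires $min_bits"
        rc=1
    fi
    p=$(hms_to_seconds "$proxy_left")
    v=$(hms_to_seconds "$voms_left")
    eff=$p
    if [ "$v" -lt "$p" ]; then
        eff=$v
        echo "WARN VOMS extension ($voms_left) expires before the proxy ($proxy_left): jobs lose their VO attributes first"
    fi
    if [ "$eff" -lt "$min_seconds" ]; then
        echo "FAIL usable lifetime ${eff}s is below ${min_seconds}s"
        rc=1
    fi
    [ $rc -eq 0 ] && echo "OK usable lifetime ${eff}s, VO $vo, $strength-bit key"
    return $rc
}

# Constructed sample listing (placeholder DNs, not the tutorial's real ones),
# shaped like the slide 8 output.
FRESH='subject   : /C=XX/O=Example/CN=user/CN=proxy
issuer    : /C=XX/O=Example/CN=user
identity  : /C=XX/O=Example/CN=user
type      : proxy
strength  : 512 bits
path      : /tmp/x509up_u513
timeleft  : 11:53:46
=== VO gilda extension information ===
VO        : gilda
subject   : /C=XX/O=Example/CN=user
issuer    : /C=XX/O=Example/CN=voms.example.org
attribute : /gilda/Role=NULL/Capability=NULL
timeleft  : 11:55:44'
# The same credential retrieved again from MyProxy later on: a fresh 12 h proxy,
# but the VOMS extension was not renewed and has 30 minutes left (constructed).
STALE=$(printf '%s\n' "$FRESH" | sed -e 's/^timeleft  : 11:53:46/timeleft  : 12:00:09/' -e 's/^timeleft  : 11:55:44/timeleft  : 00:30:00/')

printf '%s\n' "$FRESH" | check_proxy_info 3600 512 gilda
printf '%s\n' "$STALE" | check_proxy_info 3600 512 gilda || echo "(stale VOMS extension rejected)"
printf '%s\n' "$FRESH" | check_proxy_info 3600 1024 gilda || echo "(a 512-bit proxy fails a 1024-bit policy)"
```

The 512-bit proxies on these slides pass only because the demo policy allows 512; the same check with a 1024-bit minimum rejects them, which is the knob to turn once the VO's key-size requirements change.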
Slide 17: Questions