Hands-on on security
Pedro Rausch, IF - UFRJ
Ninth EELA Tutorial, Bogotá, 06.03.2007

Overview
• Accessing the UI
• Private and public keys
• VOMS
  • voms-proxy-init
  • voms-proxy-info
  • voms-proxy-destroy
• MyProxy
  • myproxy-init
  • myproxy-info
  • myproxy-get-delegation
  • myproxy-destroy
Bogotá, Ninth EELA Tutorial, 06.03.2007
How to access the User Interface
• Open the VMware User Interface on your desktop (click the icon)
• Username: bogotaXX (LOOK AT THE STICKER!), where XX is in [01..50]
• Password: GridBOGXX, where XX is in [01..50]
• Certificate passphrase: BOGOTA
Preliminary: .globus directory
• The .globus directory contains your personal public / private keys
• Pay attention to permissions
• userkey.pem contains your private key and must be readable by yourself only (400)
• usercert.pem contains your public key (your certificate), which should also be readable from outside (644)

[bogota01@eventogrid1 bogota01]$ ls -la .globus/u*
-rw-r--r--  1 bogota01 bogota01 1131 Mar  1 03:27 .globus/usercert.pem
-r--------  1 bogota01 bogota01  963 Mar  1 03:27 .globus/userkey.pem
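An added check for the permissions described above (example script written for this page, not part of the tutorial or of the grid middleware). It inspects a .globus directory, by default $HOME/.globus, and exits non-zero when userkey.pem is not mode 400 or usercert.pem is not mode 644; the demo at the bottom builds a throwaway directory with constructed empty placeholder files so it runs anywhere.

```shell
#!/bin/sh
# Added example, not from the tutorial: verify the .globus permissions
# described on the slide (userkey.pem 400, usercert.pem 644).
# Usage: check_globus_perms [dir]   (dir defaults to $HOME/.globus)

# Print the octal mode of a file (GNU stat, with a BSD stat fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

check_globus_perms() {
    dir="${1:-$HOME/.globus}"
    rc=0
    # name:expected-mode pairs taken from the slide
    for spec in userkey.pem:400 usercert.pem:644; do
        name="${spec%%:*}"
        want="${spec##*:}"
        path="$dir/$name"
        if [ ! -f "$path" ]; then
            echo "MISSING $path" >&2
            rc=1
            continue
        fi
        have=$(file_mode "$path")
        if [ "$have" = "$want" ]; then
            echo "OK      $path (mode $have)"
        else
            echo "BAD     $path is mode $have, expected $want" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Demo on a constructed throwaway directory (empty placeholder files, no real keys).
demo=$(mktemp -d)
: > "$demo/userkey.pem";  chmod 400 "$demo/userkey.pem"
: > "$demo/usercert.pem"; chmod 644 "$demo/usercert.pem"
check_globus_perms "$demo" && echo "key pair permissions are correct"
# A group-readable private key is the typical mistake; it must be flagged.
chmod 440 "$demo/userkey.pem"
check_globus_perms "$demo" || echo "fix with: chmod 400 $demo/userkey.pem"
rm -rf "$demo"
```

On a real UI run `check_globus_perms` with no argument; it reports each file and returns 1 if anything needs fixing, so it can be dropped into a login script.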
voms-proxy-init: create credentials
• Main options: voms-proxy-init --voms <vo-name:[command]>
  -help, -usage           Displays usage
  -version                Displays version
  -debug                  Enables extra debug output
  -quiet, -q              Quiet mode, minimal output
  -verify                 Verifies certificate to make proxy for
  -pwstdin                Allows passphrase from stdin
  -limited                Creates a limited proxy
  -valid <h:m>            Proxy is valid for h hours and m minutes (default 12:00)
  -hours H                Proxy is valid for H hours (default 12)
  -bits                   Number of bits in key {512|1024|2048|4096}
  -cert <certfile>        Non-standard location of user certificate
  -key <keyfile>          Non-standard location of user key
  -certdir <certdir>      Non-standard location of trusted cert dir
  -out <proxyfile>        Non-standard location of new proxy cert
  -voms <voms<:command>>  Specify voms server. :command is optional.
  -order <group<:role>>   Specify ordering of attributes.
  -vomslife <h:m>         Try to get a VOMS pseudocert valid for h hours and m minutes (default: value of -valid)
  -include <file>         Include the contents of the specified files
  -confile <file>         Non-standard location of voms server addresses.
  -vomses <file>          Non-standard location of configuration files.
voms-proxy-init output
[bogota01@eventogrid1 bogota01]$ voms-proxy-init --voms gilda
Cannot find file or dir: /home/bogota01/.glite/vomses
Your identity: /C=IT/O=GILDA/OU=Personal Certificate/L=BOGOTA/CN=BOGOTA01/Email=claudio.cherubino@ct.infn.it
Enter GRID pass phrase: ************
Creating temporary proxy ............................... Done
Contacting voms.ct.infn.it:15001 [/C=IT/O=INFN/OU=Host/L=Catania/CN=voms.ct.infn.it] "gilda" Done
Creating proxy ................................. Done
Your proxy is valid until Tue Mar 6 23:06:20 2007
voms-proxy-info: check credentials
• voms-proxy-info
• Main options:
  -all   prints all proxy options
  -file  specifies a different location of proxy file
voms-proxy-info output
[bogota01@eventogrid1 bogota01]$ voms-proxy-info --all
subject   : /C=IT/O=GILDA/OU=Personal Certificate/L=BOGOTA/CN=BOGOTA01/Email=claudio.cherubino@ct.infn.it/CN=proxy
issuer    : /C=IT/O=GILDA/OU=Personal Certificate/L=BOGOTA/CN=BOGOTA01/Email=claudio.cherubino@ct.infn.it
identity  : /C=IT/O=GILDA/OU=Personal Certificate/L=BOGOTA/CN=BOGOTA01/Email=claudio.cherubino@ct.infn.it
type      : proxy
strength  : 512 bits
path      : /tmp/x509up_u501
timeleft  : 11:57:40
=== VO gilda extension information ===
VO        : gilda
subject   : /C=IT/O=GILDA/OU=Personal Certificate/L=BOGOTA/CN=BOGOTA01/Email=claudio.cherubino@ct.infn.it
issuer    : /C=IT/O=INFN/OU=Host/L=Catania/CN=voms.ct.infn.it
attribute : /gilda/Role=NULL/Capability=NULL
timeleft  : 11:57:33
• The lines before "=== VO gilda extension information ===" are the standard Globus attributes; the lines after it are the VOMS extensions.
voms-proxy-destroy: destroy credentials
• voms-proxy-destroy
• Takes no options
• Destroys the proxy certificate pointed to by the $X509_USER_PROXY environment variable
voms-proxy-destroy output
[bogota01@eventogrid1 bogota01]$ echo $X509_USER_PROXY
/tmp/x509up_u501
[bogota01@eventogrid1 bogota01]$ voms-proxy-destroy
[bogota01@eventogrid1 bogota01]$
[bogota01@eventogrid1 bogota01]$ voms-proxy-info --all
Couldn't find a valid proxy.
[bogota01@eventogrid1 bogota01]$
First Exercise
1. Create a plain VOMS proxy without requesting group membership;
2. Verify your proxy, checking that it has no VOMS extensions;
3. Destroy the created proxy;
4. Verify your proxy again;
5. Do steps 1-4 again, this time requesting gilda group membership
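The verify steps of this exercise, and the voms-proxy-info output shown two slides earlier, can be checked by script instead of by eye. The functions below are an added example for this page (not the tutorial's or VOMS's own code); each reads the output of `voms-proxy-info --all` on stdin, so on a real UI they are fed with a pipe. The two sample outputs are constructed from the slide's output, with the VO section removed for the plain-proxy case.

```shell
#!/bin/sh
# Added example, not from the tutorial: scripted checks over the output of
# `voms-proxy-info --all`. On a real UI:  voms-proxy-info --all | check_proxy 3600 expect_voms

# Seconds left on the proxy itself: first "timeleft : h:m:s" line (0 if none).
proxy_timeleft_seconds() {
    awk -F'[ :]+' '$1 == "timeleft" && !done { print $2*3600 + $3*60 + $4; done = 1 }
                   END { if (!done) print 0 }'
}

# Key strength in bits (0 if none); the slide's default proxy is only 512 bits.
proxy_key_bits() {
    awk '$1 == "strength" && !done { print $3; done = 1 } END { if (!done) print 0 }'
}

# Exit 0 when a "=== VO <name> extension information ===" block is present.
proxy_has_vo_extension() {
    grep -q '^=== VO .* extension information ===$'
}

# The VOMS attribute lines (FQANs), e.g. /gilda/Role=NULL/Capability=NULL
proxy_vo_attributes() {
    sed -n 's/^attribute *: *//p'
}

# check_proxy <min_seconds> <expect_voms|expect_plain>  < output
# Exit 0 only if at least min_seconds remain and the VOMS extension is
# present (expect_voms) or absent (expect_plain), as the exercise asks.
check_proxy() {
    min="$1"; expect="${2:-expect_voms}"
    out=$(cat)
    left=$(printf '%s\n' "$out" | proxy_timeleft_seconds)
    bits=$(printf '%s\n' "$out" | proxy_key_bits)
    [ "$bits" -lt 1024 ] && echo "warning: ${bits}-bit proxy key, consider -bits 1024 or more" >&2
    if [ "$left" -lt "$min" ]; then
        echo "proxy has only ${left}s left (need $min)" >&2; return 1
    fi
    if printf '%s\n' "$out" | proxy_has_vo_extension; then
        [ "$expect" = expect_voms ] || { echo "unexpected VOMS extension present" >&2; return 1; }
        echo "VOMS proxy ok, attributes: $(printf '%s\n' "$out" | proxy_vo_attributes | tr '\n' ' ')"
    else
        [ "$expect" = expect_plain ] || { echo "no VOMS extension found" >&2; return 1; }
        echo "plain proxy ok"
    fi
}

# Constructed from the slide: `voms-proxy-info --all` for a VOMS proxy.
SAMPLE_VOMS=$(cat <<'EOF'
subject   : /C=IT/O=GILDA/OU=Personal Certificate/L=BOGOTA/CN=BOGOTA01/CN=proxy
issuer    : /C=IT/O=GILDA/OU=Personal Certificate/L=BOGOTA/CN=BOGOTA01
identity  : /C=IT/O=GILDA/OU=Personal Certificate/L=BOGOTA/CN=BOGOTA01
type      : proxy
strength  : 512 bits
path      : /tmp/x509up_u501
timeleft  : 11:57:40
=== VO gilda extension information ===
VO        : gilda
subject   : /C=IT/O=GILDA/OU=Personal Certificate/L=BOGOTA/CN=BOGOTA01
issuer    : /C=IT/O=INFN/OU=Host/L=Catania/CN=voms.ct.infn.it
attribute : /gilda/Role=NULL/Capability=NULL
timeleft  : 11:57:33
EOF
)
# The same proxy without the VO section (step 2 of the exercise).
SAMPLE_PLAIN=$(printf '%s\n' "$SAMPLE_VOMS" | sed '/^=== VO/,$d')

printf '%s\n' "$SAMPLE_VOMS"  | check_proxy 3600 expect_voms
printf '%s\n' "$SAMPLE_PLAIN" | check_proxy 3600 expect_plain
```

The key-size warning is a practitioner's addition: the proxy key length is selectable with -bits, and 512-bit keys offer little protection for a credential that will live for 12 hours in /tmp.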
Long term proxy: MyProxy
• myproxy server:
  • myproxy-init: allows you to create and store a long term proxy certificate
  • myproxy-info: get information about a stored long living proxy
  • myproxy-get-delegation: get a new proxy from the MyProxy server
  • myproxy-destroy: delete the stored long living proxy
• Check them out with the myproxy-xxx --help option
• A dedicated service on the RB can renew the proxy automatically by contacting the myproxy server
myproxy-init: store proxy cred.
• Main options
  -c hours        specifies lifetime of stored credentials
  -t hours        specifies the maximum lifetime of retrieved credentials
  -s <hostname>   specifies the myproxy server used to store credentials
  -d              stores the credential with the distinguished name in the proxy instead of the user name (mandatory for some data management services and proxy renewal)
• For proxy renewal, -n (no passphrase) is also mandatory. You also have to specify the subject of the principals that can renew a delegation (-R subject, or -A for any principal)
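The rules on this slide, turned into a small argument builder (example code added for this page, not from the tutorial or from MyProxy). It prints, without running it, the myproxy-init command line for a stored credential that a renewal service can use, and refuses the combinations the slide rules out: -n without a renewer policy, or a retrieved-proxy lifetime (-t) longer than the stored one (-c), since a delegated proxy cannot outlive the credential it is derived from. The server name and renewer DN in the demo are placeholders.

```shell
#!/bin/sh
# Added example, not from the tutorial: assemble (not run) a myproxy-init
# command for a renewable credential, applying the slide's rules:
# -d (store under the DN), -n (no passphrase), and with -n a renewer policy,
# -R <subject> or -A. The retrieved lifetime -t must not exceed -c.
# Usage: build_myproxy_init <server> <c_hours> <t_hours> <renewer-DN | ANY>

is_uint() { case "$1" in ''|*[!0-9]*) return 1;; *) return 0;; esac; }

build_myproxy_init() {
    server="$1"; c_hours="$2"; t_hours="$3"; renewer="$4"
    [ -n "$server" ] || { echo "refusing: no MyProxy server (-s) given" >&2; return 1; }
    is_uint "$c_hours" && is_uint "$t_hours" ||
        { echo "refusing: -c and -t must be whole hours" >&2; return 1; }
    if [ "$t_hours" -gt "$c_hours" ]; then
        echo "refusing: -t $t_hours exceeds stored lifetime -c $c_hours" >&2; return 1
    fi
    case "$renewer" in
        '')  echo "refusing: -n needs a renewer policy (-R <subject> or -A)" >&2; return 1 ;;
        ANY) policy="-A" ;;   # any principal may renew: the broadest grant, use only when no subject is known
        *)   policy="-R '$renewer'" ;;
    esac
    printf 'myproxy-init -s %s -d -n -c %s -t %s %s\n' "$server" "$c_hours" "$t_hours" "$policy"
}

# Demo with placeholder server and renewer DN (constructed, not real hosts).
build_myproxy_init myproxy.example.org 168 12 '/C=XX/O=Example/OU=Host/CN=rb.example.org'
build_myproxy_init myproxy.example.org 168 12 ANY
build_myproxy_init myproxy.example.org 24 48 ANY || echo "(rejected as expected)"
```

The -R form is the one to prefer: it names the single service allowed to renew, whereas -A lets any authenticated principal do so.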
myproxy-init output
[bogota01@eventogrid1 bogota01]$ myproxy-init
Your identity: /C=IT/O=GILDA/OU=Personal Certificate/L=BOGOTA/CN=BOGOTA01/Email=claudio.cherubino@ct.infn.it
Enter GRID pass phrase for this identity: ***********
Creating proxy ................................. Done
Proxy Verify OK
Your proxy is valid until: Tue Mar 13 14:00:18 2007
Enter MyProxy pass phrase: ***********
Verifying password - Enter MyProxy pass phrase:
A proxy valid for 168 hours (7.0 days) for user bogota01 now exists on grid001.ct.infn.it.
[bogota01@eventogrid1 bogota01]$
myproxy-info: retrieve stored proxy info
• Useful to retrieve info on stored credentials
• Needs local credentials to run
• If the credentials have been initialized with the -d switch, you also have to specify the same option here
• The user must have a valid proxy to issue this command
myproxy-info output
[bogota01@eventogrid1 bogota01]$ myproxy-info -v
Socket bound to port 20000.
server name: /C=IT/O=INFN/OU=Host/L=Catania/CN=grid001.ct.infn.it
checking if server name matches "myproxy@grid001.ct.infn.it"
server name does not match
checking if server name matches "host@grid001.ct.infn.it"
server name accepted
username: bogota01
owner: /C=IT/O=GILDA/OU=Personal Certificate/L=BOGOTA/CN=BOGOTA01/Email=claudio.cherubino@ct.infn.it
timeleft: 167:54:03  (7.0 days)
myproxy-get-delegation: get proxy
• This command is used to retrieve a delegation from a long lived proxy stored on a myproxy server
• It is independent of the machine: you don't need to have your certificate on board
• If the credentials have been initialized with the -d switch, you also have to specify it in the myproxy-get-delegation request
myproxy-get-delegation: output
[bogota01@eventogrid1 bogota01]$ myproxy-get-delegation
Enter MyProxy pass phrase:
A proxy has been received for user bogota01 in /tmp/x509up_u501
myproxy-destroy: destroy proxy
• Deletes, if they exist, the long lived credentials on the specified myproxy server
• To specify the myproxy server, use the -s switch
• Again, the user must have a valid proxy certificate
myproxy-destroy: output
[bogota01@eventogrid1 bogota01]$ myproxy-destroy -v
Socket bound to port 20000.
server name: /C=IT/O=INFN/OU=Host/L=Catania/CN=grid001.ct.infn.it
checking if server name matches "myproxy@grid001.ct.infn.it"
server name does not match
checking if server name matches "host@grid001.ct.infn.it"
server name accepted
Default MyProxy credential for user bogota01 was successfully removed.
Second Exercise
1. Create a myproxy on the server grid001.ct.infn.it
2. Fetch a delegation from the myproxy server
3. Check the information on the created proxy on the myproxy server
4. Destroy both the delegated proxy and the proxy stored on the myproxy server
5. Repeat steps 1-4 using the -d option
• Which differences do you note between the two proxies?
VOMS extensions on a delegated proxy
• myproxy does not natively support VOMS
• In order to overcome this issue:
  • Fetch the proxy from the myproxy server (it carries no VOMS extensions)
  • Issue the command voms-proxy-init with the -noregen option
Questions