Security Hands-on
Christian Grunfeld, UNLP
8th EELA Tutorial, La Plata, 11/12-12/12, 2006
Overview
• Accessing the UI
• Private and public keys
• VOMS
  • voms-proxy-init
  • voms-proxy-info
• MyProxy
  • myproxy-init
  • myproxy-info
  • myproxy-get-delegation
  • myproxy-destroy
5th EELA TUTORIAL - USERS - Santiago, 06/09-07/09,2006
Accessing the UI
• You need a real Unix account on the UI. User accounts have been created for this tutorial.
• You have to establish a secure shell connection to the UI:
    ssh laplataXX@glite-ui.fisica.unlp.edu.ar
    password: GridLAPXX
  where XX = 01 to 20.
  Grid passphrase: LAPLATA (for all users)
Personal keys
• The .globus directory contains your personal public / private keys.
• Pay attention to permissions:
  • userkey.pem contains your private key and must be readable only by yourself (400)
  • usercert.pem contains your public key, which should also be readable from outside (644)

    [laplata01@glite-ui laplata01]$ ls -l .globus/
    total 8
    -rw-r--r--  1 laplata01 users 1127 Dec  6 11:16 usercert.pem
    -r--------  1 laplata01 users  963 Dec  6 11:16 userkey.pem
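As an added example (not part of the tutorial), a small shell check that encodes the permission rule above before you run voms-proxy-init: the private key must be owner-only (400, or 600), the certificate readable by everyone. It assumes a stat that supports -c '%a' (GNU coreutils or busybox) and takes the .globus directory as its argument.

```shell
# Print the octal permission bits of a file (GNU coreutils / busybox stat).
file_mode() {
    stat -c '%a' "$1"
}

# $1 = path of the .globus directory.
# Returns 0 when userkey.pem and usercert.pem exist with acceptable modes, 1 otherwise.
check_globus_perms() {
    dir=$1
    rc=0
    key=$dir/userkey.pem
    cert=$dir/usercert.pem

    if [ ! -f "$key" ]; then
        echo "FAIL: $key is missing"
        rc=1
    else
        mode=$(file_mode "$key")
        # Only the owner may read the private key: group and other bits must be 0.
        case $mode in
            400|600) echo "OK:   $key mode $mode" ;;
            *)       echo "FAIL: $key mode $mode, private key must be 400 (or 600)"; rc=1 ;;
        esac
    fi

    if [ ! -f "$cert" ]; then
        echo "FAIL: $cert is missing"
        rc=1
    else
        mode=$(file_mode "$cert")
        # The certificate is public; 644 lets services read it while only the owner can write it.
        case $mode in
            644|444) echo "OK:   $cert mode $mode" ;;
            *)       echo "WARN: $cert mode $mode, expected 644" ;;
        esac
    fi
    return $rc
}
```

Run it as `check_globus_perms "$HOME/.globus"`; a non-zero exit means voms-proxy-init should not be run until the key permissions are fixed.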
voms-proxy-init: options
• Main options:
    voms-proxy-init --voms <vo-name[:command]>

    -help, -usage           Displays usage
    -version                Displays version
    -debug                  Enables extra debug output
    -quiet, -q              Quiet mode, minimal output
    -verify                 Verifies certificate to make proxy for
    -pwstdin                Allows passphrase from stdin
    -limited                Creates a limited proxy
    -valid <h:m>            Proxy is valid for h hours and m minutes (default 12:00)
    -hours H                Proxy is valid for H hours (default: 12)
    -bits                   Number of bits in key {512|1024|2048|4096}
    -cert <certfile>        Non-standard location of user certificate
    -key <keyfile>          Non-standard location of user key
    -certdir <certdir>      Non-standard location of trusted cert dir
    -out <proxyfile>        Non-standard location of new proxy cert
    -voms <voms[:command]>  Specify voms server. :command is optional.
    -order <group[:role]>   Specify ordering of attributes.
    -vomslife <h:m>         Try to get a VOMS pseudocert valid for h hours and m minutes (default: value of -valid).
    -include <file>         Include the contents of the specified files
    -confile <file>         Non-standard location of voms server addresses.
    -vomses <file>          Non-standard location of configuration files.
Verify your credentials
Exercise 1: create a VOMS proxy requesting your group membership (all of you belong to the generic-users group); then verify the obtained credentials with voms-proxy-info.
• voms-proxy-info
• Main options:
    -all    prints all proxy options
    -file   specifies a different location of the proxy file
voms-proxy-init
    [laplata01@glite-ui laplata01]$ voms-proxy-init --voms gilda
    Cannot find file or dir: /home/laplata01/.glite/vomses
    Your identity: /C=IT/O=GILDA/OU=Personal Certificate/L=LAPLATA/CN=LAPLATA01/Email=veiga@fisica.unlp.edu.ar
    Enter GRID pass phrase:
    Creating temporary proxy ..................................... Done
    Contacting  voms.ct.infn.it:15001 [/C=IT/O=INFN/OU=Host/L=Catania/CN=voms.ct.infn.it] "gilda" Done
    Creating proxy ..................................................... Done
    Your proxy is valid until Sat Dec  9 11:18:53 2006
VOMS proxy info
    [laplata01@glite-ui laplata01]$ voms-proxy-info -all
    subject   : /C=IT/O=GILDA/OU=Personal Certificate/L=LAPLATA/CN=LAPLATA01/Email=veiga@fisica.unlp.edu.ar/CN=proxy
    issuer    : /C=IT/O=GILDA/OU=Personal Certificate/L=LAPLATA/CN=LAPLATA01/Email=veiga@fisica.unlp.edu.ar
    identity  : /C=IT/O=GILDA/OU=Personal Certificate/L=LAPLATA/CN=LAPLATA01/Email=veiga@fisica.unlp.edu.ar
    type      : proxy
    strength  : 512 bits
    path      : /tmp/x509up_u513
    timeleft  : 11:55:13
    === VO gilda extension information ===
    VO        : gilda
    subject   : /C=IT/O=GILDA/OU=Personal Certificate/L=LAPLATA/CN=LAPLATA01/Email=veiga@fisica.unlp.edu.ar
    issuer    : /C=IT/O=INFN/OU=Host/L=Catania/CN=voms.ct.infn.it
    attribute : /gilda/Role=NULL/Capability=NULL
    timeleft  : 11:54:42
The first block shows the standard Globus attributes; the block after "=== VO gilda extension information ===" shows the VOMS extensions.
Long term proxy: MyProxy
• myproxy server:
• myproxy-init
  • Allows you to create and store a long-term proxy certificate
• myproxy-info
  • Get information about a stored long-living proxy
• myproxy-get-delegation
  • Get a new proxy from the MyProxy server
• myproxy-destroy
• Check them out with the myproxy-xxx --help option
myproxy-init
    [laplata01@glite-ui laplata01]$ myproxy-init -s grid001.ct.infn.it
    Your identity: /C=IT/O=GILDA/OU=Personal Certificate/L=LAPLATA/CN=LAPLATA01/Email=veiga@fisica.unlp.edu.ar
    Enter GRID pass phrase for this identity:
    Creating proxy ......................................................... Done
    Proxy Verify OK
    Your proxy is valid until: Fri Dec 15 23:36:23 2006
    Enter MyProxy pass phrase:
    Verifying password - Enter MyProxy pass phrase:
    A proxy valid for 168 hours (7.0 days) for user laplata01 now exists on grid001.ct.infn.it.

Principal options:
    -c hours       specifies the lifetime of stored credentials
    -t hours       specifies the maximum lifetime of retrieved credentials
    -s <hostname>  specifies the myproxy server used to store credentials
    -d             stores the credential under the distinguished name in the proxy, instead of the user name (mandatory for some data management services and for proxy renewal)
For proxy renewal it is also mandatory to use -n (no passphrase). You also have to specify the subject of the principals that can renew a delegation (-R subject, or -A for any principal).
myproxy-info
• Useful to retrieve info on stored credentials.
• Needs local credentials to be performed.
• If the credentials have been initialized with the -d switch, you also have to specify the same option here.

    [laplata01@glite-ui laplata01]$ myproxy-info
    username: laplata01
    owner: /C=IT/O=GILDA/OU=Personal Certificate/L=LAPLATA/CN=LAPLATA01/Email=veiga@fisica.unlp.edu.ar
    timeleft: 167:50:16  (7.0 days)
myproxy-get-delegation
• This command is used to retrieve a delegation from a long-lived proxy stored on a myproxy server.
• It is independent of the machine! You do not need to have your certificate on board.
• If the credentials have been initialized with the -d switch, you have to specify it also in the myproxy-get-delegation request.

    [laplata01@glite-ui laplata01]$ myproxy-get-delegation
    Enter MyProxy pass phrase:
    A proxy has been received for user laplata01 in /tmp/x509up_u513
myproxy-destroy
• Deletes, if existing, the long-lived credentials on the specified myproxy server.
• To specify the myproxy server you should use the -s switch.

    [laplata01@glite-ui laplata01]$ myproxy-destroy
    Default MyProxy credential for user laplata01 was successfully removed.
Exercise
• Exercise 2
  • Create a myproxy on the server grid001.ct.infn.it
  • Check information on the created proxy
  • Create a myproxy with the -d option
  • Check the new proxy
  • Which differences do you notice?
  • Destroy both proxies
Storing long lived VOMS proxies
• myproxy does not natively support VOMS
• To allow storing of VOMS extensions, the myproxy client has been modified
• The ability to choose the VO and group/roles has been added, while all the previous options have been kept
• Proxies retrieved with myproxy-get-delegation will have the requested VOMS extension but...
• ...there is a limitation due to the VOMS extension lifetime: it is typically limited, and it is not renewed when performing myproxy-get-delegation
• Solutions to extend VOMS extension renewal in get-delegation are being studied
• The "modified" client is available only on GILDA UIs
• It will be widely deployed once the above issues are solved

    myproxy-init --voms gilda
VOMS extension on a delegated proxy
    [laplata01@glite-ui laplata01]$ myproxy-get-delegation
    Enter MyProxy pass phrase:
    A proxy has been received for user laplata01 in /tmp/x509up_u513
    [laplata01@glite-ui laplata01]$ voms-proxy-info -all
    subject   : /C=IT/O=GILDA/OU=Personal Certificate/L=LAPLATA/CN=LAPLATA01/Email=veiga@fisica.unlp.edu.ar/CN=proxy/CN=proxy/CN=proxy
    issuer    : /C=IT/O=GILDA/OU=Personal Certificate/L=LAPLATA/CN=LAPLATA01/Email=veiga@fisica.unlp.edu.ar/CN=proxy/CN=proxy
    identity  : /C=IT/O=GILDA/OU=Personal Certificate/L=LAPLATA/CN=LAPLATA01/Email=veiga@fisica.unlp.edu.ar/CN=proxy/CN=proxy
    type      : unknown
    strength  : 512 bits
    path      : /tmp/x509up_u513
    timeleft  : 11:59:41
    === VO gilda extension information ===
    VO        : gilda
    subject   : /C=IT/O=GILDA/OU=Personal Certificate/L=LAPLATA/CN=LAPLATA01/Email=veiga@fisica.unlp.edu.ar
    issuer    : /C=IT/O=INFN/OU=Host/L=Catania/CN=voms.ct.infn.it
    attribute : /gilda/Role=NULL/Capability=NULL
    timeleft  : 11:55:42          <-- VOMS extension lifetime
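The proxy and its VOMS attribute certificate each report their own timeleft, both here and on the voms-proxy-info slide earlier, and the VOMS attributes are not renewed by myproxy-get-delegation. As an added example that is not part of the tutorial, this shell script parses voms-proxy-info -all output (the sample text is constructed to match the shape of the slide) and warns when the VOMS attributes will expire before the proxy, or sooner than a job needs; it assumes only POSIX sh and awk.

```shell
# Constructed sample shaped like the slide: proxy timeleft 11:59:41, VOMS timeleft 11:55:42.
SAMPLE_INFO='subject   : /C=IT/O=GILDA/OU=Personal Certificate/L=LAPLATA/CN=LAPLATA01/CN=proxy
issuer    : /C=IT/O=GILDA/OU=Personal Certificate/L=LAPLATA/CN=LAPLATA01
type      : proxy
strength  : 512 bits
path      : /tmp/x509up_u513
timeleft  : 11:59:41
=== VO gilda extension information ===
VO        : gilda
attribute : /gilda/Role=NULL/Capability=NULL
timeleft  : 11:55:42'

# "h:m:s" -> seconds (awk converts the zero-padded fields numerically).
hms_to_seconds() {
    printf '%s\n' "$1" | awk -F: '{ print $1 * 3600 + $2 * 60 + $3 }'
}

# Read voms-proxy-info -all text on stdin and print "<proxy h:m:s> <voms h:m:s>".
# The timeleft line before the "=== VO" header belongs to the proxy itself,
# the first one after it to the VOMS attribute certificate.
parse_timeleft() {
    awk '
        /^=== VO /  { in_vo = 1 }
        /^timeleft/ { if (in_vo) { if (vo == "") vo = $NF } else proxy = $NF }
        END         { print proxy, vo }
    '
}

# $1 = voms-proxy-info -all output, $2 = minimum VOMS lifetime (seconds) the job needs.
# Returns 0 when the attributes will last, 1 when they will not, 2 when there are none.
check_voms_lifetime() {
    pair=$(printf '%s\n' "$1" | parse_timeleft)
    proxy_s=$(hms_to_seconds "${pair% *}")
    voms_hms=${pair#* }
    if [ -z "$voms_hms" ]; then
        echo "WARN: proxy carries no VOMS extension"
        return 2
    fi
    voms_s=$(hms_to_seconds "$voms_hms")
    if [ "$voms_s" -lt "$2" ]; then
        echo "WARN: VOMS attributes expire in ${voms_s}s, less than the ${2}s required"
        return 1
    fi
    [ "$voms_s" -lt "$proxy_s" ] &&
        echo "NOTE: proxy outlives its VOMS attributes by $((proxy_s - voms_s))s"
    return 0
}

check_voms_lifetime "$SAMPLE_INFO" 3600
```

On a real UI replace the sample with `check_voms_lifetime "$(voms-proxy-info -all)" <seconds>`; a NOTE means the job could still hold a valid proxy after its VO attributes have expired.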
Exercise
• Exercise 3
  • Create a myproxy on the server grid001.ct.infn.it
  • Check information on the created proxy
  • Destroy your local proxy
  • Get a delegation from myproxy
  • Destroy myproxy
Questions