1 / 32

Outline

Authentication in the NGS John Kewley john.kewley@stfc.ac.uk NGS Support Centre Manager STFC Daresbury Laboratory. Outline. What is the NGS? Growl: VDT installation + helper scripts Some other NGS Authentication projects. Diverse User Community. www.ngs.ac.uk. 25 member institutes

tal
Download Presentation

Outline

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Authentication in the NGSJohn Kewleyjohn.kewley@stfc.ac.ukNGS Support Centre ManagerSTFC Daresbury Laboratory

  2. Outline • What is the NGS? • Growl: VDT installation + helper scripts • Some other NGS Authentication projects

  3. Diverse User Community www.ngs.ac.uk 25 member institutes 33 heterogeneous resources 15,000 processing cores > 75 applications • In the last 12 months • 4,629,127 CPU hrs used • 888,862 jobs ran • 2nd largest e-Science CA • 22,121 certificates issued • 4,911 active currently

  4. NGS + GSI The NGS uses GSI for its Authentication To support this we have: * UK e-Science CA (IGTF accredited, offline) * RA network across UK academia (61 RAs with 112 RA Operators) * 2 MyProxy servers

  5. NGS + GSI To support ancillary services mentioned later in this talk we also have * VOMS server * Training CA (for short-lived training certificates) * Test CA (for RA Training) * 2x SLCS online CAs (SSO and SARoNGS)

  6. 3 Barriers Three main barriers that newcomers find when using the Grid for the first time: • Setting up the client-side middleware • Handling of certificates • [Job submission in the presence of firewalls]

  7. Installing Growl Scripts • Download GROWL Scripts $ cd $ # possibly tell wget about http_proxy $ # export http_proxy=http://wwwcache.dl.ac.uk:8080 $ wget http://www.growl.org.uk/GrowlScripts.tar.gz • Unpack into home directory $ tar -zxvf GrowlScripts.tar.gz • "Build" VDT client $ cd Growl $ make

  8. GROWL Scripts: Contents VDT client installation of globus, gsi-openSSH, VOMS and MyProxy • grid-proxy-init, grid-proxy-info • globus-job-submit, globus-job-run • gsissh, gsiscp, openssl • myproxy-init, myproxy-info, myproxy-logon • voms-proxy-init, voms-proxy-info Certificate helper scripts • mk-cert • growl-info, growl-login, growl-logout GROWL wrapper scripts • growl-submit, growl-status, growl-get-output, • growl-sh, growl-cp, growl-mkdir, growl-rm,, • growl-pwd, growl-which, growl-get-jobmanager • growl-queue Note: there is also a globus source build for non-VDT-supported platforms

  9. 3 Barriers Three main barriers that newcomers find when using the Grid for the first time: • Setting up the client-side middleware • Handling of certificates • [Job submission in the presence of firewalls]

  10. Request Certificate Request certificate PIN [Confirm PIN] Present PIN at photoID check [Master Password if on FF] Export Certificate [Master Password if on FF] Backup/export password (.p12) Re-confirm backup/export password (.p12) Setup .pem files Unpack .p12 for userkey Unpack.p12for usercert Set .pem password Confirm .pem password MyProxy Setup myproxy-init (.pem) [set myproxy pwd] [Confirm myproxy pwd] Obtain Grid proxy myproxy-logon (myproxy pwd) How many passwords?

  11. Credential conversion $ openssl -clcerts -nokeys -in JK.p12 -out userkey.pem $ openssl -nocerts -in JK.p12 -out usercert.pem $ openssl pkcs12 -clcerts -nokeys -in JK.p12 -out userkey.pem $ openssl pkcs12 -nocerts -in JK.p12 -out usercert.pem $ openssl pkcs12 -clcerts -nokeys -in JK.p12 -out usercert.pem $ openssl pkcs12 -nocerts -in JK.p12 -out userkey.pem $ chmod 444 usercert.pem $ chmod 400 userkey.pem √

  12. $ openssl pkcs12 -clcerts \ -nokeys -in usercred.p12 \ -out usercert.pem <Pass1> $ openssl pkcs12 -nocerts \ -in usercred.p12 \ -out userkey.pem <Pass1> <Pass2> <Pass2> [confirm] $ chmod 444 usercert.pem $ chmod 400 userkey.pem $ mv userkey.pem ~/.globus $ mv usercert.pem ~/.globus $ chmod 700 ~/.globus $ mk-cert mykey.p12 <Pass1> [<Pass2>] mk-cert

  13. Proxy helper scripts • growl-login wraps grid-proxy-init, myproxy-init and myproxy-logon • growl-logout wraps grid-proxy-destroy and myproxy-destroy • growl-info wraps grid-cert-info, myproxy-info and grid-proxy-infoandopenssl and can be used with certificates in several formats

  14. growl-logon Only does what is needed Generates a local proxy (if there isn't a valid one there already) Options: • -m : Uploads a credential to the myproxy server (but only if required) • -v myVO : proxies generated or uploaded will contain a VOMS Attribute Certificate for myVO (VDT only - not in source build yet) • -f : force generation / upload • -D : debugging information

  15. Uses of growl-login • Generation of a proxy credential from a grid certificate (c.f. grid-proxy-init) • Uploading a proxy credential to a MyProxy server for use from other clients or portals (c.f. myproxy-init) • Retrieving a proxy credential without a grid certificate (c.f. myproxy-logon)

  16. JK JK 12h 365d JK 7d Use Case 2 Client $ myproxy-init <Grid Pass Phrase> <MyProxy Password> <MyProxy Password> $ myproxy-logon <MyProxy Password> $ myproxy-init -L <Grid Pass Phrase> <MyProxy Password> <MyProxy Password> $ growl-login -m <Grid Pass Phrase> <MyProxy Password> Grid Resource MyProxy Server

  17. growl-info • Combines certificate info into one package • grid-cert-info • myproxy-info • grid-proxy-info • voms-proxy-info • Reports on only certs and credentials it finds • Issues warnings • Notes when other certs are present (but are not the ones that growl-login would use) • Can also be used with any certificate file to dispay its DN and validity and so can be used to check host, CA and VOMS-issuing certificate

  18. growl-logout • Removes local proxy • With –m option will also remove MyProxy credential from MyProxy server.

  19. Advantages • Symmetry growl-login vs growl-logout c.f.myproxy-logon vs grid-proxy-destroy • Generally less passwords to type • Single command automagically "does the right thing™ " • Does nothing if no need • Utilises myproxy if credential present and valid • Uses existing local proxy if still valid

  20. There are two types of Grid User • Linux/Unix (command line?) • Windows (GUI?)

  21. GSI-SSH terminal NGS Authentication Direct access MEG NGS Portal/ Applications Repository Certificate Wizard

  22. GSI-Enabled SSHTERM

  23. GSI-Enabled SSHTERM

  24. Certificate Wizard

  25. VOMS plugin

  26. MyProxy-enabled GSISSHD (MEG) • Permits any ssh client to access the Grid • User must previously have uploaded a myproxy credential • Users like username + password • Multiple myproxy servers are supported • Simultaneously supports GSI authentication with a proxy • drop-in replacement for gsisshd

  27. STFC SSO • Credential conversion service for STFC employees to any grid resource requiring X509 access • Federal ID and password • MyProxy server acts as a CA and issues Short Lived Certification Service (SLCS) certificates on the fly • Integrated with MEG for STFC resources

  28. SARoNGS / NGS Portal

  29. SARoNGS / NGS Portal

  30. SARoNGS / NGS Portal

  31. Summary • Growl Scripts gives command-line users an easy way to install essential Grid middleware • The NGS provides different authentication tools for different users: • gsissh (using globus, VDT, Growl) • GSI-enabled SSHTERM • Certificate Wizard • Any ssh client (PuTTY, cygwin ssh) using MEG • STFC staff: MyProxySSO • UK academics: Shibboleth login via SARoNGS

  32. Acknowledgements and refs Much of this work has been done by other STFC and NGS colleagues, too numerous to mention. • http://tyne.dl.ac.uk/GROWL/Scripts • http://ww.ngs.ac.uk/tools/overview

More Related