Authentication in the NGS
This presentation is the property of its rightful owner.
Sponsored Links
1 / 32

Outline PowerPoint PPT Presentation

  • Uploaded on
  • Presentation posted in: General

Authentication in the NGS John Kewley [email protected] NGS Support Centre Manager STFC Daresbury Laboratory. Outline. What is the NGS? Growl: VDT installation + helper scripts Some other NGS Authentication projects. Diverse User Community. 25 member institutes

Download Presentation


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Authentication in the NGSJohn [email protected] Support Centre ManagerSTFC Daresbury Laboratory



  • What is the NGS?

  • Growl: VDT installation + helper scripts

  • Some other NGS Authentication projects


Diverse User Community

25 member institutes

33 heterogeneous resources

15,000 processing cores

> 75 applications

  • In the last 12 months

  • 4,629,127 CPU hrs used

  • 888,862 jobs ran

  • 2nd largest e-Science CA

  • 22,121 certificates issued

  • 4,911 active currently

Ngs gsi


The NGS uses GSI for its Authentication

To support this we have:

* UK e-Science CA (IGTF accredited, offline)

* RA network across UK academia (61 RAs with 112 RA Operators)

* 2 MyProxy servers

Ngs gsi1


To support ancillary services mentioned later in this talk we also have

* VOMS server

* Training CA (for short-lived training certificates)

* Test CA (for RA Training)

* 2x SLCS online CAs (SSO and SARoNGS)

3 barriers

3 Barriers

Three main barriers that newcomers find when using the Grid for the first time:

  • Setting up the client-side middleware

  • Handling of certificates

  • [Job submission in the presence of firewalls]

Installing growl scripts

Installing Growl Scripts

  • Download GROWL Scripts

    $ cd

    $ # possibly tell wget about http_proxy

    $ # export http_proxy=

    $ wget

  • Unpack into home directory

    $ tar -zxvf GrowlScripts.tar.gz

  • "Build" VDT client

    $ cd Growl

    $ make

Growl scripts contents

GROWL Scripts: Contents

VDT client installation of globus, gsi-openSSH, VOMS and MyProxy

  • grid-proxy-init, grid-proxy-info

  • globus-job-submit, globus-job-run

  • gsissh, gsiscp, openssl

  • myproxy-init, myproxy-info, myproxy-logon

  • voms-proxy-init, voms-proxy-info

    Certificate helper scripts

  • mk-cert

  • growl-info, growl-login, growl-logout

    GROWL wrapper scripts

  • growl-submit, growl-status, growl-get-output,

  • growl-sh, growl-cp, growl-mkdir, growl-rm,,

  • growl-pwd, growl-which, growl-get-jobmanager

  • growl-queue

Note: there is also a globus source build for non-VDT-supported platforms

3 barriers1

3 Barriers

Three main barriers that newcomers find when using the Grid for the first time:

  • Setting up the client-side middleware

  • Handling of certificates

  • [Job submission in the presence of firewalls]

How many passwords

Request Certificate

Request certificate PIN

[Confirm PIN]

Present PIN at photoID check

[Master Password if on FF]

Export Certificate

[Master Password if on FF]

Backup/export password (.p12)

Re-confirm backup/export password (.p12)

Setup .pem files

Unpack .p12 for userkey

Unpack.p12for usercert

Set .pem password

Confirm .pem password

MyProxy Setup

myproxy-init (.pem)

[set myproxy pwd]

[Confirm myproxy pwd]

Obtain Grid proxy

myproxy-logon (myproxy pwd)

How many passwords?

Credential conversion

Credential conversion

$ openssl -clcerts -nokeys -in JK.p12 -out userkey.pem

$ openssl -nocerts -in JK.p12 -out usercert.pem

$ openssl pkcs12 -clcerts -nokeys -in JK.p12 -out userkey.pem

$ openssl pkcs12 -nocerts -in JK.p12 -out usercert.pem

$ openssl pkcs12 -clcerts -nokeys -in JK.p12 -out usercert.pem

$ openssl pkcs12 -nocerts -in JK.p12 -out userkey.pem

$ chmod 444 usercert.pem

$ chmod 400 userkey.pem

Mk cert

$ openssl pkcs12 -clcerts \

-nokeys -in usercred.p12 \

-out usercert.pem


$ openssl pkcs12 -nocerts \

-in usercred.p12 \

-out userkey.pem



<Pass2> [confirm]

$ chmod 444 usercert.pem

$ chmod 400 userkey.pem

$ mv userkey.pem ~/.globus

$ mv usercert.pem ~/.globus

$ chmod 700 ~/.globus

$ mk-cert mykey.p12




Proxy helper scripts

Proxy helper scripts

  • growl-login wraps grid-proxy-init, myproxy-init and myproxy-logon

  • growl-logout wraps grid-proxy-destroy and myproxy-destroy

  • growl-info wraps grid-cert-info, myproxy-info and grid-proxy-infoandopenssl and can be used with certificates in several formats

Growl logon


Only does what is needed

Generates a local proxy (if there isn't a valid one there already)


  • -m : Uploads a credential to the myproxy server (but only if required)

  • -v myVO : proxies generated or uploaded will contain a VOMS Attribute Certificate for myVO (VDT only - not in source build yet)

  • -f : force generation / upload

  • -D : debugging information

Uses of growl login

Uses of growl-login

  • Generation of a proxy credential from a grid certificate (c.f. grid-proxy-init)

  • Uploading a proxy credential to a MyProxy server for use from other clients or portals (c.f. myproxy-init)

  • Retrieving a proxy credential without a grid certificate (c.f. myproxy-logon)

Use case 2







Use Case 2


$ myproxy-init

<Grid Pass Phrase>

<MyProxy Password>

<MyProxy Password>

$ myproxy-logon

<MyProxy Password>

$ myproxy-init -L

<Grid Pass Phrase>

<MyProxy Password>

<MyProxy Password>

$ growl-login -m

<Grid Pass Phrase>

<MyProxy Password>

Grid Resource



Growl info


  • Combines certificate info into one package

    • grid-cert-info

    • myproxy-info

    • grid-proxy-info

    • voms-proxy-info

  • Reports on only certs and credentials it finds

  • Issues warnings

  • Notes when other certs are present (but are not the ones that growl-login would use)

  • Can also be used with any certificate file to dispay its DN and validity and so can be used to check host, CA and VOMS-issuing certificate

Growl logout


  • Removes local proxy

  • With –m option will also remove MyProxy credential from MyProxy server.



  • Symmetry

    growl-login vs growl-logout

    c.f.myproxy-logon vs grid-proxy-destroy

  • Generally less passwords to type

  • Single command automagically "does the right thing™ "

    • Does nothing if no need

    • Utilises myproxy if credential present and valid

    • Uses existing local proxy if still valid

There are two types of grid user

There are two types of Grid User

  • Linux/Unix (command line?)

  • Windows (GUI?)


GSI-SSH terminal

NGS Authentication

Direct access


NGS Portal/



Certificate Wizard

Gsi enabled sshterm


Gsi enabled sshterm1


Certificate wizard

Certificate Wizard

Voms plugin

VOMS plugin

Myproxy enabled gsisshd meg

MyProxy-enabled GSISSHD (MEG)

  • Permits any ssh client to access the Grid

  • User must previously have uploaded a myproxy credential

  • Users like username + password

  • Multiple myproxy servers are supported

  • Simultaneously supports GSI authentication with a proxy

  • drop-in replacement for gsisshd

Stfc sso


  • Credential conversion service for STFC employees to any grid resource requiring X509 access

  • Federal ID and password

  • MyProxy server acts as a CA and issues Short Lived Certification Service (SLCS) certificates on the fly

  • Integrated with MEG for STFC resources

Sarongs ngs portal

SARoNGS / NGS Portal

Sarongs ngs portal1

SARoNGS / NGS Portal

Sarongs ngs portal2

SARoNGS / NGS Portal



  • Growl Scripts gives command-line users an easy way to install essential Grid middleware

  • The NGS provides different authentication tools for different users:

    • gsissh (using globus, VDT, Growl)

    • GSI-enabled SSHTERM

    • Certificate Wizard

    • Any ssh client (PuTTY, cygwin ssh) using MEG

    • STFC staff: MyProxySSO

    • UK academics: Shibboleth login via SARoNGS

Acknowledgements and refs

Acknowledgements and refs

Much of this work has been done by other STFC and NGS colleagues, too numerous to mention.



  • Login