slide1
Download
Skip this Video
Download Presentation
Outline

Loading in 2 Seconds...

play fullscreen
1 / 32

Outline - PowerPoint PPT Presentation


  • 152 Views
  • Uploaded on

Authentication in the NGS John Kewley [email protected] NGS Support Centre Manager STFC Daresbury Laboratory. Outline. What is the NGS? Growl: VDT installation + helper scripts Some other NGS Authentication projects. Diverse User Community. www.ngs.ac.uk. 25 member institutes

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' Outline' - tal


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
slide1

Authentication in the NGSJohn [email protected] Support Centre ManagerSTFC Daresbury Laboratory

outline
Outline
  • What is the NGS?
  • Growl: VDT installation + helper scripts
  • Some other NGS Authentication projects
slide3

Diverse User Community

www.ngs.ac.uk

25 member institutes

33 heterogeneous resources

15,000 processing cores

> 75 applications

  • In the last 12 months
  • 4,629,127 CPU hrs used
  • 888,862 jobs ran
  • 2nd largest e-Science CA
  • 22,121 certificates issued
  • 4,911 active currently
ngs gsi
NGS + GSI

The NGS uses GSI for its Authentication

To support this we have:

* UK e-Science CA (IGTF accredited, offline)

* RA network across UK academia (61 RAs with 112 RA Operators)

* 2 MyProxy servers

ngs gsi1
NGS + GSI

To support ancillary services mentioned later in this talk we also have

* VOMS server

* Training CA (for short-lived training certificates)

* Test CA (for RA Training)

* 2x SLCS online CAs (SSO and SARoNGS)

3 barriers
3 Barriers

Three main barriers that newcomers find when using the Grid for the first time:

  • Setting up the client-side middleware
  • Handling of certificates
  • [Job submission in the presence of firewalls]
installing growl scripts
Installing Growl Scripts
  • Download GROWL Scripts

$ cd

$ # possibly tell wget about http_proxy

$ # export http_proxy=http://wwwcache.dl.ac.uk:8080

$ wget http://www.growl.org.uk/GrowlScripts.tar.gz

  • Unpack into home directory

$ tar -zxvf GrowlScripts.tar.gz

  • "Build" VDT client

$ cd Growl

$ make

growl scripts contents
GROWL Scripts: Contents

VDT client installation of globus, gsi-openSSH, VOMS and MyProxy

  • grid-proxy-init, grid-proxy-info
  • globus-job-submit, globus-job-run
  • gsissh, gsiscp, openssl
  • myproxy-init, myproxy-info, myproxy-logon
  • voms-proxy-init, voms-proxy-info

Certificate helper scripts

  • mk-cert
  • growl-info, growl-login, growl-logout

GROWL wrapper scripts

  • growl-submit, growl-status, growl-get-output,
  • growl-sh, growl-cp, growl-mkdir, growl-rm,,
  • growl-pwd, growl-which, growl-get-jobmanager
  • growl-queue

Note: there is also a globus source build for non-VDT-supported platforms

3 barriers1
3 Barriers

Three main barriers that newcomers find when using the Grid for the first time:

  • Setting up the client-side middleware
  • Handling of certificates
  • [Job submission in the presence of firewalls]
how many passwords
Request Certificate

Request certificate PIN

[Confirm PIN]

Present PIN at photoID check

[Master Password if on FF]

Export Certificate

[Master Password if on FF]

Backup/export password (.p12)

Re-confirm backup/export password (.p12)

Setup .pem files

Unpack .p12 for userkey

Unpack.p12for usercert

Set .pem password

Confirm .pem password

MyProxy Setup

myproxy-init (.pem)

[set myproxy pwd]

[Confirm myproxy pwd]

Obtain Grid proxy

myproxy-logon (myproxy pwd)

How many passwords?
credential conversion
Credential conversion

$ openssl -clcerts -nokeys -in JK.p12 -out userkey.pem

$ openssl -nocerts -in JK.p12 -out usercert.pem

$ openssl pkcs12 -clcerts -nokeys -in JK.p12 -out userkey.pem

$ openssl pkcs12 -nocerts -in JK.p12 -out usercert.pem

$ openssl pkcs12 -clcerts -nokeys -in JK.p12 -out usercert.pem

$ openssl pkcs12 -nocerts -in JK.p12 -out userkey.pem

$ chmod 444 usercert.pem

$ chmod 400 userkey.pem

mk cert
$ openssl pkcs12 -clcerts \

-nokeys -in usercred.p12 \

-out usercert.pem

<Pass1>

$ openssl pkcs12 -nocerts \

-in usercred.p12 \

-out userkey.pem

<Pass1>

<Pass2>

<Pass2> [confirm]

$ chmod 444 usercert.pem

$ chmod 400 userkey.pem

$ mv userkey.pem ~/.globus

$ mv usercert.pem ~/.globus

$ chmod 700 ~/.globus

$ mk-cert mykey.p12

<Pass1>

[<Pass2>]

mk-cert
proxy helper scripts
Proxy helper scripts
  • growl-login wraps grid-proxy-init, myproxy-init and myproxy-logon
  • growl-logout wraps grid-proxy-destroy and myproxy-destroy
  • growl-info wraps grid-cert-info, myproxy-info and grid-proxy-infoandopenssl and can be used with certificates in several formats
growl logon
growl-logon

Only does what is needed

Generates a local proxy (if there isn\'t a valid one there already)

Options:

  • -m : Uploads a credential to the myproxy server (but only if required)
  • -v myVO : proxies generated or uploaded will contain a VOMS Attribute Certificate for myVO (VDT only - not in source build yet)
  • -f : force generation / upload
  • -D : debugging information
uses of growl login
Uses of growl-login
  • Generation of a proxy credential from a grid certificate (c.f. grid-proxy-init)
  • Uploading a proxy credential to a MyProxy server for use from other clients or portals (c.f. myproxy-init)
  • Retrieving a proxy credential without a grid certificate (c.f. myproxy-logon)
use case 2

JK

JK

12h

365d

JK

7d

Use Case 2

Client

$ myproxy-init

<Grid Pass Phrase>

<MyProxy Password>

<MyProxy Password>

$ myproxy-logon

<MyProxy Password>

$ myproxy-init -L

<Grid Pass Phrase>

<MyProxy Password>

<MyProxy Password>

$ growl-login -m

<Grid Pass Phrase>

<MyProxy Password>

Grid Resource

MyProxy

Server

growl info
growl-info
  • Combines certificate info into one package
    • grid-cert-info
    • myproxy-info
    • grid-proxy-info
    • voms-proxy-info
  • Reports on only certs and credentials it finds
  • Issues warnings
  • Notes when other certs are present (but are not the ones that growl-login would use)
  • Can also be used with any certificate file to dispay its DN and validity and so can be used to check host, CA and VOMS-issuing certificate
growl logout
growl-logout
  • Removes local proxy
  • With –m option will also remove MyProxy credential from MyProxy server.
advantages
Advantages
  • Symmetry

growl-login vs growl-logout

c.f.myproxy-logon vs grid-proxy-destroy

  • Generally less passwords to type
  • Single command automagically "does the right thing™ "
    • Does nothing if no need
    • Utilises myproxy if credential present and valid
    • Uses existing local proxy if still valid
there are two types of grid user
There are two types of Grid User
  • Linux/Unix (command line?)
  • Windows (GUI?)
slide21

GSI-SSH terminal

NGS Authentication

Direct access

MEG

NGS Portal/

Applications

Repository

Certificate Wizard

myproxy enabled gsisshd meg
MyProxy-enabled GSISSHD (MEG)
  • Permits any ssh client to access the Grid
  • User must previously have uploaded a myproxy credential
  • Users like username + password
  • Multiple myproxy servers are supported
  • Simultaneously supports GSI authentication with a proxy
  • drop-in replacement for gsisshd
stfc sso
STFC SSO
  • Credential conversion service for STFC employees to any grid resource requiring X509 access
  • Federal ID and password
  • MyProxy server acts as a CA and issues Short Lived Certification Service (SLCS) certificates on the fly
  • Integrated with MEG for STFC resources
summary
Summary
  • Growl Scripts gives command-line users an easy way to install essential Grid middleware
  • The NGS provides different authentication tools for different users:
    • gsissh (using globus, VDT, Growl)
    • GSI-enabled SSHTERM
    • Certificate Wizard
    • Any ssh client (PuTTY, cygwin ssh) using MEG
    • STFC staff: MyProxySSO
    • UK academics: Shibboleth login via SARoNGS
acknowledgements and refs
Acknowledgements and refs

Much of this work has been done by other STFC and NGS colleagues, too numerous to mention.

  • http://tyne.dl.ac.uk/GROWL/Scripts
  • http://ww.ngs.ac.uk/tools/overview
ad