Skip this Video
Download Presentation

Loading in 2 Seconds...

play fullscreen
1 / 32

Outline - PowerPoint PPT Presentation

  • Uploaded on

Authentication in the NGS John Kewley [email protected] NGS Support Centre Manager STFC Daresbury Laboratory. Outline. What is the NGS? Growl: VDT installation + helper scripts Some other NGS Authentication projects. Diverse User Community. 25 member institutes

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about ' Outline' - tal

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

Authentication in the NGSJohn [email protected] Support Centre ManagerSTFC Daresbury Laboratory

  • What is the NGS?
  • Growl: VDT installation + helper scripts
  • Some other NGS Authentication projects

Diverse User Community

25 member institutes

33 heterogeneous resources

15,000 processing cores

> 75 applications

  • In the last 12 months
  • 4,629,127 CPU hrs used
  • 888,862 jobs ran
  • 2nd largest e-Science CA
  • 22,121 certificates issued
  • 4,911 active currently
ngs gsi

The NGS uses GSI for its Authentication

To support this we have:

* UK e-Science CA (IGTF accredited, offline)

* RA network across UK academia (61 RAs with 112 RA Operators)

* 2 MyProxy servers

ngs gsi1

To support ancillary services mentioned later in this talk we also have

* VOMS server

* Training CA (for short-lived training certificates)

* Test CA (for RA Training)

* 2x SLCS online CAs (SSO and SARoNGS)

3 barriers
3 Barriers

Three main barriers that newcomers find when using the Grid for the first time:

  • Setting up the client-side middleware
  • Handling of certificates
  • [Job submission in the presence of firewalls]
installing growl scripts
Installing Growl Scripts
  • Download GROWL Scripts

$ cd

$ # possibly tell wget about http_proxy

$ # export http_proxy=

$ wget

  • Unpack into home directory

$ tar -zxvf GrowlScripts.tar.gz

  • "Build" VDT client

$ cd Growl

$ make

growl scripts contents
GROWL Scripts: Contents

VDT client installation of globus, gsi-openSSH, VOMS and MyProxy

  • grid-proxy-init, grid-proxy-info
  • globus-job-submit, globus-job-run
  • gsissh, gsiscp, openssl
  • myproxy-init, myproxy-info, myproxy-logon
  • voms-proxy-init, voms-proxy-info

Certificate helper scripts

  • mk-cert
  • growl-info, growl-login, growl-logout

GROWL wrapper scripts

  • growl-submit, growl-status, growl-get-output,
  • growl-sh, growl-cp, growl-mkdir, growl-rm,,
  • growl-pwd, growl-which, growl-get-jobmanager
  • growl-queue

Note: there is also a globus source build for non-VDT-supported platforms

3 barriers1
3 Barriers

Three main barriers that newcomers find when using the Grid for the first time:

  • Setting up the client-side middleware
  • Handling of certificates
  • [Job submission in the presence of firewalls]
how many passwords
Request Certificate

Request certificate PIN

[Confirm PIN]

Present PIN at photoID check

[Master Password if on FF]

Export Certificate

[Master Password if on FF]

Backup/export password (.p12)

Re-confirm backup/export password (.p12)

Setup .pem files

Unpack .p12 for userkey

Unpack.p12for usercert

Set .pem password

Confirm .pem password

MyProxy Setup

myproxy-init (.pem)

[set myproxy pwd]

[Confirm myproxy pwd]

Obtain Grid proxy

myproxy-logon (myproxy pwd)

How many passwords?
credential conversion
Credential conversion

$ openssl -clcerts -nokeys -in JK.p12 -out userkey.pem

$ openssl -nocerts -in JK.p12 -out usercert.pem

$ openssl pkcs12 -clcerts -nokeys -in JK.p12 -out userkey.pem

$ openssl pkcs12 -nocerts -in JK.p12 -out usercert.pem

$ openssl pkcs12 -clcerts -nokeys -in JK.p12 -out usercert.pem

$ openssl pkcs12 -nocerts -in JK.p12 -out userkey.pem

$ chmod 444 usercert.pem

$ chmod 400 userkey.pem

mk cert
$ openssl pkcs12 -clcerts \

-nokeys -in usercred.p12 \

-out usercert.pem


$ openssl pkcs12 -nocerts \

-in usercred.p12 \

-out userkey.pem



<Pass2> [confirm]

$ chmod 444 usercert.pem

$ chmod 400 userkey.pem

$ mv userkey.pem ~/.globus

$ mv usercert.pem ~/.globus

$ chmod 700 ~/.globus

$ mk-cert mykey.p12



proxy helper scripts
Proxy helper scripts
  • growl-login wraps grid-proxy-init, myproxy-init and myproxy-logon
  • growl-logout wraps grid-proxy-destroy and myproxy-destroy
  • growl-info wraps grid-cert-info, myproxy-info and grid-proxy-infoandopenssl and can be used with certificates in several formats
growl logon

Only does what is needed

Generates a local proxy (if there isn\'t a valid one there already)


  • -m : Uploads a credential to the myproxy server (but only if required)
  • -v myVO : proxies generated or uploaded will contain a VOMS Attribute Certificate for myVO (VDT only - not in source build yet)
  • -f : force generation / upload
  • -D : debugging information
uses of growl login
Uses of growl-login
  • Generation of a proxy credential from a grid certificate (c.f. grid-proxy-init)
  • Uploading a proxy credential to a MyProxy server for use from other clients or portals (c.f. myproxy-init)
  • Retrieving a proxy credential without a grid certificate (c.f. myproxy-logon)
use case 2







Use Case 2


$ myproxy-init

<Grid Pass Phrase>

<MyProxy Password>

<MyProxy Password>

$ myproxy-logon

<MyProxy Password>

$ myproxy-init -L

<Grid Pass Phrase>

<MyProxy Password>

<MyProxy Password>

$ growl-login -m

<Grid Pass Phrase>

<MyProxy Password>

Grid Resource



growl info
  • Combines certificate info into one package
    • grid-cert-info
    • myproxy-info
    • grid-proxy-info
    • voms-proxy-info
  • Reports on only certs and credentials it finds
  • Issues warnings
  • Notes when other certs are present (but are not the ones that growl-login would use)
  • Can also be used with any certificate file to dispay its DN and validity and so can be used to check host, CA and VOMS-issuing certificate
growl logout
  • Removes local proxy
  • With –m option will also remove MyProxy credential from MyProxy server.
  • Symmetry

growl-login vs growl-logout

c.f.myproxy-logon vs grid-proxy-destroy

  • Generally less passwords to type
  • Single command automagically "does the right thing™ "
    • Does nothing if no need
    • Utilises myproxy if credential present and valid
    • Uses existing local proxy if still valid
there are two types of grid user
There are two types of Grid User
  • Linux/Unix (command line?)
  • Windows (GUI?)

GSI-SSH terminal

NGS Authentication

Direct access


NGS Portal/



Certificate Wizard

myproxy enabled gsisshd meg
MyProxy-enabled GSISSHD (MEG)
  • Permits any ssh client to access the Grid
  • User must previously have uploaded a myproxy credential
  • Users like username + password
  • Multiple myproxy servers are supported
  • Simultaneously supports GSI authentication with a proxy
  • drop-in replacement for gsisshd
stfc sso
  • Credential conversion service for STFC employees to any grid resource requiring X509 access
  • Federal ID and password
  • MyProxy server acts as a CA and issues Short Lived Certification Service (SLCS) certificates on the fly
  • Integrated with MEG for STFC resources
  • Growl Scripts gives command-line users an easy way to install essential Grid middleware
  • The NGS provides different authentication tools for different users:
    • gsissh (using globus, VDT, Growl)
    • GSI-enabled SSHTERM
    • Certificate Wizard
    • Any ssh client (PuTTY, cygwin ssh) using MEG
    • STFC staff: MyProxySSO
    • UK academics: Shibboleth login via SARoNGS
acknowledgements and refs
Acknowledgements and refs

Much of this work has been done by other STFC and NGS colleagues, too numerous to mention.