Hands-on on security


Presentation Transcript


  1. Hands-on on security
     Pedro Rausch, IF - UFRJ
     Ninth EELA Tutorial, Bogotá, 06.03.2007

  2. Overview
     • Accessing the UI
     • Private and public keys
     • VOMS
       • voms-proxy-init
       • voms-proxy-info
       • voms-proxy-destroy
     • MyProxy
       • myproxy-init
       • myproxy-info
       • myproxy-get-delegation
       • myproxy-destroy
     Bogotá, Ninth EELA Tutorial, 06.03.2007

  3. How to access the User Interface
     • Open the VMWare User Interface on your desktop (click the icon)
     • Username: bogotaXX (LOOK AT THE STICKER!), where XX is in [01..50]
     • Password: GridBOGXX, where XX is in [01..50]
     • Certificate passphrase: BOGOTA

  4. Preliminary: .globus directory
     • The .globus directory contains your personal key pair and certificate
     • Pay attention to permissions
     • userkey.pem contains your private key and must be readable by you alone (mode 400)
     • usercert.pem contains your certificate (public key plus identity), which may also be readable from outside (mode 644)
     • GSI tools refuse to load a private key that group or others can read, so a wrong mode breaks voms-proxy-init as well as exposing the key
     [bogota01@eventogrid1 bogota01]$ ls -la .globus/u*
     -rw-r--r-- 1 bogota01 bogota01 1131 Mar 1 03:27 .globus/usercert.pem
     -r-------- 1 bogota01 bogota01  963 Mar 1 03:27 .globus/userkey.pem
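As an added example (this script is not part of the tutorial), a small POSIX shell check that enforces the permissions slide 4 prescribes before you run voms-proxy-init. The function names and the fallback directory are this example's own; it assumes a GNU or BSD stat is available. GSI itself only rejects a key that group or others can access, so mode 600 also passes the check; 400 is what the tutorial recommends.

```shell
#!/bin/sh
# Added example, not from the tutorial: check (and optionally repair) the
# permissions of ~/.globus/userkey.pem and ~/.globus/usercert.pem.

# Print the octal permission bits of a file (GNU stat first, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Return 0 when the private key is readable by its owner alone and the
# certificate is not writable by group or others; otherwise report what is
# wrong on stderr and return 1. Directory defaults to ~/.globus (assumption).
check_globus_perms() {
    dir=${1:-$HOME/.globus}
    key="$dir/userkey.pem"
    cert="$dir/usercert.pem"
    rc=0
    for f in "$key" "$cert"; do
        if [ ! -f "$f" ]; then
            echo "missing: $f" >&2
            return 1
        fi
    done
    # 400 is the tutorial's value; 600 still keeps group/others out, which
    # is all GSI checks for. Anything else exposes the key.
    mode=$(file_mode "$key")
    case "$mode" in
        400|0400|600|0600) ;;
        *) echo "userkey.pem is mode $mode, expected 400 (chmod 400 $key)" >&2; rc=1 ;;
    esac
    # The certificate is public, but nobody else should be able to replace it.
    mode=$(file_mode "$cert")
    case "$mode" in
        644|0644|444|0444|600|0600|400|0400) ;;
        *) echo "usercert.pem is mode $mode, expected 644 (chmod 644 $cert)" >&2; rc=1 ;;
    esac
    return $rc
}

# Apply the modes from slide 4.
fix_globus_perms() {
    dir=${1:-$HOME/.globus}
    chmod 400 "$dir/userkey.pem" && chmod 644 "$dir/usercert.pem"
}

# Stand-alone run: check the real ~/.globus of the calling user.
if check_globus_perms; then
    echo "~/.globus permissions OK"
else
    echo "fix with: fix_globus_perms" >&2
fi
```

Run it once after copying your certificate into a new UI account; the check is cheap enough to leave at the top of any job-submission script.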

  5. voms-proxy-init: create credentials
     • Usage: voms-proxy-init --voms <vo-name[:command]>
     • Main options
       -help, -usage           Displays usage
       -version                Displays version
       -debug                  Enables extra debug output
       -quiet, -q              Quiet mode, minimal output
       -verify                 Verifies the certificate to make a proxy for
       -pwstdin                Allows the passphrase to be read from stdin
       -limited                Creates a limited proxy
       -valid <h:m>            Proxy is valid for h hours and m minutes (default 12:00)
       -hours H                Proxy is valid for H hours (default 12)
       -bits                   Number of bits in the key {512|1024|2048|4096}
       -cert <certfile>        Non-standard location of user certificate
       -key <keyfile>          Non-standard location of user key
       -certdir <certdir>      Non-standard location of trusted cert dir
       -out <proxyfile>        Non-standard location of new proxy cert
       -voms <voms[:command]>  Specify VOMS server. :command is optional.
       -order <group[:role]>   Specify ordering of attributes.
       -vomslife <h:m>         Try to get a VOMS pseudocert valid for h hours and m minutes (default: the value of -valid)
       -include <file>         Include the contents of the specified files
       -confile <file>         Non-standard location of voms server addresses
       -vomses <file>          Non-standard location of configuration files

  6. voms-proxy-init output
     [bogota01@eventogrid1 bogota01]$ voms-proxy-init --voms gilda
     Cannot find file or dir: /home/bogota01/.glite/vomses
     Your identity: /C=IT/O=GILDA/OU=Personal Certificate/L=BOGOTA/CN=BOGOTA01/Email=claudio.cherubino@ct.infn.it
     Enter GRID pass phrase: ************
     Creating temporary proxy ............................... Done
     Contacting voms.ct.infn.it:15001 [/C=IT/O=INFN/OU=Host/L=Catania/CN=voms.ct.infn.it] "gilda" Done
     Creating proxy ................................. Done
     Your proxy is valid until Tue Mar 6 23:06:20 2007
     • The warning about ~/.glite/vomses is harmless: no per-user vomses file exists, so the system-wide VOMS server list is used

  7. voms-proxy-info: check credentials
     • voms-proxy-info
     • Main options:
       -all   prints all proxy information, VOMS extensions included
       -file  specifies a different location of the proxy file

  8. voms-proxy-info output
     [bogota01@eventogrid1 bogota01]$ voms-proxy-info --all
     (standard Globus attributes)
     subject   : /C=IT/O=GILDA/OU=Personal Certificate/L=BOGOTA/CN=BOGOTA01/Email=claudio.cherubino@ct.infn.it/CN=proxy
     issuer    : /C=IT/O=GILDA/OU=Personal Certificate/L=BOGOTA/CN=BOGOTA01/Email=claudio.cherubino@ct.infn.it
     identity  : /C=IT/O=GILDA/OU=Personal Certificate/L=BOGOTA/CN=BOGOTA01/Email=claudio.cherubino@ct.infn.it
     type      : proxy
     strength  : 512 bits
     path      : /tmp/x509up_u501
     timeleft  : 11:57:40
     (VOMS extensions)
     === VO gilda extension information ===
     VO        : gilda
     subject   : /C=IT/O=GILDA/OU=Personal Certificate/L=BOGOTA/CN=BOGOTA01/Email=claudio.cherubino@ct.infn.it
     issuer    : /C=IT/O=INFN/OU=Host/L=Catania/CN=voms.ct.infn.it
     attribute : /gilda/Role=NULL/Capability=NULL
     timeleft  : 11:57:33
     • The proxy is signed by your own certificate (issuer = identity) and its subject is your DN with /CN=proxy appended; the VOMS extension is signed by the VOMS server instead
     • The two timeleft values differ: the proxy and the VOMS extension expire independently, and the shorter one is what counts

  9. voms-proxy-destroy: destroy credentials
     • voms-proxy-destroy
     • Normally needs no options
     • Destroys the proxy certificate pointed to by the $X509_USER_PROXY environment variable (when it is unset, the default /tmp/x509up_u<uid> is used)

  10. voms-proxy-destroy output
     [bogota01@eventogrid1 bogota01]$ echo $X509_USER_PROXY
     /tmp/x509up_u501
     [bogota01@eventogrid1 bogota01]$ voms-proxy-destroy
     [bogota01@eventogrid1 bogota01]$ voms-proxy-info --all
     Couldn't find a valid proxy.

  11. First Exercise
     1. Create a plain VOMS proxy without requesting group membership
     2. Verify your proxy, checking that it has no VOMS extensions
     3. Destroy the created proxy
     4. Verify your proxy again
     5. Do steps 1-4 again, this time requesting gilda group membership

  12. Long term proxy: MyProxy
     • myproxy server commands:
       • myproxy-init: creates a long term proxy certificate and stores it on the MyProxy server
       • myproxy-info: gets information about a stored long living proxy
       • myproxy-get-delegation: gets a new proxy from the MyProxy server
       • myproxy-destroy: removes the stored proxy from the MyProxy server
     • Check them out with the myproxy-xxx --help option
     • A dedicated service on the RB (Resource Broker) can renew the proxy automatically by contacting the myproxy server

  13. myproxy-init: store proxy credentials
     • Main options
       -c hours       specifies the lifetime of the stored credentials
       -t hours       specifies the maximum lifetime of retrieved credentials
       -s <hostname>  specifies the myproxy server used to store credentials
       -d             stores the credential under the distinguished name in the proxy instead of the user name (mandatory for some data management services and for proxy renewal)
     • For proxy renewal -n (no passphrase) is also mandatory. You then have to specify the subject of the principals that may renew a delegation (-R subject, or -A for any principal)
     • With -n the stored credential is protected only by that renewer policy, so prefer -R with the DN of the renewal service over -A

  14. myproxy-init output
     [bogota01@eventogrid1 bogota01]$ myproxy-init
     Your identity: /C=IT/O=GILDA/OU=Personal Certificate/L=BOGOTA/CN=BOGOTA01/Email=claudio.cherubino@ct.infn.it
     Enter GRID pass phrase for this identity: ***********
     Creating proxy ................................. Done
     Proxy Verify OK
     Your proxy is valid until: Tue Mar 13 14:00:18 2007
     Enter MyProxy pass phrase: ***********
     Verifying password - Enter MyProxy pass phrase:
     A proxy valid for 168 hours (7.0 days) for user bogota01 now exists on grid001.ct.infn.it.
     • Two different passphrases are involved: the GRID passphrase unlocks your private key locally, the MyProxy passphrase protects retrieval of the stored proxy from the server

  15. myproxy-info: retrieve stored proxy info
     • Useful to retrieve info on stored credentials
     • Needs local credentials: the user must have a valid proxy to issue this command
     • If the credentials were initialized with the -d switch, you also have to specify the same option here

  16. myproxy-info output
     [bogota01@eventogrid1 bogota01]$ myproxy-info -v
     Socket bound to port 20000.
     server name: /C=IT/O=INFN/OU=Host/L=Catania/CN=grid001.ct.infn.it
     checking if server name matches "myproxy@grid001.ct.infn.it"
     server name does not match
     checking if server name matches "host@grid001.ct.infn.it"
     server name accepted
     username: bogota01
     owner: /C=IT/O=GILDA/OU=Personal Certificate/L=BOGOTA/CN=BOGOTA01/Email=claudio.cherubino@ct.infn.it
     timeleft: 167:54:03 (7.0 days)
     • The "server name" lines show the client checking the server's host certificate (first as a myproxy@ service name, then as host@) before trusting it with your passphrase
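The timeleft, strength and VO lines on slides 8 and 16 are what a job-submission script should inspect before it trusts a proxy. As an added example (not from the tutorial), the POSIX shell functions below parse that text and refuse a proxy that is about to expire, carries no VOMS extension for the VO, or uses a weak key. The sample outputs are constructed from the two slides (e-mail components dropped), the function names and thresholds are this example's own, and the functions read the command output from stdin so you can feed them `voms-proxy-info -all` or `myproxy-info` directly.

```shell
#!/bin/sh
# Added example, not from the tutorial: preflight checks over voms-proxy-info
# and myproxy-info output.

# Smallest "timeleft" value on stdin, in seconds (-1 if none). voms-proxy-info
# prints one timeleft for the proxy and one per VOMS extension; the proxy is
# only as good as the shortest of them.
proxy_timeleft_secs() {
    awk '
        /^ *timeleft/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[0-9]+:[0-9]+:[0-9]+$/) {
                    split($i, t, ":")
                    s = t[1] * 3600 + t[2] * 60 + t[3]
                    if (found == 0 || s < min) { min = s; found = 1 }
                }
        }
        END { print (found ? min : -1) }'
}

# Key length from the "strength : N bits" line (-1 if absent).
proxy_key_bits() {
    awk '
        /^ *strength/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[0-9]+$/) { print $i; found = 1; exit }
        }
        END { if (!found) print "-1" }'
}

# Succeed only if a "VO : <name>" line for the requested VO is present,
# i.e. the proxy carries a VOMS attribute certificate for that VO.
proxy_has_vo() {
    awk -v vo="$1" '
        /^ *VO *:/ { if ($NF == vo) found = 1 }
        END { exit (found ? 0 : 1) }'
}

# proxy_preflight MIN_SECONDS VO MIN_BITS  < voms-proxy-info -all output
# Returns 0 if every check passes; each failure is reported on stderr.
proxy_preflight() {
    min_secs=$1; vo=$2; min_bits=$3
    out=$(cat)
    rc=0
    left=$(printf '%s\n' "$out" | proxy_timeleft_secs)
    if [ "$left" -lt "$min_secs" ]; then
        echo "proxy lifetime ${left}s is below the required ${min_secs}s: run voms-proxy-init again" >&2
        rc=1
    fi
    bits=$(printf '%s\n' "$out" | proxy_key_bits)
    if [ "$bits" -lt "$min_bits" ]; then
        echo "proxy key is ${bits} bits, below ${min_bits}: use voms-proxy-init -bits ${min_bits}" >&2
        rc=1
    fi
    if ! printf '%s\n' "$out" | proxy_has_vo "$vo"; then
        echo "no VOMS attribute certificate for VO ${vo}: use voms-proxy-init --voms ${vo}" >&2
        rc=1
    fi
    return $rc
}

# Constructed sample, modelled on slide 8 (voms-proxy-info --all).
SAMPLE_VOMS='subject   : /C=IT/O=GILDA/OU=Personal Certificate/L=BOGOTA/CN=BOGOTA01/CN=proxy
issuer    : /C=IT/O=GILDA/OU=Personal Certificate/L=BOGOTA/CN=BOGOTA01
identity  : /C=IT/O=GILDA/OU=Personal Certificate/L=BOGOTA/CN=BOGOTA01
type      : proxy
strength  : 512 bits
path      : /tmp/x509up_u501
timeleft  : 11:57:40
=== VO gilda extension information ===
VO        : gilda
subject   : /C=IT/O=GILDA/OU=Personal Certificate/L=BOGOTA/CN=BOGOTA01
issuer    : /C=IT/O=INFN/OU=Host/L=Catania/CN=voms.ct.infn.it
attribute : /gilda/Role=NULL/Capability=NULL
timeleft  : 11:57:33'

# Constructed sample, modelled on slide 16 (myproxy-info).
SAMPLE_MYPROXY='username: bogota01
owner: /C=IT/O=GILDA/OU=Personal Certificate/L=BOGOTA/CN=BOGOTA01
timeleft: 167:54:03 (7.0 days)'

# Stand-alone run: the slide's 512-bit proxy fails a 1024-bit requirement.
if printf '%s\n' "$SAMPLE_VOMS" | proxy_preflight 3600 gilda 1024; then
    echo "VOMS proxy preflight: ok"
else
    echo "VOMS proxy preflight: failed"
fi
echo "stored MyProxy credential: $(printf '%s\n' "$SAMPLE_MYPROXY" | proxy_timeleft_secs)s left"
```

In a submission script the call is `voms-proxy-info -all | proxy_preflight 3600 gilda 1024 || exit 1`; the 512-bit key shown on slide 8 is the 2007 default and is the reason the `-bits` option from slide 5 is worth setting.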

  17. myproxy-get-delegation: get proxy
     • Retrieves a delegation from the long lived proxy stored on a myproxy server
     • It does not depend on the machine: you don't need your certificate on board, only the MyProxy passphrase
     • If the credentials were initialized with the -d switch, you have to specify it in the myproxy-get-delegation request as well

  18. myproxy-get-delegation: output
     [bogota01@eventogrid1 bogota01]$ myproxy-get-delegation
     Enter MyProxy pass phrase:
     A proxy has been received for user bogota01 in /tmp/x509up_u501

  19. myproxy-destroy: destroy proxy
     • Deletes, if existing, the long lived credentials on the specified myproxy server
     • To specify the myproxy server, use the -s switch
     • Again, the user must have a valid proxy certificate

  20. myproxy-destroy: output
     [bogota01@eventogrid1 bogota01]$ myproxy-destroy -v
     Socket bound to port 20000.
     server name: /C=IT/O=INFN/OU=Host/L=Catania/CN=grid001.ct.infn.it
     checking if server name matches "myproxy@grid001.ct.infn.it"
     server name does not match
     checking if server name matches "host@grid001.ct.infn.it"
     server name accepted
     Default MyProxy credential for user bogota01 was successfully removed.

  21. Second Exercise
     1. Create a myproxy on the server grid001.ct.infn.it
     2. Fetch a delegation from the myproxy server
     3. Check the information on the created proxy on the myproxy server
     4. Destroy both the delegated proxy and the proxy stored on the myproxy server
     5. Repeat steps 1-4 using the -d option
     • What differences do you notice between the two proxies?

  22. VOMS extensions on a delegated proxy
     • MyProxy does not natively support VOMS: the proxy received from myproxy-get-delegation carries no VOMS extensions
     • To overcome this:
       1. Fetch the delegated proxy with myproxy-get-delegation
       2. Run voms-proxy-init with the -noregen option, which uses the existing proxy, rather than your user certificate, to contact the VOMS server and sign the new VOMS-enabled proxy

  23. Questions
