Grid Security Tutorial: Access & Authentication Guide
Learn how to securely access the UI servers and authenticate using personal certificates, proxies, and VOMS extensions. Ensure proper permissions and lifetime management for secure grid operations.
Hands-on security
Angelines Alberto Morillas
Ciemat
How to access the UI
• SERVER: glite-tutor.ct.infn.it or glite-tutor2.ct.infn.it
• USERNAME: sevillaXX
• PASSWORD: GridSEVXX
• PASSPHRASE: SEVILLA
• where XX = 01…30
Authentication and Authorization
INSPECTING PERSONAL CERTIFICATE
• .globus: your personal certificate, stored as two separate files (public certificate and private key)
• You need them for the authenticated connections with all the other grid elements.
• Check the permissions (you won't be able to create a proxy if they are wrong):
  ls -l .globus
  -rw-r--r-- usercert.pem
  -r-------- userkey.pem

Authentication and Authorization
INSPECTING PERSONAL CERTIFICATE
• Look inside your certificate:
  grid-cert-info
• Important information:
  • Creation and expiration date
  • Name and subject of the CA
  • Common Name (CN) of the certificate owner
  • Certificate subject

Authentication and Authorization
Creation of a proxy with VOMS extensions
• This step is comparable to a login on the grid.
  voms-proxy-init --voms gilda

Authentication and Authorization
CHECK YOUR VOMS PROXY
• To get info about your proxy:
  voms-proxy-info -all
• It shows two different lifetimes:
  • The first is related to the proxy itself
  • The second refers to the AC (attribute certificate) information added by the VOMS server.
• Important: your proxy has a lifetime of 12 hours
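As an added example (not part of the tutorial slides), the following script automates two checks the slides ask you to make by hand: the .globus file permissions from the ls -l listing, and the two lifetimes reported by voms-proxy-info -all, of which the shorter one is what actually limits your session. The voms-proxy-info output it parses is a constructed sample, and the function names are my own.

```shell
# Added example, not part of the tutorial. Assumes POSIX sh with ls, cut and
# awk; the .globus path is a parameter so it can be run on a scratch directory.

# Symbolic mode as printed by ls -l, e.g. "-rw-r--r--".
sym_mode() { ls -ld "$1" | cut -c1-10; }

# check_globus_perms DIR: 0 when the layout from the slide holds, 1 otherwise.
# usercert.pem must be readable; userkey.pem must carry no group/world bits
# (-r-------- or -rw-------), or voms-proxy-init will refuse to use the key.
check_globus_perms() {
    dir="${1:-$HOME/.globus}"
    rc=0
    if [ ! -r "$dir/usercert.pem" ]; then
        echo "usercert.pem missing or unreadable in $dir"; rc=1
    fi
    if [ ! -f "$dir/userkey.pem" ]; then
        echo "userkey.pem missing in $dir"; rc=1
    else
        case "$(sym_mode "$dir/userkey.pem")" in
            -r??------) ;;    # owner-only access: as expected
            *) echo "userkey.pem is readable by others; fix with: chmod 400 $dir/userkey.pem"
               rc=1 ;;
        esac
    fi
    return $rc
}

# proxy_timeleft_seconds: reads "voms-proxy-info -all" output on stdin and
# prints the smaller of its "timeleft" values (proxy, then VOMS AC) in seconds.
# An expired AC fails VO authorization even while the proxy itself is valid.
proxy_timeleft_seconds() {
    awk -F'[: ]+' '/^timeleft/ {
            s = $2 * 3600 + $3 * 60 + $4
            if (min == "" || s < min) min = s
        }
        END { print (min == "" ? 0 : min) }'
}

# Constructed sample of "voms-proxy-info -all" output (not captured from a UI).
SAMPLE_INFO='subject   : /C=IT/O=GILDA/OU=Personal Certificate/L=CIEMAT/CN=sevilla01/CN=proxy
type      : proxy
timeleft  : 11:59:56
=== VO gilda extension information ===
VO        : gilda
attribute : /gilda/Role=NULL/Capability=NULL
timeleft  : 11:30:00'

# Example run: warn when less than an hour of usable lifetime is left.
left=$(printf '%s\n' "$SAMPLE_INFO" | proxy_timeleft_seconds)
[ "$left" -ge 3600 ] || echo "renew your proxy (voms-proxy-init --voms gilda)"
```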
MyProxy Use
Register a long-lived proxy in the MyProxy server (grid001.ct.infn.it)
• Allows you to create and store a long-term proxy certificate:
  myproxy-init --voms gilda
• The -s option allows you to specify the name of the MyProxy server you want to contact:
  myproxy-init --voms gilda -s grid001.ct.infn.it

MyProxy Use
Register a long-lived proxy in the MyProxy server (grid001.ct.infn.it)
• The -d option allows you to create and store a long-term proxy under your DN:
  myproxy-init --voms gilda -s grid001.ct.infn.it -d
• Without this option, the name of the stored proxy is the same as your username on the local machine

MyProxy Use
Register a long-lived proxy in the MyProxy server (grid001.ct.infn.it)
• The -l option allows you to create and store a long-term proxy under a name specified by the user:
  myproxy-init --voms gilda -s grid001.ct.infn.it -l GILDA_TUTOR
• Each user can create and store several proxies in a MyProxy server, but each remote proxy is linked to the specified username

MyProxy Use
Gather information about the proxy in the MyProxy server
• You can get info from the MyProxy server about your proxy:
  myproxy-info -s grid001.ct.infn.it
• If the credentials have been initialized with the -d switch, you also have to specify it when using myproxy-info:
  myproxy-info -s grid001.ct.infn.it -d

MyProxy Use
Gather information about the proxy in the MyProxy server
• If the credentials have been initialized with the -l switch, you also have to specify it when using myproxy-info:
  myproxy-info -s grid001.ct.infn.it -l GILDA_TUTOR
• Note the differences in the username of each proxy

MyProxy Use
Gather information about the proxy in the MyProxy server
• If there is no local proxy in your UI, it is not possible to authenticate to the MyProxy server
• In this case you need to get a delegated proxy from the MyProxy server or create a local proxy with voms-proxy-init

MyProxy Use
Get a delegated proxy from the MyProxy server
• It allows you to get a proxy from the MyProxy server
• Destroy the proxy on the local machine and verify it doesn't exist anymore:
  voms-proxy-destroy
  voms-proxy-info
  couldn't find a valid proxy

MyProxy Use
Get a delegated proxy from the MyProxy server
• Now in your UI (virtual or real), there is no local proxy.
• To get a proxy from the MyProxy server:
  myproxy-get-delegation -s grid001.ct.infn.it

MyProxy Use
Get a delegated proxy from the MyProxy server
• With the -d option:
  myproxy-get-delegation -s grid001.ct.infn.it -d
• Verify now that the user has a local proxy:
  voms-proxy-info

MyProxy Use
Destroy remote proxy
• You can destroy your remote proxy:
  myproxy-destroy -s grid001.ct.infn.it
• Check your remote proxy:
  myproxy-info -s grid001.ct.infn.it

MyProxy Use
Destroy remote proxy
• Destroy your remote proxy with -d:
  myproxy-destroy -s grid001.ct.infn.it -d
• Check your remote proxy with -d:
  myproxy-info -s grid001.ct.infn.it -d

MyProxy Use
Destroy remote proxy
• Destroy your remote proxy with -l:
  myproxy-destroy -s grid001.ct.infn.it -l GILDA_TUTOR
• Check your remote proxy with -l:
  myproxy-info -s grid001.ct.infn.it -l GILDA_TUTOR