Authentication in the NGS
1 / 32

Outline - PowerPoint PPT Presentation

  • Uploaded on

Authentication in the NGS John Kewley NGS Support Centre Manager STFC Daresbury Laboratory. Outline. What is the NGS? Growl: VDT installation + helper scripts Some other NGS Authentication projects. Diverse User Community. 25 member institutes

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Outline' - tal

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

Authentication in the NGSJohn Support Centre ManagerSTFC Daresbury Laboratory


  • What is the NGS?

  • Growl: VDT installation + helper scripts

  • Some other NGS Authentication projects


Diverse User Community

25 member institutes

33 heterogeneous resources

15,000 processing cores

> 75 applications

  • In the last 12 months

  • 4,629,127 CPU hrs used

  • 888,862 jobs ran

  • 2nd largest e-Science CA

  • 22,121 certificates issued

  • 4,911 active currently

Ngs gsi

The NGS uses GSI for its Authentication

To support this we have:

* UK e-Science CA (IGTF accredited, offline)

* RA network across UK academia (61 RAs with 112 RA Operators)

* 2 MyProxy servers

Ngs gsi1

To support ancillary services mentioned later in this talk we also have

* VOMS server

* Training CA (for short-lived training certificates)

* Test CA (for RA Training)

* 2x SLCS online CAs (SSO and SARoNGS)

3 barriers
3 Barriers

Three main barriers that newcomers find when using the Grid for the first time:

  • Setting up the client-side middleware

  • Handling of certificates

  • [Job submission in the presence of firewalls]

Installing growl scripts
Installing Growl Scripts

  • Download GROWL Scripts

    $ cd

    $ # possibly tell wget about http_proxy

    $ # export http_proxy=

    $ wget

  • Unpack into home directory

    $ tar -zxvf GrowlScripts.tar.gz

  • "Build" VDT client

    $ cd Growl

    $ make

Growl scripts contents
GROWL Scripts: Contents

VDT client installation of globus, gsi-openSSH, VOMS and MyProxy

  • grid-proxy-init, grid-proxy-info

  • globus-job-submit, globus-job-run

  • gsissh, gsiscp, openssl

  • myproxy-init, myproxy-info, myproxy-logon

  • voms-proxy-init, voms-proxy-info

    Certificate helper scripts

  • mk-cert

  • growl-info, growl-login, growl-logout

    GROWL wrapper scripts

  • growl-submit, growl-status, growl-get-output,

  • growl-sh, growl-cp, growl-mkdir, growl-rm,,

  • growl-pwd, growl-which, growl-get-jobmanager

  • growl-queue

Note: there is also a globus source build for non-VDT-supported platforms

3 barriers1
3 Barriers

Three main barriers that newcomers find when using the Grid for the first time:

  • Setting up the client-side middleware

  • Handling of certificates

  • [Job submission in the presence of firewalls]

How many passwords

Request Certificate

Request certificate PIN

[Confirm PIN]

Present PIN at photoID check

[Master Password if on FF]

Export Certificate

[Master Password if on FF]

Backup/export password (.p12)

Re-confirm backup/export password (.p12)

Setup .pem files

Unpack .p12 for userkey

Unpack.p12for usercert

Set .pem password

Confirm .pem password

MyProxy Setup

myproxy-init (.pem)

[set myproxy pwd]

[Confirm myproxy pwd]

Obtain Grid proxy

myproxy-logon (myproxy pwd)

How many passwords?

Credential conversion
Credential conversion

$ openssl -clcerts -nokeys -in JK.p12 -out userkey.pem

$ openssl -nocerts -in JK.p12 -out usercert.pem

$ openssl pkcs12 -clcerts -nokeys -in JK.p12 -out userkey.pem

$ openssl pkcs12 -nocerts -in JK.p12 -out usercert.pem

$ openssl pkcs12 -clcerts -nokeys -in JK.p12 -out usercert.pem

$ openssl pkcs12 -nocerts -in JK.p12 -out userkey.pem

$ chmod 444 usercert.pem

$ chmod 400 userkey.pem

Mk cert

$ openssl pkcs12 -clcerts \

-nokeys -in usercred.p12 \

-out usercert.pem


$ openssl pkcs12 -nocerts \

-in usercred.p12 \

-out userkey.pem



<Pass2> [confirm]

$ chmod 444 usercert.pem

$ chmod 400 userkey.pem

$ mv userkey.pem ~/.globus

$ mv usercert.pem ~/.globus

$ chmod 700 ~/.globus

$ mk-cert mykey.p12




Proxy helper scripts
Proxy helper scripts

  • growl-login wraps grid-proxy-init, myproxy-init and myproxy-logon

  • growl-logout wraps grid-proxy-destroy and myproxy-destroy

  • growl-info wraps grid-cert-info, myproxy-info and grid-proxy-infoandopenssl and can be used with certificates in several formats

Growl logon

Only does what is needed

Generates a local proxy (if there isn't a valid one there already)


  • -m : Uploads a credential to the myproxy server (but only if required)

  • -v myVO : proxies generated or uploaded will contain a VOMS Attribute Certificate for myVO (VDT only - not in source build yet)

  • -f : force generation / upload

  • -D : debugging information

Uses of growl login
Uses of growl-login

  • Generation of a proxy credential from a grid certificate (c.f. grid-proxy-init)

  • Uploading a proxy credential to a MyProxy server for use from other clients or portals (c.f. myproxy-init)

  • Retrieving a proxy credential without a grid certificate (c.f. myproxy-logon)

Use case 2







Use Case 2


$ myproxy-init

<Grid Pass Phrase>

<MyProxy Password>

<MyProxy Password>

$ myproxy-logon

<MyProxy Password>

$ myproxy-init -L

<Grid Pass Phrase>

<MyProxy Password>

<MyProxy Password>

$ growl-login -m

<Grid Pass Phrase>

<MyProxy Password>

Grid Resource



Growl info

  • Combines certificate info into one package

    • grid-cert-info

    • myproxy-info

    • grid-proxy-info

    • voms-proxy-info

  • Reports on only certs and credentials it finds

  • Issues warnings

  • Notes when other certs are present (but are not the ones that growl-login would use)

  • Can also be used with any certificate file to dispay its DN and validity and so can be used to check host, CA and VOMS-issuing certificate

Growl logout

  • Removes local proxy

  • With –m option will also remove MyProxy credential from MyProxy server.


  • Symmetry

    growl-login vs growl-logout

    c.f.myproxy-logon vs grid-proxy-destroy

  • Generally less passwords to type

  • Single command automagically "does the right thing™ "

    • Does nothing if no need

    • Utilises myproxy if credential present and valid

    • Uses existing local proxy if still valid

There are two types of grid user
There are two types of Grid User

  • Linux/Unix (command line?)

  • Windows (GUI?)


GSI-SSH terminal

NGS Authentication

Direct access


NGS Portal/



Certificate Wizard

Myproxy enabled gsisshd meg
MyProxy-enabled GSISSHD (MEG)

  • Permits any ssh client to access the Grid

  • User must previously have uploaded a myproxy credential

  • Users like username + password

  • Multiple myproxy servers are supported

  • Simultaneously supports GSI authentication with a proxy

  • drop-in replacement for gsisshd

Stfc sso

  • Credential conversion service for STFC employees to any grid resource requiring X509 access

  • Federal ID and password

  • MyProxy server acts as a CA and issues Short Lived Certification Service (SLCS) certificates on the fly

  • Integrated with MEG for STFC resources


  • Growl Scripts gives command-line users an easy way to install essential Grid middleware

  • The NGS provides different authentication tools for different users:

    • gsissh (using globus, VDT, Growl)

    • GSI-enabled SSHTERM

    • Certificate Wizard

    • Any ssh client (PuTTY, cygwin ssh) using MEG

    • STFC staff: MyProxySSO

    • UK academics: Shibboleth login via SARoNGS

Acknowledgements and refs
Acknowledgements and refs

Much of this work has been done by other STFC and NGS colleagues, too numerous to mention.