1 / 26

Accounts on Grids

Accounts on Grids. setting up accounts across multiple sites is complex once done things should be automatic However, can take several days to get done To ‘get on’ you need to: Get an account on one or more of the machines Set it up (e.g. ENV)

yered
Download Presentation

Accounts on Grids

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Accounts on Grids • setting up accounts across multiple sites is complex • once done things should be automatic • However, can take several days to get done • To ‘get on’ you need to: • Get an account on one or more of the machines • Set it up (e.g. ENV) • Often a prepared script provided by site mgr is used. • To use it as a grid, you need to set up grid certificate: • Find your grid libraries • run certificate init (grid-cert-request) codes • get cert approved • propagate certificate info to each machine • Identify your Distinguised Name (DN) • Get DN installed in ‘grid mapfile’ • place where user names are mapped to cert DN

  2. Globus Security: the Grid Security Infrastructure (GSI) • http://www.globus.org/security • Public key encryption for single sign-on • PEM: Public Encryption Method • X.509 certificates for credentials • Secure Sockets Layer (SLL) communication protocol for message security • Standard: most sites conform to • Generic Security Service API (GSS-API) of the Internet Engineering Task Force (IETF) • Certificate Authority (CA) blesses process

  3. GSI: Some Terms(http://www.dcoce.ox.ac.uk/glossary) • IETF: Internet Engineering Task Force • PKIPublic Key Infrastructure: • IETF definition: "The set of hardware, software, people, policies and procedures needed to create, manage, store, distribute, and revoke PKCs based on public-key cryptography". • OpenSSL provides an Open Source implementation. . • OpenSSL Project: • Collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. • PKCPublic Key Certificate: • IETF definition: "A data structure containing the public key of an end-entity and some other information, which is digitally signed with the private key of the CA which issued it.“

  4. GSI: Some Terms(from http://www.dcoce.ox.ac.uk/glossary) • CA: Certification Authority: • An agency or organization that is able to publish and give out digital certificates • IETF definition: "An authority trusted by one or more users to create and assign public key certificates. Optionally the CA may create the user's keys. It is important to note that the CA is responsible for the public key certificates during their whole lifetime (what includes renewal, revocation, etc.), not just for issuing them.“ • DN:Distinguished Name • X.509 certificates; always contained within the 'subject' field of a digital certificate. The distinguished name should be unique within all certificates issued by a certification authority. A distinguished name might look like this: C=UK, O=eScience, OU=Authority, CN=CA. The attributes (e.g. C (Country), O (Organisation), OU (Organisational Unit), CN (Common Name), etc.) all combine to form the DN • X.509: • Recommendation X.509 specifies the authentication service for X.500 directories, as well as the widely adopted X.509 certificate syntax. The initial version of X.509 was published in 1988, version 2 was published in 1993, and version 3 was proposed in 1994 and considered for approval in 1995. Version 3 addresses some of the security concerns and limited flexibility that were issues in versions 1 and 2.

  5. SSL designed to secure data exchanges between two applications originally between Web server -> browser. protocol is widely used and is compatible with most Web browsers. At network level, SSL protocol is inserted between TCP/IP and HTTP layers SSL has been designed mainly to work with HTTP. SSL uses a public key encryption method technique based on a pair of asymmetric keys for encryption and decryption: a public key and a private key. The private key is used to encrypt data. sender (e.g. web site) does not give it to anyone Public Key used to decrypt the information and is sent to the receivers (Web browsers) through a certificate. When using SSL with the Internet, certificate delivered through a certification authority, such as Verisign Web site pays CA to deliver a certificate - guaranties the server authentication and contains the public key allowing to exchange data in a secured mode. Security: SSL Secure Socket Layer (Image courtesy www.4d.fr)

  6. Globus GSI: Public Key Cryptography • PKI relies not on a single key (a password or a secret "code"), but on two keys. • Asymmetric encryption • keys are numbers that are mathematically related in such a way that if either key is used to encrypt a message, the other key must be used to decrypt it. • How it works: • Entity (owner) has two keys -a public and a private key • Data encrypted with one key can only be decrypted with other. • The private key is known only to the entity • The public key is given to the world encapsulated in a X.509 certificate • Important: • It is critical that private keys be kept private! Anyone who knows the private key can easily impersonate the owner.

  7. GSI: Certificates • Every user and service on the Grid is identified via a certificate, • contains information vital to identifying and authenticating user or service. • Certificates are public • GSI certificates are encoded in the X.509 certificate format and includes four primary pieces of information: • Subject name, identifies the person or object that the certificate represents. • Public Key belonging to the subject. • Identity of a Certificate Authority (CA) that has signed the certificate to certify that the public key and the identity both belong to the subject. • Digital Signature of the named CA. • The CA used to certify link between public key and subject in certificate • This is done when you get your certificate • To trust the certificate and its contents, the CA's certificate must be trusted. • The link between the CA and its certificate must be established via some non-cryptographic means, or else the system is not trustworthy.

  8. GSI: How Digital Signatures Work • Using public key cryptography, it is possible to digitally "sign" a piece of information. • Signing information essentially means assuring a recipient of the information that the information hasn't been tampered with since it left your hands. • Entity A digitally signs a piece of information: • Computes a mathematical Hash (H1) of the information • Encrypt this has using Entity A’s private key (encr-H1) • Attach hash encr-H1 to the original message • Make sure that the Recipient has Entity A’s public key. • Make sure Recipient knows algorithm • Recipient must verify that the signed message is authentic: • Compute new hash (H2) of original message using the same hashing algorithm used by Entity A • Using the CA digital signature in entity A’s public certificate, recipient decrypts hash encr-H1 that Entity A attached to the message (hash H3) • IF H3 == H2 • Proves that entity A signed the message and that the message has not been changed since you signed it.

  9. GSI: Mutual Authentication • Grid services work based on mutual authentication • If two parties have certificates, and if both parties trust the CAs that signed each other's certificates, then the two parties can prove to each other that they are who they say they are. • Before mutual authentication can occur, • parties involved must first trust the CAs that signed each other's certificates. • they must have copies of the CAs' certificates--which contain the CAs' public key • they must trust that these certificates really belong to the CAs. • This is often a very manual process and one of the bottlenecks in setting up a grid: • Site admins (system, security, project, etc)

  10. GSI: Mutual Authentication • A connects to B and A gives B its certificate (identity, public key, signing CA) • B will first make sure that the certificate is valid • checking the CA's digital signature, check that the certificate hasn't been tampered with. • B must make sure that A really is the person identified in the certificate. • B generates a random message and sends it to A, asking A to encrypt it. • A encrypts the message using private key, and sends it back to B. • B decrypts the message using A's public key. • If this results in the original random message, B knows that A is who he says he is. • Now B trusts A's identity, the same operation must happen in reverse. • B sends A a certificate • A validates the certificate and sends a challenge message to be encrypted. • B encrypts message, sends back to A, A decrypts it and compares it with the original. • If it matches, then A knows that B is who she says she is. • A and B have established a connection to each other and are certain that they know each others' identities.

  11. GSI: Securing Private Keys • The core GSI software provided by the Globus Toolkit expects the user's private key to be stored in a file in the local computer's storage. • To prevent other users of the computer from stealing the private key, the file that contains the key is encrypted via a password (also known as a passphrase). • To use the GSI, the user must enter the passphrase required to decrypt the file containing their private key. • We have also prototyped the use of cryptographic smartcards in conjunction with the GSI. • This allows users to store their private key on a smartcard rather than in a filesystem, making it still more difficult for others to gain access to the key.

  12. GSI: Delegation and Single Sign-On • The GSI provides a delegation capability: an extension of the standard SSL protocol which reduces the number of times the user must enter his passphrase. If a Grid computation requires that several Grid resources be used (each requiring mutual authentication), or if there is a need to have agents (local or remote) requesting services on behalf of a user, the need to re-enter the user's passphrase can be avoided by creating a proxy. • A proxy consists of a new certificate (with a new public key in it) and a new private key. The new certificate contains the owner's identity, modified slightly to indicate that it is a proxy. The new certificate is signed by the owner, rather than a CA. (See diagram below.) The certificate also includes a time notation after which the proxy should no longer be accepted by others. Proxies have limited lifetimes. • The proxy's private key must be kept secure, but because the proxy isn't valid for very long, it doesn't have to kept quite as secure as the owner's private key. It is thus possible to store the proxy's private key in a local storage system without being encrypted, as long as the permissions on the file prevent anyone else from looking at them easily. Once a proxy is created and stored, the user can use the proxy certificate and private key for mutual authentication without entering a password. • When proxies are used, the mutual authentication process differs slightly. The remote party receives not only the proxy's certificate (signed by the owner), but also the owner's certificate. During mutual authentication, the owner's public key (obtained from her certificate) is used to validate the signature on the proxy certificate. The CA's public key is then used to validate the signature on the owner's certificate. This establishes a chain of trust from the CA to the proxy through the owner. • Note that the GSI and software based on it (notably the Globus Toolkit, GSI-SSH, and GridFTP) is currently the only software which supports the delegation extensions to TLS (a.k.a. SSL). The Globus Project is actively working with the Grid Forum and the IETF to establish proxies as a standard extension to TLS so that GSI proxies may be used with other TLS software.

  13. GSI: Securing Private Keys • You get a cert by running grid-cert-request • GSI expects the user's private key to be stored in a file in the local user filespace • Directory only readable by owner • file that contains the key is encrypted via a password (also known as a passphrase). • To use GSI, user must enter the passphrase required to decrypt the file containing their private key.

  14. grid-cert-request [-help] [ options ...] Example Usage: Creating a user certifcate: grid-cert-request Creating a host or gatekeeper certifcate: grid-cert-request -host [my.host.fqdn] Creating a LDAP server certificate: grid-cert-request -service ldap -host [my.host.fqdn] Options: -version : Display version -?, -h, -help, : Display usage -usage -cn <name>, : Common name of the user -commonname <name> -service <service> : Create certificate for a service. Requires the -host option and implies that the generated key will not be password protected (ie implies -nopw). -host <FQDN> : Create certificate for a host named <FQDN> -dir <dir_name> : Changes the directory the private key and certificate request will be placed in. By default user certificates are placed in /home/mthomas/.globus, host certificates are placed in /etc/grid-security and service certificates are place in /etc/grid-security/<service>. -prefix <prefix> : Causes the generated files to be named <prefix>cert.pem, <prefix>key.pem and <prefix>cert_request.pem -nopw, : Create certificate without a passwd -nodes, -nopassphrase, -verbose : Don't clear the screen -int[eractive] : Prompt user for each component of the DN -force : Overwrites preexisting certifictes -ca : Will ask which CA is to be used (interactive) -ca <hash> : Will use the CA with hash value <hash> Using GSI: grid-cert-request –h displays all options

  15. grid-cert-request –ca(lists CA’s recognized by host) [mthomas@buda ~]$ /usr/local/globus/globus-3.0.2/bin/grid-cert-request -verbose -ca nondefaultca=true The available CA configurations installed on this host are: 1) 1c3f2ca8 - /DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1 2) 42864e48 - /C=US/O=Globus/CN=Globus Certification Authority 3) 5fb2fc80 - /O=Louisiana State University/OU=CCT/OU=ca.cct.lsu.edu/CN=CCT CA 4) 6349a761 - /O=DOE Science Grid/OU=Certificate Authorities/CN=Certificate Manager 5) 860e3429 - /C=US/ST=Virginia/L=Charlottesville/O=University of Virginia/Email=pkimaster@virginia .edu/CN=UVA Standard Assurance SKP 1 6) 9a1da9f9 - /C=US/O=UTAustin/OU=TACC/CN=TACC Certification Authority/0.9.2342.19200300.100.1.1=ca man 7) 9d8753eb - /DC=net/DC=es/OU=Certificate Authorities/OU=DOE Science Grid/CN=pki1 8) ad478c3d - /C=US/ST=Virginia/L=Charlottesville/O=NMI Testbed Grid/OU=Bridge CA/CN=BridgeCA 9) c4d34612 - /C=US/ST=Alabama/L=Birmingham/O=University of Alabama at Birmingham/OU=UABGrid/CN=UAB GridCA 10) cd88b13f - /O=Grid/OU=Texas Tech HPCC/OU=onera/CN=Globus Simple CA 11) d1b603c3 - /DC=net/DC=ES/O=ESnet/OU=Certificate Authorities/CN=ESnet Root CA 1 Enter the index number of the CA you want to sign your cert request:

  16. Requesting a Certificate • To request a certificate a user starts by generating a key pair • The private key is stored encrypted with a pass phrase the user gives • The public key is put into a certificate request Private Key Encrypted On local disk Certificate Request Public Key

  17. Name Issuer Public Key Signature Certificate Issuance Certificate Request Public Key Certificate Authority • The user then takes the certificate to the CA • The CA usually includes a Registration Authority (RA) which verifies the request: • name unique with respect to the CA • It is real name of the user (often by phone, etc.) • The CA then signs the certificate request and issues a certificate for the user Sign (image courtesty R. Buyya)

  18. Creating a Cert: “Simple” steps • Get account on host • e.g. buda.tacc.utexas.edu • Run grid-cert-request • ~/.globus directory created with PEM files • Email contents from usercert_request.pem file to CA of choice – ca@tacc.utexas.edu • CA emails back to you your signed and encrypted public key file (usercert.pem) • Place in ~/.globus on machines you want to do grid jobs on

  19. [mthomas@buda ~]$ /usr/local/globus/globus-3.0.2/bin/grid-cert-request A certificate request and private key is being created. You will be asked to enter a PEM pass phrase. This pass phrase is akin to your account password, and is used to protect your key file. If you forget your pass phrase, you will need to obtain a new certificate. Using configuration from /etc/grid-security/globus-user-ssl.conf Generating a 1024 bit RSA private key ........................++++++ .......++++++ writing new private key to '/home/mthomas/.globus/userkey.pem' Enter PEM pass phrase: Verifying password - Enter PEM pass phrase: ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. - Level 0 Organization [Grid]:Level 1 Organization [Globus]:Level 0 Organizational Unit [tacc.utexas.edu]:Name (e.g., John M. Smith) []: A private key and a certificate request has been generatedm with the subject: /O=Grid/O=Globus/OU=tacc.utexas.edu/CN=Mary Thomas If the CN=Mary Thomas is not appropriate, rerun this script with the -force -cn "Common Name" options. Your private key is stored in /home/mthomas/.globus/userkey.pem Your request is stored in /home/mthomas/.globus/usercert_request.pem Please e-mail the request to the Globus CA ca@globus.org You may use a command similar to the following: cat /home/mthomas/.globus/usercert_request.pem | mail ca@globus.org Only use the above if this machine can send AND receive e-mail. if not, please mail using some other method. Your certificate will be mailed to you within two working days. If you receive no response, contact Globus CA at ca@globus.org Creating the Certificate:output from grid-cert-request

  20. Distinguished Names (DN) • Globally unique identifier that represents you individually • /O=Grid/O=Globus/OU=tacc.utexas.edu/CN=Mary Thomas • Mapfiles: map user login/account to DN’s • E.g. on on Texas systems, username is mthomas, so mapfile looks like:

  21. Creating the Certificate:files created by grid-cert-request [mthomas@buda ~/.globus]$ pwd /home/mthomas/.globus [mthomas@buda ~/.globus]$ls -al total 16 drwxr-xr-x 2 mthomas G-1130 4096 Jan 29 23:41 . drwx------ 5 mthomas G-1130 4096 Jan 29 23:40 .. -rw-r--r-- 1 mthomas G-1130 0 Jan 29 23:40 usercert.pem -rw-r--r-- 1 mthomas G-1130 1274 Jan 29 23:41 usercert_request.pem -r-------- 1 mthomas G-1130 963 Jan 29 23:41 userkey.pem [mthomas@buda ~/.globus]$

  22. This is a Certificate Request file: It should be mailed to ca@globus.org ============================================== Certificate Subject: /O=Grid/O=Globus/OU=tacc.utexas.edu/CN=Mary Thomas The above string is known as your user certificate subject, and it uniquely identifies this user. To install this user certificate, please save this e-mail message into the following file. /home/mthomas/.globus/usercert.pem You need not edit this message in any way. Simply save this e-mail message to the file. If you have any questions about the certificate contact the Globus CA at ca@globus.org -----BEGIN CERTIFICATE REQUEST----- BgNVBAsTD3RhY2MudXRleGFzLmVkdTEUMBIGA1UEAxMLTWFyeSBUaG9tYXMwgZ8w DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJvOvU8PsbH4qIkaYaJkmGewcA/kC1Bx 8yBahG8Uab1B5z2GR0xWIGv+IWoyp+04/+X2071CLpebOX0A+/39foxzE+z7aXjI Fm14WL22Yn/K3uIGNSRwJoWOu+cENrNrrl2JfIQqEIiVG5dWyT+VMkX/wx9C69X3 84iy0cq1So5VAgMBAAGgADANBgkqhkiG9w0BAQQFAAOBgQAE5qYwJVlFe2yQDgmu /b0ICwjxJ77kNiNZRvcIfo23N4eXMi0s3YWvWAI6/nd2cgsJyfDOErUhXRteLjFS pLSyr7njgfs2Jm26u4248P8LJbN6dAVN4JGFdoWAKPNYXbL7v30MQF8G93obvSB+ r3JacgAqczOM1vQci3HBnStX3Q== -----END CERTIFICATE REQUEST----- [mthomas@buda ~/.globus]$ Contents of usercert_request.pem File

  23. qe2 (17) % cat usercert.pem Certificate: Data: Version: 3 (0x2) Serial Number: 503 (0x1f7) Signature Algorithm: md5WithRSAEncryption Issuer: C=US, O=SDSC, OU=SDSC-CA, CN=Certificate Authority/UID=certman Validity Not Before: Jan 30 03:23:05 2005 GMT Not After : Jan 30 03:23:05 2009 GMT Subject: C=US, O=SDSC, OU=SDSC, CN=Mary Thomas/UID=mthomas Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (2048 bit) Modulus (2048 bit): 00:ba:1d:62:9c:07:ce:24:28:72:87:17:2b:9d:c9: ed:9a:d5:89:b9:2e:83:4f:9c:50:8a:57:cd:31:36: 6b:5e:9b:ce:80:a9:71:0d:79:26:d6:ca:7a:37:8b: 23:d9:39:39:1e:97:ab:62:53:cc:d3:cb:a3:99:41: 2c:9e:fc:33:83:84:ca:15:fa:05:5b:06:f7:68:4d: c0:13:1b:89:ee:32:b3:9d:11:7a:7a:50:c2:cd:d4: d3:2a:9b:ae:40:10:18:61:72:98:4d:fd:6b:0d:ea: b5:8e:c1:d5:77:2e:a1:f2:5e:57:aa:81:e6:aa:c9: eb:f5:26:d8:67:1a:6d:00:99:e4:6d:82:b5:f9:47: 02:cf:e9:6c:b6:cb:30:96:c6:b0:a9:7c:33:f2:6f: 91:f4:e4:5a:3f:b1:9e:3d:7b:7c:4f:72:ad:89:72: 84:2a:0b:1b:a8:b0:c3:4e:50:e4:42:fc:7f:4d:c2: 89:07:ed:72:6d:fb:ad:68:c5:9a:29:3f:9c:27:af: 3d:c7:ba:d5:62:63:f5:a3:36:6e:82:41:4d:d3:d2: 49:11:0a:9c:05:57:38:1f:f7:7d:ea:8f:0e:cd:e9: 51:09:be:49:b8:ef:02:86:c8:6c:3b:e9:d5:52:a6: 06:44:b1:02:39:7d:62:67:ce:9f:9e:ae:8b:3b:be: 1e:91 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Cert Type: SSL Client, S/MIME, Object Signing Netscape Comment: OpenSSL Generated Certificate Netscape CA Revocation Url: http://www.sdsc.edu/CA/SDSC_CRL.pem X509v3 Subject Key Identifier: 26:45:B2:53:39:11:AE:E7:9E:8F:24:72:D8:77:48:7D:EA:54:55:E0 X509v3 Authority Key Identifier: keyid:BF:A3:87:2C:F6:0D:74:BD:48:6C:0E:27:BF:01:E4:F2:4F:46:BA:27 DirName:/C=US/O=SDSC/OU=SDSC-CA/CN=Certificate Authority/UID=certman serial:00 Signature Algorithm: md5WithRSAEncryption 7e:51:45:34:c8:41:2d:54:c4:03:5e:c9:2f:da:7f:c5:32:9a: 4c:0c:d3:e4:d3:d9:a1:df:60:27:5b:2e:7f:dc:6e:39:16:5c: 73:7a:76:0e:83:5a:c4:ab:97:c5:80:80:41:eb:25:05:6c:51: 95:82:72:4d:1a:73:0b:83:c5:76:dd:b2:97:5e:19:aa:2a:df: b4:ab:4b:c5:eb:e5:c2:cd:43:e6:40:a4:06:8d:66:b4:a3:3f: 4f:20:d7:dc:5b:09:70:e4:19:2e:09:6f:88:dd:00:7e:49:ba: d3:ff:d6:dd:a5:40:00:27:0f:11:4f:2f:2b:c3:98:96:86:42: 2c:c1:b8:b4:e6:dc:dd:b0:9c:c6:b2:6d:09:e3:87:1f:85:e2: cc:12:f2:04:ac:3c:b4:98:00:bc:31:e7:d3:36:dc:eb:0f:60: 2c:6a:c5:67:46:07:4c:c6:00:7a:de:71:b9:d8:ca:e9:de:86: 52:9b:76:98:7a:26:8a:55:20:5b:7d:2e:4a:f0:01:e1:78:49: 48:1f:56:3e:6f:78:7c:7b:e3:5c:c1:b1:03:7a:59:66:7f:fb: 26:98:c1:a1:fe:f7:aa:fc:06:96:67:19:b8:b9:57:70:cb:74: 18:cc:fe:95:b5:2e:a0:df:93:57:47:46:88:18:86:91:ea:d2: 2a:9e:8d:76 -----BEGIN CERTIFICATE----- MIIEdjCCA16gAwIBAgICAfcwDQYJKoZIhvcNAQEEBQAwZzELMAkGA1UEBhMCVVMx DTALBgNVBAoTBFNEU0MxEDAOBgNVBAsTB1NEU0MtQ0ExHjAcBgNVBAMTFUNlcnRp ZmljYXRlIEF1dGhvcml0eTEXMBUGCgmSJomT8ixkAQETB2NlcnRtYW4wHhcNMDUw MTMwMDMyMzA1WhcNMDkwMTMwMDMyMzA1WjBaMQswCQYDVQQGEwJVUzENMAsGA1UE ChMEU0RTQzENMAsGA1UECxMEU0RTQzEUMBIGA1UEAxMLTWFyeSBUaG9tYXMxFzAV BgoJkiaJk/IsZAEBEwdtdGhvbWFzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB CgKCAQEAuh1inAfOJChyhxcrncntmtWJuS6DT5xQilfNMTZrXpvOgKlxDXkm1sp6 N4sj2Tk5HperYlPM08ujmUEsnvwzg4TKFfoFWwb3aE3AExuJ7jKznRF6elDCzdTT KpuuQBAYYXKYTf1rDeq1jsHVdy6h8l5XqoHmqsnr9SbYZxptAJnkbYK1+UcCz+ls tsswlsawqXwz8m+R9ORaP7GePXt8T3KtiXKEKgsbqLDDTlDkQvx/TcKJB+1ybfut aMWaKT+cJ689x7rVYmP1ozZugkFN09JJEQqcBVc4H/d96o8OzelRCb5JuO8Chshs O+nVUqYGRLECOX1iZ86fnq6LO74ekQIDAQABo4IBNzCCATMwCQYDVR0TBAIwADAR BglghkgBhvhCAQEEBAMCBLAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJh dGVkIENlcnRpZmljYXRlMDIGCWCGSAGG+EIBBAQlFiNodHRwOi8vd3d3LnNkc2Mu ZWR1L0NBL1NEU0NfQ1JMLnBlbTAdBgNVHQ4EFgQUJkWyUzkRrueejyRy2HdIfepU VeAwgZEGA1UdIwSBiTCBhoAUv6OHLPYNdL1IbA4nvwHk8k9Guieha6RpMGcxCzAJ BgNVBAYTAlVTMQ0wCwYDVQQKEwRTRFNDMRAwDgYDVQQLEwdTRFNDLUNBMR4wHAYD VQQDExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxFzAVBgoJkiaJk/IsZAEBEwdjZXJ0 bWFuggEAMA0GCSqGSIb3DQEBBAUAA4IBAQB+UUU0yEEtVMQDXskv2n/FMppMDNPk 09mh32AnWy5/3G45FlxzenYOg1rEq5fFgIBB6yUFbFGVgnJNGnMLg8V23bKXXhmq Kt+0q0vF6+XCzUPmQKQGjWa0oz9PINfcWwlw5BkuCW+I3QB+SbrT/9bdpUAAJw8R Ty8rw5iWhkIswbi05tzdsJzGsm0J44cfheLMEvIErDy0mAC8MefTNtzrD2AsasVn RgdMxgB63nG52Mrp3oZSm3aYeiaKVSBbfS5K8AHheElIH1Y+b3h8e+NcwbEDellm f/smmMGh/veq/AaWZxm4uVdwy3QYzP6VtS6g35NXR0aIGIaR6tIqno12 -----END CERTIFICATE----- GSI Public Key Contents: usercert.pem

  24. GSI Private Key Contents: userkey.pem qe2 (15) % cat userkey.pem -----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: DES-EDE3-CBC,4B20B8150256AE62 rOYybs+Rq0XXzWJJqRYty7l/HUWR9W5e8ZkYYldoX97Fc5J+ztvxihC931SX6QHY 5nN3wb6jcCWG23aGN6IPiYkZGmgaAAgGrochrHQ78O2TRW88/RxIAlP3IqYgctEl a0AwC44z5X0fcItRwuEozbiaOSc/RJhIsYkUu66nfXTWJZjLk0Kh42s1y+qzN+2g zGpCA46/9w6fBWrXOo0RI0DUQciVJ0jbnlKyaOJjVclgFDguwRxAd73fS90BAqTC t01NbJbr9wvAfcdg8lrObUpNOhXIv77MT5I4um+479m4So1GxXsgaaHVVo7Y1TX5 If5WtRN5HOH0oVgfKBOZmEbpz1Uwy1hj3cXMrJMCtgOZlBWzcKK/rugkurPM8jpu OqNV+1fK4LfVu8okvUcZa2iNGmH8xEXv8GG+y9d84Ciw8eViM1LROKlBFsKHUl9k jd6QScfFEutx7qqfWOGWlK9WZgJEtEKZxx8Ydv9zzOrYvo0twxlteP6Dn5R3gwrp hSjY6Fw7GKiqoBwmMA8/rZMU/BES/a57luHyiEpzro4xPqrsGyoGBgliXAorSsOi frHz5h1esRaXKtpeNos5DimWQ3dPz5cjLAtgKEPUYTe591aLLqDURi/hUZAzhSfG jCZnc9mOE7zIY0fv0Vo057JH4SXk7YqRqvP5oZeyhVntGAOO82SgM0e+QTKTcs/N ag7ZItavpoF2HH8P3yC6X7P0KiyqGdS5Rz3BQixMsi9K9DuuwNj9mHee0dvCGvwy kKA0CLYiYI9lFVpvCL0oKGCxgBAqZnWGd7btE/iSdLT4QKbTED8gw10F9IjBCPNl uTlssNwmRLJrkpCS4tcGrfJCPSKwAgUo0Wv36ft0VKsUJcx+3Otgz3KFUufPxXEa F8vKWAwb3OKsoE4Ly9azAo9HlK0a/K+4u9cg/mKOHoxgjJ9FkntyB2rk272X2ZlQ 0a6s05JO0MoUt4mfXaAck4uQJbqIvZOyeu/ZwfovD1zYsN/yXUVFK7/3oSK7IlEm XbvX0XlZhJWp1CpM2p/J77cfh4Q+K88BmbQ5MjzNKduvKIYFeBd29AzbLfZOy0lv ECriCdOKa5jfGaoVSVKGvh2Nz6VuwUxBlJEU6zjx5/WLNMnXnsuF+K8r+KVL74+v a9kynmjNqvjgzwTuB8wZBHfh0bxFzh5IHn8saOhhaRgT+dJ7h+PjQN/kI43yjhVi cqmE7FDqL44gE4jnn5VJ/gqMRXHKnaNFnmaUBKbRTuIgi6yjJwUaDBA5XXHFOdgP 3uEl5FbKVZzRt5/P4OGYLVILFTZ0a3YBeHB9EhBj4cANa4E9mNxS7a5M07hs2Y87 v/i2bWNktllHyu6Z1wrsYSFswKiU0S4uGmN+rYUoIChrxYvH7msnu0sD0q947aFy +QMH1YbdtWmOMAZS4C0e8KS/ZZrIkSIksoLbuVzxN4iIUaNB++8+WiZuAl4wrYOi Ti4YUCVULfC1vlL1+iUlY4K3CoQe9lDUXtHaWRY3it7nJlw08gvPXMLRPvZm6Huu 9+vsyzhDHLnCE6nxoQBIbZptomy9k9Y41QMsPBJrMRgZQHSjNSyMUyQWf+JI2M8g -----END RSA PRIVATE KEY-----

  25. Certificate Operations • Certificate creation • Grid-cert-request • grid-change-pass-phrase • Certificate info & management • Grid-proxy-init • Grid-proxy-destroy • Grid-proxy-info Grid-cert-info • Grid-default-ca • Mapfiles: • grid-mapfile-add-entry • grid-mapfile-check-consistency • grid-mapfile-delete-entry • For more details see: • http://www-unix.globus.org/toolkit/docs/development/3.9.3/security/prewsaa/user/#commandline • Note: on the machine I was testing, not all commands were installed, not all worked.

More Related