
Enabling Grids for E-sciencE




Grid Security Tutorial 2007
David Groep
NIKHEF




www.eu-egee.org


INFSO-RI-508833
                                                    Grid Security Tutorial



   • You and the Grid
        – organising collaborations in virtual organisations
        – trust and your identity
        – cryptography and signing
   • Getting access to resources
        – attribute-based authorization and VOMS
        – proxies, delegation, forwarding and renewal


   • How it works in practice: grid security commands
        –   getting your certificate
        –   the GSI protocol
        –   getting a voms-enabled proxy
        –   what happens on the server side

INFSO-RI-508833 Grid Security, Groningen Tutorial 2006
Virtual Organisations



    What is a Virtual Organisation?

    A set of individuals or organisations, not under single hierarchical
    control, (temporarily) joining forces to solve a particular problem at hand,
    bringing to the collaboration a subset of their resources, sharing those
    at their discretion and each under their own conditions.




graphic from: Anatomy of the Grid, Foster, Kesselman and Tuecke
VOs



   Typical VO examples
   • Each of the VL-e application sub programmes
   • Collaborations like the LHC experiments, or LOFAR, or …
   • testing/deployment groups like “pvier”
   • …

   • Users (you) are usually a member of more than one VO
   • Any “large” VO will have an internal structure,
     with groups, subgroups, and various roles




VOs and the infrastructure



   • The word “VO” is used in many different ways
   • The EGEE infrastructure and the VL-e PoC
     provide a “bus-like” interface for VOs,
     where VOs are essentially user communities




Trust relationships



    • For the VO model to work, parties need to (minimally)
      trust each other in their VO interactions
         – the alternative would be that every user would have to register at
           each and every resource provider…


    [Figure: two organisational domains, Domain A (Sub-Domain A1) and Domain B
     (Sub-Domain B1), each with its own Org. Certification Authority and Policy
     Authority; Server X in A and Server Y in B carry out a shared Task inside a
     Virtual Organization Domain, linked through an AuthZ Service, Federation and
     GSI, with the two Certification Authorities federated.]

graphic from: Frank Siebenlist, Argonne Natl. Lab, Globus Alliance
VO federation needs



    • Trust establishment within the VO is separated in:
         – user identity (the user's passport)
         – group and roles within the VO (visa)
           as these are different from a person's organisational role




graphic: OGSA Architecture 1.0, OGF GFD-I.030
User Identity


   • Users and resources are typically part of more than one VO,
   • but don't want many passwords

   • Users and resources get a single authentication token
     (identity certificate)
        –   that works across virtual organisations
        –   issued by a party trusted by all ("CA"),
        –   recognised by many resource providers, users, and VOs
        –   satisfies the traceability and persistency requirements
        –   in itself does not grant any access, but provides
            a unique binding between an identifier and the subject

   • This is called your (identity) certificate
   • It is a cryptographically protected statement by the CA
   • that you can use to prove your identity
     in combination with a private key and its passphrase


Digital signatures at work


    • Paul calculates the hash of the message
    • Paul encrypts the hash using his private key:
      the encrypted hash is the digital signature
      (the textbook RSA picture; real signature schemes pad the hash
      before the private-key operation)
    • Paul sends the signed message to John.

    • John calculates the hash of the message and compares it
      with Hash(A), deciphered with Paul's public key.
    • If the hashes are equal: the message wasn't modified;
      Paul cannot repudiate it.

    [Figure: Paul, with his public/private key pair, computes Hash(A) of
     "This is some message" and sends the message together with the Digital
     Signature; John recomputes Hash(B) from the received message and checks
     Hash(B) =? Hash(A).]



slide from EGEE NA3 Tutorial repository
Trusting the signature



    • Paul's digital signature is safe if:
         1.   Paul's private key is not compromised
         2.   John knows Paul's public key
    • How can John be sure that Paul's public key is really
      Paul's public key and not someone else's?
         – A third party guarantees the correspondence between public key
           and owner's identity.
         – Both Paul and John must trust this third party




slide from EGEE NA3 Tutorial repository
X.509 Certificates


    • Authentication (proving your identity to another party) works the same way
    • in that case the CA has signed a message that contains identifiers
    • which is done in a specific standard format: X.509

   • An X.509 Certificate contains:
         – owner's public key;
         – identity of the owner;
         – info on the CA;
         – time of validity;
         – serial number;
         – digital signature of the CA

     Example certificate shown on the slide:
         Public key
         Subject: C=CH, O=CERN, OU=GRID, CN=Andrea Sciaba 8968
         Issuer: C=CH, O=CERN, OU=GRID, CN=CERN CA
         Expiration date: Aug 26 08:08:14 2005 GMT
         Serial number: 625 (0x271)
         CA Digital signature
slide from EGEE NA3 Tutorial repository
Public Key Infrastructures




       Based on X.509 PKI:
   •    every user/host/service has an X.509 certificate;
   •    certificates are signed by trusted (by the local sites) CAs;
   •    every Grid transaction is mutually authenticated
        (the steps below are then repeated with the roles swapped):
          1. John sends his certificate;
          2. Paul verifies the signature in John's certificate
             (VERY IMPORTANT: verify the CA signature);
          3. Paul sends John a challenge string (a random phrase);
          4. John encrypts the challenge string with his private key;
          5. John sends the encrypted challenge to Paul;
          6. Paul uses John's public key to decrypt the challenge;
          7. Paul compares the decrypted string with the original challenge;
          8. If they match, Paul has verified John's identity and John
             cannot repudiate it.

       Private keys must be stored only in protected places AND in encrypted form.

    [Figure: John sends John's certificate to Paul; Paul returns a random phrase;
     John encrypts it with J.'s private key and returns the encrypted phrase;
     Paul decrypts it with J.'s public key and compares with the original phrase.]



slide from EGEE NA3 Tutorial repository
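The two slides above ("Digital signatures at work" and the challenge-response steps of "Public Key Infrastructures") come down to one operation: hash the data, sign the hash with a private key, check it with the matching public key. The script below is an added example written for this page, not code from the EGEE tutorial material or from the Globus tools; John's key pair, the message text, the SHA-256 digest and the working directory are assumptions. It signs a message and verifies it, shows that the signature is literally a signature over the hash, shows that a changed message fails, and runs the PKI slide's challenge-response with a fresh random phrase, including why an old answer cannot be replayed.

```shell
#!/bin/sh
# Added example (not from the tutorial): sign/verify and challenge-response
# with openssl. The key owner "john", the message and the directory are
# assumptions of this example.
set -eu

# John's key pair: the private key stays with John; the public key is what
# a CA would put into his certificate.
make_keys() {  # $1 = working directory
  openssl genrsa -out "$1/john.key" 2048 2>/dev/null
  openssl rsa -in "$1/john.key" -pubout -out "$1/john.pub" 2>/dev/null
}

# Sign: hash the file with SHA-256 and sign the hash with the private key
# (the slide's "encrypt the hash with the private key": RSA PKCS#1 v1.5).
sign_file() {  # $1 = workdir, $2 = file to sign, $3 = signature output
  openssl dgst -sha256 -sign "$1/john.key" -out "$3" "$2"
}

# Verify: recompute the hash and check it against the signature using only
# the public key. Prints OK when the file is unchanged, FAIL otherwise.
verify_file() {  # $1 = workdir, $2 = file, $3 = signature
  if openssl dgst -sha256 -verify "$1/john.pub" -signature "$3" "$2" >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}

# The signature really is the signed hash: signing the raw 32-byte digest
# with pkeyutl (same PKCS#1 v1.5 DigestInfo wrapping) gives the same bytes.
# Prints yes or no.
signature_is_signed_hash() {  # $1 = workdir, $2 = file, $3 = signature
  openssl dgst -sha256 -binary -out "$1/hash.bin" "$2"
  openssl pkeyutl -sign -inkey "$1/john.key" -in "$1/hash.bin" \
    -pkeyopt digest:sha256 -out "$1/hash.sig"
  if cmp -s "$3" "$1/hash.sig"; then echo yes; else echo no; fi
}

# Challenge-response from the PKI slide: the verifier picks a fresh random
# phrase, John signs it, the verifier checks it with John's public key.
# Because the phrase is new each time, a signature captured earlier (here:
# the one over the previous challenge) does not verify against the new one.
# Prints "<fresh result> <replay result>"; expected "OK FAIL".
challenge_response() {  # $1 = workdir
  openssl rand -hex 32 > "$1/challenge1.txt"
  sign_file "$1" "$1/challenge1.txt" "$1/challenge1.sig"
  openssl rand -hex 32 > "$1/challenge2.txt"
  sign_file "$1" "$1/challenge2.txt" "$1/challenge2.sig"
  fresh=$(verify_file "$1" "$1/challenge2.txt" "$1/challenge2.sig")
  replay=$(verify_file "$1" "$1/challenge2.txt" "$1/challenge1.sig")
  echo "$fresh $replay"
}

case "${1:-}" in
  run)
    W=$(mktemp -d)
    make_keys "$W"
    printf 'This is some message\n' > "$W/msg.txt"    # constructed sample message
    sign_file "$W" "$W/msg.txt" "$W/msg.sig"
    echo "unchanged message: $(verify_file "$W" "$W/msg.txt" "$W/msg.sig")"
    echo "signed hash equal: $(signature_is_signed_hash "$W" "$W/msg.txt" "$W/msg.sig")"
    printf 'This is some message.\n' > "$W/msg2.txt"  # one byte appended
    echo "modified message:  $(verify_file "$W" "$W/msg2.txt" "$W/msg.sig")"
    echo "challenge/replay:  $(challenge_response "$W")"
    ;;
esac
```

Run it as sh sign-verify.sh run. The point of the replay check is the one the slide's step 3 relies on: the challenge must be chosen by the verifier and be fresh, otherwise a recorded answer would authenticate whoever replays it.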
Trusted third parties



   • All research grid infrastructures share
     the same base set of trusted third parties ('CAs')
   • There is typically one in each country
   • The credentials they issue are comparable in quality




Requirements for (inter)national trust


   • Identity vetting procedures
        – Based on (national) photo IDs
        – Face-to-face verification of applicants
          via a network of Registration Authorities
        – possible to trace the user in case of unlawful misconduct
        – Secure binding between the request and the identity vetting
        – Periodic renewal (once every year)

   • Secure operation
        – off-line signing key or HSM-backed on-line secured systems

   • Response to incidents
        – Timely revocation of compromised certificates

   new models and guidelines are being agreed on right now, but are
     not yet available.


VO affiliation



   • Per-VO Authorisations ("visa")
        –   granted to a person or service by a virtual organisation
        –   based on the 'passport' name
        –   acknowledged by the resource owners
        –   providers can still ban individual users,
            and decide which privileges are granted to which VO attributes

   • In your case, these 'visa' are called VOMS credentials
   • It is a cryptographically protected statement by the VO
   • which is bound (by the VO) to your subject name

   [Figure: proxy subject C=IT/O=INFN/L=CNAF/CN=Pinco Palla/CN=proxy
    carrying Pinco's VO attributes]




Single sign-on and delegation



   • To authenticate with your certificate directly you would have
     to type a passphrase every time
   • Also you need a way to send your VOMS credentials across

   • In the Grid Security Infrastructure today, this is solved by
     'proxy certificates'
        –   a temporary key pair
        –   in a temporary certificate signed by your 'long term' private key
        –   valid for a limited time (default: 12 hours)
        –   and itself not protected by a passphrase




grid-proxy-init




   • The user enters the pass phrase, which is used to decrypt the private key.

   • The private key is used to sign a proxy certificate with its own, new
     public/private key pair.
         – The user's private key is not exposed after the proxy has been signed

   [Figure: pass phrase + user certificate file (private key, encrypted)
    → user proxy certificate file]

   • Proxy placed in /tmp
         – the private key of the proxy is not encrypted:
         – stored in a local file: must be readable only by the owner;
         – proxy lifetime is short (typically 12 h) to minimize security risks.
   • NOTE: No network traffic!
slide from EGEE NA3 Tutorial repository
Delegation and limited proxy




    • Delegation = remote creation of a (second level) proxy credential
          – New key pair generated remotely on server
          – Client signs proxy cert and returns it
          – for GT2 services it is built into the protocol,
            for GT4 WS use the delegation service (gLite: it’s implicit in the service)
    • Allows remote process to authenticate on behalf of the user
          – Remote process “impersonates” the user
    • The client can elect to delegate a “limited proxy”
          – Each service decides whether it will allow authentication with a limited
            proxy
          – Job manager service requires a full proxy
          – GridFTP server allows either full or limited proxy to be used




slide from EGEE NA3 Tutorial repository
Proxy again …




   • grid-proxy-init ≡ "login to the Grid"
   • To "logout" you have to destroy your proxy:
         – grid-proxy-destroy
         – This does NOT destroy any proxies that were delegated from this proxy.
         – You cannot revoke a remote proxy
         – Usually create proxies with short lifetimes
   • To gather information about your proxy:
         – grid-proxy-info
         – Options for printing proxy information:
             -subject, -issuer, -type, -timeleft, -strength, -help
slide from EGEE NA3 Tutorial repository
Embedding your VOMS credentials



   • The proxy can also be used as a container for other stuff
        – the standard SSL protocol has no other way of adding stuff to
          the secure session
        – but a 'plain' grid proxy does not indicate which VO you belong to
        – the VOMS credential is embedded as an extension in the proxy

   [Figure: the client sends an Authentication Request to the VOMS server,
    which consults its Auth DB and returns a signed VOMS pseudo-cert; the
    pseudo-cert is embedded in the proxy with subject
    C=IT/O=INFN/L=CNAF/CN=Pinco Palla/CN=proxy.]

   [davidg@tbn01 davidg]$ voms-proxy-info -all
   …
   Type          : proxy
   Bits          : 512
   Valid From    : Jun 2 06:22:02 2004 GMT
   Validity left : Jun 2 18:27:02 2004 GMT
   VO            : wpsix
   Holder Subject: /O=dutchgrid…/O=nikhef/CN=David Groep
   …
   Issuer Subject: /C=FR/O=CNRS/OU=UREC/CN=vo-iteam.datagrid.cnrs.fr
   …
   Valid from    : Jun 2 06:26:09 2004 GMT
   Valid to      : Jun 2 18:26:09 2004 GMT
   Attribute     : /wpsix/Role=NULL/Capability=NULL

   (The 512-bit proxy key in this 2004 output is factorable today; use at
    least 1024 bits, both grid-proxy-init and voms-proxy-init accept -bits.)



Getting a VOMS proxy



    • A VOMS credential consists of a list of attributes
    • An FQAN, short for Fully Qualified Attribute Name, is what VOMS uses to express
      membership and other authorization info
    • Group membership, roles and capabilities may be expressed in a
      format that binds them together:
           <group>/Role=[<role>][/Capability=<capability>]

 [glite-tutor] /home/giorgio > voms-proxy-init --voms gilda
 Your identity: /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio Giorgio/Email=emidio.giorgio@ct.infn.it
 Enter GRID pass phrase: ******
 Your proxy is valid until Mon Jan 30 23:35:51 2006
 Creating temporary proxy.................................Done
 Contacting voms.ct.infn.it:15001 [/C=IT/O=GILDA/OU=Host/L=INFN Catania/CN=voms.ct.infn.it/Email=emidio.giorgio@ct.infn.it] "gilda"
 Creating proxy ...................................... Done
 Your proxy is valid until Mon Jan 30 23:35:51 2006

slide from EGEE NA3 Tutorial repository
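The FQAN syntax on this slide, <group>/Role=[<role>][/Capability=<capability>], is what a resource has to parse before it can decide what a VOMS proxy is entitled to. The script below is an added example written for this page, not code from VOMS or from any gLite authorization component: it parses FQANs into their three parts, treating the literal NULL that VOMS writes for an unset role or capability (as in the voms-proxy-info output two slides back) as "absent", and checks a list of FQANs against a required attribute. The matching rule (same group; a required role must match, a requirement without a role accepts any role) and the group /gilda/tutors are this example's own conventions, not a description of how a particular middleware matches.

```shell
#!/bin/sh
# Added example (not from the tutorial or from VOMS): an FQAN parser for
# <group>/Role=[<role>][/Capability=<capability>] and a simple match against
# a required attribute. The matching rule and the /gilda/tutors group are
# this example's own assumptions.
set -eu

# parse_fqan FQAN: prints "group=<g> role=<r> capability=<c>"; NULL becomes empty.
parse_fqan() {
  rest=$1; role=; cap=
  case $rest in
    */Capability=*) cap=${rest##*/Capability=}; rest=${rest%/Capability=*} ;;
  esac
  case $rest in
    */Role=*) role=${rest##*/Role=}; rest=${rest%/Role=*} ;;
  esac
  if [ "$role" = NULL ]; then role=; fi   # VOMS spells "no role" as Role=NULL
  if [ "$cap" = NULL ]; then cap=; fi
  printf 'group=%s role=%s capability=%s\n' "$rest" "$role" "$cap"
}

# fqan_field FIELD FQAN: one field (group, role or capability) of an FQAN.
fqan_field() {
  parse_fqan "$2" | tr ' ' '\n' | sed -n "s/^$1=//p"
}

# fqan_matches REQUIRED FQAN: prints yes when the groups are equal and the
# required attribute either names no role or names the FQAN's role.
# Capabilities are ignored here (example convention).
fqan_matches() {
  rg=$(fqan_field group "$1"); rr=$(fqan_field role "$1")
  fg=$(fqan_field group "$2"); fr=$(fqan_field role "$2")
  if [ "$rg" = "$fg" ] && { [ -z "$rr" ] || [ "$rr" = "$fr" ]; }; then
    echo yes
  else
    echo no
  fi
}

# any_fqan_matches REQUIRED FQAN...: yes if any of the proxy's FQANs (one per
# argument, in the order voms-proxy-info lists them) satisfies the requirement.
any_fqan_matches() {
  req=$1; shift
  for f in "$@"; do
    if [ "$(fqan_matches "$req" "$f")" = yes ]; then echo yes; return 0; fi
  done
  echo no
}

case "${1:-}" in
  run)
    parse_fqan '/wpsix/Role=NULL/Capability=NULL'
    parse_fqan '/gilda/tutors/Role=admin'
    any_fqan_matches '/gilda/tutors/Role=admin' \
      '/gilda/Role=NULL/Capability=NULL' '/gilda/tutors/Role=admin/Capability=NULL'
    ;;
esac
```

Note that a plain group requirement such as /gilda does not match a subgroup FQAN such as /gilda/tutors in this example; whether subgroup membership should imply parent-group rights is a policy decision the resource provider has to make explicitly.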
Long term proxies


   •    A proxy has a limited lifetime (default is 12 h)
         – it is a bad idea to have a longer-lived proxy
   •    However, a grid task might need to use a proxy for a much longer time
         – Grid jobs in HEP Data Challenges on LCG last up to 2 days
   •    myproxy server:
         – Allows you to create and store a long-term proxy certificate:
         – myproxy-init -s <host_name>
                -s <host_name> specifies the hostname of the myproxy server
         – myproxy-info
                Get information about the stored long-lived proxy
         – myproxy-get-delegation
                Get a new proxy from the MyProxy server
         – myproxy-destroy
         – Check out the myproxy-xxx --help option
   •    A dedicated service on the RB can renew the proxy automatically
   •    File transfer services in gLite validate the user's request and, if needed,
        renew the proxy
         – by contacting the myproxy server
slide from EGEE NA3 Tutorial repository
Grid authentication with MyProxy




   [Figure: the user runs myproxy-init from the UI to store a credential on the
    MyProxy Server; a Web Portal (UI), reached from a web browser on the local
    workstation, obtains proxies from the MyProxy Server to act on the Grid.]
slide from EGEE NA3 Tutorial repository




                  But what do I have to do?

                  A Grid Security walk-through






A walk-through




   [Figure: the parties in the walk-through: user, CA, VO and service.]




Certificate request




   [Figure: the user runs grid-cert-request and sends the resulting cert-request
    to the CA; this is repeated once every year.]




Contacting the CA



   • Each CA has different policies and practices

   • Generate a cryptographic key pair
        – using a script like grid-cert-request
        – with your web browser
        – using a Java Applet
   • Appear in-person to the Registration Authority (RA)
   • RA approves your request
   • CA signs the approved request and sends you the cert
        – via mail: copy to your home directory
        – via the web: download into your browser and export to disk
   • All use a network of RAs close to you

DutchGrid CA




                  http://ca.dutchgrid.nl/
Making the request (DutchGrid CA)
   triode:davidg:1004$ sh makerequest.sh                  <- run the request script
   Generating user request and private key in /tmp
   Do NOT delete the private key in this directory
   NOTICE: you are about to create the cryptographic key pair you need
           in your certificate. The private key is highly confidential
           information! Do not share it with anyone and do not send it
           by mail to the Certification Authority
           Your private key is stored in a file named 'userkey.pem'

   Using configuration from /tmp/certreq15061.cnf
   Generating a 1024 bit RSA private key
   .....++++++
   ..................++++++
   writing new private key to '/tmp/userkey.pem'
   -----
   Mailing [CA:medium] certificate request to the DutchGrid CA
   …
   In the authentication process by the CA, you may be asked to
   provide a proof-of-possession of the keypair you submitted. This
   may involve you providing part of your public keydata displayed
   below:
                          Proof of Possession Challenge
   BA806384C5FDBA0CB079049AF252BF8532014E9A13DB6E9FF9259ED67D10E07B3B76376723D3FB17D25770629EF
   A3CE6F27533E468CFD9D2CBBD861ADBDF6677EE203B8133B77EC6F7FC74904A055D54BCD613BB753A9BCF81AF3B
   400CB43C917C29E41C4354AE452166B19D84B03C132971D7A951140D077BB0D0022F7AE065

   *** Fill in the registration form now, and go to your RA.




Your request




      • openssl req -in ~/.globus/user_request.pem -text
        Data:
          Version: 0 (0x0)
          Subject: O=Grid, O=CERN, OU=cern.ch, CN=Akos Frohner              <- user information
          Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
             RSA Public Key: (1024 bit)
                  Modulus (1024 bit):                                       <- public key
                    00:ba:ae:e2:9a:98:be:94:f5:f5:9e:e7:f7:06:58: [...]
                  Exponent: 65537 (0x10001)
        Signature Algorithm: md5WithRSAEncryption                          <- signature on the public
          29:87:63:40:65:af:1b:39:e9:71:b9:3f:70:80:0c:27:71:0e: [...]      key and user information
      -----BEGIN CERTIFICATE REQUEST-----                                  <- PEM encoded request
      MIIBhjCB8AIBADBHMQ0wCwYDVQQKEwRHcmlkMQ0wC [...]
      -----END CERTIFICATE REQUEST-----

      Note: the md5WithRSAEncryption self-signature dates this request; MD5 is
      broken for signatures and current requests use SHA-2 (openssl req -sha256).




Private Key Details




      • openssl rsa -in ~/.globus/userkey.pem -text
      Enter PEM pass phrase: ***************
      Private-Key: (1024 bit)
      modulus: [...]
      publicExponent: ..... (0x......)
      privateExponent: [...]
      prime1: [...]                      <- private parameters
      prime2: [...]
      exponent1: [...]
      exponent2: [...]
      coefficient: [...]
      writing RSA key
      -----BEGIN RSA PRIVATE KEY-----    <- PEM encoded private key
      -----END RSA PRIVATE KEY-----




Certificate signing




   [Figure: the CA signs the cert-request (cert signing) and returns the
    certificate to the user.]




Importing your certificate in the browser

   [Figure: the user converts the certificate to cert.pkcs12 for import into
    the browser.]


                                                    VO




Browser certificates




   •    Your certificate must be in PKCS#12 format
   openssl pkcs12 -export \
      -in ~/.globus/usercert.pem \
      -inkey ~/.globus/userkey.pem \
      -out user.p12 \
      -name 'Joe Smith'

   •    Use the “certificate store” of your browser
        – Windows: double-click on the “.p12” file
        – Explorer: Internet Options – tab: Content
        – Netscape 6: Preferences –
          Privacy&Sec – Certificates, then
          use “Restore”

   •    And SET THE MASTER PASSWORD
Usage Guidelines




   [Figure: after the certificate is in place, the user registers with the VO,
    once for the lifetime of the VO (based on your DN), under the VO's usage
    guidelines; the registration feeds the account registration at the service.]
INFSO-RI-508833                                                  Grid Security, Groningen Tutorial 2006   36
                                                 Registering with your VO

   for ‘national’ VOs use:
   https://register.matrix.sara.nl/
   or https://voms.grid.sara.nl:8443/vomses

   for LCG use:
   http://lcg-registrar.cern.ch/

   Agree to VO AUP!
                                                          Starting a session

   [Diagram: the certificate and registration steps as before; the user now runs voms-proxy-init, which contacts the VO and produces a proxy-cert. This step is repeated every 12/24 hours. Service box shown without connections.]
                                            Configuration on the Server

   [Diagram: user side as before (grid-cert-request, certificate, cert.pkcs12, registration, voms-proxy-init, proxy-cert). On the service side, grid-cert-request produces a host-request that the CA signs into a host-cert; the service also keeps the ca-certificate and the crl, obtained through a cert/crl update that is automatically updated every night/week. The VO box is now labelled VOMS.]
                                                              Using a Service

   [Diagram: as on the previous slide, with a gridmap added on the service side, optionally generated with mkgridmap from VOMS. When the user contacts the service, host/proxy certs and VOMS attributes are exchanged.]
                                                                       Summary

      CA: authentication
      VO: AUP, authorization and access

      • new certificate: follow the web page instructions
      • send to the appropriate CA (e.g. ca@dutchgrid.nl)
      • save the answer
           – ~/.globus/usercert.pem
      • import in web browser (.p12) and register with VO

      • new proxy certificate: voms-proxy-init -voms foobar
           – /tmp/x509up_u<uid>
      • use the Grid
                                                    Extra: certificate renewal

   • Your certificate has a validity of 12 months, then you will have to renew
        – you get an email warning 4 weeks in advance (and again at ~2 weeks)
        – download the script from the web site
        – run it on a unix system with OpenSSL installed (no macs!)

   • The script generates a signed email message
        – send the signed message to ca@dutchgrid.nl
        – do not modify the message in any way; preferably use
            sendmail -t < newrequest.txt
          as the script tells you at the end
        – your Registration Authority will be contacted for confirmation
        – after response from the RA, a new certificate is mailed to you

   • When you get the new certificate, remember to also put the
     newkey.pem file in the proper place!
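Both the 12/24-hour proxy of the “Starting a session” slide and the 12-month user certificate of the renewal slide above raise the same question: how much validity is left, and is it time to act? The following is an added example, not code from the tutorial or the DutchGrid scripts; it uses OpenSSL's own date comparison (openssl x509 -checkend) so no notAfter string has to be parsed, and applies the 4-week and ~2-week reminder thresholds from the slide. Function names, the one-hour proxy default and the constructed self-signed test certificate are assumptions; OpenSSL must be installed.

```shell
# Added example, not part of the tutorial. Assumes OpenSSL on the PATH.
set -eu

# Warning thresholds from the renewal slide (4 weeks, then ~2 weeks).
FOUR_WEEKS=$((28 * 24 * 3600))
TWO_WEEKS=$((14 * 24 * 3600))

# True (exit 0) when certificate $1 expires within $2 seconds from now, or
# has expired already. -checkend exits non-zero in exactly that case, so the
# comparison against the current clock is done by OpenSSL, portably.
expires_within() {
  ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Classify a user certificate: expired / renew-now / renew-soon / ok.
cert_status() {
  if expires_within "$1" 0; then
    echo expired
  elif expires_within "$1" "$TWO_WEEKS"; then
    echo renew-now      # inside the ~2-week reminder: send the renewal request
  elif expires_within "$1" "$FOUR_WEEKS"; then
    echo renew-soon     # inside the 4-week reminder window
  else
    echo ok
  fi
}

# A proxy (/tmp/x509up_u<uid>) with less than $2 seconds left (assumed
# default: one hour) should be re-created with voms-proxy-init before
# submitting work that would outlive it.
proxy_needs_refresh() {
  expires_within "$1" "${2:-3600}"
}

# Constructed test certificate (self-signed, not CA-issued): writes
# $1/key.pem and $1/cert.pem, valid for $2 days.
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=test" \
    -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Stand-alone demo: sh this-script.sh demo
if [ "${1:-}" = demo ]; then
  d=$(mktemp -d)
  make_test_cert "$d" 365 && echo "365-day cert: $(cert_status "$d/cert.pem")"
  make_test_cert "$d" 1   && echo "1-day cert:   $(cert_status "$d/cert.pem")"
  rm -rf "$d"
fi
```

Run cert_status against ~/.globus/usercert.pem from a login script or cron job and you get the same 4-week warning locally even if the CA's reminder mail goes astray; proxy_needs_refresh against /tmp/x509up_u$(id -u) is the check to make before a long job submission.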
                                     Extra: managing a VOMS VO




                        VOMS management through the web



   • VOMS groups and roles can be managed by the VO-admin
     through the VOMS-Admin web interface
   • Connect to https://voms.grid.sara.nl:8443/voms/voname




                                                  extra: on the USB key

   1. go to the CA web site at http://ca.dutchgrid.nl/
   2. complete all web forms, and print out the paper
   3. download the Unix shell script
   4. run the makerequest.sh script, specifying where the keys should be
      created:
          mkdir /mnt/flash/.globus
          sh makerequest.sh /mnt/flash/.globus/
   5. write down the proof-of-possession challenge on the paper
   6. submit the request to http://ra.dutchgrid.nl/ra/public/submit

   Back home
   1. receive the mail from the CA
   2. insert your USB flash drive again, and copy the mail to
          /mnt/flash/.globus/usercert.pem
   3. make a symlink in your home directory on the UI:
          ln -s /mnt/flash/.globus $HOME/.globus
   4. login to the grid with grid-proxy-init
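A check for the layout the steps above leave behind, added here as an example (it is not part of the tutorial or of the DutchGrid scripts). It creates the symlink of step 3 safely, refusing to touch an existing real ~/.globus directory (plain ln -s would silently create the link inside it), and then verifies what grid-proxy-init will look for: both PEM files present, usercert.pem holding the certificate block from the CA mail, and userkey.pem not readable by group or others, since Globus refuses a key file with such permissions. Function names and the temporary directories in the demo are assumptions; no tool beyond POSIX sh is needed.

```shell
# Added example, not part of the tutorial. Pure POSIX sh, no OpenSSL needed.
set -eu

# True (exit 0) when file $1 is readable by group or others. Uses the ls
# mode string (columns 5 and 8) so it works on GNU and BSD alike; -L follows
# symlinks so the USB-key file itself is examined, not the link.
is_group_or_world_readable() {
  perms=$(ls -ldL "$1" | cut -c1-10)
  case "$perms" in
    ????r*|???????r*) return 0 ;;
    *)                return 1 ;;
  esac
}

# Step 3 of "Back home", done safely: $1 is the flash-drive .globus
# directory, $2 the home directory (assumed default: $HOME).
# Refuses when ~/.globus already exists as a real directory.
link_usb_globus() {
  src=$1; home=${2:-$HOME}
  if [ -e "$home/.globus" ] && [ ! -L "$home/.globus" ]; then
    echo "$home/.globus already exists as a real directory; move it aside first" >&2
    return 1
  fi
  rm -f "$home/.globus"          # drop a stale link (e.g. to an old mount point)
  ln -s "$src" "$home/.globus"
}

# Validate a .globus directory before grid-proxy-init. Prints one line per
# problem and returns the number of problems found (0 means ready).
check_globus_dir() {
  dir=$1; problems=0
  if [ -L "$dir" ] && [ ! -e "$dir" ]; then
    echo "dangling symlink: $dir (is the USB flash drive mounted?)"
    return 1
  fi
  [ -d "$dir" ] || { echo "not a directory: $dir"; return 1; }
  for f in usercert.pem userkey.pem; do
    if [ ! -f "$dir/$f" ]; then
      echo "missing: $dir/$f"; problems=$((problems + 1))
    fi
  done
  # The CA mail must have been saved with its PEM block intact.
  if [ -f "$dir/usercert.pem" ] && ! grep -q 'BEGIN CERTIFICATE' "$dir/usercert.pem"; then
    echo "usercert.pem contains no PEM certificate block"; problems=$((problems + 1))
  fi
  # Globus refuses a private key that others can read.
  if [ -f "$dir/userkey.pem" ] && is_group_or_world_readable "$dir/userkey.pem"; then
    echo "userkey.pem is readable by others: chmod 0400 $dir/userkey.pem"
    problems=$((problems + 1))
  fi
  return $problems
}

# Stand-alone demo with a constructed fake flash drive: sh this-script.sh demo
if [ "${1:-}" = demo ]; then
  d=$(mktemp -d)
  mkdir -p "$d/flash/.globus" "$d/home"
  printf -- '-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n' > "$d/flash/.globus/usercert.pem"
  printf 'constructed key material\n' > "$d/flash/.globus/userkey.pem"
  chmod 0644 "$d/flash/.globus/userkey.pem"   # deliberately wrong, to show the finding
  link_usb_globus "$d/flash/.globus" "$d/home"
  check_globus_dir "$d/home/.globus" || echo "problems found: $?"
  rm -rf "$d"
fi
```

On a UI where the flash drive is mounted at a different path than at home, re-run link_usb_globus with the new mount point; check_globus_dir reports a dangling link whenever the drive is not mounted, which is the usual cause of a grid-proxy-init failure in this setup.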

								