X.509 Certificates
• On the Life Science Grid (LSG) users need an X.509 certificate.
• This certificate is like a passport: authentication
• Certificates can have VO-extensions, which are like visas: authorization
• Certificates are issued by Certificate Authorities (CAs). For the Netherlands this is DutchGrid: http://www.dutchgrid.nl/
Outline
• Logging in with PuTTY
• Symmetric and asymmetric encryption
• Digital signatures
• X.509 certificates
• Delegation
• X.509 proxy certificates
• VOMS extensions
• MyProxy
• Workload Management System
• tutorGridSession tutor
Logging in on the User Interface (UI): gb-se-ams.els.sara.nl
• Use putty.exe
1. Enter the [Host Name]
2. <Save> as “Grid UI”
3. Click <Open>
4. Login as demoXX
• Certificate Body
  • Issuer: the issuer's Distinguished Name
  • Validity: validity period of this certificate
  • Subject: the “Distinguished Name” (DN) of the user
  • Subject's public key
  • Extensions: various bits of information
• Digital Signature
  • Digest of the Certificate Body
  • encrypted by the issuer’s private key
X.509 Certificates are signed messages
gb-se-ams:~/.globusdemo01$ voms-proxy-init -voms tutor
Cannot find file or dir: /home/demo01/.glite/vomses
Enter GRID pass phrase: demo01
Your identity: /DC=org/DC=egee-ne/O=Training Services/OU=users/CN=Demo User 01
Creating temporary proxy ............................................. Done
Contacting voms.grid.sara.nl:30007 [/O=dutchgrid/O=hosts/OU=sara.nl/CN=voms.grid.sara.nl] "tutor" Done
Creating proxy ................................................................................................................. Done
Your proxy is valid until Thu Jun 4 11:43:35 2009

gb-se-ams:~/.globusdemo01$ openssl x509 -in $X509_USER_PROXY -text -noout | less

gb-se-ams:~/.globusdemo01$ voms-proxy-info -all
subject   : /DC=org/DC=egee-ne/O=Training Services/OU=users/CN=Demo User 01/CN=proxy
issuer    : /DC=org/DC=egee-ne/O=Training Services/OU=users/CN=Demo User 01
identity  : /DC=org/DC=egee-ne/O=Training Services/OU=users/CN=Demo User 01
type      : proxy
strength  : 1024 bits
path      : /tmp/x509up_u1062
timeleft  : 11:19:25
=== VO tutor extension information ===
VO        : tutor
subject   : /DC=org/DC=egee-ne/O=Training Services/OU=users/CN=Demo User 01
issuer    : /O=dutchgrid/O=hosts/OU=sara.nl/CN=voms.grid.sara.nl
attribute : /tutor/Role=NULL/Capability=NULL
timeleft  : 11:19:24
uri       : voms.grid.sara.nl:30007
gb-se-ams:~/.globusdemo01$
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 260 (0x104)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: DC=org, DC=egee-ne, O=Training Services, OU=users, CN=Demo User 01
        Validity
            Not Before: Jun 3 21:38:35 2009 GMT
            Not After : Jun 4 09:43:35 2009 GMT
        Subject: DC=org, DC=egee-ne, O=Training Services, OU=users, CN=Demo User 01, CN=proxy
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:ac:e1:2f:d7:81:b8:42:cb:28:8f:ec:c8:cb:89:
                    16:7f:68:3d:07:ff:67:0d:97:15:91:22:ec:a3:be:
                    06:e7:d3:69:c9:b9:2a:f2:f5:9c:c7:00:b0:a4:16:
                    fd:6c:cc:2b:85:6d:5c:4c:4b:de:a2:3f:77:85:e6:
                    2a:90:7a:f8:8f:7b:6f:68:25:44:20:5a:23:6e:9c:
                    61:2f:b6:ff:36:9a:72:05:06:f5:bf:21:81:f1:b7:
                    81:6f:9b:50:9e:37:1c:64:34:2b:c8:90:cb:f2:26:
                    4b:bd:cf:57:77:15:a7:1d:a1:15:5c:cd:2d:e3:fd:
                    25:10:0c:e1:6d:87:31:4b:df
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            1.3.6.1.4.1.8005.100.100.5:
                0...0...0..^M0..v...0}.{0u.s0q1.0....&...,d....org1.0....&...,d....egee-ne1.0...U...Training Services1.0...U....users1.0...U....Demo User 01.....X0V.T0R1.0...U...dutchgrid1.0...U...hosts1.0...U....sara.nl1.0...U....voms.grid.sara.nl0^M..*.H..^M.........~....B;..E^.0{60"..20090603214334Z..20090604094334Z0Y0W.+.....Edd.1I0G.!..tutor://voms.grid.sara.nl:300070". /tutor/Role=NULL/Capability=NULL0...0..+.....Edd...0.0.0...U.8....0...U.#..0.......,~~.......'qp...0....+.....Edd
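An added check, not part of the tutorial, over the `voms-proxy-info -all` output shown above: it parses the proxy block and the VO extension block and verifies the invariants the slides describe, namely that the proxy was issued by the user's own identity, that its subject is the identity DN with `/CN=proxy` appended, and that the VOMS attribute certificate is bound to the same identity. The sample text is the slide's output; the one-hour minimum lifetime is an assumption.

```python
import re

# Constructed sample: the lines of `voms-proxy-info -all` shown on the slide above.
SAMPLE = """\
subject   : /DC=org/DC=egee-ne/O=Training Services/OU=users/CN=Demo User 01/CN=proxy
issuer    : /DC=org/DC=egee-ne/O=Training Services/OU=users/CN=Demo User 01
identity  : /DC=org/DC=egee-ne/O=Training Services/OU=users/CN=Demo User 01
timeleft  : 11:19:25
=== VO tutor extension information ===
VO        : tutor
subject   : /DC=org/DC=egee-ne/O=Training Services/OU=users/CN=Demo User 01
issuer    : /O=dutchgrid/O=hosts/OU=sara.nl/CN=voms.grid.sara.nl
attribute : /tutor/Role=NULL/Capability=NULL
timeleft  : 11:19:24
"""

def parse_proxy_info(text):
    """Split the output into the proxy block and one dict per VO extension."""
    proxy, vos, cur = {}, [], None
    for line in text.splitlines():
        m = re.match(r"=== VO (\S+) extension information ===", line)
        if m:
            cur = {"VO": m.group(1)}
            vos.append(cur)
        elif ":" in line:
            key, _, value = line.partition(":")
            (proxy if cur is None else cur)[key.strip()] = value.strip()
    return proxy, vos

def hms_to_seconds(hms):
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s

def check_proxy(text, min_seconds=3600):
    # Returns findings for a proxy that breaks the slides' invariants; [] means OK.
    proxy, vos = parse_proxy_info(text)
    ident, findings = proxy.get("identity", ""), []
    # The user signs the proxy: issuer == identity, subject == identity + "/CN=proxy".
    if proxy.get("issuer") != ident:
        findings.append("proxy issuer is not the user identity")
    if proxy.get("subject") != ident + "/CN=proxy":
        findings.append("proxy subject does not extend the identity DN")
    if hms_to_seconds(proxy.get("timeleft", "0:0:0")) < min_seconds:
        findings.append("proxy expires too soon")
    # Authorization comes from the VOMS AC; it must be bound to the same identity.
    if not vos:
        findings.append("no VOMS extension: authentication only, no authorization")
    for vo in vos:
        if vo.get("subject") != ident:
            findings.append(f"VOMS AC for {vo['VO']} is bound to another identity")
    return findings
```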
Trying it out
Starting a Grid session in theory…
1. Create a proxy certificate with short validity (hours)
   • Contains VOMS credentials
   • Allows “Single Sign-On”: the proxy private key doesn’t have a passphrase
2. Delegate this proxy to the Workload Management System (WMS)
3. Delegate another, long-lived proxy to the Proxy Server
… and in practice:
1. Normally, just type: startGridsession <VO>
   but today: tutorGridSession <VO>
   This returns a session name, needed to submit jobs.
gb-se-ams:~/.globusdemo01$ tutorGridSession tutor
Now starting...
Please enter your GRID password: demo01
voms-proxy-init -voms tutor --valid 120:00 -pwstdin
Cannot find file or dir: /home/demo01/.glite/vomses
Your identity: /DC=org/DC=egee-ne/O=Training Services/OU=users/CN=Demo User 01
Creating temporary proxy ........................................ Done
Contacting voms.grid.sara.nl:30007 [/O=dutchgrid/O=hosts/OU=sara.nl/CN=voms.grid.sara.nl] "tutor" Done
Creating proxy .......................................... Done
Your proxy is valid until Tue Jun 9 00:44:51 2009
Your identity: /DC=org/DC=egee-ne/O=Training Services/OU=users/CN=Demo User 01
Creating proxy ................................................................................................................. Done
Proxy Verify OK
Your proxy is valid until: Tue Jun 9 00:44:52 2009
A proxy valid for 120 hours (5.0 days) for user /DC=org/DC=egee-ne/O=Training Services/OU=users/CN=Demo User 01 now exists on px.grid.sara.nl.
Your delegation ID is: demo01
gb-se-ams:~/.globusdemo01$