Accounts on Grids

• setting up accounts across multiple sites is complex– once done things should be automatic– However, can take several days to get done

• To ‘get on’ you need to:– Get an account on one or more of the machines – Set it up (e.g. ENV)

• Often a prepared script provided by site mgr is used.

• To use it as a grid, you need to set up grid certificate:• Find your grid libraries• run certificate init (grid-cert-request) codes • get cert approved• propagate certificate info to each machine• Identify your Distinguised Name (DN)

– Get DN installed in ‘grid mapfile’• place where user names are mapped to cert DN

Globus Security: the Grid Security Infrastructure (GSI)

• http://www.globus.org/security• Public key encryption for single sign-on

– PEM: Public Encryption Method

• X.509 certificates for credentials• Secure Sockets Layer (SLL) communication

protocol for message security• Standard: most sites conform to

– Generic Security Service API (GSS-API) of the Internet Engineering Task Force (IETF)

• Certificate Authority (CA) blesses process

GSI: Some Terms(http://www.dcoce.ox.ac.uk/glossary)

• IETF: Internet Engineering Task Force• PKI Public Key Infrastructure:

– IETF definition: "The set of hardware, software, people, policies and procedures needed to create, manage, store, distribute, and revoke PKCs based on public-key cryptography".

– OpenSSL provides an Open Source implementation. .• OpenSSL Project:

– Collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library.

• PKC Public Key Certificate: – IETF definition: "A data structure containing the public key of an

end-entity and some other information, which is digitally signed with the private key of the CA which issued it.“

GSI: Some Terms(from

http://www.dcoce.ox.ac.uk/glossary)• CA: Certification Authority:

– An agency or organization that is able to publish and give out digital certificates– IETF definition: "An authority trusted by one or more users to create and assign

public key certificates. Optionally the CA may create the user's keys. It is important to note that the CA is responsible for the public key certificates during their whole lifetime (what includes renewal, revocation, etc.), not just for issuing them.“

• DN:Distinguished Name – X.509 certificates; always contained within the 'subject' field of a digital

certificate. The distinguished name should be unique within all certificates issued by a certification authority. A distinguished name might look like this: C=UK, O=eScience, OU=Authority, CN=CA. The attributes (e.g. C (Country), O (Organisation), OU (Organisational Unit), CN (Common Name), etc.) all combine to form the DN

• X.509: – Recommendation X.509 specifies the authentication service for X.500

directories, as well as the widely adopted X.509 certificate syntax. The initial version of X.509 was published in 1988, version 2 was published in 1993, and version 3 was proposed in 1994 and considered for approval in 1995. Version 3 addresses some of the security concerns and limited flexibility that were issues in versions 1 and 2.

Security: SSL Secure Socket Layer

• SSL designed to secure data exchanges between two applications

– originally between Web server -> browser.

– protocol is widely used and is compatible with most Web browsers.

– At network level, SSL protocol is inserted between TCP/IP and HTTP layers

• SSL has been designed mainly to work with HTTP.

• SSL uses a public key encryption method– technique based on a pair of asymmetric

keys for encryption and decryption: a public key and a private key.

– The private key is used to encrypt data. • sender (e.g. web site) does not give it to

anyone

• Public Key – used to decrypt the information and is

sent to the receivers (Web browsers) through a certificate.

– When using SSL with the Internet, certificate delivered through a certification authority, such as Verisign

– Web site pays CA to deliver a certificate - guaranties the server authentication and contains the public key allowing to exchange data in a secured mode.

(Image courtesy www.4d.fr)

Globus GSI: Public Key Cryptography

• PKI relies not on a single key (a password or a secret "code"), but on two keys. – Asymmetric encryption– keys are numbers that are mathematically related in such a

way that if either key is used to encrypt a message, the other key must be used to decrypt it.

• How it works:– Entity (owner) has two keys -a public and a private key – Data encrypted with one key can only be decrypted with other.– The private key is known only to the entity– The public key is given to the world encapsulated in a X.509

certificate• Important:

– It is critical that private keys be kept private! Anyone who knows the private key can easily impersonate the owner.

GSI: Certificates• Every user and service on the Grid is identified via a certificate,

– contains information vital to identifying and authenticating user or service. – Certificates are public

• GSI certificates are encoded in the X.509 certificate format and includes four primary pieces of information: – Subject name, identifies the person or object that the certificate represents. – Public Key belonging to the subject. – Identity of a Certificate Authority (CA) that has signed the certificate to

certify that the public key and the identity both belong to the subject. – Digital Signature of the named CA.

• The CA used to certify link between public key and subject in certificate – This is done when you get your certificate– To trust the certificate and its contents, the CA's certificate must be trusted. – The link between the CA and its certificate must be established via some

non-cryptographic means, or else the system is not trustworthy.

GSI: How Digital Signatures Work

• Using public key cryptography, it is possible to digitally "sign" a piece of information. – Signing information essentially means assuring a recipient of the information

that the information hasn't been tampered with since it left your hands.• Entity A digitally signs a piece of information:

– Computes a mathematical Hash (H1) of the information – Encrypt this has using Entity A’s private key (encr-H1)– Attach hash encr-H1 to the original message – Make sure that the Recipient has Entity A’s public key. – Make sure Recipient knows algorithm

• Recipient must verify that the signed message is authentic:– Compute new hash (H2) of original message using the same hashing

algorithm used by Entity A– Using the CA digital signature in entity A’s public certificate, recipient

decrypts hash encr-H1 that Entity A attached to the message (hash H3)– IF H3 == H2

• Proves that entity A signed the message and that the message has not been changed since you signed it.

GSI: Mutual Authentication

• Grid services work based on mutual authentication – If two parties have certificates, and if both parties trust the

CAs that signed each other's certificates, then the two parties can prove to each other that they are who they say they are.

• Before mutual authentication can occur, – parties involved must first trust the CAs that signed each

other's certificates. – they must have copies of the CAs' certificates--which contain

the CAs' public key– they must trust that these certificates really belong to the CAs.

• This is often a very manual process and one of the bottlenecks in setting up a grid:– Site admins (system, security, project, etc)

GSI: Mutual Authentication • A connects to B and A gives B its certificate (identity, public key, signing

CA)• B will first make sure that the certificate is valid

– checking the CA's digital signature, check that the certificate hasn't been tampered with.

• B must make sure that A really is the person identified in the certificate. – B generates a random message and sends it to A, asking A to encrypt it. – A encrypts the message using private key, and sends it back to B. – B decrypts the message using A's public key. – If this results in the original random message, B knows that A is who he says he

is. • Now B trusts A's identity, the same operation must happen in reverse.

– B sends A a certificate– A validates the certificate and sends a challenge message to be encrypted. – B encrypts message, sends back to A, A decrypts it and compares it with the

original. – If it matches, then A knows that B is who she says she is.

• A and B have established a connection to each other and are certain that they know each others' identities.

GSI: Securing Private Keys

• The core GSI software provided by the Globus Toolkit expects the user's private key to be stored in a file in the local computer's storage.

• To prevent other users of the computer from stealing the private key, the file that contains the key is encrypted via a password (also known as a passphrase).

• To use the GSI, the user must enter the passphrase required to decrypt the file containing their private key.

• We have also prototyped the use of cryptographic smartcards in conjunction with the GSI.

• This allows users to store their private key on a smartcard rather than in a filesystem, making it still more difficult for others to gain access to the key.

GSI: Delegation and Single Sign-On

• The GSI provides a delegation capability: an extension of the standard SSL protocol which reduces the number of times the user must enter his passphrase. If a Grid computation requires that several Grid resources be used (each requiring mutual authentication), or if there is a need to have agents (local or remote) requesting services on behalf of a user, the need to re-enter the user's passphrase can be avoided by creating a proxy.

• A proxy consists of a new certificate (with a new public key in it) and a new private key. The new certificate contains the owner's identity, modified slightly to indicate that it is a proxy. The new certificate is signed by the owner, rather than a CA. (See diagram below.) The certificate also includes a time notation after which the proxy should no longer be accepted by others. Proxies have limited lifetimes.

• • The proxy's private key must be kept secure, but because the proxy isn't valid for very long, it

doesn't have to kept quite as secure as the owner's private key. It is thus possible to store the proxy's private key in a local storage system without being encrypted, as long as the permissions on the file prevent anyone else from looking at them easily. Once a proxy is created and stored, the user can use the proxy certificate and private key for mutual authentication without entering a password.

• When proxies are used, the mutual authentication process differs slightly. The remote party receives not only the proxy's certificate (signed by the owner), but also the owner's certificate. During mutual authentication, the owner's public key (obtained from her certificate) is used to validate the signature on the proxy certificate. The CA's public key is then used to validate the signature on the owner's certificate. This establishes a chain of trust from the CA to the proxy through the owner.

• Note that the GSI and software based on it (notably the Globus Toolkit, GSI-SSH, and GridFTP) is currently the only software which supports the delegation extensions to TLS (a.k.a. SSL). The Globus Project is actively working with the Grid Forum and the IETF to establish proxies as a standard extension to TLS so that GSI proxies may be used with other TLS software.

GSI: Securing Private Keys

• You get a cert by running grid-cert-request

• GSI expects the user's private key to be stored in a file in the local user filespace – Directory only readable by owner– file that contains the key is encrypted via a

password (also known as a passphrase). – To use GSI, user must enter the passphrase

required to decrypt the file containing their private key.

Using GSI: grid-cert-request –h displays all options

grid-cert-request [-help] [ options ...] Example Usage: Creating a user certifcate: grid-cert-request Creating a host or gatekeeper certifcate: grid-cert-request -host [my.host.fqdn] Creating a LDAP server certificate: grid-cert-request -service ldap -host [my.host.fqdn]

Options: -version : Display version -?, -h, -help, : Display usage -usage -cn <name>, : Common name of the user -commonname <name> -service <service> : Create certificate for a service.

Requires the -host option and implies that the

generated key will not be password protected (ie

implies -nopw). -host <FQDN> : Create certificate for a host

named <FQDN>

-dir <dir_name> : Changes the directory the private key and certificate

request will be placed in. By default user certificates are placed in

/home/mthomas/.globus, host certificates are placed in /etc/grid-

security and service certificates are place in /etc/grid-security/<service>. -prefix <prefix> : Causes the generated files to be named <prefix>cert.pem, <prefix>key.pem and <prefix>cert_request.pem -nopw, : Create certificate without a passwd -nodes, -nopassphrase, -verbose : Don't clear the screen -int[eractive] : Prompt user for each component of the DN -force : Overwrites preexisting certifictes -ca : Will ask which CA is to be used (interactive) -ca <hash> : Will use the CA with hash value <hash>

grid-cert-request –ca(lists CA’s recognized by host)

[mthomas@buda ~]$ /usr/local/globus/globus-3.0.2/bin/grid-cert-request -verbose -canondefaultca=true

The available CA configurations installed on this host are:

1) 1c3f2ca8 - /DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 12) 42864e48 - /C=US/O=Globus/CN=Globus Certification Authority3) 5fb2fc80 - /O=Louisiana State University/OU=CCT/OU=ca.cct.lsu.edu/CN=CCT CA4) 6349a761 - /O=DOE Science Grid/OU=Certificate Authorities/CN=Certificate Manager5) 860e3429 - /C=US/ST=Virginia/L=Charlottesville/O=University of Virginia/Email=pkimaster@virginia.edu/CN=UVA Standard Assurance SKP 16) 9a1da9f9 - /C=US/O=UTAustin/OU=TACC/CN=TACC Certification

Authority/0.9.2342.19200300.100.1.1=caman7) 9d8753eb - /DC=net/DC=es/OU=Certificate Authorities/OU=DOE Science Grid/CN=pki18) ad478c3d - /C=US/ST=Virginia/L=Charlottesville/O=NMI Testbed Grid/OU=Bridge CA/CN=BridgeCA9) c4d34612 - /C=US/ST=Alabama/L=Birmingham/O=University of Alabama at

Birmingham/OU=UABGrid/CN=UABGridCA10) cd88b13f - /O=Grid/OU=Texas Tech HPCC/OU=onera/CN=Globus Simple CA11) d1b603c3 - /DC=net/DC=ES/O=ESnet/OU=Certificate Authorities/CN=ESnet Root CA 1

Enter the index number of the CA you want to sign your cert request:

Requesting a Certificate

• To request a certificate a user starts by generating a key pair

• The private key is stored encrypted with a pass phrase the user gives

• The public key is put into a certificate request

CertificateRequest

Public Key

Private KeyEncryptedOn local

disk

Certificate Issuance

• The user then takes the certificate to the CA

• The CA usually includes a Registration Authority (RA) which verifies the request:– name unique with

respect to the CA– It is real name of the

user (often by phone, etc.)

• The CA then signs the certificate request and issues a certificate for the user

CertificateRequest

Public Key

NameIssuerPublic KeySignature

Sign

(image courtesty R. Buyya)

Creating a Cert: “Simple” steps

• Get account on host – e.g. buda.tacc.utexas.edu

• Run grid-cert-request– ~/.globus directory created with PEM files

• Email contents from usercert_request.pem file to CA of choice – ca@tacc.utexas.edu

• CA emails back to you your signed and encrypted public key file (usercert.pem)

• Place in ~/.globus on machines you want to do grid jobs on

Creating the Certificate:output from grid-cert-request

[mthomas@buda ~]$ /usr/local/globus/globus-3.0.2/bin/grid-cert-request

A certificate request and private key is being created.You will be asked to enter a PEM pass phrase.This pass phrase is akin to your account password, and is

used to protect your key file.If you forget your pass phrase, you will need to obtain a

new certificate.

Using configuration from /etc/grid-security/globus-user-ssl.conf

Generating a 1024 bit RSA private key........................++++++.......++++++writing new private key to

'/home/mthomas/.globus/userkey.pem'Enter PEM pass phrase:Verifying password - Enter PEM pass phrase:-----You are about to be asked to enter information that will be

incorporated into your certificate request.What you are about to enter is what is called a

Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-

Level 0 Organization [Grid]:Level 1 Organization [Globus]:Level 0 Organizational Unit [tacc.utexas.edu]:Name (e.g., John M. Smith) []:

A private key and a certificate request has been generatedm with the subject:

/O=Grid/O=Globus/OU=tacc.utexas.edu/CN=Mary Thomas

If the CN=Mary Thomas is not appropriate, rerun thisscript with the -force -cn "Common Name" options.

Your private key is stored in /home/mthomas/.globus/userkey.pem

Your request is stored in /home/mthomas/.globus/usercert_request.pem

Please e-mail the request to the Globus CA ca@globus.orgYou may use a command similar to the following:

cat /home/mthomas/.globus/usercert_request.pem | mail ca@globus.org

Only use the above if this machine can send AND receive e-mail. if not, please mail using some other method.

Your certificate will be mailed to you within two working days.If you receive no response, contact Globus CA at

ca@globus.org

Distinguished Names (DN)

• Globally unique identifier that represents you individually– /O=Grid/O=Globus/OU=tacc.utexas.edu/

CN=Mary Thomas

• Mapfiles: map user login/account to DN’s

• E.g. on on Texas systems, username is mthomas, so mapfile looks like:

Creating the Certificate:files created by grid-cert-request

[mthomas@buda ~/.globus]$ pwd/home/mthomas/.globus[mthomas@buda ~/.globus]$ls -altotal 16drwxr-xr-x 2 mthomas G-1130 4096 Jan 29 23:41 .drwx------ 5 mthomas G-1130 4096 Jan 29 23:40 ..-rw-r--r-- 1 mthomas G-1130 0 Jan 29 23:40 usercert.pem-rw-r--r-- 1 mthomas G-1130 1274 Jan 29 23:41

usercert_request.pem-r-------- 1 mthomas G-1130 963 Jan 29 23:41 userkey.pem[mthomas@buda ~/.globus]$

Contents of usercert_request.pem File

This is a Certificate Request file:

It should be mailed to ca@globus.org

==============================================

Certificate Subject:

/O=Grid/O=Globus/OU=tacc.utexas.edu/CN=Mary Thomas

The above string is known as your user certificate subject, and it

uniquely identifies this user.

To install this user certificate, please save this e-mail message

into the following file.

/home/mthomas/.globus/usercert.pem

You need not edit this message in any way. Simply save this e-mail message to the file.

If you have any questions about the certificate contactthe Globus CA at ca@globus.org

-----BEGIN CERTIFICATE REQUEST-----BgNVBAsTD3RhY2MudXRleGFzLmVkdTEUMBIGA1UE

AxMLTWFyeSBUaG9tYXMwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJvOvU8P

sbH4qIkaYaJkmGewcA/kC1Bx8yBahG8Uab1B5z2GR0xWIGv+IWoyp+04/+X2071CLpe

bOX0A+/39foxzE+z7aXjIFm14WL22Yn/

K3uIGNSRwJoWOu+cENrNrrl2JfIQqEIiVG5dWyT+VMkX/wx9C69X3

84iy0cq1So5VAgMBAAGgADANBgkqhkiG9w0BAQQFAAOBgQAE5qYwJVlFe2yQDgmu

/b0ICwjxJ77kNiNZRvcIfo23N4eXMi0s3YWvWAI6/nd2cgsJyfDOErUhXRteLjFS

pLSyr7njgfs2Jm26u4248P8LJbN6dAVN4JGFdoWAKPNYXbL7v30MQF8G93obvSB+

r3JacgAqczOM1vQci3HBnStX3Q==-----END CERTIFICATE REQUEST-----[mthomas@buda ~/.globus]$

GSI Public Key Contents: usercert.pem

qe2 (17) % cat usercert.pemCertificate: Data: Version: 3 (0x2) Serial Number: 503 (0x1f7) Signature Algorithm: md5WithRSAEncryption Issuer: C=US, O=SDSC, OU=SDSC-CA, CN=Certificate Authority/UID=certman Validity Not Before: Jan 30 03:23:05 2005 GMT Not After : Jan 30 03:23:05 2009 GMT Subject: C=US, O=SDSC, OU=SDSC, CN=Mary Thomas/UID=mthomas Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (2048 bit) Modulus (2048 bit): 00:ba:1d:62:9c:07:ce:24:28:72:87:17:2b:9d:c9: ed:9a:d5:89:b9:2e:83:4f:9c:50:8a:57:cd:31:36: 6b:5e:9b:ce:80:a9:71:0d:79:26:d6:ca:7a:37:8b: 23:d9:39:39:1e:97:ab:62:53:cc:d3:cb:a3:99:41: 2c:9e:fc:33:83:84:ca:15:fa:05:5b:06:f7:68:4d: c0:13:1b:89:ee:32:b3:9d:11:7a:7a:50:c2:cd:d4: d3:2a:9b:ae:40:10:18:61:72:98:4d:fd:6b:0d:ea: b5:8e:c1:d5:77:2e:a1:f2:5e:57:aa:81:e6:aa:c9: eb:f5:26:d8:67:1a:6d:00:99:e4:6d:82:b5:f9:47: 02:cf:e9:6c:b6:cb:30:96:c6:b0:a9:7c:33:f2:6f: 91:f4:e4:5a:3f:b1:9e:3d:7b:7c:4f:72:ad:89:72: 84:2a:0b:1b:a8:b0:c3:4e:50:e4:42:fc:7f:4d:c2: 89:07:ed:72:6d:fb:ad:68:c5:9a:29:3f:9c:27:af: 3d:c7:ba:d5:62:63:f5:a3:36:6e:82:41:4d:d3:d2: 49:11:0a:9c:05:57:38:1f:f7:7d:ea:8f:0e:cd:e9: 51:09:be:49:b8:ef:02:86:c8:6c:3b:e9:d5:52:a6: 06:44:b1:02:39:7d:62:67:ce:9f:9e:ae:8b:3b:be: 1e:91 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Cert Type: SSL Client, S/MIME, Object Signing Netscape Comment: OpenSSL Generated Certificate Netscape CA Revocation Url: http://www.sdsc.edu/CA/SDSC_CRL.pem X509v3 Subject Key Identifier: 26:45:B2:53:39:11:AE:E7:9E:8F:24:72:D8:77:48:7D:EA:54:55:E0 X509v3 Authority Key Identifier: keyid:BF:A3:87:2C:F6:0D:74:BD:48:6C:0E:27:BF:01:E4:F2:4F:46:BA:27 DirName:/C=US/O=SDSC/OU=SDSC-CA/CN=Certificate Authority/UID=certman serial:00

Signature Algorithm: md5WithRSAEncryption 7e:51:45:34:c8:41:2d:54:c4:03:5e:c9:2f:da:7f:c5:32:9a: 4c:0c:d3:e4:d3:d9:a1:df:60:27:5b:2e:7f:dc:6e:39:16:5c: 73:7a:76:0e:83:5a:c4:ab:97:c5:80:80:41:eb:25:05:6c:51: 95:82:72:4d:1a:73:0b:83:c5:76:dd:b2:97:5e:19:aa:2a:df: b4:ab:4b:c5:eb:e5:c2:cd:43:e6:40:a4:06:8d:66:b4:a3:3f: 4f:20:d7:dc:5b:09:70:e4:19:2e:09:6f:88:dd:00:7e:49:ba: d3:ff:d6:dd:a5:40:00:27:0f:11:4f:2f:2b:c3:98:96:86:42: 2c:c1:b8:b4:e6:dc:dd:b0:9c:c6:b2:6d:09:e3:87:1f:85:e2: cc:12:f2:04:ac:3c:b4:98:00:bc:31:e7:d3:36:dc:eb:0f:60: 2c:6a:c5:67:46:07:4c:c6:00:7a:de:71:b9:d8:ca:e9:de:86: 52:9b:76:98:7a:26:8a:55:20:5b:7d:2e:4a:f0:01:e1:78:49: 48:1f:56:3e:6f:78:7c:7b:e3:5c:c1:b1:03:7a:59:66:7f:fb: 26:98:c1:a1:fe:f7:aa:fc:06:96:67:19:b8:b9:57:70:cb:74: 18:cc:fe:95:b5:2e:a0:df:93:57:47:46:88:18:86:91:ea:d2: 2a:9e:8d:76-----BEGIN CERTIFICATE-----MIIEdjCCA16gAwIBAgICAfcwDQYJKoZIhvcNAQEEBQAwZzELMAkGA1UEBhMCVVMxDTALBgNVBAoTBFNEU0MxEDAOBgNVBAsTB1NEU0MtQ0ExHjAcBgNVBAMTFUNlcnRpZmljYXRlIEF1dGhvcml0eTEXMBUGCgmSJomT8ixkAQETB2NlcnRtYW4wHhcNMDUwMTMwMDMyMzA1WhcNMDkwMTMwMDMyMzA1WjBaMQswCQYDVQQGEwJVUzENMAsGA1UEChMEU0RTQzENMAsGA1UECxMEU0RTQzEUMBIGA1UEAxMLTWFyeSBUaG9tYXMxFzAVBgoJkiaJk/IsZAEBEwdtdGhvbWFzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuh1inAfOJChyhxcrncntmtWJuS6DT5xQilfNMTZrXpvOgKlxDXkm1sp6N4sj2Tk5HperYlPM08ujmUEsnvwzg4TKFfoFWwb3aE3AExuJ7jKznRF6elDCzdTTKpuuQBAYYXKYTf1rDeq1jsHVdy6h8l5XqoHmqsnr9SbYZxptAJnkbYK1+UcCz+lstsswlsawqXwz8m+R9ORaP7GePXt8T3KtiXKEKgsbqLDDTlDkQvx/TcKJB+1ybfutaMWaKT+cJ689x7rVYmP1ozZugkFN09JJEQqcBVc4H/d96o8OzelRCb5JuO8ChshsO+nVUqYGRLECOX1iZ86fnq6LO74ekQIDAQABo4IBNzCCATMwCQYDVR0TBAIwADARBglghkgBhvhCAQEEBAMCBLAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMDIGCWCGSAGG+EIBBAQlFiNodHRwOi8vd3d3LnNkc2MuZWR1L0NBL1NEU0NfQ1JMLnBlbTAdBgNVHQ4EFgQUJkWyUzkRrueejyRy2HdIfepUVeAwgZEGA1UdIwSBiTCBhoAUv6OHLPYNdL1IbA4nvwHk8k9Guieha6RpMGcxCzAJBgNVBAYTAlVTMQ0wCwYDVQQKEwRTRFNDMRAwDgYDVQQLEwdTRFNDLUNBMR4wHAYDVQQDExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxFzAVBgoJkiaJk/IsZAEBEwdjZXJ0bWFuggEAMA0GCSqGSIb3DQEBBAUAA4IBAQB+UUU0yEEtVMQDXskv2n/FMppMDNPk09mh32AnWy5/3G45FlxzenYOg1rEq5fFgIBB6yUFbFGVgnJNGnMLg8V23bKXXhmqKt+0q0vF6+XCzUPmQKQGjWa0oz9PINfcWwlw5BkuCW+I3QB+SbrT/9bdpUAAJw8RTy8rw5iWhkIswbi05tzdsJzGsm0J44cfheLMEvIErDy0mAC8MefTNtzrD2AsasVnRgdMxgB63nG52Mrp3oZSm3aYeiaKVSBbfS5K8AHheElIH1Y+b3h8e+NcwbEDellmf/smmMGh/veq/AaWZxm4uVdwy3QYzP6VtS6g35NXR0aIGIaR6tIqno12-----END CERTIFICATE-----

GSI Private Key Contents: userkey.pem

qe2 (15) % cat userkey.pem-----BEGIN RSA PRIVATE KEY-----Proc-Type: 4,ENCRYPTEDDEK-Info: DES-EDE3-CBC,4B20B8150256AE62

rOYybs+Rq0XXzWJJqRYty7l/HUWR9W5e8ZkYYldoX97Fc5J+ztvxihC931SX6QHY5nN3wb6jcCWG23aGN6IPiYkZGmgaAAgGrochrHQ78O2TRW88/RxIAlP3IqYgctEla0AwC44z5X0fcItRwuEozbiaOSc/RJhIsYkUu66nfXTWJZjLk0Kh42s1y+qzN+2gzGpCA46/9w6fBWrXOo0RI0DUQciVJ0jbnlKyaOJjVclgFDguwRxAd73fS90BAqTCt01NbJbr9wvAfcdg8lrObUpNOhXIv77MT5I4um+479m4So1GxXsgaaHVVo7Y1TX5If5WtRN5HOH0oVgfKBOZmEbpz1Uwy1hj3cXMrJMCtgOZlBWzcKK/rugkurPM8jpuOqNV+1fK4LfVu8okvUcZa2iNGmH8xEXv8GG+y9d84Ciw8eViM1LROKlBFsKHUl9kjd6QScfFEutx7qqfWOGWlK9WZgJEtEKZxx8Ydv9zzOrYvo0twxlteP6Dn5R3gwrphSjY6Fw7GKiqoBwmMA8/rZMU/BES/a57luHyiEpzro4xPqrsGyoGBgliXAorSsOifrHz5h1esRaXKtpeNos5DimWQ3dPz5cjLAtgKEPUYTe591aLLqDURi/hUZAzhSfGjCZnc9mOE7zIY0fv0Vo057JH4SXk7YqRqvP5oZeyhVntGAOO82SgM0e+QTKTcs/Nag7ZItavpoF2HH8P3yC6X7P0KiyqGdS5Rz3BQixMsi9K9DuuwNj9mHee0dvCGvwykKA0CLYiYI9lFVpvCL0oKGCxgBAqZnWGd7btE/iSdLT4QKbTED8gw10F9IjBCPNluTlssNwmRLJrkpCS4tcGrfJCPSKwAgUo0Wv36ft0VKsUJcx+3Otgz3KFUufPxXEaF8vKWAwb3OKsoE4Ly9azAo9HlK0a/K+4u9cg/mKOHoxgjJ9FkntyB2rk272X2ZlQ0a6s05JO0MoUt4mfXaAck4uQJbqIvZOyeu/ZwfovD1zYsN/yXUVFK7/3oSK7IlEmXbvX0XlZhJWp1CpM2p/J77cfh4Q+K88BmbQ5MjzNKduvKIYFeBd29AzbLfZOy0lvECriCdOKa5jfGaoVSVKGvh2Nz6VuwUxBlJEU6zjx5/WLNMnXnsuF+K8r+KVL74+va9kynmjNqvjgzwTuB8wZBHfh0bxFzh5IHn8saOhhaRgT+dJ7h+PjQN/kI43yjhVicqmE7FDqL44gE4jnn5VJ/gqMRXHKnaNFnmaUBKbRTuIgi6yjJwUaDBA5XXHFOdgP3uEl5FbKVZzRt5/P4OGYLVILFTZ0a3YBeHB9EhBj4cANa4E9mNxS7a5M07hs2Y87v/i2bWNktllHyu6Z1wrsYSFswKiU0S4uGmN+rYUoIChrxYvH7msnu0sD0q947aFy+QMH1YbdtWmOMAZS4C0e8KS/ZZrIkSIksoLbuVzxN4iIUaNB++8+WiZuAl4wrYOiTi4YUCVULfC1vlL1+iUlY4K3CoQe9lDUXtHaWRY3it7nJlw08gvPXMLRPvZm6Huu9+vsyzhDHLnCE6nxoQBIbZptomy9k9Y41QMsPBJrMRgZQHSjNSyMUyQWf+JI2M8g-----END RSA PRIVATE KEY-----

Certificate Operations• Certificate creation

– Grid-cert-request– grid-change-pass-phrase

• Certificate info & management– Grid-proxy-init– Grid-proxy-destroy– Grid-proxy-info Grid-cert-info– Grid-default-ca

• Mapfiles:– grid-mapfile-add-entry– grid-mapfile-check-consistency– grid-mapfile-delete-entry

• For more details see: – http://www-unix.globus.org/toolkit/docs/development/3.9.3/security/prewsaa/user/

#commandline– Note: on the machine I was testing, not all commands were installed, not all

worked.