It’s not about security... it’s about access! Grid Security Pieter van Beek.


It’s not about security...

it’s about access!

Grid Security

Pieter van Beek

X.509 Certificates

• On the Life Science Grid (LSG) users need an X.509 certificate.

• This certificate is like a passport: authentication

• Certificates can have VO-extensions, which are like visas: authorization

• Certificates are issued by Certificate Authorities (CAs). For the Netherlands this is DutchGrid: http://www.dutchgrid.nl/

Outline

• Logging in with PuTTY

• Symmetric and asymmetric encryption

• Digital signatures

• X.509 certificates

• Delegation

• X.509 proxy certificates

• VOMS extensions

• MyProxy

• Workload Management Syztemzzzzz…

• tutorGridSession tutor

Logging in on the User Interface (UI): gb-se-ams.els.sara.nl

• Use putty.exe

1. Enter the [Host Name]

2. <Save> as “Grid UI”

3. Click <Open>

4. Login as demoXX

Symmetric and asymmetric cryptography

Inspecting your keypair

cd ~/.globus

ls -l userkey.pem

cat userkey.pem
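What `ls -l` and `cat` should show you is a key file readable only by its owner and a PEM body that is passphrase-encrypted (the legacy PEM format used for userkey.pem marks this with a `Proc-Type: 4,ENCRYPTED` header). The following script is an added example, not part of the original tutorial: it automates that inspection. The two PEM samples are constructed placeholders, not real keys; only their headers matter here.

```python
import os
import stat
import tempfile

# Constructed sample key files (not real keys): only the PEM headers matter
# for this check, so the base64 body is a placeholder string.
ENCRYPTED_KEY_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

cGxhY2Vob2xkZXIgYm9keSwgbm90IGEgcmVhbCBrZXk=
-----END RSA PRIVATE KEY-----
"""

PLAINTEXT_KEY_PEM = """-----BEGIN RSA PRIVATE KEY-----
cGxhY2Vob2xkZXIgYm9keSwgbm90IGEgcmVhbCBrZXk=
-----END RSA PRIVATE KEY-----
"""


def key_is_encrypted(pem_text):
    """True if the PEM private key is passphrase-protected.

    Legacy PEM (the format of ~/.globus/userkey.pem) carries a
    'Proc-Type: 4,ENCRYPTED' header; PKCS#8 uses a different PEM label.
    """
    return ("Proc-Type: 4,ENCRYPTED" in pem_text
            or "-----BEGIN ENCRYPTED PRIVATE KEY-----" in pem_text)


def mode_is_private(mode):
    """True if the file grants no group/other permissions (e.g. 0400 or 0600)."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def inspect_key_file(path):
    """Report mode and encryption state of a private key file on disk."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path) as fh:
        text = fh.read()
    return {
        "mode": oct(mode),
        "mode_ok": mode_is_private(mode),
        "encrypted": key_is_encrypted(text),
    }


def demo():
    """Write the constructed samples to a temporary directory and inspect
    a good (0400, encrypted) and a bad (0644, plaintext) key file."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "userkey.pem")
        with open(good, "w") as fh:
            fh.write(ENCRYPTED_KEY_PEM)
        os.chmod(good, 0o400)
        bad = os.path.join(d, "userkey-bad.pem")
        with open(bad, "w") as fh:
            fh.write(PLAINTEXT_KEY_PEM)
        os.chmod(bad, 0o644)
        results["good"] = inspect_key_file(good)
        results["bad"] = inspect_key_file(bad)
    return results


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, report)
```

Run it against a real file with `inspect_key_file(os.path.expanduser("~/.globus/userkey.pem"))`; Globus tools themselves refuse a key that is group- or world-readable, so `mode_ok` being false is the first thing to fix.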

Digital signatures

• Certificate Body

  • Issuer: the issuer's Distinguished Name

  • Validity: validity period of this certificate

  • Subject: the “Distinguished Name” (DN) of the user

  • Subject's public key

  • Extensions: various bits of information

• Digital Signature

  • Digest of the Certificate Body

  • encrypted by the issuer’s private key

X.509 Certificates are signed messages

CA Certificates: self-signed

Web-browsers come with trusted CA-certificates

Credential Delegation

The problem:

Write a “Letter of Proxy”:

The solution:

Delegation works the same as Certification:
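The two slides above (a certificate is a signed body; delegation is the same signing step done by the user instead of the CA) can be shown end to end with a toy implementation. This is an added example, not code from the tutorial or from any grid middleware: it uses textbook RSA on small, freshly generated keys and a JSON body instead of DER, so the numbers are illustrative only. The CA name `/O=dutchgrid/O=CA` is a hypothetical DN; the user DN is the one from the slides. The chain is CA (self-signed) → user (CA-signed) → proxy (user-signed, `/CN=proxy` appended, short validity).

```python
import hashlib
import json
import random


# --- Toy RSA (textbook, illustration only; real grid keys are 1024+ bit RSA
# --- with PKCS#1 padding, handled by OpenSSL) ---

def is_probable_prime(n, rounds=20):
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def generate_keypair(bits=192):
    """Return ((n, e), (n, d)); n (~384 bit) must exceed the SHA-256 digest."""
    e = 65537
    while True:
        p, q = random_prime(bits), random_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    n = p * q
    return (n, e), (n, pow(e, -1, phi))


# --- Certificate = body + signature over the digest of the body ---

def digest(body):
    """Digest of the certificate body (canonical JSON here; real X.509 hashes
    the DER-encoded tbsCertificate)."""
    raw = json.dumps(body, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(raw).digest(), "big")


def sign(body, private_key):
    n, d = private_key
    return pow(digest(body), d, n)          # "digest encrypted with the private key"


def verify(cert, issuer_public_key):
    n, e = issuer_public_key
    return pow(cert["signature"], e, n) == digest(cert["body"])


def issue(subject, subject_public_key, issuer_name, issuer_private_key,
          validity_hours, proxy=False):
    body = {"issuer": issuer_name, "subject": subject,
            "validity_hours": validity_hours,
            "public_key": list(subject_public_key),
            "extensions": {"proxy": proxy}}
    return {"body": body, "signature": sign(body, issuer_private_key)}


def build_chain():
    """CA self-signs; CA certifies the user; the user certifies a proxy."""
    ca_pub, ca_priv = generate_keypair()
    ca_name = "/O=dutchgrid/O=CA"           # hypothetical DN, not the real DutchGrid CA
    ca_cert = issue(ca_name, ca_pub, ca_name, ca_priv, 24 * 365 * 5)
    user_pub, user_priv = generate_keypair()
    user_name = "/DC=org/DC=egee-ne/O=Training Services/OU=users/CN=Demo User 01"
    user_cert = issue(user_name, user_pub, ca_name, ca_priv, 24 * 365)
    proxy_pub, _proxy_priv = generate_keypair()  # fresh key; stored unencrypted in reality
    proxy_cert = issue(user_name + "/CN=proxy", proxy_pub, user_name, user_priv, 12, proxy=True)
    return ca_cert, user_cert, proxy_cert


def verify_chain(ca_cert, user_cert, proxy_cert):
    """Each link is verified with the public key found in the issuer's certificate."""
    ca_pub = tuple(ca_cert["body"]["public_key"])
    user_pub = tuple(user_cert["body"]["public_key"])
    return (verify(ca_cert, ca_pub)            # self-signed root
            and verify(user_cert, ca_pub)
            and verify(proxy_cert, user_pub)
            and proxy_cert["body"]["subject"] == user_cert["body"]["subject"] + "/CN=proxy")


if __name__ == "__main__":
    ca, user, proxy = build_chain()
    print("chain valid:", verify_chain(ca, user, proxy))
```

The design point is that nothing in `verify` knows whether the issuer is a CA or a user: a relying party trusts the root because it already holds the CA certificate, and accepts the proxy because the signature chains through the user certificate, exactly as the slide says. A proxy signed with the wrong key, or with one body field altered after signing, fails verification.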

gb-se-ams:~/.globusdemo01$ voms-proxy-init -voms tutor
Cannot find file or dir: /home/demo01/.glite/vomses
Enter GRID pass phrase: demo01
Your identity: /DC=org/DC=egee-ne/O=Training Services/OU=users/CN=Demo User 01
Creating temporary proxy ............................................. Done
Contacting voms.grid.sara.nl:30007 [/O=dutchgrid/O=hosts/OU=sara.nl/CN=voms.grid.sara.nl] "tutor" Done
Creating proxy ................................................................................................................. Done
Your proxy is valid until Thu Jun 4 11:43:35 2009

gb-se-ams:~/.globusdemo01$ openssl x509 -in $X509_USER_PROXY -text -noout | less

gb-se-ams:~/.globusdemo01$ voms-proxy-info -all
subject   : /DC=org/DC=egee-ne/O=Training Services/OU=users/CN=Demo User 01/CN=proxy
issuer    : /DC=org/DC=egee-ne/O=Training Services/OU=users/CN=Demo User 01
identity  : /DC=org/DC=egee-ne/O=Training Services/OU=users/CN=Demo User 01
type      : proxy
strength  : 1024 bits
path      : /tmp/x509up_u1062
timeleft  : 11:19:25
=== VO tutor extension information ===
VO        : tutor
subject   : /DC=org/DC=egee-ne/O=Training Services/OU=users/CN=Demo User 01
issuer    : /O=dutchgrid/O=hosts/OU=sara.nl/CN=voms.grid.sara.nl
attribute : /tutor/Role=NULL/Capability=NULL
timeleft  : 11:19:24
uri       : voms.grid.sara.nl:30007

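Before submitting jobs it is worth checking the `voms-proxy-info -all` output programmatically rather than by eye: the proxy subject must be the identity with `/CN=proxy` appended, the VOMS attributes must come from the expected VOMS server, and both the proxy and its VO extension must have enough time left. The script below is an added example, not part of the tutorial or of the VOMS tools; the embedded sample is the output shown above, and the threshold of one hour and the expected VOMS server DN are assumptions for the check. The issuer-equals-identity test assumes a first-level proxy, as in the output above.

```python
import re

# Sample taken from the voms-proxy-info -all output shown on this page.
SAMPLE = """subject   : /DC=org/DC=egee-ne/O=Training Services/OU=users/CN=Demo User 01/CN=proxy
issuer    : /DC=org/DC=egee-ne/O=Training Services/OU=users/CN=Demo User 01
identity  : /DC=org/DC=egee-ne/O=Training Services/OU=users/CN=Demo User 01
type      : proxy
strength  : 1024 bits
path      : /tmp/x509up_u1062
timeleft  : 11:19:25
=== VO tutor extension information ===
VO        : tutor
subject   : /DC=org/DC=egee-ne/O=Training Services/OU=users/CN=Demo User 01
issuer    : /O=dutchgrid/O=hosts/OU=sara.nl/CN=voms.grid.sara.nl
attribute : /tutor/Role=NULL/Capability=NULL
timeleft  : 11:19:24
uri       : voms.grid.sara.nl:30007
"""

VOMS_SERVER_DN = "/O=dutchgrid/O=hosts/OU=sara.nl/CN=voms.grid.sara.nl"  # from the page


def timeleft_seconds(text):
    """Convert a 'H:MM:SS' timeleft field to seconds."""
    h, m, s = (int(x) for x in text.split(":"))
    return h * 3600 + m * 60 + s


def parse_proxy_info(text):
    """Split the output into the proxy block and one dict per VO extension."""
    info = {"proxy": {}, "vos": []}
    section = info["proxy"]
    for line in text.splitlines():
        m = re.match(r"^=== VO (\S+) extension information ===$", line.strip())
        if m:
            section = {"attributes": []}   # a new VO block starts
            info["vos"].append(section)
            continue
        if ":" not in line:
            continue
        key, _, value = line.partition(":")  # first ':' only; 'uri' value keeps its port
        key, value = key.strip(), value.strip()
        if key == "attribute":
            section["attributes"].append(value)
        else:
            section[key] = value
    return info


def check_proxy(info, expected_vo, expected_voms_dn, min_seconds=3600):
    """Return a list of problems; an empty list means the proxy is usable."""
    problems = []
    p = info["proxy"]
    identity = p.get("identity", "")
    if p.get("type") != "proxy":
        problems.append("not a proxy certificate")
    if p.get("subject") != identity + "/CN=proxy":
        problems.append("proxy subject is not identity + /CN=proxy")
    if p.get("issuer") != identity:          # first-level proxy: signed by the user key
        problems.append("proxy not signed by the identity's own key")
    if timeleft_seconds(p.get("timeleft", "0:0:0")) < min_seconds:
        problems.append("proxy expires too soon")
    vo = next((v for v in info["vos"] if v.get("VO") == expected_vo), None)
    if vo is None:
        problems.append("no VOMS extension for VO " + expected_vo)
    else:
        if vo.get("issuer") != expected_voms_dn:
            problems.append("VOMS attributes signed by an unexpected server")
        if vo.get("subject") != identity:
            problems.append("VOMS extension issued to a different identity")
        if timeleft_seconds(vo.get("timeleft", "0:0:0")) < min_seconds:
            problems.append("VOMS extension expires too soon")
    return problems


if __name__ == "__main__":
    parsed = parse_proxy_info(SAMPLE)
    print(check_proxy(parsed, "tutor", VOMS_SERVER_DN) or "proxy OK")
```

In daily use the text would come from `subprocess.run(["voms-proxy-info", "-all"], capture_output=True, text=True).stdout`; note that the VO extension's `timeleft` is one second shorter than the proxy's, so a job that must outlive the VOMS attributes has to be sized against the smaller of the two.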

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 260 (0x104)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: DC=org, DC=egee-ne, O=Training Services, OU=users, CN=Demo User 01
        Validity
            Not Before: Jun  3 21:38:35 2009 GMT
            Not After : Jun  4 09:43:35 2009 GMT
        Subject: DC=org, DC=egee-ne, O=Training Services, OU=users, CN=Demo User 01, CN=proxy
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:ac:e1:2f:d7:81:b8:42:cb:28:8f:ec:c8:cb:89:
                    16:7f:68:3d:07:ff:67:0d:97:15:91:22:ec:a3:be:
                    06:e7:d3:69:c9:b9:2a:f2:f5:9c:c7:00:b0:a4:16:
                    fd:6c:cc:2b:85:6d:5c:4c:4b:de:a2:3f:77:85:e6:
                    2a:90:7a:f8:8f:7b:6f:68:25:44:20:5a:23:6e:9c:
                    61:2f:b6:ff:36:9a:72:05:06:f5:bf:21:81:f1:b7:
                    81:6f:9b:50:9e:37:1c:64:34:2b:c8:90:cb:f2:26:
                    4b:bd:cf:57:77:15:a7:1d:a1:15:5c:cd:2d:e3:fd:
                    25:10:0c:e1:6d:87:31:4b:df
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            1.3.6.1.4.1.8005.100.100.5:
                0...0...0..^M0..v...0}.{0u.s0q1.0....&...,d....org1.0....&...,d....egee-ne1.0...U...Training Services1.0...U....users1.0...U....Demo User 01.....X0V.T0R1.0...U...dutchgrid1.0...U...hosts1.0...U....sara.nl1.0...U....voms.grid.sara.nl0^M..*.H..^M.........~....B;..E^.0{60"..20090603214334Z..20090604094334Z0Y0W.+.....Edd.1I0G.!..tutor://voms.grid.sara.nl:300070". /tutor/Role=NULL/Capability=NULL0...0..+.....Edd...0.0.0...U.8....0...U.#..0.......,~~.......'qp...0....+.....Edd

Trying it out

Starting a Grid session in theory…

1. Create a proxy certificate with short validity (hours)

• Contains VOMS credentials

• Allows “Single Sign-On”: Proxy private key doesn’t have a passphrase

2. Delegate this proxy to the Workload Management System (WMS)

3. Delegate another, long-lived proxy to the Proxy Server

… and in practice:

1. Normally, just type: startGridsession <VO>

but today: tutorGridSession <VO>

This returns a session name, needed to submit jobs.

gb-se-ams:~/.globusdemo01$ tutorGridSession tutor
Now starting...
Please enter your GRID password: demo01
voms-proxy-init -voms tutor --valid 120:00 -pwstdin
Cannot find file or dir: /home/demo01/.glite/vomses
Your identity: /DC=org/DC=egee-ne/O=Training Services/OU=users/CN=Demo User 01
Creating temporary proxy ........................................ Done
Contacting voms.grid.sara.nl:30007 [/O=dutchgrid/O=hosts/OU=sara.nl/CN=voms.grid.sara.nl] "tutor" Done
Creating proxy .......................................... Done
Your proxy is valid until Tue Jun 9 00:44:51 2009
Your identity: /DC=org/DC=egee-ne/O=Training Services/OU=users/CN=Demo User 01
Creating proxy ................................................................................................................. Done
Proxy Verify OK
Your proxy is valid until: Tue Jun 9 00:44:52 2009
A proxy valid for 120 hours (5.0 days) for user /DC=org/DC=egee-ne/O=Training Services/OU=users/CN=Demo User 01 now exists on px.grid.sara.nl.
Your delegation ID is: demo01
