Difference between revisions of "Grid certificates"

From SNIC Documentation
Line 3: Line 3:
 
[[Category:SweStore]]
 
[[Category:SweStore]]
 
[[Category:SweStore user guide]]
 
[[Category:SweStore user guide]]
 +
[[Getting started with SweGrid|< Getting started with SweGrid]]
  
[[Getting started with SweGrid|< Getting started with SweGrid]]<br>
 
[[SweStore|< SweStore]]
 
  
In order to get access to computer and storage resources on the grid, you must have a valid grid certificate. This certificate is used instead of a regular password as the authentication mechanism when accessing the resource.
+
=Introduction to certificates=
  
A certificate is the similar to a passport in real-life. In the same way you have prove your credentials when you acquire a passport the same is true for a certificate. A Certificate Authority (CA) has to vouch for your identity and sign your certificate.
+
In order to get access to computer and storage resources on the grid or [[SweStore]] you must have a valid (grid) certificate. This certificate is used instead of a username and password when accessing the resource. The resource have a certificate that tells you that you have contacted the right resource. This is exactly the same mechanism used when you use a web browser to contact your bank.
  
=Introduction to certificates=
+
A certificate is the similar to a passport in real-life. In the same way you have prove your credentials when you acquire a passport the same is true for a certificate. A third party, the Certificate Authority or CA, that both you and the resource trust has to vouch for your identity and sign your certificate.
  
A certificate consist of 2 parts a private key and a public key. The private is your secret and should be kept as secure as possible. The public key is used to verify signatures are signed with your private key for the receiving part. The public part is also used to verify that the certficate is correct when you have the public part of the CA certificate.
+
A certificate consist of a public key, some user information and a signature of the CA. In addition to the certificate you have a private key. The private key is secret and should be kept as secure as possible.
  
 
For more information regarding certificates and public key cryptography:
 
For more information regarding certificates and public key cryptography:
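Review bot: the new introduction keeps two grammar slips from the old text, "The resource have a certificate" should read "has", and "A certificate is the similar to a passport" should read "is similar to"; in the last new paragraph "A certificate consist of" should be "consists of". The substance of the rewrite (separating the certificate from the private key, and naming the CA as a party both you and the resource trust) is an improvement and should stay.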
Line 23: Line 22:
 
[http://www.nordugrid.org/documents/certificate_howto.html http://www.nordugrid.org/documents/certificate_howto.html]
 
[http://www.nordugrid.org/documents/certificate_howto.html http://www.nordugrid.org/documents/certificate_howto.html]
  
==IMPORTANT==
+
* The grid certificate and the private key are stored in your web browser and/or located in ~/.globus at the host(s) from where you will be accessing the resource:
 
 
* The grid certificate and the private key are stored in your web browser or located in ~/.globus at the host(s) from where you will be accessing grid resources:
 
 
       usercert.pem
 
       usercert.pem
 
       userkey.pem
 
       userkey.pem
* The certificate is personal contains your public RSA key, your name and organization. It is does not contain a user name.
+
* The certificate contains your public key, your name and organization and a signature by the CA. It is does not contain any username.
 
* The certificate is valid for 13 month and should be renewed yearly.
 
* The certificate is valid for 13 month and should be renewed yearly.
* The private key is encrypted using a passphrase. Anyone that can decrypt this private key will be able to authenticate as you wherever this grid certificate is used as authentication (the public key, on the other hand, is public, and may be readable by others).
 
 
* The private key should be handled with great care. It should only be readable by you (i.e. ``chmod 400 userkey.pem''). Store the key on trusted computers and transfer the key between computers using encryption (using for example scp).
 
* The private key should be handled with great care. It should only be readable by you (i.e. ``chmod 400 userkey.pem''). Store the key on trusted computers and transfer the key between computers using encryption (using for example scp).
* You must choose a strong passphrase for the private key. This passphrase must not be used anywhere else. You must never ever give away the passphrase to somebody else.
+
* The private key is encrypted using a passphrase. Anyone that can decrypt the private key will be able to authenticate as you to grid resources. This is similar to the private key in SSH. You must choose a strong passphrase for the private key. This passphrase must not be used anywhere else. You must never ever give away the passphrase to somebody else.
 
* You should not share the certificate with someone. It's personal.  
 
* You should not share the certificate with someone. It's personal.  
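Review bot: in the new bullet "It is does not contain any username" drop "is", and "valid for 13 month" should be "13 months"; the chmod bullet is unchanged but still carries the unbalanced quoting ``chmod 400 userkey.pem'' that renders with a stray backtick. Merging the two private-key bullets into one and adding the comparison with an SSH private key reads well and makes the consequence of a leaked key clearer.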
  
Line 42: Line 38:
 
= Requesting a certificate =
 
= Requesting a certificate =
  
Certificates are issued by a Certificate Authority or CA. For swedish users there are two relevant CA:s that can issue certificates, Terena and Nordugrid. The Terena CA is preferred if available for your university or research group, but many sites has not enabled this service yet. The Nordugrid CA can also be used but requires more manual work by all parties.
+
Certificates are issued by a Certificate Authority or CA. For swedish users there are two CA:s that can issue certificates, Terena and Nordugrid. The Terena CA is preferred if it is available for your university or research group, but many sites has not enabled this service yet. The Nordugrid CA can also be used but requires more manual work by all parties.
  
 
[[Requesting a grid certificate using the Terena eScience Portal]]
 
[[Requesting a grid certificate using the Terena eScience Portal]]
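Review bot: "swedish" should be capitalised, "CA:s" is the Swedish plural form and in English should be "CAs", and "many sites has not enabled" should be "have not"; the change from "two relevant CA:s" to "two CA:s" is fine.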
Line 62: Line 58:
 
= Proxy certificates =
 
= Proxy certificates =
  
Authentication on the grid is done by using special shortlived proxy certificates, which delegate authentication to specific resources. There are serveral tools available for creating, checking and destroying these proxy certificates.  
+
Authentication on the grid is done using special short lived ''proxy'' certificates. There are several tools available for creating, checking and destroying these proxy certificates.
== ARC 1.0.x ==
+
 +
== ARC 1.* ==
 
=== Creating a proxy certificate ===
 
=== Creating a proxy certificate ===
  
To create a shortlived proxy that can be used for authentication with grid services, the '''arcproxy''' command can be used. A 12 hour (default) proxy is created in the following example::
+
To create a short lived proxy that can be used for authentication with grid services, the '''arcproxy''' command can be used. A 12 hour (default) proxy is created in the following example:
  
 
  $ arcproxy
 
  $ arcproxy
  Your identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Jonas Lindemann
+
  Your identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Kalle Kula
  Enter pass phrase for /home/jonas/.globus/userkey.pem:
+
  Enter pass phrase for /home/kalle/.globus/userkey.pem:
 
  .++++++
 
  .++++++
 
  .....++++++
 
  .....++++++
Line 76: Line 73:
 
  Your proxy is valid until: 2011-03-11 03:00:14
 
  Your proxy is valid until: 2011-03-11 03:00:14
  
The proxy file itself will be created in the '''/tmp''' directory with the format '''x509up_[uid]''', where uid is the userid number for your user account.
+
The proxy file itself will be created in the '''/tmp''' directory with the format '''x509up_uid''', where uid is the user id number for your account.
  
 
In some cases a longer lived proxy will be needed. This is achieved using the '''--constraint''' switch. A 24-hour can be created by issuing the following command:
 
In some cases a longer lived proxy will be needed. This is achieved using the '''--constraint''' switch. A 24-hour can be created by issuing the following command:
  
 
  $ arcproxy --constraint="validityPeriod=24H"
 
  $ arcproxy --constraint="validityPeriod=24H"
  Your identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Jonas Lindemann
+
  Your identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Kalle Kula
  Enter pass phrase for /home/jonas/.globus/userkey.pem:
+
  Enter pass phrase for /home/kalle/.globus/userkey.pem:
 
  ....++++++
 
  ....++++++
 
  .....++++++
 
  .....++++++
 
  Proxy generation succeeded
 
  Proxy generation succeeded
 
  Your proxy is valid until: 2011-03-11 15:03:19
 
  Your proxy is valid until: 2011-03-11 15:03:19
 
$ arcproxy
 
Your identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Jonas Lindemann
 
Enter pass phrase for /home/jonas/.globus/userkey.pem:
 
................++++++
 
......++++++
 
Proxy generation succeeded
 
Your proxy is valid until: 2011-03-11 03:15:04
 
  
 
=== Checking proxy lifetime ===
 
=== Checking proxy lifetime ===
  
The remaining lifetime of a proxy-certificate can be queried using the '''arcproxy''' command using the '''--info''' switch.
+
The remaining lifetime of a proxy certificate can be checked using the '''arcproxy''' command with the '''--info''' switch.
  
 
  $ arcproxy --info
 
  $ arcproxy --info
  Subject: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Jonas Lindemann/CN=1567862803
+
  Subject: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Kalle Kula/CN=1567862803
  Identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Jonas Lindemann
+
  Identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Kalle Kula
 
  Time left for proxy: 11 hours 55 minutes
 
  Time left for proxy: 11 hours 55 minutes
 
  Proxy path: /tmp/x509up_u500
 
  Proxy path: /tmp/x509up_u500
 
  Proxy type: X.509 Proxy Certificate Profile RFC compliant restricted proxy
 
  Proxy type: X.509 Proxy Certificate Profile RFC compliant restricted proxy
  
Which shows that the proxy certificate is valid for 11 hours 59 minutes.
+
In this example the proxy certificate is valid for 11 hours 55 minutes more.
 
 
If a GSI proxy was generated the output would be:
 
 
 
$ arcproxy --info
 
Subject: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Jonas Lindemann/CN=proxy
 
Identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Jonas Lindemann
 
Time left for proxy: 11 hours 54 minutes 57 seconds
 
Proxy path: /tmp/x509up_u500
 
Proxy type: Legacy Globus impersonation proxy
 
  
 
=== Destroying a proxy certificate ===
 
=== Destroying a proxy certificate ===
  
A proxy can be destroyed with the '''-r''' or '''--remove''' switches.
+
A proxy can be destroyed with the '''-r''' or '''--remove''' switch.
  
 
  $ arcproxy -r
 
  $ arcproxy -r
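Review bot: the new wording "with the format x509up_uid" loses the literal u that the output further down shows (Proxy path: /tmp/x509up_u500); write x509up_u<uid>. Dropping the duplicated third arcproxy run is right, but removing the GSI proxy --info sample takes away the only place the page showed that arcproxy can report a proxy type other than "RFC compliant"; one sentence saying that a "Legacy Globus impersonation proxy" is also possible would preserve that.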
Line 128: Line 108:
 
  $ arcproxy --remove
 
  $ arcproxy --remove
  
== ARC 0.8.x ==
 
=== Creating a proxy certificate ===
 
 
To create a shortlived proxy that can be used for authentication with grid services, the '''grid-proxy-init''' command can be used. A 12 hour (default) proxy is created in the following example::
 
 
$ grid-proxy-init
 
Your identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Jonas Lindemann
 
Enter GRID pass phrase for this identity:
 
Creating proxy .................................................... Done
 
Your proxy is valid until: Tue Jan 25 01:22:59 2011
 
 
The proxy file itself will be created in the <tt>/tmp</tt> directory with the format <tt>x509up_[uid]</tt>, where uid is the userid number for your user account.
 
 
In some cases a longer lived proxy will be needed. This is achieved using the '''-valid''' switch. A 24-hour can be created by issuing the following command:
 
 
$ grid-proxy-init -valid 24:00
 
Your identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Jonas Lindemann
 
Enter GRID pass phrase for this identity:
 
Creating proxy ................................................... Done
 
Your proxy is valid until: Thu Feb 10 18:48:34 2011
 
 
=== Checking proxy lifetime ===
 
 
The remaining lifetime of a proxy-certificate can be queried using the '''grid-proxy-info''' command:
 
 
$ grid-proxy-info
 
subject  : /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Jonas Lindemann/CN=704530122
 
issuer  : /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Jonas Lindemann
 
identity : /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Jonas Lindemann
 
type    : RFC 3820 compliant impersonation proxy
 
strength : 512 bits
 
path    : /tmp/x509up_u500
 
timeleft : 0:00:00
 
 
In this case the proxy has expired. Creating a new proxy-certificate with the '''grid-proxy-init''' command produces the following output from '''grid-proxy-info''':
 
 
$ grid-proxy-info
 
subject  : /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Jonas Lindemann/CN=1908712807
 
issuer  : /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Jonas Lindemann
 
identity : /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Jonas Lindemann
 
type    : RFC 3820 compliant impersonation proxy
 
strength : 512 bits
 
path    : /tmp/x509up_u500
 
timeleft : 11:59:55
 
 
Which shows that the proxy certificate is valid for 11 hours 59 minutes.
 
 
=== Destroying a proxy certificate ===
 
 
A proxy certificate can be destroyed using the '''grid-proxy-destroy''' command. This command will essentially just delete the temporary proxy file created with '''grid-proxy-init'''
 
  
 
= VOMS certificates =
 
= VOMS certificates =
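Review bot: the whole ARC 0.8.x section (grid-proxy-init, grid-proxy-info, grid-proxy-destroy) is removed without any replacement, so users still on 0.8.x clients get no pointer at all; a one-line note under the ARC 1.* heading that older clients use grid-proxy-init and grid-proxy-info instead of arcproxy would cover them. The removed grid-proxy-info sample also showed "strength : 512 bits" for the proxy key, which the arcproxy samples do not display; if that is still the proxy key size, it is worth stating somewhere on the page.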
Line 190: Line 120:
 
/O=Grid/O=NorduGrid/CN=NorduGrid Certification Authority</pre>
 
/O=Grid/O=NorduGrid/CN=NorduGrid Certification Authority</pre>
  
== Creating a VOMS proxy (ARC 0.8.x) ==
+
== Creating a VOMS proxy ==
 
 
To create a proxy certificate the, '''voms-proxy-init''', command is used. In the following example a voms proxy certificate is created with membership in the '''ops''' group.
 
 
 
$ voms-proxy-init -voms swegrid.se:/swegrid.se/ops
 
 
Enter GRID pass phrase:
 
Your identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Jonas Lindemann
 
Creating temporary proxy ............................................................. Done
 
Contacting  voms.ndgf.org:15009 [/O=Grid/O=NorduGrid/CN=host/voms.ndgf.org] "swegrid.se" Done
 
Creating proxy .......................................................... Done
 
Your proxy is valid until Thu Mar 10 23:14:57 2011
 
 
 
== Creating a VOMS proxy (ARC 1.x) ==
 
  
VOMS proxies in ARC 1.x can be created using the '''arcproxy''' command and the '''-S''' or '''--voms''' switches as shown in the following example:
+
VOMS proxies in ARC1 can be created using the '''arcproxy''' command and the '''-S''' or '''--voms''' switches as shown in the following example:
  
 
  $ arcproxy -S swegrid.se:/swegrid.se/ops
 
  $ arcproxy -S swegrid.se:/swegrid.se/ops
  Your identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Jonas Lindemann
+
  Your identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Kalle Kula
  Enter pass phrase for /home/jonas/.globus/userkey.pem:
+
  Enter pass phrase for /home/kalle/.globus/userkey.pem:
 
  .....++++++
 
  .....++++++
 
  ............++++++
 
  ............++++++
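Review bot: the sentence "VOMS proxies in ARC1 can be created" should use the same name as the section above, "ARC 1.*", and since the voms-proxy-init example is removed together with its ARC 0.8.x heading, the renamed "Creating a VOMS proxy" section now covers arcproxy only; say so in the sentence so the reader does not look for the voms-proxy-init variant.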

Revision as of 15:21, 28 October 2011



Introduction to certificates

In order to get access to computer and storage resources on the grid or SweStore you must have a valid (grid) certificate. The certificate is used instead of a username and password when you access a resource. The resource in turn has a certificate of its own, which lets your client verify that it has contacted the right resource, so both sides authenticate each other. This is the same mechanism (TLS with X.509 certificates) that your web browser uses when you contact your bank; the difference is that on the grid the client side also presents a certificate.

A certificate is similar to a passport. Just as you have to prove who you are before a passport is issued, you have to prove your identity before you get a certificate: a third party that both you and the resource trust, the Certificate Authority (CA), vouches for your identity by signing the certificate.

A certificate consists of a public key, some information about you and a signature by the CA. In addition to the certificate you have a private key. The certificate itself contains nothing secret; it is the private key that proves the certificate is yours, so the private key is secret and must be kept as secure as possible.

For more information regarding certificates and public key cryptography:

http://en.wikipedia.org/wiki/Public-key_cryptography

http://en.wikipedia.org/wiki/Public_key_certificate

http://www.nordugrid.org/documents/certificate_howto.html

  • The grid certificate and the private key are stored in your web browser and/or in ~/.globus on the host(s) from which you will access the resource:
     usercert.pem
     userkey.pem
  • The certificate contains your public key, your name and organisation and a signature by the CA. It does not contain any username; which account or allocation your certificate subject (DN) is mapped to is decided by the resource.
  • The certificate is valid for 13 months and should be renewed yearly, so that you have a month of overlap in which to switch to the new one before the old one expires.
  • The private key must be handled with great care. It should be readable only by you (chmod 400 userkey.pem). Keep it on trusted computers only, and if you have to move it between computers use an encrypted channel (for example scp).
  • The private key is encrypted with a passphrase. Anyone who can decrypt the private key can authenticate as you to every grid resource, exactly as with an SSH private key. Choose a strong passphrase, do not reuse it anywhere else, and never give it to anybody.
  • Do not share the certificate with anybody. It is personal: everything done with it is done in your name.


Requesting a certificate

Certificates are issued by a Certificate Authority (CA). For Swedish users there are two CAs that can issue grid certificates, Terena and NorduGrid. The Terena CA is preferred if it is available for your university or research group, but many sites have not enabled this service yet. The NorduGrid CA can also be used but requires more manual work by all parties.

Requesting a grid certificate using the Terena eScience Portal

Requesting a grid certificate from the NorduGrid CA

Requesting membership in the SweGrid VO

To be able to use the SweGrid or SweStore resources you must be a member of the SweGrid VO and of the appropriate group within it. To apply for membership, make sure that your certificate is installed in your browser, since the VOMS web interface authenticates you with it. Then go to the following URL:

https://voms.ndgf.org:8443/voms/swegrid.se

and follow the instructions. Within a couple of hours you will be added to the SweGrid VO.

To be added to the correct SNIC project, send a mail to support@swegrid.se stating your DN, as shown in the Terena portal or by the arcproxy --info command, and which SNIC project you should be added to.

To be added to the correct SweStore allocation, send a mail to swestore-support@snic.vr.se stating your DN in the same way and which SweStore allocation you should be added to.

Proxy certificates

Authentication on the grid is done with special short-lived proxy certificates. A proxy is a new certificate and key pair, signed with your own private key, that is valid for hours instead of months and whose key is stored unencrypted so that tools can use it without asking for your passphrase every time. The proxy is what you actually present to the grid, which is why its short lifetime matters. There are several tools available for creating, checking and destroying proxy certificates.

ARC 1.*

Creating a proxy certificate

To create a short-lived proxy that can be used for authentication with grid services, the arcproxy command is used. It asks for the passphrase of userkey.pem because the proxy is signed with that key. A 12-hour (default) proxy is created in the following example:

$ arcproxy
Your identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Kalle Kula
Enter pass phrase for /home/kalle/.globus/userkey.pem:
.++++++
.....++++++
Proxy generation succeeded
Your proxy is valid until: 2011-03-11 03:00:14

The proxy file itself is created in the /tmp directory as x509up_u<uid>, where uid is the numeric user id of your account (/tmp/x509up_u500 for uid 500, as in the examples below). The file holds the proxy certificate, its private key in unencrypted form and the user certificate it was derived from, so it must be readable by you only (mode 0600); anyone who can read it can act as you until the proxy expires.
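The file hygiene asked for above (the private key readable only by you and passphrase protected, from the list under Introduction to certificates; the proxy file in /tmp readable only by you, from this paragraph) can be checked by a script. The audit below is an added example and not SNIC or ARC code. It assumes the conventional paths the page gives (~/.globus/usercert.pem, ~/.globus/userkey.pem, /tmp/x509up_u<uid>), recognises a passphrase-protected key by its PEM headers (Proc-Type: 4,ENCRYPTED for a PKCS#1 key, or the ENCRYPTED PRIVATE KEY label for PKCS#8), and its demo() builds a constructed fixture with placeholder PEM bodies rather than touching your real credentials.

```python
"""Audit grid credential files: ~/.globus/usercert.pem, userkey.pem, /tmp/x509up_u<uid>.

Added example, not SNIC or ARC code. Checks ownership and mode, that the
long-lived key is passphrase protected, and that the proxy file (which holds
its private key unencrypted) is readable by nobody else.
"""
import os
import stat
import tempfile


def proxy_path(uid=None):
    """Location arcproxy uses: /tmp/x509up_u<uid>, e.g. /tmp/x509up_u500."""
    return "/tmp/x509up_u%d" % (os.getuid() if uid is None else uid)


def pem_labels(text):
    """Labels of the PEM blocks in text, e.g. ['CERTIFICATE', 'RSA PRIVATE KEY']."""
    return [line[len("-----BEGIN "):-len("-----")] for line in text.splitlines()
            if line.startswith("-----BEGIN ") and line.endswith("-----")]


def key_is_encrypted(text):
    """True if the first private-key block is passphrase protected: openssl puts
    'Proc-Type: 4,ENCRYPTED' right after BEGIN for PKCS#1, or uses the label
    'ENCRYPTED PRIVATE KEY' for PKCS#8."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
            return True
        if line.startswith("-----BEGIN ") and line.endswith("PRIVATE KEY-----"):
            return any(h.startswith("Proc-Type:") and "ENCRYPTED" in h
                       for h in lines[i + 1:i + 4])
    return False


def audit_file(path, forbidden_bits, want_labels, key_must_be_encrypted=False):
    """Findings for one credential file; an empty list means it is fine."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return [path + ": missing"]
    if stat.S_ISLNK(st.st_mode):            # a symlink in /tmp is a classic trap
        return [path + ": is a symlink"]
    if not stat.S_ISREG(st.st_mode):
        return [path + ": not a regular file"]
    findings = []
    if st.st_uid != os.geteuid():
        findings.append("%s: owned by uid %d, not by you" % (path, st.st_uid))
    mode = stat.S_IMODE(st.st_mode)
    if mode & forbidden_bits:
        findings.append("%s: mode %04o is too open" % (path, mode))
    with open(path, "r", errors="replace") as fh:
        text = fh.read()
    labels = pem_labels(text)
    for want in want_labels:
        if not any(want in label for label in labels):
            findings.append("%s: no %s block" % (path, want))
    if key_must_be_encrypted and not key_is_encrypted(text):
        findings.append(path + ": private key is not passphrase protected")
    return findings


def audit_credentials(globus_dir=None, proxy=None):
    """Audit usercert.pem, userkey.pem and, if present, the proxy file."""
    globus_dir = globus_dir or os.path.expanduser("~/.globus")
    proxy = proxy or proxy_path()
    findings = []
    # The certificate is public: only group/world *write* access is a problem.
    findings += audit_file(os.path.join(globus_dir, "usercert.pem"), 0o022, ["CERTIFICATE"])
    # The long-lived key: no access for anybody else, and encrypted on disk.
    findings += audit_file(os.path.join(globus_dir, "userkey.pem"), 0o077,
                           ["PRIVATE KEY"], key_must_be_encrypted=True)
    # The proxy holds certificate + *unencrypted* key: 0600 is all that protects it.
    if os.path.exists(proxy):
        findings += audit_file(proxy, 0o077, ["CERTIFICATE", "PRIVATE KEY"])
    return findings


def demo():
    """Constructed fixture (placeholder PEM bodies, not real keys): a well-kept
    ~/.globus and a careless one. Returns the two finding lists."""
    cert = "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n"
    good_key = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                "MIIE...placeholder...\n-----END RSA PRIVATE KEY-----\n")
    bad_key = "-----BEGIN RSA PRIVATE KEY-----\nMIIE...placeholder...\n-----END RSA PRIVATE KEY-----\n"
    results = []
    for key_text, key_mode in ((good_key, 0o400), (bad_key, 0o644)):
        with tempfile.TemporaryDirectory() as d:
            for name, text, mode in (("usercert.pem", cert, 0o644), ("userkey.pem", key_text, key_mode)):
                with open(os.path.join(d, name), "w") as fh:
                    fh.write(text)
                os.chmod(os.path.join(d, name), mode)
            results.append(audit_credentials(d, proxy=os.path.join(d, "no-proxy")))
    return results


if __name__ == "__main__":
    for finding in audit_credentials():
        print(finding)
```

Run it without arguments to audit your own ~/.globus and current proxy; demo() shows the difference between a key kept at mode 0400 with a passphrase and one left world-readable and unencrypted, which is the case the IMPORTANT list warns about.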

In some cases a longer-lived proxy is needed. This is achieved with the --constraint switch. A 24-hour proxy is created with the following command; keep the lifetime no longer than the job needs, since a leaked proxy is usable until it expires:

$ arcproxy --constraint="validityPeriod=24H"
Your identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Kalle Kula
Enter pass phrase for /home/kalle/.globus/userkey.pem:
....++++++
.....++++++
Proxy generation succeeded
Your proxy is valid until: 2011-03-11 15:03:19

Checking proxy lifetime

The remaining lifetime of a proxy certificate can be checked using the arcproxy command with the --info switch.

$ arcproxy --info
Subject: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Kalle Kula/CN=1567862803
Identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Kalle Kula
Time left for proxy: 11 hours 55 minutes
Proxy path: /tmp/x509up_u500
Proxy type: X.509 Proxy Certificate Profile RFC compliant restricted proxy

In this example the proxy certificate is valid for 11 hours and 55 minutes more. Note that the Subject is the Identity with one extra /CN=<number> component appended; that is how a proxy is distinguished from the user certificate it was derived from.
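Scripts that submit jobs usually want to know whether the current proxy will outlive the job before they start. The parser below is an added example, not part of ARC. It reads the output format shown above, and the GSI variant with a "Legacy Globus impersonation proxy" type and a seconds field that an earlier revision of this page showed, turns Time left into seconds and checks that Subject is Identity plus exactly one /CN= component. The sample outputs are the page's own, reproduced as constructed strings; whether other arcproxy versions phrase the lifetime differently is an assumption not covered here, and any phrasing the parser does not recognise counts as no time left.

```python
"""Decide from 'arcproxy --info' output whether the current proxy suits a job.

Added example, not ARC code. It parses the 'Key: value' lines shown on this
page, converts the 'Time left for proxy' phrase into seconds (wording it does
not recognise counts as no time left) and checks the proxy's type and subject.
"""
import re

_SECONDS = {"day": 86400, "hour": 3600, "minute": 60, "second": 1}


def parse_arcproxy_info(output):
    """Return a dict of the 'Key: value' lines plus 'seconds_left' (int)."""
    info = {}
    for line in output.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            info[key.strip()] = value.strip()
    seconds = 0
    for amount, unit in re.findall(r"(\d+)\s+(day|hour|minute|second)s?",
                                   info.get("Time left for proxy", "")):
        seconds += int(amount) * _SECONDS[unit]
    info["seconds_left"] = seconds
    return info


def subject_matches_identity(info):
    """A proxy's Subject must be its Identity with exactly one /CN=... appended."""
    subject, identity = info.get("Subject", ""), info.get("Identity", "")
    prefix = identity + "/CN="
    return subject.startswith(prefix) and "/" not in subject[len(prefix):]


def proxy_usable(info, needed_seconds, require_rfc=True):
    """True if the proxy outlives needed_seconds, is consistent and, by default,
    is an RFC 3820 style proxy rather than a legacy Globus one."""
    if info["seconds_left"] < needed_seconds:
        return False
    if not subject_matches_identity(info):
        return False
    if require_rfc and "RFC" not in info.get("Proxy type", ""):
        return False
    return True


# Sample outputs: the page's own arcproxy --info examples, as constructed strings.
RFC_PROXY_INFO = """\
Subject: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Kalle Kula/CN=1567862803
Identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Kalle Kula
Time left for proxy: 11 hours 55 minutes
Proxy path: /tmp/x509up_u500
Proxy type: X.509 Proxy Certificate Profile RFC compliant restricted proxy
"""

LEGACY_PROXY_INFO = """\
Subject: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Kalle Kula/CN=proxy
Identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Kalle Kula
Time left for proxy: 11 hours 54 minutes 57 seconds
Proxy path: /tmp/x509up_u500
Proxy type: Legacy Globus impersonation proxy
"""


if __name__ == "__main__":
    import subprocess
    live = subprocess.run(["arcproxy", "--info"], capture_output=True, text=True).stdout
    print("usable for a 6 hour job:", proxy_usable(parse_arcproxy_info(live), 6 * 3600))
```

With the page's sample output a 6-hour job passes and a 12-hour job does not, so the script would create a fresh proxy (or one with --constraint="validityPeriod=24H") before submitting the longer job.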

Destroying a proxy certificate

A proxy can be destroyed with the -r or --remove switch. This deletes the proxy file from /tmp, which is worth doing as soon as you no longer need it, since the file contains an unencrypted private key.

$ arcproxy -r

or

$ arcproxy --remove


VOMS certificates

To use the SweStore national storage resources, membership in a virtual organisation (VO) is required. When you access the storage resources you need a special grid proxy certificate that carries your VO membership as an attribute. That attribute is signed by the Virtual Organisation Membership Service (VOMS) server, and your client verifies the signature, so two configuration files have to be added to the system before such a proxy can be created. First, a $HOME/.voms/vomses file telling the client where to find the server; its fields are alias, host name, port, the DN of the server certificate and the VO name:

"swegrid.se" "voms.ndgf.org" "15009" "/O=Grid/O=NorduGrid/CN=host/voms.ndgf.org" "swegrid.se"

Next, the file /etc/grid-security/vomsdir/swegrid.se/voms.ndgf.org.lsc, which lists the DN of the VOMS server certificate followed by the DN of the CA that issued it. The client uses it to check that the attributes it received were really signed by that server:

/O=Grid/O=NorduGrid/CN=host/voms.ndgf.org
/O=Grid/O=NorduGrid/CN=NorduGrid Certification Authority
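The two files have to agree with each other: the .lsc is looked up as vomsdir/<VO>/<host>.lsc using the VO name and host from the vomses entry, and its first line must be the same server DN that vomses gives, with the issuing CA's DN on the second line. The checker below is an added example, not VOMS or ARC code. It parses both formats, rebuilds the .lsc path for each vomses entry and reports mismatches. The sample contents are the page's own, plus a deliberately broken variant constructed for contrast; the check that the server DN's CN names the host (CN=host/<fqdn>) follows the NorduGrid convention shown on this page and is an assumption for other CAs.

```python
"""Cross-check a vomses file against the .lsc files in a vomsdir.

Added example, not VOMS or ARC code. A vomses line has five quoted fields,
  "alias" "host" "port" "server DN" "VO name"
and vomsdir/<VO>/<host>.lsc lists the server DN followed by its issuer's DN.
"""
import os
import shlex


def parse_vomses(text):
    """Parse vomses lines into dicts; blank lines and # comments are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)              # strips the double quotes
        if len(fields) < 5:
            raise ValueError("malformed vomses line: %r" % raw)
        port = int(fields[2])
        if not 1 <= port <= 65535:
            raise ValueError("bad port in vomses line: %r" % raw)
        entries.append({"alias": fields[0], "host": fields[1], "port": port,
                        "server_dn": fields[3], "vo": fields[4]})
    return entries


def parse_lsc(text):
    """DN chain of an .lsc file: the server DN first, then the CA that issued it."""
    dns = [l.strip() for l in text.splitlines() if l.strip() and not l.startswith("#")]
    if len(dns) < 2:
        raise ValueError("an .lsc file needs the server DN and the CA DN")
    return dns


def load_vomsdir(root="/etc/grid-security/vomsdir"):
    """Map 'vo/host.lsc' -> file contents for every .lsc below root."""
    files = {}
    if not os.path.isdir(root):
        return files
    for vo in os.listdir(root):
        vo_dir = os.path.join(root, vo)
        for name in os.listdir(vo_dir) if os.path.isdir(vo_dir) else []:
            if name.endswith(".lsc"):
                with open(os.path.join(vo_dir, name)) as fh:
                    files[vo + "/" + name] = fh.read()
    return files


def cn_names_host(dn, host):
    """Assumption: the server cert's CN is 'host/<fqdn>' (NorduGrid CA style) or '<fqdn>'."""
    return dn.rsplit("/CN=", 1)[-1] in (host, "host/" + host)


def check_voms_config(vomses_text, lsc_files):
    """Return a list of problems; an empty list means vomses and vomsdir agree."""
    problems = []
    for e in parse_vomses(vomses_text):
        rel = "%s/%s.lsc" % (e["vo"], e["host"])
        if not cn_names_host(e["server_dn"], e["host"]):
            problems.append("%s: server DN %r does not name host %s"
                            % (e["alias"], e["server_dn"], e["host"]))
        if rel not in lsc_files:
            problems.append("%s: missing vomsdir/%s" % (e["alias"], rel))
            continue
        try:
            dns = parse_lsc(lsc_files[rel])
        except ValueError as err:
            problems.append("%s: %s" % (rel, err))
            continue
        if dns[0] != e["server_dn"]:
            problems.append("%s: first line of %s is %r but vomses says %r"
                            % (e["alias"], rel, dns[0], e["server_dn"]))
    return problems


# The page's own configuration, embedded here as constructed strings.
VOMSES = ('"swegrid.se" "voms.ndgf.org" "15009" '
          '"/O=Grid/O=NorduGrid/CN=host/voms.ndgf.org" "swegrid.se"\n')
LSC_OK = {"swegrid.se/voms.ndgf.org.lsc":
          "/O=Grid/O=NorduGrid/CN=host/voms.ndgf.org\n"
          "/O=Grid/O=NorduGrid/CN=NorduGrid Certification Authority\n"}
# Constructed mistake for contrast: the two DNs in the wrong order.
LSC_SWAPPED = {"swegrid.se/voms.ndgf.org.lsc":
               "/O=Grid/O=NorduGrid/CN=NorduGrid Certification Authority\n"
               "/O=Grid/O=NorduGrid/CN=host/voms.ndgf.org\n"}


if __name__ == "__main__":
    with open(os.path.expanduser("~/.voms/vomses")) as fh:
        for problem in check_voms_config(fh.read(), load_vomsdir()):
            print(problem)
```

Running it as a script checks your own $HOME/.voms/vomses against /etc/grid-security/vomsdir; the swapped-DN fixture shows the kind of mistake that is easy to make when the two lines of the .lsc are typed by hand.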

Creating a VOMS proxy

VOMS proxies in ARC 1.* are created with the arcproxy command and the -S or --voms switch. The argument is the VOMS alias from the vomses file, a colon, and the group you want the attribute for, as shown in the following example:

$ arcproxy -S swegrid.se:/swegrid.se/ops
Your identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Kalle Kula
Enter pass phrase for /home/kalle/.globus/userkey.pem:
.....++++++
............++++++
Contacting VOMS server (named swegrid.se): voms.ndgf.org on port: 15009
Proxy generation succeeded
Your proxy is valid until: 2011-03-10 23:33:06