Grid certificates

From SNIC Documentation
Revision as of 14:56, 27 October 2011 by Jens Larsson (NSC) (talk | contribs) (Introduction to certificates)
Jump to: navigation, search

< Getting started with SweGrid

In order to get access to computer and storage resources on the grid, you must have a valid grid certificate. This certificate is used instead of a regular password as the authentication mechanism when accessing the resource.

A certificate is the similar to a passport in real-life. In the same way you have prove your credentials when you acquire a passport the same is true for a certificate. A Certificate Authority (CA) has to vouch for your identity and sign your certificate.

Introduction to certificates

A certificate consist of 2 parts a private key and a public key. The private is your secret and should be kept as secure as possible. The public key is used to verify signatures are signed with your private key for the receiving part. The public part is also used to verify that the certficate is correct when you have the public part of the CA certificate.

For more information regarding certificates and public key cryptography:

http://en.wikipedia.org/wiki/Public-key_cryptography

http://en.wikipedia.org/wiki/Public_key_certificate

http://www.nordugrid.org/documents/certificate_howto.html

IMPORTANT

  • The grid certificate consists of 2 files located at ~/.globus at the host(s) from where you will be accessing resources:
     usercert.pem -- grid certificate
     userkey.pem -- the private key, be careful with this file.
  • The certificate is personal and only bound to you as a person (it consists of a name, organisation and an e-mail address). It is not bound to a specific machine or a user name.
  • The certificate is valid for 1 year only, after that it must be renewed again.
  • The private key is encrypted using a password of your choice. Anyone that can decrypt this private key will be able to authenticate as you wherever this grid certificate is used as authentication (the public key, on the other hand, is public, and may be readable by others).
  • The private key should therefore be handled with great care. On every machine that it exists it must only be readable by you (i.e. ``chmod 400 userkey.pem). Any transferring of the private key between computers must only be done using encryption (such as scp, sftp, rsync over ssh, etc.).
  • You must choose a strong password for the private key. This password must not be used anywhere else and should not be easily cracked. You must never ever give away the password to somebody else.

For more information regarding certificates and public key cryptography:

http://en.wikipedia.org/wiki/Public-key_cryptography http://en.wikipedia.org/wiki/Public_key_certificate

Requesting a certificate

Certificates are issued by a Certificate Authority or CA. For swedish users there are two relevant CA:s that can issue certificates, Terena and Nordugrid. The Terena CA is preferred if available for your university or research group, but many sites has not enabled this service yet. The Nordugrid CA can also be used but requires more manual work by all parties.

Requesting a grid certificate using the Terena eScience Portal

Requesting a grid_certificate from the Nordugrid CA

Requesting membership in the SweGrid VO

To be able to use the SweGrid or Swestore resources a membership in the SweGrid VO and a corresponding group is required. To apply for membership, make sure that your certificate is installed in the browser. Then go to the following URL:

https://voms.ndgf.org:8443/voms/swegrid.se

and follow the instructions. In a couple of hours you will be added to the SweGrid VO.

To be added to the correct SNIC project send a mail to support@swegrid.se and specify your DN as shown in the Terena portal or from the arproxy --info command and which SNIC-project to be added to.

To be added to the correct Swestore allocation send a mail to swestore-support@snic.vr.se and specify your DN as shown in the Terena portal or from the arproxy --info command and which Swestore allocation to be added to.

Proxy certificates

Authentication on the grid is done by using special shortlived proxy certificates, which delegate authentication to specific resources. There are serveral tools available for creating, checking and destroying these proxy certificates.

ARC 1.0.x

Creating a proxy certificate

To create a shortlived proxy that can be used for authentication with grid services, the arcproxy command can be used. A 12 hour (default) proxy is created in the following example::

$ arcproxy
Your identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Jonas Lindemann
Enter pass phrase for /home/jonas/.globus/userkey.pem:
.++++++
.....++++++
Proxy generation succeeded
Your proxy is valid until: 2011-03-11 03:00:14

The proxy file itself will be created in the /tmp directory with the format x509up_[uid], where uid is the userid number for your user account.

In some cases a longer lived proxy will be needed. This is achieved using the --constraint switch. A 24-hour can be created by issuing the following command:

$ arcproxy --constraint="validityPeriod=24H"
Your identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Jonas Lindemann
Enter pass phrase for /home/jonas/.globus/userkey.pem:
....++++++
.....++++++
Proxy generation succeeded
Your proxy is valid until: 2011-03-11 15:03:19
$ arcproxy
Your identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Jonas Lindemann
Enter pass phrase for /home/jonas/.globus/userkey.pem:
................++++++
......++++++
Proxy generation succeeded
Your proxy is valid until: 2011-03-11 03:15:04

Checking proxy lifetime

The remaining lifetime of a proxy-certificate can be queried using the arcproxy command using the --info switch.

$ arcproxy --info
Subject: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Jonas Lindemann/CN=1567862803
Identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Jonas Lindemann
Time left for proxy: 11 hours 55 minutes
Proxy path: /tmp/x509up_u500
Proxy type: X.509 Proxy Certificate Profile RFC compliant restricted proxy

Which shows that the proxy certificate is valid for 11 hours 59 minutes.

If a GSI proxy was generated the output would be:

$ arcproxy --info
Subject: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Jonas Lindemann/CN=proxy
Identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Jonas Lindemann
Time left for proxy: 11 hours 54 minutes 57 seconds
Proxy path: /tmp/x509up_u500
Proxy type: Legacy Globus impersonation proxy

Destroying a proxy certificate

A proxy can be destroyed with the -r or --remove switches.

$ arcproxy -r

or

$ arcproxy --remove

ARC 0.8.x

Creating a proxy certificate

To create a shortlived proxy that can be used for authentication with grid services, the grid-proxy-init command can be used. A 12 hour (default) proxy is created in the following example::

$ grid-proxy-init 
Your identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Jonas Lindemann
Enter GRID pass phrase for this identity:
Creating proxy .................................................... Done
Your proxy is valid until: Tue Jan 25 01:22:59 2011

The proxy file itself will be created in the /tmp directory with the format x509up_[uid], where uid is the userid number for your user account.

In some cases a longer lived proxy will be needed. This is achieved using the -valid switch. A 24-hour can be created by issuing the following command:

$ grid-proxy-init -valid 24:00
Your identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Jonas Lindemann
Enter GRID pass phrase for this identity:
Creating proxy ................................................... Done
Your proxy is valid until: Thu Feb 10 18:48:34 2011

Checking proxy lifetime

The remaining lifetime of a proxy-certificate can be queried using the grid-proxy-info command:

$ grid-proxy-info
subject  : /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Jonas Lindemann/CN=704530122
issuer   : /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Jonas Lindemann
identity : /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Jonas Lindemann
type     : RFC 3820 compliant impersonation proxy
strength : 512 bits
path     : /tmp/x509up_u500
timeleft : 0:00:00

In this case the proxy has expired. Creating a new proxy-certificate with the grid-proxy-init command produces the following output from grid-proxy-info:

$ grid-proxy-info
subject  : /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Jonas Lindemann/CN=1908712807
issuer   : /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Jonas Lindemann
identity : /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Jonas Lindemann
type     : RFC 3820 compliant impersonation proxy
strength : 512 bits
path     : /tmp/x509up_u500
timeleft : 11:59:55

Which shows that the proxy certificate is valid for 11 hours 59 minutes.

Destroying a proxy certificate

A proxy certificate can be destroyed using the grid-proxy-destroy command. This command will essentially just delete the temporary proxy file created with grid-proxy-init

VOMS certificates

To use the SweStore national storage resources a membership in a virtual organisation, VO, is required. When accessing the storage resources a special grid proxy certificate is required which indicates VO membership. The special proxy certificate requires that it is signed by the virtual organisation management server, VOMS. To enable this signing process, configuration files have to be added to the system. First a $HOME/.voms/vomses file with the following contents must be added:

"swegrid.se" "voms.ndgf.org" "15009" "/O=Grid/O=NorduGrid/CN=host/voms.ndgf.org" "swegrid.se"

Next the file /etc/grid-security/vomsdir/swegrid.se/voms.ndgf.org.lsc with the following contents:

/O=Grid/O=NorduGrid/CN=host/voms.ndgf.org
/O=Grid/O=NorduGrid/CN=NorduGrid Certification Authority

Creating a VOMS proxy (ARC 0.8.x)

To create a proxy certificate the, voms-proxy-init, command is used. In the following example a voms proxy certificate is created with membership in the ops group.

$ voms-proxy-init -voms swegrid.se:/swegrid.se/ops

Enter GRID pass phrase:
Your identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Jonas Lindemann
Creating temporary proxy ............................................................. Done
Contacting  voms.ndgf.org:15009 [/O=Grid/O=NorduGrid/CN=host/voms.ndgf.org] "swegrid.se" Done
Creating proxy .......................................................... Done
Your proxy is valid until Thu Mar 10 23:14:57 2011

Creating a VOMS proxy (ARC 1.x)

VOMS proxies in ARC 1.x can be created using the arcproxy command and the -S or --voms switches as shown in the following example:

$ arcproxy -S swegrid.se:/swegrid.se/ops
Your identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Jonas Lindemann
Enter pass phrase for /home/jonas/.globus/userkey.pem:
.....++++++
............++++++
Contacting VOMS server (named swegrid.se): voms.ndgf.org on port: 15009
Proxy generation succeeded
Your proxy is valid until: 2011-03-10 23:33:06