User:Torben Rasmussen (NSC)/SweGrid old/Grid certificates

From SNIC Documentation
Jump to: navigation, search

A certificate is the equivalent of a passport in real-life. In the same way you have prove your credentials when you aquire a passport the same is true for a certificate. A Certificate Authority (CA) has to vouch for your identity and sign your certificate.

A certificate consist of 2 parts a private key and a public key. The private is your secret and should be kept as secure as possible. The public key is used to verify signatures are signed with your private key for the receiving part. The public part is also used to verify that the certficate is correct when you have the public part of the CA certificate.

For more information regarding certificates and public key cryptography: [http://en.wikipedia.org/wiki/Public-key_cryptography http://en.wikipedia.org/wiki/Public-key_cryptography] [http://en.wikipedia.org/wiki/Public_key_certificate http://en.wikipedia.org/wiki/Public_key_certificate]

Requesting a certificate with the Terena eScience Gateway

The Terena eScience Gateway is a joint effort to provide users with a tool for requesting grid-certificate with the credentials from their home-institution or university.

To request a Terena eScience Certificate go to the following URL:

[https://tcs-escience-portal.terena.org]

The procedure is as follows:

1. Click "Login" 2. Click on Sweden in the map. 3. Choose your identity provider in the drop down box. 4. Login using your credentials from your identity provider.

You should now arrive to a "home" page that shown below:

Terena1.png

Requesting a certificate with ARC tools

The first step in aquiring a certificate is to create a certificate request. This is done using the grid-cert-request -int command. (The -int options means interactive usage). When issued, the tool will generate a certificate request and a private key. The tool will also ask for a password to protect the private key. Note, if the password is lost a new certificate must be obtained. The process is shown below:

First the private key is generated:

$ grid-cert-request -int
A certificate request and private key is being created.
You will be asked to enter a PEM pass phrase.
This pass phrase is akin to your account password,
and is used to protect your key file.
If you forget your pass phrase, you will need to
obtain a new certificate.

Using configuration from /etc/grid-security/globus-user-ssl.conf
Generating a 1024 bit RSA private key
.....................................++++++
....................++++++
writing new private key to '/home/jonas/.globus/userkey.pem'

To protect the private key from unauthorized access it is encrypted using a pass phrase. If this pass phrase is empty, anyone with access to your private key and certificate can gain access to the resources you have been granted. The pass phrase should also be different from your normal login password, so if your local system has been compromised the private key is still protected.:

-----
You are about to be asked to enter information that will be
incorporated into your certificate request. What you are about to
enter is what is called a Distinguished Name or a DN. There are
quite a few fields but you can leave some blank For some fields
there will be a default value, If you enter '.', the field will be
left blank.
-----
Level 0 Organization Name (do not modify) [Grid]:
Level 1 Organization Name (do not modify) [NorduGrid]:

The following questions regards your affiliation domain and your email. It is important that your domain and the domain in the email address is the same.:

Your Domain [example.org]:mydomain.org
Name (e.g., Hans Christian Andersen) []:Joe User
Email address (e.g., h.c.andersen@example.org) []:joe.user@
mydomain.org

Finally the private key and a certificate request are generated.:

A private key and a certificate request has been generated with
the subject:

/O=Grid/O=NorduGrid/OU=mydomain.org/CN=Joe User/Email=joe.user@
mydomain.org

If the CN=Joe User/Email=joe.user@mydomain.org is not appropriate,
rerun this script with the -force -cn "Common Name" options.

Your private key is stored in /home/joe/.globus/userkey.pem
Your request is stored in /home/joe/.globus/usercert_request.pem

Please e-mail the request to the NorduGrid Certification Authority
ca@nbi.dk You may use a command similar to the following:

  cat /home/jonas/.globus/usercert_request.pem | mail ca@nbi.dk

Only use the above if this machine can send AND receive e-mail. if
not, please mail using some other method.

Your certificate will be mailed to you within two working days. If
you receive no response, contact NorduGrid Certification Authority
at ca@nbi.dk

The result of the command are 3 files userkey.pem , usercert.pem and usercert_request.pem in a subdirectory called .globus in the user home directory. The userkey.pem your private key and should not be world readable. This can be achieved by using chmod 400 userkey.pem.

The contents of the usercert_request.pem should be sent by mail to you neareast Registration Authority (RA) by mail. The RA will verify your request and varify your identity. This can involve meeting with the RA and proving your identity with a passport or equivalent documents. The current list of RA:s can be found at the following page:

[http://ca.nordugrid.org/ra.html http://ca.nordugrid.org/ra.html]

Installing certificate

When the signed certificate is received from the CA it has to be added to the usercert.pem file in the .globus directory.

The important parts of the mail are shown below::

-----BEGIN CERTIFICATE-----
xasdj ...
-----END CERTIFICATE-----

Copy the part shown above into the file usercert.pem in the .globus directory in your home directory.

Verifying the certificate

To verify that the certificate is correctly installed, issue the following command::

$ grid-cert-info -subject
/O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Jonas Lindemann

This should display your Distinguished Name (DN) of the installed certificate.

Checking certificate expiration

To check the expiration date of a certifcate, issue the following command::

$ grid-cert-info -enddate
Mar 18 15:10:41 2011 GMT

Proxy certificates

Authentication on the grid is done by using special shortlived proxy certificates, which delegate authentication to specific resources.

Creating a proxy certificate

To create a shortlived proxy that can be used for authentication with grid services, the grid-proxy-init command can be used. A 12 hour (default) proxy is created in the following example::

$ grid-proxy-init 
Your identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Jonas Lindemann
Enter GRID pass phrase for this identity:
Creating proxy .................................................... Done
Your proxy is valid until: Tue Jan 25 01:22:59 2011

The proxy file itself will be created in the /tmp directory with the format x509up_[uid], where uid is the userid number for your user account.

In some cases a longer lived proxy will be needed. This is achieved using the -valid switch. A 24-hour can be created by issuing the following command:

[jonas@localhost ~]$ grid-proxy-init -valid 24:00
Your identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Jonas Lindemann
Enter GRID pass phrase for this identity:
Creating proxy ................................................... Done
Your proxy is valid until: Thu Feb 10 18:48:34 2011 

Checking proxy lifetime

The remaining lifetime of a proxy-certificate can be queried using the grid-proxy-info command:

$ grid-proxy-info
subject  : /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Jonas Lindemann/CN=704530122
issuer   : /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Jonas Lindemann
identity : /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Jonas Lindemann
type     : RFC 3820 compliant impersonation proxy
strength : 512 bits
path     : /tmp/x509up_u500
timeleft : 0:00:00

In this case the proxy has expired. Creating a new proxy-certificate with the grid-proxy-init command produces the following output from grid-proxy-info:

$ grid-proxy-info
subject  : /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Jonas Lindemann/CN=1908712807
issuer   : /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Jonas Lindemann
identity : /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Jonas Lindemann
type     : RFC 3820 compliant impersonation proxy
strength : 512 bits
path     : /tmp/x509up_u500
timeleft : 11:59:55

Which shows that the proxy certificate is valid for 11 hours 59 minutes.

Destroying a proxy certificate

A proxy certificate can be destroyed using the grid-proxy-destroy command. This command will essentially just delete the temporary proxy file created with grid-proxy-init

Creating a proxy certificate (ARC 1.x)

To create a shortlived proxy that can be used for authentication with grid services, the arcproxy command can be used. A 12 hour (default) proxy is created in the following example::

[jonas@localhost ~]$ arcproxy
Your identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Jonas Lindemann
Enter pass phrase for /home/jonas/.globus/userkey.pem:
.++++++
.....++++++
Proxy generation succeeded
Your proxy is valid until: 2011-03-11 03:00:14

The proxy file itself will be created in the /tmp directory with the format x509up_[uid], where uid is the userid number for your user account.

In some cases a longer lived proxy will be needed. This is achieved using the --constraint switch. A 24-hour can be created by issuing the following command:

[jonas@localhost ~]$ arcproxy --constraint="validityPeriod=24H"
Your identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Jonas Lindemann
Enter pass phrase for /home/jonas/.globus/userkey.pem:
....++++++
.....++++++
Proxy generation succeeded
Your proxy is valid until: 2011-03-11 15:03:19

NOTE: When using ARC 0.8.x a GSI proxy is required. To generate a GSI proxy, the --old or -O switches can be used:

[jonas@localhost ~]$ arcproxy -O
Your identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Jonas Lindemann
Enter pass phrase for /home/jonas/.globus/userkey.pem:
................++++++
......++++++
Proxy generation succeeded
Your proxy is valid until: 2011-03-11 03:15:04

Checking proxy lifetime (ARC 1.x)

The remaining lifetime of a proxy-certificate can be queried using the arcproxy command using the --info switch.

$ arcproxy --info
[jonas@localhost ~]$ arcproxy --info
Subject: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Jonas Lindemann/CN=1567862803
Identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Jonas Lindemann
Time left for proxy: 11 hours 55 minutes
Proxy path: /tmp/x509up_u500
Proxy type: X.509 Proxy Certificate Profile RFC compliant restricted proxy

Which shows that the proxy certificate is valid for 11 hours 59 minutes.

If a GSI proxy was generated the output would be:

[jonas@localhost ~]$ arcproxy --info
Subject: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Jonas Lindemann/CN=proxy
Identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Jonas Lindemann
Time left for proxy: 11 hours 54 minutes 57 seconds
Proxy path: /tmp/x509up_u500
Proxy type: Legacy Globus impersonation proxy

Destroying a proxy certificate (ARC 1.x)

ARC 1.x does not have a explicit command for destroying a proxy.

VOMS certificates

To use the SweStore national storage resources a membership in a virtual organisation, VO, is required. When accessing the storage resources a special grid proxy certificate is required which indicates VO membership. The special proxy certificate requires that it is signed by the virtual organisation management server, VOMS. To enable this signing process, configuration files have to be added to the system. First a $HOME/.voms/vomses file with the following contents must be added:

"swegrid.se" "voms.ndgf.org" "15009" "/O=Grid/O=NorduGrid/CN=host/voms.ndgf.org" "swegrid.se"

Next the file /etc/grid-security/vomsdir/swegrid.se/voms.ndgf.org.lsc with the following contents:

/O=Grid/O=NorduGrid/CN=host/voms.ndgf.org
/O=Grid/O=NorduGrid/CN=NorduGrid Certification Authority

Creating a VOMS proxy (ARC 0.8.x)

To create a proxy certificate the, voms-proxy-init, command is used. In the following example a voms proxy certificate is created with membership in the ops group.

[jonas@localhost ~]$ voms-proxy-init -voms swegrid.se:/swegrid.se/ops

Enter GRID pass phrase:
Your identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Jonas Lindemann
Creating temporary proxy ............................................................. Done
Contacting  voms.ndgf.org:15009 [/O=Grid/O=NorduGrid/CN=host/voms.ndgf.org] "swegrid.se" Done
Creating proxy .......................................................... Done
Your proxy is valid until Thu Mar 10 23:14:57 2011

Creating a VOMS proxy (ARC 1.x)

VOMS proxies in ARC 1.x can be created using the arcproxy command and the -S or --voms switches as shown in the following example:

[jonas@localhost ~]$ arcproxy -S swegrid.se:/swegrid.se/ops
Your identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Jonas Lindemann
Enter pass phrase for /home/jonas/.globus/userkey.pem:
.....++++++
............++++++
Contacting VOMS server (named swegrid.se): voms.ndgf.org on port: 15009
Proxy generation succeeded
Your proxy is valid until: 2011-03-10 23:33:06