
Hands-on on security


Page 1: Hands-on on security

www.eu-eela.org

E-infrastructure shared between Europe and Latin America

FP6−2004−Infrastructures−6-SSA-026409

Hands-on on security

Pedro Rausch
IF - UFRJ
Ninth EELA Tutorial
Bogotá, 06.03.2007

Page 2: Hands-on on security


E-infrastructure shared between Europe and Latin America

Bogotá, Ninth EELA Tutorial, 06.03.2007, FP6−2004−Infrastructures−6-SSA-026409

Overview

• Accessing the UI

• Private and public keys

• VOMS
  – voms-proxy-init
  – voms-proxy-info
  – voms-proxy-destroy

• MyProxy
  – myproxy-init
  – myproxy-info
  – myproxy-get-delegation
  – myproxy-destroy

Page 3: Hands-on on security


How to access the User Interface

• Open the VMWare User Interface on your desktop (click the icon)

• Username: bogotaXX (LOOK AT THE STICKER!), where XX is in [01..50]

• Password: GridBOGXX, where XX is in [01..50]

• Certificate passphrase: BOGOTA

Page 4: Hands-on on security


Preliminary: .globus directory

• The .globus directory in your home contains your personal certificate and private key

• Pay attention to permissions
  – userkey.pem contains your private key and must be readable by you alone (mode 400); the Globus tools reject a key that is readable by group or others
  – usercert.pem contains your X.509 certificate (your public key, signed by the CA); it may be world-readable (mode 644)

[bogota01@eventogrid1 bogota01]$ ls -la .globus/u*
-rw-r--r-- 1 bogota01 bogota01 1131 Mar 1 03:27 .globus/usercert.pem
-r-------- 1 bogota01 bogota01 963 Mar 1 03:27 .globus/userkey.pem
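The permission check above as a script you can run before voms-proxy-init, plus a test that userkey.pem really is the private key for usercert.pem (a mismatched pair is a common cause of a failed proxy creation). This is an added example, not code from the EELA tutorial; it assumes POSIX sh with ls, awk and id, and openssl only for the key/certificate comparison. The script name check_globus.sh in the usage comment is a placeholder.

```sh
#!/bin/sh
# Added example, not part of the EELA slides: checks on the .globus directory.
# Assumed: POSIX sh, ls, awk, id; openssl is needed only for key_matches_cert.

KEY_MODE_RO='-r--------'   # 0400, what the slide shows
KEY_MODE_RW='-rw-------'   # 0600, still private to the owner
CERT_MODE='-rw-r--r--'     # 0644

mode_of()  { ls -ld "$1" | cut -c1-10; }           # e.g. -r--------
owner_of() { ls -lnd "$1" | awk '{ print $3 }'; }  # numeric uid of the owner

# check_globus_creds [DIR]   (default: ~/.globus)
# 0 ok; 1 a file is missing; 2 key readable by others; 3 cert not 0644;
# 4 a file is not owned by the calling user
check_globus_creds() {
    dir=${1:-$HOME/.globus}
    key=$dir/userkey.pem; cert=$dir/usercert.pem
    if [ ! -f "$key" ] || [ ! -f "$cert" ]; then
        echo "missing userkey.pem or usercert.pem in $dir" >&2; return 1
    fi
    me=$(id -u)
    for f in "$key" "$cert"; do
        if [ "$(owner_of "$f")" != "$me" ]; then
            echo "$f is not owned by uid $me" >&2; return 4
        fi
    done
    case "$(mode_of "$key")" in
        "$KEY_MODE_RO"|"$KEY_MODE_RW") ;;
        *) echo "userkey.pem is $(mode_of "$key"); run chmod 400 on it" >&2; return 2 ;;
    esac
    if [ "$(mode_of "$cert")" != "$CERT_MODE" ]; then
        echo "usercert.pem is $(mode_of "$cert"); run chmod 644 on it" >&2; return 3
    fi
    return 0
}

# key_matches_cert KEY CERT: 0 when the RSA modulus in the private key equals
# the one in the certificate, i.e. the two files really belong together.
# openssl prompts for the key passphrase if the key is encrypted.
key_matches_cert() {
    kmod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    cmod=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ "$kmod" = "$cmod" ]
}

# Usage:  sh check_globus.sh --check [DIR]
if [ "${1:-}" = "--check" ]; then
    check_globus_creds "${2:-}" || exit $?
    dir=${2:-$HOME/.globus}
    if key_matches_cert "$dir/userkey.pem" "$dir/usercert.pem"; then
        echo "OK: key and certificate match"
    else
        echo "userkey.pem is not the key for usercert.pem" >&2; exit 5
    fi
fi
```

The mode is read from ls output rather than stat because the stat flags differ between GNU and BSD; the uid comparison uses ls -n so it also works in containers where the uid has no name.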

Page 5: Hands-on on security


voms-proxy-init: create credentials

• Main options: voms-proxy-init --voms <vo-name[:command]>

  -help, -usage          Displays usage
  -version               Displays version
  -debug                 Enables extra debug output
  -quiet, -q             Quiet mode, minimal output
  -verify                Verifies the certificate to make a proxy for
  -pwstdin               Allows the passphrase to be read from stdin
  -limited               Creates a limited proxy
  -valid <h:m>           Proxy is valid for h hours and m minutes (default 12:00)
  -hours H               Proxy is valid for H hours (default 12)
  -bits                  Number of bits in the key {512|1024|2048|4096}
  -cert <certfile>       Non-standard location of user certificate
  -key <keyfile>         Non-standard location of user key
  -certdir <certdir>     Non-standard location of trusted cert dir
  -out <proxyfile>       Non-standard location of new proxy cert
  -voms <voms[:command]> Specify the VOMS server; :command is optional
  -order <group[:role]>  Specify the ordering of attributes
  -vomslife <h:m>        Try to get a VOMS pseudocert valid for h hours and m minutes (default: the value of -valid)
  -include <file>        Include the contents of the specified files
  -confile <file>        Non-standard location of VOMS server addresses
  -vomses <file>         Non-standard location of configuration files

• A 512-bit proxy key is weak by today's standards: pass -bits 1024 or 2048. Keep -valid no longer than the work needs, since the proxy file in /tmp is a bearer credential for whoever can read it.

Page 6: Hands-on on security


voms-proxy-init output

[bogota01@eventogrid1 bogota01]$ voms-proxy-init --voms gilda

Cannot find file or dir: /home/bogota01/.glite/vomses

Your identity: /C=IT/O=GILDA/OU=Personal Certificate/L=BOGOTA/CN=BOGOTA01/[email protected]

Enter GRID pass phrase: ************

Creating temporary proxy ............................... Done

Contacting voms.ct.infn.it:15001 [/C=IT/O=INFN/OU=Host/L=Catania/CN=voms.ct.infn.it] "gilda" Done

Creating proxy ................................. Done

Your proxy is valid until Tue Mar 6 23:06:20 2007

Page 7: Hands-on on security


voms-proxy-info: check credentials

• voms-proxy-info
  – Main options:
    -all    prints all proxy information, including the VOMS extensions
    -file   specifies a different location of the proxy file

Page 8: Hands-on on security


voms-proxy-info output

[bogota01@eventogrid1 bogota01]$ voms-proxy-info --all

Standard globus attributes:

subject : /C=IT/O=GILDA/OU=Personal Certificate/L=BOGOTA/CN=BOGOTA01/[email protected]/CN=proxy
issuer : /C=IT/O=GILDA/OU=Personal Certificate/L=BOGOTA/CN=BOGOTA01/[email protected]
identity : /C=IT/O=GILDA/OU=Personal Certificate/L=BOGOTA/CN=BOGOTA01/[email protected]
type : proxy
strength : 512 bits
path : /tmp/x509up_u501
timeleft : 11:57:40

Voms extensions:

=== VO gilda extension information ===
VO : gilda
subject : /C=IT/O=GILDA/OU=Personal Certificate/L=BOGOTA/CN=BOGOTA01/[email protected]
issuer : /C=IT/O=INFN/OU=Host/L=Catania/CN=voms.ct.infn.it
attribute : /gilda/Role=NULL/Capability=NULL
timeleft : 11:57:33

Page 9: Hands-on on security


voms-proxy-destroy: destroy credentials

• voms-proxy-destroy takes no options

• Destroys the proxy certificate pointed to by the $X509_USER_PROXY environment variable (or, when it is unset, the default /tmp/x509up_u<uid>)

Page 10: Hands-on on security


voms-proxy-destroy output

[bogota01@eventogrid1 bogota01]$ echo $X509_USER_PROXY
/tmp/x509up_u501
[bogota01@eventogrid1 bogota01]$ voms-proxy-destroy
[bogota01@eventogrid1 bogota01]$
[bogota01@eventogrid1 bogota01]$ voms-proxy-info --all
Couldn't find a valid proxy.
[bogota01@eventogrid1 bogota01]$

Page 11: Hands-on on security


First Exercise

1. Create a plain VOMS proxy (voms-proxy-init without the --voms option) without requesting group membership;

2. Verify your proxy, checking that it has no VOMS extensions;

3. Destroy the created proxy;

4. Verify your proxy again;

5. Do steps 1-4 again, this time requesting gilda group membership
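The checks of steps 2 and 4, as a script a job-submission wrapper could run on the output of voms-proxy-info --all before using the proxy: is there a proxy at all, is the key long enough, is enough lifetime left, and does it carry the VOMS extension for the VO being used. This is an added example, not code from the EELA tutorial; the thresholds are placeholders, SAMPLE_INFO is adapted from the voms-proxy-info slide (Email RDN omitted), and check_proxy.sh in the usage comment is an assumed file name.

```sh
#!/bin/sh
# Added example, not part of the EELA slides: policy checks on the text that
# `voms-proxy-info --all` prints. Thresholds below are assumptions.

# Output of voms-proxy-info --all as shown in the deck (adapted; constructed
# sample for offline use).
SAMPLE_INFO='subject : /C=IT/O=GILDA/OU=Personal Certificate/L=BOGOTA/CN=BOGOTA01/CN=proxy
issuer : /C=IT/O=GILDA/OU=Personal Certificate/L=BOGOTA/CN=BOGOTA01
identity : /C=IT/O=GILDA/OU=Personal Certificate/L=BOGOTA/CN=BOGOTA01
type : proxy
strength : 512 bits
path : /tmp/x509up_u501
timeleft : 11:57:40
=== VO gilda extension information ===
VO : gilda
subject : /C=IT/O=GILDA/OU=Personal Certificate/L=BOGOTA/CN=BOGOTA01
issuer : /C=IT/O=INFN/OU=Host/L=Catania/CN=voms.ct.infn.it
attribute : /gilda/Role=NULL/Capability=NULL
timeleft : 11:57:33'

# hms_to_seconds H:M:S -> seconds; trailing text such as "(7.0 days)" is ignored
hms_to_seconds() { printf '%s\n' "$1" | awk -F: '{ print $1*3600 + $2*60 + $3 }'; }

# info_field NAME: first "NAME : value" on stdin. The proxy section precedes
# the VO section, so the first timeleft is the proxy's own.
info_field() { sed -n "s/^$1 *: *//p" | head -n 1; }

# proxy_vos: names of the VOs whose extensions the proxy carries (empty for a
# plain proxy, which is what step 2 of the exercise expects)
proxy_vos() { sed -n 's/^VO *: *//p'; }

# check_proxy [VO] [MIN_BITS] [MIN_SECONDS]   (reads voms-proxy-info --all on stdin)
# 0 ok; 1 no proxy; 2 key shorter than MIN_BITS; 3 less than MIN_SECONDS left;
# 4 the VO extension asked for is missing
check_proxy() {
    want_vo=${1:-}; min_bits=${2:-1024}; min_secs=${3:-3600}
    info=$(cat)
    case "$info" in
        *"Couldn't find a valid proxy"*|"")
            echo "no proxy: run voms-proxy-init first" >&2; return 1 ;;
    esac
    bits=$(printf '%s\n' "$info" | info_field strength | awk '{ print $1 }')
    secs=$(hms_to_seconds "$(printf '%s\n' "$info" | info_field timeleft)")
    if [ "${bits:-0}" -lt "$min_bits" ]; then
        echo "proxy key is ${bits:-?} bits; re-run voms-proxy-init -bits $min_bits" >&2; return 2
    fi
    if [ "${secs:-0}" -lt "$min_secs" ]; then
        echo "proxy expires in ${secs:-0} s; renew it" >&2; return 3
    fi
    if [ -n "$want_vo" ] && ! printf '%s\n' "$info" | proxy_vos | grep -qx "$want_vo"; then
        echo "proxy carries no VOMS extension for $want_vo" >&2; return 4
    fi
    return 0
}

# Usage against the live proxy:  sh check_proxy.sh --live gilda
if [ "${1:-}" = "--live" ]; then
    voms-proxy-info --all 2>&1 | check_proxy "${2:-}" 1024 3600
    exit $?
fi
```

Run against the proxy from the slide, the check fails with code 2 under a 1024-bit policy, which is the point of the -bits caveat: the default 512-bit proxy key passes the lifetime and VO tests but not a modern key-length test.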

Page 12: Hands-on on security


Long term proxy: MyProxy

• MyProxy server commands:
  – myproxy-init: creates a long-term proxy certificate and stores it on the MyProxy server
  – myproxy-info: gets information about a stored long-lived proxy
  – myproxy-get-delegation: gets a new short-lived proxy from the MyProxy server
  – myproxy-destroy: removes the stored proxy from the MyProxy server

• Check each of them with the myproxy-xxx --help option

• A dedicated service on the Resource Broker (RB) can renew a job's proxy automatically by contacting the MyProxy server, so that a job which outlives its short proxy does not fail

Page 13: Hands-on on security


myproxy-init: store proxy cred.

• Main options
  – -c hours: lifetime of the stored credential
  – -t hours: maximum lifetime of the proxies retrieved from it
  – -s <hostname>: MyProxy server used to store the credential
  – -d: stores the credential under the distinguished name in the proxy instead of the user name (mandatory for some data management services and for proxy renewal)

• For proxy renewal -n (no passphrase) is also mandatory. You then have to specify which principals may renew the delegation: -R <subject> for a single renewer DN, or -A for any principal

• With -n the stored credential has no passphrase of its own, so the -R/-A policy is its only access control: name the renewal service's DN with -R rather than opening it to any principal with -A

Page 14: Hands-on on security


myproxy-init output

[bogota01@eventogrid1 bogota01]$ myproxy-init
Your identity: /C=IT/O=GILDA/OU=Personal Certificate/L=BOGOTA/CN=BOGOTA01/[email protected]
GRID pass phrase for this identity: ***********
Creating proxy ................................. Done
Proxy Verify OK
Your proxy is valid until: Tue Mar 13 14:00:18 2007
Enter MyProxy pass phrase: ***********
Verifying password - Enter MyProxy pass phrase:
A proxy valid for 168 hours (7.0 days) for user bogota01 now exists on grid001.ct.infn.it.
[bogota01@eventogrid1 bogota01]$

Page 15: Hands-on on security


myproxy-info: retrieve stored proxy info

• Useful to retrieve information on the stored credential

• Needs local credentials: the user must have a valid proxy to issue this command

• If the credential was stored with the -d switch, you have to give the same option here

Page 16: Hands-on on security


myproxy-info output

[bogota01@eventogrid1 bogota01]$ myproxy-info -v

Socket bound to port 20000.

server name: /C=IT/O=INFN/OU=Host/L=Catania/CN=grid001.ct.infn.it

checking if server name matches "[email protected]"

server name does not match

checking if server name matches "[email protected]"

server name accepted

username: bogota01

owner: /C=IT/O=GILDA/OU=Personal Certificate/L=BOGOTA/CN=BOGOTA01/[email protected]

timeleft: 167:54:03 (7.0 days)

Page 17: Hands-on on security


myproxy-get-delegation: get proxy

• This command retrieves a delegation (a new short-lived proxy) from the long-lived proxy stored on a MyProxy server

• It is independent of the machine: you do not need to have your certificate on the machine you run it from, only the MyProxy pass phrase

• If the credential was stored with the -d switch, you have to specify -d in the myproxy-get-delegation request too

Page 18: Hands-on on security


myproxy-get-delegation: output

[bogota01@eventogrid1 bogota01]$ myproxy-get-delegation

Enter MyProxy pass phrase:

A proxy has been received for user bogota01 in /tmp/x509up_u501

Page 19: Hands-on on security


myproxy-destroy: destroy proxy

• Deletes the long-lived credential, if it exists, on the specified MyProxy server

• To specify the MyProxy server use the -s switch

• Again, the user must have a valid proxy certificate

Page 20: Hands-on on security


myproxy-destroy: output

[bogota01@eventogrid1 bogota01]$ myproxy-destroy -v
Socket bound to port 20000.
server name: /C=IT/O=INFN/OU=Host/L=Catania/CN=grid001.ct.infn.it
checking if server name matches "[email protected]"
server name does not match
checking if server name matches "[email protected]"
server name accepted
Default MyProxy credential for user bogota01 was successfully removed.

Page 21: Hands-on on security


Second Exercise

1. Create a MyProxy credential on the server grid001.ct.infn.it

2. Fetch a delegation from the MyProxy server

3. Check the information on the credential stored on the MyProxy server

4. Destroy both the delegated proxy and the proxy stored on the MyProxy server

5. Repeat steps 1-4 using the -d option

6. What differences do you notice between the two proxies?
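A wrapper for the MyProxy part of this exercise, as an added example that is not code from the EELA tutorial: myproxy_init_cmd builds the myproxy-init line for a credential the RB may renew (the -d -n -R combination of the myproxy-init slide) and refuses a stored lifetime shorter than the proxies drawn from it or a renewer policy of "any principal" unless explicitly forced; myproxy_check_stored reads the output of myproxy-info -v and verifies the owner DN and the remaining lifetime, which is step 3. Assumed: the renewer DN in the usage comment is a placeholder, and SAMPLE_MYPROXY_INFO is adapted from the myproxy-info slide (server-name matching lines and Email RDN omitted).

```sh
#!/bin/sh
# Added example, not part of the EELA slides: wrapper around the myproxy-init /
# myproxy-info steps of the exercise. Renewer DN and thresholds are placeholders.

# Constructed sample of `myproxy-info -v` output, adapted from the deck.
SAMPLE_MYPROXY_INFO='username: bogota01
owner: /C=IT/O=GILDA/OU=Personal Certificate/L=BOGOTA/CN=BOGOTA01
timeleft: 167:54:03 (7.0 days)'

# myproxy_init_cmd SERVER CRED_HOURS PROXY_HOURS RENEWER [--force]
# RENEWER is the DN given to -R, or the word ANY for -A (any principal).
# Prints the command line. 0 ok; 1 missing argument; 2 the stored credential
# (-c) would expire before a proxy retrieved from it (-t); 3 ANY without --force
myproxy_init_cmd() {
    server=$1; cred_hours=$2; proxy_hours=$3; renewer=$4; force=${5:-}
    [ -n "$server" ] && [ -n "$cred_hours" ] && [ -n "$proxy_hours" ] && [ -n "$renewer" ] || return 1
    [ "$cred_hours" -ge "$proxy_hours" ] 2>/dev/null || return 2
    # -d: store under the DN, which is what the renewal service looks up;
    # -n: no MyProxy passphrase, so -R/-A is the only access control left.
    if [ "$renewer" = ANY ]; then
        [ "$force" = --force ] || return 3
        printf 'myproxy-init -s %s -c %s -t %s -d -n -A\n' "$server" "$cred_hours" "$proxy_hours"
    else
        printf 'myproxy-init -s %s -c %s -t %s -d -n -R "%s"\n' "$server" "$cred_hours" "$proxy_hours" "$renewer"
    fi
}

# H:M:S -> seconds; trailing text such as "(7.0 days)" is ignored
myproxy_timeleft_seconds() { printf '%s\n' "$1" | awk -F: '{ print $1*3600 + $2*60 + $3 }'; }

# myproxy_check_stored EXPECTED_OWNER_DN [MIN_SECONDS]   (myproxy-info -v on stdin)
# 0 ok; 1 no credential listed; 2 the stored credential belongs to someone
# else; 3 it expires in less than MIN_SECONDS
myproxy_check_stored() {
    want_owner=$1; min_secs=${2:-3600}
    info=$(cat)
    owner=$(printf '%s\n' "$info" | sed -n 's/^owner: *//p' | head -n 1)
    if [ -z "$owner" ]; then
        echo "no credential stored (check the -d and -s options)" >&2; return 1
    fi
    if [ "$owner" != "$want_owner" ]; then
        echo "stored credential belongs to $owner, not to $want_owner" >&2; return 2
    fi
    secs=$(myproxy_timeleft_seconds "$(printf '%s\n' "$info" | sed -n 's/^timeleft: *//p' | head -n 1)")
    if [ "${secs:-0}" -lt "$min_secs" ]; then
        echo "stored credential expires in ${secs:-0} s; re-run myproxy-init" >&2; return 3
    fi
    return 0
}

# Usage (the renewer DN is a placeholder for the RB's host certificate subject):
#   eval "$(myproxy_init_cmd grid001.ct.infn.it 168 12 '/C=IT/O=INFN/OU=Host/L=Catania/CN=rb.example.org')"
#   myproxy-info -v -d | myproxy_check_stored "$(voms-proxy-info -identity)" 86400
```

The lifetime rule encodes the relation between the two slide options: -c is the life of the credential on the server and -t the longest proxy it may hand out, so -c below -t only shortens what the RB can ever renew to.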

Page 22: Hands-on on security


VOMS extensions on a delegated proxy

• MyProxy does not natively support VOMS: the proxy returned by myproxy-get-delegation carries no VOMS attribute certificate

• To overcome this:
  – fetch the proxy from the MyProxy server with myproxy-get-delegation
  – then run voms-proxy-init with the -noregen option, which contacts the VOMS server and adds the attribute certificate to the existing proxy instead of generating a new one from your user certificate (which need not be on the machine)

Page 23: Hands-on on security


Questions