www.eu-eela.org
E-infrastructure shared between Europe and Latin America
FP6−2004−Infrastructures−6-SSA-026409
Hands-on on security
Pedro Rausch, IF - UFRJ
Ninth EELA Tutorial
Bogotá, 06.03.2007
Bogotá, Ninth EELA Tutorial, 06.03.2007 (FP6−2004−Infrastructures−6-SSA-026409)
Overview
• Accessing the UI
• Private and public keys
• VOMS
  – voms-proxy-init
  – voms-proxy-info
  – voms-proxy-destroy
• MyProxy
  – myproxy-init
  – myproxy-info
  – myproxy-get-delegation
  – myproxy-destroy
How to access the User Interface
• Open the VMWare User Interface on your desktop (click the icon)
• Username: bogotaXX (LOOK AT THE STICKER!), where XX is in [01..50]
• Password: GridBOGXX, where XX is in [01..50]
• Certificate passphrase: BOGOTA
Preliminary: .globus directory
• The .globus directory contains your personal public / private keys
• Pay attention to permissions
  – userkey.pem contains your private key and must be readable only by you (mode 400)
  – usercert.pem contains your certificate (public key), which should also be readable by others (mode 644)
[bogota01@eventogrid1 bogota01]$ ls -la .globus/u*
-rw-r--r-- 1 bogota01 bogota01 1131 Mar 1 03:27 .globus/usercert.pem
-r-------- 1 bogota01 bogota01 963 Mar 1 03:27 .globus/userkey.pem
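The permission rule above is easy to get wrong after copying a key pair around, so the following is a small check to run before voms-proxy-init. It is an added example, not code from the EELA tutorial; it assumes the layout shown on the slide (DIR/userkey.pem and DIR/usercert.pem) and compares the mode string ls prints, exactly as the listing above does.

```shell
#!/bin/sh
# Added example (not from the EELA slides): verify that the key pair in
# .globus has the permissions described above before creating a proxy.
# Assumes the slide's layout: DIR/userkey.pem and DIR/usercert.pem.

# mode_of FILE: the 10-character mode string ls prints, e.g. -r--------
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# check_globus_perms [DIR]: returns 0 if both files exist with the expected
# modes, 1 otherwise, reporting each problem on stderr.
check_globus_perms() {
    dir="${1:-$HOME/.globus}"
    key="$dir/userkey.pem"
    cert="$dir/usercert.pem"
    rc=0
    if [ ! -f "$key" ]; then
        echo "missing $key" >&2
        rc=1
    elif [ "$(mode_of "$key")" != "-r--------" ]; then
        # private key: owner read-only (400); anything wider leaks the key
        echo "$key has mode $(mode_of "$key"), expected -r-------- (400)" >&2
        rc=1
    fi
    if [ ! -f "$cert" ]; then
        echo "missing $cert" >&2
        rc=1
    elif [ "$(mode_of "$cert")" != "-rw-r--r--" ]; then
        # certificate: public, world-readable (644)
        echo "$cert has mode $(mode_of "$cert"), expected -rw-r--r-- (644)" >&2
        rc=1
    fi
    return $rc
}

# fix_globus_perms [DIR]: apply the expected modes (what to run after a failed check)
fix_globus_perms() {
    dir="${1:-$HOME/.globus}"
    chmod 400 "$dir/userkey.pem" && chmod 644 "$dir/usercert.pem"
}
```

Usage: `check_globus_perms || fix_globus_perms` on the UI, then run voms-proxy-init as on the next slide.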
voms-proxy-init: create credentials
• Usage: voms-proxy-init --voms <vo-name[:command]>
• Main options:
  -help, -usage            Displays usage
  -version                 Displays version
  -debug                   Enables extra debug output
  -quiet, -q               Quiet mode, minimal output
  -verify                  Verifies the certificate to make a proxy for
  -pwstdin                 Allows the passphrase to be read from stdin
  -limited                 Creates a limited proxy
  -valid <h:m>             Proxy is valid for h hours and m minutes (default 12:00)
  -hours H                 Proxy is valid for H hours (default 12)
  -bits                    Number of bits in key {512|1024|2048|4096}
  -cert <certfile>         Non-standard location of user certificate
  -key <keyfile>           Non-standard location of user key
  -certdir <certdir>       Non-standard location of trusted cert dir
  -out <proxyfile>         Non-standard location of new proxy cert
  -voms <voms[:command]>   Specify VOMS server; :command is optional
  -order <group[:role]>    Specify ordering of attributes
  -vomslife <h:m>          Try to get a VOMS pseudocert valid for h hours and m minutes (default: the value of -valid)
  -include <file>          Include the contents of the specified file
  -confile <file>          Non-standard location of VOMS server addresses
  -vomses <file>           Non-standard location of configuration files
voms-proxy-init output
[bogota01@eventogrid1 bogota01]$ voms-proxy-init --voms gilda
Cannot find file or dir: /home/bogota01/.glite/vomses
Your identity: /C=IT/O=GILDA/OU=Personal Certificate/L=BOGOTA/CN=BOGOTA01/[email protected]
Enter GRID pass phrase: ************
Creating temporary proxy ............................... Done
Contacting voms.ct.infn.it:15001 [/C=IT/O=INFN/OU=Host/L=Catania/CN=voms.ct.infn.it] "gilda" Done
Creating proxy ................................. Done
Your proxy is valid until Tue Mar 6 23:06:20 2007
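What voms-proxy-init just built is an RFC 3820 proxy certificate: a fresh key pair whose certificate has the user's DN plus /CN=proxy as subject, the user's own DN as issuer, a short lifetime, and is signed with userkey.pem rather than by the CA. The script below reproduces that structure with openssl so it can be inspected and verified offline. It is an added example, not part of the EELA tutorial or of VOMS: the CA is a constructed stand-in (on the grid, usercert.pem comes from the real GILDA CA), the DN is the slide's identity without the e-mail component, keys are 2048-bit RSA instead of the 512-bit proxy key in the output, and the VOMS attribute certificate itself is not built.

```shell
#!/bin/sh
# Added example, not part of the EELA slides: build with openssl the same
# structure voms-proxy-init produces (a short-lived proxy certificate whose
# subject is the user's DN plus /CN=proxy, signed by the user's own key) and
# verify it. Assumptions: openssl 1.1.1 or 3.x on PATH with its default
# config; the DN below is a constructed stand-in for the GILDA identity on
# the slide; keys are 2048-bit RSA instead of the 512-bit proxy key shown.
# This is plain X.509 / RFC 3820; the VOMS attribute certificate is not built.

USER_DN="/C=IT/O=GILDA/OU=Personal Certificate/L=BOGOTA/CN=BOGOTA01"

# make_proxy_chain DIR: writes ca.pem, usercert.pem, userkey.pem, proxy.pem, proxykey.pem
make_proxy_chain() {
    d="$1"
    cat > "$d/ext.cnf" <<'EOF'
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ v3_user ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
[ v3_proxy ]
proxyCertInfo = critical,language:id-ppl-inheritAll,pathlen:0
EOF
    # Stand-in CA: on the grid this is the real CA that signed usercert.pem
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/ca.key" \
        -out "$d/ca.csr" -subj "/C=IT/O=GILDA/CN=Stand-in CA" 2>/dev/null
    openssl x509 -req -in "$d/ca.csr" -signkey "$d/ca.key" -days 30 \
        -extfile "$d/ext.cnf" -extensions v3_ca -out "$d/ca.pem" 2>/dev/null
    # Long-lived user credential, i.e. what lives in ~/.globus
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/userkey.pem" \
        -out "$d/user.csr" -subj "$USER_DN" 2>/dev/null
    openssl x509 -req -in "$d/user.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -set_serial 1 -days 30 -extfile "$d/ext.cnf" -extensions v3_user \
        -out "$d/usercert.pem" 2>/dev/null
    chmod 400 "$d/userkey.pem"
    # Proxy: fresh key pair, subject = user DN + /CN=proxy, signed by the USER
    # key, not the CA. inheritAll = full proxy; pathlen:0 = it may not sign
    # further proxies. openssl x509 -req counts lifetime in whole days (1 is
    # the minimum); voms-proxy-init defaults to 12 hours.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/proxykey.pem" \
        -out "$d/proxy.csr" -subj "$USER_DN/CN=proxy" 2>/dev/null
    openssl x509 -req -in "$d/proxy.csr" -CA "$d/usercert.pem" \
        -CAkey "$d/userkey.pem" -set_serial 2 -days 1 \
        -extfile "$d/ext.cnf" -extensions v3_proxy -out "$d/proxy.pem" 2>/dev/null
}

# verify_proxy_chain DIR ALLOW: exit status of openssl verify on proxy.pem.
# ALLOW=1 sets -allow_proxy_certs, which every relying party must do: without
# it OpenSSL refuses the chain with "proxy certificates not allowed".
verify_proxy_chain() {
    d="$1"
    flag=""
    if [ "$2" = "1" ]; then flag="-allow_proxy_certs"; fi
    openssl verify $flag -CAfile "$d/ca.pem" -untrusted "$d/usercert.pem" "$d/proxy.pem"
}

# proxy_subject DIR: RFC 2253 subject, to compare with the "subject :" line of voms-proxy-info
proxy_subject() {
    openssl x509 -in "$1/proxy.pem" -noout -subject -nameopt RFC2253
}

# has_proxy_cert_info DIR: true if the RFC 3820 proxyCertInfo extension is present
has_proxy_cert_info() {
    openssl x509 -in "$1/proxy.pem" -noout -text | grep -q "Proxy Certificate Information"
}
```

The verify step is the security point: the user certificate is CA:FALSE, so a proxy chain only validates when the relying party explicitly accepts proxy certificates and the proxy's subject is exactly the issuer's DN plus one CN. voms-proxy-info's "subject", "issuer" and "identity" lines are these same fields.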
voms-proxy-info: check credentials
• Main options:
  -all    prints all proxy options
  -file   specifies a different location of the proxy file
voms-proxy-info output
[bogota01@eventogrid1 bogota01]$ voms-proxy-info --all
Standard globus attributes:
subject : /C=IT/O=GILDA/OU=Personal Certificate/L=BOGOTA/CN=BOGOTA01/[email protected]/CN=proxy
issuer : /C=IT/O=GILDA/OU=Personal Certificate/L=BOGOTA/CN=BOGOTA01/[email protected]
identity : /C=IT/O=GILDA/OU=Personal Certificate/L=BOGOTA/CN=BOGOTA01/[email protected]
type : proxy
strength : 512 bits
path : /tmp/x509up_u501
timeleft : 11:57:40
VOMS extensions:
=== VO gilda extension information ===
VO : gilda
subject : /C=IT/O=GILDA/OU=Personal Certificate/L=BOGOTA/CN=BOGOTA01/[email protected]
issuer : /C=IT/O=INFN/OU=Host/L=Catania/CN=voms.ct.infn.it
attribute : /gilda/Role=NULL/Capability=NULL
timeleft : 11:57:33
voms-proxy-destroy: destroy credentials
• voms-proxy-destroy takes no options
• Destroys the proxy certificate pointed to by the $X509_USER_PROXY environment variable
voms-proxy-destroy output
[bogota01@eventogrid1 bogota01]$ echo $X509_USER_PROXY
/tmp/x509up_u501
[bogota01@eventogrid1 bogota01]$ voms-proxy-destroy
[bogota01@eventogrid1 bogota01]$
[bogota01@eventogrid1 bogota01]$ voms-proxy-info --all
Couldn't find a valid proxy.
[bogota01@eventogrid1 bogota01]$
First Exercise
1. Create a plain VOMS proxy without requesting group membership;
2. Verify your proxy, checking that it has no VOMS extensions;
3. Destroy the created proxy;
4. Verify your proxy again;
5. Do steps 1-4 again, this time requesting gilda group membership
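Steps 2 and 4 of the exercise, and the voms-proxy-info output shown earlier, are what a job-submission script has to check before it runs: is there a valid proxy at all, does it carry a VOMS attribute for the VO, and is enough lifetime left on both the proxy and the VOMS AC. The check below does that over the text of voms-proxy-info --all. It is an added example, not code from the tutorial; the three sample outputs are constructed from the slides (the DN without the e-mail component) and nothing here contacts a VOMS server. The exit codes and the 1024-bit warning threshold are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the EELA slides: a pre-flight check over the
# output of "voms-proxy-info --all". Exit codes (this example's convention):
# 0 ok, 1 no valid proxy, 2 no VOMS attribute for the VO, 3 not enough
# lifetime left on the proxy or on the VOMS AC.

# check_proxy_info VO MIN_MINUTES   (reads voms-proxy-info --all on stdin)
check_proxy_info() {
    awk -v vo="$1" -v min="$2" '
        /^Couldn.t find a valid proxy/ { noproxy = 1 }
        # everything after this header describes the VOMS AC, not the proxy
        /^=== VO .* extension information ===/ { invo = 1 }
        # "timeleft : 11:57:40": field 3 is h:m:s, keep whole minutes
        /^timeleft/ {
            split($3, t, ":"); mins = t[1] * 60 + t[2]
            if (invo) ac_left = mins; else proxy_left = mins
        }
        /^strength/ { bits = $3 }
        # "VO : gilda" inside the extension block
        invo && /^VO[ \t]*:/ && $3 == vo { found = 1 }
        END {
            if (noproxy)          { print "no valid proxy"; exit 1 }
            if (!found)           { print "no VOMS attribute for VO " vo; exit 2 }
            if (proxy_left < min) { print "proxy has only " proxy_left " min left"; exit 3 }
            if (ac_left < min)    { print "VOMS AC has only " ac_left " min left"; exit 3 }
            # 512-bit RSA (the slide default) is factorable; warn but do not fail
            if (bits && bits < 1024) print "warning: " bits "-bit proxy key, use voms-proxy-init -bits 2048"
            print "ok: proxy " proxy_left " min, VOMS AC for " vo " " ac_left " min"
        }'
}

# Constructed samples, taken from the outputs on the slides.
SAMPLE_VOMS='subject : /C=IT/O=GILDA/OU=Personal Certificate/L=BOGOTA/CN=BOGOTA01/CN=proxy
issuer : /C=IT/O=GILDA/OU=Personal Certificate/L=BOGOTA/CN=BOGOTA01
identity : /C=IT/O=GILDA/OU=Personal Certificate/L=BOGOTA/CN=BOGOTA01
type : proxy
strength : 512 bits
path : /tmp/x509up_u501
timeleft : 11:57:40
=== VO gilda extension information ===
VO : gilda
subject : /C=IT/O=GILDA/OU=Personal Certificate/L=BOGOTA/CN=BOGOTA01
issuer : /C=IT/O=INFN/OU=Host/L=Catania/CN=voms.ct.infn.it
attribute : /gilda/Role=NULL/Capability=NULL
timeleft : 11:57:33'

# plain proxy from step 1: same fields, no VOMS block
SAMPLE_PLAIN='subject : /C=IT/O=GILDA/OU=Personal Certificate/L=BOGOTA/CN=BOGOTA01/CN=proxy
issuer : /C=IT/O=GILDA/OU=Personal Certificate/L=BOGOTA/CN=BOGOTA01
identity : /C=IT/O=GILDA/OU=Personal Certificate/L=BOGOTA/CN=BOGOTA01
type : proxy
strength : 512 bits
path : /tmp/x509up_u501
timeleft : 11:57:40'

# after voms-proxy-destroy (step 4)
SAMPLE_NONE="Couldn't find a valid proxy."
```

On the UI the call is `voms-proxy-info --all | check_proxy_info gilda 60 || voms-proxy-init --voms gilda`; the VO and the minimum lifetime are the only inputs.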
Long term proxy: MyProxy
• The MyProxy server is driven by four commands:
  – myproxy-init: creates and stores a long-term proxy certificate on the server
  – myproxy-info: gets information about a stored long-lived proxy
  – myproxy-get-delegation: gets a new proxy from the MyProxy server
  – myproxy-destroy: removes the stored proxy from the server
• See the full option list with the myproxy-xxx --help option
• A dedicated service on the RB (Resource Broker) can renew the proxy automatically, contacting the MyProxy server
myproxy-init: store proxy credentials
• Main options:
  – -c hours: specifies the lifetime of the stored credentials
  – -t hours: specifies the maximum lifetime of retrieved credentials
  – -s <hostname>: specifies the MyProxy server used to store the credentials
  – -d: stores the credential under the distinguished name in the proxy instead of the user name (mandatory for some data management services and for proxy renewal)
• For proxy renewal -n (no passphrase) is also mandatory. You also have to specify the subject of the principals that can renew a delegation (-R subject, or -A for any principal). Because -n removes the passphrase, prefer -R with the DN of the renewal service over -A, which the myproxy documentation marks as not recommended.
myproxy-init output
[bogota01@eventogrid1 bogota01]$ myproxy-init
Your identity: /C=IT/O=GILDA/OU=Personal Certificate/L=BOGOTA/CN=BOGOTA01/[email protected]
Enter GRID pass phrase for this identity: ***********
Creating proxy ................................. Done
Proxy Verify OK
Your proxy is valid until: Tue Mar 13 14:00:18 2007
Enter MyProxy pass phrase: ***********
Verifying password - Enter MyProxy pass phrase:
A proxy valid for 168 hours (7.0 days) for user bogota01 now exists on grid001.ct.infn.it.
[bogota01@eventogrid1 bogota01]$
myproxy-info: retrieve stored proxy info
• Useful to retrieve information on stored credentials
• Needs local credentials: the user must have a valid proxy to issue this command
• If the credentials have been initialized with the -d switch, you also have to specify the same option here
myproxy-info output
[bogota01@eventogrid1 bogota01]$ myproxy-info -v
Socket bound to port 20000.
server name: /C=IT/O=INFN/OU=Host/L=Catania/CN=grid001.ct.infn.it
checking if server name matches "[email protected]"
server name does not match
checking if server name matches "[email protected]"
server name accepted
username: bogota01
owner: /C=IT/O=GILDA/OU=Personal Certificate/L=BOGOTA/CN=BOGOTA01/[email protected]
timeleft: 167:54:03 (7.0 days)
myproxy-get-delegation: get proxy
• This command is used to retrieve a delegation from a long-lived proxy stored on a MyProxy server
• It is machine independent: you don't need to have your certificate on the machine you run it from
• If the credentials have been initialized with the -d switch, you have to specify it also in the myproxy-get-delegation request
myproxy-get-delegation: output
[bogota01@eventogrid1 bogota01]$ myproxy-get-delegation
Enter MyProxy pass phrase:
A proxy has been received for user bogota01 in /tmp/x509up_u501
myproxy-destroy: destroy proxy
• Deletes, if present, the long-lived credentials on the specified MyProxy server
• To specify the MyProxy server use the -s switch
• Again, the user must have a valid proxy certificate
myproxy-destroy: output
[bogota01@eventogrid1 bogota01]$ myproxy-destroy -v
Socket bound to port 20000.
server name: /C=IT/O=INFN/OU=Host/L=Catania/CN=grid001.ct.infn.it
checking if server name matches "[email protected]"
server name does not match
checking if server name matches "[email protected]"
server name accepted
Default MyProxy credential for user bogota01 was successfully removed.
Second Exercise
1. Create a MyProxy credential on the server grid001.ct.infn.it
2. Fetch a delegation from the MyProxy server
3. Check the information on the created proxy on the MyProxy server
4. Destroy both the delegated proxy and the proxy stored on the MyProxy server
5. Repeat steps 1-4 using the -d option
6. Which differences do you notice between the two proxies?
VOMS extensions on a delegated proxy
• MyProxy does not natively support VOMS: the proxy retrieved with myproxy-get-delegation carries no VOMS extensions
• To work around this:
  – Fetch the proxy from the MyProxy server (myproxy-get-delegation)
  – Then issue voms-proxy-init with the -noregen option, which adds the VOMS extensions using the existing proxy as signer instead of regenerating a proxy from your userkey.pem
Questions