Authentication and Authorisation
From EUAGwiki
This page walks you through the stages of inspecting your certificate and then creating and testing a VOMS proxy. We assume you are logged on to a User Interface supporting the euasia VO.
Inspecting your personal certificate
Your personal certificate is split into two separate files in a directory called .globus: usercert.pem (your public certificate) and userkey.pem (your private key). They must have the correct file permissions, in particular the private key must be readable only by you, otherwise you won't be able to create a proxy. Check the permissions with the command
ls -l .globus
[marco@localhost ~]$ ls -l .globus/
total 8
-rw-r--r-- 1 marco marco 1796 May 15 15:51 usercert.pem
-r-------- 1 marco marco 1914 May 15 15:51 userkey.pem
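The same check, as an added example that is not part of the wiki page: a small POSIX shell function that inspects the mode bits of userkey.pem and usercert.pem in a .globus-style directory and reports which chmod is needed when they are wrong. It only reads the output of ls -l, so it does not need the Grid tools installed; the directory path is a parameter.

```shell
#!/bin/sh
# Added example (not from the EUAGwiki page): verify the permissions that
# voms-proxy-init expects on the two files in ~/.globus.
# Returns 0 when userkey.pem is owner-read-only (0400, or 0600 at most)
# and usercert.pem is world-readable (0644 or 0444); 1 otherwise.
check_globus_perms() {
  dir="$1"
  key="$dir/userkey.pem"
  cert="$dir/usercert.pem"
  [ -f "$key" ]  || { echo "missing $key";  return 1; }
  [ -f "$cert" ] || { echo "missing $cert"; return 1; }

  # First field of "ls -l" is the mode string, e.g. "-r--------".
  # cut -c2-10 drops the file-type character (and any trailing ACL marker).
  keymode=$(ls -l "$key"  | awk '{print $1}' | cut -c2-10)
  certmode=$(ls -l "$cert" | awk '{print $1}' | cut -c2-10)

  case "$keymode" in
    r--------|rw-------) ;;
    *) echo "userkey.pem mode '$keymode' is too open; fix with: chmod 400 $key"
       return 1 ;;
  esac
  case "$certmode" in
    rw-r--r--|r--r--r--) ;;
    *) echo "usercert.pem mode '$certmode' is unexpected; fix with: chmod 644 $cert"
       return 1 ;;
  esac
  echo "permissions OK in $dir"
  return 0
}

# Usage: check_globus_perms "$HOME/.globus"
```

Run it against your own ~/.globus before the first voms-proxy-init; the message it prints on failure is the exact chmod to apply.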
You can now have a look inside your certificate with
grid-cert-info
[marco@localhost ~]$ grid-cert-info
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 12344 (0x3038)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=IT, O=INFN, CN=INFN CA
Validity
Not Before: Jan 19 14:08:38 2009 GMT
Not After : Jan 19 14:08:38 2010 GMT
Subject: C=IT, O=INFN, OU=Personal Certificate, L=Catania, CN=Marco Fargetta
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:c3:9c:16:14:fe:ee:1e:83:5b:04:9a:b3:aa:af:
b3:37:69:8d:cf:7a:90:48:5d:4b:83:e4:0a:68:b5:
c1:a6:bd:65:be:6f:6e:b8:65:40:42:b1:de:1c:ef:
59:71:6e:68:03:b7:03:2f:d8:d5:b8:5f:d7:09:d7:
34:1a:06:b3:97:2e:1d:6f:28:65:29:76:ec:02:3a:
ab:da:db:cf:1c:a6:49:42:16:f8:13:88:41:20:06:
42:57:f9:54:c0:8e:1d:0f:9c:b5:1e:9f:b7:7b:21:
4f:cd:00:50:97:b7:b2:f0:e6:15:f9:6a:e2:46:71:
e5:d7:43:a0:7d:8e:d5:2e:2b:64:9e:52:bf:12:a5:
ae:56:9e:fe:5b:d7:a5:ef:94:ab:e3:a3:75:2e:be:
6c:16:3c:a0:d4:fa:3b:6b:cc:d2:fe:7d:bc:cc:0e:
81:3f:6c:96:3f:53:e5:ca:7b:68:e3:90:5e:b3:06:
5e:ea:b4:e0:27:11:50:20:e8:d0:c3:fe:7d:5b:b4:
d4:c0:ec:3b:96:19:76:d2:2f:28:6c:99:f8:cd:a6:
b0:43:98:fd:a8:e2:36:19:b7:4f:58:03:ac:33:66:
99:f3:91:d5:26:2b:8b:ce:43:9d:3f:74:c9:42:3a:
e3:d0:e3:dd:d6:77:fa:fd:08:af:22:97:4c:4d:41:
27:4f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Key Usage: critical
Digital Signature, Key Encipherment, Data Encipherment
X509v3 Extended Key Usage:
TLS Web Client Authentication, E-mail Protection
X509v3 CRL Distribution Points:
URI:http://security.fi.infn.it/CA/INFNCA_crl.der
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.10403.10.1.7
Policy: 1.2.840.113612.5.2.2.1
X509v3 Subject Key Identifier:
19:47:82:42:26:15:4C:40:41:74:7F:DE:15:0E:7D:E6:7E:1B:35:B1
X509v3 Authority Key Identifier:
keyid:D1:62:F3:B3:77:72:C8:2E:FB:F2:79:1A:6F:37:4E:27:9F:13:D5:20
DirName:/C=IT/O=INFN/CN=INFN CA
serial:00
X509v3 Subject Alternative Name:
email:Marco.Fargetta@ct.infn.it
Signature Algorithm: sha1WithRSAEncryption
8f:78:48:e9:fd:a3:3a:ad:09:31:32:cc:a1:07:1c:78:82:2a:
71:91:7d:e4:b8:40:1d:a9:0a:6c:80:85:f9:79:a6:88:04:c3:
2e:fa:62:64:7f:a9:7b:e0:aa:77:e6:37:59:51:81:be:2f:0a:
0e:84:59:ff:81:77:c4:7d:80:5d:f5:eb:41:b9:ac:f4:f4:21:
80:c0:f2:36:97:9a:c7:4c:5c:c7:90:b6:0f:0c:2b:4e:ac:05:
9e:3d:1f:4a:f9:48:17:db:d1:c0:7d:6d:12:0e:df:43:e5:90:
90:63:6b:09:9c:8b:ab:a7:de:c1:2a:da:2f:f0:25:aa:59:f3:
25:02:54:a4:32:47:9d:06:bb:48:e7:b9:44:d4:2a:c9:1e:49:
6a:38:da:3a:2e:01:33:82:52:d5:70:8e:13:f5:28:fc:94:ec:
5e:2e:d8:ab:63:ed:ad:31:76:45:c1:d3:e1:3e:fb:b2:3e:3f:
e2:57:21:d1:ab:35:e6:03:b9:c4:01:93:61:22:2e:9a:44:30:
15:f3:3c:fa:d6:43:f0:b7:5b:7e:af:c6:2b:c0:bb:f5:c0:a1:
1d:3f:20:25:a0:74:d1:01:c7:33:ce:d5:20:92:78:7a:f6:99:
f8:a6:2a:7f:13:ed:31:63:be:47:cc:3a:0b:be:2a:6f:88:f5:
f2:5f:8f:86
The main elements to check are the Subject, the Validity (Not Before / Not After) and the Issuer.
Creation of a proxy with VOMS extensions
To create a proxy and, in a sense, log in to the Grid, the user runs the command voms-proxy-init with the VO to access. The command asks for the private key pass-phrase and generates the proxy as follows:
[marco@localhost ~]$ voms-proxy-init --voms euasia
Cannot find file or dir: /home/marco/.glite/vomses
Enter GRID pass phrase:
Your identity: /C=IT/O=INFN/OU=Personal Certificate/L=Catania/CN=Marco Fargetta
Creating temporary proxy ............................................................... Done
Contacting voms.grid.sinica.edu.tw:15015 [/C=TW/O=AS/OU=GRID/CN=voms.grid.sinica.edu.tw] "euasia" Done
Creating proxy ...................................................................................... Done
Your proxy is valid until Fri Jul 17 04:57:02 2009
Check your VOMS proxy
Once your proxy has been created, you can gather information on it with the voms-proxy-info command. With the -all option the command shows all relevant details of the proxy and of the VO extensions provided by the VOMS server. Note the two different lifetimes: the first refers to the proxy itself, the second to the Attribute Certificate (AC) added by the VOMS server. Both must be valid in order to be fully enabled to perform operations.
[marco@localhost ~]$ voms-proxy-info -all
subject : /C=IT/O=INFN/OU=Personal Certificate/L=Catania/CN=Marco Fargetta/CN=proxy
issuer : /C=IT/O=INFN/OU=Personal Certificate/L=Catania/CN=Marco Fargetta
identity : /C=IT/O=INFN/OU=Personal Certificate/L=Catania/CN=Marco Fargetta
type : proxy
strength : 512 bits
path : /tmp/x509up_u501
timeleft : 11:57:08
=== VO euasia extension information ===
VO : euasia
subject : /C=IT/O=INFN/OU=Personal Certificate/L=Catania/CN=Marco Fargetta
issuer : /C=TW/O=AS/OU=GRID/CN=voms.grid.sinica.edu.tw
attribute : /euasia/Role=NULL/Capability=NULL
timeleft : 11:54:12
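The "both lifetimes must be valid" rule above is easy to get wrong in a script that only checks the first timeleft line. The following is an added example, not part of the wiki page: a POSIX shell function that reads a voms-proxy-info -all dump on standard input, separates the proxy lifetime from the AC lifetime using the "=== VO ... ===" banner, and refuses the proxy when either is zero or when the AC belongs to a different VO than expected. The two sample dumps embedded below are constructed from the output shown on this page (the second mirrors a proxy fetched from MyProxy, which carries no AC yet); the function name and exit codes are this example's own.

```shell
#!/bin/sh
# Added example (not from the EUAGwiki page): decide whether a proxy is
# usable for a VO by checking BOTH lifetimes printed by voms-proxy-info -all.
# Exit codes: 0 usable, 1 proxy missing/expired, 2 VOMS AC missing/expired,
# 3 AC present but for a different VO.
# Usage: voms-proxy-info -all | proxy_usable euasia
proxy_usable() {
  awk -v want="$1" '
    # Everything after the "=== VO ... ===" banner describes the AC.
    /^=== VO /     { in_ac = 1 }
    /^VO *:/       { seen_vo = $3 }
    /^timeleft *:/ {
      # H:MM:SS -> seconds; anything else counts as zero
      n = split($3, t, ":")
      secs = (n == 3) ? t[1] * 3600 + t[2] * 60 + t[3] : 0
      if (in_ac) ac = secs; else proxy = secs
    }
    END {
      if (proxy <= 0)      { print "proxy missing or expired";   exit 1 }
      if (ac <= 0)         { print "VOMS AC missing or expired"; exit 2 }
      if (seen_vo != want) { print "AC is for VO " seen_vo ", not " want; exit 3 }
      printf "OK: proxy %ds left, AC %ds left for VO %s\n", proxy, ac, seen_vo
    }'
}

# Constructed sample: the "voms-proxy-info -all" output shown on this page.
sample_with_ac() {
  cat <<'EOF'
subject : /C=IT/O=INFN/OU=Personal Certificate/L=Catania/CN=Marco Fargetta/CN=proxy
issuer : /C=IT/O=INFN/OU=Personal Certificate/L=Catania/CN=Marco Fargetta
identity : /C=IT/O=INFN/OU=Personal Certificate/L=Catania/CN=Marco Fargetta
type : proxy
strength : 512 bits
path : /tmp/x509up_u501
timeleft : 11:57:08
=== VO euasia extension information ===
VO : euasia
subject : /C=IT/O=INFN/OU=Personal Certificate/L=Catania/CN=Marco Fargetta
issuer : /C=TW/O=AS/OU=GRID/CN=voms.grid.sinica.edu.tw
attribute : /euasia/Role=NULL/Capability=NULL
timeleft : 11:54:12
EOF
}

# Constructed sample: a proxy just retrieved from MyProxy, i.e. no AC yet.
sample_without_ac() {
  cat <<'EOF'
Error: VOMS extension not found!
type : unknown
strength : 1024 bits
path : /tmp/x509up_u501
timeleft : 11:59:28
EOF
}

# Usage: sample_with_ac | proxy_usable euasia
```

A job-submission wrapper can call the function before every submission; exit code 2 is the case the later section on delegation describes, a MyProxy-retrieved proxy that still needs voms-proxy-init --noregen.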
Delegation
The delegation mechanism allows users to store a long-lived proxy on a server for later use. It is based on the MyProxy server.
Register a long-lived proxy in the MyProxy server
The command myproxy-init allows you to create and store a long-term proxy certificate. The -s option specifies the name of the MyProxy server to use.
[marco@localhost ~]$ myproxy-init
Your identity: /C=IT/O=INFN/OU=Personal Certificate/L=Catania/CN=Marco Fargetta
Enter GRID pass phrase for this identity:
Creating proxy ............................... Done
Proxy Verify OK
Your proxy is valid until: Thu Jul 23 18:28:20 2009
Enter MyProxy pass phrase:
Verifying - Enter MyProxy pass phrase:
A proxy valid for 168 hours (7.0 days) for user marco now exists on myproxy.ct.infn.it.
The -d option allows you to create and store a long-term proxy under your DN. Without this option, the stored proxy is named after your username on the local machine.
[marco@localhost ~]$ myproxy-init -d
Your identity: /C=IT/O=INFN/OU=Personal Certificate/L=Catania/CN=Marco Fargetta
Enter GRID pass phrase for this identity:
Creating proxy ......................................................... Done
Proxy Verify OK
Your proxy is valid until: Thu Jul 23 18:29:10 2009
Enter MyProxy pass phrase:
Verifying - Enter MyProxy pass phrase:
A proxy valid for 168 hours (7.0 days) for user /C=IT/O=INFN/OU=Personal Certificate/L=Catania/CN=Marco Fargetta now exists on myproxy.ct.infn.it.
The -l option allows you to create and store a long-term proxy under a name specified by the user, so each user can create and store several proxies in a MyProxy server; each remote proxy is linked to the specified username.
Proxy renewal by the WMS
The proxy stored on the MyProxy server requires a pass phrase to be retrieved. Hence the WMS would need to know this pass phrase in order to renew the user proxy for the running application.
To allow proxy renewal by the WMS, the proxy stored on the server has to be created with the options -d -n. The first option lets the WMS identify the proxy by the subject of the user certificate, whereas the second disables the pass phrase protecting access to the proxy.
A proxy stored in the MyProxy server for renewal cannot be used for delegation, since a pass phrase is required to get a delegated proxy (this behaviour can be changed in the server configuration).
For security reasons it is possible to specify the certificate of the host requiring the renewal, so that only a trusted machine can perform the operation.
Finally, the server has to be configured to accept renewal requests from delegating servers.
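The two server-side points above (restricting renewal to a trusted host, and enabling renewal at all) map onto the renewer policy in myproxy-server.config. The fragment below is an added example and not configuration taken from the wiki or from the myproxy.ct.infn.it server; the WMS host DN is a placeholder, and the accepted_credentials pattern is an assumption chosen to match the INFN CA subjects shown on this page.

```text
# myproxy-server.config fragment (added example, not from the EUAGwiki page).
# "/C=XX/O=Example/CN=wms.example.org" is a PLACEHOLDER for the subject of the
# WMS host certificate that is allowed to renew proxies.

# Whose credentials the server will store at all (assumed pattern for this CA).
accepted_credentials "/C=IT/O=INFN/*"

# Weak setting: any client holding a valid certificate may act as renewer
# for credentials stored with -n (no pass phrase).
# authorized_renewers "*"

# Preferred setting: only the WMS host certificate may renew, and then only
# credentials whose owner explicitly allowed it at upload time
# (myproxy-init -d -n -R '/C=XX/O=Example/CN=wms.example.org').
authorized_renewers "/C=XX/O=Example/CN=wms.example.org"

# Retrieval by users is a separate policy and still requires the MyProxy
# pass phrase, so renewal-only credentials cannot be delegated this way.
authorized_retrievers "*"
```

The -R option on myproxy-init records the allowed renewer in the stored credential; authorized_renewers on the server is the outer bound that every such request is checked against, so a credential uploaded with -n but no -R is still not renewable by arbitrary hosts.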
Get a delegated proxy from the MyProxy server
The proxy can be retrieved from the server with the command myproxy-get-delegation. To be sure about the origin of the proxy, first destroy any existing proxy on the UI:
[marco@localhost ~]$ voms-proxy-destroy
[marco@localhost ~]$ voms-proxy-info
Couldn't find a valid proxy.
Now you can get the proxy previously stored on the server:
[marco@localhost ~]$ myproxy-get-delegation
Enter MyProxy pass phrase:
A credential has been received for user marco in /tmp/x509up_u501.
Take care to use the same name used at creation time (-d or -l options), because proxies stored under different names are considered different proxies.
The retrieved proxy carries no AC from VOMS; the user has to add it.
[marco@localhost ~]$ voms-proxy-info --all
WARNING: Unable to verify signature! Server certificate possibly not installed.
Error: VOMS extension not found!
subject : /C=IT/O=INFN/OU=Personal Certificate/L=Catania/CN=Marco Fargetta/CN=proxy/CN=proxy/CN=proxy
issuer : /C=IT/O=INFN/OU=Personal Certificate/L=Catania/CN=Marco Fargetta/CN=proxy/CN=proxy
identity : /C=IT/O=INFN/OU=Personal Certificate/L=Catania/CN=Marco Fargetta/CN=proxy/CN=proxy
type : unknown
strength : 1024 bits
path : /tmp/x509up_u501
timeleft : 11:59:28
The voms-proxy-init command can be used to add the VOMS AC to an existing proxy with the option --noregen.
[marco@localhost ~]$ voms-proxy-init --noregen --voms euasia
Cannot find file or dir: /home/marco/.glite/vomses
Your identity: /C=IT/O=INFN/OU=Personal Certificate/L=Catania/CN=Marco Fargetta/CN=proxy/CN=proxy/CN=proxy
Contacting voms.grid.sinica.edu.tw:15015 [/C=TW/O=AS/OU=GRID/CN=voms.grid.sinica.edu.tw] "euasia" Done
Creating proxy ....................................... Done
Warning: your certificate and proxy will expire Fri Jul 17 06:30:24 2009 which is within the requested lifetime of the proxy
[marco@localhost ~]$ voms-proxy-info --all
subject : /C=IT/O=INFN/OU=Personal Certificate/L=Catania/CN=Marco Fargetta/CN=proxy/CN=proxy/CN=proxy/CN=proxy
issuer : /C=IT/O=INFN/OU=Personal Certificate/L=Catania/CN=Marco Fargetta/CN=proxy/CN=proxy/CN=proxy
identity : /C=IT/O=INFN/OU=Personal Certificate/L=Catania/CN=Marco Fargetta/CN=proxy/CN=proxy/CN=proxy
type : unknown
strength : 512 bits
path : /tmp/x509up_u501
timeleft : 11:57:18
=== VO euasia extension information ===
VO : euasia
subject : /C=IT/O=INFN/OU=Personal Certificate/L=Catania/CN=Marco Fargetta
issuer : /C=TW/O=AS/OU=GRID/CN=voms.grid.sinica.edu.tw
attribute : /euasia/Role=NULL/Capability=NULL
timeleft : 11:56:26
Gather information about the proxy in the MyProxy server
After the second-level proxy has been created on a MyProxy server, its information can be gathered from the server with the myproxy-info command. To use the command, a valid proxy has to be available on the user interface in order to set up a secure connection to the server; therefore, before running the command you have to get the proxy from the server or create a new one.
[marco@localhost ~]$ myproxy-info
username: marco
owner: /C=IT/O=INFN/OU=Personal Certificate/L=Catania/CN=Marco Fargetta
timeleft: 167:59:31 (7.0 days)
If you have generated a proxy with the -d option, its information can be gathered using the same option.
[marco@localhost ~]$ myproxy-info -d
username: /C=IT/O=INFN/OU=Personal Certificate/L=Catania/CN=Marco Fargetta
owner: /C=IT/O=INFN/OU=Personal Certificate/L=Catania/CN=Marco Fargetta
timeleft: 167:34:33 (7.0 days)
In the same way, if you used the -l option then you have to pass the same option again to get the proxy information.
Destroy the remote proxy
Finally, you can destroy your remote proxy with the myproxy-destroy command.
[marco@localhost ~]$ myproxy-info
username: marco
owner: /C=IT/O=INFN/OU=Personal Certificate/L=Catania/CN=Marco Fargetta
timeleft: 167:52:15 (7.0 days)
[marco@localhost ~]$ myproxy-destroy
Default MyProxy credential for user marco was successfully removed.
[marco@localhost ~]$ myproxy-info
ERROR from myproxy-server (myproxy.ct.infn.it):
no credentials found for user marco, owner "/C=IT/O=INFN/OU=Personal Certificate/L=Catania/CN=Marco Fargetta"
As with the other commands, take care to destroy the correct proxy by specifying the same name (-d or -l) used at creation time.
