 |
|
 |
| |
| Main Page |
| Authentication and Authorization |
| VOMS Commands |
Security Concepts
Authentication and AuthorizationFor the Grid to be an effective framework for largely
distributed computation, users, user processes and grid services must
work in a secure environment. Due to this, all interactions between
components, especially those that are network separated, will be
mutually authenticated: depending on the specific interaction, an
entity authenticates itself to the other peer using either its own
credential or a delegated user credential or both.
The user or service identity and their public key are included in a
X.509 certificate signed by a trusted Certification Authority (CA),
whose purpose is to guarantee the association between that public key
and its owner. Usually X.509 Certificates are downloaded using a
browser and managed by the browser itself. Anyway it is possible to
export your certificate in a file PKCS12 (which will probably have the
extension .p12 or .pfx). Unfortunately PKCS12 format is not accepted by
Globus security infrastructure, but you can easily convert it into the
supported standard (PEM). This operation will split your *.p12 file in
two files: the certificate (usercert.pem) and the private key
(userkey.pem), that you must copy under the predefined directory
".globus".
$ ll .globus
total 12
-rw-r--r-- 1 vardizzo users 1650 Apr 18 18:27 usercert.pem
-r-------- 1 vardizzo users 1917 Apr 18 18:26 userkey.pem
Permission must be set as shown not only for security reasons,
but also because the commands to create a proxy will fail if your
private key is not protected as listed above.
Authorization plays a key role in the process of gaining access to
resources in a computational grid: it is based on policies written by
VO's and their agreements with the resource provider’s, that enforce
local authorization. In general a user may be member of any number of
VO’s where a VO can have a complex structure with groups and subgroups
in order to clearly divide its users according to their tasks.
Moreover, a user can be a member of any number of these groups. A user,
both at VO and group level, may be characterized by any number of roles
and capabilities.
Virtual
Organization Membership Service (VOMS) is a system to define
groups, roles and capabilities. Combinations of the names of these
serves as attributes for users, and the combinations of these names
define unique attributes.
voms-proxy-init
This command is used to contact the VOMS server and retrieve an Attribute Certificate (AC) containing user attributes that will be included in the proxy certificates. The proxy certificate will be written in /tmp/x509up_uXXX, where XXX is the Unix UID of the user, unless the environment variable X509 USER PROXY is defined, in which case its value is taken as the proxy file name.
STEP 1: create your local proxy with voms extension using the following command (remember that, for this school, the passphrases of all generic certificates are equal to ISCHIA (all in capitals)):
$ voms-proxy-init --voms gilda
Cannot find file or dir: /home/vardizzo/.glite/vomses
Your identity: /C=IT/O=GILDA/OU=Personal Certificate/L=INFN Catania /CN=Valeria Ardizzone/Email=valeria.ardizzone@ct.infn.it
Enter GRID pass phrase:
Creating temporary proxy .................................. Done
Contacting voms.ct.infn.it:15001 [/C=IT/O=GILDA/OU=Host/L=INFN Catania /CN=voms.ct.infn.it/Email=emidio.giorgio@ct.infn.it] "gilda" Done
Creating proxy ..................................................... Done
Your proxy is valid until Fri Jun 14 08:35:24 2006
voms-proxy-info
This command is used to print to the screen the informations included in an already generated VOMS proxy.
STEP 2: Verify your local proxy with the following command. If you want also check your voms extension using the option -all:
$ voms-proxy-info -all
subject : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN Catania/CN=Valeria Ardizzone /Email=valeria.ardizzone@ct.infn.it/CN=proxy
issuer : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN Catania/CN=Valeria Ardizzone /Email=valeria.ardizzone@ct.infn.it
identity : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN Catania/CN=Valeria Ardizzone /Email=valeria.ardizzone@ct.infn.it
type : proxy
strength : 512 bits
path : /tmp/x509up_u515
timeleft : 11:57:56
=== VO gilda extension information ===
VO : gilda
subject : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN Catania/CN=Valeria Ardizzone /Email=valeria.ardizzone@ct.infn.it
issuer : /C=IT/O=GILDA/OU=Host/L=INFN Catania/CN=voms.ct.infn.it /Email=emidio.giorgio@ct.infn.it
attribute : /gilda/Role=NULL/Capability=NULL
attribute : /gilda/tutors/Role=NULL/Capability=NULL
timeleft : 11:57:56
voms-proxy-destroy
This command destroys an already existing VOMS local proxy.
STEP 3: Destroy your local proxy and verify that it was removed with the following commands:
$ voms-proxy-destroy
$ voms-proxy-info -all
Couldn't find a valid proxy.