Virtual Organisations VO and certificate request process in practice Jozsef Patvarczki MTA SZTAKI - PowerPoint PPT Presentation
Provided by: egee
1
Virtual Organisations (VO) and certificate
request process in practice Jozsef Patvarczki
MTA SZTAKI
EGEE is a project funded by the European Union
under contract IST-2003-508833
2
Goals of this module and Overview
  • Outline
  • Virtual Organizations
  • Registering process in practice
  • The HunGrid VO
  • Importance of Certificate Authorities
  • How to obtain a certificate
  • The EUGridPMA
  • User Certificate request
  • The Virtual Organization Membership Service
  • Proxy certificate
  • Required steps for the complete registration

3
What is a Virtual Organization?
  • A Virtual Organization (VO) is a collection of
    people in the same administrative domain
  • The EGEE Grid works with Virtual Organisations
    (VO)
  • A VO is simply a group of Grid users with similar
    interests and requirements
  • who are able to work collaboratively with other
    members of the group
  • and/or share resources (data, software, CPU,
    storage space, etc.) regardless of geographical
    location
  • You need to be a member of a VO before you are
    allowed to submit jobs to the Grid
  • Several VOs are already established (Alice,
    Atlas, Babar, HunGrid, Central Europe VO)

4
Virtual Organization for New Grid Communities
  • I am a representative of a community (e.g. a
    scientific community) that wants to create its
    own Virtual Organization
  • for example a computing centre that wants to give
    its users access to its Grid infrastructures
  • Depending on the nature of the VO itself, we can
    distinguish two kinds of VOs
  • Local VOs: limited to the South West Federation
  • Wider VOs: spanning all of EGEE, containing members
    of other federations that may be involved in this
    community
  • Virtual Organization Registration Procedure
  • Name the VO, follow the VO acceptance procedure,
    Set-up, Populate, Integrate, Organize
  • http://grid-deployment.web.cern.ch/grid-deployment
    /cgi-bin/index.cgi?var=gis/vo-deploy

5
Virtual Organization for System Administrators
  • I am a system administrator who wants to give a
    given Virtual Organization access to my resources
  • In order to support the new Virtual
    Organizations, the system administrator must
    configure the testbed to make its resources
    available to these VOs
  • Currently the testbed can be configured
    automatically with the configuration tools and
    profiles, which aid the automatic installation
    and configuration of the testbed

6
Virtual Organization for Grid Users
  • I am a Grid user who wants to belong to a
    Virtual Organization
  • To be authorized to submit jobs to the Grid you
    have to belong to a Virtual Organisation (VO)
  • The request will be evaluated by the VO manager,
    who decides whether the user may join or not
  • To be able to register in one of the VOs the user
    has to own a valid certificate, issued by one of
    the known and accepted Certificate Authorities
    (CA)
  • A list of supported VOs can be found here
  • https://lcg-registrar.cern.ch/virtual_organization
    .html

7
User Registration
8
The HunGrid Virtual Organization
  • A new virtual organisation (VO) of EGEE
  • Created by KFKI-RMKI, SZTAKI and ELTE
  • The HunGrid VO is open to anybody who would like
    to use the LHC Grid for educational purposes
    and/or scientific research
  • HunGrid provides Grid services 24/7
  • Sequential and MPI job submission
  • Storage services
  • Information system
  • Data management service
  • Register at http://www.lcg.kfki.hu
  • To register in the HunGrid VO one has to own a
    valid certificate, issued by one of the known and
    accepted Certificate Authorities

9
Registering process in practice: Step 1, Get a
certificate
  • In order to control access to the Grid,
    every user has to identify her/himself before
    submitting a job
  • This is realized via the use of certificates
  • The certificate is a digital personal
    identification card
  • The certificates are issued by the Certificate
    Authorities
  • Obtain a certificate from an accepted CA
  • Get a certificate from the NIIF CA at
    http://www.ca.niif.hu
  • The NIIF CA provides PKI (Public Key
    Infrastructure) services for the Hungarian
    academic community
  • The NIIF CA is operated by the National
    Information Infrastructure Development Office,
    http://www.niif.hu

10
How to obtain a certificate?
  • Read the relevant policy documents (Certification
    Practice Statement, CPS)
  • Make sure you understand and accept all the rules
    and obligations
  • Download the Pre-Authorization Request Form
  • fill it out and sign it
  • attach the requested documents and send it to the
    CA's Registration Authority
  • the Registration Authority (RA) is responsible
    for the communication with the certificate
    requestors and owners.
  • it is also responsible for the identification and
    authorization of the certificate subjects.
  • Wait for the response
  • Follow the instructions in the response mail, i.e.
    visit the specified web page and prepare and
    submit your on-line CA request
  • Visit the RA administrator personally during the
    published RA office hours, in order to identify
    yourself. Don't forget to take your photo ID with
    you!
  • Wait for your signed certificate, which will be
    sent to you by email

11
How to obtain a certificate?
  • Requested documents for the Pre-Authorization
    Request Form (you must provide appropriate
    documentary evidence of identity when you apply
    for a certificate through a Registration
    Authority)
  • Copy of the photo ID
  • Statement about the employment status
  • Data Protection Information and Statement form
    (if the requestor is not listed in the NIIF
    Directory)
  • Statement about the domain name ownership (in
    case of a server certificate)
  • Statement about the domain name usability (in
    case of a server certificate)

12
The EU Grid PMA
  • The European Policy Management Authority for Grid
    Authentication in e-Science, http://www.eugridpma.
    org
  • Its main activity: the EUGridPMA coordinates a
    Public Key Infrastructure (PKI) for use with Grid
    authentication middleware
  • All of the CAs must fulfill the requirements of
    the EU Grid PMA, for example
  • Requirements on the CA certificate and its profile
  • Revocation
  • The CA must publish a CRL (Certificate Revocation
    List)
  • The CA must react as soon as possible, but within
    one working day, to any revocation request
    received
  • etc.

13
Certificate Request in practice
  • Obtaining a certificate involves creating a
    request with the grid-cert-request command
  • This will generate the following files
  • userkey.pem contains the private key associated
    with the certificate; its permissions should be
    set so that only the owner can read it
    (i.e. chmod 400 userkey.pem)
  • userreq.pem (newreq.pem) contains the request
    for the user certificate
  • Then the userreq.pem file is sent (usually by
    e-mail using a particular format) to the desired
    CA, which will, after approval, return the signed
    new certificate usercert.pem
  • To be used in the LCG-2 Grid, the certificate
    must be in PEM format
  • The userkey.pem and the usercert.pem need to be
    stored in the .globus directory under the home
    directory of the user

14
User Certificate request with grid-cert-request
in practice
15
User Certificate request with openssl in practice
  • OpenSSL is a cryptography toolkit implementing
    the Secure Sockets Layer (SSL v2/v3) and
    Transport Layer Security (TLS v1) network
    protocols and the related cryptography standards
    required by them
  • It can be used for
  • Creation of RSA, DH and DSA key parameters
  • Creation of X.509 certificates, etc.
  • openssl req -new -keyout newkey.pem -out
    newreq.pem -days 7 -config /usr/share/ssl/openssl.
    cnf
  • openssl req -new -newkey rsa:1024 -subj
    '/CN=www.mydom.com/O=My Dom, Inc./C=US/ST=Oregon/L=
    Portland' -keyout mykey.pem -out myreq.pem
  • An important property of a certificate is the
    subject, a string containing information about
    the user

16
User Certificate request with openssl in practice
17
certreq.pem
  • How can the user view the request in
    human-readable format?
  • Log in
  • cd .globus
  • openssl req -in newreq.pem -noout -text -config
    /usr/share/ssl/openssl.cnf

18
certreq.pem
19
Verify your private key
  • openssl req -in newreq.pem -noout -verify -key
    userkey.pem -config /usr/share/ssl/openssl.cnf

20
Further steps
  • Once the user has received the signed
    certificate (usercert.pem)
  • the usercert.pem needs to be placed in the
    .globus directory of the user
  • The certificate that you present to others
    contains
  • Your distinguished name (DN)
  • Your public key
  • The identity of the CA who issued the certificate
  • Its expiry date
  • The digital signature of the CA which issued it
  • Continue the process of the VO registration

21
Commands to get the certificate information
  • For the full breadth of information
  • openssl x509 -text -in usercert.pem
  • Other options will provide more targeted sets of
    data.
  • Who issued the cert?
  • openssl x509 -noout -in usercert.pem -issuer
  • To whom was it issued?
  • openssl x509 -noout -in usercert.pem -subject
  • For what dates is it valid?
  • openssl x509 -noout -in usercert.pem -dates
  • The above, all at once
  • openssl x509 -noout -in usercert.pem -issuer
    -subject -dates
  • What is its hash value?
  • openssl x509 -noout -in usercert.pem -hash

22
Registering process in practice: Step 2, Register
in a Virtual Organisation
  • You have to be a member of at least one Virtual
    Organisation in order to be able to use the Grid
  • After that you can use the resources of all those
    sites which support the VO (in this case the
    HunGrid VO) where you are registered
  • For the registration it is necessary to use a WWW
    browser with the user certificate installed, so
    that the request is properly authenticated
  • The root certificate of the CA needs to be
    installed in the browser
  • Browsers (including Internet Explorer and
    Netscape) use a different certificate format
    from the LCG grid software. Browsers require a
    format called PKCS12, whereas grid software uses
    PEM format
  • Use the openssl pkcs12 -export -inkey userkey.pem
    -in usercert.pem -out my_cert.p12 command for
    the conversion
  • Instructions to load certificates into some
    common browsers
  • http://lcg.web.cern.ch/LCG/users/registration/load
    -cert.html

Remark: how to convert PKCS12 format to PEM
format: openssl pkcs12 -in cert.p12 -clcerts
-nokeys -out usercert.pem and openssl pkcs12 -in
cert.p12 -nocerts -out userkey.pem
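The key and request generation of slides 13 and 15, the request and certificate inspection of slides 17 to 21 and the PKCS12 conversion of slide 22, run end to end as one added script (not part of the original slides). The CA signing step is a constructed self-signed stand-in for the NIIF CA, and the DN, file names and PKCS12 password are constructed example values.

```shell
#!/bin/sh
# Added walkthrough, not from the slides: user key + request, inspection,
# a key/cert match check and the PKCS12 round trip. The "CA" is a
# constructed self-signed stand-in for the NIIF CA; DN and password are
# constructed. Runs offline in a temp dir that is left for inspection.
set -e
WORK=$(mktemp -d); cd "$WORK"
SUBJ='/C=HU/O=HunGrid/OU=sztaki.hu/CN=Jane Doe'   # constructed example DN
# Step 1: generate the private key and the request the CA will receive;
# the key is made readable by its owner only, as the slides require.
make_request() {
    openssl req -new -newkey rsa:2048 -nodes -subj "$SUBJ" \
        -keyout userkey.pem -out newreq.pem 2>/dev/null
    chmod 400 userkey.pem
}
# What the RA compares against the identity documents (RFC 2253 form).
request_subject() {
    openssl req -in newreq.pem -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}
# Stand-in for the CA: sign the request with a constructed self-signed CA key.
sign_as_ca() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -subj '/C=HU/O=Example CA' \
        -keyout cakey.pem -out cacert.pem -days 1 2>/dev/null
    openssl x509 -req -in newreq.pem -CA cacert.pem -CAkey cakey.pem \
        -CAcreateserial -days 1 -out usercert.pem 2>/dev/null
}
# Slide 21 style check: who issued the certificate.
cert_issuer() {
    openssl x509 -noout -in usercert.pem -issuer -nameopt RFC2253 | sed 's/^issuer=//'
}
# The returned certificate must carry the public key of our private key:
# compare the SHA-256 of the public key extracted from each file.
key_matches_cert() {
    k=$(openssl pkey -in userkey.pem -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in usercert.pem -pubkey -noout | openssl sha256)
    [ "$k" = "$c" ]
}
# Browser format (slide 22) and back again; the same certificate must come out.
pkcs12_round_trip() {
    openssl pkcs12 -export -inkey userkey.pem -in usercert.pem \
        -out my_cert.p12 -passout pass:demo
    openssl pkcs12 -in my_cert.p12 -clcerts -nokeys -passin pass:demo \
        -out back.pem 2>/dev/null
    [ "$(openssl x509 -in back.pem -noout -fingerprint)" = \
      "$(openssl x509 -in usercert.pem -noout -fingerprint)" ]
}
make_request; sign_as_ca
echo "request subject: $(request_subject)"; echo "issuer: $(cert_issuer)"
key_matches_cert && pkcs12_round_trip && echo "key matches, PKCS12 round trip ok"
```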
23
Further steps
  • Step 3: Get an account on the User Interface
  • Step 4: Log in and create the directory .globus
  • Step 5: Copy the usercert.pem and userkey.pem
    into the .globus directory
  • Generate a proxy certificate and submit a job

24
Generate a proxy certificate to submit a job
  • A proxy certificate is a delegated user
    credential that authenticates the user in every
    secure interaction, and has a limited lifetime
  • The command to create a proxy certificate is
    grid-proxy-init, which prompts for the user pass
    phrase
  • If the command is successful, the output will be
    like
  • Your identity: /O=Grid/O=CERN/OU=cern.ch/CN=John Doe
    Enter GRID pass phrase for this identity:
  • Creating proxy ...............................
    ................ Done
  • Your proxy is valid until: Tue Jun 24
    23:48:44 2003
  • The proxy certificate will be written to
    /tmp/x509up_u<uid>, where <uid> is the Unix UID
    of the user

25
The Virtual Organization Membership Service
(VOMS)
  • Provides information on the user's relationship
    with her Virtual Organization
  • Single login: using voms-proxy-init only at the
    beginning of the session (was grid-proxy-init)
  • Expiration time: the authorization information is
    only valid for a limited period of time, as is the
    proxy certificate itself
  • Multiple VOs: the user may "log in" to multiple
    VOs and create an aggregate proxy certificate,
    which enables her to access resources in any of
    them
  • The service is basically a simple account
    database, which serves the information in a
    special format (VOMS credential)

26
Grid proxy commands
  • Create a proxy certificate using the command
    grid-proxy-init
  • To see information about your proxy:
    grid-proxy-info
  • To destroy an existing proxy certificate before
    its expiration: grid-proxy-destroy
  • Creating a long-term proxy and storing it in a
    Proxy Server: myproxy-init -s <host_name> -d -n

27
Required steps for the complete registration
LDAP (Lightweight Directory Access Protocol) is a
directory service which allows locating
organizations, individuals, and other resources
such as files and devices in a network
28
Get your user certificate from the NIIF CA
We will go to the CA to get the user certificates
(10 persons per group). In the meantime we will
verify the newreq.pem file with openssl commands.
THANK YOU VERY MUCH FOR YOUR ATTENTION!