Title: Virtual Organisations VO and certificate request process in practice Jozsef Patvarczki MTA SZTAKI
1 Virtual Organisations (VO) and certificate request process in practice
Jozsef Patvarczki
MTA SZTAKI
EGEE is a project funded by the European Union under contract IST-2003-508833
2 Goals of this module and Overview
- Outline
  - Virtual Organizations
  - Registering process in practice
  - The HunGrid VO
  - Importance of Certificate Authorities
  - How to obtain a certificate
  - The EUGridPMA
  - User Certificate request
  - The Virtual Organization Membership Service
  - Proxy certificate
  - Required steps for the complete registration
3 What is the Virtual Organization?
- A Virtual Organization (VO) is a collection of people in the same administrative domain
- The EGEE Grid works with Virtual Organisations (VO)
- A VO is simply a group of Grid users with similar interests and requirements
  - who are able to work collaboratively with other members of the group
  - and/or share resources (data, software, CPU, storage space, etc.) regardless of geographical location
- You need to be a member of a VO before you are allowed to submit jobs to the Grid
- There are several VOs already established (Alice, Atlas, Babar, HunGrid, Central Europe VO)
4 Virtual Organization for New Grid Communities
- I am a representative of a community (e.g. a scientific community) that wants to create its own Virtual Organization
  - for example a computing centre that wants to give its users access to its Grid infrastructures
- Depending on the nature of the VO itself, we can distinguish two kinds of VOs
  - Local VOs to the South West Federation.
  - Wider VOs to all EGEE, containing members of other federations that may be involved in this community
- Virtual Organization Registration Procedure
  - Name the VO, follow the VO acceptance procedure, Set-up, Populate, Integrate, Organize
  - http://grid-deployment.web.cern.ch/grid-deployment/cgi-bin/index.cgi?var=gis/vo-deploy
5 Virtual Organization for System Administrators
- I am a system administrator that wants to give access to my resources to a given Virtual Organization
- In order to support the new Virtual Organizations, the system administrator must configure the testbed to make the resources available to these VOs
- Currently the procedure of configuring the testbed can be done automatically with the configuration tools and profiles, which aid the automatic installation and configuration of the testbed
6 Virtual Organization for Grid Users
- I am a Grid user that wants to belong to a Virtual Organization
- To be authorized to submit jobs to the Grid you have to belong to a Virtual Organisation (VO)
- The request will be evaluated by the VO manager, who decides whether the user can join or not
- To be able to register in one of the VOs the user has to own a valid certificate, issued by one of the known and accepted Certificate Authorities (CA)
- A list of supported VOs can be found here
  - https://lcg-registrar.cern.ch/virtual_organization.html
7 User Registration
8 The HunGrid Virtual Organization
- A new virtual organisation (VO) of EGEE
- Created by KFKI-RMKI, SZTAKI and ELTE
- The HunGrid VO is open for anybody who would like to use the LHC Grid for educational purposes and/or scientific research
- The HunGrid provides 24/7 Grid services
  - SEQ and MPI job submission
  - Storage services
  - Information system
  - Data management service
- Register at http://www.lcg.kfki.hu
- To register in the HunGrid VO one has to own a valid certificate, issued by one of the known and accepted Certificate Authorities
9 Registering process in practice: Step 1: Get a certificate
- In order to control access to the Grid, every user has to identify her/himself before submitting a job
- This is realized via the use of certificates
- The certificate is a digital personal identification card
- The certificates are issued by the Certificate Authorities
- Obtain a certificate from an accepted CA
  - Get a certificate from the NIIF CA at http://www.ca.niif.hu
  - The NIIF CA provides PKI (Public Key Infrastructure) services for the Hungarian academic community
  - The NIIF CA is operated by the National Information Infrastructure Development Office, http://www.niif.hu
10 How to obtain a certificate?
- Read the relevant policy documents (Certification Practice Statement, CPS)
  - Make sure you understand and accept all the rules and obligations
- Download the Pre-Authorization Request Form
  - fill it out and sign it
  - attach the requested documents and send it to the CA Registration Authority
    - the Registration Authority (RA) is responsible for the communication with the certificate requestors and owners.
    - it is also responsible for the identification and authorization of the certificate subjects.
- Wait for the response
- Follow the instructions in the response mail, i.e. visit the specified web page and prepare and submit your on-line CA request
- Visit the RA administrator personally during the published RA office hours, in order to identify yourself. Don't forget to take your photo ID with you!
- Wait for your signed certificate, which will be sent to you by email
11 How to obtain a certificate?
- Requested documents for the Pre-Authorization Request Form (you must provide appropriate documentary evidence of identity when you apply for a certificate through a Registration Authority)
  - Copy of the Photo ID
  - Statement about the employment status
  - Data Protection Information and Statement form (in case the requestor is not included in the NIIF Directory)
  - Statement about the domain name ownership (in case of a server certificate)
  - Statement about the domain name usability (in case of a server certificate)
12 The EU Grid PMA
- The European Policy Management Authority for Grid Authentication in e-Science, http://www.eugridpma.org
- Its main activity: the EUGridPMA coordinates a Public Key Infrastructure (PKI) for use with Grid authentication middleware
- All of the CAs must fulfill the requirements of the EU Grid PMA, for example
  - Requirements on the CA certificate and its profile
  - Revocation
    - The CA must publish a CRL (Certificate Revocation List)
    - The CA must react as soon as possible, but within one working day, to any revocation request received
  - etc.
13 Certificate Request in practice
- Obtaining a certificate involves creating a request with the grid-cert-request command
- This will generate the following files
  - userkey.pem contains the private key associated with the certificate; this should be set with permissions so that only the owner can read it (i.e. chmod 400 userkey.pem)
  - userreq.pem (newreq.pem) contains the request for the user certificate
- Then the userreq.pem file is sent (usually by e-mail using a particular format) to the desired CA, which will, after approval, return the signed new certificate usercert.pem
- To be used in the LCG-2 Grid, the certificate must be in PEM format
- The userkey.pem and the usercert.pem need to be stored in the .globus directory under the home directory of the user
14 User Certificate request with grid-cert-request in practice
15 User Certificate request with openssl in practice
- OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) network protocols and related cryptography standards required by them
- It can be used for
  - Creation of RSA, DH and DSA key parameters
  - Creation of X.509 certificates, etc.
- openssl req -new -keyout newkey.pem -out newreq.pem -days 7 -config /usr/share/ssl/openssl.cnf
- openssl req -new -newkey rsa:1024 -subj '/CN=www.mydom.com/O=My Dom, Inc./C=US/ST=Oregon/L=Portland' -keyout mykey.pem -out myreq.pem
- An important property of a certificate is the subject, a string containing information about the user
16 User Certificate request with openssl in practice
17 certreq.pem
- How can the user view the request in human-readable format?
  - login
  - cd .globus
  - openssl req -in newreq.pem -noout -text -config /usr/share/ssl/openssl.cnf
18 certreq.pem
19 Verify your private key
- openssl req -in newreq.pem -noout -verify -key userkey.pem -config /usr/share/ssl/openssl.cnf
20 Further steps
- After the user has got the signed certificate (usercert.pem)
  - the usercert.pem needs to be in the .globus directory of the user
- The certificate that you present to others contains
  - Your distinguished name (DN)
  - Your public key
  - The identity of the CA who issued the certificate
  - Its expiry date
  - Digital signature of the CA which issued it
- Continue the process of the VO registration
21 Commands to get the certificate information
- For the full breadth of information
  - openssl x509 -text -in usercert.pem
- Other options will provide more targeted sets of data.
  - who issued the cert?
    - openssl x509 -noout -in usercert.pem -issuer
  - to whom was it issued?
    - openssl x509 -noout -in usercert.pem -subject
  - for what dates is it valid?
    - openssl x509 -noout -in usercert.pem -dates
  - the above, all at once
    - openssl x509 -noout -in usercert.pem -issuer -subject -dates
  - what is its hash value?
    - openssl x509 -noout -in usercert.pem -hash
22 Registering process in practice: Step 2: Register in a Virtual Organisation
- You have to be a member of at least one Virtual Organisation in order to be able to use the Grid
- After that you can use the resources of all those sites which support the VO (in this case the HunGrid VO) where you are registered
- For registering it is necessary to use a WWW browser with the user certificate installed, for the request to be properly authenticated
- The root certificate of the CA needs to be installed in the browser
- Browsers (including Internet Explorer and Netscape) use a different format for certificates than LCG grid software. Browsers require a format called PKCS12 whereas grid software uses PEM format
- Use the openssl pkcs12 -export -inkey userkey.pem -in usercert.pem -out my_cert.p12 command for the conversion
- Instructions to load certificates into some common browsers
  - http://lcg.web.cern.ch/LCG/users/registration/load-cert.html
Remark: How to convert PKCS12 format to PEM format: openssl pkcs12 -in cert.p12 -clcerts -nokeys -out usercert.pem and openssl pkcs12 -in cert.p12 -nocerts -out userkey.pem
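The request, inspection, verification and format-conversion commands of slides 13 to 22, exercised end to end as an added example (not code from the slides, from grid-cert-request or from the NIIF CA): it runs in a temporary directory standing in for ~/.globus, signs the request with a throwaway CA created inside the script in place of the NIIF CA, and assumes a POSIX sh with the openssl command-line tool. The subject names, the toy CA name and the PKCS#12 password are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original slides: the user certificate
# workflow of slides 13 to 22 carried out with plain openssl commands in a
# temporary directory that stands in for ~/.globus. No real CA is involved: a
# throwaway CA created below signs the request in place of the NIIF CA (in the
# real process newreq.pem goes to the CA and usercert.pem comes back after the
# RA has identified you in person). Assumes POSIX sh and the openssl CLI; the
# subject names and the PKCS#12 password are constructed for the example.
set -eu

WORK="${WORK:-$(mktemp -d)}"                               # stand-in for $HOME/.globus
USER_SUBJ='/C=HU/O=Example Org/OU=example.hu/CN=Jane Doe'  # constructed
CA_SUBJ='/C=HU/O=Example Org/CN=Example Toy CA'            # constructed
P12_PASS='example-p12-pw'                                  # constructed

# Minimal config so nothing depends on the system openssl.cnf (the slides pass
# -config /usr/share/ssl/openssl.cnf); v3_ca is used only by the toy CA.
CONF="$WORK/openssl.cnf"
cat > "$CONF" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

# Slide 13: private key readable only by its owner, then the request. The key
# is left without a pass phrase only so that the example runs unattended.
make_request() {
    rm -f "$WORK/userkey.pem" "$WORK/newreq.pem"
    (umask 077; openssl genrsa -out "$WORK/userkey.pem" 2048 2>/dev/null)
    chmod 400 "$WORK/userkey.pem"
    openssl req -new -key "$WORK/userkey.pem" -subj "$USER_SUBJ" \
        -out "$WORK/newreq.pem" -config "$CONF" 2>/dev/null
}

# Permission string of the key: "-r--------" after chmod 400.
key_mode() { ls -l "$WORK/userkey.pem" | cut -c1-10; }

# Slide 17: the request in readable form (subject, public key, self-signature).
show_request() { openssl req -in "$WORK/newreq.pem" -noout -text -config "$CONF"; }

# Slide 19: the request's self-signature checks out against our private key,
# i.e. newreq.pem really belongs to userkey.pem.
verify_request() {
    openssl req -in "$WORK/newreq.pem" -noout -verify -key "$WORK/userkey.pem" \
        -config "$CONF" 2>&1 | grep -q 'verify OK'
}

# Stand-in for the CA: a self-signed CA certificate, then sign the request.
sign_request() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj "$CA_SUBJ" -days 365 \
        -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" -config "$CONF" 2>/dev/null
    openssl x509 -req -in "$WORK/newreq.pem" -CA "$WORK/cacert.pem" \
        -CAkey "$WORK/cakey.pem" -CAcreateserial -days 365 \
        -out "$WORK/usercert.pem" 2>/dev/null
}

# Slide 21: targeted views of the certificate; $1 is issuer, subject, dates or hash.
cert_field() { openssl x509 -noout -nameopt RFC2253 "-$1" -in "$WORK/usercert.pem"; }

# Is the certificate still valid $1 seconds from now? (exit status 0 = yes)
cert_valid_for() { openssl x509 -noout -checkend "$1" -in "$WORK/usercert.pem" >/dev/null; }

# What a Grid site does with usercert.pem: check that it chains to a trusted CA root.
verify_chain() { openssl verify -CAfile "$WORK/cacert.pem" "$WORK/usercert.pem" >/dev/null; }

# Slide 22: browsers want PKCS#12, Grid software wants PEM; convert and back.
to_pkcs12() {
    openssl pkcs12 -export -inkey "$WORK/userkey.pem" -in "$WORK/usercert.pem" \
        -out "$WORK/my_cert.p12" -passout "pass:$P12_PASS"
}
from_pkcs12() {
    openssl pkcs12 -in "$WORK/my_cert.p12" -clcerts -nokeys \
        -out "$WORK/usercert_from_p12.pem" -passin "pass:$P12_PASS" 2>/dev/null
    openssl pkcs12 -in "$WORK/my_cert.p12" -nocerts -nodes \
        -out "$WORK/userkey_from_p12.pem" -passin "pass:$P12_PASS" 2>/dev/null
}
# SHA-256 fingerprint of a certificate file: the quick check that two copies match.
fingerprint() { openssl x509 -noout -fingerprint -sha256 -in "$1"; }

# Walk through the whole flow when run directly.
make_request
show_request | head -n 12
verify_request && echo "newreq.pem verifies against userkey.pem"
sign_request
for f in issuer subject dates hash; do cert_field "$f"; done
verify_chain && echo "usercert.pem chains to cacert.pem"
to_pkcs12 && from_pkcs12
fingerprint "$WORK/usercert.pem"
fingerprint "$WORK/usercert_from_p12.pem"
echo "working directory: $WORK"
```

Running it prints the decoded request, the issuer, subject, dates and hash lines of the signed certificate, and two SHA-256 fingerprints that must match: one from usercert.pem and one from the certificate extracted back out of my_cert.p12. The key is left unencrypted only so that the script runs unattended; grid-cert-request protects userkey.pem with a pass phrase, and the chmod 400 is required in either case.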
23 Further steps
- Step 3: Get an account on the User Interface
- Step 4: Login and create the directory .globus
- Step 5: Copy the usercert.pem and userkey.pem into the .globus directory
- Generate a proxy certificate and submit a job
24 Generate proxy certificate to submit a job
- A proxy certificate is a delegated user credential that authenticates the user in every secure interaction, and has a limited lifetime
- The command to create a proxy certificate is grid-proxy-init, which prompts for the user pass phrase
- If the command is successful, the output will be like
  - Your identity: /O=Grid/O=CERN/OU=cern.ch/CN=John Doe
  - Enter GRID pass phrase for this identity:
  - Creating proxy ............................................... Done
  - Your proxy is valid until: Tue Jun 24 23:48:44 2003
- The proxy certificate will be written in /tmp/x509up_u<uid>, where <uid> is the Unix UID of the user
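The properties listed above, shown by building an RFC 3820 proxy certificate with plain openssl, as an added example rather than the output of grid-proxy-init: a fresh key pair, a subject that extends the user's DN by one CN, a signature made with the user's own private key, and a one-day lifetime. It assumes a POSIX sh and the openssl command-line tool; the user certificate is self-signed here as a stand-in for a CA-issued usercert.pem, and the DN and the random CN are constructed.

```shell
#!/bin/sh
# Added example, not from the original slides: build an RFC 3820 proxy
# certificate with plain openssl, the way grid-proxy-init does internally, so
# that its properties can be inspected directly: a fresh key pair, a subject
# that extends the user's DN by one CN, a signature made with the user's own
# key, and a short lifetime. Assumes POSIX sh and the openssl CLI. The user
# certificate is self-signed here, standing in for usercert.pem from a real
# CA; the DN and the proxy's CN are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
USER_DN='/C=HU/O=Example Org/CN=Jane Doe'   # constructed

# Config for the stand-in user certificate. CA:FALSE marks it as an end-entity
# certificate, which is what proxies are issued from (a CA certificate may not
# issue a proxy).
cat > "$WORK/user.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
x509_extensions = end_entity
[ req_dn ]
[ end_entity ]
basicConstraints = CA:FALSE
EOF

make_user_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj "$USER_DN" -days 365 \
        -keyout "$WORK/userkey.pem" -out "$WORK/usercert.pem" \
        -config "$WORK/user.cnf" 2>/dev/null
}

# The proxy: a new key pair, subject = user DN plus one CN holding a random
# number, signed with the user's key, carrying the critical proxyCertInfo
# extension and valid for one day (grid-proxy-init defaults to 12 hours).
make_proxy() {
    serial=$(od -An -N4 -tu4 /dev/urandom | tr -d ' ')
    printf 'proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:0,policy:text:AB\n' \
        > "$WORK/proxy.ext"
    openssl genrsa -out "$WORK/proxykey.pem" 2048 2>/dev/null
    openssl req -new -key "$WORK/proxykey.pem" -subj "$USER_DN/CN=$serial" \
        -out "$WORK/proxyreq.pem" -config "$WORK/user.cnf" 2>/dev/null
    openssl x509 -req -in "$WORK/proxyreq.pem" -CA "$WORK/usercert.pem" \
        -CAkey "$WORK/userkey.pem" -CAcreateserial -days 1 \
        -extfile "$WORK/proxy.ext" -out "$WORK/proxycert.pem" 2>/dev/null
    # grid-proxy-init stores certificate and key together in /tmp/x509up_u<uid>,
    # readable only by the owner; the same layout is written under $WORK here.
    (umask 077; cat "$WORK/proxycert.pem" "$WORK/proxykey.pem" > "$WORK/x509up_u$(id -u)")
}

# The identity behind the proxy (what grid-proxy-info prints as "identity"):
# the proxy subject with its last CN removed, which must equal the user's DN.
proxy_identity() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$WORK/proxycert.pem" |
        sed 's/^subject= *//; s/^CN=[^,]*,//'
}
user_identity() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$WORK/usercert.pem" |
        sed 's/^subject= *//'
}

# Will the proxy still be valid $1 seconds from now? (exit status 0 = yes)
proxy_valid_for() { openssl x509 -noout -checkend "$1" -in "$WORK/proxycert.pem" >/dev/null; }

# What a Grid service does with a presented proxy: validate the chain up to the
# user certificate. Proxy certificates must be explicitly allowed, and OpenSSL
# then enforces the RFC 3820 naming rule that proxy_identity relies on.
verify_proxy() {
    openssl verify -allow_proxy_certs -CAfile "$WORK/usercert.pem" \
        "$WORK/proxycert.pem" >/dev/null
}

make_user_cert
make_proxy
echo "identity: $(proxy_identity)"
openssl x509 -noout -subject -enddate -nameopt RFC2253 -in "$WORK/proxycert.pem"
verify_proxy && echo "proxy chain verifies"
proxy_valid_for 172800 || echo "proxy expires within two days, as intended"
```

verify_proxy is the part a Grid service performs: OpenSSL rejects the proxy unless proxy certificates are explicitly allowed, and it also enforces the naming rule (proxy subject = issuer subject plus exactly one CN) that proxy_identity uses to recover the user's DN. grid-proxy-init's default lifetime is 12 hours rather than the one day used here.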
25 The Virtual Organization Membership Service (VOMS)
- Provides information on the user's relationship with her Virtual Organization
- Single login: using voms-proxy-init only at the beginning of the session (was grid-proxy-init)
- Expiration time: the authorization information is only valid for a limited period of time, as is the proxy certificate itself
- Multiple VOs: the user may "log in" to multiple VOs and create an aggregate proxy certificate, which enables her to access resources in any of them
- The service is basically a simple account database, which serves the information in a special format (VOMS credential)
26 Grid proxy commands
- Create a proxy certificate using the command grid-proxy-init
- To see information about your proxy: grid-proxy-info
- To destroy an existing proxy certificate before its expiration: grid-proxy-destroy
- Creating a long-term proxy and storing it in a Proxy Server: myproxy-init -s <host_name> -d -n
27 Required steps for the complete registration
LDAP (Lightweight Directory Access Protocol) is a directory service which allows locating organizations, individuals, and other resources such as files and devices in a network
28 Get your user Certificate from the NIIF CA
We will go to the CA to get the user certificates (10 persons/group). Meantime we will verify the newreq.pem file with openssl commands.
THANK YOU VERY MUCH FOR YOUR ATTENTION!