Hands-on on security

Post on 30-Dec-2015


www.eu-eela.org

E-infrastructure shared between Europe and Latin America

FP6−2004−Infrastructures−6-SSA-026409

Hands-on on security

Pedro Rausch, IF - UFRJ
Ninth EELA Tutorial, Bogotá, 06.03.2007


Overview

• Accessing the UI

• Private and public keys

• VOMS– voms-proxy-init– voms-proxy-info– voms-proxy-destroy

• MyProxy– myproxy-init– myproxy-info– myproxy-get-delegation– myproxy-destroy


How to access the User Interface

• Open the VMWare User Interface on your desktop (click the icon)

• Username: bogotaXX (LOOK AT THE STICKER!), where XX is in [01..50]

• Password: GridBOGXX, where XX is in [01..50]

• Certificate passphrase: BOGOTA


Preliminary: .globus directory

• The .globus directory contains your personal public / private keys

• Pay attention to permissions:
– userkey.pem contains your private key and must be readable only by you (mode 400)
– usercert.pem contains your certificate, and with it your public key; it can also be readable from outside (mode 644)

[bogota01@eventogrid1 bogota01]$ ls -la .globus/u*
-rw-r--r-- 1 bogota01 bogota01 1131 Mar 1 03:27 .globus/usercert.pem
-r-------- 1 bogota01 bogota01 963 Mar 1 03:27 .globus/userkey.pem
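The permission rule above is easy to get wrong after copying credentials between machines, so here is a small check-and-fix script for it. It is an added example, not part of the EELA slides; it assumes the default ~/.globus location (any other directory can be passed as the first argument) and the two file names used on the slide.

```shell
# Added example, not part of the EELA slides: verify that the credential files
# in a .globus directory have the permissions the slide calls for, and fix them.
# userkey.pem must be readable by its owner only (400; 600 is also owner-only);
# usercert.pem may be world-readable but must not be writable by anyone else.

# Print the nine rwx flags of a file (e.g. "r--------"), or nothing if it is
# missing. "ls -ld" is used instead of stat(1) because its first column looks
# the same on every Unix, while stat's format flags differ between GNU and BSD.
mode_of() {
    [ -e "$1" ] || return 0
    ls -ld "$1" | cut -c2-10
}

# Return 0 if both files are present with safe permissions, 1 otherwise,
# printing one line per problem found.
check_globus_perms() {
    dir="${1:-$HOME/.globus}"
    status=0

    key_mode=$(mode_of "$dir/userkey.pem")
    case "$key_mode" in
        "r--------"|"rw-------")
            ;;                                   # owner-only: fine
        "")
            echo "missing: $dir/userkey.pem"; status=1 ;;
        *)
            echo "userkey.pem is $key_mode; the private key must be owner-only (chmod 400)"
            status=1 ;;
    esac

    cert_mode=$(mode_of "$dir/usercert.pem")
    case "$cert_mode" in
        "")
            echo "missing: $dir/usercert.pem"; status=1 ;;
        ????w????|???????w?)                     # group (5th) or other (8th) write bit set
            echo "usercert.pem is $cert_mode; the certificate must not be group/world writable (chmod 644)"
            status=1 ;;
    esac
    return $status
}

# Apply the permissions the slide recommends (400 on the key, 644 on the cert).
fix_globus_perms() {
    dir="${1:-$HOME/.globus}"
    chmod 400 "$dir/userkey.pem" && chmod 644 "$dir/usercert.pem"
}

# Stand-alone usage: report problems in ~/.globus, then repair them.
check_globus_perms || fix_globus_perms
```

Run it once after installing a certificate on a new UI; a world-readable userkey.pem is exactly what lets any other local user create proxies in your name once they learn the passphrase.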


voms-proxy-init: create credentials

• Main options: voms-proxy-init --voms <vo-name:[command]>
– -help, -usage: displays usage
– -version: displays version
– -debug: enables extra debug output
– -quiet, -q: quiet mode, minimal output
– -verify: verifies the certificate to make a proxy for
– -pwstdin: allows the passphrase from stdin
– -limited: creates a limited proxy
– -valid <h:m>: proxy is valid for h hours and m minutes (default 12:00)
– -hours H: proxy is valid for H hours (default 12)
– -bits: number of bits in key {512|1024|2048|4096}
– -cert <certfile>: non-standard location of user certificate
– -key <keyfile>: non-standard location of user key
– -certdir <certdir>: non-standard location of trusted cert dir
– -out <proxyfile>: non-standard location of new proxy cert
– -voms <voms<:command>>: specify VOMS server; :command is optional
– -order <group<:role>>: specify ordering of attributes
– -vomslife <h:m>: try to get a VOMS pseudocert valid for h hours and m minutes (default: the value of -valid)
– -include <file>: include the contents of the specified files
– -confile <file>: non-standard location of VOMS server addresses
– -vomses <file>: non-standard location of configuration files


voms-proxy-init output

[bogota01@eventogrid1 bogota01]$ voms-proxy-init --voms gilda

Cannot find file or dir: /home/bogota01/.glite/vomses

Your identity: /C=IT/O=GILDA/OU=Personal Certificate/L=BOGOTA/CN=BOGOTA01/Email=claudio.cherubino@ct.infn.it

Enter GRID pass phrase: ************

Creating temporary proxy ............................... Done

Contacting voms.ct.infn.it:15001 [/C=IT/O=INFN/OU=Host/L=Catania/CN=voms.ct.infn.it] "gilda" Done

Creating proxy ................................. Done

Your proxy is valid until Tue Mar 6 23:06:20 2007


voms-proxy-info: check credentials

• voms-proxy-info– Main options :

-all prints all proxy options

-file specifies a different location of proxy file


voms-proxy-info output

[bogota01@eventogrid1 bogota01]$ voms-proxy-info --all

Standard globus attributes:
subject : /C=IT/O=GILDA/OU=Personal Certificate/L=BOGOTA/CN=BOGOTA01/Email=claudio.cherubino@ct.infn.it/CN=proxy
issuer : /C=IT/O=GILDA/OU=Personal Certificate/L=BOGOTA/CN=BOGOTA01/Email=claudio.cherubino@ct.infn.it
identity : /C=IT/O=GILDA/OU=Personal Certificate/L=BOGOTA/CN=BOGOTA01/Email=claudio.cherubino@ct.infn.it
type : proxy
strength : 512 bits
path : /tmp/x509up_u501
timeleft : 11:57:40

Voms extensions:
=== VO gilda extension information ===
VO : gilda
subject : /C=IT/O=GILDA/OU=Personal Certificate/L=BOGOTA/CN=BOGOTA01/Email=claudio.cherubino@ct.infn.it
issuer : /C=IT/O=INFN/OU=Host/L=Catania/CN=voms.ct.infn.it
attribute : /gilda/Role=NULL/Capability=NULL
timeleft : 11:57:33

• The proxy's subject is your own DN with /CN=proxy appended, and its issuer is your user certificate: the proxy is signed with your private key, which is why voms-proxy-init asks for the GRID passphrase.
• The VOMS extension is issued by the VOMS server (voms.ct.infn.it), not by you, so it carries its own issuer and its own timeleft; the two lifetimes are checked separately by services.
• strength : 512 bits is the key size of the proxy created here. A 512-bit RSA key is weak by today's standards; pass -bits 1024 or larger to voms-proxy-init where the services accept it.


voms-proxy-destroy: destroy credentials

• voms-proxy-destroy – takes no options

• Destroys the proxy certificate pointed to by the $X509_USER_PROXY environment variable; if that variable is unset, the default proxy file is the one shown in the path field of voms-proxy-info (/tmp/x509up_u<uid>)


voms-proxy-destroy output

[bogota01@eventogrid1 bogota01]$ echo $X509_USER_PROXY
/tmp/x509up_u501
[bogota01@eventogrid1 bogota01]$ voms-proxy-destroy
[bogota01@eventogrid1 bogota01]$
[bogota01@eventogrid1 bogota01]$ voms-proxy-info --all
Couldn't find a valid proxy.
[bogota01@eventogrid1 bogota01]$


First Exercise

1. Create a plain proxy (voms-proxy-init without --voms), i.e. without requesting group membership;

2. Verify your proxy, checking that it has no VOMS extensions;

3. Destroy the created proxy;

4. Verify your proxy again;

5. Do steps 1-4 again, this time requesting gilda group membership (voms-proxy-init --voms gilda).
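Steps 2 and 4 of the exercise, and the voms-proxy-info output shown earlier, come down to reading three things out of the text that voms-proxy-info --all prints: whether a proxy exists at all, whether it carries an extension for the VO you need, and how long the shortest-lived part of it still has. The script below does that check before job submission. It is an added example, not part of the EELA slides or of the VOMS tools: it never calls voms-proxy-info itself but reads its captured output on stdin, the two samples are constructed from the slide's own output, and the 3600-second minimum is an arbitrary choice.

```shell
# Added example, not part of the EELA slides: a pre-flight check of a proxy
# built on the text that "voms-proxy-info --all" prints. The functions do not
# run voms-proxy-info themselves; feed them its captured output, e.g.
#   voms-proxy-info --all 2>/dev/null | proxy_usable gilda 3600

# Constructed sample: the VOMS proxy for VO gilda, copied from the slide.
SAMPLE_VOMS='subject : /C=IT/O=GILDA/OU=Personal Certificate/L=BOGOTA/CN=BOGOTA01/Email=claudio.cherubino@ct.infn.it/CN=proxy
issuer : /C=IT/O=GILDA/OU=Personal Certificate/L=BOGOTA/CN=BOGOTA01/Email=claudio.cherubino@ct.infn.it
identity : /C=IT/O=GILDA/OU=Personal Certificate/L=BOGOTA/CN=BOGOTA01/Email=claudio.cherubino@ct.infn.it
type : proxy
strength : 512 bits
path : /tmp/x509up_u501
timeleft : 11:57:40
=== VO gilda extension information ===
VO : gilda
subject : /C=IT/O=GILDA/OU=Personal Certificate/L=BOGOTA/CN=BOGOTA01/Email=claudio.cherubino@ct.infn.it
issuer : /C=IT/O=INFN/OU=Host/L=Catania/CN=voms.ct.infn.it
attribute : /gilda/Role=NULL/Capability=NULL
timeleft : 11:57:33'

# Constructed sample: the same proxy made without --voms (exercise step 1),
# i.e. the globus attributes only, no "=== VO ... ===" section.
SAMPLE_PLAIN=$(printf '%s\n' "$SAMPLE_VOMS" | sed '/^=== VO /,$d')

# Does the captured output on stdin carry an attribute certificate for VO $1?
has_vo_extension() {
    grep -qF -- "=== VO $1 extension information ==="
}

# Print the smallest "timeleft : H:MM:SS" on stdin, in seconds; the proxy
# itself and every VOMS extension each carry one, and the proxy is only as
# good as the shortest of them. Prints 0 when no timeleft line is present.
min_timeleft_seconds() {
    awk -F: '
        $1 ~ /^timeleft[ \t]*$/ {
            s = $2 * 3600 + $3 * 60 + $4        # fields: "timeleft ", " H", "MM", "SS"
            if (!seen || s < min) { min = s; seen = 1 }
        }
        END { print (seen ? min : 0) }'
}

# Exit 0 if stdin describes a proxy with VOMS attributes for VO $1 and at least
# $2 seconds (default 3600) left on every credential in it; otherwise print
# why and exit 1.
proxy_usable() {
    vo="$1"; min_seconds="${2:-3600}"
    out=$(cat)                                  # read the captured output once
    if printf '%s\n' "$out" | grep -q "Couldn't find a valid proxy"; then
        echo "no proxy: run voms-proxy-init --voms $vo"; return 1
    fi
    if ! printf '%s\n' "$out" | has_vo_extension "$vo"; then
        echo "proxy has no VOMS extension for $vo: run voms-proxy-init --voms $vo"; return 1
    fi
    left=$(printf '%s\n' "$out" | min_timeleft_seconds)
    if [ "$left" -lt "$min_seconds" ]; then
        echo "proxy expires in ${left}s, need ${min_seconds}s: renew it"; return 1
    fi
    echo "proxy ok for $vo, ${left}s left"
}

# Stand-alone demo: the VOMS proxy passes, the plain one is rejected.
printf '%s\n' "$SAMPLE_VOMS"  | proxy_usable gilda 3600
printf '%s\n' "$SAMPLE_PLAIN" | proxy_usable gilda 3600 || true
```

On the slide's output the shortest lifetime is the VOMS extension's 11:57:33 (43053 s), seven seconds less than the proxy itself; a check that only looks at the first timeleft line would let the attributes expire before the proxy does.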


Long term proxy: MyProxy

• myproxy server:
– myproxy-init: creates and stores a long-term proxy certificate
– myproxy-info: gets information about a stored long-lived proxy
– myproxy-get-delegation: gets a new proxy from the MyProxy server
– myproxy-destroy: removes the stored proxy from the MyProxy server

• Check them with the myproxy-xxx --help option

• A dedicated service on the RB (Resource Broker) can renew the proxy automatically by contacting the MyProxy server


myproxy-init: store proxy cred.

• Main options:
– -c hours: specifies the lifetime of the stored credentials
– -t hours: specifies the maximum lifetime of retrieved credentials
– -s <hostname>: specifies the MyProxy server used to store credentials
– -d: stores the credential under the distinguished name in the proxy instead of the user name (mandatory for some data management services and for proxy renewal)

• For proxy renewal, -n (no passphrase) is also mandatory. You then also have to specify the subject of the principals that can renew a delegation (-R subject, or -A for any principal); prefer -R with the renewal service's DN, since -A allows any principal to renew


myproxy-init output

[bogota01@eventogrid1 bogota01]$ myproxy-init
Your identity: /C=IT/O=GILDA/OU=Personal Certificate/L=BOGOTA/CN=BOGOTA01/Email=claudio.cherubino@ct.infn.it
Enter GRID pass phrase for this identity: ***********
Creating proxy ................................. Done
Proxy Verify OK
Your proxy is valid until: Tue Mar 13 14:00:18 2007
Enter MyProxy pass phrase: ***********
Verifying password - Enter MyProxy pass phrase:
A proxy valid for 168 hours (7.0 days) for user bogota01 now exists on grid001.ct.infn.it.
[bogota01@eventogrid1 bogota01]$


myproxy-info: retrieve stored proxy info

• Useful to retrieve info on stored credentials

• Requires local credentials: the user must have a valid proxy to issue this command

• If the credentials were initialized with the -d switch, you also have to specify the same option here


myproxy-info output

[bogota01@eventogrid1 bogota01]$ myproxy-info -v

Socket bound to port 20000.

server name: /C=IT/O=INFN/OU=Host/L=Catania/CN=grid001.ct.infn.it

checking if server name matches "myproxy@grid001.ct.infn.it"

server name does not match

checking if server name matches "host@grid001.ct.infn.it"

server name accepted

username: bogota01

owner: /C=IT/O=GILDA/OU=Personal Certificate/L=BOGOTA/CN=BOGOTA01/Email=claudio.cherubino@ct.infn.it

timeleft: 167:54:03 (7.0 days)
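The "checking if server name matches ... server name accepted" lines in the verbose output above (the same lines appear again in the myproxy-destroy output later) are the client verifying the MyProxy server's host certificate against the host it dialled before it sends the MyProxy passphrase; a connection redirected to another machine with a valid but differently named host certificate is rejected and never sees the secret. The function below reproduces that check on a DN string. It is an added example, not part of the EELA slides or of the MyProxy client: the accepted CN forms ("myproxy/<host>", "host/<host>" and the bare "<host>", which is what the log shows being accepted) are an assumption drawn from the log and the Globus service-name convention.

```shell
# Added example, not part of the EELA slides: the server-identity check that
# the verbose myproxy-info / myproxy-destroy output shows. The accepted CN
# forms below are an assumption for this example, not the real client's code.

# Print the CN of a Globus-style DN ("/C=IT/.../CN=grid001.ct.infn.it"),
# lower-cased because host names compare case-insensitively.
dn_cn() {
    printf '%s\n' "$1" | sed 's|.*/CN=||' | tr 'A-Z' 'a-z'
}

# Return 0 (printing "server name accepted") if the CN in DN $1 names host $2
# as the "myproxy" or "host" service; return 1 otherwise. Mirrors the probes
# in the log: "myproxy@host" is tried first, then "host@host"; the latter
# also accepts a certificate whose CN is just the bare host name.
myproxy_server_name_ok() {
    cn=$(dn_cn "$1")
    host=$(printf '%s\n' "$2" | tr 'A-Z' 'a-z')
    echo "server name: $1"
    for svc in myproxy host; do
        echo "checking if server name matches \"$svc@$host\""
        if [ "$cn" = "$svc/$host" ] || { [ "$svc" = host ] && [ "$cn" = "$host" ]; }; then
            echo "server name accepted"
            return 0
        fi
        echo "server name does not match"
    done
    echo "rejecting server: CN=$cn is not a name for $host; passphrase not sent"
    return 1
}

# Stand-alone demo with the server DN and host from the slide.
myproxy_server_name_ok "/C=IT/O=INFN/OU=Host/L=Catania/CN=grid001.ct.infn.it" grid001.ct.infn.it
```

The same rule explains the order of the two probes in the slide's log: "myproxy@grid001.ct.infn.it" does not match a certificate whose CN is the bare host name, "host@grid001.ct.infn.it" does.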


myproxy-get-delegation: get proxy

• This command retrieves a delegation from a long-lived proxy stored on a MyProxy server

• It is independent of the machine: you do not need to have your certificate on board, only the MyProxy passphrase

• If the credentials were initialized with the -d switch, you have to specify it in the myproxy-get-delegation request as well


myproxy-get-delegation: output

[bogota01@eventogrid1 bogota01]$ myproxy-get-delegation

Enter MyProxy pass phrase:

A proxy has been received for user bogota01 in /tmp/x509up_u501


myproxy-destroy: destroy proxy

• Deletes the long-lived credentials on the specified MyProxy server, if they exist

• To specify the MyProxy server, use the -s switch

• Again, the user must have a valid proxy certificate


myproxy-destroy: output

[bogota01@eventogrid1 bogota01]$ myproxy-destroy -v
Socket bound to port 20000.
server name: /C=IT/O=INFN/OU=Host/L=Catania/CN=grid001.ct.infn.it
checking if server name matches "myproxy@grid001.ct.infn.it"
server name does not match
checking if server name matches "host@grid001.ct.infn.it"
server name accepted
Default MyProxy credential for user bogota01 was successfully removed.


Second Exercise

1. Create a MyProxy credential on the server grid001.ct.infn.it

2. Fetch a delegation from the MyProxy server

3. Check the information on the created proxy on the MyProxy server

4. Destroy both the delegated proxy and the proxy stored on the MyProxy server

5. Repeat steps 1-4 using the -d option

6. Which differences do you notice between the two proxies?


Voms extensions on a delegated proxy

• MyProxy does not natively support VOMS: the proxy retrieved with myproxy-get-delegation carries no VOMS extensions

• To overcome this:
– fetch the proxy from the MyProxy server (myproxy-get-delegation)
– issue voms-proxy-init with the -noregen option, which uses the existing proxy, rather than your certificate and private key, to obtain the VOMS extension


Questions