Getting Started with TeraGrid Authentication
Jeffrey P. Gardner, Pittsburgh Supercomputing Center
CIG MCW, Boulder, CO 2
Approaches to TeraGrid Use
Log in interactively to a login node at a TeraGrid site and work from there
- no client software to install/maintain yourself
- execute tasks from your interactive session
Work from your local workstation and authenticate remotely to TeraGrid resources
- comfort and convenience of working "at home"
- may have to install/maintain add'l TG software (Eventually we will better support this mode)
“Traditional” Password Authentication
Without coordination of authentication between sites, each site has its own account and password:
Acct[x], password[x]
Acct[y], password[y]
Acct[z], password[z]
Certificate-Based Authentication
One pass-phrase (password[k]) unlocks your Certificate; the sites themselves require No Password.
User Certificates for TeraGrid
Why use certificates for authentication?
Facilitates Single Sign-On
- enter your pass-phrase only once per session, regardless of how many systems and services that you access on the Grid during that session
- one pass-phrase to remember (to protect your private key), instead of one for each system
Widespread Use and Acceptance
- certificate-based authentication is standard for modern Web commerce and secure services
New TeraGrid Account TODO List
1. Use Secure Shell (SSH) to log into a TeraGrid site
2. Change your Password WE'RE SKIPPING THIS STEP TODAY
3. Obtain a TeraGrid-acceptable User Certificate*, and install it in your home directory *assuming you do not already have one
4. Register your User Certificate in Globus grid-mapfile on TeraGrid systems
5. Test your User Certificate for Remote Authentication
1. SSH to a TeraGrid Site
(Enter the password provided when prompted to do so)
STOP and await further instructions...
2a. Change your Account Password
Good Password Selection Rules Apply
- Do not use words that could be in any dictionary, including common or trendy misspellings of words
- Pick something easy for you to remember, but impossible for others to guess
- Pick something that you can learn to type quickly, using many different fingers
- Combine letters, digits, punctuation symbols and capitalization
- Never use the same password for two different systems, nor for two different accounts
- If you must write your password down, do so away from prying eyes and lock it securely away!
WE'RE SKIPPING THIS STEP TODAY
2b. Change your Account Password
Means for changing local passwords vary among systems
- local password on Linux and similar operating systems: passwd
- Kerberos environments (NCSA, PSC): kpasswd
- Systems managed using NIS: yppasswd
See site documentation for correct method: http://www.teragrid.org/docs/
WE'RE SKIPPING THIS STEP TODAY
3a. User Certificate Request
For this exercise, we will execute a command-line program to request a new TeraGrid User Certificate from the NCSA CA
TeraGrid User Cert instructions (has links to instructions for all TG sites):
http://teragrid.org/userinfo/guide_access_auth_setup.html
NCSA CA User Cert instructions: http://www.ncsa.uiuc.edu/UserInfo/Grid/Security/GetUserCert.html
Execute the NCSA CA User Certificate request script
> ncsa-cert-request
(use your new password again to authenticate)
STOP and await further instructions...
3c. User Certificate Request
NCSA Kerberos
3d. User Certificate Request
When prompted, enter a Pass-phrase for your new certificate (and a second time to verify)
- A Pass-phrase may be a sentence with spaces
- Make it as long as you care to type "in the dark"
- Good password selection rules apply
- Write your pass-phrase down but store it securely!
- Never allow your passphrase to be discovered by others - especially since this gets you in to multiple systems...
- If you lose your pass-phrase, it cannot be recovered - you must get a new certificate
3e. User Certificate Request
The Certificate request script will place your new user certificate and private key into a .globus directory in your home directory
> ls -la .globus
total 24
drwxr-xr-x  3 train00 train00 4096 Nov 17 13:45 .
drwx------ 33 train00 train00 4096 Oct 17 20:17 ..
-r--r--r--  1 train00 train00 2703 Nov 17 13:55 usercert.pem
-r--r--r--  1 train00 train00 1420 Nov 17 13:50 usercert_request.pem
-r--------  1 train00 train00  963 Nov 17 13:50 userkey.pem
Your Pass-phrase protects your private key
The ~/.globus directory
The default location where a user’s private key and certificate are installed
The directory in which Globus creates temporary subdirectories and files to handle grid job submission and file transfer
$ ls -la ~/.globus
total 24
drwxr-xr-x  3 train00 train00 4096 Nov 17 13:45 .
drwx------ 33 train00 train00 4096 Oct 17 20:17 ..
-r--r--r--  1 train00 train00 2703 Nov 17 13:55 usercert.pem
-r--r--r--  1 train00 train00 1420 Nov 17 13:50 usercert_request.pem
-r--------  1 train00 train00  963 Nov 17 13:50 userkey.pem
3f. User Certificate Request
Examine your new certificate
> grid-cert-info -subject -startdate -enddate
/C=US/O=National Center for Supercomputing Applications/CN=Jeffrey Gardner
Jun 19 21:16:05 2005 GMT
Jun 18 21:16:05 2006 GMT
Your Certificate's Subject is your Certificate DN (DN = Distinguished Name)
3g. User Certificate Request
Test Globus certificate proxy generation
> grid-proxy-init -verify -debug
User Cert File: /home/train00/.globus/usercert.pem
User Key File: /home/train00/.globus/userkey.pem
Trusted CA Cert Dir: /etc/grid-security/certificates
Output File: /tmp/x509up_u500
Your identity: /C=US/O=National Center for Supercomputing Applications/CN=Training User00
Enter GRID pass phrase for this identity:
(Enter your pass-phrase)
Creating proxy .++++++++++++...........++++++++++++ Done
Proxy Verify OK
Your proxy is valid until: Sat Oct 18 08:39:43 2003
> grid-proxy-destroy
Congratulations! You are now “certified” to use the TeraGrid
Your certificate is your encrypted “ID badge” that identifies you to TeraGrid sites.
- Distinguished Name (your unique TeraGrid identity)
- Start date and end date
- X.509 encrypted key
But before it will work, we need to tell TeraGrid sites (including NCSA) to accept it. Someday soon this will be done automatically
4a. Registering your Distinguished Name in a TeraGrid system grid-mapfile
Every TeraGrid system has /etc/grid-security/grid-mapfile
This file maps your TeraGrid Distinguished Name to your local userid on that machine
By the end of the summer, generating a new certificate will automatically cause grid-mapfiles on all TeraGrid machines to be updated with your Distinguished Name
But at present, to use a new TeraGrid site, you must place an entry in that site’s grid-mapfile
TeraGrid sites provide the gx-map command to simplify this registration process for users
gx-map must be executed once per TeraGrid site accessed
4b. Registering your Distinguished Name in the NCSA Globus grid-mapfile
Recall your TeraGrid User Certificate DN (keep this somewhere copy-able)
> grid-cert-info -subject
/C=US/O=National Center for Supercomputing Applications/CN=Jeffrey Gardner (or something like this)
Execute the gx-map command interactively
> gx-map -interactive
STOP and await further instructions...
4c. Registering your Distinguished Name in the NCSA Globus grid-mapfile
...
(a) Add a grid-mapfile entry
(r) Remove a grid-mapfile entry
(q) Query a grid-mapfile entry
(u) Request an update of the grid-mapfiles
(x) Exit
What do you want to do? [arqux] a (return)
What user name do you want to map (default is username) ? (return)
STOP and await further instructions...
(This prompt may no longer appear)
4d. Registering your Distinguished Name in the NCSA Globus grid-mapfile
...
(a) Add a grid-mapfile entry
(r) Remove a grid-mapfile entry
(q) Query a grid-mapfile entry
(u) Request an update of the grid-mapfiles
(x) Exit
What do you want to do? [arqux] a (return)
STOP and await further instructions...
4e. Registering your Distinguished Name in the NCSA Globus grid-mapfile
You can specify the DN in one of three ways:
(c) Certificate, extract from /home/gardnerj/.globus/usercert.pem
(f) File, extract from a specified certificate file
(i) Input the DN directly
(x) Exit
How do you want to specify the DN? [cfix] i (return)
Enter distinguished name: <Paste your distinguished name here>
E-mail address (<return> for none): (return)
STOP and await further instructions...
4f. Registering your User Certificate in the NCSA Globus grid-mapfile
Ignore the subsequent prompts - just press (return) until you get to:
About to map distinguished name
"/C=US/O=National Center for Supercomputing Applications/CN=Jeffrey Gardner"
to user gardnerj
Proceed? [yn] y (return)
Mapping request submitted.
The grid-mapfile(s) should be updated in a few minutes
STOP and await further instructions...
5a. Registering your Distinguished Name in a TACC grid-mapfile
Recall your TeraGrid User Certificate DN (keep your DN somewhere copy-able)
> grid-cert-info -subject
/C=US/O=National Center for Supercomputing Applications/CN=Jeffrey Gardner (or something like this)
SSH to TACC the old fashioned way
> ssh [email protected]
Execute the gx-map command interactively
> gx-map -interactive
STOP and await further instructions...
5b. Registering your Distinguished Name in a TACC grid-mapfile
...
(a) Add a grid-mapfile entry
(r) Remove a grid-mapfile entry
(q) Query a grid-mapfile entry
(u) Request an update of the grid-mapfiles
(x) Exit
What do you want to do? [arqux] a (return)
STOP and await further instructions...
5c. Registering your Distinguished Name in a TACC grid-mapfile
You can specify the DN in one of three ways:
(c) Certificate, extract from /home/gardnerj/.globus/usercert.pem
(f) File, extract from a specified certificate file
(i) Input the DN directly
(x) Exit
How do you want to specify the DN? [cfix] i (return)
Enter distinguished name: <Paste your distinguished name here>
E-mail address (<return> for none): (return)
STOP and await further instructions...
5d. Registering your User Certificate in the TACC Globus grid-mapfile
Ignore the subsequent prompts - just press (return) until you get to:
About to map distinguished name
"/C=US/O=National Center for Supercomputing Applications/CN=Jeffrey Gardner"
to user gardnerj
Proceed? [yn] y (return)
Mapping request submitted.
The grid-mapfile(s) are updated at the beginning of each hour
STOP and await further instructions...
5e. Registering your User Certificate in the TACC Globus grid-mapfile
Log out of TACC
> exit
STOP and await further instructions...
Authentication Setup Summary
Certificate generation (Step 3) is done only once for the entire TeraGrid! It stays valid until your certificate expires after 2 years, or until you delete your .globus directory
Authentication Setup Summary
Updating /etc/grid-security/grid-mapfile (Step 4) is done the first time you use each TeraGrid site.
How this is done depends on the site:
- NCSA, TACC, SDSC, Caltech/CACR, IU, UC/ANL: gx-map
- PSC: Edit grid-mapfile directly using webpage https://dirs.psc.edu/teragrid/userpage
6. Verifying your User Certificate in a TeraGrid system Globus grid-mapfile
Login to TeraGrid system
Check that your certificate DN and user account name have been entered into the local host's grid-mapfile
> grep -i userid /etc/grid-security/grid-mapfile
"/C=US/O=National Center for Supercomputing Applications/CN=Jeff Gardner" gardnerj
STOP and await further instructions...
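As an added example (not part of the slides, and not code from Globus or gx-map), the following Python script parses a constructed grid-mapfile in the layout shown in steps 4a and 6, a double-quoted DN followed by one or more comma-separated local user names, and performs the step 6 check on the DN itself rather than with grep -i on the userid, so a DN that is present but mapped to the wrong local account is caught as well as a DN that is still missing. The sample file content and account names are constructed for this example.

```python
import re
from typing import Dict, List

# Constructed sample of /etc/grid-security/grid-mapfile content for this
# example; the DNs and account names are illustrative, not from a real host.
SAMPLE_GRIDMAP = '''\
# grid-mapfile: "<certificate DN>" <local account>[,<local account>...]
"/C=US/O=National Center for Supercomputing Applications/CN=Jeff Gardner" gardnerj
"/C=US/O=National Center for Supercomputing Applications/CN=Training User00" train00,trainadm

"/C=US/O=Example CA/CN=Stale Entry" olduser
'''

# One entry per line: a double-quoted DN (it contains spaces and slashes),
# whitespace, then a comma-separated list of local user names.
_ENTRY_RE = re.compile(r'^"([^"]+)"\s+(\S+)$')


def parse_gridmap(text: str) -> Dict[str, List[str]]:
    """Parse grid-mapfile text into {DN: [local accounts]}.

    Blank lines and '#' comments are skipped.  A malformed line or a DN that
    appears twice raises ValueError, because the effective mapping for that
    DN would then be ambiguous.
    """
    mapping: Dict[str, List[str]] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _ENTRY_RE.match(line)
        if match is None:
            raise ValueError(f"line {lineno}: malformed grid-mapfile entry: {raw!r}")
        dn, accounts = match.group(1), match.group(2).split(",")
        if dn in mapping:
            raise ValueError(f"line {lineno}: DN appears more than once: {dn}")
        mapping[dn] = accounts
    return mapping


def check_registration(text: str, dn: str, expected_user: str) -> str:
    """Step 6 check keyed on the DN: "ok" if dn maps to expected_user,
    "wrong-user" if dn is present but maps to other accounts (a stale or
    mistaken mapping), "missing" if dn is not in the file yet (e.g. the
    gx-map update has not run)."""
    accounts = parse_gridmap(text).get(dn)
    if accounts is None:
        return "missing"
    return "ok" if expected_user in accounts else "wrong-user"
```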
Questions
Phew!
Any Questions regarding TeraGrid User Certificates and Authentication?
Links
Obtaining TeraGrid User Certificates http://www.ncsa.uiuc.edu/UserInfo/Grid/Security/GetUserCert.html
TeraGrid Certificate and DN setup http://www.teragrid.org/userinfo/guide_access_auth_setup.html
TeraGrid Proxy setup http://www.teragrid.org/userinfo/guide_access_auth_proxy.html
TeraGrid User Guide http://teragrid.org/docs/user-guide.html