Page 1

Getting Started with TeraGrid Authentication

Jeffrey P. Gardner, Pittsburgh Supercomputing Center, gardnerj@psc.edu

CIG MCW, Boulder, CO (slide transcript, 33 pages)

Page 2

Approaches to TeraGrid Use

Log in interactively to a login node at a TeraGrid site and work from there: no client software to install/maintain yourself; execute tasks from your interactive session

Work from your local workstation and authenticate remotely to TeraGrid resources: comfort and convenience of working "at home"; may have to install/maintain additional TG software (Eventually we will better support this mode)

Page 3

“Traditional” Password Authentication

(Figure: without coordination of authentication between sites, the user holds a separate account and password at every site)

Acct[x], password[x]

Acct[y], password[y]

Acct[z], password[z]

Page 4

Certificate-Based Authentication

(Figure: a single password[k] unlocks the user's Certificate; the sites themselves then require No Password)

Page 5

User Certificates for TeraGrid

Why use certificates for authentication?

Facilitates Single Sign-On: enter your pass-phrase only once per session, regardless of how many systems and services you access on the Grid during that session; one pass-phrase to remember (to protect your private key), instead of one for each system.

Widespread Use and Acceptance: certificate-based authentication is standard for modern Web commerce and secure services.

Page 6

New TeraGrid Account TODO List

1. Use Secure Shell (SSH) to log into a TeraGrid site

2. Change your Password WE'RE SKIPPING THIS STEP TODAY

3. Obtain a TeraGrid-acceptable User Certificate and install it in your home directory (assuming you do not already have one)

4. Register your User Certificate in Globus grid-mapfile on TeraGrid systems

5. Test your User Certificate for Remote Authentication

Page 7

1. SSH to a TeraGrid Site

ssh [email protected]

(Enter the password provided when prompted to do so)

STOP and await further instructions...

Page 8

2a. Change your Account Password

Good Password Selection Rules Apply

Do not use words that could be in any dictionary, including common or trendy misspellings of words

Pick something easy for you to remember, but impossible for others to guess

Pick something that you can learn to type quickly, using many different fingers

Combine letters, digits, punctuation symbols and capitalization

Never use the same password for two different systems, nor for two different accounts

If you must write your password down, do so away from prying eyes and lock it securely away!

WE'RE SKIPPING THIS STEP TODAY

Page 9

2b. Change your Account Password

Means for changing local passwords vary among systems:

local password on Linux and similar operating systems: passwd

Kerberos environments (NCSA, PSC): kpasswd

Systems managed using NIS: yppasswd

See site documentation for the correct method: http://www.teragrid.org/docs/

WE'RE SKIPPING THIS STEP TODAY

Page 10

3a. User Certificate Request

For this exercise, we will execute a command-line program to request a new TeraGrid User Certificate from the NCSA CA

TeraGrid User Cert instructions (has links to instructions for all TG sites):

http://teragrid.org/userinfo/guide_access_auth_setup.html

NCSA CA User Cert instructions: http://www.ncsa.uiuc.edu/UserInfo/Grid/Security/GetUserCert.html

Page 11

3c. User Certificate Request

Execute the NCSA CA User Certificate request script

> ncsa-cert-request

(use your new password again to authenticate; the script authenticates you against NCSA Kerberos)

STOP and await further instructions...

Page 12

3d. User Certificate Request

When prompted, enter a Pass-phrase for your new certificate (and a second time to verify)

A Pass-phrase may be a sentence with spaces. Make it as long as you care to type "in the dark". Good password selection rules apply.

Write your pass-phrase down but store it securely! Never allow your pass-phrase to be discovered by others, especially since this gets you in to multiple systems...

If you lose your pass-phrase, it cannot be recovered; you must get a new certificate.

Page 13

3e. User Certificate Request

The Certificate request script will place your new user certificate and private key into a .globus directory in your home directory

> ls -la .globus

total 24
drwxr-xr-x  3 train00 train00 4096 Nov 17 13:45 .
drwx------ 33 train00 train00 4096 Oct 17 20:17 ..
-r--r--r--  1 train00 train00 2703 Nov 17 13:55 usercert.pem
-r--r--r--  1 train00 train00 1420 Nov 17 13:50 usercert_request.pem
-r--------  1 train00 train00  963 Nov 17 13:50 userkey.pem

Your Pass-phrase protects your private key (userkey.pem)

Page 14

The ~/.globus directory

The default location where a user’s private key and certificate are installed

The directory in which Globus creates temporary subdirectories and files to handle grid job submission and file transfer

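The listing on the previous slide shows userkey.pem readable only by its owner while usercert.pem is world-readable; Globus will not use a private key that other users on the host can read. The Python below is an added example, not part of this deck or of the Globus toolkit: it builds a throw-away directory in the same shape (constructed placeholder files, not real keys or certificates) and reports any file whose mode is more permissive than it should be. The EXPECTED table with its 0600/0644 ceilings is this example's own assumption about what "too permissive" means.

```python
import os
import stat
import tempfile

# Files the cert-request script leaves in ~/.globus, with the most permissive
# mode each may have (example's assumption). The deck shows the key at 0400 and
# the certificate at 0444; the certificate is public, the key must be owner-only.
EXPECTED = {
    "usercert.pem": 0o644,   # public certificate: world-readable is acceptable
    "userkey.pem": 0o600,    # private key: no group or other bits at all
}


def check_globus_dir(path):
    """Return a list of problems found in a .globus-style directory.

    An empty list means every expected file exists and none carries a
    permission bit beyond its EXPECTED ceiling. Problems are returned as
    strings so a caller can print or log them.
    """
    problems = []
    dir_mode = os.stat(path).st_mode
    if dir_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append(f"{path}: directory is group- or world-writable")
    for name, allowed in EXPECTED.items():
        full = os.path.join(path, name)
        if not os.path.isfile(full):
            problems.append(f"{full}: missing")
            continue
        mode = stat.S_IMODE(os.stat(full).st_mode)
        excess = mode & ~allowed          # bits set on disk but not allowed
        if excess:
            problems.append(f"{full}: mode {mode:04o} exceeds {allowed:04o}")
    return problems


def make_sample_dir(key_mode=0o400, cert_mode=0o444):
    """Create a temporary directory shaped like the deck's ~/.globus listing.

    The files hold a constructed placeholder line, not real PEM data, so the
    check can be exercised offline.
    """
    d = tempfile.mkdtemp(prefix="globus-demo-")   # created with mode 0700
    for name, mode in (("usercert.pem", cert_mode),
                       ("usercert_request.pem", 0o444),
                       ("userkey.pem", key_mode)):
        full = os.path.join(d, name)
        with open(full, "w") as f:
            f.write("-----BEGIN PLACEHOLDER (constructed)-----\n")
        os.chmod(full, mode)
    return d


if __name__ == "__main__":
    good = make_sample_dir()
    bad = make_sample_dir(key_mode=0o644)   # private key readable by everyone
    print("good:", check_globus_dir(good) or "OK")
    print("bad: ", check_globus_dir(bad))
```

Pointing check_globus_dir at a real ~/.globus is the same one-line call; the only output on a correctly installed directory is an empty list.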

Page 15

3f. User Certificate Request

Examine your new certificate

> grid-cert-info -subject -startdate -enddate

/C=US/O=National Center for Supercomputing Applications/CN=Jeffrey Gardner
Jun 19 21:16:05 2005 GMT
Jun 18 21:16:05 2006 GMT

Your Certificate's Subject is your Certificate DN (DN = Distinguished Name)

Page 16

3g. User Certificate Request

Test Globus certificate proxy generation

> grid-proxy-init -verify -debug

User Cert File: /home/train00/.globus/usercert.pem
User Key File: /home/train00/.globus/userkey.pem
Trusted CA Cert Dir: /etc/grid-security/certificates
Output File: /tmp/x509up_u500
Your identity: /C=US/O=National Center for Supercomputing Applications/CN=Training User00
Enter GRID pass phrase for this identity:
(Enter your pass-phrase)
Creating proxy .++++++++++++...........++++++++++++ Done
Proxy Verify OK
Your proxy is valid until: Sat Oct 18 08:39:43 2003

> grid-proxy-destroy
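Slides 15 and 16 show the subject and dates that grid-cert-info prints and the "valid until" line that grid-proxy-init prints. The Python below is an added example, not output or code from this deck or from Globus: it parses the subject into its ordered RDNs, the GMT start and end dates, and the proxy lifetime line, then classifies the certificate relative to a given time. The sample strings are constructed to match the slides; the 30-day "expiring soon" threshold and the DN parser's assumption that no attribute value contains a slash are the example's own.

```python
from datetime import datetime, timezone

# Constructed sample output in the shapes shown on the slides
# (not captured from a real system).
CERT_INFO = """\
/C=US/O=National Center for Supercomputing Applications/CN=Jeffrey Gardner
Jun 19 21:16:05 2005 GMT
Jun 18 21:16:05 2006 GMT
"""
PROXY_LINE = "Your proxy is valid until: Sat Oct 18 08:39:43 2003"

EXPIRY_WARNING_DAYS = 30   # example's own threshold for "expiring soon"


def parse_gmt(text):
    """Parse 'Jun 19 21:16:05 2005 GMT' (grid-cert-info -startdate/-enddate)
    into a timezone-aware UTC datetime."""
    mon, day, hms, year, zone = text.split()
    if zone != "GMT":
        raise ValueError(f"unexpected time zone in {text!r}")
    naive = datetime.strptime(f"{mon} {day} {hms} {year}", "%b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone.utc)


def parse_dn(subject):
    """Split '/C=US/O=.../CN=...' into an ordered list of (attribute, value)
    pairs. Assumes no value contains '/' (escaped slashes are not handled)."""
    rdns = []
    for part in subject.strip().split("/")[1:]:   # first field is empty: leading '/'
        attr, sep, value = part.partition("=")
        if not sep or not attr:
            raise ValueError(f"malformed RDN {part!r} in {subject!r}")
        rdns.append((attr, value))
    return rdns


def parse_cert_info(output):
    """Parse the three lines of 'grid-cert-info -subject -startdate -enddate'."""
    lines = [l for l in output.splitlines() if l.strip()]
    if len(lines) != 3:
        raise ValueError("expected subject, start date and end date lines")
    subject, start, end = lines
    return {"dn": parse_dn(subject), "start": parse_gmt(start), "end": parse_gmt(end)}


def parse_proxy_until(line):
    """Parse grid-proxy-init's 'Your proxy is valid until: Sat Oct 18 08:39:43 2003'.
    grid-proxy-init prints local time, so the result is left timezone-naive."""
    _, sep, when = line.partition("valid until:")
    if not sep:
        raise ValueError(f"not a proxy lifetime line: {line!r}")
    return datetime.strptime(when.strip(), "%a %b %d %H:%M:%S %Y")


def cert_status(info, now):
    """Classify a parsed certificate against `now` (aware UTC).
    Returns (state, whole days until the relevant boundary)."""
    if now < info["start"]:
        return "not yet valid", (info["start"] - now).days
    if now >= info["end"]:
        return "expired", 0
    days_left = (info["end"] - now).days
    state = "expiring soon" if days_left <= EXPIRY_WARNING_DAYS else "valid"
    return state, days_left


if __name__ == "__main__":
    info = parse_cert_info(CERT_INFO)
    print("CN =", dict(info["dn"])["CN"])
    print(cert_status(info, datetime.now(timezone.utc)))
    print("proxy expires", parse_proxy_until(PROXY_LINE))
```

Feeding the script the real command output (for example via subprocess) is the only change needed to turn it into a login-time reminder that a certificate is about to lapse, which matters because, as the summary slide notes, an expired certificate means repeating step 3.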

Page 17

Congratulations! You are now “certified” to use the TeraGrid

Your certificate is your encrypted “ID badge” that identifies you to TeraGrid sites. It carries:

Distinguished Name (your unique TeraGrid identity)

Start date and end date

X.509 encrypted key

But before it will work, we need to tell TeraGrid sites (including NCSA) to accept it. Someday soon this will be done automatically.

Page 18

4a. Registering your Distinguished Name in a TeraGrid system grid-mapfile

Every TeraGrid system has /etc/grid-security/grid-mapfile

This file maps your TeraGrid Distinguished Name to your local userid on that machine

By the end of the summer, generating a new certificate will automatically cause grid-mapfiles on all TeraGrid machines to be updated with your Distinguished Name

But at present, to use a new TeraGrid site, you must place an entry in that site’s grid-mapfile

TeraGrid sites provide the gx-map command to simplify this registration process for users

gx-map must be executed once per TeraGrid site accessed

Page 19

4b. Registering your Distinguished Name in the NCSA Globus grid-mapfile

Recall your TeraGrid User Certificate DN (keep this somewhere copy-able)

> grid-cert-info -subject

/C=US/O=National Center for Supercomputing Applications/CN=Jeffrey Gardner (or something like this)

Execute the gx-map command interactively

> gx-map -interactive

STOP and await further instructions...

Page 20

4c. Registering your Distinguished Name in the NCSA Globus grid-mapfile

...
(a) Add a grid-mapfile entry
(r) Remove a grid-mapfile entry
(q) Query a grid-mapfile entry
(u) Request an update of the grid-mapfiles
(x) Exit
What do you want to do? [arqux] a (return)

What user name do you want to map (default is username) ? (return)

(This prompt may no longer appear)

STOP and await further instructions...

Page 21

4d. Registering your Distinguished Name in the NCSA Globus grid-mapfile

...
(a) Add a grid-mapfile entry
(r) Remove a grid-mapfile entry
(q) Query a grid-mapfile entry
(u) Request an update of the grid-mapfiles
(x) Exit
What do you want to do? [arqux] a (return)

STOP and await further instructions...

Page 22

4e. Registering your Distinguished Name in the NCSA Globus grid-mapfile

You can specify the DN in one of three ways:
(c) Certificate, extract from /home/gardnerj/.globus/usercert.pem
(f) File, extract from a specified certificate file
(i) Input the DN directly
(x) Exit
How do you want to specify the DN? [cfix] i (return)

Enter distinguished name: <Paste your distinguished name here>

E-mail address (<return> for none): (return)

STOP and await further instructions...

Page 23

4f. Registering your User Certificate in the NCSA Globus grid-mapfile

Ignore the subsequent prompts - just press (return) until you get to:

About to map distinguished name "/C=US/O=National Center for Supercomputing Applications/CN=Jeffrey Gardner" to user gardnerj
Proceed? [yn] y (return)

Mapping request submitted.
The grid-mapfile(s) should be updated in a few minutes

STOP and await further instructions...

Page 24

5a. Registering your Distinguished Name in a TACC grid-mapfile

Recall your TeraGrid User Certificate DN (keep your DN somewhere copy-able )

> grid-cert-info -subject

/C=US/O=National Center for Supercomputing Applications/CN=Jeffrey Gardner (or something like this)

SSH to TACC the old fashioned way

> ssh [email protected]

Execute the gx-map command interactively

> gx-map -interactive

STOP and await further instructions...

Page 25

5b. Registering your Distinguished Name in a TACC grid-mapfile

...
(a) Add a grid-mapfile entry
(r) Remove a grid-mapfile entry
(q) Query a grid-mapfile entry
(u) Request an update of the grid-mapfiles
(x) Exit
What do you want to do? [arqux] a (return)

STOP and await further instructions...

Page 26

5c. Registering your Distinguished Name in a TACC grid-mapfile

You can specify the DN in one of three ways:
(c) Certificate, extract from /home/gardnerj/.globus/usercert.pem
(f) File, extract from a specified certificate file
(i) Input the DN directly
(x) Exit
How do you want to specify the DN? [cfix] i (return)

Enter distinguished name: <Paste your distinguished name here>

E-mail address (<return> for none): (return)

STOP and await further instructions...

Page 27

5d. Registering your User Certificate in the TACC Globus grid-mapfile

Ignore the subsequent prompts - just press (return) until you get to:

About to map distinguished name "/C=US/O=National Center for Supercomputing Applications/CN=Jeffrey Gardner" to user gardnerj
Proceed? [yn] y (return)

Mapping request submitted.
The grid-mapfile(s) are updated at the beginning of each hour

STOP and await further instructions...

Page 28

5e. Registering your User Certificate in the TACC Globus grid-mapfile

Log out of TACC

> exit

STOP and await further instructions...

Page 29

Authentication Setup Summary

Certificate generation (Step 3) is done only once for the entire TeraGrid! Until your certificate expires after 2 years, or you delete your .globus directory

Page 30

Authentication Setup Summary

Updating /etc/grid-security/grid-mapfile (Step 4) is done the first time you use each TeraGrid site.

How this is done depends on the site:

NCSA, TACC, SDSC, Caltech/CACR, IU, US/ANL: gx-map

PSC: Edit grid-mapfile directly using webpage https://dirs.psc.edu/teragrid/userpage

Page 31

6. Verifying your User Certificate in a TeraGrid system Globus grid-mapfile

Login to TeraGrid system

Check that your certificate DN and user account name have been entered into the local host's grid-mapfile (substitute your local username for userid)

> grep -i userid /etc/grid-security/grid-mapfile

"/C=US/O=National Center for Supercomputing Applications/CN=Jeff Gardner" gardnerj
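Slide 18 describes the grid-mapfile as the map from a Distinguished Name to a local userid, and the grep above is how the deck verifies an entry by eye. The Python below is an added example, not part of this deck or of the Globus toolkit: it parses a constructed grid-mapfile in the documented format (a double-quoted DN followed by one or more comma-separated local usernames, with # comment lines) and checks that a given DN maps to the expected account. Exact string comparison of the DN is this example's assumption; the page does not describe Globus' own matching rules. It also shows why the deck tells you to paste the DN from grid-cert-info: the grep output on this slide reads CN=Jeff Gardner while the certificate on slide 15 reads CN=Jeffrey Gardner, and an exact-match lookup treats those as two different identities.

```python
# Constructed sample in the grid-mapfile format: one entry per line, the DN in
# double quotes (it contains spaces), then one or more comma-separated local
# usernames. Lines beginning with '#' are comments. Not a real site's file.
SAMPLE_GRID_MAPFILE = """\
# /etc/grid-security/grid-mapfile (constructed example)
"/C=US/O=National Center for Supercomputing Applications/CN=Jeff Gardner" gardnerj
"/C=US/O=National Center for Supercomputing Applications/CN=Training User00" train00
"/C=US/O=Example Org/CN=Shared Service" svc1,svc2
"""


def parse_grid_mapfile(text):
    """Return {dn: [local usernames]} for every entry. A line that cannot be
    read raises ValueError instead of being skipped silently, so a corrupt
    mapfile is noticed rather than quietly losing entries."""
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith('"'):
            close = line.find('"', 1)
            if close < 0:
                raise ValueError(f"line {lineno}: unterminated quoted DN")
            dn, rest = line[1:close], line[close + 1:]
        else:                                   # unquoted DN: contains no spaces
            dn, _, rest = line.partition(" ")
        users = [u.strip() for u in rest.split(",") if u.strip()]
        if not dn or not users:
            raise ValueError(f"line {lineno}: entry needs a DN and a local user")
        mapping.setdefault(dn, []).extend(users)
    return mapping


def users_for_dn(mapping, dn):
    """Exact-match lookup (example's assumption); [] means the DN is not
    registered on this host."""
    return mapping.get(dn.strip(), [])


def dns_for_user(mapping, user):
    """Reverse lookup: every DN that maps to a local account, which is what
    'grep -i userid /etc/grid-security/grid-mapfile' shows on the slide."""
    return [dn for dn, users in mapping.items() if user in users]


def verify_registration(text, dn, expected_user):
    """Return (ok, message); ok is True only when dn maps to expected_user."""
    mapping = parse_grid_mapfile(text)
    users = users_for_dn(mapping, dn)
    if not users:
        return False, f"{dn} is not in the grid-mapfile (gx-map entry missing or not yet applied)"
    if expected_user not in users:
        return False, f"{dn} maps to {users}, not to {expected_user}"
    return True, f"{dn} maps to {expected_user}"


if __name__ == "__main__":
    dn = "/C=US/O=National Center for Supercomputing Applications/CN=Jeff Gardner"
    print(verify_registration(SAMPLE_GRID_MAPFILE, dn, "gardnerj"))
    # Same person, different spelling of the CN: an exact-match lookup fails.
    print(verify_registration(SAMPLE_GRID_MAPFILE, dn.replace("Jeff", "Jeffrey"), "gardnerj"))
```

On a real host, reading /etc/grid-security/grid-mapfile into verify_registration with the DN taken verbatim from grid-cert-info -subject gives a yes/no answer that does not depend on a human spotting a one-character difference in the grep output.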

STOP and await further instructions...

Page 32

Questions

Phew!

Any Questions regarding TeraGrid User Certificates and Authentication?

Page 33

Links

Obtaining TeraGrid User Certificates: http://www.ncsa.uiuc.edu/UserInfo/Grid/Security/GetUserCert.html

TeraGrid Certificate and DN setup: http://www.teragrid.org/userinfo/guide_access_auth_setup.html

TeraGrid Proxy setup: http://www.teragrid.org/userinfo/guide_access_auth_proxy.html

TeraGrid User Guide: http://teragrid.org/docs/user-guide.html