This exercise will provide hands-on experience in using various tools to set up and use the Grid Security Infrastructure (GSI) for working on the grid. The first few sections delve into certificates and proxies and demonstrate how pre-configured credentials can be used to run some grid-enabled programs. The later sections discuss the steps involved in obtaining a new certificate and using it on the grid.
Use the grid-proxy-init command to create proxies.
$ grid-proxy-init -verify -cert ~/.globus/johncert.pem -key ~/.globus/johnkey.pem
Your identity: /O=Grid/OU=OSG/CN=Your Name 1234
Enter GRID pass phrase for this identity: PASSWORD
Creating proxy .......................................... Done
Your proxy is valid until: Fri Jun 23 22:00:10 2006
[YOURLOGIN ~]$
The proxy is created using the user certificate and key.
The passphrase is used to decrypt the private key file.
The -verify option is not required, but is
useful for debugging. -verify will warn you if an
expected Certificate Authority (CA) certificate
is missing.
Use grid-proxy-info to show information about your proxy.
Use the -all parameter to display all the information about your proxy:
[YOURLOGIN ~]$ grid-proxy-info -all
subject : /O=Grid/OU=OSG/CN=Your Name 1234/CN=203360020
issuer : /O=Grid/OU=OSG/CN=Your Name 1234
identity : /O=Grid/OU=OSG/CN=Your Name 1234
type : Proxy draft (pre-RFC) compliant impersonation proxy
strength : 512 bits
path : /tmp/x509up_u539
timeleft : 11:58:58
[YOURLOGIN ~]$
Grid Proxy Details
subject: The distinguished name (DN) from the certificate, appended with a unique string of numbers.
issuer: The distinguished name of the user certificate itself.
path: The file system location where your proxy is stored.
timeleft: How much longer the proxy will be valid, in hours, minutes and seconds.
As you can see, the issuer of the proxy certificate is the user certificate. This shows the chain of trust: CA -> user certificate -> proxy certificate.
The proxy file contains the private key generated for the proxy, the corresponding public key, and a certificate that is signed, like any certificate, by the user certificate rather than by a CA.
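The subject, issuer and identity lines above follow a simple naming rule: each proxy level appends one /CN=<number> component to the DN of the certificate that signed it, and the identity is what remains once those components are stripped. The following Python is an added example written for this exercise, not Globus Toolkit code; it assumes, as the grid-proxy-info output here shows, that the appended proxy CN is all digits, and it checks the string rule only, not the signatures themselves.

```python
"""Derive the identity behind a GSI proxy subject and check the naming rule
that ties a proxy to its issuer. Added example, not Globus Toolkit code."""
import re

# Assumption, matching the grid-proxy-info output in this exercise: every
# proxy level appends one "/CN=<digits>" component to the signer's DN.
PROXY_CN = re.compile(r"/CN=\d+$")


def proxy_identity(subject):
    """Return (identity, depth): the end-entity DN reached by stripping
    trailing proxy CN components, and how many levels were stripped.
    A user CN that merely ends in digits ("Your Name 1234") is untouched
    because the whole CN value must be numeric to count as a proxy CN."""
    depth = 0
    while PROXY_CN.search(subject):
        subject = PROXY_CN.sub("", subject)
        depth += 1
    return subject, depth


def is_proxy_of(subject, issuer):
    """True if `subject` is `issuer` plus exactly one proxy CN component,
    i.e. the subject/issuer pair is consistent with the chain
    CA -> user certificate -> proxy certificate."""
    return bool(PROXY_CN.search(subject)) and PROXY_CN.sub("", subject) == issuer


if __name__ == "__main__":
    # Values taken from the grid-proxy-info output in this exercise.
    subject = "/O=Grid/OU=OSG/CN=Your Name 1234/CN=203360020"
    issuer = "/O=Grid/OU=OSG/CN=Your Name 1234"
    identity, depth = proxy_identity(subject)
    print("identity :", identity)
    print("depth    :", depth)
    print("issuer ok:", is_proxy_of(subject, issuer))
    # A proxy created from a proxy adds one more level.
    print(proxy_identity(subject + "/CN=7"))
```

A real implementation would decide what is a proxy from the certificate's extensions (the critical 1.3.6.1.4.1.3536.1.222 extension visible in the grid-cert-info dump below) and from signature verification, not from the DN string alone; a user certificate whose own CN happened to be purely numeric would confuse this string rule.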
Now list the contents of the proxy using grid-cert-info, specifying the full path to your proxy.
$ grid-cert-info -file /path/to/proxy/proxyFileName
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 203360020 (0xc1f0714)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=US, O=SDSC, OU=SDSC, CN=Account Train31/UID=train31
Validity
Not Before: Jun 23 14:55:10 2006 GMT
Not After : Jun 24 03:00:10 2006 GMT
Subject: C=US, O=SDSC, OU=SDSC, CN=Account Train31/UID=train31, CN=203360020
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (512 bit)
Modulus (512 bit):
00:b8:75:e3:a4:3c:31:9e:b9:71:e8:b0:4e:fc:18:
69:e6:79:15:90:f4:0f:49:20:f0:e3:62:9f:e2:92:
d0:96:4c:9b:b5:97:12:b3:bd:87:c7:8c:2f:bb:b0:
fe:79:8c:3d:61:5e:49:f6:c1:46:e1:1e:08:d1:d7:
89:a0:e3:8a:f3
Exponent: 65537 (0x10001)
X509v3 extensions:
1.3.6.1.4.1.3536.1.222: critical
0.0
..+.......
Signature Algorithm: md5WithRSAEncryption
45:05:52:c7:9f:a7:35:32:d9:a8:be:58:92:a7:b0:61:e4:7a:
2a:a2:36:0f:eb:65:0e:0f:ca:40:3d:0e:27:8b:38:14:a6:af:
51:7d:28:2f:ac:3e:3e:05:7b:ea:d6:0e:fc:78:7d:eb:60:80:
6a:74:43:64:ef:ca:e8:25:fe:d3:07:a9:4d:e0:54:4a:75:9f:
c9:8e:9a:1e:82:19:a4:fc:72:a3:6f:0d:de:33:57:d8:f8:cd:
da:d2:bc:8a:ee:48:34:4b:00:3e:7e:b7:5e:66:fa:2e:5c:22:
4a:50:98:02:32:c6:e3:a9:07:b7:bb:e6:4d:02:e8:6c:d4:48:
5e:55:ec:ed:a9:38:ee:b8:33:60:88:c1:ab:38:ce:d8:53:a3:
ac:c3:a2:c1:d8:1e:95:5b:e5:3a:3f:d1:e0:51:c2:5e:82:e0:
a4:48:d3:e6:82:66:56:d9:6b:e0:a5:1e:85:4d:3d:d7:e0:4e:
03:ce:f7:5a:63:cd:5c:9a:38:96:59:0f:92:11:6b:eb:ed:34:
1a:55:73:e1:c0:b0:91:ea:b4:1e:3b:8d:0f:2d:53:83:10:98:
44:19:ac:39:6d:1a:6b:37:90:60:6a:35:9b:c6:41:2e:5a:ef:
ae:54:6c:9e:51:b8:68:c2:97:83:2f:72:25:df:90:b9:bc:31:
92:23:45:77
[YOURLOGIN ~]$
The contents are similar to your user certificate, but there are some differences; for example, the issuer is the DN of the user certificate, rather than of the certificate authority.
grid-cert-info is useful to see how long your proxy certificate will last (the Not Before and Not After lines under Validity).
Globus services (for example, GRAM and GridFTP) use a
grid mapfile located in /etc/grid-security/grid-mapfile on
each server.
This file has restricted write access, but the file can be read by anyone.
You can look at the gridmap file on terminable like this:
$ cat /etc/grid-security/grid-mapfile
#
# Automatically generated by gx-gen-mapfile (gx-map 0.5.1)
# at Fri 2006-06-23 15:26:02 UTC on terminable.ci.uchicago.edu.
# DO NOT EDIT THIS FILE. ANY CHANGES YOU MAKE WILL BE LOST ON THE NEXT UPDATE.
#
"/C=US/O=Globus Alliance/OU=User/CN=101497d3dcd.3dcd5aef" ranantha
"/C=US/O=Globus Alliance/OU=User/CN=10bd8f410f6.5f0086b4" benc
"/C=US/O=Globus Alliance/OU=User/CN=10bf234e01a.ac286cfa" ranantha
"/C=US/O=SDSC/OU=SDSC/CN=Account Train10/UID=train10" train10
"/C=US/O=SDSC/OU=SDSC/CN=Account Train11/UID=train11" train11
"/C=US/O=SDSC/OU=SDSC/CN=Account Train12/UID=train12" train12
...
"/C=US/O=SDSC/OU=SDSC/CN=Account Train58/UID=train58" train58
"/C=US/O=SDSC/OU=SDSC/CN=Account Train59/UID=train59" train59
"/C=US/O=SDSC/OU=SDSC/CN=Account Train60/UID=train60" train60
"/DC=org/DC=doegrids/OU=People/CN=Gaurang Mehta 998137" gmehta
Grid mapfiles can be created by system administrators by hand or using a number of tools. In this workshop, the grid mapfile is maintained by a tool called gx-map.
Only the listed DNs are allowed to access Globus services running on terminable.
Each entry is a mapping from a DN to a username. For example, the DN /O=Grid/OU=OSG/CN=Your Name 1234 is mapped to the username YOURLOGIN.
Typically an administrator must add users to the gridmap file, which is an out-of-band activity. The tool gx-request, if set up by the administrator, can be used by anyone who has access to a machine to add an identity to the gridmap file. The addition is not instant; it will take a few minutes to appear in the gridmap file.
$ gx-request -quick-add
About to map distinguished name "/C=US/O=SDSC/OU=SDSC/CN=Account Train55/UID=YOURLOGIN" to user YOURLOGIN
Proceed? [yn] y
Mapping request submitted. The grid-mapfile should be updated in a few minutes
$
This update will take a few minutes. You can look for the update by searching the gridmap file for your DN.
$ grep "/O=Grid/OU=OSG/CN=Your Name 1234" /etc/grid-security/grid-mapfile
$ grep "/O=Grid/OU=OSG/CN=Your Name 1234" /etc/grid-security/grid-mapfile
"/O=Grid/OU=OSG/CN=Your Name 1234" YOURLOGIN
$
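The grep above does the lookup by eye. The Python below, an added example rather than code from the exercise or from the Globus Toolkit, parses the grid-mapfile format shown above (comment lines, a double-quoted DN, then the account) and performs the DN-to-account lookup a Globus service makes after authentication. The sample mapfile text is constructed from the entries shown above; the last entry uses the comma-separated form that lists more than one account for one DN, and the proxy-CN stripping assumes all-digit proxy CNs as in this exercise.

```python
"""Parse a Globus grid-mapfile and resolve an identity to a local account.
Added example, not part of the exercise or of the Globus Toolkit."""
import re
import shlex

# Constructed sample in the format shown in the exercise. The last entry
# uses the comma-separated form, which lists more than one account for a DN.
SAMPLE_MAPFILE = '''\
#
# Automatically generated by gx-gen-mapfile (gx-map 0.5.1)
# DO NOT EDIT THIS FILE. ANY CHANGES YOU MAKE WILL BE LOST ON THE NEXT UPDATE.
#
"/C=US/O=SDSC/OU=SDSC/CN=Account Train10/UID=train10" train10
"/O=Grid/OU=OSG/CN=Your Name 1234" YOURLOGIN
"/DC=org/DC=doegrids/OU=People/CN=Gaurang Mehta 998137" gmehta,gmehta2
'''

# Assumption (as in this exercise): a proxy appends "/CN=<digits>" to the DN.
PROXY_CN = re.compile(r"/CN=\d+$")


def parse_grid_mapfile(text):
    """Return {DN: [account, ...]}. Blank lines and '#' comments are skipped;
    a malformed line raises ValueError naming the line number."""
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            fields = shlex.split(line)      # honours the double-quoted DN
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
        if len(fields) != 2:
            raise ValueError(f'line {lineno}: expected "DN" account[,account...]')
        dn, accounts = fields
        # The first entry for a DN wins; later duplicates are ignored.
        mapping.setdefault(dn, accounts.split(","))
    return mapping


def map_identity(mapping, identity):
    """Default (first) account for an exact-match identity, or None when the
    identity is absent from the file and therefore not authorized."""
    accounts = mapping.get(identity)
    return accounts[0] if accounts else None


def authorize(mapping, proxy_subject):
    """Authorization step after GSI authentication: reduce the proxy subject
    to the identity it was issued from, then consult the mapfile."""
    identity = proxy_subject
    while PROXY_CN.search(identity):
        identity = PROXY_CN.sub("", identity)
    return map_identity(mapping, identity)


if __name__ == "__main__":
    table = parse_grid_mapfile(SAMPLE_MAPFILE)
    print(authorize(table, "/O=Grid/OU=OSG/CN=Your Name 1234/CN=203360020"))
    print(authorize(table, "/O=Grid/OU=OSG/CN=Someone Else"))
```

Note that the lookup must be done on the identity, not on the proxy subject: the proxy's extra /CN=203360020 component never appears in the mapfile, so looking up the raw subject would deny access to a user who is listed.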
To get grid access to gridlab2 with your new credential, you have to do something similar there.
First, let us get the DN we want mapped on the remote machine.
$ grid-proxy-info -identity
/O=Grid/OU=OSG/CN=Your Name 1234
The output needs to be pasted into the command you run on the remote machine.
Open an ssh connection to gridlab2.ci.uchicago.edu and run gx-request there.
gridlab2$ gx-request -interactive
The gx-request command lets you submit a request to modify the Globus
grid-mapfile(s) on one or more machines. Once the request is submitted,
the updates should occur within a few minutes.

A grid-mapfile entry maps a DN (Distinguished Name) to a Unix user name.
For example, an entry like
    "/O=Big University/OU=Small Department/CN=John Doe" jdoe
allows a user holding a Globus certificate with the specified DN to run
Globus jobs under the Unix account "jdoe".

gx-request can be run interactively or with command-line arguments.
In this interactive mode, you will be asked a series of questions.
Enter your responses followed by <return>. Single-letter menu responses
are case-insensitive; other responses must be entered exactly.
enter it by just typing <return>.

(a) Add a grid-mapfile entry
(r) Remove a grid-mapfile entry
(u) Request an update of the grid-mapfiles
(x) Exit
(The "set" operation is not currently available in interactive mode.)
What do you want to do? [arux] a
You can specify the DN in one of the following ways:
(c) Certificate, extract from /home/YOURLOGIN/.globus/usercert.pem
(f) File, extract from a specified certificate file
(i) Input the DN directly
(x) Exit
How do you want to specify the DN? [cfix] i
Enter distinguished name: /O=Grid/OU=OSG/CN=Your Name 1234
You may provide your e-mail address if you wish. It will be recorded in
the request log, and may be used to contact you if there is a problem
with your certificate.
E-mail address (<return> for none):
You may provide an optional comment. If you do, it will be recorded in
the request log. Press return if you don't wish to provide a comment.
Comment:
About to map distinguished name "/O=Grid/OU=OSG/CN=Your Name 1234" to user YOURLOGIN
Proceed? [yn] y
Mapping request submitted. The grid-mapfile should be updated in a few minutes
The update takes a few minutes.
[YOURLOGIN ~]$ globus-url-copy gsiftp://localhost:2811/home/YOURLOGIN/tempFile gsiftp://localhost:2811/home/YOURLOGIN/destFile
[YOURLOGIN ~]$ ls -lt destFile
-rw-r--r-- 1 YOURLOGIN YOURLOGIN 43 Jun 23 10:04 destFile
[YOURLOGIN ~]$ more destFile
Temporary file for testing globus-url-copy
[YOURLOGIN ~]$
globus-url-copy picks up the proxy from the default location and uses it to authenticate with the GridFTP server. Authentication establishes your identity. Note that the identity in the proxy certificate is still your certificate's identity.
Upon successful authentication, the server knows the client is who it claims to be. It then checks whether that identity is authorized to transfer files, using grid map authorization to decide. We have already set up the gridmap to allow your identity. You will learn more about this later in the exercise.
By default, grid-proxy-init creates a proxy valid for 12 hours. However, the duration of a proxy can be specified on the command line with the -valid hours:minutes option.
[YOURLOGIN ~]$ date
Fri Jun 23 10:06:01 CDT 2006
[YOURLOGIN ~]$ grid-proxy-init -valid 0:1
Your identity: /O=Grid/OU=OSG/CN=Your Name 1234
Enter GRID pass phrase for this identity:
Creating proxy ........................................ Done
Your proxy is valid until: Fri Jun 23 10:07:10 2006
[YOURLOGIN ~]$ grid-proxy-info
subject : /O=Grid/OU=OSG/CN=Your Name 1234/CN=24915772
issuer : /O=Grid/OU=OSG/CN=Your Name 1234
identity : /O=Grid/OU=OSG/CN=Your Name 1234
type : Proxy draft (pre-RFC) compliant impersonation proxy
strength : 512 bits
path : /tmp/x509up_u539
timeleft : 0:00:52
[YOURLOGIN ~]$
The proxy requested was for 1 minute. grid-proxy-info shows the valid time left. You should see it is just less than a minute. If you run grid-proxy-info again, you should see it is even shorter. Eventually it will reach 0.
Wait for your proxy to expire. You can check this by watching the timeleft field in the output of grid-proxy-info and waiting for it to reach zero.
Now you have a proxy, but the proxy is invalid because it has expired.
$ date
Fri Jun 23 10:07:35 CDT 2006
$ grid-proxy-info
subject : /O=Grid/OU=OSG/CN=Your Name 1234/CN=24915772
issuer : /O=Grid/OU=OSG/CN=Your Name 1234
identity : /O=Grid/OU=OSG/CN=Your Name 1234
type : Proxy draft (pre-RFC) compliant impersonation proxy
strength : 512 bits
path : /tmp/x509up_u539
timeleft : 0:00:00
$ globus-url-copy gsiftp://localhost:2811/home/YOURLOGIN/tempFile gsiftp://localhost:2811/home/YOURLOGIN/expiredTest
error: globus_ftp_control: gss_init_sec_context failed
globus_gsi_gssapi: Error with GSI credential
globus_gsi_gssapi: Error with gss credential handle
globus_credential: Error with credential: The proxy credential: /tmp/x509up_u539 with subject: /O=Grid/OU=OSG/CN=Your Name 1234/CN=24915772 expired 1 minutes ago.
$ ls -lt expiredTest
ls: expiredTest: No such file or directory
The error indicates that the proxy has expired, so the client was not able to authenticate with the server and the file was not transferred.
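The lifetime arithmetic behind the timeleft field and the expiry error above is short enough to write out. The Python below is an added example for this exercise, not Globus Toolkit code: it parses the Not After value in the form grid-cert-info prints, computes the clamped time left that grid-proxy-info shows, and reproduces the shape of the "expired N minutes ago" message. The times used in the main block are taken from the transcript above; treating them as UTC and rounding overdue time up to whole minutes are this example's own choices, made so that a proxy 25 seconds past its lifetime reads "expired 1 minutes ago" as in the transcript.

```python
"""Lifetime arithmetic for a proxy: the timeleft value grid-proxy-info prints
and the expiry check a client performs before using the credential.
Added example; the message only mimics the transcript's error text and is
not Globus Toolkit code."""
from datetime import datetime, timedelta

NOT_AFTER_FORMAT = "%b %d %H:%M:%S %Y GMT"   # as printed by grid-cert-info


def parse_not_after(text):
    """Parse a 'Not After' value such as 'Jun 24 03:00:10 2006 GMT' into a
    naive UTC datetime. Callers must pass a UTC `now` to the functions
    below; the extra space OpenSSL prints before single-digit days is
    collapsed first."""
    return datetime.strptime(" ".join(text.split()), NOT_AFTER_FORMAT)


def time_left(not_after, now):
    """Remaining lifetime, clamped at zero exactly as the timeleft field is
    (an expired proxy shows 0:00:00, never a negative time)."""
    return max(not_after - now, timedelta(0))


def format_timeleft(delta):
    """Render a timedelta as H:MM:SS, e.g. 11:58:58 or 0:00:52."""
    hours, rest = divmod(int(delta.total_seconds()), 3600)
    minutes, seconds = divmod(rest, 60)
    return f"{hours}:{minutes:02d}:{seconds:02d}"


def check_credential(path, subject, not_after, now):
    """Return None while the proxy is valid, otherwise the error text a
    client would report. Overdue time is rounded up to whole minutes."""
    if now < not_after:
        return None
    overdue = int((now - not_after).total_seconds())
    minutes = -(-overdue // 60)          # ceiling division
    return (f"The proxy credential: {path} with subject: {subject} "
            f"expired {minutes} minutes ago.")


if __name__ == "__main__":
    # Constructed from the transcript: the one-minute proxy was valid until
    # 10:07:10; grid-proxy-info ran at about 10:06:18 and the failed
    # transfer was attempted at 10:07:35.
    valid_until = datetime(2006, 6, 23, 10, 7, 10)
    subject = "/O=Grid/OU=OSG/CN=Your Name 1234/CN=24915772"
    for now in (datetime(2006, 6, 23, 10, 6, 18), datetime(2006, 6, 23, 10, 7, 35)):
        print("timeleft :", format_timeleft(time_left(valid_until, now)))
        print(check_credential("/tmp/x509up_u539", subject, valid_until, now))
```

The check is deliberately done on the client side before any network traffic, which is why the transcript shows the error coming from the credential library rather than from the GridFTP server: an expired proxy never gets as far as the mapfile lookup.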