Authentication and Authorization Tutorial
Basic Operations
We present the basic operations on Grid certificates and the use of VOMS proxies. We assume you are logged on to a User Interface (UI) and that you have valid certificates under the .globus directory.
Inspecting personal certificate
Your personal certificate is split into two separate files in a directory called .globus. These files are effectively your public and private keys, which are used for the authenticated connections with all the other Grid elements. It is essential that they have the correct file permissions (in particular, the private key must be readable by its owner only), otherwise you won't be able to create a proxy. Check the permissions with the command
[morgan@grid003 morgan]$ ls -l .globus/
total 8
-rw------- 1 morgan wheel 1798 Aug 27 2007 usercert.pem
-r-------- 1 morgan wheel 1920 Aug 27 2007 userkey.pem
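An added check, not part of the original tutorial, that verifies the permissions of usercert.pem and userkey.pem before you try to create a proxy (the directory is an argument, defaulting to ~/.globus):

```shell
#!/bin/sh
# Added example (not part of the original tutorial): verify that the files under
# ~/.globus carry the permissions the proxy tools require before you run
# voms-proxy-init. Usage: check_globus_perms [DIR]  (DIR defaults to ~/.globus)

# Octal permission bits of a file (GNU stat first, BSD stat as a fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_file_mode FILE "ALLOWED MODES": succeed only if FILE exists and its
# mode is one of the listed values; print a one-line verdict either way.
check_file_mode() {
    f=$1; allowed=$2
    [ -f "$f" ] || { echo "MISSING $f"; return 1; }
    mode=$(file_mode "$f")
    case " $allowed " in
        *" $mode "*) echo "OK      $f (mode $mode)"; return 0 ;;
        *)           echo "BAD     $f (mode $mode, expected one of: $allowed)"; return 1 ;;
    esac
}

# check_globus_perms [DIR]: returns 0 only when both files pass.
check_globus_perms() {
    dir=${1:-$HOME/.globus}
    rc=0
    # The private key must be readable by its owner only (0400 or 0600), as in
    # the tutorial's listing; a key that group or others can read is refused.
    check_file_mode "$dir/userkey.pem" "400 600" || rc=1
    # The certificate is public, so 0644 is the usual choice; 0600, as in the
    # tutorial's listing, is fine too. It must never be writable by others.
    check_file_mode "$dir/usercert.pem" "400 444 600 644" || rc=1
    return $rc
}
```

Call check_globus_perms with no argument to test your own ~/.globus: it prints one verdict per file and returns non-zero if either file fails.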
To obtain a valid certificate and create the usercert/userkey files please follow this link.
You can now have a look inside your certificate with
[morgan@grid003 morgan]$ grid-cert-info
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 7871 (0x1ebf)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=IT, O=INFN, CN=INFN CA
Validity
Not Before: Aug 27 13:31:50 2007 GMT
Not After : Aug 26 13:31:50 2008 GMT
Subject: C=IT, O=INFN, OU=Personal Certificate, L=INAF Trieste, CN=Giuliano Taffoni
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:a3:a5:2e:1e:48:e0:8f:bc:cf:4b:45:14:fc:ac:
[...]
d6:b3:8d:da:b1:0a:e0:66:b2:dd:be:e1:c4:10:b2:
b4:a9
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Key Usage: critical
Digital Signature, Key Encipherment, Data Encipherment
X509v3 Extended Key Usage:
TLS Web Client Authentication, E-mail Protection
X509v3 CRL Distribution Points:
URI:http://security.fi.infn.it/CA/INFNCA_crl.der
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.10403.10.1.5
X509v3 Subject Key Identifier:
61:EB:19:F5:A2:6C:95:45:7C:CB:03:ED:90:EC:E0:F7:15:70:5E:93
X509v3 Authority Key Identifier:
keyid:D1:62:F3:B3:77:72:C8:2E:FB:F2:79:1A:6F:37:4E:27:9F:13:D5:20
DirName:/C=IT/O=INFN/CN=INFN CA
serial:00
X509v3 Subject Alternative Name:
email:taffoni@oats.inaf.it
Signature Algorithm: sha1WithRSAEncryption
16:db:19:f5:bd:c0:64:f0:44:16:
Things worth noting are the certificate's creation and expiration dates (Not Before / Not After), the name and subject of the Certification Authority which issued the certificate (Issuer), the Common Name (CN) of the certificate owner, and the certificate subject, which uniquely identifies the certificate owner.
Creation of a proxy with VOMS extensions
This step is comparable to logging in to the Grid: without it you can do very little. The command is
voms-proxy-init --voms VO-NAME
If everything is OK you should see something like
[morgan@grid003 morgan]$ voms-proxy-init --voms planck
Cannot find file or dir: /home/morgan/.glite/vomses
Enter GRID pass phrase:
Your identity: /C=IT/O=INFN/OU=Personal Certificate/L=INAF Trieste/CN=Giuliano Taffoni
Creating temporary proxy .................................................................... Done
Contacting voms.cnaf.infn.it:15002 [/C=IT/O=INFN/OU=Host/L=CNAF/CN=voms.cnaf.infn.it] "planck" Done
Creating proxy ............................................................... Done
Your proxy is valid until Thu Aug 14 00:49:54 2008
Check your VOMS proxy
Once your proxy has been created, you can gather information on it with the voms-proxy-info command. It is much more useful if run with the --all option, because it will also show the VO-related information added by the VOMS server, such as the groups you belong to and your roles. Note also the two different lifetimes: the first refers to the proxy itself, the second to the Attribute Certificate (AC) added by the VOMS server. Both have to be valid for you to be fully enabled to perform operations.
[morgan@grid003 morgan]$ voms-proxy-info --all
subject : /C=IT/O=INFN/OU=Personal Certificate/L=INAF Trieste/CN=Giuliano Taffoni/CN=proxy
issuer : /C=IT/O=INFN/OU=Personal Certificate/L=INAF Trieste/CN=Giuliano Taffoni
identity : /C=IT/O=INFN/OU=Personal Certificate/L=INAF Trieste/CN=Giuliano Taffoni
type : proxy
strength : 512 bits
path : /tmp/x509up_u2001
timeleft : 11:59:01
=== VO planck extension information ===
VO : planck
subject : /C=IT/O=INFN/OU=Personal Certificate/L=INAF Trieste/CN=Giuliano Taffoni
issuer : /C=IT/O=INFN/OU=Host/L=CNAF/CN=voms.cnaf.infn.it
attribute : /planck/Role=NULL/Capability=NULL
attribute : /planck/dbusers/Role=NULL/Capability=NULL
attribute : /planck/dbusers/world/Role=NULL/Capability=NULL
attribute : /planck/dbusers/world/select/Role=NULL/Capability=NULL
attribute : /planck/dbusers/demo/Role=NULL/Capability=NULL
attribute : /planck/dbusers/demo/select/Role=NULL/Capability=NULL
attribute : /planck/dbusers/demo/insert/Role=NULL/Capability=NULL
attribute : /planck/dbusers/world/insert/Role=NULL/Capability=NULL
timeleft : 11:57:11
To print only the VOMS attributes (the FQANs) you can use the command:
[morgan@grid003 morgan]$ voms-proxy-info --fqan
/planck/Role=NULL/Capability=NULL
/planck/dbusers/Role=NULL/Capability=NULL
/planck/dbusers/world/Role=NULL/Capability=NULL
/planck/dbusers/world/select/Role=NULL/Capability=NULL
/planck/dbusers/demo/Role=NULL/Capability=NULL
/planck/dbusers/demo/select/Role=NULL/Capability=NULL
/planck/dbusers/demo/insert/Role=NULL/Capability=NULL
/planck/dbusers/world/insert/Role=NULL/Capability=NULL
Advanced usage of VOMS
One of the main features of VOMS is its capability to create groups and roles, which allows the VO administrator to differentiate users' privileges and rights.
Users who already belong to a group, or have already been assigned a Role, can request it while creating the proxy with the voms-proxy-init command. The information is then signed by the VOMS server and inserted in the proxy's AC; resources can parse it and assign the user the expected rights.
Syntax
The group/role request is made by appending the request to the --voms option of voms-proxy-init:
voms-proxy-init --voms YourVO:/YourVO/Desired-Group in case of group request;
voms-proxy-init --voms YourVO:/YourVO/Role=Desired-Role in case of role request;
voms-proxy-init --voms YourVO:/YourVO/Desired-Group/Role=Desired-Role in case of mixed (group + role) request.
Let's make this clear with some examples.
Group request
Suppose you want to create a VOMS proxy for the planck VO, requesting membership of the dbusers/world group.
[morgan@grid003 morgan]$ voms-proxy-init --voms planck:/planck/dbusers/world
Enter GRID pass phrase:
Your identity: /C=IT/O=INFN/OU=Personal Certificate/L=INAF Trieste/CN=Giuliano Taffoni
Creating temporary proxy ........................................... Done
Contacting voms.cnaf.infn.it:15002 [/C=IT/O=INFN/OU=Host/L=CNAF/CN=voms.cnaf.infn.it] "planck" Done
Creating proxy ......................................... Done
Your proxy is valid until Thu Aug 14 00:55:57 2008
Of course this would not work if you do not belong to the planck VO or to the dbusers/world group.
You can verify that the command has run successfully with
[morgan@grid003 morgan]$ voms-proxy-info --fqan
/planck/dbusers/world/Role=NULL/Capability=NULL
/planck/Role=NULL/Capability=NULL
/planck/dbusers/Role=NULL/Capability=NULL
/planck/dbusers/world/select/Role=NULL/Capability=NULL
/planck/dbusers/demo/Role=NULL/Capability=NULL
/planck/dbusers/demo/select/Role=NULL/Capability=NULL
/planck/dbusers/demo/insert/Role=NULL/Capability=NULL
/planck/dbusers/world/insert/Role=NULL/Capability=NULL
Note that the active (requested) role/group is printed first.
Role request
If you belong to the planck VO and want the Role root within your proxy, you just have to run
voms-proxy-init --voms planck:/planck/Role=root
[morgan@grid003 morgan]$ voms-proxy-init --voms planck:/planck/Role=root
Enter GRID pass phrase:
Your identity: /C=IT/O=INFN/OU=Personal Certificate/L=INAF Trieste/CN=Giuliano Taffoni
Creating temporary proxy ....................................... Done
Contacting voms.cnaf.infn.it:15002 [/C=IT/O=INFN/OU=Host/L=CNAF/CN=voms.cnaf.infn.it] "planck" Done
Creating proxy ................................................. Done
Your proxy is valid until Thu Aug 14 01:04:56 2008
Group + Role
You may have noticed that, both when requesting a Role and when requesting a group membership, the part you append always starts with /planck: that is because the group named after the VO is the default group to which all VO members belong; even though it is the default, it must always be specified. As a consequence, the requests
/planck/Role=root
and
/planck/dbusers/world/Role=root
are different, as you can verify by executing them and comparing the first attribute inserted in the resulting VOMS proxies. In the former you are requesting the Role within the default group, while in the latter you are requesting the Role within the group dbusers/world.
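The resource-side view of the attributes discussed in this section, as an added example that is not part of the tutorial: it parses a FQAN list taken from the voms-proxy-info --fqan output above, treats the first FQAN as the active one (as noted under "Group request"), and checks a group/role request against it the way a Grid service would before granting rights. The local account names it maps to are invented for the example.

```shell
#!/bin/sh
# Added example (not from the tutorial): a resource-side check on the FQANs a
# VOMS proxy carries, modelled on what a Grid service does when it maps proxy
# attributes to local rights. Runs offline on a FQAN list taken from the
# tutorial's "voms-proxy-info --fqan" output; the account names are invented.

# FQAN list printed after "voms-proxy-init --voms planck:/planck/dbusers/world"
# (constructed from the tutorial; the requested group comes first).
SAMPLE_FQANS='/planck/dbusers/world/Role=NULL/Capability=NULL
/planck/Role=NULL/Capability=NULL
/planck/dbusers/Role=NULL/Capability=NULL
/planck/dbusers/world/select/Role=NULL/Capability=NULL'

# The active (primary) FQAN is the first one, which is why the tutorial notes
# that the requested group/role is printed first.
primary_fqan() { printf '%s\n' "$1" | head -n 1; }

# Split "/vo/group/Role=r/Capability=c" into group path and role; a missing
# role is reported as NULL, the way voms-proxy-info prints it.
fqan_group() { printf '%s\n' "$1" | sed 's|/Role=.*||'; }
fqan_role()  {
    r=$(printf '%s\n' "$1" | sed -n 's|.*/Role=\([^/]*\).*|\1|p')
    printf '%s\n' "${r:-NULL}"
}

# authorize FQANS GROUP [ROLE]: succeed only if the proxy holds GROUP and, when
# ROLE is given, holds ROLE *in that group*. This is the tutorial's point:
# /planck/Role=root grants root in the default group /planck, not in
# /planck/dbusers/world, which needs /planck/dbusers/world/Role=root.
authorize() {
    fqans=$1; want_group=$2; want_role=${3:-NULL}
    for fqan in $fqans; do      # FQANs contain no blanks, so word splitting is safe
        if [ "$(fqan_group "$fqan")" = "$want_group" ] &&
           [ "$(fqan_role "$fqan")" = "$want_role" ]; then
            return 0
        fi
    done
    return 1
}

# local_account FQANS: map the primary FQAN to a local (pool) account, as a
# grid-mapfile does. The first match wins, so order the patterns from the most
# specific down to bare VO membership. Account names are made up here.
local_account() {
    case "$(primary_fqan "$1")" in
        /planck/Role=root/*)     echo planckadm ;;
        /planck/dbusers/world/*) echo planckdb  ;;
        /planck/*)               echo planck001 ;;
        *)                       return 1 ;;   # not a planck member: no mapping
    esac
}
```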
The use of MyProxy
MyProxy is open source software for managing X.509 security credentials (certificates and private keys).
MyProxy combines an online credential repository with an online certificate authority to allow users to securely obtain credentials when and where needed.
Here we present the steps needed to create and test a second-level proxy (delegation) using a MyProxy server.
Register a long-lived proxy in the MyProxy server server.myproxy.fqhn
This step allows you to create and store a long-term proxy certificate:
[morgan@localhost ~]$ myproxy-init --voms planck
Enter GRID pass phrase:
Your identity: /C=IT/O=INFN/OU=Personal Certificate/L=INAF Trieste/CN=Giuliano Taffoni
Creating temporary proxy .................................... Done
Contacting voms.cnaf.infn.it:15002 [/C=IT/O=INFN/OU=Host/L=CNAF/CN=voms.cnaf.infn.it] "planck" Done
Proxy Verify OK
Your proxy is valid until: Mon Aug 25 12:37:17 2008
Enter MyProxy pass phrase:
Verifying - Enter MyProxy pass phrase:
A proxy valid for 168 hours (7.0 days) for user morgan now exists on server.myproxy.fqhn.
The -s option allows you to specify the name of the MyProxy server you want to contact (for example the myproxy.cnaf.infn.it server that appears in the sessions below).
By default the client stores the credential under the Unix username of the user, protected by a pass phrase selected by the user (we suggest using a strong pass phrase). It is, however, possible to modify this behaviour: the -l option allows you to create and store a long-term proxy under a username specified by the user, while the -d option allows you to create and store a long-term proxy under the user's DN.
Each user can create and store several proxies in a MyProxy server, but each remote proxy is linked to the specified username. Alternatively, it is possible to store different credentials associated with the same user by specifying a credential name (-k option).
[morgan@localhost ~]$ myproxy-init --voms planck -k another
Your identity: /C=IT/O=INFN/OU=Personal Certificate/L=INAF Trieste/CN=Giuliano Taffoni
Enter GRID pass phrase:
Your identity: /C=IT/O=INFN/OU=Personal Certificate/L=INAF Trieste/CN=Giuliano Taffoni
Creating temporary proxy .................................... Done
Contacting voms.cnaf.infn.it:15002 [/C=IT/O=INFN/OU=Host/L=CNAF/CN=voms.cnaf.infn.it] "planck" Done
Proxy Verify OK
Your proxy is valid until: Mon Aug 25 12:51:56 2008
A proxy valid for 168 hours (7.0 days) for user morgan now exists on myproxy.cnaf.infn.it.
Gather information about the proxy in the MyProxy server:
Once your second-level proxy has been created on a MyProxy server, you can gather information on it using the myproxy-info command:
[morgan@localhost ~]$ myproxy-info
username: morgan
owner: /C=IT/O=INFN/OU=Personal Certificate/L=INAF Trieste/CN=Giuliano Taffoni
timeleft: 167:45:15 (7.0 days)
owner: /C=IT/O=INFN/OU=Personal Certificate/L=INAF Trieste/CN=Giuliano Taffoni
name: another
timeleft: 167:59:54 (7.0 days)
If the credentials were initialized with the -d switch, you also have to specify it when using myproxy-info:
[morgan@localhost ~]$ myproxy-info -d
username: /C=IT/O=INFN/OU=Personal Certificate/L=INAF Trieste/CN=Giuliano Taffoni
owner: /C=IT/O=INFN/OU=Personal Certificate/L=INAF Trieste/CN=Giuliano Taffoni
timeleft: 167:57:12 (7.0 days)
Note that if you have stored your credential under a different name (as set with -l when storing it) you have to use the -l option here as well.
Get a delegated proxy from the MyProxy server
This step allows you to get a proxy from the MyProxy server.
Destroy the proxy on the local machine and verify that it no longer exists:
[morgan@localhost ~]$ voms-proxy-destroy
[morgan@localhost ~]$ voms-proxy-info
Couldn't find a valid proxy.
Now there is no local proxy on your UI (virtual or real).
With myproxy-logon it is possible to get a proxy from the MyProxy server. First, though, we store a few more credentials on the server with different renewal policies:
[morgan@localhost ~]$ myproxy-init -k renew -A
Your identity: /C=IT/O=INFN/OU=Personal Certificate/L=INAF Trieste/CN=Giuliano Taffoni
Enter GRID pass phrase:
Your identity: /C=IT/O=INFN/OU=Personal Certificate/L=INAF Trieste/CN=Giuliano Taffoni
Creating temporary proxy .................................... Done
Contacting voms.cnaf.infn.it:15002 [/C=IT/O=INFN/OU=Host/L=CNAF/CN=voms.cnaf.infn.it] "planck" Done
Proxy Verify OK
Your proxy is valid until: Mon Aug 25 13:03:01 2008
A proxy valid for 168 hours (7.0 days) for user morgan now exists on myproxy.cnaf.infn.it.
[morgan@localhost ~]$ myproxy-info
username: morgan
owner: /C=IT/O=INFN/OU=Personal Certificate/L=INAF Trieste/CN=Giuliano Taffoni
timeleft: 167:58:00 (7.0 days)
owner: /C=IT/O=INFN/OU=Personal Certificate/L=INAF Trieste/CN=Giuliano Taffoni
name: another
timeleft: 167:58:48 (7.0 days)
owner: /C=IT/O=INFN/OU=Personal Certificate/L=INAF Trieste/CN=Giuliano Taffoni
name: renew
renewal policy: *
timeleft: 167:59:49 (7.0 days)
Here I store a new proxy named renew; with the -A option, any client with a valid credential whose subject name matches the stored credential may retrieve a new credential from the MyProxy repository. If I want to restrict access to the credential to a specific client (example.test.it) I can use the -R option.
[morgan@localhost ~]$ myproxy-init -k renew2 -R grid003.oats.inaf.it
Your identity: /C=IT/O=INFN/OU=Personal Certificate/L=INAF Trieste/CN=Giuliano Taffoni
Enter GRID pass phrase:
Your identity: /C=IT/O=INFN/OU=Personal Certificate/L=INAF Trieste/CN=Giuliano Taffoni
Creating temporary proxy .................................... Done
Contacting voms.cnaf.infn.it:15002 [/C=IT/O=INFN/OU=Host/L=CNAF/CN=voms.cnaf.infn.it] "planck" Done
Proxy Verify OK
Your proxy is valid until: Mon Aug 25 13:08:50 2008
A proxy valid for 168 hours (7.0 days) for user morgan now exists on myproxy.cnaf.infn.it.
[morgan@localhost ~]$ myproxy-info
username: morgan
owner: /C=IT/O=INFN/OU=Personal Certificate/L=INAF Trieste/CN=Giuliano Taffoni
timeleft: 167:52:15 (7.0 days)
owner: /C=IT/O=INFN/OU=Personal Certificate/L=INAF Trieste/CN=Giuliano Taffoni
name: another
timeleft: 167:53:03 (7.0 days)
owner: /C=IT/O=INFN/OU=Personal Certificate/L=INAF Trieste/CN=Giuliano Taffoni
name: renew
renewal policy: *
timeleft: 167:54:04 (7.0 days)
owner: /C=IT/O=INFN/OU=Personal Certificate/L=INAF Trieste/CN=Giuliano Taffoni
name: renew2
renewal policy: */CN=grid003.oats.inaf.it
timeleft: 167:59:53 (7.0 days)
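An added example, not from the tutorial, that audits the renewal policies shown in the listing above: it parses myproxy-info output into credential names and policies and reports which stored credentials a given client DN could renew. The listing is the tutorial's own; the host DN used for grid003.oats.inaf.it in the comments and checks is an assumption.

```shell
#!/bin/sh
# Added example (not part of the tutorial): audit the renewal policies of the
# credentials stored on a MyProxy server from a "myproxy-info" listing, and
# check which stored credentials a given client DN could renew. The listing is
# the tutorial's own output; any host DN you test with is constructed.

# Listing taken from the tutorial (after storing renew with -A and renew2 with -R).
SAMPLE_LISTING='username: morgan
owner: /C=IT/O=INFN/OU=Personal Certificate/L=INAF Trieste/CN=Giuliano Taffoni
timeleft: 167:52:15 (7.0 days)
owner: /C=IT/O=INFN/OU=Personal Certificate/L=INAF Trieste/CN=Giuliano Taffoni
name: another
timeleft: 167:53:03 (7.0 days)
owner: /C=IT/O=INFN/OU=Personal Certificate/L=INAF Trieste/CN=Giuliano Taffoni
name: renew
renewal policy: *
timeleft: 167:54:04 (7.0 days)
owner: /C=IT/O=INFN/OU=Personal Certificate/L=INAF Trieste/CN=Giuliano Taffoni
name: renew2
renewal policy: */CN=grid003.oats.inaf.it
timeleft: 167:59:53 (7.0 days)'

# list_renewal_policies LISTING: print "name<TAB>policy" for each stored
# credential; the unnamed one is reported as "default" and a credential with
# no renewal policy (neither -A nor -R was given) as "-".
list_renewal_policies() {
    printf '%s\n' "$1" | awk '
        function flush() {
            if (seen) printf "%s\t%s\n", name, policy
            seen = 0; name = "default"; policy = "-"
        }
        BEGIN              { flush() }
        /^owner:/          { flush(); seen = 1 }
        /^name:/           { name = $2 }
        /^renewal policy:/ { policy = $3 }
        END                { flush() }'
}

# policy_allows POLICY DN: myproxy-info shows the policy as a DN pattern in
# which "*" stands for any string (the -R host above became */CN=host), so a
# bare "*" admits any authenticated DN while "*/CN=host" admits only a
# certificate whose DN ends in that CN.
policy_allows() {
    policy=$1; dn=$2
    [ "$policy" != "-" ] || return 1       # no policy stored: renewal is disabled
    case "$dn" in
        $policy) return 0 ;;               # unquoted on purpose: "*" must act as a glob
        *)       return 1 ;;
    esac
}

# renewable_by LISTING DN: names of the stored credentials that DN could renew.
renewable_by() {
    list_renewal_policies "$1" | while IFS="$(printf '\t')" read -r name policy; do
        if policy_allows "$policy" "$2"; then echo "$name"; fi
    done
}
```

Whether the renewer must additionally present the expired proxy it wants renewed is a check the MyProxy server performs itself and is not modelled here.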
Get the credentials with the command myproxy-logon:
[morgan@localhost ~]$ myproxy-logon -k renew
Enter MyProxy pass phrase:
A credential has been received for user morgan in /tmp/x509up_u500.
Check the new credential:
[morgan@localhost ~]$ voms-proxy-info
subject : /C=IT/O=INFN/OU=Personal Certificate/L=INAF Trieste/CN=Giuliano Taffoni/CN=proxy
issuer : /C=IT/O=INFN/OU=Personal Certificate/L=INAF Trieste/CN=Giuliano Taffoni
identity : /C=IT/O=INFN/OU=Personal Certificate/L=INAF Trieste/CN=Giuliano Taffoni
type : proxy
strength : 512 bits
path : /tmp/x509up_u500
timeleft : 11:59:55
Destroy remote proxy
Finally, you can destroy your remote proxy
[morgan@localhost ~]$ myproxy-destroy
Default MyProxy credential for user morgan was successfully removed.
[morgan@localhost ~]$ myproxy-info
username: morgan
owner: /C=IT/O=INFN/OU=Personal Certificate/L=INAF Trieste/CN=Giuliano Taffoni
name: renew
timeleft: 167:49:32 (7.0 days)
owner: /C=IT/O=INFN/OU=Personal Certificate/L=INAF Trieste/CN=Giuliano Taffoni
name: renew2
renewal policy: *
timeleft: 167:52:15 (7.0 days)
This destroyed only the default credential. To delete the others as well you must specify their names:
[morgan@localhost ~]$ myproxy-destroy -k renew
MyProxy credential 'renew' for user morgan was successfully removed.
[morgan@localhost ~]$ myproxy-destroy -k renew2
MyProxy credential 'renew2' for user morgan was successfully removed.
[morgan@localhost ~]$ myproxy-info
ERROR from myproxy-server (myproxy.cnaf.infn.it):
Credentials do not exist
no credentials found for user morgan, owner "/C=IT/O=INFN/OU=Personal Certificate/L=INAF Trieste/CN=Giuliano Taffoni"
Bugs
On MyProxy MYPROXYv2 (v4.2 10 Jan 2008 PAM OCSP) there is a known bug concerning the use of the --voms option: myproxy-init calls voms-proxy-init with an option it does not recognize.
[morgan@localhost ~]$ myproxy-init --voms planck
voms-proxy-init: unrecognized option `-old'
voms-proxy-init:
Options
-help, -usage Displays usage
-version Displays version
-debug Enables extra debug output
-quiet, -q Quiet mode, minimal output
-verify Verifies certificate to make proxy for
-pwstdin Allows passphrase from stdin
-limited Creates a limited proxy
-valid Proxy and AC are valid for h hours and m minutes
(defaults to 12:00)
-hours H Proxy is valid for H hours (default:12)
-bits Number of bits in key {512|1024|2048|4096}
-cert Non-standard location of user certificate
-key Non-standard location of user key
-certdir Non-standard location of trusted cert dir
-out Non-standard location of new proxy cert
-voms > Specify voms server. :command is optional,
and is used to ask for specific attributes
(e.g: roles)
-order > Specify ordering of attributes.
-target Targets the AC against a specific hostname.
-vomslife Try to get a VOMS pseudocert valid for h hours
and m minutes (default to value of -valid).
-include Include the contents of the specified file.
-conf Read options from .
-confile Non-standard location of voms server addresses. Deprecated
-userconf Non-standard location of user-defined voms server addresses. Deprecated
-vomses Non-standard location of configuration files.
-policy File containing policy to store in the ProxyCertInfo extension.
-pl, -policy-language OID string for the policy language.
-policy-language OID string for the policy language.
-path-length Allow a chain of at most l proxies to be generated from this ones.
-globus Globus version. (MajorMinor)
-proxyver Version of proxy certificate.
-noregen Use existing proxy certificate to connect to server and sign the new proxy.
-separate Saves the informations returned by the server on file .
-ignorewarn Ignore warnings.
-failonwarn Treat warnings as errors.
-list Show all available attributes.
-rfc Creates RFC 3820 compliant proxy (synonymous with -proxyver 4)
Error authenticating: GSS Major Status: General failure
GSS Minor Status Error Chain:
globus_gsi_gssapi: Error with GSI credential
globus_gsi_gssapi: Error with gss credential handle
globus_credential: Valid credentials could not be found in any of the poss
[...]
You can work around the bug with a different procedure for storing the credentials: first create the VOMS proxy yourself with voms-proxy-init, then pass that proxy to myproxy-init as both certificate and key (--certfile and --keyfile):
[morgan@localhost ~]$ voms-proxy-init --voms planck -proxyver 2 -hours 168 -debug
Detected Globus version: 22
Number of bits in key :512
Using configuration file /home/morgan/.glite/vomses
Using configuration file /opt/glite/etc/vomses
Cannot find file or dir: /home/morgan/.glite/vomses
Files being used:
CA certificate file: none
Trusted certificates directory : /etc/grid-security/certificates
Proxy certificate file : /tmp/x509up_u500
User certificate file: /home/morgan/.globus/usercert.pem
User key file: /home/morgan/.globus/userkey.pem
Output to /tmp/x509up_u500
Enter GRID pass phrase:
Your identity: /C=IT/O=INFN/OU=Personal Certificate/L=INAF Trieste/CN=Giuliano Taffoni
Using configuration file /home/morgan/.glite/vomses
Using configuration file /home/morgan/.glite/vomses
Using configuration file /opt/glite/etc/vomses
Using configuration file /opt/glite/etc/vomses
Using configuration file /home/morgan/.glite/vomses
Using configuration file /opt/glite/etc/vomses
Creating temporary proxy to /tmp/tmp_x509up_u500_16682 ..............++++++++++++
.................++++++++++++
Done
Contacting voms.cnaf.infn.it:15002 [/C=IT/O=INFN/OU=Host/L=CNAF/CN=voms.cnaf.infn.it] "planck" Done
Creating proxy to /tmp/x509up_u500 .........++++++++++++
.....................++++++++++++
Done
Your proxy is valid until Mon Aug 25 13:56:03 2008
[morgan@localhost ~]$ myproxy-init --verbose --certfile /tmp/x509up_u500 --keyfile /tmp/x509up_u500 -c 0
MyProxy v4.2 10 Jan 2008 PAM OCSP
Socket bound to port 20000.
Attempting to connect to 131.154.100.157:7512
User Cert File: /tmp/x509up_u500
User Key File: /tmp/x509up_u500
Trusted CA Cert Dir: /etc/grid-security/certificates
Output File: /tmp/myproxy-proxy.500.16727
Your identity: /C=IT/O=INFN/OU=Personal Certificate/L=INAF Trieste/CN=Giuliano Taffoni/CN=proxy
Creating proxy ..++++++
..................++++++
Done
Proxy Verify OK
Your proxy is valid until: Mon Aug 25 13:56:03 2008
using trusted certificates directory /etc/grid-security/certificates
server name: /C=IT/O=INFN/OU=Host/L=CNAF/CN=myproxy.cnaf.infn.it
checking that server name is acceptable...
server name does not match "myproxy@myproxy.cnaf.infn.it"
server name matches "host@myproxy.cnaf.infn.it"
authenticated server name is acceptable
Enter MyProxy pass phrase:
Verifying - Enter MyProxy pass phrase:
A proxy valid for 167 hours (7.0 days) for user morgan now exists on myproxy.cnaf.infn.it.
--
TaffoniGiuliano - 13 Aug 2008