Difference between revisions of "Grid certificates"

From SNIC Documentation
(Only swestore cert auth needs cert)
(Swestore documentation moved)
(Tag: New redirect)
 
(9 intermediate revisions by 2 users not shown)
[[Category:Grid computing]]
#REDIRECT[[Swestore Documentation Moved]]
[[Category:SweGrid user guide]]
 
[[Category:Swestore]]
 
[[Category:Swestore user guide]]
 
[[Getting started with SweGrid|< Getting started with SweGrid]]<br>
 
[[Swestore|< Swestore]]
 
 
 
= Introduction =
 
 
 
To access [[Swestore]] using certificate authentication, or to access grid resources, a valid eScience client certificate is required. A certificate is similar to an electronic key card in real life: in the same way that you must swipe a key card in the lock/reader, the application you are using must present a certificate. Not having a certificate is similar to not having a key card; entering the PIN code alone is usually not enough.
 
 
 
Keep your certificate safe, just like a physical key or key card. Store it in a safe place, using a secure credential store, browser master password, private directories and file permissions as appropriate.
 
 
 
Most importantly, always use a unique passphrase to protect certificates whenever possible.
 
 
 
= Requesting a certificate =
 
 
 
Certificates are issued by a Certificate Authority, or CA. The certificate needed for accessing Swestore or other grid resources should be of the ''eScience Personal'' or ''Grid Premium'' type; not all CAs are certified by [http://www.igtf.net/ The International Grid Trust Federation] to issue these.
 
 
 
For users residing in the Nordics there are two relevant CAs that can issue grid/eScience/e-Science certificates: ''Digicert'' and ''Nordugrid''. The Digicert CA is preferred if it is available for your university or research group, but some institutions have not enabled this service yet. The Nordugrid CA can also be used, but it requires more manual work from all parties.
 
 
 
 
 
Recommended procedure for each university:
 
 
 
{| class="wikitable"
 
!style="text-align:left;"|University
 
! Recommended CA
 
! Specific instructions
 
|-
 
| Chalmers University of Technology (CTH)
 
| Digicert
 
| https://www.c3se.chalmers.se/documentation/personal_certificates/
 
|-
 
| University of Gothenburg (GU)
 
| NorduGrid
 
| [[GU_Certificate_Instructions|more...]]
 
|-
 
| Karolinska Institutet (KI)
 
| Digicert
 
| https://internwebben.ki.se/sv/personliga-certifikat
 
|-
 
| KTH Royal Institute of Technology (KTH)
 
| Digicert
 
| [[KTH_Certificate_Information|more...]]
 
|-
 
| Linköping University (LiU)
 
| Digicert
 
| http://liu.se/insidan/it/irt/personliga-certifikat
 
|-
 
| Luleå University of Technology (LTU)
 
| NorduGrid
 
| [[Requesting_a_grid_certificate_from_the_Nordugrid_CA|Nordugrid CA]]
 
|-
 
| Lund University (LU)
 
| Digicert
 
| http://www.ldc.lu.se/tjanster/it-sakerhet/certifikat
 
|-
 
| Sveriges Lantbruksuniversitet (SLU)
 
| Digicert
 
| [[Requesting_a_grid_certificate_using_the_Digicert_SSO_Portal|Digicert]]
 
|-
 
| Stockholm University (SU)
 
| Digicert
 
| [[SU_Certificate_Information|more...]]
 
|-
 
| Umeå University (UmU)
 
| Digicert
 
| [[UmU_Certificate_Information|more...]]
 
|-
 
| University of Borås (UB)
 
| Digicert
 
| [[Requesting_a_grid_certificate_using_the_Digicert_SSO_Portal|Digicert]]
 
|-
 
| Uppsala University (UU)
 
| Digicert
 
| [[UU_Certificate_Instructions|more...]]
 
|-
 
|}
 
 
 
 
 
[[Requesting a grid certificate using the Digicert SSO Portal|Instructions for the Digicert CA]]
 
 
 
[[Requesting a grid certificate from the Nordugrid CA|Instructions for the NorduGrid CA (use this only if Digicert isn't available at your site)]]
 
 
 
An eScience certificate is valid for 13 months and thus needs to be renewed yearly.
 
 
 
= Proxy certificates =
 
 
 
Authentication to Swestore can be done using your client certificate directly (as your web browser does). On the command line, however, it is good practice to use a special short-lived ''proxy'' certificate. When using other grid resources you must use proxy certificates or similar mechanisms.
 
 
 
A proxy certificate is basically a new short-lived certificate that you issue yourself and then sign with your regular certificate (or rather, with its private key). If you lose this proxy certificate it will expire shortly and then be useless to an attacker. In many grid applications you upload your proxy certificate to the grid resource (for example, the compute element might need your credentials to access a storage element as you), and if it is stolen it can be used to authenticate as you on all resources you have access to, until it expires.
 
 
 
There are several tools available for creating, checking and destroying these proxy certificates.
 
The examples below demonstrate the '''arcproxy''' command from the ARC software suite. Another common tool is '''grid-proxy-init''' from the Globus packages.
 
 
== Creating a proxy certificate ==
 
 
 
This example requires that the certificate is available for use with grid tools. This is the default with '''Nordugrid certificates''', although you might need to transfer the certificate to the resource where you are using the grid tools.
 
 
 
For '''Digicert certificates''' you must first [[Exporting_a_client_certificate|export the certificate]], transfer it to the resource where you are using the grid tools if needed and [[Preparing_a_client_certificate|prepare it for use with grid tools]].
 
ARC can use the Firefox certificate store directly, as described in the next section.
 
 
 
To create a short lived proxy that can be used for authentication with grid services, the '''arcproxy''' command can be used. A 12 hour (default) proxy is created in the following example:
 
 
 
<pre>
$ arcproxy
Your identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Kalle Kula
Enter pass phrase for /home/kalle/.globus/userkey.pem:
.++++++
.....++++++
Proxy generation succeeded
Your proxy is valid until: 2016-03-11 03:00:14
</pre>
 
 
 
The proxy file itself is created in the '''/tmp''' directory with a name of the form '''x509up_uUID''', where UID is the numeric user id of your account (for example '''/tmp/x509up_u500''' for uid 500).
 
 
 
In some cases a longer-lived proxy is needed. This is achieved with the '''--constraint''' switch. A 24-hour proxy can be created by issuing the following command:
 
 
 
<pre>
$ arcproxy --constraint="validityPeriod=24H"
Your identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Kalle Kula
Enter pass phrase for /home/kalle/.globus/userkey.pem:
....++++++
.....++++++
Proxy generation succeeded
Your proxy is valid until: 2011-03-11 15:03:19
</pre>
 
 
 
== Creating a proxy certificate using the Firefox/Thunderbird credential store ==
 
 
 
Using the ARC client tools it is possible to generate a proxy certificate directly from the Firefox or Thunderbird credential stores. To do this the '''-F''' flag is used as shown in the following example:
 
 
 
<pre>
$ arcproxy -F
There are 2 NSS base directories where the certificate, key, and module datbases live
Number 1 is: /Users/lindemann/Library/Application Support/Firefox/Profiles/t22f3aj2.default
Number 2 is: /Users/lindemann/Library/Thunderbird/Profiles/7abb733v.default
Please choose the NSS database you would use (1-2): 1
</pre>
 
 
 
Here ARC finds the available Firefox and Thunderbird profiles that contain credential stores. Next, the passphrase for the chosen credential store is used to unlock the stored credentials:
 
 
 
<pre>
NSS database to be accessed: /Users/lindemann/Library/Application Support/Firefox/Profiles/t22f3aj2.default
Enter Password or Pin for "internal (software)":
</pre>
 
 
 
If the passphrase was correct, ARC lists the available certificates in the credential store and asks which one you would like to use.
 
 
 
<pre>
There are 2 user certificates existing in the NSS database
Number 1 is with nickname: Jonas Lindemann xxxxx@lu.se's TERENA ID (Jonas Lindemann xxxxx@lu.se)
    expiration time: 2013-06-04 01:59:59
Number 2 is with nickname: Imported Certificate (Jonas Lindemann)
    expiration time: 2014-01-18 16:55:52
Please choose the one you would use (1-2): 1
Certificate to use is: Jonas Lindemann xxxxxx@lu.se's TERENA ID
Proxy generation succeeded
Your proxy is valid until: 2013-05-01 04:11:37
</pre>
 
 
 
== Checking proxy lifetime ==
 
 
 
The remaining lifetime of a proxy certificate can be checked using the '''arcproxy''' command with the '''--info''' switch.
 
 
 
<pre>
$ arcproxy --info
Subject: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Kalle Kula/CN=1567862803
Identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Kalle Kula
Time left for proxy: 11 hours 55 minutes
Proxy path: /tmp/x509up_u500
Proxy type: X.509 Proxy Certificate Profile RFC compliant restricted proxy
</pre>
 
 
 
In this example the proxy certificate is valid for 11 hours 55 minutes more.
 
 
 
== Destroying a proxy certificate ==
 
 
 
A proxy can be destroyed with the '''-r''' or '''--remove''' switch.
 
 
 
<pre>
$ arcproxy -r
</pre>

or

<pre>
$ arcproxy --remove
</pre>
 
 
 
= Requesting membership in the SweGrid VO =
 
 
 
'''This was previously needed for Swestore, but Swestore users are now managed in the [https://supr.snic.se SUPR] portal.'''
 
== Introduction ==
 
 
 
SweGrid resources are allocated to VOs (virtual organizations) rather than to individual users. A VO is basically just a list of users. To be able to use a SweGrid resource, membership in the SweGrid VO and in a corresponding subgroup is required.
 
 
 
== Preparations ==
 
 
 
To apply for membership, make sure that the NorduGrid root CA 2015 certificate and your personal certificate are installed in the browser.
 
 
 
The NorduGrid CA certificate can be installed by clicking on the following link:
 
 
 
[http://ca.nordugrid.org/NorduGrid-2015.crt http://ca.nordugrid.org/NorduGrid-2015.crt]
 
 
 
Make sure you check the "Trust this CA to identify web sites." boxes in the dialog shown.
 
 
 
 
 
[[File:certinstall.png]]
 
 
 
== Step 1 - Apply for VO membership ==
 
 
 
When the NorduGrid CA certificate has been installed in the browser, go to the following URL:
 
 
 
[https://voms.ndgf.org:8443/voms/swegrid.se https://voms.ndgf.org:8443/voms/swegrid.se]
 
 
 
and follow the instructions. After a manual review, normally within a couple of hours, you will be added to the SweGrid VO.
 
 
 
== Step 2 - Request group membership ==
 
 
 
After being added to the Swegrid VO you need to be added to the correct project/allocation group to use that allocation. Use the '''Request membership''' function in the '''Your groups and roles section''' of your VOMS homepage at https://voms.ndgf.org:8443/voms/swegrid.se/user/home.action as shown in the following screenshot, selecting the project in the dropdown box and clicking the '''Request membership''' button. No further actions need to be taken on that page after requesting the membership.
 
 
 
[[File:request-vo-membership.png]]
 
 
 
The request is handled manually, usually within a few hours. Allow for a couple more hours for the membership to propagate to Swestore.
 
 
 
== If it doesn't work ==
 
 
 
If things don't work for some reason, contact SweGrid support at [mailto:support@swegrid.se support@swegrid.se] or Swestore support at [mailto:support@swestore.se support@swestore.se] as appropriate.
 
 
 
= More information =
 
 
 
A certificate consists of a public key, some user information and the signature of the CA. In addition to the certificate you have a corresponding private key. The private key is secret and should be kept as secure as possible.
 
 
 
The grid certificate and private key are stored in your web browser and/or in your home directory on the host from which you will be accessing the resource. Standard file names are:

<pre>
~/.globus/usercert.pem
~/.globus/userkey.pem
</pre>
 
 
 
The certificate contains your public key, your name and organization, and a signature by the CA. It does not contain a username.
 
 
 
The private key should be handled with great care. It should only be readable by you and not by the group or others (i.e. '''chmod 400 userkey.pem'''). Store the key only on trusted computers and transfer it between computers using an encrypted channel (for example scp).
 
 
 
On shared file systems make sure that ~/.globus is not readable by everybody:

<pre>
chmod 700 ~/.globus
</pre>

and on AFS:

<pre>
fs sa ~/.globus system:anyuser none
</pre>
 
 
 
The private key should be encrypted using a passphrase. Anyone that can decrypt the private key will be able to authenticate as you to grid resources. This is similar to the private key in SSH. You must choose a strong passphrase for the private key. This passphrase must not be used anywhere else. You must never ever give away or share the certificate, passphrase or the unencrypted key to someone else.
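The hygiene rules above (owner-only permissions on ~/.globus and userkey.pem, a passphrase-protected key, and a proxy file in /tmp that is just as usable by a thief until it expires) can be audited with a short script. The following is an added example written for this page, not a SNIC or ARC tool: it uses only POSIX sh, ls, cut and grep, and it treats the word ENCRYPTED in the PEM header as the sign of a passphrase-protected key (both the traditional "Proc-Type: 4,ENCRYPTED" header and the PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY" banner carry it). The function names and the directory layout it expects are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the SNIC page or any SNIC/ARC tool: audit the
# storage of grid credentials as the text above recommends. Only POSIX sh,
# ls, cut and grep are used. All paths are whatever the caller passes in.

# group_other_bits PATH -> the group+other part of the ls mode string,
# e.g. "------" for mode 700 or 600, "r--r--" for 644.
group_other_bits() {
    ls -ld "$1" | cut -c5-10
}

# check_private PATH LABEL -> 0 if only the owner has any access, else 1.
check_private() {
    bits=$(group_other_bits "$1")
    if [ "$bits" != "------" ]; then
        echo "WARNING: $2 '$1' is accessible by group/others (bits: $bits)"
        return 1
    fi
    return 0
}

# check_key_encrypted PATH -> 0 if the PEM private key is passphrase
# protected. Both the traditional "Proc-Type: 4,ENCRYPTED" header and the
# PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY" banner contain the word ENCRYPTED.
check_key_encrypted() {
    if grep -q 'ENCRYPTED' "$1"; then
        return 0
    fi
    echo "WARNING: private key '$1' is stored without a passphrase"
    return 1
}

# audit_globus_dir DIR [PROXY] -> returns the number of problems found
# (0 means everything is in order). DIR is your ~/.globus; PROXY is the
# optional /tmp/x509up_uUID proxy file, which holds a usable credential
# until it expires and must therefore be private too.
audit_globus_dir() {
    dir=$1
    proxy=$2
    problems=0
    check_private "$dir" "credential directory" || problems=$((problems + 1))
    if [ -f "$dir/userkey.pem" ]; then
        check_private "$dir/userkey.pem" "private key" || problems=$((problems + 1))
        check_key_encrypted "$dir/userkey.pem" || problems=$((problems + 1))
    else
        echo "WARNING: no userkey.pem in '$dir'"
        problems=$((problems + 1))
    fi
    if [ ! -f "$dir/usercert.pem" ]; then
        echo "WARNING: no usercert.pem in '$dir'"
        problems=$((problems + 1))
    fi
    if [ -n "$proxy" ] && [ -f "$proxy" ]; then
        check_private "$proxy" "proxy certificate" || problems=$((problems + 1))
    fi
    return "$problems"
}

# Stand-alone use: audit the real ~/.globus and the default proxy file
# for this account (uid taken from `id -u`).
if [ "${1:-}" = "--run" ]; then
    audit_globus_dir "$HOME/.globus" "/tmp/x509up_u$(id -u)"
fi
```

The script only inspects Unix mode bits. On AFS those bits are not what controls access, so the '''fs sa''' command from the text is still needed there; the script does not read AFS ACLs. The certificate file usercert.pem is public material and is only checked for presence.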
 
 
 
For more information regarding certificates and public key cryptography:
 
 
 
* http://en.wikipedia.org/wiki/Public-key_cryptography
 
* http://en.wikipedia.org/wiki/Public_key_certificate
 
* http://www.nordugrid.org/documents/certificate_howto.html
 
 
 
= VOMS proxy certificates =
 
 
 
As long as you are a member of only one VO or VO group, you can authenticate to a grid service with the regular grid proxy certificate described in the previous section. If you are a member of more than one VO or VO group you may want to select which membership you are authenticated with. For example, if you are a member of both ''swegrid.se:/swegrid.se/ops'' (operations staff) and ''swegrid.se:/swegrid.se/bils'' and want to write a file, who should be the owner: ops or bils? You need to provide some additional information. In the grid world this is done with a VOMS proxy certificate, which is basically a regular proxy certificate with a so-called VOMS extension that contains a list of your VO group memberships (and roles and attributes, which are not used in SweGrid/Swestore at the moment).
 
 
 
'''Please note, if you only have one membership you can skip this section!'''
 
 
 
The VOMS extension of the certificate is signed by the virtual organization management server, or VOMS server: the very same VOMS server you used when applying for the swegrid.se VO membership in the first place. To enable this signing process you need to add a few configuration files to your system. First add this line to the file '''~/.arc/vomses''' or '''/etc/vomses''':

<pre>
"swegrid.se" "voms.ndgf.org" "15009" "/O=Grid/O=NorduGrid/CN=host/voms.ndgf.org" "swegrid.se"
</pre>
 
 
 
<strike>
Next create the necessary directories and the file '''/etc/grid-security/vomsdir/swegrid.se/voms.ndgf.org.lsc''' with the following contents:

  /O=Grid/O=NorduGrid/CN=host/voms.ndgf.org
  /O=Grid/O=NorduGrid/CN=NorduGrid Certification Authority 2015
</strike>
 
== Creating a VOMS proxy ==
 
 
 
VOMS proxies in ARC1 can be created using the '''arcproxy''' command with the '''-S''' or '''--voms''' switch, as shown in the following example (for a member of the /swegrid.se/ops group; adjust as necessary):
 
 
 
<pre>
$ arcproxy -S swegrid.se:/swegrid.se/ops
Your identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Kalle Kula
Enter pass phrase for /home/kalle/.globus/userkey.pem:
.....++++++
............++++++
Contacting VOMS server (named swegrid.se): voms.ndgf.org on port: 15009
Proxy generation succeeded
Your proxy is valid until: 2015-12-10 23:33:06
</pre>
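When arcproxy prints "Contacting VOMS server (named swegrid.se): voms.ndgf.org on port: 15009", it has taken the host, the port and the expected server DN from the vomses line you added earlier in this section. The following added example (written for this page, not ARC's own parser) performs the same lookup in POSIX sh and awk: it finds the line whose first quoted field matches the requested alias, checks that the line has exactly five quoted fields and a numeric port, and prints host, port and server DN. The field meaning (alias, host, port, server DN, VO name) is read off the line shown on this page; the sample file used in the test is constructed.

```shell
#!/bin/sh
# Added example, not part of the SNIC page or the ARC client: resolve a
# VO alias from a vomses file to "host port server_dn".
#
# vomses line layout, as shown on this page:
#   "alias" "host" "port" "server DN" "VO name"

# vomses_lookup ALIAS FILE
#   prints "host port server_dn" and returns 0 on success;
#   returns 1 if ALIAS is not found or its line is malformed
#   (wrong number of quoted fields, or a non-numeric port).
vomses_lookup() {
    awk -F'"' -v want="$1" '
        /^[ \t]*(#|$)/ { next }            # skip blank and comment lines
        {
            n = 0
            split("", f)                   # clear the field array
            # With the double quote as separator, the quoted values are
            # the even-numbered fields: $2, $4, $6, ...
            for (i = 2; i <= NF; i += 2) f[++n] = $i
            if (f[1] != want) next
            if (n == 5 && f[3] ~ /^[0-9]+$/) {
                print f[2], f[3], f[4]
                found = 1
            }
            exit                           # first matching alias decides
        }
        END { if (found) exit 0; exit 1 }' "$2"
}

# Stand-alone use: vomses_lookup.sh swegrid.se ~/.arc/vomses
if [ "$#" -eq 2 ]; then
    vomses_lookup "$1" "$2"
fi
```

A malformed or missing entry makes the function fail rather than print a partial answer, which is the behaviour you want from a troubleshooting check: if the lookup fails for the alias you pass to '''arcproxy -S''', the vomses file is the first thing to fix.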
 
 
 
= Signing your e-mail with your certificate =
 
 
 
First, you will need your grid certificate in PKCS12 format:
 
== How to transform your certificate from PEM format into PKCS#12 format ==
 
 
 
This is how you transform your certificate into PKCS12 format so that it can be used in your web browser or email program. First change directory to where you created and keep the certificate; historically this is often '''~/.globus'''.
 
 
<pre>
openssl pkcs12 -export -in usercert.pem -inkey userkey.pem -out cert+key.p12
</pre>
 
 
 
First you will have to enter the passphrase you used for your private key, then you will be asked for a new password to protect the new file. '''cert+key.p12 contains your private key, and is therefore as valuable as userkey.pem'''. See also [[#More information]]. Security-wise, the safest practice is to delete the PKCS12 file after having imported it into your mail client or browser. Don't forget this.
 
 
 
Remark: openssl needs either the variable '''RANDFILE''' to be set or '''~/.rnd''' to be writable. So make sure that the current '''$HOME''' is yours if you have pagsh'ed away; otherwise the command fails with the message "unable to write 'random state'".
 
 
 
 
 
=== Thunderbird ===
 
 
 
Mozilla Thunderbird is a graphical email program available for many platforms. More information at https://www.mozilla.org/thunderbird
 
 
 
 
 
In Thunderbird, navigate to ''Options -> Security -> Digitally sign this message''.
 
 
 
If you do this for the first time and haven't yet defined the certificate to sign with, Thunderbird will open the corresponding preferences (Account Settings / Security), where you can choose between your imported PKCS12 certificates.



Initially, of course, you haven't imported any: on the same preferences tab that opened, click [View Certificates]. In the new window that opens you can import the certificate.
 
 
 
Afterwards you can then choose this certificate to be used for signing and for encryption for this email account.
 
 
 
Don't forget to actually check that you then really sign the corresponding mail.
 
 
 
=== Mew ===
 
 
 
Mew is a mail reader for Emacs. More information at https://www.mew.org/
 
 
 
Mew uses gpgsm.
 
 
 
<pre>
1. Import the NorduGrid root cert

1.1. Get 1f0e8352.0 from the NorduGrid web site

1.2. gpgsm --import 1f0e8352.0

1.3. Make it trusted:
    gpgsm --list-keys 2>/dev/null | grep fingerprint | awk '{print $2 " S"}' | grep THE-FINGERPRINT-YOU-WANT >> .gnupg/trustlist.txt

2. Add your own key, from the cert+key.p12 file in this case

2.1. openssl pkcs12 -in cert+key.p12 -out tmp.pem -nokeys

2.2. gpgsm --import tmp.pem ; rm tmp.pem

2.3. Tell gpgsm not to use revocation lists (bad bad security)
    echo disable-crl-checks >> .gnupg/gpgsm.conf

3. Test
  gpgsm --detach-sign file > sign  # should ask for passphrase and give some kind of sign file

4. Use:
  C-uC-cC-s  then enter your email address (must match email in cert) and passphrase
</pre>
 

Latest revision as of 10:00, 8 February 2023