Getting Started with TeraGrid Authentication

1
Getting Started with TeraGrid Authentication
  • Jeffrey P. Gardner
  • Pittsburgh Supercomputing Center
  • gardnerj@psc.edu

2
Approaches to TeraGrid Use
  • Log in interactively to a login node at a
    TeraGrid site and work from there
  • no client software to install/maintain yourself
  • execute tasks from your interactive session
  • Work from your local workstation and authenticate
    remotely to TeraGrid resources
  • comfort and convenience of working "at home"
  • may have to install/maintain add'l TG software
  • (Eventually we will better support this mode)

3
Traditional Password Authentication
  • Without coordination of authentication between
    sites

[Diagram: Acctx/passwordx, Accty/passwordy, Acctz/passwordz]

4
Certificate-Based Authentication
[Diagram: No Password; passwordk; No Password]

5
User Certificates for TeraGrid
  • Why use certificates for authentication?
  • Facilitates Single Sign-On
  • enter your pass-phrase only once per session,
    regardless of how many systems and services that
    you access on the Grid during that session
  • one pass-phrase to remember (to protect your
    private key), instead of one for each system
  • Widespread Use and Acceptance
  • certificate-based authentication is standard for
    modern Web commerce and secure services

6
New TeraGrid Account TODO List
  • Use Secure Shell (SSH) to log into a TeraGrid
    site
  • Change your Password (WE'RE SKIPPING THIS STEP
    TODAY)
  • Obtain a TeraGrid-acceptable User Certificate,
    and install it in your home directory (assuming
    you do not already have one)
  • Register your User Certificate in Globus
    grid-mapfile on TeraGrid systems
  • Test your User Certificate for Remote
    Authentication

7
1. SSH to a TeraGrid Site
  • ssh userid@tg-login1.ncsa.teragrid.org
    (Enter the password provided when prompted to do so)
  • STOP and await further instructions...

8
2a. Change your Account Password
WE'RE SKIPPING THIS STEP TODAY
  • Good Password Selection Rules Apply
  • Do not use words that could be in any dictionary,
    including common or trendy misspellings of words
  • Pick something easy for you to remember, but
    impossible for others to guess
  • Pick something that you can learn to type
    quickly, using many different fingers
  • Combine letters, digits, punctuation symbols and
    capitalization
  • Never use the same password for two different
    systems, nor for two different accounts
  • If you must write your password down, do so away
    from prying eyes and lock it securely away!

9
2b. Change your Account Password
WE'RE SKIPPING THIS STEP TODAY
  • Means for changing local passwords vary among
    systems
  • Local password on Linux and similar operating
    systems: passwd
  • Kerberos environments (NCSA, PSC): kpasswd
  • Systems managed using NIS: yppasswd
  • See site documentation for correct method:
    http://www.teragrid.org/docs/

10
3a. User Certificate Request
  • For this exercise, we will execute a command-line
    program to request a new TeraGrid User
    Certificate from the NCSA CA
  • TeraGrid User Cert instructions (has links to
    instructions for all TG sites):
    http://teragrid.org/userinfo/guide_access_auth_setup.html
  • NCSA CA User Cert instructions:
    http://www.ncsa.uiuc.edu/UserInfo/Grid/Security/GetUserCert.html

11
3c. User Certificate Request
  • Execute the NCSA CA User Certificate request
    script
  • > ncsa-cert-request
    (use your new password again to authenticate)
  • STOP and await further instructions...

NCSA Kerberos
12
3d. User Certificate Request
  • When prompted, enter a Pass-phrase for your new
    certificate (and a second time to verify)
  • A Pass-phrase may be a sentence with spaces
  • Make it as long as you care to type "in the dark"
  • Good password selection rules apply
  • Write your pass-phrase down but store it
    securely!
  • Never allow your passphrase to be discovered by
    others - especially since this gets you in to
    multiple systems...
  • If you lose your pass-phrase, it cannot be
    recovered - you must get a new certificate

13
3e. User Certificate Request
  • The Certificate request script will place your
    new user certificate and private key into a
    .globus directory in your home directory
  • > ls -la .globus
    total 24
    drwxr-xr-x   3 train00 train00 4096 Nov 17 13:45 .
    drwx------  33 train00 train00 4096 Oct 17 20:17 ..
    -r--r--r--   1 train00 train00 2703 Nov 17 13:55 usercert.pem
    -r--r--r--   1 train00 train00 1420 Nov 17 13:50 usercert_request.pem
    -r--------   1 train00 train00  963 Nov 17 13:50 userkey.pem
  • Your Pass-phrase protects your private key

14
The ~/.globus directory
  • The default location where a user's private key
    and certificate are installed
  • The directory in which Globus creates temporary
    subdirectories and files to handle grid job
    submission and file transfer

    > ls -la ~/.globus
    total 24
    drwxr-xr-x   3 train00 train00 4096 Nov 17 13:45 .
    drwx------  33 train00 train00 4096 Oct 17 20:17 ..
    -r--r--r--   1 train00 train00 2703 Nov 17 13:55 usercert.pem
    -r--r--r--   1 train00 train00 1420 Nov 17 13:50 usercert_request.pem
    -r--------   1 train00 train00  963 Nov 17 13:50 userkey.pem

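
The modes in the listing above are what keep the private key private: userkey.pem is readable by its owner only, and nothing in the directory is writable by anyone else. The script below is an added example, not part of the original slides; it audits a credential directory for that layout. The function names are hypothetical, and the demo runs against a constructed temporary directory standing in for ~/.globus.

```shell
#!/bin/sh
# Added example (not from the slides): audit a Globus credential directory.
# Expected layout, per the listing above: userkey.pem readable by the owner
# only; usercert.pem and the directory not writable by group or other.

# mode_of PATH: symbolic mode from ls, e.g. "-r--------".
mode_of() { ls -ld "$1" 2>/dev/null | cut -c1-10; }

# check_globus_perms [DIR]: print findings, return the number of problems.
check_globus_perms() {
    dir=${1:-"$HOME/.globus"}
    problems=0
    for name in userkey.pem usercert.pem; do
        if [ ! -f "$dir/$name" ] || [ -L "$dir/$name" ]; then
            echo "MISSING or symlink: $dir/$name"
            problems=$((problems + 1))
        fi
    done
    # Private key: every group/other bit (characters 5-10) must be '-'.
    case $(mode_of "$dir/userkey.pem") in
        ''|????------) ;;
        *) echo "UNSAFE key: $(mode_of "$dir/userkey.pem")"
           problems=$((problems + 1)) ;;
    esac
    # Certificate and directory: no group write (char 6) or other write (char 9).
    for path in "$dir/usercert.pem" "$dir"; do
        case $(mode_of "$path") in
            ''|?????-??-?) ;;
            *) echo "WRITABLE by others: $path $(mode_of "$path")"
               problems=$((problems + 1)) ;;
        esac
    done
    return "$problems"
}

# Constructed demo directory (stand-in for ~/.globus) with the slide's modes.
DEMO=$(mktemp -d)
: > "$DEMO/usercert.pem"; : > "$DEMO/userkey.pem"
chmod 755 "$DEMO"; chmod 444 "$DEMO/usercert.pem"; chmod 400 "$DEMO/userkey.pem"
check_globus_perms "$DEMO" && echo "ok: matches the expected layout"
chmod 644 "$DEMO/userkey.pem"          # simulate a key left world-readable
check_globus_perms "$DEMO" || echo "problems found: $?"
```
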
15
3f. User Certificate Request
  • Examine your new certificate
  • > grid-cert-info -subject -startdate -enddate
    /C=US/O=National Center for Supercomputing Applications/CN=Jeffrey Gardner
    Jun 19 21:16:05 2005 GMT
    Jun 18 21:16:05 2006 GMT
  • Your Certificate's Subject is your Certificate DN
  • DN = Distinguished Name

16
3g. User Certificate Request
  • Test Globus certificate proxy generation
  • > grid-proxy-init -verify -debug
    User Cert File: /home/train00/.globus/usercert.pem
    User Key File: /home/train00/.globus/userkey.pem
    Trusted CA Cert Dir: /etc/grid-security/certificates
    Output File: /tmp/x509up_u500
    Your identity: /C=US/O=National Center for Supercomputing Applications/CN=Training User00
    Enter GRID pass phrase for this identity:
  • (Enter your pass-phrase)
    Creating proxy ............ Done
    Proxy Verify OK
    Your proxy is valid until: Sat Oct 18 08:39:43 2003
  • > grid-proxy-destroy

17
Congratulations! You are now certified to use
the TeraGrid
  • Your certificate is your encrypted ID badge
    that identifies you to TeraGrid sites.
  • Distinguished Name (your unique TeraGrid
    identity)
  • Start date and end date
  • X.509 encrypted key
  • But before it will work, we need to tell TeraGrid
    sites (including NCSA) to accept it.
  • Someday soon this will be done automatically

18
4a. Registering your Distinguished Name in a
TeraGrid system grid-mapfile
  • Every TeraGrid system has
    /etc/grid-security/grid-mapfile
  • This file maps your TeraGrid Distinguished Name
    to your local userid on that machine
  • By the end of the summer, generating a new
    certificate will automatically cause
    grid-mapfiles on all TeraGrid machines to be
    updated with your Distinguished Name
  • But at present, to use a new TeraGrid site, you
    must place an entry in that site's grid-mapfile
  • TeraGrid sites provide the gx-map command to
    simplify this registration process for users
  • gx-map must be executed once per TeraGrid site
    accessed

19
4b. Registering your Distinguished Name in the
NCSA Globus grid-mapfile
  • Recall your TeraGrid User Certificate DN (keep
    this somewhere copy-able)
  • > grid-cert-info -subject
    /C=US/O=National Center for Supercomputing Applications/CN=Jeffrey Gardner
    (or something like this)
  • Execute the gx-map command interactively
  • > gx-map -interactive
  • STOP and await further instructions...

20
4c. Registering your Distinguished Name in the
NCSA Globus grid-mapfile
  • ...
    (a) Add a grid-mapfile entry
    (r) Remove a grid-mapfile entry
    (q) Query a grid-mapfile entry
    (u) Request an update of the grid-mapfiles
    (x) Exit
    What do you want to do? [arqux] a (return)
  • What user name do you want to map (default is
    username)? (return)
  • STOP and await further instructions...

(This prompt may no longer appear)
21
4d. Registering your Distinguished Name in the
NCSA Globus grid-mapfile
  • ...
    (a) Add a grid-mapfile entry
    (r) Remove a grid-mapfile entry
    (q) Query a grid-mapfile entry
    (u) Request an update of the grid-mapfiles
    (x) Exit
    What do you want to do? [arqux] a (return)
  • STOP and await further instructions...

22
4e. Registering your Distinguished Name in the
NCSA Globus grid-mapfile
  • You can specify the DN in one of three ways:
    (c) Certificate, extract from /home/gardnerj/.globus/usercert.pem
    (f) File, extract from a specified certificate file
    (i) Input the DN directly
    (x) Exit
    How do you want to specify the DN? [cfix] i (return)
  • Enter distinguished name: <Paste your distinguished
    name here>
  • E-mail address (<return> for none): (return)
  • STOP and await further instructions...

23
4f. Registering your User Certificate in the NCSA
Globus grid-mapfile
  • Ignore the subsequent prompts - just press
    (return) until you get to:
  • About to map distinguished name
    "/C=US/O=National Center for Supercomputing Applications/CN=Jeffrey Gardner"
    to user gardnerj
    Proceed? [yn] y (return)
    Mapping request submitted.
    The grid-mapfile(s) should be updated in a few minutes
  • STOP and await further instructions...

24
5a. Registering your Distinguished Name in a TACC
grid-mapfile
  • Recall your TeraGrid User Certificate DN (keep
    your DN somewhere copy-able)
  • > grid-cert-info -subject
    /C=US/O=National Center for Supercomputing Applications/CN=Jeffrey Gardner
    (or something like this)
  • SSH to TACC the old fashioned way
  • > ssh myTACCuserid@tg-login.tacc.teragrid.org
  • Execute the gx-map command interactively
  • > gx-map -interactive
  • STOP and await further instructions...

25
5b. Registering your Distinguished Name in a TACC
grid-mapfile
  • ...
    (a) Add a grid-mapfile entry
    (r) Remove a grid-mapfile entry
    (q) Query a grid-mapfile entry
    (u) Request an update of the grid-mapfiles
    (x) Exit
    What do you want to do? [arqux] a (return)
  • STOP and await further instructions...

26
5c. Registering your Distinguished Name in a TACC
grid-mapfile
  • You can specify the DN in one of three ways:
    (c) Certificate, extract from /home/gardnerj/.globus/usercert.pem
    (f) File, extract from a specified certificate file
    (i) Input the DN directly
    (x) Exit
    How do you want to specify the DN? [cfix] i (return)
  • Enter distinguished name: <Paste your distinguished
    name here>
  • E-mail address (<return> for none): (return)
  • STOP and await further instructions...

27
5d. Registering your User Certificate in the TACC
Globus grid-mapfile
  • Ignore the subsequent prompts - just press
    (return) until you get to:
  • About to map distinguished name
    "/C=US/O=National Center for Supercomputing Applications/CN=Jeffrey Gardner"
    to user gardnerj
    Proceed? [yn] y (return)
    Mapping request submitted.
    The grid-mapfile(s) are updated at the beginning of each hour
  • STOP and await further instructions...

28
5e. Registering your User Certificate in the TACC
Globus grid-mapfile
  • Log out of TACC
  • exit
  • STOP and await further instructions...

29
Authentication Setup Summary
  • Certificate generation (Step 3) is done only once
    for the entire TeraGrid!
  • Until your certificate expires after 2 years, or
    you delete your .globus directory

30
Authentication Setup Summary
  • Updating /etc/grid-security/grid-mapfile (Step 4)
    is done the first time you use each TeraGrid
    site.
  • How this is done depends on the site
  • NCSA, TACC, SDSC, Caltech/CACR, IU, US/ANL:
    gx-map
  • PSC: Edit grid-mapfile directly using webpage
    https://dirs.psc.edu/teragrid/userpage

31
6. Verifying your User Certificate in a TeraGrid
system Globus grid-mapfile
  • Login to TeraGrid system
  • Check that your certificate DN and user account
    name have been entered into the local
    host's grid-mapfile
  • > grep -i userid /etc/grid-security/grid-mapfile
    "/C=US/O=National Center for Supercomputing Applications/CN=Jeff Gardner" gardnerj
  • STOP and await further instructions...
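
The grep above is a substring match, so it also returns entries for similarly named accounts and for other DNs mapped to the same userid. The script below is an added example, not part of the original slides; it compares the whole DN and also lists every DN that maps to a given local account. The function names and the sample entries (including "Example Org") are constructed for illustration, and the file format assumed is one quoted DN followed by one or more comma-separated local user names per line.

```shell
#!/bin/sh
# Added example (not from the slides): exact-match queries against a
# grid-mapfile, whose lines look like:  "DN with spaces" user[,user...]

# gridmap_users DN [FILE]: print the local accounts mapped to exactly DN.
gridmap_users() {
    awk -v want="$1" '
        /^[ \t]*#/ { next }                        # skip comments
        match($0, /^[ \t]*"[^"]*"/) {
            dn = substr($0, RSTART, RLENGTH)
            sub(/^[ \t]*"/, "", dn); sub(/"$/, "", dn)
            if (dn != want) next                   # whole-DN comparison
            rest = substr($0, RSTART + RLENGTH)
            gsub(/[ \t]/, "", rest)
            n = split(rest, u, ",")
            for (i = 1; i <= n; i++) if (u[i] != "") { print u[i]; hit = 1 }
        }
        END { exit (hit ? 0 : 1) }
    ' "${2:-/etc/grid-security/grid-mapfile}"
}

# gridmap_dns USER [FILE]: print every DN allowed to act as local USER.
gridmap_dns() {
    awk -v want="$1" '
        /^[ \t]*#/ { next }
        match($0, /^[ \t]*"[^"]*"/) {
            dn = substr($0, RSTART, RLENGTH)
            sub(/^[ \t]*"/, "", dn); sub(/"$/, "", dn)
            rest = substr($0, RSTART + RLENGTH)
            gsub(/[ \t]/, "", rest)
            n = split(rest, u, ",")
            for (i = 1; i <= n; i++) if (u[i] == want) print dn
        }
    ' "${2:-/etc/grid-security/grid-mapfile}"
}

# Constructed sample data: three made-up entries, not a real grid-mapfile.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed sample
"/C=US/O=National Center for Supercomputing Applications/CN=Jeff Gardner" gardnerj
"/C=US/O=National Center for Supercomputing Applications/CN=Jeff Gardner Jr" gardnerj2
"/C=US/O=Example Org/CN=Training User00" train00,gardnerj
EOF

DN='/C=US/O=National Center for Supercomputing Applications/CN=Jeff Gardner'
echo "grep -i gardnerj matches $(grep -ic gardnerj "$SAMPLE") lines"
echo "exact DN maps to: $(gridmap_users "$DN" "$SAMPLE")"
echo "DNs that can act as gardnerj:"; gridmap_dns gardnerj "$SAMPLE"
```

An unexpected DN in the output of gridmap_dns for your own userid means some other certificate can log in as you at that site.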

32
Questions
  • Phew!
  • Any Questions regarding TeraGrid User
    Certificates and Authentication?

33
Links
  • Obtaining TeraGrid User Certificates:
    http://www.ncsa.uiuc.edu/UserInfo/Grid/Security/GetUserCert.html
  • TeraGrid Certificate and DN setup:
    http://www.teragrid.org/userinfo/guide_access_auth_setup.html
  • TeraGrid Proxy setup:
    http://www.teragrid.org/userinfo/guide_access_auth_proxy.html
  • TeraGrid User Guide:
    http://teragrid.org/docs/user-guide.html