Accounts on Grids: setting up accounts across multiple sites (presentation)

Number of slides: 26

Accounts on Grids
• Setting up accounts across multiple sites is complex
  – Once done, things should be automatic
  – However, it can take several days to get done
• To ‘get on’ you need to:
  – Get an account on one or more of the machines
  – Set it up (e.g. ENV)
    • Often a prepared script provided by the site manager is used
• To use it as a grid, you need to set up a grid certificate:
  • Find your grid libraries
  • Run certificate init (grid-cert-request) codes
  • Get the cert approved
  • Propagate certificate info to each machine
  • Identify your Distinguished Name (DN)
    – Get the DN installed in the ‘grid mapfile’
      • The place where user names are mapped to cert DNs

Globus Security: the Grid Security Infrastructure (GSI)
• http://www.globus.org/security
• Public key encryption for single sign-on
  – PEM: Public Encryption Method
• X.509 certificates for credentials
• Secure Sockets Layer (SSL) communication protocol for message security
• Standard: most sites conform to
  – Generic Security Service API (GSS-API) of the Internet Engineering Task Force (IETF)
• Certificate Authority (CA) blesses the process

GSI: Some Terms (http://www.dcoce.ox.ac.uk/glossary)
• IETF: Internet Engineering Task Force
• PKI, Public Key Infrastructure:
  – IETF definition: "The set of hardware, software, people, policies and procedures needed to create, manage, store, distribute, and revoke PKCs based on public-key cryptography".
  – OpenSSL provides an Open Source implementation.
• OpenSSL Project:
  – Collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library.
• PKC, Public Key Certificate:
  – IETF definition: "A data structure containing the public key of an end-entity and some other information, which is digitally signed with the private key of the CA which issued it."

GSI: Some Terms (from http://www.dcoce.ox.ac.uk/glossary)
• CA: Certification Authority:
  – An agency or organization that is able to publish and give out digital certificates
  – IETF definition: "An authority trusted by one or more users to create and assign public key certificates. Optionally the CA may create the user's keys. It is important to note that the CA is responsible for the public key certificates during their whole lifetime (which includes renewal, revocation, etc.), not just for issuing them."
• DN: Distinguished Name
  – X.509 certificates; always contained within the 'subject' field of a digital certificate. The distinguished name should be unique within all certificates issued by a certification authority. A distinguished name might look like this: C=UK, O=eScience, OU=Authority, CN=CA. The attributes (e.g. C (Country), O (Organisation), OU (Organisational Unit), CN (Common Name), etc.) all combine to form the DN
• X.509:
  – Recommendation X.509 specifies the authentication service for X.500 directories, as well as the widely adopted X.509 certificate syntax. The initial version of X.509 was published in 1988, version 2 was published in 1993, and version 3 was proposed in 1994 and considered for approval in 1995. Version 3 addresses some of the security concerns and limited flexibility that were issues in versions 1 and 2.

Security: SSL, Secure Socket Layer
• SSL is designed to secure data exchanges between two applications
  – originally between Web server -> browser.
  – the protocol is widely used and is compatible with most Web browsers.
  – At the network level, the SSL protocol is inserted between the TCP/IP and HTTP layers
• SSL has been designed mainly to work with HTTP.
• SSL uses a public key encryption method
  – technique based on a pair of asymmetric keys for encryption and decryption: a public key and a private key.
  – The private key is used to encrypt data.
    • the sender (e.g. web site) does not give it to anyone
  – Public Key: used to decrypt the information and is sent to the receivers (Web browsers) through a certificate.
  – When using SSL with the Internet, the certificate is delivered through a certification authority, such as Verisign
  – The Web site pays the CA to deliver a certificate, which guarantees the server authentication and contains the public key allowing data to be exchanged in a secured mode.
(Image courtesy www.4d.fr)

Globus GSI: Public Key Cryptography
• PKI relies not on a single key (a password or a secret "code"), but on two keys.
  – Asymmetric encryption: keys are numbers that are mathematically related in such a way that if either key is used to encrypt a message, the other key must be used to decrypt it.
• How it works:
  – Entity (owner) has two keys: a public and a private key
  – Data encrypted with one key can only be decrypted with the other.
  – The private key is known only to the entity
  – The public key is given to the world encapsulated in an X.509 certificate
• Important:
  – It is critical that private keys be kept private! Anyone who knows the private key can easily impersonate the owner.

GSI: Certificates
• Every user and service on the Grid is identified via a certificate,
  – contains information vital to identifying and authenticating the user or service.
  – Certificates are public
• GSI certificates are encoded in the X.509 certificate format and include four primary pieces of information:
  – Subject name, identifies the person or object that the certificate represents.
  – Public Key belonging to the subject.
  – Identity of a Certificate Authority (CA) that has signed the certificate to certify that the public key and the identity both belong to the subject.
  – Digital Signature of the named CA.
• The CA is used to certify the link between public key and subject in the certificate
  – This is done when you get your certificate
  – To trust the certificate and its contents, the CA's certificate must be trusted.
  – The link between the CA and its certificate must be established via some non-cryptographic means, or else the system is not trustworthy.

GSI: How Digital Signatures Work
• Using public key cryptography, it is possible to digitally "sign" a piece of information.
  – Signing information essentially means assuring a recipient of the information that the information hasn't been tampered with since it left your hands.
• Entity A digitally signs a piece of information:
  – Computes a mathematical hash (H1) of the information
  – Encrypts this hash using Entity A’s private key (encr-H1)
  – Attaches hash encr-H1 to the original message
  – Makes sure that the Recipient has Entity A’s public key
  – Makes sure the Recipient knows the algorithm
• The Recipient must verify that the signed message is authentic:
  – Compute a new hash (H2) of the original message using the same hashing algorithm used by Entity A
  – Using the CA digital signature in Entity A’s public certificate, the recipient decrypts hash encr-H1 that Entity A attached to the message (hash H3)
  – IF H3 == H2
    • Proves that Entity A signed the message and that the message has not been changed since it was signed.

GSI: Mutual Authentication
• Grid services work based on mutual authentication
  – If two parties have certificates, and if both parties trust the CAs that signed each other's certificates, then the two parties can prove to each other that they are who they say they are.
• Before mutual authentication can occur,
  – the parties involved must first trust the CAs that signed each other's certificates.
  – they must have copies of the CAs' certificates, which contain the CAs' public keys
  – they must trust that these certificates really belong to the CAs.
• This is often a very manual process and one of the bottlenecks in setting up a grid:
  – Site admins (system, security, project, etc.)

GSI: Mutual Authentication
• A connects to B and A gives B its certificate (identity, public key, signing CA)
• B will first make sure that the certificate is valid
  – checking the CA's digital signature, check that the certificate hasn't been tampered with.
• B must make sure that A really is the person identified in the certificate.
  – B generates a random message and sends it to A, asking A to encrypt it.
  – A encrypts the message using its private key, and sends it back to B.
  – B decrypts the message using A's public key. If this results in the original random message, B knows that A is who he says he is.
• Now B trusts A's identity; the same operation must happen in reverse.
  – B sends A a certificate
  – A validates the certificate and sends a challenge message to be encrypted.
  – B encrypts the message and sends it back to A; A decrypts it and compares it with the original.
  – If it matches, then A knows that B is who she says she is.
• A and B have established a connection to each other and are certain that they know each other's identities.

GSI: Securing Private Keys
• The core GSI software provided by the Globus Toolkit expects the user's private key to be stored in a file in the local computer's storage.
• To prevent other users of the computer from stealing the private key, the file that contains the key is encrypted via a password (also known as a passphrase).
• To use the GSI, the user must enter the passphrase required to decrypt the file containing their private key.
• We have also prototyped the use of cryptographic smartcards in conjunction with the GSI.
• This allows users to store their private key on a smartcard rather than in a filesystem, making it still more difficult for others to gain access to the key.

GSI: Delegation and Single Sign-On
• The GSI provides a delegation capability: an extension of the standard SSL protocol which reduces the number of times the user must enter his passphrase. If a Grid computation requires that several Grid resources be used (each requiring mutual authentication), or if there is a need to have agents (local or remote) requesting services on behalf of a user, the need to re-enter the user's passphrase can be avoided by creating a proxy.
• A proxy consists of a new certificate (with a new public key in it) and a new private key. The new certificate contains the owner's identity, modified slightly to indicate that it is a proxy. The new certificate is signed by the owner, rather than a CA. (See diagram below.) The certificate also includes a time notation after which the proxy should no longer be accepted by others. Proxies have limited lifetimes.
• The proxy's private key must be kept secure, but because the proxy isn't valid for very long, it doesn't have to be kept quite as secure as the owner's private key. It is thus possible to store the proxy's private key in a local storage system without being encrypted, as long as the permissions on the file prevent anyone else from looking at it easily. Once a proxy is created and stored, the user can use the proxy certificate and private key for mutual authentication without entering a password.
• When proxies are used, the mutual authentication process differs slightly. The remote party receives not only the proxy's certificate (signed by the owner), but also the owner's certificate. During mutual authentication, the owner's public key (obtained from her certificate) is used to validate the signature on the proxy certificate. The CA's public key is then used to validate the signature on the owner's certificate. This establishes a chain of trust from the CA to the proxy through the owner.
Note that the GSI and software based on it (notably the Globus Toolkit, GSI-SSH, and GridFTP) is currently the only software which supports the delegation extensions to TLS (a.k.a. SSL). The Globus Project is actively working with the Grid Forum and the IETF to establish proxies as a standard extension to TLS so that GSI proxies may be used with other TLS software.
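The chain of trust described on this slide, together with the key pair, hash-sign-verify and challenge-response steps of the public key, digital signature and mutual authentication slides before it, as one toy model in Python. This is an added example, not Globus Toolkit or GSI code. It assumes textbook RSA over fixed Mersenne primes (so every "private" key below is public knowledge and the code is illustrative only), SHA-256 as the hash, plain dicts as certificates, and constructed names, lifetimes and a 12-hour proxy; real GSI proxies are X.509 certificates with a defined extension, which this model does not reproduce.

```python
import hashlib
import json
import secrets

# Fixed Mersenne primes so the example runs offline with no key generation.
# Anyone can recompute these keys: fine for showing the chain of trust,
# useless as real key material.
PRIMES = {
    "ca":    (2**521 - 1, 2**127 - 1),
    "user":  (2**607 - 1, 2**107 - 1),
    "proxy": (2**1279 - 1, 2**89 - 1),
}
E = 65537


def make_keypair(p, q, e=E):
    """Textbook RSA: returns (public, private) as (exponent, modulus) pairs."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (e, n), (d, n)


def digest(tbs):
    """H1/H2 on the signature slide: SHA-256 of the canonical JSON of the
    to-be-signed fields, as an integer (always smaller than the moduli above)."""
    raw = json.dumps(tbs, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(raw).digest(), "big")


def sign(private_key, tbs):
    d, n = private_key
    return pow(digest(tbs), d, n)               # "encrypt the hash with the private key"


def verify(public_key, tbs, signature):
    e, n = public_key
    return pow(signature, e, n) == digest(tbs)  # "decrypt with the public key": H3 == H2


def issue(subject, subject_pub, issuer, issuer_priv, not_after):
    """Minimal certificate: subject, public key, issuer name, expiry, signature."""
    tbs = {"subject": subject, "pub": list(subject_pub),
           "issuer": issuer, "not_after": not_after}
    return {**tbs, "sig": sign(issuer_priv, tbs)}


def tbs_of(cert):
    return {k: v for k, v in cert.items() if k != "sig"}


def verify_chain(chain, trusted_cas, now):
    """chain[0] is the certificate presented (proxy or user cert); each entry
    must be signed by the next, and the last by a CA in trusted_cas.
    Returns the owner's identity (subject of the CA-issued cert) or None."""
    if not chain:
        return None
    for cert in chain:
        if now > cert["not_after"]:             # proxies have limited lifetimes
            return None
    for cert, signer in zip(chain, chain[1:]):
        # A proxy carries the owner's identity "modified slightly" and is
        # signed with the owner's key rather than a CA's.
        if cert["subject"] != signer["subject"] + "/CN=proxy":
            return None
        if cert["issuer"] != signer["subject"]:
            return None
        if not verify(tuple(signer["pub"]), tbs_of(cert), cert["sig"]):
            return None
    last = chain[-1]
    ca_pub = trusted_cas.get(last["issuer"])
    if ca_pub is None or not verify(ca_pub, tbs_of(last), last["sig"]):
        return None                             # untrusted CA or forged CA signature
    return last["subject"]


def authenticate(trusted_cas, presented_chain, prover_priv, now):
    """One direction of mutual authentication: validate the chain, then send a
    random challenge that must be signed with the presented certificate's key."""
    identity = verify_chain(presented_chain, trusted_cas, now)
    if identity is None:
        return None
    challenge = {"nonce": secrets.token_hex(16)}
    response = sign(prover_priv, challenge)
    if not verify(tuple(presented_chain[0]["pub"]), challenge, response):
        return None                             # prover lacks the matching private key
    return identity


def build_demo(now=1_700_000_000):
    """Constructed CA, a one-year user certificate and a 12-hour proxy."""
    ca_pub, ca_priv = make_keypair(*PRIMES["ca"])
    user_pub, user_priv = make_keypair(*PRIMES["user"])
    proxy_pub, proxy_priv = make_keypair(*PRIMES["proxy"])
    ca_name = "/O=Grid/OU=Example/CN=Example CA"
    user_name = "/O=Grid/OU=Example/CN=Example User"
    user_cert = issue(user_name, user_pub, ca_name, ca_priv, now + 365 * 86400)
    proxy_cert = issue(user_name + "/CN=proxy", proxy_pub, user_name, user_priv, now + 12 * 3600)
    return {"now": now, "trusted": {ca_name: ca_pub}, "user_name": user_name,
            "user_cert": user_cert, "user_priv": user_priv,
            "proxy_cert": proxy_cert, "proxy_priv": proxy_priv}


if __name__ == "__main__":
    d = build_demo()
    chain = [d["proxy_cert"], d["user_cert"]]
    print("proxy chain now       :", verify_chain(chain, d["trusted"], d["now"]))
    print("proxy chain 13h later :", verify_chain(chain, d["trusted"], d["now"] + 13 * 3600))
    print("mutual auth via proxy :", authenticate(d["trusted"], chain, d["proxy_priv"], d["now"]))
```

The verification order mirrors the slide: the owner's public key (taken from the owner's certificate in the chain) checks the proxy's signature, the CA's public key checks the owner's certificate, and the expiry on the proxy is enforced separately from its signature, so extending a proxy's lifetime after the fact breaks the signature and the chain fails.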

GSI: Securing Private Keys
• You get a cert by running grid-cert-request
• GSI expects the user's private key to be stored in a file in the local user filespace
  – Directory only readable by owner
  – The file that contains the key is encrypted via a password (also known as a passphrase).
  – To use GSI, the user must enter the passphrase required to decrypt the file containing their private key.

Using GSI: grid-cert-request
• grid-cert-request -h displays all options

grid-cert-request [-help] [ options ... ]

  Example Usage:
    Creating a user certificate:
      grid-cert-request
    Creating a host or gatekeeper certificate:
      grid-cert-request -host [my.host.fqdn]
    Creating a LDAP server certificate:
      grid-cert-request -service ldap -host [my.host.fqdn]

  Options:
    -version             : Display version
    -?, -help            : Display usage
    -cn [name],
    -commonname [name]   : Common name of the user
    -service [service]   : Create certificate for a service. Requires the -host
                           option and implies that the generated key will not be
                           password protected (i.e. implies -nopw).
    -host [my.host.fqdn] : Create certificate for a host named [my.host.fqdn]
    -prefix [prefix]     : Causes the generated files to be named [prefix]cert.pem,
                           [prefix]key.pem and [prefix]cert_request.pem
    -nopw, -nodes,
    -nopassphrase        : Create certificate without a passwd
    -verbose             : Don't clear the screen
    -int[eractive]       : Prompt user for each component of the DN
    -force               : Overwrites preexisting certificates
    -ca                  : Will ask which CA is to be used (interactive)
    -ca [hash]           : Will use the CA with hash value [hash]
    -dir [dir]           : Changes the directory the private key and certificate
                           request will be placed in. By default user certificates
                           are placed in /home/mthomas/.globus, host certificates
                           are placed in /etc/grid-security and service
                           certificates are placed in /etc/grid-security/.

grid-cert-request -ca (lists the CAs recognized by the host)
[mthomas@buda ~]$ /usr/local/globus-3.0.2/bin/grid-cert-request -verbose -ca
nondefaultca=true
The available CA configurations installed on this host are:
 1) 1c3f2ca8 - /DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1
 2) 42864e48 - /C=US/O=Globus/CN=Globus Certification Authority
 3) 5fb2fc80 - /O=Louisiana State University/OU=CCT/OU=ca.cct.lsu.edu/CN=CCT CA
 4) 6349a761 - /O=DOE Science Grid/OU=Certificate Authorities/CN=Certificate Manager
 5) 860e3429 - /C=US/ST=Virginia/L=Charlottesville/O=University of Virginia/[email protected]/CN=UVA Standard Assurance SKP 1
 6) 9a1da9f9 - /C=US/O=UTAustin/OU=TACC/CN=TACC Certification Authority/0.9.2342.19200300.1.1=caman
 7) 9d8753eb - /DC=net/DC=es/OU=Certificate Authorities/OU=DOE Science Grid/CN=pki1
 8) ad478c3d - /C=US/ST=Virginia/L=Charlottesville/O=NMI Testbed Grid/OU=Bridge CA/CN=BridgeCA
 9) c4d34612 - /C=US/ST=Alabama/L=Birmingham/O=University of Alabama at Birmingham/OU=UABGrid/CN=UAB GridCA
10) cd88b13f - /O=Grid/OU=Texas Tech HPCC/OU=onera/CN=Globus Simple CA
11) d1b603c3 - /DC=net/DC=ES/O=ESnet/OU=Certificate Authorities/CN=ESnet Root CA 1
Enter the index number of the CA you want to sign your cert request:

Requesting a Certificate
• To request a certificate a user starts by generating a key pair
• The private key is stored encrypted with a pass phrase the user gives
• The public key is put into a certificate request
(Diagram: Private Key, encrypted on local disk; Certificate Request containing the Public Key)

Certificate Issuance
• The user then takes the certificate to the CA
• The CA usually includes a Registration Authority (RA) which verifies the request:
  – name unique with respect to the CA
  – It is the real name of the user (often by phone, etc.)
• The CA then signs the certificate request and issues a certificate for the user
(Diagram, image courtesy R. Buyya: Certificate Request with Public Key is signed, yielding a certificate with Name, Issuer, Public Key, Signature)

Creating a Cert: “Simple” steps
• Get an account on a host
  – e.g. buda.tacc.utexas.edu
• Run grid-cert-request
  – ~/.globus directory created with PEM files
• Email the contents of the usercert_request.pem file to the CA of choice
  – [email protected]
• The CA emails back your signed and encrypted public key file (usercert.pem)
• Place it in ~/.globus on the machines you want to do grid jobs on

Creating the Certificate: output from grid-cert-request
[mthomas@buda ~]$ /usr/local/globus-3.0.2/bin/grid-cert-request
A certificate request and private key is being created.
You will be asked to enter a PEM pass phrase.
This pass phrase is akin to your account password,
and is used to protect your key file.
If you forget your pass phrase, you will need to
obtain a new certificate.
Level 0 Organization [Grid]:
Level 1 Organization [Globus]:
Level 0 Organizational Unit [tacc.utexas.edu]:
Name (e.g., John M. Smith) []:
Using configuration from /etc/grid-security/globus-userssl.conf
Generating a 1024 bit RSA private key
...++++++
....++++++
writing new private key to '/home/mthomas/.globus/userkey.pem'
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
A private key and a certificate request has been generated with the subject:

/O=Grid/O=Globus/OU=tacc.utexas.edu/CN=Mary Thomas

If the CN=Mary Thomas is not appropriate, rerun this
script with the -force -cn "Common Name" options.

Your private key is stored in /home/mthomas/.globus/userkey.pem
Your request is stored in /home/mthomas/.globus/usercert_request.pem

Please e-mail the request to the Globus CA [email protected]
You may use a command similar to the following:

  cat /home/mthomas/.globus/usercert_request.pem | mail [email protected]

Only use the above if this machine can send AND receive e-mail. if not, please
mail using some other method.

Your certificate will be mailed to you within two working days.
If you receive no response, contact Globus CA at

Distinguished Names (DN)
• Globally unique identifier that represents you individually
  – /O=Grid/O=Globus/OU=tacc.utexas.edu/CN=Mary Thomas
• Mapfiles: map user login/account to DNs
• E.g. on Texas systems, the username is mthomas, so the mapfile looks like:
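The DN-to-account mapping these slides describe, as an added example in Python (not Globus code). It parses DNs in both spellings seen on the page, the OpenSSL one-line form (/O=Grid/.../CN=Mary Thomas) and the comma form (C=UK, O=eScience, ...), builds a comparison key, and resolves a certificate subject to local accounts through a grid-mapfile. The mapfile text is constructed for the example (the slide's own mapfile line is not on this page); the line format, a quoted DN followed by one or more comma-separated account names, is the one Globus mapfiles use. Matching DNs case-insensitively with collapsed whitespace is this example's choice, not a statement about how GSI compares them.

```python
import re
import shlex

# Split at "/" or ", " only where an attribute type and "=" follow, so values
# containing "/" (URLs) or ", " survive and OpenSSL's multi-valued
# "CN=Certificate Authority/UID=certman" is taken apart.
_RDN_SPLIT = re.compile(r"(?:,\s*|/)(?=[A-Za-z0-9.]+=)")


def parse_dn(text):
    """Return [(type, value), ...] for a DN in OpenSSL one-line form
    ('/O=Grid/O=Globus/OU=tacc.utexas.edu/CN=Mary Thomas') or in the
    comma-separated form ('C=UK, O=eScience, OU=Authority, CN=CA')."""
    text = text.strip()
    if text.startswith("/"):
        text = text[1:]
    rdns = []
    for part in _RDN_SPLIT.split(text):
        attr_type, sep, value = part.partition("=")
        if not sep or not attr_type.strip() or not value.strip():
            raise ValueError(f"malformed RDN {part!r} in DN {text!r}")
        rdns.append((attr_type.strip(), value.strip()))
    return rdns


def canonical_dn(text):
    """Comparison key: slash form, attribute types upper-cased, values with
    whitespace collapsed and case-folded (this example's matching rule)."""
    return "/" + "/".join(f"{t.upper()}={' '.join(v.split()).casefold()}"
                          for t, v in parse_dn(text))


def parse_gridmap(text):
    """Parse grid-mapfile lines of the form  "<DN>" account[,account...]
    into {canonical DN: [accounts]}; blank lines and '#' comments are skipped."""
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line)
        except ValueError as exc:
            raise ValueError(f"grid-mapfile line {lineno}: {exc}") from None
        if len(tokens) != 2:
            raise ValueError(f"grid-mapfile line {lineno}: expected '\"DN\" account', got {raw!r}")
        dn, accounts = tokens
        mapping.setdefault(canonical_dn(dn), []).extend(a for a in accounts.split(",") if a)
    return mapping


def lookup_account(gridmap, dn):
    """Local accounts a certificate subject is mapped to, or None if unmapped."""
    return gridmap.get(canonical_dn(dn))


# Constructed mapfile for the example; the first DN is the one shown on the
# DN slide, the second is the SDSC subject from the usercert.pem slide.
SAMPLE_GRIDMAP = '''\
# grid-mapfile: "certificate subject" local account(s)
"/O=Grid/O=Globus/OU=tacc.utexas.edu/CN=Mary Thomas" mthomas
"/C=US/O=SDSC/OU=SDSC/CN=Mary Thomas/UID=mthomas" mthomas,mthomas2
'''

if __name__ == "__main__":
    gm = parse_gridmap(SAMPLE_GRIDMAP)
    for subject in ("/O=Grid/O=Globus/OU=tacc.utexas.edu/CN=Mary Thomas",
                    "C=US, O=SDSC, OU=SDSC, CN=Mary Thomas/UID=mthomas",
                    "/O=Grid/O=Globus/CN=Nobody"):
        print(f"{subject!r:62} -> {lookup_account(gm, subject)}")
```

An unmapped subject returns None rather than a default account: a mapfile lookup that falls through to some catch-all login would turn "authenticated by a trusted CA" into "authorized on this machine" for anyone holding any trusted certificate, which is exactly the distinction the mapfile exists to enforce.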

Creating the Certificate: files created by grid-cert-request
[mthomas@buda ~/.globus]$ pwd
/home/mthomas/.globus
[mthomas@buda ~/.globus]$ ls -al
total 16
drwxr-xr-x  2 mthomas G-1130 4096 Jan 29 23:41 .
drwx------  5 mthomas G-1130 4096 Jan 29 23:40 ..
-rw-r--r--  1 mthomas G-1130    0 Jan 29 23:40 usercert.pem
-rw-r--r--  1 mthomas G-1130 1274 Jan 29 23:41 usercert_request.pem
-r--------  1 mthomas G-1130  963 Jan 29 23:41 userkey.pem
[mthomas@buda ~/.globus]$
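A check for the credential-directory layout the "Securing Private Keys" slides call for, as an added example in Python (not part of the Globus Toolkit). It builds a throw-away directory shaped like the listing above, with a constructed placeholder in place of the key, and reports what a site admin would look for: an owner-only directory, a key file readable by its owner alone (the 0400/0600 rule is the one this example enforces), the ENCRYPTED header that a passphrase-protected PEM key carries, and an empty usercert.pem, which means the CA's signed reply has not been installed yet.

```python
import os
import shutil
import stat
import tempfile


def check_credential_dir(path):
    """Return a list of findings (empty means OK) for a ~/.globus-style directory."""
    findings = []
    dir_mode = stat.S_IMODE(os.stat(path).st_mode)
    if dir_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"directory mode {dir_mode:04o}: writable by group/others")
    elif dir_mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"directory mode {dir_mode:04o}: readable by group/others, 0700 recommended")

    key = os.path.join(path, "userkey.pem")
    if not os.path.isfile(key):
        findings.append("userkey.pem: missing")
    else:
        key_mode = stat.S_IMODE(os.stat(key).st_mode)
        if key_mode not in (0o400, 0o600):
            findings.append(f"userkey.pem: mode {key_mode:04o}, expected 0400 or 0600")
        with open(key, "rb") as f:
            head = f.read(200)
        # Traditional PEM marks a passphrase-protected key with "Proc-Type: 4,ENCRYPTED";
        # PKCS#8 uses the "BEGIN ENCRYPTED PRIVATE KEY" label instead.
        if b"ENCRYPTED" not in head:
            findings.append("userkey.pem: not passphrase-protected (no ENCRYPTED header)")

    cert = os.path.join(path, "usercert.pem")
    if os.path.isfile(cert) and os.path.getsize(cert) == 0:
        findings.append("usercert.pem: empty, signed certificate not installed yet")
    return findings


def build_sample(dir_mode=0o755, key_mode=0o400, encrypted=True, cert_bytes=b""):
    """Construct a temporary directory shaped like the ls -al listing on the
    slide (defaults: drwxr-xr-x, userkey.pem -r--------, empty usercert.pem).
    The key file is a labelled placeholder, not key material."""
    d = tempfile.mkdtemp(prefix="globus-example-")
    key_text = b"-----BEGIN RSA PRIVATE KEY-----\n"
    if encrypted:
        key_text += b"Proc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,0000000000000000\n\n"
    key_text += b"(constructed placeholder, not a real key)\n-----END RSA PRIVATE KEY-----\n"
    key = os.path.join(d, "userkey.pem")
    with open(key, "wb") as f:
        f.write(key_text)
    os.chmod(key, key_mode)
    with open(os.path.join(d, "usercert.pem"), "wb") as f:
        f.write(cert_bytes)
    with open(os.path.join(d, "usercert_request.pem"), "wb") as f:
        f.write(b"(constructed placeholder)\n")
    os.chmod(d, dir_mode)
    return d


def audit_sample(**kwargs):
    """Build a sample directory, check it, remove it, and return the findings."""
    d = build_sample(**kwargs)
    try:
        return check_credential_dir(d)
    finally:
        os.chmod(d, 0o700)
        shutil.rmtree(d)


if __name__ == "__main__":
    cases = [("as on the slide", {}),
             ("hardened", dict(dir_mode=0o700, key_mode=0o600, cert_bytes=b"...")),
             ("world-readable key", dict(dir_mode=0o700, key_mode=0o644, cert_bytes=b"...")),
             ("unencrypted key", dict(dir_mode=0o700, encrypted=False, cert_bytes=b"..."))]
    for label, kw in cases:
        print(f"{label:20s} -> {audit_sample(**kw) or 'OK'}")
```

Run against the listing's layout, the check reports the group/other-readable directory and the still-empty usercert.pem and nothing about the key, which is exactly the one file the slides insist on protecting.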

Contents of the usercert_request.pem File
This is a Certificate Request file:
It should be mailed to [email protected]
=========================================
Certificate Subject:
    /O=Grid/O=Globus/OU=tacc.utexas.edu/CN=Mary Thomas
The above string is known as your user certificate subject, and it uniquely identifies this user.
To install this user certificate, please save this e-mail message into the following file.
/home/mthomas/.globus/usercert.pem
You need not edit this message in any way. Simply save this e-mail message to the file.
If you have any questions about the certificate contact the Globus CA at [email protected]
-----BEGIN CERTIFICATE REQUEST-----
BgNVBAsTD3RhY2MudXRleGFzLmVkdTEUMBIGA1UEAxMLTWFyeSBUaG9tYXMwgZ8w
DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJvOvU8PsbH4qIkaYaJkmGewcA/kC1Bx
8yBahG8Uab1B5z2GR0xWIGv+IWoyp+04/+X2071CLpebOX0A+/39foxzE+z7aXjI
Fm14WL22Yn/K3uIGNSRwJoWOu+cENrNrrl2JfIQqEIiVG5dWyT+VMkX/wx9C69X3
84iy0cq1So5VAgMBAAGgADANBgkqhkiG9w0BAQQFAAOBgQAE5qYwJVlFe2yQDgmu
/b0ICwjxJ77kNiNZRvcIfo23N4eXMi0s3YWvWAI6/nd2cgsJyfDOErUhXRteLjFS
pLSyr7njgfs2Jm26u4248P8LJbN6dAVN4JGFdoWAKPNYXbL7v30MQF8G93obvSB+
r3JacgAqczOM1vQci3HBnStX3Q==
-----END CERTIFICATE REQUEST-----
[mthomas@buda ~/.globus]$

GSI Public Key Contents: usercert.pem
qe2 (17) % cat usercert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 503 (0x1f7)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=US, O=SDSC, OU=SDSC-CA, CN=Certificate Authority/UID=certman
        Validity
            Not Before: Jan 30 03:23:05 2005 GMT
            Not After : Jan 30 03:23:05 2009 GMT
        Subject: C=US, O=SDSC, OU=SDSC, CN=Mary Thomas/UID=mthomas
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:ba:1d:62:9c:07:ce:24:28:72:87:17:2b:9d:c9:
                    ed:9a:d5:89:b9:2e:83:4f:9c:50:8a:57:cd:31:36:
                    6b:5e:9b:ce:80:a9:71:0d:79:26:d6:ca:7a:37:8b:
                    23:d9:39:1e:97:ab:62:53:cc:d3:cb:a3:99:41:2c:
                    9e:fc:33:84:ca:15:fa:05:5b:06:f7:68:4d:c0:13:
                    1b:89:ee:32:b3:9d:11:7a:50:c2:cd:d4:d3:2a:9b:
                    ae:40:18:61:72:98:4d:fd:6b:0d:ea:b5:8e:c1:d5:
                    77:2e:a1:f2:5e:57:aa:81:e6:aa:c9:eb:f5:26:d8:
                    67:1a:6d:00:99:e4:6d:82:b5:f9:47:02:cf:e9:6c:
                    b6:cb:30:96:c6:b0:a9:7c:33:f2:6f:91:f4:e4:5a:
                    3f:b1:9e:3d:7b:7c:4f:72:ad:89:72:84:2a:0b:1b:
                    a8:b0:c3:4e:50:e4:42:fc:7f:4d:c2:89:07:ed:72:
                    6d:fb:ad:68:c5:9a:29:3f:9c:27:af:3d:c7:ba:d5:
                    62:63:f5:a3:36:6e:82:41:4d:d3:d2:49:11:0a:9c:
                    05:57:38:1f:f7:7d:ea:8f:0e:cd:e9:51:09:be:49:
                    b8:ef:02:86:c8:6c:3b:e9:d5:52:a6:06:44:b1:02:
                    39:7d:62:67:ce:9f:9e:ae:8b:3b:be:1e:91
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Client, S/MIME, Object Signing
            Netscape Comment:
                OpenSSL Generated Certificate
            Netscape CA Revocation Url:
                http://www.sdsc.edu/CA/SDSC_CRL.pem
            X509v3 Subject Key Identifier:
                26:45:B2:53:39:11:AE:E7:9E:8F:24:72:D8:77:48:7D:EA:54:55:E0
            X509v3 Authority Key Identifier:
                keyid:BF:A3:87:2C:F6:0D:74:BD:48:6C:0E:27:BF:01:E4:F2:4F:46:BA:27
                DirName:/C=US/O=SDSC/OU=SDSC-CA/CN=Certificate Authority/UID=certman
                serial:00
    Signature Algorithm: md5WithRSAEncryption
        7e:51:45:34:c8:41:2d:54:c4:03:5e:c9:2f:da:7f:
        c5:32:9a:4c:0c:d3:e4:d3:d9:a1:df:60:27:5b:2e:
        7f:dc:6e:39:16:5c:73:7a:76:0e:83:5a:c4:ab:97:
        c5:80:41:eb:25:05:6c:51:95:82:72:4d:1a:73:0b:
        83:c5:76:dd:b2:97:5e:19:aa:2a:df:b4:ab:4b:c5:
        eb:e5:c2:cd:43:e6:40:a4:06:8d:66:b4:a3:3f:4f:
        20:d7:dc:5b:09:70:e4:19:2e:09:6f:88:dd:00:7e:
        49:ba:d3:ff:d6:dd:a5:40:00:27:0f:11:4f:2b:c3:
        98:96:86:42:2c:c1:b8:b4:e6:dc:dd:b0:9c:c6:b2:
        6d:09:e3:87:1f:85:e2:cc:12:f2:04:ac:3c:b4:98:
        00:bc:31:e7:d3:36:dc:eb:0f:60:2c:6a:c5:67:46:
        07:4c:c6:00:7a:de:71:b9:d8:ca:e9:de:86:52:9b:
        76:98:7a:26:8a:55:20:5b:7d:2e:4a:f0:01:e1:78:
        49:48:1f:56:3e:6f:78:7c:7b:e3:5c:c1:b1:03:7a:
        59:66:7f:fb:26:98:c1:a1:fe:f7:aa:fc:06:96:67:
        19:b8:b9:57:70:cb:74:18:cc:fe:95:b5:2e:a0:df:
        93:57:46:88:18:86:91:ea:d2:2a:9e:8d:76
-----BEGIN CERTIFICATE-----
MIIEdjCCA16gAwIBAgICAfcwDQYJKoZIhvcNAQEEBQAwZzELMAkGA1UEBhMCVVMx
DTALBgNVBAoTBFNEU0MxEDAOBgNVBAsTB1NEU0MtQ0ExHjAcBgNVBAMTFUNlcnRp
ZmljYXRlIEF1dGhvcml0eTEXMBUGCgmSJomT8ixkAQETB2NlcnRtYW4wHhcNMDUw
MTMwMDMyMzA1WhcNMDkwMTMwMDMyMzA1WjBaMQswCQYDVQQGEwJVUzENMAsGA1UE
ChMEU0RTQzENMAsGA1UECxMEU0RTQzEUMBIGA1UEAxMLTWFyeSBUaG9tYXMxFzAV
BgoJkiaJk/IsZAEBEwdtdGhvbWFzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEAuh1inAfOJChyhxcrncntmtWJuS6DT5xQilfNMTZrXpvOgKlxDXkm1sp6
N4sj2Tk5HperYlPM08ujmUEsnvwzg4TKFfoFWwb3aE3AExuJ7jKznRF6elDCzdTT
KpuuQBAYYXKYTf1rDeq1jsHVdy6h8l5XqoHmqsnr9SbYZxptAJnkbYK1+UcCz+ls
tsswlsawqXwz8m+R9ORaP7GePXt8T3KtiXKEKgsbqLDDTlDkQvx/TcKJB+1ybfut
aMWaKT+cJ689x7rVYmP1ozZugkFN09JJEQqcBVc4H/d96o8OzelRCb5JuO8Chshs
O+nVUqYGRLECOX1iZ86fnq6LO74ekQIDAQABo4IBNzCCATMwCQYDVR0TBAIwADAR
BglghkgBhvhCAQEEBAMCBLAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJh
dGVkIENlcnRpZmljYXRlMDIGCWCGSAGG+EIBBAQlFiNodHRwOi8vd3d3LnNkc2Mu
ZWR1L0NBL1NEU0NfQ1JMLnBlbTAdBgNVHQ4EFgQUJkWyUzkRrueejyRy2HdIfepU
VeAwgZEGA1UdIwSBiTCBhoAUv6OHLPYNdL1IbA4nvwHk8k9Guieha6RpMGcxCzAJ
BgNVBAYTAlVTMQ0wCwYDVQQKEwRTRFNDMRAwDgYDVQQLEwdTRFNDLUNBMR4wHAYD
VQQDExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxFzAVBgoJkiaJk/IsZAEBEwdjZXJ0
bWFuggEAMA0GCSqGSIb3DQEBBAUAA4IBAQB+UUU0yEEtVMQDXskv2n/FMppMDNPk
09mh32AnWy5/3G45FlxzenYOg1rEq5fFgIBB6yUFbFGVgnJNGnMLg8V23bKXXhmq
Kt+0q0vF6+XCzUPmQKQGjWa0oz9PINfcWwlw5BkuCW+I3QB+SbrT/9bdpUAAJw8R
Ty8rw5iWhkIswbi05tzdsJzGsm0J44cfheLMEvIErDy0mAC8MefTNtzrD2AsasVn
RgdMxgB63nG52Mrp3oZSm3aYeiaKVSBbfS5K8AHheElIH1Y+b3h8e+NcwbEDellm
f/smmMGh/veq/AaWZxm4uVdwy3QYzP6VtS6g35NXR0aIGIaR6tIqno12
-----END CERTIFICATE-----
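Before installing a usercert.pem like the one above, a practitioner would want to confirm its essentials. As an added example (not Globus code), the following parses the fields out of openssl x509 -text style output, here a constructed excerpt carrying the values printed on the slide with the modulus and base64 body omitted, and flags what stands out: the md5WithRSAEncryption signature, and, at any date after 30 January 2009, expiry. The set of algorithms treated as weak and the 2048-bit key floor are this example's thresholds.

```python
import re
from datetime import datetime, timezone

# Constructed from the values on the slide; layout follows 'openssl x509 -text'.
SAMPLE_CERT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 503 (0x1f7)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=US, O=SDSC, OU=SDSC-CA, CN=Certificate Authority/UID=certman
        Validity
            Not Before: Jan 30 03:23:05 2005 GMT
            Not After : Jan 30 03:23:05 2009 GMT
        Subject: C=US, O=SDSC, OU=SDSC, CN=Mary Thomas/UID=mthomas
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
"""

WEAK_SIGNATURE_ALGORITHMS = {"md2WithRSAEncryption", "md5WithRSAEncryption",
                             "sha1WithRSAEncryption"}


def parse_cert_text(text):
    """Extract the handful of fields the checks below need."""
    def grab(pattern):
        m = re.search(pattern, text, re.MULTILINE)
        return " ".join(m.group(1).split()) if m else None
    bits = grab(r"Public Key:\s*\((\d+) bit\)")
    return {
        "signature_algorithm": grab(r"^\s*Signature Algorithm:\s*(\S+)"),
        "issuer": grab(r"^\s*Issuer:\s*(.+)$"),
        "subject": grab(r"^\s*Subject:\s*(.+)$"),
        "not_before": grab(r"^\s*Not Before\s*:\s*(.+)$"),
        "not_after": grab(r"^\s*Not After\s*:\s*(.+)$"),
        "key_bits": int(bits) if bits else None,
        "is_ca": grab(r"^\s*CA:\s*(TRUE|FALSE)") == "TRUE",
    }


def parse_openssl_time(value):
    """'Jan 30 03:23:05 2009 GMT' -> timezone-aware datetime."""
    return datetime.strptime(value, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


def assess_user_cert(text, now):
    """Findings to resolve before installing the certificate (empty means OK)."""
    f = parse_cert_text(text)
    findings = []
    if f["signature_algorithm"] in WEAK_SIGNATURE_ALGORITHMS:
        findings.append(f"signed with {f['signature_algorithm']}, a broken/deprecated algorithm")
    if f["key_bits"] is not None and f["key_bits"] < 2048:
        findings.append(f"RSA key is only {f['key_bits']} bits")
    not_before = parse_openssl_time(f["not_before"])
    not_after = parse_openssl_time(f["not_after"])
    if now < not_before:
        findings.append(f"not valid until {not_before:%Y-%m-%d}")
    if now > not_after:
        findings.append(f"expired on {not_after:%Y-%m-%d}")
    if f["is_ca"]:
        findings.append("Basic Constraints CA:TRUE, this is a CA certificate, not a user certificate")
    return findings


if __name__ == "__main__":
    for when in (utc(2006, 6, 1), utc(2010, 1, 1)):
        print(f"{when:%Y-%m-%d}: {assess_user_cert(SAMPLE_CERT_TEXT, when) or 'OK'}")
```

The time comparison is done in UTC because the openssl output prints GMT; comparing against a naive local time would mis-report certificates near their boundaries.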

GSI Private Key Contents: userkey.pem
qe2 (15) % cat userkey.pem
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,4B20B8150256AE62

rOYybs+Rq0XXzWJJqRYty7l/HUWR9W5e8ZkYYldoX97Fc5J+ztvxihC931SX6QHY
5nN3wb6jcCWG23aGN6IPiYkZGmgaAAgGrochrHQ78O2TRW88/RxIAlP3IqYgctEl
a0AwC44z5X0fcItRwuEozbiaOSc/RJhIsYkUu66nfXTWJZjLk0Kh42s1y+qzN+2g
zGpCA46/9w6fBWrXOo0RI0DUQciVJ0jbnlKyaOJjVclgFDguwRxAd73fS90BAqTC
t01NbJbr9wvAfcdg8lrObUpNOhXIv77MT5I4um+479m4So1GxXsgaaHVVo7Y1TX5
If5WtRN5HOH0oVgfKBOZmEbpz1Uwy1hj3cXMrJMCtgOZlBWzcKK/rugkurPM8jpu
OqNV+1fK4LfVu8okvUcZa2iNGmH8xEXv8GG+y9d84Ciw8eViM1LROKlBFsKHUl9k
jd6QScfFEutx7qqfWOGWlK9WZgJEtEKZxx8Ydv9zzOrYvo0twxlteP6Dn5R3gwrp
hSjY6Fw7GKiqoBwmMA8/rZMU/BES/a57luHyiEpzro4xPqrsGyoGBgliXAorSsOi
frHz5h1esRaXKtpeNos5DimWQ3dPz5cjLAtgKEPUYTe591aLLqDURi/hUZAzhSfG
jCZnc9mOE7zIY0fv0Vo057JH4SXk7YqRqvP5oZeyhVntGAOO82SgM0e+QTKTcs/N
ag7ZItavpoF2HH8P3yC6X7P0KiyqGdS5Rz3BQixMsi9K9DuuwNj9mHee0dvCGvwy
kKA0CLYiYI9lFVpvCL0oKGCxgBAqZnWGd7btE/iSdLT4QKbTED8gw10F9IjBCPNl
uTlssNwmRLJrkpCS4tcGrfJCPSKwAgUo0Wv36ft0VKsUJcx+3Otgz3KFUufPxXEa
F8vKWAwb3OKsoE4Ly9azAo9HlK0a/K+4u9cg/mKOHoxgjJ9FkntyB2rk272X2ZlQ
0a6s05JO0MoUt4mfXaAck4uQJbqIvZOyeu/ZwfovD1zYsN/yXUVFK7/3oSK7IlEm
XbvX0XlZhJWp1CpM2p/J77cfh4Q+K88BmbQ5MjzNKduvKIYFeBd29AzbLfZOy0lv
ECriCdOKa5jfGaoVSVKGvh2Nz6VuwUxBlJEU6zjx5/WLNMnXnsuF+K8r+KVL74+v
a9kynmjNqvjgzwTuB8wZBHfh0bxFzh5IHn8saOhhaRgT+dJ7h+PjQN/kI43yjhVi
cqmE7FDqL44gE4jnn5VJ/gqMRXHKnaNFnmaUBKbRTuIgi6yjJwUaDBA5XXHFOdgP
3uEl5FbKVZzRt5/P4OGYLVILFTZ0a3YBeHB9EhBj4cANa4E9mNxS7a5M07hs2Y87
v/i2bWNktllHyu6Z1wrsYSFswKiU0S4uGmN+rYUoIChrxYvH7msnu0sD0q947aFy
+QMH1YbdtWmOMAZS4C0e8KS/ZZrIkSIksoLbuVzxN4iIUaNB++8+WiZuAl4wrYOi
Ti4YUCVULfC1vlL1+iUlY4K3CoQe9lDUXtHaWRY3it7nJlw08gvPXMLRPvZm6Huu
9+vsyzhDHLnCE6nxoQBIbZptomy9k9Y41QMsPBJrMRgZQHSjNSyMUyQWf+JI2M8g
-----END RSA PRIVATE KEY-----

Certificate Operations
• Certificate creation
  – grid-cert-request
  – grid-change-pass-phrase
• Certificate info & management
  – grid-proxy-init
  – grid-proxy-destroy
  – grid-proxy-info
  – grid-cert-info
  – grid-default-ca
• Mapfiles:
  – grid-mapfile-add-entry
  – grid-mapfile-check-consistency
  – grid-mapfile-delete-entry
• For more details see:
  – http://www-unix.globus.org/toolkit/docs/development/3.9.3/security/prewsaa/user/#commandline
  – Note: on the machine I was testing, not all commands were installed, and not all worked.