- Number of slides: 24
Consorzio COMETA - Progetto PI2S2 - UNIONE EUROPEA
The GENIUS Grid Portal and robot certificates
Giuseppe LA ROCCA (giuseppe.larocca@ct.infn.it), INFN - Catania
GRISU' Open Day su Bio-immagini e Grid, Napoli, 11 March 2009
www.consorzio-cometa.it
Why do we use Robot Certificates in Science?
• Grid technology allows users to share a wide range of distributed computational resources regardless of their geographical location. Virtual services are exposed to users through rather complex command-line interfaces or APIs.
+ Grid security is based on the Public Key Infrastructure (PKI) of X.509 certificates, and the procedure to obtain and manage those certificates is unfortunately not straightforward.
+ Up to now, the strict security policy required to access distributed computing resources has been a major limiting factor when trying to broaden the use of Grids by wide communities of users.
G. LA ROCCA - GRISU' Open Day su Bio-immagini e Grid - 11 March 2009 Naples - Italy
Why do we use Robot Certificates in Science?
+ The user has to join a Virtual Organization (VO).
+ The user needs an account on one of the trusted User Interfaces (UI).
⇒ Robot certificates and Grid portals provide added value that makes Grids more appealing to non-expert users.
Robot certificates - overview
https://security.fi.infn.it/CA/mgt/restricted/ucert_robot.php
1. Since Feb. 2008 the Italian INFN CA has also started to issue Robot Certificates. Thanks to these new certificates, scientists will be able to access the Grid by sharing the certificate installed on the portal.
2. Other CAs issuing robot certificates are the UK and NL ones.
Robot certificates - overview
• Robot certificates have been introduced to permit users who are not familiar with the Grid Security Infrastructure to experience the Grid paradigm for research activity, reducing the initial barriers.
– They are extremely useful, for instance, to automate grid service monitoring, data processing production, distributed data collection systems, etc.
– Basically, these certificates can be used to identify a person responsible for an unattended service or process acting as client and/or server.
Robot Certificates & tokens
• In order to strongly reduce the risk of the portal certificate being compromised or lost, the INFN CA has decided to issue this new certificate on board an Aladdin eToken PRO 32K smart card.
• Each smart card can hold several robot certificates: one for each application the user wants to share with other people.
– The user's PIN is requested every time the certificate on the smart card is read to generate a proxy.
– A first prototype of a Grid Portal using a robot certificate on board this hardware has been successfully designed.
Using an Aladdin eToken PRO to generate Grid Proxies
• Once your grid certificate and private key are safely stored on your eToken, you can generate proxies directly from it.
• A shell script, mkproxy, was written for this purpose.
– This script requires quite a few special programs and libraries, which need to be installed beforehand.
• The mkproxy script has been tested on:
– Windows XP (using cygwin)
– Linux Fedora Core 5 and 8
– Linux CentOS 4
– Scientific Linux 4 and 5
– Linux OpenSUSE 10 (suse 10)
– In the near future we hope to test it on Mac OS X as well.
Download the required files
• Install the following packages for your Linux distribution from this web link:
www.nikhef.nl/pub/projects/gridwiki/images/1/1c/Mkproxy-rhel4.tar.gz
• Due to licensing restrictions, we cannot supply the eToken drivers and libraries. These need to be downloaded from the Aladdin website. You can find all the required software on the web:
www.aladdin.ru/upload/iblock/609/eToken_PKI_Client_4_55_Linux.rar
• See the extra slides at the end of this presentation for installation tips.
[Figure: GENIUS portal & Robot Certificates workflow. Recoverable steps: 2. create a proxy with the robot certificate; 3. execute action; 4. get output.]
Porting the "MrBayes" application to GRID with robot certificate
Case study from INFN CNR - ITB
MrBayes overview
• MrBayes is a program for the Bayesian estimation of phylogeny.
• Bayesian inference of phylogeny is based on the posterior probability distribution of trees, which is the probability of a tree conditioned on the observations.
– To approximate the posterior probability distribution of trees, MrBayes uses a simulation technique called Markov Chain Monte Carlo (MCMC).
– The program takes as input a character matrix in NEXUS file format.
– The output is several files with the parameters that were sampled by the MCMC algorithm.
• The application is CPU demanding, especially if the MPI version of the software is used.
Phylogenetic analysis on a large scale
[Architecture diagram. Components: User's workstation; Robot Certificate; UI + GENIUS Portal; Job Submission Tool; Resource Broker; LFC Catalog; Computing Element(s); SE; Worker Node(s).]
Porting the "GridSPM" application to EGEE
Case study from the Italian Portal of Neuroinformatics
GRIDSPM's application overview
See Andrea Schenone's talk for further information.
• GRIDSPM is a neuroinformatics service that allows the statistical analysis of SPECT and PET cerebral images through the Statistical Parameter Mapping (SPM) system.
• The service allows certified and authorized users (Authorizations):
– to access and use the analysis software SPM;
– to access the database of SPECT and PET cerebral images of normal subjects, required for the comparison between the pathological subject and the normal population.
References
JST:
– webcms.ba.infn.it/cmssoftware/index.html/index.php/Main/JobSubmissionTool
Multi MrBayes with JST & robot certificate:
– Web site: https://glite-tutor1.ct.infn.it
– Video: https://gilda.ct.infn.it/Bari/LAROCCA_MrBayes_AVI.avi
The Italian Portal of Neuroinformatics: www.neuroinf.it
Statistical analysis of PET and SPET images:
– www.neuroinf.it/medico/Analisi/
Java PKCS#11 Reference Guide:
– java.sun.com/j2se/1.5.0/docs/guide/security/p11guide.html
– nikhef.nl/gridwiki/index.php/Using_an_Aladdin_eToken_PRO_to_generate_grid_proxies [Jan Just Keijser] janjust@nikhef.nl
Summary & Conclusions
• This work is particularly relevant for all users who are not familiar with personal digital certificates.
• The valuable benefits introduced by robot certificates in e-Science can thus be extended to users belonging to several scientific domains, providing an asset in raising Grid awareness among a wide number of potential users.
Extra slides follow...
Pre-installation /1
• Before installing PKI Client 4.55, pcsc-lite-lib and CCID must be installed.
– You may find these packages in your repository. These packages depend on each other.
• Start the daemon: /etc/init.d/pcscd start
• Untar eToken_PKI_Client_4_55_Linux.rar, which will extract the files:
Pre-installation /2
• The Mkproxy-rhel4.tar.gz tarball contains all the required binaries for RHEL 4 compatible platforms.
• After unpacking the tarball, copy the files to their respective locations:
cp -rp bin/* /usr/local/bin
cp -rp lib/* /usr/local/lib
cp -rp etc/openssl.cnf /usr/local/etc
Pre-installation /3
• Change the /usr/local/bin/mkproxy script as follows:
For further information …
Testing
• If you have installed a single grid certificate on your eToken, you can now generate a grid proxy by issuing the command:
mkproxy --label="Robot: MrBayes"
Starting Aladdin eToken PRO proxy generation
Found X.509 certificate on eToken:
  label: (eTCAPI) Robot: MrBayes – Giuseppe La Rocca's GILDA ID
  id: 3945373335312d333545442d343031612d384637302d3238463636393036363042303a31
Your identity: /C=IT/O=GILDA/L=INFN Catania/CN=Robot: Genius – Giuseppe La Rocca
Generating a 512 bit RSA private key
..++++++...++++++
writing new private key to 'proxykey.D17633'
-----
engine "pkcs11" set.
Signature ok
subject=/C=IT/O=GILDA/L=INFN Catania/CN=Robot: Genius – Giuseppe La Rocca/CN=proxy
Getting CA Private Key
PKCS#11 token PIN:
Your proxy is valid until: Sun Feb 24 03:58:09 CEST 2008
• Add VOMS extensions by running the command: voms-proxy-init --noregen -voms
mkproxy command line options
./bin/mkproxy --help
mkproxy version 1.40
This script will generate a X509 grid proxy using a public/private key pair found on an attached Aladdin eToken PRO.
Options
[--help]            Displays usage.
[--version]         Displays version.
[--debug]           Enables extra debug output.
[--quiet]           Quiet mode, minimal output.
[--limited]         Creates a limited globus proxy.
[--old]             Creates a legacy globus proxy (default).
[--gt3]             Creates a pre-RFC 3820 compliant proxy.
[--rfc]             Creates a RFC 3820 compliant proxy.
[--days=N]          Number of days the proxy is valid.
[--valid=HH:MM]     Proxy is valid for HH hours and MM minutes (default=12:00).
[--path-length=N]   Allow a chain of at most N proxies to be generated from this one (default=2).
[--bits=N]          Number of bits in key (512, 1024, 2048, default=512).
[--out=proxyfile]   Non-standard location of new proxy cert.
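The proxy that mkproxy prints above is accepted by a relying party only if it follows the proxy naming and lifetime rules (subject = issuer DN plus one CN component, "CN=proxy" for the legacy --old style or a numeric CN for --rfc, lifetime inside the robot certificate's validity, and the --path-length budget). The following added example, not part of the slides or of the mkproxy script, models those checks over constructed sample DNs taken from the output above; the CA DN and the dates of the sample chain are made up.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Cert:
    subject: str                      # OpenSSL one-line DN, as mkproxy prints it
    issuer: str
    not_before: datetime
    not_after: datetime
    path_len: Optional[int] = None    # mkproxy --path-length=N (None = unconstrained)

LEGACY_CNS = ("proxy", "limited proxy")   # --old / --limited (pre-RFC 3820) proxies

def proxy_step_problems(proxy: Cert, issuer: Cert, rfc: bool) -> list:
    """Rule violations for one proxy signed by `issuer` (empty list means OK)."""
    problems = []
    prefix = issuer.subject + "/CN="
    if proxy.issuer != issuer.subject:
        problems.append("issuer DN does not match the signing certificate")
    if not proxy.subject.startswith(prefix) or "/" in proxy.subject[len(prefix):]:
        problems.append("subject must be the issuer DN plus exactly one CN component")
    else:
        cn = proxy.subject[len(prefix):]
        if rfc and not cn.isdigit():
            problems.append("RFC 3820 proxy CN must be a unique serial number")
        if not rfc and cn not in LEGACY_CNS:
            problems.append("legacy proxy CN must be 'proxy' or 'limited proxy'")
    if proxy.not_before < issuer.not_before or proxy.not_after > issuer.not_after:
        problems.append("proxy lifetime exceeds the issuing certificate's validity")
    return problems

def check_chain(chain: list, rfc: bool = False) -> list:
    """chain[0] is the robot (end-entity) certificate, chain[1:] the proxies in order."""
    problems, budget = [], None      # budget: proxies still allowed below this point
    for depth, (issuer, proxy) in enumerate(zip(chain, chain[1:]), start=1):
        problems += [f"proxy {depth}: {p}" for p in proxy_step_problems(proxy, issuer, rfc)]
        if budget is not None:
            if budget <= 0:
                problems.append(f"proxy {depth}: path length constraint exceeded")
            budget -= 1
        if proxy.path_len is not None:
            budget = proxy.path_len if budget is None else min(budget, proxy.path_len)
    return problems

def make_chain(cns, path_len=None, hours=12):
    """Constructed sample: the GILDA robot identity from the slides plus one proxy per CN."""
    robot = Cert("/C=IT/O=GILDA/L=INFN Catania/CN=Robot: Genius - Giuseppe La Rocca",
                 "/C=IT/O=GILDA/CN=Sample CA (constructed)",   # issuer DN is made up
                 datetime(2008, 9, 8, 16, 4, 47), datetime(2009, 9, 8, 16, 4, 47))
    chain, start = [robot], datetime(2008, 9, 9, 12, 0, 0)     # constructed proxy start
    for i, cn in enumerate(cns):                               # path_len only on proxy 1
        parent = chain[-1]
        chain.append(Cert(parent.subject + "/CN=" + cn, parent.subject, start,
                          start + timedelta(hours=hours), path_len if i == 0 else None))
    return chain
```

`check_chain(make_chain(["proxy"] * 4, path_len=2))` reports the fourth proxy, matching the slide's "at most N proxies generated from this one" semantics of --path-length.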
Supported API /1
• The following APIs are supported in the Linux version of eToken PKI Client 4.55:
– PKCS#11
– SAPI
Supported API /2
[main] INFO eToken - ------------------------------------------
[main] INFO eToken - [ Testing.... Aladdin eToken PRO 32K 4.2B ]
[main] INFO eToken - Provider Name.. SunPKCS11-eToken
[main] INFO eToken - Version.... 1.6
[main] INFO eToken - Size... 29
[main] INFO eToken - >> Several key item(s) found - Proceed! <<
[main] INFO eToken - ------------------------------------------
[main] INFO eToken - Number of entities found : 1
[main] INFO eToken - Alias(es) found : (eTCAPI) Robot: MrBayes - Giuseppe La Rocca's INFN ID
[main] INFO eToken - Private Key : SunPKCS11-eToken RSA private key, 2048 bits (id 3696295941, token object, sensitive, unextractable)
[main] INFO eToken - Version: V3
  Subject: CN=Robot: MrBayes - Giuseppe La Rocca, L=Catania, OU=Robot, O=INFN, C=IT
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
  Key: SunPKCS11-eToken RSA public key, 2048 bits (id 522780681, session object)
  modulus: [2048-bit modulus omitted]
  public exponent: 65537
[main] INFO eToken - Public Key : SunPKCS11-eToken RSA public key, 2048 bits (id 522780681, session object)
  modulus: [2048-bit modulus omitted]
  public exponent: 65537
[main] INFO eToken - Public Key encoded : [B@140c281
[main] INFO eToken - Public Key format : X.509
[main] INFO eToken - Algorithm : RSA
[main] INFO eToken - >> Get Certificate <<
  ------------------------------------
  Subject Name : CN=Robot: MrBayes - Giuseppe La Rocca, L=Catania, OU=Robot, O=INFN, C=IT
  Certificate Issued by : CN=INFN CA, O=INFN, C=IT
  Valid from : Mon Sep 08 16:04:47 CEST 2008
  Valid to : Tue Sep 08 16:04:47 CEST 2009
  Serial Number : 11248
  Generated with : SHA1withRSA
  Version : 3
  ------------------------------------