Lab Exercise: Security
-subject: shows your distinguished name (DN)
-enddate: shows when your certificate expires
$ grid-cert-info -subject
/C=US/O=National Center for Supercomputing Applications/CN=Mike Freemon
$ grid-cert-info -enddate
Nov 5 07:20:17 2006 GMT
The grid-cert-info command without any arguments will display all available information. Try it!
By entering the following command you will see a list of options that can be used with grid-proxy-init.
$ grid-proxy-init -help
$ grid-proxy-init
Your identity: /C=US/O=National Center for Supercomputing Applications/CN=Mike Freemon
Enter GRID pass phrase for this identity:
Creating proxy ............................................. Done
Your proxy is valid until: Wed Feb 23 00:47:13 2005
Your proxy certificate is now ready to use.
$ grid-proxy-init -debug -verify
User Cert File: /home/mfreemon/.globus/usercert.pem
User Key File: /home/mfreemon/.globus/userkey.pem
Trusted CA Cert Dir: /home/mfreemon/ldg-3.0//globus/TRUSTED_CA
Output File: /tmp/x509up_u500
Your identity: /C=US/O=National Center for Supercomputing Applications/CN=Mike Freemon
Enter GRID pass phrase for this identity:
Creating proxy ......................++++++++++++
....++++++++++++
Done
Proxy Verify OK
Your proxy is valid until: Wed Feb 23 00:53:13 2005
This output tells you where your certificate was retrieved from and which directory was used for the CA certificate. Your certificate was verified against this CA certificate and then the proxy was created.
$ grid-proxy-info -help
You should see a listing of the various options for this command.
$ grid-proxy-info -timeleft
This command will tell you how much time is left on your current proxy certificate. If you see a negative number, this means there is no time left on your certificate. If there is time left you will be shown the number of seconds left on the proxy. Now, while knowing the number of seconds left is useful, it is not always the best way to have information displayed.
$ grid-proxy-info
subject : /C=US/O=National Center for Supercomputing Applications/CN=Mike Freemon/CN=proxy
issuer : /C=US/O=National Center for Supercomputing Applications/CN=Mike Freemon
identity : /C=US/O=National Center for Supercomputing Applications/CN=Mike Freemon
type : full legacy globus proxy
strength : 512 bits
path : /tmp/x509up_u500
timeleft : 11:59:59
This command gives you all of your user certificate information.
Note the timeleft on the proxy. If there is no time left you will need to obtain a new proxy certificate using grid-proxy-init.
The other information displayed is defined as follows:
- subject Distinguished name (DN) of subject
- issuer DN of issuer (certificate signer)
- identity DN of the identity represented by the proxy
- type Type of proxy (full or limited)
- strength Key size (in bits)
- path Pathname of proxy file
- timeleft Time until proxy expires
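The fields defined above can be checked by a script before a proxy is relied on. The following is an added example, not part of the original lab: the function names (proxy_field, hms_to_seconds, audit_proxy) and the thresholds of 3600 seconds and 2048 bits are assumptions of this example, and SAMPLE is an abridged copy of the report shown above.

```shell
#!/bin/sh
# Constructed sample: the grid-proxy-info report shown in this lab (abridged).
SAMPLE='type : full legacy globus proxy
strength : 512 bits
path : /tmp/x509up_u500
timeleft : 11:59:59'

# Print the value of one field of a report. $1 = report text, $2 = field name.
proxy_field() {
    printf '%s\n' "$1" | sed -n "s/^$2 *: *//p" | head -n 1
}

# Convert the H:MM:SS form of timeleft to seconds; fails on any other form.
hms_to_seconds() {
    printf '%s\n' "$1" | awk -F: 'NF == 3 { print $1*3600 + $2*60 + $3; ok = 1 }
                                  END { exit !ok }'
}

# Print one finding per line; succeed only when there are none.
# $1 = report text, $2 = minimum seconds left, $3 = minimum key bits.
# Both thresholds are assumptions of this example, not values from the lab.
audit_proxy() {
    findings=0
    left=$(hms_to_seconds "$(proxy_field "$1" timeleft)") || left=0
    bits=$(proxy_field "$1" strength | awk '{ print $1 + 0 }')
    path=$(proxy_field "$1" path)
    if [ "$left" -lt "$2" ]; then
        echo "EXPIRING: ${left}s left, run grid-proxy-init"
        findings=$((findings + 1))
    fi
    if [ "${bits:-0}" -lt "$3" ]; then
        echo "WEAK-KEY: ${bits:-0} bits is below $3"
        findings=$((findings + 1))
    fi
    # The proxy holds an unencrypted private key: only its owner may read it.
    if [ -f "$path" ] && [ "$(ls -ld "$path" | cut -c1-10)" != "-rw-------" ]; then
        echo "PERMS: $path is not mode 0600"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# On a grid client: audit_proxy "$(grid-proxy-info)" 3600 2048
audit_proxy "$SAMPLE" 3600 2048 || true
```

Run against the sample, the audit reports only the 512-bit key; an unparseable or missing timeleft is treated as zero seconds left, so a missing proxy is reported as expiring.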
$ grid-proxy-init -hours 8
Your identity: /C=US/O=National Center for Supercomputing Applications/CN=Mike Freemon
Enter GRID pass phrase for this identity:
Creating proxy ................................ Done
Your proxy is valid until: Tue Feb 22 21:19:19 2005
$ grid-proxy-info
subject : /C=US/O=National Center for Supercomputing Applications/CN=Mike Freemon/CN=proxy
issuer : /C=US/O=National Center for Supercomputing Applications/CN=Mike Freemon
identity : /C=US/O=National Center for Supercomputing Applications/CN=Mike Freemon
type : full legacy globus proxy
strength : 512 bits
path : /tmp/x509up_u500
timeleft : 7:59:51
Note the new timeleft.
$ grid-proxy-destroy
$ grid-proxy-info
ERROR: Couldn't find a valid proxy.
Use -debug for further information.
As you can see, the proxy certificate has been removed from the system.
$ grid-proxy-init
Your identity: /C=US/O=National Center for Supercomputing Applications/CN=Mike Freemon
Enter GRID pass phrase for this identity:
Creating proxy ............................... Done
Your proxy is valid until: Wed Feb 23 01:25:46 2005
First, verify that the right ssh is in your path.
$ which ssh
~/ldg-3.0/globus/bin/ssh
The ssh that is found should be in the globus directory under your client toolkit software installation directory. If this is not the case, verify that you have run the setup program found in the LSC DataGrid client installation directory (i.e. ~/ldg-3.0/setup.sh). This script updates the environment variables (including PATH) that are needed by the LSC software.
$ ssh ldas-grid.ligo-la.caltech.edu
Posted January 12, 2004:
* The operating system on the cluster has been upgraded to Fedora Core 3.
* Condor has been upgraded to version 6.7.3.
* We have installed the LSC DataGrid Server package on the head node
ldas-grid.ligo.caltech.edu. This package is built on top of the Virtual
Data Toolkit (VDT) server package. It is installed in /ldcg/ldg.
The data grid server contains a number of useful Grid tools like the
Grid-OpenSSH client, the Grid-enabled FTP client, and LSCdataFind.
To setup your environment to use these tools: if you are a bash used add the
following to your .bash_profile:
if [ -f "${LSC_DATAGRID_SERVER_LOCATION}/setup.sh" ]; then
source ${LSC_DATAGRID_SERVER_LOCATION}/setup.sh
fi
or if you are a C shell user, add the following to your .login
if ( -r "${LSC_DATAGRID_SERVER_LOCATION}/setup.sh" ) then
source ${LSC_DATAGRID_SERVER_LOCATION}/setup.csh
endif
You should remove any older environment variables that you may have set up
to access the LSC data grid server.
* Please report any problems to ldas_admin_llo@ligo.caltech.edu
_______________________________________
[mfreemon@ldas-grid ~]$
You are now logged onto the ligo-server site and didn't have to enter your password.
$ grid-proxy-destroy
$ ssh ldas-grid.ligo-la.caltech.edu
mfreemon@ldas-grid.ligo-la.caltech.edu's password:
You should now see a request to enter your password.
Without a valid proxy certificate, the ssh client reverts to its normal authentication mechanisms. Enter your password (if you have one) and you should be logged onto the server site.
In fact, this ssh client is just a normal, standard ssh client with an additional authentication method built-in for grid environments. As a result, it can be used for any SSH connections to any SSH daemons -- not just grid servers.