
User Manual Draft


Contents

1. Figure 23: Enter the login details

The login details are:

1 10 12 19 31 25 Service Name Admin Guide Version 0 1

• Private Key Password: the password that the user defined for her/his certificate when she/he requested it from her/his certificate authority.
• MyProxy Username: the same username used to add the MyProxy information to the CIS (see Add MyProxy details).
• MyProxy Password: the same password used to add the MyProxy information to the CIS (see Add MyProxy details).

Appendix B

Compute password hash

The method String computeHashOf(String password) returns the hash of the password. This method is part of the SecurityUtilities, part of the helio shared component.

Encrypt Grid Information

The method String prepare(String proxyUserName, String proxyPassword) returns an encrypted string that contains the user name and password used to access the proxies stored in the MyProxy server. This method is part of the SecurityUtilities, part of the helio shared component.

Works Cited

Spring Security. (n.d.). Retrieved from Spring Security: http://static.springsource.org/spring-security/site/
2. Heliophysics Integrated Observatory
Project No.: 238969
Call: FP7 INFRA 2008 2

Community Interaction Service (CIS) User Manual, Draft

Title: Community Interaction Service User Manual
Document No.: HELIO TCD S3 002 UM
Date: 01 October 2012
Editor: Dr Gabriele Pierantoni, Trinity College Dublin
Contributors:
Distribution: Project

Service Name User Manual, Version 0.1

Revision History
0.1, 10/06/2012, Gabriele Pierantoni: First Draft
0.1, 23/07/2012, Anja Le Blanc: Added workflow description
0.2, 09/08/2012, Gabriele Pierantoni: Second Draft, added SOAP interface
0.3, 01/10/2012, Gabriele Pierantoni: Minor Corrections

Note: Any notes here

Table of Contents
Introduction
About the CIS
Simple Security Profile
Certificate based security Profile
User Preferences
How to Access the CIS
The Graphical User Interface
Simple User Operations
3. [Screenshot: HELIO Community Interaction Service, "Add MyProxy information for gab" form with the fields "Enter your proxy login name", "Enter your proxy password" and "Re-enter your proxy password", and a Submit button.]

Figure 8: Insert MyProxy Information

Here a user can add the login and password that HELIO will use to access the Grid Certificate stored in the MyProxy service.

Choice of admin role actions

[Screenshot: Community Interaction Service Administrator Page with the options: Remove a user; Modify or add a standard preference; Remove a standard preference; Add a user to the administrator list; Remove a user from the administrator list.]

Figure 9: Select the administrator actions

Here a user who has chosen to operate as an administrator can select the actions to perform.

Remove an account

Here an administrator can remove the account of another user.

Modify or add standard preferences

Here an administrator can modify the default value of a preference, add a new field for an existing service, or add a new service and a new field.

Screenshot text: "Now the standard preferences are", followed by the dpas fields (dpas_field_1 to dpas_field_3) and the hfe fields (hfe_field_1 to hfe_field_3) with their values, then the input boxes: Enter the service, Enter the field, E
4. correctly within a certain tolerance; the page shown in Figure 19 lets the user test that the time is correct within the required tolerance.

[Screenshot: CertWizard 0.2, Setup tab, step 3 "Date". Help text: "Please verify that the date on your machine is correct. Below, after the date and time, you will see an offset which indicates, in milliseconds, the difference between your clock value and the value that it is supposed to have. Pressing the Retest button will update the offset from a time server. We recommend that you synchronize your system clock using NTP." Status: "Your system clock appears to be synchronized (offset is within 10 sec tolerance)".]

Figure 19: Testing that the time is correct

Setup the MyProxy server

The final step in the setup of the certwizard is to enter the details of the MyProxy server used by Grid Ireland. The details of the MyProxy server are shown in Figure 20.

Screenshot text (MyProxy Server Configuration): Prop File: home pierang globus myproxyservers tcd myproxy properties; Server Name: TCD Proxy; Server DN Jj op
5. proxyPassword. The encoded string can be used as input to the authenticationAsString function of the CIS. The string returned by this function call should be used as the input hitAsString of the functions putFile and executeUserDefinedApplication of the processing service.

The remaining notes concern the processing service, which follows after the CIS authentication. Please note that the order of execution of the functions is significant.

1. Upload of executable code: function putFile. Parameters: the file content, i.e. the string of the code (fileContent); the file name of the code (fileName); and the security token returned from the CIS (hitAsString).
2. Execute the code on the processing service: function executeUserDefinedApplication, with the parameters fastExecution (supported values: true, false), jobFileName (the name you gave your code in step 1) and hitAsString (the security token returned from the CIS). The returned value is the executionId, which you will need to access your computation.
3. Check the status of the execution: function getStatusOfExecution. The parameter is the execution Id returned by the previous step. This function needs to be called until the status has changed from Running. Please note that execution on Grid facilities usually requires the job to be queued until it is executed. It is not advisable to check very frequently; twic
6. role.
• public void removeServiceInStandardPreference(String userName, String computeHashOf, String prefService): removes the defined service from the standard preferences. The user identified by userName and authenticated with her/his password hash must have the Administrator role.
• public void removeFieldInStandardPreference(String userName, String computeHashOf, String prefService, String prefField): removes the defined field of the defined service from the standard preferences. The user identified by userName and authenticated with her/his password hash must have the Administrator role.
• public Set<String> getRolesForUser(String name): returns all the roles granted to the user.
• public boolean validateUserAndRole(String name, String pwdHash, String role): returns true if the user is valid and is granted the defined role.
• public HashMap<String, HashMap<String, String>> getAllPreferencesForUser(String name): returns all the preferences of a user as a hashmap of hashmaps (upper level for services, lower level for fields).
• public HashMap<String, HashMap<String, String>> getAllStandardPreferences(): returns all the standard preferences as a hashmap of hashmaps (upper level for services, lower level for fields).
• public Set<String> getAllUserNames(): returns the names of all the users present in the CIS.
• public Set<String> getAllUserNamesWithRole(String role): returns all the names
7. Load the grid certificate into the certwizard
Setup the certificate authority
Test that the time on the user machine is updated
Setup the MyProxy server
Test the validity of the certificate
Upload the certificate to MyProxy
Appendix B
Works Cited

Table of Figures
Figure 1: Simple Security use of the CIS
Figure 2: Grid Security use of the CIS
Figure 3: Login Screen for the CIS
Figure 4: Simple User Actions
Figure 5: Change a password
Figure 6: View the user's preferences
Figure 7: Modify the user's preferences
Figure 8: Insert MyProxy Information
Figure 9: Select the administrator actions
Figure 10: Modi
8. 1. Creation of an account with HELIO
1.1 The user creates her/his own account in the CIS. This step can also be performed programmatically through the API.
2. Authentication and Authorization
2.1 The program running on behalf of the user, when it needs an Authentication Token (HELIO Identity Token, or HIT) to be issued on her/his behalf, invokes the authentication method from the CIS.
2.2 The CIS checks that the user is a HELIO registered user and issues the Authentication Token.
2.3 The Authentication Token is then sent to the services, which can use it to perform spring compliant authentication and authorization.

Step 1 has to be performed only once; steps 2.1 to 2.3 are executed whenever a user uses the HELIO system through its main front end or through other means such as the TAVERNA workbench.

Certificate based security Profile

HELIO also interacts with services that require authentication and authorization based on grid certificates. To support this scenario, the CIS connects to the HELIO components as sketched in Figure 2. In addition to the components and steps of Figure 1, the user has a Grid Certificate and uploads it to the CIS whenever she/he wants to use it for her/his authentication.

[Diagram labels: Personal Certificate; Community Interaction Service.]
9. Upload the certificate to MyProxy

Once the certwizard has been configured, the user can upload her/his certificate to the MyProxy server. Once this last step has been completed, the user will be able to use grid enabled security. To perform the upload, the user must select the right MyProxy server (Figure 22) and then upload the certificate to the MyProxy server (Figure 23).

[Screenshot: CertWizard 0.2, Use Your Installed Certificate tab. Options: "Create VOMS Proxy Credentials" and "Upload/Download Credentials to a MyProxy Server" (allows you and other applications to access your credentials remotely and when you are travelling). Selected MyProxy server: TCD Proxy (cagraidsvr20.cs.tcd.ie), with Upload and Download buttons.]

Figure 22: Select the MyProxy server

[Screenshot: "Upload to MyProxy Server" dialog for TCD Proxy. Upload options: Proxy Type "GT2 full legacy globus proxy (default)"; fields: Private Key Password, MyProxy Username, MyProxy Password.]
10. Figure 16: Select the pkcs7 format for the Grid Ireland Certificate Authority

[Screenshot: file chooser dialog with a File Name field.]

Figure 17: Select the downloaded certificates

[Screenshot: CertWizard 0.2, Setup tab, "CA Setup" step. The "My CA Certificate Locations" panel lists the configured CA certificates (UK e-Science Root, UK e-Science CA, UK e-Science CA 2A, UK e-Science CA 2B) next to Add, Remove and View buttons. Help text: "My CA Certificate Locations panel lists your configured CA certificates. You can add/remove certificates and directories that contain certificates to/from My CA Certificate Locations."]

Figure 18: Setup the Grid Ireland Certificate Authority

Test that the time on the user machine is updated

Certificate based security requires that the machine where the wizard runs has the time set
11. an add her/his MyProxy account information. This information will be added to her/his HELIO Authentication Token and will be used by the services that require certificate based security.

Administrator Operations

A user who is granted administrator privileges can modify the standard preferences that are given to all new users and can promote/demote users to the administrator role.

Login or create an account

Here a user can either log in or create an account. When a new account is created, it will be awarded simple user (i.e. not administrator) privileges.

[Screenshot: HELIO Community Interaction Service login form. "If you are already registered in HELIO enter your details below": Enter your name, Enter your password, Submit Query. "If you are not a registered user please follow this link to Create an account".]

Figure 3: Login Screen for the CIS

To create a new account, the following fields must be entered:

• name
• email (not mandatory)
• password

Choice of role

Here a user who has successfully logged in can choose the profile she/he wants to use: simple or, if she/he is entitled, administrator.

Choice of simple role actions

Here a user can select the actions to perform.

[Screenshot: HELIO Community Interaction Service menu: Change My Password; Add MyProxy Information; See my preferences; Modify my preferences; Delete my account.]

Figure 4: Simple User Actions

Change password

He
12. [Screenshot, continued: TACAR certificate list in the browser, with entries for LACGrid CA, UFF BrGrid CA, UK e-Science CA, UK e-Science Root and UNLP PKIGrid CA (each with Certificate Policy, Visit website and Install links and a SHA-1 fingerprint) and the "Download selection as pkcs7" button.]
13. Grid User Operations
Administrator Operations
Login or create an account
Choice of role
Choice of simple role actions
Change password
See the user's preferences
Modify the user's preferences
Remove your account
Add MyProxy details
Choice of admin role actions
Remove an account
Modify or add standard preferences
Remove standard preferences
To remove a field of an existing service
Add a user to the administrator list
Other Interfaces
Sample Workflows
How to Use the CIS
Appendix A
Setup the certwizard
14. d to upload the certificates into MyProxy are available in Upload the certificate to MyProxy.
3.2 The user adds her/his MyProxy login and password to her/his account on the CIS.
4. The user accesses HELIO with certificate based security
4.1 The program running on behalf of the user, when it needs an Authentication Token (HELIO Identity Token, or HIT) to be issued on her/his behalf, invokes the authentication method from the CIS.
4.2 The CIS checks that the user is a HELIO registered user and issues the Authentication Token with the embedded MyProxy information.
4.3 The Authentication Token is then sent to the services that need to perform Authentication and Authorization. If a service needs grid security, it can then locally download the proxy file from the MyProxy service.

Step 1 has to be performed only once, although, depending on the different national policies, Grid Certificates are usually re-issued on a yearly basis. Step 2 has to be performed only once. Step 3 has to be performed when the user wants to start using certificate based security. The validity of an update certificate is usually a week. Steps 4.1 to 4.3 are executed whenever a user uses the HELIO system through its main front end or through other means such as the TAVERNA workbench and requests certificate based authentication.

User Preferences

All HELIO users can define a set of preferences with which
15. e a minute is sufficient.
4. Request results: function getOutputOfExecution, with the execution Id (the output of step 2) as input parameter. As the result of this operation you receive the URL of the location of your output directory. There are usually two directories in it: one with the results and one with the error message.

Appendix A

The Certwizard is a tool that allows the management of Grid Certificates and the connections to the MyProxy services.

Setup the certwizard

Once the certwizard has been installed on the user's computer, it must be configured with the following actions.

Load the grid certificate into the certwizard

The first step, once the user has obtained her/his certificate from her/his national certificate authority, is to configure the certwizard to use it. If the certificate is available as pem files, the procedure is shown in Figure 13; if the certificate is available as a p12 file, the procedure is shown in Figure 14.

Screenshot text (CertWizard 0.2, Setup tab, step 1 "Your Installed Certificate and Key"): If you already have an e-Science Certificate: Export your certificate from your browser. In the Apply For/Manage Your Certificate tab, click the Import button to import your certificate into the too
16. [Screenshot: TACAR certificate list in Mozilla Firefox. Each entry has Visit website, Install and Certificate Policy links; the visible entries include GARR CA, the Grid Ireland Certification Authority ("provides X.509 certificates for identification and authentication purposes limited to Irish institutions of higher education involved in Grid projects"), GRID2-FR CA and GridKa CA.]

Figure 15: Select the certificates for the Grid Ireland Certificate Authority

[Screenshot: TACAR certificate list in Mozilla Firefox, continued.]
17. fy the default preferences
Figure 11: Promote a user to Administrator
Figure 12: Example workflow using CIS for authentication
Figure 13: Load the grid certificate as pem files into the certwizard
Figure 14: Load the grid certificate as p12 files into the certwizard
Figure 15: Select the certificates for the Grid Ireland Certificate Authority
Figure 16: Select the pkcs7 format for the Grid Ireland Certificate Authority
Figure 17: Select the downloaded certificates
Figure 18: Setup the Grid Ireland Certificate Authority
Figure 19: Testing that the time is correct
Figure 20: Enter the MyProxy details for Grid Ireland
Figure 21: Test if the settings are correct
Figure 22: Select the MyProxy server
Figure 23: Enter the login details

Introduction

The Community Interaction Service, or CIS, offers services for authentication, authorization and the management of users' preferences.

About the CIS

Authentication and Authorizat
18. ion, or more broadly the security services, deal in HELIO with two main types of services: the first, with simple requirements, performs authentication and authorization only locally, while the second, with more stringent requirements, not only needs local authentication and authorization but also uses services that need high security levels, like grids or distributed storage. To cater for both, the CIS issues a spring compliant security token for the services that perform only local authentication and authorization, which can also include information for higher level security services. The following sections describe the usage of the CIS for each of these functionalities.

Simple Security Profile

The CIS offers the means to manage accounts for HELIO and issues an authentication token that is compliant with the Spring Security framework (Spring Security) for local authorization. The interaction with the first type of service is sketched in Figure 1.

[Diagram: Desktop, Workflow Engine, Community Interaction Service, Server and Service, exchanging a HELIO Identity Token with no certificate information.]

Figure 1: Simple Security use of the CIS

To use the CIS for authentication and authorization with a simple security profile, the steps described in Figure 1 should be performed
19. l. Click Install. If you do not have an e-Science Certificate: In the Apply For/Manage Your Certificate tab. Options: Install from pfx/p12 file; Locate pem files. Cert file: home pierang globus usercert pem. Key file: home pierang globus userkey pem. Status: Personal certificate file successfully located; Private key file successfully located.

Figure 13: Load the grid certificate as pem files into the certwizard

Screenshot text (CertWizard, Setup tab, step 1 "Your Installed Certificate and Key"): If you already have an e-Science Certificate: Export your certificate from your browser. In the Apply For/Manage Your Certificate tab, click the Import button to import your certificate into the tool. Click Install. If you do not have an e-Science Certificate: In the Apply For/Manage Your Certificate tab. Options: Install from pfx/p12 file; Locate pem files. Browse for your certificate as pfx/p12 file and Install. Status: Personal cer
20. nistrator

Other Interfaces

The CIS functionalities are also accessible through the SOAP protocol, using the WSDL present at http cagnode58 cs tcd ie 8080 helio cis server cisService wsdl and http cagnode58 cs tcd ie 8080 helio cis server cisService cisService wsdl. This interface exposes the following methods:

• String test(String parameter): a simple method to test that the service is running. The parameter is not relevant, but it will be returned as part of the string being returned.
• Boolean validateUser(String name, String pwdHash): returns true if the user defined by the name and the password hash (the function to obtain the password hash is part of the security utilities explained in Compute password hash).
• void addUser(String name, String pwdHash): adds a user and the password hash to the CIS. The user will be given the standard preferences and will have only the simple user role at first.
• public void addUserWithEmail(String name, String email, String pwdHash): adds a user, her/his email and the password hash to the CIS. The user will be given the standard preferences and will have only the simple user role at first.
• public void removeUser(String name, String pwdHash): removes the user defined by name with credential pwdHash. If the hash of the password does not match the one stored in the CIS, the method will raise an exception and will not remove the user.
• public
21. nter the value, Submit Query

Figure 10: Modify the default preferences

To modify the default value:
• Put an existing service in the "Enter the service" box.
• Put an existing field for that service in the "Enter the field" box.
• Put the default value in the "Enter the value" box.

To add a new field with a default value to an existing service:
• Put an existing service in the "Enter the service" box.
• Put a new field in the "Enter the field" box.
• Put the default value in the "Enter the value" box.

To add a new field with a default value for a new service:
• Put a new service in the "Enter the service" box.
• Put a new field in the "Enter the field" box.
• Put the default value in the "Enter the value" box.

Remove standard preferences

Here an administrator can remove a field of an existing service, or remove a service with all its preferences.

To remove a field of an existing service:
• Put the service in the "Enter the service" box.
• Put the field you want to remove in the "Enter the field" box.

To remove a service with all its preferences:
• Put the service in the "Enter the service" box.

Add a user to the administrator list

Here an administrator can promote a simple user to administrator.

[Screenshot: HELIO Community Interaction Service. "Select the account from this list": gab, anja. "Enter the account to be promoted to administrator", Submit Query.]

Figure 11: Promote a user to Admi
22. of user that are granted a certain role present in the CIS.
• public void promoteAnotherUserToAdministrator(String userName, String computeHashOf, String anotherAccount): grants the user anotherAccount the administrator role. The user identified by userName and authenticated with her/his password hash must have the Administrator role.
• public void demoteAnotherUserFromAdministrator(String userName, String computeHashOf, String anotherAccount): revokes the administrator role from the user anotherAccount. The user identified by userName and authenticated with her/his password hash must have the Administrator role.
• void addGridInfoForUser(String name, String pwdHash, String gridInfo): allows a user to add the encrypted information that will be used by high security services to use grid certificate based security. The string gridInfo contains, in encrypted form, the username and password of the proxy user; the function to obtain the gridInfo is part of the security utilities explained in Encrypt Grid Information.

Sample Workflows

[Diagram: example workflow; the only legible label is statusOfExecution.]

Figure 12: Example workflow using CIS for authentication
23. re a user can change her/his password.

[Screenshot: HELIO Community Interaction Service, "Change Password for gab": Enter your new password, Re-enter your new password, Submit Query.]

Figure 5: Change a password

See the user's preferences

Here a user can see her/his preferences.

[Screenshot: HELIO Community Interaction Service, "Preferences for gab", listing the dpas fields (dpas_field_1 to dpas_field_3) and the hfe fields (hfe_field_1 to hfe_field_3) with their values, followed by "You have normal user privileges. Click here to modify your account".]

Figure 6: View the user's preferences

Modify the user's preferences

Here a user can modify the value of her/his preferences. A normal user cannot modify the general schema of the preferences, i.e. add/remove services or add/remove fields for services.

[Screenshot: the same preference list above the "Enter the service", "Enter the field" and "Enter the value" boxes and a Submit Query button.]

Figure 7: Modify the user's preferences

Remove your account

Here a user can remove her/his account.

Add MyProxy details
24. they can define how to access the HELIO services and display their results. Once a user is created, it is assigned a set of standard preferences that can be edited only by administrators; once assigned to the user, these standard preferences can be customized to her/his liking. The preferences structure is based on the structure of HELIO services:

• Service: the HELIO service that has to apply the user defined preferences. An administrator can add or remove any number of services.
  o Field: the field of the HELIO service that has to apply the user defined preferences. Administrators can remove or add any number of fields for each service.
    o Value: each field has a value associated with it. All users can modify this value; administrators can set the default value that is applied to all new users.

How to Access the CIS

The service is now accessible at http cagnode58 cs tcd ie 8080 helio cis server

The Graphical User Interface

The CIS exposes a simple user interface (http cagnode58 cs tcd ie 8080 helio cis server) to manage the accounts. The CIS caters for four main kinds of operations.

Simple User Operations

These operations are allowed for all HELIO users. Simple HELIO users can create and remove their account, change their password and modify the user preferences associated with their profile.

Grid User Operations

If a user owns a Grid Certificate, it c
25. [Figure 14: Load the grid certificate as p12 files into the certwizard]

Setup the certificate authority

After loading the user certificate to the wizard, the user must set the Certificate Authority to the wizard. To add the Grid Ireland Certificate Authority to the wizard, the user must:

- Download the Grid Ireland Certificate Authority certificate from https www tacar org cert list in pkcs7 format (Figure 15 and Figure 16).
- Setup the Grid Ireland Certificate Authority in the certwizard by pressing the Add New button and selecting the location of the downloaded certificate (Figure 18 and Figure 18).

[Figure: screenshot of the TACAR certificate list]
26. [Figure 20: Enter the MyProxy details for Grid Ireland. Form fields shown: Server Host cagraidsvr20 cs tcd ie, Server Port 7512, proxy strength in bits, maximum lifetime of the retrieved proxy, credential storage lifetime]

Test the validity of the certificate

Once the certwizard has been configured, the user can test if the settings are correct by checking the status of her/his certificate as described in Figure 21.

[Figure 21: test if the settings are correct]
27. The workflow in Figure 12 uses the CIS to authenticate to the service, which returns the string of the authentication token. The authentication token can be presented to the processing service (HPS) to accept user code for execution on the grid. In this workflow the URL to the user's execution code is given as an input to the workflow. Additionally, the users need the HELIO login and password and the login and password to the myProxy service. Note: the user's certificate must be a member of the HELIO group in the virtual organization.

How to Use the CIS

Before using the CIS you need to upload your Grid certificate to the myProxy service (see "Upload the certificate to MyProxy" in Appendix). We assume the user is successfully registered and their grid identity certificate is associated with the HELIO virtual organisation.

To enable security, the user has to encode his usernames and password before sending them to the CIS service. Helio shared version jar URL provides the functionality to encode this information:

    import eu.heliovo.shared.common.SecurityUtils;
    import eu.heliovo.shared.common.SerializationUtils;
    import eu.heliovo.shared.common.HIT;

    SecurityUtils secUtilities = new SecurityUtils();
    SerializationUtils serUtilities = new SerializationUtils();
    stringEncodedPW = serUtilities.toString(new HIT(userName, secUtilities.computeHashOf(password), secUtilities.prepare(proxyUserName
28. void removeAnotherUser(String user, String requester, String requesterPwdHash): removes the user defined by user. In order for this command to succeed, the requester identity (requester) and her/his password hash (requesterPwdHash) must belong to a valid user with administrator role.

- public boolean isUserPresent(String name): returns true if the user is present.
- public void changePwdHashForUser(String name, String oldPwdHash, String newPwdHash): changes the stored password hash for the user. The old password hash (oldPwdHash) must be the one stored in the CIS, otherwise the method will raise an exception.
- public String getPreferenceForUser(String user, String service, String field): returns all the preferences for the user expressed as a single string.
- void setPreferenceForUser(String name, String pwdHash, String service, String field, String value): sets the preferences for the service and field for the user identified by name and authenticated with her/his password hash. The structure of preferences in the CIS is explained in "See the user's preferences".
- public void setStandardPreference(String userName, String computeHashOf, String prefService, String prefField, String prefValue): sets the standard preferences that apply to all new users for the service and field. The user identified by userName and authenticated with her/his password hash must have Administrator
29. [Figure 2: Grid Security use of the CIS]

To use the CIS for certificate-based authentication and authorization, the steps described in Figure 1 should be performed:

1. The user requests a certificate if she/he does not have one already.
   1.1 Depending on the nationality, the user who wants to obtain a Grid Certificate should contact her/his national Certificate Authority.
   1.2 The user requests membership to the HELIO Virtual Organization in https cagraidsvr10 cs tcd ie 8443 voms vo helio vo eu StartRegistration do
2. Creation of an account with HELIO.
   2.1 The user creates her/his own account in the CIS. This step can also be performed programmatically through the API.
3. The user uploads her/his certificate to the CIS.
   3.1 The user uploads her/his own certificate to the MyProxy Service connected to the CIS and defines her/his proxy login and password on the MyProxy service. This step can be performed using the tool available in http tools ngs ac uk ngstools certwizard myproxy jnlp and the instructions available in http www ngs ac uk tools certwizard. Details on the procedure to setup the certwizard are available in "Setup the certwizard". Details on the procedure to use the certwizar
