Security and Credential Management on the Grid

Step 3: Creating a Certificate

Once you have distributed the CA setup package you generated in Step 2 to the users on your Grid, they will need to request a certificate. This is done using the command

# grid-cert-request

After you have entered a passphrase for the private key, the command will provide you with the following information:

  • Your Certificate Subject - As an example, if my account username were sam and my machines were in the sams-domain.org domain, the subject for my user certificate request would be:
    /O=Grid/O=SamsLittleCA/OU=sams-domain.org/CN=sam

  • CA Email - As you will notice, this is the same email address as you entered during CA setup back in Step 2.

This will generate a request for the certificate, which must be transferred to you (the CA) for signing. Once you receive this certificate request, you should do the following:

  1. Verify the authenticity of the requestor. If the certificate request file contains a subject that doesn't agree with the sender of the request (by email or other means), the request should be rejected. If you as the CA verify the subject matches the sender, the certificate can be signed. More stringent methods of request verification exist, such as person-to-person or contact by phone.
  2. Sign the certificate request. To do this, you must run the grid-ca-sign command with the certificate request as input. The output of this command is the signed certificate, which must be returned to the user. In our current example, the request generated above is signed as follows:
    # grid-ca-sign -in usercert_request.pem -out usercert.pem
    
    The request and signed certificate by default should be located in the ~/.globus/ directory of the user.

We note that in the future, the Globus Simple CA will be included in the Globus Toolkit distribution. This will allow users to bypass the download and installation steps of that software component.

Creating a Proxy Certificate

Once you have acquired a certificate from a CA, you are ready to begin using Grid security tools. Only one step remains: generating a proxy certificate. The proxy can be generated simply by running the command

# grid-proxy-init

Because the proxy is generated from the user certificate and private key, this command will require the password of the user's private key. Once run, the command writes the proxy certificate to /tmp/x509up_u[user-id], where the [user-id] is replaced with your user id for the system. The grid-proxy-init command does not automatically verify the validity of the user certificate and will continue to generate the proxy without error even for an invalid (e.g., expired) user certificate. The user can elect to use the -verify option to grid-proxy-init to verify the validity of the generated proxy certificate. The above command becomes

# grid-proxy-init -verify

Using the -verify option is a good way to find problems with your proxy certificate that might not otherwise appear. Not only will the -verify option catch expired or revoked user certificates, but it will also check a user's security configuration, which includes verifying that the CA's certificate is installed on the machine. These are all checks that secured Grid applications will perform anyway, so using the -verify option can be seen as a trial run for the security components of the Globus Toolkit.
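The two checks described above, the CA's comparison of the request subject with the sender in Step 3 and the chain and expiry checks that grid-proxy-init -verify performs, as an added example that is not part of the original article and not the Globus Simple CA code. It models the CA with the plain openssl command-line tool instead of grid-ca-sign and grid-proxy-init, so the reader can see exactly what each check consists of; the names SamsLittleCA, sams-domain.org and sam come from the article, while the working directory, the file names and the rule that the sender's username must equal the CN are assumptions of this example.

```shell
#!/bin/sh
# Added example: a toy CA built from the openssl CLI (not the Globus Simple CA
# and not code from the article) that performs the checks the article describes.
# Names SamsLittleCA, sams-domain.org and sam are the article's; the working
# directory, file names and the sender->CN rule are assumptions of this example.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA_DN="/O=Grid/O=SamsLittleCA/CN=Simple CA"

# Minimal openssl.cnf so 'openssl req' runs without the system config and the
# self-signed CA certificate carries the CA extensions verifiers look for.
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

# make_ca: key and self-signed certificate of the CA (stand-in for the package
# produced in Step 2). Returns openssl's exit status.
make_ca() {
    openssl req -x509 -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes \
        -days 365 -subj "$CA_DN" -keyout "$WORK/cakey.pem" \
        -out "$WORK/cacert.pem" >/dev/null 2>&1
}

# make_request: the user's side of Step 3 (what grid-cert-request produces),
# with the subject pattern from the article. $1 is the account username.
make_request() {
    openssl req -new -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes \
        -subj "/O=Grid/O=SamsLittleCA/OU=sams-domain.org/CN=$1" \
        -keyout "$WORK/$1_key.pem" -out "$WORK/$1_request.pem" >/dev/null 2>&1
}

# check_request: the CA's check from Step 3, item 1. $1 is the request file,
# $2 the username of whoever sent it (learned out of band, e.g. from the mail).
# Returns 0 only if the request is self-signed by the key inside it and its CN
# agrees with the sender; anything else is a reject (1).
check_request() {
    openssl req -noout -verify -in "$1" >/dev/null 2>&1 || return 1
    cn=$(openssl req -noout -subject -nameopt sep_multiline -in "$1" \
         | sed -n 's/^ *CN *= *//p')
    [ "$cn" = "$2" ]
}

# sign_request: Step 3, item 2 (what grid-ca-sign does), modelled with
# 'openssl x509 -req'. $1 is the username, $2 the validity in days.
sign_request() {
    openssl x509 -req -days "$2" -in "$WORK/$1_request.pem" \
        -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
        -out "$WORK/$1cert.pem" >/dev/null 2>&1
}

# verify_cert: the two checks grid-proxy-init -verify performs on the credential
# and that grid-proxy-init without -verify skips: the certificate must chain to
# the installed CA certificate, and it must still be valid $2 seconds from now
# (default 0, i.e. not expired right now). Returns 0 if both hold, 1 otherwise.
verify_cert() {
    openssl verify -CAfile "$WORK/cacert.pem" "$1" >/dev/null 2>&1 || return 1
    openssl x509 -noout -checkend "${2:-0}" -in "$1" >/dev/null 2>&1
}

demo() {
    make_ca
    make_request sam
    req="$WORK/sam_request.pem"
    check_request "$req" sam && echo "request from sam: subject agrees, sign it"
    check_request "$req" mallory || echo "same file sent by mallory: subject mismatch, reject"
    sign_request sam 1
    cert="$WORK/samcert.pem"
    verify_cert "$cert" && echo "samcert.pem: chains to SamsLittleCA and is not expired"
    verify_cert "$cert" $((3 * 86400)) || echo "samcert.pem: will have expired 3 days from now"
    # a self-signed certificate that merely copies sam's subject is not trusted
    openssl req -x509 -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Grid/O=SamsLittleCA/OU=sams-domain.org/CN=sam" \
        -keyout "$WORK/rogue_key.pem" -out "$WORK/rogue_cert.pem" >/dev/null 2>&1
    verify_cert "$WORK/rogue_cert.pem" || echo "rogue_cert.pem: does not chain to the installed CA"
}
demo
```

Run it as `sh grid_ca_checks.sh` (the file name is an assumption); it prints one line per check. The rogue certificate at the end is the reason the CA-certificate check matters: a subject string alone proves nothing, only a signature by the CA whose certificate is installed on the machine does, and grid-proxy-init without -verify would happily build a proxy from either credential.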

Sidebar Three: What if I need a host certificate?

Host certificates are generated the same way as user certificates, except that the -host option is used. On a machine with the hostname myhost, the resulting command would be

# grid-cert-request -host myhost.sams-domain.org

Where to Go from Here

We've just outlined basic credential management of Grid security with the Globus Toolkit. There are many directions to go from here. While the Globus Simple CA does provide useful functionality for many simple Grid environments, it may not provide all the functionality you require. Drawbacks of using the Simple CA include the following:
  1. The CA you create and manage from the Globus Simple CA package is trusted only by a small group of users (namely, you, and anyone you convince should trust it as well).
  2. The Globus Simple CA is designed with simplicity in mind. There is no central user interface for certificate management, and (although possible to extend) the Globus Simple CA does not include specific tools for certificate revocation.

If you see the potential of constructing your own Grid with a group of organizations, you will want to seriously consider the various CA software choices. Commercial and the more serious noncommercial CAs will generally publish a certification practice statement detailing the certificate issuance process. This document may help in your evaluation. Also, if you are aware of any legal issues, you may want to enlist the help of a lawyer. Numerous different CAs exist, and picking a CA that meets your needs can be a tricky business that should be undertaken with care.

Globus Toolkit is a registered trademark held by the University of Chicago.

This work was supported in part by the Mathematical, Information, and Computational Sciences Division subprogram of the Office of Advanced Scientific Computing Research, Office of Science, U.S. Department of Energy, under Contract W-31-109-ENG-38; by the National Science Foundation; by the NASA Information Power Grid program; and by IBM.

This article was originally published in ClusterWorld Magazine. It has been updated and formatted for the web. If you want to read more about HPC clusters and Linux you may wish to visit Linux Magazine.

Sidebar One: Grid Resources

Globus Website

Globus Tool Kit

Documentation

Sam Meder coordinates development of the Globus Toolkit security and Grid services core infrastructure areas.

Sam Lang implemented and continues to provide support for the Globus Simple CA software. He is currently an active developer on Globus Toolkit.

©2005-2012 Copyright Seagrove LLC, Some rights reserved. Except where otherwise noted, this site is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 2.5 License. The Cluster Monkey Logo and Monkey Character are Trademarks of Seagrove LLC.