An Introduction to Grid Technologies at NERSC
June 24, 2004
David Turner
NERSC User Services Group
dpturner@nersc.gov
510-486-4027

Topics
• Definitions
• Certificates
  — Acquiring
  — Using
• Tools and Services
  — Current
  — Soon
  — Future
• Resources

What is “The Grid”?
• The Globus view
  — Grids are persistent environments that enable software applications to integrate instruments, displays, computational and information resources that are managed by diverse organizations in widespread locations. (http://www.globus.org)
• The NERSC implementation
  — File transfer and data management
  — Remote job submission
  — Portals

What is “Globus”?
• The Globus Alliance is a research and development project focused on enabling the application of Grid concepts to scientific and engineering computing.
  — Argonne National Laboratory’s Mathematics and Computer Science Division
  — University of Chicago’s Distributed Systems Laboratory
  — University of Southern California’s Information Sciences Institute
  — University of Edinburgh
  — Swedish Center for Parallel Computers

What is “Globus”, Really?
• The Globus Toolkit is a middleware package from the Globus Alliance
  — De facto standard for Grid “platform”
  — Client software
    • Command-line tools
    • Application development libraries
    • Installed on seaborg, escher, newton, and PDSF
  — Server software
    • Installed on seaborg, escher, newton, PDSF, HPSS, and web servers
  • Version 2.4.3 supported on most systems (PDSF is between 2.2.4 and 2.4.3)
  • Available for “most” desktop systems

Globus Software Tools
• Client software
  — Certificate management tools
    • grid-cert-info, grid-proxy-init, grid-proxy-info, grid-proxy-destroy
  — File transfer commands
    • globus-url-copy, uberftp, pftp_gsi
• Server software
  — GridFTP, Gatekeeper, MyProxy
• “Portals”
  — Combine characteristics of client and server

Using Globus at NERSC
• To use client software:
    % module load globus
    % echo $GLOBUS_LOCATION
    /usr/common/globus/gt243
• GridFTP servers run on:
    seaborg-g1.nersc.gov
    garchive.nersc.gov
    escher.nersc.gov
    pdsfgrid[1-3].nersc.gov
    newton0[1-4].eth1.nersc.gov

Security Definitions
• Authentication
  — Verifying that someone is who they claim to be
  — Required to run client software
  — Based on certificates
• Authorization
  — Determining if an authenticated person has access to a particular resource or service
  — Typically implemented with a grid-mapfile
• Globus security model based on Grid Security Infrastructure (GSI)

Certificate Definitions
• A document attesting to the truth of certain stated facts.
• A document that is used to certify that a user or organization is who they say they are. It contains information about who it belongs to, who it was issued by, the expiry date, and information that can be used to verify the contents of the certificate.
• Implements ISO X.509 — Public Key Infrastructure (PKI)

Certificate Characteristics
• Opaque
• Issued by recognized Certificate Authority (CA)
• Stored inside a web browser
  — Netscape/Mozilla: Edit->Preferences->Privacy&Security->Certificates->Manage Certificates
  — Internet Explorer: Tools->Internet Options->Content->Certificates
  — Exported from browser to disk file
  — Globus tools to query contents of file
• Can be exported from browser into file
  — Move from system to system

Types of Certificates
• Personal certificate — a.k.a. client certificate
• Host certificate — a.k.a. server certificate
• CA certificate — a.k.a. root certificate

Certificates at NERSC
• Acquired from a CA
  — Local institution
  — DOEGrids (administered by ESnet)
  — NERSC
• Enter Distinguished Name (DN) of Subject and Issuer into NERSC Information Management (NIM) system
  — Required for authorization (to access servers)
  — Propagates to local grid-mapfiles
  — http://nim.nersc.gov

DOEGrids Certificate Process (diagram: CA, Browser, “p12” file, usercert.pem, userkey.pem, proxy cert x509up_u12345, NIM with Subject DN and Issuer DN)

Getting a DOEGrids Certificate
• To allow your browser to trust DOEGrids: http://www.doegrids.org/pages/How-To-Import.html
  — Follow directions, including restarting browser
• To acquire personal certificate: https://pki1.doegrids.org/
  — Provide all requested fields, click “Submit”
  — Wait for email with further instructions
    • Click on “Import Your Certificate”
    • Personal certificate now stored in browser
    • Valid for 1 year


Got a Cert; Now What?
• Put certificate into “p12” file
  — Netscape Navigator: Edit->Preferences->Privacy&Security->Certificates->Manage Certificates
    • Select certificate, click “Backup”
    • Provide file name, password(s)
  — Internet Explorer: Tools->Internet Options->Content->Certificates
    • Select certificate, click “Export”
    • Provide file name, password(s)
  — File name extension: .p12 or .pfx
  — PROTECT THIS FILE!


Have “p12” File; Now What?
• If necessary, copy file to machine with globus installed
  — seaborg, escher, newton, pdsf
• Extract certificate (which contains public key)
    openssl pkcs12 -in YourCert.p12 -clcerts -nokeys -out ~/.globus/usercert.pem
• Extract private key
    openssl pkcs12 -in YourCert.p12 -nocerts -out ~/.globus/userkey.pem
• Set permissions to owner read/write
    chmod go-rwx ~/.globus/user*.pem
• Protect these files!


Querying Your Certificate
% grid-cert-info
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1918 (0x77e)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: DC=org, DC=DOEGrids, OU=Certificate Authorities, CN=DOEGrids CA 1
        Validity
            Not Before: Jun 17 17:32:11 2004 GMT
            Not After : Jun 17 17:32:11 2005 GMT
        Subject: DC=org, DC=doegrids, OU=People, CN=David Turner 460392
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    (hex omitted)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Netscape Cert Type:
                SSL Client, SSL Server, S/MIME
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Authority Key Identifier:
                keyid:CA:19:1D:12:8E:6E:A4:38:5D:42:D4:31:0E:08:DB:D9:8D:17:0D:5D
            X509v3 Subject Alternative Name:
                email:dpturner@lbl.gov
    Signature Algorithm: sha1WithRSAEncryption
        (hex omitted)

Certificate Information in NIM
• Log in to NIM
• Click “Grid Certificates” tab in lower frame

Informing NIM of Your Cert
    % grid-cert-info -subject
    /DC=org/DC=doegrids/OU=People/CN=David Turner 460392
    % grid-cert-info -issuer
    /DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1
• In NIM, click “Add existing certificate to NIM”
• Cut-and-paste Subject and Issuer DN
• Click “Add Certificate”


Have “pem” Files; Now What?
• Create “proxy certificate”
  — Usually has a limited lifetime
    • Default 12 hours
    • Maximum 1 year
  — Creates $HOME/.globus/x509up_u12345
    grid-proxy-init [-valid h:m]


Querying Your Proxy Cert
% grid-proxy-info
subject  : /DC=org/DC=doegrids/OU=People/CN=David Turner 460392/CN=proxy
issuer   : /DC=org/DC=doegrids/OU=People/CN=David Turner 460392
identity : /DC=org/DC=doegrids/OU=People/CN=David Turner 460392
type     : full legacy globus proxy
strength : 512 bits
path     : /usr/common/homes/d/dpturner/.globus/x509up_u17931
timeleft : 11:58:33
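As an added example (not code from the slides, from Globus, or from NERSC), the following Python shows the two steps the Security Definitions slide separates: the identity DN is recovered from the proxy subject shown above by stripping the trailing proxy CN components, and that identity is then looked up in a grid-mapfile, which is how authorization is decided. The grid-mapfile content and local account names are constructed; the DN is the one printed by grid-proxy-info above.

```python
"""GSI authorization check: map a proxy subject to a grid-mapfile entry.

Added example, not from the NERSC slides. Derives the identity DN from a
proxy subject, then authorizes it against a grid-mapfile. Sample mapfile
content and account names are constructed for illustration.
"""
import re
from typing import Dict, List, Optional

# Trailing CN components that mark a proxy in the subject DN: legacy Globus
# proxies use "proxy" / "limited proxy", RFC 3820 proxies use a numeric CN.
# All of them are stripped (repeatedly, for proxies of proxies) to recover
# the end-entity identity, matching the "identity" line of grid-proxy-info.
_PROXY_CN = re.compile(r"/CN=(proxy|limited proxy|\d+)$")


def proxy_identity(subject: str) -> str:
    """Return the identity DN for a proxy subject (unchanged if not a proxy)."""
    while True:
        stripped = _PROXY_CN.sub("", subject)
        if stripped == subject:
            return subject
        subject = stripped


def parse_grid_mapfile(text: str) -> Dict[str, List[str]]:
    """Parse grid-mapfile lines: a double-quoted DN followed by one or more
    comma-separated local user names. Blank lines and '#' comments are skipped."""
    mapping: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'^"([^"]+)"\s+(\S+)$', line)
        if not m:
            raise ValueError(f"malformed grid-mapfile line: {line!r}")
        mapping[m.group(1)] = m.group(2).split(",")
    return mapping


def authorize(proxy_subject: str, mapfile: Dict[str, List[str]]) -> Optional[str]:
    """Return the first local account mapped to the proxy's identity, or None
    when the identity has no entry (authenticated but not authorized)."""
    users = mapfile.get(proxy_identity(proxy_subject))
    return users[0] if users else None


# Constructed sample grid-mapfile (account names are invented).
SAMPLE_MAPFILE = parse_grid_mapfile('''
# DN -> local account(s)
"/DC=org/DC=doegrids/OU=People/CN=David Turner 460392" dpturner
"/DC=org/DC=doegrids/OU=People/CN=Example User 000001" euser,euser2
''')

if __name__ == "__main__":
    subj = "/DC=org/DC=doegrids/OU=People/CN=David Turner 460392/CN=proxy"
    print(proxy_identity(subj), "->", authorize(subj, SAMPLE_MAPFILE))
```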

Proxy Certificate Issues
• Managing Grid credential files (“pem” files containing certificate/public key and private key) is a nuisance.
• Security
  — Keys can be stolen if account compromised.
  — Copies on multiple machines increase exposure.
• One solution: MyProxy server

Using MyProxy
• To place Grid credentials into MyProxy server:
    myproxy-init [-t hours]
  — Default lifetime on server is one week.
  — Can now remove “pem” files from local file system.
• To retrieve proxy delegation:
    myproxy-get-delegation
• To query credentials on server:
    myproxy-info
• To remove credentials from server:
    myproxy-destroy

Using MyProxy Delegation
• A MyProxy delegation is another form of a proxy certificate:
    grid-proxy-info
    grid-proxy-destroy
• Once the delegation is in place, the user can run Globus client software.

Isn’t There a Simpler Way?
• NERSC-managed certificates
  — Issued by “NERSC CA” (actually “DOEGrids CA 2”)
  — Created entirely in NIM
  — Delivered directly to MyProxy server
  — One-year lifetime
  — User never handles “p12” file or “pem” files
  — Not widely trusted (YET!)

Getting a NERSC Certificate
• Log in to NIM
• Click “Grid Certificates” tab
• Click “Create a new NERSC-managed certificate in NIM” link

But What Does Globus Do?
• GridFTP file transfer commands
  — globus-url-copy
    globus-url-copy -nodcau gsiftp://seaborg-g1.nersc.gov/path1/file1 gsiftp://garchive.nersc.gov/path2/file2
  — uberftp
    • Complete GridFTP interactive client
    • Third-party transfers using “lopen” command
    uberftp -a GSI -P 2811 -H garchive.nersc.gov
  — pftp_gsi
    • NERSC-developed pftp client with GSI authentication
    pftp_gsi garchive.nersc.gov

Other File Transfer Tools
• GridFTP API
  — Transfer data directly from batch jobs to visualization system at PPPL
• Grid File Yanker (GFY) portal
  — Reliable transfer
• VisPortal

Globus Future at NERSC
• Remote job submission and monitoring
• NERSC Portal
• Continuing evolution of authentication and authorization
  — GridLogon

Resources
• Web
  — http://www.nersc.gov/nusers/help/access/globus.php
  — http://nim.nersc.gov/
  — http://www.doegrids.org/
  — http://www.globus.org/
  — http://dims.ncsa.uiuc.edu/set/uberftp/
  — http://www.google.com/
• Human
  — consult@nersc.gov
  — 1-800-66-NERSC, option 3
  — 1-510-486-8600, option 3

The End
