Introduction to Programming and Computing for Scientists

Similar documents
NorduGrid ARC Tutorial

ARC Clients User Manual for ARC (client versions 1.0.0) and above

Generating and Installing SSL Certificates on the Cisco ISA500

How to Use Certificates for Additional Security

Getting Started with Amazon EC2 Management in Eclipse

UserGuide ReflectionPKIServicesManager

Sophos Mobile Control Installation guide. Product version: 3

A Brief Guide to Certificate Management

StoneGate SSL VPN Technical Note Adding Bundled Certificates

Creating and Managing Certificates for My webmethods Server. Version 8.2 and Later

The IVE also supports using the following additional features with CA certificates:

How to Obtain an APNs Certificate for CA MDM

Certificate technology on Pulse Secure Access

Direct Issuance of Proxy Certificate on P-GRADE Grid Portal Without Using MyProxy

Certificate technology on Junos Pulse Secure Access

How to Order and Install Odette Certificates. Odette CA Help File and User Manual

Smart Card Authentication. Administrator's Guide

Easy Setup Guide 1&1 CLOUD SERVER. Creating Backups. for Linux

Help. F-Secure Online Backup

TELNET CLIENT 5.11 SSH SUPPORT

Using Microsoft s CA Server with SonicWALL Devices

IGI Portal architecture and interaction with a CA- online

USING MYWEBSQL FIGURE 1: FIRST AUTHENTICATION LAYER (ENTER YOUR REGULAR SIMMONS USERNAME AND PASSWORD)

Using the Push Notifications Extension Part 1: Certificates and Setup

prefer to maintain their own Certification Authority (CA) system simply because they don t trust an external organization to

Use Enterprise SSO as the Credential Server for Protected Sites

The full setup includes the server itself, the server control panel, Firebird Database Server, and three sample applications with source code.

University of Toronto

Smart Card Authentication Client. Administrator's Guide

SecureAssess Local. Install Guide. Release 9.0

ARC Computing Element

1. Product Information

Secure Shell. The Protocol

Beyond Windows: Using the Linux Servers and the Grid

Online Backup Client User Manual Linux

Cisco Networking Academy Program Curriculum Scope & Sequence. Fundamentals of UNIX version 2.0 (July, 2002)

How to Order and Install Odette Certificates. Odette CA Help File and User Manual

Setting Up ALERE with Client/Server Data

Bitrix Site Manager ASP.NET. Installation Guide

Sophos Mobile Control Installation guide. Product version: 3.5

Secure Web Access Solution

RecoveryVault Express Client User Manual

MacroLan Azure cloud tutorial.

Egnyte for Power and Standard Users. User Guide

Unifying Information Security. Implementing TLS on the CLEARSWIFT SECURE Gateway

Using CertAgent to Obtain Domain Controller and Smart Card Logon Certificates for Active Directory Authentication

Online Backup Linux Client User Manual

Submitting batch jobs Slurm on ecgate. Xavi Abellan User Support Section

How to: Install an SSL certificate

Online Backup Client User Manual

How to Order and Install Odette Certificates. Odette CA Help File and User Manual

Handle Tool. User Manual

Generating and Renewing an APNs Certificate. Technical Paper May 2012

Senior Systems Cloud Services

Make a folder named Lab3. We will be using Unix redirection commands to create several output files in that folder.

Crypto Lab Public-Key Cryptography and PKI

Partek Flow Installation Guide

SSL Tunnels. Introduction

Installation and Configuration Guide

Step One: Installing Rsnapshot and Configuring SSH Keys

How to Configure Captive Portal

vcenter Operations Management Pack for SAP HANA Installation and Configuration Guide

How to Run Spark Application

Implementing Secure Sockets Layer on iseries

Version Control Using Subversion. Version Control Using Subversion 1 / 27

Installation and Deployment

McAfee Cloud Identity Manager

WS_FTP Professional 12

VP-ASP Shopping Cart Quick Start (Free Version) Guide Version 6.50 March

fåíéêåéí=péêîéê=^çãáåáëíê~íçêûë=dìáçé

Go to Policy/Global Properties/SmartDashboard Customization, click Configure. In Certificates and PKI properties, change host_certs_key_size to 2048

ADFS Integration Guidelines

Version Control with. Ben Morgan

COMMANDS 1 Overview... 1 Default Commands... 2 Creating a Script from a Command Document Revision History... 10

1 Download & Installation Usernames and... Passwords

WebSpy Vantage Ultimate 2.2 Web Module Administrators Guide

SBClient SSL. Ehab AbuShmais

SEZ SEZ Online Manual- DSC Signing with Java Applet. V Version 1.0 ersion 1.0

Online Backup Client User Manual

ASUS WebStorage Client-based for Windows [Advanced] User Manual

Astaro User Portal: Getting Software and Certificates Astaro IPsec Client: Configuring the Client...14

VMware Identity Manager Connector Installation and Configuration

NASA Workflow Tool. User Guide. September 29, 2010

Troubleshooting smart card logon authentication on active directory

Cloud Tools Reference Guide. Version: GA

Enterprise SSL Support

DIGITAL CERTIFICATE INSTALLATION MANUAL

WEBTITAN CLOUD. User Identification Guide BLOCK WEB THREATS BOOST PRODUCTIVITY REDUCE LIABILITIES

CSE 374 Programming Concepts & Tools. Laura Campbell (Thanks to Hal Perkins) Winter 2014 Lecture 16 Version control and svn

TMA Management Suite. For EAD and TDM products. ABOUT OneAccess. Value-Adding Software Licenses TMA

Editing Locally and Using SFTP: the FileZilla-Sublime-Terminal Flow

Getting Started Guide: Deploying Puppet Enterprise in Microsoft Azure

Installing IBM Websphere Application Server 7 and 8 on OS4 Enterprise Linux

How To Enable A Websphere To Communicate With Ssl On An Ipad From Aaya One X Portal On A Pc Or Macbook Or Ipad (For Acedo) On A Network With A Password Protected (

Apple Client Management with JAMF. Andrew D Huston Client Infrastructure Group Informa8on Services Kent State University

Open Directory. Contents. Before You Start 2. Configuring Rumpus 3. Testing Accessible Directory Service Access 4. Specifying Home Folders 4

IBM WebSphere Application Server Version 7.0

Transcription:

Oxana Smirnova (Lund University) Programming for Scientists Tutorial 7b 1 / 48 Introduction to Programming and Computing for Scientists Oxana Smirnova Lund University Tutorial 7b: Grid certificates and jobs

Update of 2014-12-19 Turns out that LU does not issue certificates to the students Still unclear whether it is due to policies or a technical issue Backup solution: we will use pre-installed certificates on the Iridium cluster We issued the certificates ourselves, so they are not good for any real purpose: we are not a trusted Certificate Authority Catch: you will have to do everything on a remote machine (Iridium) No graphical desktop, you ll have to type everything! Actually, this is how people work in Cloud Virtual Machines Log in to Iridium: ssh -X progcoursen@pptest-iridium.lunarc.lu.se Some useful commands a reminder: ls al mkdir something cd something cp ~/dir/file1 file2 geany & firefox & Oxana Smirnova (Lund University) Programming for Scientists Tutorial 7b 2 / 48

Oxana Smirnova (Lund University) Programming for Scientists Tutorial 7b 3 / 48 Step 1: Install public Certificate Authority certificates Before doing anything on the Grid, you will need to obtain IGTF Certificate Authorities certificates Packages are available from IGTF and some Grid repositories The packages include Certificate Revocation Lists (CRLs) Regular updates for CRL and IGTF packages must be in place Usually happens automagically Our computer has them already Inspect /etc/grid-security/certificates Hint: use ls -al

/etc/grid-security/certificates in the course Virtual Machine Oxana Smirnova (Lund University) Programming for Scientists Tutorial 7b 4 / 48

Oxana Smirnova (Lund University) Programming for Scientists Tutorial 7b 5 / 48 Step 2: get your own keys and certificates Private key and public certificate Grid uses PEM encoding for keys and certificates (ASCII) Standard file names: userkey.pem and usercert.pem Note: public key is inside the CA-signed certificate usercert.pem PKCS#12 formatted certificate containing private and public keys, as well as CA signature and CRL info PKCS#12 certificate (.p12) is used mostly by browsers, but can also replace PEM files in some Grid tools One can create PKCS#12 from PEM files One can also extract PEM files from PKCS#12

Work with the public and private keys: browser gymnastics Create a hidden directory ~/.globus This is the default location for Grid certificates Find the directory called certs in your home: it will contain two keys: userkey-progcoursen.pem usercert-progcoursen.pem Copy these files to userkey.pem and usercert.pem in ~/.globus Check that userkey.pem is readable only by you! Hint: use ls -al Use openssl command to create a.p12 certificate (one line): openssl pkcs12 -export -in usercert.pem -inkey userkey.pem -out cert.p12 -name "My toy certificate Hint: Google for grid certificate howto to find where to copy-and-paste from pass phrase for PEM key is the same as for SVN Export password is the one you will use in the browser You can use the same password in both cases Oxana Smirnova (Lund University) Programming for Scientists Tutorial 7b 28 / 48

Summary of the steps: Oxana Smirnova (Lund University) Programming for Scientists Tutorial 7b 29 / 48

Load the certificate into the browser (start firefox) Oxana Smirnova (Lund University) Programming for Scientists Tutorial 7b 30 / 48

Go to Advanced Certificates View Certificates Oxana Smirnova (Lund University) Programming for Scientists Tutorial 7b 31 / 48

In Your Certificates, find yours, and use Import to load one Oxana Smirnova (Lund University) Programming for Scientists Tutorial 7b 32 / 48

Make sure you can see hidden files: right-click and tick Oxana Smirnova (Lund University) Programming for Scientists Tutorial 7b 33 / 48

Browse down to.globus Oxana Smirnova (Lund University) Programming for Scientists Tutorial 7b 34 / 48

Select the.p12 file, use the password you used to create it Oxana Smirnova (Lund University) Programming for Scientists Tutorial 7b 35 / 48

You should now be able to view your certificate Oxana Smirnova (Lund University) Programming for Scientists Tutorial 7b 36 / 48 Take some time to view the certificate content

On to Grid: create a proxy! Oxana Smirnova (Lund University) Programming for Scientists Tutorial 7b 37 / 48 Simply type arcproxy and enter your Grid password (PEM pass phrase for the private key)

Oxana Smirnova (Lund University) Programming for Scientists Tutorial 7b 38 / 48 What actually arcproxy does? A new private/public key pair is created for each proxy When a proxy expires, a new one must be created to continue working Default expiration time is 24 hours A proxy is then constructed of: 1. Public certificate (with public key embedded) Certificate contains modified owner s Distinguished Name (has proxy appended to the name) Owner s DN: /C=UK/O=Grid/OU=CenterA/L=LabX/CN=john doe Proxy DN: /C=UK/O=Grid/OU=CenterA/L=LabX/CN=john doe/cn=proxy Certificate is signed by the proxy owner s real private key Certificate contains validity period 2. Private key 3. Optionally, Attribute Certificates extensions containing additional information

Oxana Smirnova (Lund University) Programming for Scientists Tutorial 7b 39 / 48 The tale of two proxies A user always has to create a proxy certificate P1 Technically, it can be sent to the server, but it is a security breach Any Grid server (e.g. a Computing Element) creates itself a delegated proxy P2 for each user request: 1. Server generates a new private/public key pair (yes, that s a 3 rd one...) 2. Server returns the generated public key as a certificate request to the user 3. User s tool signs that public key and inserts user information (DN etc), thus generating a public certificate. It uses the private key of proxy P1 for performing signing operation. It can also use the actual private key, but that will require entering password every time! 4. User s tool sends the signed public certificate back to the server 5. Server adds generated private key to that certificate and creates a delegated proxy P2

Oxana Smirnova (Lund University) Programming for Scientists Tutorial 7b 40 / 48 What s the use of VOMS A Grid user must become a member of a VO VOMS is the most common VO management system A Grid cluster administrator gets the list of authorised users from the VOMS database VOMS can add extra VO information to your proxy, if necessary For example, your VO role, group etc You should use arcproxy with special command-line options to request such extra information to be added In today s exercise, we won t use it because VOMS servers do not trust our toy certificates

Oxana Smirnova (Lund University) Programming for Scientists Tutorial 7b 41 / 48 Summary of the proxies Luckily, all authentication and delegation procedures are a part of the protocol, you only need to create a proxy You have to create a proxy before every Grid activity Proxies expire quickly! Resist temptation to create long-living proxy: this will undermine your security Proxies may have special extensions, specific to Virtual Organisations If you forget your Grid password (PEM pass phrase), and even the browser Import Password, you will have to request a new certificate

Oxana Smirnova (Lund University) Programming for Scientists Tutorial 7b 42 / 48 Workflow: Grid vs PC/cluster PC/cluster Grid Log in via SSH Different logins on different machines Create proxy One for all machines Familiarize with the environment Customize the environment Prepare for batch submission OS, installed software, storage space, batch system, sysadmin etc Pathes, environment variables, own software, scripts, data files etc Interactive execution of short jobs, optimization of batch scripts Create a Grid job description document Test a couple of jobs, fix job description Generalization of batch scripts, plus input/output data location etc Submit jobs to the batch system, check their status Different batch systems (or none) on different machines Submit jobs to the Grid, check their status Same commands for all machines Log out Watch output appearing in the desired location Or fetch it manually Log in later to fetch the output

Simplest Grid job submission Oxana Smirnova (Lund University) Programming for Scientists Grid CE Batch system Tutorial 7b 43 / 48 Your Grid client should: Create a proxy: arcproxy Submit the job description document to the cluster: arcsub c arc-iridium.lunarc.lu.se hello_grid.xrsl arcsub will refuse submission if the cluster does not meet job requirements See the ARC Clients manual for info about all ARC client commands: http://www.nordugrid.org/documents/arc-ui.pdf The CE on the cluster should: Check whether you are authorised Fetch input file (if requested) Convert job description to a batch script and start a batch job Upload output file (if requested) PC Grid client Cluster 1 CPU CPU CPU CPU

Simplest Grid job description: hello_grid.xrsl &( executable = "/bin/echo" ) ( arguments = "hello grid" ) ( stdout = "stdout_file" ) ( stderr = "error_file" ) ( cputime = "13" ) ( gmlog = "grid_log" ) ( jobname = "hello_grid" ) attribute value Yes, this is yet another language: XRSL extended Resource Specification Language File extension is.xrsl XRSL is not a standard language, but no standard exists There are many other Grid languages and meta-languages XRSL is an ARC extension of the original Grid language by Globus It was actually modelled on the LDAP database query language Is a list of attribute-value pairs Oxana Smirnova (Lund University) Programming for Scientists Tutorial 7b 44 / 48

Oxana Smirnova (Lund University) Programming for Scientists Tutorial 7b 45 / 48 Main attributes of job description Job attribute description Attribute name (XRSL) Example value Main executable (binary or script) executable MyAnalysis.py Arguments of the executable arguments -i input.dat -o output.dat Input files inputfiles https://store.lu.se/physlab/2012/file1.dat Output files outputfiles https://store.lu.se/physlab/2014/file1.dat Standard input file stdin stdin.txt Standard output file stdout stdout.txt Standard error file stderr stderr.txt Time (used by CPU) cputime 1 hour Memory (maximum needed, Mbytes) memory 1000 Disk space (maximum needed, Mbytes) disk 1000 Job name jobname My data analysis Number of slots (cores) for the job count 36 and many others: ARC job description language XRSL has 37 attributes, see http://www.nordugrid.org/documents/xrsl.pdf

Oxana Smirnova (Lund University) Programming for Scientists Tutorial 7b 46 / 48 Create and submit your hello_grid.xrsl Prepare job description for the Hello Grid task: Use Geany to create a file hello_grid.xrsl Use at least the following XRSL attributes: executable, arguments, jobname Hint: copy the example from the previous slide Submit your first Grid job to our Iridium cluster: First, make sure you have a valid proxy: arcproxy -I Use the arcsub command with explicit cluster selection: arcsub c arc-iridium.lunarc.lu.se hello_grid.xrsl Find the returned job ID (a long string that looks like a URL) Check the job s status: arcstat <jobid> Check what the job session directory looks like on the cluster: arcls <jobid> Check what does the job print out: arccat <jobid>

Oxana Smirnova (Lund University) Programming for Scientists Tutorial 7b 47 / 48 Manipulate the jobs: kill, retrieve Submit a couple more jobs You may want to change the job names in hello_grid.xrsl Or you may even want to change what do the jobs produce Check the status of all your jobs: arcstat -a Terminate some of them and check the status afterwards: arckill k <jobid> arcstat <jobid> -k here means keep the job files, otherwise they will be wiped out Retrieve job results (download job output): arcget -k <jobid> -k here has the same meaning as for arckill Find where the downloaded files are, and look what is there Inspect the content of the gmlog sub-directory: it has files useful for error diagnostics and debugging

Oxana Smirnova (Lund University) Programming for Scientists Tutorial 7b 48 / 48 If you have some time left Find the hidden directory ~/.arc and file client.conf therein Open client.conf in Geany (or any other editor) Find blocks [registry/index1], [registry/index2] etc and uncomment them and their content Save client.conf and quit the editor Try to submit hello_grid.xrsl to the entire Grid arcsub hello_grid.xrsl

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information