Versions Compared

Currently, two technologies are involved in Authentication (AuthN for short) and Authorization (AuthZ) in the computing grid:

  • Virtual Organization Membership Service (VOMS), based on the X.509 standard for SSL certificates;
  • JSON Web Token (JWT), based on OpenID Connect and OAuth2.

...

```bash
[ashtimmerman@ui-tier1 ~]$ voms-proxy-init --voms juno
Enter GRID pass phrase for this identity:
Created proxy in /tmp/x509up_u10171.
Your proxy is valid until Wed Jun 18 07:04:04 CEST 2025
```

...

```bash
[ashtimmerman@ui-tier1 ~]$ voms-proxy-info --all
subject   : /DC=org/DC=terena/DC=tcs/C=IT/O=Istituto Nazionale di Fisica Nucleare/CN=Aksieniia Shtimmerman ashtimmerman@infn.it/CN=1171514709
issuer    : /DC=org/DC=terena/DC=tcs/C=IT/O=Istituto Nazionale di Fisica Nucleare/CN=Aksieniia Shtimmerman ashtimmerman@infn.it
identity  : /DC=org/DC=terena/DC=tcs/C=IT/O=Istituto Nazionale di Fisica Nucleare/CN=Aksieniia Shtimmerman ashtimmerman@infn.it
type      : RFC3820 compliant impersonation proxy
strength  : 2048
path      : /tmp/x509up_u10171
timeleft  : 11:58:42
key usage : Digital Signature, Key Encipherment
=== VO juno extension information ===
VO        : juno
subject   : /DC=org/DC=terena/DC=tcs/C=IT/O=Istituto Nazionale di Fisica Nucleare/CN=Aksieniia Shtimmerman ashtimmerman@infn.it
issuer    : /DC=org/DC=terena/DC=tcs/C=IT/ST=Roma/O=Istituto Nazionale di Fisica Nucleare/CN=voms-juno.cloud.cnaf.infn.it
attribute : /juno/Role=NULL/Capability=NULL
timeleft  : 11:58:42
uri       : voms-juno.cloud.cnaf.infn.it:15008
```
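As an added example (not part of the original page), the following Python checks the text printed by voms-proxy-info --all before a job wrapper would use the proxy: an RFC 3820 proxy's subject must be the signer's DN plus exactly one extra CN, the VOMS attribute certificate must be held by the proxy identity, and both the proxy and the VO extension must keep enough time left. The sample output is constructed with shortened DNs and a deliberately shorter VO timeleft; the parser assumes the plain --all layout shown above, not the --chain one.

```python
import re
# Constructed sample modelled on the voms-proxy-info --all output above (DNs shortened).
SAMPLE = """\
subject   : /DC=org/DC=example/O=Example Org/CN=Jane Doe/CN=1171514709
issuer    : /DC=org/DC=example/O=Example Org/CN=Jane Doe
identity  : /DC=org/DC=example/O=Example Org/CN=Jane Doe
type      : RFC3820 compliant impersonation proxy
timeleft  : 11:58:42
=== VO juno extension information ===
VO        : juno
subject   : /DC=org/DC=example/O=Example Org/CN=Jane Doe
issuer    : /DC=org/DC=example/O=Example Org/CN=voms.example.org
attribute : /juno/Role=NULL/Capability=NULL
timeleft  : 02:30:00
"""

def parse_sections(text):
    sections, current = [], {}          # first dict: proxy; then one per VO block
    for line in text.splitlines():
        if line.startswith("==="):      # "=== VO <name> extension information ==="
            sections.append(current)
            current = {}
        elif ":" in line:               # first colon separates key from value
            key, value = line.split(":", 1)
            current.setdefault(key.strip(), []).append(value.strip())
    sections.append(current)
    return sections[0], sections[1:]

def to_seconds(hms):                    # "11:58:42" -> seconds left
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s

def check_proxy(text, vo, min_seconds):
    proxy, vos = parse_sections(text)
    problems = []
    subject, issuer = proxy["subject"][0], proxy["issuer"][0]
    if not proxy.get("type", [""])[0].startswith("RFC3820"):
        problems.append("not an RFC 3820 proxy")
    # An RFC 3820 proxy DN is the signing certificate's DN plus exactly one more CN.
    if not re.fullmatch(re.escape(issuer) + r"/CN=[^/]+", subject):
        problems.append("proxy subject is not the issuer DN plus one CN")
    if to_seconds(proxy["timeleft"][0]) < min_seconds:
        problems.append("proxy certificate expires too soon")
    ext = next((v for v in vos if v.get("VO", [""])[0] == vo), None)
    if ext is None:
        return problems + [f"no VOMS extension for VO {vo}"]
    if ext["subject"][0] != proxy["identity"][0]:
        problems.append("VOMS AC holder differs from proxy identity")
    if to_seconds(ext["timeleft"][0]) < min_seconds:
        problems.append("VOMS attribute certificate expires too soon")
    return problems
```

An empty list from check_proxy means the proxy can be used for a job needing min_seconds of validity; the VO extension can expire well before the proxy itself, which is why both timeleft fields are checked.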

Often, for debugging purposes, it is useful to display the entire certificate chain, including the intermediate and root certificates used to validate the proxy:

```bash
[ashtimmermanus@ui-tier1 ~]$ voms-proxy-info --all --chain
=== Proxy Chain Information ===
X.509 v3 certificate
Subject: CN=1479623907,CN=Aksieniia Shtimmerman ashtimmerman@infn.it,O=Istituto Nazionale di Fisica Nucleare,C=IT,DC=tcs,DC=terena,DC=org
Issuer: CN=Aksieniia Shtimmerman ashtimmerman@infn.it,O=Istituto Nazionale di Fisica Nucleare,C=IT,DC=tcs,DC=terena,DC=org
Valid from: Tue Jun 17 19:04:04 CEST 2025
Valid to: Wed Jun 18 07:04:04 CEST 2025
CA: false
Signature alg: SHA384WITHRSA
Public key type: RSA 2048bit
Allowed usage: digitalSignature keyEncipherment
Serial number: 1479623907
VOMS extensions: no.

X.509 v3 certificate
Subject: CN=Aksieniia Shtimmerman ashtimmerman@infn.it,O=Istituto Nazionale di Fisica Nucleare,C=IT,DC=tcs,DC=terena,DC=org
Issuer: CN=GEANT TCS Authentication RSA CA 4B,O=GEANT Vereniging,C=NL
Valid from: Fri Nov 22 09:08:54 CET 2024
Valid to: Mon Dec 22 09:08:54 CET 2025
Subject alternative names:
  email: aksieniia.shtimmerman@cnaf.infn.it
CA: false
Signature alg: SHA384WITHRSA
Public key type: RSA 2048bit
Allowed usage: digitalSignature keyEncipherment
Allowed extended usage: clientAuth emailProtection
Serial number: 101113208650839486715316733014861942537

=== Proxy Information ===
subject   : /DC=org/DC=terena/DC=tcs/C=IT/O=Istituto Nazionale di Fisica Nucleare/CN=Aksieniia Shtimmerman ashtimmerman@infn.it/CN=1479623907
issuer    : /DC=org/DC=terena/DC=tcs/C=IT/O=Istituto Nazionale di Fisica Nucleare/CN=Aksieniia Shtimmerman ashtimmerman@infn.it
identity  : /DC=org/DC=terena/DC=tcs/C=IT/O=Istituto Nazionale di Fisica Nucleare/CN=Aksieniia Shtimmerman ashtimmerman@infn.it
type      : RFC3820 compliant impersonation proxy
strength  : 2048
path      : /tmp/x509up_u10171
timeleft  : 11:42:28
key usage : Digital Signature, Key Encipherment
```

For removing the current VOMS proxy certificate:

...

Once registered with the token issuer (e.g. IAM), an access token can be retrieved using oidc-agent, which is available on ui-tier1. A full set of commands follows below.

...

```bash
eval "$(oidc-agent-service use)"
```

to the .bashrc file and load the changes with: source ~/.bashrc.

Then, one needs to register their own client (this has to be done only the first time, to create a new local IAM client):

```bash
$ oidc-gen -w device <device name>
```

following the steps required by the application, namely:

...