Currently, two technologies are involved in Authentication (AuthN for short) and Authorization (AuthZ) on the computing grid:
- Virtual Organization Membership Service (VOMS), based on X.509 certificates (the same standard used for TLS server certificates) extended with RFC 3820 proxy certificates;
- JSON Web Tokens (JWT, in the WLCG and SciTokens profiles), based on OpenID Connect and OAuth 2.
These technologies allow users to interact with the grid middleware, for example HTCondor-CE and ARC-CE for computing job submission, and StoRM WebDAV, dCache, XRootD, etc. for storage management. This guide provides instructions for using the corresponding command line clients.
VOMS
A VOMS proxy is a file, typically stored in /tmp/x509up_u$UID, that contains a certificate chain and a private key, to be used to interact with grid middleware. The proxy descends from a grid-enabled personal certificate (i.e. one issued by an IGTF-accredited CA) and is shorter-lived, typically 12 hours. Because the private key in the proxy file is not passphrase-protected, the file is created with mode 0600: anyone able to read it can act with the user's identity until the proxy expires.
To generate a proxy certificate without VOMS extensions, issue the following command:
| Code Block |
|---|
|
[ashtimmerman@ui-tier1 ~]$ voms-proxy-init
Enter GRID pass phrase for this identity:
Created proxy in /tmp/x509up_u10171.
Your proxy is valid until Wed Jun 18 07:04:04 CEST 2025 |
To generate a proxy certificate with VOMS extensions (i.e. carrying the VO membership attributes the services authorize against), use the following command:
| Code Block |
|---|
|
$ voms-proxy-init --voms <VO_name>
[ashtimmerman@ui-tier1 ~]$ voms-proxy-init --voms juno
Enter GRID pass phrase for this identity:
Contacting voms-juno.cloud.cnaf.infn.it:15008 [/DC=org/DC=terena/DC=tcs/C=IT/ST=Roma/O=Istituto Nazionale di Fisica Nucleare/CN=voms-juno.cloud.cnaf.infn.it] "juno"...
Remote VOMS server contacted succesfully.
Created proxy in /tmp/x509up_u10171.
Your proxy is valid until Mon Jun 30 22:14:31 CEST 2025 |
To display basic information about the current VOMS proxy, including the VO attributes it carries, use the following command:
| Code Block |
|---|
|
[ashtimmerman@ui-tier1 ~]$ voms-proxy-info --all
subject : /DC=org/DC=terena/DC=tcs/C=IT/O=Istituto Nazionale di Fisica Nucleare/CN=Aksieniia Shtimmerman ashtimmerman@infn.it/CN=1171514709
issuer : /DC=org/DC=terena/DC=tcs/C=IT/O=Istituto Nazionale di Fisica Nucleare/CN=Aksieniia Shtimmerman ashtimmerman@infn.it
identity : /DC=org/DC=terena/DC=tcs/C=IT/O=Istituto Nazionale di Fisica Nucleare/CN=Aksieniia Shtimmerman ashtimmerman@infn.it
type : RFC3820 compliant impersonation proxy
strength : 2048
path : /tmp/x509up_u10171
timeleft : 11:58:42
key usage : Digital Signature, Key Encipherment
=== VO juno extension information ===
VO : juno
subject : /DC=org/DC=terena/DC=tcs/C=IT/O=Istituto Nazionale di Fisica Nucleare/CN=Aksieniia Shtimmerman ashtimmerman@infn.it
issuer : /DC=org/DC=terena/DC=tcs/C=IT/ST=Roma/O=Istituto Nazionale di Fisica Nucleare/CN=voms-juno.cloud.cnaf.infn.it
attribute : /juno/Role=NULL/Capability=NULL
timeleft : 11:58:42
uri : voms-juno.cloud.cnaf.infn.it:15008 |
Often, for debugging purposes, it is useful to display the entire certificate chain contained in the proxy file, i.e. the proxy certificate together with the personal certificate it descends from and their issuers; use the following command:
| Code Block |
|---|
|
[ashtimmermanus@ui-tier1 ~]$ voms-proxy-info --all --chain
=== Proxy Chain Information ===
X.509 v3 certificate
Subject: CN=1479623907,CN=Aksieniia Shtimmerman ashtimmerman@infn.it,O=Istituto Nazionale di Fisica Nucleare,C=IT,DC=tcs,DC=terena,DC=org
Issuer: CN=Aksieniia Shtimmerman ashtimmerman@infn.it,O=Istituto Nazionale di Fisica Nucleare,C=IT,DC=tcs,DC=terena,DC=org
Valid from: Tue Jun 17 19:04:04 CEST 2025
Valid to: Wed Jun 18 07:04:04 CEST 2025
CA: false
Signature alg: SHA384WITHRSA
Public key type: RSA 2048bit
Allowed usage: digitalSignature keyEncipherment
Serial number: 1479623907
VOMS extensions: no.
X.509 v3 certificate
Subject: CN=Aksieniia Shtimmerman ashtimmerman@infn.it,O=Istituto Nazionale di Fisica Nucleare,C=IT,DC=tcs,DC=terena,DC=org
Issuer: CN=GEANT TCS Authentication RSA CA 4B,O=GEANT Vereniging,C=NL
Valid from: Fri Nov 22 09:08:54 CET 2024
Valid to: Mon Dec 22 09:08:54 CET 2025
Subject alternative names:
email: aksieniia.shtimmerman@cnaf.infn.it
CA: false
Signature alg: SHA384WITHRSA
Public key type: RSA 2048bit
Allowed usage: digitalSignature keyEncipherment
Allowed extended usage: clientAuth emailProtection
Serial number: 101113208650839486715316733014861942537
=== Proxy Information ===
subject : /DC=org/DC=terena/DC=tcs/C=IT/O=Istituto Nazionale di Fisica Nucleare/CN=Aksieniia Shtimmerman ashtimmerman@infn.it/CN=1479623907
issuer : /DC=org/DC=terena/DC=tcs/C=IT/O=Istituto Nazionale di Fisica Nucleare/CN=Aksieniia Shtimmerman ashtimmerman@infn.it
identity : /DC=org/DC=terena/DC=tcs/C=IT/O=Istituto Nazionale di Fisica Nucleare/CN=Aksieniia Shtimmerman ashtimmerman@infn.it
type : RFC3820 compliant impersonation proxy
strength : 2048
path : /tmp/x509up_u10171
timeleft : 11:42:28
key usage : Digital Signature, Key Encipherment |
To remove the current VOMS proxy from the system (this deletes the file holding the proxy private key), use the following command:
| Code Block |
|---|
|
[ashtimmerman@ui-tier1 ~]$ voms-proxy-destroy
[ashtimmerman@ui-tier1 ~]$ voms-proxy-info --all
Proxy not found: /tmp/x509up_u10171 (No such file or directory) |
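The following Python script is an added example, not code from this page or from the VOMS clients. It parses the output of voms-proxy-info --all shown above and checks, before a job is submitted, that the proxy has enough lifetime left, that it carries an attribute for the expected VO (the VOMS attribute certificate has its own lifetime, which can be shorter than the proxy's), and that the proxy file is owned by the caller and not readable by other users. The identity and VO in the embedded sample output are constructed; when run on a node with the VOMS clients installed it calls the real voms-proxy-info, otherwise it falls back to the sample.

```python
"""Sanity-check a VOMS proxy before using it (added example, not part of the
VOMS distribution): parse `voms-proxy-info --all`, check lifetime and VO
attributes, and check the proxy file permissions."""
import os
import re
import stat
import subprocess

# Constructed sample, modelled on the `voms-proxy-info --all` output on this
# page; the identity is a placeholder.
SAMPLE_INFO = """\
subject   : /DC=org/DC=terena/DC=tcs/C=IT/O=Istituto Nazionale di Fisica Nucleare/CN=Jane Doe jane.doe@example.org/CN=1171514709
issuer    : /DC=org/DC=terena/DC=tcs/C=IT/O=Istituto Nazionale di Fisica Nucleare/CN=Jane Doe jane.doe@example.org
identity  : /DC=org/DC=terena/DC=tcs/C=IT/O=Istituto Nazionale di Fisica Nucleare/CN=Jane Doe jane.doe@example.org
type      : RFC3820 compliant impersonation proxy
strength  : 2048
path      : /tmp/x509up_u10171
timeleft  : 11:58:42
key usage : Digital Signature, Key Encipherment
=== VO juno extension information ===
VO        : juno
subject   : /DC=org/DC=terena/DC=tcs/C=IT/O=Istituto Nazionale di Fisica Nucleare/CN=Jane Doe jane.doe@example.org
issuer    : /DC=org/DC=terena/DC=tcs/C=IT/ST=Roma/O=Istituto Nazionale di Fisica Nucleare/CN=voms-juno.cloud.cnaf.infn.it
attribute : /juno/Role=NULL/Capability=NULL
timeleft  : 11:58:42
uri       : voms-juno.cloud.cnaf.infn.it:15008
"""


def parse_proxy_info(text):
    """Split the output into the proxy block and one dict per VO extension."""
    proxy, vos, current = {}, [], None
    for line in text.splitlines():
        m = re.match(r"=== VO (\S+) extension information ===", line)
        if m:
            current = {"VO": m.group(1), "attributes": []}
            vos.append(current)
            continue
        if ":" not in line:
            continue
        key, _, value = line.partition(":")  # values may contain ':' (uri, timeleft)
        key, value = key.strip(), value.strip()
        if current is None:
            proxy[key] = value
        elif key == "attribute":
            current["attributes"].append(value)  # a VO may grant several FQANs
        else:
            current[key] = value
    return proxy, vos


def timeleft_seconds(value):
    """Convert the H:MM:SS 'timeleft' field to seconds."""
    h, m, s = (int(x) for x in value.split(":"))
    return h * 3600 + m * 60 + s


def proxy_problems(text, vo, min_seconds=3600):
    """Reasons the proxy is not usable for `vo`; an empty list means OK."""
    proxy, vos = parse_proxy_info(text)
    if "timeleft" not in proxy:
        return ["no proxy found"]
    problems = []
    left = timeleft_seconds(proxy["timeleft"])
    if left < min_seconds:
        problems.append(f"proxy lifetime {left}s below required {min_seconds}s")
    ext = next((v for v in vos if v["VO"] == vo), None)
    if ext is None:
        problems.append(f"no VOMS extension for VO {vo}")
    else:
        ac_left = timeleft_seconds(ext["timeleft"])  # the AC can expire before the proxy
        if ac_left < min_seconds:
            problems.append(f"VOMS AC for {vo} expires in {ac_left}s")
        if not any(a == f"/{vo}" or a.startswith(f"/{vo}/") for a in ext["attributes"]):
            problems.append(f"no /{vo} group attribute")
    return problems


def file_mode_problems(path):
    """The proxy holds an unencrypted private key: require owner-only access."""
    st = os.stat(path)
    problems = []
    if st.st_uid != os.getuid():
        problems.append("proxy file not owned by the current user")
    if stat.S_IMODE(st.st_mode) & 0o077:
        problems.append(f"proxy file mode {oct(stat.S_IMODE(st.st_mode))} is readable by others")
    return problems


def current_proxy_info():
    """Run voms-proxy-info; fall back to the constructed sample if it is absent."""
    try:
        out = subprocess.run(["voms-proxy-info", "--all"], capture_output=True, text=True)
        return out.stdout if out.returncode == 0 else ""
    except FileNotFoundError:
        return SAMPLE_INFO


if __name__ == "__main__":
    text = current_proxy_info()
    probs = proxy_problems(text, vo="juno")
    path = parse_proxy_info(text)[0].get("path")
    if path and os.path.exists(path):
        probs += file_mode_problems(path)
    print("proxy OK" if not probs else "\n".join(probs))
```

The VO name and the one-hour minimum lifetime are parameters: for a long-running job, pass a min_seconds matching the job's expected duration, since a proxy that expires mid-job makes its storage operations fail.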
JWT
Once registered within the token issuer (e.g. IAM), an access token can be retrieved using oidc-agent, which is available on ui-tier1. The full set of commands follows. First, start the agent with the following command:
| Code Block |
|---|
|
[ashtimmerman@ui-tier1 ~]$ eval $(oidc-agent-service use)
54956 |
To avoid running eval $(oidc-agent-service use) manually every time a new terminal session is opened, add the following line at the end of the ~/.bashrc file and apply the change with source ~/.bashrc:
| Code Block |
|---|
|
eval "$(oidc-agent-service use)" |
Then register a client with oidc-gen (this has to be done only the first time, to create a new local IAM client). To submit jobs to HTCondor, the client must request the scopes compute.read, compute.create, compute.cancel, compute.modify, openid, profile and offline_access (offline_access is what lets oidc-agent obtain a refresh token, so that new access tokens can be minted later without logging in again):
| Code Block |
|---|
|
$ oidc-gen -w device <client_name> |
following the steps required by the application, namely:
- choose a name for the OIDC client (the short name used later with oidc-add and oidc-token)
- insert the IAM URL (e.g. https://iam-t1-computing.cloud.cnaf.infn.it/)
- when a web page for authentication opens, enter the credentials of the IAM account
- authorise the new client
- set a password for the client configuration, by typing it twice at the terminal prompt (the configuration, which contains the refresh token, is stored on disk encrypted with this password).
For example:
| Code Block |
|---|
|
$ oidc-gen -w device <client_name>
[ashtimmerman@ui-tier1 ~]$ oidc-gen -w device axy
[1] https://iam-t1-computing.cloud.cnaf.infn.it/
[...]
Issuer [https://iam-t1-computing.cloud.cnaf.infn.it/]:
The following scopes are supported: openid profile email address phone offline_access eduperson_scoped_affiliation eduperson_entitlement eduperson_assurance entitlements wlcg.groups compute.read compute.create compute.cancel compute.modify storage.read storage.create storage.modify storage.stage
Scopes or 'max' (space separated) [openid profile offline_access]: compute.read compute.create compute.cancel compute.modify openid profile offline_access
Registering Client ...
Generating account configuration ...
accepted
Using a browser on any device, visit:
https://iam-t1-computing.cloud.cnaf.infn.it/device
And enter the code: REDACTED
Alternatively you can use the following QR code to visit the above listed URL.
Enter encryption password for account configuration <client_name>:
Confirm encryption password:
Everything setup correctly! |
From the second time on, it is enough to load the existing account configuration with the following command:
| Code Block |
|---|
|
$ oidc-add <client_name>
[ashtimmerman@ui-tier1 ~]$ oidc-add axy
Enter decryption password for account config 'axy':
success |
To obtain an access token and store it in the BEARER_TOKEN environment variable (the variable read by the HTCondor client tools), use the following command:
| Code Block |
|---|
|
[ashtimmerman@ui-tier1 ~]$ export BEARER_TOKEN=$(oidc-token <client_name>) |
To verify the correct setup, print a token directly with oidc-token; a valid token is a long base64url-encoded string starting with eyJ:
| Code Block |
|---|
|
$ oidc-token <client_name>
[ashtimmerman@ui-tier1 ~]$ oidc-token axy
[eyJraWQiOiJyc2ExIiwiYWxnIjoiUlMyNTYifQ............] |
The token will be valid for 60 minutes, but a new token can be obtained by issuing the oidc-token command again. The token is a bearer credential: whoever holds the string can use it until it expires, so do not paste it into shared files, job descriptions or logs.
To inspect the content of the JWT, the jq tool can be used to decode its payload (the second dot-separated segment). This only decodes the claims; it does not verify the signature, which is checked by the service receiving the token. Note also that jq's @base64d expects standard base64, so a payload containing the base64url characters - or _ needs them mapped to + and / first (e.g. with tr '_-' '/+'):
| Code Block |
|---|
|
[ashtimmerman@ui-tier1 ~]$ oidc-token axy | jq -R 'split(".")[1] | @base64d | fromjson' |
A user can also get the list of all existing account configurations by issuing:
| Code Block |
|---|
|
[ashtimmerman@ui-tier1 ~]$ oidc-add -l
The following account configurations are usable:
axy
myobolicatest
t1-computing |
The list of the currently loaded accounts can be retrieved with:
| Code Block |
|---|
|
[ashtimmermanus@ui-tier1 ~]$ oidc-add -a
The following account configurations are currently loaded:
axy |
Finally, at the end of the session, stop the oidc-agent daemon with the following command:
| Code Block |
|---|
|
$ oidc-agent-service stop |
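The following Python script is an added example, not code from this page or from oidc-agent. It decodes a token the way the jq one-liner above does, but handles the base64url alphabet and missing padding correctly, and then checks the claims a user should look at before exporting a token as BEARER_TOKEN: the issuer, the remaining lifetime, and the HTCondor scopes listed in the registration step. Like the jq command, it does not verify the signature; that requires the issuer's published public keys and is the job of the service receiving the token. The sample token is constructed inside the script with a dummy signature and a placeholder subject; a real token can be piped in from oidc-token.

```python
"""Inspect an OIDC access token before using it (added example, not part of
oidc-agent). Decoding is not verification: the signature is not checked."""
import base64
import json
import sys
import time

# Values taken from the registration step on this page.
ISSUER = "https://iam-t1-computing.cloud.cnaf.infn.it/"
HTCONDOR_SCOPES = ["compute.read", "compute.create", "compute.cancel", "compute.modify"]


def b64url_decode(segment):
    """JWT segments are base64url without padding; restore padding before decoding."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt(token):
    """Return (header, claims) of a compact JWS without verifying its signature."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated segments)")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))


def token_problems(token, issuer, required_scopes, now=None, min_seconds=300):
    """Reasons not to use this token; an empty list means it looks usable."""
    now = time.time() if now is None else now
    header, claims = decode_jwt(token)
    problems = []
    if header.get("alg", "none").lower() == "none":
        problems.append("unsigned token (alg=none)")
    if claims.get("iss") != issuer:
        problems.append(f"issuer {claims.get('iss')!r} is not {issuer!r}")
    exp = claims.get("exp")
    if exp is None:
        problems.append("no exp claim")
    elif exp - now < min_seconds:
        problems.append(f"token expires in {int(exp - now)}s")
    # Scopes are a single space-separated string in the WLCG token profile.
    granted = set(claims.get("scope", "").split())
    missing = sorted(set(required_scopes) - granted)
    if missing:
        problems.append("missing scopes: " + " ".join(missing))
    return problems


def sample_claims(issued_at):
    """Claims for the constructed sample token: one-hour lifetime, HTCondor scopes."""
    return {
        "iss": ISSUER,
        "sub": "00000000-0000-0000-0000-000000000000",  # placeholder, not a real IAM subject
        "iat": issued_at,
        "exp": issued_at + 3600,
        "scope": "openid profile offline_access " + " ".join(HTCONDOR_SCOPES),
    }


def make_sample_token(claims, alg="RS256"):
    """Build a token with a dummy signature segment, for this example only.
    A real token from oidc-token is signed with the issuer's private key."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'kid': 'rsa1', 'alg': alg})}.{enc(claims)}.c2lnbmF0dXJl"


if __name__ == "__main__":
    # Usage on the UI: oidc-token <client_name> | python3 check_token.py
    # Reading from stdin keeps the token out of the command line and shell history.
    if sys.stdin.isatty():
        token = make_sample_token(sample_claims(int(time.time())))
    else:
        token = sys.stdin.read()
    header, claims = decode_jwt(token)
    print(json.dumps({"header": header, "claims": claims}, indent=2))
    probs = token_problems(token, ISSUER, HTCONDOR_SCOPES)
    print("token looks usable" if not probs else "\n".join(probs))
```

The alg=none check matters because a decoder that trusts the header would accept an unsigned token; a service performing real verification must instead pin the algorithms it accepts and fetch the key named by kid from the issuer's JWKS endpoint.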