troubleshooting grid authentication from the client side
play

Troubleshooting Grid authentication from the client side By Adriaan - PowerPoint PPT Presentation

Sep 04, 2023 •124 likes •257 views

Troubleshooting Grid authentication from the client side By Adriaan van der Zee RP1 presentation 2009-02-04 Contents The Grid @NIKHEF The project Grid components and interactions X.509 certificates, proxies and delegations

  1. Troubleshooting Grid authentication from the client side By Adriaan van der Zee RP1 presentation 2009-02-04

  2. Contents • The Grid @NIKHEF • The project • Grid components and interactions • X.509 certificates, proxies and delegations • Possible authentication problems • Problem identification tool • Sample output

  3. The Grid @NIKHEF • Tier-1 location of the Worldwide LHC Computing Grid • Consists of multiple clusters of multi-core machines for parallel processing • Intended for computation with data from LHC experiments at CERN • Also used for other sciences such as bio- informatics and medicine

  4. The Project To what extent can authentication failures in the Grid be identified and resolved from the client side? • What are the possible causes of GSI authentication failures? • Which Grid components are involved in GSI authentication for standard job submission and execution? • How can a client determine which systems are probable causes of authentication failure for a job? • Is it possible for a client to test authentication by contacting such systems directly?

  5. Grid components Virtual Organisation Membership Service VOMS MyProxy Logging and request proxy Bookkeeping Request LB Request VOMS status credentials submit proxy update status submit job forward job run job UI WMS CE WN User Interface Workload Computing Worker Management Element Node System

  6. X.509 certificates, proxies and delegation • Proxy certificates are used for single sign-on and delegation – Not protected with a passphrase, but short-lived – Single sign-on: user can submit multiple jobs without re-entering passphrase – Delegation: a job can be sent further into the Grid on the user’s behalf – A MyProxy service can be used by a Grid component to renew a proxy

  7. Possible authentication problems - 1 • Unknown CA – CA certificates not installed on UI, or environment variable missing • (Proxy) certificate expired, or not yet valid – Really expired, or clock skew • Certificate Revocation List (CRL) out of date – Failed to renew CRL, or clock skew

  8. Possible authentication problems - 2 • VOMS attributes missing – Proxy not set up properly • Misconfigured User Interface – Can cause all of the above…

  9. Problem identification tool - 1 • No interactions with other systems, due to – Lack of support for proxy certificates in instaled version of openssl – Involved systems are job-specific – Different communication methods used by different components, even between versions of the same component

  10. Problem identification tool - 2 • Checks that are included – System time checked against NTP – Basic UI environment check – Trusted CA directory check – User certificate verification – Proxy certificate chain verification – Proxy contents check

  11. Sample output - 1 bash-3.00$ ./grid-auth-verify.sh INFO: Trying to check time difference with chime2.surfnet.nl INFO: Local time differs 0 seconds from network time, which is within set limit of 60 INFO: Trying to locate directory with trusted certificates INFO: Will use /global/ices/lcg/glite3.1.23/external/etc/gridsecurity/certificates from evironment variable X509_CERT_DIR for trusted certificates INFO: Trying to verify user certificate INFO: Will use /user/adriaanz/.globus/usercert.pem as user certificate INFO: User certificate verification succeeded INFO: Trying to verify proxy certificate chain INFO: Will use /tmp/x509up_u7899 as proxy certificate INFO: Proxy certificate chain verified succesfully INFO: Trying to check proxy content INFO: No irregularities found in proxy contents

  12. Sample output - 2 bash-3.00$ ./grid-auth-verify.sh INFO: Trying to check time difference with chime2.surfnet.nl INFO: Local time differs 0 seconds from network time, which is within set limit of 60 INFO: Trying to locate directory with trusted certificates INFO: Will use /global/ices/lcg/glite3.1.23/external/etc/gridsecurity/certificates from evironment variable X509_CERT_DIR for trusted certificates INFO: Trying to verify user certificate INFO: Will use /user/adriaanz/.globus/usercert.pem as user certificate INFO: User certificate verification succeeded INFO: Trying to verify proxy certificate chain INFO: Will use /tmp/x509up_u7899 as proxy certificate ERROR: Verifying proxy: Proxy certificate expired. ERROR: Verifying certificate chain: certificate has expired

  13. Sample output - 3 bash-3.00$ ./grid-auth-verify.sh INFO: Trying to check time difference with chime2.surfnet.nl INFO: Local time differs 0 seconds from network time, which is within set limit of 60 INFO: Trying to locate directory with trusted certificates ERROR: Cannot find trsted certificates directory in either the environment variable X509_CERT_DIR, or /etc/grid-security/certificates or /user/adriaanz/.globus/certificates

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Moving to client-side hashing for online authentication Enka Blanchard 1 Xavier Coquand 2 Ted

Moving to client-side hashing for online authentication Enka Blanchard 1 Xavier Coquand 2 Ted

Moving to client-side hashing for online authentication Enka Blanchard 1 Xavier Coquand 2 Ted Selker 3 Digitrust, Loria, Universit e de Lorraine, www.koliaza.com Bsecure, Paris University of Maryland, Baltimore County 9th International

1.02k views • 18 slides
TLS 1.3 Client Authentication Andrei Popov, Microsoft Corp. Issue 1: TLS Client Authentication

TLS 1.3 Client Authentication Andrei Popov, Microsoft Corp. Issue 1: TLS Client Authentication

TLS 1.3 Client Authentication Andrei Popov, Microsoft Corp. Issue 1: TLS Client Authentication After the Handshake The user navigates to the sites landing page, no client authentication required. Eventually, the user requests a

69 views • 6 slides
EAP Client-side Transport draft-boursetty-eap-cst-00.txt IETF 57 EAP WG July 2003 A typical EAP

EAP Client-side Transport draft-boursetty-eap-cst-00.txt IETF 57 EAP WG July 2003 A typical EAP

EAP Client-side Transport draft-boursetty-eap-cst-00.txt IETF 57 EAP WG July 2003 A typical EAP setup Access Target Client NAS Network Network AAA server S 2 A new EAP setup Authentication AuthToken AuthServer Integrity Client

628 views • 7 slides
Modern client-side defenses Deian Stefan Today How can we build flexible and secure client-side

Modern client-side defenses Deian Stefan Today How can we build flexible and secure client-side

CSE 127: Computer Security Modern client-side defenses Deian Stefan Today How can we build flexible and secure client-side web applications (from vulnerable/untrusted components) Modern web sites are complicated Many acting parties on a site

867 views • 62 slides
SCHISM numerical formulation Joseph Zhang Horizontal grid: hybrid 2 3 Side 2 4 3 Side 1

SCHISM numerical formulation Joseph Zhang Horizontal grid: hybrid 2 3 Side 2 4 3 Side 1

1 SCHISM numerical formulation Joseph Zhang Horizontal grid: hybrid 2 3 Side 2 4 3 Side 1 Side 2 Side 1 Side 3 Side 4 1 2 2 1 Side 3 3 2 1 Counter-clockwise convention 1 2 3 3 y s 2 2 x s 1 2 i i 1 N i 1 2 N i i

647 views • 53 slides
CSCC09 Programming on the Web Thierry Sans Architecture of a Web Application Client Side

CSCC09 Programming on the Web Thierry Sans Architecture of a Web Application Client Side

CSCC09 Programming on the Web Thierry Sans Architecture of a Web Application Client Side Server Side Web Server Web Browser Web Technologies Content Resources Presentation management Client Side Processing Multimedia The evolution of

1.24k views • 23 slides
CSE 154 LECTURE 6: JAVASCRIPT Client-side scripting client-side script : code runs in browser

CSE 154 LECTURE 6: JAVASCRIPT Client-side scripting client-side script : code runs in browser

CSE 154 LECTURE 6: JAVASCRIPT Client-side scripting client-side script : code runs in browser after page is sent back from server often this code manipulates the page or responds to user actions What is JavaScript? a lightweight

643 views • 29 slides
Cookies and Sessions Thierry Security assumptions You have absolutely no control on the client

Cookies and Sessions Thierry Security assumptions You have absolutely no control on the client

Cookies and Sessions Thierry Security assumptions You have absolutely no control on the client Client Side Server Side Web Server Database Web Browser Cookies The big picture key/value pairs data Client Side Server Side HTTP request

783 views • 13 slides
Beyond Trust PostgreSQL Client Authentication Christoph Mnch-Tegeder 2ndQuadrant

Beyond Trust PostgreSQL Client Authentication Christoph Mnch-Tegeder 2ndQuadrant

Beyond Trust PostgreSQL Client Authentication Christoph Mnch-Tegeder 2ndQuadrant http://www.2ndquadrant.com/ 2017-02-05 Part I Authentication Why Authentication? Too complicated Nobody knows my database Nobody will attack us

813 views • 39 slides
In Grid We Trust New authentication mechanisms and their impact on trust relationships at the

In Grid We Trust New authentication mechanisms and their impact on trust relationships at the

In Grid We Trust New authentication mechanisms and their impact on trust relationships at the home organisation ISGC 2011 David Groep David Groep Nikhef Amsterdam PDP & Grid In Grid ... where many participants have no a-priori

309 views • 26 slides
FIDES: Lightweight Authentication Cipher with Side-Channel Resistance for Constrained Hardware

FIDES: Lightweight Authentication Cipher with Side-Channel Resistance for Constrained Hardware

FIDES: Lightweight Authentication Cipher with Side-Channel Resistance for Constrained Hardware Begl Bilgin, Andrey Bogdanov, Miroslav Kne evi , Florian Mendel, and Qingju Wang 1 DIAC 2013, Chicago Side Channel Resistance 2 Side

1.29k views • 76 slides
Modern client-side defenses Deian Stefan Today How can we build flexible and secure client-side

Modern client-side defenses Deian Stefan Today How can we build flexible and secure client-side

CSE 127: Computer Security Modern client-side defenses Deian Stefan Today How can we build flexible and secure client-side web applications (from vulnerable/untrusted components) Modern web sites are complicated Modern web sites are

709 views • 57 slides
CLIENT INITIATED BACKCHANNEL AUTHENTICATION CIBA? CIBA is an authentication flow like OpenID

CLIENT INITIATED BACKCHANNEL AUTHENTICATION CIBA? CIBA is an authentication flow like OpenID

CLIENT INITIATED BACKCHANNEL AUTHENTICATION CIBA? CIBA is an authentication flow like OpenID Connect. However, unlike OpenID Connect, there is direct Relying Party to OpenID Provider communication without redirects through the user's browser.

505 views • 17 slides
DC3158 Summary Summary Client Side Exploitation Attack Chaining. Client Side

DC3158 Summary Summary Client Side Exploitation Attack Chaining. Client Side

DEFCON DC3158 Summary Summary Client Side Exploitation Attack Chaining. Client Side Exploitation Script Based Attack Powershell,Jscript,Vbscript Vbscript:still people use IE, you can call wmic and powershell script to execute.

428 views • 15 slides
Client-Side Direct I/O for NFS Mike Kupfer kupfer@Eng.Sun.COM 28 February 1997 1 Client-Side

Client-Side Direct I/O for NFS Mike Kupfer kupfer@Eng.Sun.COM 28 February 1997 1 Client-Side

Client-Side Direct I/O for NFS Mike Kupfer kupfer@Eng.Sun.COM 28 February 1997 1 Client-Side Direct I/O for NFS Connectathon 1997 Disclaimer This is not a product announcement. 2 Client-Side Direct I/O for NFS Connectathon 1997

311 views • 16 slides
CSE392/ISE331 Attacks against the client-side of web applications Nick Nikiforakis

CSE392/ISE331 Attacks against the client-side of web applications Nick Nikiforakis

CSE392/ISE331 Attacks against the client-side of web applications Nick Nikiforakis nick@cs.stonybrook.edu Despite the same origin policy Many things can go wrong at the client-side of a web application Popular attacks Cross-site

266 views • 15 slides
Mid Fidelity Simulation Expanding Experience into Expertise IASS 2018 November 12-14 Seattle,

Mid Fidelity Simulation Expanding Experience into Expertise IASS 2018 November 12-14 Seattle,

Mid Fidelity Simulation Expanding Experience into Expertise IASS 2018 November 12-14 Seattle, USA Capt. Mark Cameron - Emirates From this Report 22 / ACCID / 2001 p17 We got to this Wee in YYC (AvHerald) - 2010 And finally

378 views • 25 slides
The spanning laceability of k-ary The spanning laceability of k ary n-cubes when k is even

The spanning laceability of k-ary The spanning laceability of k ary n-cubes when k is even

The spanning laceability of k-ary The spanning laceability of k ary n-cubes when k is even : : 1 Outline Introd ction Introduction Preliminaries Definition Theorem 1

618 views • 35 slides
THE TRUCKEE TAHOE AIRPORT How Do We Solve the Noise Annoyance Problem? John B. Jones, Jr. TTAD

THE TRUCKEE TAHOE AIRPORT How Do We Solve the Noise Annoyance Problem? John B. Jones, Jr. TTAD

THE TRUCKEE TAHOE AIRPORT How Do We Solve the Noise Annoyance Problem? John B. Jones, Jr. TTAD Board President SPECIAL DISTRICT LEADERSHIP ACADEMY CONFERENCE NOV. 2013 NAPA VALLEY Moderator Brent Ives Mayor Tracy, Calif. o When

449 views • 18 slides
HIGH SPEED UK ..connecting the nation ..connecting the nation Colin Elliff BSc CEng MICE Civil

HIGH SPEED UK ..connecting the nation ..connecting the nation Colin Elliff BSc CEng MICE Civil

HIGH SPEED UK ..connecting the nation ..connecting the nation Colin Elliff BSc CEng MICE Civil Engineering Principal HS2 50 billion GL EH Thats what the Thats what the NE Government is LS LI MA SH planning to NG spend on

1.05k views • 72 slides
SACO MAIN STREET 2017 BUDGET PRESENTATION TO THE CITY OF SACO, ME MAJOR INFLUENCES FY16

SACO MAIN STREET 2017 BUDGET PRESENTATION TO THE CITY OF SACO, ME MAJOR INFLUENCES FY16

SACO MAIN STREET 2017 BUDGET PRESENTATION TO THE CITY OF SACO, ME MAJOR INFLUENCES FY16 The Rebuilding of Saco Main Street New Energy, New Board, Refocused, New Director in Place Renewed Effort and Focus on Business Vitality

218 views • 7 slides
Cebu Air, Inc. 3 rd Quarter Results of Operations November 14, 2019 Disclaimer The information

Cebu Air, Inc. 3 rd Quarter Results of Operations November 14, 2019 Disclaimer The information

Cebu Air, Inc. 3 rd Quarter Results of Operations November 14, 2019 Disclaimer The information provided in this presentation is provided only for your reference. Such information has not been independently verified and, as such, is not

802 views • 14 slides
h p . m o c . g n i l l e S e r P . w w w S E L L E R S B R I E F I N G

h p . m o c . g n i l l e S e r P . w w w S E L L E R S B R I E F I N G

h p . m o c . g n i l l e S e r P . w w w S E L L E R S B R I E F I N G A Y A L A L A N D S L A R G E S T M I X E D - U S E E S T A T E h p . m o c . g n i l l e S e r P . w w w 2,290 HECTARES

668 views • 53 slides
Wel elco come me to th to the Next meeting Monday 9 th December 2019 Please Pl se place

Wel elco come me to th to the Next meeting Monday 9 th December 2019 Please Pl se place

Wel elco come me to th to the Next meeting Monday 9 th December 2019 Please Pl se place mobil ile phones nes to si silent nt or sw switc tch h off, f, thank nks www.gwpr .gwpra.or a.org. g.uk uk Facebook Group Great

548 views • 23 slides

More recommend