Monday, October 01, 2007

Java Cog Setup

Today, I downloaded and installed JavaCog. Detailed Information:
Prerequisite
To use grid services, one must obtain a certificate/credential from the administrator of the grid. Generally, a public/private key mechanism is used. There are two files:
usercert.pem
This file contains the certificate, which the server requests in order to authenticate the user.
userkey.pem
This file contains the private key, which the user must keep secret. Usually, this file is encrypted with a passphrase provided by the user, so that an attacker cannot get useful information even if he obtains the file.
Note: the names of these two files do not matter. What you must do is configure JavaCOG correctly so that it can find them; the file cog.properties holds that information. usercert.pem and userkey.pem are the default names for the two files.
Setup Steps:
(1) Download JavaCOG 4.1.5.
Note: I installed the binary archive. If you prefer to install it from the source code, consult the documentation.
(2) Unpack the archive (.tar.gz or .zip).
Suppose the unpacked files are put into the directory COGDIR.
(3) cd COGDIR/bin
(4) Run cog-setup (under Linux/Unix) or cog-setup.bat (under Windows).
Then a GUI is displayed that guides you through setting up JavaCOG step by step. This GUI is only an auxiliary tool to make the setup easier; all configuration is actually written into a file called cog.properties, located under the directory $HOME/.globus. Suppose the username is USER1:
In Linux, $HOME is /home/USER1.
In Windows, $HOME is C:\Documents and Settings\USER1\ (if the operating system is installed on partition C).
(5) Put the certificate of the grid service under the directory $HOME/.globus/cog-certificates.
(6) Modify the file cog.properties to indicate that the newly added certificate should be trusted by JavaCOG, so that JavaCOG can use it to authenticate the grid server. More options can be specified as well. In my case, the two files are 84ff0685.0 and 84ff0685.signing_policy.
So, the related line in cog.properties is:
cacert=C\:\\Documents and Settings\\gerald\\.globus\\cog-certificates\\84ff0685.0
A sample cog.properties file:
#Java CoG Kit Configuration File
#Mon Oct 01 16:20:20 EDT 2007
usercert=C\:\\Documents and Settings\\gerald\\.globus\\usercert.pem
userkey=C\:\\Documents and Settings\\gerald\\.globus\\userkey.pem
proxy=C\:\\DOCUME~1\\gerald\\LOCALS~1\\Temp\\x509up_u_gerald
cacert=C\:\\Documents and Settings\\gerald\\.globus\\cog-certificates\\44879c16.0,C\:\\Documents and Settings\\gerald\\.globus\\cog-certificates\\1c3f2ca8.0,C\:\\Documents and Settings\\gerald\\.globus\\cog-certificates\\84ff0685.0,C\:\\Documents and Settings\\gerald\\.globus\\cog-certificates\\aaaddcdf.0,C\:\\Documents and Settings\\gerald\\.globus\\cog-certificates\\4a6cd8b1.0,C\:\\Documents and Settings\\gerald\\.globus\\cog-certificates\\5aba75cb.0,C\:\\Documents and Settings\\gerald\\.globus\\cog-certificates\\3deda549.0,C\:\\Documents and Settings\\gerald\\.globus\\cog-certificates\\b89793e4.0,C\:\\Documents and Settings\\gerald\\.globus\\cog-certificates\\9a1da9f9.0,C\:\\Documents and Settings\\gerald\\.globus\\cog-certificates\\2c7969d0.0
ip=xxx.xxx.xxx.xxx
Note: Generally, you want to change the passphrase that is used to encrypt/decrypt your private key file. You can use the command grid-change-pass-phrase.
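As an added example (it is not part of the original post or of the Java CoG Kit itself), here is a small Go program that parses a cog.properties file of the shape shown above and performs the checks worth doing after step (6): every configured file exists, each CA hash file has its .signing_policy companion, and the files that hold a private key (userkey and the proxy) are not readable by other users. The embedded sample is a constructed copy of the file above; the function names ParseProperties, CACertPaths and AuditCredentials are my own.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// Constructed sample in the shape cog-setup writes; .properties escaping stores C:\Documents as C\:\\Documents.
const sampleCogProperties = `#Java CoG Kit Configuration File
#Mon Oct 01 16:20:20 EDT 2007
usercert=C\:\\Documents and Settings\\gerald\\.globus\\usercert.pem
userkey=C\:\\Documents and Settings\\gerald\\.globus\\userkey.pem
proxy=C\:\\DOCUME~1\\gerald\\LOCALS~1\\Temp\\x509up_u_gerald
cacert=C\:\\Documents and Settings\\gerald\\.globus\\cog-certificates\\44879c16.0,C\:\\Documents and Settings\\gerald\\.globus\\cog-certificates\\84ff0685.0
ip=xxx.xxx.xxx.xxx
`
// unescapeProperties drops the backslash that .properties puts before \ : = # and !.
// Assumed: no \n, \t or \uXXXX escapes, which cog-setup does not emit for ASCII paths.
func unescapeProperties(raw string) string {
	var b strings.Builder
	for i := 0; i < len(raw); i++ {
		if raw[i] == '\\' && i+1 < len(raw) {
			i++ // the escaped character stands for itself
		}
		b.WriteByte(raw[i])
	}
	return b.String()
}

// ParseProperties reads the key=value lines cog-setup writes (':' separators and
// line continuations, which full .properties syntax allows, are not handled).
func ParseProperties(text string) map[string]string {
	props := map[string]string{}
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || line[0] == '#' || line[0] == '!' {
			continue
		}
		key, value, _ := strings.Cut(line, "=")
		props[unescapeProperties(strings.TrimSpace(key))] = unescapeProperties(strings.TrimSpace(value))
	}
	return props
}

// CACertPaths splits the comma-separated cacert entry into the trusted CA files.
func CACertPaths(props map[string]string) []string {
	return strings.FieldsFunc(props["cacert"], func(r rune) bool { return r == ',' })
}
// Finding is one problem with a configured credential path.
type Finding struct{ Key, Path, Problem string }

// AuditCredentials checks that each configured file exists and that the files holding
// a private key (userkey and the proxy) are not group/world readable. lookup is injected
// so the audit runs against a fake filesystem in tests; the mode check is a POSIX notion.
func AuditCredentials(props map[string]string, lookup func(string) (bool, os.FileMode)) []Finding {
	var out []Finding
	check := func(key, path string, privateKey bool) {
		exists, mode := lookup(path)
		if !exists {
			out = append(out, Finding{key, path, "file not found"})
		} else if privateKey && mode&0o077 != 0 {
			out = append(out, Finding{key, path, fmt.Sprintf("private key readable by others (mode %04o, want 0600)", uint32(mode))})
		}
	}
	for _, key := range []string{"usercert", "userkey", "proxy"} {
		if p := props[key]; p != "" {
			check(key, p, key != "usercert") // userkey and the proxy file both hold a private key
		} else if key != "proxy" { // a proxy file is optional until one has been generated
			out = append(out, Finding{key, "", "not set in cog.properties"})
		}
	}
	cas := CACertPaths(props)
	if len(cas) == 0 {
		out = append(out, Finding{"cacert", "", "no trusted CA certificate configured"})
	}
	for _, p := range cas {
		check("cacert", p, false)
		if strings.HasSuffix(p, ".0") { // Globus pairs <hash>.0 with <hash>.signing_policy
			check("cacert", strings.TrimSuffix(p, ".0")+".signing_policy", false)
		}
	}
	return out
}

func statLookup(path string) (bool, os.FileMode) { // real-filesystem lookup for main
	fi, err := os.Stat(path)
	if err != nil {
		return false, 0
	}
	return true, fi.Mode().Perm()
}

func main() { // audits $HOME/.globus/cog.properties if present, otherwise the constructed sample
	text := sampleCogProperties
	if home, err := os.UserHomeDir(); err == nil {
		if data, err := os.ReadFile(home + "/.globus/cog.properties"); err == nil {
			text = string(data)
		}
	}
	for _, f := range AuditCredentials(ParseProperties(text), statLookup) {
		fmt.Printf("%-8s %s: %s\n", f.Key, f.Path, f.Problem)
	}
}
```

Run against a real $HOME/.globus/cog.properties, a world-readable userkey.pem is the finding to act on first: the passphrase on the key is the only remaining protection once the file can be copied.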
JavaCOG toolkit
In addition to cog-setup, JavaCOG provides many more tools that make configuration/execution easier. These tools are under the directory bin. Here you can find the documentation about those tools. However, the documentation does not cover all of them.
Credential Management
If you have several computers, you must save credentials (certificates/private keys) on each of these machines. This is tedious. You can use a credential management server to relieve the burden. MyProxy is a popular credential repository: you can store your credentials in a MyProxy repository and retrieve a proxy credential from it when needed. In practice, the user generates a proxy certificate and then uploads it to the MyProxy server.
MyProxy commands:
  • myproxy-init - Store a proxy credential for later retrieval
    The myproxy-init command uploads a credential to a myproxy-server for later retrieval. In the default mode, the command first prompts for the user's Grid pass phrase (if needed), which is used to create a proxy credential. The command then prompts for a MyProxy pass phrase, which will be required to later retrieve the credential. By default, myproxy-init will create a proxy credential from the user's end-entity credentials at ~/.globus/usercert.pem and ~/.globus/userkey.pem to delegate to the myproxy-server.
  • myproxy-store - Store end-entity credential for later retrieval
    Unlike myproxy-init, this command transfers the private key over the network (over a private channel). In the default mode, the command will take the credentials found in ~/.globus/usercert.pem and ~/.globus/userkey.pem and store them in the myproxy-server repository.
  • myproxy-logon - Retrieve a credential
    The myproxy-logon command retrieves a credential from the myproxy-server that was previously stored using myproxy-init. In the default mode, the command prompts for the MyProxy pass phrase associated with the credential to be retrieved and stores the retrieved credential in the standard location (/tmp/x509up_u).
  • myproxy-retrieve - Retrieve an end-entity credential
    The myproxy-retrieve command retrieves a credential directly from the myproxy-server(8) that was previously stored using myproxy-init(1) or myproxy-store(1). Unlike myproxy-logon(1), this command transfers the private key in the repository over the network (over a private channel). To obtain a proxy credential, we recommend using myproxy-logon(1) instead.
    In the default mode, the command prompts for the pass phrase associated with the credential to be retrieved and stores the retrieved credential in the standard location ( ~/.globus/usercert.pem and ~/.globus/userkey.pem). You could then run grid-proxy-init to create a proxy credential from the retrieved credentials.
  • myproxy-info - Display information about credentials
  • myproxy-destroy - Remove a credential from the repository
  • myproxy-change-pass-phrase - Change a credential's passphrase
  • myproxy-admin-adduser - Add a new user credential
  • myproxy-admin-change-pass - Change credential passphrase
  • myproxy-admin-query - Query repository contents
  • myproxy-admin-load-credential - Directly load repository
  • myproxy-server - Store credentials in an online repository
COG command:
The related command in JavaCOG is
cog-myproxy
This command is similar to the myproxy-init/myproxy-logon/myproxy-store/myproxy-retrieve commands of the MyProxy client. In other words, you can store/retrieve credentials (proxy credentials or the original certificates/keys).
Some typical examples:
cog-myproxy -h gf1.ucs.indiana.edu put #upload the certificate to the myproxy server.
cog-myproxy -h gf1.ucs.indiana.edu get #download the certificate from myproxy server
Proxy Credential
Every time the service you are interacting with needs your certificate for authentication, you must enter the pass phrase. GSI provides a delegation capability: an extension of the standard SSL protocol which reduces the number of times the user must enter his passphrase. If a Grid computation requires that several Grid resources be used (each requiring mutual authentication), or if there is a need to have agents (local or remote) requesting services on behalf of a user, the need to re-enter the user's passphrase can be avoided by creating a proxy.
A proxy consists of a new certificate and a private key. The key pair that is used for the proxy, i.e. the public key embedded in the certificate and the private key, may either be regenerated for each proxy or obtained by other means. The new certificate contains the owner's identity, modified slightly to indicate that it is a proxy. The new certificate is signed by the owner, rather than a CA. The certificate also includes a time notation after which the proxy should no longer be accepted by others. Proxies have limited lifetimes.
When proxies are used, the mutual authentication process differs slightly. The remote party receives not only the proxy's certificate (signed by the owner), but also the owner's certificate. During mutual authentication, the owner's public key (obtained from her certificate) is used to validate the signature on the proxy certificate. The CA's public key is then used to validate the signature on the owner's certificate. This establishes a chain of trust from the CA to the proxy through the owner.
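The chain just described, as an added example that is not part of the original post or of the Globus/CoG code: a Go program (standard library only) builds a CA, an owner certificate signed by the CA, and a proxy certificate signed by the owner's own key whose subject is the owner's subject plus one extra CN and whose lifetime is short; it then validates in the order the text gives (owner key over the proxy, CA key over the owner) and enforces the lifetime. The names "Example Grid" and "gerald", the proxy lifetime and key size arguments (the options cog-proxy-init exposes), and the functions BuildChain and VerifyProxyChain are my own.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// ProxyChain is the chain described above, built in memory: CA -> owner -> proxy.
type ProxyChain struct {
	CA, Owner, Proxy *x509.Certificate
	ProxyKey         *rsa.PrivateKey // kept beside the proxy cert, as in x509up_u_<user>
}
var oidCommonName = asn1.ObjectIdentifier{2, 5, 4, 3}

// fullDN renders every RDN of a parsed name (pkix.Name.String collapses repeated CNs).
func fullDN(names []pkix.AttributeTypeAndValue) string {
	var rdns pkix.RDNSequence
	for _, atv := range names {
		rdns = append(rdns, pkix.RelativeDistinguishedNameSET{atv})
	}
	return rdns.String()
}

// template is an end-entity (cA=FALSE) certificate template; the CA adjusts it.
func template(serial int64, subject pkix.Name, notBefore time.Time, lifetime time.Duration) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: subject, NotBefore: notBefore,
		NotAfter: notBefore.Add(lifetime), BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment}
}

func issue(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer) // signer is the parent's key
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildChain: CA, owner cert signed by the CA, proxy signed by the OWNER's key (not the CA).
func BuildChain(proxyLifetime time.Duration, proxyKeyBits int) (*ProxyChain, error) {
	caKey, err1 := rsa.GenerateKey(rand.Reader, 2048)
	ownerKey, err2 := rsa.GenerateKey(rand.Reader, 2048)
	proxyKey, err3 := rsa.GenerateKey(rand.Reader, proxyKeyBits) // the "key strength" option
	if err := errors.Join(err1, err2, err3); err != nil {
		return nil, err
	}
	now, org := time.Now().Add(-time.Minute), []string{"Example Grid"} // skew allowance; constructed names
	caTmpl := template(1, pkix.Name{Organization: org, CommonName: "Example Grid CA"}, now, 10*365*24*time.Hour)
	caTmpl.IsCA, caTmpl.KeyUsage = true, x509.KeyUsageCertSign
	ca, err := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed trust anchor
	if err != nil {
		return nil, err
	}
	owner, err := issue(template(2, pkix.Name{Organization: org, CommonName: "gerald"}, now, 365*24*time.Hour), ca, &ownerKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	// Proxy subject = owner subject + one CN ("modified slightly to indicate that it is a proxy").
	proxyName := pkix.Name{Organization: org, ExtraNames: []pkix.AttributeTypeAndValue{
		{Type: oidCommonName, Value: "gerald"}, {Type: oidCommonName, Value: "proxy"}}}
	proxy, err := issue(template(3, proxyName, now, proxyLifetime), owner, &proxyKey.PublicKey, ownerKey)
	if err != nil {
		return nil, err
	}
	return &ProxyChain{CA: ca, Owner: owner, Proxy: proxy, ProxyKey: proxyKey}, nil
}

// VerifyProxyChain is the proxy-aware validation the text describes.
func VerifyProxyChain(c *ProxyChain, now time.Time) error {
	on, pn := c.Owner.Subject.Names, c.Proxy.Subject.Names
	if fullDN(c.Proxy.Issuer.Names) != fullDN(on) || len(pn) != len(on)+1 || !pn[len(on)].Type.Equal(oidCommonName) || !strings.HasSuffix(fullDN(pn), ","+fullDN(on)) {
		return errors.New("proxy is not issued by the owner with the owner's subject plus one CN")
	}
	// The owner's public key validates the proxy; the CA's public key validates the owner.
	if err := c.Owner.CheckSignature(c.Proxy.SignatureAlgorithm, c.Proxy.RawTBSCertificate, c.Proxy.Signature); err != nil {
		return fmt.Errorf("proxy not signed by owner: %w", err)
	}
	if err := c.Owner.CheckSignatureFrom(c.CA); err != nil {
		return fmt.Errorf("owner not signed by CA: %w", err)
	}
	if now.Before(c.Proxy.NotBefore) || now.After(c.Proxy.NotAfter) || c.Proxy.NotAfter.After(c.Owner.NotAfter) {
		return errors.New("proxy is expired, not yet valid, or outlives the owner certificate")
	}
	return nil
}

func main() { // prints the proxy DN, nil for "valid now", and the error for 13 hours later
	chain, err := BuildChain(12*time.Hour, 2048)
	if err != nil {
		panic(err)
	}
	fmt.Println(fullDN(chain.Proxy.Subject.Names), VerifyProxyChain(chain, time.Now()), VerifyProxyChain(chain, time.Now().Add(13*time.Hour)))
}
```

Note that crypto/x509's own CheckSignatureFrom rejects the proxy, because its issuer (the owner certificate) is not a CA. Plain X.509 path validation therefore does not accept proxies at all; a GSI-aware verifier has to perform the owner-signs-proxy step itself, which is what VerifyProxyChain does before falling back to ordinary validation for the owner.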
cog-proxy-init
It provides a GUI to generate the proxy certificate. The default name of the proxy file is x509up_u_username, and it is stored in the temporary directory (of course, you can change this by modifying the configuration file). During generation, you can specify some options: proxy lifetime, key strength, etc.

If you prefer a command line tool to generate the proxy certificate, use the grid-proxy-init command. Roughly, grid-proxy-init and cog-proxy-init provide the same functionality apart from the user interface; choose whichever you like.
grid-proxy-init - Generate a new proxy certificate
grid-proxy-destroy - Destroy the current proxy certificate
grid-proxy-info - Display information obtained from a proxy certificate
