troubleshooting grid authentication from the client side
play

Troubleshooting Grid authentication from the client side By Adriaan - PowerPoint PPT Presentation

Sep 04, 2023 •124 likes •257 views

Troubleshooting Grid authentication from the client side By Adriaan van der Zee RP1 presentation 2009-02-04 Contents The Grid @NIKHEF The project Grid components and interactions X.509 certificates, proxies and delegations

  1. Troubleshooting Grid authentication from the client side By Adriaan van der Zee RP1 presentation 2009-02-04

  2. Contents • The Grid @NIKHEF • The project • Grid components and interactions • X.509 certificates, proxies and delegations • Possible authentication problems • Problem identification tool • Sample output

  3. The Grid @NIKHEF • Tier-1 location of the Worldwide LHC Computing Grid • Consists of multiple clusters of multi-core machines for parallel processing • Intended for computation with data from LHC experiments at CERN • Also used for other sciences such as bio- informatics and medicine

  4. The Project To what extent can authentication failures in the Grid be identified and resolved from the client side? • What are the possible causes of GSI authentication failures? • Which Grid components are involved in GSI authentication for standard job submission and execution? • How can a client determine which systems are probable causes of authentication failure for a job? • Is it possible for a client to test authentication by contacting such systems directly?

  5. Grid components Virtual Organisation Membership Service VOMS MyProxy Logging and request proxy Bookkeeping Request LB Request VOMS status credentials submit proxy update status submit job forward job run job UI WMS CE WN User Interface Workload Computing Worker Management Element Node System

  6. X.509 certificates, proxies and delegation • Proxy certificates are used for single sign-on and delegation – Not protected with a passphrase, but short-lived – Single sign-on: user can submit multiple jobs without re-entering passphrase – Delegation: a job can be sent further into the Grid on the user’s behalf – A MyProxy service can be used by a Grid component to renew a proxy

  7. Possible authentication problems - 1 • Unknown CA – CA certificates not installed on UI, or environment variable missing • (Proxy) certificate expired, or not yet valid – Really expired, or clock skew • Certificate Revocation List (CRL) out of date – Failed to renew CRL, or clock skew

  8. Possible authentication problems - 2 • VOMS attributes missing – Proxy not set up properly • Misconfigured User Interface – Can cause all of the above…

  9. Problem identification tool - 1 • No interactions with other systems, due to – Lack of support for proxy certificates in instaled version of openssl – Involved systems are job-specific – Different communication methods used by different components, even between versions of the same component

  10. Problem identification tool - 2 • Checks that are included – System time checked against NTP – Basic UI environment check – Trusted CA directory check – User certificate verification – Proxy certificate chain verification – Proxy contents check

  11. Sample output - 1 bash-3.00$ ./grid-auth-verify.sh INFO: Trying to check time difference with chime2.surfnet.nl INFO: Local time differs 0 seconds from network time, which is within set limit of 60 INFO: Trying to locate directory with trusted certificates INFO: Will use /global/ices/lcg/glite3.1.23/external/etc/gridsecurity/certificates from evironment variable X509_CERT_DIR for trusted certificates INFO: Trying to verify user certificate INFO: Will use /user/adriaanz/.globus/usercert.pem as user certificate INFO: User certificate verification succeeded INFO: Trying to verify proxy certificate chain INFO: Will use /tmp/x509up_u7899 as proxy certificate INFO: Proxy certificate chain verified succesfully INFO: Trying to check proxy content INFO: No irregularities found in proxy contents

  12. Sample output - 2 bash-3.00$ ./grid-auth-verify.sh INFO: Trying to check time difference with chime2.surfnet.nl INFO: Local time differs 0 seconds from network time, which is within set limit of 60 INFO: Trying to locate directory with trusted certificates INFO: Will use /global/ices/lcg/glite3.1.23/external/etc/gridsecurity/certificates from evironment variable X509_CERT_DIR for trusted certificates INFO: Trying to verify user certificate INFO: Will use /user/adriaanz/.globus/usercert.pem as user certificate INFO: User certificate verification succeeded INFO: Trying to verify proxy certificate chain INFO: Will use /tmp/x509up_u7899 as proxy certificate ERROR: Verifying proxy: Proxy certificate expired. ERROR: Verifying certificate chain: certificate has expired

  13. Sample output - 3 bash-3.00$ ./grid-auth-verify.sh INFO: Trying to check time difference with chime2.surfnet.nl INFO: Local time differs 0 seconds from network time, which is within set limit of 60 INFO: Trying to locate directory with trusted certificates ERROR: Cannot find trsted certificates directory in either the environment variable X509_CERT_DIR, or /etc/grid-security/certificates or /user/adriaanz/.globus/certificates

Recommend

Moving to client-side hashing for online authentication Enka Blanchard 1 Xavier Coquand 2 Ted

Moving to client-side hashing for online authentication Enka Blanchard 1 Xavier Coquand 2 Ted

Moving to client-side hashing for online authentication Enka Blanchard 1 Xavier Coquand 2 Ted Selker 3 Digitrust, Loria, Universit e de Lorraine, www.koliaza.com Bsecure, Paris University of Maryland, Baltimore County 9th International

1.02k views • 18 slides
TLS 1.3 Client Authentication Andrei Popov, Microsoft Corp. Issue 1: TLS Client Authentication

TLS 1.3 Client Authentication Andrei Popov, Microsoft Corp. Issue 1: TLS Client Authentication

TLS 1.3 Client Authentication Andrei Popov, Microsoft Corp. Issue 1: TLS Client Authentication After the Handshake The user navigates to the sites landing page, no client authentication required. Eventually, the user requests a

69 views • 6 slides
EAP Client-side Transport draft-boursetty-eap-cst-00.txt IETF 57 EAP WG July 2003 A typical EAP

EAP Client-side Transport draft-boursetty-eap-cst-00.txt IETF 57 EAP WG July 2003 A typical EAP

EAP Client-side Transport draft-boursetty-eap-cst-00.txt IETF 57 EAP WG July 2003 A typical EAP setup Access Target Client NAS Network Network AAA server S 2 A new EAP setup Authentication AuthToken AuthServer Integrity Client

628 views • 7 slides
Modern client-side defenses Deian Stefan Today How can we build flexible and secure client-side

Modern client-side defenses Deian Stefan Today How can we build flexible and secure client-side

CSE 127: Computer Security Modern client-side defenses Deian Stefan Today How can we build flexible and secure client-side web applications (from vulnerable/untrusted components) Modern web sites are complicated Many acting parties on a site

867 views • 62 slides
SCHISM numerical formulation Joseph Zhang Horizontal grid: hybrid 2 3 Side 2 4 3 Side 1

SCHISM numerical formulation Joseph Zhang Horizontal grid: hybrid 2 3 Side 2 4 3 Side 1

1 SCHISM numerical formulation Joseph Zhang Horizontal grid: hybrid 2 3 Side 2 4 3 Side 1 Side 2 Side 1 Side 3 Side 4 1 2 2 1 Side 3 3 2 1 Counter-clockwise convention 1 2 3 3 y s 2 2 x s 1 2 i i 1 N i 1 2 N i i

647 views • 53 slides
CSCC09 Programming on the Web Thierry Sans Architecture of a Web Application Client Side

CSCC09 Programming on the Web Thierry Sans Architecture of a Web Application Client Side

CSCC09 Programming on the Web Thierry Sans Architecture of a Web Application Client Side Server Side Web Server Web Browser Web Technologies Content Resources Presentation management Client Side Processing Multimedia The evolution of

1.24k views • 23 slides
CSE 154 LECTURE 6: JAVASCRIPT Client-side scripting client-side script : code runs in browser

CSE 154 LECTURE 6: JAVASCRIPT Client-side scripting client-side script : code runs in browser

CSE 154 LECTURE 6: JAVASCRIPT Client-side scripting client-side script : code runs in browser after page is sent back from server often this code manipulates the page or responds to user actions What is JavaScript? a lightweight

643 views • 29 slides
Cookies and Sessions Thierry Security assumptions You have absolutely no control on the client

Cookies and Sessions Thierry Security assumptions You have absolutely no control on the client

Cookies and Sessions Thierry Security assumptions You have absolutely no control on the client Client Side Server Side Web Server Database Web Browser Cookies The big picture key/value pairs data Client Side Server Side HTTP request

783 views • 13 slides
Beyond Trust PostgreSQL Client Authentication Christoph Mnch-Tegeder 2ndQuadrant

Beyond Trust PostgreSQL Client Authentication Christoph Mnch-Tegeder 2ndQuadrant

Beyond Trust PostgreSQL Client Authentication Christoph Mnch-Tegeder 2ndQuadrant http://www.2ndquadrant.com/ 2017-02-05 Part I Authentication Why Authentication? Too complicated Nobody knows my database Nobody will attack us

813 views • 39 slides
In Grid We Trust New authentication mechanisms and their impact on trust relationships at the

In Grid We Trust New authentication mechanisms and their impact on trust relationships at the

In Grid We Trust New authentication mechanisms and their impact on trust relationships at the home organisation ISGC 2011 David Groep David Groep Nikhef Amsterdam PDP & Grid In Grid ... where many participants have no a-priori

309 views • 26 slides
FIDES: Lightweight Authentication Cipher with Side-Channel Resistance for Constrained Hardware

FIDES: Lightweight Authentication Cipher with Side-Channel Resistance for Constrained Hardware

FIDES: Lightweight Authentication Cipher with Side-Channel Resistance for Constrained Hardware Begl Bilgin, Andrey Bogdanov, Miroslav Kne evi , Florian Mendel, and Qingju Wang 1 DIAC 2013, Chicago Side Channel Resistance 2 Side

1.29k views • 76 slides
Modern client-side defenses Deian Stefan Today How can we build flexible and secure client-side

Modern client-side defenses Deian Stefan Today How can we build flexible and secure client-side

CSE 127: Computer Security Modern client-side defenses Deian Stefan Today How can we build flexible and secure client-side web applications (from vulnerable/untrusted components) Modern web sites are complicated Modern web sites are

709 views • 57 slides
CLIENT INITIATED BACKCHANNEL AUTHENTICATION CIBA? CIBA is an authentication flow like OpenID

CLIENT INITIATED BACKCHANNEL AUTHENTICATION CIBA? CIBA is an authentication flow like OpenID

CLIENT INITIATED BACKCHANNEL AUTHENTICATION CIBA? CIBA is an authentication flow like OpenID Connect. However, unlike OpenID Connect, there is direct Relying Party to OpenID Provider communication without redirects through the user's browser.

505 views • 17 slides
DC3158 Summary Summary Client Side Exploitation Attack Chaining. Client Side

DC3158 Summary Summary Client Side Exploitation Attack Chaining. Client Side

DEFCON DC3158 Summary Summary Client Side Exploitation Attack Chaining. Client Side Exploitation Script Based Attack Powershell,Jscript,Vbscript Vbscript:still people use IE, you can call wmic and powershell script to execute.

428 views • 15 slides
Client-Side Direct I/O for NFS Mike Kupfer kupfer@Eng.Sun.COM 28 February 1997 1 Client-Side

Client-Side Direct I/O for NFS Mike Kupfer kupfer@Eng.Sun.COM 28 February 1997 1 Client-Side

Client-Side Direct I/O for NFS Mike Kupfer kupfer@Eng.Sun.COM 28 February 1997 1 Client-Side Direct I/O for NFS Connectathon 1997 Disclaimer This is not a product announcement. 2 Client-Side Direct I/O for NFS Connectathon 1997

311 views • 16 slides
CSE392/ISE331 Attacks against the client-side of web applications Nick Nikiforakis

CSE392/ISE331 Attacks against the client-side of web applications Nick Nikiforakis

CSE392/ISE331 Attacks against the client-side of web applications Nick Nikiforakis nick@cs.stonybrook.edu Despite the same origin policy Many things can go wrong at the client-side of a web application Popular attacks Cross-site

266 views • 15 slides
CSE 510 Web Data Engineering Client-Side Programming JavaScript UB CSE 510 Web Data Engineering

CSE 510 Web Data Engineering Client-Side Programming JavaScript UB CSE 510 Web Data Engineering

CSE 510 Web Data Engineering Client-Side Programming JavaScript UB CSE 510 Web Data Engineering Web Programming Paradigms So far we have seen server-side programming Next Enrich user experience, interactivity with client- side

759 views • 24 slides
Cutting-edge Think Tank BLACK HAT EUROPE 2008 CLIENT-SIDE SECURITY Overview of various

Cutting-edge Think Tank BLACK HAT EUROPE 2008 CLIENT-SIDE SECURITY Overview of various

Cutting-edge Think Tank BLACK HAT EUROPE 2008 CLIENT-SIDE SECURITY Overview of various Client-Side Hacking Tricks and Techniques pdp Information Security Researcher, founder of the GNUCITIZEN group OBJECTIVES I was planning to...

948 views • 59 slides
Write Fast, Read in the Past: Causal Consistency for Client-side Apps with SwiftCloud App App

Write Fast, Read in the Past: Causal Consistency for Client-side Apps with SwiftCloud App App

Challenge: Database Access for Client-side Apps Write Fast, Read in the Past: Causal Consistency for Client-side Apps with SwiftCloud App App Presented by Marek Zawirski App App Inria / UPMC-LIP6, Paris (now at Google, Zrich) Marek

469 views • 13 slides
User Authentication using the Client Principle Object Presented By: Chris Longo User

User Authentication using the Client Principle Object Presented By: Chris Longo User

User Authentication using the Client Principle Object Presented By: Chris Longo User Authentication using the Client Principle Object Agenda What is the Client Principal Object? Why is it useful? How do I implement the CP Object?

697 views • 36 slides
World Community Grid Mass Installation and Customizing Client Behavior World Community Grid Mass

World Community Grid Mass Installation and Customizing Client Behavior World Community Grid Mass

World Community Grid Mass Installation and Customizing Client Behavior World Community Grid Mass Installation What are some situations where members are performing mass installations of the World Community Grid Client? University Labs

341 views • 10 slides
EGI-InSPIRE GridCertLib Shibboleth authentication for X.509 certificates and Grid proxies

EGI-InSPIRE GridCertLib Shibboleth authentication for X.509 certificates and Grid proxies

EGI-InSPIRE GridCertLib Shibboleth authentication for X.509 certificates and Grid proxies Sergio Maffioletti <sergio.maffioletti@gc3.uzh.ch> Grid Computing Competence Centre, University of Zurich http://www.gc3.uzh.ch/ GridCertLib EGI

383 views • 26 slides
CLIENT-SIDE STATIC ANALYSIS Ben Livshits, Microsoft Research Overview of Todays Lecture 2

CLIENT-SIDE STATIC ANALYSIS Ben Livshits, Microsoft Research Overview of Todays Lecture 2

CLIENT-SIDE STATIC ANALYSIS Ben Livshits, Microsoft Research Overview of Todays Lecture 2 Client-side JavaScript Browser Analysis of JavaScript Plugins eval and code Extensions obfuscation Firefox extension model

812 views • 51 slides
Storing Data Thierry Sans Modern Web Platform Client Side Server Side Web API Database Why

Storing Data Thierry Sans Modern Web Platform Client Side Server Side Web API Database Why

Storing Data Thierry Sans Modern Web Platform Client Side Server Side Web API Database Why using a database Persistency Concurrency (avoid race conditions) Query Scalability SQL vs NoSQL databases Relational database (SQL

475 views • 10 slides

More recommend