VO membership

This section expands some material that has been presented earlier in passing.

Each grid user is expected to have an X.509 certificate. This certificate is signed by a trustworthy certification authority (CA) and states the identity of the person. If one trusts the CA, then one can be sure that the certificate was issued to the person named in it.

The certificate contains the public part of a (public-private) key-pair, and so may be freely distributed. The private part of the pair must be kept secret. The whole X.509 security infrastructure depends critically on the secrecy of the private key.

A user may dispatch an agent to work on the user's behalf; for example, a user may request that a job be run on a remote site. This agent may undertake activity on behalf of the user; for example, uploading the results from a job. Since the user's private key must be kept secret, how does the agent identify itself?

To solve this problem, a short-lived key-pair is generated. The new public key is signed by the user's certificate (that is, with the user's private key), and both are given to the agent. The result is referred to as a proxy certificate. If the proxy's private key is compromised, the proxy will expire automatically, so limiting the damage that can be done.

In addition to being signed by the user's certificate, the short-lived public key may also be signed by the VOMS server, together with some attributes. These attributes declare which groups the user is in and which specific roles (if any) the user holds.

The Fully-Qualified Attribute Name (FQAN) is a representation of a user's VO membership. It has the form /vo-name[/groups][/Role=role]. The following are examples of FQANs:

/gks
/gks/gks08
/gks/dech
/dech

To create a simple proxy certificate without any VO membership information, the voms-proxy-init command is used. The -all option of voms-proxy-info is specified so that it also displays VO information, although in this example no VO membership information is present.

[user@ui-node] $ voms-proxy-init
Enter GRID pass phrase:
Your identity: Your DN is here
Creating proxy ................................................... Done
Your proxy is valid until Sun Sep  7 10:21:38 2008

and check the certificate:
[user@ui-node] $ voms-proxy-info -all
WARNING: Unable to verify signature! Server certificate possibly not installed.
Error: VOMS extension not found!
subject   : Your DN is here/CN=proxy
issuer    : Your DN is here
identity  : Your DN is here
type      : proxy
strength  : 512 bits
path      : /tmp/x509up_u100099
timeleft  : 11:59:55

With the -voms option, voms-proxy-init will contact the VOMS server and ask it to sign the proxy certificate, indicating VO membership along with any groups and roles the user may have.

Generate a proxy certificate that also includes membership of the VO gks:
[user@ui-node] $ voms-proxy-init -voms gks
Enter GRID pass phrase:
Your identity: Your DN is here
Creating temporary proxy ................................... Done
Contacting  dgrid-voms.fzk.de:15025 [/O=GermanGrid/OU=FZK/CN=host/dgrid-voms.fzk.de] "gks" Done
Creating proxy .............................................. Done
Your proxy is valid until Sun Sep  7 10:25:36 2008

We check the generated certificate. Note how the certificate has three FQANs, listed as attributes:
[user@ui-node] $ voms-proxy-info -all
subject   : Your DN is here/CN=proxy
issuer    : Your DN is here
identity  : Your DN is here
type      : proxy
strength  : 512 bits
path      : /tmp/x509up_u100099
timeleft  : 11:59:48
=== VO gks extension information ===
VO        : gks
subject   : Your DN is here
issuer    : /O=GermanGrid/OU=FZK/CN=host/dgrid-voms.fzk.de
attribute : /gks/Role=NULL/Capability=NULL
attribute : /gks/gks08/Role=NULL/Capability=NULL
attribute : /gks/dech/Role=NULL/Capability=NULL
timeleft  : 12:00:04

The VOMS server will always list all groups and roles a user has been assigned; however, the order in which they are listed can be adjusted by specifying one or more -order options. The first FQAN listed is the primary one, which is what services typically use when a user holds several memberships.

Generate a certificate, but emphasise the dech group membership (FQAN: /gks/dech) above the others:
[user@ui-node] $ voms-proxy-init -voms gks -order /gks/dech
Enter GRID pass phrase:
Your identity: Your DN is here
Creating temporary proxy ..................................................... Done
Contacting  dgrid-voms.fzk.de:15025 [/O=GermanGrid/OU=FZK/CN=host/dgrid-voms.fzk.de] "gks" Done
Creating proxy .................................... Done
Your proxy is valid until Sun Sep  7 10:42:19 2008

... and verify the certificate:
[user@ui-node] $ voms-proxy-info -all
subject   : Your DN is here/CN=proxy
issuer    : Your DN is here
identity  : Your DN is here
type      : proxy
strength  : 512 bits
path      : /tmp/x509up_u100099
timeleft  : 11:59:58
=== VO gks extension information ===
VO        : gks
subject   : Your DN is here
issuer    : /O=GermanGrid/OU=FZK/CN=host/dgrid-voms.fzk.de
attribute : /gks/dech/Role=NULL/Capability=NULL
attribute : /gks/gks08/Role=NULL/Capability=NULL
attribute : /gks/Role=NULL/Capability=NULL
timeleft  : 12:00:13
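As an added example (not part of the original tutorial or of the VOMS tools), the following Python code parses the FQAN format described above and reads the attribute lines from voms-proxy-info -all output, so that a service-side check can tell which VO/group/role a proxy actually carries and which FQAN is primary after -order. The sample output is constructed from the session above, with the DN replaced by a placeholder; Role=NULL is treated as "no role".

```python
import re

# Constructed sample: the "voms-proxy-info -all" output after
# "voms-proxy-init -voms gks -order /gks/dech", with a placeholder DN.
SAMPLE_OUTPUT = """\
subject   : /O=Example/CN=Some User/CN=proxy
issuer    : /O=Example/CN=Some User
identity  : /O=Example/CN=Some User
type      : proxy
strength  : 512 bits
path      : /tmp/x509up_u100099
timeleft  : 11:59:58
=== VO gks extension information ===
VO        : gks
subject   : /O=Example/CN=Some User
issuer    : /O=GermanGrid/OU=FZK/CN=host/dgrid-voms.fzk.de
attribute : /gks/dech/Role=NULL/Capability=NULL
attribute : /gks/gks08/Role=NULL/Capability=NULL
attribute : /gks/Role=NULL/Capability=NULL
timeleft  : 12:00:13
"""

# /vo-name[/groups][/Role=role][/Capability=cap]; group names cannot contain '='.
FQAN_RE = re.compile(r"^/(?P<vo>[^/=]+)(?P<groups>(?:/[^/=]+)*)"
                     r"(?:/Role=(?P<role>[^/]+))?(?:/Capability=[^/]+)?$")

def parse_fqan(fqan):
    """Return (vo, [groups], role); a NULL role is reported as None."""
    m = FQAN_RE.match(fqan.strip())
    if not m:
        raise ValueError("not an FQAN: %r" % fqan)
    groups = [g for g in m.group("groups").split("/") if g]
    role = m.group("role")
    return m.group("vo"), groups, (None if role == "NULL" else role)

def vo_attributes(output):
    """Map VO name -> FQAN attribute strings, in the order the server listed them."""
    vos, current = {}, None
    for line in output.splitlines():
        if line.startswith("=== VO ") and line.endswith(" extension information ==="):
            current = line[len("=== VO "):-len(" extension information ===")]
            vos[current] = []
        elif current and line.startswith("attribute"):
            vos[current].append(line.split(":", 1)[1].strip())
    return vos  # empty when the proxy has no VOMS extension at all

def primary_fqan(output, vo):
    """The first attribute listed is the primary FQAN, which -order controls."""
    attrs = vo_attributes(output).get(vo)
    return parse_fqan(attrs[0]) if attrs else None

def carries(output, wanted):
    """True if the proxy holds an FQAN equivalent to 'wanted' (NULL role == no role)."""
    target = parse_fqan(wanted)
    return any(parse_fqan(a) == target
               for attrs in vo_attributes(output).values() for a in attrs)
```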