Using an Aladdin eToken PRO to generate grid proxies
Once your grid certificate and private key are safely stored on your eToken, you can generate grid proxies directly from the eToken.
A shell script (mkproxy script) was written for this purpose. This script requires quite a few special programs and libraries, most of which can be downloaded here. Due to licensing restrictions we cannot supply the eToken libraries in this tarball; these need to be downloaded from Aladdin. You can find the required software on the web:
- Windows: http://www.aladdin.ru/bitrix/redirect.php?event1=download&goto=/upload/iblock/2c0/RTE_3.65.zip
- Linux: http://www.aladdin.ru/bitrix/redirect.php?event1=download&goto=/upload/iblock/179/eToken_PKI_Client_for_Linux_v3_65.rar
- MacOS: http://www.aladdin.ru/bitrix/redirect.php?event1=download&goto=/upload/iblock/973/PKI_3_65_Mac.zip
(the files on Aladdin's Russian site do not require a password to unpack them, the ones on the US site do...)
Please read the instructions on Using an Aladdin eToken PRO to store grid certificates to install the eToken RTE software before attempting to use this script.
The script has been tested on
- Windows XP (using cygwin)
- Linux CentOS 4 (rhel4)
- Linux Fedora Core 5 (fc5)
In the near future we hope to test it on MacOS X as well.
Note: It does NOT work on Windows using the MingW/MSys shell.
Installing the mkproxy script
To install the mkproxy script, download the tarball and unpack it in Your Favorite Directory. Support for all platforms mentioned above is included, so if you only need support for a single platform (e.g. rhel4) you can delete the cygwin and fc5 directories.
Linux only
After unpacking the tarball, copy over the libetpkcs11.so file from the Aladdin RTE client software (usually installed in /usr/local/lib):
cp /usr/local/lib/libetpkcs11.so <Your Favorite Directory>/<platform>/lib
For example, if the tarball is unpacked in the current directory and your Favorite Platform is fc5, then type
cp /usr/local/lib/libetpkcs11.so ./fc5/lib
mkproxy script usage
To see the help page for the mkproxy script, type
./mkproxy --help
Which will return
mkproxy version 1.00

This script will generate a X509 grid proxy using a public/private key pair
found on an attached Aladdin eToken PRO.

Options
  [--help]            Displays usage.
  [--version]         Displays version.
  [--debug]           Enables extra debug output.
  [--quiet]           Quiet mode, minimal output.
  [--old]             Creates a legacy globus proxy.
  [--rfc]             Creates a RFC 3820 compliant proxy.
  [--days=N]          Number of days the proxy is valid (default=1).
  [--path-length=N]   Allow a chain of at most N proxies to be generated
                      from this one (default=2).
  [--bits=N]          Number of bits in key (512, 1024, 2048, default=512).
  [--out=proxyfile]   Non-standard location of new proxy cert.
  [--slot=N]          Slot number where eToken is located (default=0).
  [--label=string]    (Part of) label of X509 certificate on eToken.
  [--id=string]       (Part of) ID of X509 certificate on eToken.
  [--platform=rhel4|fc5|cygwin|guess]
                      Overrule the system platform.

Note: Instead of using '--option=value' you can also use '--option value'.
If you have installed a single grid certificate on your eToken you can now generate a grid proxy using the command
./mkproxy
Which will return
Starting Aladdin eToken PRO proxy generation (detected platform cygwin)
Found X.509 certificate on eToken:
  label: (eTCAPI) Jan Just Keijser's NIKHEF ID
  id: 39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30
Your identity: /O=dutchgrid/O=users/O=nikhef/CN=Jan Just Keijser
Generating a 512 bit RSA private key
..........++++++++++++
......++++++++++++
writing new private key to 'proxykey.QjN408'
-----
engine "pkcs11" set.
Signature ok
subject=/O=dutchgrid/O=users/O=nikhef/CN=Jan Just Keijser/CN=proxy
Getting CA Private Key
PKCS#11 token PIN:
Your proxy is valid until: Fri Apr 20 16:51:16 WEST 2007
The default location of your grid proxy is the same as for grid-proxy-init:
- wherever $X509_USER_PROXY is pointing to
otherwise
- /tmp/x509up_u<id>, where <id> is your numeric userid.
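A way to check the proxy file after mkproxy has run, as an added example that is not part of the mkproxy tarball: it resolves the location as described above and checks owner-only permissions, expiry and key size. The function names and the 1024-bit threshold are assumptions chosen for this illustration, and the openssl command-line tool must be on the PATH.

```shell
#!/bin/sh
# Added example; function names are illustrative, not part of mkproxy.

# $X509_USER_PROXY if set, otherwise /tmp/x509up_u<numeric uid>.
proxy_path() {
    if [ -n "${X509_USER_PROXY:-}" ]; then
        printf '%s\n' "$X509_USER_PROXY"
    else
        printf '/tmp/x509up_u%s\n' "$(id -u)"
    fi
}

# The proxy file holds an unencrypted private key, so only the owner may
# have access: the group/other columns of `ls -l` must read "------".
proxy_perms_ok() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# RSA key size of the first certificate in the file (the proxy itself).
proxy_key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public[- ]Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Report problems on stderr; returns 0 only if every check passes.
check_proxy() {
    f=$(proxy_path); rc=0
    proxy_perms_ok "$f" ||
        { echo "$f: missing or accessible by group/others" >&2; rc=1; }
    # -checkend 0 fails if the certificate has already expired.
    openssl x509 -in "$f" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "$f: expired or not a readable certificate" >&2; rc=1; }
    bits=$(proxy_key_bits "$f" 2>/dev/null)
    # Assumed threshold: flag anything below the --bits=1024 setting.
    [ "${bits:-0}" -ge 1024 ] ||
        { echo "$f: proxy key is ${bits:-unknown} bits" >&2; rc=1; }
    return $rc
}
```

Source the file and run check_proxy after ./mkproxy; a proxy created with the default --bits value is reported by the last check.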
Note on proxy duration
Grid proxies generated using the mkproxy script have a duration measured in days, with a minimum of 1 day (i.e. 24 hours). This is due to missing functionality in the openssl req command, which does not allow you to specify a specific end-date.
Advanced mkproxy usage
'But what if I have more than one X509 certificate stored on my precious eToken?' I hear you cry. This is where the --label and --id options come into play. You can specify (part of) the label or the id of an X509 certificate on Your Precious eToken to select a specific X509 certificate. The key which is used to create the grid proxy is found by matching the 'id' of the X509 public key with that of the RSA private key.
There is no need to specify the full label or id as found on the eToken to select an X509 certificate. The value passed to the --label option is matched against the X509 certificates on Your Precious eToken using a sed-style regular expression. For example, by specifying
--label=NIKHEF
the mkproxy script will select the first X509 certificate on the token matching 'NIKHEF'.
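The first-match behaviour described above, as an added example that is not mkproxy's own code: it shows how a partial --label pattern can match more than one certificate, so that the selected identity depends on the order of objects on the token. The inventory format ("id<TAB>label"), the ids, two of the three labels and all function names are constructed for this illustration.

```shell
#!/bin/sh
# Added example, not taken from mkproxy. Constructed sample inventory:
# one certificate per line, "id<TAB>label".
TAB=$(printf '\t')
INVENTORY=$(printf '%s\t%s\n' \
    01 "(eTCAPI) NIKHEF test host" \
    02 "(eTCAPI) Jan Just Keijser's NIKHEF ID" \
    03 "(eTCAPI) Other CA user cert")

# Print every certificate whose label matches the sed regular expression $1.
# '|' is used as the regex delimiter so labels containing '/' work;
# a pattern containing '|' is not supported by this sketch.
matching_certs() {
    printf '%s\n' "$INVENTORY" | while IFS="$TAB" read -r id label; do
        hit=$(printf '%s\n' "$label" | sed -n "\\|$1|p")
        if [ -n "$hit" ]; then
            printf '%s\t%s\n' "$id" "$label"
        fi
    done
}

# First match wins, as the text describes for --label.
select_cert() {
    matching_certs "$1" | head -n 1
}

# Number of certificates the pattern matches; more than 1 means the
# pattern is ambiguous and should be made more specific.
match_count() {
    matching_certs "$1" | wc -l | tr -d ' '
}
```

Here the pattern NIKHEF matches two certificates and selects the host certificate rather than the personal one, while 'NIKHEF ID' matches exactly one.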
'But now I want stronger encryption!' I hear you moan. For this the --bits option is handy. By specifying
--bits=1024
you can increase the encryption strength of your grid proxy to 1024 bits. Note that the default is 512, which is the same as the grid-proxy-init command.