Using an Aladdin eToken PRO to generate grid proxies

From PDP/Grid Wiki
Jump to navigationJump to search

Once your grid certificate and private key are safely stored on your eToken, you can generate grid proxies directly from the eToken.

A shell script ( mkproxy script ) was written for this purpose. This script requires quite a few special programs and libraries , most of which can be downloaded here . Due to licensing restrictions we cannot supply the eToken libraries in this tarball, these need to be downloaded from Aladdin. You can find the required software on the web:

(the files on Aladdin's Russian site do not require a password to unpack them, the ones on the US site do...)

Please read the instructions on Using an Aladdin eToken PRO to store grid certificates to install the eToken RTE software before attempting to use this script.

The script has been tested on

  • Windows XP (using cygwin)
  • Linux CentOS 4 (rhel4)
  • Linux Fedora Core 5 (fc5)

In the near future we hope to test it on MacOS X as well

Note It does NOT work on Windows using the MingW/MSys shell.

Installing the mkproxy script

To install the myproxy script, download the tarball and unpack it in Your Favorite Directory. Support for all platforms mentioned above is included, so if you only need support for a single platform (e.g. rhel4) you can delete the cygwin and fc5 directories.

Linux only

After unpacking the tarball, copy over the libetpkcs11.so file from the Aladdin RTE client software (installed usually in /usr/local/lib)

cp /usr/local/lib/libetpkcs11.so <Your Favorite Directory>/<platform>/lib

e.g. if the tarball is unpacked in the current directory and your Favorite Platform is fc5 then type

cp /usr/local/lib/libetpkcs11.so ./fc5/lib

mkproxy script usage

To see the help page for the mkproxy script , type

./mkproxy --help

Which will return

 mkproxy version 1.00
 This script will generate a X509 grid proxy using a public/private
 key pair found on an attached Aladdin eToken PRO.
                                                                                                   
  Options
  [--help]          Displays usage.
  [--version]       Displays version.
  [--debug]         Enables extra debug output.
  [--quiet]         Quiet mode, minimal output.
  [--old]           Creates a legacy globus proxy.
  [--rfc]           Creates a RFC 3820 compliant proxy.
  [--days=N]        Number of days the proxy is valid (default=1).
  [--path-length=N] Allow a chain of at most N proxies to be generated
                    from this one (default=2).
  [--bits=N]        Number of bits in key (512, 1024, 2048, default=512).
  [--out=proxyfile] Non-standard location of new proxy cert.
                                                                                                    
  [--slot=N]        Slot number where eToken is located (default=0).
  [--label=string]  (Part of) label of X509 certificate on eToken.
  [--id=string]     (Part of) ID of X509 certificate on eToken.
  [--platform=rhel4|fc5|cygwin|guess]
                    Overrule the system platform.

Note Instead of using '--option=value' you can also use '--option value'.

If you have installed a single grid certificate on your eToken you can now generate a grid proxy using the command

./mkproxy

Which will return

Starting Aladdin eToken PRO proxy generation
  (detected platform cygwin)
Found X.509 certificate on eToken:
  label: (eTCAPI) Jan Just Keijser's NIKHEF ID
  id:    39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30
Your identity: /O=dutchgrid/O=users/O=nikhef/CN=Jan Just Keijser
Generating a 512 bit RSA private key
..........++++++++++++
......++++++++++++
writing new private key to 'proxykey.QjN408'
-----
engine "pkcs11" set.
Signature ok
subject=/O=dutchgrid/O=users/O=nikhef/CN=Jan Just Keijser/CN=proxy
Getting CA Private Key
PKCS#11 token PIN: 
Your proxy is valid until: Fri Apr 20 16:51:16 WEST 2007

The default location of your grid proxy is the same as for grid-proxy-init:

  • wherever $X509_USER_PROXY is pointing to

otherwise

  • /tmp/x509up_u<id>, where <id> is your numeric userid.

Note on proxy duration

Grid proxies generated using the mkproxy script have a duration measured in days, with a minimum of 1 day (i.e 24 hours). This is due to missing functionality in the openssl req command, which does not allow you to specify a specific end-date.

Advanced mkproxy usage

'But what if I have more than one X509 certificate stored on my precious eToken' I hear you cry. This is where the --label --id options come into play. You can specify (part of) the label or of the id of a X509 certificate on Your Precious eToken to select a specific X509 certificate. The key which is used to create the grid proxy is found by matching the 'id ' of the X509 public key with that of the RSA private key.

There is no need to specify the full label or id as found on the eToken to select an X509 certificate. The value passed to the --label option is matched against the X509 certificates on Your Precious eToken using a sed-style regular expression. For example, by specifying

--label=NIKHEF

the mkproxy script will select the first X509 certificate on the token matching 'NIKHEF'.


'But now I want stronger encryption!' I hear you moan. For this the --bits option is handy. By specifying

--bits=1024 

you can increase the encryption strength of your grid proxy to 1024 bits. Note that the default is 512, which is the same as the grid-proxy-init command.