PUSP from MyProxy
Introduction
This page describes how one can configure a MyProxy server (in 'CA' mode) to produce PUSP proxies (see EGI wiki on PUSP) instead of End-Entity Certificates. The rest of this page assumes the myproxy-server is already installed, including the necessary (IGTF) CA distributions.
'Simple CA' setup
Create a MyProxy 'simple CA' directory structure:
/var/lib/globus/simple_robotca/
/var/lib/globus/simple_robotca/newcerts/
/var/lib/globus/simple_robotca/private/
Now store the robot certificate and key as if they were the CA certificate and key:
/var/lib/globus/simple_robotca/cacert.pem
/var/lib/globus/simple_robotca/private/cakey.pem
Initialize a new 'CA':
touch /var/lib/globus/simple_robotca/index.txt
echo 01 > /var/lib/globus/simple_robotca/serial
Configuration of the MyProxy server
Among other things, we need to configure the clients (hosts) that are allowed to retrieve PUSPs.
Additionally we point to the correct robot certificate and key. Ideally the key would be stored on an HSM (see MyProxy CA HSM Support for more details).
Finally we need to configure a tool for obtaining the right DN and an extensions file for adding the right proxy extensions.
Edit the server configuration /etc/myproxy-server.config to look something like:
# Set the correct DNs: typically the DN of a single Science Gateway.
authorized_retrievers "<ALLOWED RETRIEVERS DN>"
trusted_retrievers "<TRUSTED RETRIEVERS DN>"
default_trusted_retrievers "<DEFAULT TRUSTED RETRIEVERS DN>"

# Trusted certificates directory
cert_dir /etc/grid-security/certificates

# Robot certificate and private key, update paths where needed
certificate_issuer_cert /var/lib/globus/simple_robotca/cacert.pem
certificate_issuer_key /var/lib/globus/simple_robotca/private/cakey.pem
# Set the correct robot private key password
certificate_issuer_key_passphrase "<ROBOT CERTIFICATE PASSPHRASE>"
certificate_serialfile /var/lib/globus/simple_robotca/serial
certificate_out_dir /var/lib/globus/simple_robotca/newcerts

# Next option is needed to include the robot EEC in the returned proxy chain
certificate_issuer_subca_certfile /var/lib/globus/simple_robotca/cacert.pem

# Script to produce the correct PUSP subject DN
certificate_mapapp /opt/myproxy/bin/myproxy-certificate-mapapp

# Extensions to create a valid RFC proxy certificate
certificate_extfile /opt/myproxy/share/etc/proxy_extensions.cnf
Effectively only the last three options are specific to the PUSP configuration compared to a normal MyProxy CA configuration.
See myproxy-server.config man-page for details on each option.
Extra files used to create the PUSP
Mapping script
The contents of the mapping script myproxy-certificate-mapapp is something like:
#!/bin/sh
username=$1
if [ X"$username" = X ]; then
    # no username given
    exit 1
fi
# DN must match robot DN.
echo "/DC=org/DC=terena/DC=tcs/O=Nikhef/OU=Robot/CN=Robot - Marvin/CN=user:${username}"
exit 0
Certificate extensions file
And the proxy_extensions.cnf contains something like:
keyUsage = critical,digitalSignature,keyEncipherment
1.3.6.1.5.5.7.1.14 = critical,ASN1:SEQUENCE:rfc3820_seq_sect_infinite

[ rfc3820_seq_sect_infinite ]
field1 = SEQUENCE:normal_policy

[ normal_policy ]
p1 = OID:1.3.6.1.5.5.7.21.1
A more generic file would be:
keyUsage = critical,digitalSignature,keyEncipherment
1.3.6.1.5.5.7.1.14 = critical,ASN1:SEQUENCE:$ENV::PROXY_INFO

[ rfc3820_seq_sect_infinite ]
field1 = SEQUENCE:$ENV::PROXY_POLICY

[ rfc3820_seq_sect ]
field1 = INTEGER:$ENV::PROXY_PATHLENGTH
field2 = SEQUENCE:$ENV::PROXY_POLICY

[ normal_policy ]
p1 = OID:1.3.6.1.5.5.7.21.1

[ limited_policy ]
p1 = OID:1.3.6.1.4.1.3536.1.1.1.9
where PROXY_INFO, PROXY_PATHLENGTH and PROXY_POLICY should be defined as environment variables, e.g. in /etc/sysconfig/myproxy-server. For example:
export PROXY_INFO=rfc3820_seq_sect
export PROXY_PATHLENGTH=42
export PROXY_POLICY=limited_policy
which would result in limited RFC proxies with a maximum proxyPathLength constraint of 42.
Test your setup
From the 'trusted retriever' machine, you should be able to run
export X509_USER_CERT=/etc/grid-security/hostcert.pem
export X509_USER_KEY=/etc/grid-security/hostkey.pem
myproxy-logon -s <MYPROXY SERVER> -l <USERNAME> -n
This essentially runs a MyProxy GET command (see MyProxy protocol). See the myproxy-logon man-page for more information on the available command-line options for myproxy-logon.
The output can then be verified using
grid-proxy-info
or
voms-proxy-info
which should output something like:
subject  : /DC=org/DC=terena/DC=tcs/O=Nikhef/OU=Robot/CN=Robot - Marvin/CN=user:John Doe
issuer   : /DC=org/DC=terena/DC=tcs/O=Nikhef/OU=Robot/CN=Robot - Marvin
identity : /DC=org/DC=terena/DC=tcs/O=Nikhef/OU=Robot/CN=Robot - Marvin
type     : RFC 3820 compliant impersonation proxy
strength : 2048 bits
path     : /tmp/x509up_u1000
timeleft : 11:59:18
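As an added example (not part of the original page or of MyProxy itself), the following script checks that a proxy reported by grid-proxy-info really is a PUSP from the configured robot: the issuer must be the robot EEC, the type must be RFC 3820, and the subject must be the robot DN extended by exactly one CN=user: RDN. It also mirrors the mapping script's DN construction, with a username check added; the allowed character set is an assumption chosen here, not a MyProxy rule. The sample output is constructed from the listing above.

```python
"""Verify that a proxy described by grid-proxy-info output is a PUSP of a given robot."""
import re

# DN of the robot EEC as used in the mapping script on this page.
ROBOT_DN = "/DC=org/DC=terena/DC=tcs/O=Nikhef/OU=Robot/CN=Robot - Marvin"

# Constructed sample: grid-proxy-info output for a PUSP issued to "John Doe".
SAMPLE_INFO = """\
subject  : /DC=org/DC=terena/DC=tcs/O=Nikhef/OU=Robot/CN=Robot - Marvin/CN=user:John Doe
issuer   : /DC=org/DC=terena/DC=tcs/O=Nikhef/OU=Robot/CN=Robot - Marvin
identity : /DC=org/DC=terena/DC=tcs/O=Nikhef/OU=Robot/CN=Robot - Marvin
type     : RFC 3820 compliant impersonation proxy
strength : 2048 bits
path     : /tmp/x509up_u1000
timeleft : 11:59:18
"""

def pusp_subject(robot_dn, username):
    """Build the PUSP subject the way the mapping script does, after validating
    the username. A '/' or newline in the username would otherwise add extra
    RDNs to the DN. The allowed character set is an assumption (local policy)."""
    if not username or not re.fullmatch(r"[A-Za-z0-9 ._@-]+", username):
        raise ValueError("unacceptable username: %r" % username)
    return "%s/CN=user:%s" % (robot_dn, username)

def parse_proxy_info(text):
    """Turn 'key : value' lines into a dict, splitting on the first colon only."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def check_pusp(text, robot_dn):
    """Return (True, username) for a well-formed PUSP, else (False, reason)."""
    f = parse_proxy_info(text)
    if f.get("issuer") != robot_dn or f.get("identity") != robot_dn:
        return False, "issuer/identity is not the robot DN"
    if not f.get("type", "").startswith("RFC 3820"):
        return False, "not an RFC 3820 proxy"
    prefix = robot_dn + "/CN=user:"
    subject = f.get("subject", "")
    if not subject.startswith(prefix):
        return False, "subject does not extend the robot DN with CN=user:"
    username = subject[len(prefix):]
    try:
        pusp_subject(robot_dn, username)   # rejects usernames that smuggle in RDNs
    except ValueError as err:
        return False, str(err)
    return True, username
```

Pipe the real output in with `grid-proxy-info | python3 check_pusp.py` after adding a small `sys.stdin.read()` call; the functions above are what such a wrapper would invoke.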
Security considerations
In addition to all the normal security considerations that already apply to e.g. PUSP, a few specific points apply here.
- Obviously the robot private key must be well protected, ideally on a hardware token, see MyProxy CA HSM Support for details.
- When the private key is stored in a file, as described above, its password should only be configured inside the myproxy-server.config file.
- Furthermore, the MyProxy CA should not (and does not need to) be reachable from any host other than the client portal, i.e. the Science Gateway.
- The client portal/Science Gateway should also carefully protect its private key, since it provides access to unlimited proxy certificates from the robot certificate.