PUSP from MyProxy

From PDP/Grid Wiki
Jump to navigationJump to search

Introduction

This page describes how one can configure a MyProxy server (in 'CA' mode) to produce PUSP proxies (see EGI wiki on PUSP) instead of End-Entity Certificates. The rest of this page assumes the myproxy-server is already installed, including the necessary (IGTF) CA distributions.

'Simple CA' setup

Create a MyProxy 'simple CA' directory structure:

/var/lib/globus/simple_robotca/
/var/lib/globus/simple_robotca/newcerts/
/var/lib/globus/simple_robotca/private/

Now store the robot certificate and key as if they are CA certificate and key:

/var/lib/globus/simple_robotca/cacert.pem
/var/lib/globus/simple_robotca/private/cakey.pem

Initialize a new 'CA':

touch /var/lib/globus/simple_robotca/index.txt
echo 01 > /var/lib/globus/simple_robotca/serial

Configuration of the MyProxy server

We need to configure among others, the clients (hosts) that are allowed to retrieve PUSPs.

Additionally we point to the correct robot certificate and key. Ideally the key would be stored on a HSM (see MyProxy CA HSM Support for more details).

Finally we need to configure a tool for obtaining the right DN and a extensions file for adding the right proxy extensions.

Edit the server configuration /etc/myproxy-server.config to look something like:

# Set the correct DNs: typically the DN of a single Science Gateway.
authorized_retrievers "<ALLOWED RETRIEVERS DN>"
trusted_retrievers "<TRUSTED RETRIEVERS DN>"
default_trusted_retrievers "<DEFAULT TRUSTED RETRIEVERS DN>"

# Trusted certificates directory
cert_dir /etc/grid-security/certificates

# Robot certificate and private key, update paths where needed
certificate_issuer_cert /var/lib/globus/simple_robotca/cacert.pem
certificate_issuer_key /var/lib/globus/simple_robotca/private/cakey.pem
# Set the correct robot private key password
certificate_issuer_key_passphrase "<ROBOT CERTIFICATE PASSPHRASE>"

certificate_serialfile /var/lib/globus/simple_robotca/serial
certificate_out_dir /var/lib/globus/simple_robotca/newcerts

# Next option is needed to include the robot EEC in the returned proxy chain
certificate_issuer_subca_certfile /var/lib/globus/simple_robotca/cacert.pem

# Script to produce the correct PUSP subject DN
certificate_mapapp /opt/myproxy/bin/myproxy-certificate-mapapp

# Extensions to create a valid RFC proxy certificate
certificate_extfile /opt/myproxy/share/etc/proxy_extensions.cnf

Effectively only the last three options are specific for the PUSP configuration compared to a normal MyProxy CA configuration.

See myproxy-server.config man-page for details on each option.

Extra files used to create the PUSP

Mapping script

The contents of the mapping script myproxy-certificate-mapapp is something like:

#!/bin/sh
username=$1
if [ X"$username" = X ]; then
    # no username given
    exit 1
fi
# DN must match robot DN.
echo "/DC=org/DC=terena/DC=tcs/O=Nikhef/OU=Robot/CN=Robot - Marvin/CN=user:${username}"
exit 0

Certificate extensions file

And the proxy_extensions.cnf contains something like:

keyUsage = critical,digitalSignature,keyEncipherment
1.3.6.1.5.5.7.1.14 = critical,ASN1:SEQUENCE:rfc3820_seq_sect_infinite

[ rfc3820_seq_sect_infinite ]
field1 = SEQUENCE:normal_policy

[ normal_policy ]
p1 = OID:1.3.6.1.5.5.7.21.1

A more generic file would be:

keyUsage = critical,digitalSignature,keyEncipherment
1.3.6.1.5.5.7.1.14 = critical,ASN1:SEQUENCE:$ENV::PROXY_INFO

[ rfc3820_seq_sect_infinite ]
field1 = SEQUENCE:$ENV::PROXY_POLICY

[ rfc3820_seq_sect ]
field1 = INTEGER:$ENV::PROXY_PATHLENGTH
field2 = SEQUENCE:$ENV::PROXY_POLICY

[ normal_policy ]
p1 = OID:1.3.6.1.5.5.7.21.1

[ limited_policy ]
p1 = OID:1.3.6.1.4.1.3536.1.1.1.9

where PROXY_INFO, PROXY_PATHLENGTH and PROXY_POLICY should be defined as environment variables, e.g. in /etc/sysconfig/myproxy-server For example:

export PROXY_INFO=rfc3820_seq_sect
export PROXY_PATHLENGTH=42
export PROXY_POLICY=limited_policy

which would result in limited RFC proxies with a maximum proxyPathLength constraint of 42.

Test your setup

From the 'trusted retriever' machine, you should be able to run

export X509_USER_CERT=/etc/grid-security/hostcert.pem
export X509_USER_KEY=/etc/grid-security/hostkey.pem
myproxy-logon -s <MYPROXY SERVER> -l <USERNAME> -n

This essentially runs a MyProxy GET command (see MyProxy protocol). See the myproxy-logon man-page for more information on the available command-line options for myproxy-logon.

The output can then be verified using

grid-proxy-info

or

voms-proxy-info

which should output something like:

subject  : /DC=org/DC=terena/DC=tcs/O=Nikhef/OU=Robot/CN=Robot - Marvin/CN=user:John Doe
issuer   : /DC=org/DC=terena/DC=tcs/O=Nikhef/OU=Robot/CN=Robot - Marvin
identity : /DC=org/DC=terena/DC=tcs/O=Nikhef/OU=Robot/CN=Robot - Marvin
type     : RFC 3820 compliant impersonation proxy
strength : 2048 bits
path     : /tmp/x509up_u1000
timeleft : 11:59:18

Security considerations

In addition to all the normal security considerations already applicable to e.g. PUSP a few specific points are applicable here.

  • Obviously the robot private key must be well protected, ideally on a hardware token, see MyProxy CA HSM Support for details.
  • When the private key is stored in file, such as described above, its password should only be configured inside the myproxy-server.config file.
  • Furthermore, the MyProxy CA should not (and does not need to) be reachable from any host other than the client portal, i.e. the Science Gateway.
  • The client portal/Science Gateway should also carefully protect its private key, since it provides access to unlimited proxy certificates from the robot certificate.