Difference between revisions of "PUSP from MyProxy"

From PDP/Grid Wiki
Line 18: Line 18:
 
Edit the server configuration <tt>/etc/myproxy-server.config</tt> to look something like:
 
Edit the server configuration <tt>/etc/myproxy-server.config</tt> to look something like:
 
  # Set the correct DNs
 
  # Set the correct DNs
  authorized_retrievers <ALLOWED RETRIEVERS DN>
+
  authorized_retrievers "<ALLOWED RETRIEVERS DN>"
  trusted_retrievers <TRUSTED RETRIEVERS DN>
+
  trusted_retrievers "<TRUSTED RETRIEVERS DN>"
  default_trusted_retrievers <DEFAULT TRUSTED RETRIEVERS DN>
+
  default_trusted_retrievers "<DEFAULT TRUSTED RETRIEVERS DN>"
 
   
 
   
 
  # Trusted certificates directory
 
  # Trusted certificates directory
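Review bot: the double quotes added around the three DN placeholders are the right fix, since a retriever DN with spaces in it (compare the robot DN used later on this page, "CN=Robot - Marvin") would otherwise be split into several tokens, but nothing in the hunk says so; add a one-line remark next to these options that any DN containing spaces must be double-quoted, and that the placeholders are to be replaced by the specific retriever DNs rather than a catch-all, because authorized_retrievers, trusted_retrievers and default_trusted_retrievers decide which clients this server hands proxies to.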
Line 42: Line 42:
 
  # Extensions to create a valid RFC proxy certificate
 
  # Extensions to create a valid RFC proxy certificate
 
  certificate_extfile /opt/myproxy/share/etc/proxy_extensions.cnf
 
  certificate_extfile /opt/myproxy/share/etc/proxy_extensions.cnf
 +
 +
See [http://grid.ncsa.illinois.edu/myproxy/man/myproxy-server.config.5.html myproxy-server.config man-page] for details on each option.
  
 
== Extra files used to create the PUSP ==
 
== Extra files used to create the PUSP ==
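Review bot: both `+` lines in this hunk are empty, so the change is whitespace only (two extra blank lines after certificate_extfile, before the man-page link); either drop it or fold it into the quoting change above so the revision history stays meaningful.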

Revision as of 14:12, 9 December 2015

Introduction

This page describes how one can configure a MyProxy server (in 'CA' mode) to produce PUSP proxies (see EGI wiki on PUSP) instead of End-Entity Certificates. The rest of this page assumes the myproxy-server is already installed, including the necessary (IGTF) CA distributions.

'Simple CA' setup

Create a MyProxy 'simple CA' directory structure:

/var/lib/globus/simple_robotca/
/var/lib/globus/simple_robotca/newcerts/
/var/lib/globus/simple_robotca/private/

Now store the robot certificate and key as if they are CA certificate and key:

/var/lib/globus/simple_robotca/cacert.pem
/var/lib/globus/simple_robotca/private/cakey.pem

Initialize a new 'CA':

touch /var/lib/globus/simple_robotca/index.txt
echo 01 > /var/lib/globus/simple_robotca/serial

Configuration of the MyProxy server

Edit the server configuration /etc/myproxy-server.config to look something like:

# Set the correct DNs
authorized_retrievers "<ALLOWED RETRIEVERS DN>"
trusted_retrievers "<TRUSTED RETRIEVERS DN>"
default_trusted_retrievers "<DEFAULT TRUSTED RETRIEVERS DN>"

# Trusted certificates directory
cert_dir /etc/grid-security/certificates

# Robot certificate and private key, update paths where needed
certificate_issuer_cert /var/lib/globus/simple_robotca/cacert.pem
certificate_issuer_key /var/lib/globus/simple_robotca/private/cakey.pem
# Set the correct robot private key password
certificate_issuer_key_passphrase "<ROBOT CERTIFICATE PASSPHRASE>"

certificate_serialfile /var/lib/globus/simple_robotca/serial
certificate_out_dir /var/lib/globus/simple_robotca/newcerts

# Next option is needed to include the robot EEC in the returned proxy chain
certificate_issuer_subca_certfile /var/lib/globus/simple_robotca/cacert.pem

# Script to produce the correct PUSP subject DN
certificate_mapapp /opt/myproxy/bin/myproxy-certificate-mapapp

# Extensions to create a valid RFC proxy certificate
certificate_extfile /opt/myproxy/share/etc/proxy_extensions.cnf

See myproxy-server.config man-page for details on each option.

Extra files used to create the PUSP

Mapping script

The contents of the mapping script myproxy-certificate-mapapp are something like:

#!/bin/sh
username=$1
if [ X"$username" = X ]; then
    # no username given
    exit 1
fi
# DN must match robot DN.
echo "/DC=org/DC=terena/DC=tcs/O=Nikhef/OU=Robot/CN=Robot - Marvin/CN=user:${username}"
exit 0

Certificate extensions file

And the proxy_extensions.cnf contains something like:

keyUsage = critical,digitalSignature,keyEncipherment
1.3.6.1.5.5.7.1.14 = critical,ASN1:SEQUENCE:rfc3820_seq_sect_infinite

[ rfc3820_seq_sect_infinite ]
field1 = SEQUENCE:normal_policy

[ normal_policy ]
p1 = OID:1.3.6.1.5.5.7.21.1

A more generic file would be:

keyUsage = critical,digitalSignature,keyEncipherment
1.3.6.1.5.5.7.1.14 = critical,ASN1:SEQUENCE:$ENV::PROXY_INFO

[ rfc3820_seq_sect_infinite ]
field1 = SEQUENCE:$ENV::PROXY_POLICY

[ rfc3820_seq_sect ]
field1 = INTEGER:$ENV::PROXY_PATHLENGTH
field2 = SEQUENCE:$ENV::PROXY_POLICY

[ normal_policy ]
p1 = OID:1.3.6.1.5.5.7.21.1

[ limited_policy ]
p1 = OID:1.3.6.1.4.1.3536.1.1.1.9

where PROXY_INFO, PROXY_PATHLENGTH and PROXY_POLICY must be defined as environment variables of the myproxy-server process, e.g. in /etc/sysconfig/myproxy-server. For example:

export PROXY_INFO=rfc3820_seq_sect
export PROXY_PATHLENGTH=42
export PROXY_POLICY=limited_policy

which would result in limited RFC proxies with a maximum proxyPathLength constraint of 42.
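As an added example (not code from this wiki page or from MyProxy), the script below issues a PUSP with plain OpenSSL using the generic proxy_extensions.cnf and the three environment variables described above, and then checks the result the way a relying party should: the subject must be the issuer DN plus exactly one CN=user:<name> component, and the critical proxyCertInfo extension must carry the expected path length. The robot DN, user name, working directory and the self-signed robot certificate are constructed for the example.

```shell
# Added example (not the wiki page's or MyProxy's code): issue a PUSP with plain OpenSSL
# from the page's generic proxy_extensions.cnf, then check it as a relying party would.
set -eu
# Extensions file from the page; OpenSSL expands $ENV:: when loading it, so export first.
write_extfile() {
    cat > "$1" <<'EOF'
keyUsage = critical,digitalSignature,keyEncipherment
1.3.6.1.5.5.7.1.14 = critical,ASN1:SEQUENCE:$ENV::PROXY_INFO
[ rfc3820_seq_sect_infinite ]
field1 = SEQUENCE:$ENV::PROXY_POLICY
[ rfc3820_seq_sect ]
field1 = INTEGER:$ENV::PROXY_PATHLENGTH
field2 = SEQUENCE:$ENV::PROXY_POLICY
[ normal_policy ]
p1 = OID:1.3.6.1.5.5.7.21.1
[ limited_policy ]
p1 = OID:1.3.6.1.4.1.3536.1.1.1.9
EOF
}

# issue_pusp WORKDIR USERNAME PATHLEN: writes WORKDIR/robot.pem and WORKDIR/pusp.pem
issue_pusp() {
    dir=$1; user=$2
    robot_dn="/O=Example/OU=Robot/CN=Robot - Example"   # constructed robot DN
    write_extfile "$dir/proxy_extensions.cnf"
    # Self-signed robot EEC, only so that the example runs offline
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$robot_dn" \
        -keyout "$dir/robot.key" -out "$dir/robot.pem" 2>/dev/null
    # Same rule as the page's mapping script: subject = robot DN + /CN=user:<name>
    openssl req -new -newkey rsa:2048 -nodes -subj "$robot_dn/CN=user:$user" \
        -keyout "$dir/pusp.key" -out "$dir/pusp.csr" 2>/dev/null
    # The three variables the page exports from /etc/sysconfig/myproxy-server
    PROXY_INFO=rfc3820_seq_sect PROXY_PATHLENGTH=$3 PROXY_POLICY=limited_policy \
    openssl x509 -req -in "$dir/pusp.csr" -CA "$dir/robot.pem" -CAkey "$dir/robot.key" \
        -set_serial 1 -days 1 -extfile "$dir/proxy_extensions.cnf" -out "$dir/pusp.pem" 2>/dev/null
}

# check_pusp CERT USERNAME PATHLEN: prints "ok" (status 0) or the first failed check (status 1)
check_pusp() {
    subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^[^=]*= *//')
    iss=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^[^=]*= *//')
    text=$(openssl x509 -in "$1" -noout -text)
    # Exactly one CN=user:<name> in front of the issuer DN and nothing else
    [ "$subj" = "CN=user:$2,$iss" ] || { echo "bad subject: $subj"; return 1; }
    echo "$text" | grep -q 'Proxy Certificate Information: critical' || { echo "no critical proxyCertInfo"; return 1; }
    # openssl prints the constraint in hex, so 42 shows up as 2A
    echo "$text" | grep -q "Path Length Constraint: $(printf '%X' "$3")" || { echo "wrong pathlen"; return 1; }
    echo ok
}
d=$(mktemp -d); issue_pusp "$d" alice 42; check_pusp "$d/pusp.pem" alice 42
```

A real MyProxy deployment replaces the self-signed robot certificate with the IGTF-issued robot EEC and key from the 'simple CA' directory above; the checks in check_pusp apply unchanged to a proxy retrieved from the server.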