Difference between revisions of "PUSP from MyProxy"
Line 18: | Line 18: | ||
Edit the server configuration <tt>/etc/myproxy-server.config</tt> to look something like: | Edit the server configuration <tt>/etc/myproxy-server.config</tt> to look something like: | ||
# Set the correct DNs | # Set the correct DNs | ||
− | authorized_retrievers <ALLOWED RETRIEVERS DN> | + | authorized_retrievers "<ALLOWED RETRIEVERS DN>" |
− | trusted_retrievers <TRUSTED RETRIEVERS DN> | + | trusted_retrievers "<TRUSTED RETRIEVERS DN>" |
− | default_trusted_retrievers <DEFAULT TRUSTED RETRIEVERS DN> | + | default_trusted_retrievers "<DEFAULT TRUSTED RETRIEVERS DN>" |
# Trusted certificates directory | # Trusted certificates directory | ||
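Review bot: the added double quotes are a real fix rather than cosmetics: myproxy-server.config values are whitespace-delimited, so a DN containing spaces (the page's own robot DN has "CN=Robot - Marvin") would be split into several tokens without them; keep the quotes when the placeholders are replaced with real DNs. The "# Set the correct DNs" comment could also say that these three options decide which client identities may retrieve credentials at all, since an over-broad DN or wildcard here widens who can obtain a PUSP from this server.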
Line 42: | Line 42: | ||
# Extensions to create a valid RFC proxy certificate | # Extensions to create a valid RFC proxy certificate | ||
certificate_extfile /opt/myproxy/share/etc/proxy_extensions.cnf | certificate_extfile /opt/myproxy/share/etc/proxy_extensions.cnf | ||
+ | |||
+ | See [http://grid.ncsa.illinois.edu/myproxy/man/myproxy-server.config.5.html myproxy-server.config man-page] for details on each option. | ||
== Extra files used to create the PUSP == | == Extra files used to create the PUSP == |
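Review bot: the link is a useful addition, but it points at an external host; mention the locally installed copy as well ("man 5 myproxy-server.config", the same section-5 page the URL refers to) so the reference keeps working if the site moves.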
Revision as of 14:12, 9 December 2015
Introduction
This page describes how one can configure a MyProxy server (in 'CA' mode) to produce PUSP proxies (see EGI wiki on PUSP) instead of End-Entity Certificates. The rest of this page assumes the myproxy-server is already installed, including the necessary (IGTF) CA distributions.
'Simple CA' setup
Create a MyProxy 'simple CA' directory structure:
/var/lib/globus/simple_robotca/
/var/lib/globus/simple_robotca/newcerts/
/var/lib/globus/simple_robotca/private/
Now store the robot certificate and key as if they were the CA certificate and key:
/var/lib/globus/simple_robotca/cacert.pem
/var/lib/globus/simple_robotca/private/cakey.pem
Initialize a new 'CA':
touch /var/lib/globus/simple_robotca/index.txt
echo 01 > /var/lib/globus/simple_robotca/serial
Configuration of the MyProxy server
Edit the server configuration /etc/myproxy-server.config to look something like:
# Set the correct DNs
authorized_retrievers "<ALLOWED RETRIEVERS DN>"
trusted_retrievers "<TRUSTED RETRIEVERS DN>"
default_trusted_retrievers "<DEFAULT TRUSTED RETRIEVERS DN>"
# Trusted certificates directory
cert_dir /etc/grid-security/certificates
# Robot certificate and private key, update paths where needed
certificate_issuer_cert /var/lib/globus/simple_robotca/cacert.pem
certificate_issuer_key /var/lib/globus/simple_robotca/private/cakey.pem
# Set the correct robot private key password
certificate_issuer_key_passphrase "<ROBOT CERTIFICATE PASSPHRASE>"
certificate_serialfile /var/lib/globus/simple_robotca/serial
certificate_out_dir /var/lib/globus/simple_robotca/newcerts
# Next option is needed to include the robot EEC in the returned proxy chain
certificate_issuer_subca_certfile /var/lib/globus/simple_robotca/cacert.pem
# Script to produce the correct PUSP subject DN
certificate_mapapp /opt/myproxy/bin/myproxy-certificate-mapapp
# Extensions to create a valid RFC proxy certificate
certificate_extfile /opt/myproxy/share/etc/proxy_extensions.cnf
See the myproxy-server.config man page (http://grid.ncsa.illinois.edu/myproxy/man/myproxy-server.config.5.html) for details on each option.
Extra files used to create the PUSP
Mapping script
The contents of the mapping script myproxy-certificate-mapapp are something like:
#!/bin/sh
username=$1
if [ X"$username" = X ]; then
    # no username given
    exit 1
fi
# DN must match robot DN, with a final CN=user:<username> component
# appended to turn it into a PUSP subject.
echo "/DC=org/DC=terena/DC=tcs/O=Nikhef/OU=Robot/CN=Robot - Marvin/CN=user:${username}"
exit 0
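The mapping script simply appends the username to the robot DN. As an added example (not the wiki's script and not part of MyProxy), the following Python program does the same job under the same certificate_mapapp contract (username in argv[1], DN on stdout, non-zero exit on failure), but refuses usernames that contain DN syntax, and it also shows the inverse check a relying party can run to recover the username from a PUSP subject. The robot DN is the one from the page; the username rule and the sample usernames are assumptions.

```python
"""Build and verify PUSP subject DNs of the form <robot DN>/CN=user:<username>.

Added example, not the wiki's mapping script and not part of MyProxy. The
robot DN comes from the page; USERNAME_RE is an assumed site-local rule."""
import re
import sys

# Robot DN taken from the mapping script on the page.
ROBOT_DN = "/DC=org/DC=terena/DC=tcs/O=Nikhef/OU=Robot/CN=Robot - Marvin"

# Assumption: what a username may look like. Anything containing '/', '=' or
# ',' could add or alter DN components, so it is refused outright.
USERNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._@-]{0,63}$")


def pusp_subject(robot_dn, username):
    """Return the PUSP subject DN for username, or raise ValueError."""
    if not USERNAME_RE.match(username):
        raise ValueError("unacceptable username: %r" % username)
    return "%s/CN=user:%s" % (robot_dn, username)


def pusp_username(subject_dn, robot_dn):
    """Relying-party check: return the username if subject_dn is exactly
    robot_dn followed by a single CN=user:<username> component, else None."""
    prefix = robot_dn + "/CN=user:"
    if not subject_dn.startswith(prefix):
        return None
    username = subject_dn[len(prefix):]
    if not USERNAME_RE.match(username):
        # Extra components such as "/CN=user:bob" after the name are rejected.
        return None
    return username


def main(argv):
    # Same contract as certificate_mapapp: username in argv[1], DN on stdout,
    # exit status 1 when no DN can be produced.
    if len(argv) < 2 or not argv[1]:
        return 1
    try:
        print(pusp_subject(ROBOT_DN, argv[1]))
    except ValueError as exc:
        print(str(exc), file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Installed in place of the shell script, it needs the same executable bit and the same certificate_mapapp path in myproxy-server.config; the relying-party function is meant for the service that consumes the PUSP, not for the MyProxy server.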
Certificate extensions file
And the proxy_extensions.cnf contains something like:
keyUsage = critical,digitalSignature,keyEncipherment
1.3.6.1.5.5.7.1.14 = critical,ASN1:SEQUENCE:rfc3820_seq_sect_infinite

[ rfc3820_seq_sect_infinite ]
field1 = SEQUENCE:normal_policy

[ normal_policy ]
p1 = OID:1.3.6.1.5.5.7.21.1
A more generic file would be:
keyUsage = critical,digitalSignature,keyEncipherment
1.3.6.1.5.5.7.1.14 = critical,ASN1:SEQUENCE:$ENV::PROXY_INFO

[ rfc3820_seq_sect_infinite ]
field1 = SEQUENCE:$ENV::PROXY_POLICY

[ rfc3820_seq_sect ]
field1 = INTEGER:$ENV::PROXY_PATHLENGTH
field2 = SEQUENCE:$ENV::PROXY_POLICY

[ normal_policy ]
p1 = OID:1.3.6.1.5.5.7.21.1

[ limited_policy ]
p1 = OID:1.3.6.1.4.1.3536.1.1.1.9
where PROXY_INFO, PROXY_PATHLENGTH and PROXY_POLICY should be defined as environment variables of the server process, e.g. in /etc/sysconfig/myproxy-server. For example:
export PROXY_INFO=rfc3820_seq_sect
export PROXY_PATHLENGTH=42
export PROXY_POLICY=limited_policy
which would result in limited RFC proxies with a maximum proxyPathLength constraint of 42.
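To see what these extension files actually put into the proxy, and to check a proxy the server returned, here is an added Python example (not from the wiki and not part of MyProxy or OpenSSL). It builds the DER value of the ProxyCertInfo extension (OID 1.3.6.1.5.5.7.1.14) exactly as the rfc3820_seq_sect section (with a path length) and the rfc3820_seq_sect_infinite section (without one) describe it, parses such a value back, and checks it against what the administrator configured. The two policy OIDs are the ones on the page; the DER helpers are hand-written and cover only the tags this structure needs, and check_proxy_cert_info is an assumed name for the administrator's check.

```python
"""Encode and inspect the RFC 3820 ProxyCertInfo extension value that
proxy_extensions.cnf makes OpenSSL add to each proxy.

Added example, not part of the wiki page, MyProxy or OpenSSL. The OIDs are the
ones used on the page; the minimal DER helpers are hand-written so that the
script runs offline."""

INHERIT_ALL_OID = "1.3.6.1.5.5.7.21.1"          # [ normal_policy ] on the page
LIMITED_PROXY_OID = "1.3.6.1.4.1.3536.1.1.1.9"  # [ limited_policy ] on the page
POLICY_NAMES = {INHERIT_ALL_OID: "inheritAll", LIMITED_PROXY_OID: "limited"}


def _der_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_length(len(body)) + body


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def _encode_int(value):
    # Non-negative only; the extra bit keeps the sign bit clear (e.g. 128 -> 00 80).
    return _tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def build_proxy_cert_info(policy_oid, pathlen=None):
    """ProxyCertInfo ::= SEQUENCE { pCPathLenConstraint INTEGER OPTIONAL,
    proxyPolicy SEQUENCE { policyLanguage OID } }; pathlen=None mirrors the
    rfc3820_seq_sect_infinite section, an integer mirrors rfc3820_seq_sect."""
    fields = b""
    if pathlen is not None:
        fields += _encode_int(pathlen)
    fields += _tlv(0x30, _encode_oid(policy_oid))
    return _tlv(0x30, fields)


def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def parse_proxy_cert_info(der):
    """Return {'pathlen': int|None, 'policy_oid': str, 'policy': name}."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a ProxyCertInfo SEQUENCE")
    pathlen, (tag, inner, pos) = None, _read_tlv(body, 0)
    if tag == 0x02:  # optional pCPathLenConstraint present
        pathlen = int.from_bytes(inner, "big", signed=True)
        tag, inner, pos = _read_tlv(body, pos)
    if tag != 0x30:
        raise ValueError("missing ProxyPolicy")
    ptag, oid_body, _ = _read_tlv(inner, 0)
    if ptag != 0x06:
        raise ValueError("policyLanguage must be an OID")
    oid = _decode_oid(oid_body)
    return {"pathlen": pathlen, "policy_oid": oid, "policy": POLICY_NAMES.get(oid, "other")}


def check_proxy_cert_info(der, want_policy, max_pathlen=None):
    """Assumed admin check: right policy, and (if required) a finite path
    length no larger than max_pathlen."""
    info = parse_proxy_cert_info(der)
    if info["policy"] != want_policy:
        return False
    if max_pathlen is not None and (info["pathlen"] is None or info["pathlen"] > max_pathlen):
        return False
    return True


if __name__ == "__main__":
    # Value the page's PROXY_PATHLENGTH=42 / PROXY_POLICY=limited_policy setting yields.
    limited = build_proxy_cert_info(LIMITED_PROXY_OID, pathlen=42)
    print(limited.hex())
    print(parse_proxy_cert_info(limited))
```

To inspect a proxy the server returned, pass the raw DER value of its 1.3.6.1.5.5.7.1.14 extension to parse_proxy_cert_info; a proxy produced with the first, non-generic extension file parses with pathlen None and policy inheritAll, which is what makes it an unlimited proxy.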