Difference between revisions of "PUSP from MyProxy"

From PDP/Grid Wiki
Jump to navigationJump to search
Line 16: Line 16:
  
 
== Configuration of the MyProxy server ==
 
== Configuration of the MyProxy server ==
 +
We need to configure among others, the clients (hosts) that are allowed to retrieve PUSPs.
 +
 +
Additionally we point to the correct robot certificate and key. Ideally the key would be stored on a HSM (see [http://grid.ncsa.illinois.edu/myproxy/ca/engine/ MyProxy CA HSM Support] for more details).
 +
 +
Finally we need to configure a tool for obtaining the right DN.
 +
 
Edit the server configuration <tt>/etc/myproxy-server.config</tt> to look something like:
 
Edit the server configuration <tt>/etc/myproxy-server.config</tt> to look something like:
  # Set the correct DNs
+
  # Set the correct DNs: typically the DN of a single Science Gateway.
 
  authorized_retrievers "<ALLOWED RETRIEVERS DN>"
 
  authorized_retrievers "<ALLOWED RETRIEVERS DN>"
 
  trusted_retrievers "<TRUSTED RETRIEVERS DN>"
 
  trusted_retrievers "<TRUSTED RETRIEVERS DN>"

Revision as of 15:16, 9 December 2015

Introduction

This page describes how one can configure a MyProxy server (in 'CA' mode) to produce PUSP proxies (see EGI wiki on PUSP) instead of End-Entity Certificates. The rest of this page assumes the myproxy-server is already installed, including the necessary (IGTF) CA distributions.

'Simple CA' setup

Create a MyProxy 'simple CA' directory structure:

/var/lib/globus/simple_robotca/
/var/lib/globus/simple_robotca/newcerts/
/var/lib/globus/simple_robotca/private/

Now store the robot certificate and key as if they are CA certificate and key:

/var/lib/globus/simple_robotca/cacert.pem
/var/lib/globus/simple_robotca/private/cakey.pem

Initialize a new 'CA':

touch /var/lib/globus/simple_robotca/index.txt
echo 01 > /var/lib/globus/simple_robotca/serial

Configuration of the MyProxy server

We need to configure among others, the clients (hosts) that are allowed to retrieve PUSPs.

Additionally we point to the correct robot certificate and key. Ideally the key would be stored on a HSM (see MyProxy CA HSM Support for more details).

Finally we need to configure a tool for obtaining the right DN.

Edit the server configuration /etc/myproxy-server.config to look something like:

# Set the correct DNs: typically the DN of a single Science Gateway.
authorized_retrievers "<ALLOWED RETRIEVERS DN>"
trusted_retrievers "<TRUSTED RETRIEVERS DN>"
default_trusted_retrievers "<DEFAULT TRUSTED RETRIEVERS DN>"

# Trusted certificates directory
cert_dir /etc/grid-security/certificates

# Robot certificate and private key, update paths where needed
certificate_issuer_cert /var/lib/globus/simple_robotca/cacert.pem
certificate_issuer_key /var/lib/globus/simple_robotca/private/cakey.pem
# Set the correct robot private key password
certificate_issuer_key_passphrase "<ROBOT CERTIFICATE PASSPHRASE>"

certificate_serialfile /var/lib/globus/simple_robotca/serial
certificate_out_dir /var/lib/globus/simple_robotca/newcerts

# Next option is needed to include the robot EEC in the returned proxy chain
certificate_issuer_subca_certfile /var/lib/globus/simple_robotca/cacert.pem

# Script to produce the correct PUSP subject DN
certificate_mapapp /opt/myproxy/bin/myproxy-certificate-mapapp

# Extensions to create a valid RFC proxy certificate
certificate_extfile /opt/myproxy/share/etc/proxy_extensions.cnf

See myproxy-server.config man-page for details on each option.

Extra files used to create the PUSP

Mapping script

The contents of the mapping script myproxy-certificate-mapapp is something like:

#!/bin/sh
username=$1
if [ X"$username" = X ]; then
    # no username given
    exit 1
fi
# DN must match robot DN.
echo "/DC=org/DC=terena/DC=tcs/O=Nikhef/OU=Robot/CN=Robot - Marvin/CN=user:${username}"
exit 0

Certificate extensions file

And the proxy_extensions.cnf contains something like:

keyUsage = critical,digitalSignature,keyEncipherment
1.3.6.1.5.5.7.1.14 = critical,ASN1:SEQUENCE:rfc3820_seq_sect_infinite

[ rfc3820_seq_sect_infinite ]
field1 = SEQUENCE:normal_policy

[ normal_policy ]
p1 = OID:1.3.6.1.5.5.7.21.1

A more generic file would be:

keyUsage = critical,digitalSignature,keyEncipherment
1.3.6.1.5.5.7.1.14 = critical,ASN1:SEQUENCE:$ENV::PROXY_INFO

[ rfc3820_seq_sect_infinite ]
field1 = SEQUENCE:$ENV::PROXY_POLICY

[ rfc3820_seq_sect ]
field1 = INTEGER:$ENV::PROXY_PATHLENGTH
field2 = SEQUENCE:$ENV::PROXY_POLICY

[ normal_policy ]
p1 = OID:1.3.6.1.5.5.7.21.1

[ limited_policy ]
p1 = OID:1.3.6.1.4.1.3536.1.1.1.9

where PROXY_INFO, PROXY_PATHLENGTH and PROXY_POLICY should be defined as environment variables, e.g. in /etc/sysconfig/myproxy-server For example:

export PROXY_INFO=rfc3820_seq_sect
export PROXY_PATHLENGTH=42
export PROXY_POLICY=limited_policy

which would result in limited RFC proxies with a maximum proxyPathLength constraint of 42.