Difference between revisions of "PUSP from MyProxy"
Revision as of 14:02, 9 December 2015
Introduction
This page describes how one can configure a MyProxy server (in 'CA' mode) to produce PUSP proxies (see EGI wiki on PUSP) instead of End-Entity Certificates.
'Simple CA' setup
Create a MyProxy 'simple CA' directory structure:
    /var/lib/globus/simple_robotca/
    /var/lib/globus/simple_robotca/newcerts/
    /var/lib/globus/simple_robotca/private/
Now store the robot certificate and key as if they were the CA certificate and key:
    /var/lib/globus/simple_robotca/cacert.pem
    /var/lib/globus/simple_robotca/private/cakey.pem
Initialize a new 'CA':
    touch /var/lib/globus/simple_robotca/index.txt
    echo 01 > /var/lib/globus/simple_robotca/serial
Configuration of the MyProxy server
Edit the server configuration /etc/myproxy-server.config to look something like:
    cert_dir /etc/grid-security/certificates
    # Robot certificate and private key, update paths where needed
    certificate_issuer_cert /var/lib/globus/simple_robotca/cacert.pem
    certificate_issuer_key /var/lib/globus/simple_robotca/private/cakey.pem
    # Set the correct robot private key password
    certificate_issuer_key_passphrase "<ROBOT CERTIFICATE PASSPHRASE>"
    certificate_serialfile /var/lib/globus/simple_robotca/serial
    certificate_out_dir /var/lib/globus/simple_robotca/newcerts
    # Next option is needed to include the robot EEC in the returned proxy chain
    certificate_issuer_subca_certfile /var/lib/globus/simple_robotca/cacert.pem
    # Script to produce the correct PUSP subject DN
    certificate_mapapp /opt/myproxy/bin/myproxy-certificate-mapapp
    # Extensions to create a valid RFC proxy certificate
    certificate_extfile /opt/myproxy/share/etc/proxy_extensions.cnf
Extra files used to create the PUSP
Mapping script
The contents of the mapping script myproxy-certificate-mapapp is something like:
    #!/bin/sh
    username=$1
    if [ X"$username" = X ]; then
        # no username given
        exit 1
    fi
    # DN must match robot DN.
    echo "/DC=org/DC=terena/DC=tcs/O=Nikhef/OU=Robot/CN=Robot - Marvin/CN=user:${username}"
    exit 0
Certificate extensions file
And the proxy_extensions.cnf contains something like:
    keyUsage = critical,digitalSignature,keyEncipherment
    1.3.6.1.5.5.7.1.14 = critical,ASN1:SEQUENCE:rfc3820_seq_sect_infinite

    [ rfc3820_seq_sect_infinite ]
    field1 = SEQUENCE:normal_policy

    [ normal_policy ]
    p1 = OID:1.3.6.1.5.5.7.21.1
A more generic file would be:
    keyUsage = critical,digitalSignature,keyEncipherment
    1.3.6.1.5.5.7.1.14 = critical,ASN1:SEQUENCE:$ENV::PROXY_INFO

    [ rfc3820_seq_sect_infinite ]
    field1 = SEQUENCE:$ENV::PROXY_POLICY

    [ rfc3820_seq_sect ]
    field1 = INTEGER:$ENV::PROXY_PATHLENGTH
    field2 = SEQUENCE:$ENV::PROXY_POLICY

    [ normal_policy ]
    p1 = OID:1.3.6.1.5.5.7.21.1

    [ limited_policy ]
    p1 = OID:1.3.6.1.4.1.3536.1.1.1.9
where PROXY_INFO, PROXY_PATHLENGTH and PROXY_POLICY should be defined as environment variables, e.g. in /etc/sysconfig/myproxy-server. For example:
    export PROXY_INFO=rfc3820_seq_sect
    export PROXY_PATHLENGTH=42
    export PROXY_POLICY=limited_policy
which would result in limited RFC proxies with a maximum proxyPathLength constraint of 42.
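As an added illustration (not code from this wiki page or from MyProxy), the following Python builds the DER value that the proxy_extensions.cnf above makes OpenSSL emit for the proxyCertInfo extension, for both the infinite and the pathlen-42 limited variant, so the bytes can be compared against the extension in a proxy the server actually returned; it also mirrors the mapping script's DN construction. The policy OIDs and robot DN are the page's own; USERNAME_RE, pusp_dn and is_pusp_of are assumed helpers.

```python
import re

POLICY_OIDS = {
    "normal_policy": "1.3.6.1.5.5.7.21.1",         # id-ppl-inheritAll (RFC 3820)
    "limited_policy": "1.3.6.1.4.1.3536.1.1.1.9",  # Globus limited-proxy policy
}
ROBOT_DN = "/DC=org/DC=terena/DC=tcs/O=Nikhef/OU=Robot/CN=Robot - Marvin"
USERNAME_RE = re.compile(r"^[A-Za-z0-9._@-]+$")     # assumed allowlist for $1

def der_tlv(tag, body):
    """Minimal DER tag-length-value; short-form length is enough here."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def der_oid(dotted):
    """DER OBJECT IDENTIFIER: first two arcs combined, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, (arc & 0x7F) | 0x80)
        out.extend(chunk)
    return der_tlv(0x06, bytes(out))

def proxy_cert_info(policy, pathlen=None):
    """ProxyCertInfo (RFC 3820, OID 1.3.6.1.5.5.7.1.14): optional
    pCPathLenConstraint INTEGER, then ProxyPolicy SEQUENCE { policyLanguage }.
    pathlen=None is the rfc3820_seq_sect_infinite layout, an int rfc3820_seq_sect."""
    body = b""
    if pathlen is not None:  # minimal two's-complement encoding of a non-negative int
        body += der_tlv(0x02, pathlen.to_bytes(pathlen.bit_length() // 8 + 1, "big"))
    body += der_tlv(0x30, der_oid(POLICY_OIDS[policy]))
    return der_tlv(0x30, body)

def username_ok(username):
    return USERNAME_RE.match(username) is not None

def pusp_dn(robot_dn, username):
    """The DN the mapapp script echoes, refusing names that would add RDNs."""
    if not username_ok(username):
        raise ValueError("username not allowed: %r" % username)
    return "%s/CN=user:%s" % (robot_dn, username)

def is_pusp_of(subject_dn, robot_dn):
    """True iff subject_dn is robot_dn plus exactly one CN=user:<name> RDN."""
    prefix = robot_dn + "/CN=user:"
    return subject_dn.startswith(prefix) and username_ok(subject_dn[len(prefix):])
```

`openssl x509 -in proxy.pem -text` shows the same extension; proxy_cert_info("limited_policy", 42).hex() is what the PROXY_PATHLENGTH=42 / limited_policy settings above produce.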