PUSP from MyProxy

From PDP/Grid Wiki
Revision as of 17:16, 9 December 2015 by Msalle@nikhef.nl (talk | contribs)

Introduction

This page describes how to configure a MyProxy server in 'CA' mode so that it issues PUSPs (Per-User Sub-Proxies, see the EGI wiki on PUSP) signed by a robot certificate instead of End-Entity Certificates signed by a CA. The rest of this page assumes the myproxy-server is already installed, including the necessary (IGTF) CA distributions.

'Simple CA' setup

Create a MyProxy 'simple CA' directory structure:

/var/lib/globus/simple_robotca/
/var/lib/globus/simple_robotca/newcerts/
/var/lib/globus/simple_robotca/private/

Now store the robot (end-entity) certificate and its private key where MyProxy expects the CA certificate and key; the key file must be readable only by the account myproxy-server runs as:

/var/lib/globus/simple_robotca/cacert.pem
/var/lib/globus/simple_robotca/private/cakey.pem

Initialize a new 'CA':

touch /var/lib/globus/simple_robotca/index.txt
echo 01 > /var/lib/globus/simple_robotca/serial

Configuration of the MyProxy server

Among other things, we need to configure which clients (the Science Gateway hosts) are allowed to retrieve PUSPs.

Additionally we point to the correct robot certificate and key. Ideally the key would be stored on an HSM (see MyProxy CA HSM Support for more details).

Finally we configure the mapping script that produces the PUSP subject DN for a given username.

Edit the server configuration /etc/myproxy-server.config to look something like:

# Set the correct DNs: typically the host certificate DN of a single Science Gateway.
# trusted_retrievers may retrieve without a passphrase, so list only hosts you fully trust.
authorized_retrievers "<ALLOWED RETRIEVERS DN>"
trusted_retrievers "<TRUSTED RETRIEVERS DN>"
default_trusted_retrievers "<DEFAULT TRUSTED RETRIEVERS DN>"

# Trusted certificates directory
cert_dir /etc/grid-security/certificates

# Robot certificate and private key, update paths where needed
certificate_issuer_cert /var/lib/globus/simple_robotca/cacert.pem
certificate_issuer_key /var/lib/globus/simple_robotca/private/cakey.pem
# Passphrase of the robot private key; it is stored here in clear, so keep this file readable by root only
certificate_issuer_key_passphrase "<ROBOT CERTIFICATE PASSPHRASE>"

certificate_serialfile /var/lib/globus/simple_robotca/serial
certificate_out_dir /var/lib/globus/simple_robotca/newcerts

# Next option is needed to include the robot EEC in the returned proxy chain
certificate_issuer_subca_certfile /var/lib/globus/simple_robotca/cacert.pem

# Script to produce the correct PUSP subject DN
certificate_mapapp /opt/myproxy/bin/myproxy-certificate-mapapp

# Extensions to create a valid RFC proxy certificate
certificate_extfile /opt/myproxy/share/etc/proxy_extensions.cnf

See myproxy-server.config man-page for details on each option.

Extra files used to create the PUSP

Mapping script

The mapping script myproxy-certificate-mapapp is run by myproxy-server with the MyProxy username as its only argument and must print the subject DN of the certificate to issue on stdout. Its contents are something like:

#!/bin/sh
# Called by myproxy-server with the MyProxy username as its only argument;
# must print the subject DN of the certificate to issue on stdout.
username=$1
if [ X"$username" = X ]; then
    # no username given
    exit 1
fi
# Refuse characters that would inject extra DN components ('/', '=', ',')
# or break the single-line output.
case $username in
    *[!A-Za-z0-9._@-]*) exit 1 ;;
esac
# The DN must be the robot certificate's subject DN followed by exactly one
# CN=user:<username> component.
printf '%s\n' "/DC=org/DC=terena/DC=tcs/O=Nikhef/OU=Robot/CN=Robot - Marvin/CN=user:${username}"
exit 0

Certificate extensions file

And the proxy_extensions.cnf is an OpenSSL x509v3 extension file that sets keyUsage and the RFC 3820 proxyCertInfo extension (OID 1.3.6.1.5.5.7.1.14), here without a path length constraint and with the inheritAll policy language (1.3.6.1.5.5.7.21.1). It contains something like:

keyUsage = critical,digitalSignature,keyEncipherment
1.3.6.1.5.5.7.1.14 = critical,ASN1:SEQUENCE:rfc3820_seq_sect_infinite

[ rfc3820_seq_sect_infinite ]
field1 = SEQUENCE:normal_policy

[ normal_policy ]
p1 = OID:1.3.6.1.5.5.7.21.1

A more generic file would be:

keyUsage = critical,digitalSignature,keyEncipherment
1.3.6.1.5.5.7.1.14 = critical,ASN1:SEQUENCE:$ENV::PROXY_INFO

[ rfc3820_seq_sect_infinite ]
field1 = SEQUENCE:$ENV::PROXY_POLICY

[ rfc3820_seq_sect ]
field1 = INTEGER:$ENV::PROXY_PATHLENGTH
field2 = SEQUENCE:$ENV::PROXY_POLICY

[ normal_policy ]
p1 = OID:1.3.6.1.5.5.7.21.1

[ limited_policy ]
p1 = OID:1.3.6.1.4.1.3536.1.1.1.9

where PROXY_INFO, PROXY_PATHLENGTH and PROXY_POLICY must be defined as environment variables of the myproxy-server process, e.g. in /etc/sysconfig/myproxy-server. All three must be set even when the selected section does not use one of them (e.g. PROXY_PATHLENGTH with rfc3820_seq_sect_infinite), because OpenSSL expands every $ENV:: reference when it loads the file and refuses to load it if a variable is unset. For example:

export PROXY_INFO=rfc3820_seq_sect
export PROXY_PATHLENGTH=42
export PROXY_POLICY=limited_policy

which results in limited RFC 3820 proxies (policy language 1.3.6.1.4.1.3536.1.1.1.9, the Globus limited-proxy policy) with a pCPathLenConstraint of 42. PROXY_INFO=rfc3820_seq_sect_infinite omits the path length constraint and PROXY_POLICY=normal_policy selects the inheritAll policy (1.3.6.1.5.5.7.21.1) instead. Note that Globus services such as GRAM reject limited proxies for job submission, so choose the policy to match what the Science Gateway needs.
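The following is an added dry run of the whole procedure above (the 'simple CA' directory, the mapping script's DN construction and the generic proxy_extensions.cnf) outside MyProxy, so the pieces can be checked before the server is pointed at them. It is example code written for this page, not part of MyProxy or of the original wiki text: it generates a throwaway self-signed "robot" certificate (constructed test material), checks that key and certificate belong together, derives the PUSP subject, signs a proxy with the robot key using the extension file, and inspects the result with openssl. The robot DN, the username alice, the EC test keys and all paths are assumptions for the example.

```shell
#!/bin/sh
# Dry run of the PUSP setup on this page, outside MyProxy (added example).
# The robot DN, username and paths are assumptions; keys are throwaway EC keys.
set -e

ROBOT_DN="/DC=org/DC=terena/DC=tcs/O=Example/OU=Robot/CN=Robot - Example"

# The directory layout from the page; private/ is closed to everyone but
# the myproxy-server account.
make_simple_ca() {  # $1 = CA directory
    mkdir -p "$1/newcerts" "$1/private"
    chmod 0700 "$1/private"
    : > "$1/index.txt"
    echo 01 > "$1/serial"
}

# Throwaway self-signed certificate standing in for the robot EEC
# (constructed test material, not a real credential).
make_test_robot() {  # $1 = CA directory
    openssl req -x509 -days 1 -nodes -subj "$ROBOT_DN" \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -keyout "$1/private/cakey.pem" -out "$1/cacert.pem" 2>/dev/null
    chmod 0600 "$1/private/cakey.pem"
}

# Does private/cakey.pem really belong to cacert.pem? Compare the public
# keys (a passphrase-protected real key needs -passin on the pkey call).
key_matches_cert() {  # $1 = CA directory
    c=$(openssl x509 -in "$1/cacert.pem" -noout -pubkey)
    k=$(openssl pkey -in "$1/private/cakey.pem" -pubout)
    [ "$c" = "$k" ]
}

# Same mapping as the page's myproxy-certificate-mapapp: robot DN plus exactly
# one CN=user:<username>; usernames that could inject DN components ('/', '='
# or other unexpected characters) are refused.
pusp_subject() {  # $1 = username
    case ${1:-} in
        '' | *[!A-Za-z0-9._@-]*) return 1 ;;
    esac
    printf '%s/CN=user:%s\n' "$ROBOT_DN" "$1"
}

# The generic extension file from the page; PROXY_INFO, PROXY_PATHLENGTH and
# PROXY_POLICY must all be exported before OpenSSL loads it.
write_extfile() {  # $1 = output path
    cat > "$1" <<'EOF'
keyUsage = critical,digitalSignature,keyEncipherment
1.3.6.1.5.5.7.1.14 = critical,ASN1:SEQUENCE:$ENV::PROXY_INFO

[ rfc3820_seq_sect_infinite ]
field1 = SEQUENCE:$ENV::PROXY_POLICY

[ rfc3820_seq_sect ]
field1 = INTEGER:$ENV::PROXY_PATHLENGTH
field2 = SEQUENCE:$ENV::PROXY_POLICY

[ normal_policy ]
p1 = OID:1.3.6.1.5.5.7.21.1

[ limited_policy ]
p1 = OID:1.3.6.1.4.1.3536.1.1.1.9
EOF
}

# Issue a PUSP for a user with the robot key, as myproxy-server does in CA
# mode: fresh key pair, CSR with the mapped subject, signed by the robot with
# the extensions from the file and the serial from the CA directory.
sign_pusp() {  # $1 = CA directory, $2 = username, $3 = extfile, $4 = output PEM
    subject=$(pusp_subject "$2") || return 1
    openssl req -new -nodes -subj "$subject" \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -keyout "$4.key" -out "$4.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$4.csr" -out "$4" \
        -CA "$1/cacert.pem" -CAkey "$1/private/cakey.pem" \
        -CAserial "$1/serial" -extfile "$3" 2>/dev/null
}

# Check the issued proxy: subject is robot DN + CN=user:<username>, the issuer
# is the robot, and OpenSSL decodes a critical proxyCertInfo extension, which
# is printed (OpenSSL shows the path length constraint in hexadecimal).
check_pusp() {  # $1 = username, $2 = proxy PEM
    want=$(pusp_subject "$1") || return 1
    got=$(openssl x509 -in "$2" -noout -subject -nameopt compat)
    got=${got#subject=}; got=${got# }
    [ "$got" = "$want" ] || { echo "unexpected subject: $got" >&2; return 1; }
    iss=$(openssl x509 -in "$2" -noout -issuer -nameopt compat)
    iss=${iss#issuer=}; iss=${iss# }
    [ "$iss" = "$ROBOT_DN" ] || { echo "unexpected issuer: $iss" >&2; return 1; }
    text=$(openssl x509 -in "$2" -noout -text)
    printf '%s\n' "$text" | grep -q 'Proxy Certificate Information: critical' || return 1
    printf '%s\n' "$text" | awk '/Proxy Certificate Information: critical/ {n = 3} n > 0 {print; n--}'
}

# Stand-alone demo: a limited PUSP with path length 42, as in the page's example.
if command -v openssl >/dev/null 2>&1; then
    work=$(mktemp -d)
    make_simple_ca "$work/simple_robotca"
    make_test_robot "$work/simple_robotca"
    key_matches_cert "$work/simple_robotca"
    write_extfile "$work/proxy_extensions.cnf"
    export PROXY_INFO=rfc3820_seq_sect PROXY_PATHLENGTH=42 PROXY_POLICY=limited_policy
    sign_pusp "$work/simple_robotca" alice "$work/proxy_extensions.cnf" "$work/pusp.pem"
    check_pusp alice "$work/pusp.pem"
    rm -rf "$work"
fi
```

Running the script prints the decoded proxyCertInfo of the test proxy; running it with one of the three variables unset (e.g. `unset PROXY_PATHLENGTH` before `sign_pusp`) makes the `openssl x509 -req` step fail, which is exactly what happens to myproxy-server when its environment file lacks a variable. Against a real deployment the same checks apply to the proxy returned by myproxy-logon, with the real robot certificate in place of the throwaway one.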