Difference between revisions of "RCauth Delegation Server & MasterPortal - Credential Lifetimes"

From PDP/Grid Wiki
Jump to navigationJump to search
 
(9 intermediate revisions by the same user not shown)
Line 1: Line 1:
 
= Introduction =
 
= Introduction =
  
The [[RCauth.eu_and_MasterPortal_overview | RCauth and MasterPortal scenario] deals with serveral different user and proxy certificates.
+
The [[RCauth.eu_and_MasterPortal_overview | RCauth and MasterPortal scenario]] deals with serveral different user and proxy certificates.
 
The credential released to the VO Portal (Science Gateway) is a proxy certificate chain containing:
 
The credential released to the VO Portal (Science Gateway) is a proxy certificate chain containing:
 
* a short lived RFC3820 proxy certificate (optionally with VOMS extensions)
 
* a short lived RFC3820 proxy certificate (optionally with VOMS extensions)
 
* a long lived RFC3820 proxy certificate
 
* a long lived RFC3820 proxy certificate
 
* an end entity certificate (EEC) signed by the RCauth CA.
 
* an end entity certificate (EEC) signed by the RCauth CA.
All three certificates can be created with a different [[RCauth.eu_and_MasterPortal_overview#Credential_Lifetimes lifetime]], therefore configuring those lifetimes can be confusing.
+
All three certificates can be created with a different [[RCauth.eu_and_MasterPortal_overview#Credential_Lifetimes | lifetime]], therefore configuring those lifetimes can be confusing.
 
This page gives a detailed explanation of every lifetime configuration you might encounter in the setup, including the configuration location, default value and function.  
 
This page gives a detailed explanation of every lifetime configuration you might encounter in the setup, including the configuration location, default value and function.  
  
Line 33: Line 33:
 
|| [[OAuth_for_MyProxy_GetProxy_Endpoint | /getproxy]] request
 
|| [[OAuth_for_MyProxy_GetProxy_Endpoint | /getproxy]] request
 
|| Client requested lifetime value.
 
|| Client requested lifetime value.
 +
 +
|-
 +
| style="background-color: red;" |
 +
|| SSH host
 +
||-
 +
|| lifetime
 +
|| 12h
 +
|| /usr/local/sbin/myproxy_cmd script or [https://github.com/rcauth-eu/aarc-ansible-master-portal/blob/0.2-devel/roles/sshhost/templates/myproxy_cmd.j2 ansible template].
 +
|| Default lifetime of proxies returned in the [[RCauth.eu_and_MasterPortal_SSH_Key_Portal#SSH_Key_usage_flow | SSH flow]].
 +
 +
|-
 +
| style="background-color: blue;" |
 +
|| SSH host
 +
||-
 +
|| maxlifetime
 +
|| 72h
 +
|| /usr/local/sbin/myproxy_cmd script or [https://github.com/rcauth-eu/aarc-ansible-master-portal/blob/0.2-devel/roles/sshhost/templates/myproxy_cmd.j2 ansible template].
 +
|| Maximum lifetime of proxies returned in the [[RCauth.eu_and_MasterPortal_SSH_Key_Portal#SSH_Key_usage_flow | SSH flow]].
  
 
|-
 
|-
Line 41: Line 59:
 
|| 12h
 
|| 12h
 
|| [[Master_Portal_Administrator_Guide#Configuration | MP Server configuration]]
 
|| [[Master_Portal_Administrator_Guide#Configuration | MP Server configuration]]
|| In case of missing ''proxylifetime'' from the [[OAuth_for_MyProxy_GetProxy_Endpoint | /getproxy]] request, this value is used to request a short lived proxy.
+
|| In case the ''proxylifetime'' value is missing from the [[OAuth_for_MyProxy_GetProxy_Endpoint | /getproxy]] request issued by the client, this value is used to request a short lived proxy.
  
 
|-
 
|-
Line 48: Line 66:
 
|| MP Server
 
|| MP Server
 
|| ''max_proxy_lifetime - tolerance''
 
|| ''max_proxy_lifetime - tolerance''
|| (11d - 1d) == 10d
+
|| (11d - 1d)<br>i.e. 10d
 
|| [[Master_Portal_Administrator_Guide#Configuration | MP Server configuration]]
 
|| [[Master_Portal_Administrator_Guide#Configuration | MP Server configuration]]
|| Used within LifetimeValidator for validating the requested proxy lifetime value. Note: These values are only used for validation and they do not SET the actual effective proxy lifetime. The ''max_proxy_lifetime'' value here should match the value of the lifetime configuration with the same name in the Credential Store, see next line.
+
|| Used within LifetimeValidator for validating the requested proxy lifetime value. Note: These values are only used for validation and they do not SET the actual effective proxy lifetime. The ''max_proxy_lifetime'' value here should match the value of the lifetime configuration with the same name in the Credential Store, see next row.
  
 
|-
 
|-
Line 59: Line 77:
 
|| 11d
 
|| 11d
 
|| [[Master_Portal_Administrator_Guide#MyProxy_Server | Credential Store configuration]]
 
|| [[Master_Portal_Administrator_Guide#MyProxy_Server | Credential Store configuration]]
|| Server side maximum enforced by the MyProxy Store on every released proxy. This should match the value of the MP Server configuration with the same name.
+
|| Server side maximum enforced by the MyProxy server on every released proxy. This should match the value of the MP Server configuration with the same name, see previous row.
  
 
|}
 
|}
Line 83: Line 101:
 
|| 11d
 
|| 11d
 
|| [http://grid.ncsa.illinois.edu/myproxy/oauth/client/manuals/parameters.xhtml#tags OA4MP Client configuration]
 
|| [http://grid.ncsa.illinois.edu/myproxy/oauth/client/manuals/parameters.xhtml#tags OA4MP Client configuration]
|| This is a standard OA4MP Client configuration that is used as a requested certificate lifetime. In the context of the Master Portal this value will determine the lifetime of both long lived proxy and requested end entity certificate.  
+
|| This is a standard OA4MP Client configuration used for requesting a certificate lifetime. In the context of the Master Portal this value will determine the lifetime of both the long lived proxy and the requested end entity certificate.  
  
 
|}
 
|}
Line 89: Line 107:
 
= End Entity Certificate =
 
= End Entity Certificate =
  
The lifetime of a End Entity Certificate is determined by the following configuration. Note that the ''lifetime'' configuration effects both Long Lived Proxy Certificate and End Entity Certificate. This is conscious design choice because the two credentials should match up.
+
The lifetime of an End Entity Certificate (EEC) is determined by the following configuration. Note that the ''lifetime'' configuration in the first row affects both Long Lived Proxy Certificate and EEC, which is a design choice of the MasterPortal.
  
 
{| class="wikitable"
 
{| class="wikitable"
Line 115: Line 133:
 
|| -
 
|| -
 
|| 10d
 
|| 10d
|| [https://sourceforge.net/p/cilogon/code/HEAD/tree/trunk/edu.uiuc.ncsa/myproxy/oa4mp-server-api/src/main/java/edu/uiuc/ncsa/myproxy/oa4mp/server/servlet/ACS2.java#l62 Hardcoded by OA4MP]
+
|| [https://github.com/rcauth-eu/OA4MP/blob/4.2-RCauth-1-release/oa4mp-server-api/src/main/java/edu/uiuc/ncsa/myproxy/oa4mp/server/servlet/ACS2.java#L77 Hardcoded by OA4MP]
 
|| In case the ''lifetime'' value is missing from the /getcert request issued by the Master Portal, the lifetime of the requested certificate will default to this value.
 
|| In case the ''lifetime'' value is missing from the /getcert request issued by the Master Portal, the lifetime of the requested certificate will default to this value.
  
Line 124: Line 142:
 
|| ''MAX_LIFETIME''
 
|| ''MAX_LIFETIME''
 
|| 11d
 
|| 11d
|| sysconfig value of the [http://ndpfsvn.nikhef.nl/viewvc/pdpsoft/trunk/eu.rcauth.pilot-ica/CA/etoken-ca/ etoken-ca]
+
|| sysconfig value of the [[eToken-ca]]
|| Server side maximum enforced by the Online CA on every released certificate.   
+
|| Server side maximum enforced by the back-end CA on every released certificate.   
  
 
|}
 
|}

Latest revision as of 13:45, 5 September 2019

Introduction

The RCauth and MasterPortal scenario deals with serveral different user and proxy certificates. The credential released to the VO Portal (Science Gateway) is a proxy certificate chain containing:

  • a short lived RFC3820 proxy certificate (optionally with VOMS extensions)
  • a long lived RFC3820 proxy certificate
  • an end entity certificate (EEC) signed by the RCauth CA.

All three certificates can be created with a different lifetime, therefore configuring those lifetimes can be confusing. This page gives a detailed explanation of every lifetime configuration you might encounter in the setup, including the configuration location, default value and function.

  • The entries marked below with red are client side input parameters usually used in a request for a credential.
  • The entries marked below with blue are server side maximum values used to enforce the actual lifetimes.

Short Lived Proxy

The lifetime of a Short Lived Proxy Certificate is determined by the following set of configurations.

Component Sub-Component Name Default Location Description
Client Portal (e.g. Science Gateway) - proxylifetime - /getproxy request Client requested lifetime value.
SSH host - lifetime 12h /usr/local/sbin/myproxy_cmd script or ansible template. Default lifetime of proxies returned in the SSH flow.
SSH host - maxlifetime 72h /usr/local/sbin/myproxy_cmd script or ansible template. Maximum lifetime of proxies returned in the SSH flow.
Master Portal MP Server defaultLifetime 12h MP Server configuration In case the proxylifetime value is missing from the /getproxy request issued by the client, this value is used to request a short lived proxy.
Master Portal MP Server max_proxy_lifetime - tolerance (11d - 1d)
i.e. 10d
MP Server configuration Used within LifetimeValidator for validating the requested proxy lifetime value. Note: These values are only used for validation and they do not SET the actual effective proxy lifetime. The max_proxy_lifetime value here should match the value of the lifetime configuration with the same name in the Credential Store, see next row.
Master Portal Credential Store max_proxy_lifetime 11d Credential Store configuration Server side maximum enforced by the MyProxy server on every released proxy. This should match the value of the MP Server configuration with the same name, see previous row.

Long Lived Proxy

The lifetime of a Long Lived Proxy Certificate is determined by the following configuration.

Component Sub-Component Name Default Location Description
Master Portal MP Client lifetime 11d OA4MP Client configuration This is a standard OA4MP Client configuration used for requesting a certificate lifetime. In the context of the Master Portal this value will determine the lifetime of both the long lived proxy and the requested end entity certificate.

End Entity Certificate

The lifetime of an End Entity Certificate (EEC) is determined by the following configuration. Note that the lifetime configuration in the first row affects both Long Lived Proxy Certificate and EEC, which is a design choice of the MasterPortal.

Component Sub-Component Name Default Location Description
Master Portal MP Client lifetime 11d OA4MP Client configuration This is a standard OA4MP Client configuration that is used as a requested certificate lifetime. In the context of the Master Portal this value will determine the lifetime of both long lived proxy and requested end entity certificate.
Delegation Server Delegation Server - 10d Hardcoded by OA4MP In case the lifetime value is missing from the /getcert request issued by the Master Portal, the lifetime of the requested certificate will default to this value.
Delegation Server Online CA MAX_LIFETIME 11d sysconfig value of the eToken-ca Server side maximum enforced by the back-end CA on every released certificate.