Difference between revisions of "Using an Aladdin eToken PRO to generate grid proxies"
From PDP/Grid Wiki
Jump to navigationJump to search| (64 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
Once your grid certificate and private key are safely stored on your eToken, you can generate grid proxies directly from the eToken. | Once your grid certificate and private key are safely stored on your eToken, you can generate grid proxies directly from the eToken. | ||
| − | A shell script ( [[Media:Mkproxy|mkproxy script]] ) was written for this purpose. This script requires quite a few special programs and libraries , | + | A shell script ( [[Media:Mkproxy|mkproxy script]] ) was written for this purpose. This script requires quite a few special programs and libraries, which need to be installed before attempting to use the <tt>mkproxy</tt> script. |
| − | * | + | |
| − | * | + | ==Downloading the required files== |
| − | * | + | If you have installed the <tt>etoken-mkproxy</tt> RPM then all required files are already installed. |
| + | |||
| + | Alternatively, for manual installations, you can download and install the appropriate tarball for your platform: | ||
| + | * Windows using Cygwin: [[Media:Mkproxy-cygwin.tar.gz|Mkproxy-cygwin.tar.gz]] | ||
| + | * FC5: [[Media:Mkproxy-fc5.tar.gz|Mkproxy-fc5.tar.gz]] | ||
| + | * RHEL4: [[Media:Mkproxy-rhel4.tar.gz|Mkproxy-rhel4.tar.gz]] | ||
| + | * Suse10: [[Media:Mkproxy-suse10.tar.gz|Mkproxy-suse10.tar.gz]] | ||
| + | All required program files and libraries for running the <tt>mkproxy</tt> script are distributed in this tarball. This tarball also includes the <tt>mkproxy</tt> script itself so there is no need to download it separately. | ||
Please read the instructions on [[Using an Aladdin eToken PRO to store grid certificates]] to install the eToken RTE software before attempting to use this script. | Please read the instructions on [[Using an Aladdin eToken PRO to store grid certificates]] to install the eToken RTE software before attempting to use this script. | ||
| − | The script has been tested on | + | The <tt>mkproxy</tt> script has been tested on |
* Windows XP (using cygwin) | * Windows XP (using cygwin) | ||
| − | |||
* Linux Fedora Core 5 (fc5) | * Linux Fedora Core 5 (fc5) | ||
| − | In the near future we hope to test it on MacOS X as well | + | * Linux CentOS 4, Scientific Linux 4 (rhel4) |
| + | * Linux openSuse 10 (suse10) | ||
| + | In the near future we hope to test it on MacOS X as well. | ||
| − | '''Note''' It does '''NOT''' work on Windows using the MingW/MSys shell. | + | '''Note''' On Windows, the Cygwin toolkit ( http://www.cygwin.com/ ) needs to be installed before attempting to use the <tt>mkproxy</tt> script. It does '''NOT''' work on Windows using either a command shell or the MingW/MSys shell. |
| − | == | + | ==mkproxy script usage== |
| − | + | If you have installed a single grid certificate on your eToken you can now generate a grid proxy by issuing the command | |
| + | ./bin/mkproxy | ||
| + | in the directory where you unpacked the <tt>mkproxy-''<platform>''.tar.gz</tt> tarball. This will return | ||
| − | === | + | Starting Aladdin eToken PRO proxy generation |
| + | (detected platform cygwin) | ||
| + | Found X.509 certificate on eToken: | ||
| + | label: (eTCAPI) Jan Just Keijser's NIKHEF ID | ||
| + | id: 39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30 | ||
| + | Your identity: /O=dutchgrid/O=users/O=nikhef/CN=Jan Just Keijser | ||
| + | Generating a 512 bit RSA private key | ||
| + | ..........++++++++++++ | ||
| + | ......++++++++++++ | ||
| + | writing new private key to 'proxykey.QjN408' | ||
| + | ----- | ||
| + | engine "pkcs11" set. | ||
| + | Signature ok | ||
| + | subject=/O=dutchgrid/O=users/O=nikhef/CN=Jan Just Keijser/CN=proxy | ||
| + | Getting CA Private Key | ||
| + | PKCS#11 token PIN: | ||
| + | Your proxy is valid until: Fri Apr 20 16:51:16 WEST 2007 | ||
| − | + | The default location of your grid proxy is the same as for <tt>grid-proxy-init</tt>: | |
| + | * wherever <tt>$X509_USER_PROXY</tt> is pointing to | ||
| + | otherwise | ||
| + | * /tmp/x509up_u''<id>'', where ''<id>'' is your numeric userid. | ||
| − | + | ==mkproxy Command-line options== | |
| − | + | To see the command-line options for the <tt>mkproxy</tt> script, type | |
| − | + | ./bin/mkproxy --help | |
| − | + | or, in case the <tt>etoken-mkproxy</tt> RPM is installed, type | |
| − | + | /opt/etoken-pro/bin/mkproxy --help | |
| − | |||
| − | |||
| − | |||
| − | |||
Which will return | Which will return | ||
| − | mkproxy version 1. | + | mkproxy version 1.50 |
This script will generate a X509 grid proxy using a public/private | This script will generate a X509 grid proxy using a public/private | ||
key pair found on an attached Aladdin eToken PRO. | key pair found on an attached Aladdin eToken PRO. | ||
| − | + | ||
| − | + | Options | |
| − | + | [--help] Displays usage. | |
| − | + | [--version] Displays version. | |
| − | + | [--debug] Enables extra debug output. | |
| − | + | [--quiet] Quiet mode, minimal output. | |
| − | + | [--limited] Creates a limited globus proxy. | |
| − | + | [--old] Creates a legacy globus proxy (default). | |
| − | + | [--gt3] Creates a pre-RFC3820 compliant proxy. | |
| − | + | [--rfc] Creates a RFC3820 compliant proxy. | |
| − | + | [--days=N] Number of days the proxy is valid. | |
| − | + | [--valid=HH:MM] Proxy is valid for HH hours and MM minutes | |
| − | + | (default=12:00). | |
| − | + | [--path-length=N] Allow a chain of at most N proxies to be generated | |
| − | + | from this one (default=2). | |
| − | + | [--bits=N] Number of bits in key (512, 1024, 2048, default=512). | |
| − | + | [--out=proxyfile] Non-standard location of new proxy cert. | |
| − | + | ||
| − | + | [--slot=N] Slot number where eToken is located (default=0). | |
| + | [--label=string] (Part of) label of X509 certificate on eToken. | ||
| + | [--id=string] (Part of) ID of X509 certificate on eToken. | ||
| − | '''Note''' | + | '''Note''' Instead of using '--option=value' you can also use '--option value'. |
| − | Instead of using '--option=value' you can also use '--option value' | ||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | == | + | These option resemble the options of the <tt>grid-proxy-init</tt> command but there are some additions: |
| − | + | --slot=N | |
| + | specify the ''slot'' in which the eToken USB token is insert. If you use only a single token then the | ||
| + | default of 0 applies. If you use multiple tokens then increase this number. | ||
| + | --label=string | ||
| + | --id=string | ||
| + | By default, the <tt>mkproxy</tt> script will use the first X509 certificate found on the eToken to generate a proxy. If there are multiple X509 certificates stored on your eToken then you can specify (part of) the label or of the id of a X509 certificate to select a specific X509 certificate. The RSA private key which is used to create the grid proxy is found by matching the '''id'' ' of the X509 public certificate with that of the private key. For example, to explicitly select a certificate with a specific ID, use | ||
| + | --id=39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30 | ||
| + | Fortunately, there is no need to specify the full <tt>label</tt> or <tt>id</tt> as found on the eToken to select an X509 certificate. The value passed to the <tt>--label</tt> option is matched against the X509 certificates on Your Precious eToken using a <tt>sed</tt>-style regular expression. For example, by specifying | ||
| + | --label=NIKHEF | ||
| + | the <tt>mkproxy</tt> script will select the ''first'' X509 certificate on the token with a label matching 'NIKHEF'. | ||
==Advanced mkproxy usage== | ==Advanced mkproxy usage== | ||
| − | + | A more advanced example to use the <tt>mkproxy</tt> script is | |
| − | |||
| − | |||
| − | <tt> | ||
| − | |||
| − | + | # /opt/etoken-pro/bin/mkproxy --slot=0 --label=NIK --rfc --bits 1024 | |
| − | + | Starting Aladdin eToken PRO proxy generation | |
| − | + | (detected platform fc5) | |
| + | Found X.509 certificate on eToken: | ||
| + | label: (eTCAPI) Jan Just Keijser's NIKHEF ID | ||
| + | id: 39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30 | ||
| + | Your identity: /O=dutchgrid/O=users/O=nikhef/CN=Jan Just Keijser | ||
| + | Generating a 1024 bit RSA private key | ||
| + | ............................++++++ | ||
| + | .........++++++ | ||
| + | writing new private key to 'proxykey.Cz3139' | ||
| + | ----- | ||
| + | engine "pkcs11" set. | ||
| + | Signature ok | ||
| + | subject=/O=dutchgrid/O=users/O=nikhef/CN=Jan Just Keijser/CN=5815075619841 | ||
| + | Getting CA Private Key | ||
| + | PKCS#11 token PIN: | ||
| + | Your proxy is valid until: Sat Apr 21 14:10:50 CEST 2007 | ||
| + | which | ||
| + | * selects the first X509 certificate found in slot '''0''' matching label '''NIK''' | ||
| + | * creates an RFC 3820 compliant proxy | ||
| + | * using a 1024 bit RSA key | ||
| − | + | ==Changelog for mkproxy script== | |
| − | + | version 1.50 (rpm version 1.3) | |
| − | + | - Set the proxy serial number to the cert serial number for old style proxies. | |
| − | + | This is required to make certain VOMS plugins happy. | |
| − | -- | + | |
| − | + | version 1.40 (rpm version 1.2) | |
| + | - Added LC_ALL=C to fix internationalisation problem on Darwin | ||
| + | - Bugfix: option parsing for --out= | ||
| + | - Added Darwin support | ||
| + | - Added kernel 2.6.22 support (OpenSuSE 10.3, FC7+, Ubuntu 7.10) | ||
| + | |||
| + | version 1.32 (rpm version 1.1) | ||
| + | - Fix SLOT bug for the umpteenth time | ||
| + | - Fix support for multiple tokens | ||
| + | - Merge the 2 different branches of mkproxy | ||
| + | - Add support for gt3 and limited proxies; use custom openssl --valid flag | ||
| + | |||
| + | version 1.11 | ||
| + | - Search for exact label/id first, then start regexping | ||
| + | - Use /usr/local/lib as default location of some shlibs | ||
| + | - Use proxy extensions instead of pointing to extfile | ||
| + | - Run_cmd and pkcs11tool clash on cygwin; don't use | ||
| + | - Make sure quiet is *really* quiet | ||
| + | - Don't drown the last exit code from openssl | ||
| + | - Cleanup: specify engine in openssl.cnf file | ||
| + | |||
| + | version 1.00 | ||
| + | - Added RFC3820 support, quiet/debug, bits flags | ||
| + | - Make it look more like grid-proxy-init | ||
| + | - New directory structure to support multiple platforms more easily | ||
| + | - Patch by davidg to allow RFC3820 proxy generation | ||
| + | |||
| + | version 0.90 | ||
| + | - First version of mkproxy script to generate grid proxies using | ||
| + | Aladdin eToken for private key storage | ||
Latest revision as of 11:43, 3 March 2008
Once your grid certificate and private key are safely stored on your eToken, you can generate grid proxies directly from the eToken.
A shell script ( mkproxy script ) was written for this purpose. This script requires quite a few special programs and libraries, which need to be installed before attempting to use the mkproxy script.
Downloading the required files
If you have installed the etoken-mkproxy RPM then all required files are already installed.
Alternatively, for manual installations, you can download and install the appropriate tarball for your platform:
- Windows using Cygwin: Mkproxy-cygwin.tar.gz
- FC5: Mkproxy-fc5.tar.gz
- RHEL4: Mkproxy-rhel4.tar.gz
- Suse10: Mkproxy-suse10.tar.gz
All required program files and libraries for running the mkproxy script are distributed in this tarball. This tarball also includes the mkproxy script itself so there is no need to download it separately.
Please read the instructions on Using an Aladdin eToken PRO to store grid certificates to install the eToken RTE software before attempting to use this script.
The mkproxy script has been tested on
- Windows XP (using cygwin)
- Linux Fedora Core 5 (fc5)
- Linux CentOS 4, Scientific Linux 4 (rhel4)
- Linux openSuse 10 (suse10)
In the near future we hope to test it on MacOS X as well.
Note On Windows, the Cygwin toolkit ( http://www.cygwin.com/ ) needs to be installed before attempting to use the mkproxy script. It does NOT work on Windows using either a command shell or the MingW/MSys shell.
mkproxy script usage
If you have installed a single grid certificate on your eToken you can now generate a grid proxy by issuing the command
./bin/mkproxy
in the directory where you unpacked the mkproxy-<platform>.tar.gz tarball. This will return
Starting Aladdin eToken PRO proxy generation (detected platform cygwin) Found X.509 certificate on eToken: label: (eTCAPI) Jan Just Keijser's NIKHEF ID id: 39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30 Your identity: /O=dutchgrid/O=users/O=nikhef/CN=Jan Just Keijser Generating a 512 bit RSA private key ..........++++++++++++ ......++++++++++++ writing new private key to 'proxykey.QjN408' ----- engine "pkcs11" set. Signature ok subject=/O=dutchgrid/O=users/O=nikhef/CN=Jan Just Keijser/CN=proxy Getting CA Private Key PKCS#11 token PIN: Your proxy is valid until: Fri Apr 20 16:51:16 WEST 2007
The default location of your grid proxy is the same as for grid-proxy-init:
- wherever $X509_USER_PROXY is pointing to
otherwise
- /tmp/x509up_u<id>, where <id> is your numeric userid.
mkproxy Command-line options
To see the command-line options for the mkproxy script, type
./bin/mkproxy --help
or, in case the etoken-mkproxy RPM is installed, type
/opt/etoken-pro/bin/mkproxy --help
Which will return
mkproxy version 1.50
This script will generate a X509 grid proxy using a public/private
key pair found on an attached Aladdin eToken PRO.
Options
[--help] Displays usage.
[--version] Displays version.
[--debug] Enables extra debug output.
[--quiet] Quiet mode, minimal output.
[--limited] Creates a limited globus proxy.
[--old] Creates a legacy globus proxy (default).
[--gt3] Creates a pre-RFC3820 compliant proxy.
[--rfc] Creates a RFC3820 compliant proxy.
[--days=N] Number of days the proxy is valid.
[--valid=HH:MM] Proxy is valid for HH hours and MM minutes
(default=12:00).
[--path-length=N] Allow a chain of at most N proxies to be generated
from this one (default=2).
[--bits=N] Number of bits in key (512, 1024, 2048, default=512).
[--out=proxyfile] Non-standard location of new proxy cert.
[--slot=N] Slot number where eToken is located (default=0).
[--label=string] (Part of) label of X509 certificate on eToken.
[--id=string] (Part of) ID of X509 certificate on eToken.
Note Instead of using '--option=value' you can also use '--option value'.
These option resemble the options of the grid-proxy-init command but there are some additions:
--slot=N
specify the slot in which the eToken USB token is insert. If you use only a single token then the default of 0 applies. If you use multiple tokens then increase this number.
--label=string --id=string
By default, the mkproxy script will use the first X509 certificate found on the eToken to generate a proxy. If there are multiple X509 certificates stored on your eToken then you can specify (part of) the label or of the id of a X509 certificate to select a specific X509 certificate. The RSA private key which is used to create the grid proxy is found by matching the 'id ' of the X509 public certificate with that of the private key. For example, to explicitly select a certificate with a specific ID, use
--id=39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30
Fortunately, there is no need to specify the full label or id as found on the eToken to select an X509 certificate. The value passed to the --label option is matched against the X509 certificates on Your Precious eToken using a sed-style regular expression. For example, by specifying
--label=NIKHEF
the mkproxy script will select the first X509 certificate on the token with a label matching 'NIKHEF'.
Advanced mkproxy usage
A more advanced example to use the mkproxy script is
# /opt/etoken-pro/bin/mkproxy --slot=0 --label=NIK --rfc --bits 1024 Starting Aladdin eToken PRO proxy generation (detected platform fc5) Found X.509 certificate on eToken: label: (eTCAPI) Jan Just Keijser's NIKHEF ID id: 39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30 Your identity: /O=dutchgrid/O=users/O=nikhef/CN=Jan Just Keijser Generating a 1024 bit RSA private key ............................++++++ .........++++++ writing new private key to 'proxykey.Cz3139' ----- engine "pkcs11" set. Signature ok subject=/O=dutchgrid/O=users/O=nikhef/CN=Jan Just Keijser/CN=5815075619841 Getting CA Private Key PKCS#11 token PIN: Your proxy is valid until: Sat Apr 21 14:10:50 CEST 2007
which
- selects the first X509 certificate found in slot 0 matching label NIK
- creates an RFC 3820 compliant proxy
- using a 1024 bit RSA key
Changelog for mkproxy script
version 1.50 (rpm version 1.3) - Set the proxy serial number to the cert serial number for old style proxies. This is required to make certain VOMS plugins happy. version 1.40 (rpm version 1.2) - Added LC_ALL=C to fix internationalisation problem on Darwin - Bugfix: option parsing for --out= - Added Darwin support - Added kernel 2.6.22 support (OpenSuSE 10.3, FC7+, Ubuntu 7.10) version 1.32 (rpm version 1.1) - Fix SLOT bug for the umpteenth time - Fix support for multiple tokens - Merge the 2 different branches of mkproxy - Add support for gt3 and limited proxies; use custom openssl --valid flag version 1.11 - Search for exact label/id first, then start regexping - Use /usr/local/lib as default location of some shlibs - Use proxy extensions instead of pointing to extfile - Run_cmd and pkcs11tool clash on cygwin; don't use - Make sure quiet is *really* quiet - Don't drown the last exit code from openssl - Cleanup: specify engine in openssl.cnf file version 1.00 - Added RFC3820 support, quiet/debug, bits flags - Make it look more like grid-proxy-init - New directory structure to support multiple platforms more easily - Patch by davidg to allow RFC3820 proxy generation version 0.90 - First version of mkproxy script to generate grid proxies using Aladdin eToken for private key storage
