Using an Aladdin eToken PRO to generate grid proxies
Once your grid certificate and private key are safely stored on your eToken, you can generate grid proxies directly from the eToken.
A shell script ( mkproxy script ) was written for this purpose. This script requires quite a few special programs and libraries, which need to be installed before attempting to use the mkproxy script.
Downloading the required files
If you have installed the etoken-mkproxy RPM then all required files are already installed.
Alternatively, for manual installations, you can download and install the Mkproxy.tar.gz tarball. All required program files and libraries for running the mkproxy script are distributed in this tarball. This tarball also includes the mkproxy script itself so there is no need to download it separately.
Please read the instructions on Using an Aladdin eToken PRO to store grid certificates to install the eToken RTE software before attempting to use this script.
The mkproxy script has been tested on
- Windows XP (using cygwin)
- Linux CentOS 4, Scientific Linux 4 (rhel4)
- Linux Fedora Core 5 (fc5)
In the near future we hope to test it on MacOS X as well.
Note On Windows, the Cygwin toolkit ( http://www.cygwin.com/ ) needs to be installed before attempting to use the mkproxy script. It does NOT work on Windows using either a command shell or the MingW/MSys shell.
Manually installing the mkproxy script
To install the myproxy script, download the Mkproxy.tar.gz tarball and unpack it in Your Favorite Directory. Support for all platforms mentioned above is included, so if you only need support for a single platform (e.g. rhel4) you can delete the cygwin and fc5 directories.
mkproxy script usage
If you have installed a single grid certificate on your eToken you can now generate a grid proxy using the command
./mkproxy
Which will return
Starting Aladdin eToken PRO proxy generation (detected platform cygwin) Found X.509 certificate on eToken: label: (eTCAPI) Jan Just Keijser's NIKHEF ID id: 39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30 Your identity: /O=dutchgrid/O=users/O=nikhef/CN=Jan Just Keijser Generating a 512 bit RSA private key ..........++++++++++++ ......++++++++++++ writing new private key to 'proxykey.QjN408' ----- engine "pkcs11" set. Signature ok subject=/O=dutchgrid/O=users/O=nikhef/CN=Jan Just Keijser/CN=proxy Getting CA Private Key PKCS#11 token PIN: Your proxy is valid until: Fri Apr 20 16:51:16 WEST 2007
The default location of your grid proxy is the same as for grid-proxy-init:
- wherever $X509_USER_PROXY is pointing to
otherwise
- /tmp/x509up_u<id>, where <id> is your numeric userid.
mkproxy Command-line options
To see the command-line options for the mkproxy script, type
./mkproxy --help
Which will return
mkproxy version 1.30
This script will generate a X509 grid proxy using a public/private
key pair found on an attached Aladdin eToken PRO.
Options
[--help] Displays usage.
[--version] Displays version.
[--debug] Enables extra debug output.
[--quiet] Quiet mode, minimal output.
[--limited] Creates a limited globus proxy.
[--old] Creates a legacy globus proxy (default).
[--gt3] Creates a pre-RFC3820 compliant proxy.
[--rfc] Creates a RFC3820 compliant proxy.
[--days=N] Number of days the proxy is valid.
[--path-length=N] Allow a chain of at most N proxies to be generated
from this one (default=2).
[--bits=N] Number of bits in key (512, 1024, 2048, default=512).
[--out=proxyfile] Non-standard location of new proxy cert.
[--slot=N] Slot number where eToken is located (default=0).
[--label=string] (Part of) label of X509 certificate on eToken.
[--id=string] (Part of) ID of X509 certificate on eToken.
Notes
- Instead of using '--option=value' you can also use '--option value'.
- The /opt/etoken-pro/bin/mkproxy script as found in the etoken-mkproxy RPM includes an extra option:
[--valid=HH:MM] Proxy is valid for HH hours and MM minutes
(default=12:00).
which allows you to specify short-lived proxies.
These option resemble the options of the grid-proxy-init command but there are some additions:
--slot=N
specify the slot in which the eToken USB token is insert. If you use only a single token then the default of 0 applies. If you use multiple tokens then increase this number.
--label=string --id=string
By default, the mkproxy script will use the first X509 certificate found on the eToken to generate a proxy. If there are multiple X509 certificates stored on your eToken then you can specify (part of) the label or of the id of a X509 certificate to select a specific X509 certificate. The RSA private key which is used to create the grid proxy is found by matching the 'id ' of the X509 public certificate with that of the private key. For example, to explicitly select a certificate with a specific ID, use
--id=39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30
Fortunately, there is no need to specify the full label or id as found on the eToken to select an X509 certificate. The value passed to the --label option is matched against the X509 certificates on Your Precious eToken using a sed-style regular expression. For example, by specifying
--label=NIKHEF
the mkproxy script will select the first X509 certificate on the token with a label matching 'NIKHEF'.
--platform=rhel4|fc5|cygwin|guess
The mkproxy will try to determine which platform it is running on, in order to select the appropriate libraries for accessing the eToken. You can overrule the platform with this option, where the option --guess tells the mkproxy script to smart-guess where to find the appropriate executables, drivers and libraries.
Note on proxy duration
When using the mkproxy.tar.gz tarball all grid proxies generated using the mkproxy script have a duration measured in days, with a minimum of 1 day (i.e 24 hours). This is due to missing functionality in the openssl x509 command, which does not allow you to specify anything more fine-grained, not even a specific end-date.
The etoken-mkproxy RPM includes a patched version of the openssl x509 command. This allows you to specify the proxy duration in hours and minutes (--valid HH:MM).
Advanced mkproxy usage
A more advanced example to use the mkproxy script is
./mkproxy --slot=0 --label=NIK --rfc --bits 1024 Starting Aladdin eToken PRO proxy generation (detected platform fc5) Found X.509 certificate on eToken: label: (eTCAPI) Jan Just Keijser's NIKHEF ID id: 39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30 Your identity: /O=dutchgrid/O=users/O=nikhef/CN=Jan Just Keijser Generating a 1024 bit RSA private key ............................++++++ .........++++++ writing new private key to 'proxykey.Cz3139' ----- engine "pkcs11" set. Signature ok subject=/O=dutchgrid/O=users/O=nikhef/CN=Jan Just Keijser/CN=5815075619841 Getting CA Private Key PKCS#11 token PIN: Your proxy is valid until: Sat Apr 21 14:10:50 CEST 2007
which
- selects the first X509 certificate found in slot 0 matching label NIK
- creates an RFC 3820 compliant proxy
- using a 1024 bit RSA key
Adding support for other platforms
The mkproxy script makes use of a few external programs which are all publicly available on the Internet. Most of these can be found at the OpenSC website ( http://www.opensc.org ).
The following tools are used by the mkproxy script:
- the pkcs11-tool command, which in turn depends on the libopensc.so, libscconf.so, libopenct.so and libpcsclite.so libraries
- the engine-pkcs11.so library , which in turn depends on the libp11.so library
- the openssl command, preferably version 0.9.8 or higher, with support for dynamic engine loading
To add support for your platform, you can either install the required packages from the web (using rpm/apt/yum/yast/emerge/whatever)
or
you can follow these steps to add support for e.g. ubuntu:
- create a directory 'ubuntu' in the directory where the mkproxy script is installed
- in this directory 'ubuntu' create two more directories, 'bin' and 'lib'
- copy a version of pkcs11-tool that works on your platform to ubuntu/bin
- copy a version of openssl with dynamic engine loading support that works on your platform to ubuntu/bin
- copy these libraries to ubuntu/lib:
- libopensc.so,N
- libscconf.so.N
- libopenct.so.N
- libpcsclite.so.N
- engine-pkcs11.so
- libp11.so.N
(where 'N' is the major version number of the library as required and found by using the ldd command
and finally
- use
./mkproxy --platform=ubuntu
to overrule the platform as determined by the mkproxy script.
