
ESGFNode|IDP|MyProxyWithAttributeCalloutConfig

Stephen Pascoe edited this page Apr 9, 2014 · 10 revisions
Wiki Reorganisation
This page has been classified for reorganisation. It has been given the category MOVE.
The content of this page will be revised and moved to one or more other pages in the new wiki structure.

MyProxy Installation and Configuration

This document more or less documents my experience setting up MyProxy using an external application to perform attribute callouts on certificate issue to users. It's documented in a more or less narrative form that shows step by step how to recreate what I've done. Note that all steps along the way were performed as root on the installation machine.

Become the root Super User:

su - root

Download the Globus Toolkit binary installer (be sure to download the appropriate one for your platform; you can see which options are available at [http://www-unix.globus.org/ftppub/gt4/4.2.0/installers/bin/](http://www-unix.globus.org/ftppub/gt4/4.2.0/installers/bin/) and the source is available at [http://www-unix.globus.org/ftppub/gt4/4.2.0/installers/src/](http://www-unix.globus.org/ftppub/gt4/4.2.0/installers/src/)):

wget http://www-unix.globus.org/ftppub/gt4/4.2.0/installers/bin/gt4.2.0-x86_deb_4.0-installer.tar.gz

Extract the installer and change into the newly created directory:

tar -xzf gt4.2.0-x86_deb_4.0-installer.tar.gz

cd gt4.2.0-x86_deb_4.0-installer

Set your desired GLOBUS_LOCATION to the directory where Globus should be installed (which likely doesn't exist yet; for this example, it will be /usr/local/gt4.2.0) and then configure and build the required MyProxy and Simple CA pieces (only, rather than the entire Globus Toolkit):

export GLOBUS_LOCATION=/usr/local/gt4.2.0
# optional: ln -s /usr/local/gt4.2.0 /usr/local/gt-current

./configure --prefix=/usr/local/gt4.2.0

make gsi-myproxy globus_simple_ca_setup

make install

# required on some systems: adjust your LD_LIBRARY_PATH env var
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$GLOBUS_LOCATION/lib

_NOTE: Before moving on, you MUST make sure that the myproxy-server binary that was installed has PAM support built in. To test this, run '$GLOBUS_LOCATION/sbin/myproxy-server -V'; the version line it prints must mention PAM (see the example output in the next section). Without PAM support the database-backed authentication configured later in this page cannot work._

Upgrade MyProxy to latest 4.x version available

VERY IMPORTANT MYPROXY UPDATE :

The MyProxy software included with gt4.2.0 is version 4.2. That was sufficient at the time this document was written, but it is now crucial that you use the latest 4.x version available (or at least version 4.6, which this document points you to), both for security fixes and for functionality that this page relies on. MyProxy 5.x is NOT recommended at this time, as it is not compatible with 4.x clients.

NOTE: There is likely a later version available by the time you try this, so please download the latest version possible to pick up other security-related changes. The official MyProxy releases can be downloaded from here.

To upgrade to MyProxy version 4.6 (which is known to work with ESGF), simply execute the following before continuing on with these instructions as normal:

wget http://www.globus.org/ftppub/myproxy/myproxy-4.6.tar.gz

$GLOBUS_LOCATION/sbin/gpt-build -force myproxy-4.6.tar.gz gcc32dbg

[ where gcc32dbg is the flavor; perhaps gcc64dbg for your setup? ]
[ NOTE: The libssl-dev package or the equivalent is required for this to work ]

$GLOBUS_LOCATION/sbin/gpt-postinstall

[ for good measure ]

$GLOBUS_LOCATION/sbin/myproxy-server -V
myproxy-server version MYPROXYv2 (v4.6 25 Mar 2009 PAM)

[ check version and ensure PAM support is available ]

Setup and configure SimpleCA.

More notes are available here:

Run the SimpleCA setup script. It prompts for the CA's subject name and for a passphrase protecting the CA private key; you will need that passphrase again for grid-ca-sign and for the certificate_issuer_key_passphrase entry in myproxy-server.config:

$GLOBUS_LOCATION/setup/globus/setup-simple-ca

The output of this command should look something like this:

creating CA config package...done.

A self-signed certificate has been generated
for the Certificate Authority with the subject:

/O=Grid/OU=GlobusTest/OU=simpleCA-esgdev.ci.uchicago.edu/CN=Globus Simple CA

If this is invalid, rerun this script

/usr/local/gt-current/setup/globus/setup-simple-ca

and enter the appropriate fields.

-------------------------------------------------------------------

The private key of the CA is stored in /root/.globus/simpleCA//private/cakey.pem
The public CA certificate is stored in /root/.globus/simpleCA//cacert.pem

The distribution package built for this CA is stored in

/root/.globus/simpleCA//globus_simple_ca_ecdb249f_setup-0.20.tar.gz

This file must be distributed to any host wishing to request
certificates from this CA.

CA setup complete.

The following commands will now be run to setup the security
configuration files for this CA:

$GLOBUS_LOCATION/sbin/gpt-build
/root/.globus/simpleCA//globus_simple_ca_ecdb249f_setup-0.20.tar.gz

$GLOBUS_LOCATION/sbin/gpt-postinstall
-------------------------------------------------------------------


setup-ssl-utils: Configuring ssl-utils package
Running setup-ssl-utils-sh-scripts...

*

Note: To complete setup of the GSI software you need to run the
following script as root to configure your security configuration
directory:

/usr/local/gt-current/setup/globus_simple_ca_ecdb249f_setup/setup-gsi

For further information on using the setup-gsi script, use the -help
option.  The -default option sets this security configuration to be
the default, and -nonroot can be used on systems where root access is
not available.

*

setup-ssl-utils: Complete

NOTE : To modify the CA's Subject, you should use the following syntax when prompted (Using ANL as the example Gateway organization):

cn=ANL Gateway CA, ou=www.esg.anl.gov, ou=ESG-ANL, o=ESG

Run the command the above output specifies to complete the CA installation:

/usr/local/gt-current/setup/globus_simple_ca_ecdb249f_setup/setup-gsi -default

The output should look something like this:

setup-gsi: Configuring GSI security
Making /etc/grid-security...
mkdir /etc/grid-security
Making trusted certs directory: /etc/grid-security/certificates/
mkdir /etc/grid-security/certificates/
Installing /etc/grid-security/certificates//grid-security.conf.ecdb249f...
Running grid-security-config...
Installing Globus CA certificate into trusted CA certificate directory...
Installing Globus CA signing policy into trusted CA certificate directory...
setup-gsi: Complete

Generating a Host Certificate/Key

If the machine does not already have an existing hostcert (generally located in _/etc/grid-security/hostcert.pem_), now it's time to generate a host certificate for our machine using the grid-cert-request command, and then sign it using the grid-ca-sign command. If the host cert already exists, skip this section and move on to modifying the _/etc/myproxy-server.config_ file.

# Run this on the ESG Node that needs the Host certificate
$GLOBUS_LOCATION/bin/grid-cert-request -host `hostname --fqdn` -dir $HOME/.globus/host

Transfer the certificate request to a machine where the CA that should sign the host certificate exists. In ESGF, you may need to send the request to [email protected], where it can be signed by PCMDI7. NOTE: DO NOT send the generated key in e-mail along with the request! Only the request file (hostcert_request.pem) leaves the machine; the key stays where it was generated.

If you are _self-signing_ the certificate (which means that you are signing the host certificate request with your OWN local CA), use the command below:

# Run this on the CA machine that signs host certificate requests
$GLOBUS_LOCATION/bin/grid-ca-sign -in ~/.globus/host/hostcert_request.pem -out ~/.globus/host/hostsigned.pem

The output of that command should look like this:

To sign the request
please enter the password for the CA key:

The new signed certificate is at: /root/.globus/simpleCA//newcerts/01.pem

If you have shipped your request to another entity for signing, you will eventually receive a signed host certificate file back.

If you have self-signed the request on your own node, you will have output the signed certificate at the location specified.

Finally, move the generated certificate and key files to their final locations. The host key must remain readable by root only (mode 0400, as grid-cert-request creates it); myproxy-server will use it to authenticate the server to every client, so never copy it anywhere else:

mv ~/.globus/host/hostsigned.pem /etc/grid-security/hostcert.pem
mv ~/.globus/host/hostkey.pem /etc/grid-security/hostkey.pem

More information about these tools can be found here:

Configuring the basic MyProxy functionality

Modify Myproxy config file /etc/myproxy-server.config to point to the new CA Cert:

esgdev:~# cat /etc/myproxy-server.config
accepted_credentials       "*"
authorized_retrievers      "*"
default_retrievers         "*"
authorized_renewers        "*"
authorized_key_retrievers  "*"
trusted_retrievers         "*"
default_trusted_retrievers "none"

pam_id "myproxy"
pam "required"

certificate_issuer_cert /root/.globus/simpleCA/cacert.pem
certificate_issuer_key /root/.globus/simpleCA/private/cakey.pem
certificate_issuer_key_passphrase "PASSWORD"
certificate_serialfile /root/.globus/simpleCA/serial
certificate_mapapp /usr/local/gt4.2.0/share/myproxy/myproxy-certificate-mapapp
certificate_extapp /usr/local/gt4.2.0/bin/esg_attribute_callout_app

You might notice that the certificate_extapp entry points to a file that does not exist on your filesystem yet. It is important that you add this entry to the configuration file now; the file itself is explained later (in the section titled _Configuring the External Attribute Callout piece with MyProxy_ below). Write down the path used for this entry, as you will be creating this file a couple of steps later. Similarly, the certificate_mapapp entry refers to a file that is downloaded in the next step; be sure that the location in the configuration above matches the final location of the newly downloaded file.

Two caveats on this file. It holds the CA key passphrase (and points at the CA private key), so keep it owned by root with mode 0600. And the "*" values in the policy lines above match every DN from every CA trusted in /etc/grid-security/certificates; that is convenient while testing, but in production restrict authorized_retrievers, authorized_renewers and the other policy lines to the DNs that actually need them.

Configuring the Certificate Mapapp Callout piece with MyProxy

MyProxy can call a script, the "myproxy-certificate-mapapp", that is generally used to map a username into a DN suitable for the issued credential certificate. For ESG, the DN should contain the user's OpenID, but we first need to retrieve that information from the ESG database. The ESGOpenIDRetriever (download link below) is a Java program that does just that, although it needs to be configured with access to the ESG database in order to look up the user's OpenID. Edit /usr/local/gt4.2.0/share/myproxy/myproxy-certificate-mapapp (assuming it matches the path you inserted into myproxy-server.config above) by changing the contents to the following (or download the file from the link just below):

#!/bin/sh

username=$1

if [ X"$username" = X ]; then
  # no username given
  exit 1
fi

# Configure this for each installation
ESG_OPENID_RETRIEVER_DIR="/usr/local/gt4.2.0/bin"

CWD=`pwd`
cd $ESG_OPENID_RETRIEVER_DIR

# REQUIRES postgresql jar file either in same dir as this script and
# java class file, or in the classpath export
export CLASSPATH=$CLASSPATH:postgresql-8.3-603.jdbc3.jar:$ESG_OPENID_RETRIEVER_DIR/postgresql-8.3-603.jdbc3.jar

# Site specific: database host, credentials, database name and gateway name
JAVA_CMD="java ESGOpenIDRetriever -h datagrid.ucar.edu:5433 -u esgcet_admin -p PASSWORD -d DATABASE -g ESG-NCAR -U"

# Quote the username so it reaches the retriever as a single argument
OPENID_STR=`$JAVA_CMD "$username"`

# If the lookup returned nothing, fail rather than emit a DN with an empty CN
if [ -z "$OPENID_STR" ]; then
  exit 1
fi

# Emit DN: DN must match the signing policy for your CA.
echo "/O=Grid/OU=GlobusTest/OU=simpleCA-esgdev.ci.uchicago.edu/CN=${OPENID_STR}"

cd $CWD

NOTE: You can download a copy of this file to avoid typing it out here:

This file now contains site-specific information that will need to be modified for each Gateway: the JAVA_CMD line carries the database host, user and password (-h, -u, -p), the database name (-d) and the gateway name (-g); the example above uses ESG-NCAR. You must also set the ESG_OPENID_RETRIEVER_DIR variable to the directory holding the ESGOpenIDRetriever Java program (link provided below). Because the script contains the database password and is run by the root-owned myproxy-server, keep it readable by root only; note too that a password passed on the command line (-p) is visible in the process list to every local user for as long as the Java process runs.

Also required is the ESGOpenIDRetriever Java class file. Here's a link to the Java source file so that you can compile it and place it in the appropriate directory:

The following postgresql JDBC driver is required as well:

Finally, make sure the Certificate Mapapp application script is executable!

chmod a+x /usr/local/gt4.2.0/share/myproxy/myproxy-certificate-mapapp

Using Postgresql as the backend username/password DB with Myproxy

It must be noted that this section of the document is loosely based on the following document:

Make sure that you have read the page above and have an idea of what we're doing here before reading below.

Configuring postgresql with our MyProxy installation

First, make sure that the Debian package libpam-pgsql (or the vendor-specific equivalent) is installed on your system. Then /etc/pam_pgsql.conf needs to contain the following; edit the content to point to your specific DB system. Since this file holds the database password in clear text, keep it owned by root with mode 0600; the myproxy-server process that loads pam_pgsql runs as root here, so nobody else needs to read it:

database = dev-anl
host = datagrid.ucar.edu
port = 5433
user = USERNAME
password = PASSWORD
table = security.myproxy_user
user_column = username
pwd_column = password
pw_type = crypt_md5

Finally, the /etc/pam.d/myproxy file needs to contain the following:

auth      required    pam_pgsql.so
account   required    pam_pgsql.so

Now, the MyProxy server should be configured to use the ESG database for authentication! When we're ready to test the installation below, if there are problems, be sure to read the PKISSO page mentioned above which has more details on how the database needs to be setup and what the configuration entries mean (though ESG has already taken care of the proper configuration on the DB side).

Configuring the External Attribute Callout piece with MyProxy (ExtApp)

It should be noted that the following pages were used as a reference for getting this to work:

Create a file located at $GLOBUS_LOCATION/bin/esg_attribute_callout_app with the following contents. Note for this example, that my GLOBUS_LOCATION is /usr/local/gt-current. Modify your script to contain your specific GLOBUS_LOCATION.

#!/bin/bash

if test "x$1" = "x"; then
  echo "Usage: esg_attribute_callout_app <username>"
  exit 1
fi

# Configure this for each installation
ESG_GROUP_RETRIEVER_DIR="/usr/local/gt-current/bin"

CWD=`pwd`
cd $ESG_GROUP_RETRIEVER_DIR

# REQUIRES postgresql jar file either in same dir as this script and
# java class file, or in the classpath export
export CLASSPATH=$CLASSPATH:postgresql-8.3-603.jdbc3.jar:$ESG_GROUP_RETRIEVER_DIR/postgresql-8.3-603.jdbc3.jar

# Site specific: database host, credentials, database name and gateway name
JAVA_CMD="java ESGGroupRetriever -h datagrid.ucar.edu:5433 -u esgcet_admin -p PASSWORD -d prototype -g ESG-NCAR -U"

# Quote the username so it reaches the retriever as a single argument
GROUP_STR=`$JAVA_CMD "$1"`

# Emit the extension only if the user has group/role data; printing nothing
# means no extension is added. The line uses OpenSSL's arbitrary-extension
# syntax, "OID=ASN1:UTF8String:value".
if ! test -z "$GROUP_STR"; then
  echo "1.2.3.4.4.3.2.1.7.8=ASN1:UTF8String:$GROUP_STR"
fi

cd $CWD

NOTE: the format of the output is dictated by the second link listed above in this section; in particular, the "Arbitrary extensions" section is the most relevant. Also, depending on which site you are, you will need to adjust the parameter that follows the "-g" switch. For example, this script is specifically written for the "ESG-NCAR" site. If you are setting up this server/installation at another site, you must find out which gateway name to use for authentication to work properly. Of course the username and password (following the "-u" and "-p" switches, respectively) also need to be updated to match your system, and the same caveats as for the mapapp apply: the script holds a database password, so keep it readable by root only.

You can download this file (to avoid typing it) from here:

Also required is the ESGGroupRetriever Java class file. Here's a link to the Java Source file so that you can compile it and place it in the appropriate directory:

The following postgresql JDBC driver is required as well:

To hook this script up to MyProxy , we add the following line to /etc/myproxy-server.config:

certificate_extapp /usr/local/gt4.2.0/bin/esg_attribute_callout_app

Again, adjust the path above to match your GLOBUS_LOCATION directory.
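Both callouts run as root and whatever they print ends up in a signed certificate, so it is worth checking their output before pointing myproxy-server at them. The following Python harness is an added example, not part of this page or of the ESGF/MyProxy code: it validates a mapapp result against the CA's signing_policy and parses extapp output into a dictionary of OID/value pairs. It assumes the Globus signing_policy format (a cond_subjects line carrying the allowed subject patterns) and that a callout receives the username as its only argument; the policy text and the two sample outputs are constructed from the DNs and the extension shown on this page, and PYTHON_ECHO_CALLOUT is a hypothetical stand-in for a real mapapp so the file runs offline.

```python
import fnmatch
import re
import subprocess
import sys

# Constructed sample: a Globus signing_policy for the SimpleCA from this page.
# Only the cond_subjects line matters here; it lists the subject name patterns
# that certificates signed by this CA may carry.
SAMPLE_SIGNING_POLICY = """\
access_id_CA   X509   '/O=Grid/OU=GlobusTest/OU=simpleCA-esgdev.ci.uchicago.edu/CN=Globus Simple CA'
pos_rights     globus CA:sign
cond_subjects  globus '"/O=Grid/OU=GlobusTest/OU=simpleCA-esgdev.ci.uchicago.edu/*"'
"""

# Constructed samples of what the two callouts print for the page's test user.
SAMPLE_MAPAPP_OUT = (
    "/O=Grid/OU=GlobusTest/OU=simpleCA-esgdev.ci.uchicago.edu"
    "/CN=https://openid.prototype.ucar.edu/myopenid/esg_ncar_test_user\n"
)
SAMPLE_EXTAPP_OUT = (
    "1.2.3.4.4.3.2.1.7.8=ASN1:UTF8String:"
    "esg.vo.group.roles=group_CCSM_role_default;group_User_role_default"
    ":esg.vo.openid=https://openid.prototype.ucar.edu/myopenid/esg_ncar_test_user\n"
)

# An extapp line is "<dotted OID>=ASN1:UTF8String:<value>"; anything else is rejected.
EXT_LINE = re.compile(r"^(?P<oid>\d+(?:\.\d+)+)=ASN1:UTF8String:(?P<value>.+)$")


def signing_policy_patterns(policy_text):
    """Return the subject patterns from every cond_subjects line of a signing_policy."""
    patterns = []
    for line in policy_text.splitlines():
        fields = line.split(None, 2)
        if len(fields) == 3 and fields[0] == "cond_subjects":
            patterns.extend(re.findall(r'"([^"]+)"', fields[2]))
    return patterns


def dn_matches_policy(dn, patterns):
    """Glob match as in signing_policy files: '*' covers the rest of the name."""
    return any(fnmatch.fnmatchcase(dn, p) for p in patterns)


def check_mapapp_output(output, patterns):
    """Validate a mapapp result: exactly one DN line, well formed, inside the policy.
    Returns (True, dn) or (False, reason)."""
    lines = output.splitlines()
    if len(lines) != 1:
        return False, "mapapp must print exactly one DN line, got %d" % len(lines)
    dn = lines[0].strip()
    if not dn.startswith("/") or "\x00" in dn or "/CN=" not in dn:
        return False, "malformed DN: %r" % dn
    if dn.endswith("/CN="):
        return False, "empty CN (retriever returned nothing?)"
    if not dn_matches_policy(dn, patterns):
        return False, "DN outside the CA signing policy: " + dn
    return True, dn


def parse_extapp_output(output):
    """Parse extapp lines into {oid: value}, rejecting malformed or duplicate lines.
    An empty output is valid: it means no extension is added."""
    extensions = {}
    for line in output.splitlines():
        if not line.strip():
            continue
        m = EXT_LINE.match(line)
        if m is None:
            raise ValueError("unexpected extapp line: %r" % line)
        if m.group("oid") in extensions:
            raise ValueError("duplicate extension OID " + m.group("oid"))
        extensions[m.group("oid")] = m.group("value")
    return extensions


def run_callout(cmd, username):
    """Run a callout as myproxy-server does: the username is one argv element and no
    shell is involved, so 'alice; rm -rf /' stays a (strange) username, not a command."""
    proc = subprocess.run(list(cmd) + [username], capture_output=True, text=True, timeout=30)
    if proc.returncode != 0:
        raise RuntimeError("callout %s failed: %s" % (cmd[0], proc.stderr.strip()))
    return proc.stdout


# Hypothetical stand-in for a mapapp, used only so this file can be run offline.
PYTHON_ECHO_CALLOUT = [sys.executable, "-c", "import sys; print('/O=Grid/CN=' + sys.argv[1])"]

if __name__ == "__main__":
    policy = signing_policy_patterns(SAMPLE_SIGNING_POLICY)
    print(check_mapapp_output(SAMPLE_MAPAPP_OUT, policy))
    print(parse_extapp_output(SAMPLE_EXTAPP_OUT))
    print(repr(run_callout(PYTHON_ECHO_CALLOUT, "alice; rm -rf /")))
```

To test a real installation, replace PYTHON_ECHO_CALLOUT with the path of the mapapp, read the policy from the signing_policy file installed under /etc/grid-security/certificates/, and feed the function the usernames from the myproxy_user table; a DN that the CA is not allowed to sign, or an empty CN from a failed lookup, shows up here instead of in a certificate.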

Testing the MyProxy installation

Configure your local environment:

. $GLOBUS_LOCATION/etc/globus-user-env.sh

Run MyProxy server in debug mode:

$GLOBUS_LOCATION/sbin/myproxy-server -d

Run the MyProxy Client:

myproxy-logon -s esgdev.ci.uchicago.edu

If everything is configured properly, you should see something like this:

Enter MyProxy pass phrase:
A credential has been received for user root in /tmp/x509up_u0.

_NOTE: If the MyProxy server is on a machine with an already populated /etc/grid-security/ directory and you do not wish to overwrite the certificates there, you can use the following environment variables to make sure that the MyProxy server uses the certs we generated:_

export X509_USER_CERT=/etc/grid-security/hostcert-myproxy.pem
export X509_USER_KEY=/etc/grid-security/hostkey-myproxy.pem

More information can be found here:

Testing the MyProxy Attribute Callout functionality

Start the Myproxy server using something like this command:

/etc/init.d/myproxy start

Run the client command to retrieve a certificate:

myproxy-logon -s esgdev.ci.uchicago.edu -l testUser -p 7512 -o certificate-file

On successful auth, the output should look like this:

Enter MyProxy pass phrase:
A credential has been received for user testUser in certificate-file.

And now that we've saved the certificate, we can verify if the extension was included by running this command:

openssl x509 -noout -text -in certificate-file

If the extension was included, the output of that command should look like the following. openssl does not know this OID, so it dumps the raw DER value; the leading dots are the UTF8String tag and length bytes rendered as non-printable characters:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 175 (0xaf)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: O=Grid, OU=GlobusTest, OU=simpleCA-esgdev.ci.uchicago.edu, CN=Globus Simple CA
        Validity
            Not Before: Dec 15 19:04:59 2008 GMT
            Not After : Dec 16 07:09:59 2008 GMT
        Subject: O=Grid, OU=GlobusTest, OU=simpleCA-esgdev.ci.uchicago.edu, CN=https://openid.prototype.ucar.edu/myopenid/esg_ncar_test_user
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
               Modulus (1024 bit):
                    00:cf:5d:55:01:c4:7a:81:45:62:a0:80:18:ba:08:
                    69:20:b1:cc:8d:a0:20:74:97:6a:69:88:76:59:3e:
                    a0:a7:01:a2:75:bb:51:30:0b:54:3f:ed:37:e4:9c:
                    ab:ea:6a:19:45:65:5f:f1:76:39:01:4a:bf:65:3d:
                    be:6b:e4:74:09:2c:40:9e:eb:b4:d3:f1:e2:b5:43:
                    a0:c3:b5:b2:cc:1b:01:39:93:1d:5e:3c:f7:6f:ea:
                    8d:5e:c5:36:7c:66:4a:83:27:f6:b5:2c:ec:de:87:
                    cb:bb:67:d1:47:33:82:8e:d0:77:fe:f1:dc:02:e3:
                    58:97:03:5c:68:98:4f:ce:f1
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            1.2.3.4.4.3.2.1.7.8:
                ...esg.vo.group.roles=group_CCSM_role_default;group_Dycore_role_default;group_NARCCAP_role_default;group_User_role_default:esg.vo.openid=https://openid.prototype.ucar.edu/myopenid/esg_ncar_test_user
    Signature Algorithm: sha1WithRSAEncryption
        a0:6e:ef:45:02:3f:87:5b:83:db:6b:25:97:4a:34:14:60:51:
        2a:0a:df:9f:ed:9d:aa:9f:8b:bc:c1:10:0e:c9:74:92:35:75:
        79:92:99:51:a5:5d:82:f0:5f:b8:0c:fa:79:ca:1e:a9:12:43:
        0f:c8:e5:f0:c5:81:ae:24:9f:0c:a0:94:a5:92:3a:d9:b9:4f:
        04:27:de:73:0a:2e:b6:2a:5a:13:84:b3:3d:85:f8:72:93:36:
        5d:5e:ae:15:76:9c:22:6e:05:90:39:a2:6a:c8:e0:b6:75:c5:
        d9:76:2d:27:5b:66:2e:99:6f:f0:24:ae:0a:61:f5:5d:c8:f4:
        50:14

Programmatically extracting the Extension data

I have written a sample C program to extract the extension data from a certificate. To download/view this sample, use the following link:
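The C program linked above works on the DER. As an added example that is not that program and not ESGF code, the following Python decodes the attribute string itself once it has been pulled out of the certificate, and binds it to the certificate it arrived in by insisting that esg.vo.openid equals the subject CN (both were derived from the same username by the two callouts, so a mismatch means the extension does not belong to this subject). The sample value and subject CN are constructed from the openssl dump above; the attribute grammar (':'-separated key=value pairs, ';'-separated group_<group>_role_<role> entries) is an assumption inferred from that single sample.

```python
import re

# Constructed from the openssl dump on this page: the subject CN and the decoded
# UTF8String stored under OID 1.2.3.4.4.3.2.1.7.8.
SAMPLE_SUBJECT_CN = "https://openid.prototype.ucar.edu/myopenid/esg_ncar_test_user"
SAMPLE_EXT_VALUE = (
    "esg.vo.group.roles=group_CCSM_role_default;group_Dycore_role_default;"
    "group_NARCCAP_role_default;group_User_role_default"
    ":esg.vo.openid=https://openid.prototype.ucar.edu/myopenid/esg_ncar_test_user"
)

# Assumed grammar (inferred from that one sample): pairs are separated by ':',
# but only a ':' that is followed by 'key=' starts a new pair, so the ':' in
# the OpenID URL is left alone.
_PAIR_SPLIT = re.compile(r":(?=[A-Za-z0-9_.]+=)")
# Role entries look like group_<group>_role_<role>; the greedy group part means a
# group name may itself contain '_', but not the substring '_role_'.
_ROLE_ENTRY = re.compile(r"^group_(?P<group>.+)_role_(?P<role>.+)$")


def parse_esg_attributes(value):
    """'k1=v1:k2=v2' -> {'k1': 'v1', 'k2': 'v2'}; duplicates and bare tokens are errors."""
    attrs = {}
    for pair in _PAIR_SPLIT.split(value):
        key, sep, val = pair.partition("=")
        if not sep or not key:
            raise ValueError("malformed attribute pair: %r" % pair)
        if key in attrs:
            raise ValueError("duplicate attribute: " + key)
        attrs[key] = val
    return attrs


def parse_group_roles(roles_field):
    """'group_A_role_r;group_B_role_s' -> {'A': {'r'}, 'B': {'s'}}."""
    roles = {}
    for entry in roles_field.split(";"):
        if not entry:
            continue
        m = _ROLE_ENTRY.match(entry)
        if m is None:
            raise ValueError("malformed role entry: %r" % entry)
        roles.setdefault(m.group("group"), set()).add(m.group("role"))
    return roles


def check_extension(value, subject_cn):
    """Decode the extension and bind it to the certificate it came in.

    The mapapp put the user's OpenID into the subject CN and the extapp put the
    same OpenID into esg.vo.openid; a relying party should insist the two agree
    before trusting the group/role list. Returns (openid, roles)."""
    attrs = parse_esg_attributes(value)
    openid = attrs.get("esg.vo.openid")
    if openid is None or openid != subject_cn:
        raise ValueError("esg.vo.openid %r does not match subject CN %r" % (openid, subject_cn))
    return openid, parse_group_roles(attrs.get("esg.vo.group.roles", ""))


def has_role(roles, group, role):
    """Authorization check over the decoded roles, e.g. has_role(roles, 'CCSM', 'default')."""
    return role in roles.get(group, set())


if __name__ == "__main__":
    openid, roles = check_extension(SAMPLE_EXT_VALUE, SAMPLE_SUBJECT_CN)
    print(openid)
    for group in sorted(roles):
        print(group, sorted(roles[group]))
```

The openid/CN comparison is the part worth keeping even if the rest is rewritten: the group list is only meaningful for the subject the certificate names, and a relying party that reads the extension without that check would honour roles for whichever OpenID string happens to be inside it.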

Working with the ESG Test Database

Below are notes on the specific ESG test database settings that were used during development.

database.url=jdbc:postgresql://datagrid.ucar.edu:5433/dev-anl
database.username=esgcet_admin
password=PASSWORD

The Psql command used for testing/debugging is as follows:

psql -h datagrid.ucar.edu -p 5433 -U esgcet_admin dev-anl

Troubleshooting: PAM Debugging

If there are problems getting the auth to work through the MyProxy server, it may be useful to make sure PAM is doing the right thing. To enable PAM debugging, make sure that your /etc/pam.d/myproxy file contains these lines instead:

auth      required    pam_pgsql.so 0xffffffff
account   required    pam_pgsql.so 0xffffffff

And modify your /etc/syslog.conf file so that it contains this line:

*.debug /PAM/DEBUG/LOGFILE

where "/PAM/DEBUG/LOGFILE" is the absolute path to a file that you would like to contain the debugging information. An example is /var/log/pamlog, but is arbitrary and can be whatever you would like.

Then restart syslog by doing this:

/etc/init.d/syslog restart

After restarting the MyProxy server, you should see PAM debugging output in the /PAM/DEBUG/LOGFILE file that you chose above. Remove the debug flag and the *.debug line again once you are done: the log records every authentication attempt in detail and, since *.debug captures all facilities, grows quickly.

NOTE: Some installs require the word "debug" instead of the "0xffffffff" parameter above. If the above doesn't work, please try using "debug" instead. Also, if you need to use another config file that contains alternate database information, you can use the "config_file" option to point to a new location. An example with both debugging and an alternate config file may look like this:

auth      required    pam_pgsql.so debug config_file=/etc/pam.d/myproxy-alt
account   required    pam_pgsql.so debug config_file=/etc/pam.d/myproxy-alt

Troubleshooting: Misc (deprecated item)

NOTE: This answer is deprecated and is no longer an acceptable solution. It remains here for reference only.

If it seems that every user account in the db file must also exist on the system (i.e. each user must be created with 'useradd user1', and regardless of the system password the DB password from the file is used), the fix is to make sure that BOTH lines are present in the PAM file, not just the first:

auth    required        pam_userdb.so  db=/usr/local/gt4.2.0/userpass
account    required        pam_userdb.so  db=/usr/local/gt4.2.0/userpass