MyProxy Credential Translation Service

Pluggable Authentication Module for MyProxy enabling the generation of short-lived user certificates from other authentication assertions.

Source Code

This is available from the svn repository (the checkout URL is given in step 6 below).

Installation

These instructions cover installation and configuration of MyProxyServer on a Scientific Linux or RedHat 6 machine, together with the Pluggable Authentication Module (PAM) that creates credentials for any username given a predefined password.

  1. As user root
      yum update
      yum install gcc
      yum install openssl-devel
      yum install libtool
      yum groupinstall 'Development Tools'
      yum install libtool-ltdl-devel
      yum install pam-devel
    
  2. install perl modules:
      cpan -i Archive::Tar
      cpan -i IO::Zlib
      cpan -i Package::Constants
    
    
  3. Add user globus
      groupadd globus
      adduser -g globus globus
      passwd globus
      >(globus)
    
  4. Create directories
      mkdir /usr/local/globus-5.2.0
      chown globus:globus /usr/local/globus-5.2.0
    
      mkdir /etc/grid-security
      mkdir /etc/grid-security/certificates
    
  5. Set hostname <MyProxy server FQDN> in
      vi /etc/sysconfig/network
      vi /etc/hosts #<ip address> <myproxy server FQDN>
      hostname  <myproxy server FQDN>
      /etc/init.d/network restart
    
  6. Install PAM Module
      svn checkout http://proj.badc.rl.ac.uk/svn/ndg-security/trunk/MashMyData/pam_credential_translation
      cd pam_credential_translation
      make
    
  7. Copy the pam_credential_translation.so file to /lib64/security/ (root privileges required)
  8. Set the firewall: as root, open port 7512:
      vi /etc/sysconfig/iptables
      #ADD: -A INPUT -m state --state NEW -m tcp -p tcp --dport 7512 -j ACCEPT
      
      /etc/init.d/iptables restart  
    
  9. Install Globus toolkit and MyProxyServer
      wget gt5.2.0-all-source-installer.tar.gz 
      export GLOBUS_LOCATION=/usr/local/globus-5.2.0/
      tar -xzvf gt5.2.0-all-source-installer.tar.gz
      cd gt5.2.0-all-source-installer
      ./configure
      make
      make install
      make gsi-myproxy
      make install
    
      export GLOBUS_LOCATION=/usr/local/globus-5.2.0/
      . $GLOBUS_LOCATION/etc/globus-user-env.sh 
    
  10. Install SimpleCA
      export GLOBUS_LOCATION=/usr/local/globus-5.2.0/
      . $GLOBUS_LOCATION/etc/globus-user-env.sh 
    
  11. Create local grid security directories
      mkdir ${sysconfdir}/grid-security/
      mkdir ${sysconfdir}/grid-security/certificates
    
  12. There is a bug in myproxy-server-setup: it looks for globus-script-initializer in the wrong location. It can be worked around by:
      mkdir /usr/local/globus-5.2.0/libexec/
      cp  /usr/local/globus-5.2.0/share/globus/globus-script-initializer /usr/local/globus-5.2.0/libexec/
    
      grid-ca-create -subject "cn=Globus Simple CA, ou=simpleCA-test, ou=GlobusTest, o=Grid" -email "<ca admin e-mail address>" -days 1825 -pass globus_install -force
    
  13. As root: request grid certificate
      mkdir /etc/grid-security
      mkdir /etc/grid-security/certificates
    
  14. Copy certificates to root grid security directory
      cp /usr/local/globus-5.2.0/etc/grid-security/certificates/globus-user-ssl.conf.* /etc/grid-security/globus-user-ssl.conf
      cp /usr/local/globus-5.2.0/etc/grid-security/certificates/globus-host-ssl.conf.* /etc/grid-security/globus-host-ssl.conf
      cp /usr/local/globus-5.2.0/etc/grid-security/certificates/grid-security.conf.* /etc/grid-security/grid-security.conf
      cp /usr/local/globus-5.2.0/etc/grid-security/certificates/* /etc/grid-security/certificates
    
  15. Request host certificate
      grid-cert-request -host '<myproxy server FQDN>'
    
  16. Copy it to a place readable for user globus
      cp /etc/grid-security/hostcert_request.pem /usr/local/globus-5.2.0/etc/hostcert_request.pem
    
  17. As globus user: sign the certificate
      grid-ca-sign -in /usr/local/globus-5.2.0/etc/hostcert_request.pem -out  /usr/local/globus-5.2.0/etc/hostsigned.pem
    
  18. As root: install the signed certificate
      cp /usr/local/globus-5.2.0/etc/hostsigned.pem /etc/grid-security/hostcert.pem
      chown root:root /etc/grid-security/hostcert.pem
      chmod 644 /etc/grid-security/hostcert.pem
    
      myproxy-server-setup
    
  19. If everything is all right, stop the running myproxy server and configure it.
  20. Create the myproxy server configuration file
      accepted_credentials  "*"
      authorized_retrievers "*"
      default_retrievers    "*"
      authorized_renewers   "*"
      default_renewers      "none"
      authorized_key_retrievers "*"
      default_key_retrievers    "none"
      trusted_retrievers    "*"
      default_trusted_retrievers "none"
      cert_dir /etc/grid-security/certificates
      pam required
      pam_id "myproxy-credential-translation"
      certificate_issuer_cert /usr/local/globus-5.2.0/var/lib/globus/simple_ca/cacert.pem
      certificate_issuer_key /usr/local/globus-5.2.0/var/lib/globus/simple_ca/private/cakey.pem
      certificate_issuer_key_passphrase "globus_install"
      certificate_serialfile /usr/local/globus-5.2.0/var/lib/globus/simple_ca/serial
      certificate_out_dir /usr/local/globus-5.2.0/var/lib/globus/simple_ca/newcerts
      certificate_mapapp "/etc/grid-security/certificate_map_app.sh"
    
    Store this in: /etc/myproxy-server.config
  21. Create the certificate map application, which generates the new user ids. MyProxy calls it with the PAM-authenticated username as its only argument and takes the DN to issue from its standard output:
      #!/bin/sh
      # $1 is the username that passed the PAM check; log the call, then print the DN to issue
      echo "certificate_map_app called: /O=Grid/OU=GlobusTest/OU=simpleCA-test/OU=local/CN=$1" >> /var/log/pam_credential_translation.log
      echo "/O=Grid/OU=GlobusTest/OU=simpleCA-test/OU=local/CN=$1"
    
  22. Store this in /etc/grid-security/certificate_map_app.sh (the path given by certificate_mapapp above) and make it executable.
  23. Create myproxy-credential-translation configuration file
      auth required pam_credential_translation.so sha256passwd=<md5 hex encoded hash>
      account  required pam_credential_translation.so sha256passwd=<md5 hex encoded hash>
    
    Store this in /etc/pam.d/ under the service name given by pam_id in the server configuration (myproxy-credential-translation).
  24. Testing on a client machine
      myproxy-get-trustroots -s <myproxy server FQDN>
      myproxy-logon -s <myproxy server FQDN>
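A check script added here (it is not part of the wiki page or of the MyProxy project) that validates the files referenced by the step-20 configuration before the server is started: the config holds the CA key passphrase in clear text, the CA private key is named in it, and the map application decides every DN that gets signed. It assumes GNU stat (Linux, as on this page) and lets PAM_DIR override /etc/pam.d so it can be exercised on test files.

```shell
#!/bin/sh
# Added example, not part of the wiki page or of the MyProxy project: sanity-check
# the myproxy-server.config built in step 20 before starting the server. That file
# carries the SimpleCA key passphrase in clear text and names the CA private key,
# so both must be readable only by the account running myproxy-server.
# Assumes GNU stat (Linux, as on this page); PAM_DIR overrides /etc/pam.d for tests.

# Print the value of one directive (first match, surrounding quotes stripped).
config_value() {
    awk -v key="$2" '$1 == key { v = $2; gsub(/"/, "", v); print v; exit }' "$1"
}

# Octal permission bits of a file, e.g. 600.
file_mode() { stat -c '%a' "$1"; }

# Succeed only if the file is readable by its owner alone (mode 600 or 400).
owner_only() {
    case "$(file_mode "$1")" in
        600|400) return 0 ;;
        *) echo "FAIL: $1 is mode $(file_mode "$1"), expected 600"; return 1 ;;
    esac
}

# check_config CONFIG: prints each finding; returns 0 only if every check passes.
check_config() {
    cfg="$1"; rc=0
    # certificate_issuer_key_passphrase makes the config itself a secret.
    owner_only "$cfg" || rc=1
    key=$(config_value "$cfg" certificate_issuer_key)
    if [ -f "$key" ]; then owner_only "$key" || rc=1
    else echo "FAIL: certificate_issuer_key is not a file: '$key'"; rc=1; fi
    # The map app picks every DN the server signs, so nobody else may edit it.
    app=$(config_value "$cfg" certificate_mapapp)
    if [ ! -x "$app" ]; then echo "FAIL: certificate_mapapp not executable: '$app'"; rc=1
    else case "$(file_mode "$app")" in
            *[2367]) echo "FAIL: certificate_mapapp $app is world-writable"; rc=1 ;;
         esac
    fi
    # With 'pam required' and "*" retrievers, the named PAM service is the only gate.
    pam_id=$(config_value "$cfg" pam_id)
    pam_file="${PAM_DIR:-/etc/pam.d}/$pam_id"
    if [ -z "$pam_id" ] || [ ! -f "$pam_file" ]; then
        echo "FAIL: PAM service file $pam_file is missing"; rc=1
    fi
    return $rc
}

# Usage: sh check_myproxy_config.sh /etc/myproxy-server.config
if [ $# -gt 0 ]; then check_config "$1"; fi
```

Run it as root against /etc/myproxy-server.config after step 23; a non-zero exit means at least one of the listed findings needs fixing before myproxy-server is started.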