


MyProxy Credential Translation Service

Pluggable Authentication Module for MyProxy enabling the generation of short-lived user certificates from other authentication assertions.

Source Code

Installation

################################################################################################
# Manual to install and configure MyProxyServer on a Scientific Linux or RedHat 6 machine.
#
# MyProxyServer will be configured with a Pluggable Authentication Module (PAM) to create credentials
# with a predefined password for any username.
# This is achieved with the PAM extension pam_credential_translation written by P. Kershaw
#
################################################################################################

#Installation instructions for Scientific Linux 6.1 (or RH 6).

####################### As user root ####################### 
  yum update
  yum install gcc
  yum install openssl-devel
  yum install libtool
  yum groupinstall 'Development Tools'
  yum install libtool-ltdl-devel
  yum install pam-devel

  #install perl modules:
  cpan -i Archive::Tar
  cpan -i IO::Zlib
  cpan -i Package::Constants

  #Add user globus
  groupadd globus
  adduser -g globus globus
  passwd globus
  #(at the passwd prompt, type the new password for user globus; the original note shows "globus")

  #Create directories
  mkdir /usr/local/globus-5.2.0
  chown globus:globus /usr/local/globus-5.2.0

  mkdir /etc/grid-security
  mkdir /etc/grid-security/certificates

  #Set the hostname (bvmlab-218-21.knmi.nl in this example) in the following files:
  vi /etc/sysconfig/network
  vi /etc/hosts #145.23.218.21 <myproxy server FQDN>
  hostname  <myproxy server FQDN>
  /etc/init.d/network restart

  ### INSTALL PAM MODULE ###
  svn checkout http://proj.badc.rl.ac.uk/svn/ndg-security/trunk/MashMyData/pam_credential_translation
  cd pam_credential_translation
  
  #Adjust pam_credential_translation.c so that the account-management hook always succeeds:
  /*
   * Account-management hook, patched to be a no-op: it returns PAM_SUCCESS
   * without inspecting the handle, flags or module arguments.  As a result
   * the "account required pam_credential_translation.so" line in the PAM
   * configuration never rejects a user; any checking this module performs
   * happens in the "auth" stage only.  pamh/flags/argc/argv are
   * intentionally unused here.
   */
  PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv){
    return PAM_SUCCESS ;
  }
  make
  #Copy the pam_credential_translation.so file to /lib64/security/ (root privileges required)

  ### Set Firewall as root, open port 7512 in the firewall: ###
  vi /etc/sysconfig/iptables
  #ADD: -A INPUT -m state --state NEW -m tcp -p tcp --dport 7512 -j ACCEPT
  
  /etc/init.d/iptables restart  

####################### As user globus ####################### 
#INSTALL Globus toolkit and MyProxyServer
  #Get gt5.2.0-all-source-installer.tar.gz 
  export GLOBUS_LOCATION=/usr/local/globus-5.2.0/
  tar -xzvf gt5.2.0-all-source-installer.tar.gz
  cd gt5.2.0-all-source-installer
  ./configure
  make
  make install
  make gsi-myproxy
  make install

  export GLOBUS_LOCATION=/usr/local/globus-5.2.0/
  . $GLOBUS_LOCATION/etc/globus-user-env.sh 

  ### Install SimpleCA ###
  export GLOBUS_LOCATION=/usr/local/globus-5.2.0/
  . $GLOBUS_LOCATION/etc/globus-user-env.sh 

  #Create local grid security directories
  mkdir ${sysconfdir}/grid-security/
  mkdir ${sysconfdir}/grid-security/certificates

  #There is a bug in myproxy-server-setup: it points to the wrong location. Work around it with:
  mkdir  /usr/local/globus-5.2.0//libexec/
  cp  /usr/local/globus-5.2.0/share/globus/globus-script-initializer /usr/local/globus-5.2.0/libexec/

  grid-ca-create -subject "cn=Globus Simple CA, ou=simpleCA-bvmlab-218-21.knmi.nl, ou=GlobusTest, o=Grid" -email "<ca admin e-mail address>" -days 1825 -pass globus_install -force

### AS ROOT: request grid certificate ###
  mkdir /etc/grid-security
  mkdir /etc/grid-security/certificates

  #Copy certificates to root grid security directory
  cp /usr/local/globus-5.2.0/etc/grid-security/certificates/globus-user-ssl.conf.* /etc/grid-security/globus-user-ssl.conf
  cp /usr/local/globus-5.2.0/etc/grid-security/certificates/globus-host-ssl.conf.* /etc/grid-security/globus-host-ssl.conf
  cp /usr/local/globus-5.2.0/etc/grid-security/certificates/grid-security.conf.* /etc/grid-security/grid-security.conf
  cp /usr/local/globus-5.2.0/etc/grid-security/certificates/* /etc/grid-security/certificates

  #Request host certificate
  grid-cert-request -host '<myproxy server FQDN>'

  #Copy it to a place readable by user globus
  cp /etc/grid-security/hostcert_request.pem /usr/local/globus-5.2.0/etc/hostcert_request.pem

### AS GLOBUS: sign the certificate ###
  grid-ca-sign -in /usr/local/globus-5.2.0/etc/hostcert_request.pem -out  /usr/local/globus-5.2.0/etc/hostsigned.pem

### AS ROOT: install the signed certificate ###
  cp /usr/local/globus-5.2.0/etc/hostsigned.pem /etc/grid-security/hostcert.pem
  chown root:root /etc/grid-security/hostcert.pem
  chmod 644 /etc/grid-security/hostcert.pem

  myproxy-server-setup
  #If everything works, stop the running myproxy server and configure it as described below

### Create the myproxy server configuration file ###
  accepted_credentials  "*"
  authorized_retrievers "*"
  default_retrievers    "*"
  authorized_renewers   "*"
  default_renewers      "none"
  authorized_key_retrievers "*"
  default_key_retrievers    "none"
  trusted_retrievers    "*"
  default_trusted_retrievers "none"
  cert_dir /etc/grid-security/certificates
  pam required
  pam_id "myproxy-credential-translation"
  certificate_issuer_cert /usr/local/globus-5.2.0/var/lib/globus/simple_ca/cacert.pem
  certificate_issuer_key /usr/local/globus-5.2.0/var/lib/globus/simple_ca/private/cakey.pem
  certificate_issuer_key_passphrase "globus_install"
  certificate_serialfile /usr/local/globus-5.2.0/var/lib/globus/simple_ca/serial
  certificate_out_dir /usr/local/globus-5.2.0/var/lib/globus/simple_ca/newcerts
  certificate_mapapp "/etc/grid-security/certificate_map_app.sh"
  #Store this in /etc/myproxy-server.config. It contains the CA key passphrase in clear text (certificate_issuer_key_passphrase), so keep it readable by root only.

### Create the certificate map application, which maps a username to the subject DN of the certificate to be issued ###
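  #!/bin/sh
  # certificate_map_app for myproxy-server (see certificate_mapapp in
  # /etc/myproxy-server.config): receives the username as $1 and prints, on
  # stdout, the subject DN of the certificate to be issued for it.
  #
  # Exit status: 0 with the DN on stdout; 1 with nothing on stdout when the
  # username is rejected.  NOTE(review): myproxy-server presumably treats a
  # non-zero exit / empty output as a failed request -- confirm against its
  # documentation.

  log=/var/log/pam_credential_translation.log
  dn_prefix="/O=Grid/OU=GlobusTest/OU=simpleCA-test/OU=local/CN="
  user=$1

  # Best-effort audit trail, as in the original script: an unwritable log file
  # reports an error on stderr but does not stop the mapping.
  log_line() {
    printf '%s\n' "$*" >> "$log"
  }

  # The DN is emitted in OpenSSL one-line form, where '/' separates RDNs and
  # the whole subject must be a single line.  A name containing '/' or a
  # newline would therefore change the DN structure rather than just the CN
  # value, and an empty name yields an empty CN; refuse all three instead of
  # mapping them.
  nl=$(printf '\nx'); nl=${nl%x}   # a literal newline for the pattern below
  case $user in
    ''|*/*|*"$nl"*)
      log_line "certificate_map_app rejected an invalid username"
      printf 'certificate_map_app: invalid username\n' >&2
      exit 1
      ;;
  esac

  dn="${dn_prefix}${user}"
  # printf rather than echo: a username such as "-n" or one containing
  # backslashes must be reproduced verbatim.
  log_line "certificate_map_app called: $dn"
  printf '%s\n' "$dn"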
  #And store this in /etc/grid-security/certificate_map_app.sh

### Create myproxy-credential-translation configuration file ###
  auth required pam_credential_translation.so sha256passwd=<md5 hex encoded hash>
  account  required pam_credential_translation.so sha256passwd=<md5 hex encoded hash>
  #Store this in /etc/pam.d/ under the name given as pam_id in myproxy-server.config (myproxy-credential-translation)

### TESTING on a client machine ###
  myproxy-get-trustroots -s <myproxy server FQDN>
  myproxy-logon -s <myproxy server FQDN>