
MyProxy Credential Translation Service

Pluggable Authentication Module for MyProxy enabling the generation of short-lived user certificates from other authentication assertions.

Source Code

Installation

Applies to installation and configuration of MyProxyServer on a Scientific Linux or RedHat 6 machine. MyProxyServer will be configured with a Pluggable Authentication Module (PAM) to create credentials with a predefined password for any username. This is achieved with the PAM extension pam_credential_translation.

  1. As user root
      yum update
      yum install gcc
      yum install openssl-devel
      yum install libtool
      yum groupinstall 'Development Tools'
      yum install libtool-ltdl-devel
      yum install pam-devel
    
  2. install perl modules:
      cpan -i Archive::Tar
      cpan -i IO::Zlib
      cpan -i Package::Constants
    
    
  3. Add user globus
      groupadd globus
      adduser -g globus globus
      passwd globus
      >(globus)
    
  4. Create directories
      mkdir /usr/local/globus-5.2.0
      chown globus:globus /usr/local/globus-5.2.0

      mkdir /etc/grid-security
      mkdir /etc/grid-security/certificates

#Set hostname bvmlab-218-21.knmi.nl in
vi /etc/sysconfig/network
vi /etc/hosts
#<ip address> <myproxy server FQDN>
hostname <myproxy server FQDN>
/etc/init.d/network restart

### INSTALL PAM MODULE ###
svn checkout http://proj.badc.rl.ac.uk/svn/ndg-security/trunk/MashMyData/pam_credential_translation
cd pam_credential_translation

#Adjust pam_credential_translation.c so that the account-management hook always succeeds
#(access control then rests entirely on the auth step):
PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv){
    return PAM_SUCCESS ;
}
make
#Copy the pam_credential_translation.so file to /lib64/security/ (root privileges required)

### Set Firewall as root, open port 7512 in the firewall: ###
vi /etc/sysconfig/iptables
#ADD:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 7512 -j ACCEPT

/etc/init.d/iptables restart

####################### As user globus #######################
#INSTALL Globus toolkit and MyProxyServer

#Get gt5.2.0-all-source-installer.tar.gz
export GLOBUS_LOCATION=/usr/local/globus-5.2.0/
tar -xzvf gt5.2.0-all-source-installer.tar.gz
cd gt5.2.0-all-source-installer
./configure
make
make install
make gsi-myproxy
make install

export GLOBUS_LOCATION=/usr/local/globus-5.2.0/
. $GLOBUS_LOCATION/etc/globus-user-env.sh

### Install SimpleCA ###
export GLOBUS_LOCATION=/usr/local/globus-5.2.0/
. $GLOBUS_LOCATION/etc/globus-user-env.sh

#Create local grid security directories
mkdir ${sysconfdir}/grid-security/
mkdir ${sysconfdir}/grid-security/certificates

#There is a bug in myproxy-server-setup: it points to the wrong location. It can be fixed by:
mkdir /usr/local/globus-5.2.0/libexec/
cp /usr/local/globus-5.2.0/share/globus/globus-script-initializer /usr/local/globus-5.2.0/libexec/

grid-ca-create -subject "cn=Globus Simple CA, ou=simpleCA-bvmlab-218-21.knmi.nl, ou=GlobusTest, o=Grid" -email "<ca admin e-mail address>" -days 1825 -pass globus_install -force

### AS ROOT: request grid certificate ###

mkdir /etc/grid-security
mkdir /etc/grid-security/certificates

#Copy certificates to root grid security directory
cp /usr/local/globus-5.2.0/etc/grid-security/certificates/globus-user-ssl.conf.* /etc/grid-security/globus-user-ssl.conf
cp /usr/local/globus-5.2.0/etc/grid-security/certificates/globus-host-ssl.conf.* /etc/grid-security/globus-host-ssl.conf
cp /usr/local/globus-5.2.0/etc/grid-security/certificates/grid-security.conf.* /etc/grid-security/grid-security.conf
cp /usr/local/globus-5.2.0/etc/grid-security/certificates/* /etc/grid-security/certificates

#Request host certificate
grid-cert-request -host '<myproxy server FQDN>'

#Copy it to a place readable for user globus
cp /etc/grid-security/hostcert_request.pem /usr/local/globus-5.2.0/etc/hostcert_request.pem

### AS GLOBUS: sign the certificate ###

grid-ca-sign -in /usr/local/globus-5.2.0/etc/hostcert_request.pem -out /usr/local/globus-5.2.0/etc/hostsigned.pem

### AS ROOT: install the signed certificate ###

cp /usr/local/globus-5.2.0/etc/hostsigned.pem /etc/grid-security/hostcert.pem
chown root:root /etc/grid-security/hostcert.pem
chmod 644 /etc/grid-security/hostcert.pem

myproxy-server-setup
#If everything is all right, kill the proxy server and configure it

### Create the myproxy server configuration file ###

accepted_credentials "*"
authorized_retrievers "*"
default_retrievers "*"
authorized_renewers "*"
default_renewers "none"
authorized_key_retrievers "*"
default_key_retrievers "none"
trusted_retrievers "*"
default_trusted_retrievers "none"
cert_dir /etc/grid-security/certificates
pam required
pam_id "myproxy-credential-translation"
certificate_issuer_cert /usr/local/globus-5.2.0/var/lib/globus/simple_ca/cacert.pem
certificate_issuer_key /usr/local/globus-5.2.0/var/lib/globus/simple_ca/private/cakey.pem
certificate_issuer_key_passphrase "globus_install"
certificate_serialfile /usr/local/globus-5.2.0/var/lib/globus/simple_ca/serial
certificate_out_dir /usr/local/globus-5.2.0/var/lib/globus/simple_ca/newcerts
certificate_mapapp "/etc/grid-security/certificate_map_app.sh"
#Store this in: /etc/myproxy-server.config
#Note: this file holds the CA private-key passphrase in clear text, so make it readable only by the user running myproxy-server.

### Create certificate map application, which generates the new user id's ###

#!/bin/sh
echo "certificate_map_app called: /O=Grid/OU=GlobusTest/OU=simpleCA-test/OU=local/CN=$1" >> /var/log/pam_credential_translation.log
echo "/O=Grid/OU=GlobusTest/OU=simpleCA-test/OU=local/CN=$1"
#And store this in /etc/grid-security/certificate_map_app.sh

### Create myproxy-credential-translation configuration file ###

auth required pam_credential_translation.so sha256passwd=<md5 hex encoded hash>
account required pam_credential_translation.so sha256passwd=<md5 hex encoded hash>
#Store this in /etc/pam.d/ under the name given as pam_id in myproxy-server.config
#(the option name suggests a SHA-256 hex digest rather than MD5; confirm the expected hash algorithm against the module source before use)

### TESTING on a client machine ###

myproxy-get-trustroots -s <myproxy server FQDN>
myproxy-logon -s <myproxy server FQDN>
