wiki:MyProxyCredentialTranslationService



MyProxy Credential Translation Service

Pluggable Authentication Module for MyProxy enabling the generation of short-lived user certificates from other authentication assertions.

Source Code

Installation

Applies to installation and configuration of MyProxyServer on a Scientific Linux or RedHat 6 machine. MyProxyServer will be configured with a Pluggable Authentication Module (PAM) to create credentials with a predefined password for any username. This is achieved with the PAM extension pam_credential_translation.

  1. As user root
      yum update
      yum install gcc
      yum install openssl-devel
      yum install libtool
      yum groupinstall 'Development Tools'
      yum install libtool-ltdl-devel
      yum install pam-devel
    
  2. install perl modules:
      cpan -i Archive::Tar
      cpan -i IO::Zlib
      cpan -i Package::Constants
    
    
  3. Add user globus
      groupadd globus
      adduser -g globus globus
      passwd globus
      >(globus)
    
  4. Create directories
      mkdir /usr/local/globus-5.2.0
      chown globus:globus /usr/local/globus-5.2.0
    
      mkdir /etc/grid-security
      mkdir /etc/grid-security/certificates
    
  5. Set hostname <MyProxy server FQDN> in:
      vi /etc/sysconfig/network
      vi /etc/hosts
      #<ip address> <myproxy server FQDN>
      hostname <myproxy server FQDN>
      /etc/init.d/network restart

}}}

  1. Install PAM Module
      svn checkout http://proj.badc.rl.ac.uk/svn/ndg-security/trunk/MashMyData/pam_credential_translation
      cd pam_credential_translation
      make
    
  2. Copy the pam_credential_translation.so file to /lib64/security/ (root privileges required)
  3. Set Firewall as root, open port 7512 in the firewall:
      vi /etc/sysconfig/iptables
      #ADD: -A INPUT -m state --state NEW -m tcp -p tcp --dport 7512 -j ACCEPT
      
      /etc/init.d/iptables restart  
    
  4. Install Globus toolkit and MyProxyServer
      wget gt5.2.0-all-source-installer.tar.gz 
      export GLOBUS_LOCATION=/usr/local/globus-5.2.0/
      tar -xzvf gt5.2.0-all-source-installer.tar.gz
      cd gt5.2.0-all-source-installer
      ./configure
      make
      make install
      make gsi-myproxy
      make install
    
      export GLOBUS_LOCATION=/usr/local/globus-5.2.0/
      . $GLOBUS_LOCATION/etc/globus-user-env.sh 
    
  5. Install SimpleCA
      export GLOBUS_LOCATION=/usr/local/globus-5.2.0/
      . $GLOBUS_LOCATION/etc/globus-user-env.sh 
    
  6. Create local grid security directories
      mkdir ${sysconfdir}/grid-security/
      mkdir ${sysconfdir}/grid-security/certificates

}}}

  1. There is a bug in myproxy-server-setup, it is pointing to the wrong location, can be fixed by:
      mkdir  /usr/local/globus-5.2.0//libexec/
      cp  /usr/local/globus-5.2.0/share/globus/globus-script-initializer /usr/local/globus-5.2.0/libexec/
    
      grid-ca-create -subject "cn=Globus Simple CA, ou=simpleCA-test, ou=GlobusTest, o=Grid" -email "<ca admin e-mail address>" -days 1825 -pass globus_install -force
    
  2. As root: request grid certificate
      mkdir /etc/grid-security
      mkdir /etc/grid-security/certificates
    
  3. Copy certificates to root grid security directory
      cp /usr/local/globus-5.2.0/etc/grid-security/certificates/globus-user-ssl.conf.* /etc/grid-security/globus-user-ssl.conf
      cp /usr/local/globus-5.2.0/etc/grid-security/certificates/globus-host-ssl.conf.* /etc/grid-security/globus-host-ssl.conf
      cp /usr/local/globus-5.2.0/etc/grid-security/certificates/grid-security.conf.* /etc/grid-security/grid-security.conf
      cp /usr/local/globus-5.2.0/etc/grid-security/certificates/* /etc/grid-security/certificates
    
  4. Request host certificate
      grid-cert-request -host '<myproxy server FQDN>'
    
  5. Copy it to a place readable for user globus
      cp /etc/grid-security/hostcert_request.pem /usr/local/globus-5.2.0/etc/hostcert_request.pem
    
  6. As globus user: sign the certificate
      grid-ca-sign -in /usr/local/globus-5.2.0/etc/hostcert_request.pem -out  /usr/local/globus-5.2.0/etc/hostsigned.pem
    

### AS ROOT: install the signed certificate ###

cp /usr/local/globus-5.2.0/etc/hostsigned.pem /etc/grid-security/hostcert.pem
chown root:root /etc/grid-security/hostcert.pem
chmod 644 /etc/grid-security/hostcert.pem

myproxy-server-setup
#If everything is all right, kill the proxy server and configure it

### Create the myproxy server configuration file ###

accepted_credentials "*"
authorized_retrievers "*"
default_retrievers "*"
authorized_renewers "*"
default_renewers "none"
authorized_key_retrievers "*"
default_key_retrievers "none"
trusted_retrievers "*"
default_trusted_retrievers "none"
cert_dir /etc/grid-security/certificates
pam required
pam_id "myproxy-credential-translation"
certificate_issuer_cert /usr/local/globus-5.2.0/var/lib/globus/simple_ca/cacert.pem
certificate_issuer_key /usr/local/globus-5.2.0/var/lib/globus/simple_ca/private/cakey.pem
certificate_issuer_key_passphrase "globus_install"
certificate_serialfile /usr/local/globus-5.2.0/var/lib/globus/simple_ca/serial
certificate_out_dir /usr/local/globus-5.2.0/var/lib/globus/simple_ca/newcerts
certificate_mapapp "/etc/grid-security/certificate_map_app.sh"
#Store this in: /etc/myproxy-server.config

Note: this file holds the CA signing key passphrase in clear text (the same example value passed to grid-ca-create with -pass above), so it must not be world-readable, and the example passphrase should be replaced in a real deployment.

### Create certificate map application, which generates the new user id's ###

#!/bin/sh
echo "certificate_map_app called: /O=Grid/OU=GlobusTest/OU=simpleCA-test/OU=local/CN=$1" >> /var/log/pam_credential_translation.log
echo "/O=Grid/OU=GlobusTest/OU=simpleCA-test/OU=local/CN=$1"
#And store this in /etc/grid-security/certificate_map_app.sh

### Create myproxy-credential-translation configuration file ###

auth required pam_credential_translation.so sha256passwd=<md5 hex encoded hash>
account required pam_credential_translation.so sha256passwd=<md5 hex encoded hash>
#Store this in /etc/pam.d/, in a file whose name matches the pam_id set in myproxy-server.config (myproxy-credential-translation)

Note: the option name sha256passwd suggests a SHA-256 hex digest rather than MD5; confirm the expected hash format against the pam_credential_translation source before generating the value.

### TESTING on a client machine ###

myproxy-get-trustroots -s <myproxy server FQDN>
myproxy-logon -s <myproxy server FQDN>

}}}