Version 4 (modified by pjkersha, 8 years ago)


MyProxy Credential Translation Service

Pluggable Authentication Module for MyProxy enabling the generation of short-lived user certificates from other authentication assertions.

Source Code


These instructions apply to the installation and configuration of MyProxyServer on a Scientific Linux or RedHat 6 machine. MyProxyServer will be configured with a Pluggable Authentication Module (PAM) to create credentials with a predefined password for any username. This is achieved with the PAM extension pam_credential_translation.

  1. As user root
      yum update
      yum install gcc
      yum install openssl-devel
      yum install libtool
      yum groupinstall 'Development Tools'
      yum install libtool-ltdl-devel
      yum install pam-devel
  2. Install Perl modules:
      cpan -i Archive::Tar
      cpan -i IO::Zlib
      cpan -i Package::Constants
  3. Add user globus
      groupadd globus
      adduser -g globus globus
      passwd globus
  4. Create directories
      mkdir /usr/local/globus-5.2.0
      chown globus:globus /usr/local/globus-5.2.0
      mkdir /etc/grid-security
      mkdir /etc/grid-security/certificates
  5. Set the hostname to <MyProxy server FQDN>:
      vi /etc/sysconfig/network
      vi /etc/hosts
      #<ip address> <myproxy server FQDN>
      hostname <myproxy server FQDN>
      /etc/init.d/network restart


  1. Install PAM Module
      svn checkout
      cd pam_credential_translation
  2. Copy the file to /lib64/security/ (root privileges required)
  3. Set up the firewall: as root, open port 7512:
      vi /etc/sysconfig/iptables
      #ADD: -A INPUT -m state --state NEW -m tcp -p tcp --dport 7512 -j ACCEPT
      /etc/init.d/iptables restart  
  4. Install Globus toolkit and MyProxyServer
      wget gt5.2.0-all-source-installer.tar.gz 
      export GLOBUS_LOCATION=/usr/local/globus-5.2.0/
      tar -xzvf gt5.2.0-all-source-installer.tar.gz
      cd gt5.2.0-all-source-installer
      make install
      make gsi-myproxy
      make install
      export GLOBUS_LOCATION=/usr/local/globus-5.2.0/
      . $GLOBUS_LOCATION/etc/ 
  5. Install SimpleCA
      export GLOBUS_LOCATION=/usr/local/globus-5.2.0/
      . $GLOBUS_LOCATION/etc/ 
  6. Create local grid security directories
      mkdir ${sysconfdir}/grid-security/
      mkdir ${sysconfdir}/grid-security/certificates


  1. There is a bug in myproxy-server-setup: it points to the wrong location. This can be fixed by:
      mkdir /usr/local/globus-5.2.0/libexec/
      cp  /usr/local/globus-5.2.0/share/globus/globus-script-initializer /usr/local/globus-5.2.0/libexec/
      grid-ca-create -subject "cn=Globus Simple CA, ou=simpleCA-test, ou=GlobusTest, o=Grid" -email "<ca admin e-mail address>" -days 1825 -pass globus_install -force
  2. As root: request grid certificate
      mkdir -p /etc/grid-security
      mkdir -p /etc/grid-security/certificates
  3. Copy certificates to root grid security directory
      cp /usr/local/globus-5.2.0/etc/grid-security/certificates/globus-user-ssl.conf.* /etc/grid-security/globus-user-ssl.conf
      cp /usr/local/globus-5.2.0/etc/grid-security/certificates/globus-host-ssl.conf.* /etc/grid-security/globus-host-ssl.conf
      cp /usr/local/globus-5.2.0/etc/grid-security/certificates/grid-security.conf.* /etc/grid-security/grid-security.conf
      cp /usr/local/globus-5.2.0/etc/grid-security/certificates/* /etc/grid-security/certificates
  4. Request host certificate
      grid-cert-request -host '<myproxy server FQDN>'
  5. Copy it to a place readable for user globus
      cp /etc/grid-security/hostcert_request.pem /usr/local/globus-5.2.0/etc/hostcert_request.pem
  6. As globus user: sign the certificate
      grid-ca-sign -in /usr/local/globus-5.2.0/etc/hostcert_request.pem -out  /usr/local/globus-5.2.0/etc/hostsigned.pem
  7. As root: install the signed certificate
      cp /usr/local/globus-5.2.0/etc/hostsigned.pem /etc/grid-security/hostcert.pem
      chown root:root /etc/grid-security/hostcert.pem
      chmod 644 /etc/grid-security/hostcert.pem
  8. If everything is all right, kill the proxy server and configure it.
  9. Create the myproxy server configuration file
      accepted_credentials  "*"
      authorized_retrievers "*"
      default_retrievers    "*"
      authorized_renewers   "*"
      default_renewers      "none"
      authorized_key_retrievers "*"
      default_key_retrievers    "none"
      trusted_retrievers    "*"
      default_trusted_retrievers "none"
      cert_dir /etc/grid-security/certificates
      pam required
      pam_id "myproxy-credential-translation"
      certificate_issuer_cert /usr/local/globus-5.2.0/var/lib/globus/simple_ca/cacert.pem
      certificate_issuer_key /usr/local/globus-5.2.0/var/lib/globus/simple_ca/private/cakey.pem
      certificate_issuer_key_passphrase "globus_install"
      certificate_serialfile /usr/local/globus-5.2.0/var/lib/globus/simple_ca/serial
      certificate_out_dir /usr/local/globus-5.2.0/var/lib/globus/simple_ca/newcerts
      certificate_mapapp "/etc/grid-security/"
    Store this in: /etc/myproxy-server.config
  10. Create the certificate map application, which generates the new user IDs
      #!/bin/sh
      # $1 is the username; the certificate subject DN is printed on stdout
      echo "certificate_map_app called: /O=Grid/OU=GlobusTest/OU=simpleCA-test/OU=local/CN=$1" >> /var/log/pam_credential_translation.log
      echo "/O=Grid/OU=GlobusTest/OU=simpleCA-test/OU=local/CN=$1"
  11. And store this in /etc/grid-security/
  12. Create myproxy-credential-translation configuration file
      auth required sha256passwd=<md5 hex encoded hash>
      account  required sha256passwd=<md5 hex encoded hash>
      #Store this in /etc/pam.d/
  13. Testing on a client machine
      myproxy-get-trustroots -s <myproxy server FQDN>
      myproxy-logon -s <myproxy server FQDN>
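
The server configuration in step 9 holds the CA key passphrase inline and uses "*" for most access policies. The following check is an added example, not part of MyProxy or of this page's original instructions; the function names, finding labels and the embedded sample (a constructed subset of the step 9 file) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not part of MyProxy): report risky settings in a
# myproxy-server.config laid out like the one in step 9.
LC_ALL=C; export LC_ALL

# Constructed sample: a subset of the step 9 directives.
sample_config() {
cat <<'EOF'
accepted_credentials  "*"
authorized_retrievers "*"
default_renewers      "none"
pam required
certificate_issuer_key_passphrase "globus_install"
EOF
}

# audit_config FILE: print one finding per line (no output means no findings).
audit_config() {
    cfg=$1
    [ -f "$cfg" ] || { echo "missing:$cfg"; return 2; }
    # The file carries the CA key passphrase, so only its owner should read it.
    if [ -n "$(find "$cfg" -prune \( -perm -040 -o -perm -004 \) -print)" ]; then
        echo "mode:readable-by-group-or-other"
    fi
    awk '
        $1 ~ /^#/ || NF < 2 { next }     # skip comments and bare keywords
        { key = $1; val = $2; gsub(/"/, "", val) }
        (key == "accepted_credentials" || key ~ /_(retrievers|renewers)$/) && val == "*" {
            print "wildcard:" key        # policy matches every client DN
        }
        key == "certificate_issuer_key_passphrase" { print "inline-passphrase" }
    ' "$cfg"
}

# Audit the file named on the command line, e.g. /etc/myproxy-server.config.
[ "$#" -eq 0 ] || audit_config "$1"
```

Run it as root against /etc/myproxy-server.config after step 9; a mode finding is cleared with chmod 600 on the file.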
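
The map application in step 10 places the username ($1) directly into the certificate subject and into the log. The variant below is an added example, not the project's script: it keeps the page's DN prefix and log path, and adds a username policy (1 to 32 characters from letters, digits, '.', '_' and '-'), a MAP_LOG override and the function names, all of which are assumptions.

```shell
#!/bin/sh
# Added example, not the project's script: certificate map application that
# validates the username before building the DN.
LC_ALL=C; export LC_ALL          # keep the bracket ranges below ASCII-only

DN_PREFIX="/O=Grid/OU=GlobusTest/OU=simpleCA-test/OU=local/CN="   # from the page
MAP_LOG=${MAP_LOG:-/var/log/pam_credential_translation.log}       # override is an assumption

# map_dn USERNAME: print the DN, or return 1 for a name outside the policy.
# Assumed policy: 1-32 chars from [A-Za-z0-9._-], first char alphanumeric.
# Rejecting '/' and '=' keeps the name from adding components to the DN.
map_dn() {
    user=$1
    case $user in
        ''|*[!A-Za-z0-9._-]*|[!A-Za-z0-9]*) return 1 ;;
    esac
    [ "${#user}" -le 32 ] || return 1
    printf '%s%s\n' "$DN_PREFIX" "$user"
}

# log_safe STRING: replace every character outside the policy set with '?',
# so a rejected name cannot add lines to the log.
log_safe() {
    printf '%s' "$1" | tr -c 'A-Za-z0-9._-' '?'
}

main() {
    if dn=$(map_dn "$1"); then
        echo "certificate_map_app called: $dn" >> "$MAP_LOG"
        echo "$dn"
    else
        echo "certificate_map_app rejected: $(log_safe "$1")" >> "$MAP_LOG"
        return 1
    fi
}

# Run only when given a username, so the functions can also be sourced.
[ "$#" -eq 0 ] || main "$1"
```

A rejected name makes the script exit non-zero and print nothing on stdout, so no DN is returned for it.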