wiki:netCDF-ESGSecurityExtension

netCDF C API Security Extension for Earth System Grid

This page is concerned with an extension added to the netCDF OPeNDAP client C API to enable PKI-based authentication. The work has been carried out for the Earth System Grid, whose security architecture supports OpenID- and PKI-based authentication for services. For details of the authentication mechanism see: wiki:ESGF#Authentication.

Accessing the Code

The code is in the code repository trunk and is included in the beta2 release.

Build

Follow the usual build instructions for netCDF, ensuring that the curl libraries are linked in.

$ ./configure --with-curl-config=/usr/bin/curl-config --enable-shared

Configuration

All settings are made via the .dodsrc file in the user's home directory. No changes are needed to any C code.

$ cat ~/.dodsrc
CURL.VERBOSE=1
CURL.COOKIEJAR=.dods_cookies
CURL.SSL.VALIDATE=1
CURL.SSL.CERTIFICATE=/.../creds.pem
CURL.SSL.KEY=/.../creds.pem
CURL.SSL.CAPATH=/.../ca-certificates
  • CURL.COOKIEJAR: cookies maintain the authenticated state once the initial call has completed the SSL handshake with the authentication service
  • CURL.SSL.CERTIFICATE: the path to an SSL client certificate used to authenticate with the server. ESGF uses MyProxyCA to provide users with short-lived PKI credentials. In the example, both the certificate and the private key are stored together in the same file, creds.pem
  • CURL.SSL.KEY: the path to the private key file
  • CURL.SSL.CAPATH: the path to the directory containing the CA certificates used to verify the server's certificate. Certificate files should be named following the convention <cert hash>.<n>, as set up by the OpenSSL c_rehash command-line utility. ESGF has a bundle of trusted CA certificates used by services in the federation.
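As an added example (not part of this page or of the netCDF code), the following Python checker parses a .dodsrc in the format shown above and flags settings that weaken the PKI set-up: server validation switched off, a missing certificate or key file, a private key readable by other users, or a CAPATH whose files do not follow the c_rehash naming convention. The files and paths created in demo() are constructed placeholders, not real credentials.

```python
import os
import re
import tempfile

CA_HASH_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")  # c_rehash form <hash>.<n>, e.g. 3513523f.0

def parse_dodsrc(text):
    """Parse the KEY=VALUE lines of a .dodsrc; blank, comment and other lines are ignored."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def check_dodsrc(settings):
    """Return a list of problems with the CURL.SSL.* settings; an empty list means they look sane."""
    problems = []
    if settings.get("CURL.SSL.VALIDATE") != "1":
        problems.append("CURL.SSL.VALIDATE is not 1: the server certificate is not verified")
    for name in ("CURL.SSL.CERTIFICATE", "CURL.SSL.KEY"):  # both required; no defaulting assumed
        path = settings.get(name)
        if not path or not os.path.isfile(path):
            problems.append(f"{name} is unset or not a file: {path}")
    key = settings.get("CURL.SSL.KEY")
    if key and os.path.isfile(key):
        mode = os.stat(key).st_mode & 0o777
        if mode & 0o077:  # the MyProxy credential is short-lived, but it still stays user-only
            problems.append(f"private key {key} is group/other accessible (mode {mode:04o})")
    capath = settings.get("CURL.SSL.CAPATH")
    if not capath or not os.path.isdir(capath):
        problems.append("CURL.SSL.CAPATH is unset or not a directory")
    elif any(not CA_HASH_NAME.match(f) for f in os.listdir(capath)):
        problems.append("CURL.SSL.CAPATH has entries not named <hash>.<n>; run c_rehash on it")
    return problems

def demo():
    # Constructed layout: empty placeholder files stand in for the credential and CA certificate
    root = tempfile.mkdtemp()
    creds, capath = os.path.join(root, "creds.pem"), os.path.join(root, "ca-certificates")
    os.mkdir(capath)
    for path in (creds, os.path.join(capath, "3513523f.0")):
        open(path, "w").close()
    os.chmod(creds, 0o600)
    good = parse_dodsrc(f"CURL.VERBOSE=1\nCURL.SSL.VALIDATE=1\nCURL.SSL.CERTIFICATE={creds}\n"
                        f"CURL.SSL.KEY={creds}\nCURL.SSL.CAPATH={capath}\n")
    good_problems = check_dodsrc(good)
    os.chmod(creds, 0o644)  # now loosen the key and switch validation off
    return good_problems, check_dodsrc({**good, "CURL.SSL.VALIDATE": "0"})
```

Running it against a real ~/.dodsrc only needs parse_dodsrc(open(path).read()) followed by check_dodsrc.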

Testing

The netcdf-4.1.2-beta2 snapshot has been tested against CEDA's PyDAP service, http://ceda.ac.uk/dap/, configured with the NDG Security Python WSGI filters, and against an ESG Data Node configured with TDS and the ESG Security Java servlet filters. See here for an example C client.

It has also been tested with python-netcdf4 and Ferret.