Hi Petar,

The Globus Online team released Globus Connect Multi-User v0.2. GCMU is an easy-to-install software package providing GridFTP and MyProxy servers with a MyProxy CA. The GridFTP and MyProxy servers use a certificate issued by the GO CA, but it can be any certificate issued by a CA trusted by GO, in your case by an IGTF accredited CA. The MyProxy CA uses a self-signed certificate that is not trusted by GO, and this causes a problem with second-party transfers on the GO side. To authenticate data channels, GO verifies a user certificate issued by the MyProxy CA. Because the MyProxy CA is not trusted by GO, the MyProxy server must provide the whole certificate chain when it issues a user certificate. The option 'certificate_issuer_subca_certfile' allows you to configure the MyProxy server to add the self-signed certificate of the MyProxy CA to every issued user certificate.

GridFTP servers do not have to trust this MyProxy CA unless an admin of the GridFTP servers wants to use user certificates issued by the MyProxy CA to authenticate users and give them access to the filesystem. In a third-party transfer, GO can use a different user certificate for control channel authentication with every GridFTP server. A GridFTP server does not have to trust a user certificate used with another GridFTP server. GO then leverages DCSC to successfully perform data channel authentication: http://www.globus.org/toolkit/docs/5.0/5.0.3/data/gridftp/developer/#gridftp-developer-dcsc-spec

Please, look also below at inline comments.

On 8/29/11 6:19 AM, Forai, Petar wrote:
> Dear List!
>
> We're trying to set up a GridFTP + MyProxy infrastructure to enable GlobusOnline
> services for our users. We've set up a basic service that consists of a simple
> gridftp installation and myproxy server - both have host certificates signed by
> an IGTF accredited certificate authority and we've been able to do GFTP
> transfers between two hosts with user certificates signed by our NREN's
> personal CA.
>
> There are a few questions still left where it would be good to know how to
> proceed with this. Given that some of our collaboration partners don't have a
> clearly assigned grid to which they belong and/or could get the appropriate
> host and user certificates to be able to use our GFTP service, I'd like to know
> if this is the way to proceed:
>
> Set up MyProxy with its own (self-signed) CA and use myproxy over its PAM/LDAP
> interface to resolve users and then issue temporary certificates for these
> users and provide the GFTP server with this CA's root certificate and have that
> set to be a trusted CA? Is this a common approach? I've seen that there are
> basically only a few accredited short-lived CAs out there.

You need to add this CA's root certificate to the set of trusted CAs only if you want to authenticate users using certificates signed by this CA's root certificate. You have to add this CA's root certificate to the certificate chain issued by the MyProxy server to let GridFTP clients (GO) verify a user certificate in this chain. This is needed only for second-party transfers like directory listing.

> If the MyProxy CA does provide credentials to non-X509 certified users, how do I
> proceed with host certificates of them (assuming they only want GFTP for our
> GFTP to their user equipment transfers)? Is this only practically possible by
> using GO and accepting GO's Globus Connect root CA for hosts and users - do I
> still need the MyProxy self-signed CA in this case?

Host certificates are verified by GridFTP clients only. It means that only GO must trust the CAs that issued host certificates. Data channel authentication is based on user certificates, not host certificates. So GridFTP servers should trust the CAs that issued the user certificates used in control channel authentication. It sometimes happens that an institution does not want to trust a CA certificate used by another GridFTP server. DCSC allows you to avoid this problem and specify a different certificate for data channel authentication than the certificate used in control channel authentication.

Regards,
Lukasz
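
The setup discussed above (a MyProxy server running its own CA for PAM-authenticated users, with 'certificate_issuer_subca_certfile' appending the CA's self-signed certificate to each issued credential) as a myproxy-server.config fragment. This is an added example and is not configuration from the thread or from the GCMU package; all file paths and the passphrase are assumptions, and the option names are the standard myproxy-server.config keys.

```conf
# Added example (not from the thread): myproxy-server.config fragment for a
# MyProxy server that runs its own self-signed CA and issues short-lived
# certificates to users authenticated through PAM (e.g. an LDAP PAM stack).
# All paths below are assumed; adjust them to the local installation.

# Authenticate retrievers via PAM and allow any PAM-authenticated user to
# obtain a credential from the MyProxy CA.
pam                   "required"
pam_id                "myproxy"
accepted_credentials  "*"
authorized_retrievers "*"
default_retrievers    "*"

# Self-signed CA certificate and private key used to sign user certificates.
certificate_issuer_cert           "/etc/myproxy/ca/cacert.pem"
certificate_issuer_key            "/etc/myproxy/ca/cakey.pem"
# Placeholder: replace with the real key passphrase, or remove if the key is
# unencrypted.
certificate_issuer_key_passphrase "CHANGE_ME"
certificate_serialfile            "/etc/myproxy/ca/serial"
certificate_out_dir               "/var/lib/myproxy/issued"

# Map PAM usernames to certificate subject names.
certificate_mapfile               "/etc/myproxy/ca/grid-mapfile"

# Append the CA's own self-signed certificate to every issued credential, so a
# client such as Globus Online, which does not trust this CA, still receives
# the whole chain it needs to verify the user certificate for data channel
# authentication.
certificate_issuer_subca_certfile "/etc/myproxy/ca/cacert.pem"

# Keep on-the-fly certificates short-lived (value in hours).
max_cert_lifetime 12
```

With this in place, only the MyProxy server holds the CA key; the GridFTP servers need the CA certificate in their trusted-CA directory only if their administrators intend to map these MyProxy-issued user certificates to local accounts, as noted in the reply above.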
