Hello Lukasz!
On 29.08.2011, at 15:11, Lukasz Lacinski wrote:

> Hi Petar,
>
> Globus Online team released Globus Connect Multi-Users v0.2. GCMU is an
> easy-to-install software package providing GridFTP and MyProxy servers
> with MyProxy CA. The GridFTP and MyProxy servers use a certificate
> issued by GO CA, but it can be any certificate issued by a CA trusted
> by GO, in your case by an IGTF accredited CA. The MyProxy CA uses a
> self-signed certificate that is not trusted by GO and it causes a
> problem with second-party transfers on the GO side. To authenticate data
> channels GO verifies a user certificate issued by the MyProxy CA.
> Because the MyProxy CA is not trusted by GO, the MyProxy server must
> provide a whole certificate chain when it issues a user certificate.

Thanks for the explanation, I was actually planning to implement this on my own as described in my previous post. The GFTP and MyProxy would have host certificates by an IGTF accredited CA, but the MyProxy CA would be a SimpleCA that the GridFTP server(s) trust, and it would map these users to UNIX accounts. My assumption was that this would be transparent to GO, since I had assumed that GO wouldn't care about the short-lived certificate issued by the MyProxy CA.

> The option 'certificate_issuer_subca_certfile' allows configuring the
> MyProxy server to add a self-signed certificate of the MyProxy CA to
> every issued user certificate.
> GridFTP servers do not have to trust this MyProxy CA unless an admin of
> the GridFTP servers wants to use user certificates issued by the MyProxy
> CA to authenticate users and give them access to the filesystem. In a
> third-party transfer GO can use a different user certificate in control
> channel authentication for every GridFTP server. A GridFTP server does
> not have to trust a user certificate used with another GridFTP server.
> Then GO leverages DCSC to successfully perform data channel
> authentication:
> http://www.globus.org/toolkit/docs/5.0/5.0.3/data/gridftp/developer/#gridftp-developer-dcsc-spec
>
> Please, look also below at inline comments.
>
> On 8/29/11 6:19 AM, Forai, Petar wrote:
>> Dear List!
>>
>> We're trying to set up a GridFTP + MyProxy infrastructure to enable
>> GlobusOnline services for our users. We've set up a basic service that
>> consists of a simple gridftp installation and myproxy server - both have
>> host certificates signed by an IGTF accredited certificate authority and
>> we've been able to do GFTP transfers between two hosts with user
>> certificates signed by our NREN's personal CA.
>>
>> There are a few questions still left where it would be good to know how to
>> proceed with this. Given that some of our collaboration partners don't have
>> a clearly assigned grid where they belong to and/or could get the
>> appropriate host and user certificates to be able to use our GFTP service,
>> I'd like to know if this is the way to proceed:
>>
>> Set up MyProxy with its own (self-signed) CA and use myproxy over its
>> PAM/LDAP interface to resolve users, then issue temporary certificates
>> for these users and provide the GFTP server with this CA's root certificate
>> and have that set to be a trusted CA? Is this a common approach? I've seen
>> that there are basically only a few accredited short-lived CAs out there.
> You need to add this CA's root certificate to the set of trusted CAs only
> if you want to authenticate users using certificates signed by this CA's
> root certificate. You have to add this CA's root certificate to the
> certificate chain issued by the MyProxy server to let GridFTP clients (GO)
> verify a user certificate in this chain. This is needed only for
> second-party transfers like directory listing.

This seems to be exactly what I was asking for. Could you point me in the right direction of the MyProxy documentation on how to proceed with this?

>> If the MyProxy CA does provide credentials to non-X509-certified users, how
>> do I proceed with host certificates for them (assuming they only want GFTP
>> for our GFTP to their user equipment transfers)? Is this only practically
>> possible by using GO and accepting GO's Globus Connect root CA for hosts and
>> users - do I still need the MyProxy self-signed CA in this case?
> Host certificates are verified by GridFTP clients only. It means that
> only GO must trust CAs that issued host certificates. Data channel
> authentication is based on user certificates, not host certificates. So
> GridFTP servers should trust CAs that issued user certificates used in
> control channel authentication. It sometimes happens that an institution
> does not want to trust a CA certificate used by other GridFTP servers.
> DCSC allows avoiding this problem and specifying a different certificate
> for data channel authentication than the certificate used in control
> channel authentication.
>
> Regards,
> Lukasz

Petar Forai — GMI IT
mailto: [email protected]
GPG/PGP-Fingerprint: AB28 19EE CDF9 FDF0 BE75 B685 6092 5EF5 9F95 6183
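The point Lukasz makes above, that a user certificate from an untrusted MyProxy CA is only verifiable by GO if the issued credential carries the CA certificate as well, can be checked locally before wiring up GO. The script below is an added example, not code from this thread, from Globus or from MyProxy: it builds a throwaway self-signed CA standing in for the MyProxy CA, issues a short-lived user certificate to it, writes the credential once bare and once with the CA certificate appended (the effect the mail attributes to 'certificate_issuer_subca_certfile'), and then verifies each file using only what is bundled inside it. The config fragment it writes is an assumed layout of myproxy-server.config using the option names from the MyProxy manual; all subject names, paths and the 'alice' user are made up, and openssl is assumed to be in PATH.

```shell
#!/bin/sh
# Added example (not from the thread, Globus or MyProxy): emulate the
# credential a MyProxy CA hands out with and without
# certificate_issuer_subca_certfile, and check which one a client that
# does not already trust the MyProxy CA can verify on its own.
# Assumptions: openssl in PATH; subject names, paths and user are made up.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. Self-signed CA standing in for the MyProxy CA (SimpleCA-style).
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -subj "/O=Example Grid/CN=Example MyProxy CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1

# 2. The corresponding config fragment (assumed layout; option names as
#    documented for myproxy-server.config). Pointing the subca option at the
#    CA's own certificate is what appends it to every issued credential.
cat > "$WORK/myproxy-server.config" <<EOF
certificate_issuer_cert           "$WORK/ca.pem"
certificate_issuer_key            "$WORK/ca.key"
certificate_issuer_subca_certfile "$WORK/ca.pem"
max_cert_lifetime                 12
pam                               "required"
EOF

# 3. Short-lived end-entity certificate, as issued to a PAM/LDAP user.
openssl req -newkey rsa:2048 -nodes \
  -subj "/O=Example Grid/CN=alice" \
  -keyout "$WORK/user.key" -out "$WORK/user.csr" >/dev/null 2>&1
openssl x509 -req -days 1 -in "$WORK/user.csr" \
  -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
  -out "$WORK/user.pem" >/dev/null 2>&1

# 4. Without the option: the bare user cert. With it: user cert + CA cert.
cp "$WORK/user.pem" "$WORK/user-bare.pem"
cat "$WORK/user.pem" "$WORK/ca.pem" > "$WORK/user-chain.pem"

# Number of certificates in a PEM credential file.
cert_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Verify the first certificate in a credential file using only the
# certificates bundled after it, i.e. what a client that does not already
# trust the MyProxy CA can do. Returns 0 when the bundle is self-sufficient.
verify_bundled() {
  ee=$(mktemp); rest=$(mktemp)
  awk -v ee="$ee" -v rest="$rest" \
    '/-----BEGIN CERTIFICATE-----/ { n++ } n == 1 { print > ee } n > 1 { print > rest }' "$1"
  if [ ! -s "$rest" ]; then
    rm -f "$ee" "$rest"
    return 1
  fi
  openssl verify -CAfile "$rest" "$ee" >/dev/null 2>&1; rc=$?
  rm -f "$ee" "$rest"
  return "$rc"
}

for f in user-bare.pem user-chain.pem; do
  if verify_bundled "$WORK/$f"; then status=verifiable; else status=unverifiable; fi
  printf '%s: %s certificate(s), %s without a pre-trusted CA\n' \
    "$f" "$(cert_count "$WORK/$f")" "$status"
done
```

The bare credential is the case Petar first assumed would be transparent to GO: one certificate, no way for a relying party to build a chain. The bundled one is what the subca option produces, and it is enough for second-party operations such as directory listings. Note that appending the CA certificate only lets GO verify the chain; a GridFTP server that should map 'alice' to a UNIX account still has to trust the MyProxy CA explicitly, as Lukasz says.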
