Hi Petar,
On 8/29/11 8:54 AM, Forai, Petar wrote:
Hello Lukasz!
On 29.08.2011, at 15:11, Lukasz Lacinski wrote:
Hi Petar,
Globus Online team released Globus Connect Multi-Users v0.2. GCMU is an
easy-to-install software package providing GridFTP and MyProxy servers
with MyProxy CA. The GridFTP and MyProxy servers use a certificate
issued by GO CA, but it can be any certificate issued by a CA trusted
by GO, in your case by an IGTF accredited CA. The MyProxy CA uses a
self-signed certificate that is not trusted by GO and it causes a
problem with second-party transfers on the GO side. To authenticate data
channels GO verifies a user certificate issued by the MyProxy CA.
Because the MyProxy CA is not trusted by GO, the MyProxy server must
provide a whole certificate chain when it issues a user certificate.
Thanks for the explanation, I was actually planning to implement this on my own
as described in my previous post.
The GFTP and MyProxy would have host certificates by an IGTF accredited CA but
the MyProxy CA would be a SimpleCA that the GridFTP server(s) trust and it
would map these users to UNIX accounts. My assumption was that this would be
transparent to GO since I had assumed that GO wouldn't care about the short
lived certificate issued by the MyProxy CA.
Instead of using a gridmap file you can use the authz callout developed
by Mike Linke
http://www.mcs.anl.gov/~mlink/globus_gridmap_verify_myproxy_callout-0.1.tar.gz.
To use it
$ gpt-build globus_gridmap_verify_myproxy_callout-0.1.tar.gz <flavor>
set server envs:
GSI_AUTHZ_CONF=$GLOBUS_LOCATION/etc/gridmap_verify_myproxy_callout-gsi_authz.conf
GLOBUS_MYPROXY_CA_CERT=/path/to/ca/cert.0
Clients with a cert signed by that ca will use the userid from the DN
(last CN in the DN), otherwise a normal gridmap lookup will be performed.
The callout is used by GCMU. (Some info is below).
The option 'certificate_issuer_subca_certfile' allows configuring the
MyProxy server to add a self-signed certificate of the MyProxy CA to
every issued user certificate.
GridFTP servers do not have to trust this MyProxy CA unless an admin of
the GridFTP servers wants to use user certificates issued by the MyProxy
CA to authenticate users and give them access to the filesystem. In a
third-party transfer GO can use a different user certificate in control
channel authentication for every GridFTP server. A GridFTP server does
not have to trust a user certificate used with another GridFTP server.
Then GO leverages DCSC to successfully perform data channel
authentication
http://www.globus.org/toolkit/docs/5.0/5.0.3/data/gridftp/developer/#gridftp-developer-dcsc-spec.
Please also look below at the inline comments.
On 8/29/11 6:19 AM, Forai, Petar wrote:
Dear List!
We're trying to set up a GridFTP + MyProxy infrastructure to enable GlobusOnline
services for our users. We've set up a basic service that consists of a simple
gridftp installation and myproxy server - both have host certificates signed by
an IGTF accredited certificate authority and we've been able to do GFTP
transfers between two hosts with user certificates signed by our NREN's
personal CA.
There are a few questions still left where it would be good to know how to
proceed with this. Given that some of our collaboration partners don't have a
clearly assigned grid that they belong to and/or could get the appropriate
host and user certificates to be able to use our GFTP service I'd like to know
if this is the way to proceed:
Setup MyProxy with its own (self-signed) CA and use myproxy over its PAM/LDAP
interface to resolve users and then issue temporary certificates for these
users and provide the GFTP server with this CA's root certificate and have that
set to be a trusted CA? Is this a common approach? I've seen that there are
basically only a few accredited short lived CAs out there.
You need to add this CA's root certificate to the set of trusted CAs only
if you want to authenticate users using certificates signed by this CA's
root certificate. You have to add this CA's root certificate to a
certificate chain issued by MyProxy server to let GridFTP clients (GO)
verify a user certificate in this chain. This is needed only for
second-party transfers like directory listing.
This seems to be exactly what I was asking for. Could you point me in the
right direction in the MyProxy documentation on how to proceed with this?
http://grid.ncsa.illinois.edu/myproxy/man/myproxy-server.config.5.html
You can also install GCMU (https://www.globusonline.org/gcmu/) to look
at all GridFTP and MyProxy configuration files. You can look at how DNs of
issued certificates are generated (a CN is a local username) and how
the GridFTP authz callout is configured to use this CN to map to an
appropriate user account - a gridmap file is not needed to map
certificates issued by the MyProxy CA to local user accounts. The main
installation script can be executed by a non-root user. After that root
privileges are required only to copy xinetd configuration files and restart
the xinetd daemon (and change ownership of a "host" certificate).
Regards,
Lukasz
If the MyProxy CA does provide credentials to non-X509 certified users, how do I
proceed with host certificates for them (assuming they only want GFTP for our
GFTP to their user equipment transfers)? Is this only practically possible by
using GO and accepting GO's Globus Connect root CA for hosts and users - do I
still need the MyProxy self-signed CA in this case?
Host certificates are verified by GridFTP clients only. It means that
only GO must trust CAs that issued host certificates. Data channel
authentication is based on user certificates, not host certificates. So
GridFTP servers should trust CAs that issued user certificates used in
control channel authentication. It sometimes happens that an institution
does not want to trust a CA certificate used by other GridFTP servers.
DCSC allows you to avoid this problem and specify a different certificate
for data channel authentication than the certificate used in control
channel authentication.
Regards,
Lukasz
Petar Forai — GMI IT
mailto: [email protected]
GPG/PGP-Fingerprint: AB28 19EE CDF9 FDF0 BE75 B685 6092 5EF5 9F95 6183
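The mapping rule Lukasz describes for Mike Link's authz callout (certificates issued by the MyProxy CA map to the last CN of the DN, everything else goes through a normal gridmap lookup) is modelled below as an added, stand-alone example; it is not the callout's code, and the MyProxy CA DN, the gridmap contents and the account-name pattern are constructed assumptions.

```python
import re
import shlex
from typing import Dict, Optional

# Assumed DN of the MyProxy CA, i.e. the subject of the certificate the
# callout would read from GLOBUS_MYPROXY_CA_CERT (constructed value).
MYPROXY_CA_DN = "/O=Example Site/OU=GCMU/CN=MyProxy CA"

# Constructed gridmap file: "<quoted DN>" <local account>
GRIDMAP = '''
# DN                                         local user
"/C=AT/O=Example NREN/CN=Petar Forai"        pforai
"/C=DE/O=Grid/CN=Jane Doe"                   jdoe
'''

# Only accept CN values that look like a plain local account name
# (assumed policy); anything else is refused rather than mapped.
_SAFE_USER = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def parse_gridmap(text: str) -> Dict[str, str]:
    """Parse gridmap lines of the form "<DN>" <username>, skipping comments."""
    mapping: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)      # honours the quotes around the DN
        if len(parts) != 2:
            continue                   # malformed entry: ignore, never guess
        mapping[parts[0]] = parts[1]
    return mapping


def last_cn(dn: str) -> Optional[str]:
    """Return the value of the last CN RDN of an OpenSSL-style /-separated DN."""
    cns = [rdn[3:] for rdn in dn.split("/") if rdn.startswith("CN=")]
    return cns[-1] if cns else None


def map_user(subject_dn: str, issuer_dn: str, gridmap: Dict[str, str]) -> Optional[str]:
    """Decide the local account for a client certificate.

    Only certificates whose issuer is the MyProxy CA are mapped by CN; a
    certificate from any other trusted CA with CN=root must still pass the
    gridmap, which is what keeps the CN rule from becoming a privilege path.
    Returns None when no mapping exists."""
    if issuer_dn == MYPROXY_CA_DN:
        user = last_cn(subject_dn)
        return user if user and _SAFE_USER.match(user) else None
    return gridmap.get(subject_dn)
```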