This page has directions for configuring the GridShib-CA to use a
MyProxy-based CA.
The MyProxy server can be running either on the same host as the
GridShib-CA or a remote host.
If you elect to use a MyProxy CA instead of the default OpenSSL CA, it
is assumed you have some experience with Grid certificate
management and have access to a PKI infrastructure and know how to get
certificates. So these directions, out of necessity, skip over these
details which are specific to your local environment.
Note that you probably don't want to use the same MyProxy server for
GridShib-CA and anything else. These directions assume a MyProxy
server dedicated to a GridShib-CA. It's possible in theory to use it
for other things, but you'll need to figure out how to tweak the
configuration yourself.
Note
You should use MyProxy version 4.4 or later, as earlier versions
have problems handling certain Shibboleth identities (see Bug
6560).
2. Configuring the GridShib CA to use MyProxy
You need to create a set of credentials for the GridShib CA to
use when contacting the MyProxy server. The DN of these credentials
can be whatever you want, just remember it for subsequent steps where
it will be referred to as the GridShib-CA DN. For
the purposes of these installation instructions, we will assume a DN
of "/C=US/O=NCSA-TEST/OU=User/CN=SP-Service", adjust them to match
your chosen DN.
Install the created credentials (certificate and key
respectively) in the following locations. (You can install them in an
alternate location, in which case you will need to adjust the
MyProxyClientCert and MyProxyClientKey parameters in gridshib-ca.conf
as described subsequently.)
You need to make sure they are owned by the user under which the
Apache httpd runs. Permissions should be as shown here:
-rw------- 1 apache root 1387 Jun 2 16:24 myproxy-client-cert.pem
-rw------- 1 apache root 1679 Jun 2 16:24 myproxy-client-key.pem
Next you need to edit the file gridshib-ca.conf file and modify the
following parameters:
caModule: Change this setting to GridShibCA::MyProxyCA
MyProxyHostname: Set this value to the hostname where the MyProxy server is running
MyProxyPort: Set this value to the port number of the MyProxy server (7512 is the default)
MyProxyClientCert: Set this value to the path of the certificate to use to authenticate to the MyProxy server
MyProxyClientKey: Set this value to the path of the key to use to authenticate to the MyProxy server
3. Configuring the MyProxy Server
On the MyProxy server system, do the following. These steps allow
the GridShib-CA to request and receive any certificate from the
MyProxy CA, with the mapapp program deciding which certificates are
generated.
The MyProxy server must be configured to act as a CA. Note that you do not need to configure support for SASL or PAM, as you will be configuring authorized_retrievers in the following steps.
In /etc/myproxy-server.config set
authorized_retrievers, trusted_retrievers and default_trusted_retrievers to the GridShib-CA DN. If you created a SimpleCA when deploying MyProxy, it will be the DN of that CA. For example:
authorized_retrievers "/C=US/O=NCSA-TEST/OU=User/CN=SP-Service"
trusted_retrievers "/C=US/O=NCSA-TEST/OU=User/CN=SP-Service"
default_trusted_retrievers "/C=US/O=NCSA-TEST/OU=User/CN=SP-Service"
From the GridShib-CA system, copy the file {gridshib-ca configuration path}/myproxy-mapapp.pl to somewhere on the MyProxy
server. It should be installed owned by root and with permissions
0700. For these directions we assume you installed it as /usr/local/bin/myproxy-mapapp.pl. If you are running the myproxy
server on the same system as the GridShib-CA you can just leave this
file where it is and specify its path in the next step.
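Since the mapapp program is what decides which certificates the MyProxy CA will issue on the GridShib-CA's behalf, its only real job is an allow-list check on the requested DN. The following is an added example of such a program, not the GridShib-CA's own myproxy-mapapp.pl. It assumes the MyProxy certificate_mapapp contract (the program is invoked with the requested username as its single argument, prints the DN to issue on stdout and exits 0, or exits non-zero to deny), and it assumes the issuing namespace is the /C=US/O=NCSA-TEST/OU=User base taken from the example DN used in these directions.

```python
#!/usr/bin/env python3
"""Hypothetical MyProxy certificate_mapapp that allow-lists the DNs the
GridShib-CA may request.

Added example; not the GridShib-CA project's myproxy-mapapp.pl.
Assumed mapapp contract: MyProxy runs this program with the requested
username as argv[1]; it prints the DN to issue on stdout and exits 0,
or exits non-zero to deny the request.
"""
import re
import sys

# Namespace the MyProxy CA may issue under. Assumption: taken from the
# example DN used in these directions; adjust to your own namespace.
ALLOWED_BASE_DN = "/C=US/O=NCSA-TEST/OU=User"

# Conservative character set for the CN value. '/' and '=' are excluded so
# a requester cannot append extra RDNs (e.g. a second CN) inside the CN.
_CN_RE = re.compile(r"^[A-Za-z0-9 ._@-]{1,64}$")


def map_username(requested):
    """Return the DN to issue for `requested`, or None to deny it.

    Only DNs of the exact form ALLOWED_BASE_DN + "/CN=<safe value>" are
    accepted; anything outside that namespace, or with additional RDNs,
    is refused.
    """
    # Trailing "/" keeps "OU=Users" from matching "OU=User".
    if not requested.startswith(ALLOWED_BASE_DN + "/"):
        return None
    cn_part = requested[len(ALLOWED_BASE_DN) + 1:]
    if not cn_part.startswith("CN="):
        return None
    cn = cn_part[len("CN="):]
    if not _CN_RE.match(cn):
        return None
    return "%s/CN=%s" % (ALLOWED_BASE_DN, cn)


def main(argv):
    if len(argv) != 2:
        print("usage: myproxy-mapapp <username>", file=sys.stderr)
        return 2
    dn = map_username(argv[1])
    if dn is None:
        # Denied requests go to stderr so they show up in the MyProxy log
        # rather than being mistaken for an issued DN on stdout.
        print("denied: %r is outside %s" % (argv[1], ALLOWED_BASE_DN),
              file=sys.stderr)
        return 1
    print(dn)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Install it owned by root with mode 0700, as the directions say, and point certificate_mapapp at it; a request for "/C=US/O=NCSA-TEST/OU=User/CN=User" is echoed back and issued, while a request for a DN outside the base, or with an extra RDN smuggled into the CN, exits non-zero and is refused.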
In /etc/myproxy-server.config set certificate_mapapp
to the path of mapapp.pl. For example:
certificate_mapapp "/usr/local/bin/myproxy-mapapp.pl"
If the MyProxy server is already running, restart the
myproxy server by killing it and restarting it in order to reload the
configuration. (Running "/etc/init.d/myproxy restart" should do it.)
- If the server fails to start, check your system logs for the reason.
- To test the server, run a command such as the following, which assumes the server is running on the localhost and
/C=US/O=NCSA-TEST/OU=User/CN=User is a valid DN permitted by your myproxy-mapapp.pl script.
% setenv X509_USER_CERT {gridshib-ca configuration path}/myproxy-client-cert.pem
% setenv X509_USER_KEY {gridshib-ca configuration path}/myproxy-client-key.pem
% myproxy-logon -s localhost -n -l "/C=US/O=NCSA-TEST/OU=User/CN=User"
A credential has been received for user /C=US/O=NCSA-TEST/OU=User/CN=User in /tmp/x509up_u33339.