CLIPC server connection between MARIS <--> KNMI using PKI x509 client authentication

The CLIPC portal needs to access climate4impact's webservices in a secure way. This is arranged via Public Key Infrastructure (PKI). The workflow described here explains how MARIS can access webservices at KNMI/CLIPC using PKI x509 client authentication. A certificate authority is created at KNMI/C4I and is registered in an Apache HTTP server at climate4impact (C4I). Finally MARIS can register users at C4I and is able to access C4I webservices with a private key and a certificate in a secure way. Examples with wget are given.

The access token API at C4I
The webservice that will be accessed over PKI is the accesstoken API. The accesstoken API can register new users and generates tokens (uuid v4) for designated users. These tokens can be used temporarily in URLs to gain access to most webservices at C4I, like WMS, WCS, WPS and the user basket with its per-user secured Opendap server. An important aspect here is that this is done over HTTPS, as the accesstoken is part of the URL. The access token API and its webservices are described in the API document.

Access to ESGF resources
The problem that is being solved is that C4I webservices can be accessed directly by the CLIPC backend and CLIPC frontend (openlayers3) using accesstokens. When users are registered both at ESGF and C4I, C4I webservices can be used with ESGF; that means it is possible to use visualisation and processing webservices with restricted ESGF resources. The problem that is not being solved is that portals can access restricted ESGF resources directly by themselves. Within CLIPC, Google OAuth2 is used to obtain user IDs. As Google IDs have no meaning for ESGF, it is currently not possible to access restricted ESGF resources in the CLIPC portal. When CEDA OAuth2 is used, and the user is registered at ESGF for the specific role, it will be possible to access ESGF resources with webservices at C4I. Keep in mind that it is always possible to access unrestricted ESGF resources, like data from the CLIPC project stored at ESGF.

These actors come into action:
  • C4I: Climate4impact portal running at KNMI, exposes webservices for other portals. Currently only the accesstoken webservice can be used over PKI, see API.
  • CA: KNMI-CLIPC Certificate Authority installed at C4I for the CLIPC project
  • MARIS: The CLIPC portal running at MARIS, wants to access webservices at climate4impact using PKI
The commands describe how to:
  1. Set up a CA for CLIPC at C4I
  2. Register MARIS so that it is trusted by that CA
  3. Access the accesstoken webservice at C4I from MARIS using PKI
The following files play key roles in PKI:
  • .key = keep always private
  • .crt = certificate
  • .csr = certificate signing request
  • .pem = CA certificate in pem format

1) Setup a CA for CLIPC, done by KNMI

CA creates a private key and a certificate authority file

  • The private key needs to be kept secure; it is used by the CA to create the CA certificate and to sign certificate requests (step 2). The file is knmi_clipc_rootca.key
    openssl genrsa -out knmi_clipc_rootca.key 2048   # keep this one private
  • The CA certificate is created for a specific context, in this case the CLIPC project: knmi_clipc_ca.pem
    openssl req -x509 -days 3650 -new -nodes -key knmi_clipc_rootca.key -sha256 -out knmi_clipc_ca.pem -subj '/O=KNMICLIPCCA/OU=RDWDT/CN=knmi_clipc_ca_tokenapi'

KNMI puts the CLIPC certificate authority file in the truststore of the Apache HTTP server

c_rehash creates the hash-named symlinks for the certificate that the Apache HTTP server needs to find it in the directory.

cp knmi_clipc_ca.pem /home/visadm/.globus/certificates/
c_rehash /home/visadm/.globus/certificates/   # or run "c_rehash ." inside that directory

In case of a Tomcat server the CA certificate needs to be added to its truststore (the same certificates as used for the Apache HTTP server):

keytool -import -v -trustcacerts -alias knmi_clipc_ca.pem -file knmi_clipc_ca.pem -keystore esg-truststore.ts -storepass changeit -noprompt

Incoming client authentication requests are validated on two points:
  • whether the presented certificate is trusted by (i.e. signed by) this CLIPC CA
  • whether the request was really made by MARIS (the client proves possession of the private key belonging to the certificate).
  • After this validation we know for sure that the content of the certificate is valid and that the request was made by MARIS.

2) Register a new portal: CLIPC/MARIS will be trusted by our CA.

MARIS generates a certificate signing request, which will be signed by the CLIPC CA. The CLIPC CA will return a certificate (maris.crt) for MARIS.

MARIS creates a private key and keeps it secure

# note: genrsa takes no -subj option, the subject is given on the CSR below.
# The original used a 1024-bit key; 2048 bits (as for the CA key) is the current minimum.
openssl genrsa -des3 -out maris.key 2048
# strip the passphrase so wget/Apache can use the key unattended; keep this file private too
openssl rsa -in maris.key -out marisnopass.key

MARIS creates a certificate signing request (CSR) and sends maris.csr to CLIPC CA

openssl req -new -key marisnopass.key -out maris.csr -subj '/O=MARIS/OU=MARIS/CN=clipctokenapiformaris_20160303'
# Fetch the server certificate of C4I so wget can verify the server side of the TLS connection
# (the wget examples below refer to this file as devclimate4impact.pem). Fill in the C4I host:
echo | openssl s_client -connect <C4I_HOST>:443 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > climate4impact.pem
# MARIS gives maris.csr to CA

The string CN=clipctokenapiformaris_20160303 is important: the same value is configured and validated in the webservice at C4I, so a certificate with another CN is rejected even if it was signed by the CLIPC CA. See for details.

KNMI CLIPC CA now signs the CSR and sends maris.crt file to MARIS

openssl x509 -req -in maris.csr -CA knmi_clipc_ca.pem -CAkey knmi_clipc_rootca.key -CAcreateserial -out maris.crt -days 3600
# CA gives maris.crt to MARIS

  • PKI has now been setup and can be used in operation.
  • MARIS is trusted by C4I in CLIPC context
  • MARIS can now access C4I webservices with the private key and certificate (marisnopass.key and maris.crt).
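The two checks described above (the certificate chains to the CLIPC CA, and its CN is the one agreed with C4I) can be reproduced offline. This is an added example, not code from the page or from C4I/MARIS: it builds a throwaway CA and portal certificate exactly as steps 1 and 2 do, with constructed names (demo_clipc_ca, demo_tokenapi_portal), and assumes only the openssl command line tool.

```shell
#!/bin/sh
# Added example: throwaway CA + client cert, then the server-side checks.
set -eu
WORK=$(mktemp -d)   # scratch directory for the constructed key material

# verify_client_cert CA.pem CLIENT.crt EXPECTED_CN
# returns 0 only if the cert is issued by CA.pem AND its subject CN matches.
verify_client_cert() {
    ca_pem=$1; client_crt=$2; expected_cn=$3
    # check 1: trusted by this CA (openssl prints "<file>: OK" on success)
    openssl verify -CAfile "$ca_pem" "$client_crt" 2>/dev/null | grep -q ': OK$' || return 1
    # check 2: the CN must be the value configured in the webservice
    cn=$(openssl x509 -in "$client_crt" -noout -subject -nameopt RFC2253 \
         | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$expected_cn" ]
}

# Build the demo PKI: CA (step 1), portal key/CSR signed by the CA (step 2),
# plus a self-signed "rogue" cert that carries the right CN but not the CA's signature.
make_demo_pki() {
    openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -key "$WORK/ca.key" -sha256 -days 1 \
        -out "$WORK/ca.pem" -subj '/O=DEMOCA/CN=demo_clipc_ca' 2>/dev/null
    openssl genrsa -out "$WORK/portal.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/portal.key" -out "$WORK/portal.csr" \
        -subj '/O=DEMOPORTAL/CN=demo_tokenapi_portal' 2>/dev/null
    openssl x509 -req -in "$WORK/portal.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -out "$WORK/portal.crt" -days 1 2>/dev/null
    openssl req -x509 -new -nodes -key "$WORK/portal.key" -days 1 \
        -out "$WORK/rogue.crt" -subj '/O=ROGUE/CN=demo_tokenapi_portal' 2>/dev/null
}

demo() {
    make_demo_pki
    verify_client_cert "$WORK/ca.pem" "$WORK/portal.crt" demo_tokenapi_portal \
        && echo "portal.crt: accepted (signed by CA, CN matches)"
    verify_client_cert "$WORK/ca.pem" "$WORK/rogue.crt" demo_tokenapi_portal \
        || echo "rogue.crt: rejected (right CN, but not issued by the CA)"
    verify_client_cert "$WORK/ca.pem" "$WORK/portal.crt" other_portal \
        || echo "portal.crt with another expected CN: rejected"
}

demo
```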

The next steps explain how MARIS can access webservices at climate4impact.

MARIS can now create access tokens for CLIPC

Example on how to obtain a token for a specific user

wget --ca-certificate devclimate4impact.pem --private-key marisnopass.key --certificate maris.crt "<ACCESSTOKEN_API_URL>" -O /tmp/test.txt && cat /tmp/test.txt

If a user/client_id is not known by C4I, a new user will be automatically made. A JSON document containing the accesstoken is returned, as described in API.

The certificate can also be used in a browser; a p12 (PKCS#12) file containing both the certificate and the private key is required for this.

openssl pkcs12 -export -clcerts -in maris.crt -inkey marisnopass.key -out maris.p12

Climate4impact <--> UC Downscaling portal

The same mechanism can be used by the UC downscaling portal.

Example on how to assign a token for a specific user

wget --ca-certificate devclimate4impact.pem --private-key ucdownscaingportalnopass.key --certificate ucdownscaingportal.crt "<ACCESSTOKEN_API_URL>" -O /tmp/test.txt && cat /tmp/test.txt