MyProxyServer

Renew CA

The host certificate of the MyProxy server (signed by the SimpleCA) has a validity period of one year and needs to be renewed yearly.

For climate4impact the host certificate is valid until 2017-04-14.

The certificate can be renewed in the following way:

### RENEW CA ###

#Request new certificate

#Create a certificate signing request
openssl req -new -out /usr/local/globus-5.2.0/etc/hostcert_request.pem -key /etc/grid-security/hostkey.pem -config /etc/grid-security/globus-host-ssl.conf
#Use name: bvlpenes.knmi.nl

#You can verify by the following command
openssl req -verify -text -noout -in /usr/local/globus-5.2.0/etc/hostcert_request.pem

#Re-sign the certificate signing request / renew certificate, this results in the new certificate
openssl ca -out /usr/local/globus-5.2.0/etc/hostsigned.pem -notext -config /usr/local/globus-5.2.0/var/lib/globus/simple_ca/grid-ca-ssl.conf -infiles /usr/local/globus-5.2.0/etc/hostcert_request.pem

#When you get the following error (this is a bug):
# failed to update database
# TXT_DB error number 2
#edit the CA database: vi /usr/local/globus-5.2.0/var/lib/globus/simple_ca/index.txt
#and remove the corresponding line (there might be better options). (Update 2016-04-14: all lines can be removed.)

#Copy the certificate to its final destination:
cp -p /usr/local/globus-5.2.0/etc/hostsigned.pem /etc/grid-security/hostcert.pem
chown root: /etc/grid-security/hostcert.pem
chmod 644 /etc/grid-security/hostcert.pem

#Complete.

Ready, the MyProxy certificate is now renewed.
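The renewal above reuses the existing hostkey.pem and copies hostsigned.pem over hostcert.pem without checking it. As an added example (not part of the original page), the following POSIX shell script checks whether the installed host certificate is close to expiry and, before the copy step, verifies that the freshly signed certificate belongs to the host key and validates against the SimpleCA certificate. The paths default to the ones used on this page; the function and script names are chosen here.

```sh
#!/bin/sh
# Added example, not part of the original page: pre-renewal checks for the
# MyProxy host certificate. Paths default to the ones used on this page;
# override them through the environment if your layout differs.
HOSTCERT=${HOSTCERT:-/etc/grid-security/hostcert.pem}
HOSTKEY=${HOSTKEY:-/etc/grid-security/hostkey.pem}
NEWCERT=${NEWCERT:-/usr/local/globus-5.2.0/etc/hostsigned.pem}
CACERT=${CACERT:-/usr/local/globus-5.2.0/var/lib/globus/simple_ca/cacert.pem}

# cert_expires_within <cert.pem> <days>
# Exit 0 when the certificate expires within <days> (or is already expired or
# unreadable, so that a broken file also triggers a renewal), exit 1 otherwise.
cert_expires_within() {
    seconds=$(( $2 * 86400 ))
    if openssl x509 -in "$1" -noout -checkend "$seconds" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# cert_matches_key <cert.pem> <key.pem>
# Exit 0 when the certificate carries the public half of <key.pem>. The renewal
# on this page reuses hostkey.pem, so the new hostsigned.pem must pass this.
cert_matches_key() {
    certpub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    keypub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$certpub" ] && [ "$certpub" = "$keypub" ]
}

# cert_chains_to_ca <cert.pem> <cacert.pem>
# Exit 0 when <cert.pem> validates against the SimpleCA certificate.
cert_chains_to_ca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Usage: ./hostcert-check.sh status  -> warn when the installed cert expires within 30 days
#        ./hostcert-check.sh verify  -> check hostsigned.pem before copying it to /etc/grid-security
case "${1:-}" in
    status)
        if cert_expires_within "$HOSTCERT" 30; then
            echo "RENEW: $HOSTCERT expires within 30 days"
        else
            echo "OK: $HOSTCERT is valid for more than 30 days"
        fi
        ;;
    verify)
        if ! cert_matches_key "$NEWCERT" "$HOSTKEY"; then
            echo "FAIL: $NEWCERT does not match $HOSTKEY" >&2; exit 1
        fi
        if ! cert_chains_to_ca "$NEWCERT" "$CACERT"; then
            echo "FAIL: $NEWCERT is not signed by $CACERT" >&2; exit 1
        fi
        if cert_expires_within "$NEWCERT" 300; then
            echo "FAIL: $NEWCERT expires within 300 days, is this the new certificate?" >&2; exit 1
        fi
        echo "OK: $NEWCERT can be installed as $HOSTCERT"
        ;;
esac
```

Running the status check from cron a few weeks before the date noted above turns the yearly renewal into a reminder rather than an outage; the verify step catches the two usual mistakes, signing a request made with a different key and copying a stale hostsigned.pem.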


Inspect an X.509 certificate with OpenSSL

openssl x509 -in certs/creds.pem -noout -text

Download a file from ESGF using wget

wget --no-check-certificate --private-key /tmp/x509up_u1202 --certificate /tmp/x509up_u1202 "http://cmip-dn1.badc.rl.ac.uk/thredds/fileServer/esg_dataroot/cmip5/output1/MOHC/HadCM3/decadal1960/day/atmos/day/r10i3p1/v20110825/pr/pr_day_HadCM3_decadal1960_r10i3p1_19601101-19901130.nc" -O pr_day_HadCM3_decadal1960_r10i3p1_19601101-19901130.nc

Download a file from ESGF using CURL

curl -v --location -k --cert /tmp/x509up_u1202 --key /tmp/x509up_u1202 --cookie-jar cookies.dat  "http://cmip-dn1.badc.rl.ac.uk/thredds/fileServer/esg_dataroot/cmip5/output1/MOHC/HadCM3/decadal1960/day/atmos/day/r10i3p1/v20110825/pr/pr_day_HadCM3_decadal1960_r10i3p1_19601101-19901130.nc" --output pr_day_HadCM3_decadal1960_r10i3p1_19601101-19901130.nc

Add certificates to custom truststore

keytool -genkey -alias dummy -keyalg RSA -keystore /test/truststore.jks

#!/bin/bash
TRUSTSTORE=/test/truststore.jks
STOREPASS=changeit
HOSTS="pcmdi3.llnl.gov pcmdi9.llnl.gov ipcc-ar5.dkrz.de esgf-data.dkrz.de esg.pik-potsdam.de"

#Fetch the certificate each server presents and save it as PEM in a file named after the host
for host in $HOSTS; do
  echo | openssl s_client -connect "$host:443" 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > "$host"
done

#Remove a previous entry for the host (if any), then import the new certificate under the same alias
for host in $HOSTS; do
  echo "$host"
  keytool -delete -alias "$host" -keystore "$TRUSTSTORE" -storepass "$STOREPASS"
  keytool -import -v -trustcacerts -alias "$host" -file "$host" -keystore "$TRUSTSTORE" -storepass "$STOREPASS" -noprompt
done

VM Arguments:
-Djavax.net.ssl.trustStore="/test/truststore.jks" -Djavax.net.ssl.trustStorePassword="changeit"
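The truststore script imports whatever certificate the server presents at the moment it runs, so a change of certificate on the remote side (legitimate or not) is accepted silently. As an added example, not the page's own script, the following POSIX shell version only imports a certificate whose SHA-256 fingerprint matches a value obtained out of band from the site operator. It reuses the page's s_client/sed extraction and keytool options; the function names, the -servername flag and the fingerprint handling are additions made here, and the fingerprint in the usage line is a placeholder.

```sh
#!/bin/sh
# Added example, not the page's own script: import a server certificate into
# the truststore only when its SHA-256 fingerprint matches a value obtained
# out of band. The function names are chosen here.

# cert_sha256_fingerprint <cert.pem>: print the SHA-256 fingerprint as 64 lowercase hex chars
cert_sha256_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null \
        | sed -e 's/^.*=//' -e 's/://g' | tr 'A-F' 'a-f'
}

# fingerprint_matches <cert.pem> <expected>: exit 0 when the fingerprints agree.
# <expected> may be given with or without colons, in upper or lower case.
fingerprint_matches() {
    actual=$(cert_sha256_fingerprint "$1")
    wanted=$(printf '%s' "$2" | tr -d ':' | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$wanted" ]
}

# fetch_server_cert <host> <outfile>: save the leaf certificate host:443 presents
# (same s_client/sed extraction as on the page; nothing is verified at this point)
fetch_server_cert() {
    echo | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null \
        | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > "$2"
    [ -s "$2" ]
}

# import_pinned_cert <host> <expected-sha256> <truststore.jks> <storepass>
import_pinned_cert() {
    tmp=$(mktemp) || return 1
    if ! fetch_server_cert "$1" "$tmp"; then
        echo "$1: could not fetch certificate" >&2; rm -f "$tmp"; return 1
    fi
    if ! fingerprint_matches "$tmp" "$2"; then
        echo "$1: fingerprint $(cert_sha256_fingerprint "$tmp") does not match expected $2, not imported" >&2
        rm -f "$tmp"; return 1
    fi
    # replace any previous entry for this alias, as the page's script does
    keytool -delete -alias "$1" -keystore "$3" -storepass "$4" >/dev/null 2>&1
    keytool -import -noprompt -trustcacerts -alias "$1" -file "$tmp" -keystore "$3" -storepass "$4"
    rc=$?; rm -f "$tmp"; return $rc
}

# Usage (the fingerprint is a placeholder; take the real one from the site operator):
# import_pinned_cert pcmdi3.llnl.gov REPLACE_WITH_EXPECTED_SHA256 /test/truststore.jks changeit
```

When a fingerprint stops matching, the script leaves the old entry in place and prints the new value, so an expected certificate rotation becomes a one-line update of the pinned value rather than an unnoticed change of trust anchor.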

MyProxyServer Installation and Configuration

Note: this is not the MyProxyServer used by Climate4Impact; it is a test instance. The installation instructions are similar.

################################################################################################
# Manual to install and configure MyProxyServer on a Scientific Linux or RedHat 6 machine.
#
# MyProxyServer will be configured with a Pluggable Authentication Module (PAM) to create credentials
# with a predefined password for any username.
# This is achieved with the PAM extension pam_credential_translation written by P. Kershaw
#
# (Author: Maarten Plieger, KNMI)
################################################################################################

#Installation instructions for Scientific Linux 6.1 (or RH 6).

####################### As user root ####################### 
  yum update
  yum install gcc
  yum install openssl-devel
  yum install libtool
  yum groupinstall 'Development Tools'
  yum install libtool-ltdl-devel
  yum install pam-devel

  #install perl modules:
  cpan -i Archive::Tar
  cpan -i IO::Zlib
  cpan -i Package::Constants

  #Add user globus
  groupadd globus
  adduser -g globus globus
  passwd globus
  #enter the password for user globus (here: globus)

  #Create directories
  mkdir /usr/local/globus-5.2.0
  chown globus:globus /usr/local/globus-5.2.0

  mkdir /etc/grid-security
  mkdir /etc/grid-security/certificates

  #Set hostname bvmlab-218-21.knmi.nl in
  vi /etc/sysconfig/network
  vi /etc/hosts #145.23.218.21 bvmlab-218-21.knmi.nl
  hostname  bvmlab-218-21.knmi.nl
  /etc/init.d/network restart

  ### INSTALL PAM MODULE ###
  svn checkout http://proj.badc.rl.ac.uk/svn/ndg-security/trunk/MashMyData/pam_credential_translation
  cd pam_credential_translation

  #Adjust pam_credential_translation.c with 
  PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv){
    return PAM_SUCCESS ;
  }
  make
  #Copy the pam_credential_translation.so file to /lib64/security/ (root privileges required)

  ### Set Firewall as root, open port 7512 in the firewall: ###
  vi /etc/sysconfig/iptables
  #ADD: -A INPUT -m state --state NEW -m tcp -p tcp --dport 7512 -j ACCEPT

  /etc/init.d/iptables restart  

####################### As user globus ####################### 
#INSTALL Globus toolkit and MyProxyServer
  #Get gt5.2.0-all-source-installer.tar.gz 
  export GLOBUS_LOCATION=/usr/local/globus-5.2.0/
  tar -xzvf gt5.2.0-all-source-installer.tar.gz
  cd gt5.2.0-all-source-installer
  ./configure
  make
  make install
  make gsi-myproxy
  make install

  export GLOBUS_LOCATION=/usr/local/globus-5.2.0/
  . $GLOBUS_LOCATION/etc/globus-user-env.sh 

  ### Install SimpleCA ###
  export GLOBUS_LOCATION=/usr/local/globus-5.2.0/
  . $GLOBUS_LOCATION/etc/globus-user-env.sh 

  #Create local grid security directories
  mkdir ${sysconfdir}/grid-security/
  mkdir ${sysconfdir}/grid-security/certificates

  #myproxy-server-setup looks for globus-script-initializer in the wrong location (a bug); work around it by:
  mkdir  /usr/local/globus-5.2.0//libexec/
  cp  /usr/local/globus-5.2.0/share/globus/globus-script-initializer /usr/local/globus-5.2.0//libexec/

  grid-ca-create -subject "cn=Globus Simple CA, ou=simpleCA-bvmlab-218-21.knmi.nl, ou=GlobusTest, o=Grid" -email "plieger@knmi.nl" -days 1825 -pass globus_install -force

### AS ROOT: request grid certificate ###
  mkdir /etc/grid-security
  mkdir /etc/grid-security/certificates

  #Copy certificates to root grid security directory
  cp /usr/local/globus-5.2.0/etc/grid-security/certificates/globus-user-ssl.conf.* /etc/grid-security/globus-user-ssl.conf
  cp /usr/local/globus-5.2.0/etc/grid-security/certificates/globus-host-ssl.conf.* /etc/grid-security/globus-host-ssl.conf
  cp /usr/local/globus-5.2.0/etc/grid-security/certificates/grid-security.conf.* /etc/grid-security/grid-security.conf
  cp /usr/local/globus-5.2.0/etc/grid-security/certificates/* /etc/grid-security/certificates

  #Request host certificate
  grid-cert-request -host 'bvmlab-218-21.knmi.nl'

  #Copy it to a place readable for user globus
  cp /etc/grid-security/hostcert_request.pem /usr/local/globus-5.2.0/etc/hostcert_request.pem

### AS GLOBUS: sign the certificate ###
  grid-ca-sign -in /usr/local/globus-5.2.0/etc/hostcert_request.pem -out  /usr/local/globus-5.2.0/etc/hostsigned.pem

### AS ROOT: install the signed certificate ###
  cp /usr/local/globus-5.2.0/etc/hostsigned.pem /etc/grid-security/hostcert.pem
  chown root:root /etc/grid-security/hostcert.pem
  chmod 644 /etc/grid-security/hostcert.pem

  myproxy-server-setup
  #If everything is all right, kill the proxy server and configure it

### Create the myproxy server configuration file ###
  accepted_credentials  "*" 
  authorized_retrievers "*" 
  default_retrievers    "*" 
  authorized_renewers   "*" 
  default_renewers      "none" 
  authorized_key_retrievers "*" 
  default_key_retrievers    "none" 
  trusted_retrievers    "*" 
  default_trusted_retrievers "none" 
  cert_dir /etc/grid-security/certificates
  pam required
  pam_id "myproxy-credential-translation" 
  certificate_issuer_cert /usr/local/globus-5.2.0/var/lib/globus/simple_ca/cacert.pem
  certificate_issuer_key /usr/local/globus-5.2.0/var/lib/globus/simple_ca/private/cakey.pem
  certificate_issuer_key_passphrase "globus_install" 
  certificate_serialfile /usr/local/globus-5.2.0/var/lib/globus/simple_ca/serial
  certificate_out_dir /usr/local/globus-5.2.0/var/lib/globus/simple_ca/newcerts
  certificate_mapapp "/etc/grid-security/certificate_map_app.sh" 
  #Store this in: /etc/myproxy-server.config 

### Create certificate map application, which generates the new user id's ###
  #!/bin/sh
  echo "certificate_map_app called: /O=Grid/OU=GlobusTest/OU=simpleCA-bvmlab-218-21.knmi.nl/OU=local/CN=$1" >> /var/log/pam_credential_translation.log
  echo "/O=Grid/OU=GlobusTest/OU=simpleCA-bvmlab-218-21.knmi.nl/OU=local/CN=$1" 
  #And store this in /etc/grid-security/certificate_map_app.sh
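The map application above builds the subject DN by interpolating $1 (the username accepted by PAM) straight into the string, so the characters a username may contain decide what subject the CA issues. As an added example (not the page's own map app), the following POSIX shell version emits the same DN but first restricts the username to a conservative character set, which is an assumption made here; the function names are chosen here and the log file is the one used on this page.

```sh
#!/bin/sh
# Added example, not the page's certificate_map_app.sh: same DN as on the page,
# but the username is validated before it is interpolated, so a name containing
# '/', '=', whitespace or a newline cannot alter the issued subject.
LC_ALL=C; export LC_ALL      # make the a-z / 0-9 ranges below locale-independent
BASE_DN="/O=Grid/OU=GlobusTest/OU=simpleCA-bvmlab-218-21.knmi.nl/OU=local"
LOGFILE=${LOGFILE:-/var/log/pam_credential_translation.log}

# valid_username <name>: exit 0 for 1..32 chars of [a-z0-9._-] starting with a
# letter or digit (an assumption of this example; the page's script accepts anything)
valid_username() {
    case "$1" in
        ''|*[!a-z0-9._-]*|[!a-z0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# map_dn <name>: print the DN for a valid name; print nothing and exit 1 otherwise
map_dn() {
    valid_username "$1" || return 1
    printf '%s/CN=%s\n' "$BASE_DN" "$1"
}

# When invoked by myproxy-server as certificate_mapapp, the username is $1.
if [ $# -eq 1 ]; then
    if dn=$(map_dn "$1"); then
        echo "certificate_map_app called: $dn" >> "$LOGFILE"
        echo "$dn"
    else
        echo "certificate_map_app: rejected username (invalid characters or length)" >> "$LOGFILE"
        exit 1
    fi
fi
```

A non-zero exit from the map application makes myproxy-server refuse the request, so a rejected name results in no credential rather than a credential with an unexpected subject; the log line records the rejection without echoing the offending input.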

### Create myproxy-credential-translation configuration file ###
  auth required pam_credential_translation.so sha256passwd=******************
  account  required pam_credential_translation.so sha256passwd=******************
  #Store this in /etc/pam.d/myproxy-credential-translation (the pam_id from myproxy-server.config)

### TESTING on a client machine ###
  myproxy-get-trustroots -s bvmlab-218-21.knmi.nl
  myproxy-logon -s bvmlab-218-21.knmi.nl 

Interesting link: http://docs.snic.se/wiki/Requesting_a_grid_certificate_from_the_Nordugrid_CA