MyProxyServer
Renew CA
The host certificate of the myproxyserver has a validity period of one year and needs to be renewed yearly.
For climate4impact the host certificate is valid till 2017-04-14.
The certificate can be renewed as follows:
### RENEW CA ###
# Request a new certificate: create a certificate signing request (CSR) for the existing host key.
# Use the name bvlpenes.knmi.nl.
openssl req -new -out /usr/local/globus-5.2.0/etc/hostcert_request.pem -key /etc/grid-security/hostkey.pem -config /etc/grid-security/globus-host-ssl.conf

# You can verify the request with the following command:
openssl req -verify -text -noout -in /usr/local/globus-5.2.0/etc/hostcert_request.pem

# Re-sign the certificate signing request (renew the certificate); this results in the new certificate:
openssl ca -out /usr/local/globus-5.2.0/etc/hostsigned.pem -notext -config /usr/local/globus-5.2.0/var/lib/globus/simple_ca/grid-ca-ssl.conf -infiles /usr/local/globus-5.2.0/etc/hostcert_request.pem

# When you get the following error (this is a bug):
#   failed to update database
#   TXT_DB error number 2
# you can adjust the CA database
vi /usr/local/globus-5.2.0/var/lib/globus/simple_ca/index.txt
# by removing the corresponding line (there might be better options).
# (Update 2016-04-14: all lines can be removed.)

# Copy the certificate to its final destination:
cp -p /usr/local/globus-5.2.0/etc/hostsigned.pem /etc/grid-security/hostcert.pem
chown root: /etc/grid-security/hostcert.pem
chmod 644 /etc/grid-security/hostcert.pem
# Complete.
Done: the MyProxy host certificate is now renewed.
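The index.txt edited above is the database that `openssl ca` keeps for the SimpleCA, and `TXT_DB error number 2` appears when that database already holds a valid (status V) row for the subject being signed; an expired host certificate keeps its V status until `openssl ca -updatedb` runs, so a yearly re-sign for the same host name trips over the previous year's row. The following Python script is an added example, not code from this page or from Globus/MyProxy: it parses a constructed sample index.txt (all rows, serials and DNs are made up) and reports the rows that would block a re-sign as well as the certificates approaching the yearly renewal.

```python
"""Inspect an OpenSSL CA database (index.txt): which rows block re-signing a
subject and which certificates are due for the yearly renewal."""
from datetime import datetime, timezone
from typing import NamedTuple

# Constructed sample of a SimpleCA index.txt (not taken from the page). Tab-separated
# fields: status, expiry, revocation date, serial (hex), certificate file, subject DN.
HOST_DN = "/O=Grid/OU=GlobusTest/OU=simpleCA-bvlpenes.knmi.nl/CN=host/bvlpenes.knmi.nl"
SAMPLE_INDEX = "\n".join([
    "V\t160414120000Z\t\t01\tunknown\t" + HOST_DN,
    "R\t170101000000Z\t160301090000Z\t03\tunknown\t"
    "/O=Grid/OU=GlobusTest/OU=simpleCA-bvlpenes.knmi.nl/OU=local/CN=alice",
    "V\t20170601000000Z\t\t04\tunknown\t"
    "/O=Grid/OU=GlobusTest/OU=simpleCA-bvlpenes.knmi.nl/OU=local/CN=bob",
])

class Entry(NamedTuple):
    status: str        # V = valid, R = revoked, E = expired (only set by `openssl ca -updatedb`)
    expires: datetime
    serial: str
    subject: str

def parse_asn1_time(value):
    """index.txt uses ASN.1 UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ)."""
    fmt = "%y%m%d%H%M%SZ" if len(value) == 13 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)

def parse_index(text):
    entries = []
    for line in text.splitlines():
        if line.strip():
            status, expires, _revoked, serial, _file, subject = line.split("\t")
            entries.append(Entry(status, parse_asn1_time(expires), serial, subject))
    return entries

def blocking_rows(entries, subject):
    """Rows still marked 'V' for `subject`. With unique_subject = yes (the OpenSSL default)
    `openssl ca` refuses to sign another CSR for it: 'failed to update database / TXT_DB
    error number 2'. Expired rows stay 'V' until `openssl ca -updatedb` marks them 'E'."""
    return [e for e in entries if e.status == "V" and e.subject == subject]

def expiring_within(entries, now, days):
    """Valid rows whose expiry is at most `days` after `now` (already expired rows included)."""
    return [e for e in entries if e.status == "V" and (e.expires - now).days <= days]

if __name__ == "__main__":
    rows = parse_index(SAMPLE_INDEX)
    for e in blocking_rows(rows, HOST_DN):
        print("row blocking a re-sign:", e.serial, "expires", e.expires.date())
    for e in expiring_within(rows, datetime.now(timezone.utc), 60):
        print("renew soon:", e.serial, e.subject, "expires", e.expires.date())
```

Pointing `parse_index` at the real `simple_ca/index.txt` shows which row to expire or revoke instead of deleting lines by hand.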
Inspect an X.509 certificate with OpenSSL
openssl x509 -in certs/creds.pem -noout -text
Download a file from ESGF using wget
wget --no-check-certificate --private-key /tmp/x509up_u1202 --certificate /tmp/x509up_u1202 "http://cmip-dn1.badc.rl.ac.uk/thredds/fileServer/esg_dataroot/cmip5/output1/MOHC/HadCM3/decadal1960/day/atmos/day/r10i3p1/v20110825/pr/pr_day_HadCM3_decadal1960_r10i3p1_19601101-19901130.nc" -O pr_day_HadCM3_decadal1960_r10i3p1_19601101-19901130.nc
Here /tmp/x509up_u1202 is the proxy credential (certificate and private key in one PEM file) presented as client certificate; --no-check-certificate turns off verification of the server's certificate, so only the client side is authenticated.
Download a file from ESGF using curl
curl -v --location -k --cert /tmp/x509up_u1202 --key /tmp/x509up_u1202 --cookie-jar cookies.dat "http://cmip-dn1.badc.rl.ac.uk/thredds/fileServer/esg_dataroot/cmip5/output1/MOHC/HadCM3/decadal1960/day/atmos/day/r10i3p1/v20110825/pr/pr_day_HadCM3_decadal1960_r10i3p1_19601101-19901130.nc" --output pr_day_HadCM3_decadal1960_r10i3p1_19601101-19901130.nc
As with wget, -k (--insecure) disables verification of the server certificate, while --cert and --key present the proxy credential as client certificate.
Add certificates to a custom truststore
keytool -genkey -alias dummy -keyalg RSA -keystore /test/truststore.jks
#!/bin/bash
# Fetch the server certificate of each ESGF node and (re)import it into the truststore
# under an alias equal to the host name; the delete step clears a previous import.
for host in pcmdi3.llnl.gov pcmdi9.llnl.gov ipcc-ar5.dkrz.de esgf-data.dkrz.de esg.pik-potsdam.de; do
  echo | openssl s_client -connect "$host:443" 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > "$host"
  echo "$host"
  keytool -delete -alias "$host" -keystore /test/truststore.jks -storepass changeit
  keytool -import -v -trustcacerts -alias "$host" -file "$host" -keystore /test/truststore.jks -storepass changeit -noprompt
done
Note that openssl s_client does not verify the certificate it receives, so each imported certificate is trusted exactly as the server presented it at import time; compare the fingerprints against a known-good source before relying on the truststore.
VM Arguments:
-Djavax.net.ssl.trustStore="/test/truststore.jks" -Djavax.net.ssl.trustStorePassword="changeit"
MyProxyServer Installation and Configuration
Note: this is not the MyProxyServer used by Climate4Impact; it is a test instance. The installation instructions are similar.
################################################################################################
# Manual to install and configure MyProxyServer on a Scientific Linux or RedHat 6 machine.
#
# MyProxyServer will be configured with a Pluggable Authentication Module (PAM) to create credentials
# with a predefined password for any username.
# This is achieved with the PAM extension pam_credential_translation written by P. Kershaw
#
# (Author: Maarten Plieger, KNMI)
################################################################################################

# Installation instructions on Scientific Linux 6.1 (or RH 6).

####################### As user root #######################
yum update
yum install gcc
yum install openssl-devel
yum install libtool
yum groupinstall 'Development Tools'
yum install libtool-ltdl-devel
yum install pam-devel

# Install perl modules:
cpan -i Archive::Tar
cpan -i IO::Zlib
cpan -i Package::Constants

# Add user globus
groupadd globus
adduser -g globus globus
passwd globus   # (globus)

# Create directories
mkdir /usr/local/globus-5.2.0
chown globus:globus /usr/local/globus-5.2.0
mkdir /etc/grid-security
mkdir /etc/grid-security/certificates

# Set hostname bvmlab-218-21.knmi.nl in:
vi /etc/sysconfig/network
vi /etc/hosts
#   145.23.218.21 bvmlab-218-21.knmi.nl
hostname bvmlab-218-21.knmi.nl
/etc/init.d/network restart

### INSTALL PAM MODULE ###
svn checkout http://proj.badc.rl.ac.uk/svn/ndg-security/trunk/MashMyData/pam_credential_translation
cd pam_credential_translation
# Adjust pam_credential_translation.c with:
#   PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv) {
#       return PAM_SUCCESS;
#   }
make
# Copy the pam_credential_translation.so file to /lib64/security/ (root privileges required)

### Set firewall as root, open port 7512 in the firewall: ###
vi /etc/sysconfig/iptables
# ADD:
#   -A INPUT -m state --state NEW -m tcp -p tcp --dport 7512 -j ACCEPT
/etc/init.d/iptables restart

####################### As user globus #######################
# INSTALL Globus toolkit and MyProxyServer
# Get gt5.2.0-all-source-installer.tar.gz
export GLOBUS_LOCATION=/usr/local/globus-5.2.0/
tar -xzvf gt5.2.0-all-source-installer.tar.gz
cd gt5.2.0-all-source-installer
./configure
make
make install
make gsi-myproxy
make install
export GLOBUS_LOCATION=/usr/local/globus-5.2.0/
. $GLOBUS_LOCATION/etc/globus-user-env.sh

### Install SimpleCA ###
export GLOBUS_LOCATION=/usr/local/globus-5.2.0/
. $GLOBUS_LOCATION/etc/globus-user-env.sh
# Create local grid security directories
mkdir ${sysconfdir}/grid-security/
mkdir ${sysconfdir}/grid-security/certificates
# There is a bug in myproxy-server-setup: it points to the wrong location. It can be fixed by:
mkdir /usr/local/globus-5.2.0/libexec/
cp /usr/local/globus-5.2.0/share/globus/globus-script-initializer /usr/local/globus-5.2.0/libexec/
grid-ca-create -subject "cn=Globus Simple CA, ou=simpleCA-bvmlab-218-21.knmi.nl, ou=GlobusTest, o=Grid" -email "plieger@knmi.nl" -days 1825 -pass globus_install -force

### AS ROOT: request grid certificate ###
mkdir /etc/grid-security
mkdir /etc/grid-security/certificates
# Copy certificates to the root grid security directory
cp /usr/local/globus-5.2.0/etc/grid-security/certificates/globus-user-ssl.conf.* /etc/grid-security/globus-user-ssl.conf
cp /usr/local/globus-5.2.0/etc/grid-security/certificates/globus-host-ssl.conf.* /etc/grid-security/globus-host-ssl.conf
cp /usr/local/globus-5.2.0/etc/grid-security/certificates/grid-security.conf.* /etc/grid-security/grid-security.conf
cp /usr/local/globus-5.2.0/etc/grid-security/certificates/* /etc/grid-security/certificates
# Request host certificate
grid-cert-request -host 'bvmlab-218-21.knmi.nl'
# Copy it to a place readable for user globus
cp /etc/grid-security/hostcert_request.pem /usr/local/globus-5.2.0/etc/hostcert_request.pem

### AS GLOBUS: sign the certificate ###
grid-ca-sign -in /usr/local/globus-5.2.0/etc/hostcert_request.pem -out /usr/local/globus-5.2.0/etc/hostsigned.pem

### AS ROOT: install the signed certificate ###
cp /usr/local/globus-5.2.0/etc/hostsigned.pem /etc/grid-security/hostcert.pem
chown root:root /etc/grid-security/hostcert.pem
chmod 644 /etc/grid-security/hostcert.pem
myproxy-server-setup
# If everything is all right, kill the proxy server and configure it.

### Create the myproxy server configuration file ###
accepted_credentials "*"
authorized_retrievers "*"
default_retrievers "*"
authorized_renewers "*"
default_renewers "none"
authorized_key_retrievers "*"
default_key_retrievers "none"
trusted_retrievers "*"
default_trusted_retrievers "none"
cert_dir /etc/grid-security/certificates
pam required
pam_id "myproxy-credential-translation"
certificate_issuer_cert /usr/local/globus-5.2.0/var/lib/globus/simple_ca/cacert.pem
certificate_issuer_key /usr/local/globus-5.2.0/var/lib/globus/simple_ca/private/cakey.pem
certificate_issuer_key_passphrase "globus_install"
certificate_serialfile /usr/local/globus-5.2.0/var/lib/globus/simple_ca/serial
certificate_out_dir /usr/local/globus-5.2.0/var/lib/globus/simple_ca/newcerts
certificate_mapapp "/etc/grid-security/certificate_map_app.sh"
# Store this in: /etc/myproxy-server.config

### Create certificate map application, which generates the new user IDs ###
#!/bin/sh
echo "certificate_map_app called: /O=Grid/OU=GlobusTest/OU=simpleCA-bvmlab-218-21.knmi.nl/OU=local/CN=$1" >> /var/log/pam_credential_translation.log
echo "/O=Grid/OU=GlobusTest/OU=simpleCA-bvmlab-218-21.knmi.nl/OU=local/CN=$1"
# And store this in /etc/grid-security/certificate_map_app.sh

### Create myproxy-credential-translation configuration file ###
auth required pam_credential_translation.so sha256passwd=******************
account required pam_credential_translation.so sha256passwd=******************
# Store this in /etc/pam.d/ (the file name must match the pam_id configured above)

### TESTING on a client machine ###
myproxy-get-trustroots -s bvmlab-218-21.knmi.nl
myproxy-logon -s bvmlab-218-21.knmi.nl
Interesting link: http://docs.snic.se/wiki/Requesting_a_grid_certificate_from_the_Nordugrid_CA