MyProxyServer¶
Renew CA¶
The host CA certificate of the myproxyserver a validity period of a year. It needs to be renewed on yearly basis.
For climate4impact the host certificate is valid till 2017-04-14.
The certificate can be renewed in the following way:
### RENEW CA ### #Request new certificate #Create a certificate signing request openssl req -new -out /usr/local/globus-5.2.0/etc/hostcert_request.pem -key /etc/grid-security/hostkey.pem -config /etc/grid-security/globus-host-ssl.conf #Use name: bvlpenes.knmi.nl #You can verify by the following command openssl req -verify -text -noout -in /usr/local/globus-5.2.0/etc/hostcert_request.pem #Re-sign the certificate signing request / renew certificate, this results in the new certificate openssl ca -out /usr/local/globus-5.2.0/etc/hostsigned.pem -notext -config /usr/local/globus-5.2.0/var/lib/globus/simple_ca/grid-ca-ssl.conf -infiles /usr/local/globus-5.2.0/etc/hostcert_request.pem #When you get the following error (this is a bug) # failed to update database # TXT_DB error number 2 #You can adjust: vi /usr/local/globus-5.2.0/var/lib/globus/simple_ca/index.txt #By removing the corresponding line (there might be better options). (Update 2016-04-14: All lines can be removed.) #Copy the certificate to its final destination: cp -p /usr/local/globus-5.2.0/etc/hostsigned.pem /etc/grid-security/hostcert.pem chown root: /etc/grid-security/hostcert.pem chmod 644 /etc/grid-security/hostcert.pem #Complete.
Ready, the MyProxy certificate is now renewed.
Inspect a x509 certificate with OpenSSL¶
openssl x509 -in certs/creds.pem -noout -text
Download a file from ESGF using wget¶
wget --no-check-certificate --private-key /tmp/x509up_u1202 --certificate /tmp/x509up_u1202 "http://cmip-dn1.badc.rl.ac.uk/thredds/fileServer/esg_dataroot/cmip5/output1/MOHC/HadCM3/decadal1960/day/atmos/day/r10i3p1/v20110825/pr/pr_day_HadCM3_decadal1960_r10i3p1_19601101-19901130.nc" -O pr_day_HadCM3_decadal1960_r10i3p1_19601101-19901130.nc
Download a file from ESGF using CURL¶
curl -v --location -k --cert /tmp/x509up_u1202 --key /tmp/x509up_u1202 --cookie-jar cookies.dat "http://cmip-dn1.badc.rl.ac.uk/thredds/fileServer/esg_dataroot/cmip5/output1/MOHC/HadCM3/decadal1960/day/atmos/day/r10i3p1/v20110825/pr/pr_day_HadCM3_decadal1960_r10i3p1_19601101-19901130.nc" --output pr_day_HadCM3_decadal1960_r10i3p1_19601101-19901130.nc
Add certificates to custom truststore¶
keytool -genkey -alias dummy -keyalg RSA -keystore /test/truststore.jks
#!/bin/bash echo | openssl s_client -connect pcmdi3.llnl.gov:443 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > pcmdi3.llnl.gov echo | openssl s_client -connect pcmdi9.llnl.gov:443 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > pcmdi9.llnl.gov echo | openssl s_client -connect ipcc-ar5.dkrz.de:443 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ipcc-ar5.dkrz.de echo | openssl s_client -connect esgf-data.dkrz.de:443 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > esgf-data.dkrz.de echo | openssl s_client -connect esg.pik-potsdam.de:443 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > esg.pik-potsdam.de echo "pcmdi3.llnl.gov" keytool -delete -alias pcmdi3.llnl.gov -keystore /test/truststore.jks -storepass changeit keytool -import -v -trustcacerts -alias pcmdi3.llnl.gov -file pcmdi3.llnl.gov -keystore /test/truststore.jks -storepass changeit -noprompt echo "pcmdi9.llnl.gov" keytool -delete -alias pcmdi9.llnl.gov -keystore /test/truststore.jks -storepass changeit keytool -import -v -trustcacerts -alias pcmdi9.llnl.gov -file pcmdi9.llnl.gov -keystore /test/truststore.jks -storepass changeit -noprompt echo "ipcc-ar5.dkrz.de" keytool -delete -alias ipcc-ar5.dkrz.de -keystore /test/truststore.jks -storepass changeit keytool -import -v -trustcacerts -alias ipcc-ar5.dkrz.de -file ipcc-ar5.dkrz.de -keystore /test/truststore.jks -storepass changeit -noprompt echo "esgf-data.dkrz.de" keytool -delete -alias esgf-data.dkrz.de -keystore /test/truststore.jks -storepass changeit keytool -import -v -trustcacerts -alias esgf-data.dkrz.de -file esgf-data.dkrz.de -keystore /test/truststore.jks -storepass changeit -noprompt echo "esg.pik-potsdam.de" keytool -delete -alias esg.pik-potsdam.de -keystore /test/truststore.jks -storepass changeit keytool -import -v -trustcacerts -alias esg.pik-potsdam.de -file esg.pik-potsdam.de -keystore /test/truststore.jks -storepass changeit -noprompt
VM Arguments:
-Djavax.net.ssl.trustStore="/test/truststore.jks" -Djavax.net.ssl.trustStorePassword="changeit"
MyProxyServer Installation and Configuration¶
Note* This is not the MyProxyServer used by Climate4Impact, it is a test instance. Installation instructions are similar.
################################################################################################
# Manual to install and configure MyProxyServer on a Scientific Linux or RedHat 6 machine.
#
# MyProxyServer will be configured with a Pluggable Authenication Module (PAM) to create credentials
# with predefined password for any username.
# This is achieved with the PAM extension pam_credential_translation written by P. Kershaw
#
# (Author: Maarten Plieger, KNMI)
################################################################################################
#Installation instructions on scientific linux 6.1 (or RH 6).
####################### As user root #######################
yum update
yum install gcc
yum install openssl-devel
yum install libtool
yum groupinstall 'Development Tools'
yum install libtool-ltdl-devel
yum install pam-devel
#install perl modules:
cpan -i Archive::Tar
cpan -i IO::Zlib
cpan -i Package::Constants
#Add user globus
groupadd globus
adduser -g globus globus
passwd globus
>(globus)
#Create directories
mkdir /usr/local/globus-5.2.0
chown globus:globus /usr/local/globus-5.2.0
mkdir /etc/grid-security
mkdir /etc/grid-security/certificates
#Set hostname bvmlab-218-21.knmi.nl in
vi /etc/sysconfig/network
vi /etc/hosts #145.23.218.21 bvmlab-218-21.knmi.nl
hostname bvmlab-218-21.knmi.nl
etc/init.d/network restart
### INSTALL PAM MODULE ###
svn checkout http://proj.badc.rl.ac.uk/svn/ndg-security/trunk/MashMyData/pam_credential_translation
cd pam_credential_translation
#Adjust pam_credential_translation.c with
PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv){
return PAM_SUCCESS ;
}
make
#Copy the pam_credential_translation.so file to /lib64/security/ (root privileges required)
### Set Firewall as root, open port 7512 in the firewall: ###
vi /etc/sysconfig/iptables
#ADD: -A INPUT -m state --state NEW -m tcp -p tcp --dport 7512 -j ACCEPT
/etc/init.d/iptables restart
####################### As user globus #######################
#INSTALL Globus toolkit and MyProxyServer
#Get gt5.2.0-all-source-installer.tar.gz
export GLOBUS_LOCATION=/usr/local/globus-5.2.0/
tar -xzvf gt5.2.0-all-source-installer.tar.gz
cd gt5.2.0-all-source-installer
./configure
make
make install
make gsi-myproxy
make install
export GLOBUS_LOCATION=/usr/local/globus-5.2.0/
. $GLOBUS_LOCATION/etc/globus-user-env.sh
### Install SimpleCA ###
export GLOBUS_LOCATION=/usr/local/globus-5.2.0/
. $GLOBUS_LOCATION/etc/globus-user-env.sh
#Create local grid security directories
mkdir ${sysconfdir}/grid-security/
mkdir ${sysconfdir}/grid-security/certificates
#There is a bug in myproxy-server-setup, it is pointing to the wrong location, can be fixed by:
mkdir /usr/local/globus-5.2.0//libexec/
cp /usr/local/globus-5.2.0/share/globus/globus-script-initializer /usr/local/globus-5.2.0//libexec/
grid-ca-create -subject "cn=Globus Simple CA, ou=simpleCA-bvmlab-218-21.knmi.nl, ou=GlobusTest, o=Grid" -email "plieger@knmi.nl" -days 1825 -pass globus_install -force
### AS ROOT: request grid certificate ###
mkdir /etc/grid-security
mkdir /etc/grid-security/certificates
#Copy certificates to root grid security directory
cp /usr/local/globus-5.2.0/etc/grid-security/certificates/globus-user-ssl.conf.* /etc/grid-security/globus-user-ssl.conf
cp /usr/local/globus-5.2.0/etc/grid-security/certificates/globus-host-ssl.conf.* /etc/grid-security/globus-host-ssl.conf
cp /usr/local/globus-5.2.0/etc/grid-security/certificates/grid-security.conf.* /etc/grid-security/grid-security.conf
cp /usr/local/globus-5.2.0/etc/grid-security/certificates/* /etc/grid-security/certificates
#Request host certificate
grid-cert-request -host 'bvmlab-218-21.knmi.nl'
#Copy it to a place readable for user globus
cp /etc/grid-security/hostcert_request.pem /usr/local/globus-5.2.0/etc/hostcert_request.pem
### AS GLOBUS: sign the certificate ###
grid-ca-sign -in /usr/local/globus-5.2.0/etc/hostcert_request.pem -out /usr/local/globus-5.2.0/etc/hostsigned.pem
### AS ROOT: install the signed certificate ###
cp /usr/local/globus-5.2.0/etc/hostsigned.pem /etc/grid-security/hostcert.pem
chown root:root /etc/grid-security/hostcert.pem
chmod 644 /etc/grid-security/hostcert.pem
myproxy-server-setup
#If everything is allright, kill the proxy server and configure it
### Create the myproxy server configuration file ###
accepted_credentials "*"
authorized_retrievers "*"
default_retrievers "*"
authorized_renewers "*"
default_renewers "none"
authorized_key_retrievers "*"
default_key_retrievers "none"
trusted_retrievers "*"
default_trusted_retrievers "none"
cert_dir /etc/grid-security/certificates
pam required
pam_id "myproxy-credential-translation"
certificate_issuer_cert /usr/local/globus-5.2.0/var/lib/globus/simple_ca/cacert.pem
certificate_issuer_key /usr/local/globus-5.2.0/var/lib/globus/simple_ca/private/cakey.pem
certificate_issuer_key_passphrase "globus_install"
certificate_serialfile /usr/local/globus-5.2.0/var/lib/globus/simple_ca/serial
certificate_out_dir /usr/local/globus-5.2.0/var/lib/globus/simple_ca/newcerts
certificate_mapapp "/etc/grid-security/certificate_map_app.sh"
#Store this in: /etc/myproxy-server.config
### Create certificate map application, which generates the new user id's ###
#!/bin/sh
echo "certificate_map_app called: /O=Grid/OU=GlobusTest/OU=simpleCA-bvmlab-218-21.knmi.nl/OU=local/CN=$1" >> /var/log/pam_credential_translation.log
echo "/O=Grid/OU=GlobusTest/OU=simpleCA-bvmlab-218-21.knmi.nl/OU=local/CN=$1"
#And store this in /etc/grid-security/certificate_map_app.sh
### Create myproxy-credential-translation configuration file ###
auth required pam_credential_translation.so sha256passwd=******************
account required pam_credential_translation.so sha256passwd=******************
#Store this in /etc/pam.d/
### TESTING on a client machine ###
myproxy-get-trustroots -s bvmlab-218-21.knmi.nl
myproxy-logon -s bvmlab-218-21.knmi.nl
Interesting link: http://docs.snic.se/wiki/Requesting_a_grid_certificate_from_the_Nordugrid_CA