The MyProxy Certificate Authority

National Center for Supercomputing Applications

University of Illinois at Urbana-Champaign

MyProxy > Docs > Admin Guide > The MyProxy Certificate Authority

The GridShib CA can be configured to use the MyProxy CA.

Starting with v3.0, the MyProxy server includes the ability to act as a Certificate Authority (CA), signing certificates with a configured CA key on request for authenticated users that don't already have certificates stored in the MyProxy repository. Users can run myproxy-logon to authenticate and obtain a certificate from the MyProxy CA when and where needed, without needing to store long-lived keys and certificates in the MyProxy repository or elsewhere.

The MyProxy CA meets the requirements of the Short Lived Credential Services X.509 Public Key Certification Authorities Profile of The Americas Grid Policy Management Authority, a member of the International Grid Trust Federation. The NCSA MyProxy CA and the NERSC Online CA have been accredited under the Profile.

The MyProxy CA functionality requires the configuration of PAM and/or SASL to support username/password and/or Kerberos authentication for obtaining certificates. The myproxy-server administrator must also configure the myproxy-server with the CA key, other CA attributes, and a method for mapping MyProxy usernames to Distinguished Names (DNs) in the signed certificates. Three mapping methods are supported: certificate_mapfile, which follows the Globus Toolkit grid-mapfile format, certificate_mapapp, which provides a general-purpose call-out interface, and LDAP.

The MyProxy server can act as a CA, a repository, or both. The CA functionality is disabled unless the CA configuration options in the myproxy-server.config are enabled. Likewise, the myproxy-server.config accepted_credentials setting controls whether clients can store credentials on the server. A myproxy-server.config template is provided in $GLOBUS_LOCATION/share/myproxy.

By default, the MyProxy CA issues certificates valid for 12 hours. This can be customized using the max_cert_lifetime option in myproxy-server.config.

MyProxy CA Installation

The MyProxy CA can be configured to use a Hardware Security Module.

Install the myproxy-server according to the MyProxy Server Installation instructions.
Create your CA using SimpleCA or equivalent. The Globus SimpleCA package is included in the myproxy-server installation. Be sure to create host credentials for the myproxy-server. Note: the PEM passphrase you choose during SimpleCA setup must be entered in the myproxy-server.config certificate_issuer_key_passphrase configuration line (see below).
Configure the myproxy-server to use PAM and/or SASL.
Configure the CA functionality in the myproxy-server.config file. For example:
pam "sufficient" sasl "sufficient" authorized_retrievers "*" certificate_issuer_cert /home/globus/.globus/simpleCA/cacert.pem certificate_issuer_key /home/globus/.globus/simpleCA/private/cakey.pem certificate_issuer_key_passphrase "myproxy" certificate_serialfile /home/globus/.globus/simpleCA/serial certificate_out_dir /home/globus/.globus/simpleCA/newcerts certificate_mapfile /etc/grid-security/grid-mapfile
Note: the certificate_issuer_key_passphrase is the PEM passphrase you chose for your SimpleCA installation.
Restart the myproxy-server for the configuration changes to take effect.

You should now be able to retrieve certificates using myproxy-logon. For example:

$ myproxy-logon -s myproxy.ncsa.uiuc.edu
Enter MyProxy pass phrase: <enter PAM password here>
A credential has been received for user jbasney in /tmp/x509up_u25555.

If there are any problems, consult the Troubleshooting Guide.

Revocation

If you configure MyProxy with SimpleCA, then you can revoke certificates and generate certificate revocation lists (CRLs) using openssl ca commands. The following instructions assume SimpleCA is installed in /home/globus/.globus/simpleCA and your myproxy-server.config is configured as above.

The following script (installed at $GLOBUS_LOCATION/share/myproxy/myproxy-crl.cron) can be installed as a cron job to periodically generate CRLs:

#!/bin/sh

CRLDAYS=14
SIMPLECADIR="/home/globus/.globus/simpleCA"
PASS="/home/globus/.globus/.simplecapass"
CONF="$SIMPLECADIR/grid-ca-ssl.conf"
CACERT="$SIMPLECADIR/cacert.pem"
INDEX="$SIMPLECADIR/index.txt"
HASH=`openssl x509 -noout -hash -in $CACERT`
PEMCRL="$SIMPLECADIR/$HASH.r0"
DERCRL="$SIMPLECADIR/$HASH.crl"

if [ ! -e $INDEX ] ; then
   touch $INDEX
fi

openssl ca -gencrl -config $CONF -passin file:$PASS \
  -crldays $CRLDAYS -out $PEMCRL.$$ &&
mv $PEMCRL.$$ $PEMCRL &&
openssl crl -outform DER -in $PEMCRL -out $DERCRL.$$ &&
mv $DERCRL.$$ $DERCRL

Various CRL settings can be specified in $SIMPLECADIR/grid-ca-ssl.conf. See the OpenSSL ca(1) documentation for details.

To revoke a certificate, find the certificate in $SIMPLECADIR/newcerts and use the following script (installed at $GLOBUS_LOCATION/share/myproxy/myproxy-revoke), passing the file path on the command-line:

#!/bin/sh

FILENAME="$*" # command-line argument
SIMPLECADIR="/home/globus/.globus/simpleCA"
PASS="/home/globus/.globus/.simplecapass"
CONF="$SIMPLECADIR/grid-ca-ssl.conf"

openssl ca -passin file:$PASS -config $CONF -revoke $FILENAME

If you are using MyProxy with a Hardware Security Module, it will likely be necessary to add -engine options to the scripts according to the HSM documentation.