The GridShib CA can be configured to use the MyProxy CA.
Starting with v3.0, the MyProxy server includes the ability to act as a Certificate Authority (CA), signing certificates with a configured CA key on request for authenticated users that don't already have certificates stored in the MyProxy repository. Users can run myproxy-logon to authenticate and obtain a certificate from the MyProxy CA when and where needed, without needing to store long-lived keys and certificates in the MyProxy repository or elsewhere.
The MyProxy CA meets the requirements of the Short Lived Credential Services X.509 Public Key Certification Authorities Profile of The Americas Grid Policy Management Authority, a member of the International Grid Trust Federation. The NCSA MyProxy CA and the NERSC Online CA have been accredited under the Profile.
The MyProxy CA functionality requires the configuration of PAM and/or SASL to support username/password and/or Kerberos authentication for obtaining certificates. The myproxy-server administrator must also configure the myproxy-server with the CA key, other CA attributes, and a method for mapping MyProxy usernames to Distinguished Names (DNs) in the signed certificates. Three mapping methods are supported: certificate_mapfile, which follows the Globus Toolkit grid-mapfile format, certificate_mapapp, which provides a general-purpose call-out interface, and LDAP.
The MyProxy server can act as a CA, a repository, or both. The CA functionality is disabled unless the CA configuration options in the myproxy-server.config are enabled. Likewise, the myproxy-server.config accepted_credentials setting controls whether clients can store credentials on the server. A myproxy-server.config template is provided in $GLOBUS_LOCATION/share/myproxy.
By default, the MyProxy CA issues certificates valid for 12 hours. This can be customized using the max_cert_lifetime option in myproxy-server.config.
MyProxy CA support was contributed by Monte Goode from Lawrence Berkeley National Laboratory.
MyProxy CA Installation
The MyProxy CA can be configured to use a Hardware Security Module.
You should now be able to retrieve certificates using myproxy-logon. For example:
$ myproxy-logon -s myproxy.ncsa.uiuc.edu Enter MyProxy pass phrase: <enter PAM password here> A credential has been received for user jbasney in /tmp/x509up_u25555.
If there are any problems, consult the Troubleshooting Guide.
If you configure MyProxy with SimpleCA, then you can revoke certificates and generate certificate revocation lists (CRLs) using openssl ca commands. The following instructions assume SimpleCA is installed in /home/globus/.globus/simpleCA and your myproxy-server.config is configured as above.
The following script (installed at $GLOBUS_LOCATION/share/myproxy/myproxy-crl.cron) can be installed as a cron job to periodically generate CRLs:
#!/bin/sh CRLDAYS=14 SIMPLECADIR="/home/globus/.globus/simpleCA" PASS="/home/globus/.globus/.simplecapass" CONF="$SIMPLECADIR/grid-ca-ssl.conf" CACERT="$SIMPLECADIR/cacert.pem" INDEX="$SIMPLECADIR/index.txt" HASH=`openssl x509 -noout -hash -in $CACERT` PEMCRL="$SIMPLECADIR/$HASH.r0" DERCRL="$SIMPLECADIR/$HASH.crl" if [ ! -e $INDEX ] ; then touch $INDEX fi openssl ca -gencrl -config $CONF -passin file:$PASS \ -crldays $CRLDAYS -out $PEMCRL.$$ && mv $PEMCRL.$$ $PEMCRL && openssl crl -outform DER -in $PEMCRL -out $DERCRL.$$ && mv $DERCRL.$$ $DERCRL
Various CRL settings can be specified in $SIMPLECADIR/grid-ca-ssl.conf. See the OpenSSL ca(1) documentation for details.
To revoke a certificate, find the certificate in $SIMPLECADIR/newcerts and use the following script (installed at $GLOBUS_LOCATION/share/myproxy/myproxy-revoke), passing the file path on the command-line:
#!/bin/sh FILENAME="$*" # command-line argument SIMPLECADIR="/home/globus/.globus/simpleCA" PASS="/home/globus/.globus/.simplecapass" CONF="$SIMPLECADIR/grid-ca-ssl.conf" openssl ca -passin file:$PASS -config $CONF -revoke $FILENAME
If you are using MyProxy with a Hardware Security Module, it will likely be necessary to add -engine options to the scripts according to the HSM documentation.