Step-by-Step: Grid Security from Scratch with MyProxy
MyProxy can serve as the root of a grid security setup. That is, MyProxy,
together with the SimpleCA it is paired with here, can create cryptographic
credentials for users and hosts, which grid services can be configured
to trust.
This guide shows you how to install and configure a MyProxy server
and use it to distribute credentials. These instructions should work on
any Unix-compatible operating system, such as Linux, Mac OS X, or
Solaris.
- Install Globus Toolkit
  - Optional: Install Java and Ant
  - Download Globus
  - Build Globus
- Configure SimpleCA
  - Environment Variables
  - SimpleCA Setup Script
  - GSI Setup Script
- Create MyProxy Server Host Credentials
- Configure MyProxy Service
  - Automatically Configure with myproxy-server-setup
  - Manually Edit Configuration to Accept Requests
  - Manually Install MyProxy as a Service
- Manage User Credentials
  - Initialize Credentials
  - Retrieve Credentials
- Distribute Service Credentials
  - Initialize Credentials
  - Retrieve Credentials
These instructions install both MyProxy and SimpleCA to run as root.
For instructions on installing them as non-root, see the SimpleCA
Installation Guide and the MyProxy Administrator's Guide.
Note that they both need to be installed under the same user
account (unless your system supports access control lists), since
both need access to MyProxy's credential repository, and MyProxy
refuses a repository directory that grants any group or world
access: it must be readable and writable by its owner only.
Once you have completed the installation steps detailed in this guide,
you will be ready to run grid services with a simple but complete
configuration of Grid
Security Infrastructure.
Some parts of the Globus Toolkit require Java and Ant, but MyProxy
does not. If you install Globus without Java, the configuration
process will generate a warning, but it can be ignored. If you
wish to install Java and Ant, follow these
instructions.
Download and unpack the GT all-source installation
package from the
Globus Toolkit
download page.
$ tar xzvf gt4.0-all-source-installer.tar.gz
Build and install enough of the Globus Toolkit to run MyProxy.
You can find the Globus Toolkit install guide here.
Note: for non-Bourne shells such as csh, replace
export X=y with setenv X y and execute the
.csh version of the scripts, such as globus-user-env.csh.
root# useradd globus
root# export GLOBUS_LOCATION=/usr/local/globus-4.0
root# mkdir $GLOBUS_LOCATION
root# chown globus.globus $GLOBUS_LOCATION
root# cd gt4.0-all-source-installer
root# ./configure --prefix $GLOBUS_LOCATION --with-flavor=gcc32dbg
root# make gsi-myproxy
root# make install
root# source $GLOBUS_LOCATION/etc/globus-user-env.sh
The make gsi-myproxy and make install commands
compile and install the parts of the Globus Toolkit required for a
MyProxy server and run a GPT postinstall step. This may take from a
few minutes to a few hours, depending on host resources.
Globus Toolkit 4.0.5 includes MyProxy 3.7. The following
instructions require upgrading
to MyProxy 4.0 (or later).
Next, please
upgrade to the latest MyProxy release.
For more details on SimpleCA installation, see Chapter
7 of the Globus administrator's guide.
SimpleCA is a simple Certificate
Authority that will provide the basis for grid security
credentials.
At its root is a self-signed X.509 certificate that the rest of
your grid can be configured to trust. The setup script generates
that root certificate and prepares an installation package.
root# $GLOBUS_LOCATION/setup/globus/setup-simple-ca
The script setup-simple-ca will prompt you for the following:
- A subject name for the CA, which should distinguish it from
all other CAs ever created. Use the default, except:
  localhost.localdomain - change this to the fully-qualified domain
  name of the machine that you are configuring.
  ou=GlobusTest - either keep it (if this is, in fact, a test
  install), remove it, or replace it with an appropriate
  distinguisher to set this installation of SimpleCA apart from
  others on the same machine.
- An administrative email address for the CA. It can be a
personal email address for the MyProxy server administrator.
These instructions assume that you are using the CA primarily as
a source of user certificates for MyProxy, which means that the
email address will rarely be visible to users.
- An expiration date, in terms of the number of days
until the CA's root certificate will expire. You can accept the
default, which is 5 years (1825 days). Remember that every
certificate this CA has signed becomes invalid once the CA
certificate itself expires.
- A passphrase (password) protecting the CA's private key.
You will be prompted for it whenever that key is used, which will
mostly be when a certificate request for a new user or host is
signed with grid-ca-sign.
Important: Your passphrase must not contain any spaces.
Output of setup-simple-ca, and required inputs:
C e r t i f i c a t e A u t h o r i t y S e t u p
This script will setup a Certificate Authority for signing Globus
users certificates. It will also generate a simple CA package
that can be distributed to the users of the CA.
The CA information about the certificates it distributes will
be kept in:
/root/.globus/simpleCA/
The unique subject name for this CA is:
cn=Globus Simple CA, ou=simpleCA-localhost.localdomain, ou=GlobusTest, o=Grid
Do you want to keep this as the CA subject (y/n) [y]: n
Enter a unique subject name for this CA:
cn=Globus Simple CA, ou=simpleCA-machine.example.com, ou=GlobusImpl, o=Grid
Enter the email of the CA (this is the email where certificate
requests will be sent to be signed by the CA): user@example.com
The CA certificate has an expiration date. Keep in mind that
once the CA certificate has expired, all the certificates
signed by that CA become invalid. A CA should regenerate
the CA certificate and start re-issuing ca-setup packages
before the actual CA certificate expires. This can be done
by re-running this setup script. Enter the number of DAYS
the CA certificate should last before it expires.
[default: 5 years (1825 days)]: <enter>
Enter PEM pass phrase: <passphrase>
Verifying - Enter PEM pass phrase: <passphrase again>
creating CA config package...done.
A self-signed certificate has been generated
for the Certificate Authority with the subject:
/O=Grid/OU=GlobusImpl/OU=simpleCA-machine.example.com/CN=Globus Simple CA
If this is invalid, rerun this script
/usr/local/globus-4.0/setup/globus/setup-simple-ca
and enter the appropriate fields.
-------------------------------------------------------------------
The private key of the CA is stored in /root/.globus/simpleCA//private/cakey.pem
The public CA certificate is stored in /root/.globus/simpleCA//cacert.pem
The distribution package built for this CA is stored in
/root/.globus/simpleCA//globus_simple_ca_5ad3e221_setup-0.17.tar.gz
This file must be distributed to any host wishing to request
certificates from this CA.
CA setup complete.
The following commands will now be run to setup the security
configuration files for this CA:
$GPT_LOCATION/sbin/gpt-build -install-only \
/root/.globus/simpleCA//globus_simple_ca_5ad3e221_setup-0.17.tar.gz
$GPT_LOCATION/sbin/gpt-postinstall
-------------------------------------------------------------------
setup-ssl-utils: Configuring ssl-utils package
Running setup-ssl-utils-sh-scripts...
***************************************************************************
Note: To complete setup of the GSI software you need to run the
following script as root to configure your security configuration
directory:
/usr/local/globus-4.0/setup/globus_simple_ca_5ad3e221_setup/setup-gsi
For further information on using the setup-gsi script, use the -help
option. The -default option sets this security configuration to be
the default, and -nonroot can be used on systems where root access is
not available.
***************************************************************************
setup-ssl-utils: Complete
Important output:
- The 8-digit hexadecimal string that appears in the
output, in this case 5ad3e221. That number is known as your CA
hash. The trust-root files that setup-gsi installs under
/etc/grid-security/certificates/ are named after it (the CA
certificate as <CA hash>.0 and its signing policy as
<CA hash>.signing_policy), and it is how GSI locates the CA when
verifying a certificate chain.
- The PEM-encoded private key and root certificate for this CA. PEM
is a file format from an old IETF initiative, Privacy-Enhanced
Mail, and is the standard format for keys and certificates in
Globus:
  /root/.globus/simpleCA//private/cakey.pem
  /root/.globus/simpleCA//cacert.pem
  Guard cakey.pem carefully: whoever holds it and its passphrase
  can issue certificates that every host in your grid will trust.
- The setup package for other machines in your grid, so that they
can request certificates from this server:
  /root/.globus/simpleCA//globus_simple_ca_<CA hash>_setup-0.17.tar.gz
- A script to configure grid security on this machine to use
SimpleCA:
  /usr/local/globus-4.0/setup/globus_simple_ca_<CA hash>_setup/setup-gsi
Finally, run setup-gsi, as root, to configure the Grid
Security Infrastructure.
root# $GLOBUS_LOCATION/setup/globus_simple_ca_<CA hash>_setup/setup-gsi
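To make concrete what setup-gsi installs and what the CA hash is used for, here is an added example (it is not a Globus or MyProxy script): it writes the two trust-root files a relying host needs for this CA, <hash>.0 and <hash>.signing_policy, into a directory standing in for /etc/grid-security/certificates/, and checks a subject DN against the signing policy the way GSI does before accepting a certificate chained to this CA. The CA subject is the one entered in the transcript above; the namespace pattern, the function names and the use of openssl's -subject_hash_old (OpenSSL 1.0 and later expose the original subject hash, which is what setup-simple-ca printed, under that name) are this example's assumptions.

```shell
#!/bin/sh
# Added example, not part of the Globus Toolkit or MyProxy: reproduce the
# trust-root files setup-gsi installs for a SimpleCA and evaluate its
# signing policy.  CA_DN is the subject from the transcript above; the
# namespace pattern below is assumed to match that CA's issued subjects.

CA_DN='/O=Grid/OU=GlobusImpl/OU=simpleCA-machine.example.com/CN=Globus Simple CA'
CA_NAMESPACE='/O=Grid/OU=GlobusImpl/OU=simpleCA-machine.example.com/*'

# Globus names trust-root files after OpenSSL's original subject hash,
# the 8 hex digits setup-simple-ca printed.  OpenSSL >= 1.0 calls it
# -subject_hash_old; plain -subject_hash there is a different value.
ca_hash() {
    openssl x509 -noout -subject_hash_old -in "$1"
}

# The three-record signing_policy format: who the CA is, the right it is
# granted, and the subject namespace it may sign.  Patterns are
# double-quoted inside the single quotes; '*' is the only wildcard.
write_signing_policy() {
    printf '%s\n' \
        "access_id_CA  X509  '$CA_DN'" \
        'pos_rights    globus CA:sign' \
        "cond_subjects globus '\"$CA_NAMESPACE\"'" > "$1"
}

# Install <hash>.0 (the CA certificate) and <hash>.signing_policy into
# DIR, which stands in for /etc/grid-security/certificates/.  Prints the hash.
install_trust_root() {
    cacert=$1 dir=$2
    hash=$(ca_hash "$cacert") || return 1
    cp "$cacert" "$dir/$hash.0"
    write_signing_policy "$dir/$hash.signing_policy"
    printf '%s\n' "$hash"
}

# 0 if SUBJECT falls inside one of the cond_subjects patterns of POLICY,
# 1 otherwise.  A certificate whose subject is outside the namespace is
# rejected by GSI even though the CA's signature on it is valid.
subject_allowed_by_policy() {
    policy=$1 subject=$2
    inner=$(sed -n "s/^cond_subjects[[:space:]]*globus[[:space:]]*'\(.*\)'[[:space:]]*$/\1/p" "$policy")
    # Turn  "pat1" "pat2"  into one pattern per line, then glob-match each.
    printf '%s\n' "$inner" | tr '"' '\n' | (
        while IFS= read -r pat; do
            case $pat in *[![:space:]]*) ;; *) continue ;; esac
            case $subject in $pat) exit 0 ;; esac
        done
        exit 1
    )
}
```

On a real host the directory argument to install_trust_root would be /etc/grid-security/certificates and the certificate the cacert.pem printed by setup-simple-ca; the signing-policy check is the reason a SimpleCA whose subject namespace is too broad (or whose cond_subjects line is missing) either over-trusts or breaks every certificate it issued.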
Now that MyProxy and SimpleCA are installed, each host on your
grid will need a host certificate, signed by SimpleCA, that vouches
for its identity. The first host certificate should be for the
MyProxy server itself.
Creating a certificate requires two steps:
- Create a certificate request
- Sign the request, to create the certificate
- Request a host certificate. Execute grid-cert-request,
supplying the MyProxy server's fully-qualified hostname:
root# grid-cert-request -host '<hostname>'
Generating a 1024 bit RSA private key
...................................++++++
...............................++++++
writing new private key to '/etc/grid-security/hostkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Level 0 Organization [Grid]:
Level 0 Organizational Unit [simpleCA-example.com]:
Name (e.g., John M. Smith) []:
A private host key and a certificate request has been generated
with the subject:
/O=Grid/OU=simpleCA-example.com/CN=host/<hostname>
----------------------------------------------------------
The private key is stored in /etc/grid-security/hostkey.pem
The request is stored in /etc/grid-security/hostcert_request.pem
Please e-mail the request to the Globus Simple CA user@example.com
You may use a command similar to the following:
cat /etc/grid-security/hostcert_request.pem | mail user@example.com
Only use the above if this machine can send AND receive e-mail. if not, please
mail using some other method.
Your certificate will be mailed to you within two working days.
If you receive no response, contact Globus Simple CA at user@example.com
- Sign the host certificate request. Enter the passphrase that
you created when you configured SimpleCA.
root# grid-ca-sign -in /etc/grid-security/hostcert_request.pem -out hostsigned.pem
To sign the request
please enter the password for the CA key: <passphrase>
The new signed certificate is at: /root/.globus/simpleCA//newcerts/01.pem
- Deploy the signed certificate to
/etc/grid-security/hostcert.pem, to establish the MyProxy server
as a member of the grid. Leave /etc/grid-security/hostkey.pem
as grid-cert-request wrote it: owned by root, with no group or
world permissions. GSI will not load a private key that other
users on the machine can read.
root# mv hostsigned.pem /etc/grid-security/hostcert.pem
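A post-deployment check, added here as an example and not part of the Globus Toolkit or MyProxy: it verifies the ownership rule stated at the start of this guide (the MyProxy repository must not grant any group or world access) and the same rule for the host key just installed, confirms that hostcert.pem and hostkey.pem belong together, and warns when the host certificate is close to expiry. The default paths are the ones used on this page; the function names and the 30-day warning threshold are this example's own choices.

```shell
#!/bin/sh
# Added example; not shipped with Globus or MyProxy.  Checks to run after
# placing hostcert.pem/hostkey.pem, and on the MyProxy repository directory.
# Assumes POSIX sh with ls and cut, plus openssl for the certificate checks.

# 0 if PATH exists and carries no group or world permission bits at all.
# GSI refuses a private key that is group/world readable, and myproxy-server
# refuses a repository directory (default /var/myproxy) with group/world access.
private_to_owner() {
    [ -e "$1" ] || return 2
    # Columns 5-10 of the ls -l mode string are the rwx bits for group and other.
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# 0 if the public key in CERT belongs to the private key in KEY.  A mismatch
# usually means the wrong signed file was copied over hostcert.pem.
cert_key_match() {
    cert_mod=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 2
    key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 2
    [ "$cert_mod" = "$key_mod" ]
}

# 0 if CERT is still valid DAYS days from now (openssl x509 -checkend).
cert_valid_for_days() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

# Run every check against the paths this page uses; non-zero on any failure.
# Arguments override the defaults: check_host_credential CERT KEY REPO.
check_host_credential() {
    cert=${1:-/etc/grid-security/hostcert.pem}
    key=${2:-/etc/grid-security/hostkey.pem}
    repo=${3:-/var/myproxy}
    rc=0
    private_to_owner "$key"  || { echo "FAIL: $key must be mode 0400 or 0600"; rc=1; }
    private_to_owner "$repo" || { echo "FAIL: $repo must be mode 0700"; rc=1; }
    cert_key_match "$cert" "$key" || { echo "FAIL: $cert does not match $key"; rc=1; }
    cert_valid_for_days "$cert" 30 || echo "WARN: $cert expires within 30 days"
    return $rc
}
```

Run check_host_credential with no arguments on the MyProxy server after the mv above. The private_to_owner check applies equally to the proxy files users later receive from myproxy-logon and to host keys installed by myproxy-retrieve.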
For more details, see the MyProxy
Administrator's Guide.
In MyProxy version 4.0 and later, the myproxy-server can be
configured automatically by the
myproxy-server-setup command as demonstrated by
the following example.
root# myproxy-server-setup
Wrote a default myproxy-server configuration to /etc/myproxy-server.config.
Installed /etc/init.d/myproxy.
Starting up MyProxy server... done.
Running myproxy-server tests...
Success!
The manual configuration steps that follow (editing the
configuration to accept requests, and installing MyProxy as a
service) are required only if myproxy-server-setup is not used or a
custom configuration is needed.
Modify the myproxy-server.config template provided at
$GLOBUS_LOCATION/share/myproxy/myproxy-server.config
to accept requests by uncommenting the sample policy at
the top of the file. This sample is the most permissive policy
possible: any credential chained to a trusted CA may be stored,
and any client may be named as its retriever. That is adequate for
the self-contained test grid built here; elsewhere, narrow the
patterns to your CA's subject namespace.
#
# Complete Sample Policy
#
# The following lines define a sample policy that enables all
# myproxy-server features. See below for more examples.
accepted_credentials "*"
authorized_retrievers "*"
default_retrievers "*"
authorized_renewers "*"
default_renewers "none"
authorized_key_retrievers "*"
default_key_retrievers "none"
trusted_retrievers "*"
default_trusted_retrievers "none"
Then copy the modified
$GLOBUS_LOCATION/share/myproxy/myproxy-server.config
file to
/etc/myproxy-server.config (if you have root access) or
$GLOBUS_LOCATION/etc/myproxy-server.config (if you don't
have root access).
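As an added example (not the template shipped with MyProxy), here is the same policy block narrowed to the CA created on this page. The DN prefix comes from the setup-simple-ca transcript above; the host DN pattern and max_proxy_lifetime (a directive not shown on this page) are assumptions. The two retriever policies stay at "*" because the procedure on this page has users and new hosts authenticating with only a passphrase before they hold any certificate that a DN pattern could be matched against.

```conf
#
# Narrowed policy for /etc/myproxy-server.config (added example)
#
# Only credentials issued under our SimpleCA namespace may be stored;
# a credential from any other CA the server trusts is refused at myproxy-init.
accepted_credentials "/O=Grid/OU=GlobusImpl/OU=simpleCA-machine.example.com/*"

# Retrieval by passphrase is left open: myproxy-logon and myproxy-retrieve
# on this page are run by clients that do not yet hold a certificate.
authorized_retrievers "*"
default_retrievers "*"
authorized_key_retrievers "*"
default_key_retrievers "none"

# Renewal (myproxy-logon -a) requires the renewer to present its own
# certificate, so it can be limited to host credentials from our CA and,
# per stored credential, must still be enabled by the owner (myproxy-init -R).
authorized_renewers "/O=Grid/OU=GlobusImpl/OU=simpleCA-machine.example.com/CN=host/*"
default_renewers "none"

# Passphrase-less retrieval by trusted services is not enabled at all:
# with no trusted_retrievers line, nobody matches that policy.
default_trusted_retrievers "none"

# Assumed from the MyProxy server manual, not shown on this page: cap the
# lifetime, in hours, of proxies the server delegates.
max_proxy_lifetime 12
```

Restart the server after editing the file so the new policy is read; credentials already stored keep the per-credential policies their owners set at myproxy-init time.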
- Copy MyProxy's SysV-style init script into init.d:
root# cp $GLOBUS_LOCATION/share/myproxy/etc.init.d.myproxy /etc/rc.d/init.d/myproxy
root# chmod +x /etc/rc.d/init.d/myproxy
- Edit the script to set the GLOBUS_LOCATION
variable (near the beginning of the file):
GLOBUS_LOCATION="/usr/local/globus-4.0"
- Install MyProxy as a service. Different Unixes and Linux
distributions have different commands to automate this; for
example, chkconfig --add myproxy on Red Hat-derived systems or
update-rc.d myproxy defaults on Debian-derived ones.
- Tip: If you are running a firewall, which some
Linux distributions run by default, you may need to open
TCP port 7512 on the MyProxy server before clients will be
able to connect to it.
- Start the service for the first time (it will start
automatically on future reboots):
root# /etc/rc.d/init.d/myproxy start
There are three simple options for configuring MyProxy to
manage user credentials.
Afterwards, your users will be able to authenticate to the
MyProxy server to retrieve their credentials and use them to gain
access to grid services.
By default, myproxy-logon assumes that the
local username is the same as the MyProxy username. If it is
different, you can specify a MyProxy username with -l <username>.
To retrieve credentials from MyProxy, run myproxy-logon. MyProxy will
delegate the stored credentials by creating a proxy
credential or, in the case of the MyProxy Certificate
Authority, will issue fresh credentials from scratch. The
credentials are written to the local file system as a single PEM
file holding the X.509 proxy certificate and its private key
(/tmp/x509up_u<uid> by default), readable only by the user.
The myproxy-logon -T option additionally installs the trust roots
(CA certificates and signing policies) published by the server,
so a fresh client needs nothing but the server's hostname to
bootstrap its security configuration.
jdoe$ myproxy-logon -s <MyProxy server hostname> -T
Enter MyProxy pass phrase: <passphrase>
A proxy has been received for user jdoe in /tmp/x509up_u500
You can also use MyProxy to distribute host/service credentials
to allow other hosts and services to participate securely in your
grid. The MyProxy server administrator creates the host/service
credentials, stores them in the MyProxy repository, and passes
the username and passphrase for the credentials to the host/service
administrator out of band. The passphrase is what authorizes
retrieval of the stored private key, so deliver it through a
channel you trust and remove the credential from the server as
soon as it has been retrieved. The host/service administrator then
uses myproxy-retrieve to download the credentials to the host,
using the provided username and passphrase.
To create host/service credentials to distribute to a system
administrator, use the myproxy-admin-addservice
command, providing the host/service name and a username/passphrase
the administrator can use to retrieve the credentials.
root@myproxy-server# myproxy-admin-addservice -c <hostname> -l <username>
A certificate request and private key is being created.
You will be asked to enter a PEM pass phrase.
This pass phrase is akin to your account password,
and is used to protect your key file.
If you forget your pass phrase, you will need to
obtain a new certificate.
Generating a 1024 bit RSA private key
.........++++++
.++++++
writing new private key to '/tmp/myproxy_adduser_key.pem'
Enter PEM pass phrase: <passphrase>
Verifying - Enter PEM pass phrase: <passphrase>
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Level 0 Organization [Grid]:
Level 0 Organizational Unit [GlobusTest]:
Level 1 Organizational Unit [simpleCA]:
Level 2 Organizational Unit [localdomain.localhost]:
Name (e.g., John M. Smith) []:
A private key and a certificate request has been generated with the subject:
/O=Grid/OU=GlobusTest/OU=simpleCA/OU=localdomain.localhost/CN=<hostname>
If the CN=<hostname> is not appropriate, rerun this
script with the -force -cn "Common Name" options.
Your private key is stored in /tmp/myproxy_adduser_key.pem
Your request is stored in /tmp/myproxy_adduser_cert_request.pem
Please e-mail the request to the Globus Simple CA jdoe@ncsa.uiuc.edu
You may use a command similar to the following:
cat /tmp/myproxy_adduser_cert_request.pem | mail jdoe@ncsa.uiuc.edu
Only use the above if this machine can send AND receive e-mail. if not, please
mail using some other method.
Your certificate will be mailed to you within two working days.
If you receive no response, contact Globus Simple CA at jdoe@ncsa.uiuc.edu
To sign the request
please enter the password for the CA key: <CA passphrase>
The new signed certificate is at: /home/globus/.globus/simpleCA//newcerts/01.pem
using storage directory /var/myproxy
Credential stored successfully
Then notify the system administrator that the credentials are ready to be retrieved with the provided username/passphrase as described in the next section.
To retrieve host/service credentials on the new host:
- Install the Globus Toolkit (including the MyProxy client
commands) on the new host.
- Run myproxy-retrieve to download the credentials on the new
host, supplying the host's fully-qualified hostname and the
username/passphrase provided by the MyProxy administrator.
root# myproxy-retrieve -T -s <MyProxy server hostname> -k <hostname> -l <username>
Enter MyProxy pass phrase: <passphrase>
Credentials for <username> have been stored in
/etc/grid-security/hostcert.pem and
/etc/grid-security/hostkey.pem.
Trust roots have been installed in /etc/grid-security/certificates/.
After the credentials are successfully installed on the new
host, remove them from the MyProxy server.
root# myproxy-destroy -s <MyProxy server hostname> -k <hostname> -l <username>
MyProxy credential '<hostname>' for user <username> was successfully removed.
Last modified
10/11/13.
©2000-2019 Board of Trustees of the University of Illinois.