National Center for Supercomputing Applications MyProxy Credential Management Service University of Illinois at Urbana-Champaign


Step-by-Step: Grid Security from Scratch with MyProxy

MyProxy can serve as the root of a grid security setup. That is, MyProxy can create cryptographic credentials for users and hosts, which grid services can be configured to trust.

This guide will show you how to install and configure a MyProxy server and use it to distribute credentials. These instructions should work on any Unix-compatible operating system, such as Linux, Mac OS X, or Solaris.

  1. Install Globus Toolkit
    1. Optional: Install Java and Ant
    2. Download Globus
    3. Build Globus
  2. Configure SimpleCA
    1. Environment Variables
    2. SimpleCA Setup Script
    3. GSI Setup Script
  3. Create MyProxy Server Host Credentials
  4. Configure MyProxy Service
    1. Automatically Configure with myproxy-server-setup
    2. Manually Edit Configuration to Accept Requests
    3. Manually Install MyProxy as a Service
  5. Manage User Credentials
    1. Initialize Credentials
    2. Retrieve Credentials
  6. Distribute Service Credentials
    1. Initialize Credentials
    2. Retrieve Credentials

These instructions install both MyProxy and SimpleCA to run as root. For instructions on installing them as non-root, see the SimpleCA Installation Guide and the MyProxy Administrator's Guide.

Note that both must be installed under the same user account (unless your system supports access control lists), because both need access to MyProxy's credential repository, and MyProxy does not allow that repository to be group- or world-accessible.

Once you have completed the installation steps detailed in this guide, you will be ready to run grid services with a simple but complete configuration of Grid Security Infrastructure.

1. Install Globus Toolkit

A. Optional: Install Java and Ant

Some parts of the Globus Toolkit require Java and Ant, but MyProxy does not. If you install Globus without Java, the configuration process will generate a warning, but it can be ignored. If you wish to install Java and Ant, follow these instructions.

B. Download Globus

Download and unpack the GT all-source installation package from the Globus Toolkit download page.

$ tar xzvf gt4.0-all-source-installer.tar.gz

C. Build Globus

Build and install enough of the Globus Toolkit to run MyProxy. You can find the Globus Toolkit install guide here.

Note: for non-Bourne shells such as csh, replace export X=y with setenv X y and execute the .csh version of the scripts such as globus-user-env.csh.

root# useradd globus
root# export GLOBUS_LOCATION=/usr/local/globus-4.0
root# mkdir $GLOBUS_LOCATION
root# chown globus.globus $GLOBUS_LOCATION
root# cd gt4.0-all-source-installer
root# ./configure --prefix $GLOBUS_LOCATION --with-flavor=gcc32dbg
root# make gsi-myproxy
root# make install
root# source $GLOBUS_LOCATION/etc/globus-user-env.sh

The make gsi-myproxy and make install commands compile and install the parts of the Globus Toolkit required for a MyProxy server and run a GPT postinstall step. This may take from a few minutes to a few hours, depending on host resources.

Globus Toolkit 4.0.5 includes MyProxy 3.7. The following instructions require upgrading to MyProxy 4.0 (or later).

Next, please upgrade to the latest MyProxy release.

2. Configure SimpleCA

For more details on SimpleCA installation, see Chapter 7 of the Globus administrator's guide.

SimpleCA is a simple Certificate Authority that will provide the basis for grid security credentials.

A. SimpleCA Setup Script

At its root is a self-signed X.509 certificate that the rest of your grid can be configured to trust. The setup script generates that root certificate and prepares an installation package.

root# $GLOBUS_LOCATION/setup/globus/setup-simple-ca

The script setup-simple-ca will prompt you for the following:

  • A subject name for the CA, which should distinguish it from all other CAs ever created. Use the default, except:
    • localhost.localdomain - change to be the fully-qualified domain hostname of the machine that you are configuring.
    • ou=GlobusTest - either keep (if this is, in fact, a test install), eliminate or replace with an appropriate distinguisher to set this installation of SimpleCA apart from others on the same machine.
  • An administrative email address for the CA. It can be a personal email address for the MyProxy server administrator. These instructions assume that you are using the CA primarily as a source of user certificates for MyProxy, which means that the email address will rarely be visible to users.
  • An expiration date, in terms of the number of days until the CA's root certificate will expire. You can accept the default, which is 5 years (1825 days).
  • A passphrase (password) for the CA's root certificate store. You will be prompted for it whenever the CA's private key is required, which will mostly be when a new user is added to the system.

    Important: Your passphrase must not contain any spaces.

Output of setup-simple-ca, and required inputs:

    C e r t i f i c a t e    A u t h o r i t y    S e t u p

This script will setup a Certificate Authority for signing Globus
users certificates.  It will also generate a simple CA package
that can be distributed to the users of the CA.

The CA information about the certificates it distributes will
be kept in:

/root/.globus/simpleCA/

The unique subject name for this CA is:

cn=Globus Simple CA, ou=simpleCA-localhost.localdomain, ou=GlobusTest, o=Grid

Do you want to keep this as the CA subject (y/n) [y]: n

Enter a unique subject name for this CA:
cn=Globus Simple CA, ou=simpleCA-machine.example.com, ou=GlobusImpl, o=Grid

Enter the email of the CA (this is the email where certificate
requests will be sent to be signed by the CA): user@example.com

The CA certificate has an expiration date. Keep in mind that 
once the CA certificate has expired, all the certificates 
signed by that CA become invalid.  A CA should regenerate 
the CA certificate and start re-issuing ca-setup packages 
before the actual CA certificate expires.  This can be done 
by re-running this setup script.  Enter the number of DAYS 
the CA certificate should last before it expires.
[default: 5 years (1825 days)]: <enter>

Enter PEM pass phrase: <passphrase>
Verifying - Enter PEM pass phrase: <passphrase again>

creating CA config package...done.

A self-signed certificate has been generated 
for the Certificate Authority with the subject: 

/O=Grid/OU=GlobusImpl/OU=simpleCA-machine.example.com/CN=Globus Simple CA

If this is invalid, rerun this script 

/usr/local/globus-4.0/setup/globus/setup-simple-ca

and enter the appropriate fields.

-------------------------------------------------------------------

The private key of the CA is stored in /root/.globus/simpleCA//private/cakey.pem
The public CA certificate is stored in /root/.globus/simpleCA//cacert.pem

The distribution package built for this CA is stored in

/root/.globus/simpleCA//globus_simple_ca_5ad3e221_setup-0.17.tar.gz

This file must be distributed to any host wishing to request
certificates from this CA.

CA setup complete.

The following commands will now be run to setup the security
configuration files for this CA:

$GPT_LOCATION/sbin/gpt-build -install-only \
/root/.globus/simpleCA//globus_simple_ca_5ad3e221_setup-0.17.tar.gz

$GPT_LOCATION/sbin/gpt-postinstall
-------------------------------------------------------------------

setup-ssl-utils: Configuring ssl-utils package
Running setup-ssl-utils-sh-scripts...

***************************************************************************

Note: To complete setup of the GSI software you need to run the
following script as root to configure your security configuration
directory:

/usr/local/globus-4.0/setup/globus_simple_ca_5ad3e221_setup/setup-gsi

For further information on using the setup-gsi script, use the -help
option.  The -default option sets this security configuration to be 
the default, and -nonroot can be used on systems where root access is 
not available.

***************************************************************************

setup-ssl-utils: Complete

Important output:

  • Notice the 8-digit hexadecimal string that appears in the output - in this case, 5ad3e221. That number is known as your CA hash.

  • The PEM-encoded private key and root certificate for this CA. PEM is a file format from an old IETF initiative, Privacy-Enhanced Mail. It is a standard format for keys and certificates in Globus.

    /root/.globus/simpleCA//private/cakey.pem
    /root/.globus/simpleCA//cacert.pem

  • The setup package for other machines in your grid, so that they can request certificates from this server:

    /root/.globus/simpleCA//globus_simple_ca_<CA hash>_setup-0.17.tar.gz

  • A script to configure grid security on this machine to use SimpleCA.

    /usr/local/globus-4.0/setup/globus_simple_ca_<CA hash>_setup/setup-gsi

B. GSI Setup Script

Finally, run setup-gsi, as root, to configure the Grid Security Infrastructure.

root# $GLOBUS_LOCATION/setup/globus_simple_ca_<CA hash>_setup/setup-gsi

3. Create Host Credentials

Now that MyProxy and SimpleCA are installed, each host on your grid will need a host certificate, signed by SimpleCA, that vouches for its identity. The first host certificate should be for the MyProxy server itself.

Creating a certificate requires two steps:

  1. Create a certificate request
  2. Sign the request, to create the certificate

  1. Request a host certificate. Execute grid-cert-request, supplying the MyProxy server's hostname:
    root# grid-cert-request -host '<hostname>'
    Generating a 1024 bit RSA private key
    ...................................++++++
    ...............................++++++
    writing new private key to '/etc/grid-security/hostkey.pem'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Level 0 Organization [Grid]:
    Level 0 Organizational Unit [simpleCA-example.com]:
    Name (e.g., John M. Smith) []:
    A private host key and a certificate request has been generated
    with the subject:
    
    /O=Grid/OU=simpleCA-example.com/CN=host/<hostname>
    
    ----------------------------------------------------------
    
    The private key is stored in /etc/grid-security/hostkey.pem
    The request is stored in /etc/grid-security/hostcert_request.pem
    
    Please e-mail the request to the Globus Simple CA user@example.com
    You may use a command similar to the following:
    
     cat /etc/grid-security/hostcert_request.pem | mail user@example.com
    
    Only use the above if this machine can send AND receive e-mail. if not, please
    mail using some other method.
    
    Your certificate will be mailed to you within two working days.
    If you receive no response, contact Globus Simple CA at user@example.com
    
  2. Sign the host certificate. Enter the passphrase that you created when you configured SimpleCA.
    root# grid-ca-sign -in /etc/grid-security/hostcert_request.pem -out hostsigned.pem
    
    To sign the request
    please enter the password for the CA key: <passphrase>
    
    The new signed certificate is at: /root/.globus/simpleCA//newcerts/01.pem
    
  3. Deploy the signed certificate to /etc/grid-security/hostcert.pem, to establish the MyProxy server as a member of the grid.
    root# mv hostsigned.pem /etc/grid-security/hostcert.pem
    

4. Configure MyProxy Service

For more details, see the MyProxy Administrator's Guide.

A. Automatically Configure with myproxy-server-setup

In MyProxy version 4.0 and later, the myproxy-server can be configured automatically by the myproxy-server-setup command as demonstrated by the following example.

root# myproxy-server-setup 
Wrote a default myproxy-server configuration to /etc/myproxy-server.config.
Installed /etc/init.d/myproxy.
Starting up MyProxy server... done.
Running myproxy-server tests...
Success!

The following manual configuration steps (B and C) are required only if myproxy-server-setup is not used or a custom configuration is needed.

B. Manually Edit Configuration to Accept Requests

Modify the myproxy-server.config template provided at $GLOBUS_LOCATION/share/myproxy/myproxy-server.config to accept requests by uncommenting the provided sample policy at the top of the file:

#
# Complete Sample Policy
#
# The following lines define a sample policy that enables all
# myproxy-server features.  See below for more examples.
accepted_credentials       "*"
authorized_retrievers      "*"
default_retrievers         "*"
authorized_renewers        "*"
default_renewers           "none"
authorized_key_retrievers  "*"
default_key_retrievers     "none"
trusted_retrievers         "*"
default_trusted_retrievers "none"

Then copy the modified $GLOBUS_LOCATION/share/myproxy/myproxy-server.config file to /etc/myproxy-server.config (if you have root access) or $GLOBUS_LOCATION/etc/myproxy-server.config (if you don't have root access).
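The sample policy above accepts credentials from any DN and lets any client retrieve or renew them, which is convenient for a test grid but wider than a production server needs. The script below is an added example written for this guide, not part of MyProxy: it lists the directives in a myproxy-server.config that are set to the wildcard "*", and writes a constructed, tighter policy that restricts storage and retrieval to DNs under the SimpleCA namespace. The DN prefix /O=Grid/OU=simpleCA-machine.example.com is an assumption; use the O= and OU= values that grid-cert-request showed for your own CA. authorized_key_retrievers is left at "*" because section 6 retrieves keys onto hosts that hold no certificate yet.

```shell
#!/bin/sh
# Audit a myproxy-server.config policy for wildcard ("*") directives.
# Added example for this guide; it is not part of MyProxy.

# Print the name of every policy directive whose value is the wildcard "*".
# Comment lines and blank lines are skipped; directive values are quoted in
# the config, so the comparison includes the double quotes.
wildcard_directives() {
    awk '/^[[:space:]]*#/ || NF < 2 { next }
         $2 == "\"*\"" { print $1 }' "$1"
}

# Count the wildcard directives in a config file (prints a bare integer).
count_wildcards() {
    wildcard_directives "$1" | awk 'END { print NR }'
}

# Write a constructed example of a tightened policy to the given path.
# The DN prefix is an assumption: substitute the O= and OU= values your own
# grid-cert-request output showed (they come from the SimpleCA subject).
write_restricted_policy() {
    cat > "$1" <<'EOF'
# Only credentials issued under our SimpleCA namespace may be stored, and
# only clients holding such credentials may retrieve or renew them.
# Passphrase-less ("trusted") retrieval stays disabled.
accepted_credentials       "/O=Grid/OU=simpleCA-machine.example.com/*"
authorized_retrievers      "/O=Grid/OU=simpleCA-machine.example.com/*"
default_retrievers         "/O=Grid/OU=simpleCA-machine.example.com/*"
authorized_renewers        "/O=Grid/OU=simpleCA-machine.example.com/*"
default_renewers           "none"
# Hosts retrieving their first credentials (section 6) have no certificate
# yet, so key retrieval is still gated by the passphrase alone.
authorized_key_retrievers  "*"
default_key_retrievers     "none"
trusted_retrievers         "none"
default_trusted_retrievers "none"
EOF
}

# Usage: sh audit-policy.sh /etc/myproxy-server.config
if [ -n "${1:-}" ]; then
    echo "$(count_wildcards "$1") wildcard directive(s) in $1:"
    wildcard_directives "$1"
fi
```

Run it against /etc/myproxy-server.config after copying the file into place; on the sample policy above it reports six wildcard directives, on the restricted policy only authorized_key_retrievers.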

C. Manually Install MyProxy as a Service

  1. Copy MyProxy's SysV-style init script into init.d:

    root# cp $GLOBUS_LOCATION/share/myproxy/etc.init.d.myproxy \
      /etc/rc.d/init.d/myproxy

    root# chmod +x /etc/rc.d/init.d/myproxy
  2. Edit the script to set the GLOBUS_LOCATION variable (near the beginning of the file):

    GLOBUS_LOCATION="/usr/local/globus-4.0"
  3. Install MyProxy as a service. Different Unixes and Linux distributions have different commands to automate this; here are some examples:

    • SUSE or RedHat-based Linux (Fedora, Mandrake, etc):
      root# chkconfig --add myproxy
    • Debian-based Linux (Ubuntu, Linspire, Xandros, etc):
      root# update-rc.d myproxy
  4. Start the service for the first time (it will start automatically on future reboots).

    Tip: If you are running a firewall, which some Linux distributions run by default, you may need to open TCP port 7512 on the MyProxy server before clients will be able to connect to it.

    • RedHat-based Linux:
      root# service myproxy start
    • Debian-based Linux:
      root# invoke-rc.d myproxy start

5. Manage User Credentials

A. Initialize Credentials

There are three simple options for configuring MyProxy to manage user credentials. Afterwards, your users will be able to authenticate to the MyProxy server to retrieve their credentials and use them to gain access to grid services.

By default, myproxy-logon assumes that the local username is the same as the MyProxy username. If it is different, you can specify a MyProxy username with -l <username>.

B. Retrieve Credentials

To retrieve credentials from MyProxy, run myproxy-logon. MyProxy will delegate the original credentials by creating a proxy credential or, in the case of the MyProxy Certificate Authority, will create fresh credentials from scratch. The credentials will be stored in the local file system as an X.509 certificate and private key. The myproxy-logon -T option instructs MyProxy to install trust root security configuration.

jdoe$ myproxy-logon -s <MyProxy server hostname> -T
Enter MyProxy pass phrase: <passphrase>
A proxy has been received for user jdoe in /tmp/x509up_u500

6. Distribute Service Credentials

You can also use MyProxy to distribute host/service credentials to allow other hosts and services to participate securely in your grid. The MyProxy server administrator creates the host/service credentials, stores them in the MyProxy repository, and distributes the username and passphrase for the credentials to the host/service administrator. The host/service administrator then uses myproxy-retrieve to download the credentials to the host, using the provided username and passphrase.

A. Initialize Credentials

To create host/service credentials to distribute to a system administrator, use the myproxy-admin-addservice command, providing the host/service name and a username/passphrase the administrator can use to retrieve the credentials.

root@myproxy-server# myproxy-admin-addservice -c <hostname> -l <username>
A certificate request and private key is being created.
You will be asked to enter a PEM pass phrase.
This pass phrase is akin to your account password, 
and is used to protect your key file.
If you forget your pass phrase, you will need to
obtain a new certificate.

Generating a 1024 bit RSA private key
.........++++++
.++++++
writing new private key to '/tmp/myproxy_adduser_key.pem'
Enter PEM pass phrase: <passphrase>
Verifying - Enter PEM pass phrase: <passphrase>

-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Level 0 Organization [Grid]:
Level 0 Organizational Unit [GlobusTest]:
Level 1 Organizational Unit [simpleCA]:
Level 2 Organizational Unit [localdomain.localhost]:
Name (e.g., John M. Smith) []:

---- [Screen is cleared] ----

A private key and a certificate request has been generated with the subject:

/O=Grid/OU=GlobusTest/OU=simpleCA/OU=localdomain.localhost/CN=<hostname>

If the CN=<hostname> is not appropriate, rerun this
script with the -force -cn "Common Name" options.

Your private key is stored in /tmp/myproxy_adduser_key.pem
Your request is stored in /tmp/myproxy_adduser_cert_request.pem

Please e-mail the request to the Globus Simple CA jdoe@ncsa.uiuc.edu
You may use a command similar to the following:

  cat /tmp/myproxy_adduser_cert_request.pem | mail jdoe@ncsa.uiuc.edu

Only use the above if this machine can send AND receive e-mail. if not, please
mail using some other method.

Your certificate will be mailed to you within two working days.
If you receive no response, contact Globus Simple CA at jdoe@ncsa.uiuc.edu

To sign the request
please enter the password for the CA key: <CA passphrase>

The new signed certificate is at: /home/globus/.globus/simpleCA//newcerts/01.pem

using storage directory /var/myproxy
Credential stored successfully

Then notify the system administrator that the credentials are ready to be retrieved with the provided username/passphrase as described in the next section.

B. Retrieve Credentials

To retrieve host/service credentials on the new host:

  1. Install the Globus Toolkit (including MyProxy client commands) on the new host.

  2. Run myproxy-retrieve to download the credentials on the new host, supplying the host's fully-qualified hostname and the username/passphrase provided by the MyProxy administrator.

    root# myproxy-retrieve -T -s <MyProxy server hostname> -k <hostname> -l <username>
    Enter MyProxy pass phrase: <passphrase>
    Credentials for <username> have been stored in
    /etc/grid-security/hostcert.pem and
    /etc/grid-security/hostkey.pem.
    Trust roots have been installed in /etc/grid-security/certificates/.
    
  3. After the credentials are successfully installed on the new host, remove them from the MyProxy server.

    root# myproxy-destroy -s <MyProxy server hostname> -k <hostname> -l <username>
    MyProxy credential '<hostname>' for user <username> was successfully removed.
    

Last modified 10/11/13.
©2000-2014 Board of Trustees of the University of Illinois.