Registering a client with a server

Before you can delegate certificates using the OAuth 1.0a for MyProxy service, you must register your OAuth for MyProxy client. This requires that you generate a public and private key. You will supply the registration page (normally located at https://whatever.the.server/oauth/register) with your public key and other information.

Generating public and private key pairs.

There are several ways to do this, but the easiest is with open ssl. You would issue:

openssl genrsa -out oauth-privkey.pem 2048
chmod 0600 oauth-privkey.pem
openssl rsa -in oauth-privkey.pem -pubout -out oauth-pubkey.pem

You now have a private and public key pair, which are PEM format. (Privacy Enhanced Mail format is just a pair of headers slapped around a base 64 representation of binary data and is the basic format for all of the keys in this discussion. What goes between the headers inside the PEM format is very different though.) Using your private key with Java require a little more work, since the generated RSA private key is not in a format Java understands. OpenSSL’s default is called PKCS #1, which looks like

-----BEGIN RSA PRIVATE KEY-----
stuff...
-----END RSA PRIVATE KEY-----

The newer format for this (which is natively supported by Java) is PKCS #8 format. OpenSSL has a utility for conversion and here is how to use it:

openssl pkcs8 -topk8 -in oauth-privkey.pem -nocrypt -out oauth-privkey.pk8

The resulting file looks like

-----BEGIN PRIVATE KEY-----
other stuff...
-----END PRIVATE KEY-----

You should set the group to be "tomcat" and set it to be only owner (root) and group readable:

chmod 0640 oauth-privkey.pk8

The public key is in the X509 public key standard and looks like

-----BEGIN PUBLIC KEY-----
more stuff....
-----END PUBLIC KEY-----

Filling out the registration form

The default registration form looks like this:

Registration Form Image

The various fields are as follows:

  • Client Name: A human readable name for the science gateway (OAuth for MyProxy client) that you are registering. This will be displayed to users and should identify your site.
  • Contact email: An email address where a human being can be reached for support.
  • Home url: The main address for your site. This will be displayed to users as part of the authentication process.
  • Error url: A page on your site that provides support information for users in case of a server error. If you have no error page, you can just reuse your home url.
  • Public key: The X509 standard encoded public key you generated above. Just cut and paste it in.

Using your keys

The Client API will require your private key. The OA4MP server will require your public one. The Client API only needs the native Java object

java.security.PrivateKey

There is a utility called edu.uiuc.ncsa.csd.security.KeyUtil which will read in various formats. Generally the format is to|from PKCS 8 PEM, so to read in a PKCS 8 PEM format key from a file you’d issue

FileReader fr = new FileReader(“/path/to/oauth-privkey.pk8”);
PrivateKey pkey = KeyUtil.fromPKCS8PEM(fr);

Remember that this utility does not convert between formats generally (so, e.g., reading in a PKCS 1 format file using fromPKCS8PEM will fail). You must use OpenSSL’s utility to do that.


Last modified 09/22/16.
©2000-2013 Board of Trustees of the University of Illinois.