National Center for Supercomputing Applications MyProxy Credential Management Service University of Illinois at Urbana-Champaign

[Valid HTML 4.01]
[Valid CSS]
[Valid Atom 1.0]

(OSI Certified)

MyProxy Integration with Pubcookie

MyProxy supports integration with the Pubcookie web single sign-on system. A Pubcookie application server can use the granting cookie it receives from the Pubcookie login server to authenticate to a MyProxy server on a user's behalf to obtain X.509 credentials.

For additional background, see:

J. Martin, J. Basney, and M. Humphrey. Extending Existing Campus Trust Relationships to the Grid through the Integration of Pubcookie and MyProxy. 2005 International Conference on Computational Science (ICCS 2005), Emory University, Atlanta, GA, May 22-25, 2005.

MyProxy Pubcookie support was contributed by the University of Virginia Grid Computing Group.

MyProxy Server Configuration

To enable Pubcookie support in the MyProxy server, set the pubcookie_granting_cert and pubcookie_app_server_key options in the myproxy-server.config file. Only one pubcookie_app_server_key can be configured; multiple application servers will be supported in the future.

As of version 3.3.0, Pubcookie uses AES encryption by default. MyProxy, however, can only currently handle Pubcookie's DES encryption, which can be set on an Application Server in the Pubcookie section of httpd.conf (or pubcookie.conf below). (See MyProxy Bug 315.)

Application Server Configuration

The application server uses the granting cookie as the MyProxy password. The MyProxy server verifies the login server's signature on the granting cookie and verifies that the username in the granting cookie matches the MyProxy username in the request. For example:

  $ cat pubcookie_granting_cookie | myproxy-logon -S
  A credential has been received for user jbasney in /tmp/x509up_u25555.

A mod_perl script is available to manage X.509 credentials on an Application Server. For the script and installation instructions, click here.

Authenticating to MyProxy from Pubcookie

Pubcookie uses authentication plugins called verifiers that can authenticate against external services such as LDAP and Kerberos. The most general of the verifiers, "fork", simply passes the username and password to an external process and bases its authentication decision on the exit value. An exit value of zero passes, and a non-zero exit value fails authentication. For a MyProxy verifier script and installation instructions, click here.

Last modified 05/08/06.
©2000-2019 Board of Trustees of the University of Illinois.