National Center for Supercomputing Applications MyProxy Credential Management Service University of Illinois at Urbana-Champaign


mod_myproxy Apache Perl Module

Logging out: Pubcookie cannot guarantee that users will actively log out at the end of their sessions; in fact, Pubcookie's primary logout mechanism is simply for the user to quit the browser, which destroys all session cookies.

With mod_myproxy, however, quitting the browser destroys only the cookies: the X.509 credential retrieved for the user remains in the application server's file system until it is erased or expires. It is therefore important that the server's file system be secure (the credential store should be readable only by the account Apache runs as) and that credentials be requested with relatively short lifetimes.

This mod_perl script:

  1. Submits the Pubcookie granting cookie to myproxy-logon, which presents it to the MyProxy server in order to retrieve an X.509 credential.
  2. Stores the credential in the application server's local file system.
  3. Sets an Apache environment variable, X509_USER_PROXY, to the path of the credential, so that web applications can find it.
  4. On logout, erases the credential.


Installation

  1. Install mod_perl. The easiest way will be via a package manager such as apt (Debian), yum (Fedora), or up2date (RHEL), but it can also be installed from source and compiled into Apache.

  2. Update Apache's configuration files. Here is a sample pubcookie.conf, which can go in a directory such as /etc/httpd/conf.d/ or simply be appended to httpd.conf.

    Note the use of PubcookieEncryption DES: MyProxy is not yet compatible with the AES encryption that is new in Pubcookie 3.3.

    The debugging script dump.pm, referred to in the sample configuration, is described in the Debugging section below.

  3. Create /etc/httpd/conf/perl_startup.pl (referred to in pubcookie.conf, above).


  4. Copy Mod_Myproxy.pm to the application server, into the directory specified in your httpd configuration. In the sample pubcookie.conf above, the directory is /home/globus/mod_myproxy/perl/, and Mod_Myproxy.pm should go in /home/globus/mod_myproxy/perl/Myproxy/Mod_Myproxy.pm. Note the Myproxy subdirectory: Perl maps the package name Myproxy::Mod_Myproxy to that path.

  5. Configure the script by updating its constants (see below).

Script Configuration

At the top of the script are several constants that you should check against your environment.

GLOBUS_LOCATION Globus installation directory, used to locate the myproxy-logon executable.
MYPROXY_SERVER The hostname of your MyProxy server.
MYPROXY_EXTRA_PARAMS Extra parameters to pass to myproxy-logon, such as a non-standard port number (useful for debugging against a myproxy-server started with -d).
LOGOUT_URI_REGEX Any request URI matching this regular expression is treated as a logout, and the user's credential is erased. Coordinate it with your Pubcookie logout configuration.
CRED_STORE_DIR The directory on the local file system in which users' X.509 credentials are stored. Each user's credential is stored in a file in this directory named after the user; for example, user hjones has credentials in <CRED_STORE_DIR>/hjones. The username therefore becomes a file name, so the store should never contain anything but these per-user files.
SESSION_STORE_DIR This script keeps minimal session information about each user in a separate directory, which must be different from CRED_STORE_DIR for security reasons (otherwise a session file and a credential file could share a name). Currently the session information consists solely of the username. The file names are generated randomly and assigned to HTTP sessions via cookies.
DIR_PERMISSIONS Permissions to set on CRED_STORE_DIR and SESSION_STORE_DIR, but only if they do not already exist and have to be created. The default is full access for the owner only (most likely the apache account); existing directories are left as they are, so check their permissions yourself.
X509_USER_PROXY The name of the environment variable, set in Apache's internal per-request environment, that holds the path to the current user's X.509 credential.
MM_SESSION The name of the cookie that carries the user's session name (see SESSION_STORE_DIR).
MYPROXY_OUT_LOG The file to which myproxy-logon's stdout is redirected.
MYPROXY_ERR_LOG The file to which myproxy-logon's stderr is redirected.
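The CRED_STORE_DIR / SESSION_STORE_DIR layout described by the constants above, reproduced as an added example in POSIX sh (this is not code from Mod_Myproxy.pm or from the MyProxy project). It shows the checks a practitioner wants around a store whose file names come from usernames and cookie values: the username is validated before it is used as a path component, credentials are written with mode 0600 and renamed into place, and a session cookie is resolved back to a credential path only if every step checks out. The function names, the 0600 file mode and the 32-hex-digit session name format are assumptions of this example.

```shell
#!/bin/sh
# Added example: the mod_myproxy store layout as shell functions with validation.
# Assumptions: one credential file per user under CRED_STORE_DIR, one session file
# per cookie under SESSION_STORE_DIR holding only the username, 0700 directories.

# Create both stores with owner-only access, but only if they are missing
# (mirroring DIR_PERMISSIONS). Refuses a layout where both stores are one directory.
mm_init_dirs() {
    cred_dir=$1; sess_dir=$2
    [ "$cred_dir" != "$sess_dir" ] || { echo "stores must differ" >&2; return 1; }
    for d in "$cred_dir" "$sess_dir"; do
        [ -d "$d" ] || mkdir -m 0700 "$d" || return 1
    done
}

# A username becomes a file name under CRED_STORE_DIR, so accept only a plain token:
# no "/", no leading "." (keeps "..", ".", and temp files out) and no leading "-".
mm_valid_user() {
    case $1 in
        ''|*[!A-Za-z0-9._-]*|.*|-*) return 1 ;;
    esac
    return 0
}

# Session names are 32 lowercase hex digits; anything else from the cookie is rejected
# before it touches the file system.
mm_valid_session() {
    case $1 in
        *[!0-9a-f]*) return 1 ;;
    esac
    [ ${#1} -eq 32 ]
}

# Store the credential read from stdin as <cred_dir>/<user>, mode 0600. It is written to
# a temp file and renamed, so a reader never sees a half-written credential.
mm_store_cred() {
    cred_dir=$1; user=$2
    mm_valid_user "$user" || { echo "rejected username: $user" >&2; return 1; }
    tmp=$(umask 077 && mktemp "$cred_dir/.tmp.XXXXXX") || return 1
    cat > "$tmp" && chmod 0600 "$tmp" && mv -f -- "$tmp" "$cred_dir/$user"
}

# Create a session file containing only the username and print the random session
# name that would go into the MM_SESSION cookie.
mm_new_session() {
    sess_dir=$1; user=$2
    mm_valid_user "$user" || return 1
    sid=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')
    (umask 077 && printf '%s\n' "$user" > "$sess_dir/$sid") || return 1
    printf '%s\n' "$sid"
}

# Resolve an MM_SESSION cookie value to the path X509_USER_PROXY would carry. Fails closed
# on a malformed session name, a missing or malformed session file, or a missing credential.
mm_cred_path() {
    cred_dir=$1; sess_dir=$2; sid=$3
    mm_valid_session "$sid" || return 1
    [ -f "$sess_dir/$sid" ] || return 1
    user=
    IFS= read -r user < "$sess_dir/$sid" || [ -n "$user" ] || return 1
    mm_valid_user "$user" || return 1
    [ -f "$cred_dir/$user" ] || return 1
    printf '%s\n' "$cred_dir/$user"
}
```

The point of the two validators is that neither a cookie value nor a username is ever concatenated into a path unchecked; a request carrying "../" in either simply fails to resolve. The 0600 mode on the credential file and the umask around the temp file matter because the directory mode alone does not protect a file that is later moved or copied elsewhere.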

Debugging

Future Improvements

Automatic cleanup: It should be possible to write a cleanup script, run at intervals via cron, that finds expired credentials and deletes them from the application server's local file system. A sample script will be added here soon.
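An expiry sweep of the kind described above, as an added example in POSIX sh; it is not the sample script the page promises and not part of mod_myproxy. It assumes the layout the page describes (one PEM file per user under CRED_STORE_DIR, whose first CERTIFICATE block is the proxy certificate myproxy-logon retrieved; one session file per cookie under SESSION_STORE_DIR containing only the username) and that the openssl command-line tool is installed. The function names and the optional grace window are this example's own.

```shell
#!/bin/sh
# Added example: cron sweep for expired mod_myproxy credentials and stale sessions.
# Assumes CRED_STORE_DIR/<user> PEM files and SESSION_STORE_DIR/<session> files that
# hold only the username; requires the openssl CLI. Dotfiles (e.g. temp files) are skipped.

# Remove every credential in $1 whose first certificate has expired or will expire within
# $2 seconds (default 0). Files that do not parse as a certificate are reported and kept,
# so a half-written file from a login in progress is never deleted by the sweep.
mm_cleanup_creds() {
    dir=$1; grace=${2:-0}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if ! openssl x509 -noout -in "$f" >/dev/null 2>&1; then
            echo "skipping unparsable file: $f" >&2
            continue
        fi
        # -checkend exits 0 while the certificate stays valid beyond the window
        if openssl x509 -noout -checkend "$grace" -in "$f" >/dev/null 2>&1; then
            continue
        fi
        rm -f -- "$f" && echo "removed expired credential: $f"
    done
    return 0
}

# Remove every session file in $1 whose username no longer has a credential in $2.
# A session whose content is not a plain username token is treated as stale as well:
# a false positive costs the user a re-login, keeping it leaves a dangling pointer.
mm_cleanup_sessions() {
    sess_dir=$1; cred_dir=$2
    for s in "$sess_dir"/*; do
        [ -f "$s" ] || continue
        user=
        IFS= read -r user < "$s" || true
        case $user in
            ''|*[!A-Za-z0-9._-]*|.*|-*)
                rm -f -- "$s" && echo "removed malformed session: $s"
                continue ;;
        esac
        [ -f "$cred_dir/$user" ] || { rm -f -- "$s" && echo "removed stale session: $s"; }
    done
    return 0
}

# Sweep credentials first, then the sessions that pointed at them.
# Usage: mm_cleanup CRED_STORE_DIR SESSION_STORE_DIR [grace-seconds]
mm_cleanup() {
    mm_cleanup_creds "$1" "${3:-0}"
    mm_cleanup_sessions "$2" "$1"
}

# When executed as a script (e.g. every ten minutes from cron).
case $# in
    2|3) mm_cleanup "$1" "$2" "$3" ;;
esac
```

Two caveats a practitioner should keep in mind: openssl x509 reads only the first certificate in the file, which for a MyProxy-retrieved credential is the short-lived proxy certificate, so the check tests the lifetime that actually matters; and the sweep should run as the same account that owns the stores (the apache account in the default configuration), since nothing else should be able to read or remove them.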

Local Decryption: Currently, the granting cookie is decrypted by the MyProxy server. The major drawback of this approach is that the MyProxy server can be configured to work with only one Pubcookie application server, since each application server has its own symmetric key with which its granting cookies are encrypted, and the MyProxy server must hold that key to decrypt them. Decrypting in the mod_perl script instead, before sending the granting cookie to the MyProxy server, would have two advantages:

  1. Security: The MyProxy server would need to be configured only with the Pubcookie login server's public key, which it would use to verify the signatures on granting cookies; it would no longer hold any application server's symmetric key.
  2. Flexibility: Multiple application servers could share a common MyProxy server.

Last modified 06/15/06.
©2000-2017 Board of Trustees of the University of Illinois.