mod_myproxy Apache Perl Module
Logging out: Pubcookie cannot guarantee that users will actively log out at the end of their sessions; in fact, Pubcookie's primary logout mechanism is simply for the user to quit their browser, which destroys all session cookies. With mod_myproxy, however, that leaves the user's X.509 credential behind in the application server's file system. It is therefore important that the server's file system be secure (see DIR_PERMISSIONS below) and that the credentials have relatively short lifetimes.
This mod_perl script:
- Submits the Pubcookie
granting cookie to myproxy-logon, in order to
retrieve an X.509 credential.
- Stores the credential in the Application Server's local file
system.
- Sets an Apache environment variable,
X509_USER_PROXY , with the path to the credential, for
retrieval by web applications.
- On logout, erases the credential.
Installation
- Install mod_perl. The easiest way is via a package manager such as apt (Debian), yum (Fedora), or up2date (RHEL), but it can also be installed from source and compiled into Apache.
- Update Apache's configuration files. Here is a sample pubcookie.conf, which could go in a directory such as /etc/httpd/conf.d/ or simply be appended to httpd.conf.
direct link to pubcookie.conf
Note the use of PubcookieEncryption DES: MyProxy is not yet compatible with the AES encryption that is new in Pubcookie 3.3.
The debugging script Dump.pm, referred to in the sample, is described below in the section on debugging.
- Create /etc/httpd/conf/perl_startup.pl (referred to in pubcookie.conf, above):
  # perl_startup.pl: add the mod_myproxy module directory to Perl's @INC
  use lib qw(/home/globus/mod_myproxy/perl);
  1;   # a file loaded with require must return true
- Copy Mod_Myproxy.pm to the application server, into the directory specified in your httpd configuration. In the sample pubcookie.conf above, the directory is /home/globus/mod_myproxy/perl/, and Mod_Myproxy.pm should go in /home/globus/mod_myproxy/perl/Myproxy/Mod_Myproxy.pm. Note the Myproxy subdirectory: Perl locates a package such as Myproxy::Mod_Myproxy by mapping the package name to that relative path under a directory in @INC.
- Configure the script by updating its constants (see Script Configuration below).
Script Configuration
At the top of the script are several constants that you should check against your environment:

GLOBUS_LOCATION
    Globus installation directory, used to locate the myproxy-logon executable.

MYPROXY_SERVER
    The hostname of your MyProxy server.

MYPROXY_EXTRA_PARAMS
    Extra parameters to pass to myproxy-logon, such as a non-standard port number (useful for debugging in concert with myproxy-server -d).

LOGOUT_URI_REGEX
    Any URL that matches this regular expression is treated as a "logout", and the user's credential is erased. Coordinate this with your Pubcookie configuration.

CRED_STORE_DIR
    The directory on the local file system in which users' X.509 credentials are stored. Each user's credential is stored in a file in this directory named after the user; for example, user hjones has credentials stored in <CRED_STORE_DIR>/hjones.

SESSION_STORE_DIR
    The script keeps minimal session information about each user in a separate directory; this directory must be different from CRED_STORE_DIR for security reasons. Currently the session information consists solely of the username. The file names are generated randomly and bound to HTTP sessions via cookies.

DIR_PERMISSIONS
    Permissions to set on CRED_STORE_DIR and SESSION_STORE_DIR, applied only if they do not already exist and must be created. The default is full access for the owner only (most likely the apache account).

X509_USER_PROXY
    The name of the environment variable to set in Apache's per-request environment, containing the path to the current user's X.509 credential.

MM_SESSION
    The name of the cookie that carries the user's session name (see SESSION_STORE_DIR).

MYPROXY_OUT_LOG
    The file to which myproxy-logon's stdout is piped.

MYPROXY_ERR_LOG
    The file to which myproxy-logon's stderr is piped.
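The storage layout these constants describe, as an added example written in Python rather than the module's own Perl (it is not code from mod_myproxy): one credential file per user under CRED_STORE_DIR written with mode 0600, a randomly named session file under a separate SESSION_STORE_DIR, DIR_PERMISSIONS applied only when a directory is created, and erasure of both files on logout. The directory paths, the rule for acceptable usernames, the 32-hex-digit session token format and the placeholder PEM are this example's assumptions. It also adds the two checks a practitioner would want at this point: the username is used as a path component, so it is validated before any file is touched, and an MM_SESSION cookie value that is not a token the server generated is rejected rather than used as a file name.

```python
# Added example, not code from mod_myproxy; paths, the username rule and the
# placeholder PEM are this example's own assumptions.
import os
import re
import secrets
import shutil
import stat
import tempfile

# Usernames become file names under CRED_STORE_DIR, so only a conservative
# character set is accepted; "../x" or "a/b" would escape the directory.
_USERNAME_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}$")


class CredentialStore:
    def __init__(self, cred_store_dir, session_store_dir, dir_permissions=0o700):
        if os.path.realpath(cred_store_dir) == os.path.realpath(session_store_dir):
            raise ValueError("SESSION_STORE_DIR must differ from CRED_STORE_DIR")
        self.cred_dir = cred_store_dir
        self.sess_dir = session_store_dir
        for d in (self.cred_dir, self.sess_dir):
            if not os.path.isdir(d):          # DIR_PERMISSIONS applies only on creation
                os.mkdir(d, dir_permissions)
                os.chmod(d, dir_permissions)  # mkdir's mode argument is masked by umask

    def cred_path(self, username):
        if not _USERNAME_RE.match(username):
            raise ValueError("refusing unsafe username: %r" % username)
        return os.path.join(self.cred_dir, username)

    def store_credential(self, username, pem):
        """Save the proxy returned by myproxy-logon, readable by the owner only."""
        path = self.cred_path(username)
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as f:
            f.write(pem)
        os.chmod(path, 0o600)  # a pre-existing file would otherwise keep its old mode
        return path

    def new_session(self, username):
        """Random, unguessable session name (the MM_SESSION cookie value); the
        file under SESSION_STORE_DIR holds only the username."""
        name = secrets.token_hex(16)
        with open(os.path.join(self.sess_dir, name), "w") as f:
            f.write(username + "\n")
        return name

    def username_for_session(self, session_name):
        """Map a cookie value back to a user.  Anything that is not a token we
        generated is rejected, so the cookie cannot name an arbitrary file."""
        path = os.path.join(self.sess_dir, session_name)
        if not re.fullmatch(r"[0-9a-f]{32}", session_name) or not os.path.isfile(path):
            return None
        with open(path) as f:
            return f.read().strip()

    def logout(self, session_name):
        """Erase the credential and the session record; False if no such session."""
        username = self.username_for_session(session_name)
        if username is None:
            return False
        for p in (self.cred_path(username), os.path.join(self.sess_dir, session_name)):
            try:
                os.unlink(p)
            except FileNotFoundError:
                pass
        return True


def run_demo():
    """Exercise the store in a scratch directory with a constructed placeholder
    PEM (not a real proxy) and return the observations worth checking."""
    base = tempfile.mkdtemp(prefix="mod_myproxy_demo_")
    store = CredentialStore(os.path.join(base, "creds"), os.path.join(base, "sessions"))
    pem = "-----BEGIN CERTIFICATE-----\nconstructed placeholder\n-----END CERTIFICATE-----\n"
    cred = store.store_credential("hjones", pem)
    sid = store.new_session("hjones")
    out = {
        "cred_path_ok": cred == os.path.join(base, "creds", "hjones"),
        "cred_mode": stat.S_IMODE(os.stat(cred).st_mode),
        "dir_mode": stat.S_IMODE(os.stat(os.path.join(base, "creds")).st_mode),
        "session_lookup": store.username_for_session(sid),
        "tampered_cookie": store.username_for_session("../../etc/passwd"),
        "logout_ok": store.logout(sid),
        "cred_gone": not os.path.exists(cred),
        "second_logout": store.logout(sid),
    }
    try:
        store.cred_path("../hjones")
        out["traversal_rejected"] = False
    except ValueError:
        out["traversal_rejected"] = True
    shutil.rmtree(base)
    return out
```

run_demo() walks through the retrieve, session and logout cycle in a scratch directory and returns the observed file modes and lookups; the placeholder PEM stands in for the output of myproxy-logon. The credential file is opened with O_CREAT and mode 0600 in one call so there is no window in which it is world-readable.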
Debugging
- The Dump script (Dump.pm) referred to in pubcookie.conf above is helpful for viewing Apache's environment.
- For more verbose debugging output from Mod_Myproxy.pm, uncomment the line in sub debug() { that contains $r->log->notice(... .
- Finally, to watch all the relevant log files at once, you can use something like
  tail -f /var/log/httpd/*_log /var/log/secure /var/log/myproxy_*
Future Improvements
Automatic cleanup: It should be possible to write a cleanup script that watches for expired credentials and deletes them from the Application Server's local file system, run at intervals via cron. A sample script will be added here soon.
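A cleanup pass of the kind suggested above, as an added example in Python (it is neither the sample script the page promises nor mod_myproxy code). It assumes every credential in CRED_STORE_DIR was retrieved with the same requested lifetime (the -t hours given to myproxy-logon, for instance through MYPROXY_EXTRA_PARAMS), so a file whose modification time is older than that lifetime cannot hold a still-valid proxy and is removed, while a younger file may or may not still be valid and is left alone. CRED_STORE_DIR and PROXY_LIFETIME_HOURS here are assumed values.

```python
# Added example, not the cleanup script the page promises.  CRED_STORE_DIR and
# PROXY_LIFETIME_HOURS are assumptions; the latter must equal the lifetime
# requested from myproxy-logon (-t), or files would be kept too long or deleted early.
import os
import shutil
import tempfile
import time

CRED_STORE_DIR = "/var/lib/mod_myproxy/creds"   # assumed; match the module's constant
PROXY_LIFETIME_HOURS = 12                       # assumed; match myproxy-logon's -t


def expired_credentials(cred_dir, lifetime_hours, now=None):
    """Paths of regular files in cred_dir whose mtime is older than the proxy
    lifetime.  A credential is written when it is retrieved and is valid for at
    most lifetime_hours after that, so such a file is certainly expired.
    Symlinks and subdirectories are skipped: the module never creates them."""
    now = time.time() if now is None else now
    cutoff = now - lifetime_hours * 3600
    stale = []
    with os.scandir(cred_dir) as entries:
        for entry in entries:
            if not entry.is_file(follow_symlinks=False):
                continue
            if entry.stat(follow_symlinks=False).st_mtime < cutoff:
                stale.append(entry.path)
    return sorted(stale)


def purge(cred_dir, lifetime_hours, now=None):
    """Delete expired credentials and return the list of removed paths."""
    removed = []
    for path in expired_credentials(cred_dir, lifetime_hours, now):
        try:
            os.unlink(path)
            removed.append(path)
        except FileNotFoundError:
            pass  # the user logged out between the scan and the unlink
    return removed


def run_demo():
    """Self-check in a scratch directory with constructed files: one fresh
    credential, one expired, and a symlink that must be left alone."""
    base = tempfile.mkdtemp(prefix="mod_myproxy_purge_")
    now = 1_700_000_000
    fresh = os.path.join(base, "hjones")
    stale = os.path.join(base, "asmith")
    for path, age_hours in ((fresh, 1), (stale, 13)):
        with open(path, "w") as f:
            f.write("constructed placeholder\n")
        os.utime(path, (now - age_hours * 3600, now - age_hours * 3600))
    link = os.path.join(base, "dangling")
    os.symlink(stale, link)
    removed = [os.path.basename(p) for p in purge(base, PROXY_LIFETIME_HOURS, now=now)]
    result = {
        "removed": removed,
        "fresh_kept": os.path.isfile(fresh),
        "link_kept": os.path.islink(link),
    }
    shutil.rmtree(base)
    return result


if __name__ == "__main__":
    for path in purge(CRED_STORE_DIR, PROXY_LIFETIME_HOURS):
        print("removed expired credential", path)
```

Run it from cron as the same account Apache runs under, since the store directory is created owner-only. If the requested lifetime varies between requests, replace the mtime test with a check of each certificate's own expiry, for example openssl x509 -checkend 0 -noout -in FILE, which exits non-zero once the certificate has expired.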
Local decryption: Currently, the granting cookie is decrypted by the MyProxy server. There is a major drawback to this approach: the MyProxy server can be configured to work with only one Pubcookie application server (assuming each application server has its own symmetric key with which its granting cookies are encrypted). Decrypting in the mod_perl script instead, before sending the granting cookie to the MyProxy server, would have two advantages:
- Security: The MyProxy server would need to be configured only with the Pubcookie login server's public key, which it would use to verify the signatures of granting cookies, and not with an application server's symmetric key.
- Flexibility: Multiple application servers could use a common MyProxy server.
Last modified 06/15/06.
©2000-2019 Board of Trustees of the University of Illinois.