Table of Contents
Documentation for the APIs in this component can be found here:
For information on the internationalization API, see the CCommon Libraries Public Interface.
Table of Contents
The GSSAPI implementation contained in this component produces security tokens that follow an extended version of the SSL/TLS protocol. More information about the protocol can be found here.
Table of Contents
Table of Contents
The globus-update-certificate-dir
program creates symlinks
between files (CA certificates, certificate revocation lists, signing
policy, and certificate request configuration files) using the
certificate hash the installed version of OpenSSL uses. OpenSSL 1.0.0
uses a different name hashing algorithm than previous versions, so CA
distributions created with older versions of OpenSSL might not be able
to locate trusted CAs and related files. Running
globus-update-certificate-dir
against a trusted CA directory
will add symlinks to the files to the hash if needed.
The full set of command-line options to
globus-update-certificate-dir
consists of:
Table of Contents
The grid-cert-diagnostics
program displays information about the
current user’s security environment, including information about
security-related environment variables, security directory search path,
personal key and certificates, and trusted certificates. It is intended
to provide information to help diagnose problems using GSIC.
By default, grid-cert-diagnostics
prints out information
regarding the environment and trusted certificate directory. If the -p
command-line option is used, then additional information about the
current user’s default certificate and key will be printed.
The full set of command-line options to grid-cert-diagnostics
consists of:
ntpdate
command.
-
.
In this example, we see the default mode of checking the default
security environment for the system, without processing the user’s key
and certificate. Note the user receives a warning about a
cog.properties
and about an expired CA certificate. and about an
expired CA certificate.
% grid-cert-diagnostics Checking Environment Variables ============================== Checking if X509_CERT_DIR is set... no Checking if X509_USER_CERT is set... no Checking if X509_USER_KEY is set... no Checking if X509_USER_PROXY is set... no Checking Security Directories ======================= Determining trusted cert path... /etc/grid-security/certificates Checking for cog.properties... found WARNING: If the cog.properties file contains security properties, Java apps will ignore the security paths described in the GSI documentation Checking trusted certificates... ================================ Getting trusted certificate list... Checking CA file /etc/grid-security/certificates/1c4f4c48.0... ok Verifying certificate chain for "/etc/grid-security/certificates/1c3f2ca8.0"... ok Checking CA file /etc/grid-security/certificates/9d8788eb.0... ok Verifying certificate chain for "/etc/grid-security/certificates/9d8753eb.0"... failed globus_credential: Error verifying credential: Failed to verify credential globus_gsi_callback_module: Could not verify credential globus_gsi_callback_module: The certificate has expired: Credential with subject: /DC=org/DC=example/OU=grid/CN=CA has expired.
In this example, we show a user with a mismatched private key and certificate:
% grid-cert-diagnostics -p Checking Environment Variables ============================== Checking if X509_CERT_DIR is set... no Checking if X509_USER_CERT is set... no Checking if X509_USER_KEY is set... no Checking if X509_USER_PROXY is set... no Checking Security Directories ======================= Determining trusted cert path... /etc/grid-security/certificates Checking for cog.properties... not found Checking Default Credentials ============================== Determining certificate and key file names... ok Certificate Path: "/home/juser/.globus/usercert.pem" Key Path: "/home/juser/.globus/userkey.pem" Reading certificate... ok Reading private key... ok Checking Certificate Subject... "/O=Grid/OU=Example/OU=User/CN=Joe User" Checking cert... ok Checking key... ok Checking that certificate contains an RSA key... ok Checking that private key is an RSA key... ok Checking that public and private keys have the same modulus... failed Private key modulus: D294849E37F048C3B5ACEEF2CCDF97D88B679C361E29D5CB5 219C3E948F3E530CFC609489759E1D751F0ACFF0515A614276A0F4C11A57D92D7165B8 FA64E3140155DE448D45C182F4657DA13EDA288423F5B9D169DFF3822EFD81EB2E6403 CE3CB4CCF96B65284D92592BB1673A18354DA241B9AFD7F494E54F63A93E15DCAE2 Public key modulus : C002C7B329B13BFA87BAF214EACE3DC3D490165ACEB791790 600708C544175D9193C9BAC5AED03B7CB49BB6AE6D29B7E635FAC751E9A6D1CEA98022 6F1B63002902D6623A319E4682E7BFB0968DCE962CF218AAD95FAAD6A0BA5C42AA9AAF 7FDD32B37C6E2B2FF0E311310AA55FFB9EAFDF5B995C7D9EEAD8D5D81F3531E0AE5 Certificate and and private key don't match
Table of Contents
The grid-cert-info
program displays information contained within
a certificate file. By default it shows a text representation of the
entire certificate. Specific facts about the certificate can be shown
instead by using command-line options. If any of those options are used,
then the default display is suppressed. This can be added to the output
by using the -all command-line option.
If multiple display options are included on the command-line, the facts related to those will be displayed on separate lines in the order that they occur. If an option is specified multiple time, that fact will be displayed multiple times.
The full set of command-line options to grid-cert-info
are:
grid-cert-info
and exit.
grid-cert-info
command. The second form includes more details.
x509
command.
x509
command.
Display the validity times for the default certificate
% grid-cert-info -sd -ed Aug 31 12:33:47 2009 GMT Aug 31 12:33:47 2010 GMT
Display the same information about a different certificate specified on the command-line
% grid-cert-info -sd -ed -f /etc/grid-security/hostcert.pem Jan 21 12:24:48 2003 GMT Jul 15 11:30:57 2020 GMT
Display the subject of a certificate in both the default and the RFC 2253 forms.
% grid-cert-info -subject /DC=org/DC=example/DC=grid/CN=Joe User % grid-cert-info -subject -rfc2253 CN=Joe User,DC=grid,DC=example,DC=org
The grid-cert-request
program generates an X.509 Certificate
Request and corresponding private key for the specified name, host, or
service. It is intended to be used with a CA implemented using the
globus_simple_ca
package.
The default behavior of grid-cert-request
is to generate a
certificate request and private key for the user running the command.
The subject name is derived from the gecos information in the local
system’s password database, unless the -commonname, -cn, or -host
command-line options are used.
By default, grid-cert-request
writes user certificate requests
and keys to the $HOME/.globus
directory, and host and service
certificate requests and keys to directory, and host and service
certificate requests and keys to /etc/grid-security
. This can be
overridden by using the . This can be overridden by using the -dir
command-line option.
The full set of command-line options to grid-cert-request
are:
grid-cert-request
and exit.
grid-cert-request
command. The second form includes more details.
$HOME/.globus/PREFIXcert_request.pem
, , $HOME/.globus/PREFIXcert.pem
, and , and $HOME/.globus/PREFIXkey.pem
..
grid-default-ca
.
subjectAltName
extension containing one or more host names. This is used when a certificate may be used by multiple virtual servers or if a host has different names when contacted within or outside a private network. Multiple DNS names can be included in the extension by separating then with a comma.
subjectAltName
extension containing the IP addresses named by the IP-ADDRESS strings. This is used when a certificate may be used by services listening on multiple networks. Multiple IP addresses can be included in the extension by separating then with a comma.
Create a user certificate request:
% grid-cert-request A certificate request and private key is being created. You will be asked to enter a PEM pass phrase. This pass phrase is akin to your account password, and is used to protect your key file. If you forget your pass phrase, you will need to obtain a new certificate. A private key and a certificate request has been generated with the subject: /O=org/OU=example/OU=grid/CN=Joe User If the CN=Joe User is not appropriate, rerun this script with the -force -cn "Common Name" options. Your private key is stored in /home/juser/.globus/userkey.pem Your request is stored in /home/juser/.globus/usercert_request.pem Please e-mail the request to the Example CA ca@grid.example.org You may use a command similar to the following: cat /home/juser/.globus/usercert_request.pem | mail ca@grid.example.org Only use the above if this machine can send AND receive e-mail. if not, please mail using some other method. Your certificate will be mailed to you within two working days. If you receive no response, contact Example CA at ca@grid.example.org
Create a host certificate for a host with two names.
% grid-cert-request -host grid.example.org -dns grid.example.org,grid-internal.example.org A private host key and a certificate request has been generated with the subject: /O=org/OU=example/OU=grid/CN=host/grid.example.org ---------------------------------------------------------- The private key is stored in /etc/grid-security/hostkey.pem The request is stored in /etc/grid-security/hostcert_request.pem Please e-mail the request to the Example CA ca@grid.example.org You may use a command similar to the following: cat /etc/grid-security/hostcert_request.pem | mail ca@grid.example.org Only use the above if this machine can send AND receive e-mail. if not, please mail using some other method. Your certificate will be mailed to you within two working days. If you receive no response, contact Example CA at ca@grid.example.org
The following environment variables affect the execution of
grid-cert-request
:
X509_CERT_DIR
GRID_SECURITY_DIR
X509_CERT_DIR
is not set.
GLOBUS_LOCATION
X509_CERT_DIR
nor the GRID_SECURITY_DIR
environment variables are set.
$HOME/.globus/usercert_request.pem
$HOME/.globus/usercert.pem
$HOME/.globus/userkey.pem
/etc/grid-security/hostcert_request.pem
/etc/grid-security/hostcert.pem
/etc/grid-security/hostkey.pem
TRUSTED-CERT-DIR/globus-user-ssl.conf
, TRUSTED-CERT-DIR/globus-user-ssl.conf.CA-HASH
TRUSTED-CERT-DIR/globus-host-ssl.conf
, TRUSTED-CERT-DIR/globus-host-ssl.conf.CA-HASH
Table of Contents
The grid-default-ca
program sets the default certificate
authority to use when the grid-cert-request
script is run. The
CA’s certificate, configuration, and signing policy must be installed in
the trusted certificate directory to be able to request certificates
from that CA. Note that some CAs have different policies and use other
tools to handle certificate requests. Please consult your CA’s support
staff if you unsure. The grid-default-ca
is designed to work
with CAs implemented using the globus_simple_ca
package.
By default, the grid-default-ca
program displays a list of
installed CA certificates and the prompts the user for which one to set
as the default. If invoked with the -list command-line option,
grid-default-ca
will print the list and not prompt nor set the
default CA. If invoked with the -ca option, it will not list or
prompt, but set the default CA to the one with the hash that matches the
CA-HASH argument to that option. If grid-default-ca
is used to
set the default CA, the caller of this program must have write
permissions to the trusted certificate directory.
The grid-default-ca
program sets the CA in the one of the grid
security directories. It looks in the directory named by the
GRID_SECURITY_DIR
environment, the X509_CERT_DIR
,
/etc/grid-security
, and , and
$GLOBUS_LOCATION/share/certificates
. .
The full set of command-line options to grid-default-ca
are:
grid-default-ca
and exit.
grid-default-ca
command. The second form includes more details.
List the contents of the trusted certificate directory that contain the string Example:
% grid-default-ca | grep Example 15) cd1186ff - /DC=org/DC=Example/DC=Grid/CN=Example CA
Choose that CA as the default:
% grid-default-ca -ca cd1186ff setting the default CA to: /DC=org/DC=Example/DC=Grid/CN=Example CA linking /etc/grid-security/certificates/grid-security.conf.cd1186ff to /etc/grid-security/certificates/grid-security.conf linking /etc/grid-security/certificates/grid-host-ssl.conf.cd1186ff to /etc/grid-security/certificates/grid-host-ssl.conf linking /etc/grid-security/certificates/grid-user-ssl.conf.cd1186ff to /etc/grid-security/certificates/grid-user-ssl.conf ...done.
The following environment variables affect the execution of
grid-default-ca
:
GRID_SECURITY_DIRECTORY
X509_CERT_DIR
GLOBUS_LOCATION
The grid-default-ca
program displays CAs from all of the
directories in its search list; however, grid-cert-request
only
uses the first which contains a grid security configuration.
The grid-default-ca
program may display the same CA multiple
times if it is located in multiple directories in its search path.
However, it does not provide any information about which one would
actually be used by the grid-cert-request
command.
Table of Contents
The grid-change-pass-phrase
program changes the passphrase
protecting a private key or PKCS12 bundle containing a private key and
certificate. By default, grid-change-pass-phrase
uses the
X509_USER_KEY
environment variable to locate the private key. If
that is not set, then it looks for $HOME/.globus/userkey.pem
and
and $HOME/.globus/usercred.p12
in succession. The path to a key can
be specified by using the in succession. The path to a key can be
specified by using the -file command-line option.
The full set of command-line options to grid-change-pass-phrase
are:
grid-change-pass-phrase
and exit.
grid-change-pass-phrase
command. The second form includes more details.
Change the passphrase of the default private key:
% grid-change-pass-phrase Enter pass phrase for /home/juser/.globus/userkey.pem: writing RSA key Enter PEM pass phrase: Verifying - Enter PEM pass phrase:
Table of Contents
The grid-proxy-init
program generates X.509 proxy certificates
derived from the currently available certificate files. By default, this
command generates a RFC 3820 Proxy
Certificate with a 512 bit key valid for 12 hours in a file named
/tmp/x509up_uUID
. Command-line options and variables can modify the
format, strength, lifetime, and location of the generated proxy
certificate. . Command-line options and variables can modify the format,
strength, lifetime, and location of the generated proxy certificate.
X.509 proxy certificates are short-lived certificates, signed usually by a user’s identity certificate or another proxy certificate. The key associated with a proxy certificate is unencrypted, so applications can authenticate using a proxy identity without providing a passphrase.
Proxy certificates provide a convenient alternative to constantly entering passwords, but are also less secure than the user’s normal security credential. Therefore, they should always be user-readable only (this is enforced by the GSI libraries), and should be deleted after they are no longer needed.
This version of grid-proxy-init
supports three different proxy
formats: the old proxy format used in early releases of the Globus
Toolkit up to version 2.4.x, an IETF draft version of X.509 Proxy
Certificate profile used in Globus Toolkit 3.0.x and 3.2.x, and the RFC
3820 profile used in Globus Toolkit Version 4.0.x and 4.2.x. By default,
this version of grid-proxy-init
creates an RFC 3820 compliant
proxy. To create a proxy compatible with older versions of the Globus
Toolkit, use the -old or -draft command-line options.
The full set of command-line options to grid-proxy-init
are:
grid-proxy-init
.
grid-proxy-init
command
grid-proxy-init
except for passphrase prompts.
CERTFILE
using the key located in using the key located in KEYFILE
. If not specified the default certificate and key will be used. This overrides the values of environment variables described below.. If not specified the default certificate and key will be used. This overrides the values of environment variables described below.
X509_CERT_DIR
environment variable
/tmp/x509up_uUID
..
grid-proxy-init
.
grid-proxy-init
.
To create a proxy with the default lifetime and format, run the
grid-proxy-init
program with no arguments. For example:
% grid-proxy-init Your identity: /DC=org/DC=example/CN=Joe User Enter GRID pass phrase for this identity: Creating proxy .................................. Done Your proxy is valid until: Thu Mar 18 03:48:05 2010
To create a stronger proxy that lasts for only 8 hours, use the -hours
and -bits command-line options to grid-proxy-init
. For
example:
% grid-proxy-init -hours 8 -bits 1024 Your identity: /DC=org/DC=example/CN=Joe User Enter GRID pass phrase for this identity: Creating proxy .................................. Done Your proxy is valid until: Thu Mar 17 23:48:05 2010
The following environment variables affect the execution of
grid-proxy-init
:
X509_USER_CERT
X509_USER_KEY
X509_CERT_DIR
The following files affect the execution of grid-proxy-init
:
$HOME/.globus/usercert.pem
$HOME/.globus/userkey.pem
For more information about proxy certificate types and their compatibility in GT, see http://dev.globus.org/wiki/Security/ProxyCertTypes.
Table of Contents
The grid-proxy-destroy
program removes X.509 proxy files from
the local filesystem. It overwrites the data in the files and removes
the files from the filesystem. By default, it removes the current user’s
default proxy (either /tmp/x509up_uUID
where where UID is the
current POSIX user id, or the file pointed to by the X509_USER_PROXY
environment variable) unless a list of proxy file paths are included as
part of the command line.
Use the --
command-line option to separate a list of proxy paths
from command line options if the proxy file begins with the -
character.
The full list of command-line options to grid-proxy-destroy
are:
grid-proxy-destroy
.
grid-proxy-destroy
command
The following environment variables affect the execution of
grid-proxy-destroy
:
X509_USER_PROXY
Table of Contents
The grid-proxy-info
program extracts information from an X.509
proxy certificates, and optionally displays or returns an exit code
based on that information.
The default mode of operation is to print the following facts about the
current user’s default proxy: subject, issuer, identity, type, strength,
path, and time left. If the command-line option -exists or -e is
included in the command-line, nothing is printed unless one of the print
options is specified. Instead, grid-proxy-info
determines if a
valid proxy exists and, if so, exits with the exit code 0
; if a
proxy does not exist or is not valid, grid-proxy-info
exits with
the exit code 1
. Additional validity criteria can be added by using
the -valid, -v, -hours, -h, -bits, or -b command-line
options. If used, these options must occur after the -e or
-exists command-line options. Those options are only valid if one of
the -e or -exists command-line options is used.
The complete set of command-line options to grid-proxy-info
are:
grid-proxy-info
.
grid-proxy-info
command
grid-proxy-init(1)
for information about how to create different types of proxies.
grid-proxy-info
will exit with exit code 1
.
The following environment variables affect the execution of
grid-proxy-info
:
X509_USER_PROXY
Table of Contents
The grid-mapfile-add-entry
program adds a new mapping from an
X.509 distinguished name to a local POSIX user name to a gridmap file.
Gridmap files are used as a simple authorization method for services
such as GRAM5 or GridFTP.
The grid-mapfile-add-entry
program verifies that the
LOCAL-NAME is a valid user name on the system on which it was run, and
that the mapping between DISTINGUISHED-NAME and LOCAL-NAME does not
already exist in the gridmap file.
By default, grid-mapfile-add-entry
will modify the gridmap file
named by the GRIDMAP
environment variable if present, or the file
/etc/grid-security/grid-mapfile
if not. This can be changed by the
use of the if not. This can be changed by the use of the -mapfile or
-f command-line options.
If the gridmap file does not exist, grid-mapfile-add-entry
will
create it. If it already exists, grid-mapfile-add-entry
will
save the current contents of the file to a new file with the string
.old
appended to the file name.
The full set of command-line options to grid-mapfile-add-entry
are:
grid-mapfile-add-entry
.
grid-mapfile-add-entry
command. The second form includes more details.
oneline
format.
Add a mapping between the current user’s certificate to the current user
id to a gridmap file in $HOME/.gridmap
: :
% grid-mapfile-add-entry -f $HOME/.gridmap -dn "`grid-cert-info -subject`" -ln "`id -un`" Modifying /home/juser/.gridmap ... /home/juser/.gridmap does not exist... Attempting to create /home/juser/.gridmap New entry: "/DC=org/DC=example/DC=grid/CN=Joe User" juser (1) entry added
Add a mapping between the a distinguished name and multiple local names:
% grid-mapfile-add-entry -dn "/DC=org/DC=example/DC=grid/CN=Joe User" juser" local1 local2 Modifying /home/juser/.gridmap ... /home/juser/.gridmap does not exist... Attempting to create /home/juser/.gridmap New entry: "/DC=org/DC=example/DC=grid/CN=Joe User" local1,local2 (1) entry added
The following environment variables affect the execution of
grid-mapfile-add-entry
:
GRIDMAP
The following files affect the execution of
grid-mapfile-add-entry
:
/etc/grid-security/grid-mapfile
GRIDMAP
environment variable is not set.
Table of Contents
The grid-mapfile-check-consistency
program performs basic checks
for validity of a gridmap file. These checks include checks for
existence, duplication of entries, and valid local user names. If the
gridmap file is valid, grid-mapfile-check-consistency
exits with
a zero exit code, otherwise it exits with a non-zero exit code. In
either case, it displays information about its progress as it parses and
validates the gridmap file.
By default, grid-mapfile-check-consistency
will check the
gridmap file named by the GRIDMAP
environment variable if present.
If that variable is not set, it will check the file $HOME/.gridmap
for non-root users if present. If that doesn’t exist or for non-root
users if present. If that doesn’t exist or
grid-mapfile-check-consistency
is run as root, it will then
check /etc/grid-security/grid-mapfile
. This can be changed by the
use of the . This can be changed by the use of the -mapfile or -f
command-line options.
The full set of command-line options to
grid-mapfile-check-consistency
are:
grid-mapfile-check-consistency
.
grid-mapfile-check-consistency
command.
Check that the gridmap file in /etc/grid-security
is valid: is
valid:
% grid-mapfile-check-consistency -f /etc/grid-security/grid-mapfile Checking /etc/grid-security/grid-mapfile Verifying grid mapfile existence...OK Checking for duplicate entries...OK Checking for valid user names...OK
Check a gridmap file that has an invalid local user name:
% grid-mapfile-check-consistency -f /etc/grid-security/grid-mapfile Checking /etc/grid-security/grid-mapfile Verifying grid mapfile existence...OK Checking for duplicate entries...OK ERROR: baduser is not a valid local username ERROR: Found 1 invalid username(s)
The following environment variables affect the execution of
grid-mapfile-check-consistency
:
GRIDMAP
The following files affect the execution of
grid-mapfile-check-consistency
:
$HOME/.gridmap
GRIDMAP
environment variable is not set for non-root users.
/etc/grid-security/grid-mapfile
GRIDMAP
environment variable is not set and the above file does not exist.
Table of Contents
The grid-mapfile-delete-entry
program deletes mappings from a
gridmap file. If both the -dn and -ln> options are specified,
grid-mapfile-delete-entry
removes entries which meet both
criteria (remove entries mapping DISTINGUISHED-NAME to LOCAL-NAME
for each LOCAL-NAME specified). If only -dn or -ln is specified
all entries for that DISTINGUISHED-NAME or LOCAL-NAME are
removed.
By default, grid-mapfile-delete-entry
will modify the gridmap
file named by the GRIDMAP
environment variable if present, or the
file /etc/grid-security/grid-mapfile
if not. This can be changed by
the use of the if not. This can be changed by the use of the -mapfile
or -f command-line options.
Prior to modifying a gridmap file, grid-mapfile-delete-entry
saves its current contents to a file with the string .old
appended
to the original file name.
The full set of command-line options to
grid-mapfile-delete-entry
are:
grid-mapfile-delete-entry
.
grid-mapfile-delete-entry
command. The second form includes more details.
oneline
format.
Remove all mappings for a distinguished name:
% grid-mapfile-delete-entry "/DC=org/DC=example/DC=grid/CN=Joe User" Modifying /etc/grid-security/grid-mapfile ... Deleting entry: "/DC=org/DC=example/DC=grid/CN=Joe User" juser,juser2 (1) entry deleted
Remove the mapping between a distinguished name and a single local username:
% grid-mapfile-delete-entry "/DC=org/DC=example/DC=grid/CN=Joe User" -ln juser2 Modifying /etc/grid-security/grid-mapfile ... Current entry: "/DC=org/DC=example/DC=grid/CN=Joe User" juser (1) mapping removed: (juser2), (0) not present and ignored (0) entries deleted
The following environment variables affect the execution of
grid-mapfile-delete-entry
:
GRIDMAP
The following files affect the execution of
grid-mapfile-delete-entry
:
/etc/grid-security/grid-mapfile
GRIDMAP
environment variable is not set.
Table of Contents
This section describes the configuration steps required to:
Configure SSL/TLS security parameters
determine whether or not to trust certificates issued by a particular Certificate Authority (CA),
grid-cert-request
command, which is used to generate certificates,
In general, Globus tools will look for a configuration file in a user-specific location first, and in a system-wide location if no user-specific file was found. The configuration commands described here may be run by administrators to create system-wide defaults and by individuals to override those defaults.
The configuration file described here was added with the package globus-gssapi-gsi-11.16 and the toolkit binary package version 6.0.1430141288.
The global security parameters for GSIC are included in the file
/etc/grid-security/gsi.conf
. This file contains the default values
used by all GSI-enabled servers and clients. The format of the file is a
sequence of lines containing a single NAME=VALUE pair, with comments
beginning with the . This file contains the default values used by all
GSI-enabled servers and clients. The format of the file is a sequence of
lines containing a single NAME=VALUE pair, with comments beginning with
the #
character. All values in the default configuration file may be
overridden by setting the corresponding environment variable for a
particular process.
The NAME strings that are currently understood are
Table 15.1. GSI Configuration Values
Configuration Entry | Description | Environment Override | Default Value |
---|---|---|---|
| A flag to choose whether to force TLS or
to allow SSLv3 as well. Set this to |
|
|
| GSSAPI Name compatibility mode when trying to determine if a host certificate is legitimate. GSI predates RFC2818, so old versions of GSI use some old, less-secure, practices. The possible values are described in GLOBUS_GSSAPI_NAME_COMPATIBILITY |
|
|
| OpenSSL Cipher List. This is an preference-ordered list of OpenSSL cipher names. See the OpenSSL cipher documentation for information on the syntax of this string. |
|
|
The Globus tools will trust certificates issued by a CA if (and only if) it can find information about the CA in the trusted certificates directory.
The trusted certificates directory is located as described below and exists either on a per-machine or on a per-installation basis.
X509_CERT_DIR
is the environment variable used to specify the path
to the trusted certificates directory. This directory contains
information about which CAs are trusted (including the CA certificates
themselves) and, in some cases, configuration information used by
grid-cert-request
to formulate certificate requests. The location of the trusted
certificates directory is looked for in the following order:
. value of the X509_CERT_DIR
environment variable
$HOME/.globus/certificates
/etc/grid-security/certificates
exists exists
$GLOBUS_LOCATION/share/certificates
The following two files must exist in the directory for each trusted CA:
.0
.signing_policy
Globus components will honor a certificate only if:
The cert_hash that appears in the file names above is the hash of the CA certificate, which can be found by running the command:
$GLOBUS_LOCATION/bin/openssl x509 -hash -noout < ca_certificate
Some CAs provide tools to install their CA certificates and signing policy files into the trusted certificates directory. You can, however, create a signing policy file by hand; the signing policy file has the following format:
access_id_CA X509 'CA Distinguished Name' pos_rights globus CA:sign cond_subjects globus '"Distinguished Name Pattern"'
In the above, the CA Distinguished Name is the subject name of the CA certificate, and the Distinguished Name Pattern is a string used to match the distinguished names of certificates granted by the CA.
Some very simple wildcard matching is done: if the Distinguished Name Pattern ends with a , then any distinguished name that matches the part of the CA subject name before the is considered a match.
Note: the cond_subjects line may contain a space-separated list of distinguished name patterns.
A repository of CA certificates that are widely used in academic and research settings can be found here.
The
grid-cert-request
command, which is used to create certificates, uses the following
configuration files:
globus-user-ssl.conf
globus-host-ssl.conf
grid-security.conf
:
A base configuration file that contains the name and email address for the
CA.
directions
:
An optional file that may contain directions on using the CA.
Many CAs provide tools to install configuration files with the following names in the Trusted Certificates directory:
globus-user-ssl.conf.
cert_hash
globus-host-ssl.conf.
cert_hash
grid_security.conf.
cert_hash
directions.
cert_hash
The command:
grid-cert-request -ca cert_hash
will create a certificate request based on the specified CA’s configuration files.
The command:
grid-cert-request -ca
will list the available CAs and let the user choose which one to create a request for.
The default CA is the CA that will be used for certificate requests if
grid-cert-request
is invoked without the -ca flag.
You can specify a default CA by invoking the
grid-default-ca
command (follow the link for examples of using the command).
The directions
file may contain specific directions on how to use
the CA. There are three types of printed messages: file may contain
specific directions on how to use the CA. There are three types of
printed messages:
Each message is delimited from others with lines ----- BEGIN message
type TEXT ----- and ----- END message type TEXT -----. For
example, the directions
file would contain the following lines: file
would contain the following lines:
----- BEGIN REQUEST HEADER TEXT ----- This is a Certificate Request file It should be mailed to ${GSI_CA_EMAIL_ADDR} ----- END REQUEST HEADER TEXT -----
If this file does not exist, the default messages are printed.
Different CAs use different mechanisms for issuing end-user certificates; some use mechanisms that are entirely web-based, while others require you to generate a certificate request and send it to the CA. If you need to create a certificate request for a service certificate, you can do so by running:
grid-cert-request -host hostname -service service_name
where hostname is the fully-qualified name of the host on which the service will be running, and service_name is the name of the service. This will create the following three files:
cert.pem
cert_request.pem
key.pem
grid-cert-request
.
The
grid-cert-request
command recognizes several other useful options; you can list these
with:
grid-cert-request -help
Several Globus services map certificates to local unix usernames to be used with unix services. The default implementation uses a gridmap file to map the distinguished name of the identity of the client’s certificate to a local login name. Administrators can modify the contents of the gridmap file to control what certificate identities are allowed to access Globus services, as well as configure, via an environment variable, what gridmap file a particular service uses.
In addition to the identity-based mapping done via the gridmap file, administrators can configure Globus services to to use arbitrary mapping functions. These may use other criteria, such as SAML assertions, to map a certificate to a local account, or may map certificates to temporary accounts. Administrators can install different mapping implementations and configure services to use them by creating appropriate configuration files and setting environment variables.
Gridmap files contain a database of entries mapping distinguished names to local user names. These may be manipulated by using the following tools.
To add an entry to the gridmap file, run:
$GLOBUS_LOCATION/sbin/grid-mapfile-add-entry \ -dn "Distinguished Name" \ -ln local_name
To delete an entry from the gridmap file, run:
$GLOBUS_LOCATION/sbin/grid-mapfile-delete-entry \ -dn "Distinguished Name" \ -ln local_name
To check the consistency of the gridmap file, run
$GLOBUS_LOCATION/sbin/grid-mapfile-check-consistency
To configure a service to use a particular gridmap file, set the
GRIDMAP
variable in the service’s environment to the path of the
gridmap file. In this way, you can grant different access rights to
different certificate identities on a per-service basis by setting the
GRIDMAP
variable in different service environments.
You can use tools described above to operate on different gridmap files
by either setting the GRIDMAP
environment variable prior to invoking
them, or by using the -mapfile command-line option.
For reference, the GSI C code looks for the gridmap in these locations:
GRIDMAP
environment variable
/etc/grid-security/grid-mapfile
HOME/.gridmap
:
For services not running as root.
A gridmap line of the form:
"Distinguished Name" local_name
maps the distinguished name Distinguished Name to the local name local_name.
A gridmap line of the form:
"Distinguished Name" local_name1,local_name2
maps Distinguished Name to both local_name1 and local_name2; any number of local user names may occur in the comma-separated local name list.
For more detailed information about the gridmap file see the file description and grammars on dev.globus.org.
To use an alternative credential mapping, you create a
gsi-authz.conf
file containing information about how the mapping
functions are called from the authorization library. file containing
information about how the mapping functions are called from the
authorization library.
To configure a per-service authorization configuration file, set the
GSI_AUTHZ_CONF
variable to the path to the configuration file in the
environment of the service.
For reference, the GSI C code looks for the authorization configuration file in these locations (in the given order):
GSI_AUTHZ_CONF
environment variable
/etc/grid-security/gsi-authz.conf
GLOBUS_LOCATION/etc/gsi-authz.conf
HOME/.gsi-authz.conf
The authorization file defines a set of callouts, one per line. Each callout is defined by an abstract type, library, and symbol separated by whitespace. Comments begin with the # character and continue to the end of line.
Here is a sample gsi-authz.conf
file that configures a file that
configures a globus_mapping callout to use the
globus_gridmap_callout function in the
/usr/local/globus/lib/libglobus_gridmap_callout
shared
object: shared object:
# abstract-type library symbol globus_mapping /opt/globus/lib/libglobus_gridmap_callout globus_gridmap_callout
Table of Contents
Credentials are looked for in the following order:
X509_USER_PROXY
specifies the path to the proxy credential. If
X509_USER_PROXY
is not set, the proxy credential is created (by
grid-proxy-init
) and searched for (by client programs) in an
operating-system-dependent local temporary file.
X509_USER_CERT
and X509_USER_KEY
specify the path to the end
entity (user, service, or host) certificate and corresponding private
key. The paths to the certificate and key files are determined as
follows:
For service credentials:
X509_USER_CERT
and X509_USER_KEY
exist and contain a valid certificate and key, those files are used.
/etc/grid-security/service/servicecert.pem
and and /etc/grid-security/service/servicekey.pem
exist and contain a valid certificate and key, those files are used. exist and contain a valid certificate and key, those files are used.
$GLOBUS_LOCATION/etc/grid-security/service/servicecert.pem
and and $GLOBUS_LOCATION/etc/grid-security/service/servicekey.pem
exist and contain a valid certificate and key, those files are used. exist and contain a valid certificate and key, those files are used.
service/servicecert.pem
and and service/servicekey.pem
in the user’s in the user’s .globus
directory exist and contain a valid certificate and key, those files are used. directory exist and contain a valid certificate and key, those files are used.
For host credentials:
X509_USER_CERT
and X509_USER_KEY
exist and contain a valid certificate and key, those files are used.
/etc/grid-security/hostcert.pem
and and /etc/grid-security/hostkey.pem
exist and contain a valid certificate and key, those files are used. exist and contain a valid certificate and key, those files are used.
$GLOBUS_LOCATION/etc/hostcert.pem
and and $GLOBUS_LOCATION/etc/hostkey.pem
exist and contain a valid certificate and key, those files are used. exist and contain a valid certificate and key, those files are used.
hostcert.pem
and and hostkey.pem
in the user’s in the user’s .globus
directory, exist and contain a valid certificate and key, those files are used. directory, exist and contain a valid certificate and key, those files are used.
For user credentials:
X509_USER_CERT
and X509_USER_KEY
exist and contain a valid certificate and key, those files are used.
usercert.pem
and and userkey.pem
exist in the user’s exist in the user’s .globus
directory, those files are used. directory, those files are used.
usercred.p12
exists in the user’s exists in the user’s .globus
directory, the certificate and key are read from that file. directory, the certificate and key are read from that file.
GRIDMAP
specifies the path to the grid map file, which is used to
map distinguished names (found in certificates) to local names (such as
login accounts). The location of the grid map file is determined as
follows:
. If the GRIDMAP
environment variable is set, the grid map file location is the value of that environment variable.
Otherwise:
/etc/grid-security/grid-mapfile
..
$HOME/.gridmap
..
X509_CERT_DIR
is used to specify the path to the trusted
certificates directory. This directory contains information about which
CAs are trusted (including the CA certificates themselves) and, in some
cases, configuration information used by grid-cert-request
to
formulate certificate requests. The location of the trusted certificates
directory is determined as follows:
. If the X509_CERT_DIR
environment variable is set, the trusted certificates directory is the value of that environment variable.
$HOME/.globus/certificates
exists, that directory is the trusted certificates directory. exists, that directory is the trusted certificates directory.
/etc/grid-security/certificates
exists, that directory is the trusted certificates directory. exists, that directory is the trusted certificates directory.
$GLOBUS_LOCATION/share/certificates
exists, then it is the trusted certificates directory. exists, then it is the trusted certificates directory.
GSI_AUTHZ_CONF
is used to specify the path to the GSI authorization
callout configuration file. This file is used to configure authorization
callouts used by both the gridmap and the authorization API. The
location of the GSI authorization callout configuration file is
determined as follows:
. If the GSI_AUTHZ_CONF
environment variable is set, the authorization callout configuration file location is the value of this environment variable.
/etc/grid-security/gsi-authz.conf
exists, then this file is used. exists, then this file is used.
$GLOBUS_LOCATION/etc/gsi-authz.conf
exists, then this file is used. exists, then this file is used.
$HOME/.gsi-authz.conf
exists, then this file is used. exists, then this file is used.
GSI_GAA_CONF
is used to specify the path to the GSI GAA (Generic
Authorization and Access control)
configuration file. This file
is used to configure policy language specific plugins to the GAA-API.
The location of the GSI GAA configuration file is determined as follows:
. If the GSI_GAA_CONF
environment variable is set, the GAA configuration file location is the value of this environment variable.
/etc/grid-security/gsi-gaa.conf
exists, then this file is used. exists, then this file is used.
$GLOBUS_LOCATION/etc/gsi-gaa.conf
exists, then this file is used. exists, then this file is used.
$HOME/.gsi-gaa.conf
exists, then this file is used. exists, then this file is used.
GRID_SECURITY_DIR
specifies a path to a directory containing
configuration files that specify default values to be placed in
certificate requests. This environment variable is used only by the
grid-cert-request
and grid-default-ca
commands.
The location of the grid security directory is determined as follows:
. If the GRID_SECURITY_DIR
environment variable is set, the grid security directory is the value of that environment variable.
/etc/grid-security
, the grid security directory is that directory., the grid security directory is that directory.
$GLOBUS_LOCATION/etc
, the grid security directory is that directory., the grid security directory is that directory.
GLOBUS_GSSAPI_FORCE_TLS
specifies whether to use TLS by default when
establishing a security context. The default behavior if this is not set
is to use SSLv3.
GLOBUS_GSSAPI_NAME_COMPATIBILITY
specifies what name matching
algorithms are supported by GSSAPI for mutual authentication and
gss_compare_name
. This variable may be set to any of the
following values:
STRICT_GT2
STRICT_RFC2818
HYBRID
:
Support a hybrid of the two previous name matching algorithms, liberally
matching both hyphen wildcards, canonical names associated with IP
addresses, and subjectAltName extensions.
If this variable is not set, the HYBRID
behavior is used.
Table of Contents
The following are some common problems that may cause clients or servers to report that credentials are invalid:
Table 17.1. Credential Errors
Error Code | Definition | Possible Solutions |
---|---|---|
| Your proxy credential may have expired. | Use grid-proxy-info to check whether the proxy credential has actually expired. If it has, generate a new proxy with grid-proxy-init. |
| This may cause the server or client to conclude that a credential has expired. | Check the system clocks on the local and remote system. |
| Your end-user certificate may have expired | Use grid-cert-info to check your certificate’s expiration date. If it has expired, follow your CA’s procedures to get a new one. |
| If the permissions on your proxy file are too lax (for example, if others can read your proxy file), Globus Toolkit clients will not use that file to authenticate. | You can "fix" this problem by changing the permissions on the file or by destroying it (with grid-proxy-destroy) and creating a new one (with grid-proxy-init). [IMPORTANT] However, it is still possible that someone else has made a copy of that file during the time that the permissions were wrong. In that case, they will be able to impersonate you until the proxy file expires or your permissions or end-user certificate are revoked, whichever happens first. |
| If the permissions on your end user certificate private key file are too lax (for example, if others can read the file), grid-proxy-init will refuse to create a proxy certificate. | You can "fix" this by changing the permissions on the private key file. [IMPORTANT] However, you will still have a much more serious problem: it is possible that someone has made a copy of your private key file. Although this file is encrypted, it is possible that someone will be able to decrypt the private key, at which point they will be able to impersonate you as long as your end user certificate is valid. You should contact your CA to have your end-user certificate revoked and get a new one. |
| The remote system may not trust your CA | Verify that the remote system is configured to trust the CA that issued your end-entity certificate. See link:admin/install/index.html for details. |
| You may not trust the remote system’s CA | Verify that your system is configured to trust the remote CA (or that your environment is set up to trust the remote CA). See admin/install/index.html for details. |
| There may be something wrong with the remote service’s credentials | It is sometimes difficult to distinguish between errors reported by the remote service regarding your credentials and errors reported by the client interface regarding the remote service’s credentials. If you cannot find anything wrong with your credentials, check for the same conditions on the remote system (or ask a remote administrator to do so) . |
The
grid-cert-diagnostics
program checks prints diagnostics about the user’s certificates, and
host security environment.
% grid-cert-diagnostics -p
openssl verify -CApath /etc/grid-security/certificates -purpose sslclient ~/.globus/usercert.pem
openssl s_client -ssl3 -cert ~/.globus/usercert.pem -key ~/.globus/userkey.pem -CApath /etc/grid-security/certificates -connect <host:port>
Here <host:port> denotes the server and port you connect to.
If it prints an error and puts you back at the command prompt, then it typically means that the server has closed the connection, i.e. that the server was not happy with the client’s certificate and verification. Check the SSL log on the server.
If the command "hangs" then it has actually opened a telnet style (but secure) socket, and you can "talk" to the server.
You should be able to scroll up and see the subject names of the server’s verification chain:
depth=2 /DC=net/DC=ES/O=ESnet/OU=Certificate Authorities/CN=ESnet Root CA 1 verify return:1 depth=1 /DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1 verify return:1 depth=0 /DC=org/DC=doegrids/OU=Services/CN=wiggum.mcs.anl.gov verify return:1
In this case, there were no errors. Errors would give you an extra line next to the subject name of the certificate that caused the error.
The following are some common problems that may cause clients or servers to report that user are not authorized:
Table 17.2. Gridmap Errors
Error Code | Definition | Possible Solutions |
---|---|---|
| The content of the grid map file does not conform to the expected format | Run |
| The grid map file does not contain a entry for your DN | Use |