This page has directions for configuring the GridShib-CA to use a MyProxy-based CA. It has been tested with MyProxy version 3.5. The MyProxy server can be running either on the same host as the GridShib-CA or a remote host.
If you elect to use a MyProxy CA instead of the default OpenSSL CA, it is assumed you have some experience with Grid certificate management and have access to a PKI infrastructure and know how to get certificates. So these directions, out of necessity, skip over these details which are specific to your local environment.
Note that you probably don't want to use the same MyProxy server for GridShib-CA and anything else. These directions assume a MyProxy server dedicated to a GridShib-CA. It's possible in theory to use it for other things, but you'll need to figure out how to tweak the configuration yourself.
You need to have the IO::Net::SSL perl module installed on the GridShib-CA system (and its prerequisite Net::SSLeay).
You need to create a set of credentials for the GridShib CA to use when contacting the MyProxy server. The DN of these credentials can be whatever you want, just remember it for subsequent steps where it will be referred to as the GridShib-CA DN. For the purposes of these installation instructions, we will assume a DN of "/C=US/O=NCSA-TEST/OU=User/CN=SP-Service", adjust them to match your chosen DN.
Install the created credentials (certificate and key respectively) in the following locations. (You can install them in an alternate location, in which case you will need to adjust the MyProxyClientCert and MyProxyClientKey parameters in gridshib-ca.conf as described subsequently.)
/tmp/gridshib-ca//myproxy-client-cert.pem
/tmp/gridshib-ca//myproxy-client-key.pem
You need to make sure they are owned by the user under which the Apache httpd runs. Permissions should be as shown here:
-rw------- 1 apache root 1387 Jun 2 16:24 myproxy-client-cert.pem
-rw------- 1 apache root 1679 Jun 2 16:24 myproxy-client-key.pem
Next you need to edit the file /tmp/gridshib-ca//gridshib-ca.conf and modify the following parameters:
caModule: Change this setting to GridShibCA::MyProxyCA
MyProxyHostname: Set this value to the hostname where the MyProxy server is running
MyProxyPort: Set this value to the port number of the MyProxy server (7512 is the default)
MyProxyClientCert: Set this value to the path of the certificate to use to authenticate to the MyProxy server
MyProxyClientKey: Set this value to the path of the key to use to authenticate to the MyProxy server
On the MyProxy server system, do the following. These steps allow the GridShib-CA to request and receive any certificate from the MyProxy CA, with the mapapp program specifying which certificates are generated.
The MyProxy server must be configured to act as a CA.
In /etc/myproxy-server.config set authorized_retrievers to the GridShib-CA DN. For example:
authorized_retrievers "/C=US/O=NCSA-TEST/OU=User/CN=SP-Service"
In /etc/myproxy-server.config trusted_retrievers must include the GridShib-CA DN. For example:
trusted_retrievers "/C=US/O=NCSA-TEST/OU=User/CN=SP-Service"
In /etc/myproxy-server.config default_trusted_retrievers must include the GridShib-CA DN. For example:
default_trusted_retrievers "/C=US/O=NCSA-TEST/OU=User/CN=SP-Service"
From the GridShib-CA system, copy the file "/tmp/gridshib-ca//myproxy-mapapp.pl" to somewhere on the MyProxy server. It should be installed owned by root and with permissions 0700. For these directions we assume you installed it as "/usr/local/bin/myproxy-mapapp.pl". If you are running the myproxy server on the same system as the GridShib-CA you can just leave this file where it is and specify its path in the next step. If you did not specify --with-relative-dn during configuration, you will need to edit this file and set the value for $namespace to the correct relative DN for your MyProxy CA. This value must be in OpenSSL format (e.g. /C=US/O=NCSA-TEST/OU=User/).
In /etc/myproxy-server.config set certificate_mapapp to the path of myproxy-mapapp.pl. For example:
certificate_mapapp "/usr/local/bin/myproxy-mapapp.pl"
If the MyProxy server is already running, stop it and start it again so that it reloads the configuration. (Running "/etc/init.d/myproxy stop; /etc/init.d/myproxy start" should do it.)
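The following POSIX sh script is an added verification aid, not part of GridShib-CA or MyProxy. It checks the two things the steps above leave to the operator: that the GridShib-CA client certificate and key (credential step) and the mapapp script (mapapp step) have exactly the ownership and mode described, and that /etc/myproxy-server.config lists the GridShib-CA DN in authorized_retrievers, trusted_retrievers and default_trusted_retrievers and sets certificate_mapapp. The paths, the DN and the owner names are the ones these directions assume; it also assumes GNU stat (Linux) or BSD stat is available. Run it as "sh myproxy-check.sh gridshib" on the GridShib-CA host and "sh myproxy-check.sh myproxy" on the MyProxy host.

```shell
#!/bin/sh
# Added check script (not GridShib-CA's or MyProxy's own code).
# Values below follow the directions; adjust them for your installation.

# check_file_perms PATH MODE OWNER: return 0 if PATH is a regular file with
# exactly octal MODE (e.g. 600) owned by OWNER, 1 otherwise.
check_file_perms() {
    [ -f "$1" ] || { echo "MISSING: $1"; return 1; }
    # GNU stat first (Linux), BSD stat as fallback (macOS) - assumed present
    actual=$(stat -c '%a %U' "$1" 2>/dev/null || stat -f '%Lp %Su' "$1")
    if [ "$actual" = "$2 $3" ]; then
        echo "ok:      $1 ($actual)"
        return 0
    fi
    echo "BAD:     $1 is '$actual', want '$2 $3'"
    return 1
}

# directive_has_dn CONF DIRECTIVE DN: return 0 if the last DIRECTIVE line in
# CONF quotes DN as one of its values. Anchoring at line start keeps
# "trusted_retrievers" from matching "default_trusted_retrievers" and skips
# commented-out lines.
directive_has_dn() {
    line=$(grep -E "^[[:space:]]*$2[[:space:]]" "$1" | tail -n 1)
    [ -n "$line" ] || return 1
    printf '%s\n' "$line" | grep -qF "\"$3\""
}

# check_myproxy_config CONF DN: return 0 only if all three retriever
# directives include DN and certificate_mapapp is set to some path.
check_myproxy_config() {
    rc=0
    for d in authorized_retrievers trusted_retrievers default_trusted_retrievers; do
        if directive_has_dn "$1" "$d" "$2"; then
            echo "ok:      $d lists $2"
        else
            echo "MISSING: $d does not list $2 in $1"
            rc=1
        fi
    done
    # extract the (optionally quoted) value of certificate_mapapp
    mapapp=$(sed -n 's/^[[:space:]]*certificate_mapapp[[:space:]]*"\{0,1\}\([^"]*\)"\{0,1\}.*/\1/p' "$1" | tail -n 1)
    if [ -n "$mapapp" ]; then
        echo "ok:      certificate_mapapp = $mapapp"
    else
        echo "MISSING: certificate_mapapp is not set in $1"
        rc=1
    fi
    return $rc
}

# Checks for the GridShib-CA host: credentials readable only by the httpd user.
run_gridshib_checks() {
    ok=0
    check_file_perms /tmp/gridshib-ca//myproxy-client-cert.pem 600 apache || ok=1
    check_file_perms /tmp/gridshib-ca//myproxy-client-key.pem 600 apache || ok=1
    return $ok
}

# Checks for the MyProxy host: root-owned 0700 mapapp and a config that
# names the GridShib-CA DN in every retriever directive.
run_myproxy_checks() {
    dn='/C=US/O=NCSA-TEST/OU=User/CN=SP-Service'
    ok=0
    check_file_perms /usr/local/bin/myproxy-mapapp.pl 700 root || ok=1
    check_myproxy_config /etc/myproxy-server.config "$dn" || ok=1
    return $ok
}

case "${1:-}" in
    gridshib) run_gridshib_checks ;;
    myproxy)  run_myproxy_checks ;;
esac
```

The script exits non-zero as soon as any check fails, so it can be kept around and re-run after every edit to myproxy-server.config or after the credentials are reinstalled; a zero exit on both hosts means the MyProxy side is ready for the restart in the last step.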