Since Fermilab has a sitewide credential system, we are
able to use that infrastructure to create Grid proxies for all our
users. Rather than having to individually register with a CA and
protect one's private keys, one can replace the "grid-proxy-init"
command in the Globus instructions with a "ginit" command made up of the
following three elements: kinit; kx509; kxlist -p. I've made a script
on my machine to bundle these all together and save some keystrokes,
but they work fine as a sequence of individual commands, and you might
find that more useful for debugging and/or learning how things work.
For this to work, make sure the following configuration steps have been done:
- A minimal Kerberos configuration is needed on the machine in order to contact the FNAL KDCs and KCA. A standard FNAL Kerberos installation is certainly sufficient, though a stripped-down config along the lines of Kerberos-Lite could be made and wouldn't require root installation.
- You need to get a Kerberos TGT for the principal for which you want a proxy. For a user, a standard "kinit" should suffice.
- Then issue the command "kx509". This command is available in
some GRID toolkit distributions and was supported by the NSF Middleware
Initiative but is now available at the University of Michigan's KX.509 site.
For UPS/UPD users, a kx509 product is available from fnkits. For
Scientific Linux users, the utility is included in the Fermi Kerberos
packages and is installed as part of the base of Scientific Linux
Fermi.
Executing the kx509 command should add a pair of entries to your
Kerberos cache file. Here's what it looks like for me:

    bash-2.04$ kinit
    Password for dane@FNAL.GOV:
    bash-2.04$ klist
    Ticket cache: /tmp/krb5cc_1444
    Default principal: dane@FNAL.GOV

    Valid starting     Expires            Service principal
    07/18/02 16:26:46  07/19/02 18:26:46  krbtgt/FNAL.GOV@FNAL.GOV
    07/18/02 16:26:46  07/19/02 18:26:46  afs@FNAL.GOV
    bash-2.04$ kx509
    bash-2.04$ klist
    Ticket cache: /tmp/krb5cc_1444
    Default principal: dane@FNAL.GOV

    Valid starting     Expires            Service principal
    07/18/02 16:26:46  07/19/02 18:26:46  krbtgt/FNAL.GOV@FNAL.GOV
    07/18/02 16:26:46  07/19/02 18:26:46  afs@FNAL.GOV
    07/18/02 16:27:10  07/19/02 18:26:46  kca_service/siskiyou.fnal.gov@FNAL.GOV
    07/17/02 16:27:11  07/19/02 18:26:46  kx509/certificate@FNAL.GOV
The last entry is an X.509 certificate stored in the
Kerberos cache. This is useful for maintenance and for web client
authentication (with the related plugin for Netscape/IE), but not yet
for the grid.
- Execute the command "kxlist -p" ("p" for proxy)
(this comes with the kx509 in the package above) and you should see
output like below:
    bash-2.04$ kxlist -p
    Service kx509/certificate
     issuer= /C=US/ST=Illinois/L=Batavia/O=Fermilab/CN=Kerberized Certificate Authority
    subject= /C=US/ST=Illinois/L=Batavia/O=Fermilab/OU=Kerberized Certificate Authority/CN=dane/USERID=dane/Email=dane@FNAL.GOV
     serial=D0 hash=91cad9b0

"kxlist" lists the contents of the certificate stored in the Kerberos
cache. The "-p" option causes a GRID proxy file (/tmp/x509up_) to be
created; this proxy file is then read by the grid utilities (in this
case globus_url_copy or whatever).
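As an added example (not the author's own script and not a Fermilab product), here is a "ginit" wrapper that bundles the three steps above and checks each one before going on: it stops if kinit or kx509 fails, confirms that klist now shows the kx509/certificate entry, and refuses to report success unless the proxy file exists and is readable by its owner only, since the proxy carries a private key. It assumes the Globus convention that the proxy path is $X509_USER_PROXY, defaulting to /tmp/x509up_u followed by the numeric uid; the page itself only shows the truncated name /tmp/x509up_.

```shell
#!/bin/sh
# ginit: run kinit, kx509 and "kxlist -p" as one command, checking each
# step before moving to the next. Added example, not the author's script.
# Assumption: the Globus convention that the proxy lives at
# $X509_USER_PROXY, defaulting to /tmp/x509up_u<uid>.

PROXY=${X509_USER_PROXY:-/tmp/x509up_u$(id -u)}

err() { printf 'ginit: %s\n' "$*" >&2; }

# True when the Kerberos cache already holds the certificate entry that
# kx509 adds (the "kx509/certificate@REALM" line in klist output).
have_kx509_ticket() {
    klist 2>/dev/null | grep -q 'kx509/certificate@'
}

# True when the proxy file exists and is readable by its owner only.
# The proxy carries a private key, so a group- or world-readable copy
# is treated as unusable rather than silently accepted.
proxy_is_private() {
    [ -f "$1" ] || return 1
    [ -z "$(find "$1" -prune \( -perm -g+r -o -perm -o+r \) -print 2>/dev/null)" ]
}

ginit() {
    # Step 1: Kerberos TGT. Any arguments (e.g. a principal) go to kinit,
    # which prompts for the password itself.
    kinit "$@" || { err "kinit failed; no TGT obtained"; return 1; }

    # Step 2: have the KCA issue a short-lived certificate into the cache.
    kx509 || { err "kx509 failed; no certificate from the KCA"; return 1; }
    have_kx509_ticket || { err "kx509/certificate entry missing from klist"; return 1; }

    # Step 3: write the grid proxy file. The umask (in a subshell, so the
    # caller's umask is untouched) makes the file owner-only from creation.
    (umask 077 && kxlist -p >/dev/null) || { err "kxlist -p failed"; return 1; }
    proxy_is_private "$PROXY" || { err "proxy $PROXY missing or not private"; return 1; }

    printf 'grid proxy ready: %s\n' "$PROXY"
}

# Run only when invoked as a script named ginit; sourcing the file just
# defines the functions.
case ${0##*/} in
    ginit|ginit.sh) ginit "$@" ;;
esac
```

Save it as "ginit", make it executable, and run it in place of grid-proxy-init; sourcing the file instead gives you the individual functions for debugging one step at a time.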
- On the receiving end, the gridmapfile needs to contain an entry that matches the subject line from the kxlist.
    [root@heorot dane]# more /etc/grid-security/grid-mapfile
    "/C=US/ST=Illinois/L=Batavia/O=Fermilab/OU=Kerberized Certificate Authority/CN=dane/USERID=dane/Email=dane@FNAL.GOV" dane
and it needs the WHOLE subject line.
- Both ends need to have the CA public keys and signing policies
from http://home.fnal.gov/~crawdad/fnal-globus/fnal-certs.tar installed
in /etc/grid-security/certificates.
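To make the "WHOLE subject line" requirement concrete, here is an added example (not part of the original page and not Globus's own mapfile code) that looks a certificate subject up in a grid-mapfile using an exact string comparison. It assumes the line format shown above, a quoted full subject followed by the local user name, and writes a constructed sample mapfile so it can be run offline; the sample reproduces the subject from the page plus one made-up placeholder entry.

```shell
#!/bin/sh
# Look up a certificate subject in a grid-mapfile, requiring the WHOLE
# subject to match. Added example, not part of the original page. The
# line format assumed is one entry per line:
#     "<full certificate subject>" <local user>
# with blank lines and "#" comments ignored.

gridmap_lookup() {
    subject=$1
    mapfile=$2
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;
        esac
        rest=${line#\"}            # drop the opening quote
        dn=${rest%%\"*}            # subject: up to the closing quote
        user=${rest#*\"}           # whatever follows the closing quote
        set -- $user               # strip surrounding whitespace
        user=${1:-}
        [ -n "$user" ] || continue # malformed line: no local user
        # Exact comparison: neither a prefix nor a superstring of the
        # subject may match, which is why the entry needs the whole line.
        if [ "$dn" = "$subject" ]; then
            printf '%s\n' "$user"
            return 0
        fi
    done < "$mapfile"
    return 1
}

# Write a constructed sample grid-mapfile (not Fermilab's real file) to $1.
# The first entry reproduces the subject shown on the page; the second is
# a made-up placeholder entry.
write_sample_gridmap() {
    cat > "$1" <<'EOF'
# constructed sample grid-mapfile
"/C=US/ST=Illinois/L=Batavia/O=Fermilab/OU=Kerberized Certificate Authority/CN=dane/USERID=dane/Email=dane@FNAL.GOV" dane
"/C=US/ST=Illinois/L=Batavia/O=Fermilab/OU=Kerberized Certificate Authority/CN=example/USERID=example/Email=example@FNAL.GOV" example
EOF
}

# Demo: the full subject maps to "dane"; the subject with /Email= cut off
# is rejected even though every component it does have matches.
demo_gridmap() {
    f=${TMPDIR:-/tmp}/gridmap-demo.$$
    write_sample_gridmap "$f"
    full='/C=US/ST=Illinois/L=Batavia/O=Fermilab/OU=Kerberized Certificate Authority/CN=dane/USERID=dane/Email=dane@FNAL.GOV'
    gridmap_lookup "$full" "$f" || echo "full subject: no match"
    gridmap_lookup "${full%/Email=*}" "$f" || echo "truncated subject: no match"
    rm -f "$f"
}
demo_gridmap
```

Running it prints "dane" for the full subject and "truncated subject: no match" for the shortened one, which is the behaviour to expect from the receiving end when a mapfile entry is missing a component.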
Enhancements in process:
- Extend use to multi-component user principals (e.g. /cron/ principals, and CAF/farm principals).
- Make certificates subordinate to DOE Science Grids CA (requires format change and thus new entries in Gridmap files).