The MyProxy Certificate Authority

University of Illinois at Urbana-Champaign

National Center for Supercomputing Applications

MyProxy > Docs > Admin Guide > The MyProxy Certificate Authority

The GridShib CA can be configured to use the MyProxy CA.

Starting with v3.0, the MyProxy server includes the ability to act as a Certificate Authority (CA), signing certificates with a configured CA key on request for authenticated users that don't already have certificates stored in the MyProxy repository. Users can run myproxy-logon to authenticate and obtain a certificate from the MyProxy CA when and where needed, without needing to store long-lived keys and certificates in the MyProxy repository or elsewhere.

The MyProxy CA has been developed to meet the requirements of the Short Lived Credential Services X.509 Public Key Certification Authorities Profile of The Americas Grid Policy Management Authority, a member of the International Grid Trust Federation. The NCSA MyProxy CA has been accredited under the Profile.

The MyProxy CA functionality requires the configuration of PAM and/or SASL to support username/password and/or Kerberos authentication for obtaining certificates. The myproxy-server administrator must also configure the myproxy-server with the CA key, other CA attributes, and a method for mapping MyProxy usernames to Distinguished Names (DNs) in the signed certificates. Three mapping methods are supported: certificate_mapfile, which follows the Globus Toolkit grid-mapfile format, certificate_mapapp, which provides a general-purpose call-out interface, and LDAP.

The MyProxy server can act as a CA, a repository, or both. The CA functionality is disabled unless the CA configuration options in the myproxy-server.config are enabled. Likewise, the myproxy-server.config accepted_credentials setting controls whether clients can store credentials on the server. A myproxy-server.config template is provided in $GLOBUS_LOCATION/share/myproxy.

By default, the MyProxy CA issues certificates valid for 12 hours. This can be customized using the max_cert_lifetime option in myproxy-server.config.

MyProxy CA Installation

The MyProxy CA can be configured to use a Hardware Security Module.

Install the myproxy-server according to the MyProxy Server Installation instructions.
Create your CA using SimpleCA or equivalent. The Globus SimpleCA package is included in the myproxy-server installation. Be sure to create host credentials for the myproxy-server. Note: the PEM passphrase you choose during SimpleCA setup must be entered in the myproxy-server.config certificate_issuer_key_passphrase configuration line (see below).
Configure the myproxy-server to use PAM and/or SASL.
Configure the CA functionality in the myproxy-server.config file. For example:
pam "sufficient" sasl "sufficient" authorized_retrievers "*" certificate_issuer_cert /home/globus/.globus/simpleCA/cacert.pem certificate_issuer_key /home/globus/.globus/simpleCA/private/cakey.pem certificate_issuer_key_passphrase "myproxy" certificate_serialfile /home/globus/.globus/simpleCA/serial certificate_mapfile /etc/grid-security/grid-mapfile
Note: the certificate_issuer_key_passphrase is the PEM passphrase you chose for your SimpleCA installation.
Restart the myproxy-server for the configuration changes to take effect.

You should now be able to retrieve certificates using myproxy-logon. For example:

  $ myproxy-logon -s myproxy.ncsa.uiuc.edu
  Enter MyProxy pass phrase: <enter PAM password here>
  A credential has been received for user jbasney in /tmp/x509up_u25555.

If there are any problems, consult the Troubleshooting Guide.