[Gt-eos] genproxy - create GSI proxy credentials w/o Globus

Frank Scheiner scheiner at hlrs.de
Thu Nov 9 11:29:37 CET 2017


Dear all,

as there is an ongoing discussion about MyProxy without Globus, maybe 
this fits in here, too:

Some time ago during working in an archiving project of KIT and HLRS, we 
set up a dedicated host with all sorts of GridFTP client tools for our 
users - to spare them the work to install, set up and update these tools 
themselves and to ease up debugging through a fixed set of tool versions.

If you are interested, the documentation is public and available on [1].

[1]: http://wiki.scc.kit.edu/lsdf/index.php/BWDAHub

Access is via GSI-OpenSSH mainly, but there are always users with 
"obscure" sorts of operating systems where this is not available 
prepackaged or where there are other blocks on the road. In addition a 
GSI proxy credential (GPC) is also needed for GridFTP transfers in and 
out of the archive. But how should users create such GPCs if they don't 
have the Globus tools at their disposal?

Jan Just Keijser's `genproxy` ([2]) to the rescue! I'm unsure if this 
tool is widely known:

[2]: https://www.nikhef.nl/~janjust/proxy-verify/genproxy

It is a shell script that allows to create GPCs (1 day minimum lifetime, 
no support for PKCS#12 keystores currently) with OpenSSL alone, which 
should allow usage on many additional operating systems. I made some 
adaptations to get its output closer to `grid-proxy-init` for example 
and included new code from JJK and the result is now available from [3]. 
With some modifications (e.g. remove bashisms, etc.) I could also get it 
to work under NetBSD (default installation w/o additional packages 
installed), for OpenBSD I'm still struggling, there seem to be enough 
differences between LibreSSL and OpenSSL that it doesn't work there out 
of the box. So much for "obscure" OSes.

[3]: https://github.com/HLRS/genproxy

With this tool users of the archive can create their needed GPCs on 
their personal workstations with minimal effort (currently only Bash and 
OpenSSL required) and use an SSH client to upload them to the dedicated 
host. Upon login with SSH they can work and use GridFTP clients like any 
other user that is using the conventional way.

I used this tool extensively during the described archiving project and 
did not experience a single situation where the created GPCs didn't work 
as expected or weren't accepted by the involved services.

Therefore this tool might also be suited to be moved under the umbrella 
of the gridcf - as an addition or "enabling technology" for edge cases 
maybe, where no Globus/gct tools are available for. :-)

Cheers,
Frank

-- 
Frank Scheiner

High Performance Computing Center Stuttgart (HLRS)
Department Project User Management & Accounting

Email: scheiner at hlrs.de
Phone: +49 711 685 68039

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2293 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://mailman.egi.eu/pipermail/discuss/attachments/20171109/5e4eb30a/attachment.p7s>


More information about the discuss mailing list