[Gt-eos] genproxy - create GSI proxy credentials w/o Globus

Mischa Salle msalle at nikhef.nl
Thu Nov 9 12:15:09 CET 2017


Dear Frank,

great! I know his tool (obviously), I like the fact that it finally made
its way to GitHub. Putting it under gcf makes sense to me.
Perhaps you can persuade Jan Just to also add his grid-proxy-verify...

By the way, you know that voms-proxy-init (C or Java) also can create
(plain) proxy certs? They have no external dependencies.

If you like we can go (together with Jan Just) over some potential
improvements, such as pkcs12 support (not difficult).

    Cheers,
    Mischa

On Thu, Nov 09, 2017 at 11:29:37AM +0100, Frank Scheiner wrote:
> Dear all,
> 
> as there is an ongoing discussion about MyProxy without Globus, maybe this
> fits in here, too:
> 
> Some time ago, while working on an archiving project of KIT and HLRS, we set
> up a dedicated host with all sorts of GridFTP client tools for our users -
> to spare them the work to install, set up and update these tools themselves
> and to ease debugging through a fixed set of tool versions.
> 
> If you are interested, the documentation is public and available on [1].
> 
> [1]: http://wiki.scc.kit.edu/lsdf/index.php/BWDAHub
> 
> Access is via GSI-OpenSSH mainly, but there are always users with "obscure"
> sorts of operating systems where this is not available prepackaged or where
> there are other blocks on the road. In addition a GSI proxy credential (GPC)
> is also needed for GridFTP transfers in and out of the archive. But how
> should users create such GPCs if they don't have the Globus tools at their
> disposal?
> 
> Jan Just Keijser's `genproxy` ([2]) to the rescue! I'm unsure if this tool
> is widely known:
> 
> [2]: https://www.nikhef.nl/~janjust/proxy-verify/genproxy
> 
> It is a shell script that allows creating GPCs (1 day minimum lifetime, no
> support for PKCS#12 keystores currently) with OpenSSL alone, which should
> allow usage on many additional operating systems. I made some adaptations to
> get its output closer to `grid-proxy-init` for example and included new code
> from JJK and the result is now available from [3]. With some modifications
> (e.g. remove bashisms, etc.) I could also get it to work under NetBSD
> (default installation w/o additional packages installed), for OpenBSD I'm
> still struggling, there seem to be enough differences between LibreSSL and
> OpenSSL that it doesn't work there out of the box. So much for "obscure"
> OSes.
> 
> [3]: https://github.com/HLRS/genproxy
> 
> With this tool users of the archive can create their needed GPCs on their
> personal workstations with minimal effort (currently only Bash and OpenSSL
> required) and use an SSH client to upload them to the dedicated host. Upon
> login with SSH they can work and use GridFTP clients like any other user
> that is using the conventional way.
> 
> I used this tool extensively during the described archiving project and did
> not experience a single situation where the created GPCs didn't work as
> expected or weren't accepted by the involved services.
> 
> Therefore this tool might also be suited to be moved under the umbrella of
> the gridcf - as an addition or "enabling technology" for edge cases maybe,
> where no Globus/gct tools are available. :-)
> 
> Cheers,
> Frank
> 
> -- 
> Frank Scheiner
> 
> High Performance Computing Center Stuttgart (HLRS)
> Department Project User Management & Accounting
> 
> Email: scheiner at hlrs.de
> Phone: +49 711 685 68039
> 





-- 
Nikhef                      Room  H155
Science Park 105            Tel.  +31-20-592 5102
1098 XG Amsterdam           Fax   +31-20-592 5155
The Netherlands             Email msalle at nikhef.nl
  __ .. ... _._. .... ._  ... ._ ._.. ._.. .._..