[Gt-eos] genproxy - create GSI proxy credentials w/o Globus
Frank Scheiner
scheiner at hlrs.de
Thu Nov 9 11:29:37 CET 2017
Dear all,
as there is an ongoing discussion about MyProxy without Globus, maybe
this fits in here, too:
Some time ago, while working on an archiving project of KIT and HLRS, we
set up a dedicated host with all sorts of GridFTP client tools for our
users - to spare them the work of installing, setting up and updating these
tools themselves and to ease debugging through a fixed set of tool versions.
If you are interested, the documentation is public and available on [1].
[1]: http://wiki.scc.kit.edu/lsdf/index.php/BWDAHub
Access is via GSI-OpenSSH mainly, but there are always users with
"obscure" sorts of operating systems where this is not available
prepackaged or where there are other blocks on the road. In addition, a
GSI proxy credential (GPC) is also needed for GridFTP transfers in and
out of the archive. But how should users create such GPCs if they don't
have the Globus tools at their disposal?
Jan Just Keijser's `genproxy` ([2]) to the rescue! I'm unsure if this
tool is widely known:
[2]: https://www.nikhef.nl/~janjust/proxy-verify/genproxy
It is a shell script that allows creating GPCs (1 day minimum lifetime,
no support for PKCS#12 keystores currently) with OpenSSL alone, which
should allow usage on many additional operating systems. I made some
adaptations to get its output closer to `grid-proxy-init` for example
and included new code from JJK and the result is now available from [3].
With some modifications (e.g. remove bashisms, etc.) I could also get it
to work under NetBSD (default installation w/o additional packages
installed). For OpenBSD I'm still struggling; there seem to be enough
differences between LibreSSL and OpenSSL that it doesn't work there out
of the box. So much for "obscure" OSes.
[3]: https://github.com/HLRS/genproxy
With this tool users of the archive can create their needed GPCs on
their personal workstations with minimal effort (currently only Bash and
OpenSSL required) and use an SSH client to upload them to the dedicated
host. Upon login with SSH they can work and use GridFTP clients like any
other user that is using the conventional way.
I used this tool extensively during the described archiving project and
did not experience a single situation where the created GPCs didn't work
as expected or weren't accepted by the involved services.
Therefore this tool might also be suited to be moved under the umbrella
of the gridcf - as an addition or "enabling technology" for edge cases
maybe, where no Globus/gct tools are available. :-)
Cheers,
Frank
--
Frank Scheiner
High Performance Computing Center Stuttgart (HLRS)
Department Project User Management & Accounting
Email: scheiner at hlrs.de
Phone: +49 711 685 68039