[transfer-api] Can I use cert-based authentication with MyProxy?

Maxim Potekhin potekhin at bnl.gov
Wed Feb 1 09:40:05 CST 2012


Thanks, Bryce. I find the process fairly hard to understand and follow
in detail.
Let's say I have an X509 proxy (or cert) which I previously supplied to
Globus Online.
It would be fantastic to have a method that would simply take a path to
that proxy and do the activation. Or does delegate_proxy_activate.py do
exactly that?

In the example that you link to, the delegate_proxy_activate.py --
is that enough or should I follow the rest of the e-mail as an instruction?

Thanks

Maxim


On 2/1/2012 10:32 AM, Bryce Allen wrote:
> There's an example of how to do this from Python on github (it's just
> not part of the PyPI package):
>
> https://github.com/globusonline/transfer-api-client-python/blob/master/examples/delegate_proxy_activate.py
>
> This RFC for how this works is still accurate except that there is no
> 'public_key_expires' field:
> https://lists.globusonline.org/mailman/private/transfer-api/2011-March/000030.html
>
> The key field that needs to be sent in the activation requirements is
> the proxy_chain. It's a proxy certificate using the public key sent by
> the server, signed by the user's credential, together with the user
> certificate and any other certificates in the chain. It's non-trivial
> to construct - see the 'create_proxy' function in the main client file:
> https://github.com/globusonline/transfer-api-client-python/blob/master/globusonline/transfer/api_client/__init__.py
>
> The filled in requirements will look something like this:
>
> {
>    "DATA_TYPE": "activation_requirements",
>    "DATA": [
>       {
>        "name": "proxy_chain",
>        "DATA_TYPE": "activation_requirement",
>        "value": "-----BEGIN
>        CERTIFICATE-----\nMIIEfTCCA2WgAwIBAgIJALtiJziHQJt0MA0GCSqGSIb3DQEBBQUAMF0xCzAJBgNV\nBAYTAlVTMTgwNgYDVQQKEy9OYXRpb25hbCBDZW50ZXIgZm9yIFN1cGVyY29tcHV0\naW5nIEFwcGxpY2F0aW9uczEUMBIGA1UEAxMLQnJ5Y2UgQWxsZW4wHhcNMTIwMjAx\nMTUyMjM0WhcNMTIwMjAxMTYyMjM0WjB8MQswCQYDVQQGEwJVUzE4MDYGA1UEChMv\nTmF0aW9uYWwgQ2VudGVyIGZvciBTdXBlcmNvbXB1dGluZyBBcHBsaWNhdGlvbnMx\nFDASBgNVBAMTC0JyeWNlIEFsbGVuMR0wGwYDVQQDExQxMzUwMjM5Nzc1NjU1MDk3\nODQyMDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAL5YTLyFj1mS5neE\nkbSagSNAfpSWcieT3aLV51gKnq7+oWQecDLsTJO4vzxpaCdWEN+xYTvfTglkiSSL\naldzE9f9b+YjpN5WtWJ4HWCIaNyooFkGoOmwmSKsRZ8O9eSEabfbAT9OdV6OH2AE\nY77d+fwDi4jmpKj9qFcyakBPhZaxhUGdjUMWfTjjMhjWlkKPTd0V/rW2e2MSFiy6\nhLG1bCNe1Wa2wFzFDdDgaLoc2uIeVGXf/c7wRxGpMGqoD8mf+xVCKY6WypsM9Zje\nKqO7kWO++3fa4s87SE5xsMAVZ1geMHc6IFyg5HLgs13cxq1vzLLpZSmxZ8undYLO\njgfHCXf13uqhcAQ0OIB4/agosffGHyaSbv6xjhUb/UiVKLkVPwbLaPx9/lyEp0Jr\nALEI8lg5pGemUWnplWFla6jNCdzNvEseY3L2pZlL9B0AZ7E9c5JcyHbBBKZod7An\nHElzyRw/EytT+ZO3r2MH7lYnEobkts2uiBfowbKYdE/QjlKcFIo0nqlC50MOZVxq\nL8T17xfdSLJRVR0nmCn41shNNJ8VPjNUNyOiYSsSDxhcqRlPMQgjSx5VGnOIr//w\nb+tO3sG2QgdYBw6LaaWVchK9Udq+1j8ZcI3fppA67Bz/erHLxSJm49LrewqoPJDJ\nfFCyMIaoNyyuF3mXrSIRUdNIxCpjAgMBAAGjITAfMB0GCCsGAQUFBwEOAQH/BA4w\nDDAKBggrBgEFBQcVATANBgkqhkiG9w0BAQUFAAOCAQEApBRRIwJKGYm5VYaljXT7\nKnF42etZua/7Z0xofYePJUQLOO909ffMM880Y4K0b88b+UNhoIusoyw5pWRpE2X8\nlvfUsVnGYuatb/66IYqUu0RLF8j0xm5twHGfFzAX1M8G4jQJELzugYA3BR9gEDdg\nJfK1Z+PK2iYDuqj+ModJyQhW75arHu/kNRyAWrPk8jo4NzIyUzVKQXGwFbmQbK+d\n0yGHb0tIvGyCIoSnd03AhqWhuE7zzpNUkX/KGTDTBJ9mouVMXVo4yUBIRfbaG0xW\nhGBqZNDfC4HhELA2afxZduo8dplOVqYCE37CAtRJFgOC1Om87yT8pAHnzgHhukZL\nAQ==\n-----END
>        CERTIFICATE-----\n-----BEGIN
>        CERTIFICATE-----\nMIIEJDCCAwygAwIBAgIDF2whMA0GCSqGSIb3DQEBBQUAMHsxCzAJBgNVBAYTAlVT\nMTgwNgYDVQQKEy9OYXRpb25hbCBDZW50ZXIgZm9yIFN1cGVyY29tcHV0aW5nIEFw\ncGxpY2F0aW9uczEgMB4GA1UECxMXQ2VydGlmaWNhdGUgQXV0aG9yaXRpZXMxEDAO\nBgNVBAMTB015UHJveHkwHhcNMTIwMjAxMTUxMzE2WhcNMTIwMjEyMTUxODE2WjBd\nMQswCQYDVQQGEwJVUzE4MDYGA1UEChMvTmF0aW9uYWwgQ2VudGVyIGZvciBTdXBl\ncmNvbXB1dGluZyBBcHBsaWNhdGlvbnMxFDASBgNVBAMTC0JyeWNlIEFsbGVuMIIB\nIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArUf36B5rWNeguv3ZvCWE+xUs\nCEB3hGsp/fUv9I0RP3sSd+A4O7/Md0y12bDo+KsbQUsrFWg8mAqltloRgZzeyP5R\nYyp4ZD1xtGJLYzju6BIGJHC5AhXMvQO6LUzpOAJjXjYs2Isn0d0C6Bg3Z83jwVc5\nALzXFVKhe9UH+sphBmn/SjIjWst9AaGeF7xQNyibfMEMcmLNniPRAIpTp9W3uTOb\n3SgBWkBRBIu04qc1diTRViB6ZQ6gUiuBoIF810nDfozFg/I9IlltIIBJwOtl8W78\nK4A9rNGX9m9E0JXHUaIslJKYiAv/pKa4VeyWQ8rvDXzCh8UEu9alJqJj4A1DpwID\nAQABo4HOMIHLMA4GA1UdDwEB/wQEAwIEsDAdBgNVHQ4EFgQUC5UaHZjimiwXo2Bl\nzrOWRMi8i+swHwYDVR0jBBgwFoAU1/ylAnY69hP6K6Hg5lA1xyPHe1EwDAYDVR0T\nAQH/BAIwADA0BgNVHSAELTArMAwGCisGAQQBpD5kAgUwDAYKKoZIhvdMBQICAzAN\nBgsqhkiG90wFAgMCATA1BgNVHR8ELjAsMCqgKKAmhiRodHRwOi8vY2EubmNzYS51\naXVjLmVkdS9mMmU4OWZlMy5jcmwwDQYJKoZIhvcNAQEFBQADggEBAKamGeSfMyQN\nOjanlYcDfmX5QVFHNk11WG+pPaOP45s8XyZ5qPBqmFcEQzQ99oq9N34fabkSNWaM\niEXoCQ/y3+LOvxzWqlmKXkZphPlTtz5Q7H57hggow42cvTf44ZKQPCNWr6WRK965\nF48PzgpRr4Sp+NXoK8/FLZNsunxzluttPMc8ihqFRuX+ssi7fXTG+2qvythX1v4a\ncJc4S1YLpTK3CKQXkRhvdJt7f2GMgUm7xFAb2XNNEEYHiu5T6fINyFW//bvShlg2\nJVzWhEuKWca6O1bn/wPH0oiMfLY/USJYUwExNCXRHUzLSGE67VuIEB/256x9ZB2e\nN1w+he3jSXI=\n-----END
>        CERTIFICATE-----\n\n",
>        "type": "delegate_proxy"
>       }
>    ]
> }
>
> It may include additional (unused) activation requirements in the DATA
> list, and other fields that were part of the original response from the
> server, so you can just take the response and add the proxy_chain
> value. However, those are all optional and are ignored anyway.
>
> Hope that helps,
> Bryce
>
> On Tue, 31 Jan 2012 23:26:20 -0500
> Maxim Potekhin <potekhin at bnl.gov> wrote:
>> Hello,
>>
>> when I look at activation requirements, I observe that they seem to
>> be tailored to password-based auth with MyProxy server. In our
>> situation, we need cert-based auth. Is it still possible?
>>
>> Thanks
>>
>> Maxim
>>
>> _______________________________________________
>> transfer-api mailing list
>> transfer-api at lists.globusonline.org
>> https://lists.globusonline.org/mailman/listinfo/transfer-api
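
The step Bryce describes (take the server's activation requirements and add the proxy_chain value) is sketched below as an added example; it is not part of the thread or of the transfer-api client. The function names and sample data are hypothetical, and the code assumes the proxy certificate has already been built and signed (the create_proxy step). It rejects any private key in the value, because a proxy file on disk normally holds a key next to its certificates and proxy_chain is meant to carry certificates only.

```python
import copy
import re

# One PEM block; group 1 is its label (CERTIFICATE, RSA PRIVATE KEY, ...).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.+?)\n-----END \1-----", re.DOTALL)

def pem_labels(pem_text):
    """Labels of all PEM blocks in pem_text, in order of appearance."""
    return [m.group(1) for m in PEM_BLOCK.finditer(pem_text)]

def fill_proxy_chain(requirements, proxy_chain_pem):
    """Return a copy of the server's activation_requirements with proxy_chain set.

    Raises ValueError when the chain holds anything but certificates, holds
    fewer than two of them (proxy cert + user cert), or when the response
    offers no delegate_proxy requirement named proxy_chain.
    """
    labels = pem_labels(proxy_chain_pem)
    if "PRIVATE KEY" in proxy_chain_pem or any(l != "CERTIFICATE" for l in labels):
        raise ValueError("proxy_chain must contain only CERTIFICATE blocks")
    if len(labels) < 2:
        raise ValueError("expected the proxy certificate plus the user certificate")
    filled = copy.deepcopy(requirements)  # leave the caller's dict untouched
    for req in filled.get("DATA", []):
        if req.get("type") == "delegate_proxy" and req.get("name") == "proxy_chain":
            req["value"] = proxy_chain_pem
            return filled
    raise ValueError("response has no delegate_proxy proxy_chain requirement")

# Constructed sample data (placeholder base64, not real certificates or keys).
def _pem(label, body):
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)

SAMPLE_CHAIN = _pem("CERTIFICATE", "UFJPWFk=") + _pem("CERTIFICATE", "VVNFUg==")
SAMPLE_PROXY_FILE = (_pem("CERTIFICATE", "UFJPWFk=")
                     + _pem("RSA PRIVATE KEY", "S0VZ")
                     + _pem("CERTIFICATE", "VVNFUg=="))
SAMPLE_REQUIREMENTS = {
    "DATA_TYPE": "activation_requirements",
    "DATA": [
        {"name": "proxy_chain", "DATA_TYPE": "activation_requirement",
         "value": None, "type": "delegate_proxy"},
    ],
}

if __name__ == "__main__":
    print(fill_proxy_chain(SAMPLE_REQUIREMENTS, SAMPLE_CHAIN)["DATA"][0]["value"])
```

Passing the contents of a proxy file straight in (SAMPLE_PROXY_FILE here) raises ValueError instead of sending the key.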
