[transfer-api] Can I use cert-based authentication with MyProxy?

Bryce Allen ballen at ci.uchicago.edu
Wed Feb 1 09:54:26 CST 2012


delegate_proxy_activate.py does that, it just doesn't have good
documentation - I'll add usage info to the docstring. I would avoid
trying to do it manually based on the RFC unless you absolutely can't
use the Python code. You run it like this:

# the -c cert file is often the same as the -k key file
delegate_proxy_activate.py USERNAME 'ENDPOINT_NAME' /path/to/cred \
 -k /path/to/client/auth/key \
 -c /path/to/client/auth/cert \
 -C ../ca/gd-bundle_ca.cert

It has the same options as the transfer_api main script, but adds two
required arguments for ENDPOINT_NAME (which needs to be quoted in case
it contains a #) and the path to an X509 credential or proxy.

It's on my todo list to improve the option parsing and support a config
file so the options don't have to be passed every time.

-Bryce

On Wed, 01 Feb 2012 10:40:05 -0500
Maxim Potekhin <potekhin at bnl.gov> wrote:
> Thanks Bryce. I find the process fairly hard to understand and follow
> in detail.
> Let's say I have an X509 proxy (or cert) which I previously supplied
> to Globus Online.
> It would be fantastic to have a method that would simply take a path
> to that proxy and do the activation. Or does
> delegate_proxy_activate.py do exactly that?
> 
> In the example that you link to, the delegate_proxy_activate.py --
> is that enough or should I follow the rest of the e-mail as in
> instruction?
> 
> Thanks
> 
> Maxim
> 
> 
> On 2/1/2012 10:32 AM, Bryce Allen wrote:
> > There's an example of how to do this from Python on github (it's
> > just not part of the PyPI package):
> >
> > https://github.com/globusonline/transfer-api-client-python/blob/master/examples/delegate_proxy_activate.py
> >
> > This RFC for how this works is still accurate except that there is
> > no 'public_key_expires' field:
> > https://lists.globusonline.org/mailman/private/transfer-api/2011-March/000030.html
> >
> > The key field that needs to be sent in the activation requirements
> > is the proxy_chain. It's a proxy certificate using the public key
> > sent by the server, signed by the user's credential, together with
> > the user certificate and any other certificates in the chain. It's
> > non-trivial to construct - see the 'create_proxy' function in the
> > main client file:
> > https://github.com/globusonline/transfer-api-client-python/blob/master/globusonline/transfer/api_client/__init__.py
> >
> > The filled in requirements will look something like this:
> >
> > {
> >    "DATA_TYPE": "activation_requirements",
> >    "DATA": [
> >       {
> >        "name": "proxy_chain",
> >        "DATA_TYPE": "activation_requirement",
> >        "value": "-----BEGIN
> >        CERTIFICATE-----\nMIIEfTCCA2WgAwIBAgIJALtiJziHQJt0MA0GCSqGSIb3DQEBBQUAMF0xCzAJBgNV\nBAYTAlVTMTgwNgYDVQQKEy9OYXRpb25hbCBDZW50ZXIgZm9yIFN1cGVyY29tcHV0\naW5nIEFwcGxpY2F0aW9uczEUMBIGA1UEAxMLQnJ5Y2UgQWxsZW4wHhcNMTIwMjAx\nMTUyMjM0WhcNMTIwMjAxMTYyMjM0WjB8MQswCQYDVQQGEwJVUzE4MDYGA1UEChMv\nTmF0aW9uYWwgQ2VudGVyIGZvciBTdXBlcmNvbXB1dGluZyBBcHBsaWNhdGlvbnMx\nFDASBgNVBAMTC0JyeWNlIEFsbGVuMR0wGwYDVQQDExQxMzUwMjM5Nzc1NjU1MDk3\nODQyMDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAL5YTLyFj1mS5neE\nkbSagSNAfpSWcieT3aLV51gKnq7+oWQecDLsTJO4vzxpaCdWEN+xYTvfTglkiSSL\naldzE9f9b+YjpN5WtWJ4HWCIaNyooFkGoOmwmSKsRZ8O9eSEabfbAT9OdV6OH2AE\nY77d+fwDi4jmpKj9qFcyakBPhZaxhUGdjUMWfTjjMhjWlkKPTd0V/rW2e2MSFiy6\nhLG1bCNe1Wa2wFzFDdDgaLoc2uIeVGXf/c7wRxGpMGqoD8mf+xVCKY6WypsM9Zje\nKqO7kWO++3fa4s87SE5xsMAVZ1geMHc6IFyg5HLgs13cxq1vzLLpZSmxZ8undYLO\njgfHCXf13uqhcAQ0OIB4/agosffGHyaSbv6xjhUb/UiVKLkVPwbLaPx9/lyEp0Jr\nALEI8lg5pGemUWnplWFla6jNCdzNvEseY3L2pZlL9B0AZ7E9c5JcyHbBBKZod7An\nHElzyRw/EytT+ZO3r2MH7lYnEobkts2uiBfowbKYdE/QjlKcFIo0nqlC50MOZVxq\nL8T17xfdSLJRVR0nmCn41shNNJ8VPjNUNyOiYSsSDxhcqRlPMQgjSx5VGnOIr//w\nb+tO3sG2QgdYBw6LaaWVchK9Udq+1j8ZcI3fppA67Bz/erHLxSJm49LrewqoPJDJ\nfFCyMIaoNyyuF3mXrSIRUdNIxCpjAgMBAAGjITAfMB0GCCsGAQUFBwEOAQH/BA4w\nDDAKBggrBgEFBQcVATANBgkqhkiG9w0BAQUFAAOCAQEApBRRIwJKGYm5VYaljXT7\nKnF42etZua/7Z0xofYePJUQLOO909ffMM880Y4K0b88b+UNhoIusoyw5pWRpE2X8\nlvfUsVnGYuatb/66IYqUu0RLF8j0xm5twHGfFzAX1M8G4jQJELzugYA3BR9gEDdg\nJfK1Z+PK2iYDuqj+ModJyQhW75arHu/kNRyAWrPk8jo4NzIyUzVKQXGwFbmQbK+d\n0yGHb0tIvGyCIoSnd03AhqWhuE7zzpNUkX/KGTDTBJ9mouVMXVo4yUBIRfbaG0xW\nhGBqZNDfC4HhELA2afxZduo8dplOVqYCE37CAtRJFgOC1Om87yT8pAHnzgHhukZL\nAQ==\n-----END
> >        CERTIFICATE-----\n-----BEGIN
> >        CERTIFICATE-----\nMIIEJDCCAwygAwIBAgIDF2whMA0GCSqGSIb3DQEBBQUAMHsxCzAJBgNVBAYTAlVT\nMTgwNgYDVQQKEy9OYXRpb25hbCBDZW50ZXIgZm9yIFN1cGVyY29tcHV0aW5nIEFw\ncGxpY2F0aW9uczEgMB4GA1UECxMXQ2VydGlmaWNhdGUgQXV0aG9yaXRpZXMxEDAO\nBgNVBAMTB015UHJveHkwHhcNMTIwMjAxMTUxMzE2WhcNMTIwMjEyMTUxODE2WjBd\nMQswCQYDVQQGEwJVUzE4MDYGA1UEChMvTmF0aW9uYWwgQ2VudGVyIGZvciBTdXBl\ncmNvbXB1dGluZyBBcHBsaWNhdGlvbnMxFDASBgNVBAMTC0JyeWNlIEFsbGVuMIIB\nIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArUf36B5rWNeguv3ZvCWE+xUs\nCEB3hGsp/fUv9I0RP3sSd+A4O7/Md0y12bDo+KsbQUsrFWg8mAqltloRgZzeyP5R\nYyp4ZD1xtGJLYzju6BIGJHC5AhXMvQO6LUzpOAJjXjYs2Isn0d0C6Bg3Z83jwVc5\nALzXFVKhe9UH+sphBmn/SjIjWst9AaGeF7xQNyibfMEMcmLNniPRAIpTp9W3uTOb\n3SgBWkBRBIu04qc1diTRViB6ZQ6gUiuBoIF810nDfozFg/I9IlltIIBJwOtl8W78\nK4A9rNGX9m9E0JXHUaIslJKYiAv/pKa4VeyWQ8rvDXzCh8UEu9alJqJj4A1DpwID\nAQABo4HOMIHLMA4GA1UdDwEB/wQEAwIEsDAdBgNVHQ4EFgQUC5UaHZjimiwXo2Bl\nzrOWRMi8i+swHwYDVR0jBBgwFoAU1/ylAnY69hP6K6Hg5lA1xyPHe1EwDAYDVR0T\nAQH/BAIwADA0BgNVHSAELTArMAwGCisGAQQBpD5kAgUwDAYKKoZIhvdMBQICAzAN\nBgsqhkiG90wFAgMCATA1BgNVHR8ELjAsMCqgKKAmhiRodHRwOi8vY2EubmNzYS51\naXVjLmVkdS9mMmU4OWZlMy5jcmwwDQYJKoZIhvcNAQEFBQADggEBAKamGeSfMyQN\nOjanlYcDfmX5QVFHNk11WG+pPaOP45s8XyZ5qPBqmFcEQzQ99oq9N34fabkSNWaM\niEXoCQ/y3+LOvxzWqlmKXkZphPlTtz5Q7H57hggow42cvTf44ZKQPCNWr6WRK965\nF48PzgpRr4Sp+NXoK8/FLZNsunxzluttPMc8ihqFRuX+ssi7fXTG+2qvythX1v4a\ncJc4S1YLpTK3CKQXkRhvdJt7f2GMgUm7xFAb2XNNEEYHiu5T6fINyFW//bvShlg2\nJVzWhEuKWca6O1bn/wPH0oiMfLY/USJYUwExNCXRHUzLSGE67VuIEB/256x9ZB2e\nN1w+he3jSXI=\n-----END
> >        CERTIFICATE-----\n\n",
> >        "type": "delegate_proxy"
> >       }
> >    ]
> > }
> >
> > It may include additional (unused) activation requirements in the
> > DATA list, and other fields that were part of the original response
> > from the server, so you can just take the response and add the
> > proxy_chain value. However those are all optional and are ignored
> > anyway.
> >
> > Hope that helps,
> > Bryce
> >
> > On Tue, 31 Jan 2012 23:26:20 -0500
> > Maxim Potekhin <potekhin at bnl.gov> wrote:
> >> Hello,
> >>
> >> when I look at activation requirements, I observe that they seem to
> >> be tailored to password-based auth with MyProxy server. In our
> >> situation, we need cert-based auth. Is it still possible?
> >>
> >> Thanks
> >>
> >> Maxim
> >>
> >> _______________________________________________
> >> transfer-api mailing list
> >> transfer-api at lists.globusonline.org
> >> https://lists.globusonline.org/mailman/listinfo/transfer-api
> >>
> 
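
Added example (not part of the original message and not code from the transfer-api client): one way to do the "take the response and add the proxy_chain value" step from the quoted message, while refusing to send anything but certificates, since a credential or proxy file usually also holds the private key. The `public_key` entry name, the helper names and the sample data are assumptions constructed for illustration, and the proxy certificate itself is assumed to have been built elsewhere (for instance by create_proxy).

```python
import base64
import copy
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)


def split_pem(text):
    """Return [(label, der_bytes), ...] for every PEM block in text."""
    return [(label, base64.b64decode("".join(body.split()), validate=True))
            for label, body in PEM_BLOCK.findall(text)]


def fill_proxy_chain(requirements, proxy_pem, issuer_chain_pem):
    """Return a copy of the server's requirements with proxy_chain filled in."""
    # proxy_pem: new proxy cert; issuer_chain_pem: user cert + rest of chain.
    chain = proxy_pem.strip() + "\n" + issuer_chain_pem.strip() + "\n"
    blocks = split_pem(chain)
    labels = [label for label, _ in blocks]
    # Credential files usually hold the private key too; it must never be sent.
    if any("PRIVATE KEY" in label for label in labels):
        raise ValueError("private key found in material meant for proxy_chain")
    if len(blocks) < 2 or any(label != "CERTIFICATE" for label in labels):
        raise ValueError("need the proxy cert plus at least the user cert")
    if any(der[:1] != b"\x30" for _, der in blocks):  # DER SEQUENCE tag
        raise ValueError("a chain entry is not DER-encoded")
    filled = copy.deepcopy(requirements)
    targets = [r for r in filled["DATA"] if r.get("type") == "delegate_proxy"
               and r.get("name") == "proxy_chain"]
    if len(targets) != 1:
        raise ValueError("expected exactly one proxy_chain requirement")
    targets[0]["value"] = chain
    return filled


def constructed_pem(label, der=b"\x30\x03\x02\x01\x01"):
    """Constructed stand-in PEM block (not a real certificate or key)."""
    body = base64.b64encode(der).decode()
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)


# Constructed server response; the "public_key" entry name is an assumption.
SAMPLE_RESPONSE = {"DATA_TYPE": "activation_requirements", "DATA": [
    {"DATA_TYPE": "activation_requirement", "type": "delegate_proxy",
     "name": "public_key", "value": "(constructed placeholder)"},
    {"DATA_TYPE": "activation_requirement", "type": "delegate_proxy",
     "name": "proxy_chain", "value": None}]}
```

Passing the whole contents of a credential file as issuer_chain_pem raises ValueError instead of putting the key into the request body.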