[transfer-api] Can I use cert-based authentication with MyProxy?

Bryce Allen ballen at ci.uchicago.edu
Wed Feb 1 10:20:29 CST 2012


Oh I forgot about that - another thing I need to add to the docs.
M2Crypto is required to create and sign the proxy, since it's not
supported in the standard libraries. It might also be reasonable to
call the openssl command to do the work, to avoid the extra python
module dependency.

In any case, are you able to install M2Crypto? Most distributions have
packages for it, or if you have the python/openssl dev libraries
installed it should install cleanly with easy_install.

In Fedora/RHEL/CentOS:

$ yum install m2crypto

In Ubuntu/Debian:

$ apt-get install python-m2crypto

-Bryce

On Wed, 01 Feb 2012 11:11:37 -0500
Maxim Potekhin <potekhin at bnl.gov> wrote:
> Bryce,
> 
> this is what I get when I try to run the example:
> 
> [mxp at pandadev01 ~/globus-test]$ ./t1.py
> Traceback (most recent call last):
>    File "./t1.py", line 70, in <module>
>      proxy = create_proxy_from_file(cred_file, public_key)
>    File "/usatlas/u/mxp/globusonline-transfer-api-client-python-7e08617/globusonline/transfer/api_client/__init__.py", line 1058, in create_proxy_from_file
>      return create_proxy(issuer_cred, public_key, lifetime)
>    File "/usatlas/u/mxp/globusonline-transfer-api-client-python-7e08617/globusonline/transfer/api_client/__init__.py", line 1067, in create_proxy
>      from M2Crypto import X509, RSA, EVP, ASN1, BIO
> ImportError: No module named M2Crypto
> 
> 
> 
> 
> On 2/1/2012 10:54 AM, Bryce Allen wrote:
> > delegate_proxy_activate.py does that, it just doesn't have good
> > documentation - I'll add usage info to the docstring. I would avoid
> > trying to do it manually based on the RFC unless you absolutely
> > can't use the Python code. You run it like this:
> >
> > delegate_proxy_activate.py USERNAME 'ENDPOINT_NAME' /path/to/cred \
> >   -k /path/to/client/auth/key \
> >   -c /path/to/client/auth/cert \ # often the same as key
> >   -C ../ca/gd-bundle_ca.cert
> >
> > It has the same options as the transfer_api main script, but adds two
> > required arguments for ENDPOINT_NAME (which needs to be quoted in
> > case it contains a #) and the path to an X509 credential or proxy.
> >
> > It's on my todo list to improve the option parsing and support a
> > config file so the options don't have to be passed every time.
> >
> > -Bryce
> >
> > On Wed, 01 Feb 2012 10:40:05 -0500
> > Maxim Potekhin <potekhin at bnl.gov> wrote:
> >> Thanks Bryce. I find the process fairly hard to understand and
> >> follow in detail.
> >> Let's say I have a X509 proxy (or cert) which I previously supplied
> >> to Globus Online.
> >> It would be fantastic to have a method that would simply take a
> >> path to that proxy and do the activation. Or does
> >> delegate_proxy_activate.py do exactly that?
> >>
> >> In the example that you link to, the delegate_proxy_activate.py --
> >> is that enough or should I follow the rest of the e-mail as in
> >> instruction?
> >>
> >> Thanks
> >>
> >> Maxim
> >>
> >>
> >> On 2/1/2012 10:32 AM, Bryce Allen wrote:
> >>> There's an example of how to do this from Python on github (it's
> >>> just not part of the PyPI package):
> >>>
> >>> https://github.com/globusonline/transfer-api-client-python/blob/master/examples/delegate_proxy_activate.py
> >>>
> >>> This RFC for how this works is still accurate except that there is
> >>> no 'public_key_expires' field:
> >>> https://lists.globusonline.org/mailman/private/transfer-api/2011-March/000030.html
> >>>
> >>> The key field that needs to be sent in the activation requirements
> >>> is the proxy_chain. It's a proxy certificate using the public key
> >>> sent by the server, signed by the users credential, together with
> >>> the user certificate and any other certificates in the chain. It's
> >>> non trivial to construct - see the 'create_proxy' function in the
> >>> main client file:
> >>> https://github.com/globusonline/transfer-api-client-python/blob/master/globusonline/transfer/api_client/__init__.py
> >>>
> >>> The filled in requirements will look something like this:
> >>>
> >>> {
> >>>     "DATA_TYPE": "activation_requirements",
> >>>     "DATA": [
> >>>        {
> >>>         "name": "proxy_chain",
> >>>         "DATA_TYPE": "activation_requirement",
> >>>         "value": " "-----BEGIN
> >>>         CERTIFICATE-----\nMIIEfTCCA2WgAwIBAgIJALtiJziHQJt0MA0GCSqGSIb3DQEBBQUAMF0xCzAJBgNV\nBAYTAlVTMTgwNgYDVQQKEy9OYXRpb25hbCBDZW50ZXIgZm9yIFN1cGVyY29tcHV0\naW5nIEFwcGxpY2F0aW9uczEUMBIGA1UEAxMLQnJ5Y2UgQWxsZW4wHhcNMTIwMjAx\nMTUyMjM0WhcNMTIwMjAxMTYyMjM0WjB8MQswCQYDVQQGEwJVUzE4MDYGA1UEChMv\nTmF0aW9uYWwgQ2VudGVyIGZvciBTdXBlcmNvbXB1dGluZyBBcHBsaWNhdGlvbnMx\nFDASBgNVBAMTC0JyeWNlIEFsbGVuMR0wGwYDVQQDExQxMzUwMjM5Nzc1NjU1MDk3\nODQyMDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAL5YTLyFj1mS5neE\nkbSagSNAfpSWcieT3aLV51gKnq7+oWQecDLsTJO4vzxpaCdWEN+xYTvfTglkiSSL\naldzE9f9b+YjpN5WtWJ4HWCIaNyooFkGoOmwmSKsRZ8O9eSEabfbAT9OdV6OH2AE\nY77d+fwDi4jmpKj9qFcyakBPhZaxhUGdjUMWfTjjMhjWlkKPTd0V/rW2e2MSFiy6\nhLG1bCNe1Wa2wFzFDdDgaLoc2uIeVGXf/c7wRxGpMGqoD8mf+xVCKY6WypsM9Zje\nKqO7kWO++3fa4s87SE5xsMAVZ1geMHc6IFyg5HLgs13cxq1vzLLpZSmxZ8undYLO\njgfHCXf13uqhcAQ0OIB4/agosffGHyaSbv6xjhUb/UiVKLkVPwbLaPx9/lyEp0Jr\nALEI8lg5pGemUWnplWFla6jNCdzNvEseY3L2pZlL9B0AZ7E9c5JcyHbBBKZod7An\nHElzyRw/EytT+ZO3r2MH7lYnEobkts2uiBfowbKYdE/QjlKcFIo0nqlC50MOZVxq\nL8T17xfdSLJRVR0nmCn41shNNJ8VPjNUNyOiYSsSDxhcqRlPMQgjSx5VGnOIr//w\nb+tO3sG2QgdYBw6LaaWVchK9Udq+1j8ZcI3fppA67Bz/erHLxSJm49LrewqoPJDJ\nfFCyMIaoNyyuF3mXrSIRUdNIxCpjAgMBAAGjITAfMB0GCCsGAQUFBwEOAQH/BA4w\nDDAKBggrBgEFBQcVATANBgkqhkiG9w0BAQUFAAOCAQEApBRRIwJKGYm5VYaljXT7\nKnF42etZua/7Z0xofYePJUQLOO909ffMM880Y4K0b88b+UNhoIusoyw5pWRpE2X8\nlvfUsVnGYuatb/66IYqUu0RLF8j0xm5twHGfFzAX1M8G4jQJELzugYA3BR9gEDdg\nJfK1Z+PK2iYDuqj+ModJyQhW75arHu/kNRyAWrPk8jo4NzIyUzVKQXGwFbmQbK+d\n0yGHb0tIvGyCIoSnd03AhqWhuE7zzpNUkX/KGTDTBJ9mouVMXVo4yUBIRfbaG0xW\nhGBqZNDfC4HhELA2afxZduo8dplOVqYCE37CAtRJFgOC1Om87yT8pAHnzgHhukZL\nAQ==\n-----END
> >>>         CERTIFICATE-----\n-----BEGIN
> >>>         CERTIFICATE-----\nMIIEJDCCAwygAwIBAgIDF2whMA0GCSqGSIb3DQEBBQUAMHsxCzAJBgNVBAYTAlVT\nMTgwNgYDVQQKEy9OYXRpb25hbCBDZW50ZXIgZm9yIFN1cGVyY29tcHV0aW5nIEFw\ncGxpY2F0aW9uczEgMB4GA1UECxMXQ2VydGlmaWNhdGUgQXV0aG9yaXRpZXMxEDAO\nBgNVBAMTB015UHJveHkwHhcNMTIwMjAxMTUxMzE2WhcNMTIwMjEyMTUxODE2WjBd\nMQswCQYDVQQGEwJVUzE4MDYGA1UEChMvTmF0aW9uYWwgQ2VudGVyIGZvciBTdXBl\ncmNvbXB1dGluZyBBcHBsaWNhdGlvbnMxFDASBgNVBAMTC0JyeWNlIEFsbGVuMIIB\nIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArUf36B5rWNeguv3ZvCWE+xUs\nCEB3hGsp/fUv9I0RP3sSd+A4O7/Md0y12bDo+KsbQUsrFWg8mAqltloRgZzeyP5R\nYyp4ZD1xtGJLYzju6BIGJHC5AhXMvQO6LUzpOAJjXjYs2Isn0d0C6Bg3Z83jwVc5\nALzXFVKhe9UH+sphBmn/SjIjWst9AaGeF7xQNyibfMEMcmLNniPRAIpTp9W3uTOb\n3SgBWkBRBIu04qc1diTRViB6ZQ6gUiuBoIF810nDfozFg/I9IlltIIBJwOtl8W78\nK4A9rNGX9m9E0JXHUaIslJKYiAv/pKa4VeyWQ8rvDXzCh8UEu9alJqJj4A1DpwID\nAQABo4HOMIHLMA4GA1UdDwEB/wQEAwIEsDAdBgNVHQ4EFgQUC5UaHZjimiwXo2Bl\nzrOWRMi8i+swHwYDVR0jBBgwFoAU1/ylAnY69hP6K6Hg5lA1xyPHe1EwDAYDVR0T\nAQH/BAIwADA0BgNVHSAELTArMAwGCisGAQQBpD5kAgUwDAYKKoZIhvdMBQICAzAN\nBgsqhkiG90wFAgMCATA1BgNVHR8ELjAsMCqgKKAmhiRodHRwOi8vY2EubmNzYS51\naXVjLmVkdS9mMmU4OWZlMy5jcmwwDQYJKoZIhvcNAQEFBQADggEBAKamGeSfMyQN\nOjanlYcDfmX5QVFHNk11WG+pPaOP45s8XyZ5qPBqmFcEQzQ99oq9N34fabkSNWaM\niEXoCQ/y3+LOvxzWqlmKXkZphPlTtz5Q7H57hggow42cvTf44ZKQPCNWr6WRK965\nF48PzgpRr4Sp+NXoK8/FLZNsunxzluttPMc8ihqFRuX+ssi7fXTG+2qvythX1v4a\ncJc4S1YLpTK3CKQXkRhvdJt7f2GMgUm7xFAb2XNNEEYHiu5T6fINyFW//bvShlg2\nJVzWhEuKWca6O1bn/wPH0oiMfLY/USJYUwExNCXRHUzLSGE67VuIEB/256x9ZB2e\nN1w+he3jSXI=\n-----END
> >>>         CERTIFICATE-----\n\n"", "type": "delegate_proxy", } ],
> >>> }
> >>>
> >>> It may include additional (unused) activation requirements in the
> >>> DATA list, and other fields that were part of the original
> >>> response from the server, so you can just take the response and
> >>> add the proxy_chain value. However those are all optional and are
> >>> ignored anyway.
> >>>
> >>> Hope that helps,
> >>> Bryce
> >>>
> >>> On Tue, 31 Jan 2012 23:26:20 -0500
> >>> Maxim Potekhin <potekhin at bnl.gov> wrote:
> >>>> Hello,
> >>>>
> >>>> when I look at activation requirements, I observe that they seem
> >>>> to be tailored to password-based auth with MyProxy server. In our
> >>>> situation, we need cert-based auth. Is it still possible?
> >>>>
> >>>> Thanks
> >>>>
> >>>> Maxim
> >>>>
> >>>> _______________________________________________
> >>>> transfer-api mailing list
> >>>> transfer-api at lists.globusonline.org
> >>>> https://lists.globusonline.org/mailman/listinfo/transfer-api
> >>>>
> 
> 
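Bryce mentions above that calling the openssl command would avoid the M2Crypto dependency. The script below is an added example, not the transfer-api-client's own code, that builds the proxy_chain described earlier (proxy cert on the server-supplied public key, signed by the user credential, followed by the user cert) with the openssl CLI alone. It assumes openssl is on PATH; the "server" key pair, the self-signed "user" cert, and all file and function names are constructed stand-ins.

```shell
# Added example (not transfer-api-client code): delegate proxy_chain via the
# openssl CLI. server_pub.pem stands in for the public key the service sends in
# the activation requirements; usercert.pem stands in for a CA-issued credential.
set -eu

build_proxy_chain() {   # $1 = scratch directory; writes $1/proxy_chain.pem
    d=$1
    printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = unused\n' > "$d/req.cnf"
    # RFC 3820 proxyCertInfo, inheritAll policy, critical: the same extension
    # the sample proxy quoted in the thread carries.
    printf '[proxy_ext]\nproxyCertInfo = critical,language:id-ppl-inheritAll\n' > "$d/ext.cnf"
    # 1. The user's credential (self-signed here; normally CA-issued).
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/userkey.pem" 2>/dev/null
    openssl req -config "$d/req.cnf" -new -x509 -key "$d/userkey.pem" -days 30 \
        -subj "/C=US/O=Example Org/CN=Test User" -out "$d/usercert.pem" 2>/dev/null
    # 2. The server's key pair; only its public half is ever seen by the client.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/server_key.pem" 2>/dev/null
    openssl pkey -in "$d/server_key.pem" -pubout -out "$d/server_pub.pem"
    # 3. A throwaway CSR only carries the proxy subject (user DN plus numeric CN);
    #    -force_pubkey swaps in the server's public key before the user key signs.
    serial=$(od -An -N4 -tu4 /dev/urandom | tr -d ' ')
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/dummy.pem" 2>/dev/null
    openssl req -config "$d/req.cnf" -new -key "$d/dummy.pem" \
        -subj "/C=US/O=Example Org/CN=Test User/CN=$serial" -out "$d/proxy.csr" 2>/dev/null
    openssl x509 -req -in "$d/proxy.csr" -force_pubkey "$d/server_pub.pem" \
        -CA "$d/usercert.pem" -CAkey "$d/userkey.pem" -set_serial "$serial" -days 1 \
        -extfile "$d/ext.cnf" -extensions proxy_ext -out "$d/proxy.pem" 2>/dev/null
    # 4. proxy_chain = the new proxy cert followed by the signing credential(s).
    cat "$d/proxy.pem" "$d/usercert.pem" > "$d/proxy_chain.pem"
}

# Checks worth running before the chain is sent: the proxy carries the server's
# key, is issued by the user cert, has the proxy extension, and the chain is whole.
verify_proxy_chain() {
    d=$1
    openssl x509 -in "$d/proxy.pem" -noout -pubkey | cmp -s - "$d/server_pub.pem" || return 1
    iss=$(openssl x509 -in "$d/proxy.pem" -noout -issuer | sed 's/^issuer=//')
    subj=$(openssl x509 -in "$d/usercert.pem" -noout -subject | sed 's/^subject=//')
    [ "$iss" = "$subj" ] || return 1
    openssl x509 -in "$d/proxy.pem" -noout -text | grep -q 'Proxy Certificate Information' || return 1
    [ "$(grep -c 'BEGIN CERTIFICATE' "$d/proxy_chain.pem")" -eq 2 ]
}

work=$(mktemp -d)
build_proxy_chain "$work"
verify_proxy_chain "$work" && echo "proxy_chain written to $work/proxy_chain.pem"
```

The contents of proxy_chain.pem are what goes into the "value" of the proxy_chain activation requirement; in real use the server's public key comes from the activation requirements response rather than a locally generated pair.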