[transfer-api] Can I use cert-based authentication with MyProxy?

Maxim Potekhin potekhin at bnl.gov
Wed Feb 1 13:11:27 CST 2012


Thanks Bryce.

What's the logic behind having to encrypt the client proxy?
Can we do without it?

Maxim


On 2/1/2012 2:05 PM, Bryce Allen wrote:
> It might be possible using a small C program to create the
> certificate, and then the openssl command to sign. The problem is that
> the openssl command only supports creating certificates using CSRs,
> which are not sent by the Transfer API server and require the private
> key to work. Since the channel is already authenticated, we currently
> just send the public key. Another option would be to modify the API to
> send a CSR (possibly alongside the public key so it's backward
> compatible), but server side changes take a lot more time to get
> released.
>
> I'll take a quick look at how hard it would be to write the required C
> program.
>
> -Bryce
>
> On Wed, 01 Feb 2012 13:53:14 -0500
> Maxim Potekhin <potekhin at bnl.gov> wrote:
>> Bryce,
>>
>> I don't have a working M2 on any of my nodes, and my attempts to
>> build it failed, in one case due to an old swig and then because of
>> non-standard location of openssl headers. The installer does not seem
>> to be flexible enough to correct this quickly and w/o root access
>> (which I don't have).
>>
>> Do you think you can provide an openssl recipe? That would allow us to
>> move forward, because otherwise I don't see how we can code up our
>> client.
>>
>> Thanks
>>
>> Maxim
>>
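
Added example, not part of the original thread and not Transfer API code: current OpenSSL releases have an `x509 -force_pubkey` option, so the command line can sign a certificate over a bare public key by pairing it with a throwaway CSR, which is the gap described above. All file and subject names are constructed, and the output lacks the RFC 3820 proxyCertInfo extension that a real proxy certificate needs.

```shell
#!/bin/sh
# Constructed example: every path and subject name below is a placeholder.
set -eu

# sign_bare_pubkey ISSUER_CERT ISSUER_KEY PUBKEY_PEM SUBJECT OUT_CERT
# Issues a certificate for PUBKEY_PEM without ever seeing its private key.
sign_bare_pubkey() {
    issuer_cert=$1; issuer_key=$2; pubkey=$3; subject=$4; out=$5
    tmp=$(mktemp -d)
    # Throwaway key: exists only so `openssl req` can self-sign a CSR.
    openssl genrsa -out "$tmp/dummy.key" 2048 >/dev/null 2>&1
    openssl req -new -key "$tmp/dummy.key" -subj "$subject" \
        -out "$tmp/dummy.csr" >/dev/null 2>&1
    # -force_pubkey swaps the CSR's key for the one received from the peer.
    openssl x509 -req -in "$tmp/dummy.csr" -force_pubkey "$pubkey" \
        -CA "$issuer_cert" -CAkey "$issuer_key" -set_serial 1 \
        -days 1 -sha256 -out "$out" >/dev/null 2>&1
    rm -rf "$tmp"
}

# demo: builds constructed inputs, signs, and prints the working directory
# if the issued certificate carries exactly the supplied public key.
demo() {
    d=$(mktemp -d)
    # Constructed issuer credential (stands in for the user's certificate).
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/user.key" \
        -subj "/O=Example/CN=Example User" -days 1 \
        -out "$d/user.pem" >/dev/null 2>&1
    # Constructed peer key pair; only peer.pub is handed to the signer.
    openssl genrsa -out "$d/peer.key" 2048 >/dev/null 2>&1
    openssl rsa -in "$d/peer.key" -pubout -out "$d/peer.pub" >/dev/null 2>&1
    sign_bare_pubkey "$d/user.pem" "$d/user.key" "$d/peer.pub" \
        "/O=Example/CN=Example User/CN=delegated" "$d/out.pem"
    issued=$(openssl x509 -in "$d/out.pem" -noout -pubkey)
    supplied=$(cat "$d/peer.pub")
    [ "$issued" = "$supplied" ] && echo "$d"
}

demo >/dev/null && echo "issued certificate carries the supplied public key"
```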


