2.2. Managing credentials: GSI certificates¶
For GSI certificate-based authentication, mdtmFTP uses the same security model as Globus Toolkit. As of January 2018, Globus Toolkit is retired, and now it is succeeded by software maintained by Grid Community Forum (GCF). For a detailed discussion about GSI security, please refer to the GCF document section on Configuring Security for GridFTP.
Setting up GSI secuirty involves two tasks:
To intall and configure user credentials.
To install and configure host credentials.
2.2.1. User credentials¶
2.2.1.1. Requesting and installing user certificates on the client side¶
CILogon issues user certificates. We recommend requesting user certificates from CILogon. Or you can choose to request user certificates from your preferred CAs.
A user can obtain and install an CILogon user certicate by following the steps below:
go to CILogon to obtain a user certificate.
install the obtained certificate in the user’s home directory,
~/.globus/usercred.p12,use
chmodto protect it from unauthorized access:
$ chmod 0600 ~/.globus/usercred.p12
(For details, see CILogon FAQ entry: “Can I download a CILogon certificate to my computer?”.)
The usercred.p12 file is password protected when it is downloaded
from CILogon. For simplicity of use, you may want to derive a
password-free userkey.pem and usercert.pem from
~/.globus/usercred.p12:
$ cd ~/.globus
$ openssl pkcs12 -in usercred.p12 -nokeys -out usercert.pem
$ openssl pkcs12 -in usercred.p12 -nocerts -out userkey.pem
$ chmod 0600 userkey.pem
Enter password for ~/.globus/usercred.p12 when prompted. The
resulting key and certificate will be password-free.
2.2.1.2. Setting up trust paths for user certificates on the server side¶
To verify CILogon user certificates, you need to install CILogon CA bundle, available at the download site, on the server side.
Download the CA bundle:
$ cd ~
$ wget https://cilogon.org/cilogon-ca-certificates.tar.gz
Create the directory /etc/grid-security/certificates if it doesn’t
exist:
$ sudo mkdir -p /etc/grid-security/certificates
Install CILogon CA bundle in /etc/grid-security/certificates:
$ cd /etc/grid-security/certificates
$ sudo tar zxvf ~/cilogon-ca-certificates.tar.gz --strip-components 2
2.2.1.3. Granting access to mdtmFTP server on the server side¶
To grant access to mdtmFTP server for a given user, you need
edit /etc/grid-security/grid-mapfile to create the mapping
between the user’s certificate and a local user account on the server side.
Obtain the user’s certificate Common Name (CN) from
usercert.pem:
$ openssl x509 -in ~/.globus/usercert.pem -noout -subject
subject=DC = org, DC = cilogon, C = US, O = Fermi National Accelerator Laboratory, OU = People, CN = BDE User, CN = UID:bdeuser
2. Map the certificate CN to a local user account.
A line like below need to be added in /etc/grid-security/grid-mapfile:
"/DC=org/DC=cilogon/C=US/O=Fermi National Accelerator Laboratory/OU=People/CN=MDTM User/CN=UID:mdtmftp" mdtmftp
Note: please do not map user certificates to root.
2.2.2. Host credentials¶
2.2.2.1. Requesting and intalling host certificates on the server side¶
You need request a host certificate for each mdtmFTP server host. We recommend requesting host certificates from one of the following CAs:
Install host key and certificate files in:
/etc/grid-security/hostkey.pem/etc/grid-security/hostcert.pem
Set appropriate ownship and permission for hostkey.pem and hostcert.pem:
$ cd /etc/grid-security
$ sudo chown root:root hostcert.pem hostkey.pem
$ sudo chmod 0600 hostkey.pem
$ sudo chmod 0644 hostcert.pem
2.2.2.2. Setting up trust paths for host certificates on the client side¶
You may request host certificates from one or multiple CAs.
To verify host certificates on the client side, all related CA
certificates must be insatlled under the path /etc/grid-security/certificates
on the client side.
If you are using a host certificate signed by InCommon or LetsEncrypt, you can simply install CILogon CA bundle, available at the download site. The CILogon CA bundle includes InCommon and LetsEncrypt’s CA certificates.
Download the CA bundle:
$ cd ~
$ wget https://cilogon.org/cilogon-ca-certificates.tar.gz
Create the directory /etc/grid-security/certificates if it doesn’t
exist:
$ sudo mkdir -p /etc/grid-security/certificates
Install CILogon CA bundle in /etc/grid-security/certificates:
$ cd /etc/grid-security/certificates
$ sudo tar zxvf ~/cilogon-ca-certificates.tar.gz --strip-components 2
If you are using host certificates signed by a SimpleCA instance, you
will need to add the instance’s CA certificate to your trust path, in
/etc/grid-security/certificate. You can install the certificate
by installing the RPM or DEB package created by running the
grid-ca-package command in your SimpleCA node. See notes under
Using SimpleCA for details.
2.2.3. Verifying trust paths¶
You can verify whether user and host credentials have been correctly configured
by using GSI-enabled OpenSSH, also known as gsissh.
Follow the below steps:
Install gsissh server on mdtmFTP server host:
$ sudo yum install gsi-openssh-serverOn the server host, change the default gsissh port
With the default configuration in
/etc/gsisshd/sshd_config, gsissh will attempt to run on port 22, but it will likely conflict with any “regular” ssh services that we have on that port. Pleae change the default gsissh port:$ sudo vim /etc/gsisshd/sshd_config # Change port to 2202
On the server host, start gsissh server in debug mode:
$ sudo systemctl stop gsisshd $ sudo /usr/sbin/gsisshd -d
Install gsissh client on mdtmFTP client host:
$ sudo yum install gsi-openssh-clientsFrom the client, try connecting to the server:
$ gsissh -p 2202 $USER@$HOST \ -o PasswordAuthentication=no \ -o PubkeyAuthentication=no \ -o GSSAPIAuthentication=yes
Replace
$USERand$HOSTas appropriate.
If the above steps worked well, you will get a shell on the host. Otherwise, use the debug messages from both the client and the server to figure out what went wrong.
If things went well, and if you need gsissh again, you can enable and start the service:
$ sudo systemctl enable gsisshd
$ sudo systemctl start gsisshd