diff --git a/README/README.GLOBUS b/README/README.GLOBUS
index e247118bf3e5e21adff755dd4a42d8be17e8a148..ff39081063ad665b41853aabb7f987bb2371ec49 100644
--- a/README/README.GLOBUS
+++ b/README/README.GLOBUS
@@ -54,29 +54,29 @@ Globus Authentication has been tested for the moment only on Linux. ... Checking for globusdir ... no -Checking for GLOBUS_LOCATION ... <Your_GLOBUS_LOCATION> -Checking for openssl/x509.h ... <Your_GLOBUS_LOCATION>/include/<flavour> -Checking for openssl/pem.h ... <Your_GLOBUS_LOCATION>/include/<flavour> -Checking for globus_gss_assist.h ... <Your_GLOBUS_LOCATION>/include/<flavour> -Checking for globus_gss_common.h ... <Your_GLOBUS_LOCATION>/include/<flavour> -Checking for globus_gsi_credential.h ... <Your_GLOBUS_LOCATION>/include/<flavour> +Checking for GLOBUS_LOCATION ... <GLBSLOC> +Checking for openssl/x509.h ... <GLBSLOC>/include/<flavour> +Checking for openssl/pem.h ... <GLBSLOC>/include/<flavour> +Checking for globus_gss_assist.h ... <GLBSLOC>/include/<flavour> +Checking for globus_gss_common.h ... <GLBSLOC>/include/<flavour> +Checking for globus_gsi_credential.h ... <GLBSLOC>/include/<flavour> Checking for gsi version ... yes -Checking for libglobus_gss_assist_<flavour> ... <Your_GLOBUS_LOCATION>/lib -Checking for libglobus_gssapi_gsi_<flavour> ... <Your_GLOBUS_LOCATION>/lib -Checking for libssl_<flavour> ... <Your_GLOBUS_LOCATION>/lib -Checking for libcrypto_<flavour> ... <Your_GLOBUS_LOCATION>/lib -Checking for libglobus_gsi_credential_<flavour> ... <Your_GLOBUS_LOCATION>/lib -Checking for globus-user-env.sh ... <Your_GLOBUS_LOCATION>/etc -Checking for grid-proxy-init ... <Your_GLOBUS_LOCATION>/bin -Checking pkg_data_<flavour>_rtl.gpt ... <Your_GLOBUS_LOCATION>/etc/globus_packages/globus_gsi_credential +Checking for libglobus_gss_assist_<flavour> ... <GLBSLOC>/lib +Checking for libglobus_gssapi_gsi_<flavour> ... <GLBSLOC>/lib +Checking for libssl_<flavour> ... <GLBSLOC>/lib +Checking for libcrypto_<flavour> ... <GLBSLOC>/lib +Checking for libglobus_gsi_credential_<flavour> ... <GLBSLOC>/lib +Checking for globus-user-env.sh ... <GLBSLOC>/etc +Checking for grid-proxy-init ... <GLBSLOC>/bin +Checking pkg_data_<flavour>_rtl.gpt ... 
<GLBSLOC>/etc/globus_packages/globus_gsi_credential Checking for of globus patch ... yes, version <globus_gsi_credential version> Checking for patch version consistency ... yes -Checking for globus_gsi_system_config.h ... <Your_GLOBUS_LOCATION>/include/<flavour> -Checking for globus_gsi_cert_utils.h ... <Your_GLOBUS_LOCATION>/include/<flavour> +Checking for globus_gsi_system_config.h ... <GLBSLOC>/include/<flavour> +Checking for globus_gsi_cert_utils.h ... <GLBSLOC>/include/<flavour> Applying experimental patch to globus_gsi_credential.c ... - where <flavour> is either gcc32 or gcc32dbg, and <Your_GLOBUS_LOCATION> + where <flavour> is either gcc32 or gcc32dbg, and <GLBSLOC> is the env $GLOBUS_LOCATION. The last 3 lines appear only if the patch is needed and activated. 
@@ -185,103 +185,99 @@ cd ../.. 3.2) On the SERVER side - .1) Running as 'root' (or with su privileges) + The servers daemons (rootd/proofd/TServerSocket) need a valid service-type + certificate and key pair to handshake mutual authentication with the + client. - The servers rootd/proofd make use of the host certificate ( <CA bla - bla>/CN=host/<FQDN>) located by default in - - /etc/grid-security/hostcert.pem - - and the related private key (default in - /etc/grid-security/hostkey.pem). The environment variable - X509_USER_CERT should be set to point to this file. - - No proxies are needed for the host certificate. - - Server Configuration file: - both daemon servers accept as argument + By default, the search for a such a certificate/key pair is done in + the following order: + + - ROOT specific {certificate,key} under /etc/grid-security/root; + file names: rootcert.pem, rootkey.pem ; + + - host {certificate,key} under /etc/grid-security; + file names: hostcert.pem, hostkey.pem ; + + - user proxy {certificate,key} under /tmp, file name: x509up_<uid>; + + The reason to have the last one is to allow unprivileged users to + run GSI authentication for their own local server. Make sure that + the time validity of the proxy is long enough for the purposes of + the server. Proxies can initialized for any time duration (within + the time validity of the certificate) with + + grid-proxy-init -valid <large_number_of_hours>:0 + + The proxies *must be* initialized before the daemon tries to use + them, i.e. there is no prompt for proxy initialization as on the + client side. + + Any other service certificate may be used in place of the ROOT one: + the important point is that the key file can be read by the daemon. + To create a request for a ROOT specific certificate use + + grid-cert-request -service root -host <machine_FQDN> + + The certificate request will be placed under /etc/grid-security/root . 
+ If you do not have write permission of /etc/grid-security, you can + redirect grid-cert-request to write on a different directory using + '-dir <alternative_directory'. + + Alternative location(s) for the certificates to use can be specified + by means of the hostcert.conf file. By default this file is searched + for in /etc/root/hostcert.conf or in $ROOTSYS/etc/hostcert.conf . + However, daemon servers accept the argument -C <server_globus_conf_file> + + to specify an alternative location; for daemons based on TServerSocket + the ROOT environment variable + + SrvAuth.HostCert <server_globus_conf_file> + + is provided. + The hostcert.conf contains record lines specifying - By default this file is looked for in /etc/root/hostcert.conf or in - $ROOTSYS/etc/hostcert.conf and it contains record lines specifying - - <certificates_dir> <host_cert_file> <host_cert_key> <grid_mapfile> - - Record lines starting with '#' are considered as comments; an example: + <certificates_dir> <host_cert_file> <host_cert_key> <grid_mapfile> - < bof > - # This is an example of hostcert.conf ... - /etc/grid-security/certificates /etc/grid-security/hostcert.pem - /etc/grid-security/hostkey.pem /etc/grid-security/grid-mapfile - < eof > - - (nb: all the 4 records should be on the same line: here they are split - to make it more readable). + See the header of $ROOTSYS/etc/hostcert.conf for any details about + the syntax and sue of the file; as an example: - There may be as many line as there are valid certificate settings - (corresponding to different Certificates Authorities and potentially - to different DN-to-UserName mappings ). When a request for globus - authentication arrives, rootd/proofd look among their own certificates - if there is one issued by the same CA which has issued the client - certificate; if the search is successful they communicate the related - subject name to the client and setenv the relevant variables using to - the chosen configuration set. 
- - .2) Running as normal user - - In globus the authentication is governed by a process having superuser - privileges, usually a gatekeeper. The host certificate is not fully - accessible to a normal user, since the key cannot be read. Therefore - host credentials cannot be acquired by a server running as non-root. - - There is, however, the possibility to grant access to the local user - area; this can be done via valid user proxies, to be initialized - before the authentication is attempted. - Is is advised to initialize the user proxies for a very long time, - e.g. - - grid-proxy-init -valid 999999:0 - - (the actual duration is limited by the lifetime of the user certificate) - to be sure that for the running time of the daemon authentication is - possible. - That should be all. The /etc/root/hostcert.conf can still be used to - specify non standard certificate directory and mapping file (with the - same format), the two entries in between being meaningless. - Make sure that you have read access to hostcert.conf and to the files - and directories specified inside; it may be wise to use local user-owned - versions of these files and directories; example +< bof > +# This is an example of hostcert.conf to use the ldap service certificate + * /etc/grid-security/ldap/ldapcert.pem /etc/grid-security/ldap/ldapkey.pem * +< eof > - machine:~> cat $HOME/root/hostcert.conf + This file provides also a convenient way to specify certificate settings + corresponding to different Certificates Authorities and potentially + to different DN-to-UserName mappings. When a request for globus + authentication arrives, the daemons look among their own certificates + if there is one issued by the same CA which has issued the client + certificate; if the search is successful they communicate the related + subject name to the client and setenv the relevant variables using to + the chosen configuration set. 
- # This is the local configuration - $HOME/.globus/certificates * * $HOME/.globus/grid-mapfile + The hostcert.conf file can also be used to specify non-standard locations + for the user proxy files. - machine:~> rootd -d 3 -p 5151 -C $HOME/root/hostcert.conf -f $ROOTSYS .2.1) Using user proxies when running as 'root' (or with su privileges) - If a valid host certificate is not available, the server administrator - can still decide to run as 'root' and use the valid proxies of a user - registered on the machine to authenticate a client. - To activate this, the user certificate and key location should be - specified in the relevant hostcert.conf file, e.g. - - < bof > - # This is an example of hostcert.conf ... - /etc/grid-security/certificates /home/<user>/.globus/usercert.pem - /home/<user>/.globus/userkey.pem /etc/grid-security/grid-mapfile - < eof > - - (nb: all the 4 records should be on the same line: here they are split - to make it more readable). + If a valid host certificate is not available, the server administrator + can still decide to run as 'root' and use the valid proxies of a user + registered on the machine to authenticate a client. + To activate this, the user certificate and key location should be + specified in the relevant hostcert.conf file, e.g. + + < bof > + # This is an example of hostcert.conf ... + * /home/<user>/.globus/usercert.pem /home/<user>/.globus/userkey.pem * + < eof > - The program will then look for the proxy file associated with the owner - of the certificate and key files and use that to acquire the credentials - needed for authentication; as at point .2), the proxies must be - initialized before the relevant software tries to use them, i.e. - there is no prompt for proxy initialization. 
+ The program will then look for the proxy file associated with the owner + of the certificate and key files and use that to acquire the credentials + needed for authentication; as above, the proxies must be initialized + before the relevant software tries to use them. 4) Trying out @@ -373,4 +369,4 @@ May 27 12:49:46 pcepsft43 rootd[24031]: RootdLoop: kind:2004 -- buf:'/test.root .7) mailto: gerardo.ganis@cern.ch. -------------------------------------------------------------------------------------- -Last update: January 13, 2005 +Last update: February 22, 2005 diff --git a/etc/hostcert.conf b/etc/hostcert.conf index 3398d6d07b348d232429890f06608f10942230e1..f7096a826db3c6375ad3c26ba6c9ebbaafbd11aa 100644 --- a/etc/hostcert.conf +++ b/etc/hostcert.conf @@ -7,18 +7,19 @@ ### (default: /etc/grid-security/certificates) ### ### <host_cert_file> : host certificate file -### (default: /etc/grid-security/hostcert.pem) +### (defaults: /etc/grid-security/root/rootcert.pem, +### /etc/grid-security/hostcert.pem) ### ### <host_cert_key> : host key file -### (default: /etc/grid-security/hostkey.pem) +### (default: /etc/grid-security/root/rootkey.pem, +### /etc/grid-security/hostkey.pem) ### ### <grid_mapfile> : file for mapping local usernames to certificate subjects ### (default: /etc/grid-security/grid-mapfile) ### -### The wild card '*' can be used to leave a default for a field: this allows -### to change some fields without retyping everything +### The wild card '*' can be used to leave a default for a field. ### -### Lines can be commented by a '#' in the very first position (all the example +### Lines can be commented by a '#' in the first column (all the example ### below are commented) ### ### A few examples 
@@ -26,6 +27,9 @@ ### To use /etc/grid-security/grid-mapfile1 as map file # * * * /etc/grid-security/grid-mapfile1 ### +### To use the ldap service certificate +# * /etc/grid-security/ldap/ldapcert.pem /etc/grid-security/ldap/ldapkey.pem +### ### To use host certificates from a non standard location # * /etc/grid-security/cernCA/hostcert.pem /etc/grid-security/cernCA/hostkey.pem ### diff --git a/rpdutils/src/globus.cxx b/rpdutils/src/globus.cxx index 3a787a598500e7d09a7d84b57b131d47b8800ce6..d05b3189b2ac616f6073ecad73190a85a73d88a1 100644 --- a/rpdutils/src/globus.cxx +++ b/rpdutils/src/globus.cxx @@ -1,4 +1,4 @@ -// @(#)root/rpdutils:$Name: $:$Id: globus.cxx,v 1.8 2004/04/20 15:21:50 rdm Exp $ +// @(#)root/rpdutils:$Name: $:$Id: globus.cxx,v 1.9 2004/07/04 17:48:43 rdm Exp $ // Author: Gerardo Ganis 7/4/2003 /************************************************************************* @@ -67,8 +67,10 @@ int GlbsToolCheckCert(char *ClientIssuerName, char **SubjName) int retval = 1; std::string HostCertConf = "/hostcert.conf"; char *certdir_default = "/etc/grid-security/certificates"; - char *hostcert_default = "/etc/grid-security/hostcert.pem"; - char *hostkey_default = "/etc/grid-security/hostkey.pem"; + char *hostcert_default[2] = {"/etc/grid-security/root/rootcert.pem", + "/etc/grid-security/hostcert.pem"}; + char *hostkey_default[2] = {"/etc/grid-security/root/rootkey.pem", + "/etc/grid-security/hostkey.pem"}; char *gridmap_default = "/etc/grid-security/grid-mapfile"; char dir_def[kMAXPATHLEN] = { 0 }, cert_def[kMAXPATHLEN] = { 0 }, key_def[kMAXPATHLEN] = { 0 }, map_def[kMAXPATHLEN] = { 0 }; @@ -77,6 +79,7 @@ int GlbsToolCheckCert(char *ClientIssuerName, char **SubjName) X509 *xcert = 0; FILE *fcert = 0; char *issuer_name = 0; + int id = 0; if (gDebug > 2) ErrorInfo("GlbsToolCheckCert: enter: %s", ClientIssuerName); 
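Review bot: The new `hostcert_default` and `hostkey_default` arrays bind string literals to non-const `char *`, and their size 2 is repeated as a bare literal in the search loop added later in this file (`for ( id = 0; id < 2; id++)`), so the list and the loop can silently drift apart if a third default is ever added. Declaring them `const char *hostcert_default[] = {...}` and `const char *hostkey_default[] = {...}` and bounding the loop with `sizeof hostcert_default / sizeof hostcert_default[0]` keeps the two in step; `strcpy` accepts the const source unchanged. GlbsToolCheckCert's body continues outside the hunk.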
@@ -121,31 +124,31 @@ int GlbsToolCheckCert(char *ClientIssuerName, char **SubjName)
 if (nw == 1) {
 if (dir_def[0] == '*')
 strcpy(dir_def, certdir_default);
- strcpy(cert_def, hostcert_default);
- strcpy(key_def, hostkey_default);
+ strcpy(cert_def, hostcert_default[0]);
+ strcpy(key_def, hostkey_default[0]);
 strcpy(map_def, gridmap_default);
 } else if (nw == 2) {
 if (dir_def[0] == '*')
 strcpy(dir_def, certdir_default);
 if (cert_def[0] == '*')
- strcpy(cert_def, hostcert_default);
- strcpy(key_def, hostkey_default);
+ strcpy(cert_def, hostcert_default[0]);
+ strcpy(key_def, hostkey_default[0]);
 strcpy(map_def, gridmap_default);
 } else if (nw == 3) {
 if (dir_def[0] == '*')
 strcpy(dir_def, certdir_default);
 if (cert_def[0] == '*')
- strcpy(cert_def, hostcert_default);
+ strcpy(cert_def, hostcert_default[0]);
 if (key_def[0] == '*')
- strcpy(key_def, hostkey_default);
+ strcpy(key_def, hostkey_default[0]);
 strcpy(map_def, gridmap_default);
 } else if (nw == 4) {
 if (dir_def[0] == '*')
 strcpy(dir_def, certdir_default);
 if (cert_def[0] == '*')
- strcpy(cert_def, hostcert_default);
+ strcpy(cert_def, hostcert_default[0]);
 if (key_def[0] == '*')
- strcpy(key_def, hostkey_default);
+ strcpy(key_def, hostkey_default[0]);
 if (map_def[0] == '*')
 strcpy(map_def, gridmap_default);
 }
@@ -169,7 +172,7 @@ int GlbsToolCheckCert(char *ClientIssuerName, char **SubjName)
 if (!PEM_read_X509(fcert, &xcert, 0, 0)) {
 ErrorInfo("GlbsToolCheckCert: unable to load host"
 " certificate (%s)", cert_tmp);
- goto goout;;
+ goto goout;
 }
 // Get the issuer name
 issuer_name =
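Review bot: In the hostcert.conf path a `*` in the cert or key field now resolves only to `hostcert_default[0]`/`hostkey_default[0]` (the ROOT-specific pair) with no fallback to the host pair at index 1, while the env/default path added later in this file tries both and the hostcert.conf header changed in this same commit lists both as defaults. On a machine without /etc/grid-security/root a record such as `# * * * /etc/grid-security/grid-mapfile1` from the shipped examples therefore presumably stops working, since the file it now names does not exist; either try both indices here as well, or state in hostcert.conf that `*` selects the ROOT-specific pair only. The four `nw` branches also differ only in which fields were read, so filling unread fields with `*` and running one sequence of `if (field[0] == '*')` checks would remove the repetition. GlbsToolCheckCert starts and ends outside the hunk.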
@@ -223,66 +226,77 @@ int GlbsToolCheckCert(char *ClientIssuerName, char **SubjName) ErrorInfo ("GlbsToolCheckCert: Try to use env definitions or defaults ..."); - // We have not found a goof one: try with these envs definitions + // We have not found a good one: try with these envs definitions // or the defaults ... if (getenv("X509_CERT_DIR") != 0) { strcpy(dir_def, getenv("X509_CERT_DIR")); } else strcpy(dir_def, certdir_default); - if (getenv("X509_USER_CERT") != 0) { - strcpy(cert_def, getenv("X509_USER_CERT")); - } else - strcpy(cert_def, hostcert_default); - if (getenv("X509_USER_KEY") != 0) { - strcpy(key_def, getenv("X509_USER_KEY")); - } else - strcpy(key_def, hostkey_default); if (getenv("GRIDMAP") != 0) { strcpy(map_def, getenv("GRIDMAP")); } else strcpy(map_def, gridmap_default); - // Expand for test if needed dir_tmp = GlbsToolExpand(dir_def); - cert_tmp = GlbsToolExpand(cert_def); - key_tmp = GlbsToolExpand(key_def); map_tmp = GlbsToolExpand(map_def); - if (!access(dir_tmp, R_OK)) { - if (!access(cert_tmp, R_OK)) { - if (!access(key_tmp, R_OK)) { - // Load certificate - fcert = fopen(cert_tmp, "r"); - if (!PEM_read_X509(fcert, &xcert, 0, 0)) { - ErrorInfo("GlbsToolCheckCert: unable to load host" - " certificate (%s)",cert_tmp); + // First the ROOT specific, then the host one + for ( id = 0; id < 2; id++) { + // Load certificate / key names + if (getenv("X509_USER_CERT") != 0) { + strcpy(cert_def, getenv("X509_USER_CERT")); + } else + strcpy(cert_def, hostcert_default[id]); + if (getenv("X509_USER_KEY") != 0) { + strcpy(key_def, getenv("X509_USER_KEY")); + } else + strcpy(key_def, hostkey_default[id]); + + // Expand for test if needed + cert_tmp = GlbsToolExpand(cert_def); + key_tmp = GlbsToolExpand(key_def); + + if (!access(dir_tmp, R_OK)) { + if (!access(cert_tmp, R_OK)) { + if (!access(key_tmp, R_OK)) { + // Load certificate + fcert = fopen(cert_tmp, "r"); + if (!PEM_read_X509(fcert, &xcert, 0, 0)) { + ErrorInfo("GlbsToolCheckCert: unable to load 
host" + " certificate (%s)",cert_tmp); + goto goout; + } + // Get the issuer name + issuer_name = + X509_NAME_oneline(X509_get_issuer_name(xcert), 0, 0); + if (strstr(issuer_name, ClientIssuerName) != 0) { + CertFound = 1; + if (gDebug > 2) + ErrorInfo + ("GlbsToolCheckCert: Issuer Subject: %s matches", + issuer_name); + goto found; + } + } else { + ErrorInfo("GlbsToolCheckCert: default hostkey file not" + " existing or not readable (%s)", key_tmp); goto goout; } - // Get the issuer name - issuer_name = - X509_NAME_oneline(X509_get_issuer_name(xcert), 0, 0); - if (strstr(issuer_name, ClientIssuerName) != 0) { - CertFound = 1; - if (gDebug > 2) - ErrorInfo - ("GlbsToolCheckCert: Issuer Subject: %s matches", - issuer_name); - goto found; - } } else { - ErrorInfo("GlbsToolCheckCert: default hostkey file not" - " existing or not readable (%s)", key_tmp); + ErrorInfo("GlbsToolCheckCert: default hostcert file not" + " existing or not readable (%s)",cert_tmp); goto goout; } } else { - ErrorInfo("GlbsToolCheckCert: default hostcert file not" - " existing or not readable (%s)",cert_tmp); + ErrorInfo("GlbsToolCheckCert: default cert directory not" + " existing or not readable (%s)",dir_tmp); goto goout; } - } else { - ErrorInfo("GlbsToolCheckCert: default cert directory not" - " existing or not readable (%s)",dir_tmp); - goto goout; + // Release memory before going to next set + if (cert_tmp) + delete[]cert_tmp; + if (key_tmp) + delete[]key_tmp; } goout: diff --git a/rpdutils/src/rpdutils.cxx b/rpdutils/src/rpdutils.cxx index 6b92b2bedc2e94f44a85e0c22155389ffad5aa82..0c91663fb04d9387f12373fcf79504902eedd677 100644 --- a/rpdutils/src/rpdutils.cxx +++ b/rpdutils/src/rpdutils.cxx @@ -1,4 +1,4 @@ -// @(#)root/rpdutils:$Name: $:$Id: rpdutils.cxx,v 1.70 2005/02/18 14:44:40 rdm Exp $ +// @(#)root/rpdutils:$Name: $:$Id: rpdutils.cxx,v 1.71 2005/02/21 11:13:00 rdm Exp $ // Author: Gerardo Ganis 7/4/2003 /************************************************************************* 
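Review bot: The loop added here never reaches the host certificate (id 1) unless the ROOT-specific set at id 0 is fully readable and merely has a different issuer, because each `access` failure in the three `else` branches still ends in `goto goout`; on a machine without /etc/grid-security/root/rootcert.pem the daemon stops with "default hostcert file not existing" instead of falling back to hostcert.pem as the README and the RpdGlobusAuth comment in this commit describe. Those branches should release the expanded names and `continue` to the next set, reporting the miss under `gDebug` only, as in the rewrite below. The `fopen(cert_tmp, "r")` result is still passed to `PEM_read_X509` unchecked, and a stream opened for a non-matching set is not closed before the next iteration overwrites `fcert`. If the cleanup under `goout:` (outside the hunk) also releases `cert_tmp`/`key_tmp`, the unconditional `delete[]` at the end of the last iteration leaves them dangling, so null them after deleting. When `X509_USER_CERT`/`X509_USER_KEY` are set both iterations test the same pair, which is harmless but could be short-circuited.
```cpp
   // First the ROOT specific, then the host one
   for ( id = 0; id < 2; id++) {
      // … unchanged: cert_def / key_def from env or hostcert_default[id] / hostkey_default[id], GlbsToolExpand …
      if (access(dir_tmp, R_OK) || access(cert_tmp, R_OK) || access(key_tmp, R_OK)) {
         // This set is not usable: say so at debug level and try the next one
         if (gDebug > 2)
            ErrorInfo("GlbsToolCheckCert: set %d not usable (dir %s, cert %s, key %s)",
                      id, dir_tmp, cert_tmp, key_tmp);
         delete[]cert_tmp; cert_tmp = 0;
         delete[]key_tmp;  key_tmp = 0;
         continue;
      }
      // Load certificate
      fcert = fopen(cert_tmp, "r");
      if (!fcert || !PEM_read_X509(fcert, &xcert, 0, 0)) {
         ErrorInfo("GlbsToolCheckCert: unable to load host"
                   " certificate (%s)",cert_tmp);
         goto goout;
      }
      // … unchanged: issuer comparison, goto found on match …
      // Release resources before going to next set
      fclose(fcert); fcert = 0;
      delete[]cert_tmp; cert_tmp = 0;
      delete[]key_tmp;  key_tmp = 0;
   }
```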
@@ -3835,15 +3835,16 @@ int RpdGlobusAuth(const char *sstr)
 // Now we open the certificates and we check if we are able to
 // autheticate the client. In the affirmative case we initialize
 // our credentials and we send our subject name to the client ...
- // NB: we try first the user proxies; if it does not work we
- // try using the local host certificates; but only if we have
- // the rigth privileges
+ // NB: we look first for a specific certificate for ROOT (default
+ // location under /etc/grid-security/root); if this is does not
+ // work we try to open the host certificate, which however may
+ // require super-user privileges; finally we check if valid proxies
+ // (for the user who started the server) are available.
 char *subject_name;
 int CertRc = 0;
- CertRc = GlbsToolCheckProxy(client_issuer_name, &subject_name);
- if (CertRc && getuid() == 0)
- CertRc = GlbsToolCheckCert(client_issuer_name, &subject_name);
-
+ CertRc = GlbsToolCheckCert(client_issuer_name, &subject_name);
+ if (CertRc)
+ CertRc = GlbsToolCheckProxy(client_issuer_name, &subject_name);
 if (CertRc) {
 ErrorInfo("RpdGlobusAuth: %s (%s)",
 "host does not seem to have certificate for the requested CA",
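Review bot: With the `getuid() == 0` gate removed, a daemon started by an unprivileged user now calls GlbsToolCheckCert first and, judging by the messages in that function's default path in this same commit (`default hostcert file not existing or not readable`), logs an error on every authentication before the proxy fallback is tried, which makes the ordinary non-root case look broken in the logs. Consider having GlbsToolCheckCert report a missing set only under `gDebug`, or logging here that the proxy path is being tried next so the earlier error is explained. The new comment has a typo: `if this is does not` should read `if this does not`. RpdGlobusAuth's body starts and ends outside the hunk.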