Security/ProxyCertTypes
From Globus
Proxy Certificates Types
There are three types of Proxy Certificates in use by various versions of the Globus Toolkit. It is assumed the reader is familiar with RFC 3820.
Legacy Proxy Certificates
Legacy proxy certificates were first introduced in GT 2.0 and continue to be supported in GT 4.x. These proxy certificates pre-date RFC 3820 and are recognizable by the lack of ProxyCertInfo extension and the use of "CN=proxy" or "CN=limited proxy" DN components.
They can be generated in GT4 through the use of 'grid-proxy-init -old'.
Example generation and display:
% grid-proxy-init -old
Your identity: /C=US/O=National Center for Supercomputing Applications/CN=Von S. Welch
Enter GRID pass phrase for this identity:
Creating proxy ................................. Done
Your proxy is valid until: Fri Jun 1 04:19:43 2007
% grid-proxy-info
subject  : /C=US/O=National Center for Supercomputing Applications/CN=Von S. Welch/CN=proxy
issuer   : /C=US/O=National Center for Supercomputing Applications/CN=Von S. Welch
identity : /C=US/O=National Center for Supercomputing Applications/CN=Von S. Welch
type     : full legacy globus proxy
strength : 512 bits
path     : /tmp/x509up_u501
timeleft : 11:59:54
Proxy Draft Proxy Certificates
Proxy Draft Proxy Certificates (also sometimes called "GSI3 Proxy Certificates" because of their first appearance in GT3) are Proxy Certificates that are very similar to RFC 3820 Proxy Certificates, with the exception that the ProxyCertInfo extension is identified by a non-standard OID: "1.3.6.1.4.1.3536.1.1.222". (Defined in the C code by PROXYCERTINFO_OLD_OID and in Java by GSIConstants.GSI_3_IMPERSONATION_PROXY.)
In GT 4.0.x Proxy Draft Proxy Certificates are the default with grid-proxy-init.
Example creation and display:
% grid-proxy-init
Your identity: /C=US/O=National Center for Supercomputing Applications/CN=Von S. Welch
Enter GRID pass phrase for this identity:
Creating proxy ................................... Done
Your proxy is valid until: Fri Jun 1 04:20:56 2007
% grid-proxy-info
subject  : /C=US/O=National Center for Supercomputing Applications/CN=Von S. Welch/CN=283701648
issuer   : /C=US/O=National Center for Supercomputing Applications/CN=Von S. Welch
identity : /C=US/O=National Center for Supercomputing Applications/CN=Von S. Welch
type     : Proxy draft (pre-RFC) compliant impersonation proxy
strength : 512 bits
path     : /tmp/x509up_u501
timeleft : 11:57:27
RFC 3820 Proxy Certificates
RFC 3820 Proxy Certificates are proxy certificates that fully conform to RFC 3820, including the standard ProxyCertInfo extension OID.
In GT 4.0.x RFC 3820 Proxy Certificates can be generated using 'grid-proxy-init -rfc'.
In GT 4.2.x, these will be generated by grid-proxy-init by default.
Example creation and display:
% grid-proxy-init -rfc
Your identity: /C=US/O=National Center for Supercomputing Applications/CN=Von S. Welch
Enter GRID pass phrase for this identity:
Creating proxy ....................................................... Done
Your proxy is valid until: Fri Jun 1 04:24:20 2007
% grid-proxy-info
subject  : /C=US/O=National Center for Supercomputing Applications/CN=Von S. Welch/CN=584830083
issuer   : /C=US/O=National Center for Supercomputing Applications/CN=Von S. Welch
identity : /C=US/O=National Center for Supercomputing Applications/CN=Von S. Welch
type     : RFC 3820 compliant impersonation proxy
strength : 512 bits
path     : /tmp/x509up_u501
timeleft : 11:59:58
Proxy Certificate Compatibility
- GT 4.2.x accepts all three types of proxy certificates listed above and generates RFC 3820 compliant proxy by default.
- GT 4.0.x accepts all three types of proxy certificates listed above and generates Proxy Draft Proxy Certificates by default.
- GT 3.x accepts Proxy Draft and Legacy proxy certificates.
- GT 2.x accepts Legacy proxy certificates.
Limited and Restricted Proxies
Proxy certificates inherit all, some or none of the permissions of the user whose end entity certificate (EEC) generated the proxy. The table below summarizes the common inheritance models and their attributes. Proxy certificates that conform to the RFC 3820 specification can, in theory, have any inheritance policies through the definition of proxy policy language OIDs and different policy contents; however, the types listed below are those in common use.
| Proxy Type | Rights Inherited | How expressed in Legacy Proxies | How expressed in Proxy Draft and RFC 3820 Proxies | Notes |
|---|---|---|---|---|
| Full Proxy | All | CN component of "proxy" | Policy language identifier in the ProxyCertInfo extension of 1.3.6.1.5.5.7.21.1 | Generated by default by grid-proxy-init and other tools |
| Limited Proxy | All rights except process creation (e.g. you cannot use a limited proxy to launch a GRAM job or log in via GSI-OpenSSH if they are using the default configuration) | CN component of "limited proxy" | Policy language identifier in the ProxyCertInfo extension of 1.3.6.1.4.1.3536.1.1.1.9 | Delegated by GRAM by default; Created by 'grid-proxy-init -limited' |
| Independent Proxy | None | Does not exist in Legacy proxies | Policy language identifier in the ProxyCertInfo extension of 1.3.6.1.5.5.7.21.2 | Not generally in use; Created by 'grid-proxy-init -independent' |
| Restricted Proxy | Undefined | Does not exist in Legacy proxies | Policy language identifier in the ProxyCertInfo extension something other than listed in this table | Used as a catch-all term to describe proxy certificates with unrecognized policy languages. Not generally in use. |
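The identification rules from the three type sections and the rights table above, as an added example that is not Globus code: it takes a certificate's subject CN values and its extensions as a dict of extension OID to DER value, decodes the policyLanguage from a ProxyCertInfo body with a small hand-written DER reader, and returns the proxy format and rights model. The standard ProxyCertInfo extension OID 1.3.6.1.5.5.7.1.14 comes from RFC 3820 rather than this page, and the DER sample values are constructed here.

```python
# Constructed example, not Globus code: classify a proxy from its subject CNs and extensions.
PROXYCERTINFO_RFC = "1.3.6.1.5.5.7.1.14"        # id-pe-proxyCertInfo, from RFC 3820 (not on this page)
PROXYCERTINFO_OLD = "1.3.6.1.4.1.3536.1.1.222"  # Proxy Draft (GSI3) extension OID from the page
POLICY_NAMES = {"1.3.6.1.5.5.7.21.1": "full",            # inheritAll
                "1.3.6.1.4.1.3536.1.1.1.9": "limited",   # Globus limited proxy
                "1.3.6.1.5.5.7.21.2": "independent"}     # independent

def _tlv(buf, pos):
    """Decode one DER TLV at pos -> (tag, contents, next_pos); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n, length = length & 0x7F, 0
        for _ in range(n):
            length, pos = (length << 8) | buf[pos], pos + 1
    return tag, buf[pos:pos + length], pos + length

def _oid(contents):
    """Decode OBJECT IDENTIFIER contents to dotted form (first byte packs two arcs, rest base-128)."""
    arcs, acc = [contents[0] // 40, contents[0] % 40], 0
    for b in contents[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def policy_language(pci_der):
    """policyLanguage OID of a DER ProxyCertInfo; the pCPathLenConstraint INTEGER is optional."""
    tag, body, _ = _tlv(pci_der, 0)
    tag, inner, pos = _tlv(body, 0)
    if tag == 0x02:                          # skip pCPathLenConstraint when present
        tag, inner, pos = _tlv(body, pos)
    assert tag == 0x30, "ProxyPolicy must be a SEQUENCE"
    tag, oid_bytes, _ = _tlv(inner, 0)
    assert tag == 0x06, "policyLanguage must be an OID"
    return _oid(oid_bytes)

def classify(subject_cns, extensions):
    """Return (format, rights) using the page's rules; rights is None for non-proxies."""
    if PROXYCERTINFO_RFC in extensions:
        fmt, pci = "RFC 3820", extensions[PROXYCERTINFO_RFC]
    elif PROXYCERTINFO_OLD in extensions:
        fmt, pci = "Proxy Draft", extensions[PROXYCERTINFO_OLD]
    elif subject_cns[-1] in ("proxy", "limited proxy"):   # legacy: no ProxyCertInfo at all
        return "legacy", "limited" if subject_cns[-1] == "limited proxy" else "full"
    else:
        return "not a proxy", None
    return fmt, POLICY_NAMES.get(policy_language(pci), "restricted")

FULL_PCI = bytes.fromhex("300c300a06082b06010505071501")                  # constructed: inheritAll
LIMITED_PCI = bytes.fromhex("3012020100300d060b2b060104019b5001010109")  # constructed: limited, pathlen 0
```

Any other policyLanguage OID falls through to "restricted", matching the catch-all row of the table.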
Related Material
Using OpenSSL to Dump a Proxy Certificate
You can use openssl as shown in the following example to do a full textual dump of a proxy certificate. The following example shows a legacy proxy certificate.
% openssl x509 -in /tmp/x509up_u501 -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1763 (0x6e3)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=US, O=National Center for Supercomputing Applications, CN=Von S. Welch
Validity
Not Before: May 30 20:36:42 2007 GMT
Not After : May 31 08:41:42 2007 GMT
Subject: C=US, O=National Center for Supercomputing Applications, CN=Von S. Welch, CN=proxy
...output truncated...
Using Python to Generate a Proxy Certificate
You can use the PyGsi package to generate RFC 3820 compliant Proxy Certificates. Earlier proxy formats can only be generated with pyGlobus. The following example shows how to generate a Legacy Proxy Certificate using pyGlobus.
from pyGlobus import security
from pyGlobus import proxyc
# Legacy (GSI 2) proxy: no ProxyCertInfo extension, CN=proxy appended to the subject
security.grid_proxy_init(proxyType=proxyc.GLOBUS_GSI_CERT_UTILS_TYPE_GSI_2_PROXY)
The next example shows how to generate a Proxy Draft Proxy Certificate using pyGlobus.
from pyGlobus import security
from pyGlobus import proxyc
# Proxy Draft (GSI 3) proxy: ProxyCertInfo under the non-standard OID 1.3.6.1.4.1.3536.1.1.222
security.grid_proxy_init(proxyType=proxyc.GLOBUS_GSI_CERT_UTILS_TYPE_GSI_3_IMPERSONATION_PROXY)
The next example shows how to generate an RFC 3820 compliant Proxy Certificate using pyGlobus.
from pyGlobus import security
from pyGlobus import proxyc
# RFC 3820 proxy: ProxyCertInfo under the standard OID
security.grid_proxy_init(proxyType=proxyc.GLOBUS_GSI_CERT_UTILS_TYPE_RFC_IMPERSONATION_PROXY)
Each of the pyGlobus examples generates a Proxy Certificate that is stored in the default location in the filesystem. The following example shows how to use the resulting credential in a Python program.
from pyGlobus.security import GSSCred
# Load the proxy from the default location (e.g. /tmp/x509up_u<uid>) as a GSS credential
proxy = GSSCred()
proxy.acquire_cred()
The last example shows how to generate an RFC 3820 compliant Proxy Certificate using pyGsi.
from pyGsi import proxylib
proxyFactory = proxylib.ProxyFactory()
proxyFactory.generate()          # create and sign the RFC 3820 proxy
proxyCert = proxyFactory.getproxy()
