Common Access Toolkit for Federations (CAT)

From EgeeWiki

The growing number of applications that require user authentication, and often authorization as well, forces users to manage a large amount of authentication and authorization data. This can undermine the security of the applications and services involved.

The CAT for Federations project combines a federated environment with PKI. PKI is a good way to build sufficiently secure identity management that is independent of application and service providers, and the resulting identities can be used to access applications and services. Using a federated environment removes some of the inconveniences of PKI: the user does not have to visit a registration authority in person, because the user's home IdP in the federation acts as the registration authority. After successful registration the user can obtain a certificate (identity credential) from a federated CA, which can be a web service available over HTTP.

The goal of the project is to provide a transparent environment for managing credentials used for authentication and authorization. This makes it easier to build and use a federated infrastructure and, through it, to access many services, including grid services. The project achieves this with a framework of user-friendly tools for managing users' identities (certificates with private keys).


MS Windows platform

Tools for MS Windows are the primary goal at the moment. The framework uses Network Identity Manager. The CAT project provides two plugins for it, the Federated plugin and the ProxyCert plugin, plus a separate package with a batch script. The script uses the user's Kerberos ticket to obtain a certificate from a MyProxy CA.

Network Identity Manager

Network Identity Manager (NIM) is a modular framework for managing credentials on MS Windows. It provides a GUI for basic operations with credentials and makes handling them more user friendly. It is primarily aimed at Kerberos, but other mechanisms can be supported via plugins.

Image:nim-default.PNG

Installation

First download MIT Kerberos for Windows. Install it, then download and install the NIMv2 framework. You can now manage Kerberos identities and add the CAT plugins.

Federated plugin

This plugin is designed to manage credentials (certificates with private keys) from federated CAs that are available via a web browser. It has an embedded Internet Explorer for browsing the CA website. It reads a list of known CAs and their URLs from a simple configuration file.

Installation and configuration

Download the msi installer of Federated plugin and install it.

If you do not choose the default installation path, the default registry record must be changed to point to the new location of the plugin.

Example: [HKEY_LOCAL_MACHINE\Software\MIT\NetIDMgr\PluginManager\Modules\Fed_NIM_Mod] "ImagePath"="C:\\Fed_NIM_Plugin\\fed_nim.dll"

After successful installation of the plugin restart NIM.

The configuration file is located in the plugin directory. A default version is provided with one example record containing all the information needed about one online CA. Each CA record is on its own line and follows the template: <human readable name of CA>;<RDN of CA without OIDs, values separated by commas>;<url of CA>;

Example: OnlineCA_VPN;CZ, MetaCentrum, OpenVPN OnlineCA;https://mizar.ics.muni.cz/onlineca/;
for the RDN: C = CZ,O = MetaCentrum,CN = OpenVPN OnlineCA

The file can only be edited by hand; the plugin GUI cannot edit it. To set the configuration file path in the plugin, open NIM, select "Options -> Federation" from the menu and edit the path.
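As an added example (not part of the CAT plugin or of this page), the following Python script parses a CA list in the record format described above and rebuilds the full RDN from the comma-separated values. The mapping of the values to the attribute types C, O and CN is an assumption taken from the page's example, the sample file content is constructed, and the https check is an extra sanity check added here rather than anything the plugin does.

```python
"""Parser for the Federated plugin CA list (added example, not CAT code)."""
from urllib.parse import urlparse

# Attribute types assumed for the comma-separated RDN values, in order.
# The page's example maps "CZ, MetaCentrum, OpenVPN OnlineCA" to C, O, CN.
DEFAULT_RDN_TYPES = ("C", "O", "CN")

# Constructed sample in the record format
# <human readable name>;<RDN values without OIDs, comma separated>;<url>;
SAMPLE_CONFIG = """OnlineCA_VPN;CZ, MetaCentrum, OpenVPN OnlineCA;https://mizar.ics.muni.cz/onlineca/;
TestCA;CZ, Example Org, Test OnlineCA;http://ca.example.org/onlineca/;
Broken;only two fields;
"""


def parse_record(line, rdn_types=DEFAULT_RDN_TYPES):
    """Parse one record into a dict; raise ValueError when it is malformed."""
    fields = [f.strip() for f in line.strip().rstrip(";").split(";")]
    if len(fields) != 3:
        raise ValueError("expected 3 fields, got %d" % len(fields))
    name, rdn_values, url = fields
    values = [v.strip() for v in rdn_values.split(",")]
    if len(values) != len(rdn_types) or not all(values):
        raise ValueError("RDN needs %d non-empty values" % len(rdn_types))
    # Rebuild the RDN in the "C = CZ,O = MetaCentrum,CN = ..." form shown on the page.
    rdn = ",".join("%s = %s" % (t, v) for t, v in zip(rdn_types, values))
    warnings = []
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.netloc:
        # Added sanity check: the embedded browser fetches a certificate from
        # this URL, so anything other than https deserves a second look.
        warnings.append("CA URL is not https")
    return {"name": name, "rdn": rdn, "url": url, "warnings": warnings}


def parse_config(text, rdn_types=DEFAULT_RDN_TYPES):
    """Parse a whole file. Returns (records, errors); errors are (line_no, message)."""
    records, errors = [], []
    for line_no, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue  # blank lines carry no record
        try:
            records.append(parse_record(line, rdn_types))
        except ValueError as exc:
            errors.append((line_no, str(exc)))
    return records, errors


if __name__ == "__main__":
    recs, errs = parse_config(SAMPLE_CONFIG)
    for r in recs:
        print(r["name"], "|", r["rdn"], "|", r["url"], r["warnings"])
    for line_no, msg in errs:
        print("line %d: %s" % (line_no, msg))
```

Running the script prints the two valid records with their rebuilt RDNs, flags the plain-http entry, and reports the malformed third line with its line number, which is the kind of feedback the plugin GUI cannot give because it does not edit the file.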

Image:nim-fed-config.PNG

Obtaining and removing credentials

To obtain a new credential (certificate with private key) use the "Identity Wizard". Click on the "Obtain new credentials" icon,

Image:nim-new.PNG


click on "Identity chooser", choose "New identity",

Image:nim-new2.PNG


choose "Federation X509 Certificate Identity" and the CA you want to use.

Image:nim-fed-obtain3.PNG


Click "Next", and on the next screen click "Get the certificate" and follow the web page you see.

Image:nim-fed-obtain4.PNG


After successfully obtaining the certificate click "Finish"; you should see your new certificate in the list of credentials.

Image:nim-fed-cred.PNG


To remove a certificate, select the certificate you want to remove and click on the "Destroy credentials" icon.

Setting the server side (Federated CA)

(Please write here about the CA configuration in the federation.)

Build instructions

Download plugin sources and NIMv2 SDK.

The SDK requires these two variables to be set:

  • KFWSDKDIR - path to NIMv2 SDK
  • NIDMRAWDIRS set to 1

If you use the "nmake" utility, enter the plugin's main directory and run:

nmake -f Makefile all

ProxyCert plugin

This plugin can generate proxy certificates from long-term PKI credentials, which is useful in a grid environment. The plugin is built on VOMS and MyProxy, so it can generate proxies from credentials stored on smart cards, in the MS CertStore, or on a MyProxy server.

Installation and configuration

Download the msi installer of the ProxyCert plugin and install it.

It is strongly recommended to install it into the default path because of its dependencies. If you did not choose the default installation path, the default registry record must be changed to point to the new location of the plugin.

Example: [HKEY_LOCAL_MACHINE\Software\MIT\NetIDMgr\PluginManager\Modules\ProxyCertModule] "ImagePath"="C:\\Fed_NIM_Plugin\\cpproxycert.dll"

In this case the DLLs ssleay32, libeay32, libexpat, pthreadVC2 and libsasl from the plugin directory must be copied into the NIMv2 installation directory.

After successful installation of the plugin restart NIM.

The plugin has its own configuration dialog under "Options -> X509 Proxy". The plugin takes its configuration settings primarily from the dialog; if a value is blank, the plugin looks for the setting among the environment variables. The configuration dialog contains these settings (the value in square brackets is the name of the equivalent environment variable):

  • Certificates Dir [X509_CERT_DIR] - path to directory with certificates of trusted CAs
  • VOMS Certificates Dir [X509_VOMS_DIR] - path to directory with certificates of trusted VOMS servers
  • VOMS configuration [VOMS_LOCATION] - path to the config file (vomses) for VOMS (VOMS_LOCATION is the path to the directory containing the config file).
  • MyProxy Server [MYPROXY_SERVER] - hostname of the MyProxy server

If you want to use a MyProxy server, you also have to set these environment variables:

  • CA_PATH - path to directory with trusted CAs. Example: CA_PATH=C:\CAT-release\win\GetSaveCert\CA
  • MYPROXY_SERVER_DN - RDN of MyProxy CA server certificate. Example: MYPROXY_SERVER_DN=/DC=cz/DC=cesnet-ca/O=Masaryk University/CN=radius.ics.muni.cz

It is necessary to download and extract the current IGTF Distribution of Authority Root Certificates package and set the path to its directory in "Certificates Dir" or the [X509_CERT_DIR] variable (at least for VOMS use), or to set CA_PATH and MYPROXY_SERVER_DN for MyProxy use.
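The dialog-first, environment-second lookup described above, together with the per-proxy-type requirements, can be written down as a small resolver. This is an added example in Python, not the plugin's own code: the dialog and environment values are constructed, the set of required settings per proxy type is taken from the text above, and the check that the trusted-CA directory contains hash-named files reflects the OpenSSL layout the IGTF bundle ships in.

```python
"""How the ProxyCert plugin's settings can be resolved: dialog value first,
then the equivalent environment variable, then a check that everything a
given proxy type needs is present. Added example, not plugin code."""
import os
import re

# Dialog field -> equivalent environment variable, as listed on the page.
DIALOG_ENV = {
    "Certificates Dir": "X509_CERT_DIR",
    "VOMS Certificates Dir": "X509_VOMS_DIR",
    "VOMS configuration": "VOMS_LOCATION",
    "MyProxy Server": "MYPROXY_SERVER",
}

# Settings with no dialog field; they come from the environment only.
ENV_ONLY = ("CA_PATH", "MYPROXY_SERVER_DN")

# What each proxy type needs before generation can work (per the page:
# VOMS at least the trusted-CA dir; MyProxy the server plus CA_PATH and
# MYPROXY_SERVER_DN).
REQUIRED = {
    "VOMS": ("Certificates Dir",),
    "MyProxy": ("MyProxy Server", "CA_PATH", "MYPROXY_SERVER_DN"),
}

# OpenSSL hash-named trust files (xxxxxxxx.0), the layout of the IGTF bundle.
HASH_FILE = re.compile(r"^[0-9a-f]{8}\.[0-9]+$")


def resolve_settings(dialog, env):
    """Return {setting: (value, source)}; value is None when nothing is set."""
    resolved = {}
    for field, var in DIALOG_ENV.items():
        value = (dialog.get(field) or "").strip()
        if value:
            resolved[field] = (value, "dialog")
        elif env.get(var):
            resolved[field] = (env[var], "env:" + var)  # blank box -> fallback
        else:
            resolved[field] = (None, None)
    for var in ENV_ONLY:
        resolved[var] = (env[var], "env:" + var) if env.get(var) else (None, None)
    return resolved


def missing_for(proxy_type, resolved):
    """Names of the settings the given proxy type still lacks."""
    return [name for name in REQUIRED[proxy_type] if resolved[name][0] is None]


def trust_dir_populated(filenames):
    """True when a trusted-CA directory listing holds at least one hash-named
    CA file; an empty or unextracted directory is a common cause of
    'unknown CA' failures when the proxy is generated."""
    return any(HASH_FILE.match(name) for name in filenames)


def check_trust_dir(path):
    """Same check against a real directory on disk."""
    return os.path.isdir(path) and trust_dir_populated(os.listdir(path))


if __name__ == "__main__":
    # Constructed sample: the dialog's "Certificates Dir" box left blank.
    sample_env = {"X509_CERT_DIR": r"C:\igtf-certs",
                  "CA_PATH": r"C:\CAT-release\win\GetSaveCert\CA"}
    sample_dialog = {"Certificates Dir": "", "MyProxy Server": "myproxy.example.org"}
    settings = resolve_settings(sample_dialog, sample_env)
    for name, (value, source) in settings.items():
        print("%-22s %-40s %s" % (name, value, source))
    print("VOMS missing:", missing_for("VOMS", settings))
    print("MyProxy missing:", missing_for("MyProxy", settings))
```

With the sample values, "Certificates Dir" is reported as coming from X509_CERT_DIR, the VOMS path is complete, and the MyProxy path is reported as still missing MYPROXY_SERVER_DN; recording the source of each value is what makes a misconfigured dialog or a stale environment variable easy to spot.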

Image:nim-proxy-config.PNG

Obtaining and removing credential

To obtain a new credential (certificate with private key) use the "Identity Wizard". Click on the "Obtain new credentials" icon,

Image:nim-new.PNG


click on "Identity chooser", choose "New identity",

Image:nim-new2.PNG


choose "X509 Proxy Certificate Identity" and the type of proxy certificate you want to get.

Image:nim-proxy-obtain1.PNG


If you chose VOMS, select in the next dialog the certificate from which the proxy certificate will be generated, edit the path where the new proxy is to be stored and click "Finish"; you should see your new certificate in the list of credentials.

Image:nim-proxy-obtain2.PNG


If you chose MyProxy, enter your username and password for the server, edit the path where the new proxy is to be stored and click "Finish"; you should see your new certificate in the list of credentials.

Image:nim-proxy-obtain3.PNG


List of credentials:

Image:nim-proxy-cred.PNG


To remove a certificate, select the certificate you want to remove and click on the "Destroy credentials" icon.

Setting the server side (VOMS server, MyProxy server)

Nothing special needs to be set up on the VOMS server.

When using a MyProxy server, you need to have a valid certificate stored on the server and the right username and password.

Build instructions

Download plugin sources and NIMv2 SDK.

The SDK requires these two variables to be set:

  • KFWSDKDIR - path to NIMv2 SDK
  • NIDMRAWDIRS set to 1

It is necessary to set the paths to all plugin dependencies. They can be found in the plugin Makefile under "Configuration settings". To build the MyProxy libraries, download the myproxy-win port sources. If you use the "nmake" utility, enter the plugin's main directory and run:

nmake -f Makefile all

MyProxy CA

MyProxy is open source software for managing X509 credentials (certificates with private keys). The CAT project uses the MyProxy server's ability to act as a Certificate Authority. In this mode the user can obtain a short-lived certificate from the MyProxy server. The user authenticates to the CA with the Kerberos ticket obtained after a successful login to an MS Windows domain. Login is done with the user's Kerberos password.

The project provides a win32 port of the myproxy-logon command, which is used for obtaining the certificate, and the save_cert utility, which stores the obtained certificate in the MS CertStore.

Installation and configuration

At least MIT KFW must be installed. Having NIMv2 is recommended.

Download the zipped package with myproxy-logon and the save_cert utility and extract it. It contains a batch file named "runme.bat". Edit three variables:

  • CA_PATH - path to directory with trusted CAs. Example: CA_PATH=C:\CAT-release\win\GetSaveCert\CA
  • SASL_PLUGIN_PATH - path to sasl plugin directory. Example: SASL_PLUGIN_PATH=C:\CAT-release\win\GetSaveCert
  • MYPROXY_SERVER_DN - RDN of MyProxy CA server certificate. Example: MYPROXY_SERVER_DN=/DC=cz/DC=cesnet-ca/O=Masaryk University/CN=radius.ics.muni.cz

The myproxy-logon command uses these options:

  • -s [myproxy server]
  • -n use krb ticket for authentication
  • -l [username]
  • -o [output file, if "-" use stdout]

Edit the MyProxy server and username if necessary.

Obtaining and removing certificate

Run the batch script. If there are errors, see the log files. You should see a new certificate in the MS CertStore. Run the certificate manager ("Start->Run" with "certmgr.msc" as the parameter) and look under "Personal -> Certificates".

To remove a certificate, open the certificate manager, select the certificate you want to remove and click on the "Delete" icon.

Setting the server side (MyProxy CA)

(Please write here how to set up the CA.)

Build instructions

Download MyProxy win port sources and save_cert utility sources.

MyProxy requires the paths to OpenSSL and Cyrus-SASL to be set in its Makefile.mak.common.

Save_cert requires the path to OpenSSL to be set in its Makefile.mak.common.

If you use the "nmake" utility, enter the main source directory and run:

nmake -f Makefile all

Accessing MS CertStore from Mozilla Firefox

Certificates obtained from the MyProxy CA and stored in the MS CertStore can be accessed from Mozilla Firefox. There is a PKCS#11 plugin for Firefox that can do this. It can be downloaded here and all needed instructions can be found here.

Linux/Mac OS X platform

There is no special tool for managing credentials like NIM on these platforms. The CAT project provides a bash script that can obtain a certificate through a web browser or from a MyProxy CA.

CertMgr bash script

The CertMgr script can obtain a certificate from a federated online CA through Mozilla Firefox, or from a MyProxy CA if the user has a valid Kerberos ticket. The NSS Shared DB is used as the certificate repository; this is the database Firefox uses to store certificates and private keys. More information about NSS can be found here or here.

Installation and configuration

There are some external dependencies you have to take care of before installing the script.

Install Mozilla Firefox from official website or from your distribution repository.

Download, build and install the myproxy-logon utility. Using the CAT version is recommended.

Install the OpenSSL utility and the NSS Security Tools.

After all dependencies are in place, download the script.

The script requires only minimal configuration. Two environment variables must be set:

  • CA_PATH - path to directory with trusted CAs. Example: CA_PATH=~/trustedCA
  • MYPROXY_SERVER_DN - RDN of MyProxy CA server certificate. Example: MYPROXY_SERVER_DN="/DC=cz/DC=cesnet-ca/O=Masaryk University/CN=radius.ics.muni.cz"

The last thing is to configure the use of the new database format.
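CA_PATH and MYPROXY_SERVER_DN are the same two variables the Windows batch script (runme.bat, above) and the CertMgr script both rely on, so a single pre-flight check serves both. The following Python script is an added example, not part of either script: it parses the OpenSSL-style server DN into its components, reports what is missing or malformed, and assembles the myproxy-logon command line from the four options listed for the batch script (-s, -n, -l, -o). The sample values are constructed; the script does not contact any server.

```python
"""Pre-flight for the MyProxy CA path: checks CA_PATH and MYPROXY_SERVER_DN
and assembles the myproxy-logon invocation. Added example, not project code."""
import os


def parse_dn(dn):
    """Parse an OpenSSL-style DN such as
    /DC=cz/DC=cesnet-ca/O=Masaryk University/CN=radius.ics.muni.cz
    into a list of (type, value) pairs. Values containing '/' are not
    handled (assumption of this example). Raises ValueError when malformed."""
    if not dn.startswith("/"):
        raise ValueError("DN must start with '/'")
    components = []
    for comp in dn[1:].split("/"):
        if "=" not in comp:
            raise ValueError("component without '=': %r" % comp)
        typ, value = comp.split("=", 1)
        if not typ.strip() or not value.strip():
            raise ValueError("empty type or value in %r" % comp)
        components.append((typ.strip(), value.strip()))
    return components


def preflight(env):
    """Return a list of problems found in the two variables; [] means ready."""
    problems = []
    if not env.get("CA_PATH"):
        problems.append("CA_PATH is not set")
    dn = env.get("MYPROXY_SERVER_DN")
    if not dn:
        problems.append("MYPROXY_SERVER_DN is not set")
    else:
        try:
            components = parse_dn(dn)
            if not any(typ == "CN" for typ, _ in components):
                problems.append("MYPROXY_SERVER_DN has no CN component")
        except ValueError as exc:
            problems.append("MYPROXY_SERVER_DN is malformed: %s" % exc)
    return problems


def myproxy_logon_argv(server, username, output="-", use_kerberos=True):
    """Build the command line from the options the page lists:
    -s server, -n (use the Kerberos ticket), -l username, -o output ("-" = stdout)."""
    argv = ["myproxy-logon", "-s", server]
    if use_kerberos:
        argv.append("-n")
    argv += ["-l", username, "-o", output]
    return argv


if __name__ == "__main__":
    # Constructed sample environment; the DN is the page's own example value.
    sample_env = {
        "CA_PATH": os.path.expanduser("~/trustedCA"),
        "MYPROXY_SERVER_DN": "/DC=cz/DC=cesnet-ca/O=Masaryk University/CN=radius.ics.muni.cz",
    }
    issues = preflight(sample_env)
    print("problems:", issues or "none")
    for typ, value in parse_dn(sample_env["MYPROXY_SERVER_DN"]):
        print("  %-3s %s" % (typ, value))
    print(" ".join(myproxy_logon_argv("myproxyca.example.com", "Tomas")))
```

Running it against the real environment (os.environ instead of the sample dictionary) before the batch or CertMgr script is a cheap way to catch the most common failures: a DN typed without the leading slash, a quoting problem that swallowed the CN, or an empty CA_PATH.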

Obtaining and removing certificate

The script accepts these options:

  • -O OnlineCA URL
  • -M MyProxy server
  • -u MyProxy username
  • -d NSS database path

Example of obtaining certificates from online CA:

>./certmgr.sh -O https://www.example.com

Example of obtaining certificates from MyProxy CA:

>./certmgr.sh -M myproxyca.example.com -u Tomas -d ~/.mozilla/firefox/hr0l8yhl.default

To remove a certificate, open the certificate manager in Firefox: "", and remove the certificate you want. You can also do this with certutil from the NSS Security Tools.
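Since the CertMgr script stores everything in the NSS shared DB, an inventory of which entries actually carry a private key is useful before removing anything with certutil. The following Python script is an added example, not part of CertMgr: it parses the listing produced by "certutil -L -d sql:<dir>" (a constructed sample is embedded), picks out the user certificates by the "u" trust flag certutil prints for entries with a private key, and builds the matching "certutil -D" removal command. Only the list_db helper invokes the real certutil binary.

```python
"""Inventory of personal certificates in an NSS shared DB from the output of
'certutil -L -d sql:<dir>'. Added example, not part of the CertMgr script."""
import subprocess

# Constructed sample of certutil -L output: a header of two lines, a blank
# line, then one line per certificate with the trust flags last.
SAMPLE_LISTING = """Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CESNET CA Root                                               C,C,C
Tomas Novak's MetaCentrum ID                                 u,u,u
OnlineCA issuer                                              ,,
"""


def parse_certutil_listing(text):
    """Return {nickname: trust_flags}, skipping the header and blank lines."""
    entries = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("Certificate Nickname") \
                or stripped.startswith("SSL,S/MIME"):
            continue
        # Nicknames may contain spaces; the trust flags never do, so split
        # once from the right.
        nickname, _, trust = line.rstrip().rpartition(" ")
        entries[nickname.rstrip()] = trust
    return entries


def user_certs(entries):
    """Nicknames whose trust flags contain 'u' in any slot; certutil uses 'u'
    for certificates that have a private key in the database."""
    return sorted(name for name, trust in entries.items()
                  if any("u" in slot for slot in trust.split(",")))


def list_db(db_dir):
    """Run certutil against the sql-format DB and return the user certs
    (requires the NSS Security Tools to be installed)."""
    out = subprocess.run(["certutil", "-L", "-d", "sql:" + db_dir],
                         capture_output=True, text=True, check=True).stdout
    return user_certs(parse_certutil_listing(out))


def delete_argv(db_dir, nickname):
    """Command to remove one certificate by nickname. Note that -D removes the
    certificate only; the private key stays in the DB unless certutil -F is
    used to delete key and certificate together."""
    return ["certutil", "-D", "-d", "sql:" + db_dir, "-n", nickname]


if __name__ == "__main__":
    found = parse_certutil_listing(SAMPLE_LISTING)
    for name, trust in found.items():
        print("%-32s %s" % (name, trust))
    mine = user_certs(found)
    print("user certificates:", mine)
    for name in mine:
        print(" ".join(delete_argv("~/.mozilla/firefox/hr0l8yhl.default", name)))
```

Listing the database this way before and after running certmgr.sh also gives a simple check that the new certificate really landed in the profile directory passed with -d rather than in some other NSS database.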

MyProxy and VOMS

The CAT project provides special versions of the myproxy-logon and voms-proxy-init utilities. They are built on pure OpenSSL instead of the Globus Toolkit.

myproxy-logon

The openssl and sasl libraries must be installed before building.

Download the source package, enter the directory and use Makefile.dan with the command:

make -f Makefile.dan myproxy-logon

voms-proxy-init

Download the source package, enter the directory and use the configure script to generate the Makefile. Then run:

make -f Makefile all

The CAT project adds to VOMS the ability to use an NSS DB as a PKCS#11 device. To enable this, use these configure options:

./configure CFLAGS=-I/usr/include/nss\ -I/usr/include/nspr\ -DUSE_PKCS11\ -DUSE_PKCS11_DL\ -DUSE_NSS_DB\ -DNO_GSSAPI_CONFIG_H CXXFLAGS=-I/usr/include/nss\ -I/usr/include/nspr\ -DUSE_PKCS11\ -DUSE_PKCS11_DL\ -DUSE_NSS_DB\ -DNO_GSSAPI_CONFIG_H LIBS=-ldes425

The NSS and NSPR4 headers and libraries must be installed.

Before using voms-proxy-init, set these environment variables:

  • X509_CERT_DIR - path to directory with certificates of trusted CAs - required
  • X509_VOMS_DIR - path to directory with certificates of trusted VOMS servers - optional
  • X509_USER_PROXY - path to user proxy certificate - required

If you want to use the NSS DB as a PKCS#11 device, set these environment variables:

  • PKCS11_LIB - path to libsoftokn3.so
  • MOZILLA_NSS_DB - path to NSS DB. Example: /home/tomas/.mozilla/firefox/hr0l8yhl.default