VOMS on MS Windows
From EgeeWiki
This page provides tools for the MS Windows OS that make it possible to generate proxy certificates and use them to access machines running a GSI-enabled ssh server. The tools are based on the standard VOMS commands ported to the MS Windows environment, and they support retrieving VOMS attributes from a VOMS server. The voms-proxy-init command has been extended to support the PKCS11 interface and the MS Certificate Store, the standard credential storage used by many Windows applications. These extensions make it possible to generate proxy certificates from credentials stored on a smart card.
Quick Start
First download and unpack the package containing the voms-proxy-init command and the putty and winscp clients with support for proxy certificates. Then install a set of trusted CA root certificates, e.g. the latest IGTF release. Set the X509_CERT_DIR variable to point to the directory with the CA certificates, e.g.:
set X509_CERT_DIR=%HOMEPATH%\certificates
Depending on where your long-term credential is stored, choose the appropriate method and generate a proxy certificate (with or without VOMS attributes). Start putty or winscp from the directory containing voms-proxy-init, point them at a machine running a GSI-enabled ssh server and try connecting. You should get in without having to enter your password, and your proxy should be delegated to the other side as well.
Creating proxy certificates
The voms_proxy_init command supports three locations for the user's credentials: ordinary files (encoded in either PEM or PKCS12 format), smart cards accessed through the PKCS11 API, and the Microsoft Certificate Store. Generated proxy certificates are only ever stored in files.
The command needs access to a directory with trusted CA certificates and, if VOMS attributes are requested, to a vomses configuration file describing the VOMS servers. Their locations are given by the -certdir and -userconf command-line options, or by the environment variables X509_CERT_DIR and VOMS_USERCONF.
- Generate a proxy from a PKCS12 file
voms_proxy_init.exe -cert "%HOMEPATH%\usercred.p12"
- Generate a proxy from MS Certificate Store credentials
voms_proxy_init.exe -cert "MSCS:SUBJ:Daniel Kouril" -key "MSCS:SUBJ:Daniel Kouril"
Credentials can be selected either by the SUBJ: or the THUMB: prefix. They must be accessible through the Certificate Store, regardless of whether they physically reside in the store or on a smart card. The mmc utility can be used to manage the Certificate Store.
- Generate a proxy via the PKCS11 interface
voms_proxy_init.exe -cert "SC:0:Daniel Kouril's CESNET CA ID" -key "SC:0:Daniel Kouril's CESNET CA ID"
The cert/key identifiers are of the form SC:<slot>:<label>. Note that if you have multiple certificates for the same identity, make sure to copy the correct label (labels may differ only in whitespace, for instance).
A Registry record pointing to the PKCS11 library must be added, for example: [HKEY_CURRENT_USER\Software\Globus\GSI] "PKCS11.DLL"="C:\\WINDOWS\\system32\\aetpkss1.dll"
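The Quick Start procedure and the three credential sources above, put together in one wrapper script. This is an added example, not part of the VOMS-for-Windows package described on this page. It assumes voms_proxy_init.exe is in the current directory, reuses the sample paths, subject name, slot and label from the page (replace them with your own), and assumes that the standard voms-proxy-init options -voms and -out and the standard Globus variable X509_USER_PROXY are honoured by the Windows port, which the page does not state.

```batch
@echo off
rem make-proxy.cmd  (added example, not part of the VOMS-for-Windows package)
rem Usage: make-proxy.cmd p12 ^| mscs ^| sc  [VO]
rem No setlocal on purpose: X509_CERT_DIR, VOMS_USERCONF and X509_USER_PROXY stay set in the
rem shell so that putty/winscp started afterwards from the same window pick them up.
rem Assumptions: -voms, -out and X509_USER_PROXY behave as in standard voms-proxy-init.

rem Quick Start settings: trusted CA directory (e.g. the IGTF bundle) and the vomses file
set X509_CERT_DIR=%HOMEPATH%\certificates
set VOMS_USERCONF=%HOMEPATH%\vomses
rem Where the generated proxy is written (constructed path, no parentheses allowed in it)
set X509_USER_PROXY=%TEMP%\x509up_u.pem

rem IGTF-style bundles contain hash-named files such as <hash>.0; refuse to run without them
if not exist "%X509_CERT_DIR%\*.0" (echo No CA certificates in %X509_CERT_DIR% & exit /b 1)

if /i "%~1"=="p12"  goto p12
if /i "%~1"=="mscs" goto mscs
if /i "%~1"=="sc"   goto sc
echo Usage: %~nx0 p12^|mscs^|sc [VO]
exit /b 2

:p12
rem Long-term credential in a PKCS12 file (sample path from the page)
set CRED=-cert "%HOMEPATH%\usercred.p12"
goto run

:mscs
rem Credential held in the MS Certificate Store, selected by subject (THUMB:<thumbprint> also works)
set CRED=-cert "MSCS:SUBJ:Daniel Kouril" -key "MSCS:SUBJ:Daniel Kouril"
goto run

:sc
rem Credential on a smart card reached through PKCS11, identified as SC:<slot>:<label>.
rem The port loads the DLL named in HKCU\Software\Globus\GSI, so register it if it is missing.
reg query "HKCU\Software\Globus\GSI" /v PKCS11.DLL >nul 2>&1
if errorlevel 1 reg add "HKCU\Software\Globus\GSI" /v PKCS11.DLL /t REG_SZ /d "C:\WINDOWS\system32\aetpkss1.dll" /f
set CRED=-cert "SC:0:Daniel Kouril's CESNET CA ID" -key "SC:0:Daniel Kouril's CESNET CA ID"
goto run

:run
rem Request VOMS attributes only when a VO name was given; otherwise a plain proxy is made
set VOMSARG=
if not "%~2"=="" set VOMSARG=-voms %~2
voms_proxy_init.exe %CRED% %VOMSARG% -certdir "%X509_CERT_DIR%" -userconf "%VOMS_USERCONF%" -out "%X509_USER_PROXY%"
if errorlevel 1 (echo voms_proxy_init.exe failed & exit /b 1)
rem PuTTY and WinSCP crash when the proxy file is missing, so confirm it was actually written
if not exist "%X509_USER_PROXY%" (echo Proxy file %X509_USER_PROXY% was not created & exit /b 1)
echo Proxy written to %X509_USER_PROXY%
```

Run it as `make-proxy.cmd mscs myvo` from the unpacked package directory; the smart-card branch registers the PKCS11 DLL only when no PKCS11.DLL value exists yet, so an existing vendor library path is never overwritten.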
Known issues
- When there is no proxy file, both Putty and WinSCP crash. This is due to an error in the gsigssapi.dll library.
- WinSCP has its default GSSAPI mechanism set to Kerberos, so the type must be changed manually to GSI (SSH->Authentication).
- For the environment variables that specify the proxy location etc., the values must not contain parentheses; remove them if you use the auto-expand capability of the Windows shell.
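A small launcher that guards against the first and third known issues before starting putty, added here as an example and not shipped with the package. It assumes the proxy location is taken from X509_USER_PROXY, the standard Globus variable (the page only says that environment variables specify the proxy location), and that putty.exe accepts the host name as its argument as the stock PuTTY does.

```batch
@echo off
rem gsi-putty.cmd  (added example, not part of the package on the page)
rem Usage: gsi-putty.cmd <host>   -- run from the directory holding voms_proxy_init.exe and putty.exe
rem Assumption: the proxy path is read from X509_USER_PROXY (standard Globus variable).

if "%~1"=="" (echo Usage: %~nx0 host & exit /b 2)
if "%X509_USER_PROXY%"=="" set X509_USER_PROXY=%TEMP%\x509up_u.pem

rem Known issue: values with parentheses (e.g. an auto-expanded ProgramFiles(x86) path) break the tools.
rem Print the three variables through findstr and treat any "(" or ")" as a hard error.
echo %X509_USER_PROXY% %X509_CERT_DIR% %VOMS_USERCONF% | findstr /l /c:"(" /c:")" >nul
if not errorlevel 1 (
    echo X509_USER_PROXY, X509_CERT_DIR or VOMS_USERCONF contains parentheses; use paths without them
    exit /b 1
)

rem Known issue: PuTTY and WinSCP crash when the proxy file is absent, so check before launching
if not exist "%X509_USER_PROXY%" (
    echo No proxy at %X509_USER_PROXY% - run voms_proxy_init.exe first
    exit /b 1
)

rem The WinSCP-only issue (GSSAPI defaults to Kerberos, switch it to GSI under SSH / Authentication)
rem cannot be fixed from a script; PuTTY needs no such change.
start "" putty.exe "%~1"
```

If the findstr test fires, set the variables with plain absolute paths (e.g. a directory under %HOMEPATH%) instead of letting the shell expand a name that contains parentheses.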
Building
We provide a patch that makes it possible to compile the VOMS client part on MS Windows. In order to build the adapted VOMS sources, the following components are needed:
- Globus libraries
The Globus GSS-API is used by the VOMS client to establish an authenticated connection to the VOMS server. Only the security libraries from the Globus toolkit are necessary.
- Expat
- A PKCS11 library
We use the open-source implementation from the OpenSC project. Other implementations (e.g. those provided by smart card vendors) should work as well.
- VOMS sources
Currently we work with the 1.7.16 release of VOMS, which can be retrieved e.g. from the Etics repository.
After putting together the dependencies, untar the VOMS sources and apply the patch. Then adapt the paths in Makefile.mak.common to point to the GT, expat and PKCS11 directories and run nmake -f Makefile.mak in the top-level directory. The patch also ships a simple Visual Studio project definition that can be used to build the package from within the VS GUI.
The build produces the command-line voms_proxy_init.exe and corresponding client libraries.
VOMS on Linux
Note that the standard VOMS code already supports the PKCS11 interface, which makes it possible to generate proxies from a smart card. The support is not built in by default, however, and must be enabled with the compiler option -DUSE_PKCS11. There is also a small issue with the hard-wired name of the PKCS11 library that is loaded dynamically; it can be fixed by a small patch (the fix is also part of the Windows patch). A binary of voms_proxy_init with PKCS11 support enabled can then be made to use any PKCS11 library on the system to generate proxies derived from credentials stored on the card instead of in files.
