MyProxy Java API
From EUAGwiki
MyProxy Java API (with CoG-JGlobus 1.7.0)
Lectured by
Giuseppe LA ROCCA
Italian National Institute of Nuclear Physics
Italy
mailto:giuseppe.larocca@ct.infn.it
About this page
The goal of this wiki page is to provide some hints and examples about how to interact with the MyProxy service using the dedicated Java API exposed by cog-jglobus.
MyProxy is open source software for managing X.509 Public Key Infrastructure (PKI) security credentials (certificates and private keys). MyProxy combines an online credential repository with an online certificate authority to allow users to securely obtain credentials when and where needed. Users run myproxy-logon to authenticate and obtain credentials, including trusted CA certificates and Certificate Revocation Lists (CRLs).
Storing credentials in a MyProxy repository allows users to easily obtain RFC 3820 proxy credentials, without worrying about managing private key and certificate files. They can use MyProxy to delegate credentials to services acting on their behalf (like a grid portal) by storing credentials in the MyProxy repository and sending the MyProxy passphrase to the service. They can also use MyProxy to renew their credentials, so, for example, long-running jobs don't fail because of expired credentials. A professionally managed MyProxy server can provide a more secure storage location for private keys than typical end-user systems. MyProxy can be configured to encrypt all private keys in the repository with user-chosen passphrases, with server-enforced policies for passphrase quality. By using a proxy credential delegation protocol, MyProxy allows users to obtain proxy credentials when needed without ever transferring private keys over the network.
For users that don't already have PKI credentials, the MyProxy Certificate Authority (CA) provides a convenient method for obtaining them. The MyProxy CA issues short-lived session credentials to authenticated users. The repository and CA functionality can be combined in one service or can be used separately.
MyProxy provides a set of flexible authentication and authorization mechanisms for controlling access to credentials. Server-wide policies allow the MyProxy administrator to control how credentials may be used. Per-credential policies provide additional controls for credential owners. MyProxy supports multiple authentication mechanisms, including passphrase, certificate, Kerberos, Pubcookie, VOMS, PAM, LDAP, SASL and One Time Passwords (OTP).
Material and instructions for use
Attached you can find a tarball with the Java source files implementing what is described above. If you have a shell on a Linux machine, download the tarball with the examples by typing:
wget http://grid.ct.infn.it/api-java/Api-Java-MyProxy.tar.gz
Uncompress the tar in your working directory using the command:
$ tar zxvf Api-Java-MyProxy.tar.gz
Api-Java-MyProxy/
Api-Java-MyProxy/help/
Api-Java-MyProxy/help/MyProxyManger_usage.txt
Api-Java-MyProxy/log4j.properties
Api-Java-MyProxy/MyProxyManager.sh
Api-Java-MyProxy/MyProxyMnager.java
Api-Java-MyProxy/cog-jglobus-1.7.0-bin-tar.gz
Api-Java-MyProxy/PasswordField.java
Api-Java-MyProxy/cog.properties
These are the files you should find in the working directory:
$ cd Api-Java-MyProxy
$ ls -al
-rw-r--r-- 1 larocca users 2854765 Jan 29 13:08 cog-jglobus-1.7.0-bin-tar.gz
-rw-r--r-- 1 larocca users    1594 Jan 25 11:37 cog.properties
drwxr-xr-x 2 larocca users    8192 Jan 20 13:05 help
-rw-r--r-- 1 larocca users     523 Jan 26 17:11 log4j.properties
-rw-r--r-- 1 larocca users   12920 Jan 29 12:16 MyProxyManager.java
-rw-r--r-- 1 larocca users     817 Jan 25 18:14 MyProxyManager.sh
-rw------- 1 larocca users    1315 Jan 25 18:13 PasswordField.java
To compile all the Java files, first uncompress the CoG jGlobus tarball in the working directory containing the examples, and then use the MyProxyManager.sh bash script to compile.
$ cd Api-Java-MyProxy
$ tar zxf cog-jglobus-1.7.0-bin-tar.gz
Example of API usage
Two different methods have been created in order to let the user:
- delegate user credentials from a MyProxy Server;
- register user credentials to a MyProxy Server.
Before compiling, open the MyProxyManager.sh file and set the read_credential flag (the flag variable in the script) depending on whether you want to get credentials from, or put credentials to, the MyProxy Server.
How to build the examples
$ cat MyProxyManager.sh
#!/bin/sh
#
# @author Giuseppe LA ROCCA
# @mail giuseppe.larocca@ct.infn.it
# @copyright 2010-01-20
#
# Export the CLASSPATH environment variable before compiling
# and running the class.
#
unset CLASSPATH
export CLASSPATH=.:./cog-jglobus-1.7.0-bin/lib/log4j-1.2.15.jar:./cog-jglobus-1.7.0-bin/lib/cog-jglobus-1.7.0.jar:./cog-jglobus-1.7.0-bin/lib/jgss.jar
export MYPROXY_SERVER=myproxy.ct.infn.it
export MYPROXY_PORT=7512
export MYPROXY_PROXYLIFETIME=14400 # 4 hours
# flag=0 => to register user credentials into a MyProxy Server.
# flag=1 => to delegate user credentials from a MyProxy Server.
export flag=0
# Compile the Java class
JAVA_HOME=/usr/java/jdk1.5.0_14/   # <== Customize here if necessary!
${JAVA_HOME}/bin/javac -classpath ${CLASSPATH} MyProxyManager.java PasswordField.java
# umask 066 makes the proxy file written by the class readable by its owner only
# (it contains a private key). Note that it stays in effect in your shell when
# this script is sourced.
umask 066; ${JAVA_HOME}/bin/java -cp ${CLASSPATH}:. MyProxyManager \
  ${MYPROXY_SERVER} \
  ${MYPROXY_PORT} \
  ${MYPROXY_PROXYLIFETIME} \
  ${UID} \
  ${X509_USER_PROXY} \
  ${flag}
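The following added example (not the MyProxyManager.java shipped in the tarball) shows the two operations the script selects with flag, using the org.globus.myproxy.MyProxy class of cog-jglobus 1.7.0. It takes host, port, lifetime, MyProxy username, proxy file path and flag on the command line in the order the script passes them (with a username where the script passes ${UID}), and assumes Java 6 or later for System.console() and File.setReadable (the tarball's PasswordField.java plays the passphrase-prompt role on Java 5).

```java
import java.io.File;
import java.io.FileOutputStream;
import java.io.OutputStream;
import org.globus.gsi.GlobusCredential;
import org.globus.gsi.gssapi.GlobusGSSCredentialImpl;
import org.globus.myproxy.MyProxy;
import org.ietf.jgss.GSSCredential;

/* Added example, not the MyProxyManager.java from the tarball.
 * Usage: java MyProxyExample host port lifetime username proxyfile flag
 * (same order as MyProxyManager.sh; flag 0 = put, 1 = get). */
public class MyProxyExample {
    /* flag=0: delegate the local proxy (e.g. from grid-proxy-init) into the repository,
     * protected by the passphrase. lifetime (seconds) caps the proxies the server may later issue. */
    static void register(MyProxy server, String user, String pass, int lifetime, String proxyFile) throws Exception {
        GlobusCredential local = new GlobusCredential(proxyFile);
        GSSCredential cred = new GlobusGSSCredentialImpl(local, GSSCredential.INITIATE_AND_ACCEPT);
        server.put(cred, user, pass, lifetime);
    }
    /* flag=1: obtain a fresh proxy from the repository and save it to proxyFile.
     * The first argument is null: the passphrase, not a local certificate, authenticates us. */
    static GSSCredential retrieve(MyProxy server, String user, String pass, int lifetime, String proxyFile) throws Exception {
        GSSCredential cred = server.get(null, user, pass, lifetime);
        GlobusCredential gc = ((GlobusGSSCredentialImpl) cred).getGlobusCredential();
        File f = new File(proxyFile);
        OutputStream out = new FileOutputStream(f);
        try { gc.save(out); } finally { out.close(); }
        // The file holds a private key: owner-only, the Java 6 counterpart of the script's umask 066.
        f.setReadable(false, false); f.setWritable(false, false);
        f.setReadable(true, true);   f.setWritable(true, true);
        return cred;
    }
    public static void main(String[] args) throws Exception {
        MyProxy server = new MyProxy(args[0], Integer.parseInt(args[1]));
        int lifetime = Integer.parseInt(args[2]);
        String user = args[3], proxyFile = args[4];
        char[] pw = System.console().readPassword("Enter MyProxy pass phrase:");
        String pass = new String(pw);
        if ("0".equals(args[5])) {
            register(server, user, pass, lifetime, proxyFile);
            System.out.println("Credential stored on " + args[0] + " for user " + user);
        } else {
            GSSCredential cred = retrieve(server, user, pass, lifetime, proxyFile);
            System.out.println("Got proxy DN = " + cred.getName());
            System.out.println("Remaining lifetime = " + cred.getRemainingLifetime() + " sec.");
        }
        java.util.Arrays.fill(pw, '\0'); // passphrase is no longer needed
    }
}
```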
Register a long-term proxy into a MyProxy Server
Before starting, you need to have valid credentials in your account. You can use the grid-proxy-init command as follows:
$ grid-proxy-init
Your identity: /C=IT/O=INFN/OU=Personal Certificate/L=Catania/CN=Giuseppe La Rocca
Enter GRID pass phrase for this identity:
Creating proxy ................................. Done
Your proxy is valid until: Sat Jan 30 02:51:51 2010
Once you have a plain proxy, open the bash script MyProxyManager.sh and set the flag variable to '0', then compile and run the examples as follows:
$ source MyProxyManager.sh
[main] INFO MyProxyManager - -----------------------------------------------------------------------------
[main] INFO MyProxyManager - +++ Configure System Setting(s) before to start user's proxy generation +++
[main] INFO MyProxyManager -
[main] INFO MyProxyManager - -----------------------------------------------------------------------------
[main] INFO MyProxyManager - USER ACCOUNT : larocca
[main] INFO MyProxyManager - MyProxy Server : myproxy.ct.infn.it
[main] INFO MyProxyManager - MyProxy Server Port : 7512
[main] INFO MyProxyManager - Proxy Lifetime : 14400
Enter MyProxy pass phrase:*******
[..cut..]
90 bf 93 5a 65 5e a8 c5 74 c0 ac fb 89 a5 14 98 a9 ea cc c0 c0 00 2e d3 08 bd d1 62 f9 32 f5 56 e9 f5 0e 6e a5 8e e2 09 97 d8 0c 89 af b2 80 63 d0 2e 91 00 39 76 ef b7 64 b3 62 86 55 ee 91 ea 46 1a 18 74 9b d1 0e 0d 95 a5 9d e1 fd d7 a0 d6 c8 d9 b1 74 a5 5a 2e cb a6 d6 7f 9f cf 51 1c f6 55 f3 64 32 cd 9c 0e 27 83 22 a2 85 98 eb 9a fd 46
Thread Thread[main,5,main]OID 1.2.840.113549.1.1.5mapped to SHA-1/RSA/PKCS#1
[main] INFO MyProxyManager - Using credential : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN Catania/CN=Giuseppe La Rocca
[main] INFO MyProxyManager - A proxy valid for 43028 sec. now exists on myproxy.ct.infn.it for user larocca
[main] INFO MyProxyManager - ---------------------------------------------------------------------------------------
Retrieve credentials from a MyProxy Server
Open the bash script MyProxyManager.sh and set the flag variable to '1', then compile and run the examples as follows:
$ source MyProxyManager.sh
[main] INFO MyProxyManager - -----------------------------------------------------------------------------
[main] INFO MyProxyManager - +++ Configure System Setting(s) before to start user's proxy generation +++
[main] INFO MyProxyManager -
[main] INFO MyProxyManager - -----------------------------------------------------------------------------
[main] INFO MyProxyManager - USER ACCOUNT : larocca
[main] INFO MyProxyManager - MyProxy Server : myproxy.ct.infn.it
[main] INFO MyProxyManager - MyProxy Server Port : 7512
[main] INFO MyProxyManager - Proxy Lifetime : 14400
Enter MyProxy pass phrase:*********
[..cut..]
1a 47 c0 72 5b f9 3e 9c 00 59 e5 3b b5 48 af b0 fd 50 3b d8 92 71 6c a9 21 72 a2 21 7c 7e 86 12 dd 2e 68 49 53 4f 38 f3 96 8a 68 cc fa 8c 0e 10 e3 26 96 19 87 3e bf 77 37 e4 62 aa 06 93 bc 81 7f 67 3a de 78 af 63 6f cd b5 80 88 93 76 26 52 cc 40 29 82 90 bf 93 5a 65 5e a8 c5 74 c0 ac fb 89 a5 14 98 a9 ea cc c0 c0 00 2e d3 08 bd d1 62 f9 32 f5 56 e9 f5 0e 6e a5 8e e2 09 97 d8 0c 89 af b2 80 63 d0 2e 91 00 39 76 ef b7 64 b3 62 86 55 ee 91 ea 46 1a 18 74 9b d1 0e 0d 95 a5 9d e1 fd d7 a0 d6 c8 d9 b1 74 a5 5a 2e cb a6 d6 7f 9f cf 51 1c f6 55 f3 64 32 cd 9c 0e 27 83 22 a2 85 98 eb 9a fd 46
Thread Thread[main,5,main]OID 1.2.840.113549.1.1.5mapped to SHA-1/RSA/PKCS#1
[main] INFO MyProxyManager - ---------------------------------------------------------------------------------------
[main] INFO MyProxyManager - Got proxy DN = /C=IT/O=INFN/OU=Personal Certificate/L=INFN Catania/CN=Giuseppe La Rocca
[main] INFO MyProxyManager - Remaining lifetime = 14399 sec.
[main] INFO MyProxyManager - X509_USER_PROXY = /tmp/x509up_u512
[main] INFO MyProxyManager - Proxy file has been successfully created!
[main] INFO MyProxyManager - ---------------------------------------------------------------------------------------
Your plain proxy is now available on your User Interface. You can check it by running the grid-proxy-info command as follows:
$ grid-proxy-info
subject  : /C=IT/O=INFN/OU=Personal Certificate/L=INFN Catania/CN=Giuseppe La Rocca/CN=1061479195/CN=2068807947/CN=1000982499
issuer   : /C=IT/O=INFN/OU=Personal Certificate/L=INFN Catania/CN=Giuseppe La Rocca/CN=1061479195/CN=2068807947
identity : /C=IT/O=INFN/OU=Personal Certificate/L=INFN Catania/CN=Giuseppe La Rocca
type     : Proxy draft (pre-RFC) compliant impersonation proxy
strength : 1024 bits
path     : /tmp/x509up_u512
timeleft : 3:54:31
To add the VOMS extension to your proxy, use the voms-proxy-init command as follows:
$ voms-proxy-init --voms euasia --noregen
Your identity: /C=IT/O=INFN/OU=Personal Certificate/L=INFN Catania/CN=Giuseppe La Rocca/CN=1061479195/CN=2068807947/CN=1000982499
Contacting voms.grid.sinica.edu.tw:15015 [/C=TW/O=AS/OU=GRID/CN=voms.grid.sinica.edu.tw] "euasia" Done
Creating proxy .............................. Done
Warning: your certificate and proxy will expire Fri Jan 29 18:40:35 2010 which is within the requested lifetime of the proxy
API Documentation
http://www-unix.globus.org/cog/distribution/1.7.0/api/index.html
References
http://grid.ncsa.illinois.edu/myproxy/
