Proxies are used in two ways in UNICORE
This document provides information and configuration snippets for the second usage scenario. Information about the first case can be found on the SourceForge Wiki page EnableProxySupport.
Using proxies for TLS means that the client uses the proxy certificate to establish the SSL connection. You must use a gateway with the appropriate configuration for this to work. On the UNICORE/X side it is necessary to set a property in uas.config:
uas.authoriser.proxysupport=true
Your UNICORE client needs to create and send the proxy. Both UCC and URC support this; please consult your client documentation for the details.
First, you need to enable a handler on the web services engine. In unicorex/conf/wsrflite.xml, add a handler definition on the target system service:
<service name="TargetSystemService" wsrf="true" persistent="true">
  ...
  <!-- additional proxy extraction handler definition -->
  <handler type="in" class="de.fzj.unicore.uas.security.ProxyCertInHandler"/>
</service>
The handler can also be added for all services like this:
<!-- add proxy extract handler on all services.
This needs to be done *before* the service definitions -->
<globalHandler type="in" class="de.fzj.unicore.uas.security.ProxyCertInHandler"/>
<service name="...">
</service>
...
Secondly, you need to modify the XNJS configuration to enable a component that stores the proxy in the format expected by GSI (no encryption, PEM format).
So open the XNJS config file (e.g. unicorex/conf/xnjs.xml) and edit the ProcessingChain section.
<eng:ProcessingChain actionType="JSDL" jobDescriptionType="{http://schemas.ggf.org/jsdl/2005/11/jsdl}JobDefinition">
<!-- stores proxy to uspace -->
<eng:Processor>de.fzj.unicore.uas.xnjs.ProxyCertToUspaceProcessor</eng:Processor>
<!-- usual entries -->
<eng:Processor>de.fzj.unicore.xnjs.jsdl.JSDLProcessor</eng:Processor>
<eng:Processor>de.fzj.unicore.xnjs.ems.processors.UsageLogger</eng:Processor>
</eng:ProcessingChain>
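As an added example (not part of the UNICORE documentation or code base), the following Python check audits a stored proxy file for the properties named above: PEM framing with an unencrypted private key. It also checks that only the file owner can access it, which is the usual GSI convention and an assumption here. The function names and the sample files are constructed for illustration; the path of the proxy inside the uspace is not given on this page and has to be supplied by the caller.

```python
import os
import re
import tempfile

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def audit_proxy_file(path):
    """Return findings for a stored proxy file; an empty list means it passed."""
    findings = []
    mode = os.stat(path).st_mode & 0o777
    # Assumption: GSI convention that only the owner may access the proxy file.
    if mode & 0o077:
        findings.append("mode %04o lets group/other reach an unencrypted key" % mode)
    with open(path, "r", errors="replace") as fh:
        blocks = PEM_BLOCK.findall(fh.read())
    if not any(label == "CERTIFICATE" for label, _ in blocks):
        findings.append("no PEM certificate block found")
    keys = [(label, body) for label, body in blocks if label.endswith("PRIVATE KEY")]
    if not keys:
        findings.append("no PEM private key block found")
    for label, body in keys:
        # PKCS#8 uses its own label; legacy OpenSSL keys carry a Proc-Type header.
        if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
            findings.append("private key is encrypted; GSI expects it unencrypted")
    return findings

def _pem(label, payload="Y29uc3RydWN0ZWQ="):
    # Constructed placeholder payload (base64 of "constructed"), not a real key.
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, payload, label)

def demo():
    # Audit four constructed sample files and return the findings per sample.
    cert, key = _pem("CERTIFICATE"), _pem("RSA PRIVATE KEY")
    enc = _pem("RSA PRIVATE KEY", "Proc-Type: 4,ENCRYPTED\n\nY29uc3RydWN0ZWQ=")
    samples = {
        "good": (cert + key + cert, 0o600),
        "world_readable": (cert + key + cert, 0o644),
        "encrypted": (cert + enc + cert, 0o600),
        "cert_only": (cert, 0o600),
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, (text, mode) in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "w") as fh:
                fh.write(text)
            os.chmod(path, mode)
            results[name] = audit_proxy_file(path)
    return results
```

The check inspects PEM framing and file mode only; it does not parse the certificate or validate the proxy chain.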
Using GridFTP basically works out of the box if the client sends a proxy and you have Globus installed on your TSI login node. However, it can be customised using two settings in the XNJS config file ("xnjs.xml" or "xnjs_legacy.xml"):
<!-- name / path of the executable -->
<eng:Property name="globus-url-copy" value="/usr/local/bin/globus-url-copy"/>
<!-- additional parameters for globus-url-copy -->
<eng:Property name="globus-url-copy.parameters" value=""/>