[Go-essp-tech] MyProxy Clients for ESG

Rachana Ananthakrishnan ranantha at mcs.anl.gov
Mon Oct 26 08:33:32 MDT 2009


Hi Phil,

Please see thread below, there seems to have been some similar work  
with NVO. Does this seem like the functionality you need?

Rachana


> Begin forwarded message:
>
>> From: Bill Baker
>> Date: October 22, 2009 11:35:24 AM CDT
>> To: Jim Basney
>> Cc: Rachana Ananthakrishnan <ranantha at mcs.anl.gov>
>> Subject: Re: MyProxy web login: ESG & NVO
>> Reply-To: Bill Baker <bbb at illinois.edu>
>>
>> Yes, the NVO has a "Save as ..." credential download page at
>> https://nvologin1.ncsa.uiuc.edu/protected/welcome.  To use it, you
>> will need to create an SSO account, which is a simple email-based
>> registration.
>>
>> The script that operates it is written in Perl, and it leverages  
>> the MyProxy-pubcookie integration.  Ray and I wrote it.
>>
>> The code is at https://svn.ncsa.uiuc.edu/svn/nvo-security/pubcookie/portal/var_www/portal/perl/Portal/
>> -- see GetEEC.pm
>>
>> The PEM conversion code seems clumsy to me -- I was serving PEM  
>> credentials straight out of MyProxy, but our partners who actually  
>> use the PEM credentials were having trouble with the encryption (or  
>> something -- I don't remember exactly what the problem was) and  
>> suggested the approach that the script currently uses.
>>
>> Bill
>>
>> ----- Original Message -----
>> From: "Jim Basney"
>> To: "Rachana Ananthakrishnan" <ranantha at mcs.anl.gov>, "Bill Baker"
>> Sent: Thursday, October 22, 2009 10:13:14 AM GMT -06:00 US/Canada  
>> Central
>> Subject: MyProxy web login: ESG & NVO
>>
>> Hi Bill,
>>
>> Rachana pointed out to me some work in ESG to put a simple HTTPS
>> interface in front of myproxy-logon that retrieves a certificate and
>> private key. It made me think of the NVO login design that lets you
>> download your certificate and private key from the browser (via "Save
>> Link As..." if I understand correctly).
>>
>> I see some documentation for the NVO SSO system at:
>>  http://mywiki.ncsa.uiuc.edu/wiki/NVO_SSO
>>
>> Are there other details you could share with Rachana? Maybe there's
>> an opportunity for some code sharing between ESG and NVO.
>>
>> Thanks,
>> Jim
>>
>> Rachana Ananthakrishnan wrote:
>>> Hi Jim,
>>>
>>> Thanks for the quick response.
>>>
>>> Good point about the keys sent on the wire. I am presuming that
>>> with SSL they deem it acceptable to push private key information.
>>> Is the NVO work a separate module that can be leveraged?
>>>
>>> Rachana
>>>
>>> On Oct 22, 2009, at 9:58 AM, Jim Basney wrote:
>>>
>>>> Hi Rachana,
>>>>
>>>> I wasn't aware of this work. The closest thing to it I'm aware of is
>>>> the NVO portal login, that also delivers the user certificate and
>>>> private key over HTTPS. Certainly it'd be very nice for Phil to share
>>>> his work with the MyProxy community.
>>>>
>>>> The main issue with his design is that it violates the proscription
>>>> against generating private keys on behalf of subscribers and sending
>>>> them over the network. That's why the MyProxy and GridShib CA
>>>> protocols generate keypairs on the client-side and send a certificate
>>>> request.
>>>>
>>>> -Jim
>>>
>

On Oct 22, 2009, at 8:52 AM, <philip.kershaw at stfc.ac.uk> <philip.kershaw at stfc.ac.uk> wrote:

> Hi Rachana,
>
> I've literally just finished developing it hence my question.  - I  
> don't want to take it further at this stage if there's something  
> else that will do the same thing.
>
> The application simply fronts a MyProxy logon call with an HTTPS
> interface.  The client sends an HTTP GET call to a web server hosting
> an application which fronts a MyProxy server, translating the HTTP
> request into a MyProxy logon call.
>
> HTTP client --<HTTP Basic Auth over HTTPS>--> Proxy Application --<MyProxy logon>--> MyProxy server
>
> Username and password are passed in the HTTP header using HTTP Basic
> Auth.   The proxy application is configured to receive the request
> and pass it on to a MyProxy service to perform the usual logon
> process.   The application receives the response back from MyProxy
> and passes certificate(s) and key back to the HTTP client in
> plain/text format.   As it's over SSL, HTTP client and server can
> authenticate each other.
>
> Cheers,
> Phil
>
>> -----Original Message-----
>> From: Rachana Ananthakrishnan [mailto:ranantha at mcs.anl.gov]
>> Sent: 21 October 2009 17:18
>> To: Kershaw, Philip (STFC,RAL,SSTD)
>> Cc: go-essp-tech at ucar.edu
>> Subject: Re: [Go-essp-tech] MyProxy Clients for ESG
>>
>>
>> Hi Phil,
>>
>> This sounds interesting. Can you send out pointers to this work?
>>
>> Thanks,
>> Rachana
>>
>> On Oct 21, 2009, at 9:57 AM, <philip.kershaw at stfc.ac.uk>
>> <philip.kershaw at stfc.ac.uk> wrote:
>>
>>> Hi all,
>>>
>>> Dean mentions an improved MyProxy client below.  I'd be interested to
>>> find out more about it.
>>>
>>> We had some discussion about the ease of use of MyProxy clients at
>>> GO-ESSP.  I've been looking at this and have developed an add-on to
>>> our interface here to enable MyProxy logon via an https call.  It
>>> would mean the logon step could be carried out with something like
>>> wget without the need for a specialist client.  Does anyone else
>>> know of any similar work?  Are you looking to add any specific
>>> utilities in the Gateway for MyProxy integration?
>>>
>>> Cheers,
>>> Phil
>>>
>>>> -----Original Message-----
>>>> From: go-essp-tech-bounces at ucar.edu
>>>> [mailto:go-essp-tech-bounces at ucar.edu] On Behalf Of Dean N. Williams
>>>> Sent: 20 October 2009 14:41
>>>> To: Pascoe, Stephen (STFC,RAL,SSTD)
>>>> Cc: go-essp-tech at ucar.edu
>>>> Subject: Re: [Go-essp-tech] next telco: ESG data node progress, 4pm
>>>> UT,20th October
>>>>
>>>> Hi Stephen,
>>>>
>>>> 	Bob and Gavin will be on the call today, so these questions will be
>>>> answered in great detail. Gavin, Eric, and Neill are working to
>>>> include GridFTP and a new improved MyProxy client. Bob will point you
>>>> to the publisher commands. Bob and Gavin will discuss the testing of
>>>> the publication installation and process. Finally, we will discuss
>>>> updated material on the DN development, deployment, and publication
>>>> timelines.
>>>>
>>>> Best regards,
>>>> 	Dean
>>>>
>>>> On Oct 20, 2009, at 6:21 AM, <stephen.pascoe at stfc.ac.uk> wrote:
>>>>
>>>>>
>>>>> Some items I'd like to discuss at the telco. today:
>>>>>
>>>>> * datanode deployment update
>>>>> * Data publication timelines -- I can report on our expected
>>>>> publication timeline of UKMO data.
>>>>> * Testing the publication process.  How should testing "esgpublish"
>>>>> work?  Are there constraints on what metadata we give our test
>>>>> datasets?  How do we unpublish test datasets, including removal from
>>>>> the gateway?
>>>>> * Documentation.  Is there any documentation on the esgcet
>>>>> command-line tools ($CDAT_HOME/bin/esg*)?  If not, let's start a wiki
>>>>> page on it.
>>>>> * GridFTP -- I'm not clear how this is meant to be configured on the
>>>>> node.
>>>>>
>>>>> Cheers,
>>>>> Stephen.
>>>>>
>>>>> ---
>>>>> Stephen Pascoe  +44 (0)1235 445980
>>>>> British Atmospheric Data Centre
>>>>> Rutherford Appleton Laboratory
>>>>>
>>>>> -----Original Message-----
>>>>> From: badc-nmwg-bounces at zonda.badc.rl.ac.uk
>>>>> [mailto:badc-nmwg-bounces at zonda.badc.rl.ac.uk] On Behalf Of Bryan Lawrence
>>>>> Sent: 19 October 2009 14:55
>>>>> To: go-essp-tech at ucar.edu
>>>>> Subject: [badc-nmwg] [Go-essp-tech] next telco: ESG data node
>>>>> progress,4pm UT, 20th October
>>>>>
>>>>> Hi Folks
>>>>>
>>>>> As announced, the next telco will be 4pm UT, 20th of October.
>>>>>
>>>>> (Yes, that's 0300 in Canberra, 0900 in San Francisco, 1000 Denver,
>>>>> 1200 in NYC, 1700 in the UK, 1800  in Europe, and the time will
>>>>> change for most of us the following week).
>>>>>
>>>>> The telco will be limited to one hour in duration.
>>>>>
>>>>> Telco number is US +1-925-424-8105 access code 305757#.
>>>>>
>>>>> Because of the antisocial hour in the Antipodes, we're planning to
>>>>> record the meeting ...  so that we don't get sued because of
>>>>> potential damage from massive caffeine spikes ... if anyone has a
>>>>> problem with that (the recording that is), please speak out asap.
>>>>>
>>>>> Topic of the day: progress on installing and configuring the ESG
>>>>> data node. I think the actual agenda will be constructed in the
>>>>> first five minutes of the call.
>>>>>
>>>>> Dean has produced the attached document which will eventually appear
>>>>> on the CMIP5 site.  Do feel free to provide constructive criticism,
>>>>> so the document can be as useful as possible for those following us
>>>>> down this road.
>>>>>
>>>>> Cheers
>>>>> Bryan
>>>>>
>>>>> --
>>>>> Bryan Lawrence
>>>>> Director of Environmental Archival and Associated Research
>>>>> (NCAS/British Atmospheric Data Centre and NCEO/NERC NEODC) STFC,
>>>>> Rutherford Appleton Laboratory
>>>>> Phone +44 1235 445012; Fax ... 5848;
>>>>> Web: home.badc.rl.ac.uk/lawrence
>>>>> --
>>>>> Scanned by iCritical.
>>>>> _______________________________________________
>>>>> GO-ESSP-TECH mailing list
>>>>> GO-ESSP-TECH at ucar.edu
>>>>> http://mailman.ucar.edu/mailman/listinfo/go-essp-tech
>>>>>
>>>>
>>>>
>>
>>
> --
> Scanned by iCritical.
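
Jim Basney's point in the thread, that the MyProxy and GridShib CA protocols generate the key pair on the client and send only a certificate request, sketched as an added example (not part of the original messages and not MyProxy code). It assumes the `openssl` command-line tool is installed; the file names and subject DN are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: the key pair is generated on the client and only a
# certificate request leaves the machine. File names and the subject DN
# are constructed for illustration; requires the openssl CLI.

# make_request DIR SUBJECT: create userkey.pem and usercert_request.pem.
# -nodes leaves the key unencrypted so the example runs unattended.
make_request() {
    ( umask 077   # key file readable by its owner only
      openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
          -keyout "$1/userkey.pem" \
          -out "$1/usercert_request.pem" >/dev/null 2>&1 )
}

# payload_has_private_key FILE: true if FILE carries PEM private key
# material, i.e. a body that should not be sent over the network.
payload_has_private_key() {
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# request_proves_possession REQ: true if the request's self-signature
# verifies, which shows the requester holds the matching private key.
request_proves_possession() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# request_matches_key REQ KEY: true if both hold the same public key.
request_matches_key() {
    local req_pub key_pub
    req_pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$req_pub" ] && [ "$req_pub" = "$key_pub" ]
}

demo() {
    local dir
    dir=$(mktemp -d) || return 1
    make_request "$dir" "/O=Example Grid/CN=constructed user" || return 1
    payload_has_private_key "$dir/usercert_request.pem" \
        && echo "request leaks a key" || echo "request: no private key"
    request_proves_possession "$dir/usercert_request.pem" \
        && echo "request: proof of possession OK"
    request_matches_key "$dir/usercert_request.pem" "$dir/userkey.pem" \
        && echo "request matches local key"
    rm -rf "$dir"
}
demo
```

The same `payload_has_private_key` check applied to a response body from an HTTPS front end of the kind described in the thread would return true, since that design sends the key back to the client along with the certificate(s).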
