Ticket #928 (closed task: fixed)

Opened 13 years ago

Last modified 12 years ago

[S] Use MyProxy with a Simple CA for on-the-fly credential creation

Reported by: pjkersha Owned by: pjkersha
Priority: required Milestone: OMII-UK: Package NDG Security
Component: security Version:
Keywords: Security, MyProxy, SimpleCA, OMII-UK Cc:

Description (last modified by pjkersha)

MyProxy enables on-the-fly creation of credentials issued from a SimpleCA on the basis of a callout to some external authentication mechanism.

This is desirable for NDG partner sites as they use username/password fields in user databases for authentication. This will enable NDG Security MyProxy deployments to integrate more readily with existing systems.

Change History

comment:1 Changed 13 years ago by pjkersha

  • Status changed from new to assigned

comment:2 Changed 13 years ago by pjkersha

Different PAMs (Pluggable Authentication modules) are needed according to the database type:

  • BADC/PML: Postgres - deployed at BADC, PML TODO
  • BODC: Oracle
    • pam_oci8 - This package is based on the Open Source OCI8 C Oracle wrapper API. The project is no longer active and it doesn't support MD5 encryption of passwords. However, it's been adapted to do the latter and tested at BODC with a test MyProxy installation.
    • BODC to investigate with Oracle to see if an off-the-shelf solution is available.
  • NOCS: MySQL - There is a MySQL PAM package. This needs investigating.

comment:3 Changed 13 years ago by pjkersha

The NGS have had no relevant experience with an Oracle PAM for MyProxy.

comment:4 Changed 13 years ago by pjkersha

Got pam_mysql 0.7RC1 from Sourceforge and tested with clear text and MD5 encrypted passwords.

Configure options needed some tinkering for MD5 password encryption support:

$ ./configure --with-openssl --with-pam_mods_dir=/lib/security openssl_CFLAGS="-DHAVE_OPENSSL"

Need to test deployment at NOCS.

BODC are making enquiries about PAM support for Oracle. If not available, use the adapted pam_oci8 package as of the earlier comment.
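
The set-up that comment:2 and comment:4 describe (MyProxy acting as a CA front-end, handing the username/password to a PAM stack that queries the site user database) needs two pieces of configuration: a PAM service file for the pam_mysql callout and the matching lines in myproxy-server.config. The following is an added, constructed example and is not configuration from this ticket or from the NDG/MyProxy projects; the service name `myproxy`, the database, table and column names, and the file paths are assumptions, and `CHANGE_ME` marks placeholders.

```text
# /etc/pam.d/myproxy   (constructed example; service name "myproxy" is an assumption)
# pam_mysql checks the supplied username/password against the site user database.
# crypt=3 selects a plain hex MD5 password column, the case tested in comment:4;
# crypt=0 would be the clear-text column case, crypt=1 a crypt(3) column.
# Keep the DB credentials out of this world-readable file: pam_mysql's config_file=
# option reads the same key=value settings from a root-only file instead.
auth     required   pam_mysql.so config_file=/etc/security/pam_mysql_myproxy.conf
account  required   pam_mysql.so config_file=/etc/security/pam_mysql_myproxy.conf

# /etc/security/pam_mysql_myproxy.conf   (mode 0600, owned by root; values are assumptions)
users.host = localhost
users.database = users
users.db_user = myproxy_ro
users.db_passwd = CHANGE_ME
users.table = accounts
users.user_column = username
users.password_column = password
users.password_crypt = 3

# myproxy-server.config excerpt (paths and passphrase are placeholders)
# Route authentication through PAM; pam_id names the /etc/pam.d/ service above.
pam "required"
pam_id "myproxy"
# CA mode: MyProxy signs a short-lived certificate with the SimpleCA key after PAM succeeds.
certificate_issuer_cert /etc/grid-security/simpleca/cacert.pem
certificate_issuer_key  /etc/grid-security/simpleca/private/cakey.pem
certificate_issuer_key_passphrase "CHANGE_ME"
# Map the authenticated username onto the subject DN to issue.
certificate_mapfile /etc/grid-security/grid-mapfile
authorized_retrievers "*"
```

Two points worth checking in such a deployment: the `account` line is needed as well as `auth`, otherwise disabled or expired accounts in the database still obtain certificates; and an unsalted hex MD5 password column (crypt=3) is a weak store, so the read-only database user and the 0600 credentials file limit what a compromised MyProxy host exposes. For the pam_ldap alternative raised in comment:6 the PAM service file changes to `pam_ldap.so` lines and the myproxy-server.config excerpt stays the same.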

comment:5 Changed 13 years ago by pjkersha

Query about Oracle PAM has reached a dead end. Use adapted pam_oci8 instead. This is tested but needs packaging i.e. updated configure script.

comment:6 Changed 13 years ago by pjkersha

Need to investigate LDAP PAM for NOCS - may need this and/or pam_mysql. pam_ldap is a straightforward installation and an example is given on the MyProxy CA pages.

comment:7 Changed 13 years ago by pjkersha

MyProxy - MySQL interface working at NOCS for NOCS Browse login. Still to do:

  • NOCS MyProxy - OpenDAP interface for NOCS internal users login
  • BODC deployment with MyProxy - pam_oci8

comment:8 Changed 13 years ago by pjkersha

  • Description modified
  • Completed BODC deployment on development server. Set-up will be mirrored on production machine.

comment:9 Changed 12 years ago by pjkersha

  • Status changed from assigned to closed
  • Resolution set to fixed
  • Description modified

Completed. Note:

  • Session Manager has a new authentication interface so that MyProxy can be replaced with an alternative authentication mechanism if required, e.g. user database callout.
  • MyProxy has been talked about for the ESG non-browser based profile and so may be important for IPCC AR5 security interoperability.