
Authentication/Certificates

Authentication/Authorization#

Authentication is done with X.509 certificates. When no token is available (missing or expired), the client automatically creates one: a short-lived certificate issued on the AliEn side, which is then used for the session instead of the user certificate.

Certificate/token locations#

The location of the user certificate and key can be customized with the X509_USER_CERT and X509_USER_KEY env vars (they must point to files);
if they are not set, the defaults are ${HOME}/.globus/usercert.pem and ${HOME}/.globus/userkey.pem.

The location of the token certificate and key can be customized with the JALIEN_TOKEN_CERT and JALIEN_TOKEN_KEY env vars, which can either:

  • point to files
  • or hold the certificate/key content itself (the client then writes the content to temporary files before use).

If these are not set, the default files ${TMPDIR}/token{cert,key}_$UID.pem will be used (if TMPDIR is not set, /tmp is used).

Warning

On clusters like lxplus, /tmp is private to each node, so a token created in one login session is not visible from the next and has to be created again.
Set TMPDIR to a directory under ${HOME} so the token survives across logins. The token key is a private key: keep that directory readable only by you.

CA certificates locations#

There are a few locations where the CA certificates can be found, in this order of preference:

  1. Within the O2 environment, the env var $X509_CERT_DIR is always set.
  2. Outside the O2 environment, if CVMFS is present and alienpy was installed with pip, it is highly recommended to do:
    export X509_CERT_DIR=/cvmfs/alice.cern.ch/etc/grid-security/certificates
  3. Outside the O2 environment, with no CVMFS present and alienpy installed with pip, one can do:
    alien.py getCAcerts  # this installs the AliEn-CAS content into $HOME/.globus/certificates
    export X509_CERT_DIR=$HOME/.globus/certificates
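
The resolution rules of the two sections above (user certificate from X509_USER_{CERT,KEY}, token from JALIEN_TOKEN_{CERT,KEY} as a path or as inline PEM, TMPDIR defaulting to /tmp, the CA directory search order, and the lxplus caveat) written out as POSIX shell functions. This is an added example, not alienpy's own code: the function names are mine, the env var names, defaults and search order are the page's, and writing inline PEM to a mktemp file is an assumption about how such a temporary file can be created safely, not a description of what the client does.

```shell
#!/bin/sh
# Resolution of the certificate, token and CA locations described above, as
# POSIX shell functions. Added example, not alienpy code: function names are
# mine; the env var names, defaults and search order are the page's. Writing
# inline PEM to a mktemp file is an assumption about how such a temporary
# file could be created safely, not a description of what the client does.

# User certificate/key: X509_USER_{CERT,KEY}, else ${HOME}/.globus/user{cert,key}.pem
resolve_user_cert() { printf '%s\n' "${X509_USER_CERT:-$HOME/.globus/usercert.pem}"; }
resolve_user_key()  { printf '%s\n' "${X509_USER_KEY:-$HOME/.globus/userkey.pem}"; }

# Token certificate/key: JALIEN_TOKEN_{CERT,KEY} is a path, or the PEM content
# itself; unset means ${TMPDIR:-/tmp}/token{cert,key}_<uid>.pem.
# Inline PEM goes to a fresh temp file; mktemp creates it mode 0600, so the
# private key is never readable by other users, not even briefly.
resolve_token_file() {  # $1 = cert | key ; prints the path to use
  kind=$1
  case $kind in
    cert) val=${JALIEN_TOKEN_CERT-} ;;
    key)  val=${JALIEN_TOKEN_KEY-} ;;
    *)    echo "usage: resolve_token_file cert|key" >&2; return 2 ;;
  esac
  case $val in
    -----BEGIN*)
      f=$(mktemp "${TMPDIR:-/tmp}/token${kind}_XXXXXX") || return 1
      printf '%s\n' "$val" > "$f" && printf '%s\n' "$f" ;;
    "") printf '%s\n' "${TMPDIR:-/tmp}/token${kind}_$(id -u).pem" ;;
    *)  printf '%s\n' "$val" ;;
  esac
}

# CA directory, in the page's order of preference: X509_CERT_DIR if set,
# else the CVMFS copy if mounted, else what alien.py getCAcerts installs.
resolve_ca_dir() {
  if [ -n "${X509_CERT_DIR-}" ]; then printf '%s\n' "$X509_CERT_DIR"; return 0; fi
  for c in /cvmfs/alice.cern.ch/etc/grid-security/certificates "$HOME/.globus/certificates"; do
    if [ -d "$c" ]; then printf '%s\n' "$c"; return 0; fi
  done
  echo "no CA directory found: run 'alien.py getCAcerts' and export X509_CERT_DIR" >&2
  return 1
}

# The lxplus problem: a token under a node-private /tmp is gone at the next
# login. Succeeds only if the token directory lives under $HOME.
token_dir_is_persistent() {
  case ${TMPDIR:-/tmp} in
    "$HOME"/*) return 0 ;;
    *)         return 1 ;;
  esac
}

# A private key file must not be readable by group or others (mode 0600).
# Parses ls(1) output rather than stat(1), whose flags differ between GNU and BSD.
key_file_is_private() {
  [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Usage, e.g. in a login script on a shared cluster:
#   token_dir_is_persistent || echo "set TMPDIR to a directory under \$HOME" >&2
#   key_file_is_private "$(resolve_token_file key)" || echo "token key is not 0600" >&2
#   resolve_ca_dir
```

When JALIEN_TOKEN_KEY holds inline content, every call of resolve_token_file creates a new temporary file; a real client would cache it and remove it at exit. The example only shows the part that matters for security, creating the file with private permissions before the key material touches disk.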
    

Certificate/token information/verification#

  • Information on the certificate/token is printed by the cert-info/token-info commands.

  • Verification against the known CA certificates is done by cert-verify/token-verify.

Tip

When the certificate is known to be valid, a failing cert-verify shows that the wrong directory of CA certificates is being seen (check $X509_CERT_DIR).

  • Checking the key against the certificate: certkey-match/tokenkey-match

Info

These operations do not require network connectivity, so they can be used to diagnose a certificate or CA-directory problem before attempting any connection.

Certificate/token information/verification - openssl#

  • Certificate information

    openssl x509 -text -noout -in ~/.globus/usercert.pem
    

  • Token information

    openssl x509 -text -noout -in ${TMPDIR:-/tmp}/tokencert_$(id -u).pem
    

  • Certificate verification against CA certificates

    # if within O2 env
    openssl verify -CApath $X509_CERT_DIR $HOME/.globus/usercert.pem
    
    # outside of O2 env but cvmfs present
    openssl verify -CApath /cvmfs/alice.cern.ch/etc/grid-security/certificates $HOME/.globus/usercert.pem
    

  • Certificate/key match verification

    openssl x509 --noout --modulus --in ~/.globus/usercert.pem | openssl md5; \
    openssl rsa -noout -modulus -in ~/.globus/userkey.pem | openssl md5
    

Token operations#

  • alien-token-init is an alias to alien.py token-init
  • token-init can be used for token customization
    alien.py token-init -h
    INFO: token is automatically created, use this for token customization
    usage: token-init   [-options]
    
    options:
    -u <username>          :  switch to another role of yours
    -v <validity (days)>   :  default depends on token type
    -t <tokentype>         :  can be one of: job, jobagent, host, user (default)
    -jobid <job DN extension>  :  expected to be present in a job token
    -hostname <FQDN>       :  required for a host certificate
    
  • token-destroy will delete the token files.

Tip

For programmatic usage use the token command (same options as token-init); it is a print-only command, which allows usage like:

    eval $(alien.py -json token | jq -r '.["results"][0] |  "JALIEN_TOKEN_CERT=\"\(.tokencert)\"", "JALIEN_TOKEN_KEY=\"\(.tokenkey)\""')

This defines JALIEN_TOKEN_CERT and JALIEN_TOKEN_KEY in the current environment, holding the certificate and key content (the second form described under Certificate/token locations).

Role change#

The user <username> command changes the role of the current user temporarily (like doing su <username>).

Tip

Use user for a temporary change of role.
Use token-init -u <username> to create a new token for prolonged use of the alternate user name.