WARNING
The trick described on this page must be used with care and with its security consequences in mind: it leaves an unencrypted private key on disk that is valid for as long as the grid proxy it came from, and a proxy certificate cannot be revoked (it is not covered by the CA's CRL). Anyone who obtains those files can obtain VOMS proxies in your name until they expire.
Please use this information only when strictly necessary, do not generate grid proxies with a longer lifetime than you actually need, keep the extracted files readable by you alone (mode 0600), and delete them when they are no longer needed.
VOMS builds on X.509 proxy certificates: a VOMS proxy is a short-lived certificate that chains back to your IGTF certificate (through any intermediate CA certificates to the issuing CA) and carries your VO membership, groups and roles as an extension. When you run voms-proxy-init, a fresh key pair is generated; a proxy certificate for the new public key is then signed with the private key of the certificate you supplied (normally your IGTF certificate), the VOMS attributes returned by the VOMS server are embedded in it, and it is given a lifetime shorter than that of the signing certificate.
A grid proxy (grid-proxy-init) is produced in exactly the same way, minus the VOMS part: it is created offline, without contacting any VOMS server, and its lifetime can be chosen freely as long as it ends within the validity of the IGTF certificate it derives from.
Since a grid proxy is itself a valid certificate with its own private key and a chain back to your IGTF certificate, it can be used to authenticate to a VOMS server and obtain a valid VOMS proxy without your IGTF private key ever being decrypted or exposed.
The following commands demonstrate a proof-of-concept of this technique.
grid-proxy-init -valid 8766:0   # create a grid proxy with a tentative 1 year validity (hours:minutes); it is capped by the expiry of your IGTF certificate
rm -f /tmp/x509up_u$UID.key /tmp/x509up_u$UID.cert   # remove the files left by a previous run
umask 0077   # make the new files readable and writable by you only (umask 0022 would leave them world-readable)
sed -n '/BEGIN .*PRIVATE KEY/,/END .*PRIVATE KEY/p' /tmp/x509up_u$UID >/tmp/x509up_u$UID.key   # extract the private key from the grid proxy (matches both "BEGIN PRIVATE KEY" and "BEGIN RSA PRIVATE KEY")
sed '/BEGIN .*PRIVATE KEY/,/END .*PRIVATE KEY/d' /tmp/x509up_u$UID >/tmp/x509up_u$UID.cert   # extract the certificate chain from the grid proxy
voms-proxy-init --cert /tmp/x509up_u$UID.cert --key /tmp/x509up_u$UID.key --voms km3net.org   # create a VOMS proxy for the KM3NeT VO
The VOMS proxy is created without asking for a password, because the private key extracted from the grid proxy is not encrypted. This is also why the .key file must be kept readable by you only.
The VOMS proxy is written to /tmp/x509up_u$UID, overwriting the original grid proxy file there; the extracted .key and .cert files are therefore what you need to keep. Its lifetime is limited by the VOMS server configuration, typically 12 hours, but it can be refreshed automatically and without human interaction by re-issuing the voms-proxy-init command above, for example from a batch job to which the .key and .cert files have been shipped. The same warning applies there: the files give whoever holds them the ability to act as you for the whole lifetime of the grid proxy.
The resulting VOMS proxy is accepted by grid computing and storage elements like any other VOMS proxy; the only visible difference is one extra proxy level in its certificate chain.
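The procedure above as a small script, added here as an example and not part of the page's or KM3NeT's own tooling: it splits a grid proxy file into a key file and a chain file created with owner-only permissions, checks that the split produced exactly one key and that the key file is mode 0600, and wraps the voms-proxy-init call for refreshing from a batch job. The function names, the sample proxy file (placeholder PEM bodies, constructed for the example) and the use of $X509_USER_PROXY as an alternative location are assumptions; the VO name km3net.org is the one used on this page.

```shell
#!/bin/sh
# Added example (not the page's or KM3NeT's own script): split a grid proxy
# into a 0600 key file and a chain file, then (re)create a VOMS proxy from them.
# Function names, paths and the sample proxy are assumptions for the example.
set -eu

# Number of PEM blocks of type $2 (e.g. CERTIFICATE, RSA PRIVATE KEY) in file $1.
count_blocks() {
    grep -c -- "-----BEGIN $2-----" "$1" || true
}

# True when file $1 is readable and writable by its owner only (mode 0600).
key_mode_is_private() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Extract the private key of grid proxy $1 into $2 and the certificate chain
# into $3. Both files are created under umask 0077, so they end up as 0600.
split_proxy() {
    proxy=$1; keyfile=$2; certfile=$3
    rm -f "$keyfile" "$certfile"
    saved_umask=$(umask)
    umask 0077
    # The key may be stored as PKCS#1 ("RSA PRIVATE KEY") or PKCS#8
    # ("PRIVATE KEY"); the pattern accepts both.
    sed -n '/-----BEGIN .*PRIVATE KEY-----/,/-----END .*PRIVATE KEY-----/p' "$proxy" > "$keyfile"
    sed '/-----BEGIN .*PRIVATE KEY-----/,/-----END .*PRIVATE KEY-----/d' "$proxy" > "$certfile"
    umask "$saved_umask"
    # Refuse to continue if the split did not give exactly one key and at least
    # one certificate, or if the key file is readable by others.
    nkeys=$(grep -c -- '-----BEGIN .*PRIVATE KEY-----' "$keyfile" || true)
    ncerts=$(count_blocks "$certfile" CERTIFICATE)
    [ "$nkeys" -eq 1 ] || { echo "expected one private key in $proxy, found $nkeys" >&2; return 1; }
    [ "$ncerts" -ge 1 ] || { echo "no certificate found in $proxy" >&2; return 1; }
    key_mode_is_private "$keyfile" || { echo "$keyfile is not mode 0600" >&2; return 1; }
}

# (Re)create a VOMS proxy from the extracted files. Needs voms-proxy-init and
# network access to the VOMS server, so it is not exercised offline.
refresh_voms_proxy() {
    keyfile=$1; certfile=$2; vo=${3:-km3net.org}
    voms-proxy-init --cert "$certfile" --key "$keyfile" --voms "$vo"
}

# Constructed stand-in for /tmp/x509up_u$UID with placeholder PEM bodies, in
# the order grid-proxy-init writes them: proxy certificate, key, IGTF certificate.
make_sample_proxy() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
PLACEHOLDER/PROXY/CERTIFICATE/BODY/NOT/A/REAL/CERTIFICATE=
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
PLACEHOLDER/PRIVATE/KEY/BODY/NOT/A/REAL/KEY=
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
PLACEHOLDER/IGTF/CERTIFICATE/BODY/NOT/A/REAL/CERTIFICATE=
-----END CERTIFICATE-----
EOF
}

# Usage on a real grid proxy (e.g. from a batch job): sh thisscript.sh --run [VO]
if [ "${1:-}" = "--run" ]; then
    proxy=${X509_USER_PROXY:-/tmp/x509up_u$(id -u)}
    split_proxy "$proxy" "$proxy.key" "$proxy.cert"
    refresh_voms_proxy "$proxy.key" "$proxy.cert" "${2:-km3net.org}"
fi
```

The permission and key-count checks are the part worth copying even if the rest is not: a world-readable key file is the most likely way this trick turns into a compromise, and failing loudly when the sed split produced no key (for example because the proxy file was already overwritten by a VOMS proxy) is better than feeding voms-proxy-init an empty file.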