From 60c6cab8f58d35cbfb9a714585876e8d34484dd4 Mon Sep 17 00:00:00 2001 From: Frank Scheiner Date: Fri, 25 Nov 2022 17:56:06 +0100 Subject: [PATCH 1/4] Task list fixes No.2 --- 6.2/admin/install/install_frag.adoc | 3 --- 6.2/gsic/grid-proxy-init-manual.adoc | 10 +++++----- 2 files changed, 5 insertions(+), 8 deletions(-) diff --git a/6.2/admin/install/install_frag.adoc b/6.2/admin/install/install_frag.adoc index f94c26f1..2489edb1 100644 --- a/6.2/admin/install/install_frag.adoc +++ b/6.2/admin/install/install_frag.adoc @@ -137,9 +137,6 @@ build subsets of the Grid Community Toolkit: **gsi**:: Security Libraries and Tools -**gsi**:: - Security Libraries and Tools - **udt**:: Globus XIO UDT Driver diff --git a/6.2/gsic/grid-proxy-init-manual.adoc b/6.2/gsic/grid-proxy-init-manual.adoc index 3125143a..e20dee1a 100644 --- a/6.2/gsic/grid-proxy-init-manual.adoc +++ b/6.2/gsic/grid-proxy-init-manual.adoc @@ -16,10 +16,10 @@ grid-proxy-init - Generate a new proxy certificate The **++grid-proxy-init++** program generates X.509 proxy certificates derived from the currently available certificate files. By default, this command generates a http://www.ietf.org/rfc/rfc3820.txt[RFC 3820] Proxy -Certificate with a 512 bit key valid for 12 hours in a file named +Certificate with a 2048 bit key valid for 12 hours in a file named ++/tmp/x509up_uUID++. Command-line options and variables can modify the format, strength, lifetime, and location of the generated proxy -certificate. . Command-line options and variables can modify the format, +certificate. Command-line options and variables can modify the format, strength, lifetime, and location of the generated proxy certificate. X.509 proxy certificates are short-lived certificates, signed usually by @@ -72,7 +72,7 @@ The full set of command-line options to **++grid-proxy-init++** are: Write the generated proxy certificate file to 'PROXYPATH' instead of the default path of ++/tmp/x509up_uUID++.. **-bits 'BITS'**:: - When creating the proxy certificate, use a 'BITS' bit key instead of the default 512 bit keys. + When creating the proxy certificate, use a 'BITS' bit key instead of the default 2048-bit keys. **-policy 'POLICYFILE'**:: Add the certificate policy data described in 'POLICYFILE' as the ProxyCertInfo X.509 extension to the generated proxy certificate. @@ -121,7 +121,7 @@ and '-bits' command-line options to **++grid-proxy-init++**. For example: -------- -% grid-proxy-init -hours 8 -bits 1024 +% grid-proxy-init -hours 8 -bits 4096 Your identity: /DC=org/DC=example/CN=Joe User Enter GRID pass phrase for this identity: Creating proxy .................................. Done Your proxy is valid until: Thu Mar 17 23:48:05 2010 @@ -161,7 +161,7 @@ The following files affect the execution of **++grid-proxy-init++**: For more information about proxy certificate types and their compatibility in GT and GCT, see -http://dev.globus.org/wiki/Security/ProxyCertTypes[http://dev.globus.org/wiki/Security/ProxyCertTypes]. +https://web.archive.org/web/20130817025920/http://dev.globus.org/wiki/Security/ProxyCertTypes[https://web.archive.org/web/20130817025920/http://dev.globus.org/wiki/Security/ProxyCertTypes]. == See Also == From f53eaa659166c551e084e98318279839c117a45a Mon Sep 17 00:00:00 2001 From: Frank Scheiner Date: Fri, 25 Nov 2022 17:57:15 +0100 Subject: [PATCH 2/4] Add information about the use of PKCS#12 keystores with grid-proxy-init --- 6.2/gsic/grid-proxy-init-manual.adoc | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/6.2/gsic/grid-proxy-init-manual.adoc b/6.2/gsic/grid-proxy-init-manual.adoc index e20dee1a..f2026222 100644 --- a/6.2/gsic/grid-proxy-init-manual.adoc +++ b/6.2/gsic/grid-proxy-init-manual.adoc @@ -140,6 +140,8 @@ The following environment variables affect the execution of **++X509_USER_KEY++**:: Path to the key to use to sign the new proxy. +To use a PKCS#12 keystore instead of PEM files for certificate and key, both **++X509_USER_CERT++** and **++X509_USER_KEY++** have to point to the PKCS#12 keystore. + **++X509_CERT_DIR++**:: Path to the directory containing trusted certifiate certificates and signing policies. @@ -150,12 +152,13 @@ The following environment variables affect the execution of The following files affect the execution of **++grid-proxy-init++**: **++$HOME/.globus/usercert.pem++**:: - Default path to the certificate to use as issuer of the new proxy. + Default path to the certificate to use as issuer of the new proxy. If it exists it takes precendence over **++[...]/usercred.p12++** but also requires the presence of the matching key file (**++[...]/userkey.pem++**). **++$HOME/.globus/userkey.pem++**:: - Default path to the key to use to sign the new proxy. - + Default path to the key to use to sign the new proxy. If it exists it takes precendence over **++[...]/usercred.p12++** but also requires the presence of the matching certificate file (**++[...]/usercert.pem++**). +**++$HOME/.globus/usercred.p12++**:: + Default path to the PKCS#12 keystore that contains both the certificate to use as issuer of the new proxy and the key to use to sign the new proxy. To use a PKCS#12 keystore, neither **++[...]/usercert.pem++** nor **++[...]/userkey.pem++** must be present. == Compatibility == From 653bc22f3fea096a233222a446a2d1035d144d18 Mon Sep 17 00:00:00 2001 From: Frank Scheiner Date: Thu, 1 Dec 2022 16:14:40 +0100 Subject: [PATCH 3/4] Correct description for -cert and -key options --- 6.2/gsic/grid-proxy-init-manual.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/6.2/gsic/grid-proxy-init-manual.adoc b/6.2/gsic/grid-proxy-init-manual.adoc index f2026222..f22422c6 100644 --- a/6.2/gsic/grid-proxy-init-manual.adoc +++ b/6.2/gsic/grid-proxy-init-manual.adoc @@ -62,8 +62,8 @@ The full set of command-line options to **++grid-proxy-init++** are: **-valid 'HOURS':'MINUTES', -hours 'HOURS'**:: Create a certificate that is valid for 'HOURS' hours and 'MINUTES' minutes. If not specified, the default of twelve hours and no minutes is used. -**-cert 'CERTFILE', -key 'KEYFILE'**:: - Create a proxy certificate signed by the certificate located in ++CERTFILE++ using the key located in using the key located in ++KEYFILE++. If not specified the default certificate and key will be used. This overrides the values of environment variables described below.. If not specified the default certificate and key will be used. This overrides the values of environment variables described below. +**-cert 'CERTFILE' -key 'KEYFILE'**:: + Create a proxy certificate signed by the certificate located in ++CERTFILE++ using the key located in ++KEYFILE++. If not specified the default certificate and key will be used. This overrides the values of environment variables described below. **-certdir 'CERTDIR'**:: Search 'CERTDIR' for trusted certificates if verifying the proxy certificate. If not specified, the default trusted certificate search path is used. This overrides the value of the ++X509_CERT_DIR++ environment variable From ae5705574cb4e32845293c80de22d89905bdd94f Mon Sep 17 00:00:00 2001 From: Frank Scheiner Date: Thu, 1 Dec 2022 16:17:58 +0100 Subject: [PATCH 4/4] Add information about the correct use with a PKCS#12 keystore --- 6.2/gsic/grid-proxy-init-manual.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/6.2/gsic/grid-proxy-init-manual.adoc b/6.2/gsic/grid-proxy-init-manual.adoc index f22422c6..df65fa52 100644 --- a/6.2/gsic/grid-proxy-init-manual.adoc +++ b/6.2/gsic/grid-proxy-init-manual.adoc @@ -63,7 +63,7 @@ The full set of command-line options to **++grid-proxy-init++** are: Create a certificate that is valid for 'HOURS' hours and 'MINUTES' minutes. If not specified, the default of twelve hours and no minutes is used. **-cert 'CERTFILE' -key 'KEYFILE'**:: - Create a proxy certificate signed by the certificate located in ++CERTFILE++ using the key located in ++KEYFILE++. If not specified the default certificate and key will be used. This overrides the values of environment variables described below. + Create a proxy certificate signed by the certificate located in ++CERTFILE++ using the key located in ++KEYFILE++. If not specified the default certificate and key will be used. This overrides the values of environment variables described below. When using a PKCS#12 keystore as source for certificate and key it must be provided as argument for both options. **-certdir 'CERTDIR'**:: Search 'CERTDIR' for trusted certificates if verifying the proxy certificate. If not specified, the default trusted certificate search path is used. This overrides the value of the ++X509_CERT_DIR++ environment variable