lcmaps_verify_proxy.mod - LCMAPS plug-in to verify a certificate chain including proxies
lcmaps_verify_proxy.mod [--allow-limited-proxy]
    [-certdir|-cadir|-capath|--capath <certificate_directory>]
    [--disallow-limited-proxy] [--discard_private_key_absence]
    [--max-proxy-level-ttl=<level>|--max-proxy-level-ttl@<level> <timeperiod>]
    [--max-voms-ttl <timeperiod>] [--never_discard_private_key_absence]
    [--only-enforce-lifetime-checks] [--require-limited-proxy]
This plug-in tests whether the presented proxy certificate chain is
authentic. It uses OpenSSL to verify the certificate chain and checks that the
End-Entity Certificate (EEC) has not been revoked, using CRLs or OCSP(*). In an
lcmaps.db(5) file it is advised to run this plug-in as the first plug-in and to
let its failure fail the whole policy, unless some other plug-in verifies the
input credentials.
Additionally, this plug-in can impose other policies, such as proxy and
VOMS lifetime restrictions, or require that the certificate chain is offered
in a certain way, e.g. with a limited proxy or (optionally) without a
private key.
The plug-in takes its input from the LCMAPS framework: the
certificate chain comes from the registered (derived) STACK_OF(X509) *
and the private key (when available) is taken from the registered PEM string
credentials.
The certificate chain is checked and verified by OpenSSL; in addition to
those checks, this plug-in performs semantic checks on the certificate chain
based on how GT2, GT3 and RFC 3820 proxy certificates are to be constructed
and used.
- --allow-limited-proxy
- When enabled, allow the certificate chain to contain a limited proxy
certificate. GT2, GT3 and RFC limited proxies are treated as equal.
- -certdir | -cadir |
-capath | --capath <certificate_directory>
- This option sets the directory used to find the CA certificates, CRLs and
other files used in the verification of the presented certificate chain. It
has no effect when --only-enforce-lifetime-checks is given. When unset, the
value of $X509_CERT_DIR is used; when that is also unset,
/etc/grid-security/certificates is used.
- --disallow-limited-proxy
- When enabled, any use of a limited proxy is prohibited and treated as a
failure condition. GT2, GT3 and RFC limited proxies are treated as equal.
- --discard_private_key_absence
- When enabled, the verification process will not fail on the absence of the
private key. Presenting the private key is part of the proof of possession
of the certificate chain and its delegations, and therefore a fundamental
part of the user credentials. Discarding the private key check is useful
only where another process has already established trust in the user
credentials by performing the proof-of-possession steps itself. Example:
this feature can be enabled in deployments where gLExec is part of the
CREAM CE; the CREAM CE's SSL handshake ensures that only fully verified
credentials are passed down. Counter-example: this feature is not enabled
in a gLExec-on-the-WN deployment, as gLExec itself must ensure that the
pilot-job payload credentials are fully verified before account mapping
occurs.
- --max-proxy-level-ttl=<level>
| --max-proxy-level-ttl@<level> <timeperiod>
- Set a maximum on the allowed validity period of the proxy certificate at a
specific delegation <level>. The first delegation after the EEC is
<level> 0. This is the delegation level that could be stored in a MyProxy
server; a typical setting is 14d-00:00, allowing a MyProxy certificate with
a validity period of two weeks.
A special <level> is indicated by l or L: the leaf proxy, also known as the
final delegation. A safe setting for it is 1d-00:00, allowing a proxy
certificate validity period of one day (24 hours).
Give <timeperiod> in the format [0-99]d-[0-23]:[00-59], for example
2d-13:37.
- --max-voms-ttl <timeperiod>
- Set a maximum on the allowed validity period of the VOMS credentials (when
present). VOMS credentials with a validity period longer than the set
<timeperiod> result in a failure.
- --never_discard_private_key_absence
- This setting overrides both the option --discard_private_key_absence and
the environment variable $VERIFY_PROXY_DISCARD_PRIVATE_KEY_ABSENCE, which
has the same effect as that option.
- --only-enforce-lifetime-checks
- When enabled, this option bypasses all verification steps and only performs
the lifetime checks configured by --max-proxy-level-ttl and/or
--max-voms-ttl. It is intended for Globus Gatekeeper, GridFTPd and/or
GSI-OpenSSHd deployments, where the service has already verified the chain
in its own GSI handshake; do not use it where no other component verifies
the credentials.
- --require-limited-proxy
- Explicitly require the certificate chain to have a limited proxy as its
final delegation. The plug-in fails if the certificate chain does not end in
a limited proxy.
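The following script is an added example, not part of LCMAPS or this plug-in: it simulates how the documented options combine (CA directory precedence, the three limited-proxy options, the private-key override, the <timeperiod> format and the per-level lifetime limits), so that a module argument line can be sanity-checked offline before it goes into lcmaps.db(5). Everything it checks is taken from the option descriptions above; where the man page is silent (what happens when none of the limited-proxy options is given, whether the numbered limit and the leaf limit both apply to a chain with a single delegation, that the validity period means notAfter minus notBefore, and that the environment variable counts as set when present) the script makes an assumption and says so in a comment. The sample chain and the argument lines are constructed for the example; WN_ARGS, GATEKEEPER_ARGS, sample_chain, parse_options and evaluate are names of this example only.

```python
import re
import shlex
from datetime import datetime, timedelta

# <timeperiod> syntax from the option descriptions: [0-99]d-[0-23]:[00-59], e.g. "2d-13:37".
TIMEPERIOD_RE = re.compile(r"^(\d{1,2})d-(\d{1,2}):(\d{2})$")
DEFAULT_CAPATH = "/etc/grid-security/certificates"
DISCARD_ENV = "VERIFY_PROXY_DISCARD_PRIVATE_KEY_ABSENCE"


def parse_timeperiod(text):
    """Convert a <timeperiod> string into a timedelta, rejecting malformed input."""
    m = TIMEPERIOD_RE.match(text)
    if not m or int(m.group(2)) > 23 or int(m.group(3)) > 59:
        raise ValueError("bad <timeperiod> %r, expected [0-99]d-[0-23]:[00-59]" % text)
    days, hours, minutes = (int(g) for g in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes)


def parse_options(args, environ):
    """Interpret the module's argument list as the man page describes each option."""
    opts = {"allow_limited": False, "disallow_limited": False, "require_limited": False,
            "discard_pk": False, "never_discard_pk": False, "lifetime_only": False,
            "capath": None, "max_level_ttl": {}, "max_voms_ttl": None}
    it = iter(args)
    for arg in it:
        if arg == "--allow-limited-proxy":
            opts["allow_limited"] = True
        elif arg == "--disallow-limited-proxy":
            opts["disallow_limited"] = True
        elif arg == "--require-limited-proxy":
            opts["require_limited"] = True
        elif arg == "--discard_private_key_absence":
            opts["discard_pk"] = True
        elif arg == "--never_discard_private_key_absence":
            opts["never_discard_pk"] = True
        elif arg == "--only-enforce-lifetime-checks":
            opts["lifetime_only"] = True
        elif arg in ("-certdir", "-cadir", "-capath", "--capath"):
            opts["capath"] = next(it)
        elif arg.startswith(("--max-proxy-level-ttl=", "--max-proxy-level-ttl@")):
            level = arg[len("--max-proxy-level-ttl") + 1:]      # "0", "1", ... or "l"/"L"
            level = "l" if level in ("l", "L") else int(level)
            opts["max_level_ttl"][level] = parse_timeperiod(next(it))
        elif arg == "--max-voms-ttl":
            opts["max_voms_ttl"] = parse_timeperiod(next(it))
        else:
            raise ValueError("unknown option %r" % arg)
    # The option or the environment variable allows a missing private key;
    # --never_discard_private_key_absence overrides both. Assumption: the
    # variable counts as set whenever it is present in the environment.
    discard = opts["discard_pk"] or DISCARD_ENV in environ
    opts["pk_required"] = opts["never_discard_pk"] or not discard
    # CA directory precedence: option, then $X509_CERT_DIR, then the default;
    # it has no effect when only the lifetime checks are enforced.
    if opts["lifetime_only"]:
        opts["capath"] = None
    else:
        opts["capath"] = opts["capath"] or environ.get("X509_CERT_DIR") or DEFAULT_CAPATH
    return opts


def evaluate(args, chain, have_private_key, environ=None):
    """Return the policy violations for a chain (empty list: it passes this simulation).

    chain: EEC first, then each proxy outward. Each proxy is a dict with
    'not_before', 'not_after' (datetime) and 'limited' (bool); the EEC may carry
    'voms_valid_for' (timedelta) standing in for the VOMS credential lifetime.
    """
    opts = parse_options(args, environ or {})
    failures = []
    proxies = chain[1:]
    if not opts["lifetime_only"]:            # everything but lifetimes is bypassed otherwise
        if opts["pk_required"] and not have_private_key:
            failures.append("private key absent")
        # Assumption: with none of the three limited-proxy options given, no restriction applies.
        if opts["disallow_limited"] and any(p["limited"] for p in proxies):
            failures.append("limited proxy not allowed")
        if opts["require_limited"] and not (proxies and proxies[-1]["limited"]):
            failures.append("final delegation is not a limited proxy")
    # Level 0 is the first proxy after the EEC; "l" is the leaf (final delegation).
    # Assumptions: validity period = notAfter - notBefore, and a proxy that is both
    # level 0 and the leaf is subject to both limits.
    for level, proxy in enumerate(proxies):
        validity = proxy["not_after"] - proxy["not_before"]
        for key in (level, "l" if level == len(proxies) - 1 else None):
            limit = opts["max_level_ttl"].get(key)
            if limit is not None and validity > limit:
                failures.append("proxy level %s valid for %s > max %s" % (key, validity, limit))
    voms = chain[0].get("voms_valid_for")
    if opts["max_voms_ttl"] is not None and voms is not None and voms > opts["max_voms_ttl"]:
        failures.append("VOMS credentials valid for %s > max %s" % (voms, opts["max_voms_ttl"]))
    return failures


def sample_chain():
    """Constructed chain: EEC, a one-week level-0 (MyProxy-style) proxy, a 36-hour limited leaf."""
    t0 = datetime(2024, 1, 1)
    return [
        {"not_before": t0, "not_after": t0 + timedelta(days=365), "limited": False,
         "voms_valid_for": timedelta(hours=12)},
        {"not_before": t0, "not_after": t0 + timedelta(days=7), "limited": False},
        {"not_before": t0, "not_after": t0 + timedelta(hours=36), "limited": True},
    ]


# Constructed argument lines, in the form the module would receive them from lcmaps.db(5).
WN_ARGS = shlex.split("-certdir /etc/grid-security/certificates --allow-limited-proxy "
                      "--max-proxy-level-ttl=0 14d-00:00 --max-proxy-level-ttl@l 1d-00:00 "
                      "--max-voms-ttl 1d-00:00")
GATEKEEPER_ARGS = shlex.split("--only-enforce-lifetime-checks --max-proxy-level-ttl=l 1d-00:00")

if __name__ == "__main__":
    for name, args in (("gLExec on WN", WN_ARGS), ("gatekeeper", GATEKEEPER_ARGS)):
        print(name, evaluate(args, sample_chain(), have_private_key=False) or "OK")
```

Run stand-alone, the WN line reports both the missing private key and the 36-hour leaf exceeding 1d-00:00, while the gatekeeper line reports only the leaf lifetime, because --only-enforce-lifetime-checks skips the private-key and limited-proxy checks. Feed it your own argument line and a chain description extracted with openssl x509 -dates to see which limit a given delegation would trip before deploying the configuration.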
(*) OCSP checking is not functional; it will be added when either the
CA/Browser Forum or the IGTF publishes a clear profile.
Please report any errors to the Nikhef Grid Middleware Security
Team <grid-mw-security-support@nikhef.nl>.
LCMAPS and the LCMAPS plug-ins were written by the Grid Middleware
Security Team <grid-mw-security@nikhef.nl>.