The use of a proxy certificate has several advantages:
Of course, there are also several disadvantages:
Usually the command is issued from a shell prompt without any options. The user is then asked for the password used to decrypt the private key used to sign the newly created temporary certificate:
This process ensures that only the owner of the long-lived certificate can create proxy certificates. The default is to use the user's certificate and key files $HOME/.globus/usercert.pem and $HOME/.globus/userkey.pem. To use different certificate and key files, specify the file names with the -c and -k options.
The simplest use of the clarens-ping command is with the URL of the server as the only argument. Pressing Ctrl-C aborts the process, and prints the minimum, average, and maximum response times of the server.
The command should be supplied with the file name of a PEM-encoded certificate, e.g.:
The name of the package is constructed out of the certificate's distinguished name (DN), with the version number being a hash value calculated from the certificate. This ensures that the RPM package name should be unique. The resultant RPM package can be installed as usual:
The certificate will be installed in $opkg_root/etc/grid-security/hostcert.pem.
The key will be encrypted inside the RPM package, since host keys are usually stored unencrypted in the server filesystem. This provides some modicum of security for storing the key in places that may not be entirely secure.
E.g.:
Upon installation of the resultant RPM package, the user will be prompted for the password used to encrypt the key. If the correct password is entered, the unencrypted key will be installed in $opkg_root/etc/grid-security/hostkey.pem. The encrypted key file will be stored in $opkg_root/etc/grid-security/hostkey_unenc.pem.
E.g.
As with the host certificate, the package name is constructed in such a way that it should be unique. In addition, the dependencies of the RPM package will be set up so that the whole certificate chain must be installed. E.g. if the CA with the distinguished name CAName was issued by a higher-level CA with a DN of CA-pki, an RPM package named cacert-CA-pki-XXXXXX-1.noarch.rpm will be required to be installed first. This might seem onerous, but using a CA certificate without having the full certificate chain available makes it virtually useless!
The RPM package will install the certificate in the directory $opkg_root/etc/grid-security/certificates/5e4666aa.0, linked to the real file in $opkg_root/etc/grid-security/certificates.real/cacert-CAName-5e4666aa in the above example.
The RPM files will be created exactly as if the clarens-package-cacert command was invoked for each of the files.
Usage is simply e.g.:
The resultant RPM package will install files in $opkg_root/lib/root/. Upon initializing the OpenPKG environment, the binary and library paths and environment variables will be set up so that the ROOT application can be invoked from the command line by simply typing root.
This functionality is provided by the kx509 utility, which can be downloaded and installed using the command clump install kx509.
To create a proxy certificate from a Kerberos ticket:
The proxy certificate will be valid for the same period as the ticket.
In the clarens-client-python package, the file Clarens.py contains a Clarens base class that can be used from the command line or from more complex scripts or programs. This base class has a dependency on the M2Crypto package, which is also used on the server.
clarens_client object:
Note that the URI does not have a fixed form like some other XMLRPC servers use (e.g. always ending in the path /RPC2).
The object constructor has the following options:
| OPTION | VALUES | default | DESCRIPTION |
|---|---|---|---|
| debug | 0 or 1 | 0 | Show requests and responses when set. |
| certfile | Filename | /tmp/x509up_u$UID, then $HOME/.globus/usercert.pem | Path to a PEM-encoded certificate. |
| keyfile | Filename | /tmp/x509up_u$UID, then $HOME/.globus/userkey.pem | Path to a PEM-encoded private key. |
| callback | Function | util.passphrase_callback | The name of a function that returns a password. |
| passwd | string | None | The private key password. |
Procedure calls implemented by the remote server may now be called as methods of the client object. The simplest method is the echo.echo method, which merely returns its argument. Return values are part of a list by convention of the XMLRPC protocol:
In this case, the string Hello would be returned as ['Hello'].
There is a whole list of system.method methods implemented to query the server as to the methods it implements. These are discussed elsewhere.
Using the system.logout method of the client object:
While encoding requests and responses simplifies server and client interactions, it does have one serious drawback: large binary responses are difficult to handle. Such a response must be returned as a string encoded in a text-friendly way, e.g. so-called base-64 encoding. This increases the CPU requirements on both the server and client. Since the data encoding increases the size of the response, more bandwidth is required to transport the data.
For that reason, Clarens returns binary data responses in raw form. This might confuse a client application expecting XML-encoded text. To enable or disable automatic XML deserialization, use the enable_deserialize and disable_deserialize methods as follows:
The variable contents should contain the content of the remote file after this code is executed.
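As an added example that is not the Clarens project's own code, the following stand-in client shows the two behaviours described above: echo.echo coming back as the one-element list ['Hello'] after XML-RPC deserialization, and a raw binary file body passed through untouched once disable_deserialize() has been called, with a guard that refuses to feed a non-XML body to the XML parser while deserialization is still on. The ClarensLikeClient and fake_server names, the in-memory transport, the file.read method name and the sample file contents are assumptions; only the standard xmlrpc.client module is used.

```python
import xmlrpc.client
# Constructed sample "remote file" served by the in-memory fake server below.
FAKE_FILES = {"/hsimple.root": b"root\x00\x01\x02\xff binary payload"}

def fake_server(uri, request):
    """Hypothetical stand-in for a Clarens server: returns (content_type, body)."""
    params, method = xmlrpc.client.loads(request)
    if method == "echo.echo":
        return "text/xml", xmlrpc.client.dumps((params[0],), methodresponse=True).encode()
    if method == "file.read":   # binary contents go back raw, not base-64 inside XML
        return "application/octet-stream", FAKE_FILES[params[0]]
    fault = xmlrpc.client.Fault(1, "no such method: %s" % method)
    return "text/xml", xmlrpc.client.dumps(fault, methodresponse=True).encode()

class ClarensLikeClient:
    """Minimal client mimicking enable_deserialize/disable_deserialize (assumed code)."""

    def __init__(self, uri, transport=fake_server, deserialize=True):
        self.uri = uri            # any URI; no fixed /RPC2-style path is assumed
        self._send = transport    # callable(uri, request_bytes) -> (ctype, body)
        self._deserialize = deserialize

    def enable_deserialize(self):
        self._deserialize = True

    def disable_deserialize(self):
        self._deserialize = False

    def call(self, method, *params):
        request = xmlrpc.client.dumps(params, methodname=method).encode()
        ctype, body = self._send(self.uri, request)
        if not self._deserialize:
            return body           # caller gets the raw bytes untouched
        if not ctype.startswith("text/xml"):   # never feed binary data to the XML parser
            raise ValueError("non-XML response (%s); use disable_deserialize()" % ctype)
        values, _ = xmlrpc.client.loads(body)   # raises xmlrpc.client.Fault on error
        return list(values)       # XML-RPC return values arrive as a list

def demo():
    c = ClarensLikeClient("https://host.example/clarens")
    echoed = c.call("echo.echo", "Hello")            # ['Hello']
    try:                                             # deserializer still on: rejected
        c.call("file.read", "/hsimple.root")
        guarded = False
    except ValueError:
        guarded = True
    c.disable_deserialize()
    contents = c.call("file.read", "/hsimple.root")  # raw bytes
    return echoed, contents, guarded
```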
The certificate and key filenames must be accessible from the current working directory in the way they are specified. There are no special directories searched for these files.
file.<method> methods. The latter
can be used as a replacement for the standard TFile class.
This interface depends on Root, OpenSSL and the cURL HTTP transport library being present on the system.
The following example shows how to open the file named hsimple.root in the top-level directory on the remote server:
The first two gSystem.Load statements load the Clarens client extensions into memory, making them available for the script or program to use.
The UserRSA class above holds the user's authentication credentials and can be reused multiple times for connecting to different servers.
The Clarens class represents a connection to one server. A connection may be established explicitly using the open method.
Finally, the TCWebfile class represents a remote file. The object f can be used the same as any read-only TFile, including browsing its contents using the built-in object browser, as is demonstrated above.
Note that multiple files can be opened on the server using the same Clarens object, which will remain instantiated until all references to it have been removed, after which it can be deleted. Deleting the Clarens object will also log the user out of the server using the system.logout remote method.
$HOME/.globus/usercert.pem and $HOME/.globus/userkey.pem.
To use a different set of files, add the certificate and key filenames as
arguments to the UserRSA object constructor:
This example uses the same file for both the private key and the certificate. This happens to be the way that the grid-proxy-init command stores its temporary certificate and an unencrypted private key for the user with ID 510.
In this example the TCWebfile object is set to use a cache of 10 pages, with a page size of 512 kB each. The cache is not persistent, so data downloaded by the client is lost when the TCWebfile is destroyed.
Multiple files can be opened using the same connection to the remote server.
Opening files from multiple sites could be useful for doing simultaneous analysis on these files. The certificate and private key are read only once. If the private key is encrypted, the password is only needed once.
The TCSystemDirectory class can be used to browse a remote filesystem through Clarens.
The constructor takes 5 arguments, the last of which is optional. Here is an example:
This should make a connection to the server running on the localhost at the URL specified in the fourth argument. The UserRSA object is used once again to hold authentication information.
The first and second arguments correspond to the Name and Title arguments of a Root TNamed object, and are used to construct a tree in the TBrowser. The third argument is the full path of the directory being browsed on the Clarens server, as seen from the client side. In this case we browse the root directory.
A TBrowser object is instantiated, and the Browse method of the TCSystemDirectory is called. If the remote server was contacted successfully, a folder named localhost should show up in the left panel of the browser window.