ProxyProvider

This resource type provides an interface for obtaining proxy certificates from a user identifier. Two proxy providers are described here: DIRACCA and PUSP. If all users upload their proxies to the ProxyManager manually, you do not need to deploy these resources. The /Registry/Users section describes how to specify a proxy provider for a user's DN.

DIRACCA proxy provider

ProxyProvider implementation that generates proxies using the credentials of a local Certification Authority (CA). The DIRACCA proxy provider type is a simple CA whose main purpose is to generate a proxy on the fly for DIRAC users who do not have a certificate registered in the DIRAC registry. To use it, the CA certificate and key must be available locally. Here are two ways to set up this type of proxy provider in the DIRAC configuration:

/Resources/ProxyProviders section
  MY_DIRACCA
  {

    # Main option, to show which proxy provider type you want to register.
    ProviderType = DIRACCA

    # The path to the CA certificate. This option is required.
    CertFile = /opt/dirac/etc/grid-security/DIRACCA-EOSH/cert.pem

    # The path to the CA key. This option is required.
    KeyFile = /opt/dirac/etc/grid-security/DIRACCA-EOSH/key.pem

    # The distinguished name fields that must contain exactly the same contents as the
    # corresponding field in the CA's DN. If this parameter is not specified, the default is an empty list.
    Match = O, OU

    # The distinguished name fields that must be present. If this parameter is not specified, the
    # default is "CN".
    Supplied = C, CN

    # The distinguished name fields that are allowed but not required. If this parameter is not
    # specified, the default is "C, O, OU, emailAddress".
    Optional = emailAddress

    # Order of the distinguished name fields in a created user certificate. If this parameter is not
    # specified, the default is "C, O, OU, CN, emailAddress".
    DNOrder = C, O, OU, emailAddress, CN

    # Default values for individual distinguished name fields.
    C = FR
    O = DIRAC
    OU = DIRAC TEST

    # The path to the openssl configuration file. This is optional and its use is not recommended.
    # If you do choose to use this option, keep the configuration relatively simple.
    # All required parameters are then taken from that configuration file, except "DNOrder".
    CAConfigFile = /opt/dirac/pro/etc/openssl_config_ca.cnf
  }

The proxy provider supports the following distinguished name fields (more details here):

  • SN (surname)

  • GN (givenName)

  • C (countryName)

  • CN (commonName)

  • L (localityName)

  • Email (emailAddress)

  • O (organizationName)

  • OU (organizationUnitName)

  • SP, ST (stateOrProvinceName)

  • SERIALNUMBER (serialNumber)
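As an added example (not DIRAC's own implementation, whose internals may differ), the following Python applies the Match, Supplied, Optional and DNOrder options and the per-field defaults of the MY_DIRACCA block above to the fields a user asks for, and produces the ordered subject the CA would sign. The CA DN and user values are constructed, the function names are hypothetical, and two rules the page does not spell out are assumptions marked in the code: a Match field is copied from the CA's DN (a conflicting requested value is an error), and any requested field outside Match, Supplied and Optional is refused rather than silently dropped.

```python
"""Added example, not DIRAC's own code: applies the DIRACCA options above
(Match, Supplied, Optional, DNOrder, per-field defaults) to the fields a user
asks for and yields the ordered subject the CA would sign. Semantics the page
does not spell out are marked as assumptions."""

# Short names from the supported-field list, with their long attribute names.
# "Email"/"emailAddress" and "SP"/"ST" are accepted as aliases.
SUPPORTED_FIELDS = {
    "SN": "surname", "GN": "givenName", "C": "countryName",
    "CN": "commonName", "L": "localityName", "Email": "emailAddress",
    "emailAddress": "emailAddress", "O": "organizationName",
    "OU": "organizationUnitName", "SP": "stateOrProvinceName",
    "ST": "stateOrProvinceName", "SERIALNUMBER": "serialNumber",
}

# Defaults the page gives for unset options.
DEFAULT_SUPPLIED = ("CN",)
DEFAULT_OPTIONAL = ("C", "O", "OU", "emailAddress")
DEFAULT_DNORDER = ("C", "O", "OU", "CN", "emailAddress")


def parse_list(value, default):
    """Split a comma-separated option value ("O, OU") or fall back to default."""
    if value is None:
        return list(default)
    return [item.strip() for item in value.split(",") if item.strip()]


def build_subject(section, ca_dn, requested):
    """Return [(field, value), ...] in DNOrder, or raise ValueError.
    section: options of one /Resources/ProxyProviders/<name> block;
    ca_dn: subject fields of the CA certificate; requested: fields the user asks for."""
    match = parse_list(section.get("Match"), ())
    supplied = parse_list(section.get("Supplied"), DEFAULT_SUPPLIED)
    optional = parse_list(section.get("Optional"), DEFAULT_OPTIONAL)
    order = parse_list(section.get("DNOrder"), DEFAULT_DNORDER)
    allowed = set(match) | set(supplied) | set(optional)

    unsupported = [n for n in list(allowed) + list(requested) if n not in SUPPORTED_FIELDS]
    if unsupported:
        raise ValueError(f"unsupported DN field(s): {sorted(unsupported)}")
    # Assumption: fields outside Match/Supplied/Optional are refused, not dropped,
    # so a requester cannot add attributes the provider was not configured for.
    extra = sorted(set(requested) - allowed)
    if extra:
        raise ValueError(f"fields not allowed by this provider: {extra}")

    fields = {}
    for name in allowed:
        if name in match:
            # Assumption: a Match field is copied from the CA's DN, and a
            # conflicting requested value is an error rather than an override.
            if name not in ca_dn:
                raise ValueError(f"CA DN has no {name} field to match")
            if name in requested and requested[name] != ca_dn[name]:
                raise ValueError(f"{name} must equal the CA's value {ca_dn[name]!r}")
            fields[name] = ca_dn[name]
        elif name in requested:
            fields[name] = requested[name]
        elif name in section:  # per-field default such as "C = FR"
            fields[name] = section[name]

    missing = [name for name in supplied if name not in fields]
    if missing:
        raise ValueError(f"required DN fields missing: {missing}")
    unordered = sorted(set(fields) - set(order))
    if unordered:
        raise ValueError(f"fields absent from DNOrder: {unordered}")
    return [(name, fields[name]) for name in order if name in fields]


def subject_to_string(subject):
    """Render the subject in the slash-separated form /C=FR/O=.../CN=..."""
    return "".join(f"/{name}={value}" for name, value in subject)


# Constructed sample mirroring the MY_DIRACCA block; the CA DN is invented here.
SAMPLE_SECTION = {
    "ProviderType": "DIRACCA", "Match": "O, OU", "Supplied": "C, CN",
    "Optional": "emailAddress", "DNOrder": "C, O, OU, emailAddress, CN",
    "C": "FR", "O": "DIRAC", "OU": "DIRAC TEST",
}
SAMPLE_CA_DN = {"C": "FR", "O": "DIRAC", "OU": "DIRAC TEST", "CN": "DIRAC CA"}
SAMPLE_REJECTED = {  # constructed requests the configured rules should refuse
    "missing CN": {"emailAddress": "user01@example.invalid"},
    "OU differs from CA": {"CN": "user01", "OU": "Other"},
    "L not allowed": {"CN": "user01", "L": "Paris"},
}


def demo():
    """Issue one subject and collect the refusal reason for each bad request."""
    ok = build_subject(SAMPLE_SECTION, SAMPLE_CA_DN,
                       {"CN": "user01", "emailAddress": "user01@example.invalid"})
    reasons = {}
    for label, req in SAMPLE_REJECTED.items():
        try:
            build_subject(SAMPLE_SECTION, SAMPLE_CA_DN, req)
            reasons[label] = None
        except ValueError as err:
            reasons[label] = str(err)
    return subject_to_string(ok), reasons
```

Calling `demo()` returns the accepted subject `/C=FR/O=DIRAC/OU=DIRAC TEST/emailAddress=user01@example.invalid/CN=user01` together with one refusal reason per bad request; with an empty section the page's defaults apply, so only CN is required and the usual C, O, OU and emailAddress fields are permitted.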

PUSP proxy provider

ProxyProvider implementation for Per-User Sub-Proxy (PUSP) generation using a PUSP proxy server. More details about PUSP here. The required parameters in the DIRAC configuration are:

/Resources/ProxyProviders section
  MY_PUSP
  {

    # Main option, to show which proxy provider type you want to register.
    ProviderType = PUSP

    # PUSP service URL
    ServiceURL = https://mypuspserver.com/
  }

Usage

The ProxyProvider is typically used by the ProxyManager to provide a proxy for a DIRAC user/group when the proxy in the proxyDB has expired or is absent.