lcmaps_verify_proxy.mod - LCMAPS plugin to verify a certificate chain including
] [--max-voms-ttl <timeperiod>
This plug-in tests whether the presented proxy certificate chain is authentic. This is
done with OpenSSL methods: the certificate chain is verified and the
End-Entity Certificate is checked for revocation against CRLs or OCSP(*). In the
LCMAPS policy file (see its section 5 manual page) it is advised to run this plug-in as the first
plug-in and to fail the policy if there is no other way of verifying the input.
Additionally, this plug-in can impose other policies, like proxy and VOMS life-time
restrictions or require that the certificate chain is offered in a certain
way, e.g. by offering a Limited proxy or (optionally) without a private key.
The plug-in takes its input from the LCMAPS framework. The certificate chain is
coming from the registered (derived) STACK_OF(X509) * and the private key
(when available) is taken from the registered PEM string credentials.
The certificate chain is checked and verified by OpenSSL; in addition to
those checks, this plug-in also performs semantic checks on the certificate
chain based on how GT2, GT3 and RFC 3820 proxy certificates are to be
constructed and used.
- When enabled, allow the certificate chain to contain a
limited proxy certificate. GT2, GT3 and RFC Limited proxies are treated as equal.
- -certdir | -cadir | -capath | --capath
- This option sets the directory used to find the CA
certificates, CRLs and other files used in the verification of the
presented certificate chain. This option is ignored when
--only-enforce-lifetime-checks is set. When unset, the value of
$X509_CERT_DIR is used; when that is also unset,
/etc/grid-security/certificates is used.
- When enabled, all uses of limited proxies are prohibited
and treated as a failure condition. GT2, GT3 and RFC Limited proxies are
treated as equal.
- When enabled, the plug-in verification process does not fail
on the absence of the private key. Presenting the private key is part
of the proof of possession of the certificate chain and its delegations,
and therefore a fundamental part of the user credentials. Discarding the
private key check is useful where another process has already
established trust in the user credentials by performing the private key
proof of possession steps. Example: this feature can be enabled in
deployments where gLExec is part of the CREAM CE; the CREAM CE's SSL
handshake ensures that only fully verified credentials are passed
down. Counter example: this feature is not enabled in a gLExec-on-the-WN
deployment, as gLExec itself must ensure that the pilot-job payload
credentials are fully verified before account mapping occurs.
- --max-proxy-level-ttl=<level> |
- Set a maximum to the allowed validity period of the proxy
certificate at a specific delegation <level>. The first
delegation after the EEC certificate is <level> 0. This
is the delegation level typically stored in a MyProxy server, so a typical setting is
14d-00:00 to allow a MyProxy certificate with a validity period
of two weeks.
A special <level> is indicated by an l or L. This
is the leaf proxy, also known as the final delegation. A safe setting
for this is 1d-00:00, allowing a proxy certificate validity
period of 1 day (24 hours). When the chain holds a single proxy, that proxy is
both level 0 and the leaf, and both limits apply to it.
Set the <timeperiod> in the following format:
[0-99]d-[0-23]:[00-59]. For example 2d-13:37.
- --max-voms-ttl <timeperiod>
- Set a maximum to the allowed validity period of the VOMS
credentials (when present). Using VOMS credentials with a validity period
longer than the set <timeperiod> results in a failure.
- This setting overrides the option
--discard_private_key_absence and the environment
variable $VERIFY_PROXY_DISCARD_PRIVATE_KEY_ABSENCE, which performs the same
function.
- --only-enforce-lifetime-checks
- When enabled, this option bypasses all verification steps
and only performs the lifetime checks configured by
--max-proxy-level-ttl and/or --max-voms-ttl. It is
intended for use in a Globus Gatekeeper, GridFTPd and/or GSI-OpenSSHd, where
the GSI handshake has already verified the certificate chain.
- Explicitly require the certificate chain to have a
limited proxy as its final delegation. The plug-in fails if the
certificate chain does not end in a limited proxy.
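The lifetime rules behind --max-proxy-level-ttl and --max-voms-ttl (delegation levels counted from the EEC, the leaf proxy as the special level l/L, the [0-99]d-[0-23]:[00-59] time period) as a worked example. This is an added illustration and not the plug-in's own code, which is written in C against OpenSSL: the chain is modelled as plain dicts rather than a STACK_OF(X509), assumed to be ordered leaf first, the certificate subjects and validity periods are constructed here, and the POLICY table assumes that --max-proxy-level-ttl pairs each <level> with a <timeperiod>.

```python
"""Proxy and VOMS lifetime checks in the spirit of lcmaps_verify_proxy.mod.

Added illustration only (not the plug-in's code). Certificates are dicts with
subject, kind ('proxy', 'eec' or 'ca'), not_before and not_after; validity is
not_after - not_before, as the certificate itself encodes it.
"""
import re
from datetime import datetime, timedelta, timezone

# <timeperiod> format from the manual page: [0-99]d-[0-23]:[00-59], e.g. 2d-13:37
_TIMEPERIOD = re.compile(r"^(\d{1,2})d-(\d{1,2}):(\d{2})$")


def parse_timeperiod(text):
    """Turn '2d-13:37' into a timedelta; reject anything outside the ranges."""
    m = _TIMEPERIOD.match(text)
    if m is None:
        raise ValueError("bad timeperiod %r, expected [0-99]d-[0-23]:[00-59]" % text)
    days, hours, minutes = (int(x) for x in m.groups())
    if hours > 23 or minutes > 59:
        raise ValueError("bad timeperiod %r: hours 0-23, minutes 00-59" % text)
    return timedelta(days=days, hours=hours, minutes=minutes)


def parse_level(text):
    """Delegation <level>: a non-negative integer, or 'l'/'L' for the leaf proxy."""
    if text in ("l", "L"):
        return "leaf"
    level = int(text)
    if level < 0:
        raise ValueError("delegation level must be >= 0")
    return level


def delegation_levels(chain):
    """Number the proxies of a leaf-first chain: the EEC's child is level 0,
    its child level 1, and so on. Returns [(level, cert), ...], level 0 first."""
    proxies = []
    for cert in chain:
        if cert["kind"] != "proxy":
            break  # reached the EEC; the rest of the chain is CA material
        proxies.append(cert)
    proxies.reverse()
    return list(enumerate(proxies))


def check_proxy_level_ttls(chain, limits):
    """limits maps a <level> string ('0', '1', 'L', ...) to a <timeperiod> string.
    Returns a list of violation messages; an empty list means the policy passed."""
    max_ttl = {parse_level(k): parse_timeperiod(v) for k, v in limits.items()}
    numbered = delegation_levels(chain)
    violations = []
    for level, cert in numbered:
        validity = cert["not_after"] - cert["not_before"]
        applicable = []
        if level in max_ttl:
            applicable.append((str(level), max_ttl[level]))
        # The outermost proxy is the leaf; with a single proxy it is also level 0,
        # so both limits are enforced on it.
        if level == len(numbered) - 1 and "leaf" in max_ttl:
            applicable.append(("L", max_ttl["leaf"]))
        for name, limit in applicable:
            if validity > limit:
                violations.append("%s (level %d) valid for %s, exceeds limit %s=%s"
                                  % (cert["subject"], level, validity, name, limit))
    return violations


def check_voms_ttl(voms_not_before, voms_not_after, limit):
    """True when the VOMS attribute certificate is valid no longer than <timeperiod>."""
    return voms_not_after - voms_not_before <= parse_timeperiod(limit)


def sample_chain(leaf_hours):
    """Constructed chain, leaf first: leaf proxy -> 14-day MyProxy-style proxy -> EEC -> CA."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    return [
        {"subject": "/DC=org/DC=example/CN=Alice/CN=proxy/CN=proxy", "kind": "proxy",
         "not_before": t0 + timedelta(days=1),
         "not_after": t0 + timedelta(days=1, hours=leaf_hours)},
        {"subject": "/DC=org/DC=example/CN=Alice/CN=proxy", "kind": "proxy",
         "not_before": t0, "not_after": t0 + timedelta(days=14)},
        {"subject": "/DC=org/DC=example/CN=Alice", "kind": "eec",
         "not_before": t0 - timedelta(days=30), "not_after": t0 + timedelta(days=365)},
        {"subject": "/DC=org/DC=example/CN=Example CA", "kind": "ca",
         "not_before": t0 - timedelta(days=3650), "not_after": t0 + timedelta(days=3650)},
    ]


def sample_voms_ac(hours):
    """Constructed VOMS attribute certificate validity window of the given length."""
    t0 = datetime(2024, 1, 2, tzinfo=timezone.utc)
    return t0, t0 + timedelta(hours=hours)


# Assumed policy: two weeks for the MyProxy level, one day for the leaf.
POLICY = {"0": "14d-00:00", "L": "1d-00:00"}

if __name__ == "__main__":
    print("12h leaf:", check_proxy_level_ttls(sample_chain(12), POLICY) or "accepted")
    print("48h leaf:", check_proxy_level_ttls(sample_chain(48), POLICY))
    print("12h VOMS AC within 1d-00:00:", check_voms_ttl(*sample_voms_ac(12), "1d-00:00"))
```

The check deliberately compares the certificate's own validity window, not the time remaining: a 14-day proxy that expires tomorrow still exceeds a 1d-00:00 leaf limit, because the policy bounds how long a stolen leaf credential could have been usable.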
(*) OCSP is not functional and will be added when either the CA/Browser Forum or the IGTF
publishes a clear profile.
Please report any errors to the Nikhef Grid Middleware Security Team
LCMAPS and the LCMAPS plug-ins were written by the Grid Middleware Security Team