Registry keys for winglobus
olson at mcs.anl.gov
Thu Feb 6 17:28:46 CST 2003
At 05:17 PM 2/6/2003 -0600, Ti Leggett wrote:
>I was wondering if the registry keys that are in the .iss file are
>specifically needed. As they are they don't allow for one person to
>install the package and another person then login and make use of some
>HKCU\Software\Globus\GSI\x509_user_cert is currently set to
>Because you're setting it only in HKCurrentUser only the installing user
>will get that setting. All subsequent users won't. I propose this:
>HKLM\SOFTWARE\Globus\GSI\x509_user_cert set to %USERPROFILE%\Application
The question is if the Globus code will handle this properly (if it will
expand %USERPROFILE% at runtime).
>(HKLM == HKLocalMachine)
>That way this setting affects all users and should reference that right
>What I was curious is if any of globus or Bob's tools point to the
>previous key or not.
Globus includes the following:
#define GSI_REGISTRY_DIR "software\\Globus\\GSI"
#define X509_DEFAULT_CERT_DIR ".globus\\certificates"
#define X509_DEFAULT_USER_CERT ".globus\\usercert.pem"
#define X509_DEFAULT_USER_KEY ".globus\\userkey.pem"
#define X509_DEFAULT_PKCS12_FILE ".globus\\usercred.p12"
#define X509_INSTALLED_CERT_DIR "share\\certificates"
#define X509_INSTALLED_HOST_CERT_DIR "NEEDS_TO_BE_DETERMINED"
#define X509_DEFAULT_HOST_CERT "NEEDS_TO_BE_DETERMINED"
#define X509_DEFAULT_HOST_KEY "NEEDS_TO_BE_DETERMINED"
and the following commentary on proxy-finding:
Gets the filenames for the various files used
to store the cert, key, cert_dir and proxy.
Environment variables to use:
X509_CERT_DIR Directory of trusted certificates
File names are hash values, see the SSLeay
X509_CERT_FILE File of trusted certificates
X509_USER_PROXY File with a proxy certificate, key, and
additional certificates to make up a chain
of certificates used to sign the proxy.
X509_USER_CERT User long term certificate.
X509_USER_KEY private key for the long term certificate.
All of these are assumed to be in PEM form. If there is a
X509_USER_PROXY, it will be searched first for the cert and key.
If not defined, but a file /tmp/x509up_u<uid> is
present, it will be used, otherwise the X509_USER_CERT
and X509_USER_KEY will be used to find the certificate
and key. If X509_USER_KEY is not defined, it will be assumed
that the key is in the same file as the certificate.
If windows, look in the registry HKEY_CURRENT_USER for the
GSI_REGISTRY_DIR, then look for the x509_user_cert, etc.
Then try $HOME/.globus/usercert.pem
Unless it is being run as root, then look for
/etc/grid-security/hostcert.pem and /etc/grid-security/hostkey.pem
X509_CERT_DIR and X509_CERT_FILE can point to world readable
shared directory and file. One of these must be present.
if not use $HOME/.globus/certificates
The file with the key must be owned by the user,
and readable only by the user. This could be the X509_USER_PROXY,
X509_USER_CERT or the X509_USER_KEY
X509_USER_PROXY_FILE is used to generate the default
proxy file name.
In other words:
proxy_get_filenames() is used by grid-proxy-init, wgpi,
Indirectly by gss_acquire_creds. For grid-proxy-init and wgpi, the
is 0, for acquire_creds it's 1. This is used to signal how the proxy
to be used, 1 for input 0 for output.
The logic for output is to use the provided input parameter, registry,
environment, or default name for the proxy. Wgpi calls this multiple times
as the options window is updated. The file will be created if needed.
The logic for input is to use the provided input parameter, registry,
environment variable. But only use the default file if it exists, is owned
by the user, and has something in it. But not when run as root.
Then on input if there is a proxy, the user_cert and user_key are set to
use the proxy.
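
An added example, not part of the original message or the Globus source: a POSIX C sketch of the input-side rule quoted above, where the default proxy file is used only if it exists, is owned by the user, is readable only by the user, has something in it, and the process is not root. The function name, result codes and the no-symlink open are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical result codes for this example (not Globus identifiers). */
enum proxy_check { PROXY_OK, PROXY_ROOT, PROXY_MISSING, PROXY_NOT_REGULAR,
                   PROXY_WRONG_OWNER, PROXY_TOO_OPEN, PROXY_EMPTY };

/* May the default proxy file be used for input? uid is the expected owner;
 * as_root is a parameter so the rule can be exercised without being root. */
enum proxy_check check_default_proxy(const char *path, uid_t uid, int as_root)
{
    struct stat st;
    enum proxy_check rc = PROXY_OK;
    int fd;

    if (as_root)
        return PROXY_ROOT;            /* "But not when run as root." */
    /* Assumption beyond the commentary: open once without following a
     * symlink and fstat() the descriptor, so the file that was checked
     * is the file that would be read. */
    fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return PROXY_MISSING;         /* absent, unreadable, or a symlink */
    if (fstat(fd, &st) != 0)
        rc = PROXY_MISSING;
    else if (!S_ISREG(st.st_mode))
        rc = PROXY_NOT_REGULAR;
    else if (st.st_uid != uid)
        rc = PROXY_WRONG_OWNER;       /* "owned by the user" */
    else if (st.st_mode & (S_IRWXG | S_IRWXO))
        rc = PROXY_TOO_OPEN;          /* "readable only by the user" */
    else if (st.st_size == 0)
        rc = PROXY_EMPTY;             /* "has something in it" */
    close(fd);
    return rc;
}

int main(int argc, char **argv)
{
    char def[64];
    snprintf(def, sizeof def, "/tmp/x509up_u%lu", (unsigned long)getuid());
    const char *path = argc > 1 ? argv[1] : def;
    printf("%s -> %d\n", path, check_default_proxy(path, getuid(), getuid() == 0));
    return 0;
}
```

Run with no argument it checks /tmp/x509up_u<uid> for the calling user and prints the numeric result code; 0 means the file passes every check.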