Registry keys for winglobus

Robert Olson olson at mcs.anl.gov
Thu Feb 6 17:28:46 CST 2003


At 05:17 PM 2/6/2003 -0600, Ti Leggett wrote:
>I was wondering if the registry keys that are in the .iss file are
>specifically needed. As they are they don't allow for one person to
>install the package and another person then login and make use of some
>things. Example:
>
>HKCU\Software\Globus\GSI\x509_user_cert is currently set to
>{userappdata}\.globus\usercert.pem
>
>Because you're setting it only in HKCurrentUser only the installing user
>will get that setting. All subsequent users won't. I propose this:
>
>HKLM\SOFTWARE\Globus\GSI\x509_user_cert set to %USERPROFILE%\Application
>Data\.globus

The question is if the Globus code will handle this properly (if it will 
expand %USERPROFILE% at runtime).


>(HKLM == HKLocalMachine)
>
>That way this setting affects all users and should reference the right
>spot.
>
>What I was curious about is whether any of globus or Bob's tools point to the
>previous key or not.


Globus includes the following:

#ifdef WIN32
#define GSI_REGISTRY_DIR "software\\Globus\\GSI"
#define X509_DEFAULT_CERT_DIR     ".globus\\certificates"
#define X509_DEFAULT_USER_CERT    ".globus\\usercert.pem"
#define X509_DEFAULT_USER_KEY     ".globus\\userkey.pem"
#define X509_DEFAULT_PKCS12_FILE  ".globus\\usercred.p12"
#define X509_INSTALLED_CERT_DIR "share\\certificates"
#define X509_INSTALLED_HOST_CERT_DIR "NEEDS_TO_BE_DETERMINED"
#define X509_DEFAULT_HOST_CERT  "NEEDS_TO_BE_DETERMINED"
#define X509_DEFAULT_HOST_KEY   "NEEDS_TO_BE_DETERMINED"

and the following commentary on proxy-finding:
Function: proxy_get_filenames()

Description:
     Gets the filenames for the various files used
     to store the cert, key, cert_dir and proxy.


     Environment variables to use:
         X509_CERT_DIR   Directory of trusted certificates
                         File names are hash values, see the SSLeay
                         c_hash script.
         X509_CERT_FILE  File of trusted certificates
         X509_USER_PROXY File with a proxy certificate, key, and
                         additional certificates to make up a chain
                         of certificates used to sign the proxy.
         X509_USER_CERT  User long term certificate.
         X509_USER_KEY   private key for the long term certificate.

     All of these are assumed to be in PEM form. If there is a
     X509_USER_PROXY, it will be searched first for the cert and key.
     If not defined, but a file /tmp/x509up_u<uid> is
     present, it will be used, otherwise the X509_USER_CERT
     and X509_USER_KEY will be used to find the certificate
     and key. If X509_USER_KEY is not defined, it will be assumed
     that the key is in the same file as the certificate.

     If windows, look in the registry HKEY_CURRENT_USER for the
     GSI_REGISTRY_DIR, then look for the x509_user_cert, etc.

     Then try $HOME/.globus/usercert.pem
     and $HOME/.globus/userkey.pem
         Unless it is being run as root, then look for
         /etc/grid-security/hostcert.pem and /etc/grid-security/hostkey.pem

     X509_CERT_DIR and X509_CERT_FILE can point to a world readable
     shared directory and file. One of these must be present.
     If not, use $HOME/.globus/certificates
         or /etc/grid-security/certificates
         or $GLOBUS_LOCATION/share/certificates

     The file with the key must be owned by the user,
     and readable only by the user. This could be the X509_USER_PROXY,
     X509_USER_CERT or the X509_USER_KEY

     X509_USER_PROXY_FILE is used to generate the default
     proxy file name.

     In other words:

     proxy_get_filenames() is used by grid-proxy-init, wgpi, grid-proxy-info and
     indirectly by gss_acquire_creds. For grid-proxy-init and wgpi, the proxy_in
     is 0, for acquire_creds it's 1. This is used to signal how the proxy file is
     to be used, 1 for input 0 for output.

     The logic for output is to use the provided input parameter, registry,
     environment, or default name for the proxy. Wgpi calls this multiple times
     as the options window is updated. The file will be created if needed.

     The logic for input is to use the provided input parameter, registry,
     environment variable. But only use the default file if it exists, is owned
     by the user, and has something in it. But not when run as root.

     Then on input if there is a proxy, the user_cert and user_key are set to
     use the proxy.
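The precedence rules in the commentary above (parameter, then registry, then environment, then default; input mode accepting the default proxy only when it exists, is owned by the user, is non-empty and the caller is not root; the key file owned by and readable only by the user) written out as a small Python model. This is an added example, not Globus code: the registry is modelled as a plain dict and the proxy directory is a parameter so the rules can be exercised on any POSIX host; the `as_root` override is likewise an assumption so both branches can be shown from one process.

```python
import os
import tempfile

def resolve_proxy(proxy_in, param=None, registry=None, env=None, uid=None, tmp="/tmp", as_root=None):
    """Proxy file name: parameter, registry x509_user_proxy, X509_USER_PROXY, then
    <tmp>/x509up_u<uid>.  Output mode (proxy_in=0) always returns a name; input
    mode (proxy_in=1) uses the default only if it exists, is owned by the caller and
    is non-empty, never as root.  `registry`: a dict standing in for HKCU (assumed)."""
    registry, uid = registry or {}, os.getuid() if uid is None else uid
    env = os.environ if env is None else env
    as_root = (uid == 0) if as_root is None else as_root
    for candidate in (param, registry.get("x509_user_proxy"), env.get("X509_USER_PROXY")):
        if candidate:
            return candidate
    default = os.path.join(tmp, f"x509up_u{uid}")
    if not proxy_in:
        return default                      # output: the file will be created later
    if as_root:
        return None                         # input: never fall back to the default as root
    try:
        st = os.stat(default)
    except FileNotFoundError:
        return None
    return default if st.st_uid == uid and st.st_size > 0 else None

def key_file_is_private(path, uid=None):
    """Owned by the user and readable only by the user (no group/other bits)."""
    st, uid = os.stat(path), os.getuid() if uid is None else uid
    return st.st_uid == uid and (st.st_mode & 0o077) == 0

def demo():
    """Exercise the rules in a scratch directory (POSIX); returns named pass/fail flags."""
    uid, env, r = os.getuid(), {}, {}
    with tempfile.TemporaryDirectory() as tmp:
        default = os.path.join(tmp, f"x509up_u{uid}")
        r["registry_over_env"] = resolve_proxy(1, registry={"x509_user_proxy": "/p/reg"},
                                               env={"X509_USER_PROXY": "/p/env"}, uid=uid) == "/p/reg"
        r["output_names_default"] = resolve_proxy(0, env=env, uid=uid, tmp=tmp) == default
        r["input_rejects_missing"] = resolve_proxy(1, env=env, uid=uid, tmp=tmp, as_root=False) is None
        open(default, "w").close()                       # present but empty
        r["input_rejects_empty"] = resolve_proxy(1, env=env, uid=uid, tmp=tmp, as_root=False) is None
        with open(default, "w") as f: f.write("constructed placeholder proxy content\n")
        os.chmod(default, 0o600)
        r["input_accepts_default"] = resolve_proxy(1, env=env, uid=uid, tmp=tmp, as_root=False) == default
        r["key_private_ok"] = key_file_is_private(default, uid)
        os.chmod(default, 0o644)                         # group/world readable
        r["key_private_rejects_loose"] = not key_file_is_private(default, uid)
        r["root_never_default"] = resolve_proxy(1, env=env, uid=uid, tmp=tmp, as_root=True) is None
    return r
```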
