Registry keys for winglobus

Ti Leggett leggett at mcs.anl.gov
Thu Feb 6 19:53:35 CST 2003


So I'm trying to find where the code is that has those lines below and
searching the WinGlobus directory turns up nothing. Can you point me at
those files?

On Thu, 6 Feb 2003, Robert Olson wrote:

> At 05:17 PM 2/6/2003 -0600, Ti Leggett wrote:
> >I was wondering if the registry keys that are in the .iss file are
> >specifically needed. As they are they don't allow for one person to
> >install the package and another person then log in and make use of some
> >things. Example:
> >
> >HKCU\Software\Globus\GSI\x509_user_cert is currently set to
> >{userappdata}\.globus\usercert.pem
> >
> >Because you're setting it only in HKCurrentUser only the installing user
> >will get that setting. All subsequent users won't. I propose this:
> >
> >HKLM\SOFTWARE\Globus\GSI\x509_user_cert set to %USERPROFILE%\Application
> >Data\.globus
> 
> The question is if the Globus code will handle this properly (if it will 
> expand %USERPROFILE% at runtime).
> 
> 
> >(HKLM == HKLocalMachine)
> >
> >That way this setting affects all users and should reference the right
> >spot.
> >
> >What I was curious about is if any of globus or Bob's tools point to the
> >previous key or not.
> 
> 
> Globus includes the following:
> 
> #ifdef WIN32
> #define GSI_REGISTRY_DIR "software\\Globus\\GSI"
> #define X509_DEFAULT_CERT_DIR     ".globus\\certificates"
> #define X509_DEFAULT_USER_CERT    ".globus\\usercert.pem"
> #define X509_DEFAULT_USER_KEY     ".globus\\userkey.pem"
> #define X509_DEFAULT_PKCS12_FILE  ".globus\\usercred.p12"
> #define X509_INSTALLED_CERT_DIR "share\\certificates"
> #define X509_INSTALLED_HOST_CERT_DIR "NEEDS_TO_BE_DETERMINED"
> #define X509_DEFAULT_HOST_CERT  "NEEDS_TO_BE_DETERMINED"
> #define X509_DEFAULT_HOST_KEY   "NEEDS_TO_BE_DETERMINED"
> 
> and the following commentary on proxy-finding:
> 
> 
> 
> Function: proxy_get_filenames()
> 
> Description:
>      Gets the filenames for the various files used
>      to store the cert, key, cert_dir and proxy.
> 
> 
>      Environment variables to use:
>          X509_CERT_DIR   Directory of trusted certificates
>                          File names are hash values, see the SSLeay
>                          c_hash script.
>          X509_CERT_FILE  File of trusted certificates
>          X509_USER_PROXY File with a proxy certificate, key, and
>                          additional certificates to make up a chain
>                          of certificates used to sign the proxy.
>          X509_USER_CERT  User long term certificate.
>          X509_USER_KEY   private key for the long term certificate.
> 
>      All of these are assumed to be in PEM form. If there is a
>      X509_USER_PROXY, it will be searched first for the cert and key.
>      If not defined, but a file /tmp/x509up_u<uid> is
>      present, it will be used, otherwise the X509_USER_CERT
>      and X509_USER_KEY will be used to find the certificate
>      and key. If X509_USER_KEY is not defined, it will be assumed
>      that the key is in the same file as the certificate.
> 
>      If windows, look in the registry HKEY_CURRENT_USER for the
>      GSI_REGISTRY_DIR, then look for the x509_user_cert, etc.
> 
>      Then try $HOME/.globus/usercert.pem
>      and $HOME/.globus/userkey.pem
>          Unless it is being run as root, then look for
>          /etc/grid-security/hostcert.pem and /etc/grid-security/hostkey.pem
> 
>      X509_CERT_DIR and X509_CERT_FILE can point to world readable
>      shared directory and file. One of these must be present.
>      if not use $HOME/.globus/certificates
>          or /etc/grid-security/certificates
>          or $GLOBUS_LOCATION/share/certificates
> 
>      The file with the key must be owned by the user,
>      and readable only by the user. This could be the X509_USER_PROXY,
>      X509_USER_CERT or the X509_USER_KEY
> 
>      X509_USER_PROXY_FILE is used to generate the default
>      proxy file name.
> 
>      In other words:
> 
>      proxy_get_filenames() is used by grid-proxy-init, wgpi, grid-proxy-info and
>      indirectly by gss_acquire_creds. For grid-proxy-init and wgpi, the proxy_in
>      is 0, for acquire_creds it's 1. This is used to signal how the proxy file is
>      to be used, 1 for input 0 for output.
> 
>      The logic for output is to use the provided input parameter, registry,
>      environment, or default name for the proxy. Wgpi calls this multiple times
>      as the options window is updated. The file will be created if needed.
> 
>      The logic for input is to use the provided input parameter, registry,
>      environment variable. But only use the default file if it exists, is owned
>      by the user, and has something in it. But not when run as root.
> 
>      Then on input if there is a proxy, the user_cert and user_key are set to
>      use the proxy.
> 
> 
> 
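
The input-side rules from the quoted commentary (parameter, then environment, then the default proxy only if it exists, is owned by the user, is non-empty, and the caller is not root), as an added example that is not part of the original message or the Globus source. The function names and the `tmpdir` parameter are assumptions made for illustration, and the Windows registry step is left out so the block runs on POSIX.

```c
/* Added illustration, not Globus source. proxy_file_usable() and
 * pick_input_proxy() are hypothetical names; registry step omitted. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if path is a regular, non-empty file owned by uid with no
 * group/other permission bits; 0 otherwise. */
int proxy_file_usable(const char *path, uid_t uid)
{
    struct stat st;
    if (lstat(path, &st) != 0) return 0;            /* missing */
    if (!S_ISREG(st.st_mode)) return 0;             /* symlink, dir, ... */
    if (st.st_uid != uid) return 0;                 /* owned by the user */
    if (st.st_mode & (S_IRWXG | S_IRWXO)) return 0; /* user-only access */
    return st.st_size > 0;                          /* has something in it */
}

/* Input-side order: explicit parameter, then the X509_USER_PROXY value,
 * then <tmpdir>/x509up_u<uid>. The default is used only when it passes
 * proxy_file_usable() and uid is not root. Returns out, or NULL. */
const char *pick_input_proxy(const char *param, const char *env_proxy,
                             const char *tmpdir, uid_t uid,
                             char *out, size_t outlen)
{
    const char *named = param ? param : env_proxy;
    int n;
    if (named) {
        n = snprintf(out, outlen, "%s", named);
        return (n > 0 && (size_t)n < outlen) ? out : NULL;
    }
    if (uid == 0) return NULL;                      /* no default as root */
    n = snprintf(out, outlen, "%s/x509up_u%lu", tmpdir, (unsigned long)uid);
    if (n <= 0 || (size_t)n >= outlen) return NULL;
    return proxy_file_usable(out, uid) ? out : NULL;
}

int main(void)
{
    char buf[4096];
    const char *p = pick_input_proxy(NULL, getenv("X509_USER_PROXY"),
                                     "/tmp", geteuid(), buf, sizeof buf);
    printf("%s\n", p && proxy_file_usable(p, geteuid()) ? p : "(none)");
    return 0;
}
```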



