The GridShib User's Guide provides general end user-oriented information.
Building on the Globus Toolkit's Grid Security Infrastructure (GSI), the Shibboleth to Globus attribute gateway allows [...]
A typical GridShib user will use only two SHIB-specific commands, ___ and ___
A normal usage scenario would look like this to a user:
In the morning, the user runs:
% grid-proxy-init
This command generates a Globus proxy credential (by default it is valid for 12 hours).
At the end of the day, the user runs:
% grid-proxy-destroy
to destroy the Globus proxy credential. Or the user might simply let the credential expire.
Please see the SHIB Command Reference.
The following are some common problems that may cause clients or servers to report that credentials are invalid:
Your proxy credential may have expired. Use grid-proxy-info to check whether the proxy has actually expired. If it has, generate a new proxy with grid-proxy-init.
The system clock on your machine or on the remote system may be wrong. This may cause the server or client to conclude that a credential has expired (or is not yet valid) even though it is inside its validity period. Certificate times are compared in UTC, so compare the dates reported by grid-proxy-info and grid-cert-info against the output of date -u on both sides.
Your end-user certificate may have expired. Use grid-cert-info to check your certificate's expiration date. If it has expired, follow your CA's procedures to get a new one.
The permissions on your proxy file may be too lax. GSI requires the proxy file to be readable and writable by its owner only (mode 0600, which is what grid-proxy-init creates). If others can read your proxy file, Globus Toolkit clients will not use that file to authenticate. You can "fix" this problem by changing the permissions on the file, or by destroying it (with grid-proxy-destroy) and creating a new one (with grid-proxy-init). However, it is still possible that someone else made a copy of that file while the permissions were wrong. In that case they will be able to impersonate you until the proxy expires or your end-user certificate is revoked, whichever happens first, so a proxy that was ever world-readable should be destroyed rather than merely chmod'ed.
The permissions on your end-user certificate private key file may be too lax. grid-proxy-init will refuse to create a proxy certificate unless the private key file is readable by its owner only (mode 0600 or 0400). You can "fix" this by changing the permissions on the private key file; however, you will still have a much more serious problem: it is possible that someone has made a copy of your private key file. Although this file is encrypted with your passphrase, it is possible that someone will be able to decrypt the private key, at which point they will be able to impersonate you for as long as your end-user certificate is valid. You should contact your CA to have your end-user certificate revoked and get a new one.
Verify that the remote system is configured to trust the CA that issued your end-entity certificate. See the [TODO: add admin guide link] for details.
Verify that your system is configured to trust the remote CA (or that your environment is set up to trust the remote CA). See the [TODO: add admin guide link] for details.
It is sometimes difficult to distinguish between errors reported by the remote service regarding your credentials and errors reported by the client interface regarding the remote service's credentials. If you can't find anything wrong with your credentials, check for the same conditions (or ask a remote administrator to do so) on the remote system.
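The checks above, collected into a script that can be run on a machine where the Globus tools are not installed. This is an added example, not code from the GridShib guide or the Globus Toolkit; it uses openssl(1) and stat(1) in place of grid-proxy-info and grid-cert-info, and it assumes the GSI default file locations (/tmp/x509up_u<uid> or $X509_USER_PROXY for the proxy, ~/.globus/userkey.pem and ~/.globus/usercert.pem for the key and certificate) and the file modes GSI enforces (0600 for the proxy, 0600 or 0400 for the private key).

```shell
#!/bin/sh
# Added example, not part of the GridShib guide or the Globus Toolkit.
# Re-implements the credential checks that grid-proxy-info, grid-cert-info and
# grid-proxy-init perform, using only openssl(1) and stat(1), so the diagnosis
# can be run where the Globus tools are absent.
# Assumptions (GSI defaults): proxy at $X509_USER_PROXY or /tmp/x509up_u<uid>,
# key at ~/.globus/userkey.pem, certificate at ~/.globus/usercert.pem;
# GSI accepts a proxy only at mode 0600 and a key only at 0600 or 0400.

file_mode() {
    # Print the octal permission bits of a file (GNU stat first, BSD stat second).
    [ -e "$1" ] || return 2
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

check_mode() {
    # check_mode FILE MODE...  -> 0 if FILE's mode is one of the listed MODEs.
    f=$1; shift
    m=$(file_mode "$f") || { echo "$f: missing" >&2; return 2; }
    for ok in "$@"; do
        [ "$m" = "$ok" ] && return 0
    done
    echo "$f: mode $m is not accepted by GSI, expected one of: $*" >&2
    return 1
}

check_not_expiring() {
    # check_not_expiring CERT SECONDS -> 0 if CERT is still valid SECONDS from now.
    # SECONDS=0 asks "has it expired yet"; proxies from grid-proxy-init last
    # 12 hours by default, so 0 is the useful value for them.
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

show_validity() {
    # Print the certificate's validity window next to the local UTC clock.
    # A notBefore in the future, or a notAfter that has not passed locally while
    # the remote side reports expiry, points at a wrong system clock.
    openssl x509 -in "$1" -noout -dates
    echo "local clock: $(date -u '+%b %e %H:%M:%S %Y GMT')"
}

gsi_credential_check() {
    # gsi_credential_check PROXY KEY CERT -> 0 only if every check passes;
    # each failure is reported together with the remedy the guide gives for it.
    rc=0
    check_mode "$1" 600 || { echo "-> grid-proxy-destroy, then grid-proxy-init; assume the proxy was copied" >&2; rc=1; }
    check_mode "$2" 600 400 || { echo "-> chmod 600 the key and ask your CA to revoke the certificate" >&2; rc=1; }
    check_not_expiring "$1" 0 || { echo "$1: proxy expired -> grid-proxy-init" >&2; rc=1; }
    check_not_expiring "$3" 0 || { echo "$3: certificate expired -> renew through your CA" >&2; rc=1; }
    return $rc
}

# Usage against the GSI default locations:
#   gsi_credential_check "${X509_USER_PROXY:-/tmp/x509up_u$(id -u)}" \
#       ~/.globus/userkey.pem ~/.globus/usercert.pem && show_validity ~/.globus/usercert.pem
```

gsi_credential_check reports every failing condition rather than stopping at the first one, because a lax proxy mode and an expired certificate often turn up together and each needs a different remedy; run show_validity on both the local and the remote side (or ask the remote administrator to) when the dates themselves disagree, since that is the clock-skew case rather than a credential problem.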
This version of GridShib uses the OASIS Security Assertion Markup Language (SAML) standard. Users should be aware that RSA Security has identified four patents it believes could be relevant to implementing certain operational modes of the SAML specifications. The Globus Alliance has established a license agreement with RSA covering usage of SAML in the Globus Toolkit, however users who redistribute SAML-enabled portions of the Globus Toolkit or use SAML-enabled portions in their own applications should understand the issue and may want to obtain their own royalty-free license from RSA.
For information regarding the patent claims and a royalty-free reciprocal license to the RSA patents, see: http://www.rsasecurity.com/solutions/standards/saml
For sublicense rights to the RSA patents under the Globus Toolkit Public License, see: http://www-fp.globus.org/Security/CAS/GT3/rsa-sublicense.html