Thursday 10 February 2011

Proxy certificates and delegation with netCDF Beta release

I've written previously about the extensions to the netCDF C API to enable SSL client-based authentication. It's been great to see how something slotted in at the base of a software stack filters down to benefit all the dependents: colleagues have been testing Ferret, ncview and Python bindings built against the updated libraries and using them to query ESG-secured OPeNDAP services. This links with another thread: the MashMyData project extends this SSL client-based authentication mechanism from EECs (End Entity Certificates), the current currency for short-lived credentials in ESGF (Earth System Grid Federation), to RFC 3820 proxy certificates. This is necessitated by the need for delegation in a chain of operations in our use case: a chain linking a portal to an OGC Web Processing Service which itself calls an OPeNDAP service. So, on to trying out the netCDF C client with a proxy certificate:
  • Get ESG-enabled netCDF - now in 4.1.2 beta2
  • Build a simple client against this version of the library
  • Get an EEC and delegate (the Globus Toolkit is needed for this example)
So, expanding the last step:

1) Get short lived EEC from home MyProxy server:

$ myproxy-logon -s <my idp's myproxy host address> -o user.pem -b

2) Delegate to obtain proxy certificate:

$ grid-proxy-init -cert user.pem -key user.pem -out ./credentials.pem -rfc

3) Update netCDF configuration to pick up credentials:

CURL.VERBOSE=1
CURL.COOKIEJAR=.dods_cookies
CURL.SSL.VALIDATE=1
CURL.SSL.CERTIFICATE=<path>/credentials.pem
CURL.SSL.KEY=<path>/credentials.pem
CURL.SSL.CAPATH=<home path>.globus/certificates

Calling the netCDF client makes the underlying curl library invocation and correctly passes the certificate chain comprising the proxy certificate and the EEC that issued it (the grid-proxy-init step). The OPeNDAP server and its associated security middleware are correctly configured to accept proxy certificates. I get my data back :).
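A sanity check for step 3, added here as example code (not part of netCDF or the Globus tools): it parses the KEY=VALUE configuration above, confirms CURL.SSL.VALIDATE is on, that CURL.SSL.CAPATH is a directory, that the bundle holds a proxy certificate, its private key and the issuing EEC (the layout grid-proxy-init -rfc is assumed to write), and that the file holding the private key is not readable by other users, which libcurl does not check for you. The PEM bundle it checks is a constructed dummy embedded in the script.

```python
import os, re, stat, tempfile

_PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)  # group 1 = PEM label

def parse_netcdf_rc(text):
    # KEY=VALUE lines, as in the netCDF client configuration shown in step 3 above.
    cfg = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg

def check_credentials(cfg):
    # Returns a list of problems; an empty list means the setup looks sane.
    problems = []
    if cfg.get("CURL.SSL.VALIDATE") != "1":
        problems.append("CURL.SSL.VALIDATE is not 1: server certificate would go unchecked")
    cert = cfg.get("CURL.SSL.CERTIFICATE", "")
    if not os.path.isfile(cert):
        return problems + ["CURL.SSL.CERTIFICATE is not a readable file: %r" % cert]
    # The proxy's private key sits in this same bundle, so it must be private to the owner.
    if os.stat(cert).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("credential bundle is group/world accessible; expected mode 0600")
    with open(cert) as fh:
        labels = [m.group(1) for m in _PEM_BLOCK.finditer(fh.read())]
    n_certs = labels.count("CERTIFICATE")
    n_keys = sum(1 for lbl in labels if lbl.endswith("PRIVATE KEY"))
    if n_certs < 2:
        problems.append("expected proxy certificate plus issuing EEC, found %d" % n_certs)
    if n_keys != 1:
        problems.append("expected exactly one private key in the bundle, found %d" % n_keys)
    if not os.path.isdir(cfg.get("CURL.SSL.CAPATH", "")):
        problems.append("CURL.SSL.CAPATH does not point at a directory of trust anchors")
    return problems

# Constructed stand-in for grid-proxy-init -rfc output: proxy cert, its key, then the EEC.
# The base64 bodies are dummies; only the PEM labels matter for this structural check.
SAMPLE_BUNDLE = "".join(
    "-----BEGIN %s-----\nAAAA\n-----END %s-----\n" % (lbl, lbl)
    for lbl in ("CERTIFICATE", "RSA PRIVATE KEY", "CERTIFICATE"))

def demo(mode=0o600, validate="1"):
    tmp = tempfile.mkdtemp()
    bundle = os.path.join(tmp, "credentials.pem")
    open(bundle, "w").write(SAMPLE_BUNDLE)
    os.chmod(bundle, mode)
    os.mkdir(os.path.join(tmp, "certificates"))
    cfg = parse_netcdf_rc("CURL.SSL.VALIDATE=%s\nCURL.SSL.CERTIFICATE=%s\nCURL.SSL.KEY=%s\n"
                          "CURL.SSL.CAPATH=%s\n" % (validate, bundle, bundle, tmp + "/certificates"))
    return check_credentials(cfg)
```

Run `demo()` against the constructed bundle to see an empty problem list; `demo(mode=0o644)` or `demo(validate="0")` shows the two misconfigurations it flags.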