MyProxy OAuth Authentication
The legacy MyProxy authentication method exchanges end-user credentials for special, time-limited credentials that Globus uses to perform transfer-related activities on the user’s behalf.
The MyProxy OAuth authentication method is used in environments that do not meet the requirements for CILogon authentication. That typically means…
Not all users have SUNetIDs; or
Users on the system do not use SUNetIDs as their local username.
If either of the above is true, then CILogon will not work, and MyProxy OAuth should be used.
Moderate Risk? Use CILogon
If you have Moderate Risk data, then two-step is required. That means you must use the CILogon authentication method (it is the only one which supports two-step at this time).
Here is how MyProxy OAuth authentication works:
The end user chooses to use your Globus Connect Server endpoint.
Globus redirects the user to an OAuth service running on your endpoint, where they enter their local username and password.
Globus establishes a secure connection with the MyProxy service running on your endpoint, and sends you the username and password provided.
The OAuth service relays the credentials to MyProxy, which validates them. If valid, a short-lived client certificate & private key are generated, and sent back to Globus.
Although this authentication method does send credentials over the Internet, the credentials are not being shared with any third party (including Globus).
When Globus communicates with your endpoint, it uses the client cert issued by MyProxy, which contains the end user’s local username. That is how your endpoint knows who is using Globus.
MyProxy OAuth is a Python WSGI application, which uses Apache as the gateway between the user and the application. Although Apache has already been installed (as part of installing the MyProxy OAuth packages); you still need to configure Apache’s SSL settings, and obtain a certificate.
For the server certificate, you can get one from University IT, or you can get one from Let’s Encrypt. Both are free, and both have tradeoffs: A certificate from University IT lasts for up to two years, but can take a business day to be issued, and you have to remember to renew it. A certificate from Let’s Encrypt will last indefinitely as long as you have auto-renewal in place, but there are limits on how many new certs are issued per day, so you might have to wait.
Either way, until you have a certificate, MyProxy OAuth authentication may not work.
Besides getting a certificate, you will also need to configure your server’s SSL settings. The best tool to use is the Mozilla SSL Configuration Generator. You will need to provide your version of the “server” (that is, Apache) and of OpenSSL; you can get these from the list below:
- RHEL/CentOS 6: Server 2.2.15 and OpenSSL 1.0.1e
- RHEL/CentOS 7: Server 2.4.6 and OpenSSL 1.0.1e
- Debian 8: Server 2.4.10 and OpenSSL 1.0.1t
- Debian 9: Server 2.4.25 and OpenSSL 1.1.0f
- Ubuntu 16.04: Server 2.4.18 and OpenSSL 1.0.2g
- Ubuntu 18.04: Server 2.4.29 and OpenSSL 1.1.0g
Once your set your server and OpenSSL versions, if the Modern option is available, then select it. Otherwise, select Intermediate. Also, make sure HSTS Enabled is selected. At this point, the appropriate configuraion will be displayed, which you can copy to the appropriate Apache configuration file. The guides linked at the start of this section will help you locate the right configuration file.
Is TLS 1.0 disabled?
Before you move on, check the `SSLProtocol` line in your new SSL configuration, and make sure '-TLSv1' appears on that line. If it is missing, add it to the end of the line.
Now that the web server has been configured, you can move on to configuring Globus!
The MyProxy OAuth service allows a little customization, in the form of custom CSS and a logo. Before you continue configuration, you should download those files:
Download this CSS file to
/etc/globus-myproxy-oauth-stylesheet.csson the server.
Download the all-red Block S with Tree logo to
/etc/globus-myproxy-oauth-logo.pngon the server.
The logo lives on the Stanford Identity site, which requires that you log in to
download logos. So, you will have to download it manually, and copy it to the
server. The CSS file may be download directly using
To use MyProxy OAuth authentication, you will be making additions to the
globus-connect-server.conf file that you first filled in during initial
Perform initial configuration first
If you have not already completed the initial configuration, do that first, and then come back here.
Here is the content which needs to be added to the
Each of the sections will now be discussed in detail. If you do not need this explanation, you can skip ahead.
Security section is very simple:
[Security] FetchCredentialFromRelay = True IdentityMethod = OAuth
globus-connect-server-setup to configure MyProxy
OAuth. The explanation for FetchCredentialFromRelay is a little more
TLS is used to secure the communications between Globus and your endpoint.
With TLS, the server side must have a private key and certificate (if you run a
web site, you are probably aware of this already). Since Globus is initiating
connections to your endpoint, your endpoint needs a private key and
certificate. The FetchCredentialsFromRelay setting tells
globus-connect-server-setup to fetch a key and certificate from Globus, which
will be used for all future connections from Globus.
MyProxy section is also simple, with two options that can be changed
(although that is not normally required):
[MyProxy] Server = %(HOSTNAME)s ;;ServerBehindNAT = True
Server and ServerBehindNAT influence how
configures your endpoint.
Normally, your system’s hostname should match what is in Public DNS. But, in
some cases (such as when you are behind a NAT), that is not the case. When
your hostname does not match what is in Public DNS, you need to set Server to
your name in public DNS, and set ServerBehindNAT to
True. That will force
globus-connect-server-setup to configure MyProxy with the settings you
OAuth section has configuration specific to the OAuth server. Some of it
is a duplicate of the MyProxy section, and some of it is unique.
[OAuth] Server = %(HOSTNAME)s ;;ServerBehindNAT = True Stylesheet = /etc/globus-myproxy-oauth-stylesheet.css Logo = /etc/globus-myproxy-oauth-logo.png
The Server and ServerBehindNAT entries should be set to exactly the same values as what appears in the MyProxy section (you should just copy/paste them from one section to the other).
The logo is the “Block S (1 Color, Red, Dark Background)” logo, meant to be placed on a Stanford-red background. The stylesheet is what configures this background. It also enables the use of the Source Sans Pro font family, one of the two preferred font families for header and body text.
globus-connect-server.conf has been completed, it is now time to run
You should now run the
globus-connect-server-setup command. When you run
this command, you will be asked for your Globus ID’s password. Once that is
provided, setup will commence.
'sslv3 alert handshake failure' is OK
If you are running globus-connect-server-setup on a system running Python 3.1 or older, you may get the message 'sslv3 alert handshake failure'. This may be safely ignored. It is happening because your older Python is missing support for TLS SNI, which is required by downloads.globus.org (the Globus package repository). This issue has been reported to Globus.
Repeatedly prompted for ID and password?
If you are being repeatedly prompted for your Globus ID and password, that normally means that one of the two are incorrect. Remember, when prompted for your Globus ID, only enter the part before the at-sign.
'can't apply partial context' error?
If you get the message `can't apply partial context to unlabeled file `/var/lib/myproxy-oauth/myproxy-oauth.db'`, and SELinux is disabled, then the warning may be safely ignored.
Here is an example of the output from a successful run of
Password: Configured MyProxy server on sci-nfs-1.stanford.edu:7512 CA DN: /O=Globus Connect Server/CN=sci-nfs-1.stanford.edu Configured OAuth server sci-nfs-1.stanford.edu Configured GridFTP server to run on sci-nfs-1.stanford.edu Server DN: /C=US/O=Globus Consortium/OU=Globus Connect Service/CN=8af58dce-3969-11e8-b98d-0ac6873fc732 Using Authentication Method OAuth Configured Endpoint quake-sci-nfs-1
globus-connect-server-setup is performing these steps:
Checking for newer versions of Globus Connect Server.
apache2) services, and performing basic configuration for all services.
Configuring Python WSGI for Apache.
Creating a local certificate authority, which MyProxy will use to issue client certs.
Requesting a server certificate and private key from Globus, which MyProxy and GridFTP will use when accepting connections from Globus.
If configuration was successful, the “Configured endpoint” message will be printed. At this point, services have been started and are ready for use!
Write down your Server DN
The Server DN is needed later in the configuration process, so make a note of it, until configuration is complete.
The OAuth service runs as a Python WSGI application, under Apache. This is probably the first time Apache will have been used on this server, and so some configuraion will be required:
Disable Welcome Page
In a default Apache configuration, when someone browses to your site, they will be presented with a “Welcome” page. That page should be disabled. The exact way to do this depends on which Linux distribution you are using:
In RHEL, CentOS, and Scientific Linux, edit the file at
/etc/httpd/conf.d/welcome.conf: Remove the line
ErrorDocument 403 /error/noindex.html.
Restart Apache for the change to take effect.
The OAuth service requires SSL, which means you will need to get a valid certificate. For the Stanford community, two options are available:
You can get a certificate from University IT. This does not involve any additional software, and certificates are valid for up to two years, but involves some time and effort to configure.
You can get a certificate from Let’s Encrypt, using Certbot. This requires minimal effort (because Certbot does the work), but it means that you have to install additional third-party software, which will need to run on a regular basis (Let’s Encrypt certificates must be renewed approximately once a quarter).
At the same time, you should configure Apache to use modern TLS standards. This is most easily done by going to the Mozilla SSL Configuration Generator, choosing the Modern or Intermediate configuration, and entering your system’s versions of Apache and OpenSSL.
Apache will need to be restarted whenever SSL configuration is changed.
Now that Globus Connect Server (or, more specifically, MyProxy and GridFTP) is (are) up and running, you should finish configuration.