documents > User's Manual > TLS Authentication

TLS Authentication

English | Japanese

This document describes the settings required for TLS authentication in Gfarm.

Gfarm requires TLS 1.3. OpenSSL 1.1.1 or later is required.

There are two types of TLS authentication: tls_sharedsecret authentication, in which the server and client share a private key, and tls_client_certificate authentication, which uses a client certificate.

Common settings for tls_sharedsecret, tls_client_certificate, sasl_auth and sasl authentications

The following settings are common to the two TLS authentication methods, sasl authentication method and sasl_auth authentication method.

directory containing the Certificate Authority's certificate files
Required by all of clients, gfmd, and gfsd.
This can be set with the tls_ca_certificate_path directive and defaults to /etc/pki/tls/certs/gfarm.
This directory format is the same as /etc/grid-security/certificates for GSI authentication methods, so if your site has already been configured for GSI authentication, simply create a symbolic link with the following command to complete the configuration.
```
# mkdir -p /etc/pki/tls/certs
# ln -s /etc/grid-security/certificates /etc/pki/tls/certs/gfarm
```
directory where CRL files provided by the CA are located
Required by all of clients, gfmd, and gfsd.
The default directory is /etc/pki/tls/certs/gfarm, which is same with tls_ca_certificate_path.
This directory format is also common with /etc/grid-security/certificates for GSI authentication, so sites that have already completed the GSI authentication settings can complete the settings by creating the symbolic link described above.
the host certificate and the private key for gfmd
These files are required only on the hosts running gfmd.
These can be set by tls_certificate_file and tls_key_file in gfmd.conf, and the default file name is as follows:

host certificate /etc/pki/tls/certs/gfmd.crt

private key /etc/pki/tls/private/gfmd.key

For sites that have already been configured for GSI authentication, simply use the following command to create a symbolic link to complete the configuration.
```
# mkdir -p /etc/pki/tls/certs /etc/pki/tls/private
# ln -s /etc/grid-security/hostcert.pem /etc/pki/tls/certs/gfmd.crt
# ln -s /etc/grid-security/hostkey.pem /etc/pki/tls/private/gfmd.key
```
the service certificate and the private key for gfsd
The following file names can be set by tls_certificate_file and tls_key_file directives in gfarm2.conf, which is referred to by gfsd, and is the default setting.

service certificate /etc/pki/tls/certs/gfsd.crt

private key /etc/pki/tls/private/gfsd.key

However, the X509_USER_CERT and X509_USER_KEY environment variables take precedence over the tls_certificate_file and tls_key_file settings, respectively. When gfsd is initially configured using the config-gfsd command, the tls_certificate_file and tls_key_file directives have no effect because the following locations are set via these environment variables:

service certificate /etc/grid-security/gfsd/gfsdcert.pem

private key /etc/grid-security/gfsd/gfsdkey.pem

Since these path names are the same as those for GSI authentication, additional settings are not necessary for sites that have already completed GSI authentication settings.
In order to use a service certificate in gfsd, the following additional settings are required for gfarm2.conf of the client, gfarm2.conf of gfsd, and gfmd.conf of gfmd.
```
spool_server_cred_type host
spool_server_cred_service gfsd
```
These setting are also common to GSI, so sites that have already completed GSI certification do not need to make any additional settings.

host certificate	/etc/pki/tls/certs/gfmd.crt
private key	/etc/pki/tls/private/gfmd.key

service certificate	/etc/pki/tls/certs/gfsd.crt
private key	/etc/pki/tls/private/gfsd.key

service certificate	/etc/grid-security/gfsd/gfsdcert.pem
private key	/etc/grid-security/gfsd/gfsdkey.pem

settings specific to tls_sharedsecret authentication

For all client, gfmd, and gfsd hosts, a common key must be placed in the .gfarm_shared_key file directly under each user's home directory.
The configuration of this file is the same as that of sharedsecret authentication, so please refer to the description of sharedsecret authentication.

settings specific to tls_client_certificate

settings by the administrator

For each user, set the Subject DN of the client certificate in the fourth field of the gfuser command in the format "/O=Company/OU=Division/CN=UserName".
This setting is also common to GSI, so additional settings are not required for sites that have already been configured for GSI authentication.

settings by each user

When proxy certificates are used
Proxy certificates created by GSI's grid-proxy-init and myproxy-logon commands can be used without modification. Use these commands to create proxy certificates.
When proxy certificates are not used
They can be set in tls_certificate_file and tls_key_file in gfarm2.conf of the client, and the default file name is as follows in each user's home directory.

user certificate .gfarm/usercert.pem

private key .gfarm/userkey.pem

These files are same to GSI, so for sites that have already completed GSI certification settings, simply create a symbolic link with the following command to complete the setup.
```
$ ln -s .globus $HOME/.gfarm
```