Perl Clients
From GridSiteWiki
This page contains notes on how to build a Perl client for authenticated access to a GridSite. It splits into three sections:
- How to get a web page using an X.509 client certificate as the authentication method
- How to get a web page using a GSI Proxy as the authentication method
- How to access a web service using SOAP::Lite, authenticating with your GSI Proxy (over TLS).
- Links to examples and applications of this.
Perl to access GridSite over HTTPS using Standard X.509 Client Certificates
Notes on mutual authentication in Perl using X.509 certs, including how to interpret "Client-SSL-Warning: Peer certificate not verified" headers if you see them, and even if you don't!
- First get and install Crypt::SSLeay if you haven't already got it.
perl -MCPAN -e 'install Crypt::SSLeay'
This provides the link between the https methods in LWP and the openssl C libraries.
During installation you will be prompted for an openssl to link against. (At first I linked against the stock openssl 0.9.7a and later discovered problems)... I ended up installing and linking against version 0.9.6m.
- Get an up to date version of the LWP (libwww) perl module.
The stock version that installs on a Fedora Core 1 is old and doesn't do everything needed for mutual authentication. These early versions of the LWP module produced the header "Client-SSL-Warning: Peer certificate not verified" regardless of whether the certificate was verified or not. So update the LWP module:
perl -MCPAN -e 'install "LWP"'
- Write a program to authenticate using your X.509 Certificate (one like this will do):
    #!/usr/bin/perl
    use LWP::UserAgent;

    # Directory of trusted CA certificates used to verify the server
    $ENV{HTTPS_CA_DIR} = (defined $ENV{X509_CERT_DIR})?$ENV{X509_CERT_DIR}:"/etc/grid-security/certificates";

    # Your client certificate and the matching private key
    $ENV{HTTPS_CERT_FILE} = "$ENV{HOME}/.globus/usercert.pem";
    $ENV{HTTPS_KEY_FILE}  = "$ENV{HOME}/.globus/userkey.pem";

    # Print SSL Debug stuff (omit this line if not debugging)
    $ENV{HTTPS_DEBUG} = 1;

    # Instantiate an LWP User Agent to communicate through
    my $agent = LWP::UserAgent->new;

    # Get a response from https://www.gridsite.org/
    my $response = $agent->get( "https://www.gridsite.org/" );

    # Do something with your response
    if ( $response->is_success ) {
        print $response->as_string;
    }
    else {
        print "Something went wrong\n";
    }

- To check that server verification is really working, connect to a secure site whose certificate was issued by a CA that is not in $HTTPS_CA_DIR. Because setting HTTPS_CA_DIR turns on peer verification in Crypt::SSLeay, that request should fail.
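The same check can be built into the client so that an unverified server is never trusted silently. This is an added example, not code from the original page; the helper name get_verified is hypothetical, and the Client-SSL-* headers are the ones LWP attaches to HTTPS responses.

```perl
#!/usr/bin/perl
# Added example (not from the original page): refuse any response whose
# server certificate LWP reports as unverified.
use strict;
use warnings;
use LWP::UserAgent;

$ENV{HTTPS_CA_DIR} = (defined $ENV{X509_CERT_DIR})?$ENV{X509_CERT_DIR}:"/etc/grid-security/certificates";
$ENV{HTTPS_CERT_FILE} = "$ENV{HOME}/.globus/usercert.pem";
$ENV{HTTPS_KEY_FILE}  = "$ENV{HOME}/.globus/userkey.pem";

# get_verified is a hypothetical helper name.
sub get_verified {
    my ( $agent, $url ) = @_;
    my $response = $agent->get($url);

    # Covers HTTP errors as well as a failed handshake, for example a
    # server certificate issued by a CA that is not in HTTPS_CA_DIR.
    die "Request to $url failed: " . $response->status_line . "\n"
        unless $response->is_success;

    # LWP sets this header when the peer certificate was not verified.
    # Old LWP releases set it unconditionally, so update LWP first.
    if ( my $warning = $response->header('Client-SSL-Warning') ) {
        die "Refusing response from $url: $warning\n";
    }

    # Without these headers the response did not come over HTTPS at all.
    my $subject = $response->header('Client-SSL-Cert-Subject');
    my $issuer  = $response->header('Client-SSL-Cert-Issuer');
    die "No server certificate recorded for $url\n"
        unless defined $subject && defined $issuer;

    print STDERR "Server subject: $subject\n";
    print STDERR "Server issuer:  $issuer\n";
    return $response;
}

my $agent    = LWP::UserAgent->new;
my $url      = shift(@ARGV) || "https://www.gridsite.org/";
my $response = get_verified( $agent, $url );
print $response->as_string;
```

Run it once against your GridSite and once against a site signed by a CA outside $HTTPS_CA_DIR; the second run should die before printing any content.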
Perl to access GridSite over HTTPS using GSI Proxies
- Write a new program, this time to authenticate with your GSI proxy:

    #!/usr/bin/perl
    use LWP::UserAgent;

    $ENV{HTTPS_CA_DIR} = (defined $ENV{X509_CERT_DIR})?$ENV{X509_CERT_DIR}:"/etc/grid-security/certificates";

    # ---- GSI Magic to make it work ----
    my $GSIPROXY = (defined $ENV{X509_USER_PROXY})?$ENV{X509_USER_PROXY}:"/tmp/x509up_u$<";
    $ENV{HTTPS_CA_FILE}   = $GSIPROXY;
    $ENV{HTTPS_CERT_FILE} = $GSIPROXY;
    $ENV{HTTPS_KEY_FILE}  = $GSIPROXY;
    # ---- End of GSI Magic ----

    # Print SSL Debug stuff (omit this line if not debugging)
    $ENV{HTTPS_DEBUG} = 1;

    # Instantiate an LWP User Agent to communicate through
    my $agent = LWP::UserAgent->new;

    # Get a response from https://www.gridsite.org/
    my $response = $agent->get( "https://www.gridsite.org/" );

    # Do something with your response
    if ( $response->is_success ) {
        print $response->as_string;
    }
    else {
        print "Something went wrong\n";
    }
- Anything that you use/build, which is derived from your instance of LWP, will use your proxy if you set the environment variables as specified above.
- HTTPS_KEY_FILE: points to the file containing the key
- HTTPS_CERT_FILE: points to the file containing the certificate that matches the key
- HTTPS_CA_FILE: points to a file containing a list of trusted certificates (for GSI we specify this so that Crypt::SSLeay knows how to construct your GSI proxy's certificate chain)
- HTTPS_CA_DIR: points to the directory containing all your Trusted CA Root Certificates
For GSI proxies the first three should be the same file (normally, after a grid-proxy-init command, located here: /tmp/x509up_u`id -u`).
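Because the proxy file also serves as HTTPS_KEY_FILE and lives in /tmp by default, it is worth checking before use. The following is an added example, not code from the original page; the helper name check_credential_file is hypothetical, and the expiry check assumes the openssl command-line tool is on your PATH.

```perl
#!/usr/bin/perl
# Added example (not from the original page): check the GSI proxy file
# before handing it to Crypt::SSLeay through the HTTPS_* variables.
use strict;
use warnings;
use Fcntl ':mode';

# check_credential_file is a hypothetical helper name.
# Returns a description of the problem, or undef if none was found.
sub check_credential_file {
    my ($path) = @_;

    # lstat, not stat: a symlink planted in /tmp must not be followed.
    my @st = lstat($path) or return "cannot stat $path: $!";
    return "$path is not a regular file" unless S_ISREG( $st[2] );
    return "$path is not owned by uid $<" unless $st[4] == $<;

    # The file holds the private key, so group and other get no access.
    my $perms = S_IMODE( $st[2] );
    return sprintf( "%s has mode %04o, expected 0600 or stricter", $path, $perms )
        if $perms & 077;

    return;
}

my $GSIPROXY = (defined $ENV{X509_USER_PROXY})?$ENV{X509_USER_PROXY}:"/tmp/x509up_u$<";

if ( defined( my $problem = check_credential_file($GSIPROXY) ) ) {
    die "Not using $GSIPROXY: $problem\n";
}

# Assumption: the openssl command-line tool is on PATH. -checkend 0 exits
# non-zero if the first certificate in the file (the proxy) has expired.
system( "openssl", "x509", "-in", $GSIPROXY, "-noout", "-checkend", "0" ) == 0
    or die "Proxy in $GSIPROXY has expired or cannot be read; run grid-proxy-init\n";

# Only now point Crypt::SSLeay at the proxy, as in the program above.
$ENV{HTTPS_CA_DIR} = (defined $ENV{X509_CERT_DIR})?$ENV{X509_CERT_DIR}:"/etc/grid-security/certificates";
$ENV{HTTPS_CA_FILE}   = $GSIPROXY;
$ENV{HTTPS_CERT_FILE} = $GSIPROXY;
$ENV{HTTPS_KEY_FILE}  = $GSIPROXY;

print "GSI proxy $GSIPROXY passed the checks\n";
```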
SOAP::Lite to access GridSite over https using GSI Proxies
- Get SOAP::Lite if you haven't already got it.
perl -MCPAN -e 'install SOAP::Lite'
A Simple SOAP::Lite script might look a bit like this:
    #!/usr/bin/perl

    # Uncomment next line for SOAP debug info
    # use SOAP::Lite +trace => debug => sub {};
    use SOAP::Lite;

    # ---- GSI Magic to make it work ----
    my $GSIPROXY = (defined $ENV{X509_USER_PROXY})?$ENV{X509_USER_PROXY}:"/tmp/x509up_u$<";
    $ENV{HTTPS_CA_DIR} = (defined $ENV{X509_CERT_DIR})?$ENV{X509_CERT_DIR}:"/etc/grid-security/certificates";
    $ENV{HTTPS_CA_FILE}   = $GSIPROXY;
    $ENV{HTTPS_CERT_FILE} = $GSIPROXY;
    $ENV{HTTPS_KEY_FILE}  = $GSIPROXY;
    # ---- End of GSI Magic ----

    # Uncomment next line for SSL debug info
    # $ENV{HTTPS_DEBUG} = 1;

    # Force SSLv3, if you want (SSLv3 is obsolete and insecure; omit
    # this line unless a legacy server requires it)
    $ENV{HTTPS_VERSION} = '3';

    # Instantiate a SOAP User Agent to communicate through
    # (NB this need not be HTTPS, the WSDL will specify HTTP or HTTPS)
    my $service = SOAP::Lite -> service( "http://www.gridsite.org/AnotherDescription.wsdl" );

    # Call a WS Operation via the SOAP Agent
    my $response = $service->SomeOperation();
    print $response;
Perl Pearls
Assuming you've got to grips with the above stuff, you may like to visit the Perl Pearls (http://www.kato.mvc.mcc.ac.uk/gridsite/GridPerlPearls.html) page on the Manchester Computing RSS GridSite.
Therein you'll find such gems as:
- How to create a legacy GSI proxy without any Globus code.
- How to create a basic yet secure and authenticated Application Hosting Environment.
- How to create a web service and client that will delegate a proxy to that hosting environment.
...