Perl Clients

From GridSiteWiki

This page contains notes on how to build a Perl client for authenticated access to a GridSite. It splits into three sections:

  • How to get a web page using an X.509 client certificate as the authentication method
  • How to get a web page using a GSI Proxy as the authentication method
  • How to access a web service using SOAP::Lite, authenticating with your GSI Proxy (over TLS).
  • Links to examples and applications of this.

Perl to access GridSite over HTTPS using Standard X.509 Client Certificates

Notes on mutual authentication in perl using X.509 certs. How to interpret Client-SSL-Warning: Peer certificate not verified headers if you see them and even if you don't!

  • First get and install Crypt::SSLeay if you haven't already got it.
perl -MCPAN -e 'install Crypt::SSLeay'

This provides the link between the https methods in LWP and the openssl C libraries.

During installation you will be prompted for an openssl to link against. (At first I linked against the stock openssl 0.9.7a and later discovered problems)... I ended up installing and linking against version 0.9.6m.

  • Get an up to date version of the LWP (libwww) perl module.

The stock version that installs on Fedora Core 1 is old and doesn't do everything needed for mutual authentication. These early versions of the LWP module produced the header "Client-SSL-Warning: Peer certificate not verified" regardless of whether it was or not. So update the LWP module:

perl -MCPAN -e 'install "LWP"'
  • Write a program to authenticate using your X.509 Certificate (one like this will do):
#!/usr/bin/perl

use LWP::UserAgent;

$ENV{HTTPS_CA_DIR} = (defined $ENV{X509_CERT_DIR})?$ENV{X509_CERT_DIR}:"/etc/grid-security/certificates";
# The paths must be quoted strings; unquoted they are a syntax error
$ENV{HTTPS_CERT_FILE} = "$ENV{HOME}/.globus/usercert.pem";
$ENV{HTTPS_KEY_FILE}  = "$ENV{HOME}/.globus/userkey.pem";

# Print SSL Debug stuff (omit this line if not debugging)
$ENV{HTTPS_DEBUG} = 1;

# Instantiate an LWP User Agent to communicate through
my $agent = LWP::UserAgent->new;

# Get a response from https://www.gridsite.org/
my $response = $agent->get( "https://www.gridsite.org/" );

# Do something with your response
if ( $response->is_success ) {
  print $response->as_string;
} else {
  print "Something went wrong: ", $response->status_line, "\n";
}
  • To check that it's all working, connect to a secure site that has a certificate issued by a CA not in $HTTPS_CA_DIR.
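
One way to read the result of that check, as an added example that is not part of the original wiki page. It assumes the updated LWP described above, which records the TLS details in Client-SSL-* response headers; the helper name verdict, the issuer DN and the responses themselves are constructed so the script runs offline.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTTP::Response;

# Hypothetical helper: judge one response from the trust-store check.
# $ca_trusted is true when the site's CA is in HTTPS_CA_DIR.
sub verdict {
    my ($response, $ca_trusted) = @_;
    my $ok      = $response->is_success;
    my $warning = $response->header('Client-SSL-Warning');
    my $issuer  = $response->header('Client-SSL-Cert-Issuer');

    if (!$ca_trusted) {
        # Any success here means the untrusted peer was accepted.
        return "PASS: rejected (" . $response->status_line . ")" unless $ok;
        return "FAIL: accepted a peer from an untrusted CA"
             . ($warning ? " ($warning)" : " with no warning at all");
    }
    return "FAIL: request failed (" . $response->status_line . ")" unless $ok;
    return "FAIL: $warning" if $warning;
    return "FAIL: no issuer header, so no server certificate was seen" unless $issuer;
    return "PASS: verified, issued by $issuer";
}

# Constructed responses standing in for $agent->get(...) results.
my $issuer = '/C=XX/O=Example Grid/CN=Example CA';   # constructed DN
my @cases = (
    [ 'trusted CA, verified',
      HTTP::Response->new(200, 'OK', [ 'Client-SSL-Cert-Issuer' => $issuer ]), 1 ],
    [ 'trusted CA, warning header',
      HTTP::Response->new(200, 'OK', [ 'Client-SSL-Cert-Issuer' => $issuer,
          'Client-SSL-Warning' => 'Peer certificate not verified' ]), 1 ],
    [ 'untrusted CA, handshake refused',
      HTTP::Response->new(500, 'SSL negotiation failed'), 0 ],
    [ 'untrusted CA, page returned',
      HTTP::Response->new(200, 'OK', [ 'Client-SSL-Cert-Issuer' => $issuer,
          'Client-SSL-Warning' => 'Peer certificate not verified' ]), 0 ],
);
printf "%-34s %s\n", $_->[0], verdict($_->[1], $_->[2]) for @cases;
```

In a real run, pass the object returned by $agent->get(...) to verdict() once for a site whose CA is in HTTPS_CA_DIR and once for a site whose CA is not.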

Perl to access GridSite over HTTPS using GSI Proxies

  • Write a new program, this time to authenticate with your GSI proxy:
#!/usr/bin/perl

use LWP::UserAgent;

$ENV{HTTPS_CA_DIR} = (defined $ENV{X509_CERT_DIR})?$ENV{X509_CERT_DIR}:"/etc/grid-security/certificates";

# ---- GSI Magic to make it work ----
my $GSIPROXY = (defined $ENV{X509_USER_PROXY})?$ENV{X509_USER_PROXY}:"/tmp/x509up_u$<";
$ENV{HTTPS_CA_FILE} = $GSIPROXY;
$ENV{HTTPS_CERT_FILE} = $GSIPROXY;
$ENV{HTTPS_KEY_FILE}  = $GSIPROXY;
# ---- End of GSI Magic ----

# Print SSL Debug stuff (omit this line if not debugging)
$ENV{HTTPS_DEBUG} = 1;

# Instantiate an LWP User Agent to communicate through
my $agent = LWP::UserAgent->new;

# Get a response from https://www.gridsite.org/
my $response = $agent->get( "https://www.gridsite.org/" );
 
# Do something with your response
if ( $response->is_success ) {
  print $response->as_string;
} else {
  print "Something went wrong: ", $response->status_line, "\n";
}
  • Anything that you use/build, which is derived from your instance of LWP, will use your proxy if you set the environment variables as specified above.
HTTPS_KEY_FILE: points to the file containing the key
HTTPS_CERT_FILE: points to the file containing the certificate that matches the key
HTTPS_CA_FILE: points to a file containing a list of trusted certificates (for GSI we specify this so that Crypt::SSLeay knows how to construct your GSI proxy's certificate chain)
HTTPS_CA_DIR: points to the directory containing all your Trusted CA Root Certificates

For GSI proxies the first three should be the same file (after a grid-proxy-init command this is normally /tmp/x509up_u`id -u`).
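
A pre-flight check for that single proxy file, as an added example that is not part of the original wiki page: the file carries the proxy's private key alongside its certificates, so the script checks type, ownership, permissions and PEM contents before the file is handed to LWP. The helper name check_proxy_file is hypothetical, owner-only permissions are assumed as the usual GSI convention, and the sample file is constructed with placeholder PEM bodies.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl ':mode';
use File::Temp qw(tempfile);

# Hypothetical helper: returns a list of problems, empty if the file looks usable.
sub check_proxy_file {
    my ($path) = @_;
    my @st = lstat($path) or return ("cannot stat $path: $!");
    my ($mode, $uid) = @st[2, 4];
    my @problems;
    push @problems, "not a regular file (symlink or special file)"
        unless S_ISREG($mode);
    push @problems, "owned by uid $uid, not by the current uid $<"
        unless $uid == $<;
    push @problems, sprintf("mode %04o lets group/other reach the private key",
                            S_IMODE($mode))
        if S_IMODE($mode) & 077;
    return @problems unless S_ISREG($mode);    # never open special files

    open(my $fh, '<', $path) or return (@problems, "cannot read $path: $!");
    my $pem = do { local $/; <$fh> };
    close($fh);
    my $certs = () = $pem =~ /^-----BEGIN CERTIFICATE-----/mg;
    my $keys  = () = $pem =~ /^-----BEGIN (?:RSA )?PRIVATE KEY-----/mg;
    push @problems, "no certificate block found" if $certs < 1;
    push @problems, "expected one private key block, found $keys" if $keys != 1;
    return @problems;
}

# Constructed sample laid out like a proxy file; the PEM bodies are placeholders.
my ($tmp_fh, $tmp) = tempfile(UNLINK => 1);
print {$tmp_fh} "-----BEGIN $_-----\n(constructed)\n-----END $_-----\n"
    for 'CERTIFICATE', 'RSA PRIVATE KEY', 'CERTIFICATE';
close($tmp_fh);

for my $mode (0644, 0600) {
    chmod $mode, $tmp;
    my @problems = check_proxy_file($tmp);
    printf "%04o: %s\n", $mode, @problems ? join('; ', @problems) : 'ok';
}
```

In the GSI scripts on this page, call check_proxy_file($GSIPROXY) before setting the HTTPS_* variables and stop if it returns anything.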

SOAP::Lite to access GridSite over https using GSI Proxies

  • Get SOAP::Lite if you haven't already got it.
perl -MCPAN -e 'install SOAP::Lite'

A simple SOAP::Lite script might look a bit like this:

#!/usr/bin/perl

# Uncomment next line for SOAP debug info 
# use SOAP::Lite +trace => debug => sub {};

use SOAP::Lite;

# ---- GSI Magic to make it work ----
my $GSIPROXY = (defined $ENV{X509_USER_PROXY})?$ENV{X509_USER_PROXY}:"/tmp/x509up_u$<";
$ENV{HTTPS_CA_DIR} = (defined $ENV{X509_CERT_DIR})?$ENV{X509_CERT_DIR}:"/etc/grid-security/certificates";
$ENV{HTTPS_CA_FILE} = $GSIPROXY;
$ENV{HTTPS_CERT_FILE} = $GSIPROXY;
$ENV{HTTPS_KEY_FILE}  = $GSIPROXY;
# ---- End of GSI Magic ----

# Uncomment next line for SSL debug info
# $ENV{HTTPS_DEBUG} = 1;

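# Force SSLv3, if you want (SSLv3 is obsolete and insecure; only for legacy servers that need it)
$ENV{HTTPS_VERSION} = '3';

# Instantiate a SOAP User Agent to communicate through (NB this need not be HTTPS, the WSDL will specify HTTP or HTTPS)
# A WSDL fetched over plain HTTP is unauthenticated, so the endpoint it names can be altered in transit
my $service = SOAP::Lite->service( "http://www.gridsite.org/AnotherDescription.wsdl" );

# Call a WS Operation via the SOAP Agent
my $response = $service->SomeOperation();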

print $response;

Perl Pearls

Assuming you've got to grips with the above stuff, you may like to visit the Perl Pearls (http://www.kato.mvc.mcc.ac.uk/gridsite/GridPerlPearls.html) page on the Manchester Computing RSS GridSite.

Therein you'll find such gems as:

  • How to create a legacy GSI proxy without any Globus code.
  • How to create a basic yet secure and authenticated Application Hosting Environment.
  • How to create a web service and client that will delegate a proxy to that hosting environment.

...