[[ux_proxies]]
   
Proxy certificate support
-------------------------

[NOTE]
==================
First, a warning: proxies are not really supported in UNICORE, except for
a very limited set of usage scenarios. Many "normal" things will not work
with proxy certificates. Thus, use this feature only if strictly necessary.
No feature in UNICORE _requires_ proxies.
==================

Proxies are supported in two ways in UNICORE:

  - transport-layer security and authentication via the UNICORE gateway

  - enabling the use of GSI-based software such as GridFTP

This document provides information and configuration snippets for the second usage scenario. 
Information about the first case can be found on the SourceForge Wiki page 
https://sourceforge.net/apps/mediawiki/unicore/index.php?title=EnableProxySupport[EnableProxySupport].

TLS proxy support
~~~~~~~~~~~~~~~~~

Using proxies for TLS means that the proxy certificate is used by the client to establish the 
SSL connection. You must use a gateway with the appropriate configuration for this to work.
On the UNICORE/X side it is necessary to set a property in uas.config:

-------------
uas.authoriser.proxysupport=true
-------------


GSI tools support
~~~~~~~~~~~~~~~~~
 
Your UNICORE client needs to create and send the proxy. Both UCC and URC support
this; please consult your client documentation for the details.

==== Storing the proxy in the job directory 
 
First, you need to enable a handler on the web services engine. In the unicorex/conf/wsrflite.xml,
add a handler definition on the target system service:

-------------------
  <service name="TargetSystemService" wsrf="true" persistent="true">
   ...
   <!-- additional proxy extraction handler definition -->
   <handler type="in" class="de.fzj.unicore.uas.security.ProxyCertInHandler"/>
  </service>
-------------------
 

The handler can also be added for all services like this:

-------------------
  
  <!-- add proxy extract handler on all services. 
       This needs to be done *before* the service definitions -->
  <globalHandler type="in" class="de.fzj.unicore.uas.security.ProxyCertInHandler"/>
  
  <service name="...">
  </service>
  
  ...
-------------------

Second, you need to modify the XNJS configuration to enable a component that stores the proxy in the
format expected by GSI (no encryption, PEM format).

Open the XNJS config file (e.g. 'conf/xnjs.xml') and edit the ProcessingChain section:

--------------------------------------
  <eng:ProcessingChain actionType="JSDL" jobDescriptionType="{http://schemas.ggf.org/jsdl/2005/11/jsdl}JobDefinition">
    <!-- stores proxy to uspace -->
    <eng:Processor>de.fzj.unicore.uas.xnjs.ProxyCertToUspaceProcessor</eng:Processor>
    <!-- usual entries -->
    <eng:Processor>de.fzj.unicore.xnjs.jsdl.JSDLProcessor</eng:Processor>
    <eng:Processor>de.fzj.unicore.xnjs.ems.processors.UsageLogger</eng:Processor>
  </eng:ProcessingChain>
--------------------------------------
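As an added example (not part of the UNICORE documentation or code base), a small Python check for the proxy file that ends up in the job directory: it verifies the layout described above (PEM blocks, an unencrypted private key, the certificate chain) and the ownership/permission rules GSI tools apply to proxy files. The file path passed to `check_proxy_file` and the embedded sample PEM content are assumptions.

```python
import os
import re
import stat

# One PEM block: "-----BEGIN X-----", body, "-----END X-----" with the same X.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)\n-----END \1-----", re.S)


def inspect_proxy_pem(text):
    """Report whether a PEM proxy has the layout GSI tools expect: a proxy
    certificate, an unencrypted private key, and the issuing certificate."""
    blocks = PEM_BLOCK.findall(text.replace("\r\n", "\n"))
    kinds = [kind for kind, _ in blocks]
    keys = [(kind, body) for kind, body in blocks if kind.endswith("PRIVATE KEY")]
    # Encrypted keys are either PKCS#8 "ENCRYPTED PRIVATE KEY" blocks or
    # traditional keys carrying a "Proc-Type: 4,ENCRYPTED" header line.
    encrypted = any(kind == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body
                    for kind, body in keys)
    problems = []
    if "CERTIFICATE" not in kinds:
        problems.append("no CERTIFICATE block")
    if not keys:
        problems.append("no PRIVATE KEY block")
    if encrypted:
        problems.append("private key is encrypted; GSI expects an unencrypted key")
    if kinds.count("CERTIFICATE") < 2:
        problems.append("issuer certificate missing; a proxy file normally carries the chain")
    return {"blocks": kinds, "encrypted": encrypted, "problems": problems}


def mode_problems(st_mode, file_uid, current_uid):
    """GSI tools refuse proxy files that others can access or that the caller
    does not own; mirror that check on the stat() values."""
    problems = []
    if file_uid != current_uid:
        problems.append("proxy file is not owned by the current user")
    if st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("mode %o allows group/other access; expected 0600" % stat.S_IMODE(st_mode))
    return problems


def check_proxy_file(path):
    """Run both checks on a proxy stored on disk (path is an assumption)."""
    st = os.stat(path)
    with open(path) as f:
        report = inspect_proxy_pem(f.read())
    report["problems"] += mode_problems(st.st_mode, st.st_uid, os.getuid())
    return report


# Constructed sample input: placeholder base64, not real certificates or keys.
GOOD_PROXY = ("-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
              "-----BEGIN RSA PRIVATE KEY-----\nBBBB\n-----END RSA PRIVATE KEY-----\n"
              "-----BEGIN CERTIFICATE-----\nCCCC\n-----END CERTIFICATE-----\n")
ENCRYPTED_PROXY = GOOD_PROXY.replace("KEY-----\nBBBB", "KEY-----\nProc-Type: 4,ENCRYPTED\nBBBB")
```

Calling `inspect_proxy_pem(ENCRYPTED_PROXY)` reports the encrypted key, which is exactly the case the processor above is meant to avoid.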

==== Configuring GridFTP

Using GridFTP basically works out of the box, if the client sends a proxy and you have Globus installed
on your TSI login node. However, it can be customised using two settings in the XNJS config file ("xnjs.xml"
or "xnjs_legacy.xml"):

--------------------------------------
    <!-- name / path of the executable -->
    <eng:Property name="globus-url-copy" value="/usr/local/bin/globus-url-copy"/>
    <!-- additional parameters for globus-url-copy -->
    <eng:Property name="globus-url-copy.parameters" value=""/>
--------------------------------------

