MyProxy is an open source software and part of the Globus toolkit. It provides functionalities to manage X.509 Public Key Infrastructure (PKI) security credentials. It is an online repository that allows users to store their X.509 PKI security credentials. Each credential is protected by a password that is provided by the user at the time of storage. The credential can be retrieved later from the repository for use.
The advantage of this method is that users don't have to carry their private keys and certificates to install on computers which they would like to access grid resources from. This is especially userful for users who have to use shared computers and are thus unwilling to save a copy of their grid certificates on those computers. For more information about MyProxy, please refer to http://grid.ncsa.uiuc.edu/myproxy.
Using LRZ's MyProxy Server
Please note that the service is also available on port 80, in case the client's network provider filters connections to high ports (above 1024).
Create and Store Credential
At LRZ Globus is available on both SuperMUC and the Linux cluster. To set the needed environmental variables, please use the following command:
module load globus
To create and store a credential:
myproxy-init -s myproxy.lrz.de
The user will be prompted to enter first his/her grid certificate passphrase. As a consequence, a credential/proxy is generated. User will be prompted to enter another passphrase, the so called MyProxy passphrase. This is the passphrase that will protect the user's credential on the myproxy server. Even if the lifetime of the proxy just created is limited (by default 7 days, usually much less than the original user certificate), all criteria to devise a secure password should be applied here as well. The MyProxy passhrase should be entered twice, the second time for verification.
To create a credential that has a maximum lifetime (i.e., equal to those of the original credential), please use
myproxy-init -c 0
For more information regarding creating credential with varying lifetime, please use "
Retrieve and Remove Credential
If you are going to use the Java webstart based GSISSH-Term you can use its builtin functionality to retrieve a proxy from a MyProxy server. See GSISSH-Term page for all the details.
On the other hand, in order to retrieve a credential from LRZ's MyProxy by means of the command line tool:
myproxy-logon -s myproxy.lrz.de
The user will be prompted to enter his/her MyProxy passphrase for verification.
To remove a credential from LRZ's MyProxy:
myproxy-destroy -s myproxy.lrz.de
User will be prompted to enter his/her MyProxy passphrase for verification.
If you face any problems, please contact email@example.com.
MyProxy Virtual Organizations Support (VOMS)
The LRZ MyProxy can issue a proxy certificate with VOMS extensions. This comes very handy as it saves users the trouble to install and configure VOMS utilities on their local platform. Simply uploading a regular (non VOMS) credential to MyProxy, it is possible to retrieve a proxy with a VO attribute. MyProxy is connecting to the VOMS server, performing all the necessary negotiations and checks on behalf of the user. The procedure is successfull if the VO is supported by LRZ. At the moment, the LRZ MyProxy works with all EGI VOs. Of course, the user should have previously registered his certificate's DN with the VOMS server, that is to say the user should be a member of the VO he wants to use. For more details, or to check that your VO is recognized, please contact firstname.lastname@example.org.
The procedure to get your proxy signed by a VO consists of two steps:
- upload a (plain regular) proxy without VO extensions to MyProxy, typing
myproxy-init -s myproxy.lrz.de -p 7512, as already explained above. You need to enter the password of your private key and the passphrase you want to use ;
- at the moment of requesting a credential, use the
-mflag, i.e., typing
myproxy-logon -s myproxy.lrz.de -p 7512 -m <your VO>, for example
myproxy-logon -s myproxy.lrz.de -p 7512 -m esr. You can easily verify the extensions by means of the
This feature has also been imported in GSISSH-Term: just specify your VO in the
VO Name field when you try to connect to a resource using the MyProxy dialogue box (in the following picture, where the user is asking MyProxy to get a VO extension from the dech VO).
MyProxy as a Certification Authority
In case you encounter problems obtaining a grid certificate but you have an LRZ account, then the LRZ MyProxy can issue a credential for you. The Distinguished Name (DN) of the new certificate follows the rule:
/O=Grid/OU=GlobusTest/OU=IGE-Testbed-CA/OU=LRZ/CN=<Personal name> <Family name> <username>
For example, the user
John Doe, whose account is
jd00ab will receive a certificate with the DN:
/O=Grid/OU=GlobusTest/OU=IGE-Testbed-CA/OU=LRZ/CN=John Doe jd00ab
This credential allows a user to perform all operations on all of our supported grid services such as interactive login, file transfer (including Globus Online) and job submission. The temporary certificate can even be imported in a browser (this is an advanced topic, please contact email@example.com) and used for authentication. However, please be aware of the intrinsic limitations:
- the lifetime is limited to 500 hours, after expiration, a new one should be generated;
- the certificate is valid only on LRZ resources and in the EGCF Testbed. This means that if you want to reach these resources from your machine or any other client, the Globus commands should be issued from the machine external to LRZ or the EGCF Testbed. In other words, assuming that the goal is copying a file from a LRZ machine, the file should be pulled from the destination. If the file is pushed from LRZ, the procedure will not work, since the CA used by MyProxy is not recognized. For the same reason, in order to store a file into the LRZ machine, the correct procedure consists in pushing the file from the source to the destination, rather than pulling it from the destination. In case of problems, especially using globus-url-copy, please enter the following command on your client:
myproxy-get-trust-roots -v -s myproxy.lrz.de -p 7512. A copy of the CA certificates used for authentication (including the LRZ MyProxy CA) will be saved in your
$HOME/.globus/certificatesfolder. This location has a higher priority over the system one, so it should be possible to avoid the remaining mutual client-server authentication issues. The last step is not necessary when using Globus Online;
- in order to use your certificate at LRZ, your DN should be registered and known to us. Instructions on how to identify the DN are given later on in this section.
Obtaining a certificate from the LRZ MyProxy CA is very easy, and in principle not different from retrieving a proxy stored in advance. On the command line, type
myproxy-logon -s myproxy.lrz.de -p 7512 -l <your LRZ username>
and then enter the password associated with your (LRZ SIM) account. You can verify that the operation was successful by means of the
subject : /O=Grid/OU=GlobusTest/OU=IGE-Testbed-CA/OU=LRZ/CN=John Doe jd00ab issuer : /O=Grid/OU=IGE-Testbed-CA/CN=Globus Simple CA identity : /O=Grid/OU=GlobusTest/OU=IGE-Testbed-CA/OU=LRZ/CN=John Doe jd00ab type : end entity credential strength : 2048 bits path : /tmp/x509up_u501 timeleft : 11:51:40
identity field contains the DN to add to your account in the LRZ ID portal.
In order to extend the life span of your credential, use the
-t option of
myproxy-logon, specifying the number of hours, up to 500.
If you already uploaded a certificate using your username, then this will not work. You have to remove the old credential typing
myproxy-destroy -s myproxy.lrz.de -p 7512 -l <your LRZ username>.
The same functionality is also available if you access the LRZ MyProxy service by means of GSISSH-Term: just specify your LRZ username and passphrase in the corresponding fields. If you need to fetch the certificate DN, click on
Proxy in the menu bar on top, and then choose
Proxy Info to visualize the subject.