MyProxy is an open source software and part of the Globus toolkit. It provides functionalities to manage X.509 Public Key Infrastructure (PKI) security credentials. It is an online repository that allows users to store their X.509 PKI security credentials. Each credential is protected by a password that is provided by the user at the time of storage. The credential can be retrieved later from the repository for use.

The advantage of this method is that users don't have to carry their private keys and certificates to install on computers which they would like to access grid resources from. This is especially userful for users who have to use shared computers and are thus unwilling to save a copy of their grid certificates on those computers. For more information about MyProxy, please refer to

Using LRZ's MyProxy Server

Port: 7512

Please note that the service is also available on port 80, in case the client's network provider filters connections to high ports (above 1024).

Create and Store Credential

At LRZ Globus is available on both SuperMUC and the Linux cluster. To set the needed environmental variables, please use the following command:

module load globus

To create and store a credential:

myproxy-init -s

The user will be prompted to enter first his/her grid certificate passphrase. As a consequence, a credential/proxy is generated. User will be prompted to enter another passphrase, the so called MyProxy passphrase. This is the passphrase that will protect the user's credential on the myproxy server. Even if the lifetime of the proxy just created is limited (by default 7 days, usually much less than the original user certificate), all criteria to devise a secure password should be applied here as well. The MyProxy passhrase should be entered twice, the second time for verification.

To create a credential that has a maximum lifetime (i.e., equal to those of the original credential), please use

myproxy-init -c 0

For more information regarding creating credential with varying lifetime, please use "myproxy-init -help"

Retrieve and Remove Credential

If you are going to use the Java webstart based GSISSH-Term you can use its builtin functionality to retrieve a proxy from a MyProxy server. See GSISSH-Term page for all the details.

On the other hand, in order to retrieve a credential from LRZ's MyProxy by means of the command line tool:

myproxy-logon -s

The user will be prompted to enter his/her MyProxy passphrase for verification.

To remove a credential from LRZ's MyProxy:

myproxy-destroy -s

User will be prompted to enter his/her MyProxy passphrase for verification.

If you face any problems, please contact

MyProxy Virtual Organizations Support (VOMS)

The LRZ MyProxy can issue a proxy certificate with VOMS extensions. This comes very handy as it saves users the trouble to install and configure VOMS utilities on their local platform. Simply uploading a regular (non VOMS) credential to MyProxy, it is possible to retrieve a proxy with a VO attribute. MyProxy is connecting to the VOMS server, performing all the necessary negotiations and checks on behalf of the user. The procedure is successfull if the VO is supported by LRZ. At the moment, the LRZ MyProxy works with all EGI VOs. Of course, the user should have previously registered his certificate's DN with the VOMS server, that is to say the user should be a member of the VO he wants to use. For more details, or to check that your VO is recognized, please contact

The procedure to get your proxy signed by a VO consists of two steps:

  • upload a (plain regular) proxy without VO extensions to MyProxy, typing myproxy-init -s -p 7512, as already explained above. You need to enter the password of your private key and the passphrase you want to use ;
  • at the moment of requesting a credential, use the -m flag, i.e., typing myproxy-logon -s -p 7512 -m <your VO>, for example myproxy-logon -s -p 7512 -m esr. You can easily verify the extensions by means of the voms-proxy-info --all command.

This feature has also been imported in GSISSH-Term: just specify your VO in the VO Name field when you try to connect to a resource using the MyProxy dialogue box (in the following picture, where the user is asking MyProxy to get a VO extension from the dech VO).

GSISSHTerm's MyProxy dialogue box with VOMS field

MyProxy as a Certification Authority

In case you encounter problems obtaining a grid certificate but you have an LRZ account, then the LRZ MyProxy can issue a credential for you. The Distinguished Name (DN) of the new certificate follows the rule:

/O=Grid/OU=GlobusTest/OU=IGE-Testbed-CA/OU=LRZ/CN=<Personal name> <Family name> <username>

For example, the user John Doe, whose account is jd00ab will receive a certificate with the DN:

/O=Grid/OU=GlobusTest/OU=IGE-Testbed-CA/OU=LRZ/CN=John Doe jd00ab

This credential allows a user to perform all operations on all of our supported grid services such as interactive login, file transfer (including Globus Online) and job submission. The temporary certificate can even be imported in a browser (this is an advanced topic, please contact and used for authentication. However, please be aware of the intrinsic limitations:

  • the lifetime is limited to 500 hours, after expiration, a new one should be generated;
  • the certificate is valid only on LRZ resources and in the EGCF Testbed. This means that if you want to reach these resources from your machine or any other client, the Globus commands should be issued from the machine external to LRZ or the EGCF Testbed. In other words, assuming that the goal is copying a file from a LRZ machine, the file should be pulled from the destination. If the file is pushed from LRZ, the procedure will not work, since the CA used by MyProxy is not recognized. For the same reason, in order to store a file into the LRZ machine, the correct procedure consists in pushing the file from the source to the destination, rather than pulling it from the destination. In case of problems, especially using globus-url-copy, please enter the following command on your client:
    myproxy-get-trustroots -v -s -p 7512 -b
    A copy of the CA certificates used for authentication (including the LRZ MyProxy CA) will be saved in your $HOME/.globus/certificates folder. This location has a higher priority over the system one, so it should be possible to avoid the remaining mutual client-server authentication issues. The last step is not necessary when using Globus Online;
  • in order to use your certificate at LRZ, your DN should be registered and known to us. Instructions on how to identify the DN are given later on in this section.

Obtaining a certificate from the LRZ MyProxy CA is very easy, and in principle not different from retrieving a proxy stored in advance. On the command line, type

myproxy-logon -s -p 7512 -l <your LRZ username>

and then enter the password associated with your (LRZ SIM) account. You can verify that the operation was successful by means of the grid-proxy-info command:

subject : /O=Grid/OU=GlobusTest/OU=IGE-Testbed-CA/OU=LRZ/CN=John Doe jd00ab 
issuer : /O=Grid/OU=IGE-Testbed-CA/CN=Globus Simple CA 
identity : /O=Grid/OU=GlobusTest/OU=IGE-Testbed-CA/OU=LRZ/CN=John Doe jd00ab 
type : end entity credential 
strength : 2048 bits 
path : /tmp/x509up_u501 
timeleft : 11:51:40

The identity field contains the DN to add to your account in the LRZ ID portal.

In order to extend the life span of your credential, use the -t option of myproxy-logon, specifying the number of hours, up to 500.

If you already uploaded a certificate using your username, then this will not work. You have to remove the old credential typing myproxy-destroy -s -p 7512 -l <your LRZ username>.

The same functionality is also available if you access the LRZ MyProxy service by means of GSISSH-Term: just specify your LRZ username and passphrase in the corresponding fields. If you need to fetch the certificate DN, click on Proxy in the menu bar on top, and then choose Proxy Info to visualize the subject.