National Center for Supercomputing Applications MyProxy Credential Management Service University of Illinois at Urbana-Champaign

[Valid HTML 4.01]
[Valid CSS]
[Valid Atom 1.0]

(OSI Certified)

What follows are instructions for using MyProxy and GSISSH for single sign-on to TeraGrid systems from a Unix/Linux/OSX system. Windows users should try GSI-SSHTerm instead. The TeraGrid MyProxy server is configured to allow all TeraGrid users to obtain certificates using their TeraGrid Portal username and password. NCSA users can alternatively use the NCSA MyProxy server with their NCSA Kerberos username and password. This is an example of how the MyProxy CA can be integrated with an existing authentication service (in this case, the TERAGRID.ORG/NCSA.EDU Kerberos domains) for certificate issuance.

Contents

Install MyProxy and GSISSH

First, check to see if you already have myproxy-logon and gsissh installed.

$ which myproxy-logon gsissh

If the above command returns output, like this:

$ which myproxy-logon gsissh
/usr/local/globus/bin/myproxy-logon
/usr/local/globus/bin/gsissh

then you can proceed to the next step. Otherwise, you need to install the needed commands as follows.

First, download and unpack a Globus Toolkit installer for your system from http://www.globus.org/toolkit/downloads/. Use a binary installer if one is available for your system. Otherwise, a source installer is required.

$ tar xzf gt5*-installer.tar.gz

Then, install MyProxy and GSISSH.

$ cd gt5*-installer
$ ./configure --prefix=$HOME/globus
$ make gsi-myproxy gsi-openssh
$ make install
If you're not sure if you have a C or Bourne shell, just try both options and see which one works without errors.

Finally, set your environment. For C shells, do the following:

$ setenv GLOBUS_LOCATION $HOME/globus
$ source $GLOBUS_LOCATION/etc/globus-user-env.csh

For Bourne shells, do the following:

$ GLOBUS_LOCATION=$HOME/globus
$ export GLOBUS_LOCATION
$ . $GLOBUS_LOCATION/etc/globus-user-env.sh

Add these environment setting commands to your .cshrc, .login, .bashrc, or .profile file in your home directory so you don't need to run them again later.

Obtain your certificate from MyProxy

If you have previously run myproxy-init to store a credential on the myproxy.teragrid.org server then myproxy-logon will use your stored credential, and you will need to enter your previously-chosen myproxy-init passphrase at the myproxy-logon prompt instead of your TeraGrid Portal password.

Now you should be ready to obtain your certificate from the TeraGrid MyProxy server by running the command below. This command will also update your environment with additional CA certificates and certificate revocation lists for TeraGrid. (Remove the -T option if you don't want the CA files updated.) Enter your TeraGrid Portal username in place of username, and enter your TeraGrid Portal password when prompted for your MyProxy pass phrase.

$ myproxy-logon -T -l username -s myproxy.teragrid.org
Enter MyProxy pass phrase:
A credential has been received for user username in /tmp/x509up_u25555.
Trust roots have been installed in /home/username/.globus/certificates/.

Alternatively, to use your NCSA Kerberos password, use myproxy.ncsa.uiuc.edu instead.

$ myproxy-logon -T -l username -s myproxy.ncsa.uiuc.edu
Enter MyProxy pass phrase:
A credential has been received for user username in /tmp/x509up_u25555.
Trust roots have been installed in /home/username/.globus/certificates/.

By default, your certificate from MyProxy is valid for 12 hours, so you can run myproxy-logon once each day. If you need a longer-lived certificate (for example, if you are submitting a long-running job), you can request a certificate valid for up to 11 days (264 hours) by adding the -t option, as in the following example.

$ myproxy-logon -T -l username -s myproxy.teragrid.org -t 264
Enter MyProxy pass phrase:
A credential has been received for user username in /tmp/x509up_u25555.
Trust roots have been installed in /home/username/.globus/certificates/.

Login via GSISSH

Now you can login to any TeraGrid systems where you have an account using the gsissh command.

$ gsissh login-hg.ncsa.teragrid.org

You can also copy files to/from TeraGrid systems using gsiscp and gsisftp.

$ gsiscp ~/filename login-hg.ncsa.teragrid.org:~/filename
$ gsiscp login-hg.ncsa.teragrid.org:~/filename ~/filename
$ gsisftp login-hg.ncsa.teragrid.org

Troubleshooting

TeraGrid users can find additional information at http://www.teragrid.org/userinfo/. You can also consult the MyProxy Troubleshooting and GSISSH Troubleshooting pages.

The myproxy-logon -T command will keep your certificate revocation list files up-to-date for increased security. If you switch to some other method of managing your certificates, these files may become out-of-date, causing authentication problems. If this occurs, you can remove them with the following command.

$ rm -f ~/.globus/certificates/*.r*

If the myproxy-logon command fails with a "GSS" error, there may be a problem with your existing credentials. Try again after removing your existing proxy credential with the following command.

$ grid-proxy-destroy

Last modified 10/21/10.
©2000-2019 Board of Trustees of the University of Illinois.