Lab Exercise: MyProxy
This lab will introduce the MyProxy credential repository and the commands to use it.
From your laptop (where your ~/.globus/usercert.pem and ~/.globus/userkey.pem files are located), issue the following command:
$ myproxy-init -s myproxy.ncsa.uiuc.edu
Your identity: /C=US/O=National Center for Supercomputing Applications/CN=Mike Freemon
Enter GRID pass phrase for this identity:
Creating proxy ........................................................... Done
Proxy Verify OK
Your proxy is valid until: Wed Mar 2 08:41:27 2005
Enter MyProxy pass phrase:
Verifying password - Enter MyProxy pass phrase:
A proxy valid for 168 hours (7.0 days) for user mfreemon now exists on myproxy.ncsa.uiuc.edu.
$
The myproxy-init command prompts first for the pass phrase of your Grid credentials and then twice for a new pass phrase used to secure the credentials on the MyProxy server. By default, the credential is stored under your Unix username (mfreemon in the example above) for 7 days and can be used to retrieve credentials with 12-hour lifetimes.
One thing you will notice is that MyProxy commands require an "-s" argument that specifies the hostname of the MyProxy server. If this argument is omitted, the MyProxy command will look for an environment variable called MYPROXY_SERVER for the hostname, as in the following example:
$ export MYPROXY_SERVER=myproxy.ncsa.uiuc.edu
$ myproxy-init
Your identity: /C=US/O=National Center for Supercomputing Applications/CN=Mike Freemon
Enter GRID pass phrase for this identity:
Creating proxy ........................................ Done
Proxy Verify OK
Your proxy is valid until: Wed Mar 2 11:32:06 2005
Enter MyProxy pass phrase:
Verifying password - Enter MyProxy pass phrase:
A proxy valid for 168 hours (7.0 days) for user mfreemon now exists on myproxy.ncsa.uiuc.edu.
$
Obviously, the export statement above is a good candidate to place into ~/.bash_profile or /etc/profile if you're working with a single MyProxy server most of the time.
Let's now log into a remote machine and retrieve our credential from the MyProxy server.
First, ssh into the LLO cluster from your local machine:
$ ssh ldas-grid.ligo-la.caltech.edu
[...snip...]
$
$ grid-proxy-info
subject : /C=US/O=National Center for Supercomputing Applications/CN=Mike Freemon/CN=proxy/CN=proxy
issuer : /C=US/O=National Center for Supercomputing Applications/CN=Mike Freemon/CN=proxy
identity : /C=US/O=National Center for Supercomputing Applications/CN=Mike Freemon
type : full legacy globus proxy
strength : 512 bits
path : /tmp/x509up_p20050.filebxV6nr.1
timeleft : 7:25:18
$
The problem is, we already have a proxy from the process of SSHing into the server (because we're using the GSI-enabled version of SSH), so destroy it first:
$ grid-proxy-destroy
$ grid-proxy-info
ERROR: Couldn't find a valid proxy.
Use -debug for further information.
$
Now it's as if we had logged into the server using a normal password (i.e. without GSI authentication).
Keep in mind that we do not have our "real" certificate (usercert.pem and userkey.pem) on this machine.
$ myproxy-get-delegation -s myproxy.ncsa.uiuc.edu
Enter MyProxy pass phrase:
A proxy has been received for user mfreemon in /tmp/x509up_p20050.filebxV6nr.1
$ grid-proxy-info
subject : /C=US/O=National Center for Supercomputing Applications/CN=Mike Freemon/CN=proxy/CN=proxy/CN=proxy
issuer : /C=US/O=National Center for Supercomputing Applications/CN=Mike Freemon/CN=proxy/CN=proxy
identity : /C=US/O=National Center for Supercomputing Applications/CN=Mike Freemon
type : full legacy globus proxy
strength : 512 bits
path : /tmp/x509up_p20050.filebxV6nr.1
timeleft : 11:59:49
$
The myproxy-get-delegation command prompts for the pass phrase you set previously with myproxy-init, retrieves a proxy credential for you, and stores it in the correct default location for use with Globus.
After you have stored a credential on the MyProxy server with the myproxy-init command, you may delete it with the myproxy-destroy command. Its usage is straightforward.
$ myproxy-get-delegation -s myproxy.ncsa.uiuc.edu
Enter MyProxy pass phrase:
A proxy has been received for user mfreemon in /tmp/x509up_u500
$ myproxy-destroy -s myproxy.ncsa.uiuc.edu
Default MyProxy credential for user mfreemon was successfully removed.
$ myproxy-get-delegation -s myproxy.ncsa.uiuc.edu
Enter MyProxy pass phrase:
ERROR from server: Credentials do not exist
Unable to retrieve credential information
Failed to receive a proxy.
$
The myproxy-get-delegation commands above merely demonstrate that the credential existed in the repository before myproxy-destroy was issued, and was really gone afterwards.
Credential renewal allows you to extend the lifetime of credentials easily, without needing to re-enter your password. For greater security, each renewal is logged on the MyProxy server, and renewals can be disabled at any time on the MyProxy server if a security problem is suspected. It's important to note that you must have a valid credential to renew; you can't renew a credential once it has expired.
To store a renewable credential in the MyProxy repository, run the myproxy-init command with the -R or -A option on a computer where your Grid credentials are located.
-A --allow_anonymous_renewers Allow credentials to be renewed by any client (not recommended)
-R --renewable_by <dn> Allow specified entity to renew credential
Exit out of your SSH session to get back to your shell on your local machine. Then issue the following command to store a renewable credential in the MyProxy server:
$ myproxy-init -R 'condorg/ldas-grid.ligo-la.caltech.edu' -k renewable \
-s myproxy.ncsa.uiuc.edu
Your identity: /C=US/O=National Center for Supercomputing Applications/CN=Mike Freemon
Enter GRID pass phrase for this identity:
Creating proxy .................................................. Done
Proxy Verify OK
Your proxy is valid until: Wed Jan 19 07:42:11 2005
A proxy valid for 168 hours (7.0 days) for user mfreemon now exists on myproxy.ncsa.uiuc.edu.
$
This example authorizes the Condor-G service on ldas-grid.ligo-la.caltech.edu to renew credentials with the -R option, and uses the -k option to specify a name for the credential to distinguish this renewable credential from other credentials you may have in the repository.
Alternatively, pass the -A option to myproxy-init instead of -R. This option provides unrestricted renewal of your credentials, so it should be used with caution.
$ myproxy-init -A -k renewable -s myproxy.ncsa.uiuc.edu
Your identity: /C=US/O=National Center for Supercomputing Applications/CN=Mike Freemon
Enter GRID pass phrase for this identity:
Creating proxy ........................................ Done
Proxy Verify OK
Your proxy is valid until: Wed Jan 19 07:46:20 2005
A proxy valid for 168 hours (7.0 days) for user mfreemon now exists on myproxy.ncsa.uiuc.edu.
$
To renew a credential, run the myproxy-get-delegation command with the -a option specifying the filename of the credential you want to renew. First, get the path to your existing proxy certificate:
$ grid-proxy-info
subject : /C=US/O=National Center for Supercomputing Applications/CN=Mike Freemon/CN=proxy/CN=proxy
issuer : /C=US/O=National Center for Supercomputing Applications/CN=Mike Freemon/CN=proxy
identity : /C=US/O=National Center for Supercomputing Applications/CN=Mike Freemon
type : full legacy globus proxy
strength : 512 bits
path : /tmp/x509up_p1066.filekaFRr0.1
timeleft : 3:23:24
$
Then use that filename for the -a argument of the myproxy-get-delegation command, as follows:
$ myproxy-get-delegation -a /tmp/x509up_p1066.filekaFRr0.1 -k renewable \
-s myproxy.ncsa.uiuc.edu
A proxy has been received for user mfreemon in /tmp/x509up_p1066.filekaFRr0.1
$
If the renewable credential was stored with the myproxy-init -R option, the renewer must have a valid credential matching the -R policy to successfully renew a credential. If, instead, the credential was stored with myproxy-init -A, no additional credential is required. You have now renewed your MyProxy certificate.
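The renewal steps above, collected into a script that renews only while the proxy is still valid, as an added example that is not part of the lab. It assumes grid-proxy-info and myproxy-get-delegation are on PATH, that MYPROXY_SERVER is exported as shown earlier, and that the credential was stored under the name "renewable"; the one-hour default threshold is a constructed value.

```shell
#!/bin/sh
# Added example, not part of the lab: renew the "renewable" MyProxy
# credential before the local proxy expires. Assumes grid-proxy-info and
# myproxy-get-delegation are on PATH and MYPROXY_SERVER is exported as the
# lab shows; the one-hour default threshold is a constructed value.

# Convert a grid-proxy-info "timeleft" value such as 7:25:18 into seconds
# (awk reads a field like "05" as decimal, so leading zeros are safe).
timeleft_to_seconds() {
    printf '%s\n' "$1" | awk -F: '{ print $1 * 3600 + $2 * 60 + $3 }'
}

# True when the proxy is still valid (the lab notes an expired credential
# cannot be renewed) but has fewer than $2 seconds left.
needs_renewal() {
    secs=$(timeleft_to_seconds "$1")
    [ "$secs" -gt 0 ] && [ "$secs" -lt "$2" ]
}

# Renew with the existing proxy (-a) and the credential name (-k) from the
# lab, so no MyProxy pass phrase is typed; suitable for cron so a long job
# does not fail on an expired proxy. Example: renew_proxy 1800
renew_proxy() {
    threshold=${1:-3600}
    server=${MYPROXY_SERVER:?export MYPROXY_SERVER as in the lab}
    info=$(grid-proxy-info) || return 1
    # Pull the "path :" and "timeleft :" lines out of grid-proxy-info's output.
    path=$(printf '%s\n' "$info" | sed -n 's/^path *: *//p')
    left=$(printf '%s\n' "$info" | sed -n 's/^timeleft *: *//p')
    if needs_renewal "$left" "$threshold"; then
        echo "proxy $path has $left left; renewing from $server"
        myproxy-get-delegation -a "$path" -k renewable -s "$server"
    else
        echo "proxy $path has $left left; no renewal needed"
    fi
}
```

Because each renewal is logged on the MyProxy server, running this on a schedule also leaves an audit trail of when and from where the credential was renewed.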
Special Note for LSC DataGrid Users: Automatic credential renewal is typically used in the context of long-running jobs submitted via Condor-G (GRAM). Condor support for credential renewal was added in version 6.7. The current version of the LSC DataGrid Client, version 3.0, includes Condor version 6.6.6. As a result, credential renewal is not available in LSC DataGrid Client 3.0.
Condor-G can automatically renew credentials using the MyProxy software. This feature is designed to prevent long-running jobs from failing due to expired credentials. This is also valuable when jobs are waiting in the queues a long time before starting.
The following sequence of steps is typical when using this feature.
* Note that the -p option of the condor_submit command can be used instead of putting the password in the submit file.
A typical submit file might look similar to this:
executable = /usr/bin/cal
universe = grid
grid_type = "gt3"
globusscheduler = ldas-grid.ligo-la.caltech.edu/jobmanager-condor
MyProxyHost = myproxy.ncsa.uiuc.edu
MyProxyServerDN = /C=US/O=National Center for Supercomputing Applications/CN=Mike Freemon
MyProxyPassword = password
MyProxyCredentialName = my_name_for_this_executable_run
queue
Complete documentation for automatic credential renewal in Condor-G can be found at http://www.cs.wisc.edu/condor/manual/v6.7/5_4Condor_G.html