Lab Exercise: MyProxy

Purpose:

Rather than storing your grid credentials on each grid machine you use, you can store them in a MyProxy repository and retrieve a proxy credential from the MyProxy repository when needed.

This lab will introduce the MyProxy credential repository and the commands to use it.

  1. Storing a Credential
  2. Retrieving a Credential
  3. Destroying a Credential
  4. Credential Renewal
  5. Condor-G Automatic Credential Renewal

The MyProxy Credential Repository software was developed at the National Center for Supercomputing Applications.  During this lab, we will be using the public MyProxy server located at NCSA in Champaign, IL.  Complete documentation and support for MyProxy can be found at http://myproxy.ncsa.uiuc.edu.

 

Storing a Credential

  1. To store a credential in the MyProxy repository, run the myproxy-init command on a computer where your grid credentials are located. 

From your laptop (where your ~/.globus/usercert.pem and ~/.globus/userkey.pem files are located), issue the following command:

$ myproxy-init -s myproxy.ncsa.uiuc.edu

Your identity: /C=US/O=National Center for Supercomputing Applications/CN=Mike Freemon
Enter GRID pass phrase for this identity:
Creating proxy ........................................................... Done
Proxy Verify OK
Your proxy is valid until: Wed Mar 2 08:41:27 2005
Enter MyProxy pass phrase:
Verifying password - Enter MyProxy pass phrase:
A proxy valid for 168 hours (7.0 days) for user mfreemon now exists on myproxy.ncsa.uiuc.edu.
$

The myproxy-init command prompts first for the pass phrase of your Grid credentials and then prompts twice for a new pass phrase to use to secure the credentials on the MyProxy server. By default, the credential is stored under your Unix username (mfreemon in the example above) for 7 days, and each retrieval from it yields a proxy with a 12 hour lifetime (the -c and -t options of myproxy-init override the stored-credential and retrieved-proxy lifetimes, respectively). Choose the MyProxy pass phrase with care: it is what myproxy-get-delegation presents to the server, so anyone who learns it can obtain proxies in your name for as long as the stored credential lives. Use myproxy-destroy (see below) when you no longer need the stored credential.

One thing you will notice is that MyProxy commands take an "-s" argument that specifies the hostname of the MyProxy server. If this argument is omitted, the MyProxy command instead looks for an environment variable called MYPROXY_SERVER for the hostname, as in the following example:

$ export MYPROXY_SERVER=myproxy.ncsa.uiuc.edu

$ myproxy-init

Your identity: /C=US/O=National Center for Supercomputing Applications/CN=Mike Freemon
Enter GRID pass phrase for this identity:
Creating proxy ........................................ Done
Proxy Verify OK
Your proxy is valid until: Wed Mar 2 11:32:06 2005
Enter MyProxy pass phrase:
Verifying password - Enter MyProxy pass phrase:
A proxy valid for 168 hours (7.0 days) for user mfreemon now exists on myproxy.ncsa.uiuc.edu.
$

Obviously, the export statement above is a good candidate to place into ~/.bash_profile or /etc/profile if you're working with a single MyProxy server most of the time.

 

Retrieving a Credential

  1. At this point, our original credential (usercert.pem and userkey.pem) resides on our local machine, and we have added a proxy credential (derived from our original credential) to the MyProxy server.

Let's now log into a remote machine and retrieve our credential from the MyProxy server.

First, ssh into the LLO cluster from your local machine:

$ ssh ldas-grid.ligo-la.caltech.edu
[...snip...]
$
  2. Before retrieving anything, run grid-proxy-info on the remote machine:
$ grid-proxy-info

subject : /C=US/O=National Center for Supercomputing Applications/CN=Mike Freemon/CN=proxy/CN=proxy
issuer : /C=US/O=National Center for Supercomputing Applications/CN=Mike Freemon/CN=proxy
identity : /C=US/O=National Center for Supercomputing Applications/CN=Mike Freemon
type : full legacy globus proxy
strength : 512 bits
path : /tmp/x509up_p20050.filebxV6nr.1
timeleft : 7:25:18
$

The problem is that we already have a proxy on this machine: it was delegated to the server when we logged in, because we are using the GSI-enabled version of SSH. The subject above carries two /CN=proxy components: one for the proxy on your laptop, and one for the proxy delegated from it to this host.

  3. Let's delete the existing proxy:
$ grid-proxy-destroy

$ grid-proxy-info

ERROR: Couldn't find a valid proxy.
Use -debug for further information.

$

Now it's as if we logged into the server using a normal password (i.e. without using GSI authentication).

Keep in mind that we do not have our "real" certificate (usercert.pem and userkey.pem) on this machine.

  4. Let's retrieve our proxy from the MyProxy server and display its information:

$ myproxy-get-delegation -s myproxy.ncsa.uiuc.edu

Enter MyProxy pass phrase:
A proxy has been received for user mfreemon in /tmp/x509up_p20050.filebxV6nr.1

$ grid-proxy-info

subject : /C=US/O=National Center for Supercomputing Applications/CN=Mike Freemon/CN=proxy/CN=proxy/CN=proxy
issuer : /C=US/O=National Center for Supercomputing Applications/CN=Mike Freemon/CN=proxy/CN=proxy
identity : /C=US/O=National Center for Supercomputing Applications/CN=Mike Freemon
type : full legacy globus proxy
strength : 512 bits
path : /tmp/x509up_p20050.filebxV6nr.1
timeleft : 11:59:49
$

The myproxy-get-delegation command prompts for the pass phrase you set previously with myproxy-init, retrieves a proxy credential for you, and stores it in the correct default location for use with Globus. Note that the subject now has three /CN=proxy components: the proxy myproxy-init created on your laptop, the proxy it delegated to the MyProxy server, and the proxy the server has just delegated to this host. The timeleft is just under the 12 hours that the stored credential permits.

 

Destroying a Credential

  1. The myproxy-destroy command is used to remove your credential from the MyProxy server.

Its usage is straightforward. After you have stored a credential on the MyProxy server with the myproxy-init command, you may delete it with the myproxy-destroy command.

$ myproxy-get-delegation -s myproxy.ncsa.uiuc.edu

Enter MyProxy pass phrase:
A proxy has been received for user mfreemon in /tmp/x509up_u500

$ myproxy-destroy -s myproxy.ncsa.uiuc.edu

Default MyProxy credential for user mfreemon was successfully removed.

$ myproxy-get-delegation -s myproxy.ncsa.uiuc.edu

Enter MyProxy pass phrase:
ERROR from server: Credentials do not exist
Unable to retrieve credential information

Failed to receive a proxy.
$

The myproxy-get-delegation commands above merely demonstrate that the credential existed in the repository before the myproxy-destroy was issued, and was really gone after it. Destroying the stored credential does not revoke proxies that were already retrieved from it; those remain valid until they expire.

 

Credential Renewal

  1. MyProxy supports credential renewal, so, for example, long-running tasks don't fail because of an expired credential. An authorized Grid service (such as Condor-G) can renew credentials on your behalf, or you can renew credentials manually as needed.
It's important to note that you must have a valid credential to renew.  You can't renew a credential once it has expired.

Credential renewal allows you to extend the lifetime of credentials easily, without needing to re-enter your password.  For greater security, each renewal is logged on the MyProxy server, and renewals can be disabled at any time on the MyProxy server if a security problem is suspected.

To store a renewable credential in the MyProxy repository, run the myproxy-init command with the -R or -A option on a computer where your Grid credentials are located.

 -A  --allow_anonymous_renewers  Allow credentials to be renewed by any client (not recommended)
 -R  --renewable_by <dn>         Allow specified entity to renew credential

Exit out of your SSH session to get back to your shell on your local machine.  Then issue the following command to store a renewable credential in the MyProxy server:

$ myproxy-init -R 'condorg/ldas-grid.ligo-la.caltech.edu' -k renewable \
               -s myproxy.ncsa.uiuc.edu


Your identity: /C=US/O=National Center for Supercomputing Applications/CN=Mike Freemon
Enter GRID pass phrase for this identity:
Creating proxy .................................................. Done
Proxy Verify OK
Your proxy is valid until: Wed Jan 19 07:42:11 2005
A proxy valid for 168 hours (7.0 days) for user mfreemon now exists on myproxy.ncsa.uiuc.edu.
$

This example uses the -R option to authorize the Condor-G service on ldas-grid.ligo-la.caltech.edu to renew the credential, and uses the -k option to give the credential a name ("renewable") that distinguishes it from other credentials you may have in the repository. You will need to supply the same name with -k when retrieving or renewing it.

  2. To be able to renew credentials yourself, without a separate renewer credential matching an -R policy, use the -A option to myproxy-init instead of -R. This allows any client holding the still-valid proxy to renew it, so it should be used with caution.
$ myproxy-init -A -k renewable -s myproxy.ncsa.uiuc.edu

Your identity: /C=US/O=National Center for Supercomputing Applications/CN=Mike Freemon
Enter GRID pass phrase for this identity:
Creating proxy ........................................ Done
Proxy Verify OK
Your proxy is valid until: Wed Jan 19 07:46:20 2005
A proxy valid for 168 hours (7.0 days) for user mfreemon now exists on myproxy.ncsa.uiuc.edu.
$
  3. To renew credentials, run the myproxy-get-delegation command with the -a option specifying the filename of the existing (still valid) proxy you want to renew.

First, get the path to your existing proxy certificate:

$ grid-proxy-info
subject : /C=US/O=National Center for Supercomputing Applications/CN=Mike Freemon/CN=proxy/CN=proxy
issuer : /C=US/O=National Center for Supercomputing Applications/CN=Mike Freemon/CN=proxy
identity : /C=US/O=National Center for Supercomputing Applications/CN=Mike Freemon
type : full legacy globus proxy
strength : 512 bits
path : /tmp/x509up_p1066.filekaFRr0.1
timeleft : 3:23:24
$

Then use that filename for the -a argument of the myproxy-get-delegation command, as follows:

$ myproxy-get-delegation -a /tmp/x509up_p1066.filekaFRr0.1 -k renewable \
                         -s myproxy.ncsa.uiuc.edu

A proxy has been received for user mfreemon in /tmp/x509up_p1066.filekaFRr0.1
$

If the renewable credential was stored with the myproxy-init -R option, the renewer must have a valid credential matching the -R policy to successfully renew a credential. If, instead, the credential was stored with myproxy-init -A, no additional credential is required.

You have now renewed your proxy credential: running grid-proxy-info again should show a fresh timeleft, with the proxy in the same path as before.
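The renewal step above, and the grid-proxy-info output examined in the Retrieving section, are the two places where the proxy's metadata matters. The following script is an added example for this lab (it is not part of the lab or of the MyProxy tools): it reads the fields grid-proxy-info prints, counts the delegation hops in the proxy subject, decides whether the proxy is close enough to expiry that it should be renewed, and builds the exact myproxy-get-delegation -a command for it. The 4 hour threshold, the credential name and the server default are assumptions; the credential name must match the -k used with myproxy-init.

```shell
#!/bin/sh
# Added example for this lab (not part of the lab or of the MyProxy tools):
# read the fields that grid-proxy-info prints, count the delegation hops in the
# proxy subject, and decide whether the proxy should be renewed from MyProxy
# with myproxy-get-delegation -a before it expires.
# The threshold, credential name and server are assumptions.

MYPROXY_SERVER="${MYPROXY_SERVER:-myproxy.ncsa.uiuc.edu}"
CRED_NAME="${CRED_NAME:-renewable}"   # must match the -k given to myproxy-init
MIN_SECONDS="${MIN_SECONDS:-14400}"   # renew once fewer than 4 hours remain (assumed policy)

# Constructed sample in the exact shape of the lab's grid-proxy-info output.
SAMPLE_INFO='subject : /C=US/O=National Center for Supercomputing Applications/CN=Mike Freemon/CN=proxy/CN=proxy
issuer : /C=US/O=National Center for Supercomputing Applications/CN=Mike Freemon/CN=proxy
identity : /C=US/O=National Center for Supercomputing Applications/CN=Mike Freemon
type : full legacy globus proxy
strength : 512 bits
path : /tmp/x509up_p1066.filekaFRr0.1
timeleft : 3:23:24'

# Print the value of one "name : value" line from grid-proxy-info output on stdin.
info_field() {        # $1 = field name (subject, path, timeleft, ...)
    sed -n "s/^$1 : //p"
}

# Convert grid-proxy-info's "h:mm:ss" timeleft into seconds.
timeleft_seconds() {  # $1 = h:mm:ss
    printf '%s\n' "$1" | awk -F: '{ print $1 * 3600 + $2 * 60 + $3 }'
}

# Count delegation hops: every /CN=proxy component in the subject is one hop.
proxy_depth() {       # $1 = proxy subject DN
    printf '%s\n' "$1" | awk -v pat='/CN=proxy' '{ print gsub(pat, "") }'
}

# Classify the proxy as ok, renew, or expired. An expired proxy cannot be
# renewed: MyProxy renewal requires a still-valid credential.
renewal_state() {     # $1 = grid-proxy-info output, $2 = threshold in seconds
    left=$(timeleft_seconds "$(printf '%s\n' "$1" | info_field timeleft)")
    if [ "$left" -le 0 ]; then
        echo expired
    elif [ "$left" -lt "$2" ]; then
        echo renew
    else
        echo ok
    fi
}

# Build the renewal command: -a names the proxy file that is renewed in place.
renew_command() {     # $1 = grid-proxy-info output
    path=$(printf '%s\n' "$1" | info_field path)
    echo "myproxy-get-delegation -a $path -k $CRED_NAME -s $MYPROXY_SERVER"
}

main() {
    if command -v grid-proxy-info >/dev/null 2>&1; then
        info=$(grid-proxy-info 2>/dev/null) || {
            echo "no valid proxy here: retrieve one with myproxy-get-delegation first" >&2
            return 1
        }
    else
        info=$SAMPLE_INFO   # no Globus tools installed: use the constructed sample
    fi
    subject=$(printf '%s\n' "$info" | info_field subject)
    echo "delegation hops in subject: $(proxy_depth "$subject")"
    case $(renewal_state "$info" "$MIN_SECONDS") in
        ok)      echo "proxy ok, no renewal needed" ;;
        renew)   cmd=$(renew_command "$info")
                 echo "renewing with: $cmd"
                 if command -v myproxy-get-delegation >/dev/null 2>&1; then $cmd; fi ;;
        expired) echo "proxy already expired: renewal is impossible, retrieve a new one" >&2
                 return 1 ;;
    esac
}

main
```

Run it on a grid machine after a GSI-SSH login or a myproxy-get-delegation; without the Globus tools it evaluates the constructed sample, which (at 3:23:24 left against a 4 hour threshold) prints the renewal command rather than running it. Because an expired proxy is reported as "expired" rather than "renew", a cron job built on this check cannot attempt a renewal the server would refuse.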

 

Condor-G Automatic Credential Renewal

Special Note for LSC DataGrid Users:  Automatic credential renewal is typically used in the context of long-running jobs submitted via Condor-G (GRAM).  Condor support for credential renewal was added in version 6.7.  The current version of the LSC DataGrid Client, version 3.0, includes Condor version 6.6.6.  As a result, credential renewal is not available in LSC DataGrid Client 3.0.

Condor-G can automatically renew credentials using the MyProxy software.  This feature is designed to prevent long-running jobs from failing due to expired credentials.  This is also valuable when jobs are waiting in the queues a long time before starting.

Using this feature consists of storing a renewable credential with myproxy-init -R and -k, as in the previous section, and then referencing that credential from the job's submit file so that Condor-G can retrieve a fresh proxy from MyProxy before the current one expires.

*  Note that the -p option of the condor_submit command can be used instead of putting the password in the submit file. If you do put MyProxyPassword in the submit file, it is stored there in cleartext, so keep the file readable by you alone.

A typical submit file might look similar to this:

 executable      = /usr/bin/cal
 universe        = grid
 grid_type       = "gt3"
 globusscheduler = ldas-grid.ligo-la.caltech.edu/jobmanager-condor
 MyProxyHost     = myproxy.ncsa.uiuc.edu
 # MyProxyServerDN = <DN of the MyProxy server's host certificate>   (only needed when it is not host/<hostname>)
 MyProxyPassword = password
 MyProxyCredentialName = my_name_for_this_executable_run
 queue

MyProxyCredentialName must be the name you gave the credential with myproxy-init -k, and MyProxyHost the server it was stored on. MyProxyServerDN, when set, must be the DN of the MyProxy server's host certificate, not your own user DN; per the Condor manual it is only needed when the server's DN does not follow the usual host/<hostname> form, so it can normally be omitted.

Complete documentation for automatic credential renewal in Condor-G can be found at http://www.cs.wisc.edu/condor/manual/v6.7/5_4Condor_G.html
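As an added example (not from the lab, from MyProxy or from Condor), the following script generates the submit file above and checks it before condor_submit. The credential name is held in one variable so it cannot drift from the -k name given to myproxy-init, the file is created owner-readable only because MyProxyPassword is cleartext, and MyProxyServerDN is left out because the server's host DN is not something the lab provides. The executable and gatekeeper are the lab's; the submit file name and the pass-phrase prompt are assumptions.

```shell
#!/bin/sh
# Added example for this lab (not from the lab, MyProxy or Condor): write the
# Condor-G submit file for a job whose proxy Condor-G should renew from MyProxy,
# with mode 0600 and a credential name tied to the one given to myproxy-init -k,
# then check the file before submitting it.

MYPROXY_SERVER="${MYPROXY_SERVER:-myproxy.ncsa.uiuc.edu}"
GATEKEEPER="ldas-grid.ligo-la.caltech.edu/jobmanager-condor"
CRED_NAME="renewable"   # same name as: myproxy-init -R '<renewer DN>' -k renewable

# Write the submit file with mode 0600. MyProxyServerDN is deliberately absent:
# it takes the MyProxy server's host-certificate DN and is only needed when that
# DN does not follow the usual host/<hostname> form.
write_submit_file() {   # $1 = path, $2 = MyProxy pass phrase
    rm -f "$1"          # an existing file would keep its old (possibly wider) mode
    ( umask 077
      cat > "$1" <<EOF
executable      = /usr/bin/cal
universe        = grid
grid_type       = "gt3"
globusscheduler = $GATEKEEPER
MyProxyHost     = $MYPROXY_SERVER
MyProxyPassword = $2
MyProxyCredentialName = $CRED_NAME
queue
EOF
    )
}

# Print "ok", or one line per problem found.
check_submit_file() {   # $1 = path
    problems=""
    mode=$(ls -ld "$1" | cut -c1-10)
    if grep -q '^MyProxyPassword' "$1" && [ "$mode" != "-rw-------" ]; then
        problems="${problems}cleartext MyProxyPassword in a file with mode $mode (want -rw-------)
"
    fi
    name=$(sed -n 's/^MyProxyCredentialName[ ]*=[ ]*//p' "$1")
    if [ "$name" != "$CRED_NAME" ]; then
        problems="${problems}MyProxyCredentialName '$name' is not the stored credential '$CRED_NAME'
"
    fi
    if ! grep -q '^MyProxyHost' "$1"; then
        problems="${problems}MyProxyHost missing: Condor-G would not know where to renew from
"
    fi
    if [ -z "$problems" ]; then echo ok; else printf '%s' "$problems"; fi
}

main() {                # usage: sh make_submit.sh cal.sub
    printf 'MyProxy pass phrase for credential %s: ' "$CRED_NAME"
    stty -echo 2>/dev/null; read -r pw; stty echo 2>/dev/null; echo
    write_submit_file "$1" "$pw"
    result=$(check_submit_file "$1")
    if [ "$result" = ok ]; then
        echo "$1 written; submit with: condor_submit $1"
    else
        echo "$result" >&2
        return 1
    fi
}

if [ $# -gt 0 ]; then main "$1"; fi
```

The check is deliberately run on the file as it sits on disk rather than on the values in memory: a submit file copied or edited by hand later picks up the caller's umask, and the mode test catches exactly that case.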