National Center for Supercomputing Applications MyProxy Credential Management Service University of Illinois at Urbana-Champaign

[Valid HTML 4.01]
[Valid CSS]
[Valid Atom 1.0]

(OSI Certified)

Creating Original User Credentials with MyProxy

See Step-by-Step: Grid Security from Scratch with MyProxy for MyProxy & SimpleCA installation instructions.

Summary: To create a new user security credential, an administrator runs myproxy-admin-adduser on a MyProxy server. The new credential resides on the server instead of originating on a user workstation, simplifying credential management.

Motivation: Credential management can be a headache for Grid users, as well as a security risk. To avoid it, MyProxy can create original Grid security credentials instead of storing proxies of users' credentials. That way, users never have to manage long-term credentials themselves, and the original credentials never leave the MyProxy server. The disadvantage of this setup is that Grid services must be configured to trust the MyProxy server's internal CA.

The account that myproxy-admin-adduser and Simple CA are run under must have exclusive access to the credential repository (generally /var/myproxy or $GLOBUS_HOME/var/myproxy), since it will need to store new credentials there, and since MyProxy enforces single-account restricted access (for example, chmod -R 700 with traditional Unix-style permissions).

Configuration: Creating original credentials requires that SimpleCA be installed on the MyProxy server, as detailed in the step-by-step guide. You will need to run myproxy-admin-adduser under the same account that SimpleCA is configured for, which is root if you followed the step-by-step guide.

Usage: When you run myproxy-admin-adduser, you will be prompted first to create an initial passphrase for the new credentials and then for the existing passphrase of the SimpleCA key. (The rest of the output is included below to limit confusion.) Later, the user may change their passphrase remotely using myproxy-change-pass-phrase.

1. Create Credentials

First, an administrator runs myproxy-admin-adduser on the MyProxy server:

root@myproxy-server# myproxy-admin-adduser -c "John Doe" -l jdoe
A certificate request and private key is being created.
You will be asked to enter a PEM pass phrase.
This pass phrase is akin to your account password, 
and is used to protect your key file.
If you forget your pass phrase, you will need to
obtain a new certificate.

Generating a 1024 bit RSA private key
writing new private key to '/tmp/myproxy_adduser_key.pem'
Enter PEM pass phrase: <initial passphrase>
Verifying - Enter PEM pass phrase: <initial passphrase>

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Level 0 Organization [Grid]:Level 0 Organizational Unit [GlobusTest]:\
    Level 1 Organizational Unit [simpleCA]:Level 2 Organizational Unit \
    [localdomain.localhost]:Name (e.g., John M. Smith) []:

---- [Screen is cleared] ----

A private key and a certificate request has been generated with the subject:

/O=Grid/OU=GlobusTest/OU=simpleCA/OU=localdomain.localhost/CN=John Doe

If the CN=John Doe is not appropriate, rerun this
script with the -force -cn "Common Name" options.

Your private key is stored in /tmp/myproxy_adduser_key.pem
Your request is stored in /tmp/myproxy_adduser_cert_request.pem

Please e-mail the request to the Globus Simple CA
You may use a command similar to the following:

  cat /tmp/myproxy_adduser_cert_request.pem | mail

Only use the above if this machine can send AND receive e-mail. if not, please
mail using some other method.

Your certificate will be mailed to you within two working days.
If you receive no response, contact Globus Simple CA at

To sign the request
please enter the password for the CA key: <CA passphrase>

The new signed certificate is at: /home/globus/.globus/simpleCA//newcerts/01.pem

using storage directory /var/myproxy
Credential stored successfully

The newly created credentials can now be used in the same way as if they had been imported into MyProxy via myproxy-init, as described in Managing Credentials. The difference is that the credentials created by myproxy-admin-adduser are entirely contained within the MyProxy server, so there is no need for users to manage original credentials.

2. Change Passphrase

To ensure that only the end user knows the passphrase for their security credentials, the administrator should communicate the initial passphrase to the user via an out-of-band communication channel.

Then, the user can change their passphrase by running myproxy-change-pass-phrase on a remote Grid client system.

jdoe$ export MYPROXY_SERVER="<MyProxy Server>"
jdoe$ myproxy-logon
Enter MyProxy pass phrase: <initial passphrase>
A proxy has been received for user jdoe in /tmp/x509up_u500
jdoe$ myproxy-change-pass-phrase
Enter (current) MyProxy pass phrase:<initial passphrase>
Enter new MyProxy pass phrase:<new passphrase>
Verifying - Enter new MyProxy pass phrase:<new passphrase>
Pass phrase changed.

By default, MyProxy client commands such as myproxy-logon and myproxy-change-pass-phrase assume that the local username is the same as the MyProxy username. If it is different, you can specify a MyProxy username with -l <username>.

Last modified 07/03/07.
©2000-2017 Board of Trustees of the University of Illinois.