Creating Original User Credentials with MyProxy
See Step-by-Step: Grid Security from Scratch with MyProxy for MyProxy & SimpleCA installation instructions.
Summary: To create a new user security credential, an administrator runs myproxy-admin-adduser on a MyProxy server. The new credential resides on the server instead of originating on a user workstation, simplifying credential management.
Motivation: Credential management can be a headache for Grid users, as well as a security risk. To avoid it, MyProxy can create original Grid security credentials instead of storing proxies of users' credentials. That way, users never have to manage long-term credentials themselves, and the original credentials never leave the MyProxy server. The disadvantage of this setup is that Grid services must be configured to trust the MyProxy server's internal CA.
Note: The account that myproxy-admin-adduser and CA are run under must have exclusive access to the credential
Configuration: Creating original credentials requires that SimpleCA be installed on the MyProxy server, as detailed in the step-by-step guide. You will need to run myproxy-admin-adduser under the same account that SimpleCA is configured for, which is root if you followed the step-by-step guide.
Usage: When you run myproxy-admin-adduser, you will be prompted first to create an initial passphrase for the new credentials and then for the existing passphrase of the SimpleCA key. (The rest of the output is included below to limit confusion.) Later, the user may change their passphrase remotely using myproxy-change-pass-phrase.
1. Create Credentials
First, an administrator runs myproxy-admin-adduser on the MyProxy server:
    root@myproxy-server# myproxy-admin-adduser -c "John Doe" -l jdoe
    A certificate request and private key is being created.
    You will be asked to enter a PEM pass phrase.
    This pass phrase is akin to your account password,
    and is used to protect your key file.
    If you forget your pass phrase, you will need to
    obtain a new certificate.
    Generating a 1024 bit RSA private key
    .........++++++
    .++++++
    writing new private key to '/tmp/myproxy_adduser_key.pem'
    Enter PEM pass phrase: <initial passphrase>
    Verifying - Enter PEM pass phrase: <initial passphrase>
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Level 0 Organization [Grid]:Level 0 Organizational Unit [GlobusTest]:\
    Level 1 Organizational Unit [simpleCA]:Level 2 Organizational Unit \
    [localdomain.localhost]:Name (e.g., John M. Smith) :
    ---- [Screen is cleared] ----
    A private key and a certificate request has been generated
    with the subject:
    /O=Grid/OU=GlobusTest/OU=simpleCA/OU=localdomain.localhost/CN=John Doe
    If the CN=John Doe is not appropriate, rerun this
    script with the -force -cn "Common Name" options.
    Your private key is stored in /tmp/myproxy_adduser_key.pem
    Your request is stored in /tmp/myproxy_adduser_cert_request.pem
    Please e-mail the request to the Globus Simple CA firstname.lastname@example.org
    You may use a command similar to the following:
    cat /tmp/myproxy_adduser_cert_request.pem | mail email@example.com
    Only use the above if this machine can send AND receive e-mail. if not, please
    mail using some other method.
    Your certificate will be mailed to you within two working days.
    If you receive no response, contact Globus Simple CA at firstname.lastname@example.org
    To sign the request
    please enter the password for the CA key: <CA passphrase>
    The new signed certificate is at: /home/globus/.globus/simpleCA//newcerts/01.pem
    using storage directory /var/myproxy
    Credential stored successfully
The newly created credentials can now be used in the same way as if they had been imported into MyProxy via myproxy-init, as described in Managing Credentials. The difference is that the credentials created by myproxy-admin-adduser are entirely contained within the MyProxy server, so there is no need for users to manage original credentials.
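Because the original credentials now live only on the MyProxy server, the storage directory the transcript reports (/var/myproxy) must be readable by nobody but the account the server and myproxy-admin-adduser run under. The following check is an added example, not part of the MyProxy documentation: it assumes GNU find, takes the repository path and owning account as arguments, and the file names it creates for its demonstration are constructed placeholders rather than MyProxy's actual on-disk layout.

```shell
#!/bin/sh
# Added example, not part of the MyProxy documentation: check that a MyProxy
# credential repository (the "storage directory /var/myproxy" reported by
# myproxy-admin-adduser) is accessible only by the account under which
# myproxy-admin-adduser and the MyProxy server run.
# Assumes GNU find for the -perm /mode ("any of these bits") test.

# check_repo_perms REPO OWNER
# Returns 0 when REPO and everything in it belongs to OWNER with no
# group/other permission bits set; otherwise lists offenders on stderr
# and returns 1 (2 if REPO or OWNER does not exist).
check_repo_perms() {
    repo="$1"
    owner="$2"
    [ -d "$repo" ] || { echo "no such repository: $repo" >&2; return 2; }
    id "$owner" >/dev/null 2>&1 || { echo "no such account: $owner" >&2; return 2; }
    # A path readable by group/other, or owned by someone else, is a finding.
    bad=$(find "$repo" \( -perm /077 -o ! -user "$owner" \) -print)
    if [ -n "$bad" ]; then
        printf 'repository %s is not exclusive to %s:\n%s\n' \
            "$repo" "$owner" "$bad" >&2
        return 1
    fi
    return 0
}

# make_demo_repo FILEMODE
# Builds a constructed repository of empty placeholder files (no real
# credentials). 0600 mimics a correct setup, 0644 a world-readable one.
# Prints the repository path.
make_demo_repo() {
    dir=$(mktemp -d) || return 1
    chmod 0700 "$dir"
    : > "$dir/jdoe.creds"   # placeholder names, not MyProxy's real layout
    : > "$dir/jdoe.data"
    chmod "$1" "$dir/jdoe.creds" "$dir/jdoe.data"
    printf '%s\n' "$dir"
}

# Stand-alone demonstration against two constructed repositories.
me=$(id -un)
good=$(make_demo_repo 0600)
check_repo_perms "$good" "$me" && echo "OK: $good is exclusive to $me"
leaky=$(make_demo_repo 0644)
check_repo_perms "$leaky" "$me" || echo "FINDING: fix with chmod -R go-rwx $leaky"
rm -rf "$good" "$leaky"
```

On a real server, run it as the credential-owning account against the repository path MyProxy reports, e.g. check_repo_perms /var/myproxy root.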
2. Change Passphrase
To ensure that only the end user knows the passphrase for their security credentials, the administrator should communicate the initial passphrase to the user via an out-of-band communication channel.
Then, the user can change their passphrase by running myproxy-change-pass-phrase on a remote Grid client system.
    jdoe$ export MYPROXY_SERVER="<MyProxy Server>"
    jdoe$ myproxy-logon
    Enter MyProxy pass phrase: <initial passphrase>
    A proxy has been received for user jdoe in /tmp/x509up_u500
    jdoe$ myproxy-change-pass-phrase
    Enter (current) MyProxy pass phrase:<initial passphrase>
    Enter new MyProxy pass phrase:<new passphrase>
    Verifying - Enter new MyProxy pass phrase:<new passphrase>
    Pass phrase changed.
By default, MyProxy client commands such as myproxy-logon assume that the local username is the same as the MyProxy username. If it is different, you can specify a MyProxy username with