National Center for Supercomputing Applications MyProxy Credential Management Service University of Illinois at Urbana-Champaign


It is possible to run a myproxy-server using a non-host certificate: either a normal user certificate or any other certificate you desire. In that case, the myproxy-server can run in a non-root account. In order to do this, the private key of the certificate will either need to be unencrypted (this is recommended), or you will need to generate a proxy from the encrypted key for the server to use (by running grid-proxy-init). Your private key is encrypted if your key.pem file includes the string "ENCRYPTED". You can use the following command to decrypt an encrypted key:

openssl rsa -in <encryptedkey.pem> -out <unencryptedkey.pem>

One option is to run the myproxy-server with a myproxy service certificate, with "/CN=myproxy/<fully-qualified hostname>". The MyProxy C clients will work by default with a myproxy-server running with a myproxy service certificate. However, other MyProxy clients (such as the Java CoG clients) at this time assume the myproxy-server will use a host certificate and will need to be configured to accept a non-host certificate.

If you are using the key and certificate directly, and they are not in the default locations (i.e. $HOME/.globus/usercert.pem and $HOME/.globus/userkey.pem), you will need to set the environment variables X509_USER_CERT and X509_USER_KEY to the paths of the certificate and key files respectively before running the myproxy-server.
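The checks described above (default or overridden credential paths, and the "ENCRYPTED" string test) can be run as a pre-flight step before starting the server. This is an added example, not part of MyProxy: the function names and return codes are hypothetical, and the owner-only permission check on the unencrypted key is an extra safeguard that the page itself does not describe.

```shell
#!/bin/sh
# Added example: pre-flight check before running myproxy-server with a
# user (non-host) certificate. Function names and return codes are
# illustrative and are not provided by MyProxy.

# Resolve the credential paths the way the page describes: the
# X509_USER_CERT / X509_USER_KEY variables if set, otherwise the defaults.
myproxy_cert_path() {
    printf '%s\n' "${X509_USER_CERT:-$HOME/.globus/usercert.pem}"
}
myproxy_key_path() {
    printf '%s\n' "${X509_USER_KEY:-$HOME/.globus/userkey.pem}"
}

# Return codes:
#   0  certificate and key are usable directly
#   1  certificate or key file is missing or unreadable
#   2  key is encrypted (decrypt it, or use a proxy instead)
#   3  key is readable or writable by group/other
myproxy_preflight() {
    cert=$(myproxy_cert_path)
    key=$(myproxy_key_path)
    [ -r "$cert" ] && [ -r "$key" ] || return 1

    # The page's test: an encrypted key file contains the string "ENCRYPTED".
    if grep -q 'ENCRYPTED' "$key"; then
        return 2
    fi

    # Assumption beyond the page: an unencrypted key is protected only by
    # file permissions, so require that group and other have no access.
    # Characters 5-10 of the ls mode string are the group/other bits.
    mode=$(ls -ld "$key" | cut -c5-10)
    [ "$mode" = "------" ] || return 3
    return 0
}

# Usage: myproxy_preflight && myproxy-server
```

A return code of 2 means the key must first be decrypted with the openssl command above (or a proxy used instead); a return code of 3 is cleared with chmod 600 on the key file.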

If instead you decide to run the myproxy-server with a proxy credential, we recommend that you create a new proxy specifically for the myproxy-server, to avoid confusion. To do so, set the X509_USER_PROXY environment variable, run grid-proxy-init to create a new proxy in the location specified by X509_USER_PROXY, start the myproxy-server, and then unset the X509_USER_PROXY environment variable. For example:

$ export X509_USER_PROXY=/tmp/myproxy-server.proxy
$ grid-proxy-init
Your identity: /C=US/O=National Computational Science Alliance/CN=Jim Basney
Enter GRID pass phrase for this identity:
Creating proxy ............................................................... Done
Your proxy is valid until: Fri Jul 30 04:08:43 2004
$ myproxy-server
$ unset X509_USER_PROXY

Note that when using a proxy, you will need to renew it periodically by running grid-proxy-init before it expires, so that the myproxy-server can keep functioning. For this reason, we do not recommend running the myproxy-server with a proxy credential, except for testing purposes.

If you run the myproxy-server with a non-standard certificate, you will need to inform the client of what certificate subject to expect. You do this by setting the environment variable MYPROXY_SERVER_DN to the DN of the certificate being used by the server. If there is an error, the MyProxy C clients will report what you should set MYPROXY_SERVER_DN to.

Last modified 01/30/06.
©2000-2019 Board of Trustees of the University of Illinois.