It is possible to run a myproxy-server using a non-host certificate: either a normal user certificate or any other certificate you desire. In that case, the myproxy-server can run in a non-root account. In order to do this, the private key of the certificate will either need to be unencrypted (this is recommended), or you will need to generate a proxy from the encrypted key for the server to use (by running grid-proxy-init). Your private key is encrypted if your key.pem file includes the string "ENCRYPTED". You can use the following command to decrypt an encrypted key:
One option is to run the myproxy-server with a myproxy service certificate, with "/CN=myproxy/<fully-qualified hostname>". The MyProxy C clients will work by default with a myproxy-server running with a myproxy service certificate. However, other MyProxy clients (such as the Java CoG clients) at this time assume the myproxy-server will use a host certificate and will need to be configured to accept a non-host certificate.
If you are using the key and certificate directly, and they are not in the default locations (i.e. $(HOME)/.globus/usercert.pem and $(HOME)/.globus/userkey.pem), you will need to set the environment variables X509_USER_CERT and X509_USER_KEY to the paths of the certificate and key files respectively before running the myproxy-server.
If instead you decide to run the myproxy-server with a proxy credential, we recommend that you create a new proxy specifically for the myproxy-server, to avoid confusion, by setting the X509_USER_PROXY environment variable, running grid-proxy-init to create a new proxy in the location specified by X509_USER_PROXY, starting the myproxy-server, and then un-setting the X509_USER_PROXY environment variable. For example:
Note that when using a proxy you will need to renew it periodically, by running grid-proxy-init before it expires, so that the myproxy-server keeps functioning. For this reason, we do not recommend running the myproxy-server with a proxy credential, except for testing purposes.
If you run the myproxy-server with a non-standard certificate, you will need to inform the client of what certificate subject to expect. You do this by setting the environment variable MYPROXY_SERVER_DN to the DN of the certificate being used by the server. If there is an error, the MyProxy C clients will report what you should set MYPROXY_SERVER_DN to.
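A pre-flight check for the key handling described above, as an added example that is not part of the original MyProxy documentation: it applies the "ENCRYPTED" string test and the X509_USER_KEY default path from the text. The function names are hypothetical, and the owner-only file mode check is an added assumption about how an unencrypted key should be stored.

```shell
#!/bin/sh
# Added example: pre-flight check of the key a non-root myproxy-server will load.
# Function names are hypothetical; the paths and variable come from the page.

# Key location: X509_USER_KEY if set, else the default under $HOME/.globus.
key_path() { printf '%s\n' "${X509_USER_KEY:-$HOME/.globus/userkey.pem}"; }

# The page's test: the key is encrypted if the file includes "ENCRYPTED".
key_is_encrypted() { grep -q 'ENCRYPTED' "$1"; }

# Assumption: an unencrypted key is protected only by its file mode, so require
# that group and other have no permission bits (columns 5-10 of `ls -l`).
key_is_private() {
    case "$(ls -ld "$1" | cut -c5-10)" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# Print a one-word verdict; the exit status is 0 only for a usable key.
check_server_key() {
    key=$1
    [ -r "$key" ] || { echo "missing"; return 1; }
    # Encrypted: decrypt it, or give the server a proxy made by grid-proxy-init.
    if key_is_encrypted "$key"; then echo "encrypted"; return 2; fi
    key_is_private "$key" || { echo "exposed"; return 3; }
    echo "ok"
}

# Demo on constructed files: PEM header lines only, no real key material.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' > "$d/enc.pem"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' > "$d/plain.pem"
    cp "$d/plain.pem" "$d/open.pem"
    chmod 600 "$d/enc.pem" "$d/plain.pem"
    chmod 644 "$d/open.pem"
    for f in enc.pem plain.pem open.pem none.pem; do
        printf '%s: ' "$f"
        check_server_key "$d/$f" || true
    done
    rm -rf "$d"
}

# "current" checks the key the server would load; anything else runs the demo.
if [ "${1:-}" = "current" ]; then check_server_key "$(key_path)"; else demo; fi
```

Run it with the argument `current` from the account that will start the myproxy-server, after setting X509_USER_KEY if the key is not in the default location.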
Last modified 01/30/06.