Rather than storing your Grid credentials on each machine you
use to access the Grid, you can store them in a CredentialManager repository
and retrieve a proxy credential from the CredentialManager repository when
needed.
The description above is intuitive and easy to understand, but not accurate.
In fact, a CredentialManagerService Factory that can create multiple
CredentialManagerService instances is deployed after installation. (See Installation for installation details.) These instances perform operations on the credentials for the clients, and each client works with its own instance. A service instance is created whenever a credential is stored. These service instances can be accessed later to get or destroy the credentials.
To test the client, first start the Grid Services container installed at $GLOBUS_LOCATION:
globus-start-container
With the container running, a client can run the client program myproxy-cm. To store a credential in the CredentialManager repository, run the init command on a computer where your Grid credentials are located. For example:
$ myproxy-cm init http://bit.ncsa.uiuc.edu:8080 songs test
Your identity: /C=US/O=National Center for Supercomputing Applications/CN=Sumin Song
Enter GRID pass phrase for this identity:
Creating proxy, please wait...
Your proxy is valid until Sat Feb 28 22:01:59 CST 2004
Enter MyProxy Pass Phrase:
The service instance termination time: Sat Feb 28 22:02:07 CST 2004
Note that in the init command above, http://bit.ncsa.uiuc.edu:8080 is the CredentialManagerFactory's base URL, including IP address and port. "songs" is the user name and "test" is the credential name; both are specified by the user and will be used later by the get and destroy commands. A service instance is created whenever a credential is stored. Retrieving or destroying the credential is accomplished by accessing its service instance's handle. (The service instance's handle is obtained by querying the index service; here are the details.)
$ myproxy-cm get http://bit.ncsa.uiuc.edu:8080 songs test
certname: songstest
http://141.142.97.119:8080/ogsa/services/CredentialManager/CredentialManagerFactoryService/hash-26279847-1077425424825
Request the delegation of proxy cert from service instance:
Enter MyProxy Pass Phrase:
Save the delegated credential into file: /home/songs/x509up_u26102
The get command prompts for the pass phrase you set previously with init. The client passes the necessary information to the server, and the server first uses the password provided by the client to decrypt the encrypted private key. The client is given three chances to provide the correct password. If the password is correct, a proxy credential is retrieved and stored in the correct default location for use with Globus. Note that http://bit.ncsa.uiuc.edu:8080 is the IndexService's base URL. Since the IndexService and CredentialManager's service instances are in the same container by default, the IndexService's base URL is the same as the CredentialManagerFactory's base URL in this example. However, the user should be careful when the IndexService runs remotely from CredentialManager's service instances: specify the IndexService's base URL, not the CredentialManagerFactory's base URL. "songs" and "test" are used in the get command to indicate which credential the client wants to access.
http://141.142.97.119:8080/ogsa/services/CredentialManager/CredentialManagerFactoryService/hash-26279847-1077425424825 is the handle of the service instance for this particular credential and is obtained by querying the index service. The user can also specify the service handle directly to get the credential using the -h option:
$ myproxy-cm get -h http://141.142.97.119:8080/ogsa/services/CredentialManager/CredentialManagerFactoryService/hash-26279847-1077425424825
The get documentation lists all the available options for the get command.
$ myproxy-cm destroy http://bit.ncsa.uiuc.edu:8080 songs test
certname: songstest
Destroyed service: http://141.142.97.119:8080/ogsa/services/CredentialManager/CredentialManagerFactoryService/hash-26279847-1077425424825
If you are the owner of the credential to be destroyed, you do not need to provide the pass phrase. Otherwise, you need to specify the pass phrase, which was set previously with the init command, using the -p option. After the credential is destroyed, it cannot be accessed any more. Note that http://bit.ncsa.uiuc.edu:8080 is the IndexService's base URL. Since the IndexService and CredentialManager's service instances are in the same container by default, the IndexService's base URL is the same as the CredentialManagerFactory's base URL in this example. However, the user should be careful when the IndexService runs remotely from CredentialManager's service instances: specify the IndexService's base URL, not the CredentialManagerFactory's base URL. As with the get command, the user can also specify the service handle directly to destroy the credential using the -h option:
$ myproxy-cm destroy -h http://141.142.97.119:8080/ogsa/services/CredentialManager/CredentialManagerFactoryService/hash-26279847-1077425424825
The destroy documentation lists all the available options for the destroy command.
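The handle printed by get is the value the -h option takes, and get leaves the delegated proxy in a local file. The following shell script is an added example, not part of myproxy-cm: it extracts the handle and the proxy path from a saved get transcript (constructed here from the session above) and checks that the proxy file belongs to the caller with no group or other permissions. The function names, the assumed transcript layout and the permission check itself are assumptions of this example, not something the page describes.

```shell
#!/bin/sh
# Added example; not part of the myproxy-cm distribution.

# Constructed sample: the get session shown above, saved as text.
SAMPLE_GET_LOG='certname: songstest
http://141.142.97.119:8080/ogsa/services/CredentialManager/CredentialManagerFactoryService/hash-26279847-1077425424825
Request the delegation of proxy cert from service instance:
Enter MyProxy Pass Phrase:
Save the delegated credential into file: /home/songs/x509up_u26102'

# Print the first service-instance handle found in a transcript.
# Assumption: handles always look like the one on this page
# (.../CredentialManagerFactoryService/hash-<digits>-<digits>).
extract_handle() {
    printf '%s\n' "$1" |
        grep -Eo 'https?://[^[:space:]]+/CredentialManagerFactoryService/hash-[0-9-]+' |
        head -n 1
}

# Print the path the delegated proxy was written to.
extract_proxy_path() {
    printf '%s\n' "$1" |
        sed -n 's|.*Save the delegated credential into file: *\([^[:space:]]*\).*|\1|p' |
        head -n 1
}

# Succeed only if the file is a regular file (not a symlink), owned by the
# caller, with no group or other permission bits set.
proxy_is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    ls -ldn -- "$1" |
        awk -v uid="$(id -u)" \
            '{ ok = (substr($1, 5, 6) == "------" && $3 == uid) } END { exit !ok }'
}

# Demo on the constructed transcript.
handle=$(extract_handle "$SAMPLE_GET_LOG")
proxy=$(extract_proxy_path "$SAMPLE_GET_LOG")
echo "later cleanup: myproxy-cm destroy -h $handle"
if proxy_is_private "$proxy"; then
    echo "proxy file $proxy is owner-only"
else
    echo "proxy file $proxy is missing or not owner-only" >&2
fi
```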