National Center for Supercomputing Applications MyProxy Credential Management Service University of Illinois at Urbana-Champaign

[Valid HTML 4.01]
[Valid CSS]
[Valid Atom 1.0]

(OSI Certified)

MyProxy supports multiple methods for credential renewal, so, for example, long-running tasks don't fail because of an expired credential. An authorized Grid service can renew credentials on your behalf, or you can renew credentials manually as needed.

Contents

Starting with version 3.6, the MyProxy CA also supports certificate-based renewal using the authorized_renewers and default_renewers options.

Certificate-based Renewal

Note: To use certificate-based renewal, your MyProxy server must be configured with authorized_renewers and default_renewers policies in the myproxy-server.config file. Also, certificate-based renewal is currently only supported by MyProxy C clients and not by MyProxy Java clients. (Update: Support for certificate-based credential renewal has been committed to the CoG jglobus CVS. See Bug 4612 for details.)

To store a general-purpose renewable credential in the MyProxy repository, run the myproxy-init command with the -A option on a computer where your Grid credentials are located. For example:

  $ myproxy-init -A -k renewable
  Your identity: /C=US/O=National Computational Science Alliance/CN=Jim Basney
  Enter GRID pass phrase for this identity:
  Creating proxy .............................................. Done
  Your proxy is valid until: Tue May 13 16:14:30 2003
  A proxy valid for 168 hours (7.0 days) for user jbasney now exists on myproxy.ncsa.uiuc.edu.

The -A option provides unrestricted renewal of your credentials so it should be used with caution. The -k option specifies a name for the credential to distinguish this renewable credential from other credentials you may have in the repository.

Alternatively, to store a renewable credential in the MyProxy repository for use by a trusted renewal service, run the myproxy-init command with the -R option on a computer where your Grid credentials are located. For example:

  $ myproxy-init -R 'modi4.ncsa.uiuc.edu' -k renewable
  Your identity: /C=US/O=National Computational Science Alliance/CN=Jim Basney
  Enter GRID pass phrase for this identity:
  Creating proxy .......................................... Done
  Your proxy is valid until: Tue May 13 16:02:49 2003
  A proxy valid for 168 hours (7.0 days) for user jbasney now exists on myproxy.ncsa.uiuc.edu.

This example uses the -R option to authorize the renewal service on modi4.ncsa.uiuc.edu (i.e., a trusted service with a certificate subject of CN=modi4.ncsa.uiuc.edu) to renew your credentials, and uses the -k option to specify a name for the credential to distinguish this renewable credential from other credentials you may have in the repository. The myproxy-init documentation lists all the available options for the myproxy-init command. By default, the credential is stored under your Unix username (jbasney in the example above) for 7 days, and can be used to renew credentials for an additional 12 hours at a time.

To renew credentials, run the myproxy-logon command with the -a option specifying the filename of the credential you want to renew. For example:

  $ myproxy-logon -a /tmp/x509up_u$UID -k renewable -l jbasney
  A proxy has been received for user jbasney in /tmp/x509up_u500 

If the renewable credential was stored with the myproxy-init -R option, the renewer must have a valid credential matching the -R policy to successfully renew a credential. If, instead, the credential was stored with myproxy-init -A, no additional credential is required. The myproxy-logon documentation lists all the available options for the myproxy-logon command.

To learn about how certificate-based proxy renewal is used in EGEE, see:

D. Kouril and J. Basney. A Credential Renewal Service for Long-Running Jobs. 6th IEEE/ACM International Workshop on Grid Computing (Grid 2005), Seattle, WA, November 13-14, 2005.

Password-based Renewal

MyProxy password authentication can also be used for credential renewal. For example:

  $ myproxy-init -r 'Jim Basney' -k renewable
  Your identity: /C=US/O=National Center for Supercomputing Applications/CN=Jim Basney
  Enter GRID pass phrase for this identity:
  Creating proxy ............................... Done
  Proxy Verify OK
  Your proxy is valid until: Fri May 12 20:18:02 2006
  Enter MyProxy pass phrase:
  Verifying - Enter MyProxy pass phrase:
  A proxy valid for 168 hours (7.0 days) for user jbasney now exists on myproxy.ncsa.uiuc.edu.

The -r option restricts access to the stored credential so that it can only be accessed by a client that has a valid credential with CN=Jim Basney. In other words, only a holder of a valid credential of Jim Basney's can use MyProxy to obtain a new credential for Jim Basney. Additionally, a valid pass phrase is required.

To renew credentials, simply run myproxy-logon. For example:

  $ myproxy-logon -k renewable
  Enter MyProxy pass phrase:
  A credential has been received for user jbasney in /tmp/x509up_u501.

The myproxy-logon documentation lists all the available options for the myproxy-logon command.

Condor-G (version 6.7.0 and above) supports this type of password-based credential renewal. After storing your renewable credential, set MyProxyHost, MyProxyPassword, and MyProxyCredentialName in your submit description file. For example:

  executable      = /usr/bin/my-executable
  universe        = grid
  grid_type       = gt3
  globusscheduler = condor-unsup-7
  MyProxyHost     = myproxy.ncsa.uiuc.edu:7512
  MyProxyPassword = password
  MyProxyCredentialName = renewable
  queue

See the Condor-G section of the Condor Manual for details.

Refreshing GRAM Credentials

You can use the globusrun command to update the credentials of submitted Globus Toolkit GRAM jobs:

  $ globusrun -refresh-proxy <job-ID>

For example:

  $ globusrun -b -r tg-login.ncsa.teragrid.org '&(executable=/bin/sleep)(arguments=30)'
  globus_gram_client_callback_allow successful
  GRAM Job submission successful
  https://tg-login1.ncsa.teragrid.org:46995/17303/1109781852/
  GLOBUS_GRAM_PROTOCOL_JOB_STATE_ACTIVE

  $ globusrun -refresh-proxy https://tg-login1.ncsa.teragrid.org:46995/17303/1109781852/

You can also use globus-credential-refresh to update the credentials for submitted Globus Toolkit WS-GRAM jobs:

  $ globus-credential-refresh -e <eprFileName>

For example:

  $ globus-credential-delegate -h tg-grid1.uc.teragrid.org ~/epr
  EPR will be written to: /home/ncsa/jbasney/epr
  Delegated credential EPR:
  Address: https://tg-grid1.uc.teragrid.org:8443/wsrf/services/DelegationService

  $ globusrun-ws -F tg-grid1.uc.teragrid.org -Jf ~/epr -Sf ~/epr -Tf ~/epr -submit -b -c /bin/hostname
  Submitting job...Done.
  Job ID: uuid:dd242fd2-d4a0-11da-9ef2-0007e9d81322
  Termination time: 04/26/2006 21:17 GMT

  $ globus-credential-refresh -e ~/epr
  Arguments: 43200 true /home/ncsa/jbasney/epr
  Delegated epr Address: https://tg-grid1.uc.teragrid.org:8443/wsrf/services/DelegationService

See the Globus Toolkit Delegation Service Manual for more details.

Last modified 05/28/13.
©2000-2017 Board of Trustees of the University of Illinois.