MyProxy supports multiple methods for credential renewal, so, for example, long-running tasks don't fail because of an expired credential. An authorized Grid service can renew credentials on your behalf, or you can renew credentials manually as needed.
Starting with version 3.6, the MyProxy CA also supports
certificate-based renewal using the
To use certificate-based renewal,
your MyProxy server must be configured with
To store a general-purpose renewable credential in the MyProxy
repository, run the
myproxy-init command with
$ myproxy-init -A -k renewable Your identity: /C=US/O=National Computational Science Alliance/CN=Jim Basney Enter GRID pass phrase for this identity: Creating proxy .............................................. Done Your proxy is valid until: Tue May 13 16:14:30 2003 A proxy valid for 168 hours (7.0 days) for user jbasney now exists on myproxy.ncsa.uiuc.edu.
Alternatively, to store a renewable credential in the MyProxy
repository for use by a trusted renewal service, run the
myproxy-init command with
$ myproxy-init -R 'modi4.ncsa.uiuc.edu' -k renewable Your identity: /C=US/O=National Computational Science Alliance/CN=Jim Basney Enter GRID pass phrase for this identity: Creating proxy .......................................... Done Your proxy is valid until: Tue May 13 16:02:49 2003 A proxy valid for 168 hours (7.0 days) for user jbasney now exists on myproxy.ncsa.uiuc.edu.
This example uses the
To renew credentials, run the
command with the
$ myproxy-logon -a /tmp/x509up_u$UID -k renewable -l jbasney A proxy has been received for user jbasney in /tmp/x509up_u500
If the renewable credential was stored with the
To learn about how certificate-based proxy renewal is used in EGEE, see:
MyProxy password authentication can also be used for credential renewal. For example:
$ myproxy-init -r 'Jim Basney' -k renewable Your identity: /C=US/O=National Center for Supercomputing Applications/CN=Jim Basney Enter GRID pass phrase for this identity: Creating proxy ............................... Done Proxy Verify OK Your proxy is valid until: Fri May 12 20:18:02 2006 Enter MyProxy pass phrase: Verifying - Enter MyProxy pass phrase: A proxy valid for 168 hours (7.0 days) for user jbasney now exists on myproxy.ncsa.uiuc.edu.
To renew credentials, simply run myproxy-logon. For example:
$ myproxy-logon -k renewable Enter MyProxy pass phrase: A credential has been received for user jbasney in /tmp/x509up_u501.
The myproxy-logon documentation lists all the available options for the myproxy-logon command.
(version 6.7.0 and above)
supports this type of password-based credential renewal.
After storing your renewable credential, set
executable = /usr/bin/my-executable universe = grid grid_type = gt3 globusscheduler = condor-unsup-7 MyProxyHost = myproxy.ncsa.uiuc.edu:7512 MyProxyPassword = password MyProxyCredentialName = renewable queue
See the Condor-G section of the Condor Manual for details.
You can use the globusrun command to update the credentials of submitted Globus Toolkit GRAM jobs:
$ globusrun -refresh-proxy <job-ID>
$ globusrun -b -r tg-login.ncsa.teragrid.org '&(executable=/bin/sleep)(arguments=30)' globus_gram_client_callback_allow successful GRAM Job submission successful https://tg-login1.ncsa.teragrid.org:46995/17303/1109781852/ GLOBUS_GRAM_PROTOCOL_JOB_STATE_ACTIVE $ globusrun -refresh-proxy https://tg-login1.ncsa.teragrid.org:46995/17303/1109781852/
You can also use globus-credential-refresh to update the credentials for submitted Globus Toolkit WS-GRAM jobs:
$ globus-credential-refresh -e <eprFileName>
$ globus-credential-delegate -h tg-grid1.uc.teragrid.org ~/epr EPR will be written to: /home/ncsa/jbasney/epr Delegated credential EPR: Address: https://tg-grid1.uc.teragrid.org:8443/wsrf/services/DelegationService $ globusrun-ws -F tg-grid1.uc.teragrid.org -Jf ~/epr -Sf ~/epr -Tf ~/epr -submit -b -c /bin/hostname Submitting job...Done. Job ID: uuid:dd242fd2-d4a0-11da-9ef2-0007e9d81322 Termination time: 04/26/2006 21:17 GMT $ globus-credential-refresh -e ~/epr Arguments: 43200 true /home/ncsa/jbasney/epr Delegated epr Address: https://tg-grid1.uc.teragrid.org:8443/wsrf/services/DelegationService
See the Globus Toolkit Delegation Service Manual for more details.