|
What follows are instructions for using MyProxy and GSISSH for single sign-on to TeraGrid systems from a Unix/Linux/OSX system. Windows users should try GSI-SSHTerm instead. The TeraGrid MyProxy server is configured to allow all TeraGrid users to obtain certificates using their TeraGrid Portal username and password. NCSA users can alternatively use the NCSA MyProxy server with their NCSA Kerberos username and password. This is an example of how the MyProxy CA can be integrated with an existing authentication service (in this case, the TERAGRID.ORG/NCSA.EDU Kerberos domains) for certificate issuance. ContentsInstall MyProxy and GSISSHFirst, check to see if you already have myproxy-logon and gsissh installed.
$ which myproxy-logon gsissh
If the above command returns output, like this:
$ which myproxy-logon gsissh
/usr/local/globus/bin/myproxy-logon /usr/local/globus/bin/gsissh then you can proceed to the next step. Otherwise, you need to install the needed commands as follows. First, download and unpack a Globus Toolkit installer for your system from http://www.globus.org/toolkit/downloads/. Use a binary installer if one is available for your system. Otherwise, a source installer is required.
$ tar xzf gt5*-installer.tar.gz
Then, install MyProxy and GSISSH.
$ cd gt5*-installer
$ ./configure --prefix=$HOME/globus $ make gsi-myproxy gsi-openssh $ make install
If you're not sure if you have a C or Bourne shell, just try both
options and see which one works without errors.
Finally, set your environment. For C shells, do the following:
$ setenv GLOBUS_LOCATION $HOME/globus
$ source $GLOBUS_LOCATION/etc/globus-user-env.csh For Bourne shells, do the following:
$ GLOBUS_LOCATION=$HOME/globus
$ export GLOBUS_LOCATION $ . $GLOBUS_LOCATION/etc/globus-user-env.sh Add these environment setting commands to your .cshrc, .login, .bashrc, or .profile file in your home directory so you don't need to run them again later. Obtain your certificate from MyProxy
If you have previously run myproxy-init to store a credential
on the myproxy.teragrid.org server
then myproxy-logon will use your stored credential,
and you will need to enter your previously-chosen myproxy-init
passphrase at the myproxy-logon prompt instead of your TeraGrid Portal
password.
Now you should be ready to obtain your certificate from the TeraGrid MyProxy server by running the command below. This command will also update your environment with additional CA certificates and certificate revocation lists for TeraGrid. (Remove the -T option if you don't want the CA files updated.) Enter your TeraGrid Portal username in place of username, and enter your TeraGrid Portal password when prompted for your MyProxy pass phrase.
$ myproxy-logon -T -l username -s myproxy.teragrid.org
Enter MyProxy pass phrase: A credential has been received for user username in /tmp/x509up_u25555. Trust roots have been installed in /home/username/.globus/certificates/. Alternatively, to use your NCSA Kerberos password, use myproxy.ncsa.uiuc.edu instead.
$ myproxy-logon -T -l username -s myproxy.ncsa.uiuc.edu
Enter MyProxy pass phrase: A credential has been received for user username in /tmp/x509up_u25555. Trust roots have been installed in /home/username/.globus/certificates/. By default, your certificate from MyProxy is valid for 12 hours, so you can run myproxy-logon once each day. If you need a longer-lived certificate (for example, if you are submitting a long-running job), you can request a certificate valid for up to 11 days (264 hours) by adding the -t option, as in the following example.
$ myproxy-logon -T -l username -s myproxy.teragrid.org
-t 264
Enter MyProxy pass phrase: A credential has been received for user username in /tmp/x509up_u25555. Trust roots have been installed in /home/username/.globus/certificates/. Login via GSISSHNow you can login to any TeraGrid systems where you have an account using the gsissh command.
$ gsissh login-hg.ncsa.teragrid.org
You can also copy files to/from TeraGrid systems using gsiscp and gsisftp.
$ gsiscp ~/filename login-hg.ncsa.teragrid.org:~/filename
$ gsiscp login-hg.ncsa.teragrid.org:~/filename ~/filename $ gsisftp login-hg.ncsa.teragrid.org TroubleshootingTeraGrid users can find additional information at http://www.teragrid.org/userinfo/. You can also consult the MyProxy Troubleshooting and GSISSH Troubleshooting pages. The myproxy-logon -T command will keep your certificate revocation list files up-to-date for increased security. If you switch to some other method of managing your certificates, these files may become out-of-date, causing authentication problems. If this occurs, you can remove them with the following command.
$ rm -f ~/.globus/certificates/*.r*
If the myproxy-logon command fails with a "GSS" error, there may be a problem with your existing credentials. Try again after removing your existing proxy credential with the following command.
$ grid-proxy-destroy
Last modified
10/21/10. |