National Center for Supercomputing Applications MyProxy Credential Management Service University of Illinois at Urbana-Champaign


VOMS (Virtual Organization Membership Service) provides support for managing group membership and roles in grid security. There are many ways in which MyProxy might be used with VOMS:

Store proxy credentials containing VOMS extensions in MyProxy:
Proxy credentials containing VOMS extensions can be stored in MyProxy just like any other proxy credentials. The MyProxy clients and servers do not need to be VOMS-aware. The VOMS extension is simply passed inside the certificate without requiring any special processing by MyProxy.
Integrate myproxy-init and myproxy-logon and voms-proxy-init:
To make it easier to store and retrieve credentials containing VOMS assertions in MyProxy, a --voms option has been added to myproxy-init and myproxy-logon starting in MyProxy version 3.9, as documented below. In this case, VOMS extensions are always added on the client-side, before or after communicating with the myproxy-server. Therefore, voms-proxy-init must be properly installed in PATH and configured (i.e., by setting the VOMS_USERCONF environment variable) on the client-side.
Add VOMS extensions to certificates in the myproxy-server:
Rather than performing VOMS operations on the client-side (requiring client-side VOMS configuration), the myproxy-server can add VOMS extensions to proxy certificates when it issues those certificates to the client. This capability was added to the myproxy-server starting in MyProxy 5.1. It requires enabling VOMS support in the myproxy-server (see below) and also setting the allow_voms_attribute_requests option in myproxy-server.config. (See also the voms_userconf option.) On the client side, it will soon be supported in the CoG JGlobus MyProxy client, via the -voms option. It is not (yet) supported by other MyProxy clients.
Support VOMS authorization in the myproxy-server:
Instead of setting myproxy-server access control policies based on individual certificate subject names, use VOMS attributes. For example, a VOMS attribute could be defined that indicates which services are allowed to renew credentials via the myproxy-server authorized_renewers policy. This capability is available starting with MyProxy version 3.6 and is documented below.
Support VOMS authorization in MyProxy clients:
In addition to verifying that the myproxy-server's certificate subject matches its hostname, the server's certificate could include a VOMS attribute that indicates it is a trusted credential management service for a virtual organization community. This is the subject of Bug 322. This functionality is not yet implemented.

MyProxy's VOMS support continues to evolve. Please join the discussions on the myproxy-user mailing list about it.

For an example of using MyProxy and VOMS together in Java, see http://projects.arcs.org.au/trac/common-grid-libs/wiki/ProxyLight.

Using MyProxy's Command-Line VOMS Support

Starting in MyProxy version 3.9, the myproxy-init and myproxy-logon clients contain --voms options to add VOMS attributes to credentials stored in the MyProxy repository or retrieved from MyProxy. The --voms option requires voms-proxy-init to be installed and configured on your system, but the MyProxy clients do not need to be specially configured with VOMS support or linked with VOMS libraries.

To store a credential in the MyProxy repository containing VOMS attributes, use myproxy-init --voms VO similar to the voms-proxy-init -voms VO command. For example:

$ myproxy-init --voms NCSA
Your identity: /C=US/O=National Center for Supercomputing Applications/CN=Jim Basney
Enter GRID pass phrase:
verify OK
Creating temporary proxy .................................................................... Done
Contacting  voms.ncsa.uiuc.edu:15000 [/C=US/O=National Center for Supercomputing Applications/CN=voms.ncsa.uiuc.edu] "NCSA" Done
Creating proxy ....................................................... Done
Your proxy is valid until Fri Nov  2 09:41:27 2007
Enter MyProxy pass phrase:
Verifying - Enter MyProxy pass phrase:
A proxy valid for 168 hours (7.0 days) for user jbasney now exists on myproxy.ncsa.uiuc.edu.

We can then retrieve a proxy and verify that it contains the VOMS attributes:

$ myproxy-logon
Enter MyProxy pass phrase:
A credential has been received for user jbasney in /tmp/x509up_u502.
$ voms-proxy-info -all
subject   : /C=US/O=National Center for Supercomputing Applications/CN=Jim Basney/CN=proxy/CN=proxy/CN=proxy
issuer    : /C=US/O=National Center for Supercomputing Applications/CN=Jim Basney/CN=proxy/CN=proxy
identity  : /C=US/O=National Center for Supercomputing Applications/CN=Jim Basney/CN=proxy/CN=proxy
type      : unknown
strength  : 1024 bits
path      : /tmp/x509up_u502
timeleft  : 11:59:58
=== VO NCSA extension information ===
VO        : NCSA
subject   : /C=US/O=National Center for Supercomputing Applications/CN=Jim Basney
issuer    : /C=US/O=National Center for Supercomputing Applications/CN=voms.ncsa.uiuc.edu
attribute : /NCSA/Role=NULL/Capability=NULL
timeleft  : 11:59:48

Alternatively, to add VOMS attributes to a proxy retrieved from MyProxy, use myproxy-logon --voms VO similar to the voms-proxy-init -voms VO command. For example:

$ myproxy-logon --voms NCSA
Enter MyProxy pass phrase:
Your identity: /C=US/O=National Center for Supercomputing Applications/CN=Jim Basney/CN=proxy/CN=proxy/CN=proxy
Creating temporary proxy .............................................................. Done
Contacting  voms.ncsa.uiuc.edu:15000 [/C=US/O=National Center for Supercomputing Applications/CN=voms.ncsa.uiuc.edu] "NCSA" Done
Creating proxy .................................................. Done
Your proxy is valid until Fri Oct 26 21:43:24 2007
A credential has been received for user jbasney in /tmp/x509up_u502.
$ voms-proxy-info -all
subject   : /C=US/O=National Center for Supercomputing Applications/CN=Jim Basney/CN=proxy/CN=proxy/CN=proxy/CN=proxy
issuer    : /C=US/O=National Center for Supercomputing Applications/CN=Jim Basney/CN=proxy/CN=proxy/CN=proxy
identity  : /C=US/O=National Center for Supercomputing Applications/CN=Jim Basney/CN=proxy/CN=proxy/CN=proxy
type      : unknown
strength  : 1024 bits
path      : /tmp/x509up_u502
timeleft  : 11:58:55
=== VO NCSA extension information ===
VO        : NCSA
subject   : /C=US/O=National Center for Supercomputing Applications/CN=Jim Basney
issuer    : /C=US/O=National Center for Supercomputing Applications/CN=voms.ncsa.uiuc.edu
attribute : /NCSA/Role=NULL/Capability=NULL
timeleft  : 11:58:55

Note that if your VOMS installation does not support newer proxy certificate formats, you will need to set GT_PROXY_MODE=old before running myproxy-init to store your proxy:

$ export GT_PROXY_MODE=old
$ myproxy-init
Your identity: /C=US/O=National Center for Supercomputing Applications/CN=Jim Basney
Enter GRID pass phrase for this identity:
Creating proxy .................................................................................. Done
Proxy Verify OK
Your proxy is valid until: Fri Nov  2 09:44:12 2007
Enter MyProxy pass phrase:
Verifying - Enter MyProxy pass phrase:
A proxy valid for 168 hours (7.0 days) for user jbasney now exists on myproxy.ncsa.uiuc.edu.

For older versions of the MyProxy clients, it is possible to get the same behavior as above by manually running voms-proxy-init before myproxy-init or after myproxy-logon.

To store a proxy with VOMS attributes:

$ voms-proxy-init -voms NCSA
Your identity: /C=US/O=National Center for Supercomputing Applications/CN=Jim Basney
Creating temporary proxy ............................... Done
Contacting  voms.ncsa.uiuc.edu:15000 [/C=US/O=National Center for Supercomputing Applications/CN=voms.ncsa.uiuc.edu] "NCSA" Done
Creating proxy ...................................................... Done
$ export GT_PROXY_MODE=old
$ myproxy-init --certfile `grid-proxy-info -path` --keyfile `grid-proxy-info -path` -c 0
Your identity: /C=US/O=National Center for Supercomputing Applications/CN=Jim Basney
Creating proxy .................................................................................. Done
Proxy Verify OK
Your proxy is valid until: Fri Nov  2 09:44:12 2007
Enter MyProxy pass phrase:
Verifying - Enter MyProxy pass phrase:
A proxy valid for 11 hours (0.5 days) for user jbasney now exists on myproxy.ncsa.uiuc.edu.

To retrieve a proxy and then add VOMS attributes:

$ myproxy-logon
Enter MyProxy pass phrase:
A credential has been received for user jbasney in /tmp/x509up_u502.
$ voms-proxy-init -cert `grid-proxy-info -path` -key `grid-proxy-info -path` -voms NCSA
Your identity: /C=US/O=National Center for Supercomputing Applications/CN=Jim Basney
Creating temporary proxy ............................... Done
Contacting  voms.ncsa.uiuc.edu:15000 [/C=US/O=National Center for Supercomputing Applications/CN=voms.ncsa.uiuc.edu] "NCSA" Done
Creating proxy ...................................................... Done

This approach is discussed in more detail here.

Enabling MyProxy Server VOMS Support

VOMS support is not enabled by default in the myproxy-server. It requires a special installation process to enable. Note that this capability is separate from MyProxy's --voms command-line support, which is enabled by default and does not require the below special installation process.

  1. First, install VOMS header files and libraries. One option is to install VOMS from VDT.
  2. Install the Globus Toolkit. The best method is to follow the instructions for building and installing only MyProxy using the Globus Toolkit. Be sure to obtain X.509 user and host credentials before proceeding.
  3. Untar the latest MyProxy release and run

    ./configure --with-flavor=gcc32dbg --with-voms=/usr/local/vdt-1.3.11/glite

    changing the flavor and VOMS install paths as appropriate. Then run

    make install

    which will install MyProxy to your $GLOBUS_LOCATION directory.
  4. You can verify that VOMS support was compiled in to MyProxy by looking for "VOMS" in the version string:

      $ myproxy-server -V
      myproxy-server version MYPROXYv2 (v3.6 10 Aug 2006 PAM SASL KRB5 LDAP VOMS)

    VOMS support is required in the myproxy-server only. MyProxy clients do not need to be compiled with VOMS support.

Configuring MyProxy's VOMS Authorization Support

With VOMS support enabled in the myproxy-server, the myproxy-server.config policy expressions may specify fully-qualified attribute names using the "FQAN:" prefix. For example:

authorized_retrievers "FQAN:/voce/Role=Admin/Capability=NULL"
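As an added example (not code from the MyProxy or VOMS projects), the following Python script parses the voms-proxy-info -all output shown earlier on this page, reduces the proxy subject to the end-entity DN, and evaluates a list of policy entries in the "FQAN:" form used in this section against the VOMS attributes the proxy carries. The matching rules (exact or "*"-wildcard match, first match wins, default deny) and all function names are assumptions made for illustration; they are not MyProxy's own policy matcher, whose exact semantics are documented in myproxy-server.config. The sample output is constructed from the transcript on this page. The script also reports VO extensions whose attribute certificate expires before the proxy itself, the situation visible in the two timeleft fields above, since after that point the proxy still authenticates but no longer carries VO membership.

```python
import fnmatch
import re

# Constructed sample input, modelled on the `voms-proxy-info -all` output shown
# on this page (not captured from a live system).
SAMPLE_VOMS_PROXY_INFO = """\
subject   : /C=US/O=National Center for Supercomputing Applications/CN=Jim Basney/CN=proxy/CN=proxy/CN=proxy
issuer    : /C=US/O=National Center for Supercomputing Applications/CN=Jim Basney/CN=proxy/CN=proxy
identity  : /C=US/O=National Center for Supercomputing Applications/CN=Jim Basney/CN=proxy/CN=proxy
type      : unknown
strength  : 1024 bits
path      : /tmp/x509up_u502
timeleft  : 11:59:58
=== VO NCSA extension information ===
VO        : NCSA
subject   : /C=US/O=National Center for Supercomputing Applications/CN=Jim Basney
issuer    : /C=US/O=National Center for Supercomputing Applications/CN=voms.ncsa.uiuc.edu
attribute : /NCSA/Role=NULL/Capability=NULL
timeleft  : 11:59:48
"""

VO_HEADER = re.compile(r"^=== VO (\S+) extension information ===$")


def timeleft_seconds(value):
    """Convert an 'H:MM:SS' timeleft field into a number of seconds."""
    hours, minutes, seconds = (int(part) for part in value.split(":"))
    return hours * 3600 + minutes * 60 + seconds


def parse_voms_proxy_info(text):
    """Split voms-proxy-info -all output into the proxy block and one block per
    VO extension. 'attribute' is collected as a list, since a VO may issue
    several FQANs to the same holder."""
    proxy, vos = {}, []
    current = proxy
    for line in text.splitlines():
        header = VO_HEADER.match(line)
        if header:
            current = {"VO": header.group(1), "attribute": []}
            vos.append(current)
            continue
        if ":" not in line:
            continue
        # Split on the first colon only; timeleft values contain further colons.
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "attribute":
            current.setdefault("attribute", []).append(value)
        else:
            current[key] = value
    return {"proxy": proxy, "vos": vos}


def strip_proxy_cns(subject):
    """Reduce a proxy subject to the end-entity DN by dropping trailing proxy
    components: '/CN=proxy' and '/CN=limited proxy' for legacy proxies, and a
    numeric CN for newer (RFC 3820) proxies. Simplified helper (assumption)."""
    parts = subject.split("/")
    while parts and re.fullmatch(r"CN=(proxy|limited proxy|\d+)", parts[-1]):
        parts.pop()
    return "/".join(parts)


def policy_allows(policy, subject, fqans):
    """Evaluate a list of policy entries (assumed semantics, not MyProxy's
    matcher): an entry with the 'FQAN:' prefix is matched against each VOMS
    attribute, any other entry against the end-entity DN; '*' is a wildcard;
    the first matching entry grants access and nothing matching means deny."""
    dn = strip_proxy_cns(subject)
    for entry in policy:
        if entry.startswith("FQAN:"):
            pattern = entry[len("FQAN:"):]
            if any(fnmatch.fnmatchcase(fqan, pattern) for fqan in fqans):
                return True
        elif fnmatch.fnmatchcase(dn, entry):
            return True
    return False


def authorization_decision(info_text, policy):
    """Parse voms-proxy-info output and decide whether the policy admits it."""
    info = parse_voms_proxy_info(info_text)
    fqans = [fqan for vo in info["vos"] for fqan in vo["attribute"]]
    return policy_allows(policy, info["proxy"]["subject"], fqans)


def attributes_expire_before_proxy(info_text):
    """Names of VOs whose attribute certificate expires before the proxy does."""
    info = parse_voms_proxy_info(info_text)
    proxy_left = timeleft_seconds(info["proxy"]["timeleft"])
    return [vo["VO"] for vo in info["vos"]
            if timeleft_seconds(vo["timeleft"]) < proxy_left]


if __name__ == "__main__":
    policy = ['FQAN:/voce/Role=Admin/Capability=NULL', 'FQAN:/NCSA/*']
    print("allowed:", authorization_decision(SAMPLE_VOMS_PROXY_INFO, policy))
    print("VO attributes expiring before the proxy:",
          attributes_expire_before_proxy(SAMPLE_VOMS_PROXY_INFO))
```

Run against real output, feed the text of voms-proxy-info -all to authorization_decision together with the entries of the policy you want to check. The sample attribute /NCSA/Role=NULL/Capability=NULL does not satisfy the "FQAN:/voce/Role=Admin/Capability=NULL" entry from this section, so a policy containing only that entry yields deny; adding an entry such as "FQAN:/NCSA/*" admits it.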

Last modified 03/05/10.
©2000-2014 Board of Trustees of the University of Illinois.