GridProxies

A guide on how to create and use them.

Method 1: Long Life Proxies

  1. Use voms-proxy-init -valid XX:XX to create a proxy certificate with a very long lifetime. The proxy certificate will be output to $X509_USER_PROXY. Note that the maximum lifetime of this certificate is the remaining lifetime of the original grid certificate.
  2. In a cron job, copy the proxy certificate to a temporary location every 12 hours (i.e. cp $X509_USER_PROXY ~/tmp_proxy).
  3. In the cron job, use the command glite-voms-proxy-init -valid 12:00 -cert ~/tmp_proxy -key ~/tmp_proxy to renew the temporary proxy, giving it a shorter lifetime.

Why Method 1 is bad...

Creating long-lived proxies is a bad idea because they cannot be revoked. If they are compromised they will give unfettered access to grid resources using your credentials until they expire. This method gets around the problem by creating a second proxy with a much shorter lifetime. It represents no more of a risk than using a conventional proxy if:

  • The cron job is stopped in the case of a security violation (otherwise you'll continue to create new proxies which may be intercepted and abused).
  • The local system is not compromised, which would give access to the original long-lived proxy.
  • Users are careful to only ever use tmp_proxy. This is not trivial, as new calls to lcguisetup will point to the original long-lived proxy!
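The cron job from steps 2 and 3, written so that the three conditions above are enforced rather than remembered, as an added example that is not part of the original page. It assumes the file paths shown, a hypothetical hold file as the "stop the cron job" switch, and that glite-voms-proxy-init is on PATH (overridable through VOMS_CMD so the script can be exercised without a grid installation).

```shell
#!/bin/sh
# renew_tmp_proxy.sh: cron-driven renewal for the long-lived proxy pattern.
# Added example, not from the original page. Paths and the hold file are assumptions.
set -u

LONG_PROXY="${X509_USER_PROXY:-$HOME/.globus/long_proxy}"   # assumed location
TMP_PROXY="${TMP_PROXY:-$HOME/tmp_proxy}"                  # short-lived copy used by users
HOLD_FILE="${HOLD_FILE:-$HOME/.proxy_renewal_hold}"        # hypothetical kill switch
TMP_LIFETIME="${TMP_LIFETIME:-12:00}"
VOMS_CMD="${VOMS_CMD:-glite-voms-proxy-init}"              # command taken from the page

# Succeeds only when the file carries no group or other permission bits (mode 0600/0700).
owner_only() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Returns 0 after a successful renewal, 2 when halted, 3 when the source is unsafe,
# 4 when the copy fails, otherwise the exit status of the voms command.
renew_tmp_proxy() {
    # 1. Kill switch: after a security violation, touch $HOLD_FILE and no
    #    further proxies are minted until it is removed (no crontab edit needed).
    if [ -e "$HOLD_FILE" ]; then
        echo "renewal halted: $HOLD_FILE present" >&2
        return 2
    fi
    # 2. Refuse to read a long-lived proxy that anyone but its owner can read.
    if [ ! -f "$LONG_PROXY" ] || ! owner_only "$LONG_PROXY"; then
        echo "refusing to use $LONG_PROXY: missing or not owner-only" >&2
        return 3
    fi
    # 3. Copy under a restrictive umask and force 0600 even if the file already existed.
    (umask 077 && cp "$LONG_PROXY" "$TMP_PROXY") && chmod 600 "$TMP_PROXY" || return 4
    # 4. Re-sign a 12-hour proxy from the copy; only this file is handed to users.
    "$VOMS_CMD" -valid "$TMP_LIFETIME" -cert "$TMP_PROXY" -key "$TMP_PROXY"
}

# crontab entry (crontab -e), every 12 hours:
#   0 */12 * * * /path/to/renew_tmp_proxy.sh
case "${0##*/}" in
    renew_tmp_proxy.sh) renew_tmp_proxy ;;
esac
```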

A better method would be to only use a MyProxy server. This is discussed below.

Method 2: MyProxy Server

  1. Use voms-proxy-init as per normal to create a proxy grid certificate. This certificate will have a lifetime of 12 hours and will allow you to communicate with the MyProxy server.
  2. Use the command myproxy-init -l -a to create a proxy certificate on the $MYPROXY_SERVER server. It will initially prompt for your grid certificate password, which will authenticate you to the server and enable you to create the proxy. You will then be prompted to enter a password for the proxy certificate. THIS MUST BE DIFFERENT TO YOUR GRID CERTIFICATE PASSPHRASE!!!!
  3. If successful, a proxy certificate will now be stored on the myproxy server with a default lifetime of 7 days. Any local proxies (i.e. those created with voms-proxy-init) can be destroyed or left to expire.
  4. On any system, a valid proxy certificate may now be retrieved from the myproxy server using the command myproxy-get-delegation -l . Users will be prompted for the proxy password (not the Grid Certificate passphrase), which may be read from a file using the switch -S < password_file. A 12 hour proxy will then be created on the local system.

It is important to remember that the myproxy certificate stored on the myproxy server can be destroyed at any time with the command myproxy-destroy -l .

-- ChristopherCurtis - 11 Aug 2009

Topic revision: r2 - 11 Aug 2009 - 15:28:51 - ChristopherCurtis