Introduction
This guide contains advanced configuration information for system administrators working with MyProxy. It provides references to information on procedures typically performed by system administrators, including installation, configuring, deploying, and testing the installation.
Important: This information is in addition to the basic Globus Toolkit prerequisite, overview, installation, and security configuration instructions in Installing GT 5.0.0. Read through this guide before continuing!
A typical MyProxy configuration has one dedicated myproxy-server for the site, with MyProxy clients installed on all systems where other Globus Toolkit client software is installed.
MyProxy is built and installed as part of a default GT 5.0.0 installation. For basic installation instructions, see Installing GT 5.0.0. No extra installation steps are required for this component.
If you wish to install MyProxy without installing the rest of the Globus Toolkit, follow the instructions in Installing GT 5.0.0 with the following changes. First, you do not need Ant, a JDK, or a JDBC database to build only MyProxy. Second, instead of running "make", run:
globus$ make gsi-myproxy
This will install the MyProxy client and server programs. For client-only installations, simply do not configure or use the installed server.
No additional configuration is required to use MyProxy clients after they are installed, although you may want to set the MYPROXY_SERVER environment variable to the hostname of your myproxy-server in the default user environment on your systems.
Please refer to the MyProxy Admin Guide for MyProxy server configuration instructions.
A sample SysV-style boot script for MyProxy is installed at $GLOBUS_LOCATION/share/myproxy/etc.init.d.myproxy. To install it on Linux, copy the file to /etc/rc.d/init.d/myproxy and run chkconfig --add myproxy. You will need to edit the file to set the GLOBUS_LOCATION environment variable correctly.
Alternatively, to run the myproxy-server out of inetd or xinetd, do the following as root:
- Add the entries in $GLOBUS_LOCATION/share/myproxy/etc.services.modifications to the /etc/services or /etc/inet/services file.
- Add the entries in $GLOBUS_LOCATION/share/myproxy/etc.inetd.conf.modifications to /etc/inetd.conf or /etc/inet/inetd.conf, or copy $GLOBUS_LOCATION/share/myproxy/etc.xinetd.myproxy to /etc/xinetd.d/myproxy. You'll need to modify the paths in the file according to your installation.
- Reactivate the inetd (or xinetd). This is typically accomplished by sending the SIGHUP signal to the daemon. Refer to the inetd or xinetd man page for your system.
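As an added example (not a file from the Globus or MyProxy distribution), the xinetd variant of the three steps above as an idempotent script: it adds the /etc/services line for port 7512 only if it is not already there, writes an xinetd service definition whose paths derive from GLOBUS_LOCATION, and reloads xinetd with SIGHUP. The attribute values in the service definition and the default GLOBUS_LOCATION of /usr/local/globus are assumptions; the shipped etc.xinetd.myproxy remains the authoritative template.

```sh
#!/bin/sh
# Added example: install myproxy-server as an xinetd service.
# Assumptions: GLOBUS_LOCATION defaults to /usr/local/globus and the
# host uses xinetd (not classic inetd). Override the paths via the
# environment when testing without touching the real system files.
GLOBUS_LOCATION="${GLOBUS_LOCATION:-/usr/local/globus}"
SERVICES_FILE="${SERVICES_FILE:-/etc/services}"
XINETD_FILE="${XINETD_FILE:-/etc/xinetd.d/myproxy}"

# Return 0 if FILE ($1) already carries a myproxy-server 7512/tcp entry.
services_entry_present() {
    grep -Eq '^myproxy-server[[:space:]]+7512/tcp' "$1"
}

# Append the services line to FILE ($1) exactly once.
add_services_entry() {
    services_entry_present "$1" && return 0
    printf 'myproxy-server\t7512/tcp\t# MyProxy credential repository\n' >> "$1"
}

# Write the xinetd service definition to FILE ($1). The server runs as
# root so it can read the host certificate and key, as the guide states.
write_xinetd_service() {
    cat > "$1" <<EOF
service myproxy-server
{
    socket_type = stream
    protocol    = tcp
    wait        = no
    user        = root
    server      = $GLOBUS_LOCATION/sbin/myproxy-server
    env         = GLOBUS_LOCATION=$GLOBUS_LOCATION LD_LIBRARY_PATH=$GLOBUS_LOCATION/lib
    disable     = no
}
EOF
}

# Ask a running xinetd to re-read its configuration (SIGHUP).
reload_xinetd() {
    pid=$(pidof xinetd 2>/dev/null) || return 1
    kill -HUP "$pid"
}

# Uncomment to apply on a real host (must be run as root):
# add_services_entry "$SERVICES_FILE" && write_xinetd_service "$XINETD_FILE" && reload_xinetd
```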
In addition, an example cron script is provided in $GLOBUS_LOCATION/share/myproxy/myproxy.cron for removing expired/revoked credentials from the repository. You will need to edit the file to set the GLOBUS_LOCATION environment variable correctly before installing it in (for example) /etc/cron.hourly.
To verify your myproxy-server installation and configuration, you can run the myproxy-server directly from your shell. If using a host certificate, you will need to run the myproxy-server as root.

First, make sure your Globus environment is set up in your shell. Set the GLOBUS_LOCATION environment variable to the location of your MyProxy installation. Then, depending on your shell, run one of the following commands.

For csh shells:
source $GLOBUS_LOCATION/etc/globus-user-env.csh

For sh shells:
. $GLOBUS_LOCATION/etc/globus-user-env.sh

Then, run $GLOBUS_LOCATION/sbin/myproxy-server -d. The -d argument runs the myproxy-server in debug mode: it writes debugging messages to the terminal and exits after servicing a single request, so you will need to start it once for each test request. In another shell, you can run the MyProxy client programs to test the server.

If run without the -d argument, the myproxy-server program will start up and background itself. It accepts connections on TCP port 7512, forking off a separate child to handle each incoming connection, and logs information via the syslog service under the daemon facility.
You should choose a well-protected host to run the myproxy-server on. Consult with security-aware personnel at your site. You want a host that is secured to the level of a Kerberos KDC, that has limited user access, runs limited services, and is well monitored and maintained in terms of security patches.
For a typical myproxy-server installation, the host on which the myproxy-server is running must have /etc/grid-security created and a host certificate installed. In this case, the myproxy-server will run as root so it can access the host certificate and key.
For a list of common errors in GT, see Error Codes.
Table 7.1. MyProxy Errors

| Error Code | Definition | Possible Solutions |
|---|---|---|
| MyProxy server name does not match expected name | This error appears as a mutual authentication failure or a server authentication failure, and the error message should list two names: the expected name of the MyProxy server and the actual authenticated name. By default, the MyProxy clients expect the MyProxy server to be running with a host certificate that matches the target hostname. This error can occur when running the MyProxy server under a non-host certificate or if the server is running on a machine with multiple hostnames. The MyProxy clients authenticate the identity of the MyProxy server to avoid sending passphrases and credentials to rogue servers. If the expected name contains an IP address, your system is unable to do a reverse lookup on that address to get the canonical hostname of the server, indicating either a problem with that machine's DNS record or a problem with the resolver on your system. | If the server name shown in the error message is acceptable, set the MYPROXY_SERVER_DN environment variable to that name to resolve the problem. |
| Error in bind(): Address already in use | This error indicates that the myproxy-server port (default: 7512) is in use by another process, probably another myproxy-server instance. You cannot run multiple instances of the myproxy-server on the same network port. | If you want to run multiple instances of the myproxy-server on a machine, you can specify different ports with the -p option, and then give the same -p option to the MyProxy commands to tell them to use the myproxy-server on that port. |
| grid-proxy-init failed | This error indicates that the grid-proxy-init command failed when myproxy-init attempted to run it, which implies a problem with the underlying Globus installation. | Run grid-proxy-init -debug -verify for more information. |
| User not authorized | An error from the myproxy-server saying you are "not authorized" to complete an operation typically indicates that the myproxy-server.config file settings are restricting your access to the myproxy-server. It is possible that the myproxy-server is running with the default myproxy-server.config file, which does not authorize any operations. | See Configuring MyProxy for more information. |
| Unable to verify remote side's credentials | An error saying "Unable to verify remote side's credentials," "Couldn't verify the remote certificate," or "alert bad certificate" often indicates that the client or server's certificate is signed by an untrusted Certification Authority (CA). The client must have a CA certificate and signing policy file installed in /etc/grid-security/certificates for the CA that signed the server's certificate. Likewise, the server must have a CA certificate and signing policy file installed in /etc/grid-security/certificates for the CA that signed the client's certificate. | See Configuring Certificates for more information. |
For additional information, see the MyProxy Troubleshooting Page at NCSA.
By default, the myproxy-server will send a UDP packet containing usage information to usage-stats.cilogon.org:4810 after serving each request. See the MyProxy Privacy Policy for details.
Glossary

- host certificate: An EEC (end entity certificate) belonging to a host. When using GSI this certificate is typically stored in /etc/grid-security/hostcert.pem. For more information on possible host certificate locations see the GSI C Developer's Guide.