GT 5.0.2 MyProxy: Developer's Guide

Introduction

Please refer to the MyProxy Developer's Guide on the MyProxy web site.


Chapter 1. Before you begin

1. Feature summary

Supported Features

  • Users can obtain certificates and trust roots from the MyProxy CA using myproxy-logon.
  • Users can store and retrieve multiple X.509 proxy credentials using myproxy-init and myproxy-logon.
  • Users can store and retrieve multiple X.509 end-entity credentials using myproxy-store and myproxy-retrieve.
  • Users and administrators can manage trustroots (CA certificates and CRLs) using myproxy-logon and myproxy-get-trustroots.
  • Administrators can load the repository with X.509 end-entity credentials on the users' behalf using myproxy-admin-load-credential.
  • Administrators can use the myproxy-admin-adduser command to create user credentials and load them into the MyProxy repository.
  • Administrators can use the myproxy-admin-addservice command to create host credentials and load them into the MyProxy repository.
  • Users and administrators can set access control policies on the credentials in the repository.
  • If allowed by policy, job managers (such as Condor-G) can renew credentials before they expire.
  • The MyProxy server enforces local site passphrase policies using a configurable external call-out.

Deprecated Features

  • None

2. Tested platforms

Tested Platforms for MyProxy:

  • Mac OS X 10.5
  • x86/x86_64 GNU/Linux
  • PPC AIX 5.3
  • Sun4u Solaris 5.10

3. Backward compatibility summary

All MyProxy versions are fully backwards compatible.

4. Technology dependencies

MyProxy depends on the following GT component:

5. MyProxy Security Considerations

You should choose a well-protected host to run the myproxy-server on. Consult with security-aware personnel at your site. You want a host that is secured to the level of a Kerberos KDC, that has limited user access, runs limited services, and is well monitored and maintained in terms of security patches.

For a typical myproxy-server installation, the host on which the myproxy-server is running must have /etc/grid-security created and a host certificate installed. In this case, the myproxy-server will run as root so it can access the host certificate and key.

Chapter 2. Usage scenarios

Please refer to the MyProxy User Guide for MyProxy usage scenarios.

Chapter 3. Tutorials

There are no tutorials available at this time.

Chapter 4. Architecture and design overview

The MyProxy system architecture and design is described in the following two publications:

Chapter 5. Troubleshooting

1. Common GT Errors

For a list of common errors in GT, see Error Codes.

2. Errors

Table 5.1. MyProxy Errors (columns: Error Code; Definition; Possible Solutions)

Error Code: MyProxy server name does not match expected name

Definition: This error appears as a mutual authentication failure or a server authentication failure, and the error message should list two names: the expected name of the MyProxy server and the actual authenticated name.

By default, the MyProxy clients expect the MyProxy server to be running with a host certificate that matches the target hostname. This error can occur when running the MyProxy server under a non-host certificate or if the server is running on a machine with multiple hostnames.

The MyProxy clients authenticate the identity of the MyProxy server to avoid sending passphrases and credentials to rogue servers.

Possible Solutions: If the expected name contains an IP address, your system is unable to do a reverse lookup on that address to get the canonical hostname of the server, indicating either a problem with that machine's DNS record or a problem with the resolver on your system.

If the server name shown in the error message is acceptable, set the MYPROXY_SERVER_DN environment variable to that name to resolve the problem.

Error Code: Error in bind(): Address already in use

Definition: This error indicates that the myproxy-server port (default: 7512) is in use by another process, probably another myproxy-server instance. You cannot run multiple instances of the myproxy-server on the same network port.

Possible Solutions: If you want to run multiple instances of the myproxy-server on a machine, you can specify different ports with the -p option, and then give the same -p option to the MyProxy commands to tell them to use the myproxy-server on that port.

Error Code: grid-proxy-init failed

Definition: This error indicates that the grid-proxy-init command failed when myproxy-init attempted to run it, which implies a problem with the underlying Globus installation.

Possible Solutions: Run

grid-proxy-init -debug -verify

for more information.

Error Code: User not authorized

Definition: An error from the myproxy-server saying you are "not authorized" to complete an operation typically indicates that the myproxy-server.config file settings are restricting your access to the myproxy-server. It is possible that the myproxy-server is running with the default myproxy-server.config file, which does not authorize any operations.

Possible Solutions: See Configuring MyProxy for more information.

Error Code: Unable to verify remote side's credentials

Definition: An error saying "Unable to verify remote side's credentials," "Couldn't verify the remote certificate," or "alert bad certificate" often indicates that the client or server's certificate is signed by an untrusted Certification Authority (CA).

Possible Solutions: The client must have a CA certificate and signing policy file installed in /etc/grid-security/certificates for the CA that signed the server's certificate. Likewise, the server must have a CA certificate and signing policy file installed in /etc/grid-security/certificates for the CA that signed the client's certificate. See Configuring Certificates for more information.
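As an added illustration (not MyProxy's own code) of the server-name check behind the first error above: the client accepts the server's authenticated name only if it matches the target hostname, or the full DN pinned in MYPROXY_SERVER_DN, and a failed reverse lookup leaves an IP address in the expected name. The constructed reverse-DNS table, the accepted CN forms host/<fqdn> and <fqdn>, and the slash-separated DN parsing are assumptions.

```python
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

# Constructed reverse-DNS table standing in for the system resolver (not real hosts).
PTR_RECORDS: Dict[str, str] = {"192.0.2.10": "myproxy.example.org"}


def lookup_ptr(addr: str) -> Optional[str]:
    """Stand-in for a reverse lookup; None models a missing PTR record or a broken resolver."""
    return PTR_RECORDS.get(addr)


def common_name(dn: str) -> str:
    """Return the last CN of a slash-separated DN, e.g. '/O=Ex/CN=host/h' -> 'host/h'."""
    idx = dn.rfind("/CN=")
    return dn[idx + 4:] if idx >= 0 else ""


def expected_names(target: str, env: Dict[str, str],
                   reverse_lookup: Callable[[str], Optional[str]] = lookup_ptr) -> Tuple[List[str], str]:
    """Names the client will accept for the server, plus a diagnostic note.

    MYPROXY_SERVER_DN pins the full DN. Otherwise the CN must match the target hostname;
    the accepted forms 'host/<fqdn>' and '<fqdn>' are an assumption modelled on GSI convention.
    """
    pinned = env.get("MYPROXY_SERVER_DN")
    if pinned:
        return [pinned], "expected name taken from MYPROXY_SERVER_DN"
    host = target
    try:
        ipaddress.ip_address(target)  # target given as an IP address rather than a hostname
    except ValueError:
        pass
    else:
        resolved = reverse_lookup(target)
        if resolved is None:
            # The table's symptom: an IP in the expected name means the reverse lookup failed.
            return [f"host/{target}"], "reverse lookup failed: check the server's DNS record or the local resolver"
        host = resolved
    return [f"host/{host}", host], "expected name derived from target hostname"


def check_server_identity(target: str, authenticated_dn: str, env: Dict[str, str],
                          reverse_lookup: Callable[[str], Optional[str]] = lookup_ptr) -> Tuple[bool, str]:
    """Accept the server only if its authenticated name matches what the client expects."""
    names, note = expected_names(target, env, reverse_lookup)
    actual = authenticated_dn if env.get("MYPROXY_SERVER_DN") else common_name(authenticated_dn)
    if actual in names:
        return True, note
    return False, (f"MyProxy server name does not match expected name: "
                   f"expected '{names[0]}', authenticated '{actual}'; {note}")
```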

3. Additional MyProxy Troubleshooting

For additional information, see the MyProxy Troubleshooting Page at NCSA.

Chapter 6. Related Documentation

For additional information about MyProxy, see the MyProxy Project Home Page at NCSA.

Glossary

H

host certificate

An EEC belonging to a host. When using GSI this certificate is typically stored in /etc/grid-security/hostcert.pem. For more information on possible host certificate locations see the GSI C Developer's Guide.

host credentials

The combination of a host certificate and its corresponding private key.

P

proxy credentials

The combination of a proxy certificate and its corresponding private key. GSI typically stores proxy credentials in /tmp/x509up_u<uid>, where <uid> is the user id of the proxy owner.

U

user credentials

The combination of a user certificate and its corresponding private key.