GT 3.9.4 MyProxy: User's Guide
Introduction
Rather than storing your X.509 credentials (certificate and private key) on each machine you use, you can store them in a MyProxy repository and retrieve a proxy credential from the MyProxy repository when needed.
To store a credential in the MyProxy repository, run the myproxy-init command on a computer where your Grid credentials are located.
For example:
$ myproxy-init -a -s myproxy.ncsa.uiuc.edu
Your identity: /C=US/O=National Computational Science Alliance/CN=Jim Basney
Enter GRID pass phrase for this identity:
Creating proxy ........................................... Done
Your proxy is valid until Fri Sep 13 13:52:56 2002
Enter MyProxy Pass Phrase:
Verifying password - Enter MyProxy Pass Phrase:
A proxy valid for 168 hours (7.0 days) for user jbasney now exists on myproxy.ncsa.uiuc.edu.
The myproxy-init command prompts first for the pass phrase of your private key (similar to grid-proxy-init) and then prompts twice for a new pass phrase to use to secure the credentials on the MyProxy server. By default, the credential is stored under your Unix username (jbasney in the example above) for 7 days and can be used to retrieve credentials with 12 hour lifetimes. The Command-line tools section below lists all the available options for the myproxy-init command.
Once you've stored a credential in the MyProxy repository, you can retrieve a proxy credential whenever you need one with the myproxy-get-delegation command.
For example:
$ myproxy-get-delegation -s myproxy.ncsa.uiuc.edu
Enter MyProxy Pass Phrase:
A proxy has been received for user jbasney in /tmp/x509up_u500
The myproxy-get-delegation command prompts for the pass phrase you set previously with myproxy-init, retrieves a proxy credential for you, and stores it in the correct default location for use with other Globus Toolkit programs. The Command-line tools section below lists all the available options for the myproxy-get-delegation command.
Command-line tools
- myproxy-init
- myproxy-info
- myproxy-get-delegation
- myproxy-destroy
- myproxy-change-pass-phrase
- myproxy-admin-adduser
- myproxy-admin-change-pass
- myproxy-admin-query
- myproxy-admin-load-credential
- myproxy-server
myproxy-init
Tool description
The myproxy-init command uploads a credential to a myproxy-server for
later retrieval. In the default mode, the command first prompts for the user's
Grid pass phrase (if needed), which is used to create a proxy credential. The
command then prompts for a MyProxy pass phrase, which will be required to later
retrieve the credential. The MyProxy pass phrase must be entered a second time
for confirmation. A credential with a lifetime of one week (by default) is
then delegated to the myproxy-server and stored with the given
MyProxy pass phrase. Proxy credentials with default lifetime of 12 hours can
then be retrieved by myproxy-get-delegation using the MyProxy
passphrase. The default behavior can be overridden by options specified below.
The myproxy-init command can also upload a credential to a myproxy-server to
support credential renewal. Renewal allows a trusted service (for example,
a batch job scheduler) to obtain a new credential for a user before the existing
credential it has for that user expires. The -R argument to myproxy-init configures
the credential for renewal by the specified service. Renewal requires two authentications.
The renewing service must authenticate with its own credentials, matching the
distinguished name specified by the -R argument, and must also
authenticate with an existing credential that matches the distinguished name
of the stored credential, to retrieve a new credential.
A credential may be used either for retrieval or renewal but not both. If
both are desired, upload a different credential for each use, with a different
name using the -k option.
The hostname where the myproxy-server is running must be specified
by either defining the MYPROXY_SERVER environment variable or
the -s option.
Command syntax
myproxy-init [ options ]
Command options
- -h, --help
- Displays command usage text and exits.
- -u, --usage
- Displays command usage text and exits.
- -v, --verbose
- Enables verbose debugging output to the terminal.
- -V, --version
- Displays version information and exits.
- -s hostname, --pshost hostname
- Specifies the hostname of the myproxy-server. This option is required if the MYPROXY_SERVER environment variable is not defined. If specified, this option overrides the MYPROXY_SERVER environment variable.
- -p port, --psport port
- Specifies the TCP port number of the myproxy-server. Default: 7512
- -l, --username
- Specifies the MyProxy account under which the credential should be stored. By default, the command uses the value of the LOGNAME environment variable. Use this option to specify a different account username on the MyProxy server. The MyProxy username need not correspond to a real Unix username.
- -c hours, --cred_lifetime hours
- Specifies the lifetime of the credential stored on the myproxy-server in hours. Specify 0 for the maximum possible lifetime, i.e., the lifetime of the original credential. Default: 1 week (168 hours)
- -t hours, --proxy_lifetime hours
- Specifies the maximum lifetime of credentials retrieved from the myproxy-server using the stored credential. Default: 12 hours
- -d, --dn_as_username
- Use the certificate subject (DN) as the default username, instead of the LOGNAME environment variable.
- -a, --allow_anonymous_retrievers
- Allow credentials to be retrieved with just pass phrase authentication. By default, only entities with credentials that match the myproxy-server.config default retriever policy may retrieve credentials. This option allows entities without existing credentials to retrieve a credential using pass phrase authentication by including "anonymous" in the set of allowed retrievers. The myproxy-server.config server-wide policy must also allow "anonymous" clients for this option to have an effect.
- -A, --allow_anonymous_renewers
- Allow credentials to be renewed by any client. Any client with a valid credential with a subject name that matches the stored credential may retrieve a new credential from the MyProxy repository if this option is given. Since this effectively defeats the purpose of proxy credential lifetimes, it is not recommended. It is included only for sake of completeness.
- -r dn, --retrievable_by dn
- Allow the specified entity to retrieve credentials. By default, the argument will be matched against the common name (CN) of the client (for example: "Jim Basney"). Specify -x before this option to match against the full distinguished name (DN) (for example: "/C=US/O=National Computational Science Alliance/CN=Jim Basney") instead.
- -R dn, --renewable_by dn
- Allow the specified entity to renew credentials. By default, the argument will be matched against the common name (CN) of the client (for example: "condorg/modi4.ncsa.uiuc.edu"). Specify -x before this option to match against the full distinguished name (DN) (for example: "/C=US/O=National Computational Science Alliance/CN=condorg/modi4.ncsa.uiuc.edu") instead. This option implies -n since passphrase authentication is not used for credential renewal.
- -x, --regex_dn_match
- Specifies that the DN used by options -r and -R will be matched as a regular expression.
- -X, --match_cn_only
- Specifies that the DN used by options -r and -R will be matched against the Common Name (CN) of the subject.
- -k name, --credname name
- Specifies the credential name.
- -K description, --creddesc description
- Specifies credential description.
- -S, --stdin_pass
- By default, the command prompts for a passphrase and reads the passphrase from the active tty. When running the command non-interactively, there may be no associated tty. Specifying this option tells the command to read passphrases from standard input without prompts or confirmation.
myproxy-info
Tool description
The myproxy-info command displays information about a user's
credentials stored on a myproxy-server. The user must have a
valid proxy credential as generated by grid-proxy-init or retrieved
by myproxy-get-delegation when running this command.
Command syntax
myproxy-info [ options ]
Command options
- -h, --help
- Displays command usage text and exits.
- -u, --usage
- Displays command usage text and exits.
- -v, --verbose
- Enables verbose debugging output to the terminal.
- -V, --version
- Displays version information and exits.
- -s hostname, --pshost hostname
- Specifies the hostname of the myproxy-server. This option is required if the MYPROXY_SERVER environment variable is not defined. If specified, this option overrides the MYPROXY_SERVER environment variable.
- -p port, --psport port
- Specifies the TCP port number of the myproxy-server. Default: 7512
- -l name, --username name
- Specifies the MyProxy account to query. By default, the command uses the value of the LOGNAME environment variable. Use this option to specify a different account username on the MyProxy server. The MyProxy username need not correspond to a real Unix username.
- -d, --dn_as_username
- Use the certificate subject (DN) as the default username, instead of the LOGNAME environment variable.
myproxy-get-delegation
Tool description
The myproxy-get-delegation command retrieves a credential from
the myproxy-server that was previously stored using myproxy-init.
In the default mode, the command prompts for the MyProxy pass phrase associated
with the credential to be retrieved and stores the retrieved credential
in the standard location (/tmp/x509up_u<uid>).
Command syntax
myproxy-get-delegation [ options ]
Command options
- -h, --help
- Displays command usage text and exits.
- -u, --usage
- Displays command usage text and exits.
- -v, --verbose
- Enables verbose debugging output to the terminal.
- -V, --version
- Displays version information and exits.
- -s hostname, --pshost hostname
- Specifies the hostname of the myproxy-server. This option is required if the MYPROXY_SERVER environment variable is not defined. If specified, this option overrides the MYPROXY_SERVER environment variable.
- -p port, --psport port
- Specifies the TCP port number of the myproxy-server. Default: 7512
- -l, --username
- Specifies the MyProxy account under which the credential to retrieve is stored. By default, the command uses the value of the LOGNAME environment variable. Use this option to specify a different account username on the MyProxy server. The MyProxy username need not correspond to a real Unix username.
- -d, --dn_as_username
- Use the certificate subject (DN) as the default username, instead of the LOGNAME environment variable. When used with the -a option, the certificate subject of the authorization credential is used. Otherwise, the certificate subject of the default credential is used.
- -t hours, --proxy_lifetime hours
- Specifies the lifetime of credentials retrieved from the myproxy-server using the stored credential. The resulting lifetime is the shorter of the requested lifetime and the lifetime specified when the credential was stored using myproxy-init. Default: 12 hours
- -o file, --out file
- Specifies where the retrieved proxy credential should be stored. If this option is not specified, the proxy credential will be stored in the default location (/tmp/x509up_u<uid>).
- -a file, --authorization file
- Specifies a credential to be used for authorizing the request instead of a passphrase. When renewing a credential, use this option to specify the existing, valid credential that you want to renew. Renewing a credential generally requires two certificate-based authentications. The client authenticates with its identity, using the credential in the standard location or specified by X509_USER_PROXY or X509_USER_CERT and X509_USER_KEY in addition to authenticating with the existing credential, in the location specified by this option, that it wants to renew.
- -k name, --credname name
- Specifies the name of the credential that is to be retrieved or renewed.
- -S, --stdin_pass
- By default, the command prompts for a passphrase and reads the passphrase from the active tty. When running the command non-interactively, there may be no associated tty. Specifying this option tells the command to read passphrases from standard input without prompts or confirmation.
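A non-interactive retrieval with -S, as an added example that is not part of the MyProxy documentation or distribution: the wrapper checks that the pass phrase file is private, feeds it on standard input, and confirms the retrieved proxy is private too. MYPROXY_GET and the function names are assumptions made for this example; the command-line options are the ones listed above.

```shell
#!/bin/sh
# Added example, not part of MyProxy: fetch a proxy from cron or a batch job.
# MYPROXY_GET is a hypothetical override so the wrapper can be pointed at a
# different binary (or a stub when testing); it is not a MyProxy variable.
MYPROXY_GET=${MYPROXY_GET:-myproxy-get-delegation}

# is_private FILE
# Succeeds only for a regular, non-symlink file that has no group or other
# permission bits set.
is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    [ -z "$(find "$1" -prune \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print)" ]
}

# fetch_proxy PASSFILE OUTFILE [HOURS]
# Return codes: 0 ok, 2 no server configured, 3 pass phrase file not private,
# 4 retrieval failed, 5 retrieved proxy not private.
fetch_proxy() {
    passfile=$1
    out=$2
    hours=${3:-12}

    # The server name is taken from MYPROXY_SERVER and passed with -s.
    if [ -z "${MYPROXY_SERVER:-}" ]; then
        echo "fetch_proxy: MYPROXY_SERVER is not set" >&2
        return 2
    fi
    # A pass phrase file that other accounts can read is as good as disclosed.
    if ! is_private "$passfile"; then
        echo "fetch_proxy: $passfile must have no group/other access" >&2
        return 3
    fi
    # -S reads the pass phrase from standard input, so it never appears in
    # the argument list where other local users could see it with ps.
    # umask 077 keeps the output file private from the moment it is created.
    (
        umask 077
        "$MYPROXY_GET" -s "$MYPROXY_SERVER" -S -t "$hours" -o "$out" \
            < "$passfile"
    ) || return 4
    if ! is_private "$out"; then
        echo "fetch_proxy: $out is not private, removing it" >&2
        rm -f "$out"
        return 5
    fi
}
```

Requesting a lifetime shorter than the 12 hour default with the third argument limits how long a proxy left behind by a job remains usable.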
myproxy-destroy
Tool description
The myproxy-destroy command removes a credential from the myproxy-server that
was previously stored using myproxy-init. The user must have a
valid proxy credential as generated by grid-proxy-init or retrieved
by myproxy-get-delegation when running this command.
Command syntax
myproxy-destroy [ options ]
Command options
- -h, --help
- Displays command usage text and exits.
- -u, --usage
- Displays command usage text and exits.
- -v, --verbose
- Enables verbose debugging output to the terminal.
- -V, --version
- Displays version information and exits.
- -s hostname, --pshost hostname
- Specifies the hostname of the myproxy-server. This option is required if the MYPROXY_SERVER environment variable is not defined. If specified, this option overrides the MYPROXY_SERVER environment variable.
- -p port, --psport port
- Specifies the TCP port number of the myproxy-server. Default: 7512
- -l, --username
- Specifies the MyProxy account under which the credential to destroy is stored. By default, the command uses the value of the LOGNAME environment variable. Use this option to specify a different account username on the MyProxy server. The MyProxy username need not correspond to a real Unix username.
- -d, --dn_as_username
- Use the certificate subject (DN) as the default username, instead of the LOGNAME environment variable.
- -k name, --credname name
- Specifies name of the credential to be destroyed.
myproxy-change-pass-phrase
Tool description
The myproxy-change-pass-phrase command changes the passphrase
under which a credential is protected in the MyProxy repository. The command
first prompts for the current passphrase for the credential, then prompts twice
for the new passphrase. Only the credential owner can change a credential's
passphrase. The user must have a valid proxy credential as generated by grid-proxy-init or
retrieved by myproxy-get-delegation when running this command.
Command syntax
myproxy-change-pass-phrase [ options ]
Command options
- -h, --help
- Displays command usage text and exits.
- -u, --usage
- Displays command usage text and exits.
- -v, --verbose
- Enables verbose debugging output to the terminal.
- -V, --version
- Displays version information and exits.
- -s hostname, --pshost hostname
- Specifies the hostname of the myproxy-server. This option is required if the MYPROXY_SERVER environment variable is not defined. If specified, this option overrides the MYPROXY_SERVER environment variable.
- -p port, --psport port
- Specifies the TCP port number of the myproxy-server. Default: 7512
- -l, --username
- Specifies the MyProxy account under which the credential should be stored. By default, the command uses the value of the LOGNAME environment variable. Use this option to specify a different account username on the MyProxy server. The MyProxy username need not correspond to a real Unix username.
- -d, --dn_as_username
- Use the certificate subject (DN) as the default username, instead of the LOGNAME environment variable.
- -k name, --credname name
- Specifies the credential name.
- -S, --stdin_pass
- By default, the command prompts for a passphrase and reads the passphrase from the active tty. When running the command non-interactively, there may be no associated tty. Specifying this option tells the command to read passphrases from standard input without prompts or confirmation.
myproxy-admin-adduser
Tool description
The myproxy-admin-adduser command creates a new credential for
a user and loads it into the MyProxy repository. It is a perl script
that runs grid-cert-request (a standard Globus Toolkit program)
and grid-ca-sign (from the Globus Simple CA package) to create
the credential and then runs myproxy-admin-load-credential to
load the credential into the MyProxy repository. The command prompts for the
common name to be included in the new certificate (if the -c argument
is not specified), the Globus Simple CA key password for signing the certificate,
the MyProxy username (if the -l or -d arguments are
not specified), and the MyProxy passphrase for the credential. Most of the
command-line options for this command are passed directly to the myproxy-admin-load-credential command.
The Globus Simple CA must be configured before using this command.
Command syntax
myproxy-admin-adduser [ options ]
Command options
- -h
- Displays command usage text and exits.
- -u
- Displays command usage text and exits.
- -c cn
- Specifies the Common Name for the new credential (for example: "Jim Basney").
- -s dir
- Specifies the location of the credential storage directory. The directory must be accessible only by the user running the myproxy-server process for security reasons. Default: /var/myproxy or $GLOBUS_LOCATION/var/myproxy
- -l username
- Specifies the MyProxy account under which the credential should be stored.
- -t hours
- Specifies the maximum lifetime of credentials retrieved from the myproxy-server using the stored credential. Default: 12 hours
- -n
- Disables passphrase authentication for the stored credential. If specified, the command will not prompt for a passphrase, the credential will not be encrypted by a passphrase in the repository, and the credential will not be retrievable using passphrase authentication with myproxy-get-delegation. This option is used for storing renewable credentials and is implied by -R.
- -d
- Use the certificate subject (DN) as the username.
- -a
- Allow credentials to be retrieved with just pass phrase authentication. By default, only entities with credentials that match the myproxy-server.config default retriever policy may retrieve credentials. This option allows entities without existing credentials to retrieve a credential using pass phrase authentication by including "anonymous" in the set of allowed retrievers. The myproxy-server.config server-wide policy must also allow "anonymous" clients for this option to have an effect.
- -A
- Allow credentials to be renewed by any client. Any client with a valid credential with a subject name that matches the stored credential may retrieve a new credential from the MyProxy repository if this option is given. Since this effectively defeats the purpose of proxy credential lifetimes, it is not recommended. It is included only for sake of completeness.
- -r dn
- Allow the specified entity to retrieve credentials. By default, the argument will be matched against the common name (CN) of the client (for example: "Jim Basney"). Specify -x before this option to match against the full distinguished name (DN) (for example: "/C=US/O=National Computational Science Alliance/CN=Jim Basney") instead.
- -R dn
- Allow the specified entity to renew credentials. By default, the argument will be matched against the common name (CN) of the client (for example: "condorg/modi4.ncsa.uiuc.edu"). Specify -x before this option to match against the full distinguished name (DN) (for example: "/C=US/O=National Computational Science Alliance/CN=condorg/modi4.ncsa.uiuc.edu") instead. This option implies -n since passphrase authentication is not used for credential renewal.
- -x
- Specifies that the DN used by options -r and -R will be matched as a regular expression.
- -X
- Specifies that the DN used by options -r and -R will be matched against the Common Name (CN) of the subject.
- -k name
- Specifies the credential name.
- -K description
- Specifies credential description.
myproxy-admin-change-pass
Tool description
The myproxy-admin-change-pass command changes the passphrase
used to encrypt a credential in the MyProxy repository. The command first prompts
for the current passphrase for the credential, then prompts twice for the new
passphrase. If an empty passphrase is given, the credential will not be encrypted.
It accesses the repository directly and must be run on the machine where the myproxy-server is
installed from the account that owns the repository.
Command syntax
myproxy-admin-change-pass [ options ]
Command options
- -h
- Displays command usage text and exits.
- -u
- Displays command usage text and exits.
- -s dir
- Specifies the location of the credential storage directory. The directory must be accessible only by the user running the myproxy-server process for security reasons. Default: /var/myproxy or $GLOBUS_LOCATION/var/myproxy
- -l username
- Specifies the MyProxy account under which the credential should be stored.
- -k name
- Specifies the credential name.
- -S, --stdin_pass
- By default, the command prompts for a passphrase and reads the passphrase from the active tty. When running the command non-interactively, there may be no associated tty. Specifying this option tells the command to read passphrases from standard input without prompts or confirmation.
myproxy-admin-query
Tool description
The myproxy-admin-query command displays information about the
credentials stored in the MyProxy repository. It can also be used to remove
credentials from the repository. It accesses the repository directly and must
be run on the machine where the myproxy-server is installed from
the account that owns the repository.
Command syntax
myproxy-admin-query [ options ]
Command options
- -h, --help
- Displays command usage text and exits.
- -u, --usage
- Displays command usage text and exits.
- -v, --verbose
- Enables verbose debugging output to the terminal.
- -V, --version
- Displays version information and exits.
- -l name, --username name
- Return information on credentials for a single username. By default, the command returns information on all credentials for all usernames.
- -k name, --credname name
- Return information on the credentials with the specified name.
- -e hours, --expiring_in hours
- Return information on credentials with remaining lifetime less than the specified number of hours. For example, -e 0 will return all expired credentials.
- -t hours, --time_left hours
- Return information on credentials with remaining lifetime greater than the specified number of hours.
- -s dir, --storage dir
- Specifies the location of the credential storage directory. The directory must be accessible only by the user running the myproxy-server process for security reasons. Default: /var/myproxy or $GLOBUS_LOCATION/var/myproxy
- -r, --remove
- Remove the credentials matching the query from the repository. For example, myproxy-admin-query -e 0 -r will remove all expired credentials from the repository.
- -L msg, --lock msg
- Places the credentials matching the query under an administrative lock and specifies a message to be returned on access attempts.
- -U, --unlock
- Removes any administrative locks for the credentials matching the query.
myproxy-admin-load-credential
Tool description
The myproxy-admin-load-credential command stores a credential
directly in the local MyProxy repository. It must be run from the account that
owns the repository. Many of the options are similar to myproxy-init.
However, unlike myproxy-init, myproxy-admin-load-credential does
not create a proxy from the source credential but instead directly loads a
copy of the source credential into the repository. The pass phrase of the source
credential is unchanged. Use myproxy-admin-change-pass to change
the pass phrase after the credential is stored if desired. Proxy credentials
with default lifetime of 12 hours can then be retrieved by myproxy-get-delegation using
the MyProxy passphrase. The command's behavior is controlled by the following
options.
Command syntax
myproxy-admin-load-credential [ options ]
Command options
- -h, --help
- Displays command usage text and exits.
- -u, --usage
- Displays command usage text and exits.
- -v, --verbose
- Enables verbose debugging output to the terminal.
- -V, --version
- Displays version information and exits.
- -s dir, --storage dir
- Specifies the location of the credential storage directory. The directory must be accessible only by the user running the myproxy-server process for security reasons. Default: /var/myproxy or $GLOBUS_LOCATION/var/myproxy
- -c filename, --certfile filename
- Specifies the filename of the source certificate. This is a required parameter.
- -y filename, --keyfile filename
- Specifies the filename of the source private key. This is a required parameter.
- -l username, --username username
- Specifies the MyProxy account under which the credential should be stored. By default, the command uses the value of the LOGNAME environment variable. Use this option to specify a different account username on the MyProxy server. The MyProxy username need not correspond to a real Unix username.
- -t hours, --proxy_lifetime hours
- Specifies the maximum lifetime of credentials retrieved from the myproxy-server using the stored credential. Default: 12 hours
- -d, --dn_as_username
- Use the certificate subject (DN) as the username.
- -a, --allow_anonymous_retrievers
- Allow credentials to be retrieved with just pass phrase authentication. By default, only entities with credentials that match the myproxy-server.config default retriever policy may retrieve credentials. This option allows entities without existing credentials to retrieve a credential using pass phrase authentication by including "anonymous" in the set of allowed retrievers. The myproxy-server.config server-wide policy must also allow "anonymous" clients for this option to have an effect.
- -A, --allow_anonymous_renewers
- Allow credentials to be renewed by any client. Any client with a valid credential with a subject name that matches the stored credential may retrieve a new credential from the MyProxy repository if this option is given. Since this effectively defeats the purpose of proxy credential lifetimes, it is not recommended. It is included only for sake of completeness.
- -r dn, --retrievable_by dn
- Allow the specified entity to retrieve credentials. By default, the argument will be matched against the common name (CN) of the client (for example: "Jim Basney"). Specify -x before this option to match against the full distinguished name (DN) (for example: "/C=US/O=National Computational Science Alliance/CN=Jim Basney") instead.
- -R dn, --renewable_by dn
- Allow the specified entity to renew credentials. By default, the argument will be matched against the common name (CN) of the client (for example: "condorg/modi4.ncsa.uiuc.edu"). Specify -x before this option to match against the full distinguished name (DN) (for example: "/C=US/O=National Computational Science Alliance/CN=condorg/modi4.ncsa.uiuc.edu") instead.
- -x, --regex_dn_match
- Specifies that the DN used by options -r and -R will be matched as a regular expression.
- -X, --match_cn_only
- Specifies that the DN used by options -r and -R will be matched against the Common Name (CN) of the subject.
- -k name, --credname name
- Specifies the credential name.
- -K description, --creddesc description
- Specifies credential description.
myproxy-server
Tool description
The myproxy-server is a server that runs on a trusted, secure
host and manages a database of security credentials for use from remote sites.
The myproxy-init program stores credentials with associated policies
that specify credential lifetimes and who is authorized to retrieve credentials.
The myproxy-server.config file sets server-wide policies that
are used in conjunction with the policies set by myproxy-init to
control who is authorized to store and retrieve credentials.
Command syntax
myproxy-server [ options ]
Command options
- -h, --help
- Displays command usage text and exits.
- -u, --usage
- Displays command usage text and exits.
- -v, --verbose
- Enables verbose debugging output to the terminal.
- -V, --version
- Displays version information and exits.
- -d, --debug
- Run the server in debug mode. In this mode, the server will run in the foreground, will accept one connection, write log messages to the terminal while processing the incoming request, and exit after completing one request.
- -p port, --port port
- Specifies the TCP port number that the myproxy-server should listen on. Default: 7512
- -c file, --config file
- Specifies the location of the myproxy-server configuration file. Default: /etc/myproxy-server.config or $GLOBUS_LOCATION/etc/myproxy-server.config
- -s dir, --storage dir
- Specifies the location of the credential storage directory. The directory must be accessible only by the user running the myproxy-server process for security reasons. Default: /var/myproxy or $GLOBUS_LOCATION/var/myproxy
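One way to check the storage directory requirement stated for the -s option, as an added example that is not part of the MyProxy distribution: it reports anything in the credential storage directory that is owned by another account or carries group or other permission bits. The function names are assumptions made for this example; /var/myproxy is the default location given above.

```shell
#!/bin/sh
# Added example, not part of MyProxy: audit the credential storage directory.

# storage_findings DIR [UID]
# Prints every path at or below DIR that is owned by an account other than
# UID (default: the invoking user) or that has any group/other permission
# bit set. Symbolic links are not followed; they usually carry mode 0777
# and are therefore reported as well.
storage_findings() {
    find "$1" \( ! -user "${2:-$(id -u)}" \
        -o -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# check_storage_dir DIR [UID]
# Returns 0 if DIR is private to UID, 1 if there are findings, and 2 if
# DIR is not a real directory.
# Files below a mode 0700 directory are already out of reach for other
# accounts; they are still reported because a later chmod of the directory
# would expose them.
check_storage_dir() {
    if [ -L "$1" ] || [ ! -d "$1" ]; then
        echo "FAIL: $1 is not a directory (or is a symbolic link)"
        return 2
    fi
    findings=$(storage_findings "$1" "${2:-$(id -u)}")
    if [ -n "$findings" ]; then
        echo "FAIL: not private to uid ${2:-$(id -u)}:"
        printf '%s\n' "$findings" | sed 's/^/  /'
        return 1
    fi
    echo "OK: $1 is accessible only by uid ${2:-$(id -u)}"
}

# Typical use, run from the account that owns the repository:
#   check_storage_dir /var/myproxy
```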
Graphical user interfaces
MyProxy does not have a GUI.
Troubleshooting
When troubleshooting a MyProxy problem, it is important to consult the myproxy-server logs. If you don't have access to the myproxy-server logs, please contact your myproxy-server administrator for help. The myproxy-server logs to the system logger (syslog) LOG_DAEMON facility. Alternatively, run
myproxy-server -d
from a terminal. In that mode, the myproxy-server will write debugging messages to the terminal and exit after servicing a single request.
The most common cause of MyProxy authentication problems is incorrect system clocks. GSI authentication is very sensitive to clock skew. Make sure your system clock is accurate (for example, by running an ntpd) and your timezone is set correctly.
To debug GSI authentication problems, run
grid-proxy-init -debug -verify
from the terminal where you run the MyProxy clients, and run
grid-proxy-init -debug -verify -cert /etc/grid-security/hostcert.pem -key /etc/grid-security/hostkey.pem
as root on the myproxy-server machine (assuming you run the myproxy-server as root).
The following common problems are documented below:
- MyProxy server name does not match expected name.
- Error in bind(): Address already in use
- grid-proxy-init failed
- User not authorized
- MyProxy server name does not match expected name.
This error appears as a mutual authentication failure or a server authentication failure, and the error message should list two names: the expected name of the MyProxy server and the actual authenticated name. By default, the MyProxy clients expect the MyProxy server to be running with a host certificate that matches the target hostname. This error can occur when running the MyProxy server under a non-host certificate or if the server is running on a machine with multiple hostnames. The MyProxy clients authenticate the identity of the MyProxy server to avoid sending passphrases and credentials to rogue servers.
If the expected name contains an IP address, your system is unable to do a reverse lookup on that address to get the canonical hostname of the server, indicating either a problem with that machine's DNS record or a problem with the resolver on your system.
If the server name shown in the error message is acceptable, set the MYPROXY_SERVER_DN environment variable to that name to resolve the problem.
- Error in bind(): Address already in use
This error indicates that the myproxy-server port (default: 7512) is in use by another process, probably another myproxy-server instance. You cannot run multiple instances of the myproxy-server on the same network port. If you want to run multiple instances of the myproxy-server on a machine, you can specify different ports with the -p option, and then give the same -p option to the MyProxy commands to tell them to use the myproxy-server on that port.
- grid-proxy-init failed
This error indicates that the grid-proxy-init command failed when myproxy-init attempted to run it, which implies a problem with the underlying Globus installation. Run
grid-proxy-init -debug -verify
for more information.
- User not authorized
An error from the myproxy-server saying you are "not authorized" to complete an operation typically indicates that the myproxy-server.config file settings are restricting your access to the myproxy-server. It is possible that the myproxy-server is running with the default myproxy-server.config file, which does not authorize any operations. See the "Configuring the MyProxy Server Installation" section of the Administrator's Guide for more information.