GT 6.0 MyProxy: Developer’s Guide


Table of Contents

1. Before you begin
1. Feature summary
2. Tested platforms
3. Backward compatibility summary
4. Technology dependencies
5. MyProxy Security Considerations
2. Usage scenarios
3. Tutorials
4. Architecture and design overview
5. Troubleshooting
1. Errors
2. Additional MyProxy Troubleshooting
6. Related Documentation

Please refer to the MyProxy Developer’s Guide on the MyProxy web site.

Chapter 1. Before you begin

1. Feature summary

Supported Features

  • Users can obtain certificates and trust roots from the MyProxy CA using myproxy-logon.
  • Users can store and retrieve multiple X.509 proxy credentials using myproxy-init and myproxy-logon.
  • Users can store and retrieve multiple X.509 end-entity credentials using myproxy-store and myproxy-retrieve.
  • Users and administrators can manage trustroots (CA certificates and CRLs) using myproxy-logon and myproxy-get-trustroots.
  • Administrators can load the repository with X.509 end-entity credentials on the users' behalf using myproxy-admin-load-credential.
  • Administrators can use the myproxy-admin-adduser command to create user credentials and load them into the MyProxy repository.
  • Administrators can use the myproxy-admin-addservice command to create host credentials and load them into the MyProxy repository.
  • Users and administrators can set access control policies on the credentials in the repository.
  • If allowed by policy, job managers (such as Condor-G) can renew credentials before they expire.
  • The MyProxy server enforces local site passphrase policies using a configurable external call-out.

Deprecated Features

  • None

2. Tested platforms

Tested Platforms for MyProxy:

Table 1.1. Tested Platforms

Operating System Distribution Version(s) Architecture(s)

Linux

CentOS

5, 6

i386, x86_64

7

x86_64

Fedora

20, 21, 22

i386, x86_64

Red Hat Enterprise Linux

5, 6

i386, x86_64

7

x86_64

Scientific Linux

5, 6

i386, x86_64

7

x86_64

SUSE Linux Enterprise Server

11SP3

x86_64

Debian

6, 7, 8

i386, amd64

Ubuntu

12.04LTS, 14.04LTS, 14.10, 15.04

i386, amd64

Mac OS X

10.6-10.10

i386, x86_64

Solaris

OmniOS

r151006

x86_64

Windows 7

Cygwin

i386, x86_64

MingW64

i386, x86_64


3. Backward compatibility summary

All MyProxy versions are fully backwards compatible.

4. Technology dependencies

MyProxy depends on the following GT component:

5. MyProxy Security Considerations

You should choose a well-protected host to run the myproxy-server on. Consult with security-aware personnel at your site. You want a host that is secured to the level of a Kerberos KDC, that has limited user access, runs limited services, and is well monitored and maintained in terms of security patches.

For a typical myproxy-server installation, the host on which the myproxy-server is running must have /etc/grid-security created and a host certificate installed. In this case, the myproxy-server will run as root so it can access the host certificate and key.

Chapter 2. Usage scenarios

Please refer to the MyProxy User Guide for MyProxy usage scenarios.

Chapter 3. Tutorials

There are no tutorials available at this time.

Chapter 4. Architecture and design overview

The MyProxy system architecture and design is described in the following two publications:

Chapter 5. Troubleshooting

1. Errors

Table 5.1. MyProxy Errors

Error Code Definition Possible Solutions

MyProxy server name does not match expected name

This error appears as a mutual authentication failure or a server authentication failure, and the error message should list two names: the expected name of the MyProxy server and the actual authenticated name. By default, the MyProxy clients expect the MyProxy server to be running with a host certificate that matches the target hostname. This error can occur when running the MyProxy server under a non-host certificate or if the server is running on a machine with multiple hostnames.</simpara> The MyProxy clients authenticate the identity of the MyProxy server to avoid sending passphrases and credentials to rogue servers. If the expected name contains an IP address, your system is unable to do a reverse lookup on that address to get the canonical hostname of the server, indicating either a problem with that machine’s DNS record or a problem with the resolver on your system.

If the server name shown in the error message is acceptable, set the MYPROXY_SERVER_DN environment variable to that name to resolve the problem.

Error in bind(): Address already in use

This error indicates that the myproxy-server port (default: 7512) is in use by another process, probably another myproxy-server instance. You cannot run multiple instances of the myproxy-server on the same network port.

If you want to run multiple instances of the myproxy-server on a machine, you can specify different ports with the -p option, and then give the same -p option to the MyProxy commands to tell them to use the myproxy-server on that port.

grid-proxy-init failed

This error indicates that the grid-proxy-init command failed when myproxy-init attempted to run it, which implies a problem with the underlying Globus installation.

Run grid-proxy-init -debug -verify for more information.

User not authorized

An error from the myproxy-server saying you are "not authorized" to complete an operation typically indicates that the myproxy-server.config file settings are restricting your access to the myproxy-server. It is possible that the myproxy-server is running with the default myproxy-server.config file, which does not authorize any operations.

See Configuring MyProxy for more information.

Unable to verify remote side’s credentials

An error saying "Unable to verify remote side’s credentials," "Couldn’t verify the remote certificate," or "alert bad certificate" often indicates that the client or server’s certificate is signed by an untrusted Certification Authority (CA). The client must have a CA certificate and signing policy file installed in /etc/grid-security/certificates for the CA that signed the server’s certificate. Likewise, the server must have a CA certificate and signing policy file installed in /etc/grid-security/certificates for the CA that signed the client’s certificate.

See Configuring Certificates for more information.


2. Additional MyProxy Troubleshooting

For additional information, see the MyProxy Troubleshooting Page at NCSA.

Chapter 6. Related Documentation

For additional information about MyProxy, see the MyProxy Project Home Page at NCSA.