|
Note
|
The Grid Community Toolkit documentation was taken from the Globus Toolkit 6.0 documentation. As a result, there may be inaccuracies and outdated information. Please report any problems to the Grid Community Forums as GitHub issues. |
Please refer to the MyProxy Developer’s Guide on the MyProxy web site.
Before you begin
Feature summary
Supported Features
-
Users can obtain certificates and trust roots from the MyProxy CA using
myproxy-logon. -
Users can store and retrieve multiple X.509 proxy credentials using
myproxy-initandmyproxy-logon. -
Users can store and retrieve multiple X.509 end-entity credentials using
myproxy-storeandmyproxy-retrieve. -
Users and administrators can manage trustroots (CA certificates and CRLs) using
myproxy-logonandmyproxy-get-trustroots. -
Administrators can load the repository with X.509 end-entity credentials on the users' behalf using
myproxy-admin-load-credential. -
Administrators can use the
myproxy-admin-addusercommand to create user credentials and load them into the MyProxy repository. -
Administrators can use the
myproxy-admin-addservicecommand to create host credentials and load them into the MyProxy repository. -
Users and administrators can set access control policies on the credentials in the repository.
-
If allowed by policy, job managers (such as Condor-G) can renew credentials before they expire.
-
The MyProxy server enforces local site passphrase policies using a configurable external call-out.
Deprecated Features
-
None
Tested platforms
Tested Platforms for MyProxy:
| Operating System | Distribution | Version(s) | Architecture(s) |
|---|---|---|---|
Linux |
CentOS |
5, 6 |
i386, x86_64 |
7 |
x86_64 |
||
Fedora |
20, 21, 22 |
i386, x86_64 |
|
Red Hat Enterprise Linux |
5, 6 |
i386, x86_64 |
|
7 |
x86_64 |
||
Scientific Linux |
5, 6 |
i386, x86_64 |
|
7 |
x86_64 |
||
SUSE Linux Enterprise Server |
11SP3 |
x86_64 |
|
Debian |
6, 7, 8 |
i386, amd64 |
|
Ubuntu |
12.04LTS, 14.04LTS, 14.10, 15.04 |
i386, amd64 |
|
Mac OS X |
10.6-10.10 |
i386, x86_64 |
|
Solaris |
OmniOS |
r151006 |
x86_64 |
Windows 7 |
Cygwin |
i386, x86_64 |
|
MingW64 |
i386, x86_64 |
||
Backward compatibility summary
All MyProxy versions are fully backwards compatible.
MyProxy Security Considerations
You should choose a well-protected host to run the myproxy-server on. Consult with security-aware personnel at your site. You want a host that is secured to the level of a Kerberos KDC, that has limited user access, runs limited services, and is well monitored and maintained in terms of security patches.
For a typical myproxy-server installation, the host on which the myproxy-server is running must have /etc/grid-security created and a host certificate installed. In this case, the myproxy-server will run as root so it can access the host certificate and key.
Usage scenarios
Please refer to the MyProxy User Guide for MyProxy usage scenarios.
Tutorials
There are no tutorials available at this time.
Architecture and design overview
The MyProxy system architecture and design is described in the following two publications:
-
J. Basney, M. Humphrey, and V. Welch. The MyProxy Online Credential Repository. Software: Practice and Experience, 2005.
-
J. Novotny, S. Tuecke, and V. Welch. An Online Credential Repository for the Grid: MyProxy. Proceedings of the Tenth International Symposium on High Performance Distributed Computing (HPDC-10), IEEE Press, August 2001.
Troubleshooting
Errors
| Error Code | Definition | Possible Solutions |
|---|---|---|
|
This error appears as a mutual authentication failure or a server authentication failure, and the error message should list two names: the expected name of the MyProxy server and the actual authenticated name. + By default, the MyProxy clients expect the MyProxy server to be running with a host certificate that matches the target hostname. This error can occur when running the MyProxy server under a non-host certificate or if the server is running on a machine with multiple hostnames.</simpara> The MyProxy clients authenticate the identity of the MyProxy server to avoid sending passphrases and credentials to rogue servers. + If the expected name contains an IP address, your system is unable to do a reverse lookup on that address to get the canonical hostname of the server, indicating either a problem with that machine’s DNS record or a problem with the resolver on your system. |
If the server name shown in the error message is acceptable, set the |
|
This error indicates that the myproxy-server port (default: 7512) is in use by another process, probably another myproxy-server instance. You cannot run multiple instances of the myproxy-server on the same network port. |
If you want to run multiple instances of the myproxy-server on a machine, you can specify different ports with the -p option, and then give the same -p option to the MyProxy commands to tell them to use the myproxy-server on that port. |
|
This error indicates that the grid-proxy-init command failed when myproxy-init attempted to run it, which implies a problem with the underlying GCT installation. |
Run |
|
An error from the myproxy-server saying you are "not authorized" to complete
an operation typically indicates that the |
See Configuring MyProxy for more information. |
|
An error saying "Unable to verify remote side’s credentials," "Couldn’t
verify the remote certificate," or "alert bad certificate" often indicates
that the client or server’s certificate is signed by
an untrusted Certification Authority (CA). The client must have a CA
certificate and signing policy file installed in
|
See Configuring Certificates for more information. |
Additional MyProxy Troubleshooting
For additional information, see the MyProxy Troubleshooting Page at NCSA.
Related Documentation
For additional information about MyProxy, see the MyProxy Project Home Page at NCSA.