Note
|
The Grid Community Toolkit documentation was taken from the Globus Toolkit 6.0 documentation. As a result, there may be inaccuracies and outdated information. Please report any problems to the Grid Community Forums as GitHub issues. |
Introduction
This guide contains advanced configuration information for system administrators working with MyProxy. It provides references to information on procedures typically performed by system administrators, including installation, configuring, deploying, and testing the installation.
Important
|
This information is in addition to the basic Grid Community Toolkit prerequisite, overview, installation, security configuration instructions in Installing GCT 6.2. Read through this guide before continuing! |
A typical MyProxy configuration has one dedicated myproxy-server for the site, with MyProxy clients installed on all systems where other Grid Community Toolkit client software is installed.
Building and Installing
MyProxy is built and installed as part of a default GCT 6.2 installation. For basic installation instructions, see Installing GCT 6.2. No extra installation steps are required for this component.
If you wish to install MyProxy without installing the rest of the Grid Community Toolkit, follow the instructions in Installing GCT 6.2 with the following changes. First, you do not need Ant, a JDK, or a JDBC database to build only MyProxy. Second, instead of running "make", run:
globus$ make myproxy
This will install the MyProxy client and server programs. For client-only installations, simply do not configure or use the installed server.
Configuring
No additional configuration is required to use MyProxy clients after they are installed, although you may want to set the MYPROXY_SERVER environment variable to the hostname of your myproxy-server in the default user environment on your systems.
Please refer to the MyProxy Admin Guide for MyProxy server configuration instructions.
Deploying
A sample SysV-style boot script for MyProxy is installed at
$GLOBUS_LOCATION/share/myproxy/etc.init.d.myproxy
. To install on
Linux, copy the file to . To install on Linux, copy the file to
/etc/rc.d/init.d/myproxy
and run and run chkconfig --add
myproxy
. You will need to edit the file to set the
GLOBUS_LOCATION
environment variable correctly. environment
variable correctly.
Alternatively, to run the myproxy server out of inetd or xinetd, you need to do the following as root:
-
Add the entries in
$GLOBUS_LOCATION/share/myproxy/etc.services
.modifications to the .modifications to the/etc/services
or or/etc/inet/services
file. file. -
Add the entries in
$GLOBUS_LOCATION/share/myproxy/etc.inetd.conf.modifications
to to/etc/inetd.conf
or or/etc/inet/inetd.conf
, or copy , or copy$GLOBUS_LOCATION/share/myproxy/etc.xinetd.myproxy
to to/etc/xinetd.d/myproxy
. You’ll need to modify the paths in the file according to your installation.. You’ll need to modify the paths in the file according to your installation. -
Reactivate the inetd (or xinetd). This is typically accomplished by sending the SIGHUP signal to the daemon. Refer to the inetd or xinetd man page for your system.
In addition, an example cron script is provided in
$GLOBUS_LOCATION/share/myproxy/myproxy.cron
for removing
expired/revoked credentials from the repository. You will need to edit
the file to set the for removing expired/revoked credentials from the
repository. You will need to edit the file to set the
GLOBUS_LOCATION
environment variable correctly before installing in
(for example) environment variable correctly before installing in (for
example) /etc/cron.hourly
. .
Testing
To verify your myproxy-server installation and configuration, you can
run the myproxy-server directly from your shell. If using a host
certificate, you will need to run the myproxy-server as root. First,
make sure your GCT environment is setup in your shell. Set the
GLOBUS_LOCATION
environment variable to the location of your MyProxy
installation. Then, depending on your shell, run one of the following
commands. environment variable to the location of your MyProxy
installation. Then, depending on your shell, run one of the following
commands.
For csh shells:
For sh shells:
Then, run $GLOBUS_LOCATION/sbin/myproxy-server -d
. The -d
argument runs the myproxy-server in debug mode. It will write debugging
messages to the terminal and exit after servicing a single request. You
will need to start it once for each test request. In another shell, you
can run the MyProxy client programs to test the server.
If run without the -d argument, the myproxy-server program will start up and background itself. It accepts connections on TCP port 7512, forking off a separate child to handle each incoming connection. It logs information via the syslog service under the daemon facility.
Security Considerations
MyProxy Security Considerations
You should choose a well-protected host to run the myproxy-server on. Consult with security-aware personnel at your site. You want a host that is secured to the level of a Kerberos KDC, that has limited user access, runs limited services, and is well monitored and maintained in terms of security patches.
For a typical myproxy-server installation, the host on which the myproxy-server is running must have /etc/grid-security created and a host certificate installed. In this case, the myproxy-server will run as root so it can access the host certificate and key.
Debugging
Logging
The myproxy-server logs to the system logger (syslog) LOG_DAEMON facility. Alternatively, run
from a terminal. In that mode, the myproxy-server will write debugging messages to the terminal and exit after servicing a single request.
Troubleshooting
Errors
Error Code | Definition | Possible Solutions |
---|---|---|
|
This error appears as a mutual authentication failure or a server authentication failure, and the error message should list two names: the expected name of the MyProxy server and the actual authenticated name. + By default, the MyProxy clients expect the MyProxy server to be running with a host certificate that matches the target hostname. This error can occur when running the MyProxy server under a non-host certificate or if the server is running on a machine with multiple hostnames.</simpara> The MyProxy clients authenticate the identity of the MyProxy server to avoid sending passphrases and credentials to rogue servers. + If the expected name contains an IP address, your system is unable to do a reverse lookup on that address to get the canonical hostname of the server, indicating either a problem with that machine’s DNS record or a problem with the resolver on your system. |
If the server name shown in the error message is acceptable, set the |
|
This error indicates that the myproxy-server port (default: 7512) is in use by another process, probably another myproxy-server instance. You cannot run multiple instances of the myproxy-server on the same network port. |
If you want to run multiple instances of the myproxy-server on a machine, you can specify different ports with the -p option, and then give the same -p option to the MyProxy commands to tell them to use the myproxy-server on that port. |
|
This error indicates that the grid-proxy-init command failed when myproxy-init attempted to run it, which implies a problem with the underlying GCT installation. |
Run |
|
An error from the myproxy-server saying you are "not authorized" to complete
an operation typically indicates that the |
See Configuring MyProxy for more information. |
|
An error saying "Unable to verify remote side’s credentials," "Couldn’t
verify the remote certificate," or "alert bad certificate" often indicates
that the client or server’s certificate is signed by
an untrusted Certification Authority (CA). The client must have a CA
certificate and signing policy file installed in
|
See Configuring Certificates for more information. |
Usage statistics collection
MyProxy usage statistics collection
Deactivated by default since MyProxy v6.0.
When activated, the myproxy-server will send a UDP packet containing usage information to usage-stats.cilogon.org:4810 after serving each request. See the MyProxy Privacy Policy for details. You can see the Globus Usage Statistics policy here.