Using MyProxy
This page gives a brief explanation of how to use MyProxy, particularly with cron jobs, as this is not well-covered by the existing documentation. For some general information about certificates and security concepts see the Grid certificates page.
How MyProxy works
A MyProxy server is a secure repository which can store a proxy with a lifetime greater than the standard 12 hours; typically the lifetime is 1 week. Short-lived proxies can then be extracted ("delegated") from it. MyProxy can work in two basic modes (plus some variations), known as renewer and retriever. The WMS uses the renewer mode, whereby it presents the existing proxy shortly before it expires, plus its own identification, normally a host certificate, which is explicitly authorised in the MyProxy configuration to be a renewer.
If you want to retrieve a proxy yourself, e.g. with a cron job, the renewer mode would generally be overly complicated, although possible. In such a case it's usually better to use the retriever mode, where the client simply asks for a proxy without needing to have any existing credential. In that case you obviously need some other way to authorise the right to retrieve the proxy, which is managed by associating a username and password with the stored proxy.
This password will generally have to be stored in a file, or perhaps in memory in a running program. That storage should obviously be secure, i.e. it should be readable only by the owner, and the password itself should be strong and unrelated to the password on your Grid certificate. It may appear that this is no different to storing the main Grid certificate password in a file, but in fact having the MyProxy password in a file is much less dangerous than either having your Grid password in a file or directly creating a long-lived proxy. If the MyProxy password were stolen by a hacker there are two circuit breakers to limit the potential damage: the proxy can be deleted from the MyProxy server, and your VOMS membership can be suspended, either of which would prevent any further use. By contrast a long-lived proxy can't be revoked even if you know it has been stolen; you have to wait for it to expire, or else revoke your certificate.
One important point is that if you want to use both the renewer and retriever modes, e.g. with a cron job and via the WMS, you have to store two proxies in the MyProxy server, one for each use.
For more details about using MyProxy see the man pages, particularly for myproxy-init and myproxy-get-delegation, and also the documentation on the MyProxy web site. However, the following sections summarise the usage for the standard cases.
Using MyProxy with job submission
The use of MyProxy with the WMS proxy renewal service is covered in the User Guide, but briefly you store a proxy with the command
    myproxy-init -d -n

where the -d option means that your DN is used as the user identification under which the proxy is stored, and -n means that there is no password. You may also need the -s option to specify the name of the MyProxy server unless it's defined via the MYPROXY_SERVER environment variable.
You also need to tell the WMS the name of the MyProxy server via the MyProxyServer JDL attribute. Note that the MyProxy server has to be configured to trust the WMS server; your UI will generally have suitable defaults for both.
Using MyProxy with a cron job
As explained above, to retrieve a proxy from a cron job or other automated process it's generally better to use the retriever mode with a password. This does not require the retrieving process to have access to either your Grid certificate or an existing proxy. For this case you store the proxy like this:
    myproxy-init -a
    Your identity: /C=UK/O=eScience/OU=CLRC/L=RAL/CN=john smith
    Enter GRID pass phrase for this identity:
    Creating proxy ............................................... Done
    Proxy Verify OK
    Your proxy is valid until: Thu Nov 13 22:30:47 2008
    Enter MyProxy pass phrase:
    Verifying password - Enter MyProxy pass phrase:
    A proxy valid for 168 hours (7.0 days) for user jsmith now exists on lcgrbp01.gridpp.rl.ac.uk.

Note that in this mode myproxy-init asks you for two passwords. The first one is for your Grid certificate, which is only used locally to create a one-week proxy (which gets deleted again after the upload). That proxy gets stored in the MyProxy server, and you then supply a second password (twice) which is also sent to the MyProxy, so anyone who subsequently presents the same password (and username) can retrieve a short-term proxy delegated from the one in the MyProxy.
The -a option here means that "anonymous" retrieval is allowed, i.e. the retrieving process does not need a certificate of its own, unlike the WMS which uses its host certificate. Some MyProxy servers may not be configured to allow this mode to be used, so if you get an error message you should contact the administrator of the service.
By default the proxy will be stored using the local user id (taken from the LOGNAME environment variable), jsmith in the example above. Alternatively you can supply a username with the -l option. This can be anything, but should not clash with the name used by another user.
From the output above you can also see that the default lifetime of the proxy stored in the MyProxy server is 7 days. This is normally sufficient as uploading a new proxy once a week is not especially onerous, although the lifetime can be longer if required.
As before you may also need the -s option to specify the name of the MyProxy server unless it's defined via the MYPROXY_SERVER environment variable.
Having stored a proxy, a cron job or other process can retrieve a short-lived proxy with:
    myproxy-get-delegation
    Enter MyProxy pass phrase:
    A proxy has been received for user jsmith in /tmp/x509up_u3456

Again this uses the local user name as identification by default, or you can supply a username with the -l option. Obviously this needs to match the name used when the proxy was uploaded. The retrieved proxy is stored in the standard place and can therefore be used as normal.
As shown above, the password used when the proxy was stored has to be supplied when a delegated proxy is retrieved. For use in a cron job or other process this needs to be stored somewhere, typically in a file, and that file therefore needs to be protected. Use the -S option to read the password directly from stdin rather than using an interactive prompt.
It's important to emphasise that this password is not the same as the one you use for your Grid certificate. Your Grid password is used to encrypt the private key for your certificate on your local disk, and shouldn't be stored anywhere because it defeats the point of the encryption, i.e. that a hacker who manages to steal your key still can't use it. You also shouldn't transmit that password to remote services because they never get your private key, only a proxy which has its own key (unencrypted). The password you use for MyProxy should be completely different, unconnected to any other password. In an ideal world you should probably use a different password each time you upload a new proxy, although this may be somewhat difficult to manage in practice.
MyProxy only stores a basic proxy without any VOMS attributes, so it's generally necessary to "dress" the retrieved proxy with something like:
    voms-proxy-init -voms atlas -noregen
    Your identity: /C=UK/O=eScience/OU=CLRC/L=RAL/CN=john smith/CN=proxy/CN=proxy/CN=proxy
    Contacting voms.cern.ch:15001 [/DC=ch/DC=cern/OU=computers/CN=voms.cern.ch] "atlas" Done
    Creating proxy .................................. Done
    Warning: your certificate and proxy will expire Fri Nov 7 10:31:04 2008
    which is within the requested lifetime of the proxy

Here the -noregen option means that the existing proxy is used to contact the VOMS server, rather than trying to create a new one from your certificate. This also explains the warning: both the proxy and the VOMS attributes have a default lifetime of 12 hours, but since the commands are issued with a short time gap the proxy will expire slightly earlier. This should not cause problems in practice; generally you should generate another proxy well before the expiry time in any case.
Note that the DN of the above proxy contains three instances of /CN=proxy. This means that the proxy has been delegated three times: once when you created the initial proxy, again when it was sent to the MyProxy server, and again when you retrieved it. The final VOMS-enabled proxy has yet a fourth delegation. In general the Grid middleware should be able to cope with several levels of delegation without problems, although each delegation does increase the size of the proxy and a very large number of delegations may overflow buffers and lead to errors.
One final point is that recent versions of the MyProxy software have a --voms argument to myproxy-get-delegation which effectively performs the voms-proxy-init as well, but this is just a convenience and doesn't add any new functionality.
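The retrieve-then-dress sequence above, written as a script a cron job could run, is given here as an added example (it is not part of the original page or of the MyProxy distribution). It assumes MYPROXY_SERVER is set in the cron environment, that the MyProxy password is kept in the hypothetical file $HOME/.myproxy-pass as a single line, and it refuses to run unless that file is readable by its owner alone.

```shell
#!/bin/sh
# Added example, not from the page: refresh a VOMS proxy from cron using the
# retriever mode. Assumes MYPROXY_SERVER is set in the cron environment and
# that the MyProxy password lives in $HOME/.myproxy-pass (hypothetical path),
# one line, mode 0600 or 0400.
set -eu

PASS_FILE="${MYPROXY_PASS_FILE:-${HOME:-.}/.myproxy-pass}"
MYPROXY_USER="${MYPROXY_USER:-${LOGNAME:-$(id -un)}}"  # must match -l at upload
VO="${MYPROXY_VO:-atlas}"                               # VO from the page's example

# Return 0 only if $1 is a regular file that nobody but its owner can read.
# ls -ld is used instead of stat so the check is the same on any POSIX system.
password_file_ok() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c2-10)   # e.g. rw-------
    case "$perms" in
        rw-------|r--------) return 0 ;;
        *) return 1 ;;
    esac
}

# Retrieve a delegated proxy, then dress it with VOMS attributes.
# The password goes in on stdin via -S so it never appears in argv, where
# ps(1) would show it to every other user on the machine.
refresh_proxy() {
    if ! password_file_ok "$PASS_FILE"; then
        echo "refusing to read $PASS_FILE: needs to be a regular file, mode 0600 or 0400" >&2
        return 1
    fi
    myproxy-get-delegation -S -l "$MYPROXY_USER" < "$PASS_FILE"
    voms-proxy-init -voms "$VO" -noregen
}

# Only act when invoked with the 'run' argument, e.g. from a crontab line such as
#   0 */6 * * * MYPROXY_SERVER=myproxy.example.org $HOME/refresh-proxy.sh run
# (server name is a placeholder; use the one given by your site).
if [ "${1:-}" = run ]; then
    refresh_proxy
fi
```

Running it every six hours keeps well inside the 12-hour default lifetime of the retrieved proxy, and the stored one-week proxy still has to be re-uploaded with myproxy-init -a as described above.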
Deleting the stored proxy
When you no longer need the stored proxy, or if you have any reason to think that the MyProxy password may have been stolen, you should delete it with the myproxy-destroy command. If you subsequently start using MyProxy again you should try to use a different password. You can check the status of any stored proxy with the myproxy-info command. These commands again take the -s, -l and -d options with the same usage as described above.
Last modified Wed 24 December 2008.