GT 5.0.4 MyProxy: System Administrator's Guide

Introduction

This guide contains advanced configuration information for system administrators working with MyProxy. It provides references to information on procedures typically performed by system administrators, including installation, configuring, deploying, and testing the installation.

[Important]Important

This information is in addition to the basic Globus Toolkit prerequisite, overview, installation, security configuration instructions in Installing GT 5.0.4. Read through this guide before continuing!

A typical MyProxy configuration has one dedicated myproxy-server for the site, with MyProxy clients installed on all systems where other Globus Toolkit client software is installed.


Chapter 1. Building and Installing

MyProxy is built and installed as part of a default GT 5.0.4 installation. For basic installation instructions, see Installing GT 5.0.4. No extra installation steps are required for this component.

If you wish to install MyProxy without installing the rest of the Globus Toolkit, follow the instructions in Installing GT 5.0.4 with the following changes. First, you do not need Ant, a JDK, or a JDBC database to build only MyProxy. Second, instead of running "make", run:

globus$ make gsi-myproxy

This will install the MyProxy client and server programs. For client-only installations, simply do not configure or use the installed server.

Chapter 2. Configuring

No additional configuration is required to use MyProxy clients after they are installed, although you may want to set the MYPROXY_SERVER environment variable to the hostname of your myproxy-server in the default user environment on your systems.

Please refer to the MyProxy Admin Guide for MyProxy server configuration instructions.

Chapter 3. Deploying

A sample SysV-style boot script for MyProxy is installed at $GLOBUS_LOCATION/share/myproxy/etc.init.d.myproxy. To install on Linux, copy the file to /etc/rc.d/init.d/myproxy and run chkconfig --add myproxy. You will need to edit the file to set the GLOBUS_LOCATION environment variable correctly.

Alternatively, to run the myproxy server out of inetd or xinetd, you need to do the following as root:

  • Add the entries in $GLOBUS_LOCATION/share/myproxy/etc.services.modifications to the /etc/services or /etc/inet/services file.
  • Add the entries in $GLOBUS_LOCATION/share/myproxy/etc.inetd.conf.modifications to /etc/inetd.conf or /etc/inet/inetd.conf, or copy $GLOBUS_LOCATION/share/myproxy/etc.xinetd.myproxy to /etc/xinetd.d/myproxy. You'll need to modify the paths in the file according to your installation.
  • Reactivate the inetd (or xinetd). This is typically accomplished by sending the SIGHUP signal to the daemon. Refer to the inetd or xinetd man page for your system.

In addition, an example cron script is provided in $GLOBUS_LOCATION/share/myproxy/myproxy.cron for removing expired/revoked credentials from the repository. You will need to edit the file to set the GLOBUS_LOCATION environment variable correctly before installing in (for example) /etc/cron.hourly.

Chapter 4. Testing

To verify your myproxy-server installation and configuration, you can run the myproxy-server directly from your shell. If using a host certificate, you will need to run the myproxy-server as root. First, make sure your Globus environment is setup in your shell. Set the GLOBUS_LOCATION environment variable to the location of your MyProxy installation. Then, depending on your shell, run one of the following commands.

For csh shells:

source $GLOBUS_LOCATION/etc/globus-user-env.csh

For sh shells:

. $GLOBUS_LOCATION/etc/globus-user-env.sh

Then, run $GLOBUS_LOCATION/sbin/myproxy-server -d. The -d argument runs the myproxy-server in debug mode. It will write debugging messages to the terminal and exit after servicing a single request. You will need to start it once for each test request. In another shell, you can run the MyProxy client programs to test the server.

If run without the -d argument, the myproxy-server program will start up and background itself. It accepts connections on TCP port 7512, forking off a separate child to handle each incoming connection. It logs information via the syslog service under the daemon facility.

Chapter 5. Security Considerations

1. MyProxy Security Considerations

You should choose a well-protected host to run the myproxy-server on. Consult with security-aware personnel at your site. You want a host that is secured to the level of a Kerberos KDC, that has limited user access, runs limited services, and is well monitored and maintained in terms of security patches.

For a typical myproxy-server installation, the host on which the myproxy-server is running must have /etc/grid-security created and a host certificate installed. In this case, the myproxy-server will run as root so it can access the host certificate and key.

Chapter 6. Debugging

Table of Contents

1. Logging

1. Logging

The myproxy-server logs to the system logger (syslog) LOG_DAEMON facility. Alternatively, run

myproxy-server -d

from a terminal. In that mode, the myproxy-server will write debugging messages to the terminal and exit after servicing a single request.

Chapter 7. Troubleshooting

1. Common GT Errors

For a list of common errors in GT, see Error Codes.

2. Errors

Table 7.1. MyProxy Errors

Error CodeDefinitionPossible Solutions
MyProxy server name does not match expected name

This error appears as a mutual authentication failure or a server authentication failure, and the error message should list two names: the expected name of the MyProxy server and the actual authenticated name.

By default, the MyProxy clients expect the MyProxy server to be running with a host certificate that matches the target hostname. This error can occur when running the MyProxy server under a non-host certificate or if the server is running on a machine with multiple hostnames.

The MyProxy clients authenticate the identity of the MyProxy server to avoid sending passphrases and credentials to rogue servers.

If the expected name contains an IP address, your system is unable to do a reverse lookup on that address to get the canonical hostname of the server, indicating either a problem with that machine's DNS record or a problem with the resolver on your system.

If the server name shown in the error message is acceptable, set the MYPROXY_SERVER_DN environment variable to that name to resolve the problem.
Error in bind(): Address already in useThis error indicates that the myproxy-server port (default: 7512) is in use by another process, probably another myproxy-server instance. You cannot run multiple instances of the myproxy-server on the same network port. If you want to run multiple instances of the myproxy-server on a machine, you can specify different ports with the -p option, and then give the same -p option to the MyProxy commands to tell them to use the myproxy-server on that port.
grid-proxy-init failedThis error indicates that the grid-proxy-init command failed when myproxy-init attempted to run it, which implies a problem with the underlying Globus installation. Run
grid-proxy-init -debug -verify
for more information.
User not authorizedAn error from the myproxy-server saying you are "not authorized" to complete an operation typically indicates that the myproxy-server.config file settings are restricting your access to the myproxy-server. It is possible that the myproxy-server is running with the default myproxy-server.config file, which does not authorize any operations. See Configuring MyProxy for more information.
Unable to verify remote side's credentials An error saying "Unable to verify remote side's credentials," "Couldn't verify the remote certificate," or "alert bad certificate" often indicates that the client or server's certificate is signed by an untrusted Certification Authority (CA). The client must have a CA certificate and signing policy file installed in /etc/grid-security/certificates for the CA that signed the server's certificate. Likewise, the server must have a CA certificate and signing policy file installed in /etc/grid-security/certificates for the CA that signed the client's certificate. See Configuring Certificates for more information.

3. Additional MyProxy Troubleshooting

For additional information, see the MyProxy Troubleshooting Page at NCSA.

Chapter 8. Usage statistics collection

1. MyProxy usage statistics collection

By default, the myproxy-server will send a UDP packet containing usage information to usage-stats.cilogon.org:4810 after serving each request. See the MyProxy Privacy Policy for details. You can see the Globus Usage Statistics policy here.

Glossary

H

host certificate

An EEC belonging to a host. When using GSI this certificate is typically stored in /etc/grid-security/hostcert.pem. For more information on possible host certificate locations see the GSI C Developer's Guide.