TeraGrid [ User Info: Access: Certificate Proxies ]

Learn About the TeraGrid

TeraGrid News

Education & Training

Science Gateways

User Support & Documentation

	User Support & Documentation
	Certificate Proxies Home > User Info > Access > Proxy Certificates On this page Creating a Proxy: myproxy-logon (Default) Additional MyProxy Commands Creating a Proxy: grid-proxy-init Creating a Proxy at PSC: kinit Sample PSC Proxy Helpful Proxy Commands Creating a MyProxy Certificate (all sites) Related Links Using Your User Certificate (NCSA) SSO for Non-Default Certificates SSO from Your Desktop (Linux/Mac OSX) Need Help? Phone Toll-free 1.866.907.2383 Submit a Ticket (online form -- fastest) Submit a Ticket via email TeraGrid Knowledge Base In order to use Single Sign-on (SSO), a user needs to create a temporary credential called a certificate proxy. The proxy confirms that you are authorized by a trusted authority to access grid resources. It also confirms that you are who you say you are because you must enter the passphrase that was used to create the X.509 certificate. If you are using the default TeraGrid Certificate Authority (CA), this is your TeraGrid-wide password—the same one you use to log in to the User Portal. There is no set-up by the user for this CA. If you are using another CA, there is inital set-up. To create the proxy, you will use the passphrase you used to create your X.509 certficate (or KX.509 if your CA is PSC). The trusted authority may be a certificate from any of the CAs listed on the Single Sign-on for non-default certificates page. Once a proxy has been created, you can use gsissh to login to any other TeraGrid system, and you may use an GSI-enabled feature of the TeraGrid during that session. The authority of the proxy has a limited lifetime. Default expiration for a proxy session is 12 hours (however, you may create a longer proxy). After it has expired, you must create a new proxy. Proxies are intended for short-term use when the user is submitting many jobs and cannot be troubled to repeat a password for every job. Proxies provide a convenient alternative to constantly entering passwords, but are also less secure than the user's normal security credential. Therefore, they should be deleted after they are no longer needed (or after they expire). Creating a Proxy Using myproxy-logon (all sites) Most TeraGrid users will use MyProxy to generate a certificate proxy. MyProxy is a certificate repository that offers added security, retrieval, and expiration management features. To create a proxy, run the myproxy-logon command. When requested, enter your TeraGrid-wide password that you received in your account information packet. tg-login1> myproxy-logon -T -l your_username Enter MyProxy pass phrase: A credential has been received for user your_username in /tmp/x509up_u99999. Trust roots have been installed in /usr/users/your_username/.globus/certificates. Have you previously run myproxy-init to store a credential? In that case, myproxy-logon will use this credential, and you will need to enter your previously-chosen myproxy-init passphrase instead of your TeraGrid-wide password. Additional MyProxy Commands To retrieve a proxy locally once it's been generated at the server, type the following command: myproxy-get-delegation To store a credential on the MyProxy server for shorter or longer than 12 hours: myproxy-init -c To store a credential with the same lifetime as your current credential (for example, your long-lived credential from the CA), you can use the "-c 0" option to myproxy-init: $ myproxy-init -c 0 -s myproxy.teragrid.org Your identity: /C=US/O=National Center for Supercomputing Applications/CN=user name Enter GRID pass phrase for this identity: Creating proxy ............................... Done Proxy Verify OK Your proxy is valid until: Thu Oct 20 17:29:28 2005 Enter MyProxy pass phrase: Verifying - Enter MyProxy pass phrase: A proxy valid for 7278 hours (303.2 days) for user now exists on myproxy.teragrid.org. IU, NCSA, ORNL, Purdue, SDSC, TACC, UC/ANL To create a proxy, run the grid-proxy-init program (after you have obtained an X.509 certificate and entered your DN into the grid-mapfile at each site you will be using). When requested, enter the passphrase you used when you first created your certificate. % grid-proxy-init Your output should look like this: Your identity: /C=US/O=NPACI/OU=SDSC/CN=Your Full Name/USERID=your_username Enter GRID pass phrase for this identity:your passphrase Creating proxy ........................ Done Your proxy is valid until: Tue Dec 23 23:58:15 2003 N.B., If you log on after your proxy has expired, you must type the grid-proxy-init command again. There are many commands you can use to manage your proxy certificate. A few helpful commands are listed in the "Additional Information for grid-proxy" section below. Exception: PSC At PSC, the KX.509 system is used. KX.509 uses PSC's existing Kerberos infrastructure in order to issue short-term X.509 certificates and from them, proxies. This is different than the other current TeraGrid sites. The grid-proxy-init command will not work with KX.509. If you are a PSC KX.509 user--that is, if you obtained your original certificate from PSC--use the following command to create a certificate proxy on the TeraGrid. kinit user@PSC.EDU; kx509; kxlist -p A Sample Proxy and DN Inquiry session is available below. Once the proxy is created, it is identical to any other "grid" proxy, so the grid-proxy-* commands listed in the "Additional Information About Basic Certificate Commands" section below are applicable. Exceptions are grid-proxy-init and any grid-cert-* commands. Sample Proxy and DN Inquiry (PSC) $ kinit username@PSC.EDU username@PSC.EDU's Password: $ kx509 $ kxlist -p Service kx509/certificate issuer= /C=US/O=Pittsburgh Supercomputing Center/CN=PSC Kerberos Certification Authority subject= /C=US/O=Pittsburgh Supercomputing Center/OU=PSC Kerberos Certification Authority/CN=username/UID=username/emailAddress=username@yourdomain.EDU serial=0114 hash=a1266002 $ grid-proxy-info -subject /C=US/O=Pittsburgh Supercomputing Center/OU=PSC Kerberos Certification Authority/CN=username/USERID=username/Email=username@yourdomain.EDU Helpful Proxy Commands Once you have a certificate and entries in the appropriate grid-mapfiles, you can issue some of the basic commands to test your grid capabilities. The following examples illustrate some common commands. Change your certificate password: grid-change-pass-phrase tg-login2:/users/kericson% grid-change-pass-phrase read RSA key Enter PEM pass phrase: [enter your original pass-phrase] writing RSA key Enter PEM pass phrase: [enter your NEW pass-phrase] Verifying password - Enter PEM pass phrase: [enter your NEW pass-phrase again] Create a proxy good for 24 hours: grid-proxy-init -hours 24 tg-login2:/users/kericson % grid-proxy-init -hours 24 Your identity: /C=US/O=NPACI/OU=SDSC/CN=Kate Ericson/USERID=kericson Enter GRID pass phrase for this identity: [enter your pass-phrase] Creating proxy .......................Done Your proxy is valid until: Sat Nov 22 10:38:40 2003 Login to another node on the same cluster without a password: gsissh N.B.: You will need a grid-mapfile entry at your local site. tg-login2:/users/kericson % gsissh tg-login1.sdsc.teragrid.org Verify that you have access to tg-login.ncsa.teragrid.org tg-login2:/users/kericson % globusrun -a -r tg-login.ncsa.teragrid.org GRAM Authentication test successful Login to cluster at a different site without a password N.B.: You will need a grid-mapfile entry at the remote site. tg-login2:/users/kericson % gsissh tg-login.ncsa.teragrid.org Destroy your proxy certificate before it expires: grid-proxy-destroy tg-login2:/users/kericson % grid-proxy-destroy Obtain information about the current proxy: grid-proxy-info: % grid-proxy-info subject : /C=US/O=NPACI/USERID=your_user)id/CN=proxy issuer : /C=US/O=NPACI/USERID=your_user_id type : full strength : 512 bits path : /tmp/x509up_u000 timeleft : 11:59:58 Basic certificate commands are also described on NCSA's "Using Your User Certificate" page. This guide talks about how to find out information about your certificate: creating a proxy certificate, using the proxy certificate, and destroying the proxy certificate. It also has instructions on moving your certificate to another site's TeraGrid machine (if you want to make that machine the starting point for your grid computing). Creating a MyProxy Certificate (all sites) To create a proxy, run the myproxy-init program (after you have obtained an X.509 certificate and entered your DN into the grid-mapfile at each site you will be using). When requested, enter the passphrase you used when you first created your certificate. The hostname should always be myproxy.teragrid.org. % myproxy-init Your output should look like this: site/username> myproxy-init -s myproxy.tergrid.org Your identity: /C=US/O=NPACI/OU=SDSC/CN=Full Name/USERID=username Enter GRID pass phrase for this identity: Creating proxy ......................................................................... Done Proxy Verify OK Your proxy is valid until: Fri Dec 24 16:11:18 2004 N.B., If you log on after your proxy has expired, you must type the myproxy-init command again. Additional MyProxy commands To retrieve a proxy locally once it's been generated at the server type the following command: myproxy-get-delegation To set the lifetime of the credentials you store on the MyProxy server to longer (or shorter) than the default of one week, use the myproxy-init -c option. To store a credential with the same lifetime as your current credential (for example, your long-lived credential from the CA), you can use the "-c 0" option to myproxy-init: $ myproxy-init -c 0 -s myproxy.teragrid.org Your identity: /C=US/O=National Center for Supercomputing Applications/CN=user name Enter GRID pass phrase for this identity: Creating proxy ............................... Done Proxy Verify OK Your proxy is valid until: Thu Oct 20 17:29:28 2005 Enter MyProxy pass phrase: Verifying - Enter MyProxy pass phrase: A proxy valid for 7278 hours (303.2 days) for user now exists on myproxy.teragrid.org. For KCA sites, you can set $X509_USER_KEY and $X509_USER_CERT to tell MyProxy to read the credentials from the location where KCA puts them: $ export X509_USER_CERT='grid-proxy-info -path' $ export X509_USER_KEY='grid-proxy-info -path' $ myproxy-init -c 0 -s myproxy.teragrid.org Your identity: /C=US/O=National Center for Supercomputing Applications/CN=user name/CN=793146486 Creating proxy .............................. Done Proxy Verify OK Your proxy is valid until: Wed Dec 22 03:55:42 2004 Enter MyProxy pass phrase: Verifying - Enter MyProxy pass phrase: A proxy valid for 17 hours (0.7 days) for user now exists on myproxy.teragrid.org.

Upper Left Footer

Upper Right Footer

The TeraGrid project is funded by the National Science Foundation and includes 11 partners:
Indiana, LONI, NCAR, NCSA, NICS, ORNL, PSC, Purdue, SDSC, TACC and UC/ANL.

Please email help@teragrid.org with questions or comments.

This site is XHTML 1.0 Transitional, CSS compliant.

Bottom Left Footer

Bottom Right Footer