On 18/11/11 14:47, Mingchao Ma wrote:
> Hi Daniela and all,
>
> As Stephen pointed out, the maximum lifetime of a proxy should be 24 hours,
> as per
> https://wiki.egi.eu/wiki/EGI_CSIRT:Op-notices/proxy-lifetime-02-11-2007.
Some of what's said on
https://www.gridpp.ac.uk/wiki/VOMS_proxy_time_limited_and_how_to_request_an_extension
(linked to from https://www.gridpp.ac.uk/wiki/Main_Page with the title
https://www.gridpp.ac.uk/wiki/VOMS_proxy_time_limited_and_how_to_request_an_extension)
looks out of date. I've marked it as such, but can someone with more
knowledge tidy this up please?
> The
> voms server is rightly to enforce it. A proxy certificate is **designed** to
> be short-lived and one cannot revoke a proxy certificate. The way to stop a
> compromised proxy certificate is either ban the DN across the Grid for the
> lifetime of the proxy or to revoke the associated classical EE certificate,
> or do both. Neither is cheap in terms of operation.
>
> Here is another pointer about how to use myproxy
> http://egee-uig.web.cern.ch/egee-uig/beta_pages/ProxyRenewal.html
I do wish there was an EGI page on this sort of thing rather than it
being scattered all over the web.
Chris
>
> Cheers,
>
> Mingchao
>
>> -----Original Message-----
>> From: Testbed Support for GridPP member institutes [mailto:TB-
>> [log in to unmask]] On Behalf Of Daniela Bauer
>> Sent: Friday, November 18, 2011 2:13 PM
>> To: [log in to unmask]
>> Subject: Re: long term *voms* proxies with myproxy
>>
>> I have now found the -d option.
>>
>> I think I'll go for tea now.
>>
>> Daniela
>>
>> On 18 November 2011 14:08, Daniela Bauer
>> <[log in to unmask]> wrote:
>>> lx06:grid_mastercode_nov11 :~] myproxy-info -v
>>> MyProxy v4.2 10 Jan 2008 PAM
>>> Socket bound to port 20000.
>>> Attempting to connect to 130.246.183.214:7512
>>> using trusted certificates directory /vols/grid/certificates
>>> server name:
>> /C=UK/O=eScience/OU=CLRC/L=RAL/CN=lcgpx0620.gridpp.rl.ac.uk/emailAddress=t
>> [log in to unmask]
>>> checking that server name is acceptable...
>>> server name does not match "[log in to unmask]"
>>> server name matches "[log in to unmask]"
>>> authenticated server name is acceptable
>>> ERROR from myproxy-server (lcgrbp01.gridpp.rl.ac.uk):
>>> no credentials found for user dbauer, owner
>>> "/C=UK/O=eScience/OU=Imperial/L=Physics/CN=daniela bauer"
>>>
>>>
>>> ???????
>>>
>>> On 18 November 2011 14:04, Daniela Bauer
>>> <[log in to unmask]> wrote:
>>>> Hmmm... this does not bode well:
>>>>
>>>>
>>>> lx06:grid_mastercode_nov11 :~] source
>>>> /vols/grid/glite/ui/3.2.10-1/external/etc/profile.d/grid-env.sh
>>>>
>>>> lx06:grid_mastercode_nov11 :~] voms-proxy-init -valid 24:00 --voms
>>>> vo.londongrid.ac.uk
>>>> Enter GRID pass phrase:
>>>> Your identity: /C=UK/O=eScience/OU=Imperial/L=Physics/CN=daniela bauer
>>>> Creating temporary proxy ................................. Done
>>>> Contacting voms.gridpp.ac.uk:15021
>>>>
>> [/C=UK/O=eScience/OU=Manchester/L=HEP/CN=voms.gridpp.ac.uk/EMAILADDRESS=op
>> [log in to unmask]]
>>>> "vo.londongrid.ac.uk" Done
>>>> Creating proxy .......................... Done
>>>> Your proxy is valid until Sat Nov 19 14:02:01 2011
>>>> lx06:grid_mastercode_nov11 :~] myproxy-init -n -d
>>>> Your identity: /C=UK/O=eScience/OU=Imperial/L=Physics/CN=daniela bauer
>>>> Enter GRID pass phrase for this identity:
>>>> Creating proxy .................................................. Done
>>>> Proxy Verify OK
>>>> Your proxy is valid until: Fri Nov 25 14:02:09 2011
>>>> A proxy valid for 168 hours (7.0 days) for user
>>>> /C=UK/O=eScience/OU=Imperial/L=Physics/CN=daniela bauer now exists on
>>>> lcgrbp01.gridpp.rl.ac.uk.
>>>>
>>>> lx06:grid_mastercode_nov11 :~] myproxy-info
>>>> ERROR from myproxy-server (lcgrbp01.gridpp.rl.ac.uk):
>>>> no credentials found for user dbauer, owner
>>>> "/C=UK/O=eScience/OU=Imperial/L=Physics/CN=daniela bauer"
>>>>
>>>> What did I miss now ?
>>>>
>>>> Thanks,
>>>> Daniela
>>>>
>>>>
>>>>
>>>> On 18 November 2011 13:35, Stephen Burke <[log in to unmask]>
>> wrote:
>>>>> Testbed Support for GridPP member institutes [mailto:TB-
>>>>>> [log in to unmask]] On Behalf Of Ewan MacMahon said:
>>>>>> Well if the tools already do this, why are people finding that
>>>>>> they're getting non-VOMSified proxies?
>>>>>
>>>>> Which people? It's always possible that something is broken or
>> misconfigured on a WMS.
>>>>>
>>>>>> Could someone just outline how this is supposed to work? Which
>>>>>> component renews which proxy when, and how does that make it to
>>>>>> the CE and then on to the WN?
>>>>>
>>>>> The WMS includes a proxy renewal daemon - the documentation is here
>> although it isn't very substantial:
>>>>>
>>>>> http://egee.cesnet.cz/cvsweb/PR/proxyrenew_AG.pdf
>>>>>
>>>>> Basically it checks the proxy expiry time, and when it sees it getting
>> close to expiry it tries to retrieve a new one from myproxy, and if that
>> works it goes through the VOMS credentials in the original proxy and
>> contacts the VOMS server(s) to renew those too. The WMS then sends the new
>> proxy to any CEs with jobs for that user - I don't know exactly how it
>> gets to the WN. Some more info here:
>>>>>
>>>>> http://wiki.italiangrid.it/twiki/bin/view/CREAM/GliteCeProxyRenewMan
>>>>>
>>>>> Stephen
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> -----------------------------------------------------------
>>>> [log in to unmask]
>>>> HEP Group/Physics Dep
>>>> Imperial College
>>>> Tel: +44-(0)20-75947810
>>>> http://www.hep.ph.ic.ac.uk/~dbauer/
>>>>
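The thread turns on two numbers: the 24 hour maximum proxy lifetime from the EGI CSIRT notice, and the 168 hour credential that myproxy-init uploads for the renewal daemon to draw short proxies from. The following script is an added example, not code from this thread or from the VOMS/MyProxy projects: it parses the "Your proxy is valid until ..." lines that voms-proxy-init and myproxy-init print (the format shown in the quoted session), computes each lifetime against a caller-supplied creation time, and flags anything over the 24 hour policy. The transcript, the creation timestamp and the hostname are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Policy quoted in the thread (EGI CSIRT notice): a proxy should live at most 24 hours.
MAX_PROXY_LIFETIME = timedelta(hours=24)

# voms-proxy-init prints "Your proxy is valid until <date>"; myproxy-init prints the
# same with a colon after "until". The date is in C-locale ctime-like form.
VALID_UNTIL = re.compile(
    r"^Your proxy is valid until:?\s+"
    r"(?P<when>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4})\s*$"
)
DATE_FMT = "%a %b %d %H:%M:%S %Y"

# Constructed sample transcript (not a real session): a 24 h VOMS proxy followed by
# the 168 h credential uploaded to a (made-up) myproxy server.
SAMPLE_TRANSCRIPT = """\
Creating proxy .......................... Done
Your proxy is valid until Sat Nov 19 14:02:01 2011
Proxy Verify OK
Your proxy is valid until: Fri Nov 25 14:02:09 2011
A proxy valid for 168 hours (7.0 days) for user /C=XX/O=Example/CN=example user now exists on myproxy.example.invalid.
"""

# Constructed creation time for the sample: the moment the first proxy was issued.
SAMPLE_CREATED_AT = datetime(2011, 11, 18, 14, 2, 1)


def parse_expiries(transcript):
    """Extract every expiry timestamp from tool output, in order of appearance."""
    expiries = []
    for line in transcript.splitlines():
        m = VALID_UNTIL.match(line.strip())
        if m:
            expiries.append(datetime.strptime(m.group("when"), DATE_FMT))
    return expiries


def check_lifetimes(transcript, created_at, limit=MAX_PROXY_LIFETIME):
    """Return one (expiry, lifetime, within_policy) tuple per proxy in the output.

    The tools only print the expiry, so the caller supplies the start of the
    validity window; lifetime is measured from there.
    """
    results = []
    for expiry in parse_expiries(transcript):
        lifetime = expiry - created_at
        results.append((expiry, lifetime, lifetime <= limit))
    return results


def check_sample():
    """Run the policy check over the constructed transcript above."""
    return check_lifetimes(SAMPLE_TRANSCRIPT, SAMPLE_CREATED_AT)


if __name__ == "__main__":
    for expiry, lifetime, ok in check_sample():
        verdict = "within 24 h policy" if ok else "EXCEEDS 24 h policy"
        print(f"{expiry:%Y-%m-%d %H:%M:%S}  lifetime {lifetime}  {verdict}")
```

On the sample the VOMS proxy comes out at exactly 24 hours and passes, while the credential stored in myproxy comes out at 7 days and is flagged; that second credential is the long-lived one the renewal daemon described by Stephen uses as its source, so a site deciding whether 168 hours is acceptable would be deciding about the stored credential, not about the per-job proxies it yields.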