Hello Jan Just,
> I wasn't clear in my previous email: what I meant was:
>
> can a WMS renew a proxy from a MyProxy server that was uploaded with a passphrase? I'm not
> saying the WMS would know the passphrase, but as the WMS is a trusted renewer it may not
> need the passphrase at all.
Currently that does not seem to be possible.
I suppose such a feature could be considered,
if it is really needed. See below.
> We've now changed the way the proxy is uploaded to the MyProxy server to use a username
> and password; the WMS seems to upload its own proxy to the MyProxy store, so hopefully the
> renewal process now works.
The WMS does not upload anything to the MyProxy server!
In its use of a MyProxy server the WMS requires that the user
has uploaded a long-lived proxy with the "-d" and "-n" options,
i.e. the "user name" has to be the DN and the proxy shall have
no pass phrase.
> The *reason* for using a passphrase is that if you do not specify a passphrase and you
> want to use DN-based retrieval (i.e. "-d") then you must have a valid proxy or cert/key
> pair on the "retriever" host. If the retriever host is down for a longer period of time
> then its proxy expires and you have to manually jumpstart the process by sending a new
> proxy via some other route to the retrieving host.
The host that needs to retrieve the proxy probably has a host cert?
In that case a cron job could generate a host proxy with the desired
ownership every N hours? Or the service account might even be given
its own copy of the host cert and key, as is done on Nagios hosts...
You could also upload 2 proxies into the MyProxy server: one without
a pass phrase for use by the WMS (using "-d"), one with a pass phrase
to bootstrap the retriever host (using "-l username").
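The two-proxy scheme suggested above, as an added shell example that is not part of this mail thread. It composes the upload commands a user would run (DN-based and pass-phrase-free for the WMS, username plus pass phrase for bootstrapping), and on the retriever host it checks with `openssl x509 -checkend` whether a local credential is still valid long enough to use DN-based retrieval, falling back to the pass-phrase route otherwise. The server name, file paths, lifetime values and the `-s`/`-c` options of `myproxy-init` and `myproxy-logon` are assumptions for illustration, not taken from the thread; the `-d`, `-n` and `-l` options are the ones discussed above.

```shell
#!/bin/sh
# Added example for the MyProxy bootstrap discussion; not code from the mail thread.
# Assumed placeholder values (override via the environment):
MYPROXY_SERVER="${MYPROXY_SERVER:-myproxy.example.org}"   # assumed server name
MIN_REMAINING_SECONDS="${MIN_REMAINING_SECONDS:-3600}"    # assumed minimum remaining lifetime

# Return 0 if the PEM credential in $1 is still valid for at least $2 more seconds.
# Uses the real "openssl x509 -checkend" option; an unreadable file counts as invalid.
credential_is_valid() {
    [ -r "$1" ] || return 1
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Upload command for the WMS case: DN as user name (-d), no pass phrase (-n).
# $1 = credential lifetime in hours (assumed "-c" option of myproxy-init).
wms_upload_cmd() {
    echo "myproxy-init -s $MYPROXY_SERVER -d -n -c $1"
}

# Upload command for the bootstrap case: explicit user name (-l) and a pass phrase,
# so the retriever host can fetch a proxy even when it holds no valid credential.
# $1 = MyProxy user name, $2 = credential lifetime in hours.
bootstrap_upload_cmd() {
    echo "myproxy-init -s $MYPROXY_SERVER -l $1 -c $2"
}

# Decide how the retriever host should fetch a fresh proxy:
# "dn" when the local credential in $1 is still valid, "passphrase" otherwise.
retrieval_mode() {
    if credential_is_valid "$1" "$MIN_REMAINING_SECONDS"; then
        echo dn
    else
        echo passphrase
    fi
}

# Retrieval command matching the chosen mode.
# $1 = local credential file, $2 = MyProxy user name for the pass-phrase route.
retrieval_cmd() {
    case "$(retrieval_mode "$1")" in
        dn)         echo "myproxy-logon -s $MYPROXY_SERVER -d -n" ;;
        passphrase) echo "myproxy-logon -s $MYPROXY_SERVER -l $2" ;;
    esac
}

# Example of the cron-job idea from the thread: run the retrieval every N hours
# (assumed schedule; /etc/cron.d entry shown as a string, not installed).
cron_line() {
    echo "0 */$1 * * * retriever $(retrieval_cmd "$2" "$3")"
}

# Stand-alone usage with assumed paths:
if [ "${1:-}" = "--demo" ]; then
    wms_upload_cmd 168
    bootstrap_upload_cmd alice 168
    retrieval_cmd /tmp/x509up_retriever alice
    cron_line 6 /tmp/x509up_retriever alice
fi
```

Run it with `sh script.sh --demo` to print the composed commands; with no valid credential at the assumed path, the retrieval falls back to the `-l` route, which is exactly the situation described in the quoted mail. The pass phrase itself is never placed on the command line; `myproxy-init` and `myproxy-logon` prompt for it.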