Hi,

Maarten Litmaath wrote:
> Hello Jan Just,
>
>>>> can the WMS renew a proxy from a credential with a passphrase on 
>>>> the MyProxy server?
>>>
>>> No, by design!
>>>
>> where is this specified?
>
> It has been like that from the very first of our grid projects;
> we might find this documented in EDG/EGEE design documents,
> but think about it: how would a pass phrase help in this case?
>
> You would have to inform all entities that need to renew or
> retrieve a proxy from the MyProxy server: how do you do that,
> in a secure way?
>
> Sure, the WMS could be told the pass phrase at job submission or
> proxy delegation time, but do you actually _want_ someone's WMS
> to know the password?!  What if the machine gets compromised?
>
> Long ago the grid projects came up with a different way:
> make the WMS a trusted _renewer_ of proxies.
> There are 3 authorization steps required for that to work:
>
> 1. The WMS must authenticate with its host cert.
> 2. Its host DN must be registered in the user-supplied MyProxy
>    server as a trusted renewer.
> 3. The WMS must present the proxy to be renewed while that proxy
>    is still _valid_.
>
> There are other acceptable ways for a MyProxy server to be used
> and some services (e.g. Nagios) do so, but the WMS can only do
> what we just described.
>


>> The system (upload a passphrase-protected, robot-cert-generated proxy
>> to a MyProxy server) has been in operation for 4 years or more and
>> only recently this problem popped up. Is this behaviour new?
>
> No, but there appears to have been some confusion; see below.
>
>>>> We have a user that uses a robot certificate which stores a 
>>>> credential on the MyProxy
>>>> server. This credential is protected with a passphrase.
>>>
>>> Why?!
>> the robot token is located in a protected server room on an isolated,
>> well-controlled machine. A proxy is generated every 24 hours and
>> uploaded using a well-known password (and
>
> Aha, a well known password...  Understandable, but not needed when
> the MyProxy server is used better.
>
>> using "-d") to the MyProxy server.
>> The portal host on which the proxy is needed grabs a proxy using
>> this "well-known" password.
>> This has been working for nearly 4 years - could be we just got lucky
>> during those 4 years, but where was it specified that you cannot do this?
>
> You can do _that_, but it is not what this discussion was about!
>
> The question was: can a _WMS_ renew a proxy protected with a pass phrase?
> Answer: no, by design.
>

I wasn't clear in my previous email: what I meant was:

can a WMS renew a proxy from a MyProxy server that was uploaded with a 
passphrase? I'm not saying the WMS would know the passphrase, but as the 
WMS is a trusted renewer it may not need the passphrase at all.

We've now changed the way the proxy is uploaded to the MyProxy server to 
use a username and password; the WMS seems to upload its own proxy to 
the MyProxy store, so hopefully the renewal process now works.


Steven Burke wrote:
> I don't understand what you mean by "well-known" - a) if it's well-known, how does it add any security, and b) how do you expect the WMSes to know it? I also don't understand why you would do it every 24 hours - the whole point of myproxy is that it can hold long-lived proxies.

The *reason* for using a passphrase is that if you do not specify a 
passphrase and you want to use DN-based retrieval (i.e. "-d") then you 
must have a valid proxy or cert/key pair on the "retriever" host. If the 
retriever host is down for a longer period of time then its proxy 
expires and you have to manually jump-start the process by sending a new 
proxy via some other route to the retrieving host.

I agree that it's not necessary to do this every 24 hours; I used to do 
it every 48 hours, but there was a VOMS-related issue at the time, which 
I avoided by doing it every 24 hours.

cheers,

JJK / Jan Just Keijser
Nikhef
Amsterdam
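As an added illustration (not MyProxy's own code and not from the thread), here is a small Python model of the two mechanisms discussed above: the three-step trusted-renewer check Maarten describes, and the passphrase-based versus DN-based ("-d") retrieval modes Jan Just contrasts. All DNs, passphrases and times are constructed sample values.

```python
# Illustrative model, not MyProxy's own code, of the rules the thread describes:
# a WMS renews a stored credential only as a registered trusted renewer that
# authenticates with its host cert and presents the still-valid proxy, and (as
# stated in the thread) a passphrase-protected credential is not renewable that
# way. Retrieval is either passphrase-based or DN-based ("-d"), and the latter
# needs a valid cert/proxy on the retriever host. All values are constructed.
import hmac
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

@dataclass
class StoredCredential:
    owner_dn: str                  # subject of the uploaded proxy
    not_after: datetime            # lifetime of the stored credential
    passphrase: Optional[str]      # None when uploaded without a passphrase
    renewers: set = field(default_factory=set)    # trusted renewer host DNs
    retrievers: set = field(default_factory=set)  # DN-based retriever DNs

@dataclass
class Request:
    client_dn: Optional[str]       # DN proven by the client's cert/proxy, else None
    now: datetime
    presented_proxy_dn: Optional[str] = None       # proxy offered for renewal
    presented_proxy_not_after: Optional[datetime] = None
    passphrase: Optional[str] = None

def check_renewal(cred: StoredCredential, req: Request):
    """Return (allowed, reason) for a WMS-style renewal attempt."""
    if cred.passphrase is not None:
        return False, "passphrase-protected credential: not renewable by design"
    if req.client_dn is None:
        return False, "step 1: renewer must authenticate with its host cert"
    if req.client_dn not in cred.renewers:
        return False, "step 2: host DN is not a registered trusted renewer"
    if req.presented_proxy_dn != cred.owner_dn:
        return False, "step 3: presented proxy does not belong to the owner"
    if req.presented_proxy_not_after is None or req.presented_proxy_not_after <= req.now:
        return False, "step 3: presented proxy is no longer valid"
    if cred.not_after <= req.now:
        return False, "stored credential has expired; it must be re-uploaded"
    return True, "renewal authorized"

def check_retrieval(cred: StoredCredential, req: Request):
    """Return (allowed, reason) for a proxy retrieval attempt."""
    if cred.passphrase is not None:   # passphrase mode: no client proxy needed
        ok = req.passphrase is not None and hmac.compare_digest(req.passphrase, cred.passphrase)
        return ok, "passphrase " + ("accepted" if ok else "rejected")
    if req.client_dn is None:         # "-d" mode: retriever host needs a valid proxy
        return False, "DN-based retrieval: no valid cert/proxy on retriever host"
    ok = req.client_dn in cred.retrievers
    return ok, "retriever DN " + ("authorized" if ok else "not registered")
```

The last branch of check_retrieval is the failure mode described in the thread: once the retriever host's own proxy has expired, DN-based retrieval stops working until a fresh proxy reaches that host by another route.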