> -----Original Message-----
> From: Testbed Support for GridPP member institutes [mailto:TB-
> [log in to unmask]] On Behalf Of John Kewley
> Sent: 06 September 2013 15:15
> 
> > BTW: Can any user upload his cert from any-old-machine (i.e. local
> > client
> > system) to a myproxy server directly using the CertWizard? I thought a
> > myproxy server held proxies. Am I wrong? Can it hold user certificates?
> > And should it do so?
> 
> this allows credentials to be uploaded to a server rather than the medium
> term proxy
> (7 days typically) with myproxy-init. The MyProxy part of CertWizard
> doesn't have this functionality.
>
I think that's OK - as you say, there's a principle that the user's
cert should remain somewhere they control (most obviously their local
system).

> If it is outside your domain then the proxy credentials stored should be
> shorter-lived (even though password protected)
> 
> > > then they just need to grab the proxy from there and voms-ify it on
> > > the UI.
> >
> > > That last bit might need a bit of friendly wrapper script round it,
> > > but the model sounds good.
> 
> NGS had this sort of vomsifying when you logged into scarf and/or the NGS
> UIs.
> 
Well, this process works now, I just tried it:

- Start CertWizard,
- Create a grid proxy (a plain grid proxy, no VOMS),
- Upload it to myproxy.ngs.ac.uk using CertWizard, setting a username and password,
- SSH into a UI,
- Do 'myproxy-get-delegation -s myproxy.ngs.ac.uk -l username' to get a proxy,
- Do 'voms-proxy-init -n --voms name_of_your_vo' to add VOMS extensions to it.

By-the-by, it turns out that GSISSH-Term still exists, and uses the same
standard proxy locations as CertWizard does (of course), so I'm hoping that
with a gsi-ssh accessible UI, the user would be able to log in with that and
their proxy, not a traditional username and password. At that point, all they'd
need for a client system would be something capable of running two Java Web
Start apps, and that'd be it. I don't have a gsi-ssh accessible immediately to
hand to test it, but I think the principle is sound.

Ewan
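
Added example, not part of the original message or of any project's code: a sketch of the "friendly wrapper script" for the two UI-side steps, using only the commands and flags quoted in the thread. The function names, the input validation rule and the proxy location convention ($X509_USER_PROXY, else /tmp/x509up_u<uid>) are assumptions of this example.

```sh
#!/bin/sh
# Added example: fetch a delegated proxy from MyProxy, then add VOMS extensions.
# Hypothetical helper names; server and flags are the ones quoted in the thread.

MYPROXY_SERVER="${MYPROXY_SERVER:-myproxy.ngs.ac.uk}"

# Assumed standard proxy location: $X509_USER_PROXY, else /tmp/x509up_u<uid>.
proxy_path() {
    printf '%s\n' "${X509_USER_PROXY:-/tmp/x509up_u$(id -u)}"
}

# Accept only plain identifiers, so a value can never be parsed as an option.
valid_name() {
    case "$1" in
        ''|-*|.*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# A proxy file carries an unencrypted private key: require a regular file
# (not a symlink), owned by the caller, with mode exactly 0600.
proxy_is_private() {
    [ -n "$(find "$1" -prune -type f -perm 600 -user "$(id -u)" 2>/dev/null)" ]
}

# $1 = MyProxy username set at upload time, $2 = VO name
vomsify_from_myproxy() {
    valid_name "$1" || { echo "bad MyProxy username" >&2; return 2; }
    valid_name "$2" || { echo "bad VO name" >&2; return 2; }
    umask 077
    # Prompts for the MyProxy password chosen in CertWizard.
    myproxy-get-delegation -s "$MYPROXY_SERVER" -l "$1" || return 1
    proxy_is_private "$(proxy_path)" || {
        echo "refusing to continue: proxy file is not private" >&2; return 1; }
    # -n: build on the retrieved proxy instead of the user certificate.
    voms-proxy-init -n --voms "$2" || return 1
    proxy_is_private "$(proxy_path)"
}

# Runs only when called as: ./vomsify.sh <username> <vo>
if [ "$#" -eq 2 ]; then
    vomsify_from_myproxy "$@"
fi
```

The permission check runs both before and after the VOMS step, so a proxy left readable by other users on a shared UI is reported rather than silently used.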