Thursday, March 29, 2007

Credential renewal with MyProxy and JGlobus

I'm currently working on creating a service, as part of the LEAD project, that will be responsible for keeping grid credentials fresh for the duration of a workflow or some other user process. I've been experimenting with the capabilities of MyProxy and JGlobus to this end.

First of all, the MyProxy site has an excellent page on grid credential renewal and the issues around it. So to begin, I want to set my credential renewer service as a "default renewer" in the MyProxy configuration. I do this by adding

default_renewers "DN of my renewing service"

to the myproxy-server.config file. Now my renewing service can renew credentials stored in this MyProxy server. Next, I store a proxy in MyProxy without a passphrase, so that MyProxy can use it for proxy renewal.

myproxy-init -n -s myproxy-server.mydomain.org -l myusername

The -n option says to store the proxy without a passphrase. Now I can renew this proxy with

myproxy-logon -s myproxy-server.mydomain.org -a /tmp/aging_proxy \
-l myusername -o /tmp/refreshed_proxy

In the previous command, -a specifies the proxy that we want to renew. For this to work, you either need to have loaded a proxy credential of the renewing service, or you need to set the X509_USER_CERT and X509_USER_KEY environment variables to the locations of the certificate and unencrypted key of your renewing service. Doing the same renewal through the JGlobus API looks like this:

import org.globus.myproxy.GetParams;
import org.globus.myproxy.MyProxy;
import org.ietf.jgss.GSSCredential;

// Connect to the MyProxy server that lists this service as a default renewer.
MyProxy myproxy = new MyProxy(myproxyHost, myproxyPort);
GetParams getParams = new GetParams();
getParams.setUserName(username);     // MyProxy username the credential was stored under
getParams.setLifetime(24*60*60);     // requested lifetime in seconds (24 hours)
getParams.setAuthzCreds(userCred);   // the still-valid proxy being renewed (what -a gave myproxy-logon)

// serviceCred is the renewing service's own credential (loaded as shown below).
GSSCredential renewedCredential = myproxy.get(serviceCred, getParams);

Note that you need a valid MyProxy username as well as a still valid proxy credential. To load the service credential, do this:

import org.globus.gsi.GlobusCredential;
import org.globus.gsi.gssapi.GlobusGSSCredentialImpl;
import org.ietf.jgss.GSSCredential;

// Certificate and unencrypted private key of the renewing service
// (the same files X509_USER_CERT and X509_USER_KEY would point to).
GlobusCredential globusCred = new GlobusCredential(pathToServiceCert,
        pathToServiceKey);
GSSCredential gssCred = new GlobusGSSCredentialImpl(globusCred,
        GSSCredential.INITIATE_AND_ACCEPT);

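
As an added example (not code from this post or from the LEAD project), here is how the pieces above could be combined into a small renewer class that only contacts MyProxy when a proxy is close to expiring. The class name, the two-hour threshold and the path parameters are assumptions; it assumes the JGlobus (cog-jglobus) classes used above are on the classpath.

```java
import java.io.File;
import java.io.FileOutputStream;
import java.io.OutputStream;
import org.globus.gsi.GlobusCredential;
import org.globus.gsi.gssapi.GlobusGSSCredentialImpl;
import org.globus.myproxy.GetParams;
import org.globus.myproxy.MyProxy;
import org.ietf.jgss.GSSCredential;
// Renews a user's proxy from MyProxy once its remaining lifetime drops below a threshold.
public class ProxyRenewer {
    // Hypothetical policy: renew when under two hours remain; ask for 24 hours, as in the post.
    private static final long RENEW_THRESHOLD_SECONDS = 2 * 60 * 60;
    private static final int REQUESTED_LIFETIME_SECONDS = 24 * 60 * 60;
    private final MyProxy myproxy;
    private final GSSCredential serviceCred;
    public ProxyRenewer(String host, int port, String serviceCertPath, String serviceKeyPath) throws Exception {
        this.myproxy = new MyProxy(host, port);
        // The service's certificate and unencrypted key; this DN must be listed in default_renewers.
        GlobusCredential cred = new GlobusCredential(serviceCertPath, serviceKeyPath);
        this.serviceCred = new GlobusGSSCredentialImpl(cred, GSSCredential.INITIATE_AND_ACCEPT);
    }
    // Returns true if the proxy at proxyPath was renewed and written to outputPath.
    public boolean renewIfNeeded(String username, String proxyPath, String outputPath) throws Exception {
        GlobusCredential aging = new GlobusCredential(proxyPath);
        if (aging.getTimeLeft() > RENEW_THRESHOLD_SECONDS) {
            return false; // still fresh enough, nothing to do
        }
        // The aging proxy is the authorization credential (myproxy-logon -a); MyProxy checks it
        // against the stored credential, so it must not have expired yet.
        GetParams params = new GetParams();
        params.setUserName(username);
        params.setLifetime(REQUESTED_LIFETIME_SECONDS);
        params.setAuthzCreds(new GlobusGSSCredentialImpl(aging, GSSCredential.INITIATE_ONLY));
        GSSCredential renewed = myproxy.get(serviceCred, params);
        GlobusCredential renewedCred = ((GlobusGSSCredentialImpl) renewed).getGlobusCredential();
        File outFile = new File(outputPath);
        OutputStream out = new FileOutputStream(outFile);
        try {
            renewedCred.save(out); // PEM proxy, the same format myproxy-logon -o writes
        } finally {
            out.close();
        }
        // A proxy is a bearer credential: leave the file readable by its owner only (Java 6+).
        outFile.setReadable(false, false);
        outFile.setReadable(true, true);
        return true;
    }
}
```

A workflow engine would call renewIfNeeded periodically for each running job's proxy; the early return keeps it from hitting the MyProxy server on every tick.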
An important thing to keep in mind (which I forgot halfway through this process) is that a credential stored in MyProxy can only be used to renew proxy credentials if its private key is not protected by a passphrase. We make use of the grid credential storage feature of MyProxy in the LEAD project, and for this to work with credential renewal, we first have to decrypt the private key of the grid credential. Use openssl to do this:

openssl rsa -in ~/.globus/userkey.pem -out ~/.globus/userkey1.pem

Then store your credential in MyProxy with this key (the decrypted key file is unprotected on disk, so keep it readable only by your own account):

myproxy-store -s myproxy.mydomain.org -l myusername -y .globus/userkey1.pem

Now you'll be able to use this MyProxy credential for proxy renewal.
