First of all, the MyProxy site has an excellent page on various grid credential renewal issues and MyProxy. So to begin, I want to set my credential renewer service as a "default renewer" in the MyProxy configuration. I do this by adding
default_renewers "DN of my renewing service"
to the myproxy-server.config file. Now my renewing service can renew credentials stored in this MyProxy server. Next, I store a proxy in MyProxy without a passphrase, so that MyProxy can use it for proxy renewal.
myproxy-init -n -s myproxy-server.mydomain.org -l myusername
The -n option says to store the proxy without a passphrase. Now I can renew this proxy with
myproxy-logon -s myproxy-server.mydomain.org -a /tmp/aging_proxy \
-l myusername -o /tmp/refreshed_proxy
In the previous command, -a specifies the proxy that we want to renew. For this to work, you either need to have loaded a proxy credential of the renewing service, or you need to set the X509_USER_CERT and X509_USER_KEY environment variables to the locations of the certificate and unencrypted key of your renewing service. And to do MyProxy renewal using the JGlobus API, it looks like this:
MyProxy myproxy = new MyProxy(myproxyHost, myproxyPort);
GetParams getParams = new GetParams();
GSSCredential renewedCredential = myproxy.get(serviceCred, getParams);
Note that you need a valid MyProxy username as well as a still valid proxy credential. To load the service credential, do this:
An important thing to keep in mind (which I forgot halfway through this process) is that the credential stored in MyProxy cannot have a passphrase protecting it for it to be used to renew a proxy credential. We make use of the grid credential storage feature of MyProxy in the LEAD project, and for this to work with credential renewal, we first have to unencrypt the private key of the grid credential. Use openssl to do this:
GlobusCredential globusCred = new GlobusCredential(pathToServiceCert,
GSSCredential gssCred = new GlobusGSSCredentialImpl(globusCred,
openssl rsa -in ~/.globus/userkey.pem -out ~/.globus/userkey1.pem
Then store your credential to MyProxy with this key:
myproxy-store -s myproxy.mydomain.org -l myusername -y .globus/userkey1.pem
Now you'll be able to use this MyProxy credential for proxy renewal.