The MyProxy service lets you store proxy certificates for later use, for instance when your private key is not at hand. For more information regarding certificates please see the Certificates FAQ.
It is best not to distribute your private key across several machines but to keep it safe on your workstation instead. If you wish to run Globus commands on a platform on which you cannot or should not store your private key and/or certificates, you can retrieve the proxy certificate you stored at a MyProxy service.
The proxy certificate can be stored and used with:
- Java Webstart based GSISSH-Term
- the Globus command-line commands.
A use case example: a researcher needs to use ssh to log in to a machine. On the target machine the user needs to run Globus commands. For security or practical reasons, no private key is stored on the target machine, so the user runs a Globus command to fetch a proxy certificate from a MyProxy server.
The PRACE MyProxy servers are:
- myproxy.lrz.de, or myproxy-prace.lrz.de if you are on a platform connected to the internal PRACE network, i.e. your Home Site or one of your Execution Sites
Storing Your Proxy Certificate on the PRACE MyProxy Server
Using Globus Command-line Tools
If the private key is on a machine with a Globus installation, then the following Globus command can be used to store the proxy certificate on the MyProxy server:
Optional command line parameters for this command include
- Lifetime in hours of the proxy on the server: -c 168 (this is the default value)
- Maximum lifetime in hours of the proxy when retrieved from server:
- Target host:
By default, the target host name should have been set already through the module load globus command.
Using GSI-SSH MyProxy Tool
To use GSISSH-Term to store a proxy, first start the Java GSI-SSHTerm, then choose "MyProxy Tool" from the Tools menu.
One can set
- Server: the MyProxy server, see the list above.
- Port: 7512 is the default
- Lifetime (hours): how long the proxy can be used from the MyProxy server
- Username: needed later to fetch the proxy from the MyProxy server. Not tied to any Unix accounts
- Certificate format: the source from which to generate the proxy: .pem, .p12 or an existing proxy
- Passphrase: the PEM and PKCS12 formats need a passphrase to generate the proxy
Retrieving Your Proxy Certificate
Using Globus Command-line Tools
When logged on to a PRACE machine which both has a Globus installation and is connected to the public internet, users can fetch the proxy using the following commands:
module load prace
module load globus
myproxy-logon
The final command will ask for the MyProxy Password which was used to store the proxy certificate on PRACE’s MyProxy server.
The default MyProxy server address should be set by the globus modulefile in the $MYPROXY_SERVER environment variable.
If required, the address can be given as a parameter, e.g.
The proxy lifetime, in hours, can be specified with -t. It cannot exceed the time that was specified when storing the proxy on the server. The default lifetime is 12 hours with the myproxy-init command and 10 hours with the Java Uploader tool.
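The retrieval steps above as one shell function, with two checks added: the requested lifetime is capped at the maximum set when the proxy was stored, and the retrieved proxy file must be readable by its owner only. This is an added example, not part of the PRACE documentation; the function names and the user name jdoe are hypothetical, and it assumes the proxy is written to $X509_USER_PROXY or to the Globus default /tmp/x509up_u<uid>.

```shell
#!/bin/sh
# Added example: helper names and "jdoe" are hypothetical.

# Print the lifetime to request with -t: the wanted hours ($1), capped at
# the maximum retrieval lifetime chosen when the proxy was stored ($2).
clamp_hours() {
    for n in "$1" "$2"; do
        case $n in
            ''|*[!0-9]*) echo "lifetime must be whole hours" >&2; return 2 ;;
        esac
    done
    if [ "$1" -le "$2" ]; then echo "$1"; else echo "$2"; fi
}

# Succeed only if the proxy is a regular file (not a symlink) with mode 600.
# A proxy file holds an unencrypted private key, so nobody else may read it.
proxy_file_ok() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    [ "$(ls -ln "$1" | cut -c1-10)" = "-rw-------" ]
}

# fetch_proxy USER HOURS MAX_HOURS [SERVER]
# SERVER defaults to $MYPROXY_SERVER, which "module load globus" should set.
fetch_proxy() {
    user=$1
    server=${4:-${MYPROXY_SERVER:-}}
    [ -n "$server" ] || { echo "no MyProxy server set" >&2; return 2; }
    hours=$(clamp_hours "$2" "$3") || return
    # Prompts for the MyProxy password that was set when storing the proxy.
    myproxy-logon -s "$server" -l "$user" -t "$hours" || return
    proxy=${X509_USER_PROXY:-/tmp/x509up_u$(id -u)}
    proxy_file_ok "$proxy" || { echo "unsafe permissions on $proxy" >&2; return 1; }
    echo "proxy seconds left: $(grid-proxy-info -timeleft)"
}

# Typical call on the target machine, after the two "module load" commands:
#   fetch_proxy jdoe 12 24 myproxy.lrz.de
```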
Using the GSI-SSH Java Web Start
Java GSI-SSHTerm provides an easy way to connect to PRACE machines from outside the PRACE network. Its usage is described in Interactive Access to HPC Resources.
The GSI-SSHTerm tool supports the MyProxy service. The MyProxy server address is found through the following menu sequence (see Figures 2 and 3 below):
File – New Connection – "Advanced" – GSI Defaults tab
Provide the access information:
- Username: you have to use the same name as when you stored the proxy
- Port: 7512 (should be the default)
In the Authentication Order list MyProxy belongs to Other Methods. Its priority can be increased by clicking it to the top of the list.
As displayed in the next figure, the connection properties can be configured by clicking the "Advanced" button in the "New Connection" dialogue. In this tab, one can use the "MyProxy" method from the "Other Methods" list to fetch a proxy.
GSI-SSH Java Webstart application: when "Other Methods" is the primary method, you may also see the following kind of dialog. "Account Name" and "Passphrase" were set when storing the proxy.