Grid Proxies

Grid Proxies

 What is a proxy?

A proxy is a short-term credential that proves your identity, allowing you to use grid services. It is based on the grid certificate that was automatically provided for you when your WestGrid account was created.

 How can I create a proxy?

To create a proxy, use the grid-proxy-init command;


wg0>grid-proxy-init
Your identity: /C=CA/O=Grid/OU=westgrid.ca/CN=Simon Sharpe/Email=ssharpe@ucalgary.ca
Enter GRID pass phrase for this identity:
mypassphrase
Your proxy is valid until: Fri Dec 3 21:15:13 2004

Your pass-phrase is the phrase you chose when you applied for your WestGrid account. There is no way to recover a lost pass-phrase. If you no longer know your pass-phrase you will need a new certificate. Contact WestGrid Support

You can verify that your proxy is valid by using ssh to connect to another site;


wg0>ssh blackhole
Last login: Tue Nov 30 12:32:25 2004 from lattice.westgrid.ca
Welcome to blackhole.westgrid.ca!

ssharpe@blackhole:~>

Why were you not prompted for your password? Ssh on WestGrid has been replaced with grid-enabled ssh. When you have a valid proxy, you don't need a password.

Your proxy (along with all other current proxies on your home system) is stored in /tmp with a file-name starting with "x509up_u."

Once you have a proxy, you might want to push it onto the myproxy server to make it visible to all WestGrid machine.

 

What else can I do with Proxies? 

To get information on your proxy, use the grid-proxy-info command.


wg0>grid-proxy-info
subject : /C=CA/O=Grid/OU=westgrid.ca/CN=Simon Sharpe/Email=ssharpe@ucalgary.ca/CN=proxy
issuer : /C=CA/O=Grid/OU=westgrid.ca/CN=Simon Sharpe/Email=ssharpe@ucalgary.ca
identity : /C=CA/O=Grid/OU=westgrid.ca/CN=Simon Sharpe/Email=ssharpe@ucalgary.ca
type : full legacy globus proxy
strength : 512 bits
path : /tmp/x509up_u500006
timeleft : 11:09:30

You can see that this proxy is still good for 11 hours and 9 minutes.

You can destroy a proxy with the grid-proxy-destroy command.


wg0>grid-proxy-destroy
wg0>
There is no confirmation message, but you can confirm that the proxy is gone with the grid-proxy-info command;

 

myproxy Server

 What can myproxy do for me?

 

You may also place proxies on other WestGrid machines through the MyProxy server. This gives you access to all grid tools when running at sites that do not contain your certificates. It is also necessary for you to access portal.westgrid.ca

To use MyProxy, the grid tools need to know the location of the MyProxy server. This location is set in the environment variable MYPROXY_SERVER=myproxy.westgrid.ca. If you do not have this set in your environment, you can explicitly add "-s myproxy.westgrid.ca" to the end of any of the following MyProxy commands.

To push your proxy up to the MyProxy Server, use myproxy-init.

 

> myproxy-init
Your identity: /C=CA/O=Grid/OU=westgrid.ca/CN=Simon Sharpe/Email=ssharpe@ucalgary.ca
Enter GRID pass phrase for this identity:
myexistingcertificatepassphrase
Creating proxy ................................... Done
Your proxy is valid until: Fri Dec 10 13:16:32 2004
Enter MyProxy pass phrase:
mynewpassphrase
Verifying password - Enter MyProxy pass phrase:
mynewpassphrase
A proxy valid for 168 hours (7.0 days) for user ssharpe now exists on myproxy.westgrid.ca.
wg0>

 

You will be prompted for the Grid pass phrase for your identity, then twice for a MyProxy pass phrase. This MyProxy pass phrase need not be the same as your Grid pass phrase, but it is easier to remember if it is. You will need this pass-phrase later in the get-delegation step. A message confirms that a MyProxy credential has been created for you on myproxy.westgrid.ca. Your MyProxy credential, by default lasts for 7 days and can be used to generate proxies with a 12 hour lifespan. The -c option controls the longevity of your MyProxy credential. The -t option controls maximum life of proxies generated from your MyProxy credential.

myproxy-init -c 5000 -t 72 stores a MyProxy credential with a lifetime of 5000 hours that can generate proxies that live up to 72 hours.

You can check the status of your MyProxy with myproxy-info.

You can now connect to another WestGrid site and pull a proxy down to other machines with myproxy-get-delegation;

ssharpe@nexus> myproxy-get-delegation
Enter MyProxy pass phrase:
mynewpassphrase
A proxy has been received for user ssharpe in /tmp/x509up_u500006
ssharpe@nexus>

This creates a new proxy on the machine you are using. You will be prompted for the MyProxy pass phrase. A message confirms the creation of your proxy. You can use -t to control the lifetime of this proxy, but it can be no longer than the limit set (explicitly or by default) with the myproxy-init -t option.

myproxy-get-delegation -t 48 creates a proxy with a lifetime of 48 hours.

You can check the status of this proxy with grid-proxy-info.

 


Updated 2009-01-30.