MyProxy as Online CA for short term credentials

MyProxy can be set up to run as an Online CA that issues short-term credentials to authenticated users. For this exercise a server has been set up at workshop1.ci.uchicago.edu, configured with a username/password file that contains the ISSGC usernames and passwords. Usernames are of the form issgcxx, each with its corresponding password.

Now we'll contact the MyProxy server using your login name. The example below uses issgc01; use your own login name and provide its password.

[rachana@glite-tutor2 ~]$ myproxy-logon -s workshop1.ci.uchicago.edu -l issgc01
Enter MyProxy pass phrase:
A credential has been received for user issgc01 in /tmp/x509up_u8623.
[rachana@glite-tutor2 ~]$

The new credential is issued by the MyProxy CA. You can see that the issuer of the credential is different from that of your default credential from the GILDA CA. Also note that, unlike your GILDA user certificate, which is valid for days, this certificate is short term and valid for only 12 hours.

[rachana@glite-tutor2 ~]$ grid-proxy-info
subject  : /O=Grid/OU=GlobusTest/OU=simpleCA-workshop1.ci.uchicago.edu/CN=issgc01
issuer   : /O=Grid/OU=GlobusTest/OU=simpleCA-workshop1.ci.uchicago.edu/CN=Globus Simple CA
identity : /O=Grid/OU=GlobusTest/OU=simpleCA-workshop1.ci.uchicago.edu/CN=issgc01
type     : end entity credential
strength : 1024 bits
path     : /tmp/x509up_u8623
timeleft : 11:59:30
[rachana@glite-tutor2 ~]$

Now let's try to submit a job using the new credential.

[rachana@glite-tutor2 ~]$ globusrun-ws -submit -F iceage-ce-01.ct.infn.it -s -job-command /bin/hostname
Delegating user credentials...Failed.
globusrun-ws: Error trying to delegate
globus_soap_message_module: Failed sending request ManagedJobFactoryPortType_GetMultipleResourceProperties.
globus_xio: System error in read: Connection reset by peer
globus_xio: A system call failed: Connection reset by peer
[rachana@glite-tutor2 ~]$

The above fails because the iceage cluster does not trust the MyProxy CA; it trusts only the GILDA CA. The GRAM services on workshop1.ci.uchicago.edu have been set up to trust the MyProxy CA, so try submitting the same job to that machine.

[rachana@glite-tutor2 ~]$ globusrun-ws -submit -F workshop1.ci.uchicago.edu -s -job-command /bin/hostname 
Delegating user credentials...
Done.
Submitting job...Done.
Job ID: uuid:cae825f2-4c63-11dd-9f9c-00304877960c
Termination time: 07/08/2008 20:32 GMT
Current job state: Active
Current job state: CleanUp-Hold
globusrun-ws: ignoring error while streaming gsiftp://workshop1.ci.uchicago.edu:2812/home/train23/cae825f2-4c63-11dd-9f9c-00304877960c.0.stdout:
globus_ftp_client: the server responded with an error
500 500-Command failed. : globus_xio_gsi: gss_init_sec_context failed.
500-globus_gsi_gssapi: Unable to verify remote side's credentials
500-globus_gsi_gssapi: Unable to verify remote side's credentials: Couldn't verify the remote certificate
500-OpenSSL Error: s3_pkt.c:1052: in library: SSL routines, function SSL3_READ_BYTES: sslv3 alert bad certificate SSL alert number 42
500 End.
[rachana@glite-tutor2 ~]$ 

The above fails because even the local machine you are submitting jobs from does not trust the MyProxy CA. Authentication to the GRAM server and for the GridFTP transfer is mutual: the server authenticates the client, and the client also authenticates the server, so the client side needs the MyProxy CA certificate among its trusted certificates as well.

The MyProxy Online CA can also be used to provision clients with trusted certificates, that is, to download the trusted CA certificates to the local machine. This is done by adding the -T option to the myproxy-logon command.

[rachana@glite-tutor2 ~]$ unset X509_CERT_DIR
[rachana@glite-tutor2 ~]$ myproxy-logon -s workshop1.ci.uchicago.edu -l issgc01 -T
Enter MyProxy pass phrase:
A credential has been received for user issgc01 in /tmp/x509up_u8623.
Trust roots have been installed in /home/rachana/.globus/certificates/.
[rachana@glite-tutor2 ~]$

As the output indicates, the trusted certificates are downloaded to ~/.globus/certificates. By default, trusted certificates are read from /etc/grid-security/certificates, but that directory serves machine-wide services. This command instead installs them in your personal directory.
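To make the trust-root lookup concrete, here is a small added example (not part of the exercise and not MyProxy or Globus code) that models where GSI looks for CA certificates and why unsetting X509_CERT_DIR matters before myproxy-logon -T. It assumes the GSI convention that the candidate directories are tried in the order X509_CERT_DIR, ~/.globus/certificates, /etc/grid-security/certificates, and that the first directory that exists is the one used; the CA file name, hash and PEM body below are constructed placeholders (a real file is named after the OpenSSL subject-name hash of the CA certificate, as printed by openssl x509 -hash).

```python
import tempfile
from pathlib import Path

# Lookup order for the trusted-certificates directory (GSI convention, an
# assumption of this example): X509_CERT_DIR if set, then the per-user
# directory that myproxy-logon -T populates, then the machine-wide one.
# The first directory that exists wins; the others are not consulted.
SYSTEM_CERT_DIR = Path("/etc/grid-security/certificates")


def candidate_cert_dirs(env, home):
    """Candidate trust-root directories, in lookup order."""
    dirs = []
    if env.get("X509_CERT_DIR"):
        dirs.append(Path(env["X509_CERT_DIR"]))
    dirs.append(Path(home) / ".globus" / "certificates")
    dirs.append(SYSTEM_CERT_DIR)
    return dirs


def effective_cert_dir(env, home):
    """First existing candidate directory, or None when none exists."""
    for d in candidate_cert_dirs(env, home):
        if d.is_dir():
            return d
    return None


def ca_is_trusted(ca_hash, env, home):
    """True when <ca_hash>.0 exists in the effective directory, i.e. the
    client would be able to verify certificates issued by that CA."""
    d = effective_cert_dir(env, home)
    return d is not None and (d / f"{ca_hash}.0").is_file()


def install_trust_root(ca_hash, pem, home):
    """Mimic the effect of myproxy-logon -T for this example: drop the CA
    certificate into ~/.globus/certificates as <hash>.0."""
    d = Path(home) / ".globus" / "certificates"
    d.mkdir(parents=True, exist_ok=True)
    (d / f"{ca_hash}.0").write_text(pem)
    return d


# Constructed placeholder values, not the real MyProxy CA hash or certificate.
DEMO_HASH = "0123abcd"
DEMO_PEM = "-----BEGIN CERTIFICATE-----\n(placeholder)\n-----END CERTIFICATE-----\n"


def demo():
    """Walk through the states seen in the exercise and return them."""
    with tempfile.TemporaryDirectory() as home:
        before = ca_is_trusted(DEMO_HASH, {}, home)       # no trust roots yet
        install_trust_root(DEMO_HASH, DEMO_PEM, home)       # myproxy-logon -T
        after = ca_is_trusted(DEMO_HASH, {}, home)
        # A stale X509_CERT_DIR pointing at an existing but empty directory
        # shadows the personal one, which is why the exercise unsets it first.
        with tempfile.TemporaryDirectory() as stale:
            shadowed = ca_is_trusted(DEMO_HASH, {"X509_CERT_DIR": stale}, home)
    return {"before": before, "after": after, "shadowed": shadowed}


if __name__ == "__main__":
    print(demo())
```

The "shadowed" case is the one to remember when a client keeps failing with "Couldn't verify the remote certificate" after trust roots have been installed: an environment variable pointing at another directory silently takes precedence over ~/.globus/certificates.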

Attempt to submit the job again:

[rachana@glite-tutor2 ~]$ globusrun-ws -submit -F workshop1.ci.uchicago.edu -s -job-command /bin/hostname 
Delegating user credentials...Failed.
globusrun-ws: Error trying to delegate
globus_delegation_client_util: DelegationFactoryPortType_RequestSecurityToken callback failed.
globus_soap_message_module: SOAP Fault
Fault code: soapenv:Server.userException
Fault string: org.globus.wsrf.impl.security.authorization.exceptions.AuthorizationException: "/O=Grid/OU=GlobusTest/OU=simpleCA-workshop1.ci.uchicago.edu/CN=issgc01" is not authorized to use operation: {http://www.globus.org/08/2004/delegationService}requestSecurityToken on this service
[rachana@glite-tutor2 ~]$ 

Authentication succeeded, but authorization failed. GRAM services are configured to use gridmap files, located at /etc/grid-security/grid-mapfile. This file is write-protected so that only administrators can change it to grant access, but it can be read by anyone. The identity of your new credential is not in the gridmap file, so you are not authorized to submit jobs.

Typically, authorizing a user on a cluster and adding them to the gridmap file involves contacting the system administrator. But on workshop1.ci.uchicago.edu a tool called gx-map is set up that allows users who ssh to the machine to add themselves to the gridmap file. The addition is not instant; it may take a few minutes to be reflected in the gridmap file.

[rachana@glite-tutor2 ~]$ ssh workshop1.ci.uchicago.edu 

Grid map file used is at /etc/grid-security/grid-mapfile

[rachana@workshop1 ~]$ less /etc/grid-security/grid-mapfile 
#
# Automatically generated by gx-gen-mapfile (gx-map 0.5.1)
# at Fri 2006-06-23 15:26:02 UTC on gridlab1.phys.utb.edu.
# DO NOT EDIT THIS FILE.  ANY CHANGES YOU MAKE WILL BE LOST ON THE NEXT UPDATE.
#
"/C=US/O=Globus Alliance/OU=User/CN=101497d3dcd.3dcd5aef" ranantha
"/C=US/O=Globus Alliance/OU=User/CN=10bd8f410f6.5f0086b4" benc
"/C=US/O=Globus Alliance/OU=User/CN=10bf234e01a.ac286cfa" ranantha
"/C=US/O=SDSC/OU=SDSC/CN=Account Train10/UID=train10" train10
"/C=US/O=SDSC/OU=SDSC/CN=Account Train11/UID=train11" train11
"/C=US/O=SDSC/OU=SDSC/CN=Account Train12/UID=train12" train12
"/C=US/O=SDSC/OU=SDSC/CN=Account Train13/UID=train13" train13
"/C=US/O=SDSC/OU=SDSC/CN=Account Train14/UID=train14" train14
"/C=US/O=SDSC/OU=SDSC/CN=Account Train15/UID=train15" train15
"/C=US/O=SDSC/OU=SDSC/CN=Account Train16/UID=train16" train16
"/C=US/O=SDSC/OU=SDSC/CN=Account Train17/UID=train17" train17
"/C=US/O=SDSC/OU=SDSC/CN=Account Train18/UID=train18" train18
"/C=US/O=SDSC/OU=SDSC/CN=Account Train19/UID=train19" train19
...
"/C=US/O=SDSC/OU=SDSC/CN=Account Train58/UID=train58" train58
"/C=US/O=SDSC/OU=SDSC/CN=Account Train59/UID=train59" train59
"/C=US/O=SDSC/OU=SDSC/CN=Account Train60/UID=train60" train60
"/DC=org/DC=doegrids/OU=People/CN=Gaurang Mehta 998137" gmehta
[rachana@glite-tutor2 ~]$

This gridmap file has been created using a tool (it can also be hand written).

Only the listed DNs are allowed to access the GRAM server.

Each entry is a mapping from a DN to a local username. For example, the DN /C=US/O=SDSC/OU=SDSC/CN=Account Train31/UID=train31 is mapped to the username train31.

Note that the identity presented by the credential you used in the previous step is not in the gridmap file.

Download credential from MyProxy:

[rachana@workshop1 ~]$ myproxy-logon -s workshop1.ci.uchicago.edu -l issgc01
Enter MyProxy pass phrase:
A credential has been received for user issgc01 in /tmp/x509up_u8623.
[rachana@workshop1 ~]$

Add identity to grid map file:

[rachana@workshop1 ~]$ gx-request -quick-add
About to map distinguished name
    "O=Grid/OU=GlobusTest/OU=simpleCA-workshop1.ci.uchicago.edu/CN=issgc01"
to user
    train31
Proceed? [yn] y
Mapping request submitted.
The grid-mapfile should be updated in a few minutes
[rachana@workshop1 ~]$

This update may take a few minutes. You can look for the update by searching the gridmap file for your DN.
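The gridmap entry format described above, and the check for your own DN suggested here, as an added example (it is not part of the exercise and not the gx-map or Globus implementation). The sample file contents, the "Shared Training" entry and the train40/train41 usernames are constructed for illustration; the ISSGC DN is the one shown in the exercise output, and it is deliberately absent from the sample to reproduce the state before gx-request has run. Two details go slightly beyond the file shown: a gridmap line may carry a comma-separated list of local usernames, of which the first is the default, and matching here is exact string comparison of the DN.

```python
import shlex

# Constructed sample gridmap file, modelled on the one shown above; it is
# not the real /etc/grid-security/grid-mapfile.
SAMPLE_GRIDMAP = """\
# Automatically generated by gx-gen-mapfile (constructed sample)
# DO NOT EDIT THIS FILE.  ANY CHANGES YOU MAKE WILL BE LOST ON THE NEXT UPDATE.
"/C=US/O=Globus Alliance/OU=User/CN=101497d3dcd.3dcd5aef" ranantha
"/C=US/O=SDSC/OU=SDSC/CN=Account Train31/UID=train31" train31
"/C=US/O=SDSC/OU=SDSC/CN=Shared Training/UID=shared" train40,train41
"""

# The identity issued by the MyProxy CA in the exercise.
ISSGC_DN = "/O=Grid/OU=GlobusTest/OU=simpleCA-workshop1.ci.uchicago.edu/CN=issgc01"


def parse_gridmap(text):
    """Map each quoted DN to its list of local usernames.

    Blank lines and '#' comments are skipped. A line is '"DN" user' or
    '"DN" user1,user2'; the first user is the default mapping. Malformed
    lines raise rather than being skipped, because a half-parsed
    authorization file should fail loudly."""
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)          # handles the quoted, space-containing DN
        if len(fields) != 2 or not fields[0].startswith("/"):
            raise ValueError(f"gridmap line {lineno} is malformed: {raw!r}")
        dn, users = fields
        mapping[dn] = [u for u in users.split(",") if u]
    return mapping


def map_identity(dn, mapping):
    """Local username the DN is authorized as, or None when the DN is not
    listed (the AuthorizationException case seen in the exercise)."""
    users = mapping.get(dn)
    return users[0] if users else None


def add_mapping(text, dn, user):
    """Append the entry that gx-request asks the tool to generate."""
    if not text.endswith("\n"):
        text += "\n"
    return text + f'"{dn}" {user}\n'


if __name__ == "__main__":
    before = parse_gridmap(SAMPLE_GRIDMAP)
    print("before gx-request:", map_identity(ISSGC_DN, before))
    after = parse_gridmap(add_mapping(SAMPLE_GRIDMAP, ISSGC_DN, "train31"))
    print("after gx-request: ", map_identity(ISSGC_DN, after))
```

On the cluster itself the equivalent check is a search of the real file for the identity string that grid-proxy-info -identity prints; if that string is not present, every GRAM request will authenticate and then fail authorization exactly as shown above, regardless of how the trust roots are configured.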

Submit the job again.

[rachana@glite-tutor2 ~]$ globusrun-ws -submit -F workshop1.ci.uchicago.edu -s -job-command /bin/hostname 
Delegating user credentials...Done.
Submitting job...Done.
Job ID: uuid:bcbb6a22-4c57-11dd-908a-00304877960c
Termination time: 07/08/2008 19:06 GMT
Current job state: Active
Current job state: CleanUp-Hold
workshop1.ci.uchicago.edu
Current job state: CleanUp
Current job state: Done
Destroying job...Done.
Cleaning up any delegated credentials...Done.
[rachana@glite-tutor2 ~]$ 

Hopefully it worked.

Now tidy up the changes made in this exercise so that they do not interfere with other exercises:

$ grid-proxy-destroy
$ rm -rfv ~/.globus/certificates/