Right. I also updated the quickstart so the output reflects that change - it was updating every 15 minutes or so yesterday as I worked through the changes, so you might have gotten an intermediate copy.

Charles

On Aug 20, 2008, at 1:03 PM, Jim Basney wrote:

The myproxy-server defaults to /var/myproxy.  If non-root, it can't
write to /var, so it falls back to $GLOBUS_LOCATION/var/myproxy.

http://grid.ncsa.uiuc.edu/myproxy/man/myproxy-server.8.html

[EMAIL PROTECTED] wrote:
Hi Charles,

I have performed the revised GT4.2 Quickstart and I have now succeeded.
Thanks for your help.

I have another question about myproxy certificates storage location. My
certificates are being saved into /var/proxy instead of
/sandbox/globus/globus-4.2.0//var/myproxy as described in the
Quickstart. When I first asked for help I noticed that they were being saved
into /sandbox/globus/globus-4.2.0//var/myproxy.
Just to understand how it works, what makes this happen?

Best regards, Klaus Schwarzmeier

Charles Bacon <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
20/08/2008 10:54

To: Jim Basney <[EMAIL PROTECTED]>
cc: [email protected]
Subject: Re: [gt-user] myproxy-logon Failed reading length 0 (GT 4.2.0)

On Aug 19, 2008, at 5:58 PM, Jim Basney wrote:

I agree that running the myproxy-server as globus makes sense for the
quickstart.  I assume you've worked out the details of how the hostcert
and hostkey need to be setup in this case.

For the record, I recommend that production myproxy-server deployments
run on a dedicated server with no other services running to provide the
maximum isolation against attacks.  Since the myproxy-server holds
private keys, it's important that it be particularly well-protected.

But, for the purposes of the quickstart, I think your approach is a good
one, and I hope MyProxy makes the quickstart process work more smoothly.
(And any suggestions on how we can improve MyProxy are most welcome.)

In the end I decided to run it as root, because I wanted it to run
using the hostcert.  I suppose the globus user would have been
reasonable if I set it up with the containercert, but I didn't want to
add the X509_USER_CERT/KEY to the myproxy xinetd file.  I think it's
reasonable either way for the quickstart.

I figure I will also be adding the PAM backend to get myproxy to act
as an online CA, and since root will need to do that configuration
too, it seemed reasonably natural.

I think that myproxy helps a lot with a step of the quickstart that
confused many people, which is the part where you need to sign a
hostcert on one machine and get it to another machine.  I think the
current section 2.3 (Setting up your second machine: Security) is much
smoother than it was in the 4.0 quickstart because there's no need to
invoke something like mail/scp to move the hostcerts around.

My one piece of feedback based on the quickstart so far: I'd like an
option to myproxy-admin-adduser that gets rid of most of the text.  I
feel like the interface could be as simple as:

[EMAIL PROTECTED]:~ # myproxy-admin-adduser -c "Charles Bacon" -l bacon
Enter PEM pass phrase for certificate: *bacon's new password*
Verifying - Enter PEM pass phrase: *bacon's new password*
Generating certificate for:
/O=Grid/OU=GlobusTest/OU=simpleCA-elephant.mcs.anl.gov/ OU=mcs.anl.gov/
CN=Charles Bacon
To sign the request please enter the password for the CA key:
*SimpleCA password*
The new signed certificate is at: /homes/globus/.globus/simpleCA//
newcerts/05.pem
using storage directory /var/myproxy
Credential stored successfully


Charles



This message is intended solely for the use of its addressee and may
contain privileged or confidential information. If you are not the
addressee you should not distribute, copy or file this message. In this
case, please notify the sender and destroy its contents immediately.