[transfer-api] Can I use cert-based authentication with MyProxy?

Maxim Potekhin potekhin at bnl.gov
Wed Feb 1 10:47:15 CST 2012

Hello Bryce,

thanks for the note.

On 2/1/2012 11:41 AM, Bryce Allen wrote:
> What do you mean by anonymous retrieval? When using the myproxy
> activation method, you send the myproxy username/password to
> globusonline, and globusonline calls myproxy-logon with the appropriate
> myproxy server using that user/pass.
I guess I was referring to myself being unable to activate an EP on 
Globus Online
web site, when I specified the CERN instance of MyProxy. This is the 
error message
I got on GO web site:

Activate of endpoint 'mxp#MXP_BNL_TEST' failed: Failed to receive 
credentials. ERROR from myproxy-server: "<anonymous>" not authorized by 
server's default trusted_retrievers policy "<anonymous>" not authorized 
by server's authorized_retrievers policy "<anonymous>" not authorized by 
server's authorized_renewers policy

I haven't tried similar operation in the Python client, will probably 
do... Suspect will
see the same behavior.


>   The username/password are sent
> over ssl and are never stored. The short term credential returned from
> myproxy-logon is the only thing we keep, in order to perform operations
> on the user's behalf.
> Having the username/password pass through is undesirable for some, which
> is why we created delegate_proxy activation. But there is no anonymous
> retrieval that I can think of.
> Some possible workarounds:
> - Use the CLI to activate using gsissh -g (but this requires having
>    globus toolkit installed on the client).
> - Modify delegate_proxy_activate.py to use the openssl command to
>    create and sign the certificate instead of M2Crypto. The signing part
>    is definitely doable, but I'm not sure if it's possible to create a
>    proxy certificate just with the openssl command.
> Creating a proxy and signing it is a fairly complex operation - some
> tooling is needed. What do you have available on the worker nodes? Is
> running easy_install to compile M2Crypto against openssl also out of
> the question?

More information about the transfer-api mailing list