[transfer-api] Can I use cert-based authentication with MyProxy?

Maxim Potekhin potekhin at bnl.gov
Wed Feb 1 10:59:04 CST 2012


I tried to use a different server and got this:

Activate of endpoint 'mxp#MXP_BNL_TEST' failed: Unknown host 
"myproxy.to.infn.it "

myproxy.to.infn.it does exist, I put my X509 there.


On 2/1/2012 11:41 AM, Bryce Allen wrote:
> On Wed, 01 Feb 2012 11:25:58 -0500
> Maxim Potekhin<potekhin at bnl.gov>  wrote:
>> my client will run in the cloud, there is only so much I can
>> reasonably install
>> on remote worker nodes, on the fly. Yum is out of question.
>> Is there any workaround to get auth to Globus Online?
>> Alternatively, is there a simple way to use MyProxy, whereby it does
>> not allow anonymous retrieval? If yes, could you post a complete
> What do you mean by anonymous retrieval? When using the myproxy
> activation method, you send the myproxy username/password to
> globusonline, and globusonline calls myproxy-logon with the appropriate
> myproxy server using that user/pass. The username/password are sent
> over ssl and are never stored. The short term credential returned from
> myproxy-logon is the only thing we keep, in order to perform operations
> on the user's behalf.
> Having the username/password pass through is undesirable for some, which
> is why we created delegate_proxy activation. But there is no anonymous
> retrieval that I can think of.
> Some possible workarounds:
> - Use the CLI to activate using gsissh -g (but this requires having
>    globus toolkit installed on the client).
> - Modify delegate_proxy_activate.py to use the openssl command to
>    create and sign the certificate instead of M2Crypto. The signing part
>    is definitely doable, but I'm not sure if it's possible to create a
>    proxy certificate just with the openssl command.
> Creating a proxy and signing it is a fairly complex operation - some
> tooling is needed. What do you have available on the worker nodes? Is
> running easy_install to compile M2Crypto against openssl also out of
> the question?

More information about the transfer-api mailing list