[transfer-api] Can I use cert-based authentication with MyProxy?

Bryce Allen ballen at ci.uchicago.edu
Wed Feb 1 10:59:56 CST 2012

The website uses the Transfer API, so I would expect the same error,
unless something went wrong with passing the username/password. This
looks like it might be a problem specific to the CERN myproxy - I
opened up a support ticket to see if anyone else on our team has
ideas, you should get the CC.


On Wed, 01 Feb 2012 11:47:15 -0500
Maxim Potekhin <potekhin at bnl.gov> wrote:
> Hello Bryce,
> thanks for the note.
> On 2/1/2012 11:41 AM, Bryce Allen wrote:
> > What do you mean by anonymous retrieval? When using the myproxy
> > activation method, you send the myproxy username/password to
> > globusonline, and globusonline calls myproxy-logon with the
> > appropriate myproxy server using that user/pass.
> I guess I was referring to myself being unable to activate an EP on 
> Globus Online
> web site, when I specified the CERN instance of MyProxy. This is the 
> error message
> I got on GO web site:
> Activate of endpoint 'mxp#MXP_BNL_TEST' failed: Failed to receive 
> credentials. ERROR from myproxy-server: "<anonymous>" not authorized
> by server's default trusted_retrievers policy "<anonymous>" not
> authorized by server's authorized_retrievers policy "<anonymous>" not
> authorized by server's authorized_renewers policy
> I haven't tried similar operation in the Python client, will probably 
> do... Suspect will
> see the same behavior.
> Maxim
> >   The username/password are sent
> > over ssl and are never stored. The short term credential returned
> > from myproxy-logon is the only thing we keep, in order to perform
> > operations on the user's behalf.
> >
> > Having the username/password pass through is undesirable for some,
> > which is why we created delegate_proxy activation. But there is no
> > anonymous retrieval that I can think of.
> >
> > Some possible workarounds:
> >
> > - Use the CLI to activate using gsissh -g (but this requires having
> >    globus toolkit installed on the client).
> > - Modify delegate_proxy_activate.py to use the openssl command to
> >    create and sign the certificate instead of M2Crypto. The signing
> > part is definitely doable, but I'm not sure if it's possible to
> > create a proxy certificate just with the openssl command.
> >
> > Creating a proxy and signing it is a fairly complex operation - some
> > tooling is needed. What do you have available on the worker nodes?
> > Is running easy_install to compile M2Crypto against openssl also
> > out of the question?
> _______________________________________________
> transfer-api mailing list
> transfer-api at lists.globusonline.org
> https://lists.globusonline.org/mailman/listinfo/transfer-api
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: not available
URL: <https://lists.globusonline.org/mailman/private/transfer-api/attachments/20120201/922e1299/attachment.pgp>

More information about the transfer-api mailing list