[transfer-api] Can I use cert-based authentication with MyProxy?

Bryce Allen ballen at ci.uchicago.edu
Wed Feb 1 11:10:52 CST 2012


You just found a bug - we don't trim whitespace from the hostname. Can
make sure there is no trailing whitespace and try again?

Thanks,
Bryce

On Wed, 01 Feb 2012 11:59:04 -0500
Maxim Potekhin <potekhin at bnl.gov> wrote:
> Bryce,
> 
> I tried to use a different server and got this:
> 
> Activate of endpoint 'mxp#MXP_BNL_TEST' failed: Unknown host 
> "myproxy.to.infn.it "
> 
> myproxy.to.infn.it does exist, I put my X509 there.
> 
> Maxim
> 
> 
> On 2/1/2012 11:41 AM, Bryce Allen wrote:
> > On Wed, 01 Feb 2012 11:25:58 -0500
> > Maxim Potekhin<potekhin at bnl.gov>  wrote:
> >> my client will run in the cloud, there is only so much I can
> >> reasonably install
> >> on remote worker nodes, on the fly. Yum is out of question.
> >>
> >> Is there any workaround to get auth to Globus Online?
> >>
> >> Alternatively, is there a simple way to use MyProxy, whereby it
> >> does not allow anonymous retrieval? If yes, could you post a
> >> complete
> > What do you mean by anonymous retrieval? When using the myproxy
> > activation method, you send the myproxy username/password to
> > globusonline, and globusonline calls myproxy-logon with the
> > appropriate myproxy server using that user/pass. The
> > username/password are sent over ssl and are never stored. The short
> > term credential returned from myproxy-logon is the only thing we
> > keep, in order to perform operations on the user's behalf.
> >
> > Having the username/password pass through is undesirable for some,
> > which is why we created delegate_proxy activation. But there is no
> > anonymous retrieval that I can think of.
> >
> > Some possible workarounds:
> >
> > - Use the CLI to activate using gsissh -g (but this requires having
> >    globus toolkit installed on the client).
> > - Modify delegate_proxy_activate.py to use the openssl command to
> >    create and sign the certificate instead of M2Crypto. The signing
> > part is definitely doable, but I'm not sure if it's possible to
> > create a proxy certificate just with the openssl command.
> >
> > Creating a proxy and signing it is a fairly complex operation - some
> > tooling is needed. What do you have available on the worker nodes?
> > Is running easy_install to compile M2Crypto against openssl also
> > out of the question?
> 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: not available
URL: <https://lists.globusonline.org/mailman/private/transfer-api/attachments/20120201/99dce066/attachment.pgp>


More information about the transfer-api mailing list