[transfer-api] Can I use cert-based authentication with MyProxy?

Maxim Potekhin potekhin at bnl.gov
Wed Feb 1 11:22:11 CST 2012


Bryce --

Indeed it worked now. Thanks, that helps.

Of course we are trying to get the X509 auth going as well, and
I'm not sure how to proceed in the light of not being able to really
use the m2 library.

Thanks

Maxim

On 2/1/2012 12:10 PM, Bryce Allen wrote:
> You just found a bug - we don't trim whitespace from the hostname. Can
> you make sure there is no trailing whitespace and try again?
>
> Thanks,
> Bryce
>
> On Wed, 01 Feb 2012 11:59:04 -0500
> Maxim Potekhin<potekhin at bnl.gov>  wrote:
>> Bryce,
>>
>> I tried to use a different server and got this:
>>
>> Activate of endpoint 'mxp#MXP_BNL_TEST' failed: Unknown host
>> "myproxy.to.infn.it"
>>
>> myproxy.to.infn.it does exist, I put my X509 there.
>>
>> Maxim
>>
>>
>> On 2/1/2012 11:41 AM, Bryce Allen wrote:
>>> On Wed, 01 Feb 2012 11:25:58 -0500
>>> Maxim Potekhin<potekhin at bnl.gov>   wrote:
>>>> my client will run in the cloud, there is only so much I can
>>>> reasonably install
>>>> on remote worker nodes, on the fly. Yum is out of the question.
>>>>
>>>> Is there any workaround to get auth to Globus Online?
>>>>
>>>> Alternatively, is there a simple way to use MyProxy, whereby it
>>>> does not allow anonymous retrieval? If yes, could you post a
>>>> complete
>>> What do you mean by anonymous retrieval? When using the myproxy
>>> activation method, you send the myproxy username/password to
>>> globusonline, and globusonline calls myproxy-logon with the
>>> appropriate myproxy server using that user/pass. The
>>> username/password are sent over ssl and are never stored. The short
>>> term credential returned from myproxy-logon is the only thing we
>>> keep, in order to perform operations on the user's behalf.
>>>
>>> Having the username/password pass through is undesirable for some,
>>> which is why we created delegate_proxy activation. But there is no
>>> anonymous retrieval that I can think of.
>>>
>>> Some possible workarounds:
>>>
>>> - Use the CLI to activate using gsissh -g (but this requires having
>>>     globus toolkit installed on the client).
>>> - Modify delegate_proxy_activate.py to use the openssl command to
>>>     create and sign the certificate instead of M2Crypto. The signing
>>>     part is definitely doable, but I'm not sure if it's possible to
>>>     create a proxy certificate just with the openssl command.
>>>
>>> Creating a proxy and signing it is a fairly complex operation - some
>>> tooling is needed. What do you have available on the worker nodes?
>>> Is running easy_install to compile M2Crypto against openssl also
>>> out of the question?
