On Aug 19, 2008, at 5:58 PM, Jim Basney wrote:
I agree that running the myproxy-server as globus makes sense for the
quickstart. I assume you've worked out the details of how the hostcert
and hostkey need to be set up in this case.
For the record, I recommend that production myproxy-server deployments
run on a dedicated server with no other services running to provide the
maximum isolation against attacks. Since the myproxy-server holds
private keys, it's important that it be particularly well-protected.
But, for the purposes of the quickstart, I think your approach is a good
one, and I hope MyProxy makes the quickstart process work more smoothly.
(And any suggestions on how we can improve MyProxy are most welcome.)
In the end I decided to run it as root, because I wanted it to run
using the hostcert. I suppose the globus user would have been
reasonable if I set it up with the containercert, but I didn't want to
add the X509_USER_CERT/KEY to the myproxy xinetd file. I think it's
reasonable either way for the quickstart.
I figure I will also be adding the PAM backend to get myproxy to act
as an online CA, and since root will need to do that configuration
too, it seemed reasonably natural.
I think that myproxy helps a lot with a step of the quickstart that
confused many people, which is the part where you need to sign a
hostcert on one machine and get it to another machine. I think the
current section 2.3 (Setting up your second machine: Security) is much
smoother than it was in the 4.0 quickstart because there's no need to
invoke something like mail/scp to move the hostcerts around.
My one piece of feedback based on the quickstart so far: I'd like an
option to myproxy-admin-adduser that gets rid of most of the text. I
feel like the interface could be as simple as:
[EMAIL PROTECTED]:~ # myproxy-admin-adduser -c "Charles Bacon" -l bacon
Enter PEM pass phrase for certificate: *bacon's new password*
Verifying - Enter PEM pass phrase: *bacon's new password*
Generating certificate for:
/O=Grid/OU=GlobusTest/OU=simpleCA-elephant.mcs.anl.gov/OU=mcs.anl.gov/CN=Charles Bacon
To sign the request please enter the password for the CA key:
*SimpleCA password*
The new signed certificate is at: /homes/globus/.globus/simpleCA//newcerts/05.pem
using storage directory /var/myproxy
Credential stored successfully
Charles
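The two ways of running the daemon weighed in this thread, as an added xinetd example that is not from the thread or from the MyProxy distribution: the "root with hostcert" service entry Charles chose beside the "globus with containercert" entry Jim suggested, which hands the credential paths to the server through X509_USER_CERT/KEY in the service environment. The install path, config path, port and credential file names are assumptions; use one entry or the other, not both.

```conf
# Option A: run as root and let the server read the root-owned
# hostcert.pem/hostkey.pem directly (nothing extra in the environment).
service myproxy-server
{
    socket_type = stream
    protocol    = tcp
    wait        = no
    user        = root
    port        = 7512
    # assumed install and config paths
    server      = /usr/local/globus/sbin/myproxy-server
    server_args = -c /etc/myproxy-server.config
    disable     = no
}

# Option B: run as the unprivileged globus user with the container
# credential. xinetd's "env" attribute exports name=value pairs to the
# server, so the daemon never needs to read the root-owned host key.
# containerkey.pem must be readable by globus and by nobody else.
service myproxy-server
{
    socket_type = stream
    protocol    = tcp
    wait        = no
    user        = globus
    port        = 7512
    env         = X509_USER_CERT=/etc/grid-security/containercert.pem X509_USER_KEY=/etc/grid-security/containerkey.pem
    server      = /usr/local/globus/sbin/myproxy-server
    server_args = -c /etc/myproxy-server.config
    disable     = no
}
```

With option B a compromise of the listener exposes only the container credential and the globus-owned repository, not the host key; whichever entry you use, check that the private key file is mode 0400 and owned by the user named in the entry before enabling the service.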