Hi Charles, I have performed the revised GT4.2 Quickstart and I have now succeeded. Thanks for your help.
I have another question about the myproxy certificate storage location. My certificates are being saved into /var/proxy instead of /sandbox/globus/globus-4.2.0//var/myproxy as described in the Quickstart. When I first asked for help I noticed that they were being saved into /sandbox/globus/globus-4.2.0//var/myproxy. Just to understand how it works, what makes this happen?

Best regards,
Klaus Schwarzmeier

Charles Bacon <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
20/08/2008 10:54
To: Jim Basney <[EMAIL PROTECTED]>
cc: [email protected]
Subject: Re: [gt-user] myproxy-logon Failed reading length 0 (GT 4.2.0)

On Aug 19, 2008, at 5:58 PM, Jim Basney wrote:

> I agree that running the myproxy-server as globus makes sense for the
> quickstart. I assume you've worked out the details of how the hostcert
> and hostkey need to be set up in this case.
>
> For the record, I recommend that production myproxy-server deployments
> run on a dedicated server with no other services running to provide the
> maximum isolation against attacks. Since the myproxy-server holds
> private keys, it's important that it be particularly well-protected.
>
> But, for the purposes of the quickstart, I think your approach is a good
> one, and I hope MyProxy makes the quickstart process work more smoothly.
> (And any suggestions on how we can improve MyProxy are most welcome.)

In the end I decided to run it as root, because I wanted it to run using the hostcert. I suppose the globus user would have been reasonable if I set it up with the containercert, but I didn't want to add the X509_USER_CERT/KEY to the myproxy xinetd file. I think it's reasonable either way for the quickstart. I figure I will also be adding the PAM backend to get myproxy to act as an online CA, and since root will need to do that configuration too, it seemed reasonably natural.
I think that myproxy helps a lot with a step of the quickstart that confused many people, which is the part where you need to sign a hostcert on one machine and get it to another machine. I think the current section 2.3 (Setting up your second machine: Security) is much smoother than it was in the 4.0 quickstart because there's no need to invoke something like mail/scp to move the hostcerts around.

My one piece of feedback based on the quickstart so far: I'd like an option to myproxy-admin-adduser that gets rid of most of the text. I feel like the interface could be as simple as:

    [EMAIL PROTECTED]:~ # myproxy-admin-adduser -c "Charles Bacon" -l bacon
    Enter PEM pass phrase for certificate: *bacon's new password*
    Verifying - Enter PEM pass phrase: *bacon's new password*
    Generating certificate for: /O=Grid/OU=GlobusTest/OU=simpleCA-elephant.mcs.anl.gov/OU=mcs.anl.gov/CN=Charles Bacon
    To sign the request please enter the password for the CA key: *SimpleCA password*
    The new signed certificate is at: /homes/globus/.globus/simpleCA//newcerts/05.pem
    using storage directory /var/myproxy
    Credential stored successfully

Charles
