The myproxy-server defaults to /var/myproxy. If non-root, it can't write to /var, so it falls back to $GLOBUS_LOCATION/var/myproxy.
http://grid.ncsa.uiuc.edu/myproxy/man/myproxy-server.8.html

[EMAIL PROTECTED] wrote:
> Hi Charles,
>
> I have performed the revised GT4.2 Quickstart and I have now succeeded.
> Thanks for your help.
>
> I have another question about myproxy certificates storage location. My
> certificates are being saved into /var/proxy instead of
> /sandbox/globus/globus-4.2.0//var/myproxy as described in the
> Quickstart. When I first asked for help I noticed that they were being saved
> into /sandbox/globus/globus-4.2.0//var/myproxy.
> Just to understand how it works, what makes this happen?
>
> Best regards, Klaus Schwarzmeier
>
> Charles Bacon <[EMAIL PROTECTED]>
> Sent by: [EMAIL PROTECTED]
> 20/08/2008 10:54
>
> To
> Jim Basney <[EMAIL PROTECTED]>
> cc
> [email protected]
> Subject
> Re: [gt-user] myproxy-logon Failed reading length 0 (GT 4.2.0)
>
> On Aug 19, 2008, at 5:58 PM, Jim Basney wrote:
>
>> I agree that running the myproxy-server as globus makes sense for the
>> quickstart. I assume you've worked out the details of how the hostcert
>> and hostkey need to be set up in this case.
>>
>> For the record, I recommend that production myproxy-server deployments
>> run on a dedicated server with no other services running to provide the
>> maximum isolation against attacks. Since the myproxy-server holds
>> private keys, it's important that it be particularly well-protected.
>>
>> But, for the purposes of the quickstart, I think your approach is a good
>> one, and I hope MyProxy makes the quickstart process work more smoothly.
>> (And any suggestions on how we can improve MyProxy are most welcome.)
>
> In the end I decided to run it as root, because I wanted it to run
> using the hostcert. I suppose the globus user would have been
> reasonable if I set it up with the containercert, but I didn't want to
> add the X509_USER_CERT/KEY to the myproxy xinetd file. I think it's
> reasonable either way for the quickstart.
>
> I figure I will also be adding the PAM backend to get myproxy to act
> as an online CA, and since root will need to do that configuration
> too, it seemed reasonably natural.
>
> I think that myproxy helps a lot with a step of the quickstart that
> confused many people, which is the part where you need to sign a
> hostcert on one machine and get it to another machine. I think the
> current section 2.3 (Setting up your second machine: Security) is much
> smoother than it was in the 4.0 quickstart because there's no need to
> invoke something like mail/scp to move the hostcerts around.
>
> My one piece of feedback based on the quickstart so far: I'd like an
> option to myproxy-admin-adduser that gets rid of most of the text. I
> feel like the interface could be as simple as:
>
> [EMAIL PROTECTED]:~ # myproxy-admin-adduser -c "Charles Bacon" -l bacon
> Enter PEM pass phrase for certificate: *bacon's new password*
> Verifying - Enter PEM pass phrase: *bacon's new password*
> Generating certificate for:
> /O=Grid/OU=GlobusTest/OU=simpleCA-elephant.mcs.anl.gov/OU=mcs.anl.gov/CN=Charles Bacon
> To sign the request please enter the password for the CA key: *SimpleCA password*
> The new signed certificate is at: /homes/globus/.globus/simpleCA//newcerts/05.pem
> using storage directory /var/myproxy
> Credential stored successfully
>
> Charles
>
> This message is intended solely for the use of its addressee and may
> contain privileged or confidential information. If you are not the
> addressee you should not distribute, copy or file this message. In this
> case, please notify the sender and destroy its contents immediately.
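The storage-directory rule stated at the top of this message, as an added example that is not part of the original thread and not taken from the MyProxy source: it reproduces the described choice between /var/myproxy and $GLOBUS_LOCATION/var/myproxy, then checks that the chosen directory, which holds private keys, is owned by the current user and closed to group and other. The function names and the exact writability test are assumptions.

```shell
#!/bin/sh
# Added example: mirrors the selection rule stated in the reply above.
# It is not taken from the myproxy-server source; function names are hypothetical.

# myproxy_storage_dir [system_dir] [globus_location]
# Prints system_dir if the current user can write to it (or create it),
# otherwise <globus_location>/var/myproxy.
myproxy_storage_dir() {
    sys_dir=${1:-/var/myproxy}
    gl=${2:-${GLOBUS_LOCATION:-}}
    if [ -d "$sys_dir" ] && [ -w "$sys_dir" ]; then
        echo "$sys_dir"
    elif [ ! -e "$sys_dir" ] && [ -w "$(dirname "$sys_dir")" ]; then
        echo "$sys_dir"
    elif [ -n "$gl" ]; then
        echo "${gl%/}/var/myproxy"
    else
        echo "no usable storage directory" >&2
        return 1
    fi
}

# audit_storage_dir dir
# The store holds private keys, so require a real directory (not a symlink)
# owned by the current user with no group or other permission bits.
audit_storage_dir() {
    dir=$1
    if [ ! -d "$dir" ] || [ -L "$dir" ]; then
        echo "not-a-directory"; return 1
    fi
    [ -O "$dir" ] || { echo "wrong-owner"; return 1; }
    mode=$(ls -ld "$dir" | cut -c5-10)   # group and other triplets
    [ "$mode" = "------" ] || { echo "group-or-other-access"; return 1; }
    echo "ok"
}

# Run as the account that starts myproxy-server: sh thisfile check
if [ "${1:-}" = "check" ]; then
    d=$(myproxy_storage_dir) && echo "storage: $d" && audit_storage_dir "$d"
fi
```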
