Using the Grid/VOMS proxy

From BiGGrid Wiki
Jump to navigation Jump to search
Prev: Job startGridSession Up: Next: Proxy server

In order to use Grid facilities, you have to create a proxy. A proxy is a special kind of certificate that enables you to use Grid facilities during a certain period, without using passwords (Physically, this proxy is a file owned by you and placed in the /tmp directory. You never have to deal with this file directly).

A proxy certificate is a short lived certificate which is used to perform actions on the Grid on your behalf. You can read more at http://www.globus.org/alliance/publications/papers/pki04-welch-proxy-cert-final.pdf

Creating a VOMS proxy

Make sure you first installed your certificate on the ui grid server. Now issue the command: 

voms-proxy-init --voms <YourVOName>

You should get something like this: 

mgjansen$ voms-proxy-init --voms lsgrid
Cannot find file or dir: /home/mgjansen/.glite/vomses
Enter GRID pass phrase:
Your identity: /O=dutchgrid/O=users/O=sara/CN=Machiel Jansen
Creating temporary proxy .................................... Done
Contacting  voms.grid.sara.nl:30018 [/O=dutchgrid/O=hosts/OU=sara.nl/CN=voms.grid.sara.nl] "lsgrid" Done
Creating proxy ..................................................................... Done
Your proxy is valid until Fri Mar 14 00:53:02 2008

In essence this is the "user name" for the Grid. The pass phrase is the pass phrase you used creating the certificate. The last line in the example shows the expiration time of the proxy. So, from time to time you will have to call voms-proxy-init again.

You may get the following error: 

ERROR: Couldn't find valid credentials to generate a proxy.
Use --debug for further information.

The permissions on your installed certificate are probably wrong. Check the appropriate steps in "Installing your certificate".

Inspecting your proxy certificate

You can inspect your system with the command 

voms-proxy-info -all

Here is an example: 

mgjansen$ voms-proxy-info -all
subject   : /O=dutchgrid/O=users/O=sara/CN=Machiel Jansen/CN=proxy
issuer    : /O=dutchgrid/O=users/O=sara/CN=Machiel Jansen
identity  : /O=dutchgrid/O=users/O=sara/CN=Machiel Jansen
type      : proxy
strength  : 512 bits
path      : /tmp/x509up_u512
timeleft  : 11:57:01
=== VO lsgrid extension information ===
VO        : lsgrid
subject   : /O=dutchgrid/O=users/O=sara/CN=Machiel Jansen
issuer    : /O=dutchgrid/O=hosts/OU=sara.nl/CN=voms.grid.sara.nl
attribute : /lsgrid/Role=NULL/Capability=NULL
attribute : /lsgrid/SARA/Role=NULL/Capability=NULL
timeleft  : 11:57:02

You can see that a proxy certificate has a limited lifetime and is stored in the /tmp directory. It also has an extension which mentions the VO information. By using this information and based on your VO membership, the VOMS system can authorize you to certain resources on the Grid.

NOTE: In the step after this step, you will delegate your proxy certificate to the proxy server and there it will be valid by default for a week. So it will be possible that long running jobs and jobs that started running only after a few days can continue to run. However, the proxy certificate that you use locally is only valid for 12 hours. So remember that after 12 hours you have to create a new proxy certificate to interact with the Grid (and your long running jobs).



Prev: Job startGridSession Up: Next: Proxy server
Retrieved from "https://wiki.nikhef.nl/biggrid/index.php?title=Using_the_Grid/VOMS_proxy&oldid=177"