
Re: [Condor-users] help with MyProxy and Condor


I believe that the problem here is in the MyProxy server certificate. As the message says, the server certificate should have one of the following two forms of CN:

and in your case the server CN is "myproxy/yoga.citi.umich.edu@xxxxxxxxxxxxxx"

Can you get another certificate with CN myproxy/yoga.citi.umich.edu from your CA?

Also, can you try getting a proxy manually with the command reported in the log:
/usr/local/globus-4.0.1/bin/myproxy-get-delegation -v -o /tmp/x509up_u200008 -s yoga.citi.umich.edu -d -t 12 -S -l root -p 7512 -k condor


Olga Kornievskaia wrote:
I got a little further in getting condor and myproxy to work. Now, I can get Condor to contact MyProxy server, however, it fails with the following message:

4/13 19:59:32 [6007] myproxy-get-delegation for proxy /tmp/x509up_u200008, for job (87,0) exited with code 1, output (top):
want_trusted_certs = 0

server name: /C=US/ST=Michigan/L=Ann Arbor/O=University of Michigan/OU=CITI Production KCA/CN=myproxy/yoga.citi.umich.edu@xxxxxxxxxxxxxx/emailAddress=aglo@xxxxxxxxxxxxxx
checking if server name matches "myproxy@xxxxxxxxxxxxxxxxxxx"
server name does not match
checking if server name matches "host@xxxxxxxxxxxxxxxxxxx"
server name does not match
Error authenticating: authenticated peer name does not match

Failed to receive credentials.
Server authorization failed.  Server

When I run myproxy-init I set an environment variable MYPROXY_SERVER; does something similar need to be done in the job submission script?


Olga Kornievskaia wrote:

Thanks for your affirmation that the code actually works. However, I'm still unsuccessful in getting it to work.

Do you know if there is an option in the job script to tell it where to find X509 credentials?

I set X509_USER_PROXY to some location (e.g., /tmp/x509_proxy_cred) that contains a certificate that is valid for 5 mins. Then I submit a job (sleep 600) where I specify MyProxyHost, MyProxyCredentialName, and MyProxyPassword (prior to that I've done the myproxy-init, which now has a 7-day valid proxy). When I submit the job, I look in /tmp/Gridmanager.<username> and see that it takes X509_USER_PROXY to be /tmp/x509up_u<uid>. Unfortunately, there actually is a file /tmp/x509up_u<uid> that has a certificate that is used for something else, and its lifetime is longer than 5 mins, but I'm trying to test the renewal functionality, therefore I'm trying to point Condor at a different set of credentials.

Once again, any help would be appreciated.

Also, here are some other snippets from the log:
4/13 11:41:50 [4745] MyProxy Refresh Threshold 240 (default)
4/13 11:41:50 [4745] MyProxy New Proxy Lifetime 12 (default)
4/13 11:41:50 [4745] Adding new MyProxy entry for proxy /tmp/x509up_u200008 : host=yoga.citi.umich.edu, cred name=condor

4/13 11:44:46 [4745] Checking proxies
4/13 11:44:46 [4745] About to RefreshProxyThruMyProxy() for /tmp/x509up_u200008
4/13 11:44:46 [4745]  GetMyProxyPasswordFromSchedD 68, 0
4/13 11:44:46 [4745] GRIDMANAGER_TIMEOUT_MULTIPLIER is undefined, using default value of 0
4/13 11:44:46 [4745] This process has a valid certificate & key
4/13 11:44:46 [4745] X509_USER_PROXY=/tmp/x509up_u200008
4/13 11:44:46 [4745] Calling /usr/local/globus-4.0.1/bin/myproxy-get-delegation /tmp/x509up_u200008 -v -o /tmp/x509up_u200008 -s yoga.citi.umich.edu -d -t 12 -S -l root -p -1 -k condor

Emir Imamagic wrote:


I've been using it for quite a while.

- First you should create a MyProxy wrapper script (e.g. /usr/local/globus-4.0.1/libexec/myproxy-get-delegation.condor):
#!/bin/sh
export LD_LIBRARY_PATH=/usr/local/globus-4.0.1/lib
/usr/local/globus-4.0.1/bin/myproxy-get-delegation "$@"

and set the MYPROXY_GET_DELEGATION option to that instead of directly to the binary /usr/local/globus-4.0.1/bin/myproxy-get-delegation.

- Create MyProxy certificate:
myproxy-init -x -r "<CertSubjectLine>" -l root -k condor -s myproxy.host

- Submit script should be similar to this one:
MyProxyHost     = myproxy.host:7512
MyProxyCredentialName = condor
MyProxyPassword = MyPa88word

- You can also set the MyProxyRefreshThreshold option in the submit script to a large value in order to force Condor to refresh the certificate straight away, and trace the Gridmanager log (/tmp/Gridmanager.<username>) to see what will happen.

Hope this helps,
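
Added example, not part of the original thread and not MyProxy or Condor code: a pre-flight check that parses a server certificate subject like the one in the log above and reports whether its CN would pass the name check. It assumes the "myproxy@host" and "host@host" checks correspond to CNs of the form myproxy/<host> and host/<host>; the function names are hypothetical.

```python
import re

# Constructed from the subject printed in the log above (addresses are
# obfuscated by the list archive and kept that way here).
LOG_SUBJECT = ("/C=US/ST=Michigan/L=Ann Arbor/O=University of Michigan"
               "/OU=CITI Production KCA"
               "/CN=myproxy/yoga.citi.umich.edu@xxxxxxxxxxxxxx"
               "/emailAddress=aglo@xxxxxxxxxxxxxx")

# An RDN starts at a "/" that is followed by an attribute name and "=".
# Splitting on every "/" would cut "CN=myproxy/<host>" in two.
_RDN_START = re.compile(r"/(?=[A-Za-z][A-Za-z0-9.]*=)")


def parse_subject(subject):
    """Return [(attr, value), ...] from a slash-separated subject line."""
    rdns = []
    for part in _RDN_START.split(subject):
        if part:
            attr, _, value = part.partition("=")
            rdns.append((attr, value))
    return rdns


def acceptable_cns(host, services=("myproxy", "host")):
    """CN forms assumed to satisfy the 'service@host' checks in the log."""
    return {f"{svc}/{host}".lower() for svc in services}


def check_server_subject(subject, host):
    """Return (ok, cn, reason) for a server certificate subject."""
    cns = [v for a, v in parse_subject(subject) if a.upper() == "CN"]
    if not cns:
        return False, None, "subject has no CN"
    cn = cns[-1]  # use the last CN in the subject
    if cn.lower() in acceptable_cns(host):
        return True, cn, "CN matches"
    if "@" in cn and cn.split("@", 1)[0].lower() in acceptable_cns(host):
        return False, cn, "CN carries an @suffix; reissue without it"
    return False, cn, "CN does not match any accepted form"


if __name__ == "__main__":
    print(check_server_subject(LOG_SUBJECT, "yoga.citi.umich.edu"))
```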