Re: [Condor-users] help with MyProxy and Condor

[Emir Imamagic <eimamagi@xxxxxxx>]

Hi,

i believe that the problem here is in myproxy server certificate. As the 
message says the server certificate should have one of following two 
forms of CN:
host/yoga.citi.umich.edu
myproxy/yoga.citi.umich.edu

and in your case server CN is "myproxy/yoga.citi.umich.edu@xxxxxxxxxxxxxx"

Can you get another certificate with CN myproxy/yoga.citi.umich.edu from 
your CA?

Also, can you try getting proxy manually with the command reported in log:
/usr/local/globus-4.0.1/bin/myproxy-get-delegation -v -o 
/tmp/x509up_u200008 -s yoga.citi.umich.edu -d -t 12 -S -l root -p 7512 
-k condor

Cheers,
emir


Olga Kornievskaia wrote:
> I got a little further in getting condor and myproxy to work. Now, I can 
> get Condor to contact MyProxy server, however, it fails with the 
> following message:
>
> 4/13 19:59:32 [6007] myproxy-get-delegation for proxy 
> /tmp/x509up_u200008, for job (87,0) exited with code 1, output (top):
> want_trusted_certs = 0
>
> server name: /C=US/ST=Michigan/L=Ann Arbor/O=University of 
> Michigan/OU=CITI Production 
> KCA/CN=myproxy/yoga.citi.umich.edu@xxxxxxxxxxxxxx/emailAddress=aglo@xxxxxxxxxxxxxx
> checking if server name matches "myproxy@xxxxxxxxxxxxxxxxxxx"
> server name does not match
> checking if server name matches "host@xxxxxxxxxxxxxxxxxxx"
> server name does not match
> Error authenticating: authenticated peer name does not match
>
> Failed to receive credentials.
> Server authorization failed.  Server
>
> When I run myproxy-init I set an environment variable MYPROXY_SERVER, 
> does something similar needs to be done in the job submission script?
>
> Thanks.
>
> Olga Kornievskaia wrote:
>
>
> > Thanks for your affirmation that the code actually works. However, I'm 
> > still unsuccessful in getting it to work.
> >
> > Do you know if there is an option in the job script to tell it where to 
> > find  X509 credentials?
> >
> > I set X509_USER_PROXY to some location (eg., /tmp/x509_proxy_cred) that 
> > contains a certificate that is valid for 5mins. Then I submit a job 
> > (sleep 600) where I specify MyProxyHost, MyProxyCredentialName, and 
> > MyProxyPassword (prior to that I've done the myproxy-init, that now has 
> > a 7day valid proxy).  When I submit the job, I look in  
> > /tmp/Gridmanager.<username> and see that it take X509_USER_PROXY to be 
> > /tmp/x509up_u<uid>.  Unfortunately, there actually is a file 
> > /tmp/x509up_u<uid> that has a certificate that is used for something 
> > else and it's lifetime is longer than 5mins but I'm trying to test the 
> > renewal functionality therefore I'm trying to point Condor at a 
> > different set of credentials.
> >
> > Once again, any help would be appreciated.
> >
> > Also, here some other snippets from the log
> > .....
> > 4/13 11:41:50 [4745] MyProxy Refresh Threshold 240 (default)
> > 4/13 11:41:50 [4745] MyProxy New Proxy Lifetime 12 (default)
> > 4/13 11:41:50 [4745] Adding new MyProxy entry for proxy 
> > /tmp/x509up_u200008 : host=yoga.citi.umich.edu, cred name=condor
> > .....
> >
> > 4/13 11:44:46 [4745] Checking proxies
> > 4/13 11:44:46 [4745] About to RefreshProxyThruMyProxy() for 
> > /tmp/x509up_u200008
> > 4/13 11:44:46 [4745]  GetMyProxyPasswordFromSchedD 68, 0
> > 4/13 11:44:46 [4745] GRIDMANAGER_TIMEOUT_MULTIPLIER is undefined, using 
> > default value of 0
> > 4/13 11:44:46 [4745] This process has a valid certificate & key
> > 4/13 11:44:46 [4745] X509_USER_PROXY=/tmp/x509up_u200008
> > 4/13 11:44:46 [4745] Calling 
> > /usr/local/globus-4.0.1/bin/myproxy-get-delegation /tmp/x509up_u200008 
> > -v -o /tmp/x509up_u200008 -s yoga.citi.umich.edu -d -t 12 -S -l root -p 
> > -1 -k condor
> >
> >
> >
> > Emir Imamagic wrote:
> >
> >
> >
> >
> > > Hi,
> > >
> > > I've been using it for quite a while.
> > >
> > > - First you should create MyProxy wrapper script (e.g. 
> > > /usr/local/globus-4.0.1/libexec/myproxy-get-delegation.condor):
> > > #!/bin/sh
> > > export LD_LIBRARY_PATH=/usr/local/globus-4.0.1/lib
> > > /usr/local/globus-4.0.1/bin/myproxy-get-delegation $@
> > >
> > > and set MYPROXY_GET_DELEGATION option to that instead directly to binary 
> > > /usr/local/globus-4.0.1/bin/myproxy-get-delegation.
> > >
> > >
> > > - Create MyProxy certificate:
> > > myproxy-init -x -r "<CertSubjectLine>" -l root -k condor -s myproxy.host
> > >
> > >
> > > - Submit script should be similar to this one:
> > > executable=MyTest
> > > MyProxyHost     = myproxy.host:7512
> > > MyProxyCredentialName = condor
> > > MyProxyPassword = MyPa88word
> > > universe=grid
> > > grid_type=gt2
> > > log=condorG.log
> > > output=MyTest.out
> > > error=MyTest.err
> > > globusscheduler=mygrid.host
> > > queue
> > >
> > > - You can also set MyProxyRefreshThreshold option in submit script to a 
> > > large value in order to force Condor to refresh certificate straight 
> > > away and trace Gridmanager log (/tmp/Gridmanager.<username>) to see what 
> > > will happen.
> > >
> > > Hope this help,
> > > emir