#!/bin/sh # Script to refresh the a proxy with VO attributes - Marco Mambelli marco@hep.uchicago.edu # make-proxy [--no-voms-proxy] # --no-voms-proxy creates only a grid proxy from the certificates (2a below), no VOMS proxy command is run # TO RUN THE SCRIPT # 0. Save this script and make sure that it is executable # 1. Personalize the script by filling correctly the variables below # 2a. If you provide CERT_FILE and KEY_FILE these will be used to generate the base-proxy # make sure that ownership and permissions are correct # and there is no need for 2b # 2b. Generate the base-proxy (user-proxy) with something like # (where IN_NAME="/full_path_to_base_proxy"): # As owner of the certificate used to generate the base proxy: # grid-proxy-init -valid 8800:0 -out /full_path_to_base_proxy -old # Then ss root: # chown user_that_owns_vo_proxy /full_path_to_base_proxy # chmod 0600 /full_path_to_base_proxy # Remember that the proxy needs to be renewed once a year (you will receive an email) # 3. Add a Cron entry like # 10 * * * * /full_path_to_script_make-proxy # A cron entry like # 10 * * * * . /share/wlcg-client/setup.sh; voms-proxy-init -valid 48:0 -voms voms_option -key $HOME/.globus/base_proxy -cert $HOME/.globus/base_proxy -out my_proxy_with_atlas_voms_attribute >/dev/null 2>&1 # will provide similar results but not send the warning emails like this script #### VARIABLES to PERSONALIZE # Setup file, if needed (not needed if the Grid sw is installed via RPM) SETUP_FILE="" # If you are using a certificate/key pair (2a) instead of a proxy then define CERT_FILE & KEY_FILE # If both these file exist then the proxy will use these. If even one is missing, then it will use the base proxy (IN_NAME) CERT_FILE="/var/lib/gwms-frontend/hostcert.pem" KEY_FILE="/var/lib/gwms-frontend/hostkey.pem" # base-proxy (user-proxy) IN_NAME="/var/lib/gwms-frontend/frontend_base_proxy" # provy with VO attributes used by the application OUT_NAME="/tmp/vofe_proxy" # These emails (OWNER_EMAIL, CC_EMAIL) will receive a message if the base-proxy is missing, expired os about to expire # E.g. You can send th email to the owner and add a support mailing list in CC (this may be empty) OWNER_EMAIL="name@uchicago.edu" CC_EMAIL="" # Proxy description used in the email sent when the proxy is missing, expired os about to expire PROXY_DESCRIPTION="VO Fronted on HOSTNAME" # Extra options for grid-proxy-init "-old" is necessary to avoid mixed voms proxies that will fail GSI authentication in HTCondor GPI_EXTRA_OPTIONS="-old" # These 2 parameters are ignored if --no-voms-proxy is passed on the command line # The VO option for the proxy, usually "voname:/voname". Leave blank if no VO membership is required VOMS_OPTION="" # These are extra options for the voms-proxy-init command, normally leave as it is VOMS_EXTRA_OPTION="-dont-verify-ac" ##### PARAMETERS # _TIME - requested duration of the proxy # _VERTIME - trigger an error if the proxy has a lifespan shorter than this VOMS_ACTION= PROXY_TIME="500:0" PROXY_VERTIME="150:0" VOMS_PROXY_TIME="50:0" if [ "x$1" == "x--no-voms-proxy" ]; then VOMS_ACTION="novoms" PROXY_TIME="50:0" PROXY_VERTIME="24:0" fi ##### SCRIPT EMAIL_MESSAGE=" Generate the base-proxy used by $PROXY_DESCRIPTION by doing the following. As owner of the certificate used to generate the base proxy: grid-proxy-init -valid 8800:0 -out /tmp/tmp_proxy -old Then as root: cp /tmp/tmp_proxy $IN_NAME chown $USER $IN_NAME chmod 0600 $IN_NAME rm /tmp/tmp_proxy" CC_EMAIL_OPTION="" if [[ ! "x$CC_EMAIL" == "x" ]] then CC_EMAIL_OPTION="-c $CC_EMAIL" fi VOMS_OPTION_STRING="" if [[ ! "x$VOMS_OPTION" == "x" ]] then VOMS_OPTION_STRING="-voms $VOMS_OPTION" fi if [[ ! -z $SETUP_FILE && -f $SETUP_FILE ]] then source $SETUP_FILE fi NEW_CERT_MESSAGE="" if [[ ! -z $CERT_FILE && ! -z $KEY_FILE && -f $CERT_FILE && -f $KEY_FILE ]] then NEW_CERT_MESSAGE="Th proxy was generated from the certificate $CERT_FILE and key $KEY_FILE." grid-proxy-init -valid $PROXY_TIME -key $KEY_FILE -cert $CERT_FILE -out $IN_NAME $GPI_EXTRA_OPTIONS >/dev/null 2>&1 if [ $? -ne 0 ]; then echo -e "The generation of the proxy file $IN_NAME for $PROXY_DESCRIPTION failed.\n Please login on `hostname` and check the certificate $CERT_FILE and key $KEY_FILE. As $USER run manually:\ngrid-proxy-init -valid $PROXY_TIME -key $KEY_FILE -cert $CERT_FILE -out $IN_NAME" | mail -s "$PROXY_DESCRIPTION proxy error due to certificates." $OWNER_EMAIL $CC_EMAIL_OPTION exit 0 fi fi if [ -f $IN_NAME ]; then grid-proxy-info -exists -valid $PROXY_VERTIME -file $IN_NAME if [ $? -ne 0 ]; then echo "The proxy file $IN_NAME for $PROXY_DESCRIPTION has or will expire soon. $NEW_CERT_MESSAGE $EMAIL_MESSAGE" | mail -s "$PROXY_DESCRIPTION proxy has or will expire soon." $OWNER_EMAIL $CC_EMAIL_OPTION fi else echo "The proxy file $IN_NAME for $PROXY_DESCRIPTION is missing. $NEW_CERT_MESSAGE $EMAIL_MESSAGE" | mail -s "Missing $PROXY_DESCRIPTION proxy" $OWNER_EMAIL $CC_EMAIL_OPTION fi # Exit if no VOMS proxy is required if [ "x$VOMS_ACTION" == "xnovoms" ]; then cp $IN_NAME $OUT_NAME chmod 600 $OUT_NAME exit 0 fi voms-proxy-init -valid $VOMS_PROXY_TIME -key $IN_NAME -cert $IN_NAME $VOMS_OPTION_STRING -out $OUT_NAME $VOMS_EXTRA_OPTION >/dev/null 2>&1 if [ $? -ne 0 ]; then echo -e "The proxy file $IN_NAME seems OK but voms-proxy-init is failing. $NEW_CERT_MESSAGE\nPlease login on `hostname` and as $USER run manually:\nvoms-proxy-init -valid $VOMS_PROXY_TIME -key $IN_NAME -cert $IN_NAME $VOMS_OPTION_STRING -out $OUT_NAME $VOMS_EXTRA_OPTION" | mail -s "$PROXY_DESCRIPTION proxy renewal broken." $OWNER_EMAIL $CC_EMAIL_OPTION fi