Verifying ICE's proxy renewal

This page will guide you through the path of verification of ICE's proxy renewal mechanism.


  • EMI1 WMS Installed and configured with high ICE's proxy renewal frequency (parameter proxy_renewal_frequency = 120 in glite_wms.conf)
  • Install the voms-clients package on WMS machine in order to be able to quickly inspect proxy lifetime without using long openssl commands
  • A JDL with valorized attribute MyProxyServer (choose your preferred myproxy server) and a sleep of some minute as executable
  • Your credentials registered on the same myproxy server specified in the JDL (use the command: myproxy-init -s -d -C ~/.globus/usercert.pem -y ~/.globus/userkey.pem --voms -A -n)


Log as root into the WMS machine; make sure ICE is running and change directory to /var/ice/persist_dir. Make sure there is not any proxy file in the current directory (a proxy file held by ICE has a name like this: 02DCBA19CA35649ED9E8626E56AF6406D6448863.betterproxy). If some file is present, it is better you scratch ICE by stopping it (/etc/init.d/glite-wms-ice stop), removing everything from the directory /var/ice/persist_dir and restart ICE (/etc/init.d/glite-wms-ice start).

Swith to the UI console and create a voms proxy lasting 30 minutes with the command: voms-proxy-init -voms -valid 00:30. Then submit your JDL to the WMS. Switch to the console connected to the WMS machine. A proxy file should be present now (or in few seconds) in the current directory (/var/ice/persist_dir). You can verify its validity with the command voms-proxy-info -all -file proxyfile. The validity should be few less than 30 minutes. If the validity is about 12 hours, it means that your credentials have been previously registered in the proxy renewal daemon running in the WMS machine. In this case you have to switch off the proxy renewal daemon (/etc/init.d/glite-proxy-renewald stop), remove any proxy file from its cache directory (\rm /var/glite/spool/glite-renewd/*) and restart it (/etc/init.d/glite-proxy-renewald start) and repeat everything since the ICE's scratch. Then recreate a 30 minutes voms proxy and submit your JDL again. Just after verification of the proxy lifetime (that must be about 30 minutes), execute the command

tail -f /var/log/wms/ice.log|grep DelegationRenewal

At a certain point you will have to see a log message like this...

2012-07-05 15:34:05,048 DEBUG - iceCommandDelegationRenewal::renewAllDelegations() - Command output is [/var/ice/persist_dir/02DCBA19CA35649ED9E8626E56AF6406D6448863.betterproxy.voms.D3sBb2
2012-07-05 15:34:05,048 DEBUG - iceCommandDelegationRenewal::renewAllDelegations() - Proxy renewal successful for DN=[/C=IT/O=INFN/OU=Personal Certificate/L=Padova/CN=Alvise Dorigo-/dteam/Role=NULL/Capability=NULL] MyProxyURL=[]: new proxy is [/var/ice/persist_dir/02DCBA19CA35649ED9E8626E56AF6406D6448863.betterproxy.renewed]. It will overwrite the better one...

Kill the tail and check again the proxy file held by ICE in its directory /var/ice/persist_dir; now the timelft shoud be about 12 hours.

-- AlviseDorigo - 2012-07-05

Edit | Attach | PDF | History: r3 < r2 < r1 | Backlinks | Raw View | More topic actions
Topic revision: r3 - 2012-07-10 - AlviseDorigo

This site is powered by the TWiki collaboration platformCopyright © 2008-2024 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback