XSEDE Software Discovery

MyProxy is open source software for managing X.509 Public Key Infrastructure (PKI) security credentials (certificates and private keys). MyProxy combines an online credential repository with an online certificate authority to allow users to securely obtain credentials when and where needed. Users run myproxy-logon to authenticate and obtain credentials, including trusted CA certificates and Certificate Revocation Lists (CRLs).

Storing credentials in a MyProxy repository allows users to easily obtain RFC 3820 proxy credentials, without worrying about managing private key and certificate files. They can use MyProxy to delegate credentials to services acting on their behalf (like a grid portal) by storing credentials in the MyProxy repository and sending the MyProxy passphrase to the service. They can also use MyProxy to renew their credentials, so, for example, long-running jobs don't fail because of expired credentials. A professionally managed MyProxy server can provide a more secure storage location for private keys than typical end-user systems. MyProxy can be configured to encrypt all private keys in the repository with user-chosen passphrases, with server-enforced policies for passphrase quality. By using a proxy credential delegation protocol, MyProxy allows users to obtain proxy credentials when needed without ever transferring private keys over the network.

For users that don't already have PKI credentials, the MyProxy Certificate Authority (CA) provides a convenient method for obtaining them. The MyProxy CA issues short-lived session credentials to authenticated users. The repository and CA functionality can be combined in one service or can be used separately.

MyProxy provides a set of flexible authentication and authorization mechanisms for controlling access to credentials. Server-wide policies allow the MyProxy administrator to control how credentials may be used. Per-credential policies provide additional controls for credential owners. MyProxy supports multiple authentication mechanisms, including passphrase, certificate, Kerberos, OAuth, SAML, OpenID, Pubcookie, VOMS, PAM, LDAP, RADIUS, SASL, Moonshot, and One Time Passwords (OTP).

• Vendor Software URL: http://grid.ncsa.illinois.edu/myproxy/oauth/

CILogon is an InCommon service provider, part of the XSEDE architecture, that provides a proxy service from SAML to OIDC and X.509, allowing XSEDE users to log on with their campus identities to access X.509-based services (like GridFTP) and OIDC-based services (like Globus).

• Vendor Software URL: https://github.com/cilogon

OAuth for MyProxy provides an OAuth-compliant REST web interface to the MyProxy service for providing user certificates to science gateways. It eliminates the need for users to disclose their MyProxy passwords to science gateways. Instead, gateway users authenticate to their MyProxy server's OAuth web interface to approve issuance of a certificate by MyProxy to the science gateway they are using.

• Vendor Software URL: http://grid.ncsa.illinois.edu/myproxy/oauth/

Globus Toolkit GSI OpenSSH login service

• Vendor Software URL: http://grid.ncsa.illinois.edu/ssh/

Interactive GridFTP client

• Vendor Software URL: https://github.com/JasonAlt/UberFTP