Version 2 (modified by pjkersha, 10 years ago)


HOWTO for Script Based Download from ESGF Secured OPeNDAP Service

Secured services in the ESG Federation, such as OPeNDAP, support both OpenID and PKI based authentication. OpenID provides a convenient means for browser based access, but for script based access a PKI based solution is better suited. For this, a user obtains a short term authentication token which they can pass to their client programs or scripts to access secured services. The token is actually a key pair: a private key and an associated X.509 certificate. The certificate typically lasts a few hours before it expires. Users obtain a certificate from the MyProxy token service by passing their usual username/password. Once obtained, the certificate, along with the private key, can be used with programs like wget to make secured calls to the service to obtain data.

The steps shown below assume a Linux environment with wget installed. With some modification they should also work with Windows and Mac.

1) Obtaining Credentials from MyProxy

Two different client programs are described here:

  1. Java MyProxyLogon Webstart application
  2. Python MyProxyClient package

They are alternative means of performing the same task of getting credentials.

MyProxyLogon WebStart

Select this link to invoke the WebStart application. If this doesn't work, the application can be downloaded and run from a command line instead:

$ java -jar MyProxyLogon.jar

A window should appear when the program is run.

  1. Enter your usual username/password in the Username and Passphrase textboxes respectively.
  2. For the Hostname field enter, for CEDA's MyProxy service.
  3. Alter the Output field to read, <home directory>/.esg/credentials.pem where <home directory> is your home directory path e.g. /home/jbloggs
  4. Click on the tickbox to select Write trust roots
  5. Click the Logon button
  6. Copy CA files downloaded to the standard location for ESG:
    $ cp -r ~/.globus/certificates ~/.esg/

MyProxyClient Package

This package provides a command line script for obtaining credentials from a MyProxy server. To install,

$ sudo easy_install MyProxyClient

If you don't have sudo or admin access rights see [below] for alternative installation instructions.

Call the script

Give your usual CEDA / BADC username and when prompted enter your password.

$ ./bin/myproxyclient logon -s -b -C ~/.esg/certificates -o ~/.esg/credentials.pem -l <username>

Install without admin Privileges

This assumes a user who doesn't have root access.

  1. Make a new directory
    $ mkdir myproxy-env
    $ cd myproxy-env
  2. Get the bootstrap script (Tip: make sure your http_proxy environment variable is set up):
    $ wget
  3. Run the script installing the virtualenv package:
    $ export PYTHONPATH=. && python -d . virtualenv
  4. Make a new Virtual environment:
    $ ./virtualenv --no-site-packages .
  5. Install the MyProxyClient:
    $ ./bin/easy_install MyProxyClient
  6. Nb. To run the MyProxyClient script give the local path to the script:
    $ ./bin/myproxyclient

2) WGet Script

  1. Download the script
    $ wget
  2. Add execute permissions:
    $ chmod 755 ./
  3. Ensure you have credentials (following the steps in 1) above).
  4. Run the script:
    $ /

Nb. The script has many different options which can be set via command line switches or environment variables. Use the help option to check:

$ / -h
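
A pre-flight check that can be run before the download step, given here as an added example rather than code from this page or from the ESGF wget script: it confirms the credential file is private to the user, holds both a certificate and a private key, and has not expired, then makes a plain wget call with it. The function names, return codes and the 300-second margin are assumptions of this example; the paths are the ones used in the steps above.

```shell
#!/bin/sh
# Added example, not part of the ESGF download script.
# Return codes are constructed for this example:
#   0 usable, 1 file missing, 2 accessible to group/other,
#   3 key or certificate block absent, 4 expired, expiring soon or unreadable
check_esg_credentials() {
    _cred="${1:-$HOME/.esg/credentials.pem}"
    _min_left="${2:-300}"   # seconds of validity still required (assumed default)

    [ -f "$_cred" ] || { echo "no credential file: $_cred" >&2; return 1; }

    # The file contains the private key, so group and other must have no access.
    _perms=$(ls -Lld "$_cred" | cut -c5-10)
    if [ "$_perms" != "------" ]; then
        echo "$_cred is accessible to other users; run: chmod 600 $_cred" >&2
        return 2
    fi

    # The MyProxy output file holds the certificate and the private key together.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$_cred" &&
        grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$_cred" ||
        { echo "$_cred lacks a certificate or private key block" >&2; return 3; }

    # -checkend N exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$_cred" -noout -checkend "$_min_left" >/dev/null 2>&1; then
        echo "certificate expired, expiring soon or unreadable; log on to MyProxy again" >&2
        return 4
    fi
    return 0
}

# Plain wget call that presents the credential as a TLS client certificate and
# validates the server against the trust roots copied to ~/.esg/certificates.
esg_wget() {
    _url="$1"
    _file="${2:-$HOME/.esg/credentials.pem}"
    check_esg_credentials "$_file" || return $?
    wget --certificate="$_file" --private-key="$_file" \
         --ca-directory="$HOME/.esg/certificates" "$_url"
}
```

A return code of 4 means the short-lived certificate needs renewing by repeating step 1; the download script itself may set further wget options that this plain call does not.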