Version 15 (modified by pjkersha, 10 years ago) (diff)



The MyProxyClient Python package has been developed as part of development activities for the  NERC DataGrid Security system. This work has been supported over the past year (2007-2008) by  OMII-UK.

The implementation is based on the  myproxy_logon script developed by Tom Uram of ANL. Rather than binding to the  MyProxy C libraries, it uses the M2Crypto Python OpenSSL library wrapper to make calls to a MyProxy server following the  MyProxy protocol.


1.2.0 30 Sept 2010

  • important fix for SSL peer verification. Verify callback for OpenSSL.SSL.Context.set_verify was not enforcing the pre-verify OK code passed to it. This means that when a DN was set as accepted it would ignore any possible error caused in verification of the server certs CA certificate chain.
  • added myproxyclient console script contributed by Stephen Pascoe.

1.1.0 2 June 2010

  • added bootstrap capability to initialise client CA certificate set-up to trust the server's SSL certificate.

1.0 26 April 2010

  • This version includes a new method getTrustRoots to support the ability to download the CA certificates for a given MyProxy server (command=7 - see:
  • 1.0 switches from M2Crypto to PyOpenSSL for its OpenSSL wrapper.
  • A put method is included as a stub only. Unfortunately, the PyOpenSSL X.509 Extensions interface doesn't support the proxyCertInfo extension type needed for creating proxy certificates.


MyProxyClient is available from PyPI:

$ easy_install MyProxyClient



Retrieve credentials from a MyProxy server running at myproxy.localhost on the default port:

>>> from myproxy.client import MyProxyClient
>>> myproxy = MyProxyClient(hostname='myproxy.localhost')
>>> credentials = myproxy.logon('myusername', 'mypassword', bootstrap=True)

credentials is a tuple containing certificate(s) and private key as strings. The bootstrap flag bootstraps the trust roots for the server downloading the CA certificate(s) to ~/.globus/certificates.

Console Script

The script follows a similar form to the myproxy-* executables included with the MyProxy? C distribution:

$ myproxyclient -h
Usage: myproxyclient [command] [options]

  logon        Retrieve credentials from a MyProxy service

  -h, --help            show this help message and exit
                        Set the file to store the retrieved creentials. If not
                        specified credentials will be stored in
                        X509_USER_PROXY environment variable.  To write the
                        credential tostdout use -o -.
  -C CADIR, --cadir=CADIR
                        Set location of trusted certificates.  By default this
                        is the X509_CERT_DIR  environment variable or
                        ~/.globus/certificates or /etc/grid-security.
  -s HOSTNAME, --pshost=HOSTNAME
                        Set hostname of myproxy server
  -p PORT, --psport=PORT
                        Set port of myproxy server
  -t PROXY_LIFETIME, --proxy_lifetime=PROXY_LIFETIME
                        Set proxy certificate Lifetime (hours)
  -S, --stdin_pass      Read the password directly from stdin
  -b, --bootstrap       Download trusted CA certificates
  -T, --trustroots      Update trustroots
  -l USERNAME, --username=USERNAME
                        Set username

Logon call:

$ myproxyclient logon -s -o ~/creds.pem

Only the logon command is currently supported for this console script. Other commands may be added in future releases.


epydoc generated  documentation is available at the Python package site.

SubVersion Repository


NDG3: Capability?, Discovery?, Vocab?, Software?, MOLES?, Security?, Community?, Roadmap?, Management?