Closed ickc closed 9 months ago
A VOMS proxy consists of a grid proxy and a VOMS AC (attribute certificate) that is added to the grid proxy as an extension. Both have their own expiration date, which you can check by running voms-proxy-info --all.
The --voms-life option sets the lifetime of the AC, but not of the proxy, which defaults to 12 hours. The AC can't be used without a valid proxy; extending it beyond the lifetime of the proxy isn't going to work.
Don't use --voms-life, use --valid <h:m> instead to set the lifetime of both, the proxy and the AC, to the same value.
Proxies should be short-lived. Long-lived proxies can become a security risk as they cannot be revoked.
If a proxy is compromised, the user certificate has to be revoked instead.
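The comparison of the two lifetimes described in the answer above, as an added example that is not part of the original thread: it reads the text printed by voms-proxy-info --all, takes the first timeleft line as the proxy's and the one under the VO extension header as the AC's, and reports the shorter of the two as the usable lifetime. The sample output, the function names and the max-lifetime argument are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare proxy and AC lifetimes from `voms-proxy-info --all`.

# Constructed sample output (not from the thread): 12 h proxy, 24 h AC.
SAMPLE='subject   : /DC=org/DC=example/CN=Jane Doe/CN=1234567890
issuer    : /DC=org/DC=example/CN=Jane Doe
type      : RFC3820 compliant impersonation proxy
path      : /tmp/x509up_u1000
timeleft  : 11:59:53
=== VO example.vo extension information ===
VO        : example.vo
attribute : /example.vo/Role=NULL/Capability=NULL
timeleft  : 23:59:53
uri       : voms.example.org:15000'

# H:M:S -> seconds
to_seconds() { echo "$1" | awk -F: '{ print $1 * 3600 + $2 * 60 + $3 }'; }

# First "timeleft" before the VO header is the proxy's.
proxy_timeleft() { awk '/^=== VO /{exit} /^timeleft/{print $NF; exit}'; }

# First "timeleft" after the VO header is the AC's.
ac_timeleft() { awk '/^=== VO /{in_ac=1} in_ac && /^timeleft/{print $NF; exit}'; }

# check_lifetimes <voms-proxy-info text> [max proxy seconds]
# max is a hypothetical local policy limit; default 43200 s (12 h).
check_lifetimes() {
    max=${2:-43200}
    p=$(to_seconds "$(printf '%s\n' "$1" | proxy_timeleft)")
    a=$(to_seconds "$(printf '%s\n' "$1" | ac_timeleft)")
    # The AC is unusable without a valid proxy, so the shorter one wins.
    if [ "$a" -lt "$p" ]; then usable=$a; else usable=$p; fi
    if [ "$a" -gt "$p" ]; then verdict=AC_OUTLIVES_PROXY
    elif [ "$p" -gt "$max" ]; then verdict=PROXY_TOO_LONG
    else verdict=OK; fi
    echo "$verdict proxy=${p}s ac=${a}s usable=${usable}s"
}

check_lifetimes "$SAMPLE"
```

Against a live proxy, pass the tool's output as the first argument: check_lifetimes "$(voms-proxy-info --all)".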
Thanks!
The official documentation is misleading: VOMS Client Guide. So is the stdout/stderr above. It seems they make it impossible to read through the documentation and know what's going on. At this page, https://italiangrid.github.io/voms/documentation.html, they have 3 different guides and 7 different versions without any description on how to navigate it.
We plan to release our own documentation in https://souk-data-centre.readthedocs.io/en/latest/user/pipeline/4-IO/1-grid-storage-system/ and https://souk-data-centre.readthedocs.io/en/latest/user/pipeline/4-IO/1-grid-storage-system-2/. Could you take a quick look if there's anything inaccurate or worth expanding there?
Also, is there other, better documentation out there? Processes like this must have been done a million times and I imagine someone must have documented it for end users already?
Hi, @rwf14f,
MWE, running on vm77:
Explanation: date command is run immediately after that. From that we can deduce the time is actually only 43200 seconds (12 hours).
When running instead
i.e. requesting 1 hour also resulted in 12 hours.