myproxy-server.config(5)            MyProxy            myproxy-server.config(5)

myproxy-server.config - myproxy-server configuration file

The myproxy-server.config file sets the policy for the myproxy-server(8),
specifying what credentials may be stored in the server's repository, who
is authorized to retrieve credentials, and other configurable server
behaviors. By default, the myproxy-server(8) looks for this file in
/etc/myproxy-server.config and, if it is not found there, in
$GLOBUS_LOCATION/etc/myproxy-server.config. A template is provided at
$GLOBUS_LOCATION/share/myproxy/myproxy-server.config. The myproxy-server
-c option can be used to specify an alternative location.

The following lines in the configuration file use limited regular
expressions for matching the distinguished names (DNs) of classes of
users. The limited regular expressions support the shell-style characters
'*' and '?', where '*' matches any number (zero or more) of characters and
'?' matches any single (zero or one) character. The DN limited regexes
should be delimited with double quotes (“DN regex”). Internally MyProxy
uses the POSIX Extended Regular Expression matching facilities where
available. Hence, if any one of the metacharacters “. [ ] ( ) { } ^ $ + |”
is used without being escaped with a '\', it is automatically escaped by
MyProxy to prevent it from being interpreted as an extended regular
expression metacharacter. The user can also explicitly escape a
metacharacter by immediately preceding it with an unescaped escape
character '\'. A '\' can also be explicitly escaped by an immediately
preceding unescaped escape character. For example, the metacharacter '|'
in “\\|” would be automatically escaped, giving “\\\|”, because the second
'\' is considered escaped by the first '\'. However, the metacharacter '|'
in “\\\|” would NOT be automatically escaped, since the third '\' is
considered to have explicitly escaped '|'.

accepted_credentials “DN regex”
       Each of these lines allows any client whose DN matches the given
       limited regex to connect to the myproxy-server and store credentials
       with it for future retrieval. Any number of these lines may appear.
       For backwards compatibility, these lines can also start with
       allowed_clients instead of accepted_credentials. If no
       accepted_credentials lines are specified, the server will not allow
       any clients to store credentials.

authorized_retrievers “DN regex”
       Each of these lines allows the server administrator to set
       server-wide policies for credential retrievers. If the client DN does
       not match the given limited regex, the client is not allowed to
       retrieve credentials from the server. In addition to the server-wide
       policy, myproxy also supports a per-credential policy: the user can
       specify the regex DN of the allowed retrievers of the credential when
       uploading it (using myproxy-init(1) or myproxy-store(1)). The
       retrieval client DN must also match the user-specified regex. In
       order to retrieve credentials, the client also needs to know the name
       and passphrase provided by the client when the credentials were
       stored. Any number of these lines may appear. For backwards
       compatibility, these lines can also start with allowed_services
       instead of authorized_retrievers. If no authorized_retrievers lines
       are specified, the server will not allow any clients to retrieve
       credentials.

default_retrievers “DN regex”
       Each of these lines allows the server administrator to set
       server-wide default policies. The regex specifies the clients who can
       access the credentials. The default retriever policy is enforced if a
       per-credential policy is not specified on upload (using
       myproxy-init(1) or myproxy-store(1)). In other words, the client can
       override this policy for a credential on upload. The per-credential
       policy is enforced in addition to the server-wide policy specified by
       the authorized_retrievers line (which clients can not override). Any
       number of these lines may be present. For backwards compatibility, if
       no default_retrievers line is specified, the default policy is "*",
       which allows any client to pass the per-credential policy check. (The
       client must still pass the authorized_retrievers check.)
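As an added example (not MyProxy's own code) covering both the limited-regex
rules above and the layering of the authorized_retrievers, per-credential and
default_retrievers checks, the following Python translates a limited regex
into an extended regular expression and evaluates a retrieval request against
a constructed configuration. The DNs, the "#"-comment handling and full-DN
matching are assumptions of this example, not statements of the man page.

```python
"""Limited-regex translation and retriever-policy layering as described in
myproxy-server.config(5).  Added example; not code from MyProxy itself."""
import re

# Metacharacters that myproxy-server.config(5) says are auto-escaped when
# they appear unescaped in a limited regex.
ERE_METACHARS = set('.[](){}^$+|')
# Characters that keep their backslash when the user escaped them explicitly.
KEEP_ESCAPE = ERE_METACHARS | {'\\', '*', '?'}


def limited_regex_to_ere(pattern: str) -> str:
    """Translate a MyProxy limited regex into an extended regular expression.

    '*' becomes '.*', '?' becomes '.?', and any other metacharacter that is
    not already escaped by an unescaped '\\' gets a '\\' prepended.  A '\\'
    preceded by an unescaped '\\' is a literal backslash.
    """
    out = []
    escaped = False
    for ch in pattern:
        if escaped:
            # Explicitly escaped by the user: pass it through unchanged when
            # it is a metacharacter (so no second '\\' is added).  Escapes of
            # ordinary characters are not defined by the man page; this
            # example (assumption) emits the bare character.
            out.append('\\' + ch if ch in KEEP_ESCAPE else ch)
            escaped = False
        elif ch == '\\':
            escaped = True
        elif ch == '*':
            out.append('.*')
        elif ch == '?':
            out.append('.?')
        elif ch in ERE_METACHARS:
            out.append('\\' + ch)      # auto-escape, e.g. '.' in a hostname
        else:
            out.append(ch)
    if escaped:
        out.append('\\\\')             # trailing lone '\': literal (assumption)
    return ''.join(out)


def dn_matches(pattern: str, dn: str) -> bool:
    """True if the whole DN matches the limited regex.  Assumption: MyProxy
    matches the full DN; Python's re agrees with POSIX ERE for the
    constructs emitted above ('.*', '.?' and backslash escapes)."""
    return re.fullmatch(limited_regex_to_ere(pattern), dn) is not None


# Aliases the man page keeps for backwards compatibility.
ALIASES = {'allowed_clients': 'accepted_credentials',
           'allowed_services': 'authorized_retrievers'}


def parse_policies(config_text: str) -> dict:
    """Collect the double-quoted DN regexes for each policy keyword.
    Lines starting with '#' are skipped (assumption about the file format)."""
    policies = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split(None, 1)
        key = ALIASES.get(parts[0], parts[0])
        values = re.findall(r'"([^"]*)"', parts[1]) if len(parts) > 1 else []
        policies.setdefault(key, []).extend(values)
    return policies


def retrieval_allowed(policies: dict, client_dn: str, per_cred_policy=None) -> bool:
    """Layer the checks the man page describes for a credential retrieval:
    the server-wide authorized_retrievers policy must match (clients cannot
    override it); then the per-credential policy set on upload, or
    default_retrievers when none was set (default "*"), must match too."""
    server_wide = policies.get('authorized_retrievers', [])
    if not any(dn_matches(p, client_dn) for p in server_wide):
        return False   # no authorized_retrievers lines => nobody may retrieve
    cred_policy = per_cred_policy or policies.get('default_retrievers') or ['*']
    return any(dn_matches(p, client_dn) for p in cred_policy)


# Constructed sample configuration; the DNs are made up for this example.
SAMPLE_CONFIG = """
# server-wide policies (constructed sample)
accepted_credentials  "/C=US/O=Example/CN=*"
authorized_retrievers "/C=US/O=Example/CN=portal.example.org"
allowed_services      "/C=US/O=Example/CN=batch?"
default_retrievers    "/C=US/O=Example/CN=portal.*"
"""

if __name__ == '__main__':
    pol = parse_policies(SAMPLE_CONFIG)
    for dn in ('/C=US/O=Example/CN=portal.example.org',
               '/C=US/O=Example/CN=portalXexample.org',   # '.' is literal
               '/C=US/O=Example/CN=batch1'):              # fails default_retrievers
        print(dn, retrieval_allowed(pol, dn))
```

Note that the batch client passes authorized_retrievers but is rejected by the default_retrievers policy unless the credential was uploaded with a per-credential policy that admits it.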

authorized_renewers “DN regex”
       Each of these lines allows the server administrator to set
       server-wide policies for authorized renewers. If the client DN does
       not match the given limited regex, the client is not allowed to renew
       the credentials previously stored by a client. See
       allow_self_authorization below for a further restriction on this
       policy. In addition to the server-wide policy, myproxy also supports
       a per-credential policy: the user can specify the regex DN of the
       allowed renewers of the credential on upload (using myproxy-init(1)).
       The renewal client DN must match both this regex and the
       user-specified regex. In this case, the client must also already have
       a credential with a DN matching the DN of the credentials to be
       retrieved, to be used in a second authorization step (see the -a
       options for myproxy-logon(1) and myproxy-retrieve(1)).

default_renewers “DN regex”
       Each of these lines allows the server administrator to set
       server-wide default renewer policies. The regex specifies the clients
       who can renew the credentials. The default renewer policy is enforced
       if a per-credential policy is not specified on upload (using
       myproxy-init(1)). This is enforced in addition to the server-wide
       policy specified by the authorized_renewers line. Any number of these
       lines may appear. For backwards compatibility, if no default_renewers
       line is specified, the default policy is "*", which allows any client
       to pass the per-credential policy check. (The client must still pass
       the authorized_renewers check.)

authorized_key_retrievers “DN regex”
       This policy controls who can retrieve credentials (certificates and
       keys) directly from the repository using myproxy-retrieve(1). Clients
       must also match the authorized_retrievers policy. If no
       authorized_key_retrievers lines are specified, the server will not
       allow any clients to retrieve keys directly from the repository.

default_key_retrievers “DN regex”
       This policy applies if a per-credential policy is not specified on
       upload (using myproxy-init(1) or myproxy-store(1)). In other words,
       the client can override this policy for a credential on upload. The
       per-credential policy is enforced in addition to the server-wide
       policy specified by the authorized_key_retrievers line (which clients
       can not override). Any number of these lines may be present. If no
       default_key_retrievers line is specified, the default policy is "*",
       which allows any client to pass the per-credential policy check. (The
       client must still pass the authorized_key_retrievers check.)

trusted_retrievers “DN regex”
       This policy controls who can retrieve credentials without further
       authentication. By default, clients that match authorized_retrievers
       must perform additional authentication (such as passphrase, PAM, or
       SASL) to retrieve credentials. However, authenticated clients that
       match both authorized_retrievers and trusted_retrievers do not need
       to perform additional authentication, unless the credentials are
       protected by a passphrase, in which case the passphrase is still
       required. Note: The myproxy-server(8) will fail on startup or
       reconfig with an "unsafe policy" error if a policy of
       trusted_retrievers “*” is specified without also specifying a
       restrictive default_trusted_retrievers policy, to avoid an unsafe
       policy that would release credentials to all clients without
       additional authentication. See also allow_self_authorization below
       for a further restriction on this policy.

default_trusted_retrievers “DN regex”
       If a user doesn't set a trusted retrieval policy with the credential
       on upload (via 'myproxy-init -Z'), the myproxy-server(8) will apply
       this policy in addition to the trusted_retrievers policy. If no
       default_trusted_retrievers policy is set, then only the
       trusted_retrievers policy is applied.

The following lines in the configuration file set other server options.

passphrase_policy_program full-path-to-script
       This line specifies a program to run whenever a passphrase is set or
       changed, for implementing a local password policy. The program is
       passed the new passphrase via stdin and is passed the following
       arguments: username, distinguished name, credential name (if any),
       per-credential retriever policy (if any), and per-credential renewal
       policy (if any). If the passphrase is acceptable, the program should
       exit with status 0. Otherwise, it should exit with non-zero status,
       causing the operation in progress (credential load, passphrase
       change) to fail with the error message provided by the program's
       stdout. Note: You must specify the full path to the external program.
       $GLOBUS_LOCATION can't be used in the myproxy-server.config file. A
       sample program is installed in
       $GLOBUS_LOCATION/share/myproxy/myproxy-passphrase-policy but is not
       enabled by default.

       Be sure to follow secure coding practices for this call-out:
       - Don't allow input to overflow fixed-size buffers.
       - Don't pass unchecked input to a shell command.
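An added example of a passphrase_policy_program call-out that follows the
stdin, argument and exit-status contract described above. It is not the sample
program shipped with MyProxy, and the rules it enforces (minimum length,
character classes, no username or DN component inside the passphrase) are
this example's assumptions about a local policy.

```python
#!/usr/bin/env python3
"""Example passphrase_policy_program for myproxy-server.config(5).

Contract from the man page: the new passphrase arrives on stdin; the
arguments are username, distinguished name, credential name, per-credential
retriever policy and per-credential renewal policy (the last three may be
absent).  Exit 0 to accept; exit non-zero with the reason on stdout to
reject.  Added example, not MyProxy's shipped sample.  The policy rules
below are assumptions, not MyProxy defaults."""
import sys

MIN_LENGTH = 12   # assumed local policy, not a MyProxy default


def passphrase_problems(passphrase: str, username: str, dn: str) -> list:
    """Return the list of policy violations (an empty list means acceptable)."""
    problems = []
    pw = passphrase.rstrip('\r\n')      # stdin may carry a trailing newline
    if len(pw) < MIN_LENGTH:
        problems.append(f'passphrase must be at least {MIN_LENGTH} characters')
    classes = sum([any(c.islower() for c in pw),
                   any(c.isupper() for c in pw),
                   any(c.isdigit() for c in pw),
                   any(not c.isalnum() for c in pw)])
    if classes < 3:
        problems.append('passphrase must mix at least three of: '
                        'lower, upper, digit, symbol')
    low = pw.lower()
    if username and username.lower() in low:
        problems.append('passphrase must not contain the username')
    # Reject a DN component value (e.g. the CN) reused inside the passphrase.
    for component in dn.split('/'):
        _, _, value = component.partition('=')
        if len(value) >= 4 and value.lower() in low:
            problems.append(f'passphrase must not contain the DN component "{value}"')
            break
    return problems


def main(argv: list) -> int:
    """argv: username, DN, [credential name], [retriever policy], [renewal policy]."""
    if len(argv) < 2:
        print('passphrase policy: missing username or DN argument')
        return 2
    username, dn = argv[0], argv[1]
    # The passphrase is read from stdin, never taken from the command line,
    # and is never handed to a shell.
    passphrase = sys.stdin.read()
    problems = passphrase_problems(passphrase, username, dn)
    if problems:
        print('; '.join(problems))   # stdout text becomes the client-visible error
        return 1
    return 0


if __name__ == '__main__':
    sys.exit(main(sys.argv[1:]))
```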

cert_dir full-path-to-certificates-directory
       Specifies the path to the CA certificates directory to be returned to
       clients requesting trust roots (such as via the myproxy-logon(1) -T
       option). Defaults to /etc/grid-security/certificates.

max_proxy_lifetime hours
       This line specifies a server-wide maximum lifetime for retrieved
       proxy credentials. By default, no server-wide maximum is enforced.
       However, if this option is specified, the server will limit the
       lifetime of any retrieved proxy credentials to the value given.

max_cred_lifetime hours
       This line specifies a server-wide maximum lifetime for stored
       credentials. By default, no server-wide maximum is enforced. However,
       if this option is specified, the server will limit the lifetime of
       any stored credentials to the value given.

ignore_globus_limited_proxy_flag boolean
       By default, MyProxy will respect the policy of "limited" proxy
       certificates as follows. If a client authenticates with a limited
       proxy, the client should only be able to obtain another limited
       proxy, not a full proxy or end entity certificate. Thus, the MyProxy
       CA will not accept limited proxies for authentication. However, if
       this option is set to true, MyProxy will treat limited proxy
       certificates as if they were full proxy certificates.

allow_self_authorization boolean
       By default, MyProxy will disallow trusted_retrievers and
       authorized_renewers whose DN matches the identity of the stored
       credential, so a proxy by itself can not be refreshed or renewed.
       However, if this option is set to true, this restriction is lifted.

syslog_ident name
       You can optionally specify the string to be prepended to every
       message written to the syslog. If not specified, the name defaults
       to the program name, i.e. myproxy-server.

syslog_facility name
       By default, the myproxy-server will log to the syslog "daemon"
       facility. With this option you can specify an alternate syslog
       facility, such as "auth", "user", "security", or "local0". The
       facility can also be specified numerically as with the logger(1)
       command.

request_timeout seconds
       Specifies the maximum time a myproxy-server(8) child process should
       spend servicing a client request before aborting. By default, child
       processes will abort after 120 seconds. A negative value will disable
       the timeout.

request_size_limit bytes
       Limits the amount of incoming application-level protocol data the
       myproxy-server(8) will accept from clients, to avoid memory
       exhaustion under heavy load. Specified in bytes. Defaults to 1MB
       (1048576 bytes). A zero or negative value disables the limit.

proxy_extfile full-path-to-extension-file
       Optionally specifies the full path to a file containing an OpenSSL
       formatted set of certificate extensions to include in all proxy
       certificates issued from the MyProxy repository (analogous to
       certificate_extfile for the CA module).

proxy_extapp full-path-to-extension-callout-program
       This is the call-out version of proxy_extfile. It optionally
       specifies the full path to a call-out program for specifying proxy
       certificate extensions. It will be passed the authenticated username
       and the proxy credential location as the two command arguments. On
       success, it should write the OpenSSL formatted set of certificate
       extensions to stdout and exit with zero status. On error, it should
       write to stderr and exit with nonzero status. Either proxy_extfile or
       proxy_extapp can be specified but not both.

       Be sure to follow secure coding practices for this call-out:
       - Don't allow input to overflow fixed-size buffers.
       - Don't pass unchecked input to a shell command.

voms_userconf full-path-to-voms-configuration-file
       Optionally specifies the full path to the VOMS configuration file
       containing VOMS server information. It is usually specified in the
       environment variable VOMS_USERCONF.

allow_voms_attribute_requests boolean
       If this parameter is set to true and a GET request includes VONAME
       and (optionally) VOMSES parameters, call out to VOMS to add the
       requested attributes to the issued certificate. Requires linking with
       VOMS libraries. By default, VONAME and VOMSES parameters in requests
       will be ignored unless this parameter is set to true.

The MyProxy server can be optionally configured for authentication based on
Pluggable Authentication Modules (PAM) and/or the Simple Authentication and
Security Layer (SASL). Kerberos is one of the supported SASL authentication
methods. The following options control the use of PAM and SASL.

pam option
       This line governs the use of PAM to check passphrases. MyProxy will
       attempt to authenticate via PAM with the supplied username and
       passphrase. Note that PAM will need to be configured externally for
       the application "myproxy" (usually in /etc/pam.d/), or for the
       application named by pam_id, below. Accepted values:

       required
              PAM password authentication is required under all
              conditions. If the credential is unencrypted (that is, it has
              no passphrase), a PAM password check is still required for
              authentication. If the credential is encrypted, its passphrase
              must match the PAM password.

       sufficient
              The user's passphrase may match either the credential
              passphrase or, if the credential is unencrypted, the PAM
              passphrase. If the credential is encrypted, then the PAM
              password is not relevant.

       disabled (default)
              PAM is not used to check passphrases.

pam_id string
       The name that myproxy uses to identify itself to PAM. Default is
       "myproxy". For example, on most Unix-like systems, if pam_id is set
       to "login", MyProxy will authenticate against the system's own
       usernames and passwords.

sasl option
       This line governs the use of SASL authentication. Accepted values:

       required
              SASL authentication is required for retrieving credentials.

       sufficient
              SASL authentication is sufficient for retrieving credentials,
              but other authentication methods may be used instead.

       disabled (default)
              SASL authentication isn't used.

sasl_mech mechanism
       Forces the use of a single SASL mechanism, overriding the SASL
       configuration file. (Typically not required.)

sasl_serverFQDN hostname
       Configures the SASL server fully-qualified domain name for
       multi-homed servers. (Typically not required.)

sasl_user_realm realm
       Configures the SASL user realm. (Typically not required.)

The MyProxy server can also be configured to act as a Certificate Authority
(CA) to issue credentials to clients. The following parameters enable and
configure the CA functionality.
certificate_issuer_cert full-path-to-certificate
       This line specifies the full path to the issuer certificate to
       optionally configure the myproxy-server to act as an online
       certificate authority.

certificate_issuer_key full-path-to-key
       When specifying certificate_issuer_cert above, you must also give
       the name of the CA private key for signing certificates. This is
       normally the path to a CA private key in PEM format, but if you are
       using an OpenSSL engine (see certificate_openssl_engine_id) then it
       can be the key name.

certificate_issuer_key_passphrase “passphrase”
       If the certificate_issuer_key is encrypted, give the passphrase
       here.

certificate_issuer_subca_certfile full-path-to-subca-certificate-file
       If you would like an intermediate/sub-CA certificate chain to be
       sent along with the EEC (End Entity Certificate) generated using a
       local intermediate/sub-CA, specify the file that contains those
       certificates in PEM format. This is meant to aid scenarios where the
       CA used is an intermediate CA (i.e. not a root CA) and the client may
       not have the intermediate CA(s) in its trust store. The client will
       write out the chain into the same file as the EEC, following the
       EEC.

certificate_issuer_hashalg algorithm
       Specifies the hash algorithm to use when signing end-entity
       certificates. Defaults to "sha1". When linked with OpenSSL 0.9.8 or
       later, "sha224", "sha256", "sha384" and "sha512" are also supported.

certificate_issuer_email_domain “domain”
       If set, specifies the domain part of the X509v3 Subject Alternative
       Name email address included in issued certificates.

certificate_openssl_engine_id engineId

certificate_openssl_engine_pre pre-initialization-commands

certificate_openssl_engine_post post-initialization-commands
       These commands can be used to allow any OpenSSL engine to be used
       with MyProxy. This enables the use of hardware tokens and signing
       modules to sign certificates. Given the parameters of an OpenSSL
       "engine" command, the first argument (the identity of the engine)
       becomes the argument to certificate_openssl_engine_id, the -pre
       commands are listed in order using certificate_openssl_engine_pre,
       and the -post commands are listed in order using
       certificate_openssl_engine_post. For example, the command line:

           openssl engine dynamic -pre
           SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre
           LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/opensc-pksc11.so

       becomes:

           certificate_openssl_engine_id "dynamic"

           certificate_openssl_engine_pre
           "SO_PATH:/usr/lib/engines/engine_pkcs11.so" "ID:pkcs11"
           "LIST_ADD:1" "LOAD" "MODULE_PATH:/usr/lib/opensc-pksc11.so"

       Please note that any shared library engines loaded through the
       "dynamic" engine MUST be compiled against the correct version of
       OpenSSL. The Globus toolkit has its own installation, whose version
       can be found by running $GLOBUS_LOCATION/bin/openssl version.

certificate_openssl_engine_lockfile full-path-to-file
       If your hardware token or HSM is unable to handle simultaneous
       operations, provide a path to a lockfile for synchronizing
       operations to the engine device. The myproxy-server will create the
       file if it does not already exist.

certificate_issuer_program full-path-to-script
       This line specifies the path to a program to issue certificates for
       authenticated clients that don't have credentials stored. This
       optionally configures the myproxy-server to act as an online
       certificate authority, allowing programmatic control over the
       certificate issuance process. You can specify either
       certificate_issuer_cert or certificate_issuer_program.

       Be sure to follow secure coding practices for this call-out:
       - Don't allow input to overflow fixed-size buffers.
       - Don't pass unchecked input to a shell command.

certificate_serialfile full-path-to-serial-file
       Specifies the path to a file to store the serial number counter for
       issued certificates. Defaults to /var/myproxy/serial.

certificate_serial_skip increment
       Specifies the number to add to the serial number each time a
       certificate is issued. Use this to stagger serial numbers across
       multiple CA instances to avoid serial number clashes. Defaults to 1.

certificate_out_dir full-path-to-output-directory
       Specifies the path to a directory where new certificates will be
       archived.

max_cert_lifetime hours
       Specifies the maximum lifetime (in hours) for certificates issued by
       the CA module. Defaults to 12 hours.

min_keylen bits
       Specifies the minimum RSA key length (in bits) for certificates
       issued by the CA module.

certificate_extfile full-path-to-extension-file
       Optionally specifies the full path to a file containing an OpenSSL
       formatted set of certificate extensions to include in all issued
       certificates. For example:

           keyUsage=digitalSignature,keyEncipherment,dataEncipherment
           subjectKeyIdentifier=hash
           authorityKeyIdentifier=keyid,issuer:always
           crlDistributionPoints=URI:http://ca.ncsa.uiuc.edu/4a6cd8b1.r0
           basicConstraints=CA:FALSE

       If not set, the MyProxy CA will include a basic set of extensions in
       issued certificates.

certificate_extapp full-path-to-extension-callout-program
       This is the call-out version of certificate_extfile. It optionally
       specifies the full path to a call-out program for specifying
       certificate extensions. It will be passed the authenticated username
       as the single command argument. On success, it should write the
       OpenSSL formatted set of certificate extensions to stdout and exit
       with zero status. On error, it should write to stderr and exit with
       nonzero status. Either certificate_extfile or certificate_extapp can
       be specified but not both.

       Be sure to follow secure coding practices for this call-out:
       - Don't allow input to overflow fixed-size buffers.
       - Don't pass unchecked input to a shell command.

certificate_mapfile full-path-to-mapfile
       When specifying certificate_issuer_cert above, you can map account
       names to certificate subject distinguished names for the issued
       certificates using this mapfile, which has the same format as used
       by other Globus Toolkit services. By default,
       /etc/grid-security/grid-mapfile is used. The Globus Toolkit
       grid-mapfile-add-entry and grid-mapfile-delete-entry commands can be
       used to manage the grid-mapfile.

certificate_mapapp full-path-to-mapapp
       When specifying certificate_issuer_cert above, you can map account
       names to certificate subject distinguished names for the issued
       certificates using this call-out. It will be passed the
       authenticated username as the single command argument. On success,
       it should write the distinguished name in OpenSSL one-line format
       (for example, "/C=US/O=National Computational Science
       Alliance/CN=Jim Basney") to stdout and exit with zero status. On
       error, it should write to stderr and exit with nonzero status. If it
       is not defined, then mapfile lookup will be executed instead (see
       certificate_mapfile above). An example is installed in
       $GLOBUS_LOCATION/share/myproxy/myproxy-certificate-mapapp.

       Be sure to follow secure coding practices for this call-out:
       - Don't allow input to overflow fixed-size buffers.
       - Don't pass unchecked input to a shell command.

certificate_request_checker full-path-to-callout-program
       This CA call-out can be used to perform checks on incoming
       certificate requests. It will be passed the certificate request in
       PEM format on stdin. If it returns a nonzero exit status, the CA will
       abort without signing the request. When returning a nonzero exit
       status, the callout should indicate the problem on stderr. An
       example is installed in
       $GLOBUS_LOCATION/share/myproxy/myproxy-certreq-checker.

certificate_issuer_checker full-path-to-callout-program
       This CA call-out can be used to perform checks on issued
       certificates before the certificate is returned to the client. It
       will be passed the certificate in PEM format on stdin. If it returns
       a nonzero exit status, the CA will abort without returning the signed
       certificate to the client. When returning a nonzero exit status, the
       callout should indicate the problem on stderr. An example is
       installed in $GLOBUS_LOCATION/share/myproxy/myproxy-cert-checker.

517 If OpenLDAP support is built-in to the myproxy-server(8), the following
518 parameters can be used to configure the CA module to map account names
519 to certificate subject distinguished names via LDAP.
520
521 ca_ldap_server “ldap://localhost:389/”
522 This parameter specifies the URI to the LDAP server to use for
523 username to DN resolution in the CA module. Both ldap:// and
524 ldaps:// protocols are supported. A port number may optionally
525 be specified as well. Defining this directive is the "trigger"
526 that causes the name resolution module to use LDAP querying. If
527 it is not defined, then mapfile lookup will be executed instead
528 (see certificate_mapfile above).
529
530 ca_ldap_uid_attribute “uid”
531 The name of the record attribute that maps to the MyProxy user‐
532 name. Required for LDAP username to DN resolution.
533
534 ca_ldap_searchbase “ou=people,dc=bullwinkle,dc=lbl,dc=gov”
535 The DN of the region of the ldap database to be searched.
536 Required for LDAP username to DN resolution.
537
538 ca_ldap_dn_attribute “subjectDN”
539 If this directive is set, the LDAP resolver will pull the DN
540 from the specified attribute in the returned record. If it is
541 not set, the default is to use the DN of the record itself.
542
543 ca_ldap_connect_dn “cn=MyProxy,ou=ldapusers,dc=lbl,dc=gov”
544 DN for LDAP basic authentication (optional).
545
546 ca_ldap_connect_passphrase “passphrase”
547 Passphrase for LDAP basic authentication (optional).
548
549 The following parameters control server replication with the myproxy-
550 replicate(1) utility.
551
552 slave_servers server:port;
553 This value is for use with the myproxy-replicate(1) utility.
554 This tag provides a list of servers that will be used as sec‐
555 ondary repositories for the MyProxy database. Each server
556 should be seperated by a ";". Also, a port may be provided if
557 the slave server is using a port other then the default. The
558 server name maybe a recognized DNS or an IP address.
559
560 The following parameters control Pubcookie (http://www.pubcookie.org)
561 authentication.
562
563 pubcookie_granting_cert full-path-to-pem-file
564 Sets the full path to the PEM-encoded Pubcookie granting cer‐
565 tificate for verifying signatures on Pubcookie granting cookies.
566 Setting this parameter enables Pubcookie support.
567
568 pubcookie_app_server_key full-path-to-key-file
569 Sets the full path to the 2048 byte application server key (see
570 Pubcookie's Apache directive PubcookieCryptKeyfile). This
571 parameter is optional; if omitted, cookie decryption will be
572 disabled, and MyProxy will only accept plaintext cookies,
573 although it will still verify their signatures with pub‐
574 cookie_granting_cert (see above).
575
576 The following parameters are used primarily when utilizing MyProxy as a
577 delegation service for web portals.
578
579 accepted_credentials_mapfile full-path-to-mapfile
580 This parameter points to a grid-mapfile, which is possibly dif‐
581 ferent from other mapfiles above. When specified, this mapfile
582 is utilized during puts/stores (e.g. with myproxy-init(1) and
583 myproxy-store(1)). A credential is authorized to be put/stored
584 only under the username specified in the mapfile. This prevents
585 storing a user's credential under a different username. Note
586 that the credential checked for the presence of a Sub‐
587 jectDN/Username entry in the mapfile is the credential utilized
588 to secure the connection between client and server, NOT the
589 actual credential being stored. As the credential which secures
590 the TLS connection is typically the same as the credential being
591 stored, this should not be a major issue. The Globus Toolkit
592 grid-mapfile-add-entry and grid-mapfile-delete-entry commands
593 can be used to manage the grid-mapfile.
594
595 accepted_credentials_mapapp full-path-to-mapapp
596 As an alternative to the accepted_credentials_mapfile option
597 above, you can specify a call-out which is passed two parame‐
598 ters: a certificate subject distinguished name and a username
599 (in that order). In essence, the call-out performs a lookup in
600 a 'virtual' accepted_credentials_mapfile. If the Sub‐
601 jectDN/Username line would appear in such a mapfile, then the
602 call-out should exit with zero status indicating that a creden‐
603 tial with the given SubjectDN is allowed to be stored under the
604 given Username. Otherwise, the call-out should exit with
605 nonzero status indicating error. An example is installed in
606 $GLOBUS_LOCATION/share/myproxy/myproxy-accepted-credentials-
607 mapapp.
608
609 Be sure to follow secure coding practices for this call-out:
610 - Don't allow input to overflow fixed-size buffers.
611 - Don't pass unchecked input to a shell command.
612
613 check_multiple_credentials boolean
614 Typically when a credential is accessed by a client, the server
615 checks only one credential for possible access authorization,
616 even if there are multiple credentials stored under the given
617 username. If this option is set to "true" AND the client does
618 not specify a credential name for a MyProxy GET operation (i.e.,
619 from myproxy-logon(1)), then the server will check multiple cre‐
620 dentials with the given username. If a credential is found to
621 be authorized for client access, then that one will be used dur‐
622 ing processing. The default value for this option is "false".
623
       The following parameters enable OCSP status checking of stored
       credentials in the myproxy-server(8) repository, to avoid use of
       expired credentials.

       ocsp_policy policy
              Controls the policy for checking certificate validity via OCSP
              before credentials may be delegated. Currently, only the status
              of the end entity certificate is checked via OCSP (and not any
              proxy certificates or CA certificates). OCSP will not be used
              unless ocsp_responder_url and/or ocsp_policy are set. Supported
              policies are:
              "aia" - use the OCSP responder in the certificate's AIA
              extension, if present; otherwise use ocsp_responder_url, if set

       ocsp_responder_url URL
              Specifies the URL of an OCSP responder to use to check the
              validity of credentials stored in the myproxy-server repository
              before they may be delegated, so that revoked credentials cannot
              be retrieved and used where their revocation status may not be
              checked. Currently, only the status of the end entity
              certificate is checked via OCSP (and not any proxy certificates
              or CA certificates). In any case, CRL checks are always
              performed. Both http and https URLs are supported. OCSP will not
              be used unless ocsp_responder_url and/or ocsp_policy are set.

       ocsp_responder_cert path
              Specifies the path to the certificate of a trusted OCSP
              responder. This is needed if the OCSP responder must be
              explicitly trusted in cases where standard path validation fails
              for the OCSP responder's certificate.

       The following parameters control Usage Metrics reporting by the
       myproxy-server(8).

       disable_usage_stats value
              By default Usage Metrics reporting is enabled. Specifying
              "true", "enabled", "yes", "on" or "1" for value will disable
              Usage Metrics reporting. Setting the GLOBUS_USAGE_OPTOUT
              environment variable to "1" will also disable the reporting of
              usage metrics. Disabling reporting of usage metrics will cause
              the usage_stats_target setting to be ignored.

       usage_stats_target target_list
              This option can be used to specify the target collector hosts to
              which usage metrics should be reported. This setting will be
              ignored if disable_usage_stats is enabled. Multiple targets can
              be specified in target_list, separated by commas. Each target
              specification is of the format host:port[!tags], where tags
              control what data elements are reported. The following list
              specifies the tags for the corresponding data elements.
              V - Major Version number of MyProxy server
              v - Minor Version number of MyProxy server
              t - Task Code (0=Get, 1=Put, 2=Info, 3=Destroy,
                  4=ChangeCredPassphrase, 5=StoreEndEntCred,
                  6=RetrEndEntCred, 7=GetTrustRoots)
              r - Task Return Code.
              l - Requested Lifetime for Credential.
              L - Actual Lifetime for Credential.
              B - Informational Bit mask to be interpreted left to right as
                  follows:
                  PAM used
                  SASL used
                  Credential passphrase check used
                  Trusted Retriever (Certificate-based authentication)
                  Certificate Authorization method used (Trusted Renewer)
                  Pubcookie was used
                  Trustroots requested
                  Trustroots delivered
              I - Client IP address
              u - Username
              U - User DN

              In addition to the above selected information, the following
              data are reported to ALL the specified/default target
              collectors. There's no way to exclude these from being reported
              other than by disabling the reporting of usage metrics:

              Component code - 11 for MyProxy
              Component Data Format version - 0 currently
              IP Address of Reporting Server
              Timestamp
              Hostname

              If no tags are specified in a host spec, or the special string
              "default" is specified, the tags VvtrlLB are assumed. A site
              could choose to allow a different set of data to be reported by
              specifying a different tag set. The last 3 tags I, u and U above
              are intended more for a local collector that a site might choose
              to deploy, since they could be construed as private information.
              The special string "all" denotes all tags.

              By default, Usage Metrics reporting is sent to
              "usage-stats.cilogon.org:4810". This can be made explicit by
              specifying "default" (all by itself) for the target
              specification as in:

              usage_stats_target "default"

              If usage_stats_target is not specified and the environment
              variable GLOBUS_USAGE_TARGETS is set, the comma-separated list
              of targets it contains (without any tags) will be used.
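              The target-list syntax above, as an added example that is not
              part of MyProxy: a small Python parser for usage_stats_target
              values that applies the documented meaning of "default" and
              "all", rejects tag letters the page does not define, and reports
              which collectors outside the site would receive the I, u and U
              tags. The collector host names other than the default one are
              constructed for illustration.

```python
"""Parse and audit a myproxy-server.config usage_stats_target value.
Added example, not MyProxy code; syntax is host:port[!tags] as documented."""
import re

ALL_TAGS = "VvtrlLBIuU"          # every tag documented for usage_stats_target
DEFAULT_TAGS = "VvtrlLB"         # assumed when no tags or "default" is given
PRIVATE_TAGS = set("IuU")        # client IP, username, user DN
DEFAULT_TARGET = ("usage-stats.cilogon.org", 4810)

# host:port with an optional "!tags" suffix; the tag field may also be the
# special words "default" or "all".
_SPEC = re.compile(r"^([^:!,\s]+):(\d{1,5})(?:!([A-Za-z]*))?$")


def parse_usage_stats_target(target_list):
    """Return [(host, port, tags), ...]; accepts the quoted config value.
    Raises ValueError for a malformed spec or a tag letter not in ALL_TAGS."""
    value = target_list.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]                   # strip the config-file quotes
    targets = []
    for spec in (s.strip() for s in value.split(",") if s.strip()):
        if spec == "default":                 # "default" all by itself
            targets.append((*DEFAULT_TARGET, DEFAULT_TAGS))
            continue
        m = _SPEC.match(spec)
        if m is None:
            raise ValueError("malformed target spec: %r" % spec)
        host, port, tags = m.group(1), int(m.group(2)), m.group(3) or ""
        if tags in ("", "default"):
            tags = DEFAULT_TAGS
        elif tags == "all":
            tags = ALL_TAGS
        unknown = set(tags) - set(ALL_TAGS)
        if unknown:
            raise ValueError("unknown tag(s) %s in %r" % (sorted(unknown), spec))
        targets.append((host, port, tags))
    return targets


def collectors_receiving_private_tags(targets, local_hosts):
    """Hosts outside local_hosts that would be sent the I, u or U tags,
    i.e. a config that ships client identities off-site."""
    return [host for host, _port, tags in targets
            if host not in local_hosts and PRIVATE_TAGS & set(tags)]
```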
724
EXAMPLES
       The following policy enables all credential repository features.

              accepted_credentials "*"
              authorized_retrievers "*"
              default_retrievers "*"
              authorized_renewers "*"
              default_renewers "none"
              authorized_key_retrievers "*"
              default_key_retrievers "none"
              trusted_retrievers "*"
              default_trusted_retrievers "none"

       The following enables CA functionality using an existing Globus Simple
       CA configuration.

              authorized_retrievers "*"
              pam "sufficient"
              sasl "sufficient"
              certificate_issuer_cert /home/globus/.globus/simpleCA/cacert.pem
              certificate_issuer_key /home/globus/.globus/simpleCA/private/cakey.pem
              certificate_issuer_key_passphrase "myproxy"
              certificate_serialfile /home/globus/.globus/simpleCA/serial
              certificate_mapfile /etc/grid-security/grid-mapfile

       The following will cause usage metrics to be reported to the default
       target (only the default tags) as well as a local collector (including
       the tags IuU):

              usage_stats_target "usage-stats.cilogon.org:4810,localcollector.somedomain:4810!VvtrlLBIuU"

FILES
       /etc/myproxy-server.config
              Default location for the server configuration file.

       $GLOBUS_LOCATION/etc/myproxy-server.config
              Alternate location for the server configuration file. A
              different location can be specified by using the
              myproxy-server(8) -c option.

       $GLOBUS_LOCATION/share/myproxy/myproxy-passphrase-policy
              A sample program for evaluating passphrase quality for use with
              the passphrase_policy_program option.

       $GLOBUS_LOCATION/share/myproxy/myproxy-certificate-mapapp
              A sample certificate_mapapp program for mapping account names to
              certificate subject distinguished names.

       $GLOBUS_LOCATION/share/myproxy/myproxy-accepted-credentials-mapapp
              A sample accepted_credentials_mapapp program for authorizing
              puts/stores (e.g. with myproxy-init(1) and myproxy-store(1)).

ENVIRONMENT
       GLOBUS_LOCATION
              Specifies the root of the MyProxy installation, used to find the
              default location of the myproxy-server.config file.

AUTHORS
       See http://myproxy.ncsa.uiuc.edu/about for the list of MyProxy authors.

SEE ALSO
       myproxy-change-pass-phrase(1), myproxy-destroy(1),
       myproxy-get-trustroots(1), myproxy-info(1), myproxy-init(1),
       myproxy-logon(1), myproxy-retrieve(1), myproxy-store(1),
       myproxy-admin-adduser(8), myproxy-admin-change-pass(8),
       myproxy-admin-load-credential(8), myproxy-admin-query(8),
       myproxy-server(8)

MyProxy                           2009-12-1            myproxy-server.config(5)