myproxy-server.config(5)            MyProxy           myproxy-server.config(5)

NAME

       myproxy-server.config - myproxy-server configuration file


DESCRIPTION

       The  myproxy-server.config  file  sets  the  policy  for  the  myproxy-
       server(8), specifying what credentials may be stored  in  the  server's
       repository,  who  is authorized to retrieve credentials, and other con‐
       figurable server behaviors.  By default,  the  myproxy-server(8)  looks
       for  this  file  in  /etc/myproxy-server.config  and if it is not found
       there, it looks in $GLOBUS_LOCATION/etc/myproxy-server.config.  A  tem‐
       plate is provided at $GLOBUS_LOCATION/share/myproxy/myproxy-server.con‐
       fig.  The myproxy-server -c option can be used to specify  an  alterna‐
       tive location.

       The  following  lines  set  access  control  policies  according to the
       client's  certificate  subject  distinguished  name  (DN).   Note  that
       MyProxy  uses  non-standard  regular expressions for distinguished name
       (DN) matching. See the REGULAR EXPRESSIONS section below for details.

       accepted_credentials “DN regex”
              Each of these lines allows any clients whose DNs match the given
              limited regex to connect to the myproxy-server and store creden‐
              tials with it for future retrieval.  Any number of  these  lines
              may  appear.   For backwards compatibility, these lines can also
              start with allowed_clients instead of accepted_credentials.   If
              no accepted_credentials lines are specified, the server will not
              allow any clients to store credentials.

       authorized_retrievers “DN regex”
              Each of these lines  allows  the  server  administrator  to  set
              server-wide policies for credential retrievers. If the client DN
              does not match the  given  limited  regex,  the  client  is  not
              allowed to retrieve credentials from the server.  In addition to
              the server-wide policy, myproxy also provides support  for  per-
              credential  policy.  The  user  can  specify the regex DN of the
              allowed retrievers of the credential when uploading the  creden‐
              tial (using myproxy-init(1) or myproxy-store(1)).  The retrieval
              client DN must also match the user specified regex. In order  to
              retrieve  credentials the client also needs to know the name and
              pass phrase provided by the client  when  the  credentials  were
              stored.  Any  number  of  these lines may appear.  For backwards
              compatibility, these lines can also start with  allowed_services
              instead  of  authorized_retrievers.  If no authorized_retrievers
              lines are specified, the server will not allow  any  clients  to
              retrieve credentials.

       default_retrievers “DN regex”
              Each  of  these  lines  allows  the  server administrator to set
              server-wide default policies. The regex  specifies  the  clients
              who  can access the credentials. The default retriever policy is
              enforced if a per-credential policy is not specified  on  upload
              (using  myproxy-init(1)  or  myproxy-store(1)).  In other words,
              the client can override this policy for a credential on  upload.
              The per-credential policy is enforced in addition to the server-
              wide policy specified by the authorized_retrievers  line  (which
              clients  can  not  override).   Any number of these lines may be
              present.  For backwards compatibility, if no  default_retrievers
              line  is  specified, the default policy is "*", which allows any
              client to pass the per-credential  policy  check.   (The  client
              must still pass the authorized_retrievers check.)

       authorized_renewers “DN regex”
              Each  of  these  lines  allows  the  server administrator to set
              server-wide policies for authorized renewers. If the  client  DN
              does not match the given limited regex the client is not allowed
              to renew the credentials previously stored  by  a  client.   See
              allow_self_authorization below for a further restriction on this
              policy.  In addition to the  server-wide  policy,  myproxy  also
              provides support for per-credential policy. The user can specify
              the regex DN of the allowed renewers of the credential on upload
              (using  myproxy-init(1)).  The renewal client DN must match both
              this regex and the user  specified  regex.  In  this  case,  the
              client  must  also  already have a credential with a DN matching
              the DN of the credentials to be retrieved, to be used in a  sec‐
              ond  authorization step (see the -a options for myproxy-logon(1)
              and myproxy-retrieve(1)).

       default_renewers “DN regex”
              Each of these lines  allows  the  server  administrator  to  set
              server-wide  default  renewer  policies. The regex specifies the
              clients who can renew the credentials. The default renewer  pol‐
              icy  is  enforced if a per-credential policy is not specified on
              upload (using myproxy-init(1)).  This is enforced in addition to
              the  server-wide  policy  specified  by  the authorized_renewers
              line. Any number of these lines may appear.  For backwards  com‐
              patibility,  if  no  default_renewers  line  is  specified,  the
              default policy is "*", which allows any client to pass the  per-
              credential policy check.  (The client must still pass the autho‐
              rized_renewers check.)

       authorized_key_retrievers “DN regex”
              This policy controls who can retrieve credentials  (certificates
              and   keys)   directly   from   the  repository  using  myproxy-
              retrieve(1).  Clients must also match the  authorized_retrievers
              policy.   If  no  authorized_key_retrievers lines are specified,
              the server will not allow any clients to retrieve keys  directly
              from the repository.

       default_key_retrievers “DN regex”
              This  policy applies if a per-credential policy is not specified
              on upload (using myproxy-init(1) or myproxy-store(1)).  In other
              words,  the  client can override this policy for a credential on
              upload.  The per-credential policy is enforced  in  addition  to
              the  server-wide policy specified by the authorized_key_retriev‐
              ers line (which clients can not override).  Any number of  these
              lines  may  be  present.   If  no default_key_retrievers line is
              specified, the default policy is "*", which allows any client to
              pass  the  per-credential  policy check.  (The client must still
              pass the authorized_key_retrievers check.)

       trusted_retrievers “DN regex”
              This policy controls who can retrieve credentials  without  fur‐
              ther  authentication.   By  default,  clients  that match autho‐
              rized_retrievers must perform additional authentication (such as
              passphrase,  PAM,  or  SASL)  to retrieve credentials.  However,
              authenticated clients that match both authorized_retrievers  and
              trusted_retrievers do not need to perform additional authentica‐
              tion, unless the credentials are protected by a  passphrase,  in
              which case the passphrase is still required.  Note: The myproxy-
              server(8) will fail on startup or reconfig with an "unsafe  pol‐
              icy"  error  if  a policy of trusted_retrievers “*” is specified
              without also specifying a restrictive default_trusted_retrievers
              policy, to avoid an unsafe policy that would release credentials
              to all clients  without  additional  authentication.   See  also
              allow_self_authorization below for a further restriction on this
              policy.

       default_trusted_retrievers “DN regex”
              If a user doesn't set a trusted retrieval policy with  the  cre‐
              dential on upload (via 'myproxy-init -Z'), the myproxy-server(8)
              will  apply  the   following   policy   in   addition   to   the
              trusted_retrievers  policy.   If  no  default_trusted_retrievers
              policy is  set,  then  only  the  trusted_retrievers  policy  is
              applied.

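       The layering described above (a server-wide policy the client cannot
       override, a per-credential policy set at upload or its default_* fall‐
       back, and a trusted-retriever exemption that still yields to a  pass‐
       phrase)  is  easy  to  misjudge when reviewing a site's policy.  The
       Python below is an added example, not MyProxy's own code: it  parses
       the  policy  lines  of  a  constructed  myproxy-server.config, answers
       the store/retrieve/renew/trusted questions for a client DN, and repro‐
       duces  the  "unsafe policy" refusal for trusted_retrievers “*”.  The DN
       matcher is an assumption (“*” matches any run of characters, all  else
       is  literal,  the  whole  DN must match); the server's real limited-
       regex syntax is the one in the REGULAR EXPRESSIONS  section,  and  the
       sample  DNs  and  policy  are  invented.  allow_self_authorization, con‐
       sulted below for the self-renewal case, is described later on this page.

```python
import re
import shlex

# Legacy directive spellings map onto the current names.
ALIASES = {"allowed_clients": "accepted_credentials",
           "allowed_services": "authorized_retrievers"}

def parse_config(text):
    """Keyword then whitespace-separated, optionally double-quoted values;
    '#' starts a comment; repeated policy lines accumulate into a list."""
    cfg = {}
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=True)
        if tokens:
            key = ALIASES.get(tokens[0], tokens[0])
            cfg.setdefault(key, []).extend(tokens[1:])
    return cfg

def dn_matches(pattern, dn):
    """ASSUMED matcher: '*' matches any run of characters, all else is literal,
    whole-DN match.  The real syntax is in the REGULAR EXPRESSIONS section."""
    regex = "".join(".*" if ch == "*" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, dn) is not None

def any_match(patterns, dn):
    return any(dn_matches(p, dn) for p in patterns)

def flag(cfg, key):
    return (cfg.get(key) or ["false"])[0].lower() == "true"

def policy_problems(cfg):
    """Startup refusal described under trusted_retrievers; 'restrictive' is
    assumed to mean anything other than a bare '*'."""
    problems = []
    if "*" in cfg.get("trusted_retrievers", []):
        defaults = cfg.get("default_trusted_retrievers", [])
        if not defaults or "*" in defaults:
            problems.append('unsafe policy: trusted_retrievers "*" without a '
                            "restrictive default_trusted_retrievers")
    return problems

def may_store(cfg, client_dn):
    # No accepted_credentials lines at all means nobody may store.
    return any_match(cfg.get("accepted_credentials", []), client_dn)

def _layered(cfg, server_key, default_key, client_dn, cred_policy):
    """Server-wide policy (never overridable at upload) AND the per-credential
    policy, falling back to default_*, which itself defaults to '*'."""
    if not any_match(cfg.get(server_key, []), client_dn):
        return False
    per_cred = cred_policy if cred_policy is not None else cfg.get(default_key, ["*"])
    return any_match(per_cred, client_dn)

def may_retrieve(cfg, client_dn, cred_policy=None):
    return _layered(cfg, "authorized_retrievers", "default_retrievers",
                    client_dn, cred_policy)

def may_renew(cfg, client_dn, owner_dn, cred_policy=None):
    # A proxy cannot renew itself unless allow_self_authorization is true.
    if client_dn == owner_dn and not flag(cfg, "allow_self_authorization"):
        return False
    return _layered(cfg, "authorized_renewers", "default_renewers",
                    client_dn, cred_policy)

def needs_extra_auth(cfg, client_dn, owner_dn, has_passphrase, trusted_policy=None):
    """True when passphrase/PAM/SASL is still required: trusted retrieval needs
    authorized_retrievers AND trusted_retrievers AND the -Z policy (or
    default_trusted_retrievers, if set), and never bypasses a passphrase."""
    if has_passphrase:
        return True
    if client_dn == owner_dn and not flag(cfg, "allow_self_authorization"):
        return True
    if not (any_match(cfg.get("authorized_retrievers", []), client_dn)
            and any_match(cfg.get("trusted_retrievers", []), client_dn)):
        return True
    per_cred = (trusted_policy if trusted_policy is not None
                else cfg.get("default_trusted_retrievers"))
    return per_cred is not None and not any_match(per_cred, client_dn)

# Constructed sample policy; the DNs are invented for illustration.
SAMPLE_CONFIG = """
accepted_credentials "/C=US/O=Example Grid/*"
authorized_retrievers "/C=US/O=Example Grid/*"
default_retrievers "/C=US/O=Example Grid/OU=Portals/*"
authorized_renewers "/C=US/O=Example Grid/OU=Services/CN=renewer.example.org"
trusted_retrievers "/C=US/O=Example Grid/OU=Portals/CN=portal.example.org"
default_trusted_retrievers "/C=US/O=Example Grid/OU=Portals/*"
allow_self_authorization false
"""

if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    portal = "/C=US/O=Example Grid/OU=Portals/CN=portal.example.org"
    print("startup problems:", policy_problems(cfg))
    print("portal retrieves without 2nd factor:", may_retrieve(cfg, portal)
          and not needs_extra_auth(cfg, portal, "/C=US/O=Example Grid/CN=Alice", False))
```

       Every check takes the parsed dictionary, so the same functions can be
       pointed at a real file's contents; note in particular that a per-cre‐
       dential  policy  of  "*"  never rescues a DN that fails the server-wide
       authorized_* line.
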
       The following lines in the configuration file set other server options.

       passphrase_policy_program full-path-to-script
              This  line  specifies  a program to run whenever a passphrase is
              set or changed for implementing a local  password  policy.   The
              program is passed the new passphrase via stdin and is passed the
              following arguments: username,  distinguished  name,  credential
              name  (if  any),  per-credential  retriever policy (if any), and
              per-credential renewal policy (if any).  If  the  passphrase  is
              acceptable,  the  program should exit with status 0.  Otherwise,
              it should exit with non-zero status, causing  the  operation  in
              progress  (credential  load, passphrase change) to fail with the
              error message provided by the program's stdout.  Note: You  must
              specify the full path to the external program.  $GLOBUS_LOCATION
              can't be used in the myproxy-server.config file.  A sample  pro‐
              gram  is  installed  in  $GLOBUS_LOCATION/share/myproxy/myproxy-
              passphrase-policy but is not enabled by default.

              Be sure to follow secure coding practices for this call-out:
              - Don't allow input to overflow fixed-size buffers.
              - Don't pass unchecked input to a shell command.

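       As an added example of the call-out contract just described (this  is
       not  the  sample  myproxy-passphrase-policy shipped with MyProxy), the
       Python below reads the candidate passphrase from stdin, takes the user‐
       name,  DN  and  optional credential name from its arguments, and rejects
       with the reason on stdout and a non-zero exit.  The rules  it  enforces
       (a  12-character  minimum,  three  character classes, and no username or
       DN component inside the passphrase) are an invented local  policy;  the
       protocol is the one the text above defines.  It invokes no shell and
       only ever compares its inputs, which is what the secure-coding  bullets
       ask for.

```python
import sys

MIN_LENGTH = 12   # assumed local minimum; MyProxy itself imposes none here

def _dn_words(dn):
    """Attribute values of an OpenSSL one-line DN, split into words."""
    for part in dn.split("/"):
        if "=" in part:
            yield from part.split("=", 1)[1].lower().split()

def check_passphrase(passphrase, username, dn="", cred_name=""):
    """Return (accepted, reason).  Pure, so it can be tested without a process."""
    pw = passphrase.rstrip("\r\n")
    if len(pw) < MIN_LENGTH:
        return False, f"passphrase must be at least {MIN_LENGTH} characters"
    kinds = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
             any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)]
    if sum(kinds) < 3:
        return False, "passphrase needs three of: lowercase, uppercase, digit, symbol"
    low = pw.lower()
    # The account name, credential name and any word of the subject DN are
    # all guessable by anyone who can see the certificate.
    for word in [username.lower(), cred_name.lower(), *_dn_words(dn)]:
        if len(word) >= 4 and word in low:
            return False, f"passphrase must not contain '{word}'"
    return True, ""

def run_callout(argv, passphrase_text):
    """Call-out contract: argv[1..] = username, DN, [credential name],
    [retriever policy], [renewal policy]; passphrase on stdin; exit 0 to
    accept, non-zero with the reason on stdout to reject."""
    args = list(argv[1:]) + [""] * 5      # tolerate absent trailing arguments
    ok, reason = check_passphrase(passphrase_text, args[0], args[1], args[2])
    if not ok:
        print(reason)                     # MyProxy relays stdout to the client
        return 1
    return 0

if __name__ == "__main__":
    sys.exit(run_callout(sys.argv, sys.stdin.read()))
```

       Install it with passphrase_policy_program /full/path/to/the/script and
       make the file executable only by the user the server runs as.
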
       cert_dir full-path-to-certificates-directory
              Specifies the path  to  the  CA  certificates  directory  to  be
              returned  to  clients  requesting  trust  roots (such as via the
              myproxy-logon(1) -T option).

       max_proxy_lifetime hours
              This line specifies a server-wide maximum lifetime for retrieved
              proxy  credentials.   By  default,  no  server-wide  maximum  is
              enforced.  However, if this option is specified, the server will
              limit  the  lifetime  of  any retrieved proxy credentials to the
              value given.

       max_cred_lifetime hours
              This line specifies a server-wide maximum  lifetime  for  stored
              credentials.   By  default,  no server-wide maximum is enforced.
              However, if this option is specified, the server will limit  the
              lifetime of any stored credentials to the value given.

       ignore_globus_limited_proxy_flag boolean
              By  default,  MyProxy will respect the policy of "limited" proxy
              certificates as follows.  If a client authenticates with a  lim‐
              ited  proxy,  the  client  should only be able to obtain another
              limited proxy, not a  full  proxy  or  end  entity  certificate.
              Thus, the MyProxy CA will not accept limited proxies for authen‐
              tication.  However, if this option is set to true, MyProxy  will
              treat limited proxy certificates as if they were full proxy cer‐
              tificates.  Enabling it therefore lets the holder of a  limited
              proxy  obtain  a  full  proxy  or  end  entity  certificate, the
              escalation the limited flag exists to prevent.

       allow_self_authorization boolean
              By default, MyProxy will disallow trusted_retrievers and  autho‐
              rized_renewers  whose DN matches the identity of the stored cre‐
              dential, so a proxy by itself can not be refreshed  or  renewed.
              However,  if  this  option  is  set to true, this restriction is
              lifted.

       syslog_ident name
              You can optionally specify the string to be prepended  to  every
              message  written  to  the  syslog.   If  not specified, the name
              defaults to the program name, i.e. myproxy-server.

       syslog_facility name
              By default, the myproxy-server will log to the  syslog  "daemon"
              facility.  With  this option you can specify an alternate syslog
              facility, such as "auth", "user", "security", or "local0".   The
              facility can also be specified numerically as with the logger(1)
              command.

       request_timeout seconds
              Specifies the maximum time  a  myproxy-server(8)  child  process
              should  spend  servicing  a  client request before aborting.  By
              default, child processes will abort after 120 seconds.  A  nega‐
              tive value will disable the timeout.

       request_size_limit bytes
              Limits  the  amount  of incoming application-level protocol data
              the myproxy-server(8) will accept from clients, to avoid  memory
              exhaustion  under  heavy  load. Specified in bytes.  Defaults to
              1MB (1048576 bytes).  A zero  or  negative  value  disables  the
              limit.

       proxy_extfile full-path-to-extension-file
              Optionally  specifies  the  full  path  to  a file containing an
              OpenSSL formatted set of certificate extensions  to  include  in
              all proxy certificates issued from the MyProxy repository (anal‐
              ogous to certificate_extfile for the CA module).

       proxy_extapp full-path-to-extension-callout-program
              This is the call-out version of  proxy_extfile.   It  optionally
              specifies  the  full  path  to a call-out program for specifying
              proxy certificate extensions.  It will be passed  the  authenti‐
              cated username and the proxy credential location as the two com‐
              mand arguments.  On success, it should write the OpenSSL format‐
              ted  set  of certificate extensions to stdout and exit with zero
              status.  On error, it should  write  to  stderr  and  exit  with
              nonzero  status.   Either  proxy_extfile  or proxy_extapp can be
              specified but not both.

              Be sure to follow secure coding practices for this call-out:
              - Don't allow input to overflow fixed-size buffers.
              - Don't pass unchecked input to a shell command.

       voms_userconf full-path-to-voms-configuration-file
              Optionally specifies the full path  to  the  VOMS  configuration
              file containing VOMS server information. It is usually specified
              in the environment variable VOMS_USERCONF.

       allow_voms_attribute_requests boolean
              If this parameter is set to true and a GET request includes VON‐
              AME  and (optionally) VOMSES parameters, call-out to VOMS to add
              the requested attributes to  the  issued  certificate.  Requires
              linking  with  VOMS  libraries.  By  default,  VONAME and VOMSES
              parameters in requests will be ignored unless this parameter  is
              set to true.

       The  MyProxy  server  can  be  optionally configured for authentication
       based on Pluggable  Authentication  Modules  (PAM)  and/or  the  Simple
       Authentication  and Security Layer (SASL).  Kerberos is one of the sup‐
       ported SASL authentication methods.  The following options control  the
       use of PAM and SASL.

       pam option
              This  line governs the use of PAM to check passphrases.  MyProxy
              will attempt to authenticate via PAM, with the supplied username
              and passphrase.  Note that PAM will need to be configured exter‐
              nally for the application "myproxy" (usually in /etc/pam.d/), or
              for the application named by pam_id, below.  Accepted values:

              required
                     PAM  password authentication is required under all condi‐
                     tions.  If the credential is unencrypted (that is, it has
                     no  passphrase),  a  PAM password check is still required
                     for authentication.  If the credential is encrypted,  its
                     passphrase must match the PAM password.

              sufficient
                     The  user's  passphrase  may  match either the credential
                     passphrase or, if the credential is unencrypted, the  PAM
                     passphrase.  If the credential is encrypted, then the PAM
                     password is not relevant.

              disabled (default)
                     PAM is not used to check passphrases.

       pam_id string
              The name that myproxy uses to identify itself to  PAM.   Default
              is "myproxy".  For example, on most Unix-like systems, if pam_id
              is set to "login", MyProxy will authenticate  against  the  sys‐
              tem's own usernames and passwords.

       sasl option
              This line governs the use of SASL authentication.  Accepted val‐
              ues:

              required
                     SASL authentication is required  for  retrieving  creden‐
                     tials.

              sufficient
                     SASL  authentication is sufficient for retrieving creden‐
                     tials, but  other  authentication  methods  may  be  used
                     instead.

              disabled (default)
                     SASL authentication isn't used.

       sasl_mech mechanism
              Forces  the  use of a single SASL mechanism, overriding the SASL
              configuration file. (Typically not required.)

       sasl_serverFQDN hostname
              Configures the  SASL  server  fully-qualified  domain  name  for
              multi-homed servers. (Typically not required.)

       sasl_user_realm realm
              Configures the SASL user realm. (Typically not required.)

       The  MyProxy  server  can  also  be  configured to act as a Certificate
       Authority (CA) to issue credentials to clients.  The following  parame‐
       ters enable and configure the CA functionality.

       certificate_issuer_cert full-path-to-certificate
              This  line  specifies the full path to the issuer certificate to
              optionally configure the myproxy-server to act as an online cer‐
              tificate authority.

       certificate_issuer_key full-path-to-key
              When  specifying  certificate_issuer_cert  above,  you must also
              give the name of the CA private key  for  signing  certificates.
              This is normally the path to a CA private key in PEM format, but
              if you are using an OpenSSL engine (see certificate_openssl_en‐
              gine_id) then it can be the key name.

       certificate_issuer_key_passphrase “passphrase”
              If  the certificate_issuer_key is encrypted, give the passphrase
              here.  This places the passphrase in the clear in the configura‐
              tion file, so the file must be readable only by the user the
              myproxy-server(8) runs as.

       certificate_issuer_subca_certfile full-path-to-subca-certificate-file
              If you would like an intermediate/sub-CA certificate chain to be
              sent along with the EEC (End Entity Certificate) generated using
              a local intermediate/sub-CA,  specify  the  file  that  contains
              those certificates in PEM format. This is meant to aid scenarios
              where the CA used is an intermediate CA (i.e. not a root CA) and
              the  client  may  not  have  the intermediate CA(s) in its trust
              store. The client will write out the chain into the same file as
              the EEC, following the EEC.

       certificate_issuer_hashalg algorithm
              Specifies the hash algorithm to use when signing end-entity cer‐
              tificates.  Defaults to "sha256".

       certificate_issuer_email_domain “domain”
              If set, specifies the domain part of the X509v3 Subject Alterna‐
              tive Name email address included in issued certificates.

       certificate_openssl_engine_id engineId

       certificate_openssl_engine_pre pre-initialization-commands

       certificate_openssl_engine_post post-initialization-commands
              These  commands  can  be  used to allow any OpenSSL engine to be
              used with MyProxy.  This enables the use of hardware tokens  and
              signing  modules  to sign certificates.  Given the parameters of
              an OpenSSL "engine" command, the first argument, the identity of
              the engine, becomes the argument to certificate_openssl_engine_id;
              -pre  commands  are  listed  in  order  using  certificate_open‐
              ssl_engine_pre and -post commands are listed in order using cer‐
              tificate_openssl_engine_post.  For example the command-line:

                 openssl engine dynamic \
                     -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so \
                     -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD \
                     -pre MODULE_PATH:/usr/lib/opensc-pkcs11.so

              becomes:

                 certificate_openssl_engine_id "dynamic"

                 certificate_openssl_engine_pre "SO_PATH:/usr/lib/engines/engine_pkcs11.so" "ID:pkcs11" "LIST_ADD:1" "LOAD" "MODULE_PATH:/usr/lib/opensc-pkcs11.so"

              Please  note  that any shared library engines loaded through the
              "dynamic" engine MUST be compiled against the correct version of
              OpenSSL.

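       The mapping from an openssl engine command line to  the  three  direc‐
       tives  is  mechanical,  and  the  order  of -pre and -post commands is
       significant because the engine executes them in sequence.  The  Python
       below  is  an  added  helper,  not  part  of MyProxy: it generalises the
       example above to any number of -pre and -post commands.   It  assumes
       commands  contain  no  double  quotes,  since  the config syntax shown
       here offers no escaping.

```python
import shlex

def _quoted(cmds):
    return " ".join(f'"{c}"' for c in cmds)

def engine_directives(cmdline):
    """Map 'openssl engine <id> [-pre CMD]... [-post CMD]...' to the
    certificate_openssl_engine_* lines, preserving command order."""
    argv = shlex.split(cmdline)
    if argv[:2] != ["openssl", "engine"] or len(argv) < 3 or argv[2].startswith("-"):
        raise ValueError("expected: openssl engine <engine-id> [-pre CMD]... [-post CMD]...")
    engine_id, rest = argv[2], argv[3:]
    pre, post = [], []
    while rest:
        opt = rest.pop(0)
        if opt in ("-pre", "-post") and rest:
            (pre if opt == "-pre" else post).append(rest.pop(0))
        else:
            raise ValueError(f"unsupported or dangling option: {opt}")
    for cmd in [engine_id, *pre, *post]:
        if '"' in cmd:  # values are double-quoted in the config; no escaping assumed
            raise ValueError(f"cannot quote {cmd!r} for the config file")
    lines = [f'certificate_openssl_engine_id "{engine_id}"']
    if pre:
        lines.append(f"certificate_openssl_engine_pre {_quoted(pre)}")
    if post:
        lines.append(f"certificate_openssl_engine_post {_quoted(post)}")
    return lines

if __name__ == "__main__":
    print("\n".join(engine_directives(
        "openssl engine dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so "
        "-pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD "
        "-pre MODULE_PATH:/usr/lib/opensc-pkcs11.so")))
```
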
       certificate_openssl_engine_lockfile full-path-to-file
              If  your  hardware token or HSM is unable to handle simultaneous
              operations, provide a path to a lockfile for synchronizing oper‐
              ations to the engine device.  The myproxy-server will create the
              file if it does not already exist.

       certificate_issuer_program full-path-to-script
              This line specifies the path to a program to issue  certificates
              for  authenticated  clients  that don't have credentials stored.
              This optionally configures  the  myproxy-server  to  act  as  an
              online certificate authority, allowing programmatic control over
              the certificate issuance process.  You can either  specify  cer‐
              tificate_issuer_cert or certificate_issuer_program.

              Be sure to follow secure coding practices for this call-out:
              - Don't allow input to overflow fixed-size buffers.
              - Don't pass unchecked input to a shell command.

       certificate_serialfile full-path-to-serial-file
              Specifies  the path to a file to store the serial number counter
              for issued certificates.  Defaults to /var/lib/myproxy/serial.

       certificate_serial_skip increment
              Specifies the number to add to the serial  number  each  time  a
              certificate is issued. Use this to stagger serial numbers across
              multiple CA instances to avoid serial number  clashes.  Defaults
              to 1.

       certificate_out_dir full-path-to-output-directory
              Specifies the path to a directory where new certificates will be
              archived.

       max_cert_lifetime hours
              Specifies the  maximum  lifetime  (in  hours)  for  certificates
              issued by the CA module.  Defaults to 12 hours.

       min_keylen bits
              Specifies  the minimum RSA key length (in bits) for certificates
              issued by the CA module.

       certificate_extfile full-path-to-extension-file
              Optionally specifies the full  path  to  a  file  containing  an
              OpenSSL  formatted  set  of certificate extensions to include in
              all issued certificates.  For example:
                 keyUsage=digitalSignature,keyEncipherment,dataEncipherment
                 subjectKeyIdentifier=hash
                 authorityKeyIdentifier=keyid,issuer:always
                 crlDistributionPoints=URI:http://ca.ncsa.uiuc.edu/4a6cd8b1.r0
                 basicConstraints=CA:FALSE
              If not set, the MyProxy CA will include a basic  set  of  exten‐
              sions in issued certificates.

       certificate_extapp full-path-to-extension-callout-program
              This is the call-out version of certificate_extfile.  It option‐
              ally specifies the full path to a call-out program for  specify‐
              ing certificate extensions.  It will be passed the authenticated
              username as the single command argument.  On success, it  should
              write  the  OpenSSL  formatted  set of certificate extensions to
              stdout and exit with zero status.  On error, it should write  to
              stderr and exit with nonzero status.  Either certificate_extfile
              or certificate_extapp can be specified but not both.

              Be sure to follow secure coding practices for this call-out:
              - Don't allow input to overflow fixed-size buffers.
              - Don't pass unchecked input to a shell command.

       certificate_mapfile full-path-to-mapfile
              When  specifying  certificate_issuer_cert  above,  you  can  map
              account names to certificate subject distinguished names for the
              issued certificates using this mapfile, which has the same  for‐
              mat  as  used  by  other  Grid  Community  Toolkit services.  By
              default, /etc/grid-security/grid-mapfile is used.  The Grid Com‐
              munity  Toolkit  grid-mapfile-add-entry and grid-mapfile-delete-
              entry commands can be used to manage the grid-mapfile.

       certificate_mapapp full-path-to-mapapp
              When  specifying  certificate_issuer_cert  above,  you  can  map
              account names to certificate subject distinguished names for the
              issued certificates using this call-out.  It will be passed  the
              authenticated  username as the single command argument.  On suc‐
              cess, it should write the distinguished name in OpenSSL one line
              format  (for  example,  "/C=US/O=National  Computational Science
              Alliance/CN=Jim Basney") to stdout and exit  with  zero  status.
              On  error,  it should write to stderr and exit with nonzero sta‐
              tus.  If it is not defined, then mapfile lookup will be executed
              instead   (see   certificate_mapfile   above).   An  example  is
              installed in $GLOBUS_LOCATION/share/myproxy/myproxy-certificate-
              mapapp.

              Be sure to follow secure coding practices for this call-out:
              - Don't allow input to overflow fixed-size buffers.
              - Don't pass unchecked input to a shell command.

       certificate_request_checker full-path-to-callout-program
              This  CA call-out can be used to perform checks on incoming cer‐
              tificate requests. It will be passed the certificate request  in
              PEM format on stdin. If it returns a nonzero exit status, the CA
              will abort  without  signing  the  request.   When  returning  a
              nonzero  exit status, the callout should indicate the problem on
              stderr.    An   example   is    installed    in    $GLOBUS_LOCA‐
              TION/share/myproxy/myproxy-certreq-checker.

       certificate_issuer_checker full-path-to-callout-program
              This  CA  call-out  can be used to perform checks on issued cer‐
              tificates before the certificate is returned to the client.   It
              will  be  passed  the  certificate in PEM format on stdin. If it
              returns a nonzero exit status, the CA will abort without return‐
              ing  the  signed  certificate  to  the  client. When returning a
              nonzero exit status, the callout should indicate the problem  on
              stderr.     An    example    is   installed   in   $GLOBUS_LOCA‐
              TION/share/myproxy/myproxy-cert-checker.

       If OpenLDAP support is built into the myproxy-server(8), the following
       parameters  can be used to configure the CA module to map account names
       to certificate subject distinguished names via LDAP.

       ca_ldap_server “ldap://localhost:389/”
              This parameter specifies the URI to the LDAP server to  use  for
              username  to  DN  resolution in the CA module.  Both ldap:// and
              ldaps:// protocols are supported.  A port number may  optionally
              be  specified as well.  Defining this directive is the "trigger"
              that causes the name resolution module to use LDAP querying.  If
              it  is not defined, then mapfile lookup will be executed instead
              (see certificate_mapfile above).

       ca_ldap_uid_attribute “uid”
              The name of the record attribute that maps to the MyProxy  user‐
              name.  Required for LDAP username to DN resolution.

       ca_ldap_searchbase “ou=people,dc=bullwinkle,dc=lbl,dc=gov”
              The  DN  of  the  region  of  the  LDAP database to be searched.
              Required for LDAP username to DN resolution.

       ca_ldap_dn_attribute “subjectDN”
              If this directive is set, the LDAP resolver  will  pull  the  DN
              from  the  specified attribute in the returned record.  If it is
              not set, the default is to use the DN of the record itself.

       ca_ldap_connect_dn “cn=MyProxy,ou=ldapusers,dc=lbl,dc=gov”
              DN for LDAP basic authentication (optional).

       ca_ldap_connect_passphrase “passphrase”
              Passphrase for LDAP basic authentication (optional).  With  a
              plain  ldap://  URI the simple bind sends this passphrase in the
              clear, so use ldaps:// whenever a bind DN is configured.

531       The following parameters control server replication with  the  myproxy-
532       replicate(1) utility.
533
534       slave_servers server:port;
535              This  value  is  for  use with the myproxy-replicate(1) utility.
536              This tag provides a list of servers that will be  used  as  sec‐
537              ondary  repositories  for  the  MyProxy  database.   Each server
538              must be separated by a ";".  A port may be provided if the slave
539              server is using a port other than the default.  The server  name
540              may be a resolvable DNS name or an IP address.
541
542       The following parameters are used primarily when utilizing MyProxy as a
543       delegation service for web portals.
544
545       accepted_credentials_mapfile full-path-to-mapfile
546              This  parameter points to a grid-mapfile, which is possibly dif‐
547              ferent from other mapfiles above. When specified,  this  mapfile
548              is  utilized  during  puts/stores (e.g. with myproxy-init(1) and
549              myproxy-store(1)).  A credential is authorized to be  put/stored
550              only under the username specified in the mapfile.  This prevents
551              storing a user's credential under a  different  username.   Note
552              that   the  credential  checked  for  the  presence  of  a  Sub‐
553              jectDN/Username entry in the mapfile is the credential  utilized
554              to  secure  the  connection  between  client and server, NOT the
555              actual credential being stored.  As the credential which secures
556              the TLS connection is typically the same as the credential being
557              stored, this should not be a major issue.   The  Grid  Community
558              Toolkit   grid-mapfile-add-entry  and  grid-mapfile-delete-entry
559              commands can be used to manage the grid-mapfile.
560
561       accepted_credentials_mapapp full-path-to-mapapp
562              As an alternative  to  the  accepted_credentials_mapfile  option
563              above,  you  can  specify a call-out which is passed two parame‐
564              ters: a certificate subject distinguished name  and  a  username
565              (in  that order).  In essence, the call-out performs a lookup in
566              a   'virtual'   accepted_credentials_mapfile.    If   the   Sub‐
567              jectDN/Username  line  would  appear in such a mapfile, then the
568              call-out should exit with zero status indicating that a  creden‐
569              tial  with the given SubjectDN is allowed to be stored under the
570              given  Username.   Otherwise,  the  call-out  should  exit  with
571              nonzero  status  indicating  error.   An example is installed in
572              $GLOBUS_LOCATION/share/myproxy/myproxy-accepted-credentials-
573              mapapp.
574
575              Be sure to follow secure coding practices for this call-out:
576              - Don't allow input to overflow fixed-size buffers.
577              - Don't pass unchecked input to a shell command.
578
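       The call-out contract above (two arguments, exit status 0 only when the
       SubjectDN/Username pair is authorized), implemented here as an added C
       example for this page.  It is not MyProxy's sample  program:  it  looks
       the pair up in a grid-mapfile-style file with exact comparisons, copies
       each line into a bounded buffer, and never hands  the  arguments  to  a
       shell.  The ACCEPTED_CREDENTIALS_MAPFILE environment variable, the  de‐
       fault path, the function names and the SAMPLE_MAPFILE contents are  as‐
       sumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Longest mapfile line we parse; longer lines are skipped, not truncated
 * into a fixed-size buffer. */
#define MAX_LINE 4096

/* Constructed sample mapfile for exercising mapfile_allows(); not real data. */
const char *SAMPLE_MAPFILE =
    "# accepted_credentials_mapfile (constructed example)\n"
    "\"/C=US/O=NCSA/CN=Jim Basney\" jbasney,basney\n"
    "\"/C=US/O=NCSA/CN=Test User 1\" testuser\n";

/* One grid-mapfile line:  "<subject DN>" user1,user2,...
 * Returns 1 if the line grants user to dn.  Comparisons are exact: a DN or
 * username that is only a prefix of the entry does not match. */
static int line_allows(const char *line, const char *dn, const char *user) {
    const char *p = line, *end;
    size_t dnlen = strlen(dn), ulen = strlen(user);

    if (dnlen == 0 || ulen == 0)
        return 0;
    while (*p == ' ' || *p == '\t')
        p++;
    if (*p != '"')                      /* comment, blank, or malformed line */
        return 0;
    end = strchr(++p, '"');
    if (end == NULL || (size_t)(end - p) != dnlen || memcmp(p, dn, dnlen) != 0)
        return 0;
    p = end + 1;
    while (*p == ' ' || *p == '\t')
        p++;
    for (;;) {                          /* walk the comma-separated usernames */
        const char *q = p;
        while (*q != '\0' && *q != ',' && *q != ' ' && *q != '\t')
            q++;
        if ((size_t)(q - p) == ulen && memcmp(p, user, ulen) == 0)
            return 1;
        if (*q != ',')
            return 0;
        p = q + 1;
    }
}

/* Returns 1 if any line of the mapfile text grants user to dn, else 0. */
int mapfile_allows(const char *text, const char *dn, const char *user) {
    char line[MAX_LINE];
    const char *start = text;

    while (*start != '\0') {
        const char *nl = strchr(start, '\n');
        size_t len = nl ? (size_t)(nl - start) : strlen(start);
        if (len < sizeof line) {
            memcpy(line, start, len);
            line[len] = '\0';
            if (len > 0 && line[len - 1] == '\r')
                line[len - 1] = '\0';
            if (line_allows(line, dn, user))
                return 1;
        }
        if (nl == NULL)
            break;
        start = nl + 1;
    }
    return 0;
}

/* Read a whole file into a NUL-terminated heap buffer, or return NULL. */
static char *read_file(const char *path) {
    FILE *f = fopen(path, "r");
    char *buf = NULL, *nb;
    size_t cap = 0, len = 0, n;
    if (f == NULL)
        return NULL;
    do {
        cap = cap ? cap * 2 : 8192;
        if ((nb = realloc(buf, cap)) == NULL) { free(buf); fclose(f); return NULL; }
        buf = nb;
        n = fread(buf + len, 1, cap - len - 1, f);
        len += n;
    } while (n > 0);
    buf[len] = '\0';
    fclose(f);
    return buf;
}

/* Call-out entry point: argv[1] is the subject DN, argv[2] the username.
 * Exit 0 = pair found (store allowed), 1 = not allowed, 2 = usage/I-O error. */
int main(int argc, char **argv) {
    const char *path;
    char *text;
    int ok;
    if (argc != 3) {
        fprintf(stderr, "usage: %s \"subject DN\" username\n", argv[0]);
        return 2;
    }
    path = getenv("ACCEPTED_CREDENTIALS_MAPFILE");  /* assumed for this example */
    if (path == NULL)
        path = "/etc/grid-security/accepted-credentials-mapfile";
    if ((text = read_file(path)) == NULL) { perror(path); return 2; }
    ok = mapfile_allows(text, argv[1], argv[2]);
    free(text);
    return ok ? 0 : 1;
}
```

       The exact-length comparison in line_allows() is the point of the exam‐
       ple: a call-out that greps the DN as an unanchored pattern  would  also
       accept  entries  for  longer DNs sharing the same prefix, and one that
       builds a shell command from the arguments would let a  crafted  DN  run
       arbitrary commands as the server account.
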
579       check_multiple_credentials boolean
580              Typically  when a credential is accessed by a client, the server
581              checks only one credential for  possible  access  authorization,
582              even  if  there  are multiple credentials stored under the given
583              username.  If this option is set to "true" AND the  client  does
584              not specify a credential name for a MyProxy GET operation (i.e.,
585              from myproxy-logon(1)), then the server will check multiple cre‐
586              dentials  with  the given username.  If a credential is found to
587              be authorized for client access, then that one will be used dur‐
588              ing processing.  The default value for this option is "false".
589
590       The  following parameters enable OCSP status checking of stored creden‐
591       tials in the myproxy-server(8) repository, to avoid  delegating  creden‐
592       tials whose end entity certificate has been revoked.
593
594       ocsp_policy policy
595              Controls  the  policy for checking certificate validity via OCSP
596              before credentials may be delegated.  Currently, only the status
597              of  the  end entity certificate is checked via OCSP (and not any
598              proxy certificates or CA certificates).  OCSP will not  be  used
599              unless ocsp_responder_url and/or ocsp_policy are set.  Supported
600              policies are:
601                "aia" - use OCSP responder in certificate AIA extension, if
602                        present; otherwise use ocsp_responder_url, if set
603
604       ocsp_responder_url URL
605              Specifies the URL of an OCSP  responder  to  use  to  check  the
606              validity  of credentials stored in the myproxy-server repository
607              before they may be delegated, so that  revoked  credentials  can
608              not  be retrieved and used where their revocation status may not
609              be checked.  Currently, only the status of the end  entity  cer‐
610              tificate  is checked via OCSP (and not any proxy certificates or
611              CA certificates).  In any case, CRL checks are always performed.
612              Both  http  and https urls are supported.  OCSP will not be used
613              unless ocsp_responder_url and/or ocsp_policy are set.
614
615       ocsp_responder_cert path
616              Specifies the path to the certificate of a trusted OCSP  respon‐
617              der.   This  is  needed  if the OCSP responder must be explicitly
618              trusted in cases where standard path validation  fails  for  the
619              OCSP responder's certificate.
620

REGULAR EXPRESSIONS

622       For  matching  distinguished  names  (DNs)  in access control policies,
623       MyProxy uses POSIX Extended  Regular  Expressions  (see  re_format(7)),
624       with  custom processing of '*', '?', and '.' metacharacters to simulate
625       Unix shell style wildcard processing (for  backward  compatibility  and
626       other  historical  reasons).   MyProxy's custom regular expressions are
627       converted to POSIX EREs according to the following rules:
628
629         [ MyProxy regex ] => [ POSIX ERE ]
630         ----------------------------------
631                '*'        =>      '.*'
632                '?'        =>      '.'
633                '.'        =>      '\.'
634                '\*'       =>      '*'
635                '\?'       =>      '?'
636                '\.'       =>      '.'
637
638       Additionally, MyProxy wraps all regular  expressions  inside  '^('  and
639       ')$' to require full DN matching.
640
641       Be  aware  that  parentheses  are metacharacters according to POSIX, so
642       escaping is required for literal matching. For example:
643
644         "*/CN=Jim Basney \(admin\)"
645
646       The following examples illustrate how MyProxy regular  expressions  are
647       converted to POSIX EREs:
648
649            [ MyProxy regex ]     =>    [ POSIX ERE ]
650         ------------------------------------------------------------
651         "*/CN=Jim Basney"        => "^(.*/CN=Jim Basney)$"
652         "*/CN=Test User ?"       => "^(.*/CN=Test User .)$"
653         "*/CN=James A. Basney"   => "^(.*/CN=James A\. Basney)$"
654         "/O=Test/CN=[:alnum:]\*" => "^(/O=Test/CN=[:alnum:]*)$"
655
656         "*/CN=Jim Basney|*/CN=James Basney" =>
657             "^(.*/CN=Jim Basney|.*/CN=James Basney)$"
658
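       The conversion table and the full-match wrapping above, carried out  in
       C  against  the  POSIX regcomp(3)/regexec(3) interface.  This is an il‐
       lustrative example written for this page, not  MyProxy's  own  implemen‐
       tation; the names myproxy_to_ere, dn_matches and ere_equals are invented
       here, and the DNs in main() are constructed.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Append s to out at offset *o, refusing to overflow the buffer. */
static int append(char *out, size_t outlen, size_t *o, const char *s) {
    size_t n = strlen(s);
    if (*o + n >= outlen)
        return -1;
    memcpy(out + *o, s, n);
    *o += n;
    return 0;
}

/* Convert a MyProxy DN regex to a POSIX ERE per the REGULAR EXPRESSIONS
 * table: '*' -> '.*', '?' -> '.', '.' -> '\.', and the escaped '\*', '\?',
 * '\.' become the bare ERE metacharacters.  Any other backslash escape (for
 * example '\(') passes through unchanged, and the result is wrapped in
 * '^(' ... ')$'.  Returns 0 on success, -1 if the result does not fit. */
int myproxy_to_ere(const char *in, char *out, size_t outlen) {
    size_t o = 0;
    char piece[3] = { 0, 0, 0 };
    const char *p, *rep;

    if (append(out, outlen, &o, "^(") != 0)
        return -1;
    for (p = in; *p != '\0'; p++) {
        switch (*p) {
        case '*': rep = ".*";  break;
        case '?': rep = ".";   break;
        case '.': rep = "\\."; break;
        case '\\':
            if (p[1] == '*' || p[1] == '?' || p[1] == '.') {
                piece[0] = p[1]; piece[1] = '\0'; p++;
            } else if (p[1] != '\0') {
                piece[0] = '\\'; piece[1] = p[1]; p++;
            } else {
                piece[0] = '\\'; piece[1] = '\0';  /* trailing '\': regcomp rejects it */
            }
            rep = piece;
            break;
        default:
            piece[0] = *p; piece[1] = '\0';
            rep = piece;
            break;
        }
        if (append(out, outlen, &o, rep) != 0)
            return -1;
    }
    if (append(out, outlen, &o, ")$") != 0)
        return -1;
    out[o] = '\0';
    return 0;
}

/* 1 if dn is authorized by policy, 0 if not, -1 if policy is not a valid ERE. */
int dn_matches(const char *policy, const char *dn) {
    char ere[1024];
    regex_t re;
    int rc;

    if (myproxy_to_ere(policy, ere, sizeof ere) != 0)
        return -1;
    if (regcomp(&re, ere, REG_EXTENDED | REG_NOSUB) != 0)
        return -1;
    rc = regexec(&re, dn, 0, NULL, 0);
    regfree(&re);
    return rc == 0 ? 1 : 0;
}

/* Does policy convert to exactly the ERE string expected? */
int ere_equals(const char *policy, const char *expected) {
    char ere[1024];
    if (myproxy_to_ere(policy, ere, sizeof ere) != 0)
        return 0;
    return strcmp(ere, expected) == 0;
}

int main(void) {
    const char *policy = "*/CN=Jim Basney \\(admin\\)";
    const char *dns[] = {
        "/C=US/O=NCSA/CN=Jim Basney (admin)",          /* full match: authorized */
        "/C=US/O=NCSA/CN=Jim Basney (admin)/CN=extra"  /* extra component: rejected */
    };
    char ere[1024];
    size_t i;

    myproxy_to_ere(policy, ere, sizeof ere);
    printf("%s => %s\n", policy, ere);
    for (i = 0; i < 2; i++)
        printf("  %-48s %s\n", dns[i], dn_matches(policy, dns[i]) == 1 ? "match" : "no match");
    return 0;
}
```

       Two details worth checking in any  policy  you  write:  because  '.'  is
       literal  in  MyProxy  syntax,  "James A. Basney" does not accept "James
       AX Basney", and because of the '^(' ... ')$' wrapping, a pattern  that
       matches a DN does not match that DN with a further component  appended.
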

EXAMPLES

660       The following policy enables all credential repository features.
661
662       accepted_credentials       "*"
663       authorized_retrievers      "*"
664       default_retrievers         "*"
665       authorized_renewers        "*"
666       default_renewers           "none"
667       authorized_key_retrievers  "*"
668       default_key_retrievers     "none"
669       trusted_retrievers         "*"
670       default_trusted_retrievers "none"
671       cert_dir                   /etc/grid-security/certificates
672
673       The  following enables CA functionality using an existing Globus Simple
674       CA configuration.
675
676       authorized_retrievers "*"
677       pam  "sufficient"
678       sasl "sufficient"
679       certificate_issuer_cert /home/globus/.globus/simpleCA/cacert.pem
680       certificate_issuer_key /home/globus/.globus/simpleCA/private/cakey.pem
681       certificate_issuer_key_passphrase "myproxy"
682       certificate_serialfile /home/globus/.globus/simpleCA/serial
683       certificate_mapfile /etc/grid-security/grid-mapfile
684       cert_dir /etc/grid-security/certificates
685

FILES

687       /etc/myproxy-server.config
688              Default location for the server configuration file.
689
690       $GLOBUS_LOCATION/etc/myproxy-server.config
691              Alternate location for the server configuration file.  A differ‐
692              ent  location can be specified by using the myproxy-server(8) -c
693              option.
694
695       $GLOBUS_LOCATION/share/myproxy/myproxy-passphrase-policy
696              A sample program for evaluating passphrase quality for use  with
697              the passphrase_policy_program option.
698
699       $GLOBUS_LOCATION/share/myproxy/myproxy-certificate-mapapp
700              A sample certificate_mapapp program for mapping account names to
701              certificate subject distinguished names.
702
703       $GLOBUS_LOCATION/share/myproxy/myproxy-accepted-credentials-mapapp
704              A sample  accepted_credentials_mapapp  program  for  authorizing
705              puts/stores (e.g. with myproxy-init(1) and myproxy-store(1)).
706

ENVIRONMENT

708       GLOBUS_LOCATION
709              Specifies the root of the MyProxy installation, used to find the
710              default location of the myproxy-server.config file.
711

AUTHORS

713       See http://grid.ncsa.illinois.edu/myproxy/about for the list of MyProxy
714       authors.
715

SEE ALSO

717       myproxy-change-pass-phrase(1),  myproxy-destroy(1),  myproxy-get-trust‐
718       roots(1), myproxy-info(1), myproxy-init(1), myproxy-logon(1),  myproxy-
719       retrieve(1), myproxy-store(1), myproxy-admin-adduser(8), myproxy-admin-
720       change-pass(8),    myproxy-admin-load-credential(8),     myproxy-admin-
721       query(8), myproxy-server(8)
722
723
724
725MyProxy                           2014-07-12          myproxy-server.config(5)