myproxy-server.config(5)             MyProxy            myproxy-server.config(5)

NAME
       myproxy-server.config - myproxy-server configuration file

DESCRIPTION
       The myproxy-server.config file sets the policy for the
       myproxy-server(8), specifying what credentials may be stored in the
       server's repository, who is authorized to retrieve credentials, and
       other configurable server behaviors. By default, the myproxy-server(8)
       looks for this file in /etc/myproxy-server.config and, if it is not
       found there, in $GLOBUS_LOCATION/etc/myproxy-server.config. A template
       is provided at $GLOBUS_LOCATION/share/myproxy/myproxy-server.config.
       The myproxy-server -c option can be used to specify an alternative
       location.

       The following lines set access control policies according to the
       client's certificate subject distinguished name (DN). Note that
       MyProxy uses non-standard regular expressions for distinguished name
       (DN) matching. See the REGULAR EXPRESSIONS section below for details.

       accepted_credentials "DN regex"
              Each of these lines allows any clients whose DNs match the
              given limited regex to connect to the myproxy-server and store
              credentials with it for future retrieval. Any number of these
              lines may appear. For backwards compatibility, these lines can
              also start with allowed_clients instead of
              accepted_credentials. If no accepted_credentials lines are
              specified, the server will not allow any clients to store
              credentials.

       authorized_retrievers "DN regex"
              Each of these lines allows the server administrator to set
              server-wide policies for credential retrievers. If the client
              DN does not match the given limited regex, the client is not
              allowed to retrieve credentials from the server. In addition
              to the server-wide policy, MyProxy also supports a
              per-credential policy: the user can specify the DN regex of
              the allowed retrievers of the credential when uploading it
              (using myproxy-init(1) or myproxy-store(1)). The retrieving
              client's DN must also match the user-specified regex. To
              retrieve credentials, the client also needs to know the
              credential name and passphrase provided by the client that
              stored them. Any number of these lines may appear. For
              backwards compatibility, these lines can also start with
              allowed_services instead of authorized_retrievers. If no
              authorized_retrievers lines are specified, the server will not
              allow any clients to retrieve credentials.

       default_retrievers "DN regex"
              Each of these lines allows the server administrator to set
              server-wide default policies. The regex specifies the clients
              who can access the credentials. The default retriever policy
              is enforced if a per-credential policy is not specified on
              upload (using myproxy-init(1) or myproxy-store(1)). In other
              words, the client can override this policy for a credential
              on upload. The per-credential policy is enforced in addition
              to the server-wide policy specified by the
              authorized_retrievers line (which clients can not override).
              Any number of these lines may be present. For backwards
              compatibility, if no default_retrievers line is specified, the
              default policy is "*", which allows any client to pass the
              per-credential policy check. (The client must still pass the
              authorized_retrievers check.)

       authorized_renewers "DN regex"
              Each of these lines allows the server administrator to set
              server-wide policies for authorized renewers. If the client DN
              does not match the given limited regex, the client is not
              allowed to renew the credentials previously stored by a
              client. See allow_self_authorization below for a further
              restriction on this policy. In addition to the server-wide
              policy, MyProxy also supports a per-credential policy: the
              user can specify the DN regex of the allowed renewers of the
              credential on upload (using myproxy-init(1)). The renewal
              client DN must match both this regex and the user-specified
              regex. In this case, the client must also already have a
              credential with a DN matching the DN of the credentials to be
              retrieved, to be used in a second authorization step (see the
              -a options for myproxy-logon(1) and myproxy-retrieve(1)).

       default_renewers "DN regex"
              Each of these lines allows the server administrator to set
              server-wide default renewer policies. The regex specifies the
              clients who can renew the credentials. The default renewer
              policy is enforced if a per-credential policy is not specified
              on upload (using myproxy-init(1)). This is enforced in
              addition to the server-wide policy specified by the
              authorized_renewers line. Any number of these lines may
              appear. For backwards compatibility, if no default_renewers
              line is specified, the default policy is "*", which allows any
              client to pass the per-credential policy check. (The client
              must still pass the authorized_renewers check.)

       authorized_key_retrievers "DN regex"
              This policy controls who can retrieve credentials
              (certificates and keys) directly from the repository using
              myproxy-retrieve(1). Clients must also match the
              authorized_retrievers policy. If no authorized_key_retrievers
              lines are specified, the server will not allow any clients to
              retrieve keys directly from the repository.

       default_key_retrievers "DN regex"
              This policy applies if a per-credential policy is not
              specified on upload (using myproxy-init(1) or
              myproxy-store(1)). In other words, the client can override
              this policy for a credential on upload. The per-credential
              policy is enforced in addition to the server-wide policy
              specified by the authorized_key_retrievers line (which clients
              can not override). Any number of these lines may be present.
              If no default_key_retrievers line is specified, the default
              policy is "*", which allows any client to pass the
              per-credential policy check. (The client must still pass the
              authorized_key_retrievers check.)

       trusted_retrievers "DN regex"
              This policy controls who can retrieve credentials without
              further authentication. By default, clients that match
              authorized_retrievers must perform additional authentication
              (such as passphrase, PAM, or SASL) to retrieve credentials.
              However, authenticated clients that match both
              authorized_retrievers and trusted_retrievers do not need to
              perform additional authentication, unless the credentials are
              protected by a passphrase, in which case the passphrase is
              still required. Note: The myproxy-server(8) will fail on
              startup or reconfig with an "unsafe policy" error if a policy
              of trusted_retrievers "*" is specified without also specifying
              a restrictive default_trusted_retrievers policy, to avoid an
              unsafe policy that would release credentials to all clients
              without additional authentication. See also
              allow_self_authorization below for a further restriction on
              this policy.

       default_trusted_retrievers "DN regex"
              If a user doesn't set a trusted retrieval policy with the
              credential on upload (via 'myproxy-init -Z'), the
              myproxy-server(8) will apply this policy in addition to the
              trusted_retrievers policy. If no default_trusted_retrievers
              policy is set, then only the trusted_retrievers policy is
              applied.

       The following lines in the configuration file set other server
       options.

       passphrase_policy_program full-path-to-script
              This line specifies a program to run whenever a passphrase is
              set or changed, for implementing a local password policy. The
              program is passed the new passphrase via stdin and is passed
              the following arguments: username, distinguished name,
              credential name (if any), per-credential retriever policy (if
              any), and per-credential renewal policy (if any). If the
              passphrase is acceptable, the program should exit with status
              0. Otherwise, it should exit with non-zero status, causing the
              operation in progress (credential load, passphrase change) to
              fail with the error message provided by the program's stdout.
              Note: You must specify the full path to the external program;
              $GLOBUS_LOCATION can't be used in the myproxy-server.config
              file. A sample program is installed in
              $GLOBUS_LOCATION/share/myproxy/myproxy-passphrase-policy but
              is not enabled by default.

              Be sure to follow secure coding practices for this call-out:
              - Don't allow input to overflow fixed-size buffers.
              - Don't pass unchecked input to a shell command.

       cert_dir full-path-to-certificates-directory
              Specifies the path to the CA certificates directory to be
              returned to clients requesting trust roots (such as via the
              myproxy-logon(1) -T option).

       max_proxy_lifetime hours
              This line specifies a server-wide maximum lifetime for
              retrieved proxy credentials. By default, no server-wide
              maximum is enforced. However, if this option is specified,
              the server will limit the lifetime of any retrieved proxy
              credentials to the value given.

       max_cred_lifetime hours
              This line specifies a server-wide maximum lifetime for stored
              credentials. By default, no server-wide maximum is enforced.
              However, if this option is specified, the server will limit
              the lifetime of any stored credentials to the value given.

       ignore_globus_limited_proxy_flag boolean
              By default, MyProxy will respect the policy of "limited" proxy
              certificates as follows. If a client authenticates with a
              limited proxy, the client should only be able to obtain
              another limited proxy, not a full proxy or end entity
              certificate. Thus, the MyProxy CA will not accept limited
              proxies for authentication. However, if this option is set to
              true, MyProxy will treat limited proxy certificates as if they
              were full proxy certificates.

       allow_self_authorization boolean
              By default, MyProxy will disallow trusted_retrievers and
              authorized_renewers whose DN matches the identity of the
              stored credential, so a proxy by itself can not be refreshed
              or renewed. However, if this option is set to true, this
              restriction is lifted.

       syslog_ident name
              You can optionally specify the string to be prepended to
              every message written to the syslog. If not specified, the
              name defaults to the program name, i.e. myproxy-server.

       syslog_facility name
              By default, the myproxy-server will log to the syslog
              "daemon" facility. With this option you can specify an
              alternate syslog facility, such as "auth", "user",
              "security", or "local0". The facility can also be specified
              numerically as with the logger(1) command.

       request_timeout seconds
              Specifies the maximum time a myproxy-server(8) child process
              should spend servicing a client request before aborting. By
              default, child processes will abort after 120 seconds. A
              negative value will disable the timeout.

       request_size_limit bytes
              Limits the amount of incoming application-level protocol data
              the myproxy-server(8) will accept from clients, to avoid
              memory exhaustion under heavy load. Specified in bytes.
              Defaults to 1MB (1048576 bytes). A zero or negative value
              disables the limit.

       proxy_extfile full-path-to-extension-file
              Optionally specifies the full path to a file containing an
              OpenSSL formatted set of certificate extensions to include in
              all proxy certificates issued from the MyProxy repository
              (analogous to certificate_extfile for the CA module).

       proxy_extapp full-path-to-extension-callout-program
              This is the call-out version of proxy_extfile. It optionally
              specifies the full path to a call-out program for specifying
              proxy certificate extensions. It will be passed the
              authenticated username and the proxy credential location as
              the two command arguments. On success, it should write the
              OpenSSL formatted set of certificate extensions to stdout and
              exit with zero status. On error, it should write to stderr
              and exit with nonzero status. Either proxy_extfile or
              proxy_extapp can be specified but not both.

              Be sure to follow secure coding practices for this call-out:
              - Don't allow input to overflow fixed-size buffers.
              - Don't pass unchecked input to a shell command.

       voms_userconf full-path-to-voms-configuration-file
              Optionally specifies the full path to the VOMS configuration
              file containing VOMS server information. It is usually
              specified in the environment variable VOMS_USERCONF.

       allow_voms_attribute_requests boolean
              If this parameter is set to true and a GET request includes
              VONAME and (optionally) VOMSES parameters, call out to VOMS
              to add the requested attributes to the issued certificate.
              Requires linking with VOMS libraries. By default, VONAME and
              VOMSES parameters in requests will be ignored unless this
              parameter is set to true.

       The MyProxy server can be optionally configured for authentication
       based on Pluggable Authentication Modules (PAM) and/or the Simple
       Authentication and Security Layer (SASL). Kerberos is one of the
       supported SASL authentication methods. The following options control
       the use of PAM and SASL.

       pam option
              This line governs the use of PAM to check passphrases.
              MyProxy will attempt to authenticate via PAM with the supplied
              username and passphrase. Note that PAM will need to be
              configured externally for the application "myproxy" (usually
              in /etc/pam.d/), or for the application named by pam_id,
              below. Accepted values:

              required
                     PAM password authentication is required under all
                     conditions. If the credential is unencrypted (that
                     is, it has no passphrase), a PAM password check is
                     still required for authentication. If the credential
                     is encrypted, its passphrase must match the PAM
                     password.

              sufficient
                     The user's passphrase may match either the credential
                     passphrase or, if the credential is unencrypted, the
                     PAM passphrase. If the credential is encrypted, then
                     the PAM password is not relevant.

              disabled (default)
                     PAM is not used to check passphrases.

       pam_id string
              The name that MyProxy uses to identify itself to PAM. Default
              is "myproxy". For example, on most Unix-like systems, if
              pam_id is set to "login", MyProxy will authenticate against
              the system's own usernames and passwords.

       sasl option
              This line governs the use of SASL authentication. Accepted
              values:

              required
                     SASL authentication is required for retrieving
                     credentials.

              sufficient
                     SASL authentication is sufficient for retrieving
                     credentials, but other authentication methods may be
                     used instead.

              disabled (default)
                     SASL authentication isn't used.

       sasl_mech mechanism
              Forces the use of a single SASL mechanism, overriding the
              SASL configuration file. (Typically not required.)

       sasl_serverFQDN hostname
              Configures the SASL server fully-qualified domain name for
              multi-homed servers. (Typically not required.)

       sasl_user_realm realm
              Configures the SASL user realm. (Typically not required.)

       The MyProxy server can also be configured to act as a Certificate
       Authority (CA) to issue credentials to clients. The following
       parameters enable and configure the CA functionality.

       certificate_issuer_cert full-path-to-certificate
              This line specifies the full path to the issuer certificate
              to optionally configure the myproxy-server to act as an
              online certificate authority.

       certificate_issuer_key full-path-to-key
              When specifying certificate_issuer_cert above, you must also
              give the name of the CA private key for signing certificates.
              This is normally the path to a CA private key in PEM format,
              but if you are using an OpenSSL engine (see
              certificate_openssl_engine_id) then it can be the key name.

       certificate_issuer_key_passphrase "passphrase"
              If the certificate_issuer_key is encrypted, give the
              passphrase here.

       certificate_issuer_subca_certfile full-path-to-subca-certificate-file
              If you would like an intermediate/sub-CA certificate chain to
              be sent along with the EEC (End Entity Certificate) generated
              using a local intermediate/sub-CA, specify the file that
              contains those certificates in PEM format. This is meant to
              aid scenarios where the CA used is an intermediate CA (i.e.
              not a root CA) and the client may not have the intermediate
              CA(s) in its trust store. The client will write out the chain
              into the same file as the EEC, following the EEC.

       certificate_issuer_hashalg algorithm
              Specifies the hash algorithm to use when signing end-entity
              certificates. Defaults to "sha256".

       certificate_issuer_email_domain "domain"
              If set, specifies the domain part of the X509v3 Subject
              Alternative Name email address included in issued
              certificates.

       certificate_openssl_engine_id engineId

       certificate_openssl_engine_pre pre-initialization-commands

       certificate_openssl_engine_post post-initialization-commands
              These commands can be used to allow any OpenSSL engine to be
              used with MyProxy. This enables the use of hardware tokens
              and signing modules to sign certificates. Given the
              parameters of an OpenSSL "engine" command, the first argument
              (the identity of the engine) becomes the argument to
              certificate_openssl_engine_id, the -pre commands are listed
              in order using certificate_openssl_engine_pre, and the -post
              commands are listed in order using
              certificate_openssl_engine_post. For example, the command
              line:

                     openssl engine dynamic -pre
                     SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre
                     LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/opensc-pksc11.so

              becomes:

                     certificate_openssl_engine_id "dynamic"

                     certificate_openssl_engine_pre
                     "SO_PATH:/usr/lib/engines/engine_pkcs11.so" "ID:pkcs11"
                     "LIST_ADD:1" "LOAD" "MODULE_PATH:/usr/lib/opensc-pksc11.so"

              Please note that any shared library engines loaded through
              the "dynamic" engine MUST be compiled against the correct
              version of OpenSSL.

       certificate_openssl_engine_lockfile full-path-to-file
              If your hardware token or HSM is unable to handle
              simultaneous operations, provide a path to a lockfile for
              synchronizing operations to the engine device. The
              myproxy-server will create the file if it does not already
              exist.

       certificate_issuer_program full-path-to-script
              This line specifies the path to a program to issue
              certificates for authenticated clients that don't have
              credentials stored. This optionally configures the
              myproxy-server to act as an online certificate authority,
              allowing programmatic control over the certificate issuance
              process. You can specify either certificate_issuer_cert or
              certificate_issuer_program, but not both.

              Be sure to follow secure coding practices for this call-out:
              - Don't allow input to overflow fixed-size buffers.
              - Don't pass unchecked input to a shell command.

       certificate_serialfile full-path-to-serial-file
              Specifies the path to a file to store the serial number
              counter for issued certificates. Defaults to
              /var/lib/myproxy/serial.

       certificate_serial_skip increment
              Specifies the number to add to the serial number each time a
              certificate is issued. Use this to stagger serial numbers
              across multiple CA instances to avoid serial number clashes.
              Defaults to 1.

       certificate_out_dir full-path-to-output-directory
              Specifies the path to a directory where new certificates will
              be archived.

       max_cert_lifetime hours
              Specifies the maximum lifetime (in hours) for certificates
              issued by the CA module. Defaults to 12 hours.

       min_keylen bits
              Specifies the minimum RSA key length (in bits) for
              certificates issued by the CA module.

       certificate_extfile full-path-to-extension-file
              Optionally specifies the full path to a file containing an
              OpenSSL formatted set of certificate extensions to include in
              all issued certificates. For example:

                     keyUsage=digitalSignature,keyEncipherment,dataEncipherment
                     subjectKeyIdentifier=hash
                     authorityKeyIdentifier=keyid,issuer:always
                     crlDistributionPoints=URI:http://ca.ncsa.uiuc.edu/4a6cd8b1.r0
                     basicConstraints=CA:FALSE

              If not set, the MyProxy CA will include a basic set of
              extensions in issued certificates.

       certificate_extapp full-path-to-extension-callout-program
              This is the call-out version of certificate_extfile. It
              optionally specifies the full path to a call-out program for
              specifying certificate extensions. It will be passed the
              authenticated username as the single command argument. On
              success, it should write the OpenSSL formatted set of
              certificate extensions to stdout and exit with zero status.
              On error, it should write to stderr and exit with nonzero
              status. Either certificate_extfile or certificate_extapp can
              be specified but not both.

              Be sure to follow secure coding practices for this call-out:
              - Don't allow input to overflow fixed-size buffers.
              - Don't pass unchecked input to a shell command.

       certificate_mapfile full-path-to-mapfile
              When specifying certificate_issuer_cert above, you can map
              account names to certificate subject distinguished names for
              the issued certificates using this mapfile, which has the
              same format as used by other Grid Community Toolkit services.
              By default, /etc/grid-security/grid-mapfile is used. The Grid
              Community Toolkit grid-mapfile-add-entry and
              grid-mapfile-delete-entry commands can be used to manage the
              grid-mapfile.

       certificate_mapapp full-path-to-mapapp
              When specifying certificate_issuer_cert above, you can map
              account names to certificate subject distinguished names for
              the issued certificates using this call-out. It will be
              passed the authenticated username as the single command
              argument. On success, it should write the distinguished name
              in OpenSSL one line format (for example, "/C=US/O=National
              Computational Science Alliance/CN=Jim Basney") to stdout and
              exit with zero status. On error, it should write to stderr
              and exit with nonzero status. If it is not defined, then
              mapfile lookup will be executed instead (see
              certificate_mapfile above). An example is installed in
              $GLOBUS_LOCATION/share/myproxy/myproxy-certificate-mapapp.

              Be sure to follow secure coding practices for this call-out:
              - Don't allow input to overflow fixed-size buffers.
              - Don't pass unchecked input to a shell command.

       certificate_request_checker full-path-to-callout-program
              This CA call-out can be used to perform checks on incoming
              certificate requests. It will be passed the certificate
              request in PEM format on stdin. If it returns a nonzero exit
              status, the CA will abort without signing the request. When
              returning a nonzero exit status, the callout should indicate
              the problem on stderr. An example is installed in
              $GLOBUS_LOCATION/share/myproxy/myproxy-certreq-checker.

       certificate_issuer_checker full-path-to-callout-program
              This CA call-out can be used to perform checks on issued
              certificates before the certificate is returned to the
              client. It will be passed the certificate in PEM format on
              stdin. If it returns a nonzero exit status, the CA will abort
              without returning the signed certificate to the client. When
              returning a nonzero exit status, the callout should indicate
              the problem on stderr. An example is installed in
              $GLOBUS_LOCATION/share/myproxy/myproxy-cert-checker.

       If OpenLDAP support is built in to the myproxy-server(8), the
       following parameters can be used to configure the CA module to map
       account names to certificate subject distinguished names via LDAP.

       ca_ldap_server "ldap://localhost:389/"
              This parameter specifies the URI of the LDAP server to use
              for username to DN resolution in the CA module. Both ldap://
              and ldaps:// protocols are supported. A port number may
              optionally be specified as well. Defining this directive is
              the "trigger" that causes the name resolution module to use
              LDAP querying. If it is not defined, then mapfile lookup will
              be executed instead (see certificate_mapfile above).

       ca_ldap_uid_attribute "uid"
              The name of the record attribute that maps to the MyProxy
              username. Required for LDAP username to DN resolution.

       ca_ldap_searchbase "ou=people,dc=bullwinkle,dc=lbl,dc=gov"
              The DN of the region of the LDAP database to be searched.
              Required for LDAP username to DN resolution.

       ca_ldap_dn_attribute "subjectDN"
              If this directive is set, the LDAP resolver will pull the DN
              from the specified attribute in the returned record. If it
              is not set, the default is to use the DN of the record
              itself.

       ca_ldap_connect_dn "cn=MyProxy,ou=ldapusers,dc=lbl,dc=gov"
              DN for LDAP basic authentication (optional).

       ca_ldap_connect_passphrase "passphrase"
              Passphrase for LDAP basic authentication (optional).

       The following parameters control server replication with the
       myproxy-replicate(1) utility.

       slave_servers server:port;
              This value is for use with the myproxy-replicate(1) utility.
              This tag provides a list of servers that will be used as
              secondary repositories for the MyProxy database. Each server
              should be separated by a ";". Also, a port may be provided if
              the slave server is using a port other than the default. The
              server name may be a recognized DNS name or an IP address.

       The following parameters are used primarily when utilizing MyProxy
       as a delegation service for web portals.

       accepted_credentials_mapfile full-path-to-mapfile
              This parameter points to a grid-mapfile, which is possibly
              different from other mapfiles above. When specified, this
              mapfile is utilized during puts/stores (e.g. with
              myproxy-init(1) and myproxy-store(1)). A credential is
              authorized to be put/stored only under the username specified
              in the mapfile. This prevents storing a user's credential
              under a different username. Note that the credential checked
              for the presence of a SubjectDN/Username entry in the mapfile
              is the credential utilized to secure the connection between
              client and server, NOT the actual credential being stored. As
              the credential which secures the TLS connection is typically
              the same as the credential being stored, this should not be a
              major issue. The Grid Community Toolkit
              grid-mapfile-add-entry and grid-mapfile-delete-entry commands
              can be used to manage the grid-mapfile.

       accepted_credentials_mapapp full-path-to-mapapp
              As an alternative to the accepted_credentials_mapfile option
              above, you can specify a call-out which is passed two
              parameters: a certificate subject distinguished name and a
              username (in that order). In essence, the call-out performs a
              lookup in a 'virtual' accepted_credentials_mapfile. If the
              SubjectDN/Username line would appear in such a mapfile, then
              the call-out should exit with zero status, indicating that a
              credential with the given SubjectDN is allowed to be stored
              under the given Username. Otherwise, the call-out should exit
              with nonzero status, indicating error. An example is
              installed in
              $GLOBUS_LOCATION/share/myproxy/myproxy-accepted-credentials-mapapp.

              Be sure to follow secure coding practices for this call-out:
              - Don't allow input to overflow fixed-size buffers.
              - Don't pass unchecked input to a shell command.
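
       The following is an added example, not MyProxy's own
       myproxy-certificate-mapapp or myproxy-accepted-credentials-mapapp,
       showing one grid-mapfile parser serving both mapping call-outs
       described above: called with a single username it behaves as a
       certificate_mapapp (prints the DN in OpenSSL one line format, exit 0),
       and called with a DN and a username it behaves as an
       accepted_credentials_mapapp (exit 0 only if that SubjectDN/Username
       pair is mapped). The grid-mapfile syntax assumed here is the Grid
       Community Toolkit form of a double-quoted DN followed by a
       comma-separated list of usernames; the mapfile content is constructed
       for the example. Malformed lines are skipped so that the call-out
       fails closed rather than mapping a DN to the wrong account.

```python
#!/usr/bin/env python3
"""Added example: one grid-mapfile parser behind two myproxy-server call-outs.

  certificate_mapapp           argv: <username>       -> prints DN, exit 0
  accepted_credentials_mapapp  argv: <DN> <username>  -> exit 0 if mapped

Assumed grid-mapfile syntax (Grid Community Toolkit format):
  "<subject DN in OpenSSL one line form>" user1,user2
with '#' comment lines. SAMPLE_MAPFILE below is constructed for the example.
"""
import shlex
import sys

SAMPLE_MAPFILE = """\
# constructed sample grid-mapfile
"/C=US/O=Example Org/CN=Alice Example" alice
"/C=US/O=Example Org/CN=Bob Builder" bob,builder
"/C=US/O=Example Org/CN=Service Account" svc
"""


def parse_mapfile(text):
    """Return a list of (dn, [usernames]); blank, comment and malformed
    lines are skipped, never guessed at (fail closed)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            fields = shlex.split(line)  # handles the double-quoted DN
        except ValueError:
            continue  # unbalanced quotes
        if len(fields) != 2 or not fields[0].startswith("/"):
            continue
        users = [u for u in fields[1].split(",") if u]
        if users:
            entries.append((fields[0], users))
    return entries


def dn_for_username(entries, username):
    """certificate_mapapp lookup: first DN mapped to this username, or None."""
    for dn, users in entries:
        if username in users:
            return dn
    return None


def is_store_allowed(entries, dn, username):
    """accepted_credentials_mapapp lookup: is the (DN, username) pair mapped?"""
    return any(dn == d and username in users for d, users in entries)


def main(argv):
    """Dispatch on argument count; returns the process exit status.
    No shell is ever invoked, so untrusted DNs/usernames stay plain data."""
    entries = parse_mapfile(SAMPLE_MAPFILE)  # a real call-out reads a file
    if len(argv) == 1:  # certificate_mapapp contract
        dn = dn_for_username(entries, argv[0])
        if dn is None:
            sys.stderr.write("no mapping for user %r\n" % argv[0])
            return 1
        print(dn)
        return 0
    if len(argv) == 2:  # accepted_credentials_mapapp contract
        if is_store_allowed(entries, argv[0], argv[1]):
            return 0
        sys.stderr.write("credential %r may not be stored as %r\n" % (argv[0], argv[1]))
        return 1
    sys.stderr.write("usage: <username> | <DN> <username>\n")
    return 2


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

       Because the server only inspects the exit status (and stdout for the
       certificate_mapapp case), diagnostics go to stderr, as the contract
       requires.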

       check_multiple_credentials boolean
              Typically, when a credential is accessed by a client, the
              server checks only one credential for possible access
              authorization, even if there are multiple credentials stored
              under the given username. If this option is set to "true"
              AND the client does not specify a credential name for a
              MyProxy GET operation (i.e., from myproxy-logon(1)), then the
              server will check multiple credentials with the given
              username. If a credential is found to be authorized for
              client access, then that one will be used during processing.
              The default value for this option is "false".

       The following parameters enable OCSP status checking of stored
       credentials in the myproxy-server(8) repository, to avoid use of
       expired credentials.

       ocsp_policy policy
              Controls the policy for checking certificate validity via
              OCSP before credentials may be delegated. Currently, only the
              status of the end entity certificate is checked via OCSP (and
              not any proxy certificates or CA certificates). OCSP will not
              be used unless ocsp_responder_url and/or ocsp_policy are set.
              Supported policies are:

              "aia" - use the OCSP responder in the certificate's AIA
                      extension, if present; otherwise use
                      ocsp_responder_url, if set

       ocsp_responder_url URL
              Specifies the URL of an OCSP responder to use to check the
              validity of credentials stored in the myproxy-server
              repository before they may be delegated, so that revoked
              credentials can not be retrieved and used where their
              revocation status may not be checked. Currently, only the
              status of the end entity certificate is checked via OCSP (and
              not any proxy certificates or CA certificates). In any case,
              CRL checks are always performed. Both http and https URLs are
              supported. OCSP will not be used unless ocsp_responder_url
              and/or ocsp_policy are set.

       ocsp_responder_cert path
              Specifies the path to the certificate of a trusted OCSP
              responder. This is needed if the OCSP responder must be
              explicitly trusted in cases where standard path validation
              fails for the OCSP responder's certificate.

REGULAR EXPRESSIONS
       For matching distinguished names (DNs) in access control policies,
       MyProxy uses POSIX Extended Regular Expressions (see re_format(7)),
       with custom processing of the '*', '?', and '.' metacharacters to
       simulate Unix shell style wildcard processing (for backward
       compatibility and other historical reasons). MyProxy's custom regular
       expressions are converted to POSIX EREs according to the following
       rules:

              [ MyProxy regex ] => [ POSIX ERE ]
              ----------------------------------
              '*'               => '.*'
              '?'               => '.'
              '.'               => '\.'
              '\*'              => '*'
              '\?'              => '?'
              '\.'              => '.'

       Additionally, MyProxy wraps all regular expressions inside '^(' and
       ')$' to require full DN matching.

       Be aware that parentheses are metacharacters according to POSIX, so
       escaping is required for literal matching. For example:

              "*/CN=Jim Basney \(admin\)"

       The following examples illustrate how MyProxy regular expressions are
       converted to POSIX EREs:

              [ MyProxy regex ]         => [ POSIX ERE ]
              ------------------------------------------------------------
              "*/CN=Jim Basney"         => "^(.*/CN=Jim Basney)$"
              "*/CN=Test User ?"        => "^(.*/CN=Test User .)$"
              "*/CN=James A. Basney"    => "^(.*/CN=James A\. Basney)$"
              "/O=Test/CN=[:alnum:]\*"  => "^(/O=Test/CN=[:alnum:]*)$"

              "*/CN=Jim Basney|*/CN=James Basney" =>
              "^(.*/CN=Jim Basney|.*/CN=James Basney)$"
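
       The following is an added example, not code from MyProxy itself,
       that implements the conversion table above and then uses it to
       evaluate the layered retrieval policy described under
       authorized_retrievers and default_retrievers: the client DN must
       match a server-wide authorized_retrievers line, and additionally the
       per-credential policy set on upload, or the default_retrievers policy
       when none was set. Python's re module stands in for the POSIX ERE
       engine here; it agrees with POSIX on everything in the table except
       POSIX bracket classes such as [:alnum:], which Python does not
       support, so that pattern is only converted, not matched. Treating
       several policy lines as "match any line" and passing unlisted
       backslash escapes through unchanged are this example's assumptions.
       The example also shows why the EXAMPLES section can use "none" to
       disable a default policy: after conversion it is the literal ERE
       ^(none)$, which no real DN matches.

```python
"""Added example: MyProxy DN-regex to POSIX ERE conversion and the layered
retrieval policy check. Not MyProxy's own code; Python's re stands in for
the POSIX ERE engine, and unlisted backslash escapes (e.g. \( ) are passed
through unchanged, which is this example's assumption."""
import re


def myproxy_regex_to_ere(pattern):
    """Apply the myproxy-server.config(5) conversion table and wrap in ^( )$."""
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            if nxt in "*?.":
                out.append(nxt)        # '\*' -> '*', '\?' -> '?', '\.' -> '.'
            else:
                out.append(c + nxt)    # other escapes (e.g. '\(') unchanged
            i += 2
            continue
        if c == "*":
            out.append(".*")           # shell-style wildcard
        elif c == "?":
            out.append(".")            # single-character wildcard
        elif c == ".":
            out.append("\\.")          # literal dot
        else:
            out.append(c)
        i += 1
    return "^(" + "".join(out) + ")$"


def dn_matches(policy, dn):
    """True if the whole DN matches the MyProxy policy regex."""
    return re.match(myproxy_regex_to_ere(policy), dn) is not None


def any_line_matches(lines, dn):
    """Assumption: with several policy lines, matching any one suffices."""
    return any(dn_matches(line, dn) for line in lines)


def retrieval_allowed(client_dn, authorized_retrievers,
                      per_credential_policy=None, default_retrievers=("*",)):
    """Layered check from the DESCRIPTION section:
    1. server-wide authorized_retrievers (clients cannot override), then
    2. the per-credential policy given on upload, or default_retrievers
       when the uploader set none."""
    if not any_line_matches(authorized_retrievers, client_dn):
        return False
    if per_credential_policy is not None:
        return dn_matches(per_credential_policy, client_dn)
    return any_line_matches(default_retrievers, client_dn)


if __name__ == "__main__":
    for p in ("*/CN=Jim Basney", "*/CN=Test User ?", "*/CN=James A. Basney",
              "/O=Test/CN=[:alnum:]\\*", "*/CN=Jim Basney|*/CN=James Basney"):
        print("%-40s => %s" % ('"%s"' % p, '"%s"' % myproxy_regex_to_ere(p)))
    # constructed DNs for the policy walk-through
    print(retrieval_allowed("/C=US/O=NCSA/CN=portal", ["*/O=NCSA/*"]))
    print(retrieval_allowed("/C=US/O=NCSA/CN=portal", ["*"], None, ["none"]))
```

       A retriever that is denied by the server-wide line stays denied no
       matter what the uploader chose, while default_retrievers "none" only
       bites for credentials whose uploader set no per-credential policy.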

EXAMPLES
       The following policy enables all credential repository features.

              accepted_credentials "*"
              authorized_retrievers "*"
              default_retrievers "*"
              authorized_renewers "*"
              default_renewers "none"
              authorized_key_retrievers "*"
              default_key_retrievers "none"
              trusted_retrievers "*"
              default_trusted_retrievers "none"
              cert_dir /etc/grid-security/certificates

       The following enables CA functionality using an existing Globus
       Simple CA configuration.

              authorized_retrievers "*"
              pam "sufficient"
              sasl "sufficient"
              certificate_issuer_cert /home/globus/.globus/simpleCA/cacert.pem
              certificate_issuer_key /home/globus/.globus/simpleCA/private/cakey.pem
              certificate_issuer_key_passphrase "myproxy"
              certificate_serialfile /home/globus/.globus/simpleCA/serial
              certificate_mapfile /etc/grid-security/grid-mapfile
              cert_dir /etc/grid-security/certificates

FILES
       /etc/myproxy-server.config
              Default location for the server configuration file.

       $GLOBUS_LOCATION/etc/myproxy-server.config
              Alternate location for the server configuration file. A
              different location can be specified by using the
              myproxy-server(8) -c option.

       $GLOBUS_LOCATION/share/myproxy/myproxy-passphrase-policy
              A sample program for evaluating passphrase quality for use
              with the passphrase_policy_program option.

       $GLOBUS_LOCATION/share/myproxy/myproxy-certificate-mapapp
              A sample certificate_mapapp program for mapping account names
              to certificate subject distinguished names.

       $GLOBUS_LOCATION/share/myproxy/myproxy-accepted-credentials-mapapp
              A sample accepted_credentials_mapapp program for authorizing
              puts/stores (e.g. with myproxy-init(1) and myproxy-store(1)).

ENVIRONMENT
       GLOBUS_LOCATION
              Specifies the root of the MyProxy installation, used to find
              the default location of the myproxy-server.config file.

AUTHORS
       See http://grid.ncsa.illinois.edu/myproxy/about for the list of
       MyProxy authors.

SEE ALSO
       myproxy-change-pass-phrase(1), myproxy-destroy(1),
       myproxy-get-trustroots(1), myproxy-info(1), myproxy-init(1),
       myproxy-logon(1), myproxy-retrieve(1), myproxy-store(1),
       myproxy-admin-adduser(8), myproxy-admin-change-pass(8),
       myproxy-admin-load-credential(8), myproxy-admin-query(8),
       myproxy-server(8)



MyProxy                            2014-07-12           myproxy-server.config(5)