myproxy-server.config(5)             MyProxy             myproxy-server.config(5)

NAME
       myproxy-server.config - myproxy-server configuration file

DESCRIPTION
       The myproxy-server.config file sets the policy for the
       myproxy-server(8), specifying what credentials may be stored in the
       server's repository, who is authorized to retrieve credentials, and
       other configurable server behaviors. By default, the
       myproxy-server(8) looks for this file in /etc/myproxy-server.config
       and, if it is not found there, in
       $GLOBUS_LOCATION/etc/myproxy-server.config. A template is provided
       at $GLOBUS_LOCATION/share/myproxy/myproxy-server.config. The
       myproxy-server -c option can be used to specify an alternative
       location.

       The following lines set access control policies according to the
       client's certificate subject distinguished name (DN). Note that
       MyProxy uses non-standard regular expressions for distinguished name
       (DN) matching. See the REGULAR EXPRESSIONS section below for
       details.

       accepted_credentials "DN regex"
              Each of these lines allows any clients whose DNs match the
              given limited regex to connect to the myproxy-server and
              store credentials with it for future retrieval. Any number
              of these lines may appear. For backwards compatibility,
              these lines can also start with allowed_clients instead of
              accepted_credentials. If no accepted_credentials lines are
              specified, the server will not allow any clients to store
              credentials.

       authorized_retrievers "DN regex"
              Each of these lines allows the server administrator to set
              server-wide policies for credential retrievers. If the
              client DN does not match the given limited regex, the client
              is not allowed to retrieve credentials from the server. In
              addition to the server-wide policy, myproxy also provides
              support for per-credential policy. The user can specify the
              regex DN of the allowed retrievers of the credential when
              uploading the credential (using myproxy-init(1) or
              myproxy-store(1)). The retrieval client DN must also match
              the user-specified regex. To retrieve credentials, the
              client also needs to know the credential name and passphrase
              provided when the credentials were stored. Any number of
              these lines may appear. For backwards compatibility, these
              lines can also start with allowed_services instead of
              authorized_retrievers. If no authorized_retrievers lines are
              specified, the server will not allow any clients to retrieve
              credentials.

       default_retrievers "DN regex"
              Each of these lines allows the server administrator to set
              server-wide default policies. The regex specifies the
              clients who can access the credentials. The default
              retriever policy is enforced if a per-credential policy is
              not specified on upload (using myproxy-init(1) or
              myproxy-store(1)). In other words, the client can override
              this policy for a credential on upload. The per-credential
              policy is enforced in addition to the server-wide policy
              specified by the authorized_retrievers line (which clients
              can not override). Any number of these lines may be
              present. For backwards compatibility, if no
              default_retrievers line is specified, the default policy is
              "*", which allows any client to pass the per-credential
              policy check. (The client must still pass the
              authorized_retrievers check.)

       authorized_renewers "DN regex"
              Each of these lines allows the server administrator to set
              server-wide policies for authorized renewers. If the client
              DN does not match the given limited regex, the client is not
              allowed to renew the credentials previously stored by a
              client. See allow_self_authorization below for a further
              restriction on this policy. In addition to the server-wide
              policy, myproxy also provides support for per-credential
              policy. The user can specify the regex DN of the allowed
              renewers of the credential on upload (using
              myproxy-init(1)). The renewal client DN must match both this
              regex and the user-specified regex. In this case, the client
              must also already have a credential with a DN matching the
              DN of the credentials to be retrieved, to be used in a
              second authorization step (see the -a options for
              myproxy-logon(1) and myproxy-retrieve(1)).

       default_renewers "DN regex"
              Each of these lines allows the server administrator to set
              server-wide default renewer policies. The regex specifies
              the clients who can renew the credentials. The default
              renewer policy is enforced if a per-credential policy is not
              specified on upload (using myproxy-init(1)). This is
              enforced in addition to the server-wide policy specified by
              the authorized_renewers line. Any number of these lines may
              appear. For backwards compatibility, if no default_renewers
              line is specified, the default policy is "*", which allows
              any client to pass the per-credential policy check. (The
              client must still pass the authorized_renewers check.)

       authorized_key_retrievers "DN regex"
              This policy controls who can retrieve credentials
              (certificates and keys) directly from the repository using
              myproxy-retrieve(1). Clients must also match the
              authorized_retrievers policy. If no
              authorized_key_retrievers lines are specified, the server
              will not allow any clients to retrieve keys directly from
              the repository.

       default_key_retrievers "DN regex"
              This policy applies if a per-credential policy is not
              specified on upload (using myproxy-init(1) or
              myproxy-store(1)). In other words, the client can override
              this policy for a credential on upload. The per-credential
              policy is enforced in addition to the server-wide policy
              specified by the authorized_key_retrievers line (which
              clients can not override). Any number of these lines may be
              present. If no default_key_retrievers line is specified,
              the default policy is "*", which allows any client to pass
              the per-credential policy check. (The client must still
              pass the authorized_key_retrievers check.)

       trusted_retrievers "DN regex"
              This policy controls who can retrieve credentials without
              further authentication. By default, clients that match
              authorized_retrievers must perform additional authentication
              (such as passphrase, PAM, or SASL) to retrieve credentials.
              However, authenticated clients that match both
              authorized_retrievers and trusted_retrievers do not need to
              perform additional authentication, unless the credentials
              are protected by a passphrase, in which case the passphrase
              is still required. Note: The myproxy-server(8) will fail on
              startup or reconfig with an "unsafe policy" error if a
              policy of trusted_retrievers "*" is specified without also
              specifying a restrictive default_trusted_retrievers policy,
              to avoid an unsafe policy that would release credentials to
              all clients without additional authentication. See also
              allow_self_authorization below for a further restriction on
              this policy.

       default_trusted_retrievers "DN regex"
              If a user doesn't set a trusted retrieval policy with the
              credential on upload (via 'myproxy-init -Z'), the
              myproxy-server(8) will apply this policy in addition to the
              trusted_retrievers policy. If no default_trusted_retrievers
              policy is set, then only the trusted_retrievers policy is
              applied.

       The following lines in the configuration file set other server
       options.

       passphrase_policy_program full-path-to-script
              This line specifies a program to run whenever a passphrase
              is set or changed, for implementing a local password policy.
              The program is passed the new passphrase via stdin and is
              passed the following arguments: username, distinguished
              name, credential name (if any), per-credential retriever
              policy (if any), and per-credential renewal policy (if any).
              If the passphrase is acceptable, the program should exit
              with status 0. Otherwise, it should exit with non-zero
              status, causing the operation in progress (credential load,
              passphrase change) to fail with the error message provided
              by the program's stdout. Note: You must specify the full
              path to the external program. $GLOBUS_LOCATION can't be used
              in the myproxy-server.config file. A sample program is
              installed in
              $GLOBUS_LOCATION/share/myproxy/myproxy-passphrase-policy but
              is not enabled by default.

              Be sure to follow secure coding practices for this call-out:
              - Don't allow input to overflow fixed-size buffers.
              - Don't pass unchecked input to a shell command.
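              The following call-out illustrates the passphrase_policy_program
              protocol described above. It is an example written for this
              page, not MyProxy's own myproxy-passphrase-policy sample: it
              reads the passphrase from stdin, takes the username and DN
              from its arguments, prints each violated rule on stdout and
              exits non-zero, so the server relays the reasons to the
              client. The concrete rules (12-character minimum, two
              character classes, no username or subject-name words) are
              assumed local policy values, not anything the page mandates.

```python
#!/usr/bin/env python3
"""Example passphrase_policy_program call-out (illustration, not MyProxy code).

Protocol, as described in myproxy-server.config(5): the new passphrase
arrives on stdin; argv carries username, distinguished name, credential
name, per-credential retriever policy and renewal policy (trailing ones
may be absent).  Exit 0 to accept; otherwise exit non-zero and print the
reason on stdout, which the server passes on to the client.
"""
import re
import sys

MIN_LENGTH = 12            # assumed local policy value
MIN_CHARACTER_CLASSES = 2  # assumed local policy value


def subject_name_words(dn):
    """Words of at least three letters taken from the CN components of an
    OpenSSL one-line DN such as /DC=org/DC=example/CN=Jane Doe."""
    words = []
    for component in dn.split("/"):
        if component.upper().startswith("CN="):
            words.extend(w.lower() for w in re.findall(r"[A-Za-z]{3,}", component[3:]))
    return words


def character_classes(passphrase):
    """Count how many of the classes lower, upper, digit, other are present."""
    present = [
        any(c.islower() for c in passphrase),
        any(c.isupper() for c in passphrase),
        any(c.isdigit() for c in passphrase),
        any(not c.isalnum() for c in passphrase),
    ]
    return sum(present)


def evaluate(passphrase, username, dn):
    """Return the list of violated rules; an empty list means acceptable.
    Messages never echo the passphrase itself."""
    problems = []
    lowered = passphrase.lower()
    if len(passphrase) < MIN_LENGTH:
        problems.append("passphrase is shorter than %d characters" % MIN_LENGTH)
    if username and username.lower() in lowered:
        problems.append("passphrase contains the username")
    if any(word in lowered for word in subject_name_words(dn)):
        problems.append("passphrase contains part of the certificate subject name")
    if character_classes(passphrase) < MIN_CHARACTER_CLASSES:
        problems.append("passphrase uses fewer than %d character classes" % MIN_CHARACTER_CLASSES)
    return problems


def main(argv):
    # The arguments come straight from the server (no shell is involved) and
    # are only ever compared as strings here; nothing is passed to a shell.
    username = argv[1] if len(argv) > 1 else ""
    dn = argv[2] if len(argv) > 2 else ""
    passphrase = sys.stdin.readline().rstrip("\n")
    problems = evaluate(passphrase, username, dn)
    for problem in problems:
        print(problem)  # stdout becomes the client's error message
    return 0 if not problems else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

              Install it with its full path as the passphrase_policy_program
              value; it uses no fixed-size buffers and never invokes a
              shell, which covers both secure coding points listed above.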

       cert_dir full-path-to-certificates-directory
              Specifies the path to the CA certificates directory to be
              returned to clients requesting trust roots (such as via the
              myproxy-logon(1) -T option).

       max_proxy_lifetime hours
              This line specifies a server-wide maximum lifetime for
              retrieved proxy credentials. By default, no server-wide
              maximum is enforced. However, if this option is specified,
              the server will limit the lifetime of any retrieved proxy
              credentials to the value given.

       max_cred_lifetime hours
              This line specifies a server-wide maximum lifetime for
              stored credentials. By default, no server-wide maximum is
              enforced. However, if this option is specified, the server
              will limit the lifetime of any stored credentials to the
              value given.

       ignore_globus_limited_proxy_flag boolean
              By default, MyProxy will respect the policy of "limited"
              proxy certificates as follows. If a client authenticates
              with a limited proxy, the client should only be able to
              obtain another limited proxy, not a full proxy or end entity
              certificate. Thus, the MyProxy CA will not accept limited
              proxies for authentication. However, if this option is set
              to true, MyProxy will treat limited proxy certificates as if
              they were full proxy certificates.

       allow_self_authorization boolean
              By default, MyProxy will disallow trusted_retrievers and
              authorized_renewers whose DN matches the identity of the
              stored credential, so a proxy by itself can not be refreshed
              or renewed. However, if this option is set to true, this
              restriction is lifted.

       syslog_ident name
              You can optionally specify the string to be prepended to
              every message written to the syslog. If not specified, the
              name defaults to the program name, i.e. myproxy-server.

       syslog_facility name
              By default, the myproxy-server will log to the syslog
              "daemon" facility. With this option you can specify an
              alternate syslog facility, such as "auth", "user",
              "security", or "local0". The facility can also be specified
              numerically as with the logger(1) command.

       request_timeout seconds
              Specifies the maximum time a myproxy-server(8) child process
              should spend servicing a client request before aborting. By
              default, child processes will abort after 120 seconds. A
              negative value will disable the timeout.

       request_size_limit bytes
              Limits the amount of incoming application-level protocol
              data the myproxy-server(8) will accept from clients, to
              avoid memory exhaustion under heavy load. Specified in
              bytes. Defaults to 1MB (1048576 bytes). A zero or negative
              value disables the limit.

       proxy_extfile full-path-to-extension-file
              Optionally specifies the full path to a file containing an
              OpenSSL formatted set of certificate extensions to include
              in all proxy certificates issued from the MyProxy repository
              (analogous to certificate_extfile for the CA module).

       proxy_extapp full-path-to-extension-callout-program
              This is the call-out version of proxy_extfile. It optionally
              specifies the full path to a call-out program for specifying
              proxy certificate extensions. It will be passed the
              authenticated username and the proxy credential location as
              the two command arguments. On success, it should write the
              OpenSSL formatted set of certificate extensions to stdout
              and exit with zero status. On error, it should write to
              stderr and exit with nonzero status. Either proxy_extfile or
              proxy_extapp can be specified but not both.

              Be sure to follow secure coding practices for this call-out:
              - Don't allow input to overflow fixed-size buffers.
              - Don't pass unchecked input to a shell command.

       voms_userconf full-path-to-voms-configuration-file
              Optionally specifies the full path to the VOMS configuration
              file containing VOMS server information. It is usually
              specified in the environment variable VOMS_USERCONF.

       allow_voms_attribute_requests boolean
              If this parameter is set to true and a GET request includes
              VONAME and (optionally) VOMSES parameters, call out to VOMS
              to add the requested attributes to the issued certificate.
              Requires linking with VOMS libraries. By default, VONAME and
              VOMSES parameters in requests will be ignored unless this
              parameter is set to true.

       The MyProxy server can be optionally configured for authentication
       based on Pluggable Authentication Modules (PAM) and/or the Simple
       Authentication and Security Layer (SASL). Kerberos is one of the
       supported SASL authentication methods. The following options
       control the use of PAM and SASL.

260
       pam option
              This line governs the use of PAM to check passphrases.
              MyProxy will attempt to authenticate via PAM, with the
              supplied username and passphrase. Note that PAM will need to
              be configured externally for the application "myproxy"
              (usually in /etc/pam.d/), or for the application named by
              pam_id, below. Accepted values:

              required
                     PAM password authentication is required under all
                     conditions. If the credential is unencrypted (that
                     is, it has no passphrase), a PAM password check is
                     still required for authentication. If the credential
                     is encrypted, its passphrase must match the PAM
                     password.

              sufficient
                     The user's passphrase may match either the credential
                     passphrase or, if the credential is unencrypted, the
                     PAM passphrase. If the credential is encrypted, then
                     the PAM password is not relevant.

              disabled (default)
                     PAM is not used to check passphrases.

       pam_id string
              The name that myproxy uses to identify itself to PAM.
              Default is "myproxy". For example, on most Unix-like
              systems, if pam_id is set to "login", MyProxy will
              authenticate against the system's own usernames and
              passwords.

       sasl option
              This line governs the use of SASL authentication. Accepted
              values:

              required
                     SASL authentication is required for retrieving
                     credentials.

              sufficient
                     SASL authentication is sufficient for retrieving
                     credentials, but other authentication methods may be
                     used instead.

              disabled (default)
                     SASL authentication isn't used.

       sasl_mech mechanism
              Forces the use of a single SASL mechanism, overriding the
              SASL configuration file. (Typically not required.)

       sasl_serverFQDN hostname
              Configures the SASL server fully-qualified domain name for
              multi-homed servers. (Typically not required.)

       sasl_user_realm realm
              Configures the SASL user realm. (Typically not required.)

       The MyProxy server can also be configured to act as a Certificate
       Authority (CA) to issue credentials to clients. The following
       parameters enable and configure the CA functionality.

320
       certificate_issuer_cert full-path-to-certificate
              This line specifies the full path to the issuer certificate
              to optionally configure the myproxy-server to act as an
              online certificate authority.

       certificate_issuer_key full-path-to-key
              When specifying certificate_issuer_cert above, you must also
              give the name of the CA private key for signing
              certificates. This is normally the path to a CA private key
              in PEM format, but if you are using an OpenSSL engine (see
              certificate_openssl_engine_id) then it can be the key name.

       certificate_issuer_key_passphrase "passphrase"
              If the certificate_issuer_key is encrypted, give the
              passphrase here.

       certificate_issuer_subca_certfile full-path-to-subca-certificate-file
              If you would like an intermediate/sub-CA certificate chain
              to be sent along with the EEC (End Entity Certificate)
              generated using a local intermediate/sub-CA, specify the
              file that contains those certificates in PEM format. This is
              meant to aid scenarios where the CA used is an intermediate
              CA (i.e. not a root CA) and the client may not have the
              intermediate CA(s) in its trust store. The client will write
              out the chain into the same file as the EEC, following the
              EEC.

       certificate_issuer_hashalg algorithm
              Specifies the hash algorithm to use when signing end-entity
              certificates. Defaults to "sha256".

       certificate_issuer_email_domain "domain"
              If set, specifies the domain part of the X509v3 Subject
              Alternative Name email address included in issued
              certificates.

       certificate_openssl_engine_id engineId

       certificate_openssl_engine_pre pre-initialization-commands

       certificate_openssl_engine_post post-initialization-commands
              These commands can be used to allow any OpenSSL engine to be
              used with MyProxy. This enables the use of hardware tokens
              and signing modules to sign certificates. Given the
              parameters of an OpenSSL "engine" command, the first
              argument, the identity of the engine, becomes the argument
              to certificate_openssl_engine_id; -pre commands are listed
              in order using certificate_openssl_engine_pre, and -post
              commands are listed in order using
              certificate_openssl_engine_post. For example the
              command-line:

              openssl engine dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/opensc-pksc11.so

              becomes:

              certificate_openssl_engine_id "dynamic"

              certificate_openssl_engine_pre "SO_PATH:/usr/lib/engines/engine_pkcs11.so" "ID:pkcs11" "LIST_ADD:1" "LOAD" "MODULE_PATH:/usr/lib/opensc-pksc11.so"

              Please note that any shared library engines loaded through
              the "dynamic" engine MUST be compiled against the correct
              version of OpenSSL.

       certificate_openssl_engine_lockfile full-path-to-file
              If your hardware token or HSM is unable to handle
              simultaneous operations, provide a path to a lockfile for
              synchronizing operations to the engine device. The
              myproxy-server will create the file if it does not already
              exist.

       certificate_issuer_program full-path-to-script
              This line specifies the path to a program to issue
              certificates for authenticated clients that don't have
              credentials stored. This optionally configures the
              myproxy-server to act as an online certificate authority,
              allowing programmatic control over the certificate issuance
              process. You can specify either certificate_issuer_cert or
              certificate_issuer_program, but not both.

              Be sure to follow secure coding practices for this call-out:
              - Don't allow input to overflow fixed-size buffers.
              - Don't pass unchecked input to a shell command.

       certificate_serialfile full-path-to-serial-file
              Specifies the path to a file to store the serial number
              counter for issued certificates. Defaults to
              /var/lib/myproxy/serial.

       certificate_serial_skip increment
              Specifies the number to add to the serial number each time a
              certificate is issued. Use this to stagger serial numbers
              across multiple CA instances to avoid serial number clashes.
              Defaults to 1.

       certificate_out_dir full-path-to-output-directory
              Specifies the path to a directory where new certificates
              will be archived.

       max_cert_lifetime hours
              Specifies the maximum lifetime (in hours) for certificates
              issued by the CA module. Defaults to 12 hours.

       min_keylen bits
              Specifies the minimum RSA key length (in bits) for
              certificates issued by the CA module.

       certificate_extfile full-path-to-extension-file
              Optionally specifies the full path to a file containing an
              OpenSSL formatted set of certificate extensions to include
              in all issued certificates. For example:

              keyUsage=digitalSignature,keyEncipherment,dataEncipherment
              subjectKeyIdentifier=hash
              authorityKeyIdentifier=keyid,issuer:always
              crlDistributionPoints=URI:http://ca.ncsa.uiuc.edu/4a6cd8b1.r0
              basicConstraints=CA:FALSE

              If not set, the MyProxy CA will include a basic set of
              extensions in issued certificates.

       certificate_extapp full-path-to-extension-callout-program
              This is the call-out version of certificate_extfile. It
              optionally specifies the full path to a call-out program for
              specifying certificate extensions. It will be passed the
              authenticated username as the single command argument. On
              success, it should write the OpenSSL formatted set of
              certificate extensions to stdout and exit with zero status.
              On error, it should write to stderr and exit with nonzero
              status. Either certificate_extfile or certificate_extapp can
              be specified but not both.

              Be sure to follow secure coding practices for this call-out:
              - Don't allow input to overflow fixed-size buffers.
              - Don't pass unchecked input to a shell command.

       certificate_mapfile full-path-to-mapfile
              When specifying certificate_issuer_cert above, you can map
              account names to certificate subject distinguished names for
              the issued certificates using this mapfile, which has the
              same format as used by other Grid Community Toolkit
              services. By default, /etc/grid-security/grid-mapfile is
              used. The Grid Community Toolkit grid-mapfile-add-entry and
              grid-mapfile-delete-entry commands can be used to manage the
              grid-mapfile.

       certificate_mapapp full-path-to-mapapp
              When specifying certificate_issuer_cert above, you can map
              account names to certificate subject distinguished names for
              the issued certificates using this call-out. It will be
              passed the authenticated username as the single command
              argument. On success, it should write the distinguished name
              in OpenSSL one line format (for example, "/C=US/O=National
              Computational Science Alliance/CN=Jim Basney") to stdout and
              exit with zero status. On error, it should write to stderr
              and exit with nonzero status. If it is not defined, then
              mapfile lookup will be executed instead (see
              certificate_mapfile above). An example is installed in
              $GLOBUS_LOCATION/share/myproxy/myproxy-certificate-mapapp.

              Be sure to follow secure coding practices for this call-out:
              - Don't allow input to overflow fixed-size buffers.
              - Don't pass unchecked input to a shell command.

       certificate_request_checker full-path-to-callout-program
              This CA call-out can be used to perform checks on incoming
              certificate requests. It will be passed the certificate
              request in PEM format on stdin. If it returns a nonzero exit
              status, the CA will abort without signing the request. When
              returning a nonzero exit status, the callout should indicate
              the problem on stderr. An example is installed in
              $GLOBUS_LOCATION/share/myproxy/myproxy-certreq-checker.

       certificate_issuer_checker full-path-to-callout-program
              This CA call-out can be used to perform checks on issued
              certificates before the certificate is returned to the
              client. It will be passed the certificate in PEM format on
              stdin. If it returns a nonzero exit status, the CA will
              abort without returning the signed certificate to the
              client. When returning a nonzero exit status, the callout
              should indicate the problem on stderr. An example is
              installed in
              $GLOBUS_LOCATION/share/myproxy/myproxy-cert-checker.

       If OpenLDAP support is built into the myproxy-server(8), the
       following parameters can be used to configure the CA module to map
       account names to certificate subject distinguished names via LDAP.

       ca_ldap_server "ldap://localhost:389/"
              This parameter specifies the URI of the LDAP server to use
              for username to DN resolution in the CA module. Both ldap://
              and ldaps:// protocols are supported. A port number may
              optionally be specified as well. Defining this directive is
              the "trigger" that causes the name resolution module to use
              LDAP querying. If it is not defined, then mapfile lookup
              will be executed instead (see certificate_mapfile above).

       ca_ldap_uid_attribute "uid"
              The name of the record attribute that maps to the MyProxy
              username. Required for LDAP username to DN resolution.

       ca_ldap_searchbase "ou=people,dc=bullwinkle,dc=lbl,dc=gov"
              The DN of the region of the LDAP database to be searched.
              Required for LDAP username to DN resolution.

       ca_ldap_dn_attribute "subjectDN"
              If this directive is set, the LDAP resolver will pull the DN
              from the specified attribute in the returned record. If it
              is not set, the default is to use the DN of the record
              itself.

       ca_ldap_connect_dn "cn=MyProxy,ou=ldapusers,dc=lbl,dc=gov"
              DN for LDAP basic authentication (optional).

       ca_ldap_connect_passphrase "passphrase"
              Passphrase for LDAP basic authentication (optional).

       The following parameters control server replication with the
       myproxy-replicate(1) utility.

       slave_servers server:port;
              This value is for use with the myproxy-replicate(1) utility.
              This tag provides a list of servers that will be used as
              secondary repositories for the MyProxy database. Each server
              should be separated by a ";". Also, a port may be provided
              if the slave server is using a port other than the default.
              The server name may be a recognized DNS name or an IP
              address.

       The following parameters are used primarily when utilizing MyProxy
       as a delegation service for web portals.

       accepted_credentials_mapfile full-path-to-mapfile
              This parameter points to a grid-mapfile, which is possibly
              different from other mapfiles above. When specified, this
              mapfile is utilized during puts/stores (e.g. with
              myproxy-init(1) and myproxy-store(1)). A credential is
              authorized to be put/stored only under the username
              specified in the mapfile. This prevents storing a user's
              credential under a different username. Note that the
              credential checked for the presence of a SubjectDN/Username
              entry in the mapfile is the credential utilized to secure
              the connection between client and server, NOT the actual
              credential being stored. As the credential which secures the
              TLS connection is typically the same as the credential being
              stored, this should not be a major issue. The Grid Community
              Toolkit grid-mapfile-add-entry and grid-mapfile-delete-entry
              commands can be used to manage the grid-mapfile.

       accepted_credentials_mapapp full-path-to-mapapp
              As an alternative to the accepted_credentials_mapfile option
              above, you can specify a call-out which is passed two
              parameters: a certificate subject distinguished name and a
              username (in that order). In essence, the call-out performs
              a lookup in a 'virtual' accepted_credentials_mapfile. If the
              SubjectDN/Username line would appear in such a mapfile, then
              the call-out should exit with zero status indicating that a
              credential with the given SubjectDN is allowed to be stored
              under the given Username. Otherwise, the call-out should
              exit with nonzero status indicating error. An example is
              installed in
              $GLOBUS_LOCATION/share/myproxy/myproxy-accepted-credentials-mapapp.

              Be sure to follow secure coding practices for this call-out:
              - Don't allow input to overflow fixed-size buffers.
              - Don't pass unchecked input to a shell command.
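              The following program illustrates both mapfile-backed
              call-outs described above: given a DN and a username it
              answers the accepted_credentials_mapapp question (may this
              DN store under this username?), and its dn_for_username
              function answers the certificate_mapapp question (which DN
              does this account map to?). It is an example written for
              this page, not the myproxy-accepted-credentials-mapapp or
              myproxy-certificate-mapapp samples shipped with MyProxy.
              The grid-mapfile line format it parses (a double-quoted DN
              followed by comma-separated usernames) is the one used by
              grid-mapfile-add-entry; the embedded mapfile contents are
              constructed for the demonstration, and returning the first
              matching DN for an account with several is this example's
              own choice.

```python
#!/usr/bin/env python3
"""Example accepted_credentials_mapapp / certificate_mapapp call-out
(illustration for myproxy-server.config(5), not MyProxy's sample programs).

Grid-mapfile lines look like
    "/DC=org/DC=example/CN=Jane Doe" jdoe,jane
i.e. a double-quoted subject DN followed by one or more comma-separated
local usernames.  Lines beginning with '#' and blank lines are ignored.
"""
import re
import sys

MAPFILE_PATH = "/etc/grid-security/grid-mapfile"  # default named on the page

# Constructed sample mapfile used by the demonstration below.
SAMPLE_MAPFILE = """\
# constructed example grid-mapfile
"/DC=org/DC=example/CN=Jane Doe" jdoe,jane
"/DC=org/DC=example/CN=Portal Service" portal
"/DC=org/DC=example/CN=Jane Doe/CN=proxy" jdoe
"""

LINE_RE = re.compile(r'^\s*"([^"]+)"\s+(\S+)\s*$')


def parse_grid_mapfile(text):
    """Return {dn: [usernames]} in file order; reject malformed lines
    rather than guessing at them."""
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("malformed grid-mapfile line %d" % lineno)
        dn, users = m.group(1), [u for u in m.group(2).split(",") if u]
        mapping.setdefault(dn, []).extend(users)
    return mapping


def store_allowed(mapping, dn, username):
    """accepted_credentials_mapapp semantics: may a client authenticating
    with this DN store credentials under this username?  The comparison
    is an exact string match on the whole DN, with no pattern matching."""
    return username in mapping.get(dn, [])


def dn_for_username(mapping, username):
    """certificate_mapapp semantics: the DN the CA should issue for this
    account, or None.  First match wins (an assumption of this example)."""
    for dn, users in mapping.items():
        if username in users:
            return dn
    return None


def main(argv, mapfile_text=None):
    """argv[1] = subject DN, argv[2] = username, exactly as the server
    passes them.  They are compared as strings only; no shell is run and
    nothing is copied into a fixed-size buffer."""
    if len(argv) != 3:
        print("usage: mapapp DN username", file=sys.stderr)
        return 2
    try:
        if mapfile_text is None:
            with open(MAPFILE_PATH) as f:
                mapfile_text = f.read()
        mapping = parse_grid_mapfile(mapfile_text)
    except (OSError, ValueError) as e:
        print("cannot use %s: %s" % (MAPFILE_PATH, e), file=sys.stderr)
        return 1
    if store_allowed(mapping, argv[1], argv[2]):
        return 0
    print("%s is not mapped to %s" % (argv[1], argv[2]), file=sys.stderr)
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

              Note that a proxy DN ("/CN=proxy" appended) is a different
              string from the end-entity DN, so it needs its own mapfile
              line if proxies are used to secure the upload connection;
              the sample mapfile shows one such entry.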

       check_multiple_credentials boolean
              Typically when a credential is accessed by a client, the
              server checks only one credential for possible access
              authorization, even if there are multiple credentials stored
              under the given username. If this option is set to "true"
              AND the client does not specify a credential name for a
              MyProxy GET operation (i.e., from myproxy-logon(1)), then
              the server will check multiple credentials with the given
              username. If a credential is found to be authorized for
              client access, then that one will be used during processing.
              The default value for this option is "false".

       The following parameters enable OCSP status checking of stored
       credentials in the myproxy-server(8) repository, to avoid use of
       revoked credentials.

       ocsp_policy policy
              Controls the policy for checking certificate validity via
              OCSP before credentials may be delegated. Currently, only
              the status of the end entity certificate is checked via OCSP
              (and not any proxy certificates or CA certificates). OCSP
              will not be used unless ocsp_responder_url and/or
              ocsp_policy are set. Supported policies are:

              "aia" - use the OCSP responder in the certificate's AIA
              extension, if present; otherwise use ocsp_responder_url, if
              set

       ocsp_responder_url URL
              Specifies the URL of an OCSP responder to use to check the
              validity of credentials stored in the myproxy-server
              repository before they may be delegated, so that revoked
              credentials can not be retrieved and used where their
              revocation status may not be checked. Currently, only the
              status of the end entity certificate is checked via OCSP
              (and not any proxy certificates or CA certificates). In any
              case, CRL checks are always performed. Both http and https
              URLs are supported. OCSP will not be used unless
              ocsp_responder_url and/or ocsp_policy are set.

       ocsp_responder_cert path
              Specifies the path to the certificate of a trusted OCSP
              responder. This is needed if the OCSP responder must be
              explicitly trusted in cases where standard path validation
              fails for the OCSP responder's certificate.

REGULAR EXPRESSIONS
       For matching distinguished names (DNs) in access control policies,
       MyProxy uses POSIX Extended Regular Expressions (see re_format(7)),
       with custom processing of the '*', '?', and '.' metacharacters to
       simulate Unix shell style wildcard processing (for backward
       compatibility and other historical reasons). MyProxy's custom
       regular expressions are converted to POSIX EREs according to the
       following rules:

       [ MyProxy regex ] => [ POSIX ERE ]
       ----------------------------------
       '*'  => '.*'
       '?'  => '.'
       '.'  => '\.'
       '\*' => '*'
       '\?' => '?'
       '\.' => '.'

       Additionally, MyProxy wraps all regular expressions inside '^(' and
       ')$' to require full DN matching.

       Be aware that parentheses are metacharacters according to POSIX, so
       escaping is required for literal matching. For example:

       "*/CN=Jim Basney \(admin\)"

       The following examples illustrate how MyProxy regular expressions
       are converted to POSIX EREs:

       [ MyProxy regex ]           => [ POSIX ERE ]
       ------------------------------------------------------------
       "*/CN=Jim Basney"           => "^(.*/CN=Jim Basney)$"
       "*/CN=Test User ?"          => "^(.*/CN=Test User .)$"
       "*/CN=James A. Basney"      => "^(.*/CN=James A\. Basney)$"
       "/O=Test/CN=[:alnum:]\*"    => "^(/O=Test/CN=[:alnum:]*)$"

       "*/CN=Jim Basney|*/CN=James Basney" =>
              "^(.*/CN=Jim Basney|.*/CN=James Basney)$"
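
       The following program, added here as an illustration and not taken
       from the MyProxy sources, implements the conversion table above and
       then uses it to evaluate the two-step retrieval check described
       under authorized_retrievers and default_retrievers in the
       DESCRIPTION: the server-wide policy first, then the per-credential
       policy supplied on upload, or the default_retrievers lines (default
       "*") when none was supplied. Python's re module stands in for a
       POSIX ERE matcher; for the constructs the conversion produces the
       two agree. Treating several lines of one directive as alternatives
       is an assumption made for the example, as are the DNs and policies
       in the demonstration.

```python
"""MyProxy DN-regex conversion and layered retrieval policy (example code
for myproxy-server.config(5), not MyProxy's own implementation)."""
import re


def myproxy_regex_to_ere(pattern):
    """Apply the conversion table from the REGULAR EXPRESSIONS section and
    wrap the result in ^( ... )$ so the whole DN must match."""
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern) and pattern[i + 1] in "*?.":
            out.append(pattern[i + 1])  # '\*' '\?' '\.' become POSIX metacharacters
            i += 2
            continue
        if c == "*":
            out.append(".*")
        elif c == "?":
            out.append(".")
        elif c == ".":
            out.append("\\.")
        else:
            out.append(c)  # everything else, including '|' and '\(', passes through
        i += 1
    return "^(" + "".join(out) + ")$"


def dn_matches(pattern, dn):
    """True if the client DN satisfies the MyProxy regex.  Python's re
    engine is used in place of a POSIX ERE matcher (an assumption of this
    example); for '.*', '.', '\\.', '|' and escaped parentheses the
    behaviour is the same."""
    return re.match(myproxy_regex_to_ere(pattern), dn) is not None


def retrieval_authorized(client_dn, authorized_retrievers,
                         default_retrievers=None, per_credential_policy=None):
    """Two-step check from the DESCRIPTION.  Lists of patterns are treated
    as alternatives (any line may match), an assumption of this example.

    Step 1: server-wide authorized_retrievers, which uploaders cannot
            override; no match means no access regardless of step 2.
    Step 2: the per-credential policy given on upload, or the server's
            default_retrievers lines if none was given (default "*").
    """
    if not any(dn_matches(p, client_dn) for p in authorized_retrievers):
        return False
    if per_credential_policy is not None:
        policies = [per_credential_policy]
    else:
        policies = default_retrievers if default_retrievers else ["*"]
    return any(dn_matches(p, client_dn) for p in policies)


if __name__ == "__main__":
    # Constructed demonstration: a portal and an administrator are allowed
    # server-wide; one credential was uploaded with a tighter -r policy.
    server_policy = ["*/CN=Portal Service", "*/CN=Jim Basney"]
    for dn, per_cred in [("/O=Test/CN=Portal Service", None),
                         ("/O=Test/CN=Portal Service", "*/CN=Jim Basney"),
                         ("/O=Test/CN=Mallory", None)]:
        print(dn, per_cred, retrieval_authorized(dn, server_policy,
                                                 per_credential_policy=per_cred))
```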

EXAMPLES
       The following policy enables all credential repository features.

       accepted_credentials "*"
       authorized_retrievers "*"
       default_retrievers "*"
       authorized_renewers "*"
       default_renewers "none"
       authorized_key_retrievers "*"
       default_key_retrievers "none"
       trusted_retrievers "*"
       default_trusted_retrievers "none"
       cert_dir /etc/grid-security/certificates

       The following enables CA functionality using an existing Globus
       Simple CA configuration.

       authorized_retrievers "*"
       pam "sufficient"
       sasl "sufficient"
       certificate_issuer_cert /home/globus/.globus/simpleCA/cacert.pem
       certificate_issuer_key /home/globus/.globus/simpleCA/private/cakey.pem
       certificate_issuer_key_passphrase "myproxy"
       certificate_serialfile /home/globus/.globus/simpleCA/serial
       certificate_mapfile /etc/grid-security/grid-mapfile
       cert_dir /etc/grid-security/certificates

FILES
       /etc/myproxy-server.config
              Default location for the server configuration file.

       $GLOBUS_LOCATION/etc/myproxy-server.config
              Alternate location for the server configuration file. A
              different location can be specified by using the
              myproxy-server(8) -c option.

       $GLOBUS_LOCATION/share/myproxy/myproxy-passphrase-policy
              A sample program for evaluating passphrase quality for use
              with the passphrase_policy_program option.

       $GLOBUS_LOCATION/share/myproxy/myproxy-certificate-mapapp
              A sample certificate_mapapp program for mapping account
              names to certificate subject distinguished names.

       $GLOBUS_LOCATION/share/myproxy/myproxy-accepted-credentials-mapapp
              A sample accepted_credentials_mapapp program for authorizing
              puts/stores (e.g. with myproxy-init(1) and
              myproxy-store(1)).

ENVIRONMENT
       GLOBUS_LOCATION
              Specifies the root of the MyProxy installation, used to find
              the default location of the myproxy-server.config file.

AUTHORS
       See http://grid.ncsa.illinois.edu/myproxy/about for the list of
       MyProxy authors.

SEE ALSO
       myproxy-change-pass-phrase(1), myproxy-destroy(1),
       myproxy-get-trustroots(1), myproxy-info(1), myproxy-init(1),
       myproxy-logon(1), myproxy-retrieve(1), myproxy-store(1),
       myproxy-admin-adduser(8), myproxy-admin-change-pass(8),
       myproxy-admin-load-credential(8), myproxy-admin-query(8),
       myproxy-server(8)

MyProxy                            2014-07-12           myproxy-server.config(5)