myproxy-server.config(5)            MyProxy           myproxy-server.config(5)

NAME

       myproxy-server.config - myproxy-server configuration file

DESCRIPTION

       The myproxy-server.config file sets the policy for the
       myproxy-server(8), specifying what credentials may be stored in the
       server's repository, who is authorized to retrieve credentials, and
       other configurable server behaviors.  By default, the
       myproxy-server(8) looks for this file in /etc/myproxy-server.config
       and if it is not found there, it looks in
       $GLOBUS_LOCATION/etc/myproxy-server.config.  A template is provided
       at $GLOBUS_LOCATION/share/myproxy/myproxy-server.config.  The
       myproxy-server -c option can be used to specify an alternative
       location.

       The following lines set access control policies according to the
       client's certificate subject distinguished name (DN).  Note that
       MyProxy uses non-standard regular expressions for distinguished name
       (DN) matching.  See the REGULAR EXPRESSIONS section below for
       details.

       accepted_credentials “DN regex”
              Each of these lines allows any clients whose DNs match the
              given limited regex to connect to the myproxy-server and store
              credentials with it for future retrieval.  Any number of these
              lines may appear.  For backwards compatibility, these lines
              can also start with allowed_clients instead of
              accepted_credentials.  If no accepted_credentials lines are
              specified, the server will not allow any clients to store
              credentials.

       authorized_retrievers “DN regex”
              Each of these lines allows the server administrator to set
              server-wide policies for credential retrievers.  If the client
              DN does not match the given limited regex, the client is not
              allowed to retrieve credentials from the server.  In addition
              to the server-wide policy, myproxy also provides support for
              per-credential policy.  The user can specify the regex DN of
              the allowed retrievers of the credential when uploading the
              credential (using myproxy-init(1) or myproxy-store(1)).  The
              retrieval client DN must also match the user specified regex.
              In order to retrieve credentials the client also needs to know
              the name and pass phrase provided by the client when the
              credentials were stored.  Any number of these lines may
              appear.  For backwards compatibility, these lines can also
              start with allowed_services instead of authorized_retrievers.
              If no authorized_retrievers lines are specified, the server
              will not allow any clients to retrieve credentials.

       default_retrievers “DN regex”
              Each of these lines allows the server administrator to set
              server-wide default policies.  The regex specifies the clients
              who can access the credentials.  The default retriever policy
              is enforced if a per-credential policy is not specified on
              upload (using myproxy-init(1) or myproxy-store(1)).  In other
              words, the client can override this policy for a credential on
              upload.  The per-credential policy is enforced in addition to
              the server-wide policy specified by the authorized_retrievers
              line (which clients can not override).  Any number of these
              lines may be present.  For backwards compatibility, if no
              default_retrievers line is specified, the default policy is
              "*", which allows any client to pass the per-credential policy
              check.  (The client must still pass the authorized_retrievers
              check.)

       authorized_renewers “DN regex”
              Each of these lines allows the server administrator to set
              server-wide policies for authorized renewers.  If the client
              DN does not match the given limited regex the client is not
              allowed to renew the credentials previously stored by a
              client.  See allow_self_authorization below for a further
              restriction on this policy.  In addition to the server-wide
              policy, myproxy also provides support for per-credential
              policy.  The user can specify the regex DN of the allowed
              renewers of the credential on upload (using myproxy-init(1)).
              The renewal client DN must match both this regex and the user
              specified regex.  In this case, the client must also already
              have a credential with a DN matching the DN of the credentials
              to be retrieved, to be used in a second authorization step
              (see the -a options for myproxy-logon(1) and
              myproxy-retrieve(1)).

       default_renewers “DN regex”
              Each of these lines allows the server administrator to set
              server-wide default renewer policies.  The regex specifies the
              clients who can renew the credentials.  The default renewer
              policy is enforced if a per-credential policy is not specified
              on upload (using myproxy-init(1)).  This is enforced in
              addition to the server-wide policy specified by the
              authorized_renewers line.  Any number of these lines may
              appear.  For backwards compatibility, if no default_renewers
              line is specified, the default policy is "*", which allows any
              client to pass the per-credential policy check.  (The client
              must still pass the authorized_renewers check.)

       authorized_key_retrievers “DN regex”
              This policy controls who can retrieve credentials
              (certificates and keys) directly from the repository using
              myproxy-retrieve(1).  Clients must also match the
              authorized_retrievers policy.  If no authorized_key_retrievers
              lines are specified, the server will not allow any clients to
              retrieve keys directly from the repository.

       default_key_retrievers “DN regex”
              This policy applies if a per-credential policy is not
              specified on upload (using myproxy-init(1) or
              myproxy-store(1)).  In other words, the client can override
              this policy for a credential on upload.  The per-credential
              policy is enforced in addition to the server-wide policy
              specified by the authorized_key_retrievers line (which clients
              can not override).  Any number of these lines may be present.
              If no default_key_retrievers line is specified, the default
              policy is "*", which allows any client to pass the
              per-credential policy check.  (The client must still pass the
              authorized_key_retrievers check.)

       trusted_retrievers “DN regex”
              This policy controls who can retrieve credentials without
              further authentication.  By default, clients that match
              authorized_retrievers must perform additional authentication
              (such as passphrase, PAM, or SASL) to retrieve credentials.
              However, authenticated clients that match both
              authorized_retrievers and trusted_retrievers do not need to
              perform additional authentication, unless the credentials are
              protected by a passphrase, in which case the passphrase is
              still required.  Note: The myproxy-server(8) will fail on
              startup or reconfig with an "unsafe policy" error if a policy
              of trusted_retrievers “*” is specified without also specifying
              a restrictive default_trusted_retrievers policy, to avoid an
              unsafe policy that would release credentials to all clients
              without additional authentication.  See also
              allow_self_authorization below for a further restriction on
              this policy.

       default_trusted_retrievers “DN regex”
              If a user doesn't set a trusted retrieval policy with the
              credential on upload (via 'myproxy-init -Z'), the
              myproxy-server(8) will apply the following policy in addition
              to the trusted_retrievers policy.  If no
              default_trusted_retrievers policy is set, then only the
              trusted_retrievers policy is applied.

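       The layering of the retrieval policies above (authorized_retrievers,
       then the per-credential or default_retrievers policy, then
       trusted_retrievers with default_trusted_retrievers, and the
       allow_self_authorization restriction), worked through in code.  This
       is an added example, not MyProxy's own code: it matches DN patterns
       glob-style with Python's fnmatch (MyProxy's restricted regex rules are
       in the REGULAR EXPRESSIONS section and may differ in detail), and the
       configuration text and DNs are constructed for the example.

```python
"""Model of the layered retrieval policy from the entries above.

Added example, not MyProxy code.  Assumption: DN patterns are matched
glob-style with fnmatch ("*" matches any sequence); MyProxy's own
restricted regex rules are in the REGULAR EXPRESSIONS section.
"""
import fnmatch
import shlex

# Constructed sample configuration.  The trusted_retrievers "*" line is
# only accepted by the server because default_trusted_retrievers narrows
# trusted (no extra authentication) retrieval to one portal identity.
SAMPLE_CONFIG = """
# who may store credentials (legacy keyword: allowed_clients)
accepted_credentials       "/C=US/O=Example Org/*"
# server-wide retrieval policy; uploaders cannot override this
authorized_retrievers      "/C=US/O=Example Org/*"
# applies only when the upload set no per-credential policy
default_retrievers         "/C=US/O=Example Org/OU=Portals/*"
trusted_retrievers         "*"
default_trusted_retrievers "/C=US/O=Example Org/OU=Portals/CN=portal.example.org"
"""

ALIASES = {"allowed_clients": "accepted_credentials",
           "allowed_services": "authorized_retrievers"}
POLICY_KEYS = ("accepted_credentials", "authorized_retrievers",
               "default_retrievers", "trusted_retrievers",
               "default_trusted_retrievers")


def parse_config(text):
    """Parse 'keyword "value" ...' lines into {keyword: [values]}."""
    policy = {key: [] for key in POLICY_KEYS}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        keyword, *values = shlex.split(line)
        keyword = ALIASES.get(keyword, keyword)
        policy.setdefault(keyword, []).extend(values)
    return policy


def dn_matches(dn, patterns):
    return any(fnmatch.fnmatchcase(dn, pat) for pat in patterns)


def is_unsafe_policy(policy):
    """The startup/reconfig "unsafe policy" refusal: trusted_retrievers "*"
    with no default_trusted_retrievers, or one that is itself "*"."""
    default_trusted = policy["default_trusted_retrievers"]
    return "*" in policy["trusted_retrievers"] and (
        not default_trusted or "*" in default_trusted)


def retrieval_decision(policy, client_dn, owner_dn, per_cred_retrievers=None,
                       per_cred_trusted=None, allow_self_authorization=False):
    """Return "deny", "allow" (client must still authenticate, e.g. with the
    passphrase, PAM or SASL) or "allow-trusted" (no further authentication,
    except the passphrase if the credential is protected by one)."""
    # 1. Server-wide authorized_retrievers; an empty list denies everyone.
    if not dn_matches(client_dn, policy["authorized_retrievers"]):
        return "deny"
    # 2. Per-credential policy set at upload, else default_retrievers, and
    #    a missing default_retrievers line means "*".
    if per_cred_retrievers is None:
        per_cred_retrievers = policy["default_retrievers"] or ["*"]
    if not dn_matches(client_dn, per_cred_retrievers):
        return "deny"
    # 3. Trusted retrieval needs trusted_retrievers AND the per-credential
    #    trusted policy (myproxy-init -Z) or default_trusted_retrievers; when
    #    neither of the latter is set, trusted_retrievers alone decides.
    if per_cred_trusted is None:
        per_cred_trusted = policy["default_trusted_retrievers"]
    trusted = dn_matches(client_dn, policy["trusted_retrievers"]) and (
        not per_cred_trusted or dn_matches(client_dn, per_cred_trusted))
    # 4. allow_self_authorization: by default a credential's own identity is
    #    not a valid trusted retriever, so a proxy cannot refresh itself.
    if trusted and (client_dn != owner_dn or allow_self_authorization):
        return "allow-trusted"
    return "allow"


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("unsafe policy:", is_unsafe_policy(cfg))
    portal = "/C=US/O=Example Org/OU=Portals/CN=portal.example.org"
    alice = "/C=US/O=Example Org/OU=People/CN=Alice"
    print("portal fetching Alice's credential:",
          retrieval_decision(cfg, portal, alice))
    print("Alice fetching her own credential, no per-credential policy:",
          retrieval_decision(cfg, alice, alice))
```
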
       The following lines in the configuration file set other server
       options.

       passphrase_policy_program full-path-to-script
              This line specifies a program to run whenever a passphrase is
              set or changed for implementing a local password policy.  The
              program is passed the new passphrase via stdin and is passed
              the following arguments: username, distinguished name,
              credential name (if any), per-credential retriever policy (if
              any), and per-credential renewal policy (if any).  If the
              passphrase is acceptable, the program should exit with status
              0.  Otherwise, it should exit with non-zero status, causing
              the operation in progress (credential load, passphrase change)
              to fail with the error message provided by the program's
              stdout.  Note: You must specify the full path to the external
              program.  $GLOBUS_LOCATION can't be used in the
              myproxy-server.config file.  A sample program is installed in
              $GLOBUS_LOCATION/share/myproxy/myproxy-passphrase-policy but
              is not enabled by default.

              Be sure to follow secure coding practices for this call-out:
              - Don't allow input to overflow fixed-size buffers.
              - Don't pass unchecked input to a shell command.

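       A passphrase_policy_program call-out following the contract above, as
       an added example (not the myproxy-passphrase-policy sample shipped
       with MyProxy): the passphrase is read from stdin with a bounded read,
       the arguments are used only as data and never handed to a shell, and
       the specific rules (minimum length, character classes, no username or
       DN components in the passphrase) are this example's own choice.

```python
#!/usr/bin/env python3
"""passphrase_policy_program call-out (added example, not MyProxy code).

Contract from the page: new passphrase on stdin; argv = username,
distinguished name, credential name, per-credential retriever policy,
per-credential renewal policy (the last three may be absent); exit 0 to
accept, non-zero to reject with the reason on stdout.
"""
import sys

MIN_LENGTH = 12
MAX_READ = 4096   # upper bound on the stdin read; no fixed-size buffer


def check_passphrase(passphrase, username, dn=""):
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(passphrase) < MIN_LENGTH:
        problems.append("passphrase must be at least %d characters"
                        % MIN_LENGTH)
    classes = sum(1 for test in (str.islower, str.isupper, str.isdigit)
                  if any(test(ch) for ch in passphrase))
    if any(not ch.isalnum() for ch in passphrase):
        classes += 1
    if classes < 3:
        problems.append("passphrase needs three of: lower case, upper case, "
                        "digits, symbols")
    lowered = passphrase.lower()
    if username and username.lower() in lowered:
        problems.append("passphrase must not contain the username")
    # Reject DN components (e.g. the CN value) reused in the passphrase.
    for component in dn.split("/"):
        value = component.partition("=")[2].lower()
        if len(value) >= 4 and value in lowered:
            problems.append("passphrase must not contain DN component %s"
                            % component)
    return problems


def main(argv, stdin):
    # Arguments are treated purely as data: compared, never executed.
    username = argv[1] if len(argv) > 1 else ""
    dn = argv[2] if len(argv) > 2 else ""
    # Assumption: the passphrase may arrive newline-terminated.
    passphrase = stdin.read(MAX_READ).rstrip("\r\n")
    problems = check_passphrase(passphrase, username, dn)
    for problem in problems:
        print(problem)          # stdout is relayed to the client as the error
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv, sys.stdin))
```
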
       cert_dir full-path-to-certificates-directory
              Specifies the path to the CA certificates directory to be
              returned to clients requesting trust roots (such as via the
              myproxy-logon(1) -T option).

       max_proxy_lifetime hours
              This line specifies a server-wide maximum lifetime for
              retrieved proxy credentials.  By default, no server-wide
              maximum is enforced.  However, if this option is specified,
              the server will limit the lifetime of any retrieved proxy
              credentials to the value given.

       max_cred_lifetime hours
              This line specifies a server-wide maximum lifetime for stored
              credentials.  By default, no server-wide maximum is enforced.
              However, if this option is specified, the server will limit
              the lifetime of any stored credentials to the value given.

       ignore_globus_limited_proxy_flag boolean
              By default, MyProxy will respect the policy of "limited" proxy
              certificates as follows.  If a client authenticates with a
              limited proxy, the client should only be able to obtain
              another limited proxy, not a full proxy or end entity
              certificate.  Thus, the MyProxy CA will not accept limited
              proxies for authentication.  However, if this option is set to
              true, MyProxy will treat limited proxy certificates as if they
              were full proxy certificates.

       allow_self_authorization boolean
              By default, MyProxy will disallow trusted_retrievers and
              authorized_renewers whose DN matches the identity of the
              stored credential, so a proxy by itself can not be refreshed
              or renewed.  However, if this option is set to true, this
              restriction is lifted.

       syslog_ident name
              You can optionally specify the string to be prepended to every
              message written to the syslog.  If not specified, the name
              defaults to the program name, i.e. myproxy-server.

       syslog_facility name
              By default, the myproxy-server will log to the syslog "daemon"
              facility.  With this option you can specify an alternate
              syslog facility, such as "auth", "user", "security", or
              "local0".  The facility can also be specified numerically as
              with the logger(1) command.

       request_timeout seconds
              Specifies the maximum time a myproxy-server(8) child process
              should spend servicing a client request before aborting.  By
              default, child processes will abort after 120 seconds.  A
              negative value will disable the timeout.

       request_size_limit bytes
              Limits the amount of incoming application-level protocol data
              the myproxy-server(8) will accept from clients, to avoid
              memory exhaustion under heavy load.  Specified in bytes.
              Defaults to 1MB (1048576 bytes).  A zero or negative value
              disables the limit.

       proxy_extfile full-path-to-extension-file
              Optionally specifies the full path to a file containing an
              OpenSSL formatted set of certificate extensions to include in
              all proxy certificates issued from the MyProxy repository
              (analogous to certificate_extfile for the CA module).

       proxy_extapp full-path-to-extension-callout-program
              This is the call-out version of proxy_extfile.  It optionally
              specifies the full path to a call-out program for specifying
              proxy certificate extensions.  It will be passed the
              authenticated username and the proxy credential location as
              the two command arguments.  On success, it should write the
              OpenSSL formatted set of certificate extensions to stdout and
              exit with zero status.  On error, it should write to stderr
              and exit with nonzero status.  Either proxy_extfile or
              proxy_extapp can be specified but not both.

              Be sure to follow secure coding practices for this call-out:
              - Don't allow input to overflow fixed-size buffers.
              - Don't pass unchecked input to a shell command.

       voms_userconf full-path-to-voms-configuration-file
              Optionally specifies the full path to the VOMS configuration
              file containing VOMS server information.  It is usually
              specified in the environment variable VOMS_USERCONF.

       allow_voms_attribute_requests boolean
              If this parameter is set to true and a GET request includes
              VONAME and (optionally) VOMSES parameters, call-out to VOMS to
              add the requested attributes to the issued certificate.
              Requires linking with VOMS libraries.  By default, VONAME and
              VOMSES parameters in requests will be ignored unless this
              parameter is set to true.

       The MyProxy server can be optionally configured for authentication
       based on Pluggable Authentication Modules (PAM) and/or the Simple
       Authentication and Security Layer (SASL).  Kerberos is one of the
       supported SASL authentication methods.  The following options control
       the use of PAM and SASL.

       pam option
              This line governs the use of PAM to check passphrases.
              MyProxy will attempt to authenticate via PAM, with the
              supplied username and passphrase.  Note that PAM will need to
              be configured externally for the application "myproxy"
              (usually in /etc/pam.d/), or for the application named by
              pam_id, below.  Accepted values:

              required
                     PAM password authentication is required under all
                     conditions.  If the credential is unencrypted (that is,
                     it has no passphrase), a PAM password check is still
                     required for authentication.  If the credential is
                     encrypted, its passphrase must match the PAM password.

              sufficient
                     The user's passphrase may match either the credential
                     passphrase or, if the credential is unencrypted, the
                     PAM passphrase.  If the credential is encrypted, then
                     the PAM password is not relevant.

              disabled (default)
                     PAM is not used to check passphrases.

       pam_id string
              The name that myproxy uses to identify itself to PAM.  Default
              is "myproxy".  For example, on most Unix-like systems, if
              pam_id is set to "login", MyProxy will authenticate against
              the system's own usernames and passwords.

       sasl option
              This line governs the use of SASL authentication.  Accepted
              values:

              required
                     SASL authentication is required for retrieving
                     credentials.

              sufficient
                     SASL authentication is sufficient for retrieving
                     credentials, but other authentication methods may be
                     used instead.

              disabled (default)
                     SASL authentication isn't used.

       sasl_mech mechanism
              Forces the use of a single SASL mechanism, overriding the SASL
              configuration file.  (Typically not required.)

       sasl_serverFQDN hostname
              Configures the SASL server fully-qualified domain name for
              multi-homed servers.  (Typically not required.)

       sasl_user_realm realm
              Configures the SASL user realm.  (Typically not required.)

       The MyProxy server can also be configured to act as a Certificate
       Authority (CA) to issue credentials to clients.  The following
       parameters enable and configure the CA functionality.

       certificate_issuer_cert full-path-to-certificate
              This line specifies the full path to the issuer certificate to
              optionally configure the myproxy-server to act as an online
              certificate authority.

       certificate_issuer_key full-path-to-key
              When specifying certificate_issuer_cert above, you must also
              give the name of the CA private key for signing certificates.
              This is normally the path to a CA private key in PEM format,
              but if you are using an OpenSSL engine (see
              certificate_openssl_engine_id) then it can be the key name.

       certificate_issuer_key_passphrase “passphrase”
              If the certificate_issuer_key is encrypted, give the
              passphrase here.

       certificate_issuer_subca_certfile full-path-to-subca-certificate-file
              If you would like an intermediate/sub-CA certificate chain to
              be sent along with the EEC (End Entity Certificate) generated
              using a local intermediate/sub-CA, specify the file that
              contains those certificates in PEM format.  This is meant to
              aid scenarios where the CA used is an intermediate CA (i.e.
              not a root CA) and the client may not have the intermediate
              CA(s) in its trust store.  The client will write out the chain
              into the same file as the EEC, following the EEC.

       certificate_issuer_hashalg algorithm
              Specifies the hash algorithm to use when signing end-entity
              certificates.  Defaults to "sha256".

       certificate_issuer_email_domain “domain”
              If set, specifies the domain part of the X509v3 Subject
              Alternative Name email address included in issued
              certificates.

       certificate_openssl_engine_id engineId

       certificate_openssl_engine_pre pre-initialization-commands

       certificate_openssl_engine_post post-initialization-commands
              These commands can be used to allow any OpenSSL engine to be
              used with MyProxy.  This enables the use of hardware tokens
              and signing modules to sign certificates.  Given the
              parameters of an OpenSSL "engine" command, the first argument,
              the identity of the engine, becomes the argument to
              certificate_openssl_engine_id; -pre commands are listed in
              order using certificate_openssl_engine_pre, and -post commands
              are listed in order using certificate_openssl_engine_post.
              For example the command-line:

                 openssl engine dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/opensc-pksc11.so

              becomes:

                 certificate_openssl_engine_id "dynamic"

                 certificate_openssl_engine_pre "SO_PATH:/usr/lib/engines/engine_pkcs11.so" "ID:pkcs11" "LIST_ADD:1" "LOAD" "MODULE_PATH:/usr/lib/opensc-pksc11.so"

              Please note that any shared library engines loaded through the
              "dynamic" engine MUST be compiled against the correct version
              of OpenSSL.

       certificate_openssl_engine_lockfile full-path-to-file
              If your hardware token or HSM is unable to handle simultaneous
              operations, provide a path to a lockfile for synchronizing
              operations to the engine device.  The myproxy-server will
              create the file if it does not already exist.

       certificate_issuer_program full-path-to-script
              This line specifies the path to a program to issue
              certificates for authenticated clients that don't have
              credentials stored.  This optionally configures the
              myproxy-server to act as an online certificate authority,
              allowing programmatic control over the certificate issuance
              process.  You can either specify certificate_issuer_cert or
              certificate_issuer_program.

              Be sure to follow secure coding practices for this call-out:
              - Don't allow input to overflow fixed-size buffers.
              - Don't pass unchecked input to a shell command.

       certificate_serialfile full-path-to-serial-file
              Specifies the path to a file to store the serial number
              counter for issued certificates.  Defaults to
              /var/lib/myproxy/serial.

       certificate_serial_skip increment
              Specifies the number to add to the serial number each time a
              certificate is issued.  Use this to stagger serial numbers
              across multiple CA instances to avoid serial number clashes.
              Defaults to 1.

       certificate_out_dir full-path-to-output-directory
              Specifies the path to a directory where new certificates will
              be archived.

       max_cert_lifetime hours
              Specifies the maximum lifetime (in hours) for certificates
              issued by the CA module.  Defaults to 12 hours.

       min_keylen bits
              Specifies the minimum RSA key length (in bits) for
              certificates issued by the CA module.

       certificate_extfile full-path-to-extension-file
              Optionally specifies the full path to a file containing an
              OpenSSL formatted set of certificate extensions to include in
              all issued certificates.  For example:
                 keyUsage=digitalSignature,keyEncipherment,dataEncipherment
                 subjectKeyIdentifier=hash
                 authorityKeyIdentifier=keyid,issuer:always
                 crlDistributionPoints=URI:http://ca.ncsa.uiuc.edu/4a6cd8b1.r0
                 basicConstraints=CA:FALSE
              If not set, the MyProxy CA will include a basic set of
              extensions in issued certificates.

       certificate_extapp full-path-to-extension-callout-program
              This is the call-out version of certificate_extfile.  It
              optionally specifies the full path to a call-out program for
              specifying certificate extensions.  It will be passed the
              authenticated username as the single command argument.  On
              success, it should write the OpenSSL formatted set of
              certificate extensions to stdout and exit with zero status.
              On error, it should write to stderr and exit with nonzero
              status.  Either certificate_extfile or certificate_extapp can
              be specified but not both.

              Be sure to follow secure coding practices for this call-out:
              - Don't allow input to overflow fixed-size buffers.
              - Don't pass unchecked input to a shell command.

       certificate_mapfile full-path-to-mapfile
              When specifying certificate_issuer_cert above, you can map
              account names to certificate subject distinguished names for
              the issued certificates using this mapfile, which has the same
              format as used by other Grid Community Toolkit services.  By
              default, /etc/grid-security/grid-mapfile is used.  The Grid
              Community Toolkit grid-mapfile-add-entry and
              grid-mapfile-delete-entry commands can be used to manage the
              grid-mapfile.

       certificate_mapapp full-path-to-mapapp
              When specifying certificate_issuer_cert above, you can map
              account names to certificate subject distinguished names for
              the issued certificates using this call-out.  It will be
              passed the authenticated username as the single command
              argument.  On success, it should write the distinguished name
              in OpenSSL one line format (for example, "/C=US/O=National
              Computational Science Alliance/CN=Jim Basney") to stdout and
              exit with zero status.  On error, it should write to stderr
              and exit with nonzero status.  If it is not defined, then
              mapfile lookup will be executed instead (see
              certificate_mapfile above).  An example is installed in
              $GLOBUS_LOCATION/share/myproxy/myproxy-certificate-mapapp.

              Be sure to follow secure coding practices for this call-out:
              - Don't allow input to overflow fixed-size buffers.
              - Don't pass unchecked input to a shell command.

       certificate_request_checker full-path-to-callout-program
              This CA call-out can be used to perform checks on incoming
              certificate requests.  It will be passed the certificate
              request in PEM format on stdin.  If it returns a nonzero exit
              status, the CA will abort without signing the request.  When
              returning a nonzero exit status, the callout should indicate
              the problem on stderr.  An example is installed in
              $GLOBUS_LOCATION/share/myproxy/myproxy-certreq-checker.

       certificate_issuer_checker full-path-to-callout-program
              This CA call-out can be used to perform checks on issued
              certificates before the certificate is returned to the client.
              It will be passed the certificate in PEM format on stdin.  If
              it returns a nonzero exit status, the CA will abort without
              returning the signed certificate to the client.  When
              returning a nonzero exit status, the callout should indicate
              the problem on stderr.  An example is installed in
              $GLOBUS_LOCATION/share/myproxy/myproxy-cert-checker.

       If OpenLDAP support is built into the myproxy-server(8), the
       following parameters can be used to configure the CA module to map
       account names to certificate subject distinguished names via LDAP.

       ca_ldap_server “ldap://localhost:389/”
              This parameter specifies the URI to the LDAP server to use for
              username to DN resolution in the CA module.  Both ldap:// and
              ldaps:// protocols are supported.  A port number may
              optionally be specified as well.  Defining this directive is
              the "trigger" that causes the name resolution module to use
              LDAP querying.  If it is not defined, then mapfile lookup will
              be executed instead (see certificate_mapfile above).

       ca_ldap_uid_attribute “uid”
              The name of the record attribute that maps to the MyProxy
              username.  Required for LDAP username to DN resolution.

       ca_ldap_searchbase “ou=people,dc=bullwinkle,dc=lbl,dc=gov”
              The DN of the region of the ldap database to be searched.
              Required for LDAP username to DN resolution.

       ca_ldap_dn_attribute “subjectDN”
              If this directive is set, the LDAP resolver will pull the DN
              from the specified attribute in the returned record.  If it is
              not set, the default is to use the DN of the record itself.

       ca_ldap_connect_dn “cn=MyProxy,ou=ldapusers,dc=lbl,dc=gov”
              DN for LDAP basic authentication (optional).

       ca_ldap_connect_passphrase “passphrase”
              Passphrase for LDAP basic authentication (optional).

       The following parameters control server replication with the
       myproxy-replicate(1) utility.

       slave_servers server:port;
              This value is for use with the myproxy-replicate(1) utility.
              This tag provides a list of servers that will be used as
              secondary repositories for the MyProxy database.  Each server
              should be separated by a ";".  Also, a port may be provided if
              the slave server is using a port other than the default.  The
              server name may be a recognized DNS name or an IP address.

       The following parameters are used primarily when utilizing MyProxy as a
       delegation service for web portals.

       accepted_credentials_mapfile full-path-to-mapfile
              This parameter points to a grid-mapfile, which is possibly
              different from other mapfiles above.  When specified, this
              mapfile is consulted during puts/stores (e.g. with
              myproxy-init(1) and myproxy-store(1)).  A credential is
              authorized to be put/stored only under the username specified
              in the mapfile.  This prevents storing a user's credential
              under a different username.  Note that the credential checked
              for the presence of a SubjectDN/Username entry in the mapfile
              is the credential used to secure the connection between client
              and server, NOT the actual credential being stored.  As the
              credential which secures the TLS connection is typically the
              same as the credential being stored, this should not be a
              major issue.  The Grid Community Toolkit grid-mapfile-add-entry
              and grid-mapfile-delete-entry commands can be used to manage
              the grid-mapfile.

       accepted_credentials_mapapp full-path-to-mapapp
              As an alternative to the accepted_credentials_mapfile option
              above, you can specify a call-out which is passed two
              parameters: a certificate subject distinguished name and a
              username (in that order).  In essence, the call-out performs a
              lookup in a 'virtual' accepted_credentials_mapfile.  If the
              SubjectDN/Username line would appear in such a mapfile, then
              the call-out should exit with zero status, indicating that a
              credential with the given SubjectDN is allowed to be stored
              under the given Username.  Otherwise, the call-out should exit
              with non-zero status, indicating error.  An example is
              installed in
              $GLOBUS_LOCATION/share/myproxy/myproxy-accepted-credentials-mapapp.

              Be sure to follow secure coding practices for this call-out:
              - Don't allow input to overflow fixed-size buffers.
              - Don't pass unchecked input to a shell command.
              - Exit with non-zero status on any error (for example an
                unreadable mapfile), so that a failure denies the store
                rather than allowing it.

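       The following is an added illustration of such a call-out, written in
       Python; it is not the sample program shipped in $GLOBUS_LOCATION/share/
       myproxy and not MyProxy project code.  The mapfile path
       /etc/grid-security/accepted-credentials-mapfile and the sample mapfile
       contents are assumptions made for the example.  The DN and username
       arrive as argv entries and are compared as exact strings, never handed
       to a shell or used as a regex, and every error path exits non-zero.

```python
#!/usr/bin/env python3
"""Example accepted_credentials_mapapp call-out (added illustration, not the
MyProxy-distributed sample).  myproxy-server invokes it as

    mapapp "<subject DN>" "<username>"

and treats exit status 0 as "allowed" and anything else as "denied".  The
mapfile path below is an assumption; its format follows grid-mapfile
conventions: a double-quoted subject DN, whitespace, then one or more
comma-separated usernames.  Lines starting with '#' are comments.
"""
import re
import sys

# Hypothetical path; a real deployment decides where the mapfile lives.
DEFAULT_MAPFILE = "/etc/grid-security/accepted-credentials-mapfile"

# Constructed sample content, used for self-contained testing.  The
# parenthesised CN would be a metacharacter problem for a grep-based lookup.
SAMPLE_MAPFILE = """\
# constructed example mapfile
"/DC=org/DC=example/OU=People/CN=Jane Doe" jdoe
"/DC=org/DC=example/OU=Services/CN=portal.example.org" portal,jdoe
"/DC=org/DC=example/OU=People/CN=Jim Admin (admin)" jadmin
"""

# One mapfile line: "<DN>" user1,user2   (grid-mapfile DNs never contain '"')
_LINE_RE = re.compile(r'^"([^"]*)"\s+(\S+)\s*$')


def parse_mapfile(text):
    """Return {subject_dn: set(usernames)} for the mapfile text.

    Malformed lines are skipped rather than guessed at, so a damaged line
    can never widen the policy; it can only fail to grant.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if m is None:
            continue
        dn, users = m.group(1), m.group(2)
        mapping.setdefault(dn, set()).update(
            u for u in users.split(",") if u)
    return mapping


def is_allowed(mapping, subject_dn, username):
    """Exact-string lookup: no regex, no shell, no wildcard interpretation.

    Comparing the argv values with == means a DN containing '*', '(' or
    shell metacharacters cannot change what is looked up.
    """
    return username in mapping.get(subject_dn, set())


def main(argv):
    # Deny on any irregularity: wrong argument count, unreadable mapfile,
    # or an entry that is simply absent all map to a non-zero status.
    if len(argv) != 3:
        return 2
    subject_dn, username = argv[1], argv[2]
    try:
        with open(DEFAULT_MAPFILE, encoding="utf-8") as fh:
            mapping = parse_mapfile(fh.read())
    except OSError:
        return 2
    return 0 if is_allowed(mapping, subject_dn, username) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

       Install the script with an absolute path in accepted_credentials_mapapp
       and make it executable only by the account running myproxy-server.
       Because the lookup is an exact match, a client presenting
       "/DC=org/DC=example/OU=People/CN=Jane Doe/CN=proxy" as its subject is
       not matched by Jane Doe's entry; only the DN that appears verbatim in
       the mapfile is.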
       check_multiple_credentials boolean
              Typically when a credential is accessed by a client, the server
              checks only one credential for possible access authorization,
              even if there are multiple credentials stored under the given
              username.  If this option is set to "true" AND the client does
              not specify a credential name for a MyProxy GET operation (i.e.,
              from myproxy-logon(1)), then the server will check multiple
              credentials with the given username.  If a credential is found
              to be authorized for client access, then that one will be used
              during processing.  The default value for this option is
              "false".

       The following parameters enable OCSP status checking of stored
       credentials in the myproxy-server(8) repository, to prevent the use of
       revoked credentials (OCSP reports revocation status; expiration is
       enforced by ordinary certificate validation).

       ocsp_policy policy
              Controls the policy for checking certificate validity via OCSP
              before credentials may be delegated.  Currently, only the status
              of the end entity certificate is checked via OCSP (and not any
              proxy certificates or CA certificates).  OCSP will not be used
              unless ocsp_responder_url and/or ocsp_policy are set.  Supported
              policies are:
                "aia" - use OCSP responder in certificate AIA extension, if
                        present; otherwise use ocsp_responder_url, if set

       ocsp_responder_url URL
              Specifies the URL of an OCSP responder to use to check the
              validity of credentials stored in the myproxy-server repository
              before they may be delegated, so that revoked credentials can
              not be retrieved and used where their revocation status may not
              be checked.  Currently, only the status of the end entity
              certificate is checked via OCSP (and not any proxy certificates
              or CA certificates).  In any case, CRL checks are always
              performed.  Both http and https URLs are supported.  OCSP will
              not be used unless ocsp_responder_url and/or ocsp_policy are
              set.

       ocsp_responder_cert path
              Specifies the path to the certificate of a trusted OCSP
              responder.  This is needed if the OCSP responder must be
              explicitly trusted in cases where standard path validation fails
              for the OCSP responder's certificate.


REGULAR EXPRESSIONS

       For matching distinguished names (DNs) in access control policies,
       MyProxy uses POSIX Extended Regular Expressions (see re_format(7)),
       with custom processing of '*', '?', and '.' metacharacters to simulate
       Unix shell style wildcard processing (for backward compatibility and
       other historical reasons).  MyProxy's custom regular expressions are
       converted to POSIX EREs according to the following rules:

         [ MyProxy regex ] => [ POSIX ERE ]
         ----------------------------------
                '*'        =>      '.*'
                '?'        =>      '.'
                '.'        =>      '\.'
                '\*'       =>      '*'
                '\?'       =>      '?'
                '\.'       =>      '.'

       Additionally, MyProxy wraps all regular expressions inside '^(' and
       ')$' to require full DN matching.  A policy such as "/O=Test/CN=User"
       therefore matches only that exact DN; it does not match a longer DN
       that merely begins with it.

       Be aware that parentheses are metacharacters according to POSIX (as
       are '|', '+', '[' and ']'), so escaping is required for literal
       matching.  For example:

         "*/CN=Jim Basney \(admin\)"

       The following examples illustrate how MyProxy regular expressions are
       converted to POSIX EREs:

            [ MyProxy regex ]     =>    [ POSIX ERE ]
         ------------------------------------------------------------
         "*/CN=Jim Basney"        => "^(.*/CN=Jim Basney)$"
         "*/CN=Test User ?"       => "^(.*/CN=Test User .)$"
         "*/CN=James A. Basney"   => "^(.*/CN=James A\. Basney)$"
         "/O=Test/CN=[:alnum:]\*" => "^(/O=Test/CN=[:alnum:]*)$"

         "*/CN=Jim Basney|*/CN=James Basney" =>
             "^(.*/CN=Jim Basney|.*/CN=James Basney)$"

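       The conversion rules above, carried out in Python as an added
       illustration (this is not MyProxy's own matcher).  Python's re module
       stands in for the POSIX ERE engine, which is an assumption that holds
       for the constructs these rules produce ('.', '.*', '\.', alternation
       and escaped parentheses).  The unanchored variant exists only to show
       what the '^(' and ')$' wrapping prevents.

```python
"""Convert MyProxy DN patterns to POSIX EREs and match DNs against them.

Added illustration of the REGULAR EXPRESSIONS rules; not MyProxy project
code.  Python's re module is used in place of a POSIX ERE library (an
assumption that holds for the constructs produced here).
"""
import re


def myproxy_regex_to_ere(pattern):
    """Apply the MyProxy -> POSIX ERE rewrite rules, then wrap in ^( )$."""
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            # '\*', '\?' and '\.' turn back into the bare ERE metacharacters;
            # any other escape (for example '\(') is passed through unchanged.
            out.append(nxt if nxt in "*?." else c + nxt)
            i += 2
            continue
        if c == "*":
            out.append(".*")      # shell-style "any run of characters"
        elif c == "?":
            out.append(".")       # shell-style "any single character"
        elif c == ".":
            out.append("\\.")     # a literal dot, as in "James A. Basney"
        else:
            out.append(c)
        i += 1
    # Anchoring both ends is what makes these *full* DN matches.
    return "^(" + "".join(out) + ")$"


def dn_matches(pattern, dn):
    """True if the DN satisfies the MyProxy policy pattern."""
    return re.fullmatch(myproxy_regex_to_ere(pattern), dn) is not None


def would_match_without_anchors(pattern, dn):
    """What the same policy would admit if MyProxy did not add '^(' ')$'.

    Shown only to make the point; never use an unanchored search for
    authorization decisions.
    """
    inner = myproxy_regex_to_ere(pattern)[2:-2]
    return re.search(inner, dn) is not None
```

       Without the anchors, the exact-DN policy "/O=Test/CN=User" would also
       admit "/O=Test/CN=User/CN=proxy"; with them it admits only the DN as
       written.  A leading "*" is the intended way to allow arbitrary prefix
       components, and it must be written deliberately.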

EXAMPLES

       The following policy enables all credential repository features.

       accepted_credentials       "*"
       authorized_retrievers      "*"
       default_retrievers         "*"
       authorized_renewers        "*"
       default_renewers           "none"
       authorized_key_retrievers  "*"
       default_key_retrievers     "none"
       trusted_retrievers         "*"
       default_trusted_retrievers "none"
       cert_dir                   /etc/grid-security/certificates

       The "*" policies place no restriction on client DNs; production
       deployments should narrow them to the DNs that actually need each
       operation.

       The following enables CA functionality using an existing Globus Simple
       CA configuration.

       authorized_retrievers "*"
       pam  "sufficient"
       sasl "sufficient"
       certificate_issuer_cert /home/globus/.globus/simpleCA/cacert.pem
       certificate_issuer_key /home/globus/.globus/simpleCA/private/cakey.pem
       certificate_issuer_key_passphrase "myproxy"
       certificate_serialfile /home/globus/.globus/simpleCA/serial
       certificate_mapfile /etc/grid-security/grid-mapfile
       cert_dir /etc/grid-security/certificates


FILES

       /etc/myproxy-server.config
              Default location for the server configuration file.

       $GLOBUS_LOCATION/etc/myproxy-server.config
              Alternate location for the server configuration file.  A
              different location can be specified by using the
              myproxy-server(8) -c option.

       $GLOBUS_LOCATION/share/myproxy/myproxy-passphrase-policy
              A sample program for evaluating passphrase quality for use with
              the passphrase_policy_program option.

       $GLOBUS_LOCATION/share/myproxy/myproxy-certificate-mapapp
              A sample certificate_mapapp program for mapping account names to
              certificate subject distinguished names.

       $GLOBUS_LOCATION/share/myproxy/myproxy-accepted-credentials-mapapp
              A sample accepted_credentials_mapapp program for authorizing
              puts/stores (e.g. with myproxy-init(1) and myproxy-store(1)).


ENVIRONMENT

       GLOBUS_LOCATION
              Specifies the root of the MyProxy installation, used to find the
              default location of the myproxy-server.config file.


AUTHORS

       See http://grid.ncsa.illinois.edu/myproxy/about for the list of MyProxy
       authors.


SEE ALSO

       myproxy-change-pass-phrase(1), myproxy-destroy(1),
       myproxy-get-trustroots(1), myproxy-info(1), myproxy-init(1),
       myproxy-logon(1), myproxy-retrieve(1), myproxy-store(1),
       myproxy-admin-adduser(8), myproxy-admin-change-pass(8),
       myproxy-admin-load-credential(8), myproxy-admin-query(8),
       myproxy-server(8)



MyProxy                           2014-07-12          myproxy-server.config(5)