Provided by: myproxy-server_5.5-1_i386

NAME

       myproxy-server.config - myproxy-server configuration file

DESCRIPTION

       The  myproxy-server.config  file  sets  the  policy  for  the  myproxy-
       server(8), specifying what credentials may be stored  in  the  server's
       repository,  who  is  authorized  to  retrieve  credentials,  and other
       configurable server behaviors.  By default, the myproxy-server(8) looks
       for  this  file  in  /etc/myproxy-server.config  and if it is not found
       there,  it  looks  in  $GLOBUS_LOCATION/etc/myproxy-server.config.    A
       template   is   provided   at   $GLOBUS_LOCATION/share/myproxy/myproxy-
       server.config.  The myproxy-server -c option can be used to specify  an
       alternative location.

       The  following  lines  set  access  control  policies  according to the
       client's  certificate  subject  distinguished  name  (DN).   Note  that
       MyProxy  uses  non-standard  regular expressions for distinguished name
       (DN) matching. See the REGULAR EXPRESSIONS section below for details.

       accepted_credentials "DN regex"
              Each of these lines allows any clients whose DNs match the given
              limited  regex  to  connect  to  the  myproxy-server  and  store
              credentials with it for future retrieval.  Any number  of  these
              lines  may appear.  For backwards compatibility, these lines can
              also start with allowed_clients instead of accepted_credentials.
              If  no accepted_credentials lines are specified, the server will
              not allow any clients to store credentials.

       authorized_retrievers "DN regex"
              Each of these lines  allows  the  server  administrator  to  set
              server-wide policies for credential retrievers. If the client DN
              does not match the  given  limited  regex,  the  client  is  not
              allowed to retrieve credentials from the server.  In addition to
              the server-wide policy, myproxy also provides support  for  per-
              credential  policy.  The  user  can  specify the regex DN of the
              allowed  retrievers  of  the  credential  when   uploading   the
              credential  (using  myproxy-init(1)  or  myproxy-store(1)).  The
               retrieval client DN must also match the user-specified regex. In
               order to retrieve credentials the client also needs to know  the
               username and pass phrase that were supplied when the credentials
               were stored.  Any number of these lines may appear.  For
              backwards  compatibility,  these  lines  can  also  start   with
              allowed_services   instead   of  authorized_retrievers.   If  no
              authorized_retrievers lines are specified, the server  will  not
              allow any clients to retrieve credentials.

       default_retrievers "DN regex"
              Each  of  these  lines  allows  the  server administrator to set
              server-wide default policies. The regex  specifies  the  clients
              who  can access the credentials. The default retriever policy is
              enforced if a per-credential policy is not specified  on  upload
              (using  myproxy-init(1)  or  myproxy-store(1)).  In other words,
              the client can override this policy for a credential on  upload.
              The per-credential policy is enforced in addition to the server-
              wide policy specified by the authorized_retrievers  line  (which
              clients  can  not  override).   Any number of these lines may be
              present.  For backwards compatibility, if no  default_retrievers
              line  is  specified, the default policy is "*", which allows any
              client to pass the per-credential  policy  check.   (The  client
              must still pass the authorized_retrievers check.)

       authorized_renewers "DN regex"
              Each  of  these  lines  allows  the  server administrator to set
              server-wide policies for authorized renewers. If the  client  DN
              does not match the given limited regex the client is not allowed
              to renew the credentials previously stored  by  a  client.   See
              allow_self_authorization below for a further restriction on this
              policy.  In addition to the  server-wide  policy,  myproxy  also
              provides support for per-credential policy. The user can specify
              the regex DN of the allowed renewers of the credential on upload
              (using  myproxy-init(1)).  The renewal client DN must match both
              this regex and the user  specified  regex.  In  this  case,  the
              client  must  also  already have a credential with a DN matching
              the DN of the credentials to be  retrieved,  to  be  used  in  a
              second  authorization  step  (see  the  -a  options for myproxy-
              logon(1) and myproxy-retrieve(1)).

       default_renewers "DN regex"
              Each of these lines  allows  the  server  administrator  to  set
              server-wide  default  renewer  policies. The regex specifies the
              clients who can  renew  the  credentials.  The  default  renewer
              policy  is  enforced if a per-credential policy is not specified
              on upload (using myproxy-init(1)).  This is enforced in addition
              to  the  server-wide policy specified by the authorized_renewers
              line. Any number of  these  lines  may  appear.   For  backwards
              compatibility,  if  no  default_renewers  line is specified, the
              default policy is "*", which allows any client to pass the  per-
              credential  policy  check.   (The  client  must  still  pass the
              authorized_renewers check.)

       authorized_key_retrievers "DN regex"
              This policy controls who can retrieve credentials  (certificates
              and   keys)   directly   from   the  repository  using  myproxy-
              retrieve(1).  Clients must also match the  authorized_retrievers
              policy.   If  no  authorized_key_retrievers lines are specified,
              the server will not allow any clients to retrieve keys  directly
              from the repository.

       default_key_retrievers "DN regex"
              This  policy applies if a per-credential policy is not specified
              on upload (using myproxy-init(1) or myproxy-store(1)).  In other
              words,  the  client can override this policy for a credential on
              upload.  The per-credential policy is enforced  in  addition  to
              the      server-wide      policy      specified      by      the
              authorized_key_retrievers line (which clients can not override).
              Any   number   of   these   lines   may   be   present.   If  no
              default_key_retrievers line is specified, the default policy  is
              "*",  which  allows any client to pass the per-credential policy
              check.      (The     client     must     still     pass      the
              authorized_key_retrievers check.)

       trusted_retrievers "DN regex"
              This  policy  controls  who  can  retrieve  credentials  without
              further  authentication.   By  default,   clients   that   match
              authorized_retrievers  must  perform  additional  authentication
              (such as passphrase, PAM,  or  SASL)  to  retrieve  credentials.
              However,     authenticated     clients     that    match    both
              authorized_retrievers and  trusted_retrievers  do  not  need  to
              perform  additional  authentication,  unless the credentials are
              protected by a passphrase, in which case the passphrase is still
              required.   Note:  The myproxy-server(8) will fail on startup or
              reconfig  with  an  "unsafe  policy"  error  if  a   policy   of
              trusted_retrievers  "*"  is  specified without also specifying a
              restrictive  default_trusted_retrievers  policy,  to  avoid   an
              unsafe  policy  that  would  release  credentials to all clients
              without      additional      authentication.       See      also
              allow_self_authorization below for a further restriction on this
              policy.

       default_trusted_retrievers "DN regex"
              If a user doesn't  set  a  trusted  retrieval  policy  with  the
              credential  on  upload  (via  'myproxy-init  -Z'),  the myproxy-
              server(8) will apply the following policy  in  addition  to  the
              trusted_retrievers  policy.   If  no  default_trusted_retrievers
              policy is  set,  then  only  the  trusted_retrievers  policy  is
              applied.
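
       The policy lines above compose as follows.  The fragment below is an
       added illustration, not the template shipped with MyProxy; the
       organisation, hostnames and DNs are invented, and "*" is the MyProxy
       DN wildcard described under REGULAR EXPRESSIONS.

```conf
# Example access-control policy for myproxy-server.config (illustration;
# every DN below is hypothetical).

# Only holders of Example Org certificates may store credentials.
accepted_credentials  "/C=US/O=Example Org/CN=*"

# Server-wide ceiling on retrieval: Example Org users and the portal host.
# Anyone else is refused before any passphrase/PAM/SASL check happens.
authorized_retrievers "/C=US/O=Example Org/CN=*"
authorized_retrievers "/C=US/O=Example Org/OU=Services/CN=portal.example.org"

# Applied only when the uploader set no per-credential retriever policy;
# an uploader may narrow or widen it, but never beyond authorized_retrievers.
default_retrievers    "/C=US/O=Example Org/CN=*"

# Renewal: only the job manager host, and only when the uploader's own
# renewer policy (or this default) also names it.  The renewer must still
# present a credential with the subject of the stored credential (-a).
authorized_renewers   "/C=US/O=Example Org/OU=Services/CN=jobmanager.example.org"
default_renewers      "/C=US/O=Example Org/OU=Services/CN=jobmanager.example.org"

# Retrieval without a further passphrase/PAM/SASL step, for the portal only.
# trusted_retrievers "*" on its own would make the server refuse to start
# with an "unsafe policy" error; pairing it with a restrictive
# default_trusted_retrievers is what makes a "*" acceptable.
trusted_retrievers         "/C=US/O=Example Org/OU=Services/CN=portal.example.org"
default_trusted_retrievers "/C=US/O=Example Org/OU=Services/CN=portal.example.org"

# authorized_key_retrievers is deliberately absent: with no line present,
# nobody can pull a stored private key out of the repository with
# myproxy-retrieve(1).
```

       Reading the file top to bottom: a client first has to pass the
       authorized_* line for the operation it requests, then the
       per-credential policy (or the default_* line standing in for it),
       and only then is it asked for the passphrase or other authentication
       that trusted_retrievers may waive.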

       The following lines in the configuration file set other server options.

       passphrase_policy_program full-path-to-script
              This  line  specifies  a program to run whenever a passphrase is
              set or changed for implementing a local  password  policy.   The
              program is passed the new passphrase via stdin and is passed the
              following arguments: username,  distinguished  name,  credential
              name  (if  any),  per-credential  retriever policy (if any), and
              per-credential renewal policy (if any).  If  the  passphrase  is
              acceptable,  the  program should exit with status 0.  Otherwise,
              it should exit with non-zero status, causing  the  operation  in
              progress  (credential  load, passphrase change) to fail with the
              error message provided by the program's stdout.  Note: You  must
              specify the full path to the external program.  $GLOBUS_LOCATION
              can't be used  in  the  myproxy-server.config  file.   A  sample
              program  is installed in $GLOBUS_LOCATION/share/myproxy/myproxy-
              passphrase-policy but is not enabled by default.

              Be sure to follow secure coding practices for this call-out:
              - Don't allow input to overflow fixed-size buffers.
              - Don't pass unchecked input to a shell command.
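
       A minimal call-out that follows the interface above, written in POSIX
       sh.  This is an added example and not the myproxy-passphrase-policy
       sample installed under $GLOBUS_LOCATION/share/myproxy; the minimum
       length, the character-class rule and the "must not contain the
       username" rule are local policy choices invented for the example.

```shell
#!/bin/sh
# Hypothetical passphrase_policy_program call-out (example code, not the
# sample shipped with MyProxy).  Install as, for instance:
#   passphrase_policy_program /usr/local/sbin/myproxy-passphrase-policy
# myproxy-server passes the new passphrase on stdin and the arguments
#   username  DN  [credential-name]  [retriever-policy]  [renewer-policy]
# Exit 0 to accept.  Exit non-zero to reject; the text written to stdout
# becomes the error message the client sees.

MIN_LEN=12   # local policy choice for this example

# check_passphrase USERNAME DN ...: reads the candidate passphrase from
# stdin.  Returns 0 if acceptable; otherwise prints the reason, returns 1.
check_passphrase() {
    username=$1
    # IFS= and -r keep leading blanks and backslashes.  When the server
    # sends no trailing newline, read returns non-zero but $pw is still
    # set, so its status is ignored.
    IFS= read -r pw || :
    # $pw is only ever expanded inside double quotes or as a case subject;
    # it never reaches eval, echo -e, a pattern argument, or a command line,
    # so shell metacharacters in a passphrase are harmless here.
    if [ "${#pw}" -lt "$MIN_LEN" ]; then
        printf 'passphrase must be at least %d characters\n' "$MIN_LEN"
        return 1
    fi
    case $pw in
        *[A-Za-z]*) ;;
        *) printf 'passphrase must contain a letter\n'; return 1 ;;
    esac
    case $pw in
        *[!A-Za-z]*) ;;
        *) printf 'passphrase must contain a digit or punctuation\n'; return 1 ;;
    esac
    if [ -n "$username" ]; then
        # Quoting the variable inside the pattern matches it literally.
        case $pw in
            *"$username"*)
                printf 'passphrase must not contain the username\n'
                return 1 ;;
        esac
    fi
    return 0
}

# When invoked by myproxy-server, at least username and DN are present.
if [ "$#" -ge 2 ]; then
    check_passphrase "$@"
    exit $?
fi
```

       Because the server reports whatever the script prints, the messages
       deliberately say what the rule is without echoing the rejected
       passphrase back.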

       cert_dir full-path-to-certificates-directory
              Specifies the path  to  the  CA  certificates  directory  to  be
              returned  to  clients  requesting  trust  roots (such as via the
              myproxy-logon(1) -T option).

       max_proxy_lifetime hours
              This line specifies a server-wide maximum lifetime for retrieved
              proxy  credentials.   By  default,  no  server-wide  maximum  is
              enforced.  However, if this option is specified, the server will
              limit  the  lifetime  of  any retrieved proxy credentials to the
              value given.

       max_cred_lifetime hours
              This line specifies a server-wide maximum  lifetime  for  stored
              credentials.   By  default,  no server-wide maximum is enforced.
              However, if this option is specified, the server will limit  the
              lifetime of any stored credentials to the value given.

       ignore_globus_limited_proxy_flag boolean
              By  default,  MyProxy will respect the policy of "limited" proxy
              certificates as follows.   If  a  client  authenticates  with  a
              limited  proxy, the client should only be able to obtain another
              limited proxy, not a  full  proxy  or  end  entity  certificate.
              Thus,  the  MyProxy  CA  will  not  accept  limited  proxies for
              authentication.  However, if this option is set to true, MyProxy
              will treat limited proxy certificates as if they were full proxy
              certificates.

       allow_self_authorization boolean
              By  default,  MyProxy  will  disallow   trusted_retrievers   and
              authorized_renewers  whose DN matches the identity of the stored
              credential, so a  proxy  by  itself  can  not  be  refreshed  or
              renewed.    However,  if  this  option  is  set  to  true,  this
              restriction is lifted.

       syslog_ident name
              You can optionally specify the string to be prepended  to  every
               message  written  to  the  syslog.   If  not specified, the name
               defaults to the program name, i.e. myproxy-server.

       syslog_facility name
              By default, the myproxy-server will log to the  syslog  "daemon"
              facility.  With  this option you can specify an alternate syslog
              facility, such as "auth", "user", "security", or "local0".   The
              facility can also be specified numerically as with the logger(1)
              command.

       request_timeout seconds
              Specifies the maximum time  a  myproxy-server(8)  child  process
              should  spend  servicing  a  client request before aborting.  By
              default, child  processes  will  abort  after  120  seconds.   A
              negative value will disable the timeout.

       request_size_limit bytes
              Limits  the  amount  of incoming application-level protocol data
              the myproxy-server(8) will accept from clients, to avoid  memory
              exhaustion  under  heavy  load. Specified in bytes.  Defaults to
              1MB (1048576 bytes).  A zero  or  negative  value  disables  the
              limit.

       proxy_extfile full-path-to-extension-file
              Optionally  specifies  the  full  path  to  a file containing an
              OpenSSL formatted set of certificate extensions  to  include  in
              all  proxy  certificates  issued  from  the  MyProxy  repository
              (analogous to certificate_extfile for the CA module).

       proxy_extapp full-path-to-extension-callout-program
              This is the call-out version of  proxy_extfile.   It  optionally
              specifies  the  full  path  to a call-out program for specifying
              proxy  certificate  extensions.    It   will   be   passed   the
              authenticated  username and the proxy credential location as the
              two command arguments.  On success, it should write the  OpenSSL
              formatted  set of certificate extensions to stdout and exit with
              zero status.  On error, it should write to stderr and exit  with
              nonzero  status.   Either  proxy_extfile  or proxy_extapp can be
              specified but not both.

              Be sure to follow secure coding practices for this call-out:
              - Don't allow input to overflow fixed-size buffers.
              - Don't pass unchecked input to a shell command.

       voms_userconf full-path-to-voms-configuration-file
              Optionally specifies the full path  to  the  VOMS  configuration
              file containing VOMS server information. It is usually specified
               in the environment variable VOMS_USERCONF.

       allow_voms_attribute_requests boolean
              If this parameter is set to true  and  a  GET  request  includes
              VONAME  and  (optionally) VOMSES parameters, call-out to VOMS to
              add the requested attributes to the issued certificate. Requires
              linking  with  VOMS  libraries.  By  default,  VONAME and VOMSES
              parameters in requests will be ignored unless this parameter  is
              set to true.

       The  MyProxy  server  can  be  optionally configured for authentication
       based on Pluggable  Authentication  Modules  (PAM)  and/or  the  Simple
       Authentication  and  Security  Layer  (SASL).   Kerberos  is one of the
       supported SASL authentication methods.  The following  options  control
       the use of PAM and SASL.

       pam option
              This  line governs the use of PAM to check passphrases.  MyProxy
              will attempt to authenticate via PAM, with the supplied username
              and  passphrase.   Note  that  PAM  will  need  to be configured
              externally   for   the   application   "myproxy"   (usually   in
              /etc/pam.d/),  or  for  the  application named by pam_id, below.
              Accepted values:

              required
                     PAM  password  authentication  is  required   under   all
                     conditions.   If  the credential is unencrypted (that is,
                     it has no passphrase), a  PAM  password  check  is  still
                     required   for  authentication.   If  the  credential  is
                     encrypted, its passphrase must match the PAM password.

              sufficient
                     The user's passphrase may  match  either  the  credential
                     passphrase  or, if the credential is unencrypted, the PAM
                     passphrase.  If the credential is encrypted, then the PAM
                     password is not relevant.

              disabled (default)
                     PAM is not used to check passphrases.

       pam_id string
              The  name  that myproxy uses to identify itself to PAM.  Default
              is "myproxy".  For example, on most Unix-like systems, if pam_id
              is  set  to  "login",  MyProxy  will  authenticate  against  the
              system's own usernames and passwords.

       sasl option
              This line governs the  use  of  SASL  authentication.   Accepted
              values:

              required
                     SASL    authentication   is   required   for   retrieving
                     credentials.

              sufficient
                     SASL  authentication   is   sufficient   for   retrieving
                     credentials, but other authentication methods may be used
                     instead.

              disabled (default)
                     SASL authentication isn't used.

       sasl_mech mechanism
              Forces the use of a single SASL mechanism, overriding  the  SASL
              configuration file. (Typically not required.)

       sasl_serverFQDN hostname
              Configures  the  SASL  server  fully-qualified  domain  name for
              multi-homed servers. (Typically not required.)

       sasl_user_realm realm
              Configures the SASL user realm. (Typically not required.)

       The MyProxy server can also be  configured  to  act  as  a  Certificate
       Authority   (CA)  to  issue  credentials  to  clients.   The  following
       parameters enable and configure the CA functionality.

       certificate_issuer_cert full-path-to-certificate
              This line specifies the full path to the issuer  certificate  to
              optionally  configure  the  myproxy-server  to  act as an online
              certificate authority.

       certificate_issuer_key full-path-to-key
              When specifying certificate_issuer_cert  above,  you  must  also
              give  the  name  of the CA private key for signing certificates.
               This is normally the path to a CA private key in PEM format, but
               if   you   are   using   an   OpenSSL   engine   (see
               certificate_openssl_engine_id) then it can be the key name.

       certificate_issuer_key_passphrase "passphrase"
              If the certificate_issuer_key is encrypted, give the  passphrase
              here.

       certificate_issuer_subca_certfile full-path-to-subca-certificate-file
              If you would like an intermediate/sub-CA certificate chain to be
              sent along with the EEC (End Entity Certificate) generated using
              a  local  intermediate/sub-CA,  specify  the  file that contains
              those certificates in PEM format. This is meant to aid scenarios
              where the CA used is an intermediate CA (i.e. not a root CA) and
              the client may not have the  intermediate  CA(s)  in  its  trust
              store. The client will write out the chain into the same file as
              the EEC, following the EEC.

       certificate_issuer_hashalg algorithm
               Specifies the hash algorithm  to  use  when  signing  end-entity
               certificates.   Defaults  to  "sha1".   When linked with OpenSSL
               0.9.8 or later, "sha224", "sha256", "sha384"  and  "sha512"  are
               also supported.  SHA-1 is no longer considered collision
               resistant and current relying parties increasingly reject SHA-1
               signatures, so set "sha256" or stronger unless you must
               interoperate with software that cannot verify it.

       certificate_issuer_email_domain "domain"
              If  set,  specifies  the  domain  part  of  the  X509v3  Subject
              Alternative Name email address included in issued certificates.

       certificate_openssl_engine_id engineId

       certificate_openssl_engine_pre pre-initialization-commands

       certificate_openssl_engine_post post-initialization-commands
              These commands can be used to allow any  OpenSSL  engine  to  be
              used  with MyProxy.  This enables the use of hardware tokens and
              signing modules to sign certificates.  Given the  parameters  of
              an OpenSSL "engine" command, the first argument, the identity of
              the engine becomes the argument to certificate_openssl_engine_id
              and    -pre    commands    are    listed    in    order    using
              certificate_openssl_engine_pre and -post commands are listed  in
              order  using  certificate_openssl_engine_post.   For example the
              command-line:

                  openssl engine dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/opensc-pkcs11.so

               becomes:

                  certificate_openssl_engine_id "dynamic"

                  certificate_openssl_engine_pre "SO_PATH:/usr/lib/engines/engine_pkcs11.so" "ID:pkcs11" "LIST_ADD:1" "LOAD" "MODULE_PATH:/usr/lib/opensc-pkcs11.so"

               Please note that any shared library engines loaded  through  the
               "dynamic" engine MUST be compiled against the correct version of
               OpenSSL.  The Globus toolkit has its own installation and can be
               found by running $GLOBUS_LOCATION/bin/openssl version.

       certificate_openssl_engine_lockfile full-path-to-file
              If  your  hardware token or HSM is unable to handle simultaneous
              operations, provide a  path  to  a  lockfile  for  synchronizing
              operations to the engine device.  The myproxy-server will create
              the file if it does not already exist.

       certificate_issuer_program full-path-to-script
              This line specifies the path to a program to issue  certificates
              for  authenticated  clients  that don't have credentials stored.
              This optionally configures  the  myproxy-server  to  act  as  an
              online certificate authority, allowing programmatic control over
              the  certificate  issuance  process.   You  can  either  specify
              certificate_issuer_cert or certificate_issuer_program.

              Be sure to follow secure coding practices for this call-out:
              - Don't allow input to overflow fixed-size buffers.
              - Don't pass unchecked input to a shell command.

       certificate_serialfile full-path-to-serial-file
              Specifies  the path to a file to store the serial number counter
              for issued certificates.  Defaults to /var/lib/myproxy/serial.

       certificate_serial_skip increment
              Specifies the number to add to the serial  number  each  time  a
              certificate is issued. Use this to stagger serial numbers across
              multiple CA instances to avoid serial number  clashes.  Defaults
              to 1.

       certificate_out_dir full-path-to-output-directory
              Specifies the path to a directory where new certificates will be
              archived.

       max_cert_lifetime hours
              Specifies the  maximum  lifetime  (in  hours)  for  certificates
              issued by the CA module.  Defaults to 12 hours.

       min_keylen bits
              Specifies  the minimum RSA key length (in bits) for certificates
              issued by the CA module.

       certificate_extfile full-path-to-extension-file
              Optionally specifies the full  path  to  a  file  containing  an
              OpenSSL  formatted  set  of certificate extensions to include in
              all issued certificates.  For example:
                 keyUsage=digitalSignature,keyEncipherment,dataEncipherment
                 subjectKeyIdentifier=hash
                 authorityKeyIdentifier=keyid,issuer:always
                 crlDistributionPoints=URI:http://ca.ncsa.uiuc.edu/4a6cd8b1.r0
                 basicConstraints=CA:FALSE
              If not  set,  the  MyProxy  CA  will  include  a  basic  set  of
              extensions in issued certificates.

       certificate_extapp full-path-to-extension-callout-program
              This   is  the  call-out  version  of  certificate_extfile.   It
              optionally specifies the full path to  a  call-out  program  for
              specifying  certificate  extensions.   It  will  be  passed  the
              authenticated username  as  the  single  command  argument.   On
              success,   it   should   write  the  OpenSSL  formatted  set  of
              certificate extensions to stdout and exit with zero status.   On
              error,  it  should write to stderr and exit with nonzero status.
              Either  certificate_extfile   or   certificate_extapp   can   be
              specified but not both.

              Be sure to follow secure coding practices for this call-out:
              - Don't allow input to overflow fixed-size buffers.
              - Don't pass unchecked input to a shell command.

       certificate_mapfile full-path-to-mapfile
              When  specifying  certificate_issuer_cert  above,  you  can  map
              account names to certificate subject distinguished names for the
              issued  certificates  using  this  mapfile,  which  has the same
              format as used by other Globus Toolkit  services.   By  default,
              /etc/grid-security/grid-mapfile  is  used.   The  Globus Toolkit
              grid-mapfile-add-entry  and  grid-mapfile-delete-entry  commands
              can be used to manage the grid-mapfile.
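
       Put together, a file-based CA configuration looks like the fragment
       below.  It is an added illustration, not the distributed template: the
       paths, the example grid-mapfile line and the hash, lifetime and key
       length values are choices made for the example.

```conf
# CA module example for myproxy-server.config (illustration; all paths and
# the DN in the mapfile comment are hypothetical).

# Issuer certificate and its PEM private key (or an engine key name when
# certificate_openssl_engine_id is set).  If the key is encrypted its
# passphrase has to be written here with certificate_issuer_key_passphrase,
# so this file must then be readable only by the user the server runs as.
certificate_issuer_cert    /etc/grid-security/myproxy-ca/cacert.pem
certificate_issuer_key     /etc/grid-security/myproxy-ca/cakey.pem

# sha1 is the default; sign with sha256 instead.
certificate_issuer_hashalg sha256

# Lifetime ceiling in hours (12 is the default) and a key-size floor.
max_cert_lifetime          12
min_keylen                 2048

# Serial counter.  With two CA instances sharing this issuer, seed one
# serial file at 1 and the other at 2 and give both certificate_serial_skip 2
# so the two sequences never collide; a single instance keeps the default 1.
certificate_serialfile     /var/lib/myproxy/serial
certificate_serial_skip    1

# Extensions stamped on every end-entity certificate, such as the
# keyUsage / basicConstraints=CA:FALSE set shown under certificate_extfile.
certificate_extfile        /etc/grid-security/myproxy-ca/ee-extensions.cnf

# Username -> subject DN.  grid-mapfile lines have the form
#   "/C=US/O=Example Org/CN=Alice Example" alice
certificate_mapfile        /etc/grid-security/grid-mapfile

# Keep a copy of everything the CA signs.
certificate_out_dir        /var/lib/myproxy/issued
```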

       certificate_mapapp full-path-to-mapapp
              When  specifying  certificate_issuer_cert  above,  you  can  map
              account names to certificate subject distinguished names for the
              issued  certificates using this call-out.  It will be passed the
              authenticated username  as  the  single  command  argument.   On
              success,  it  should write the distinguished name in OpenSSL one
              line  format  (for  example,   "/C=US/O=National   Computational
              Science  Alliance/CN=Jim  Basney")  to stdout and exit with zero
              status.  On error, it should  write  to  stderr  and  exit  with
              nonzero  status.  If it is not defined, then mapfile lookup will
              be executed instead (see certificate_mapfile above).  An example
              is    installed    in    $GLOBUS_LOCATION/share/myproxy/myproxy-
              certificate-mapapp.

              Be sure to follow secure coding practices for this call-out:
              - Don't allow input to overflow fixed-size buffers.
              - Don't pass unchecked input to a shell command.
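
       A certificate_mapapp can be as small as a table lookup, but it is the
       point at which a client-supplied string (the username) reaches a shell.
       The script below is an added example, not the myproxy-certificate-mapapp
       sample in $GLOBUS_LOCATION/share/myproxy; its map is constructed inline,
       the DNs are invented, and restricting names to lowercase POSIX portable
       characters is a local choice.

```shell
#!/bin/sh
# Hypothetical certificate_mapapp call-out (example code, not the sample
# shipped with MyProxy).  Install as, for instance:
#   certificate_mapapp /usr/local/sbin/myproxy-certificate-mapapp
# myproxy-server passes the authenticated username as the single argument.
# On success print the subject DN in OpenSSL one-line format and exit 0;
# on error write to stderr and exit non-zero.

# Constructed example map, one "username DN" pair per line.  A real
# deployment would read it from a root-owned file instead.
USERMAP='alice /C=US/O=Example Org/CN=Alice Example
bob /C=US/O=Example Org/CN=Bob Example'

# valid_username NAME: returns 0 only for lowercase portable account names.
# Everything else (shell metacharacters, slashes, spaces, a leading dot or
# dash) is rejected before the name is used anywhere.
valid_username() {
    case $1 in
        ''|*[!a-z0-9._-]*|[.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# map_username_to_dn NAME: prints the mapped DN, or returns 1.
map_username_to_dn() {
    name=$1
    if ! valid_username "$name"; then
        printf 'rejecting malformed username\n' >&2
        return 1
    fi
    # Whole-token comparison against a quoted variable: the name is never
    # interpolated into a grep/awk pattern or a command line, so neither
    # regex nor shell injection is possible.  The explicit subshell makes
    # "exit" terminate only the lookup, and its status becomes ours.
    printf '%s\n' "$USERMAP" | (
        while IFS=' ' read -r user dn; do
            if [ "$user" = "$name" ]; then
                printf '%s\n' "$dn"
                exit 0
            fi
        done
        printf 'no mapping for user %s\n' "$name" >&2
        exit 1
    )
}

# When invoked by myproxy-server exactly one argument is present.
if [ "$#" -eq 1 ]; then
    map_username_to_dn "$1"
    exit $?
fi
```

       Rejecting on stderr with a non-zero status is what makes the CA abort
       the issuance; printing an empty line and exiting 0 would instead
       hand the client a certificate with an empty subject.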

       certificate_request_checker full-path-to-callout-program
              This CA call-out can be  used  to  perform  checks  on  incoming
              certificate  requests. It will be passed the certificate request
              in PEM format on stdin. If it returns a nonzero exit status, the
              CA  will  abort  without  signing the request.  When returning a
              nonzero exit status, the callout should indicate the problem  on
              stderr.        An       example       is       installed      in
              $GLOBUS_LOCATION/share/myproxy/myproxy-certreq-checker.

       certificate_issuer_checker full-path-to-callout-program
              This CA call-out  can  be  used  to  perform  checks  on  issued
              certificates  before  the certificate is returned to the client.
              It will be passed the certificate in PEM format on stdin. If  it
              returns  a  nonzero  exit  status,  the  CA  will  abort without
              returning the signed certificate to the client. When returning a
              nonzero  exit status, the callout should indicate the problem on
              stderr.       An       example       is       installed       in
              $GLOBUS_LOCATION/share/myproxy/myproxy-cert-checker.

       If OpenLDAP support is built-in to the myproxy-server(8), the following
       parameters can be used to configure the CA module to map account  names
       to certificate subject distinguished names via LDAP.

       ca_ldap_server "ldap://localhost:389/"
              This  parameter  specifies the URI to the LDAP server to use for
              username to DN resolution in the CA module.   Both  ldap://  and
              ldaps://  protocols are supported.  A port number may optionally
              be specified as well.  Defining this directive is the  "trigger"
              that causes the name resolution module to use LDAP querying.  If
              it is not defined, then mapfile lookup will be executed  instead
              (see certificate_mapfile above).

       ca_ldap_uid_attribute "uid"
              The  name  of  the  record  attribute  that  maps to the MyProxy
              username.  Required for LDAP username to DN resolution.

       ca_ldap_searchbase "ou=people,dc=bullwinkle,dc=lbl,dc=gov"
              The DN of the region  of  the  ldap  database  to  be  searched.
              Required for LDAP username to DN resolution.

       ca_ldap_dn_attribute "subjectDN"
              If  this  directive  is  set, the LDAP resolver will pull the DN
              from the specified attribute in the returned record.  If  it  is
              not set, the default is to use the DN of the record itself.

       ca_ldap_connect_dn "cn=MyProxy,ou=ldapusers,dc=lbl,dc=gov"
              DN for LDAP basic authentication (optional).

       ca_ldap_connect_passphrase "passphrase"
              Passphrase for LDAP basic authentication (optional).

       The  following  parameters control server replication with the myproxy-
       replicate(1) utility.

       slave_servers server:port;
               This value is for use  with  the  myproxy-replicate(1)  utility.
               It lists the servers that will be used as secondary repositories
               for the MyProxy database.  Separate each server with a ";".   A
               port may be given if the slave server listens on  a  port  other
               than the default.  The server name may be a resolvable DNS  name
               or an IP address.

       The  following  parameters control Pubcookie (http://www.pubcookie.org)
       authentication.

       pubcookie_granting_cert full-path-to-pem-file
              Sets  the  full  path  to  the  PEM-encoded  Pubcookie  granting
              certificate  for  verifying  signatures  on  Pubcookie  granting
              cookies.  Setting this parameter enables Pubcookie support.

       pubcookie_app_server_key full-path-to-key-file
              Sets the full path to the 2048 byte application server key  (see
              Pubcookie's   Apache   directive  PubcookieCryptKeyfile).   This
              parameter is optional; if omitted,  cookie  decryption  will  be
              disabled,  and  MyProxy  will  only  accept  plaintext  cookies,
              although  it   will   still   verify   their   signatures   with
              pubcookie_granting_cert (see above).

       The following parameters are used primarily when utilizing MyProxy as a
       delegation service for web portals.

       accepted_credentials_mapfile full-path-to-mapfile
              This parameter points  to  a  grid-mapfile,  which  is  possibly
              different  from  other  mapfiles  above.  When  specified,  this
              mapfile  is  utilized  during  puts/stores  (e.g.  with
              myproxy-init(1) and myproxy-store(1)).  A credential is authorized
              to be put/stored only under the username specified in the mapfile.
              This  prevents  storing  a  user's  credential under a different
              username.  Note that the credential checked for the presence  of
              a  SubjectDN/Username  entry  in  the  mapfile is the credential
              utilized to secure the connection between client and server, NOT
              the  actual  credential  being  stored.  As the credential which
              secures  the  TLS  connection  is  typically  the  same  as  the
              credential  being stored, this should not be a major issue.  The
              Globus Toolkit grid-mapfile-add-entry and grid-mapfile-delete-entry
              commands can be used to manage the grid-mapfile.

       accepted_credentials_mapapp full-path-to-mapapp
              As  an  alternative  to  the accepted_credentials_mapfile option
              above,  you  can  specify  a  call-out  which  is   passed   two
              parameters:  a  certificate  subject  distinguished  name  and a
              username (in that order).  In essence, the call-out  performs  a
              lookup  in  a  'virtual'  accepted_credentials_mapfile.   If the
              SubjectDN/Username line would appear in such a mapfile, then the
              call-out   should  exit  with  zero  status  indicating  that  a
              credential with the given SubjectDN  is  allowed  to  be  stored
              under  the  given Username.  Otherwise, the call-out should exit
              with nonzero status indicating error.  An example  is  installed
              in $GLOBUS_LOCATION/share/myproxy/myproxy-accepted-credentials-mapapp.

              Be sure to follow secure coding practices for this call-out:
              - Don't allow input to overflow fixed-size buffers.
              - Don't pass unchecked input to a shell command.
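
              As an added illustration of the call-out contract described above
              (this is not MyProxy's sample mapapp), the following C program looks
              the DN/username pair up in a mapfile and follows the two rules just
              listed: fgets is bounded so oversized input cannot overflow the line
              buffer, and the arguments are compared in memory, never handed to a
              shell.  The mapfile path and the grid-mapfile-style line layout
              "DN" user1,user2 are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
#define LINE_CAP 4096   /* fgets never writes past this bound, whatever the input length */

/* Does one mapfile line of the form  "DN" user1,user2  grant 'user' for exactly 'dn'?
   Whole-string comparisons only: no regex, no shell, no copying into fixed buffers. */
static int line_grants(const char *line, const char *dn, const char *user)
{
    const char *p = line;
    while (*p == ' ' || *p == '\t') p++;
    if (*p++ != '"') return 0;                       /* the DN must be quoted */
    const char *close = strchr(p, '"');
    size_t dlen = strlen(dn), ulen = strlen(user);
    if (!close || (size_t)(close - p) != dlen || memcmp(p, dn, dlen) != 0) return 0;
    for (p = close + 1; *p == ' ' || *p == '\t'; p++) ;
    while (*p && *p != '\n') {                       /* comma-separated username list */
        size_t len = strcspn(p, ", \t\r\n");
        if (len == ulen && memcmp(p, user, ulen) == 0) return 1;
        p += len;
        if (*p != ',') break;
        p++;
    }
    return 0;
}

/* 1 if some non-comment line in the open mapfile grants the pair, else 0. */
int mapfile_allows(FILE *f, const char *dn, const char *user)
{
    char line[LINE_CAP];
    while (fgets(line, sizeof line, f)) {
        if (!strchr(line, '\n') && !feof(f)) {       /* over-long line: discard the rest, skip it */
            int c;
            while ((c = fgetc(f)) != EOF && c != '\n') ;
            continue;
        }
        if (line[0] != '#' && line_grants(line, dn, user)) return 1;
    }
    return 0;
}

/* Call-out contract: argv[1] = subject DN, argv[2] = username; exit 0 = allowed, else denied. */
int main(int argc, char **argv)
{
    if (argc != 3) return 2;
    FILE *f = fopen("/etc/grid-security/accepted-credentials-mapfile", "r"); /* hypothetical path */
    if (!f) return 2;                                /* cannot read the policy: deny */
    int ok = mapfile_allows(f, argv[1], argv[2]);    /* argv is never handed to a shell */
    fclose(f);
    return ok ? 0 : 1;
}
```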

       check_multiple_credentials boolean
              Typically when a credential is accessed by a client, the  server
              checks  only  one  credential for possible access authorization,
              even if there are multiple credentials stored  under  the  given
              username.   If  this option is set to "true" AND the client does
              not specify a credential name for a MyProxy GET operation (i.e.,
              from  myproxy-logon(1)),  then  the  server  will check multiple
              credentials with the given username.  If a credential  is  found
              to  be  authorized for client access, then that one will be used
              during  processing.   The  default  value  for  this  option  is
              "false".

       The   following  parameters  enable  OCSP  status  checking  of  stored
       credentials in  the  myproxy-server(8)  repository,  to  avoid  use  of
       revoked credentials.

       ocsp_policy policy
              Controls  the  policy for checking certificate validity via OCSP
              before credentials may be delegated.  Currently, only the status
              of  the  end entity certificate is checked via OCSP (and not any
              proxy certificates or CA certificates).  OCSP will not  be  used
              unless ocsp_responder_url and/or ocsp_policy are set.  Supported
              policies are:
                "aia" - use OCSP responder in certificate AIA extension, if
                        present; otherwise use ocsp_responder_url, if set

       ocsp_responder_url URL
              Specifies the URL of an OCSP  responder  to  use  to  check  the
              validity  of credentials stored in the myproxy-server repository
              before they may be delegated, so that  revoked  credentials  can
              not  be retrieved and used where their revocation status may not
              be checked.  Currently,  only  the  status  of  the  end  entity
              certificate  is checked via OCSP (and not any proxy certificates
              or CA  certificates).   In  any  case,  CRL  checks  are  always
              performed.   Both  http and https urls are supported.  OCSP will
              not be used unless  ocsp_responder_url  and/or  ocsp_policy  are
              set.

       ocsp_responder_cert path
              Specifies  the  path  to  the  certificate  of  a  trusted  OCSP
              responder.  This  is  needed  if  the  OCSP  responder  must  be
              explicitly trusted in cases where standard path validation fails
              for the OCSP responder's certificate.

       The  following  parameters  control  Usage  Metrics  reporting  by  the
       myproxy-server(8).

       disable_usage_stats value
              By  default  Usage  Metrics  reporting  is  enabled.  Specifying
              "true", "enabled", "yes", "on" or "1"  for  value  will  disable
              Usage   Metrics   reporting.   Setting  the  GLOBUS_USAGE_OPTOUT
              environment variable to "1" will also disable the  reporting  of
              usage  metrics.  Disabling reporting of usage metrics will cause
              the usage_stats_target setting to be ignored.

       usage_stats_target target_list
              This option can be used to specify the target collector hosts to
              which  usage  metrics  should  be reported. This setting will be
              ignored if disable_usage_stats is enabled.  Multiple targets can
              be  specified  in target_list separated by comma(s). Each target
              specification is of the format host:port[!tags].  The tags control
              what  data  elements  are reported. The following list specifies
              the tags for the corresponding data elements.
              V - Major Version number of MyProxy server
              v - Minor Version number of MyProxy server
              t - Task Code (0=Get, 1=Put, 2=Info, 3=Destroy,
                  4=ChangeCredPassphrase, 5=StoreEndEntCred, 6=RetrEndEntCred,
                  7=GetTrustRoots)
              r - Task Return Code.
              l - Requested Lifetime for Credential.
              L - Actual Lifetime for Credential.
              B - Informational Bit mask to be interpreted left  to  right  as
              follows:
                     PAM used
                     SASL used
                     Credential passphrase check used
                     Trusted Retriever (Certificate-based authentication)
                     Certificate Authorization method used (Trusted Renewer)
                     Pubcookie was used
                     Trustroots requested
                     Trustroots delivered
              I - Client IP address
              u - Username
              U - User DN

              In  addition  to  the  above selected information, the following
              data  are  reported  to   ALL   the   specified/default   target
              collectors.  There's no way to exclude these from being reported
              other than by disabling the reporting of usage metrics:

              Component code - 11 for MyProxy
              Component Data Format version - 0 currently
              IP Address of Reporting Server
              Timestamp
              Hostname

              If no tags are specified in a host spec, or the  special  string
              "default"  is  specified,  the  tags VvtrlLB are assumed. A site
              could choose to allow a different set of data to be reported  by
              specifying a different tag set. The last 3 tags I, u and U above
              are intended more for a local collector that a site might choose
              to deploy, since they could be construed as private information.
              The special string "all" denotes all tags.

              By default, Usage Metrics reporting is sent to
              "usage-stats.cilogon.org:4810".  This can be made explicit by
              specifying "default" (all by itself) for the target specification
              as in:

              usage_stats_target "default"

              If usage_stats_target is not specified, the comma-separated list
              of targets (without any tags) in the  GLOBUS_USAGE_TARGETS
              environment variable, if that variable is set, will be used.

REGULAR EXPRESSIONS

       For  matching  distinguished  names  (DNs)  in access control policies,
       MyProxy uses POSIX Extended  Regular  Expressions  (see  re_format(7)),
       with  custom processing of '*', '?', and '.' metacharacters to simulate
       Unix shell style wildcard processing (for  backward  compatibility  and
       other  historical  reasons).   MyProxy's custom regular expressions are
       converted to POSIX EREs according to the following rules:

         [ MyProxy regex ] => [ POSIX ERE ]
         ----------------------------------
                '*'        =>      '.*'
                '?'        =>      '.'
                '.'        =>      '\.'
                '\*'       =>      '*'
                '\?'       =>      '?'
                '\.'       =>      '.'

       Additionally, MyProxy wraps all regular expressions with '^' and '$' to
       require full DN matching.

       Be  aware  that  parentheses  are metacharacters according to POSIX, so
       escaping is required for literal matching. For example:

         "*/CN=Jim Basney \(admin\)"

       The following examples illustrate how MyProxy regular  expressions  are
       converted to POSIX EREs:

            [ MyProxy regex ]     =>    [ POSIX ERE ]
         ------------------------------------------------------------
         "*/CN=Jim Basney"        => "^.*/CN=Jim Basney$"
         "*/CN=Test User ?"       => "^.*/CN=Test User .?$"
         "*/CN=James A. Basney"   => "^.*/CN=James A\. Basney$"
         "/O=Test/CN=[:alnum:]\*" => "^/O=Test/CN=[:alnum:]*$"

         "*/CN=Jim Basney|*/CN=James Basney" =>
             "^.*/CN=Jim Basney|.*/CN=James Basney$"
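
       An added example (not MyProxy's own code) that applies the conversion
       rules above in C and then matches a DN with the system's POSIX regcomp(3)
       in REG_EXTENDED mode; the helper names myproxy_to_ere, ere_equals and
       dn_matches are this example's own.

```c
#include <regex.h>
#include <stdlib.h>
#include <string.h>
/* Convert a MyProxy DN pattern to a POSIX ERE string following the table above.
   Returns a malloc'd string (caller frees) or NULL on allocation failure. */
char *myproxy_to_ere(const char *in)
{
    size_t n = strlen(in);
    char *out = malloc(2 * n + 3);   /* each input char yields at most 2 chars, plus ^ $ NUL */
    if (!out) return NULL;
    char *o = out;
    *o++ = '^';                      /* MyProxy anchors both ends to require a full DN match */
    for (size_t i = 0; i < n; i++) {
        char c = in[i];
        if (c == '\\' && i + 1 < n) {
            char e = in[++i];
            if (e == '*' || e == '?' || e == '.')
                *o++ = e;            /* \* \? \. become the bare ERE metacharacter */
            else { *o++ = '\\'; *o++ = e; }   /* other escapes such as \( pass through */
        } else if (c == '*') { *o++ = '.'; *o++ = '*'; }   /* shell-style "any string" */
        else if (c == '?')   { *o++ = '.'; }               /* '?' -> '.' as in the table */
        else if (c == '.')   { *o++ = '\\'; *o++ = '.'; }  /* '.' is a literal dot */
        else                 { *o++ = c; }
    }
    *o++ = '$'; *o = '\0';
    return out;
}

/* 1 if converting 'pattern' yields exactly 'expected', else 0. */
int ere_equals(const char *pattern, const char *expected)
{
    char *ere = myproxy_to_ere(pattern);
    int same = ere != NULL && strcmp(ere, expected) == 0;
    free(ere); return same;
}

/* 1 if 'dn' satisfies the MyProxy pattern, 0 if not, -1 if the ERE fails to compile. */
int dn_matches(const char *pattern, const char *dn)
{
    regex_t re;
    char *ere = myproxy_to_ere(pattern);
    if (!ere) return -1;
    int rc = regcomp(&re, ere, REG_EXTENDED | REG_NOSUB);   /* POSIX ERE dialect */
    free(ere);
    if (rc != 0) return -1;
    rc = regexec(&re, dn, 0, NULL, 0);
    regfree(&re);
    return rc == 0 ? 1 : 0;
}
```

       Because '^' and '$' wrap the whole expression once, a bare '|' as in
       the last example leaves each alternative anchored on one side only, so
       dn_matches("*/CN=Jim Basney|*/CN=James Basney", "/O=Test/CN=Jim Basney/CN=1234")
       returns 1; grouping the alternatives as "(*/CN=Jim Basney|*/CN=James Basney)"
       restores full-DN matching.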

EXAMPLES

       The following policy enables all credential repository features.

       accepted_credentials       "*"
       authorized_retrievers      "*"
       default_retrievers         "*"
       authorized_renewers        "*"
       default_renewers           "none"
       authorized_key_retrievers  "*"
       default_key_retrievers     "none"
       trusted_retrievers         "*"
       default_trusted_retrievers "none"
       cert_dir                   /etc/grid-security/certificates

       The  following enables CA functionality using an existing Globus Simple
       CA configuration.

       authorized_retrievers "*"
       pam  "sufficient"
       sasl "sufficient"
       certificate_issuer_cert /home/globus/.globus/simpleCA/cacert.pem
       certificate_issuer_key /home/globus/.globus/simpleCA/private/cakey.pem
       certificate_issuer_key_passphrase "myproxy"
       certificate_serialfile /home/globus/.globus/simpleCA/serial
       certificate_mapfile /etc/grid-security/grid-mapfile
       cert_dir /etc/grid-security/certificates

       The following will cause usage metrics to be reported  to  the  default
       target  (only the default tags) as well as a local collector (including
       the tags IuU):

       usage_stats_target "usage-stats.cilogon.org:4810,localcollector.somedomain:4810!VvtrlLBIuU"

FILES

       /etc/myproxy-server.config
              Default location for the server configuration file.

       $GLOBUS_LOCATION/etc/myproxy-server.config
              Alternate   location  for  the  server  configuration  file.   A
              different  location  can  be  specified  by  using  the
              myproxy-server(8) -c option.

       $GLOBUS_LOCATION/share/myproxy/myproxy-passphrase-policy
              A  sample program for evaluating passphrase quality for use with
              the passphrase_policy_program option.

       $GLOBUS_LOCATION/share/myproxy/myproxy-certificate-mapapp
              A sample certificate_mapapp program for mapping account names to
              certificate subject distinguished names.

       $GLOBUS_LOCATION/share/myproxy/myproxy-accepted-credentials-mapapp
              A  sample  accepted_credentials_mapapp  program  for authorizing
              puts/stores (e.g. with myproxy-init(1) and myproxy-store(1)).

ENVIRONMENT

       GLOBUS_LOCATION
              Specifies the root of the MyProxy installation, used to find the
              default location of the myproxy-server.config file.

AUTHORS

       See http://myproxy.ncsa.uiuc.edu/about for the list of MyProxy authors.

SEE ALSO

       myproxy-change-pass-phrase(1), myproxy-destroy(1),
       myproxy-get-trustroots(1), myproxy-info(1), myproxy-init(1),
       myproxy-logon(1), myproxy-retrieve(1), myproxy-store(1),
       myproxy-admin-adduser(8), myproxy-admin-change-pass(8),
       myproxy-admin-load-credential(8), myproxy-admin-query(8),
       myproxy-server(8)