Provided by: myproxy-server_6.1.16-1_amd64

NAME

       myproxy-server.config - myproxy-server configuration file

DESCRIPTION

       The  myproxy-server.config file sets the policy for the myproxy-server(8), specifying what
       credentials may be stored in the  server's  repository,  who  is  authorized  to  retrieve
       credentials,  and  other configurable server behaviors.  By default, the myproxy-server(8)
       looks for this file in /etc/myproxy-server.config and if it is not found there,  it  looks
       in    $GLOBUS_LOCATION/etc/myproxy-server.config.     A    template    is    provided   at
       $GLOBUS_LOCATION/share/myproxy/myproxy-server.config.  The myproxy-server -c option can be
       used to specify an alternative location.

       The  following  lines  set  access  control policies according to the client's certificate
       subject distinguished name (DN).  Note that MyProxy uses non-standard regular  expressions
       for  distinguished  name  (DN)  matching.  See  the  REGULAR EXPRESSIONS section below for
       details.

       accepted_credentials “DN regex”
              Each of these lines allows any clients whose DNs match the given limited  regex  to
              connect  to  the myproxy-server and store credentials with it for future retrieval.
              Any number of these lines may appear.  For backwards compatibility, these lines can
              also   start   with   allowed_clients   instead  of  accepted_credentials.   If  no
              accepted_credentials lines are specified, the server will not allow any clients  to
              store credentials.

       authorized_retrievers “DN regex”
              Each of these lines allows the server administrator to set server-wide policies for
              credential retrievers. If the client DN does not match the given limited regex, the
              client  is not allowed to retrieve credentials from the server.  In addition to the
              server-wide policy, myproxy also provides support for  per-credential  policy.  The
              user  can  specify  the  regex  DN of the allowed retrievers of the credential when
              uploading  the  credential  (using  myproxy-init(1)  or   myproxy-store(1)).    The
              retrieval  client DN must also match the user specified regex. In order to retrieve
              credentials the client also needs to know the name and pass phrase provided by  the
              client when the credentials were stored. Any number of these lines may appear.  For
              backwards compatibility, these lines can also start with  allowed_services  instead
              of  authorized_retrievers.   If  no  authorized_retrievers lines are specified, the
              server will not allow any clients to retrieve credentials.

       default_retrievers “DN regex”
              Each of these lines allows the server  administrator  to  set  server-wide  default
              policies.  The  regex  specifies  the  clients  who can access the credentials. The
              default retriever policy is enforced if a per-credential policy is not specified on
              upload (using myproxy-init(1) or myproxy-store(1)).  In other words, the client can
              override this policy for a credential on  upload.   The  per-credential  policy  is
              enforced    in    addition   to   the   server-wide   policy   specified   by   the
              authorized_retrievers line (which clients can not override).  Any number  of  these
              lines  may  be present.  For backwards compatibility, if no default_retrievers line
              is specified, the default policy is "*", which allows any client to pass  the  per-
              credential  policy  check.   (The  client must still pass the authorized_retrievers
              check.)

       authorized_renewers “DN regex”
              Each of these lines allows the server administrator to set server-wide policies for
              authorized  renewers.  If  the client DN does not match the given limited regex the
              client is not allowed to renew the credentials previously stored by a client.   See
              allow_self_authorization  below  for  a  further  restriction  on  this policy.  In
              addition to  the  server-wide  policy,  myproxy  also  provides  support  for  per-
              credential policy. The user can specify the regex DN of the allowed renewers of the
              credential on upload (using myproxy-init(1)).  The renewal  client  DN  must  match
              both  this  regex  and the user specified regex. In this case, the client must also
              already have a credential with a DN matching  the  DN  of  the  credentials  to  be
              retrieved,  to  be  used  in  a  second  authorization step (see the -a options for
              myproxy-logon(1) and myproxy-retrieve(1)).

       default_renewers “DN regex”
              Each of these lines allows the server  administrator  to  set  server-wide  default
              renewer  policies.  The  regex specifies the clients who can renew the credentials.
              The default renewer policy is enforced if a per-credential policy is not  specified
              on upload (using myproxy-init(1)).  This is enforced in addition to the server-wide
              policy specified by the authorized_renewers line. Any number  of  these  lines  may
              appear.  For backwards compatibility, if no default_renewers line is specified, the
              default policy is "*", which allows any client to pass  the  per-credential  policy
              check.  (The client must still pass the authorized_renewers check.)

       authorized_key_retrievers “DN regex”
              This  policy controls who can retrieve credentials (certificates and keys) directly
              from the  repository  using  myproxy-retrieve(1).   Clients  must  also  match  the
              authorized_retrievers policy.  If no authorized_key_retrievers lines are specified,
              the server  will  not  allow  any  clients  to  retrieve  keys  directly  from  the
              repository.

       default_key_retrievers “DN regex”
              This  policy  applies  if a per-credential policy is not specified on upload (using
              myproxy-init(1) or myproxy-store(1)).  In other words, the client can override this
              policy  for  a  credential  on  upload.   The  per-credential policy is enforced in
              addition to the server-wide policy specified by the authorized_key_retrievers  line
              (which clients can not override).  Any number of these lines may be present.  If no
              default_key_retrievers line is specified, the default policy is "*",  which  allows
              any  client  to  pass the per-credential policy check.  (The client must still pass
              the authorized_key_retrievers check.)

       trusted_retrievers “DN regex”
              This policy controls who can retrieve credentials without  further  authentication.
              By  default,  clients  that  match  authorized_retrievers  must  perform additional
              authentication  (such  as  passphrase,  PAM,  or  SASL)  to  retrieve  credentials.
              However,   authenticated   clients   that   match  both  authorized_retrievers  and
              trusted_retrievers do not need to perform  additional  authentication,  unless  the
              credentials  are  protected  by a passphrase, in which case the passphrase is still
              required.  Note: The myproxy-server(8) will fail on startup  or  reconfig  with  an
              "unsafe  policy"  error  if a policy of trusted_retrievers “*” is specified without
              also specifying a restrictive default_trusted_retrievers policy, to avoid an unsafe
              policy   that   would   release  credentials  to  all  clients  without  additional
              authentication.  See also allow_self_authorization below for a further  restriction
              on this policy.

       default_trusted_retrievers “DN regex”
              If a user doesn't set a trusted retrieval policy with the credential on upload (via
              'myproxy-init -Z'), the  myproxy-server(8)  will  apply  the  following  policy  in
              addition to the trusted_retrievers policy.  If no default_trusted_retrievers policy
              is set, then only the trusted_retrievers policy is applied.

       The following lines in the configuration file set other server options.

       passphrase_policy_program full-path-to-script
              This line specifies a program to run whenever a passphrase is set  or  changed  for
              implementing a local password policy.  The program is passed the new passphrase via
              stdin  and  is  passed  the  following  arguments:  username,  distinguished  name,
              credential  name  (if  any),  per-credential  retriever  policy  (if any), and per-
              credential renewal policy (if any).  If the passphrase is acceptable,  the  program
              should exit with status 0.  Otherwise, it should exit with non-zero status, causing
              the operation in progress (credential load, passphrase change)  to  fail  with  the
              error  message  provided  by the program's stdout.  Note: You must specify the full
              path to the external program.  $GLOBUS_LOCATION  can't  be  used  in  the  myproxy-
              server.config      file.       A     sample     program     is     installed     in
              $GLOBUS_LOCATION/share/myproxy/myproxy-passphrase-policy  but  is  not  enabled  by
              default.

              Be sure to follow secure coding practices for this call-out:
              - Don't allow input to overflow fixed-size buffers.
              - Don't pass unchecked input to a shell command.
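       A passphrase_policy_program call-out written to the contract above (passphrase on
       stdin, username and DN as arguments, reason on stdout, non-zero exit on rejection) can
       look like the following.  This is an added example, not the sample program shipped in
       $GLOBUS_LOCATION/share/myproxy/myproxy-passphrase-policy; the minimum length, the
       character-class rule and the small deny-list are constructed local policy values, and
       the arguments are used directly rather than being handed to a shell.

```python
#!/usr/bin/env python3
"""Hypothetical passphrase_policy_program call-out (added example, not MyProxy code).

myproxy-server passes the new passphrase on stdin and these positional arguments:
username, distinguished name, credential name, per-credential retriever policy and
per-credential renewer policy (the last three may be absent).  Exit 0 to accept;
otherwise exit non-zero with the reason on stdout, which the server relays to the client.
"""
import sys

MIN_LENGTH = 12          # constructed local policy value, not a MyProxy default
MIN_CLASSES = 3          # of: lower, upper, digit, other

# Constructed stand-in for a real breached-password list.
COMMON_PASSPHRASES = {"password", "passw0rd", "changeme", "myproxy"}


def check_passphrase(passphrase, username, dn=""):
    """Return the list of policy violations; an empty list means the passphrase is acceptable."""
    problems = []
    if len(passphrase) < MIN_LENGTH:
        problems.append(f"passphrase must be at least {MIN_LENGTH} characters")
    if passphrase.lower() in COMMON_PASSPHRASES:
        problems.append("passphrase is on the common-password list")
    if username and username.lower() in passphrase.lower():
        problems.append("passphrase must not contain the username")
    # Reject passphrases built from the subject's Common Name as well.
    cn = next((part[3:] for part in dn.split("/") if part.startswith("CN=")), "")
    if cn and cn.lower().replace(" ", "") in passphrase.lower().replace(" ", ""):
        problems.append("passphrase must not contain the certificate CN")
    classes = sum([
        any(c.islower() for c in passphrase),
        any(c.isupper() for c in passphrase),
        any(c.isdigit() for c in passphrase),
        any(not c.isalnum() for c in passphrase),
    ])
    if classes < MIN_CLASSES:
        problems.append(f"passphrase must use at least {MIN_CLASSES} character classes")
    return problems


def main(argv):
    # Only the line terminator is stripped: spaces the user typed are part of the secret.
    passphrase = sys.stdin.readline().rstrip("\r\n")
    username = argv[1] if len(argv) > 1 else ""
    dn = argv[2] if len(argv) > 2 else ""
    problems = check_passphrase(passphrase, username, dn)
    for problem in problems:
        print(problem)       # stdout is the error message shown to the client
    return 0 if not problems else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

       Install it with a full path in passphrase_policy_program; stderr output is not relayed
       to the client, so put the user-facing reason on stdout as shown.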

       cert_dir full-path-to-certificates-directory
              Specifies  the  path  to  the  CA  certificates directory to be returned to clients
              requesting trust roots (such as via the myproxy-logon(1) -T option).

       max_proxy_lifetime hours
              This line specifies a server-wide maximum lifetime for retrieved proxy credentials.
              By  default,  no  server-wide  maximum  is  enforced.   However,  if this option is
              specified, the server will limit the lifetime of any retrieved proxy credentials to
              the value given.

       max_cred_lifetime hours
              This  line  specifies  a  server-wide  maximum lifetime for stored credentials.  By
              default, no server-wide maximum is enforced.  However, if this option is specified,
              the server will limit the lifetime of any stored credentials to the value given.

       ignore_globus_limited_proxy_flag boolean
              By  default,  MyProxy  will  respect  the policy of "limited" proxy certificates as
              follows.  If a client authenticates with a limited proxy, the client should only be
              able  to  obtain another limited proxy, not a full proxy or end entity certificate.
              Thus, the MyProxy CA will not accept limited proxies for authentication.   However,
              if  this option is set to true, MyProxy will treat limited proxy certificates as if
              they were full proxy certificates.

       allow_self_authorization boolean
              By default, MyProxy will disallow trusted_retrievers and authorized_renewers  whose
              DN  matches  the identity of the stored credential, so a proxy by itself can not be
              refreshed or renewed.  However, if this option is set to true, this restriction  is
              lifted.

       syslog_ident name
              You  can  optionally specify the string to be prepended to every message written to
              the syslog.  If not specified, the name defaults to the program name, i.e.
              myproxy-server.

       syslog_facility name
              By  default, the myproxy-server will log to the syslog "daemon" facility. With this
              option you can specify an  alternate  syslog  facility,  such  as  "auth",  "user",
              "security",  or  "local0".   The facility can also be specified numerically as with
              the logger(1) command.

       request_timeout seconds
              Specifies the maximum time a myproxy-server(8) child process should spend servicing
              a client request before aborting.  By default, child processes will abort after 120
              seconds.  A negative value will disable the timeout.

       request_size_limit bytes
              Limits the amount of incoming application-level protocol data the myproxy-server(8)
              will accept from clients, to avoid memory exhaustion under heavy load. Specified in
              bytes.  Defaults to 1MB (1048576 bytes).  A zero or  negative  value  disables  the
              limit.

       proxy_extfile full-path-to-extension-file
              Optionally specifies the full path to a file containing an OpenSSL formatted set of
              certificate extensions to include in all proxy certificates issued from the MyProxy
              repository (analogous to certificate_extfile for the CA module).

       proxy_extapp full-path-to-extension-callout-program
              This  is  the  call-out version of proxy_extfile.  It optionally specifies the full
              path to a call-out program for specifying proxy certificate extensions.  It will be
              passed  the  authenticated  username  and  the proxy credential location as the two
              command arguments.  On success, it  should  write  the  OpenSSL  formatted  set  of
              certificate  extensions  to  stdout and exit with zero status.  On error, it should
              write to stderr and exit with nonzero status.  Either proxy_extfile or proxy_extapp
              can be specified but not both.

              Be sure to follow secure coding practices for this call-out:
              - Don't allow input to overflow fixed-size buffers.
              - Don't pass unchecked input to a shell command.

       voms_userconf full-path-to-voms-configuration-file
              Optionally  specifies  the full path to the VOMS configuration file containing VOMS
              server  information.  It  is  usually  specified  in  the  environmental   variable
              VOMS_USERCONF.

       allow_voms_attribute_requests boolean
              If this parameter is set to true and a GET request includes VONAME and (optionally)
              VOMSES parameters, call-out to VOMS to add the requested attributes to  the  issued
              certificate.  Requires  linking  with VOMS libraries. By default, VONAME and VOMSES
              parameters in requests will be ignored unless this parameter is set to true.

       The MyProxy server can be optionally configured  for  authentication  based  on  Pluggable
       Authentication  Modules  (PAM) and/or the Simple Authentication and Security Layer (SASL).
       Kerberos is one of the supported  SASL  authentication  methods.   The  following  options
       control the use of PAM and SASL.

       pam option
              This  line  governs  the  use of PAM to check passphrases.  MyProxy will attempt to
              authenticate via PAM, with the supplied username and  passphrase.   Note  that  PAM
              will  need  to  be  configured externally for the application "myproxy" (usually in
              /etc/pam.d/), or for the application named by pam_id, below.  Accepted values:

              required
                     PAM password authentication  is  required  under  all  conditions.   If  the
                     credential  is  unencrypted  (that is, it has no passphrase), a PAM password
                     check is still required for authentication.  If the credential is encrypted,
                     its passphrase must match the PAM password.

              sufficient
                     The  user's passphrase may match either the credential passphrase or, if the
                     credential is  unencrypted,  the  PAM  passphrase.   If  the  credential  is
                     encrypted, then the PAM password is not relevant.

              disabled (default)
                     PAM is not used to check passphrases.

       pam_id string
              The  name  that myproxy uses to identify itself to PAM.  Default is "myproxy".  For
              example, on most Unix-like systems, if pam_id  is  set  to  "login",  MyProxy  will
              authenticate against the system's own usernames and passwords.

       sasl option
              This line governs the use of SASL authentication.  Accepted values:

              required
                     SASL authentication is required for retrieving credentials.

              sufficient
                     SASL  authentication  is  sufficient  for  retrieving credentials, but other
                     authentication methods may be used instead.

              disabled (default)
                     SASL authentication isn't used.

       sasl_mech mechanism
              Forces the use of a single SASL mechanism, overriding the SASL configuration  file.
              (Typically not required.)

       sasl_serverFQDN hostname
              Configures  the  SASL  server  fully-qualified domain name for multi-homed servers.
              (Typically not required.)

       sasl_user_realm realm
              Configures the SASL user realm. (Typically not required.)

       The MyProxy server can also be configured to act as a Certificate Authority (CA) to  issue
       credentials   to   clients.    The  following  parameters  enable  and  configure  the  CA
       functionality.

       certificate_issuer_cert full-path-to-certificate
              This line specifies the full path to the issuer certificate to optionally configure
              the myproxy-server to act as an online certificate authority.

       certificate_issuer_key full-path-to-key
              When  specifying  certificate_issuer_cert above, you must also give the name of the
              CA private key for signing certificates.  This is normally the path to a CA private
              key  in  PEM  format,  but  if  you  are  using  an  OpenSSL   engine   (see
              certificate_openssl_engine_id) then it can be the key name.

       certificate_issuer_key_passphrase “passphrase”
              If the certificate_issuer_key is encrypted, give the passphrase here.

       certificate_issuer_subca_certfile full-path-to-subca-certificate-file
              If you would like an intermediate/sub-CA certificate chain to be  sent  along  with
              the  EEC  (End  Entity  Certificate)  generated  using a local intermediate/sub-CA,
              specify the file that contains those certificates in PEM format. This is  meant  to
              aid  scenarios where the CA used is an intermediate CA (i.e. not a root CA) and the
              client may not have the intermediate CA(s) in its  trust  store.  The  client  will
              write out the chain into the same file as the EEC, following the EEC.

       certificate_issuer_hashalg algorithm
              Specifies the hash algorithm to use when signing end-entity certificates.  Defaults
              to "sha256".

       certificate_issuer_email_domain “domain”
              If set, specifies the domain part of the  X509v3  Subject  Alternative  Name  email
              address included in issued certificates.

       certificate_openssl_engine_id engineId

       certificate_openssl_engine_pre pre-initialization-commands

       certificate_openssl_engine_post post-initialization-commands
              These  commands  can  be  used to allow any OpenSSL engine to be used with MyProxy.
              This enables the use of hardware tokens and signing modules to  sign  certificates.
              Given  the  parameters  of  an  OpenSSL  "engine"  command, the first argument, the
              identity of the engine becomes the argument  to  certificate_openssl_engine_id  and
              -pre  commands  are  listed in order using certificate_openssl_engine_pre and -post
              commands are listed in order using  certificate_openssl_engine_post.   For  example
              the command-line:

                 openssl engine dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/opensc-pksc11.so

              becomes:

                 certificate_openssl_engine_id "dynamic"

                 certificate_openssl_engine_pre "SO_PATH:/usr/lib/engines/engine_pkcs11.so" "ID:pkcs11" "LIST_ADD:1" "LOAD" "MODULE_PATH:/usr/lib/opensc-pksc11.so"

              Please  note  that  any  shared library engines loaded through the "dynamic" engine
              MUST be compiled against the correct version of OpenSSL.  The Globus toolkit has its
              own installation and can be found by running $GLOBUS_LOCATION/bin/openssl version.

       certificate_openssl_engine_lockfile full-path-to-file
              If  your hardware token or HSM is unable to handle simultaneous operations, provide
              a path to a lockfile for  synchronizing  operations  to  the  engine  device.   The
              myproxy-server will create the file if it does not already exist.

       certificate_issuer_program full-path-to-script
              This  line  specifies the path to a program to issue certificates for authenticated
              clients that  don't  have  credentials  stored.   This  optionally  configures  the
              myproxy-server  to  act  as  an online certificate authority, allowing programmatic
              control  over  the  certificate  issuance  process.    You   can   either   specify
              certificate_issuer_cert or certificate_issuer_program.

              Be sure to follow secure coding practices for this call-out:
              - Don't allow input to overflow fixed-size buffers.
              - Don't pass unchecked input to a shell command.

       certificate_serialfile full-path-to-serial-file
              Specifies  the  path  to  a  file  to  store  the  serial number counter for issued
              certificates.  Defaults to /var/lib/myproxy/serial.

       certificate_serial_skip increment
              Specifies the number to add to the serial number each time a certificate is issued.
              Use  this  to  stagger  serial numbers across multiple CA instances to avoid serial
              number clashes. Defaults to 1.

       certificate_out_dir full-path-to-output-directory
              Specifies the path to a directory where new certificates will be archived.

       max_cert_lifetime hours
              Specifies the maximum lifetime (in hours) for certificates issued by the CA module.
              Defaults to 12 hours.

       min_keylen bits
              Specifies  the  minimum  RSA key length (in bits) for certificates issued by the CA
              module.

       certificate_extfile full-path-to-extension-file
              Optionally specifies the full path to a file containing an OpenSSL formatted set of
              certificate extensions to include in all issued certificates.  For example:
                 keyUsage=digitalSignature,keyEncipherment,dataEncipherment
                 subjectKeyIdentifier=hash
                 authorityKeyIdentifier=keyid,issuer:always
                 crlDistributionPoints=URI:http://ca.ncsa.uiuc.edu/4a6cd8b1.r0
                 basicConstraints=CA:FALSE
              If  not  set,  the  MyProxy  CA  will  include  a basic set of extensions in issued
              certificates.

       certificate_extapp full-path-to-extension-callout-program
              This is the call-out version of certificate_extfile.  It optionally  specifies  the
              full  path to a call-out program for specifying certificate extensions.  It will be
              passed the authenticated username as the single command argument.  On  success,  it
              should write the OpenSSL formatted set of certificate extensions to stdout and exit
              with zero status.  On error, it should  write  to  stderr  and  exit  with  nonzero
              status.   Either certificate_extfile or certificate_extapp can be specified but not
              both.

              Be sure to follow secure coding practices for this call-out:
              - Don't allow input to overflow fixed-size buffers.
              - Don't pass unchecked input to a shell command.
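       A call-out of the kind described for proxy_extapp and certificate_extapp takes the
       authenticated username (and, for proxy_extapp, the proxy location) as command
       arguments and prints an OpenSSL extension set on stdout.  Because that text is parsed
       by OpenSSL as configuration, the username must be validated before it is placed in
       any extension value; a name containing a line break would otherwise be read as further
       extension lines.  The following is an added example, not code from MyProxy: the allowed
       username pattern, the example.org domain and the extension list (modelled on the
       certificate_extfile sample above) are constructed.

```python
#!/usr/bin/env python3
"""Hypothetical certificate_extapp / proxy_extapp call-out (added example, not MyProxy code).

Arguments: username [proxy-credential-location].  On success the OpenSSL formatted
extension set goes to stdout with exit status 0; on error a message goes to stderr
with a non-zero exit status, and nothing is written to stdout.
"""
import re
import sys

# ASSUMPTION: local account names are limited to this shape.  Validation happens
# before the name is interpolated into text that OpenSSL will parse.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")

EMAIL_DOMAIN = "example.org"   # constructed; compare certificate_issuer_email_domain


def build_extensions(username):
    """Return the extension set for one issued certificate, or raise ValueError."""
    # fullmatch (not match with '$') so that a trailing newline cannot slip through.
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username does not match the allowed pattern")
    lines = [
        "basicConstraints=CA:FALSE",
        "keyUsage=digitalSignature,keyEncipherment",
        "subjectKeyIdentifier=hash",
        "authorityKeyIdentifier=keyid,issuer:always",
        f"subjectAltName=email:{username}@{EMAIL_DOMAIN}",
    ]
    return "\n".join(lines) + "\n"


def main(argv):
    if len(argv) < 2:
        print("usage: extapp username [proxy-location]", file=sys.stderr)
        return 2
    try:
        extensions = build_extensions(argv[1])
    except ValueError as exc:
        print(f"refusing to build extensions: {exc}", file=sys.stderr)
        return 1
    sys.stdout.write(extensions)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

       The same program serves both directives; for proxy_extapp the second argument (the
       proxy location) is simply ignored here.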

       certificate_mapfile full-path-to-mapfile
              When specifying  certificate_issuer_cert  above,  you  can  map  account  names  to
              certificate  subject  distinguished  names  for  the issued certificates using this
              mapfile, which has the same format as used by other Globus  Toolkit  services.   By
              default, /etc/grid-security/grid-mapfile is used.  The Globus Toolkit grid-mapfile-
              add-entry and grid-mapfile-delete-entry commands can be used to  manage  the  grid-
              mapfile.

       certificate_mapapp full-path-to-mapapp
              When  specifying  certificate_issuer_cert  above,  you  can  map  account  names to
              certificate subject distinguished names for  the  issued  certificates  using  this
              call-out.   It  will  be  passed  the  authenticated username as the single command
              argument.  On success, it should write the distinguished name in OpenSSL  one  line
              format   (for  example,  "/C=US/O=National  Computational  Science  Alliance/CN=Jim
              Basney") to stdout and exit with zero status.  On error, it should write to  stderr
              and  exit  with  nonzero status.  If it is not defined, then mapfile lookup will be
              executed instead (see certificate_mapfile  above).   An  example  is  installed  in
              $GLOBUS_LOCATION/share/myproxy/myproxy-certificate-mapapp.

              Be sure to follow secure coding practices for this call-out:
              - Don't allow input to overflow fixed-size buffers.
              - Don't pass unchecked input to a shell command.

       certificate_request_checker full-path-to-callout-program
              This CA call-out can be used to perform checks on incoming certificate requests. It
              will be passed the certificate request in PEM format on  stdin.  If  it  returns  a
              nonzero exit status, the CA will abort without signing the request.  When returning
              a nonzero exit status, the callout should  indicate  the  problem  on  stderr.   An
              example is installed in $GLOBUS_LOCATION/share/myproxy/myproxy-certreq-checker.

       certificate_issuer_checker full-path-to-callout-program
              This  CA  call-out  can be used to perform checks on issued certificates before the
              certificate is returned to the client.  It will be passed the  certificate  in  PEM
              format  on  stdin.  If  it returns a nonzero exit status, the CA will abort without
              returning the signed certificate to the  client.  When  returning  a  nonzero  exit
              status, the callout should indicate the problem on stderr.  An example is installed
              in $GLOBUS_LOCATION/share/myproxy/myproxy-cert-checker.

       If OpenLDAP support is built-in to the myproxy-server(8), the following parameters can  be
       used  to configure the CA module to map account names to certificate subject distinguished
       names via LDAP.

       ca_ldap_server “ldap://localhost:389/”
              This parameter specifies the URI to the LDAP server  to  use  for  username  to  DN
              resolution in the CA module.  Both ldap:// and ldaps:// protocols are supported.  A
              port number may optionally be specified as well.  Defining this  directive  is  the
              "trigger"  that  causes  the name resolution module to use LDAP querying.  If it is
              not defined, then mapfile lookup will be executed instead (see  certificate_mapfile
              above).

       ca_ldap_uid_attribute “uid”
              The  name  of the record attribute that maps to the MyProxy username.  Required for
              LDAP username to DN resolution.

       ca_ldap_searchbase “ou=people,dc=bullwinkle,dc=lbl,dc=gov”
              The DN of the region of the ldap  database  to  be  searched.   Required  for  LDAP
              username to DN resolution.

       ca_ldap_dn_attribute “subjectDN”
              If  this  directive  is  set, the LDAP resolver will pull the DN from the specified
              attribute in the returned record.  If it is not set, the default is to use  the  DN
              of the record itself.

       ca_ldap_connect_dn “cn=MyProxy,ou=ldapusers,dc=lbl,dc=gov”
              DN for LDAP basic authentication (optional).

       ca_ldap_connect_passphrase “passphrase”
              Passphrase for LDAP basic authentication (optional).

       The following parameters control server replication with the myproxy-replicate(1) utility.

       slave_servers server:port;
              This  value  is for use with the myproxy-replicate(1) utility.  This tag provides a
              list of servers that will  be  used  as  secondary  repositories  for  the  MyProxy
              database.   Each server should be separated by a ";".  Also, a port may be provided
              if the slave server is using a port other than the default.  The server name may be
              a recognized DNS name or an IP address.

       The following parameters are used primarily when utilizing MyProxy as a delegation service
       for web portals.

       accepted_credentials_mapfile full-path-to-mapfile
              This parameter points to a grid-mapfile, which is  possibly  different  from  other
              mapfiles  above.  When specified, this mapfile is utilized during puts/stores (e.g.
              with myproxy-init(1) and myproxy-store(1)).   A  credential  is  authorized  to  be
              put/stored only under the username specified in the mapfile.  This prevents storing
              a user's credential under a different username.  Note that the  credential  checked
              for  the  presence  of  a SubjectDN/Username entry in the mapfile is the credential
              utilized to secure the  connection  between  client  and  server,  NOT  the  actual
              credential  being  stored.   As  the credential which secures the TLS connection is
              typically the same as the credential being stored,  this  should  not  be  a  major
              issue.   The  Globus  Toolkit  grid-mapfile-add-entry and grid-mapfile-delete-entry
              commands can be used to manage the grid-mapfile.

       accepted_credentials_mapapp full-path-to-mapapp
              As an alternative to the accepted_credentials_mapfile option above, you can specify
              a call-out which is passed two parameters: a certificate subject distinguished name
              and a username (in that order).  In essence, the call-out performs a  lookup  in  a
              'virtual'  accepted_credentials_mapfile.   If  the  SubjectDN/Username  line  would
              appear in such a mapfile, then the call-out should exit with zero status indicating
              that  a credential with the given SubjectDN is allowed to be stored under the given
              Username.  Otherwise, the call-out  should  exit  with  nonzero  status  indicating
              error.  An example is installed in
              $GLOBUS_LOCATION/share/myproxy/myproxy-accepted-credentials-mapapp.

              Be sure to follow secure coding practices for this call-out:
              - Don't allow input to overflow fixed-size buffers.
              - Don't pass unchecked input to a shell command.
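
              The following call-out, added here as an illustration and not the sample mapapp
              shipped with MyProxy, is a C accepted_credentials_mapapp that applies both rules
              above: it reads the grid-mapfile through a fixed-size, length-checked buffer and
              compares the DN and username directly instead of handing them to a shell.  The
              mapfile path /etc/grid-security/grid-mapfile and the exit code 2 for errors are
              assumptions.

```c
/* Added example (not the sample mapapp shipped with MyProxy): an
 * accepted_credentials_mapapp that looks the (DN, username) pair up in a
 * grid-mapfile using bounded buffers and no shell.  Exit 0 = allowed,
 * 1 = denied, 2 = error.  The MAPFILE path is an assumed location. */
#include <stdio.h>
#include <string.h>
#define MAPFILE "/etc/grid-security/grid-mapfile"   /* assumption */
#define MAXLINE 4096                                  /* longest line accepted */
#define DELIM   " \t,\r\n"
/* One mapfile line: "DN" user1,user2,...  Returns 1 if it maps dn to user. */
int mapline_allows(const char *line, const char *dn, const char *user)
{
    size_t dnlen = strlen(dn), ulen = strlen(user);
    const char *end, *p, *q;
    if (dnlen == 0 || ulen == 0) return 0;
    while (*line == ' ' || *line == '\t') line++;
    if (*line != '"') return 0;                      /* comment or blank line */
    end = strchr(line + 1, '"');
    if (!end || (size_t)(end - line - 1) != dnlen) return 0;
    if (memcmp(line + 1, dn, dnlen) != 0) return 0;  /* exact DN, not a prefix */
    for (p = end + 1; *p; p = q) {
        while (*p && strchr(DELIM, *p)) p++;         /* skip separators */
        for (q = p; *q && !strchr(DELIM, *q); q++) ;
        if ((size_t)(q - p) == ulen && memcmp(p, user, ulen) == 0) return 1;
    }
    return 0;
}
/* Scan a mapfile; a line longer than MAXLINE is skipped, never truncated. */
int mapfile_allows(FILE *fp, const char *dn, const char *user)
{
    char buf[MAXLINE];
    int c;
    while (fgets(buf, sizeof buf, fp)) {
        if (!strchr(buf, '\n') && !feof(fp)) {       /* over-long line: drain it */
            while ((c = getc(fp)) != EOF && c != '\n') ;
            continue;
        }
        if (mapline_allows(buf, dn, user)) return 1;
    }
    return 0;
}
int main(int argc, char **argv)
{
    FILE *fp; int ok;
    if (argc != 3 || strlen(argv[1]) >= MAXLINE) return 2;
    if (!(fp = fopen(MAPFILE, "r"))) return 2;
    ok = mapfile_allows(fp, argv[1], argv[2]);
    fclose(fp);
    return ok ? 0 : 1;                               /* 0 tells myproxy-server "allowed" */
}
```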

       check_multiple_credentials boolean
              Typically when a credential is accessed by a client, the  server  checks  only  one
              credential   for   possible  access  authorization,  even  if  there  are  multiple
              credentials stored under the given username.  If this option is set to  "true"  AND
              the  client  does  not specify a credential name for a MyProxy GET operation (i.e.,
              from myproxy-logon(1)), then the server will check multiple  credentials  with  the
              given  username.  If a credential is found to be authorized for client access, then
              that one will be used during processing.  The default  value  for  this  option  is
              "false".

       The following parameters enable OCSP status checking of stored credentials in the myproxy-
       server(8) repository, to avoid use of expired credentials.

       ocsp_policy policy
              Controls the policy for checking certificate validity via OCSP  before  credentials
              may  be  delegated.   Currently,  only  the status of the end entity certificate is
              checked via OCSP (and not any proxy certificates or CA  certificates).   OCSP  will
              not  be  used  unless  ocsp_responder_url  and/or  ocsp_policy  are set.  Supported
              policies are:
                "aia" - use OCSP responder in certificate AIA extension, if
                        present; otherwise use ocsp_responder_url, if set

       ocsp_responder_url URL
              Specifies the URL of an OCSP responder to use to check the validity of  credentials
              stored  in  the  myproxy-server  repository  before  they may be delegated, so that
              revoked credentials can not be retrieved and used where their revocation status may
              not  be  checked.   Currently,  only  the  status  of the end entity certificate is
              checked via OCSP (and not any proxy certificates or CA certificates).  In any case,
              CRL  checks  are  always  performed.  Both http and https urls are supported.  OCSP
              will not be used unless ocsp_responder_url and/or ocsp_policy are set.

       ocsp_responder_cert path
              Specifies the path to the certificate of a trusted OCSP responder.  This is  needed
              if  the  OCSP  responder  must  be  explicitly trusted in cases where standard path
              validation fails for the OCSP responder's certificate.

       The following parameters control Usage Metrics reporting by the myproxy-server(8).

       disable_usage_stats value
              By default Usage Metrics reporting is enabled. Specifying "true", "enabled", "yes",
              "on"   or  "1"  for  value  will  disable  Usage  Metrics  reporting.  Setting  the
              GLOBUS_USAGE_OPTOUT environment variable to "1" will also disable the reporting  of
              usage   metrics.   Disabling   reporting   of   usage   metrics   will   cause  the
              usage_stats_target setting to be ignored.

       usage_stats_target target_list
              This option can be used to specify  the  target  collector  hosts  to  which  usage
              metrics  should be reported. This setting will be ignored if disable_usage_stats is
              enabled.  Multiple targets can be specified in target_list separated  by  comma(s).
              Each target specification is of the format host:port[!tags].  The tags control what
              data elements  are  reported.  The  following  list  specifies  the  tags  for  the
              corresponding data elements.
              V - Major Version number of MyProxy server
              v - Minor Version number of MyProxy server
              t   -   Task   Code   (0=Get,  1=Put,  2=Info,  3=Destroy,  4=ChangeCredPassphrase,
              5=StoreEndEntCred, 6=RetrEndEntCred, 7=GetTrustRoots)
              r - Task Return Code.
              l - Requested Lifetime for Credential.
              L - Actual Lifetime for Credential.
              B - Informational Bit mask to be interpreted left to right as follows:
                     PAM used
                     SASL used
                     Credential passphrase check used
                     Trusted Retriever (Certificate-based authentication)
                     Certificate Authorization method used (Trusted Renewer)
                     Pubcookie was used
                     Trustroots requested
                     Trustroots delivered
              I - Client IP address
              u - Username
              U - User DN

              In addition to the above selected information, the following data are  reported  to
              ALL  the  specified/default target collectors. There's no way to exclude these from
              being reported other than by disabling the reporting of usage metrics:

              Component code - 11 for MyProxy
              Component Data Format version - 0 currently
              IP Address of Reporting Server
              Timestamp
              Hostname

              If no tags are specified in a  host  spec,  or  the  special  string  "default"  is
              specified,  the  tags VvtrlLB are assumed. A site could choose to allow a different
              set of data to be reported by specifying a different tag set. The last 3 tags I,  u
              and  U  above are more meant for a local collector that a site might like to deploy
              since they could be construed as private  information.  The  special  string  "all"
              denotes all tags.

              By  default,  Usage  Metrics  reporting  is disabled.  This can be made explicit by
              specifying "default" (all by itself) for the target specification as in:

              usage_stats_target "default"

REGULAR EXPRESSIONS

       For matching distinguished names (DNs) in access  control  policies,  MyProxy  uses  POSIX
       Extended  Regular  Expressions (see re_format(7)), with custom processing of '*', '?', and
       '.' metacharacters  to  simulate  Unix  shell  style  wildcard  processing  (for  backward
       compatibility  and  other  historical  reasons).  MyProxy's custom regular expressions are
       converted to POSIX EREs according to the following rules:

         [ MyProxy regex ] => [ POSIX ERE ]
         ----------------------------------
                '*'        =>      '.*'
                '?'        =>      '.'
                '.'        =>      '\.'
                '\*'       =>      '*'
                '\?'       =>      '?'
                '\.'       =>      '.'

       Additionally, MyProxy wraps all regular expressions inside '^(' and ')$' to  require  full
       DN matching.

       Be  aware  that parentheses are metacharacters according to POSIX, so escaping is required
       for literal matching. For example:

         "*/CN=Jim Basney \(admin\)"

       The following examples illustrate how MyProxy regular expressions are converted  to  POSIX
       EREs:

            [ MyProxy regex ]     =>    [ POSIX ERE ]
         ------------------------------------------------------------
         "*/CN=Jim Basney"        => "^(.*/CN=Jim Basney)$"
         "*/CN=Test User ?"       => "^(.*/CN=Test User .)$"
         "*/CN=James A. Basney"   => "^(.*/CN=James A\. Basney)$"
         "/O=Test/CN=[:alnum:]\*" => "^(/O=Test/CN=[:alnum:]*)$"

         "*/CN=Jim Basney|*/CN=James Basney" =>
             "^(.*/CN=Jim Basney|.*/CN=James Basney)$"
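
       The conversion above, implemented as an added example that is not MyProxy's own code: the
       first function rewrites a MyProxy pattern into the ERE form shown in the table, and the
       second compiles that ERE with the C library's regcomp(3) to test a DN, which is a handy
       way to check a policy line before putting it in the configuration file.

```c
/* Added example (not MyProxy's own code): rewrite a MyProxy DN pattern into
 * the POSIX ERE the server matches with, per the conversion table above,
 * and test a DN against it with regcomp(3)/regexec(3). */
#include <regex.h>
#include <stdio.h>
#include <string.h>
/* Convert pattern `in` to an ERE in `out` (size outlen); 0 on success,
 * -1 if the result would not fit. */
int myproxy_regex_to_ere(const char *in, char *out, size_t outlen)
{
    size_t n = 0, r;
    const char *p, *rep;
    char lit[2] = {0, 0};
    if (outlen < 5) return -1;
    out[n++] = '^'; out[n++] = '(';                 /* force a full-DN match */
    for (p = in; *p; p++) {
        if (*p == '\\' && (p[1] == '*' || p[1] == '?' || p[1] == '.')) {
            lit[0] = *++p; rep = lit;               /* '\*' '\?' '\.' -> ERE '*' '?' '.' */
        } else if (*p == '*') rep = ".*";           /* shell-style wildcards ... */
        else if (*p == '?')  rep = ".";
        else if (*p == '.')  rep = "\\.";           /* ... and a literal dot */
        else { lit[0] = *p; rep = lit; }            /* anything else, '\(' included, verbatim */
        r = strlen(rep);
        if (n + r + 3 > outlen) return -1;          /* room for ")$" and the NUL */
        memcpy(out + n, rep, r); n += r;
    }
    out[n++] = ')'; out[n++] = '$'; out[n] = '\0';
    return 0;
}
/* 1 if dn matches the MyProxy pattern, 0 if not, -1 if it cannot be compiled. */
int myproxy_dn_matches(const char *pattern, const char *dn)
{
    char ere[1024];
    regex_t re; int rc;
    if (myproxy_regex_to_ere(pattern, ere, sizeof ere) != 0) return -1;
    if (regcomp(&re, ere, REG_EXTENDED | REG_NOSUB) != 0) return -1;
    rc = regexec(&re, dn, 0, NULL, 0);
    regfree(&re);
    return rc == 0;
}
int main(int argc, char **argv)
{
    char ere[1024];
    if (argc != 3) return 2;                        /* usage: prog 'pattern' 'DN' */
    if (myproxy_regex_to_ere(argv[1], ere, sizeof ere) != 0) return 2;
    printf("%s => %s : %s\n", argv[1], ere,
           myproxy_dn_matches(argv[1], argv[2]) == 1 ? "match" : "no match");
    return 0;
}
```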

EXAMPLES

       The following policy enables all credential repository features.

       accepted_credentials       "*"
       authorized_retrievers      "*"
       default_retrievers         "*"
       authorized_renewers        "*"
       default_renewers           "none"
       authorized_key_retrievers  "*"
       default_key_retrievers     "none"
       trusted_retrievers         "*"
       default_trusted_retrievers "none"
       cert_dir                   /etc/grid-security/certificates

       The following enables CA functionality using an existing Globus Simple CA configuration.

       authorized_retrievers "*"
       pam  "sufficient"
       sasl "sufficient"
       certificate_issuer_cert /home/globus/.globus/simpleCA/cacert.pem
       certificate_issuer_key /home/globus/.globus/simpleCA/private/cakey.pem
       certificate_issuer_key_passphrase "myproxy"
       certificate_serialfile /home/globus/.globus/simpleCA/serial
       certificate_mapfile /etc/grid-security/grid-mapfile
       cert_dir /etc/grid-security/certificates

       The  following  will  cause  usage  metrics to be reported to the default target (only the
       default tags) as well as a local collector (including the tags IuU):

       usage_stats_target "usage-stats.cilogon.org:4810,localcollector.somedomain:4810!VvtrlLBIuU"

FILES

       /etc/myproxy-server.config
              Default location for the server configuration file.

       $GLOBUS_LOCATION/etc/myproxy-server.config
              Alternate  location for the server configuration file.  A different location can be
              specified by using the myproxy-server(8) -c option.

       $GLOBUS_LOCATION/share/myproxy/myproxy-passphrase-policy
              A  sample  program  for  evaluating   passphrase   quality   for   use   with   the
              passphrase_policy_program option.

       $GLOBUS_LOCATION/share/myproxy/myproxy-certificate-mapapp
              A  sample  certificate_mapapp  program  for  mapping  account  names to certificate
              subject distinguished names.

       $GLOBUS_LOCATION/share/myproxy/myproxy-accepted-credentials-mapapp
              A sample accepted_credentials_mapapp program for authorizing puts/stores (e.g. with
              myproxy-init(1) and myproxy-store(1)).

ENVIRONMENT

       GLOBUS_LOCATION
              Specifies  the  root of the MyProxy installation, used to find the default location
              of the myproxy-server.config file.

AUTHORS

       See http://grid.ncsa.illinois.edu/myproxy/about for the list of MyProxy authors.

SEE ALSO

       myproxy-change-pass-phrase(1), myproxy-destroy(1), myproxy-get-trustroots(1), myproxy-info(1),
       myproxy-init(1), myproxy-logon(1), myproxy-retrieve(1), myproxy-store(1),
       myproxy-admin-adduser(8), myproxy-admin-change-pass(8), myproxy-admin-load-credential(8),
       myproxy-admin-query(8), myproxy-server(8)