myproxy-server.config(5) MyProxy myproxy-server.config(5)
NAME
myproxy-server.config - myproxy-server configuration file
DESCRIPTION
The myproxy-server.config file sets the policy for the myproxy-
server(8), specifying what credentials may be stored in the server's
repository, who is authorized to retrieve credentials, and other con-
figurable server behaviors. By default, the myproxy-server(8) looks
for this file in /etc/myproxy-server.config and if it is not found
there, it looks in $GLOBUS_LOCATION/etc/myproxy-server.config. A tem-
plate is provided at $GLOBUS_LOCATION/share/myproxy/myproxy-server.con-
fig. The myproxy-server -c option can be used to specify an alterna-
tive location.
The following lines in the configuration file use limited regular
expressions for matching the distinguished names (DNs) of classes of
users. The limited regular expressions support the shell-stype charac-
ters '*' and '?', where '*' matches any number of characters and '?'
matches any single character. The DN limited regexes should be delim-
ited with double quotes ("DN regex").
accepted_credentials "DN regex"
Each of these lines allows any clients whose DNs match the given
limited regex to connect to the myproxy-server and store creden-
tials with it for future retrieval. Any number of these lines
may appear. For backwards compatibility, these lines can also
start with allowed_clients instead of accepted_credentials. If
no accepted_credentials lines are specified, the server will not
allow any clients to store credentials.
authorized_retrievers "DN regex"
Each of these lines allows the server administrator to set
server-wide policies for credential retrievers. If the client DN
does not match the given limited regex, the client is not
allowed to retrieve credentials from the server. In addition to
the server-wide policy, myproxy also provides support for per-
credential policy. The user can specify the regex DN of the
allowed retrievers of the credential when uploading the creden-
tial (using myproxy-init(1) or myproxy-store(1)). The retrieval
client DN must also match the user specified regex. In order to
retrieve credentials the client also needs to know the name and
pass phrase provided by the client when the credentials were
stored. Any number of these lines may appear. For backwards
compatibility, these lines can also start with allowed_services
instead of authorized_retrievers. If no authorized_retrievers
lines are specified, the server will not allow any clients to
retrieve credentials.
default_retrievers "DN regex"
Each of these lines allows the server administrator to set
server-wide default policies. The regex specifies the clients
who can access the credentials. The default retriever policy is
enforced if a per-credential policy is not specified on upload
(using myproxy-init(1) or myproxy-store(1)). In other words,
the client can override this policy for a credential on upload.
The per-credential policy is enforced in addition to the server-
wide policy specified by the authorized_retrievers line (which
clients can not override). Any number of these lines may be
present. For backwards compatibility, if no default_retrievers
line is specified, the default policy is "*", which allows any
client to pass the per-credential policy check. (The client
must still pass the authorized_retrievers check.)
authorized_renewers "DN regex"
Each of these lines allows the server administrator to set
server-wide policies for authorized renewers. If the client DN
does not match the given limited regex the client is not allowed
to renew the credentials previously stored by a client. In
addition to the server-wide policy, myproxy also provides sup-
port for per-credential policy. The user can specify the regex
DN of the allowed renewers of the credential on upload (using
myproxy-init(1)). The renewal client DN must match both this
regex and the user specified regex. In this case, the client
must also already have a credential with a DN matching the DN of
the credentials to be retrieved, to be used in a second autho-
rization step (see the -a options for myproxy-logon(1) and
myproxy-retrieve(1)).
default_renewers "DN regex"
Each of these lines allows the server administrator to set
server-wide default renewer policies. The regex specifies the
clients who can renew the credentials. The default renewer pol-
icy is enforced if a per-credential policy is not specified on
upload (using myproxy-init(1)). This is enforced in addition to
the server-wide policy specified by the authorized_renewers
line. Any number of these lines may appear. For backwards com-
patibility, if no default_renewers line is specified, the
default policy is "*", which allows any client to pass the per-
credential policy check. (The client must still pass the autho-
rized_renewers check.)
authorized_key_retrievers "DN regex"
This policy controls who can retrieve credentials (certificates
and keys) directly from the repository using myproxy-
retrieve(1). Clients must also match the authorized_retrievers
policy. If no authorized_key_retrievers lines are specified,
the server will not allow any clients to retrieve keys directly
from the repository.
default_key_retrievers "DN regex"
This policy applies if a per-credential policy is not specified
on upload (using myproxy-init(1) or myproxy-store(1)). In other
words, the client can override this policy for a credential on
upload. The per-credential policy is enforced in addition to
the server-wide policy specified by the authorized_key_retriev-
ers line (which clients can not override). Any number of these
lines may be present. If no default_key_retrievers line is
specified, the default policy is "*", which allows any client to
pass the per-credential policy check. (The client must still
pass the authorized_key_retrievers check.)
trusted_retrievers "DN regex"
This policy controls who can retrieve credentials without fur-
ther authentication. By default, clients that match autho-
rized_retrievers must perform additional authentication (such as
passphrase, PAM, or SASL) to retrieve credentials. However,
authenticated clients that match both authorized_retrievers and
trusted_retrievers do not need to perform additional authentica-
tion, unless the credentials are protected by a passphrase, in
which case the passphrase is still required.
default_trusted_retrievers "DN regex"
If a user doesn't set a trusted retrieval policy with the cre-
dential on upload (via 'myproxy-init -Z'), the myproxy-server(8)
will apply the following policy in addition to the
trusted_retrievers policy. If no default_trusted_retrievers
policy is set, then only the trusted_retrievers policy is
applied.
The following lines in the configuration file set other server options.
passphrase_policy_program full-path-to-script
This line specifies a program to run whenever a passphrase is
set or changed for implementing a local password policy. The
program is passed the new passphrase via stdin and is passed the
following arguments: username, distinguished name, credential
name (if any), per-credential retriever policy (if any), and
per-credential renewal policy (if any). If the passphrase is
acceptable, the program should exit with status 0. Otherwise,
it should exit with non-zero status, causing the operation in
progress (credential load, passphrase change) to fail with the
error message provided by the program's stdout. Note: You must
specify the full path to the external program. $GLOBUS_LOCATION
can't be used in the myproxy-server.config file. A sample pro-
gram is installed in $GLOBUS_LOCATION/share/myproxy/myproxy-
passphrase-policy but is not enabled by default.
Be sure to follow secure coding practices for this call-out:
- Don't allow input to overflow fixed-size buffers.
- Don't pass unchecked input to a shell command.
cert_dir full-path-to-certificates-directory
Specifies the path to the CA certificates directory to be
returned to clients requesting trust roots (such as via the
myproxy-logon(1) -T option). Defaults to /etc/grid-secu-
rity/certificates.
max_proxy_lifetime hours
This line specifies a server-wide maximum lifetime for retrieved
proxy credentials. By default, no server-wide maximum is
enforced. However, if this option is specified, the server will
limit the lifetime of any retrieved proxy credentials to the
value given.
ignore_globus_limited_proxy_flag boolean
By default, MyProxy will respect the policy of "limited" proxy
certificates as follows. If a client authenticates with a lim-
ited proxy, the client should only be able to obtain another
limited proxy, not a full proxy or end entity certificate.
Thus, the MyProxy CA will not accept limited proxies for authen-
tication. However, if this option is set, MyProxy will treat
limited proxy certificates as if they were full proxy certifi-
cates.
syslog_ident name
You can optionally specify the string to be prepended to every
message written to the syslog. If not specified, the name
defaults to the the program name, i.e. myproxy-server.
The MyProxy server can be optionally configured for authentication
based on Pluggable Authentication Modules (PAM) and/or the Simple
Authentication and Security Layer (SASL). Kerberos is one of the sup-
ported SASL authentication methods. The following options control the
use of PAM and SASL.
pam option
This line governs the use of PAM to check passphrases. MyProxy
will attempt to authenticate via PAM, with the supplied username
and passphrase. Note that PAM will need to be configured exter-
nally for the application "myproxy" (usually in /etc/pam.d/), or
for the application named by pam_id, below. Accepted values:
required
PAM password authentication is required under all condi-
tions. If the credential is unencrypted (that is, it has
no passphrase), a PAM password check is still required
for authentication. If the credential is encrypted, its
passphrase must match the PAM password.
sufficient
The user's passphrase may match either the credential
passphrase or, if the credential is unencrypted, the PAM
passphrase. If the credential is encrypted, then the PAM
password is not relevant.
disabled (default)
PAM is not used to check passphrases.
pam_id string
The name that myproxy uses to identify itself to PAM. Default
is "myproxy". For example, on most Unix-like systems, if pam_id
is set to "login", MyProxy will authenticate against the sys-
tem's own usernames and passwords.
sasl option
This line governs the use of SASL authentication. Accepted val-
ues:
required
SASL authentication is required for retrieving creden-
tials.
sufficient
SASL authentication is sufficient for retrieving creden-
tials, but other authentication methods may be used
instead.
disabled (default)
SASL authentication isn't used.
The MyProxy server can also be configured to act as a Certificate
Authority (CA) to issue credentials to clients. The following parame-
ters enable and configure the CA functionality.
certificate_issuer_cert full-path-to-certificate
This line specifies the full path to the issuer certificate to
optionally configure the myproxy-server to act as an online cer-
tificate authority.
certificate_issuer_key full-path-to-key
When specifying certificate_issuer_cert above, you must also
give the name of the CA private key for signing certificates.
This is normally path to a CA private key in PEM format, but if
you are using an OpenSSL engine (see certifi-
cate_openssl_engine_id ) then it can be the key name.
certificate_issuer_key_passphrase "passphrase"
If the certificate_issuer_key is encrypted, give the passphrase
here.
certificate_issuer_email_domain "domain"
If set, specifies the domain part of the X509v3 Subject Alterna-
tive Name email address included in issued certificates.
certificate_openssl_engine_id engineId
certificate_openssl_engine_pre pre-initialization-commands
certificate_openssl_engine_post post-initialization-commands
These commands can be used to allow any OpenSSL engine to be
used with MyProxy. This enables the use of hardware tokens and
signing modules to sign certificates. Given the parameters of
an OpenSSL "engine" command, the first argument, the identity of
the engine becomes the argument to certificate_openssl_engine_id
and -pre commands are listed in order using certifi-
cate_openssl_engine_pre and -post commands are listed in order
using certificate_openssl_engine_post. For example the command-
line:
openssl engine dynamic -pre
SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre
LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/opensc-pksc11.so
becomes:
certificate_openssl_engine_id "dynamic"
certificate_openssl_engine_pre
"SO_PATH:/usr/lib/engines/engine_pkcs11.so" "ID:pkcs11"
"LIST_ADD:1" "LOAD" "MODULE_PATH:/usr/lib/opensc-pksc11.so"
Please note that any shared library engines loaded through the
"dynamic" engine MUST be compiled againt the correct version of
OpenSSL. The Globus toolkit has its own installation and can be
found by running $GLOBUS_LOCATION/bin/openssl version.
certificate_openssl_engine_lockfile full-path-to-file
If your hardware token or HSM is unable to handle simultaneous
operations, provide a path to a lockfile for synchronizing oper-
ations to the engine device. The myproxy-server will create the
file if it does not already exist.
certificate_issuer_program full-path-to-script
This line specifies the path to a program to issue certificates
for authenticated clients that don't have credentials stored.
This optionally configures the myproxy-server to act as an
online certificate authority, allowing programmatic control over
the certificate issuance process. You can either specify cer-
tificate_issuer_cert or certificate_issuer_program.
Be sure to follow secure coding practices for this call-out:
- Don't allow input to overflow fixed-size buffers.
- Don't pass unchecked input to a shell command.
certificate_serialfile full-path-to-serial-file
Specifies the path to a file to store the serial number counter
for issued certificates. Defaults to /var/myproxy/serial.
max_cert_lifetime hours
Specifies the maximum lifetime (in hours) for certificates
issued by the CA module. Defaults to 12 hours.
certificate_extfile full-path-to-extension-file
Optionally specifies the full path to a file containing an
OpenSSL formatted set of certificate extensions to include in
all issued certificates. For example:
keyUsage=digitalSignature,keyEncipherment,dataEncipherment
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
crlDistributionPoints=URI:http://ca.ncsa.uiuc.edu/4a6cd8b1.r0
basicConstraints=CA:FALSE
If not set, the MyProxy CA will include a basic set of exten-
sions in issued certificates.
certificate_extapp full-path-to-extension-callout-program
This is the call-out version of certificate_extfile. It option-
ally specifies the full path to a call-out program for specify-
ing certificate extensions. It will be passed the authenticated
username as the single command argument. On success, it should
write the OpenSSL formatted set of certificate extensions #to
stdout and exit with zero status. On error, it should write to
stderr and exit with nonzero status.
Be sure to follow secure coding practices for this call-out:
- Don't allow input to overflow fixed-size buffers.
- Don't pass unchecked input to a shell command.
certificate_mapfile full-path-to-mapfile
When specifying certificate_issuer_cert above, you can map
account names to certificate subject distinguished names for the
issued certificates using this mapfile, which has the same for-
mat as used by other Globus Toolkit services. By default,
/etc/grid-security/grid-mapfile is used. The Globus Toolkit
grid-mapfile-add-entry and grid-mapfile-delete-entry commands
can be used to manage the grid-mapfile.
certificate_mapapp full-path-to-mapapp
When specifying certificate_issuer_cert above, you can map
account names to certificate subject distinguished names for the
issued certificates using this call-out. It will be passed the
authenticated username as the single command argument. On suc-
cess, it should write the distinguished name in OpenSSL one line
format (for example, "/C=US/O=National Computational Science
Alliance/CN=Jim Basney") to stdout and exit with zero status.
On error, it should write to stderr and exit with nonzero sta-
tus. If it is not defined, then mapfile lookup will be executed
instead (see certificate_mapfile above). An example is
installed in $GLOBUS_LOCATION/share/myproxy/myproxy-certificate-
mapapp.
Be sure to follow secure coding practices for this call-out:
- Don't allow input to overflow fixed-size buffers.
- Don't pass unchecked input to a shell command.
If OpenLDAP support is built-in to the myproxy-server(8), the following
parameters can be used to configure the CA module to map account names
to certificate subject distinguished names via LDAP.
ca_ldap_server "ldap://localhost:389/"
This parameter specifies the URI to the LDAP server to use for
username to DN resolution in the CA module. Both ldap:// and
ldaps:// protocols are supported. A port number may optionally
be specified as well. Defining this directive is the "trigger"
that causes the name resolution module to use LDAP querying. If
it is not defined, then mapfile lookup will be executed instead
(see certificate_mapfile above).
ca_ldap_uid_attribute "uid"
The name of the record attribute that maps to the MyProxy user-
name. Required for LDAP username to DN resolution.
ca_ldap_searchbase "ou=people,dc=bullwinkle,dc=lbl,dc=gov"
The DN of the region of the ldap database to be searched.
Required for LDAP username to DN resolution.
ca_ldap_dn_attribute "subjectDN"
If this directive is set, the LDAP resolver will pull the DN
from the specified attribute in the returned record. If it is
not set, the default is to use the DN of the record itself.
ca_ldap_connect_dn "cn=MyProxy,ou=ldapusers,dc=lbl,dc=gov"
DN for LDAP basic authentication (optional).
ca_ldap_connect_passphrase "passphrase"
Passphrase for LDAP basic authentication (optional).
The following parameters control server replication with the myproxy-
replicate(1) utility.
slave_servers server:port;
This value is for use with the myproxy-replicate(1) utility.
This tag provides a list of servers that will be used as sec-
ondary repositories for the MyProxy database. Each server
should be seperated by a ";". Also, a port may be provided if
the slave server is using a port other then the default. The
server name maybe a recognized DNS or an IP address.
The following parameters control Pubcookie (http://www.pubcookie.org)
authentication.
pubcookie_granting_cert full-path-to-pem-file
Sets the full path to the PEM-encoded Pubcookie granting cer-
tificate for verifying signatures on Pubcookie granting cookies.
Setting this parameter enables Pubcookie support.
pubcookie_app_server_key full-path-to-key-file
Sets the full path to the 2048 byte application server key (see
Pubcookie's Apache directive PubcookieCryptKeyfile). This
parameter is optional; if omitted, cookie decryption will be
disabled, and MyProxy will only accept plaintext cookies,
although it will still verify their signatures with pub-
cookie_granting_cert (see above).
The following parameters are used primarily when utilizing MyProxy as a
delegation service for web portals.
accepted_credentials_mapfile full-path-to-mapfile
This parameter points to a grid-mapfile, which is possibly dif-
ferent from other mapfiles above. When specified, this mapfile
is utilized during puts/stores (e.g. with myproxy-init(1) and
myproxy-store(1)). A credential is authorized to be put/stored
only under the username specified in the mapfile. This prevents
storing a user's credential under a different username. Note
that the credential checked for the presence of a Sub-
jectDN/Username entry in the mapfile is the credential utilized
to secure the connection between client and server, NOT the
actual credential being stored. As the credential which secures
the TLS connection is typically the same as the credential being
stored, this should not be a major issue. The Globus Toolkit
grid-mapfile-add-entry and grid-mapfile-delete-entry commands
can be used to manage the grid-mapfile.
accepted_credentials_mapapp full-path-to-mapapp
As an alternative to the accepted_credentials_mapfile option
above, you can specify a call-out which is passed two parame-
ters: a certificate subject distinguished name and a username
(in that order). In essence, the call-out performs a lookup in
a 'virtual' accepted_credentials_mapfile. If the Sub-
jectDN/Username line would appear in such a mapfile, then the
call-out should exit with zero status indicating that a creden-
tial with the given SubjectDN is allowed to be stored under the
given Username. Otherwise, the call-out should exit with
nonzero status indicating error. An example is installed in
$GLOBUS_LOCATION/share/myproxy/myproxy-accepted-credentials-
mapapp.
Be sure to follow secure coding practices for this call-out:
- Don't allow input to overflow fixed-size buffers.
- Don't pass unchecked input to a shell command.
check_multiple_credentials boolean
Typically when a credential is accessed by a client, the server
checks only one credential for possible access authorization,
even if there are multiple credentials stored under the given
username. If this option is set to "true" AND the client does
not specify a credential name for a MyProxy operation, then the
server will check multiple credentials with the given username.
If a credential is found to be authorized for client access,
then that one will be used during processing. The default value
for this option is "false".
The following parameters enable OCSP status checking of stored creden-
tials in the myproxy-server(8) repository, to avoid use of expired cre-
dentials.
ocsp_policy policy
Controls the policy for checking certificate validity via OCSP
before credentials may be delegated. Currently, only the status
of the end entity certificate is checked via OCSP (and not any
proxy certificates or CA certificates). OCSP will not be used
unless ocsp_responder_url and/or ocsp_policy are set. Supported
policies are:
"aia" - use OCSP responder in certificate AIA extension, if
present; otherwise use ocsp_responder_url, if set
ocsp_responder_url URL
Specifies the URL of an OCSP responder to use to check the
validity of credentials stored in the myproxy-server repository
before they may be delegated, so that revoked credentials can
not be retrieved and used where their revocation status may not
be checked. Currently, only the status of the end entity cer-
tificate is checked via OCSP (and not any proxy certificates or
CA certificates). In any case, CRL checks are always performed.
Both http and https urls are supported. OCSP will not be used
unless ocsp_responder_url and/or ocsp_policy are set.
ocsp_responder_cert path
Specifies the path to the certificate of a trusted OCSP respon-
der. This is needed if the OCSP responder must be explicity
trusted in cases where standard path validation fails for the
OCSP responder's certificate.
EXAMPLES
The following policy enables all credential repository features.
accepted_credentials "*"
authorized_retrievers "*"
default_retrievers "*"
authorized_renewers "*"
default_renewers "none"
authorized_key_retrievers "*"
default_key_retrievers "none"
The following enables CA functionality using an existing Globus Simple
CA configuration.
pam "sufficient"
sasl "sufficient"
certificate_issuer_cert /home/globus/.globus/simpleCA/cacert.pem
certificate_issuer_key /home/globus/.globus/simpleCA/private/cakey.pem
certificate_issuer_key_passphrase "myproxy"
certificate_serialfile /home/globus/.globus/simpleCA/serial
certificate_mapfile /etc/grid-security/grid-mapfile
FILES
/etc/myproxy-server.config
Default location for the server configuration file.
$GLOBUS_LOCATION/etc/myproxy-server.config
Alternate location for the server configuration file. A differ-
ent location can be specified by using the myproxy-server(8) -c
option.
$GLOBUS_LOCATION/share/myproxy/myproxy-passphrase-policy
A sample program for evaluating passphrase quality for use with
the passphrase_policy_program option.
$GLOBUS_LOCATION/share/myproxy/myproxy-certificate-mapapp
A sample certificate_mapapp program for mapping account names to
certificate subject distinguished names.
$GLOBUS_LOCATION/share/myproxy/myproxy-accepted-credentials-mapapp
A sample accepted_credentials_mapapp program for authorizing
puts/stores (e.g. with myproxy-init(1) and myproxy-store(1)).
ENVIRONMENT
GLOBUS_LOCATION
Specifies the root of the MyProxy installation, used to find the
default location of the myproxy-server.config file.
AUTHORS
Bill Baker, Jim Basney, Shiva Shankar Chetan, Patrick Duda, Terry
Fleury, Jarek Gawor, Monte Goode, Daniel Kouril, Zhenmin Li, Jason
Novotny, Miroslav Ruda, Benjamin Temko, and Von Welch
SEE ALSO
myproxy-change-pass-phrase(1), myproxy-destroy(1), myproxy-info(1),
myproxy-init(1), myproxy-logon(1), myproxy-retrieve(1), myproxy-
store(1), myproxy-admin-adduser(8), myproxy-admin-change-pass(8),
myproxy-admin-load-credential(8), myproxy-admin-query(8), myproxy-
server(8)
NCSA 2007-08-20 myproxy-server.config(5)
Man(1) output converted with
man2html