Table of Contents
MyProxy is built and installed as part of a default GT 4.0 installation. For basic installation instructions, see the GT 4.0 System Administrator's Guide. No extra installation steps are required for this component.
If you wish to install MyProxy without installing the rest of the Globus Toolkit, follow the instructions in the GT 4.0 System Administrator's Guide with the following changes:
First, you do not need Ant, a JDK, or a JDBC database to build only MyProxy.
Second, instead of running "make", run:
globus$ make gsi-myproxy
This will install the MyProxy client and server programs. For client-only installations, simply do not configure or use the installed server.
A typical MyProxy configuration has one dedicated myproxy-server for the site, with MyProxy clients installed on all systems where other Globus Toolkit client software is installed.
No additional configuration is required to use MyProxy clients after they are installed, although you may want to set the MYPROXY_SERVER environment variable to the hostname of your myproxy-server in the default user environment on your systems.
To configure the myproxy-server you must
modify the myproxy-server.config template provided at
$GLOBUS_LOCATION/share/myproxy/myproxy-server.config
and copy it to
/etc/myproxy-server.config
(if you have root access) or
$GLOBUS_LOCATION//etc/myproxy-server.config
(if you don't have root access).
If you skip this step, your myproxy-server will not start.
To enable all myproxy-server features uncomment the provided sample
policy at the top of the myproxy-server.config config file, as
follows:
# # Complete Sample Policy # # The following lines define a sample policy that enables all # myproxy-server features. See below for more examples. accepted_credentials "*" authorized_retrievers "*" default_retrievers "*" authorized_renewers "*" default_renewers "none" authorized_key_retrievers "*" default_key_retrievers "none" trusted_retrievers "*" default_trusted_retrievers "none"
Please see below for additional documentation on the myproxy-server.config options.
The myproxy-server.config file sets the policy for
the myproxy-server(8), specifying what credentials may be
stored in the server's repository and who is authorized to retrieve credentials.
By default, the myproxy-server(8) looks for this file in /etc/myproxy-server.config
and if it is not found there, it looks in $GLOBUS_LOCATION/etc/myproxy-server.config.
The myproxy-server -c option can
be used to specify an alternative location. The file installed by default
does not allow any requests.
The file also supports a passphrase_policy_program command for specifying an external program for evaluating the quality of users' passphrases. A sample program is installed in $GLOBUS_LOCATION/share/myproxy/myproxy-passphrase-policy but is not enabled by default.
Lines in the configuration file use limited regular expressions for matching the distinguished names (DNs) of classes of users. The limited regular expressions support the shell-style characters '*' and '?', where '*' matches any number of characters and '?' matches any single character.
The DN limited regexes should be delimited with double quotes ("DN regex").
The configuration file has the following types of lines:
Table 13.1. myproxy-server.config lines
| accepted_credentials "DNregex" | Each of these lines allows any clients whose DNs match the given
limited regex to connect to the myproxy-server and store
credentials with it for future retrieval. Any number of these
lines may appear. For backwards compatibility, these lines can
also start with allowed_clients instead of
accepted_credentials. |
| authorized_retrievers "DN regex" | Each of these lines allows the server administrator to set
server-wide policies for authorized retrievers. If the client DN
does not match the given limited regex, the client is not allowed
to retrieve the credentials previously stored by a client. In
addition to the server-wide policy, MyProxy also provides support
for per-credential policy. The user can specify the regex DN of the allowed
retrievers of the credential when uploading the credential (using myproxy-init(1)).
The retrieval client DN must also match the user specified regex. In order
to retrieve credentials the client also needs to know the name and pass
phrase provided by the client when the credentials were stored.
Any number of these lines may appear. For backwards compatibility,
these lines can also start with allowed_services instead
of
authorized_retrievers. |
| default_retrievers "DN regex" | Each of these lines allows the server administrator to set
server-wide default policies. The regex specifies the clients
who can access the credentials. The default retriever policy is
enforced if a per-credential policy is not specified on upload
(using myproxy-init(1)). In other words, the client
can override this policy for a credential on upload. The per-credential
policy is enforced in addition to the server-wide policy specified
by the authorized_retrievers line (which clients can
not override). Any number of these lines may be present. For backwards
compatibility, if no default_retrievers line is specified,
the default policy is "*", which allows any client to pass the
per-credential policy check. (The client must still pass the
authorized_retrievers check). |
| authorized_renewers "DN regex" | Each of these lines allows the server administrator to set
server-wide policies for authorized renewers. If the client DN
does not match the given limited regex the client is not allowed
to renew the credentials previously stored by a client. In
addition to the server-wide policy, MyProxy also provides support
for per-credential policy. The user can specify the regex DN of the allowed
renewers of the credential on upload (using
myproxy-init(1)). The renewal client DN must match both
this regex and the user specified regex. In this case, the client
must also already have a credential with a DN matching the DN of
the credentials to be retrieved, to be used in a second authorization step (see the -a option for myproxy-logon(1)). |
| default_renewers "DN regex" | Each of these lines allows the server administrator to set
server-wide default renewer policies. The regex specifies the
clients who can renew the credentials. The default renewer policy
is enforced if a per-credential policy is not specified on upload (using myproxy-init(1)).
This is enforced in addition to the server-wide policy specified by the authorized_renewers
line. Any number of these lines may appear. For backwards compatibility,
if no default_renewers line is specified, the default
policy is "*",
which allows any client to pass the per-credential policy check.
(The client must still pass the authorized_renewers check). |
| passphrase_policy_program full-path-to-script | This line specifies a program to run whenever a passphrase is
set or changed for implementing a local password policy. The
program is passed the new passphrase via stdin and is passed the
following arguments: username, distinguished name, credential
name (if any), per-credential retriever policy (if any), and
per-credential renewal policy (if any). If the passphrase is
acceptable, the program should exit with status 0. Otherwise,
it should exit with non-zero status, causing the operation in
progress (credential load, passphrase change) to fail with the
error message provided by the program's stdout. Note: You must
specify the full path to the external program. $GLOBUS_LOCATION can't be used in the myproxy-server.config file. |
| max_proxy_lifetime hours | This line specifies a server-wide maximum lifetime for retrieved proxy credentials. By default, no server-wide maximum is enforced. However, if this option is specified, the server will limit the lifetime of any retrieved proxy credentials to the value given. |
A sample SysV-style boot script for MyProxy is installed at $GLOBUS_LOCATION/share/myproxy/etc.init.d.myproxy. To install on Linux, copy the file to /etc/rc.d/init.d/myproxy and run 'chkconfig --add myproxy'. You will need to edit the file to set the GLOBUS_LOCATION environment variable correctly.
Alternatively, to run the myproxy server out of inetd or xinetd, you need to do the following as root:
- Add the entries in $GLOBUS_LOCATION/share/myproxy/etc.services.modifications to the /etc/services or /etc/inet/services file.
- Add the entries in $GLOBUS_LOCATION/share/myproxy/etc.inetd.conf.modifications to /etc/inetd.conf or /etc/inet/inetd.conf, or copy $GLOBUS_LOCATION/share/myproxy/etc.xinetd.myproxy to /etc/xinetd.d/myproxy. You'll need to modify the paths in the file according to your installation.
- Reactivate the inetd (or xinetd). This is typically accomplished by sending the SIGHUP signal to the daemon. Refer to the inetd or xinetd man page for your system.
To verify your myproxy-server installation and configuration, you can run the myproxy-server directly from your shell. If using a host certificate, you will need to run the myproxy-server as root. First, make sure your Globus environment is setup in your shell. Set the GLOBUS_LOCATION environment variable to the location of your MyProxy installation. Then, depending on your shell, run one of the following commands.
For csh shells:
source $GLOBUS_LOCATION/etc/globus-user-env.csh
For sh shells:
. $GLOBUS_LOCATION/etc/globus-user-env.sh
Then, run $GLOBUS_LOCATION/sbin/myproxy-server -d.
The -d argument runs the myproxy-server in debug mode.
It will write debugging messages to the terminal and
exit after servicing a single request.
You'll need to start it once for each test request.
In another shell, you can run the MyProxy client programs to test the
server.
If run without the -d argument,
the myproxy-server program will start up and background itself.
It accepts connections on TCP port 7512, forking off a separate child
to handle each incoming connection.
It logs information via the syslog service under the daemon facility.
You should choose a well-protected host to run the myproxy-server on. Consult with security-aware personnel at your site. You want a host that is secured to the level of a Kerberos KDC, that has limited user access, runs limited services, and is well monitored and maintained in terms of security patches.
For a typical myproxy-server installation, the host on which the myproxy-server is running must have /etc/grid-security created and a host certificate installed. In this case, the myproxy-server will run as root so it can access the host certificate and key.
Please refer to the MyProxy user manual.