Table of Contents
A Java API is available.
Please see the MyProxy Command Reference.
MyProxy does not provide any domain-specific interfaces.
A typical MyProxy configuration has one dedicated myproxy-server for the site, with MyProxy clients installed on all systems where other Globus Toolkit client software is installed.
No additional configuration is required to use MyProxy clients after they are installed, although you may want to set the MYPROXY_SERVER environment variable to the hostname of your myproxy-server in the default user environment on your systems.
To configure the myproxy-server you must
modify the myproxy-server.config template provided at
$GLOBUS_LOCATION/share/myproxy/myproxy-server.config
and copy it to
/etc/myproxy-server.config
(if you have root access) or
$GLOBUS_LOCATION//etc/myproxy-server.config
(if you don't have root access).
If you skip this step, your myproxy-server will not start.
To enable all myproxy-server features uncomment the provided sample
policy at the top of the myproxy-server.config config file, as
follows:
# # Complete Sample Policy # # The following lines define a sample policy that enables all # myproxy-server features. See below for more examples. accepted_credentials "*" authorized_retrievers "*" default_retrievers "*" authorized_renewers "*" default_renewers "none" authorized_key_retrievers "*" default_key_retrievers "none" trusted_retrievers "*" default_trusted_retrievers "none"
Please see below for additional documentation on the myproxy-server.config options.
The myproxy-server.config file sets the policy for
the myproxy-server(8), specifying what credentials may be
stored in the server's repository and who is authorized to retrieve credentials.
By default, the myproxy-server(8) looks for this file in /etc/myproxy-server.config
and if it is not found there, it looks in $GLOBUS_LOCATION/etc/myproxy-server.config.
The myproxy-server -c option can
be used to specify an alternative location. The file installed by default
does not allow any requests.
The file also supports a passphrase_policy_program command for specifying an external program for evaluating the quality of users' passphrases. A sample program is installed in $GLOBUS_LOCATION/share/myproxy/myproxy-passphrase-policy but is not enabled by default.
Lines in the configuration file use limited regular expressions for matching the distinguished names (DNs) of classes of users. The limited regular expressions support the shell-style characters '*' and '?', where '*' matches any number of characters and '?' matches any single character.
The DN limited regexes should be delimited with double quotes ("DN regex").
The configuration file has the following types of lines:
Table 1. myproxy-server.config lines
| accepted_credentials "DNregex" | Each of these lines allows any clients whose DNs match the given
limited regex to connect to the myproxy-server and store
credentials with it for future retrieval. Any number of these
lines may appear. For backwards compatibility, these lines can
also start with allowed_clients instead of
accepted_credentials. |
| authorized_retrievers "DN regex" | Each of these lines allows the server administrator to set
server-wide policies for authorized retrievers. If the client DN
does not match the given limited regex, the client is not allowed
to retrieve the credentials previously stored by a client. In
addition to the server-wide policy, MyProxy also provides support
for per-credential policy. The user can specify the regex DN of the allowed
retrievers of the credential when uploading the credential (using myproxy-init(1)).
The retrieval client DN must also match the user specified regex. In order
to retrieve credentials the client also needs to know the name and pass
phrase provided by the client when the credentials were stored.
Any number of these lines may appear. For backwards compatibility,
these lines can also start with allowed_services instead
of
authorized_retrievers. |
| default_retrievers "DN regex" | Each of these lines allows the server administrator to set
server-wide default policies. The regex specifies the clients
who can access the credentials. The default retriever policy is
enforced if a per-credential policy is not specified on upload
(using myproxy-init(1)). In other words, the client
can override this policy for a credential on upload. The per-credential
policy is enforced in addition to the server-wide policy specified
by the authorized_retrievers line (which clients can
not override). Any number of these lines may be present. For backwards
compatibility, if no default_retrievers line is specified,
the default policy is "*", which allows any client to pass the
per-credential policy check. (The client must still pass the
authorized_retrievers check). |
| authorized_renewers "DN regex" | Each of these lines allows the server administrator to set
server-wide policies for authorized renewers. If the client DN
does not match the given limited regex the client is not allowed
to renew the credentials previously stored by a client. In
addition to the server-wide policy, MyProxy also provides support
for per-credential policy. The user can specify the regex DN of the allowed
renewers of the credential on upload (using
myproxy-init(1)). The renewal client DN must match both
this regex and the user specified regex. In this case, the client
must also already have a credential with a DN matching the DN of
the credentials to be retrieved, to be used in a second authorization step (see the -a option for myproxy-logon(1)). |
| default_renewers "DN regex" | Each of these lines allows the server administrator to set
server-wide default renewer policies. The regex specifies the
clients who can renew the credentials. The default renewer policy
is enforced if a per-credential policy is not specified on upload (using myproxy-init(1)).
This is enforced in addition to the server-wide policy specified by the authorized_renewers
line. Any number of these lines may appear. For backwards compatibility,
if no default_renewers line is specified, the default
policy is "*",
which allows any client to pass the per-credential policy check.
(The client must still pass the authorized_renewers check). |
| passphrase_policy_program full-path-to-script | This line specifies a program to run whenever a passphrase is
set or changed for implementing a local password policy. The
program is passed the new passphrase via stdin and is passed the
following arguments: username, distinguished name, credential
name (if any), per-credential retriever policy (if any), and
per-credential renewal policy (if any). If the passphrase is
acceptable, the program should exit with status 0. Otherwise,
it should exit with non-zero status, causing the operation in
progress (credential load, passphrase change) to fail with the
error message provided by the program's stdout. Note: You must
specify the full path to the external program. $GLOBUS_LOCATION can't be used in the myproxy-server.config file. |
| max_proxy_lifetime hours | This line specifies a server-wide maximum lifetime for retrieved proxy credentials. By default, no server-wide maximum is enforced. However, if this option is specified, the server will limit the lifetime of any retrieved proxy credentials to the value given. |
Table 2. Environment variables
| MYPROXY_SERVER | Specifies the hostname where the myproxy-server is running.
This environment variable can be used in place of the -s option. |
| MYPROXY_SERVER_PORT | Specifies the port where the myproxy-server is running. This
environment variable can be used in place of the -p option. |
| MYPROXY_SERVER_DN | Specifies the distinguished name (DN) of the myproxy-server. All MyProxy client programs authenticate the server's identity. By default, MyProxy servers run with host credentials, so the MyProxy client programs expect the server to have a distinguished name of the form "host/<fqhn>" or "myproxy/<fqhn>" (where <fqhn> is the fully-qualified hostname of the server). If the server is running with some other DN, you can set this environment variable to tell the MyProxy clients to accept the alternative DN. |
| X509_USER_CERT | Specifies a non-standard location for the certificate from which
the proxy credential is created by myproxy-init.
It also specifies an alternative location for the server's certificate.
By default, the server uses /etc/grid-security/hostcert.pem when
running as root or ~/.globus/usercert.pem when running as non-root. |
| X509_USER_KEY | Specifies a non-standard location for the private key from which
the proxy credential is created by myproxy-init.
It also specifies an alternative location for the server's private key.
By default the server uses /etc/grid-security/hostkey.pem when
running as root or ~/.globus/userkey.pem when running as non-root. |
| X509_USER_PROXY | Specifies an alternative location for the server's certificate
and private key (in the same file). Use when running the server
with a proxy credential. Note that the proxy will need to be
periodically renewed before expiration to allow the myproxy-server to
keep functioning. When the myproxy-server runs with
a non-host credential, clients must have the MYPROXY_SERVER_DN
environment variable set to the distinguished name of the certificate
being used by the server. |
| GLOBUS_LOCATION | Specifies the root of the MyProxy installation, used to find the
default location of the myproxy-server.config file
and the credential storage directory. |
| LD_LIBRARY_PATH | The MyProxy server is typically linked dynamically with Globus
security libraries, which must be present in the dynamic
linker's search path. This typically requires $GLOBUS_LOCATION/lib to
be included in the list in the LD_LIBRARY_PATH environment
variable, which is set by the $GLOBUS_LOCATION/libexec/globus-script-initializer script,
which should be called from any myproxy-server startup script.
Alternatively, to set LD_LIBRARY_PATH appropriately
for the Globus libraries in an interactive shell, source $GLOBUS_LOCATION/etc/globus-user-env.sh (for sh shells) or $GLOBUS_LOCATION/etc/globus-user.env.csh (for csh shells). |
| GT_PROXY_MODE |
Set to "old" to use the "legacy globus proxy" format.
By default, MyProxy uses the RFC 3820 compliant proxy
(also known as "proxy draft compliant") format.
If GT_PROXY_MODE is set to "old", then
myproxy-init will store a legacy proxy and
myproxy-logon will retrieve a legacy proxy (if
possible). Note that if the repository contains a proxy
certificate, rather than an end-entity certificate, the
retrieved proxy will be of the same type as the stored
proxy, regardless of the setting of this environment
variable. |