myproxy-server.config(5)            MyProxy           myproxy-server.config(5)




NAME

       myproxy-server.config - myproxy-server configuration file


DESCRIPTION

       The  myproxy-server.config  file  sets  the  policy  for  the  myproxy-
       server(8), specifying what credentials may be stored  in  the  server's
       repository,  who  is authorized to retrieve credentials, and other con-
       figurable server behaviors.  By default,  the  myproxy-server(8)  looks
       for  this  file  in  /etc/myproxy-server.config  and if it is not found
       there, it looks in $GLOBUS_LOCATION/etc/myproxy-server.config.  A  tem-
       plate is provided at $GLOBUS_LOCATION/share/myproxy/myproxy-server.con-
       fig.  The myproxy-server -c option can be used to specify  an  alterna-
       tive location.

       The  following  lines  set  access  control  policies  according to the
       client's  certificate  subject  distinguished  name  (DN).   Note  that
       MyProxy  uses  non-standard  regular expressions for distinguished name
       (DN) matching. See the REGULAR EXPRESSIONS section below for details.

       accepted_credentials "DN regex"
              Each of these lines allows any clients whose DNs match the given
              limited regex to connect to the myproxy-server and store creden-
              tials with it for future retrieval.  Any number of  these  lines
              may  appear.   For backwards compatibility, these lines can also
              start with allowed_clients instead of accepted_credentials.   If
              no accepted_credentials lines are specified, the server will not
              allow any clients to store credentials.

       authorized_retrievers "DN regex"
              Each of these lines  allows  the  server  administrator  to  set
              server-wide policies for credential retrievers. If the client DN
              does not match the  given  limited  regex,  the  client  is  not
              allowed to retrieve credentials from the server.  In addition to
              the server-wide policy, myproxy also provides support  for  per-
              credential  policy.  The  user  can  specify the regex DN of the
              allowed retrievers of the credential when uploading the  creden-
              tial (using myproxy-init(1) or myproxy-store(1)).  The retrieval
              client DN must also match the user specified regex. In order  to
              retrieve  credentials the client also needs to know the name and
              pass phrase provided by the client  when  the  credentials  were
              stored.  Any  number  of  these lines may appear.  For backwards
              compatibility, these lines can also start with  allowed_services
              instead  of  authorized_retrievers.  If no authorized_retrievers
              lines are specified, the server will not allow  any  clients  to
              retrieve credentials.

       default_retrievers "DN regex"
              Each  of  these  lines  allows  the  server administrator to set
              server-wide default policies. The regex  specifies  the  clients
              who  can access the credentials. The default retriever policy is
              enforced if a per-credential policy is not specified  on  upload
              (using  myproxy-init(1)  or  myproxy-store(1)).  In other words,
              the client can override this policy for a credential on  upload.
              The per-credential policy is enforced in addition to the server-
              wide policy specified by the authorized_retrievers  line  (which
              clients  can  not  override).   Any number of these lines may be
              present.  For backwards compatibility, if no  default_retrievers
              line  is  specified, the default policy is "*", which allows any
              client to pass the per-credential  policy  check.   (The  client
              must still pass the authorized_retrievers check.)

       authorized_renewers "DN regex"
              Each  of  these  lines  allows  the  server administrator to set
              server-wide policies for authorized renewers. If the  client  DN
              does not match the given limited regex the client is not allowed
              to renew the credentials previously stored  by  a  client.   See
              allow_self_authorization below for a further restriction on this
              policy.  In addition to the  server-wide  policy,  myproxy  also
              provides support for per-credential policy. The user can specify
              the regex DN of the allowed renewers of the credential on upload
              (using  myproxy-init(1)).  The renewal client DN must match both
              this regex and the user  specified  regex.  In  this  case,  the
              client  must  also  already have a credential with a DN matching
              the DN of the credentials to be retrieved, to be used in a  sec-
              ond  authorization step (see the -a options for myproxy-logon(1)
              and myproxy-retrieve(1)).

       default_renewers "DN regex"
              Each of these lines  allows  the  server  administrator  to  set
              server-wide  default  renewer  policies. The regex specifies the
              clients who can renew the credentials. The default renewer  pol-
              icy  is  enforced if a per-credential policy is not specified on
              upload (using myproxy-init(1)).  This is enforced in addition to
              the  server-wide  policy  specified  by  the authorized_renewers
              line. Any number of these lines may appear.  For backwards  com-
              patibility,  if  no  default_renewers  line  is  specified,  the
              default policy is "*", which allows any client to pass the  per-
              credential policy check.  (The client must still pass the autho-
              rized_renewers check.)

       authorized_key_retrievers "DN regex"
              This policy controls who can retrieve credentials  (certificates
              and   keys)   directly   from   the  repository  using  myproxy-
              retrieve(1).  Clients must also match the  authorized_retrievers
              policy.   If  no  authorized_key_retrievers lines are specified,
              the server will not allow any clients to retrieve keys  directly
              from the repository.

       default_key_retrievers "DN regex"
              This  policy applies if a per-credential policy is not specified
              on upload (using myproxy-init(1) or myproxy-store(1)).  In other
              words,  the  client can override this policy for a credential on
              upload.  The per-credential policy is enforced  in  addition  to
              the  server-wide policy specified by the authorized_key_retriev-
              ers line (which clients can not override).  Any number of  these
              lines  may  be  present.   If  no default_key_retrievers line is
              specified, the default policy is "*", which allows any client to
              pass  the  per-credential  policy check.  (The client must still
              pass the authorized_key_retrievers check.)

       trusted_retrievers "DN regex"
              This policy controls who can retrieve credentials  without  fur-
              ther  authentication.   By  default,  clients  that match autho-
              rized_retrievers must perform additional authentication (such as
              passphrase,  PAM,  or  SASL)  to retrieve credentials.  However,
              authenticated clients that match both authorized_retrievers  and
              trusted_retrievers do not need to perform additional authentica-
              tion, unless the credentials are protected by a  passphrase,  in
              which case the passphrase is still required.  Note: The myproxy-
              server(8) will fail on startup or reconfig with an "unsafe  pol-
              icy"  error  if  a policy of trusted_retrievers "*" is specified
              without also specifying a restrictive default_trusted_retrievers
              policy, to avoid an unsafe policy that would release credentials
              to all clients  without  additional  authentication.   See  also
              allow_self_authorization below for a further restriction on this
              policy.

       default_trusted_retrievers "DN regex"
              If a user doesn't set a trusted retrieval policy with  the  cre-
              dential on upload (via 'myproxy-init -Z'), the myproxy-server(8)
              will  apply  the   following   policy   in   addition   to   the
              trusted_retrievers  policy.   If  no  default_trusted_retrievers
              policy is  set,  then  only  the  trusted_retrievers  policy  is
              applied.

       The following lines in the configuration file set other server options.

       passphrase_policy_program full-path-to-script
              This  line  specifies  a program to run whenever a passphrase is
              set or changed for implementing a local  password  policy.   The
              program is passed the new passphrase via stdin and is passed the
              following arguments: username,  distinguished  name,  credential
              name  (if  any),  per-credential  retriever policy (if any), and
              per-credential renewal policy (if any).  If  the  passphrase  is
              acceptable,  the  program should exit with status 0.  Otherwise,
              it should exit with non-zero status, causing  the  operation  in
              progress  (credential  load, passphrase change) to fail with the
              error message provided by the program's stdout.  Note: You  must
              specify the full path to the external program.  $GLOBUS_LOCATION
              can't be used in the myproxy-server.config file.  A sample  pro-
              gram  is  installed  in  $GLOBUS_LOCATION/share/myproxy/myproxy-
              passphrase-policy but is not enabled by default.

              Be sure to follow secure coding practices for this call-out:
              - Don't allow input to overflow fixed-size buffers.
              - Don't pass unchecked input to a shell command.

       cert_dir full-path-to-certificates-directory
              Specifies the path  to  the  CA  certificates  directory  to  be
              returned  to  clients  requesting  trust  roots (such as via the
              myproxy-logon(1) -T option).

       max_proxy_lifetime hours
              This line specifies a server-wide maximum lifetime for retrieved
              proxy  credentials.   By  default,  no  server-wide  maximum  is
              enforced.  However, if this option is specified, the server will
              limit  the  lifetime  of  any retrieved proxy credentials to the
              value given.

       max_cred_lifetime hours
              This line specifies a server-wide maximum  lifetime  for  stored
              credentials.   By  default,  no server-wide maximum is enforced.
              However, if this option is specified, the server will limit  the
              lifetime of any stored credentials to the value given.

       ignore_globus_limited_proxy_flag boolean
              By  default,  MyProxy will respect the policy of "limited" proxy
              certificates as follows.  If a client authenticates with a  lim-
              ited  proxy,  the  client  should only be able to obtain another
              limited proxy, not a  full  proxy  or  end  entity  certificate.
              Thus, the MyProxy CA will not accept limited proxies for authen-
              tication.  However, if this option is set to true, MyProxy  will
              treat limited proxy certificates as if they were full proxy cer-
              tificates.

       allow_self_authorization boolean
              By default, MyProxy will disallow trusted_retrievers and  autho-
              rized_renewers  whose DN matches the identity of the stored cre-
              dential, so a proxy by itself can not be refreshed  or  renewed.
              However,  if  this  option  is  set to true, this restriction is
              lifted.

       syslog_ident name
              You can optionally specify the string to be prepended  to  every
              message  written  to  the  syslog.   If  not specified, the name
              defaults to the the program name, i.e. myproxy-server.

       syslog_facility name
              By default, the myproxy-server will log to the  syslog  "daemon"
              facility.  With  this option you can specify an alternate syslog
              facility, such as "auth", "user", "security", or "local0".   The
              facility can also be specified numerically as with the logger(1)
              command.

       request_timeout seconds
              Specifies the maximum time  a  myproxy-server(8)  child  process
              should  spend  servicing  a  client request before aborting.  By
              default, child processes will abort after 120 seconds.  A  nega-
              tive value will disable the timeout.

       request_size_limit bytes
              Limits  the  amount  of incoming application-level protocol data
              the myproxy-server(8) will accept from clients, to avoid  memory
              exhaustion  under  heavy  load. Specified in bytes.  Defaults to
              1MB (1048576 bytes).  A zero  or  negative  value  disables  the
              limit.

       proxy_extfile full-path-to-extension-file
              Optionally  specifies  the  full  path  to  a file containing an
              OpenSSL formatted set of certificate extensions  to  include  in
              all proxy certificates issued from the MyProxy repository (anal-
              ogous to certificate_extfile for the CA module).

       proxy_extapp full-path-to-extension-callout-program
              This is the call-out version of  proxy_extfile.   It  optionally
              specifies  the  full  path  to a call-out program for specifying
              proxy certificate extensions.  It will be passed  the  authenti-
              cated username and the proxy credential location as the two com-
              mand arguments.  On success, it should write the OpenSSL format-
              ted  set  of certificate extensions to stdout and exit with zero
              status.  On error, it should  write  to  stderr  and  exit  with
              nonzero  status.   Either  proxy_extfile  or proxy_extapp can be
              specified but not both.

              Be sure to follow secure coding practices for this call-out:
              - Don't allow input to overflow fixed-size buffers.
              - Don't pass unchecked input to a shell command.

       voms_userconf full-path-to-voms-configuration-file
              Optionally specifies the full path  to  the  VOMS  configuration
              file containing VOMS server information. It is usually specified
              in the environmental variable VOMS_USERCONF.

       allow_voms_attribute_requests boolean
              If this parameter is set to true and a GET request includes VON-
              AME  and (optionally) VOMSES parameters, call-out to VOMS to add
              the requested attributes to  the  issued  certificate.  Requires
              linking  with  VOMS  libraries.  By  default,  VONAME and VOMSES
              parameters in requests will be ignored unless this parameter  is
              set to true.

       The  MyProxy  server  can  be  optionally configured for authentication
       based on Pluggable  Authentication  Modules  (PAM)  and/or  the  Simple
       Authentication  and Security Layer (SASL).  Kerberos is one of the sup-
       ported SASL authentication methods.  The following options control  the
       use of PAM and SASL.

       pam option
              This  line governs the use of PAM to check passphrases.  MyProxy
              will attempt to authenticate via PAM, with the supplied username
              and passphrase.  Note that PAM will need to be configured exter-
              nally for the application "myproxy" (usually in /etc/pam.d/), or
              for the application named by pam_id, below.  Accepted values:

              required
                     PAM  password authentication is required under all condi-
                     tions.  If the credential is unencrypted (that is, it has
                     no  passphrase),  a  PAM password check is still required
                     for authentication.  If the credential is encrypted,  its
                     passphrase must match the PAM password.

              sufficient
                     The  user's  passphrase  may  match either the credential
                     passphrase or, if the credential is unencrypted, the  PAM
                     passphrase.  If the credential is encrypted, then the PAM
                     password is not relevant.

              disabled (default)
                     PAM is not used to check passphrases.

       pam_id string
              The name that myproxy uses to identify itself to  PAM.   Default
              is "myproxy".  For example, on most Unix-like systems, if pam_id
              is set to "login", MyProxy will authenticate  against  the  sys-
              tem's own usernames and passwords.

       sasl option
              This line governs the use of SASL authentication.  Accepted val-
              ues:

              required
                     SASL authentication is required  for  retrieving  creden-
                     tials.

              sufficient
                     SASL  authentication is sufficient for retrieving creden-
                     tials, but  other  authentication  methods  may  be  used
                     instead.

              disabled (default)
                     SASL authentication isn't used.

       sasl_mech mechanism
              Forces  the  use of a single SASL mechanism, overriding the SASL
              configuration file. (Typically not required.)

       sasl_serverFQDN hostname
              Configures the  SASL  server  fully-qualified  domain  name  for
              multi-homed servers. (Typically not required.)

       sasl_user_realm realm
              Configures the SASL user realm. (Typically not required.)

       The  MyProxy  server  can  also  be  configured to act as a Certificate
       Authority (CA) to issue credentials to clients.  The following  parame-
       ters enable and configure the CA functionality.

       certificate_issuer_cert full-path-to-certificate
              This  line  specifies the full path to the issuer certificate to
              optionally configure the myproxy-server to act as an online cer-
              tificate authority.

       certificate_issuer_key full-path-to-key
              When  specifying  certificate_issuer_cert  above,  you must also
              give the name of the CA private key  for  signing  certificates.
              This  is normally path to a CA private key in PEM format, but if
              you   are   using    an    OpenSSL    engine    (see    certifi-
              cate_openssl_engine_id ) then it can be the key name.

       certificate_issuer_key_passphrase "passphrase"
              If  the certificate_issuer_key is encrypted, give the passphrase
              here.

       certificate_issuer_subca_certfile full-path-to-subca-certificate-file
              If you would like an intermediate/sub-CA certificate chain to be
              sent along with the EEC (End Entity Certificate) generated using
              a local intermediate/sub-CA,  specify  the  file  that  contains
              those certificates in PEM format. This is meant to aid scenarios
              where the CA used is an intermediate CA (i.e. not a root CA) and
              the  client  may  not  have  the intermediate CA(s) in its trust
              store. The client will write out the chain into the same file as
              the EEC, following the EEC.

       certificate_issuer_hashalg algorithm
              Specifies the hash algorithm to use when signing end-entity cer-
              tificates.  Defaults to "sha1".  When linked with OpenSSL  0.9.8
              or  later,  "sha224",  "sha256",  "sha384" and "sha512" are also
              supported.

       certificate_issuer_email_domain "domain"
              If set, specifies the domain part of the X509v3 Subject Alterna-
              tive Name email address included in issued certificates.

       certificate_openssl_engine_id engineId

       certificate_openssl_engine_pre pre-initialization-commands

       certificate_openssl_engine_post post-initialization-commands
              These  commands  can  be  used to allow any OpenSSL engine to be
              used with MyProxy.  This enables the use of hardware tokens  and
              signing  modules  to sign certificates.  Given the parameters of
              an OpenSSL "engine" command, the first argument, the identity of
              the engine becomes the argument to certificate_openssl_engine_id
              and  -pre  commands  are  listed   in   order   using   certifi-
              cate_openssl_engine_pre  and  -post commands are listed in order
              using certificate_openssl_engine_post.  For example the command-
              line:

                 openssl             engine            dynamic            -pre
              SO_PATH:/usr/lib/engines/engine_pkcs11.so  -pre  ID:pkcs11  -pre
              LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/opensc-pksc11.so

              becomes:

                 certificate_openssl_engine_id "dynamic"

                 certificate_openssl_engine_pre
              "SO_PATH:/usr/lib/engines/engine_pkcs11.so"          "ID:pkcs11"
              "LIST_ADD:1" "LOAD" "MODULE_PATH:/usr/lib/opensc-pksc11.so"

              Please  note  that any shared library engines loaded through the
              "dynamic" engine MUST be compiled againt the correct version  of
              OpenSSL.  The Globus toolkit has its own installation and can be
              found by running $GLOBUS_LOCATION/bin/openssl version.

       certificate_openssl_engine_lockfile full-path-to-file
              If your hardware token or HSM is unable to  handle  simultaneous
              operations, provide a path to a lockfile for synchronizing oper-
              ations to the engine device.  The myproxy-server will create the
              file if it does not already exist.

       certificate_issuer_program full-path-to-script
              This  line specifies the path to a program to issue certificates
              for authenticated clients that don't  have  credentials  stored.
              This  optionally  configures  the  myproxy-server  to  act as an
              online certificate authority, allowing programmatic control over
              the  certificate  issuance process.  You can either specify cer-
              tificate_issuer_cert or certificate_issuer_program.

              Be sure to follow secure coding practices for this call-out:
              - Don't allow input to overflow fixed-size buffers.
              - Don't pass unchecked input to a shell command.

       certificate_serialfile full-path-to-serial-file
              Specifies the path to a file to store the serial number  counter
              for issued certificates.  Defaults to /var/lib/myproxy/serial.

       certificate_serial_skip increment
              Specifies  the  number  to  add to the serial number each time a
              certificate is issued. Use this to stagger serial numbers across
              multiple  CA  instances to avoid serial number clashes. Defaults
              to 1.

       certificate_out_dir full-path-to-putput-directory
              Specifies the path to a directory where new certificates will be
              archived.

       max_cert_lifetime hours
              Specifies  the  maximum  lifetime  (in  hours)  for certificates
              issued by the CA module.  Defaults to 12 hours.

       min_keylen bits
              Specifies the minimum RSA key length (in bits) for  certificates
              issued by the CA module.

       certificate_extfile full-path-to-extension-file
              Optionally  specifies  the  full  path  to  a file containing an
              OpenSSL formatted set of certificate extensions  to  include  in
              all issued certificates.  For example:
                 keyUsage=digitalSignature,keyEncipherment,dataEncipherment
                 subjectKeyIdentifier=hash
                 authorityKeyIdentifier=keyid,issuer:always
                 crlDistributionPoints=URI:http://ca.ncsa.uiuc.edu/4a6cd8b1.r0
                 basicConstraints=CA:FALSE
              If  not  set,  the MyProxy CA will include a basic set of exten-
              sions in issued certificates.

       certificate_extapp full-path-to-extension-callout-program
              This is the call-out version of certificate_extfile.  It option-
              ally  specifies the full path to a call-out program for specify-
              ing certificate extensions.  It will be passed the authenticated
              username  as the single command argument.  On success, it should
              write the OpenSSL formatted set  of  certificate  extensions  to
              stdout  and exit with zero status.  On error, it should write to
              stderr and exit with nonzero status.  Either certificate_extfile
              or certificate_extapp can be specified but not both.

              Be sure to follow secure coding practices for this call-out:
              - Don't allow input to overflow fixed-size buffers.
              - Don't pass unchecked input to a shell command.

       certificate_mapfile full-path-to-mapfile
              When  specifying  certificate_issuer_cert  above,  you  can  map
              account names to certificate subject distinguished names for the
              issued  certificates using this mapfile, which has the same for-
              mat as used by  other  Globus  Toolkit  services.   By  default,
              /etc/grid-security/grid-mapfile  is  used.   The  Globus Toolkit
              grid-mapfile-add-entry  and  grid-mapfile-delete-entry  commands
              can be used to manage the grid-mapfile.

       certificate_mapapp full-path-to-mapapp
              When  specifying  certificate_issuer_cert  above,  you  can  map
              account names to certificate subject distinguished names for the
              issued  certificates using this call-out.  It will be passed the
              authenticated username as the single command argument.  On  suc-
              cess, it should write the distinguished name in OpenSSL one line
              format (for  example,  "/C=US/O=National  Computational  Science
              Alliance/CN=Jim  Basney")  to  stdout and exit with zero status.
              On error, it should write to stderr and exit with  nonzero  sta-
              tus.  If it is not defined, then mapfile lookup will be executed
              instead  (see  certificate_mapfile  above).    An   example   is
              installed in $GLOBUS_LOCATION/share/myproxy/myproxy-certificate-
              mapapp.

              Be sure to follow secure coding practices for this call-out:
              - Don't allow input to overflow fixed-size buffers.
              - Don't pass unchecked input to a shell command.

       certificate_request_checker full-path-to-callout-program
              This CA call-out can be used to perform checks on incoming  cer-
              tificate  requests. It will be passed the certificate request in
              PEM format on stdin. If it returns a nonzero exit status, the CA
              will  abort  without  signing  the  request.   When  returning a
              nonzero exit status, the callout should indicate the problem  on
              stderr.     An    example    is   installed   in   $GLOBUS_LOCA-
              TION/share/myproxy/myproxy-certreq-checker.

       certificate_issuer_checker full-path-to-callout-program
              This CA call-out can be used to perform checks  on  issued  cer-
              tificates  before the certificate is returned to the client.  It
              will be passed the certificate in PEM format  on  stdin.  If  it
              returns a nonzero exit status, the CA will abort without return-
              ing the signed certificate  to  the  client.  When  returning  a
              nonzero  exit status, the callout should indicate the problem on
              stderr.    An   example   is    installed    in    $GLOBUS_LOCA-
              TION/share/myproxy/myproxy-cert-checker.

       If OpenLDAP support is built-in to the myproxy-server(8), the following
       parameters can be used to configure the CA module to map account  names
       to certificate subject distinguished names via LDAP.

       ca_ldap_server "ldap://localhost:389/"
              This  parameter  specifies the URI to the LDAP server to use for
              username to DN resolution in the CA module.   Both  ldap://  and
              ldaps://  protocols are supported.  A port number may optionally
              be specified as well.  Defining this directive is the  "trigger"
              that causes the name resolution module to use LDAP querying.  If
              it is not defined, then mapfile lookup will be executed  instead
              (see certificate_mapfile above).

       ca_ldap_uid_attribute "uid"
              The  name of the record attribute that maps to the MyProxy user-
              name.  Required for LDAP username to DN resolution.

       ca_ldap_searchbase "ou=people,dc=bullwinkle,dc=lbl,dc=gov"
              The DN of the region  of  the  ldap  database  to  be  searched.
              Required for LDAP username to DN resolution.

       ca_ldap_dn_attribute "subjectDN"
              If  this  directive  is  set, the LDAP resolver will pull the DN
              from the specified attribute in the returned record.  If  it  is
              not set, the default is to use the DN of the record itself.

       ca_ldap_connect_dn "cn=MyProxy,ou=ldapusers,dc=lbl,dc=gov"
              DN for LDAP basic authentication (optional).

       ca_ldap_connect_passphrase "passphrase"
              Passphrase for LDAP basic authentication (optional).

       The  following  parameters control server replication with the myproxy-
       replicate(1) utility.

       slave_servers server:port;
              This value is for use  with  the  myproxy-replicate(1)  utility.
              This  tag  provides  a list of servers that will be used as sec-
              ondary repositories  for  the  MyProxy  database.   Each  server
              should  be  seperated by a ";".  Also, a port may be provided if
              the slave server is using a port other then  the  default.   The
              server name maybe a recognized DNS or an IP address.

       The  following  parameters control Pubcookie (http://www.pubcookie.org)
       authentication.

       pubcookie_granting_cert full-path-to-pem-file
              Sets the full path to the PEM-encoded  Pubcookie  granting  cer-
              tificate for verifying signatures on Pubcookie granting cookies.
              Setting this parameter enables Pubcookie support.

       pubcookie_app_server_key full-path-to-key-file
              Sets the full path to the 2048 byte application server key  (see
              Pubcookie's   Apache   directive  PubcookieCryptKeyfile).   This
              parameter is optional; if omitted,  cookie  decryption  will  be
              disabled,  and  MyProxy  will  only  accept  plaintext  cookies,
              although  it  will  still  verify  their  signatures  with  pub-
              cookie_granting_cert (see above).

       The following parameters are used primarily when utilizing MyProxy as a
       delegation service for web portals.

       accepted_credentials_mapfile full-path-to-mapfile
              This parameter points to a grid-mapfile, which is possibly  dif-
              ferent  from  other mapfiles above. When specified, this mapfile
              is utilized during puts/stores (e.g.  with  myproxy-init(1)  and
              myproxy-store(1)).   A credential is authorized to be put/stored
              only under the username specified in the mapfile.  This prevents
              storing  a  user's  credential under a different username.  Note
              that  the  credential  checked  for  the  presence  of  a   Sub-
              jectDN/Username  entry in the mapfile is the credential utilized
              to secure the connection between  client  and  server,  NOT  the
              actual credential being stored.  As the credential which secures
              the TLS connection is typically the same as the credential being
              stored,  this  should  not be a major issue.  The Globus Toolkit
              grid-mapfile-add-entry  and  grid-mapfile-delete-entry  commands
              can be used to manage the grid-mapfile.

       accepted_credentials_mapapp full-path-to-mapapp
              As  an  alternative  to  the accepted_credentials_mapfile option
              above, you can specify a call-out which is  passed  two  parame-
              ters:  a  certificate  subject distinguished name and a username
              (in that order).  In essence, the call-out performs a lookup  in
              a   'virtual'   accepted_credentials_mapfile.    If   the   Sub-
              jectDN/Username line would appear in such a  mapfile,  then  the
              call-out  should exit with zero status indicating that a creden-
              tial with the given SubjectDN is allowed to be stored under  the
              given  Username.   Otherwise,  the  call-out  should  exit  with
              nonzero status indicating error.  An  example  is  installed  in
              $GLOBUS_LOCATION/share/myproxy/myproxy-accepted-credentials-
              mapapp.

              Be sure to follow secure coding practices for this call-out:
              - Don't allow input to overflow fixed-size buffers.
              - Don't pass unchecked input to a shell command.

       check_multiple_credentials boolean
              Typically when a credential is accessed by a client, the  server
              checks  only  one  credential for possible access authorization,
              even if there are multiple credentials stored  under  the  given
              username.   If  this option is set to "true" AND the client does
              not specify a credential name for a MyProxy GET operation (i.e.,
              from myproxy-logon(1)), then the server will check multiple cre-
              dentials with the given username.  If a credential is  found  to
              be authorized for client access, then that one will be used dur-
              ing processing.  The default value for this option is "false".

       The following parameters enable OCSP status checking of stored  creden-
       tials in the myproxy-server(8) repository, to avoid use of expired cre-
       dentials.

       ocsp_policy policy
              Controls the policy for checking certificate validity  via  OCSP
              before credentials may be delegated.  Currently, only the status
              of the end entity certificate is checked via OCSP (and  not  any
              proxy  certificates  or CA certificates).  OCSP will not be used
              unless ocsp_responder_url and/or ocsp_policy are set.  Supported
              policies are:
                "aia" - use OCSP responder in certificate AIA extension, if
                        present; otherwise use ocsp_responder_url, if set

       ocsp_responder_url URL
              Specifies  the  URL  of  an  OCSP  responder to use to check the
              validity of credentials stored in the myproxy-server  repository
              before  they  may  be delegated, so that revoked credentials can
              not be retrieved and used where their revocation status may  not
              be  checked.   Currently, only the status of the end entity cer-
              tificate is checked via OCSP (and not any proxy certificates  or
              CA certificates).  In any case, CRL checks are always performed.
              Both http and https urls are supported.  OCSP will not  be  used
              unless ocsp_responder_url and/or ocsp_policy are set.

       ocsp_responder_cert path
              Specifies  the path to the certificate of a trusted OCSP respon-
              der.  This is needed if the OCSP  responder  must  be  explicity
              trusted  in  cases  where standard path validation fails for the
              OCSP responder's certificate.

       The  following  parameters  control  Usage  Metrics  reporting  by  the
       myproxy-server(8).

       disable_usage_stats value
              By  default  Usage  Metrics  reporting  is  enabled.  Specifying
              "true", "enabled", "yes", "on" or "1"  for  value  will  disable
              Usage  Metrics  reporting. Setting the GLOBUS_USAGE_OPTOUT envi-
              ronment variable to "1" will also disable the reporting of usage
              metrics.  Disabling  reporting  of  usage metrics will cause the
              usage_stats_target setting to be ignored.

       usage_stats_target target_list
              This option can be used to specify the target collector hosts to
              which  usage  metrics  should  be reported. This setting will be
              ignored if disable_usage_stats is enabled.  Multiple targets can
              be  specified  in target_list separated by comma(s). Each target
              specification is of the  format  host:port[!tags]  tags  control
              what  data  elements  are reported. The following list specifies
              the tags for the corresponding data elements.
              V - Major Version number of MyProxy server
              v - Minor Version number of MyProxy server
              t - Task Code (0=Get, 1=Put,  2=Info,  3=Destroy,  4=ChangeCred-
              Passphrase,   5=StoreEndEntCred,  6=RetrEndEntCred,  7=GetTrust-
              Roots)
              r - Task Return Code.
              l - Requested Lifetime for Credential.
              L - Actual Lifetime for Credential.
              B - Informational Bit mask to be interpreted left  to  right  as
              follows:
                     PAM used
                     SASL used
                     Credential passphrase check used
                     Trusted Retriever (Certificate-based authentication)
                     Certificate Authorization method used (Trusted Renewer)
                     Pubcookie was used
                     Trustroots requested
                     Trustroots delivered
              I - Client IP address
              u - Username
              U - User DN

              In  addition  to  the  above selected information, the following
              data are reported to ALL the  specified/default  target  collec-
              tors.  There's no way to exclude these from being reported other
              than by disabling the reporting of usage metrics:

              Component code - 11 for MyProxy
              Component Data Format version - 0 currently
              IP Address of Reporting Server
              Timestamp
              Hostname

              If no tags are specified in a host spec, or the  special  string
              "default"  is  specified,  the  tags VvtrlLB are assumed. A site
              could choose to allow a different set of data to be reported  by
              specifying a different tag set. The last 3 tags I, u and U above
              are more meant for a local collector that a site might  like  to
              deploy since they could be construed as private information. The
              special string "all" denotes all tags.

              By default, Usage Metrics reporting is sent to "usage-stats.cil-
              ogon.org:4810".    This  can  be  made  explicit  by  specifying
              "default" (all by itself) for the target specification as in:

              usage_stats_target "default"

              If usage_stats_target is not specified, a  comma-separated  list
              of  targets  (without  any  tags  specified) if specified in the
              environment variable GLOBUS_USAGE_TARGETS will be used.


REGULAR EXPRESSIONS

       For matching distinguished names  (DNs)  in  access  control  policies,
       MyProxy  uses  POSIX  Extended  Regular Expressions (see re_format(7)),
       with custom processing of '*', '?', and '.' metacharacters to  simulate
       Unix  shell  style  wildcard processing (for backward compatibility and
       other historical reasons).  MyProxy's custom  regular  expressions  are
       converted to POSIX EREs according to the following rules:

         [ MyProxy regex ] => [ POSIX ERE ]
         ----------------------------------
                '*'        =>      '.*'
                '?'        =>      '.'
                '.'        =>      '\.'
                '\*'       =>      '*'
                '\?'       =>      '?'
                '\.'       =>      '.'

       Additionally, MyProxy wraps all regular expressions with '^' and '$' to
       require full DN matching.

       Be aware that parentheses are metacharacters  according  to  POSIX,  so
       escaping is required for literal matching. For example:

         "*/CN=Jim Basney \(admin\)"

       The  following  examples illustrate how MyProxy regular expressions are
       converted to POSIX EREs:

            [ MyProxy regex ]     =>    [ POSIX ERE ]
         ------------------------------------------------------------
         "*/CN=Jim Basney"        => "^.*/CN=Jim Basney$"
         "*/CN=Test User ?"       => "^.*/CN=Test User .$"
         "*/CN=James A. Basney"   => "^.*/CN=James A\. Basney$"
         "/O=Test/CN=[:alnum:]\*" => "^/O=Test/CN=[:alnum:]*$"

         "*/CN=Jim Basney|*/CN=James Basney" =>
             "^.*/CN=Jim Basney|.*/CN=James Basney$"



EXAMPLES

       The following policy enables all credential repository features.

       accepted_credentials       "*"
       authorized_retrievers      "*"
       default_retrievers         "*"
       authorized_renewers        "*"
       default_renewers           "none"
       authorized_key_retrievers  "*"
       default_key_retrievers     "none"
       trusted_retrievers         "*"
       default_trusted_retrievers "none"
       cert_dir                   /etc/grid-security/certificates

       The following enables CA functionality using an existing Globus  Simple
       CA configuration.

       authorized_retrievers "*"
       pam  "sufficient"
       sasl "sufficient"
       certificate_issuer_cert /home/globus/.globus/simpleCA/cacert.pem
       certificate_issuer_key /home/globus/.globus/simpleCA/private/cakey.pem
       certificate_issuer_key_passphrase "myproxy"
       certificate_serialfile /home/globus/.globus/simpleCA/serial
       certificate_mapfile /etc/grid-security/grid-mapfile
       cert_dir /etc/grid-security/certificates

       The  following  will  cause usage metrics to be reported to the default
       target (only the default tags) as well as a local collector  (including
       the tags IuU):

       usage_stats_target "usage-stats.cilogon.org:4810,localcollector.somedo-
       main:4810!VvtrlLBIuU"


FILES

       /etc/myproxy-server.config
              Default location for the server configuration file.

       $GLOBUS_LOCATION/etc/myproxy-server.config
              Alternate location for the server configuration file.  A differ-
              ent  location can be specified by using the myproxy-server(8) -c
              option.

       $GLOBUS_LOCATION/share/myproxy/myproxy-passphrase-policy
              A sample program for evaluating passphrase quality for use  with
              the passphrase_policy_program option.

       $GLOBUS_LOCATION/share/myproxy/myproxy-certificate-mapapp
              A sample certificate_mapapp program for mapping account names to
              certificate subject distinguished names.

       $GLOBUS_LOCATION/share/myproxy/myproxy-accepted-credentials-mapapp
              A sample  accepted_credentials_mapapp  program  for  authorizing
              puts/stores (e.g. with myproxy-init(1) and myproxy-store(1)).


ENVIRONMENT

       GLOBUS_LOCATION
              Specifies the root of the MyProxy installation, used to find the
              default location of the myproxy-server.config file.


AUTHORS

       See http://myproxy.ncsa.uiuc.edu/about for the list of MyProxy authors.


SEE ALSO

       myproxy-change-pass-phrase(1),  myproxy-destroy(1),  myproxy-get-trust-
       roots(1),  myproxy-info(1), myproxy-init(1), myproxy-logon(1), myproxy-
       retrieve(1), myproxy-store(1), myproxy-admin-adduser(8), myproxy-admin-
       change-pass(8),     myproxy-admin-load-credential(8),    myproxy-admin-
       query(8), myproxy-server(8)



MyProxy                           2011-09-05          myproxy-server.config(5)

Man(1) output converted with man2html