This tag contains the MyProxy server configuration information.
Name | Required | Default | Description |
host | N | localhost | The host on which the MyProxy service resides. |
port | N | 7512 | The port of the service. |
socketTimeout | N | 0 | The timeout for the connection, in ms. |
serverDN | N | (none) | A server DN (distinguished name) to be used when checking the name returned by a MyProxy server. Note: this may also be set globally for all MyProxy instances in the service tag; setting it in a MyProxy element overrides the global setting. If you are looking to set the DN of the certificate for the client, look at the entry for the trust store. |
Multiple MyProxy servers may be specified. These will be tried until one that is available is found. If none are available, then an exception will be thrown.
The OAuth for MyProxy server acts as a front-end to an existing MyProxy server. The OAuth server can run on the same system as the MyProxy server, or they can run on separate systems. To connect securely to the MyProxy server, the OAuth for MyProxy install must include a trusted CA certificates directory (in /etc/grid-security/certificates or $HOME/.globus/certificates). Since we're installing as a regular system user, we use the myproxy-get-trustroots command to create our $HOME/.globus/certificates directory.
Alternatively, you can manually set up a $HOME/.globus/certificates directory using a CA distribution from IGTF or XSEDE or another trusted source. You will have to do this anyway if your platform does not have a myproxy client available.
    $ myproxy-get-trustroots -s myproxy.ncsa.uiuc.edu
    Bootstrapping MyProxy server root of trust.
    New trusted MyProxy server: /C=US/O=National Center for Supercomputing Applications/OU=Services/CN=myproxy.ncsa.uiuc.edu
    New trusted CA (9b95bbf2.0): /C=US/O=National Center for Supercomputing Applications/OU=Certificate Authorities/CN=CACL
    Trust roots have been installed in /Users/jbasney/.globus/certificates/.
Omitting the tag means accepting the defaults, so all of these are equivalent:
    (no tag)
    <myproxy/>
    <myproxy host="localhost" port="7512"/>
    <config>
      <service name="my-server">
        <myproxy host="myproxy.teragrid.org" port="1234" socketTimeout="20000"/>
        <!-- more configuration -->
      </service>
    </config>
Use the host at myproxy.teragrid.org with the port 1234 (instead of the default) and a connection timeout of 20000 ms. If the MyProxy server does not respond within 20000 ms, the attempt will end.
    <config>
      <service name="my-server">
        <myproxy host="myproxy.bigstate.edu" port="9352"/>
        <myproxy host="myproxy.xsede.org"
                 serverDN="CN=myproxy.xsede.org,OU=IGTF Server,OU=UIUC - NCSA,O=University of Illinois,L=Urbana,ST=IL,C=US,DC=incommon,DC=org" />
        <myproxy host="myproxy.teragrid.org"/>
        <!-- more configuration -->
      </service>
    </config>
Use the MyProxy server at myproxy.bigstate.edu with the non-standard port. If that fails, there are two other backup MyProxy servers to try. An exception is raised only if all of these fail, and only the last failure is returned.
Note: Listing any MyProxy servers means that localhost will not be tried unless explicitly added.
Note: the server DN in this case will be applied to the myproxy.xsede.org server. In that case, there may be several servers that actually handle the request, and any of them may respond. The server name is checked using a reverse DNS lookup, so the common name (CN) in this DN must match that.
Name | Required | Default | Description |
name | Y | - | The name assigned to this level of assurance. |
port | Y | - | The port of the service. |
    <config>
      <service name="my-server">
        <myproxy host="myproxy.bigstate.edu" port="7512">
          <loa name="openid" port="7516"/>
          <loa name="http://incommonfederation.org/assurance/silver" port="7514"/>
          <keystore path="/var/www/config/hostcred.p12"
                    type="pkcs12"
                    password="my-weird-password"
                    factory="SunX509"
                    useJavaKeystore="true"/>
        </myproxy>
        <!-- lots more configuration -->
      </service>
    </config>
In this case, there is a basic MyProxy server residing at port 7512 on the machine myproxy.bigstate.edu. This same server also supports two additional levels of assurance. A custom keystore, which contains the client certificate MyProxy accepts, is also configured.
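The defaults, failover order and required loa attributes described above can be checked before deployment with a short script. This is an added example, not code from OAuth for MyProxy: the function names, the `fake_connect` stand-in and the sample configuration are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample; the second <loa> deliberately lacks its required port.
SAMPLE = """<config><service name="my-server">
  <myproxy host="myproxy.bigstate.edu" port="9352" socketTimeout="20000">
    <loa name="openid" port="7516"/>
    <loa name="silver"/>
  </myproxy>
  <myproxy host="myproxy.teragrid.org"/>
</service></config>"""

def resolve_servers(xml_text, service_name):
    """Return (servers, problems); servers are in the order they are tried."""
    service = next((s for s in ET.fromstring(xml_text).iter("service")
                    if s.get("name") == service_name), None)
    if service is None:
        raise ValueError("no such service: " + service_name)
    # No <myproxy> tag is equivalent to <myproxy host="localhost" port="7512"/>.
    # Once any server is listed, localhost is not added implicitly.
    elements = service.findall("myproxy") or [ET.Element("myproxy")]
    servers, problems = [], []
    for el in elements:
        host = el.get("host", "localhost")
        loas = {}
        for loa in el.findall("loa"):
            # Both name and port are required on <loa>.
            if loa.get("name") is None or loa.get("port") is None:
                problems.append(f"{host}: <loa> needs both name and port")
            else:
                loas[loa.get("name")] = int(loa.get("port"))
        servers.append({"host": host, "port": int(el.get("port", "7512")),
                        "timeout_ms": int(el.get("socketTimeout", "0")),
                        "serverDN": el.get("serverDN"), "loa_ports": loas})
    return servers, problems

def first_available(servers, connect):
    """Try each server in order; if all fail, raise only the last failure."""
    last_error = None
    for server in servers:
        try:
            return connect(server)
        except OSError as err:
            last_error = err
    raise last_error

def fake_connect(server):
    # Hypothetical stand-in for a real connection: only teragrid is "up".
    if server["host"] != "myproxy.teragrid.org":
        raise OSError(f"{server['host']}:{server['port']} unreachable")
    return server["host"]
```

Because only the last failure surfaces, errors from earlier servers in the list are not reported when every server is down.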