This page provides basic MyProxy server installation instructions. Please refer to the other sections of the Admin Guide for additional information about MyProxy server configuration and administration.
You should choose a well-protected host to run the myproxy-server on. Consult with security-aware personnel at your site. You want a host that is secured to the level of a Kerberos KDC, that has limited user access, runs limited services, and is well monitored and maintained in terms of security patches.
Install the MyProxy distribution on the host where you want to run the myproxy-server (instructions here). You may want to install MyProxy in its own $GLOBUS_LOCATION for the myproxy-server service to keep it separate from any other GPT software on the system.
The MyProxy server requires a secure filesystem on which to store credentials. By default, it tries to use /var/myproxy and if that fails, it uses $GLOBUS_LOCATION/var/myproxy. If $GLOBUS_LOCATION/var/myproxy is not on a secure filesystem, make sure /var/myproxy is accessible by the myproxy-server.
For a typical myproxy-server installation, the host on which the myproxy-server is running must have /etc/grid-security created and a host certificate installed. In this case, the myproxy-server will run as root so it can access the host certificate and key. (See this page for details on running the myproxy-server using a non-host certificate.) You should have been prompted during the Globus Toolkit installation to run the setup-gsi script, which will create the /etc/grid-security directory. To install a host certificate, either follow the instructions for your site's certificate authority or follow the instructions here to obtain a host certificate using Globus Toolkit software. Refer to this page for more information about the Grid Security Infrastructure.
In MyProxy version 4.0 and later, the myproxy-server can be
configured automatically by the
root# myproxy-server-setup
Wrote a default myproxy-server configuration to /etc/myproxy-server.config.
Installed /etc/init.d/myproxy.
Starting up MyProxy server... done.
Running myproxy-server tests... Success!
The following manual configuration steps are required
If your /etc/myproxy-server.config file is not already in place, modify the myproxy-server.config template provided at $GLOBUS_LOCATION/share/myproxy/myproxy-server.config and copy it to /etc/myproxy-server.config (if you have root access) or $GLOBUS_LOCATION/etc/myproxy-server.config (if you don't have root access). If you skip this step, your myproxy-server will not start. To enable all myproxy-server features, uncomment the provided sample policy at the top of the myproxy-server.config file, as follows:
# Complete Sample Policy
# The following lines define a sample policy that enables all
# myproxy-server features. See below for more examples.
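A pre-start check for the two things this guide has set up so far, the credential storage directory and myproxy-server.config, as an added example that is not part of the MyProxy distribution. It assumes that "secure" means a real directory owned by the uid the server runs as with no group or other access, and that the config file must not be a symlink or writable by group or other; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not part of the MyProxy distribution).
# Usage: sh myproxy-preflight.sh /var/myproxy /etc/myproxy-server.config
# Assumption: "secure" = real directory, owned by the uid the server runs
# as, with no group/other permission bits.

# Print "<ls mode string> <numeric owner uid>" for a path.
mode_and_uid() {
    ls -ldn "$1" | awk '{ print $1, $3 }'
}

# audit_storage_dir DIR [UID]   (UID defaults to the caller's uid)
audit_storage_dir() {
    dir=$1
    want_uid=${2:-$(id -u)}
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "FAIL: $dir is missing, a symlink, or not a directory"
        return 1
    fi
    set -- $(mode_and_uid "$dir")      # $1 = mode string, $2 = owner uid
    if [ "$2" != "$want_uid" ]; then
        echo "FAIL: $dir is owned by uid $2, expected $want_uid"
        return 1
    fi
    case $1 in
        d???------*) echo "OK: $dir ($1, uid $2)" ;;
        *) echo "FAIL: $dir mode $1 grants group/other access"; return 1 ;;
    esac
}

# audit_config_file FILE: the server will not start without this file, and
# anyone who can write to it can change the server's policy.
audit_config_file() {
    cfg=$1
    if [ -L "$cfg" ] || [ ! -f "$cfg" ]; then
        echo "FAIL: $cfg is missing, a symlink, or not a regular file"
        return 1
    fi
    set -- $(mode_and_uid "$cfg")      # $1 = mode string
    case $1 in
        -????w*|-???????w*) echo "FAIL: $cfg mode $1 is group/other writable"; return 1 ;;
        *) echo "OK: $cfg ($1)" ;;
    esac
}

# Runs only when both paths are given on the command line.
if [ "$#" -eq 2 ]; then
    audit_storage_dir "$1" && audit_config_file "$2"
fi
```

Run it as the account the myproxy-server will run as, so the default uid comparison matches the server's own view of the directory.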
If your myproxy-server is not already running, you can run it directly from your shell to verify your installation and configuration. If using a host certificate, you will need to run the myproxy-server as root. First, make sure your Globus environment is set up in your shell. Set the GLOBUS_LOCATION environment variable to the location of your MyProxy installation. Then, depending on your shell, run one of the following commands.
For csh shells:
For sh shells:
Then, run $GLOBUS_LOCATION/sbin/myproxy-server -d. The -d argument runs the myproxy-server in debug mode. It will write debugging messages to the terminal and exit after servicing a single request. You'll need to start it once for each test request. In another shell, you can run the MyProxy client programs to test the server. Refer to the User's Guide for examples.
If run without the -d argument, the myproxy-server program will start up and background itself. It accepts connections on TCP port 7512, forking off a separate child to handle each incoming connection. It logs information via the syslog service under the daemon facility.
A sample SysV-style boot script for MyProxy is installed at $GLOBUS_LOCATION/share/myproxy/etc.init.d.myproxy. To install on Linux, copy the file to /etc/rc.d/init.d/myproxy and run chkconfig --add myproxy. You will need to edit the file to set the GLOBUS_LOCATION environment variable correctly.
Alternatively, to run the myproxy server out of inetd or xinetd, you need to do the following as root:
In addition, an example cron script is provided in $GLOBUS_LOCATION/share/myproxy/myproxy.cron for removing expired/revoked credentials from the repository. You will need to edit the file to set the GLOBUS_LOCATION environment variable correctly before installing it in (for example) /etc/cron.hourly.