National Center for Supercomputing Applications MyProxy Credential Management Service University of Illinois at Urbana-Champaign

This page provides basic MyProxy server installation instructions. Please refer to the other sections of the Admin Guide for additional information about MyProxy server configuration and administration.

Preparing for the MyProxy Server Installation

You should choose a well-protected host to run the myproxy-server on. Consult with security-aware personnel at your site. You want a host that is secured to the level of a Kerberos KDC, that has limited user access, runs limited services, and is well monitored and maintained in terms of security patches.

Installing the MyProxy Software

Install the MyProxy distribution on the host where you want to run the myproxy-server (instructions here). You may want to install MyProxy in its own $GLOBUS_LOCATION for the myproxy-server service to keep it separate from any other GPT software on the system.

The MyProxy server requires a secure filesystem on which to store credentials. By default, it tries to use /var/myproxy and if that fails, it uses $GLOBUS_LOCATION/var/myproxy. If $GLOBUS_LOCATION/var/myproxy is not on a secure filesystem, make sure /var/myproxy is accessible by the myproxy-server.
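
One way to check the storage directory before starting the server, as an added example that is not part of the MyProxy distribution. It assumes "secure" means at least that the directory and its contents belong to the server account and carry no group or other permission bits; check_cred_dir and the alice.creds file name are illustrative.

```shell
#!/bin/sh
# Added example, not part of the MyProxy distribution.
# Checks that a credential directory and its contents are owned by the
# server account and carry no group/other permission bits.

check_cred_dir() {   # $1 = directory, $2 = expected numeric UID; status 0 = OK
    dir=$1 uid=$2
    [ -d "$dir" ] && [ ! -L "$dir" ] || { echo "$dir: not a real directory"; return 1; }

    # Ownership of the directory and of every entry below it.
    foreign=$(find "$dir" ! -user "$uid" -print)
    [ -z "$foreign" ] || { echo "not owned by UID $uid:"; echo "$foreign"; return 1; }

    # Any group/other permission bit on the directory or its contents is a finding.
    loose=$(find "$dir" ! -type l \( -perm -040 -o -perm -020 -o -perm -010 \
                                   -o -perm -004 -o -perm -002 -o -perm -001 \) -print)
    [ -z "$loose" ] || { echo "group/other access on:"; echo "$loose"; return 1; }
    return 0
}

# Constructed demo: a scratch store holding one group-readable credential file.
demo=$(mktemp -d)
: > "$demo/alice.creds" && chmod 640 "$demo/alice.creds"
check_cred_dir "$demo" "$(id -u)" || echo "=> tighten with: chmod -R go-rwx $demo"
rm -rf "$demo"
```

For a host-certificate installation, where the server runs as root, the call would be check_cred_dir /var/myproxy 0.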

Installing a Host Certificate

For a typical myproxy-server installation, the host on which the myproxy-server is running must have /etc/grid-security created and a host certificate installed. In this case, the myproxy-server will run as root so it can access the host certificate and key. (See this page for details on running the myproxy-server using a non-host certificate.) You should have been prompted during the Globus Toolkit installation to run the setup-gsi script, which will create the /etc/grid-security directory. To install a host certificate, either follow the instructions for your site's certificate authority or follow the instructions here to obtain a host certificate using Globus Toolkit software. Refer to this page for more information about the Grid Security Infrastructure.

Automatically Configuring the MyProxy Server

In MyProxy version 4.0 and later, the myproxy-server can be configured automatically by the myproxy-server-setup command as demonstrated by the following example.

root# myproxy-server-setup 
Wrote a default myproxy-server configuration to /etc/myproxy-server.config.
Installed /etc/init.d/myproxy.
Starting up MyProxy server... done.
Running myproxy-server tests...
Success!

The following manual configuration steps are required only if myproxy-server-setup is not used or a custom configuration is needed. If myproxy-server-setup completes successfully, it is not necessary to manually start your myproxy-server, because myproxy-server-setup starts it for you.

Configuring the MyProxy Server Installation

If your /etc/myproxy-server.config file is not already in place, modify the myproxy-server.config template provided at $GLOBUS_LOCATION/share/myproxy/myproxy-server.config and copy it to /etc/myproxy-server.config (if you have root access) or $GLOBUS_LOCATION/etc/myproxy-server.config (if you don't have root access). If you skip this step, your myproxy-server will not start. To enable all myproxy-server features, uncomment the provided sample policy at the top of the myproxy-server.config file, as follows:

#
# Complete Sample Policy
#
# The following lines define a sample policy that enables all
# myproxy-server features. See below for more examples.
accepted_credentials "*"
authorized_retrievers "*"
default_retrievers "*"
authorized_renewers "*"
default_renewers "none"
authorized_key_retrievers "*"
default_key_retrievers "none"
trusted_retrievers "*"
default_trusted_retrievers "none"
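
Every "*" in this sample policy matches any client DN, so it is worth knowing which directives are left open after you edit the file. The added script below (not part of the MyProxy distribution) lists them; the function names and the "/C=US/O=Example Org/*" pattern are placeholders.

```shell
#!/bin/sh
# Added example, not part of the MyProxy distribution.
# Lists policy directives in a myproxy-server.config whose DN pattern is "*".

audit_myproxy_policy() {   # $1 = config file; exit status 1 if a wildcard is found
    awk '
        /^[ \t]*#/ || NF == 0 { next }            # skip comments and blank lines
        $1 ~ /^(accepted_credentials|(authorized|default)_(retrievers|renewers|key_retrievers)|(default_)?trusted_retrievers)$/ {
            val = $0
            sub(/^[ \t]*[^ \t]+[ \t]+/, "", val)  # drop the directive name
            sub(/[ \t]+$/, "", val)               # drop trailing blanks
            gsub(/^"|"$/, "", val)                # drop the surrounding quotes
            if (val == "*") { printf "line %d: %s matches any client DN\n", NR, $1; bad = 1 }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed inputs: open.config repeats the sample policy above; scoped.config
# swaps each "*" for "/C=US/O=Example Org/*", a placeholder DN pattern.
write_samples() {   # $1 = existing directory to write both files into
    cat > "$1/open.config" <<'EOF'
# Complete Sample Policy
accepted_credentials "*"
authorized_retrievers "*"
default_retrievers "*"
authorized_renewers "*"
default_renewers "none"
authorized_key_retrievers "*"
default_key_retrievers "none"
trusted_retrievers "*"
default_trusted_retrievers "none"
EOF
    sed 's|"\*"|"/C=US/O=Example Org/*"|' "$1/open.config" > "$1/scoped.config"
}

tmp=$(mktemp -d) && write_samples "$tmp"
audit_myproxy_policy "$tmp/open.config" || echo "open.config: wildcard policy in effect"
audit_myproxy_policy "$tmp/scoped.config" && echo "scoped.config: no wildcard directives"
rm -rf "$tmp"
```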

Usage statistics collection

By default, the myproxy-server will send generic usage statistics (without user-identifying information) to the MyProxy Project. Please see the MyProxy Privacy Policy for more details, including instructions for opting out of usage statistics collection and for configuring your own usage statistics collector.

Manually Verifying the MyProxy Server installation

If your myproxy-server is not already running, you can run it directly from your shell to verify your installation and configuration. If using a host certificate, you will need to run the myproxy-server as root. First, make sure your Globus environment is set up in your shell. Set the GLOBUS_LOCATION environment variable to the location of your MyProxy installation. Then, depending on your shell, run one of the following commands.

For csh shells:

source $GLOBUS_LOCATION/etc/globus-user-env.csh

For sh shells:

. $GLOBUS_LOCATION/etc/globus-user-env.sh

Then, run $GLOBUS_LOCATION/sbin/myproxy-server -d. The -d argument runs the myproxy-server in debug mode. It will write debugging messages to the terminal and exit after servicing a single request. You'll need to start it once for each test request. In another shell, you can run the MyProxy client programs to test the server. Refer to the User's Guide for examples.

If run without the -d argument, the myproxy-server program will start up and background itself. It accepts connections on TCP port 7512, forking off a separate child to handle each incoming connection. It logs information via the syslog service under the daemon facility.

Running the MyProxy Server as a System Service

A sample SysV-style boot script for MyProxy is installed at $GLOBUS_LOCATION/share/myproxy/etc.init.d.myproxy. To install on Linux, copy the file to /etc/rc.d/init.d/myproxy and run chkconfig --add myproxy. You will need to edit the file to set the GLOBUS_LOCATION environment variable correctly.

Alternatively, to run the myproxy server out of inetd or xinetd, you need to do the following as root:

  • Add the entries in $GLOBUS_LOCATION/share/myproxy/etc.services.modifications to the /etc/services or /etc/inet/services file.
  • Add the entries in $GLOBUS_LOCATION/share/myproxy/etc.inetd.conf.modifications to /etc/inetd.conf or /etc/inet/inetd.conf, or copy $GLOBUS_LOCATION/share/myproxy/etc.xinetd.myproxy to /etc/xinetd.d/myproxy. You'll need to modify the paths in the file according to your installation.
  • Reactivate the inetd (or xinetd). This is typically accomplished by sending the SIGHUP signal to the daemon. Refer to the inetd or xinetd man page for your system.

In addition, an example cron script is provided in $GLOBUS_LOCATION/share/myproxy/myproxy.cron for removing expired/revoked credentials from the repository. You will need to edit the file to set the GLOBUS_LOCATION environment variable correctly before installing it in (for example) /etc/cron.hourly.

Last modified 12/08/09.
©2000-2014 Board of Trustees of the University of Illinois.