Chapter 13. MyProxy Admin Guide

1. Building and Installing

MyProxy is built and installed as part of a default GT 4.0 installation. For basic installation instructions, see the GT 4.0 System Administrator's Guide. No extra installation steps are required for this component.

1.1. Building and Installing only MyProxy

If you wish to install MyProxy without installing the rest of the Globus Toolkit, follow the instructions in the GT 4.0 System Administrator's Guide with the following changes:

  1. First, you do not need Ant, a JDK, or a JDBC database to build only MyProxy.

  2. Second, instead of running "make", run:

    globus$ make gsi-myproxy

    then:

    globus$ make install

This will install the MyProxy client and server programs. For client-only installations, simply do not configure or use the installed server.

2. Configuring

A typical MyProxy configuration has one dedicated myproxy-server for the site, with MyProxy clients installed on all systems where other Globus Toolkit client software is installed.

No additional configuration is required to use MyProxy clients after they are installed, although you may want to set the MYPROXY_SERVER environment variable to the hostname of your myproxy-server in the default user environment on your systems.

To configure the myproxy-server you must modify the myproxy-server.config template provided at $GLOBUS_LOCATION/share/myproxy/myproxy-server.config and copy it to /etc/myproxy-server.config (if you have root access) or $GLOBUS_LOCATION//etc/myproxy-server.config (if you don't have root access). If you skip this step, your myproxy-server will not start. To enable all myproxy-server features uncomment the provided sample policy at the top of the myproxy-server.config config file, as follows:

#
# Complete Sample Policy
#
# The following lines define a sample policy that enables all
# myproxy-server features.  See below for more examples.
accepted_credentials       "*"
authorized_retrievers      "*"
default_retrievers         "*"
authorized_renewers        "*"
default_renewers           "none"
authorized_key_retrievers  "*"
default_key_retrievers     "none"
trusted_retrievers         "*"
default_trusted_retrievers "none"

Please see below for additional documentation on the myproxy-server.config options.

The myproxy-server.config file sets the policy for the myproxy-server(8), specifying what credentials may be stored in the server's repository and who is authorized to retrieve credentials. By default, the myproxy-server(8) looks for this file in /etc/myproxy-server.config and if it is not found there, it looks in $GLOBUS_LOCATION/etc/myproxy-server.config. The myproxy-server -c option can be used to specify an alternative location. The file installed by default does not allow any requests.

The file also supports a passphrase_policy_program command for specifying an external program for evaluating the quality of users' passphrases. A sample program is installed in $GLOBUS_LOCATION/share/myproxy/myproxy-passphrase-policy but is not enabled by default.

Lines in the configuration file use limited regular expressions for matching the distinguished names (DNs) of classes of users. The limited regular expressions support the shell-style characters '*' and '?', where '*' matches any number of characters and '?' matches any single character.

The DN limited regexes should be delimited with double quotes ("DN regex").

The configuration file has the following types of lines:

Table 13.1. myproxy-server.config lines

accepted_credentials "DNregex" Each of these lines allows any clients whose DNs match the given limited regex to connect to the myproxy-server and store credentials with it for future retrieval. Any number of these lines may appear. For backwards compatibility, these lines can also start with allowed_clients instead of accepted_credentials.
authorized_retrievers "DN regex" Each of these lines allows the server administrator to set server-wide policies for authorized retrievers. If the client DN does not match the given limited regex, the client is not allowed to retrieve the credentials previously stored by a client. In addition to the server-wide policy, MyProxy also provides support for per-credential policy. The user can specify the regex DN of the allowed retrievers of the credential when uploading the credential (using myproxy-init(1)). The retrieval client DN must also match the user specified regex. In order to retrieve credentials the client also needs to know the name and pass phrase provided by the client when the credentials were stored. Any number of these lines may appear. For backwards compatibility, these lines can also start with allowed_services instead of authorized_retrievers.
default_retrievers "DN regex" Each of these lines allows the server administrator to set server-wide default policies. The regex specifies the clients who can access the credentials. The default retriever policy is enforced if a per-credential policy is not specified on upload (using myproxy-init(1)). In other words, the client can override this policy for a credential on upload. The per-credential policy is enforced in addition to the server-wide policy specified by the authorized_retrievers line (which clients can not override). Any number of these lines may be present. For backwards compatibility, if no default_retrievers line is specified, the default policy is "*", which allows any client to pass the per-credential policy check. (The client must still pass the authorized_retrievers check).
authorized_renewers "DN regex" Each of these lines allows the server administrator to set server-wide policies for authorized renewers. If the client DN does not match the given limited regex the client is not allowed to renew the credentials previously stored by a client. In addition to the server-wide policy, MyProxy also provides support for per-credential policy. The user can specify the regex DN of the allowed renewers of the credential on upload (using myproxy-init(1)). The renewal client DN must match both this regex and the user specified regex. In this case, the client must also already have a credential with a DN matching the DN of the credentials to be retrieved, to be used in a second authorization step (see the -a option for myproxy-logon(1)).
default_renewers "DN regex" Each of these lines allows the server administrator to set server-wide default renewer policies. The regex specifies the clients who can renew the credentials. The default renewer policy is enforced if a per-credential policy is not specified on upload (using myproxy-init(1)). This is enforced in addition to the server-wide policy specified by the authorized_renewers line. Any number of these lines may appear. For backwards compatibility, if no default_renewers line is specified, the default policy is "*", which allows any client to pass the per-credential policy check. (The client must still pass the authorized_renewers check).
passphrase_policy_program full-path-to-script This line specifies a program to run whenever a passphrase is set or changed for implementing a local password policy. The program is passed the new passphrase via stdin and is passed the following arguments: username, distinguished name, credential name (if any), per-credential retriever policy (if any), and per-credential renewal policy (if any). If the passphrase is acceptable, the program should exit with status 0. Otherwise, it should exit with non-zero status, causing the operation in progress (credential load, passphrase change) to fail with the error message provided by the program's stdout. Note: You must specify the full path to the external program. $GLOBUS_LOCATION can't be used in the myproxy-server.config file.
max_proxy_lifetime hours This line specifies a server-wide maximum lifetime for retrieved proxy credentials. By default, no server-wide maximum is enforced. However, if this option is specified, the server will limit the lifetime of any retrieved proxy credentials to the value given.

3. Deploying

A sample SysV-style boot script for MyProxy is installed at $GLOBUS_LOCATION/share/myproxy/etc.init.d.myproxy. To install on Linux, copy the file to /etc/rc.d/init.d/myproxy and run 'chkconfig --add myproxy'. You will need to edit the file to set the GLOBUS_LOCATION environment variable correctly.

Alternatively, to run the myproxy server out of inetd or xinetd, you need to do the following as root:

  • Add the entries in $GLOBUS_LOCATION/share/myproxy/etc.services.modifications to the /etc/services or /etc/inet/services file.
  • Add the entries in $GLOBUS_LOCATION/share/myproxy/etc.inetd.conf.modifications to /etc/inetd.conf or /etc/inet/inetd.conf, or copy $GLOBUS_LOCATION/share/myproxy/etc.xinetd.myproxy to /etc/xinetd.d/myproxy. You'll need to modify the paths in the file according to your installation.
  • Reactivate the inetd (or xinetd). This is typically accomplished by sending the SIGHUP signal to the daemon. Refer to the inetd or xinetd man page for your system.

4. Testing

To verify your myproxy-server installation and configuration, you can run the myproxy-server directly from your shell. If using a host certificate, you will need to run the myproxy-server as root. First, make sure your Globus environment is setup in your shell. Set the GLOBUS_LOCATION environment variable to the location of your MyProxy installation. Then, depending on your shell, run one of the following commands.

For csh shells:

source $GLOBUS_LOCATION/etc/globus-user-env.csh

For sh shells:

. $GLOBUS_LOCATION/etc/globus-user-env.sh

Then, run $GLOBUS_LOCATION/sbin/myproxy-server -d. The -d argument runs the myproxy-server in debug mode. It will write debugging messages to the terminal and exit after servicing a single request. You'll need to start it once for each test request. In another shell, you can run the MyProxy client programs to test the server.

If run without the -d argument, the myproxy-server program will start up and background itself. It accepts connections on TCP port 7512, forking off a separate child to handle each incoming connection. It logs information via the syslog service under the daemon facility.

5. Security Considerations

You should choose a well-protected host to run the myproxy-server on. Consult with security-aware personnel at your site. You want a host that is secured to the level of a Kerberos KDC, that has limited user access, runs limited services, and is well monitored and maintained in terms of security patches.

For a typical myproxy-server installation, the host on which the myproxy-server is running must have /etc/grid-security created and a host certificate installed. In this case, the myproxy-server will run as root so it can access the host certificate and key.

6. Troubleshooting

Please refer to the MyProxy user manual.