Home -> Toolkit -> Docs -> Development -> 3.9.5 -> Security -> Myproxy

GT 3.9.5 Component Guide to Public Interfaces: MyProxy

• Semantics and syntax of APIs
• Semantics and syntax of WSDL
• Command-line tools
• GUIs
• Description of domain-specific interface data
• Configuration settings
• Environment variables

Semantics and syntax of APIs

A Java API is available.

Semantics and syntax of the WSDL

MyProxy does not have a WSDL interface.

Command-line tools

• myproxy-init
• myproxy-info
• myproxy-get-delegation
• myproxy-destroy
• myproxy-change-pass-phrase
• myproxy-admin-adduser
• myproxy-admin-change-pass
• myproxy-admin-query
• myproxy-admin-load-credential
• myproxy-server

myproxy-init

Tool description

The myproxy-init command uploads a credential to a myproxy-server for later retrieval. In the default mode, the command first prompts for the user's Grid pass phrase (if needed), which is used to create a proxy credential. The command then prompts for a MyProxy pass phrase, which will be required to later retrieve the credential. The MyProxy pass phrase must be entered a second time for confirmation. A credential with a lifetime of one week (by default) is then delegated to the myproxy-server and stored with the given MyProxy pass phrase. Proxy credentials with default lifetime of 12 hours can then be retrieved by myproxy-get-delegation using the MyProxy passphrase. The default behavior can be overridden by options specified below.

The myproxy-init command can also upload a credential to a myproxy-server to support credential renewal. Renewal allows a trusted service (for example, a batch job scheduler) to obtain a new credential for a user before the existing credential it has for that user expires. The -R argument to myproxy-init configures the credential for renewal by the specified service. Renewal requires two authentications. The renewing service must authenticate with its own credentials, matching the distinquished name specified by the -R argument, and must also authenticate with an existing credential that matches the distinguished name of the stored credential, to retrieve a new credential.

A credential may be used either for retrieval or renewal but not both. If both are desired, upload a different credential for each use, with a different name using the -k option.

The hostname where the myproxy-server is running must be specified by either defining the MYPROXY_SERVER environment variable or the -s option.

Command syntax

myproxy-init [ options ]

Command options

-h, --help

Displays command usage text and exits.

-u, --usage

Displays command usage text and exits.

-v, --verbose

Enables verbose debugging output to the terminal.

-V, --version

Displays version information and exits.

-s hostname, --pshost hostname

Specifies the hostname of the myproxy-server. This option is required if the MYPROXY_SERVER environment variable is not defined. If specified, this option overrides the MYPROXY_SERVER environment variable.

-p port, --psport port

Specifies the TCP port number of the myproxy-server. Default: 7512

-l, --username

Specifies the MyProxy account under which the credential should be stored. By default, the command uses the value of the LOGNAME environment variable. Use this option to specify a different account username on the MyProxy server. The MyProxy username need not correspond to a real Unix username.

-c hours, --cred_lifetime hours

Specifies the lifetime of the credential stored on the myproxy-server in hours. Specify 0 for the maximum possible life- time, i.e., the lifetime of the original credential. Default: 1 week (168 hours)

-t hours, --proxy_lifetime hours

Specifies the maximum lifetime of credentials retrieved from the myproxy-server using the stored credential. Default: 12 hours

-d, --dn_as_username

Use the certificate subject (DN) as the default username, instead of the LOGNAME environment variable.

-a, --allow_anonymous_retrievers

Allow credentials to be retrieved with just pass phrase authen- tication. By default, only entities with credentials that match the myproxy-server.config default retriever policy may retrieve credentials. This option allows entities without existing credentials to retrieve a credential using pass phrase authentication by including "anonymous" in the set of allowed retrievers. The myproxy-server.config server-wide policy must also allow "anonymous" clients for this option to have an effect.

-A, --allow_anonymous_renewers

Allow credentials to be renewed by any client. Any client with a valid credential with a subject name that matches the stored credential may retrieve a new credential from the MyProxy repos- itory if this option is given. Since this effectively defeats the purpose of proxy credential lifetimes, it is not recom- mended. It is included only for sake of completeness.

-r dn, --retrievable_by dn

Allow the specified entity to retrieve credentials. By default, the argument will be matched against the common name (CN) of the client (for example: "Jim Basney"). Specify -x before this option to match against the full distinguished name (DN) (for example: "/C=US/O=National Computational Science Alliance/CN=Jim Basney") instead.

-R dn, --renewable_by dn

Allow the specified entity to renew credentials. By default, the argument will be matched against the common name (CN) of the client (for example: "condorg/modi4.ncsa.uiuc.edu"). Specify -x before this option to match against the full distinguished name (DN) (for example: "/C=US/O=National Computational Science Alliance/CN=condorg/modi4.ncsa.uiuc.edu") instead. This option implies -n since passphrase authentication is not used for cre- dential renewal.

-x, --regex_dn_match

Specifies that the DN used by options -r and -R will be matched as a regular expression.

-X, --match_cn_only

Specifies that the DN used by options -r and -R will be matched against the Common Name (CN) of the subject.

-k name, --credname name

Specifies the credential name.

-K description

--creddesc description

Specifies credential description.

-S, --stdin_pass

By default, the command prompts for a passphrase and reads the passphrase from the active tty. When running the command non- interactively, there may be no associated tty. Specifying this option tells the command to read passphrases from standard input without prompts or confirmation.

myproxy-info

Tool description

The myproxy-info command displays information about a user's creden- tials stored on a myproxy-server. The user must have a valid proxy credential as generated by grid-proxy-init or retrieved by myproxy-get-delegation when running this command.

Command syntax

myproxy-info [ options ]

Command options

-h, --help

Displays command usage text and exits.

-u, --usage

Displays command usage text and exits.

-v, --verbose

Enables verbose debugging output to the terminal.

-V, --version

Displays version information and exits.

-s hostname, --pshost hostname

Specifies the hostname of the myproxy-server. This option is required if the MYPROXY_SERVER environment variable is not defined. If specified, this option overrides the MYPROXY_SERVER environment variable.

-p port, --psport port

Specifies the TCP port number of the myproxy-server. Default: 7512

-l name, --username name

Specifies the MyProxy account to query. By default, the command uses the value of the LOGNAME environment variable. Use this option to specify a different account username on the MyProxy server. The MyProxy username need not correspond to a real Unix username.

-d, --dn_as_username

Use the certificate subject (DN) as the default username, instead of the LOGNAME environment variable.

myproxy-get-delegation

Tool description

The myproxy-get-delegation command retrieves a credential from the myproxy-server that was previously stored using myproxy-init. In the default mode, the command prompts for the MyProxy pass phrase asso- ciated with the credential to be retrieved and stores the retrieved credential in the standard location ( /tmp/x509up_u<uid> ).

Command syntax

myproxy-get-delegation [ options ]

Command options

-h, --help

Displays command usage text and exits.

-u, --usage

Displays command usage text and exits.

-v, --verbose

Enables verbose debugging output to the terminal.

-V, --version

Displays version information and exits.

-s hostname, --pshost hostname

Specifies the hostname of the myproxy-server. This option is required if the MYPROXY_SERVER environment variable is not defined. If specified, this option overrides the MYPROXY_SERVER environment variable.

-p port, --psport port

Specifies the TCP port number of the myproxy-server. Default: 7512

-l, --username

Specifies the MyProxy account under which the credential to retrieve is stored. By default, the command uses the value of the LOGNAME environment variable. Use this option to specify a different account username on the MyProxy server. The MyProxy username need not correspond to a real Unix username.

-d, --dn_as_username

Use the certificate subject (DN) as the default username, instead of the LOGNAME environment variable. When used with the -a option, the certificate subject of the authorization creden- tial is used. Otherwise, the certificate subject of the default credential is used.

-t hours, --proxy_lifetime hours

Specifies the lifetime of credentials retrieved from the myproxy-server using the stored credential. The resulting lifetime is the shorter of the requested lifetime and the life- time specified when the credential was stored using myproxy-init. Default: 12 hours

-o file, --out file

Specifies where the retrieved proxy credential should be stored. If this option is not specified, the proxy credential will be stored in the default location (/tmp/x509up_u<uid>).

-a file, --authorization file

Specifies a credential to be used for authorizing the request instead of a passphrase. When renewing a credential, use this option to specify the existing, valid credential that you want to renew. Renewing a credential generally requires two certifi- cate-based authentications. The client authenticates with its identity, using the credential in the standard location or spec- ified by X509_USER_PROXY or X509_USER_CERT and X509_USER_KEY in addition to authenticating with the existing credential, in the location specified by this option, that it wants to renew.

-k name, --credname name

Specifies the name of the credential that is to be retrieved or renewed.

-S, --stdin_pass

By default, the command prompts for a passphrase and reads the passphrase from the active tty. When running the command non- interactively, there may be no associated tty. Specifying this option tells the command to read passphrases from standard input without prompts or confirmation.

myproxy-destroy

Tool description

The myproxy-destroy command removes a credential from the myproxy-server that was previously stored using myproxy-init. The user must have a valid proxy credential as generated by grid-proxy-init or retrieved by myproxy-get-delegation when running this command.

Command syntax

myproxy-destroy [ options ] 

Command options

-h, --help

Displays command usage text and exits.

-u, --usage

Displays command usage text and exits.

-v, --verbose

Enables verbose debugging output to the terminal.

-V, --version

Displays version information and exits.

-s hostname, --pshost hostname

Specifies the hostname of the myproxy-server. This option is required if the MYPROXY_SERVER environment variable is not defined. If specified, this option overrides the MYPROXY_SERVER environment variable.

-p port, --psport port

Specifies the TCP port number of the myproxy-server. Default: 7512

-l, --username

Specifies the MyProxy account under which the credential to destroy is stored. By default, the command uses the value of the LOGNAME environment variable. Use this option to specify a different account username on the MyProxy server. The MyProxy username need not correspond to a real Unix username.

-d, --dn_as_username

Use the certificate subject (DN) as the default username, instead of the LOGNAME environment variable.

-k name, --credname name

Specifies name of the credential to be destroyed.

myproxy-change-pass-phrase

Tool description

The myproxy-change-pass-phrase command changes the passphrase under which a credential is protected in the MyProxy repository. The command first prompts for the current passphrase for the credential, then prompts twice for the new passphrase. Only the credential owner can change a credential's passphrase. The user must have a valid proxy credential as generated by grid-proxy-init or retrieved by myproxy-get-delegation when running this command.

Command syntax

myproxy-change-pass-phrase [ options ] 

Command options

-h, --help

Displays command usage text and exits.

-u, --usage

Displays command usage text and exits.

-v, --verbose

Enables verbose debugging output to the terminal.

-V, --version

Displays version information and exits.

-s hostname, --pshost hostname

Specifies the hostname of the myproxy-server. This option is required if the MYPROXY_SERVER environment variable is not defined. If specified, this option overrides the MYPROXY_SERVER environment variable.

-p port, --psport port

Specifies the TCP port number of the myproxy-server. Default: 7512

-l, --username

Specifies the MyProxy account under which the credential should be stored. By default, the command uses the value of the LOG-NAME environment variable. Use this option to specify a differ- ent account username on the MyProxy server. The MyProxy user- name need not correspond to a real Unix username.

-d, --dn_as_username

Use the certificate subject (DN) as the default username, instead of the LOGNAME environment variable.

-k name, --credname name

Specifies the credential name.

-S, --stdin_pass

By default, the command prompts for a passphrase and reads the passphrase from the active tty. When running the command non- interactively, there may be no associated tty. Specifying this option tells the command to read passphrases from standard input without prompts or confirmation.

myproxy-admin-adduser

Tool description

The myproxy-admin-adduser command creates a new credential for a user and loads it into the MyProxy repository. It is a perl script that runs grid-cert-request (a standard Globus Toolkit program) and grid-ca- sign (from the Globus Simple CA package) to create the credential and then runs myproxy-admin-load-credential to load the credential into the MyProxy repository. The command prompts for the common name to be included in the new cer- tificate (if the -c argument is not specified), the Globus Simple CA key password for signing the certificate, the MyProxy username (if the -l or -d arguments are not specified), and the MyProxy passphrase for the credential. Most of the command-line options for this command are passed directly to the myproxy-admin-load-credential command. The Globus Simple CA must be configured before using this command.

Command syntax

myproxy-admin-adduser [ options ] 

Command options

-h

Displays command usage text and exits.

-u

Displays command usage text and exits.

-c cn

Specifies the Common Name for the new credential (for example: "Jim Basney").

-s dir

Specifies the location of the credential storage directory. The directory must be accessible only by the user running the myproxy-server process for security reasons. Default: /var/myproxy or $GLOBUS_LOCATION/var/myproxy

-l username

Specifies the MyProxy account under which the credential should be stored.

-t hours

Specifies the maximum lifetime of credentials retrieved from the myproxy-server using the stored credential. Default: 12 hours

-n

Disables passphrase authentication for the stored credential. If specified, the command will not prompt for a passphrase, the credential will not be encrypted by a passphrase in the reposi- tory, and the credential will not be retrievable using passphrase authentication with myproxy-get-delegation. This option is used for storing renewable credentials and is implied by -R.

-d

Use the certificate subject (DN) as the username.

-a

Allow credentials to be retrieved with just pass phrase authen- tication. By default, only entities with credentials that match the myproxy-server.config default retriever policy may retrieve credentials. This option allows entities without existing credentials to retrieve a credential using pass phrase authentication by including "anonymous" in the set of allowed retrievers. The myproxy-server.config server-wide policy must also allow "anonymous" clients for this option to have an effect.

-A

Allow credentials to be renewed by any client. Any client with a valid credential with a subject name that matches the stored credential may retrieve a new credential from the MyProxy repos- itory if this option is given. Since this effectively defeats the purpose of proxy credential lifetimes, it is not recom- mended. It is included only for sake of completeness.

-r dn

Allow the specified entity to retrieve credentials. By default, the argument will be matched against the common name (CN) of the client (for example: "Jim Basney"). Specify -x before this option to match against the full distinguished name (DN) (for example: "/C=US/O=National Computational Science Alliance/CN=Jim Basney") instead.

-R dn

Allow the specified entity to renew credentials. By default, the argument will be matched against the common name (CN) of the client (for example: "condorg/modi4.ncsa.uiuc.edu"). Specify -x before this option to match against the full distinguished name (DN) (for example: "/C=US/O=National Computational Science Alliance/CN=condorg/modi4.ncsa.uiuc.edu") instead. This option implies -n since passphrase authentication is not used for cre- dential renewal.

-x

Specifies that the DN used by options -r and -R will be matched as a regular expression.

-X

Specifies that the DN used by options -r and -R will be matched against the Common Name (CN) of the subject.

-k name

Specifies the credential name.

-K description

Specifies credential description.

myproxy-admin-change-pass

Tool description

The myproxy-admin-change-pass command changes the passphrase used to encrypt a credential in the MyProxy repository. The command first prompts for the current passphrase for the credential, then prompts twice for the new passphrase. If an empty passphrase is given, the credential will not be encrypted. It accesses the repository directly and must be run on the machine where the myproxy-server is installed from the account that owns the repository.

Command syntax

myproxy-admin-change-pass [ options ] 

Command options

-h

Displays command usage text and exits.

-u

Displays command usage text and exits.

-s dir

Specifies the location of the credential storage directory. The directory must be accessible only by the user running the myproxy-server process for security reasons. Default: /var/myproxy or $GLOBUS_LOCATION/var/myproxy

-l username

Specifies the MyProxy account under which the credential should be stored.

-k name

Specifies the credential name.

-S, --stdin_pass

By default, the command prompts for a passphrase and reads the passphrase from the active tty. When running the command non- interactively, there may be no associated tty. Specifying this option tells the command to read passphrases from standard input without prompts or confirmation.

myproxy-admin-query

Tool description

The myproxy-admin-query command displays information about the creden- tials stored in the MyProxy repository. It can also be used to remove credentials from the repository. It accesses the repository directly and must be run on the machine where the myproxy-server is installed from the account that owns the repository.

Command syntax

myproxy-admin-query [ options ] 

Command options

-h, --help

Displays command usage text and exits.

-u, --usage

Displays command usage text and exits.

-v, --verbose

Enables verbose debugging output to the terminal.

-V, --version

Displays version information and exits.

-l name, --username name

Return information on credentials for a single username. By default, the command returns information on all credentials for all usernames.

-k name, --credname name

Return information on the credentials with the specified name.

-e hours, --expiring_in hours

Return information on credentials with remaining lifetime less than the specified number of hours. For example, -e 0 will return all expired credentials.

-t hours, --time_left hours

Return information on credentials with remaining lifetime greater than the specified number of hours.

-s dir, --storage dir

Specifies the location of the credential storage directory. The directory must be accessible only by the user running the myproxy-server process for security reasons. Default: /var/myproxy or $GLOBUS_LOCATION/var/myproxy

-r, --remove

Remove the credentials matching the query from the repository. For example, myproxy-admin-query -e 0 -r will remove all expired credentials from the repository.

-L msg, --lock msg

Places the credentials matching the query under an administrative lock and specifies a message to be returned on access attempts.

-U, --unlock

Removes any administrative locks for the credentials matching the query.

myproxy-admin-load-credential

Tool description

The myproxy-admin-load-credential command stores a credential directly in the local MyProxy repository. It must be run from the account that owns the repository. Many of the options are similar to myproxy-init. However, unlike myproxy-init, myproxy-admin-load-credential does not create a proxy from the source credential but instead directly loads a copy of the source credential into the repository. The pass phrase of the source credential is unchanged. Use myproxy-admin-change-pass to change the pass phrase after the credential is stored if desired. Proxy credentials with default lifetime of 12 hours can then be retrieved by myproxy-get-delegation using the MyProxy passphrase. The command's behavior is controlled by the following options.

Command syntax

myproxy-admin-load-credential [ options ] 

Command options

-h, --help

Displays command usage text and exits.

-u, --usage

Displays command usage text and exits.

-v, --verbose

Enables verbose debugging output to the terminal.

-V, --version

Displays version information and exits.

-s dir, --storage dir

Specifies the location of the credential storage directory. The directory must be accessible only by the user running the myproxy-server process for security reasons. Default: /var/myproxy or $GLOBUS_LOCATION/var/myproxy

-c filename, --certfile filename

Specifies the filename of the source certificate. This is a required parameter.

-y filename, --keyfile filename

Specifies the filename of the source private key. This is a required parameter.

-l username, --username username

Specifies the MyProxy account under which the credential should be stored. By default, the command uses the value of the LOGNAME environment variable. Use this option to specify a differ- ent account username on the MyProxy server. The MyProxy user- name need not correspond to a real Unix username.

-t hours, --proxy_lifetime hours

Specifies the maximum lifetime of credentials retrieved from the myproxy-server using the stored credential. Default: 12 hours

-d, --dn_as_username

Use the certificate subject (DN) as the username.

-a, --allow_anonymous_retrievers

Allow credentials to be retrieved with just pass phrase authentication. By default, only entities with credentials that match the myproxy-server.config default retriever policy may retrieve credentials. This option allows entities without existing credentials to retrieve a credential using pass phrase authentication by including "anonymous" in the set of allowed retrievers. The myproxy-server.config server-wide policy must also allow "anonymous" clients for this option to have an effect.

-A, --allow_anonymous_renewers

Allow credentials to be renewed by any client. Any client with a valid credential with a subject name that matches the stored credential may retrieve a new credential from the MyProxy repos- itory if this option is given. Since this effectively defeats the purpose of proxy credential lifetimes, it is not recom- mended. It is included only for sake of completeness.

-r dn, --retrievable_by dn

Allow the specified entity to retrieve credentials. By default, the argument will be matched against the common name (CN) of the client (for example: "Jim Basney"). Specify -x before this option to match against the full distinguished name (DN) (for example: "/C=US/O=National Computational Science Alliance/CN=Jim Basney") instead.

-R dn, --renewable_by dn

Allow the specified entity to renew credentials. By default, the argument will be matched against the common name (CN) of the client (for example: "condorg/modi4.ncsa.uiuc.edu"). Specify -x before this option to match against the full distinguished name (DN) (for example: "/C=US/O=National Computational Science Alliance/CN=condorg/modi4.ncsa.uiuc.edu") instead.

-x, --regex_dn_match

Specifies that the DN used by options -r and -R will be matched as a regular expression.

-X, --match_cn_only

Specifies that the DN used by options -r and -R will be matched against the Common Name (CN) of the subject.

-k name, --credname name

Specifies the credential name.

-K description, --creddesc description

Specifies credential description.

myproxy-server

Tool description

The myproxy-server is a server that runs on a trusted, secure host and manages a database of security credentials for use from remote sites. The myproxy-init program stores credentials with associated policies that specify credential lifetimes and who is authorized to retrieve credentials. The myproxy-server.config file sets server-wide policies that are used in conjunction with the policies set by myproxy-init to control who is authorized to store and retrieve credentials.

Command syntax

myproxy-server [ options ]

Command options

-h, --help

Displays command usage text and exits.

-u, --usage

Displays command usage text and exits.

-v, --verbose

Enables verbose debugging output to the terminal.

-V, --version

Displays version information and exits.

-d, --debug

Run the server in debug mode. In this mode, the server will run in the foreground, will accept one connection, write log mes- sages to the terminal while processing the incoming request, and exit after completing one request.

-p port, --port port

Specifies the TCP port number that the myproxy-server should listen on. Default: 7512

-c file, --config file

Specifies the location of the myproxy-server configuration file. Default: /etc/myproxy-server.config or $GLOBUS_LOCA- TION/etc/myproxy-server.config

-s dir, --storage dir

Specifies the location of the credential storage directory. The directory must be accessible only by the user running the myproxy-server process for security reasons. Default: /var/myproxy or $GLOBUS_LOCATION/var/myproxy

Graphical User Interface

MyProxy does not have a GUI.

Semantics and syntax of domain-specific interface

MyProxy does not provide any domain-specific interfaces.

Configuration interface

No additional configuration is required to use MyProxy clients after they are installed, although you may want to set the MYPROXY_SERVER environment variable to the hostname of your myproxy-server in the default user environment on your systems.

To configure the myproxy-server, you must modify $GLOBUS_LOCATION/etc/myproxy-server.config. If you skip this step, your myproxy-server will not accept any requests. The default configuration does not enable any myproxy-server features to provide the greatest security until you have configured your server. To enable all myproxy-server features, uncomment the provided sample policy at the top of the myproxy-server.config config file, as follows:

#
# Complete Sample Policy
#
# The following lines define a sample policy that enables all
# myproxy-server features. See below for more examples.
accepted_credentials "*"
authorized_retrievers "*"
default_retrievers "*"
authorized_renewers "*"
default_renewers "none"

Please see below for additional documentation on the myproxy-server.config options.

If you have root access, you can copy your myproxy-server.config file to /etc/myproxy-server.config so it is not overwritten by later installations.

The myproxy-server.config file sets the policy for the myproxy-server(8), specifying what credentials may be stored in the server's repository and who is authorized to retrieve credentials. By default, the myproxy-server(8) looks for this file in /etc/myproxy-server.config and if it is not found there, it looks in $GLOBUS_LOCATION/etc/myproxy-server.config. The myproxy-server -c option can be used to specify an alternative location. The file installed by default does not allow any requests.

The file also supports a passphrase_policy_program command for specifying an external program for evaluating the quality of users' passphrases. A sample program is installed in $GLOBUS_LOCATION/share/myproxy/myproxy-passphrase-policy but is not enabled by default.

Lines in the configuration file use limited regular expressions for matching the distinguished names (DNs) of classes of users. The lim- ited regular expressions support the shell-stype characters '*' and '?', where '*' matches any number of characters and '?' matches any single character.

The DN limited regexes should be delimited with double quotes ("DN regex").

The configuration file has the following types of lines:

accepted_credentials "DN regex"

Each of these lines allows any clients whose DNs match the given limited regex to connect to the myproxy-server and store creden- tials with it for future retrieval. Any number of these lines may appear. For backwards compatibility, these lines can also start with allowed_clients instead of accepted_credentials.

authorized_retrievers "DN regex"

Each of these lines allows the server administrator to set server-wide policies for authorized retrievers. If the client DN does not match the given limited regex the client is not allowed to retrieve the credentials previously stored by a client. In addition to the server-wide policy, MyProxy also provides support for per-credential policy. The user can specify the regex DN of the allowed retrievers of the credential when uploading the credential (using myproxy-init(1)). The retrieval client DN must also match the user specified regex. In order to retrieve credentials the client also needs to know the name and pass phrase provided by the client when the credentials were stored. Any number of these lines may appear. For backwards compatibility, these lines can also start with allowed_services instead of authorized_retrievers.

default_retrievers "DN regex"

Each of these lines allows the server administrator to set server-wide default policies. The regex specifies the clients who can access the credentials. The default retriever policy is enforced if a per-credential policy is not specified on upload (using myproxy-init(1)). In other words, the client can override this policy for a credential on upload. The per-credential policy is enforced in addition to the server-wide policy specified by the authorized_retrievers line (which clients can not override). Any number of these lines may be present. For backwards compatibility, if no default_retrievers line is specified, the default policy is "*", which allows any client to pass the per-credential policy check. (The client must still pass the authorized_retrievers check.)

authorized_renewers "DN regex"

Each of these lines allows the server administrator to set server-wide policies for authorized renewers. If the client DN does not match the given limited regex the client is not allowed to renew the credentials previously stored by a client. In addition to the server-wide policy, MyProxy also provides support for per-credential policy. The user can specify the regex DN of the allowed renewers of the credential on upload (using myproxy-init(1)). The renewal client DN must match both this regex and the user specified regex. In this case, the client must also already have a credential with a DN matching the DN of the credentials to be retrieved, to be used in a second autho- rization step (see the -a option for myproxy-get-delegation(1)).

default_renewers "DN regex"

Each of these lines allows the server administrator to set server-wide default renewer policies. The regex specifies the clients who can renew the credentials. The default renewer policy is enforced if a per-credential policy is not specified on upload (using myproxy-init(1)). This is enforced in addition to the server-wide policy specified by the authorized_renewers line. Any number of these lines may appear. For backwards compatibility, if no default_renewers line is specified, the default policy is "*", which allows any client to pass the per-credential policy check. (The client must still pass the authorized_renewers check.)

passphrase_policy_program full-path-to-script

This line specifies a program to run whenever a passphrase is set or changed for implementing a local password policy. The program is passed the new passphrase via stdin and is passed the following arguments: username, distinguished name, credential name (if any), per-credential retriever policy (if any), and per-credential renewal policy (if any). If the passphrase is acceptable, the program should exit with status 0. Otherwise, it should exit with non-zero status, causing the operation in progress (credential load, passphrase change) to fail with the error message provided by the program's stdout. Note: You must specify the full path to the external program. $GLOBUS_LOCATION can't be used in the myproxy-server.config file.

max_proxy_lifetime hours

This line specifies a server-wide maximum lifetime for retrieved proxy credentials. By default, no server-wide maximum is enforced. However, if this option is specified, the server will limit the lifetime of any retrieved proxy credentials to the value given.

Environment variable interface

MYPROXY_SERVER

Specifies the hostname where the myproxy-server is running. This environment variable can be used in place of the -s option.

MYPROXY_SERVER_PORT

Specifies the port where the myproxy-server is running. This environment variable can be used in place of the -p option.

MYPROXY_SERVER_DN

Specifies the distinguished name (DN) of the myproxy-server. All MyProxy client programs authenticate the server's identity. By default, MyProxy servers run with host credentials, so the MyProxy client programs expect the server to have a distinguished name of the form "host/<fqhn>" or "myproxy/<fqhn>" (where <fqhn> is the fully-qualified hostname of the server). If the server is running with some other DN, you can set this environment variable to tell the MyProxy clients to accept the alternative DN.

X509_USER_CERT

Specifies a non-standard location for the certificate from which the proxy credential is created by myproxy-init. Also specifies an alternative location for the server's certificate. By default, the server uses /etc/grid-security/hostcert.pem when running as root or ~/.globus/usercert.pem when running as non- root.

X509_USER_KEY

Specifies a non-standard location for the private key from which the proxy credential is created by myproxy-init. Also specifies an alternative location for the server's private key. By default, the server uses /etc/grid-security/hostkey.pem when running as root or ~/.globus/userkey.pem when running as non- root.

X509_USER_PROXY

Specifies an alternative location for the server's certificate and private key (in the same file). Use when running the server with a proxy credential. Note that the proxy will need to be periodically renewed before expiration to allow the myproxy-server to keep functioning. When the myproxy-server runs with a non-host credential, clients must have the MYPROXY_SERVER_DN environment variable set to the distinguished name of the certificate being used by the server.

GLOBUS_LOCATION

Specifies the root of the MyProxy installation, used to find the default location of the myproxy-server.config file and the credential storage directory.

LD_LIBRARY_PATH

The MyProxy server is typically linked dynamically with Globus security libraries, which must be present in the dynamic linker's search path. This typically requires $GLOBUS_LOCATION/lib to be included in the list in the LD_LIBRARY_PATH environment variable, which is set by the $GLOBUS_LOCATION/libexec/globus-script-initializer script, which should be called from any myproxy-server startup script. Alternatively, to set LD_LIBRARY_PATH appropriately for the Globus libraries in an interactive shell, source $GLOBUS_LOCATION/etc/globus-user- env.sh (for sh shells) or $GLOBUS_LOCATION/etc/globus- user.env.csh (for csh shells).