Home -> Toolkit -> Docs -> Development -> 3.9.5 -> Security -> Myproxy -> Admin

GT 3.9.5 MyProxy: System Administrator's Guide

• Introduction
• Building and Installing
• Configuring
• Deploying
• Testing
• Security Considerations
• Troubleshooting

Introduction

This guide contains advanced configuration information for system administrators working with MyProxy. It provides references to information on procedures typically performed by system administrators, including installation, configuring, deploying, and testing the installation.

This information is in addition to the basic installation instructions in the GT 3.9.5 System Administrator's Guide.

A typical MyProxy configuration has one dedicated myproxy-server for the site, with MyProxy clients installed on all systems where other Globus Toolkit client software is installed.

Building and Installing

MyProxy is built and installed as part of a default GT 3.9.5 installation. For basic installation instructions, see the GT 3.9.5 System Administrator's Guide. No extra installation steps are required for this component.

Configuring

No additional configuration is required to use MyProxy clients after they are installed, although you may want to set the MYPROXY_SERVER environment variable to the hostname of your myproxy-server in the default user environment on your systems.

To configure the myproxy-server, you must modify $GLOBUS_LOCATION/etc/myproxy-server.config. If you skip this step, your myproxy-server will not accept any requests. The default configuration does not enable any myproxy-server features to provide the greatest security until you have configured your server. To enable all myproxy-server features, uncomment the provided sample policy at the top of the myproxy-server.config config file, as follows:

#
# Complete Sample Policy
#
# The following lines define a sample policy that enables all
# myproxy-server features. See below for more examples.
accepted_credentials "*"
authorized_retrievers "*"
default_retrievers "*"
authorized_renewers "*"
default_renewers "none"

Please see below for additional documentation on the myproxy-server.config options.

If you have root access, you can copy your myproxy-server.config file to /etc/myproxy-server.config so it is not overwritten by later installations.

The myproxy-server.config file sets the policy for the myproxy-server(8), specifying what credentials may be stored in the server's repository and who is authorized to retrieve credentials. By default, the myproxy-server(8) looks for this file in /etc/myproxy-server.config and if it is not found there, it looks in $GLOBUS_LOCATION/etc/myproxy-server.config. The myproxy-server -c option can be used to specify an alternative location. The file installed by default does not allow any requests.

The file also supports a passphrase_policy_program command for specifying an external program for evaluating the quality of users' passphrases. A sample program is installed in $GLOBUS_LOCATION/share/myproxy/myproxy-passphrase-policy but is not enabled by default.

Lines in the configuration file use limited regular expressions for matching the distinguished names (DNs) of classes of users. The lim- ited regular expressions support the shell-stype characters '*' and '?', where '*' matches any number of characters and '?' matches any single character.

The DN limited regexes should be delimited with double quotes ("DN regex").

The configuration file has the following types of lines:

accepted_credentials "DN regex"

Each of these lines allows any clients whose DNs match the given limited regex to connect to the myproxy-server and store creden- tials with it for future retrieval. Any number of these lines may appear. For backwards compatibility, these lines can also start with allowed_clients instead of accepted_credentials.

authorized_retrievers "DN regex"

Each of these lines allows the server administrator to set server-wide policies for authorized retrievers. If the client DN does not match the given limited regex the client is not allowed to retrieve the credentials previously stored by a client. In addition to the server-wide policy, MyProxy also provides support for per-credential policy. The user can specify the regex DN of the allowed retrievers of the credential when uploading the credential (using myproxy-init(1)). The retrieval client DN must also match the user specified regex. In order to retrieve credentials the client also needs to know the name and pass phrase provided by the client when the credentials were stored. Any number of these lines may appear. For backwards compatibility, these lines can also start with allowed_services instead of authorized_retrievers.

default_retrievers "DN regex"

Each of these lines allows the server administrator to set server-wide default policies. The regex specifies the clients who can access the credentials. The default retriever policy is enforced if a per-credential policy is not specified on upload (using myproxy-init(1)). In other words, the client can override this policy for a credential on upload. The per-credential policy is enforced in addition to the server-wide policy specified by the authorized_retrievers line (which clients can not override). Any number of these lines may be present. For backwards compatibility, if no default_retrievers line is specified, the default policy is "*", which allows any client to pass the per-credential policy check. (The client must still pass the authorized_retrievers check.)

authorized_renewers "DN regex"

Each of these lines allows the server administrator to set server-wide policies for authorized renewers. If the client DN does not match the given limited regex the client is not allowed to renew the credentials previously stored by a client. In addition to the server-wide policy, MyProxy also provides support for per-credential policy. The user can specify the regex DN of the allowed renewers of the credential on upload (using myproxy-init(1)). The renewal client DN must match both this regex and the user specified regex. In this case, the client must also already have a credential with a DN matching the DN of the credentials to be retrieved, to be used in a second autho- rization step (see the -a option for myproxy-get-delegation(1)).

default_renewers "DN regex"

Each of these lines allows the server administrator to set server-wide default renewer policies. The regex specifies the clients who can renew the credentials. The default renewer policy is enforced if a per-credential policy is not specified on upload (using myproxy-init(1)). This is enforced in addition to the server-wide policy specified by the authorized_renewers line. Any number of these lines may appear. For backwards compatibility, if no default_renewers line is specified, the default policy is "*", which allows any client to pass the per-credential policy check. (The client must still pass the authorized_renewers check.)

passphrase_policy_program full-path-to-script

This line specifies a program to run whenever a passphrase is set or changed for implementing a local password policy. The program is passed the new passphrase via stdin and is passed the following arguments: username, distinguished name, credential name (if any), per-credential retriever policy (if any), and per-credential renewal policy (if any). If the passphrase is acceptable, the program should exit with status 0. Otherwise, it should exit with non-zero status, causing the operation in progress (credential load, passphrase change) to fail with the error message provided by the program's stdout. Note: You must specify the full path to the external program. $GLOBUS_LOCATION can't be used in the myproxy-server.config file.

max_proxy_lifetime hours

This line specifies a server-wide maximum lifetime for retrieved proxy credentials. By default, no server-wide maximum is enforced. However, if this option is specified, the server will limit the lifetime of any retrieved proxy credentials to the value given.

Deploying

A sample SysV-style boot script for MyProxy is installed at $GLOBUS_LOCATION/share/myproxy/etc.init.d.myproxy. To install on Linux, copy the file to /etc/rc.d/init.d/myproxy and run 'chkconfig --add myproxy'. You will need to edit the file to set the GLOBUS_LOCATION environment variable correctly.

Alternatively, to run the myproxy server out of inetd or xinetd, you need to do the following as root:

• Add the entries in $GLOBUS_LOCATION/share/myproxy/etc.services.modifications to the /etc/services or /etc/inet/services file.
• Add the entries in $GLOBUS_LOCATION/share/myproxy/etc.inetd.conf.modifications to /etc/inetd.conf or /etc/inet/inetd.conf, or copy $GLOBUS_LOCATION/share/myproxy/etc.xinetd.myproxy to /etc/xinetd.d/myproxy. You'll need to modify the paths in the file according to your installation.
• Reactivate the inetd (or xinetd). This is typically accomplished by sending the SIGHUP signal to the daemon. Refer to the inetd or xinetd man page for your system.

Testing

To verify your myproxy-server installation and configuration, you can run the myproxy-server directly from your shell. If using a host certificate, you will need to run the myproxy-server as root. First, make sure your Globus environment is setup in your shell. Set the GLOBUS_LOCATION environment variable to the location of your MyProxy installation. Then, depending on your shell, run one of the following commands.

For csh shells:

source $GLOBUS_LOCATION/etc/globus-user-env.csh

For sh shells:

. $GLOBUS_LOCATION/etc/globus-user-env.sh

Then, run $GLOBUS_LOCATION/sbin/myproxy-server -d. The -d argument runs the myproxy-server in debug mode. It will write debugging messages to the terminal and exit after servicing a single request. You'll need to start it once for each test request. In another shell, you can run the MyProxy client programs to test the server.

If run without the -d argument, the myproxy-server program will start up and background itself. It accepts connections on TCP port 7512, forking off a separate child to handle each incoming connection. It logs information via the syslog service under the daemon facility.

Security Considerations

You should choose a well-protected host to run the myproxy-server on. Consult with security-aware personnel at your site. You want a host that is secured to the level of a Kerberos KDC, that has limited user access, runs limited services, and is well monitored and maintained in terms of security patches.

For a typical myproxy-server installation, the host on which the myproxy-server is running must have /etc/grid-security created and a host certificate installed. In this case, the myproxy-server will run as root so it can access the host certificate and key.

Troubleshooting

Please refer to the Troubleshooting section of the User's Guide.