
myproxy-server.config(5) MyProxy myproxy-server.config(5)

NAME

myproxy-server.config - myproxy-server configuration file

DESCRIPTION

The myproxy-server.config file sets the policy for the myproxy-server(8), specifying what credentials may be stored in the server's repository, who is authorized to retrieve credentials, and other configurable server behaviors. By default, the myproxy-server(8) looks for this file in /etc/myproxy-server.config and, if it is not found there, in $GLOBUS_LOCATION/etc/myproxy-server.config. A template is provided at $GLOBUS_LOCATION/share/myproxy/myproxy-server.config. The myproxy-server -c option can be used to specify an alternative location.

The following lines set access control policies according to the client's certificate subject distinguished name (DN). Note that MyProxy uses non-standard regular expressions for DN matching; see the REGULAR EXPRESSIONS section below for details.

accepted_credentials "regex"
Each of these lines allows any client whose DN matches the given limited regex to connect to the myproxy-server and store credentials with it for future retrieval. Any number of these lines may appear. For backwards compatibility, these lines can also start with allowed_clients instead of accepted_credentials. If no accepted_credentials lines are specified, the server will not allow any clients to store credentials.
authorized_retrievers "regex"
Each of these lines allows the server administrator to set server-wide policies for credential retrievers. If the client DN does not match the given limited regex, the client is not allowed to retrieve credentials from the server. In addition to the server-wide policy, MyProxy also supports a per-credential policy: the user can specify the regex DN of the allowed retrievers of a credential when uploading it (using myproxy-init(1) or myproxy-store(1)), and the retrieving client's DN must also match that user-specified regex. To retrieve credentials the client also needs to know the credential name and the passphrase given when the credentials were stored. Any number of these lines may appear. For backwards compatibility, these lines can also start with allowed_services instead of authorized_retrievers. If no authorized_retrievers lines are specified, the server will not allow any clients to retrieve credentials.
default_retrievers "regex"
Each of these lines allows the server administrator to set server-wide default policies. The regex specifies the clients who can access the credentials. The default retriever policy is enforced only if a per-credential policy is not specified on upload (using myproxy-init(1) or myproxy-store(1)); in other words, the client can override this policy for a credential on upload. The per-credential policy is enforced in addition to the server-wide policy specified by the authorized_retrievers line (which clients can not override). Any number of these lines may be present. For backwards compatibility, if no default_retrievers line is specified, the default policy is "*", which allows any client to pass the per-credential policy check. (The client must still pass the authorized_retrievers check.)
authorized_renewers "regex"
Each of these lines allows the server administrator to set server-wide policies for authorized renewers. If the client DN does not match the given limited regex, the client is not allowed to renew credentials previously stored by a client. See allow_self_authorization below for a further restriction on this policy. In addition to the server-wide policy, MyProxy also supports a per-credential policy: the user can specify the regex DN of the allowed renewers of the credential on upload (using myproxy-init(1)), and the renewing client's DN must match both this regex and the user-specified regex. In this case, the client must also already hold a credential with a DN matching the DN of the credentials to be retrieved, which is used in a second authorization step (see the -a options for myproxy-logon(1) and myproxy-retrieve(1)).
default_renewers "regex"
Each of these lines allows the server administrator to set server-wide default renewer policies. The regex specifies the clients who can renew the credentials. The default renewer policy is enforced only if a per-credential policy is not specified on upload (using myproxy-init(1)). This is enforced in addition to the server-wide policy specified by the authorized_renewers line. Any number of these lines may appear. For backwards compatibility, if no default_renewers line is specified, the default policy is "*", which allows any client to pass the per-credential policy check. (The client must still pass the authorized_renewers check.)
authorized_key_retrievers "regex"
This policy controls who can retrieve credentials (certificates and private keys) directly from the repository using myproxy-retrieve(1). Clients must also match the authorized_retrievers policy. If no authorized_key_retrievers lines are specified, the server will not allow any clients to retrieve keys directly from the repository.
default_key_retrievers "regex"
This policy applies only if a per-credential policy is not specified on upload (using myproxy-init(1) or myproxy-store(1)); in other words, the client can override this policy for a credential on upload. The per-credential policy is enforced in addition to the server-wide policy specified by the authorized_key_retrievers line (which clients can not override). Any number of these lines may be present. If no default_key_retrievers line is specified, the default policy is "*", which allows any client to pass the per-credential policy check. (The client must still pass the authorized_key_retrievers check.)
trusted_retrievers "regex"
This policy controls who can retrieve credentials without further authentication. By default, clients that match authorized_retrievers must perform additional authentication (such as passphrase, PAM, or SASL) to retrieve credentials. Authenticated clients that match both authorized_retrievers and trusted_retrievers do not need to perform additional authentication, unless the credentials are protected by a passphrase, in which case the passphrase is still required. Note: the myproxy-server(8) will fail on startup or reconfig with an "unsafe policy" error if a trusted_retrievers "*" policy is specified without also specifying a restrictive default_trusted_retrievers policy, to avoid a policy that would release credentials to all clients without additional authentication. See also allow_self_authorization below for a further restriction on this policy.
default_trusted_retrievers "regex"
If a user does not set a trusted retrieval policy with the credential on upload (via 'myproxy-init -Z'), the myproxy-server(8) applies this policy in addition to the trusted_retrievers policy. If no default_trusted_retrievers policy is set, only the trusted_retrievers policy is applied.
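As an added example (not part of MyProxy or of this manual), the following POSIX shell script lints a myproxy-server.config for the unsafe trusted_retrievers combination described above, and applies the same reasoning to authorized_key_retrievers / default_key_retrievers. It assumes the file syntax shown in EXAMPLES (one directive per line, the regex in double quotes, lines starting with '#' as comments); the key-retriever check is the script's own local policy, not something the server enforces.

```shell
#!/bin/sh
# Added example: a pre-flight lint for the access-control lines of
# myproxy-server.config. Not MyProxy code. Re-implements the "unsafe policy"
# check the server performs for trusted_retrievers and applies the same idea
# to the key retriever policies.

# policy_values FILE DIRECTIVE -> prints one argument per matching line with
# surrounding quotes removed (every line counts, since any number may appear).
policy_values() {
    awk -v d="$2" '
        /^[ \t]*#/ { next }                 # comment line
        $1 == d {
            sub(/^[ \t]*[^ \t]+[ \t]+/, "") # drop the directive name
            sub(/[ \t]+$/, "")
            gsub(/^"|"$/, "")               # strip surrounding quotes
            print
        }' "$1"
}

# has_star VALUES -> 0 if any line is exactly "*", i.e. matches every DN.
has_star() {
    printf '%s\n' "$1" | grep -q -x '\*'
}

# check_pair FILE AUTHORIZED DEFAULT -> 0 if safe. Unsafe means AUTHORIZED
# contains "*" while DEFAULT is absent or also "*": every client then passes
# both the server-wide and the per-credential check unless the uploader
# happened to set a per-credential policy.
check_pair() {
    auth_vals=$(policy_values "$1" "$2")
    def_vals=$(policy_values "$1" "$3")
    if has_star "$auth_vals"; then
        if [ -z "$def_vals" ] || has_star "$def_vals"; then
            echo "unsafe: $2 \"*\" without a restrictive $3" >&2
            return 1
        fi
    fi
    return 0
}

# lint_config FILE -> 0 if both checks pass, 1 otherwise.
lint_config() {
    rc=0
    # myproxy-server itself refuses to start on this combination.
    check_pair "$1" trusted_retrievers default_trusted_retrievers || rc=1
    # Not refused by the server, but it hands private keys to any client that
    # knows a passphrase; flagged here as a local policy choice (assumption).
    check_pair "$1" authorized_key_retrievers default_key_retrievers || rc=1
    return "$rc"
}

if [ "$#" -eq 1 ]; then
    lint_config "$1"
fi
```

Run it as `lint_config /etc/myproxy-server.config` (or with the file as the single argument) before restarting the server; a nonzero exit with the reason on stderr is the same outcome the server would give you at startup for the trusted_retrievers case.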

The following lines in the configuration file set other server options.

passphrase_policy_program path
This line specifies a program to run whenever a passphrase is set or changed, for implementing a local password policy. The program is passed the new passphrase via stdin and the following arguments: username, distinguished name, credential name (if any), per-credential retriever policy (if any), and per-credential renewal policy (if any). If the passphrase is acceptable, the program should exit with status 0. Otherwise, it should exit with non-zero status, causing the operation in progress (credential load, passphrase change) to fail with the error message provided on the program's stdout. Note: you must specify the full path to the external program; $GLOBUS_LOCATION can't be used in the myproxy-server.config file. A sample program is installed in $GLOBUS_LOCATION/share/myproxy/myproxy-passphrase-policy but is not enabled by default.

Be sure to follow secure coding practices for this call-out:

- Don't allow input to overflow fixed-size buffers.

- Don't pass unchecked input to a shell command.
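The following is an added example of such a call-out in POSIX shell; it is not the myproxy-passphrase-policy sample shipped with MyProxy. The minimum length, the required character classes and the small denylist are local policy assumptions. It keeps the passphrase in shell variables and never hands it to an external command, which covers both of the points above.

```shell
#!/bin/sh
# Added example of a passphrase_policy_program call-out (not MyProxy's sample).
# myproxy-server hands it the new passphrase on stdin and the username, DN,
# credential name, retriever policy and renewer policy as arguments; stdout
# becomes the client-visible error message on failure.
# MIN_LEN and the denylist are local policy choices (assumptions).

MIN_LEN=12

# check_passphrase PASSPHRASE USERNAME -> 0 if acceptable; otherwise prints
# the reason on stdout and returns 1. Only shell built-ins see the passphrase:
# it is never placed on a command line or expanded into a shell command.
check_passphrase() {
    pass=$1
    user=$2
    if [ "${#pass}" -lt "$MIN_LEN" ]; then
        echo "passphrase must be at least $MIN_LEN characters"
        return 1
    fi
    # `case` compares the value literally; the passphrase is never globbed.
    if [ -n "$user" ]; then
        case $pass in
            *"$user"*) echo "passphrase must not contain the username"; return 1 ;;
        esac
    fi
    case $pass in
        *[0-9]*) ;;
        *) echo "passphrase must contain at least one digit"; return 1 ;;
    esac
    case $pass in
        *[A-Za-z]*) ;;
        *) echo "passphrase must contain at least one letter"; return 1 ;;
    esac
    # Constructed denylist of prefixes seen in common wordlists (assumption).
    case $pass in
        [Pp]assword*|[Cc]hangeme*|[Mm]yproxy*|[Qq]werty*|12345*)
            echo "passphrase is too common"; return 1 ;;
    esac
    return 0
}

# Entry point when invoked by myproxy-server: at least the username and DN
# are present as arguments, and the passphrase is the first line of stdin.
if [ "$#" -ge 2 ]; then
    IFS= read -r new_pass
    check_passphrase "$new_pass" "$1"
    exit $?
fi
```

Install it with a full path in passphrase_policy_program, mode 0755 and owned by root, so the account running myproxy-server can execute but not modify it.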

cert_dir path
Specifies the path to the CA certificates directory to be returned to clients requesting trust roots (such as via the myproxy-logon(1) -T option).
This line specifies a server-wide maximum lifetime for retrieved proxy credentials. By default, no server-wide maximum is enforced. If this option is specified, the server will limit the lifetime of any retrieved proxy credential to the value given.
This line specifies a server-wide maximum lifetime for stored credentials. By default, no server-wide maximum is enforced. If this option is specified, the server will limit the lifetime of any stored credential to the value given.
By default, MyProxy respects the policy of "limited" proxy certificates as follows: if a client authenticates with a limited proxy, it can obtain only another limited proxy, not a full proxy or an end entity certificate. Consequently, the MyProxy CA will not accept limited proxies for authentication. If this option is set to true, MyProxy treats limited proxy certificates as if they were full proxy certificates.
allow_self_authorization true|false
By default, MyProxy disallows trusted_retrievers and authorized_renewers whose DN matches the identity of the stored credential, so a proxy by itself can not be refreshed or renewed. If this option is set to true, this restriction is lifted.
You can optionally specify the string to be prepended to every message written to the syslog. If not specified, the name defaults to the program name, i.e. myproxy-server.
By default, the myproxy-server logs to the syslog "daemon" facility. With this option you can specify an alternate syslog facility, such as "auth", "user", "security", or "local0". The facility can also be specified numerically, as with the logger(1) command.
Specifies the maximum time a myproxy-server(8) child process should spend servicing a client request before aborting. By default, child processes abort after 120 seconds. A negative value disables the timeout.
Limits the amount of incoming application-level protocol data the myproxy-server(8) will accept from clients, to avoid memory exhaustion under heavy load. Specified in bytes. Defaults to 1MB (1048576 bytes). A zero or negative value disables the limit.
proxy_extfile path
Optionally specifies the full path to a file containing an OpenSSL formatted set of certificate extensions to include in all proxy certificates issued from the MyProxy repository (analogous to certificate_extfile for the CA module).
proxy_extapp path
This is the call-out version of proxy_extfile. It optionally specifies the full path to a call-out program for specifying proxy certificate extensions. It will be passed the authenticated username and the proxy credential location as its two command arguments. On success, it should write the OpenSSL formatted set of certificate extensions to stdout and exit with zero status. On error, it should write to stderr and exit with nonzero status. Either proxy_extfile or proxy_extapp can be specified, but not both.

Be sure to follow secure coding practices for this call-out:

- Don't allow input to overflow fixed-size buffers.

- Don't pass unchecked input to a shell command.

Optionally specifies the full path to the VOMS configuration file containing VOMS server information. It is usually specified in the environment variable VOMS_USERCONF.
If this parameter is set to true and a GET request includes VONAME and (optionally) VOMSES parameters, the server calls out to VOMS to add the requested attributes to the issued certificate. This requires linking with the VOMS libraries. By default, VONAME and VOMSES parameters in requests are ignored unless this parameter is set to true.

The MyProxy server can optionally be configured for authentication based on Pluggable Authentication Modules (PAM) and/or the Simple Authentication and Security Layer (SASL). Kerberos is one of the supported SASL authentication methods. The following options control the use of PAM and SASL.

pam "value"
This line governs the use of PAM to check passphrases. MyProxy will attempt to authenticate via PAM with the supplied username and passphrase. Note that PAM will need to be configured externally for the application "myproxy" (usually in /etc/pam.d/), or for the application named by pam_id, below. Accepted values:

- required: PAM password authentication is required under all conditions. If the credential is unencrypted (that is, it has no passphrase), a PAM password check is still required for authentication. If the credential is encrypted, its passphrase must match the PAM password.

- sufficient: The user's passphrase may match either the credential passphrase or, if the credential is unencrypted, the PAM password. If the credential is encrypted, the PAM password is not relevant.

- PAM is not used to check passphrases.

pam_id "name"
The name that MyProxy uses to identify itself to PAM. The default is "myproxy". For example, on most Unix-like systems, if pam_id is set to "login", MyProxy will authenticate against the system's own usernames and passwords.
sasl "value"
This line governs the use of SASL authentication. Accepted values:

- required: SASL authentication is required for retrieving credentials.

- sufficient: SASL authentication is sufficient for retrieving credentials, but other authentication methods may be used instead.

- SASL authentication isn't used.

Forces the use of a single SASL mechanism, overriding the SASLconfiguration file. (Typically not required.)
Configures the SASL server fully-qualified domain name formulti-homed servers. (Typically not required.)
Configures the SASL user realm. (Typically not required.)

The MyProxy server can also be configured to act as a Certificate Authority (CA) to issue credentials to clients. The following parameters enable and configure the CA functionality.

certificate_issuer_cert path
This line specifies the full path to the issuer certificate, to optionally configure the myproxy-server to act as an online certificate authority.
certificate_issuer_key path
When specifying certificate_issuer_cert above, you must also give the name of the CA private key for signing certificates. This is normally the path to a CA private key in PEM format, but if you are using an OpenSSL engine (see certificate_openssl_engine_id) it can be the key name.
certificate_issuer_key_passphrase "passphrase"
If the certificate_issuer_key is encrypted, give the passphrase here. Because this places the CA key passphrase in the configuration file, the file should be readable only by the account running the myproxy-server.
If you would like an intermediate/sub-CA certificate chain to be sent along with the EEC (End Entity Certificate) generated using a local intermediate/sub-CA, specify the file that contains those certificates in PEM format. This is meant for scenarios where the issuing CA is an intermediate CA (i.e. not a root CA) and the client may not have the intermediate CA(s) in its trust store. The client writes the chain into the same file as the EEC, following the EEC.
Specifies the hash algorithm to use when signing end entity certificates. Defaults to "sha256".
If set, specifies the domain part of the X509v3 Subject Alternative Name email address included in issued certificates.

certificate_openssl_engine_id engineId

certificate_openssl_engine_pre pre-initialization-commands

certificate_openssl_engine_post post-initialization-commands

These commands can be used to allow any OpenSSL engine to be used with MyProxy. This enables the use of hardware tokens and signing modules to sign certificates. Given the parameters of an OpenSSL "engine" command, the first argument (the identity of the engine) becomes the argument to certificate_openssl_engine_id, the -pre commands are listed in order using certificate_openssl_engine_pre, and the -post commands are listed in order using certificate_openssl_engine_post. For example, the command line:

openssl engine dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/opensc-pkcs11.so
becomes:

certificate_openssl_engine_id "dynamic"

certificate_openssl_engine_pre "SO_PATH:/usr/lib/engines/engine_pkcs11.so" "ID:pkcs11" "LIST_ADD:1" "LOAD" "MODULE_PATH:/usr/lib/opensc-pkcs11.so"

Please note that any shared library engines loaded through the "dynamic" engine MUST be compiled against the correct version of OpenSSL.
If your hardware token or HSM is unable to handle simultaneous operations, provide a path to a lockfile for synchronizing operations to the engine device. The myproxy-server will create the file if it does not already exist.
certificate_issuer_program path
This line specifies the path to a program that issues certificates for authenticated clients that don't have credentials stored. This optionally configures the myproxy-server to act as an online certificate authority, allowing programmatic control over the certificate issuance process. You can specify either certificate_issuer_cert or certificate_issuer_program, but not both.

Be sure to follow secure coding practices for this call-out:

- Don't allow input to overflow fixed-size buffers.

- Don't pass unchecked input to a shell command.

certificate_serialfile path
Specifies the path to a file that stores the serial number counter for issued certificates. Defaults to /var/lib/myproxy/serial.
Specifies the number to add to the serial number each time a certificate is issued. Use this to stagger serial numbers across multiple CA instances to avoid serial number clashes. Defaults to 1.
Specifies the path to a directory where new certificates will be archived.
Specifies the maximum lifetime (in hours) for certificates issued by the CA module. Defaults to 12 hours.
Specifies the minimum RSA key length (in bits) for certificates issued by the CA module.
certificate_extfile path
Optionally specifies the full path to a file containing an OpenSSL formatted set of certificate extensions to include in all issued certificates. For example:

keyUsage=digitalSignature,keyEncipherment,dataEncipherment
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
crlDistributionPoints=URI:http://ca.ncsa.uiuc.edu/4a6cd8b1.r0
basicConstraints=CA:FALSE

If not set, the MyProxy CA will include a basic set of extensions in issued certificates.
certificate_extapp path
This is the call-out version of certificate_extfile. It optionally specifies the full path to a call-out program for specifying certificate extensions. It will be passed the authenticated username as the single command argument. On success, it should write the OpenSSL formatted set of certificate extensions to stdout and exit with zero status. On error, it should write to stderr and exit with nonzero status. Either certificate_extfile or certificate_extapp can be specified, but not both.

Be sure to follow secure coding practices for this call-out:

- Don't allow input to overflow fixed-size buffers.

- Don't pass unchecked input to a shell command.
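An added example (not MyProxy's code) of an extapp call-out that serves both certificate_extapp (one argument, the username) and proxy_extapp (two arguments, username and proxy location) described above. The extension set and the example.org mail domain are assumptions standing in for local CA policy; the point it demonstrates is validating the username before it is spliced into extension text that the CA will honour.

```shell
#!/bin/sh
# Added example of an extapp call-out, usable as certificate_extapp (one
# argument: username) or proxy_extapp (two arguments: username, proxy file).
# Not MyProxy code. The extension set and mail domain are assumptions.

# emit_extensions USERNAME [PROXYFILE] -> prints OpenSSL x509v3 extension
# lines on stdout and returns 0; on a bad username or missing proxy file
# prints nothing, reports on stderr and returns 1 so the server aborts.
emit_extensions() {
    user=$1
    proxyfile=$2
    # The username is spliced into the extension text, so allow only a tight
    # character set: anything else could alter the extensions or the SAN.
    case $user in
        ''|*[!A-Za-z0-9._-]*)
            echo "extapp: refusing username '$user'" >&2
            return 1 ;;
    esac
    if [ -n "$proxyfile" ] && [ ! -f "$proxyfile" ]; then
        echo "extapp: proxy credential '$proxyfile' not found" >&2
        return 1
    fi
    printf '%s\n' \
        'basicConstraints=critical,CA:FALSE' \
        'keyUsage=critical,digitalSignature,keyEncipherment' \
        'extendedKeyUsage=clientAuth' \
        'subjectKeyIdentifier=hash' \
        'authorityKeyIdentifier=keyid,issuer'
    # A mail SAN only makes sense on an end entity certificate; a proxy
    # carries its identity in the subject chain, so omit it in proxy mode
    # (local choice, assumption).
    if [ -z "$proxyfile" ]; then
        printf 'subjectAltName=email:%s@example.org\n' "$user"
    fi
    return 0
}

case $# in
    1|2) emit_extensions "$@" ;;
esac
```

The same file can be named in both certificate_extapp and proxy_extapp; the argument count tells it which role it is playing.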

certificate_mapfile path
When specifying certificate_issuer_cert above, you can map account names to certificate subject distinguished names for the issued certificates using this mapfile, which has the same format as used by other Grid Community Toolkit services. By default, /etc/grid-security/grid-mapfile is used. The Grid Community Toolkit grid-mapfile-add-entry and grid-mapfile-delete-entry commands can be used to manage the grid-mapfile.
certificate_mapapp path
When specifying certificate_issuer_cert above, you can map account names to certificate subject distinguished names for the issued certificates using this call-out. It will be passed the authenticated username as the single command argument. On success, it should write the distinguished name in OpenSSL one line format (for example, "/C=US/O=National Computational Science Alliance/CN=Jim Basney") to stdout and exit with zero status. On error, it should write to stderr and exit with nonzero status. If it is not defined, then mapfile lookup will be executed instead (see certificate_mapfile above). An example is installed in $GLOBUS_LOCATION/share/myproxy/myproxy-certificate-mapapp.

Be sure to follow secure coding practices for this call-out:

- Don't allow input to overflow fixed-size buffers.

- Don't pass unchecked input to a shell command.

This CA call-out can be used to perform checks on incoming certificate requests. It will be passed the certificate request in PEM format on stdin. If it returns a nonzero exit status, the CA will abort without signing the request. When returning a nonzero exit status, the call-out should indicate the problem on stderr. An example is installed in $GLOBUS_LOCATION/share/myproxy/myproxy-certreq-checker.
This CA call-out can be used to perform checks on issued certificates before the certificate is returned to the client. It will be passed the certificate in PEM format on stdin. If it returns a nonzero exit status, the CA will abort without returning the signed certificate to the client. When returning a nonzero exit status, the call-out should indicate the problem on stderr. An example is installed in $GLOBUS_LOCATION/share/myproxy/myproxy-cert-checker.
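An added example of a request checker in POSIX shell, not the myproxy-certreq-checker sample shipped with MyProxy. The policy logic runs over `openssl req -noout -text` output, so the two checks (minimum RSA size, no CA:TRUE among requested extensions) can be exercised without openssl installed; MIN_KEY_BITS and the installed script name are assumptions.

```shell
#!/bin/sh
# Added example of a certificate request checker call-out (not MyProxy's
# sample). myproxy-server pipes the PEM request to stdin; a nonzero exit
# aborts signing and stderr carries the reason. MIN_KEY_BITS is an assumption.

MIN_KEY_BITS=2048

# check_req_text  (reads `openssl req -noout -text` output on stdin)
# -> 0 if the request is acceptable, 1 otherwise with the reason on stderr.
check_req_text() {
    text=$(cat)
    # "Public-Key: (2048 bit)" in current OpenSSL, "Public Key:" in older ones.
    bits=$(printf '%s\n' "$text" \
        | sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    if [ -z "$bits" ]; then
        echo "certreq-checker: cannot determine public key size" >&2
        return 1
    fi
    if [ "$bits" -lt "$MIN_KEY_BITS" ]; then
        echo "certreq-checker: $bits-bit key is below the $MIN_KEY_BITS-bit minimum" >&2
        return 1
    fi
    # A request may carry requested extensions; never sign one asking to be a CA.
    if printf '%s\n' "$text" | grep -q 'CA:TRUE'; then
        echo "certreq-checker: request asks for basicConstraints CA:TRUE" >&2
        return 1
    fi
    return 0
}

# check_req_pem  (reads the PEM request on stdin) -> decodes it with openssl,
# then applies the policy. An undecodable request yields no key size and fails.
check_req_pem() {
    openssl req -noout -text 2>/dev/null | check_req_text
}

# Act as the call-out only when installed under this name (assumption), so
# that sourcing the file for testing does not consume stdin.
case ${0##*/} in
    myproxy-certreq-checker*) check_req_pem ;;
esac
```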

If OpenLDAP support is built into the myproxy-server(8), the following parameters can be used to configure the CA module to map account names to certificate subject distinguished names via LDAP.

This parameter specifies the URI of the LDAP server to use for username to DN resolution in the CA module. Both the ldap:// and ldaps:// protocols are supported, and a port number may optionally be specified as well. Defining this directive is the "trigger" that causes the name resolution module to use LDAP querying. If it is not defined, then mapfile lookup will be executed instead (see certificate_mapfile above).
The name of the record attribute that maps to the MyProxy username. Required for LDAP username to DN resolution.
The DN of the region of the LDAP database to be searched. Required for LDAP username to DN resolution.
If this directive is set, the LDAP resolver will pull the DN from the specified attribute in the returned record. If it is not set, the default is to use the DN of the record itself.
DN used to bind to the LDAP server (optional).
Passphrase used to bind to the LDAP server (optional).

The following parameters control server replication with the myproxy-replicate(1) utility.

This value is for use with the myproxy-replicate(1) utility. It provides a list of servers that will be used as secondary repositories for the MyProxy database. Each server should be separated by a ";". A port may be provided if the secondary server is using a port other than the default. The server name may be a resolvable DNS name or an IP address.

The following parameters are used primarily when utilizing MyProxy as a delegation service for web portals.

accepted_credentials_mapfile path
This parameter points to a grid-mapfile, which is possibly different from the other mapfiles above. When specified, this mapfile is utilized during puts/stores (e.g. with myproxy-init(1) and myproxy-store(1)). A credential is authorized to be put/stored only under the username specified in the mapfile. This prevents storing a user's credential under a different username. Note that the credential checked for the presence of a SubjectDN/Username entry in the mapfile is the credential used to secure the connection between client and server, NOT the actual credential being stored. As the credential which secures the TLS connection is typically the same as the credential being stored, this should not be a major issue. The Grid Community Toolkit grid-mapfile-add-entry and grid-mapfile-delete-entry commands can be used to manage the grid-mapfile.
accepted_credentials_mapapp path
As an alternative to the accepted_credentials_mapfile option above, you can specify a call-out which is passed two parameters: a certificate subject distinguished name and a username (in that order). In essence, the call-out performs a lookup in a 'virtual' accepted_credentials_mapfile. If the SubjectDN/Username line would appear in such a mapfile, then the call-out should exit with zero status, indicating that a credential with the given SubjectDN is allowed to be stored under the given Username. Otherwise, the call-out should exit with nonzero status, indicating error. An example is installed in $GLOBUS_LOCATION/share/myproxy/myproxy-accepted-credentials-mapapp.

Be sure to follow secure coding practices for this call-out:

- Don't allow input to overflow fixed-size buffers.

- Don't pass unchecked input to a shell command.
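An added example (not MyProxy's shipped sample) of one shell script that serves as both the certificate_mapapp call-out described in the CA section (username in, DN out) and the accepted_credentials_mapapp call-out above (DN and username in, exit status out), reading the same grid-mapfile so the two mappings cannot drift apart. The "DN" user1,user2 line layout is the grid-mapfile format; the GRID_MAPFILE environment override is an assumption.

```shell
#!/bin/sh
# Added example: one script acting as certificate_mapapp (argument: username;
# prints the DN) and accepted_credentials_mapapp (arguments: DN, username;
# exit 0 if that pair is allowed). Not MyProxy code. Reads the grid-mapfile
# format ("DN" user1,user2); the GRID_MAPFILE override is an assumption.

MAPFILE=${GRID_MAPFILE:-/etc/grid-security/grid-mapfile}

# parse_map_line LINE -> sets dn and users (comma list, no spaces); returns 1
# for blank, comment or malformed lines so callers can skip them.
parse_map_line() {
    case $1 in
        ''|'#'*) return 1 ;;
        '"'*'"'*) ;;
        *) return 1 ;;
    esac
    rest=${1#\"}            # drop the opening quote
    dn=${rest%%\"*}         # everything up to the closing quote
    users=${rest#*\"}       # everything after it
    users=$(printf '%s' "$users" | tr -d ' \t')
    [ -n "$dn" ] && [ -n "$users" ]
}

# mapfile_dn_for_user FILE USERNAME -> prints the DN mapped to USERNAME
# (first match wins) and returns 0; returns 1 if the user is not listed.
mapfile_dn_for_user() {
    while IFS= read -r line || [ -n "$line" ]; do
        parse_map_line "$line" || continue
        case ",$users," in
            *",$2,"*) printf '%s\n' "$dn"; return 0 ;;
        esac
    done < "$1"
    return 1
}

# mapfile_allows FILE DN USERNAME -> 0 if a line for exactly DN lists USERNAME.
mapfile_allows() {
    while IFS= read -r line || [ -n "$line" ]; do
        parse_map_line "$line" || continue
        [ "$dn" = "$2" ] || continue
        case ",$users," in
            *",$3,"*) return 0 ;;
        esac
    done < "$1"
    return 1
}

case $# in
    1) mapfile_dn_for_user "$MAPFILE" "$1" \
           || { echo "mapapp: no DN mapped to user '$1'" >&2; exit 1; } ;;
    2) mapfile_allows "$MAPFILE" "$1" "$2" \
           || { echo "mapapp: '$1' may not store under '$2'" >&2; exit 1; } ;;
esac
```

The DN comparison is an exact string match on the OpenSSL one line form, which is how entries appear in a grid-mapfile; no shell command is ever built from the DN or username.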

Typically, when a credential is accessed by a client, the server checks only one credential for possible access authorization, even if there are multiple credentials stored under the given username. If this option is set to "true" AND the client does not specify a credential name for a MyProxy GET operation (i.e., from myproxy-logon(1)), then the server will check multiple credentials with the given username. If a credential is found to be authorized for client access, then that one will be used during processing. The default value for this option is "false".

The following parameters enable OCSP status checking of stored credentials in the myproxy-server(8) repository, to avoid use of revoked credentials.

ocsp_policy "policy"
Controls the policy for checking certificate validity via OCSP before credentials may be delegated. Currently, only the status of the end entity certificate is checked via OCSP (and not any proxy certificates or CA certificates). OCSP will not be used unless ocsp_responder_url and/or ocsp_policy are set. Supported policies are:

"aia": use the OCSP responder named in the certificate's AIA extension, if present; otherwise use ocsp_responder_url, if set.

ocsp_responder_url "url"
Specifies the URL of an OCSP responder to use to check the validity of credentials stored in the myproxy-server repository before they may be delegated, so that revoked credentials can not be retrieved and used where their revocation status may not be checked. Currently, only the status of the end entity certificate is checked via OCSP (and not any proxy certificates or CA certificates). In any case, CRL checks are always performed. Both http and https URLs are supported. OCSP will not be used unless ocsp_responder_url and/or ocsp_policy are set.
Specifies the path to the certificate of a trusted OCSP responder. This is needed if the OCSP responder must be explicitly trusted in cases where standard path validation fails for the OCSP responder's certificate.

REGULAR EXPRESSIONS

For matching distinguished names (DNs) in access control policies, MyProxy uses POSIX Extended Regular Expressions (see re_format(7)), with custom processing of the '*', '?', and '.' metacharacters to simulate Unix shell style wildcard processing (for backward compatibility and other historical reasons). MyProxy's custom regular expressions are converted to POSIX EREs according to the following rules:


[ MyProxy regex ] => [ POSIX ERE ]
----------------------------------
'*' => '.*'
'?' => '.'
'.' => '\.'
'\*' => '*'
'\?' => '?'
'\.' => '.'

Additionally, MyProxy wraps all regular expressions inside '^(' and ')$'to require full DN matching.

Be aware that parentheses are metacharacters according to POSIX,so escaping is required for literal matching. For example:


"*/CN=Jim Basney \(admin\)"

The following examples illustrate how MyProxy regular expressions are converted to POSIX EREs. Bracket expressions pass through unchanged, so a POSIX character class must be written inside one ([[:alnum:]], not a bare [:alnum:], which ERE implementations either reject or read as a plain bracket expression of the characters ':', 'a', 'l', 'n', 'u' and 'm'):


[ MyProxy regex ] => [ POSIX ERE ]
------------------------------------------------------------
"*/CN=Jim Basney" => "^(.*/CN=Jim Basney)$"
"*/CN=Test User ?" => "^(.*/CN=Test User .)$"
"*/CN=James A. Basney" => "^(.*/CN=James A\. Basney)$"
"/O=Test/CN=[[:alnum:]]\*" => "^(/O=Test/CN=[[:alnum:]]*)$"
"*/CN=Jim Basney|*/CN=James Basney" => "^(.*/CN=Jim Basney|.*/CN=James Basney)$"
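As an added example (not MyProxy source), the following POSIX shell implements the conversion rules above and uses them to evaluate the authorized_retrievers / default_retrievers / per-credential combination described in the access control section, so a policy line can be checked against a client DN before it is deployed. It assumes grep -E provides POSIX EREs and that DNs are given in OpenSSL one line format.

```shell
#!/bin/sh
# Added example, not MyProxy code: MyProxy regex -> POSIX ERE conversion per
# the table above, plus a retrieval-policy evaluator built on it. Assumes
# grep -E implements POSIX EREs.

# myproxy_regex_to_ere PATTERN -> prints the anchored POSIX ERE.
myproxy_regex_to_ere() {
    rest=$1
    out=''
    esc=0
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}        # first character of $rest
        rest=${rest#?}
        if [ "$esc" -eq 1 ]; then
            case $c in
                '*'|'?'|'.') out="$out$c" ;;    # \* \? \. become ERE metacharacters
                *)           out="$out\\$c" ;;  # other escapes, e.g. \( , pass through
            esac
            esc=0
            continue
        fi
        case $c in
            '\') esc=1 ;;
            '*') out="$out.*" ;;
            '?') out="$out." ;;
            '.') out="$out\\." ;;
            *)   out="$out$c" ;;
        esac
    done
    if [ "$esc" -eq 1 ]; then
        out="$out\\"                  # a trailing lone backslash is kept as-is
    fi
    printf '^(%s)$' "$out"            # full-DN match, as myproxy-server wraps it
}

# dn_matches PATTERN DN -> 0 if DN matches the MyProxy regex PATTERN.
dn_matches() {
    ere=$(myproxy_regex_to_ere "$1")
    printf '%s\n' "$2" | grep -E -q -e "$ere"
}

# may_retrieve AUTHORIZED CRED_POLICY DEFAULT DN -> 0 if DN passes the
# server-wide authorized_retrievers policy AND the per-credential policy
# (CRED_POLICY if the uploader set one, otherwise DEFAULT, i.e. default_retrievers).
may_retrieve() {
    dn_matches "$1" "$4" || return 1
    if [ -n "$2" ]; then
        dn_matches "$2" "$4"
    else
        dn_matches "$3" "$4"
    fi
}
```

Because the ERE is anchored with ^( and )$, a pattern that matches an identity DN does not match a DN with extra trailing components; when in doubt, run dn_matches against the exact DN string the server will see.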

EXAMPLES

The following policy enables all credential repository features.

accepted_credentials "*"

authorized_retrievers "*"

default_retrievers "*"

authorized_renewers "*"

default_renewers "none"

authorized_key_retrievers "*"

default_key_retrievers "none"

trusted_retrievers "*"

default_trusted_retrievers "none"

cert_dir /etc/grid-security/certificates

The following enables CA functionality using an existing Globus SimpleCA configuration.

authorized_retrievers "*"

pam "sufficient"

sasl "sufficient"

certificate_issuer_cert /home/globus/.globus/simpleCA/cacert.pem

certificate_issuer_key /home/globus/.globus/simpleCA/private/cakey.pem

certificate_issuer_key_passphrase "myproxy"

certificate_serialfile /home/globus/.globus/simpleCA/serial

certificate_mapfile /etc/grid-security/grid-mapfile

cert_dir /etc/grid-security/certificates

FILES

/etc/myproxy-server.config
Default location for the server configuration file.
$GLOBUS_LOCATION/etc/myproxy-server.config
Alternate location for the server configuration file. A different location can be specified by using the myproxy-server(8) -c option.
$GLOBUS_LOCATION/share/myproxy/myproxy-passphrase-policy
A sample program for evaluating passphrase quality, for use with the passphrase_policy_program option.
$GLOBUS_LOCATION/share/myproxy/myproxy-certificate-mapapp
A sample certificate_mapapp program for mapping account names to certificate subject distinguished names.
$GLOBUS_LOCATION/share/myproxy/myproxy-accepted-credentials-mapapp
A sample accepted_credentials_mapapp program for authorizing puts/stores (e.g. with myproxy-init(1) and myproxy-store(1)).

ENVIRONMENT

GLOBUS_LOCATION
Specifies the root of the MyProxy installation, used to find the default location of the myproxy-server.config file.

AUTHORS

See http://grid.ncsa.illinois.edu/myproxy/about for the list of MyProxy authors.

SEE ALSO

myproxy-change-pass-phrase(1), myproxy-destroy(1), myproxy-get-trustroots(1), myproxy-info(1), myproxy-init(1), myproxy-logon(1), myproxy-retrieve(1), myproxy-store(1), myproxy-admin-adduser(8), myproxy-admin-change-pass(8), myproxy-admin-load-credential(8), myproxy-admin-query(8), myproxy-server(8)

2014-07-12 MyProxy