Home -> Toolkit -> Docs -> Development -> 3.9.4 -> Security -> Myproxy -> Admin

GT 3.9.4 MyProxy: System Administrator's Guide

• Introduction
• Building and Installing
• Configuring
• Deploying
• Testing
• Security Considerations
• Troubleshooting

Introduction

The MyProxy service allows your users to retrieve proxy credentials for Globus Toolkit authentication with a username and passphrase. A typical MyProxy configuration has one dedicated myproxy-server for the site, with MyProxy clients installed on all systems where other Globus Toolkit client software is installed.

Building and Installing

Please refer to the Globus Toolkit System Administrator's Guide for installation instructions. No extra installation steps are required for MyProxy.

Configuring

Information on configuration settings and environment variables can be found in the public interface guide.

No additional configuration is required to use MyProxy clients after they are installed, though you may want to set the MYPROXY_SERVER environment variable to the hostname of your myproxy-server in the default user environment on your systems. Information for configuring the myproxy-server follows.

Configuring a MyProxy Server Installation

You should choose a well-protected host to run the myproxy-server on. Consult with security-aware personnel at your site. You want a host that is secured to the level of a Kerberos KDC, that has limited user access, runs limited services, and is well monitored and maintained in terms of security patches.

For a typical myproxy-server installation, the host on which the myproxy-server is running must have /etc/grid-security created and a host certificate installed. In this case, the myproxy-server will run as root so it can access the host certificate and key.

Next, modify $GLOBUS_LOCATION/etc/myproxy-server.config to configure the MyProxy server. If you skip this step, your myproxy-server will not accept any requests. The default configuration does not enable any myproxy-server features to provide the greatest security until you have configured your server. To enable all myproxy-server features, uncomment to provided sample policy at the top of the myproxy-server.config config file, as follows:

#
# Complete Sample Policy
#
# The following lines define a sample policy that enables all
# myproxy-server features. See below for more examples.
accepted_credentials "*"
authorized_retrievers "*"
default_retrievers "*"
authorized_renewers "*"
default_renewers "none"

If you have root access, you can copy your myproxy-server.config file to /etc/myproxy-server.config so it is not overwritten by later installations.

Deploying

A sample SysV-style boot script for MyProxy is installed at $GLOBUS_LOCATION/share/myproxy/etc.init.d.myproxy. To install on Linux, copy the file to /etc/rc.d/init.d/myproxy and run 'chkconfig --add myproxy'. You will need to edit the file to set the GLOBUS_LOCATION environment variable correctly.

Alternatively, to run the myproxy server out of inetd or xinetd, you need to do the following as root:

• Add the entries in $GLOBUS_LOCATION/share/myproxy/etc.services.modifications to the /etc/services or /etc/inet/services file.
• Add the entries in $GLOBUS_LOCATION/share/myproxy/etc.inetd.conf.modifications to /etc/inetd.conf or /etc/inet/inetd.conf, or copy $GLOBUS_LOCATION/share/myproxy/etc.xinetd.myproxy to /etc/xinetd.d/myproxy. You'll need to modify the paths in the file according to your installation.
• Reactivate the inetd (or xinetd). This is typically accomplished by sending the SIGHUP signal to the daemon. Refer to the inetd or xinetd man page for your system.

Testing

To verify your myproxy-server installation and configuration, you can run the myproxy-server directly from your shell. If using a host certificate, you will need to run the myproxy-server as root. First, make sure your Globus environment is setup in your shell. Set the GLOBUS_LOCATION environment variable to the location of your MyProxy installation. Then, depending on your shell, run one of the following commands.

For csh shells:

source $GLOBUS_LOCATION/etc/globus-user-env.csh

For sh shells:

. $GLOBUS_LOCATION/etc/globus-user-env.sh

Then, run $GLOBUS_LOCATION/sbin/myproxy-server -d. The -d argument runs the myproxy-server in debug mode. It will write debugging messages to the terminal and exit after servicing a single request. You'll need to start it once for each test request. In another shell, you can run the MyProxy client programs to test the server.

If run without the -d argument, the myproxy-server program will start up and background itself. It accepts connections on TCP port 7512, forking off a separate child to handle each incoming connection. It logs information via the syslog service under the daemon facility.

Security Considerations

[describe security considerations relevant for this component]

Troubleshooting

Please refer to the Troubleshooting section of the User's Guide.