Context Navigation

source: TI12-security/trunk/documentation/InstallationGuide/html/NDGSecurityInstallationGuide.html @ 2921

Subversion URL: http://proj.badc.rl.ac.uk/svn/ndg/TI12-security/trunk/documentation/InstallationGuide/html/NDGSecurityInstallationGuide.html@2921

Revision 2921, 179.0 KB checked in by pjkersha, 13 years ago (diff)
HTML version of installation guide.

Line
1	<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
2	<HTML>
3	<HEAD>
4	<META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=utf-8">
5	<TITLE>NDG Security Installation Guide</TITLE>
6	<META NAME="GENERATOR" CONTENT="OpenOffice.org 2.0 (Linux)">
7	<META NAME="AUTHOR" CONTENT="P J Kershaw">
8	<META NAME="CREATED" CONTENT="20071003;15320000">
9	<META NAME="CHANGEDBY" CONTENT="Authorised User">
10	<META NAME="CHANGED" CONTENT="20071003;15480000">
11	<STYLE TYPE="text/css">
12	<!--
13	@page { size: 21cm 29.7cm; margin-right: 2.29cm; margin-top: 1.27cm; margin-bottom: 1.27cm }
14	@page:first { margin-top: 1.27cm; margin-bottom: 2.54cm }
15	P { margin-bottom: 0.42cm; direction: ltr; color: #000000; text-align: left; widows: 2; orphans: 2 }
16	P.western { font-family: "Helvetica", sans-serif; font-size: 10pt; so-language: en-GB }
17	P.cjk { font-family: "Times New Roman", "Times", serif; font-size: 10pt }
18	P.ctl { font-family: "Times New Roman", "Times", serif; font-size: 10pt; so-language: ar-SA }
19	H1 { margin-bottom: 0.42cm; direction: ltr; color: #000000; text-align: justify; widows: 2; orphans: 2; page-break-before: always }
20	H1.western { font-family: "Helvetica", sans-serif; font-size: 10pt; so-language: en-GB }
21	H1.cjk { font-family: "Times New Roman", "Times", serif; font-size: 10pt }
22	H1.ctl { font-family: "Times New Roman", "Times", serif; font-size: 10pt; so-language: ar-SA; font-weight: medium }
23	H2 { margin-left: 0.1cm; margin-top: 0cm; margin-bottom: 0.42cm; direction: ltr; color: #000000; text-align: left; widows: 2; orphans: 2 }
24	H2.western { font-family: "Helvetica", sans-serif; font-size: 10pt; so-language: en-GB }
25	H2.cjk { font-family: "Times New Roman", "Times", serif; font-size: 10pt }
26	H2.ctl { font-family: "Times New Roman", "Times", serif; font-size: 10pt; so-language: ar-SA; font-weight: medium }
27	H3 { margin-top: 0cm; margin-bottom: 0.42cm; direction: ltr; color: #000000; text-align: justify; widows: 2; orphans: 2 }
28	H3.western { font-family: "Helvetica", sans-serif; font-size: 10pt; so-language: en-GB; font-style: italic }
29	H3.cjk { font-family: "Times New Roman", "Times", serif; font-size: 10pt; font-style: italic }
30	H3.ctl { font-family: "Times New Roman", "Times", serif; font-size: 10pt; so-language: ar-SA; font-weight: medium }
31	H4 { margin-top: 0cm; margin-bottom: 0.42cm; direction: ltr; color: #000000; text-align: justify; widows: 2; orphans: 2 }
32	H4.western { font-family: "Helvetica", sans-serif; font-size: 10pt; so-language: en-GB; font-style: italic; font-weight: medium }
33	H4.cjk { font-family: "Times New Roman", "Times", serif; font-size: 10pt; font-style: italic; font-weight: medium }
34	H4.ctl { font-family: "Times New Roman", "Times", serif; font-size: 10pt; so-language: ar-SA; font-weight: medium }
35	A:link { color: #0000ff }
36	A:visited { color: #800080 }
37	-->
38	</STYLE>
39	</HEAD>
40	<BODY LANG="en-GB" TEXT="#000000" LINK="#0000ff" VLINK="#800080" DIR="LTR">
41	<DIV TYPE=HEADER>
42	<P ALIGN=JUSTIFY STYLE="margin-bottom: 1.17cm"><BR><BR>
43	</P>
44	</DIV>
45	<P ALIGN=LEFT><BR><BR>
46	</P>
47	<P ALIGN=LEFT><BR><BR>
48	</P>
49	<P ALIGN=LEFT><SPAN ID="Frame1" DIR="LTR" STYLE="float: left; width: 12.96cm; height: 4.77cm; border: none; padding: 0cm; background: #ffffff">
50	<P ALIGN=RIGHT><FONT SIZE=6 STYLE="font-size: 28pt"><B>NERC Data
51	Grid Security</B></FONT></P>
52	<P ALIGN=RIGHT><FONT SIZE=6><B>Installation Guide</B></FONT></P>
53	<P ALIGN=RIGHT><FONT SIZE=3><B>Version 0.7</B></FONT></P>
54	</SPAN><BR><BR>
55	</P>
56	<P ALIGN=LEFT STYLE="page-break-before: always"><FONT SIZE=4 STYLE="font-size: 16pt"><B>Document
57	Log</B></FONT></P>
58	<TABLE WIDTH=627 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
59	<COL WIDTH=194>
60	<COL WIDTH=195>
61	<COL WIDTH=195>
62	<TR VALIGN=TOP>
63	<TD WIDTH=194 BGCOLOR="#d9d9d9">
64	<P ALIGN=JUSTIFY><B>Version Number</B></P>
65	</TD>
66	<TD WIDTH=195 BGCOLOR="#d9d9d9">
67	<P CLASS="western" ALIGN=JUSTIFY><B>Date</B></P>
68	</TD>
69	<TD WIDTH=195 BGCOLOR="#d9d9d9">
70	<P CLASS="western" ALIGN=JUSTIFY><B>Comment</B></P>
71	</TD>
72	</TR>
73	<TR VALIGN=TOP>
74	<TD WIDTH=194>
75	<P ALIGN=JUSTIFY>0.1</P>
76	</TD>
77	<TD WIDTH=195>
78	<P CLASS="western" ALIGN=JUSTIFY>04/11/05</P>
79	</TD>
80	<TD WIDTH=195>
81	<P CLASS="western" ALIGN=JUSTIFY>First Draft</P>
82	</TD>
83	</TR>
84	<TR VALIGN=TOP>
85	<TD WIDTH=194>
86	<P ALIGN=JUSTIFY>0.2</P>
87	</TD>
88	<TD WIDTH=195>
89	<P CLASS="western" ALIGN=JUSTIFY>21/02//06</P>
90	</TD>
91	<TD WIDTH=195>
92	<P CLASS="western" ALIGN=JUSTIFY>Draft for installation at NOCS</P>
93	</TD>
94	</TR>
95	<TR VALIGN=TOP>
96	<TD WIDTH=194>
97	<P ALIGN=JUSTIFY>0.3</P>
98	</TD>
99	<TD WIDTH=195>
100	<P CLASS="western" ALIGN=JUSTIFY>07/04/06</P>
101	</TD>
102	<TD WIDTH=195>
103	<P CLASS="western" ALIGN=JUSTIFY>Updates following installation at
104	NOCS</P>
105	</TD>
106	</TR>
107	<TR VALIGN=TOP>
108	<TD WIDTH=194>
109	<P ALIGN=JUSTIFY>0.4</P>
110	</TD>
111	<TD WIDTH=195>
112	<P CLASS="western" ALIGN=JUSTIFY>25/07/06</P>
113	</TD>
114	<TD WIDTH=195>
115	<P CLASS="western" ALIGN=JUSTIFY>Include deployment model and
116	details about SysV style init scripts for web services.</P>
117	</TD>
118	</TR>
119	<TR VALIGN=TOP>
120	<TD WIDTH=194>
121	<P ALIGN=JUSTIFY>0.5</P>
122	</TD>
123	<TD WIDTH=195>
124	<P CLASS="western" ALIGN=JUSTIFY>16/01/07</P>
125	</TD>
126	<TD WIDTH=195>
127	<P CLASS="western" ALIGN=JUSTIFY>Instructions for installation of
128	python packages and associated C library dependencies from source
129	and corrections for MyProxy installation.</P>
130	<P CLASS="western" ALIGN=JUSTIFY>Installation instructions apply
131	to NDG-Security Post Alpha release 0.72.</P>
132	</TD>
133	</TR>
134	<TR VALIGN=TOP>
135	<TD WIDTH=194>
136	<P ALIGN=JUSTIFY>0.6</P>
137	</TD>
138	<TD WIDTH=195>
139	<P CLASS="western" ALIGN=JUSTIFY>17/08/07</P>
140	</TD>
141	<TD WIDTH=195>
142	<P CLASS="western" ALIGN=JUSTIFY>Updated for NDG Beta release.
143	</P>
144	<UL>
145	<LI><P CLASS="western" ALIGN=JUSTIFY>Installation of python
146	packages is now via distutils eggs.
147	</P>
148	<LI><P CLASS="western" ALIGN=JUSTIFY>Python services use Twisted.</P>
149	</UL>
150	</TD>
151	</TR>
152	<TR VALIGN=TOP>
153	<TD WIDTH=194>
154	<P ALIGN=JUSTIFY>0.7</P>
155	</TD>
156	<TD WIDTH=195>
157	<P CLASS="western" ALIGN=JUSTIFY>03/10/07</P>
158	</TD>
159	<TD WIDTH=195>
160	<P CLASS="western" ALIGN=JUSTIFY>Tidied headers for creation of
161	HTML version</P>
162	</TD>
163	</TR>
164	</TABLE>
165	<P ALIGN=LEFT STYLE="page-break-before: always"><FONT SIZE=4 STYLE="font-size: 16pt"><B>Contents</B></FONT></P>
166	<DIV ID="Table of Contents1" DIR="LTR">
167	<P ALIGN=JUSTIFY><A HREF="#1. References\|outline">1. References 5</A></P>
168	<P ALIGN=JUSTIFY><A HREF="#2.Introduction\|outline">2. Introduction 5</A></P>
169	<P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#2.1.Pre-requisites \|outline">2.1
170	Pre-requisites 5</A></P>
171	<P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#2.2.Deployment Model\|outline">2.2
172	Deployment Model 5</A></P>
173	<P ALIGN=JUSTIFY><A HREF="#3.Software Installation Components\|outline">3.
174	Software Installation Components 8</A></P>
175	<P ALIGN=JUSTIFY><A HREF="#4.Installation\|outline">4. Installation 9</A></P>
176	<P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.1.Python Packages\|outline">4.1
177	Python Packages 9</A></P>
178	<P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.1.1.distutils\|outline">4.1.1
179	distutils 9</A></P>
180	<P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.1.2.NDG Security Packages\|outline">4.1.2
181	NDG Security Packages 9</A></P>
182	<P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.2.NDG Web Services Configuration\|outline">4.2
183	NDG Web Services Configuration 10</A></P>
184	<P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.2.1.NDG Security System Configuration Directory\|outline">4.2.1
185	NDG Security System Configuration Directory 10</A></P>
186	<P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.2.2.Certificate Generation\|outline">4.2.2
187	Certificate Generation 10</A></P>
188	<P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.3.Session Manager Configuration\|outline">4.3
189	Session Manager Configuration 11</A></P>
190	<P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.3.1.Session Manager Credential Repository\|outline">4.3.1
191	Session Manager Credential Repository 11</A></P>
192	<P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.3.2.Session Manager Properties File Settings\|outline">4.3.2
193	Session Manager Properties File Settings 12</A></P>
194	<P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.3.3.Twisted Python server .tac file\|outline">4.3.3
195	Twisted Python server .tac file 15</A></P>
196	<P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.3.4.SysV-style Boot Script\|outline">4.3.4
197	SysV-style Boot Script 15</A></P>
198	<P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.4.Attribute Authority Configuration\|outline">4.4
199	Attribute Authority Configuration 16</A></P>
200	<P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.4.1.Attribute Authority Properties File Settings\|outline">4.4.1
201	Attribute Authority Properties File Settings 16</A></P>
202	<P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.4.2.User Roles Interface\|outline">4.4.2
203	User Roles Interface 17</A></P>
204	<P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.4.3.Role Mapping\|outline">4.4.3
205	Role Mapping 18</A></P>
206	<P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.4.4.Twisted Python server .tac file\|outline">4.4.4
207	Twisted Python server .tac file 18</A></P>
208	<P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.4.5.SysV-style Boot Script\|outline">4.4.5
209	SysV-style Boot Script 18</A></P>
210	<P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.5.Python Unit Tests\|outline">4.5
211	Python Unit Tests 19</A></P>
212	<P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.6.Globus MyProxy\|outline">4.6
213	Globus MyProxy 19</A></P>
214	<P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.6.1.MyProxy and NDG Security Background\|outline">4.6.1
215	MyProxy and NDG Security Background 19</A></P>
216	<P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.6.2.MyProxy user account and the repository location considerations\|outline">4.6.2
217	MyProxy user account and the repository location considerations 19</A></P>
218	<P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.6.3.Build Process\|outline">4.6.3
219	Build Process 20</A></P>
220	<P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.6.4.NDG SimpleCA Client Package \|outline">4.6.4
221	NDG SimpleCA Client Package 21</A></P>
222	<P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.6.5.Host Certificate Creation\|outline">4.6.5
223	Host Certificate Creation 23</A></P>
224	<P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.6.6.MyProxy Configuration File\|outline">4.6.6
225	MyProxy Configuration File 23</A></P>
226	<P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.6.7.Repository Directory\|outline">4.6.7
227	Repository Directory 24</A></P>
228	<P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.6.8.Adding MyProxy Server to the system start up\|outline">4.6.8
229	Adding MyProxy Server to the system start up 24</A></P>
230	<P ALIGN=JUSTIFY><A HREF="#5.Appendices\|outline">5. Appendices 26</A></P>
231	<P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#5.1.MySQL Installation\|outline">5.1
232	MySQL Installation 26</A></P>
233	<P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.1.1.Version\|outline">5.1.1
234	Version 26</A></P>
235	<P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.1.2.Getting the Binaries\|outline">5.1.2
236	Getting the Binaries 26</A></P>
237	<P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.1.3.New mysql User Account\|outline">5.1.3
238	New mysql User Account 26</A></P>
239	<P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.1.4.Unpacking the tarball\|outline">5.1.4
240	Unpacking the tarball 26</A></P>
241	<P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.1.5.Configuration File\|outline">5.1.5
242	Configuration File 27</A></P>
243	<P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.1.6.Create the Grant Tables\|outline">5.1.6
244	Create the Grant Tables 27</A></P>
245	<P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.1.7.File and Directory Permissions\|outline">5.1.7
246	File and Directory Permissions 28</A></P>
247	<P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.1.8.Starting the Server\|outline">5.1.8
248	Starting the Server 28</A></P>
249	<P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.1.9.Securing MySQL Accounts\|outline">5.1.9
250	Securing MySQL Accounts 28</A></P>
251	<P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.1.10.Server Automated Start up\|outline">5.1.10
252	Server Automated Start up 29</A></P>
253	<P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#5.2.HTTPS set-up with Apache Web Server\|outline">5.2
254	HTTPS set-up with Apache Web Server 29</A></P>
255	<P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.1.Web Server Host Certificate Generation\|outline">5.2.1
256	Web Server Host Certificate Generation 29</A></P>
257	<P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.2.Apache Configuration File Settings\|outline">5.2.2
258	Apache Configuration File Settings 29</A></P>
259	<P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#5.3.Apache Web Server Proxy Settings Configuration for Web Services\|outline">5.3
260	Apache Web Server Proxy Settings Configuration for Web Services 30</A></P>
261	<P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#5.4.An Example Attribute Authority AAUserRoles interface class\|outline">5.4
262	An Example Attribute Authority AAUserRoles interface class 31</A></P>
263	<P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#5.5.Troubleshooting\|outline">5.5
264	Troubleshooting 34</A></P>
265	<P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.5.1.M2Crypto SWIG Build Error\|outline">5.5.1
266	M2Crypto SWIG Build Error 34</A></P>
267	<P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.5.2.PyXML\|outline">5.5.2
268	PyXML 35</A></P>
269	<P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.5.3.4Suite-XML Build error\|outline">5.5.3
270	4Suite-XML Build error 35</A></P>
271	</DIV>
272	<H1 CLASS="western"><A NAME="1. References\|outline"></A>1. References</H1>
273	<OL>
274	<LI><P CLASS="western" ALIGN=JUSTIFY><FONT COLOR="#0000ff"><U><A HREF="http://grid.ncsa.uiuc.edu/myproxy/"><SPAN LANG="fi-FI">http://grid.ncsa.uiuc.edu/myproxy/</SPAN></A></U></FONT><SPAN LANG="fi-FI">
275	- NCSA MyProxy site</SPAN></P>
276	<LI><P CLASS="western" ALIGN=JUSTIFY><FONT COLOR="#0000ff"><U><A HREF="http://grid.ncsa.uiuc.edu/myproxy/fromscratch.html"><SPAN LANG="fr-FR">http://grid.ncsa.uiuc.edu/myproxy/fromscratch.html</SPAN></A></U></FONT><SPAN LANG="fr-FR">
277	- NCSA MyProxy installation instructions</SPAN></P>
278	<LI><P CLASS="western" ALIGN=JUSTIFY><FONT COLOR="#0000ff"><U><A HREF="http://www-unix.globus.org/toolkit/docs/4.0/security/">http://www-unix.globus.org/toolkit/docs/4.0/security/</A></U></FONT>
279	- Globus 4.0 and Security</P>
280	<LI><P CLASS="western" ALIGN=LEFT><A NAME="_Ref132180158"></A>NDG
281	Security - Security Measures for Installation [v0.2, 7 September
282	2005],
283	<FONT COLOR="#0000ff"><U><A HREF="http://bscw.badc.rl.ac.uk/bscw/bscw.cgi/d77103/NDG%20Security%20-%20Security%20Measures%20for%20Installation">http://bscw.badc.rl.ac.uk/bscw/bscw.cgi/d77103/NDG%20Security%20-%20Security%20Measures%20for%20Installation</A></U></FONT></P>
284	</OL>
285	<H1 CLASS="western" STYLE="page-break-before: auto; page-break-after: auto"><A NAME="2.Introduction\|outline"></A>
286	2.Introduction</H1>
287	<P CLASS="western" ALIGN=JUSTIFY>This is a guide for system
288	administrators and developers deploying NDG security at a data
289	centre.</P>
290	<H2 CLASS="western"><A NAME="2.1.Pre-requisites \|outline"></A>2.1Pre-requisites
291	</H2>
292	<UL>
293	<LI><P CLASS="western" ALIGN=JUSTIFY>For NDG Security Web Services:
294	a host running RedHat Enterprise AS4 or later is recommended. Other
295	Linux distributions may also be suitable.</P>
296	<LI><P CLASS="western" ALIGN=JUSTIFY>For MyProxy: a separate host
297	machine (See MyProxy for details of operating systems supported).
298	The host must be secure: if possible a dedicated machine with
299	minimal other services running on it. It should be kept up to date
300	with patches and system logs monitored regularly.</P>
301	<LI><P CLASS="western" ALIGN=JUSTIFY>MyProxy and Security web
302	services hosts must be configured to link with an NTP server to
303	enable clocks to be synchronised with security services running at
304	other NDG sites.</P>
305	<LI><P CLASS="western" ALIGN=JUSTIFY>Access to a web server if
306	security for web based applications is required. The web server
307	must be able to be configured to support HTTPS.</P>
308	<LI><P CLASS="western" ALIGN=JUSTIFY>[MySQL 3.23 or greater or
309	Postgres â these are optional and are required for the NDG
310	CredentialRepository only]</P>
311	<LI><P CLASS="western" ALIGN=JUSTIFY>Python 2.4 or later</P>
312	<LI><P CLASS="western" ALIGN=JUSTIFY>Python distutils utility</P>
313	<LI><P CLASS="western" ALIGN=JUSTIFY>OpenSSL is required at version
314	0.9.8 or greater</P>
315	</UL>
316	<P CLASS="western" ALIGN=JUSTIFY STYLE="margin-left: 0.64cm">Also
317	note document NDG <I>Security - Security Measures for Installation</I>
318	(see Ref 1above).</P>
319	<H2 CLASS="western"><A NAME="2.2.Deployment Model\|outline"></A>2.2Deployment
320	Model</H2>
321	<P CLASS="western" ALIGN=JUSTIFY>The following diagram gives an
322	example deployment configuration for NDG security services.</P>
323	<P CLASS="western" ALIGN=JUSTIFY><IMG SRC="NDGSecurityInstallationGuide_html_m1b1d83c.png" NAME="graphics1" ALIGN=BOTTOM WIDTH=611 HEIGHT=614 BORDER=0></P>
324	<P CLASS="western" ALIGN=JUSTIFY>All services are positioned behind
325	the firewall. MyProxy is installed on a dedicated machine in order
326	to make its repository as secure as possible. Connections to MyProxy
327	may be made from the Session Manager web service only from within the
328	internal network.</P>
329	<P CLASS="western" ALIGN=JUSTIFY>In the above, security web services
330	are run together on the same host but this does not have to be the
331	case. They can be run on separate servers. Similarly, the web
332	server is on a separate host but could be run on the same machine as
333	the web services if it was felt to be appropriate.</P>
334	<P CLASS="western" ALIGN=JUSTIFY>In the above diagram Attribute
335	Authority accesses a user database. It is assumed that the target
336	site has a database to store user and user role/access right
337	information. This information neednât be stored by means of a
338	database and could be represented in some other way. It is for the
339	data provider to decide. Similarly, the Session Manager web service
340	interfaces with a Credential Repository. This is a database in the
341	above but could be some other kind of permanent store.</P>
342	<P CLASS="western" ALIGN=JUSTIFY>Databases are on a separate server
343	to the web services host. Web services access the databases over the
344	internal network.</P>
345	<P CLASS="western" ALIGN=JUSTIFY>Finally, the web services have ports
346	exposed in some way through the firewall to enable communication with
347	other NDG security web services at other sites.</P>
348	<H1 CLASS="western"><A NAME="3.Software Installation Components\|outline"></A>
349	3.Software Installation Components</H1>
350	<P CLASS="western" ALIGN=JUSTIFY>Python software is package using
351	distutils eggs. These are divided into separate components to suit
352	the particular installation required:</P>
353	<UL>
354	<LI><P CLASS="western" ALIGN=LEFT>ndg_security_server â components
355	required to run services</P>
356	<LI><P CLASS="western" ALIGN=LEFT>ndg_security_common â components
357	required by both server and common eggs</P>
358	<LI><P CLASS="western" ALIGN=LEFT>ndg_security_client â components
359	for building clients to NDG security services. For example, a data
360	providerâs web application server would these to enable the
361	securing of access to resources or an organisationâs Identity
362	provider would need these to authenticate and allocate authorisation
363	attributes to users.</P>
364	<LI><P CLASS="western" ALIGN=LEFT>ndg_security_test â unit tests
365	for all components</P>
366	<LI><P CLASS="western" ALIGN=LEFT>ndg_security â install all:
367	client, server and common components</P>
368	</UL>
369	<P CLASS="western" ALIGN=JUSTIFY>Eggs rely on the distutils
370	easy_install command to manage installation but NDG security uses an
371	additional script ndg_security_install.py to install eggs and carry
372	out the additional installation tasks to correctly configure the
373	software.</P>
374	<P CLASS="western" ALIGN=JUSTIFY>The following additional packages
375	are required:</P>
376	<UL>
377	<LI><P CLASS="western" ALIGN=JUSTIFY>Globus MyProxy 4.0.1 (or later)
378	â source installer tar ball may be downloaded from the Globus
379	site (<FONT COLOR="#0000ff"><U><A HREF="http://www.globus.org/toolkit/downloads/4.0.1/">http://www.globus.org/toolkit/downloads/4.0.1/</A></U></FONT>)</P>
380	<LI><P CLASS="western" ALIGN=JUSTIFY>NDG SimpleCA client package tar
381	ball â configures target machine to trust the NDG CA.</P>
382	</UL>
383	<P CLASS="western" ALIGN=JUSTIFY STYLE="margin-left: 0.64cm">These
384	two packages should be installed on the target host for MyProxy.</P>
385	<H1 CLASS="western"><A NAME="4.Installation\|outline"></A>4.Installation</H1>
386	<P CLASS="western" ALIGN=JUSTIFY>This section is divided into the
387	Python installation and MyProxy. Note that you will almost certainly
388	wish to install MyProxy on a separate secure server to the other
389	Python based security services.</P>
390	<H2 CLASS="western"><A NAME="4.1.Python Packages\|outline"></A>4.1Python
391	Packages</H2>
392	<P CLASS="western" ALIGN=JUSTIFY>Log in to the target host as <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">root</SPAN></FONT>.
393	Change to a suitable directory to hold temporary installation files.
394
395	</P>
396	<H3 CLASS="western"><A NAME="4.1.1.distutils\|outline"></A>4.1.1distutils</H3>
397	<P CLASS="western" ALIGN=JUSTIFY>The first step is to install Python
398	distutils, the package that enables the use of Python eggs. Download
399	the distutils bootstrap script:</P>
400	<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
401	<COL WIDTH=596>
402	<TR>
403	<TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6">
404	<P LANG="da-DK" STYLE="margin-bottom: 0cm"><BR>
405	</P>
406	<P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="da-DK">$
407	wget http://peak.telecommunity.com/dist/ez_setup.py</SPAN></FONT></P>
408	</TD>
409	</TR>
410	</TABLE>
411	<P CLASS="western" ALIGN=LEFT><BR><BR>
412	</P>
413	<P CLASS="western" ALIGN=JUSTIFY>You may need to set the environment
414	for a http proxy at your site. For example,</P>
415	<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
416	<COL WIDTH=596>
417	<TR>
418	<TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6">
419	<P STYLE="margin-bottom: 0cm"><BR>
420	</P>
421	<P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
422	export http_proxy=http://yourproxyurl.com:8080</FONT></P>
423	</TD>
424	</TR>
425	</TABLE>
426	<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
427	</P>
428	<P CLASS="western" ALIGN=JUSTIFY>Run the bootstrap script. Make sure
429	to use the correct version of python in your system path. Some
430	systems may have multiple python versions installed:</P>
431	<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
432	<COL WIDTH=596>
433	<TR>
434	<TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6">
435	<P STYLE="margin-bottom: 0cm"><BR>
436	</P>
437	<P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
438	python ez_setup.py</FONT></P>
439	</TD>
440	</TR>
441	</TABLE>
442	<H3 CLASS="western"></H3>
443	<P CLASS="western" ALIGN=JUSTIFY>Once completed, you can delete
444	ez_setup.py.</P>
445	<H3 CLASS="western"><A NAME="4.1.2.NDG Security Packages\|outline"></A>
446	4.1.2NDG Security Packages</H3>
447	<P CLASS="western" ALIGN=JUSTIFY>NDG security uses a wrapper to
448	distutils easy_install to enable custom installation steps to be
449	correctly carried out. Download the script from the NDG distribution
450	site:</P>
451	<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
452	<COL WIDTH=596>
453	<TR>
454	<TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6">
455	<P LANG="da-DK" STYLE="margin-bottom: 0cm"><BR>
456	</P>
457	<P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="da-DK">$
458	wget http://ndg.nerc.ac.uk/dist/ndg-security-install.py</SPAN></FONT></P>
459	</TD>
460	</TR>
461	</TABLE>
462	<P LANG="da-DK" CLASS="western" ALIGN=JUSTIFY><BR><BR>
463	</P>
464	<P CLASS="western" ALIGN=JUSTIFY>Now carry out the installation of
465	the NDG security python packages:</P>
466	<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
467	<COL WIDTH=596>
468	<TR>
469	<TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6">
470	<P STYLE="margin-bottom: 0cm"><BR>
471	</P>
472	<P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
473	python ./ndg-security-install.py -a</FONT></P>
474	</TD>
475	</TR>
476	</TABLE>
477	<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
478	</P>
479	<P CLASS="western" ALIGN=JUSTIFY>The script options can be checked
480	using the âh option. âa selects all packages for installation.
481	If there are problems with the installation, see the Troubleshooting
482	Guide in the Appendices section 5.5.</P>
483	<H2 CLASS="western"><A NAME="4.2.NDG Web Services Configuration\|outline"></A>
484	4.2NDG Web Services Configuration</H2>
485	<H3 CLASS="western"><A NAME="4.2.1.NDG Security System Configuration Directory\|outline"></A>
486	4.2.1NDG Security System Configuration Directory</H3>
487	<P CLASS="western" ALIGN=JUSTIFY>Properties files set the
488	configuration settings for NDG security <I>server side</I> settings.
489	Templates for these are contained within the ndg_security_server
490	installed in your python distributionâs site-packages directory.
491	A future version of the ndg-security-install.py script will extract
492	these and install at a suitable location on the file system. For the
493	moment though, this is a manual process.</P>
494	<P CLASS="western" ALIGN=JUSTIFY>Create a configuration area under
495	your servers /etc directory:</P>
496	<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
497	<COL WIDTH=596>
498	<TR>
499	<TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6">
500	<P STYLE="margin-bottom: 0cm"><BR>
501	</P>
502	<P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="da-DK">$
503	mkdir /etc/ndg<BR>$ mkdir /etc/ndg/security</SPAN></FONT></P>
504	</TD>
505	</TR>
506	</TABLE>
507	<P LANG="da-DK" CLASS="western" ALIGN=JUSTIFY><BR><BR>
508	</P>
509	<P CLASS="western" ALIGN=JUSTIFY>/etc/ndg/security is recognised by
510	the Python security software by the NDGSEC_DIR environment variable.
511	This variable can be set in the environment of the user account used
512	to run the security services or can be set in the init scripts used
513	to automatically start up the services from server boot up (See
514	sections 4.3.3).</P>
515	<P CLASS="western" ALIGN=JUSTIFY>Locate the ndg_security_server egg
516	and copy its conf/ directory into the configuration area. For
517	example if you are using python installed in /usr/local then the
518	conf/ directory will be in:</P>
519	<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
520	<COL WIDTH=596>
521	<TR>
522	<TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6">
523	<P STYLE="margin-bottom: 0cm"><BR>
524	</P>
525	<P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">/usr/local/lib/python<python
526	version num>/site-packages/ndg_security_server-<version
527	info>.egg/ndg/security/server/conf</FONT></P>
528	</TD>
529	</TR>
530	</TABLE>
531	<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
532	</P>
533	<P CLASS="western" ALIGN=JUSTIFY>Copy as follows:</P>
534	<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
535	<COL WIDTH=596>
536	<TR>
537	<TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6">
538	<P STYLE="margin-bottom: 0cm"><BR>
539	</P>
540	<P CLASS="western" ALIGN=LEFT>$ cp /usr/local/lib/python<python
541	version num>/site-packages/ndg_security_server-<version
542	info>.egg/ndg/security/server/conf /etc/ndg/security</P>
543	</TD>
544	</TR>
545	</TABLE>
546	<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
547	</P>
548	<P CLASS="western" ALIGN=JUSTIFY>The conf/ directory will containing
549	Session Manager and Attribute Authority properties XML files, certs/
550	directory for storing certificates and attCert/ directory for storing
551	Attribute Certificates issued by the Attribute Authority.</P>
552	<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
553	</P>
554	<H3 CLASS="western"><A NAME="4.2.2.Certificate Generation\|outline"></A>
555	4.2.2Certificate Generation</H3>
556	<P CLASS="western" ALIGN=JUSTIFY>The Session Manager and Attribute
557	Authority web services require individual X.509 certificates as a
558	means to identify them in the various interactions required for user
559	registration, authentication and authorisation. These may be created
560	by similar means to the host certificate creation.</P>
561	<P CLASS="western" ALIGN=JUSTIFY>Change directory to
562	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/conf/certs</SPAN></FONT>.
563	The certificates will be stored here. Make a new private key and
564	certificate request for the Session Manager:</P>
565	<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
566	<COL WIDTH=610>
567	<TR>
568	<TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
569	<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
570	</P>
571	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
572	openssl genrsa âout sm-key.pem 2048</FONT></P>
573	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
574	openssl req ânew âkey sm-key.pem âout sm.csr</FONT></P>
575	<P CLASS="western" ALIGN=LEFT><BR>
576	</P>
577	</TD>
578	</TR>
579	</TABLE>
580	<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
581	</P>
582	<P CLASS="western" ALIGN=JUSTIFY>The private key may be password
583	protected if required by adding the âdes3 option to the genrsa
584	command. Type in a password when prompted. The req command will
585	prompt you for the components of the Distinguished Name for the new
586	certificate. When prompted for the Common Name, enter
587	âSessionManagerâ. The other fields can be set as required but by
588	convention for NDG, the Organisation field has been set to NDG and
589	the Organisation Unit to the individual data provider name e.g. BADC.
590	All other fields have been omitted. You can skip individual fields
591	by enter â.â When prompted.</P>
592	<P CLASS="western" ALIGN=JUSTIFY>Forward the request file to the NDG
593	CA. The CA will issue a certificate file. Copy this file as
594	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/conf/certs/sm-cert.pem</SPAN></FONT>.<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">
595	</SPAN></FONT> The request<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">
596	</FONT>file can be deleted once a certificate has been obtained from
597	the CA.</P>
598	<P CLASS="western" ALIGN=JUSTIFY>Repeat this process for the
599	Attribute Authority, selecting âAttributeAuthorityâ for the
600	Common Name<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">.</SPAN></FONT></P>
601	<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
602	<COL WIDTH=610>
603	<TR>
604	<TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
605	<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
606	</P>
607	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
608	openssl genrsa âout aa-key.pem 2048</FONT></P>
609	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
610	openssl req ânew âkey aa-key.pem âout aa.csr</FONT></P>
611	<P CLASS="western" ALIGN=LEFT><BR>
612	</P>
613	</TD>
614	</TR>
615	</TABLE>
616	<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
617	</P>
618	<P CLASS="western" ALIGN=JUSTIFY>It is recommended that the Session
619	Manager is run over https to keep user login credentials secured. A
620	server certificate and key will be required in addition to enable
621	this. These can be added to the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/conf/certs
622	directory and can be referenced by the Session Managerâs properties
623	file.</SPAN></FONT></P>
624	<P CLASS="western" ALIGN=JUSTIFY>A copy of the NDG Certificate
625	Authorityâs X.509 certificate is also required. Obtain this from
626	the NDG CA administrator and copy it into the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/conf/certs
627	</SPAN></FONT>directory.</P>
628	<H2 CLASS="western"><A NAME="4.3.Session Manager Configuration\|outline"></A>
629	4.3Session Manager Configuration</H2>
630	<P CLASS="western" ALIGN=JUSTIFY>Configuration parameters may be set
631	via a properties file. In addition, the SessionManager can
632	optionally make use of a Credential Repository database. This
633	enables the credentials that users acquire during a session to be
634	stored so that they may be retrieved. When installed, the default
635	configuration set in the Session Manager properties file is to <I>not</I>
636	use a Credential Repository. If this is the case, skip this
637	section.</P>
638	<H3 CLASS="western"><A NAME="_Ref156702859"></A><A NAME="4.3.1.Session Manager Credential Repository\|outline"></A>
639	4.3.1Session Manager Credential Repository</H3>
640	<P CLASS="western" ALIGN=JUSTIFY>Create the Credential Repository
641	database. In the example below a MySQL database is assumed. Notes
642	on installing MySQL are given in the Appendices section 5.1.
643	</P>
644	<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
645	<COL WIDTH=610>
646	<TR>
647	<TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
648	<P STYLE="margin-bottom: 0cm"><BR>
649	</P>
650	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
651	mysql âu root âp</FONT></P>
652	<P CLASS="western" ALIGN=JUSTIFY>mysql> create database
653	ndgCredRepos;</P>
654	<P><BR>
655	</P>
656	</TD>
657	</TR>
658	</TABLE>
659	<P CLASS="western" ALIGN=JUSTIFY><BR>Make use of the script
660	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">initCredReposDb.py</SPAN></FONT>
661	to create the tables. As the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">globus</SPAN></FONT>
662	user, run the script. Enter the password for the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndgUser</SPAN></FONT>
663	account when prompted and type <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">yes</SPAN></FONT>
664	to confirm creation of the tables:</P>
665	<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
666	<COL WIDTH=610>
667	<TR>
668	<TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
669	<P STYLE="margin-bottom: 0cm"><BR>
670	</P>
671	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
672	cd $NDGSEC_DIR/bin</FONT></P>
673	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
674	./initCredReposDb.py âu root</FONT></P>
675	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Database
676	password:</FONT></P>
677	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Are
678	you sure you want to initialise the database tables? (yes/no) yes</FONT></P>
679	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Tables
680	created</FONT></P>
681	<P STYLE="margin-bottom: 0cm"><BR>
682	</P>
683	<P><BR>
684	</P>
685	</TD>
686	</TR>
687	</TABLE>
688	<P CLASS="western" ALIGN=JUSTIFY><BR>To check that the tables have
689	been created, restart the database client:</P>
690	<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
691	<COL WIDTH=610>
692	<TR>
693	<TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
694	<P STYLE="margin-bottom: 0cm"><BR>
695	</P>
696	<P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm">$
697	mysql âu root âp âD ndgCredRepos</P>
698	<P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm">mysql>
699	show tables;</P>
700	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">+------------------------+</FONT></FONT></P>
701	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">\|
702	Tables_in_ndgCredRepos \|</FONT></FONT></P>
703	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">+------------------------+</FONT></FONT></P>
704	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">\|
705	UserCredential \|</FONT></FONT></P>
706	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">\|
707	UserID \|</FONT></FONT></P>
708	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">+------------------------+</FONT></FONT></P>
709	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">2
710	rows in set (0.00 sec)</FONT></FONT></P>
711	<P><BR>
712	</P>
713	</TD>
714	</TR>
715	</TABLE>
716	<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
717	</P>
718	<P CLASS="western" ALIGN=JUSTIFY>A separate account should be created
719	for the Session Manager to access the database. It should have
720	sufficient permissions to be able to read and write records. For
721	details of how to create an account in MySQL see the Appendices
722	section 5.1.9.</P>
723	<H3 CLASS="western"><A NAME="4.3.2.Session Manager Properties File Settings\|outline"></A>
724	4.3.2Session Manager Properties File Settings</H3>
725	<P CLASS="western" ALIGN=JUSTIFY>Edit <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">sessionMgrProperties.xml</SPAN></FONT>
726	in <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/conf</SPAN></FONT>
727	and modify the default settings:</P>
728	<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
729	<COL WIDTH=610>
730	<TR>
731	<TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
732	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><?xml
733	version="1.0" encoding="utf-8"?></FONT></FONT></P>
734	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><sessMgrProp></FONT></FONT></P>
735	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><portNum></portNum></FONT></FONT></P>
736	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><useSSL>Yes</useSSL>
737	<!-- leave blank to use http --></FONT></FONT></P>
738	<P STYLE="margin-bottom: 0cm">
739	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><sslCertFile>$NDGSEC_DIR/conf/certs/server-cert.pem</sslCertFile></FONT></FONT></P>
740	<P STYLE="margin-bottom: 0cm">
741	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><sslKeyFile>>$NDGSEC_DIR/conf/certs/server-key.pem
742	</sslKeyFile></FONT></FONT></P>
743	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><!--</FONT></FONT></P>
744	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">PKI
745	settings for signature of outbound SOAP messages</FONT></FONT></P>
746	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--></FONT></FONT></P>
747	<P STYLE="margin-bottom: 0cm">
748	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><useSignatureHandler>Yes</useSignatureHandler>
749	<!-- leave blank for no signature --></FONT></FONT></P>
750	<P STYLE="margin-bottom: 0cm">
751	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><certFile>>$NDGSEC_DIR/conf/certs/sm-cert.pem</certFile></FONT></FONT></P>
752	<P STYLE="margin-bottom: 0cm">
753	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><keyFile>>$NDGSEC_DIR/conf/certs/server-key.pem</keyFile></FONT></FONT></P>
754	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><keyPwd></keyPwd></FONT></FONT></P>
755	<P STYLE="margin-bottom: 0cm">
756	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><caCertFile>>$NDGSEC_DIR/conf/certs/cacert.pem</caCertFile></FONT></FONT></P>
757	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><!--
758	</FONT></FONT>
759	</P>
760	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">Set
761	the certificate used to verify the signature of messages from the </FONT></FONT>
762	</P>
763	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">client.
764	This can usually be left blank since the client is expected to </FONT></FONT>
765	</P>
766	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">include
767	the cert with the signature in the inbound SOAP message</FONT></FONT></P>
768	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--></FONT></FONT></P>
769	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><clntCertFile></clntCertFile>
770	</FONT></FONT>
771	</P>
772	<P STYLE="margin-bottom: 0cm">
773	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><sessMgrEncrKey></sessMgrEncrKey></FONT></FONT></P>
774	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><sessMgrURI></sessMgrURI></FONT></FONT></P>
775	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><cookieDomain></cookieDomain></FONT></FONT></P>
776	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><myProxyProp></FONT></FONT></P>
777	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> <!--
778	</FONT></FONT>
779	</P>
780	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> Delete
781	this element and take setting from MYPROXY_SERVER environment </FONT></FONT>
782	</P>
783	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> variable
784	if required</FONT></FONT></P>
785	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> --></FONT></FONT></P>
786	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> <hostname>ENTER
787	THE FULLY QUALIFIED HOSTNAME OF THE SERVER</hostname></FONT></FONT></P>
788	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> <!--
789	</FONT></FONT>
790	</P>
791	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> Delete
792	this element to take default setting 7512 or read </FONT></FONT>
793	</P>
794	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> <SPAN LANG="fr-FR">MYPROXY_SERVER_PORT
795	setting</SPAN></FONT></FONT></P>
796	<P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> --></FONT></FONT></P>
797	<P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> <port>7512</port></FONT></FONT></P>
798	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><SPAN LANG="fr-FR"> </SPAN><!--</FONT></FONT></P>
799	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> Useful
800	if hostname and certificate CN don't match correctly. Globus </FONT></FONT>
801	</P>
802	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> host
803	DN is set to "host/<fqdn>". Delete this element
804	and set from </FONT></FONT>
805	</P>
806	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> MYPROXY_SERVER_DN
807	environment variable if prefered</FONT></FONT></P>
808	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> <serverDN></serverDN></FONT></FONT></P>
809	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> --></FONT></FONT></P>
810	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> <!--</FONT></FONT></P>
811	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> Set
812	"host/" prefix to host cert CN as is default with globus</FONT></FONT></P>
813	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> --></FONT></FONT></P>
814	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> <serverCNprefix>host/</serverCNprefix> </FONT></FONT></P>
815	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> <!--</FONT></FONT></P>
816	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> This
817	directory path is used to locate the OpenSSL configuration file</FONT></FONT></P>
818	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> </FONT></FONT></P>
819	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> The
820	settings are used to set up the defaults for the Distinguished
821	Name of</FONT></FONT></P>
822	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> the
823	new proxy cert. issued </FONT></FONT>
824	</P>
825	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> </FONT></FONT></P>
826	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> GLOBUS_LOCATION
827	or GRID_SECURITY_DIR environment variables may be used</FONT></FONT></P>
828	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> but
829	the settings can be independent of any Globus installation</FONT></FONT></P>
830	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><BR> --></FONT></FONT></P>
831	<P STYLE="margin-bottom: 0cm">
832	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><girdSecurityDir>$NDGSEC_DIR/conf</gridSecurityDir></FONT></FONT></P>
833	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> <openSSLConfFileName>openssl.conf</openSSLConfFileName></FONT></FONT></P>
834	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> <tmpDir>/tmp</tmpDir></FONT></FONT></P>
835	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> <!--
836	</FONT></FONT>
837	</P>
838	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> Limit
839	on maximum lifetime any proxy certificate can have - </FONT></FONT>
840	</P>
841	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> specified
842	when a certificate is first created by store() method</FONT></FONT></P>
843	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> --></FONT></FONT></P>
844	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> <proxyCertMaxLifetime>24</proxyCertMaxLifetime>
845	<!-- in hours --></FONT></FONT></P>
846	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> <!--
847	</FONT></FONT>
848	</P>
849	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> Life
850	time of a proxy certificate when issued from the Proxy Server </FONT></FONT>
851	</P>
852	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> with
853	getDelegation() method</FONT></FONT></P>
854	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> --></FONT></FONT></P>
855	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> <proxyCertLifetime>8</proxyCertLifetime>
856	<!-- in hours --></FONT></FONT></P>
857	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> <SPAN LANG="fr-FR"><caCertFile>$NDGSEC_DIR/conf/certs/cacert.pem</caCertFile></SPAN></FONT></FONT></P>
858	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="fr-FR"><FONT SIZE=2 STYLE="font-size: 9pt"> </myProxyProp></FONT></SPAN></FONT></P>
859	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="fr-FR"><FONT SIZE=2 STYLE="font-size: 9pt"> <simpleCACltProp>
860	</FONT></SPAN></FONT>
861	</P>
862	<P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">
863	<uri></uri></FONT></FONT></P>
864	<P LANG="fr-FR" STYLE="margin-bottom: 0cm">
865	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><xmlSigKeyFile></xmlSigKeyFile></FONT></FONT></P>
866	<P LANG="fr-FR" STYLE="margin-bottom: 0cm">
867	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><xmlSigCertFile></xmlSigCertFile></FONT></FONT></P>
868	<P LANG="fr-FR" STYLE="margin-bottom: 0cm">
869	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><xmlSigCertPwd></xmlSigCertPwd></FONT></FONT></P>
870	<P LANG="fr-FR" STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"></simpleCACltProp></FONT></FONT></P>
871	<P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> <!--</FONT></FONT></P>
872	<P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> <simpleCASrvProp></FONT></FONT></P>
873	<P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">
874	<certExpiryDate></certExpiryDate></FONT></FONT></P>
875	<P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">
876	<certLifetimeDays></certLifetimeDays></FONT></FONT></P>
877	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="fr-FR"><FONT SIZE=2 STYLE="font-size: 9pt">
878	<certTmpDir></certTmpDir></FONT></SPAN></FONT></P>
879	<P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">
880	<caCertFile></caCertFile></FONT></FONT></P>
881	<P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">
882	<signExe></signExe></FONT></FONT></P>
883	<P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">
884	<path></path></FONT></FONT></P>
885	<P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> </simpleCASrvProp></FONT></FONT></P>
886	<P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> --></FONT></FONT></P>
887	<P LANG="fr-FR" STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><credReposProp></FONT></FONT></P>
888	<P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">
889	<modFilePath></modFilePath></FONT></FONT></P>
890	<P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">
891	<modName>ndg.security.common.CredWallet</modName></FONT></FONT></P>
892	<P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">
893	<className>NullCredRepos</className></FONT></FONT></P>
894	<P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">
895	<propFile></propFile></FONT></FONT></P>
896	<P LANG="fr-FR" STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"></credReposProp></FONT></FONT></P>
897	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"></sessMgrProp></FONT></FONT></P>
898	<P>
899	</P>
900	</TD>
901	</TR>
902	</TABLE>
903	<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
904	</P>
905	<P CLASS="western" ALIGN=JUSTIFY><B>Notes</B></P>
906	<UL>
907	<LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB"><FONT FACE="Helvetica, sans-serif">The
908	property file reading software will expand any environment variables
909	included in the file.</FONT></SPAN></FONT></P>
910	<LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB"><FONT FACE="Helvetica, sans-serif">Openssl.conf
911	file uses the standard OpenSSL configuration file format. It is
912	used by the Session Manager MyProxy client to formulate a
913	certificate request for a proxy certificate generated for a users
914	session when they login. An example is given below. The important
915	section to reference is </FONT>[ req_distinguished_name ]</SPAN></FONT></P>
916	</UL>
917	<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
918	</P>
919	<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
920	<COL WIDTH=610>
921	<TR>
922	<TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
923	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#</FONT></FONT></P>
924	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#
925	SSLeay example configuration file.</FONT></FONT></P>
926	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#
927	This is mostly being used for generation of certificate requests.</FONT></FONT></P>
928	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#</FONT></FONT></P>
929	<P STYLE="margin-bottom: 0cm"><BR>
930	</P>
931	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">RANDFILE
932	= $ENV::HOME/.rnd</FONT></FONT></P>
933	<P STYLE="margin-bottom: 0cm"><BR>
934	</P>
935	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">####################################################################</FONT></FONT></P>
936	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">[
937	ca ]</FONT></FONT></P>
938	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">default_ca
939	= CA_default # The default ca section</FONT></FONT></P>
940	<P STYLE="margin-bottom: 0cm"><BR>
941	</P>
942	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">####################################################################</FONT></FONT></P>
943	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">[
944	CA_default ]</FONT></FONT></P>
945	<P STYLE="margin-bottom: 0cm"><BR>
946	</P>
947	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">dir
948	= ./demoCA # Where everything is kept</FONT></FONT></P>
949	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">certs
950	= $dir/certs # Where the issued certs are
951	kept</FONT></FONT></P>
952	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">crl_dir
953	= $dir/crl # Where the issued crl are kept</FONT></FONT></P>
954	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">database
955	= $dir/index.txt # database index file.</FONT></FONT></P>
956	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">new_certs_dir
957	= $dir/newcerts # default place for new certs.</FONT></FONT></P>
958	<P STYLE="margin-bottom: 0cm"><BR>
959	</P>
960	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">certificate
961	= $dir/cacert.pem # The CA certificate</FONT></FONT></P>
962	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">serial
963	= $dir/serial # The current serial number</FONT></FONT></P>
964	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">crl
965	= $dir/crl.pem # The current CRL</FONT></FONT></P>
966	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">private_key
967	= $dir/private/cakey.pem# The private key</FONT></FONT></P>
968	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">RANDFILE
969	= $dir/private/.rand # private random number file</FONT></FONT></P>
970	<P STYLE="margin-bottom: 0cm"><BR>
971	</P>
972	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">x509_extensions
973	= x509v3_extensions # The extentions to add to the cert</FONT></FONT></P>
974	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">default_days
975	= 365 # how long to certify for</FONT></FONT></P>
976	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">default_crl_days=
977	365 # DEE 30 # how long before next CRL</FONT></FONT></P>
978	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">default_md
979	= md5 # which md to use.</FONT></FONT></P>
980	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">preserve
981	= no # keep passed DN ordering</FONT></FONT></P>
982	<P STYLE="margin-bottom: 0cm"><BR>
983	</P>
984	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#
985	A few difference way of specifying how similar the request should
986	look</FONT></FONT></P>
987	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#
988	For type CA, the listed attributes must be the same, and the
989	optional</FONT></FONT></P>
990	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#
991	and supplied fields are just that :-)</FONT></FONT></P>
992	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">policy
993	= policy_match</FONT></FONT></P>
994	<P STYLE="margin-bottom: 0cm"><BR>
995	</P>
996	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#
997	For the CA policy</FONT></FONT></P>
998	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">[
999	policy_match ]</FONT></FONT></P>
1000	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">countryName
1001	= optional</FONT></FONT></P>
1002	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">stateOrProvinceName
1003	= optional</FONT></FONT></P>
1004	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">organizationName
1005	= match</FONT></FONT></P>
1006	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">organizationalUnitName
1007	= optional</FONT></FONT></P>
1008	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">commonName
1009	= supplied</FONT></FONT></P>
1010	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">emailAddress
1011	= optional</FONT></FONT></P>
1012	<P STYLE="margin-bottom: 0cm"><BR>
1013	</P>
1014	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#
1015	For the 'anything' policy</FONT></FONT></P>
1016	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#
1017	At this point in time, you must list all acceptable 'object'</FONT></FONT></P>
1018	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#
1019	types.</FONT></FONT></P>
1020	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">[
1021	policy_anything ]</FONT></FONT></P>
1022	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">countryName
1023	= optional</FONT></FONT></P>
1024	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">stateOrProvinceName
1025	= optional</FONT></FONT></P>
1026	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">localityName
1027	= optional</FONT></FONT></P>
1028	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">organizationName
1029	= optional</FONT></FONT></P>
1030	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">organizationalUnitName
1031	= optional</FONT></FONT></P>
1032	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">commonName
1033	= supplied</FONT></FONT></P>
1034	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">emailAddress
1035	= optional</FONT></FONT></P>
1036	<P STYLE="margin-bottom: 0cm"><BR>
1037	</P>
1038	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">####################################################################</FONT></FONT></P>
1039	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">[
1040	req ]</FONT></FONT></P>
1041	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">default_bits
1042	= 1024</FONT></FONT></P>
1043	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">default_keyfile
1044	= privkey.pem</FONT></FONT></P>
1045	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">distinguished_name
1046	= req_distinguished_name</FONT></FONT></P>
1047	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">req_extensions
1048	= v3_req</FONT></FONT></P>
1049	<P STYLE="margin-bottom: 0cm"><BR>
1050	</P>
1051	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">[
1052	req_distinguished_name ]</FONT></FONT></P>
1053	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#
1054	BEGIN CONFIG</FONT></FONT></P>
1055	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">0.organizationName
1056	= Level 0 Organization</FONT></FONT></P>
1057	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">0.organizationName_default
1058	= NDG</FONT></FONT></P>
1059	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">0.organizationalUnitName
1060	= Level 0 Organizational Unit</FONT></FONT></P>
1061	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">0.organizationalUnitName_default
1062	= BADC</FONT></FONT></P>
1063	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#1.organizationalUnitName
1064	= Level 1 Organizational Unit</FONT></FONT></P>
1065	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#1.organizationalUnitName_default
1066	= localdomain</FONT></FONT></P>
1067	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">commonName
1068	= Name (e.g., John M. Smith)</FONT></FONT></P>
1069	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">commonName_max
1070	= 64</FONT></FONT></P>
1071	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#
1072	END CONFIG</FONT></FONT></P>
1073	<P STYLE="margin-bottom: 0cm"><BR>
1074	</P>
1075	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">[
1076	v3_req ]</FONT></FONT></P>
1077	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">nsCertType
1078	= objsign,email,server,client</FONT></FONT></P>
1079	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">basicConstraints
1080	= critical,CA:false</FONT></FONT></P>
1081	<P><BR>
1082	</P>
1083	</TD>
1084	</TR>
1085	</TABLE>
1086	<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
1087	</P>
1088	<H3 CLASS="western"><A NAME="4.3.3.Twisted Python server .tac file\|outline"></A>
1089	4.3.3Twisted Python server .tac file</H3>
1090	<P CLASS="western" ALIGN=JUSTIFY>Python security services use the
1091	Python Twisted package application server. A special .tac
1092	configuration file is loaded by the Twisted server. Copy this from
1093	the ndg_security_server to the NDG security conf/ area:</P>
1094	<TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1095	<COL WIDTH=602>
1096	<TR>
1097	<TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0">
1098	<P STYLE="margin-bottom: 0cm"><BR>
1099	</P>
1100	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1101	cp /usr/local/lib/python<python version
1102	num>/site-packages/ndg_security_server-<version
1103	info>.egg/ndg/security/server/server-config.tac<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">
1104	$NDGSEC_DIR/conf</SPAN></FONT></FONT></P>
1105	<P><BR>
1106	</P>
1107	</TD>
1108	</TR>
1109	</TABLE>
1110	<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
1111	</P>
1112	<H3 CLASS="western"><A NAME="_Ref175134983"></A><A NAME="4.3.4.SysV-style Boot Script\|outline"></A>
1113	4.3.4SysV-style Boot Script</H3>
1114	<P CLASS="western" ALIGN=JUSTIFY>The Session Manager can be
1115	configured to start up at system boot of the host machine. A SysV
1116	style start up script <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndg-sm</SPAN></FONT>
1117	is provided in the installation in:</P>
1118	<P CLASS="western" ALIGN=JUSTIFY>/usr/local/lib/python<python
1119	version num>/site-packages/ndg_security_server-<version
1120	info>.egg/ndg/security/server/<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">share</SPAN></FONT>
1121
1122	</P>
1123	<P CLASS="western" ALIGN=JUSTIFY>To configure, install this file:</P>
1124	<TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1125	<COL WIDTH=602>
1126	<TR>
1127	<TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0">
1128	<P STYLE="margin-bottom: 0cm"><BR>
1129	</P>
1130	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1131	cp /usr/local/lib/python<python version
1132	num>/site-packages/ndg_security_server-<version
1133	info>.egg/ndg/security/server<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">
1134	/share/ndg-sm /etc/rc.d/init.d</SPAN></FONT></FONT></P>
1135	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$
1136	chkconfig --add ndg-sm</SPAN></FONT></FONT></P>
1137	<P><BR>
1138	</P>
1139	</TD>
1140	</TR>
1141	</TABLE>
1142	<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
1143	</P>
1144	<P CLASS="western" ALIGN=JUSTIFY>Edit the ndg-sm so that it uses the
1145	NDGSEC_DIR environment variable to point to the correct location of
1146	the .tac file in the conf/ directory. User and group ID settings can
1147	be made to run under alternative account to root. If used ensure
1148	that $NDGSEC_DIR is set with the necessary permissions to enable
1149	access.
1150	</P>
1151	<H2 CLASS="western"><A NAME="4.4.Attribute Authority Configuration\|outline"></A>
1152	4.4Attribute Authority Configuration</H2>
1153	<P CLASS="western" ALIGN=JUSTIFY>The Attribute Authority also has a
1154	properties file for the setting of configuration parameters.</P>
1155	<H3 CLASS="western"><A NAME="4.4.1.Attribute Authority Properties File Settings\|outline"></A>
1156	4.4.1Attribute Authority Properties File Settings</H3>
1157	<P CLASS="western" ALIGN=JUSTIFY>Edit <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">attAuthorityProperties.xml</SPAN></FONT>
1158	in <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/conf</SPAN></FONT>
1159	and modify the default settings:</P>
1160	<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1161	<COL WIDTH=610>
1162	<TR>
1163	<TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
1164	<P STYLE="margin-bottom: 0cm"><BR>
1165	</P>
1166	<P STYLE="margin-bottom: 0cm"><FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><?xml
1167	version="1.0" encoding="utf-8"?></FONT></FONT></P>
1168	<P STYLE="margin-bottom: 0cm"><FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><AAprop></FONT></FONT></P>
1169	<P STYLE="margin-bottom: 0cm"><FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> <!--
1170	</FONT></FONT>
1171	</P>
1172	<P STYLE="margin-bottom: 0cm"><FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> 'name'
1173	setting MUST agree with map config file 'thisHost' name</FONT></FONT></P>
1174	<P STYLE="margin-bottom: 0cm"><FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> attribute</FONT></FONT></P>
1175	<P STYLE="margin-bottom: 0cm"><FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> --></FONT></FONT></P>
1176	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><name>BADC</name>
1177	</FONT></FONT>
1178	</P>
1179	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace"><portNum>SELECT
1180	A SUITABLE PORT NUMBER FOR RUNNING THE SERVICE</portNum></FONT></FONT></FONT></P>
1181	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><!--</FONT></FONT></P>
1182	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">PKI
1183	settings for transport level encryption</FONT></FONT></P>
1184	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--></FONT></FONT></P>
1185	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><useSSL></useSSL>
1186	<!-- leave blank to use http --></FONT></FONT></P>
1187	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><sslCertFile></sslCertFile></FONT></FONT></P>
1188	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><sslKeyFile></sslKeyFile></FONT></FONT></P>
1189	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><sslKeyPwd></sslKeyPwd></FONT></FONT></P>
1190	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><!--</FONT></FONT></P>
1191	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">PKI
1192	settings for signature of outbound SOAP messages</FONT></FONT></P>
1193	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--></FONT></FONT></P>
1194	<P STYLE="margin-bottom: 0cm">
1195	<FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><useSignatureHandler>Yes</useSignatureHandler>
1196	<!-- leave blank for no signature --></FONT></FONT></P>
1197	<P STYLE="margin-bottom: 0cm">
1198	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace"><certFile>$NDGSEC_DIR/conf/certs/aa-cert.pem</certFile></FONT></FONT></FONT></P>
1199	<P STYLE="margin-bottom: 0cm">
1200	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace"><keyFile>$NDGSEC_DIR/conf/certs/aa-key.pem
1201	</keyFile></FONT></FONT></FONT></P>
1202	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><keyPwd></keyPwd></FONT></FONT></P>
1203	<P STYLE="margin-bottom: 0cm">
1204	<FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><caCertFile>$NDGSEC_DIR/conf/certs/cacert.pem
1205	</caCertFile></FONT></FONT></P>
1206	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace"><!--
1207	</FONT></FONT></FONT>
1208	</P>
1209	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">Set
1210	the certificate used to verify the signature of messages from the </FONT></FONT>
1211	</P>
1212	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">client.
1213	This can usually be left blank since the client is expected to </FONT></FONT>
1214	</P>
1215	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">include
1216	the cert with the signature in the inbound SOAP message</FONT></FONT></P>
1217	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--></FONT></FONT></P>
1218	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><clntCertFile></clntCertFile>
1219	</FONT></FONT>
1220	</P>
1221	<P STYLE="margin-bottom: 0cm">
1222	<FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><attCertLifetime>86400</attCertLifetime>
1223	<!-- Measured in seconds --></FONT></FONT></P>
1224	<P STYLE="margin-bottom: 0cm"><FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> <!--
1225	</FONT></FONT>
1226	</P>
1227	<P STYLE="margin-bottom: 0cm"><FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> Allow
1228	an offset for clock skew between servers running </FONT></FONT>
1229	</P>
1230	<P STYLE="margin-bottom: 0cm"><FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> security
1231	services. - Use minus sign for time in the past</FONT></FONT></P>
1232	<P STYLE="margin-bottom: 0cm"><FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> --></FONT></FONT></P>
1233	<P STYLE="margin-bottom: 0cm">
1234	<FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><attCertNotBeforeOff>0</attCertNotBeforeOff></FONT></FONT></P>
1235	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><!--
1236	Location of role mapping file --></FONT></FONT></P>
1237	<P STYLE="margin-bottom: 0cm">
1238	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace"><mapConfigFile>$NDGSEC_DIR/conf/mapConfig.xml</mapConfigFile></FONT></FONT></FONT></P>
1239	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><!--
1240	All Attribute Certificates are recorded in this dir before
1241	dispatch</FONT></FONT></P>
1242	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">to
1243	SOAP requestor</FONT></FONT></P>
1244	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--></FONT></FONT></P>
1245	<P STYLE="margin-bottom: 0cm">
1246	<FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><attCertDir>$NDGSEC_DIR/conf/attCert</attCertDir></FONT></FONT></P>
1247	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace"><!--
1248	</FONT></FONT></FONT>
1249	</P>
1250	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">File
1251	prefix and suffix for files stored in attCertDir </FONT></FONT>
1252	</P>
1253	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--></FONT></FONT></P>
1254	<P STYLE="margin-bottom: 0cm">
1255	<FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><attCertFilePfx>ac-</attCertFilePfx></FONT></FONT></P>
1256	<P STYLE="margin-bottom: 0cm">
1257	<FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><attCertFileSfx>.xml</attCertFileSfx></FONT></FONT></P>
1258	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><dnSeparator>/</dnSeparator></FONT></FONT></P>
1259	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><!--
1260	</FONT></FONT>
1261	</P>
1262	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">Settings
1263	for custom AAUserRoles derived class to get user roles for</FONT></FONT></P>
1264	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">given
1265	user ID</FONT></FONT></P>
1266	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--></FONT></FONT></P>
1267	<P STYLE="margin-bottom: 0cm">
1268	<FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><userRolesModFilePath></userRolesModFilePath></FONT></FONT></P>
1269	<P STYLE="margin-bottom: 0cm">
1270	<FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><userRolesModName></userRolesModName></FONT></FONT></P>
1271	<P STYLE="margin-bottom: 0cm">
1272	<FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><userRolesClassName></userRolesClassName></FONT></FONT></P>
1273	<P STYLE="margin-bottom: 0cm">
1274	<FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><userRolesPropFile></userRolesPropFile></FONT></FONT></P>
1275	<P STYLE="margin-bottom: 0cm"><FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"></AAprop></FONT></FONT></P>
1276	<P>
1277	</P>
1278	</TD>
1279	</TR>
1280	</TABLE>
1281	<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
1282	</P>
1283	<H3 CLASS="western"><A NAME="4.4.2.User Roles Interface\|outline"></A>4.4.2User
1284	Roles Interface</H3>
1285	<P CLASS="western" ALIGN=JUSTIFY>The Attribute Authority given a
1286	valid user proxy certificate serves an attribute certificate
1287	containing authorisation roles for that user. It is for the data
1288	centre to determine how these roles map to the users identity as
1289	given by their Distinguished Name given in the proxy certificate.
1290	Typically, a data centre might have a user database which relates
1291	user id to authorisation roles.</P>
1292	<P CLASS="western" ALIGN=JUSTIFY>The Attribute Authority provides a
1293	programmatic interface to determine the roles to user id
1294	relationship. A custom python class may be written to perform this
1295	task. See the Appendices section 5.4.</P>
1296	<H3 CLASS="western"><A NAME="4.4.3.Role Mapping\|outline"></A>4.4.3Role
1297	Mapping</H3>
1298	<P CLASS="western" ALIGN=JUSTIFY>The role mapping file is stored in
1299	the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/conf</SPAN></FONT>
1300	directory as <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">mapConfig.xml</SPAN></FONT>.
1301	This is an XML file which relates local roles at the target data
1302	centre to roles of other trusted data centres. These role mapping
1303	are made by agreement between data centres.</P>
1304	<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1305	<COL WIDTH=610>
1306	<TR>
1307	<TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
1308	<P STYLE="margin-bottom: 0cm"><BR>
1309	</P>
1310	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><?xml
1311	version="1.0" encoding="utf-8"?></FONT></P>
1312	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><AAmap></FONT></P>
1313	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><thisHost
1314	name="yourSiteIdentifier"></FONT></P>
1315	<P STYLE="margin-bottom: 0cm">
1316	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><wsdl>yourSiteAttAuthorityURI</wsdl></FONT></P>
1317	<P STYLE="margin-bottom: 0cm">
1318	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><loginURI>yourSiteLoginPageURI</loginURI></FONT></P>
1319	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"></thisHost></FONT></P>
1320	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><trusted
1321	name="BODC"></FONT></P>
1322	<P STYLE="margin-bottom: 0cm">
1323	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><aaURI>bodcAttAuthorityURI</aaURI></FONT></P>
1324	<P STYLE="margin-bottom: 0cm">
1325	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><loginURI>bodcLoginPageURI</loginURI></FONT></P>
1326	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><role
1327	remote="aBODCrole" local="aLocalRole"/></FONT></P>
1328	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"></trusted></FONT></P>
1329	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><trusted
1330	name="NOCS"></FONT></P>
1331	<P STYLE="margin-bottom: 0cm">
1332	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><aaURI>nocsAttAuthorityURI</aaURI></FONT></P>
1333	<P STYLE="margin-bottom: 0cm">
1334	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><loginURI>nocsLoginPageURI</loginURI></FONT></P>
1335	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><role
1336	remote="aNOCSrole" local="anotherLocalRole"/></FONT></P>
1337	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"></trusted></FONT></P>
1338	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><trusted
1339	name="PML"></FONT></P>
1340	<P STYLE="margin-bottom: 0cm">
1341	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><aaURI>pmlAttAuthorityURI</aaURI></FONT></P>
1342	<P STYLE="margin-bottom: 0cm">
1343	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><loginURI>pmlLoginPageURI</loginURI></FONT></P>
1344	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><role
1345	remote="aPMLrole" local="yetAnotherLocalRole"/></FONT></P>
1346	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"></trusted></FONT></P>
1347	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"></AAmap></FONT></P>
1348	<P STYLE="margin-bottom: 0cm"><BR>
1349	</P>
1350	<P><BR>
1351	</P>
1352	</TD>
1353	</TR>
1354	</TABLE>
1355	<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
1356	</P>
1357	<P CLASS="western" ALIGN=JUSTIFY><todo: ></P>
1358	<H3 CLASS="western"><A NAME="4.4.4.Twisted Python server .tac file\|outline"></A>
1359	4.4.4Twisted Python server .tac file</H3>
1360	<P CLASS="western" ALIGN=JUSTIFY>Python security services use the
1361	Python Twisted package application server. A special .tac
1362	configuration file is loaded by the Twisted server. Copy this from
1363	the ndg_security_server to the NDG security conf/ area:</P>
1364	<TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1365	<COL WIDTH=602>
1366	<TR>
1367	<TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0">
1368	<P STYLE="margin-bottom: 0cm"><BR>
1369	</P>
1370	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1371	cp /usr/local/lib/python<python version
1372	num>/site-packages/ndg_security_server-<version
1373	info>.egg/ndg/security/server/server-config.tac<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">
1374	$NDGSEC_DIR/conf</SPAN></FONT></FONT></P>
1375	<P><BR>
1376	</P>
1377	</TD>
1378	</TR>
1379	</TABLE>
1380	<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
1381	</P>
1382	<H3 CLASS="western"><A NAME="4.4.5.SysV-style Boot Script\|outline"></A>
1383	4.4.5SysV-style Boot Script</H3>
1384	<P CLASS="western" ALIGN=JUSTIFY>As with the Session Manager, the
1385	Attribute Authority can be configured to start up at system boot of
1386	the host machine. A SysV style start up script <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndg-aa</SPAN></FONT>
1387	is provided in the installation in:</P>
1388	<P CLASS="western" ALIGN=JUSTIFY>/usr/local/lib/python<python
1389	version num>/site-packages/ndg_security_server-<version
1390	info>.egg/ndg/security/server/<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">share</SPAN></FONT>
1391
1392	</P>
1393	<P CLASS="western" ALIGN=JUSTIFY>To configure, install this file:</P>
1394	<TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1395	<COL WIDTH=602>
1396	<TR>
1397	<TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0">
1398	<P STYLE="margin-bottom: 0cm"><BR>
1399	</P>
1400	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1401	cp /usr/local/lib/python<python version
1402	num>/site-packages/ndg_security_server-<version
1403	info>.egg/ndg/security/server<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">
1404	/share/ndg-aa /etc/rc.d/init.d</SPAN></FONT></FONT></P>
1405	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$
1406	chkconfig --add ndg-aa</SPAN></FONT></FONT></P>
1407	<P><BR>
1408	</P>
1409	</TD>
1410	</TR>
1411	</TABLE>
1412	<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
1413	</P>
1414	<P CLASS="western" ALIGN=JUSTIFY>Edit the ndg-aa so that it uses the
1415	NDGSEC_DIR environment variable to point to the correct location of
1416	the .tac file in the conf/ directory. User and group ID settings can
1417	be made to run under alternative account to root. If used ensure
1418	that $NDGSEC_DIR is set with the necessary permissions to enable
1419	access.
1420	</P>
1421	<P CLASS="western" ALIGN=JUSTIFY>If required, add any additional
1422	environment settings required to connect to a user database.</P>
1423	<H2 CLASS="western"><A NAME="4.5.Python Unit Tests\|outline"></A>4.5Python
1424	Unit Tests</H2>
1425	<P CLASS="western" ALIGN=JUSTIFY>Python unit test scripts are
1426	provided to enable the system to be checked to confirm that it is
1427	running correctly. These are located in the ndg_security_test egg
1428	in the site-packages/ directory of the python installation.</P>
1429	<P CLASS="western" ALIGN=JUSTIFY><todo: ></P>
1430	<H2 CLASS="western"><A NAME="4.6.Globus MyProxy\|outline"></A>4.6Globus
1431	MyProxy</H2>
1432	<H3 CLASS="western"><A NAME="4.6.1.MyProxy and NDG Security Background\|outline"></A>
1433	4.6.1MyProxy and NDG Security Background</H3>
1434	<P CLASS="western" ALIGN=JUSTIFY>NDG Security makes use of MyProxy
1435	from the Globus toolkit to store userâs authentication credentials.
1436	If a participating data centre supports user accounts then it will
1437	need to deploy its MyProxy repository.
1438	</P>
1439	<P CLASS="western" ALIGN=JUSTIFY>The NDG SessionManager web service
1440	acts as a client to MyProxy. When a user is registered at a site, it
1441	generates a new public/private key for the user and an X.509
1442	certificate request. It sends the latter to the NDG Simple CA
1443	(Certificate Authority) for signing. A new X.509 certificate is
1444	issued and returned. The SessionManager uploads the public and
1445	private key into the MyProxy repository and associates a username and
1446	pass-phrase with these credentials.</P>
1447	<P CLASS="western" ALIGN=JUSTIFY>When a user subsequently logs in at
1448	their site, again the SessionManager is called. It passes the
1449	username and pass-phrase provided to MyProxy. MyProxy matches these
1450	with the X.509 certificate it holds and issues a <I>proxy</I> to that
1451	certificate. The proxy certificate represents the userâs ID
1452	internally in the interactions between the various NDG components.
1453	</P>
1454	<P CLASS="western" ALIGN=JUSTIFY>MyProxy runs as a service
1455	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy-server</SPAN></FONT>
1456	on its host machine and user credentials are held in a directory on
1457	the file system. It is important to secure the host to ensure the
1458	credentials are not compromised. (Also see Ref 1above.)</P>
1459	<H3 CLASS="western"><A NAME="4.6.2.MyProxy user account and the repository location considerations\|outline"></A>
1460	4.6.2MyProxy user account and the repository location considerations</H3>
1461	<P CLASS="western" ALIGN=JUSTIFY>MyProxy may be installed as root or
1462	using a separate user account. The latter is preferable as it
1463	provides an extra level of security. Note that the MyProxy
1464	repository will be in a standard location.
1465	</P>
1466	<UL>
1467	<LI><P CLASS="western" ALIGN=JUSTIFY>If MyProxy is installed as
1468	root, this is <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/var/myproxy</SPAN></FONT>.
1469
1470	</P>
1471	<LI><P CLASS="western" ALIGN=JUSTIFY>If installed as under an
1472	alternative user account, <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$GLOBUS_LOCATION/var/myproxy</SPAN></FONT>.
1473
1474	</P>
1475	</UL>
1476	<P CLASS="western" ALIGN=JUSTIFY>It is possible to explicitly define
1477	an alternate location but this can only be done by providing a
1478	command line argument to <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy-server</SPAN></FONT>.
1479	Note that this might be visible in the process list of the host
1480	machine as output from<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">
1481	ps</SPAN></FONT>. This could be avoided by running <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy-server</SPAN></FONT>
1482	with <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">xinetd
1483	</SPAN></FONT>(See 4.6.8.1).</P>
1484	<P CLASS="western" ALIGN=LEFT>Another factor to take into
1485	consideration is the available space on the file system for the
1486	repository location. There should be sufficient disk space on the
1487	partition where the directory is located to store credentials for all
1488	the users of the system at the target site.</P>
1489	<P CLASS="western" ALIGN=JUSTIFY>This guide assumes installation
1490	under a dedicated user account. The username <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">globus</SPAN></FONT>
1491	is used in the examples for convenience only. An alternative
1492	username is recommended.</P>
1493	<P CLASS="western" ALIGN=JUSTIFY>As <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">root</SPAN></FONT>
1494	user set up a local user account.</P>
1495	<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1496	<COL WIDTH=596>
1497	<TR>
1498	<TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6">
1499	<P STYLE="margin-bottom: 0cm"><BR>
1500	</P>
1501	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1502	groupadd globus</FONT></P>
1503	<P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1504	useradd globus âg globus</FONT></P>
1505	</TD>
1506	</TR>
1507	</TABLE>
1508	<P CLASS="western" ALIGN=LEFT><BR><BR>
1509	</P>
1510	<P CLASS="western" ALIGN=JUSTIFY>Note that for security purposes, the
1511	globus user account is set up as a local rather NIS account so that
1512	access is restricted. Set the default home directory as necessary
1513	and default shell to bash. Set the password for <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">globus</SPAN></FONT>:</P>
1514	<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1515	<COL WIDTH=596>
1516	<TR>
1517	<TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6">
1518	<P STYLE="margin-bottom: 0cm"><BR>
1519	</P>
1520	<P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1521	passwd globus</FONT></P>
1522	</TD>
1523	</TR>
1524	</TABLE>
1525	<P CLASS="western" ALIGN=LEFT><BR><BR>
1526	</P>
1527	<P CLASS="western" ALIGN=JUSTIFY>Modify the relevant files and
1528	directories in the NDG installation area to be owned by the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">globus</SPAN></FONT>
1529	account:</P>
1530	<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1531	<COL WIDTH=596>
1532	<TR>
1533	<TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6">
1534	<P STYLE="margin-bottom: 0cm"><BR>
1535	</P>
1536	<P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1537	chown -R globus:globus $NDGSEC_DIR/conf/ $NDGSEC_DIR/ndgSetup.sh</FONT></P>
1538	</TD>
1539	</TR>
1540	</TABLE>
1541	<P CLASS="western" ALIGN=LEFT><BR><BR>
1542	</P>
1543	<P CLASS="western" ALIGN=LEFT>For convenience, the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndgSetup.sh</SPAN></FONT>
1544	file may be called from the globus accountâs <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">.bashrc</SPAN></FONT>
1545	file so that the NDG environment is automatically initialised when a
1546	new globus shell is invoked.</P>
1547	<P CLASS="western" ALIGN=LEFT>Change to the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">globus</SPAN></FONT>
1548	account and edit <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">~/.bashrc</SPAN></FONT>
1549	adding the following lines at the end:</P>
1550	<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1551	<COL WIDTH=596>
1552	<TR>
1553	<TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6">
1554	<P STYLE="margin-bottom: 0cm"><BR>
1555	</P>
1556	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#
1557	NDG set-up</FONT></P>
1558	<P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">.
1559	/usr/local/NDG/ndgSetup.sh</FONT></P>
1560	</TD>
1561	</TR>
1562	</TABLE>
1563	<P CLASS="western" ALIGN=LEFT><BR><BR>
1564	</P>
1565	<H3 CLASS="western"><A NAME="4.6.3.Build Process\|outline"></A>4.6.3Build
1566	Process</H3>
1567	<P CLASS="western" ALIGN=JUSTIFY>As <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">root</SPAN></FONT>,
1568	create an installation directory for Globus within the NDG
1569	installation:</P>
1570	<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1571	<COL WIDTH=596>
1572	<TR>
1573	<TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6">
1574	<P STYLE="margin-bottom: 0cm"><BR>
1575	</P>
1576	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1577	mkdir $NDGSEC_DIR/globus-4.0.1</FONT></P>
1578	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1579	chown globus:globus $NDGSEC_DIR/globus-4.0.1</FONT></P>
1580	<P><BR>
1581	</P>
1582	</TD>
1583	</TR>
1584	</TABLE>
1585	<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
1586	</P>
1587	<P CLASS="western" ALIGN=JUSTIFY>Ensure that the setting for
1588	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">GLOBUS_LOCATION</FONT>
1589	in <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$NDGSEC_DIR/ndgSetup.sh</FONT>
1590	points to the new directory created <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$NDGSEC_DIR/globus-4.0.1</FONT>.</P>
1591	<P CLASS="western" ALIGN=JUSTIFY>Switch to the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">globus</FONT>
1592	user account ready to download the globus installation.</P>
1593	<P CLASS="western" ALIGN=JUSTIFY>Globus 4.0.1 distribution is
1594	recommended for use with the NDG Security software. This is
1595	available from <FONT COLOR="#0000ff"><U><A HREF="http://www.globus.org/toolkit/downloads/4.0.1/">http://www.globus.org/toolkit/downloads/4.0.1/</A></U></FONT></P>
1596	<P CLASS="western" ALIGN=JUSTIFY>A binary version is available but it
1597	is recommended to install the source code version and build from
1598	scratch on the target machine. Note that it is possible to set a
1599	target for <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">make
1600	</SPAN></FONT>so that only the MyProxy components of Globus are
1601	built. Click on the link for the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">gt4.0.1-all-source-installer</FONT>
1602	tarball. Extract the files and change to the
1603	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">gt4.0.1-all-source-installer/</FONT>
1604	directory created.</P>
1605	<P CLASS="western" ALIGN=JUSTIFY>Configure the build settings compile
1606	and install MyProxy:</P>
1607	<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1608	<COL WIDTH=596>
1609	<TR>
1610	<TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6">
1611	<P STYLE="margin-bottom: 0cm"><BR>
1612	</P>
1613	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1614	./configure âprefix=$GLOBUS_LOCATION</FONT></P>
1615	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1616	make gsi-myproxy postinstall</FONT></P>
1617	<P><BR>
1618	</P>
1619	</TD>
1620	</TR>
1621	</TABLE>
1622	<P STYLE="margin-bottom: 0cm"><BR>
1623	</P>
1624	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Helvetica, sans-serif"><SPAN LANG="en-GB">When
1625	running</SPAN></FONT> ./configure <FONT FACE="Helvetica, sans-serif"><SPAN LANG="en-GB">you
1626	may see an error if the </SPAN></FONT>JAVA_HOME<FONT FACE="Helvetica, sans-serif"><SPAN LANG="en-GB">
1627	environment variable is not set. This can be ignored because Java is
1628	not required for the MyProxy build.</SPAN></FONT></FONT></P>
1629	<P STYLE="margin-bottom: 0cm"><BR>
1630	</P>
1631	<H3 CLASS="western"><A NAME="4.6.4.NDG SimpleCA Client Package \|outline"></A>
1632	4.6.4NDG SimpleCA Client Package
1633	</H3>
1634	<P CLASS="western" ALIGN=JUSTIFY>This configures the target machine
1635	to trust the NDG CA.
1636	</P>
1637	<P CLASS="western" ALIGN=JUSTIFY>Login as the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">globus</SPAN></FONT>
1638	user. To install first initialise the environment settings (The
1639	following line should be included in <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndgSetup.sh</SPAN></FONT>.
1640	Check and amend as necessary).</P>
1641	<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1642	<COL WIDTH=596>
1643	<TR>
1644	<TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6">
1645	<P LANG="fr-FR" STYLE="margin-bottom: 0cm"><BR>
1646	</P>
1647	<P LANG="fr-FR"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1648	. $GLOBUS_LOCATION/etc/globus-user-env.sh</FONT></P>
1649	</TD>
1650	</TR>
1651	</TABLE>
1652	<P><BR><BR>
1653	</P>
1654	<P CLASS="western" ALIGN=LEFT>Install the client package. <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB"><CA
1655	Hash></SPAN></FONT> below is a unique identifier for the CA. Note
1656	that the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ânonroot</SPAN></FONT>
1657	option ensures that the configuration files are installed in
1658	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$GLOBUS_LOCATION/etc</SPAN></FONT>
1659	rather than the default location used with the root user:
1660	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/etc/grid-security</SPAN></FONT>.
1661	If you are installing as <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">root</SPAN></FONT>,
1662	this option may be omitted if required.</P>
1663	<P CLASS="western" ALIGN=LEFT>Also note that for 64 bit architectures
1664	the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">gcc32dbg</SPAN></FONT>
1665	argument to <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">gpt-build</SPAN></FONT>
1666	should be substituted with <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">gcc64dbg</SPAN></FONT>.</P>
1667	<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1668	<COL WIDTH=596>
1669	<TR>
1670	<TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6">
1671	<P STYLE="margin-bottom: 0cm"><BR>
1672	</P>
1673	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1674	gpt-build globus_simple_ca_<CA hash>_setup-0.18.tar.gz
1675	gcc32dbg</FONT></P>
1676	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1677	gpt-postinstall</FONT></P>
1678	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1679	$GLOBUS_LOCATION/setup/globus_simple_ca_<CA
1680	hash>_setup/setup-gsi </FONT>
1681	</P>
1682	<P>â<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">default
1683	ânonroot</FONT></P>
1684	</TD>
1685	</TR>
1686	</TABLE>
1687	<P STYLE="margin-bottom: 0cm"><BR>
1688	</P>
1689	<P CLASS="western" ALIGN=LEFT>When running <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">gpt-postinstall</SPAN></FONT>,
1690	you may see a warning:</P>
1691	<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1692	<COL WIDTH=596>
1693	<TR>
1694	<TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6">
1695	<P STYLE="margin-bottom: 0cm"><BR>
1696	</P>
1697	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">WARNING:
1698	The following packages were not set up correctly:</FONT></P>
1699	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">globus_simple_ca_<CA
1700	hash>_setup-noflavor-pgm</FONT></P>
1701	<P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Check
1702	the package documentation or run postinstall -verbose to see what
1703	happened</FONT></P>
1704	</TD>
1705	</TR>
1706	</TABLE>
1707	<P CLASS="western" ALIGN=LEFT><BR><BR>
1708	</P>
1709	<P CLASS="western" ALIGN=LEFT>This can be ignored.</P>
1710	<H4 CLASS="western">4.6.4.1Modifications to Configuration File
1711	Settings</H4>
1712	<P CLASS="western" ALIGN=LEFT>The configuration files installed
1713	require some minor modifications before proceeding:</P>
1714	<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm">Under the
1715	directory <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$GLOBUS_LOCATION/etc</SPAN></FONT>,
1716	edit <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">globus-host-ssl.conf</SPAN></FONT>
1717	and under the section <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">[
1718	req_distinguished_name ]</SPAN></FONT>, edit the setting for
1719	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">0.organizationalUnitName_default</SPAN></FONT>
1720	and change the default <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">BADC</SPAN></FONT>
1721	to the name of the organisation where this NDG security software is
1722	being installed. This name will be used as the default for the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">OU</SPAN></FONT>
1723	field of certificates held in the MyProxy server.</P>
1724	<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
1725	</P>
1726	<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1727	<COL WIDTH=610>
1728	<TR>
1729	<TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
1730	<P STYLE="margin-bottom: 0cm"><BR>
1731	</P>
1732	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">[
1733	req_distinguished_name ]</FONT></P>
1734	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#
1735	BEGIN CONFIG</FONT></P>
1736	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">0.organizationName
1737	= Level 0 Organization</FONT></P>
1738	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">0.organizationName_default
1739	= NDG</FONT></P>
1740	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">0.organizationalUnitName
1741	= Level 0 Organizational Unit</FONT></P>
1742	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">0.organizationalUnitName_default
1743	= BADC</FONT></P>
1744	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">commonName
1745	= Name (e.g., John M. Smith)</FONT></P>
1746	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">commonName_max
1747	= 64</FONT></P>
1748	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#
1749	END CONFIG</FONT></P>
1750	<P><BR>
1751	</P>
1752	</TD>
1753	</TR>
1754	</TABLE>
1755	<P CLASS="western" ALIGN=LEFT><BR><BR>
1756	</P>
1757	<P CLASS="western" ALIGN=LEFT>Under the same directory, edit the file
1758	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">globus-user-ssl.conf</SPAN></FONT>
1759	and carry out the same modification as above but also comment out the
1760	two lines below <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">1.organizationalUnitName</SPAN></FONT>
1761	and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">1.organizationalUnitName_default</SPAN></FONT>:</P>
1762	<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
1763	</P>
1764	<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1765	<COL WIDTH=610>
1766	<TR>
1767	<TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
1768	<P STYLE="margin-bottom: 0cm"><BR>
1769	</P>
1770	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">[
1771	req_distinguished_name ]</FONT></P>
1772	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#
1773	BEGIN CONFIG</FONT></P>
1774	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">0.organizationName
1775	= Level 0 Organization</FONT></P>
1776	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">0.organizationName_default
1777	= NDG</FONT></P>
1778	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">0.organizationalUnitName
1779	= Level 0 Organizational Unit</FONT></P>
1780	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">0.organizationalUnitName_default
1781	= BADC</FONT></P>
1782	<P STYLE="margin-bottom: 0cm"><BR>
1783	</P>
1784	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#1.organizationalUnitName
1785	= Level 1 Organizational Unit</FONT></P>
1786	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#1.organizationalUnitName_default
1787	= badc.rl.ac.uk</FONT></P>
1788	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">commonName
1789	= Name (e.g., John M. Smith)</FONT></P>
1790	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">commonName_max
1791	= 64</FONT></P>
1792	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#
1793	END CONFIG</FONT></P>
1794	<P><BR>
1795	</P>
1796	</TD>
1797	</TR>
1798	</TABLE>
1799	<P CLASS="western" ALIGN=LEFT><BR><BR>
1800	</P>
1801	<P CLASS="western" ALIGN=LEFT>Edit
1802	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$GLOBUS_LOCATION/share/certificates/<CA
1803	Hash>.signing_policy</SPAN></FONT> and change the setting of <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">OU</FONT>
1804	in the line:</P>
1805	<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
1806	</P>
1807	<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1808	<COL WIDTH=610>
1809	<TR>
1810	<TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
1811	<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
1812	</P>
1813	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">cond_subjects
1814	globus '"/O=NDG/OU=BADC/*"'</FONT></P>
1815	<P CLASS="western" ALIGN=LEFT><BR>
1816	</P>
1817	</TD>
1818	</TR>
1819	</TABLE>
1820	<P CLASS="western" ALIGN=LEFT><BR><BR>
1821	</P>
1822	<P CLASS="western" ALIGN=LEFT>Replacing âBADCâ with the name of
1823	the Organisational Unit for your organisation. This should be the
1824	same as <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">0.organizationalUnitName_default</SPAN></FONT>
1825	set above for <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">globus-host-ssl.conf</FONT>
1826	and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">globus-user-ssl.conf</FONT>.</P>
1827	<P CLASS="western" ALIGN=LEFT>Having completed these steps, a host
1828	certificate for the target machine can be made in order to identify
1829	it.</P>
1830	<H3 CLASS="western"><A NAME="4.6.5.Host Certificate Creation\|outline"></A>
1831	4.6.5Host Certificate Creation</H3>
1832	<P CLASS="western" ALIGN=LEFT>Login as <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">globus</SPAN></FONT>
1833	user to carry out these steps. <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">ndgSetup.sh
1834	</FONT>should configure the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">PATH</FONT>
1835	variable to have included the Globus executable directories
1836	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$GLOBUS_LOCATION/bin</FONT>
1837	and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$GLOBUS_LOCATION/sbin</FONT>.
1838	Check the path to the command <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">grid-cert-request</SPAN></FONT>:</P>
1839	<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
1840	</P>
1841	<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1842	<COL WIDTH=610>
1843	<TR>
1844	<TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
1845	<P STYLE="margin-bottom: 0cm"><BR>
1846	</P>
1847	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1848	which grid-cert-request</FONT></P>
1849	<P CLASS="western" ALIGN=LEFT><BR>
1850	</P>
1851	</TD>
1852	</TR>
1853	</TABLE>
1854	<P CLASS="western" ALIGN=JUSTIFY><BR>Should return something like:
1855	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">/usr/local/NDG/globus-4.0.1/bin/grid-cert-request</FONT></P>
1856	<P CLASS="western" ALIGN=JUSTIFY>To generate a host certificate
1857	request, change to the certificates directory:</P>
1858	<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
1859	</P>
1860	<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1861	<COL WIDTH=610>
1862	<TR>
1863	<TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
1864	<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
1865	</P>
1866	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1867	cd $GLOBUS_LOCATION/etc</FONT></P>
1868	<P CLASS="western" ALIGN=LEFT><BR>
1869	</P>
1870	</TD>
1871	</TR>
1872	</TABLE>
1873	<P CLASS="western" ALIGN=JUSTIFY><BR>Nb. If you installed MyProxy as
1874	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">root</SPAN></FONT>,
1875	as root user change to <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/etc/grid-security</SPAN></FONT>
1876	where the certificates should be held.</P>
1877	<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1878	<COL WIDTH=610>
1879	<TR>
1880	<TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
1881	<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
1882	</P>
1883	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1884	grid-cert-request âhost <machine hostname> -dir .</FONT></P>
1885	<P CLASS="western" ALIGN=LEFT><BR>
1886	</P>
1887	</TD>
1888	</TR>
1889	</TABLE>
1890	<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
1891	</P>
1892	<P CLASS="western" ALIGN=LEFT>This creates the files <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">hostcert.pem</FONT>,
1893	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">hostkey.pem</FONT>
1894	and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">hostcert_request.pem</FONT>.
1895	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">hostcert.pem</FONT>
1896	is empty.
1897	</P>
1898	<P CLASS="western" ALIGN=JUSTIFY>In order to obtain the certificate
1899	it must be signed by the NDG CA. Contact the NDG CA forwarding
1900	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">hostcert_request.pem</FONT>.
1901	The CA will issue a <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">hostcert.pem</FONT>
1902	file. Copy this file into this directory i.e. <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$GLOBUS_LOCATION/etc</FONT>.
1903	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">hostcert_request.pem
1904	</FONT>is no longer needed and may be deleted if desired.</P>
1905	<H3 CLASS="western"><A NAME="4.6.6.MyProxy Configuration File\|outline"></A>
1906	4.6.6MyProxy Configuration File</H3>
1907	<P CLASS="western" ALIGN=JUSTIFY>A MyProxy configuration file is
1908	normally kept in the Globus installation under the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">etc</SPAN></FONT>
1909	directory. If this file is not already present, copy the sample
1910	file:</P>
1911	<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1912	<COL WIDTH=610>
1913	<TR>
1914	<TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
1915	<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
1916	</P>
1917	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1918	cp $GLOBUS_LOCATION/share/myproxy/myproxy-server.config
1919	$GLOBUS_LOCATION/etc</FONT></P>
1920	<P CLASS="western" ALIGN=LEFT><BR>
1921	</P>
1922	</TD>
1923	</TR>
1924	</TABLE>
1925	<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
1926	</P>
1927	<P CLASS="western" ALIGN=JUSTIFY>As the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">globus</FONT>
1928	user edit <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$GLOBUS_LOCATION/etc/myproxy-server.config</FONT></P>
1929	<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm">Modify the
1930	entries under the section <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Complete
1931	Sample Policy</SPAN></FONT> so that they are all uncommented (remove
1932	leading <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">#
1933	</SPAN></FONT>character):</P>
1934	<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
1935	</P>
1936	<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1937	<COL WIDTH=610>
1938	<TR>
1939	<TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
1940	<P STYLE="margin-bottom: 0cm"><BR>
1941	</P>
1942	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#</FONT></P>
1943	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#
1944	Complete Sample Policy</FONT></P>
1945	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#</FONT></P>
1946	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#
1947	The following lines define a sample policy that enables all</FONT></P>
1948	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#
1949	myproxy-server features. See below for more examples.</FONT></P>
1950	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">accepted_credentials
1951	"*"</FONT></P>
1952	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">authorized_retrievers
1953	"*"</FONT></P>
1954	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">default_retrievers
1955	"*"</FONT></P>
1956	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">authorized_renewers
1957	"*"</FONT></P>
1958	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">default_renewers
1959	"none"</FONT></P>
1960	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">authorized_key_retrievers
1961	"*"</FONT></P>
1962	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">default_key_retrievers
1963	"none"</FONT></P>
1964	<P><BR>
1965	</P>
1966	</TD>
1967	</TR>
1968	</TABLE>
1969	<P CLASS="western" ALIGN=LEFT><BR><BR>
1970	</P>
1971	<P CLASS="western" ALIGN=LEFT>Note that the wildcards for these
1972	fields may be modified such that only Distinguished Names of a given
1973	format may be accepted e.g. <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">"/O=NDG/OU=BADC/*"</SPAN></FONT></P>
1974	<H3 CLASS="western"><A NAME="4.6.7.Repository Directory\|outline"></A>4.6.7Repository
1975	Directory</H3>
1976	<P CLASS="western" ALIGN=LEFT>A directory needs to be specified on
1977	the file system to store the user credentials generated by MyProxy.
1978	This should be owned by the account that runs <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy-server</SPAN></FONT>.
1979	In the examples given this would be the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB"><FONT SIZE=2 STYLE="font-size: 9pt">globus</FONT></SPAN></FONT>
1980	user and the expected location, <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$GLOBUS_LOCATION/var</SPAN></FONT>.
1981	See section 2.3.2 <I>MyProxy user account and repository location</I>.</P>
1982	<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm">Login as the
1983	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">globus</SPAN></FONT>
1984	user and change directory to the location for the repository:</P>
1985	<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
1986	</P>
1987	<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1988	<COL WIDTH=610>
1989	<TR>
1990	<TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
1991	<P STYLE="margin-bottom: 0cm"><BR>
1992	</P>
1993	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1994	cd $GLOBUS_LOCATION/var</FONT></P>
1995	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1996	mkdir myproxy</FONT></P>
1997	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1998	chmod 700 myproxy</FONT></P>
1999	<P><BR>
2000	</P>
2001	</TD>
2002	</TR>
2003	</TABLE>
2004	<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
2005	</P>
2006	<P CLASS="western" ALIGN=JUSTIFY>The <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">chmod
2007	</SPAN></FONT>command ensures that only the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">globus</SPAN></FONT>
2008	user has read/write access for the directory. Note also that the
2009	directory need not be called <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy</SPAN></FONT>.</P>
2010	<H3 CLASS="western"><A NAME="4.6.8.Adding MyProxy Server to the system start up\|outline"></A>
2011	4.6.8Adding MyProxy Server to the system start up</H3>
2012	<P CLASS="western" ALIGN=JUSTIFY>Any of the standard mechanisms may
2013	be used such as adding a SysV style init script or using <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">inetd</SPAN></FONT>
2014	or <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">xinetd</SPAN></FONT>.
2015	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">inetd</SPAN></FONT>/<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">xinetd</SPAN></FONT>
2016	are preferred:</P>
2017	<UL>
2018	<LI><P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy-server</SPAN></FONT>
2019	process will not show on <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ps</SPAN></FONT>
2020	command listing
2021	</P>
2022	<LI><P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm">Itâs
2023	more efficient since itâs only invoked when a request from a
2024	MyProxy client is received.</P>
2025	<LI><P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm">Itâs
2026	easy to configure so that <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy-server</SPAN></FONT>
2027	runs as an alternative user to <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">root</SPAN></FONT>.</P>
2028	</UL>
2029	<P CLASS="western" ALIGN=JUSTIFY STYLE="margin-left: 0.63cm; margin-bottom: 0cm">
2030	<BR>
2031	</P>
2032	<H4 CLASS="western"><A NAME="_Ref143089522"></A>4.6.8.1inetd / xinetd</H4>
2033	<P CLASS="western" ALIGN=LEFT>To run the myproxy server using <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">inetd
2034	</SPAN></FONT>or <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">xinetd</SPAN></FONT>,
2035	as root user:
2036	</P>
2037	<UL>
2038	<LI><P CLASS="western" ALIGN=LEFT>Add the entries in
2039	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$GLOBUS_LOCATION/share/myproxy/etc.services.modifications</SPAN></FONT>
2040	to the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/etc/services</SPAN></FONT>
2041	or <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/etc/inet/services</SPAN></FONT>
2042	file:
2043	</P>
2044	</UL>
2045	<DL>
2046	<DD>
2047	<TABLE WIDTH=574 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2048	<COL WIDTH=558>
2049	<TR>
2050	<TD WIDTH=558 VALIGN=TOP BGCOLOR="#e0e0e0">
2051	<P STYLE="margin-bottom: 0cm"><BR>
2052	</P>
2053	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">myproxy-server
2054	7512/tcp # Myproxy server</FONT></P>
2055	<P><BR>
2056	</P>
2057	</TD>
2058	</TR>
2059	</TABLE>
2060	</DL>
2061	<P CLASS="western" ALIGN=LEFT STYLE="margin-left: 0.64cm"><BR><BR>
2062	</P>
2063	<UL>
2064	<LI><P CLASS="western" ALIGN=LEFT>Add the entries from
2065	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$GLOBUS_LOCATION/share/myproxy/etc.inetd.conf.modifications</SPAN></FONT></P>
2066	<UL>
2067	<LI><P CLASS="western" ALIGN=LEFT>For inetd add to <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/etc/inetd.conf
2068	</SPAN></FONT>or <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/etc/inet/inetd.conf</SPAN></FONT>,
2069	or âŠ</P>
2070	<LI><P CLASS="western" ALIGN=LEFT>for <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">xinetd</SPAN></FONT>,
2071	copy <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$GLOBUS_LOCATION/share/myproxy/etc.xinetd.myproxy</SPAN></FONT>
2072	to <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/etc/xinetd.d/myproxy</SPAN></FONT>.
2073	Modify the paths in the file according to your installation and set
2074	the user to the correct user name for running <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy-server</SPAN></FONT>
2075	e.g.</P>
2076	</UL>
2077	</UL>
2078	<DL>
2079	<DD>
2080	<TABLE WIDTH=574 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2081	<COL WIDTH=558>
2082	<TR>
2083	<TD WIDTH=558 VALIGN=TOP BGCOLOR="#e0e0e0">
2084	<P STYLE="margin-bottom: 0cm"><BR>
2085	</P>
2086	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">service
2087	myproxy-server</FONT></FONT></P>
2088	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">{</FONT></FONT></P>
2089	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">socket_type
2090	= stream</FONT></FONT></P>
2091	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><SPAN LANG="pt-PT">protocol
2092	= tcp</SPAN></FONT></FONT></P>
2093	<P LANG="pt-PT" STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">wait
2094	= no</FONT></FONT></P>
2095	<P LANG="pt-PT" STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">user
2096	= globus</FONT></FONT></P>
2097	<P LANG="pt-PT" STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">server
2098	= /usr/local/NDG/globus-4.0.1/sbin/myproxy-server</FONT></FONT></P>
2099	<P LANG="pt-PT" STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">env
2100	= GLOBUS_LOCATION=/usr/local/NDG/globus-4.0.1
2101	LD_LIBRARY_PATH=/usr/local/NDG/globus-4.0.1/lib</FONT></FONT></P>
2102	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">disable
2103	= no</FONT></FONT></P>
2104	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">only_from
2105	= localhost.localdomain <hostAddress1> <hostAddress2></FONT></FONT></P>
2106	<P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">}</FONT></FONT></P>
2107	</TD>
2108	</TR>
2109	</TABLE>
2110	</DL>
2111	<P STYLE="margin-bottom: 0cm"><BR>
2112	</P>
2113	<UL>
2114	<LI><P CLASS="western" ALIGN=LEFT>Note also, the additional setting
2115	in this example for <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">only_from</SPAN></FONT>.
2116	This a limit to be placed on which hosts clients can connect from
2117	to the server. In the above, clients can connect from the local
2118	machine (note the fully qualified name including <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">localdomain</SPAN></FONT>)
2119	and from the hosts <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB"><hostAddress1>
2120	</SPAN></FONT>and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB"><hostAddress2></SPAN></FONT>.</P>
2121	<LI><P CLASS="western" ALIGN=LEFT>Reactivate the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">inetd</SPAN></FONT>
2122	/ <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">xinetd</SPAN></FONT>.
2123	This is typically accomplished by sending the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">SIGHUP</SPAN></FONT>
2124	signal to the server process. Redhat Linux machines include the GUI
2125	tool <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">redhat-config-services</SPAN></FONT>
2126	to allow convenient management of services. Refer to the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">inetd</SPAN></FONT>
2127	or <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">xinetd</SPAN></FONT>
2128	man page for your system.</P>
2129	</UL>
2130	<H4 CLASS="western">4.6.8.2SysV-style boot script
2131	</H4>
2132	<P CLASS="western" ALIGN=LEFT>A sample SysV-style boot script for is
2133	available in the Globus installation at,
2134	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$GLOBUS_LOCATION/share/myproxy/etc.init.d.myproxy</SPAN></FONT>.
2135	</P>
2136	<P CLASS="western" ALIGN=LEFT>To install:
2137	</P>
2138	<TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2139	<COL WIDTH=602>
2140	<TR>
2141	<TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0">
2142	<P STYLE="margin-bottom: 0cm"><BR>
2143	</P>
2144	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
2145	cp <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$GLOBUS_LOCATION/share/myproxy/etc.init.d.myproxy
2146	/etc/rc.d/init.d/myproxy</SPAN></FONT></FONT></P>
2147	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$
2148	chkconfig --add myproxy</SPAN></FONT></FONT></P>
2149	<P><BR>
2150	</P>
2151	</TD>
2152	</TR>
2153	</TABLE>
2154	<P CLASS="western" ALIGN=LEFT><BR><BR>
2155	</P>
2156	<P CLASS="western" ALIGN=LEFT>Edit the file to set the
2157	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">GLOBUS_LOCATION
2158	</SPAN></FONT>environment variable correctly.
2159	</P>
2160	<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
2161	</P>
2162	<H1 CLASS="western"><A NAME="5.Appendices\|outline"></A>5.Appendices</H1>
2163	<H2 CLASS="western"><A NAME="_Ref133718491"></A><A NAME="5.1.MySQL Installation\|outline"></A>
2164	5.1MySQL Installation</H2>
2165	<P CLASS="western" ALIGN=JUSTIFY>MySQL is required for the Credential
2166	Repository used by the SessionManager to stored user credentials as
2167	cached in their Credential Wallet held in their session.</P>
2168	<P CLASS="western" ALIGN=JUSTIFY>This section describes how to make
2169	an installation from the MySQL binary package tarball. System
2170	administrators may wish to use an existing installation of MySQL or
2171	use an alternative installation method such as rpm. Installing from
2172	the binary package has the advantage that it doesnât interfere with
2173	any existing MySQL installation on the target machine. The
2174	instructions are adapted from the file <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">INSTALL-BINARY</SPAN></FONT>
2175	provided in the tarball.</P>
2176	<H3 CLASS="western"><A NAME="5.1.1.Version\|outline"></A>5.1.1Version</H3>
2177	<P CLASS="western" ALIGN=LEFT>Version 3.23 or later is recommended.
2178	These instructions are for version 5.0.20a, the latest stable release
2179	at time of writing.</P>
2180	<H3 CLASS="western"><A NAME="5.1.2.Getting the Binaries\|outline"></A>5.1.2Getting
2181	the Binaries</H3>
2182	<P CLASS="western" ALIGN=LEFT>The package can be obtained from the
2183	MySQL web site (<FONT COLOR="#0000ff"><U><A HREF="http://dev.mysql.com/downloads/mysql/5.0.html">http://dev.mysql.com/downloads/mysql/5.0.html</A></U></FONT>).
2184	Scroll to the correct version - Linux (non RPM, Intel C/C++
2185	compiled, glibc-X.X) downloads. The version of glibc on the target
2186	machine can be checked using same machine as the web server.</P>
2187	<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2188	<COL WIDTH=605>
2189	<TR>
2190	<TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
2191	<P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><BR>$
2192	ls /lib/libc-*</FONT></P>
2193	</TD>
2194	</TR>
2195	</TABLE>
2196	<P CLASS="western" ALIGN=LEFT><BR><BR>
2197	</P>
2198	<H3 CLASS="western"><A NAME="5.1.3.New mysql User Account\|outline"></A>
2199	5.1.3New <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB"><I>mysql</I></SPAN></FONT>
2200	User Account</H3>
2201	<P CLASS="western" ALIGN=JUSTIFY>Make a new account to run MySQL if
2202	it doesnât already exist:</P>
2203	<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2204	<COL WIDTH=605>
2205	<TR>
2206	<TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
2207	<P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><BR>$
2208	groupadd mysql<BR>$ useradd -g mysql mysql</FONT></P>
2209	</TD>
2210	</TR>
2211	</TABLE>
2212	<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
2213	</P>
2214	<H3 CLASS="western"><A NAME="5.1.4.Unpacking the tarball\|outline"></A>
2215	5.1.4Unpacking the tarball</H3>
2216	<P CLASS="western" ALIGN=LEFT>As root copy the tarball to the target
2217	directory for installation e.g. /usr/local, unpack the file:</P>
2218	<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2219	<COL WIDTH=605>
2220	<TR>
2221	<TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
2222	<P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><BR>$
2223	cd /usr/local<BR>$ tar zxvf
2224	mysql-standard-5.0.20a-linux-i686-icc-glibc23.tar.gz</FONT></P>
2225	</TD>
2226	</TR>
2227	</TABLE>
2228	<P CLASS="western" ALIGN=LEFT><BR><BR>
2229	</P>
2230	<P CLASS="western" ALIGN=LEFT>Make a symbolic link to the new
2231	directory and â<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">cd</SPAN></FONT>â
2232	to it:
2233	</P>
2234	<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2235	<COL WIDTH=605>
2236	<TR>
2237	<TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
2238	<P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><BR>$
2239	ln -s /usr/local/mysql-standard-5.0.20a-linux-i686-icc-glibc23
2240	mysql<BR>$ cd mysql</FONT></P>
2241	</TD>
2242	</TR>
2243	</TABLE>
2244	<P CLASS="western" ALIGN=LEFT><BR><BR>
2245	</P>
2246	<P CLASS="western" ALIGN=LEFT>The <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">bin</SPAN></FONT>
2247	directory contains client programs and the server. You should add
2248	the full pathname of this directory to your <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">PATH</SPAN></FONT>
2249	environment variable so that your shell finds the MySQL programs
2250	properly.
2251	</P>
2252	<H3 CLASS="western"><A NAME="5.1.5.Configuration File\|outline"></A>5.1.5Configuration
2253	File</H3>
2254	<P CLASS="western" ALIGN=JUSTIFY>Create a configuration file called
2255	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">my.cnf</SPAN></FONT>
2256	in the target directory (<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/usr/local/mysql</SPAN></FONT>
2257	in this example) to enable custom settings to be made for this
2258	installation. Note that if there is an existing installation of
2259	MySQL, there may be settings existing settings in a file <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/etc/my.cnf</SPAN></FONT>.
2260	To use the settings from this file, <I>ignore</I> this step.</P>
2261	<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2262	<COL WIDTH=605>
2263	<TR>
2264	<TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
2265	<P STYLE="margin-bottom: 0cm"><BR>
2266	</P>
2267	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">[mysqld]</FONT></P>
2268	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">datadir=/usr/local/mysql-standard-5.0.20a-linux-i686-icc-glibc23/data</FONT></P>
2269	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">socket=/tmp/mysql.sock</FONT></P>
2270	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#
2271	Default to using old password format for compatibility with mysql
2272	3.x</FONT></P>
2273	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#
2274	clients (those using the mysqlclient10 compatibility package).</FONT></P>
2275	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">old_passwords=1</FONT></P>
2276	<P STYLE="margin-bottom: 0cm"><BR>
2277	</P>
2278	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">[mysql.server]</FONT></P>
2279	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">user=mysql</FONT></P>
2280	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">basedir=/usr/local/mysql-standard-5.0.20a-linux-i686-icc-glibc23</FONT></P>
2281	<P STYLE="margin-bottom: 0cm"><BR>
2282	</P>
2283	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">[mysqld_safe]</FONT></P>
2284	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">err-log=/var/log/mysqld.log</FONT></P>
2285	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">pid-file=/tmp/mysql.pid</FONT></P>
2286	<P><BR>
2287	</P>
2288	</TD>
2289	</TR>
2290	</TABLE>
2291	<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
2292	</P>
2293	<P CLASS="western" ALIGN=JUSTIFY>The settings above will mean that
2294	MySQLâs tables and the Credential Repository database will be
2295	stored under <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/usr/local/mysql/data</SPAN></FONT>.</P>
2296	<H3 CLASS="western"><A NAME="5.1.6.Create the Grant Tables\|outline"></A>
2297	5.1.6Create the Grant Tables</H3>
2298	<P CLASS="western" ALIGN=LEFT>The <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">scripts</SPAN></FONT>
2299	directory contains the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">mysql_install_db</SPAN></FONT>
2300	script used to initialize the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">mysql</SPAN></FONT>
2301	database containing the grant tables that store the server access
2302	permissions. If you have not installed MySQL before, you must create
2303	the MySQL grant tables:</P>
2304	<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2305	<COL WIDTH=605>
2306	<TR>
2307	<TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
2308	<P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><BR>$
2309	scripts/mysql_install_db --user=mysql</FONT></P>
2310	</TD>
2311	</TR>
2312	</TABLE>
2313	<P CLASS="western" ALIGN=LEFT><BR><BR>
2314	</P>
2315	<P CLASS="western" ALIGN=LEFT>If you run the command as <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">root</SPAN></FONT>,
2316	you must use the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">--user</SPAN></FONT>
2317	option as shown. The value of the option should be the name of the
2318	login account that you created in the first step to use for running
2319	the server. If you run the command while logged in as that user, you
2320	can omit the -user option. After creating or updating the grant
2321	tables, you need to restart the server manually.</P>
2322	<H3 CLASS="western"><A NAME="5.1.7.File and Directory Permissions\|outline"></A>
2323	5.1.7File and Directory Permissions</H3>
2324	<P CLASS="western" ALIGN=LEFT>Change the ownership of program
2325	binaries to <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">root</SPAN></FONT>
2326	and ownership of the data directory <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">mysql</SPAN></FONT>.
2327	Assuming that you are located in the installation directory
2328	(<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/usr/local/mysql</SPAN></FONT>),
2329	the commands look like this:</P>
2330	<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2331	<COL WIDTH=605>
2332	<TR>
2333	<TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
2334	<P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><BR>$
2335	chown -R root .<BR>$ chown -R mysql data<BR>$ chgrp -R mysql .</FONT></P>
2336	</TD>
2337	</TR>
2338	</TABLE>
2339	<P CLASS="western" ALIGN=LEFT><BR><BR>
2340	</P>
2341	<P CLASS="western" ALIGN=LEFT>The first command changes the owner
2342	attribute of the files to the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">root</SPAN></FONT>
2343	user. The second changes the owner attribute of the data directory to
2344	the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">mysql</SPAN></FONT>
2345	user. The third changes the group attribute to the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">mysql</SPAN></FONT>
2346	group.</P>
2347	<H3 CLASS="western"><A NAME="5.1.8.Starting the Server\|outline"></A>5.1.8Starting
2348	the Server</H3>
2349	<P CLASS="western" ALIGN=LEFT>If you want MySQL to start
2350	automatically when you boot your machine, you can copy
2351	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">support-files/mysql.server</SPAN></FONT>
2352	to the location where your system has its startup files. More
2353	information can be found in the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">support-files/mysql.server</SPAN></FONT>
2354	script itself.</P>
2355	<P CLASS="western" ALIGN=LEFT>To start the MySQL server, use the
2356	following command:</P>
2357	<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2358	<COL WIDTH=605>
2359	<TR>
2360	<TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
2361	<P><BR><BR>
2362	</P>
2363	<P LANG="nb-NO"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
2364	bin/mysqld_safe --user=mysql &</FONT></P>
2365	</TD>
2366	</TR>
2367	</TABLE>
2368	<P LANG="nb-NO" CLASS="western" ALIGN=LEFT><BR><BR>
2369	</P>
2370	<P CLASS="western" ALIGN=LEFT>If that command fails immediately and
2371	prints <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">mysqld
2372	ended</SPAN></FONT>, you can find some information in the
2373	<hostname><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">.err</SPAN></FONT>
2374	file in the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">data</SPAN></FONT>
2375	directory.</P>
2376	<H3 CLASS="western"><A NAME="_Ref133893123"></A><A NAME="5.1.9.Securing MySQL Accounts\|outline"></A>
2377	5.1.9Securing MySQL Accounts</H3>
2378	<P CLASS="western" ALIGN=JUSTIFY>To delete the anonymous accounts:</P>
2379	<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2380	<COL WIDTH=605>
2381	<TR>
2382	<TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
2383	<P STYLE="margin-bottom: 0cm"><BR>
2384	</P>
2385	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
2386	mysql -u root</FONT></P>
2387	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">mysql>
2388	DELETE FROM mysql.user WHERE User = '';</FONT></P>
2389	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">mysql>
2390	FLUSH PRIVILEGES;</FONT></P>
2391	<P><BR>
2392	</P>
2393	</TD>
2394	</TR>
2395	</TABLE>
2396	<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
2397	</P>
2398	<P CLASS="western" ALIGN=JUSTIFY>Set the password for the root
2399	account:</P>
2400	<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2401	<COL WIDTH=605>
2402	<TR>
2403	<TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
2404	<P STYLE="margin-bottom: 0cm"><BR>
2405	</P>
2406	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">mysql>
2407	SET PASSWORD FOR 'root'@'localhost' = PASSWORD('newpwd');</FONT></P>
2408	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">mysql>
2409	SET PASSWORD FOR 'root'@'<I>hostname</I>' = PASSWORD('newpwd');</FONT></P>
2410	<P><BR>
2411	</P>
2412	</TD>
2413	</TR>
2414	</TABLE>
2415	<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
2416	</P>
2417	<P CLASS="western" ALIGN=JUSTIFY>The hostname can be checked using
2418	the query:</P>
2419	<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2420	<COL WIDTH=605>
2421	<TR>
2422	<TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
2423	<P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><BR>mysql>
2424	SELECT Host, User FROM mysql.user;</FONT></P>
2425	</TD>
2426	</TR>
2427	</TABLE>
2428	<P CLASS="western" ALIGN=LEFT><BR><BR>
2429	</P>
2430	<P CLASS="western" ALIGN=LEFT>Add a new account for use with the
2431	Credential Repository database e.g.</P>
2432	<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2433	<COL WIDTH=605>
2434	<TR>
2435	<TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
2436	<P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><BR>mysql>
2437	GRANT SELECT, UPDATE, INSERT, DELETE ON ndgCredRepos.* TO
2438	'ndgUser'@'localhost' IDENTIFIED BY 'password' WITH GRANT OPTION;</FONT></P>
2439	</TD>
2440	</TR>
2441	</TABLE>
2442	<P CLASS="western" ALIGN=LEFT><BR>The above statement grants the
2443	user, <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndgUser</SPAN></FONT>
2444	with password, <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">password</SPAN></FONT>,
2445	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">select</SPAN></FONT>,
2446	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">update</SPAN></FONT>
2447	and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">insert</SPAN></FONT>
2448	privileges on the tables of database <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndgCredRepos</SPAN></FONT>.
2449	The user may only connect from the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">localhost</SPAN></FONT>.
2450	Hence, in this case the Session Manager and Credential Repository
2451	must be installed on the same machine. To allow the Credential
2452	Repository to run on a separate machine to the Session Manager, the
2453	account must have permission to connect remotely. This can be
2454	achieved by altering the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">GRANT</SPAN></FONT>
2455	statement above to:</P>
2456	<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2457	<COL WIDTH=605>
2458	<TR>
2459	<TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
2460	<P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><BR>mysql>
2461	GRANT SELECT, UPDATE, INSERT, DELETE ON ndgCredRepos.* TO
2462	'ndgUser'@â%â IDENTIFIED BY 'password' WITH GRANT OPTION;</FONT></P>
2463	</TD>
2464	</TR>
2465	</TABLE>
2466	<P CLASS="western" ALIGN=LEFT><BR><BR>
2467	</P>
2468	<P CLASS="western" ALIGN=LEFT>You also can set up new accounts using
2469	the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">bin/mysql_setpermission</SPAN></FONT>
2470	script if you install the `DBI' and `DBD::mysql' Perl modules.</P>
2471	<P CLASS="western" ALIGN=LEFT>See section 4.3.1 for details about
2472	creation of the Credential Repository database.</P>
2473	<H3 CLASS="western"><A NAME="5.1.10.Server Automated Start up\|outline"></A>
2474	5.1.10Server Automated Start up</H3>
2475	<P CLASS="western" ALIGN=JUSTIFY><todo: ></P>
2476	<P CLASS="western" ALIGN=LEFT><BR><BR>
2477	</P>
2478	<H2 CLASS="western"><A NAME="5.2.HTTPS set-up with Apache Web Server\|outline"></A>
2479	5.2HTTPS set-up with Apache Web Server</H2>
2480	<P CLASS="western" ALIGN=JUSTIFY>NDG security requires HTTPS for the
2481	transfer of user credentials across cookie domains between a data
2482	provider web page requesting user credentials and a userâs NDG home
2483	login page.</P>
2484	<P CLASS="western" ALIGN=JUSTIFY><todo: full explanation - incl.
2485	mod_ssl must be installed></P>
2486	<H3 CLASS="western"><A NAME="5.2.1.Web Server Host Certificate Generation\|outline"></A>
2487	5.2.1Web Server Host Certificate Generation</H3>
2488	<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2489	<COL WIDTH=605>
2490	<TR>
2491	<TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
2492	<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
2493	</P>
2494	<P STYLE="margin-bottom: 0cm"><A NAME="OLE_LINK1"></A><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
2495	grid-cert-request -prefix <I><hostname></I> -dir . -cn
2496	<I><hostname></I> -nopw </FONT>
2497	</P>
2498	<P><BR>
2499	</P>
2500	</TD>
2501	</TR>
2502	</TABLE>
2503	<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
2504	</P>
2505	<H3 CLASS="western"><A NAME="5.2.2.Apache Configuration File Settings\|outline"></A>
2506	5.2.2Apache Configuration File Settings</H3>
2507	<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
2508	</P>
2509	<H2 CLASS="western"><A NAME="_Ref132181551"></A><A NAME="5.3.Apache Web Server Proxy Settings Configuration for Web Services\|outline"></A>
2510	5.3Apache Web Server Proxy Settings Configuration for Web Services</H2>
2511	<P CLASS="western" ALIGN=JUSTIFY>Apache provides a convenient
2512	mechanism to re-route web service ports through port 80 and so make
2513	them available to the outside world. This may be helpful if when
2514	deploying NDG Security you do not wish to open additional ports in
2515	your site firewall settings.</P>
2516	<P CLASS="western" ALIGN=JUSTIFY>Edit the Apache configuration file.
2517	This should be located at <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/etc/httpd/conf</SPAN></FONT></P>
2518	<P CLASS="western" ALIGN=JUSTIFY>Add <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ProxyPass</SPAN></FONT>
2519	and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ProxyPassReverse</SPAN></FONT>
2520	entries for the Session Manager and Attribute Authority web services.
2521	The first argument after the directive name itself is the directory
2522	that the service will be served from relative to the web server URL.
2523	So below, if the URL of the web server is <FONT COLOR="#0000ff"><U><A HREF="http://www.badc.rl.ac.uk/">http://www.badc.rl.ac.uk</A></U></FONT>,
2524	then the Session Manager would be available at
2525	<FONT COLOR="#0000ff"><U><A HREF="http://www.badc.rl.ac.uk/sessionMgr">https://www.badc.rl.ac.uk/sessionMgr</A></U></FONT>.
2526	The second argument is the actual location where the web service is
2527	running locally. In the example below, the Session Manager is
2528	running on port 5700 on the same machine as the web server.</P>
2529	<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2530	<COL WIDTH=605>
2531	<TR>
2532	<TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
2533	<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
2534	</P>
2535	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#
2536	Session Manager and Attribute Authority settings</FONT></P>
2537	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">ProxyPass
2538	/sessionMgr https://localhost:5700/</FONT></P>
2539	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">ProxyPassReverse
2540	/sessionMgr https://localhost:5700/</FONT></P>
2541	<P STYLE="margin-bottom: 0cm"><BR>
2542	</P>
2543	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">ProxyPass
2544	/attAuthority http://localhost:5000/</FONT></P>
2545	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">ProxyPassReverse
2546	/attAuthority http://localhost:5000/</FONT></P>
2547	<P CLASS="western" ALIGN=LEFT><BR>
2548	</P>
2549	</TD>
2550	</TR>
2551	</TABLE>
2552	<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
2553	</P>
2554	<P CLASS="western" ALIGN=JUSTIFY>Restart the Apache web server. This
2555	can be done in a variety of ways. As root user:</P>
2556	<OL>
2557	<LI><P CLASS="western" ALIGN=LEFT>On Redhat machines, using the
2558	command <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">redhat-config-services</SPAN></FONT>
2559	or <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">system-config-services</SPAN></FONT>
2560	In the GUI, click on httpd in the list and press the Restart button</P>
2561	</OL>
2562	<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2563	<COL WIDTH=605>
2564	<TR>
2565	<TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
2566	<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
2567	</P>
2568	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
2569	redhat-config-services</FONT></P>
2570	<P CLASS="western" ALIGN=LEFT><BR>
2571	</P>
2572	</TD>
2573	</TR>
2574	</TABLE>
2575	<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
2576	</P>
2577	<OL START=2>
2578	<LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">service
2579	</SPAN></FONT>command</P>
2580	</OL>
2581	<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2582	<COL WIDTH=605>
2583	<TR>
2584	<TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
2585	<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
2586	</P>
2587	<P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
2588	/sbin/service httpd restart</FONT></P>
2589	<P CLASS="western" ALIGN=LEFT><BR>
2590	</P>
2591	</TD>
2592	</TR>
2593	</TABLE>
2594	<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
2595	</P>
2596	<OL START=3>
2597	<LI><P CLASS="western" ALIGN=JUSTIFY>apache command</P>
2598	</OL>
2599	<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2600	<COL WIDTH=605>
2601	<TR>
2602	<TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
2603	<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
2604	</P>
2605	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
2606	apachectl restart</FONT></P>
2607	<P CLASS="western" ALIGN=LEFT><BR>
2608	</P>
2609	</TD>
2610	</TR>
2611	</TABLE>
2612	<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
2613	</P>
2614	<OL START=4>
2615	<LI><P CLASS="western" ALIGN=JUSTIFY>Using <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB"><FONT SIZE=2 STYLE="font-size: 9pt">kill</FONT></SPAN></FONT></P>
2616	</OL>
2617	<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2618	<COL WIDTH=605>
2619	<TR>
2620	<TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
2621	<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
2622	</P>
2623	<P LANG="sv-SE" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
2624	kill -HUP `cat /etc/httpd/run/httpd.pid`</FONT></P>
2625	<P LANG="sv-SE" CLASS="western" ALIGN=LEFT><BR>
2626	</P>
2627	</TD>
2628	</TR>
2629	</TABLE>
2630	<P LANG="sv-SE" CLASS="western" ALIGN=JUSTIFY STYLE="margin-left: 0.64cm">
2631	<BR><BR>
2632	</P>
2633	<P CLASS="western" ALIGN=JUSTIFY>Note in the last case that the
2634	location of the pid file will depend on your installation.</P>
2635	<P CLASS="western" ALIGN=JUSTIFY>Once the changes have been made,
2636	ensure that <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">sessionMgr.wsdl</SPAN></FONT>
2637	and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">attAuthority.wsdl</SPAN></FONT>
2638	contain the new locations for the web services in the tag
2639	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB"><soap:address
2640	location=ââŠâ></SPAN></FONT>
2641	</P>
2642	<H2 CLASS="western"><A NAME="5.4.An Example Attribute Authority AAUserRoles interface class\|outline"></A>
2643	5.4An Example Attribute Authority AAUserRoles interface class</H2>
2644	<P CLASS="western" ALIGN=JUSTIFY>This interface is required in order
2645	to link the Attribute Authority to the data centreâs system for
2646	identifying registered users and managing their roles. The
2647	installation comes with a simple test class which illustrates this:</P>
2648	<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2649	<COL WIDTH=610>
2650	<TR>
2651	<TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
2652	<P STYLE="margin-bottom: 0cm"><BR>
2653	</P>
2654	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">"""NDG
2655	Attribute Authority User Roles class - acts as an interface
2656	between</FONT></P>
2657	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">the
2658	data centre's user roles configuration and the Attribute Authority</FONT></P>
2659	<P STYLE="margin-bottom: 0cm">
2660
2661	</P>
2662	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">NERC
2663	Data Grid Project</FONT></P>
2664	<P STYLE="margin-bottom: 0cm">
2665
2666	</P>
2667	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">P
2668	J Kershaw 29/07/05</FONT></P>
2669	<P STYLE="margin-bottom: 0cm">
2670
2671	</P>
2672	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Copyright
2673	(C) 2005 CCLRC & NERC</FONT></P>
2674	<P STYLE="margin-bottom: 0cm">
2675
2676	</P>
2677	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">This
2678	software may be distributed under the terms of the Q Public
2679	License,</FONT></P>
2680	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">version
2681	1.0 or later.</FONT></P>
2682	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">"""</FONT></P>
2683	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">cvsID
2684	= '$Id'</FONT></P>
2685	<P STYLE="margin-bottom: 0cm"><BR>
2686	</P>
2687	<P STYLE="margin-bottom: 0cm"><BR>
2688	</P>
2689	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">from
2690	AttAuthority import AAUserRoles</FONT></P>
2691	<P STYLE="margin-bottom: 0cm"><BR>
2692	</P>
2693	<P STYLE="margin-bottom: 0cm"><BR>
2694	</P>
2695	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">class
2696	TestUserRoles(AAUserRoles):</FONT></P>
2697	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">"""Test
2698	User Roles class dynamic import for Attribute Authority"""</FONT></P>
2699	<P STYLE="margin-bottom: 0cm"><BR>
2700	</P>
2701	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">def
2702	__init__(self, propertiesFilePath=None):</FONT></P>
2703	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="nb-NO">pass</SPAN></FONT></P>
2704	<P LANG="nb-NO" STYLE="margin-bottom: 0cm"><BR>
2705	</P>
2706	<P LANG="nb-NO" STYLE="margin-bottom: 0cm"><BR>
2707	</P>
2708	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="nb-NO">def
2709	userIsRegistered(self, dn):</SPAN></FONT></P>
2710	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">return
2711	True</FONT></P>
2712	<P STYLE="margin-bottom: 0cm"><BR>
2713	</P>
2714	<P STYLE="margin-bottom: 0cm"><BR>
2715	</P>
2716	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">def
2717	getRoles(self, dn):</FONT></P>
2718	<P> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">return
2719	['staff', 'postdoc', 'undergrad'] </FONT>
2720	</P>
2721	<P><BR>
2722	</P>
2723	</TD>
2724	</TR>
2725	</TABLE>
2726	<P STYLE="margin-bottom: 0cm"><BR>
2727	</P>
2728	<P CLASS="western" ALIGN=JUSTIFY>The class must inherit from the
2729	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">AAUserRoles</SPAN></FONT>
2730	interface class. It must override the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">userIsRegistered</SPAN></FONT>
2731	and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">getRoles</SPAN></FONT>
2732	methods:</P>
2733	<UL>
2734	<LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">userIsRegistered()</SPAN></FONT>
2735	â returns True if the user with the given input Distinguished Name
2736	is registered at the site. This method might contain an SQL query
2737	to the siteâs user database for example. This method is <I>optional</I>.</P>
2738	<LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">getRoles()</SPAN></FONT>
2739	â returns a list of roles to which the user with the given input
2740	Distinguished Name is enrolled. Again, this method could be
2741	implemented with an SQL query to retrieve the roles for a given
2742	user. Note, that if not roles are found, the method should return
2743	[].</P>
2744	<LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">__init__()</SPAN></FONT>
2745	â optionally, the initialisation method may be overridden to
2746	enable for example the setting up of a database connection. The
2747	path to a properties file may be passed in. This could contain
2748	database connection settings.</P>
2749	</UL>
2750	<P CLASS="western" ALIGN=JUSTIFY>The custom class used by the BODC is
2751	a more detailed example:</P>
2752	<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2753	<COL WIDTH=610>
2754	<TR>
2755	<TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
2756	<P STYLE="margin-bottom: 0cm"><BR>
2757	</P>
2758	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">"""NDG
2759	Attribute Authority User Roles class for the BODC - acts as an
2760	interface</FONT></P>
2761	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">between
2762	BODC user database and the Attribute Authority</FONT></P>
2763	<P STYLE="margin-bottom: 0cm"><BR>
2764	</P>
2765	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">NERC
2766	Data Grid Project</FONT></P>
2767	<P STYLE="margin-bottom: 0cm"><BR>
2768	</P>
2769	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">P
2770	J Kershaw 09/09/05</FONT></P>
2771	<P STYLE="margin-bottom: 0cm"><BR>
2772	</P>
2773	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Copyright
2774	(C) 2005 CCLRC & NERC</FONT></P>
2775	<P STYLE="margin-bottom: 0cm"><BR>
2776	</P>
2777	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">This
2778	software may be distributed under the terms of the Q Public
2779	License,</FONT></P>
2780	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">version
2781	1.0 or later.</FONT></P>
2782	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">"""</FONT></P>
2783	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">from
2784	DCOracle2 import *</FONT></P>
2785	<P STYLE="margin-bottom: 0cm"><BR>
2786	</P>
2787	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#
2788	For parsing of properties file</FONT></P>
2789	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">import
2790	cElementTree as ElementTree</FONT></P>
2791	<P STYLE="margin-bottom: 0cm"><BR>
2792	</P>
2793	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">from
2794	NDG.X509 import *</FONT></P>
2795	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">from
2796	NDG.AttAuthority import AAUserRoles</FONT></P>
2797	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">from
2798	NDG.AttAuthority import AAUserRolesError</FONT></P>
2799	<P STYLE="margin-bottom: 0cm"><BR>
2800	</P>
2801	<P STYLE="margin-bottom: 0cm"><BR>
2802	</P>
2803	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">class
2804	BODCUserRoles(AAUserRoles):</FONT></P>
2805	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">"""User
2806	Roles class dynamic import for BODC Attribute Authority"""</FONT></P>
2807	<P STYLE="margin-bottom: 0cm"><BR>
2808	</P>
2809	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#
2810	valid configuration property keywords</FONT></P>
2811	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">__validKeys
2812	= [ 'userName', 'dbAddr']</FONT></P>
2813	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">
2814	</FONT>
2815	</P>
2816	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">
2817	</FONT>
2818	</P>
2819	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">def
2820	__init__(self, propFilePath=None):</FONT></P>
2821	<P STYLE="margin-bottom: 0cm">
2822	</P>
2823	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"> self.__db
2824	= None</FONT></P>
2825	<P STYLE="margin-bottom: 0cm"><BR>
2826	</P>
2827	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"> if
2828	propFilePath:</FONT></P>
2829	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">
2830	prop = self.readProperties(propFilePath)</FONT></P>
2831	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">
2832	self.connect(prop['userName'], prop['dbAddr'])</FONT></P>
2833	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"> </FONT></P>
2834	<P STYLE="margin-bottom: 0cm"><BR>
2835	</P>
2836	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">def
2837	readProperties(self, propFilePath):</FONT></P>
2838	<P STYLE="margin-bottom: 0cm"><BR>
2839	</P>
2840	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">"""Read
2841	the configuration properties for the Attribute Authority</FONT></P>
2842	<P STYLE="margin-bottom: 0cm"><BR>
2843	</P>
2844	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">propFilePath:
2845	file path to properties file</FONT></P>
2846	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">"""</FONT></P>
2847	<P STYLE="margin-bottom: 0cm">
2848	</P>
2849	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">try:</FONT></P>
2850	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">tree
2851	= ElementTree.parse(propFilePath)</FONT></P>
2852	<P STYLE="margin-bottom: 0cm">
2853	</P>
2854	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">except
2855	IOError, ioErr:</FONT></P>
2856	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">raise
2857	AAUserRolesError(\</FONT></P>
2858	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">"Error
2859	parsing properties file \"%s\": %s" % \</FONT></P>
2860	<P STYLE="margin-bottom: 0cm">
2861	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">(ioErr.filename,
2862	ioErr.strerror))</FONT></P>
2863	<P STYLE="margin-bottom: 0cm"><BR>
2864	</P>
2865	<P STYLE="margin-bottom: 0cm">
2866	</P>
2867	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">prop
2868	= tree.getroot()</FONT></P>
2869	<P STYLE="margin-bottom: 0cm"><BR>
2870	</P>
2871	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#
2872	Copy properties from file as member variables</FONT></P>
2873	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">userRolesProp
2874	= \</FONT></P>
2875	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"> dict([(elem.tag,
2876	elem.text.strip()) for elem in prop])</FONT></P>
2877	<P STYLE="margin-bottom: 0cm"><BR>
2878	</P>
2879	<P STYLE="margin-bottom: 0cm"><BR>
2880	</P>
2881	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#
2882	Check for missing properties</FONT></P>
2883	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">propKeys
2884	= userRolesProp.keys()</FONT></P>
2885	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">missingKeys
2886	= [key for key in BODCUserRoles.__validKeys \</FONT></P>
2887	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">if
2888	key not in propKeys]</FONT></P>
2889	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">if
2890	missingKeys != []:</FONT></P>
2891	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">raise
2892	AAUserRolesError("The following properties are " + \</FONT></P>
2893	<P STYLE="margin-bottom: 0cm">
2894	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">"missing
2895	from the properties file: " + \</FONT></P>
2896	<P STYLE="margin-bottom: 0cm">
2897	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">',
2898	'.join(missingKeys))</FONT></P>
2899	<P STYLE="margin-bottom: 0cm"><BR>
2900	</P>
2901	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"> return
2902	userRolesProp</FONT></P>
2903	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"> </FONT></P>
2904	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"> </FONT></P>
2905	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"> </FONT></P>
2906	<P STYLE="margin-bottom: 0cm"><BR>
2907	</P>
2908	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">def
2909	connect(self, </FONT>
2910	</P>
2911	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"> userName,</FONT></P>
2912	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"> dbAddr,
2913	</FONT>
2914	</P>
2915	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"> passPhrase=None,</FONT></P>
2916	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"> prompt=None):</FONT></P>
2917	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"> """Connect
2918	to database</FONT></P>
2919	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"> </FONT></P>
2920	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"> If
2921	no passphrase is given prompt from stdin"""</FONT></P>
2922	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"> </FONT></P>
2923	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"> </FONT></P>
2924	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"> if
2925	not passPhrase:</FONT></P>
2926	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">
2927	if not prompt:</FONT></P>
2928	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">
2929	prompt = "Database Passphrase: "</FONT></P>
2930	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"> </FONT></P>
2931	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">
2932	import getpass</FONT></P>
2933	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">passPhrase
2934	= getpass.getpass(prompt=prompt)</FONT></P>
2935	<P STYLE="margin-bottom: 0cm"><BR>
2936	</P>
2937	<P STYLE="margin-bottom: 0cm"><BR>
2938	</P>
2939	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">try:</FONT></P>
2940	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">
2941	self.__db = connect("%s/%s@%s" % (userName,
2942	passPhrase, dbAddr))</FONT></P>
2943	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">
2944	self.__cursor = self.__db.cursor()</FONT></P>
2945	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">
2946	</FONT>
2947	</P>
2948	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"> except
2949	Exception, e:</FONT></P>
2950	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">
2951	raise AAUserRolesError(\</FONT></P>
2952	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">
2953	"Error connecting to database \"%s\": %s"
2954	% (dbAddr, e))</FONT></P>
2955	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"> </FONT></P>
2956	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"> </FONT></P>
2957	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">def
2958	userIsRegistered(self, dn):</FONT></P>
2959	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"> """Check
2960	user with given Distinguished Name is registered with </FONT>
2961	</P>
2962	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"> BODC
2963	database"""</FONT></P>
2964	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"> </FONT></P>
2965	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"> try:</FONT></P>
2966	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">
2967	emailAddr = X500DN(dn)['CN']</FONT></P>
2968	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">
2969	query = "<BODC Database query>"</FONT></P>
2970	<P STYLE="margin-bottom: 0cm">
2971	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">self.__cursor.execute(query,
2972	emailAddr)</FONT></P>
2973	<P STYLE="margin-bottom: 0cm"><BR>
2974	</P>
2975	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">
2976	if self.__cursor.fetchall():</FONT></P>
2977	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">
2978	return True</FONT></P>
2979	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">
2980	else:</FONT></P>
2981	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">
2982	return False</FONT></P>
2983	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"> </FONT></P>
2984	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"> except
2985	Exception, e:</FONT></P>
2986	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">
2987	raise AAUserRolesError(\</FONT></P>
2988	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">
2989	"Error checking user \"%s\" is registered: %s"
2990	% (dn, e))</FONT></P>
2991	<P STYLE="margin-bottom: 0cm"><BR>
2992	</P>
2993	<P STYLE="margin-bottom: 0cm"><BR>
2994	</P>
2995	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">def
2996	getRoles(self, dn):</FONT></P>
2997	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">"""Retrieve
2998	roles from user with given Distinguished Name"""</FONT></P>
2999	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"> try:</FONT></P>
3000	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">
3001	emailAddr = X500DN(dn)['CN']</FONT></P>
3002	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">
3003	query = "<BODC Database query>"</FONT></P>
3004	<P STYLE="margin-bottom: 0cm">
3005	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">self.__cursor.execute(query,
3006	emailAddr)</FONT></P>
3007	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">
3008	roles = self.__cursor.fetchall()</FONT></P>
3009	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">
3010	return [i[0] for i in roles]</FONT></P>
3011	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">
3012	</FONT>
3013	</P>
3014	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"> <SPAN LANG="fr-FR">except
3015	Exception, e:</SPAN></FONT></P>
3016	<P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">
3017	raise AAUserRolesError(\</FONT></P>
3018	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="fr-FR">
3019	</SPAN>"Error getting roles for user \"%s\" is
3020	registered: %s" % (dn, e))</FONT></P>
3021	<P><BR>
3022	</P>
3023	</TD>
3024	</TR>
3025	</TABLE>
3026	<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
3027	</P>
3028	<P CLASS="western" ALIGN=JUSTIFY>Note:</P>
3029	<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
3030	</P>
3031	<UL>
3032	<LI><P CLASS="western" ALIGN=JUSTIFY>It use the Python library
3033	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">DCOracle2</SPAN></FONT>
3034	to connect to an Oracle database.</P>
3035	<LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ElementTree</SPAN></FONT>
3036	Python library is used to parse an XML properties file.</P>
3037	</UL>
3038	<P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">NDG.X509</SPAN></FONT>
3039	security python library is used to parse the user Distinguished Name
3040	passed into <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">getRoles</SPAN></FONT>
3041	and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">userIsRegistered</SPAN></FONT>
3042	methods.</P>
3043	<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
3044	</P>
3045	<H2 CLASS="western"><A NAME="5.5.Troubleshooting\|outline"></A>5.5Troubleshooting</H2>
3046	<H3 CLASS="western"><A NAME="5.5.1.M2Crypto SWIG Build Error\|outline"></A>
3047	5.5.1M2Crypto SWIG Build Error</H3>
3048	<P CLASS="western" ALIGN=JUSTIFY>M2Crypto uses SWIG to bind C OpenSSL
3049	library code to the Python interface. Compilation errors with swig
3050	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">.i</SPAN></FONT>
3051	files in the M2Crypto tar bundle can be caused by using an earlier
3052	version of swig. This has been seen with the default swig on Redhat
3053	EL4. This comes with swig version 1.1. To check the SWIG version
3054	number type:</P>
3055	<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
3056	<COL WIDTH=610>
3057	<TR>
3058	<TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
3059	<P STYLE="margin-bottom: 0cm"><BR>
3060	</P>
3061	<P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ swig
3062	-version</FONT></P>
3063	<P><BR>
3064	</P>
3065	</TD>
3066	</TR>
3067	</TABLE>
3068	<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
3069	</P>
3070	<P CLASS="western" ALIGN=JUSTIFY>To fix update to a version > 1.1
3071	and re-run the installation script. SWIG is available from
3072	<FONT COLOR="#0000ff"><U><A HREF="http://www.swig.org/">http://www.swig.org/</A></U></FONT></P>
3073	<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
3074	</P>
3075	<H3 CLASS="western"><A NAME="5.5.2.PyXML\|outline"></A>5.5.2PyXML</H3>
3076	<P CLASS="western" ALIGN=JUSTIFY>error: Could not find suitable
3077	distribution for Requirement.parse('PyXML>=0.8.3')</P>
3078	<P CLASS="western" ALIGN=JUSTIFY>$ easy_install âf
3079	<FONT COLOR="#0000ff"><U><A HREF="http://sourceforge.net/project/showfiles.php?group_id=6473">http://sourceforge.net/project/showfiles.php?group_id=6473</A></U></FONT>
3080	PyXML</P>
3081	<P CLASS="western" ALIGN=JUSTIFY>or âf option with
3082	ndg-security-install.py</P>
3083	<H3 CLASS="western"><A NAME="5.5.3.4Suite-XML Build error\|outline"></A>
3084	5.5.34Suite-XML Build error</H3>
3085	<P CLASS="western" ALIGN=JUSTIFY>Ft/Xml/src/expat/lib/xmlparse.c:89:2:
3086	#error memmove does not exist on this platform, nor is a substitute
3087	available</P>
3088	<P CLASS="western" ALIGN=JUSTIFY>4Suite-XML 1.0.2</P>
3089	<P CLASS="western" ALIGN=JUSTIFY>$ cat /proc/version</P>
3090	<P CLASS="western" ALIGN=JUSTIFY>Linux version 2.4.21-32.0.1.ELsmp
3091	(bhcompile@bugs.build.redhat.com) (gcc version</P>
3092	<P CLASS="western" ALIGN=JUSTIFY> 3.2.3 20030502 (Red Hat Linux
3093	3.2.3-52)) #1 SMP Tue May 17 17:52:23 EDT 2005</P>
3094	<P CLASS="western" ALIGN=JUSTIFY>$ uname âa
3095	</P>
3096	<P CLASS="western" ALIGN=JUSTIFY>Linux glue.badc.rl.ac.uk
3097	2.4.21-32.0.1.ELsmp #1 SMP Tue May 17 17:52:23 EDT 2005 i686 i686
3098	i386 GNU/Linux</P>
3099	<P CLASS="western" ALIGN=JUSTIFY>Solution</P>
3100	<P CLASS="western" ALIGN=JUSTIFY>$ echo -e
3101	"[build_ext]\ndefine=HAVE_MMEMOVE" > ~/.pydistutils.cfg</P>
3102	<P CLASS="western" ALIGN=JUSTIFY>$ easy_install 4Suite-XML</P>
3103	<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
3104	</P>
3105	</BODY>
3106	</HTML>

Note: See TracBrowser for help on using the repository browser.

Download in other formats: