source: TI12-security/trunk/documentation/InstallationGuide/html/NDGSecurityInstallationGuide.html @ 2921

Revision 2921, 179.0 KB checked in by pjkersha, 13 years ago (diff)

HTML version of installation guide.

1<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
2<HTML>
3<HEAD>
4        <META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=utf-8">
5        <TITLE>NDG Security Installation Guide</TITLE>
6        <META NAME="GENERATOR" CONTENT="OpenOffice.org 2.0  (Linux)">
7        <META NAME="AUTHOR" CONTENT="P J Kershaw">
8        <META NAME="CREATED" CONTENT="20071003;15320000">
9        <META NAME="CHANGEDBY" CONTENT="Authorised User">
10        <META NAME="CHANGED" CONTENT="20071003;15480000">
11        <STYLE TYPE="text/css">
12        <!--
13                @page { size: 21cm 29.7cm; margin-right: 2.29cm; margin-top: 1.27cm; margin-bottom: 1.27cm }
14                @page:first { margin-top: 1.27cm; margin-bottom: 2.54cm }
15                P { margin-bottom: 0.42cm; direction: ltr; color: #000000; text-align: left; widows: 2; orphans: 2 }
16                P.western { font-family: "Helvetica", sans-serif; font-size: 10pt; so-language: en-GB }
17                P.cjk { font-family: "Times New Roman", "Times", serif; font-size: 10pt }
18                P.ctl { font-family: "Times New Roman", "Times", serif; font-size: 10pt; so-language: ar-SA }
19                H1 { margin-bottom: 0.42cm; direction: ltr; color: #000000; text-align: justify; widows: 2; orphans: 2; page-break-before: always }
20                H1.western { font-family: "Helvetica", sans-serif; font-size: 10pt; so-language: en-GB }
21                H1.cjk { font-family: "Times New Roman", "Times", serif; font-size: 10pt }
22                H1.ctl { font-family: "Times New Roman", "Times", serif; font-size: 10pt; so-language: ar-SA; font-weight: medium }
23                H2 { margin-left: 0.1cm; margin-top: 0cm; margin-bottom: 0.42cm; direction: ltr; color: #000000; text-align: left; widows: 2; orphans: 2 }
24                H2.western { font-family: "Helvetica", sans-serif; font-size: 10pt; so-language: en-GB }
25                H2.cjk { font-family: "Times New Roman", "Times", serif; font-size: 10pt }
26                H2.ctl { font-family: "Times New Roman", "Times", serif; font-size: 10pt; so-language: ar-SA; font-weight: medium }
27                H3 { margin-top: 0cm; margin-bottom: 0.42cm; direction: ltr; color: #000000; text-align: justify; widows: 2; orphans: 2 }
28                H3.western { font-family: "Helvetica", sans-serif; font-size: 10pt; so-language: en-GB; font-style: italic }
29                H3.cjk { font-family: "Times New Roman", "Times", serif; font-size: 10pt; font-style: italic }
30                H3.ctl { font-family: "Times New Roman", "Times", serif; font-size: 10pt; so-language: ar-SA; font-weight: medium }
31                H4 { margin-top: 0cm; margin-bottom: 0.42cm; direction: ltr; color: #000000; text-align: justify; widows: 2; orphans: 2 }
32                H4.western { font-family: "Helvetica", sans-serif; font-size: 10pt; so-language: en-GB; font-style: italic; font-weight: medium }
33                H4.cjk { font-family: "Times New Roman", "Times", serif; font-size: 10pt; font-style: italic; font-weight: medium }
34                H4.ctl { font-family: "Times New Roman", "Times", serif; font-size: 10pt; so-language: ar-SA; font-weight: medium }
35                A:link { color: #0000ff }
36                A:visited { color: #800080 }
37        -->
38        </STYLE>
39</HEAD>
40<BODY LANG="en-GB" TEXT="#000000" LINK="#0000ff" VLINK="#800080" DIR="LTR">
41<DIV TYPE=HEADER>
42        <P ALIGN=JUSTIFY STYLE="margin-bottom: 1.17cm"><BR><BR>
43        </P>
44</DIV>
45<P ALIGN=LEFT><BR><BR>
46</P>
47<P ALIGN=LEFT><BR><BR>
48</P>
49<P ALIGN=LEFT><SPAN ID="Frame1" DIR="LTR" STYLE="float: left; width: 12.96cm; height: 4.77cm; border: none; padding: 0cm; background: #ffffff">
50        <P ALIGN=RIGHT><FONT SIZE=6 STYLE="font-size: 28pt"><B>NERC Data
51        Grid Security</B></FONT></P>
52        <P ALIGN=RIGHT><FONT SIZE=6><B>Installation Guide</B></FONT></P>
53        <P ALIGN=RIGHT><FONT SIZE=3><B>Version 0.7</B></FONT></P>
54</SPAN><BR><BR>
55</P>
56<P ALIGN=LEFT STYLE="page-break-before: always"><FONT SIZE=4 STYLE="font-size: 16pt"><B>Document
57Log</B></FONT></P>
58<TABLE WIDTH=627 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
59        <COL WIDTH=194>
60        <COL WIDTH=195>
61        <COL WIDTH=195>
62        <TR VALIGN=TOP>
63                <TD WIDTH=194 BGCOLOR="#d9d9d9">
64                        <P ALIGN=JUSTIFY><B>Version Number</B></P>
65                </TD>
66                <TD WIDTH=195 BGCOLOR="#d9d9d9">
67                        <P CLASS="western" ALIGN=JUSTIFY><B>Date</B></P>
68                </TD>
69                <TD WIDTH=195 BGCOLOR="#d9d9d9">
70                        <P CLASS="western" ALIGN=JUSTIFY><B>Comment</B></P>
71                </TD>
72        </TR>
73        <TR VALIGN=TOP>
74                <TD WIDTH=194>
75                        <P ALIGN=JUSTIFY>0.1</P>
76                </TD>
77                <TD WIDTH=195>
78                        <P CLASS="western" ALIGN=JUSTIFY>04/11/05</P>
79                </TD>
80                <TD WIDTH=195>
81                        <P CLASS="western" ALIGN=JUSTIFY>First Draft</P>
82                </TD>
83        </TR>
84        <TR VALIGN=TOP>
85                <TD WIDTH=194>
86                        <P ALIGN=JUSTIFY>0.2</P>
87                </TD>
88                <TD WIDTH=195>
89                        <P CLASS="western" ALIGN=JUSTIFY>21/02/06</P>
90                </TD>
91                <TD WIDTH=195>
92                        <P CLASS="western" ALIGN=JUSTIFY>Draft for installation at NOCS</P>
93                </TD>
94        </TR>
95        <TR VALIGN=TOP>
96                <TD WIDTH=194>
97                        <P ALIGN=JUSTIFY>0.3</P>
98                </TD>
99                <TD WIDTH=195>
100                        <P CLASS="western" ALIGN=JUSTIFY>07/04/06</P>
101                </TD>
102                <TD WIDTH=195>
103                        <P CLASS="western" ALIGN=JUSTIFY>Updates following installation at
104                        NOCS</P>
105                </TD>
106        </TR>
107        <TR VALIGN=TOP>
108                <TD WIDTH=194>
109                        <P ALIGN=JUSTIFY>0.4</P>
110                </TD>
111                <TD WIDTH=195>
112                        <P CLASS="western" ALIGN=JUSTIFY>25/07/06</P>
113                </TD>
114                <TD WIDTH=195>
115                        <P CLASS="western" ALIGN=JUSTIFY>Include deployment model and
116                        details about SysV style init scripts for web services.</P>
117                </TD>
118        </TR>
119        <TR VALIGN=TOP>
120                <TD WIDTH=194>
121                        <P ALIGN=JUSTIFY>0.5</P>
122                </TD>
123                <TD WIDTH=195>
124                        <P CLASS="western" ALIGN=JUSTIFY>16/01/07</P>
125                </TD>
126                <TD WIDTH=195>
127                        <P CLASS="western" ALIGN=JUSTIFY>Instructions for installation of
128                        python packages and associated C library dependencies from source
129                        and corrections for MyProxy installation.</P>
130                        <P CLASS="western" ALIGN=JUSTIFY>Installation instructions apply
131                        to NDG-Security Post Alpha release 0.72.</P>
132                </TD>
133        </TR>
134        <TR VALIGN=TOP>
135                <TD WIDTH=194>
136                        <P ALIGN=JUSTIFY>0.6</P>
137                </TD>
138                <TD WIDTH=195>
139                        <P CLASS="western" ALIGN=JUSTIFY>17/08/07</P>
140                </TD>
141                <TD WIDTH=195>
142                        <P CLASS="western" ALIGN=JUSTIFY>Updated for NDG Beta release. 
143                        </P>
144                        <UL>
145                                <LI><P CLASS="western" ALIGN=JUSTIFY>Installation of python
146                                packages is now via distutils eggs. 
147                                </P>
148                                <LI><P CLASS="western" ALIGN=JUSTIFY>Python services use Twisted.</P>
149                        </UL>
150                </TD>
151        </TR>
152        <TR VALIGN=TOP>
153                <TD WIDTH=194>
154                        <P ALIGN=JUSTIFY>0.7</P>
155                </TD>
156                <TD WIDTH=195>
157                        <P CLASS="western" ALIGN=JUSTIFY>03/10/07</P>
158                </TD>
159                <TD WIDTH=195>
160                        <P CLASS="western" ALIGN=JUSTIFY>Tidied headers for creation of
161                        HTML version</P>
162                </TD>
163        </TR>
164</TABLE>
165<P ALIGN=LEFT STYLE="page-break-before: always"><FONT SIZE=4 STYLE="font-size: 16pt"><B>Contents</B></FONT></P>
166<DIV ID="Table of Contents1" DIR="LTR">
167        <P ALIGN=JUSTIFY><A HREF="#1. References|outline">1.  References        5</A></P>
168        <P ALIGN=JUSTIFY><A HREF="#2.Introduction|outline">2. Introduction      5</A></P>
169        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#2.1.Pre-requisites |outline">2.1
170        Pre-requisites  5</A></P>
171        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#2.2.Deployment Model|outline">2.2
172        Deployment Model        5</A></P>
173        <P ALIGN=JUSTIFY><A HREF="#3.Software Installation Components|outline">3.
174        Software Installation Components        8</A></P>
175        <P ALIGN=JUSTIFY><A HREF="#4.Installation|outline">4. Installation      9</A></P>
176        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.1.Python Packages|outline">4.1
177        Python Packages 9</A></P>
178        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.1.1.distutils|outline">4.1.1
179        distutils       9</A></P>
180        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.1.2.NDG Security Packages|outline">4.1.2
181        NDG Security Packages   9</A></P>
182        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.2.NDG Web Services Configuration|outline">4.2
183        NDG Web Services Configuration  10</A></P>
184        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.2.1.NDG Security System Configuration Directory|outline">4.2.1
185        NDG Security System Configuration Directory     10</A></P>
186        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.2.2.Certificate Generation|outline">4.2.2
187        Certificate Generation  10</A></P>
188        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.3.Session Manager Configuration|outline">4.3
189        Session Manager Configuration   11</A></P>
190        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.3.1.Session Manager Credential Repository|outline">4.3.1
191        Session Manager Credential Repository   11</A></P>
192        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.3.2.Session Manager Properties File Settings|outline">4.3.2
193        Session Manager Properties File Settings        12</A></P>
194        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.3.3.Twisted Python server .tac file|outline">4.3.3
195        Twisted Python server .tac file 15</A></P>
196        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.3.4.SysV-style Boot Script|outline">4.3.4
197        SysV-style Boot Script  15</A></P>
198        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.4.Attribute Authority Configuration|outline">4.4
199        Attribute Authority Configuration       16</A></P>
200        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.4.1.Attribute Authority Properties File Settings|outline">4.4.1
201        Attribute Authority Properties File Settings    16</A></P>
202        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.4.2.User Roles Interface|outline">4.4.2
203        User Roles Interface    17</A></P>
204        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.4.3.Role Mapping|outline">4.4.3
205        Role Mapping    18</A></P>
206        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.4.4.Twisted Python server .tac file|outline">4.4.4
207        Twisted Python server .tac file 18</A></P>
208        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.4.5.SysV-style Boot Script|outline">4.4.5
209        SysV-style Boot Script  18</A></P>
210        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.5.Python Unit Tests|outline">4.5
211        Python Unit Tests       19</A></P>
212        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.6.Globus MyProxy|outline">4.6
213        Globus MyProxy  19</A></P>
214        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.6.1.MyProxy and NDG Security Background|outline">4.6.1
215        MyProxy and NDG Security Background     19</A></P>
216        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.6.2.MyProxy user account and the repository location considerations|outline">4.6.2
217        MyProxy user account and the repository location considerations 19</A></P>
218        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.6.3.Build Process|outline">4.6.3
219        Build Process   20</A></P>
220        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.6.4.NDG SimpleCA Client Package |outline">4.6.4
221        NDG SimpleCA Client Package     21</A></P>
222        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.6.5.Host Certificate Creation|outline">4.6.5
223        Host Certificate Creation       23</A></P>
224        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.6.6.MyProxy Configuration File|outline">4.6.6
225        MyProxy Configuration File      23</A></P>
226        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.6.7.Repository Directory|outline">4.6.7
227        Repository Directory    24</A></P>
228        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.6.8.Adding MyProxy Server to the system start up|outline">4.6.8
229        Adding MyProxy Server to the system start up    24</A></P>
230        <P ALIGN=JUSTIFY><A HREF="#5.Appendices|outline">5. Appendices  26</A></P>
231        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#5.1.MySQL Installation|outline">5.1
232        MySQL Installation      26</A></P>
233        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.1.1.Version|outline">5.1.1
234        Version 26</A></P>
235        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.1.2.Getting the Binaries|outline">5.1.2
236        Getting the Binaries    26</A></P>
237        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.1.3.New mysql User Account|outline">5.1.3
238        New mysql User Account  26</A></P>
239        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.1.4.Unpacking the tarball|outline">5.1.4
240        Unpacking the tarball   26</A></P>
241        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.1.5.Configuration File|outline">5.1.5
242        Configuration File      27</A></P>
243        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.1.6.Create the Grant Tables|outline">5.1.6
244        Create the Grant Tables 27</A></P>
245        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.1.7.File and Directory Permissions|outline">5.1.7
246        File and Directory Permissions  28</A></P>
247        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.1.8.Starting the Server|outline">5.1.8
248        Starting the Server     28</A></P>
249        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.1.9.Securing MySQL Accounts|outline">5.1.9
250        Securing MySQL Accounts 28</A></P>
251        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.1.10.Server Automated Start up|outline">5.1.10
252        Server Automated Start up       29</A></P>
253        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#5.2.HTTPS set-up with Apache Web Server|outline">5.2
254        HTTPS set-up with Apache Web Server     29</A></P>
255        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.1.Web Server Host Certificate Generation|outline">5.2.1
256        Web Server Host Certificate Generation  29</A></P>
257        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.2.Apache Configuration File Settings|outline">5.2.2
258        Apache Configuration File Settings      29</A></P>
259        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#5.3.Apache Web Server Proxy Settings Configuration for Web Services|outline">5.3
260        Apache Web Server Proxy Settings Configuration for Web Services 30</A></P>
261        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#5.4.An Example Attribute Authority AAUserRoles interface class|outline">5.4
262        An Example Attribute Authority AAUserRoles interface class      31</A></P>
263        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#5.5.Troubleshooting|outline">5.5
264        Troubleshooting 34</A></P>
265        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.5.1.M2Crypto SWIG Build Error|outline">5.5.1
266        M2Crypto SWIG Build Error       34</A></P>
267        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.5.2.PyXML|outline">5.5.2
268        PyXML   35</A></P>
269        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.5.3.4Suite-XML Build error|outline">5.5.3
270        4Suite-XML Build error  35</A></P>
271</DIV>
272<H1 CLASS="western"><A NAME="1. References|outline"></A>1. References</H1>
273<OL>
274        <LI><P CLASS="western" ALIGN=JUSTIFY><FONT COLOR="#0000ff"><U><A HREF="http://grid.ncsa.uiuc.edu/myproxy/"><SPAN LANG="fi-FI">http://grid.ncsa.uiuc.edu/myproxy/</SPAN></A></U></FONT><SPAN LANG="fi-FI">
275        - NCSA MyProxy site</SPAN></P>
276        <LI><P CLASS="western" ALIGN=JUSTIFY><FONT COLOR="#0000ff"><U><A HREF="http://grid.ncsa.uiuc.edu/myproxy/fromscratch.html"><SPAN LANG="fr-FR">http://grid.ncsa.uiuc.edu/myproxy/fromscratch.html</SPAN></A></U></FONT><SPAN LANG="fr-FR">
277        - NCSA MyProxy installation instructions</SPAN></P>
278        <LI><P CLASS="western" ALIGN=JUSTIFY><FONT COLOR="#0000ff"><U><A HREF="http://www-unix.globus.org/toolkit/docs/4.0/security/">http://www-unix.globus.org/toolkit/docs/4.0/security/</A></U></FONT>
279        - Globus 4.0 and Security</P>
280        <LI><P CLASS="western" ALIGN=LEFT><A NAME="_Ref132180158"></A>NDG
281        Security - Security Measures for Installation [v0.2, 7 September
282        2005],
283        <FONT COLOR="#0000ff"><U><A HREF="http://bscw.badc.rl.ac.uk/bscw/bscw.cgi/d77103/NDG%20Security%20-%20Security%20Measures%20for%20Installation">http://bscw.badc.rl.ac.uk/bscw/bscw.cgi/d77103/NDG%20Security%20-%20Security%20Measures%20for%20Installation</A></U></FONT></P>
284</OL>
285<H1 CLASS="western" STYLE="page-break-before: auto; page-break-after: auto"><A NAME="2.Introduction|outline"></A>
2862. Introduction</H1>
287<P CLASS="western" ALIGN=JUSTIFY>This is a guide for system
288administrators and developers deploying NDG security at a data
289centre.</P>
290<H2 CLASS="western"><A NAME="2.1.Pre-requisites |outline"></A>2.1 Pre-requisites
291</H2>
292<UL>
293        <LI><P CLASS="western" ALIGN=JUSTIFY>For NDG Security Web Services:
294        a host running RedHat Enterprise AS4 or later is recommended.  Other
295        Linux distributions may also be suitable.</P>
296        <LI><P CLASS="western" ALIGN=JUSTIFY>For MyProxy: a separate host
297        machine (See MyProxy for details of operating systems supported).
298        The host must be secure: if possible a dedicated machine with
299        minimal other services running on it.  It should be kept up to date
300        with patches and system logs monitored regularly.</P>
301        <LI><P CLASS="western" ALIGN=JUSTIFY>MyProxy and Security web
302        services hosts must be configured to link with an NTP server to
303        enable clocks to be synchronised with security services running at
304        other NDG sites.</P>
305        <LI><P CLASS="western" ALIGN=JUSTIFY>Access to a web server if
306        security for web based applications is required.  The web server
307        must be able to be configured to support HTTPS.</P>
308        <LI><P CLASS="western" ALIGN=JUSTIFY>[MySQL 3.23 or greater or
309        Postgres – these are optional and are required for the NDG
310        CredentialRepository only]</P>
311        <LI><P CLASS="western" ALIGN=JUSTIFY>Python 2.4 or later</P>
312        <LI><P CLASS="western" ALIGN=JUSTIFY>Python distutils utility</P>
313        <LI><P CLASS="western" ALIGN=JUSTIFY>OpenSSL is required at version
314        0.9.8 or greater</P>
315</UL>
316<P CLASS="western" ALIGN=JUSTIFY STYLE="margin-left: 0.64cm">Also
317note document NDG <I>Security - Security Measures for Installation</I>
318 (see Ref 4 above).</P>
319<H2 CLASS="western"><A NAME="2.2.Deployment Model|outline"></A>2.2 Deployment
320Model</H2>
321<P CLASS="western" ALIGN=JUSTIFY>The following diagram gives an
322example deployment configuration for NDG security services.</P>
323<P CLASS="western" ALIGN=JUSTIFY><IMG SRC="NDGSecurityInstallationGuide_html_m1b1d83c.png" NAME="graphics1" ALIGN=BOTTOM WIDTH=611 HEIGHT=614 BORDER=0></P>
324<P CLASS="western" ALIGN=JUSTIFY>All services are positioned behind
325the firewall.  MyProxy is installed on a dedicated machine in order
326to make its repository as secure as possible.  Connections to MyProxy
327may be made only by the Session Manager web service, and only from
328within the internal network.</P>
329<P CLASS="western" ALIGN=JUSTIFY>In the above, security web services
330are run together on the same host but this does not have to be the
331case.  They can be run on separate servers.  Similarly, the web
332server is on a separate host but could be run on the same machine as
333the web services if it was felt to be appropriate.</P>
334<P CLASS="western" ALIGN=JUSTIFY>In the above diagram the Attribute
335Authority accesses a user database.  It is assumed that the target
336site has a database to store user and user role/access right
337information.  This information needn’t be stored by means of a
338database and could be represented in some other way.  It is for the
339data provider to decide.  Similarly, the Session Manager web service
340interfaces with a Credential Repository.   This is a database in the
341above but could be some other kind of permanent store.</P>
342<P CLASS="western" ALIGN=JUSTIFY>Databases are on a separate server
343to the web services host.  Web services access the databases over the
344internal network.</P>
345<P CLASS="western" ALIGN=JUSTIFY>Finally, the web services have ports
346exposed in some way through the firewall to enable communication with
347other NDG security web services at other sites.</P>
348<H1 CLASS="western"><A NAME="3.Software Installation Components|outline"></A>
3493. Software Installation Components</H1>
350<P CLASS="western" ALIGN=JUSTIFY>Python software is packaged using
351distutils eggs.   These are divided into separate components to suit
352the particular installation required:</P>
353<UL>
354        <LI><P CLASS="western" ALIGN=LEFT>ndg_security_server – components
355        required to run services</P>
356        <LI><P CLASS="western" ALIGN=LEFT>ndg_security_common – components
357        required by both the server and client eggs</P>
358        <LI><P CLASS="western" ALIGN=LEFT>ndg_security_client – components
359        for building clients to NDG security services.  For example, a data
360        provider’s web application server would need these to enable the
361        securing of access to resources or an organisation’s Identity
362        provider would need these to authenticate and allocate authorisation
363        attributes to users.</P>
364        <LI><P CLASS="western" ALIGN=LEFT>ndg_security_test – unit tests
365        for all components</P>
366        <LI><P CLASS="western" ALIGN=LEFT>ndg_security – install all:
367        client, server and common components</P>
368</UL>
369<P CLASS="western" ALIGN=JUSTIFY>Eggs rely on the distutils
370easy_install command to manage installation but NDG security uses an
371additional script ndg-security-install.py to install eggs and carry
372out the additional installation tasks to correctly configure the
373software.</P>
374<P CLASS="western" ALIGN=JUSTIFY>The following additional packages
375are required:</P>
376<UL>
377        <LI><P CLASS="western" ALIGN=JUSTIFY>Globus MyProxy 4.0.1 (or later)
378        – source installer tar ball  may be downloaded from the Globus
379        site (<FONT COLOR="#0000ff"><U><A HREF="http://www.globus.org/toolkit/downloads/4.0.1/">http://www.globus.org/toolkit/downloads/4.0.1/</A></U></FONT>)</P>
380        <LI><P CLASS="western" ALIGN=JUSTIFY>NDG SimpleCA client package tar
381        ball – configures target machine to trust the NDG CA.</P>
382</UL>
383<P CLASS="western" ALIGN=JUSTIFY STYLE="margin-left: 0.64cm">These
384two packages should be installed on the target host for MyProxy.</P>
385<H1 CLASS="western"><A NAME="4.Installation|outline"></A>4. Installation</H1>
386<P CLASS="western" ALIGN=JUSTIFY>This section is divided into the
387Python installation and MyProxy.  Note that you will almost certainly
388wish to install MyProxy on a separate secure server to the other
389Python based security services.</P>
390<H2 CLASS="western"><A NAME="4.1.Python Packages|outline"></A>4.1 Python
391Packages</H2>
392<P CLASS="western" ALIGN=JUSTIFY>Log in to the target host as <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">root</SPAN></FONT>.
393 Change to a suitable directory to hold temporary installation files.
394 
395</P>
396<H3 CLASS="western"><A NAME="4.1.1.distutils|outline"></A>4.1.1 distutils</H3>
397<P CLASS="western" ALIGN=JUSTIFY>The first step is to install Python
398distutils, the package that enables the use of Python eggs.  Download
399the distutils bootstrap script:</P>
400<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
401        <COL WIDTH=596>
402        <TR>
403                <TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6">
404                        <P LANG="da-DK" STYLE="margin-bottom: 0cm"><BR>
405                        </P>
406                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="da-DK">$
407                        wget http://peak.telecommunity.com/dist/ez_setup.py</SPAN></FONT></P>
408                </TD>
409        </TR>
410</TABLE>
411<P CLASS="western" ALIGN=LEFT><BR><BR>
412</P>
413<P CLASS="western" ALIGN=JUSTIFY>You may need to set the environment
414for an HTTP proxy at your site.  For example,
415<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
416        <COL WIDTH=596>
417        <TR>
418                <TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6">
419                        <P STYLE="margin-bottom: 0cm"><BR>
420                        </P>
421                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
422                        export http_proxy=http://yourproxyurl.com:8080</FONT></P>
423                </TD>
424        </TR>
425</TABLE>
426<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
427</P>
428<P CLASS="western" ALIGN=JUSTIFY>Run the bootstrap script.  Because it was downloaded over plain HTTP and
429will be run as root, check it against a published checksum or inspect it before running it.  Make sure
430to use the correct version of python in your system path.  Some systems may have multiple python versions installed:
431<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
432        <COL WIDTH=596>
433        <TR>
434                <TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6">
435                        <P STYLE="margin-bottom: 0cm"><BR>
436                        </P>
437                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
438                        python ez_setup.py</FONT></P>
439                </TD>
440        </TR>
441</TABLE>
442<H3 CLASS="western"></H3>
443<P CLASS="western" ALIGN=JUSTIFY>Once completed, you can delete
444ez_setup.py.</P>
445<H3 CLASS="western"><A NAME="4.1.2.NDG Security Packages|outline"></A>
4464.1.2 NDG Security Packages</H3>
447<P CLASS="western" ALIGN=JUSTIFY>NDG security uses a wrapper around
448distutils easy_install to enable custom installation steps to be
449correctly carried out.  Download the script from the NDG distribution
450site:</P>
451<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
452        <COL WIDTH=596>
453        <TR>
454                <TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6">
455                        <P LANG="da-DK" STYLE="margin-bottom: 0cm"><BR>
456                        </P>
457                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="da-DK">$
458                        wget http://ndg.nerc.ac.uk/dist/ndg-security-install.py</SPAN></FONT></P>
459                </TD>
460        </TR>
461</TABLE>
462<P LANG="da-DK" CLASS="western" ALIGN=JUSTIFY><BR><BR>
463</P>
464<P CLASS="western" ALIGN=JUSTIFY>Now carry out the installation of
465the NDG security python packages:</P>
466<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
467        <COL WIDTH=596>
468        <TR>
469                <TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6">
470                        <P STYLE="margin-bottom: 0cm"><BR>
471                        </P>
472                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
473                        python ./ndg-security-install.py -a</FONT></P>
474                </TD>
475        </TR>
476</TABLE>
477<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
478</P>
479<P CLASS="western" ALIGN=JUSTIFY>The script options can be checked
480using the -h option.  -a selects all packages for installation.
481If there are problems with the installation, see the Troubleshooting
482Guide in the Appendices section 5.5.</P>
483<H2 CLASS="western"><A NAME="4.2.NDG Web Services Configuration|outline"></A>
4844.2 NDG Web Services Configuration</H2>
485<H3 CLASS="western"><A NAME="4.2.1.NDG Security System Configuration Directory|outline"></A>
4864.2.1 NDG Security System Configuration Directory</H3>
487<P CLASS="western" ALIGN=JUSTIFY>Properties files hold the
488<I>server side</I> configuration settings for NDG security.
489Templates for these are contained within the ndg_security_server egg
490installed in your python distribution’s site-packages directory. 
491A future version of the ndg-security-install.py script will extract
492these and install at a suitable location on the file system.  For the
493moment though, this is a manual process.</P>
494<P CLASS="western" ALIGN=JUSTIFY>Create a configuration area under
495your server's /etc directory:</P>
496<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
497        <COL WIDTH=596>
498        <TR>
499                <TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6">
500                        <P STYLE="margin-bottom: 0cm"><BR>
501                        </P>
502                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="da-DK">$
503                        mkdir /etc/ndg<BR>$ mkdir /etc/ndg/security</SPAN></FONT></P>
504                </TD>
505        </TR>
506</TABLE>
507<P LANG="da-DK" CLASS="western" ALIGN=JUSTIFY><BR><BR>
508</P>
509<P CLASS="western" ALIGN=JUSTIFY>/etc/ndg/security is made known to
510the Python security software through the NDGSEC_DIR environment variable.
511This variable can be set in the environment of the user account used
512to run the security services, or in the init scripts used to start the
513services automatically at server boot up (see
514section 4.3.3).</P>
515<P CLASS="western" ALIGN=JUSTIFY>Locate the ndg_security_server egg
516and copy its conf/ directory into the configuration area.  For
517example, if python is installed in /usr/local, the
518conf/ directory will be at:</P>
519<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
520        <COL WIDTH=596>
521        <TR>
522                <TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6">
523                        <P STYLE="margin-bottom: 0cm"><BR>
524                        </P>
525                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">/usr/local/lib/python&lt;python
526                        version num&gt;/site-packages/ndg_security_server-&lt;version
527                        info&gt;.egg/ndg/security/server/conf</FONT></P>
528                </TD>
529        </TR>
530</TABLE>
531<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
532</P>
533<P CLASS="western" ALIGN=JUSTIFY>Copy as follows:</P>
534<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
535        <COL WIDTH=596>
536        <TR>
537                <TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6">
538                        <P STYLE="margin-bottom: 0cm"><BR>
539                        </P>
540                        <P CLASS="western" ALIGN=LEFT>$ cp /usr/local/lib/python&lt;python
541                        version num&gt;/site-packages/ndg_security_server-&lt;version
542                        info&gt;.egg/ndg/security/server/conf /etc/ndg/security</P>
543                </TD>
544        </TR>
545</TABLE>
546<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
547</P>
548<P CLASS="western" ALIGN=JUSTIFY>The conf/ directory will contain the
549Session Manager and Attribute Authority properties XML files, a certs/
550directory for storing certificates and an attCert/ directory for storing
551Attribute Certificates issued by the Attribute Authority.  Since the
552certs/ directory will also hold the services’ private keys, restrict
553access to it to the account used to run the security services.</P>
552<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
553</P>
554<H3 CLASS="western"><A NAME="4.2.2.Certificate Generation|outline"></A>
5554.2.2 Certificate Generation</H3>
556<P CLASS="western" ALIGN=JUSTIFY>The Session Manager and Attribute
557Authority web services require individual X.509 certificates as a
558means to identify them in the various interactions required for user
559registration, authentication and authorisation.  These may be created
560in a similar way to the host certificate.</P>
561<P CLASS="western" ALIGN=JUSTIFY>Change directory to
562<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/conf/certs</SPAN></FONT>.
563 The certificates will be stored here.  Make a new private key and
564certificate request for the Session Manager:</P>
565<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
566        <COL WIDTH=610>
567        <TR>
568                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
569                        <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
570                        </P>
571                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
572                        openssl genrsa -out sm-key.pem 2048</FONT></P>
573                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
574                        openssl req -new -key sm-key.pem -out sm.csr</FONT></P>
575                        <P CLASS="western" ALIGN=LEFT><BR>
576                        </P>
577                </TD>
578        </TR>
579</TABLE>
580<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
581</P>
582<P CLASS="western" ALIGN=JUSTIFY>The private key may be password
583protected if required by adding the -des3 option to the genrsa
584command.   Type in a password when prompted.   The req command will
585prompt you for the components of the Distinguished Name for the new
586certificate.  When prompted for the Common Name, enter
587‘SessionManager’.  The other fields can be set as required but by
588convention for NDG, the Organisation field has been set to NDG and
589the Organisation Unit to the individual data provider name e.g. BADC.
590 All other fields have been omitted.  You can skip individual fields
591by entering ‘.’ when prompted.</P>
592<P CLASS="western" ALIGN=JUSTIFY>Forward the request file to the NDG
593CA.  The CA will issue a certificate file.  Copy this file as
594<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/conf/certs/sm-cert.pem</SPAN></FONT>.
595The request file can be deleted once a certificate has been obtained from
596the CA.</P>
598<P CLASS="western" ALIGN=JUSTIFY>Repeat this process for the
599Attribute Authority, selecting ‘AttributeAuthority’ for the
600Common Name<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">.</SPAN></FONT></P>
601<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
602        <COL WIDTH=610>
603        <TR>
604                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
605                        <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
606                        </P>
607                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
608                        openssl genrsa -out aa-key.pem 2048</FONT></P>
609                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
610                        openssl req -new -key aa-key.pem -out aa.csr</FONT></P>
611                        <P CLASS="western" ALIGN=LEFT><BR>
612                        </P>
613                </TD>
614        </TR>
615</TABLE>
616<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
617</P>
618<P CLASS="western" ALIGN=JUSTIFY>It is recommended that the Session
619Manager is run over https so that user login credentials are protected
620in transit.   A server certificate and key are required in addition to
621enable this.  These can be added to the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/conf/certs</SPAN></FONT>
622directory and referenced from the Session Manager’s properties
623file.</P>
624<P CLASS="western" ALIGN=JUSTIFY>A copy of the NDG Certificate
625Authority’s X.509 certificate is also required.  Obtain this from
626the NDG CA administrator and copy it into the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/conf/certs
627</SPAN></FONT>directory.</P>
628<H2 CLASS="western"><A NAME="4.3.Session Manager Configuration|outline"></A>
6294.3 Session Manager Configuration</H2>
630<P CLASS="western" ALIGN=JUSTIFY>Configuration parameters may be set
631via a properties file.  In addition, the Session Manager can
632optionally make use of a Credential Repository database.  This
633enables the credentials that users acquire during a session to be
634stored so that they may be retrieved later.   When installed, the default
635configuration set in the Session Manager properties file is to <I>not</I>
636use a Credential Repository.   If you do not need a Credential
637Repository, skip this section.</P>
638<H3 CLASS="western"><A NAME="_Ref156702859"></A><A NAME="4.3.1.Session Manager Credential Repository|outline"></A>
6394.3.1 Session Manager Credential Repository</H3>
640<P CLASS="western" ALIGN=JUSTIFY>Create the Credential Repository
641database.  In the example below a MySQL database is assumed.   Notes
642on installing MySQL are given in the Appendices section 5.1.
643</P>
644<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
645        <COL WIDTH=610>
646        <TR>
647                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
648                        <P STYLE="margin-bottom: 0cm"><BR>
649                        </P>
650                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
651                        mysql -u root -p</FONT></P>
652                        <P CLASS="western" ALIGN=JUSTIFY>mysql&gt; create database
653                        ndgCredRepos;</P>
654                        <P><BR>
655                        </P>
656                </TD>
657        </TR>
658</TABLE>
659<P CLASS="western" ALIGN=JUSTIFY><BR>Use the script
660<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">initCredReposDb.py</SPAN></FONT>
661to create the tables.  Run the script as the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">globus</SPAN></FONT>
662user.  Enter the password for the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndgUser</SPAN></FONT>
663account when prompted and type <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">yes</SPAN></FONT>
664to confirm creation of the tables:</P>
665<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
666        <COL WIDTH=610>
667        <TR>
668                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
669                        <P STYLE="margin-bottom: 0cm"><BR>
670                        </P>
671                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
672                        cd $NDGSEC_DIR/bin</FONT></P>
673                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
674                        ./initCredReposDb.py -u root</FONT></P>
675                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Database
676                        password:</FONT></P>
677                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Are
678                        you sure you want to initialise the database tables? (yes/no) yes</FONT></P>
679                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Tables
680                        created</FONT></P>
681                        <P STYLE="margin-bottom: 0cm"><BR>
682                        </P>
683                        <P><BR>
684                        </P>
685                </TD>
686        </TR>
687</TABLE>
688<P CLASS="western" ALIGN=JUSTIFY><BR>To check that the tables have
689been created, restart the database client:</P>
690<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
691        <COL WIDTH=610>
692        <TR>
693                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
694                        <P STYLE="margin-bottom: 0cm"><BR>
695                        </P>
696                        <P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm">$
697                        mysql -u root -p -D ndgCredRepos</P>
698                        <P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm">mysql&gt;
699                        show tables;</P>
700                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">+------------------------+</FONT></FONT></P>
701                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">|
702                        Tables_in_ndgCredRepos |</FONT></FONT></P>
703                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">+------------------------+</FONT></FONT></P>
704                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">|
705                        UserCredential         |</FONT></FONT></P>
706                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">|
707                        UserID                 |</FONT></FONT></P>
708                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">+------------------------+</FONT></FONT></P>
709                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">2
710                        rows in set (0.00 sec)</FONT></FONT></P>
711                        <P><BR>
712                        </P>
713                </TD>
714        </TR>
715</TABLE>
716<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
717</P>
718<P CLASS="western" ALIGN=JUSTIFY>A separate account should be created
719for the Session Manager to access the database.  It should have only
720the permissions needed to read and write records.  For
721details of how to create an account in MySQL see the Appendices
722section 5.1.9.</P>
723<H3 CLASS="western"><A NAME="4.3.2.Session Manager Properties File Settings|outline"></A>
7244.3.2 Session Manager Properties File Settings</H3>
725<P CLASS="western" ALIGN=JUSTIFY>Edit <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">sessionMgrProperties.xml</SPAN></FONT>
726in <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/conf</SPAN></FONT>
727and modify the default settings:</P>
728<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
729        <COL WIDTH=610>
730        <TR>
731                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
732                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;?xml
733                        version=&quot;1.0&quot; encoding=&quot;utf-8&quot;?&gt;</FONT></FONT></P>
734                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;sessMgrProp&gt;</FONT></FONT></P>
735                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;portNum&gt;&lt;/portNum&gt;</FONT></FONT></P>
736                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;useSSL&gt;Yes&lt;/useSSL&gt;
737                        &lt;!-- leave blank to use http --&gt;</FONT></FONT></P>
738                        <P STYLE="margin-bottom: 0cm">   
739                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;sslCertFile&gt;$NDGSEC_DIR/conf/certs/server-cert.pem&lt;/sslCertFile&gt;</FONT></FONT></P>
740                        <P STYLE="margin-bottom: 0cm">   
741                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;sslKeyFile&gt;$NDGSEC_DIR/conf/certs/server-key.pem
742                        &lt;/sslKeyFile&gt;</FONT></FONT></P>
743                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!--</FONT></FONT></P>
744                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">PKI
745                        settings for signature of outbound SOAP messages</FONT></FONT></P>
746                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--&gt;</FONT></FONT></P>
747                        <P STYLE="margin-bottom: 0cm">   
748                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;useSignatureHandler&gt;Yes&lt;/useSignatureHandler&gt;
749                        &lt;!-- leave blank for no signature --&gt;</FONT></FONT></P>
750                        <P STYLE="margin-bottom: 0cm">   
751                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;certFile&gt;$NDGSEC_DIR/conf/certs/sm-cert.pem&lt;/certFile&gt;</FONT></FONT></P>
752                        <P STYLE="margin-bottom: 0cm">   
753                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;keyFile&gt;$NDGSEC_DIR/conf/certs/sm-key.pem&lt;/keyFile&gt;</FONT></FONT></P>
754                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;keyPwd&gt;&lt;/keyPwd&gt;</FONT></FONT></P>
755                        <P STYLE="margin-bottom: 0cm">   
756                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;caCertFile&gt;$NDGSEC_DIR/conf/certs/cacert.pem&lt;/caCertFile&gt;</FONT></FONT></P>
757                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!--
758                        </FONT></FONT>
759                        </P>
760                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">Set
761                        the certificate used to verify the signature of messages from the </FONT></FONT>
762                        </P>
763                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">client.
764                         This can usually be left blank since the client is expected to </FONT></FONT>
765                        </P>
766                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">include
767                        the cert with the signature in the inbound SOAP message</FONT></FONT></P>
768                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--&gt;</FONT></FONT></P>
769                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;clntCertFile&gt;&lt;/clntCertFile&gt;
770                           </FONT></FONT>
771                        </P>
772                        <P STYLE="margin-bottom: 0cm">   
773                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;sessMgrEncrKey&gt;&lt;/sessMgrEncrKey&gt;</FONT></FONT></P>
774                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;sessMgrURI&gt;&lt;/sessMgrURI&gt;</FONT></FONT></P>
775                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;cookieDomain&gt;&lt;/cookieDomain&gt;</FONT></FONT></P>
776                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;myProxyProp&gt;</FONT></FONT></P>
777                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">             &lt;!--
778                        </FONT></FONT>
779                        </P>
780                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">             Delete
781                        this element and take setting from MYPROXY_SERVER environment </FONT></FONT>
782                        </P>
783                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">             variable
784                        if required</FONT></FONT></P>
785                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">             --&gt;</FONT></FONT></P>
786                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">             &lt;hostname&gt;ENTER
787                        THE FULLY QUALIFIED HOSTNAME OF THE SERVER&lt;/hostname&gt;</FONT></FONT></P>
788                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">             &lt;!--
789                        </FONT></FONT>
790                        </P>
791                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">             Delete
792                        this element to take default setting 7512 or read </FONT></FONT>
793                        </P>
794                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">             <SPAN LANG="fr-FR">MYPROXY_SERVER_PORT
795                        setting</SPAN></FONT></FONT></P>
796                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">                --&gt;</FONT></FONT></P>
797                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">                &lt;port&gt;7512&lt;/port&gt;</FONT></FONT></P>
798                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><SPAN LANG="fr-FR">          </SPAN>&lt;!--</FONT></FONT></P>
799                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">             Useful
800                        if hostname and certificate CN don't match correctly.  Globus </FONT></FONT>
801                        </P>
802                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">             host
803                        DN is set to &quot;host/&lt;fqdn&gt;&quot;.  Delete this element
804                        and set from </FONT></FONT>
805                        </P>
806                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">             MYPROXY_SERVER_DN
807                        environment variable if preferred</FONT></FONT></P>
808                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">             &lt;serverDN&gt;&lt;/serverDN&gt;</FONT></FONT></P>
809                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">             --&gt;</FONT></FONT></P>
810                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">             &lt;!--</FONT></FONT></P>
811                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">             Set
812                        &quot;host/&quot; prefix to host cert CN as is default with globus</FONT></FONT></P>
813                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">             --&gt;</FONT></FONT></P>
814                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">             &lt;serverCNprefix&gt;host/&lt;/serverCNprefix&gt;      </FONT></FONT></P>
815                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">             &lt;!--</FONT></FONT></P>
816                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">             This
817                        directory path is used to locate the OpenSSL configuration file</FONT></FONT></P>
818                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">             </FONT></FONT></P>
819                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">             The
820                        settings are used to set up the defaults for the Distinguished
821                        Name of</FONT></FONT></P>
822                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">             the
823                        new proxy cert. issued </FONT></FONT>
824                        </P>
825                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">             </FONT></FONT></P>
826                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">             GLOBUS_LOCATION
827                        or GRID_SECURITY_DIR environment variables may be used</FONT></FONT></P>
828                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">             but
829                        the settings can be independent of any Globus installation</FONT></FONT></P>
830                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><BR>         --&gt;</FONT></FONT></P>
831                        <P STYLE="margin-bottom: 0cm">           
832                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;gridSecurityDir&gt;$NDGSEC_DIR/conf&lt;/gridSecurityDir&gt;</FONT></FONT></P>
833                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">             &lt;openSSLConfFileName&gt;openssl.conf&lt;/openSSLConfFileName&gt;</FONT></FONT></P>
834                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">             &lt;tmpDir&gt;/tmp&lt;/tmpDir&gt;</FONT></FONT></P>
835                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">             &lt;!--
836                        </FONT></FONT>
837                        </P>
838                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">                     Limit
839                        on maximum lifetime any proxy certificate can have - </FONT></FONT>
840                        </P>
841                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">                     specified
842                        when a certificate is first created by store() method</FONT></FONT></P>
843                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">             --&gt;</FONT></FONT></P>
844                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">             &lt;proxyCertMaxLifetime&gt;24&lt;/proxyCertMaxLifetime&gt;
845                        &lt;!-- in hours --&gt;</FONT></FONT></P>
846                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">             &lt;!--
847                        </FONT></FONT>
848                        </P>
849                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">                     Life
850                        time of a proxy certificate when issued from the Proxy Server </FONT></FONT>
851                        </P>
852                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">                     with
853                        getDelegation() method</FONT></FONT></P>
854                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">                     --&gt;</FONT></FONT></P>
855                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">             &lt;proxyCertLifetime&gt;8&lt;/proxyCertLifetime&gt;
856                        &lt;!-- in hours --&gt;</FONT></FONT></P>
857                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">             <SPAN LANG="fr-FR">&lt;caCertFile&gt;$NDGSEC_DIR/conf/certs/cacert.pem&lt;/caCertFile&gt;</SPAN></FONT></FONT></P>
858                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="fr-FR"><FONT SIZE=2 STYLE="font-size: 9pt">  &lt;/myProxyProp&gt;</FONT></SPAN></FONT></P>
859                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="fr-FR"><FONT SIZE=2 STYLE="font-size: 9pt">  &lt;simpleCACltProp&gt;
860                        </FONT></SPAN></FONT>
861                        </P>
862                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">       
863                           &lt;uri&gt;&lt;/uri&gt;</FONT></FONT></P>
864                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm">       
865                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;xmlSigKeyFile&gt;&lt;/xmlSigKeyFile&gt;</FONT></FONT></P>
866                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm">       
867                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;xmlSigCertFile&gt;&lt;/xmlSigCertFile&gt;</FONT></FONT></P>
868                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm">       
869                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;xmlSigCertPwd&gt;&lt;/xmlSigCertPwd&gt;</FONT></FONT></P>
870                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;/simpleCACltProp&gt;</FONT></FONT></P>
871                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">        &lt;!--</FONT></FONT></P>
872                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">        &lt;simpleCASrvProp&gt;</FONT></FONT></P>
873                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">       
874                           &lt;certExpiryDate&gt;&lt;/certExpiryDate&gt;</FONT></FONT></P>
875                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">       
876                           &lt;certLifetimeDays&gt;&lt;/certLifetimeDays&gt;</FONT></FONT></P>
877                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="fr-FR"><FONT SIZE=2 STYLE="font-size: 9pt"> 
878                           &lt;certTmpDir&gt;&lt;/certTmpDir&gt;</FONT></SPAN></FONT></P>
879                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">       
880                           &lt;caCertFile&gt;&lt;/caCertFile&gt;</FONT></FONT></P>
881                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">       
882                           &lt;signExe&gt;&lt;/signExe&gt;</FONT></FONT></P>
883                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">       
884                           &lt;path&gt;&lt;/path&gt;</FONT></FONT></P>
885                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">        &lt;/simpleCASrvProp&gt;</FONT></FONT></P>
886                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">        --&gt;</FONT></FONT></P>
887                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;credReposProp&gt;</FONT></FONT></P>
888                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">       
889                           &lt;modFilePath&gt;&lt;/modFilePath&gt;</FONT></FONT></P>
890                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">       
891                           &lt;modName&gt;ndg.security.common.CredWallet&lt;/modName&gt;</FONT></FONT></P>
892                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">       
893                           &lt;className&gt;NullCredRepos&lt;/className&gt;</FONT></FONT></P>
894                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">       
895                           &lt;propFile&gt;&lt;/propFile&gt;</FONT></FONT></P>
896                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;/credReposProp&gt;</FONT></FONT></P>
897                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;/sessMgrProp&gt;</FONT></FONT></P>
898                        <P> 
899                        </P>
900                </TD>
901        </TR>
902</TABLE>
903<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
904</P>
905<P CLASS="western" ALIGN=JUSTIFY><B>Notes</B></P>
906<UL>
907        <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB"><FONT FACE="Helvetica, sans-serif">The
908        property file reading software will expand any environment variables
909        included in the file.</FONT></SPAN></FONT></P>
910        <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB"><FONT FACE="Helvetica, sans-serif">The
911        openssl.conf file uses the standard OpenSSL configuration file format.  It is
912        used by the Session Manager MyProxy client to formulate a
913        certificate request for the proxy certificate generated for a user's
914        session when they log in.  An example is given below.  The important
915        section to reference is </FONT>[ req_distinguished_name ]<FONT FACE="Helvetica, sans-serif">; the remaining settings in the example (for instance default_md = md5 and default_bits = 1024) are carried over from the original SSLeay sample file and should be reviewed against current practice rather than taken as recommended values.</FONT></SPAN></FONT></P>
916</UL>
917<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
918</P>
919<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
920        <COL WIDTH=610>
921        <TR>
922                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
923                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#</FONT></FONT></P>
924                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#
925                        SSLeay example configuration file.</FONT></FONT></P>
926                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#
927                        This is mostly being used for generation of certificate requests.</FONT></FONT></P>
928                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#</FONT></FONT></P>
929                        <P STYLE="margin-bottom: 0cm"><BR>
930                        </P>
931                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">RANDFILE
932                                       = $ENV::HOME/.rnd</FONT></FONT></P>
933                        <P STYLE="margin-bottom: 0cm"><BR>
934                        </P>
935                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">####################################################################</FONT></FONT></P>
936                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">[
937                        ca ]</FONT></FONT></P>
938                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">default_ca
939                             = CA_default            # The default ca section</FONT></FONT></P>
940                        <P STYLE="margin-bottom: 0cm"><BR>
941                        </P>
942                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">####################################################################</FONT></FONT></P>
943                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">[
944                        CA_default ]</FONT></FONT></P>
945                        <P STYLE="margin-bottom: 0cm"><BR>
946                        </P>
947                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">dir
948                                    = ./demoCA              # Where everything is kept</FONT></FONT></P>
949                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">certs
950                                  = $dir/certs            # Where the issued certs are
951                        kept</FONT></FONT></P>
952                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">crl_dir
953                                = $dir/crl              # Where the issued crl are kept</FONT></FONT></P>
954                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">database
955                               = $dir/index.txt        # database index file.</FONT></FONT></P>
956                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">new_certs_dir
957                          = $dir/newcerts         # default place for new certs.</FONT></FONT></P>
958                        <P STYLE="margin-bottom: 0cm"><BR>
959                        </P>
960                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">certificate
961                            = $dir/cacert.pem       # The CA certificate</FONT></FONT></P>
962                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">serial
963                                 = $dir/serial           # The current serial number</FONT></FONT></P>
964                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">crl
965                                    = $dir/crl.pem          # The current CRL</FONT></FONT></P>
966                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">private_key
967                            = $dir/private/cakey.pem# The private key</FONT></FONT></P>
968                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">RANDFILE
969                               = $dir/private/.rand    # private random number file</FONT></FONT></P>
970                        <P STYLE="margin-bottom: 0cm"><BR>
971                        </P>
972                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">x509_extensions
973                        = x509v3_extensions     # The extentions to add to the cert</FONT></FONT></P>
974                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">default_days
975                           = 365                   # how long to certify for</FONT></FONT></P>
976                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">default_crl_days=
977                        365 # DEE 30  # how long before next CRL</FONT></FONT></P>
978                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">default_md
979                             = md5                   # which md to use.</FONT></FONT></P>
980                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">preserve
981                               = no                    # keep passed DN ordering</FONT></FONT></P>
982                        <P STYLE="margin-bottom: 0cm"><BR>
983                        </P>
984                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#
985                        A few difference way of specifying how similar the request should
986                        look</FONT></FONT></P>
987                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#
988                        For type CA, the listed attributes must be the same, and the
989                        optional</FONT></FONT></P>
990                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#
991                        and supplied fields are just that :-)</FONT></FONT></P>
992                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">policy
993                                 = policy_match</FONT></FONT></P>
994                        <P STYLE="margin-bottom: 0cm"><BR>
995                        </P>
996                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#
997                        For the CA policy</FONT></FONT></P>
998                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">[
999                        policy_match ]</FONT></FONT></P>
1000                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">countryName
1001                                    = optional</FONT></FONT></P>
1002                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">stateOrProvinceName
1003                            = optional</FONT></FONT></P>
1004                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">organizationName
1005                               = match</FONT></FONT></P>
1006                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">organizationalUnitName
1007                         = optional</FONT></FONT></P>
1008                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">commonName
1009                                     = supplied</FONT></FONT></P>
1010                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">emailAddress
1011                                   = optional</FONT></FONT></P>
1012                        <P STYLE="margin-bottom: 0cm"><BR>
1013                        </P>
1014                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#
1015                        For the 'anything' policy</FONT></FONT></P>
1016                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#
1017                        At this point in time, you must list all acceptable 'object'</FONT></FONT></P>
1018                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#
1019                        types.</FONT></FONT></P>
1020                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">[
1021                        policy_anything ]</FONT></FONT></P>
1022                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">countryName
1023                                    = optional</FONT></FONT></P>
1024                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">stateOrProvinceName
1025                            = optional</FONT></FONT></P>
1026                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">localityName
1027                                   = optional</FONT></FONT></P>
1028                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">organizationName
1029                               = optional</FONT></FONT></P>
1030                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">organizationalUnitName
1031                         = optional</FONT></FONT></P>
1032                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">commonName
1033                                     = supplied</FONT></FONT></P>
1034                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">emailAddress
1035                                   = optional</FONT></FONT></P>
1036                        <P STYLE="margin-bottom: 0cm"><BR>
1037                        </P>
1038                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">####################################################################</FONT></FONT></P>
1039                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">[
1040                        req ]</FONT></FONT></P>
1041                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">default_bits
1042                                   = 1024</FONT></FONT></P>
1043                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">default_keyfile
1044                                = privkey.pem</FONT></FONT></P>
1045                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">distinguished_name
1046                             = req_distinguished_name</FONT></FONT></P>
1047                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">req_extensions
1048                                 = v3_req</FONT></FONT></P>
1049                        <P STYLE="margin-bottom: 0cm"><BR>
1050                        </P>
1051                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">[
1052                        req_distinguished_name ]</FONT></FONT></P>
1053                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#
1054                        BEGIN CONFIG</FONT></FONT></P>
1055                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">0.organizationName
1056                                      = Level 0 Organization</FONT></FONT></P>
1057                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">0.organizationName_default
1058                              = NDG</FONT></FONT></P>
1059                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">0.organizationalUnitName
1060                                 = Level 0 Organizational Unit</FONT></FONT></P>
1061                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">0.organizationalUnitName_default
1062                        = BADC</FONT></FONT></P>
1063                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#1.organizationalUnitName
1064                                 = Level 1 Organizational Unit</FONT></FONT></P>
1065                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#1.organizationalUnitName_default
1066                        = localdomain</FONT></FONT></P>
1067                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">commonName
1068                                             = Name (e.g., John M. Smith)</FONT></FONT></P>
1069                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">commonName_max
1070                                         = 64</FONT></FONT></P>
1071                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#
1072                        END CONFIG</FONT></FONT></P>
1073                        <P STYLE="margin-bottom: 0cm"><BR>
1074                        </P>
1075                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">[
1076                        v3_req ]</FONT></FONT></P>
1077                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">nsCertType
1078                                             = objsign,email,server,client</FONT></FONT></P>
1079                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">basicConstraints
1080                                       = critical,CA:false</FONT></FONT></P>
1081                        <P><BR>
1082                        </P>
1083                </TD>
1084        </TR>
1085</TABLE>
1086<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
1087</P>
1088<H3 CLASS="western"><A NAME="4.3.3.Twisted Python server .tac file|outline"></A>
10894.3.3 Twisted Python server .tac file</H3>
1090<P CLASS="western" ALIGN=JUSTIFY>The Python security services run under the
1091application server provided by the Python Twisted package.  The Twisted server
1092loads a special .tac configuration file.  Copy this file from
1093the ndg_security_server package to the NDG security conf/ area:</P>
1094<TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1095        <COL WIDTH=602>
1096        <TR>
1097                <TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0">
1098                        <P STYLE="margin-bottom: 0cm"><BR>
1099                        </P>
1100                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1101                        cp /usr/local/lib/python&lt;python version
1102                        num&gt;/site-packages/ndg_security_server-&lt;version
1103                        info&gt;.egg/ndg/security/server/server-config.tac<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">
1104                        $NDGSEC_DIR/conf</SPAN></FONT></FONT></P>
1105                        <P><BR>
1106                        </P>
1107                </TD>
1108        </TR>
1109</TABLE>
1110<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
1111</P>
1112<H3 CLASS="western"><A NAME="_Ref175134983"></A><A NAME="4.3.4.SysV-style Boot Script|outline"></A>
11134.3.4 SysV-style Boot Script</H3>
1114<P CLASS="western" ALIGN=JUSTIFY>The Session Manager can be
1115configured to start automatically when the host machine boots.  A
1116SysV-style start-up script <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndg-sm</SPAN></FONT>
1117is provided in the installation in:</P>
1118<P CLASS="western" ALIGN=JUSTIFY>/usr/local/lib/python&lt;python
1119version num&gt;/site-packages/ndg_security_server-&lt;version
1120info&gt;.egg/ndg/security/server/<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">share</SPAN></FONT>
1121 
1122</P>
1123<P CLASS="western" ALIGN=JUSTIFY>To configure, install this file:</P>
1124<TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1125        <COL WIDTH=602>
1126        <TR>
1127                <TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0">
1128                        <P STYLE="margin-bottom: 0cm"><BR>
1129                        </P>
1130                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1131                        cp /usr/local/lib/python&lt;python version
1132                        num&gt;/site-packages/ndg_security_server-&lt;version
1133                        info&gt;.egg/ndg/security/server<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">
1134                        /share/ndg-sm /etc/rc.d/init.d</SPAN></FONT></FONT></P>
1135                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$
1136                        chkconfig --add ndg-sm</SPAN></FONT></FONT></P>
1137                        <P><BR>
1138                        </P>
1139                </TD>
1140        </TR>
1141</TABLE>
1142<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
1143</P>
1144<P CLASS="western" ALIGN=JUSTIFY>Edit ndg-sm so that it uses the
1145NDGSEC_DIR environment variable to point to the correct location of
1146the .tac file in the conf/ directory.  The script's user and group ID
1147settings can be used to run the service under an account other than
1148root.  If this is done, ensure that the permissions on $NDGSEC_DIR give
1149that account the access it needs. 
1150</P>
1151<H2 CLASS="western"><A NAME="4.4.Attribute Authority Configuration|outline"></A>
11524.4 Attribute Authority Configuration</H2>
1153<P CLASS="western" ALIGN=JUSTIFY>The Attribute Authority also has a
1154properties file for the setting of configuration parameters.</P>
1155<H3 CLASS="western"><A NAME="4.4.1.Attribute Authority Properties File Settings|outline"></A>
11564.4.1 Attribute Authority Properties File Settings</H3>
1157<P CLASS="western" ALIGN=JUSTIFY>Edit <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">attAuthorityProperties.xml</SPAN></FONT>
1158in <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/conf</SPAN></FONT>
1159and modify the default settings:</P>
1160<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1161        <COL WIDTH=610>
1162        <TR>
1163                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
1164                        <P STYLE="margin-bottom: 0cm"><BR>
1165                        </P>
1166                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;?xml
1167                        version=&quot;1.0&quot; encoding=&quot;utf-8&quot;?&gt;</FONT></FONT></P>
1168                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;AAprop&gt;</FONT></FONT></P>
1169                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">       &lt;!--
1170                        </FONT></FONT>
1171                        </P>
1172                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">       'name'
1173                        setting MUST agree with map config file 'thisHost' name</FONT></FONT></P>
1174                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">       attribute</FONT></FONT></P>
1175                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">       --&gt;</FONT></FONT></P>
1176                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;name&gt;BADC&lt;/name&gt;
1177                        </FONT></FONT>
1178                        </P>
1179                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">&lt;portNum&gt;SELECT
1180                        A SUITABLE PORT NUMBER FOR RUNNING THE SERVICE&lt;/portNum&gt;</FONT></FONT></FONT></P>
1181                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!--</FONT></FONT></P>
1182                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">PKI
1183                        settings for transport level encryption</FONT></FONT></P>
1184                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--&gt;</FONT></FONT></P>
1185                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;useSSL&gt;&lt;/useSSL&gt;
1186                        &lt;!-- leave blank to use http --&gt;</FONT></FONT></P>
1187                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;sslCertFile&gt;&lt;/sslCertFile&gt;</FONT></FONT></P>
1188                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;sslKeyFile&gt;&lt;/sslKeyFile&gt;</FONT></FONT></P>
1189                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;sslKeyPwd&gt;&lt;/sslKeyPwd&gt;</FONT></FONT></P>
1190                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!--</FONT></FONT></P>
1191                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">PKI
1192                        settings for signature of outbound SOAP messages</FONT></FONT></P>
1193                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--&gt;</FONT></FONT></P>
1194                        <P STYLE="margin-bottom: 0cm">   
1195                        <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;useSignatureHandler&gt;Yes&lt;/useSignatureHandler&gt;
1196                        &lt;!-- leave blank for no signature --&gt;</FONT></FONT></P>
1197                        <P STYLE="margin-bottom: 0cm">   
1198                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">&lt;certFile&gt;$NDGSEC_DIR/conf/certs/aa-cert.pem&lt;/certFile&gt;</FONT></FONT></FONT></P>
1199                        <P STYLE="margin-bottom: 0cm">   
1200                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">&lt;keyFile&gt;$NDGSEC_DIR/conf/certs/aa-key.pem
1201                        &lt;/keyFile&gt;</FONT></FONT></FONT></P>
1202                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;keyPwd&gt;&lt;/keyPwd&gt;</FONT></FONT></P>
1203                        <P STYLE="margin-bottom: 0cm">   
1204                        <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;caCertFile&gt;$NDGSEC_DIR/conf/certs/cacert.pem
1205                        &lt;/caCertFile&gt;</FONT></FONT></P>
1206                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">&lt;!--
1207                        </FONT></FONT></FONT>
1208                        </P>
1209                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">Set
1210                        the certificate used to verify the signature of messages from the </FONT></FONT>
1211                        </P>
1212                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">client.
1213                         This can usually be left blank since the client is expected to </FONT></FONT>
1214                        </P>
1215                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">include
1216                        the cert with the signature in the inbound SOAP message</FONT></FONT></P>
1217                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--&gt;</FONT></FONT></P>
1218                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;clntCertFile&gt;&lt;/clntCertFile&gt;
1219                           </FONT></FONT>
1220                        </P>
1221                        <P STYLE="margin-bottom: 0cm">   
1222                        <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;attCertLifetime&gt;86400&lt;/attCertLifetime&gt;
1223                        &lt;!-- Measured in seconds --&gt;</FONT></FONT></P>
1224                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">       &lt;!--
1225                        </FONT></FONT>
1226                        </P>
1227                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">       Allow
1228                        an offset for clock skew between servers running </FONT></FONT>
1229                        </P>
1230                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">       security
1231                        services.  - Use minus sign for time in the past</FONT></FONT></P>
1232                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">       --&gt;</FONT></FONT></P>
1233                        <P STYLE="margin-bottom: 0cm">   
1234                        <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;attCertNotBeforeOff&gt;0&lt;/attCertNotBeforeOff&gt;</FONT></FONT></P>
1235                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!--
1236                        Location of role mapping file --&gt;</FONT></FONT></P>
1237                        <P STYLE="margin-bottom: 0cm">   
1238                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">&lt;mapConfigFile&gt;$NDGSEC_DIR/conf/mapConfig.xml&lt;/mapConfigFile&gt;</FONT></FONT></FONT></P>
1239                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!--
1240                        All Attribute Certificates are recorded in this dir before
1241                        dispatch</FONT></FONT></P>
1242                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">to
1243                        SOAP requestor</FONT></FONT></P>
1244                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--&gt;</FONT></FONT></P>
1245                        <P STYLE="margin-bottom: 0cm">   
1246                        <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;attCertDir&gt;$NDGSEC_DIR/conf/attCert&lt;/attCertDir&gt;</FONT></FONT></P>
1247                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">&lt;!--
1248                        </FONT></FONT></FONT>
1249                        </P>
1250                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">File
1251                        prefix and suffix for files stored in attCertDir </FONT></FONT>
1252                        </P>
1253                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--&gt;</FONT></FONT></P>
1254                        <P STYLE="margin-bottom: 0cm">   
1255                        <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;attCertFilePfx&gt;ac-&lt;/attCertFilePfx&gt;</FONT></FONT></P>
1256                        <P STYLE="margin-bottom: 0cm">   
1257                        <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;attCertFileSfx&gt;.xml&lt;/attCertFileSfx&gt;</FONT></FONT></P>
1258                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;dnSeparator&gt;/&lt;/dnSeparator&gt;</FONT></FONT></P>
1259                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!--
1260                        </FONT></FONT>
1261                        </P>
1262                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">Settings
1263                        for custom AAUserRoles derived class to get user roles for</FONT></FONT></P>
1264                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">given
1265                        user ID</FONT></FONT></P>
1266                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--&gt;</FONT></FONT></P>
1267                        <P STYLE="margin-bottom: 0cm">   
1268                        <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;userRolesModFilePath&gt;&lt;/userRolesModFilePath&gt;</FONT></FONT></P>
1269                        <P STYLE="margin-bottom: 0cm">   
1270                        <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;userRolesModName&gt;&lt;/userRolesModName&gt;</FONT></FONT></P>
1271                        <P STYLE="margin-bottom: 0cm">   
1272                        <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;userRolesClassName&gt;&lt;/userRolesClassName&gt;</FONT></FONT></P>
1273                        <P STYLE="margin-bottom: 0cm">   
1274                        <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;userRolesPropFile&gt;&lt;/userRolesPropFile&gt;</FONT></FONT></P>
1275                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;/AAprop&gt;</FONT></FONT></P>
1276                        <P> 
1277                        </P>
1278                </TD>
1279        </TR>
1280</TABLE>
1281<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
1282</P>
1283<H3 CLASS="western"><A NAME="4.4.2.User Roles Interface|outline"></A>4.4.2 User
1284Roles Interface</H3>
1285<P CLASS="western" ALIGN=JUSTIFY>Given a valid user proxy
1286certificate, the Attribute Authority serves an attribute certificate
1287containing authorisation roles for that user.  It is for the data
1288centre to determine how these roles map to the user’s identity, as
1289given by the Distinguished Name in the proxy certificate.
1290Typically, a data centre might have a user database which relates
1291user id to authorisation roles.</P>
1292<P CLASS="western" ALIGN=JUSTIFY>The Attribute Authority provides a
1293programmatic interface for determining the relationship between user
1294id and roles.   A custom Python class may be written to perform this
1295task.   See the Appendices, section 5.4.</P>
1296<H3 CLASS="western"><A NAME="4.4.3.Role Mapping|outline"></A>4.4.3 Role
1297Mapping</H3>
1298<P CLASS="western" ALIGN=JUSTIFY>The role mapping file is stored in
1299the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/conf</SPAN></FONT>
1300directory as <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">mapConfig.xml</SPAN></FONT>.
1301 This is an XML file which relates local roles at the target data
1302centre to roles of other trusted data centres.  These role mappings
1303are made by agreement between data centres.</P>
1304<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1305        <COL WIDTH=610>
1306        <TR>
1307                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
1308                        <P STYLE="margin-bottom: 0cm"><BR>
1309                        </P>
1310                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;?xml
1311                        version=&quot;1.0&quot; encoding=&quot;utf-8&quot;?&gt;</FONT></P>
1312                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;AAmap&gt;</FONT></P>
1313                        <P STYLE="margin-bottom: 0cm">     <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;thisHost
1314                        name=&quot;yourSiteIdentifier&quot;&gt;</FONT></P>
1315                        <P STYLE="margin-bottom: 0cm">         
1316                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;wsdl&gt;yourSiteAttAuthorityURI&lt;/wsdl&gt;</FONT></P>
1317                        <P STYLE="margin-bottom: 0cm">         
1318                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;loginURI&gt;yourSiteLoginPageURI&lt;/loginURI&gt;</FONT></P>
1319                        <P STYLE="margin-bottom: 0cm">     <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;/thisHost&gt;</FONT></P>
1320                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;trusted
1321                        name=&quot;BODC&quot;&gt;</FONT></P>
1322                        <P STYLE="margin-bottom: 0cm">         
1323                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;aaURI&gt;bodcAttAuthorityURI&lt;/aaURI&gt;</FONT></P>
1324                        <P STYLE="margin-bottom: 0cm">         
1325                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;loginURI&gt;bodcLoginPageURI&lt;/loginURI&gt;</FONT></P>
1326                        <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;role
1327                        remote=&quot;aBODCrole&quot; local=&quot;aLocalRole&quot;/&gt;</FONT></P>
1328                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;/trusted&gt;</FONT></P>
1329                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;trusted
1330                        name=&quot;NOCS&quot;&gt;</FONT></P>
1331                        <P STYLE="margin-bottom: 0cm">         
1332                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;aaURI&gt;nocsAttAuthorityURI&lt;/aaURI&gt;</FONT></P>
1333                        <P STYLE="margin-bottom: 0cm">         
1334                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;loginURI&gt;nocsLoginPageURI&lt;/loginURI&gt;</FONT></P>
1335                        <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;role
1336                        remote=&quot;aNOCSrole&quot; local=&quot;anotherLocalRole&quot;/&gt;</FONT></P>
1337                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;/trusted&gt;</FONT></P>
1338                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;trusted
1339                        name=&quot;PML&quot;&gt;</FONT></P>
1340                        <P STYLE="margin-bottom: 0cm">         
1341                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;aaURI&gt;pmlAttAuthorityURI&lt;/aaURI&gt;</FONT></P>
1342                        <P STYLE="margin-bottom: 0cm">         
1343                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;loginURI&gt;pmlLoginPageURI&lt;/loginURI&gt;</FONT></P>
1344                        <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;role
1345                        remote=&quot;aPMLrole&quot; local=&quot;yetAnotherLocalRole&quot;/&gt;</FONT></P>
1346                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;/trusted&gt;</FONT></P>
1347                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;/AAmap&gt;</FONT></P>
1348                        <P STYLE="margin-bottom: 0cm"><BR>
1349                        </P>
1350                        <P><BR>
1351                        </P>
1352                </TD>
1353        </TR>
1354</TABLE>
1355<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
1356</P>
1357<P CLASS="western" ALIGN=JUSTIFY>&lt;todo: &gt;</P>
1358<H3 CLASS="western"><A NAME="4.4.4.Twisted Python server .tac file|outline"></A>
13594.4.4 Twisted Python server .tac file</H3>
1360<P CLASS="western" ALIGN=JUSTIFY>Python security services use the
1361Python Twisted package application server.  A special .tac
1362configuration file is loaded by the Twisted server.  Copy this from
1363the ndg_security_server to the NDG security conf/ area:</P>
1364<TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1365        <COL WIDTH=602>
1366        <TR>
1367                <TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0">
1368                        <P STYLE="margin-bottom: 0cm"><BR>
1369                        </P>
1370                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1371                        cp /usr/local/lib/python&lt;python version
1372                        num&gt;/site-packages/ndg_security_server-&lt;version
1373                        info&gt;.egg/ndg/security/server/server-config.tac<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">
1374                        $NDGSEC_DIR/conf</SPAN></FONT></FONT></P>
1375                        <P><BR>
1376                        </P>
1377                </TD>
1378        </TR>
1379</TABLE>
1380<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
1381</P>
1382<H3 CLASS="western"><A NAME="4.4.5.SysV-style Boot Script|outline"></A>
13834.4.5 SysV-style Boot Script</H3>
1384<P CLASS="western" ALIGN=JUSTIFY>As with the Session Manager, the
1385Attribute Authority can be configured to start up at system boot of
1386the host machine.  A SysV style start up script <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndg-aa</SPAN></FONT>
1387is provided in the installation in:</P>
1388<P CLASS="western" ALIGN=JUSTIFY>/usr/local/lib/python&lt;python
1389version num&gt;/site-packages/ndg_security_server-&lt;version
1390info&gt;.egg/ndg/security/server/<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">share</SPAN></FONT>
1391 
1392</P>
1393<P CLASS="western" ALIGN=JUSTIFY>To configure, install this file:</P>
1394<TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1395        <COL WIDTH=602>
1396        <TR>
1397                <TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0">
1398                        <P STYLE="margin-bottom: 0cm"><BR>
1399                        </P>
1400                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1401                        cp /usr/local/lib/python&lt;python version
1402                        num&gt;/site-packages/ndg_security_server-&lt;version
1403                        info&gt;.egg/ndg/security/server<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">
1404                        /share/ndg-aa /etc/rc.d/init.d</SPAN></FONT></FONT></P>
1405                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$
1406                        chkconfig --add ndg-aa</SPAN></FONT></FONT></P>
1407                        <P><BR>
1408                        </P>
1409                </TD>
1410        </TR>
1411</TABLE>
1412<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
1413</P>
1414<P CLASS="western" ALIGN=JUSTIFY>Edit ndg-aa so that it uses the
1415NDGSEC_DIR environment variable to point to the correct location of
1416the .tac file in the conf/ directory.  User and group ID settings can
1417be made so that the service runs under an account other than root.  If
1418this is used, ensure that the permissions on $NDGSEC_DIR give that
1419account the access it needs. 
1420</P>
1421<P CLASS="western" ALIGN=JUSTIFY>If required, add any additional
1422environment settings required to connect to a user database.</P>
1423<H2 CLASS="western"><A NAME="4.5.Python Unit Tests|outline"></A>4.5 Python
1424Unit Tests</H2>
1425<P CLASS="western" ALIGN=JUSTIFY>Python unit test scripts are
1426provided so that the system can be checked to confirm that it is
1427running correctly.   These are located in the ndg_security_test egg
1428in the site-packages/ directory of the python installation.</P>
1429<P CLASS="western" ALIGN=JUSTIFY>&lt;todo: &gt;</P>
1430<H2 CLASS="western"><A NAME="4.6.Globus MyProxy|outline"></A>4.6 Globus
1431MyProxy</H2>
1432<H3 CLASS="western"><A NAME="4.6.1.MyProxy and NDG Security Background|outline"></A>
14334.6.1 MyProxy and NDG Security Background</H3>
1434<P CLASS="western" ALIGN=JUSTIFY>NDG Security makes use of MyProxy
1435from the Globus toolkit to store users’ authentication credentials.
1436 If a participating data centre supports user accounts then it will
1437need to deploy its own MyProxy repository. 
1438</P>
1439<P CLASS="western" ALIGN=JUSTIFY>The NDG SessionManager web service
1440acts as a client to MyProxy.  When a user is registered at a site, it
1441generates a new public/private key pair for the user and an X.509
1442certificate request.  It sends the latter to the NDG Simple CA
1443(Certificate Authority) for signing.  A new X.509 certificate is
1444issued and returned.  The SessionManager uploads the public and
1445private key into the MyProxy repository and associates a username and
1446pass-phrase with these credentials.</P>
1447<P CLASS="western" ALIGN=JUSTIFY>When a user subsequently logs in at
1448their site, again the SessionManager is called.  It passes the
1449username and pass-phrase provided to MyProxy.  MyProxy matches these
1450with the X.509 certificate it holds and issues a <I>proxy</I> to that
1451certificate.  The proxy certificate represents the user’s ID
1452internally in the interactions between the various NDG components.
1453</P>
1454<P CLASS="western" ALIGN=JUSTIFY>MyProxy runs as a service
1455<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy-server</SPAN></FONT>
1456on its host machine, and user credentials are held in a directory on
1457the file system.  It is important to secure the host to ensure the
1458credentials are not compromised. (Also see Ref 1 above.)</P>
1459<H3 CLASS="western"><A NAME="4.6.2.MyProxy user account and the repository location considerations|outline"></A>
14604.6.2 MyProxy user account and the repository location considerations</H3>
1461<P CLASS="western" ALIGN=JUSTIFY>MyProxy may be installed as root or
1462using a separate user account.  The latter is preferable as it
1463provides an extra level of security.  Note that the MyProxy
1464repository will be in a standard location. 
1465</P>
1466<UL>
1467        <LI><P CLASS="western" ALIGN=JUSTIFY>If MyProxy is installed as
1468        root, this is <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/var/myproxy</SPAN></FONT>.
1469         
1470        </P>
1471        <LI><P CLASS="western" ALIGN=JUSTIFY>If installed under an
1472        alternative user account, <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$GLOBUS_LOCATION/var/myproxy</SPAN></FONT>.
1473         
1474        </P>
1475</UL>
1476<P CLASS="western" ALIGN=JUSTIFY>It is possible to explicitly define
1477an alternate location, but this can only be done by providing a
1478command line argument to <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy-server</SPAN></FONT>.
1479 Note that this argument might be visible in the process list of the host
1480machine, for example in the output from <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">
1481ps</SPAN></FONT>.  This can be avoided by running <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy-server</SPAN></FONT>
1482with <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">xinetd
1483</SPAN></FONT>(see 4.6.8.1).</P>
1484<P CLASS="western" ALIGN=LEFT>Another factor to take into
1485consideration is the available space on the file system for the
1486repository location.  There should be sufficient disk space on the
1487partition where the directory is located to store credentials for all
1488the users of the system at the target site.</P>
1489<P CLASS="western" ALIGN=JUSTIFY>This guide assumes installation
1490under a dedicated user account.  The username <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">globus</SPAN></FONT>
1491is used in the examples for convenience only.  An alternative
1492username is recommended.</P>
1493<P CLASS="western" ALIGN=JUSTIFY>As <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">root</SPAN></FONT>
1494user set up a local user account.</P>
1495<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1496        <COL WIDTH=596>
1497        <TR>
1498                <TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6">
1499                        <P STYLE="margin-bottom: 0cm"><BR>
1500                        </P>
1501                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1502                        groupadd globus</FONT></P>
1503                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1504                        useradd globus -g globus</FONT></P>
1505                </TD>
1506        </TR>
1507</TABLE>
1508<P CLASS="western" ALIGN=LEFT><BR><BR>
1509</P>
1510<P CLASS="western" ALIGN=JUSTIFY>Note that for security purposes, the
1511globus user account is set up as a local rather than an NIS account so that
1512access is restricted.  Set the default home directory as necessary
1513and the default shell to bash.  Set the password for <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">globus</SPAN></FONT>:</P>
1514<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1515        <COL WIDTH=596>
1516        <TR>
1517                <TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6">
1518                        <P STYLE="margin-bottom: 0cm"><BR>
1519                        </P>
1520                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1521                        passwd globus</FONT></P>
1522                </TD>
1523        </TR>
1524</TABLE>
1525<P CLASS="western" ALIGN=LEFT><BR><BR>
1526</P>
1527<P CLASS="western" ALIGN=JUSTIFY>Modify the relevant files and
1528directories in the NDG installation area to be owned by the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">globus</SPAN></FONT>
1529account:</P>
1530<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1531        <COL WIDTH=596>
1532        <TR>
1533                <TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6">
1534                        <P STYLE="margin-bottom: 0cm"><BR>
1535                        </P>
1536                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1537                        chown -R globus:globus $NDGSEC_DIR/conf/ $NDGSEC_DIR/ndgSetup.sh</FONT></P>
1538                </TD>
1539        </TR>
1540</TABLE>
1541<P CLASS="western" ALIGN=LEFT><BR><BR>
1542</P>
1543<P CLASS="western" ALIGN=LEFT>For convenience, the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndgSetup.sh</SPAN></FONT>
1544file may be called from the globus account’s <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">.bashrc</SPAN></FONT>
1545file so that the NDG environment is automatically initialised when a
1546new globus shell is invoked.</P>
1547<P CLASS="western" ALIGN=LEFT>Change to the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">globus</SPAN></FONT>
1548account and edit <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">~/.bashrc</SPAN></FONT>
1549adding the following lines at the end:</P>
1550<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1551        <COL WIDTH=596>
1552        <TR>
1553                <TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6">
1554                        <P STYLE="margin-bottom: 0cm"><BR>
1555                        </P>
1556                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#
1557                        NDG set-up</FONT></P>
1558                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">.
1559                        /usr/local/NDG/ndgSetup.sh</FONT></P>
1560                </TD>
1561        </TR>
1562</TABLE>
1563<P CLASS="western" ALIGN=LEFT><BR><BR>
1564</P>
1565<H3 CLASS="western"><A NAME="4.6.3.Build Process|outline"></A>4.6.3 Build
1566Process</H3>
1567<P CLASS="western" ALIGN=JUSTIFY>As <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">root</SPAN></FONT>,
1568create an installation directory for Globus within the NDG
1569installation:</P>
1570<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1571        <COL WIDTH=596>
1572        <TR>
1573                <TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6">
1574                        <P STYLE="margin-bottom: 0cm"><BR>
1575                        </P>
1576                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1577                        mkdir $NDGSEC_DIR/globus-4.0.1</FONT></P>
1578                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1579                        chown globus:globus $NDGSEC_DIR/globus-4.0.1</FONT></P>
1580                        <P><BR>
1581                        </P>
1582                </TD>
1583        </TR>
1584</TABLE>
1585<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
1586</P>
1587<P CLASS="western" ALIGN=JUSTIFY>Ensure that the setting for
1588<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">GLOBUS_LOCATION</FONT>
1589in <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$NDGSEC_DIR/ndgSetup.sh</FONT>
1590points to the newly created directory <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$NDGSEC_DIR/globus-4.0.1</FONT>.</P>
1591<P CLASS="western" ALIGN=JUSTIFY>Switch to the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">globus</FONT>
1592user account ready to download the globus installation.</P>
1593<P CLASS="western" ALIGN=JUSTIFY>Globus 4.0.1 distribution is
1594recommended for use with the NDG Security software.  This is
1595available from <FONT COLOR="#0000ff"><U><A HREF="http://www.globus.org/toolkit/downloads/4.0.1/">http://www.globus.org/toolkit/downloads/4.0.1/</A></U></FONT></P>
1596<P CLASS="western" ALIGN=JUSTIFY>A binary version is available but it
1597is recommended to install the source code version and build from
1598scratch on the target machine.  Note that it is possible to set a
1599target for <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">make
1600</SPAN></FONT>so that only the MyProxy components of Globus are
1601built.  Click on the link for the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">gt4.0.1-all-source-installer</FONT>
1602tarball.  Extract the files and change to the
1603<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">gt4.0.1-all-source-installer/</FONT>
1604directory created.</P>
1605<P CLASS="western" ALIGN=JUSTIFY>Configure the build settings, then compile
1606and install MyProxy:</P>
1607<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1608        <COL WIDTH=596>
1609        <TR>
1610                <TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6">
1611                        <P STYLE="margin-bottom: 0cm"><BR>
1612                        </P>
1613                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1614                        ./configure --prefix=$GLOBUS_LOCATION</FONT></P>
1615                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1616                        make gsi-myproxy postinstall</FONT></P>
1617                        <P><BR>
1618                        </P>
1619                </TD>
1620        </TR>
1621</TABLE>
1622<P STYLE="margin-bottom: 0cm"><BR>
1623</P>
1624<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Helvetica, sans-serif"><SPAN LANG="en-GB">When
1625running</SPAN></FONT> ./configure <FONT FACE="Helvetica, sans-serif"><SPAN LANG="en-GB">you
1626may see an error if the </SPAN></FONT>JAVA_HOME<FONT FACE="Helvetica, sans-serif"><SPAN LANG="en-GB">
1627environment variable is not set.  This can be ignored because Java is
1628not required for the MyProxy build.</SPAN></FONT></FONT></P>
1629<P STYLE="margin-bottom: 0cm"><BR>
1630</P>
1631<H3 CLASS="western"><A NAME="4.6.4.NDG SimpleCA Client Package |outline"></A>
16324.6.4 NDG SimpleCA Client Package
1633</H3>
1634<P CLASS="western" ALIGN=JUSTIFY>This configures the target machine
1635to trust the NDG CA. 
1636</P>
1637<P CLASS="western" ALIGN=JUSTIFY>Login as the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">globus</SPAN></FONT>
1638user. To install, first initialise the environment settings (the
1639following line should be included in <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndgSetup.sh</SPAN></FONT>;
1640 check and amend as necessary).</P>
1641<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1642        <COL WIDTH=596>
1643        <TR>
1644                <TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6">
1645                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><BR>
1646                        </P>
1647                        <P LANG="fr-FR"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1648                        . $GLOBUS_LOCATION/etc/globus-user-env.sh</FONT></P>
1649                </TD>
1650        </TR>
1651</TABLE>
1652<P><BR><BR>
1653</P>
1654<P CLASS="western" ALIGN=LEFT>Install the client package.  <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">&lt;CA
1655Hash&gt;</SPAN></FONT> below is a unique identifier for the CA.  Note
1656that the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">--nonroot</SPAN></FONT>
1657option ensures that the configuration files are installed in
1658<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$GLOBUS_LOCATION/etc</SPAN></FONT>
1659rather than the default location used with the root user:
1660<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/etc/grid-security</SPAN></FONT>.
1661 If you are installing as <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">root</SPAN></FONT>,
1662this option may be omitted.</P>
1663<P CLASS="western" ALIGN=LEFT>Also note that for 64 bit architectures
1664the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">gcc32dbg</SPAN></FONT>
1665argument to <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">gpt-build</SPAN></FONT>
1666should be substituted with <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">gcc64dbg</SPAN></FONT>.</P>
1667<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1668        <COL WIDTH=596>
1669        <TR>
1670                <TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6">
1671                        <P STYLE="margin-bottom: 0cm"><BR>
1672                        </P>
1673                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1674                        gpt-build globus_simple_ca_&lt;CA hash&gt;_setup-0.18.tar.gz
1675                        gcc32dbg</FONT></P>
1676                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1677                        gpt-postinstall</FONT></P>
1678                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1679                        $GLOBUS_LOCATION/setup/globus_simple_ca_&lt;CA
1680                        hash&gt;_setup/setup-gsi </FONT>
1681                        </P>
1682                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">--default
1683                        --nonroot</FONT></P>
1684                </TD>
1685        </TR>
1686</TABLE>
1687<P STYLE="margin-bottom: 0cm"><BR>
1688</P>
1689<P CLASS="western" ALIGN=LEFT>When running <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">gpt-postinstall</SPAN></FONT>,
1690you may see a warning:</P>
1691<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1692        <COL WIDTH=596>
1693        <TR>
1694                <TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6">
1695                        <P STYLE="margin-bottom: 0cm"><BR>
1696                        </P>
1697                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">WARNING:
1698                        The following packages were not set up correctly:</FONT></P>
1699                        <P STYLE="margin-bottom: 0cm">        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">globus_simple_ca_&lt;CA
1700                        hash&gt;_setup-noflavor-pgm</FONT></P>
1701                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Check
1702                        the package documentation or run postinstall -verbose to see what
1703                        happened</FONT></P>
1704                </TD>
1705        </TR>
1706</TABLE>
1707<P CLASS="western" ALIGN=LEFT><BR><BR>
1708</P>
1709<P CLASS="western" ALIGN=LEFT>This can be ignored.</P>
1710<H4 CLASS="western">4.6.4.1 Modifications to Configuration File
1711Settings</H4>
1712<P CLASS="western" ALIGN=LEFT>The configuration files installed
1713require some minor modifications before proceeding:</P>
1714<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm">Under the
1715directory <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$GLOBUS_LOCATION/etc</SPAN></FONT>,
1716edit <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">globus-host-ssl.conf</SPAN></FONT>
1717and under the section <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">[
1718req_distinguished_name ]</SPAN></FONT>, edit the setting for
1719<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">0.organizationalUnitName_default</SPAN></FONT>
1720and change the default <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">BADC</SPAN></FONT>
1721to the name of the organisation where this NDG security software is
1722being installed.  This name will be used as the default for the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">OU</SPAN></FONT>
1723field of certificates held in the MyProxy server.</P>
1724<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
1725</P>
1726<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1727        <COL WIDTH=610>
1728        <TR>
1729                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
1730                        <P STYLE="margin-bottom: 0cm"><BR>
1731                        </P>
1732                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">[
1733                        req_distinguished_name ]</FONT></P>
1734                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#
1735                        BEGIN CONFIG</FONT></P>
1736                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">0.organizationName
1737                                      = Level 0 Organization</FONT></P>
1738                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">0.organizationName_default
1739                              = NDG</FONT></P>
1740                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">0.organizationalUnitName
1741                                 = Level 0 Organizational Unit</FONT></P>
1742                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">0.organizationalUnitName_default
1743                        = BADC</FONT></P>
1744                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">commonName
1745                                             = Name (e.g., John M. Smith)</FONT></P>
1746                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">commonName_max
1747                                         = 64</FONT></P>
1748                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#
1749                        END CONFIG</FONT></P>
1750                        <P><BR>
1751                        </P>
1752                </TD>
1753        </TR>
1754</TABLE>
1755<P CLASS="western" ALIGN=LEFT><BR><BR>
1756</P>
1757<P CLASS="western" ALIGN=LEFT>Under the same directory, edit the file
1758<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">globus-user-ssl.conf</SPAN></FONT>
1759and carry out the same modification as above but also comment out the
1760two lines below <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">1.organizationalUnitName</SPAN></FONT>
1761and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">1.organizationalUnitName_default</SPAN></FONT>:</P>
1762<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
1763</P>
1764<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1765        <COL WIDTH=610>
1766        <TR>
1767                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
1768                        <P STYLE="margin-bottom: 0cm"><BR>
1769                        </P>
1770                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">[
1771                        req_distinguished_name ]</FONT></P>
1772                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#
1773                        BEGIN CONFIG</FONT></P>
1774                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">0.organizationName
1775                                      = Level 0 Organization</FONT></P>
1776                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">0.organizationName_default
1777                              = NDG</FONT></P>
1778                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">0.organizationalUnitName
1779                                 = Level 0 Organizational Unit</FONT></P>
1780                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">0.organizationalUnitName_default
1781                        = BADC</FONT></P>
1782                        <P STYLE="margin-bottom: 0cm"><BR>
1783                        </P>
1784                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#1.organizationalUnitName
1785                                 = Level 1 Organizational Unit</FONT></P>
1786                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#1.organizationalUnitName_default
1787                        = badc.rl.ac.uk</FONT></P>
1788                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">commonName
1789                                             = Name (e.g., John M. Smith)</FONT></P>
1790                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">commonName_max
1791                                         = 64</FONT></P>
1792                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#
1793                        END CONFIG</FONT></P>
1794                        <P><BR>
1795                        </P>
1796                </TD>
1797        </TR>
1798</TABLE>
1799<P CLASS="western" ALIGN=LEFT><BR><BR>
1800</P>
1801<P CLASS="western" ALIGN=LEFT>Edit
1802<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$GLOBUS_LOCATION/share/certificates/&lt;CA
1803Hash&gt;.signing_policy</SPAN></FONT> and change the setting of <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">OU</FONT>
1804in the line:</P>
1805<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
1806</P>
1807<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1808        <COL WIDTH=610>
1809        <TR>
1810                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
1811                        <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
1812                        </P>
1813                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">cond_subjects
1814                            globus       '&quot;/O=NDG/OU=BADC/*&quot;'</FONT></P>
1815                        <P CLASS="western" ALIGN=LEFT><BR>
1816                        </P>
1817                </TD>
1818        </TR>
1819</TABLE>
1820<P CLASS="western" ALIGN=LEFT><BR><BR>
1821</P>
1822<P CLASS="western" ALIGN=LEFT>Replace ‘BADC’ with the name of
1823the Organisational Unit for your organisation.  This should be the
1824same as <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">0.organizationalUnitName_default</SPAN></FONT>
1825set above for <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">globus-host-ssl.conf</FONT>
1826and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">globus-user-ssl.conf</FONT>.
The signing policy defines which subject names this CA is trusted to
sign for, so a certificate whose OU does not match this pattern will be
rejected.</P>
1827<P CLASS="western" ALIGN=LEFT>Having completed these steps, a host
1828certificate for the target machine can be made in order to identify
1829it.</P>
1830<H3 CLASS="western"><A NAME="4.6.5.Host Certificate Creation|outline"></A>
1831 4.6.5 Host Certificate Creation</H3>
1832<P CLASS="western" ALIGN=LEFT>Login as <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">globus</SPAN></FONT>
1833user to carry out these steps.   <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">ndgSetup.sh
1834</FONT>should configure the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">PATH</FONT>
1835variable to include the Globus executable directories
1836<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$GLOBUS_LOCATION/bin</FONT>
1837and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$GLOBUS_LOCATION/sbin</FONT>.
1838 Check the path to the command <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">grid-cert-request</SPAN></FONT>:</P>
1839<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
1840</P>
1841<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1842        <COL WIDTH=610>
1843        <TR>
1844                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
1845                        <P STYLE="margin-bottom: 0cm"><BR>
1846                        </P>
1847                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1848                        which grid-cert-request</FONT></P>
1849                        <P CLASS="western" ALIGN=LEFT><BR>
1850                        </P>
1851                </TD>
1852        </TR>
1853</TABLE>
1854<P CLASS="western" ALIGN=JUSTIFY><BR>Should return something like:
1855<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">/usr/local/NDG/globus-4.0.1/bin/grid-cert-request</FONT></P>
1856<P CLASS="western" ALIGN=JUSTIFY>To generate a host certificate
1857request, change to the certificates directory:</P>
1858<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
1859</P>
1860<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1861        <COL WIDTH=610>
1862        <TR>
1863                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
1864                        <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
1865                        </P>
1866                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1867                        cd $GLOBUS_LOCATION/etc</FONT></P>
1868                        <P CLASS="western" ALIGN=LEFT><BR>
1869                        </P>
1870                </TD>
1871        </TR>
1872</TABLE>
1873<P CLASS="western" ALIGN=JUSTIFY><BR>Nb. If you installed MyProxy as
1874<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">root</SPAN></FONT>,
1875as root user change to <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/etc/grid-security</SPAN></FONT>
1876where the certificates should be held.</P>
1877<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1878        <COL WIDTH=610>
1879        <TR>
1880                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
1881                        <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
1882                        </P>
1883                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1884                        grid-cert-request --host &lt;machine hostname&gt; -dir .</FONT></P>
1885                        <P CLASS="western" ALIGN=LEFT><BR>
1886                        </P>
1887                </TD>
1888        </TR>
1889</TABLE>
1890<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
1891</P>
1892<P CLASS="western" ALIGN=LEFT>This creates the files <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">hostcert.pem</FONT>,
1893<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">hostkey.pem</FONT>
1894and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">hostcert_request.pem</FONT>.
1895 <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">hostcert.pem</FONT>
1896is empty at this stage.  <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">hostkey.pem</FONT>
is the host's private key: keep it readable only by the account that runs
<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">myproxy-server</FONT>
and do not send it to the CA (only the request file is forwarded).
1897</P>
1898<P CLASS="western" ALIGN=JUSTIFY>In order to obtain the certificate
1899it must be signed by the NDG CA.  Contact the NDG CA forwarding
1900<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">hostcert_request.pem</FONT>.
1901 The CA will issue a <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">hostcert.pem</FONT>
1902file.  Copy this file into this directory i.e. <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$GLOBUS_LOCATION/etc</FONT>.
1903  <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">hostcert_request.pem
1904</FONT>is no longer needed and may be deleted if desired.</P>
1905<H3 CLASS="western"><A NAME="4.6.6.MyProxy Configuration File|outline"></A>
1906 4.6.6 MyProxy Configuration File</H3>
1907<P CLASS="western" ALIGN=JUSTIFY>A MyProxy configuration file is
1908normally kept in the Globus installation under the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">etc</SPAN></FONT>
1909directory.   If this file is not already present, copy the sample
1910file:</P>
1911<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1912        <COL WIDTH=610>
1913        <TR>
1914                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
1915                        <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
1916                        </P>
1917                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1918                        cp $GLOBUS_LOCATION/share/myproxy/myproxy-server.config
1919                        $GLOBUS_LOCATION/etc</FONT></P>
1920                        <P CLASS="western" ALIGN=LEFT><BR>
1921                        </P>
1922                </TD>
1923        </TR>
1924</TABLE>
1925<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
1926</P>
1927<P CLASS="western" ALIGN=JUSTIFY>As the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">globus</FONT>
1928user edit <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$GLOBUS_LOCATION/etc/myproxy-server.config</FONT></P>
1929<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm">Modify the
1930entries under the section <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Complete
1931Sample Policy</SPAN></FONT> so that they are all uncommented (remove
1932leading <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">#
1933</SPAN></FONT>character):</P>
1934<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
1935</P>
1936<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1937        <COL WIDTH=610>
1938        <TR>
1939                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
1940                        <P STYLE="margin-bottom: 0cm"><BR>
1941                        </P>
1942                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#</FONT></P>
1943                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#
1944                        Complete Sample Policy</FONT></P>
1945                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#</FONT></P>
1946                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#
1947                        The following lines define a sample policy that enables all</FONT></P>
1948                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#
1949                        myproxy-server features.  See below for more examples.</FONT></P>
1950                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">accepted_credentials
1951                         &quot;*&quot;</FONT></P>
1952                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">authorized_retrievers
1953                        &quot;*&quot;</FONT></P>
1954                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">default_retrievers
1955                           &quot;*&quot;</FONT></P>
1956                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">authorized_renewers
1957                          &quot;*&quot;</FONT></P>
1958                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">default_renewers
1959                             &quot;none&quot;</FONT></P>
1960                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">authorized_key_retrievers
1961                        &quot;*&quot;</FONT></P>
1962                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">default_key_retrievers
1963                        &quot;none&quot;</FONT></P>
1964                        <P><BR>
1965                        </P>
1966                </TD>
1967        </TR>
1968</TABLE>
1969<P CLASS="western" ALIGN=LEFT><BR><BR>
1970</P>
1971<P CLASS="western" ALIGN=LEFT>Note that with the
1972<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">&quot;*&quot;</SPAN></FONT>
wildcards above the server accepts credentials from, and allows
retrieval by, any Distinguished Name.  For a production server these
fields should be narrowed so that only Distinguished Names of a given
1973format are accepted e.g. <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">&quot;/O=NDG/OU=BADC/*&quot;</SPAN></FONT></P>
1974<H3 CLASS="western"><A NAME="4.6.7.Repository Directory|outline"></A>4.6.7 Repository
1975Directory</H3>
1976<P CLASS="western" ALIGN=LEFT>A directory needs to be specified on
1977the file system to store the user credentials generated by MyProxy.
1978This should be owned by the account that runs <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy-server</SPAN></FONT>.
1979 In the examples given this would be the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB"><FONT SIZE=2 STYLE="font-size: 9pt">globus</FONT></SPAN></FONT>
1980user and the expected location, <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$GLOBUS_LOCATION/var</SPAN></FONT>.
1981  See section 2.3.2 <I>MyProxy user account and repository location</I>.</P>
1982<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm">Login as the
1983<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">globus</SPAN></FONT>
1984user and change directory to the location for the repository:</P>
1985<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
1986</P>
1987<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1988        <COL WIDTH=610>
1989        <TR>
1990                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
1991                        <P STYLE="margin-bottom: 0cm"><BR>
1992                        </P>
1993                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1994                        cd $GLOBUS_LOCATION/var</FONT></P>
1995                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1996                        mkdir myproxy</FONT></P>
1997                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1998                        chmod 700 myproxy</FONT></P>
1999                        <P><BR>
2000                        </P>
2001                </TD>
2002        </TR>
2003</TABLE>
2004<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
2005</P>
2006<P CLASS="western" ALIGN=JUSTIFY>The <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">chmod
2007</SPAN></FONT>command ensures that only the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">globus</SPAN></FONT>
2008user can read, write or enter the directory, which holds the stored
user credentials.  Note also that the
2009directory need not be called <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy</SPAN></FONT>.</P>
2010<H3 CLASS="western"><A NAME="4.6.8.Adding MyProxy Server to the system start up|outline"></A>
2011 4.6.8 Adding MyProxy Server to the system start up</H3>
2012<P CLASS="western" ALIGN=JUSTIFY>Any of the standard mechanisms may
2013be used such as adding a SysV style init script or using <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">inetd</SPAN></FONT>
2014or <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">xinetd</SPAN></FONT>.
2015 <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">inetd</SPAN></FONT>/<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">xinetd</SPAN></FONT>
2016are preferred:</P>
2017<UL>
2018        <LI><P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy-server</SPAN></FONT>
2019        process will not appear in a <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ps</SPAN></FONT>
2020        listing while it is idle
2021        </P>
2022        <LI><P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm">It’s
2023        more efficient since it’s only invoked when a request from a
2024        MyProxy client is received.</P>
2025        <LI><P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm">It’s
2026        easy to configure so that <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy-server</SPAN></FONT>
2027        runs as an alternative user to <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">root</SPAN></FONT>.</P>
2028</UL>
2029<P CLASS="western" ALIGN=JUSTIFY STYLE="margin-left: 0.63cm; margin-bottom: 0cm">
2030<BR>
2031</P>
2032<H4 CLASS="western"><A NAME="_Ref143089522"></A>4.6.8.1 inetd / xinetd</H4>
2033<P CLASS="western" ALIGN=LEFT>To run the myproxy server using <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">inetd
2034</SPAN></FONT>or <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">xinetd</SPAN></FONT>,
2035as root user:
2036</P>
2037<UL>
2038        <LI><P CLASS="western" ALIGN=LEFT>Add the entries in
2039        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$GLOBUS_LOCATION/share/myproxy/etc.services.modifications</SPAN></FONT>
2040        to the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/etc/services</SPAN></FONT>
2041        or <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/etc/inet/services</SPAN></FONT>
2042        file:
2043        </P>
2044</UL>
2045<DL>
2046        <DD>
2047        <TABLE WIDTH=574 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2048                <COL WIDTH=558>
2049                <TR>
2050                        <TD WIDTH=558 VALIGN=TOP BGCOLOR="#e0e0e0">
2051                                <P STYLE="margin-bottom: 0cm"><BR>
2052                                </P>
2053                                <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">myproxy-server
2054                                 7512/tcp                        # Myproxy server</FONT></P>
2055                                <P><BR>
2056                                </P>
2057                        </TD>
2058                </TR>
2059        </TABLE>
2060</DL>
2061<P CLASS="western" ALIGN=LEFT STYLE="margin-left: 0.64cm"><BR><BR>
2062</P>
2063<UL>
2064        <LI><P CLASS="western" ALIGN=LEFT>Add the entries from
2065        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$GLOBUS_LOCATION/share/myproxy/etc.inetd.conf.modifications</SPAN></FONT></P>
2066        <UL>
2067                <LI><P CLASS="western" ALIGN=LEFT>For inetd add to <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/etc/inetd.conf
2068                </SPAN></FONT>or <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/etc/inet/inetd.conf</SPAN></FONT>,
2069                or 
</P>
2070                <LI><P CLASS="western" ALIGN=LEFT>for <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">xinetd</SPAN></FONT>,
2071                copy <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$GLOBUS_LOCATION/share/myproxy/etc.xinetd.myproxy</SPAN></FONT>
2072                to <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/etc/xinetd.d/myproxy</SPAN></FONT>.
2073                Modify the paths in the file according to your installation and set
2074                the user to the correct user name for running <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy-server</SPAN></FONT>
2075                e.g.</P>
2076        </UL>
2077</UL>
2078<DL>
2079        <DD>
2080        <TABLE WIDTH=574 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2081                <COL WIDTH=558>
2082                <TR>
2083                        <TD WIDTH=558 VALIGN=TOP BGCOLOR="#e0e0e0">
2084                                <P STYLE="margin-bottom: 0cm"><BR>
2085                                </P>
2086                                <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">service
2087                                myproxy-server</FONT></FONT></P>
2088                                <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">{</FONT></FONT></P>
2089                                <P STYLE="margin-bottom: 0cm">  <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">socket_type
2090                                 = stream</FONT></FONT></P>
2091                                <P STYLE="margin-bottom: 0cm">  <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><SPAN LANG="pt-PT">protocol
2092                                    = tcp</SPAN></FONT></FONT></P>
2093                                <P LANG="pt-PT" STYLE="margin-bottom: 0cm">  <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">wait
2094                                        = no</FONT></FONT></P>
2095                                <P LANG="pt-PT" STYLE="margin-bottom: 0cm">  <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">user
2096                                        = globus</FONT></FONT></P>
2097                                <P LANG="pt-PT" STYLE="margin-bottom: 0cm">  <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">server
2098                                      = /usr/local/NDG/globus-4.0.1/sbin/myproxy-server</FONT></FONT></P>
2099                                <P LANG="pt-PT" STYLE="margin-bottom: 0cm">  <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">env   
2100                                        = GLOBUS_LOCATION=/usr/local/NDG/globus-4.0.1
2101                                LD_LIBRARY_PATH=/usr/local/NDG/globus-4.0.1/lib</FONT></FONT></P>
2102                                <P STYLE="margin-bottom: 0cm">  <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">disable
2103                                     = no</FONT></FONT></P>
2104                                <P STYLE="margin-bottom: 0cm">  <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">only_from
2105                                   = localhost.localdomain &lt;hostAddress1&gt; &lt;hostAddress2&gt;</FONT></FONT></P>
2106                                <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">}</FONT></FONT></P>
2107                        </TD>
2108                </TR>
2109        </TABLE>
2110</DL>
2111<P STYLE="margin-bottom: 0cm"><BR>
2112</P>
2113<UL>
        <LI><P CLASS="western" ALIGN=LEFT>Note also, the additional setting
        in this example for <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">only_from</SPAN></FONT>.
         This is a limit on which hosts clients can connect from
        to the server.  In the above, clients can connect from the local
        machine (note the fully qualified name including <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">localdomain</SPAN></FONT>)
        and from the hosts <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">&lt;hostAddress1&gt;
        </SPAN></FONT>and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">&lt;hostAddress2&gt;</SPAN></FONT>.
        Keep this list as narrow as possible (only the hosts that genuinely
        need to retrieve proxies).  It is a source-address check made by
        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">xinetd</SPAN></FONT>
        before <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy-server</SPAN></FONT>
        is started: it reduces exposure but is not a substitute for the
        server's own certificate-based authentication or for host firewall
        rules.</P>
2121        <LI><P CLASS="western" ALIGN=LEFT>Reactivate the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">inetd</SPAN></FONT>
2122        / <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">xinetd</SPAN></FONT>.
2123        This is typically accomplished by sending the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">SIGHUP</SPAN></FONT>
2124        signal to the server process.  Redhat Linux machines include the GUI
2125        tool <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">redhat-config-services</SPAN></FONT>
2126        to allow convenient management of services.  Refer to the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">inetd</SPAN></FONT>
2127        or <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">xinetd</SPAN></FONT>
2128        man page for your system.</P>
2129</UL>
2130<H4 CLASS="western">4.6.8.2SysV-style boot script
2131</H4>
<P CLASS="western" ALIGN=LEFT>A sample SysV-style boot script is
available in the Globus installation at
<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$GLOBUS_LOCATION/share/myproxy/etc.init.d.myproxy</SPAN></FONT>.
2135</P>
2136<P CLASS="western" ALIGN=LEFT>To install:
2137</P>
2138<TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2139        <COL WIDTH=602>
2140        <TR>
2141                <TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0">
2142                        <P STYLE="margin-bottom: 0cm"><BR>
2143                        </P>
2144                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
2145                        cp <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$GLOBUS_LOCATION/share/myproxy/etc.init.d.myproxy
2146                        /etc/rc.d/init.d/myproxy</SPAN></FONT></FONT></P>
2147                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$
2148                        chkconfig --add myproxy</SPAN></FONT></FONT></P>
2149                        <P><BR>
2150                        </P>
2151                </TD>
2152        </TR>
2153</TABLE>
2154<P CLASS="western" ALIGN=LEFT><BR><BR>
2155</P>
2156<P CLASS="western" ALIGN=LEFT>Edit the file to set the
2157<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">GLOBUS_LOCATION
2158</SPAN></FONT>environment variable correctly. 
2159</P>
2160<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
2161</P>
2162<H1 CLASS="western"><A NAME="5.Appendices|outline"></A>5.Appendices</H1>
2163<H2 CLASS="western"><A NAME="_Ref133718491"></A><A NAME="5.1.MySQL Installation|outline"></A>
21645.1MySQL Installation</H2>
<P CLASS="western" ALIGN=JUSTIFY>MySQL is required for the Credential
Repository used by the SessionManager to store user credentials, as
cached in their Credential Wallet held in their session.</P>
2168<P CLASS="western" ALIGN=JUSTIFY>This section describes how to make
2169an installation from the MySQL binary package tarball.   System
2170administrators may wish to use an existing installation of MySQL or
2171use an alternative installation method such as rpm.  Installing from
2172the binary package has the advantage that it doesn’t interfere with
2173any existing MySQL installation on the target machine.   The
2174instructions are adapted from the file <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">INSTALL-BINARY</SPAN></FONT>
2175provided in the tarball.</P>
2176<H3 CLASS="western"><A NAME="5.1.1.Version|outline"></A>5.1.1Version</H3>
<P CLASS="western" ALIGN=LEFT>Version 3.23 or later is recommended.
These instructions are for version 5.0.20a, the latest stable release
at time of writing.  Use the most recent release available to you and
apply vendor security updates: this server will hold user credentials,
so it should not be left running an unpatched version.</P>
2180<H3 CLASS="western"><A NAME="5.1.2.Getting the Binaries|outline"></A>5.1.2Getting
2181the Binaries</H3>
<P CLASS="western" ALIGN=LEFT>The package can be obtained from the
MySQL web site (<FONT COLOR="#0000ff"><U><A HREF="http://dev.mysql.com/downloads/mysql/5.0.html">http://dev.mysql.com/downloads/mysql/5.0.html</A></U></FONT>).
 Scroll to the correct version - Linux (non RPM, Intel C/C++
compiled, glibc-X.X) downloads.  The version of glibc on the target
machine (in this example the same machine as the web server) can be
checked with:</P>
2187<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2188        <COL WIDTH=605>
2189        <TR>
2190                <TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
2191                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><BR>$
2192                        ls /lib/libc-*</FONT></P>
2193                </TD>
2194        </TR>
2195</TABLE>
2196<P CLASS="western" ALIGN=LEFT><BR><BR>
2197</P>
2198<H3 CLASS="western"><A NAME="5.1.3.New mysql User Account|outline"></A>
21995.1.3New <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB"><I>mysql</I></SPAN></FONT>
2200User Account</H3>
<P CLASS="western" ALIGN=JUSTIFY>Make a new, dedicated account to run
MySQL if it doesn’t already exist.  The server is started as this
unprivileged user in the later steps and must not be run as
<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">root</SPAN></FONT>:</P>
2203<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2204        <COL WIDTH=605>
2205        <TR>
2206                <TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
2207                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><BR>$
2208                        groupadd mysql<BR>$ useradd -g mysql mysql</FONT></P>
2209                </TD>
2210        </TR>
2211</TABLE>
2212<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
2213</P>
2214<H3 CLASS="western"><A NAME="5.1.4.Unpacking the tarball|outline"></A>
22155.1.4Unpacking the tarball</H3>
2216<P CLASS="western" ALIGN=LEFT>As root copy the tarball to the target
2217directory for installation e.g. /usr/local, unpack the file:</P>
2218<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2219        <COL WIDTH=605>
2220        <TR>
2221                <TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
2222                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><BR>$
2223                        cd /usr/local<BR>$ tar zxvf
2224                        mysql-standard-5.0.20a-linux-i686-icc-glibc23.tar.gz</FONT></P>
2225                </TD>
2226        </TR>
2227</TABLE>
2228<P CLASS="western" ALIGN=LEFT><BR><BR>
2229</P>
2230<P CLASS="western" ALIGN=LEFT>Make a symbolic link to the new
2231directory and ‘<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">cd</SPAN></FONT>’
2232to it:
2233</P>
2234<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2235        <COL WIDTH=605>
2236        <TR>
2237                <TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
2238                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><BR>$
2239                        ln -s /usr/local/mysql-standard-5.0.20a-linux-i686-icc-glibc23
2240                        mysql<BR>$ cd mysql</FONT></P>
2241                </TD>
2242        </TR>
2243</TABLE>
2244<P CLASS="western" ALIGN=LEFT><BR><BR>
2245</P>
2246<P CLASS="western" ALIGN=LEFT>The <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">bin</SPAN></FONT>
2247directory contains client programs and the server.  You should add
2248the full pathname of this directory to your <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">PATH</SPAN></FONT>
2249environment variable so that your shell finds the MySQL programs
2250properly.
2251</P>
2252<H3 CLASS="western"><A NAME="5.1.5.Configuration File|outline"></A>5.1.5Configuration
2253File</H3>
<P CLASS="western" ALIGN=JUSTIFY>Create a configuration file called
<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">my.cnf</SPAN></FONT>
in the target directory (<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/usr/local/mysql</SPAN></FONT>
in this example) to enable custom settings to be made for this
installation.  Note that if there is an existing installation of
MySQL, there may already be settings in the file <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/etc/my.cnf</SPAN></FONT>.
 To use the settings from that file instead, <I>skip</I> this step.</P>
2261<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2262        <COL WIDTH=605>
2263        <TR>
2264                <TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
2265                        <P STYLE="margin-bottom: 0cm"><BR>
2266                        </P>
2267                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">[mysqld]</FONT></P>
2268                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">datadir=/usr/local/mysql-standard-5.0.20a-linux-i686-icc-glibc23/data</FONT></P>
2269                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">socket=/tmp/mysql.sock</FONT></P>
2270                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#
2271                        Default to using old password format for compatibility with mysql
2272                        3.x</FONT></P>
2273                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#
2274                        clients (those using the mysqlclient10 compatibility package).</FONT></P>
2275                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">old_passwords=1</FONT></P>
2276                        <P STYLE="margin-bottom: 0cm"><BR>
2277                        </P>
2278                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">[mysql.server]</FONT></P>
2279                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">user=mysql</FONT></P>
2280                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">basedir=/usr/local/mysql-standard-5.0.20a-linux-i686-icc-glibc23</FONT></P>
2281                        <P STYLE="margin-bottom: 0cm"><BR>
2282                        </P>
2283                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">[mysqld_safe]</FONT></P>
2284                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">err-log=/var/log/mysqld.log</FONT></P>
2285                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">pid-file=/tmp/mysql.pid</FONT></P>
2286                        <P><BR>
2287                        </P>
2288                </TD>
2289        </TR>
2290</TABLE>
2291<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
2292</P>
<P CLASS="western" ALIGN=JUSTIFY>The settings above will mean that
MySQL’s tables and the Credential Repository database will be
stored under <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/usr/local/mysql/data</SPAN></FONT>,
which must therefore be protected as described in section 5.1.7.
Note also that <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">old_passwords=1</SPAN></FONT>
makes the server store account password hashes in the pre-4.1 format,
which is considerably weaker than the current one; omit this setting
unless you genuinely have to support such legacy clients.</P>
2296<H3 CLASS="western"><A NAME="5.1.6.Create the Grant Tables|outline"></A>
22975.1.6Create the Grant Tables</H3>
2298<P CLASS="western" ALIGN=LEFT>The <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">scripts</SPAN></FONT>
2299directory contains the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">mysql_install_db</SPAN></FONT>
2300script used to initialize the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">mysql</SPAN></FONT>
2301database containing the grant tables that store the server access
2302permissions.  If you have not installed MySQL before, you must create
2303the MySQL grant tables:</P>
2304<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2305        <COL WIDTH=605>
2306        <TR>
2307                <TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
2308                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><BR>$
2309                        scripts/mysql_install_db --user=mysql</FONT></P>
2310                </TD>
2311        </TR>
2312</TABLE>
2313<P CLASS="western" ALIGN=LEFT><BR><BR>
2314</P>
<P CLASS="western" ALIGN=LEFT>If you run the command as <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">root</SPAN></FONT>,
you must use the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">--user</SPAN></FONT>
option as shown. The value of the option should be the name of the
login account that you created in section 5.1.3 to use for running
the server (the server must not run as <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">root</SPAN></FONT>).
If you run the command while logged in as that user, you
can omit the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">--user</SPAN></FONT>
option.  After creating or updating the grant
tables, you need to restart the server manually.</P>
2322<H3 CLASS="western"><A NAME="5.1.7.File and Directory Permissions|outline"></A>
23235.1.7File and Directory Permissions</H3>
<P CLASS="western" ALIGN=LEFT>Change the ownership of program
binaries to <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">root</SPAN></FONT>
and ownership of the data directory to <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">mysql</SPAN></FONT>.
   Assuming that you are located in the installation directory
(<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/usr/local/mysql</SPAN></FONT>),
the commands look like this.  As the data directory will hold the
Credential Repository, also remove access to it for other users
(e.g. <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">chmod 700 data</SPAN></FONT>):</P>
2330<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2331        <COL WIDTH=605>
2332        <TR>
2333                <TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
2334                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><BR>$
2335                        chown -R root  .<BR>$ chown -R mysql data<BR>$ chgrp -R mysql .</FONT></P>
2336                </TD>
2337        </TR>
2338</TABLE>
2339<P CLASS="western" ALIGN=LEFT><BR><BR>
2340</P>
2341<P CLASS="western" ALIGN=LEFT>The first command changes the owner
2342attribute of the files to the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">root</SPAN></FONT>
2343user. The second changes the owner attribute of the data directory to
2344the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">mysql</SPAN></FONT>
2345user. The third changes the group attribute to the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">mysql</SPAN></FONT>
2346group.</P>
2347<H3 CLASS="western"><A NAME="5.1.8.Starting the Server|outline"></A>5.1.8Starting
2348the Server</H3>
2349<P CLASS="western" ALIGN=LEFT>If you want MySQL to start
2350automatically when you boot your machine, you can copy
2351<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">support-files/mysql.server</SPAN></FONT>
2352to the location where your system has its startup files. More
2353information can be found in the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">support-files/mysql.server</SPAN></FONT>
2354script itself.</P>
2355<P CLASS="western" ALIGN=LEFT>To start the MySQL server, use the
2356following command:</P>
2357<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2358        <COL WIDTH=605>
2359        <TR>
2360                <TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
2361                        <P><BR><BR>
2362                        </P>
2363                        <P LANG="nb-NO"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
2364                        bin/mysqld_safe --user=mysql &amp;</FONT></P>
2365                </TD>
2366        </TR>
2367</TABLE>
2368<P LANG="nb-NO" CLASS="western" ALIGN=LEFT><BR><BR>
2369</P>
2370<P CLASS="western" ALIGN=LEFT>If that command fails immediately and
2371prints <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">mysqld
2372ended</SPAN></FONT>, you can find some information in the
2373&lt;hostname&gt;<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">.err</SPAN></FONT>
2374file in the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">data</SPAN></FONT>
2375directory.</P>
2376<H3 CLASS="western"><A NAME="_Ref133893123"></A><A NAME="5.1.9.Securing MySQL Accounts|outline"></A>
23775.1.9Securing MySQL Accounts</H3>
<P CLASS="western" ALIGN=JUSTIFY>Do this before the server is reachable
from any other host.  First delete the anonymous accounts created by
<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">mysql_install_db</SPAN></FONT>,
which permit connections without a password (the
<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">mysql -u root</SPAN></FONT>
login below itself works without a password only until the root
password is set in the next step):</P>
2379<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2380        <COL WIDTH=605>
2381        <TR>
2382                <TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
2383                        <P STYLE="margin-bottom: 0cm"><BR>
2384                        </P>
2385                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
2386                        mysql -u root</FONT></P>
2387                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">mysql&gt;
2388                        DELETE FROM mysql.user WHERE User = '';</FONT></P>
2389                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">mysql&gt;
2390                        FLUSH PRIVILEGES;</FONT></P>
2391                        <P><BR>
2392                        </P>
2393                </TD>
2394        </TR>
2395</TABLE>
2396<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
2397</P>
<P CLASS="western" ALIGN=JUSTIFY>Set a strong password for the root
account, replacing <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">newpwd</SPAN></FONT>
below.  There is a separate <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">root</SPAN></FONT>
entry for each host it may connect from, and each of them must be
set:</P>
2400<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2401        <COL WIDTH=605>
2402        <TR>
2403                <TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
2404                        <P STYLE="margin-bottom: 0cm"><BR>
2405                        </P>
2406                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">mysql&gt;
2407                        SET PASSWORD FOR 'root'@'localhost' = PASSWORD('newpwd');</FONT></P>
2408                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">mysql&gt;
2409                        SET PASSWORD FOR 'root'@'<I>hostname</I>' = PASSWORD('newpwd');</FONT></P>
2410                        <P><BR>
2411                        </P>
2412                </TD>
2413        </TR>
2414</TABLE>
2415<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
2416</P>
2417<P CLASS="western" ALIGN=JUSTIFY>The hostname can be checked using
2418the query:</P>
2419<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2420        <COL WIDTH=605>
2421        <TR>
2422                <TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
2423                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><BR>mysql&gt;
2424                        SELECT Host, User FROM mysql.user;</FONT></P>
2425                </TD>
2426        </TR>
2427</TABLE>
2428<P CLASS="western" ALIGN=LEFT><BR><BR>
2429</P>
<P CLASS="western" ALIGN=LEFT>Add a new account for use with the
Credential Repository database, replacing <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">password</SPAN></FONT>
with a strong value of your own, e.g.</P>
2432<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2433        <COL WIDTH=605>
2434        <TR>
2435                <TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
2436                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><BR>mysql&gt;
2437                        GRANT SELECT, UPDATE, INSERT, DELETE ON ndgCredRepos.* TO
2438                        'ndgUser'@'localhost' IDENTIFIED BY 'password' WITH GRANT OPTION;</FONT></P>
2439                </TD>
2440        </TR>
2441</TABLE>
<P CLASS="western" ALIGN=LEFT><BR>The above statement grants the
user, <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndgUser</SPAN></FONT>
with password, <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">password</SPAN></FONT>,
<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">select</SPAN></FONT>,
<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">update</SPAN></FONT>,
<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">insert</SPAN></FONT>
and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">delete</SPAN></FONT>
privileges on the tables of database <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndgCredRepos</SPAN></FONT>.
 The account does not need, and the statement should not include,
<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">WITH GRANT OPTION</SPAN></FONT>,
which would let it pass its privileges on to other accounts.
 The user may only connect from the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">localhost</SPAN></FONT>.
 Hence, in this case the Session Manager and Credential Repository
must be installed on the same machine.  To allow the Credential
Repository to run on a separate machine to the Session Manager, the
account must have permission to connect remotely.  This can be
achieved by altering the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">GRANT</SPAN></FONT>
statement above as shown below.  Note that <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">'%'</SPAN></FONT>
permits connections from <I>any</I> host: prefer the specific host
name or address of the Session Manager machine.  Since the
credentials held in the repository then travel over the network,
protect that connection (e.g. with MySQL's SSL support or a private
network segment) and keep the MySQL port closed to all but the
Session Manager host in your firewall:</P>
2456<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2457        <COL WIDTH=605>
2458        <TR>
2459                <TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
2460                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><BR>mysql&gt;
2461                        GRANT SELECT, UPDATE, INSERT, DELETE ON ndgCredRepos.* TO
2462                        'ndgUser'@’%’ IDENTIFIED BY 'password' WITH GRANT OPTION;</FONT></P>
2463                </TD>
2464        </TR>
2465</TABLE>
2466<P CLASS="western" ALIGN=LEFT><BR><BR>
2467</P>
2468<P CLASS="western" ALIGN=LEFT>You also can set up new accounts using
2469the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">bin/mysql_setpermission</SPAN></FONT>
2470script if you install the `DBI' and `DBD::mysql' Perl modules.</P>
2471<P CLASS="western" ALIGN=LEFT>See section 4.3.1 for details about
2472creation of the Credential Repository database.</P>
2473<H3 CLASS="western"><A NAME="5.1.10.Server Automated Start up|outline"></A>
24745.1.10Server Automated Start up</H3>
2475<P CLASS="western" ALIGN=JUSTIFY>&lt;todo: &gt;</P>
2476<P CLASS="western" ALIGN=LEFT><BR><BR>
2477</P>
2478<H2 CLASS="western"><A NAME="5.2.HTTPS set-up with Apache Web Server|outline"></A>
24795.2HTTPS set-up with Apache Web Server</H2>
2480<P CLASS="western" ALIGN=JUSTIFY>NDG security requires HTTPS for the
2481transfer of user credentials across cookie domains between a data
2482provider web page requesting user credentials and a user’s NDG home
2483login page.</P>
2484<P CLASS="western" ALIGN=JUSTIFY>&lt;todo: full explanation - incl.
2485mod_ssl must be installed&gt;</P>
2486<H3 CLASS="western"><A NAME="5.2.1.Web Server Host Certificate Generation|outline"></A>
24875.2.1Web Server Host Certificate Generation</H3>
2488<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2489        <COL WIDTH=605>
2490        <TR>
2491                <TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
2492                        <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
2493                        </P>
2494                        <P STYLE="margin-bottom: 0cm"><A NAME="OLE_LINK1"></A><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
2495                        grid-cert-request -prefix <I>&lt;hostname&gt;</I> -dir . -cn
2496                        <I>&lt;hostname&gt;</I> -nopw </FONT>
2497                        </P>
2498                        <P><BR>
2499                        </P>
2500                </TD>
2501        </TR>
2502</TABLE>
2503<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
2504</P>
2505<H3 CLASS="western"><A NAME="5.2.2.Apache Configuration File Settings|outline"></A>
25065.2.2Apache Configuration File Settings</H3>
2507<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
2508</P>
2509<H2 CLASS="western"><A NAME="_Ref132181551"></A><A NAME="5.3.Apache Web Server Proxy Settings Configuration for Web Services|outline"></A>
25105.3Apache Web Server Proxy Settings Configuration for Web Services</H2>
<P CLASS="western" ALIGN=JUSTIFY>Apache provides a convenient
mechanism to re-route web service ports through the web server's own
port (80, or 443 for HTTPS) and so make them available to the outside
world.   This may be helpful when deploying NDG Security if you do
not wish to open additional ports in your site firewall settings.</P>
2516<P CLASS="western" ALIGN=JUSTIFY>Edit the Apache configuration file.
2517This should be located at <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/etc/httpd/conf</SPAN></FONT></P>
<P CLASS="western" ALIGN=JUSTIFY>Add <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ProxyPass</SPAN></FONT>
and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ProxyPassReverse</SPAN></FONT>
entries for the Session Manager and Attribute Authority web services.
  The first argument after the directive name itself is the path
that the service will be served from relative to the web server URL.
So below, if the URL of the web server is <FONT COLOR="#0000ff"><U><A HREF="http://www.badc.rl.ac.uk/">http://www.badc.rl.ac.uk</A></U></FONT>,
then the Session Manager would be available at
<FONT COLOR="#0000ff"><U><A HREF="https://www.badc.rl.ac.uk/sessionMgr">https://www.badc.rl.ac.uk/sessionMgr</A></U></FONT>.
 The second argument is the actual location where the web service is
running locally.  In the example below, the Session Manager is
running on port 5700 on the same machine as the web server.  Because
the Session Manager handles user credentials (see section 5.2), place
its entries in the HTTPS virtual host rather than the plain port 80
one, so that clients can only reach it over
<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">https://</SPAN></FONT>.
Proxying to an <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">https://</SPAN></FONT>
back end as shown also requires
<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">SSLProxyEngine On</SPAN></FONT>
(mod_ssl) in the same virtual host.</P>
2529<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2530        <COL WIDTH=605>
2531        <TR>
2532                <TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
2533                        <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
2534                        </P>
2535                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#
2536                        Session Manager and Attribute Authority settings</FONT></P>
2537                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">ProxyPass
2538                               /sessionMgr    https://localhost:5700/</FONT></P>
2539                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">ProxyPassReverse
2540                        /sessionMgr    https://localhost:5700/</FONT></P>
2541                        <P STYLE="margin-bottom: 0cm"><BR>
2542                        </P>
2543                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">ProxyPass
2544                               /attAuthority  http://localhost:5000/</FONT></P>
2545                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">ProxyPassReverse
2546                        /attAuthority  http://localhost:5000/</FONT></P>
2547                        <P CLASS="western" ALIGN=LEFT><BR>
2548                        </P>
2549                </TD>
2550        </TR>
2551</TABLE>
2552<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
2553</P>
2554<P CLASS="western" ALIGN=JUSTIFY>Restart the Apache web server.  This
2555can be done in a variety of ways.  As root user:</P>
2556<OL>
2557        <LI><P CLASS="western" ALIGN=LEFT>On Redhat machines, using the
2558        command <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">redhat-config-services</SPAN></FONT>
2559        or <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">system-config-services</SPAN></FONT>
2560         In the GUI, click on httpd in the list and press the Restart button</P>
2561</OL>
2562<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2563        <COL WIDTH=605>
2564        <TR>
2565                <TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
2566                        <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
2567                        </P>
2568                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
2569                        redhat-config-services</FONT></P>
2570                        <P CLASS="western" ALIGN=LEFT><BR>
2571                        </P>
2572                </TD>
2573        </TR>
2574</TABLE>
2575<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
2576</P>
2577<OL START=2>
2578        <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">service
2579        </SPAN></FONT>command</P>
2580</OL>
2581<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2582        <COL WIDTH=605>
2583        <TR>
2584                <TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
2585                        <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
2586                        </P>
2587                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
2588                        /sbin/service httpd restart</FONT></P>
2589                        <P CLASS="western" ALIGN=LEFT><BR>
2590                        </P>
2591                </TD>
2592        </TR>
2593</TABLE>
2594<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
2595</P>
2596<OL START=3>
2597        <LI><P CLASS="western" ALIGN=JUSTIFY>apache command</P>
2598</OL>
2599<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2600        <COL WIDTH=605>
2601        <TR>
2602                <TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
2603                        <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
2604                        </P>
2605                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
2606                        apachectl restart</FONT></P>
2607                        <P CLASS="western" ALIGN=LEFT><BR>
2608                        </P>
2609                </TD>
2610        </TR>
2611</TABLE>
2612<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
2613</P>
2614<OL START=4>
2615        <LI><P CLASS="western" ALIGN=JUSTIFY>Using <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB"><FONT SIZE=2 STYLE="font-size: 9pt">kill</FONT></SPAN></FONT></P>
2616</OL>
2617<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2618        <COL WIDTH=605>
2619        <TR>
2620                <TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
2621                        <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
2622                        </P>
2623                        <P LANG="sv-SE" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
2624                        kill -HUP `cat /etc/httpd/run/httpd.pid`</FONT></P>
2625                        <P LANG="sv-SE" CLASS="western" ALIGN=LEFT><BR>
2626                        </P>
2627                </TD>
2628        </TR>
2629</TABLE>
2630<P LANG="sv-SE" CLASS="western" ALIGN=JUSTIFY STYLE="margin-left: 0.64cm">
2631<BR><BR>
2632</P>
2633<P CLASS="western" ALIGN=JUSTIFY>Note that in the last case the
2634location of the pid file depends on your installation.</P>
2635<P CLASS="western" ALIGN=JUSTIFY>Once the changes have been made,
2636ensure that <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">sessionMgr.wsdl</SPAN></FONT>
2637and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">attAuthority.wsdl</SPAN></FONT>
2638contain the new locations for the web services in the
2639<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">location</SPAN></FONT> attribute of the
2640<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">&lt;soap:address location=&quot;&quot;&gt;</SPAN></FONT> tag.
2641</P>
2642<H2 CLASS="western"><A NAME="5.4.An Example Attribute Authority AAUserRoles interface class|outline"></A>
26435.4 An Example Attribute Authority AAUserRoles interface class</H2>
2644<P CLASS="western" ALIGN=JUSTIFY>This interface is required in order
2645to link the Attribute Authority to the data centre’s system for
2646identifying registered users and managing their roles.  The
2647installation comes with a simple test class which illustrates this:</P>
2648<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2649        <COL WIDTH=610>
2650        <TR>
2651                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
2652                        <P STYLE="margin-bottom: 0cm"><BR>
2653                        </P>
2654                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&quot;&quot;&quot;NDG
2655                        Attribute Authority User Roles class - acts as an interface
2656                        between</FONT></P>
2657                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">the
2658                        data centre's user roles configuration and the Attribute Authority</FONT></P>
2659                        <P STYLE="margin-bottom: 0cm">                                   
2660                                                                   
2661                        </P>
2662                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">NERC
2663                        Data Grid Project</FONT></P>
2664                        <P STYLE="margin-bottom: 0cm">                                   
2665                                                                   
2666                        </P>
2667                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">P
2668                        J Kershaw 29/07/05</FONT></P>
2669                        <P STYLE="margin-bottom: 0cm">                                   
2670                                                                   
2671                        </P>
2672                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Copyright
2673                        (C) 2005 CCLRC &amp; NERC</FONT></P>
2674                        <P STYLE="margin-bottom: 0cm">                                   
2675                                                                   
2676                        </P>
2677                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">This
2678                        software may be distributed under the terms of the Q Public
2679                        License,</FONT></P>
2680                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">version
2681                        1.0 or later.</FONT></P>
2682                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&quot;&quot;&quot;</FONT></P>
2683                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">cvsID
2684                        = '$Id'</FONT></P>
2685                        <P STYLE="margin-bottom: 0cm"><BR>
2686                        </P>
2687                        <P STYLE="margin-bottom: 0cm"><BR>
2688                        </P>
2689                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">from
2690                        AttAuthority import AAUserRoles</FONT></P>
2691                        <P STYLE="margin-bottom: 0cm"><BR>
2692                        </P>
2693                        <P STYLE="margin-bottom: 0cm"><BR>
2694                        </P>
2695                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">class
2696                        TestUserRoles(AAUserRoles):</FONT></P>
2697                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&quot;&quot;&quot;Test
2698                        User Roles class dynamic import for Attribute Authority&quot;&quot;&quot;</FONT></P>
2699                        <P STYLE="margin-bottom: 0cm"><BR>
2700                        </P>
2701                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">def
2702                        __init__(self, propertiesFilePath=None):</FONT></P>
2703                        <P STYLE="margin-bottom: 0cm">        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="nb-NO">pass</SPAN></FONT></P>
2704                        <P LANG="nb-NO" STYLE="margin-bottom: 0cm"><BR>
2705                        </P>
2706                        <P LANG="nb-NO" STYLE="margin-bottom: 0cm"><BR>
2707                        </P>
2708                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="nb-NO">def
2709                        userIsRegistered(self, dn):</SPAN></FONT></P>
2710                        <P STYLE="margin-bottom: 0cm">        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">return
2711                        True</FONT></P>
2712                        <P STYLE="margin-bottom: 0cm"><BR>
2713                        </P>
2714                        <P STYLE="margin-bottom: 0cm"><BR>
2715                        </P>
2716                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">def
2717                        getRoles(self, dn):</FONT></P>
2718                        <P>        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">return
2719                        ['staff', 'postdoc', 'undergrad'] </FONT>
2720                        </P>
2721                        <P><BR>
2722                        </P>
2723                </TD>
2724        </TR>
2725</TABLE>
2726<P STYLE="margin-bottom: 0cm"><BR>
2727</P>
2728<P CLASS="western" ALIGN=JUSTIFY>The class must inherit from the
2729<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">AAUserRoles</SPAN></FONT>
2730interface class.  It must override the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">userIsRegistered</SPAN></FONT>
2731and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">getRoles</SPAN></FONT>
2732methods:</P>
2733<UL>
2734        <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">userIsRegistered()</SPAN></FONT>
2735        – returns True if the user with the given input Distinguished Name
2736        is registered at the site.  For example, this method might run an SQL
2737        query against the site’s user database.  This method is <I>optional</I>.</P>
2738        <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">getRoles()</SPAN></FONT>
2739        – returns a list of the roles in which the user with the given input
2740        Distinguished Name is enrolled.  Again, this method could be
2741        implemented with an SQL query to retrieve the roles for a given user; if so, pass the value derived from the Distinguished Name as a bound query parameter, as the BODC example below does with
2742        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">self.__cursor.execute(query, emailAddr)</SPAN></FONT>, rather than building the SQL string from it.  Note that if no roles are found, the method should return
2743        [].</P>
2744        <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">__init__()</SPAN></FONT>
2745        – optionally, the initialisation method may be overridden to
2746        allow, for example, a database connection to be set up.  The
2747        path to a properties file may be passed in.  This could contain
2748        database connection settings, so restrict its file permissions accordingly.</P>
2749</UL>
2750<P CLASS="western" ALIGN=JUSTIFY>The custom class used by the BODC is
2751a more detailed example:</P>
2752<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2753        <COL WIDTH=610>
2754        <TR>
2755                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
2756                        <P STYLE="margin-bottom: 0cm"><BR>
2757                        </P>
2758                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&quot;&quot;&quot;NDG
2759                        Attribute Authority User Roles class for the BODC - acts as an
2760                        interface</FONT></P>
2761                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">between
2762                        BODC user database and the Attribute Authority</FONT></P>
2763                        <P STYLE="margin-bottom: 0cm"><BR>
2764                        </P>
2765                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">NERC
2766                        Data Grid Project</FONT></P>
2767                        <P STYLE="margin-bottom: 0cm"><BR>
2768                        </P>
2769                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">P
2770                        J Kershaw 09/09/05</FONT></P>
2771                        <P STYLE="margin-bottom: 0cm"><BR>
2772                        </P>
2773                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Copyright
2774                        (C) 2005 CCLRC &amp; NERC</FONT></P>
2775                        <P STYLE="margin-bottom: 0cm"><BR>
2776                        </P>
2777                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">This
2778                        software may be distributed under the terms of the Q Public
2779                        License,</FONT></P>
2780                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">version
2781                        1.0 or later.</FONT></P>
2782                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&quot;&quot;&quot;</FONT></P>
2783                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">from
2784                        DCOracle2 import *</FONT></P>
2785                        <P STYLE="margin-bottom: 0cm"><BR>
2786                        </P>
2787                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#
2788                        For parsing of properties file</FONT></P>
2789                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">import
2790                        cElementTree as ElementTree</FONT></P>
2791                        <P STYLE="margin-bottom: 0cm"><BR>
2792                        </P>
2793                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">from
2794                        NDG.X509 import *</FONT></P>
2795                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">from
2796                        NDG.AttAuthority import AAUserRoles</FONT></P>
2797                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">from
2798                        NDG.AttAuthority import AAUserRolesError</FONT></P>
2799                        <P STYLE="margin-bottom: 0cm"><BR>
2800                        </P>
2801                        <P STYLE="margin-bottom: 0cm"><BR>
2802                        </P>
2803                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">class
2804                        BODCUserRoles(AAUserRoles):</FONT></P>
2805                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&quot;&quot;&quot;User
2806                        Roles class dynamic import for BODC Attribute Authority&quot;&quot;&quot;</FONT></P>
2807                        <P STYLE="margin-bottom: 0cm"><BR>
2808                        </P>
2809                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#
2810                        valid configuration property keywords</FONT></P>
2811                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">__validKeys
2812                        = [ 'userName', 'dbAddr']</FONT></P>
2813                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">         
2814                           </FONT>
2815                        </P>
2816                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">         
2817                           </FONT>
2818                        </P>
2819                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">def
2820                        __init__(self, propFilePath=None):</FONT></P>
2821                        <P STYLE="margin-bottom: 0cm">   
2822                        </P>
2823                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">     self.__db
2824                        = None</FONT></P>
2825                        <P STYLE="margin-bottom: 0cm"><BR>
2826                        </P>
2827                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"> if
2828                        propFilePath:</FONT></P>
2829                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"> 
2830                           prop = self.readProperties(propFilePath)</FONT></P>
2831                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"> 
2832                           self.connect(prop['userName'], prop['dbAddr'])</FONT></P>
2833                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"> </FONT></P>
2834                        <P STYLE="margin-bottom: 0cm"><BR>
2835                        </P>
2836                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">def
2837                        readProperties(self, propFilePath):</FONT></P>
2838                        <P STYLE="margin-bottom: 0cm"><BR>
2839                        </P>
2840                        <P STYLE="margin-bottom: 0cm">        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&quot;&quot;&quot;Read
2841                        the configuration properties for the Attribute Authority</FONT></P>
2842                        <P STYLE="margin-bottom: 0cm"><BR>
2843                        </P>
2844                        <P STYLE="margin-bottom: 0cm">        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">propFilePath:
2845                        file path to properties file</FONT></P>
2846                        <P STYLE="margin-bottom: 0cm">        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&quot;&quot;&quot;</FONT></P>
2847                        <P STYLE="margin-bottom: 0cm">       
2848                        </P>
2849                        <P STYLE="margin-bottom: 0cm">        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">try:</FONT></P>
2850                        <P STYLE="margin-bottom: 0cm">            <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">tree
2851                        = ElementTree.parse(propFilePath)</FONT></P>
2852                        <P STYLE="margin-bottom: 0cm">           
2853                        </P>
2854                        <P STYLE="margin-bottom: 0cm">        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">except
2855                        IOError, ioErr:</FONT></P>
2856                        <P STYLE="margin-bottom: 0cm">            <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">raise
2857                        AAUserRolesError(\</FONT></P>
2858                        <P STYLE="margin-bottom: 0cm">                            <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&quot;Error
2859                        parsing properties file \&quot;%s\&quot;: %s&quot; % \</FONT></P>
2860                        <P STYLE="margin-bottom: 0cm">                           
2861                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">(ioErr.filename,
2862                        ioErr.strerror))</FONT></P>
2863                        <P STYLE="margin-bottom: 0cm"><BR>
2864                        </P>
2865                        <P STYLE="margin-bottom: 0cm">       
2866                        </P>
2867                        <P STYLE="margin-bottom: 0cm">        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">prop
2868                        = tree.getroot()</FONT></P>
2869                        <P STYLE="margin-bottom: 0cm"><BR>
2870                        </P>
2871                        <P STYLE="margin-bottom: 0cm">        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#
2872                        Copy properties from file as member variables</FONT></P>
2873                        <P STYLE="margin-bottom: 0cm">        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">userRolesProp
2874                        = \</FONT></P>
2875                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">         dict([(elem.tag,
2876                        elem.text.strip()) for elem in prop])</FONT></P>
2877                        <P STYLE="margin-bottom: 0cm"><BR>
2878                        </P>
2879                        <P STYLE="margin-bottom: 0cm"><BR>
2880                        </P>
2881                        <P STYLE="margin-bottom: 0cm">        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#
2882                        Check for missing properties</FONT></P>
2883                        <P STYLE="margin-bottom: 0cm">        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">propKeys
2884                        = userRolesProp.keys()</FONT></P>
2885                        <P STYLE="margin-bottom: 0cm">        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">missingKeys
2886                        = [key for key in BODCUserRoles.__validKeys \</FONT></P>
2887                        <P STYLE="margin-bottom: 0cm">                       <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">if
2888                        key not in propKeys]</FONT></P>
2889                        <P STYLE="margin-bottom: 0cm">        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">if
2890                        missingKeys != []:</FONT></P>
2891                        <P STYLE="margin-bottom: 0cm">            <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">raise
2892                        AAUserRolesError(&quot;The following properties are &quot; + \</FONT></P>
2893                        <P STYLE="margin-bottom: 0cm">                                   
2894                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&quot;missing
2895                        from the properties file: &quot; + \</FONT></P>
2896                        <P STYLE="margin-bottom: 0cm">                                   
2897                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">',
2898                        '.join(missingKeys))</FONT></P>
2899                        <P STYLE="margin-bottom: 0cm"><BR>
2900                        </P>
2901                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"> return
2902                        userRolesProp</FONT></P>
2903                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"> </FONT></P>
2904                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"> </FONT></P>
2905                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"> </FONT></P>
2906                        <P STYLE="margin-bottom: 0cm"><BR>
2907                        </P>
2908                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">def
2909                        connect(self, </FONT>
2910                        </P>
2911                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">         userName,</FONT></P>
2912                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">         dbAddr,
2913                        </FONT>
2914                        </P>
2915                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">         passPhrase=None,</FONT></P>
2916                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">         prompt=None):</FONT></P>
2917                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">     &quot;&quot;&quot;Connect
2918                        to database</FONT></P>
2919                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"> </FONT></P>
2920                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"> If
2921                        no passphrase is given prompt from stdin&quot;&quot;&quot;</FONT></P>
2922                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"> </FONT></P>
2923                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"> </FONT></P>
2924                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"> if
2925                        not passPhrase:</FONT></P>
2926                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"> 
2927                           if not prompt:</FONT></P>
2928                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"> 
2929                                prompt = &quot;Database Passphrase: &quot;</FONT></P>
2930                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">         </FONT></P>
2931                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"> 
2932                           import getpass</FONT></P>
2933                        <P STYLE="margin-bottom: 0cm">            <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">passPhrase
2934                        = getpass.getpass(prompt=prompt)</FONT></P>
2935                        <P STYLE="margin-bottom: 0cm"><BR>
2936                        </P>
2937                        <P STYLE="margin-bottom: 0cm"><BR>
2938                        </P>
2939                        <P STYLE="margin-bottom: 0cm">        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">try:</FONT></P>
2940                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"> 
2941                           self.__db = connect(&quot;%s/%s@%s&quot; % (userName,
2942                        passPhrase, dbAddr))</FONT></P>
2943                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"> 
2944                           self.__cursor = self.__db.cursor()</FONT></P>
2945                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"> 
2946                           </FONT>
2947                        </P>
2948                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"> except
2949                        Exception, e:</FONT></P>
2950                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"> 
2951                           raise AAUserRolesError(\</FONT></P>
2952                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"> 
2953                                &quot;Error connecting to database \&quot;%s\&quot;: %s&quot;
2954                        % (dbAddr, e))</FONT></P>
2955                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">         </FONT></P>
2956                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"> </FONT></P>
2957                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">def
2958                        userIsRegistered(self, dn):</FONT></P>
2959                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">     &quot;&quot;&quot;Check
2960                        user with given Distinguished Name is registered with </FONT>
2961                        </P>
2962                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"> BODC
2963                        database&quot;&quot;&quot;</FONT></P>
2964                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"> </FONT></P>
2965                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">     try:</FONT></P>
2966                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"> 
2967                           emailAddr = X500DN(dn)['CN']</FONT></P>
2968                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"> 
2969                           query = &quot;&lt;BODC Database query&gt;&quot;</FONT></P>
2970                        <P STYLE="margin-bottom: 0cm">           
2971                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">self.__cursor.execute(query,
2972                        emailAddr)</FONT></P>
2973                        <P STYLE="margin-bottom: 0cm"><BR>
2974                        </P>
2975                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"> 
2976                           if self.__cursor.fetchall():</FONT></P>
2977                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"> 
2978                                return True</FONT></P>
2979                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"> 
2980                           else:</FONT></P>
2981                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"> 
2982                               return False</FONT></P>
2983                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">         </FONT></P>
2984                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"> except
2985                        Exception, e:</FONT></P>
2986                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"> 
2987                           raise AAUserRolesError(\</FONT></P>
2988                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"> 
2989                                &quot;Error checking user \&quot;%s\&quot; is registered: %s&quot;
2990                        % (dn, e))</FONT></P>
2991                        <P STYLE="margin-bottom: 0cm"><BR>
2992                        </P>
2993                        <P STYLE="margin-bottom: 0cm"><BR>
2994                        </P>
2995                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">def
2996                        getRoles(self, dn):</FONT></P>
2997                        <P STYLE="margin-bottom: 0cm">        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&quot;&quot;&quot;Retrieve
2998                        roles from user with given Distinguished Name&quot;&quot;&quot;</FONT></P>
2999                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"> try:</FONT></P>
3000                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"> 
3001                           emailAddr = X500DN(dn)['CN']</FONT></P>
3002                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"> 
3003                           query = &quot;&lt;BODC Database query&gt;&quot;</FONT></P>
3004                        <P STYLE="margin-bottom: 0cm">           
3005                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">self.__cursor.execute(query,
3006                        emailAddr)</FONT></P>
3007                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"> 
3008                           roles = self.__cursor.fetchall()</FONT></P>
3009                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"> 
3010                           return [i[0] for i in roles]</FONT></P>
3011                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"> 
3012                           </FONT>
3013                        </P>
3014                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"> <SPAN LANG="fr-FR">except
3015                        Exception, e:</SPAN></FONT></P>
3016                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">   
3017                           raise AAUserRolesError(\</FONT></P>
3018                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="fr-FR">     
3019                           </SPAN>&quot;Error getting roles for user \&quot;%s\&quot;: %s&quot;
3020                        % (dn, e))</FONT></P>
3021                        <P><BR>
3022                        </P>
3023                </TD>
3024        </TR>
3025</TABLE>
3026<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
3027</P>
3028<P CLASS="western" ALIGN=JUSTIFY>Note:</P>
3029<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
3030</P>
3031<UL>
3032        <LI><P CLASS="western" ALIGN=JUSTIFY>It uses the Python library
3033        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">DCOracle2</SPAN></FONT>
3034        to connect to an Oracle database.</P>
3035        <LI><P CLASS="western" ALIGN=JUSTIFY>The <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ElementTree</SPAN></FONT>
3036        Python library is used to parse an XML properties file.</P>
3037</UL>
3038<P CLASS="western" ALIGN=JUSTIFY>The <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">NDG.X509</SPAN></FONT>
3039security Python library is used to parse the user Distinguished Name
3040passed into the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">getRoles</SPAN></FONT>
3041and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">userIsRegistered</SPAN></FONT>
3042methods.  In <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">getRoles</SPAN></FONT> the CN component of the parsed DN is passed to the database cursor as a bound query parameter rather than being interpolated into the query string.</P>
3043<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
3044</P>
3045<H2 CLASS="western"><A NAME="5.5.Troubleshooting|outline"></A>5.5 Troubleshooting</H2>
3046<H3 CLASS="western"><A NAME="5.5.1.M2Crypto SWIG Build Error|outline"></A>
30475.5.1 M2Crypto SWIG Build Error</H3>
3048<P CLASS="western" ALIGN=JUSTIFY>M2Crypto uses SWIG to bind C OpenSSL
3049library code to the Python interface.  Compilation errors with the SWIG
3050<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">.i</SPAN></FONT>
3051interface files in the M2Crypto tar bundle can be caused by using an earlier
3052version of SWIG.  This has been seen with the default swig on Redhat
3053EL4, which comes with swig version 1.1.  To check the SWIG version
3054number, type:</P>
3055<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
3056        <COL WIDTH=610>
3057        <TR>
3058                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
3059                        <P STYLE="margin-bottom: 0cm"><BR>
3060                        </P>
3061                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ swig
3062                        -version</FONT></P>
3063                        <P><BR>
3064                        </P>
3065                </TD>
3066        </TR>
3067</TABLE>
3068<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
3069</P>
3070<P CLASS="western" ALIGN=JUSTIFY>To fix this, update to a version &gt; 1.1
3071and re-run the installation script.  SWIG is available from
3072<FONT COLOR="#0000ff"><U><A HREF="http://www.swig.org/">http://www.swig.org/</A></U></FONT></P>
3073<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
3074</P>
3075<H3 CLASS="western"><A NAME="5.5.2.PyXML|outline"></A>5.5.2 PyXML</H3>
3076<P CLASS="western" ALIGN=JUSTIFY>If the installation fails with &quot;error: Could not find suitable
3077distribution for Requirement.parse('PyXML&gt;=0.8.3')&quot;, install PyXML explicitly:</P>
3078<P CLASS="western" ALIGN=JUSTIFY>$ easy_install -f
3079<FONT COLOR="#0000ff"><U><A HREF="http://sourceforge.net/project/showfiles.php?group_id=6473">http://sourceforge.net/project/showfiles.php?group_id=6473</A></U></FONT>
3080PyXML</P>
3081<P CLASS="western" ALIGN=JUSTIFY>or pass the -f option to
3082ndg-security-install.py</P>
3083<H3 CLASS="western"><A NAME="5.5.3.4Suite-XML Build error|outline"></A>
30845.5.3 4Suite-XML Build error</H3>
3085<P CLASS="western" ALIGN=JUSTIFY>The build may fail with: Ft/Xml/src/expat/lib/xmlparse.c:89:2:
3086#error memmove does not exist on this platform, nor is a substitute
3087available</P>
3088<P CLASS="western" ALIGN=JUSTIFY>This was seen with 4Suite-XML 1.0.2 on the following system:</P>
3089<P CLASS="western" ALIGN=JUSTIFY>$ cat /proc/version</P>
3090<P CLASS="western" ALIGN=JUSTIFY>Linux version 2.4.21-32.0.1.ELsmp
3091(bhcompile@bugs.build.redhat.com) (gcc version</P>
3092<P CLASS="western" ALIGN=JUSTIFY> 3.2.3 20030502 (Red Hat Linux
30933.2.3-52)) #1 SMP Tue May 17 17:52:23 EDT 2005</P>
3094<P CLASS="western" ALIGN=JUSTIFY>$ uname -a
3095</P>
3096<P CLASS="western" ALIGN=JUSTIFY>Linux glue.badc.rl.ac.uk
30972.4.21-32.0.1.ELsmp #1 SMP Tue May 17 17:52:23 EDT 2005 i686 i686
3098i386 GNU/Linux</P>
3099<P CLASS="western" ALIGN=JUSTIFY>Solution:</P>
3100<P CLASS="western" ALIGN=JUSTIFY>$ echo -e
3101&quot;[build_ext]\ndefine=HAVE_MEMMOVE&quot; &gt; ~/.pydistutils.cfg</P>
3102<P CLASS="western" ALIGN=JUSTIFY>$ easy_install 4Suite-XML</P>
3103<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
3104</P>
3105</BODY>
3106</HTML>