source: TI12-security/trunk/documentation/InstallationGuide/html/NDGSecurityInstallationGuide.html @ 2942

Subversion URL: http://proj.badc.rl.ac.uk/svn/ndg/TI12-security/trunk/documentation/InstallationGuide/html/NDGSecurityInstallationGuide.html@2942
Revision 2942, 203.9 KB checked in by pjkersha, 12 years ago (diff)

ndg.security.server/setup.py: added init-credrepos-db to list of scripts

ndg.security.server/ndg/security/server/share/ndg-*: simplified and switched to base on NDGSEC_DIR env var and .tac files in conf/

ndg.security.server/ndg/security/server/share/Makefile: this uses ndg-aa as a template for the other scripts

ndg.security.server/ndg/security/server/conf/sessionMgrProperties.xml,
ndg.security.server/ndg/security/server/conf/attAuthorityProperties.xml: more comments added

ndg.security.server/ndg/security/server/initCredReposDb.py: moved from bin/ and added main function to make compatible for setuptools console-script

1<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
2<HTML>
3<HEAD>
4        <META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=utf-8">
5        <TITLE>NDG Security Installation Guide</TITLE>
6        <META NAME="GENERATOR" CONTENT="OpenOffice.org 2.0  (Linux)">
7        <META NAME="AUTHOR" CONTENT="P J Kershaw">
8        <META NAME="CREATED" CONTENT="20071010;9350000">
9        <META NAME="CHANGED" CONTENT="20071010;15023700">
10        <STYLE TYPE="text/css">
11        <!--
12                @page { size: 21cm 29.7cm; margin-right: 2.29cm; margin-top: 1.27cm; margin-bottom: 1.27cm }
13                @page:first { margin-top: 1.27cm; margin-bottom: 2.54cm }
14                P { margin-bottom: 0.42cm; direction: ltr; color: #000000; text-align: left; widows: 2; orphans: 2 }
15                P.western { font-family: "Helvetica", sans-serif; font-size: 10pt; so-language: en-GB }
16                P.cjk { font-family: "Times New Roman", "Times", serif; font-size: 10pt }
17                P.ctl { font-family: "Times New Roman", "Times", serif; font-size: 10pt; so-language: ar-SA }
18                H1 { margin-bottom: 0.42cm; direction: ltr; color: #000000; text-align: justify; widows: 2; orphans: 2; page-break-before: always }
19                H1.western { font-family: "Helvetica", sans-serif; font-size: 10pt; so-language: en-GB }
20                H1.cjk { font-family: "Times New Roman", "Times", serif; font-size: 10pt }
21                H1.ctl { font-family: "Times New Roman", "Times", serif; font-size: 10pt; so-language: ar-SA; font-weight: medium }
22                H2 { margin-left: 0.1cm; margin-top: 0cm; margin-bottom: 0.42cm; direction: ltr; color: #000000; text-align: left; widows: 2; orphans: 2 }
23                H2.western { font-family: "Helvetica", sans-serif; font-size: 10pt; so-language: en-GB }
24                H2.cjk { font-family: "Times New Roman", "Times", serif; font-size: 10pt }
25                H2.ctl { font-family: "Times New Roman", "Times", serif; font-size: 10pt; so-language: ar-SA; font-weight: medium }
26                H3 { margin-top: 0cm; margin-bottom: 0.42cm; direction: ltr; color: #000000; text-align: justify; widows: 2; orphans: 2 }
27                H3.western { font-family: "Helvetica", sans-serif; font-size: 10pt; so-language: en-GB; font-style: italic }
28                H3.cjk { font-family: "Times New Roman", "Times", serif; font-size: 10pt; font-style: italic }
29                H3.ctl { font-family: "Times New Roman", "Times", serif; font-size: 10pt; so-language: ar-SA; font-weight: medium }
30                H4 { margin-top: 0cm; margin-bottom: 0.42cm; direction: ltr; color: #000000; text-align: justify; widows: 2; orphans: 2 }
31                H4.western { font-family: "Helvetica", sans-serif; font-size: 10pt; so-language: en-GB; font-style: italic; font-weight: medium }
32                H4.cjk { font-family: "Times New Roman", "Times", serif; font-size: 10pt; font-style: italic; font-weight: medium }
33                H4.ctl { font-family: "Times New Roman", "Times", serif; font-size: 10pt; so-language: ar-SA; font-weight: medium }
34                A:link { color: #0000ff }
35                A:visited { color: #800080 }
36        -->
37        </STYLE>
38</HEAD>
39<BODY LANG="en-GB" TEXT="#000000" LINK="#0000ff" VLINK="#800080" DIR="LTR">
40<DIV TYPE=HEADER>
41        <P ALIGN=JUSTIFY STYLE="margin-bottom: 1.17cm"><BR><BR>
42        </P>
43</DIV>
44<P ALIGN=LEFT><BR><BR>
45</P>
46<P ALIGN=LEFT><A NAME="_Ref179772410"></A><BR><BR>
47</P>
48<P ALIGN=LEFT><SPAN ID="Frame1" DIR="LTR" STYLE="float: left; width: 12.96cm; height: 4.77cm; border: none; padding: 0cm; background: #ffffff">
49        <P ALIGN=RIGHT><FONT SIZE=6 STYLE="font-size: 28pt"><B>NERC Data
50        Grid Security</B></FONT></P>
51        <P ALIGN=RIGHT><FONT SIZE=6><B>Installation Guide</B></FONT></P>
52        <P ALIGN=RIGHT><FONT SIZE=3><B>Version 0.8</B></FONT></P>
53</SPAN><BR><BR>
54</P>
55<P ALIGN=LEFT STYLE="page-break-before: always"><FONT SIZE=4 STYLE="font-size: 16pt"><B>Document
56Log</B></FONT></P>
57<TABLE WIDTH=627 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
58        <COL WIDTH=194>
59        <COL WIDTH=195>
60        <COL WIDTH=195>
61        <TR VALIGN=TOP>
62                <TD WIDTH=194 BGCOLOR="#d9d9d9">
63                        <P ALIGN=JUSTIFY><B>Version Number</B></P>
64                </TD>
65                <TD WIDTH=195 BGCOLOR="#d9d9d9">
66                        <P CLASS="western" ALIGN=JUSTIFY><B>Date</B></P>
67                </TD>
68                <TD WIDTH=195 BGCOLOR="#d9d9d9">
69                        <P CLASS="western" ALIGN=JUSTIFY><B>Comment</B></P>
70                </TD>
71        </TR>
72        <TR VALIGN=TOP>
73                <TD WIDTH=194>
74                        <P ALIGN=JUSTIFY>0.1</P>
75                </TD>
76                <TD WIDTH=195>
77                        <P CLASS="western" ALIGN=JUSTIFY>04/11/05</P>
78                </TD>
79                <TD WIDTH=195>
80                        <P CLASS="western" ALIGN=JUSTIFY>First Draft</P>
81                </TD>
82        </TR>
83        <TR VALIGN=TOP>
84                <TD WIDTH=194>
85                        <P ALIGN=JUSTIFY>0.2</P>
86                </TD>
87                <TD WIDTH=195>
88                        <P CLASS="western" ALIGN=JUSTIFY>21/02/06</P>
89                </TD>
90                <TD WIDTH=195>
91                        <P CLASS="western" ALIGN=JUSTIFY>Draft for installation at NOCS</P>
92                </TD>
93        </TR>
94        <TR VALIGN=TOP>
95                <TD WIDTH=194>
96                        <P ALIGN=JUSTIFY>0.3</P>
97                </TD>
98                <TD WIDTH=195>
99                        <P CLASS="western" ALIGN=JUSTIFY>07/04/06</P>
100                </TD>
101                <TD WIDTH=195>
102                        <P CLASS="western" ALIGN=JUSTIFY>Updates following installation at
103                        NOCS</P>
104                </TD>
105        </TR>
106        <TR VALIGN=TOP>
107                <TD WIDTH=194>
108                        <P ALIGN=JUSTIFY>0.4</P>
109                </TD>
110                <TD WIDTH=195>
111                        <P CLASS="western" ALIGN=JUSTIFY>25/07/06</P>
112                </TD>
113                <TD WIDTH=195>
114                        <P CLASS="western" ALIGN=JUSTIFY>Include deployment model and
115                        details about SysV style init scripts for web services.</P>
116                </TD>
117        </TR>
118        <TR VALIGN=TOP>
119                <TD WIDTH=194>
120                        <P ALIGN=JUSTIFY>0.5</P>
121                </TD>
122                <TD WIDTH=195>
123                        <P CLASS="western" ALIGN=JUSTIFY>16/01/07</P>
124                </TD>
125                <TD WIDTH=195>
126                        <P CLASS="western" ALIGN=JUSTIFY>Instructions for installation of
127                        python packages and associated C library dependencies from source
128                        and corrections for MyProxy installation.</P>
129                        <P CLASS="western" ALIGN=JUSTIFY>Installation instructions apply
130                        to NDG-Security Post Alpha release 0.72.</P>
131                </TD>
132        </TR>
133        <TR VALIGN=TOP>
134                <TD WIDTH=194>
135                        <P ALIGN=JUSTIFY>0.6</P>
136                </TD>
137                <TD WIDTH=195>
138                        <P CLASS="western" ALIGN=JUSTIFY>17/08/07</P>
139                </TD>
140                <TD WIDTH=195>
141                        <P CLASS="western" ALIGN=JUSTIFY>Updated for NDG Beta release. 
142                        </P>
143                        <UL>
144                                <LI><P CLASS="western" ALIGN=JUSTIFY>Installation of python
145                                packages is now via distutils eggs. 
146                                </P>
147                                <LI><P CLASS="western" ALIGN=JUSTIFY>Python services use Twisted.</P>
148                        </UL>
149                </TD>
150        </TR>
151        <TR VALIGN=TOP>
152                <TD WIDTH=194>
153                        <P ALIGN=JUSTIFY>0.7</P>
154                </TD>
155                <TD WIDTH=195>
156                        <P CLASS="western" ALIGN=JUSTIFY>03/10/07</P>
157                </TD>
158                <TD WIDTH=195>
159                        <P CLASS="western" ALIGN=JUSTIFY>Tidied headers for creation of
160                        HTML version</P>
161                </TD>
162        </TR>
163        <TR VALIGN=TOP>
164                <TD WIDTH=194>
165                        <P ALIGN=JUSTIFY>0.8</P>
166                </TD>
167                <TD WIDTH=195>
168                        <P CLASS="western" ALIGN=JUSTIFY>09/10/07</P>
169                </TD>
170                <TD WIDTH=195>
171                        <UL>
172                                <LI><P CLASS="western" ALIGN=LEFT>Updates for mapConfig.xml,
173                                sessionMgrProperties.xml and attAuthorityProperties.xml config
174                                files</P>
175                                <LI><P CLASS="western" ALIGN=LEFT>Configuration for logging</P>
176                        </UL>
177                </TD>
178        </TR>
179</TABLE>
180<P ALIGN=LEFT STYLE="page-break-before: always"><FONT SIZE=4 STYLE="font-size: 16pt"><B>Contents</B></FONT></P>
181<DIV ID="Table of Contents1" DIR="LTR">
182        <P ALIGN=JUSTIFY><A HREF="#1. References|outline">1.  References        5</A></P>
183        <P ALIGN=JUSTIFY><A HREF="#2.Introduction|outline">2. Introduction      5</A></P>
184        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#2.1.Pre-requisites |outline">2.1
185        Pre-requisites  5</A></P>
186        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#2.2.Deployment Model|outline">2.2
187        Deployment Model        5</A></P>
188        <P ALIGN=JUSTIFY><A HREF="#3.Software Installation Components|outline">3.
189        Software Installation Components        8</A></P>
190        <P ALIGN=JUSTIFY><A HREF="#4.Installation|outline">4. Installation      9</A></P>
191        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.1.Python Packages|outline">4.1
192        Python Packages 9</A></P>
193        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.1.1.distutils|outline">4.1.1
194        distutils       9</A></P>
195        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.1.2.NDG Security Packages|outline">4.1.2
196        NDG Security Packages   9</A></P>
197        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.2.NDG Web Services Configuration|outline">4.2
198        NDG Web Services Configuration  10</A></P>
199        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.2.1.NDG Security System Configuration Files|outline">4.2.1
200        NDG Security System Configuration Files 10</A></P>
201        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.2.2.Certificate Generation|outline">4.2.2
202        Certificate Generation  11</A></P>
203        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.3.Session Manager Configuration|outline">4.3
204        Session Manager Configuration   12</A></P>
205        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.3.1.Session Manager Credential Repository|outline">4.3.1
206        Session Manager Credential Repository   12</A></P>
207        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.3.2.Session Manager Properties File Settings|outline">4.3.2
208        Session Manager Properties File Settings        12</A></P>
209        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.3.3.SysV-style Boot Script|outline">4.3.3
210        SysV-style Boot Script  15</A></P>
211        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.4.Attribute Authority Configuration|outline">4.4
212        Attribute Authority Configuration       16</A></P>
213        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.4.1.Attribute Authority Properties File Settings|outline">4.4.1
214        Attribute Authority Properties File Settings    16</A></P>
215        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.4.2.User Roles Interface|outline">4.4.2
216        User Roles Interface    17</A></P>
217        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.4.3.Role Mapping|outline">4.4.3
218        Role Mapping    18</A></P>
219        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.4.4.Twisted Python server .tac file|outline">4.4.4
220        Twisted Python server .tac file 19</A></P>
221        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.4.5.SysV-style Boot Script|outline">4.4.5
222        SysV-style Boot Script  19</A></P>
223        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.5.Python Unit Tests|outline">4.5
224        Python Unit Tests       20</A></P>
225        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.6.Globus MyProxy|outline">4.6
226        Globus MyProxy  20</A></P>
227        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.6.1.MyProxy and NDG Security Background|outline">4.6.1
228        MyProxy and NDG Security Background     20</A></P>
229        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.6.2.MyProxy user account and the repository location considerations|outline">4.6.2
230        MyProxy user account and the repository location considerations 20</A></P>
231        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.6.3.Build Process|outline">4.6.3
232        Build Process   21</A></P>
233        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.6.4.NDG SimpleCA Client Package |outline">4.6.4
234        NDG SimpleCA Client Package     22</A></P>
235        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.6.5.Host Certificate Creation|outline">4.6.5
236        Host Certificate Creation       24</A></P>
237        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.6.6.MyProxy Configuration File|outline">4.6.6
238        MyProxy Configuration File      24</A></P>
239        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.6.7.Repository Directory|outline">4.6.7
240        Repository Directory    25</A></P>
241        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.6.8.Adding MyProxy Server to the system start up|outline">4.6.8
242        Adding MyProxy Server to the system start up    25</A></P>
243        <P ALIGN=JUSTIFY><A HREF="#5.Appendices|outline">5. Appendices  27</A></P>
244        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#5.1.MySQL Installation|outline">5.1
245        MySQL Installation      27</A></P>
246        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.1.1.Version|outline">5.1.1
247        Version 27</A></P>
248        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.1.2.Getting the Binaries|outline">5.1.2
249        Getting the Binaries    27</A></P>
250        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.1.3.New mysql User Account|outline">5.1.3
251        New mysql User Account  27</A></P>
252        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.1.4.Unpacking the tarball|outline">5.1.4
253        Unpacking the tarball   27</A></P>
254        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.1.5.Configuration File|outline">5.1.5
255        Configuration File      28</A></P>
256        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.1.6.Create the Grant Tables|outline">5.1.6
257        Create the Grant Tables 28</A></P>
258        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.1.7.File and Directory Permissions|outline">5.1.7
259        File and Directory Permissions  29</A></P>
260        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.1.8.Starting the Server|outline">5.1.8
261        Starting the Server     29</A></P>
262        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.1.9.Securing MySQL Accounts|outline">5.1.9
263        Securing MySQL Accounts 29</A></P>
264        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.1.10.Server Automated Start up|outline">5.1.10
265        Server Automated Start up       30</A></P>
266        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#5.2.HTTPS set-up with Apache Web Server|outline">5.2
267        HTTPS set-up with Apache Web Server     30</A></P>
268        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.1.Web Server Host Certificate Generation|outline">5.2.1
269        Web Server Host Certificate Generation  30</A></P>
270        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.2.Apache Configuration File Settings|outline">5.2.2
271        Apache Configuration File Settings      30</A></P>
272        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#5.3.Apache Web Server Proxy Settings Configuration for Web Services|outline">5.3
273        Apache Web Server Proxy Settings Configuration for Web Services 31</A></P>
274        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#5.4.An Example Attribute Authority AAUserRoles interface class|outline">5.4
275        An Example Attribute Authority AAUserRoles interface class      32</A></P>
276        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#5.5.Troubleshooting|outline">5.5
277        Troubleshooting 35</A></P>
278        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.5.1.M2Crypto SWIG Build Error|outline">5.5.1
279        M2Crypto SWIG Build Error       35</A></P>
280        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.5.2.PyXML|outline">5.5.2
281        PyXML   36</A></P>
282        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.5.3.4Suite-XML Build error|outline">5.5.3
283        4Suite-XML Build error  36</A></P>
284</DIV>
285<H1 CLASS="western"><A NAME="1. References|outline"></A>1. References</H1>
286<OL>
287        <LI><P CLASS="western" ALIGN=JUSTIFY><FONT COLOR="#0000ff"><U><A HREF="http://grid.ncsa.uiuc.edu/myproxy/"><SPAN LANG="fi-FI">http://grid.ncsa.uiuc.edu/myproxy/</SPAN></A></U></FONT><SPAN LANG="fi-FI">
288        - NCSA MyProxy site</SPAN></P>
289        <LI><P CLASS="western" ALIGN=JUSTIFY><FONT COLOR="#0000ff"><U><A HREF="http://grid.ncsa.uiuc.edu/myproxy/fromscratch.html"><SPAN LANG="fr-FR">http://grid.ncsa.uiuc.edu/myproxy/fromscratch.html</SPAN></A></U></FONT><SPAN LANG="fr-FR">
290        - NCSA MyProxy installation instructions</SPAN></P>
291        <LI><P CLASS="western" ALIGN=JUSTIFY><FONT COLOR="#0000ff"><U><A HREF="http://www-unix.globus.org/toolkit/docs/4.0/security/">http://www-unix.globus.org/toolkit/docs/4.0/security/</A></U></FONT>
292        - Globus 4.0 and Security</P>
293        <LI><P CLASS="western" ALIGN=LEFT><FONT COLOR="#0000ff"><U><A HREF="http://peak.telecommunity.com/DevCenter/setuptools">http://peak.telecommunity.com/DevCenter/setuptools</A></U></FONT>
294        - Python Eggs and Easy Install</P>
295        <LI><P CLASS="western" ALIGN=LEFT><FONT COLOR="#0000ff"><U><A HREF="http://pywebsvcs.sourceforge.net/">http://pywebsvcs.sourceforge.net/</A></U></FONT>
296        - Python ZSI SOAP Web Services package</P>
297        <LI><P CLASS="western" ALIGN=LEFT><FONT COLOR="#0000ff"><U><A HREF="http://chandlerproject.org/bin/view/Projects/MeTooCrypto">http://chandlerproject.org/bin/view/Projects/MeTooCrypto</A></U></FONT>
298        - Python M2Crypto OpenSSL wrapper</P>
299        <LI><P CLASS="western" ALIGN=LEFT><FONT COLOR="#0000ff"><U><A HREF="http://twistedmatrix.com/trac/">http://twistedmatrix.com/trac/</A></U></FONT>
300        - Python Twisted Application Server</P>
301        <LI><P CLASS="western" ALIGN=LEFT><A NAME="_Ref132180158"></A>NDG
302        Security - Security Measures for Installation [v0.2, 7 September
303        2005],
304        <FONT COLOR="#0000ff"><U><A HREF="http://bscw.badc.rl.ac.uk/bscw/bscw.cgi/d77103/NDG%20Security%20-%20Security%20Measures%20for%20Installation">http://bscw.badc.rl.ac.uk/bscw/bscw.cgi/d77103/NDG%20Security%20-%20Security%20Measures%20for%20Installation</A></U></FONT></P>
305</OL>
306<H1 CLASS="western"><A NAME="2.Introduction|outline"></A>2. Introduction</H1>
307<P CLASS="western" ALIGN=JUSTIFY>This is a guide for system
308administrators and developers deploying NDG security at a data
309centre.</P>
310<H2 CLASS="western"><A NAME="2.1.Pre-requisites |outline"></A>2.1 Pre-requisites
311</H2>
312<UL>
313        <LI><P CLASS="western" ALIGN=JUSTIFY>For NDG Security Web Services:
314        a host running RedHat Enterprise AS4 or later is recommended.  Other
315        Linux distributions may also be suitable.</P>
316        <LI><P CLASS="western" ALIGN=JUSTIFY>For MyProxy: a separate host
317        machine (See MyProxy for details of operating systems supported).
318        The host must be secure: if possible a dedicated machine with
319        minimal other services running on it.  It should be kept up to date
320        with patches and system logs monitored regularly.</P>
321        <LI><P CLASS="western" ALIGN=JUSTIFY>MyProxy and Security web
322        services hosts must be configured to link with an NTP server to
323        enable clocks to be synchronised with security services running at
324        other NDG sites.</P>
325        <LI><P CLASS="western" ALIGN=JUSTIFY>Access to a web server if
326        security for web based applications is required.  The web server
327        must be able to be configured to support HTTPS.</P>
328        <LI><P CLASS="western" ALIGN=JUSTIFY>[MySQL 3.23 or greater or
329        Postgres – these are optional and are required for the NDG
330        CredentialRepository only]</P>
331        <LI><P CLASS="western" ALIGN=JUSTIFY>Python 2.4 or later</P>
332        <LI><P CLASS="western" ALIGN=JUSTIFY>Python distutils utility</P>
333        <LI><P CLASS="western" ALIGN=JUSTIFY>OpenSSL is required at version
334        0.9.8 or greater</P>
335</UL>
336<P CLASS="western" ALIGN=JUSTIFY STYLE="margin-left: 0.64cm">Also
337note document NDG <I>Security - Security Measures for Installation</I>
338 (see Ref 1 above).</P>
339<H2 CLASS="western"><A NAME="2.2.Deployment Model|outline"></A>2.2 Deployment
340Model</H2>
341<P CLASS="western" ALIGN=JUSTIFY>The following diagram gives an
342example deployment configuration for NDG security services.</P>
343<P CLASS="western" ALIGN=JUSTIFY><IMG SRC="NDGSecurityInstallationGuide_html_m1b1d83c.png" NAME="graphics1" ALIGN=BOTTOM WIDTH=611 HEIGHT=614 BORDER=0></P>
344<P CLASS="western" ALIGN=JUSTIFY>All services are positioned behind
345the firewall.  MyProxy is installed on a dedicated machine in order
346to make its repository as secure as possible.  Connections to MyProxy
347may be made from the Session Manager web service only from within the
348internal network.</P>
349<P CLASS="western" ALIGN=JUSTIFY>In the above, security web services
350are run together on the same host but this does not have to be the
351case.  They can be run on separate servers.  Similarly, the web
352server is on a separate host but could be run on the same machine as
353the web services if it was felt to be appropriate.</P>
354<P CLASS="western" ALIGN=JUSTIFY>In the above diagram Attribute
355Authority accesses a user database.  It is assumed that the target
356site has a database to store user and user role/access right
357information.  This information needn’t be stored by means of a
358database and could be represented in some other way.  It is for the
359data provider to decide.  Similarly, the Session Manager web service
360interfaces with a Credential Repository.   This is a database in the
361above but could be some other kind of permanent store.</P>
362<P CLASS="western" ALIGN=JUSTIFY>Databases are on a separate server
363to the web services host.  Web services access the databases over the
364internal network.  Finally, the web services have ports exposed in
365some way through the firewall to enable communication with other NDG
366security web services at other sites.</P>
367<H1 CLASS="western"><A NAME="3.Software Installation Components|outline"></A>
3683. Software Installation Components</H1>
369<P CLASS="western" ALIGN=JUSTIFY>Python software is packaged using
370distutils eggs.   These are divided into separate components to suit
371the particular installation required:</P>
372<UL>
373        <LI><P CLASS="western" ALIGN=LEFT>ndg_security_server – components
374        required to run services</P>
375        <LI><P CLASS="western" ALIGN=LEFT>ndg_security_common – components
376        required by both server and client eggs</P>
377        <LI><P CLASS="western" ALIGN=LEFT>ndg_security_client – components
378        for building clients to NDG security services.  For example, a data
379        provider’s web application server would need these to enable the
380        securing of access to resources or an organisation’s Identity
381        provider would need these to authenticate and allocate authorisation
382        attributes to users.</P>
383        <LI><P CLASS="western" ALIGN=LEFT>ndg_security_test – unit tests
384        for all components</P>
385        <LI><P CLASS="western" ALIGN=LEFT>ndg_security – install all:
386        client, server and common components</P>
387</UL>
388<P CLASS="western" ALIGN=JUSTIFY>Eggs rely on the distutils
389easy_install command to manage installation but NDG security uses an
390additional script ndg_security_install.py to install eggs and carry
391out the additional installation tasks to correctly configure the
392software.</P>
393<P CLASS="western" ALIGN=JUSTIFY>The following additional packages
394are required:</P>
395<UL>
396        <LI><P CLASS="western" ALIGN=JUSTIFY>Globus MyProxy 4.0.1 (or later)
397        – source installer tar ball  may be downloaded from the Globus
398        site (<FONT COLOR="#0000ff"><U><A HREF="http://www.globus.org/toolkit/downloads/4.0.1/">http://www.globus.org/toolkit/downloads/4.0.1/</A></U></FONT>)</P>
399        <LI><P CLASS="western" ALIGN=JUSTIFY>NDG SimpleCA client package tar
400        ball – configures target machine to trust the NDG CA.</P>
401</UL>
402<P CLASS="western" ALIGN=JUSTIFY STYLE="margin-left: 0.64cm">These
403two packages should be installed on the target host for MyProxy.</P>
404<H1 CLASS="western"><A NAME="4.Installation|outline"></A>4. Installation</H1>
405<P CLASS="western" ALIGN=JUSTIFY>This section is divided into the
406Python installation and MyProxy.  Note that you will almost certainly
407wish to install MyProxy on a separate secure server to the other
408Python based security services.</P>
409<H2 CLASS="western"><A NAME="4.1.Python Packages|outline"></A>4.1 Python
410Packages</H2>
411<P CLASS="western" ALIGN=JUSTIFY>Log in to the target host as <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">root</SPAN></FONT>.
412 Change to a suitable directory to hold temporary installation files.
413 
414</P>
415<H3 CLASS="western"><A NAME="4.1.1.distutils|outline"></A>4.1.1 distutils</H3>
416<P CLASS="western" ALIGN=JUSTIFY>The first step is to install Python
417distutils, the package that enables the use of Python eggs.  Download
418the distutils bootstrap script:</P>
419<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
420        <COL WIDTH=596>
421        <TR>
422                <TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6">
423                        <P LANG="da-DK" STYLE="margin-bottom: 0cm"><BR>
424                        </P>
425                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="da-DK">$
426                        wget http://peak.telecommunity.com/dist/ez_setup.py</SPAN></FONT></P>
427                </TD>
428        </TR>
429</TABLE>
430<P CLASS="western" ALIGN=LEFT><BR><BR>
431</P>
432<P CLASS="western" ALIGN=JUSTIFY>You may need to set the environment
433for an HTTP proxy at your site.  For example,</P>
434<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
435        <COL WIDTH=596>
436        <TR>
437                <TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6">
438                        <P STYLE="margin-bottom: 0cm"><BR>
439                        </P>
440                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
441                        export http_proxy=http://yourproxyurl.com:8080</FONT></P>
442                </TD>
443        </TR>
444</TABLE>
445<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
446</P>
447<P CLASS="western" ALIGN=JUSTIFY>Run the bootstrap script.  Make sure
448to use the correct version of python in your system path.  Some
449systems may have multiple python versions installed.  Since the script runs as root, review the downloaded file before executing it:</P>
450<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
451        <COL WIDTH=596>
452        <TR>
453                <TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6">
454                        <P STYLE="margin-bottom: 0cm"><BR>
455                        </P>
456                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
457                        python ez_setup.py</FONT></P>
458                </TD>
459        </TR>
460</TABLE>
461<H3 CLASS="western"></H3>
462<P CLASS="western" ALIGN=JUSTIFY>Once completed, you can delete
463<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ez_setup.py</SPAN></FONT>.</P>
464<H3 CLASS="western"><A NAME="4.1.2.NDG Security Packages|outline"></A>
4654.1.2 NDG Security Packages</H3>
466<P CLASS="western" ALIGN=JUSTIFY>NDG security uses a wrapper to
467distutils <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">easy_install</SPAN></FONT>
468to enable custom installation steps to be correctly carried out.
469Download the script from the NDG distribution site:</P>
470<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
471        <COL WIDTH=596>
472        <TR>
473                <TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6">
474                        <P LANG="da-DK" STYLE="margin-bottom: 0cm"><BR>
475                        </P>
476                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="da-DK">$
477                        wget http://ndg.nerc.ac.uk/dist/ndg-security-install.py</SPAN></FONT></P>
478                </TD>
479        </TR>
480</TABLE>
481<P LANG="da-DK" CLASS="western" ALIGN=JUSTIFY><BR><BR>
482</P>
483<P CLASS="western" ALIGN=JUSTIFY>Now carry out the installation of
484the NDG security python packages:</P>
485<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
486        <COL WIDTH=596>
487        <TR>
488                <TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6">
489                        <P STYLE="margin-bottom: 0cm"><BR>
490                        </P>
491                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
492                        python ./ndg-security-install.py -a</FONT></P>
493                </TD>
494        </TR>
495</TABLE>
496<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
497</P>
498<P CLASS="western" ALIGN=JUSTIFY>The script options can be checked
499using the -h option.  -a selects all packages for installation.
500If there are problems with the installation, see the Troubleshooting
501Guide in the Appendices section 5.5.</P>
502<H2 CLASS="western"><A NAME="4.2.NDG Web Services Configuration|outline"></A>
5034.2 NDG Web Services Configuration</H2>
504<H3 CLASS="western"><A NAME="4.2.1.NDG Security System Configuration Files|outline"></A>
5054.2.1 NDG Security System Configuration Files</H3>
506<P CLASS="western" ALIGN=JUSTIFY>Properties files set the
507configuration settings for NDG security <I>server side</I> settings.
508Templates for these are contained within the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndg_security_server</SPAN></FONT>
509installed in your python distribution’s site-packages directory. 
510A future version of the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndg-security-install.py</SPAN></FONT>
511script will extract these and install at a suitable location on the
512file system.  For the moment though, this is a manual process.</P>
513<P CLASS="western" ALIGN=JUSTIFY>Create a configuration area under
514your server’s <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/etc</SPAN></FONT>
515directory:</P>
516<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
517        <COL WIDTH=596>
518        <TR>
519                <TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6">
520                        <P STYLE="margin-bottom: 0cm"><BR>
521                        </P>
522                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="da-DK">$
523                        mkdir /etc/ndg<BR>$ mkdir /etc/ndg/security</SPAN></FONT></P>
524                </TD>
525        </TR>
526</TABLE>
527<P LANG="da-DK" CLASS="western" ALIGN=JUSTIFY><BR><BR>
528</P>
529<P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/etc/ndg/security</SPAN></FONT>
530is recognised by the Python security software by the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">NDGSEC_DIR
531</SPAN></FONT>environment variable.  This variable can be set in the
532environment of the user account used to run the security services or
533can be set in the init scripts used to automatically start up the
534services from server boot up (See sections 4.3.2, 4.3.3 and 4.4.5).</P>
535<P CLASS="western" ALIGN=JUSTIFY>Locate the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndg_security_server</SPAN></FONT>
536egg and copy its <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">conf/</SPAN></FONT>
537directory into the configuration area.  For example if you are using
538python installed in <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/usr/local</SPAN></FONT>
539then the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">conf/</SPAN></FONT>
540directory will be in:</P>
541<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
542        <COL WIDTH=596>
543        <TR>
544                <TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6">
545                        <P STYLE="margin-bottom: 0cm"><BR>
546                        </P>
547                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">/usr/local/lib/python&lt;python
548                        version num&gt;/site-packages/ndg_security_server-&lt;version
549                        info&gt;.egg/ndg/security/server/conf</FONT></P>
550                </TD>
551        </TR>
552</TABLE>
553<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
554</P>
555<P CLASS="western" ALIGN=JUSTIFY>Copy as follows:</P>
556<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
557        <COL WIDTH=596>
558        <TR>
559                <TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6">
560                        <P STYLE="margin-bottom: 0cm"><BR>
561                        </P>
562                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ cp -r
563                        /usr/local/lib/python&lt;python version
564                        num&gt;/site-packages/ndg_security_server-&lt;version
565                        info&gt;.egg/ndg/security/server/conf /etc/ndg/security</FONT></P>
566                </TD>
567        </TR>
568</TABLE>
569<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
570</P>
571<P CLASS="western" ALIGN=JUSTIFY>The <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">conf/</SPAN></FONT>
572directory will contain these important files:</P>
573<UL>
574        <LI><P CLASS="western" ALIGN=JUSTIFY>Session Manager and Attribute
575        Authority properties XML files</P>
576        <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">openssl.conf</SPAN></FONT>
577        – used by the Session Manager to configure client connections to
578        MyProxy</P>
579        <LI><P CLASS="western" ALIGN=JUSTIFY>Special <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">.tac</SPAN></FONT>
580        configuration files loaded by the <I>Twisted</I> application server
581        used to run Session Manager and Attribute Authority services</P>
582        <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">certs/</SPAN></FONT>
583        directory for storing X.509 certificates</P>
584        <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">mapConfig.xml</SPAN></FONT>
585        for role mapping and other trust configuration parameters to enable
586        the Attribute Authority to operate with other trusted organisations
587        within NDG</P>
588        <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">attCertLog/</SPAN></FONT>
589        directory for storing Attribute Certificates issued by the Attribute
590        Authority.</P>
591        <LI><P CLASS="western" ALIGN=JUSTIFY>Logging configuration files:
592        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">sessionMgrLog.cfg
593        </SPAN></FONT>and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">attAuthorityLog.cfg</SPAN></FONT></P>
594</UL>
595<P CLASS="western" ALIGN=JUSTIFY>The default location for log files
596set in <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">sessionMgrLog.cfg</SPAN></FONT>
597and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">attAuthorityLog.cfg</SPAN></FONT>
598is <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/log</SPAN></FONT>.
599 Create this directory as follows:</P>
600<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
601        <COL WIDTH=596>
602        <TR>
603                <TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6">
604                        <P STYLE="margin-bottom: 0cm"><BR>
605                        </P>
606                        <P LANG="es-ES"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
607                        mkdir /etc/ndg/security/log</FONT></P>
608                </TD>
609        </TR>
610</TABLE>
611<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
612</P>
613<H3 CLASS="western"><A NAME="4.2.2.Certificate Generation|outline"></A>
6144.2.2 Certificate Generation</H3>
615<P CLASS="western" ALIGN=JUSTIFY>The Session Manager and Attribute
616Authority web services require individual X.509 certificates as a
617means to identify them in the various interactions required for user
618registration, authentication and authorisation.  These may be created
619by similar means to the host certificate creation.</P>
620<P CLASS="western" ALIGN=JUSTIFY>Change directory to
621<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/conf/certs</SPAN></FONT>.
622 The certificates will be stored here.  Make a new private key and
623certificate request for the Session Manager:</P>
624<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
625        <COL WIDTH=610>
626        <TR>
627                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
628                        <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
629                        </P>
630                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
631                        openssl genrsa -out sm-key.pem 2048</FONT></P>
632                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
633                        openssl req -new -key sm-key.pem -out sm.csr</FONT></P>
634                        <P CLASS="western" ALIGN=LEFT><BR>
635                        </P>
636                </TD>
637        </TR>
638</TABLE>
639<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
640</P>
641<P CLASS="western" ALIGN=JUSTIFY>The private key may be password
642protected if required by adding the -des3 option to the genrsa
643command.   Type in a password when prompted.   Whether or not a password is set, restrict read access to the key file to the account that runs the service.   The req command will
644prompt you for the components of the Distinguished Name for the new
645certificate.  When prompted for the Common Name, enter
646‘SessionManager’.  The other fields can be set as required but by
647convention for NDG, the Organisation field has been set to NDG and
648the Organisation Unit to the individual data provider name e.g. BADC.
649 All other fields have been omitted.  You can skip individual fields
650by entering ‘.’ when prompted.</P>
651<P CLASS="western" ALIGN=JUSTIFY>Forward the request file to the NDG
652CA.  The CA will issue a certificate file.  Copy this file as
653<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/conf/certs/sm-cert.pem</SPAN></FONT>.<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">
654</SPAN></FONT> The request<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">
655</FONT>file can be deleted once a certificate has been obtained from
656the CA.</P>
657<P CLASS="western" ALIGN=JUSTIFY>Repeat this process for the
658Attribute Authority, selecting ‘AttributeAuthority’ for the
659Common Name<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">.</SPAN></FONT></P>
660<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
661        <COL WIDTH=610>
662        <TR>
663                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
664                        <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
665                        </P>
666                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
667                        openssl genrsa -out aa-key.pem 2048</FONT></P>
668                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
669                        openssl req -new -key aa-key.pem -out aa.csr</FONT></P>
670                        <P CLASS="western" ALIGN=LEFT><BR>
671                        </P>
672                </TD>
673        </TR>
674</TABLE>
675<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
676</P>
677<P CLASS="western" ALIGN=JUSTIFY>It is recommended that the Session
678Manager is run over https to keep user login credentials secured.   A
679server certificate and key will be required in addition to enable
680this.  These can be added to the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/conf/certs</SPAN></FONT>
681directory and can be referenced by
682the Session Manager’s properties file.</P>
683<P CLASS="western" ALIGN=JUSTIFY>A copy of the NDG Certificate
684Authority’s X.509 certificate is also required.  Obtain this from
685the NDG CA administrator and copy it into the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/conf/certs
686</SPAN></FONT>directory.</P>
687<H2 CLASS="western"><A NAME="4.3.Session Manager Configuration|outline"></A>
6884.3 Session Manager Configuration</H2>
689<P CLASS="western" ALIGN=JUSTIFY>Configuration parameters may be set
690via a properties file.  In addition, the Session Manager can
691optionally make use of a Credential Repository database.  This
692enables the credentials that users acquire during a session to be
693stored so that they may be retrieved.   When installed, the default
694configuration set in the Session Manager Properties file is to <I>not</I>
695use a Credential Repository.   If this is the case, skip this
696section.</P>
697<H3 CLASS="western"><A NAME="_Ref156702859"></A><A NAME="4.3.1.Session Manager Credential Repository|outline"></A>
6984.3.1 Session Manager Credential Repository</H3>
699<P CLASS="western" ALIGN=JUSTIFY>Create the Credential Repository
700database.  In the example below a MySQL database is assumed.   Notes
701on installing MySQL are given in the Appendices section 5.1.
702</P>
703<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
704        <COL WIDTH=610>
705        <TR>
706                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
707                        <P STYLE="margin-bottom: 0cm"><BR>
708                        </P>
709                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
710                        mysql -u root -p</FONT></P>
711                        <P CLASS="western" ALIGN=JUSTIFY>mysql&gt; create database
712                        ndgCredRepos;</P>
713                        <P><BR>
714                        </P>
715                </TD>
716        </TR>
717</TABLE>
718<P CLASS="western" ALIGN=JUSTIFY><BR>Use the script
719init-credrepos-db to create the tables.  As the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">globus</SPAN></FONT>
720user, run the script.  Enter the password for the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndgUser</SPAN></FONT>
721account when prompted and type <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">yes</SPAN></FONT>
722to confirm creation of the tables:</P>
723<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
724        <COL WIDTH=610>
725        <TR>
726                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
727                        <P STYLE="margin-bottom: 0cm"><BR>
728                        </P>
729                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
730                        init-credrepos-db -u root</FONT></P>
731                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Database
732                        password:</FONT></P>
733                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Are
734                        you sure you want to initialise the database tables? (yes/no) yes</FONT></P>
735                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Tables
736                        created</FONT></P>
737                        <P STYLE="margin-bottom: 0cm"><BR>
738                        </P>
739                        <P><BR>
740                        </P>
741                </TD>
742        </TR>
743</TABLE>
744<P CLASS="western" ALIGN=JUSTIFY><BR>To check that the tables have
745been created, restart the database client:</P>
746<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
747        <COL WIDTH=610>
748        <TR>
749                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
750                        <P STYLE="margin-bottom: 0cm"><BR>
751                        </P>
752                        <P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm">$
753                        mysql -u root -p -D ndgCredRepos</P>
754                        <P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm">mysql&gt;
755                        show tables;</P>
756                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">+------------------------+</FONT></FONT></P>
757                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">|
758                        Tables_in_ndgCredRepos |</FONT></FONT></P>
759                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">+------------------------+</FONT></FONT></P>
760                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">|
761                        UserCredential         |</FONT></FONT></P>
762                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">|
763                        UserID                 |</FONT></FONT></P>
764                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">+------------------------+</FONT></FONT></P>
765                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">2
766                        rows in set (0.00 sec)</FONT></FONT></P>
767                        <P><BR>
768                        </P>
769                </TD>
770        </TR>
771</TABLE>
772<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
773</P>
774<P CLASS="western" ALIGN=JUSTIFY>A separate account should be created
775for the Session Manager to access the database.  It should have
776sufficient permissions to be able to read and write records in the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndgCredRepos</SPAN></FONT> database, and no more.  For
777details of how to create an account in MySQL see the Appendices
778section 5.1.9.</P>
779<H3 CLASS="western"><A NAME="4.3.2.Session Manager Properties File Settings|outline"></A>
7804.3.2 Session Manager Properties File Settings</H3>
781<P CLASS="western" ALIGN=JUSTIFY>Edit <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">sessionMgrProperties.xml</SPAN></FONT>
782in <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/conf</SPAN></FONT>
783and modify the default settings.  Where <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">keyPwd</SPAN></FONT> or <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">sessMgrEncrKey</SPAN></FONT> are set, this file holds secrets, so restrict read access to it to the account that runs the Session Manager:</P>
784<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
785        <COL WIDTH=610>
786        <TR>
787                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
788                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;?xml
789                        version=&quot;1.0&quot; encoding=&quot;utf-8&quot;?&gt;</FONT></FONT></P>
790                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;sessMgrProp&gt;</FONT></FONT></P>
791                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;portNum&gt;&lt;/portNum&gt;</FONT></FONT></P>
792                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;useSSL&gt;Yes&lt;/useSSL&gt;
793                        &lt;!-- leave blank to use http --&gt;</FONT></FONT></P>
794                        <P STYLE="margin-bottom: 0cm">   
795                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;sslCertFile&gt;$NDGSEC_DIR/conf/certs/server-cert.pem&lt;/sslCertFile&gt;</FONT></FONT></P>
796                        <P STYLE="margin-bottom: 0cm">   
797                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;sslKeyFile&gt;$NDGSEC_DIR/conf/certs/server-key.pem
798                        &lt;/sslKeyFile&gt;</FONT></FONT></P>
799                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!--</FONT></FONT></P>
800                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">PKI
801                        settings for signature of outbound SOAP messages</FONT></FONT></P>
802                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--&gt;</FONT></FONT></P>
803                        <P STYLE="margin-bottom: 0cm">   
804                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;useSignatureHandler&gt;Yes&lt;/useSignatureHandler&gt;
805                        &lt;!-- leave blank for no signature --&gt;</FONT></FONT></P>
806                        <P STYLE="margin-bottom: 0cm">   
807                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;certFile&gt;$NDGSEC_DIR/conf/certs/sm-cert.pem&lt;/certFile&gt;</FONT></FONT></P>
808                        <P STYLE="margin-bottom: 0cm">   
809                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;keyFile&gt;$NDGSEC_DIR/conf/certs/sm-key.pem&lt;/keyFile&gt;</FONT></FONT></P>
810                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;keyPwd&gt;&lt;/keyPwd&gt;</FONT></FONT></P>
811                        <P STYLE="margin-bottom: 0cm">   
812                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;caCertFile&gt;$NDGSEC_DIR/conf/certs/cacert.pem&lt;/caCertFile&gt;</FONT></FONT></P>
813                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!--
814                        </FONT></FONT>
815                        </P>
816                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">Set
817                        the certificate used to verify the signature of messages from the </FONT></FONT>
818                        </P>
819                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">client.
820                         This can usually be left blank since the client is expected to </FONT></FONT>
821                        </P>
822                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">include
823                        the cert with the signature in the inbound SOAP message</FONT></FONT></P>
824                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--&gt;</FONT></FONT></P>
825                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;clntCertFile&gt;&lt;/clntCertFile&gt;
826                           </FONT></FONT>
827                        </P>
828                        <P STYLE="margin-bottom: 0cm">   
829                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;sessMgrEncrKey&gt;&lt;/sessMgrEncrKey&gt;</FONT></FONT></P>
830                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;sessMgrURI&gt;&lt;/sessMgrURI&gt;</FONT></FONT></P>
831                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;cookieDomain&gt;&lt;/cookieDomain&gt;</FONT></FONT></P>
832                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;myProxyProp&gt;</FONT></FONT></P>
833                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!--
834                        </FONT></FONT>
835                        </P>
836                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">Delete
837                        this element and take setting from MYPROXY_SERVER environment </FONT></FONT>
838                        </P>
839                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">variable
840                        if required</FONT></FONT></P>
841                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--&gt;</FONT></FONT></P>
842                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;hostname&gt;ENTER
843                        THE FULLY QUALIFIED HOSTNAME OF THE SERVER&lt;/hostname&gt;</FONT></FONT></P>
844                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!--
845                        </FONT></FONT>
846                        </P>
847                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">Delete
848                        this element to take default setting 7512 or read </FONT></FONT>
849                        </P>
850                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><SPAN LANG="fr-FR">MYPROXY_SERVER_PORT
851                        setting</SPAN></FONT></FONT></P>
852                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="fr-FR"><FONT SIZE=2 STYLE="font-size: 9pt">--&gt;</FONT></SPAN></FONT></P>
853                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="fr-FR"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;port&gt;7512&lt;/port&gt;</FONT></SPAN></FONT></P>
854                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!--</FONT></FONT></P>
855                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">Useful
856                        if hostname and certificate CN don't match correctly.  Globus </FONT></FONT>
857                        </P>
858                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">host
859                        DN is set to &quot;host/&lt;fqdn&gt;&quot;.  Delete this element
860                        and set from </FONT></FONT>
861                        </P>
862                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">MYPROXY_SERVER_DN
863                        environment variable if prefered</FONT></FONT></P>
864                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;serverDN&gt;&lt;/serverDN&gt;</FONT></FONT></P>
865                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--&gt;</FONT></FONT></P>
866                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!--</FONT></FONT></P>
867                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">Set
868                        &quot;host/&quot; prefix to host cert CN as is default with globus</FONT></FONT></P>
869                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--&gt;</FONT></FONT></P>
870                        <P STYLE="margin-bottom: 0cm">         
871                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;serverCNprefix&gt;host/&lt;/serverCNprefix&gt; </FONT></FONT></P>
872                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!--</FONT></FONT></P>
873                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">This
874                        directory path is used to locate the OpenSSL configuration file</FONT></FONT></P>
875                        <P STYLE="margin-bottom: 0cm">           
876                        </P>
877                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">The
878                        settings are used to set up the defaults for the Distinguished
879                        Name of</FONT></FONT></P>
880                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">the
881                        new proxy cert. issued </FONT></FONT>
882                        </P>
883                        <P STYLE="margin-bottom: 0cm">           
884                        </P>
885                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">GLOBUS_LOCATION
886                        or GRID_SECURITY_DIR environment variables may be used</FONT></FONT></P>
887                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">but
888                        the settings can be independent of any Globus installation</FONT></FONT></P>
889                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><BR>
890                                  --&gt;</FONT></FONT></P>
891                        <P STYLE="margin-bottom: 0cm">         
892                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;openSSLConfFilePath&gt;$NDGSEC_DIR/conf/openssl.conf&lt;/openSSLConfFilePath&gt;</FONT></FONT></P>
893                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;tmpDir&gt;/tmp&lt;/tmpDir&gt;</FONT></FONT></P>
894                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!--
895                        </FONT></FONT>
896                        </P>
897                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">     
898                                  Limit on maximum lifetime any proxy certificate can have
899                        - </FONT></FONT>
900                        </P>
901                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">     
902                                  specified when a certificate is first created by store()
903                        method</FONT></FONT></P>
904                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--&gt;</FONT></FONT></P>
905                        <P STYLE="margin-bottom: 0cm">         
906                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;proxyCertMaxLifetime&gt;24&lt;/proxyCertMaxLifetime&gt;
907                        &lt;!-- in hours --&gt;</FONT></FONT></P>
908                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!--
909                        </FONT></FONT>
910                        </P>
911                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">     
912                                  Life time of a proxy certificate when issued from the
913                        Proxy Server </FONT></FONT>
914                        </P>
915                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">     
916                                  with getDelegation() method</FONT></FONT></P>
917                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">     
918                                  --&gt;</FONT></FONT></P>
919                        <P STYLE="margin-bottom: 0cm">         
920                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;proxyCertLifetime&gt;8&lt;/proxyCertLifetime&gt;
921                        &lt;!-- in hours --&gt;</FONT></FONT></P>
922                        <P STYLE="margin-bottom: 0cm">         
923                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><SPAN LANG="fr-FR">&lt;caCertFile&gt;$NDGSEC_DIR/conf/certs/cacert.pem&lt;/caCertFile&gt;</SPAN></FONT></FONT></P>
924                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="fr-FR"><FONT SIZE=2 STYLE="font-size: 9pt">  &lt;/myProxyProp&gt;</FONT></SPAN></FONT></P>
925                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="fr-FR"><FONT SIZE=2 STYLE="font-size: 9pt">  &lt;simpleCACltProp&gt;
926                        </FONT></SPAN></FONT>
927                        </P>
928                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">       
929                           &lt;uri&gt;&lt;/uri&gt;</FONT></FONT></P>
930                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm">       
931                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;xmlSigKeyFile&gt;&lt;/xmlSigKeyFile&gt;</FONT></FONT></P>
932                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm">       
933                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;xmlSigCertFile&gt;&lt;/xmlSigCertFile&gt;</FONT></FONT></P>
934                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm">       
935                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;xmlSigCertPwd&gt;&lt;/xmlSigCertPwd&gt;</FONT></FONT></P>
936                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;/simpleCACltProp&gt;</FONT></FONT></P>
937                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">        &lt;!--</FONT></FONT></P>
938                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">        &lt;simpleCASrvProp&gt;</FONT></FONT></P>
939                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">       
940                           &lt;certExpiryDate&gt;&lt;/certExpiryDate&gt;</FONT></FONT></P>
941                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">       
942                           &lt;certLifetimeDays&gt;&lt;/certLifetimeDays&gt;</FONT></FONT></P>
943                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="fr-FR"><FONT SIZE=2 STYLE="font-size: 9pt"> 
944                           &lt;certTmpDir&gt;&lt;/certTmpDir&gt;</FONT></SPAN></FONT></P>
945                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">       
946                           &lt;caCertFile&gt;&lt;/caCertFile&gt;</FONT></FONT></P>
947                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">       
948                           &lt;signExe&gt;&lt;/signExe&gt;</FONT></FONT></P>
949                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">       
950                           &lt;path&gt;&lt;/path&gt;</FONT></FONT></P>
951                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">        &lt;/simpleCASrvProp&gt;</FONT></FONT></P>
952                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">        --&gt;</FONT></FONT></P>
953                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;credReposProp&gt;</FONT></FONT></P>
954                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">       
955                           &lt;modFilePath&gt;&lt;/modFilePath&gt;</FONT></FONT></P>
956                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">       
957                           &lt;modName&gt;ndg.security.common.CredWallet&lt;/modName&gt;</FONT></FONT></P>
958                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">       
959                           &lt;className&gt;NullCredRepos&lt;/className&gt;</FONT></FONT></P>
960                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">       
961                           &lt;propFile&gt;&lt;/propFile&gt;</FONT></FONT></P>
962                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;/credReposProp&gt;</FONT></FONT></P>
963                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;/sessMgrProp&gt;</FONT></FONT></P>
964                        <P> 
965                        </P>
966                </TD>
967        </TR>
968</TABLE>
969<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
970</P>
971<P CLASS="western" ALIGN=JUSTIFY><B>Notes</B></P>
972<UL>
973        <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB"><FONT FACE="Helvetica, sans-serif">The
974        property file reading software will expand any environment variables
975        included in the file.</FONT></SPAN></FONT></P>
976        <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">openssl.conf<FONT FACE="Helvetica, sans-serif">
977        file uses the standard OpenSSL configuration file format.  It is
978        used by the Session Manager MyProxy client to formulate a
979                        certificate request for a proxy certificate generated for a user's
980                        session when they log in.  An example is given below.  The important
981        section to reference is </FONT>[ req_distinguished_name ]</SPAN></FONT></P>
982</UL>
983<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
984</P>
985<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
986        <COL WIDTH=610>
987        <TR>
988                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
989                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#</FONT></FONT></P>
990                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#
991                        SSLeay example configuration file.</FONT></FONT></P>
992                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#
993                        This is mostly being used for generation of certificate requests.</FONT></FONT></P>
994                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#</FONT></FONT></P>
995                        <P STYLE="margin-bottom: 0cm"><BR>
996                        </P>
997                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">RANDFILE
998                                       = $ENV::HOME/.rnd</FONT></FONT></P>
999                        <P STYLE="margin-bottom: 0cm"><BR>
1000                        </P>
1001                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">####################################################################</FONT></FONT></P>
1002                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">[
1003                        ca ]</FONT></FONT></P>
1004                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">default_ca
1005                             = CA_default            # The default ca section</FONT></FONT></P>
1006                        <P STYLE="margin-bottom: 0cm"><BR>
1007                        </P>
1008                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">####################################################################</FONT></FONT></P>
1009                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">[
1010                        CA_default ]</FONT></FONT></P>
1011                        <P STYLE="margin-bottom: 0cm"><BR>
1012                        </P>
1013                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">dir
1014                                    = ./demoCA              # Where everything is kept</FONT></FONT></P>
1015                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">certs
1016                                  = $dir/certs            # Where the issued certs are
1017                        kept</FONT></FONT></P>
1018                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">crl_dir
1019                                = $dir/crl              # Where the issued crl are kept</FONT></FONT></P>
1020                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">database
1021                               = $dir/index.txt        # database index file.</FONT></FONT></P>
1022                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">new_certs_dir
1023                          = $dir/newcerts         # default place for new certs.</FONT></FONT></P>
1024                        <P STYLE="margin-bottom: 0cm"><BR>
1025                        </P>
1026                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">certificate
1027                            = $dir/cacert.pem       # The CA certificate</FONT></FONT></P>
1028                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">serial
1029                                 = $dir/serial           # The current serial number</FONT></FONT></P>
1030                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">crl
1031                                    = $dir/crl.pem          # The current CRL</FONT></FONT></P>
1032                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">private_key
1033                            = $dir/private/cakey.pem# The private key</FONT></FONT></P>
1034                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">RANDFILE
1035                               = $dir/private/.rand    # private random number file</FONT></FONT></P>
1036                        <P STYLE="margin-bottom: 0cm"><BR>
1037                        </P>
1038                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">x509_extensions
1039                        = x509v3_extensions     # The extentions to add to the cert</FONT></FONT></P>
1040                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">default_days
1041                           = 365                   # how long to certify for</FONT></FONT></P>
1042                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">default_crl_days=
1043                        365 # DEE 30  # how long before next CRL</FONT></FONT></P>
1044                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">default_md
1045                             = md5                   # which md to use.</FONT></FONT></P>
1046                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">preserve
1047                               = no                    # keep passed DN ordering</FONT></FONT></P>
1048                        <P STYLE="margin-bottom: 0cm"><BR>
1049                        </P>
1050                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#
1051                        A few difference way of specifying how similar the request should
1052                        look</FONT></FONT></P>
1053                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#
1054                        For type CA, the listed attributes must be the same, and the
1055                        optional</FONT></FONT></P>
1056                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#
1057                        and supplied fields are just that :-)</FONT></FONT></P>
1058                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">policy
1059                                 = policy_match</FONT></FONT></P>
1060                        <P STYLE="margin-bottom: 0cm"><BR>
1061                        </P>
1062                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#
1063                        For the CA policy</FONT></FONT></P>
1064                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">[
1065                        policy_match ]</FONT></FONT></P>
1066                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">countryName
1067                                    = optional</FONT></FONT></P>
1068                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">stateOrProvinceName
1069                            = optional</FONT></FONT></P>
1070                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">organizationName
1071                               = match</FONT></FONT></P>
1072                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">organizationalUnitName
1073                         = optional</FONT></FONT></P>
1074                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">commonName
1075                                     = supplied</FONT></FONT></P>
1076                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">emailAddress
1077                                   = optional</FONT></FONT></P>
1078                        <P STYLE="margin-bottom: 0cm"><BR>
1079                        </P>
1080                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#
1081                        For the 'anything' policy</FONT></FONT></P>
1082                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#
1083                        At this point in time, you must list all acceptable 'object'</FONT></FONT></P>
1084                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#
1085                        types.</FONT></FONT></P>
1086                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">[
1087                        policy_anything ]</FONT></FONT></P>
1088                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">countryName
1089                                    = optional</FONT></FONT></P>
1090                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">stateOrProvinceName
1091                            = optional</FONT></FONT></P>
1092                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">localityName
1093                                   = optional</FONT></FONT></P>
1094                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">organizationName
1095                               = optional</FONT></FONT></P>
1096                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">organizationalUnitName
1097                         = optional</FONT></FONT></P>
1098                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">commonName
1099                                     = supplied</FONT></FONT></P>
1100                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">emailAddress
1101                                   = optional</FONT></FONT></P>
1102                        <P STYLE="margin-bottom: 0cm"><BR>
1103                        </P>
1104                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">####################################################################</FONT></FONT></P>
1105                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">[
1106                        req ]</FONT></FONT></P>
1107                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">default_bits
1108                                   = 1024</FONT></FONT></P>
1109                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">default_keyfile
1110                                = privkey.pem</FONT></FONT></P>
1111                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">distinguished_name
1112                             = req_distinguished_name</FONT></FONT></P>
1113                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">req_extensions
1114                                 = v3_req</FONT></FONT></P>
1115                        <P STYLE="margin-bottom: 0cm"><BR>
1116                        </P>
1117                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">[
1118                        req_distinguished_name ]</FONT></FONT></P>
1119                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#
1120                        BEGIN CONFIG</FONT></FONT></P>
1121                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">0.organizationName
1122                                      = Level 0 Organization</FONT></FONT></P>
1123                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">0.organizationName_default
1124                              = NDG</FONT></FONT></P>
1125                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">0.organizationalUnitName
1126                                 = Level 0 Organizational Unit</FONT></FONT></P>
1127                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">0.organizationalUnitName_default
1128                        = BADC</FONT></FONT></P>
1129                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#1.organizationalUnitName
1130                                 = Level 1 Organizational Unit</FONT></FONT></P>
1131                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#1.organizationalUnitName_default
1132                        = localdomain</FONT></FONT></P>
1133                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">commonName
1134                                             = Name (e.g., John M. Smith)</FONT></FONT></P>
1135                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">commonName_max
1136                                         = 64</FONT></FONT></P>
1137                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#
1138                        END CONFIG</FONT></FONT></P>
1139                        <P STYLE="margin-bottom: 0cm"><BR>
1140                        </P>
1141                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">[
1142                        v3_req ]</FONT></FONT></P>
1143                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">nsCertType
1144                                             = objsign,email,server,client</FONT></FONT></P>
1145                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">basicConstraints
1146                                       = critical,CA:false</FONT></FONT></P>
1147                        <P><BR>
1148                        </P>
1149                </TD>
1150        </TR>
1151</TABLE>
1152<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
1153</P>
1154<H3 CLASS="western"><A NAME="_Ref175134983"></A><A NAME="_Ref179772391"></A><A NAME="4.3.3.SysV-style Boot Script|outline"></A>
11554.3.3 SysV-style Boot Script</H3>
1156<P CLASS="western" ALIGN=JUSTIFY>The Session Manager can be
1157configured to start up at system boot of the host machine.  A SysV
1158style start-up script <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndg-sm</SPAN></FONT>
1159is provided in the installation in:</P>
1160<P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/usr/local/lib/python</SPAN></FONT>&lt;python
1161version num&gt;<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/site-packages/ndg_security_server</SPAN></FONT>-&lt;version
1162info&gt;<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">.egg/ndg/security/server/share
1163 </SPAN></FONT>
1164</P>
1165<P CLASS="western" ALIGN=JUSTIFY>To configure, install this file:</P>
1166<TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1167        <COL WIDTH=602>
1168        <TR>
1169                <TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0">
1170                        <P STYLE="margin-bottom: 0cm"><BR>
1171                        </P>
1172                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1173                        cp /usr/local/lib/python&lt;python version
1174                        num&gt;/site-packages/ndg_security_server-&lt;version
1175                        info&gt;.egg/ndg/security/server<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">
1176                        /share/ndg-sm /etc/rc.d/init.d</SPAN></FONT></FONT></P>
1177                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$
1178                        chkconfig --add ndg-sm</SPAN></FONT></FONT></P>
1179                        <P><BR>
1180                        </P>
1181                </TD>
1182        </TR>
1183</TABLE>
1184<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
1185</P>
1186<P CLASS="western" ALIGN=JUSTIFY>Edit the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndg-sm</SPAN></FONT>
1187script so that it uses the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">NDGSEC_DIR</SPAN></FONT>
1188environment variable to point to the correct location of the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">.tac</SPAN></FONT>
1189file in the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">conf/</SPAN></FONT>
1190directory. User and group ID settings can be made so that the service runs under an
1191alternative account to root.  If this is done, ensure that <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR</SPAN></FONT>
1192has the permissions needed for that account to access it. 
1193</P>
1194<P CLASS="western" ALIGN=JUSTIFY>Note that the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">chkconfig</SPAN></FONT>
1195command may not be available on your target machine.  Please refer to
1196the instructions for your particular Linux distribution.</P>
1197<H2 CLASS="western"><A NAME="4.4.Attribute Authority Configuration|outline"></A>
11984.4 Attribute Authority Configuration</H2>
1199<P CLASS="western" ALIGN=JUSTIFY>The Attribute Authority also has a
1200properties file for the setting of configuration parameters.</P>
1201<H3 CLASS="western"><A NAME="4.4.1.Attribute Authority Properties File Settings|outline"></A>
12024.4.1 Attribute Authority Properties File Settings</H3>
1203<P CLASS="western" ALIGN=JUSTIFY>Edit <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">attAuthorityProperties.xml</SPAN></FONT>
1204in <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/conf</SPAN></FONT>
1205and modify the default settings:</P>
1206<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1207        <COL WIDTH=610>
1208        <TR>
1209                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
1210                        <P STYLE="margin-bottom: 0cm"><BR>
1211                        </P>
1212                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;?xml
1213                        version=&quot;1.0&quot; encoding=&quot;utf-8&quot;?&gt;</FONT></FONT></P>
1214                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;AAprop&gt;</FONT></FONT></P>
1215                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">&lt;!--
1216                        </FONT></FONT></FONT>
1217                        </P>
1218                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">'name'
1219                        setting MUST agree with map config file 'thisHost' name attribute</FONT></FONT></FONT></P>
1220                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">--&gt;</FONT></FONT></FONT></P>
1221                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">&lt;name&gt;Organisation
1222                        Identifier&lt;/name&gt; </FONT></FONT></FONT>
1223                        </P>
1224                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">&lt;portNum&gt;SELECT
1225                        A SUITABLE PORT NUMBER FOR RUNNING THE SERVICE&lt;/portNum&gt;</FONT></FONT></FONT></P>
1226                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!--</FONT></FONT></P>
1227                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">PKI
1228                        settings for transport level encryption</FONT></FONT></P>
1229                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--&gt;</FONT></FONT></P>
1230                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;useSSL&gt;&lt;/useSSL&gt;
1231                        &lt;!-- leave blank to use http --&gt;</FONT></FONT></P>
1232                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;sslCertFile&gt;&lt;/sslCertFile&gt;</FONT></FONT></P>
1233                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;sslKeyFile&gt;&lt;/sslKeyFile&gt;</FONT></FONT></P>
1234                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;sslKeyPwd&gt;&lt;/sslKeyPwd&gt;</FONT></FONT></P>
1235                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!--</FONT></FONT></P>
1236                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">PKI
1237                        settings for signature of outbound SOAP messages</FONT></FONT></P>
1238                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--&gt;</FONT></FONT></P>
1239                        <P STYLE="margin-bottom: 0cm">   
1240                        <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;useSignatureHandler&gt;Yes&lt;/useSignatureHandler&gt;
1241                        &lt;!-- leave blank for no signature --&gt;</FONT></FONT></P>
1242                        <P STYLE="margin-bottom: 0cm">   
1243                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">&lt;certFile&gt;$NDGSEC_DIR/conf/certs/aa-cert.pem&lt;/certFile&gt;</FONT></FONT></FONT></P>
1244                        <P STYLE="margin-bottom: 0cm">   
1245                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">&lt;keyFile&gt;$NDGSEC_DIR/conf/certs/aa-key.pem
1246                        &lt;/keyFile&gt;</FONT></FONT></FONT></P>
1247                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;keyPwd&gt;&lt;/keyPwd&gt;</FONT></FONT></P>
1248                        <P STYLE="margin-bottom: 0cm">   
1249                        <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;caCertFile&gt;$NDGSEC_DIR/conf/certs/cacert.pem
1250                        &lt;/caCertFile&gt;</FONT></FONT></P>
1251                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">&lt;!--
1252                        </FONT></FONT></FONT>
1253                        </P>
1254                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">Set
1255                        the certificate used to verify the signature of messages from the </FONT></FONT>
1256                        </P>
1257                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">client.
1258                         This can usually be left blank since the client is expected to </FONT></FONT>
1259                        </P>
1260                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">include
1261                        the cert with the signature in the inbound SOAP message</FONT></FONT></P>
1262                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--&gt;</FONT></FONT></P>
1263                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;clntCertFile&gt;&lt;/clntCertFile&gt;
1264                           </FONT></FONT>
1265                        </P>
1266                        <P STYLE="margin-bottom: 0cm">   
1267                        <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;attCertLifetime&gt;86400&lt;/attCertLifetime&gt;
1268                        &lt;!-- Measured in seconds --&gt;</FONT></FONT></P>
1269                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">&lt;!--
1270                        </FONT></FONT></FONT>
1271                        </P>
1272                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">Allow
1273                        an offset for clock skew between servers running </FONT></FONT></FONT>
1274                        </P>
1275                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">security
1276                        services.  - Use minus sign for time in the past</FONT></FONT></FONT></P>
1277                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">--&gt;</FONT></FONT></FONT></P>
1278                        <P STYLE="margin-bottom: 0cm">   
1279                        <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;attCertNotBeforeOff&gt;0&lt;/attCertNotBeforeOff&gt;</FONT></FONT></P>
1280                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!--
1281                        Location of role mapping file --&gt;</FONT></FONT></P>
1282                        <P STYLE="margin-bottom: 0cm">   
1283                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">&lt;mapConfigFile&gt;$NDGSEC_DIR/conf/mapConfig.xml&lt;/mapConfigFile&gt;</FONT></FONT></FONT></P>
1284                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!--
1285                        All Attribute Certificates issued are recorded in this dir --&gt;</FONT></FONT></P>
1286                        <P STYLE="margin-bottom: 0cm">   
1287                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">&lt;attCertDir&gt;$NDGSEC_DIR/conf/attCertLog&lt;/attCertDir&gt;</FONT></FONT></FONT></P>
1288                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">&lt;!--
1289                        </FONT></FONT></FONT>
1290                        </P>
1291                        <P STYLE="margin-bottom: 0cm">     <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">Files
1292                        in attCertDir are stored using a rotating file handler</FONT></FONT></FONT></P>
1293                        <P STYLE="margin-bottom: 0cm">     <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">attCertFileLogCnt
1294                        sets the max number of files created before the first is</FONT></FONT></FONT></P>
1295                        <P STYLE="margin-bottom: 0cm">     <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">overwritten</FONT></FONT></FONT></P>
1296                        <P STYLE="margin-bottom: 0cm">     <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">--&gt;</FONT></FONT></FONT></P>
1297                        <P STYLE="margin-bottom: 0cm">   
1298                        <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;attCertFileName&gt;ac.xml&lt;/attCertFileName&gt;</FONT></FONT></P>
1299                        <P STYLE="margin-bottom: 0cm">   
1300                        <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;attCertFileLogCnt&gt;1024&lt;/attCertFileLogCnt&gt;</FONT></FONT></P>
1301                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;dnSeparator&gt;/&lt;/dnSeparator&gt;</FONT></FONT></P>
1302                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!--
1303                        </FONT></FONT>
1304                        </P>
1305                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">Settings
1306                        for custom AAUserRoles derived class to get user roles for</FONT></FONT></P>
1307                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">given
1308                        user ID</FONT></FONT></P>
1309                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--&gt;</FONT></FONT></P>
1310                        <P STYLE="margin-bottom: 0cm">   
1311                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">&lt;userRolesModFilePath&gt;$NDGSEC_DIR/conf&lt;/userRolesModFilePath&gt;</FONT></FONT></FONT></P>
1312                        <P STYLE="margin-bottom: 0cm">   
1313                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">&lt;userRolesModName&gt;userRoles&lt;/userRolesModName&gt;</FONT></FONT></FONT></P>
1314                        <P STYLE="margin-bottom: 0cm">   
1315                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">&lt;userRolesClassName&gt;UserRoles&lt;/userRolesClassName&gt;</FONT></FONT></FONT></P>
1316                        <P STYLE="margin-bottom: 0cm">   
1317                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">&lt;userRolesPropFile&gt;$NDGSEC_DIR/conf/userRoles.cfg&lt;/userRolesPropFile&gt;</FONT></FONT></FONT></P>
1318                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;/AAprop&gt;</FONT></FONT></P>
1319                        <P> 
1320                        </P>
1321                </TD>
1322        </TR>
1323</TABLE>
1324<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
1325</P>
1326<H3 CLASS="western"><A NAME="4.4.2.User Roles Interface|outline"></A>4.4.2 User
1327Roles Interface</H3>
1328<P CLASS="western" ALIGN=JUSTIFY>The Attribute Authority, given a
1329valid user proxy certificate, serves an attribute certificate
1330containing authorisation roles for that user.  It is for the data
1331centre to determine how these roles map to the user's identity, as
1332given by the Distinguished Name in the proxy certificate.
1333Typically, a data centre might have a user database which relates
1334user ID to authorisation roles.</P>
1335<P CLASS="western" ALIGN=JUSTIFY>The Attribute Authority provides a
1336programmatic interface for determining the relationship between user ID
1337and roles.   A custom Python class may be written to perform this
1338task.   See the Appendices, section 5.4.</P>
1339<H3 CLASS="western"><A NAME="4.4.3.Role Mapping|outline"></A>4.4.3 Role
1340Mapping</H3>
1341<P CLASS="western" ALIGN=JUSTIFY>The role mapping file is stored in
1342the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/conf</SPAN></FONT>
1343directory as <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">mapConfig.xml</SPAN></FONT>.
1344 This is an XML file which relates local roles at the target data
1345centre to roles of other trusted data centres.  These role mappings
1346are made by agreement between the data centres.</P>
1347<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1348        <COL WIDTH=610>
1349        <TR>
1350                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
1351                        <P STYLE="margin-bottom: 0cm"><BR>
1352                        </P>
1353                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;?xml
1354                        version=&quot;1.0&quot; encoding=&quot;utf-8&quot;?&gt;</FONT></P>
1355                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;AAmap&gt;</FONT></P>
1356                        <P STYLE="margin-bottom: 0cm">     <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;thisHost
1357                        name=&quot;yourSiteIdentifier&quot;&gt;</FONT></P>
1358                        <P STYLE="margin-bottom: 0cm">         
1359                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;aaURI&gt;yourSiteAttAuthorityURI&lt;/aaURI&gt;</FONT></P>
1360                        <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;aaDN&gt;the
1361                        DN for the Attribute Authority’s X.509 Cert.&lt;/aaDN&gt;</FONT></P>
1362                        <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;loginURI&gt;Your
1363                        Site Login Page URI (https expected)&lt;/loginURI&gt;</FONT></P>
1364                        <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;loginServerDN&gt;The
1365                        DN of loginURI’s SSL cert.&lt;/loginServerDN&gt;</FONT></P>
1366                        <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;loginRequestServerDN&gt;</FONT></P>
1367                        <P STYLE="margin-bottom: 0cm">              <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">The
1368                        cert. DN for SSL server making a request to loginURI</FONT></P>
1369                        <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;/loginRequestServerDN&gt;</FONT></P>
1370                        <P STYLE="margin-bottom: 0cm">     <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;/thisHost&gt;</FONT></P>
1371                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;trusted
1372                        name=&quot;BODC&quot;&gt;</FONT></P>
1373                        <P STYLE="margin-bottom: 0cm">         
1374                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;aaURI&gt;bodcAttAuthorityURI&lt;/aaURI&gt;</FONT></P>
1375                        <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;aaDN&gt;the
1376                        DN for the Attribute Authority’s X.509 Cert.&lt;/aaDN&gt;</FONT></P>
1377                        <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;loginURI&gt;BODC’s
1378                        Login Page URI&lt;/loginURI&gt;</FONT></P>
1379                        <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;loginServerDN&gt;The
1380                        DN of loginURI’s SSL cert.&lt;/loginServerDN&gt;</FONT></P>
1381                        <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;loginRequestServerDN&gt;</FONT></P>
1382                        <P STYLE="margin-bottom: 0cm">              <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">The
1383                        cert. DN for SSL server making a request to loginURI</FONT></P>
1384                        <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;/loginRequestServerDN&gt;</FONT></P>
1385                        <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;role
1386                        remote=&quot;aBODCrole&quot; local=&quot;aLocalRole&quot;/&gt;</FONT></P>
1387                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;/trusted&gt;</FONT></P>
1388                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;trusted
1389                        name=&quot;NOCS&quot;&gt;</FONT></P>
1390                        <P STYLE="margin-bottom: 0cm">         
1391                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;aaURI&gt;nocsAttAuthorityURI&lt;/aaURI&gt;</FONT></P>
1392                        <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;aaDN&gt;the
1393                        DN for the Attribute Authority’s X.509 Cert.&lt;/aaDN&gt;</FONT></P>
1394                        <P STYLE="margin-bottom: 0cm">         
1395                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;loginURI&gt;nocsLoginPageURI&lt;/loginURI&gt;</FONT></P>
1396                        <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;loginServerDN&gt;The
1397                        DN of loginURI’s SSL cert.&lt;/loginServerDN&gt;</FONT></P>
1398                        <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;loginRequestServerDN&gt;</FONT></P>
1399                        <P STYLE="margin-bottom: 0cm">              <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">The
1400                        cert. DN for SSL server making a request to loginURI</FONT></P>
1401                        <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;/loginRequestServerDN&gt;</FONT></P>
1402                        <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;role
1403                        remote=&quot;aNOCSrole&quot; local=&quot;anotherLocalRole&quot;/&gt;</FONT></P>
1404                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;/trusted&gt;</FONT></P>
1405                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;trusted
1406                        name=&quot;NEODAAS&quot;&gt;</FONT></P>
1407                        <P STYLE="margin-bottom: 0cm">         
1408                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;aaURI&gt;neodaasAttAuthorityURI&lt;/aaURI&gt;</FONT></P>
1409                        <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;aaDN&gt;the
1410                        DN for the Attribute Authority’s X.509 Cert.&lt;/aaDN&gt;</FONT></P>
1411                        <P STYLE="margin-bottom: 0cm">         
1412                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;loginURI&gt;neodaasLoginPageURI&lt;/loginURI&gt;</FONT></P>
1413                        <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;loginServerDN&gt;The
1414                        DN of loginURI’s SSL cert.&lt;/loginServerDN&gt;</FONT></P>
1415                        <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;loginRequestServerDN&gt;</FONT></P>
1416                        <P STYLE="margin-bottom: 0cm">              <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">The
1417                        cert. DN for SSL server making a request to loginURI</FONT></P>
1418                        <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;/loginRequestServerDN&gt;</FONT></P>
1419                        <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;role
1420                        remote=&quot;neodaasRole&quot; local=&quot;yetAnotherLocalRole&quot;/&gt;</FONT></P>
1421                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;/trusted&gt;</FONT></P>
1422                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;/AAmap&gt;</FONT></P>
1423                        <P STYLE="margin-bottom: 0cm"><BR>
1424                        </P>
1425                        <P><BR>
1426                        </P>
1427                </TD>
1428        </TR>
1429</TABLE>
1430<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
1431</P>
1432<P CLASS="western" ALIGN=JUSTIFY>The map file contains an entry for
1433each site that the Attribute Authority trusts.  These are listed
1434using the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">trusted</SPAN></FONT>
1435element name.  The Attribute Authority identifies itself with the
1436similar <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">thisHost</SPAN></FONT>
1437element.  Each uses a name attribute to uniquely identify the
1438organisation.  The example above shows a BADC map file which trusts
1439the organisations BODC, NOCS and NEODAAS.</P>
1440<P CLASS="western" ALIGN=JUSTIFY>Note that the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">thisHost
1441name </SPAN></FONT>attribute must match the name element in the
1442corresponding <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">attAuthorityProperties.xml</SPAN></FONT>
1443file.  The value of <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">name</SPAN></FONT>
1444is copied as the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">issuerName</SPAN></FONT>
1445used in Attribute Certificates issued by the Attribute Authority.</P>
1446<P CLASS="western" ALIGN=JUSTIFY>The <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">thisHost</SPAN></FONT>
1447and trusted elements share the same sub-elements, barring role, which appears only under trusted:
1448</P>
1449<UL>
1450        <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">aaURI</SPAN></FONT>
1451        – this is the address of the Attribute Authority</P>
1452        <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">aaDN</SPAN></FONT>
1453        – the Distinguished Name of the Attribute Authority’s X.509
1454        certificate (not currently used)</P>
1455        <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">loginURI</SPAN></FONT>
1456        – the address of the Login Service
1457        </P>
1458        <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">loginServerDN</SPAN></FONT>
1459        – the Distinguished Name of the X.509 certificate held by the
1460        Login Service for SSL connections.  It is expected that the Login
1461        Service is run over https to protect the privacy of login
1462        credentials.  This field is not currently used.</P>
1463        <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">loginRequestServerDN</SPAN></FONT>
1464        – when secured credentials are requested, a service provider lets
1465        the user redirect to their chosen Login Service at another
1466        trusted site.   Then, on successful authentication, the Login Service
1467        can return the user to the service provider so that they can
1468        continue with their request.  This return address must be over
1469        https, both so that the credentials are encrypted in transit and
1470        so that the service provider host making the request can be validated.   The Login
1471        Service does this by checking the SSL certificate of the
1472        service provider host and comparing its Distinguished Name against
1473        the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">loginRequestServerDN</SPAN></FONT>
1474        entries for the organisations it trusts.</P>
1475        <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">role</SPAN></FONT>
1476        – this element is used to express an individual role mapping.  The
1477        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">local</SPAN></FONT>
1478        attribute refers to a role <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">thisHost</SPAN></FONT>
1479        supports.  The <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">remote</SPAN></FONT>
1480        attribute is assigned to the role of the trusted organisation it
1481        maps to.  It is possible to have multiple role entries.  One local
1482        role may map to many remote roles and vice versa: one remote role
1483        may map to many local roles.</P>
1484</UL>
1485<H3 CLASS="western"><A NAME="4.4.4.Twisted Python server .tac file|outline"></A>
14864.4.4 Twisted Python server .tac file</H3>
1487<P CLASS="western" ALIGN=JUSTIFY>Copy this file from the
1488ndg_security_server egg to the NDG security conf/ directory:</P>
1489<TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1490        <COL WIDTH=602>
1491        <TR>
1492                <TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0">
1493                        <P STYLE="margin-bottom: 0cm"><BR>
1494                        </P>
1495                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1496                        cp /usr/local/lib/python&lt;python version
1497                        num&gt;/site-packages/ndg_security_server-&lt;version
1498                        info&gt;.egg/ndg/security/server/server-config.tac<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">
1499                        $NDGSEC_DIR/conf</SPAN></FONT></FONT></P>
1500                        <P><BR>
1501                        </P>
1502                </TD>
1503        </TR>
1504</TABLE>
1505<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
1506</P>
1507<H3 CLASS="western"><A NAME="_Ref179772414"></A><A NAME="4.4.5.SysV-style Boot Script|outline"></A>
15084.4.5 SysV-style Boot Script</H3>
1509<P CLASS="western" ALIGN=JUSTIFY>As with the Session Manager, the
1510Attribute Authority can be configured to start up at system boot of
1511the host machine.  A SysV-style start-up script <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndg-aa</SPAN></FONT>
1512is provided in the installation at:</P>
1513<P CLASS="western" ALIGN=JUSTIFY>/usr/local/lib/python&lt;python
1514version num&gt;/site-packages/ndg_security_server-&lt;version
1515info&gt;.egg/ndg/security/server/<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">share</SPAN></FONT>
1516 
1517</P>
1518<P CLASS="western" ALIGN=JUSTIFY>To configure, install this file:</P>
1519<TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1520        <COL WIDTH=602>
1521        <TR>
1522                <TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0">
1523                        <P STYLE="margin-bottom: 0cm"><BR>
1524                        </P>
1525                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1526                        cp /usr/local/lib/python&lt;python version
1527                        num&gt;/site-packages/ndg_security_server-&lt;version
1528                        info&gt;.egg/ndg/security/server<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">
1529                        /share/ndg-aa /etc/rc.d/init.d</SPAN></FONT></FONT></P>
1530                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$
1531                        chkconfig --add ndg-aa</SPAN></FONT></FONT></P>
1532                        <P><BR>
1533                        </P>
1534                </TD>
1535        </TR>
1536</TABLE>
1537<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
1538</P>
1539<P CLASS="western" ALIGN=JUSTIFY>Edit ndg-aa so that it uses the
1540NDGSEC_DIR environment variable to point to the correct location of
1541the .tac file in the conf/ directory.  User and group ID settings can
1542be made so that the service runs under an alternative account to root.
1543If this is done, ensure that the permissions on $NDGSEC_DIR give that
1544account the access it needs.
1545</P>
1546<P CLASS="western" ALIGN=JUSTIFY>If required, add any additional
1547environment settings required to connect to a user database.</P>
1548<H2 CLASS="western"><A NAME="4.5.Python Unit Tests|outline"></A>4.5Python
1549Unit Tests</H2>
1550<P CLASS="western" ALIGN=JUSTIFY>Python unit test scripts are
1551provided to check that the system is running correctly.  These are
1552located in the ndg_security_test egg in the site-packages/ directory
1553of the python installation.</P>
1554<P CLASS="western" ALIGN=JUSTIFY>&lt;todo: &gt;</P>
1555<H2 CLASS="western"><A NAME="4.6.Globus MyProxy|outline"></A>4.6Globus
1556MyProxy</H2>
1557<H3 CLASS="western"><A NAME="4.6.1.MyProxy and NDG Security Background|outline"></A>
15584.6.1MyProxy and NDG Security Background</H3>
1559<P CLASS="western" ALIGN=JUSTIFY>NDG Security makes use of MyProxy
1560from the Globus toolkit to store users’ authentication credentials.
1561 If a participating data centre supports user accounts then it will
1562need to deploy its own MyProxy repository. 
1563</P>
1564<P CLASS="western" ALIGN=JUSTIFY>The NDG SessionManager web service
1565acts as a client to MyProxy.  When a user is registered at a site, it
1566generates a new public/private key pair for the user and an X.509
1567certificate request.  It sends the latter to the NDG Simple CA
1568(Certificate Authority) for signing.  A new X.509 certificate is
1569issued and returned.  The SessionManager uploads the public and
1570private key into the MyProxy repository and associates a username and
1571pass-phrase with these credentials.</P>
1572<P CLASS="western" ALIGN=JUSTIFY>When a user subsequently logs in at
1573their site, again the SessionManager is called.  It passes the
1574username and pass-phrase provided to MyProxy.  MyProxy matches these
1575with the X.509 certificate it holds and issues a <I>proxy</I> to that
1576certificate.  The proxy certificate represents the user’s ID
1577internally in the interactions between the various NDG components.
1578</P>
1579<P CLASS="western" ALIGN=JUSTIFY>MyProxy runs as a service
1580<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy-server</SPAN></FONT>
1581on its host machine and user credentials are held in a directory on
1582the file system.  It is important to secure the host and to restrict
1583access to this directory so that the credentials are not compromised.  (Also see Ref 1 above.)</P>
1584<H3 CLASS="western"><A NAME="4.6.2.MyProxy user account and the repository location considerations|outline"></A>
15854.6.2MyProxy user account and the repository location considerations</H3>
1586<P CLASS="western" ALIGN=JUSTIFY>MyProxy may be installed as root or
1587under a separate user account.  The latter is preferable as it
1588provides an extra level of security.  Note that the MyProxy
1589repository will be in a standard location, which depends on the
1590account used: 
1590</P>
1591<UL>
1592        <LI><P CLASS="western" ALIGN=JUSTIFY>If MyProxy is installed as
1593        root, this is <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/var/myproxy</SPAN></FONT>.
1594         
1595        </P>
1596        <LI><P CLASS="western" ALIGN=JUSTIFY>If installed under an
1597        alternative user account, <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$GLOBUS_LOCATION/var/myproxy</SPAN></FONT>.
1598         
1599        </P>
1600</UL>
1601<P CLASS="western" ALIGN=JUSTIFY>It is possible to explicitly define
1602an alternate location but this can only be done by providing a
1603command line argument to <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy-server</SPAN></FONT>.
1604 Note that this argument might be visible to other users in the process
1605list of the host machine, for example in the output of <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ps</SPAN></FONT>.
1606 This can be avoided by running <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy-server</SPAN></FONT>
1607with <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">xinetd</SPAN></FONT>
1608(see 4.6.8.1).</P>
1609<P CLASS="western" ALIGN=LEFT>Another factor to take into
1610consideration is the available space on the file system for the
1611repository location.  There should be sufficient disk space on the
1612partition where the directory is located to store credentials for all
1613the users of the system at the target site.</P>
1614<P CLASS="western" ALIGN=JUSTIFY>This guide assumes installation
1615under a dedicated user account.  The username <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">globus</SPAN></FONT>
1616is used in the examples for convenience only.  An alternative
1617username is recommended.</P>
1618<P CLASS="western" ALIGN=JUSTIFY>As <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">root</SPAN></FONT>
1619user set up a local user account.</P>
1620<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1621        <COL WIDTH=596>
1622        <TR>
1623                <TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6">
1624                        <P STYLE="margin-bottom: 0cm"><BR>
1625                        </P>
1626                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1627                        groupadd globus</FONT></P>
1628                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1629                        useradd globus -g globus</FONT></P>
1630                </TD>
1631        </TR>
1632</TABLE>
1633<P CLASS="western" ALIGN=LEFT><BR><BR>
1634</P>
1635<P CLASS="western" ALIGN=JUSTIFY>Note that for security purposes, the
1636globus user account is set up as a local rather than an NIS account so
1637that access to it is restricted.  Set the default home directory as necessary
1638and the default shell to bash.  Set the password for <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">globus</SPAN></FONT>:</P>
1639<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1640        <COL WIDTH=596>
1641        <TR>
1642                <TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6">
1643                        <P STYLE="margin-bottom: 0cm"><BR>
1644                        </P>
1645                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1646                        passwd globus</FONT></P>
1647                </TD>
1648        </TR>
1649</TABLE>
1650<P CLASS="western" ALIGN=LEFT><BR><BR>
1651</P>
1652<P CLASS="western" ALIGN=JUSTIFY>Modify the relevant files and
1653directories in the NDG installation area to be owned by the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">globus</SPAN></FONT>
1654account:</P>
1655<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1656        <COL WIDTH=596>
1657        <TR>
1658                <TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6">
1659                        <P STYLE="margin-bottom: 0cm"><BR>
1660                        </P>
1661                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1662                        chown -R globus:globus $NDGSEC_DIR/conf/ $NDGSEC_DIR/ndgSetup.sh</FONT></P>
1663                </TD>
1664        </TR>
1665</TABLE>
1666<P CLASS="western" ALIGN=LEFT><BR><BR>
1667</P>
1668<P CLASS="western" ALIGN=LEFT>For convenience, the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndgSetup.sh</SPAN></FONT>
1669file may be called from the globus account’s <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">.bashrc</SPAN></FONT>
1670file so that the NDG environment is automatically initialised when a
1671new globus shell is invoked.</P>
1672<P CLASS="western" ALIGN=LEFT>Change to the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">globus</SPAN></FONT>
1673account and edit <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">~/.bashrc</SPAN></FONT>
1674adding the following lines at the end:</P>
1675<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1676        <COL WIDTH=596>
1677        <TR>
1678                <TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6">
1679                        <P STYLE="margin-bottom: 0cm"><BR>
1680                        </P>
1681                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#
1682                        NDG set-up</FONT></P>
1683                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">.
1684                        /usr/local/NDG/ndgSetup.sh</FONT></P>
1685                </TD>
1686        </TR>
1687</TABLE>
1688<P CLASS="western" ALIGN=LEFT><BR><BR>
1689</P>
1690<H3 CLASS="western"><A NAME="4.6.3.Build Process|outline"></A>4.6.3Build
1691Process</H3>
1692<P CLASS="western" ALIGN=JUSTIFY>As <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">root</SPAN></FONT>,
1693create an installation directory for Globus within the NDG
1694installation:</P>
1695<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1696        <COL WIDTH=596>
1697        <TR>
1698                <TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6">
1699                        <P STYLE="margin-bottom: 0cm"><BR>
1700                        </P>
1701                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1702                        mkdir $NDGSEC_DIR/globus-4.0.1</FONT></P>
1703                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1704                        chown globus:globus $NDGSEC_DIR/globus-4.0.1</FONT></P>
1705                        <P><BR>
1706                        </P>
1707                </TD>
1708        </TR>
1709</TABLE>
1710<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
1711</P>
1712<P CLASS="western" ALIGN=JUSTIFY>Ensure that the setting for
1713<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">GLOBUS_LOCATION</FONT>
1714in <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$NDGSEC_DIR/ndgSetup.sh</FONT>
1715points to the new directory created <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$NDGSEC_DIR/globus-4.0.1</FONT>.</P>
1716<P CLASS="western" ALIGN=JUSTIFY>Switch to the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">globus</FONT>
1717user account ready to download the globus installation.</P>
1718<P CLASS="western" ALIGN=JUSTIFY>The Globus 4.0.1 distribution is
1719recommended for use with the NDG Security software.  This is
1720available from <FONT COLOR="#0000ff"><U><A HREF="http://www.globus.org/toolkit/downloads/4.0.1/">http://www.globus.org/toolkit/downloads/4.0.1/</A></U></FONT></P>
1721<P CLASS="western" ALIGN=JUSTIFY>A binary version is available but it
1722is recommended to install the source code version and build from
1723scratch on the target machine.  Note that it is possible to set a
1724target for <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">make
1725</SPAN></FONT>so that only the MyProxy components of Globus are
1726built.  Click on the link for the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">gt4.0.1-all-source-installer</FONT>
1727tarball.  Extract the files and change to the
1728<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">gt4.0.1-all-source-installer/</FONT>
1729directory created.</P>
1730<P CLASS="western" ALIGN=JUSTIFY>Configure the build settings, then
1731compile and install MyProxy:</P>
1732<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1733        <COL WIDTH=596>
1734        <TR>
1735                <TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6">
1736                        <P STYLE="margin-bottom: 0cm"><BR>
1737                        </P>
1738                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1739                        ./configure --prefix=$GLOBUS_LOCATION</FONT></P>
1740                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1741                        make gsi-myproxy postinstall</FONT></P>
1742                        <P><BR>
1743                        </P>
1744                </TD>
1745        </TR>
1746</TABLE>
1747<P STYLE="margin-bottom: 0cm"><BR>
1748</P>
1749<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Helvetica, sans-serif"><SPAN LANG="en-GB">When
1750running</SPAN></FONT> ./configure <FONT FACE="Helvetica, sans-serif"><SPAN LANG="en-GB">you
1751may see an error if the </SPAN></FONT>JAVA_HOME<FONT FACE="Helvetica, sans-serif"><SPAN LANG="en-GB">
1752environment variable is not set.  This can be ignored because Java is
1753not required for the MyProxy build.</SPAN></FONT></FONT></P>
1754<P STYLE="margin-bottom: 0cm"><BR>
1755</P>
1756<H3 CLASS="western"><A NAME="4.6.4.NDG SimpleCA Client Package |outline"></A>
17574.6.4NDG SimpleCA Client Package
1758</H3>
1759<P CLASS="western" ALIGN=JUSTIFY>This configures the target machine
1760to trust the NDG CA. 
1761</P>
1762<P CLASS="western" ALIGN=JUSTIFY>Log in as the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">globus</SPAN></FONT>
1763user. To install, first initialise the environment settings (the
1764following line should be included in <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndgSetup.sh</SPAN></FONT>;
1765 check and amend as necessary).</P>
1766<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1767        <COL WIDTH=596>
1768        <TR>
1769                <TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6">
1770                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><BR>
1771                        </P>
1772                        <P LANG="fr-FR"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1773                        . $GLOBUS_LOCATION/etc/globus-user-env.sh</FONT></P>
1774                </TD>
1775        </TR>
1776</TABLE>
1777<P><BR><BR>
1778</P>
1779<P CLASS="western" ALIGN=LEFT>Install the client package.  <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">&lt;CA
1780Hash&gt;</SPAN></FONT> below is a unique identifier for the CA.  Note
1781that the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">-nonroot</SPAN></FONT>
1782option ensures that the configuration files are installed in
1783<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$GLOBUS_LOCATION/etc</SPAN></FONT>
1784rather than the default location used with the root user:
1785<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/etc/grid-security</SPAN></FONT>.
1786 If you are installing as <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">root</SPAN></FONT>,
1787this option may be omitted.</P>
1788<P CLASS="western" ALIGN=LEFT>Also note that for 64 bit architectures
1789the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">gcc32dbg</SPAN></FONT>
1790argument to <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">gpt-build</SPAN></FONT>
1791should be substituted with <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">gcc64dbg</SPAN></FONT>.</P>
1792<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1793        <COL WIDTH=596>
1794        <TR>
1795                <TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6">
1796                        <P STYLE="margin-bottom: 0cm"><BR>
1797                        </P>
1798                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1799                        gpt-build globus_simple_ca_&lt;CA hash&gt;_setup-0.18.tar.gz
1800                        gcc32dbg</FONT></P>
1801                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1802                        gpt-postinstall</FONT></P>
1803                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1804                        $GLOBUS_LOCATION/setup/globus_simple_ca_&lt;CA
1805                        hash&gt;_setup/setup-gsi </FONT>
1806                        </P>
1807                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">-default
1808                        -nonroot</FONT></P>
1809                </TD>
1810        </TR>
1811</TABLE>
1812<P STYLE="margin-bottom: 0cm"><BR>
1813</P>
1814<P CLASS="western" ALIGN=LEFT>When running <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">gpt-postinstall</SPAN></FONT>,
1815you may see a warning:</P>
1816<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1817        <COL WIDTH=596>
1818        <TR>
1819                <TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6">
1820                        <P STYLE="margin-bottom: 0cm"><BR>
1821                        </P>
1822                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">WARNING:
1823                        The following packages were not set up correctly:</FONT></P>
1824                        <P STYLE="margin-bottom: 0cm">        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">globus_simple_ca_&lt;CA
1825                        hash&gt;_setup-noflavor-pgm</FONT></P>
1826                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Check
1827                        the package documentation or run postinstall -verbose to see what
1828                        happened</FONT></P>
1829                </TD>
1830        </TR>
1831</TABLE>
1832<P CLASS="western" ALIGN=LEFT><BR><BR>
1833</P>
1834<P CLASS="western" ALIGN=LEFT>This can be ignored.</P>
1835<H4 CLASS="western">4.6.4.1Modifications to Configuration File
1836Settings</H4>
1837<P CLASS="western" ALIGN=LEFT>The configuration files installed
1838require some minor modifications before proceeding:</P>
1839<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm">Under the
1840directory <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$GLOBUS_LOCATION/etc</SPAN></FONT>,
1841edit <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">globus-host-ssl.conf</SPAN></FONT>
1842and under the section <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">[
1843req_distinguished_name ]</SPAN></FONT>, edit the setting for
1844<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">0.organizationalUnitName_default</SPAN></FONT>
1845and change the default <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">BADC</SPAN></FONT>
1846to the name of the organisation where this NDG security software is
1847being installed.  This name will be used as the default for the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">OU</SPAN></FONT>
1848field of certificates held in the MyProxy server.</P>
1849<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
1850</P>
1851<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1852        <COL WIDTH=610>
1853        <TR>
1854                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
1855                        <P STYLE="margin-bottom: 0cm"><BR>
1856                        </P>
1857                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">[
1858                        req_distinguished_name ]</FONT></P>
1859                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#
1860                        BEGIN CONFIG</FONT></P>
1861                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">0.organizationName
1862                                      = Level 0 Organization</FONT></P>
1863                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">0.organizationName_default
1864                              = NDG</FONT></P>
1865                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">0.organizationalUnitName
1866                                 = Level 0 Organizational Unit</FONT></P>
1867                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">0.organizationalUnitName_default
1868                        = BADC</FONT></P>
1869                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">commonName
1870                                             = Name (e.g., John M. Smith)</FONT></P>
1871                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">commonName_max
1872                                         = 64</FONT></P>
1873                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#
1874                        END CONFIG</FONT></P>
1875                        <P><BR>
1876                        </P>
1877                </TD>
1878        </TR>
1879</TABLE>
1880<P CLASS="western" ALIGN=LEFT><BR><BR>
1881</P>
1882<P CLASS="western" ALIGN=LEFT>Under the same directory, edit the file
1883<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">globus-user-ssl.conf</SPAN></FONT>
1884and carry out the same modification as above but also comment out the
1885two lines below <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">1.organizationalUnitName</SPAN></FONT>
1886and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">1.organizationalUnitName_default</SPAN></FONT>:</P>
1887<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
1888</P>
1889<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1890        <COL WIDTH=610>
1891        <TR>
1892                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
1893                        <P STYLE="margin-bottom: 0cm"><BR>
1894                        </P>
1895                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">[
1896                        req_distinguished_name ]</FONT></P>
1897                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#
1898                        BEGIN CONFIG</FONT></P>
1899                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">0.organizationName
1900                                      = Level 0 Organization</FONT></P>
1901                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">0.organizationName_default
1902                              = NDG</FONT></P>
1903                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">0.organizationalUnitName
1904                                 = Level 0 Organizational Unit</FONT></P>
1905                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">0.organizationalUnitName_default
1906                        = BADC</FONT></P>
1907                        <P STYLE="margin-bottom: 0cm"><BR>
1908                        </P>
1909                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#1.organizationalUnitName
1910                                 = Level 1 Organizational Unit</FONT></P>
1911                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#1.organizationalUnitName_default
1912                        = badc.rl.ac.uk</FONT></P>
1913                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">commonName
1914                                             = Name (e.g., John M. Smith)</FONT></P>
1915                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">commonName_max
1916                                         = 64</FONT></P>
1917                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#
1918                        END CONFIG</FONT></P>
1919                        <P><BR>
1920                        </P>
1921                </TD>
1922        </TR>
1923</TABLE>
1924<P CLASS="western" ALIGN=LEFT><BR><BR>
1925</P>
1926<P CLASS="western" ALIGN=LEFT>Edit
1927<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$GLOBUS_LOCATION/share/certificates/&lt;CA
1928Hash&gt;.signing_policy</SPAN></FONT> and change the setting of <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">OU</FONT>
1929in the line:</P>
1930<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
1931</P>
1932<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1933        <COL WIDTH=610>
1934        <TR>
1935                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
1936                        <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
1937                        </P>
1938                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">cond_subjects
1939                            globus       '&quot;/O=NDG/OU=BADC/*&quot;'</FONT></P>
1940                        <P CLASS="western" ALIGN=LEFT><BR>
1941                        </P>
1942                </TD>
1943        </TR>
1944</TABLE>
1945<P CLASS="western" ALIGN=LEFT><BR><BR>
1946</P>
1947<P CLASS="western" ALIGN=LEFT>Replacing ‘BADC’ with the name of
1948the Organisational Unit for your organisation.  This should be the
1949same as <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">0.organizationalUnitName_default</SPAN></FONT>
1950set above for <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">globus-host-ssl.conf</FONT>
1951and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">globus-user-ssl.conf</FONT>.</P>
1952<P CLASS="western" ALIGN=LEFT>Having completed these steps, a host
1953certificate for the target machine can be made in order to identify
1954it.</P>
1955<H3 CLASS="western"><A NAME="4.6.5.Host Certificate Creation|outline"></A>
19564.6.5Host Certificate Creation</H3>
1957<P CLASS="western" ALIGN=LEFT>Log in as the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">globus</SPAN></FONT>
1958user to carry out these steps.   <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">ndgSetup.sh
1959</FONT>should configure the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">PATH</FONT>
1960variable to include the Globus executable directories
1961<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$GLOBUS_LOCATION/bin</FONT>
1962and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$GLOBUS_LOCATION/sbin</FONT>.
1963 Check the path to the command <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">grid-cert-request</SPAN></FONT>:</P>
1964<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
1965</P>
1966<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1967        <COL WIDTH=610>
1968        <TR>
1969                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
1970                        <P STYLE="margin-bottom: 0cm"><BR>
1971                        </P>
1972                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1973                        which grid-cert-request</FONT></P>
1974                        <P CLASS="western" ALIGN=LEFT><BR>
1975                        </P>
1976                </TD>
1977        </TR>
1978</TABLE>
1979<P CLASS="western" ALIGN=JUSTIFY><BR>This should return something like:
1980<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">/usr/local/NDG/globus-4.0.1/bin/grid-cert-request</FONT></P>
1981<P CLASS="western" ALIGN=JUSTIFY>To generate a host certificate
1982request, change to the certificates directory:</P>
1983<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
1984</P>
1985<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1986        <COL WIDTH=610>
1987        <TR>
1988                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
1989                        <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
1990                        </P>
1991                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1992                        cd $GLOBUS_LOCATION/etc</FONT></P>
1993                        <P CLASS="western" ALIGN=LEFT><BR>
1994                        </P>
1995                </TD>
1996        </TR>
1997</TABLE>
1998<P CLASS="western" ALIGN=JUSTIFY><BR>N.B. If you installed MyProxy as
1999<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">root</SPAN></FONT>,
2000change (as the root user) to <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/etc/grid-security</SPAN></FONT>,
2001where the certificates should be held.</P>
2002<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2003        <COL WIDTH=610>
2004        <TR>
2005                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
2006                        <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
2007                        </P>
2008                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
2009                        grid-cert-request -host &lt;machine hostname&gt; -dir .</FONT></P>
2010                        <P CLASS="western" ALIGN=LEFT><BR>
2011                        </P>
2012                </TD>
2013        </TR>
2014</TABLE>
2015<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
2016</P>
2017<P CLASS="western" ALIGN=LEFT>This creates the files <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">hostcert.pem</FONT>,
2018<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">hostkey.pem</FONT>
2019and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">hostcert_request.pem</FONT>.
2020 <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">hostcert.pem</FONT>
2021is empty at this stage.  <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">hostkey.pem</FONT>
2022is the host's private key: keep it readable only by the account that runs MyProxy and never send it to the CA. 
2022</P>
2023<P CLASS="western" ALIGN=JUSTIFY>In order to obtain the certificate
2024it must be signed by the NDG CA.  Contact the NDG CA, forwarding
2025<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">hostcert_request.pem</FONT>
2026(the request only).  The CA will issue a <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">hostcert.pem</FONT>
2027file.  Copy this file into the same directory, i.e. <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$GLOBUS_LOCATION/etc</FONT>.
2028  <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">hostcert_request.pem
2029</FONT>is no longer needed and may be deleted if desired.</P>
2030<H3 CLASS="western"><A NAME="4.6.6.MyProxy Configuration File|outline"></A>
20314.6.6MyProxy Configuration File</H3>
2032<P CLASS="western" ALIGN=JUSTIFY>A MyProxy configuration file is
2033normally kept in the Globus installation under the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">etc</SPAN></FONT>
2034directory.   If this file is not already present, copy the sample
2035file:</P>
2036<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2037        <COL WIDTH=610>
2038        <TR>
2039                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
2040                        <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
2041                        </P>
2042                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
2043                        cp $GLOBUS_LOCATION/share/myproxy/myproxy-server.config
2044                        $GLOBUS_LOCATION/etc</FONT></P>
2045                        <P CLASS="western" ALIGN=LEFT><BR>
2046                        </P>
2047                </TD>
2048        </TR>
2049</TABLE>
2050<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
2051</P>
2052<P CLASS="western" ALIGN=JUSTIFY>As the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">globus</FONT>
2053user edit <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$GLOBUS_LOCATION/etc/myproxy-server.config</FONT></P>
<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm">Modify the
entries under the section <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Complete
Sample Policy</SPAN></FONT> so that they are all uncommented (remove
leading <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">#
</SPAN></FONT>character).  Note that this is the most permissive
policy the sample file offers &ndash; the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">accepted_credentials</SPAN></FONT>,
<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">authorized_*</SPAN></FONT>
and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">default_retrievers</SPAN></FONT>
entries are all set to <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">&quot;*&quot;</SPAN></FONT>
&ndash; and is intended for initial testing; restrict it before the
server is exposed to real users (see the note following the listing):</P>
2059<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
2060</P>
2061<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2062        <COL WIDTH=610>
2063        <TR>
2064                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
2065                        <P STYLE="margin-bottom: 0cm"><BR>
2066                        </P>
2067                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#</FONT></P>
2068                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#
2069                        Complete Sample Policy</FONT></P>
2070                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#</FONT></P>
2071                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#
2072                        The following lines define a sample policy that enables all</FONT></P>
2073                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#
2074                        myproxy-server features.  See below for more examples.</FONT></P>
2075                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">accepted_credentials
2076                         &quot;*&quot;</FONT></P>
2077                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">authorized_retrievers
2078                        &quot;*&quot;</FONT></P>
2079                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">default_retrievers
2080                           &quot;*&quot;</FONT></P>
2081                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">authorized_renewers
2082                          &quot;*&quot;</FONT></P>
2083                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">default_renewers
2084                             &quot;none&quot;</FONT></P>
2085                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">authorized_key_retrievers
2086                        &quot;*&quot;</FONT></P>
2087                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">default_key_retrievers
2088                        &quot;none&quot;</FONT></P>
2089                        <P><BR>
2090                        </P>
2091                </TD>
2092        </TR>
2093</TABLE>
2094<P CLASS="western" ALIGN=LEFT><BR><BR>
2095</P>
<P CLASS="western" ALIGN=LEFT>Note that a bare <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">&quot;*&quot;</SPAN></FONT>
in these fields matches any Distinguished Name from any CA the server
trusts.  For a production server, restrict each field to the DN
namespace actually issued by the NDG CA, e.g.
<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">&quot;/O=NDG/OU=BADC/*&quot;</SPAN></FONT>,
and leave <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">default_renewers</SPAN></FONT>
and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">default_key_retrievers</SPAN></FONT>
at <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">&quot;none&quot;</SPAN></FONT>
unless credential renewal or private-key retrieval is actually
required by your deployment.</P>
2099<H3 CLASS="western"><A NAME="4.6.7.Repository Directory|outline"></A>4.6.7Repository
2100Directory</H3>
2101<P CLASS="western" ALIGN=LEFT>A directory needs to be specified on
2102the file system to store the user credentials generated by MyProxy.
2103This should be owned by the account that runs <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy-server</SPAN></FONT>.
2104 In the examples given this would be the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB"><FONT SIZE=2 STYLE="font-size: 9pt">globus</FONT></SPAN></FONT>
2105user and the expected location, <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$GLOBUS_LOCATION/var</SPAN></FONT>.
2106  See section 2.3.2 <I>MyProxy user account and repository location</I>.</P>
2107<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm">Login as the
2108<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">globus</SPAN></FONT>
2109user and change directory to the location for the repository:</P>
2110<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
2111</P>
2112<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2113        <COL WIDTH=610>
2114        <TR>
2115                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
2116                        <P STYLE="margin-bottom: 0cm"><BR>
2117                        </P>
2118                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
2119                        cd $GLOBUS_LOCATION/var</FONT></P>
2120                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
2121                        mkdir myproxy</FONT></P>
2122                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
2123                        chmod 700 myproxy</FONT></P>
2124                        <P><BR>
2125                        </P>
2126                </TD>
2127        </TR>
2128</TABLE>
2129<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
2130</P>
<P CLASS="western" ALIGN=JUSTIFY>The <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">chmod
</SPAN></FONT>command ensures that only the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">globus</SPAN></FONT>
user has read, write and search access to the directory.  This
matters because the repository holds users' stored credentials: it
must not be readable by any other account, and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy-server</SPAN></FONT>
must therefore run as the directory's owner.  Note also that the
directory need not be called <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy</SPAN></FONT>.</P>
2135<H3 CLASS="western"><A NAME="4.6.8.Adding MyProxy Server to the system start up|outline"></A>
21364.6.8Adding MyProxy Server to the system start up</H3>
2137<P CLASS="western" ALIGN=JUSTIFY>Any of the standard mechanisms may
2138be used such as adding a SysV style init script or using <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">inetd</SPAN></FONT>
2139or <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">xinetd</SPAN></FONT>.
2140 <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">inetd</SPAN></FONT>/<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">xinetd</SPAN></FONT>
2141are preferred:</P>
2142<UL>
2143        <LI><P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy-server</SPAN></FONT>
2144        process will not show on <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ps</SPAN></FONT>
2145        command listing
2146        </P>
2147        <LI><P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm">It’s
2148        more efficient since it’s only invoked when a request from a
2149        MyProxy client is received.</P>
2150        <LI><P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm">It’s
2151        easy to configure so that <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy-server</SPAN></FONT>
2152        runs as an alternative user to <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">root</SPAN></FONT>.</P>
2153</UL>
2154<P CLASS="western" ALIGN=JUSTIFY STYLE="margin-left: 0.63cm; margin-bottom: 0cm">
2155<BR>
2156</P>
2157<H4 CLASS="western"><A NAME="_Ref143089522"></A>4.6.8.1inetd / xinetd</H4>
2158<P CLASS="western" ALIGN=LEFT>To run the myproxy server using <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">inetd
2159</SPAN></FONT>or <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">xinetd</SPAN></FONT>,
2160as root user:
2161</P>
2162<UL>
2163        <LI><P CLASS="western" ALIGN=LEFT>Add the entries in
2164        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$GLOBUS_LOCATION/share/myproxy/etc.services.modifications</SPAN></FONT>
2165        to the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/etc/services</SPAN></FONT>
2166        or <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/etc/inet/services</SPAN></FONT>
2167        file:
2168        </P>
2169</UL>
2170<DL>
2171        <DD>
2172        <TABLE WIDTH=574 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2173                <COL WIDTH=558>
2174                <TR>
2175                        <TD WIDTH=558 VALIGN=TOP BGCOLOR="#e0e0e0">
2176                                <P STYLE="margin-bottom: 0cm"><BR>
2177                                </P>
2178                                <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">myproxy-server
2179                                 7512/tcp                        # Myproxy server</FONT></P>
2180                                <P><BR>
2181                                </P>
2182                        </TD>
2183                </TR>
2184        </TABLE>
2185</DL>
2186<P CLASS="western" ALIGN=LEFT STYLE="margin-left: 0.64cm"><BR><BR>
2187</P>
2188<UL>
2189        <LI><P CLASS="western" ALIGN=LEFT>Add the entries from
2190        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$GLOBUS_LOCATION/share/myproxy/etc.inetd.conf.modifications</SPAN></FONT></P>
2191        <UL>
2192                <LI><P CLASS="western" ALIGN=LEFT>For inetd add to <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/etc/inetd.conf
2193                </SPAN></FONT>or <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/etc/inet/inetd.conf</SPAN></FONT>,
2194                or 
</P>
2195                <LI><P CLASS="western" ALIGN=LEFT>for <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">xinetd</SPAN></FONT>,
2196                copy <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$GLOBUS_LOCATION/share/myproxy/etc.xinetd.myproxy</SPAN></FONT>
2197                to <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/etc/xinetd.d/myproxy</SPAN></FONT>.
2198                Modify the paths in the file according to your installation and set
2199                the user to the correct user name for running <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy-server</SPAN></FONT>
2200                e.g.</P>
2201        </UL>
2202</UL>
2203<DL>
2204        <DD>
2205        <TABLE WIDTH=574 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2206                <COL WIDTH=558>
2207                <TR>
2208                        <TD WIDTH=558 VALIGN=TOP BGCOLOR="#e0e0e0">
2209                                <P STYLE="margin-bottom: 0cm"><BR>
2210                                </P>
2211                                <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">service
2212                                myproxy-server</FONT></FONT></P>
2213                                <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">{</FONT></FONT></P>
2214                                <P STYLE="margin-bottom: 0cm">  <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">socket_type
2215                                 = stream</FONT></FONT></P>
2216                                <P STYLE="margin-bottom: 0cm">  <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><SPAN LANG="pt-PT">protocol
2217                                    = tcp</SPAN></FONT></FONT></P>
2218                                <P LANG="pt-PT" STYLE="margin-bottom: 0cm">  <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">wait
2219                                        = no</FONT></FONT></P>
2220                                <P LANG="pt-PT" STYLE="margin-bottom: 0cm">  <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">user
2221                                        = globus</FONT></FONT></P>
2222                                <P LANG="pt-PT" STYLE="margin-bottom: 0cm">  <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">server
2223                                      = /usr/local/NDG/globus-4.0.1/sbin/myproxy-server</FONT></FONT></P>
2224                                <P LANG="pt-PT" STYLE="margin-bottom: 0cm">  <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">env   
2225                                        = GLOBUS_LOCATION=/usr/local/NDG/globus-4.0.1
2226                                LD_LIBRARY_PATH=/usr/local/NDG/globus-4.0.1/lib</FONT></FONT></P>
2227                                <P STYLE="margin-bottom: 0cm">  <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">disable
2228                                     = no</FONT></FONT></P>
2229                                <P STYLE="margin-bottom: 0cm">  <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">only_from
2230                                   = localhost.localdomain &lt;hostAddress1&gt; &lt;hostAddress2&gt;</FONT></FONT></P>
2231                                <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">}</FONT></FONT></P>
2232                        </TD>
2233                </TR>
2234        </TABLE>
2235</DL>
2236<P STYLE="margin-bottom: 0cm"><BR>
2237</P>
2238<UL>
        <LI><P CLASS="western" ALIGN=LEFT>Note also, the additional setting
        in this example for <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">only_from</SPAN></FONT>.
         This limits which hosts clients can connect from
        to the server.  In the above, clients can connect from the local
        machine (note the fully qualified name including <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">localdomain</SPAN></FONT>)
        and from the hosts <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">&lt;hostAddress1&gt;
        </SPAN></FONT>and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">&lt;hostAddress2&gt;</SPAN></FONT>.
        Prefer IP addresses or address ranges to host names here, since
        name-based entries depend on DNS resolution.  This is a
        network-level restriction only; it complements, but does not
        replace, the Distinguished Name policy set in
        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy-server.config</SPAN></FONT>.</P>
2246        <LI><P CLASS="western" ALIGN=LEFT>Reactivate the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">inetd</SPAN></FONT>
2247        / <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">xinetd</SPAN></FONT>.
2248        This is typically accomplished by sending the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">SIGHUP</SPAN></FONT>
2249        signal to the server process.  Redhat Linux machines include the GUI
2250        tool <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">redhat-config-services</SPAN></FONT>
2251        to allow convenient management of services.  Refer to the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">inetd</SPAN></FONT>
2252        or <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">xinetd</SPAN></FONT>
2253        man page for your system.</P>
2254</UL>
2255<H4 CLASS="western">4.6.8.2SysV-style boot script
2256</H4>
<P CLASS="western" ALIGN=LEFT>A sample SysV-style boot script is
available in the Globus installation at
<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$GLOBUS_LOCATION/share/myproxy/etc.init.d.myproxy</SPAN></FONT>.
</P>
2261<P CLASS="western" ALIGN=LEFT>To install:
2262</P>
2263<TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2264        <COL WIDTH=602>
2265        <TR>
2266                <TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0">
2267                        <P STYLE="margin-bottom: 0cm"><BR>
2268                        </P>
2269                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
2270                        cp <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$GLOBUS_LOCATION/share/myproxy/etc.init.d.myproxy
2271                        /etc/rc.d/init.d/myproxy</SPAN></FONT></FONT></P>
2272                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$
2273                        chkconfig --add myproxy</SPAN></FONT></FONT></P>
2274                        <P><BR>
2275                        </P>
2276                </TD>
2277        </TR>
2278</TABLE>
2279<P CLASS="western" ALIGN=LEFT><BR><BR>
2280</P>
2281<P CLASS="western" ALIGN=LEFT>Edit the file to set the
2282<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">GLOBUS_LOCATION
2283</SPAN></FONT>environment variable correctly. 
2284</P>
2285<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
2286</P>
2287<H1 CLASS="western"><A NAME="5.Appendices|outline"></A>5.Appendices</H1>
2288<H2 CLASS="western"><A NAME="_Ref133718491"></A><A NAME="5.1.MySQL Installation|outline"></A>
22895.1MySQL Installation</H2>
2290<P CLASS="western" ALIGN=JUSTIFY>MySQL is required for the Credential
2291Repository used by the SessionManager to stored user credentials as
2292cached in their Credential Wallet held in their session.</P>
2293<P CLASS="western" ALIGN=JUSTIFY>This section describes how to make
2294an installation from the MySQL binary package tarball.   System
2295administrators may wish to use an existing installation of MySQL or
2296use an alternative installation method such as rpm.  Installing from
2297the binary package has the advantage that it doesn’t interfere with
2298any existing MySQL installation on the target machine.   The
2299instructions are adapted from the file <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">INSTALL-BINARY</SPAN></FONT>
2300provided in the tarball.</P>
2301<H3 CLASS="western"><A NAME="5.1.1.Version|outline"></A>5.1.1Version</H3>
2302<P CLASS="western" ALIGN=LEFT>Version 3.23 or later is recommended.
2303These instructions are for version 5.0.20a, the latest stable release
2304at time of writing.</P>
2305<H3 CLASS="western"><A NAME="5.1.2.Getting the Binaries|outline"></A>5.1.2Getting
2306the Binaries</H3>
<P CLASS="western" ALIGN=LEFT>The package can be obtained from the
MySQL web site (<FONT COLOR="#0000ff"><U><A HREF="http://dev.mysql.com/downloads/mysql/5.0.html">http://dev.mysql.com/downloads/mysql/5.0.html</A></U></FONT>).
 Scroll to the correct version - Linux (non RPM, Intel C/C++
compiled, glibc-X.X) downloads.  The version of glibc on the target
machine can be checked with the following command, run on that
machine:</P>
2312<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2313        <COL WIDTH=605>
2314        <TR>
2315                <TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
2316                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><BR>$
2317                        ls /lib/libc-*</FONT></P>
2318                </TD>
2319        </TR>
2320</TABLE>
2321<P CLASS="western" ALIGN=LEFT><BR><BR>
2322</P>
2323<H3 CLASS="western"><A NAME="5.1.3.New mysql User Account|outline"></A>
23245.1.3New <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB"><I>mysql</I></SPAN></FONT>
2325User Account</H3>
2326<P CLASS="western" ALIGN=JUSTIFY>Make a new account to run MySQL if
2327it doesn’t already exist:</P>
2328<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2329        <COL WIDTH=605>
2330        <TR>
2331                <TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
2332                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><BR>$
2333                        groupadd mysql<BR>$ useradd -g mysql mysql</FONT></P>
2334                </TD>
2335        </TR>
2336</TABLE>
2337<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
2338</P>
2339<H3 CLASS="western"><A NAME="5.1.4.Unpacking the tarball|outline"></A>
23405.1.4Unpacking the tarball</H3>
2341<P CLASS="western" ALIGN=LEFT>As root copy the tarball to the target
2342directory for installation e.g. /usr/local, unpack the file:</P>
2343<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2344        <COL WIDTH=605>
2345        <TR>
2346                <TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
2347                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><BR>$
2348                        cd /usr/local<BR>$ tar zxvf
2349                        mysql-standard-5.0.20a-linux-i686-icc-glibc23.tar.gz</FONT></P>
2350                </TD>
2351        </TR>
2352</TABLE>
2353<P CLASS="western" ALIGN=LEFT><BR><BR>
2354</P>
2355<P CLASS="western" ALIGN=LEFT>Make a symbolic link to the new
2356directory and ‘<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">cd</SPAN></FONT>’
2357to it:
2358</P>
2359<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2360        <COL WIDTH=605>
2361        <TR>
2362                <TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
2363                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><BR>$
2364                        ln -s /usr/local/mysql-standard-5.0.20a-linux-i686-icc-glibc23
2365                        mysql<BR>$ cd mysql</FONT></P>
2366                </TD>
2367        </TR>
2368</TABLE>
2369<P CLASS="western" ALIGN=LEFT><BR><BR>
2370</P>
2371<P CLASS="western" ALIGN=LEFT>The <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">bin</SPAN></FONT>
2372directory contains client programs and the server.  You should add
2373the full pathname of this directory to your <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">PATH</SPAN></FONT>
2374environment variable so that your shell finds the MySQL programs
2375properly.
2376</P>
2377<H3 CLASS="western"><A NAME="5.1.5.Configuration File|outline"></A>5.1.5Configuration
2378File</H3>
2379<P CLASS="western" ALIGN=JUSTIFY>Create a configuration file called
2380<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">my.cnf</SPAN></FONT>
2381in the target directory (<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/usr/local/mysql</SPAN></FONT>
2382in this example) to enable custom settings to be made for this
2383installation.  Note that if there is an existing installation of
2384MySQL, there may be settings existing settings in a file <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/etc/my.cnf</SPAN></FONT>.
2385 To use the settings from this file, <I>ignore</I> this step.</P>
2386<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2387        <COL WIDTH=605>
2388        <TR>
2389                <TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
2390                        <P STYLE="margin-bottom: 0cm"><BR>
2391                        </P>
2392                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">[mysqld]</FONT></P>
2393                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">datadir=/usr/local/mysql-standard-5.0.20a-linux-i686-icc-glibc23/data</FONT></P>
2394                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">socket=/tmp/mysql.sock</FONT></P>
2395                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#
2396                        Default to using old password format for compatibility with mysql
2397                        3.x</FONT></P>
2398                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#
2399                        clients (those using the mysqlclient10 compatibility package).</FONT></P>
2400                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">old_passwords=1</FONT></P>
2401                        <P STYLE="margin-bottom: 0cm"><BR>
2402                        </P>
2403                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">[mysql.server]</FONT></P>
2404                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">user=mysql</FONT></P>
2405                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">basedir=/usr/local/mysql-standard-5.0.20a-linux-i686-icc-glibc23</FONT></P>
2406                        <P STYLE="margin-bottom: 0cm"><BR>
2407                        </P>
2408                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">[mysqld_safe]</FONT></P>
2409                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">err-log=/var/log/mysqld.log</FONT></P>
2410                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">pid-file=/tmp/mysql.pid</FONT></P>
2411                        <P><BR>
2412                        </P>
2413                </TD>
2414        </TR>
2415</TABLE>
2416<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
2417</P>
<P CLASS="western" ALIGN=JUSTIFY>The settings above will mean that
MySQL’s tables and the Credential Repository database will be
stored under <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/usr/local/mysql/data</SPAN></FONT>.
Note that <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">old_passwords=1</SPAN></FONT>
selects the pre-4.1 password hashing format, which is considerably
weaker than the current one; include it only if you genuinely have
legacy 3.x clients that require it, and otherwise omit that line.</P>
2421<H3 CLASS="western"><A NAME="5.1.6.Create the Grant Tables|outline"></A>
24225.1.6Create the Grant Tables</H3>
2423<P CLASS="western" ALIGN=LEFT>The <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">scripts</SPAN></FONT>
2424directory contains the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">mysql_install_db</SPAN></FONT>
2425script used to initialize the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">mysql</SPAN></FONT>
2426database containing the grant tables that store the server access
2427permissions.  If you have not installed MySQL before, you must create
2428the MySQL grant tables:</P>
2429<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2430        <COL WIDTH=605>
2431        <TR>
2432                <TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
2433                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><BR>$
2434                        scripts/mysql_install_db --user=mysql</FONT></P>
2435                </TD>
2436        </TR>
2437</TABLE>
2438<P CLASS="western" ALIGN=LEFT><BR><BR>
2439</P>
<P CLASS="western" ALIGN=LEFT>If you run the command as <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">root</SPAN></FONT>,
you must use the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">--user</SPAN></FONT>
option as shown. The value of the option should be the name of the
login account that you created in the first step to use for running
the server. If you run the command while logged in as that user, you
can omit the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">--user</SPAN></FONT>
option.  After creating or updating the grant
tables, you need to restart the server manually.</P>
2447<H3 CLASS="western"><A NAME="5.1.7.File and Directory Permissions|outline"></A>
24485.1.7File and Directory Permissions</H3>
2449<P CLASS="western" ALIGN=LEFT>Change the ownership of program
2450binaries to <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">root</SPAN></FONT>
2451and ownership of the data directory <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">mysql</SPAN></FONT>.
2452   Assuming that you are located in the installation directory
2453(<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/usr/local/mysql</SPAN></FONT>),
2454the commands look like this:</P>
2455<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2456        <COL WIDTH=605>
2457        <TR>
2458                <TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
2459                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><BR>$
2460                        chown -R root  .<BR>$ chown -R mysql data<BR>$ chgrp -R mysql .</FONT></P>
2461                </TD>
2462        </TR>
2463</TABLE>
2464<P CLASS="western" ALIGN=LEFT><BR><BR>
2465</P>
2466<P CLASS="western" ALIGN=LEFT>The first command changes the owner
2467attribute of the files to the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">root</SPAN></FONT>
2468user. The second changes the owner attribute of the data directory to
2469the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">mysql</SPAN></FONT>
2470user. The third changes the group attribute to the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">mysql</SPAN></FONT>
2471group.</P>
2472<H3 CLASS="western"><A NAME="5.1.8.Starting the Server|outline"></A>5.1.8Starting
2473the Server</H3>
2474<P CLASS="western" ALIGN=LEFT>If you want MySQL to start
2475automatically when you boot your machine, you can copy
2476<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">support-files/mysql.server</SPAN></FONT>
2477to the location where your system has its startup files. More
2478information can be found in the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">support-files/mysql.server</SPAN></FONT>
2479script itself.</P>
2480<P CLASS="western" ALIGN=LEFT>To start the MySQL server, use the
2481following command:</P>
2482<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2483        <COL WIDTH=605>
2484        <TR>
2485                <TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
2486                        <P><BR><BR>
2487                        </P>
2488                        <P LANG="nb-NO"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
2489                        bin/mysqld_safe --user=mysql &amp;</FONT></P>
2490                </TD>
2491        </TR>
2492</TABLE>
2493<P LANG="nb-NO" CLASS="western" ALIGN=LEFT><BR><BR>
2494</P>
2495<P CLASS="western" ALIGN=LEFT>If that command fails immediately and
2496prints <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">mysqld
2497ended</SPAN></FONT>, you can find some information in the
2498&lt;hostname&gt;<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">.err</SPAN></FONT>
2499file in the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">data</SPAN></FONT>
2500directory.</P>
2501<H3 CLASS="western"><A NAME="_Ref133893123"></A><A NAME="5.1.9.Securing MySQL Accounts|outline"></A>
25025.1.9 Securing MySQL Accounts</H3>
2503<P CLASS="western" ALIGN=JUSTIFY>To delete the anonymous accounts:</P>
2504<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2505        <COL WIDTH=605>
2506        <TR>
2507                <TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
2508                        <P STYLE="margin-bottom: 0cm"><BR>
2509                        </P>
2510                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
2511                        mysql -u root</FONT></P>
2512                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">mysql&gt;
2513                        DELETE FROM mysql.user WHERE User = '';</FONT></P>
2514                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">mysql&gt;
2515                        FLUSH PRIVILEGES;</FONT></P>
2516                        <P><BR>
2517                        </P>
2518                </TD>
2519        </TR>
2520</TABLE>
2521<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
2522</P>
2523<P CLASS="western" ALIGN=JUSTIFY>Set the password for the root
2524account, replacing <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">newpwd</SPAN></FONT>
in the statements below with a strong password of your own:</P>
2525<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2526        <COL WIDTH=605>
2527        <TR>
2528                <TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
2529                        <P STYLE="margin-bottom: 0cm"><BR>
2530                        </P>
2531                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">mysql&gt;
2532                        SET PASSWORD FOR 'root'@'localhost' = PASSWORD('newpwd');</FONT></P>
2533                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">mysql&gt;
2534                        SET PASSWORD FOR 'root'@'<I>hostname</I>' = PASSWORD('newpwd');</FONT></P>
2535                        <P><BR>
2536                        </P>
2537                </TD>
2538        </TR>
2539</TABLE>
2540<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
2541</P>
2542<P CLASS="western" ALIGN=JUSTIFY>The hostname can be checked using
2543the query:</P>
2544<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2545        <COL WIDTH=605>
2546        <TR>
2547                <TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
2548                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><BR>mysql&gt;
2549                        SELECT Host, User FROM mysql.user;</FONT></P>
2550                </TD>
2551        </TR>
2552</TABLE>
2553<P CLASS="western" ALIGN=LEFT><BR><BR>
2554</P>
2555<P CLASS="western" ALIGN=LEFT>Add a new account for use with the
2556Credential Repository database, e.g.:</P>
2557<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2558        <COL WIDTH=605>
2559        <TR>
2560                <TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
2561                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><BR>mysql&gt;
2562                        GRANT SELECT, UPDATE, INSERT, DELETE ON ndgCredRepos.* TO
2563                        'ndgUser'@'localhost' IDENTIFIED BY 'password' WITH GRANT OPTION;</FONT></P>
2564                </TD>
2565        </TR>
2566</TABLE>
2567<P CLASS="western" ALIGN=LEFT><BR>The above statement grants the
2568user <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndgUser</SPAN></FONT>,
2569with password <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">password</SPAN></FONT>, the
2570<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">select</SPAN></FONT>,
2571<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">update</SPAN></FONT>,
2572<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">insert</SPAN></FONT>
and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">delete</SPAN></FONT>
2573privileges on the tables of database <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndgCredRepos</SPAN></FONT>.
 The <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">WITH GRANT OPTION</SPAN></FONT>
clause additionally lets the account pass these privileges on to other accounts; omit it unless that is required.
2574 The user may only connect from <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">localhost</SPAN></FONT>.
2575 Hence, in this case the Session Manager and Credential Repository
2576must be installed on the same machine.  To allow the Credential
2577Repository to run on a separate machine to the Session Manager, the
2578account must have permission to connect remotely.  This can be
2579achieved by altering the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">GRANT</SPAN></FONT>
2580statement above as shown below.  Note that <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">'%'</SPAN></FONT>
matches any host; where the host that the Session Manager connects from is known, use its hostname in place of
<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">'%'</SPAN></FONT> to restrict the account:</P>
2581<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2582        <COL WIDTH=605>
2583        <TR>
2584                <TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
2585                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><BR>mysql&gt;
2586                        GRANT SELECT, UPDATE, INSERT, DELETE ON ndgCredRepos.* TO
2587                        'ndgUser'@'%' IDENTIFIED BY 'password' WITH GRANT OPTION;</FONT></P>
2588                </TD>
2589        </TR>
2590</TABLE>
2591<P CLASS="western" ALIGN=LEFT><BR><BR>
2592</P>
2593<P CLASS="western" ALIGN=LEFT>You can also set up new accounts using
2594the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">bin/mysql_setpermission</SPAN></FONT>
2595script if you install the 'DBI' and 'DBD::mysql' Perl modules.</P>
2596<P CLASS="western" ALIGN=LEFT>See section 4.3.1 for details about
2597creation of the Credential Repository database.</P>
2598<H3 CLASS="western"><A NAME="5.1.10.Server Automated Start up|outline"></A>
25995.1.10 Server Automated Start-up</H3>
2600<P CLASS="western" ALIGN=JUSTIFY>&lt;todo: &gt;</P>
2601<P CLASS="western" ALIGN=LEFT><BR><BR>
2602</P>
2603<H2 CLASS="western"><A NAME="5.2.HTTPS set-up with Apache Web Server|outline"></A>
26045.2 HTTPS set-up with Apache Web Server</H2>
2605<P CLASS="western" ALIGN=JUSTIFY>NDG security requires HTTPS for the
2606transfer of user credentials across cookie domains between a data
2607provider web page requesting user credentials and a user’s NDG home
2608login page.</P>
2609<P CLASS="western" ALIGN=JUSTIFY>&lt;todo: full explanation - incl.
2610mod_ssl must be installed&gt;</P>
2611<H3 CLASS="western"><A NAME="5.2.1.Web Server Host Certificate Generation|outline"></A>
26125.2.1 Web Server Host Certificate Generation</H3>
2613<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2614        <COL WIDTH=605>
2615        <TR>
2616                <TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
2617                        <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
2618                        </P>
2619                        <P STYLE="margin-bottom: 0cm"><A NAME="OLE_LINK1"></A><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
2620                        grid-cert-request -prefix <I>&lt;hostname&gt;</I> -dir . -cn
2621                        <I>&lt;hostname&gt;</I> -nopw </FONT>
2622                        </P>
2623                        <P><BR>
2624                        </P>
2625                </TD>
2626        </TR>
2627</TABLE>
2628<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
2629</P>
2630<H3 CLASS="western"><A NAME="5.2.2.Apache Configuration File Settings|outline"></A>
26315.2.2 Apache Configuration File Settings</H3>
2632<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
2633</P>
2634<H2 CLASS="western"><A NAME="_Ref132181551"></A><A NAME="5.3.Apache Web Server Proxy Settings Configuration for Web Services|outline"></A>
26355.3 Apache Web Server Proxy Settings Configuration for Web Services</H2>
2636<P CLASS="western" ALIGN=JUSTIFY>Apache provides a convenient
2637mechanism to re-route web service ports through port 80 and so make
2638them available to the outside world.   This may be helpful if, when
2639deploying NDG Security, you do not wish to open additional ports in
2640your site firewall settings.  Where the proxied service carries user
credentials (the Session Manager in the example below is itself served
over HTTPS), place the proxy entries in the HTTPS virtual host rather
than the plain port 80 one, so that the traffic between the client and
the web server is not exposed in clear.</P>
2641<P CLASS="western" ALIGN=JUSTIFY>Edit the Apache configuration file.
2642This should be located in <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/etc/httpd/conf</SPAN></FONT>.</P>
2643<P CLASS="western" ALIGN=JUSTIFY>Add <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ProxyPass</SPAN></FONT>
2644and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ProxyPassReverse</SPAN></FONT>
2645entries for the Session Manager and Attribute Authority web services.
2646  The first argument after the directive name itself is the directory
2647that the service will be served from relative to the web server URL.
2648So below, if the URL of the web server is <FONT COLOR="#0000ff"><U><A HREF="http://www.badc.rl.ac.uk/">http://www.badc.rl.ac.uk</A></U></FONT>,
2649then the Session Manager would be available at
2650<FONT COLOR="#0000ff"><U><A HREF="https://www.badc.rl.ac.uk/sessionMgr">https://www.badc.rl.ac.uk/sessionMgr</A></U></FONT>.
2651 The second argument is the actual location where the web service is
2652running locally.  In the example below, the Session Manager is
2653running on port 5700 on the same machine as the web server.</P>
2654<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2655        <COL WIDTH=605>
2656        <TR>
2657                <TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
2658                        <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
2659                        </P>
2660                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#
2661                        Session Manager and Attribute Authority settings</FONT></P>
2662                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">ProxyPass
2663                               /sessionMgr    https://localhost:5700/</FONT></P>
2664                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">ProxyPassReverse
2665                        /sessionMgr    https://localhost:5700/</FONT></P>
2666                        <P STYLE="margin-bottom: 0cm"><BR>
2667                        </P>
2668                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">ProxyPass
2669                               /attAuthority  http://localhost:5000/</FONT></P>
2670                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">ProxyPassReverse
2671                        /attAuthority  http://localhost:5000/</FONT></P>
2672                        <P CLASS="western" ALIGN=LEFT><BR>
2673                        </P>
2674                </TD>
2675        </TR>
2676</TABLE>
2677<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
2678</P>
2679<P CLASS="western" ALIGN=JUSTIFY>Restart the Apache web server.  This
2680can be done in a variety of ways.  As root user:</P>
2681<OL>
2682        <LI><P CLASS="western" ALIGN=LEFT>On Redhat machines, using the
2683        command <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">redhat-config-services</SPAN></FONT>
2684        or <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">system-config-services</SPAN></FONT>.
2685         In the GUI, click on httpd in the list and press the Restart button.</P>
2686</OL>
2687<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2688        <COL WIDTH=605>
2689        <TR>
2690                <TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
2691                        <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
2692                        </P>
2693                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
2694                        redhat-config-services</FONT></P>
2695                        <P CLASS="western" ALIGN=LEFT><BR>
2696                        </P>
2697                </TD>
2698        </TR>
2699</TABLE>
2700<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
2701</P>
2702<OL START=2>
2703        <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">service
2704        </SPAN></FONT>command</P>
2705</OL>
2706<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2707        <COL WIDTH=605>
2708        <TR>
2709                <TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
2710                        <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
2711                        </P>
2712                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
2713                        /sbin/service httpd restart</FONT></P>
2714                        <P CLASS="western" ALIGN=LEFT><BR>
2715                        </P>
2716                </TD>
2717        </TR>
2718</TABLE>
2719<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
2720</P>
2721<OL START=3>
2722        <LI><P CLASS="western" ALIGN=JUSTIFY>apache command</P>
2723</OL>
2724<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2725        <COL WIDTH=605>
2726        <TR>
2727                <TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
2728                        <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
2729                        </P>
2730                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
2731                        apachectl restart</FONT></P>
2732                        <P CLASS="western" ALIGN=LEFT><BR>
2733                        </P>
2734                </TD>
2735        </TR>
2736</TABLE>
2737<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
2738</P>
2739<OL START=4>
2740        <LI><P CLASS="western" ALIGN=JUSTIFY>Using <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB"><FONT SIZE=2 STYLE="font-size: 9pt">kill</FONT></SPAN></FONT></P>
2741</OL>
2742<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2743        <COL WIDTH=605>
2744        <TR>
2745                <TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
2746                        <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
2747                        </P>
2748                        <P LANG="sv-SE" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
2749                        kill -HUP `cat /etc/httpd/run/httpd.pid`</FONT></P>
2750                        <P LANG="sv-SE" CLASS="western" ALIGN=LEFT><BR>
2751                        </P>
2752                </TD>
2753        </TR>
2754</TABLE>
2755<P LANG="sv-SE" CLASS="western" ALIGN=JUSTIFY STYLE="margin-left: 0.64cm">
2756<BR><BR>
2757</P>
2758<P CLASS="western" ALIGN=JUSTIFY>Note in the last case that the
2759location of the pid file will depend on your installation.</P>
2760<P CLASS="western" ALIGN=JUSTIFY>Once the changes have been made,
2761ensure that <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">sessionMgr.wsdl</SPAN></FONT>
2762and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">attAuthority.wsdl</SPAN></FONT>
2763contain the new locations for the web services in the tag
2764<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">&lt;soap:address
2765location=&quot;...&quot;&gt;</SPAN></FONT>.
2766</P>
2767<H2 CLASS="western"><A NAME="5.4.An Example Attribute Authority AAUserRoles interface class|outline"></A>
27685.4 An Example Attribute Authority AAUserRoles interface class</H2>
2769<P CLASS="western" ALIGN=JUSTIFY>This
2770interface is required in order to link the Attribute Authority to the
2771data centre’s system for identifying registered users and managing
2772their roles.  The installation comes with a simple test class which
2773illustrates this.  See <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndg.security.server.conf.userRoles</SPAN></FONT>.</P>
2774<P CLASS="western" ALIGN=JUSTIFY>The class must inherit from the
2775<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">AAUserRoles</SPAN></FONT>
2776interface class.  It must override the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">userIsRegistered</SPAN></FONT>
2777and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">getRoles</SPAN></FONT>
2778methods:</P>
2779<UL>
2780        <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">userIsRegistered()</SPAN></FONT>
2781        – returns True if the user with the given input Distinguished Name
2782        is registered at the site.  This method might contain an SQL query
2783        to the site’s user database for example.  This method is <I>optional
2784        </I><SPAN STYLE="font-style: normal">and is not part of the API to
2785        the Attribute Authority.</SPAN></P>
2786        <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">getRoles()</SPAN></FONT>
2787        – returns a list of roles to which the user with the given input
2788        Distinguished Name is enrolled.  Again, this method could be
2789        implemented with an SQL query to retrieve the roles for a given
2790        user.  Note that if no roles are found, the method should return
2791        [].</P>
2792        <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">__init__()</SPAN></FONT>
2793        – optionally, the initialisation method may be overridden to
2794        enable, for example, the setting up of a database connection.   The
2795        path to a properties file may be passed in.  This could contain
2796        database connection settings.</P>
2797</UL>
2798<P CLASS="western" ALIGN=JUSTIFY>The custom module used by the BODC is
2799a more detailed example.  Note that the first class in the listing,
<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">TestUserRoles</SPAN></FONT>,
is marked in its own docstring as not for use on a production system:
its <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">getRoles</SPAN></FONT>
returns role attributes regardless of the user Id, so a site must
supply its own implementation that looks the roles up for the given
Distinguished Name:</P>
2800<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0 STYLE="page-break-before: auto">
2801        <COL WIDTH=610>
2802        <TR>
2803                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
2804                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>&quot;&quot;&quot;NDG
2805                        Attribute Authority User Roles class - acts as an interface
2806                        between</FONT></FONT></P>
2807                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>the
2808                        data centre's user roles configuration and the Attribute Authority</FONT></FONT></P>
2809                        <P STYLE="margin-bottom: 0cm; background: transparent"><BR>
2810                        </P>
2811                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>BODC
2812                        User Roles Interface to Oracle database</FONT></FONT></P>
2813                        <P STYLE="margin-bottom: 0cm; background: transparent"><BR>
2814                        </P>
2815                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>@author:
2816                        P J Kershaw 09/08/07</FONT></FONT></P>
2817                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>@copyright:
2818                        (C) 2007 STFC &amp; NERC</FONT></FONT></P>
2819                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>@licence:
2820                        This software may be distributed under the terms of the Q Public</FONT></FONT></P>
2821                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>License,
2822                        version 1.0 or later.</FONT></FONT></P>
2823                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>&quot;&quot;&quot;</FONT></FONT></P>
2824                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#000000">__revision__
2825                        = </FONT><I><FONT COLOR="#00aa00">'$Id:$'</FONT></I></FONT></FONT></P>
2826                        <P STYLE="margin-bottom: 0cm; background: transparent"><BR>
2827                        </P>
2828                        <P STYLE="margin-bottom: 0cm; background: transparent"><BR>
2829                        </P>
2830                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">from</FONT><FONT COLOR="#000000">
2831                        ConfigParser </FONT><FONT COLOR="#0000ff">import</FONT><FONT COLOR="#000000">
2832                        SafeConfigParser</FONT></FONT></FONT></P>
2833                        <P STYLE="margin-bottom: 0cm; background: transparent"><BR>
2834                        </P>
2835                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>#
2836                        Use a conditional import here because if the TestUserRoles class
2837                        is used,</FONT></FONT></P>
2838                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>#
2839                        cx_Oracle is not required</FONT></FONT></P>
2840                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">try</FONT><FONT COLOR="#000000">:</FONT></FONT></FONT></P>
2841                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
2842                           </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">import</FONT><FONT COLOR="#000000">
2843                        cx_Oracle</FONT></FONT></FONT></P>
2844                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">except</FONT><FONT COLOR="#000000">
2845                        ImportError, e:</FONT></FONT></FONT></P>
2846                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
2847                           </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">from</FONT><FONT COLOR="#000000">
2848                        warnings </FONT><FONT COLOR="#0000ff">import</FONT><FONT COLOR="#000000">
2849                        warn</FONT></FONT></FONT></P>
2850                        <P STYLE="margin-bottom: 0cm; background: transparent">   
2851                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>warn(str(e),
2852                        RuntimeWarning)</FONT></FONT></P>
2853                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
2854                           </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">pass</FONT></FONT></FONT></P>
2855                        <P STYLE="margin-bottom: 0cm; background: transparent"><BR>
2856                        </P>
2857                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">from</FONT><FONT COLOR="#000000">
2858                        ndg.security.server.AttAuthority </FONT><FONT COLOR="#0000ff">import</FONT><FONT COLOR="#000000">
2859                        AAUserRoles, AAUserRolesError</FONT></FONT></FONT></P>
2860                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">from</FONT><FONT COLOR="#000000">
2861                        ndg.security.common.X509 </FONT><FONT COLOR="#0000ff">import</FONT><FONT COLOR="#000000">
2862                        X500DN</FONT></FONT></FONT></P>
2863                        <P STYLE="margin-bottom: 0cm; background: transparent"><BR>
2864                        </P>
2865                        <P STYLE="margin-bottom: 0cm; background: transparent"><BR>
2866                        </P>
2867                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">class</FONT><FONT COLOR="#000000">
2868                        <B>TestUserRoles</B>(AAUserRoles):</FONT></FONT></FONT></P>
2869                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
2870                           </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><I><FONT COLOR="#00aa00">&quot;&quot;&quot;Test
2871                        User Roles class dynamic import for Attribute Authority</FONT></I></FONT></FONT></P>
2872                        <P STYLE="margin-bottom: 0cm; background: transparent">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>NOT
2873                        for use on production system&quot;&quot;&quot;</FONT></FONT></P>
2874                        <P STYLE="margin-bottom: 0cm; background: transparent"><BR>
2875                        </P>
2876                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
2877                           </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">def</FONT><FONT COLOR="#000000">
2878                        <B>__init__</B>(<I>self</I>, propertiesFilePath=</FONT><FONT COLOR="#0000ff">None</FONT><FONT COLOR="#000000">):</FONT></FONT></FONT></P>
2879                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
2880                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">pass</FONT></FONT></FONT></P>
2881                        <P STYLE="margin-bottom: 0cm; background: transparent"><BR>
2882                        </P>
2883                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
2884                           </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">def</FONT><FONT COLOR="#000000">
2885                        <B>getRoles</B>(<I>self</I>, dn):</FONT></FONT></FONT></P>
2886                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
2887                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><I><FONT COLOR="#00aa00">&quot;&quot;&quot;Test
2888                        getRoles returns role attributes regardless of user Id!&quot;&quot;&quot;</FONT></I></FONT></FONT></P>
2889                        <P STYLE="margin-bottom: 0cm; background: transparent"><BR>
2890                        </P>
2891                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
2892                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0">#
2893                        Parse username from DN string</FONT></FONT></FONT></P>
2894                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
2895                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0">#
2896                        TODO: this may be e-mail address for BODC?</FONT></FONT></FONT></P>
2897                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
2898                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">try</FONT><FONT COLOR="#000000">:</FONT></FONT></FONT></P>
2899                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
2900                                   <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>cn
2901                        = X500DN(dn)[</FONT><I><FONT COLOR="#00aa00">'CN'</FONT></I><FONT COLOR="#000000">]</FONT></FONT></FONT></P>
2902                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
2903                                   </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">if</FONT><FONT COLOR="#000000">
2904                        len(cn) == </FONT><FONT COLOR="#800000">2</FONT><FONT COLOR="#000000">:</FONT></FONT></FONT></P>
2905                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
2906                                       </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0">#
2907                        Proxy cert has two common names set - assume extra common </FONT></FONT></FONT>
2908                        </P>
2909                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
2910                                       </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0">#
2911                        name will be 'proxy' or a number</FONT></FONT></FONT></P>
2912                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
2913                                       <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>username=[n
2914                        </FONT><FONT COLOR="#0000ff">for</FONT><FONT COLOR="#000000"> n </FONT><FONT COLOR="#0000ff">in</FONT><FONT COLOR="#000000">
2915                        cn </FONT><FONT COLOR="#0000ff">if</FONT><FONT COLOR="#000000">
2916                        n!=</FONT><I><FONT COLOR="#00aa00">&quot;proxy&quot;</FONT></I><FONT COLOR="#000000">
2917                        </FONT><FONT COLOR="#0000ff">and</FONT><FONT COLOR="#000000"> </FONT><FONT COLOR="#0000ff">not</FONT><FONT COLOR="#000000">
2918                        n.isdigit()][</FONT><FONT COLOR="#800000">0</FONT><FONT COLOR="#000000">]</FONT></FONT></FONT></P>
2919                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
2920                                   </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">else</FONT><FONT COLOR="#000000">:</FONT></FONT></FONT></P>
2921                        <P STYLE="margin-bottom: 0cm; background: transparent">           
2922                            <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>username
2923                        = cn</FONT></FONT></P>
2924                        <P STYLE="margin-bottom: 0cm; background: transparent"><BR>
2925                        </P>
2926                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
2927                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">except</FONT><FONT COLOR="#000000">
2928                        Exception, e:</FONT></FONT></FONT></P>
2929                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
2930                                   </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">raise</FONT><FONT COLOR="#000000">
2931                        AAUserRolesError, </FONT><I><FONT COLOR="#00aa00">&quot;Parsing
2932                        username from DN %s: %s&quot;</FONT></I><FONT COLOR="#000000"> %
2933                        (dn,e)</FONT></FONT></FONT></P>
2934                        <P STYLE="margin-bottom: 0cm; background: transparent"><BR>
2935                        </P>
2936                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
2937                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">return</FONT><FONT COLOR="#000000">
2938                        [</FONT><I><FONT COLOR="#00aa00">'Public'</FONT></I><FONT COLOR="#000000">,
2939                        </FONT><I><FONT COLOR="#00aa00">'Researcher'</FONT></I><FONT COLOR="#000000">]</FONT></FONT></FONT></P>
2940                        <P STYLE="margin-bottom: 0cm; background: transparent"><BR>
2941                        </P>
2942                        <P STYLE="margin-bottom: 0cm; background: transparent"><BR>
2943                        </P>
2944                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">class</FONT><FONT COLOR="#000000">
2945                        <B>UserRoles</B>(AAUserRoles):</FONT></FONT></FONT></P>
2946                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
2947                           </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><I><FONT COLOR="#00aa00">&quot;&quot;&quot;User
2948                        Roles class dynamically imported for Attribute Authority</FONT></I></FONT></FONT></P>
2949                        <P STYLE="margin-bottom: 0cm; background: transparent">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>-
2950                        see the Attribute Authority Properties file to make the correct</FONT></FONT></P>
2951                        <P STYLE="margin-bottom: 0cm; background: transparent">   
2952                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>settings&quot;&quot;&quot;</FONT></FONT></P>
2953                        <P STYLE="margin-bottom: 0cm; background: transparent"><BR>
2954                        </P>
2955                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
2956                           </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">def</FONT><FONT COLOR="#000000">
2957                        <B>__init__</B>(<I>self</I>, propertiesFilePath=</FONT><FONT COLOR="#0000ff">None</FONT><FONT COLOR="#000000">):</FONT></FONT></FONT></P>
2958                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
2959                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">if</FONT><FONT COLOR="#000000">
2960                        </FONT><FONT COLOR="#0000ff">not</FONT><FONT COLOR="#000000">
2961                        propertiesFilePath:</FONT></FONT></FONT></P>
2962                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
2963                                   </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">raise</FONT><FONT COLOR="#000000">
2964                        AAUserRolesError, </FONT><I><FONT COLOR="#00aa00">&quot;No user
2965                        roles property file set&quot;</FONT></I></FONT></FONT></P>
2966                        <P STYLE="margin-bottom: 0cm; background: transparent"><BR>
2967                        </P>
2968                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#000000">     
2969                           </FONT><FONT COLOR="#c0c0c0"># Retrieve database connection and
2970                        query settings from config file</FONT></FONT></FONT></P>
2971                        <P STYLE="margin-bottom: 0cm; background: transparent">       
2972                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>configParser
2973                        = SafeConfigParser()</FONT></FONT></P>
2974                        <P STYLE="margin-bottom: 0cm; background: transparent">       
2975                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>configParser.read(propertiesFilePath)</FONT></FONT></P>
2976                        <P STYLE="margin-bottom: 0cm; background: transparent"><BR>
2977                        </P>
2978                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
2979                               <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><I>self</I>.__conxnStr
2980                        = configParser.get(</FONT><I><FONT COLOR="#00aa00">'Oracle'</FONT></I><FONT COLOR="#000000">,
2981                        </FONT><I><FONT COLOR="#00aa00">'connection'</FONT></I><FONT COLOR="#000000">)</FONT></FONT></FONT></P>
2982                        <P STYLE="margin-bottom: 0cm; background: transparent"><BR>
2983                        </P>
2984                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
2985                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0">#
2986                        The Oracle connection could be made HERE to make getRoles method</FONT></FONT></FONT></P>
2987                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
2988                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0">#
2989                        more efficient but then AA would hog an Oracle connection as long
2990                        as</FONT></FONT></FONT></P>
2991                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
2992                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0">#
2993                        it is running.  There may be a way to avoid this using a connection</FONT></FONT></FONT></P>
2994                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#000000">     
2995                           </FONT><FONT COLOR="#c0c0c0"># pool</FONT></FONT></FONT></P>
2996                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
2997                               <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><I>self</I>.__query
2998                        =  configParser.get(</FONT><I><FONT COLOR="#00aa00">'Oracle'</FONT></I><FONT COLOR="#000000">,
2999                        </FONT><I><FONT COLOR="#00aa00">'query'</FONT></I><FONT COLOR="#000000">)</FONT></FONT></FONT></P>
3000                        <P STYLE="margin-bottom: 0cm; background: transparent"><BR>
3001                        </P>
3002                        <P STYLE="margin-bottom: 0cm; background: transparent"><BR>
3003                        </P>
3004                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3005                           </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">def</FONT><FONT COLOR="#000000">
3006                        <B>getRoles</B>(<I>self</I>, dn):</FONT></FONT></FONT></P>
3007                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3008                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><I><FONT COLOR="#00aa00">'''Roles
3009                        interface for BODC database'''</FONT></I></FONT></FONT></P>
3010                        <P STYLE="margin-bottom: 0cm; background: transparent"><BR>
3011                        </P>
3012                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3013                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0">#
3014                        Parse username from DN string</FONT></FONT></FONT></P>
3015                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3016                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0">#
3017                        TODO: this may be e-mail address for BODC?</FONT></FONT></FONT></P>
3018                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3019                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">try</FONT><FONT COLOR="#000000">:</FONT></FONT></FONT></P>
3020                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3021                                   <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>cn
3022                        = X500DN(dn)[</FONT><I><FONT COLOR="#00aa00">'CN'</FONT></I><FONT COLOR="#000000">]</FONT></FONT></FONT></P>
3023                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3024                                   </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">if</FONT><FONT COLOR="#000000">
3025                        len(cn) == </FONT><FONT COLOR="#800000">2</FONT><FONT COLOR="#000000">:</FONT></FONT></FONT></P>
3026                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3027                                       </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0">#
3028                        Proxy cert has two common names set - assume extra common </FONT></FONT></FONT>
3029                        </P>
3030                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3031                                       </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0">#
3032                        name will be 'proxy' or a number</FONT></FONT></FONT></P>
3033                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3034                                       <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>username=[n
3035                        </FONT><FONT COLOR="#0000ff">for</FONT><FONT COLOR="#000000"> n </FONT><FONT COLOR="#0000ff">in</FONT><FONT COLOR="#000000">
3036                        cn </FONT><FONT COLOR="#0000ff">if</FONT><FONT COLOR="#000000">
3037                        n!=</FONT><I><FONT COLOR="#00aa00">&quot;proxy&quot;</FONT></I><FONT COLOR="#000000">
3038                        </FONT><FONT COLOR="#0000ff">and</FONT><FONT COLOR="#000000"> </FONT><FONT COLOR="#0000ff">not</FONT><FONT COLOR="#000000">
3039                        n.isdigit()][</FONT><FONT COLOR="#800000">0</FONT><FONT COLOR="#000000">]</FONT></FONT></FONT></P>
3040                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3041                                   </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">else</FONT><FONT COLOR="#000000">:</FONT></FONT></FONT></P>
3042                        <P STYLE="margin-bottom: 0cm; background: transparent">           
3043                            <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>username
3044                        = cn</FONT></FONT></P>
3045                        <P STYLE="margin-bottom: 0cm; background: transparent"><BR>
3046                        </P>
3047                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3048                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">except</FONT><FONT COLOR="#000000">
3049                        Exception, e:</FONT></FONT></FONT></P>
3050                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3051                                   </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">raise</FONT><FONT COLOR="#000000">
3052                        AAUserRolesError, </FONT><I><FONT COLOR="#00aa00">&quot;Parsing
3053                        username from DN %s: %s&quot;</FONT></I><FONT COLOR="#000000"> %
3054                        (dn,e)</FONT></FONT></FONT></P>
3055                        <P STYLE="margin-bottom: 0cm; background: transparent"><BR>
3056                        </P>
3057                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3058                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0">#
3059                        It may be possible to use a connection pool and move this</FONT></FONT></FONT></P>
3060                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3061                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0">#
3062                        connect call to __init__ see:</FONT></FONT></FONT></P>
3063                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3064                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0">#</FONT></FONT></FONT></P>
3065                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3066                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0">#
3067                        http://www.python.net/crew/atuining/cx_Oracle/html/module.html</FONT></FONT></FONT></P>
3068                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3069                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0">#</FONT></FONT></FONT></P>
3070                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3071                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">try</FONT><FONT COLOR="#000000">:</FONT></FONT></FONT></P>
3072                        <P STYLE="margin-bottom: 0cm; background: transparent">           
3073                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>con
3074                        = cx_Oracle.connect(<I>self</I>.__conxnStr)</FONT></FONT></P>
3075                        <P STYLE="margin-bottom: 0cm; background: transparent">           
3076                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>cursor
3077                        = con.cursor()</FONT></FONT></P>
3078                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3079                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">except</FONT><FONT COLOR="#000000">
3080                        Exception, e:</FONT></FONT></FONT></P>
3081                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3082                                   </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">raise</FONT><FONT COLOR="#000000">
3083                        AAUserRolesError, </FONT><I><FONT COLOR="#00aa00">&quot;Error
3084                        connecting to Oracle database: &quot;</FONT></I><FONT COLOR="#000000">
3085                        +\</FONT></FONT></FONT></P>
3086                        <P STYLE="margin-bottom: 0cm; background: transparent">        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>                   
3087                                       str(e)</FONT></FONT></P>
3088                        <P STYLE="margin-bottom: 0cm; background: transparent">       
3089                        </P>
3090                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3091                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0">#
3092                        Substitute the username into the query - the query is expected to </FONT></FONT></FONT>
3093                        </P>
3094                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3095                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0">#
3096                        have a &quot;%s&quot; to allow this</FONT></FONT></FONT></P>
3097                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3098                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0">#</FONT></FONT></FONT></P>
3099                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3100                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0">#
3101                        Convert username to string type explicitly as the execute method </FONT></FONT></FONT>
3102                        </P>
3103                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3104                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0">#
3105                        doesn't like unicode type</FONT></FONT></FONT></P>
3106                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3107                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">try</FONT><FONT COLOR="#000000">:</FONT></FONT></FONT></P>
3108                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3109                                   </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">try</FONT><FONT COLOR="#000000">:</FONT></FONT></FONT></P>
3110                        <P STYLE="margin-bottom: 0cm; background: transparent">           
3111                            <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>query
3112                        = <I>self</I>.__query % str(username)</FONT></FONT></P>
3113                        <P STYLE="margin-bottom: 0cm; background: transparent">           
3114                            <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>cursor.execute(query)</FONT></FONT></P>
3115                        <P STYLE="margin-bottom: 0cm; background: transparent">           
3116                            <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>result
3117                        = cursor.fetchall()</FONT></FONT></P>
3118                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3119                                   </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">except</FONT><FONT COLOR="#000000">
3120                        Exception, e:</FONT></FONT></FONT></P>
3121                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3122                                       </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">raise</FONT><FONT COLOR="#000000">
3123                        AAUserRolesError, </FONT><I><FONT COLOR="#00aa00">&quot;Error
3124                        executing query: &quot;</FONT></I><FONT COLOR="#000000"> + str(e)</FONT></FONT></FONT></P>
3125                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3126                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">finally</FONT><FONT COLOR="#000000">:</FONT></FONT></FONT></P>
3127                        <P STYLE="margin-bottom: 0cm; background: transparent">       
3128                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>  cursor.close()</FONT></FONT></P>
3129                        <P STYLE="margin-bottom: 0cm; background: transparent">       
3130                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>  con.close()</FONT></FONT></P>
3131                        <P STYLE="margin-bottom: 0cm; background: transparent">       
3132                        </P>
3133                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3134                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0">#
3135                        Result is a list of tuples.  The first element of each tuple is a</FONT></FONT></FONT></P>
3136                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3137                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0">#
3138                        role name -&gt; Convert into a simple list of role names</FONT></FONT></FONT></P>
3139                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3140                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">try</FONT><FONT COLOR="#000000">:</FONT></FONT></FONT></P>
3141                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3142                                   <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>roleNames
3143                        = [role[</FONT><FONT COLOR="#800000">0</FONT><FONT COLOR="#000000">]
3144                        </FONT><FONT COLOR="#0000ff">for</FONT><FONT COLOR="#000000"> role
3145                        </FONT><FONT COLOR="#0000ff">in</FONT><FONT COLOR="#000000">
3146                        result]</FONT></FONT></FONT></P>
3147                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3148                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">except</FONT><FONT COLOR="#000000">
3149                        TypeError:</FONT></FONT></FONT></P>
3150                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3151                                   </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0">#
3152                        Catch non-iterable error with result var</FONT></FONT></FONT></P>
3153                        <P STYLE="margin-bottom: 0cm; background: transparent">           
3154                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>roleNames
3155                        = []</FONT></FONT></P>
3156                        <P STYLE="margin-bottom: 0cm; background: transparent">       
3157                        </P>
3158                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3159                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT FACE="Monospace"><FONT COLOR="#0000ff">return</FONT><FONT COLOR="#000000">
3160                        roleNames</FONT></FONT></FONT></FONT></P>
3161                        <P STYLE="background: transparent"><BR>
3162                        </P>
3163                </TD>
3164        </TR>
3165</TABLE>
3166<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
3167</P>
3168<P CLASS="western" ALIGN=JUSTIFY>Note:</P>
3169<UL>
3170        <LI><P CLASS="western" ALIGN=JUSTIFY>It uses the Python library
3171        cx_<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Oracle</SPAN></FONT>
3172        to connect to an Oracle database.</P>
3173        <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ElementTree</SPAN></FONT>
3174        Python library is used to parse an XML properties file, where one is
        used.  Note that the listing above does not use it: it reads its settings
        with <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">SafeConfigParser</SPAN></FONT>
        from the standard <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ConfigParser</SPAN></FONT>
        module, i.e. an INI-style file with an
        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">[Oracle]</SPAN></FONT>
        section as shown in the example below.</P>
3175        <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndg.security.common.X509</SPAN></FONT>
3176        security python library is used to parse the user Distinguished Name
3177        passed into <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">getRoles</SPAN></FONT>
3178        and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">userIsRegistered</SPAN></FONT>
3179        methods.</P>
3180        <LI><P CLASS="western" ALIGN=JUSTIFY>Database connection and query
3181        settings are taken from a config file (example below).  The
        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">connection</SPAN></FONT>
        setting holds the database user name and password in clear text, so
        restrict read access on this file to the account the Attribute Authority
        runs as.</P>
        <LI><P CLASS="western" ALIGN=JUSTIFY>Security note: in
        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">getRoles</SPAN></FONT>
        the username parsed from the certificate DN is substituted straight into
        the SQL text with
        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">self.__query % str(username)</SPAN></FONT>.
        The CN of the DN is whatever the issuing CA put in the certificate, so
        unless every CA the Attribute Authority trusts is also trusted to control
        CN contents, this is a SQL injection risk.  Prefer a
        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">cx_Oracle</SPAN></FONT>
        bind variable instead: write the query as
        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">... where username = :username</SPAN></FONT>
        and call
        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">cursor.execute(self.__query, username=str(username))</SPAN></FONT>.
        The config example below shows the
        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">%%s</SPAN></FONT>
        form used by the listing as written; change it to the
        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">:username</SPAN></FONT>
        form if you switch to a bind variable.</P>
3182</UL>
3183<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0 STYLE="page-break-before: auto">
3184        <COL WIDTH=610>
3185        <TR>
3186                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
3187                        <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><FONT COLOR="#3f7f5f"><FONT FACE="Monospace"><FONT SIZE=2>#</FONT></FONT></FONT></P>
3188                        <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><FONT COLOR="#3f7f5f"><FONT FACE="Monospace"><FONT SIZE=2>#
3189                        BODC Attribute Authority - Oracle interface settings</FONT></FONT></FONT></P>
3190                        <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><FONT COLOR="#3f7f5f"><FONT FACE="Monospace"><FONT SIZE=2>#</FONT></FONT></FONT></P>
3191                        <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><FONT COLOR="#3f7f5f"><FONT FACE="Monospace"><FONT SIZE=2>#
3192                        P J Kershaw 09/08/07</FONT></FONT></FONT></P>
3193                        <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><FONT COLOR="#3f7f5f"><FONT FACE="Monospace"><FONT SIZE=2>#</FONT></FONT></FONT></P>
3194                        <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><FONT FACE="Monospace"><FONT SIZE=2>[Oracle]</FONT></FONT></P>
3195                        <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><FONT COLOR="#3f7f5f"><FONT FACE="Monospace"><FONT SIZE=2>#
3196                        Database connection string</FONT></FONT></FONT></P>
3197                        <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><FONT FACE="Monospace"><FONT SIZE=2><FONT COLOR="#000000">connection
3198                        = </FONT><FONT COLOR="#2a00ff">user/password@dsn</FONT></FONT></FONT></P>
3199                        <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><FONT COLOR="#3f7f5f"><FONT FACE="Monospace"><FONT SIZE=2>#
3200                        Query string &quot;%%s&quot; will be substituted by the username
3201                        specified by the code</FONT></FONT></FONT></P>
3202                        <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm; background: transparent">
3203                        <FONT FACE="Monospace"><FONT SIZE=2><FONT COLOR="#000000">query =
3204                        </FONT><FONT COLOR="#2a00ff">select</FONT><FONT COLOR="#000000">
3205                        </FONT><FONT COLOR="#2a00ff">something</FONT><FONT COLOR="#000000">
3206                        </FONT><FONT COLOR="#2a00ff">from</FONT><FONT COLOR="#000000">
3207                        </FONT><FONT COLOR="#2a00ff">atable</FONT><FONT COLOR="#000000">
3208                        </FONT><FONT COLOR="#2a00ff">where</FONT><FONT COLOR="#000000">
3209                        </FONT><FONT COLOR="#2a00ff">username</FONT><FONT COLOR="#000000">
3210                        </FONT><FONT COLOR="#2a00ff">=</FONT><FONT COLOR="#000000"> </FONT><FONT COLOR="#2a00ff">'%%s'</FONT></FONT></FONT></P>
3211                        <P CLASS="western" ALIGN=LEFT STYLE="background: transparent"><BR>
3212                        </P>
3213                </TD>
3214        </TR>
3215</TABLE>
3216<P CLASS="western" ALIGN=LEFT><BR><BR>
3217</P>
3218<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
3219</P>
3220<H2 CLASS="western"><A NAME="5.5.Troubleshooting|outline"></A>5.5 Troubleshooting</H2>
3221<H3 CLASS="western"><A NAME="5.5.1.M2Crypto SWIG Build Error|outline"></A>
32225.5.1 M2Crypto SWIG Build Error</H3>
3223<P CLASS="western" ALIGN=JUSTIFY>M2Crypto uses SWIG to bind C OpenSSL
3224library code to the Python interface.  Compilation errors with swig
3225<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">.i</SPAN></FONT>
3226files in the M2Crypto tar bundle can be caused by using an earlier
3227version of swig.  This has been seen with the default swig on Redhat
3228EL4.  This comes with swig version 1.1.  To check the SWIG version
3229number type:</P>
3230<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
3231        <COL WIDTH=610>
3232        <TR>
3233                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
3234                        <P STYLE="margin-bottom: 0cm"><BR>
3235                        </P>
3236                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ swig
3237                        -version</FONT></P>
3238                        <P><BR>
3239                        </P>
3240                </TD>
3241        </TR>
3242</TABLE>
3243<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
3244</P>
3245<P CLASS="western" ALIGN=JUSTIFY>To fix this, update SWIG to a version &gt; 1.1
3246and re-run the installation script.  SWIG is available from
3247<FONT COLOR="#0000ff"><U><A HREF="http://www.swig.org/">http://www.swig.org/</A></U></FONT></P>
3248<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
3249</P>
3250<H3 CLASS="western"><A NAME="5.5.2.PyXML|outline"></A>5.5.2 PyXML</H3>
3251<P CLASS="western" ALIGN=JUSTIFY>If installation fails with: error: Could not find suitable
3252distribution for Requirement.parse('PyXML&gt;=0.8.3')</P>
3253<P CLASS="western" ALIGN=JUSTIFY>install PyXML directly with: $ easy_install -f
3254<FONT COLOR="#0000ff"><U><A HREF="http://sourceforge.net/project/showfiles.php?group_id=6473">http://sourceforge.net/project/showfiles.php?group_id=6473</A></U></FONT>
3255PyXML</P>
3256<P CLASS="western" ALIGN=JUSTIFY>or pass the same -f option to
3257ndg-security-install.py</P>
3258<H3 CLASS="western"><A NAME="5.5.3.4Suite-XML Build error|outline"></A>
32595.5.3 4Suite-XML Build error</H3>
3260<P CLASS="western" ALIGN=JUSTIFY>Ft/Xml/src/expat/lib/xmlparse.c:89:2:
3261#error memmove does not exist on this platform, nor is a substitute
3262available</P>
3263<P CLASS="western" ALIGN=JUSTIFY>Seen with 4Suite-XML 1.0.2 on the following platform:</P>
3264<P CLASS="western" ALIGN=JUSTIFY>$ cat /proc/version</P>
3265<P CLASS="western" ALIGN=JUSTIFY>Linux version 2.4.21-32.0.1.ELsmp
3266(bhcompile@bugs.build.redhat.com) (gcc version</P>
3267<P CLASS="western" ALIGN=JUSTIFY> 3.2.3 20030502 (Red Hat Linux
32683.2.3-52)) #1 SMP Tue May 17 17:52:23 EDT 2005</P>
3269<P CLASS="western" ALIGN=JUSTIFY>$ uname -a
3270</P>
3271<P CLASS="western" ALIGN=JUSTIFY>Linux glue.badc.rl.ac.uk
32722.4.21-32.0.1.ELsmp #1 SMP Tue May 17 17:52:23 EDT 2005 i686 i686
3273i386 GNU/Linux</P>
3274<P CLASS="western" ALIGN=JUSTIFY>Solution (note that the following command overwrites any existing ~/.pydistutils.cfg; if you already have one, add the setting to it by hand instead):</P>
3275<P CLASS="western" ALIGN=JUSTIFY>$ echo -e
3276&quot;[build_ext]\ndefine=HAVE_MEMMOVE&quot; &gt; ~/.pydistutils.cfg</P>
3277<P CLASS="western" ALIGN=JUSTIFY>$ easy_install 4Suite-XML</P>
3278<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
3279</P>
3280</BODY>
3281</HTML>