
Revision 3171, 240.7 KB checked in by pjkersha, 12 years ago (diff)

Installation Guide updated to include instructions for MyProxy config with SimpleCA and PAM callout.

1<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
2<HTML>
3<HEAD>
4        <META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=utf-8">
5        <TITLE>NDG Security Installation Guide</TITLE>
6        <META NAME="GENERATOR" CONTENT="OpenOffice.org 2.0  (Linux)">
7        <META NAME="AUTHOR" CONTENT="P J Kershaw">
8        <META NAME="CREATED" CONTENT="20071010;9350000">
9        <META NAME="CHANGED" CONTENT="20071221;14112900">
10        <STYLE TYPE="text/css">
11        <!--
12                @page { size: 21cm 29.7cm; margin-left: 2.54cm; margin-right: 2.29cm; margin-top: 1.27cm; margin-bottom: 1.27cm }
13                @page:first { margin-top: 1.27cm; margin-bottom: 2.54cm }
14                P { margin-bottom: 0.42cm; direction: ltr; color: #000000; text-align: left; widows: 2; orphans: 2 }
15                P.western { font-family: "Helvetica", sans-serif; font-size: 10pt; so-language: en-GB }
16                P.cjk { font-family: "Times New Roman", "Times", serif; font-size: 10pt }
17                P.ctl { font-family: "Times New Roman", "Times", serif; font-size: 10pt; so-language: ar-SA }
18                H1 { margin-bottom: 0.42cm; direction: ltr; color: #000000; text-align: justify; widows: 2; orphans: 2; page-break-before: always }
19                H1.western { font-family: "Helvetica", sans-serif; font-size: 10pt; so-language: en-GB }
20                H1.cjk { font-family: "Times New Roman", "Times", serif; font-size: 10pt }
21                H1.ctl { font-family: "Times New Roman", "Times", serif; font-size: 10pt; so-language: ar-SA; font-weight: medium }
22                H2 { margin-left: 0.1cm; margin-top: 0cm; margin-bottom: 0.42cm; direction: ltr; color: #000000; text-align: left; widows: 2; orphans: 2 }
23                H2.western { font-family: "Helvetica", sans-serif; font-size: 10pt; so-language: en-GB }
24                H2.cjk { font-family: "Times New Roman", "Times", serif; font-size: 10pt }
25                H2.ctl { font-family: "Times New Roman", "Times", serif; font-size: 10pt; so-language: ar-SA; font-weight: medium }
26                H3 { margin-top: 0cm; margin-bottom: 0.42cm; direction: ltr; color: #000000; text-align: justify; widows: 2; orphans: 2 }
27                H3.western { font-family: "Helvetica", sans-serif; font-size: 10pt; so-language: en-GB; font-style: italic }
28                H3.cjk { font-family: "Times New Roman", "Times", serif; font-size: 10pt; font-style: italic }
29                H3.ctl { font-family: "Times New Roman", "Times", serif; font-size: 10pt; so-language: ar-SA; font-weight: medium }
30                H4 { margin-top: 0cm; margin-bottom: 0cm; direction: ltr; color: #000000; text-align: justify; widows: 2; orphans: 2 }
31                H4.western { font-family: "Helvetica", sans-serif; font-size: 10pt; so-language: en-GB; font-style: italic; font-weight: medium }
32                H4.cjk { font-family: "Times New Roman", "Times", serif; font-size: 10pt; font-style: italic; font-weight: medium }
33                H4.ctl { font-family: "Times New Roman", "Times", serif; font-size: 10pt; so-language: ar-SA; font-weight: medium }
34                A:link { color: #0000ff }
35                A:visited { color: #800080 }
36        -->
37        </STYLE>
38</HEAD>
39<BODY LANG="en-GB" TEXT="#000000" LINK="#0000ff" VLINK="#800080" DIR="LTR">
40<DIV TYPE=HEADER>
41        <P ALIGN=JUSTIFY STYLE="margin-bottom: 1.17cm"><BR><BR>
42        </P>
43</DIV>
44<P ALIGN=LEFT><BR><BR>
45</P>
46<P ALIGN=LEFT><A NAME="_Ref179772410"></A><BR><BR>
47</P>
48<P ALIGN=LEFT><SPAN ID="Frame1" DIR="LTR" STYLE="float: left; width: 12.96cm; height: 4.77cm; border: none; padding: 0cm; background: #ffffff">
49        <P ALIGN=RIGHT><FONT SIZE=6 STYLE="font-size: 28pt"><B>NERC Data
50        Grid Security</B></FONT></P>
51        <P ALIGN=RIGHT><FONT SIZE=6><B>Installation Guide</B></FONT></P>
52        <P ALIGN=RIGHT><FONT SIZE=3><B>Version 0.9</B></FONT></P>
53</SPAN><BR><BR>
54</P>
55<P ALIGN=LEFT STYLE="page-break-before: always"><FONT SIZE=4 STYLE="font-size: 16pt"><B>Document
56Log</B></FONT></P>
57<TABLE WIDTH=627 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
58        <COL WIDTH=194>
59        <COL WIDTH=195>
60        <COL WIDTH=195>
61        <TR VALIGN=TOP>
62                <TD WIDTH=194 BGCOLOR="#d9d9d9">
63                        <P ALIGN=JUSTIFY><B>Version Number</B></P>
64                </TD>
65                <TD WIDTH=195 BGCOLOR="#d9d9d9">
66                        <P CLASS="western" ALIGN=JUSTIFY><B>Date</B></P>
67                </TD>
68                <TD WIDTH=195 BGCOLOR="#d9d9d9">
69                        <P CLASS="western" ALIGN=JUSTIFY><B>Comment</B></P>
70                </TD>
71        </TR>
72        <TR VALIGN=TOP>
73                <TD WIDTH=194>
74                        <P ALIGN=JUSTIFY>0.1</P>
75                </TD>
76                <TD WIDTH=195>
77                        <P CLASS="western" ALIGN=JUSTIFY>04/11/05</P>
78                </TD>
79                <TD WIDTH=195>
80                        <P CLASS="western" ALIGN=JUSTIFY>First Draft</P>
81                </TD>
82        </TR>
83        <TR VALIGN=TOP>
84                <TD WIDTH=194>
85                        <P ALIGN=JUSTIFY>0.2</P>
86                </TD>
87                <TD WIDTH=195>
88                        <P CLASS="western" ALIGN=JUSTIFY>21/02/06</P>
89                </TD>
90                <TD WIDTH=195>
91                        <P CLASS="western" ALIGN=JUSTIFY>Draft for installation at NOCS</P>
92                </TD>
93        </TR>
94        <TR VALIGN=TOP>
95                <TD WIDTH=194>
96                        <P ALIGN=JUSTIFY>0.3</P>
97                </TD>
98                <TD WIDTH=195>
99                        <P CLASS="western" ALIGN=JUSTIFY>07/04/06</P>
100                </TD>
101                <TD WIDTH=195>
102                        <P CLASS="western" ALIGN=JUSTIFY>Updates following installation at
103                        NOCS</P>
104                </TD>
105        </TR>
106        <TR VALIGN=TOP>
107                <TD WIDTH=194>
108                        <P ALIGN=JUSTIFY>0.4</P>
109                </TD>
110                <TD WIDTH=195>
111                        <P CLASS="western" ALIGN=JUSTIFY>25/07/06</P>
112                </TD>
113                <TD WIDTH=195>
114                        <P CLASS="western" ALIGN=JUSTIFY>Include deployment model and
115                        details about SysV style init scripts for web services.</P>
116                </TD>
117        </TR>
118        <TR VALIGN=TOP>
119                <TD WIDTH=194>
120                        <P ALIGN=JUSTIFY>0.5</P>
121                </TD>
122                <TD WIDTH=195>
123                        <P CLASS="western" ALIGN=JUSTIFY>16/01/07</P>
124                </TD>
125                <TD WIDTH=195>
126                        <P CLASS="western" ALIGN=JUSTIFY>Instructions for installation of
127                        python packages and associated C library dependencies from source
128                        and corrections for MyProxy installation.</P>
129                        <P CLASS="western" ALIGN=JUSTIFY>Installation instructions apply
130                        to NDG-Security Post Alpha release 0.72.</P>
131                </TD>
132        </TR>
133        <TR VALIGN=TOP>
134                <TD WIDTH=194>
135                        <P ALIGN=JUSTIFY>0.6</P>
136                </TD>
137                <TD WIDTH=195>
138                        <P CLASS="western" ALIGN=JUSTIFY>17/08/07</P>
139                </TD>
140                <TD WIDTH=195>
141                        <P CLASS="western" ALIGN=JUSTIFY>Updated for NDG Beta release. 
142                        </P>
143                        <UL>
144                                <LI><P CLASS="western" ALIGN=JUSTIFY>Installation of python
145                                packages is now via distutils eggs. 
146                                </P>
147                                <LI><P CLASS="western" ALIGN=JUSTIFY>Python services use Twisted.</P>
148                        </UL>
149                </TD>
150        </TR>
151        <TR VALIGN=TOP>
152                <TD WIDTH=194>
153                        <P ALIGN=JUSTIFY>0.7</P>
154                </TD>
155                <TD WIDTH=195>
156                        <P CLASS="western" ALIGN=JUSTIFY>03/10/07</P>
157                </TD>
158                <TD WIDTH=195>
159                        <P CLASS="western" ALIGN=JUSTIFY>Tidied headers for creation of
160                        HTML version</P>
161                </TD>
162        </TR>
163        <TR VALIGN=TOP>
164                <TD WIDTH=194>
165                        <P ALIGN=JUSTIFY>0.8</P>
166                </TD>
167                <TD WIDTH=195>
168                        <P CLASS="western" ALIGN=JUSTIFY>09/10/07</P>
169                </TD>
170                <TD WIDTH=195>
171                        <UL>
172                                <LI><P CLASS="western" ALIGN=LEFT>Updates for mapConfig.xml,
173                                sessionMgrProperties.xml and attAuthorityProperties.xml config
174                                files</P>
175                                <LI><P CLASS="western" ALIGN=LEFT>Configuration for logging</P>
176                        </UL>
177                </TD>
178        </TR>
179        <TR VALIGN=TOP>
180                <TD WIDTH=194>
181                        <P ALIGN=JUSTIFY>0.9</P>
182                </TD>
183                <TD WIDTH=195>
184                        <P CLASS="western" ALIGN=JUSTIFY>11/10/07</P>
185                </TD>
186                <TD WIDTH=195>
187                        <UL>
188                                <LI VALUE=1><P CLASS="western" ALIGN=LEFT>Use of MyProxy with a
189                                SimpleCA and PAM callout for authentication</P>
190                                <LI><P CLASS="western" ALIGN=LEFT>details for certificate
191                                requests for Session Manager and Attribute Authority</P>
192                        </UL>
193                </TD>
194        </TR>
195</TABLE>
196<P ALIGN=LEFT STYLE="page-break-before: always"><FONT SIZE=4 STYLE="font-size: 16pt"><B>Contents</B></FONT></P>
197<DIV ID="Table of Contents1" DIR="LTR">
198        <P ALIGN=JUSTIFY><A HREF="#1. References|outline">1.  References        6</A></P>
199        <P ALIGN=JUSTIFY><A HREF="#2.Introduction|outline">2. Introduction      7</A></P>
200        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#2.1.Pre-requisites |outline">2.1
201        Pre-requisites  7</A></P>
202        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#2.2.Deployment Model|outline">2.2
203        Deployment Model        7</A></P>
204        <P ALIGN=JUSTIFY><A HREF="#3.Software Installation Components|outline">3.
205        Software Installation Components        9</A></P>
206        <P ALIGN=JUSTIFY><A HREF="#4.Installation|outline">4.
207        Installation    10</A></P>
208        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.1.Dependencies|outline">4.1
209        Dependencies    10</A></P>
210        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.1.1.OpenSSL|outline">4.1.1
211        OpenSSL 10</A></P>
212        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.1.2.SWIG|outline">4.1.2
213        SWIG    10</A></P>
214        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.2.Python Packages|outline">4.2
215        Python Packages 10</A></P>
216        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.2.1.setuptools|outline">4.2.1
217        setuptools      10</A></P>
218        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.2.2.NDG Security Packages|outline">4.2.2
219        NDG Security Packages   11</A></P>
220        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.3.NDG Web Services Configuration|outline">4.3
221        NDG Web Services Configuration  11</A></P>
222        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.3.1.NDG Security System Configuration Files|outline">4.3.1
223        NDG Security System Configuration Files 11</A></P>
224        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.3.2. Certificate Generation|outline">4.3.2
225         Certificate Generation 12</A></P>
226        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.4.Session Manager Configuration|outline">4.4
227        Session Manager Configuration   14</A></P>
228        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.4.1.Session Manager Credential Repository|outline">4.4.1
229        Session Manager Credential Repository   14</A></P>
230        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.4.2.Session Manager Properties File Settings|outline">4.4.2
231        Session Manager Properties File Settings        14</A></P>
232        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.4.3.SysV-style Boot Script|outline">4.4.3
233        SysV-style Boot Script  18</A></P>
234        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.5.Attribute Authority Configuration|outline">4.5
235        Attribute Authority Configuration       18</A></P>
236        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.5.1.Attribute Authority Properties File Settings|outline">4.5.1
237        Attribute Authority Properties File Settings    18</A></P>
238        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.5.2.User Roles Interface|outline">4.5.2
239        User Roles Interface    20</A></P>
240        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.5.3.Role Mapping|outline">4.5.3
241        Role Mapping    20</A></P>
242        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.5.4.Twisted Python server .tac file|outline">4.5.4
243        Twisted Python server .tac file 21</A></P>
244        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.5.5.SysV-style Boot Script|outline">4.5.5
245        SysV-style Boot Script  22</A></P>
246        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.6.Python Unit Tests|outline">4.6
247        Python Unit Tests       22</A></P>
248        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.7. MyProxy|outline">4.7
249         MyProxy        22</A></P>
250        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.7.1. MyProxy and NDG Security Background|outline">4.7.1
251         MyProxy and NDG Security Background    22</A></P>
252        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.7.2. MyProxy user account and the repository location considerations|outline">4.7.2
253         MyProxy user account and the repository location considerations        23</A></P>
254        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.7.3. Installation|outline">4.7.3
255         Installation   23</A></P>
256        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.7.4. SimpleCA Installation|outline">4.7.4
257         SimpleCA Installation  24</A></P>
258        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.7.5. Host Certificate Creation|outline">4.7.5
259         Host Certificate Creation      27</A></P>
260        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.7.6. MyProxy Configuration File|outline">4.7.6
261         MyProxy Configuration File     27</A></P>
262        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.7.7. MyProxy SimpleCA Configuration|outline">4.7.7
263         MyProxy SimpleCA Configuration 28</A></P>
264        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.7.8. MyProxy PAM Configuration|outline">4.7.8
265         MyProxy PAM Configuration      29</A></P>
266        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.7.9. Testing MyProxy|outline">4.7.9
267         Testing MyProxy        30</A></P>
268        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.7.10. Adding MyProxy Server to the system start up|outline">4.7.10
269         Adding MyProxy Server to the system start up   33</A></P>
270        <P ALIGN=JUSTIFY><A HREF="#5.Appendices|outline">5. Appendices  35</A></P>
271        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#5.1. Postgres PAM for MyProxy|outline">5.1
272         Postgres PAM for MyProxy       35</A></P>
273        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.1.1. Configuration|outline">5.1.1
274         Configuration  35</A></P>
275        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#5.2. MySQL Installation|outline">5.2
276         MySQL Installation     36</A></P>
277        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.1.Version|outline">5.2.1
278        Version 36</A></P>
279        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.2. Getting the Binaries|outline">5.2.2
280         Getting the Binaries   36</A></P>
281        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.3. New mysql User Account|outline">5.2.3
282         New mysql User Account 36</A></P>
283        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.4. Unpacking the tarball|outline">5.2.4
284         Unpacking the tarball  36</A></P>
285        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.5. Configuration File|outline">5.2.5
286         Configuration File     37</A></P>
287        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.6. Create the Grant Tables|outline">5.2.6
288         Create the Grant Tables        37</A></P>
289        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.7. File and Directory Permissions|outline">5.2.7
290         File and Directory Permissions 38</A></P>
291        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.8. Starting the Server|outline">5.2.8
292         Starting the Server    38</A></P>
293        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.9. Securing MySQL Accounts|outline">5.2.9
294         Securing MySQL Accounts        38</A></P>
295        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.10. Server Automated Start up|outline">5.2.10
296         Server Automated Start up      39</A></P>
297        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#5.3. HTTPS set-up with Apache Web Server|outline">5.3
298         HTTPS set-up with Apache Web Server    39</A></P>
299        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.3.1. Web Server Host Certificate Generation|outline">5.3.1
300         Web Server Host Certificate Generation 39</A></P>
301        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.3.2.Apache Configuration File Settings|outline">5.3.2
302        Apache Configuration File Settings      40</A></P>
303        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#5.4. Apache Web Server Proxy Settings Configuration for Web Services|outline">5.4
304         Apache Web Server Proxy Settings Configuration for Web Services        40</A></P>
305        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#5.5.An Example Attribute Authority AAUserRoles interface class|outline">5.5
306        An Example Attribute Authority AAUserRoles interface class      41</A></P>
307        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#5.6.Troubleshooting|outline">5.6
308        Troubleshooting 44</A></P>
309        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.6.1.M2Crypto |outline">5.6.1
310        M2Crypto        44</A></P>
311        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.6.2. PyXML|outline">5.6.2
312         PyXML  45</A></P>
313        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.6.3. 4Suite-XML Build error|outline">5.6.3
314         4Suite-XML Build error 45</A></P>
315</DIV>
316<H1 CLASS="western"><A NAME="1. References|outline"></A>1. References</H1>
317<OL>
318        <LI><P CLASS="western" ALIGN=JUSTIFY><FONT COLOR="#0000ff"><U><A HREF="http://grid.ncsa.uiuc.edu/myproxy/"><SPAN LANG="fi-FI">http://grid.ncsa.uiuc.edu/myproxy/</SPAN></A></U></FONT><SPAN LANG="fi-FI">
319        - NCSA MyProxy site</SPAN></P>
320        <LI><P CLASS="western" ALIGN=JUSTIFY><A HREF="http://grid.ncsa.uiuc.edu/myproxy/ca/">http://grid.ncsa.uiuc.edu/myproxy/ca/</A>
321        - MyProxy Certificate Authority</P>
322        <LI><P CLASS="western" ALIGN=JUSTIFY><A HREF="http://grid.ncsa.uiuc.edu/myproxy/pam.html">http://grid.ncsa.uiuc.edu/myproxy/pam.html</A>
323        – MyProxy PAM Support</P>
324        <LI><P CLASS="western" ALIGN=JUSTIFY><FONT COLOR="#0000ff"><U><A HREF="http://www-unix.globus.org/toolkit/docs/4.0/security/">http://www-unix.globus.org/toolkit/docs/4.0/security/</A></U></FONT>
325        - Globus 4.0 and Security</P>
326        <LI><P CLASS="western" ALIGN=LEFT><FONT COLOR="#0000ff"><U><A HREF="http://peak.telecommunity.com/DevCenter/setuptools">http://peak.telecommunity.com/DevCenter/setuptools</A></U></FONT>
327        - Python Eggs and Easy Install</P>
328        <LI><P CLASS="western" ALIGN=LEFT><FONT COLOR="#0000ff"><U><A HREF="http://pywebsvcs.sourceforge.net/">http://pywebsvcs.sourceforge.net/</A></U></FONT>
329        - Python ZSI SOAP Web Services package</P>
330        <LI><P CLASS="western" ALIGN=LEFT><FONT COLOR="#0000ff"><U><A HREF="http://chandlerproject.org/bin/view/Projects/MeTooCrypto">http://chandlerproject.org/bin/view/Projects/MeTooCrypto</A></U></FONT>
331        - Python M2Crypto OpenSSL wrapper</P>
332        <LI><P CLASS="western" ALIGN=LEFT><FONT COLOR="#0000ff"><U><A HREF="http://twistedmatrix.com/trac/">http://twistedmatrix.com/trac/</A></U></FONT>
333        - Python Twisted Application Server</P>
334        <LI><P CLASS="western" ALIGN=LEFT><A NAME="_Ref132180158"></A>NDG
335        Security - Security Measures for Installation [v0.2, 7 September
336        2005],
337        <FONT COLOR="#0000ff"><U><A HREF="http://bscw.badc.rl.ac.uk/bscw/bscw.cgi/d77103/NDG%20Security%20-%20Security%20Measures%20for%20Installation">http://bscw.badc.rl.ac.uk/bscw/bscw.cgi/d77103/NDG%20Security%20-%20Security%20Measures%20for%20Installation</A></U></FONT></P>
338</OL>
339<H1 CLASS="western"><A NAME="2.Introduction|outline"></A>2.Introduction</H1>
340<P CLASS="western" ALIGN=JUSTIFY>This is a guide for system
341administrators and developers deploying NDG security at a data
342centre.</P>
343<H2 CLASS="western"><A NAME="2.1.Pre-requisites |outline"></A>2.1Pre-requisites
344</H2>
345<UL>
346        <LI><P CLASS="western" ALIGN=JUSTIFY>For NDG Security Web Services:
347        a host running RedHat Enterprise AS4 or later is recommended.  Other
348        Linux distributions may also be suitable.</P>
349        <LI><P CLASS="western" ALIGN=JUSTIFY>For MyProxy: a separate host
350        machine (see the MyProxy documentation for the operating systems supported).
351        This host holds the credential repository and must be hardened: if possible a
352        dedicated machine with minimal other services running on it, with network access
353        to the MyProxy port restricted to the Session Manager host(s), kept up to date
354        with patches, and with its system logs monitored regularly.</P>
354        <LI><P CLASS="western" ALIGN=JUSTIFY>MyProxy and Security web
355        services hosts must be configured to synchronise with an NTP server so
356        that their clocks agree with the security services running at other
357        NDG sites.  Certificate and proxy credential validity periods are
358        checked against the local clock, so clock skew can cause valid
359        credentials to be rejected or expired ones to be accepted.</P>
358        <LI><P CLASS="western" ALIGN=JUSTIFY>Access to a web server if
359        security for web based applications is required.  The web server
360        must be able to be configured to support HTTPS.</P>
361        <LI><P CLASS="western" ALIGN=JUSTIFY>[MySQL 3.23 or greater or
362        Postgres – these are optional and are required for the NDG
363        CredentialRepository only]</P>
364        <LI><P CLASS="western" ALIGN=JUSTIFY>Python 2.4 or later</P>
365        <LI><P CLASS="western" ALIGN=JUSTIFY>Python setuptools utility</P>
366        <LI><P CLASS="western" ALIGN=JUSTIFY>OpenSSL is required at version
367        0.9.8 or greater</P>
368        <LI><P CLASS="western" ALIGN=JUSTIFY>SWIG 1.3.24 or later (for
369        M2Crypto Python OpenSSL wrapper)</P>
370</UL>
371<P CLASS="western" ALIGN=JUSTIFY STYLE="margin-left: 0.64cm">Also
372note the document <I>NDG Security - Security Measures for Installation</I>
373 (see Ref 9 in Section 1 above).</P>
374<H2 CLASS="western"><A NAME="2.2.Deployment Model|outline"></A>2.2Deployment
375Model</H2>
376<P CLASS="western" ALIGN=JUSTIFY>The following diagram gives an
377example deployment configuration for NDG security services.</P>
378<P CLASS="western" ALIGN=JUSTIFY><IMG SRC="NDGSecurityInstallationGuide_html_m1b1d83c.png" NAME="graphics1" ALIGN=BOTTOM WIDTH=611 HEIGHT=614 BORDER=0></P>
379<P CLASS="western" ALIGN=JUSTIFY>All services are positioned behind
380the firewall.  MyProxy is installed on a dedicated machine in order
381to make its repository as secure as possible.  MyProxy should accept
382connections only from the Session Manager web service and only over the
383internal network; enforce this with host or network firewall rules rather
384than relying on the network layout alone.</P>
384<P CLASS="western" ALIGN=JUSTIFY>In the above, security web services
385are run together on the same host but this does not have to be the
386case.  They can be run on separate servers.  Similarly, the web
387server is on a separate host but could be run on the same machine as
388the web services if it was felt to be appropriate.</P>
389<P CLASS="western" ALIGN=JUSTIFY>In the above diagram Attribute
390Authority accesses a user database.  It is assumed that the target
391site has a database to store user and user role/access right
392information.  This information needn’t be stored by means of a
393database and could be represented in some other way.  It is for the
394data provider to decide.  Similarly, the Session Manager web service
395interfaces with a Credential Repository.   This is a database in the
396above but could be some other kind of permanent store.</P>
397<P CLASS="western" ALIGN=JUSTIFY>Databases are on a separate server
398to the web services host.  Web services access the databases over the
399internal network.  Finally, the web services have ports exposed
400through the firewall to enable communication with other NDG
401security web services at other sites.  Open only the specific service
402ports that are needed and, where practical, restrict them to the
403addresses of the peer NDG sites.</P>
402<H1 CLASS="western"><A NAME="3.Software Installation Components|outline"></A>
4033.Software Installation Components</H1>
404<P CLASS="western" ALIGN=JUSTIFY>Python software is packaged using
405distutils eggs.   These are divided into separate components to suit
406the particular installation required:</P>
407<UL>
408        <LI VALUE=1><P CLASS="western" ALIGN=LEFT>ndg_security_server –
409        components required to run services</P>
410        <LI><P CLASS="western" ALIGN=LEFT>ndg_security_common – components
411        required by both the server and client eggs</P>
412        <LI><P CLASS="western" ALIGN=LEFT>ndg_security_client – components
413        for building clients to NDG security services.  For example, a data
414        provider’s web application server would need these to enable the
415        securing of access to resources, or an organisation’s Identity
416        Provider would need these to authenticate users and allocate
417        authorisation attributes to them.</P>
418        <LI><P CLASS="western" ALIGN=LEFT>ndg_security_test – unit tests
419        for all components</P>
420        <LI><P CLASS="western" ALIGN=LEFT>ndg_security – install all:
421        client, server and common components</P>
422</UL>
423<P CLASS="western" ALIGN=JUSTIFY>Eggs rely on the distutils
424easy_install command to manage installation but NDG security uses an
425additional script ndg_security_install.py to install eggs and carry
426out the additional installation tasks to correctly configure the
427software.</P>
428<P CLASS="western" ALIGN=JUSTIFY>The following additional packages
429are required:</P>
430<UL>
431        <LI VALUE=1><P CLASS="western" ALIGN=JUSTIFY>Globus MyProxy 4.0.5
432        (or later) – source installer tar ball  may be downloaded from the
433        Globus site (<FONT COLOR="#0000ff"><U><A HREF="http://www.globus.org/toolkit/downloads/4.0.1/">http://www.globus.org/toolkit/downloads/4.0.1/</A></U></FONT>)</P>
434        <LI><P CLASS="western" ALIGN=JUSTIFY>Globus SimpleCA to enable the
435        MyProxy Certificate Authority.</P>
436</UL>
437<P CLASS="western" ALIGN=JUSTIFY STYLE="margin-left: 0.64cm">These
438two packages should be installed on the target host for MyProxy.</P>
439<H1 CLASS="western"><A NAME="4.Installation|outline"></A>4.Installation</H1>
440<P CLASS="western" ALIGN=JUSTIFY>This section is divided into the
441Python installation and MyProxy.  Note that you will almost certainly
442wish to install MyProxy on a separate secure server to the other
443Python based security services.</P>
444<H2 CLASS="western"><A NAME="4.1.Dependencies|outline"></A>4.1Dependencies</H2>
445<H3 CLASS="western"><A NAME="4.1.1.OpenSSL|outline"></A>4.1.1 OpenSSL</H3>
446<P CLASS="western" ALIGN=JUSTIFY>Before proceeding with the
447installation check that an up to date version of OpenSSL is
448installed:</P>
449<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
450        <COL WIDTH=596>
451        <TR>
452                <TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6">
453                        <P LANG="da-DK" STYLE="margin-bottom: 0cm"><BR>
454                        </P>
455                        <P LANG="da-DK"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
456                        openssl version</FONT></P>
457                </TD>
458        </TR>
459</TABLE>
460<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
461</P>
462<P CLASS="western" ALIGN=JUSTIFY>0.9.8 or greater is required; use the
463most recent patched release available for your platform.  Should you need
464to upgrade, OpenSSL is available from
465<A HREF="https://www.openssl.org/source/">https://www.openssl.org/source/</A>.
466 Once downloaded, verify the tarball against the published checksum or
467signature, then unpack it and follow the installation instructions.</P>
467<H3 CLASS="western"><A NAME="4.1.2.SWIG|outline"></A>4.1.2 SWIG</H3>
468<P CLASS="western">SWIG is a tool to help with bindings from C/C++ to
469interpreted languages such as Python.  The Python OpenSSL wrapper
470M2Crypto uses it and version 1.3.24 or later is required.  Downloads
471are available from, <A HREF="http://www.swig.org/">http://www.swig.org</A>.</P>
472<H2 CLASS="western"><A NAME="4.2.Python Packages|outline"></A>4.2
473Python Packages</H2>
474<P CLASS="western" ALIGN=JUSTIFY>Log in to the target host as <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">root</SPAN></FONT>.
475 Change to a suitable directory to hold temporary installation files.
476 
477</P>
478<H3 CLASS="western"><A NAME="4.2.1.setuptools|outline"></A>4.2.1
479setuptools</H3>
480<P CLASS="western" ALIGN=JUSTIFY>The first step is to install Python
481setuptools, the package that enables the use of Python eggs.
482Download the setuptools bootstrap script.  Note that the command below
483fetches it over plain HTTP and the script is subsequently executed as
484root, so obtain it from a trusted source (over HTTPS where available) and
485check it against a known-good copy or published checksum before running it:</P>
483<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
484        <COL WIDTH=596>
485        <TR>
486                <TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6">
487                        <P LANG="da-DK" STYLE="margin-bottom: 0cm"><BR>
488                        </P>
489                        <P LANG="da-DK"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
490                        wget http://peak.telecommunity.com/dist/ez_setup.py</FONT></P>
491                </TD>
492        </TR>
493</TABLE>
494<P CLASS="western" ALIGN=LEFT><BR><BR>
495</P>
496<P CLASS="western" ALIGN=JUSTIFY>You may need to set the environment
497variable for an HTTP proxy at your site.  For example,</P>
498<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
499        <COL WIDTH=596>
500        <TR>
501                <TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6">
502                        <P STYLE="margin-bottom: 0cm"><BR>
503                        </P>
504                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
505                        export http_proxy=http://yourproxyurl.com:8080</FONT></P>
506                </TD>
507        </TR>
508</TABLE>
509<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
510</P>
511<P CLASS="western" ALIGN=JUSTIFY>Run the bootstrap script.  Make sure
512to use the correct version of python in your system path.  Some
513systems may have multiple python versions installed:</P>
514<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
515        <COL WIDTH=596>
516        <TR>
517                <TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6">
518                        <P STYLE="margin-bottom: 0cm"><BR>
519                        </P>
520                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
521                        python ez_setup.py</FONT></P>
522                </TD>
523        </TR>
524</TABLE>
525<P CLASS="western"><BR><BR>
526</P>
527<P CLASS="western">Once completed, you can delete <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ez_setup.py</SPAN></FONT>.</P>
528<H3 CLASS="western"><A NAME="4.2.2.NDG Security Packages|outline"></A>
5294.2.2 NDG Security Packages</H3>
530<P CLASS="western" ALIGN=JUSTIFY>NDG Security uses a wrapper around
531the distutils <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">easy_install</SPAN></FONT>
532tool so that its custom installation steps are carried out correctly.
533Download the script from the NDG distribution site:</P>
534<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
535        <COL WIDTH=596>
536        <TR>
537                <TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6">
538                        <P LANG="da-DK" STYLE="margin-bottom: 0cm"><BR>
539                        </P>
540                        <P LANG="da-DK"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
541                        wget http://ndg.nerc.ac.uk/dist/ndg-security-install.py</FONT></P>
542                </TD>
543        </TR>
544</TABLE>
545<P LANG="da-DK" CLASS="western" ALIGN=JUSTIFY><BR><BR>
546</P>
547<P CLASS="western" ALIGN=JUSTIFY>Now carry out the installation of
548the NDG security python packages:</P>
549<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
550        <COL WIDTH=596>
551        <TR>
552                <TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6">
553                        <P STYLE="margin-bottom: 0cm"><BR>
554                        </P>
555                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
556                        python ./ndg-security-install.py -a</FONT></P>
557                </TD>
558        </TR>
559</TABLE>
560<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
561</P>
562<P CLASS="western" ALIGN=JUSTIFY>The script options can be checked
563using the -h option.  -a selects all packages for installation.
564If there are problems with the installation, see the Troubleshooting
565Guide in the Appendices section 5.6.</P>
566<H2 CLASS="western"><A NAME="4.3.NDG Web Services Configuration|outline"></A>
5674.3 NDG Web Services Configuration</H2>
568<H3 CLASS="western"><A NAME="4.3.1.NDG Security System Configuration Files|outline"></A>
5694.3.1 NDG Security System Configuration Files</H3>
570<P CLASS="western" ALIGN=JUSTIFY>Properties files hold the
571configuration settings for the NDG Security <I>server side</I> components.
572Templates for these are contained within the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndg_security_server</SPAN></FONT>
573egg installed in your python distribution’s site-packages directory.
574A future version of the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndg-security-install.py</SPAN></FONT>
575script will extract these and install them at a suitable location on the
576file system.  For the moment though, this is a manual process.</P>
577<P CLASS="western" ALIGN=JUSTIFY>Create a configuration area under
578your server's <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/etc</SPAN></FONT>
579directory:</P>
580<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
581        <COL WIDTH=596>
582        <TR>
583                <TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6">
584                        <P STYLE="margin-bottom: 0cm"><BR>
585                        </P>
586                        <P LANG="da-DK"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
587                        mkdir /etc/ndg<BR>$ mkdir /etc/ndg/security</FONT></P>
588                </TD>
589        </TR>
590</TABLE>
591<P LANG="da-DK" CLASS="western" ALIGN=JUSTIFY><BR><BR>
592</P>
593<P CLASS="western" ALIGN=JUSTIFY>The Python security software locates <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/etc/ndg/security</SPAN></FONT>
594via the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">NDGSEC_DIR
595</SPAN></FONT>environment variable.  This variable can be set in the
596environment of the user account used to run the security services, or
597in the init scripts used to start the services automatically at
598server boot (see sections 4.4.2, 4.4.3 and 4.5.5).</P>
599<P CLASS="western" ALIGN=JUSTIFY>Locate the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndg_security_server</SPAN></FONT>
600egg and copy its <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">conf/</SPAN></FONT>
601directory into the configuration area.  For example if you are using
602python installed in <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/usr/local</SPAN></FONT>
603then the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">conf/</SPAN></FONT>
604directory will be in:</P>
605<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
606        <COL WIDTH=596>
607        <TR>
608                <TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6">
609                        <P STYLE="margin-bottom: 0cm"><BR>
610                        </P>
611                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">/usr/local/lib/python&lt;python
612                        version num&gt;/site-packages/ndg_security_server-&lt;version
613                        info&gt;.egg/ndg/security/server/conf</FONT></P>
614                </TD>
615        </TR>
616</TABLE>
617<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
618</P>
619<P CLASS="western" ALIGN=JUSTIFY>Copy as follows:</P>
620<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
621        <COL WIDTH=596>
622        <TR>
623                <TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6">
624                        <P STYLE="margin-bottom: 0cm"><BR>
625                        </P>
626                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ cp -r
627                        /usr/local/lib/python&lt;python version
628                        num&gt;/site-packages/ndg_security_server-&lt;version
629                        info&gt;.egg/ndg/security/server/conf /etc/ndg/security</FONT></P>
630                </TD>
631        </TR>
632</TABLE>
633<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
634</P>
635<P CLASS="western" ALIGN=JUSTIFY>The <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">conf/</SPAN></FONT>
636directory will contain these important files:</P>
637<UL>
638        <LI><P CLASS="western" ALIGN=JUSTIFY>Session Manager and Attribute
639        Authority properties XML files</P>
640        <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">openssl.conf</SPAN></FONT>
641        – used by the Session Manager to configure client connections to
642        MyProxy</P>
643        <LI><P CLASS="western" ALIGN=JUSTIFY>Special <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">.tac</SPAN></FONT>
644        configuration files loaded by the <I>Twisted</I> application server
645        used to run Session Manager and Attribute Authority services</P>
646        <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">certs/</SPAN></FONT>
647        directory for storing X.509 certificates</P>
648        <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">mapConfig.xml</SPAN></FONT>
649        for role mapping and other trust configuration parameters to enable
650        the Attribute Authority to operate with other trusted organisations
651        within NDG</P>
652        <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">attCertLog/</SPAN></FONT>
653        directory for storing Attribute Certificates issued by the Attribute
654        Authority.</P>
655        <LI><P CLASS="western" ALIGN=JUSTIFY>Logging configuration files:
656        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">sessionMgrLog.cfg
657        </SPAN></FONT>and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">attAuthorityLog.cfg</SPAN></FONT></P>
658</UL>
659<P CLASS="western" ALIGN=JUSTIFY>The default location for log files
660set in <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">sessionMgrLog.cfg</SPAN></FONT>
661and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">attAuthorityLog.cfg</SPAN></FONT>
662is <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/log</SPAN></FONT>.
663 Create this directory as follows:</P>
664<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
665        <COL WIDTH=596>
666        <TR>
667                <TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6">
668                        <P STYLE="margin-bottom: 0cm"><BR>
669                        </P>
670                        <P LANG="es-ES"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
671                        mkdir /etc/ndg/security/log</FONT></P>
672                </TD>
673        </TR>
674</TABLE>
675<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
676</P>
677<P CLASS="western" ALIGN=JUSTIFY>Note that it is possible to run the
678security web services under any specified system account and group.
679Ensure that this user has full access to <SPAN LANG="es-ES"><FONT FACE="Lucida Console">/etc/ndg/security</FONT>
680(and, since its <FONT FACE="Lucida Console">certs/</FONT> directory holds the services' private keys, that other accounts do not), e.g.</SPAN></P>
681<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
682        <COL WIDTH=596>
683        <TR>
684                <TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6">
685                        <P STYLE="margin-bottom: 0cm"><BR>
686                        </P>
687                        <P LANG="es-ES"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
688                        chown ndg:ndggroup -R /etc/ndg/security</FONT></P>
689                </TD>
690        </TR>
691</TABLE>
692<P LANG="es-ES" CLASS="western" ALIGN=JUSTIFY><BR><BR>
693</P>
694<H3 CLASS="western"><A NAME="4.3.2. Certificate Generation|outline"></A>
6954.3.2 Certificate Generation</H3>
696<P CLASS="western" ALIGN=JUSTIFY>The Session Manager and Attribute
697Authority web services require individual X.509 certificates as a
698means to identify them in the various interactions required for user
699registration, authentication and authorisation.  These may be created
700by similar means to the host certificate creation.</P>
701<P CLASS="western" ALIGN=JUSTIFY>Change directory to
702<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/conf/certs</SPAN></FONT>.
703 The certificates will be stored here.  Make a new private key and
704certificate request for the Session Manager:</P>
705<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
706        <COL WIDTH=610>
707        <TR>
708                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
709                        <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
710                        </P>
711                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
712                        openssl genrsa -out sm-key.pem 2048</FONT></P>
713                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
714                        chmod 400 sm-key.pem</FONT></P>
715                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
716                        openssl req -new -key sm-key.pem -out sm.csr</FONT></P>
717                        <P CLASS="western" ALIGN=LEFT><BR>
718                        </P>
719                </TD>
720        </TR>
721</TABLE>
722<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
723</P>
724<P CLASS="western" ALIGN=JUSTIFY>The private key may be password
725protected if required by adding the -des3 option to the genrsa
726command.  Type in a password when prompted.  The req command will
727prompt you for the components of the Distinguished Name for the new
728certificate.  When prompted for the Common Name, enter
729‘SessionManager’.  The other fields can be set as required but by
730convention for NDG, the Organisation field has been set to NDG and
731the Organisation Unit to the individual data provider name e.g. BADC.
732All other fields have been omitted.  You can skip individual fields
733by entering ‘.’ when prompted.</P>
734<P CLASS="western" ALIGN=JUSTIFY>Forward the request file to the
735appropriate CA.  This could be your SimpleCA created for use with
736MyProxy – see the MyProxy installation section.  The CA will issue a
737certificate file.  Copy this file as
738<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/conf/certs/sm-cert.pem</SPAN></FONT>.
739The request
740file can be deleted once a certificate has been obtained from
741the CA.</P>
742<P CLASS="western" ALIGN=JUSTIFY>Repeat this process for the
743Attribute Authority, selecting ‘AttributeAuthority’ for the
744Common Name<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">.</SPAN></FONT></P>
745<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
746        <COL WIDTH=610>
747        <TR>
748                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
749                        <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
750                        </P>
751                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
752                        openssl genrsa -out aa-key.pem 2048</FONT></P>
753                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
754                        chmod 400 aa-key.pem</FONT></P>
755                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
756                        openssl req -new -key aa-key.pem -out aa.csr</FONT></P>
757                        <P CLASS="western" ALIGN=LEFT><BR>
758                        </P>
759                </TD>
760        </TR>
761</TABLE>
762<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
763</P>
764<P CLASS="western" ALIGN=JUSTIFY>It is recommended that the Session
765Manager is run over https to keep user login credentials secured.   A
766server certificate and key will be required in addition to enable
767this. 
768</P>
769<P CLASS="western" ALIGN=JUSTIFY>If required, a certificate could be
770issued from your SimpleCA.  Follow the same procedure as used for the
771Session Manager and Attribute Authority above, creating a private key
772and certificate request.  The private key should be generated without
773a password.  When generating the certificate request ensure that the
774Common Name is set to the fully qualified name of the server host.</P>
775<P CLASS="western" ALIGN=JUSTIFY>Once available the certificate and
776private key can be added to the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/conf/certs
777<FONT FACE="Helvetica, sans-serif">directory and can be </FONT><FONT FACE="Helvetica, sans-serif">referenced
778by the Session Manager’s properties file with the </FONT><FONT FACE="Lucida Console">sslCertFile</FONT><FONT FACE="Helvetica, sans-serif">
779and </FONT><FONT FACE="Lucida Console">sslKeyFile</FONT><FONT FACE="Helvetica, sans-serif">
780elements respectively.</FONT></SPAN></FONT></P>
781<P CLASS="western" ALIGN=JUSTIFY>A copy of the NDG Certificate
782Authority’s X.509 certificate is also required.  Obtain this from
783the NDG CA administrator and copy it into the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/conf/certs
784</SPAN></FONT>directory.</P>
785<P CLASS="western" STYLE="background: #cccccc">Note that all other
786trusted NDG partner organisations MUST have copies of your CA
787certificate.  If they don't, the partner organisations' NDG Security
788infrastructures will reject requests from your security services.
789CA certificates are referenced in the Attribute Authority and Session
790Manager properties file settings  <FONT FACE="Lucida Console, DejaVu Sans Mono, sans-serif"><FONT SIZE=2>sslCACertDir</FONT><FONT SIZE=2 STYLE="font-size: 9pt">
791</FONT></FONT><FONT SIZE=2><FONT FACE="Helvetica, sans-serif">and
792</FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, sans-serif">caCertFileList</FONT></FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, sans-serif"><FONT SIZE=2 STYLE="font-size: 9pt">.</FONT></FONT><FONT SIZE=2><FONT FACE="Helvetica, sans-serif">
793 Configuration for Gatekeepers may also need to reference your CA
794certificate.</FONT></FONT></P>
795<H2 CLASS="western"><A NAME="4.4.Session Manager Configuration|outline"></A>
7964.4 Session Manager Configuration</H2>
797<P CLASS="western" ALIGN=JUSTIFY>Configuration parameters may be set
798via a properties file.  In addition, the Session Manager can
799optionally make use of a Credential Repository database.  This
800enables the credentials that users acquire during a session to be
801stored so that they may be retrieved.  When installed, the default
802configuration set in the Session Manager Properties file is to <I>not</I>
803use a Credential Repository.  If this is the case, skip section
8044.4.1 below.</P>
805<H3 CLASS="western"><A NAME="_Ref156702859"></A><A NAME="4.4.1.Session Manager Credential Repository|outline"></A>
8064.4.1 Session Manager Credential Repository</H3>
807<P CLASS="western" ALIGN=JUSTIFY>Create the Credential Repository
808database.  In the example below a MySQL database is assumed.   Notes
809on installing MySQL are given in the Appendices section 5.2.
810</P>
811<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
812        <COL WIDTH=610>
813        <TR>
814                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
815                        <P STYLE="margin-bottom: 0cm"><BR>
816                        </P>
817                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
818                        mysql -u root -p</FONT></P>
819                        <P CLASS="western" ALIGN=JUSTIFY>mysql&gt; create database
820                        ndgCredRepos;</P>
821                        <P><BR>
822                        </P>
823                </TD>
824        </TR>
825</TABLE>
826<P CLASS="western" ALIGN=JUSTIFY><BR>Use the script
827init-credrepos-db to create the tables.  As the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">globus</SPAN></FONT>
828user, run the script.  Enter the password for the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndgUser</SPAN></FONT>
829account when prompted and type <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">yes</SPAN></FONT>
830to confirm creation of the tables:</P>
831<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
832        <COL WIDTH=610>
833        <TR>
834                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
835                        <P STYLE="margin-bottom: 0cm"><BR>
836                        </P>
837                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
838                        init-credrepos-db -u root</FONT></P>
839                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Database
840                        password:</FONT></P>
841                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Are
842                        you sure you want to initialise the database tables? (yes/no) yes</FONT></P>
843                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Tables
844                        created</FONT></P>
845                        <P STYLE="margin-bottom: 0cm"><BR>
846                        </P>
847                        <P><BR>
848                        </P>
849                </TD>
850        </TR>
851</TABLE>
852<P CLASS="western" ALIGN=JUSTIFY><BR>To check that the tables have
853been created, restart the database client:</P>
854<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
855        <COL WIDTH=610>
856        <TR>
857                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
858                        <P STYLE="margin-bottom: 0cm"><BR>
859                        </P>
860                        <P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm">$
861                        mysql -u root -p -D ndgCredRepos</P>
862                        <P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm">mysql&gt;
863                        show tables;</P>
864                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">+------------------------+</FONT></FONT></P>
865                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">|
866                        Tables_in_ndgCredRepos |</FONT></FONT></P>
867                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">+------------------------+</FONT></FONT></P>
868                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">|
869                        UserCredential         |</FONT></FONT></P>
870                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">|
871                        UserID                 |</FONT></FONT></P>
872                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">+------------------------+</FONT></FONT></P>
873                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">2
874                        rows in set (0.00 sec)</FONT></FONT></P>
875                        <P><BR>
876                        </P>
877                </TD>
878        </TR>
879</TABLE>
880<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
881</P>
882<P CLASS="western" ALIGN=JUSTIFY>A separate account should be created
883for the Session Manager to access the database.  It should have
884sufficient permissions to be able to read and write records.  For
885details of how to create an account in MySQL see the Appendices
886section 5.2.9.</P>
887<H3 CLASS="western"><A NAME="4.4.2.Session Manager Properties File Settings|outline"></A>
8884.4.2 Session Manager Properties File Settings</H3>
889<P CLASS="western" ALIGN=JUSTIFY>Edit <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">sessionMgrProperties.xml</SPAN></FONT>
890in <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/conf</SPAN></FONT>
891and modify the default settings:</P>
892<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
893        <COL WIDTH=610>
894        <TR>
895                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
896                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;?xml
897                        version=&quot;1.0&quot; encoding=&quot;utf-8&quot;?&gt;</FONT></FONT></P>
898                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;sessMgrProp&gt;</FONT></FONT></P>
899                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;portNum&gt;&lt;/portNum&gt;</FONT></FONT></P>
900                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;useSSL&gt;Yes&lt;/useSSL&gt;
901                        &lt;!-- leave blank to use http --&gt;</FONT></FONT></P>
902                        <P STYLE="margin-bottom: 0cm">   
903                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;sslCertFile&gt;$NDGSEC_DIR/conf/certs/server-cert.pem&lt;/sslCertFile&gt;</FONT></FONT></P>
904                        <P STYLE="margin-bottom: 0cm">   
905                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;sslKeyFile&gt;$NDGSEC_DIR/conf/certs/server-key.pem
906                        &lt;/sslKeyFile&gt;</FONT></FONT></P>
907                        <P STYLE="margin-bottom: 0cm">   <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Lucida Console, DejaVu Sans Mono, sans-serif">&lt;!--
908                        <BR>    Directory containing CA cert.s to verify SSL peer cert
909                        against - ignored if useSSL is blank --&gt;<BR>   
910                        &lt;sslCACertDir&gt;$NDGSEC_DIR/conf/certs/ca&lt;/sslCACertDir&gt;<BR>
911                           </FONT>&lt;!--</FONT></FONT></P>
912                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">PKI
913                        settings for signature of outbound SOAP messages</FONT></FONT></P>
914                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--&gt;</FONT></FONT></P>
915                        <P STYLE="margin-bottom: 0cm">   
916                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;useSignatureHandler&gt;Yes&lt;/useSignatureHandler&gt;
917                        &lt;!-- leave blank for no signature --&gt;</FONT></FONT></P>
918                        <P STYLE="margin-bottom: 0cm">   
919                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;certFile&gt;$NDGSEC_DIR/conf/certs/sm-cert.pem&lt;/certFile&gt;</FONT></FONT></P>
920                        <P STYLE="margin-bottom: 0cm">   
921                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;keyFile&gt;$NDGSEC_DIR/conf/certs/sm-key.pem&lt;/keyFile&gt;</FONT></FONT></P>
922                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;keyPwd&gt;&lt;/keyPwd&gt;</FONT></FONT></P>
923                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, sans-serif"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!--
924                        </FONT></FONT>
925                        </P>
926                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Lucida Console, DejaVu Sans Mono, sans-serif">CA
927                        Certificates used to verify X.509 certs used in peer SOAP
928                        messages,<BR>    SSL connections and Attribute Certificates<BR>   
929                        --&gt;<BR>    &lt;caCertFileList&gt;<BR>       
930                        &lt;caCertFile&gt;$NDGSEC_DIR/conf/certs/cacert.pem&lt;/caCertFile&gt;<BR>
931                           &lt;/caCertFileList&gt;<BR></FONT>    &lt;!-- </FONT></FONT>
932                        </P>
933                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">Set
934                        the certificate used to verify the signature of messages from the </FONT></FONT>
935                        </P>
936                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">client.
937                         This can usually be left blank since the client is expected to </FONT></FONT>
938                        </P>
939                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">include
940                        the cert with the signature in the inbound SOAP message</FONT></FONT></P>
941                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--&gt;</FONT></FONT></P>
942                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;clntCertFile&gt;&lt;/clntCertFile&gt;
943                           </FONT></FONT>
944                        </P>
945                        <P STYLE="margin-bottom: 0cm">   
946                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;sessMgrEncrKey&gt;&lt;/sessMgrEncrKey&gt;</FONT></FONT></P>
947                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;sessMgrURI&gt;&lt;/sessMgrURI&gt;</FONT></FONT></P>
948                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;cookieDomain&gt;&lt;/cookieDomain&gt;</FONT></FONT></P>
949                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;myProxyProp&gt;</FONT></FONT></P>
950                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!--
951                        </FONT></FONT>
952                        </P>
953                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">Delete
954                        this element and take setting from MYPROXY_SERVER environment </FONT></FONT>
955                        </P>
956                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">variable
957                        if required</FONT></FONT></P>
958                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--&gt;</FONT></FONT></P>
959                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;hostname&gt;ENTER
960                        THE FULLY QUALIFIED HOSTNAME OF THE SERVER&lt;/hostname&gt;</FONT></FONT></P>
961                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!--
962                        </FONT></FONT>
963                        </P>
964                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">Delete
965                        this element to take default setting 7512 or read </FONT></FONT>
966                        </P>
967                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><SPAN LANG="fr-FR">MYPROXY_SERVER_PORT
968                        setting</SPAN></FONT></FONT></P>
969                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--&gt;</FONT></FONT></P>
970                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm">         
971                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;port&gt;7512&lt;/port&gt;</FONT></FONT></P>
972                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!--</FONT></FONT></P>
973                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">Useful
974                        if hostname and certificate CN don't match correctly.  Globus </FONT></FONT>
975                        </P>
976                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">host
977                        DN is set to &quot;host/&lt;fqdn&gt;&quot;.  Delete this element
978                        and set from </FONT></FONT>
979                        </P>
980                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">MYPROXY_SERVER_DN
981                        environment variable if preferred</FONT></FONT></P>
982                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;serverDN&gt;&lt;/serverDN&gt;</FONT></FONT></P>
983                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--&gt;</FONT></FONT></P>
984                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!--</FONT></FONT></P>
985                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">Set
986                        &quot;host/&quot; prefix to host cert CN as is default with globus</FONT></FONT></P>
987                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--&gt;</FONT></FONT></P>
988                        <P STYLE="margin-bottom: 0cm">         
989                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;serverCNprefix&gt;host/&lt;/serverCNprefix&gt; </FONT></FONT></P>
990                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!--</FONT></FONT></P>
991                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">This
992                        directory path is used to locate the OpenSSL configuration file</FONT></FONT></P>
993                        <P STYLE="margin-bottom: 0cm">           
994                        </P>
995                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">The
996                        settings are used to set up the defaults for the Distinguished
997                        Name of</FONT></FONT></P>
998                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">the
999                        new proxy cert. issued </FONT></FONT>
1000                        </P>
1001                        <P STYLE="margin-bottom: 0cm">           
1002                        </P>
1003                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">GLOBUS_LOCATION
1004                        or GRID_SECURITY_DIR environment variables may be used</FONT></FONT></P>
1005                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">but
1006                        the settings can be independent of any Globus installation</FONT></FONT></P>
1007                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><BR>
1008                                  --&gt;</FONT></FONT></P>
1009                        <P STYLE="margin-bottom: 0cm">         
1010                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;openSSLConfFilePath&gt;$NDGSEC_DIR/conf/openssl.conf&lt;/openSSLConfFilePath&gt;</FONT></FONT></P>
1011                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;tmpDir&gt;/tmp&lt;/tmpDir&gt;</FONT></FONT></P>
1012                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!--
1013                        </FONT></FONT>
1014                        </P>
1015                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">     
1016                                  Limit on maximum lifetime any proxy certificate can have
1017                        - </FONT></FONT>
1018                        </P>
1019                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">     
1020                                  specified when a certificate is first created by store()
1021                        method</FONT></FONT></P>
1022                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--&gt;</FONT></FONT></P>
1023                        <P STYLE="margin-bottom: 0cm">         
1024                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;proxyCertMaxLifetime&gt;24&lt;/proxyCertMaxLifetime&gt;
1025                        &lt;!-- in hours --&gt;</FONT></FONT></P>
1026                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!--
1027                        </FONT></FONT>
1028                        </P>
1029                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">     
1030                                  Life time of a proxy certificate when issued from the
1031                        Proxy Server </FONT></FONT>
1032                        </P>
1033                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">     
1034                                  with getDelegation() method</FONT></FONT></P>
1035                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">     
1036                                  --&gt;</FONT></FONT></P>
1037                        <P STYLE="margin-bottom: 0cm">         
1038                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;proxyCertLifetime&gt;8&lt;/proxyCertLifetime&gt;
1039                        &lt;!-- in hours --&gt;</FONT></FONT></P>
1040                        <P STYLE="margin-bottom: 0cm">         
1041                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><SPAN LANG="fr-FR">&lt;caCertFile&gt;$NDGSEC_DIR/conf/certs/cacert.pem&lt;/caCertFile&gt;</SPAN></FONT></FONT></P>
1042                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">        &lt;/myProxyProp&gt;</FONT></FONT></P>
1043                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">        &lt;simpleCACltProp&gt;
1044                        </FONT></FONT>
1045                        </P>
1046                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">       
1047                           &lt;uri&gt;&lt;/uri&gt;</FONT></FONT></P>
1048                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm">       
1049                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;xmlSigKeyFile&gt;&lt;/xmlSigKeyFile&gt;</FONT></FONT></P>
1050                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm">       
1051                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;xmlSigCertFile&gt;&lt;/xmlSigCertFile&gt;</FONT></FONT></P>
1052                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm">       
1053                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;xmlSigCertPwd&gt;&lt;/xmlSigCertPwd&gt;</FONT></FONT></P>
1054                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;/simpleCACltProp&gt;</FONT></FONT></P>
1055                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">        &lt;!--</FONT></FONT></P>
1056                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">        &lt;simpleCASrvProp&gt;</FONT></FONT></P>
1057                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">       
1058                           &lt;certExpiryDate&gt;&lt;/certExpiryDate&gt;</FONT></FONT></P>
1059                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">       
1060                           &lt;certLifetimeDays&gt;&lt;/certLifetimeDays&gt;</FONT></FONT></P>
1061                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">       
1062                           &lt;certTmpDir&gt;&lt;/certTmpDir&gt;</FONT></FONT></P>
1063                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">       
1064                           &lt;caCertFile&gt;&lt;/caCertFile&gt;</FONT></FONT></P>
1065                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">       
1066                           &lt;signExe&gt;&lt;/signExe&gt;</FONT></FONT></P>
1067                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">       
1068                           &lt;path&gt;&lt;/path&gt;</FONT></FONT></P>
1069                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">        &lt;/simpleCASrvProp&gt;</FONT></FONT></P>
1070                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">        --&gt;</FONT></FONT></P>
1071                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;credReposProp&gt;</FONT></FONT></P>
1072                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">       
1073                           &lt;modFilePath&gt;&lt;/modFilePath&gt;</FONT></FONT></P>
1074                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">       
1075                           &lt;modName&gt;ndg.security.common.CredWallet&lt;/modName&gt;</FONT></FONT></P>
1076                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">       
1077                           &lt;className&gt;NullCredRepos&lt;/className&gt;</FONT></FONT></P>
1078                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">       
1079                           &lt;propFile&gt;&lt;/propFile&gt;</FONT></FONT></P>
1080                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;/credReposProp&gt;</FONT></FONT></P>
1081                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;/sessMgrProp&gt;</FONT></FONT></P>
1082                        <P> 
1083                        </P>
1084                </TD>
1085        </TR>
1086</TABLE>
1087<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
1088</P>
1089<P CLASS="western" ALIGN=JUSTIFY><B>Notes</B></P>
1090<UL>
1091        <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB"><FONT FACE="Helvetica, sans-serif">The
1092        property file reading software will expand any environment variables
1093        included in the file.</FONT></SPAN></FONT></P>
1094        <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">openssl.conf<FONT FACE="Helvetica, sans-serif">
1095        file uses the standard OpenSSL configuration file format.  It is
1096        used by the Session Manager MyProxy client to formulate a
1097                        certificate request for a proxy certificate generated for a user's
1098                        session when they log in.  An example is given below.  Note that the example keeps the legacy SSLeay sample defaults (default_md = md5, default_bits = 1024); check these against current policy before deploying it.  The important
1099                        section to reference is </FONT>[ req_distinguished_name ]</SPAN></FONT></P>
1100</UL>
1101<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
1102</P>
1103<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1104        <COL WIDTH=610>
1105        <TR>
1106                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
1107                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#</FONT></FONT></P>
1108                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#
1109                        SSLeay example configuration file.</FONT></FONT></P>
1110                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#
1111                        This is mostly being used for generation of certificate requests.</FONT></FONT></P>
1112                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#</FONT></FONT></P>
1113                        <P STYLE="margin-bottom: 0cm"><BR>
1114                        </P>
1115                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">RANDFILE
1116                                       = $ENV::HOME/.rnd</FONT></FONT></P>
1117                        <P STYLE="margin-bottom: 0cm"><BR>
1118                        </P>
1119                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">####################################################################</FONT></FONT></P>
1120                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">[
1121                        ca ]</FONT></FONT></P>
1122                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">default_ca
1123                             = CA_default            # The default ca section</FONT></FONT></P>
1124                        <P STYLE="margin-bottom: 0cm"><BR>
1125                        </P>
1126                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">####################################################################</FONT></FONT></P>
1127                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">[
1128                        CA_default ]</FONT></FONT></P>
1129                        <P STYLE="margin-bottom: 0cm"><BR>
1130                        </P>
1131                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">dir
1132                                    = ./demoCA              # Where everything is kept</FONT></FONT></P>
1133                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">certs
1134                                  = $dir/certs            # Where the issued certs are
1135                        kept</FONT></FONT></P>
1136                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">crl_dir
1137                                = $dir/crl              # Where the issued crl are kept</FONT></FONT></P>
1138                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">database
1139                               = $dir/index.txt        # database index file.</FONT></FONT></P>
1140                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">new_certs_dir
1141                          = $dir/newcerts         # default place for new certs.</FONT></FONT></P>
1142                        <P STYLE="margin-bottom: 0cm"><BR>
1143                        </P>
1144                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">certificate
1145                            = $dir/cacert.pem       # The CA certificate</FONT></FONT></P>
1146                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">serial
1147                                 = $dir/serial           # The current serial number</FONT></FONT></P>
1148                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">crl
1149                                    = $dir/crl.pem          # The current CRL</FONT></FONT></P>
1150                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">private_key
1151                            = $dir/private/cakey.pem# The private key</FONT></FONT></P>
1152                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">RANDFILE
1153                               = $dir/private/.rand    # private random number file</FONT></FONT></P>
1154                        <P STYLE="margin-bottom: 0cm"><BR>
1155                        </P>
1156                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">x509_extensions
1157                        = x509v3_extensions     # The extensions to add to the cert</FONT></FONT></P>
1158                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">default_days
1159                           = 365                   # how long to certify for</FONT></FONT></P>
1160                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">default_crl_days=
1161                        365 # DEE 30  # how long before next CRL</FONT></FONT></P>
1162                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">default_md
1163                             = md5                   # which md to use.</FONT></FONT></P>
1164                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">preserve
1165                               = no                    # keep passed DN ordering</FONT></FONT></P>
1166                        <P STYLE="margin-bottom: 0cm"><BR>
1167                        </P>
1168                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#
1169                        A few different ways of specifying how similar the request should
1170                        look</FONT></FONT></P>
1171                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#
1172                        For type CA, the listed attributes must be the same, and the
1173                        optional</FONT></FONT></P>
1174                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#
1175                        and supplied fields are just that :-)</FONT></FONT></P>
1176                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">policy
1177                                 = policy_match</FONT></FONT></P>
1178                        <P STYLE="margin-bottom: 0cm"><BR>
1179                        </P>
1180                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#
1181                        For the CA policy</FONT></FONT></P>
1182                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">[
1183                        policy_match ]</FONT></FONT></P>
1184                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">countryName
1185                                    = optional</FONT></FONT></P>
1186                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">stateOrProvinceName
1187                            = optional</FONT></FONT></P>
1188                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">organizationName
1189                               = match</FONT></FONT></P>
1190                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">organizationalUnitName
1191                         = optional</FONT></FONT></P>
1192                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">commonName
1193                                     = supplied</FONT></FONT></P>
1194                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">emailAddress
1195                                   = optional</FONT></FONT></P>
1196                        <P STYLE="margin-bottom: 0cm"><BR>
1197                        </P>
1198                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#
1199                        For the 'anything' policy</FONT></FONT></P>
1200                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#
1201                        At this point in time, you must list all acceptable 'object'</FONT></FONT></P>
1202                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#
1203                        types.</FONT></FONT></P>
1204                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">[
1205                        policy_anything ]</FONT></FONT></P>
1206                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">countryName
1207                                    = optional</FONT></FONT></P>
1208                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">stateOrProvinceName
1209                            = optional</FONT></FONT></P>
1210                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">localityName
1211                                   = optional</FONT></FONT></P>
1212                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">organizationName
1213                               = optional</FONT></FONT></P>
1214                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">organizationalUnitName
1215                         = optional</FONT></FONT></P>
1216                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">commonName
1217                                     = supplied</FONT></FONT></P>
1218                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">emailAddress
1219                                   = optional</FONT></FONT></P>
1220                        <P STYLE="margin-bottom: 0cm"><BR>
1221                        </P>
1222                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">####################################################################</FONT></FONT></P>
1223                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">[
1224                        req ]</FONT></FONT></P>
1225                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">default_bits
1226                                   = 1024</FONT></FONT></P>
1227                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">default_keyfile
1228                                = privkey.pem</FONT></FONT></P>
1229                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">distinguished_name
1230                             = req_distinguished_name</FONT></FONT></P>
1231                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">req_extensions
1232                                 = v3_req</FONT></FONT></P>
1233                        <P STYLE="margin-bottom: 0cm"><BR>
1234                        </P>
1235                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">[
1236                        req_distinguished_name ]</FONT></FONT></P>
1237                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#
1238                        BEGIN CONFIG</FONT></FONT></P>
1239                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">0.organizationName
1240                                      = Level 0 Organization</FONT></FONT></P>
1241                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">0.organizationName_default
1242                              = NDG</FONT></FONT></P>
1243                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">0.organizationalUnitName
1244                                 = Level 0 Organizational Unit</FONT></FONT></P>
1245                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">0.organizationalUnitName_default
1246                        = BADC</FONT></FONT></P>
1247                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#1.organizationalUnitName
1248                                 = Level 1 Organizational Unit</FONT></FONT></P>
1249                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#1.organizationalUnitName_default
1250                        = localdomain</FONT></FONT></P>
1251                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">commonName
1252                                             = Name (e.g., John M. Smith)</FONT></FONT></P>
1253                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">commonName_max
1254                                         = 64</FONT></FONT></P>
1255                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#
1256                        END CONFIG</FONT></FONT></P>
1257                        <P STYLE="margin-bottom: 0cm"><BR>
1258                        </P>
1259                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">[
1260                        v3_req ]</FONT></FONT></P>
1261                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">nsCertType
1262                                             = objsign,email,server,client</FONT></FONT></P>
1263                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">basicConstraints
1264                                       = critical,CA:false</FONT></FONT></P>
1265                        <P><BR>
1266                        </P>
1267                </TD>
1268        </TR>
1269</TABLE>
<P CLASS="western" ALIGN=JUSTIFY>Note that the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">[ req ]</SPAN></FONT>
section above sets <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">default_bits = 1024</SPAN></FONT>.
1024-bit RSA keys are no longer considered adequate; if this
configuration is used to generate keys for a production service, raise
<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">default_bits</SPAN></FONT>
to at least 2048 before generating any key.  Keep the
<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">basicConstraints = critical,CA:false</SPAN></FONT>
setting in <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">[ v3_req ]</SPAN></FONT>:
it prevents a certificate issued from such a request from being used
as a CA.  <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">nsCertType</SPAN></FONT>
is a legacy Netscape extension; current software generally relies on
<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">keyUsage</SPAN></FONT>
and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">extendedKeyUsage</SPAN></FONT>
instead.</P>
<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
</P>
1272<H3 CLASS="western"><A NAME="_Ref175134983"></A><A NAME="_Ref179772391"></A><A NAME="4.4.3.SysV-style Boot Script|outline"></A>
12734.4.3 SysV-style Boot Script</H3>
1274<P CLASS="western" ALIGN=JUSTIFY>The Session Manager can be
1275configured to start up at system boot of the host machine.  A SysV
1276style start up script <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndg-sm</SPAN></FONT>
1277is provided in the installation in:</P>
1278<P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/usr/local/lib/python</SPAN></FONT>&lt;python
1279version num&gt;<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/site-packages/ndg_security_server</SPAN></FONT>-&lt;version
1280info&gt;<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">.egg/ndg/security/server/share
1281 </SPAN></FONT>
1282</P>
1283<P CLASS="western" ALIGN=JUSTIFY>To configure, install this file:</P>
1284<TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1285        <COL WIDTH=602>
1286        <TR>
1287                <TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0">
1288                        <P STYLE="margin-bottom: 0cm"><BR>
1289                        </P>
1290                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1291                        cp /usr/local/lib/python&lt;python version
1292                        num&gt;/site-packages/ndg_security_server-&lt;version
1293                        info&gt;.egg/ndg/security/server<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">
1294                        /share/ndg-sm /etc/rc.d/init.d</SPAN></FONT></FONT></P>
1295                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$
1296                        chkconfig --add ndg-sm</SPAN></FONT></FONT></P>
1297                        <P><BR>
1298                        </P>
1299                </TD>
1300        </TR>
1301</TABLE>
1302<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
1303</P>
<P CLASS="western" ALIGN=JUSTIFY>Edit the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndg-sm</SPAN></FONT>
script so that it uses the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">NDGSEC_DIR</SPAN></FONT>
environment variable to point to the correct location of the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">.tac</SPAN></FONT>
file in the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">conf/</SPAN></FONT>
directory. The script also has user and group ID settings which allow
the service to run under an account other than root; running it as a
dedicated unprivileged account rather than as root is recommended.  If
these are used, ensure that <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR</SPAN></FONT>
is readable by that account, and that any private key files it
contains are not readable by other users. 
</P>
1312<P CLASS="western" ALIGN=JUSTIFY>Note that the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">chkconfig</SPAN></FONT>
1313command may not be available on your target machine.  Please refer to
1314instructions for your particular Linux distribution.</P>
1315<H2 CLASS="western"><A NAME="4.5.Attribute Authority Configuration|outline"></A>
13164.5 Attribute Authority Configuration</H2>
1317<P CLASS="western" ALIGN=JUSTIFY>The Attribute Authority also has a
1318properties file for the setting of configuration parameters.</P>
1319<H3 CLASS="western"><A NAME="4.5.1.Attribute Authority Properties File Settings|outline"></A>
4.5.1 Attribute Authority Properties File Settings</H3>
1321<P CLASS="western" ALIGN=JUSTIFY>Edit <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">attAuthorityProperties.xml</SPAN></FONT>
1322in <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/conf</SPAN></FONT>
1323and modify the default settings:</P>
1324<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1325        <COL WIDTH=610>
1326        <TR>
1327                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
1328                        <P STYLE="margin-bottom: 0cm"><BR>
1329                        </P>
1330                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;?xml
1331                        version=&quot;1.0&quot; encoding=&quot;utf-8&quot;?&gt;</FONT></FONT></P>
1332                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;AAprop&gt;</FONT></FONT></P>
1333                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!--
1334                        </FONT></FONT>
1335                        </P>
1336                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">'name'
1337                        setting MUST agree with map config file 'thisHost' name attribute</FONT></FONT></P>
1338                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--&gt;</FONT></FONT></P>
1339                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;name&gt;Organisation
1340                        Identifier&lt;/name&gt; </FONT></FONT>
1341                        </P>
1342                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;portNum&gt;SELECT
1343                        A SUITABLE PORT NUMBER FOR RUNNING THE SERVICE&lt;/portNum&gt;</FONT></FONT></P>
1344                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!--</FONT></FONT></P>
1345                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">PKI
1346                        settings for transport level encryption</FONT></FONT></P>
1347                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--&gt;</FONT></FONT></P>
1348                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;useSSL&gt;&lt;/useSSL&gt;
1349                        &lt;!-- leave blank to use http --&gt;</FONT></FONT></P>
1350                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;sslCertFile&gt;&lt;/sslCertFile&gt;</FONT></FONT></P>
1351                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;sslKeyFile&gt;&lt;/sslKeyFile&gt;</FONT></FONT></P>
1352                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;sslKeyPwd&gt;&lt;/sslKeyPwd&gt;</FONT></FONT></P>
1353                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Lucida Console, DejaVu Sans Mono, sans-serif">&lt;!--
1354                        <BR>       Directory containing CA cert.s to verify SSL peer cert
1355                        against - ignored if useSSL is blank --&gt;<BR>     
1356                        &lt;sslCACertDir&gt;$NDGSEC_DIR/conf/certs/ca&lt;/sslCACertDir&gt;<BR></FONT>
1357                           &lt;!--</FONT></FONT></P>
1358                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">PKI
1359                        settings for signature of outbound SOAP messages</FONT></FONT></P>
1360                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--&gt;</FONT></FONT></P>
1361                        <P STYLE="margin-bottom: 0cm">   
1362                        <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;useSignatureHandler&gt;Yes&lt;/useSignatureHandler&gt;
1363                        &lt;!-- leave blank for no signature --&gt;</FONT></FONT></P>
1364                        <P STYLE="margin-bottom: 0cm">         <FONT FACE="Lucida Console, DejaVu Sans Mono, sans-serif"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!--
1365                        </FONT></FONT>
1366                        </P>
1367                        <P STYLE="margin-bottom: 0cm">         <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Lucida Console, DejaVu Sans Mono, sans-serif">CA
1368                        Certificates used to verify X.509 certs used in peer SOAP
1369                        messages,<BR>         SSL connections and Attribute Certificates<BR>
1370                                --&gt;<BR>        &lt;caCertFileList&gt;<BR>           
1371                        &lt;caCertFile&gt;$NDGSEC_DIR/conf/certs/cacert.pem&lt;/caCertFile&gt;<BR>
1372                               &lt;/caCertFileList&gt;<BR></FONT>   
1373                        &lt;keyFile&gt;$NDGSEC_DIR/conf/certs/aa-key.pem &lt;/keyFile&gt;</FONT></FONT></P>
1374                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;keyPwd&gt;&lt;/keyPwd&gt;</FONT></FONT></P>
1375                        <P STYLE="margin-bottom: 0cm">   
1376                        <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;caCertFile&gt;$NDGSEC_DIR/conf/certs/cacert.pem
1377                        &lt;/caCertFile&gt;</FONT></FONT></P>
1378                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!--
1379                        </FONT></FONT>
1380                        </P>
1381                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">Set
1382                        the certificate used to verify the signature of messages from the </FONT></FONT>
1383                        </P>
1384                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">client.
1385                         This can usually be left blank since the client is expected to </FONT></FONT>
1386                        </P>
1387                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">include
1388                        the cert with the signature in the inbound SOAP message</FONT></FONT></P>
1389                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--&gt;</FONT></FONT></P>
1390                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;clntCertFile&gt;&lt;/clntCertFile&gt;
1391                           </FONT></FONT>
1392                        </P>
1393                        <P STYLE="margin-bottom: 0cm">   
1394                        <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;attCertLifetime&gt;86400&lt;/attCertLifetime&gt;
1395                        &lt;!-- Measured in seconds --&gt;</FONT></FONT></P>
1396                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!--
1397                        </FONT></FONT>
1398                        </P>
1399                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">Allow
1400                        an offset for clock skew between servers running </FONT></FONT>
1401                        </P>
1402                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">security
1403                        services.  - Use minus sign for time in the past</FONT></FONT></P>
1404                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--&gt;</FONT></FONT></P>
1405                        <P STYLE="margin-bottom: 0cm">   
1406                        <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;attCertNotBeforeOff&gt;0&lt;/attCertNotBeforeOff&gt;</FONT></FONT></P>
1407                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!--
1408                        Location of role mapping file --&gt;</FONT></FONT></P>
1409                        <P STYLE="margin-bottom: 0cm">   
1410                        <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;mapConfigFile&gt;$NDGSEC_DIR/conf/mapConfig.xml&lt;/mapConfigFile&gt;</FONT></FONT></P>
1411                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!--
1412                        All Attribute Certificates issued are recorded in this dir --&gt;</FONT></FONT></P>
1413                        <P STYLE="margin-bottom: 0cm">   
1414                        <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;attCertDir&gt;$NDGSEC_DIR/conf/attCertLog&lt;/attCertDir&gt;</FONT></FONT></P>
1415                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!--
1416                        </FONT></FONT>
1417                        </P>
1418                        <P STYLE="margin-bottom: 0cm">     <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">Files
1419                        in attCertDir are stored using a rotating file handler</FONT></FONT></P>
1420                        <P STYLE="margin-bottom: 0cm">     <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">attCertFileLogCnt
1421                        sets the max number of files created before the first is</FONT></FONT></P>
1422                        <P STYLE="margin-bottom: 0cm">     <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">overwritten</FONT></FONT></P>
1423                        <P STYLE="margin-bottom: 0cm">     <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--&gt;</FONT></FONT></P>
1424                        <P STYLE="margin-bottom: 0cm">   
1425                        <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;attCertFileName&gt;ac.xml&lt;/attCertFileName&gt;</FONT></FONT></P>
1426                        <P STYLE="margin-bottom: 0cm">   
1427                        <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;attCertFileLogCnt&gt;1024&lt;/attCertFileLogCnt&gt;</FONT></FONT></P>
1428                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;dnSeparator&gt;/&lt;/dnSeparator&gt;</FONT></FONT></P>
1429                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!--
1430                        </FONT></FONT>
1431                        </P>
1432                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">Settings
1433                        for custom AAUserRoles derived class to get user roles for</FONT></FONT></P>
1434                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">given
1435                        user ID</FONT></FONT></P>
1436                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--&gt;</FONT></FONT></P>
1437                        <P STYLE="margin-bottom: 0cm">   
1438                        <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;userRolesModFilePath&gt;$NDGSEC_DIR/conf&lt;/userRolesModFilePath&gt;</FONT></FONT></P>
1439                        <P STYLE="margin-bottom: 0cm">   
1440                        <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;userRolesModName&gt;userRoles&lt;/userRolesModName&gt;</FONT></FONT></P>
1441                        <P STYLE="margin-bottom: 0cm">   
1442                        <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;userRolesClassName&gt;UserRoles&lt;/userRolesClassName&gt;</FONT></FONT></P>
1443                        <P STYLE="margin-bottom: 0cm">   
1444                        <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;userRolesPropFile&gt;$NDGSEC_DIR/conf/userRoles.cfg&lt;/userRolesPropFile&gt;</FONT></FONT></P>
1445                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;/AAprop&gt;</FONT></FONT></P>
1446                        <P> 
1447                        </P>
1448                </TD>
1449        </TR>
1450</TABLE>
<P CLASS="western" ALIGN=JUSTIFY>Several of these settings have
direct security consequences.  Leaving <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">useSSL</SPAN></FONT>
blank makes the service listen over plain http; the signature handler
(<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">useSignatureHandler</SPAN></FONT>)
authenticates and integrity-protects SOAP messages but does not
encrypt them, so for a production deployment set <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">useSSL</SPAN></FONT>
and supply <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">sslCertFile</SPAN></FONT>,
<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">sslKeyFile</SPAN></FONT>
and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">sslCACertDir</SPAN></FONT>.
<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">sslKeyPwd</SPAN></FONT>
and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">keyPwd</SPAN></FONT>
are stored in clear text in this file, and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">keyFile</SPAN></FONT>
names the Attribute Authority’s private signing key, so
<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">attAuthorityProperties.xml</SPAN></FONT>
and the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">certs/</SPAN></FONT>
directory must be readable only by the account the service runs
under.  The CA certificates in <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">caCertFileList</SPAN></FONT>
are the trust anchors against which the certificate carried in a
signed inbound SOAP message (<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">clntCertFile</SPAN></FONT>
is normally left blank) and the signatures on Attribute Certificates
are verified, so list only the CAs of sites you actually trust.
<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">attCertLifetime</SPAN></FONT>
(86400 seconds, i.e. 24 hours) bounds how long an issued Attribute
Certificate is honoured; use the shortest value your deployment
tolerates, and keep <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">attCertNotBeforeOff</SPAN></FONT>
small, with the server clocks synchronised, rather than using it to
mask clock drift.  Finally, <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">attCertDir</SPAN></FONT>
holds a record of every Attribute Certificate issued, which is useful
for audit but identifies users and the roles granted to them: protect
it like the rest of the configuration, and note that the rotating
handler overwrites the oldest file once <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">attCertFileLogCnt</SPAN></FONT>
files exist, so archive it if a longer audit trail is required.</P>
<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
</P>
1453<H3 CLASS="western"><A NAME="4.5.2.User Roles Interface|outline"></A>4.5.2
1454User Roles Interface</H3>
<P CLASS="western" ALIGN=JUSTIFY>Given a valid user proxy
certificate, the Attribute Authority serves an attribute certificate
containing authorisation roles for that user.  It is for the data
centre to determine how these roles map to the user’s identity, as
given by the Distinguished Name in the proxy certificate.
Typically, a data centre might have a user database which relates
user id to authorisation roles.</P>
<P CLASS="western" ALIGN=JUSTIFY>The Attribute Authority provides a
programmatic interface to determine the roles to user id
relationship.   A custom python class may be written to perform this
task.   See the Appendices section 5.5.  Note that the roles this
class returns for a user are what is placed in the Attribute
Certificate issued to that user, so it is security-critical code: the
lookup must be keyed on the Distinguished Name taken from the verified
proxy certificate, and changes to it should be reviewed in the same
way as changes to an access-control list.</P>
1466<H3 CLASS="western"><A NAME="4.5.3.Role Mapping|outline"></A>4.5.3
1467Role Mapping</H3>
<P CLASS="western" ALIGN=JUSTIFY>The role mapping file is stored in
the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/conf</SPAN></FONT>
directory as <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">mapConfig.xml</SPAN></FONT>.
 This is an XML file which relates local roles at the target data
centre to roles of other trusted data centres.  These role mappings
are made by agreement between data centres.  Each <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">trusted</SPAN></FONT>
entry widens the set of remote Attribute Authorities whose Attribute
Certificates are mapped into local roles, so add an entry only for a
site whose Attribute Authority you trust, and review each
<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">role</SPAN></FONT>
mapping as you would any other access-control rule.</P>
1474<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1475        <COL WIDTH=610>
1476        <TR>
1477                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
1478                        <P STYLE="margin-bottom: 0cm"><BR>
1479                        </P>
1480                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;?xml
1481                        version=&quot;1.0&quot; encoding=&quot;utf-8&quot;?&gt;</FONT></P>
1482                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;AAmap&gt;</FONT></P>
1483                        <P STYLE="margin-bottom: 0cm">     <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;thisHost
1484                        name=&quot;yourSiteIdentifier&quot;&gt;</FONT></P>
1485                        <P STYLE="margin-bottom: 0cm">         
1486                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;aaURI&gt;yourSiteAttAuthorityURI&lt;/aaURI&gt;</FONT></P>
1487                        <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;aaDN&gt;the
1488                        DN for the Attribute Authority’s X.509 Cert.&lt;/aaDN&gt;</FONT></P>
1489                        <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;loginURI&gt;Your
1490                        Site Login Page URI (https expected)&lt;/loginURI&gt;</FONT></P>
1491                        <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;loginServerDN&gt;The
1492                        DN of loginURI’s SSL cert.&lt;/loginServerDN&gt;</FONT></P>
1493                        <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;loginRequestServerDN&gt;</FONT></P>
1494                        <P STYLE="margin-bottom: 0cm">              <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">The
1495                        cert. DN for SSL server making a request to loginURI</FONT></P>
1496                        <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;/loginRequestServerDN&gt;</FONT></P>
1497                        <P STYLE="margin-bottom: 0cm">     <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;/thisHost&gt;</FONT></P>
1498                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;trusted
1499                        name=&quot;BODC&quot;&gt;</FONT></P>
1500                        <P STYLE="margin-bottom: 0cm">         
1501                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;aaURI&gt;bodcAttAuthorityURI&lt;/aaURI&gt;</FONT></P>
1502                        <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;aaDN&gt;the
1503                        DN for the Attribute Authority’s X.509 Cert.&lt;/aaDN&gt;</FONT></P>
1504                        <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;loginURI&gt;BODC’s
1505                        Login Page URI&lt;/loginURI&gt;</FONT></P>
1506                        <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;loginServerDN&gt;The
1507                        DN of loginURI’s SSL cert.&lt;/loginServerDN&gt;</FONT></P>
1508                        <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;loginRequestServerDN&gt;</FONT></P>
1509                        <P STYLE="margin-bottom: 0cm">              <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">The
1510                        cert. DN for SSL server making a request to loginURI</FONT></P>
1511                        <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;/loginRequestServerDN&gt;</FONT></P>
1512                        <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;role
1513                        remote=&quot;aBODCrole&quot; local=&quot;aLocalRole&quot;/&gt;</FONT></P>
1514                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;/trusted&gt;</FONT></P>
1515                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;trusted
1516                        name=&quot;NOCS&quot;&gt;</FONT></P>
1517                        <P STYLE="margin-bottom: 0cm">         
1518                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;aaURI&gt;nocsAttAuthorityURI&lt;/aaURI&gt;</FONT></P>
1519                        <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;aaDN&gt;the
1520                        DN for the Attribute Authority’s X.509 Cert.&lt;/aaDN&gt;</FONT></P>
1521                        <P STYLE="margin-bottom: 0cm">         
1522                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;loginURI&gt;nocsLoginPageURI&lt;/loginURI&gt;</FONT></P>
1523                        <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;loginServerDN&gt;The
1524                        DN of loginURI’s SSL cert.&lt;/loginServerDN&gt;</FONT></P>
1525                        <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;loginRequestServerDN&gt;</FONT></P>
1526                        <P STYLE="margin-bottom: 0cm">              <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">The
1527                        cert. DN for SSL server making a request to loginURI</FONT></P>
1528                        <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;/loginRequestServerDN&gt;</FONT></P>
1529                        <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;role
1530                        remote=&quot;aNOCSrole&quot; local=&quot;anotherLocalRole&quot;/&gt;</FONT></P>
1531                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;/trusted&gt;</FONT></P>
1532                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;trusted
1533                        name=&quot;NEODAAS&quot;&gt;</FONT></P>
1534                        <P STYLE="margin-bottom: 0cm">         
1535                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;aaURI&gt;neodaasAttAuthorityURI&lt;/aaURI&gt;</FONT></P>
1536                        <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;aaDN&gt;the
1537                        DN for the Attribute Authority’s X.509 Cert.&lt;/aaDN&gt;</FONT></P>
1538                        <P STYLE="margin-bottom: 0cm">         
1539                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;loginURI&gt;neodaasLoginPageURI&lt;/loginURI&gt;</FONT></P>
1540                        <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;loginServerDN&gt;The
1541                        DN of loginURI’s SSL cert.&lt;/loginServerDN&gt;</FONT></P>
1542                        <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;loginRequestServerDN&gt;</FONT></P>
1543                        <P STYLE="margin-bottom: 0cm">              <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">The
1544                        cert. DN for SSL server making a request to loginURI</FONT></P>
1545                        <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;/loginRequestServerDN&gt;</FONT></P>
1546                        <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;role
1547                        remote=&quot;neodaasRole&quot; local=&quot;yetAnotherLocalRole&quot;/&gt;</FONT></P>
1548                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;/trusted&gt;</FONT></P>
1549                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;/AAmap&gt;</FONT></P>
1550                        <P STYLE="margin-bottom: 0cm"><BR>
1551                        </P>
1552                        <P><BR>
1553                        </P>
1554                </TD>
1555        </TR>
1556</TABLE>
1557<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
1558</P>
1559<P CLASS="western" ALIGN=JUSTIFY>The map file contains an entry for
1560each site that the Attribute Authority trusts.  These are listed
1561using the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">trusted</SPAN></FONT>
1562element name.  The Attribute Authority identifies itself with the
1563similar <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">thisHost</SPAN></FONT>
1564element.  Each uses a name attribute to uniquely identify the
1565organisation.  The example above shows a BADC map file which trusts
1566the organisations BODC, NOCS and NEODAAS.</P>
<P CLASS="western" ALIGN=JUSTIFY>Note that the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">thisHost
name </SPAN></FONT>attribute must match the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">name</SPAN></FONT>
element in the corresponding <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">attAuthorityProperties.xml</SPAN></FONT>
file (the comment in that file states the two MUST agree).  <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">name</SPAN></FONT>
is copied as the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">issuerName</SPAN></FONT>
used in Attribute Certificates issued by the Attribute Authority, so
it is the value by which other sites identify the issuing
organisation; it must be unique across the sites that trust each
other and should not be changed once in use.</P>
<P CLASS="western" ALIGN=JUSTIFY>The <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">thisHost</SPAN></FONT>
and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">trusted</SPAN></FONT>
elements share the same sub-elements, apart from <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">role</SPAN></FONT>,
which appears only under <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">trusted</SPAN></FONT>
(see the example above).
</P>
1576<UL>
1577        <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">aaURI</SPAN></FONT>
1578        – this is the address of the Attribute Authority</P>
1579        <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">aaDN</SPAN></FONT>
1580        – the Distinguished Name of the Attribute Authority’s X.509
1581        certificate (not currently used)</P>
1582        <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">loginURI</SPAN></FONT>
1583        – the address of the Login Service
1584        </P>
1585        <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">loginServerDN</SPAN></FONT>
1586        – the Distinguished Name of the X.509 certificate held by the
1587        Login Service for SSL connections.  It is expected that the Login
1588        Service is run over https to protect the privacy of login
1589        credentials.  This field is not currently used.</P>
        <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">loginRequestServerDN</SPAN></FONT>
        – on a request for secured credentials, a service provider enables
        the user to redirect to their chosen Login Service at another
        trusted site.   On successful authentication the Login Service
        can return the user to the service provider so that they can
        continue with their request.  This return address must be over
        https, both so that credentials are encrypted in transit and so
        that the service provider host making the request can be
        validated.   The Login Service does this by checking the SSL
        certificate of the service provider host and comparing its
        Distinguished Name against
        the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">loginRequestServerDN</SPAN></FONT>
        entries for the organisations it trusts.  Note that this check is
        only meaningful if the Login Service also verifies that the
        certificate chains to a CA it trusts; a DN match on an unverified
        certificate does not establish the identity of the host.</P>
1602        <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">role</SPAN></FONT>
1603        – this element is used to express an individual role mapping.  The
1604        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">local</SPAN></FONT>
1605        attribute refers to a role <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">thisHost</SPAN></FONT>
1606        supports.  The <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">remote</SPAN></FONT>
1607        attribute is assigned to the role of the trusted organisation it
1608        maps to.  It is possible to have multiple role entries.  One local
1609        role may map to many remote roles and vice versa: one remote role
1610        may map to many local roles.</P>
1611</UL>
1612<H3 CLASS="western"><A NAME="4.5.4.Twisted Python server .tac file|outline"></A>
16134.5.4 Twisted Python server .tac file</H3>
1614<P CLASS="western" ALIGN=JUSTIFY>Copy this from the
1615ndg_security_server to the NDG security conf/ area:</P>
1616<TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1617        <COL WIDTH=602>
1618        <TR>
1619                <TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0">
1620                        <P STYLE="margin-bottom: 0cm"><BR>
1621                        </P>
1622                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1623                        cp /usr/local/lib/python&lt;python version
1624                        num&gt;/site-packages/ndg_security_server-&lt;version
1625                        info&gt;.egg/ndg/security/server/server-config.tac<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">
1626                        $NDGSEC_DIR/conf</SPAN></FONT></FONT></P>
1627                        <P><BR>
1628                        </P>
1629                </TD>
1630        </TR>
1631</TABLE>
1632<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
1633</P>
1634<H3 CLASS="western"><A NAME="_Ref179772414"></A><A NAME="4.5.5.SysV-style Boot Script|outline"></A>
16354.5.5 SysV-style Boot Script</H3>
1636<P CLASS="western" ALIGN=JUSTIFY>As with the Session Manager, the
1637Attribute Authority can be configured to start up at system boot of
1638the host machine.  A SysV style start up script <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndg-aa</SPAN></FONT>
1639is provided in the installation in:</P>
1640<P CLASS="western" ALIGN=JUSTIFY>/usr/local/lib/python&lt;python
1641version num&gt;/site-packages/ndg_security_server-&lt;version
1642info&gt;.egg/ndg/security/server/<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">share</SPAN></FONT>
1643 
1644</P>
1645<P CLASS="western" ALIGN=JUSTIFY>To configure, install this file:</P>
1646<TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1647        <COL WIDTH=602>
1648        <TR>
1649                <TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0">
1650                        <P STYLE="margin-bottom: 0cm"><BR>
1651                        </P>
1652                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1653                        cp /usr/local/lib/python&lt;python version
1654                        num&gt;/site-packages/ndg_security_server-&lt;version
1655                        info&gt;.egg/ndg/security/server<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">
1656                        /share/ndg-aa /etc/rc.d/init.d</SPAN></FONT></FONT></P>
1657                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$
1658                        chkconfig --add ndg-aa</SPAN></FONT></FONT></P>
1659                        <P><BR>
1660                        </P>
1661                </TD>
1662        </TR>
1663</TABLE>
1664<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
1665</P>
<P CLASS="western" ALIGN=JUSTIFY>Edit <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndg-aa</SPAN></FONT>
so that it uses the NDGSEC_DIR environment variable to point to the
correct location of the .tac file in the conf/ directory.  User and
group ID settings can be made so that the service runs under an
account other than root; running under a dedicated unprivileged
account is recommended.  If used, ensure that $NDGSEC_DIR and its
contents are readable by that account, and that their permissions are
no wider than that account requires. 
</P>
1673<P CLASS="western" ALIGN=JUSTIFY>If required, add any additional
1674environment settings required to connect to a user database.</P>
1675<H2 CLASS="western"><A NAME="4.6.Python Unit Tests|outline"></A>4.6
1676Python Unit Tests</H2>
1677<P CLASS="western" ALIGN=JUSTIFY>Python unit test scripts are
1678provided to enable the system to be checked to confirm that it is
1679running correctly.   These are located in the ndg_security_test egg
1680in the site-packages/ directory of the python installation.</P>
1681<P CLASS="western" ALIGN=JUSTIFY>&lt;todo: &gt;</P>
1682<H2 CLASS="western"><A NAME="4.7. MyProxy|outline"></A>4.7 MyProxy</H2>
1683<H3 CLASS="western"><A NAME="4.7.1. MyProxy and NDG Security Background|outline"></A>
16844.7.1 MyProxy and NDG Security Background</H3>
1685<P CLASS="western" ALIGN=JUSTIFY>NDG Security makes use of MyProxy
1686from the Globus toolkit to enable the use of individual user X.509
1687certificates to secure messages in transactions.  For example, to
1688request an Attribute Certificate from an Attribute Authority the
1689request can be signed using the user's certificate to enable the
1690Attribute Authority to authenticate it.</P>
<P CLASS="western" ALIGN=JUSTIFY>MyProxy is flexible and can be
configured to run in a number of different modes or a combination of
modes:</P>
1694<OL>
        <LI><P CLASS="western" ALIGN=JUSTIFY>users can upload a proxy
        credential derived from their personal user certificate to the
        MyProxy repository for later use in delegation   
        </P>
        <LI><P CLASS="western" ALIGN=JUSTIFY>Personal user certificates
        issued by a CA can be stored in the repository.</P>
1701        <LI><P CLASS="western" ALIGN=JUSTIFY>MyProxy can be run with the
1702        Globus SimpleCA package issuing certificates dynamically based on a
1703        callout to some external authentication system.  MyProxy has basic
1704        support for PAM (Pluggable Authentication Module) and SASL (<SPAN STYLE="font-style: normal">Simple
1705        Authentication and Security Layer).</SPAN></P>
1706</OL>
<P CLASS="western" ALIGN=JUSTIFY>Mode 3) is the preferred mode for NDG
deployments, as NDG partners typically have existing user databases
against which their users authenticate.   MyProxy can be configured
to check a username/password against the database via PAM/SASL. 
</P>
1712<P CLASS="western" ALIGN=JUSTIFY>MyProxy runs as a service
1713<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy-server</SPAN></FONT>
1714on its host machine and user credentials are held in a directory on
1715the file system.  It is important to secure the host to ensure the
1716credentials are not compromised.
1717</P>
1718<H3 CLASS="western"><A NAME="4.7.2. MyProxy user account and the repository location considerations|outline"></A>
17194.7.2 MyProxy user account and the repository location considerations</H3>
<P CLASS="western" ALIGN=JUSTIFY>MyProxy may be installed as root or
under a separate user account.  The latter provides an extra degree
of security, but for use with PAM MyProxy must be installed and
run as root.  Note that the MyProxy repository will be in a standard
location: 
</P>
1726<UL>
1727        <LI><P CLASS="western" ALIGN=JUSTIFY>If MyProxy is installed as
1728        root, this is <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/var/myproxy</SPAN></FONT>.
1729         
1730        </P>
1731        <LI><P CLASS="western" ALIGN=JUSTIFY>If installed as under an
1732        alternative user account, <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$GLOBUS_LOCATION/var/myproxy</SPAN></FONT>.
1733         
1734        </P>
1735</UL>
<P CLASS="western" ALIGN=JUSTIFY>When run in mode 3) the repository
is not used since all credentials are generated dynamically on a
successful MyProxy logon request. It is possible to explicitly define
an alternate location, but this can only be done by providing a
command line argument to <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy-server</SPAN></FONT>.
 Note that command line arguments are visible to other users of the
host machine in the process list, e.g. in the output of <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">
ps</SPAN></FONT>.  This can be avoided by running <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy-server</SPAN></FONT>
under <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">xinetd
</SPAN></FONT>(see 4.7.10.1).</P>
1746<P CLASS="western" ALIGN=LEFT>This guide assumes installation as
1747root. 
1748</P>
1749<H3 CLASS="western"><A NAME="4.7.3. Installation|outline"></A>4.7.3
1750Installation</H3>
<P CLASS="western">MyProxy is available with Globus.  The version 4.0.5
distribution is recommended for use with the NDG Security software. 
<FONT FACE="Helvetica, sans-serif"><SPAN LANG="en-GB">C and C++
development packages are needed for the build.</SPAN></FONT></P>
1755<H4 CLASS="western">4.7.3.1 PAM Dependencies</H4>
<P CLASS="western">A binary version is available but it is
recommended to build and install from the source code in order to
include PAM support (<A HREF="http://grid.ncsa.uiuc.edu/myproxy/pam.html">http://grid.ncsa.uiuc.edu/myproxy/pam.html</A>).
  To check that the PAM development headers are present, look for the <CODE><FONT FACE="Helvetica, sans-serif">pam_appl.h
header file in either /usr/include/security or /usr/include/pam.</FONT></CODE></P>
<P CLASS="western"><CODE><FONT FACE="Helvetica, sans-serif">If it
is not present, it can be installed with the PAM development
package for your Linux distribution – e.g. pam-devel (Red Hat) or
libpam*-dev (Debian based).</FONT></CODE></P>
1765<P CLASS="western"><CODE><FONT FACE="Helvetica, sans-serif">Due to a
1766limitation in PAM, MyProxy must be built and installed under the
1767system root account.</FONT></CODE></P>
1768<H4 CLASS="western">4.7.3.2<CODE><FONT FACE="Helvetica, sans-serif">
1769Build</FONT></CODE></H4>
<P CLASS="western"><CODE><FONT FACE="Helvetica, sans-serif">The code
can be downloaded from  </FONT><FONT COLOR="#0000ff"><U><A HREF="http://www.globus.org/toolkit/downloads/4.0.5/"><FONT FACE="Helvetica, sans-serif">http://www.globus.org/toolkit/downloads/4.0.5</FONT></A></U></FONT></CODE></P>
1772<P CLASS="western" ALIGN=JUSTIFY>Note that it is possible to set a
1773target for <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">make
1774</SPAN></FONT>so that only the MyProxy components of Globus are
1775built.  Click on the link for the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">gt4.0.5-all-source-installer</FONT>
1776tarball.  Extract the files and change to the
1777<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">gt4.0.5-all-source-installer/</FONT>
1778directory created.</P>
<P CLASS="western" ALIGN=JUSTIFY>Configure the build settings.  The
default installation location is /usr/local/globus-4.0.5.  Use the
<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">--prefix=&lt;dir path&gt;</FONT>
command line option (two hyphens) to specify an alternative location
for the installation.</P>
1783<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1784        <COL WIDTH=596>
1785        <TR>
1786                <TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6">
1787                        <P STYLE="margin-bottom: 0cm"><BR>
1788                        </P>
1789                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1790                        ./configure </FONT>
1791                        </P>
1792                        <P><BR>
1793                        </P>
1794                </TD>
1795        </TR>
1796</TABLE>
1797<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
1798</P>
1799<P CLASS="western" ALIGN=JUSTIFY>Compile and install MyProxy:</P>
1800<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1801        <COL WIDTH=596>
1802        <TR>
1803                <TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6">
1804                        <P STYLE="margin-bottom: 0cm"><BR>
1805                        </P>
1806                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1807                        make gsi-myproxy postinstall</FONT></P>
1808                        <P><BR>
1809                        </P>
1810                </TD>
1811        </TR>
1812</TABLE>
1813<P STYLE="margin-bottom: 0cm"><BR>
1814</P>
1815<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Helvetica, sans-serif"><SPAN LANG="en-GB">When
1816running</SPAN></FONT> ./configure <FONT FACE="Helvetica, sans-serif"><SPAN LANG="en-GB">you
1817may see an error if the </SPAN></FONT>JAVA_HOME<FONT FACE="Helvetica, sans-serif"><SPAN LANG="en-GB">
1818environment variable is not set.  This can be ignored because Java is
1819not required for the MyProxy build.</SPAN></FONT></FONT></P>
1820<P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm"> 
1821</P>
<P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm"><FONT FACE="Helvetica, sans-serif"><SPAN LANG="en-GB">If
you encounter errors with the build you can troubleshoot by checking
config.log in the BUILD/globus_core-* or source-trees/core/source
directories.</SPAN></FONT></P>
1826<P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm"><BR>
1827</P>
<P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm"><FONT FACE="Helvetica, sans-serif"><SPAN LANG="en-GB">Verify
that myproxy-server has been built with PAM support by running the command:</SPAN></FONT></P>
1830<P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm"><BR>
1831</P>
1832<P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm"><BR>
1833</P>
1834<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1835        <COL WIDTH=596>
1836        <TR>
1837                <TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6">
1838                        <P STYLE="margin-bottom: 0cm"><BR>
1839                        </P>
1840                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1841                        /usr/local/globus-4.0.5/sbin/myproxy-server -V</FONT></P>
1842                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">myproxy-server
1843                        version MYPROXYv2 (v3.7 12 Dec 2006 PAM)</FONT></P>
1844                        <P><BR>
1845                        </P>
1846                </TD>
1847        </TR>
1848</TABLE>
1849<P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm"><BR>
1850</P>
1851<P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm"><FONT FACE="Helvetica, sans-serif"><SPAN LANG="en-GB">If
1852'PAM' is included in the output as above then the executable has
1853built correctly to include PAM support.</SPAN></FONT></P>
1854<P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm"><BR>
1855</P>
1856<H3 CLASS="western"><A NAME="4.7.4. SimpleCA Installation|outline"></A>
18574.7.4 SimpleCA Installation</H3>
1858<P CLASS="western" ALIGN=JUSTIFY>Reference:
1859</P>
1860<P CLASS="western" ALIGN=JUSTIFY><A HREF="http://www-unix.globus.org/toolkit/docs/4.0/security/simpleca/admin-index.html#s-simpleca-admin-installing">http://www-unix.globus.org/toolkit/docs/4.0/security/simpleca/admin-index.html#s-simpleca-admin-installing</A></P>
<P CLASS="western" ALIGN=JUSTIFY>The SimpleCA can be set up under a
dedicated user account, but this user must have read/write permissions
to the Globus MyProxy installation location.   For simplicity, this
guide assumes installation of MyProxy and the SimpleCA under root.
Note that the CA private key (stored under /root/.globus/simpleCA/private/
in this case – see the output below) signs every certificate that
MyProxy issues: keep it readable only by root, back it up securely,
and treat any compromise of the MyProxy host as a compromise of the CA.</P>
1865<P CLASS="western" ALIGN=JUSTIFY>To install first initialise the
1866environment settings (These may be added to the appropriate start-up
1867file e.g. .bashrc):</P>
1868<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1869        <COL WIDTH=596>
1870        <TR>
1871                <TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6">
1872                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><BR>
1873                        </P>
1874                        <P LANG="fr-FR"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1875                        export GLOBUS_LOCATION=/usr/local/globus-4.0.5<BR>$ export
1876                        GPT_LOCATION=$GLOBUS_LOCATION<BR>$ .
1877                        $GLOBUS_LOCATION/etc/globus-user-env.sh</FONT></P>
1878                </TD>
1879        </TR>
1880</TABLE>
1881<P><BR><BR>
1882</P>
1883<P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Installation
1884script:</FONT></P>
1885<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1886        <COL WIDTH=596>
1887        <TR>
1888                <TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6">
1889                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><BR>
1890                        </P>
1891                        <P LANG="fr-FR"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1892                        $GLOBUS_LOCATION/setup/globus/setup-simple-ca</FONT></P>
1893                </TD>
1894        </TR>
1895</TABLE>
1896<P CLASS="western" ALIGN=LEFT><BR><BR>
1897</P>
1898<P CLASS="western" ALIGN=LEFT>You will be prompted for the following
1899information:</P>
1900<OL>
1901        <LI><P CLASS="western" ALIGN=LEFT>Subject Name: When prompted, type
1902        'n' to override the default and set an appropriate subject name for
1903        the CA for your organisation.  O = Organisation Name, OU =
1904        Organisational Unit (you can set more than one), CN = the Common
1905        Name i.e. the name of the Certificate Authority.  For
1906        example,<BR><BR>/O=STFC/OU=Rutherford Appleton
1907        Laboratory/OU=Testing/CN=CA<BR><BR>could be the Certificate
1908        Authority’s subject for a CA for the Space Science and Technology
1909        Department at Rutherford Appleton Laboratory which is part of the
1910        Science and Technology Facilities Council.</P>
1911        <LI><P CLASS="western" ALIGN=LEFT>e-mail Address: the contact
1912        address for certificate requests.   If you are using the CA for
1913        MyProxy only you will probably not need this facility.  You could
1914        enter globus@&lt;target host&gt; or some suitable administrative
1915        contact</P>
1916        <LI><P CLASS="western" ALIGN=LEFT>CA Certificate Expiry Date: Press
1917        enter to accept the default of five years, otherwise override and
1918        enter your required period.</P>
        <LI><P CLASS="western" ALIGN=LEFT>PEM Pass phrase: this is the
        password that protects the CA's private key file; choose a strong
        one.  It will need to be entered in MyProxy's configuration file
        to enable MyProxy to dynamically issue certificates, so that
        configuration file must itself be readable only by root.</P>
1923</OL>
1924<P CLASS="western" ALIGN=LEFT>A message will appear indicating that
1925the set-up has completed and confirming the subject chosen for your
1926certificate and the location of certificate and private key:</P>
1927<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1928        <COL WIDTH=596>
1929        <TR>
1930                <TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6">
1931                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1932                        $GLOBUS_LOCATION/setup/globus/setup-simple-ca</FONT></P>
1933                        <P STYLE="margin-bottom: 0cm"><BR>
1934                        </P>
1935                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">C
1936                        e r t i f i c a t e    A u t h o r i t y    S e t u p</FONT></P>
1937                        <P STYLE="margin-bottom: 0cm"><BR>
1938                        </P>
1939                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">This
1940                        script will setup a Certificate Authority for signing Globus</FONT></P>
1941                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">users
1942                        certificates.  It will also generate a simple CA package</FONT></P>
1943                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">that
1944                        can be distributed to the users of the CA.</FONT></P>
1945                        <P STYLE="margin-bottom: 0cm"><BR>
1946                        </P>
1947                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">The
1948                        CA information about the certificates it distributes will</FONT></P>
1949                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">be
1950                        kept in:</FONT></P>
1951                        <P STYLE="margin-bottom: 0cm"><BR>
1952                        </P>
1953                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">/root/.globus/simpleCA/</FONT></P>
1954                        <P STYLE="margin-bottom: 0cm"><BR>
1955                        </P>
1956                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">The
1957                        unique subject name for this CA is:</FONT></P>
1958                        <P STYLE="margin-bottom: 0cm"><BR>
1959                        </P>
1960                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">cn=Globus
1961                        Simple CA, ou=simpleCA-gabriel, ou=GlobusTest, o=Grid</FONT></P>
1962                        <P STYLE="margin-bottom: 0cm"><BR>
1963                        </P>
1964                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Do
1965                        you want to keep this as the CA subject (y/n) [y]:n</FONT></P>
1966                        <P STYLE="margin-bottom: 0cm"><BR>
1967                        </P>
1968                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Enter
1969                        a unique subject name for this CA:cn=CA, ou=BADC, ou=Gabriel,
1970                        o=NDG</FONT></P>
1971                        <P STYLE="margin-bottom: 0cm"><BR>
1972                        </P>
1973                        <P STYLE="margin-bottom: 0cm"><BR>
1974                        </P>
1975                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Enter
1976                        the email of the CA (this is the email where certificate</FONT></P>
1977                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">requests
1978                        will be sent to be signed by the CA):p.j.kershaw@rl.ac.uk</FONT></P>
1979                        <P STYLE="margin-bottom: 0cm"><BR>
1980                        </P>
1981                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">The
1982                        CA certificate has an expiration date. Keep in mind that</FONT></P>
1983                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">once
1984                        the CA certificate has expired, all the certificates</FONT></P>
1985                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">signed
1986                        by that CA become invalid.  A CA should regenerate</FONT></P>
1987                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">the
1988                        CA certificate and start re-issuing ca-setup packages</FONT></P>
1989                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">before
1990                        the actual CA certificate expires.  This can be done</FONT></P>
1991                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">by
1992                        re-running this setup script.  Enter the number of DAYS</FONT></P>
1993                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">the
1994                        CA certificate should last before it expires.</FONT></P>
1995                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">[default:
1996                        5 years (1825 days)]:</FONT></P>
1997                        <P STYLE="margin-bottom: 0cm"><BR>
1998                        </P>
1999                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Enter
2000                        PEM pass phrase:</FONT></P>
2001                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Verifying
2002                        - Enter PEM pass phrase:</FONT></P>
2003                        <P STYLE="margin-bottom: 0cm"><BR>
2004                        </P>
2005                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">creating
2006                        CA config package...done.</FONT></P>
2007                        <P STYLE="margin-bottom: 0cm"><BR>
2008                        </P>
2009                        <P STYLE="margin-bottom: 0cm"><BR>
2010                        </P>
2011                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">A
2012                        self-signed certificate has been generated</FONT></P>
2013                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">for
2014                        the Certificate Authority with the subject:</FONT></P>
2015                        <P STYLE="margin-bottom: 0cm"><BR>
2016                        </P>
2017                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">/O=NDG/OU=Gabriel/OU=BADC/CN=CA</FONT></P>
2018                        <P STYLE="margin-bottom: 0cm"><BR>
2019                        </P>
2020                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">If
2021                        this is invalid, rerun this script</FONT></P>
2022                        <P STYLE="margin-bottom: 0cm"><BR>
2023                        </P>
2024                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">/usr/local/gt4.0.5/setup/globus/setup-simple-ca</FONT></P>
2025                        <P STYLE="margin-bottom: 0cm"><BR>
2026                        </P>
2027                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">and
2028                        enter the appropriate fields.</FONT></P>
2029                        <P STYLE="margin-bottom: 0cm"><BR>
2030                        </P>
2031                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">-------------------------------------------------------------------</FONT></P>
2032                        <P STYLE="margin-bottom: 0cm"><BR>
2033                        </P>
2034                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">The
2035                        private key of the CA is stored in
2036                        /root/.globus/simpleCA//private/cakey.pem</FONT></P>
2037                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">The
2038                        public CA certificate is stored in
2039                        /root/.globus/simpleCA//cacert.pem</FONT></P>
2040                        <P STYLE="margin-bottom: 0cm"><BR>
2041                        </P>
2042                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">The
2043                        distribution package built for this CA is stored in</FONT></P>
2044                        <P STYLE="margin-bottom: 0cm"><BR>
2045                        </P>
2046                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">/root/.globus/simpleCA//globus_simple_ca_2cba3376_setup-0.19.tar.gz</FONT></P>
2047                        <P STYLE="margin-bottom: 0cm"><BR>
2048                        </P>
2049                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">This
2050                        file must be distributed to any host wishing to request</FONT></P>
2051                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">certificates
2052                        from this CA.</FONT></P>
2053                        <P STYLE="margin-bottom: 0cm"><BR>
2054                        </P>
2055                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">CA
2056                        setup complete.</FONT></P>
2057                        <P STYLE="margin-bottom: 0cm"><BR>
2058                        </P>
2059                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">The
2060                        following commands will now be run to setup the security</FONT></P>
2061                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">configuration
2062                        files for this CA:</FONT></P>
2063                        <P STYLE="margin-bottom: 0cm"><BR>
2064                        </P>
2065                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$GLOBUS_LOCATION/sbin/gpt-build
2066                        /root/.globus/simpleCA//globus_simple_ca_2cba3376_setup-0.19.tar.gz</FONT></P>
2067                        <P STYLE="margin-bottom: 0cm"><BR>
2068                        </P>
2069                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$GLOBUS_LOCATION/sbin/gpt-postinstall</FONT></P>
2070                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">-------------------------------------------------------------------</FONT></P>
2071                        <P STYLE="margin-bottom: 0cm"><BR>
2072                        </P>
2073                        <P STYLE="margin-bottom: 0cm"><BR>
2074                        </P>
2075                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">setup-ssl-utils:
2076                        Configuring ssl-utils package</FONT></P>
2077                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Running
2078                        setup-ssl-utils-sh-scripts...</FONT></P>
2079                        <P STYLE="margin-bottom: 0cm"><BR>
2080                        </P>
2081                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">***************************************************************************</FONT></P>
2082                        <P STYLE="margin-bottom: 0cm"><BR>
2083                        </P>
2084                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Note:
2085                        To complete setup of the GSI software you need to run the</FONT></P>
2086                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">following
2087                        script as root to configure your security configuration</FONT></P>
2088                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">directory:</FONT></P>
2089                        <P STYLE="margin-bottom: 0cm"><BR>
2090                        </P>
2091                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">/usr/local/gt4.0.5/setup/globus_simple_ca_2cba3376_setup/setup-gsi</FONT></P>
2092                        <P STYLE="margin-bottom: 0cm"><BR>
2093                        </P>
2094                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">For
2095                        further information on using the setup-gsi script, use the -help</FONT></P>
2096                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">option.
2097                         The -default option sets this security configuration to be</FONT></P>
2098                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">the
2099                        default, and -nonroot can be used on systems where root access is</FONT></P>
2100                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">not
2101                        available.</FONT></P>
2102                        <P STYLE="margin-bottom: 0cm"><BR>
2103                        </P>
2104                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">***************************************************************************</FONT></P>
2105                        <P STYLE="margin-bottom: 0cm"><BR>
2106                        </P>
2107                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">setup-ssl-utils:
2108                        Complete</FONT></P>
2109                        <P STYLE="margin-bottom: 0cm"><BR>
2110                        </P>
2111                        <P><BR>
2112                        </P>
2113                </TD>
2114        </TR>
2115</TABLE>
2116<P CLASS="western" ALIGN=LEFT><BR><BR>
2117</P>
2118<P CLASS="western" ALIGN=LEFT>The number in the file names “
21192cba3376” is a unique hash
2120identifier for the CA.  It will be different for your
2121installation when you run the setup.  To complete the set-up run the
2122setup-gsi script:</P>
2123<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2124        <COL WIDTH=596>
2125        <TR>
2126                <TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6">
2127                        <P STYLE="margin-bottom: 0cm"><BR>
2128                        </P>
2129                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
2130                        $GLOBUS_LOCATION/setup/globus_simple_ca_2cba3376_setup/setup-gsi </FONT>
2131                        </P>
2132                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">-default
2133                        </FONT>
2134                        </P>
2135                </TD>
2136        </TR>
2137</TABLE>
2138<P STYLE="margin-bottom: 0cm"><BR>
2139</P>
2140<H3 CLASS="western"><A NAME="4.7.5. Host Certificate Creation|outline"></A>
21414.7.5 Host Certificate Creation</H3>
2142<P CLASS="western">Carry out these steps as the root user.   First
2143check the path to the command <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">grid-cert-request</SPAN></FONT>:</P>
2144<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
2145</P>
2146<TABLE WIDTH=609 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2147        <COL WIDTH=593>
2148        <TR>
2149                <TD WIDTH=593 VALIGN=TOP BGCOLOR="#e0e0e0">
2150                        <P STYLE="margin-bottom: 0cm"><BR>
2151                        </P>
2152                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
2153                        which grid-cert-request</FONT></P>
2154                        <P CLASS="western" ALIGN=LEFT><BR>
2155                        </P>
2156                </TD>
2157        </TR>
2158</TABLE>
2159<P CLASS="western" ALIGN=JUSTIFY><BR>Should return something like:
2160<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">/usr/local/globus-4.0.5/bin/grid-cert-request</FONT></P>
2161<P CLASS="western" ALIGN=JUSTIFY>If
2162not, check the settings made earlier for the SimpleCA:</P>
2163<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
2164</P>
2165<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2166        <COL WIDTH=596>
2167        <TR>
2168                <TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6">
2169                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><BR>
2170                        </P>
2171                        <P LANG="fr-FR"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
2172                        export GLOBUS_LOCATION=/usr/local/globus-4.0.5<BR>$ export
2173                        GPT_LOCATION=$GLOBUS_LOCATION<BR>$ .
2174                        $GLOBUS_LOCATION/etc/globus-user-env.sh</FONT></P>
2175                </TD>
2176        </TR>
2177</TABLE>
2178<P><BR><BR>
2179</P>
2180<P CLASS="western" ALIGN=JUSTIFY>To generate a host certificate
2181request:</P>
2182<TABLE WIDTH=608 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2183        <COL WIDTH=592>
2184        <TR>
2185                <TD WIDTH=592 VALIGN=TOP BGCOLOR="#e0e0e0">
2186                        <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
2187                        </P>
2188                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
2189                        grid-cert-request -host &lt;fully qualified hostname&gt; </FONT>
2190                        </P>
2191                        <P CLASS="western" ALIGN=LEFT><BR>
2192                        </P>
2193                </TD>
2194        </TR>
2195</TABLE>
2196<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
2197</P>
2198<P CLASS="western" ALIGN=LEFT>This creates the files <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">hostcert.pem</FONT>,
2199<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">hostkey.pem</FONT>
2200and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">hostcert_request.pem</FONT>
2201in the /etc/grid-security directory.  <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">hostcert.pem</FONT>
2202is empty until the request has been signed by the CA. 
2203</P>
2204<P CLASS="western" ALIGN=JUSTIFY>In order to obtain the certificate
2205it must be signed by the CA: 
2206</P>
2207<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2208        <COL WIDTH=596>
2209        <TR>
2210                <TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6">
2211                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><BR>
2212                        </P>
2213                        <P LANG="fr-FR"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
2214                        grid-ca-sign -in  /<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">etc/grid-security/hostcert_request.pem
2215                         -out  /etc/grid-security/hostcert.pem </FONT></FONT>
2216                        </P>
2217                </TD>
2218        </TR>
2219</TABLE>
2220<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
2221</P>
2222<P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">hostcert_request.pem
2223</FONT>is no longer needed and can be deleted.</P>
2224<H3 CLASS="western"><A NAME="4.7.6. MyProxy Configuration File|outline"></A>
22254.7.6 MyProxy Configuration File</H3>
2226<P CLASS="western" ALIGN=JUSTIFY>A MyProxy configuration file is
2227normally kept in the Globus installation under the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">etc</SPAN></FONT>
2228directory.   If this file is not already present, copy the sample
2229file:</P>
2230<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2231        <COL WIDTH=610>
2232        <TR>
2233                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
2234                        <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
2235                        </P>
2236                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
2237                        cp $GLOBUS_LOCATION/share/myproxy/myproxy-server.config
2238                        $GLOBUS_LOCATION/etc</FONT></P>
2239                        <P CLASS="western" ALIGN=LEFT><BR>
2240                        </P>
2241                </TD>
2242        </TR>
2243</TABLE>
2244<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
2245</P>
2246<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm">Edit
2247<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$GLOBUS_LOCATION/etc/myproxy-server.config</FONT>,
2248modifying the entries under the section <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Complete
2249Sample Policy</SPAN></FONT> so that they are all uncommented (remove the
2250leading <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">#
2251</SPAN></FONT>character):</P>
2252<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
2253</P>
2254<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2255        <COL WIDTH=610>
2256        <TR>
2257                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
2258                        <P STYLE="margin-bottom: 0cm"><BR>
2259                        </P>
2260                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#</FONT></P>
2261                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#
2262                        Complete Sample Policy</FONT></P>
2263                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#</FONT></P>
2264                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#
2265                        The following lines define a sample policy that enables all</FONT></P>
2266                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#
2267                        myproxy-server features.  See below for more examples.</FONT></P>
2268                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">accepted_credentials
2269                               &quot;*&quot;</FONT></P>
2270                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">authorized_retrievers
2271                               &quot;*&quot;</FONT></P>
2272                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">default_retrievers
2273                                     &quot;*&quot;</FONT></P>
2274                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">authorized_renewers
2275                                &quot;*&quot;</FONT></P>
2276                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">default_renewers
2277                                      &quot;none&quot;</FONT></P>
2278                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">authorized_key_retrievers
2279                        &quot;*&quot;</FONT></P>
2280                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">default_key_retrievers
2281                              &quot;none&quot;</FONT></P>
2282                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">trusted_retrievers
2283                                     &quot;*&quot;</FONT></P>
2284                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">default_trusted_retrievers
2285                        &quot;none&quot;</FONT></P>
2286                        <P><BR>
2287                        </P>
2288                </TD>
2289        </TR>
2290</TABLE>
2291<P CLASS="western" ALIGN=LEFT><BR><BR>
2292</P>
2293<P CLASS="western" ALIGN=LEFT>Note that the wildcards for these
2294fields may be narrowed so that only Distinguished Names of a given
2295form are accepted, e.g. <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">&quot;/O=NDG/OU=BADC/*&quot;</SPAN></FONT></P>
2296<P CLASS="western" ALIGN=JUSTIFY>The <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">chmod
2297</SPAN></FONT>command ensures that only the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">globus</SPAN></FONT>
2298user has read/write access for the directory.  Note also that the
2299directory need not be called <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy</SPAN></FONT>.</P>
2300<H3 CLASS="western"><A NAME="4.7.7. MyProxy SimpleCA Configuration|outline"></A>
23014.7.7 MyProxy SimpleCA Configuration</H3>
2302<P CLASS="western" ALIGN=LEFT>NDG Security uses MyProxy to
2303dynamically generate user certificates on user login.  For this,
2304MyProxy requires configuration details from the SimpleCA.  Make these
2305settings in $GLOBUS_LOCATION/etc/myproxy-server.config.  (Note the
2306sensitivity of this information and the need to secure this file
2307carefully!)</P>
2308<OL>
2309        <LI><P CLASS="western" ALIGN=JUSTIFY>enable any retriever –
2310        retrieval is based on the retriever's login credentials:</P>
2311        <TABLE WIDTH=593 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2312                <COL WIDTH=577>
2313                <TR>
2314                        <TD WIDTH=577 VALIGN=TOP BGCOLOR="#e0e0e0">
2315                                <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
2316                                </P>
2317                                <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">authorized_retrievers
2318                                &quot;*&quot;</FONT></P>
2319                        </TD>
2320                </TR>
2321        </TABLE>
2322        <P CLASS="western" ALIGN=JUSTIFY></P>
2323        <LI><P CLASS="western" ALIGN=LEFT>Set the path to the CA
2324        certificate.  In this example the CA is installed in the root user's
2325        home directory:</P>
2326</OL>
2327<DL>
2328        <DD>
2329        <TABLE WIDTH=593 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2330                <COL WIDTH=577>
2331                <TR>
2332                        <TD WIDTH=577 VALIGN=TOP BGCOLOR="#e0e0e0">
2333                                <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
2334                                </P>
2335                                <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">certificate_issuer_cert
2336                                /root/.globus/simpleCA/cacert.pem</FONT></P>
2337                        </TD>
2338                </TR>
2339        </TABLE>
2340</DL>
2341<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
2342</P>
2343<OL START=3>
2344        <LI><P CLASS="western" ALIGN=LEFT>Set the path to the CA private
2345        key:
2346        </P>
2347        <TABLE WIDTH=593 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2348                <COL WIDTH=577>
2349                <TR>
2350                        <TD WIDTH=577 VALIGN=TOP BGCOLOR="#e0e0e0">
2351                                <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
2352                                </P>
2353                                <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">certificate_issuer_key
2354                                /root/.globus/simpleCA/private/cakey.pem</FONT></P>
2355                        </TD>
2356                </TR>
2357        </TABLE>
2358        <P CLASS="western" ALIGN=JUSTIFY></P>
2359        <LI><P CLASS="western" ALIGN=LEFT>Provide the password to the CA's
2360        private key (set when you created the SimpleCA with $GLOBUS_LOCATION/setup/globus/setup-simple-ca).
2361        This stores the passphrase in clear text, hence the need to secure this file carefully as noted above:</P>
2362        <TABLE WIDTH=593 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2363                <COL WIDTH=577>
2364                <TR>
2365                        <TD WIDTH=577 VALIGN=TOP BGCOLOR="#e0e0e0">
2366                                <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
2367                                </P>
2368                                <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">certificate_issuer_key_passphrase
2369                                &quot;password&quot;</FONT></P>
2370                        </TD>
2371                </TR>
2372        </TABLE>
2373        <P CLASS="western" ALIGN=JUSTIFY></P>
2374        <LI><P CLASS="western" ALIGN=JUSTIFY>Set the path to the certificate
2375        serial file</P>
2376        <TABLE WIDTH=593 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2377                <COL WIDTH=577>
2378                <TR>
2379                        <TD WIDTH=577 VALIGN=TOP BGCOLOR="#e0e0e0">
2380                                <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><BR>certificate_serialfile
2381                                /root/.globus/simpleCA/serial </FONT>
2382                                </P>
2383                        </TD>
2384                </TR>
2385        </TABLE>
2386        <P CLASS="western" ALIGN=JUSTIFY></P>
2387        <LI><P CLASS="western" ALIGN=JUSTIFY>Configure how MyProxy maps
2388        usernames to Distinguished Names in generated certificates. This can
2389        be done either with a grid mapfile or a script.  A script is more
2390        flexible as you can use a wildcard match rather than requiring a map
2391        entry for every single user.  An example script is:</P>
2392        <TABLE WIDTH=593 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2393                <COL WIDTH=577>
2394                <TR>
2395                        <TD WIDTH=577 VALIGN=TOP BGCOLOR="#e0e0e0">
2396                                <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
2397                                </P>
2398                                <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#!/bin/sh<BR>username=$1<BR>if
2399                                [ X&quot;$username&quot; = X ]; then<BR>    # no username given<BR>
2400                                   exit 1<BR>fi<BR>echo
2401                                &quot;/O=NDG/OU=Gabriel/OU=BADC/CN=${username}&quot;</FONT></P>
2402                                <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">exit
2403                                0</FONT></P>
2404                        </TD>
2405                </TR>
2406        </TABLE>
2407        <P CLASS="western" ALIGN=LEFT><BR>In the example above, if a user
2408        logs in as pjkershaw, they will be issued with a certificate with
2409        the Distinguished Name /O=NDG/OU=Gabriel/OU=BADC/CN=pjkershaw. Copy
2410        the script above into $GLOBUS_LOCATION/sbin/mapper.sh replacing
2411        “/O=NDG/OU=Gabriel/OU=BADC/CN=” with the form of the
2412        Distinguished Name that you require for users for your site.  Ensure
2413        that the file has execute permissions set e.g.<BR><BR><BR>
2414        </P>
2415        <TABLE WIDTH=593 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2416                <COL WIDTH=577>
2417                <TR>
2418                        <TD WIDTH=577 VALIGN=TOP BGCOLOR="#e0e0e0">
2419                                <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
2420                                </P>
2421                                <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
2422                                chmod 700 $GLOBUS_LOCATION/sbin/mapper.sh</FONT></P>
2423                                <P CLASS="western" ALIGN=LEFT><BR>
2424                                </P>
2425                        </TD>
2426                </TR>
2427        </TABLE>
2428        <P CLASS="western" ALIGN=LEFT><BR>Refer to the script in
2429        $GLOBUS_LOCATION/etc/myproxy-server.config with this setting:</P>
2430        <TABLE WIDTH=593 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2431                <COL WIDTH=577>
2432                <TR>
2433                        <TD WIDTH=577 VALIGN=TOP BGCOLOR="#e0e0e0">
2434                                <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><BR>certificate_mapapp
2435                                /usr/local/globus-4.0.5/sbin/mapper.sh</FONT></P>
2436                        </TD>
2437                </TR>
2438        </TABLE>
2439        <P CLASS="western" ALIGN=LEFT></P>
2440</OL>
2441<H3 CLASS="western"><A NAME="4.7.8. MyProxy PAM Configuration|outline"></A>
24424.7.8 MyProxy PAM Configuration</H3>
2443<P CLASS="western" ALIGN=JUSTIFY>Reference:
2444<A HREF="http://grid.ncsa.uiuc.edu/myproxy/pam.html">http://grid.ncsa.uiuc.edu/myproxy/pam.html</A></P>
2445<P CLASS="western" ALIGN=JUSTIFY>NDG Security makes use of MyProxy
2446with PAM to enable MyProxy logon requests to be authenticated against
2447a site's existing security infrastructure, for example a user
2448database or LDAP repository.   Linux systems have PAMs for login, ssh
2449and other services.   PAMs can be obtained for the major database
2450varieties such as MySQL, Postgres and Oracle.</P>
2451<P CLASS="western">To configure MyProxy for PAM, settings are made
2452via myproxy-server.config to two different fields:</P>
2453<UL>
2454        <LI><P CLASS="western">pam: may be set to disabled, “required”
2455        or “sufficient”.   Set to “required”.  With this setting,
2456        all MyProxy logon requests will be authenticated via PAM.   The
2457        “sufficient” setting may be useful in some circumstances.  It
2458        enables authentication via PAM and via credentials held in the
2459        MyProxy repository.</P>
2460        <LI><P CLASS="western">pam_id: name that MyProxy uses to identify
2461        itself to PAM.   This can correspond either to a file of the same
2462        name in /etc/pam.d or entries prefixed with that name in
2463        /etc/pam.conf.  This setting determines the PAM used by MyProxy to
2464        authenticate. 
2465        </P>
2466</UL>
2467<P CLASS="western">The most straightforward way to set-up MyProxy
2468with PAM is to try one of the existing PAMs such as login.  If the
2469pam_id is set to login, a myproxy-logon request will link to that
2470user's Linux login.</P>
2471<P CLASS="western">Appendices are provided at the end of this
2472document for some of the more common configurations.</P>
2473<H3 CLASS="western"><A NAME="4.7.9. Testing MyProxy|outline"></A>4.7.9
2474Testing MyProxy</H3>
2475<P CLASS="western" ALIGN=JUSTIFY>A simple way to test the MyProxy
2476configuration is to run the myproxy-logon client command.  For initial
2477testing set the pam_id in $GLOBUS_LOCATION/etc/myproxy-server.config
2478to “login” so that it uses the Linux user accounts for
2479authentication.</P>
2480<P CLASS="western" ALIGN=JUSTIFY>Client error messages can be
2481difficult to interpret but a -v verbose option is provided to give
2482more information.   In addition, MyProxy server can be run in debug
2483mode using the -d command line switch.   MyProxy should be run under
2484the user account in which it was installed - root.   Ensure that the
2485environment is set correctly i.e. GLOBUS_LOCATION variable set and
2486$GLOBUS_LOCATION/etc/globus-user-env.sh has been sourced<SPAN LANG="pt-PT"><FONT SIZE=2>:</FONT></SPAN></P>
2487<TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2488        <COL WIDTH=602>
2489        <TR>
2490                <TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0">
2491                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><BR>
2492                        </P>
2493                        <P LANG="fr-FR"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
2494                        export GLOBUS_LOCATION=/usr/local/globus-4.0.5<BR>$ export
2495                        GPT_LOCATION=$GLOBUS_LOCATION<BR>$ .
2496                        $GLOBUS_LOCATION/etc/globus-user-env.sh</FONT></P>
2497                </TD>
2498        </TR>
2499</TABLE>
2500<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
2501</P>
2502<P CLASS="western" ALIGN=JUSTIFY>If you already have MyProxy running
2503via xinetd or as a process started from a SysV init script, it is
2504possible to run a separate MyProxy server process on a different port
2505with the -p flag.</P>
2506<TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2507        <COL WIDTH=602>
2508        <TR>
2509                <TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0">
2510                        <P STYLE="margin-bottom: 0cm"><BR>
2511                        </P>
2512                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
2513                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy-server
2514                        -d -v -p 60000</SPAN></FONT></FONT></P>
2515                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy-server
2516                        v3.7 12 Dec 2006 PAM starting at Fri Dec 21 12:45:59 2007</SPAN></FONT></FONT></P>
2517                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">reading
2518                        configuration file
2519                        /usr/local/globus-4.0.5/etc/myproxy-server.config</SPAN></FONT></FONT></P>
2520                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">CA
2521                        enabled</SPAN></FONT></FONT></P>
2522                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">using
2523                        storage directory /var/myproxy</SPAN></FONT></FONT></P>
2524                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Starting
2525                        myproxy-server on localhost: 60000...</SPAN></FONT></FONT></P>
2526                        <P><BR>
2527                        </P>
2528                </TD>
2529        </TR>
2530</TABLE>
2531<P CLASS="western" ALIGN=LEFT><BR><BR>
2532</P>
2533<P CLASS="western" ALIGN=LEFT>Note that in debug mode, myproxy-server
2534will exit after the first request made to it.</P>
2535<P CLASS="western" ALIGN=LEFT>Run myproxy-logon in a separate window
2536under a user account for which you know the Linux password.  Provide
2537the port number if myproxy-server was started on a different port to
2538the default and give the full name of the server as set in the host
2539certificate (/etc/grid-security/hostcert.pem):</P>
2540<TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2541        <COL WIDTH=602>
2542        <TR>
2543                <TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0">
2544                        <P STYLE="margin-bottom: 0cm"><BR>
2545                        </P>
2546                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
2547                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy-logon
2548                        -v -s &lt;fully qualified server hostname&gt; -p 60000</SPAN></FONT></FONT></P>
2549                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">MyProxy
2550                        v3.7 12 Dec 2006 PAM</SPAN></FONT></FONT></P>
2551                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Attempting
2552                        to connect to 127.0.0.1:60000</SPAN></FONT></FONT></P>
2553                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Enter
2554                        MyProxy pass phrase:</SPAN></FONT></FONT></P>
2555                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">using
2556                        trusted certificates directory /etc/grid-security/certificates</SPAN></FONT></FONT></P>
2557                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">no
2558                        valid credentials found -- performing anonymous authentication</SPAN></FONT></FONT></P>
2559                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">server
2560                        name: /O=NDG/OU=Gabriel/OU=BADC/CN=gabriel&lt;&gt;</SPAN></FONT></FONT></P>
2561                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">checking
2562                        that server name is acceptable...</SPAN></FONT></FONT></P>
2563                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">server
2564                        name does not match &quot;myproxy@gabriel&lt;&gt;&quot;</SPAN></FONT></FONT></P>
2565                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">server
2566                        name matches &quot;host@gabriel&lt;&gt;&quot;</SPAN></FONT></FONT></P>
2567                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">authenticated
2568                        server name is acceptable</SPAN></FONT></FONT></P>
2569                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">A
2570                        credential has been received for user pjkershaw in
2571                        /tmp/x509up_u1000.</SPAN></FONT></FONT></P>
2572                        <P><BR>
2573                        </P>
2574                </TD>
2575        </TR>
2576</TABLE>
2577<P CLASS="western" ALIGN=LEFT><BR><BR>
2578</P>
2579<P CLASS="western" ALIGN=LEFT>The equivalent output from the server
2580will be something like:</P>
2581<TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2582        <COL WIDTH=602>
2583        <TR>
2584                <TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0">
2585                        <P STYLE="margin-bottom: 0cm"><BR>
2586                        </P>
2587                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Connection
2588                        from 127.0.0.1</SPAN></FONT></FONT></P>
2589                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">using
2590                        trusted certificates directory /etc/grid-security/certificates</SPAN></FONT></FONT></P>
2591                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Authenticated
2592                        client &lt;anonymous&gt;</SPAN></FONT></FONT></P>
2593                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">applying
2594                        trusted_retrievers policy</SPAN></FONT></FONT></P>
2595                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">applying
2596                        authorized_retrievers policy</SPAN></FONT></FONT></P>
2597                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">applying
2598                        authorized_renewers policy</SPAN></FONT></FONT></P>
2599                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">user_dn_lookup()</SPAN></FONT></FONT></P>
2600                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">resolve_via_mapapp(/usr/local/globus-4.0.5/sbin/mapper.sh,
2601                        pjkershaw)</SPAN></FONT></FONT></P>
2602                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Checking
2603                        passphrase via PAM.  PAM policy: &quot;sufficient&quot;; PAM ID:
2604                        &quot;logon&quot;</SPAN></FONT></FONT></P>
2605                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">PAM
2606                        authentication succeeded for pjkershaw</SPAN></FONT></FONT></P>
2607                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Received
2608                        GET request from &lt;anonymous&gt;</SPAN></FONT></FONT></P>
2609                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Sending
2610                        OK response to client &lt;anonymous&gt;</SPAN></FONT></FONT></P>
2611                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">using
2612                        CA callout</SPAN></FONT></FONT></P>
2613                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Calling
2614                        CA Extensions</SPAN></FONT></FONT></P>
2615                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">handle_certificate()</SPAN></FONT></FONT></P>
2616                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Cert
2617                        request loaded.</SPAN></FONT></FONT></P>
2618                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Got
2619                        a cert request for user &quot;pjkershaw&quot;, with pubkey hash
2620                        &quot;282944311&quot;, and lifetime &quot;43200&quot;</SPAN></FONT></FONT></P>
2621                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Using
2622                        internal openssl/generate_certificate() code</SPAN></FONT></FONT></P>
2623                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Generating
2624                        certificate internally.</SPAN></FONT></FONT></P>
2625                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">user_dn_lookup()</SPAN></FONT></FONT></P>
2626                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">using
2627                        cached value</SPAN></FONT></FONT></P>
2628                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">tokenizing:
2629                        /O=NDG/OU=BADC/OU=Gabriel/CN=pjkershaw</SPAN></FONT></FONT></P>
2630                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">adding:
2631                        O = NDG</SPAN></FONT></FONT></P>
2632                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">adding:
2633                        OU = BADC</SPAN></FONT></FONT></P>
2634                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">adding:
2635                        OU = Gabriel</SPAN></FONT></FONT></P>
2636                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">adding:
2637                        CN = pjkershaw</SPAN></FONT></FONT></P>
2638                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Assigning
2639                        serial number</SPAN></FONT></FONT></P>
2640                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Loaded
2641                        serial number F6 from /root/.globus/simpleCA/serial</SPAN></FONT></FONT></P>
2642                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">serial
2643                        number assigned</SPAN></FONT></FONT></P>
2644                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">cert
2645                        lifetime: 43200</SPAN></FONT></FONT></P>
2646                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">CAkey:
2647                        /root/.globus/simpleCA/private/cakey.pem</SPAN></FONT></FONT></P>
2648                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Signing
2649                        internally generated certificate.</SPAN></FONT></FONT></P>
2650                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Issued
2651                        certificate for user &quot;pjkershaw&quot;, with DN
2652                        &quot;/O=NDG/OU=BADC/OU=Gabriel/CN=pjkershaw&quot;, lifetime
2653                        &quot;43200&quot;, and serial number &quot;246&quot;</SPAN></FONT></FONT></P>
2654                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Sending
2655                        OK response to client &lt;anonymous&gt;</SPAN></FONT></FONT></P>
2656                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Client
2657                        &lt;anonymous&gt; disconnected</SPAN></FONT></FONT></P>
2658                        <P><BR>
2659                        </P>
2660                </TD>
2661        </TR>
2662</TABLE>
2663<P CLASS="western" ALIGN=LEFT><BR><BR>
2664</P>
2665<P CLASS="western" ALIGN=LEFT>The certificate and private key are
2666written to a file in /tmp by myproxy-logon.   The file name takes the form
2667x509up_u&lt;uid&gt;.   Since this file holds the private key, keep it readable
2668only by its owner.   The generated certificate can be inspected with openssl, e.g.:</P>
2669<TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2670        <COL WIDTH=602>
2671        <TR>
2672                <TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0">
2673                        <P STYLE="margin-bottom: 0cm"><BR>
2674                        </P>
2675                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$
2676                        openssl x509 -in /tmp/x509up_u1001 -text</SPAN></FONT></FONT></P>
2677                        <P><BR>
2678                        </P>
2679                </TD>
2680        </TR>
2681</TABLE>
2682<P CLASS="western" ALIGN=LEFT><BR>The output includes details such
2683as the certificate's subject DN, issuer and expiry time.   If you wish
2684to run the test again, delete or move this file first, as myproxy-logon will
2685otherwise try to use it to authenticate to the MyProxy server.</P>
2686<P CLASS="western" ALIGN=LEFT>If you encounter problems, check the
2687output from the client and server commands.  The system logs may
2688contain useful additional information from the PAM module used.</P>
2689<P CLASS="western" ALIGN=LEFT>The Python MyProxy client unit tests
2690can be used to test the server from a separate client machine where
2691Python NDG services are installed but not MyProxy itself.   The
2692MyProxy unit tests are in the package ndg.security.test.myProxy.</P>
2693<H3 CLASS="western"><A NAME="4.7.10. Adding MyProxy Server to the system start up|outline"></A>
26944.7.10 Adding MyProxy Server to the system start up</H3>
2695<P CLASS="western" ALIGN=JUSTIFY>Any of the standard mechanisms may
2696be used such as adding a SysV style init script or using <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">inetd</SPAN></FONT>
2697or <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">xinetd</SPAN></FONT>.
2698 <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">inetd</SPAN></FONT>/<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">xinetd</SPAN></FONT>
2699are preferred:</P>
2700<UL>
2701        <LI><P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm">The <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy-server</SPAN></FONT>
2702        process will not appear in a <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ps</SPAN></FONT>
2703        listing
2704        </P>
2705        <LI><P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm">It’s
2706        more efficient since it’s only invoked when a request from a
2707        MyProxy client is received.</P>
2708        <LI><P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm">It’s
2709        easy to configure so that <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy-server</SPAN></FONT>
2710        runs as an alternative user to <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">root</SPAN></FONT>.</P>
2711</UL>
2712<P CLASS="western" ALIGN=JUSTIFY STYLE="margin-left: 0.63cm; margin-bottom: 0cm">
2713<BR>
2714</P>
2715<H4 CLASS="western"><A NAME="_Ref143089522"></A>4.7.10.1 inetd /
2716xinetd</H4>
2717<P CLASS="western" ALIGN=LEFT>To run the myproxy server using <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">inetd
2718</SPAN></FONT>or <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">xinetd</SPAN></FONT>,
2719as root user:
2720</P>
2721<UL>
2722        <LI><P CLASS="western" ALIGN=LEFT>Add the entries in
2723        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$GLOBUS_LOCATION/share/myproxy/etc.services.modifications</SPAN></FONT>
2724        to the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/etc/services</SPAN></FONT>
2725        or <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/etc/inet/services</SPAN></FONT>
2726        file:
2727        </P>
2728</UL>
2729<DL>
2730        <DD>
2731        <TABLE WIDTH=574 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2732                <COL WIDTH=558>
2733                <TR>
2734                        <TD WIDTH=558 VALIGN=TOP BGCOLOR="#e0e0e0">
2735                                <P STYLE="margin-bottom: 0cm"><BR>
2736                                </P>
2737                                <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">myproxy-server
2738                                 7512/tcp                        # MyProxy server</FONT></P>
2739                                <P><BR>
2740                                </P>
2741                        </TD>
2742                </TR>
2743        </TABLE>
2744</DL>
2745<P CLASS="western" ALIGN=LEFT STYLE="margin-left: 0.64cm"><BR><BR>
2746</P>
2747<UL>
2748        <LI VALUE=1><P CLASS="western" ALIGN=LEFT>Add the entries from
2749        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$GLOBUS_LOCATION/share/myproxy/etc.inetd.conf.modifications</SPAN></FONT></P>
2750        <UL>
2751                <LI><P CLASS="western" ALIGN=LEFT>For inetd add to <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/etc/inetd.conf
2752                </SPAN></FONT>or <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/etc/inet/inetd.conf</SPAN></FONT>,
2753                or 
</P>
2754                <LI><P CLASS="western" ALIGN=LEFT>for <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">xinetd</SPAN></FONT>,
2755                copy <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$GLOBUS_LOCATION/share/myproxy/etc.xinetd.myproxy</SPAN></FONT>
2756                to <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/etc/xinetd.d/myproxy</SPAN></FONT>.
2757                Modify the paths in the file according to your installation (the
2758                <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">server</SPAN></FONT> path and the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">GLOBUS_LOCATION</SPAN></FONT> given in <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">env</SPAN></FONT> should refer to the same Globus installation) and set
                the user to the correct user name for running <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy-server</SPAN></FONT>
                (preferably an unprivileged account rather than <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">root</SPAN></FONT>, as noted above)
2759                e.g.</P>
2760        </UL>
2761</UL>
2762<DL>
2763        <DD>
2764        <TABLE WIDTH=574 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2765                <COL WIDTH=558>
2766                <TR>
2767                        <TD WIDTH=558 VALIGN=TOP BGCOLOR="#e0e0e0">
2768                                <P STYLE="margin-bottom: 0cm"><BR>
2769                                </P>
2770                                <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">service
2771                                myproxy-server</FONT></FONT></P>
2772                                <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">{</FONT></FONT></P>
2773                                <P STYLE="margin-bottom: 0cm">  <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">socket_type
2774                                 = stream</FONT></FONT></P>
2775                                <P STYLE="margin-bottom: 0cm">  <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><SPAN LANG="pt-PT">protocol
2776                                    = tcp</SPAN></FONT></FONT></P>
2777                                <P LANG="pt-PT" STYLE="margin-bottom: 0cm">  <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">wait
2778                                        = no</FONT></FONT></P>
2779                                <P LANG="pt-PT" STYLE="margin-bottom: 0cm">  <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">user
2780                                        = globus</FONT></FONT></P>
2781                                <P LANG="pt-PT" STYLE="margin-bottom: 0cm">  <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">server
2782                                      = /usr/local/NDG/globus-4.0.1/sbin/myproxy-server</FONT></FONT></P>
2783                                <P LANG="pt-PT" STYLE="margin-bottom: 0cm">  <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">env   
2784                                        = GLOBUS_LOCATION=/usr/local/globus-4.0.5
2785                                LD_LIBRARY_PATH=/usr/local/globus-4.0.5/lib</FONT></FONT></P>
2786                                <P STYLE="margin-bottom: 0cm">  <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">disable
2787                                     = no</FONT></FONT></P>
2788                                <P STYLE="margin-bottom: 0cm">  <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">only_from
2789                                   = localhost.localdomain &lt;hostAddress1&gt; &lt;hostAddress2&gt;</FONT></FONT></P>
2790                                <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">}</FONT></FONT></P>
2791                        </TD>
2792                </TR>
2793        </TABLE>
2794</DL>
2795<P STYLE="margin-bottom: 0cm"><BR>
2796</P>
2797<UL>
2798        <LI VALUE=1><P CLASS="western" ALIGN=LEFT>Note also the additional
2799        setting in this example for <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">only_from</SPAN></FONT>.
2800         This restricts the hosts from which clients may connect
2801        to the server.  In the above, clients can connect from the local
2802        machine (note the fully qualified name including <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">localdomain</SPAN></FONT>)
2803        and from the hosts <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">&lt;hostAddress1&gt;
2804        </SPAN></FONT>and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">&lt;hostAddress2&gt;</SPAN></FONT>.
2805          Care must be taken with these settings: if they are set incorrectly,
2806        client requests will fail with an SSL error.</P>
2807        <LI><P CLASS="western" ALIGN=LEFT>Reactivate the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">inetd</SPAN></FONT>
2808        / <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">xinetd</SPAN></FONT>.
2809        This is typically accomplished by sending the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">SIGHUP</SPAN></FONT>
2810        signal to the server process.  Redhat Linux machines include the GUI
2811        tool <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">redhat-config-services</SPAN></FONT>
2812        to allow convenient management of services.  Refer to the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">inetd</SPAN></FONT>
2813        or <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">xinetd</SPAN></FONT>
2814        man page for your system.</P>
2815</UL>
2816<H4 CLASS="western">4.7.10.2 SysV-style boot script
2817</H4>
2818<P CLASS="western" ALIGN=LEFT>A sample SysV-style boot script is
2819available in the Globus installation at
2820<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$GLOBUS_LOCATION/share/myproxy/etc.init.d.myproxy</SPAN></FONT>.
2821</P>
2822<P CLASS="western" ALIGN=LEFT>To install:
2823</P>
2824<TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2825        <COL WIDTH=602>
2826        <TR>
2827                <TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0">
2828                        <P STYLE="margin-bottom: 0cm"><BR>
2829                        </P>
2830                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
2831                        cp <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$GLOBUS_LOCATION/share/myproxy/etc.init.d.myproxy
2832                        /etc/rc.d/init.d/myproxy</SPAN></FONT></FONT></P>
2833                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$
2834                        chkconfig --add myproxy</SPAN></FONT></FONT></P>
2835                        <P><BR>
2836                        </P>
2837                </TD>
2838        </TR>
2839</TABLE>
2840<P CLASS="western" ALIGN=LEFT><BR><BR>
2841</P>
2842<P CLASS="western" ALIGN=LEFT>Edit the file to set the
2843<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">GLOBUS_LOCATION
2844</SPAN></FONT>environment variable correctly. 
2845</P>
2846<P CLASS="western" ALIGN=LEFT><BR><BR>
2847</P>
2848<H1 CLASS="western"><A NAME="5.Appendices|outline"></A>5.Appendices</H1>
2849<H2 CLASS="western"><A NAME="5.1. Postgres PAM for MyProxy|outline"></A>
28505.1 Postgres PAM for MyProxy</H2>
2851<P CLASS="western" ALIGN=JUSTIFY>This section is intended to provide
2852the information needed to enable MyProxy to authenticate against
2853tables in a Postgres database.  Before making these settings, ensure
2854that MyProxy is fully installed following the steps outlined in the
2855MyProxy section.  It's recommended to try out MyProxy with an
2856existing PAM such as “logon” first to ensure it is working.  See
2857the section <I>Testing MyProxy</I>.</P>
2858<P CLASS="western" ALIGN=JUSTIFY>Obtain and install the latest
2859libpam_pgsql.  This can be installed from Debian or RPM packages or
2860from source.   For NDG Security, the version 0.5.2-9 Debian package and the 0.6.3
2861source distribution have been tested.  Check the documentation in
2862the source tarball for details of Postgres version requirements. 
2863</P>
2864<H3 CLASS="western"><A NAME="5.1.1. Configuration|outline"></A>5.1.1
2865Configuration</H3>
2866<P CLASS="western" ALIGN=JUSTIFY>Depending on your native system,
2867create either a /etc/pam.d/myproxy file or the relevant entry in
2868/etc/pam.conf.
2869</P>
2870<P CLASS="western" ALIGN=JUSTIFY>For /etc/pam.d/myproxy:</P>
2871<TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2872        <COL WIDTH=602>
2873        <TR>
2874                <TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0">
2875                        <P STYLE="margin-bottom: 0cm"><BR>
2876                        </P>
2877                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">auth 
2878                              required   pam_pgsql.so <BR>account    required 
2879                        pam_pgsql.so<BR><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">password
2880                        required   pam_pgsql.so</SPAN></FONT></FONT></P>
2881                </TD>
2882        </TR>
2883</TABLE>
2884<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
2885</P>
2886<P CLASS="western" ALIGN=JUSTIFY>or /etc/pam.conf:</P>
2887<TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2888        <COL WIDTH=602>
2889        <TR>
2890                <TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0">
2891                        <P STYLE="margin-bottom: 0cm"><BR>
2892                        </P>
2893                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">myproxy
2894                        auth         required   pam_pgsql.so <BR>myproxy account   
2895                        required   pam_pgsql.so<BR>myproxy <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">password
2896                        required   pam_pgsql.so</SPAN></FONT></FONT></P>
2897                </TD>
2898        </TR>
2899</TABLE>
2900<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
2901</P>
2902<P CLASS="western" ALIGN=JUSTIFY>Configure the database and table
2903that the module should use in the configuration file
2904/etc/pam_pgsql.conf.  Note that this file holds the database account
password in clear text, so restrict its file permissions and use a
dedicated database account with only the privileges the module needs
rather than an administrative one.  e.g.</P>
2905<TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2906        <COL WIDTH=602>
2907        <TR>
2908                <TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0">
2909                        <P STYLE="margin-bottom: 0cm"><BR>
2910                        </P>
2911                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">database
2912                        = userdb<BR>user = admin<BR>password = adminpassword<BR>table =
2913                        account<BR>user_column = username<BR>pwd_column = password<BR>pw_type
2914                        = md5<BR><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">debug</SPAN></FONT></FONT></P>
2915                </TD>
2916        </TR>
2917</TABLE>
2918<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
2919</P>
2920<P CLASS="western" ALIGN=JUSTIFY>In the above example, passwords in
2921the database table “account” are stored as MD5 hashes.   This field can
2922also be set to Crypt or left out altogether if passwords are stored in
2923plain text.  Plain-text storage offers no protection if the table is
exposed, and MD5 is no longer considered a strong password hash, so
prefer a stronger scheme where the module and database support one.</P>
2924<P CLASS="western" ALIGN=JUSTIFY>Restart MyProxy and test it using
2925the myproxy-logon client command as outlined in the section <I>Testing
2926MyProxy.</I><SPAN STYLE="font-style: normal">   To specify a database
2927account name use the -l flag.  If this is omitted, the Linux account
2928name is assumed, e.g.</SPAN></P>
2929<TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2930        <COL WIDTH=602>
2931        <TR>
2932                <TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0">
2933                        <P STYLE="margin-bottom: 0cm"><BR>
2934                        </P>
2935                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$
2936                        myproxy-logon -v -p 60000 -l mydbaccountid</SPAN></FONT></FONT></P>
2937                </TD>
2938        </TR>
2939</TABLE>
2940<P CLASS="western"><BR>Consult the myproxy-logon and myproxy-server
2941output and the system logs to troubleshoot errors.</P>
2942<H2 CLASS="western"><A NAME="_Ref133718491"></A><A NAME="5.2. MySQL Installation|outline"></A>
29435.2 MySQL Installation</H2>
2944<P CLASS="western" ALIGN=JUSTIFY>MySQL can be used to implement a
2945Credential Repository in which the SessionManager stores the user
2946credentials cached in the Credential Wallet held in their
2947session.</P>
2948<P CLASS="western" ALIGN=JUSTIFY>This section describes how to make
2949an installation from the MySQL binary package tarball.   System
2950administrators may wish to use an existing installation of MySQL or
2951use an alternative installation method such as rpm.  Installing from
2952the binary package has the advantage that it doesn’t interfere with
2953any existing MySQL installation on the target machine.   The
2954instructions are adapted from the file <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">INSTALL-BINARY</SPAN></FONT>
2955provided in the tarball.</P>
2956<H3 CLASS="western"><A NAME="5.2.1.Version|outline"></A>5.2.1 Version</H3>
2957<P CLASS="western" ALIGN=LEFT>Version 3.23 or later is recommended.
2958These instructions are for version 5.0.20a, the latest stable release
2959at time of writing.</P>
2960<H3 CLASS="western"><A NAME="5.2.2. Getting the Binaries|outline"></A>
29615.2.2 Getting the Binaries</H3>
2962<P CLASS="western" ALIGN=LEFT>The package can be obtained from the
2963MySQL web site (<FONT COLOR="#0000ff"><U><A HREF="http://dev.mysql.com/downloads/mysql/5.0.html">http://dev.mysql.com/downloads/mysql/5.0.html</A></U></FONT>).
2964 Scroll to the correct version - Linux (non RPM, Intel C/C++
2965compiled, glibc-X.X) downloads.  The version of glibc on the target
2966machine (the same machine as the web server) can be checked with:</P>
2967<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2968        <COL WIDTH=605>
2969        <TR>
2970                <TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
2971                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><BR>$
2972                        ls /lib/libc-*</FONT></P>
2973                </TD>
2974        </TR>
2975</TABLE>
2976<P CLASS="western" ALIGN=LEFT><BR><BR>
2977</P>
2978<H3 CLASS="western"><A NAME="5.2.3. New mysql User Account|outline"></A>
29795.2.3 New <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB"><I>mysql</I></SPAN></FONT>
2980User Account</H3>
2981<P CLASS="western" ALIGN=JUSTIFY>Make a new account to run MySQL if
2982it doesn’t already exist:</P>
2983<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2984        <COL WIDTH=605>
2985        <TR>
2986                <TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
2987                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><BR>$
2988                        groupadd mysql<BR>$ useradd -g mysql mysql</FONT></P>
2989                </TD>
2990        </TR>
2991</TABLE>
2992<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
2993</P>
2994<H3 CLASS="western"><A NAME="5.2.4. Unpacking the tarball|outline"></A>
29955.2.4 Unpacking the tarball</H3>
2996<P CLASS="western" ALIGN=LEFT>As root, copy the tarball to the target
2997directory for installation, e.g. /usr/local, and unpack it:</P>
2998<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2999        <COL WIDTH=605>
3000        <TR>
3001                <TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
3002                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><BR>$
3003                        cd /usr/local<BR>$ tar zxvf
3004                        mysql-standard-5.0.20a-linux-i686-icc-glibc23.tar.gz</FONT></P>
3005                </TD>
3006        </TR>
3007</TABLE>
3008<P CLASS="western" ALIGN=LEFT><BR><BR>
3009</P>
3010<P CLASS="western" ALIGN=LEFT>Make a symbolic link to the new
3011directory and ‘<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">cd</SPAN></FONT>’
3012to it:
3013</P>
3014<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
3015        <COL WIDTH=605>
3016        <TR>
3017                <TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
3018                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><BR>$
3019                        ln -s /usr/local/mysql-standard-5.0.20a-linux-i686-icc-glibc23
3020                        mysql<BR>$ cd mysql</FONT></P>
3021                </TD>
3022        </TR>
3023</TABLE>
3024<P CLASS="western" ALIGN=LEFT><BR><BR>
3025</P>
3026<P CLASS="western" ALIGN=LEFT>The <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">bin</SPAN></FONT>
3027directory contains client programs and the server.  You should add
3028the full pathname of this directory to your <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">PATH</SPAN></FONT>
3029environment variable so that your shell finds the MySQL programs
3030properly.
3031</P>
3032<H3 CLASS="western"><A NAME="5.2.5. Configuration File|outline"></A>5.2.5
3033Configuration File</H3>
3034<P CLASS="western" ALIGN=JUSTIFY>Create a configuration file called
3035<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">my.cnf</SPAN></FONT>
3036in the target directory (<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/usr/local/mysql</SPAN></FONT>
3037in this example) to enable custom settings to be made for this
3038installation.  Note that if there is an existing installation of
3039MySQL, there may already be settings in the file <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/etc/my.cnf</SPAN></FONT>.
3040 To use the settings from that file, <I>skip</I> this step.</P>
3041<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
3042        <COL WIDTH=605>
3043        <TR>
3044                <TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
3045                        <P STYLE="margin-bottom: 0cm"><BR>
3046                        </P>
3047                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">[mysqld]</FONT></P>
3048                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">datadir=/usr/local/mysql-standard-5.0.20a-linux-i686-icc-glibc23/data</FONT></P>
3049                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">socket=/tmp/mysql.sock</FONT></P>
3050                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#
3051                        Default to using old password format for compatibility with mysql
3052                        3.x</FONT></P>
3053                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#
3054                        clients (those using the mysqlclient10 compatibility package).</FONT></P>
3055                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">old_passwords=1</FONT></P>
3056                        <P STYLE="margin-bottom: 0cm"><BR>
3057                        </P>
3058                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">[mysql.server]</FONT></P>
3059                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">user=mysql</FONT></P>
3060                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">basedir=/usr/local/mysql-standard-5.0.20a-linux-i686-icc-glibc23</FONT></P>
3061                        <P STYLE="margin-bottom: 0cm"><BR>
3062                        </P>
3063                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">[mysqld_safe]</FONT></P>
3064                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">err-log=/var/log/mysqld.log</FONT></P>
3065                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">pid-file=/tmp/mysql.pid</FONT></P>
3066                        <P><BR>
3067                        </P>
3068                </TD>
3069        </TR>
3070</TABLE>
3071<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
3072</P>
3073<P CLASS="western" ALIGN=JUSTIFY>The settings above will mean that
3074MySQL’s tables and the Credential Repository database will be
3075stored under <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/usr/local/mysql/data</SPAN></FONT>.
 Note that <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">old_passwords=1</SPAN></FONT>
selects the pre-4.1 password hashing format, which is considerably
weaker than the current one; set it only if you genuinely need to
support such legacy clients.</P>
3076<H3 CLASS="western"><A NAME="5.2.6. Create the Grant Tables|outline"></A>
30775.2.6 Create the Grant Tables</H3>
3078<P CLASS="western" ALIGN=LEFT>The <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">scripts</SPAN></FONT>
3079directory contains the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">mysql_install_db</SPAN></FONT>
3080script used to initialize the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">mysql</SPAN></FONT>
3081database containing the grant tables that store the server access
3082permissions.  If you have not installed MySQL before, you must create
3083the MySQL grant tables:</P>
3084<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
3085        <COL WIDTH=605>
3086        <TR>
3087                <TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
3088                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><BR>$
3089                        scripts/mysql_install_db --user=mysql</FONT></P>
3090                </TD>
3091        </TR>
3092</TABLE>
3093<P CLASS="western" ALIGN=LEFT><BR><BR>
3094</P>
3095<P CLASS="western" ALIGN=LEFT>If you run the command as <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">root</SPAN></FONT>,
3096you must use the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">--user</SPAN></FONT>
3097option as shown. The value of the option should be the name of the
3098login account that you created earlier for running
3099the server. If you run the command while logged in as that user, you
3100can omit the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">--user</SPAN></FONT>
option.  After creating or updating the grant
3101tables, you need to restart the server manually.</P>
3102<H3 CLASS="western"><A NAME="5.2.7. File and Directory Permissions|outline"></A>
31035.2.7 File and Directory Permissions</H3>
3104<P CLASS="western" ALIGN=LEFT>Change the ownership of the program
3105binaries to <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">root</SPAN></FONT>
3106and the ownership of the data directory to <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">mysql</SPAN></FONT>.
3107   Assuming that you are located in the installation directory
3108(<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/usr/local/mysql</SPAN></FONT>),
3109the commands look like this:</P>
3110<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
3111        <COL WIDTH=605>
3112        <TR>
3113                <TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
3114                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><BR>$
3115                        chown -R root  .<BR>$ chown -R mysql data<BR>$ chgrp -R mysql .</FONT></P>
3116                </TD>
3117        </TR>
3118</TABLE>
3119<P CLASS="western" ALIGN=LEFT><BR><BR>
3120</P>
3121<P CLASS="western" ALIGN=LEFT>The first command changes the owner
3122attribute of the files to the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">root</SPAN></FONT>
3123user. The second changes the owner attribute of the data directory to
3124the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">mysql</SPAN></FONT>
3125user. The third changes the group attribute to the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">mysql</SPAN></FONT>
3126group.</P>
3127<H3 CLASS="western"><A NAME="5.2.8. Starting the Server|outline"></A>5.2.8
3128Starting the Server</H3>
3129<P CLASS="western" ALIGN=LEFT>If you want MySQL to start
3130automatically when you boot your machine, you can copy
3131<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">support-files/mysql.server</SPAN></FONT>
3132to the location where your system has its startup files. More
3133information can be found in the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">support-files/mysql.server</SPAN></FONT>
3134script itself.</P>
3135<P CLASS="western" ALIGN=LEFT>To start the MySQL server, use the
3136following command:</P>
3137<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
3138        <COL WIDTH=605>
3139        <TR>
3140                <TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
3141                        <P><BR><BR>
3142                        </P>
3143                        <P LANG="nb-NO"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
3144                        bin/mysqld_safe --user=mysql &amp;</FONT></P>
3145                </TD>
3146        </TR>
3147</TABLE>
3148<P LANG="nb-NO" CLASS="western" ALIGN=LEFT><BR><BR>
3149</P>
3150<P CLASS="western" ALIGN=LEFT>If that command fails immediately and
3151prints <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">mysqld
3152ended</SPAN></FONT>, you can find some information in the
3153&lt;hostname&gt;<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">.err</SPAN></FONT>
3154file in the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">data</SPAN></FONT>
3155directory.</P>
3156<H3 CLASS="western"><A NAME="_Ref133893123"></A><A NAME="5.2.9. Securing MySQL Accounts|outline"></A>
31575.2.9 Securing MySQL Accounts</H3>
3158<P CLASS="western" ALIGN=JUSTIFY>To delete the anonymous accounts:</P>
3159<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
3160        <COL WIDTH=605>
3161        <TR>
3162                <TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
3163                        <P STYLE="margin-bottom: 0cm"><BR>
3164                        </P>
3165                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
3166                        mysql -u root</FONT></P>
3167                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">mysql&gt;
3168                        DELETE FROM mysql.user WHERE User = '';</FONT></P>
3169                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">mysql&gt;
3170                        FLUSH PRIVILEGES;</FONT></P>
3171                        <P><BR>
3172                        </P>
3173                </TD>
3174        </TR>
3175</TABLE>
3176<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
3177</P>
3178<P CLASS="western" ALIGN=JUSTIFY>Set the password for the root
3179account, replacing <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">newpwd</SPAN></FONT>
with a strong password of your own:</P>
3180<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
3181        <COL WIDTH=605>
3182        <TR>
3183                <TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
3184                        <P STYLE="margin-bottom: 0cm"><BR>
3185                        </P>
3186                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">mysql&gt;
3187                        SET PASSWORD FOR 'root'@'localhost' = PASSWORD('newpwd');</FONT></P>
3188                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">mysql&gt;
3189                        SET PASSWORD FOR 'root'@'<I>hostname</I>' = PASSWORD('newpwd');</FONT></P>
3190                        <P><BR>
3191                        </P>
3192                </TD>
3193        </TR>
3194</TABLE>
3195<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
3196</P>
3197<P CLASS="western" ALIGN=JUSTIFY>The hostname can be checked using
3198the query:</P>
3199<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
3200        <COL WIDTH=605>
3201        <TR>
3202                <TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
3203                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><BR>mysql&gt;
3204                        SELECT Host, User FROM mysql.user;</FONT></P>
3205                </TD>
3206        </TR>
3207</TABLE>
3208<P CLASS="western" ALIGN=LEFT><BR><BR>
3209</P>
3210<P CLASS="western" ALIGN=LEFT>Add a new account for use with the
3211Credential Repository database e.g.</P>
3212<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
3213        <COL WIDTH=605>
3214        <TR>
3215                <TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
3216                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><BR>mysql&gt;
3217                        GRANT SELECT, UPDATE, INSERT, DELETE ON ndgCredRepos.* TO
3218                        'ndgUser'@'localhost' IDENTIFIED BY 'password' WITH GRANT OPTION;</FONT></P>
3219                </TD>
3220        </TR>
3221</TABLE>
3222<P CLASS="western" ALIGN=LEFT><BR>The above statement grants the
3223user, <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndgUser</SPAN></FONT>
3224with password, <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">password</SPAN></FONT>,
3225<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">select</SPAN></FONT>,
3226<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">update</SPAN></FONT>,
3227<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">insert</SPAN></FONT>
and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">delete</SPAN></FONT>
3228privileges on the tables of database <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndgCredRepos</SPAN></FONT>.
 The <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">WITH GRANT OPTION</SPAN></FONT>
clause additionally lets this account pass its privileges on to other
accounts, which an application account does not normally need; omit it
unless it is actually required.
3229 The user may only connect from the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">localhost</SPAN></FONT>.
3230 Hence, in this case the Session Manager and Credential Repository
3231must be installed on the same machine.  To allow the Credential
3232Repository to run on a separate machine to the Session Manager, the
3233account must have permission to connect remotely.  This can be
3234achieved by altering the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">GRANT</SPAN></FONT>
3235statement above as shown below.  Note that the host part
<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">'%'</SPAN></FONT>
permits connections from any host; where possible, name the Session
Manager's host instead:</P>
3236<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
3237        <COL WIDTH=605>
3238        <TR>
3239                <TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
3240                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><BR>mysql&gt;
3241                        GRANT SELECT, UPDATE, INSERT, DELETE ON ndgCredRepos.* TO
3242                        'ndgUser'@'%' IDENTIFIED BY 'password' WITH GRANT OPTION;</FONT></P>
3243                </TD>
3244        </TR>
3245</TABLE>
3246<P CLASS="western" ALIGN=LEFT><BR><BR>
3247</P>
3248<P CLASS="western" ALIGN=LEFT>You can also set up new accounts using
3249the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">bin/mysql_setpermission</SPAN></FONT>
3250script if you install the DBI and DBD::mysql Perl modules.</P>
3251<P CLASS="western" ALIGN=LEFT>See section 4.4.1 for details about
3252creation of the Credential Repository database.</P>
3253<H3 CLASS="western"><A NAME="5.2.10. Server Automated Start up|outline"></A>
32545.2.10 Server Automated Start up</H3>
3255<P CLASS="western" ALIGN=JUSTIFY>&lt;todo: &gt;</P>
3256<P CLASS="western" ALIGN=LEFT><BR><BR>
3257</P>
3258<H2 CLASS="western"><A NAME="5.3. HTTPS set-up with Apache Web Server|outline"></A>
32595.3 HTTPS set-up with Apache Web Server</H2>
3260<P CLASS="western" ALIGN=JUSTIFY>NDG security requires HTTPS for the
3261transfer of user credentials across cookie domains between a data
3262provider web page requesting user credentials and a user’s NDG home
3263login page.</P>
3264<P CLASS="western" ALIGN=JUSTIFY>&lt;todo: full explanation - incl.
3265mod_ssl must be installed&gt;</P>
3266<H3 CLASS="western"><A NAME="5.3.1. Web Server Host Certificate Generation|outline"></A>
32675.3.1 Web Server Host Certificate Generation</H3>
3268<P CLASS="western" ALIGN=JUSTIFY>Generate a new private key and
3269certificate request.</P>
3270<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
3271        <COL WIDTH=605>
3272        <TR>
3273                <TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
3274                        <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
3275                        </P>
3276                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
3277                        openssl genrsa -out server.key 2048</FONT></P>
3278                        <P STYLE="margin-bottom: 0cm"><A NAME="OLE_LINK1"></A><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
3279                        openssl req -new -key server.key -out server.csr</FONT></P>
3280                        <P><BR>
3281                        </P>
3282                </TD>
3283        </TR>
3284</TABLE>
3285<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
3286</P>
3287<P CLASS="western" ALIGN=JUSTIFY>Send the certificate request
(<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">server.csr</SPAN></FONT>)
to the
3288relevant CA (NDG if appropriate) for signing.  The private key
<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">server.key</SPAN></FONT>
is not sent anywhere: keep it on the web server host with file
permissions that allow only root to read it.</P>
3289<H3 CLASS="western"><A NAME="5.3.2.Apache Configuration File Settings|outline"></A>
32905.3.2 Apache Configuration File Settings</H3>
3291<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
3292</P>
3293<H2 CLASS="western"><A NAME="_Ref132181551"></A><A NAME="5.4. Apache Web Server Proxy Settings Configuration for Web Services|outline"></A>
32945.4 Apache Web Server Proxy Settings Configuration for Web Services</H2>
3295<P CLASS="western" ALIGN=JUSTIFY>Apache provides a convenient
3296mechanism to re-route web service ports through port 80 and so make
3297them available to the outside world.   This may be helpful if, when
3298deploying NDG Security, you do not wish to open additional ports in
3299your site firewall settings.</P>
3300<P CLASS="western" ALIGN=JUSTIFY>Edit the Apache configuration file.
3301This should be located at <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/etc/httpd/conf</SPAN></FONT></P>
3302<P CLASS="western" ALIGN=JUSTIFY>Add <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ProxyPass</SPAN></FONT>
3303and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ProxyPassReverse</SPAN></FONT>
3304entries for the Session Manager and Attribute Authority web services.
3305  The first argument after the directive name itself is the path
3306that the service will be served from relative to the web server URL.
3307So below, if the URL of the web server is <FONT COLOR="#0000ff"><U><A HREF="http://www.badc.rl.ac.uk/">http://www.badc.rl.ac.uk</A></U></FONT>,
3308then the Session Manager would be available at
3309<FONT COLOR="#0000ff"><U><A HREF="https://www.badc.rl.ac.uk/sessionMgr">https://www.badc.rl.ac.uk/sessionMgr</A></U></FONT>.
3310 The second argument is the actual location where the web service is
3311running locally.  In the example below, the Session Manager is
3312running on port 5700 on the same machine as the web server.  Because
the Session Manager back end is addressed over
<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">https://</SPAN></FONT>,
mod_ssl's SSL proxy support (the
<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">SSLProxyEngine</SPAN></FONT>
directive) must also be enabled for that
<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ProxyPass</SPAN></FONT>
to work.</P>
3313<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
3314        <COL WIDTH=605>
3315        <TR>
3316                <TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
3317                        <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
3318                        </P>
3319                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#
3320                        Session Manager and Attribute Authority settings</FONT></P>
3321                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">ProxyPass
3322                               /sessionMgr    https://localhost:5700</FONT></P>
3323                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">ProxyPassReverse
3324                        /sessionMgr    https://localhost:5700</FONT></P>
3325                        <P STYLE="margin-bottom: 0cm"><BR>
3326                        </P>
3327                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">ProxyPass
3328                               /attAuthority  http://localhost:5000</FONT></P>
3329                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">ProxyPassReverse
3330                        /attAuthority  http://localhost:5000</FONT></P>
3331                        <P CLASS="western" ALIGN=LEFT><BR>
3332                        </P>
3333                </TD>
3334        </TR>
3335</TABLE>
3336<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
3337</P>
3338<P CLASS="western" ALIGN=JUSTIFY>Restart the Apache web server.  This
3339can be done in a variety of ways.  As root user:</P>
3340<OL>
3341        <LI><P CLASS="western" ALIGN=LEFT>On Redhat machines, using the
3342        command <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">redhat-config-services</SPAN></FONT>
3343        or <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">system-config-services</SPAN></FONT>.
3344         In the GUI, click on httpd in the list and press the Restart button.</P>
3345</OL>
3346<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
3347        <COL WIDTH=605>
3348        <TR>
3349                <TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
3350                        <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
3351                        </P>
3352                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
3353                        redhat-config-services</FONT></P>
3354                        <P CLASS="western" ALIGN=LEFT><BR>
3355                        </P>
3356                </TD>
3357        </TR>
3358</TABLE>
3359<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
3360</P>
3361<OL START=2>
3362        <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">service
3363        </SPAN></FONT>command</P>
3364</OL>
3365<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
3366        <COL WIDTH=605>
3367        <TR>
3368                <TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
3369                        <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
3370                        </P>
3371                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
3372                        /sbin/service httpd restart</FONT></P>
3373                        <P CLASS="western" ALIGN=LEFT><BR>
3374                        </P>
3375                </TD>
3376        </TR>
3377</TABLE>
3378<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
3379</P>
3380<OL START=3>
3381        <LI><P CLASS="western" ALIGN=JUSTIFY>apache command</P>
3382</OL>
3383<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
3384        <COL WIDTH=605>
3385        <TR>
3386                <TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
3387                        <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
3388                        </P>
3389                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
3390                        apachectl restart</FONT></P>
3391                        <P CLASS="western" ALIGN=LEFT><BR>
3392                        </P>
3393                </TD>
3394        </TR>
3395</TABLE>
3396<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
3397</P>
3398<OL START=4>
3399        <LI><P CLASS="western" ALIGN=JUSTIFY>Using <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB"><FONT SIZE=2 STYLE="font-size: 9pt">kill</FONT></SPAN></FONT></P>
3400</OL>
3401<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
3402        <COL WIDTH=605>
3403        <TR>
3404                <TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
3405                        <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
3406                        </P>
3407                        <P LANG="sv-SE" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
3408                        kill -HUP `cat /etc/httpd/run/httpd.pid`</FONT></P>
3409                        <P LANG="sv-SE" CLASS="western" ALIGN=LEFT><BR>
3410                        </P>
3411                </TD>
3412        </TR>
3413</TABLE>
3414<P LANG="sv-SE" CLASS="western" ALIGN=JUSTIFY STYLE="margin-left: 0.64cm">
3415<BR><BR>
3416</P>
3417<P CLASS="western" ALIGN=JUSTIFY>Note in the last case that the
3418location of the pid file will depend on your installation.</P>
3419<P CLASS="western" ALIGN=JUSTIFY>Once the changes have been made,
3420ensure that <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">sessionMgr.wsdl</SPAN></FONT>
3421and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">attAuthority.wsdl</SPAN></FONT>
3422contain the new locations for the web services in the tag
3423<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">&lt;soap:address
3424location=""&gt;</SPAN></FONT>.
3425</P>
3426<H2 CLASS="western"><A NAME="5.5.An Example Attribute Authority AAUserRoles interface class|outline"></A>
34275.5 An Example Attribute Authority AAUserRoles interface class</H2>
3428<P CLASS="western" ALIGN=JUSTIFY>This
3429interface is required in order to link the Attribute Authority to the
3430data centre’s system for identifying registered users and managing
3431their roles.  The installation comes with a simple test class which
3432illustrates this.  See <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndg.security.server.conf.userRoles</SPAN></FONT>.</P>
3433<P CLASS="western" ALIGN=JUSTIFY>The class must inherit from the
3434<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">AAUserRoles</SPAN></FONT>
3435interface class.  It must override the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">userIsRegistered</SPAN></FONT>
3436and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">getRoles</SPAN></FONT>
3437methods:</P>
3438<UL>
3439        <LI VALUE=1><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">userIsRegistered()</SPAN></FONT>
3440        – returns True if the user with the given input Distinguished Name
3441        is registered at the site.  This method might contain an SQL query
3442        to the site’s user database for example.  This method is <I>optional
3443        </I><SPAN STYLE="font-style: normal">and is not part of the API to
3444        the Attribute Authority.</SPAN></P>
3445        <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">getRoles()</SPAN></FONT>
3446        – returns a list of roles to which the user with the given input
3447        Distinguished Name is enrolled.  Again, this method could be
3448        implemented with an SQL query to retrieve the roles for a given
3449        user.  If an SQL query is used, pass the username to the database
        driver as a bind parameter rather than substituting it into the query
        string.  Note that if no roles are found, the method should return
3450        [].</P>
3451        <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">__init__()</SPAN></FONT>
3452        – optionally, the initialisation method may be overridden to
3453        enable, for example, the setting up of a database connection.  The
3454        path to a properties file may be passed in.  This could contain
3455        database connection settings.</P>
3456</UL>
3457<P CLASS="western" ALIGN=JUSTIFY>The custom class used by the BODC is
3458a more detailed example:</P>
3459<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0 STYLE="page-break-before: auto">
3460        <COL WIDTH=610>
3461        <TR>
3462                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
3463                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>&quot;&quot;&quot;NDG
3464                        Attribute Authority User Roles class - acts as an interface
3465                        between</FONT></FONT></P>
3466                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>the
3467                        data centre's user roles configuration and the Attribute Authority</FONT></FONT></P>
3468                        <P STYLE="margin-bottom: 0cm; background: transparent"><BR>
3469                        </P>
3470                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>BODC
3471                        User Roles Interface to Oracle database</FONT></FONT></P>
3472                        <P STYLE="margin-bottom: 0cm; background: transparent"><BR>
3473                        </P>
3474                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>@author:
3475                        P J Kershaw 09/08/07</FONT></FONT></P>
3476                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>@copyright:
3477                        (C) 2007 STFC &amp; NERC</FONT></FONT></P>
3478                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>@licence:
3479                        This software may be distributed under the terms of the Q Public</FONT></FONT></P>
3480                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>License,
3481                        version 1.0 or later.</FONT></FONT></P>
3482                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>&quot;&quot;&quot;</FONT></FONT></P>
3483                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#000000">__revision__
3484                        = </FONT><I><FONT COLOR="#00aa00">'$Id:$'</FONT></I></FONT></FONT></P>
3485                        <P STYLE="margin-bottom: 0cm; background: transparent"><BR>
3486                        </P>
3487                        <P STYLE="margin-bottom: 0cm; background: transparent"><BR>
3488                        </P>
3489                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">from</FONT><FONT COLOR="#000000">
3490                        ConfigParser </FONT><FONT COLOR="#0000ff">import</FONT><FONT COLOR="#000000">
3491                        SafeConfigParser</FONT></FONT></FONT></P>
3492                        <P STYLE="margin-bottom: 0cm; background: transparent"><BR>
3493                        </P>
3494                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>#
3495                        Use a conditional import here because if the TestUserRoles class
3496                        is used,</FONT></FONT></P>
3497                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>#
3498                        cx_Oracle is not required</FONT></FONT></P>
3499                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">try</FONT><FONT COLOR="#000000">:</FONT></FONT></FONT></P>
3500                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3501                           </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">import</FONT><FONT COLOR="#000000">
3502                        cx_Oracle</FONT></FONT></FONT></P>
3503                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">except</FONT><FONT COLOR="#000000">
3504                        ImportError, e:</FONT></FONT></FONT></P>
3505                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3506                           </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">from</FONT><FONT COLOR="#000000">
3507                        warnings </FONT><FONT COLOR="#0000ff">import</FONT><FONT COLOR="#000000">
3508                        warn</FONT></FONT></FONT></P>
3509                        <P STYLE="margin-bottom: 0cm; background: transparent">   
3510                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>warn(str(e),
3511                        RuntimeWarning)</FONT></FONT></P>
3512                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3513                           </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">pass</FONT></FONT></FONT></P>
3514                        <P STYLE="margin-bottom: 0cm; background: transparent"><BR>
3515                        </P>
3516                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">from</FONT><FONT COLOR="#000000">
3517                        ndg.security.server.AttAuthority </FONT><FONT COLOR="#0000ff">import</FONT><FONT COLOR="#000000">
3518                        AAUserRoles, AAUserRolesError</FONT></FONT></FONT></P>
3519                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">from</FONT><FONT COLOR="#000000">
3520                        ndg.security.common.X509 </FONT><FONT COLOR="#0000ff">import</FONT><FONT COLOR="#000000">
3521                        X500DN</FONT></FONT></FONT></P>
3522                        <P STYLE="margin-bottom: 0cm; background: transparent"><BR>
3523                        </P>
3524                        <P STYLE="margin-bottom: 0cm; background: transparent"><BR>
3525                        </P>
3526                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">class</FONT><FONT COLOR="#000000">
3527                        <B>TestUserRoles</B>(AAUserRoles):</FONT></FONT></FONT></P>
3528                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3529                           </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><I><FONT COLOR="#00aa00">&quot;&quot;&quot;Test
3530                        User Roles class dynamic import for Attribute Authority</FONT></I></FONT></FONT></P>
3531                        <P STYLE="margin-bottom: 0cm; background: transparent">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>NOT
3532                        for use on production system&quot;&quot;&quot;</FONT></FONT></P>
3533                        <P STYLE="margin-bottom: 0cm; background: transparent"><BR>
3534                        </P>
3535                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3536                           </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">def</FONT><FONT COLOR="#000000">
3537                        <B>__init__</B>(<I>self</I>, propertiesFilePath=</FONT><FONT COLOR="#0000ff">None</FONT><FONT COLOR="#000000">):</FONT></FONT></FONT></P>
3538                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3539                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">pass</FONT></FONT></FONT></P>
3540                        <P STYLE="margin-bottom: 0cm; background: transparent"><BR>
3541                        </P>
3542                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3543                           </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">def</FONT><FONT COLOR="#000000">
3544                        <B>getRoles</B>(<I>self</I>, dn):</FONT></FONT></FONT></P>
3545                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3546                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><I><FONT COLOR="#00aa00">&quot;&quot;&quot;Test
3547                        getRoles returns role attributes regardless of user Id!&quot;&quot;&quot;</FONT></I></FONT></FONT></P>
3548                        <P STYLE="margin-bottom: 0cm; background: transparent"><BR>
3549                        </P>
3550                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3551                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0">#
3552                        Parse username from DN string</FONT></FONT></FONT></P>
3553                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3554                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0">#
3555                        TODO: this may be e-mail address for BODC?</FONT></FONT></FONT></P>
3556                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3557                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">try</FONT><FONT COLOR="#000000">:</FONT></FONT></FONT></P>
3558                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3559                                   <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>cn
3560                        = X500DN(dn)[</FONT><I><FONT COLOR="#00aa00">'CN'</FONT></I><FONT COLOR="#000000">]</FONT></FONT></FONT></P>
3561                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3562                                   </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">if</FONT><FONT COLOR="#000000">
3563                        len(cn) == </FONT><FONT COLOR="#800000">2</FONT><FONT COLOR="#000000">:</FONT></FONT></FONT></P>
3564                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3565                                       </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0">#
3566                        Proxy cert has two common names set - assume extra common </FONT></FONT></FONT>
3567                        </P>
3568                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3569                                       </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0">#
3570                        name will be 'proxy' or a number</FONT></FONT></FONT></P>
3571                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3572                                       <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>username=[n
3573                        </FONT><FONT COLOR="#0000ff">for</FONT><FONT COLOR="#000000"> n </FONT><FONT COLOR="#0000ff">in</FONT><FONT COLOR="#000000">
3574                        cn </FONT><FONT COLOR="#0000ff">if</FONT><FONT COLOR="#000000">
3575                        n!=</FONT><I><FONT COLOR="#00aa00">&quot;proxy&quot;</FONT></I><FONT COLOR="#000000">
3576                        </FONT><FONT COLOR="#0000ff">and</FONT><FONT COLOR="#000000"> </FONT><FONT COLOR="#0000ff">not</FONT><FONT COLOR="#000000">
3577                        n.isdigit()][</FONT><FONT COLOR="#800000">0</FONT><FONT COLOR="#000000">]</FONT></FONT></FONT></P>
3578                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3579                                   </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">else</FONT><FONT COLOR="#000000">:</FONT></FONT></FONT></P>
3580                        <P STYLE="margin-bottom: 0cm; background: transparent">           
3581                            <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>username
3582                        = cn</FONT></FONT></P>
3583                        <P STYLE="margin-bottom: 0cm; background: transparent"><BR>
3584                        </P>
3585                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3586                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">except</FONT><FONT COLOR="#000000">
3587                        Exception, e:</FONT></FONT></FONT></P>
3588                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3589                                   </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">raise</FONT><FONT COLOR="#000000">
3590                        AAUserRolesError, </FONT><I><FONT COLOR="#00aa00">&quot;Parsing
3591                        username from DN %s: %s&quot;</FONT></I><FONT COLOR="#000000"> %
3592                        (dn,e)</FONT></FONT></FONT></P>
3593                        <P STYLE="margin-bottom: 0cm; background: transparent"><BR>
3594                        </P>
3595                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3596                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">return</FONT><FONT COLOR="#000000">
3597                        [</FONT><I><FONT COLOR="#00aa00">'Public'</FONT></I><FONT COLOR="#000000">,
3598                        </FONT><I><FONT COLOR="#00aa00">'Researcher'</FONT></I><FONT COLOR="#000000">]</FONT></FONT></FONT></P>
3599                        <P STYLE="margin-bottom: 0cm; background: transparent"><BR>
3600                        </P>
3601                        <P STYLE="margin-bottom: 0cm; background: transparent"><BR>
3602                        </P>
3603                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">class</FONT><FONT COLOR="#000000">
3604                        <B>UserRoles</B>(AAUserRoles):</FONT></FONT></FONT></P>
3605                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3606                           </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><I><FONT COLOR="#00aa00">&quot;&quot;&quot;User
3607                        Roles class dynamically imported for Attribute Authority</FONT></I></FONT></FONT></P>
3608                        <P STYLE="margin-bottom: 0cm; background: transparent">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>-
3609                        see the Attribute Authority Properties file to make the correct</FONT></FONT></P>
3610                        <P STYLE="margin-bottom: 0cm; background: transparent">   
3611                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>settings&quot;&quot;&quot;</FONT></FONT></P>
3612                        <P STYLE="margin-bottom: 0cm; background: transparent"><BR>
3613                        </P>
3614                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3615                           </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">def</FONT><FONT COLOR="#000000">
3616                        <B>__init__</B>(<I>self</I>, propertiesFilePath=</FONT><FONT COLOR="#0000ff">None</FONT><FONT COLOR="#000000">):</FONT></FONT></FONT></P>
3617                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3618                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">if</FONT><FONT COLOR="#000000">
3619                        </FONT><FONT COLOR="#0000ff">not</FONT><FONT COLOR="#000000">
3620                        propertiesFilePath:</FONT></FONT></FONT></P>
3621                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3622                                   </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">raise</FONT><FONT COLOR="#000000">
3623                        AAUserRolesError, </FONT><I><FONT COLOR="#00aa00">&quot;No user
3624                        roles property file set&quot;</FONT></I></FONT></FONT></P>
3625                        <P STYLE="margin-bottom: 0cm; background: transparent"><BR>
3626                        </P>
3627                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#000000">     
3628                           </FONT><FONT COLOR="#c0c0c0"># Retrieve database connection and
3629                        query settings from config file</FONT></FONT></FONT></P>
3630                        <P STYLE="margin-bottom: 0cm; background: transparent">       
3631                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>configParser
3632                        = SafeConfigParser()</FONT></FONT></P>
3633                        <P STYLE="margin-bottom: 0cm; background: transparent">       
3634                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>configParser.read(propertiesFilePath)</FONT></FONT></P>
3635                        <P STYLE="margin-bottom: 0cm; background: transparent"><BR>
3636                        </P>
3637                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3638                               <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><I>self</I>.__conxnStr
3639                        = configParser.get(</FONT><I><FONT COLOR="#00aa00">'Oracle'</FONT></I><FONT COLOR="#000000">,
3640                        </FONT><I><FONT COLOR="#00aa00">'connection'</FONT></I><FONT COLOR="#000000">)</FONT></FONT></FONT></P>
3641                        <P STYLE="margin-bottom: 0cm; background: transparent"><BR>
3642                        </P>
3643                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3644                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0">#
3645                        The Oracle connection could be made HERE to make getRoles method</FONT></FONT></FONT></P>
3646                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3647                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0">#
3648                        more efficient but then AA would hog an Oracle connection as long
3649                        as</FONT></FONT></FONT></P>
3650                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3651                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0">#
3652                        it is running.  There may be a way to avoid this using a connection</FONT></FONT></FONT></P>
3653                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#000000">     
3654                           </FONT><FONT COLOR="#c0c0c0"># pool</FONT></FONT></FONT></P>
3655                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3656                               <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><I>self</I>.__query
3657                        =  configParser.get(</FONT><I><FONT COLOR="#00aa00">'Oracle'</FONT></I><FONT COLOR="#000000">,
3658                        </FONT><I><FONT COLOR="#00aa00">'query'</FONT></I><FONT COLOR="#000000">)</FONT></FONT></FONT></P>
3659                        <P STYLE="margin-bottom: 0cm; background: transparent"><BR>
3660                        </P>
3661                        <P STYLE="margin-bottom: 0cm; background: transparent"><BR>
3662                        </P>
3663                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3664                           </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">def</FONT><FONT COLOR="#000000">
3665                        <B>getRoles</B>(<I>self</I>, dn):</FONT></FONT></FONT></P>
3666                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3667                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><I><FONT COLOR="#00aa00">'''Roles
3668                        interface for BODC database'''</FONT></I></FONT></FONT></P>
3669                        <P STYLE="margin-bottom: 0cm; background: transparent"><BR>
3670                        </P>
3671                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3672                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0">#
3673                        Parse username from DN string</FONT></FONT></FONT></P>
3674                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3675                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0">#
3676                        TODO: this may be e-mail address for BODC?</FONT></FONT></FONT></P>
3677                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3678                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">try</FONT><FONT COLOR="#000000">:</FONT></FONT></FONT></P>
3679                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3680                                   <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>cn
3681                        = X500DN(dn)[</FONT><I><FONT COLOR="#00aa00">'CN'</FONT></I><FONT COLOR="#000000">]</FONT></FONT></FONT></P>
3682                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3683                                   </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">if</FONT><FONT COLOR="#000000">
3684                        len(cn) == </FONT><FONT COLOR="#800000">2</FONT><FONT COLOR="#000000">:</FONT></FONT></FONT></P>
3685                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3686                                       </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0">#
3687                        Proxy cert has two common names set - assume extra common </FONT></FONT></FONT>
3688                        </P>
3689                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3690                                       </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0">#
3691                        name will be 'proxy' or a number</FONT></FONT></FONT></P>
3692                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3693                                       <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>username=[n
3694                        </FONT><FONT COLOR="#0000ff">for</FONT><FONT COLOR="#000000"> n </FONT><FONT COLOR="#0000ff">in</FONT><FONT COLOR="#000000">
3695                        cn </FONT><FONT COLOR="#0000ff">if</FONT><FONT COLOR="#000000">
3696                        n!=</FONT><I><FONT COLOR="#00aa00">&quot;proxy&quot;</FONT></I><FONT COLOR="#000000">
3697                        </FONT><FONT COLOR="#0000ff">and</FONT><FONT COLOR="#000000"> </FONT><FONT COLOR="#0000ff">not</FONT><FONT COLOR="#000000">
3698                        n.isdigit()][</FONT><FONT COLOR="#800000">0</FONT><FONT COLOR="#000000">]</FONT></FONT></FONT></P>
3699                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3700                                   </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">else</FONT><FONT COLOR="#000000">:</FONT></FONT></FONT></P>
3701                        <P STYLE="margin-bottom: 0cm; background: transparent">           
3702                            <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>username
3703                        = cn</FONT></FONT></P>
3704                        <P STYLE="margin-bottom: 0cm; background: transparent"><BR>
3705                        </P>
3706                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3707                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">except</FONT><FONT COLOR="#000000">
3708                        Exception, e:</FONT></FONT></FONT></P>
3709                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3710                                   </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">raise</FONT><FONT COLOR="#000000">
3711                        AAUserRolesError, </FONT><I><FONT COLOR="#00aa00">&quot;Parsing
3712                        username from DN %s: %s&quot;</FONT></I><FONT COLOR="#000000"> %
3713                        (dn,e)</FONT></FONT></FONT></P>
3714                        <P STYLE="margin-bottom: 0cm; background: transparent"><BR>
3715                        </P>
3716                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3717                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0">#
3718                        It may be possible to use a connection pool and move this</FONT></FONT></FONT></P>
3719                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3720                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0">#
3721                        connect call to __init__ see:</FONT></FONT></FONT></P>
3722                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3723                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0">#</FONT></FONT></FONT></P>
3724                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3725                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0">#
3726                        http://www.python.net/crew/atuining/cx_Oracle/html/module.html</FONT></FONT></FONT></P>
3727                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3728                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0">#</FONT></FONT></FONT></P>
3729                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3730                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">try</FONT><FONT COLOR="#000000">:</FONT></FONT></FONT></P>
3731                        <P STYLE="margin-bottom: 0cm; background: transparent">           
3732                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>con
3733                        = cx_Oracle.connect(<I>self</I>.__conxnStr)</FONT></FONT></P>
3734                        <P STYLE="margin-bottom: 0cm; background: transparent">           
3735                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>cursor
3736                        = con.cursor()</FONT></FONT></P>
3737                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3738                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">except</FONT><FONT COLOR="#000000">
3739                        Exception, e:</FONT></FONT></FONT></P>
3740                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3741                                   </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">raise</FONT><FONT COLOR="#000000">
3742                        AAUserRolesError, </FONT><I><FONT COLOR="#00aa00">&quot;Error
3743                        connecting to Oracle database: &quot;</FONT></I><FONT COLOR="#000000">
3744                        +\</FONT></FONT></FONT></P>
3745                        <P STYLE="margin-bottom: 0cm; background: transparent">        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>                   
3746                                       str(e)</FONT></FONT></P>
3747                        <P STYLE="margin-bottom: 0cm; background: transparent">       
3748                        </P>
3749                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3750                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0">#
3751                        Substitute the username into the query - the query is expected to </FONT></FONT></FONT>
3752                        </P>
3753                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3754                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0">#
3755                        have a &quot;%s&quot; to allow this</FONT></FONT></FONT></P>
3756                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3757                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0">#</FONT></FONT></FONT></P>
3758                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3759                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0">#
3760                        Convert username to string type explicitly as the execute method </FONT></FONT></FONT>
3761                        </P>
3762                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3763                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0">#
3764                        doesn't like unicode type</FONT></FONT></FONT></P>
3765                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3766                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">try</FONT><FONT COLOR="#000000">:</FONT></FONT></FONT></P>
3767                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3768                                   </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">try</FONT><FONT COLOR="#000000">:</FONT></FONT></FONT></P>
3769                        <P STYLE="margin-bottom: 0cm; background: transparent">           
3770                            <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>query
3771                        = <I>self</I>.__query % str(username)</FONT></FONT></P>
3772                        <P STYLE="margin-bottom: 0cm; background: transparent">           
3773                            <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>cursor.execute(query)</FONT></FONT></P>
3774                        <P STYLE="margin-bottom: 0cm; background: transparent">           
3775                            <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>result
3776                        = cursor.fetchall()</FONT></FONT></P>
3777                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3778                                   </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">except</FONT><FONT COLOR="#000000">
3779                        Exception, e:</FONT></FONT></FONT></P>
3780                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3781                                       </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">raise</FONT><FONT COLOR="#000000">
3782                        AAUserRolesError, </FONT><I><FONT COLOR="#00aa00">&quot;Error
3783                        executing query: &quot;</FONT></I><FONT COLOR="#000000"> + str(e)</FONT></FONT></FONT></P>
3784                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3785                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">finally</FONT><FONT COLOR="#000000">:</FONT></FONT></FONT></P>
3786                        <P STYLE="margin-bottom: 0cm; background: transparent">       
3787                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>  cursor.close()</FONT></FONT></P>
3788                        <P STYLE="margin-bottom: 0cm; background: transparent">       
3789                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>  con.close()</FONT></FONT></P>
3790                        <P STYLE="margin-bottom: 0cm; background: transparent">       
3791                        </P>
3792                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3793                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0">#
3794                        Result is a list of tuples.  The first element of each tuple is a</FONT></FONT></FONT></P>
3795                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3796                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0">#
3797                        role name -&gt; Convert into a simple list of role names</FONT></FONT></FONT></P>
3798                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3799                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">try</FONT><FONT COLOR="#000000">:</FONT></FONT></FONT></P>
3800                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3801                                   <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>roleNames
3802                        = [role[</FONT><FONT COLOR="#800000">0</FONT><FONT COLOR="#000000">]
3803                        </FONT><FONT COLOR="#0000ff">for</FONT><FONT COLOR="#000000"> role
3804                        </FONT><FONT COLOR="#0000ff">in</FONT><FONT COLOR="#000000">
3805                        result]</FONT></FONT></FONT></P>
3806                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3807                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">except</FONT><FONT COLOR="#000000">
3808                        TypeError:</FONT></FONT></FONT></P>
3809                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3810                                   </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0">#
3811                        Catch non-iterable error with result var</FONT></FONT></FONT></P>
3812                        <P STYLE="margin-bottom: 0cm; background: transparent">           
3813                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>roleNames
3814                        = []</FONT></FONT></P>
3815                        <P STYLE="margin-bottom: 0cm; background: transparent">       
3816                        </P>
3817                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3818                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT FACE="Monospace"><FONT COLOR="#0000ff">return</FONT><FONT COLOR="#000000">
3819                        roleNames</FONT></FONT></FONT></FONT></P>
3820                        <P STYLE="background: transparent"><BR>
3821                        </P>
3822                </TD>
3823        </TR>
3824</TABLE>
3825<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
3826</P>
3827<P CLASS="western" ALIGN=JUSTIFY>Note:</P>
3828<UL>
3829        <LI><P CLASS="western" ALIGN=JUSTIFY>It uses the Python library
3830        cx_<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Oracle</SPAN></FONT>
3831        to connect to an Oracle database.</P>
3832        <LI><P CLASS="western" ALIGN=JUSTIFY>The <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ElementTree</SPAN></FONT>
3833        Python library is used to parse an XML properties file.</P>
3834        <LI><P CLASS="western" ALIGN=JUSTIFY>The <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndg.security.common.X509</SPAN></FONT>
3835        security Python library is used to parse the user Distinguished Name
3836        passed into the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">getRoles</SPAN></FONT>
3837        and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">userIsRegistered</SPAN></FONT>
3838        methods.</P>
3839        <LI><P CLASS="western" ALIGN=JUSTIFY>Database connection and query
3840        settings are taken from a config file.  Note that the code above builds the SQL by string substitution (<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">self.__query % str(username)</SPAN></FONT>) rather than by binding the username as a query parameter, so the username derived from the Distinguished Name must be treated as untrusted input and the database account used should have read-only access to the roles table; the file also holds the database password in clear text, so its permissions should be restricted to the account running the Attribute Authority:</P>
3841</UL>
3842<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0 STYLE="page-break-before: auto">
3843        <COL WIDTH=610>
3844        <TR>
3845                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
3846                        <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><FONT COLOR="#3f7f5f"><FONT FACE="Monospace"><FONT SIZE=2>#</FONT></FONT></FONT></P>
3847                        <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><FONT COLOR="#3f7f5f"><FONT FACE="Monospace"><FONT SIZE=2>#
3848                        BODC Attribute Authority - Oracle interface settings</FONT></FONT></FONT></P>
3849                        <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><FONT COLOR="#3f7f5f"><FONT FACE="Monospace"><FONT SIZE=2>#</FONT></FONT></FONT></P>
3850                        <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><FONT COLOR="#3f7f5f"><FONT FACE="Monospace"><FONT SIZE=2>#
3851                        P J Kershaw 09/08/07</FONT></FONT></FONT></P>
3852                        <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><FONT COLOR="#3f7f5f"><FONT FACE="Monospace"><FONT SIZE=2>#</FONT></FONT></FONT></P>
3853                        <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><FONT FACE="Monospace"><FONT SIZE=2>[Oracle]</FONT></FONT></P>
3854                        <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><FONT COLOR="#3f7f5f"><FONT FACE="Monospace"><FONT SIZE=2>#
3855                        Database connection string</FONT></FONT></FONT></P>
3856                        <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><FONT FACE="Monospace"><FONT SIZE=2><FONT COLOR="#000000">connection
3857                        = </FONT><FONT COLOR="#2a00ff">user/password@dsn</FONT></FONT></FONT></P>
3858                        <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><FONT COLOR="#3f7f5f"><FONT FACE="Monospace"><FONT SIZE=2>#
3859                        The &quot;%%s&quot; in the query string is replaced with the username
3860                        supplied by the code</FONT></FONT></FONT></P>
3861                        <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm; background: transparent">
3862                        <FONT FACE="Monospace"><FONT SIZE=2><FONT COLOR="#000000">query =
3863                        </FONT><FONT COLOR="#2a00ff">select</FONT><FONT COLOR="#000000">
3864                        </FONT><FONT COLOR="#2a00ff">something</FONT><FONT COLOR="#000000">
3865                        </FONT><FONT COLOR="#2a00ff">from</FONT><FONT COLOR="#000000">
3866                        </FONT><FONT COLOR="#2a00ff">atable</FONT><FONT COLOR="#000000">
3867                        </FONT><FONT COLOR="#2a00ff">where</FONT><FONT COLOR="#000000">
3868                        </FONT><FONT COLOR="#2a00ff">username</FONT><FONT COLOR="#000000">
3869                        </FONT><FONT COLOR="#2a00ff">=</FONT><FONT COLOR="#000000"> </FONT><FONT COLOR="#2a00ff">'%%s'</FONT></FONT></FONT></P>
3870                        <P CLASS="western" ALIGN=LEFT STYLE="background: transparent"><BR>
3871                        </P>
3872                </TD>
3873        </TR>
3874</TABLE>
3875<P CLASS="western" ALIGN=LEFT&