Context Navigation

NDGSecurityInstallationGuide.html @ 3171

Subversion URL: http://proj.badc.rl.ac.uk/svn/ndg/TI12-security/trunk/documentation/InstallationGuide/html/NDGSecurityInstallationGuide.html@3171

Revision 3171, 240.7 KB checked in by pjkersha, 13 years ago (diff)
Installation Guide updated to include instructions for MyProxy? config with SimpleCA and PAM callout.

Line
1	<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
2	<HTML>
3	<HEAD>
4	<META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=utf-8">
5	<TITLE>NDG Security Installation Guide</TITLE>
6	<META NAME="GENERATOR" CONTENT="OpenOffice.org 2.0 (Linux)">
7	<META NAME="AUTHOR" CONTENT="P J Kershaw">
8	<META NAME="CREATED" CONTENT="20071010;9350000">
9	<META NAME="CHANGED" CONTENT="20071221;14112900">
10	<STYLE TYPE="text/css">
11	<!--
12	@page { size: 21cm 29.7cm; margin-left: 2.54cm; margin-right: 2.29cm; margin-top: 1.27cm; margin-bottom: 1.27cm }
13	@page:first { margin-top: 1.27cm; margin-bottom: 2.54cm }
14	P { margin-bottom: 0.42cm; direction: ltr; color: #000000; text-align: left; widows: 2; orphans: 2 }
15	P.western { font-family: "Helvetica", sans-serif; font-size: 10pt; so-language: en-GB }
16	P.cjk { font-family: "Times New Roman", "Times", serif; font-size: 10pt }
17	P.ctl { font-family: "Times New Roman", "Times", serif; font-size: 10pt; so-language: ar-SA }
18	H1 { margin-bottom: 0.42cm; direction: ltr; color: #000000; text-align: justify; widows: 2; orphans: 2; page-break-before: always }
19	H1.western { font-family: "Helvetica", sans-serif; font-size: 10pt; so-language: en-GB }
20	H1.cjk { font-family: "Times New Roman", "Times", serif; font-size: 10pt }
21	H1.ctl { font-family: "Times New Roman", "Times", serif; font-size: 10pt; so-language: ar-SA; font-weight: medium }
22	H2 { margin-left: 0.1cm; margin-top: 0cm; margin-bottom: 0.42cm; direction: ltr; color: #000000; text-align: left; widows: 2; orphans: 2 }
23	H2.western { font-family: "Helvetica", sans-serif; font-size: 10pt; so-language: en-GB }
24	H2.cjk { font-family: "Times New Roman", "Times", serif; font-size: 10pt }
25	H2.ctl { font-family: "Times New Roman", "Times", serif; font-size: 10pt; so-language: ar-SA; font-weight: medium }
26	H3 { margin-top: 0cm; margin-bottom: 0.42cm; direction: ltr; color: #000000; text-align: justify; widows: 2; orphans: 2 }
27	H3.western { font-family: "Helvetica", sans-serif; font-size: 10pt; so-language: en-GB; font-style: italic }
28	H3.cjk { font-family: "Times New Roman", "Times", serif; font-size: 10pt; font-style: italic }
29	H3.ctl { font-family: "Times New Roman", "Times", serif; font-size: 10pt; so-language: ar-SA; font-weight: medium }
30	H4 { margin-top: 0cm; margin-bottom: 0cm; direction: ltr; color: #000000; text-align: justify; widows: 2; orphans: 2 }
31	H4.western { font-family: "Helvetica", sans-serif; font-size: 10pt; so-language: en-GB; font-style: italic; font-weight: medium }
32	H4.cjk { font-family: "Times New Roman", "Times", serif; font-size: 10pt; font-style: italic; font-weight: medium }
33	H4.ctl { font-family: "Times New Roman", "Times", serif; font-size: 10pt; so-language: ar-SA; font-weight: medium }
34	A:link { color: #0000ff }
35	A:visited { color: #800080 }
36	-->
37	</STYLE>
38	</HEAD>
39	<BODY LANG="en-GB" TEXT="#000000" LINK="#0000ff" VLINK="#800080" DIR="LTR">
40	<DIV TYPE=HEADER>
41	<P ALIGN=JUSTIFY STYLE="margin-bottom: 1.17cm"><BR><BR>
42	</P>
43	</DIV>
44	<P ALIGN=LEFT><BR><BR>
45	</P>
46	<P ALIGN=LEFT><A NAME="_Ref179772410"></A><BR><BR>
47	</P>
48	<P ALIGN=LEFT><SPAN ID="Frame1" DIR="LTR" STYLE="float: left; width: 12.96cm; height: 4.77cm; border: none; padding: 0cm; background: #ffffff">
49	<P ALIGN=RIGHT><FONT SIZE=6 STYLE="font-size: 28pt"><B>NERC Data
50	Grid Security</B></FONT></P>
51	<P ALIGN=RIGHT><FONT SIZE=6><B>Installation Guide</B></FONT></P>
52	<P ALIGN=RIGHT><FONT SIZE=3><B>Version 0.9</B></FONT></P>
53	</SPAN><BR><BR>
54	</P>
55	<P ALIGN=LEFT STYLE="page-break-before: always"><FONT SIZE=4 STYLE="font-size: 16pt"><B>Document
56	Log</B></FONT></P>
57	<TABLE WIDTH=627 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
58	<COL WIDTH=194>
59	<COL WIDTH=195>
60	<COL WIDTH=195>
61	<TR VALIGN=TOP>
62	<TD WIDTH=194 BGCOLOR="#d9d9d9">
63	<P ALIGN=JUSTIFY><B>Version Number</B></P>
64	</TD>
65	<TD WIDTH=195 BGCOLOR="#d9d9d9">
66	<P CLASS="western" ALIGN=JUSTIFY><B>Date</B></P>
67	</TD>
68	<TD WIDTH=195 BGCOLOR="#d9d9d9">
69	<P CLASS="western" ALIGN=JUSTIFY><B>Comment</B></P>
70	</TD>
71	</TR>
72	<TR VALIGN=TOP>
73	<TD WIDTH=194>
74	<P ALIGN=JUSTIFY>0.1</P>
75	</TD>
76	<TD WIDTH=195>
77	<P CLASS="western" ALIGN=JUSTIFY>04/11/05</P>
78	</TD>
79	<TD WIDTH=195>
80	<P CLASS="western" ALIGN=JUSTIFY>First Draft</P>
81	</TD>
82	</TR>
83	<TR VALIGN=TOP>
84	<TD WIDTH=194>
85	<P ALIGN=JUSTIFY>0.2</P>
86	</TD>
87	<TD WIDTH=195>
88	<P CLASS="western" ALIGN=JUSTIFY>21/02//06</P>
89	</TD>
90	<TD WIDTH=195>
91	<P CLASS="western" ALIGN=JUSTIFY>Draft for installation at NOCS</P>
92	</TD>
93	</TR>
94	<TR VALIGN=TOP>
95	<TD WIDTH=194>
96	<P ALIGN=JUSTIFY>0.3</P>
97	</TD>
98	<TD WIDTH=195>
99	<P CLASS="western" ALIGN=JUSTIFY>07/04/06</P>
100	</TD>
101	<TD WIDTH=195>
102	<P CLASS="western" ALIGN=JUSTIFY>Updates following installation at
103	NOCS</P>
104	</TD>
105	</TR>
106	<TR VALIGN=TOP>
107	<TD WIDTH=194>
108	<P ALIGN=JUSTIFY>0.4</P>
109	</TD>
110	<TD WIDTH=195>
111	<P CLASS="western" ALIGN=JUSTIFY>25/07/06</P>
112	</TD>
113	<TD WIDTH=195>
114	<P CLASS="western" ALIGN=JUSTIFY>Include deployment model and
115	details about SysV style init scripts for web services.</P>
116	</TD>
117	</TR>
118	<TR VALIGN=TOP>
119	<TD WIDTH=194>
120	<P ALIGN=JUSTIFY>0.5</P>
121	</TD>
122	<TD WIDTH=195>
123	<P CLASS="western" ALIGN=JUSTIFY>16/01/07</P>
124	</TD>
125	<TD WIDTH=195>
126	<P CLASS="western" ALIGN=JUSTIFY>Instructions for installation of
127	python packages and associated C library dependencies from source
128	and corrections for MyProxy installation.</P>
129	<P CLASS="western" ALIGN=JUSTIFY>Installation instructions apply
130	to NDG-Security Post Alpha release 0.72.</P>
131	</TD>
132	</TR>
133	<TR VALIGN=TOP>
134	<TD WIDTH=194>
135	<P ALIGN=JUSTIFY>0.6</P>
136	</TD>
137	<TD WIDTH=195>
138	<P CLASS="western" ALIGN=JUSTIFY>17/08/07</P>
139	</TD>
140	<TD WIDTH=195>
141	<P CLASS="western" ALIGN=JUSTIFY>Updated for NDG Beta release.
142	</P>
143	<UL>
144	<LI><P CLASS="western" ALIGN=JUSTIFY>Installation of python
145	packages is now via distutils eggs.
146	</P>
147	<LI><P CLASS="western" ALIGN=JUSTIFY>Python services use Twisted.</P>
148	</UL>
149	</TD>
150	</TR>
151	<TR VALIGN=TOP>
152	<TD WIDTH=194>
153	<P ALIGN=JUSTIFY>0.7</P>
154	</TD>
155	<TD WIDTH=195>
156	<P CLASS="western" ALIGN=JUSTIFY>03/10/07</P>
157	</TD>
158	<TD WIDTH=195>
159	<P CLASS="western" ALIGN=JUSTIFY>Tidied headers for creation of
160	HTML version</P>
161	</TD>
162	</TR>
163	<TR VALIGN=TOP>
164	<TD WIDTH=194>
165	<P ALIGN=JUSTIFY>0.8</P>
166	</TD>
167	<TD WIDTH=195>
168	<P CLASS="western" ALIGN=JUSTIFY>09/10/07</P>
169	</TD>
170	<TD WIDTH=195>
171	<UL>
172	<LI><P CLASS="western" ALIGN=LEFT>Updates for mapConfig.xml,
173	sessionMgrProperties.xml and attAuthorityProperties.xml config
174	files</P>
175	<LI><P CLASS="western" ALIGN=LEFT>Configuration for logging</P>
176	</UL>
177	</TD>
178	</TR>
179	<TR VALIGN=TOP>
180	<TD WIDTH=194>
181	<P ALIGN=JUSTIFY>0.9</P>
182	</TD>
183	<TD WIDTH=195>
184	<P CLASS="western" ALIGN=JUSTIFY>11//10/07</P>
185	</TD>
186	<TD WIDTH=195>
187	<UL>
188	<LI VALUE=1><P CLASS="western" ALIGN=LEFT>Use of MyProxy with a
189	SimpleCA and PAM callout for authentication</P>
190	<LI><P CLASS="western" ALIGN=LEFT>details for certificate
191	requests for Session Manager and Attribute Authority</P>
192	</UL>
193	</TD>
194	</TR>
195	</TABLE>
196	<P ALIGN=LEFT STYLE="page-break-before: always"><FONT SIZE=4 STYLE="font-size: 16pt"><B>Contents</B></FONT></P>
197	<DIV ID="Table of Contents1" DIR="LTR">
198	<P ALIGN=JUSTIFY><A HREF="#1. References\|outline">1. References 6</A></P>
199	<P ALIGN=JUSTIFY><A HREF="#2.Introduction\|outline">2. Introduction 7</A></P>
200	<P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#2.1.Pre-requisites \|outline">2.1
201	Pre-requisites 7</A></P>
202	<P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#2.2.Deployment Model\|outline">2.2
203	Deployment Model 7</A></P>
204	<P ALIGN=JUSTIFY><A HREF="#3.Software Installation Components\|outline">3.
205	Software Installation Components 9</A></P>
206	<P ALIGN=JUSTIFY><A HREF="#4.Installation\|outline">4.
207	Installation 10</A></P>
208	<P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.1.Dependencies\|outline">4.1
209	Dependencies 10</A></P>
210	<P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.1.1.OpenSSL\|outline">4.1.1
211	OpenSSL 10</A></P>
212	<P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.1.2.SWIG\|outline">4.1.2
213	SWIG 10</A></P>
214	<P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.2.Python Packages\|outline">4.2
215	Python Packages 10</A></P>
216	<P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.2.1.setuptools\|outline">4.2.1
217	setuptools 10</A></P>
218	<P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.2.2.NDG Security Packages\|outline">4.2.2
219	NDG Security Packages 11</A></P>
220	<P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.3.NDG Web Services Configuration\|outline">4.3
221	NDG Web Services Configuration 11</A></P>
222	<P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.3.1.NDG Security System Configuration Files\|outline">4.3.1
223	NDG Security System Configuration Files 11</A></P>
224	<P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.3.2. Certificate Generation\|outline">4.3.2
225	Certificate Generation 12</A></P>
226	<P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.4.Session Manager Configuration\|outline">4.4
227	Session Manager Configuration 14</A></P>
228	<P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.4.1.Session Manager Credential Repository\|outline">4.4.1
229	Session Manager Credential Repository 14</A></P>
230	<P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.4.2.Session Manager Properties File Settings\|outline">4.4.2
231	Session Manager Properties File Settings 14</A></P>
232	<P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.4.3.SysV-style Boot Script\|outline">4.4.3
233	SysV-style Boot Script 18</A></P>
234	<P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.5.Attribute Authority Configuration\|outline">4.5
235	Attribute Authority Configuration 18</A></P>
236	<P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.5.1.Attribute Authority Properties File Settings\|outline">4.5.1
237	Attribute Authority Properties File Settings 18</A></P>
238	<P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.5.2.User Roles Interface\|outline">4.5.2
239	User Roles Interface 20</A></P>
240	<P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.5.3.Role Mapping\|outline">4.5.3
241	Role Mapping 20</A></P>
242	<P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.5.4.Twisted Python server .tac file\|outline">4.5.4
243	Twisted Python server .tac file 21</A></P>
244	<P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.5.5.SysV-style Boot Script\|outline">4.5.5
245	SysV-style Boot Script 22</A></P>
246	<P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.6.Python Unit Tests\|outline">4.6
247	Python Unit Tests 22</A></P>
248	<P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.7. MyProxy\|outline">4.7
249	MyProxy 22</A></P>
250	<P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.7.1. MyProxy and NDG Security Background\|outline">4.7.1
251	MyProxy and NDG Security Background 22</A></P>
252	<P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.7.2. MyProxy user account and the repository location considerations\|outline">4.7.2
253	MyProxy user account and the repository location considerations 23</A></P>
254	<P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.7.3. Installation\|outline">4.7.3
255	Installation 23</A></P>
256	<P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.7.4. SimpleCA Installation\|outline">4.7.4
257	SimpleCA Installation 24</A></P>
258	<P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.7.5. Host Certificate Creation\|outline">4.7.5
259	Host Certificate Creation 27</A></P>
260	<P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.7.6. MyProxy Configuration File\|outline">4.7.6
261	MyProxy Configuration File 27</A></P>
262	<P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.7.7. MyProxy SimpleCA Configuration\|outline">4.7.7
263	MyProxy SimpleCA Configuration 28</A></P>
264	<P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.7.8. MyProxy PAM Configuration\|outline">4.7.8
265	MyProxy PAM Configuration 29</A></P>
266	<P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.7.9. Testing MyProxy\|outline">4.7.9
267	Testing MyProxy 30</A></P>
268	<P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.7.10. Adding MyProxy Server to the system start up\|outline">4.7.10
269	Adding MyProxy Server to the system start up 33</A></P>
270	<P ALIGN=JUSTIFY><A HREF="#5.Appendices\|outline">5. Appendices 35</A></P>
271	<P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#5.1. Postgres PAM for MyProxy\|outline">5.1
272	Postgres PAM for MyProxy 35</A></P>
273	<P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.1.1. Configuration\|outline">5.1.1
274	Configuration 35</A></P>
275	<P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#5.2. MySQL Installation\|outline">5.2
276	MySQL Installation 36</A></P>
277	<P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.1.Version\|outline">5.2.1
278	Version 36</A></P>
279	<P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.2. Getting the Binaries\|outline">5.2.2
280	Getting the Binaries 36</A></P>
281	<P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.3. New mysql User Account\|outline">5.2.3
282	New mysql User Account 36</A></P>
283	<P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.4. Unpacking the tarball\|outline">5.2.4
284	Unpacking the tarball 36</A></P>
285	<P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.5. Configuration File\|outline">5.2.5
286	Configuration File 37</A></P>
287	<P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.6. Create the Grant Tables\|outline">5.2.6
288	Create the Grant Tables 37</A></P>
289	<P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.7. File and Directory Permissions\|outline">5.2.7
290	File and Directory Permissions 38</A></P>
291	<P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.8. Starting the Server\|outline">5.2.8
292	Starting the Server 38</A></P>
293	<P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.9. Securing MySQL Accounts\|outline">5.2.9
294	Securing MySQL Accounts 38</A></P>
295	<P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.10. Server Automated Start up\|outline">5.2.10
296	Server Automated Start up 39</A></P>
297	<P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#5.3. HTTPS set-up with Apache Web Server\|outline">5.3
298	HTTPS set-up with Apache Web Server 39</A></P>
299	<P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.3.1. Web Server Host Certificate Generation\|outline">5.3.1
300	Web Server Host Certificate Generation 39</A></P>
301	<P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.3.2.Apache Configuration File Settings\|outline">5.3.2
302	Apache Configuration File Settings 40</A></P>
303	<P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#5.4. Apache Web Server Proxy Settings Configuration for Web Services\|outline">5.4
304	Apache Web Server Proxy Settings Configuration for Web Services 40</A></P>
305	<P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#5.5.An Example Attribute Authority AAUserRoles interface class\|outline">5.5
306	An Example Attribute Authority AAUserRoles interface class 41</A></P>
307	<P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#5.6.Troubleshooting\|outline">5.6
308	Troubleshooting 44</A></P>
309	<P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.6.1.M2Crypto \|outline">5.6.1
310	M2Crypto 44</A></P>
311	<P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.6.2. PyXML\|outline">5.6.2
312	PyXML 45</A></P>
313	<P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.6.3. 4Suite-XML Build error\|outline">5.6.3
314	4Suite-XML Build error 45</A></P>
315	</DIV>
316	<H1 CLASS="western"><A NAME="1. References\|outline"></A>1. References</H1>
317	<OL>
318	<LI><P CLASS="western" ALIGN=JUSTIFY><FONT COLOR="#0000ff"><U><A HREF="http://grid.ncsa.uiuc.edu/myproxy/"><SPAN LANG="fi-FI">http://grid.ncsa.uiuc.edu/myproxy/</SPAN></A></U></FONT><SPAN LANG="fi-FI">
319	- NCSA MyProxy site</SPAN></P>
320	<LI><P LANG="fr-FR" CLASS="western" ALIGN=JUSTIFY><A HREF="http://grid.ncsa.uiuc.edu/myproxy/ca/">http://grid.ncsa.uiuc.edu/myproxy/ca/</A>
321	- MyProxy Certificate Authority</P>
322	<LI><P LANG="fr-FR" CLASS="western" ALIGN=JUSTIFY><A HREF="http://grid.ncsa.uiuc.edu/myproxy/pam.html">http://grid.ncsa.uiuc.edu/myproxy/pam.html</A>
323	â MyProxy PAM Support</P>
324	<LI><P CLASS="western" ALIGN=JUSTIFY><FONT COLOR="#0000ff"><U><A HREF="http://www-unix.globus.org/toolkit/docs/4.0/security/">http://www-unix.globus.org/toolkit/docs/4.0/security/</A></U></FONT>
325	- Globus 4.0 and Security</P>
326	<LI><P CLASS="western" ALIGN=LEFT><FONT COLOR="#0000ff"><U><A HREF="http://peak.telecommunity.com/DevCenter/setuptools">http://peak.telecommunity.com/DevCenter/setuptools</A></U></FONT>
327	- Python Eggs and Easy Install</P>
328	<LI><P CLASS="western" ALIGN=LEFT><FONT COLOR="#0000ff"><U><A HREF="http://pywebsvcs.sourceforge.net/">http://pywebsvcs.sourceforge.net/</A></U></FONT>
329	- Python ZSI SOAP Web Services package</P>
330	<LI><P CLASS="western" ALIGN=LEFT><FONT COLOR="#0000ff"><U><A HREF="http://chandlerproject.org/bin/view/Projects/MeTooCrypto">http://chandlerproject.org/bin/view/Projects/MeTooCrypto</A></U></FONT>
331	- Python M2Crypto OpenSSL wrapper</P>
332	<LI><P CLASS="western" ALIGN=LEFT><FONT COLOR="#0000ff"><U><A HREF="http://twistedmatrix.com/trac/">http://twistedmatrix.com/trac/</A></U></FONT>
333	- Python Twisted Application Server</P>
334	<LI><P CLASS="western" ALIGN=LEFT><A NAME="_Ref132180158"></A>NDG
335	Security - Security Measures for Installation [v0.2, 7 September
336	2005],
337	<FONT COLOR="#0000ff"><U><A HREF="http://bscw.badc.rl.ac.uk/bscw/bscw.cgi/d77103/NDG%20Security%20-%20Security%20Measures%20for%20Installation">http://bscw.badc.rl.ac.uk/bscw/bscw.cgi/d77103/NDG%20Security%20-%20Security%20Measures%20for%20Installation</A></U></FONT></P>
338	</OL>
339	<H1 CLASS="western"><A NAME="2.Introduction\|outline"></A>2.Introduction</H1>
340	<P CLASS="western" ALIGN=JUSTIFY>This is a guide for system
341	administrators and developers deploying NDG security at a data
342	centre.</P>
343	<H2 CLASS="western"><A NAME="2.1.Pre-requisites \|outline"></A>2.1Pre-requisites
344	</H2>
345	<UL>
346	<LI><P CLASS="western" ALIGN=JUSTIFY>For NDG Security Web Services:
347	a host running RedHat Enterprise AS4 or later is recommended. Other
348	Linux distributions may also be suitable.</P>
349	<LI><P CLASS="western" ALIGN=JUSTIFY>For MyProxy: a separate host
350	machine (See MyProxy for details of operating systems supported).
351	The host must be secure: if possible a dedicated machine with
352	minimal other services running on it. It should be kept up to date
353	with patches and system logs monitored regularly.</P>
354	<LI><P CLASS="western" ALIGN=JUSTIFY>MyProxy and Security web
355	services hosts must be configured to link with an NTP server to
356	enable clocks to be synchronised with security services running at
357	other NDG sites.</P>
358	<LI><P CLASS="western" ALIGN=JUSTIFY>Access to a web server if
359	security for web based applications is required. The web server
360	must be able to be configured to support HTTPS.</P>
361	<LI><P CLASS="western" ALIGN=JUSTIFY>[MySQL 3.23 or greater or
362	Postgres â these are optional and are required for the NDG
363	CredentialRepository only]</P>
364	<LI><P CLASS="western" ALIGN=JUSTIFY>Python 2.4 or later</P>
365	<LI><P CLASS="western" ALIGN=JUSTIFY>Python setuptools utility</P>
366	<LI><P CLASS="western" ALIGN=JUSTIFY>OpenSSL is required at version
367	0.9.8 or greater</P>
368	<LI><P CLASS="western" ALIGN=JUSTIFY>SWIG 1.3.24 or later (for
369	M2Crypto Python OpenSSL wrapper)</P>
370	</UL>
371	<P CLASS="western" ALIGN=JUSTIFY STYLE="margin-left: 0.64cm">Also
372	note document NDG <I>Security - Security Measures for Installation</I>
373	(see Ref 1 above).</P>
374	<H2 CLASS="western"><A NAME="2.2.Deployment Model\|outline"></A>2.2Deployment
375	Model</H2>
376	<P CLASS="western" ALIGN=JUSTIFY>The following diagram gives an
377	example deployment configuration for NDG security services.</P>
378	<P CLASS="western" ALIGN=JUSTIFY><IMG SRC="NDGSecurityInstallationGuide_html_m1b1d83c.png" NAME="graphics1" ALIGN=BOTTOM WIDTH=611 HEIGHT=614 BORDER=0></P>
379	<P CLASS="western" ALIGN=JUSTIFY>All services are positioned behind
380	the firewall. MyProxy is installed on a dedicated machine in order
381	to make its repository as secure as possible. Connections to MyProxy
382	may be made from the Session Manager web service only from within the
383	internal network.</P>
384	<P CLASS="western" ALIGN=JUSTIFY>In the above, security web services
385	are run together on the same host but this does not have to be the
386	case. They can be run on separate servers. Similarly, the web
387	server is on a separate host but could be run on the same machine as
388	the web services if it was felt to be appropriate.</P>
389	<P CLASS="western" ALIGN=JUSTIFY>In the above diagram Attribute
390	Authority accesses a user database. It is assumed that the target
391	site has a database to store user and user role/access right
392	information. This information neednât be stored by means of a
393	database and could be represented in some other way. It is for the
394	data provider to decide. Similarly, the Session Manager web service
395	interfaces with a Credential Repository. This is a database in the
396	above but could be some other kind of permanent store.</P>
397	<P CLASS="western" ALIGN=JUSTIFY>Databases are on a separate server
398	to the web services host. Web services access the databases over the
399	internal network. Finally, the web services have ports exposed in
400	some way through the firewall to enable communication with other NDG
401	security web services at other sites.</P>
402	<H1 CLASS="western"><A NAME="3.Software Installation Components\|outline"></A>
403	3.Software Installation Components</H1>
404	<P CLASS="western" ALIGN=JUSTIFY>Python software is package using
405	distutils eggs. These are divided into separate components to suit
406	the particular installation required:</P>
407	<UL>
408	<LI VALUE=1><P CLASS="western" ALIGN=LEFT>ndg_security_server â
409	components required to run services</P>
410	<LI><P CLASS="western" ALIGN=LEFT>ndg_security_common â components
411	required by both server and common eggs</P>
412	<LI><P CLASS="western" ALIGN=LEFT>ndg_security_client â components
413	for building clients to NDG security services. For example, a data
414	providerâs web application server would these to enable the
415	securing of access to resources or an organisationâs Identity
416	provider would need these to authenticate and allocate authorisation
417	attributes to users.</P>
418	<LI><P CLASS="western" ALIGN=LEFT>ndg_security_test â unit tests
419	for all components</P>
420	<LI><P CLASS="western" ALIGN=LEFT>ndg_security â install all:
421	client, server and common components</P>
422	</UL>
423	<P CLASS="western" ALIGN=JUSTIFY>Eggs rely on the distutils
424	easy_install command to manage installation but NDG security uses an
425	additional script ndg_security_install.py to install eggs and carry
426	out the additional installation tasks to correctly configure the
427	software.</P>
428	<P CLASS="western" ALIGN=JUSTIFY>The following additional packages
429	are required:</P>
430	<UL>
431	<LI VALUE=1><P CLASS="western" ALIGN=JUSTIFY>Globus MyProxy 4.0.5
432	(or later) â source installer tar ball may be downloaded from the
433	Globus site (<FONT COLOR="#0000ff"><U><A HREF="http://www.globus.org/toolkit/downloads/4.0.1/">http://www.globus.org/toolkit/downloads/4.0.1/</A></U></FONT>)</P>
434	<LI><P CLASS="western" ALIGN=JUSTIFY>Globus SimpleCA to enable the
435	MyProxy Certificate Authority.</P>
436	</UL>
437	<P CLASS="western" ALIGN=JUSTIFY STYLE="margin-left: 0.64cm">These
438	two packages should be installed on the target host for MyProxy.</P>
439	<H1 CLASS="western"><A NAME="4.Installation\|outline"></A>4.Installation</H1>
440	<P CLASS="western" ALIGN=JUSTIFY>This section is divided into the
441	Python installation and MyProxy. Note that you will almost certainly
442	wish to install MyProxy on a separate secure server to the other
443	Python based security services.</P>
444	<H2 CLASS="western"><A NAME="4.1.Dependencies\|outline"></A>4.1Dependencies</H2>
445	<H3 CLASS="western"><A NAME="4.1.1.OpenSSL\|outline"></A>4.1.1 OpenSSL</H3>
446	<P CLASS="western" ALIGN=JUSTIFY>Before proceeding with the
447	installation check that an up to date version of OpenSSL is
448	installed:</P>
449	<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
450	<COL WIDTH=596>
451	<TR>
452	<TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6">
453	<P LANG="da-DK" STYLE="margin-bottom: 0cm"><BR>
454	</P>
455	<P LANG="da-DK"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
456	openssl version</FONT></P>
457	</TD>
458	</TR>
459	</TABLE>
460	<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
461	</P>
462	<P CLASS="western" ALIGN=JUSTIFY>0.9.8 or greater is required.
463	Should you need to upgrade, OpenSSL is available from
464	<A HREF="http://www.openssl.org/source/">http://www.openssl.org/source/</A>.
465	Once downloaded, unpack the tarball and follow the installation
466	intstructions.</P>
467	<H3 CLASS="western"><A NAME="4.1.2.SWIG\|outline"></A>4.1.2 SWIG</H3>
468	<P CLASS="western">SWIG is a tool to help with bindings from C/C++ to
469	interpreted languages such as Python. The Python OpenSSL wrapper
470	M2Crypto uses it and version 1.3.24 or later is required. Downloads
471	are available from, <A HREF="http://www.swig.org/">http://www.swig.org</A>.</P>
472	<H2 CLASS="western"><A NAME="4.2.Python Packages\|outline"></A>4.2
473	Python Packages</H2>
474	<P CLASS="western" ALIGN=JUSTIFY>Log in to the target host as <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">root</SPAN></FONT>.
475	Change to a suitable directory to hold temporary installation files.
476
477	</P>
478	<H3 CLASS="western"><A NAME="4.2.1.setuptools\|outline"></A>4.2.1
479	setuptools</H3>
480	<P CLASS="western" ALIGN=JUSTIFY>The first step is to install Python
481	setuptools, the package that enables the use of Python eggs.
482	Download the setuptools bootstrap script:</P>
483	<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
484	<COL WIDTH=596>
485	<TR>
486	<TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6">
487	<P LANG="da-DK" STYLE="margin-bottom: 0cm"><BR>
488	</P>
489	<P LANG="da-DK"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
490	wget http://peak.telecommunity.com/dist/ez_setup.py</FONT></P>
491	</TD>
492	</TR>
493	</TABLE>
494	<P CLASS="western" ALIGN=LEFT><BR><BR>
495	</P>
496	<P CLASS="western" ALIGN=JUSTIFY>You may need to set the environment
497	for a http proxy at your site. For example,</P>
498	<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
499	<COL WIDTH=596>
500	<TR>
501	<TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6">
502	<P STYLE="margin-bottom: 0cm"><BR>
503	</P>
504	<P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
505	export http_proxy=http://yourproxyurl.com:8080</FONT></P>
506	</TD>
507	</TR>
508	</TABLE>
509	<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
510	</P>
511	<P CLASS="western" ALIGN=JUSTIFY>Run the bootstrap script. Make sure
512	to use the correct version of python in your system path. Some
513	systems may have multiple python versions installed:</P>
514	<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
515	<COL WIDTH=596>
516	<TR>
517	<TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6">
518	<P STYLE="margin-bottom: 0cm"><BR>
519	</P>
520	<P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
521	python ez_setup.py</FONT></P>
522	</TD>
523	</TR>
524	</TABLE>
525	<P CLASS="western"><BR><BR>
526	</P>
527	<P CLASS="western">Once completed, you can delete <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ez_setup.py</SPAN></FONT>.</P>
528	<H3 CLASS="western"><A NAME="4.2.2.NDG Security Packages\|outline"></A>
529	4.2.2 NDG Security Packages</H3>
530	<P CLASS="western" ALIGN=JUSTIFY>NDG security uses a wrapper to
531	distutils <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">easy_install</SPAN></FONT>
532	to enable custom installation steps to be correctly carried out.
533	Download the script from the NDG distribution site:</P>
534	<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
535	<COL WIDTH=596>
536	<TR>
537	<TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6">
538	<P LANG="da-DK" STYLE="margin-bottom: 0cm"><BR>
539	</P>
540	<P LANG="da-DK"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
541	wget http://ndg.nerc.ac.uk/dist/ndg-security-install.py</FONT></P>
542	</TD>
543	</TR>
544	</TABLE>
545	<P LANG="da-DK" CLASS="western" ALIGN=JUSTIFY><BR><BR>
546	</P>
547	<P CLASS="western" ALIGN=JUSTIFY>Now carry out the installation of
548	the NDG security python packages:</P>
549	<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
550	<COL WIDTH=596>
551	<TR>
552	<TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6">
553	<P STYLE="margin-bottom: 0cm"><BR>
554	</P>
555	<P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
556	python ./ndg-security-install.py -a</FONT></P>
557	</TD>
558	</TR>
559	</TABLE>
560	<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
561	</P>
562	<P CLASS="western" ALIGN=JUSTIFY>The script options can be checked
563	using the âh option. âa selects all packages for installation.
564	If there are problems with the installation, see the Troubleshooting
565	Guide in the Appendices section 5.6.</P>
566	<H2 CLASS="western"><A NAME="4.3.NDG Web Services Configuration\|outline"></A>
567	4.3 NDG Web Services Configuration</H2>
568	<H3 CLASS="western"><A NAME="4.3.1.NDG Security System Configuration Files\|outline"></A>
569	4.3.1 NDG Security System Configuration Files</H3>
570	<P CLASS="western" ALIGN=JUSTIFY>Properties files set the
571	configuration settings for NDG security <I>server side</I> settings.
572	Templates for these are contained within the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndg_security_server</SPAN></FONT>
573	installed in your python distributionâs site-packages directory.
574	A future version of the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndg-security-install.py</SPAN></FONT>
575	script will extract these and install at a suitable location on the
576	file system. For the moment though, this is a manual process.</P>
577	<P CLASS="western" ALIGN=JUSTIFY>Create a configuration area under
578	your servers <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/etc</SPAN></FONT>
579	directory:</P>
580	<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
581	<COL WIDTH=596>
582	<TR>
583	<TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6">
584	<P STYLE="margin-bottom: 0cm"><BR>
585	</P>
586	<P LANG="da-DK"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
587	mkdir /etc/ndg<BR>$ mkdir /etc/ndg/security</FONT></P>
588	</TD>
589	</TR>
590	</TABLE>
591	<P LANG="da-DK" CLASS="western" ALIGN=JUSTIFY><BR><BR>
592	</P>
593	<P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/etc/ndg/security</SPAN></FONT>
594	is recognised by the Python security software by the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">NDGSEC_DIR
595	</SPAN></FONT>environment variable. This variable can be set in the
596	environment of the user account used to run the security services or
597	can be set in the init scripts used to automatically start up the
598	services from server boot up (See sections 4.4.2, 4.4.3 and 4.5.5).</P>
599	<P CLASS="western" ALIGN=JUSTIFY>Locate the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndg_security_server</SPAN></FONT>
600	egg and copy its <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">conf/</SPAN></FONT>
601	directory into the configuration area. For example if you are using
602	python installed in <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/usr/local</SPAN></FONT>
603	then the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">conf/</SPAN></FONT>
604	directory will be in:</P>
605	<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
606	<COL WIDTH=596>
607	<TR>
608	<TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6">
609	<P STYLE="margin-bottom: 0cm"><BR>
610	</P>
611	<P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">/usr/local/lib/python<python
612	version num>/site-packages/ndg_security_server-<version
613	info>.egg/ndg/security/server/conf</FONT></P>
614	</TD>
615	</TR>
616	</TABLE>
617	<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
618	</P>
619	<P CLASS="western" ALIGN=JUSTIFY>Copy as follows:</P>
620	<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
621	<COL WIDTH=596>
622	<TR>
623	<TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6">
624	<P STYLE="margin-bottom: 0cm"><BR>
625	</P>
626	<P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ cp
627	/usr/local/lib/python<python version
628	num>/site-packages/ndg_security_server-<version
629	info>.egg/ndg/security/server/conf /etc/ndg/security</FONT></P>
630	</TD>
631	</TR>
632	</TABLE>
633	<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
634	</P>
635	<P CLASS="western" ALIGN=JUSTIFY>The <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">conf/</SPAN></FONT>
636	directory will contain these important files:</P>
637	<UL>
638	<LI><P CLASS="western" ALIGN=JUSTIFY>Session Manager and Attribute
639	Authority properties XML files</P>
640	<LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">openssl.conf</SPAN></FONT>
641	â used by the Session Manager to configure client connections to
642	MyProxy</P>
643	<LI><P CLASS="western" ALIGN=JUSTIFY>Special <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">.tac</SPAN></FONT>
644	configuration files loaded by the <I>Twisted</I> application server
645	used to run Session Manager and Attribute Authority services</P>
646	<LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">certs/</SPAN></FONT>
647	directory for storing X.509 certificates</P>
648	<LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">mapConfig.xml</SPAN></FONT>
649	for role mapping and other trust configuration parameters to enable
650	the Attribute Authority to operate with other trusted organisations
651	within NDG</P>
652	<LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">attCertLog/</SPAN></FONT>
653	directory for storing Attribute Certificates issued by the Attribute
654	Authority.</P>
655	<LI><P CLASS="western" ALIGN=JUSTIFY>Logging configuration files:
656	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">sessionMgrLog.cfg
657	</SPAN></FONT>and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">attAuthorityLog.cfg</SPAN></FONT></P>
658	</UL>
659	<P CLASS="western" ALIGN=JUSTIFY>The default location for log files
660	set in <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">sessionMgrLog.cfg</SPAN></FONT>
661	and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">attAuthorityLog.cfg</SPAN></FONT>
662	is <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/log</SPAN></FONT>.
663	Create this directory as follows:</P>
664	<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
665	<COL WIDTH=596>
666	<TR>
667	<TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6">
668	<P STYLE="margin-bottom: 0cm"><BR>
669	</P>
670	<P LANG="es-ES"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
671	mkdir /etc/ndg/security/log</FONT></P>
672	</TD>
673	</TR>
674	</TABLE>
675	<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
676	</P>
677	<P CLASS="western" ALIGN=JUSTIFY>Note that it is possible to run
678	security web services under any specified system account and group.
679	Ensure that this user has full access to <SPAN LANG="es-ES"><FONT FACE="Lucida Console">/etc/ndg/security</FONT>
680	e.g.</SPAN></P>
681	<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
682	<COL WIDTH=596>
683	<TR>
684	<TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6">
685	<P STYLE="margin-bottom: 0cm"><BR>
686	</P>
687	<P LANG="es-ES"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
688	chmod ndg:ndggroup -R /etc/ndg/security</FONT></P>
689	</TD>
690	</TR>
691	</TABLE>
692	<P LANG="es-ES" CLASS="western" ALIGN=JUSTIFY><BR><BR>
693	</P>
694	<H3 CLASS="western"><A NAME="4.3.2. Certificate Generation\|outline"></A>
695	4.3.2 Certificate Generation</H3>
696	<P CLASS="western" ALIGN=JUSTIFY>The Session Manager and Attribute
697	Authority web services require individual X.509 certificates as a
698	means to identify them in the various interactions required for user
699	registration, authentication and authorisation. These may be created
700	by similar means to the host certificate creation.</P>
701	<P CLASS="western" ALIGN=JUSTIFY>Change directory to
702	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/conf/certs</SPAN></FONT>.
703	The certificates will be stored here. Make a new private key and
704	certificate request for the Session Manager:</P>
705	<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
706	<COL WIDTH=610>
707	<TR>
708	<TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
709	<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
710	</P>
711	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
712	openssl genrsa âout sm-key.pem 2048</FONT></P>
713	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
714	chmod 400 sm-key.pem</FONT></P>
715	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
716	openssl req ânew âkey sm-key.pem âout sm.csr</FONT></P>
717	<P CLASS="western" ALIGN=LEFT><BR>
718	</P>
719	</TD>
720	</TR>
721	</TABLE>
722	<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
723	</P>
724	<P CLASS="western" ALIGN=JUSTIFY>The private key may be password
725	protected if required by adding the âdes3 option to the genrsa
726	command. Type in a password when prompted. The req command will
727	prompt you for the components of the Distinguished Name for the new
728	certificate. When prompted for the Common Name, enter
729	âSessionManagerâ. The other fields can be set as required but by
730	convention for NDG, the Organisation field has been set to NDG and
731	the Organisation Unit to the individual data provider name e.g. BADC.
732	All other fields have been omitted. You can skip individual fields
733	by enter â.â When prompted.</P>
734	<P CLASS="western" ALIGN=JUSTIFY>Forward the request file to the
735	appropriate CA. This could be your SimpleCA created for use with
736	MyProxy â see MyProxy installation. The CA will issue a
737	certificate file. Copy this file as
738	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/conf/certs/sm-cert.pem</SPAN></FONT>.<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">
739	</SPAN></FONT> The request<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">
740	</FONT>file can be deleted once a certificate has been obtained from
741	the CA.</P>
742	<P CLASS="western" ALIGN=JUSTIFY>Repeat this process for the
743	Attribute Authority, selecting âAttributeAuthorityâ for the
744	Common Name<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">.</SPAN></FONT></P>
745	<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
746	<COL WIDTH=610>
747	<TR>
748	<TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
749	<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
750	</P>
751	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
752	openssl genrsa âout aa-key.pem 2048</FONT></P>
753	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
754	chmod 400 aa-key.pem</FONT></P>
755	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
756	openssl req ânew âkey aa-key.pem âout aa.csr</FONT></P>
757	<P CLASS="western" ALIGN=LEFT><BR>
758	</P>
759	</TD>
760	</TR>
761	</TABLE>
762	<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
763	</P>
764	<P CLASS="western" ALIGN=JUSTIFY>It is recommended that the Session
765	Manager is run over https to keep user login credentials secured. A
766	server certificate and key will be required in addition to enable
767	this.
768	</P>
769	<P CLASS="western" ALIGN=JUSTIFY>If required, a certificate could be
770	issued from your SimpleCA. Follow the same procedure as used for the
771	Session Manager and Attirbute Authority above creating a private key
772	and certificate request. The private key should be generated without
773	a password. When generating the certificate request ensure that the
774	Common Name is set to the fully qualified name of the server host.</P>
775	<P CLASS="western" ALIGN=JUSTIFY>Once available the certificate and
776	private key can be added to the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/conf/certs
777	<FONT FACE="Helvetica, sans-serif">directory and can be </FONT><FONT FACE="Helvetica, sans-serif">referenced
778	by the Session Managerâs properties file with the </FONT><FONT FACE="Lucida Console">sslCertFile</FONT><FONT FACE="Helvetica, sans-serif">
779	and </FONT><FONT FACE="Lucida Console">sslKeyFile</FONT><FONT FACE="Helvetica, sans-serif">
780	elements respectively.</FONT></SPAN></FONT></P>
781	<P CLASS="western" ALIGN=JUSTIFY>A copy of the NDG Certificate
782	Authorityâs X.509 certificate is also required. Obtain this from
783	the NDG CA administrator and copy it into the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/conf/certs
784	</SPAN></FONT>directory.</P>
785	<P CLASS="western" STYLE="background: #cccccc">Note that all other
786	trusted NDG partner organisations MUST have copies of your CA
787	certificate. If they don't, partner organisations NDG Security
788	infrastructures will reject requests from your security services.
789	CA certificates are referenced in the Attribute Authority and Session
790	Manager properties file settings <FONT FACE="Lucida Console, DejaVu Sans Mono, sans-serif"><FONT SIZE=2>sslCACertDir</FONT><FONT SIZE=2 STYLE="font-size: 9pt">
791	</FONT></FONT><FONT SIZE=2><FONT FACE="Helvetica, sans-serif">and
792	</FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, sans-serif">caCertFileList</FONT></FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, sans-serif"><FONT SIZE=2 STYLE="font-size: 9pt">.</FONT></FONT><FONT SIZE=2><FONT FACE="Helvetica, sans-serif">
793	Configuration for Gatekeepers may also need to reference your CA
794	certificate.</FONT></FONT></P>
795	<H2 CLASS="western"><A NAME="4.4.Session Manager Configuration\|outline"></A>
796	4.4 Session Manager Configuration</H2>
797	<P CLASS="western" ALIGN=JUSTIFY>Configuration parameters may be set
798	via a properties file. In addition, the Session Manager can
799	optionally make use of a Credential Repository database. This
800	enables the credentials that users acquire during a session to be
801	stored so that they may be retrieved. When installed, the default
802	configuration set in the Session Manager Properties file is to <I>not</I>
803	use a Credential Repository. If this is the case, skip this
804	section.</P>
805	<H3 CLASS="western"><A NAME="_Ref156702859"></A><A NAME="4.4.1.Session Manager Credential Repository\|outline"></A>
806	4.4.1 Session Manager Credential Repository</H3>
807	<P CLASS="western" ALIGN=JUSTIFY>Create the Credential Repository
808	database. In the example below a MySQL database is assumed. Notes
809	on installing MySQL are given in the Appendices section 5.2.
810	</P>
811	<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
812	<COL WIDTH=610>
813	<TR>
814	<TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
815	<P STYLE="margin-bottom: 0cm"><BR>
816	</P>
817	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
818	mysql âu root âp</FONT></P>
819	<P CLASS="western" ALIGN=JUSTIFY>mysql> create database
820	ndgCredRepos;</P>
821	<P><BR>
822	</P>
823	</TD>
824	</TR>
825	</TABLE>
826	<P CLASS="western" ALIGN=JUSTIFY><BR>Use the script
827	init-credrepos-db to create the tables. As the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">globus</SPAN></FONT>
828	user, run the script. Enter the password for the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndgUser</SPAN></FONT>
829	account when prompted and type <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">yes</SPAN></FONT>
830	to confirm creation of the tables:</P>
831	<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
832	<COL WIDTH=610>
833	<TR>
834	<TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
835	<P STYLE="margin-bottom: 0cm"><BR>
836	</P>
837	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
838	init-credrepos-db âu root</FONT></P>
839	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Database
840	password:</FONT></P>
841	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Are
842	you sure you want to initialise the database tables? (yes/no) yes</FONT></P>
843	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Tables
844	created</FONT></P>
845	<P STYLE="margin-bottom: 0cm"><BR>
846	</P>
847	<P><BR>
848	</P>
849	</TD>
850	</TR>
851	</TABLE>
852	<P CLASS="western" ALIGN=JUSTIFY><BR>To check that the tables have
853	been created, restart the database client:</P>
854	<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
855	<COL WIDTH=610>
856	<TR>
857	<TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
858	<P STYLE="margin-bottom: 0cm"><BR>
859	</P>
860	<P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm">$
861	mysql âu root âp âD ndgCredRepos</P>
862	<P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm">mysql>
863	show tables;</P>
864	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">+------------------------+</FONT></FONT></P>
865	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">\|
866	Tables_in_ndgCredRepos \|</FONT></FONT></P>
867	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">+------------------------+</FONT></FONT></P>
868	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">\|
869	UserCredential \|</FONT></FONT></P>
870	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">\|
871	UserID \|</FONT></FONT></P>
872	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">+------------------------+</FONT></FONT></P>
873	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">2
874	rows in set (0.00 sec)</FONT></FONT></P>
875	<P><BR>
876	</P>
877	</TD>
878	</TR>
879	</TABLE>
880	<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
881	</P>
882	<P CLASS="western" ALIGN=JUSTIFY>A separate account should be created
883	for the Session Manager to access the database. It should have
884	sufficient permissions to be able to read and write records. For
885	details of how to create an account in MySQL see the Appendices
886	section 5.2.9.</P>
887	<H3 CLASS="western"><A NAME="4.4.2.Session Manager Properties File Settings\|outline"></A>
888	4.4.2 Session Manager Properties File Settings</H3>
889	<P CLASS="western" ALIGN=JUSTIFY>Edit <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">sessionMgrProperties.xml</SPAN></FONT>
890	in <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/conf</SPAN></FONT>
891	and modify the default settings:</P>
892	<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
893	<COL WIDTH=610>
894	<TR>
895	<TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
896	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><?xml
897	version="1.0" encoding="utf-8"?></FONT></FONT></P>
898	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><sessMgrProp></FONT></FONT></P>
899	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><portNum></portNum></FONT></FONT></P>
900	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><useSSL>Yes</useSSL>
901	<!-- leave blank to use http --></FONT></FONT></P>
902	<P STYLE="margin-bottom: 0cm">
903	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><sslCertFile>$NDGSEC_DIR/conf/certs/server-cert.pem</sslCertFile></FONT></FONT></P>
904	<P STYLE="margin-bottom: 0cm">
905	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><sslKeyFile>>$NDGSEC_DIR/conf/certs/server-key.pem
906	</sslKeyFile></FONT></FONT></P>
907	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Lucida Console, DejaVu Sans Mono, sans-serif"><!--
908	<BR> Directory containing CA cert.s to verify SSL peer cert
909	against - ignored if useSSL is blank --><BR>
910	<sslCACertDir>$NDGSEC_DIR/conf/certs/ca</sslCACertDir><BR>
911	</FONT><!--</FONT></FONT></P>
912	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">PKI
913	settings for signature of outbound SOAP messages</FONT></FONT></P>
914	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--></FONT></FONT></P>
915	<P STYLE="margin-bottom: 0cm">
916	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><useSignatureHandler>Yes</useSignatureHandler>
917	<!-- leave blank for no signature --></FONT></FONT></P>
918	<P STYLE="margin-bottom: 0cm">
919	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><certFile>>$NDGSEC_DIR/conf/certs/sm-cert.pem</certFile></FONT></FONT></P>
920	<P STYLE="margin-bottom: 0cm">
921	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><keyFile>>$NDGSEC_DIR/conf/certs/server-key.pem</keyFile></FONT></FONT></P>
922	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><keyPwd></keyPwd></FONT></FONT></P>
923	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, sans-serif"><FONT SIZE=2 STYLE="font-size: 9pt"><!--
924	</FONT></FONT>
925	</P>
926	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Lucida Console, DejaVu Sans Mono, sans-serif">CA
927	Certificates used to verify X.509 certs used in peer SOAP
928	messages,<BR> SSL connections and Attribute Certificates<BR>
929	--><BR> <caCertFileList><BR>
930	<caCertFile>$NDGSEC_DIR/conf/certs/cacert.pem</caCertFile><BR>
931	</caCertFileList><BR></FONT> <!-- </FONT></FONT>
932	</P>
933	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">Set
934	the certificate used to verify the signature of messages from the </FONT></FONT>
935	</P>
936	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">client.
937	This can usually be left blank since the client is expected to </FONT></FONT>
938	</P>
939	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">include
940	the cert with the signature in the inbound SOAP message</FONT></FONT></P>
941	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--></FONT></FONT></P>
942	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><clntCertFile></clntCertFile>
943	</FONT></FONT>
944	</P>
945	<P STYLE="margin-bottom: 0cm">
946	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><sessMgrEncrKey></sessMgrEncrKey></FONT></FONT></P>
947	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><sessMgrURI></sessMgrURI></FONT></FONT></P>
948	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><cookieDomain></cookieDomain></FONT></FONT></P>
949	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><myProxyProp></FONT></FONT></P>
950	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><!--
951	</FONT></FONT>
952	</P>
953	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">Delete
954	this element and take setting from MYPROXY_SERVER environment </FONT></FONT>
955	</P>
956	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">variable
957	if required</FONT></FONT></P>
958	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--></FONT></FONT></P>
959	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><hostname>ENTER
960	THE FULLY QUALIFIED HOSTNAME OF THE SERVER</hostname></FONT></FONT></P>
961	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><!--
962	</FONT></FONT>
963	</P>
964	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">Delete
965	this element to take default setting 7512 or read </FONT></FONT>
966	</P>
967	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><SPAN LANG="fr-FR">MYPROXY_SERVER_PORT
968	setting</SPAN></FONT></FONT></P>
969	<P LANG="fr-FR" STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--></FONT></FONT></P>
970	<P LANG="fr-FR" STYLE="margin-bottom: 0cm">
971	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><port>7512</port></FONT></FONT></P>
972	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><!--</FONT></FONT></P>
973	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">Useful
974	if hostname and certificate CN don't match correctly. Globus </FONT></FONT>
975	</P>
976	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">host
977	DN is set to "host/<fqdn>". Delete this element
978	and set from </FONT></FONT>
979	</P>
980	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">MYPROXY_SERVER_DN
981	environment variable if prefered</FONT></FONT></P>
982	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><serverDN></serverDN></FONT></FONT></P>
983	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--></FONT></FONT></P>
984	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><!--</FONT></FONT></P>
985	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">Set
986	"host/" prefix to host cert CN as is default with globus</FONT></FONT></P>
987	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--></FONT></FONT></P>
988	<P STYLE="margin-bottom: 0cm">
989	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><serverCNprefix>host/</serverCNprefix> </FONT></FONT></P>
990	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><!--</FONT></FONT></P>
991	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">This
992	directory path is used to locate the OpenSSL configuration file</FONT></FONT></P>
993	<P STYLE="margin-bottom: 0cm">
994	</P>
995	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">The
996	settings are used to set up the defaults for the Distinguished
997	Name of</FONT></FONT></P>
998	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">the
999	new proxy cert. issued </FONT></FONT>
1000	</P>
1001	<P STYLE="margin-bottom: 0cm">
1002	</P>
1003	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">GLOBUS_LOCATION
1004	or GRID_SECURITY_DIR environment variables may be used</FONT></FONT></P>
1005	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">but
1006	the settings can be independent of any Globus installation</FONT></FONT></P>
1007	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><BR>
1008	--></FONT></FONT></P>
1009	<P STYLE="margin-bottom: 0cm">
1010	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><openSSLConfFilePath>$NDGSEC_DIR/conf/openssl.conf</openSSLConfFilePath></FONT></FONT></P>
1011	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><tmpDir>/tmp</tmpDir></FONT></FONT></P>
1012	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><!--
1013	</FONT></FONT>
1014	</P>
1015	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">
1016	Limit on maximum lifetime any proxy certificate can have
1017	- </FONT></FONT>
1018	</P>
1019	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">
1020	specified when a certificate is first created by store()
1021	method</FONT></FONT></P>
1022	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--></FONT></FONT></P>
1023	<P STYLE="margin-bottom: 0cm">
1024	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><proxyCertMaxLifetime>24</proxyCertMaxLifetime>
1025	<!-- in hours --></FONT></FONT></P>
1026	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><!--
1027	</FONT></FONT>
1028	</P>
1029	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">
1030	Life time of a proxy certificate when issued from the
1031	Proxy Server </FONT></FONT>
1032	</P>
1033	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">
1034	with getDelegation() method</FONT></FONT></P>
1035	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">
1036	--></FONT></FONT></P>
1037	<P STYLE="margin-bottom: 0cm">
1038	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><proxyCertLifetime>8</proxyCertLifetime>
1039	<!-- in hours --></FONT></FONT></P>
1040	<P STYLE="margin-bottom: 0cm">
1041	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><SPAN LANG="fr-FR"><caCertFile>$NDGSEC_DIR/conf/certs/cacert.pem</caCertFile></SPAN></FONT></FONT></P>
1042	<P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> </myProxyProp></FONT></FONT></P>
1043	<P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> <simpleCACltProp>
1044	</FONT></FONT>
1045	</P>
1046	<P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">
1047	<uri></uri></FONT></FONT></P>
1048	<P LANG="fr-FR" STYLE="margin-bottom: 0cm">
1049	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><xmlSigKeyFile></xmlSigKeyFile></FONT></FONT></P>
1050	<P LANG="fr-FR" STYLE="margin-bottom: 0cm">
1051	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><xmlSigCertFile></xmlSigCertFile></FONT></FONT></P>
1052	<P LANG="fr-FR" STYLE="margin-bottom: 0cm">
1053	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><xmlSigCertPwd></xmlSigCertPwd></FONT></FONT></P>
1054	<P LANG="fr-FR" STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"></simpleCACltProp></FONT></FONT></P>
1055	<P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> <!--</FONT></FONT></P>
1056	<P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> <simpleCASrvProp></FONT></FONT></P>
1057	<P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">
1058	<certExpiryDate></certExpiryDate></FONT></FONT></P>
1059	<P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">
1060	<certLifetimeDays></certLifetimeDays></FONT></FONT></P>
1061	<P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">
1062	<certTmpDir></certTmpDir></FONT></FONT></P>
1063	<P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">
1064	<caCertFile></caCertFile></FONT></FONT></P>
1065	<P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">
1066	<signExe></signExe></FONT></FONT></P>
1067	<P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">
1068	<path></path></FONT></FONT></P>
1069	<P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> </simpleCASrvProp></FONT></FONT></P>
1070	<P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> --></FONT></FONT></P>
1071	<P LANG="fr-FR" STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><credReposProp></FONT></FONT></P>
1072	<P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">
1073	<modFilePath></modFilePath></FONT></FONT></P>
1074	<P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">
1075	<modName>ndg.security.common.CredWallet</modName></FONT></FONT></P>
1076	<P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">
1077	<className>NullCredRepos</className></FONT></FONT></P>
1078	<P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">
1079	<propFile></propFile></FONT></FONT></P>
1080	<P LANG="fr-FR" STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"></credReposProp></FONT></FONT></P>
1081	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"></sessMgrProp></FONT></FONT></P>
1082	<P>
1083	</P>
1084	</TD>
1085	</TR>
1086	</TABLE>
1087	<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
1088	</P>
1089	<P CLASS="western" ALIGN=JUSTIFY><B>Notes</B></P>
1090	<UL>
1091	<LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB"><FONT FACE="Helvetica, sans-serif">The
1092	property file reading software will expand any environment variables
1093	included in the file.</FONT></SPAN></FONT></P>
1094	<LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">openssl.conf<FONT FACE="Helvetica, sans-serif">
1095	file uses the standard OpenSSL configuration file format. It is
1096	used by the Session Manager MyProxy client to formulate a
1097	certificate request for a proxy certificate generated for a users
1098	session when they login. An example is given below. The important
1099	section to reference is </FONT>[ req_distinguished_name ]</SPAN></FONT></P>
1100	</UL>
1101	<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
1102	</P>
1103	<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1104	<COL WIDTH=610>
1105	<TR>
1106	<TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
1107	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#</FONT></FONT></P>
1108	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#
1109	SSLeay example configuration file.</FONT></FONT></P>
1110	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#
1111	This is mostly being used for generation of certificate requests.</FONT></FONT></P>
1112	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#</FONT></FONT></P>
1113	<P STYLE="margin-bottom: 0cm"><BR>
1114	</P>
1115	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">RANDFILE
1116	= $ENV::HOME/.rnd</FONT></FONT></P>
1117	<P STYLE="margin-bottom: 0cm"><BR>
1118	</P>
1119	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">####################################################################</FONT></FONT></P>
1120	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">[
1121	ca ]</FONT></FONT></P>
1122	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">default_ca
1123	= CA_default # The default ca section</FONT></FONT></P>
1124	<P STYLE="margin-bottom: 0cm"><BR>
1125	</P>
1126	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">####################################################################</FONT></FONT></P>
1127	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">[
1128	CA_default ]</FONT></FONT></P>
1129	<P STYLE="margin-bottom: 0cm"><BR>
1130	</P>
1131	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">dir
1132	= ./demoCA # Where everything is kept</FONT></FONT></P>
1133	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">certs
1134	= $dir/certs # Where the issued certs are
1135	kept</FONT></FONT></P>
1136	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">crl_dir
1137	= $dir/crl # Where the issued crl are kept</FONT></FONT></P>
1138	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">database
1139	= $dir/index.txt # database index file.</FONT></FONT></P>
1140	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">new_certs_dir
1141	= $dir/newcerts # default place for new certs.</FONT></FONT></P>
1142	<P STYLE="margin-bottom: 0cm"><BR>
1143	</P>
1144	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">certificate
1145	= $dir/cacert.pem # The CA certificate</FONT></FONT></P>
1146	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">serial
1147	= $dir/serial # The current serial number</FONT></FONT></P>
1148	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">crl
1149	= $dir/crl.pem # The current CRL</FONT></FONT></P>
1150	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">private_key
1151	= $dir/private/cakey.pem# The private key</FONT></FONT></P>
1152	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">RANDFILE
1153	= $dir/private/.rand # private random number file</FONT></FONT></P>
1154	<P STYLE="margin-bottom: 0cm"><BR>
1155	</P>
1156	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">x509_extensions
1157	= x509v3_extensions # The extentions to add to the cert</FONT></FONT></P>
1158	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">default_days
1159	= 365 # how long to certify for</FONT></FONT></P>
1160	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">default_crl_days=
1161	365 # DEE 30 # how long before next CRL</FONT></FONT></P>
1162	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">default_md
1163	= md5 # which md to use.</FONT></FONT></P>
1164	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">preserve
1165	= no # keep passed DN ordering</FONT></FONT></P>
1166	<P STYLE="margin-bottom: 0cm"><BR>
1167	</P>
1168	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#
1169	A few difference way of specifying how similar the request should
1170	look</FONT></FONT></P>
1171	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#
1172	For type CA, the listed attributes must be the same, and the
1173	optional</FONT></FONT></P>
1174	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#
1175	and supplied fields are just that :-)</FONT></FONT></P>
1176	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">policy
1177	= policy_match</FONT></FONT></P>
1178	<P STYLE="margin-bottom: 0cm"><BR>
1179	</P>
1180	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#
1181	For the CA policy</FONT></FONT></P>
1182	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">[
1183	policy_match ]</FONT></FONT></P>
1184	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">countryName
1185	= optional</FONT></FONT></P>
1186	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">stateOrProvinceName
1187	= optional</FONT></FONT></P>
1188	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">organizationName
1189	= match</FONT></FONT></P>
1190	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">organizationalUnitName
1191	= optional</FONT></FONT></P>
1192	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">commonName
1193	= supplied</FONT></FONT></P>
1194	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">emailAddress
1195	= optional</FONT></FONT></P>
1196	<P STYLE="margin-bottom: 0cm"><BR>
1197	</P>
1198	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#
1199	For the 'anything' policy</FONT></FONT></P>
1200	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#
1201	At this point in time, you must list all acceptable 'object'</FONT></FONT></P>
1202	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#
1203	types.</FONT></FONT></P>
1204	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">[
1205	policy_anything ]</FONT></FONT></P>
1206	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">countryName
1207	= optional</FONT></FONT></P>
1208	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">stateOrProvinceName
1209	= optional</FONT></FONT></P>
1210	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">localityName
1211	= optional</FONT></FONT></P>
1212	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">organizationName
1213	= optional</FONT></FONT></P>
1214	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">organizationalUnitName
1215	= optional</FONT></FONT></P>
1216	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">commonName
1217	= supplied</FONT></FONT></P>
1218	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">emailAddress
1219	= optional</FONT></FONT></P>
1220	<P STYLE="margin-bottom: 0cm"><BR>
1221	</P>
1222	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">####################################################################</FONT></FONT></P>
1223	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">[
1224	req ]</FONT></FONT></P>
1225	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">default_bits
1226	= 1024</FONT></FONT></P>
1227	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">default_keyfile
1228	= privkey.pem</FONT></FONT></P>
1229	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">distinguished_name
1230	= req_distinguished_name</FONT></FONT></P>
1231	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">req_extensions
1232	= v3_req</FONT></FONT></P>
1233	<P STYLE="margin-bottom: 0cm"><BR>
1234	</P>
1235	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">[
1236	req_distinguished_name ]</FONT></FONT></P>
1237	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#
1238	BEGIN CONFIG</FONT></FONT></P>
1239	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">0.organizationName
1240	= Level 0 Organization</FONT></FONT></P>
1241	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">0.organizationName_default
1242	= NDG</FONT></FONT></P>
1243	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">0.organizationalUnitName
1244	= Level 0 Organizational Unit</FONT></FONT></P>
1245	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">0.organizationalUnitName_default
1246	= BADC</FONT></FONT></P>
1247	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#1.organizationalUnitName
1248	= Level 1 Organizational Unit</FONT></FONT></P>
1249	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#1.organizationalUnitName_default
1250	= localdomain</FONT></FONT></P>
1251	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">commonName
1252	= Name (e.g., John M. Smith)</FONT></FONT></P>
1253	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">commonName_max
1254	= 64</FONT></FONT></P>
1255	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#
1256	END CONFIG</FONT></FONT></P>
1257	<P STYLE="margin-bottom: 0cm"><BR>
1258	</P>
1259	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">[
1260	v3_req ]</FONT></FONT></P>
1261	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">nsCertType
1262	= objsign,email,server,client</FONT></FONT></P>
1263	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">basicConstraints
1264	= critical,CA:false</FONT></FONT></P>
1265	<P><BR>
1266	</P>
1267	</TD>
1268	</TR>
1269	</TABLE>
1270	<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
1271	</P>
1272	<H3 CLASS="western"><A NAME="_Ref175134983"></A><A NAME="_Ref179772391"></A><A NAME="4.4.3.SysV-style Boot Script\|outline"></A>
1273	4.4.3 SysV-style Boot Script</H3>
1274	<P CLASS="western" ALIGN=JUSTIFY>The Session Manager can be
1275	configured to start up at system boot of the host machine. A SysV
1276	style start up script <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndg-sm</SPAN></FONT>
1277	is provided in the installation in:</P>
1278	<P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/usr/local/lib/python</SPAN></FONT><python
1279	version num><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/site-packages/ndg_security_server</SPAN></FONT>-<version
1280	info><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">.egg/ndg/security/server/share
1281	</SPAN></FONT>
1282	</P>
1283	<P CLASS="western" ALIGN=JUSTIFY>To configure, install this file:</P>
1284	<TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1285	<COL WIDTH=602>
1286	<TR>
1287	<TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0">
1288	<P STYLE="margin-bottom: 0cm"><BR>
1289	</P>
1290	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1291	cp /usr/local/lib/python<python version
1292	num>/site-packages/ndg_security_server-<version
1293	info>.egg/ndg/security/server<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">
1294	/share/ndg-sm /etc/rc.d/init.d</SPAN></FONT></FONT></P>
1295	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$
1296	chkconfig --add ndg-sm</SPAN></FONT></FONT></P>
1297	<P><BR>
1298	</P>
1299	</TD>
1300	</TR>
1301	</TABLE>
1302	<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
1303	</P>
1304	<P CLASS="western" ALIGN=JUSTIFY>Edit the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndg-sm</SPAN></FONT>
1305	so that it uses the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">NDGSEC_DIR</SPAN></FONT>
1306	environment variable to point to the correct location of the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">.tac</SPAN></FONT>
1307	file in the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">conf/</SPAN></FONT>
1308	directory. User and group ID settings can be made to run under
1309	alternative account to root. If used ensure that <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR</SPAN></FONT>
1310	is set with the necessary permissions to enable access.
1311	</P>
1312	<P CLASS="western" ALIGN=JUSTIFY>Note that the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">chkconfig</SPAN></FONT>
1313	command may not be available on your target machine. Please refer to
1314	instructions for your particular Linux distribution.</P>
1315	<H2 CLASS="western"><A NAME="4.5.Attribute Authority Configuration\|outline"></A>
1316	4.5 Attribute Authority Configuration</H2>
1317	<P CLASS="western" ALIGN=JUSTIFY>The Attribute Authority also has a
1318	properties file for the setting of configuration parameters.</P>
1319	<H3 CLASS="western"><A NAME="4.5.1.Attribute Authority Properties File Settings\|outline"></A>
1320	4.5.1Attribute Authority Properties File Settings</H3>
1321	<P CLASS="western" ALIGN=JUSTIFY>Edit <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">attAuthorityProperties.xml</SPAN></FONT>
1322	in <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/conf</SPAN></FONT>
1323	and modify the default settings:</P>
1324	<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1325	<COL WIDTH=610>
1326	<TR>
1327	<TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
1328	<P STYLE="margin-bottom: 0cm"><BR>
1329	</P>
1330	<P STYLE="margin-bottom: 0cm"><FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><?xml
1331	version="1.0" encoding="utf-8"?></FONT></FONT></P>
1332	<P STYLE="margin-bottom: 0cm"><FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><AAprop></FONT></FONT></P>
1333	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><!--
1334	</FONT></FONT>
1335	</P>
1336	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">'name'
1337	setting MUST agree with map config file 'thisHost' name attribute</FONT></FONT></P>
1338	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--></FONT></FONT></P>
1339	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><name>Organisation
1340	Identifier</name> </FONT></FONT>
1341	</P>
1342	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><portNum>SELECT
1343	A SUITABLE PORT NUMBER FOR RUNNING THE SERVICE</portNum></FONT></FONT></P>
1344	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><!--</FONT></FONT></P>
1345	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">PKI
1346	settings for transport level encryption</FONT></FONT></P>
1347	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--></FONT></FONT></P>
1348	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><useSSL></useSSL>
1349	<!-- leave blank to use http --></FONT></FONT></P>
1350	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><sslCertFile></sslCertFile></FONT></FONT></P>
1351	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><sslKeyFile></sslKeyFile></FONT></FONT></P>
1352	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><sslKeyPwd></sslKeyPwd></FONT></FONT></P>
1353	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Lucida Console, DejaVu Sans Mono, sans-serif"><!--
1354	<BR> Directory containing CA cert.s to verify SSL peer cert
1355	against - ignored if useSSL is blank --><BR>
1356	<sslCACertDir>$NDGSEC_DIR/conf/certs/ca</sslCACertDir><BR></FONT>
1357	<!--</FONT></FONT></P>
1358	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">PKI
1359	settings for signature of outbound SOAP messages</FONT></FONT></P>
1360	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--></FONT></FONT></P>
1361	<P STYLE="margin-bottom: 0cm">
1362	<FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><useSignatureHandler>Yes</useSignatureHandler>
1363	<!-- leave blank for no signature --></FONT></FONT></P>
1364	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, sans-serif"><FONT SIZE=2 STYLE="font-size: 9pt"><!--
1365	</FONT></FONT>
1366	</P>
1367	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Lucida Console, DejaVu Sans Mono, sans-serif">CA
1368	Certificates used to verify X.509 certs used in peer SOAP
1369	messages,<BR> SSL connections and Attribute Certificates<BR>
1370	--><BR> <caCertFileList><BR>
1371	<caCertFile>$NDGSEC_DIR/conf/certs/cacert.pem</caCertFile><BR>
1372	</caCertFileList><BR></FONT>
1373	<keyFile>$NDGSEC_DIR/conf/certs/aa-key.pem </keyFile></FONT></FONT></P>
1374	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><keyPwd></keyPwd></FONT></FONT></P>
1375	<P STYLE="margin-bottom: 0cm">
1376	<FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><caCertFile>$NDGSEC_DIR/conf/certs/cacert.pem
1377	</caCertFile></FONT></FONT></P>
1378	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><!--
1379	</FONT></FONT>
1380	</P>
1381	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">Set
1382	the certificate used to verify the signature of messages from the </FONT></FONT>
1383	</P>
1384	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">client.
1385	This can usually be left blank since the client is expected to </FONT></FONT>
1386	</P>
1387	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">include
1388	the cert with the signature in the inbound SOAP message</FONT></FONT></P>
1389	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--></FONT></FONT></P>
1390	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><clntCertFile></clntCertFile>
1391	</FONT></FONT>
1392	</P>
1393	<P STYLE="margin-bottom: 0cm">
1394	<FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><attCertLifetime>86400</attCertLifetime>
1395	<!-- Measured in seconds --></FONT></FONT></P>
1396	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><!--
1397	</FONT></FONT>
1398	</P>
1399	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">Allow
1400	an offset for clock skew between servers running </FONT></FONT>
1401	</P>
1402	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">security
1403	services. - Use minus sign for time in the past</FONT></FONT></P>
1404	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--></FONT></FONT></P>
1405	<P STYLE="margin-bottom: 0cm">
1406	<FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><attCertNotBeforeOff>0</attCertNotBeforeOff></FONT></FONT></P>
1407	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><!--
1408	Location of role mapping file --></FONT></FONT></P>
1409	<P STYLE="margin-bottom: 0cm">
1410	<FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><mapConfigFile>$NDGSEC_DIR/conf/mapConfig.xml</mapConfigFile></FONT></FONT></P>
1411	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><!--
1412	All Attribute Certificates issued are recorded in this dir --></FONT></FONT></P>
1413	<P STYLE="margin-bottom: 0cm">
1414	<FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><attCertDir>$NDGSEC_DIR/conf/attCertLog</attCertDir></FONT></FONT></P>
1415	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><!--
1416	</FONT></FONT>
1417	</P>
1418	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">Files
1419	in attCertDir are stored using a rotating file handler</FONT></FONT></P>
1420	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">attCertFileLogCnt
1421	sets the max number of files created before the first is</FONT></FONT></P>
1422	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">overwritten</FONT></FONT></P>
1423	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--></FONT></FONT></P>
1424	<P STYLE="margin-bottom: 0cm">
1425	<FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><attCertFileName>ac.xml</attCertFileName></FONT></FONT></P>
1426	<P STYLE="margin-bottom: 0cm">
1427	<FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><attCertFileLogCnt>1024</attCertFileLogCnt></FONT></FONT></P>
1428	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><dnSeparator>/</dnSeparator></FONT></FONT></P>
1429	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><!--
1430	</FONT></FONT>
1431	</P>
1432	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">Settings
1433	for custom AAUserRoles derived class to get user roles for</FONT></FONT></P>
1434	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">given
1435	user ID</FONT></FONT></P>
1436	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--></FONT></FONT></P>
1437	<P STYLE="margin-bottom: 0cm">
1438	<FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><userRolesModFilePath>$NDGSEC_DIR/conf</userRolesModFilePath></FONT></FONT></P>
1439	<P STYLE="margin-bottom: 0cm">
1440	<FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><userRolesModName>userRoles</userRolesModName></FONT></FONT></P>
1441	<P STYLE="margin-bottom: 0cm">
1442	<FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><userRolesClassName>UserRoles</userRolesClassName></FONT></FONT></P>
1443	<P STYLE="margin-bottom: 0cm">
1444	<FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><userRolesPropFile>$NDGSEC_DIR/conf/userRoles.cfg</userRolesPropFile></FONT></FONT></P>
1445	<P STYLE="margin-bottom: 0cm"><FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"></AAprop></FONT></FONT></P>
1446	<P>
1447	</P>
1448	</TD>
1449	</TR>
1450	</TABLE>
1451	<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
1452	</P>
1453	<H3 CLASS="western"><A NAME="4.5.2.User Roles Interface\|outline"></A>4.5.2
1454	User Roles Interface</H3>
1455	<P CLASS="western" ALIGN=JUSTIFY>The Attribute Authority given a
1456	valid user proxy certificate serves an attribute certificate
1457	containing authorisation roles for that user. It is for the data
1458	centre to determine how these roles map to the users identity as
1459	given by their Distinguished Name given in the proxy certificate.
1460	Typically, a data centre might have a user database which relates
1461	user id to authorisation roles.</P>
1462	<P CLASS="western" ALIGN=JUSTIFY>The Attribute Authority provides a
1463	programmatic interface to determine the roles to user id
1464	relationship. A custom python class may be written to perform this
1465	task. See the Appendices section 5.5.</P>
1466	<H3 CLASS="western"><A NAME="4.5.3.Role Mapping\|outline"></A>4.5.3
1467	Role Mapping</H3>
1468	<P CLASS="western" ALIGN=JUSTIFY>The role mapping file is stored in
1469	the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/conf</SPAN></FONT>
1470	directory as <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">mapConfig.xml</SPAN></FONT>.
1471	This is an XML file which relates local roles at the target data
1472	centre to roles of other trusted data centres. These role mapping
1473	are made by agreement between data centres.</P>
1474	<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1475	<COL WIDTH=610>
1476	<TR>
1477	<TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
1478	<P STYLE="margin-bottom: 0cm"><BR>
1479	</P>
1480	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><?xml
1481	version="1.0" encoding="utf-8"?></FONT></P>
1482	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><AAmap></FONT></P>
1483	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><thisHost
1484	name="yourSiteIdentifier"></FONT></P>
1485	<P STYLE="margin-bottom: 0cm">
1486	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><aaURI>yourSiteAttAuthorityURI</aaURI></FONT></P>
1487	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><aaDN>the
1488	DN for the Attribute Authorityâs X.509 Cert.</aaDN></FONT></P>
1489	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><loginURI>Your
1490	Site Login Page URI (https expected)</loginURI></FONT></P>
1491	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><loginServerDN>The
1492	DN of loginURIâs SSL cert.</loginServerDN></FONT></P>
1493	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><loginRequestServerDN></FONT></P>
1494	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">The
1495	cert. DN for SSL server making a request to loginURI</FONT></P>
1496	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"></loginRequestServerDN></FONT></P>
1497	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"></thisHost></FONT></P>
1498	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><trusted
1499	name="BODC"></FONT></P>
1500	<P STYLE="margin-bottom: 0cm">
1501	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><aaURI>bodcAttAuthorityURI</aaURI></FONT></P>
1502	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><aaDN>the
1503	DN for the Attribute Authorityâs X.509 Cert.</aaDN></FONT></P>
1504	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><loginURI>BODCâs
1505	Login Page URI</loginURI></FONT></P>
1506	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><loginServerDN>The
1507	DN of loginURIâs SSL cert.</loginServerDN></FONT></P>
1508	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><loginRequestServerDN></FONT></P>
1509	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">The
1510	cert. DN for SSL server making a request to loginURI</FONT></P>
1511	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"></loginRequestServerDN></FONT></P>
1512	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><role
1513	remote="aBODCrole" local="aLocalRole"/></FONT></P>
1514	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"></trusted></FONT></P>
1515	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><trusted
1516	name="NOCS"></FONT></P>
1517	<P STYLE="margin-bottom: 0cm">
1518	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><aaURI>nocsAttAuthorityURI</aaURI></FONT></P>
1519	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><aaDN>the
1520	DN for the Attribute Authorityâs X.509 Cert.</aaDN></FONT></P>
1521	<P STYLE="margin-bottom: 0cm">
1522	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><loginURI>nocsLoginPageURI</loginURI></FONT></P>
1523	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><loginServerDN>The
1524	DN of loginURIâs SSL cert.</loginServerDN></FONT></P>
1525	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><loginRequestServerDN></FONT></P>
1526	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">The
1527	cert. DN for SSL server making a request to loginURI</FONT></P>
1528	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"></loginRequestServerDN></FONT></P>
1529	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><role
1530	remote="aNOCSrole" local="anotherLocalRole"/></FONT></P>
1531	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"></trusted></FONT></P>
1532	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><trusted
1533	name="NEODAAS"></FONT></P>
1534	<P STYLE="margin-bottom: 0cm">
1535	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><aaURI>neodaasAttAuthorityURI</aaURI></FONT></P>
1536	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><aaDN>the
1537	DN for the Attribute Authorityâs X.509 Cert.</aaDN></FONT></P>
1538	<P STYLE="margin-bottom: 0cm">
1539	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><loginURI>neodaasLoginPageURI</loginURI></FONT></P>
1540	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><loginServerDN>The
1541	DN of loginURIâs SSL cert.</loginServerDN></FONT></P>
1542	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><loginRequestServerDN></FONT></P>
1543	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">The
1544	cert. DN for SSL server making a request to loginURI</FONT></P>
1545	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"></loginRequestServerDN></FONT></P>
1546	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><role
1547	remote="neodaasRole" local="yetAnotherLocalRole"/></FONT></P>
1548	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"></trusted></FONT></P>
1549	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"></AAmap></FONT></P>
1550	<P STYLE="margin-bottom: 0cm"><BR>
1551	</P>
1552	<P><BR>
1553	</P>
1554	</TD>
1555	</TR>
1556	</TABLE>
1557	<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
1558	</P>
1559	<P CLASS="western" ALIGN=JUSTIFY>The map file contains an entry for
1560	each site that the Attribute Authority trusts. These are listed
1561	using the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">trusted</SPAN></FONT>
1562	element name. The Attribute Authority identifies itself with the
1563	similar <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">thisHost</SPAN></FONT>
1564	element. Each uses a name attribute to uniquely identify the
1565	organisation. The example above shows a BADC map file which trusts
1566	the organisations BODC, NOCS and NEODAAS.</P>
1567	<P CLASS="western" ALIGN=JUSTIFY>Note that the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">thisHost
1568	name </SPAN></FONT>attribute should match the name element in the
1569	corresponding <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">attAuthorityProperties.xml</SPAN></FONT>
1570	file. <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">name</SPAN></FONT>
1571	is copied as the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">issuerName</SPAN></FONT>
1572	used in Attribute Certificates issued by the Attribute Authority.</P>
1573	<P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">thisHost</SPAN></FONT>
1574	and trusted elements share all the same sub-elements barring role.
1575	</P>
1576	<UL>
1577	<LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">aaURI</SPAN></FONT>
1578	â this is the address of the Attribute Authority</P>
1579	<LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">aaDN</SPAN></FONT>
1580	â the Distinguished Name of the Attribute Authorityâs X.509
1581	certificate (not currently used)</P>
1582	<LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">loginURI</SPAN></FONT>
1583	â the address of the Login Service
1584	</P>
1585	<LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">loginServerDN</SPAN></FONT>
1586	â the Distinguished Name of the X.509 certificate held by the
1587	Login Service for SSL connections. It is expected that the Login
1588	Service is run over https to protect the privacy of login
1589	credentials. This field is not currently used.</P>
1590	<LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">loginRequestServerDN</SPAN></FONT>
1591	â on request for secured credentials a service provider enables
1592	the user to redirect to their chosen Login Service at another
1593	trusted site. The on successful authentication the Login Service
1594	can return the user back to the service provider to enable them to
1595	continue with their request. This return to address must be over
1596	https to enable credentials to be encrypted for the transit but also
1597	to validate service provider host making the request. The Login
1598	Service carries this out by checking the SSL certificate of the
1599	service provider host and checking its Distinguished Name against
1600	the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">loginRequestServerDN</SPAN></FONT>
1601	entries for the organisations it trusts.</P>
1602	<LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">role</SPAN></FONT>
1603	â this element is used to express an individual role mapping. The
1604	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">local</SPAN></FONT>
1605	attribute refers to a role <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">thisHost</SPAN></FONT>
1606	supports. The <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">remote</SPAN></FONT>
1607	attribute is assigned to the role of the trusted organisation it
1608	maps to. It is possible to have multiple role entries. One local
1609	role may map to many remote roles and vice versa: one remote role
1610	may map to many local roles.</P>
1611	</UL>
1612	<H3 CLASS="western"><A NAME="4.5.4.Twisted Python server .tac file\|outline"></A>
1613	4.5.4 Twisted Python server .tac file</H3>
1614	<P CLASS="western" ALIGN=JUSTIFY>Copy this from the
1615	ndg_security_server to the NDG security conf/ area:</P>
1616	<TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1617	<COL WIDTH=602>
1618	<TR>
1619	<TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0">
1620	<P STYLE="margin-bottom: 0cm"><BR>
1621	</P>
1622	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1623	cp /usr/local/lib/python<python version
1624	num>/site-packages/ndg_security_server-<version
1625	info>.egg/ndg/security/server/server-config.tac<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">
1626	$NDGSEC_DIR/conf</SPAN></FONT></FONT></P>
1627	<P><BR>
1628	</P>
1629	</TD>
1630	</TR>
1631	</TABLE>
1632	<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
1633	</P>
1634	<H3 CLASS="western"><A NAME="_Ref179772414"></A><A NAME="4.5.5.SysV-style Boot Script\|outline"></A>
1635	4.5.5 SysV-style Boot Script</H3>
1636	<P CLASS="western" ALIGN=JUSTIFY>As with the Session Manager, the
1637	Attribute Authority can be configured to start up at system boot of
1638	the host machine. A SysV style start up script <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndg-aa</SPAN></FONT>
1639	is provided in the installation in:</P>
1640	<P CLASS="western" ALIGN=JUSTIFY>/usr/local/lib/python<python
1641	version num>/site-packages/ndg_security_server-<version
1642	info>.egg/ndg/security/server/<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">share</SPAN></FONT>
1643
1644	</P>
1645	<P CLASS="western" ALIGN=JUSTIFY>To configure, install this file:</P>
1646	<TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1647	<COL WIDTH=602>
1648	<TR>
1649	<TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0">
1650	<P STYLE="margin-bottom: 0cm"><BR>
1651	</P>
1652	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1653	cp /usr/local/lib/python<python version
1654	num>/site-packages/ndg_security_server-<version
1655	info>.egg/ndg/security/server<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">
1656	/share/ndg-aa /etc/rc.d/init.d</SPAN></FONT></FONT></P>
1657	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$
1658	chkconfig --add ndg-aa</SPAN></FONT></FONT></P>
1659	<P><BR>
1660	</P>
1661	</TD>
1662	</TR>
1663	</TABLE>
1664	<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
1665	</P>
1666	<P CLASS="western" ALIGN=JUSTIFY>Edit the ndg-aa so that it uses the
1667	NDGSEC_DIR environment variable to point to the correct location of
1668	the .tac file in the conf/ directory. User and group ID settings can
1669	be made to run under alternative account to root. If used ensure
1670	that $NDGSEC_DIR is set with the necessary permissions to enable
1671	access.
1672	</P>
1673	<P CLASS="western" ALIGN=JUSTIFY>If required, add any additional
1674	environment settings required to connect to a user database.</P>
1675	<H2 CLASS="western"><A NAME="4.6.Python Unit Tests\|outline"></A>4.6
1676	Python Unit Tests</H2>
1677	<P CLASS="western" ALIGN=JUSTIFY>Python unit test scripts are
1678	provided to enable the system to be checked to confirm that it is
1679	running correctly. These are located in the ndg_security_test egg
1680	in the site-packages/ directory of the python installation.</P>
1681	<P CLASS="western" ALIGN=JUSTIFY><todo: ></P>
1682	<H2 CLASS="western"><A NAME="4.7. MyProxy\|outline"></A>4.7 MyProxy</H2>
1683	<H3 CLASS="western"><A NAME="4.7.1. MyProxy and NDG Security Background\|outline"></A>
1684	4.7.1 MyProxy and NDG Security Background</H3>
1685	<P CLASS="western" ALIGN=JUSTIFY>NDG Security makes use of MyProxy
1686	from the Globus toolkit to enable the use of individual user X.509
1687	certificates to secure messages in transactions. For example, to
1688	request an Attribute Certificate from an Attribute Authority the
1689	request can be signed using the user's certificate to enable the
1690	Attribute Authority to authenticate it.</P>
1691	<P CLASS="western" ALIGN=JUSTIFY>MyProxy is a flexible and can be
1692	configured to run in a number of different modes or combination of
1693	modes:</P>
1694	<OL>
1695	<LI><P CLASS="western" ALIGN=JUSTIFY>users can upload a proxy to
1696	their personal user certificate for storage in the MyProxy
1697	repository for later use in delegation
1698	</P>
1699	<LI><P CLASS="western" ALIGN=JUSTIFY>Personal user certificates
1700	issued by a CA can by stored in the repository.</P>
1701	<LI><P CLASS="western" ALIGN=JUSTIFY>MyProxy can be run with the
1702	Globus SimpleCA package issuing certificates dynamically based on a
1703	callout to some external authentication system. MyProxy has basic
1704	support for PAM (Pluggable Authentication Module) and SASL (<SPAN STYLE="font-style: normal">Simple
1705	Authentication and Security Layer).</SPAN></P>
1706	</OL>
1707	<P CLASS="western" ALIGN=JUSTIFY>3) is the preferred mode for NDG
1708	deployments as typically NDG partners have existing user databases
1709	against which their users authenticate. MyProxy can be configured
1710	to query the database with username/password via PAM/SASL.
1711	</P>
1712	<P CLASS="western" ALIGN=JUSTIFY>MyProxy runs as a service
1713	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy-server</SPAN></FONT>
1714	on its host machine and user credentials are held in a directory on
1715	the file system. It is important to secure the host to ensure the
1716	credentials are not compromised.
1717	</P>
1718	<H3 CLASS="western"><A NAME="4.7.2. MyProxy user account and the repository location considerations\|outline"></A>
1719	4.7.2 MyProxy user account and the repository location considerations</H3>
1720	<P CLASS="western" ALIGN=JUSTIFY>MyProxy may be installed as root or
1721	using a separate user account. The latter provides an extra degree
1722	of security but for use with PAM, the MyProxy must be installed and
1723	run as root. Note that the MyProxy repository will be in a standard
1724	location.
1725	</P>
1726	<UL>
1727	<LI><P CLASS="western" ALIGN=JUSTIFY>If MyProxy is installed as
1728	root, this is <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/var/myproxy</SPAN></FONT>.
1729
1730	</P>
1731	<LI><P CLASS="western" ALIGN=JUSTIFY>If installed as under an
1732	alternative user account, <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$GLOBUS_LOCATION/var/myproxy</SPAN></FONT>.
1733
1734	</P>
1735	</UL>
1736	<P CLASS="western" ALIGN=JUSTIFY>When run in mode 3) the repository
1737	is not used since all credentials are generated dynamically on a
1738	successful MyProxy logon request. It is possible to explicitly define
1739	an alternate location but this can only be done by providing a
1740	command line argument to <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy-server</SPAN></FONT>.
1741	Note that this might be visible in the process list of the host
1742	machine as output from<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">
1743	ps</SPAN></FONT>. This could be avoided by running <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy-server</SPAN></FONT>
1744	with <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">xinetd
1745	</SPAN></FONT>(See 4.7.10.1).</P>
1746	<P CLASS="western" ALIGN=LEFT>This guide assumes installation as
1747	root.
1748	</P>
1749	<H3 CLASS="western"><A NAME="4.7.3. Installation\|outline"></A>4.7.3
1750	Installation</H3>
1751	<P CLASS="western">MyProxy is available with Globus. Version 4.0.5
1752	distribution is recommended for use with the NDG Security software.
1753	<FONT FACE="Helvetica, sans-serif"><SPAN LANG="en-GB">C and C++
1754	development packages are needed for the build.</SPAN></FONT></P>
1755	<H4 CLASS="western">4.7.3.1 PAM Dependencies</H4>
1756	<P CLASS="western">A binary version is available but it is
1757	recommended to build and install from the source code to include PAM
1758	dependencies (<A HREF="http://grid.ncsa.uiuc.edu/myproxy/pam.html">http://grid.ncsa.uiuc.edu/myproxy/pam.html</A>).
1759	To check, there should be a <CODE><FONT FACE="Helvetica, sans-serif">pam_appl.h
1760	header file either in /usr/include/security or /usr/include/pam.</FONT></CODE></P>
1761	<P CLASS="western"><CODE><FONT FACE="Helvetica, sans-serif">If they
1762	are not present, they can be installed with the PAM development
1763	package for your Linux distribution â e.g. pam-devel (Redhat) or
1764	libpam*-dev (Debian based).</FONT></CODE></P>
1765	<P CLASS="western"><CODE><FONT FACE="Helvetica, sans-serif">Due to a
1766	limitation in PAM, MyProxy must be built and installed under the
1767	system root account.</FONT></CODE></P>
1768	<H4 CLASS="western">4.7.3.2<CODE><FONT FACE="Helvetica, sans-serif">
1769	Build</FONT></CODE></H4>
1770	<P CLASS="western"><CODE><FONT FACE="Helvetica, sans-serif">The code
1771	can be downloaded from </FONT><FONT COLOR="#0000ff"><U><A HREF="http://www.globus.org/toolkit/downloads/4.0.1/"><FONT FACE="Helvetica, sans-serif">http://www.globus.org/toolkit/downloads/4.0.5</FONT></A></U></FONT></CODE></P>
1772	<P CLASS="western" ALIGN=JUSTIFY>Note that it is possible to set a
1773	target for <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">make
1774	</SPAN></FONT>so that only the MyProxy components of Globus are
1775	built. Click on the link for the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">gt4.0.5-all-source-installer</FONT>
1776	tarball. Extract the files and change to the
1777	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">gt4.0.5-all-source-installer/</FONT>
1778	directory created.</P>
1779	<P CLASS="western" ALIGN=JUSTIFY>Configure the build settings. The
1780	default installation location is /usr/local/globus-4.0.5. Use
1781	âprefix=<dir path> command line option to specify an
1782	alternative location for the installation.</P>
1783	<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1784	<COL WIDTH=596>
1785	<TR>
1786	<TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6">
1787	<P STYLE="margin-bottom: 0cm"><BR>
1788	</P>
1789	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1790	./configure </FONT>
1791	</P>
1792	<P><BR>
1793	</P>
1794	</TD>
1795	</TR>
1796	</TABLE>
1797	<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
1798	</P>
1799	<P CLASS="western" ALIGN=JUSTIFY>Compile and install MyProxy:</P>
1800	<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1801	<COL WIDTH=596>
1802	<TR>
1803	<TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6">
1804	<P STYLE="margin-bottom: 0cm"><BR>
1805	</P>
1806	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1807	make gsi-myproxy postinstall</FONT></P>
1808	<P><BR>
1809	</P>
1810	</TD>
1811	</TR>
1812	</TABLE>
1813	<P STYLE="margin-bottom: 0cm"><BR>
1814	</P>
1815	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Helvetica, sans-serif"><SPAN LANG="en-GB">When
1816	running</SPAN></FONT> ./configure <FONT FACE="Helvetica, sans-serif"><SPAN LANG="en-GB">you
1817	may see an error if the </SPAN></FONT>JAVA_HOME<FONT FACE="Helvetica, sans-serif"><SPAN LANG="en-GB">
1818	environment variable is not set. This can be ignored because Java is
1819	not required for the MyProxy build.</SPAN></FONT></FONT></P>
1820	<P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm">
1821	</P>
1822	<P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm"><FONT FACE="Helvetica, sans-serif"><SPAN LANG="en-GB">If
1823	you encounter errors with the build you can trobuleshoot by checking
1824	config.log in the BUILD/globus_core-* or source-trees/core/source
1825	directories.</SPAN></FONT></P>
1826	<P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm"><BR>
1827	</P>
1828	<P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm"><FONT FACE="Helvetica, sans-serif"><SPAN LANG="en-GB">Verify
1829	myproxy has built with PAM support by running the command:</SPAN></FONT></P>
1830	<P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm"><BR>
1831	</P>
1832	<P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm"><BR>
1833	</P>
1834	<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1835	<COL WIDTH=596>
1836	<TR>
1837	<TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6">
1838	<P STYLE="margin-bottom: 0cm"><BR>
1839	</P>
1840	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1841	/usr/local/globus-4.0.5/sbin/myproxy-server -V</FONT></P>
1842	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">myproxy-server
1843	version MYPROXYv2 (v3.7 12 Dec 2006 PAM)</FONT></P>
1844	<P><BR>
1845	</P>
1846	</TD>
1847	</TR>
1848	</TABLE>
1849	<P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm"><BR>
1850	</P>
1851	<P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm"><FONT FACE="Helvetica, sans-serif"><SPAN LANG="en-GB">If
1852	'PAM' is included in the output as above then the executable has
1853	built correctly to include PAM support.</SPAN></FONT></P>
1854	<P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm"><BR>
1855	</P>
1856	<H3 CLASS="western"><A NAME="4.7.4. SimpleCA Installation\|outline"></A>
1857	4.7.4 SimpleCA Installation</H3>
1858	<P CLASS="western" ALIGN=JUSTIFY>Reference:
1859	</P>
1860	<P CLASS="western" ALIGN=JUSTIFY><A HREF="http://www-unix.globus.org/toolkit/docs/4.0/security/simpleca/admin-index.html#s-simpleca-admin-installing">http://www-unix.globus.org/toolkit/docs/4.0/security/simpleca/admin-index.html#s-simpleca-admin-installing</A></P>
1861	<P CLASS="western" ALIGN=JUSTIFY>The SimpleCA can be set up under a
1862	dedicated user account but this user must have read/write permissions
1863	to the Globus MyProxy installation location. For simplicity, this
1864	guide assumes installation for MyProxy and the SimpleCA under root.</P>
1865	<P CLASS="western" ALIGN=JUSTIFY>To install first initialise the
1866	environment settings (These may be added to the appropriate start-up
1867	file e.g. .bashrc):</P>
1868	<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1869	<COL WIDTH=596>
1870	<TR>
1871	<TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6">
1872	<P LANG="fr-FR" STYLE="margin-bottom: 0cm"><BR>
1873	</P>
1874	<P LANG="fr-FR"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1875	export GLOBUS_LOCATION=/usr/local/globus-4.0.5<BR>$ export
1876	GPT_LOCATION=$GLOBUS_LOCATION<BR>$ .
1877	$GLOBUS_LOCATION/etc/globus-user-env.sh</FONT></P>
1878	</TD>
1879	</TR>
1880	</TABLE>
1881	<P><BR><BR>
1882	</P>
1883	<P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Installation
1884	script:</FONT></P>
1885	<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1886	<COL WIDTH=596>
1887	<TR>
1888	<TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6">
1889	<P LANG="fr-FR" STYLE="margin-bottom: 0cm"><BR>
1890	</P>
1891	<P LANG="fr-FR"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1892	$GLOBUS_LOCATION/setup/globus/setup-simple-ca</FONT></P>
1893	</TD>
1894	</TR>
1895	</TABLE>
1896	<P CLASS="western" ALIGN=LEFT><BR><BR>
1897	</P>
1898	<P CLASS="western" ALIGN=LEFT>You will be prompted for the following
1899	information:</P>
1900	<OL>
1901	<LI><P CLASS="western" ALIGN=LEFT>Subject Name: When prompted, type
1902	'n' to override the default and set an appropriate subject name for
1903	the CA for your organisation. O = Organisation Name, OU =
1904	Organisational Unit (you can set more than one), CN = the Common
1905	Name i.e. the name of the Certificate Authority. For
1906	example,<BR><BR>/O=STFC/OU=Rutherford Appleton
1907	Laboratory/OU=Testing/CN=CA<BR><BR>could be the Certificate
1908	Authorityâs subject for a CA for the Space Science and Technology
1909	Department at Rutherford Appleton Laboratory which is part of the
1910	Science and Technology Facilities Council.</P>
1911	<LI><P CLASS="western" ALIGN=LEFT>e-mail Address: the contact
1912	address for certificate requests. If you are using the CA for
1913	MyProxy only you will probably not need this facility. You could
1914	enter globus@<target host> or some suitable administrative
1915	contact</P>
1916	<LI><P CLASS="western" ALIGN=LEFT>CA Certificate Expiry Date: Press
1917	enter to accept the default of five years, otherwise override and
1918	enter your required period.</P>
1919	<LI><P CLASS="western" ALIGN=LEFT>PEM Pass phrase: this is the
1920	password that will protect the CA's private key file. It will need
1921	to be entered in MyProxy's configuration file to enable MyProxy to
1922	dynamically issue certificates.</P>
1923	</OL>
1924	<P CLASS="western" ALIGN=LEFT>A message will appear indicating that
1925	the set-up has completed and confirming the subject chosen for your
1926	certificate and the location of certificate and private key:</P>
1927	<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
1928	<COL WIDTH=596>
1929	<TR>
1930	<TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6">
1931	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
1932	$GLOBUS_LOCATION/setup/globus/setup-simple-ca</FONT></P>
1933	<P STYLE="margin-bottom: 0cm"><BR>
1934	</P>
1935	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">C
1936	e r t i f i c a t e A u t h o r i t y S e t u p</FONT></P>
1937	<P STYLE="margin-bottom: 0cm"><BR>
1938	</P>
1939	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">This
1940	script will setup a Certificate Authority for signing Globus</FONT></P>
1941	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">users
1942	certificates. It will also generate a simple CA package</FONT></P>
1943	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">that
1944	can be distributed to the users of the CA.</FONT></P>
1945	<P STYLE="margin-bottom: 0cm"><BR>
1946	</P>
1947	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">The
1948	CA information about the certificates it distributes will</FONT></P>
1949	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">be
1950	kept in:</FONT></P>
1951	<P STYLE="margin-bottom: 0cm"><BR>
1952	</P>
1953	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">/root/.globus/simpleCA/</FONT></P>
1954	<P STYLE="margin-bottom: 0cm"><BR>
1955	</P>
1956	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">The
1957	unique subject name for this CA is:</FONT></P>
1958	<P STYLE="margin-bottom: 0cm"><BR>
1959	</P>
1960	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">cn=Globus
1961	Simple CA, ou=simpleCA-gabriel, ou=GlobusTest, o=Grid</FONT></P>
1962	<P STYLE="margin-bottom: 0cm"><BR>
1963	</P>
1964	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Do
1965	you want to keep this as the CA subject (y/n) [y]:n</FONT></P>
1966	<P STYLE="margin-bottom: 0cm"><BR>
1967	</P>
1968	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Enter
1969	a unique subject name for this CA:cn=CA, ou=BADC, ou=Gabriel,
1970	o=NDG</FONT></P>
1971	<P STYLE="margin-bottom: 0cm"><BR>
1972	</P>
1973	<P STYLE="margin-bottom: 0cm"><BR>
1974	</P>
1975	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Enter
1976	the email of the CA (this is the email where certificate</FONT></P>
1977	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">requests
1978	will be sent to be signed by the CA):p.j.kershaw@rl.ac.uk</FONT></P>
1979	<P STYLE="margin-bottom: 0cm"><BR>
1980	</P>
1981	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">The
1982	CA certificate has an expiration date. Keep in mind that</FONT></P>
1983	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">once
1984	the CA certificate has expired, all the certificates</FONT></P>
1985	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">signed
1986	by that CA become invalid. A CA should regenerate</FONT></P>
1987	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">the
1988	CA certificate and start re-issuing ca-setup packages</FONT></P>
1989	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">before
1990	the actual CA certificate expires. This can be done</FONT></P>
1991	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">by
1992	re-running this setup script. Enter the number of DAYS</FONT></P>
1993	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">the
1994	CA certificate should last before it expires.</FONT></P>
1995	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">[default:
1996	5 years (1825 days)]:</FONT></P>
1997	<P STYLE="margin-bottom: 0cm"><BR>
1998	</P>
1999	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Enter
2000	PEM pass phrase:</FONT></P>
2001	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Verifying
2002	- Enter PEM pass phrase:</FONT></P>
2003	<P STYLE="margin-bottom: 0cm"><BR>
2004	</P>
2005	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">creating
2006	CA config package...done.</FONT></P>
2007	<P STYLE="margin-bottom: 0cm"><BR>
2008	</P>
2009	<P STYLE="margin-bottom: 0cm"><BR>
2010	</P>
2011	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">A
2012	self-signed certificate has been generated</FONT></P>
2013	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">for
2014	the Certificate Authority with the subject:</FONT></P>
2015	<P STYLE="margin-bottom: 0cm"><BR>
2016	</P>
2017	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">/O=NDG/OU=Gabriel/OU=BADC/CN=CA</FONT></P>
2018	<P STYLE="margin-bottom: 0cm"><BR>
2019	</P>
2020	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">If
2021	this is invalid, rerun this script</FONT></P>
2022	<P STYLE="margin-bottom: 0cm"><BR>
2023	</P>
2024	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">/usr/local/gt4.0.5/setup/globus/setup-simple-ca</FONT></P>
2025	<P STYLE="margin-bottom: 0cm"><BR>
2026	</P>
2027	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">and
2028	enter the appropriate fields.</FONT></P>
2029	<P STYLE="margin-bottom: 0cm"><BR>
2030	</P>
2031	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">-------------------------------------------------------------------</FONT></P>
2032	<P STYLE="margin-bottom: 0cm"><BR>
2033	</P>
2034	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">The
2035	private key of the CA is stored in
2036	/root/.globus/simpleCA//private/cakey.pem</FONT></P>
2037	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">The
2038	public CA certificate is stored in
2039	/root/.globus/simpleCA//cacert.pem</FONT></P>
2040	<P STYLE="margin-bottom: 0cm"><BR>
2041	</P>
2042	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">The
2043	distribution package built for this CA is stored in</FONT></P>
2044	<P STYLE="margin-bottom: 0cm"><BR>
2045	</P>
2046	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">/root/.globus/simpleCA//globus_simple_ca_2cba3376_setup-0.19.tar.gz</FONT></P>
2047	<P STYLE="margin-bottom: 0cm"><BR>
2048	</P>
2049	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">This
2050	file must be distributed to any host wishing to request</FONT></P>
2051	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">certificates
2052	from this CA.</FONT></P>
2053	<P STYLE="margin-bottom: 0cm"><BR>
2054	</P>
2055	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">CA
2056	setup complete.</FONT></P>
2057	<P STYLE="margin-bottom: 0cm"><BR>
2058	</P>
2059	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">The
2060	following commands will now be run to setup the security</FONT></P>
2061	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">configuration
2062	files for this CA:</FONT></P>
2063	<P STYLE="margin-bottom: 0cm"><BR>
2064	</P>
2065	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$GLOBUS_LOCATION/sbin/gpt-build
2066	/root/.globus/simpleCA//globus_simple_ca_2cba3376_setup-0.19.tar.gz</FONT></P>
2067	<P STYLE="margin-bottom: 0cm"><BR>
2068	</P>
2069	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$GLOBUS_LOCATION/sbin/gpt-postinstall</FONT></P>
2070	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">-------------------------------------------------------------------</FONT></P>
2071	<P STYLE="margin-bottom: 0cm"><BR>
2072	</P>
2073	<P STYLE="margin-bottom: 0cm"><BR>
2074	</P>
2075	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">setup-ssl-utils:
2076	Configuring ssl-utils package</FONT></P>
2077	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Running
2078	setup-ssl-utils-sh-scripts...</FONT></P>
2079	<P STYLE="margin-bottom: 0cm"><BR>
2080	</P>
2081	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">***************************************************************************</FONT></P>
2082	<P STYLE="margin-bottom: 0cm"><BR>
2083	</P>
2084	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Note:
2085	To complete setup of the GSI software you need to run the</FONT></P>
2086	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">following
2087	script as root to configure your security configuration</FONT></P>
2088	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">directory:</FONT></P>
2089	<P STYLE="margin-bottom: 0cm"><BR>
2090	</P>
2091	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">/usr/local/gt4.0.5/setup/globus_simple_ca_2cba3376_setup/setup-gsi</FONT></P>
2092	<P STYLE="margin-bottom: 0cm"><BR>
2093	</P>
2094	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">For
2095	further information on using the setup-gsi script, use the -help</FONT></P>
2096	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">option.
2097	The -default option sets this security configuration to be</FONT></P>
2098	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">the
2099	default, and -nonroot can be used on systems where root access is</FONT></P>
2100	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">not
2101	available.</FONT></P>
2102	<P STYLE="margin-bottom: 0cm"><BR>
2103	</P>
2104	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">***************************************************************************</FONT></P>
2105	<P STYLE="margin-bottom: 0cm"><BR>
2106	</P>
2107	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">setup-ssl-utils:
2108	Complete</FONT></P>
2109	<P STYLE="margin-bottom: 0cm"><BR>
2110	</P>
2111	<P><BR>
2112	</P>
2113	</TD>
2114	</TR>
2115	</TABLE>
2116	<P CLASS="western" ALIGN=LEFT><BR><BR>
2117	</P>
2118	<P CLASS="western" ALIGN=LEFT>The number in the file names â
2119	2cba3376â is a unique h<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ash</SPAN></FONT>
2120	identifier for the CA. It will be different for for your
2121	installation when you run the setup. To complete the set-up run the
2122	setup-gsi script:</P>
2123	<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2124	<COL WIDTH=596>
2125	<TR>
2126	<TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6">
2127	<P STYLE="margin-bottom: 0cm"><BR>
2128	</P>
2129	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
2130	$GLOBUS_LOCATION/setup/globus_simple_ca_2cba3376_setup/setup-gsi </FONT>
2131	</P>
2132	<P>â<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">default
2133	</FONT>
2134	</P>
2135	</TD>
2136	</TR>
2137	</TABLE>
2138	<P STYLE="margin-bottom: 0cm"><BR>
2139	</P>
2140	<H3 CLASS="western"><A NAME="4.7.5. Host Certificate Creation\|outline"></A>
2141	4.7.5 Host Certificate Creation</H3>
2142	<P CLASS="western">As root user to carry out these steps. First
2143	check the path to the command <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">grid-cert-request</SPAN></FONT>:</P>
2144	<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
2145	</P>
2146	<TABLE WIDTH=609 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2147	<COL WIDTH=593>
2148	<TR>
2149	<TD WIDTH=593 VALIGN=TOP BGCOLOR="#e0e0e0">
2150	<P STYLE="margin-bottom: 0cm"><BR>
2151	</P>
2152	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
2153	which grid-cert-request</FONT></P>
2154	<P CLASS="western" ALIGN=LEFT><BR>
2155	</P>
2156	</TD>
2157	</TR>
2158	</TABLE>
2159	<P CLASS="western" ALIGN=JUSTIFY><BR>Should return something like:
2160	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">/usr/local/globus-4.0.5/bin/grid-cert-request</FONT></P>
2161	<P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">If
2162	not check the settings as made earlier for the SimpleCA:</FONT></P>
2163	<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
2164	</P>
2165	<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2166	<COL WIDTH=596>
2167	<TR>
2168	<TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6">
2169	<P LANG="fr-FR" STYLE="margin-bottom: 0cm"><BR>
2170	</P>
2171	<P LANG="fr-FR"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
2172	export GLOBUS_LOCATION=/usr/local/globus-4.0.5<BR>$ export
2173	GPT_LOCATION=$GLOBUS_LOCATION<BR>$ .
2174	$GLOBUS_LOCATION/etc/globus-user-env.sh</FONT></P>
2175	</TD>
2176	</TR>
2177	</TABLE>
2178	<P><BR><BR>
2179	</P>
2180	<P CLASS="western" ALIGN=JUSTIFY>To generate a host certificate
2181	request:</P>
2182	<TABLE WIDTH=608 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2183	<COL WIDTH=592>
2184	<TR>
2185	<TD WIDTH=592 VALIGN=TOP BGCOLOR="#e0e0e0">
2186	<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
2187	</P>
2188	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
2189	grid-cert-request âhost <fully qualified hostname> </FONT>
2190	</P>
2191	<P CLASS="western" ALIGN=LEFT><BR>
2192	</P>
2193	</TD>
2194	</TR>
2195	</TABLE>
2196	<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
2197	</P>
2198	<P CLASS="western" ALIGN=LEFT>This creates the files <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">hostcert.pem</FONT>,
2199	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">hostkey.pem</FONT>
2200	and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">hostcert_request.pem
2201	in /etc/grid-security directory</FONT>. <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">hostcert.pem</FONT>
2202	is empty.
2203	</P>
2204	<P CLASS="western" ALIGN=JUSTIFY>In order to obtain the certificate
2205	it must be signed by the CA:
2206	</P>
2207	<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2208	<COL WIDTH=596>
2209	<TR>
2210	<TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6">
2211	<P LANG="fr-FR" STYLE="margin-bottom: 0cm"><BR>
2212	</P>
2213	<P LANG="fr-FR"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
2214	grid-ca-sign -in /<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">etc/grid-security/hostcert_request.pem
2215	-out /etc/grid-security/hostcert.pem </FONT></FONT>
2216	</P>
2217	</TD>
2218	</TR>
2219	</TABLE>
2220	<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
2221	</P>
2222	<P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">hostcert_request.pem
2223	</FONT>is no longer needed and can be deleted.</P>
2224	<H3 CLASS="western"><A NAME="4.7.6. MyProxy Configuration File\|outline"></A>
2225	4.7.6 MyProxy Configuration File</H3>
2226	<P CLASS="western" ALIGN=JUSTIFY>A MyProxy configuration file is
2227	normally kept in the Globus installation under the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">etc</SPAN></FONT>
2228	directory. If this file is not already present, copy the sample
2229	file:</P>
2230	<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2231	<COL WIDTH=610>
2232	<TR>
2233	<TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
2234	<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
2235	</P>
2236	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
2237	cp $GLOBUS_LOCATION/share/myproxy/myproxy-server.config
2238	$GLOBUS_LOCATION/etc</FONT></P>
2239	<P CLASS="western" ALIGN=LEFT><BR>
2240	</P>
2241	</TD>
2242	</TR>
2243	</TABLE>
2244	<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
2245	</P>
2246	<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm">Edit
2247	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$GLOBUS_LOCATION/etc/myproxy-server.config
2248	m</FONT>odifying the entries under the section <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Complete
2249	Sample Policy</SPAN></FONT> so that they are all uncommented (remove
2250	leading <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">#
2251	</SPAN></FONT>character):</P>
2252	<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
2253	</P>
2254	<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2255	<COL WIDTH=610>
2256	<TR>
2257	<TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
2258	<P STYLE="margin-bottom: 0cm"><BR>
2259	</P>
2260	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#</FONT></P>
2261	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#
2262	Complete Sample Policy</FONT></P>
2263	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#</FONT></P>
2264	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#
2265	The following lines define a sample policy that enables all</FONT></P>
2266	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#
2267	myproxy-server features. See below for more examples.</FONT></P>
2268	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">accepted_credentials
2269	"*"</FONT></P>
2270	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">authorized_retrievers
2271	"*"</FONT></P>
2272	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">default_retrievers
2273	"*"</FONT></P>
2274	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">authorized_renewers
2275	"*"</FONT></P>
2276	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">default_renewers
2277	"none"</FONT></P>
2278	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">authorized_key_retrievers
2279	"*"</FONT></P>
2280	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">default_key_retrievers
2281	"none"</FONT></P>
2282	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">trusted_retrievers
2283	â*â</FONT></P>
2284	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">default_trusted_retrievers
2285	ânoneâ</FONT></P>
2286	<P><BR>
2287	</P>
2288	</TD>
2289	</TR>
2290	</TABLE>
2291	<P CLASS="western" ALIGN=LEFT><BR><BR>
2292	</P>
2293	<P CLASS="western" ALIGN=LEFT>Note that the wildcards for these
2294	fields may be modified such that only Distinguished Names of a given
2295	format are accepted e.g. <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">"/O=NDG/OU=BADC/*"</SPAN></FONT></P>
2296	<P CLASS="western" ALIGN=JUSTIFY>The <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">chmod
2297	</SPAN></FONT>command ensures that only the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">globus</SPAN></FONT>
2298	user has read/write access for the directory. Note also that the
2299	directory need not be called <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy</SPAN></FONT>.</P>
2300	<H3 CLASS="western"><A NAME="4.7.7. MyProxy SimpleCA Configuration\|outline"></A>
2301	4.7.7 MyProxy SimpleCA Configuration</H3>
2302	<P CLASS="western" ALIGN=LEFT>NDG Security uses MyProxy to
2303	dynamically generate user certificates on user login. For this,
2304	MyProxy requires configuration details from the SimpleCA. Make these
2305	settings in $GLOBUS_LOCATION/etc/myproxy-server.config (Note that the
2306	sensitivity of this information and the need to secure this file
2307	carefully!)</P>
2308	<OL>
2309	<LI><P CLASS="western" ALIGN=JUSTIFY>enable any retriever â
2310	retrieval is based on the retrievers login credentials:</P>
2311	<TABLE WIDTH=593 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2312	<COL WIDTH=577>
2313	<TR>
2314	<TD WIDTH=577 VALIGN=TOP BGCOLOR="#e0e0e0">
2315	<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
2316	</P>
2317	<P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">authorized_retrievers
2318	"*"</FONT></P>
2319	</TD>
2320	</TR>
2321	</TABLE>
2322	<P CLASS="western" ALIGN=JUSTIFY></P>
2323	<LI><P CLASS="western" ALIGN=LEFT>Set the path to the CA
2324	certificate. In this example the CA is installed in the root user's
2325	home directory:</P>
2326	</OL>
2327	<DL>
2328	<DD>
2329	<TABLE WIDTH=593 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2330	<COL WIDTH=577>
2331	<TR>
2332	<TD WIDTH=577 VALIGN=TOP BGCOLOR="#e0e0e0">
2333	<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
2334	</P>
2335	<P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">certificate_issuer_cert
2336	/root/.globus/simpleCA/cacert.pem</FONT></P>
2337	</TD>
2338	</TR>
2339	</TABLE>
2340	</DL>
2341	<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
2342	</P>
2343	<OL START=3>
2344	<LI><P CLASS="western" ALIGN=LEFT>Set the path to the CA private
2345	key:
2346	</P>
2347	<TABLE WIDTH=593 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2348	<COL WIDTH=577>
2349	<TR>
2350	<TD WIDTH=577 VALIGN=TOP BGCOLOR="#e0e0e0">
2351	<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
2352	</P>
2353	<P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">certificate_issuer_key
2354	/root/.globus/simpleCA/private/cakey.pem</FONT></P>
2355	</TD>
2356	</TR>
2357	</TABLE>
2358	<P CLASS="western" ALIGN=JUSTIFY></P>
2359	<LI><P CLASS="western" ALIGN=LEFT>Provide the password to the CA's
2360	private key. (This was set when you created the SimpleCA with
2361	$GLOBUS_LOCATION/setup/globus/setup-simple-ca):</P>
2362	<TABLE WIDTH=593 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2363	<COL WIDTH=577>
2364	<TR>
2365	<TD WIDTH=577 VALIGN=TOP BGCOLOR="#e0e0e0">
2366	<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
2367	</P>
2368	<P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">certificate_issuer_key_passphrase
2369	"password"</FONT></P>
2370	</TD>
2371	</TR>
2372	</TABLE>
2373	<P CLASS="western" ALIGN=JUSTIFY></P>
2374	<LI><P CLASS="western" ALIGN=JUSTIFY>Set the path to the certificate
2375	serial file</P>
2376	<TABLE WIDTH=593 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2377	<COL WIDTH=577>
2378	<TR>
2379	<TD WIDTH=577 VALIGN=TOP BGCOLOR="#e0e0e0">
2380	<P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><BR>certificate_serialfile
2381	/root/.globus/simpleCA/serial </FONT>
2382	</P>
2383	</TD>
2384	</TR>
2385	</TABLE>
2386	<P CLASS="western" ALIGN=JUSTIFY></P>
2387	<LI><P CLASS="western" ALIGN=JUSTIFY>Configure how MyProxy maps
2388	usernames to Distinguished Names in generated certificates. This can
2389	be done either with a grid mapfile or a script. A script is more
2390	flexible as you can use a wildcard match rather requiring a map
2391	entry for every single user. An example script is:</P>
2392	<TABLE WIDTH=593 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2393	<COL WIDTH=577>
2394	<TR>
2395	<TD WIDTH=577 VALIGN=TOP BGCOLOR="#e0e0e0">
2396	<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
2397	</P>
2398	<P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#!/bin/sh<BR>username=$1<BR>if
2399	[ X"$username" = X ]; then<BR> # no username given<BR>
2400	exit 1<BR>fi<BR>echo
2401	"/O=NDG/OU=Gabriel/OU=BADC/CN=${username}"</FONT></P>
2402	<P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">exit
2403	0</FONT></P>
2404	</TD>
2405	</TR>
2406	</TABLE>
2407	<P CLASS="western" ALIGN=LEFT><BR>In the example above, if a user
2408	logs in as pjkershaw, they will be issued with a certificate with
2409	the Distinguished Name /O=NDG/OU=Gabriel/OU=BADC/CN=pjkershaw. Copy
2410	the file above file into $GLOBUS_LOCATION/sbin/mapper.sh replacing
2411	â/O=NDG/OU=Gabriel/OU=BADC/CN=â with the form of the
2412	Distinguished Name that you require for users for your site. Ensure
2413	that the file has execute permissions set e.g.<BR><BR><BR>
2414	</P>
2415	<TABLE WIDTH=593 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2416	<COL WIDTH=577>
2417	<TR>
2418	<TD WIDTH=577 VALIGN=TOP BGCOLOR="#e0e0e0">
2419	<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
2420	</P>
2421	<P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
2422	chmod 700 $GLOBUS_LOCATION/sbin/mapper.sh</FONT></P>
2423	<P CLASS="western" ALIGN=LEFT><BR>
2424	</P>
2425	</TD>
2426	</TR>
2427	</TABLE>
2428	<P CLASS="western" ALIGN=LEFT><BR>Refer to the script in
2429	$GLOBUS_LOCATION/etc/myproxy-server.config with this setting:</P>
2430	<TABLE WIDTH=593 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2431	<COL WIDTH=577>
2432	<TR>
2433	<TD WIDTH=577 VALIGN=TOP BGCOLOR="#e0e0e0">
2434	<P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><BR>certificate_mapapp
2435	/usr/local/globus-4.0.5/sbin/mapper.sh</FONT></P>
2436	</TD>
2437	</TR>
2438	</TABLE>
2439	<P CLASS="western" ALIGN=LEFT></P>
2440	</OL>
2441	<H3 CLASS="western"><A NAME="4.7.8. MyProxy PAM Configuration\|outline"></A>
2442	4.7.8 MyProxy PAM Configuration</H3>
2443	<P CLASS="western" ALIGN=JUSTIFY>Reference:
2444	<A HREF="http://grid.ncsa.uiuc.edu/myproxy/pam.html">http://grid.ncsa.uiuc.edu/myproxy/pam.html</A></P>
2445	<P CLASS="western" ALIGN=JUSTIFY>NDG Security makes use of MyProxy
2446	with PAM to enable MyProxy logon requests to be authenticated against
2447	a site's existing security infrastructure, for example a user
2448	database or LDAP repository. Linux systems have PAMs for login, ssh
2449	and other services. PAMs can be obtained for the major database
2450	varieties such as MySQL, Postgres and Oracle.</P>
2451	<P CLASS="western">To configure MyProxy for PAM, settings are made
2452	via myproxy-server.config to two different fields:</P>
2453	<UL>
2454	<LI><P CLASS="western">pam: may be set to disabled, ârequiredâ
2455	or âsufficientâ. Set to ârequiredâ. With this setting,
2456	all MyProxy logon requests will be authenticated via PAM. The
2457	âsufficientâ setting may be useful in some circumstances. It
2458	enables authentication via PAM and via credentials held in the
2459	MyProxy repository.</P>
2460	<LI><P CLASS="western">pam_id: name that MyProxy uses to identify
2461	itself to PAM. This can correspond either to a file of the same
2462	name in /etc/pam.d or entries prefixed with that name in
2463	/etc/pam.conf. This setting determines the PAM used by MyProxy to
2464	authenticate.
2465	</P>
2466	</UL>
2467	<P CLASS="western">The most straightforward way to set-up MyProxy
2468	with PAM is to try one of the existing PAMs such as login. If the
2469	pam_id is set to login, a myproxy-logon request will link to that
2470	user's Linux login.</P>
2471	<P CLASS="western">Appendices are provided at the end of this
2472	document for some of the more common configurations.</P>
2473	<H3 CLASS="western"><A NAME="4.7.9. Testing MyProxy\|outline"></A>4.7.9
2474	Testing MyProxy</H3>
2475	<P CLASS="western" ALIGN=JUSTIFY>A simple way to test the MyProxy
2476	configuration to run the myproxy-logon client command. For initial
2477	testing set the pam_id in $GLOBUS_LOCATION/etc/myproxy-server.config
2478	to âlogonâ so that it uses the Linux user accounts for
2479	authentication.</P>
2480	<P CLASS="western" ALIGN=JUSTIFY>Client error messages can be
2481	difficult to interpret but a -v verbose option is provided to give
2482	more information. In addition, MyProxy server can be run in debug
2483	mode using the -d command line switch. MyProxy should be run under
2484	the user account in which it was installed - root. Ensure that the
2485	environment is set correctly i.e. GLOBUS_LOCATION variable set and
2486	$GLOBUS_LOCATION/etc/globus-user-env.sh has been sourced<SPAN LANG="pt-PT"><FONT SIZE=2>:</FONT></SPAN></P>
2487	<TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2488	<COL WIDTH=602>
2489	<TR>
2490	<TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0">
2491	<P LANG="fr-FR" STYLE="margin-bottom: 0cm"><BR>
2492	</P>
2493	<P LANG="fr-FR"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
2494	export GLOBUS_LOCATION=/usr/local/globus-4.0.5<BR>$ export
2495	GPT_LOCATION=$GLOBUS_LOCATION<BR>$ .
2496	$GLOBUS_LOCATION/etc/globus-user-env.sh</FONT></P>
2497	</TD>
2498	</TR>
2499	</TABLE>
2500	<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
2501	</P>
2502	<P CLASS="western" ALIGN=JUSTIFY>If you already have MyProxy running
2503	via xinetd or as a process started from a SysV init script, it is
2504	possible to run a separate MyProxy server process on a different port
2505	with the -p flag.</P>
2506	<TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2507	<COL WIDTH=602>
2508	<TR>
2509	<TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0">
2510	<P STYLE="margin-bottom: 0cm"><BR>
2511	</P>
2512	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
2513	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy-server
2514	-d -v -p 60000</SPAN></FONT></FONT></P>
2515	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy-server
2516	v3.7 12 Dec 2006 PAM starting at Fri Dec 21 12:45:59 2007</SPAN></FONT></FONT></P>
2517	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">reading
2518	configuration file
2519	/usr/local/globus-4.0.5/etc/myproxy-server.config</SPAN></FONT></FONT></P>
2520	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">CA
2521	enabled</SPAN></FONT></FONT></P>
2522	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">using
2523	storage directory /var/myproxy</SPAN></FONT></FONT></P>
2524	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Starting
2525	myproxy-server on localhost: 60000...</SPAN></FONT></FONT></P>
2526	<P><BR>
2527	</P>
2528	</TD>
2529	</TR>
2530	</TABLE>
2531	<P CLASS="western" ALIGN=LEFT><BR><BR>
2532	</P>
2533	<P CLASS="western" ALIGN=LEFT>Note that in debug mode, myproxy-server
2534	will exit after the first request made to it.</P>
2535	<P CLASS="western" ALIGN=LEFT>Run myproxy-logon in a separate window
2536	under a user account for which you know the Linux password. Provide
2537	the port number if myproxy-server was started on a different port to
2538	the default and give the full name of the server as set in the host
2539	certificate (/etc/grid-security/hostcert.pem)</P>
2540	<TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2541	<COL WIDTH=602>
2542	<TR>
2543	<TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0">
2544	<P STYLE="margin-bottom: 0cm"><BR>
2545	</P>
2546	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
2547	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy-logon
2548	-v -s <fully qualified server hostname> -p 60000</SPAN></FONT></FONT></P>
2549	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">MyProxy
2550	v3.7 12 Dec 2006 PAM</SPAN></FONT></FONT></P>
2551	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Attempting
2552	to connect to 127.0.0.1:60000</SPAN></FONT></FONT></P>
2553	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Enter
2554	MyProxy pass phrase:</SPAN></FONT></FONT></P>
2555	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">using
2556	trusted certificates directory /etc/grid-security/certificates</SPAN></FONT></FONT></P>
2557	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">no
2558	valid credentials found -- performing anonymous authentication</SPAN></FONT></FONT></P>
2559	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">server
2560	name: /O=NDG/OU=Gabriel/OU=BADC/CN=gabriel<></SPAN></FONT></FONT></P>
2561	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">checking
2562	that server name is acceptable...</SPAN></FONT></FONT></P>
2563	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">server
2564	name does not match "myproxy@gabriel<>"</SPAN></FONT></FONT></P>
2565	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">server
2566	name matches "host@gabriel<>"</SPAN></FONT></FONT></P>
2567	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">authenticated
2568	server name is acceptable</SPAN></FONT></FONT></P>
2569	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">A
2570	credential has been received for user pjkershaw in
2571	/tmp/x509up_u1000.</SPAN></FONT></FONT></P>
2572	<P><BR>
2573	</P>
2574	</TD>
2575	</TR>
2576	</TABLE>
2577	<P CLASS="western" ALIGN=LEFT><BR><BR>
2578	</P>
2579	<P CLASS="western" ALIGN=LEFT>The equivalent output from the server
2580	will be something like:</P>
2581	<TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2582	<COL WIDTH=602>
2583	<TR>
2584	<TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0">
2585	<P STYLE="margin-bottom: 0cm"><BR>
2586	</P>
2587	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Connection
2588	from 127.0.0.1</SPAN></FONT></FONT></P>
2589	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">using
2590	trusted certificates directory /etc/grid-security/certificates</SPAN></FONT></FONT></P>
2591	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Authenticated
2592	client <anonymous></SPAN></FONT></FONT></P>
2593	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">applying
2594	trusted_retrievers policy</SPAN></FONT></FONT></P>
2595	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">applying
2596	authorized_retrievers policy</SPAN></FONT></FONT></P>
2597	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">applying
2598	authorized_renewers policy</SPAN></FONT></FONT></P>
2599	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">user_dn_lookup()</SPAN></FONT></FONT></P>
2600	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">resolve_via_mapapp(/usr/local/globus-4.0.5/sbin/mapper.sh,
2601	pjkershaw)</SPAN></FONT></FONT></P>
2602	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Checking
2603	passphrase via PAM. PAM policy: "sufficient"; PAM ID:
2604	"logon"</SPAN></FONT></FONT></P>
2605	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">PAM
2606	authentication succeeded for pjkershaw</SPAN></FONT></FONT></P>
2607	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Received
2608	GET request from <anonymous></SPAN></FONT></FONT></P>
2609	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Sending
2610	OK response to client <anonymous></SPAN></FONT></FONT></P>
2611	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">using
2612	CA callout</SPAN></FONT></FONT></P>
2613	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Calling
2614	CA Extensions</SPAN></FONT></FONT></P>
2615	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">handle_certificate()</SPAN></FONT></FONT></P>
2616	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Cert
2617	request loaded.</SPAN></FONT></FONT></P>
2618	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Got
2619	a cert request for user "pjkershaw", with pubkey hash
2620	"282944311", and lifetime "43200"</SPAN></FONT></FONT></P>
2621	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Using
2622	internal openssl/generate_certificate() code</SPAN></FONT></FONT></P>
2623	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Generating
2624	certificate internally.</SPAN></FONT></FONT></P>
2625	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">user_dn_lookup()</SPAN></FONT></FONT></P>
2626	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">using
2627	cached value</SPAN></FONT></FONT></P>
2628	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">tokenizing:
2629	/O=NDG/OU=BADC/OU=Gabriel/CN=pjkershaw</SPAN></FONT></FONT></P>
2630	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">adding:
2631	O = NDG</SPAN></FONT></FONT></P>
2632	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">adding:
2633	OU = BADC</SPAN></FONT></FONT></P>
2634	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">adding:
2635	OU = Gabriel</SPAN></FONT></FONT></P>
2636	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">adding:
2637	CN = pjkershaw</SPAN></FONT></FONT></P>
2638	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Assigning
2639	serial number</SPAN></FONT></FONT></P>
2640	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Loaded
2641	serial number F6 from /root/.globus/simpleCA/serial</SPAN></FONT></FONT></P>
2642	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">serial
2643	number assigned</SPAN></FONT></FONT></P>
2644	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">cert
2645	lifetime: 43200</SPAN></FONT></FONT></P>
2646	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">CAkey:
2647	/root/.globus/simpleCA/private/cakey.pem</SPAN></FONT></FONT></P>
2648	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Signing
2649	internally generated certificate.</SPAN></FONT></FONT></P>
2650	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Issued
2651	certificate for user "pjkershaw", with DN
2652	"/O=NDG/OU=BADC/OU=Gabriel/CN=pjkershaw", lifetime
2653	"43200", and serial number "246"</SPAN></FONT></FONT></P>
2654	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Sending
2655	OK response to client <anonymous></SPAN></FONT></FONT></P>
2656	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Client
2657	<anonymous> disconnected</SPAN></FONT></FONT></P>
2658	<P><BR>
2659	</P>
2660	</TD>
2661	</TR>
2662	</TABLE>
2663	<P CLASS="western" ALIGN=LEFT><BR><BR>
2664	</P>
2665	<P CLASS="western" ALIGN=LEFT>The certificate and private key are
2666	written to file in /tmp by myproxy-logon. This takes the form
2667	x509up_<uid>. It's possible to check the certificate
2668	generated using openssl e.g.:</P>
2669	<TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2670	<COL WIDTH=602>
2671	<TR>
2672	<TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0">
2673	<P STYLE="margin-bottom: 0cm"><BR>
2674	</P>
2675	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$
2676	openssl -in /tmp/x509up_1001 -text</SPAN></FONT></FONT></P>
2677	<P><BR>
2678	</P>
2679	</TD>
2680	</TR>
2681	</TABLE>
2682	<P CLASS="western" ALIGN=LEFT><BR>The output includes details
2683	including the certificate's DN, issuer and expiry time. If you wish
2684	to run the test again delete or move this file as myproxy-logon will
2685	try to use it to authenticate to the MyProxy server.</P>
2686	<P CLASS="western" ALIGN=LEFT>If you encounter problems check the
2687	output from the client and server. commands. The system logs may
2688	contain useful additional information from the PAM used.</P>
2689	<P CLASS="western" ALIGN=LEFT>The Python MyProxy client unit tests
2690	can be used to test the server from a separate client machine where
2691	Python NDG services are installed but not MyProxy itself. The
2692	MyProxy unit tests are in the package ndg.security.test.myProxy.</P>
2693	<H3 CLASS="western"><A NAME="4.7.10. Adding MyProxy Server to the system start up\|outline"></A>
2694	4.7.10 Adding MyProxy Server to the system start up</H3>
2695	<P CLASS="western" ALIGN=JUSTIFY>Any of the standard mechanisms may
2696	be used such as adding a SysV style init script or using <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">inetd</SPAN></FONT>
2697	or <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">xinetd</SPAN></FONT>.
2698	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">inetd</SPAN></FONT>/<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">xinetd</SPAN></FONT>
2699	are preferred:</P>
2700	<UL>
2701	<LI><P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy-server</SPAN></FONT>
2702	process will not show on <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ps</SPAN></FONT>
2703	command listing
2704	</P>
2705	<LI><P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm">Itâs
2706	more efficient since itâs only invoked when a request from a
2707	MyProxy client is received.</P>
2708	<LI><P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm">Itâs
2709	easy to configure so that <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy-server</SPAN></FONT>
2710	runs as an alternative user to <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">root</SPAN></FONT>.</P>
2711	</UL>
2712	<P CLASS="western" ALIGN=JUSTIFY STYLE="margin-left: 0.63cm; margin-bottom: 0cm">
2713	<BR>
2714	</P>
2715	<H4 CLASS="western"><A NAME="_Ref143089522"></A>4.7.10.1 inetd /
2716	xinetd</H4>
2717	<P CLASS="western" ALIGN=LEFT>To run the myproxy server using <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">inetd
2718	</SPAN></FONT>or <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">xinetd</SPAN></FONT>,
2719	as root user:
2720	</P>
2721	<UL>
2722	<LI><P CLASS="western" ALIGN=LEFT>Add the entries in
2723	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$GLOBUS_LOCATION/share/myproxy/etc.services.modifications</SPAN></FONT>
2724	to the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/etc/services</SPAN></FONT>
2725	or <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/etc/inet/services</SPAN></FONT>
2726	file:
2727	</P>
2728	</UL>
2729	<DL>
2730	<DD>
2731	<TABLE WIDTH=574 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2732	<COL WIDTH=558>
2733	<TR>
2734	<TD WIDTH=558 VALIGN=TOP BGCOLOR="#e0e0e0">
2735	<P STYLE="margin-bottom: 0cm"><BR>
2736	</P>
2737	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">myproxy-server
2738	7512/tcp # MyProxy server</FONT></P>
2739	<P><BR>
2740	</P>
2741	</TD>
2742	</TR>
2743	</TABLE>
2744	</DL>
2745	<P CLASS="western" ALIGN=LEFT STYLE="margin-left: 0.64cm"><BR><BR>
2746	</P>
2747	<UL>
2748	<LI VALUE=1><P CLASS="western" ALIGN=LEFT>Add the entries from
2749	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$GLOBUS_LOCATION/share/myproxy/etc.inetd.conf.modifications</SPAN></FONT></P>
2750	<UL>
2751	<LI><P CLASS="western" ALIGN=LEFT>For inetd add to <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/etc/inetd.conf
2752	</SPAN></FONT>or <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/etc/inet/inetd.conf</SPAN></FONT>,
2753	or âŠ</P>
2754	<LI><P CLASS="western" ALIGN=LEFT>for <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">xinetd</SPAN></FONT>,
2755	copy <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$GLOBUS_LOCATION/share/myproxy/etc.xinetd.myproxy</SPAN></FONT>
2756	to <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/etc/xinetd.d/myproxy</SPAN></FONT>.
2757	Modify the paths in the file according to your installation and set
2758	the user to the correct user name for running <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy-server</SPAN></FONT>
2759	e.g.</P>
2760	</UL>
2761	</UL>
2762	<DL>
2763	<DD>
2764	<TABLE WIDTH=574 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2765	<COL WIDTH=558>
2766	<TR>
2767	<TD WIDTH=558 VALIGN=TOP BGCOLOR="#e0e0e0">
2768	<P STYLE="margin-bottom: 0cm"><BR>
2769	</P>
2770	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">service
2771	myproxy-server</FONT></FONT></P>
2772	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">{</FONT></FONT></P>
2773	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">socket_type
2774	= stream</FONT></FONT></P>
2775	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><SPAN LANG="pt-PT">protocol
2776	= tcp</SPAN></FONT></FONT></P>
2777	<P LANG="pt-PT" STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">wait
2778	= no</FONT></FONT></P>
2779	<P LANG="pt-PT" STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">user
2780	= globus</FONT></FONT></P>
2781	<P LANG="pt-PT" STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">server
2782	= /usr/local/NDG/globus-4.0.1/sbin/myproxy-server</FONT></FONT></P>
2783	<P LANG="pt-PT" STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">env
2784	= GLOBUS_LOCATION=/usr/local/globus-4.0.5
2785	LD_LIBRARY_PATH=/usr/local/globus-4.0.5/lib</FONT></FONT></P>
2786	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">disable
2787	= no</FONT></FONT></P>
2788	<P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">only_from
2789	= localhost.localdomain <hostAddress1> <hostAddress2></FONT></FONT></P>
2790	<P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">}</FONT></FONT></P>
2791	</TD>
2792	</TR>
2793	</TABLE>
2794	</DL>
2795	<P STYLE="margin-bottom: 0cm"><BR>
2796	</P>
2797	<UL>
2798	<LI VALUE=1><P CLASS="western" ALIGN=LEFT>Note also, the additional
2799	setting in this example for <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">only_from</SPAN></FONT>.
2800	This a limit to be placed on which hosts clients can connect from
2801	to the server. In the above, clients can connect from the local
2802	machine (note the fully qualified name including <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">localdomain</SPAN></FONT>)
2803	and from the hosts <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB"><hostAddress1>
2804	</SPAN></FONT>and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB"><hostAddress2></SPAN></FONT>.
2805	Care must be taken with these settings. Client requests will exit
2806	with an SSL error if set incorrectly.</P>
2807	<LI><P CLASS="western" ALIGN=LEFT>Reactivate the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">inetd</SPAN></FONT>
2808	/ <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">xinetd</SPAN></FONT>.
2809	This is typically accomplished by sending the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">SIGHUP</SPAN></FONT>
2810	signal to the server process. Redhat Linux machines include the GUI
2811	tool <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">redhat-config-services</SPAN></FONT>
2812	to allow convenient management of services. Refer to the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">inetd</SPAN></FONT>
2813	or <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">xinetd</SPAN></FONT>
2814	man page for your system.</P>
2815	</UL>
2816	<H4 CLASS="western">4.7.10.2 SysV-style boot script
2817	</H4>
2818	<P CLASS="western" ALIGN=LEFT>A sample SysV-style boot script for is
2819	available in the Globus installation at,
2820	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$GLOBUS_LOCATION/share/myproxy/etc.init.d.myproxy</SPAN></FONT>.
2821	</P>
2822	<P CLASS="western" ALIGN=LEFT>To install:
2823	</P>
2824	<TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2825	<COL WIDTH=602>
2826	<TR>
2827	<TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0">
2828	<P STYLE="margin-bottom: 0cm"><BR>
2829	</P>
2830	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
2831	cp <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$GLOBUS_LOCATION/share/myproxy/etc.init.d.myproxy
2832	/etc/rc.d/init.d/myproxy</SPAN></FONT></FONT></P>
2833	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$
2834	chkconfig --add myproxy</SPAN></FONT></FONT></P>
2835	<P><BR>
2836	</P>
2837	</TD>
2838	</TR>
2839	</TABLE>
2840	<P CLASS="western" ALIGN=LEFT><BR><BR>
2841	</P>
2842	<P CLASS="western" ALIGN=LEFT>Edit the file to set the
2843	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">GLOBUS_LOCATION
2844	</SPAN></FONT>environment variable correctly.
2845	</P>
2846	<P CLASS="western" ALIGN=LEFT><BR><BR>
2847	</P>
2848	<H1 CLASS="western"><A NAME="5.Appendices\|outline"></A>5.Appendices</H1>
2849	<H2 CLASS="western"><A NAME="5.1. Postgres PAM for MyProxy\|outline"></A>
2850	5.1 Postgres PAM for MyProxy</H2>
2851	<P CLASS="western" ALIGN=JUSTIFY>This section is intended to provide
2852	the information needed to enable MyProxy to authenticate against
2853	tables in a Postgres database. Before, making these settings ensure
2854	that MyProxy is fully installed following the steps outlined in the
2855	MyProxy section. It's recommended to try out MyProxy with an
2856	existing PAM such as âlogonâ first to ensure it is working. See
2857	the section <I>Testing MyProxy</I>.</P>
2858	<P CLASS="western" ALIGN=JUSTIFY>Obtain and install the latest
2859	libpam_pgsql. This can be installed from Debian or RPM packages or
2860	from source. For NDG Security, version 0.5.2-9 Debian and 0.6.3
2861	source distributions have been tested. Check the documentation in
2862	the source tar ball for details of Postgres version requirements.
2863	</P>
2864	<H3 CLASS="western"><A NAME="5.1.1. Configuration\|outline"></A>5.1.1
2865	Configuration</H3>
2866	<P CLASS="western" ALIGN=JUSTIFY>Depending on your native system
2867	create either a /etc/pam.d/myproxy file or the relevant entry in
2868	/etc/pam.conf
2869	</P>
2870	<P CLASS="western" ALIGN=JUSTIFY>For /etc/pam.d/myproxy:</P>
2871	<TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2872	<COL WIDTH=602>
2873	<TR>
2874	<TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0">
2875	<P STYLE="margin-bottom: 0cm"><BR>
2876	</P>
2877	<P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">auth
2878	required pam_pgsql.so <BR>account required
2879	pam_pgsql.so<BR><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">password
2880	required pam_pgsql.so</SPAN></FONT></FONT></P>
2881	</TD>
2882	</TR>
2883	</TABLE>
2884	<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
2885	</P>
2886	<P CLASS="western" ALIGN=JUSTIFY>or /etc/pam.conf:</P>
2887	<TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2888	<COL WIDTH=602>
2889	<TR>
2890	<TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0">
2891	<P STYLE="margin-bottom: 0cm"><BR>
2892	</P>
2893	<P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">myproxy
2894	auth required pam_pgsql.so <BR>myproxy account
2895	required pam_pgsql.so<BR>myproxy <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">password
2896	required pam_pgsql.so</SPAN></FONT></FONT></P>
2897	</TD>
2898	</TR>
2899	</TABLE>
2900	<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
2901	</P>
2902	<P CLASS="western" ALIGN=JUSTIFY>Configure the database, and table
2903	the module should use with the configuration file
2904	/etc/pam_pgsql.conf. e.g.</P>
2905	<TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2906	<COL WIDTH=602>
2907	<TR>
2908	<TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0">
2909	<P STYLE="margin-bottom: 0cm"><BR>
2910	</P>
2911	<P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">database
2912	= userdb<BR>user = admin<BR>password = adminpassword<BR>table =
2913	account<BR>user_column = username<BR>pwd_column = password<BR>pw_type
2914	= md5<BR><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">debug</SPAN></FONT></FONT></P>
2915	</TD>
2916	</TR>
2917	</TABLE>
2918	<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
2919	</P>
2920	<P CLASS="western" ALIGN=JUSTIFY>In the above example, password in
2921	the database table âaccountâ are MD5 encrypted. This field can
2922	also be set to Crypt or left out altogether if passwords are
2923	unencrypted.</P>
2924	<P CLASS="western" ALIGN=JUSTIFY>Restart MyProxy and test it using
2925	the myproxy-logon client command as outlined in the section <I>Testing
2926	MyProxy.</I><SPAN STYLE="font-style: normal"> To specify a database
2927	account name use the -l flag. If this omitted then the Linux account
2928	name is assumed e.g.</SPAN></P>
2929	<TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2930	<COL WIDTH=602>
2931	<TR>
2932	<TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0">
2933	<P STYLE="margin-bottom: 0cm"><BR>
2934	</P>
2935	<P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$
2936	myproxy-logon -v -p 60000 -l mydbaccountid</SPAN></FONT></FONT></P>
2937	</TD>
2938	</TR>
2939	</TABLE>
2940	<P CLASS="western"><BR>Consult the myproxy-logon and myproxy-server
2941	output and the system logs to trouble shoot errors.</P>
2942	<H2 CLASS="western"><A NAME="_Ref133718491"></A><A NAME="5.2. MySQL Installation\|outline"></A>
2943	5.2 MySQL Installation</H2>
2944	<P CLASS="western" ALIGN=JUSTIFY>MySQL can be used to implement a
2945	Credential Repository for the SessionManager to stored user
2946	credentials as cached in their Credential Wallet held in their
2947	session.</P>
2948	<P CLASS="western" ALIGN=JUSTIFY>This section describes how to make
2949	an installation from the MySQL binary package tarball. System
2950	administrators may wish to use an existing installation of MySQL or
2951	use an alternative installation method such as rpm. Installing from
2952	the binary package has the advantage that it doesnât interfere with
2953	any existing MySQL installation on the target machine. The
2954	instructions are adapted from the file <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">INSTALL-BINARY</SPAN></FONT>
2955	provided in the tarball.</P>
2956	<H3 CLASS="western"><A NAME="5.2.1.Version\|outline"></A>5.2.1Version</H3>
2957	<P CLASS="western" ALIGN=LEFT>Version 3.23 or later is recommended.
2958	These instructions are for version 5.0.20a, the latest stable release
2959	at time of writing.</P>
2960	<H3 CLASS="western"><A NAME="5.2.2. Getting the Binaries\|outline"></A>
2961	5.2.2 Getting the Binaries</H3>
2962	<P CLASS="western" ALIGN=LEFT>The package can be obtained from the
2963	MySQL web site (<FONT COLOR="#0000ff"><U><A HREF="http://dev.mysql.com/downloads/mysql/5.0.html">http://dev.mysql.com/downloads/mysql/5.0.html</A></U></FONT>).
2964	Scroll to the correct version - Linux (non RPM, Intel C/C++
2965	compiled, glibc-X.X) downloads. The version of glibc on the target
2966	machine can be checked using same machine as the web server.</P>
2967	<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2968	<COL WIDTH=605>
2969	<TR>
2970	<TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
2971	<P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><BR>$
2972	ls /lib/libc-*</FONT></P>
2973	</TD>
2974	</TR>
2975	</TABLE>
2976	<P CLASS="western" ALIGN=LEFT><BR><BR>
2977	</P>
2978	<H3 CLASS="western"><A NAME="5.2.3. New mysql User Account\|outline"></A>
2979	5.2.3 New <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB"><I>mysql</I></SPAN></FONT>
2980	User Account</H3>
2981	<P CLASS="western" ALIGN=JUSTIFY>Make a new account to run MySQL if
2982	it doesnât already exist:</P>
2983	<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2984	<COL WIDTH=605>
2985	<TR>
2986	<TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
2987	<P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><BR>$
2988	groupadd mysql<BR>$ useradd -g mysql mysql</FONT></P>
2989	</TD>
2990	</TR>
2991	</TABLE>
2992	<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
2993	</P>
2994	<H3 CLASS="western"><A NAME="5.2.4. Unpacking the tarball\|outline"></A>
2995	5.2.4 Unpacking the tarball</H3>
2996	<P CLASS="western" ALIGN=LEFT>As root copy the tarball to the target
2997	directory for installation e.g. /usr/local, unpack the file:</P>
2998	<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
2999	<COL WIDTH=605>
3000	<TR>
3001	<TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
3002	<P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><BR>$
3003	cd /usr/local<BR>$ tar zxvf
3004	mysql-standard-5.0.20a-linux-i686-icc-glibc23.tar.gz</FONT></P>
3005	</TD>
3006	</TR>
3007	</TABLE>
3008	<P CLASS="western" ALIGN=LEFT><BR><BR>
3009	</P>
3010	<P CLASS="western" ALIGN=LEFT>Make a symbolic link to the new
3011	directory and â<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">cd</SPAN></FONT>â
3012	to it:
3013	</P>
3014	<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
3015	<COL WIDTH=605>
3016	<TR>
3017	<TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
3018	<P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><BR>$
3019	ln -s /usr/local/mysql-standard-5.0.20a-linux-i686-icc-glibc23
3020	mysql<BR>$ cd mysql</FONT></P>
3021	</TD>
3022	</TR>
3023	</TABLE>
3024	<P CLASS="western" ALIGN=LEFT><BR><BR>
3025	</P>
3026	<P CLASS="western" ALIGN=LEFT>The <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">bin</SPAN></FONT>
3027	directory contains client programs and the server. You should add
3028	the full pathname of this directory to your <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">PATH</SPAN></FONT>
3029	environment variable so that your shell finds the MySQL programs
3030	properly.
3031	</P>
3032	<H3 CLASS="western"><A NAME="5.2.5. Configuration File\|outline"></A>5.2.5
3033	Configuration File</H3>
3034	<P CLASS="western" ALIGN=JUSTIFY>Create a configuration file called
3035	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">my.cnf</SPAN></FONT>
3036	in the target directory (<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/usr/local/mysql</SPAN></FONT>
3037	in this example) to enable custom settings to be made for this
3038	installation. Note that if there is an existing installation of
3039	MySQL, there may be settings existing settings in a file <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/etc/my.cnf</SPAN></FONT>.
3040	To use the settings from this file, <I>ignore</I> this step.</P>
3041	<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
3042	<COL WIDTH=605>
3043	<TR>
3044	<TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
3045	<P STYLE="margin-bottom: 0cm"><BR>
3046	</P>
3047	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">[mysqld]</FONT></P>
3048	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">datadir=/usr/local/mysql-standard-5.0.20a-linux-i686-icc-glibc23/data</FONT></P>
3049	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">socket=/tmp/mysql.sock</FONT></P>
3050	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#
3051	Default to using old password format for compatibility with mysql
3052	3.x</FONT></P>
3053	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#
3054	clients (those using the mysqlclient10 compatibility package).</FONT></P>
3055	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">old_passwords=1</FONT></P>
3056	<P STYLE="margin-bottom: 0cm"><BR>
3057	</P>
3058	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">[mysql.server]</FONT></P>
3059	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">user=mysql</FONT></P>
3060	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">basedir=/usr/local/mysql-standard-5.0.20a-linux-i686-icc-glibc23</FONT></P>
3061	<P STYLE="margin-bottom: 0cm"><BR>
3062	</P>
3063	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">[mysqld_safe]</FONT></P>
3064	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">err-log=/var/log/mysqld.log</FONT></P>
3065	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">pid-file=/tmp/mysql.pid</FONT></P>
3066	<P><BR>
3067	</P>
3068	</TD>
3069	</TR>
3070	</TABLE>
3071	<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
3072	</P>
3073	<P CLASS="western" ALIGN=JUSTIFY>The settings above will mean that
3074	MySQLâs tables and the Credential Repository database will be
3075	stored under <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/usr/local/mysql/data</SPAN></FONT>.</P>
3076	<H3 CLASS="western"><A NAME="5.2.6. Create the Grant Tables\|outline"></A>
3077	5.2.6 Create the Grant Tables</H3>
3078	<P CLASS="western" ALIGN=LEFT>The <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">scripts</SPAN></FONT>
3079	directory contains the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">mysql_install_db</SPAN></FONT>
3080	script used to initialize the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">mysql</SPAN></FONT>
3081	database containing the grant tables that store the server access
3082	permissions. If you have not installed MySQL before, you must create
3083	the MySQL grant tables:</P>
3084	<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
3085	<COL WIDTH=605>
3086	<TR>
3087	<TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
3088	<P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><BR>$
3089	scripts/mysql_install_db --user=mysql</FONT></P>
3090	</TD>
3091	</TR>
3092	</TABLE>
3093	<P CLASS="western" ALIGN=LEFT><BR><BR>
3094	</P>
3095	<P CLASS="western" ALIGN=LEFT>If you run the command as <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">root</SPAN></FONT>,
3096	you must use the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">--user</SPAN></FONT>
3097	option as shown. The value of the option should be the name of the
3098	login account that you created in the first step to use for running
3099	the server. If you run the command while logged in as that user, you
3100	can omit the -user option. After creating or updating the grant
3101	tables, you need to restart the server manually.</P>
3102	<H3 CLASS="western"><A NAME="5.2.7. File and Directory Permissions\|outline"></A>
3103	5.2.7 File and Directory Permissions</H3>
3104	<P CLASS="western" ALIGN=LEFT>Change the ownership of program
3105	binaries to <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">root</SPAN></FONT>
3106	and ownership of the data directory <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">mysql</SPAN></FONT>.
3107	Assuming that you are located in the installation directory
3108	(<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/usr/local/mysql</SPAN></FONT>),
3109	the commands look like this:</P>
3110	<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
3111	<COL WIDTH=605>
3112	<TR>
3113	<TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
3114	<P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><BR>$
3115	chown -R root .<BR>$ chown -R mysql data<BR>$ chgrp -R mysql .</FONT></P>
3116	</TD>
3117	</TR>
3118	</TABLE>
3119	<P CLASS="western" ALIGN=LEFT><BR><BR>
3120	</P>
3121	<P CLASS="western" ALIGN=LEFT>The first command changes the owner
3122	attribute of the files to the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">root</SPAN></FONT>
3123	user. The second changes the owner attribute of the data directory to
3124	the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">mysql</SPAN></FONT>
3125	user. The third changes the group attribute to the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">mysql</SPAN></FONT>
3126	group.</P>
3127	<H3 CLASS="western"><A NAME="5.2.8. Starting the Server\|outline"></A>5.2.8
3128	Starting the Server</H3>
3129	<P CLASS="western" ALIGN=LEFT>If you want MySQL to start
3130	automatically when you boot your machine, you can copy
3131	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">support-files/mysql.server</SPAN></FONT>
3132	to the location where your system has its startup files. More
3133	information can be found in the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">support-files/mysql.server</SPAN></FONT>
3134	script itself.</P>
3135	<P CLASS="western" ALIGN=LEFT>To start the MySQL server, use the
3136	following command:</P>
3137	<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
3138	<COL WIDTH=605>
3139	<TR>
3140	<TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
3141	<P><BR><BR>
3142	</P>
3143	<P LANG="nb-NO"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
3144	bin/mysqld_safe --user=mysql &</FONT></P>
3145	</TD>
3146	</TR>
3147	</TABLE>
3148	<P LANG="nb-NO" CLASS="western" ALIGN=LEFT><BR><BR>
3149	</P>
3150	<P CLASS="western" ALIGN=LEFT>If that command fails immediately and
3151	prints <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">mysqld
3152	ended</SPAN></FONT>, you can find some information in the
3153	<hostname><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">.err</SPAN></FONT>
3154	file in the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">data</SPAN></FONT>
3155	directory.</P>
3156	<H3 CLASS="western"><A NAME="_Ref133893123"></A><A NAME="5.2.9. Securing MySQL Accounts\|outline"></A>
3157	5.2.9 Securing MySQL Accounts</H3>
3158	<P CLASS="western" ALIGN=JUSTIFY>To delete the anonymous accounts:</P>
3159	<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
3160	<COL WIDTH=605>
3161	<TR>
3162	<TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
3163	<P STYLE="margin-bottom: 0cm"><BR>
3164	</P>
3165	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
3166	mysql -u root</FONT></P>
3167	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">mysql>
3168	DELETE FROM mysql.user WHERE User = '';</FONT></P>
3169	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">mysql>
3170	FLUSH PRIVILEGES;</FONT></P>
3171	<P><BR>
3172	</P>
3173	</TD>
3174	</TR>
3175	</TABLE>
3176	<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
3177	</P>
3178	<P CLASS="western" ALIGN=JUSTIFY>Set the password for the root
3179	account:</P>
3180	<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
3181	<COL WIDTH=605>
3182	<TR>
3183	<TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
3184	<P STYLE="margin-bottom: 0cm"><BR>
3185	</P>
3186	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">mysql>
3187	SET PASSWORD FOR 'root'@'localhost' = PASSWORD('newpwd');</FONT></P>
3188	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">mysql>
3189	SET PASSWORD FOR 'root'@'<I>hostname</I>' = PASSWORD('newpwd');</FONT></P>
3190	<P><BR>
3191	</P>
3192	</TD>
3193	</TR>
3194	</TABLE>
3195	<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
3196	</P>
3197	<P CLASS="western" ALIGN=JUSTIFY>The hostname can be checked using
3198	the query:</P>
3199	<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
3200	<COL WIDTH=605>
3201	<TR>
3202	<TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
3203	<P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><BR>mysql>
3204	SELECT Host, User FROM mysql.user;</FONT></P>
3205	</TD>
3206	</TR>
3207	</TABLE>
3208	<P CLASS="western" ALIGN=LEFT><BR><BR>
3209	</P>
3210	<P CLASS="western" ALIGN=LEFT>Add a new account for use with the
3211	Credential Repository database e.g.</P>
3212	<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
3213	<COL WIDTH=605>
3214	<TR>
3215	<TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
3216	<P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><BR>mysql>
3217	GRANT SELECT, UPDATE, INSERT, DELETE ON ndgCredRepos.* TO
3218	'ndgUser'@'localhost' IDENTIFIED BY 'password' WITH GRANT OPTION;</FONT></P>
3219	</TD>
3220	</TR>
3221	</TABLE>
3222	<P CLASS="western" ALIGN=LEFT><BR>The above statement grants the
3223	user, <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndgUser</SPAN></FONT>
3224	with password, <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">password</SPAN></FONT>,
3225	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">select</SPAN></FONT>,
3226	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">update</SPAN></FONT>
3227	and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">insert</SPAN></FONT>
3228	privileges on the tables of database <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndgCredRepos</SPAN></FONT>.
3229	The user may only connect from the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">localhost</SPAN></FONT>.
3230	Hence, in this case the Session Manager and Credential Repository
3231	must be installed on the same machine. To allow the Credential
3232	Repository to run on a separate machine to the Session Manager, the
3233	account must have permission to connect remotely. This can be
3234	achieved by altering the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">GRANT</SPAN></FONT>
3235	statement above to:</P>
3236	<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
3237	<COL WIDTH=605>
3238	<TR>
3239	<TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
3240	<P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><BR>mysql>
3241	GRANT SELECT, UPDATE, INSERT, DELETE ON ndgCredRepos.* TO
3242	'ndgUser'@â%â IDENTIFIED BY 'password' WITH GRANT OPTION;</FONT></P>
3243	</TD>
3244	</TR>
3245	</TABLE>
3246	<P CLASS="western" ALIGN=LEFT><BR><BR>
3247	</P>
3248	<P CLASS="western" ALIGN=LEFT>You also can set up new accounts using
3249	the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">bin/mysql_setpermission</SPAN></FONT>
3250	script if you install the `DBI' and `DBD::mysql' Perl modules.</P>
3251	<P CLASS="western" ALIGN=LEFT>See section 4.4.1 for details about
3252	creation of the Credential Repository database.</P>
3253	<H3 CLASS="western"><A NAME="5.2.10. Server Automated Start up\|outline"></A>
3254	5.2.10 Server Automated Start up</H3>
3255	<P CLASS="western" ALIGN=JUSTIFY><todo: ></P>
3256	<P CLASS="western" ALIGN=LEFT><BR><BR>
3257	</P>
3258	<H2 CLASS="western"><A NAME="5.3. HTTPS set-up with Apache Web Server\|outline"></A>
3259	5.3 HTTPS set-up with Apache Web Server</H2>
3260	<P CLASS="western" ALIGN=JUSTIFY>NDG security requires HTTPS for the
3261	transfer of user credentials across cookie domains between a data
3262	provider web page requesting user credentials and a userâs NDG home
3263	login page.</P>
3264	<P CLASS="western" ALIGN=JUSTIFY><todo: full explanation - incl.
3265	mod_ssl must be installed></P>
3266	<H3 CLASS="western"><A NAME="5.3.1. Web Server Host Certificate Generation\|outline"></A>
3267	5.3.1 Web Server Host Certificate Generation</H3>
3268	<P CLASS="western" ALIGN=JUSTIFY>Generate a new private key and
3269	certificate request.</P>
3270	<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
3271	<COL WIDTH=605>
3272	<TR>
3273	<TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
3274	<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
3275	</P>
3276	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
3277	openssl genrsa âout server.key 2048</FONT></P>
3278	<P STYLE="margin-bottom: 0cm"><A NAME="OLE_LINK1"></A><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
3279	openssl req ânew âkey server.key âout server.csr</FONT></P>
3280	<P><BR>
3281	</P>
3282	</TD>
3283	</TR>
3284	</TABLE>
3285	<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
3286	</P>
3287	<P CLASS="western" ALIGN=JUSTIFY>Send the certificate request to the
3288	relevant CA (NDG if appropriate) for signing.</P>
3289	<H3 CLASS="western"><A NAME="5.3.2.Apache Configuration File Settings\|outline"></A>
3290	5.3.2Apache Configuration File Settings</H3>
3291	<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
3292	</P>
3293	<H2 CLASS="western"><A NAME="_Ref132181551"></A><A NAME="5.4. Apache Web Server Proxy Settings Configuration for Web Services\|outline"></A>
3294	5.4 Apache Web Server Proxy Settings Configuration for Web Services</H2>
3295	<P CLASS="western" ALIGN=JUSTIFY>Apache provides a convenient
3296	mechanism to re-route web service ports through port 80 and so make
3297	them available to the outside world. This may be helpful if when
3298	deploying NDG Security you do not wish to open additional ports in
3299	your site firewall settings.</P>
3300	<P CLASS="western" ALIGN=JUSTIFY>Edit the Apache configuration file.
3301	This should be located at <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/etc/httpd/conf</SPAN></FONT></P>
3302	<P CLASS="western" ALIGN=JUSTIFY>Add <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ProxyPass</SPAN></FONT>
3303	and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ProxyPassReverse</SPAN></FONT>
3304	entries for the Session Manager and Attribute Authority web services.
3305	The first argument after the directive name itself is the directory
3306	that the service will be served from relative to the web server URL.
3307	So below, if the URL of the web server is <FONT COLOR="#0000ff"><U><A HREF="http://www.badc.rl.ac.uk/">http://www.badc.rl.ac.uk</A></U></FONT>,
3308	then the Session Manager would be available at
3309	<FONT COLOR="#0000ff"><U><A HREF="http://www.badc.rl.ac.uk/sessionMgr">https://www.badc.rl.ac.uk/sessionMgr</A></U></FONT>.
3310	The second argument is the actual location where the web service is
3311	running locally. In the example below, the Session Manager is
3312	running on port 5700 on the same machine as the web server.</P>
3313	<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
3314	<COL WIDTH=605>
3315	<TR>
3316	<TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
3317	<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
3318	</P>
3319	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#
3320	Session Manager and Attribute Authority settings</FONT></P>
3321	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">ProxyPass
3322	/sessionMgr https://localhost:5700</FONT></P>
3323	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">ProxyPassReverse
3324	/sessionMgr https://localhost:5700</FONT></P>
3325	<P STYLE="margin-bottom: 0cm"><BR>
3326	</P>
3327	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">ProxyPass
3328	/attAuthority http://localhost:5000</FONT></P>
3329	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">ProxyPassReverse
3330	/attAuthority http://localhost:5000</FONT></P>
3331	<P CLASS="western" ALIGN=LEFT><BR>
3332	</P>
3333	</TD>
3334	</TR>
3335	</TABLE>
3336	<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
3337	</P>
3338	<P CLASS="western" ALIGN=JUSTIFY>Restart the Apache web server. This
3339	can be done in a variety of ways. As root user:</P>
3340	<OL>
3341	<LI><P CLASS="western" ALIGN=LEFT>On Redhat machines, using the
3342	command <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">redhat-config-services</SPAN></FONT>
3343	or <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">system-config-services</SPAN></FONT>
3344	In the GUI, click on httpd in the list and press the Restart button</P>
3345	</OL>
3346	<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
3347	<COL WIDTH=605>
3348	<TR>
3349	<TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
3350	<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
3351	</P>
3352	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
3353	redhat-config-services</FONT></P>
3354	<P CLASS="western" ALIGN=LEFT><BR>
3355	</P>
3356	</TD>
3357	</TR>
3358	</TABLE>
3359	<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
3360	</P>
3361	<OL START=2>
3362	<LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">service
3363	</SPAN></FONT>command</P>
3364	</OL>
3365	<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
3366	<COL WIDTH=605>
3367	<TR>
3368	<TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
3369	<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
3370	</P>
3371	<P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
3372	/sbin/service httpd restart</FONT></P>
3373	<P CLASS="western" ALIGN=LEFT><BR>
3374	</P>
3375	</TD>
3376	</TR>
3377	</TABLE>
3378	<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
3379	</P>
3380	<OL START=3>
3381	<LI><P CLASS="western" ALIGN=JUSTIFY>apache command</P>
3382	</OL>
3383	<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
3384	<COL WIDTH=605>
3385	<TR>
3386	<TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
3387	<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
3388	</P>
3389	<P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
3390	apachectl restart</FONT></P>
3391	<P CLASS="western" ALIGN=LEFT><BR>
3392	</P>
3393	</TD>
3394	</TR>
3395	</TABLE>
3396	<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
3397	</P>
3398	<OL START=4>
3399	<LI><P CLASS="western" ALIGN=JUSTIFY>Using <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB"><FONT SIZE=2 STYLE="font-size: 9pt">kill</FONT></SPAN></FONT></P>
3400	</OL>
3401	<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
3402	<COL WIDTH=605>
3403	<TR>
3404	<TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0">
3405	<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
3406	</P>
3407	<P LANG="sv-SE" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
3408	kill -HUP `cat /etc/httpd/run/httpd.pid`</FONT></P>
3409	<P LANG="sv-SE" CLASS="western" ALIGN=LEFT><BR>
3410	</P>
3411	</TD>
3412	</TR>
3413	</TABLE>
3414	<P LANG="sv-SE" CLASS="western" ALIGN=JUSTIFY STYLE="margin-left: 0.64cm">
3415	<BR><BR>
3416	</P>
3417	<P CLASS="western" ALIGN=JUSTIFY>Note in the last case that the
3418	location of the pid file will depend on your installation.</P>
3419	<P CLASS="western" ALIGN=JUSTIFY>Once the changes have been made,
3420	ensure that <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">sessionMgr.wsdl</SPAN></FONT>
3421	and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">attAuthority.wsdl</SPAN></FONT>
3422	contain the new locations for the web services in the tag
3423	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB"><soap:address
3424	location=ââŠâ></SPAN></FONT>
3425	</P>
3426	<H2 CLASS="western"><A NAME="5.5.An Example Attribute Authority AAUserRoles interface class\|outline"></A>
3427	5.5An Example Attribute Authority AAUserRoles interface class</H2>
3428	<P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">This
3429	interface is required in order to link the Attribute Authority to the
3430	data centreâs system for identifying registered users and managing
3431	their roles. The installation comes with a simple test class which
3432	illustrates this. See ndg.security.server.conf.userRoles.</FONT></P>
3433	<P CLASS="western" ALIGN=JUSTIFY>The class must inherit from the
3434	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">AAUserRoles</SPAN></FONT>
3435	interface class. It must override the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">userIsRegistered</SPAN></FONT>
3436	and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">getRoles</SPAN></FONT>
3437	methods:</P>
3438	<UL>
3439	<LI VALUE=1><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">userIsRegistered()</SPAN></FONT>
3440	â returns True if the user with the given input Distinguished Name
3441	is registered at the site. This method might contain an SQL query
3442	to the siteâs user database for example. This method is <I>optional
3443	</I><SPAN STYLE="font-style: normal">and is not part of the API to
3444	the Attribute Authority.</SPAN></P>
3445	<LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">getRoles()</SPAN></FONT>
3446	â returns a list of roles to which the user with the given input
3447	Distinguished Name is enrolled. Again, this method could be
3448	implemented with an SQL query to retrieve the roles for a given
3449	user. Note, that if not roles are found, the method should return
3450	[].</P>
3451	<LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">__init__()</SPAN></FONT>
3452	â optionally, the initialisation method may be overridden to
3453	enable for example the setting up of a database connection. The
3454	path to a properties file may be passed in. This could contain
3455	database connection settings.</P>
3456	</UL>
3457	<P CLASS="western" ALIGN=JUSTIFY>The custom class used by the BODC is
3458	a more detailed example:</P>
3459	<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0 STYLE="page-break-before: auto">
3460	<COL WIDTH=610>
3461	<TR>
3462	<TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
3463	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>"""NDG
3464	Attribute Authority User Roles class - acts as an interface
3465	between</FONT></FONT></P>
3466	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>the
3467	data centre's user roles configuration and the Attribute Authority</FONT></FONT></P>
3468	<P STYLE="margin-bottom: 0cm; background: transparent"><BR>
3469	</P>
3470	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>BODC
3471	User Roles Interface to Oracle database</FONT></FONT></P>
3472	<P STYLE="margin-bottom: 0cm; background: transparent"><BR>
3473	</P>
3474	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>@author:
3475	P J Kershaw 09/08/07</FONT></FONT></P>
3476	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>@copyright:
3477	(C) 2007 STFC & NERC</FONT></FONT></P>
3478	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>@licence:
3479	This software may be distributed under the terms of the Q Public</FONT></FONT></P>
3480	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>License,
3481	version 1.0 or later.</FONT></FONT></P>
3482	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>"""</FONT></FONT></P>
3483	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#000000">__revision__
3484	= </FONT><I><FONT COLOR="#00aa00">'$Id:$'</FONT></I></FONT></FONT></P>
3485	<P STYLE="margin-bottom: 0cm; background: transparent"><BR>
3486	</P>
3487	<P STYLE="margin-bottom: 0cm; background: transparent"><BR>
3488	</P>
3489	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">from</FONT><FONT COLOR="#000000">
3490	ConfigParser </FONT><FONT COLOR="#0000ff">import</FONT><FONT COLOR="#000000">
3491	SafeConfigParser</FONT></FONT></FONT></P>
3492	<P STYLE="margin-bottom: 0cm; background: transparent"><BR>
3493	</P>
3494	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>#
3495	Use a conditional import here because if the TestUserRoles class
3496	is used,</FONT></FONT></P>
3497	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>#
3498	cx_Oracle is not required</FONT></FONT></P>
3499	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">try</FONT><FONT COLOR="#000000">:</FONT></FONT></FONT></P>
3500	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3501	</FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">import</FONT><FONT COLOR="#000000">
3502	cx_Oracle</FONT></FONT></FONT></P>
3503	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">except</FONT><FONT COLOR="#000000">
3504	ImportError, e:</FONT></FONT></FONT></P>
3505	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3506	</FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">from</FONT><FONT COLOR="#000000">
3507	warnings </FONT><FONT COLOR="#0000ff">import</FONT><FONT COLOR="#000000">
3508	warn</FONT></FONT></FONT></P>
3509	<P STYLE="margin-bottom: 0cm; background: transparent">
3510	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>warn(str(e),
3511	RuntimeWarning)</FONT></FONT></P>
3512	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3513	</FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">pass</FONT></FONT></FONT></P>
3514	<P STYLE="margin-bottom: 0cm; background: transparent"><BR>
3515	</P>
3516	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">from</FONT><FONT COLOR="#000000">
3517	ndg.security.server.AttAuthority </FONT><FONT COLOR="#0000ff">import</FONT><FONT COLOR="#000000">
3518	AAUserRoles, AAUserRolesError</FONT></FONT></FONT></P>
3519	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">from</FONT><FONT COLOR="#000000">
3520	ndg.security.common.X509 </FONT><FONT COLOR="#0000ff">import</FONT><FONT COLOR="#000000">
3521	X500DN</FONT></FONT></FONT></P>
3522	<P STYLE="margin-bottom: 0cm; background: transparent"><BR>
3523	</P>
3524	<P STYLE="margin-bottom: 0cm; background: transparent"><BR>
3525	</P>
3526	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">class</FONT><FONT COLOR="#000000">
3527	<B>TestUserRoles</B>(AAUserRoles):</FONT></FONT></FONT></P>
3528	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3529	</FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><I><FONT COLOR="#00aa00">"""Test
3530	User Roles class dynamic import for Attribute Authority</FONT></I></FONT></FONT></P>
3531	<P STYLE="margin-bottom: 0cm; background: transparent"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>NOT
3532	for use on production system"""</FONT></FONT></P>
3533	<P STYLE="margin-bottom: 0cm; background: transparent"><BR>
3534	</P>
3535	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3536	</FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">def</FONT><FONT COLOR="#000000">
3537	<B>__init__</B>(<I>self</I>, propertiesFilePath=</FONT><FONT COLOR="#0000ff">None</FONT><FONT COLOR="#000000">):</FONT></FONT></FONT></P>
3538	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3539	</FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">pass</FONT></FONT></FONT></P>
3540	<P STYLE="margin-bottom: 0cm; background: transparent"><BR>
3541	</P>
3542	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3543	</FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">def</FONT><FONT COLOR="#000000">
3544	<B>getRoles</B>(<I>self</I>, dn):</FONT></FONT></FONT></P>
3545	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3546	</FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><I><FONT COLOR="#00aa00">"""Test
3547	getRoles returns role attributes regardless of user Id!"""</FONT></I></FONT></FONT></P>
3548	<P STYLE="margin-bottom: 0cm; background: transparent"><BR>
3549	</P>
3550	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3551	</FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0">#
3552	Parse username from DN string</FONT></FONT></FONT></P>
3553	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3554	</FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0">#
3555	TODO: this may be e-mail address for BODC?</FONT></FONT></FONT></P>
3556	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3557	</FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">try</FONT><FONT COLOR="#000000">:</FONT></FONT></FONT></P>
3558	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3559	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>cn
3560	= X500DN(dn)[</FONT><I><FONT COLOR="#00aa00">'CN'</FONT></I><FONT COLOR="#000000">]</FONT></FONT></FONT></P>
3561	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3562	</FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">if</FONT><FONT COLOR="#000000">
3563	len(cn) == </FONT><FONT COLOR="#800000">2</FONT><FONT COLOR="#000000">:</FONT></FONT></FONT></P>
3564	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3565	</FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0">#
3566	Proxy cert has two common names set - assume extra common </FONT></FONT></FONT>
3567	</P>
3568	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3569	</FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0">#
3570	name will be 'proxy' or a number</FONT></FONT></FONT></P>
3571	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3572	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>username=[n
3573	</FONT><FONT COLOR="#0000ff">for</FONT><FONT COLOR="#000000"> n </FONT><FONT COLOR="#0000ff">in</FONT><FONT COLOR="#000000">
3574	cn </FONT><FONT COLOR="#0000ff">if</FONT><FONT COLOR="#000000">
3575	n!=</FONT><I><FONT COLOR="#00aa00">"proxy"</FONT></I><FONT COLOR="#000000">
3576	</FONT><FONT COLOR="#0000ff">and</FONT><FONT COLOR="#000000"> </FONT><FONT COLOR="#0000ff">not</FONT><FONT COLOR="#000000">
3577	n.isdigit()][</FONT><FONT COLOR="#800000">0</FONT><FONT COLOR="#000000">]</FONT></FONT></FONT></P>
3578	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3579	</FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">else</FONT><FONT COLOR="#000000">:</FONT></FONT></FONT></P>
3580	<P STYLE="margin-bottom: 0cm; background: transparent">
3581	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>username
3582	= cn</FONT></FONT></P>
3583	<P STYLE="margin-bottom: 0cm; background: transparent"><BR>
3584	</P>
3585	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3586	</FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">except</FONT><FONT COLOR="#000000">
3587	Exception, e:</FONT></FONT></FONT></P>
3588	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3589	</FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">raise</FONT><FONT COLOR="#000000">
3590	AAUserRolesError, </FONT><I><FONT COLOR="#00aa00">"Parsing
3591	username from DN %s: %s"</FONT></I><FONT COLOR="#000000"> %
3592	(dn,e)</FONT></FONT></FONT></P>
3593	<P STYLE="margin-bottom: 0cm; background: transparent"><BR>
3594	</P>
3595	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3596	</FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">return</FONT><FONT COLOR="#000000">
3597	[</FONT><I><FONT COLOR="#00aa00">'Public'</FONT></I><FONT COLOR="#000000">,
3598	</FONT><I><FONT COLOR="#00aa00">'Researcher'</FONT></I><FONT COLOR="#000000">]</FONT></FONT></FONT></P>
3599	<P STYLE="margin-bottom: 0cm; background: transparent"><BR>
3600	</P>
3601	<P STYLE="margin-bottom: 0cm; background: transparent"><BR>
3602	</P>
3603	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">class</FONT><FONT COLOR="#000000">
3604	<B>UserRoles</B>(AAUserRoles):</FONT></FONT></FONT></P>
3605	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3606	</FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><I><FONT COLOR="#00aa00">"""User
3607	Roles class dynamically imported for Attribute Authority</FONT></I></FONT></FONT></P>
3608	<P STYLE="margin-bottom: 0cm; background: transparent"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>-
3609	see the Attribute Authority Properties file to make the correct</FONT></FONT></P>
3610	<P STYLE="margin-bottom: 0cm; background: transparent">
3611	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>settings"""</FONT></FONT></P>
3612	<P STYLE="margin-bottom: 0cm; background: transparent"><BR>
3613	</P>
3614	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3615	</FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">def</FONT><FONT COLOR="#000000">
3616	<B>__init__</B>(<I>self</I>, propertiesFilePath=</FONT><FONT COLOR="#0000ff">None</FONT><FONT COLOR="#000000">):</FONT></FONT></FONT></P>
3617	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3618	</FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">if</FONT><FONT COLOR="#000000">
3619	</FONT><FONT COLOR="#0000ff">not</FONT><FONT COLOR="#000000">
3620	propertiesFilePath:</FONT></FONT></FONT></P>
3621	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3622	</FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">raise</FONT><FONT COLOR="#000000">
3623	AAUserRolesError, </FONT><I><FONT COLOR="#00aa00">"No user
3624	roles property file set"</FONT></I></FONT></FONT></P>
3625	<P STYLE="margin-bottom: 0cm; background: transparent"><BR>
3626	</P>
3627	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#000000">
3628	</FONT><FONT COLOR="#c0c0c0"># Retrieve database connection and
3629	query settings from config file</FONT></FONT></FONT></P>
3630	<P STYLE="margin-bottom: 0cm; background: transparent">
3631	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>configParser
3632	= SafeConfigParser()</FONT></FONT></P>
3633	<P STYLE="margin-bottom: 0cm; background: transparent">
3634	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>configParser.read(propertiesFilePath)</FONT></FONT></P>
3635	<P STYLE="margin-bottom: 0cm; background: transparent"><BR>
3636	</P>
3637	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3638	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><I>self</I>.__conxnStr
3639	= configParser.get(</FONT><I><FONT COLOR="#00aa00">'Oracle'</FONT></I><FONT COLOR="#000000">,
3640	</FONT><I><FONT COLOR="#00aa00">'connection'</FONT></I><FONT COLOR="#000000">)</FONT></FONT></FONT></P>
3641	<P STYLE="margin-bottom: 0cm; background: transparent"><BR>
3642	</P>
3643	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3644	</FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0">#
3645	The Oracle connection could be made HERE to make getRoles method</FONT></FONT></FONT></P>
3646	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3647	</FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0">#
3648	more efficient but then AA would hog an Oracle connection as long
3649	as</FONT></FONT></FONT></P>
3650	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3651	</FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0">#
3652	it is running. There may be away to avoid this using a connection</FONT></FONT></FONT></P>
3653	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#000000">
3654	</FONT><FONT COLOR="#c0c0c0"># pool</FONT></FONT></FONT></P>
3655	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3656	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><I>self</I>.__query
3657	= configParser.get(</FONT><I><FONT COLOR="#00aa00">'Oracle'</FONT></I><FONT COLOR="#000000">,
3658	</FONT><I><FONT COLOR="#00aa00">'query'</FONT></I><FONT COLOR="#000000">)</FONT></FONT></FONT></P>
3659	<P STYLE="margin-bottom: 0cm; background: transparent"><BR>
3660	</P>
3661	<P STYLE="margin-bottom: 0cm; background: transparent"><BR>
3662	</P>
3663	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3664	</FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">def</FONT><FONT COLOR="#000000">
3665	<B>getRoles</B>(<I>self</I>, dn):</FONT></FONT></FONT></P>
3666	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3667	</FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><I><FONT COLOR="#00aa00">'''Roles
3668	interface for BODC database'''</FONT></I></FONT></FONT></P>
3669	<P STYLE="margin-bottom: 0cm; background: transparent"><BR>
3670	</P>
3671	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3672	</FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0">#
3673	Parse username from DN string</FONT></FONT></FONT></P>
3674	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3675	</FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0">#
3676	TODO: this may be e-mail address for BODC?</FONT></FONT></FONT></P>
3677	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3678	</FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">try</FONT><FONT COLOR="#000000">:</FONT></FONT></FONT></P>
3679	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3680	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>cn
3681	= X500DN(dn)[</FONT><I><FONT COLOR="#00aa00">'CN'</FONT></I><FONT COLOR="#000000">]</FONT></FONT></FONT></P>
3682	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3683	</FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">if</FONT><FONT COLOR="#000000">
3684	len(cn) == </FONT><FONT COLOR="#800000">2</FONT><FONT COLOR="#000000">:</FONT></FONT></FONT></P>
3685	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3686	</FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0">#
3687	Proxy cert has two common names set - assume extra common </FONT></FONT></FONT>
3688	</P>
3689	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3690	</FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0">#
3691	name will be 'prixy' or a number</FONT></FONT></FONT></P>
3692	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3693	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>username=[n
3694	</FONT><FONT COLOR="#0000ff">for</FONT><FONT COLOR="#000000"> n </FONT><FONT COLOR="#0000ff">in</FONT><FONT COLOR="#000000">
3695	cn </FONT><FONT COLOR="#0000ff">if</FONT><FONT COLOR="#000000">
3696	n!=</FONT><I><FONT COLOR="#00aa00">"proxy"</FONT></I><FONT COLOR="#000000">
3697	</FONT><FONT COLOR="#0000ff">and</FONT><FONT COLOR="#000000"> </FONT><FONT COLOR="#0000ff">not</FONT><FONT COLOR="#000000">
3698	n.isdigit()][</FONT><FONT COLOR="#800000">0</FONT><FONT COLOR="#000000">]</FONT></FONT></FONT></P>
3699	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3700	</FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">else</FONT><FONT COLOR="#000000">:</FONT></FONT></FONT></P>
3701	<P STYLE="margin-bottom: 0cm; background: transparent">
3702	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>username
3703	= cn</FONT></FONT></P>
3704	<P STYLE="margin-bottom: 0cm; background: transparent"><BR>
3705	</P>
3706	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3707	</FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">except</FONT><FONT COLOR="#000000">
3708	Exception, e:</FONT></FONT></FONT></P>
3709	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3710	</FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">raise</FONT><FONT COLOR="#000000">
3711	AAUserRolesError, </FONT><I><FONT COLOR="#00aa00">"Parsing
3712	username from DN %s: %s"</FONT></I><FONT COLOR="#000000"> %
3713	(dn,e)</FONT></FONT></FONT></P>
3714	<P STYLE="margin-bottom: 0cm; background: transparent"><BR>
3715	</P>
3716	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3717	</FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0">#
3718	It may be possible to use a connection pool and move this</FONT></FONT></FONT></P>
3719	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3720	</FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0">#
3721	connect call to __init__ see:</FONT></FONT></FONT></P>
3722	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3723	</FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0">#</FONT></FONT></FONT></P>
3724	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3725	</FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0">#
3726	http://www.python.net/crew/atuining/cx_Oracle/html/module.html</FONT></FONT></FONT></P>
3727	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3728	</FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0">#</FONT></FONT></FONT></P>
3729	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3730	</FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">try</FONT><FONT COLOR="#000000">:</FONT></FONT></FONT></P>
3731	<P STYLE="margin-bottom: 0cm; background: transparent">
3732	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>con
3733	= cx_Oracle.connect(<I>self</I>.__conxnStr)</FONT></FONT></P>
3734	<P STYLE="margin-bottom: 0cm; background: transparent">
3735	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>cursor
3736	= con.cursor()</FONT></FONT></P>
3737	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3738	</FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">except</FONT><FONT COLOR="#000000">
3739	Exception, e:</FONT></FONT></FONT></P>
3740	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3741	</FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">raise</FONT><FONT COLOR="#000000">
3742	AAUserRolesError, </FONT><I><FONT COLOR="#00aa00">"Error
3743	connecting to Oracle database: "</FONT></I><FONT COLOR="#000000">
3744	+\</FONT></FONT></FONT></P>
3745	<P STYLE="margin-bottom: 0cm; background: transparent"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>
3746	str(e)</FONT></FONT></P>
3747	<P STYLE="margin-bottom: 0cm; background: transparent">
3748	</P>
3749	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3750	</FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0">#
3751	Substitute the username into the query - the query is expected to </FONT></FONT></FONT>
3752	</P>
3753	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3754	</FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0">#
3755	have a "%s" to allow this</FONT></FONT></FONT></P>
3756	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3757	</FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0">#</FONT></FONT></FONT></P>
3758	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3759	</FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0">#
3760	Convert username to string type explicitly as the execute method </FONT></FONT></FONT>
3761	</P>
3762	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3763	</FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0">#
3764	doesn't like unicode type</FONT></FONT></FONT></P>
3765	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3766	</FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">try</FONT><FONT COLOR="#000000">:</FONT></FONT></FONT></P>
3767	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3768	</FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">try</FONT><FONT COLOR="#000000">:</FONT></FONT></FONT></P>
3769	<P STYLE="margin-bottom: 0cm; background: transparent">
3770	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>query
3771	= <I>self</I>.__query % str(username)</FONT></FONT></P>
3772	<P STYLE="margin-bottom: 0cm; background: transparent">
3773	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>cursor.execute(query)</FONT></FONT></P>
3774	<P STYLE="margin-bottom: 0cm; background: transparent">
3775	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>result
3776	= cursor.fetchall()</FONT></FONT></P>
3777	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3778	</FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">except</FONT><FONT COLOR="#000000">
3779	Exception, e:</FONT></FONT></FONT></P>
3780	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3781	</FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">raise</FONT><FONT COLOR="#000000">
3782	AAUserRolesError, </FONT><I><FONT COLOR="#00aa00">"Error
3783	executing query: "</FONT></I><FONT COLOR="#000000"> + str(e)</FONT></FONT></FONT></P>
3784	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3785	</FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">finally</FONT><FONT COLOR="#000000">:</FONT></FONT></FONT></P>
3786	<P STYLE="margin-bottom: 0cm; background: transparent">
3787	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2> cursor.close()</FONT></FONT></P>
3788	<P STYLE="margin-bottom: 0cm; background: transparent">
3789	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2> con.close()</FONT></FONT></P>
3790	<P STYLE="margin-bottom: 0cm; background: transparent">
3791	</P>
3792	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3793	</FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0">#
3794	Result is a list of tuples. The first element of each tuple is a</FONT></FONT></FONT></P>
3795	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3796	</FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0">#
3797	role name -> Convert into a simple list of role names</FONT></FONT></FONT></P>
3798	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3799	</FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">try</FONT><FONT COLOR="#000000">:</FONT></FONT></FONT></P>
3800	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3801	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>roleNames
3802	= [role[</FONT><FONT COLOR="#800000">0</FONT><FONT COLOR="#000000">]
3803	</FONT><FONT COLOR="#0000ff">for</FONT><FONT COLOR="#000000"> role
3804	</FONT><FONT COLOR="#0000ff">in</FONT><FONT COLOR="#000000">
3805	result]</FONT></FONT></FONT></P>
3806	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3807	</FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">except</FONT><FONT COLOR="#000000">
3808	TypeError:</FONT></FONT></FONT></P>
3809	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3810	</FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0">#
3811	Catch non-iterable error with result var</FONT></FONT></FONT></P>
3812	<P STYLE="margin-bottom: 0cm; background: transparent">
3813	<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>roleNames
3814	= []</FONT></FONT></P>
3815	<P STYLE="margin-bottom: 0cm; background: transparent">
3816	</P>
3817	<P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000">
3818	</FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT FACE="Monospace"><FONT COLOR="#0000ff">return</FONT><FONT COLOR="#000000">
3819	roleNames</FONT></FONT></FONT></FONT></P>
3820	<P STYLE="background: transparent"><BR>
3821	</P>
3822	</TD>
3823	</TR>
3824	</TABLE>
3825	<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
3826	</P>
3827	<P CLASS="western" ALIGN=JUSTIFY>Note:</P>
3828	<UL>
3829	<LI><P CLASS="western" ALIGN=JUSTIFY>It uses the Python library
3830	cx_<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Oracle</SPAN></FONT>
3831	to connect to an Oracle database.</P>
3832	<LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ElementTree</SPAN></FONT>
3833	Python library is used to parse an XML properties file.</P>
3834	<LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndg.security.common.X509</SPAN></FONT>
3835	security python library is used to parse the user Distinguished Name
3836	passed into <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">getRoles</SPAN></FONT>
3837	and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">userIsRegistered</SPAN></FONT>
3838	methods.</P>
3839	<LI><P CLASS="western" ALIGN=JUSTIFY>Database connection and query
3840	settings are taken from a config file:</P>
3841	</UL>
3842	<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0 STYLE="page-break-before: auto">
3843	<COL WIDTH=610>
3844	<TR>
3845	<TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
3846	<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><FONT COLOR="#3f7f5f"><FONT FACE="Monospace"><FONT SIZE=2>#</FONT></FONT></FONT></P>
3847	<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><FONT COLOR="#3f7f5f"><FONT FACE="Monospace"><FONT SIZE=2>#
3848	BODC Attribute Authority - Oracle interface settings</FONT></FONT></FONT></P>
3849	<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><FONT COLOR="#3f7f5f"><FONT FACE="Monospace"><FONT SIZE=2>#</FONT></FONT></FONT></P>
3850	<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><FONT COLOR="#3f7f5f"><FONT FACE="Monospace"><FONT SIZE=2>#
3851	P J Kershaw 09/08/07</FONT></FONT></FONT></P>
3852	<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><FONT COLOR="#3f7f5f"><FONT FACE="Monospace"><FONT SIZE=2>#</FONT></FONT></FONT></P>
3853	<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><FONT FACE="Monospace"><FONT SIZE=2>[Oracle]</FONT></FONT></P>
3854	<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><FONT COLOR="#3f7f5f"><FONT FACE="Monospace"><FONT SIZE=2>#
3855	Database connection string</FONT></FONT></FONT></P>
3856	<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><FONT FACE="Monospace"><FONT SIZE=2><FONT COLOR="#000000">connection
3857	= </FONT><FONT COLOR="#2a00ff">user/password@dsn</FONT></FONT></FONT></P>
3858	<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><FONT COLOR="#3f7f5f"><FONT FACE="Monospace"><FONT SIZE=2>#
3859	Query string "%%s" will be substituted by the username
3860	specified by the code</FONT></FONT></FONT></P>
3861	<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm; background: transparent">
3862	<FONT FACE="Monospace"><FONT SIZE=2><FONT COLOR="#000000">query =
3863	</FONT><FONT COLOR="#2a00ff">select</FONT><FONT COLOR="#000000">
3864	</FONT><FONT COLOR="#2a00ff">something</FONT><FONT COLOR="#000000">
3865	</FONT><FONT COLOR="#2a00ff">from</FONT><FONT COLOR="#000000">
3866	</FONT><FONT COLOR="#2a00ff">atable</FONT><FONT COLOR="#000000">
3867	</FONT><FONT COLOR="#2a00ff">where</FONT><FONT COLOR="#000000">
3868	</FONT><FONT COLOR="#2a00ff">username</FONT><FONT COLOR="#000000">
3869	</FONT><FONT COLOR="#2a00ff">=</FONT><FONT COLOR="#000000"> </FONT><FONT COLOR="#2a00ff">'%%s'</FONT></FONT></FONT></P>
3870	<P CLASS="western" ALIGN=LEFT STYLE="background: transparent"><BR>
3871	</P>
3872	</TD>
3873	</TR>
3874	</TABLE>
3875	<P CLASS="western" ALIGN=LEFT&