Changeset 3171 for TI12-security


Timestamp:
21/12/07 14:16:10 (12 years ago)
Author:
pjkersha
Message:

Installation Guide updated to include instructions for MyProxy config with SimpleCA and PAM callout.

Location:
TI12-security/trunk/documentation/InstallationGuide
Files:
2 edited

  • TI12-security/trunk/documentation/InstallationGuide/html/NDGSecurityInstallationGuide.html

    r2942 r3171  
    77        <META NAME="AUTHOR" CONTENT="P J Kershaw"> 
    88        <META NAME="CREATED" CONTENT="20071010;9350000"> 
    9         <META NAME="CHANGED" CONTENT="20071010;15023700"> 
     9        <META NAME="CHANGED" CONTENT="20071221;14112900"> 
    1010        <STYLE TYPE="text/css"> 
    1111        <!-- 
    12                 @page { size: 21cm 29.7cm; margin-right: 2.29cm; margin-top: 1.27cm; margin-bottom: 1.27cm } 
     12                @page { size: 21cm 29.7cm; margin-left: 2.54cm; margin-right: 2.29cm; margin-top: 1.27cm; margin-bottom: 1.27cm } 
    1313                @page:first { margin-top: 1.27cm; margin-bottom: 2.54cm } 
    1414                P { margin-bottom: 0.42cm; direction: ltr; color: #000000; text-align: left; widows: 2; orphans: 2 } 
     
    2828                H3.cjk { font-family: "Times New Roman", "Times", serif; font-size: 10pt; font-style: italic } 
    2929                H3.ctl { font-family: "Times New Roman", "Times", serif; font-size: 10pt; so-language: ar-SA; font-weight: medium } 
    30                 H4 { margin-top: 0cm; margin-bottom: 0.42cm; direction: ltr; color: #000000; text-align: justify; widows: 2; orphans: 2 } 
     30                H4 { margin-top: 0cm; margin-bottom: 0cm; direction: ltr; color: #000000; text-align: justify; widows: 2; orphans: 2 } 
    3131                H4.western { font-family: "Helvetica", sans-serif; font-size: 10pt; so-language: en-GB; font-style: italic; font-weight: medium } 
    3232                H4.cjk { font-family: "Times New Roman", "Times", serif; font-size: 10pt; font-style: italic; font-weight: medium } 
     
    5050        Grid Security</B></FONT></P> 
    5151        <P ALIGN=RIGHT><FONT SIZE=6><B>Installation Guide</B></FONT></P> 
    52         <P ALIGN=RIGHT><FONT SIZE=3><B>Version 0.8</B></FONT></P> 
     52        <P ALIGN=RIGHT><FONT SIZE=3><B>Version 0.9</B></FONT></P> 
    5353</SPAN><BR><BR> 
    5454</P> 
     
    177177                </TD> 
    178178        </TR> 
     179        <TR VALIGN=TOP> 
     180                <TD WIDTH=194> 
     181                        <P ALIGN=JUSTIFY>0.9</P> 
     182                </TD> 
     183                <TD WIDTH=195> 
     184                        <P CLASS="western" ALIGN=JUSTIFY>11//10/07</P> 
     185                </TD> 
     186                <TD WIDTH=195> 
     187                        <UL> 
     188                                <LI VALUE=1><P CLASS="western" ALIGN=LEFT>Use of MyProxy with a 
     189                                SimpleCA and PAM callout for authentication</P> 
     190                                <LI><P CLASS="western" ALIGN=LEFT>details for certificate 
     191                                requests for Session Manager and Attribute Authority</P> 
     192                        </UL> 
     193                </TD> 
     194        </TR> 
    179195</TABLE> 
    180196<P ALIGN=LEFT STYLE="page-break-before: always"><FONT SIZE=4 STYLE="font-size: 16pt"><B>Contents</B></FONT></P> 
    181197<DIV ID="Table of Contents1" DIR="LTR"> 
    182         <P ALIGN=JUSTIFY><A HREF="#1. References|outline">1.  References        5</A></P> 
    183         <P ALIGN=JUSTIFY><A HREF="#2.Introduction|outline">2. Introduction      5</A></P> 
     198        <P ALIGN=JUSTIFY><A HREF="#1. References|outline">1.  References        6</A></P> 
     199        <P ALIGN=JUSTIFY><A HREF="#2.Introduction|outline">2. Introduction      7</A></P> 
    184200        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#2.1.Pre-requisites |outline">2.1 
    185         Pre-requisites  5</A></P> 
     201        Pre-requisites  7</A></P> 
    186202        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#2.2.Deployment Model|outline">2.2 
    187         Deployment Model        5</A></P> 
     203        Deployment Model        7</A></P> 
    188204        <P ALIGN=JUSTIFY><A HREF="#3.Software Installation Components|outline">3. 
    189         Software Installation Components        8</A></P> 
    190         <P ALIGN=JUSTIFY><A HREF="#4.Installation|outline">4. Installation      9</A></P> 
    191         <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.1.Python Packages|outline">4.1 
    192         Python Packages 9</A></P> 
    193         <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.1.1.distutils|outline">4.1.1 
    194         distutils       9</A></P> 
    195         <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.1.2.NDG Security Packages|outline">4.1.2 
    196         NDG Security Packages   9</A></P> 
    197         <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.2.NDG Web Services Configuration|outline">4.2 
    198         NDG Web Services Configuration  10</A></P> 
    199         <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.2.1.NDG Security System Configuration Files|outline">4.2.1 
    200         NDG Security System Configuration Files 10</A></P> 
    201         <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.2.2.Certificate Generation|outline">4.2.2 
    202         Certificate Generation  11</A></P> 
    203         <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.3.Session Manager Configuration|outline">4.3 
    204         Session Manager Configuration   12</A></P> 
    205         <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.3.1.Session Manager Credential Repository|outline">4.3.1 
    206         Session Manager Credential Repository   12</A></P> 
    207         <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.3.2.Session Manager Properties File Settings|outline">4.3.2 
    208         Session Manager Properties File Settings        12</A></P> 
    209         <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.3.3.SysV-style Boot Script|outline">4.3.3 
    210         SysV-style Boot Script  15</A></P> 
    211         <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.4.Attribute Authority Configuration|outline">4.4 
    212         Attribute Authority Configuration       16</A></P> 
    213         <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.4.1.Attribute Authority Properties File Settings|outline">4.4.1 
    214         Attribute Authority Properties File Settings    16</A></P> 
    215         <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.4.2.User Roles Interface|outline">4.4.2 
    216         User Roles Interface    17</A></P> 
    217         <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.4.3.Role Mapping|outline">4.4.3 
    218         Role Mapping    18</A></P> 
    219         <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.4.4.Twisted Python server .tac file|outline">4.4.4 
    220         Twisted Python server .tac file 19</A></P> 
    221         <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.4.5.SysV-style Boot Script|outline">4.4.5 
    222         SysV-style Boot Script  19</A></P> 
    223         <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.5.Python Unit Tests|outline">4.5 
    224         Python Unit Tests       20</A></P> 
    225         <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.6.Globus MyProxy|outline">4.6 
    226         Globus MyProxy  20</A></P> 
    227         <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.6.1.MyProxy and NDG Security Background|outline">4.6.1 
    228         MyProxy and NDG Security Background     20</A></P> 
    229         <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.6.2.MyProxy user account and the repository location considerations|outline">4.6.2 
    230         MyProxy user account and the repository location considerations 20</A></P> 
    231         <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.6.3.Build Process|outline">4.6.3 
    232         Build Process   21</A></P> 
    233         <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.6.4.NDG SimpleCA Client Package |outline">4.6.4 
    234         NDG SimpleCA Client Package     22</A></P> 
    235         <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.6.5.Host Certificate Creation|outline">4.6.5 
    236         Host Certificate Creation       24</A></P> 
    237         <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.6.6.MyProxy Configuration File|outline">4.6.6 
    238         MyProxy Configuration File      24</A></P> 
    239         <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.6.7.Repository Directory|outline">4.6.7 
    240         Repository Directory    25</A></P> 
    241         <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.6.8.Adding MyProxy Server to the system start up|outline">4.6.8 
    242         Adding MyProxy Server to the system start up    25</A></P> 
    243         <P ALIGN=JUSTIFY><A HREF="#5.Appendices|outline">5. Appendices  27</A></P> 
    244         <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#5.1.MySQL Installation|outline">5.1 
    245         MySQL Installation      27</A></P> 
    246         <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.1.1.Version|outline">5.1.1 
    247         Version 27</A></P> 
    248         <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.1.2.Getting the Binaries|outline">5.1.2 
    249         Getting the Binaries    27</A></P> 
    250         <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.1.3.New mysql User Account|outline">5.1.3 
    251         New mysql User Account  27</A></P> 
    252         <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.1.4.Unpacking the tarball|outline">5.1.4 
    253         Unpacking the tarball   27</A></P> 
    254         <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.1.5.Configuration File|outline">5.1.5 
    255         Configuration File      28</A></P> 
    256         <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.1.6.Create the Grant Tables|outline">5.1.6 
    257         Create the Grant Tables 28</A></P> 
    258         <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.1.7.File and Directory Permissions|outline">5.1.7 
    259         File and Directory Permissions  29</A></P> 
    260         <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.1.8.Starting the Server|outline">5.1.8 
    261         Starting the Server     29</A></P> 
    262         <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.1.9.Securing MySQL Accounts|outline">5.1.9 
    263         Securing MySQL Accounts 29</A></P> 
    264         <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.1.10.Server Automated Start up|outline">5.1.10 
    265         Server Automated Start up       30</A></P> 
    266         <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#5.2.HTTPS set-up with Apache Web Server|outline">5.2 
    267         HTTPS set-up with Apache Web Server     30</A></P> 
    268         <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.1.Web Server Host Certificate Generation|outline">5.2.1 
    269         Web Server Host Certificate Generation  30</A></P> 
    270         <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.2.Apache Configuration File Settings|outline">5.2.2 
    271         Apache Configuration File Settings      30</A></P> 
    272         <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#5.3.Apache Web Server Proxy Settings Configuration for Web Services|outline">5.3 
    273         Apache Web Server Proxy Settings Configuration for Web Services 31</A></P> 
    274         <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#5.4.An Example Attribute Authority AAUserRoles interface class|outline">5.4 
    275         An Example Attribute Authority AAUserRoles interface class      32</A></P> 
    276         <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#5.5.Troubleshooting|outline">5.5 
    277         Troubleshooting 35</A></P> 
    278         <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.5.1.M2Crypto SWIG Build Error|outline">5.5.1 
    279         M2Crypto SWIG Build Error       35</A></P> 
    280         <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.5.2.PyXML|outline">5.5.2 
    281         PyXML   36</A></P> 
    282         <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.5.3.4Suite-XML Build error|outline">5.5.3 
    283         4Suite-XML Build error  36</A></P> 
     205        Software Installation Components        9</A></P> 
     206        <P ALIGN=JUSTIFY><A HREF="#4.Installation|outline">4. 
     207        Installation    10</A></P> 
     208        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.1.Dependencies|outline">4.1 
     209        Dependencies    10</A></P> 
     210        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.1.1.OpenSSL|outline">4.1.1 
     211        OpenSSL 10</A></P> 
     212        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.1.2.SWIG|outline">4.1.2 
     213        SWIG    10</A></P> 
     214        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.2.Python Packages|outline">4.2 
     215        Python Packages 10</A></P> 
     216        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.2.1.setuptools|outline">4.2.1 
     217        setuptools      10</A></P> 
     218        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.2.2.NDG Security Packages|outline">4.2.2 
     219        NDG Security Packages   11</A></P> 
     220        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.3.NDG Web Services Configuration|outline">4.3 
     221        NDG Web Services Configuration  11</A></P> 
     222        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.3.1.NDG Security System Configuration Files|outline">4.3.1 
     223        NDG Security System Configuration Files 11</A></P> 
     224        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.3.2. Certificate Generation|outline">4.3.2 
     225         Certificate Generation 12</A></P> 
     226        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.4.Session Manager Configuration|outline">4.4 
     227        Session Manager Configuration   14</A></P> 
     228        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.4.1.Session Manager Credential Repository|outline">4.4.1 
     229        Session Manager Credential Repository   14</A></P> 
     230        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.4.2.Session Manager Properties File Settings|outline">4.4.2 
     231        Session Manager Properties File Settings        14</A></P> 
     232        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.4.3.SysV-style Boot Script|outline">4.4.3 
     233        SysV-style Boot Script  18</A></P> 
     234        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.5.Attribute Authority Configuration|outline">4.5 
     235        Attribute Authority Configuration       18</A></P> 
     236        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.5.1.Attribute Authority Properties File Settings|outline">4.5.1 
     237        Attribute Authority Properties File Settings    18</A></P> 
     238        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.5.2.User Roles Interface|outline">4.5.2 
     239        User Roles Interface    20</A></P> 
     240        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.5.3.Role Mapping|outline">4.5.3 
     241        Role Mapping    20</A></P> 
     242        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.5.4.Twisted Python server .tac file|outline">4.5.4 
     243        Twisted Python server .tac file 21</A></P> 
     244        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.5.5.SysV-style Boot Script|outline">4.5.5 
     245        SysV-style Boot Script  22</A></P> 
     246        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.6.Python Unit Tests|outline">4.6 
     247        Python Unit Tests       22</A></P> 
     248        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.7. MyProxy|outline">4.7 
     249         MyProxy        22</A></P> 
     250        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.7.1. MyProxy and NDG Security Background|outline">4.7.1 
     251         MyProxy and NDG Security Background    22</A></P> 
     252        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.7.2. MyProxy user account and the repository location considerations|outline">4.7.2 
     253         MyProxy user account and the repository location considerations        23</A></P> 
     254        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.7.3. Installation|outline">4.7.3 
     255         Installation   23</A></P> 
     256        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.7.4. SimpleCA Installation|outline">4.7.4 
     257         SimpleCA Installation  24</A></P> 
     258        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.7.5. Host Certificate Creation|outline">4.7.5 
     259         Host Certificate Creation      27</A></P> 
     260        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.7.6. MyProxy Configuration File|outline">4.7.6 
     261         MyProxy Configuration File     27</A></P> 
     262        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.7.7. MyProxy SimpleCA Configuration|outline">4.7.7 
     263         MyProxy SimpleCA Configuration 28</A></P> 
     264        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.7.8. MyProxy PAM Configuration|outline">4.7.8 
     265         MyProxy PAM Configuration      29</A></P> 
     266        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.7.9. Testing MyProxy|outline">4.7.9 
     267         Testing MyProxy        30</A></P> 
     268        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.7.10. Adding MyProxy Server to the system start up|outline">4.7.10 
     269         Adding MyProxy Server to the system start up   33</A></P> 
     270        <P ALIGN=JUSTIFY><A HREF="#5.Appendices|outline">5. Appendices  35</A></P> 
     271        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#5.1. Postgres PAM for MyProxy|outline">5.1 
     272         Postgres PAM for MyProxy       35</A></P> 
     273        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.1.1. Configuration|outline">5.1.1 
     274         Configuration  35</A></P> 
     275        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#5.2. MySQL Installation|outline">5.2 
     276         MySQL Installation     36</A></P> 
     277        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.1.Version|outline">5.2.1 
     278        Version 36</A></P> 
     279        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.2. Getting the Binaries|outline">5.2.2 
     280         Getting the Binaries   36</A></P> 
     281        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.3. New mysql User Account|outline">5.2.3 
     282         New mysql User Account 36</A></P> 
     283        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.4. Unpacking the tarball|outline">5.2.4 
     284         Unpacking the tarball  36</A></P> 
     285        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.5. Configuration File|outline">5.2.5 
     286         Configuration File     37</A></P> 
     287        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.6. Create the Grant Tables|outline">5.2.6 
     288         Create the Grant Tables        37</A></P> 
     289        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.7. File and Directory Permissions|outline">5.2.7 
     290         File and Directory Permissions 38</A></P> 
     291        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.8. Starting the Server|outline">5.2.8 
     292         Starting the Server    38</A></P> 
     293        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.9. Securing MySQL Accounts|outline">5.2.9 
     294         Securing MySQL Accounts        38</A></P> 
     295        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.10. Server Automated Start up|outline">5.2.10 
     296         Server Automated Start up      39</A></P> 
     297        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#5.3. HTTPS set-up with Apache Web Server|outline">5.3 
     298         HTTPS set-up with Apache Web Server    39</A></P> 
     299        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.3.1. Web Server Host Certificate Generation|outline">5.3.1 
     300         Web Server Host Certificate Generation 39</A></P> 
     301        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.3.2.Apache Configuration File Settings|outline">5.3.2 
     302        Apache Configuration File Settings      40</A></P> 
     303        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#5.4. Apache Web Server Proxy Settings Configuration for Web Services|outline">5.4 
     304         Apache Web Server Proxy Settings Configuration for Web Services        40</A></P> 
     305        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#5.5.An Example Attribute Authority AAUserRoles interface class|outline">5.5 
     306        An Example Attribute Authority AAUserRoles interface class      41</A></P> 
     307        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#5.6.Troubleshooting|outline">5.6 
     308        Troubleshooting 44</A></P> 
     309        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.6.1.M2Crypto |outline">5.6.1 
     310        M2Crypto        44</A></P> 
     311        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.6.2. PyXML|outline">5.6.2 
     312         PyXML  45</A></P> 
     313        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.6.3. 4Suite-XML Build error|outline">5.6.3 
     314         4Suite-XML Build error 45</A></P> 
    284315</DIV> 
    285316<H1 CLASS="western"><A NAME="1. References|outline"></A>1. References</H1> 
     
    287318        <LI><P CLASS="western" ALIGN=JUSTIFY><FONT COLOR="#0000ff"><U><A HREF="http://grid.ncsa.uiuc.edu/myproxy/"><SPAN LANG="fi-FI">http://grid.ncsa.uiuc.edu/myproxy/</SPAN></A></U></FONT><SPAN LANG="fi-FI"> 
    288319        - NCSA MyProxy site</SPAN></P> 
    289         <LI><P CLASS="western" ALIGN=JUSTIFY><FONT COLOR="#0000ff"><U><A HREF="http://grid.ncsa.uiuc.edu/myproxy/fromscratch.html"><SPAN LANG="fr-FR">http://grid.ncsa.uiuc.edu/myproxy/fromscratch.html</SPAN></A></U></FONT><SPAN LANG="fr-FR"> 
    290         - NCSA MyProxy installation instructions</SPAN></P> 
     320        <LI><P LANG="fr-FR" CLASS="western" ALIGN=JUSTIFY><A HREF="http://grid.ncsa.uiuc.edu/myproxy/ca/">http://grid.ncsa.uiuc.edu/myproxy/ca/</A> 
     321        - MyProxy Certificate Authority</P> 
     322        <LI><P LANG="fr-FR" CLASS="western" ALIGN=JUSTIFY><A HREF="http://grid.ncsa.uiuc.edu/myproxy/pam.html">http://grid.ncsa.uiuc.edu/myproxy/pam.html</A> 
     323        – MyProxy PAM Support</P> 
    291324        <LI><P CLASS="western" ALIGN=JUSTIFY><FONT COLOR="#0000ff"><U><A HREF="http://www-unix.globus.org/toolkit/docs/4.0/security/">http://www-unix.globus.org/toolkit/docs/4.0/security/</A></U></FONT> 
    292325        - Globus 4.0 and Security</P> 
     
    330363        CredentialRepository only]</P> 
    331364        <LI><P CLASS="western" ALIGN=JUSTIFY>Python 2.4 or later</P> 
    332         <LI><P CLASS="western" ALIGN=JUSTIFY>Python distutils utility</P> 
     365        <LI><P CLASS="western" ALIGN=JUSTIFY>Python setuptools utility</P> 
    333366        <LI><P CLASS="western" ALIGN=JUSTIFY>OpenSSL is required at version 
    334367        0.9.8 or greater</P> 
     368        <LI><P CLASS="western" ALIGN=JUSTIFY>SWIG 1.3.24 or later (for 
     369        M2Crypto Python OpenSSL wrapper)</P> 
    335370</UL> 
    336371<P CLASS="western" ALIGN=JUSTIFY STYLE="margin-left: 0.64cm">Also 
     
    371406the particular installation required:</P> 
    372407<UL> 
    373         <LI><P CLASS="western" ALIGN=LEFT>ndg_security_server – components 
    374         required to run services</P> 
     408        <LI VALUE=1><P CLASS="western" ALIGN=LEFT>ndg_security_server – 
     409        components required to run services</P> 
    375410        <LI><P CLASS="western" ALIGN=LEFT>ndg_security_common – components 
    376411        required by both server and common eggs</P> 
     
    394429are required:</P> 
    395430<UL> 
    396         <LI><P CLASS="western" ALIGN=JUSTIFY>Globus MyProxy 4.0.1 (or later) 
    397         – source installer tar ball  may be downloaded from the Globus 
    398         site (<FONT COLOR="#0000ff"><U><A HREF="http://www.globus.org/toolkit/downloads/4.0.1/">http://www.globus.org/toolkit/downloads/4.0.1/</A></U></FONT>)</P> 
    399         <LI><P CLASS="western" ALIGN=JUSTIFY>NDG SimpleCA client package tar 
    400         ball – configures target machine to trust the NDG CA.</P> 
     431        <LI VALUE=1><P CLASS="western" ALIGN=JUSTIFY>Globus MyProxy 4.0.5 
     432        (or later) – source installer tar ball  may be downloaded from the 
     433        Globus site (<FONT COLOR="#0000ff"><U><A HREF="http://www.globus.org/toolkit/downloads/4.0.1/">http://www.globus.org/toolkit/downloads/4.0.1/</A></U></FONT>)</P> 
     434        <LI><P CLASS="western" ALIGN=JUSTIFY>Globus SimpleCA to enable the 
     435        MyProxy Certificate Authority.</P> 
    401436</UL> 
    402437<P CLASS="western" ALIGN=JUSTIFY STYLE="margin-left: 0.64cm">These 
     
    407442wish to install MyProxy on a separate secure server to the other 
    408443Python based security services.</P> 
    409 <H2 CLASS="western"><A NAME="4.1.Python Packages|outline"></A>4.1Python 
    410 Packages</H2> 
     444<H2 CLASS="western"><A NAME="4.1.Dependencies|outline"></A>4.1Dependencies</H2> 
     445<H3 CLASS="western"><A NAME="4.1.1.OpenSSL|outline"></A>4.1.1 OpenSSL</H3> 
     446<P CLASS="western" ALIGN=JUSTIFY>Before proceeding with the 
     447installation check that an up to date version of OpenSSL is 
     448installed:</P> 
     449<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
     450        <COL WIDTH=596> 
     451        <TR> 
     452                <TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6"> 
     453                        <P LANG="da-DK" STYLE="margin-bottom: 0cm"><BR> 
     454                        </P> 
     455                        <P LANG="da-DK"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
     456                        openssl version</FONT></P> 
     457                </TD> 
     458        </TR> 
     459</TABLE> 
     460<P CLASS="western" ALIGN=JUSTIFY><BR><BR> 
     461</P> 
     462<P CLASS="western" ALIGN=JUSTIFY>0.9.8 or greater is required.  
     463Should you need to upgrade, OpenSSL is available from 
     464<A HREF="http://www.openssl.org/source/">http://www.openssl.org/source/</A>. 
     465 Once downloaded, unpack the tarball and follow the installation 
     466intstructions.</P> 
     467<H3 CLASS="western"><A NAME="4.1.2.SWIG|outline"></A>4.1.2 SWIG</H3> 
     468<P CLASS="western">SWIG is a tool to help with bindings from C/C++ to 
     469interpreted languages such as Python.  The Python OpenSSL wrapper 
     470M2Crypto uses it and version 1.3.24 or later is required.  Downloads 
     471are available from, <A HREF="http://www.swig.org/">http://www.swig.org</A>.</P> 
     472<H2 CLASS="western"><A NAME="4.2.Python Packages|outline"></A>4.2 
     473Python Packages</H2> 
    411474<P CLASS="western" ALIGN=JUSTIFY>Log in to the target host as <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">root</SPAN></FONT>. 
    412475 Change to a suitable directory to hold temporary installation files. 
    413476  
    414477</P> 
    415 <H3 CLASS="western"><A NAME="4.1.1.distutils|outline"></A>4.1.1distutils</H3> 
     478<H3 CLASS="western"><A NAME="4.2.1.setuptools|outline"></A>4.2.1 
     479setuptools</H3> 
    416480<P CLASS="western" ALIGN=JUSTIFY>The first step is to install Python 
    417 distutils, the package that enables the use of Python eggs.  Download 
    418 the distutils bootstrap script:</P> 
     481setuptools, the package that enables the use of Python eggs.  
     482Download the setuptools bootstrap script:</P> 
    419483<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
    420484        <COL WIDTH=596> 
     
    423487                        <P LANG="da-DK" STYLE="margin-bottom: 0cm"><BR> 
    424488                        </P> 
    425                         <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="da-DK">$ 
    426                         wget http://peak.telecommunity.com/dist/ez_setup.py</SPAN></FONT></P> 
     489                        <P LANG="da-DK"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
     490                        wget http://peak.telecommunity.com/dist/ez_setup.py</FONT></P> 
    427491                </TD> 
    428492        </TR> 
     
    459523        </TR> 
    460524</TABLE> 
    461 <H3 CLASS="western"></H3> 
    462 <P CLASS="western" ALIGN=JUSTIFY>Once completed, you can delete 
    463 <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ez_setup.py</SPAN></FONT>.</P> 
    464 <H3 CLASS="western"><A NAME="4.1.2.NDG Security Packages|outline"></A> 
    465 4.1.2NDG Security Packages</H3> 
     525<P CLASS="western"><BR><BR> 
     526</P> 
     527<P CLASS="western">Once completed, you can delete <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ez_setup.py</SPAN></FONT>.</P> 
     528<H3 CLASS="western"><A NAME="4.2.2.NDG Security Packages|outline"></A> 
     5294.2.2 NDG Security Packages</H3> 
    466530<P CLASS="western" ALIGN=JUSTIFY>NDG security uses a wrapper to 
    467531distutils <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">easy_install</SPAN></FONT> 
     
    474538                        <P LANG="da-DK" STYLE="margin-bottom: 0cm"><BR> 
    475539                        </P> 
    476                         <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="da-DK">$ 
    477                         wget http://ndg.nerc.ac.uk/dist/ndg-security-install.py</SPAN></FONT></P> 
     540                        <P LANG="da-DK"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
     541                        wget http://ndg.nerc.ac.uk/dist/ndg-security-install.py</FONT></P> 
    478542                </TD> 
    479543        </TR> 
     
    499563using the –h option.  –a selects all packages for installation.   
    500564If there are problems with the installation, see the Troubleshooting 
    501 Guide in the Appendices section 5.5.</P> 
    502 <H2 CLASS="western"><A NAME="4.2.NDG Web Services Configuration|outline"></A> 
    503 4.2NDG Web Services Configuration</H2> 
    504 <H3 CLASS="western"><A NAME="4.2.1.NDG Security System Configuration Files|outline"></A> 
    505 4.2.1NDG Security System Configuration Files</H3> 
     565Guide in the Appendices section 5.6.</P> 
     566<H2 CLASS="western"><A NAME="4.3.NDG Web Services Configuration|outline"></A> 
     5674.3 NDG Web Services Configuration</H2> 
     568<H3 CLASS="western"><A NAME="4.3.1.NDG Security System Configuration Files|outline"></A> 
     5694.3.1 NDG Security System Configuration Files</H3> 
    506570<P CLASS="western" ALIGN=JUSTIFY>Properties files set the 
    507571configuration settings for NDG security <I>server side</I> settings.  
     
    520584                        <P STYLE="margin-bottom: 0cm"><BR> 
    521585                        </P> 
    522                         <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="da-DK">$ 
    523                         mkdir /etc/ndg<BR>$ mkdir /etc/ndg/security</SPAN></FONT></P> 
     586                        <P LANG="da-DK"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
     587                        mkdir /etc/ndg<BR>$ mkdir /etc/ndg/security</FONT></P> 
    524588                </TD> 
    525589        </TR> 
     
    532596environment of the user account used to run the security services or 
    533597can be set in the init scripts used to automatically start up the 
    534 services from server boot up (See sections 4.3.24.3.3 and 4.4.5).</P> 
     598services from server boot up (See sections 4.4.2, 4.4.3 and 4.5.5).</P> 
    535599<P CLASS="western" ALIGN=JUSTIFY>Locate the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndg_security_server</SPAN></FONT> 
    536600egg and copy its <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">conf/</SPAN></FONT> 
     
    611675<P CLASS="western" ALIGN=JUSTIFY><BR><BR> 
    612676</P> 
    613 <H3 CLASS="western"><A NAME="4.2.2.Certificate Generation|outline"></A> 
    614 4.2.2Certificate Generation</H3> 
     677<P CLASS="western" ALIGN=JUSTIFY>Note that it is possible to run 
     678security web services under any specified system account and group.  
     679Ensure that this user has full access to <SPAN LANG="es-ES"><FONT FACE="Lucida Console">/etc/ndg/security</FONT> 
     680e.g.</SPAN></P> 
     681<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
     682        <COL WIDTH=596> 
     683        <TR> 
     684                <TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6"> 
     685                        <P STYLE="margin-bottom: 0cm"><BR> 
     686                        </P> 
     687                        <P LANG="es-ES"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
     688                        chmod ndg:ndggroup -R /etc/ndg/security</FONT></P> 
     689                </TD> 
     690        </TR> 
     691</TABLE> 
     692<P LANG="es-ES" CLASS="western" ALIGN=JUSTIFY><BR><BR> 
     693</P> 
     694<H3 CLASS="western"><A NAME="4.3.2. Certificate Generation|outline"></A> 
     6954.3.2 Certificate Generation</H3> 
    615696<P CLASS="western" ALIGN=JUSTIFY>The Session Manager and Attribute 
    616697Authority web services require individual X.509 certificates as a 
     
    631712                        openssl genrsa –out sm-key.pem 2048</FONT></P> 
    632713                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
     714                        chmod 400 sm-key.pem</FONT></P> 
     715                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
    633716                        openssl req –new –key sm-key.pem –out sm.csr</FONT></P> 
    634717                        <P CLASS="western" ALIGN=LEFT><BR> 
     
    649732 All other fields have been omitted.  You can skip individual fields 
    650733by enter ‘.’ When prompted.</P> 
    651 <P CLASS="western" ALIGN=JUSTIFY>Forward the request file to the NDG 
    652 CA.  The CA will issue a certificate file.  Copy this file as 
     734<P CLASS="western" ALIGN=JUSTIFY>Forward the request file to the 
     735appropriate CA.  This could be your SimpleCA created for use with 
     736MyProxy – see MyProxy installation.  The CA will issue a 
     737certificate file.  Copy this file as 
    653738<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/conf/certs/sm-cert.pem</SPAN></FONT>.<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB"> 
    654739</SPAN></FONT> The request<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"> 
     
    667752                        openssl genrsa –out aa-key.pem 2048</FONT></P> 
    668753                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
     754                        chmod 400 aa-key.pem</FONT></P> 
     755                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
    669756                        openssl req –new –key aa-key.pem –out aa.csr</FONT></P> 
    670757                        <P CLASS="western" ALIGN=LEFT><BR> 
     
    678765Manager is run over https to keep user login credentials secured.   A 
    679766server certificate and key will be required in addition to enable 
    680 this.  These can be added to the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/conf/certs 
    681 directory and can be <FONT FACE="Helvetica, sans-serif">referenced by 
    682 the Session Manager’s properties file.</FONT></SPAN></FONT></P> 
     767this.   
     768</P> 
     769<P CLASS="western" ALIGN=JUSTIFY>If required, a certificate could be 
     770issued from your SimpleCA.  Follow the same procedure as used for the 
     771Session Manager and Attirbute Authority above creating a private key 
     772and certificate request.  The private key should be generated without 
     773a password.  When generating the certificate request ensure that the 
     774Common Name is set to the fully qualified name of the server host.</P> 
     775<P CLASS="western" ALIGN=JUSTIFY>Once available the certificate and 
     776private key can be added to the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/conf/certs 
     777<FONT FACE="Helvetica, sans-serif">directory and can be </FONT><FONT FACE="Helvetica, sans-serif">referenced 
     778by the Session Manager’s properties file with the </FONT><FONT FACE="Lucida Console">sslCertFile</FONT><FONT FACE="Helvetica, sans-serif"> 
     779and </FONT><FONT FACE="Lucida Console">sslKeyFile</FONT><FONT FACE="Helvetica, sans-serif"> 
     780elements respectively.</FONT></SPAN></FONT></P> 
    683781<P CLASS="western" ALIGN=JUSTIFY>A copy of the NDG Certificate 
    684782Authority’s X.509 certificate is also required.  Obtain this from 
    685783the NDG CA administrator and copy it into the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/conf/certs 
    686784</SPAN></FONT>directory.</P> 
    687 <H2 CLASS="western"><A NAME="4.3.Session Manager Configuration|outline"></A> 
    688 4.3Session Manager Configuration</H2> 
     785<P CLASS="western" STYLE="background: #cccccc">Note that all other 
     786trusted NDG partner organisations MUST have copies of your CA 
     787certificate.  If they don't, partner organisations NDG Security 
     788infrastructures will reject requests from your security services.   
     789CA certificates are referenced in the Attribute Authority and Session 
     790Manager properties file settings  <FONT FACE="Lucida Console, DejaVu Sans Mono, sans-serif"><FONT SIZE=2>sslCACertDir</FONT><FONT SIZE=2 STYLE="font-size: 9pt"> 
     791</FONT></FONT><FONT SIZE=2><FONT FACE="Helvetica, sans-serif">and 
     792</FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, sans-serif">caCertFileList</FONT></FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, sans-serif"><FONT SIZE=2 STYLE="font-size: 9pt">.</FONT></FONT><FONT SIZE=2><FONT FACE="Helvetica, sans-serif"> 
     793 Configuration for Gatekeepers may also need to reference your CA 
     794certificate.</FONT></FONT></P> 
     795<H2 CLASS="western"><A NAME="4.4.Session Manager Configuration|outline"></A> 
     7964.4 Session Manager Configuration</H2> 
    689797<P CLASS="western" ALIGN=JUSTIFY>Configuration parameters may be set 
    690798via a properties file.  In addition, the Session Manager can 
     
    695803use a Credential Repository.   If this is the case, skip this 
    696804section.</P> 
    697 <H3 CLASS="western"><A NAME="_Ref156702859"></A><A NAME="4.3.1.Session Manager Credential Repository|outline"></A> 
    698 4.3.1Session Manager Credential Repository</H3> 
     805<H3 CLASS="western"><A NAME="_Ref156702859"></A><A NAME="4.4.1.Session Manager Credential Repository|outline"></A> 
     8064.4.1 Session Manager Credential Repository</H3> 
    699807<P CLASS="western" ALIGN=JUSTIFY>Create the Credential Repository 
    700808database.  In the example below a MySQL database is assumed.   Notes 
    701 on installing MySQL are given in the Appendices section 5.1.  
     809on installing MySQL are given in the Appendices section 5.2.  
    702810</P> 
    703811<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
     
    776884sufficient permissions to be able to read and write records.  For 
    777885details of how to create an account in MySQL see the Appendices 
    778 section 5.1.9.</P> 
    779 <H3 CLASS="western"><A NAME="4.3.2.Session Manager Properties File Settings|outline"></A> 
    780 4.3.2Session Manager Properties File Settings</H3> 
     886section 5.2.9.</P> 
     887<H3 CLASS="western"><A NAME="4.4.2.Session Manager Properties File Settings|outline"></A> 
     8884.4.2 Session Manager Properties File Settings</H3> 
    781889<P CLASS="western" ALIGN=JUSTIFY>Edit <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">sessionMgrProperties.xml</SPAN></FONT> 
    782890in <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/conf</SPAN></FONT> 
     
    797905                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;sslKeyFile&gt;&gt;$NDGSEC_DIR/conf/certs/server-key.pem 
    798906                        &lt;/sslKeyFile&gt;</FONT></FONT></P> 
    799                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!--</FONT></FONT></P> 
     907                        <P STYLE="margin-bottom: 0cm">   <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Lucida Console, DejaVu Sans Mono, sans-serif">&lt;!-- 
     908                        <BR>    Directory containing CA cert.s to verify SSL peer cert 
     909                        against - ignored if useSSL is blank --&gt;<BR>    
     910                        &lt;sslCACertDir&gt;$NDGSEC_DIR/conf/certs/ca&lt;/sslCACertDir&gt;<BR> 
     911                           </FONT>&lt;!--</FONT></FONT></P> 
    800912                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">PKI 
    801913                        settings for signature of outbound SOAP messages</FONT></FONT></P> 
     
    809921                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;keyFile&gt;&gt;$NDGSEC_DIR/conf/certs/server-key.pem&lt;/keyFile&gt;</FONT></FONT></P> 
    810922                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;keyPwd&gt;&lt;/keyPwd&gt;</FONT></FONT></P> 
    811                         <P STYLE="margin-bottom: 0cm">    
    812                         <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;caCertFile&gt;&gt;$NDGSEC_DIR/conf/certs/cacert.pem&lt;/caCertFile&gt;</FONT></FONT></P> 
    813                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!-- 
     923                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, sans-serif"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!-- 
    814924                        </FONT></FONT> 
     925                        </P> 
     926                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Lucida Console, DejaVu Sans Mono, sans-serif">CA 
     927                        Certificates used to verify X.509 certs used in peer SOAP 
     928                        messages,<BR>    SSL connections and Attribute Certificates<BR>    
     929                        --&gt;<BR>    &lt;caCertFileList&gt;<BR>         
     930                        &lt;caCertFile&gt;$NDGSEC_DIR/conf/certs/cacert.pem&lt;/caCertFile&gt;<BR> 
     931                           &lt;/caCertFileList&gt;<BR></FONT>    &lt;!-- </FONT></FONT> 
    815932                        </P> 
    816933                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">Set 
     
    850967                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><SPAN LANG="fr-FR">MYPROXY_SERVER_PORT 
    851968                        setting</SPAN></FONT></FONT></P> 
    852                         <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="fr-FR"><FONT SIZE=2 STYLE="font-size: 9pt">--&gt;</FONT></SPAN></FONT></P> 
    853                         <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="fr-FR"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;port&gt;7512&lt;/port&gt;</FONT></SPAN></FONT></P> 
     969                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--&gt;</FONT></FONT></P> 
     970                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm">           
     971                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;port&gt;7512&lt;/port&gt;</FONT></FONT></P> 
    854972                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!--</FONT></FONT></P> 
    855973                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">Useful 
     
    9221040                        <P STYLE="margin-bottom: 0cm">           
    9231041                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><SPAN LANG="fr-FR">&lt;caCertFile&gt;$NDGSEC_DIR/conf/certs/cacert.pem&lt;/caCertFile&gt;</SPAN></FONT></FONT></P> 
    924                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="fr-FR"><FONT SIZE=2 STYLE="font-size: 9pt">  &lt;/myProxyProp&gt;</FONT></SPAN></FONT></P> 
    925                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="fr-FR"><FONT SIZE=2 STYLE="font-size: 9pt">  &lt;simpleCACltProp&gt; 
    926                         </FONT></SPAN></FONT> 
     1042                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">        &lt;/myProxyProp&gt;</FONT></FONT></P> 
     1043                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">        &lt;simpleCACltProp&gt; 
     1044                        </FONT></FONT> 
    9271045                        </P> 
    9281046                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">         
     
    9411059                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">         
    9421060                           &lt;certLifetimeDays&gt;&lt;/certLifetimeDays&gt;</FONT></FONT></P> 
    943                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="fr-FR"><FONT SIZE=2 STYLE="font-size: 9pt">   
    944                            &lt;certTmpDir&gt;&lt;/certTmpDir&gt;</FONT></SPAN></FONT></P> 
     1061                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">         
     1062                           &lt;certTmpDir&gt;&lt;/certTmpDir&gt;</FONT></FONT></P> 
    9451063                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">         
    9461064                           &lt;caCertFile&gt;&lt;/caCertFile&gt;</FONT></FONT></P> 
     
    11521270<P CLASS="western" ALIGN=JUSTIFY><BR><BR> 
    11531271</P> 
    1154 <H3 CLASS="western"><A NAME="_Ref175134983"></A><A NAME="_Ref179772391"></A><A NAME="4.3.3.SysV-style Boot Script|outline"></A> 
    1155 4.3.3SysV-style Boot Script</H3> 
     1272<H3 CLASS="western"><A NAME="_Ref175134983"></A><A NAME="_Ref179772391"></A><A NAME="4.4.3.SysV-style Boot Script|outline"></A> 
     12734.4.3 SysV-style Boot Script</H3> 
    11561274<P CLASS="western" ALIGN=JUSTIFY>The Session Manager can be 
    11571275configured to start up at system boot of the host machine.  A SysV 
     
    11951313command may not be available on your target machine.  Please refer to 
    11961314instructions for your particular Linux distribution.</P> 
    1197 <H2 CLASS="western"><A NAME="4.4.Attribute Authority Configuration|outline"></A> 
    1198 4.4Attribute Authority Configuration</H2> 
     1315<H2 CLASS="western"><A NAME="4.5.Attribute Authority Configuration|outline"></A> 
     13164.5 Attribute Authority Configuration</H2> 
    11991317<P CLASS="western" ALIGN=JUSTIFY>The Attribute Authority also has a 
    12001318properties file for the setting of configuration parameters.</P> 
    1201 <H3 CLASS="western"><A NAME="4.4.1.Attribute Authority Properties File Settings|outline"></A> 
    1202 4.4.1Attribute Authority Properties File Settings</H3> 
     1319<H3 CLASS="western"><A NAME="4.5.1.Attribute Authority Properties File Settings|outline"></A> 
     13204.5.1Attribute Authority Properties File Settings</H3> 
    12031321<P CLASS="western" ALIGN=JUSTIFY>Edit <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">attAuthorityProperties.xml</SPAN></FONT> 
    12041322in <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/conf</SPAN></FONT> 
     
    12131331                        version=&quot;1.0&quot; encoding=&quot;utf-8&quot;?&gt;</FONT></FONT></P> 
    12141332                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;AAprop&gt;</FONT></FONT></P> 
    1215                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">&lt;!-- 
    1216                         </FONT></FONT></FONT> 
    1217                         </P> 
    1218                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">'name' 
    1219                         setting MUST agree with map config file 'thisHost' name attribute</FONT></FONT></FONT></P> 
    1220                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">--&gt;</FONT></FONT></FONT></P> 
    1221                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">&lt;name&gt;Organisation 
    1222                         Identifier&lt;/name&gt; </FONT></FONT></FONT> 
    1223                         </P> 
    1224                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">&lt;portNum&gt;SELECT 
    1225                         A SUITABLE PORT NUMBER FOR RUNNING THE SERVICE&lt;/portNum&gt;</FONT></FONT></FONT></P> 
     1333                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!-- 
     1334                        </FONT></FONT> 
     1335                        </P> 
     1336                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">'name' 
     1337                        setting MUST agree with map config file 'thisHost' name attribute</FONT></FONT></P> 
     1338                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--&gt;</FONT></FONT></P> 
     1339                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;name&gt;Organisation 
     1340                        Identifier&lt;/name&gt; </FONT></FONT> 
     1341                        </P> 
     1342                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;portNum&gt;SELECT 
     1343                        A SUITABLE PORT NUMBER FOR RUNNING THE SERVICE&lt;/portNum&gt;</FONT></FONT></P> 
    12261344                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!--</FONT></FONT></P> 
    12271345                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">PKI 
     
    12331351                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;sslKeyFile&gt;&lt;/sslKeyFile&gt;</FONT></FONT></P> 
    12341352                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;sslKeyPwd&gt;&lt;/sslKeyPwd&gt;</FONT></FONT></P> 
    1235                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!--</FONT></FONT></P> 
     1353                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Lucida Console, DejaVu Sans Mono, sans-serif">&lt;!-- 
     1354                        <BR>       Directory containing CA cert.s to verify SSL peer cert 
     1355                        against - ignored if useSSL is blank --&gt;<BR>       
     1356                        &lt;sslCACertDir&gt;$NDGSEC_DIR/conf/certs/ca&lt;/sslCACertDir&gt;<BR></FONT> 
     1357                           &lt;!--</FONT></FONT></P> 
    12361358                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">PKI 
    12371359                        settings for signature of outbound SOAP messages</FONT></FONT></P> 
     
    12401362                        <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;useSignatureHandler&gt;Yes&lt;/useSignatureHandler&gt; 
    12411363                        &lt;!-- leave blank for no signature --&gt;</FONT></FONT></P> 
    1242                         <P STYLE="margin-bottom: 0cm">    
    1243                         <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">&lt;certFile&gt;$NDGSEC_DIR/conf/certs/aa-cert.pem&lt;/certFile&gt;</FONT></FONT></FONT></P> 
    1244                         <P STYLE="margin-bottom: 0cm">    
    1245                         <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">&lt;keyFile&gt;$NDGSEC_DIR/conf/certs/aa-key.pem 
    1246                         &lt;/keyFile&gt;</FONT></FONT></FONT></P> 
     1364                        <P STYLE="margin-bottom: 0cm">         <FONT FACE="Lucida Console, DejaVu Sans Mono, sans-serif"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!-- 
     1365                        </FONT></FONT> 
     1366                        </P> 
     1367                        <P STYLE="margin-bottom: 0cm">         <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Lucida Console, DejaVu Sans Mono, sans-serif">CA 
     1368                        Certificates used to verify X.509 certs used in peer SOAP 
     1369                        messages,<BR>         SSL connections and Attribute Certificates<BR> 
     1370                                --&gt;<BR>        &lt;caCertFileList&gt;<BR>             
     1371                        &lt;caCertFile&gt;$NDGSEC_DIR/conf/certs/cacert.pem&lt;/caCertFile&gt;<BR> 
     1372                               &lt;/caCertFileList&gt;<BR></FONT>    
     1373                        &lt;keyFile&gt;$NDGSEC_DIR/conf/certs/aa-key.pem &lt;/keyFile&gt;</FONT></FONT></P> 
    12471374                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;keyPwd&gt;&lt;/keyPwd&gt;</FONT></FONT></P> 
    12481375                        <P STYLE="margin-bottom: 0cm">    
    12491376                        <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;caCertFile&gt;$NDGSEC_DIR/conf/certs/cacert.pem 
    12501377                        &lt;/caCertFile&gt;</FONT></FONT></P> 
    1251                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">&lt;!-- 
    1252                         </FONT></FONT></FONT> 
     1378                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!-- 
     1379                        </FONT></FONT> 
    12531380                        </P> 
    12541381                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">Set 
     
    12671394                        <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;attCertLifetime&gt;86400&lt;/attCertLifetime&gt; 
    12681395                        &lt;!-- Measured in seconds --&gt;</FONT></FONT></P> 
    1269                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">&lt;!-- 
    1270                         </FONT></FONT></FONT> 
    1271                         </P> 
    1272                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">Allow 
    1273                         an offset for clock skew between servers running </FONT></FONT></FONT> 
    1274                         </P> 
    1275                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">security 
    1276                         services.  - Use minus sign for time in the past</FONT></FONT></FONT></P> 
    1277                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">--&gt;</FONT></FONT></FONT></P> 
     1396                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!-- 
     1397                        </FONT></FONT> 
     1398                        </P> 
     1399                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">Allow 
     1400                        an offset for clock skew between servers running </FONT></FONT> 
     1401                        </P> 
     1402                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">security 
     1403                        services.  - Use minus sign for time in the past</FONT></FONT></P> 
     1404                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--&gt;</FONT></FONT></P> 
    12781405                        <P STYLE="margin-bottom: 0cm">    
    12791406                        <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;attCertNotBeforeOff&gt;0&lt;/attCertNotBeforeOff&gt;</FONT></FONT></P> 
     
    12811408                        Location of role mapping file --&gt;</FONT></FONT></P> 
    12821409                        <P STYLE="margin-bottom: 0cm">    
    1283                         <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">&lt;mapConfigFile&gt;$NDGSEC_DIR/conf/mapConfig.xml&lt;/mapConfigFile&gt;</FONT></FONT></FONT></P> 
     1410                        <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;mapConfigFile&gt;$NDGSEC_DIR/conf/mapConfig.xml&lt;/mapConfigFile&gt;</FONT></FONT></P> 
    12841411                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!-- 
    12851412                        All Attribute Certificates issued are recorded in this dir --&gt;</FONT></FONT></P> 
    12861413                        <P STYLE="margin-bottom: 0cm">    
    1287                         <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">&lt;attCertDir&gt;$NDGSEC_DIR/conf/attCertLog&lt;/attCertDir&gt;</FONT></FONT></FONT></P> 
    1288                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">&lt;!-- 
    1289                         </FONT></FONT></FONT> 
    1290                         </P> 
    1291                         <P STYLE="margin-bottom: 0cm">     <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">Files 
    1292                         in attCertDir are stored using a rotating file handler</FONT></FONT></FONT></P> 
    1293                         <P STYLE="margin-bottom: 0cm">     <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">attCertFileLogCnt 
    1294                         sets the max number of files created before the first is</FONT></FONT></FONT></P> 
    1295                         <P STYLE="margin-bottom: 0cm">     <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">overwritten</FONT></FONT></FONT></P> 
    1296                         <P STYLE="margin-bottom: 0cm">     <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">--&gt;</FONT></FONT></FONT></P> 
     1414                        <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;attCertDir&gt;$NDGSEC_DIR/conf/attCertLog&lt;/attCertDir&gt;</FONT></FONT></P> 
     1415                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!-- 
     1416                        </FONT></FONT> 
     1417                        </P> 
     1418                        <P STYLE="margin-bottom: 0cm">     <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">Files 
     1419                        in attCertDir are stored using a rotating file handler</FONT></FONT></P> 
     1420                        <P STYLE="margin-bottom: 0cm">     <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">attCertFileLogCnt 
     1421                        sets the max number of files created before the first is</FONT></FONT></P> 
     1422                        <P STYLE="margin-bottom: 0cm">     <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">overwritten</FONT></FONT></P> 
     1423                        <P STYLE="margin-bottom: 0cm">     <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--&gt;</FONT></FONT></P> 
    12971424                        <P STYLE="margin-bottom: 0cm">    
    12981425                        <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;attCertFileName&gt;ac.xml&lt;/attCertFileName&gt;</FONT></FONT></P> 
     
    13091436                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--&gt;</FONT></FONT></P> 
    13101437                        <P STYLE="margin-bottom: 0cm">    
    1311                         <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">&lt;userRolesModFilePath&gt;$NDGSEC_DIR/conf&lt;/userRolesModFilePath&gt;</FONT></FONT></FONT></P> 
     1438                        <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;userRolesModFilePath&gt;$NDGSEC_DIR/conf&lt;/userRolesModFilePath&gt;</FONT></FONT></P> 
    13121439                        <P STYLE="margin-bottom: 0cm">    
    1313                         <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">&lt;userRolesModName&gt;userRoles&lt;/userRolesModName&gt;</FONT></FONT></FONT></P> 
     1440                        <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;userRolesModName&gt;userRoles&lt;/userRolesModName&gt;</FONT></FONT></P> 
    13141441                        <P STYLE="margin-bottom: 0cm">    
    1315                         <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">&lt;userRolesClassName&gt;UserRoles&lt;/userRolesClassName&gt;</FONT></FONT></FONT></P> 
     1442                        <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;userRolesClassName&gt;UserRoles&lt;/userRolesClassName&gt;</FONT></FONT></P> 
    13161443                        <P STYLE="margin-bottom: 0cm">    
    1317                         <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">&lt;userRolesPropFile&gt;$NDGSEC_DIR/conf/userRoles.cfg&lt;/userRolesPropFile&gt;</FONT></FONT></FONT></P> 
     1444                        <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;userRolesPropFile&gt;$NDGSEC_DIR/conf/userRoles.cfg&lt;/userRolesPropFile&gt;</FONT></FONT></P> 
    13181445                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;/AAprop&gt;</FONT></FONT></P> 
    13191446                        <P>  
     
    13241451<P CLASS="western" ALIGN=JUSTIFY><BR><BR> 
    13251452</P> 
    1326 <H3 CLASS="western"><A NAME="4.4.2.User Roles Interface|outline"></A>4.4.2User 
    1327 Roles Interface</H3> 
     1453<H3 CLASS="western"><A NAME="4.5.2.User Roles Interface|outline"></A>4.5.2 
     1454User Roles Interface</H3> 
    13281455<P CLASS="western" ALIGN=JUSTIFY>The Attribute Authority given a 
    13291456valid user proxy certificate serves an attribute certificate 
     
    13361463programmatic interface to determine the roles to user id 
    13371464relationship.   A custom python class may be written to perform this 
    1338 task.   See the Appendices section 5.4.</P> 
    1339 <H3 CLASS="western"><A NAME="4.4.3.Role Mapping|outline"></A>4.4.3Role 
    1340 Mapping</H3> 
     1465task.   See the Appendices section 5.5.</P> 
     1466<H3 CLASS="western"><A NAME="4.5.3.Role Mapping|outline"></A>4.5.3 
     1467Role Mapping</H3> 
    13411468<P CLASS="western" ALIGN=JUSTIFY>The role mapping file is stored in 
    13421469the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/conf</SPAN></FONT> 
     
    14831610        may map to many local roles.</P> 
    14841611</UL> 
    1485 <H3 CLASS="western"><A NAME="4.4.4.Twisted Python server .tac file|outline"></A> 
    1486 4.4.4Twisted Python server .tac file</H3> 
     1612<H3 CLASS="western"><A NAME="4.5.4.Twisted Python server .tac file|outline"></A> 
     16134.5.4 Twisted Python server .tac file</H3> 
    14871614<P CLASS="western" ALIGN=JUSTIFY>Copy this from the 
    14881615ndg_security_server to the NDG security conf/ area:</P> 
     
    15051632<P CLASS="western" ALIGN=JUSTIFY><BR><BR> 
    15061633</P> 
    1507 <H3 CLASS="western"><A NAME="_Ref179772414"></A><A NAME="4.4.5.SysV-style Boot Script|outline"></A> 
    1508 4.4.5SysV-style Boot Script</H3> 
     1634<H3 CLASS="western"><A NAME="_Ref179772414"></A><A NAME="4.5.5.SysV-style Boot Script|outline"></A> 
     16354.5.5 SysV-style Boot Script</H3> 
    15091636<P CLASS="western" ALIGN=JUSTIFY>As with the Session Manager, the 
    15101637Attribute Authority can be configured to start up at system boot of 
     
    15461673<P CLASS="western" ALIGN=JUSTIFY>If required, add any additional 
    15471674environment settings required to connect to a user database.</P> 
    1548 <H2 CLASS="western"><A NAME="4.5.Python Unit Tests|outline"></A>4.5Python 
    1549 Unit Tests</H2> 
     1675<H2 CLASS="western"><A NAME="4.6.Python Unit Tests|outline"></A>4.6 
     1676Python Unit Tests</H2> 
    15501677<P CLASS="western" ALIGN=JUSTIFY>Python unit test scripts are 
    15511678provided to enable the system to be checked to confirm that it is 
     
    15531680in the site-packages/ directory of the python installation.</P> 
    15541681<P CLASS="western" ALIGN=JUSTIFY>&lt;todo: &gt;</P> 
    1555 <H2 CLASS="western"><A NAME="4.6.Globus MyProxy|outline"></A>4.6Globus 
    1556 MyProxy</H2> 
    1557 <H3 CLASS="western"><A NAME="4.6.1.MyProxy and NDG Security Background|outline"></A> 
    1558 4.6.1MyProxy and NDG Security Background</H3> 
     1682<H2 CLASS="western"><A NAME="4.7. MyProxy|outline"></A>4.7 MyProxy</H2> 
     1683<H3 CLASS="western"><A NAME="4.7.1. MyProxy and NDG Security Background|outline"></A> 
     16844.7.1 MyProxy and NDG Security Background</H3> 
    15591685<P CLASS="western" ALIGN=JUSTIFY>NDG Security makes use of MyProxy 
    1560 from the Globus toolkit to store user’s authentication credentials. 
    1561  If a participating data centre supports user accounts then it will 
    1562 need to deploy its MyProxy repository.   
    1563 </P> 
    1564 <P CLASS="western" ALIGN=JUSTIFY>The NDG SessionManager web service 
    1565 acts as a client to MyProxy.  When a user is registered at a site, it 
    1566 generates a new public/private key for the user and an X.509 
    1567 certificate request.  It sends the latter to the NDG Simple CA 
    1568 (Certificate Authority) for signing.  A new X.509 certificate is 
    1569 issued and returned.  The SessionManager uploads the public and 
    1570 private key into the MyProxy repository and associates a username and 
    1571 pass-phrase with these credentials.</P> 
    1572 <P CLASS="western" ALIGN=JUSTIFY>When a user subsequently logs in at 
    1573 their site, again the SessionManager is called.  It passes the 
    1574 username and pass-phrase provided to MyProxy.  MyProxy matches these 
    1575 with the X.509 certificate it holds and issues a <I>proxy</I> to that 
    1576 certificate.  The proxy certificate represents the user’s ID 
    1577 internally in the interactions between the various NDG components.  
     1686from the Globus toolkit to enable the use of individual user X.509 
     1687certificates to secure messages in transactions.  For example, to 
     1688request an Attribute Certificate from an Attribute Authority the 
     1689request can be signed using the user's certificate to enable the  
     1690Attribute Authority to authenticate it.</P> 
     1691<P CLASS="western" ALIGN=JUSTIFY>MyProxy is a flexible and can be 
     1692configured to run in a number of different modes or combination of 
     1693modes:</P> 
     1694<OL> 
     1695        <LI><P CLASS="western" ALIGN=JUSTIFY>users can upload a proxy to 
     1696        their personal user certificate for storage in the MyProxy 
     1697        repository for later use in delegation    
     1698        </P> 
     1699        <LI><P CLASS="western" ALIGN=JUSTIFY>Personal user certificates 
     1700        issued by a CA can by stored in the repository.</P> 
     1701        <LI><P CLASS="western" ALIGN=JUSTIFY>MyProxy can be run with the 
     1702        Globus SimpleCA package issuing certificates dynamically based on a 
     1703        callout to some external authentication system.  MyProxy has basic 
     1704        support for PAM (Pluggable Authentication Module) and SASL (<SPAN STYLE="font-style: normal">Simple 
     1705        Authentication and Security Layer).</SPAN></P> 
     1706</OL> 
     1707<P CLASS="western" ALIGN=JUSTIFY>3) is the preferred mode for NDG 
     1708deployments as typically NDG partners have existing user databases 
     1709against which their users authenticate.   MyProxy can be configured 
     1710to query the database with username/password via PAM/SASL.   
    15781711</P> 
    15791712<P CLASS="western" ALIGN=JUSTIFY>MyProxy runs as a service 
     
    15811714on its host machine and user credentials are held in a directory on 
    15821715the file system.  It is important to secure the host to ensure the 
    1583 credentials are not compromised. (Also see Ref 1above.)</P> 
    1584 <H3 CLASS="western"><A NAME="4.6.2.MyProxy user account and the repository location considerations|outline"></A> 
    1585 4.6.2MyProxy user account and the repository location considerations</H3> 
     1716credentials are not compromised.  
     1717</P> 
     1718<H3 CLASS="western"><A NAME="4.7.2. MyProxy user account and the repository location considerations|outline"></A> 
     17194.7.2 MyProxy user account and the repository location considerations</H3> 
    15861720<P CLASS="western" ALIGN=JUSTIFY>MyProxy may be installed as root or 
    1587 using a separate user account.  The latter is preferable as it 
    1588 provides an extra level of security.  Note that the MyProxy 
    1589 repository will be in a standard location.   
     1721using a separate user account.  The latter provides an extra degree 
     1722of security but for use with PAM, the MyProxy must be installed and 
     1723run as root.  Note that the MyProxy repository will be in a standard 
     1724location.   
    15901725</P> 
    15911726<UL> 
     
    15991734        </P> 
    16001735</UL> 
    1601 <P CLASS="western" ALIGN=JUSTIFY>It is possible to explicitly define 
     1736<P CLASS="western" ALIGN=JUSTIFY>When run in mode 3) the repository 
     1737is not used since all credentials are generated dynamically on a 
     1738successful MyProxy logon request. It is possible to explicitly define 
    16021739an alternate location but this can only be done by providing a 
    16031740command line argument to <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy-server</SPAN></FONT>. 
     
    16061743ps</SPAN></FONT>.  This could be avoided by running <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy-server</SPAN></FONT> 
    16071744with <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">xinetd 
    1608 </SPAN></FONT>(See 4.6.8.1).</P> 
    1609 <P CLASS="western" ALIGN=LEFT>Another factor to take into 
    1610 consideration is the available space on the file system for the 
    1611 repository location.  There should be sufficient disk space on the 
    1612 partition where the directory is located to store credentials for all 
    1613 the users of the system at the target site.</P> 
    1614 <P CLASS="western" ALIGN=JUSTIFY>This guide assumes installation 
    1615 under a dedicated user account.  The username <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">globus</SPAN></FONT> 
    1616 is used in the examples for convenience only.  An alternative 
    1617 username is recommended.</P> 
    1618 <P CLASS="western" ALIGN=JUSTIFY>As <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">root</SPAN></FONT> 
    1619 user set up a local user account.</P> 
     1745</SPAN></FONT>(See 4.7.10.1).</P> 
     1746<P CLASS="western" ALIGN=LEFT>This guide assumes installation as 
     1747root.   
     1748</P> 
     1749<H3 CLASS="western"><A NAME="4.7.3. Installation|outline"></A>4.7.3 
     1750Installation</H3> 
     1751<P CLASS="western">MyProxy is available with Globus.  Version 4.0.5 
     1752distribution is recommended for use with the NDG Security software.   
     1753<FONT FACE="Helvetica, sans-serif"><SPAN LANG="en-GB">C and C++ 
     1754development packages are needed for the build.</SPAN></FONT></P> 
     1755<H4 CLASS="western">4.7.3.1 PAM Dependencies</H4> 
     1756<P CLASS="western">A binary version is available but it is 
     1757recommended to build and install from the source code to include PAM 
     1758dependencies (<A HREF="http://grid.ncsa.uiuc.edu/myproxy/pam.html">http://grid.ncsa.uiuc.edu/myproxy/pam.html</A>). 
     1759  To check, there should be a <CODE><FONT FACE="Helvetica, sans-serif">pam_appl.h 
     1760header file either in /usr/include/security or /usr/include/pam.</FONT></CODE></P> 
     1761<P CLASS="western"><CODE><FONT FACE="Helvetica, sans-serif">If they 
     1762are not present, they can be installed with the PAM development 
     1763package for your Linux distribution – e.g. pam-devel (Redhat) or 
     1764libpam*-dev (Debian based).</FONT></CODE></P> 
     1765<P CLASS="western"><CODE><FONT FACE="Helvetica, sans-serif">Due to a 
     1766limitation in PAM, MyProxy must be built and installed under the 
     1767system root account.</FONT></CODE></P> 
     1768<H4 CLASS="western">4.7.3.2<CODE><FONT FACE="Helvetica, sans-serif"> 
     1769Build</FONT></CODE></H4> 
     1770<P CLASS="western"><CODE><FONT FACE="Helvetica, sans-serif">The code 
     1771can be downloaded from  </FONT><FONT COLOR="#0000ff"><U><A HREF="http://www.globus.org/toolkit/downloads/4.0.1/"><FONT FACE="Helvetica, sans-serif">http://www.globus.org/toolkit/downloads/4.0.5</FONT></A></U></FONT></CODE></P> 
     1772<P CLASS="western" ALIGN=JUSTIFY>Note that it is possible to set a 
     1773target for <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">make 
     1774</SPAN></FONT>so that only the MyProxy components of Globus are 
     1775built.  Click on the link for the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">gt4.0.5-all-source-installer</FONT> 
     1776tarball.  Extract the files and change to the 
     1777<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">gt4.0.5-all-source-installer/</FONT> 
     1778directory created.</P> 
     1779<P CLASS="western" ALIGN=JUSTIFY>Configure the build settings.  The 
     1780default installation location is /usr/local/globus-4.0.5.  Use 
     1781–prefix=&lt;dir path&gt; command line option to specify an 
     1782alternative location for the installation.</P> 
    16201783<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
    16211784        <COL WIDTH=596> 
    16221785        <TR> 
    1623                 <TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6"> 
     1786                <TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6"> 
    16241787                        <P STYLE="margin-bottom: 0cm"><BR> 
    16251788                        </P> 
    16261789                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
    1627                         groupadd globus</FONT></P> 
    1628                         <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
    1629                         useradd globus –g globus</FONT></P> 
    1630                 </TD> 
    1631         </TR> 
    1632 </TABLE> 
    1633 <P CLASS="western" ALIGN=LEFT><BR><BR> 
    1634 </P> 
    1635 <P CLASS="western" ALIGN=JUSTIFY>Note that for security purposes, the 
    1636 globus user account is set up as a local rather NIS account so that 
    1637 access is restricted.  Set the default home directory as necessary 
    1638 and default shell to bash.  Set the password for <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">globus</SPAN></FONT>:</P> 
     1790                        ./configure </FONT> 
     1791                        </P> 
     1792                        <P><BR> 
     1793                        </P> 
     1794                </TD> 
     1795        </TR> 
     1796</TABLE> 
     1797<P CLASS="western" ALIGN=JUSTIFY><BR><BR> 
     1798</P> 
     1799<P CLASS="western" ALIGN=JUSTIFY>Compile and install MyProxy:</P> 
    16391800<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
    16401801        <COL WIDTH=596> 
     
    16431804                        <P STYLE="margin-bottom: 0cm"><BR> 
    16441805                        </P> 
    1645                         <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
    1646                         passwd globus</FONT></P> 
    1647                 </TD> 
    1648         </TR> 
    1649 </TABLE> 
    1650 <P CLASS="western" ALIGN=LEFT><BR><BR> 
    1651 </P> 
    1652 <P CLASS="western" ALIGN=JUSTIFY>Modify the relevant files and 
    1653 directories in the NDG installation area to be owned by the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">globus</SPAN></FONT> 
    1654 account:</P> 
    1655 <TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
    1656         <COL WIDTH=596> 
    1657         <TR> 
    1658                 <TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6"> 
    1659                         <P STYLE="margin-bottom: 0cm"><BR> 
    1660                         </P> 
    1661                         <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
    1662                         chown -R globus:globus $NDGSEC_DIR/conf/ $NDGSEC_DIR/ndgSetup.sh</FONT></P> 
    1663                 </TD> 
    1664         </TR> 
    1665 </TABLE> 
    1666 <P CLASS="western" ALIGN=LEFT><BR><BR> 
    1667 </P> 
    1668 <P CLASS="western" ALIGN=LEFT>For convenience, the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndgSetup.sh</SPAN></FONT> 
    1669 file may be called from the globus account’s <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">.bashrc</SPAN></FONT> 
    1670 file so that the NDG environment is automatically initialised when a 
    1671 new globus shell is invoked.</P> 
    1672 <P CLASS="western" ALIGN=LEFT>Change to the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">globus</SPAN></FONT> 
    1673 account and edit <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">~/.bashrc</SPAN></FONT> 
    1674 adding the following lines at the end:</P> 
    1675 <TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
    1676         <COL WIDTH=596> 
    1677         <TR> 
    1678                 <TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6"> 
    1679                         <P STYLE="margin-bottom: 0cm"><BR> 
    1680                         </P> 
    1681                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"># 
    1682                         NDG set-up</FONT></P> 
    1683                         <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">. 
    1684                         /usr/local/NDG/ndgSetup.sh</FONT></P> 
    1685                 </TD> 
    1686         </TR> 
    1687 </TABLE> 
    1688 <P CLASS="western" ALIGN=LEFT><BR><BR> 
    1689 </P> 
    1690 <H3 CLASS="western"><A NAME="4.6.3.Build Process|outline"></A>4.6.3Build 
    1691 Process</H3> 
    1692 <P CLASS="western" ALIGN=JUSTIFY>As <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">root</SPAN></FONT>, 
    1693 create an installation directory for Globus within the NDG 
    1694 installation:</P> 
    1695 <TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
    1696         <COL WIDTH=596> 
    1697         <TR> 
    1698                 <TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6"> 
    1699                         <P STYLE="margin-bottom: 0cm"><BR> 
    1700                         </P> 
    1701                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
    1702                         mkdir $NDGSEC_DIR/globus-4.0.1</FONT></P> 
    1703                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
    1704                         chown globus:globus $NDGSEC_DIR/globus-4.0.1</FONT></P> 
    1705                         <P><BR> 
    1706                         </P> 
    1707                 </TD> 
    1708         </TR> 
    1709 </TABLE> 
    1710 <P CLASS="western" ALIGN=JUSTIFY><BR><BR> 
    1711 </P> 
    1712 <P CLASS="western" ALIGN=JUSTIFY>Ensure that the setting for 
    1713 <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">GLOBUS_LOCATION</FONT> 
    1714 in <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$NDGSEC_DIR/ndgSetup.sh</FONT> 
    1715 points to the new directory created <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$NDGSEC_DIR/globus-4.0.1</FONT>.</P> 
    1716 <P CLASS="western" ALIGN=JUSTIFY>Switch to the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">globus</FONT> 
    1717 user account ready to download the globus installation.</P> 
    1718 <P CLASS="western" ALIGN=JUSTIFY>Globus 4.0.1 distribution is 
    1719 recommended for use with the NDG Security software.  This is 
    1720 available from <FONT COLOR="#0000ff"><U><A HREF="http://www.globus.org/toolkit/downloads/4.0.1/">http://www.globus.org/toolkit/downloads/4.0.1/</A></U></FONT></P> 
    1721 <P CLASS="western" ALIGN=JUSTIFY>A binary version is available but it 
    1722 is recommended to install the source code version and build from 
    1723 scratch on the target machine.  Note that it is possible to set a 
    1724 target for <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">make 
    1725 </SPAN></FONT>so that only the MyProxy components of Globus are 
    1726 built.  Click on the link for the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">gt4.0.1-all-source-installer</FONT> 
    1727 tarball.  Extract the files and change to the 
    1728 <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">gt4.0.1-all-source-installer/</FONT> 
    1729 directory created.</P> 
    1730 <P CLASS="western" ALIGN=JUSTIFY>Configure the build settings compile 
    1731 and install MyProxy:</P> 
    1732 <TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
    1733         <COL WIDTH=596> 
    1734         <TR> 
    1735                 <TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6"> 
    1736                         <P STYLE="margin-bottom: 0cm"><BR> 
    1737                         </P> 
    1738                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
    1739                         ./configure –prefix=$GLOBUS_LOCATION</FONT></P> 
    17401806                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
    17411807                        make gsi-myproxy postinstall</FONT></P> 
     
    17521818environment variable is not set.  This can be ignored because Java is 
    17531819not required for the MyProxy build.</SPAN></FONT></FONT></P> 
    1754 <P STYLE="margin-bottom: 0cm"><BR> 
    1755 </P> 
    1756 <H3 CLASS="western"><A NAME="4.6.4.NDG SimpleCA Client Package |outline"></A> 
    1757 4.6.4NDG SimpleCA Client Package  
    1758 </H3> 
    1759 <P CLASS="western" ALIGN=JUSTIFY>This configures the target machine 
    1760 to trust the NDG CA.   
    1761 </P> 
    1762 <P CLASS="western" ALIGN=JUSTIFY>Login as the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">globus</SPAN></FONT> 
    1763 user. To install first initialise the environment settings (The 
    1764 following line should be included in <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndgSetup.sh</SPAN></FONT>. 
    1765  Check and amend as necessary).</P> 
     1820<P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm">   
     1821</P> 
     1822<P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm"><FONT FACE="Helvetica, sans-serif"><SPAN LANG="en-GB">If 
     1823you encounter errors with the build you can trobuleshoot by checking 
     1824config.log in the BUILD/globus_core-* or source-trees/core/source 
     1825directories.</SPAN></FONT></P> 
     1826<P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm"><BR> 
     1827</P> 
     1828<P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm"><FONT FACE="Helvetica, sans-serif"><SPAN LANG="en-GB">Verify 
     1829myproxy has built with PAM support by running the command:</SPAN></FONT></P> 
     1830<P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm"><BR> 
     1831</P> 
     1832<P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm"><BR> 
     1833</P> 
    17661834<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
    17671835        <COL WIDTH=596> 
    17681836        <TR> 
    17691837                <TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6"> 
    1770                         <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><BR> 
    1771                         </P> 
    1772                         <P LANG="fr-FR"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
    1773                         . $GLOBUS_LOCATION/etc/globus-user-env.sh</FONT></P> 
    1774                 </TD> 
    1775         </TR> 
    1776 </TABLE> 
    1777 <P><BR><BR> 
    1778 </P> 
    1779 <P CLASS="western" ALIGN=LEFT>Install the client package.  <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">&lt;CA 
    1780 Hash&gt;</SPAN></FONT> below is a unique identifier for the CA.  Note 
    1781 that the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">–nonroot</SPAN></FONT> 
    1782 option ensures that the configuration files are installed in 
    1783 <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$GLOBUS_LOCATION/etc</SPAN></FONT> 
    1784 rather than the default location used with the root user: 
    1785 <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/etc/grid-security</SPAN></FONT>. 
    1786  If you are installing as <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">root</SPAN></FONT>, 
    1787 this option may be omitted if required.</P> 
    1788 <P CLASS="western" ALIGN=LEFT>Also note that for 64 bit architectures 
    1789 the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">gcc32dbg</SPAN></FONT> 
    1790 argument to <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">gpt-build</SPAN></FONT> 
    1791 should be substituted with <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">gcc64dbg</SPAN></FONT>.</P> 
     1838                        <P STYLE="margin-bottom: 0cm"><BR> 
     1839                        </P> 
     1840                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
     1841                        /usr/local/globus-4.0.5/sbin/myproxy-server -V</FONT></P> 
     1842                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">myproxy-server 
     1843                        version MYPROXYv2 (v3.7 12 Dec 2006 PAM)</FONT></P> 
     1844                        <P><BR> 
     1845                        </P> 
     1846                </TD> 
     1847        </TR> 
     1848</TABLE> 
     1849<P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm"><BR> 
     1850</P> 
     1851<P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm"><FONT FACE="Helvetica, sans-serif"><SPAN LANG="en-GB">If 
     1852'PAM' is included in the output as above then the executable has 
     1853built correctly to include PAM support.</SPAN></FONT></P> 
     1854<P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm"><BR> 
     1855</P> 
     1856<H3 CLASS="western"><A NAME="4.7.4. SimpleCA Installation|outline"></A> 
     18574.7.4 SimpleCA Installation</H3> 
     1858<P CLASS="western" ALIGN=JUSTIFY>Reference:  
     1859</P> 
     1860<P CLASS="western" ALIGN=JUSTIFY><A HREF="http://www-unix.globus.org/toolkit/docs/4.0/security/simpleca/admin-index.html#s-simpleca-admin-installing">http://www-unix.globus.org/toolkit/docs/4.0/security/simpleca/admin-index.html#s-simpleca-admin-installing</A></P> 
     1861<P CLASS="western" ALIGN=JUSTIFY>The SimpleCA can be set up under a 
     1862dedicated user account but this user must have read/write permissions 
     1863to the Globus MyProxy installation location.   For simplicity, this 
     1864guide assumes installation for MyProxy and the SimpleCA under root.</P> 
     1865<P CLASS="western" ALIGN=JUSTIFY>To install first initialise the 
     1866environment settings (These may be added to the appropriate start-up 
     1867file e.g. .bashrc):</P> 
    17921868<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
    17931869        <COL WIDTH=596> 
    17941870        <TR> 
    17951871                <TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6"> 
    1796                         <P STYLE="margin-bottom: 0cm"><BR> 
    1797                         </P> 
    1798                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
    1799                         gpt-build globus_simple_ca_&lt;CA hash&gt;_setup-0.18.tar.gz 
    1800                         gcc32dbg</FONT></P> 
    1801                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
    1802                         gpt-postinstall</FONT></P> 
    1803                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
    1804                         $GLOBUS_LOCATION/setup/globus_simple_ca_&lt;CA 
    1805                         hash&gt;_setup/setup-gsi </FONT> 
    1806                         </P> 
    1807                         <P>–<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">default 
    1808                         –nonroot</FONT></P> 
    1809                 </TD> 
    1810         </TR> 
    1811 </TABLE> 
    1812 <P STYLE="margin-bottom: 0cm"><BR> 
    1813 </P> 
    1814 <P CLASS="western" ALIGN=LEFT>When running <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">gpt-postinstall</SPAN></FONT>, 
    1815 you may see a warning:</P> 
     1872                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><BR> 
     1873                        </P> 
     1874                        <P LANG="fr-FR"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
     1875                        export GLOBUS_LOCATION=/usr/local/globus-4.0.5<BR>$ export 
     1876                        GPT_LOCATION=$GLOBUS_LOCATION<BR>$ . 
     1877                        $GLOBUS_LOCATION/etc/globus-user-env.sh</FONT></P> 
     1878                </TD> 
     1879        </TR> 
     1880</TABLE> 
     1881<P><BR><BR> 
     1882</P> 
     1883<P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Installation 
     1884script:</FONT></P> 
    18161885<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
    18171886        <COL WIDTH=596> 
    18181887        <TR> 
    18191888                <TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6"> 
    1820                         <P STYLE="margin-bottom: 0cm"><BR> 
    1821                         </P> 
    1822                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">WARNING: 
    1823                         The following packages were not set up correctly:</FONT></P> 
    1824                         <P STYLE="margin-bottom: 0cm">        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">globus_simple_ca_&lt;CA 
    1825                         hash&gt;_setup-noflavor-pgm</FONT></P> 
    1826                         <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Check 
    1827                         the package documentation or run postinstall -verbose to see what 
    1828                         happened</FONT></P> 
     1889                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><BR> 
     1890                        </P> 
     1891                        <P LANG="fr-FR"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
     1892                        $GLOBUS_LOCATION/setup/globus/setup-simple-ca</FONT></P> 
    18291893                </TD> 
    18301894        </TR> 
     
    18321896<P CLASS="western" ALIGN=LEFT><BR><BR> 
    18331897</P> 
    1834 <P CLASS="western" ALIGN=LEFT>This can be ignored.</P> 
    1835 <H4 CLASS="western">4.6.4.1Modifications to Configuration File 
    1836 Settings</H4> 
    1837 <P CLASS="western" ALIGN=LEFT>The configuration files installed 
    1838 require some minor modifications before proceeding:</P> 
    1839 <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm">Under the 
    1840 directory <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$GLOBUS_LOCATION/etc</SPAN></FONT>, 
    1841 edit <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">globus-host-ssl.conf</SPAN></FONT> 
    1842 and under the section <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">[ 
    1843 req_distinguished_name ]</SPAN></FONT>, edit the setting for 
    1844 <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">0.organizationalUnitName_default</SPAN></FONT> 
    1845 and change the default <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">BADC</SPAN></FONT> 
    1846 to the name of the organisation where this NDG security software is 
    1847 being installed.  This name will be used as the default for the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">OU</SPAN></FONT> 
    1848 field of certificates held in the MyProxy server.</P> 
     1898<P CLASS="western" ALIGN=LEFT>You will be prompted for the following 
     1899information:</P> 
     1900<OL> 
     1901        <LI><P CLASS="western" ALIGN=LEFT>Subject Name: When prompted, type 
     1902        'n' to override the default and set an appropriate subject name for 
     1903        the CA for your organisation.  O = Organisation Name, OU = 
     1904        Organisational Unit (you can set more than one), CN = the Common 
     1905        Name i.e. the name of the Certificate Authority.  For 
     1906        example,<BR><BR>/O=STFC/OU=Rutherford Appleton 
     1907        Laboratory/OU=Testing/CN=CA<BR><BR>could be the Certificate 
     1908        Authority’s subject for a CA for the Space Science and Technology 
     1909        Department at Rutherford Appleton Laboratory which is part of the 
     1910        Science and Technology Facilities Council.</P> 
     1911        <LI><P CLASS="western" ALIGN=LEFT>e-mail Address: the contact 
     1912        address for certificate requests.   If you are using the CA for 
     1913        MyProxy only you will probably not need this facility.  You could 
     1914        enter globus@&lt;target host&gt; or some suitable administrative 
     1915        contact</P> 
     1916        <LI><P CLASS="western" ALIGN=LEFT>CA Certificate Expiry Date: Press 
     1917        enter to accept the default of five years, otherwise override and 
     1918        enter your required period.</P> 
     1919        <LI><P CLASS="western" ALIGN=LEFT>PEM Pass phrase: this is the 
     1920        password that will protect the CA's private key file.  It will need 
     1921        to be entered in MyProxy's configuration file to enable MyProxy to 
     1922        dynamically issue certificates.</P> 
     1923</OL> 
     1924<P CLASS="western" ALIGN=LEFT>A message will appear indicating that 
     1925the set-up has completed and confirming the subject chosen for your 
     1926certificate and the location of certificate and private key:</P> 
     1927<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
     1928        <COL WIDTH=596> 
     1929        <TR> 
     1930                <TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6"> 
     1931                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
     1932                        $GLOBUS_LOCATION/setup/globus/setup-simple-ca</FONT></P> 
     1933                        <P STYLE="margin-bottom: 0cm"><BR> 
     1934                        </P> 
     1935                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">C 
     1936                        e r t i f i c a t e    A u t h o r i t y    S e t u p</FONT></P> 
     1937                        <P STYLE="margin-bottom: 0cm"><BR> 
     1938                        </P> 
     1939                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">This 
     1940                        script will setup a Certificate Authority for signing Globus</FONT></P> 
     1941                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">users 
     1942                        certificates.  It will also generate a simple CA package</FONT></P> 
     1943                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">that 
     1944                        can be distributed to the users of the CA.</FONT></P> 
     1945                        <P STYLE="margin-bottom: 0cm"><BR> 
     1946                        </P> 
     1947                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">The 
     1948                        CA information about the certificates it distributes will</FONT></P> 
     1949                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">be 
     1950                        kept in:</FONT></P> 
     1951                        <P STYLE="margin-bottom: 0cm"><BR> 
     1952                        </P> 
     1953                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">/root/.globus/simpleCA/</FONT></P> 
     1954                        <P STYLE="margin-bottom: 0cm"><BR> 
     1955                        </P> 
     1956                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">The 
     1957                        unique subject name for this CA is:</FONT></P> 
     1958                        <P STYLE="margin-bottom: 0cm"><BR> 
     1959                        </P> 
     1960                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">cn=Globus 
     1961                        Simple CA, ou=simpleCA-gabriel, ou=GlobusTest, o=Grid</FONT></P> 
     1962                        <P STYLE="margin-bottom: 0cm"><BR> 
     1963                        </P> 
     1964                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Do 
     1965                        you want to keep this as the CA subject (y/n) [y]:n</FONT></P> 
     1966                        <P STYLE="margin-bottom: 0cm"><BR> 
     1967                        </P> 
     1968                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Enter 
     1969                        a unique subject name for this CA:cn=CA, ou=BADC, ou=Gabriel, 
     1970                        o=NDG</FONT></P> 
     1971                        <P STYLE="margin-bottom: 0cm"><BR> 
     1972                        </P> 
     1973                        <P STYLE="margin-bottom: 0cm"><BR> 
     1974                        </P> 
     1975                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Enter 
     1976                        the email of the CA (this is the email where certificate</FONT></P> 
     1977                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">requests 
     1978                        will be sent to be signed by the CA):p.j.kershaw@rl.ac.uk</FONT></P> 
     1979                        <P STYLE="margin-bottom: 0cm"><BR> 
     1980                        </P> 
     1981                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">The 
     1982                        CA certificate has an expiration date. Keep in mind that</FONT></P> 
     1983                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">once 
     1984                        the CA certificate has expired, all the certificates</FONT></P> 
     1985                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">signed 
     1986                        by that CA become invalid.  A CA should regenerate</FONT></P> 
     1987                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">the 
     1988                        CA certificate and start re-issuing ca-setup packages</FONT></P> 
     1989                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">before 
     1990                        the actual CA certificate expires.  This can be done</FONT></P> 
     1991                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">by 
     1992                        re-running this setup script.  Enter the number of DAYS</FONT></P> 
     1993                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">the 
     1994                        CA certificate should last before it expires.</FONT></P> 
     1995                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">[default: 
     1996                        5 years (1825 days)]:</FONT></P> 
     1997                        <P STYLE="margin-bottom: 0cm"><BR> 
     1998                        </P> 
     1999                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Enter 
     2000                        PEM pass phrase:</FONT></P> 
     2001                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Verifying 
     2002                        - Enter PEM pass phrase:</FONT></P> 
     2003                        <P STYLE="margin-bottom: 0cm"><BR> 
     2004                        </P> 
     2005                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">creating 
     2006                        CA config package...done.</FONT></P> 
     2007                        <P STYLE="margin-bottom: 0cm"><BR> 
     2008                        </P> 
     2009                        <P STYLE="margin-bottom: 0cm"><BR> 
     2010                        </P> 
     2011                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">A 
     2012                        self-signed certificate has been generated</FONT></P> 
     2013                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">for 
     2014                        the Certificate Authority with the subject:</FONT></P> 
     2015                        <P STYLE="margin-bottom: 0cm"><BR> 
     2016                        </P> 
     2017                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">/O=NDG/OU=Gabriel/OU=BADC/CN=CA</FONT></P> 
     2018                        <P STYLE="margin-bottom: 0cm"><BR> 
     2019                        </P> 
     2020                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">If 
     2021                        this is invalid, rerun this script</FONT></P> 
     2022                        <P STYLE="margin-bottom: 0cm"><BR> 
     2023                        </P> 
     2024                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">/usr/local/gt4.0.5/setup/globus/setup-simple-ca</FONT></P> 
     2025                        <P STYLE="margin-bottom: 0cm"><BR> 
     2026                        </P> 
     2027                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">and 
     2028                        enter the appropriate fields.</FONT></P> 
     2029                        <P STYLE="margin-bottom: 0cm"><BR> 
     2030                        </P> 
     2031                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">-------------------------------------------------------------------</FONT></P> 
     2032                        <P STYLE="margin-bottom: 0cm"><BR> 
     2033                        </P> 
     2034                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">The 
     2035                        private key of the CA is stored in 
     2036                        /root/.globus/simpleCA//private/cakey.pem</FONT></P> 
     2037                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">The 
     2038                        public CA certificate is stored in 
     2039                        /root/.globus/simpleCA//cacert.pem</FONT></P> 
     2040                        <P STYLE="margin-bottom: 0cm"><BR> 
     2041                        </P> 
     2042                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">The 
     2043                        distribution package built for this CA is stored in</FONT></P> 
     2044                        <P STYLE="margin-bottom: 0cm"><BR> 
     2045                        </P> 
     2046                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">/root/.globus/simpleCA//globus_simple_ca_2cba3376_setup-0.19.tar.gz</FONT></P> 
     2047                        <P STYLE="margin-bottom: 0cm"><BR> 
     2048                        </P> 
     2049                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">This 
     2050                        file must be distributed to any host wishing to request</FONT></P> 
     2051                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">certificates 
     2052                        from this CA.</FONT></P> 
     2053                        <P STYLE="margin-bottom: 0cm"><BR> 
     2054                        </P> 
     2055                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">CA 
     2056                        setup complete.</FONT></P> 
     2057                        <P STYLE="margin-bottom: 0cm"><BR> 
     2058                        </P> 
     2059                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">The 
     2060                        following commands will now be run to setup the security</FONT></P> 
     2061                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">configuration 
     2062                        files for this CA:</FONT></P> 
     2063                        <P STYLE="margin-bottom: 0cm"><BR> 
     2064                        </P> 
     2065                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$GLOBUS_LOCATION/sbin/gpt-build 
     2066                        /root/.globus/simpleCA//globus_simple_ca_2cba3376_setup-0.19.tar.gz</FONT></P> 
     2067                        <P STYLE="margin-bottom: 0cm"><BR> 
     2068                        </P> 
     2069                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$GLOBUS_LOCATION/sbin/gpt-postinstall</FONT></P> 
     2070                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">-------------------------------------------------------------------</FONT></P> 
     2071                        <P STYLE="margin-bottom: 0cm"><BR> 
     2072                        </P> 
     2073                        <P STYLE="margin-bottom: 0cm"><BR> 
     2074                        </P> 
     2075                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">setup-ssl-utils: 
     2076                        Configuring ssl-utils package</FONT></P> 
     2077                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Running 
     2078                        setup-ssl-utils-sh-scripts...</FONT></P> 
     2079                        <P STYLE="margin-bottom: 0cm"><BR> 
     2080                        </P> 
     2081                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">***************************************************************************</FONT></P> 
     2082                        <P STYLE="margin-bottom: 0cm"><BR> 
     2083                        </P> 
     2084                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Note: 
     2085                        To complete setup of the GSI software you need to run the</FONT></P> 
     2086                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">following 
     2087                        script as root to configure your security configuration</FONT></P> 
     2088                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">directory:</FONT></P> 
     2089                        <P STYLE="margin-bottom: 0cm"><BR> 
     2090                        </P> 
     2091                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">/usr/local/gt4.0.5/setup/globus_simple_ca_2cba3376_setup/setup-gsi</FONT></P> 
     2092                        <P STYLE="margin-bottom: 0cm"><BR> 
     2093                        </P> 
     2094                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">For 
     2095                        further information on using the setup-gsi script, use the -help</FONT></P> 
     2096                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">option. 
     2097                         The -default option sets this security configuration to be</FONT></P> 
     2098                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">the 
     2099                        default, and -nonroot can be used on systems where root access is</FONT></P> 
     2100                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">not 
     2101                        available.</FONT></P> 
     2102                        <P STYLE="margin-bottom: 0cm"><BR> 
     2103                        </P> 
     2104                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">***************************************************************************</FONT></P> 
     2105                        <P STYLE="margin-bottom: 0cm"><BR> 
     2106                        </P> 
     2107                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">setup-ssl-utils: 
     2108                        Complete</FONT></P> 
     2109                        <P STYLE="margin-bottom: 0cm"><BR> 
     2110                        </P> 
     2111                        <P><BR> 
     2112                        </P> 
     2113                </TD> 
     2114        </TR> 
     2115</TABLE> 
     2116<P CLASS="western" ALIGN=LEFT><BR><BR> 
     2117</P> 
     2118<P CLASS="western" ALIGN=LEFT>The number in the file names “ 
     21192cba3376” is a unique h<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ash</SPAN></FONT> 
     2120identifier for the CA.  It will be different for for your 
     2121installation when you run the setup.  To complete the set-up run the 
     2122setup-gsi script:</P> 
     2123<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
     2124        <COL WIDTH=596> 
     2125        <TR> 
     2126                <TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6"> 
     2127                        <P STYLE="margin-bottom: 0cm"><BR> 
     2128                        </P> 
     2129                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
     2130                        $GLOBUS_LOCATION/setup/globus_simple_ca_2cba3376_setup/setup-gsi </FONT> 
     2131                        </P> 
     2132                        <P>–<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">default 
     2133                        </FONT> 
     2134                        </P> 
     2135                </TD> 
     2136        </TR> 
     2137</TABLE> 
     2138<P STYLE="margin-bottom: 0cm"><BR> 
     2139</P> 
     2140<H3 CLASS="western"><A NAME="4.7.5. Host Certificate Creation|outline"></A> 
     21414.7.5 Host Certificate Creation</H3> 
     2142<P CLASS="western">As root user to carry out these steps.   First 
     2143check the path to the command <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">grid-cert-request</SPAN></FONT>:</P> 
    18492144<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR> 
    18502145</P> 
    1851 <TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
    1852         <COL WIDTH=610> 
    1853         <TR> 
    1854                 <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0"> 
    1855                         <P STYLE="margin-bottom: 0cm"><BR> 
    1856                         </P> 
    1857                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">[ 
    1858                         req_distinguished_name ]</FONT></P> 
    1859                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"># 
    1860                         BEGIN CONFIG</FONT></P> 
    1861                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">0.organizationName 
    1862                                       = Level 0 Organization</FONT></P> 
    1863                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">0.organizationName_default 
    1864                               = NDG</FONT></P> 
    1865                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">0.organizationalUnitName 
    1866                                  = Level 0 Organizational Unit</FONT></P> 
    1867                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">0.organizationalUnitName_default 
    1868                         = BADC</FONT></P> 
    1869                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">commonName 
    1870                                              = Name (e.g., John M. Smith)</FONT></P> 
    1871                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">commonName_max 
    1872                                          = 64</FONT></P> 
    1873                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"># 
    1874                         END CONFIG</FONT></P> 
    1875                         <P><BR> 
    1876                         </P> 
    1877                 </TD> 
    1878         </TR> 
    1879 </TABLE> 
    1880 <P CLASS="western" ALIGN=LEFT><BR><BR> 
    1881 </P> 
    1882 <P CLASS="western" ALIGN=LEFT>Under the same directory, edit the file 
    1883 <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">globus-user-ssl.conf</SPAN></FONT> 
    1884 and carry out the same modification as above but also comment out the 
    1885 two lines below <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">1.organizationalUnitName</SPAN></FONT> 
    1886 and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">1.organizationalUnitName_default</SPAN></FONT>:</P> 
    1887 <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR> 
    1888 </P> 
    1889 <TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
    1890         <COL WIDTH=610> 
    1891         <TR> 
    1892                 <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0"> 
    1893                         <P STYLE="margin-bottom: 0cm"><BR> 
    1894                         </P> 
    1895                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">[ 
    1896                         req_distinguished_name ]</FONT></P> 
    1897                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"># 
    1898                         BEGIN CONFIG</FONT></P> 
    1899                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">0.organizationName 
    1900                                       = Level 0 Organization</FONT></P> 
    1901                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">0.organizationName_default 
    1902                               = NDG</FONT></P> 
    1903                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">0.organizationalUnitName 
    1904                                  = Level 0 Organizational Unit</FONT></P> 
    1905                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">0.organizationalUnitName_default 
    1906                         = BADC</FONT></P> 
    1907                         <P STYLE="margin-bottom: 0cm"><BR> 
    1908                         </P> 
    1909                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#1.organizationalUnitName 
    1910                                  = Level 1 Organizational Unit</FONT></P> 
    1911                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#1.organizationalUnitName_default 
    1912                         = badc.rl.ac.uk</FONT></P> 
    1913                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">commonName 
    1914                                              = Name (e.g., John M. Smith)</FONT></P> 
    1915                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">commonName_max 
    1916                                          = 64</FONT></P> 
    1917                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"># 
    1918                         END CONFIG</FONT></P> 
    1919                         <P><BR> 
    1920                         </P> 
    1921                 </TD> 
    1922         </TR> 
    1923 </TABLE> 
    1924 <P CLASS="western" ALIGN=LEFT><BR><BR> 
    1925 </P> 
    1926 <P CLASS="western" ALIGN=LEFT>Edit 
    1927 <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$GLOBUS_LOCATION/share/certificates/&lt;CA 
    1928 Hash&gt;.signing_policy</SPAN></FONT> and change the setting of <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">OU</FONT> 
    1929 in the line:</P> 
    1930 <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR> 
    1931 </P> 
    1932 <TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
    1933         <COL WIDTH=610> 
    1934         <TR> 
    1935                 <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0"> 
    1936                         <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR> 
    1937                         </P> 
    1938                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">cond_subjects 
    1939                             globus       '&quot;/O=NDG/OU=BADC/*&quot;'</FONT></P> 
    1940                         <P CLASS="western" ALIGN=LEFT><BR> 
    1941                         </P> 
    1942                 </TD> 
    1943         </TR> 
    1944 </TABLE> 
    1945 <P CLASS="western" ALIGN=LEFT><BR><BR> 
    1946 </P> 
    1947 <P CLASS="western" ALIGN=LEFT>Replacing ‘BADC’ with the name of 
    1948 the Organisational Unit for your organisation.  This should be the 
    1949 same as <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">0.organizationalUnitName_default</SPAN></FONT> 
    1950 set above for <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">globus-host-ssl.conf</FONT> 
    1951 and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">globus-user-ssl.conf</FONT>.</P> 
    1952 <P CLASS="western" ALIGN=LEFT>Having completed these steps, a host 
    1953 certificate for the target machine can be made in order to identify 
    1954 it.</P> 
    1955 <H3 CLASS="western"><A NAME="4.6.5.Host Certificate Creation|outline"></A> 
    1956 4.6.5Host Certificate Creation</H3> 
    1957 <P CLASS="western" ALIGN=LEFT>Login as <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">globus</SPAN></FONT> 
    1958 user to carry out these steps.   <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">ndgSetup.sh 
    1959 </FONT>should configure the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">PATH</FONT> 
    1960 variable to have included the Globus executable directories 
    1961 <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$GLOBUS_LOCATION/bin</FONT> 
    1962 and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$GLOBUS_LOCATION/sbin</FONT>. 
    1963  Check the path to the command <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">grid-cert-request</SPAN></FONT>:</P> 
    1964 <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR> 
    1965 </P> 
    1966 <TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
    1967         <COL WIDTH=610> 
    1968         <TR> 
    1969                 <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0"> 
     2146<TABLE WIDTH=609 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
     2147        <COL WIDTH=593> 
     2148        <TR> 
     2149                <TD WIDTH=593 VALIGN=TOP BGCOLOR="#e0e0e0"> 
    19702150                        <P STYLE="margin-bottom: 0cm"><BR> 
    19712151                        </P> 
     
    19782158</TABLE> 
    19792159<P CLASS="western" ALIGN=JUSTIFY><BR>Should return something like: 
    1980 <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">/usr/local/NDG/globus-4.0.1/bin/grid-cert-request</FONT></P> 
     2160<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">/usr/local/globus-4.0.5/bin/grid-cert-request</FONT></P> 
     2161<P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">If 
     2162not check the settings as made earlier for the SimpleCA:</FONT></P> 
     2163<P CLASS="western" ALIGN=JUSTIFY><BR><BR> 
     2164</P> 
     2165<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
     2166        <COL WIDTH=596> 
     2167        <TR> 
     2168                <TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6"> 
     2169                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><BR> 
     2170                        </P> 
     2171                        <P LANG="fr-FR"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
     2172                        export GLOBUS_LOCATION=/usr/local/globus-4.0.5<BR>$ export 
     2173                        GPT_LOCATION=$GLOBUS_LOCATION<BR>$ . 
     2174                        $GLOBUS_LOCATION/etc/globus-user-env.sh</FONT></P> 
     2175                </TD> 
     2176        </TR> 
     2177</TABLE> 
     2178<P><BR><BR> 
     2179</P> 
    19812180<P CLASS="western" ALIGN=JUSTIFY>To generate a host certificate 
    1982 request, change to the certificates directory:</P> 
    1983 <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR> 
    1984 </P> 
    1985 <TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
    1986         <COL WIDTH=610> 
    1987         <TR> 
    1988                 <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0"> 
     2181request:</P> 
     2182<TABLE WIDTH=608 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
     2183        <COL WIDTH=592> 
     2184        <TR> 
     2185                <TD WIDTH=592 VALIGN=TOP BGCOLOR="#e0e0e0"> 
    19892186                        <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR> 
    19902187                        </P> 
    19912188                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
    1992                         cd $GLOBUS_LOCATION/etc</FONT></P> 
    1993                         <P CLASS="western" ALIGN=LEFT><BR> 
    1994                         </P> 
    1995                 </TD> 
    1996         </TR> 
    1997 </TABLE> 
    1998 <P CLASS="western" ALIGN=JUSTIFY><BR>Nb. If you installed MyProxy as 
    1999 <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">root</SPAN></FONT>, 
    2000 as root user change to <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/etc/grid-security</SPAN></FONT> 
    2001 where the certificates should be held.</P> 
    2002 <TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
    2003         <COL WIDTH=610> 
    2004         <TR> 
    2005                 <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0"> 
    2006                         <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR> 
    2007                         </P> 
    2008                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
    2009                         grid-cert-request –host &lt;machine hostname&gt; -dir .</FONT></P> 
     2189                        grid-cert-request –host &lt;fully qualified hostname&gt; </FONT> 
     2190                        </P> 
    20102191                        <P CLASS="western" ALIGN=LEFT><BR> 
    20112192                        </P> 
     
    20172198<P CLASS="western" ALIGN=LEFT>This creates the files <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">hostcert.pem</FONT>, 
    20182199<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">hostkey.pem</FONT> 
    2019 and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">hostcert_request.pem</FONT>. 
    2020  <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">hostcert.pem</FONT> 
     2200and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">hostcert_request.pem 
     2201in /etc/grid-security directory</FONT>. <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">hostcert.pem</FONT> 
    20212202is empty.   
    20222203</P> 
    20232204<P CLASS="western" ALIGN=JUSTIFY>In order to obtain the certificate 
    2024 it must be signed by the NDG CA.  Contact the NDG CA forwarding 
    2025 <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">hostcert_request.pem</FONT>. 
    2026  The CA will issue a <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">hostcert.pem</FONT> 
    2027 file.  Copy this file into this directory i.e. <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$GLOBUS_LOCATION/etc</FONT>. 
    2028   <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">hostcert_request.pem 
    2029 </FONT>is no longer needed and may be deleted if desired.</P> 
    2030 <H3 CLASS="western"><A NAME="4.6.6.MyProxy Configuration File|outline"></A> 
    2031 4.6.6MyProxy Configuration File</H3> 
     2205it must be signed by the CA:   
     2206</P> 
     2207<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
     2208        <COL WIDTH=596> 
     2209        <TR> 
     2210                <TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6"> 
     2211                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><BR> 
     2212                        </P> 
     2213                        <P LANG="fr-FR"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
     2214                        grid-ca-sign -in  /<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">etc/grid-security/hostcert_request.pem 
     2215                         -out  /etc/grid-security/hostcert.pem </FONT></FONT> 
     2216                        </P> 
     2217                </TD> 
     2218        </TR> 
     2219</TABLE> 
     2220<P CLASS="western" ALIGN=JUSTIFY><BR><BR> 
     2221</P> 
     2222<P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">hostcert_request.pem 
     2223</FONT>is no longer needed and can be deleted.</P> 
     2224<H3 CLASS="western"><A NAME="4.7.6. MyProxy Configuration File|outline"></A> 
     22254.7.6 MyProxy Configuration File</H3> 
    20322226<P CLASS="western" ALIGN=JUSTIFY>A MyProxy configuration file is 
    20332227normally kept in the Globus installation under the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">etc</SPAN></FONT> 
     
    20502244<P CLASS="western" ALIGN=JUSTIFY><BR><BR> 
    20512245</P> 
    2052 <P CLASS="western" ALIGN=JUSTIFY>As the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">globus</FONT> 
    2053 user edit <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$GLOBUS_LOCATION/etc/myproxy-server.config</FONT></P> 
    2054 <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm">Modify the 
    2055 entries under the section <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Complete 
     2246<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm">Edit 
     2247<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$GLOBUS_LOCATION/etc/myproxy-server.config 
     2248 m</FONT>odifying the entries under the section <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Complete 
    20562249Sample Policy</SPAN></FONT> so that they are all uncommented (remove 
    20572250leading <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB"># 
     
    20742267                        myproxy-server features.  See below for more examples.</FONT></P> 
    20752268                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">accepted_credentials 
    2076                          &quot;*&quot;</FONT></P> 
     2269                               &quot;*&quot;</FONT></P> 
    20772270                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">authorized_retrievers 
    2078                         &quot;*&quot;</FONT></P> 
     2271                               &quot;*&quot;</FONT></P> 
    20792272                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">default_retrievers 
    2080                            &quot;*&quot;</FONT></P> 
     2273                                     &quot;*&quot;</FONT></P> 
    20812274                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">authorized_renewers 
    2082                           &quot;*&quot;</FONT></P> 
     2275                                &quot;*&quot;</FONT></P> 
    20832276                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">default_renewers 
    2084                              &quot;none&quot;</FONT></P> 
     2277                                      &quot;none&quot;</FONT></P> 
    20852278                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">authorized_key_retrievers 
    20862279                        &quot;*&quot;</FONT></P> 
    20872280                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">default_key_retrievers 
    2088                         &quot;none&quot;</FONT></P> 
     2281                              &quot;none&quot;</FONT></P> 
     2282                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">trusted_retrievers 
     2283                                     â€œ*”</FONT></P> 
     2284                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">default_trusted_retrievers 
     2285                        “none”</FONT></P> 
    20892286                        <P><BR> 
    20902287                        </P> 
     
    20962293<P CLASS="western" ALIGN=LEFT>Note that the wildcards for these 
    20972294fields may be modified such that only Distinguished Names of a given 
    2098 format may be accepted e.g. <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">&quot;/O=NDG/OU=BADC/*&quot;</SPAN></FONT></P> 
    2099 <H3 CLASS="western"><A NAME="4.6.7.Repository Directory|outline"></A>4.6.7Repository 
    2100 Directory</H3> 
    2101 <P CLASS="western" ALIGN=LEFT>A directory needs to be specified on 
    2102 the file system to store the user credentials generated by MyProxy.  
    2103 This should be owned by the account that runs <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy-server</SPAN></FONT>. 
    2104  In the examples given this would be the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB"><FONT SIZE=2 STYLE="font-size: 9pt">globus</FONT></SPAN></FONT> 
    2105 user and the expected location, <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$GLOBUS_LOCATION/var</SPAN></FONT>. 
    2106   See section 2.3.2 <I>MyProxy user account and repository location</I>.</P> 
    2107 <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm">Login as the 
    2108 <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">globus</SPAN></FONT> 
    2109 user and change directory to the location for the repository:</P> 
    2110 <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR> 
    2111 </P> 
    2112 <TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
    2113         <COL WIDTH=610> 
    2114         <TR> 
    2115                 <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0"> 
    2116                         <P STYLE="margin-bottom: 0cm"><BR> 
    2117                         </P> 
    2118                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
    2119                         cd $GLOBUS_LOCATION/var</FONT></P> 
    2120                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
    2121                         mkdir myproxy</FONT></P> 
    2122                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
    2123                         chmod 700 myproxy</FONT></P> 
    2124                         <P><BR> 
    2125                         </P> 
    2126                 </TD> 
    2127         </TR> 
    2128 </TABLE> 
    2129 <P CLASS="western" ALIGN=JUSTIFY><BR><BR> 
    2130 </P> 
     2295format are accepted e.g. <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">&quot;/O=NDG/OU=BADC/*&quot;</SPAN></FONT></P> 
    21312296<P CLASS="western" ALIGN=JUSTIFY>The <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">chmod 
    21322297</SPAN></FONT>command ensures that only the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">globus</SPAN></FONT> 
    21332298user has read/write access for the directory.  Note also that the 
    21342299directory need not be called <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy</SPAN></FONT>.</P> 
    2135 <H3 CLASS="western"><A NAME="4.6.8.Adding MyProxy Server to the system start up|outline"></A> 
    2136 4.6.8Adding MyProxy Server to the system start up</H3> 
     2300<H3 CLASS="western"><A NAME="4.7.7. MyProxy SimpleCA Configuration|outline"></A> 
     23014.7.7 MyProxy SimpleCA Configuration</H3> 
     2302<P CLASS="western" ALIGN=LEFT>NDG Security uses MyProxy to 
     2303dynamically generate user certificates on user login.  For this, 
     2304MyProxy requires configuration details from the SimpleCA.  Make these 
     2305settings in $GLOBUS_LOCATION/etc/myproxy-server.config (Note that the 
     2306sensitivity of this information and the need to secure this file 
     2307carefully!)</P> 
     2308<OL> 
     2309        <LI><P CLASS="western" ALIGN=JUSTIFY>enable any retriever – 
     2310        retrieval is based on the retrievers login credentials:</P> 
     2311        <TABLE WIDTH=593 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
     2312                <COL WIDTH=577> 
     2313                <TR> 
     2314                        <TD WIDTH=577 VALIGN=TOP BGCOLOR="#e0e0e0"> 
     2315                                <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR> 
     2316                                </P> 
     2317                                <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">authorized_retrievers 
     2318                                &quot;*&quot;</FONT></P> 
     2319                        </TD> 
     2320                </TR> 
     2321        </TABLE> 
     2322        <P CLASS="western" ALIGN=JUSTIFY></P> 
     2323        <LI><P CLASS="western" ALIGN=LEFT>Set the path to the CA 
     2324        certificate.  In this example the CA is installed in the root user's 
     2325        home directory:</P> 
     2326</OL> 
     2327<DL> 
     2328        <DD> 
     2329        <TABLE WIDTH=593 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
     2330                <COL WIDTH=577> 
     2331                <TR> 
     2332                        <TD WIDTH=577 VALIGN=TOP BGCOLOR="#e0e0e0"> 
     2333                                <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR> 
     2334                                </P> 
     2335                                <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">certificate_issuer_cert 
     2336                                /root/.globus/simpleCA/cacert.pem</FONT></P> 
     2337                        </TD> 
     2338                </TR> 
     2339        </TABLE> 
     2340</DL> 
     2341<P CLASS="western" ALIGN=JUSTIFY><BR><BR> 
     2342</P> 
     2343<OL START=3> 
     2344        <LI><P CLASS="western" ALIGN=LEFT>Set the path to the CA private 
     2345        key:  
     2346        </P> 
     2347        <TABLE WIDTH=593 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
     2348                <COL WIDTH=577> 
     2349                <TR> 
     2350                        <TD WIDTH=577 VALIGN=TOP BGCOLOR="#e0e0e0"> 
     2351                                <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR> 
     2352                                </P> 
     2353                                <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">certificate_issuer_key 
     2354                                /root/.globus/simpleCA/private/cakey.pem</FONT></P> 
     2355                        </TD> 
     2356                </TR> 
     2357        </TABLE> 
     2358        <P CLASS="western" ALIGN=JUSTIFY></P> 
     2359        <LI><P CLASS="western" ALIGN=LEFT>Provide the password to the CA's 
     2360        private key.  (This was set when you created the SimpleCA with 
     2361        $GLOBUS_LOCATION/setup/globus/setup-simple-ca):</P> 
     2362        <TABLE WIDTH=593 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
     2363                <COL WIDTH=577> 
     2364                <TR> 
     2365                        <TD WIDTH=577 VALIGN=TOP BGCOLOR="#e0e0e0"> 
     2366                                <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR> 
     2367                                </P> 
     2368                                <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">certificate_issuer_key_passphrase 
     2369                                &quot;password&quot;</FONT></P> 
     2370                        </TD> 
     2371                </TR> 
     2372        </TABLE> 
     2373        <P CLASS="western" ALIGN=JUSTIFY></P> 
     2374        <LI><P CLASS="western" ALIGN=JUSTIFY>Set the path to the certificate 
     2375        serial file</P> 
     2376        <TABLE WIDTH=593 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
     2377                <COL WIDTH=577> 
     2378                <TR> 
     2379                        <TD WIDTH=577 VALIGN=TOP BGCOLOR="#e0e0e0"> 
     2380                                <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><BR>certificate_serialfile 
     2381                                /root/.globus/simpleCA/serial </FONT> 
     2382                                </P> 
     2383                        </TD> 
     2384                </TR> 
     2385        </TABLE> 
     2386        <P CLASS="western" ALIGN=JUSTIFY></P> 
     2387        <LI><P CLASS="western" ALIGN=JUSTIFY>Configure how MyProxy maps 
     2388        usernames to Distinguished Names in generated certificates. This can 
     2389        be done either with a grid mapfile or a script.  A script is more 
     2390        flexible as you can use a wildcard match rather requiring a map 
     2391        entry for every single user.  An example script is:</P> 
     2392        <TABLE WIDTH=593 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
     2393                <COL WIDTH=577> 
     2394                <TR> 
     2395                        <TD WIDTH=577 VALIGN=TOP BGCOLOR="#e0e0e0"> 
     2396                                <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR> 
     2397                                </P> 
     2398                                <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#!/bin/sh<BR>username=$1<BR>if 
     2399                                [ X&quot;$username&quot; = X ]; then<BR>    # no username given<BR> 
     2400                                   exit 1<BR>fi<BR>echo 
     2401                                &quot;/O=NDG/OU=Gabriel/OU=BADC/CN=${username}&quot;</FONT></P> 
     2402                                <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">exit 
     2403                                0</FONT></P> 
     2404                        </TD> 
     2405                </TR> 
     2406        </TABLE> 
     2407        <P CLASS="western" ALIGN=LEFT><BR>In the example above, if a user 
     2408        logs in as pjkershaw, they will be issued with a certificate with 
     2409        the Distinguished Name /O=NDG/OU=Gabriel/OU=BADC/CN=pjkershaw. Copy 
     2410        the file above file into $GLOBUS_LOCATION/sbin/mapper.sh replacing 
     2411        “/O=NDG/OU=Gabriel/OU=BADC/CN=” with the form of the 
     2412        Distinguished Name that you require for users for your site.  Ensure 
     2413        that the file has execute permissions set e.g.<BR><BR><BR> 
     2414        </P> 
     2415        <TABLE WIDTH=593 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
     2416                <COL WIDTH=577> 
     2417                <TR> 
     2418                        <TD WIDTH=577 VALIGN=TOP BGCOLOR="#e0e0e0"> 
     2419                                <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR> 
     2420                                </P> 
     2421                                <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
     2422                                chmod 700 $GLOBUS_LOCATION/sbin/mapper.sh</FONT></P> 
     2423                                <P CLASS="western" ALIGN=LEFT><BR> 
     2424                                </P> 
     2425                        </TD> 
     2426                </TR> 
     2427        </TABLE> 
     2428        <P CLASS="western" ALIGN=LEFT><BR>Refer to the script in 
     2429        $GLOBUS_LOCATION/etc/myproxy-server.config with this setting:</P> 
     2430        <TABLE WIDTH=593 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
     2431                <COL WIDTH=577> 
     2432                <TR> 
     2433                        <TD WIDTH=577 VALIGN=TOP BGCOLOR="#e0e0e0"> 
     2434                                <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><BR>certificate_mapapp 
     2435                                /usr/local/globus-4.0.5/sbin/mapper.sh</FONT></P> 
     2436                        </TD> 
     2437                </TR> 
     2438        </TABLE> 
     2439        <P CLASS="western" ALIGN=LEFT></P> 
     2440</OL> 
     2441<H3 CLASS="western"><A NAME="4.7.8. MyProxy PAM Configuration|outline"></A> 
     24424.7.8 MyProxy PAM Configuration</H3> 
     2443<P CLASS="western" ALIGN=JUSTIFY>Reference: 
     2444<A HREF="http://grid.ncsa.uiuc.edu/myproxy/pam.html">http://grid.ncsa.uiuc.edu/myproxy/pam.html</A></P> 
     2445<P CLASS="western" ALIGN=JUSTIFY>NDG Security makes use of MyProxy 
     2446with PAM to enable MyProxy logon requests to be authenticated against 
     2447a site's existing security infrastructure, for example a user 
     2448database or LDAP repository.   Linux systems have PAMs for login, ssh 
     2449and other services.   PAMs can be obtained for the major database 
     2450varieties such as MySQL, Postgres and Oracle.</P> 
     2451<P CLASS="western">To configure MyProxy for PAM, settings are made 
     2452via myproxy-server.config to two different fields:</P> 
     2453<UL> 
     2454        <LI><P CLASS="western">pam: may be set to disabled, “required” 
     2455        or “sufficient”.   Set to “required”.  With this setting, 
     2456        all MyProxy logon requests will be authenticated via PAM.   The 
     2457        “sufficient” setting may be useful in some circumstances.  It 
     2458        enables authentication via PAM and via credentials held in the 
     2459        MyProxy repository.</P> 
     2460        <LI><P CLASS="western">pam_id: name that MyProxy uses to identify 
     2461        itself to PAM.   This can correspond either to a file of the same 
     2462        name in /etc/pam.d or entries prefixed with that name in 
     2463        /etc/pam.conf.  This setting determines the PAM used by MyProxy to 
     2464        authenticate.   
     2465        </P> 
     2466</UL> 
     2467<P CLASS="western">The most straightforward way to set-up MyProxy 
     2468with PAM is to try one of the existing PAMs such as login.  If the 
     2469pam_id is set to login, a myproxy-logon request will link to that 
     2470user's Linux login.</P> 
     2471<P CLASS="western">Appendices are provided at the end of this 
     2472document for some of the more common configurations.</P> 
     2473<H3 CLASS="western"><A NAME="4.7.9. Testing MyProxy|outline"></A>4.7.9 
     2474Testing MyProxy</H3> 
     2475<P CLASS="western" ALIGN=JUSTIFY>A simple way to test the MyProxy 
     2476configuration to run the myproxy-logon client command.  For initial 
     2477testing set the pam_id in $GLOBUS_LOCATION/etc/myproxy-server.config 
     2478to “logon” so that it uses the Linux user accounts for 
     2479authentication.</P> 
     2480<P CLASS="western" ALIGN=JUSTIFY>Client error messages can be 
     2481difficult to interpret but a -v verbose option is provided to give 
     2482more information.   In addition, MyProxy server can be run in debug 
     2483mode using the -d command line switch.   MyProxy should be run under 
     2484the user account in which it was installed - root.   Ensure that the 
     2485environment is set correctly i.e. GLOBUS_LOCATION variable set and 
     2486$GLOBUS_LOCATION/etc/globus-user-env.sh has been sourced<SPAN LANG="pt-PT"><FONT SIZE=2>:</FONT></SPAN></P> 
     2487<TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
     2488        <COL WIDTH=602> 
     2489        <TR> 
     2490                <TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0"> 
     2491                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><BR> 
     2492                        </P> 
     2493                        <P LANG="fr-FR"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
     2494                        export GLOBUS_LOCATION=/usr/local/globus-4.0.5<BR>$ export 
     2495                        GPT_LOCATION=$GLOBUS_LOCATION<BR>$ . 
     2496                        $GLOBUS_LOCATION/etc/globus-user-env.sh</FONT></P> 
     2497                </TD> 
     2498        </TR> 
     2499</TABLE> 
     2500<P CLASS="western" ALIGN=JUSTIFY><BR><BR> 
     2501</P> 
     2502<P CLASS="western" ALIGN=JUSTIFY>If you already have MyProxy running 
     2503via xinetd or as a process started from a SysV init script, it is 
     2504possible to run a separate MyProxy server process on a different port 
     2505with the -p flag.</P> 
     2506<TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
     2507        <COL WIDTH=602> 
     2508        <TR> 
     2509                <TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0"> 
     2510                        <P STYLE="margin-bottom: 0cm"><BR> 
     2511                        </P> 
     2512                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
     2513                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy-server 
     2514                        -d -v -p 60000</SPAN></FONT></FONT></P> 
     2515                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy-server 
     2516                        v3.7 12 Dec 2006 PAM starting at Fri Dec 21 12:45:59 2007</SPAN></FONT></FONT></P> 
     2517                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">reading 
     2518                        configuration file 
     2519                        /usr/local/globus-4.0.5/etc/myproxy-server.config</SPAN></FONT></FONT></P> 
     2520                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">CA 
     2521                        enabled</SPAN></FONT></FONT></P> 
     2522                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">using 
     2523                        storage directory /var/myproxy</SPAN></FONT></FONT></P> 
     2524                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Starting 
     2525                        myproxy-server on localhost: 60000...</SPAN></FONT></FONT></P> 
     2526                        <P><BR> 
     2527                        </P> 
     2528                </TD> 
     2529        </TR> 
     2530</TABLE> 
     2531<P CLASS="western" ALIGN=LEFT><BR><BR> 
     2532</P> 
     2533<P CLASS="western" ALIGN=LEFT>Note that in debug mode, myproxy-server 
     2534will exit after the first request made to it.</P> 
     2535<P CLASS="western" ALIGN=LEFT>Run myproxy-logon in a separate window 
     2536under a user account for which you know the Linux password.  Provide 
     2537the port number if myproxy-server was started on a different port to 
     2538the default and give the full name of the server as set in the host 
     2539certificate (/etc/grid-security/hostcert.pem)</P> 
     2540<TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
     2541        <COL WIDTH=602> 
     2542        <TR> 
     2543                <TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0"> 
     2544                        <P STYLE="margin-bottom: 0cm"><BR> 
     2545                        </P> 
     2546                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
     2547                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy-logon 
     2548                        -v -s &lt;fully qualified server hostname&gt; -p 60000</SPAN></FONT></FONT></P> 
     2549                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">MyProxy 
     2550                        v3.7 12 Dec 2006 PAM</SPAN></FONT></FONT></P> 
     2551                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Attempting 
     2552                        to connect to 127.0.0.1:60000</SPAN></FONT></FONT></P> 
     2553                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Enter 
     2554                        MyProxy pass phrase:</SPAN></FONT></FONT></P> 
     2555                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">using 
     2556                        trusted certificates directory /etc/grid-security/certificates</SPAN></FONT></FONT></P> 
     2557                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">no 
     2558                        valid credentials found -- performing anonymous authentication</SPAN></FONT></FONT></P> 
     2559                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">server 
     2560                        name: /O=NDG/OU=Gabriel/OU=BADC/CN=gabriel&lt;&gt;</SPAN></FONT></FONT></P> 
     2561                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">checking 
     2562                        that server name is acceptable...</SPAN></FONT></FONT></P> 
     2563                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">server 
     2564                        name does not match &quot;myproxy@gabriel&lt;&gt;&quot;</SPAN></FONT></FONT></P> 
     2565                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">server 
     2566                        name matches &quot;host@gabriel&lt;&gt;&quot;</SPAN></FONT></FONT></P> 
     2567                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">authenticated 
     2568                        server name is acceptable</SPAN></FONT></FONT></P> 
     2569                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">A 
     2570                        credential has been received for user pjkershaw in 
     2571                        /tmp/x509up_u1000.</SPAN></FONT></FONT></P> 
     2572                        <P><BR> 
     2573                        </P> 
     2574                </TD> 
     2575        </TR> 
     2576</TABLE> 
     2577<P CLASS="western" ALIGN=LEFT><BR><BR> 
     2578</P> 
     2579<P CLASS="western" ALIGN=LEFT>The equivalent output from the server 
     2580will be something like:</P> 
     2581<TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
     2582        <COL WIDTH=602> 
     2583        <TR> 
     2584                <TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0"> 
     2585                        <P STYLE="margin-bottom: 0cm"><BR> 
     2586                        </P> 
     2587                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Connection 
     2588                        from 127.0.0.1</SPAN></FONT></FONT></P> 
     2589                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">using 
     2590                        trusted certificates directory /etc/grid-security/certificates</SPAN></FONT></FONT></P> 
     2591                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Authenticated 
     2592                        client &lt;anonymous&gt;</SPAN></FONT></FONT></P> 
     2593                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">applying 
     2594                        trusted_retrievers policy</SPAN></FONT></FONT></P> 
     2595                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">applying 
     2596                        authorized_retrievers policy</SPAN></FONT></FONT></P> 
     2597                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">applying 
     2598                        authorized_renewers policy</SPAN></FONT></FONT></P> 
     2599                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">user_dn_lookup()</SPAN></FONT></FONT></P> 
     2600                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">resolve_via_mapapp(/usr/local/globus-4.0.5/sbin/mapper.sh, 
     2601                        pjkershaw)</SPAN></FONT></FONT></P> 
     2602                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Checking 
     2603                        passphrase via PAM.  PAM policy: &quot;sufficient&quot;; PAM ID: 
     2604                        &quot;logon&quot;</SPAN></FONT></FONT></P> 
     2605                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">PAM 
     2606                        authentication succeeded for pjkershaw</SPAN></FONT></FONT></P> 
     2607                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Received 
     2608                        GET request from &lt;anonymous&gt;</SPAN></FONT></FONT></P> 
     2609                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Sending 
     2610                        OK response to client &lt;anonymous&gt;</SPAN></FONT></FONT></P> 
     2611                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">using 
     2612                        CA callout</SPAN></FONT></FONT></P> 
     2613                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Calling 
     2614                        CA Extensions</SPAN></FONT></FONT></P> 
     2615                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">handle_certificate()</SPAN></FONT></FONT></P> 
     2616                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Cert 
     2617                        request loaded.</SPAN></FONT></FONT></P> 
     2618                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Got 
     2619                        a cert request for user &quot;pjkershaw&quot;, with pubkey hash 
     2620                        &quot;282944311&quot;, and lifetime &quot;43200&quot;</SPAN></FONT></FONT></P> 
     2621                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Using 
     2622                        internal openssl/generate_certificate() code</SPAN></FONT></FONT></P> 
     2623                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Generating 
     2624                        certificate internally.</SPAN></FONT></FONT></P> 
     2625                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">user_dn_lookup()</SPAN></FONT></FONT></P> 
     2626                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">using 
     2627                        cached value</SPAN></FONT></FONT></P> 
     2628                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">tokenizing: 
     2629                        /O=NDG/OU=BADC/OU=Gabriel/CN=pjkershaw</SPAN></FONT></FONT></P> 
     2630                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">adding: 
     2631                        O = NDG</SPAN></FONT></FONT></P> 
     2632                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">adding: 
     2633                        OU = BADC</SPAN></FONT></FONT></P> 
     2634                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">adding: 
     2635                        OU = Gabriel</SPAN></FONT></FONT></P> 
     2636                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">adding: 
     2637                        CN = pjkershaw</SPAN></FONT></FONT></P> 
     2638                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Assigning 
     2639                        serial number</SPAN></FONT></FONT></P> 
     2640                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Loaded 
     2641                        serial number F6 from /root/.globus/simpleCA/serial</SPAN></FONT></FONT></P> 
     2642                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">serial 
     2643                        number assigned</SPAN></FONT></FONT></P> 
     2644                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">cert 
     2645                        lifetime: 43200</SPAN></FONT></FONT></P> 
     2646                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">CAkey: 
     2647                        /root/.globus/simpleCA/private/cakey.pem</SPAN></FONT></FONT></P> 
     2648                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Signing 
     2649                        internally generated certificate.</SPAN></FONT></FONT></P> 
     2650                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Issued 
     2651                        certificate for user &quot;pjkershaw&quot;, with DN 
     2652                        &quot;/O=NDG/OU=BADC/OU=Gabriel/CN=pjkershaw&quot;, lifetime 
     2653                        &quot;43200&quot;, and serial number &quot;246&quot;</SPAN></FONT></FONT></P> 
     2654                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Sending 
     2655                        OK response to client &lt;anonymous&gt;</SPAN></FONT></FONT></P> 
     2656                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Client 
     2657                        &lt;anonymous&gt; disconnected</SPAN></FONT></FONT></P> 
     2658                        <P><BR> 
     2659                        </P> 
     2660                </TD> 
     2661        </TR> 
     2662</TABLE> 
     2663<P CLASS="western" ALIGN=LEFT><BR><BR> 
     2664</P> 
     2665<P CLASS="western" ALIGN=LEFT>The certificate and private key are 
     2666written to file in /tmp by myproxy-logon.   This takes the form 
     2667x509up_&lt;uid&gt;.   It's possible to check the certificate 
     2668generated using openssl e.g.:</P> 
     2669<TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
     2670        <COL WIDTH=602> 
     2671        <TR> 
     2672                <TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0"> 
     2673                        <P STYLE="margin-bottom: 0cm"><BR> 
     2674                        </P> 
     2675                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$ 
     2676                        openssl -in /tmp/x509up_1001 -text</SPAN></FONT></FONT></P> 
     2677                        <P><BR> 
     2678                        </P> 
     2679                </TD> 
     2680        </TR> 
     2681</TABLE> 
     2682<P CLASS="western" ALIGN=LEFT><BR>The output includes details 
     2683including the certificate's DN, issuer and expiry time.   If you wish 
     2684to run the test again delete or move this file as myproxy-logon will 
     2685try to use it to authenticate to the MyProxy server.</P> 
     2686<P CLASS="western" ALIGN=LEFT>If you encounter problems check the 
     2687output from the client and server. commands.  The system logs may 
     2688contain useful additional information from the PAM used.</P> 
     2689<P CLASS="western" ALIGN=LEFT>The Python MyProxy client unit tests 
     2690can be used to test the server from a separate client machine where 
     2691Python NDG services are installed but not MyProxy itself.   The 
     2692MyProxy unit tests are in the package ndg.security.test.myProxy.</P> 
     2693<H3 CLASS="western"><A NAME="4.7.10. Adding MyProxy Server to the system start up|outline"></A> 
     26944.7.10 Adding MyProxy Server to the system start up</H3> 
    21372695<P CLASS="western" ALIGN=JUSTIFY>Any of the standard mechanisms may 
    21382696be used such as adding a SysV style init script or using <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">inetd</SPAN></FONT> 
     
    21552713<BR> 
    21562714</P> 
    2157 <H4 CLASS="western"><A NAME="_Ref143089522"></A>4.6.8.1inetd / xinetd</H4> 
     2715<H4 CLASS="western"><A NAME="_Ref143089522"></A>4.7.10.1 inetd / 
     2716xinetd</H4> 
    21582717<P CLASS="western" ALIGN=LEFT>To run the myproxy server using <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">inetd 
    21592718</SPAN></FONT>or <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">xinetd</SPAN></FONT>, 
     
    21772736                                </P> 
    21782737                                <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">myproxy-server 
    2179                                  7512/tcp                        # Myproxy server</FONT></P> 
     2738                                 7512/tcp                        # MyProxy server</FONT></P> 
    21802739                                <P><BR> 
    21812740                                </P> 
     
    21872746</P> 
    21882747<UL> 
    2189         <LI><P CLASS="western" ALIGN=LEFT>Add the entries from 
     2748        <LI VALUE=1><P CLASS="western" ALIGN=LEFT>Add the entries from 
    21902749        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$GLOBUS_LOCATION/share/myproxy/etc.inetd.conf.modifications</SPAN></FONT></P> 
    21912750        <UL> 
     
    22232782                                      = /usr/local/NDG/globus-4.0.1/sbin/myproxy-server</FONT></FONT></P> 
    22242783                                <P LANG="pt-PT" STYLE="margin-bottom: 0cm">  <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">env    
    2225                                         = GLOBUS_LOCATION=/usr/local/NDG/globus-4.0.1 
    2226                                 LD_LIBRARY_PATH=/usr/local/NDG/globus-4.0.1/lib</FONT></FONT></P> 
     2784                                        = GLOBUS_LOCATION=/usr/local/globus-4.0.5 
     2785                                LD_LIBRARY_PATH=/usr/local/globus-4.0.5/lib</FONT></FONT></P> 
    22272786                                <P STYLE="margin-bottom: 0cm">  <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">disable 
    22282787                                     = no</FONT></FONT></P> 
     
    22372796</P> 
    22382797<UL> 
    2239         <LI><P CLASS="western" ALIGN=LEFT>Note also, the additional setting 
    2240         in this example for <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">only_from</SPAN></FONT>. 
     2798        <LI VALUE=1><P CLASS="western" ALIGN=LEFT>Note also, the additional 
     2799        setting in this example for <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">only_from</SPAN></FONT>. 
    22412800         This a limit to be placed on which hosts clients can connect from 
    22422801        to the server.  In the above, clients can connect from the local 
    22432802        machine (note the fully qualified name including <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">localdomain</SPAN></FONT>) 
    22442803        and from the hosts <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">&lt;hostAddress1&gt; 
    2245         </SPAN></FONT>and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">&lt;hostAddress2&gt;</SPAN></FONT>.</P> 
     2804        </SPAN></FONT>and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">&lt;hostAddress2&gt;</SPAN></FONT>. 
     2805          Care must be taken with these settings.  Client requests will exit 
     2806        with an SSL error if set incorrectly.</P> 
    22462807        <LI><P CLASS="western" ALIGN=LEFT>Reactivate the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">inetd</SPAN></FONT> 
    22472808        / <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">xinetd</SPAN></FONT>. 
     
    22532814        man page for your system.</P> 
    22542815</UL> 
    2255 <H4 CLASS="western">4.6.8.2SysV-style boot script  
     2816<H4 CLASS="western">4.7.10.2 SysV-style boot script  
    22562817</H4> 
    22572818<P CLASS="western" ALIGN=LEFT>A sample SysV-style boot script for is 
     
    22832844</SPAN></FONT>environment variable correctly.   
    22842845</P> 
    2285 <P CLASS="western" ALIGN=JUSTIFY><BR><BR> 
     2846<P CLASS="western" ALIGN=LEFT><BR><BR> 
    22862847</P> 
    22872848<H1 CLASS="western"><A NAME="5.Appendices|outline"></A>5.Appendices</H1> 
    2288 <H2 CLASS="western"><A NAME="_Ref133718491"></A><A NAME="5.1.MySQL Installation|outline"></A> 
    2289 5.1MySQL Installation</H2> 
    2290 <P CLASS="western" ALIGN=JUSTIFY>MySQL is required for the Credential 
    2291 Repository used by the SessionManager to stored user credentials as 
    2292 cached in their Credential Wallet held in their session.</P> 
     2849<H2 CLASS="western"><A NAME="5.1. Postgres PAM for MyProxy|outline"></A> 
     28505.1 Postgres PAM for MyProxy</H2> 
     2851<P CLASS="western" ALIGN=JUSTIFY>This section is intended to provide 
     2852the information needed to enable MyProxy to authenticate against 
     2853tables in a Postgres database.  Before, making these settings ensure 
     2854that MyProxy is fully installed following the steps outlined in the 
     2855MyProxy section.  It's recommended to try out MyProxy with an 
     2856existing PAM such as “logon” first to ensure it is working.  See 
     2857the section <I>Testing MyProxy</I>.</P> 
     2858<P CLASS="western" ALIGN=JUSTIFY>Obtain and install the latest 
     2859libpam_pgsql.  This can be installed from Debian or RPM packages or 
     2860from source.   For NDG Security, version 0.5.2-9 Debian and 0.6.3 
     2861source distributions have been tested.  Check the documentation in 
     2862the source tar ball for details of Postgres version requirements.   
     2863</P> 
     2864<H3 CLASS="western"><A NAME="5.1.1. Configuration|outline"></A>5.1.1 
     2865Configuration</H3> 
     2866<P CLASS="western" ALIGN=JUSTIFY>Depending on your native system 
     2867create either a /etc/pam.d/myproxy file or the relevant entry in 
     2868/etc/pam.conf  
     2869</P> 
     2870<P CLASS="western" ALIGN=JUSTIFY>For /etc/pam.d/myproxy:</P> 
     2871<TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
     2872        <COL WIDTH=602> 
     2873        <TR> 
     2874                <TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0"> 
     2875                        <P STYLE="margin-bottom: 0cm"><BR> 
     2876                        </P> 
     2877                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">auth   
     2878                              required   pam_pgsql.so <BR>account    required   
     2879                        pam_pgsql.so<BR><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">password 
     2880                        required   pam_pgsql.so</SPAN></FONT></FONT></P> 
     2881                </TD> 
     2882        </TR> 
     2883</TABLE> 
     2884<P CLASS="western" ALIGN=JUSTIFY><BR><BR> 
     2885</P> 
     2886<P CLASS="western" ALIGN=JUSTIFY>or /etc/pam.conf:</P> 
     2887<TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
     2888        <COL WIDTH=602> 
     2889        <TR> 
     2890                <TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0"> 
     2891                        <P STYLE="margin-bottom: 0cm"><BR> 
     2892                        </P> 
     2893                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">myproxy 
     2894                        auth         required   pam_pgsql.so <BR>myproxy account    
     2895                        required   pam_pgsql.so<BR>myproxy <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">password 
     2896                        required   pam_pgsql.so</SPAN></FONT></FONT></P> 
     2897                </TD> 
     2898        </TR> 
     2899</TABLE> 
     2900<P CLASS="western" ALIGN=JUSTIFY><BR><BR> 
     2901</P> 
     2902<P CLASS="western" ALIGN=JUSTIFY>Configure the database, and table 
     2903the module should use with the configuration file 
     2904/etc/pam_pgsql.conf. e.g.</P> 
     2905<TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
     2906        <COL WIDTH=602> 
     2907        <TR> 
     2908                <TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0"> 
     2909                        <P STYLE="margin-bottom: 0cm"><BR> 
     2910                        </P> 
     2911                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">database 
     2912                        = userdb<BR>user = admin<BR>password = adminpassword<BR>table = 
     2913                        account<BR>user_column = username<BR>pwd_column = password<BR>pw_type 
     2914                        = md5<BR><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">debug</SPAN></FONT></FONT></P> 
     2915                </TD> 
     2916        </TR> 
     2917</TABLE> 
     2918<P CLASS="western" ALIGN=JUSTIFY><BR><BR> 
     2919</P> 
     2920<P CLASS="western" ALIGN=JUSTIFY>In the above example, password in 
     2921the database table “account” are MD5 encrypted.   This field can 
     2922also be set to Crypt or left out altogether if passwords are 
     2923unencrypted.</P> 
     2924<P CLASS="western" ALIGN=JUSTIFY>Restart MyProxy and test it using 
     2925the myproxy-logon client command as outlined in the section <I>Testing 
     2926MyProxy.</I><SPAN STYLE="font-style: normal">   To specify a database 
     2927account name use the -l flag.  If this omitted then the Linux account 
     2928name is assumed e.g.</SPAN></P> 
     2929<TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
     2930        <COL WIDTH=602> 
     2931        <TR> 
     2932                <TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0"> 
     2933                        <P STYLE="margin-bottom: 0cm"><BR> 
     2934                        </P> 
     2935                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$ 
     2936                        myproxy-logon -v -p 60000 -l mydbaccountid</SPAN></FONT></FONT></P> 
     2937                </TD> 
     2938        </TR> 
     2939</TABLE> 
     2940<P CLASS="western"><BR>Consult the myproxy-logon and myproxy-server 
     2941output and the system logs to trouble shoot errors.</P> 
     2942<H2 CLASS="western"><A NAME="_Ref133718491"></A><A NAME="5.2. MySQL Installation|outline"></A> 
     29435.2 MySQL Installation</H2> 
     2944<P CLASS="western" ALIGN=JUSTIFY>MySQL can be used to implement a 
     2945Credential Repository for the SessionManager to stored user 
     2946credentials as cached in their Credential Wallet held in their 
     2947session.</P> 
    22932948<P CLASS="western" ALIGN=JUSTIFY>This section describes how to make 
    22942949an installation from the MySQL binary package tarball.   System 
     
    22992954instructions are adapted from the file <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">INSTALL-BINARY</SPAN></FONT> 
    23002955provided in the tarball.</P> 
    2301 <H3 CLASS="western"><A NAME="5.1.1.Version|outline"></A>5.1.1Version</H3> 
     2956<H3 CLASS="western"><A NAME="5.2.1.Version|outline"></A>5.2.1Version</H3> 
    23022957<P CLASS="western" ALIGN=LEFT>Version 3.23 or later is recommended.  
    23032958These instructions are for version 5.0.20a, the latest stable release 
    23042959at time of writing.</P> 
    2305 <H3 CLASS="western"><A NAME="5.1.2.Getting the Binaries|outline"></A>5.1.2Getting 
    2306 the Binaries</H3> 
     2960<H3 CLASS="western"><A NAME="5.2.2. Getting the Binaries|outline"></A> 
     29615.2.2 Getting the Binaries</H3> 
    23072962<P CLASS="western" ALIGN=LEFT>The package can be obtained from the 
    23082963MySQL web site (<FONT COLOR="#0000ff"><U><A HREF="http://dev.mysql.com/downloads/mysql/5.0.html">http://dev.mysql.com/downloads/mysql/5.0.html</A></U></FONT>). 
     
    23212976<P CLASS="western" ALIGN=LEFT><BR><BR> 
    23222977</P> 
    2323 <H3 CLASS="western"><A NAME="5.1.3.New mysql User Account|outline"></A> 
    2324 5.1.3New <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB"><I>mysql</I></SPAN></FONT> 
     2978<H3 CLASS="western"><A NAME="5.2.3. New mysql User Account|outline"></A> 
     29795.2.3 New <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB"><I>mysql</I></SPAN></FONT> 
    23252980User Account</H3> 
    23262981<P CLASS="western" ALIGN=JUSTIFY>Make a new account to run MySQL if 
     
    23372992<P CLASS="western" ALIGN=JUSTIFY><BR><BR> 
    23382993</P> 
    2339 <H3 CLASS="western"><A NAME="5.1.4.Unpacking the tarball|outline"></A> 
    2340 5.1.4Unpacking the tarball</H3> 
     2994<H3 CLASS="western"><A NAME="5.2.4. Unpacking the tarball|outline"></A> 
     29955.2.4 Unpacking the tarball</H3> 
    23412996<P CLASS="western" ALIGN=LEFT>As root copy the tarball to the target 
    23422997directory for installation e.g. /usr/local, unpack the file:</P> 
     
    23753030properly.  
    23763031</P> 
    2377 <H3 CLASS="western"><A NAME="5.1.5.Configuration File|outline"></A>5.1.5Configuration 
    2378 File</H3> 
     3032<H3 CLASS="western"><A NAME="5.2.5. Configuration File|outline"></A>5.2.5 
     3033Configuration File</H3> 
    23793034<P CLASS="western" ALIGN=JUSTIFY>Create a configuration file called 
    23803035<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">my.cnf</SPAN></FONT> 
     
    24193074MySQL’s tables and the Credential Repository database will be 
    24203075stored under <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/usr/local/mysql/data</SPAN></FONT>.</P> 
    2421 <H3 CLASS="western"><A NAME="5.1.6.Create the Grant Tables|outline"></A> 
    2422 5.1.6Create the Grant Tables</H3> 
     3076<H3 CLASS="western"><A NAME="5.2.6. Create the Grant Tables|outline"></A> 
     30775.2.6 Create the Grant Tables</H3> 
    24233078<P CLASS="western" ALIGN=LEFT>The <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">scripts</SPAN></FONT> 
    24243079directory contains the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">mysql_install_db</SPAN></FONT> 
     
    24453100can omit the -user option.  After creating or updating the grant 
    24463101tables, you need to restart the server manually.</P> 
    2447 <H3 CLASS="western"><A NAME="5.1.7.File and Directory Permissions|outline"></A> 
    2448 5.1.7File and Directory Permissions</H3> 
     3102<H3 CLASS="western"><A NAME="5.2.7. File and Directory Permissions|outline"></A> 
     31035.2.7 File and Directory Permissions</H3> 
    24493104<P CLASS="western" ALIGN=LEFT>Change the ownership of program 
    24503105binaries to <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">root</SPAN></FONT> 
     
    24703125user. The third changes the group attribute to the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">mysql</SPAN></FONT> 
    24713126group.</P> 
    2472 <H3 CLASS="western"><A NAME="5.1.8.Starting the Server|outline"></A>5.1.8Starting 
    2473 the Server</H3> 
     3127<H3 CLASS="western"><A NAME="5.2.8. Starting the Server|outline"></A>5.2.8 
     3128Starting the Server</H3> 
    24743129<P CLASS="western" ALIGN=LEFT>If you want MySQL to start 
    24753130automatically when you boot your machine, you can copy 
     
    24993154file in the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">data</SPAN></FONT> 
    25003155directory.</P> 
    2501 <H3 CLASS="western"><A NAME="_Ref133893123"></A><A NAME="5.1.9.Securing MySQL Accounts|outline"></A> 
    2502 5.1.9Securing MySQL Accounts</H3> 
     3156<H3 CLASS="western"><A NAME="_Ref133893123"></A><A NAME="5.2.9. Securing MySQL Accounts|outline"></A> 
     31575.2.9 Securing MySQL Accounts</H3> 
    25033158<P CLASS="western" ALIGN=JUSTIFY>To delete the anonymous accounts:</P> 
    25043159<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
     
    25943249the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">bin/mysql_setpermission</SPAN></FONT> 
    25953250script if you install the `DBI' and `DBD::mysql' Perl modules.</P> 
    2596 <P CLASS="western" ALIGN=LEFT>See section 4.3.1 for details about 
     3251<P CLASS="western" ALIGN=LEFT>See section 4.4.1 for details about 
    25973252creation of the Credential Repository database.</P> 
    2598 <H3 CLASS="western"><A NAME="5.1.10.Server Automated Start up|outline"></A> 
    2599 5.1.10Server Automated Start up</H3> 
     3253<H3 CLASS="western"><A NAME="5.2.10. Server Automated Start up|outline"></A> 
     32545.2.10 Server Automated Start up</H3> 
    26003255<P CLASS="western" ALIGN=JUSTIFY>&lt;todo: &gt;</P> 
    26013256<P CLASS="western" ALIGN=LEFT><BR><BR> 
    26023257</P> 
    2603 <H2 CLASS="western"><A NAME="5.2.HTTPS set-up with Apache Web Server|outline"></A> 
    2604 5.2HTTPS set-up with Apache Web Server</H2> 
     3258<H2 CLASS="western"><A NAME="5.3. HTTPS set-up with Apache Web Server|outline"></A> 
     32595.3 HTTPS set-up with Apache Web Server</H2> 
    26053260<P CLASS="western" ALIGN=JUSTIFY>NDG security requires HTTPS for the 
    26063261transfer of user credentials across cookie domains between a data 
     
    26093264<P CLASS="western" ALIGN=JUSTIFY>&lt;todo: full explanation - incl. 
    26103265mod_ssl must be installed&gt;</P> 
    2611 <H3 CLASS="western"><A NAME="5.2.1.Web Server Host Certificate Generation|outline"></A> 
    2612 5.2.1Web Server Host Certificate Generation</H3> 
     3266<H3 CLASS="western"><A NAME="5.3.1. Web Server Host Certificate Generation|outline"></A> 
     32675.3.1 Web Server Host Certificate Generation</H3> 
     3268<P CLASS="western" ALIGN=JUSTIFY>Generate a new private key and 
     3269certificate request.</P> 
    26133270<TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
    26143271        <COL WIDTH=605> 
     
    26173274                        <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR> 
    26183275                        </P> 
     3276                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
     3277                        openssl genrsa –out server.key 2048</FONT></P> 
    26193278                        <P STYLE="margin-bottom: 0cm"><A NAME="OLE_LINK1"></A><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
    2620                         grid-cert-request -prefix <I>&lt;hostname&gt;</I> -dir . -cn 
    2621                         <I>&lt;hostname&gt;</I> -nopw </FONT> 
    2622                         </P> 
     3279                        openssl req –new –key server.key –out server.csr</FONT></P> 
    26233280                        <P><BR> 
    26243281                        </P> 
     
    26283285<P CLASS="western" ALIGN=JUSTIFY><BR><BR> 
    26293286</P> 
    2630 <H3 CLASS="western"><A NAME="5.2.2.Apache Configuration File Settings|outline"></A> 
    2631 5.2.2Apache Configuration File Settings</H3> 
    2632 <P CLASS="western" ALIGN=JUSTIFY><BR><BR> 
    2633 </P> 
    2634 <H2 CLASS="western"><A NAME="_Ref132181551"></A><A NAME="5.3.Apache Web Server Proxy Settings Configuration for Web Services|outline"></A> 
    2635 5.3Apache Web Server Proxy Settings Configuration for Web Services</H2> 
     3287<P CLASS="western" ALIGN=JUSTIFY>Send the certificate request to the 
     3288relevant CA (NDG if appropriate) for signing.</P> 
     3289<H3 CLASS="western"><A NAME="5.3.2.Apache Configuration File Settings|outline"></A> 
     32905.3.2Apache Configuration File Settings</H3> 
     3291<P CLASS="western" ALIGN=JUSTIFY><BR><BR> 
     3292</P> 
     3293<H2 CLASS="western"><A NAME="_Ref132181551"></A><A NAME="5.4. Apache Web Server Proxy Settings Configuration for Web Services|outline"></A> 
     32945.4 Apache Web Server Proxy Settings Configuration for Web Services</H2> 
    26363295<P CLASS="western" ALIGN=JUSTIFY>Apache provides a convenient 
    26373296mechanism to re-route web service ports through port 80 and so make 
     
    26613320                        Session Manager and Attribute Authority settings</FONT></P> 
    26623321                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">ProxyPass 
    2663                                /sessionMgr    https://localhost:5700/</FONT></P> 
     3322                               /sessionMgr    https://localhost:5700</FONT></P> 
    26643323                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">ProxyPassReverse 
    2665                         /sessionMgr    https://localhost:5700/</FONT></P> 
     3324                        /sessionMgr    https://localhost:5700</FONT></P> 
    26663325                        <P STYLE="margin-bottom: 0cm"><BR> 
    26673326                        </P> 
    26683327                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">ProxyPass 
    2669                                /attAuthority  http://localhost:5000/</FONT></P> 
     3328                               /attAuthority  http://localhost:5000</FONT></P> 
    26703329                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">ProxyPassReverse 
    2671                         /attAuthority  http://localhost:5000/</FONT></P> 
     3330                        /attAuthority  http://localhost:5000</FONT></P> 
    26723331                        <P CLASS="western" ALIGN=LEFT><BR> 
    26733332                        </P> 
     
    27653424location=”
”&gt;</SPAN></FONT>  
    27663425</P> 
    2767 <H2 CLASS="western"><A NAME="5.4.An Example Attribute Authority AAUserRoles interface class|outline"></A> 
    2768 5.4An Example Attribute Authority AAUserRoles interface class</H2> 
     3426<H2 CLASS="western"><A NAME="5.5.An Example Attribute Authority AAUserRoles interface class|outline"></A> 
     34275.5An Example Attribute Authority AAUserRoles interface class</H2> 
    27693428<P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">This 
    27703429interface is required in order to link the Attribute Authority to the 
     
    27783437methods:</P> 
    27793438<UL> 
    2780         <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">userIsRegistered()</SPAN></FONT> 
     3439        <LI VALUE=1><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">userIsRegistered()</SPAN></FONT> 
    27813440        – returns True if the user with the given input Distinguished Name 
    27823441        is registered at the site.  This method might contain an SQL query 
     
    32183877<P CLASS="western" ALIGN=JUSTIFY><BR><BR> 
    32193878</P> 
    3220 <H2 CLASS="western"><A NAME="5.5.Troubleshooting|outline"></A>5.5Troubleshooting</H2> 
    3221 <H3 CLASS="western"><A NAME="5.5.1.M2Crypto SWIG Build Error|outline"></A> 
    3222 5.5.1M2Crypto SWIG Build Error</H3> 
     3879<H2 CLASS="western"><A NAME="5.6.Troubleshooting|outline"></A>5.6 
     3880Troubleshooting</H2> 
     3881<H3 CLASS="western"><A NAME="5.6.1.M2Crypto |outline"></A>5.6.1 
     3882M2Crypto  
     3883</H3> 
     3884<H4 CLASS="western">5.6.1.1SWIG Version too Old</H4> 
    32233885<P CLASS="western" ALIGN=JUSTIFY>M2Crypto uses SWIG to bind C OpenSSL 
    32243886library code to the Python interface.  Compilation errors with swig 
     
    32433905<P CLASS="western" ALIGN=JUSTIFY><BR><BR> 
    32443906</P> 
    3245 <P CLASS="western" ALIGN=JUSTIFY>To fix update to a version &gt; 1.1 
    3246 and re-run the installation script.  SWIG is available from 
    3247 <FONT COLOR="#0000ff"><U><A HREF="http://www.swig.org/">http://www.swig.org/</A></U></FONT></P> 
    3248 <P CLASS="western" ALIGN=JUSTIFY><BR><BR> 
    3249 </P> 
    3250 <H3 CLASS="western"><A NAME="5.5.2.PyXML|outline"></A>5.5.2PyXML</H3> 
     3907<P CLASS="western" ALIGN=JUSTIFY>Some version will build OK but then 
     3908cause runtime errors e.g.</P> 
     3909<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
     3910        <COL WIDTH=610> 
     3911        <TR> 
     3912                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0"> 
     3913                        <P STYLE="margin-bottom: 0cm"><BR> 
     3914                        </P> 
     3915                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">File 
     3916                        &quot;.../M2Crypto/SSL/Context.py&quot;, line 43, in __init__ 
     3917                        map()[long(self.ctx)] = self ValueError: invalid literal for 
     3918                        long(): _480e1008_p_SSL_CTX </FONT> 
     3919                        </P> 
     3920                </TD> 
     3921        </TR> 
     3922</TABLE> 
     3923<P CLASS="western" ALIGN=JUSTIFY><BR><BR> 
     3924</P> 
     3925<P CLASS="western" ALIGN=JUSTIFY>To fix update to a version &gt;= 
     39261.3.24 and re-run the installation script but also make sure to read 
     3927the next section.  SWIG is available from <FONT COLOR="#0000ff"><U><A HREF="http://www.swig.org/">http://www.swig.org/</A></U></FONT></P> 
     3928<H4 CLASS="western">5.6.1.2 SWIG and Py_ssize_t build error</H4> 
     3929<P CLASS="western" ALIGN=JUSTIFY>The combination SWIG version 
     39301.3.30rc1 and Python &lt; 2.5 can cause a build error:</P> 
     3931<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
     3932        <COL WIDTH=610> 
     3933        <TR> 
     3934                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0"> 
     3935                        <P STYLE="margin-bottom: 0cm"><BR> 
     3936                        </P> 
     3937                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">_lib.h:5: 
     3938                        error: redefinition of typedef 'Py_ssize_t'</FONT></P> 
     3939                </TD> 
     3940        </TR> 
     3941</TABLE> 
     3942<P CLASS="western" ALIGN=JUSTIFY><BR><BR> 
     3943</P> 
     3944<P CLASS="western" ALIGN=JUSTIFY>Avoid this version of SWIG.</P> 
     3945<P CLASS="western" ALIGN=JUSTIFY>See: 
     3946<A HREF="http://chandlerproject.org/Projects/MeTooCrypto#FAQ">http://chandlerproject.org/Projects/MeTooCrypto#FAQ</A> 
     3947for reference and up to date details of any other M2Crypto related 
     3948issues.</P> 
     3949<H3 CLASS="western"><A NAME="5.6.2. PyXML|outline"></A>5.6.2 PyXML</H3> 
    32513950<P CLASS="western" ALIGN=JUSTIFY>error: Could not find suitable 
    32523951distribution for Requirement.parse('PyXML&gt;=0.8.3')</P> 
    3253 <P CLASS="western" ALIGN=JUSTIFY>$ easy_install –f 
    3254 <FONT COLOR="#0000ff"><U><A HREF="http://sourceforge.net/project/showfiles.php?group_id=6473">http://sourceforge.net/project/showfiles.php?group_id=6473</A></U></FONT> 
    3255 PyXML</P> 
    3256 <P CLASS="western" ALIGN=JUSTIFY>or –f option with 
     3952<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
     3953        <COL WIDTH=610> 
     3954        <TR> 
     3955                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0"> 
     3956                        <P STYLE="margin-bottom: 0cm"><BR> 
     3957                        </P> 
     3958                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
     3959                        easy_install –f 
     3960                        <FONT COLOR="#0000ff"><U><A HREF="http://sourceforge.net/project/showfiles.php?group_id=6473">http://sourceforge.net/project/showfiles.php?group_id=6473</A></U></FONT> 
     3961                        PyXML</FONT></P> 
     3962                </TD> 
     3963        </TR> 
     3964</TABLE> 
     3965<P CLASS="western" ALIGN=JUSTIFY><BR>or –f option with 
    32573966ndg-security-install.py</P> 
    3258 <H3 CLASS="western"><A NAME="5.5.3.4Suite-XML Build error|outline"></A> 
    3259 5.5.34Suite-XML Build error</H3> 
     3967<H3 CLASS="western"><A NAME="5.6.3. 4Suite-XML Build error|outline"></A> 
     39685.6.3 4Suite-XML Build error</H3> 
    32603969<P CLASS="western" ALIGN=JUSTIFY>Ft/Xml/src/expat/lib/xmlparse.c:89:2: 
    32613970#error memmove does not exist on this platform, nor is a substitute 
    32623971available</P> 
    32633972<P CLASS="western" ALIGN=JUSTIFY>4Suite-XML 1.0.2</P> 
    3264 <P CLASS="western" ALIGN=JUSTIFY>$ cat /proc/version</P> 
    3265 <P CLASS="western" ALIGN=JUSTIFY>Linux version 2.4.21-32.0.1.ELsmp 
    3266 (bhcompile@bugs.build.redhat.com) (gcc version</P> 
    3267 <P CLASS="western" ALIGN=JUSTIFY> 3.2.3 20030502 (Red Hat Linux 
    3268 3.2.3-52)) #1 SMP Tue May 17 17:52:23 EDT 2005</P> 
    3269 <P CLASS="western" ALIGN=JUSTIFY>$ uname –a  
    3270 </P> 
    3271 <P CLASS="western" ALIGN=JUSTIFY>Linux glue.badc.rl.ac.uk 
    3272 2.4.21-32.0.1.ELsmp #1 SMP Tue May 17 17:52:23 EDT 2005 i686 i686 
    3273 i386 GNU/Linux</P> 
    3274 <P CLASS="western" ALIGN=JUSTIFY>Solution</P> 
    3275 <P CLASS="western" ALIGN=JUSTIFY>$ echo -e 
    3276 &quot;[build_ext]\ndefine=HAVE_MMEMOVE&quot; &gt; ~/.pydistutils.cfg</P> 
    3277 <P CLASS="western" ALIGN=JUSTIFY>$ easy_install 4Suite-XML</P> 
     3973<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
     3974        <COL WIDTH=610> 
     3975        <TR> 
     3976                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0"> 
     3977                        <P STYLE="margin-bottom: 0cm"><BR> 
     3978                        </P> 
     3979                        <OL START=3> 
     3980                                <P CLASS="western" ALIGN=LEFT>$ cat /proc/version<BR>Linux 
     3981                                version 2.4.21-32.0.1.ELsmp (bhcompile@bugs.build.redhat.com) 
     3982                                (gcc version 20030502 (Red Hat Linux 3.2.3-52)) #1 SMP Tue May 17 
     3983                                17:52:23 EDT 2005</P> 
     3984                        </OL> 
     3985                </TD> 
     3986        </TR> 
     3987</TABLE> 
     3988<P CLASS="western" ALIGN=JUSTIFY><BR><BR> 
     3989</P> 
     3990<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
     3991        <COL WIDTH=610> 
     3992        <TR> 
     3993                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0"> 
     3994                        <P STYLE="margin-bottom: 0cm"><BR> 
     3995                        </P> 
     3996                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
     3997                        uname –a </FONT> 
     3998                        </P> 
     3999                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Linux 
     4000                        glue.badc.rl.ac.uk 2.4.21-32.0.1.ELsmp #1 SMP Tue May 17 17:52:23 
     4001                        EDT 2005 i686 i686 i386 GNU/Linux</FONT></P> 
     4002                </TD> 
     4003        </TR> 
     4004</TABLE> 
     4005<P CLASS="western" ALIGN=JUSTIFY><BR><BR> 
     4006</P> 
     4007<P CLASS="western" ALIGN=JUSTIFY>Solution:</P> 
     4008<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
     4009        <COL WIDTH=610> 
     4010        <TR> 
     4011                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0"> 
     4012                        <P STYLE="margin-bottom: 0cm"><BR> 
     4013                        </P> 
     4014                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ echo 
     4015                        -e &quot;[build_ext]\ndefine=HAVE_MMEMOVE&quot; &gt; 
     4016                        ~/.pydistutils.cfg<BR>$ easy_install 4Suite-XML</FONT></P> 
     4017                </TD> 
     4018        </TR> 
     4019</TABLE> 
     4020<P CLASS="western" ALIGN=JUSTIFY><BR><BR> 
     4021</P> 
    32784022<P CLASS="western" ALIGN=JUSTIFY><BR><BR> 
    32794023</P> 