Changeset 3171 for TI12-security

Timestamp:

21/12/07 14:16:10 (12 years ago)

Author:

pjkersha

Message:

Installation Guide updated to include instructions for MyProxy? config with SimpleCA and PAM callout.

Location:

TI12-security/trunk/documentation/InstallationGuide

Files:

• html/NDGSecurityInstallationGuide.html (modified) (76 diffs)
• pdf/NDGSecurityInstallationGuide.pdf (modified) (previous)

TI12-security/trunk/documentation/InstallationGuide/html/NDGSecurityInstallationGuide.html

@@ -7 +7 @@
         <META NAME="AUTHOR" CONTENT="P J Kershaw">
         <META NAME="CREATED" CONTENT="20071010;9350000">
-        <META NAME="CHANGED" CONTENT="20071010;15023700">
+        <META NAME="CHANGED" CONTENT="20071221;14112900">
         <STYLE TYPE="text/css">
         <!--
-                @page { size: 21cm 29.7cm; margin-right: 2.29cm; margin-top: 1.27cm; margin-bottom: 1.27cm }
+                @page { size: 21cm 29.7cm; margin-left: 2.54cm; margin-right: 2.29cm; margin-top: 1.27cm; margin-bottom: 1.27cm }
                 @page:first { margin-top: 1.27cm; margin-bottom: 2.54cm }
                 P { margin-bottom: 0.42cm; direction: ltr; color: #000000; text-align: left; widows: 2; orphans: 2 }
@@ -28 +28 @@
                 H3.cjk { font-family: "Times New Roman", "Times", serif; font-size: 10pt; font-style: italic }
                 H3.ctl { font-family: "Times New Roman", "Times", serif; font-size: 10pt; so-language: ar-SA; font-weight: medium }
-                H4 { margin-top: 0cm; margin-bottom: 0.42cm; direction: ltr; color: #000000; text-align: justify; widows: 2; orphans: 2 }
+                H4 { margin-top: 0cm; margin-bottom: 0cm; direction: ltr; color: #000000; text-align: justify; widows: 2; orphans: 2 }
                 H4.western { font-family: "Helvetica", sans-serif; font-size: 10pt; so-language: en-GB; font-style: italic; font-weight: medium }
                 H4.cjk { font-family: "Times New Roman", "Times", serif; font-size: 10pt; font-style: italic; font-weight: medium }
@@ -50 +50 @@
         Grid Security</B></FONT></P>
         <P ALIGN=RIGHT><FONT SIZE=6><B>Installation Guide</B></FONT></P>
-        <P ALIGN=RIGHT><FONT SIZE=3><B>Version 0.8</B></FONT></P>
+        <P ALIGN=RIGHT><FONT SIZE=3><B>Version 0.9</B></FONT></P>
 </SPAN><BR><BR>
 </P>
@@ -177 +177 @@
                 </TD>
         </TR>
+        <TR VALIGN=TOP>
+                <TD WIDTH=194>
+                        <P ALIGN=JUSTIFY>0.9</P>
+                </TD>
+                <TD WIDTH=195>
+                        <P CLASS="western" ALIGN=JUSTIFY>11//10/07</P>
+                </TD>
+                <TD WIDTH=195>
+                        <UL>
+                                <LI VALUE=1><P CLASS="western" ALIGN=LEFT>Use of MyProxy with a
+                                SimpleCA and PAM callout for authentication</P>
+                                <LI><P CLASS="western" ALIGN=LEFT>details for certificate
+                                requests for Session Manager and Attribute Authority</P>
+                        </UL>
+                </TD>
+        </TR>
 </TABLE>
 <P ALIGN=LEFT STYLE="page-break-before: always"><FONT SIZE=4 STYLE="font-size: 16pt"><B>Contents</B></FONT></P>
 <DIV ID="Table of Contents1" DIR="LTR">
-        <P ALIGN=JUSTIFY><A HREF="#1. References|outline">1.  References        5</A></P>
-        <P ALIGN=JUSTIFY><A HREF="#2.Introduction|outline">2. Introduction      5</A></P>
+        <P ALIGN=JUSTIFY><A HREF="#1. References|outline">1.  References        6</A></P>
+        <P ALIGN=JUSTIFY><A HREF="#2.Introduction|outline">2. Introduction      7</A></P>
         <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#2.1.Pre-requisites |outline">2.1
-        Pre-requisites  5</A></P>
+        Pre-requisites  7</A></P>
         <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#2.2.Deployment Model|outline">2.2
-        Deployment Model        5</A></P>
+        Deployment Model        7</A></P>
         <P ALIGN=JUSTIFY><A HREF="#3.Software Installation Components|outline">3.
-        Software Installation Components        8</A></P>
-        <P ALIGN=JUSTIFY><A HREF="#4.Installation|outline">4. Installation      9</A></P>
-        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.1.Python Packages|outline">4.1
-        Python Packages 9</A></P>
-        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.1.1.distutils|outline">4.1.1
-        distutils       9</A></P>
-        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.1.2.NDG Security Packages|outline">4.1.2
-        NDG Security Packages   9</A></P>
-        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.2.NDG Web Services Configuration|outline">4.2
-        NDG Web Services Configuration  10</A></P>
-        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.2.1.NDG Security System Configuration Files|outline">4.2.1
-        NDG Security System Configuration Files 10</A></P>
-        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.2.2.Certificate Generation|outline">4.2.2
-        Certificate Generation  11</A></P>
-        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.3.Session Manager Configuration|outline">4.3
-        Session Manager Configuration   12</A></P>
-        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.3.1.Session Manager Credential Repository|outline">4.3.1
-        Session Manager Credential Repository   12</A></P>
-        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.3.2.Session Manager Properties File Settings|outline">4.3.2
-        Session Manager Properties File Settings        12</A></P>
-        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.3.3.SysV-style Boot Script|outline">4.3.3
-        SysV-style Boot Script  15</A></P>
-        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.4.Attribute Authority Configuration|outline">4.4
-        Attribute Authority Configuration       16</A></P>
-        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.4.1.Attribute Authority Properties File Settings|outline">4.4.1
-        Attribute Authority Properties File Settings    16</A></P>
-        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.4.2.User Roles Interface|outline">4.4.2
-        User Roles Interface    17</A></P>
-        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.4.3.Role Mapping|outline">4.4.3
-        Role Mapping    18</A></P>
-        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.4.4.Twisted Python server .tac file|outline">4.4.4
-        Twisted Python server .tac file 19</A></P>
-        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.4.5.SysV-style Boot Script|outline">4.4.5
-        SysV-style Boot Script  19</A></P>
-        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.5.Python Unit Tests|outline">4.5
-        Python Unit Tests       20</A></P>
-        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.6.Globus MyProxy|outline">4.6
-        Globus MyProxy  20</A></P>
-        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.6.1.MyProxy and NDG Security Background|outline">4.6.1
-        MyProxy and NDG Security Background     20</A></P>
-        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.6.2.MyProxy user account and the repository location considerations|outline">4.6.2
-        MyProxy user account and the repository location considerations 20</A></P>
-        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.6.3.Build Process|outline">4.6.3
-        Build Process   21</A></P>
-        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.6.4.NDG SimpleCA Client Package |outline">4.6.4
-        NDG SimpleCA Client Package     22</A></P>
-        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.6.5.Host Certificate Creation|outline">4.6.5
-        Host Certificate Creation       24</A></P>
-        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.6.6.MyProxy Configuration File|outline">4.6.6
-        MyProxy Configuration File      24</A></P>
-        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.6.7.Repository Directory|outline">4.6.7
-        Repository Directory    25</A></P>
-        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.6.8.Adding MyProxy Server to the system start up|outline">4.6.8
-        Adding MyProxy Server to the system start up    25</A></P>
-        <P ALIGN=JUSTIFY><A HREF="#5.Appendices|outline">5. Appendices  27</A></P>
-        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#5.1.MySQL Installation|outline">5.1
-        MySQL Installation      27</A></P>
-        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.1.1.Version|outline">5.1.1
-        Version 27</A></P>
-        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.1.2.Getting the Binaries|outline">5.1.2
-        Getting the Binaries    27</A></P>
-        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.1.3.New mysql User Account|outline">5.1.3
-        New mysql User Account  27</A></P>
-        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.1.4.Unpacking the tarball|outline">5.1.4
-        Unpacking the tarball   27</A></P>
-        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.1.5.Configuration File|outline">5.1.5
-        Configuration File      28</A></P>
-        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.1.6.Create the Grant Tables|outline">5.1.6
-        Create the Grant Tables 28</A></P>
-        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.1.7.File and Directory Permissions|outline">5.1.7
-        File and Directory Permissions  29</A></P>
-        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.1.8.Starting the Server|outline">5.1.8
-        Starting the Server     29</A></P>
-        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.1.9.Securing MySQL Accounts|outline">5.1.9
-        Securing MySQL Accounts 29</A></P>
-        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.1.10.Server Automated Start up|outline">5.1.10
-        Server Automated Start up       30</A></P>
-        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#5.2.HTTPS set-up with Apache Web Server|outline">5.2
-        HTTPS set-up with Apache Web Server     30</A></P>
-        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.1.Web Server Host Certificate Generation|outline">5.2.1
-        Web Server Host Certificate Generation  30</A></P>
-        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.2.Apache Configuration File Settings|outline">5.2.2
-        Apache Configuration File Settings      30</A></P>
-        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#5.3.Apache Web Server Proxy Settings Configuration for Web Services|outline">5.3
-        Apache Web Server Proxy Settings Configuration for Web Services 31</A></P>
-        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#5.4.An Example Attribute Authority AAUserRoles interface class|outline">5.4
-        An Example Attribute Authority AAUserRoles interface class      32</A></P>
-        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#5.5.Troubleshooting|outline">5.5
-        Troubleshooting 35</A></P>
-        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.5.1.M2Crypto SWIG Build Error|outline">5.5.1
-        M2Crypto SWIG Build Error       35</A></P>
-        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.5.2.PyXML|outline">5.5.2
-        PyXML   36</A></P>
-        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.5.3.4Suite-XML Build error|outline">5.5.3
-        4Suite-XML Build error  36</A></P>
+        Software Installation Components        9</A></P>
+        <P ALIGN=JUSTIFY><A HREF="#4.Installation|outline">4.
+        Installation    10</A></P>
+        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.1.Dependencies|outline">4.1
+        Dependencies    10</A></P>
+        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.1.1.OpenSSL|outline">4.1.1
+        OpenSSL 10</A></P>
+        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.1.2.SWIG|outline">4.1.2
+        SWIG    10</A></P>
+        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.2.Python Packages|outline">4.2
+        Python Packages 10</A></P>
+        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.2.1.setuptools|outline">4.2.1
+        setuptools      10</A></P>
+        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.2.2.NDG Security Packages|outline">4.2.2
+        NDG Security Packages   11</A></P>
+        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.3.NDG Web Services Configuration|outline">4.3
+        NDG Web Services Configuration  11</A></P>
+        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.3.1.NDG Security System Configuration Files|outline">4.3.1
+        NDG Security System Configuration Files 11</A></P>
+        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.3.2. Certificate Generation|outline">4.3.2
+         Certificate Generation 12</A></P>
+        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.4.Session Manager Configuration|outline">4.4
+        Session Manager Configuration   14</A></P>
+        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.4.1.Session Manager Credential Repository|outline">4.4.1
+        Session Manager Credential Repository   14</A></P>
+        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.4.2.Session Manager Properties File Settings|outline">4.4.2
+        Session Manager Properties File Settings        14</A></P>
+        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.4.3.SysV-style Boot Script|outline">4.4.3
+        SysV-style Boot Script  18</A></P>
+        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.5.Attribute Authority Configuration|outline">4.5
+        Attribute Authority Configuration       18</A></P>
+        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.5.1.Attribute Authority Properties File Settings|outline">4.5.1
+        Attribute Authority Properties File Settings    18</A></P>
+        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.5.2.User Roles Interface|outline">4.5.2
+        User Roles Interface    20</A></P>
+        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.5.3.Role Mapping|outline">4.5.3
+        Role Mapping    20</A></P>
+        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.5.4.Twisted Python server .tac file|outline">4.5.4
+        Twisted Python server .tac file 21</A></P>
+        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.5.5.SysV-style Boot Script|outline">4.5.5
+        SysV-style Boot Script  22</A></P>
+        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.6.Python Unit Tests|outline">4.6
+        Python Unit Tests       22</A></P>
+        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.7. MyProxy|outline">4.7
+         MyProxy        22</A></P>
+        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.7.1. MyProxy and NDG Security Background|outline">4.7.1
+         MyProxy and NDG Security Background    22</A></P>
+        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.7.2. MyProxy user account and the repository location considerations|outline">4.7.2
+         MyProxy user account and the repository location considerations        23</A></P>
+        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.7.3. Installation|outline">4.7.3
+         Installation   23</A></P>
+        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.7.4. SimpleCA Installation|outline">4.7.4
+         SimpleCA Installation  24</A></P>
+        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.7.5. Host Certificate Creation|outline">4.7.5
+         Host Certificate Creation      27</A></P>
+        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.7.6. MyProxy Configuration File|outline">4.7.6
+         MyProxy Configuration File     27</A></P>
+        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.7.7. MyProxy SimpleCA Configuration|outline">4.7.7
+         MyProxy SimpleCA Configuration 28</A></P>
+        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.7.8. MyProxy PAM Configuration|outline">4.7.8
+         MyProxy PAM Configuration      29</A></P>
+        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.7.9. Testing MyProxy|outline">4.7.9
+         Testing MyProxy        30</A></P>
+        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.7.10. Adding MyProxy Server to the system start up|outline">4.7.10
+         Adding MyProxy Server to the system start up   33</A></P>
+        <P ALIGN=JUSTIFY><A HREF="#5.Appendices|outline">5. Appendices  35</A></P>
+        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#5.1. Postgres PAM for MyProxy|outline">5.1
+         Postgres PAM for MyProxy       35</A></P>
+        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.1.1. Configuration|outline">5.1.1
+         Configuration  35</A></P>
+        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#5.2. MySQL Installation|outline">5.2
+         MySQL Installation     36</A></P>
+        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.1.Version|outline">5.2.1
+        Version 36</A></P>
+        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.2. Getting the Binaries|outline">5.2.2
+         Getting the Binaries   36</A></P>
+        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.3. New mysql User Account|outline">5.2.3
+         New mysql User Account 36</A></P>
+        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.4. Unpacking the tarball|outline">5.2.4
+         Unpacking the tarball  36</A></P>
+        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.5. Configuration File|outline">5.2.5
+         Configuration File     37</A></P>
+        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.6. Create the Grant Tables|outline">5.2.6
+         Create the Grant Tables        37</A></P>
+        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.7. File and Directory Permissions|outline">5.2.7
+         File and Directory Permissions 38</A></P>
+        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.8. Starting the Server|outline">5.2.8
+         Starting the Server    38</A></P>
+        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.9. Securing MySQL Accounts|outline">5.2.9
+         Securing MySQL Accounts        38</A></P>
+        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.10. Server Automated Start up|outline">5.2.10
+         Server Automated Start up      39</A></P>
+        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#5.3. HTTPS set-up with Apache Web Server|outline">5.3
+         HTTPS set-up with Apache Web Server    39</A></P>
+        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.3.1. Web Server Host Certificate Generation|outline">5.3.1
+         Web Server Host Certificate Generation 39</A></P>
+        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.3.2.Apache Configuration File Settings|outline">5.3.2
+        Apache Configuration File Settings      40</A></P>
+        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#5.4. Apache Web Server Proxy Settings Configuration for Web Services|outline">5.4
+         Apache Web Server Proxy Settings Configuration for Web Services        40</A></P>
+        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#5.5.An Example Attribute Authority AAUserRoles interface class|outline">5.5
+        An Example Attribute Authority AAUserRoles interface class      41</A></P>
+        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#5.6.Troubleshooting|outline">5.6
+        Troubleshooting 44</A></P>
+        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.6.1.M2Crypto |outline">5.6.1
+        M2Crypto        44</A></P>
+        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.6.2. PyXML|outline">5.6.2
+         PyXML  45</A></P>
+        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.6.3. 4Suite-XML Build error|outline">5.6.3
+         4Suite-XML Build error 45</A></P>
 </DIV>
 <H1 CLASS="western"><A NAME="1. References|outline"></A>1. References</H1>
@@ -287 +318 @@
         <LI><P CLASS="western" ALIGN=JUSTIFY><FONT COLOR="#0000ff"><U><A HREF="http://grid.ncsa.uiuc.edu/myproxy/"><SPAN LANG="fi-FI">http://grid.ncsa.uiuc.edu/myproxy/</SPAN></A></U></FONT><SPAN LANG="fi-FI">
         - NCSA MyProxy site</SPAN></P>
-        <LI><P CLASS="western" ALIGN=JUSTIFY><FONT COLOR="#0000ff"><U><A HREF="http://grid.ncsa.uiuc.edu/myproxy/fromscratch.html"><SPAN LANG="fr-FR">http://grid.ncsa.uiuc.edu/myproxy/fromscratch.html</SPAN></A></U></FONT><SPAN LANG="fr-FR">
-        - NCSA MyProxy installation instructions</SPAN></P>
+        <LI><P LANG="fr-FR" CLASS="western" ALIGN=JUSTIFY><A HREF="http://grid.ncsa.uiuc.edu/myproxy/ca/">http://grid.ncsa.uiuc.edu/myproxy/ca/</A>
+        - MyProxy Certificate Authority</P>
+        <LI><P LANG="fr-FR" CLASS="western" ALIGN=JUSTIFY><A HREF="http://grid.ncsa.uiuc.edu/myproxy/pam.html">http://grid.ncsa.uiuc.edu/myproxy/pam.html</A>
+        – MyProxy PAM Support</P>
         <LI><P CLASS="western" ALIGN=JUSTIFY><FONT COLOR="#0000ff"><U><A HREF="http://www-unix.globus.org/toolkit/docs/4.0/security/">http://www-unix.globus.org/toolkit/docs/4.0/security/</A></U></FONT>
         - Globus 4.0 and Security</P>
@@ -330 +363 @@
         CredentialRepository only]</P>
         <LI><P CLASS="western" ALIGN=JUSTIFY>Python 2.4 or later</P>
-        <LI><P CLASS="western" ALIGN=JUSTIFY>Python distutils utility</P>
+        <LI><P CLASS="western" ALIGN=JUSTIFY>Python setuptools utility</P>
         <LI><P CLASS="western" ALIGN=JUSTIFY>OpenSSL is required at version
         0.9.8 or greater</P>
+        <LI><P CLASS="western" ALIGN=JUSTIFY>SWIG 1.3.24 or later (for
+        M2Crypto Python OpenSSL wrapper)</P>
 </UL>
 <P CLASS="western" ALIGN=JUSTIFY STYLE="margin-left: 0.64cm">Also
@@ -371 +406 @@
 the particular installation required:</P>
 <UL>
-        <LI><P CLASS="western" ALIGN=LEFT>ndg_security_server – components
-        required to run services</P>
+        <LI VALUE=1><P CLASS="western" ALIGN=LEFT>ndg_security_server –
+        components required to run services</P>
         <LI><P CLASS="western" ALIGN=LEFT>ndg_security_common – components
         required by both server and common eggs</P>
@@ -394 +429 @@
 are required:</P>
 <UL>
-        <LI><P CLASS="western" ALIGN=JUSTIFY>Globus MyProxy 4.0.1 (or later)
-        – source installer tar ball  may be downloaded from the Globus
-        site (<FONT COLOR="#0000ff"><U><A HREF="http://www.globus.org/toolkit/downloads/4.0.1/">http://www.globus.org/toolkit/downloads/4.0.1/</A></U></FONT>)</P>
-        <LI><P CLASS="western" ALIGN=JUSTIFY>NDG SimpleCA client package tar
-        ball – configures target machine to trust the NDG CA.</P>
+        <LI VALUE=1><P CLASS="western" ALIGN=JUSTIFY>Globus MyProxy 4.0.5
+        (or later) – source installer tar ball  may be downloaded from the
+        Globus site (<FONT COLOR="#0000ff"><U><A HREF="http://www.globus.org/toolkit/downloads/4.0.1/">http://www.globus.org/toolkit/downloads/4.0.1/</A></U></FONT>)</P>
+        <LI><P CLASS="western" ALIGN=JUSTIFY>Globus SimpleCA to enable the
+        MyProxy Certificate Authority.</P>
 </UL>
 <P CLASS="western" ALIGN=JUSTIFY STYLE="margin-left: 0.64cm">These
@@ -407 +442 @@
 wish to install MyProxy on a separate secure server to the other
 Python based security services.</P>
-<H2 CLASS="western"><A NAME="4.1.Python Packages|outline"></A>4.1Python
-Packages</H2>
+<H2 CLASS="western"><A NAME="4.1.Dependencies|outline"></A>4.1Dependencies</H2>
+<H3 CLASS="western"><A NAME="4.1.1.OpenSSL|outline"></A>4.1.1 OpenSSL</H3>
+<P CLASS="western" ALIGN=JUSTIFY>Before proceeding with the
+installation check that an up to date version of OpenSSL is
+installed:</P>
+<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
+        <COL WIDTH=596>
+        <TR>
+                <TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6">
+                        <P LANG="da-DK" STYLE="margin-bottom: 0cm"><BR>
+                        </P>
+                        <P LANG="da-DK"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
+                        openssl version</FONT></P>
+                </TD>
+        </TR>
+</TABLE>
+<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
+</P>
+<P CLASS="western" ALIGN=JUSTIFY>0.9.8 or greater is required. 
+Should you need to upgrade, OpenSSL is available from
+<A HREF="http://www.openssl.org/source/">http://www.openssl.org/source/</A>.
+ Once downloaded, unpack the tarball and follow the installation
+intstructions.</P>
+<H3 CLASS="western"><A NAME="4.1.2.SWIG|outline"></A>4.1.2 SWIG</H3>
+<P CLASS="western">SWIG is a tool to help with bindings from C/C++ to
+interpreted languages such as Python.  The Python OpenSSL wrapper
+M2Crypto uses it and version 1.3.24 or later is required.  Downloads
+are available from, <A HREF="http://www.swig.org/">http://www.swig.org</A>.</P>
+<H2 CLASS="western"><A NAME="4.2.Python Packages|outline"></A>4.2
+Python Packages</H2>
 <P CLASS="western" ALIGN=JUSTIFY>Log in to the target host as <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">root</SPAN></FONT>.
  Change to a suitable directory to hold temporary installation files.
  
 </P>
-<H3 CLASS="western"><A NAME="4.1.1.distutils|outline"></A>4.1.1distutils</H3>
+<H3 CLASS="western"><A NAME="4.2.1.setuptools|outline"></A>4.2.1
+setuptools</H3>
 <P CLASS="western" ALIGN=JUSTIFY>The first step is to install Python
-distutils, the package that enables the use of Python eggs.  Download
-the distutils bootstrap script:</P>
+setuptools, the package that enables the use of Python eggs. 
+Download the setuptools bootstrap script:</P>
 <TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
         <COL WIDTH=596>
@@ -423 +487 @@
                         <P LANG="da-DK" STYLE="margin-bottom: 0cm"><BR>
                         </P>
-                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="da-DK">$
-                        wget http://peak.telecommunity.com/dist/ez_setup.py</SPAN></FONT></P>
+                        <P LANG="da-DK"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
+                        wget http://peak.telecommunity.com/dist/ez_setup.py</FONT></P>
                 </TD>
         </TR>
@@ -459 +523 @@
         </TR>
 </TABLE>
-<H3 CLASS="western"></H3>
-<P CLASS="western" ALIGN=JUSTIFY>Once completed, you can delete
-<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ez_setup.py</SPAN></FONT>.</P>
-<H3 CLASS="western"><A NAME="4.1.2.NDG Security Packages|outline"></A>
-4.1.2NDG Security Packages</H3>
+<P CLASS="western"><BR><BR>
+</P>
+<P CLASS="western">Once completed, you can delete <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ez_setup.py</SPAN></FONT>.</P>
+<H3 CLASS="western"><A NAME="4.2.2.NDG Security Packages|outline"></A>
+4.2.2 NDG Security Packages</H3>
 <P CLASS="western" ALIGN=JUSTIFY>NDG security uses a wrapper to
 distutils <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">easy_install</SPAN></FONT>
@@ -474 +538 @@
                         <P LANG="da-DK" STYLE="margin-bottom: 0cm"><BR>
                         </P>
-                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="da-DK">$
-                        wget http://ndg.nerc.ac.uk/dist/ndg-security-install.py</SPAN></FONT></P>
+                        <P LANG="da-DK"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
+                        wget http://ndg.nerc.ac.uk/dist/ndg-security-install.py</FONT></P>
                 </TD>
         </TR>
@@ -499 +563 @@
 using the –h option.  –a selects all packages for installation.  
 If there are problems with the installation, see the Troubleshooting
-Guide in the Appendices section 5.5.</P>
-<H2 CLASS="western"><A NAME="4.2.NDG Web Services Configuration|outline"></A>
-4.2NDG Web Services Configuration</H2>
-<H3 CLASS="western"><A NAME="4.2.1.NDG Security System Configuration Files|outline"></A>
-4.2.1NDG Security System Configuration Files</H3>
+Guide in the Appendices section 5.6.</P>
+<H2 CLASS="western"><A NAME="4.3.NDG Web Services Configuration|outline"></A>
+4.3 NDG Web Services Configuration</H2>
+<H3 CLASS="western"><A NAME="4.3.1.NDG Security System Configuration Files|outline"></A>
+4.3.1 NDG Security System Configuration Files</H3>
 <P CLASS="western" ALIGN=JUSTIFY>Properties files set the
 configuration settings for NDG security <I>server side</I> settings. 
@@ -520 +584 @@
                         <P STYLE="margin-bottom: 0cm"><BR>
                         </P>
-                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="da-DK">$
-                        mkdir /etc/ndg<BR>$ mkdir /etc/ndg/security</SPAN></FONT></P>
+                        <P LANG="da-DK"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
+                        mkdir /etc/ndg<BR>$ mkdir /etc/ndg/security</FONT></P>
                 </TD>
         </TR>
@@ -532 +596 @@
 environment of the user account used to run the security services or
 can be set in the init scripts used to automatically start up the
-services from server boot up (See sections 4.3.24.3.3 and 4.4.5).</P>
+services from server boot up (See sections 4.4.2, 4.4.3 and 4.5.5).</P>
 <P CLASS="western" ALIGN=JUSTIFY>Locate the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndg_security_server</SPAN></FONT>
 egg and copy its <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">conf/</SPAN></FONT>
@@ -611 +675 @@
 <P CLASS="western" ALIGN=JUSTIFY><BR><BR>
 </P>
-<H3 CLASS="western"><A NAME="4.2.2.Certificate Generation|outline"></A>
-4.2.2Certificate Generation</H3>
+<P CLASS="western" ALIGN=JUSTIFY>Note that it is possible to run
+security web services under any specified system account and group. 
+Ensure that this user has full access to <SPAN LANG="es-ES"><FONT FACE="Lucida Console">/etc/ndg/security</FONT>
+e.g.</SPAN></P>
+<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
+        <COL WIDTH=596>
+        <TR>
+                <TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6">
+                        <P STYLE="margin-bottom: 0cm"><BR>
+                        </P>
+                        <P LANG="es-ES"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
+                        chmod ndg:ndggroup -R /etc/ndg/security</FONT></P>
+                </TD>
+        </TR>
+</TABLE>
+<P LANG="es-ES" CLASS="western" ALIGN=JUSTIFY><BR><BR>
+</P>
+<H3 CLASS="western"><A NAME="4.3.2. Certificate Generation|outline"></A>
+4.3.2 Certificate Generation</H3>
 <P CLASS="western" ALIGN=JUSTIFY>The Session Manager and Attribute
 Authority web services require individual X.509 certificates as a
@@ -631 +712 @@
                         openssl genrsa –out sm-key.pem 2048</FONT></P>
                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
+                        chmod 400 sm-key.pem</FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
                         openssl req –new –key sm-key.pem –out sm.csr</FONT></P>
                         <P CLASS="western" ALIGN=LEFT><BR>
@@ -649 +732 @@
  All other fields have been omitted.  You can skip individual fields
 by enter ‘.’ When prompted.</P>
-<P CLASS="western" ALIGN=JUSTIFY>Forward the request file to the NDG
-CA.  The CA will issue a certificate file.  Copy this file as
+<P CLASS="western" ALIGN=JUSTIFY>Forward the request file to the
+appropriate CA.  This could be your SimpleCA created for use with
+MyProxy – see MyProxy installation.  The CA will issue a
+certificate file.  Copy this file as
 <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/conf/certs/sm-cert.pem</SPAN></FONT>.<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">
 </SPAN></FONT> The request<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">
@@ -667 +752 @@
                         openssl genrsa –out aa-key.pem 2048</FONT></P>
                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
+                        chmod 400 aa-key.pem</FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
                         openssl req –new –key aa-key.pem –out aa.csr</FONT></P>
                         <P CLASS="western" ALIGN=LEFT><BR>
@@ -678 +765 @@
 Manager is run over https to keep user login credentials secured.   A
 server certificate and key will be required in addition to enable
-this.  These can be added to the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/conf/certs
-directory and can be <FONT FACE="Helvetica, sans-serif">referenced by
-the Session Manager’s properties file.</FONT></SPAN></FONT></P>
+this.  
+</P>
+<P CLASS="western" ALIGN=JUSTIFY>If required, a certificate could be
+issued from your SimpleCA.  Follow the same procedure as used for the
+Session Manager and Attirbute Authority above creating a private key
+and certificate request.  The private key should be generated without
+a password.  When generating the certificate request ensure that the
+Common Name is set to the fully qualified name of the server host.</P>
+<P CLASS="western" ALIGN=JUSTIFY>Once available the certificate and
+private key can be added to the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/conf/certs
+<FONT FACE="Helvetica, sans-serif">directory and can be </FONT><FONT FACE="Helvetica, sans-serif">referenced
+by the Session Manager’s properties file with the </FONT><FONT FACE="Lucida Console">sslCertFile</FONT><FONT FACE="Helvetica, sans-serif">
+and </FONT><FONT FACE="Lucida Console">sslKeyFile</FONT><FONT FACE="Helvetica, sans-serif">
+elements respectively.</FONT></SPAN></FONT></P>
 <P CLASS="western" ALIGN=JUSTIFY>A copy of the NDG Certificate
 Authority’s X.509 certificate is also required.  Obtain this from
 the NDG CA administrator and copy it into the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/conf/certs
 </SPAN></FONT>directory.</P>
-<H2 CLASS="western"><A NAME="4.3.Session Manager Configuration|outline"></A>
-4.3Session Manager Configuration</H2>
+<P CLASS="western" STYLE="background: #cccccc">Note that all other
+trusted NDG partner organisations MUST have copies of your CA
+certificate.  If they don't, partner organisations NDG Security
+infrastructures will reject requests from your security services.  
+CA certificates are referenced in the Attribute Authority and Session
+Manager properties file settings  <FONT FACE="Lucida Console, DejaVu Sans Mono, sans-serif"><FONT SIZE=2>sslCACertDir</FONT><FONT SIZE=2 STYLE="font-size: 9pt">
+</FONT></FONT><FONT SIZE=2><FONT FACE="Helvetica, sans-serif">and
+</FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, sans-serif">caCertFileList</FONT></FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, sans-serif"><FONT SIZE=2 STYLE="font-size: 9pt">.</FONT></FONT><FONT SIZE=2><FONT FACE="Helvetica, sans-serif">
+ Configuration for Gatekeepers may also need to reference your CA
+certificate.</FONT></FONT></P>
+<H2 CLASS="western"><A NAME="4.4.Session Manager Configuration|outline"></A>
+4.4 Session Manager Configuration</H2>
 <P CLASS="western" ALIGN=JUSTIFY>Configuration parameters may be set
 via a properties file.  In addition, the Session Manager can
@@ -695 +803 @@
 use a Credential Repository.   If this is the case, skip this
 section.</P>
-<H3 CLASS="western"><A NAME="_Ref156702859"></A><A NAME="4.3.1.Session Manager Credential Repository|outline"></A>
-4.3.1Session Manager Credential Repository</H3>
+<H3 CLASS="western"><A NAME="_Ref156702859"></A><A NAME="4.4.1.Session Manager Credential Repository|outline"></A>
+4.4.1 Session Manager Credential Repository</H3>
 <P CLASS="western" ALIGN=JUSTIFY>Create the Credential Repository
 database.  In the example below a MySQL database is assumed.   Notes
-on installing MySQL are given in the Appendices section 5.1. 
+on installing MySQL are given in the Appendices section 5.2. 
 </P>
 <TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
@@ -776 +884 @@
 sufficient permissions to be able to read and write records.  For
 details of how to create an account in MySQL see the Appendices
-section 5.1.9.</P>
-<H3 CLASS="western"><A NAME="4.3.2.Session Manager Properties File Settings|outline"></A>
-4.3.2Session Manager Properties File Settings</H3>
+section 5.2.9.</P>
+<H3 CLASS="western"><A NAME="4.4.2.Session Manager Properties File Settings|outline"></A>
+4.4.2 Session Manager Properties File Settings</H3>
 <P CLASS="western" ALIGN=JUSTIFY>Edit <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">sessionMgrProperties.xml</SPAN></FONT>
 in <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/conf</SPAN></FONT>
@@ -797 +905 @@
                         <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;sslKeyFile&gt;&gt;$NDGSEC_DIR/conf/certs/server-key.pem
                         &lt;/sslKeyFile&gt;</FONT></FONT></P>
-                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!--</FONT></FONT></P>
+                        <P STYLE="margin-bottom: 0cm">   <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Lucida Console, DejaVu Sans Mono, sans-serif">&lt;!--
+                        <BR>    Directory containing CA cert.s to verify SSL peer cert
+                        against - ignored if useSSL is blank --&gt;<BR>   
+                        &lt;sslCACertDir&gt;$NDGSEC_DIR/conf/certs/ca&lt;/sslCACertDir&gt;<BR>
+                           </FONT>&lt;!--</FONT></FONT></P>
                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">PKI
                         settings for signature of outbound SOAP messages</FONT></FONT></P>
@@ -809 +921 @@
                         <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;keyFile&gt;&gt;$NDGSEC_DIR/conf/certs/server-key.pem&lt;/keyFile&gt;</FONT></FONT></P>
                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;keyPwd&gt;&lt;/keyPwd&gt;</FONT></FONT></P>
-                        <P STYLE="margin-bottom: 0cm">   
-                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;caCertFile&gt;&gt;$NDGSEC_DIR/conf/certs/cacert.pem&lt;/caCertFile&gt;</FONT></FONT></P>
-                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!--
+                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, sans-serif"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!--
                         </FONT></FONT>
+                        </P>
+                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Lucida Console, DejaVu Sans Mono, sans-serif">CA
+                        Certificates used to verify X.509 certs used in peer SOAP
+                        messages,<BR>    SSL connections and Attribute Certificates<BR>   
+                        --&gt;<BR>    &lt;caCertFileList&gt;<BR>        
+                        &lt;caCertFile&gt;$NDGSEC_DIR/conf/certs/cacert.pem&lt;/caCertFile&gt;<BR>
+                           &lt;/caCertFileList&gt;<BR></FONT>    &lt;!-- </FONT></FONT>
                         </P>
                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">Set
@@ -850 +967 @@
                         <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><SPAN LANG="fr-FR">MYPROXY_SERVER_PORT
                         setting</SPAN></FONT></FONT></P>
-                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="fr-FR"><FONT SIZE=2 STYLE="font-size: 9pt">--&gt;</FONT></SPAN></FONT></P>
-                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="fr-FR"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;port&gt;7512&lt;/port&gt;</FONT></SPAN></FONT></P>
+                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--&gt;</FONT></FONT></P>
+                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm">          
+                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;port&gt;7512&lt;/port&gt;</FONT></FONT></P>
                         <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!--</FONT></FONT></P>
                         <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">Useful
@@ -922 +1040 @@
                         <P STYLE="margin-bottom: 0cm">          
                         <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><SPAN LANG="fr-FR">&lt;caCertFile&gt;$NDGSEC_DIR/conf/certs/cacert.pem&lt;/caCertFile&gt;</SPAN></FONT></FONT></P>
-                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="fr-FR"><FONT SIZE=2 STYLE="font-size: 9pt">  &lt;/myProxyProp&gt;</FONT></SPAN></FONT></P>
-                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="fr-FR"><FONT SIZE=2 STYLE="font-size: 9pt">  &lt;simpleCACltProp&gt;
-                        </FONT></SPAN></FONT>
+                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">        &lt;/myProxyProp&gt;</FONT></FONT></P>
+                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">        &lt;simpleCACltProp&gt;
+                        </FONT></FONT>
                         </P>
                         <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">        
@@ -941 +1059 @@
                         <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">        
                            &lt;certLifetimeDays&gt;&lt;/certLifetimeDays&gt;</FONT></FONT></P>
-                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="fr-FR"><FONT SIZE=2 STYLE="font-size: 9pt">  
-                           &lt;certTmpDir&gt;&lt;/certTmpDir&gt;</FONT></SPAN></FONT></P>
+                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">        
+                           &lt;certTmpDir&gt;&lt;/certTmpDir&gt;</FONT></FONT></P>
                         <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">        
                            &lt;caCertFile&gt;&lt;/caCertFile&gt;</FONT></FONT></P>
@@ -1152 +1270 @@
 <P CLASS="western" ALIGN=JUSTIFY><BR><BR>
 </P>
-<H3 CLASS="western"><A NAME="_Ref175134983"></A><A NAME="_Ref179772391"></A><A NAME="4.3.3.SysV-style Boot Script|outline"></A>
-4.3.3SysV-style Boot Script</H3>
+<H3 CLASS="western"><A NAME="_Ref175134983"></A><A NAME="_Ref179772391"></A><A NAME="4.4.3.SysV-style Boot Script|outline"></A>
+4.4.3 SysV-style Boot Script</H3>
 <P CLASS="western" ALIGN=JUSTIFY>The Session Manager can be
 configured to start up at system boot of the host machine.  A SysV
@@ -1195 +1313 @@
 command may not be available on your target machine.  Please refer to
 instructions for your particular Linux distribution.</P>
-<H2 CLASS="western"><A NAME="4.4.Attribute Authority Configuration|outline"></A>
-4.4Attribute Authority Configuration</H2>
+<H2 CLASS="western"><A NAME="4.5.Attribute Authority Configuration|outline"></A>
+4.5 Attribute Authority Configuration</H2>
 <P CLASS="western" ALIGN=JUSTIFY>The Attribute Authority also has a
 properties file for the setting of configuration parameters.</P>
-<H3 CLASS="western"><A NAME="4.4.1.Attribute Authority Properties File Settings|outline"></A>
-4.4.1Attribute Authority Properties File Settings</H3>
+<H3 CLASS="western"><A NAME="4.5.1.Attribute Authority Properties File Settings|outline"></A>
+4.5.1Attribute Authority Properties File Settings</H3>
 <P CLASS="western" ALIGN=JUSTIFY>Edit <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">attAuthorityProperties.xml</SPAN></FONT>
 in <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/conf</SPAN></FONT>
@@ -1213 +1331 @@
                         version=&quot;1.0&quot; encoding=&quot;utf-8&quot;?&gt;</FONT></FONT></P>
                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;AAprop&gt;</FONT></FONT></P>
-                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">&lt;!--
-                        </FONT></FONT></FONT>
-                        </P>
-                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">'name'
-                        setting MUST agree with map config file 'thisHost' name attribute</FONT></FONT></FONT></P>
-                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">--&gt;</FONT></FONT></FONT></P>
-                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">&lt;name&gt;Organisation
-                        Identifier&lt;/name&gt; </FONT></FONT></FONT>
-                        </P>
-                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">&lt;portNum&gt;SELECT
-                        A SUITABLE PORT NUMBER FOR RUNNING THE SERVICE&lt;/portNum&gt;</FONT></FONT></FONT></P>
+                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!--
+                        </FONT></FONT>
+                        </P>
+                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">'name'
+                        setting MUST agree with map config file 'thisHost' name attribute</FONT></FONT></P>
+                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--&gt;</FONT></FONT></P>
+                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;name&gt;Organisation
+                        Identifier&lt;/name&gt; </FONT></FONT>
+                        </P>
+                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;portNum&gt;SELECT
+                        A SUITABLE PORT NUMBER FOR RUNNING THE SERVICE&lt;/portNum&gt;</FONT></FONT></P>
                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!--</FONT></FONT></P>
                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">PKI
@@ -1233 +1351 @@
                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;sslKeyFile&gt;&lt;/sslKeyFile&gt;</FONT></FONT></P>
                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;sslKeyPwd&gt;&lt;/sslKeyPwd&gt;</FONT></FONT></P>
-                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!--</FONT></FONT></P>
+                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Lucida Console, DejaVu Sans Mono, sans-serif">&lt;!--
+                        <BR>       Directory containing CA cert.s to verify SSL peer cert
+                        against - ignored if useSSL is blank --&gt;<BR>      
+                        &lt;sslCACertDir&gt;$NDGSEC_DIR/conf/certs/ca&lt;/sslCACertDir&gt;<BR></FONT>
+                           &lt;!--</FONT></FONT></P>
                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">PKI
                         settings for signature of outbound SOAP messages</FONT></FONT></P>
@@ -1240 +1362 @@
                         <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;useSignatureHandler&gt;Yes&lt;/useSignatureHandler&gt;
                         &lt;!-- leave blank for no signature --&gt;</FONT></FONT></P>
-                        <P STYLE="margin-bottom: 0cm">   
-                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">&lt;certFile&gt;$NDGSEC_DIR/conf/certs/aa-cert.pem&lt;/certFile&gt;</FONT></FONT></FONT></P>
-                        <P STYLE="margin-bottom: 0cm">   
-                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">&lt;keyFile&gt;$NDGSEC_DIR/conf/certs/aa-key.pem
-                        &lt;/keyFile&gt;</FONT></FONT></FONT></P>
+                        <P STYLE="margin-bottom: 0cm">         <FONT FACE="Lucida Console, DejaVu Sans Mono, sans-serif"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!--
+                        </FONT></FONT>
+                        </P>
+                        <P STYLE="margin-bottom: 0cm">         <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Lucida Console, DejaVu Sans Mono, sans-serif">CA
+                        Certificates used to verify X.509 certs used in peer SOAP
+                        messages,<BR>         SSL connections and Attribute Certificates<BR>
+                                --&gt;<BR>        &lt;caCertFileList&gt;<BR>            
+                        &lt;caCertFile&gt;$NDGSEC_DIR/conf/certs/cacert.pem&lt;/caCertFile&gt;<BR>
+                               &lt;/caCertFileList&gt;<BR></FONT>   
+                        &lt;keyFile&gt;$NDGSEC_DIR/conf/certs/aa-key.pem &lt;/keyFile&gt;</FONT></FONT></P>
                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;keyPwd&gt;&lt;/keyPwd&gt;</FONT></FONT></P>
                         <P STYLE="margin-bottom: 0cm">   
                         <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;caCertFile&gt;$NDGSEC_DIR/conf/certs/cacert.pem
                         &lt;/caCertFile&gt;</FONT></FONT></P>
-                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">&lt;!--
-                        </FONT></FONT></FONT>
+                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!--
+                        </FONT></FONT>
                         </P>
                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">Set
@@ -1267 +1394 @@
                         <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;attCertLifetime&gt;86400&lt;/attCertLifetime&gt;
                         &lt;!-- Measured in seconds --&gt;</FONT></FONT></P>
-                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">&lt;!--
-                        </FONT></FONT></FONT>
-                        </P>
-                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">Allow
-                        an offset for clock skew between servers running </FONT></FONT></FONT>
-                        </P>
-                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">security
-                        services.  - Use minus sign for time in the past</FONT></FONT></FONT></P>
-                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">--&gt;</FONT></FONT></FONT></P>
+                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!--
+                        </FONT></FONT>
+                        </P>
+                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">Allow
+                        an offset for clock skew between servers running </FONT></FONT>
+                        </P>
+                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">security
+                        services.  - Use minus sign for time in the past</FONT></FONT></P>
+                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--&gt;</FONT></FONT></P>
                         <P STYLE="margin-bottom: 0cm">   
                         <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;attCertNotBeforeOff&gt;0&lt;/attCertNotBeforeOff&gt;</FONT></FONT></P>
@@ -1281 +1408 @@
                         Location of role mapping file --&gt;</FONT></FONT></P>
                         <P STYLE="margin-bottom: 0cm">   
-                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">&lt;mapConfigFile&gt;$NDGSEC_DIR/conf/mapConfig.xml&lt;/mapConfigFile&gt;</FONT></FONT></FONT></P>
+                        <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;mapConfigFile&gt;$NDGSEC_DIR/conf/mapConfig.xml&lt;/mapConfigFile&gt;</FONT></FONT></P>
                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!--
                         All Attribute Certificates issued are recorded in this dir --&gt;</FONT></FONT></P>
                         <P STYLE="margin-bottom: 0cm">   
-                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">&lt;attCertDir&gt;$NDGSEC_DIR/conf/attCertLog&lt;/attCertDir&gt;</FONT></FONT></FONT></P>
-                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">&lt;!--
-                        </FONT></FONT></FONT>
-                        </P>
-                        <P STYLE="margin-bottom: 0cm">     <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">Files
-                        in attCertDir are stored using a rotating file handler</FONT></FONT></FONT></P>
-                        <P STYLE="margin-bottom: 0cm">     <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">attCertFileLogCnt
-                        sets the max number of files created before the first is</FONT></FONT></FONT></P>
-                        <P STYLE="margin-bottom: 0cm">     <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">overwritten</FONT></FONT></FONT></P>
-                        <P STYLE="margin-bottom: 0cm">     <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">--&gt;</FONT></FONT></FONT></P>
+                        <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;attCertDir&gt;$NDGSEC_DIR/conf/attCertLog&lt;/attCertDir&gt;</FONT></FONT></P>
+                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!--
+                        </FONT></FONT>
+                        </P>
+                        <P STYLE="margin-bottom: 0cm">     <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">Files
+                        in attCertDir are stored using a rotating file handler</FONT></FONT></P>
+                        <P STYLE="margin-bottom: 0cm">     <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">attCertFileLogCnt
+                        sets the max number of files created before the first is</FONT></FONT></P>
+                        <P STYLE="margin-bottom: 0cm">     <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">overwritten</FONT></FONT></P>
+                        <P STYLE="margin-bottom: 0cm">     <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--&gt;</FONT></FONT></P>
                         <P STYLE="margin-bottom: 0cm">   
                         <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;attCertFileName&gt;ac.xml&lt;/attCertFileName&gt;</FONT></FONT></P>
@@ -1309 +1436 @@
                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--&gt;</FONT></FONT></P>
                         <P STYLE="margin-bottom: 0cm">   
-                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">&lt;userRolesModFilePath&gt;$NDGSEC_DIR/conf&lt;/userRolesModFilePath&gt;</FONT></FONT></FONT></P>
+                        <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;userRolesModFilePath&gt;$NDGSEC_DIR/conf&lt;/userRolesModFilePath&gt;</FONT></FONT></P>
                         <P STYLE="margin-bottom: 0cm">   
-                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">&lt;userRolesModName&gt;userRoles&lt;/userRolesModName&gt;</FONT></FONT></FONT></P>
+                        <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;userRolesModName&gt;userRoles&lt;/userRolesModName&gt;</FONT></FONT></P>
                         <P STYLE="margin-bottom: 0cm">   
-                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">&lt;userRolesClassName&gt;UserRoles&lt;/userRolesClassName&gt;</FONT></FONT></FONT></P>
+                        <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;userRolesClassName&gt;UserRoles&lt;/userRolesClassName&gt;</FONT></FONT></P>
                         <P STYLE="margin-bottom: 0cm">   
-                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">&lt;userRolesPropFile&gt;$NDGSEC_DIR/conf/userRoles.cfg&lt;/userRolesPropFile&gt;</FONT></FONT></FONT></P>
+                        <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;userRolesPropFile&gt;$NDGSEC_DIR/conf/userRoles.cfg&lt;/userRolesPropFile&gt;</FONT></FONT></P>
                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;/AAprop&gt;</FONT></FONT></P>
                         <P> 
@@ -1324 +1451 @@
 <P CLASS="western" ALIGN=JUSTIFY><BR><BR>
 </P>
-<H3 CLASS="western"><A NAME="4.4.2.User Roles Interface|outline"></A>4.4.2User
-Roles Interface</H3>
+<H3 CLASS="western"><A NAME="4.5.2.User Roles Interface|outline"></A>4.5.2
+User Roles Interface</H3>
 <P CLASS="western" ALIGN=JUSTIFY>The Attribute Authority given a
 valid user proxy certificate serves an attribute certificate
@@ -1336 +1463 @@
 programmatic interface to determine the roles to user id
 relationship.   A custom python class may be written to perform this
-task.   See the Appendices section 5.4.</P>
-<H3 CLASS="western"><A NAME="4.4.3.Role Mapping|outline"></A>4.4.3Role
-Mapping</H3>
+task.   See the Appendices section 5.5.</P>
+<H3 CLASS="western"><A NAME="4.5.3.Role Mapping|outline"></A>4.5.3
+Role Mapping</H3>
 <P CLASS="western" ALIGN=JUSTIFY>The role mapping file is stored in
 the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/conf</SPAN></FONT>
@@ -1483 +1610 @@
         may map to many local roles.</P>
 </UL>
-<H3 CLASS="western"><A NAME="4.4.4.Twisted Python server .tac file|outline"></A>
-4.4.4Twisted Python server .tac file</H3>
+<H3 CLASS="western"><A NAME="4.5.4.Twisted Python server .tac file|outline"></A>
+4.5.4 Twisted Python server .tac file</H3>
 <P CLASS="western" ALIGN=JUSTIFY>Copy this from the
 ndg_security_server to the NDG security conf/ area:</P>
@@ -1505 +1632 @@
 <P CLASS="western" ALIGN=JUSTIFY><BR><BR>
 </P>
-<H3 CLASS="western"><A NAME="_Ref179772414"></A><A NAME="4.4.5.SysV-style Boot Script|outline"></A>
-4.4.5SysV-style Boot Script</H3>
+<H3 CLASS="western"><A NAME="_Ref179772414"></A><A NAME="4.5.5.SysV-style Boot Script|outline"></A>
+4.5.5 SysV-style Boot Script</H3>
 <P CLASS="western" ALIGN=JUSTIFY>As with the Session Manager, the
 Attribute Authority can be configured to start up at system boot of
@@ -1546 +1673 @@
 <P CLASS="western" ALIGN=JUSTIFY>If required, add any additional
 environment settings required to connect to a user database.</P>
-<H2 CLASS="western"><A NAME="4.5.Python Unit Tests|outline"></A>4.5Python
-Unit Tests</H2>
+<H2 CLASS="western"><A NAME="4.6.Python Unit Tests|outline"></A>4.6
+Python Unit Tests</H2>
 <P CLASS="western" ALIGN=JUSTIFY>Python unit test scripts are
 provided to enable the system to be checked to confirm that it is
@@ -1553 +1680 @@
 in the site-packages/ directory of the python installation.</P>
 <P CLASS="western" ALIGN=JUSTIFY>&lt;todo: &gt;</P>
-<H2 CLASS="western"><A NAME="4.6.Globus MyProxy|outline"></A>4.6Globus
-MyProxy</H2>
-<H3 CLASS="western"><A NAME="4.6.1.MyProxy and NDG Security Background|outline"></A>
-4.6.1MyProxy and NDG Security Background</H3>
+<H2 CLASS="western"><A NAME="4.7. MyProxy|outline"></A>4.7 MyProxy</H2>
+<H3 CLASS="western"><A NAME="4.7.1. MyProxy and NDG Security Background|outline"></A>
+4.7.1 MyProxy and NDG Security Background</H3>
 <P CLASS="western" ALIGN=JUSTIFY>NDG Security makes use of MyProxy
-from the Globus toolkit to store user’s authentication credentials.
- If a participating data centre supports user accounts then it will
-need to deploy its MyProxy repository.  
-</P>
-<P CLASS="western" ALIGN=JUSTIFY>The NDG SessionManager web service
-acts as a client to MyProxy.  When a user is registered at a site, it
-generates a new public/private key for the user and an X.509
-certificate request.  It sends the latter to the NDG Simple CA
-(Certificate Authority) for signing.  A new X.509 certificate is
-issued and returned.  The SessionManager uploads the public and
-private key into the MyProxy repository and associates a username and
-pass-phrase with these credentials.</P>
-<P CLASS="western" ALIGN=JUSTIFY>When a user subsequently logs in at
-their site, again the SessionManager is called.  It passes the
-username and pass-phrase provided to MyProxy.  MyProxy matches these
-with the X.509 certificate it holds and issues a <I>proxy</I> to that
-certificate.  The proxy certificate represents the user’s ID
-internally in the interactions between the various NDG components. 
+from the Globus toolkit to enable the use of individual user X.509
+certificates to secure messages in transactions.  For example, to
+request an Attribute Certificate from an Attribute Authority the
+request can be signed using the user's certificate to enable the 
+Attribute Authority to authenticate it.</P>
+<P CLASS="western" ALIGN=JUSTIFY>MyProxy is a flexible and can be
+configured to run in a number of different modes or combination of
+modes:</P>
+<OL>
+        <LI><P CLASS="western" ALIGN=JUSTIFY>users can upload a proxy to
+        their personal user certificate for storage in the MyProxy
+        repository for later use in delegation   
+        </P>
+        <LI><P CLASS="western" ALIGN=JUSTIFY>Personal user certificates
+        issued by a CA can by stored in the repository.</P>
+        <LI><P CLASS="western" ALIGN=JUSTIFY>MyProxy can be run with the
+        Globus SimpleCA package issuing certificates dynamically based on a
+        callout to some external authentication system.  MyProxy has basic
+        support for PAM (Pluggable Authentication Module) and SASL (<SPAN STYLE="font-style: normal">Simple
+        Authentication and Security Layer).</SPAN></P>
+</OL>
+<P CLASS="western" ALIGN=JUSTIFY>3) is the preferred mode for NDG
+deployments as typically NDG partners have existing user databases
+against which their users authenticate.   MyProxy can be configured
+to query the database with username/password via PAM/SASL.  
 </P>
 <P CLASS="western" ALIGN=JUSTIFY>MyProxy runs as a service
@@ -1581 +1714 @@
 on its host machine and user credentials are held in a directory on
 the file system.  It is important to secure the host to ensure the
-credentials are not compromised. (Also see Ref 1above.)</P>
-<H3 CLASS="western"><A NAME="4.6.2.MyProxy user account and the repository location considerations|outline"></A>
-4.6.2MyProxy user account and the repository location considerations</H3>
+credentials are not compromised. 
+</P>
+<H3 CLASS="western"><A NAME="4.7.2. MyProxy user account and the repository location considerations|outline"></A>
+4.7.2 MyProxy user account and the repository location considerations</H3>
 <P CLASS="western" ALIGN=JUSTIFY>MyProxy may be installed as root or
-using a separate user account.  The latter is preferable as it
-provides an extra level of security.  Note that the MyProxy
-repository will be in a standard location.  
+using a separate user account.  The latter provides an extra degree
+of security but for use with PAM, the MyProxy must be installed and
+run as root.  Note that the MyProxy repository will be in a standard
+location.  
 </P>
 <UL>
@@ -1599 +1734 @@
         </P>
 </UL>
-<P CLASS="western" ALIGN=JUSTIFY>It is possible to explicitly define
+<P CLASS="western" ALIGN=JUSTIFY>When run in mode 3) the repository
+is not used since all credentials are generated dynamically on a
+successful MyProxy logon request. It is possible to explicitly define
 an alternate location but this can only be done by providing a
 command line argument to <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy-server</SPAN></FONT>.
@@ -1606 +1743 @@
 ps</SPAN></FONT>.  This could be avoided by running <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy-server</SPAN></FONT>
 with <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">xinetd
-</SPAN></FONT>(See 4.6.8.1).</P>
-<P CLASS="western" ALIGN=LEFT>Another factor to take into
-consideration is the available space on the file system for the
-repository location.  There should be sufficient disk space on the
-partition where the directory is located to store credentials for all
-the users of the system at the target site.</P>
-<P CLASS="western" ALIGN=JUSTIFY>This guide assumes installation
-under a dedicated user account.  The username <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">globus</SPAN></FONT>
-is used in the examples for convenience only.  An alternative
-username is recommended.</P>
-<P CLASS="western" ALIGN=JUSTIFY>As <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">root</SPAN></FONT>
-user set up a local user account.</P>
+</SPAN></FONT>(See 4.7.10.1).</P>
+<P CLASS="western" ALIGN=LEFT>This guide assumes installation as
+root.  
+</P>
+<H3 CLASS="western"><A NAME="4.7.3. Installation|outline"></A>4.7.3
+Installation</H3>
+<P CLASS="western">MyProxy is available with Globus.  Version 4.0.5
+distribution is recommended for use with the NDG Security software.  
+<FONT FACE="Helvetica, sans-serif"><SPAN LANG="en-GB">C and C++
+development packages are needed for the build.</SPAN></FONT></P>
+<H4 CLASS="western">4.7.3.1 PAM Dependencies</H4>
+<P CLASS="western">A binary version is available but it is
+recommended to build and install from the source code to include PAM
+dependencies (<A HREF="http://grid.ncsa.uiuc.edu/myproxy/pam.html">http://grid.ncsa.uiuc.edu/myproxy/pam.html</A>).
+  To check, there should be a <CODE><FONT FACE="Helvetica, sans-serif">pam_appl.h
+header file either in /usr/include/security or /usr/include/pam.</FONT></CODE></P>
+<P CLASS="western"><CODE><FONT FACE="Helvetica, sans-serif">If they
+are not present, they can be installed with the PAM development
+package for your Linux distribution – e.g. pam-devel (Redhat) or
+libpam*-dev (Debian based).</FONT></CODE></P>
+<P CLASS="western"><CODE><FONT FACE="Helvetica, sans-serif">Due to a
+limitation in PAM, MyProxy must be built and installed under the
+system root account.</FONT></CODE></P>
+<H4 CLASS="western">4.7.3.2<CODE><FONT FACE="Helvetica, sans-serif">
+Build</FONT></CODE></H4>
+<P CLASS="western"><CODE><FONT FACE="Helvetica, sans-serif">The code
+can be downloaded from  </FONT><FONT COLOR="#0000ff"><U><A HREF="http://www.globus.org/toolkit/downloads/4.0.1/"><FONT FACE="Helvetica, sans-serif">http://www.globus.org/toolkit/downloads/4.0.5</FONT></A></U></FONT></CODE></P>
+<P CLASS="western" ALIGN=JUSTIFY>Note that it is possible to set a
+target for <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">make
+</SPAN></FONT>so that only the MyProxy components of Globus are
+built.  Click on the link for the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">gt4.0.5-all-source-installer</FONT>
+tarball.  Extract the files and change to the
+<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">gt4.0.5-all-source-installer/</FONT>
+directory created.</P>
+<P CLASS="western" ALIGN=JUSTIFY>Configure the build settings.  The
+default installation location is /usr/local/globus-4.0.5.  Use
+–prefix=&lt;dir path&gt; command line option to specify an
+alternative location for the installation.</P>
 <TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
         <COL WIDTH=596>
         <TR>
-                <TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6">
+                <TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6">
                         <P STYLE="margin-bottom: 0cm"><BR>
                         </P>
                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
-                        groupadd globus</FONT></P>
-                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
-                        useradd globus –g globus</FONT></P>
-                </TD>
-        </TR>
-</TABLE>
-<P CLASS="western" ALIGN=LEFT><BR><BR>
-</P>
-<P CLASS="western" ALIGN=JUSTIFY>Note that for security purposes, the
-globus user account is set up as a local rather NIS account so that
-access is restricted.  Set the default home directory as necessary
-and default shell to bash.  Set the password for <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">globus</SPAN></FONT>:</P>
+                        ./configure </FONT>
+                        </P>
+                        <P><BR>
+                        </P>
+                </TD>
+        </TR>
+</TABLE>
+<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
+</P>
+<P CLASS="western" ALIGN=JUSTIFY>Compile and install MyProxy:</P>
 <TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
         <COL WIDTH=596>
@@ -1643 +1804 @@
                         <P STYLE="margin-bottom: 0cm"><BR>
                         </P>
-                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
-                        passwd globus</FONT></P>
-                </TD>
-        </TR>
-</TABLE>
-<P CLASS="western" ALIGN=LEFT><BR><BR>
-</P>
-<P CLASS="western" ALIGN=JUSTIFY>Modify the relevant files and
-directories in the NDG installation area to be owned by the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">globus</SPAN></FONT>
-account:</P>
-<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
-        <COL WIDTH=596>
-        <TR>
-                <TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6">
-                        <P STYLE="margin-bottom: 0cm"><BR>
-                        </P>
-                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
-                        chown -R globus:globus $NDGSEC_DIR/conf/ $NDGSEC_DIR/ndgSetup.sh</FONT></P>
-                </TD>
-        </TR>
-</TABLE>
-<P CLASS="western" ALIGN=LEFT><BR><BR>
-</P>
-<P CLASS="western" ALIGN=LEFT>For convenience, the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndgSetup.sh</SPAN></FONT>
-file may be called from the globus account’s <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">.bashrc</SPAN></FONT>
-file so that the NDG environment is automatically initialised when a
-new globus shell is invoked.</P>
-<P CLASS="western" ALIGN=LEFT>Change to the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">globus</SPAN></FONT>
-account and edit <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">~/.bashrc</SPAN></FONT>
-adding the following lines at the end:</P>
-<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
-        <COL WIDTH=596>
-        <TR>
-                <TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6">
-                        <P STYLE="margin-bottom: 0cm"><BR>
-                        </P>
-                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#
-                        NDG set-up</FONT></P>
-                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">.
-                        /usr/local/NDG/ndgSetup.sh</FONT></P>
-                </TD>
-        </TR>
-</TABLE>
-<P CLASS="western" ALIGN=LEFT><BR><BR>
-</P>
-<H3 CLASS="western"><A NAME="4.6.3.Build Process|outline"></A>4.6.3Build
-Process</H3>
-<P CLASS="western" ALIGN=JUSTIFY>As <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">root</SPAN></FONT>,
-create an installation directory for Globus within the NDG
-installation:</P>
-<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
-        <COL WIDTH=596>
-        <TR>
-                <TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6">
-                        <P STYLE="margin-bottom: 0cm"><BR>
-                        </P>
-                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
-                        mkdir $NDGSEC_DIR/globus-4.0.1</FONT></P>
-                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
-                        chown globus:globus $NDGSEC_DIR/globus-4.0.1</FONT></P>
-                        <P><BR>
-                        </P>
-                </TD>
-        </TR>
-</TABLE>
-<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
-</P>
-<P CLASS="western" ALIGN=JUSTIFY>Ensure that the setting for
-<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">GLOBUS_LOCATION</FONT>
-in <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$NDGSEC_DIR/ndgSetup.sh</FONT>
-points to the new directory created <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$NDGSEC_DIR/globus-4.0.1</FONT>.</P>
-<P CLASS="western" ALIGN=JUSTIFY>Switch to the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">globus</FONT>
-user account ready to download the globus installation.</P>
-<P CLASS="western" ALIGN=JUSTIFY>Globus 4.0.1 distribution is
-recommended for use with the NDG Security software.  This is
-available from <FONT COLOR="#0000ff"><U><A HREF="http://www.globus.org/toolkit/downloads/4.0.1/">http://www.globus.org/toolkit/downloads/4.0.1/</A></U></FONT></P>
-<P CLASS="western" ALIGN=JUSTIFY>A binary version is available but it
-is recommended to install the source code version and build from
-scratch on the target machine.  Note that it is possible to set a
-target for <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">make
-</SPAN></FONT>so that only the MyProxy components of Globus are
-built.  Click on the link for the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">gt4.0.1-all-source-installer</FONT>
-tarball.  Extract the files and change to the
-<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">gt4.0.1-all-source-installer/</FONT>
-directory created.</P>
-<P CLASS="western" ALIGN=JUSTIFY>Configure the build settings compile
-and install MyProxy:</P>
-<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
-        <COL WIDTH=596>
-        <TR>
-                <TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6">
-                        <P STYLE="margin-bottom: 0cm"><BR>
-                        </P>
-                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
-                        ./configure –prefix=$GLOBUS_LOCATION</FONT></P>
                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
                         make gsi-myproxy postinstall</FONT></P>
@@ -1752 +1818 @@
 environment variable is not set.  This can be ignored because Java is
 not required for the MyProxy build.</SPAN></FONT></FONT></P>
-<P STYLE="margin-bottom: 0cm"><BR>
-</P>
-<H3 CLASS="western"><A NAME="4.6.4.NDG SimpleCA Client Package |outline"></A>
-4.6.4NDG SimpleCA Client Package 
-</H3>
-<P CLASS="western" ALIGN=JUSTIFY>This configures the target machine
-to trust the NDG CA.  
-</P>
-<P CLASS="western" ALIGN=JUSTIFY>Login as the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">globus</SPAN></FONT>
-user. To install first initialise the environment settings (The
-following line should be included in <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndgSetup.sh</SPAN></FONT>.
- Check and amend as necessary).</P>
+<P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm">  
+</P>
+<P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm"><FONT FACE="Helvetica, sans-serif"><SPAN LANG="en-GB">If
+you encounter errors with the build you can trobuleshoot by checking
+config.log in the BUILD/globus_core-* or source-trees/core/source
+directories.</SPAN></FONT></P>
+<P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm"><BR>
+</P>
+<P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm"><FONT FACE="Helvetica, sans-serif"><SPAN LANG="en-GB">Verify
+myproxy has built with PAM support by running the command:</SPAN></FONT></P>
+<P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm"><BR>
+</P>
+<P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm"><BR>
+</P>
 <TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
         <COL WIDTH=596>
         <TR>
                 <TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6">
-                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><BR>
-                        </P>
-                        <P LANG="fr-FR"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
-                        . $GLOBUS_LOCATION/etc/globus-user-env.sh</FONT></P>
-                </TD>
-        </TR>
-</TABLE>
-<P><BR><BR>
-</P>
-<P CLASS="western" ALIGN=LEFT>Install the client package.  <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">&lt;CA
-Hash&gt;</SPAN></FONT> below is a unique identifier for the CA.  Note
-that the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">–nonroot</SPAN></FONT>
-option ensures that the configuration files are installed in
-<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$GLOBUS_LOCATION/etc</SPAN></FONT>
-rather than the default location used with the root user:
-<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/etc/grid-security</SPAN></FONT>.
- If you are installing as <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">root</SPAN></FONT>,
-this option may be omitted if required.</P>
-<P CLASS="western" ALIGN=LEFT>Also note that for 64 bit architectures
-the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">gcc32dbg</SPAN></FONT>
-argument to <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">gpt-build</SPAN></FONT>
-should be substituted with <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">gcc64dbg</SPAN></FONT>.</P>
+                        <P STYLE="margin-bottom: 0cm"><BR>
+                        </P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
+                        /usr/local/globus-4.0.5/sbin/myproxy-server -V</FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">myproxy-server
+                        version MYPROXYv2 (v3.7 12 Dec 2006 PAM)</FONT></P>
+                        <P><BR>
+                        </P>
+                </TD>
+        </TR>
+</TABLE>
+<P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm"><BR>
+</P>
+<P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm"><FONT FACE="Helvetica, sans-serif"><SPAN LANG="en-GB">If
+'PAM' is included in the output as above then the executable has
+built correctly to include PAM support.</SPAN></FONT></P>
+<P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm"><BR>
+</P>
+<H3 CLASS="western"><A NAME="4.7.4. SimpleCA Installation|outline"></A>
+4.7.4 SimpleCA Installation</H3>
+<P CLASS="western" ALIGN=JUSTIFY>Reference: 
+</P>
+<P CLASS="western" ALIGN=JUSTIFY><A HREF="http://www-unix.globus.org/toolkit/docs/4.0/security/simpleca/admin-index.html#s-simpleca-admin-installing">http://www-unix.globus.org/toolkit/docs/4.0/security/simpleca/admin-index.html#s-simpleca-admin-installing</A></P>
+<P CLASS="western" ALIGN=JUSTIFY>The SimpleCA can be set up under a
+dedicated user account but this user must have read/write permissions
+to the Globus MyProxy installation location.   For simplicity, this
+guide assumes installation for MyProxy and the SimpleCA under root.</P>
+<P CLASS="western" ALIGN=JUSTIFY>To install first initialise the
+environment settings (These may be added to the appropriate start-up
+file e.g. .bashrc):</P>
 <TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
         <COL WIDTH=596>
         <TR>
                 <TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6">
-                        <P STYLE="margin-bottom: 0cm"><BR>
-                        </P>
-                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
-                        gpt-build globus_simple_ca_&lt;CA hash&gt;_setup-0.18.tar.gz
-                        gcc32dbg</FONT></P>
-                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
-                        gpt-postinstall</FONT></P>
-                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
-                        $GLOBUS_LOCATION/setup/globus_simple_ca_&lt;CA
-                        hash&gt;_setup/setup-gsi </FONT>
-                        </P>
-                        <P>–<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">default
-                        –nonroot</FONT></P>
-                </TD>
-        </TR>
-</TABLE>
-<P STYLE="margin-bottom: 0cm"><BR>
-</P>
-<P CLASS="western" ALIGN=LEFT>When running <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">gpt-postinstall</SPAN></FONT>,
-you may see a warning:</P>
+                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><BR>
+                        </P>
+                        <P LANG="fr-FR"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
+                        export GLOBUS_LOCATION=/usr/local/globus-4.0.5<BR>$ export
+                        GPT_LOCATION=$GLOBUS_LOCATION<BR>$ .
+                        $GLOBUS_LOCATION/etc/globus-user-env.sh</FONT></P>
+                </TD>
+        </TR>
+</TABLE>
+<P><BR><BR>
+</P>
+<P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Installation
+script:</FONT></P>
 <TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
         <COL WIDTH=596>
         <TR>
                 <TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6">
-                        <P STYLE="margin-bottom: 0cm"><BR>
-                        </P>
-                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">WARNING:
-                        The following packages were not set up correctly:</FONT></P>
-                        <P STYLE="margin-bottom: 0cm">        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">globus_simple_ca_&lt;CA
-                        hash&gt;_setup-noflavor-pgm</FONT></P>
-                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Check
-                        the package documentation or run postinstall -verbose to see what
-                        happened</FONT></P>
+                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><BR>
+                        </P>
+                        <P LANG="fr-FR"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
+                        $GLOBUS_LOCATION/setup/globus/setup-simple-ca</FONT></P>
                 </TD>
         </TR>
@@ -1832 +1896 @@
 <P CLASS="western" ALIGN=LEFT><BR><BR>
 </P>
-<P CLASS="western" ALIGN=LEFT>This can be ignored.</P>
-<H4 CLASS="western">4.6.4.1Modifications to Configuration File
-Settings</H4>
-<P CLASS="western" ALIGN=LEFT>The configuration files installed
-require some minor modifications before proceeding:</P>
-<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm">Under the
-directory <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$GLOBUS_LOCATION/etc</SPAN></FONT>,
-edit <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">globus-host-ssl.conf</SPAN></FONT>
-and under the section <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">[
-req_distinguished_name ]</SPAN></FONT>, edit the setting for
-<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">0.organizationalUnitName_default</SPAN></FONT>
-and change the default <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">BADC</SPAN></FONT>
-to the name of the organisation where this NDG security software is
-being installed.  This name will be used as the default for the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">OU</SPAN></FONT>
-field of certificates held in the MyProxy server.</P>
+<P CLASS="western" ALIGN=LEFT>You will be prompted for the following
+information:</P>
+<OL>
+        <LI><P CLASS="western" ALIGN=LEFT>Subject Name: When prompted, type
+        'n' to override the default and set an appropriate subject name for
+        the CA for your organisation.  O = Organisation Name, OU =
+        Organisational Unit (you can set more than one), CN = the Common
+        Name i.e. the name of the Certificate Authority.  For
+        example,<BR><BR>/O=STFC/OU=Rutherford Appleton
+        Laboratory/OU=Testing/CN=CA<BR><BR>could be the Certificate
+        Authority’s subject for a CA for the Space Science and Technology
+        Department at Rutherford Appleton Laboratory which is part of the
+        Science and Technology Facilities Council.</P>
+        <LI><P CLASS="western" ALIGN=LEFT>e-mail Address: the contact
+        address for certificate requests.   If you are using the CA for
+        MyProxy only you will probably not need this facility.  You could
+        enter globus@&lt;target host&gt; or some suitable administrative
+        contact</P>
+        <LI><P CLASS="western" ALIGN=LEFT>CA Certificate Expiry Date: Press
+        enter to accept the default of five years, otherwise override and
+        enter your required period.</P>
+        <LI><P CLASS="western" ALIGN=LEFT>PEM Pass phrase: this is the
+        password that will protect the CA's private key file.  It will need
+        to be entered in MyProxy's configuration file to enable MyProxy to
+        dynamically issue certificates.</P>
+</OL>
+<P CLASS="western" ALIGN=LEFT>A message will appear indicating that
+the set-up has completed and confirming the subject chosen for your
+certificate and the location of certificate and private key:</P>
+<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
+        <COL WIDTH=596>
+        <TR>
+                <TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6">
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
+                        $GLOBUS_LOCATION/setup/globus/setup-simple-ca</FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><BR>
+                        </P>
+                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">C
+                        e r t i f i c a t e    A u t h o r i t y    S e t u p</FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><BR>
+                        </P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">This
+                        script will setup a Certificate Authority for signing Globus</FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">users
+                        certificates.  It will also generate a simple CA package</FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">that
+                        can be distributed to the users of the CA.</FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><BR>
+                        </P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">The
+                        CA information about the certificates it distributes will</FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">be
+                        kept in:</FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><BR>
+                        </P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">/root/.globus/simpleCA/</FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><BR>
+                        </P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">The
+                        unique subject name for this CA is:</FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><BR>
+                        </P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">cn=Globus
+                        Simple CA, ou=simpleCA-gabriel, ou=GlobusTest, o=Grid</FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><BR>
+                        </P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Do
+                        you want to keep this as the CA subject (y/n) [y]:n</FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><BR>
+                        </P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Enter
+                        a unique subject name for this CA:cn=CA, ou=BADC, ou=Gabriel,
+                        o=NDG</FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><BR>
+                        </P>
+                        <P STYLE="margin-bottom: 0cm"><BR>
+                        </P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Enter
+                        the email of the CA (this is the email where certificate</FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">requests
+                        will be sent to be signed by the CA):p.j.kershaw@rl.ac.uk</FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><BR>
+                        </P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">The
+                        CA certificate has an expiration date. Keep in mind that</FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">once
+                        the CA certificate has expired, all the certificates</FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">signed
+                        by that CA become invalid.  A CA should regenerate</FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">the
+                        CA certificate and start re-issuing ca-setup packages</FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">before
+                        the actual CA certificate expires.  This can be done</FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">by
+                        re-running this setup script.  Enter the number of DAYS</FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">the
+                        CA certificate should last before it expires.</FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">[default:
+                        5 years (1825 days)]:</FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><BR>
+                        </P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Enter
+                        PEM pass phrase:</FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Verifying
+                        - Enter PEM pass phrase:</FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><BR>
+                        </P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">creating
+                        CA config package...done.</FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><BR>
+                        </P>
+                        <P STYLE="margin-bottom: 0cm"><BR>
+                        </P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">A
+                        self-signed certificate has been generated</FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">for
+                        the Certificate Authority with the subject:</FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><BR>
+                        </P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">/O=NDG/OU=Gabriel/OU=BADC/CN=CA</FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><BR>
+                        </P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">If
+                        this is invalid, rerun this script</FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><BR>
+                        </P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">/usr/local/gt4.0.5/setup/globus/setup-simple-ca</FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><BR>
+                        </P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">and
+                        enter the appropriate fields.</FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><BR>
+                        </P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">-------------------------------------------------------------------</FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><BR>
+                        </P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">The
+                        private key of the CA is stored in
+                        /root/.globus/simpleCA//private/cakey.pem</FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">The
+                        public CA certificate is stored in
+                        /root/.globus/simpleCA//cacert.pem</FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><BR>
+                        </P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">The
+                        distribution package built for this CA is stored in</FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><BR>
+                        </P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">/root/.globus/simpleCA//globus_simple_ca_2cba3376_setup-0.19.tar.gz</FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><BR>
+                        </P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">This
+                        file must be distributed to any host wishing to request</FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">certificates
+                        from this CA.</FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><BR>
+                        </P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">CA
+                        setup complete.</FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><BR>
+                        </P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">The
+                        following commands will now be run to setup the security</FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">configuration
+                        files for this CA:</FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><BR>
+                        </P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$GLOBUS_LOCATION/sbin/gpt-build
+                        /root/.globus/simpleCA//globus_simple_ca_2cba3376_setup-0.19.tar.gz</FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><BR>
+                        </P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$GLOBUS_LOCATION/sbin/gpt-postinstall</FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">-------------------------------------------------------------------</FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><BR>
+                        </P>
+                        <P STYLE="margin-bottom: 0cm"><BR>
+                        </P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">setup-ssl-utils:
+                        Configuring ssl-utils package</FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Running
+                        setup-ssl-utils-sh-scripts...</FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><BR>
+                        </P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">***************************************************************************</FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><BR>
+                        </P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Note:
+                        To complete setup of the GSI software you need to run the</FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">following
+                        script as root to configure your security configuration</FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">directory:</FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><BR>
+                        </P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">/usr/local/gt4.0.5/setup/globus_simple_ca_2cba3376_setup/setup-gsi</FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><BR>
+                        </P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">For
+                        further information on using the setup-gsi script, use the -help</FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">option.
+                         The -default option sets this security configuration to be</FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">the
+                        default, and -nonroot can be used on systems where root access is</FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">not
+                        available.</FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><BR>
+                        </P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">***************************************************************************</FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><BR>
+                        </P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">setup-ssl-utils:
+                        Complete</FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><BR>
+                        </P>
+                        <P><BR>
+                        </P>
+                </TD>
+        </TR>
+</TABLE>
+<P CLASS="western" ALIGN=LEFT><BR><BR>
+</P>
+<P CLASS="western" ALIGN=LEFT>The number in the file names “
+2cba3376” is a unique h<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ash</SPAN></FONT>
+identifier for the CA.  It will be different for for your
+installation when you run the setup.  To complete the set-up run the
+setup-gsi script:</P>
+<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
+        <COL WIDTH=596>
+        <TR>
+                <TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6">
+                        <P STYLE="margin-bottom: 0cm"><BR>
+                        </P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
+                        $GLOBUS_LOCATION/setup/globus_simple_ca_2cba3376_setup/setup-gsi </FONT>
+                        </P>
+                        <P>–<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">default
+                        </FONT>
+                        </P>
+                </TD>
+        </TR>
+</TABLE>
+<P STYLE="margin-bottom: 0cm"><BR>
+</P>
+<H3 CLASS="western"><A NAME="4.7.5. Host Certificate Creation|outline"></A>
+4.7.5 Host Certificate Creation</H3>
+<P CLASS="western">As root user to carry out these steps.   First
+check the path to the command <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">grid-cert-request</SPAN></FONT>:</P>
 <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
 </P>
-<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
-        <COL WIDTH=610>
-        <TR>
-                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
-                        <P STYLE="margin-bottom: 0cm"><BR>
-                        </P>
-                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">[
-                        req_distinguished_name ]</FONT></P>
-                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#
-                        BEGIN CONFIG</FONT></P>
-                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">0.organizationName
-                                      = Level 0 Organization</FONT></P>
-                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">0.organizationName_default
-                              = NDG</FONT></P>
-                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">0.organizationalUnitName
-                                 = Level 0 Organizational Unit</FONT></P>
-                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">0.organizationalUnitName_default
-                        = BADC</FONT></P>
-                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">commonName
-                                             = Name (e.g., John M. Smith)</FONT></P>
-                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">commonName_max
-                                         = 64</FONT></P>
-                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#
-                        END CONFIG</FONT></P>
-                        <P><BR>
-                        </P>
-                </TD>
-        </TR>
-</TABLE>
-<P CLASS="western" ALIGN=LEFT><BR><BR>
-</P>
-<P CLASS="western" ALIGN=LEFT>Under the same directory, edit the file
-<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">globus-user-ssl.conf</SPAN></FONT>
-and carry out the same modification as above but also comment out the
-two lines below <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">1.organizationalUnitName</SPAN></FONT>
-and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">1.organizationalUnitName_default</SPAN></FONT>:</P>
-<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
-</P>
-<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
-        <COL WIDTH=610>
-        <TR>
-                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
-                        <P STYLE="margin-bottom: 0cm"><BR>
-                        </P>
-                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">[
-                        req_distinguished_name ]</FONT></P>
-                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#
-                        BEGIN CONFIG</FONT></P>
-                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">0.organizationName
-                                      = Level 0 Organization</FONT></P>
-                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">0.organizationName_default
-                              = NDG</FONT></P>
-                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">0.organizationalUnitName
-                                 = Level 0 Organizational Unit</FONT></P>
-                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">0.organizationalUnitName_default
-                        = BADC</FONT></P>
-                        <P STYLE="margin-bottom: 0cm"><BR>
-                        </P>
-                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#1.organizationalUnitName
-                                 = Level 1 Organizational Unit</FONT></P>
-                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#1.organizationalUnitName_default
-                        = badc.rl.ac.uk</FONT></P>
-                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">commonName
-                                             = Name (e.g., John M. Smith)</FONT></P>
-                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">commonName_max
-                                         = 64</FONT></P>
-                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#
-                        END CONFIG</FONT></P>
-                        <P><BR>
-                        </P>
-                </TD>
-        </TR>
-</TABLE>
-<P CLASS="western" ALIGN=LEFT><BR><BR>
-</P>
-<P CLASS="western" ALIGN=LEFT>Edit
-<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$GLOBUS_LOCATION/share/certificates/&lt;CA
-Hash&gt;.signing_policy</SPAN></FONT> and change the setting of <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">OU</FONT>
-in the line:</P>
-<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
-</P>
-<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
-        <COL WIDTH=610>
-        <TR>
-                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
-                        <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
-                        </P>
-                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">cond_subjects
-                            globus       '&quot;/O=NDG/OU=BADC/*&quot;'</FONT></P>
-                        <P CLASS="western" ALIGN=LEFT><BR>
-                        </P>
-                </TD>
-        </TR>
-</TABLE>
-<P CLASS="western" ALIGN=LEFT><BR><BR>
-</P>
-<P CLASS="western" ALIGN=LEFT>Replacing ‘BADC’ with the name of
-the Organisational Unit for your organisation.  This should be the
-same as <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">0.organizationalUnitName_default</SPAN></FONT>
-set above for <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">globus-host-ssl.conf</FONT>
-and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">globus-user-ssl.conf</FONT>.</P>
-<P CLASS="western" ALIGN=LEFT>Having completed these steps, a host
-certificate for the target machine can be made in order to identify
-it.</P>
-<H3 CLASS="western"><A NAME="4.6.5.Host Certificate Creation|outline"></A>
-4.6.5Host Certificate Creation</H3>
-<P CLASS="western" ALIGN=LEFT>Login as <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">globus</SPAN></FONT>
-user to carry out these steps.   <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">ndgSetup.sh
-</FONT>should configure the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">PATH</FONT>
-variable to have included the Globus executable directories
-<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$GLOBUS_LOCATION/bin</FONT>
-and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$GLOBUS_LOCATION/sbin</FONT>.
- Check the path to the command <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">grid-cert-request</SPAN></FONT>:</P>
-<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
-</P>
-<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
-        <COL WIDTH=610>
-        <TR>
-                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
+<TABLE WIDTH=609 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
+        <COL WIDTH=593>
+        <TR>
+                <TD WIDTH=593 VALIGN=TOP BGCOLOR="#e0e0e0">
                         <P STYLE="margin-bottom: 0cm"><BR>
                         </P>
@@ -1978 +2158 @@
 </TABLE>
 <P CLASS="western" ALIGN=JUSTIFY><BR>Should return something like:
-<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">/usr/local/NDG/globus-4.0.1/bin/grid-cert-request</FONT></P>
+<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">/usr/local/globus-4.0.5/bin/grid-cert-request</FONT></P>
+<P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">If
+not check the settings as made earlier for the SimpleCA:</FONT></P>
+<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
+</P>
+<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
+        <COL WIDTH=596>
+        <TR>
+                <TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6">
+                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><BR>
+                        </P>
+                        <P LANG="fr-FR"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
+                        export GLOBUS_LOCATION=/usr/local/globus-4.0.5<BR>$ export
+                        GPT_LOCATION=$GLOBUS_LOCATION<BR>$ .
+                        $GLOBUS_LOCATION/etc/globus-user-env.sh</FONT></P>
+                </TD>
+        </TR>
+</TABLE>
+<P><BR><BR>
+</P>
 <P CLASS="western" ALIGN=JUSTIFY>To generate a host certificate
-request, change to the certificates directory:</P>
-<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
-</P>
-<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
-        <COL WIDTH=610>
-        <TR>
-                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
+request:</P>
+<TABLE WIDTH=608 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
+        <COL WIDTH=592>
+        <TR>
+                <TD WIDTH=592 VALIGN=TOP BGCOLOR="#e0e0e0">
                         <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
                         </P>
                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
-                        cd $GLOBUS_LOCATION/etc</FONT></P>
-                        <P CLASS="western" ALIGN=LEFT><BR>
-                        </P>
-                </TD>
-        </TR>
-</TABLE>
-<P CLASS="western" ALIGN=JUSTIFY><BR>Nb. If you installed MyProxy as
-<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">root</SPAN></FONT>,
-as root user change to <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/etc/grid-security</SPAN></FONT>
-where the certificates should be held.</P>
-<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
-        <COL WIDTH=610>
-        <TR>
-                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
-                        <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
-                        </P>
-                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
-                        grid-cert-request –host &lt;machine hostname&gt; -dir .</FONT></P>
+                        grid-cert-request –host &lt;fully qualified hostname&gt; </FONT>
+                        </P>
                         <P CLASS="western" ALIGN=LEFT><BR>
                         </P>
@@ -2017 +2198 @@
 <P CLASS="western" ALIGN=LEFT>This creates the files <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">hostcert.pem</FONT>,
 <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">hostkey.pem</FONT>
-and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">hostcert_request.pem</FONT>.
- <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">hostcert.pem</FONT>
+and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">hostcert_request.pem
+in /etc/grid-security directory</FONT>.  <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">hostcert.pem</FONT>
 is empty.  
 </P>
 <P CLASS="western" ALIGN=JUSTIFY>In order to obtain the certificate
-it must be signed by the NDG CA.  Contact the NDG CA forwarding
-<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">hostcert_request.pem</FONT>.
- The CA will issue a <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">hostcert.pem</FONT>
-file.  Copy this file into this directory i.e. <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$GLOBUS_LOCATION/etc</FONT>.
-  <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">hostcert_request.pem
-</FONT>is no longer needed and may be deleted if desired.</P>
-<H3 CLASS="western"><A NAME="4.6.6.MyProxy Configuration File|outline"></A>
-4.6.6MyProxy Configuration File</H3>
+it must be signed by the CA:  
+</P>
+<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
+        <COL WIDTH=596>
+        <TR>
+                <TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6">
+                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><BR>
+                        </P>
+                        <P LANG="fr-FR"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
+                        grid-ca-sign -in  /<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">etc/grid-security/hostcert_request.pem
+                         -out  /etc/grid-security/hostcert.pem </FONT></FONT>
+                        </P>
+                </TD>
+        </TR>
+</TABLE>
+<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
+</P>
+<P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">hostcert_request.pem
+</FONT>is no longer needed and can be deleted.</P>
+<H3 CLASS="western"><A NAME="4.7.6. MyProxy Configuration File|outline"></A>
+4.7.6 MyProxy Configuration File</H3>
 <P CLASS="western" ALIGN=JUSTIFY>A MyProxy configuration file is
 normally kept in the Globus installation under the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">etc</SPAN></FONT>
@@ -2050 +2244 @@
 <P CLASS="western" ALIGN=JUSTIFY><BR><BR>
 </P>
-<P CLASS="western" ALIGN=JUSTIFY>As the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">globus</FONT>
-user edit <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$GLOBUS_LOCATION/etc/myproxy-server.config</FONT></P>
-<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm">Modify the
-entries under the section <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Complete
+<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm">Edit
+<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$GLOBUS_LOCATION/etc/myproxy-server.config
+ m</FONT>odifying the entries under the section <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Complete
 Sample Policy</SPAN></FONT> so that they are all uncommented (remove
 leading <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">#
@@ -2074 +2267 @@
                         myproxy-server features.  See below for more examples.</FONT></P>
                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">accepted_credentials
-                         &quot;*&quot;</FONT></P>
+                               &quot;*&quot;</FONT></P>
                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">authorized_retrievers
-                        &quot;*&quot;</FONT></P>
+                               &quot;*&quot;</FONT></P>
                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">default_retrievers
-                           &quot;*&quot;</FONT></P>
+                                     &quot;*&quot;</FONT></P>
                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">authorized_renewers
-                          &quot;*&quot;</FONT></P>
+                                &quot;*&quot;</FONT></P>
                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">default_renewers
-                             &quot;none&quot;</FONT></P>
+                                      &quot;none&quot;</FONT></P>
                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">authorized_key_retrievers
                         &quot;*&quot;</FONT></P>
                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">default_key_retrievers
-                        &quot;none&quot;</FONT></P>
+                              &quot;none&quot;</FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">trusted_retrievers
+                                     “*”</FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">default_trusted_retrievers
+                        “none”</FONT></P>
                         <P><BR>
                         </P>
@@ -2096 +2293 @@
 <P CLASS="western" ALIGN=LEFT>Note that the wildcards for these
 fields may be modified such that only Distinguished Names of a given
-format may be accepted e.g. <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">&quot;/O=NDG/OU=BADC/*&quot;</SPAN></FONT></P>
-<H3 CLASS="western"><A NAME="4.6.7.Repository Directory|outline"></A>4.6.7Repository
-Directory</H3>
-<P CLASS="western" ALIGN=LEFT>A directory needs to be specified on
-the file system to store the user credentials generated by MyProxy. 
-This should be owned by the account that runs <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy-server</SPAN></FONT>.
- In the examples given this would be the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB"><FONT SIZE=2 STYLE="font-size: 9pt">globus</FONT></SPAN></FONT>
-user and the expected location, <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$GLOBUS_LOCATION/var</SPAN></FONT>.
-  See section 2.3.2 <I>MyProxy user account and repository location</I>.</P>
-<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm">Login as the
-<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">globus</SPAN></FONT>
-user and change directory to the location for the repository:</P>
-<P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
-</P>
-<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
-        <COL WIDTH=610>
-        <TR>
-                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
-                        <P STYLE="margin-bottom: 0cm"><BR>
-                        </P>
-                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
-                        cd $GLOBUS_LOCATION/var</FONT></P>
-                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
-                        mkdir myproxy</FONT></P>
-                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
-                        chmod 700 myproxy</FONT></P>
-                        <P><BR>
-                        </P>
-                </TD>
-        </TR>
-</TABLE>
-<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
-</P>
+format are accepted e.g. <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">&quot;/O=NDG/OU=BADC/*&quot;</SPAN></FONT></P>
 <P CLASS="western" ALIGN=JUSTIFY>The <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">chmod
 </SPAN></FONT>command ensures that only the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">globus</SPAN></FONT>
 user has read/write access for the directory.  Note also that the
 directory need not be called <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy</SPAN></FONT>.</P>
-<H3 CLASS="western"><A NAME="4.6.8.Adding MyProxy Server to the system start up|outline"></A>
-4.6.8Adding MyProxy Server to the system start up</H3>
+<H3 CLASS="western"><A NAME="4.7.7. MyProxy SimpleCA Configuration|outline"></A>
+4.7.7 MyProxy SimpleCA Configuration</H3>
+<P CLASS="western" ALIGN=LEFT>NDG Security uses MyProxy to
+dynamically generate user certificates on user login.  For this,
+MyProxy requires configuration details from the SimpleCA.  Make these
+settings in $GLOBUS_LOCATION/etc/myproxy-server.config (Note that the
+sensitivity of this information and the need to secure this file
+carefully!)</P>
+<OL>
+        <LI><P CLASS="western" ALIGN=JUSTIFY>enable any retriever –
+        retrieval is based on the retrievers login credentials:</P>
+        <TABLE WIDTH=593 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
+                <COL WIDTH=577>
+                <TR>
+                        <TD WIDTH=577 VALIGN=TOP BGCOLOR="#e0e0e0">
+                                <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
+                                </P>
+                                <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">authorized_retrievers
+                                &quot;*&quot;</FONT></P>
+                        </TD>
+                </TR>
+        </TABLE>
+        <P CLASS="western" ALIGN=JUSTIFY></P>
+        <LI><P CLASS="western" ALIGN=LEFT>Set the path to the CA
+        certificate.  In this example the CA is installed in the root user's
+        home directory:</P>
+</OL>
+<DL>
+        <DD>
+        <TABLE WIDTH=593 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
+                <COL WIDTH=577>
+                <TR>
+                        <TD WIDTH=577 VALIGN=TOP BGCOLOR="#e0e0e0">
+                                <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
+                                </P>
+                                <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">certificate_issuer_cert
+                                /root/.globus/simpleCA/cacert.pem</FONT></P>
+                        </TD>
+                </TR>
+        </TABLE>
+</DL>
+<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
+</P>
+<OL START=3>
+        <LI><P CLASS="western" ALIGN=LEFT>Set the path to the CA private
+        key: 
+        </P>
+        <TABLE WIDTH=593 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
+                <COL WIDTH=577>
+                <TR>
+                        <TD WIDTH=577 VALIGN=TOP BGCOLOR="#e0e0e0">
+                                <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
+                                </P>
+                                <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">certificate_issuer_key
+                                /root/.globus/simpleCA/private/cakey.pem</FONT></P>
+                        </TD>
+                </TR>
+        </TABLE>
+        <P CLASS="western" ALIGN=JUSTIFY></P>
+        <LI><P CLASS="western" ALIGN=LEFT>Provide the password to the CA's
+        private key.  (This was set when you created the SimpleCA with
+        $GLOBUS_LOCATION/setup/globus/setup-simple-ca):</P>
+        <TABLE WIDTH=593 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
+                <COL WIDTH=577>
+                <TR>
+                        <TD WIDTH=577 VALIGN=TOP BGCOLOR="#e0e0e0">
+                                <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
+                                </P>
+                                <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">certificate_issuer_key_passphrase
+                                &quot;password&quot;</FONT></P>
+                        </TD>
+                </TR>
+        </TABLE>
+        <P CLASS="western" ALIGN=JUSTIFY></P>
+        <LI><P CLASS="western" ALIGN=JUSTIFY>Set the path to the certificate
+        serial file</P>
+        <TABLE WIDTH=593 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
+                <COL WIDTH=577>
+                <TR>
+                        <TD WIDTH=577 VALIGN=TOP BGCOLOR="#e0e0e0">
+                                <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><BR>certificate_serialfile
+                                /root/.globus/simpleCA/serial </FONT>
+                                </P>
+                        </TD>
+                </TR>
+        </TABLE>
+        <P CLASS="western" ALIGN=JUSTIFY></P>
+        <LI><P CLASS="western" ALIGN=JUSTIFY>Configure how MyProxy maps
+        usernames to Distinguished Names in generated certificates. This can
+        be done either with a grid mapfile or a script.  A script is more
+        flexible as you can use a wildcard match rather requiring a map
+        entry for every single user.  An example script is:</P>
+        <TABLE WIDTH=593 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
+                <COL WIDTH=577>
+                <TR>
+                        <TD WIDTH=577 VALIGN=TOP BGCOLOR="#e0e0e0">
+                                <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
+                                </P>
+                                <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#!/bin/sh<BR>username=$1<BR>if
+                                [ X&quot;$username&quot; = X ]; then<BR>    # no username given<BR>
+                                   exit 1<BR>fi<BR>echo
+                                &quot;/O=NDG/OU=Gabriel/OU=BADC/CN=${username}&quot;</FONT></P>
+                                <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">exit
+                                0</FONT></P>
+                        </TD>
+                </TR>
+        </TABLE>
+        <P CLASS="western" ALIGN=LEFT><BR>In the example above, if a user
+        logs in as pjkershaw, they will be issued with a certificate with
+        the Distinguished Name /O=NDG/OU=Gabriel/OU=BADC/CN=pjkershaw. Copy
+        the file above file into $GLOBUS_LOCATION/sbin/mapper.sh replacing
+        “/O=NDG/OU=Gabriel/OU=BADC/CN=” with the form of the
+        Distinguished Name that you require for users for your site.  Ensure
+        that the file has execute permissions set e.g.<BR><BR><BR>
+        </P>
+        <TABLE WIDTH=593 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
+                <COL WIDTH=577>
+                <TR>
+                        <TD WIDTH=577 VALIGN=TOP BGCOLOR="#e0e0e0">
+                                <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
+                                </P>
+                                <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
+                                chmod 700 $GLOBUS_LOCATION/sbin/mapper.sh</FONT></P>
+                                <P CLASS="western" ALIGN=LEFT><BR>
+                                </P>
+                        </TD>
+                </TR>
+        </TABLE>
+        <P CLASS="western" ALIGN=LEFT><BR>Refer to the script in
+        $GLOBUS_LOCATION/etc/myproxy-server.config with this setting:</P>
+        <TABLE WIDTH=593 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
+                <COL WIDTH=577>
+                <TR>
+                        <TD WIDTH=577 VALIGN=TOP BGCOLOR="#e0e0e0">
+                                <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><BR>certificate_mapapp
+                                /usr/local/globus-4.0.5/sbin/mapper.sh</FONT></P>
+                        </TD>
+                </TR>
+        </TABLE>
+        <P CLASS="western" ALIGN=LEFT></P>
+</OL>
+<H3 CLASS="western"><A NAME="4.7.8. MyProxy PAM Configuration|outline"></A>
+4.7.8 MyProxy PAM Configuration</H3>
+<P CLASS="western" ALIGN=JUSTIFY>Reference:
+<A HREF="http://grid.ncsa.uiuc.edu/myproxy/pam.html">http://grid.ncsa.uiuc.edu/myproxy/pam.html</A></P>
+<P CLASS="western" ALIGN=JUSTIFY>NDG Security makes use of MyProxy
+with PAM to enable MyProxy logon requests to be authenticated against
+a site's existing security infrastructure, for example a user
+database or LDAP repository.   Linux systems have PAMs for login, ssh
+and other services.   PAMs can be obtained for the major database
+varieties such as MySQL, Postgres and Oracle.</P>
+<P CLASS="western">To configure MyProxy for PAM, settings are made
+via myproxy-server.config to two different fields:</P>
+<UL>
+        <LI><P CLASS="western">pam: may be set to disabled, “required”
+        or “sufficient”.   Set to “required”.  With this setting,
+        all MyProxy logon requests will be authenticated via PAM.   The
+        “sufficient” setting may be useful in some circumstances.  It
+        enables authentication via PAM and via credentials held in the
+        MyProxy repository.</P>
+        <LI><P CLASS="western">pam_id: name that MyProxy uses to identify
+        itself to PAM.   This can correspond either to a file of the same
+        name in /etc/pam.d or entries prefixed with that name in
+        /etc/pam.conf.  This setting determines the PAM used by MyProxy to
+        authenticate.  
+        </P>
+</UL>
+<P CLASS="western">The most straightforward way to set-up MyProxy
+with PAM is to try one of the existing PAMs such as login.  If the
+pam_id is set to login, a myproxy-logon request will link to that
+user's Linux login.</P>
+<P CLASS="western">Appendices are provided at the end of this
+document for some of the more common configurations.</P>
+<H3 CLASS="western"><A NAME="4.7.9. Testing MyProxy|outline"></A>4.7.9
+Testing MyProxy</H3>
+<P CLASS="western" ALIGN=JUSTIFY>A simple way to test the MyProxy
+configuration to run the myproxy-logon client command.  For initial
+testing set the pam_id in $GLOBUS_LOCATION/etc/myproxy-server.config
+to “logon” so that it uses the Linux user accounts for
+authentication.</P>
+<P CLASS="western" ALIGN=JUSTIFY>Client error messages can be
+difficult to interpret but a -v verbose option is provided to give
+more information.   In addition, MyProxy server can be run in debug
+mode using the -d command line switch.   MyProxy should be run under
+the user account in which it was installed - root.   Ensure that the
+environment is set correctly i.e. GLOBUS_LOCATION variable set and
+$GLOBUS_LOCATION/etc/globus-user-env.sh has been sourced<SPAN LANG="pt-PT"><FONT SIZE=2>:</FONT></SPAN></P>
+<TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
+        <COL WIDTH=602>
+        <TR>
+                <TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0">
+                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><BR>
+                        </P>
+                        <P LANG="fr-FR"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
+                        export GLOBUS_LOCATION=/usr/local/globus-4.0.5<BR>$ export
+                        GPT_LOCATION=$GLOBUS_LOCATION<BR>$ .
+                        $GLOBUS_LOCATION/etc/globus-user-env.sh</FONT></P>
+                </TD>
+        </TR>
+</TABLE>
+<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
+</P>
+<P CLASS="western" ALIGN=JUSTIFY>If you already have MyProxy running
+via xinetd or as a process started from a SysV init script, it is
+possible to run a separate MyProxy server process on a different port
+with the -p flag.</P>
+<TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
+        <COL WIDTH=602>
+        <TR>
+                <TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0">
+                        <P STYLE="margin-bottom: 0cm"><BR>
+                        </P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
+                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy-server
+                        -d -v -p 60000</SPAN></FONT></FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy-server
+                        v3.7 12 Dec 2006 PAM starting at Fri Dec 21 12:45:59 2007</SPAN></FONT></FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">reading
+                        configuration file
+                        /usr/local/globus-4.0.5/etc/myproxy-server.config</SPAN></FONT></FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">CA
+                        enabled</SPAN></FONT></FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">using
+                        storage directory /var/myproxy</SPAN></FONT></FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Starting
+                        myproxy-server on localhost: 60000...</SPAN></FONT></FONT></P>
+                        <P><BR>
+                        </P>
+                </TD>
+        </TR>
+</TABLE>
+<P CLASS="western" ALIGN=LEFT><BR><BR>
+</P>
+<P CLASS="western" ALIGN=LEFT>Note that in debug mode, myproxy-server
+will exit after the first request made to it.</P>
+<P CLASS="western" ALIGN=LEFT>Run myproxy-logon in a separate window
+under a user account for which you know the Linux password.  Provide
+the port number if myproxy-server was started on a different port to
+the default and give the full name of the server as set in the host
+certificate (/etc/grid-security/hostcert.pem)</P>
+<TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
+        <COL WIDTH=602>
+        <TR>
+                <TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0">
+                        <P STYLE="margin-bottom: 0cm"><BR>
+                        </P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
+                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy-logon
+                        -v -s &lt;fully qualified server hostname&gt; -p 60000</SPAN></FONT></FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">MyProxy
+                        v3.7 12 Dec 2006 PAM</SPAN></FONT></FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Attempting
+                        to connect to 127.0.0.1:60000</SPAN></FONT></FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Enter
+                        MyProxy pass phrase:</SPAN></FONT></FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">using
+                        trusted certificates directory /etc/grid-security/certificates</SPAN></FONT></FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">no
+                        valid credentials found -- performing anonymous authentication</SPAN></FONT></FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">server
+                        name: /O=NDG/OU=Gabriel/OU=BADC/CN=gabriel&lt;&gt;</SPAN></FONT></FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">checking
+                        that server name is acceptable...</SPAN></FONT></FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">server
+                        name does not match &quot;myproxy@gabriel&lt;&gt;&quot;</SPAN></FONT></FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">server
+                        name matches &quot;host@gabriel&lt;&gt;&quot;</SPAN></FONT></FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">authenticated
+                        server name is acceptable</SPAN></FONT></FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">A
+                        credential has been received for user pjkershaw in
+                        /tmp/x509up_u1000.</SPAN></FONT></FONT></P>
+                        <P><BR>
+                        </P>
+                </TD>
+        </TR>
+</TABLE>
+<P CLASS="western" ALIGN=LEFT><BR><BR>
+</P>
+<P CLASS="western" ALIGN=LEFT>The equivalent output from the server
+will be something like:</P>
+<TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
+        <COL WIDTH=602>
+        <TR>
+                <TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0">
+                        <P STYLE="margin-bottom: 0cm"><BR>
+                        </P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Connection
+                        from 127.0.0.1</SPAN></FONT></FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">using
+                        trusted certificates directory /etc/grid-security/certificates</SPAN></FONT></FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Authenticated
+                        client &lt;anonymous&gt;</SPAN></FONT></FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">applying
+                        trusted_retrievers policy</SPAN></FONT></FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">applying
+                        authorized_retrievers policy</SPAN></FONT></FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">applying
+                        authorized_renewers policy</SPAN></FONT></FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">user_dn_lookup()</SPAN></FONT></FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">resolve_via_mapapp(/usr/local/globus-4.0.5/sbin/mapper.sh,
+                        pjkershaw)</SPAN></FONT></FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Checking
+                        passphrase via PAM.  PAM policy: &quot;sufficient&quot;; PAM ID:
+                        &quot;logon&quot;</SPAN></FONT></FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">PAM
+                        authentication succeeded for pjkershaw</SPAN></FONT></FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Received
+                        GET request from &lt;anonymous&gt;</SPAN></FONT></FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Sending
+                        OK response to client &lt;anonymous&gt;</SPAN></FONT></FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">using
+                        CA callout</SPAN></FONT></FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Calling
+                        CA Extensions</SPAN></FONT></FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">handle_certificate()</SPAN></FONT></FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Cert
+                        request loaded.</SPAN></FONT></FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Got
+                        a cert request for user &quot;pjkershaw&quot;, with pubkey hash
+                        &quot;282944311&quot;, and lifetime &quot;43200&quot;</SPAN></FONT></FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Using
+                        internal openssl/generate_certificate() code</SPAN></FONT></FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Generating
+                        certificate internally.</SPAN></FONT></FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">user_dn_lookup()</SPAN></FONT></FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">using
+                        cached value</SPAN></FONT></FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">tokenizing:
+                        /O=NDG/OU=BADC/OU=Gabriel/CN=pjkershaw</SPAN></FONT></FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">adding:
+                        O = NDG</SPAN></FONT></FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">adding:
+                        OU = BADC</SPAN></FONT></FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">adding:
+                        OU = Gabriel</SPAN></FONT></FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">adding:
+                        CN = pjkershaw</SPAN></FONT></FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Assigning
+                        serial number</SPAN></FONT></FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Loaded
+                        serial number F6 from /root/.globus/simpleCA/serial</SPAN></FONT></FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">serial
+                        number assigned</SPAN></FONT></FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">cert
+                        lifetime: 43200</SPAN></FONT></FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">CAkey:
+                        /root/.globus/simpleCA/private/cakey.pem</SPAN></FONT></FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Signing
+                        internally generated certificate.</SPAN></FONT></FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Issued
+                        certificate for user &quot;pjkershaw&quot;, with DN
+                        &quot;/O=NDG/OU=BADC/OU=Gabriel/CN=pjkershaw&quot;, lifetime
+                        &quot;43200&quot;, and serial number &quot;246&quot;</SPAN></FONT></FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Sending
+                        OK response to client &lt;anonymous&gt;</SPAN></FONT></FONT></P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Client
+                        &lt;anonymous&gt; disconnected</SPAN></FONT></FONT></P>
+                        <P><BR>
+                        </P>
+                </TD>
+        </TR>
+</TABLE>
+<P CLASS="western" ALIGN=LEFT><BR><BR>
+</P>
+<P CLASS="western" ALIGN=LEFT>The certificate and private key are
+written to file in /tmp by myproxy-logon.   This takes the form
+x509up_&lt;uid&gt;.   It's possible to check the certificate
+generated using openssl e.g.:</P>
+<TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
+        <COL WIDTH=602>
+        <TR>
+                <TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0">
+                        <P STYLE="margin-bottom: 0cm"><BR>
+                        </P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$
+                        openssl -in /tmp/x509up_1001 -text</SPAN></FONT></FONT></P>
+                        <P><BR>
+                        </P>
+                </TD>
+        </TR>
+</TABLE>
+<P CLASS="western" ALIGN=LEFT><BR>The output includes details
+including the certificate's DN, issuer and expiry time.   If you wish
+to run the test again delete or move this file as myproxy-logon will
+try to use it to authenticate to the MyProxy server.</P>
+<P CLASS="western" ALIGN=LEFT>If you encounter problems check the
+output from the client and server. commands.  The system logs may
+contain useful additional information from the PAM used.</P>
+<P CLASS="western" ALIGN=LEFT>The Python MyProxy client unit tests
+can be used to test the server from a separate client machine where
+Python NDG services are installed but not MyProxy itself.   The
+MyProxy unit tests are in the package ndg.security.test.myProxy.</P>
+<H3 CLASS="western"><A NAME="4.7.10. Adding MyProxy Server to the system start up|outline"></A>
+4.7.10 Adding MyProxy Server to the system start up</H3>
 <P CLASS="western" ALIGN=JUSTIFY>Any of the standard mechanisms may
 be used such as adding a SysV style init script or using <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">inetd</SPAN></FONT>
@@ -2155 +2713 @@
 <BR>
 </P>
-<H4 CLASS="western"><A NAME="_Ref143089522"></A>4.6.8.1inetd / xinetd</H4>
+<H4 CLASS="western"><A NAME="_Ref143089522"></A>4.7.10.1 inetd /
+xinetd</H4>
 <P CLASS="western" ALIGN=LEFT>To run the myproxy server using <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">inetd
 </SPAN></FONT>or <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">xinetd</SPAN></FONT>,
@@ -2177 +2736 @@
                                 </P>
                                 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">myproxy-server
-                                 7512/tcp                        # Myproxy server</FONT></P>
+                                 7512/tcp                        # MyProxy server</FONT></P>
                                 <P><BR>
                                 </P>
@@ -2187 +2746 @@
 </P>
 <UL>
-        <LI><P CLASS="western" ALIGN=LEFT>Add the entries from
+        <LI VALUE=1><P CLASS="western" ALIGN=LEFT>Add the entries from
         <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$GLOBUS_LOCATION/share/myproxy/etc.inetd.conf.modifications</SPAN></FONT></P>
         <UL>
@@ -2223 +2782 @@
                                       = /usr/local/NDG/globus-4.0.1/sbin/myproxy-server</FONT></FONT></P>
                                 <P LANG="pt-PT" STYLE="margin-bottom: 0cm">  <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">env   
-                                        = GLOBUS_LOCATION=/usr/local/NDG/globus-4.0.1
-                                LD_LIBRARY_PATH=/usr/local/NDG/globus-4.0.1/lib</FONT></FONT></P>
+                                        = GLOBUS_LOCATION=/usr/local/globus-4.0.5
+                                LD_LIBRARY_PATH=/usr/local/globus-4.0.5/lib</FONT></FONT></P>
                                 <P STYLE="margin-bottom: 0cm">  <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">disable
                                      = no</FONT></FONT></P>
@@ -2237 +2796 @@
 </P>
 <UL>
-        <LI><P CLASS="western" ALIGN=LEFT>Note also, the additional setting
-        in this example for <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">only_from</SPAN></FONT>.
+        <LI VALUE=1><P CLASS="western" ALIGN=LEFT>Note also, the additional
+        setting in this example for <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">only_from</SPAN></FONT>.
          This a limit to be placed on which hosts clients can connect from
         to the server.  In the above, clients can connect from the local
         machine (note the fully qualified name including <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">localdomain</SPAN></FONT>)
         and from the hosts <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">&lt;hostAddress1&gt;
-        </SPAN></FONT>and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">&lt;hostAddress2&gt;</SPAN></FONT>.</P>
+        </SPAN></FONT>and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">&lt;hostAddress2&gt;</SPAN></FONT>.
+          Care must be taken with these settings.  Client requests will exit
+        with an SSL error if set incorrectly.</P>
         <LI><P CLASS="western" ALIGN=LEFT>Reactivate the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">inetd</SPAN></FONT>
         / <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">xinetd</SPAN></FONT>.
@@ -2253 +2814 @@
         man page for your system.</P>
 </UL>
-<H4 CLASS="western">4.6.8.2SysV-style boot script 
+<H4 CLASS="western">4.7.10.2 SysV-style boot script 
 </H4>
 <P CLASS="western" ALIGN=LEFT>A sample SysV-style boot script for is
@@ -2283 +2844 @@
 </SPAN></FONT>environment variable correctly.  
 </P>
-<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
+<P CLASS="western" ALIGN=LEFT><BR><BR>
 </P>
 <H1 CLASS="western"><A NAME="5.Appendices|outline"></A>5.Appendices</H1>
-<H2 CLASS="western"><A NAME="_Ref133718491"></A><A NAME="5.1.MySQL Installation|outline"></A>
-5.1MySQL Installation</H2>
-<P CLASS="western" ALIGN=JUSTIFY>MySQL is required for the Credential
-Repository used by the SessionManager to stored user credentials as
-cached in their Credential Wallet held in their session.</P>
+<H2 CLASS="western"><A NAME="5.1. Postgres PAM for MyProxy|outline"></A>
+5.1 Postgres PAM for MyProxy</H2>
+<P CLASS="western" ALIGN=JUSTIFY>This section is intended to provide
+the information needed to enable MyProxy to authenticate against
+tables in a Postgres database.  Before, making these settings ensure
+that MyProxy is fully installed following the steps outlined in the
+MyProxy section.  It's recommended to try out MyProxy with an
+existing PAM such as “logon” first to ensure it is working.  See
+the section <I>Testing MyProxy</I>.</P>
+<P CLASS="western" ALIGN=JUSTIFY>Obtain and install the latest
+libpam_pgsql.  This can be installed from Debian or RPM packages or
+from source.   For NDG Security, version 0.5.2-9 Debian and 0.6.3
+source distributions have been tested.  Check the documentation in
+the source tar ball for details of Postgres version requirements.  
+</P>
+<H3 CLASS="western"><A NAME="5.1.1. Configuration|outline"></A>5.1.1
+Configuration</H3>
+<P CLASS="western" ALIGN=JUSTIFY>Depending on your native system
+create either a /etc/pam.d/myproxy file or the relevant entry in
+/etc/pam.conf 
+</P>
+<P CLASS="western" ALIGN=JUSTIFY>For /etc/pam.d/myproxy:</P>
+<TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
+        <COL WIDTH=602>
+        <TR>
+                <TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0">
+                        <P STYLE="margin-bottom: 0cm"><BR>
+                        </P>
+                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">auth  
+                              required   pam_pgsql.so <BR>account    required  
+                        pam_pgsql.so<BR><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">password
+                        required   pam_pgsql.so</SPAN></FONT></FONT></P>
+                </TD>
+        </TR>
+</TABLE>
+<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
+</P>
+<P CLASS="western" ALIGN=JUSTIFY>or /etc/pam.conf:</P>
+<TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
+        <COL WIDTH=602>
+        <TR>
+                <TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0">
+                        <P STYLE="margin-bottom: 0cm"><BR>
+                        </P>
+                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">myproxy
+                        auth         required   pam_pgsql.so <BR>myproxy account   
+                        required   pam_pgsql.so<BR>myproxy <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">password
+                        required   pam_pgsql.so</SPAN></FONT></FONT></P>
+                </TD>
+        </TR>
+</TABLE>
+<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
+</P>
+<P CLASS="western" ALIGN=JUSTIFY>Configure the database, and table
+the module should use with the configuration file
+/etc/pam_pgsql.conf. e.g.</P>
+<TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
+        <COL WIDTH=602>
+        <TR>
+                <TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0">
+                        <P STYLE="margin-bottom: 0cm"><BR>
+                        </P>
+                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">database
+                        = userdb<BR>user = admin<BR>password = adminpassword<BR>table =
+                        account<BR>user_column = username<BR>pwd_column = password<BR>pw_type
+                        = md5<BR><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">debug</SPAN></FONT></FONT></P>
+                </TD>
+        </TR>
+</TABLE>
+<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
+</P>
+<P CLASS="western" ALIGN=JUSTIFY>In the above example, password in
+the database table “account” are MD5 encrypted.   This field can
+also be set to Crypt or left out altogether if passwords are
+unencrypted.</P>
+<P CLASS="western" ALIGN=JUSTIFY>Restart MyProxy and test it using
+the myproxy-logon client command as outlined in the section <I>Testing
+MyProxy.</I><SPAN STYLE="font-style: normal">   To specify a database
+account name use the -l flag.  If this omitted then the Linux account
+name is assumed e.g.</SPAN></P>
+<TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
+        <COL WIDTH=602>
+        <TR>
+                <TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0">
+                        <P STYLE="margin-bottom: 0cm"><BR>
+                        </P>
+                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$
+                        myproxy-logon -v -p 60000 -l mydbaccountid</SPAN></FONT></FONT></P>
+                </TD>
+        </TR>
+</TABLE>
+<P CLASS="western"><BR>Consult the myproxy-logon and myproxy-server
+output and the system logs to trouble shoot errors.</P>
+<H2 CLASS="western"><A NAME="_Ref133718491"></A><A NAME="5.2. MySQL Installation|outline"></A>
+5.2 MySQL Installation</H2>
+<P CLASS="western" ALIGN=JUSTIFY>MySQL can be used to implement a
+Credential Repository for the SessionManager to stored user
+credentials as cached in their Credential Wallet held in their
+session.</P>
 <P CLASS="western" ALIGN=JUSTIFY>This section describes how to make
 an installation from the MySQL binary package tarball.   System
@@ -2299 +2954 @@
 instructions are adapted from the file <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">INSTALL-BINARY</SPAN></FONT>
 provided in the tarball.</P>
-<H3 CLASS="western"><A NAME="5.1.1.Version|outline"></A>5.1.1Version</H3>
+<H3 CLASS="western"><A NAME="5.2.1.Version|outline"></A>5.2.1Version</H3>
 <P CLASS="western" ALIGN=LEFT>Version 3.23 or later is recommended. 
 These instructions are for version 5.0.20a, the latest stable release
 at time of writing.</P>
-<H3 CLASS="western"><A NAME="5.1.2.Getting the Binaries|outline"></A>5.1.2Getting
-the Binaries</H3>
+<H3 CLASS="western"><A NAME="5.2.2. Getting the Binaries|outline"></A>
+5.2.2 Getting the Binaries</H3>
 <P CLASS="western" ALIGN=LEFT>The package can be obtained from the
 MySQL web site (<FONT COLOR="#0000ff"><U><A HREF="http://dev.mysql.com/downloads/mysql/5.0.html">http://dev.mysql.com/downloads/mysql/5.0.html</A></U></FONT>).
@@ -2321 +2976 @@
 <P CLASS="western" ALIGN=LEFT><BR><BR>
 </P>
-<H3 CLASS="western"><A NAME="5.1.3.New mysql User Account|outline"></A>
-5.1.3New <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB"><I>mysql</I></SPAN></FONT>
+<H3 CLASS="western"><A NAME="5.2.3. New mysql User Account|outline"></A>
+5.2.3 New <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB"><I>mysql</I></SPAN></FONT>
 User Account</H3>
 <P CLASS="western" ALIGN=JUSTIFY>Make a new account to run MySQL if
@@ -2337 +2992 @@
 <P CLASS="western" ALIGN=JUSTIFY><BR><BR>
 </P>
-<H3 CLASS="western"><A NAME="5.1.4.Unpacking the tarball|outline"></A>
-5.1.4Unpacking the tarball</H3>
+<H3 CLASS="western"><A NAME="5.2.4. Unpacking the tarball|outline"></A>
+5.2.4 Unpacking the tarball</H3>
 <P CLASS="western" ALIGN=LEFT>As root copy the tarball to the target
 directory for installation e.g. /usr/local, unpack the file:</P>
@@ -2375 +3030 @@
 properly. 
 </P>
-<H3 CLASS="western"><A NAME="5.1.5.Configuration File|outline"></A>5.1.5Configuration
-File</H3>
+<H3 CLASS="western"><A NAME="5.2.5. Configuration File|outline"></A>5.2.5
+Configuration File</H3>
 <P CLASS="western" ALIGN=JUSTIFY>Create a configuration file called
 <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">my.cnf</SPAN></FONT>
@@ -2419 +3074 @@
 MySQL’s tables and the Credential Repository database will be
 stored under <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/usr/local/mysql/data</SPAN></FONT>.</P>
-<H3 CLASS="western"><A NAME="5.1.6.Create the Grant Tables|outline"></A>
-5.1.6Create the Grant Tables</H3>
+<H3 CLASS="western"><A NAME="5.2.6. Create the Grant Tables|outline"></A>
+5.2.6 Create the Grant Tables</H3>
 <P CLASS="western" ALIGN=LEFT>The <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">scripts</SPAN></FONT>
 directory contains the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">mysql_install_db</SPAN></FONT>
@@ -2445 +3100 @@
 can omit the -user option.  After creating or updating the grant
 tables, you need to restart the server manually.</P>
-<H3 CLASS="western"><A NAME="5.1.7.File and Directory Permissions|outline"></A>
-5.1.7File and Directory Permissions</H3>
+<H3 CLASS="western"><A NAME="5.2.7. File and Directory Permissions|outline"></A>
+5.2.7 File and Directory Permissions</H3>
 <P CLASS="western" ALIGN=LEFT>Change the ownership of program
 binaries to <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">root</SPAN></FONT>
@@ -2470 +3125 @@
 user. The third changes the group attribute to the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">mysql</SPAN></FONT>
 group.</P>
-<H3 CLASS="western"><A NAME="5.1.8.Starting the Server|outline"></A>5.1.8Starting
-the Server</H3>
+<H3 CLASS="western"><A NAME="5.2.8. Starting the Server|outline"></A>5.2.8
+Starting the Server</H3>
 <P CLASS="western" ALIGN=LEFT>If you want MySQL to start
 automatically when you boot your machine, you can copy
@@ -2499 +3154 @@
 file in the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">data</SPAN></FONT>
 directory.</P>
-<H3 CLASS="western"><A NAME="_Ref133893123"></A><A NAME="5.1.9.Securing MySQL Accounts|outline"></A>
-5.1.9Securing MySQL Accounts</H3>
+<H3 CLASS="western"><A NAME="_Ref133893123"></A><A NAME="5.2.9. Securing MySQL Accounts|outline"></A>
+5.2.9 Securing MySQL Accounts</H3>
 <P CLASS="western" ALIGN=JUSTIFY>To delete the anonymous accounts:</P>
 <TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
@@ -2594 +3249 @@
 the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">bin/mysql_setpermission</SPAN></FONT>
 script if you install the `DBI' and `DBD::mysql' Perl modules.</P>
-<P CLASS="western" ALIGN=LEFT>See section 4.3.1 for details about
+<P CLASS="western" ALIGN=LEFT>See section 4.4.1 for details about
 creation of the Credential Repository database.</P>
-<H3 CLASS="western"><A NAME="5.1.10.Server Automated Start up|outline"></A>
-5.1.10Server Automated Start up</H3>
+<H3 CLASS="western"><A NAME="5.2.10. Server Automated Start up|outline"></A>
+5.2.10 Server Automated Start up</H3>
 <P CLASS="western" ALIGN=JUSTIFY>&lt;todo: &gt;</P>
 <P CLASS="western" ALIGN=LEFT><BR><BR>
 </P>
-<H2 CLASS="western"><A NAME="5.2.HTTPS set-up with Apache Web Server|outline"></A>
-5.2HTTPS set-up with Apache Web Server</H2>
+<H2 CLASS="western"><A NAME="5.3. HTTPS set-up with Apache Web Server|outline"></A>
+5.3 HTTPS set-up with Apache Web Server</H2>
 <P CLASS="western" ALIGN=JUSTIFY>NDG security requires HTTPS for the
 transfer of user credentials across cookie domains between a data
@@ -2609 +3264 @@
 <P CLASS="western" ALIGN=JUSTIFY>&lt;todo: full explanation - incl.
 mod_ssl must be installed&gt;</P>
-<H3 CLASS="western"><A NAME="5.2.1.Web Server Host Certificate Generation|outline"></A>
-5.2.1Web Server Host Certificate Generation</H3>
+<H3 CLASS="western"><A NAME="5.3.1. Web Server Host Certificate Generation|outline"></A>
+5.3.1 Web Server Host Certificate Generation</H3>
+<P CLASS="western" ALIGN=JUSTIFY>Generate a new private key and
+certificate request.</P>
 <TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
         <COL WIDTH=605>
@@ -2617 +3274 @@
                         <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR>
                         </P>
+                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
+                        openssl genrsa –out server.key 2048</FONT></P>
                         <P STYLE="margin-bottom: 0cm"><A NAME="OLE_LINK1"></A><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
-                        grid-cert-request -prefix <I>&lt;hostname&gt;</I> -dir . -cn
-                        <I>&lt;hostname&gt;</I> -nopw </FONT>
-                        </P>
+                        openssl req –new –key server.key –out server.csr</FONT></P>
                         <P><BR>
                         </P>
@@ -2628 +3285 @@
 <P CLASS="western" ALIGN=JUSTIFY><BR><BR>
 </P>
-<H3 CLASS="western"><A NAME="5.2.2.Apache Configuration File Settings|outline"></A>
-5.2.2Apache Configuration File Settings</H3>
-<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
-</P>
-<H2 CLASS="western"><A NAME="_Ref132181551"></A><A NAME="5.3.Apache Web Server Proxy Settings Configuration for Web Services|outline"></A>
-5.3Apache Web Server Proxy Settings Configuration for Web Services</H2>
+<P CLASS="western" ALIGN=JUSTIFY>Send the certificate request to the
+relevant CA (NDG if appropriate) for signing.</P>
+<H3 CLASS="western"><A NAME="5.3.2.Apache Configuration File Settings|outline"></A>
+5.3.2Apache Configuration File Settings</H3>
+<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
+</P>
+<H2 CLASS="western"><A NAME="_Ref132181551"></A><A NAME="5.4. Apache Web Server Proxy Settings Configuration for Web Services|outline"></A>
+5.4 Apache Web Server Proxy Settings Configuration for Web Services</H2>
 <P CLASS="western" ALIGN=JUSTIFY>Apache provides a convenient
 mechanism to re-route web service ports through port 80 and so make
@@ -2661 +3320 @@
                         Session Manager and Attribute Authority settings</FONT></P>
                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">ProxyPass
-                               /sessionMgr    https://localhost:5700/</FONT></P>
+                               /sessionMgr    https://localhost:5700</FONT></P>
                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">ProxyPassReverse
-                        /sessionMgr    https://localhost:5700/</FONT></P>
+                        /sessionMgr    https://localhost:5700</FONT></P>
                         <P STYLE="margin-bottom: 0cm"><BR>
                         </P>
                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">ProxyPass
-                               /attAuthority  http://localhost:5000/</FONT></P>
+                               /attAuthority  http://localhost:5000</FONT></P>
                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">ProxyPassReverse
-                        /attAuthority  http://localhost:5000/</FONT></P>
+                        /attAuthority  http://localhost:5000</FONT></P>
                         <P CLASS="western" ALIGN=LEFT><BR>
                         </P>
@@ -2765 +3424 @@
 location=”
”&gt;</SPAN></FONT> 
 </P>
-<H2 CLASS="western"><A NAME="5.4.An Example Attribute Authority AAUserRoles interface class|outline"></A>
-5.4An Example Attribute Authority AAUserRoles interface class</H2>
+<H2 CLASS="western"><A NAME="5.5.An Example Attribute Authority AAUserRoles interface class|outline"></A>
+5.5An Example Attribute Authority AAUserRoles interface class</H2>
 <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">This
 interface is required in order to link the Attribute Authority to the
@@ -2778 +3437 @@
 methods:</P>
 <UL>
-        <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">userIsRegistered()</SPAN></FONT>
+        <LI VALUE=1><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">userIsRegistered()</SPAN></FONT>
         – returns True if the user with the given input Distinguished Name
         is registered at the site.  This method might contain an SQL query
@@ -3218 +3877 @@
 <P CLASS="western" ALIGN=JUSTIFY><BR><BR>
 </P>
-<H2 CLASS="western"><A NAME="5.5.Troubleshooting|outline"></A>5.5Troubleshooting</H2>
-<H3 CLASS="western"><A NAME="5.5.1.M2Crypto SWIG Build Error|outline"></A>
-5.5.1M2Crypto SWIG Build Error</H3>
+<H2 CLASS="western"><A NAME="5.6.Troubleshooting|outline"></A>5.6
+Troubleshooting</H2>
+<H3 CLASS="western"><A NAME="5.6.1.M2Crypto |outline"></A>5.6.1
+M2Crypto 
+</H3>
+<H4 CLASS="western">5.6.1.1SWIG Version too Old</H4>
 <P CLASS="western" ALIGN=JUSTIFY>M2Crypto uses SWIG to bind C OpenSSL
 library code to the Python interface.  Compilation errors with swig
@@ -3243 +3905 @@
 <P CLASS="western" ALIGN=JUSTIFY><BR><BR>
 </P>
-<P CLASS="western" ALIGN=JUSTIFY>To fix update to a version &gt; 1.1
-and re-run the installation script.  SWIG is available from
-<FONT COLOR="#0000ff"><U><A HREF="http://www.swig.org/">http://www.swig.org/</A></U></FONT></P>
-<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
-</P>
-<H3 CLASS="western"><A NAME="5.5.2.PyXML|outline"></A>5.5.2PyXML</H3>
+<P CLASS="western" ALIGN=JUSTIFY>Some version will build OK but then
+cause runtime errors e.g.</P>
+<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
+        <COL WIDTH=610>
+        <TR>
+                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
+                        <P STYLE="margin-bottom: 0cm"><BR>
+                        </P>
+                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">File
+                        &quot;.../M2Crypto/SSL/Context.py&quot;, line 43, in __init__
+                        map()[long(self.ctx)] = self ValueError: invalid literal for
+                        long(): _480e1008_p_SSL_CTX </FONT>
+                        </P>
+                </TD>
+        </TR>
+</TABLE>
+<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
+</P>
+<P CLASS="western" ALIGN=JUSTIFY>To fix update to a version &gt;=
+1.3.24 and re-run the installation script but also make sure to read
+the next section.  SWIG is available from <FONT COLOR="#0000ff"><U><A HREF="http://www.swig.org/">http://www.swig.org/</A></U></FONT></P>
+<H4 CLASS="western">5.6.1.2 SWIG and Py_ssize_t build error</H4>
+<P CLASS="western" ALIGN=JUSTIFY>The combination SWIG version
+1.3.30rc1 and Python &lt; 2.5 can cause a build error:</P>
+<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
+        <COL WIDTH=610>
+        <TR>
+                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
+                        <P STYLE="margin-bottom: 0cm"><BR>
+                        </P>
+                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">_lib.h:5:
+                        error: redefinition of typedef 'Py_ssize_t'</FONT></P>
+                </TD>
+        </TR>
+</TABLE>
+<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
+</P>
+<P CLASS="western" ALIGN=JUSTIFY>Avoid this version of SWIG.</P>
+<P CLASS="western" ALIGN=JUSTIFY>See:
+<A HREF="http://chandlerproject.org/Projects/MeTooCrypto#FAQ">http://chandlerproject.org/Projects/MeTooCrypto#FAQ</A>
+for reference and up to date details of any other M2Crypto related
+issues.</P>
+<H3 CLASS="western"><A NAME="5.6.2. PyXML|outline"></A>5.6.2 PyXML</H3>
 <P CLASS="western" ALIGN=JUSTIFY>error: Could not find suitable
 distribution for Requirement.parse('PyXML&gt;=0.8.3')</P>
-<P CLASS="western" ALIGN=JUSTIFY>$ easy_install –f
-<FONT COLOR="#0000ff"><U><A HREF="http://sourceforge.net/project/showfiles.php?group_id=6473">http://sourceforge.net/project/showfiles.php?group_id=6473</A></U></FONT>
-PyXML</P>
-<P CLASS="western" ALIGN=JUSTIFY>or –f option with
+<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
+        <COL WIDTH=610>
+        <TR>
+                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
+                        <P STYLE="margin-bottom: 0cm"><BR>
+                        </P>
+                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
+                        easy_install –f
+                        <FONT COLOR="#0000ff"><U><A HREF="http://sourceforge.net/project/showfiles.php?group_id=6473">http://sourceforge.net/project/showfiles.php?group_id=6473</A></U></FONT>
+                        PyXML</FONT></P>
+                </TD>
+        </TR>
+</TABLE>
+<P CLASS="western" ALIGN=JUSTIFY><BR>or –f option with
 ndg-security-install.py</P>
-<H3 CLASS="western"><A NAME="5.5.3.4Suite-XML Build error|outline"></A>
-5.5.34Suite-XML Build error</H3>
+<H3 CLASS="western"><A NAME="5.6.3. 4Suite-XML Build error|outline"></A>
+5.6.3 4Suite-XML Build error</H3>
 <P CLASS="western" ALIGN=JUSTIFY>Ft/Xml/src/expat/lib/xmlparse.c:89:2:
 #error memmove does not exist on this platform, nor is a substitute
 available</P>
 <P CLASS="western" ALIGN=JUSTIFY>4Suite-XML 1.0.2</P>
-<P CLASS="western" ALIGN=JUSTIFY>$ cat /proc/version</P>
-<P CLASS="western" ALIGN=JUSTIFY>Linux version 2.4.21-32.0.1.ELsmp
-(bhcompile@bugs.build.redhat.com) (gcc version</P>
-<P CLASS="western" ALIGN=JUSTIFY> 3.2.3 20030502 (Red Hat Linux
-3.2.3-52)) #1 SMP Tue May 17 17:52:23 EDT 2005</P>
-<P CLASS="western" ALIGN=JUSTIFY>$ uname –a 
-</P>
-<P CLASS="western" ALIGN=JUSTIFY>Linux glue.badc.rl.ac.uk
-2.4.21-32.0.1.ELsmp #1 SMP Tue May 17 17:52:23 EDT 2005 i686 i686
-i386 GNU/Linux</P>
-<P CLASS="western" ALIGN=JUSTIFY>Solution</P>
-<P CLASS="western" ALIGN=JUSTIFY>$ echo -e
-&quot;[build_ext]\ndefine=HAVE_MMEMOVE&quot; &gt; ~/.pydistutils.cfg</P>
-<P CLASS="western" ALIGN=JUSTIFY>$ easy_install 4Suite-XML</P>
+<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
+        <COL WIDTH=610>
+        <TR>
+                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
+                        <P STYLE="margin-bottom: 0cm"><BR>
+                        </P>
+                        <OL START=3>
+                                <P CLASS="western" ALIGN=LEFT>$ cat /proc/version<BR>Linux
+                                version 2.4.21-32.0.1.ELsmp (bhcompile@bugs.build.redhat.com)
+                                (gcc version 20030502 (Red Hat Linux 3.2.3-52)) #1 SMP Tue May 17
+                                17:52:23 EDT 2005</P>
+                        </OL>
+                </TD>
+        </TR>
+</TABLE>
+<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
+</P>
+<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
+        <COL WIDTH=610>
+        <TR>
+                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
+                        <P STYLE="margin-bottom: 0cm"><BR>
+                        </P>
+                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$
+                        uname –a </FONT>
+                        </P>
+                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Linux
+                        glue.badc.rl.ac.uk 2.4.21-32.0.1.ELsmp #1 SMP Tue May 17 17:52:23
+                        EDT 2005 i686 i686 i386 GNU/Linux</FONT></P>
+                </TD>
+        </TR>
+</TABLE>
+<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
+</P>
+<P CLASS="western" ALIGN=JUSTIFY>Solution:</P>
+<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>
+        <COL WIDTH=610>
+        <TR>
+                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0">
+                        <P STYLE="margin-bottom: 0cm"><BR>
+                        </P>
+                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ echo
+                        -e &quot;[build_ext]\ndefine=HAVE_MMEMOVE&quot; &gt;
+                        ~/.pydistutils.cfg<BR>$ easy_install 4Suite-XML</FONT></P>
+                </TD>
+        </TR>
+</TABLE>
+<P CLASS="western" ALIGN=JUSTIFY><BR><BR>
+</P>
 <P CLASS="western" ALIGN=JUSTIFY><BR><BR>
 </P>