Changeset 3171 for TI12-security
- Timestamp: 21/12/07 14:16:10 (13 years ago)
- Location: TI12-security/trunk/documentation/InstallationGuide
- Files: 2 edited
TI12-security/trunk/documentation/InstallationGuide/html/NDGSecurityInstallationGuide.html
r2942 r3171 7 7 <META NAME="AUTHOR" CONTENT="P J Kershaw"> 8 8 <META NAME="CREATED" CONTENT="20071010;9350000"> 9 <META NAME="CHANGED" CONTENT="20071 010;15023700">9 <META NAME="CHANGED" CONTENT="20071221;14112900"> 10 10 <STYLE TYPE="text/css"> 11 11 <!-- 12 @page { size: 21cm 29.7cm; margin- right: 2.29cm; margin-top: 1.27cm; margin-bottom: 1.27cm }12 @page { size: 21cm 29.7cm; margin-left: 2.54cm; margin-right: 2.29cm; margin-top: 1.27cm; margin-bottom: 1.27cm } 13 13 @page:first { margin-top: 1.27cm; margin-bottom: 2.54cm } 14 14 P { margin-bottom: 0.42cm; direction: ltr; color: #000000; text-align: left; widows: 2; orphans: 2 } … … 28 28 H3.cjk { font-family: "Times New Roman", "Times", serif; font-size: 10pt; font-style: italic } 29 29 H3.ctl { font-family: "Times New Roman", "Times", serif; font-size: 10pt; so-language: ar-SA; font-weight: medium } 30 H4 { margin-top: 0cm; margin-bottom: 0 .42cm; direction: ltr; color: #000000; text-align: justify; widows: 2; orphans: 2 }30 H4 { margin-top: 0cm; margin-bottom: 0cm; direction: ltr; color: #000000; text-align: justify; widows: 2; orphans: 2 } 31 31 H4.western { font-family: "Helvetica", sans-serif; font-size: 10pt; so-language: en-GB; font-style: italic; font-weight: medium } 32 32 H4.cjk { font-family: "Times New Roman", "Times", serif; font-size: 10pt; font-style: italic; font-weight: medium } … … 50 50 Grid Security</B></FONT></P> 51 51 <P ALIGN=RIGHT><FONT SIZE=6><B>Installation Guide</B></FONT></P> 52 <P ALIGN=RIGHT><FONT SIZE=3><B>Version 0. 
8</B></FONT></P>52 <P ALIGN=RIGHT><FONT SIZE=3><B>Version 0.9</B></FONT></P> 53 53 </SPAN><BR><BR> 54 54 </P> … … 177 177 </TD> 178 178 </TR> 179 <TR VALIGN=TOP> 180 <TD WIDTH=194> 181 <P ALIGN=JUSTIFY>0.9</P> 182 </TD> 183 <TD WIDTH=195> 184 <P CLASS="western" ALIGN=JUSTIFY>11//10/07</P> 185 </TD> 186 <TD WIDTH=195> 187 <UL> 188 <LI VALUE=1><P CLASS="western" ALIGN=LEFT>Use of MyProxy with a 189 SimpleCA and PAM callout for authentication</P> 190 <LI><P CLASS="western" ALIGN=LEFT>details for certificate 191 requests for Session Manager and Attribute Authority</P> 192 </UL> 193 </TD> 194 </TR> 179 195 </TABLE> 180 196 <P ALIGN=LEFT STYLE="page-break-before: always"><FONT SIZE=4 STYLE="font-size: 16pt"><B>Contents</B></FONT></P> 181 197 <DIV ID="Table of Contents1" DIR="LTR"> 182 <P ALIGN=JUSTIFY><A HREF="#1. References|outline">1. References 5</A></P>183 <P ALIGN=JUSTIFY><A HREF="#2.Introduction|outline">2. Introduction 5</A></P>198 <P ALIGN=JUSTIFY><A HREF="#1. References|outline">1. References 6</A></P> 199 <P ALIGN=JUSTIFY><A HREF="#2.Introduction|outline">2. Introduction 7</A></P> 184 200 <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#2.1.Pre-requisites |outline">2.1 185 Pre-requisites 5</A></P>201 Pre-requisites 7</A></P> 186 202 <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#2.2.Deployment Model|outline">2.2 187 Deployment Model 5</A></P>203 Deployment Model 7</A></P> 188 204 <P ALIGN=JUSTIFY><A HREF="#3.Software Installation Components|outline">3. 189 Software Installation Components 8</A></P> 190 <P ALIGN=JUSTIFY><A HREF="#4.Installation|outline">4. 
Installation 9</A></P> 191 <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.1.Python Packages|outline">4.1 192 Python Packages 9</A></P> 193 <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.1.1.distutils|outline">4.1.1 194 distutils 9</A></P> 195 <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.1.2.NDG Security Packages|outline">4.1.2 196 NDG Security Packages 9</A></P> 197 <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.2.NDG Web Services Configuration|outline">4.2 198 NDG Web Services Configuration 10</A></P> 199 <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.2.1.NDG Security System Configuration Files|outline">4.2.1 200 NDG Security System Configuration Files 10</A></P> 201 <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.2.2.Certificate Generation|outline">4.2.2 202 Certificate Generation 11</A></P> 203 <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.3.Session Manager Configuration|outline">4.3 204 Session Manager Configuration 12</A></P> 205 <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.3.1.Session Manager Credential Repository|outline">4.3.1 206 Session Manager Credential Repository 12</A></P> 207 <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.3.2.Session Manager Properties File Settings|outline">4.3.2 208 Session Manager Properties File Settings 12</A></P> 209 <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.3.3.SysV-style Boot Script|outline">4.3.3 210 SysV-style Boot Script 15</A></P> 211 <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.4.Attribute Authority Configuration|outline">4.4 212 Attribute Authority Configuration 16</A></P> 213 <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.4.1.Attribute Authority Properties File Settings|outline">4.4.1 214 Attribute Authority Properties File Settings 16</A></P> 215 <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.4.2.User Roles Interface|outline">4.4.2 216 User Roles Interface 17</A></P> 217 <P 
ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.4.3.Role Mapping|outline">4.4.3 218 Role Mapping 18</A></P> 219 <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.4.4.Twisted Python server .tac file|outline">4.4.4 220 Twisted Python server .tac file 19</A></P> 221 <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.4.5.SysV-style Boot Script|outline">4.4.5 222 SysV-style Boot Script 19</A></P> 223 <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.5.Python Unit Tests|outline">4.5 224 Python Unit Tests 20</A></P> 225 <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.6.Globus MyProxy|outline">4.6 226 Globus MyProxy 20</A></P> 227 <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.6.1.MyProxy and NDG Security Background|outline">4.6.1 228 MyProxy and NDG Security Background 20</A></P> 229 <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.6.2.MyProxy user account and the repository location considerations|outline">4.6.2 230 MyProxy user account and the repository location considerations 20</A></P> 231 <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.6.3.Build Process|outline">4.6.3 232 Build Process 21</A></P> 233 <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.6.4.NDG SimpleCA Client Package |outline">4.6.4 234 NDG SimpleCA Client Package 22</A></P> 235 <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.6.5.Host Certificate Creation|outline">4.6.5 236 Host Certificate Creation 24</A></P> 237 <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.6.6.MyProxy Configuration File|outline">4.6.6 238 MyProxy Configuration File 24</A></P> 239 <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.6.7.Repository Directory|outline">4.6.7 240 Repository Directory 25</A></P> 241 <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.6.8.Adding MyProxy Server to the system start up|outline">4.6.8 242 Adding MyProxy Server to the system start up 25</A></P> 243 <P ALIGN=JUSTIFY><A 
HREF="#5.Appendices|outline">5. Appendices 27</A></P> 244 <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#5.1.MySQL Installation|outline">5.1 245 MySQL Installation 27</A></P> 246 <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.1.1.Version|outline">5.1.1 247 Version 27</A></P> 248 <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.1.2.Getting the Binaries|outline">5.1.2 249 Getting the Binaries 27</A></P> 250 <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.1.3.New mysql User Account|outline">5.1.3 251 New mysql User Account 27</A></P> 252 <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.1.4.Unpacking the tarball|outline">5.1.4 253 Unpacking the tarball 27</A></P> 254 <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.1.5.Configuration File|outline">5.1.5 255 Configuration File 28</A></P> 256 <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.1.6.Create the Grant Tables|outline">5.1.6 257 Create the Grant Tables 28</A></P> 258 <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.1.7.File and Directory Permissions|outline">5.1.7 259 File and Directory Permissions 29</A></P> 260 <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.1.8.Starting the Server|outline">5.1.8 261 Starting the Server 29</A></P> 262 <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.1.9.Securing MySQL Accounts|outline">5.1.9 263 Securing MySQL Accounts 29</A></P> 264 <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.1.10.Server Automated Start up|outline">5.1.10 265 Server Automated Start up 30</A></P> 266 <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#5.2.HTTPS set-up with Apache Web Server|outline">5.2 267 HTTPS set-up with Apache Web Server 30</A></P> 268 <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.1.Web Server Host Certificate Generation|outline">5.2.1 269 Web Server Host Certificate Generation 30</A></P> 270 <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.2.Apache Configuration File 
Settings|outline">5.2.2 271 Apache Configuration File Settings 30</A></P> 272 <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#5.3.Apache Web Server Proxy Settings Configuration for Web Services|outline">5.3 273 Apache Web Server Proxy Settings Configuration for Web Services 31</A></P> 274 <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#5.4.An Example Attribute Authority AAUserRoles interface class|outline">5.4 275 An Example Attribute Authority AAUserRoles interface class 32</A></P> 276 <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#5.5.Troubleshooting|outline">5.5 277 Troubleshooting 35</A></P> 278 <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.5.1.M2Crypto SWIG Build Error|outline">5.5.1 279 M2Crypto SWIG Build Error 35</A></P> 280 <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.5.2.PyXML|outline">5.5.2 281 PyXML 36</A></P> 282 <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.5.3.4Suite-XML Build error|outline">5.5.3 283 4Suite-XML Build error 36</A></P> 205 Software Installation Components 9</A></P> 206 <P ALIGN=JUSTIFY><A HREF="#4.Installation|outline">4. 
207 Installation 10</A></P> 208 <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.1.Dependencies|outline">4.1 209 Dependencies 10</A></P> 210 <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.1.1.OpenSSL|outline">4.1.1 211 OpenSSL 10</A></P> 212 <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.1.2.SWIG|outline">4.1.2 213 SWIG 10</A></P> 214 <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.2.Python Packages|outline">4.2 215 Python Packages 10</A></P> 216 <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.2.1.setuptools|outline">4.2.1 217 setuptools 10</A></P> 218 <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.2.2.NDG Security Packages|outline">4.2.2 219 NDG Security Packages 11</A></P> 220 <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.3.NDG Web Services Configuration|outline">4.3 221 NDG Web Services Configuration 11</A></P> 222 <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.3.1.NDG Security System Configuration Files|outline">4.3.1 223 NDG Security System Configuration Files 11</A></P> 224 <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.3.2. 
Certificate Generation|outline">4.3.2 225 Certificate Generation 12</A></P> 226 <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.4.Session Manager Configuration|outline">4.4 227 Session Manager Configuration 14</A></P> 228 <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.4.1.Session Manager Credential Repository|outline">4.4.1 229 Session Manager Credential Repository 14</A></P> 230 <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.4.2.Session Manager Properties File Settings|outline">4.4.2 231 Session Manager Properties File Settings 14</A></P> 232 <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.4.3.SysV-style Boot Script|outline">4.4.3 233 SysV-style Boot Script 18</A></P> 234 <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.5.Attribute Authority Configuration|outline">4.5 235 Attribute Authority Configuration 18</A></P> 236 <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.5.1.Attribute Authority Properties File Settings|outline">4.5.1 237 Attribute Authority Properties File Settings 18</A></P> 238 <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.5.2.User Roles Interface|outline">4.5.2 239 User Roles Interface 20</A></P> 240 <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.5.3.Role Mapping|outline">4.5.3 241 Role Mapping 20</A></P> 242 <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.5.4.Twisted Python server .tac file|outline">4.5.4 243 Twisted Python server .tac file 21</A></P> 244 <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.5.5.SysV-style Boot Script|outline">4.5.5 245 SysV-style Boot Script 22</A></P> 246 <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.6.Python Unit Tests|outline">4.6 247 Python Unit Tests 22</A></P> 248 <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.7. MyProxy|outline">4.7 249 MyProxy 22</A></P> 250 <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.7.1. 
MyProxy and NDG Security Background|outline">4.7.1 251 MyProxy and NDG Security Background 22</A></P> 252 <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.7.2. MyProxy user account and the repository location considerations|outline">4.7.2 253 MyProxy user account and the repository location considerations 23</A></P> 254 <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.7.3. Installation|outline">4.7.3 255 Installation 23</A></P> 256 <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.7.4. SimpleCA Installation|outline">4.7.4 257 SimpleCA Installation 24</A></P> 258 <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.7.5. Host Certificate Creation|outline">4.7.5 259 Host Certificate Creation 27</A></P> 260 <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.7.6. MyProxy Configuration File|outline">4.7.6 261 MyProxy Configuration File 27</A></P> 262 <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.7.7. MyProxy SimpleCA Configuration|outline">4.7.7 263 MyProxy SimpleCA Configuration 28</A></P> 264 <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.7.8. MyProxy PAM Configuration|outline">4.7.8 265 MyProxy PAM Configuration 29</A></P> 266 <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.7.9. Testing MyProxy|outline">4.7.9 267 Testing MyProxy 30</A></P> 268 <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.7.10. Adding MyProxy Server to the system start up|outline">4.7.10 269 Adding MyProxy Server to the system start up 33</A></P> 270 <P ALIGN=JUSTIFY><A HREF="#5.Appendices|outline">5. Appendices 35</A></P> 271 <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#5.1. Postgres PAM for MyProxy|outline">5.1 272 Postgres PAM for MyProxy 35</A></P> 273 <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.1.1. Configuration|outline">5.1.1 274 Configuration 35</A></P> 275 <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#5.2. 
MySQL Installation|outline">5.2 276 MySQL Installation 36</A></P> 277 <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.1.Version|outline">5.2.1 278 Version 36</A></P> 279 <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.2. Getting the Binaries|outline">5.2.2 280 Getting the Binaries 36</A></P> 281 <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.3. New mysql User Account|outline">5.2.3 282 New mysql User Account 36</A></P> 283 <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.4. Unpacking the tarball|outline">5.2.4 284 Unpacking the tarball 36</A></P> 285 <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.5. Configuration File|outline">5.2.5 286 Configuration File 37</A></P> 287 <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.6. Create the Grant Tables|outline">5.2.6 288 Create the Grant Tables 37</A></P> 289 <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.7. File and Directory Permissions|outline">5.2.7 290 File and Directory Permissions 38</A></P> 291 <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.8. Starting the Server|outline">5.2.8 292 Starting the Server 38</A></P> 293 <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.9. Securing MySQL Accounts|outline">5.2.9 294 Securing MySQL Accounts 38</A></P> 295 <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.10. Server Automated Start up|outline">5.2.10 296 Server Automated Start up 39</A></P> 297 <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#5.3. HTTPS set-up with Apache Web Server|outline">5.3 298 HTTPS set-up with Apache Web Server 39</A></P> 299 <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.3.1. 
Web Server Host Certificate Generation|outline">5.3.1 300 Web Server Host Certificate Generation 39</A></P> 301 <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.3.2.Apache Configuration File Settings|outline">5.3.2 302 Apache Configuration File Settings 40</A></P> 303 <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#5.4. Apache Web Server Proxy Settings Configuration for Web Services|outline">5.4 304 Apache Web Server Proxy Settings Configuration for Web Services 40</A></P> 305 <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#5.5.An Example Attribute Authority AAUserRoles interface class|outline">5.5 306 An Example Attribute Authority AAUserRoles interface class 41</A></P> 307 <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#5.6.Troubleshooting|outline">5.6 308 Troubleshooting 44</A></P> 309 <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.6.1.M2Crypto |outline">5.6.1 310 M2Crypto 44</A></P> 311 <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.6.2. PyXML|outline">5.6.2 312 PyXML 45</A></P> 313 <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.6.3. 4Suite-XML Build error|outline">5.6.3 314 4Suite-XML Build error 45</A></P> 284 315 </DIV> 285 316 <H1 CLASS="western"><A NAME="1. References|outline"></A>1. 
References</H1> … … 287 318 <LI><P CLASS="western" ALIGN=JUSTIFY><FONT COLOR="#0000ff"><U><A HREF="http://grid.ncsa.uiuc.edu/myproxy/"><SPAN LANG="fi-FI">http://grid.ncsa.uiuc.edu/myproxy/</SPAN></A></U></FONT><SPAN LANG="fi-FI"> 288 319 - NCSA MyProxy site</SPAN></P> 289 <LI><P CLASS="western" ALIGN=JUSTIFY><FONT COLOR="#0000ff"><U><A HREF="http://grid.ncsa.uiuc.edu/myproxy/fromscratch.html"><SPAN LANG="fr-FR">http://grid.ncsa.uiuc.edu/myproxy/fromscratch.html</SPAN></A></U></FONT><SPAN LANG="fr-FR"> 290 - NCSA MyProxy installation instructions</SPAN></P> 320 <LI><P LANG="fr-FR" CLASS="western" ALIGN=JUSTIFY><A HREF="http://grid.ncsa.uiuc.edu/myproxy/ca/">http://grid.ncsa.uiuc.edu/myproxy/ca/</A> 321 - MyProxy Certificate Authority</P> 322 <LI><P LANG="fr-FR" CLASS="western" ALIGN=JUSTIFY><A HREF="http://grid.ncsa.uiuc.edu/myproxy/pam.html">http://grid.ncsa.uiuc.edu/myproxy/pam.html</A> 323 â MyProxy PAM Support</P> 291 324 <LI><P CLASS="western" ALIGN=JUSTIFY><FONT COLOR="#0000ff"><U><A HREF="http://www-unix.globus.org/toolkit/docs/4.0/security/">http://www-unix.globus.org/toolkit/docs/4.0/security/</A></U></FONT> 292 325 - Globus 4.0 and Security</P> … … 330 363 CredentialRepository only]</P> 331 364 <LI><P CLASS="western" ALIGN=JUSTIFY>Python 2.4 or later</P> 332 <LI><P CLASS="western" ALIGN=JUSTIFY>Python distutils utility</P>365 <LI><P CLASS="western" ALIGN=JUSTIFY>Python setuptools utility</P> 333 366 <LI><P CLASS="western" ALIGN=JUSTIFY>OpenSSL is required at version 334 367 0.9.8 or greater</P> 368 <LI><P CLASS="western" ALIGN=JUSTIFY>SWIG 1.3.24 or later (for 369 M2Crypto Python OpenSSL wrapper)</P> 335 370 </UL> 336 371 <P CLASS="western" ALIGN=JUSTIFY STYLE="margin-left: 0.64cm">Also … … 371 406 the particular installation required:</P> 372 407 <UL> 373 <LI ><P CLASS="western" ALIGN=LEFT>ndg_security_server â components374 required to run services</P>408 <LI VALUE=1><P CLASS="western" ALIGN=LEFT>ndg_security_server â 409 components required to run 
services</P> 375 410 <LI><P CLASS="western" ALIGN=LEFT>ndg_security_common â components 376 411 required by both server and common eggs</P> … … 394 429 are required:</P> 395 430 <UL> 396 <LI ><P CLASS="western" ALIGN=JUSTIFY>Globus MyProxy 4.0.1 (or later)397 â source installer tar ball may be downloaded from the Globus398 site (<FONT COLOR="#0000ff"><U><A HREF="http://www.globus.org/toolkit/downloads/4.0.1/">http://www.globus.org/toolkit/downloads/4.0.1/</A></U></FONT>)</P>399 <LI><P CLASS="western" ALIGN=JUSTIFY> NDG SimpleCA client package tar400 ball â configures target machine to trust the NDG CA.</P>431 <LI VALUE=1><P CLASS="western" ALIGN=JUSTIFY>Globus MyProxy 4.0.5 432 (or later) â source installer tar ball may be downloaded from the 433 Globus site (<FONT COLOR="#0000ff"><U><A HREF="http://www.globus.org/toolkit/downloads/4.0.1/">http://www.globus.org/toolkit/downloads/4.0.1/</A></U></FONT>)</P> 434 <LI><P CLASS="western" ALIGN=JUSTIFY>Globus SimpleCA to enable the 435 MyProxy Certificate Authority.</P> 401 436 </UL> 402 437 <P CLASS="western" ALIGN=JUSTIFY STYLE="margin-left: 0.64cm">These … … 407 442 wish to install MyProxy on a separate secure server to the other 408 443 Python based security services.</P> 409 <H2 CLASS="western"><A NAME="4.1.Python Packages|outline"></A>4.1Python 410 Packages</H2> 444 <H2 CLASS="western"><A NAME="4.1.Dependencies|outline"></A>4.1Dependencies</H2> 445 <H3 CLASS="western"><A NAME="4.1.1.OpenSSL|outline"></A>4.1.1 OpenSSL</H3> 446 <P CLASS="western" ALIGN=JUSTIFY>Before proceeding with the 447 installation check that an up to date version of OpenSSL is 448 installed:</P> 449 <TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 450 <COL WIDTH=596> 451 <TR> 452 <TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6"> 453 <P LANG="da-DK" STYLE="margin-bottom: 0cm"><BR> 454 </P> 455 <P LANG="da-DK"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 456 openssl version</FONT></P> 457 </TD> 458 
</TR> 459 </TABLE> 460 <P CLASS="western" ALIGN=JUSTIFY><BR><BR> 461 </P> 462 <P CLASS="western" ALIGN=JUSTIFY>0.9.8 or greater is required. 463 Should you need to upgrade, OpenSSL is available from 464 <A HREF="http://www.openssl.org/source/">http://www.openssl.org/source/</A>. 465 Once downloaded, unpack the tarball and follow the installation 466 intstructions.</P> 467 <H3 CLASS="western"><A NAME="4.1.2.SWIG|outline"></A>4.1.2 SWIG</H3> 468 <P CLASS="western">SWIG is a tool to help with bindings from C/C++ to 469 interpreted languages such as Python. The Python OpenSSL wrapper 470 M2Crypto uses it and version 1.3.24 or later is required. Downloads 471 are available from, <A HREF="http://www.swig.org/">http://www.swig.org</A>.</P> 472 <H2 CLASS="western"><A NAME="4.2.Python Packages|outline"></A>4.2 473 Python Packages</H2> 411 474 <P CLASS="western" ALIGN=JUSTIFY>Log in to the target host as <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">root</SPAN></FONT>. 412 475 Change to a suitable directory to hold temporary installation files. 413 476 414 477 </P> 415 <H3 CLASS="western"><A NAME="4.1.1.distutils|outline"></A>4.1.1distutils</H3> 478 <H3 CLASS="western"><A NAME="4.2.1.setuptools|outline"></A>4.2.1 479 setuptools</H3> 416 480 <P CLASS="western" ALIGN=JUSTIFY>The first step is to install Python 417 distutils, the package that enables the use of Python eggs. Download 418 the distutils bootstrap script:</P>481 setuptools, the package that enables the use of Python eggs. 
482 Download the setuptools bootstrap script:</P> 419 483 <TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 420 484 <COL WIDTH=596> … … 423 487 <P LANG="da-DK" STYLE="margin-bottom: 0cm"><BR> 424 488 </P> 425 <P ><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="da-DK">$426 wget http://peak.telecommunity.com/dist/ez_setup.py</ SPAN></FONT></P>489 <P LANG="da-DK"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 490 wget http://peak.telecommunity.com/dist/ez_setup.py</FONT></P> 427 491 </TD> 428 492 </TR> … … 459 523 </TR> 460 524 </TABLE> 461 < H3 CLASS="western"></H3>462 < P CLASS="western" ALIGN=JUSTIFY>Once completed, you can delete463 < FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ez_setup.py</SPAN></FONT>.</P>464 <H3 CLASS="western"><A NAME="4. 1.2.NDG Security Packages|outline"></A>465 4. 1.2NDG Security Packages</H3>525 <P CLASS="western"><BR><BR> 526 </P> 527 <P CLASS="western">Once completed, you can delete <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ez_setup.py</SPAN></FONT>.</P> 528 <H3 CLASS="western"><A NAME="4.2.2.NDG Security Packages|outline"></A> 529 4.2.2 NDG Security Packages</H3> 466 530 <P CLASS="western" ALIGN=JUSTIFY>NDG security uses a wrapper to 467 531 distutils <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">easy_install</SPAN></FONT> … … 474 538 <P LANG="da-DK" STYLE="margin-bottom: 0cm"><BR> 475 539 </P> 476 <P ><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="da-DK">$477 wget http://ndg.nerc.ac.uk/dist/ndg-security-install.py</ SPAN></FONT></P>540 <P LANG="da-DK"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 541 wget http://ndg.nerc.ac.uk/dist/ndg-security-install.py</FONT></P> 478 542 </TD> 479 543 </TR> … … 499 563 using the âh option. âa selects all packages for installation. 
500 564 If there are problems with the installation, see the Troubleshooting 501 Guide in the Appendices section 5. 5.</P>502 <H2 CLASS="western"><A NAME="4. 2.NDG Web Services Configuration|outline"></A>503 4. 2NDG Web Services Configuration</H2>504 <H3 CLASS="western"><A NAME="4. 2.1.NDG Security System Configuration Files|outline"></A>505 4. 2.1NDG Security System Configuration Files</H3>565 Guide in the Appendices section 5.6.</P> 566 <H2 CLASS="western"><A NAME="4.3.NDG Web Services Configuration|outline"></A> 567 4.3 NDG Web Services Configuration</H2> 568 <H3 CLASS="western"><A NAME="4.3.1.NDG Security System Configuration Files|outline"></A> 569 4.3.1 NDG Security System Configuration Files</H3> 506 570 <P CLASS="western" ALIGN=JUSTIFY>Properties files set the 507 571 configuration settings for NDG security <I>server side</I> settings. … … 520 584 <P STYLE="margin-bottom: 0cm"><BR> 521 585 </P> 522 <P ><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="da-DK">$523 mkdir /etc/ndg<BR>$ mkdir /etc/ndg/security</ SPAN></FONT></P>586 <P LANG="da-DK"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 587 mkdir /etc/ndg<BR>$ mkdir /etc/ndg/security</FONT></P> 524 588 </TD> 525 589 </TR> … … 532 596 environment of the user account used to run the security services or 533 597 can be set in the init scripts used to automatically start up the 534 services from server boot up (See sections 4. 
3.24.3.3 and 4.4.5).</P>598 services from server boot up (See sections 4.4.2, 4.4.3 and 4.5.5).</P> 535 599 <P CLASS="western" ALIGN=JUSTIFY>Locate the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndg_security_server</SPAN></FONT> 536 600 egg and copy its <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">conf/</SPAN></FONT> … … 611 675 <P CLASS="western" ALIGN=JUSTIFY><BR><BR> 612 676 </P> 613 <H3 CLASS="western"><A NAME="4.2.2.Certificate Generation|outline"></A> 614 4.2.2Certificate Generation</H3> 677 <P CLASS="western" ALIGN=JUSTIFY>Note that it is possible to run 678 security web services under any specified system account and group. 679 Ensure that this user has full access to <SPAN LANG="es-ES"><FONT FACE="Lucida Console">/etc/ndg/security</FONT> 680 e.g.</SPAN></P> 681 <TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 682 <COL WIDTH=596> 683 <TR> 684 <TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6"> 685 <P STYLE="margin-bottom: 0cm"><BR> 686 </P> 687 <P LANG="es-ES"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 688 chmod ndg:ndggroup -R /etc/ndg/security</FONT></P> 689 </TD> 690 </TR> 691 </TABLE> 692 <P LANG="es-ES" CLASS="western" ALIGN=JUSTIFY><BR><BR> 693 </P> 694 <H3 CLASS="western"><A NAME="4.3.2. Certificate Generation|outline"></A> 695 4.3.2 Certificate Generation</H3> 615 696 <P CLASS="western" ALIGN=JUSTIFY>The Session Manager and Attribute 616 697 Authority web services require individual X.509 certificates as a … … 631 712 openssl genrsa âout sm-key.pem 2048</FONT></P> 632 713 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 714 chmod 400 sm-key.pem</FONT></P> 715 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 633 716 openssl req ânew âkey sm-key.pem âout sm.csr</FONT></P> 634 717 <P CLASS="western" ALIGN=LEFT><BR> … … 649 732 All other fields have been omitted. 
You can skip individual fields 650 733 by enter â.â When prompted.</P> 651 <P CLASS="western" ALIGN=JUSTIFY>Forward the request file to the NDG 652 CA. The CA will issue a certificate file. Copy this file as 734 <P CLASS="western" ALIGN=JUSTIFY>Forward the request file to the 735 appropriate CA. This could be your SimpleCA created for use with 736 MyProxy â see MyProxy installation. The CA will issue a 737 certificate file. Copy this file as 653 738 <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/conf/certs/sm-cert.pem</SPAN></FONT>.<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB"> 654 739 </SPAN></FONT> The request<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"> … … 667 752 openssl genrsa âout aa-key.pem 2048</FONT></P> 668 753 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 754 chmod 400 aa-key.pem</FONT></P> 755 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 669 756 openssl req ânew âkey aa-key.pem âout aa.csr</FONT></P> 670 757 <P CLASS="western" ALIGN=LEFT><BR> … … 678 765 Manager is run over https to keep user login credentials secured. A 679 766 server certificate and key will be required in addition to enable 680 this. These can be added to the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/conf/certs 681 directory and can be <FONT FACE="Helvetica, sans-serif">referenced by 682 the Session Managerâs properties file.</FONT></SPAN></FONT></P> 767 this. 768 </P> 769 <P CLASS="western" ALIGN=JUSTIFY>If required, a certificate could be 770 issued from your SimpleCA. Follow the same procedure as used for the 771 Session Manager and Attirbute Authority above creating a private key 772 and certificate request. The private key should be generated without 773 a password. 
When generating the certificate request ensure that the 774 Common Name is set to the fully qualified name of the server host.</P> 775 <P CLASS="western" ALIGN=JUSTIFY>Once available the certificate and 776 private key can be added to the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/conf/certs 777 <FONT FACE="Helvetica, sans-serif">directory and can be </FONT><FONT FACE="Helvetica, sans-serif">referenced 778 by the Session Managerâs properties file with the </FONT><FONT FACE="Lucida Console">sslCertFile</FONT><FONT FACE="Helvetica, sans-serif"> 779 and </FONT><FONT FACE="Lucida Console">sslKeyFile</FONT><FONT FACE="Helvetica, sans-serif"> 780 elements respectively.</FONT></SPAN></FONT></P> 683 781 <P CLASS="western" ALIGN=JUSTIFY>A copy of the NDG Certificate 684 782 Authorityâs X.509 certificate is also required. Obtain this from 685 783 the NDG CA administrator and copy it into the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/conf/certs 686 784 </SPAN></FONT>directory.</P> 687 <H2 CLASS="western"><A NAME="4.3.Session Manager Configuration|outline"></A> 688 4.3Session Manager Configuration</H2> 785 <P CLASS="western" STYLE="background: #cccccc">Note that all other 786 trusted NDG partner organisations MUST have copies of your CA 787 certificate. If they don't, partner organisations NDG Security 788 infrastructures will reject requests from your security services. 
789 CA certificates are referenced in the Attribute Authority and Session 790 Manager properties file settings <FONT FACE="Lucida Console, DejaVu Sans Mono, sans-serif"><FONT SIZE=2>sslCACertDir</FONT><FONT SIZE=2 STYLE="font-size: 9pt"> 791 </FONT></FONT><FONT SIZE=2><FONT FACE="Helvetica, sans-serif">and 792 </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, sans-serif">caCertFileList</FONT></FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, sans-serif"><FONT SIZE=2 STYLE="font-size: 9pt">.</FONT></FONT><FONT SIZE=2><FONT FACE="Helvetica, sans-serif"> 793 Configuration for Gatekeepers may also need to reference your CA 794 certificate.</FONT></FONT></P> 795 <H2 CLASS="western"><A NAME="4.4.Session Manager Configuration|outline"></A> 796 4.4 Session Manager Configuration</H2> 689 797 <P CLASS="western" ALIGN=JUSTIFY>Configuration parameters may be set 690 798 via a properties file. In addition, the Session Manager can … … 695 803 use a Credential Repository. If this is the case, skip this 696 804 section.</P> 697 <H3 CLASS="western"><A NAME="_Ref156702859"></A><A NAME="4. 3.1.Session Manager Credential Repository|outline"></A>698 4. 3.1Session Manager Credential Repository</H3>805 <H3 CLASS="western"><A NAME="_Ref156702859"></A><A NAME="4.4.1.Session Manager Credential Repository|outline"></A> 806 4.4.1 Session Manager Credential Repository</H3> 699 807 <P CLASS="western" ALIGN=JUSTIFY>Create the Credential Repository 700 808 database. In the example below a MySQL database is assumed. Notes 701 on installing MySQL are given in the Appendices section 5. 1.809 on installing MySQL are given in the Appendices section 5.2. 702 810 </P> 703 811 <TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> … … 776 884 sufficient permissions to be able to read and write records. For 777 885 details of how to create an account in MySQL see the Appendices 778 section 5. 1.9.</P>779 <H3 CLASS="western"><A NAME="4. 
3.2.Session Manager Properties File Settings|outline"></A>780 4. 3.2Session Manager Properties File Settings</H3>886 section 5.2.9.</P> 887 <H3 CLASS="western"><A NAME="4.4.2.Session Manager Properties File Settings|outline"></A> 888 4.4.2 Session Manager Properties File Settings</H3> 781 889 <P CLASS="western" ALIGN=JUSTIFY>Edit <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">sessionMgrProperties.xml</SPAN></FONT> 782 890 in <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/conf</SPAN></FONT> … … 797 905 <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><sslKeyFile>>$NDGSEC_DIR/conf/certs/server-key.pem 798 906 </sslKeyFile></FONT></FONT></P> 799 <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><!--</FONT></FONT></P> 907 <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Lucida Console, DejaVu Sans Mono, sans-serif"><!-- 908 <BR> Directory containing CA cert.s to verify SSL peer cert 909 against - ignored if useSSL is blank --><BR> 910 <sslCACertDir>$NDGSEC_DIR/conf/certs/ca</sslCACertDir><BR> 911 </FONT><!--</FONT></FONT></P> 800 912 <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">PKI 801 913 settings for signature of outbound SOAP messages</FONT></FONT></P> … … 809 921 <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><keyFile>>$NDGSEC_DIR/conf/certs/server-key.pem</keyFile></FONT></FONT></P> 810 922 <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><keyPwd></keyPwd></FONT></FONT></P> 811 <P STYLE="margin-bottom: 0cm"> 812 <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 
9pt"><caCertFile>>$NDGSEC_DIR/conf/certs/cacert.pem</caCertFile></FONT></FONT></P> 813 <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><!-- 923 <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, sans-serif"><FONT SIZE=2 STYLE="font-size: 9pt"><!-- 814 924 </FONT></FONT> 925 </P> 926 <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Lucida Console, DejaVu Sans Mono, sans-serif">CA 927 Certificates used to verify X.509 certs used in peer SOAP 928 messages,<BR> SSL connections and Attribute Certificates<BR> 929 --><BR> <caCertFileList><BR> 930 <caCertFile>$NDGSEC_DIR/conf/certs/cacert.pem</caCertFile><BR> 931 </caCertFileList><BR></FONT> <!-- </FONT></FONT> 815 932 </P> 816 933 <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">Set … … 850 967 <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><SPAN LANG="fr-FR">MYPROXY_SERVER_PORT 851 968 setting</SPAN></FONT></FONT></P> 852 <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="fr-FR"><FONT SIZE=2 STYLE="font-size: 9pt">--></FONT></SPAN></FONT></P> 853 <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="fr-FR"><FONT SIZE=2 STYLE="font-size: 9pt"><port>7512</port></FONT></SPAN></FONT></P> 969 <P LANG="fr-FR" STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--></FONT></FONT></P> 970 <P LANG="fr-FR" STYLE="margin-bottom: 0cm"> 971 <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><port>7512</port></FONT></FONT></P> 854 972 <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu 
Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><!--</FONT></FONT></P> 855 973 <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">Useful … … 922 1040 <P STYLE="margin-bottom: 0cm"> 923 1041 <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><SPAN LANG="fr-FR"><caCertFile>$NDGSEC_DIR/conf/certs/cacert.pem</caCertFile></SPAN></FONT></FONT></P> 924 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="fr-FR"><FONT SIZE=2 STYLE="font-size: 9pt"> </myProxyProp></FONT></SPAN></FONT></P>925 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="fr-FR"><FONT SIZE=2 STYLE="font-size: 9pt"> <simpleCACltProp>926 </FONT></ SPAN></FONT>1042 <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> </myProxyProp></FONT></FONT></P> 1043 <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> <simpleCACltProp> 1044 </FONT></FONT> 927 1045 </P> 928 1046 <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> … … 941 1059 <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> 942 1060 <certLifetimeDays></certLifetimeDays></FONT></FONT></P> 943 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="fr-FR"><FONT SIZE=2 STYLE="font-size: 9pt">944 <certTmpDir></certTmpDir></FONT></ SPAN></FONT></P>1061 <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> 1062 <certTmpDir></certTmpDir></FONT></FONT></P> 945 1063 <P LANG="fr-FR" 
STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> 946 1064 <caCertFile></caCertFile></FONT></FONT></P> … … 1152 1270 <P CLASS="western" ALIGN=JUSTIFY><BR><BR> 1153 1271 </P> 1154 <H3 CLASS="western"><A NAME="_Ref175134983"></A><A NAME="_Ref179772391"></A><A NAME="4. 3.3.SysV-style Boot Script|outline"></A>1155 4. 3.3SysV-style Boot Script</H3>1272 <H3 CLASS="western"><A NAME="_Ref175134983"></A><A NAME="_Ref179772391"></A><A NAME="4.4.3.SysV-style Boot Script|outline"></A> 1273 4.4.3 SysV-style Boot Script</H3> 1156 1274 <P CLASS="western" ALIGN=JUSTIFY>The Session Manager can be 1157 1275 configured to start up at system boot of the host machine. A SysV … … 1195 1313 command may not be available on your target machine. Please refer to 1196 1314 instructions for your particular Linux distribution.</P> 1197 <H2 CLASS="western"><A NAME="4. 4.Attribute Authority Configuration|outline"></A>1198 4. 4Attribute Authority Configuration</H2>1315 <H2 CLASS="western"><A NAME="4.5.Attribute Authority Configuration|outline"></A> 1316 4.5 Attribute Authority Configuration</H2> 1199 1317 <P CLASS="western" ALIGN=JUSTIFY>The Attribute Authority also has a 1200 1318 properties file for the setting of configuration parameters.</P> 1201 <H3 CLASS="western"><A NAME="4. 4.1.Attribute Authority Properties File Settings|outline"></A>1202 4. 
4.1Attribute Authority Properties File Settings</H3>1319 <H3 CLASS="western"><A NAME="4.5.1.Attribute Authority Properties File Settings|outline"></A> 1320 4.5.1Attribute Authority Properties File Settings</H3> 1203 1321 <P CLASS="western" ALIGN=JUSTIFY>Edit <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">attAuthorityProperties.xml</SPAN></FONT> 1204 1322 in <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/conf</SPAN></FONT> … … 1213 1331 version="1.0" encoding="utf-8"?></FONT></FONT></P> 1214 1332 <P STYLE="margin-bottom: 0cm"><FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><AAprop></FONT></FONT></P> 1215 <P STYLE="margin-bottom: 0cm"> <FONT FACE=" Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace"><!--1216 </FONT></FONT> </FONT>1217 </P> 1218 <P STYLE="margin-bottom: 0cm"> <FONT FACE=" Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">'name'1219 setting MUST agree with map config file 'thisHost' name attribute</FONT></FONT></ FONT></P>1220 <P STYLE="margin-bottom: 0cm"> <FONT FACE=" Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">--></FONT></FONT></FONT></P>1221 <P STYLE="margin-bottom: 0cm"> <FONT FACE=" Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace"><name>Organisation1222 Identifier</name> </FONT></FONT> </FONT>1223 </P> 1224 <P STYLE="margin-bottom: 0cm"> <FONT FACE=" Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace"><portNum>SELECT1225 A SUITABLE PORT NUMBER FOR RUNNING THE SERVICE</portNum></FONT></FONT></ FONT></P>1333 <P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><!-- 1334 </FONT></FONT> 1335 </P> 1336 <P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 
STYLE="font-size: 9pt">'name' 1337 setting MUST agree with map config file 'thisHost' name attribute</FONT></FONT></P> 1338 <P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--></FONT></FONT></P> 1339 <P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><name>Organisation 1340 Identifier</name> </FONT></FONT> 1341 </P> 1342 <P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><portNum>SELECT 1343 A SUITABLE PORT NUMBER FOR RUNNING THE SERVICE</portNum></FONT></FONT></P> 1226 1344 <P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><!--</FONT></FONT></P> 1227 1345 <P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">PKI … … 1233 1351 <P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><sslKeyFile></sslKeyFile></FONT></FONT></P> 1234 1352 <P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><sslKeyPwd></sslKeyPwd></FONT></FONT></P> 1235 <P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><!--</FONT></FONT></P> 1353 <P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Lucida Console, DejaVu Sans Mono, sans-serif"><!-- 1354 <BR> Directory containing CA cert.s to verify SSL peer cert 1355 against - ignored if useSSL is blank --><BR> 1356 <sslCACertDir>$NDGSEC_DIR/conf/certs/ca</sslCACertDir><BR></FONT> 1357 <!--</FONT></FONT></P> 1236 1358 <P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">PKI 1237 1359 settings for signature of outbound SOAP messages</FONT></FONT></P> … … 1240 1362 <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><useSignatureHandler>Yes</useSignatureHandler> 1241 1363 <!-- leave blank for no signature --></FONT></FONT></P> 1242 <P STYLE="margin-bottom: 0cm"> 
1243 <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace"><certFile>$NDGSEC_DIR/conf/certs/aa-cert.pem</certFile></FONT></FONT></FONT></P> 1244 <P STYLE="margin-bottom: 0cm"> 1245 <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace"><keyFile>$NDGSEC_DIR/conf/certs/aa-key.pem 1246 </keyFile></FONT></FONT></FONT></P> 1364 <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, sans-serif"><FONT SIZE=2 STYLE="font-size: 9pt"><!-- 1365 </FONT></FONT> 1366 </P> 1367 <P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Lucida Console, DejaVu Sans Mono, sans-serif">CA 1368 Certificates used to verify X.509 certs used in peer SOAP 1369 messages,<BR> SSL connections and Attribute Certificates<BR> 1370 --><BR> <caCertFileList><BR> 1371 <caCertFile>$NDGSEC_DIR/conf/certs/cacert.pem</caCertFile><BR> 1372 </caCertFileList><BR></FONT> 1373 <keyFile>$NDGSEC_DIR/conf/certs/aa-key.pem </keyFile></FONT></FONT></P> 1247 1374 <P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><keyPwd></keyPwd></FONT></FONT></P> 1248 1375 <P STYLE="margin-bottom: 0cm"> 1249 1376 <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><caCertFile>$NDGSEC_DIR/conf/certs/cacert.pem 1250 1377 </caCertFile></FONT></FONT></P> 1251 <P STYLE="margin-bottom: 0cm"> <FONT FACE=" Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace"><!--1252 </FONT></FONT> </FONT>1378 <P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><!-- 1379 </FONT></FONT> 1253 1380 </P> 1254 1381 <P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">Set … … 1267 1394 <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><attCertLifetime>86400</attCertLifetime> 1268 1395 <!-- 
Measured in seconds --></FONT></FONT></P> 1269 <P STYLE="margin-bottom: 0cm"> <FONT FACE=" Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace"><!--1270 </FONT></FONT> </FONT>1271 </P> 1272 <P STYLE="margin-bottom: 0cm"> <FONT FACE=" Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">Allow1273 an offset for clock skew between servers running </FONT></FONT> </FONT>1274 </P> 1275 <P STYLE="margin-bottom: 0cm"> <FONT FACE=" Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">security1276 services. - Use minus sign for time in the past</FONT></FONT></ FONT></P>1277 <P STYLE="margin-bottom: 0cm"> <FONT FACE=" Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">--></FONT></FONT></FONT></P>1396 <P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><!-- 1397 </FONT></FONT> 1398 </P> 1399 <P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">Allow 1400 an offset for clock skew between servers running </FONT></FONT> 1401 </P> 1402 <P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">security 1403 services. 
- Use minus sign for time in the past</FONT></FONT></P> 1404 <P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--></FONT></FONT></P> 1278 1405 <P STYLE="margin-bottom: 0cm"> 1279 1406 <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><attCertNotBeforeOff>0</attCertNotBeforeOff></FONT></FONT></P> … … 1281 1408 Location of role mapping file --></FONT></FONT></P> 1282 1409 <P STYLE="margin-bottom: 0cm"> 1283 <FONT FACE=" Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace"><mapConfigFile>$NDGSEC_DIR/conf/mapConfig.xml</mapConfigFile></FONT></FONT></FONT></P>1410 <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><mapConfigFile>$NDGSEC_DIR/conf/mapConfig.xml</mapConfigFile></FONT></FONT></P> 1284 1411 <P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><!-- 1285 1412 All Attribute Certificates issued are recorded in this dir --></FONT></FONT></P> 1286 1413 <P STYLE="margin-bottom: 0cm"> 1287 <FONT FACE=" Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace"><attCertDir>$NDGSEC_DIR/conf/attCertLog</attCertDir></FONT></FONT></FONT></P>1288 <P STYLE="margin-bottom: 0cm"> <FONT FACE=" Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace"><!--1289 </FONT></FONT> </FONT>1290 </P> 1291 <P STYLE="margin-bottom: 0cm"> <FONT FACE=" Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">Files1292 in attCertDir are stored using a rotating file handler</FONT></FONT></ FONT></P>1293 <P STYLE="margin-bottom: 0cm"> <FONT FACE=" Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">attCertFileLogCnt1294 sets the max number of files created before the first is</FONT></FONT></ FONT></P>1295 <P STYLE="margin-bottom: 0cm"> <FONT FACE=" Lucida Console, 
DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">overwritten</FONT></FONT></FONT></P>1296 <P STYLE="margin-bottom: 0cm"> <FONT FACE=" Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace">--></FONT></FONT></FONT></P>1414 <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><attCertDir>$NDGSEC_DIR/conf/attCertLog</attCertDir></FONT></FONT></P> 1415 <P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><!-- 1416 </FONT></FONT> 1417 </P> 1418 <P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">Files 1419 in attCertDir are stored using a rotating file handler</FONT></FONT></P> 1420 <P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">attCertFileLogCnt 1421 sets the max number of files created before the first is</FONT></FONT></P> 1422 <P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">overwritten</FONT></FONT></P> 1423 <P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--></FONT></FONT></P> 1297 1424 <P STYLE="margin-bottom: 0cm"> 1298 1425 <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><attCertFileName>ac.xml</attCertFileName></FONT></FONT></P> … … 1309 1436 <P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--></FONT></FONT></P> 1310 1437 <P STYLE="margin-bottom: 0cm"> 1311 <FONT FACE=" Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace"><userRolesModFilePath>$NDGSEC_DIR/conf</userRolesModFilePath></FONT></FONT></FONT></P>1438 <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><userRolesModFilePath>$NDGSEC_DIR/conf</userRolesModFilePath></FONT></FONT></P> 1312 1439 <P STYLE="margin-bottom: 0cm"> 1313 <FONT FACE=" Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 
STYLE="font-size: 9pt"><FONT FACE="Monospace"><userRolesModName>userRoles</userRolesModName></FONT></FONT></FONT></P>1440 <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><userRolesModName>userRoles</userRolesModName></FONT></FONT></P> 1314 1441 <P STYLE="margin-bottom: 0cm"> 1315 <FONT FACE=" Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace"><userRolesClassName>UserRoles</userRolesClassName></FONT></FONT></FONT></P>1442 <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><userRolesClassName>UserRoles</userRolesClassName></FONT></FONT></P> 1316 1443 <P STYLE="margin-bottom: 0cm"> 1317 <FONT FACE=" Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Monospace"><userRolesPropFile>$NDGSEC_DIR/conf/userRoles.cfg</userRolesPropFile></FONT></FONT></FONT></P>1444 <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><userRolesPropFile>$NDGSEC_DIR/conf/userRoles.cfg</userRolesPropFile></FONT></FONT></P> 1318 1445 <P STYLE="margin-bottom: 0cm"><FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"></AAprop></FONT></FONT></P> 1319 1446 <P> … … 1324 1451 <P CLASS="western" ALIGN=JUSTIFY><BR><BR> 1325 1452 </P> 1326 <H3 CLASS="western"><A NAME="4. 4.2.User Roles Interface|outline"></A>4.4.2User1327 Roles Interface</H3>1453 <H3 CLASS="western"><A NAME="4.5.2.User Roles Interface|outline"></A>4.5.2 1454 User Roles Interface</H3> 1328 1455 <P CLASS="western" ALIGN=JUSTIFY>The Attribute Authority given a 1329 1456 valid user proxy certificate serves an attribute certificate … … 1336 1463 programmatic interface to determine the roles to user id 1337 1464 relationship. A custom python class may be written to perform this 1338 task. See the Appendices section 5. 4.</P>1339 <H3 CLASS="western"><A NAME="4. 4.3.Role Mapping|outline"></A>4.4.3Role1340 Mapping</H3>1465 task. 
See the Appendices section 5.5.</P> 1466 <H3 CLASS="western"><A NAME="4.5.3.Role Mapping|outline"></A>4.5.3 1467 Role Mapping</H3> 1341 1468 <P CLASS="western" ALIGN=JUSTIFY>The role mapping file is stored in 1342 1469 the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/conf</SPAN></FONT> … … 1483 1610 may map to many local roles.</P> 1484 1611 </UL> 1485 <H3 CLASS="western"><A NAME="4. 4.4.Twisted Python server .tac file|outline"></A>1486 4. 4.4Twisted Python server .tac file</H3>1612 <H3 CLASS="western"><A NAME="4.5.4.Twisted Python server .tac file|outline"></A> 1613 4.5.4 Twisted Python server .tac file</H3> 1487 1614 <P CLASS="western" ALIGN=JUSTIFY>Copy this from the 1488 1615 ndg_security_server to the NDG security conf/ area:</P> … … 1505 1632 <P CLASS="western" ALIGN=JUSTIFY><BR><BR> 1506 1633 </P> 1507 <H3 CLASS="western"><A NAME="_Ref179772414"></A><A NAME="4. 4.5.SysV-style Boot Script|outline"></A>1508 4. 4.5SysV-style Boot Script</H3>1634 <H3 CLASS="western"><A NAME="_Ref179772414"></A><A NAME="4.5.5.SysV-style Boot Script|outline"></A> 1635 4.5.5 SysV-style Boot Script</H3> 1509 1636 <P CLASS="western" ALIGN=JUSTIFY>As with the Session Manager, the 1510 1637 Attribute Authority can be configured to start up at system boot of … … 1546 1673 <P CLASS="western" ALIGN=JUSTIFY>If required, add any additional 1547 1674 environment settings required to connect to a user database.</P> 1548 <H2 CLASS="western"><A NAME="4. 
5.Python Unit Tests|outline"></A>4.5Python1549 Unit Tests</H2>1675 <H2 CLASS="western"><A NAME="4.6.Python Unit Tests|outline"></A>4.6 1676 Python Unit Tests</H2> 1550 1677 <P CLASS="western" ALIGN=JUSTIFY>Python unit test scripts are 1551 1678 provided to enable the system to be checked to confirm that it is … … 1553 1680 in the site-packages/ directory of the python installation.</P> 1554 1681 <P CLASS="western" ALIGN=JUSTIFY><todo: ></P> 1555 <H2 CLASS="western"><A NAME="4.6.Globus MyProxy|outline"></A>4.6Globus 1556 MyProxy</H2> 1557 <H3 CLASS="western"><A NAME="4.6.1.MyProxy and NDG Security Background|outline"></A> 1558 4.6.1MyProxy and NDG Security Background</H3> 1682 <H2 CLASS="western"><A NAME="4.7. MyProxy|outline"></A>4.7 MyProxy</H2> 1683 <H3 CLASS="western"><A NAME="4.7.1. MyProxy and NDG Security Background|outline"></A> 1684 4.7.1 MyProxy and NDG Security Background</H3> 1559 1685 <P CLASS="western" ALIGN=JUSTIFY>NDG Security makes use of MyProxy 1560 from the Globus toolkit to store userâs authentication credentials. 1561 If a participating data centre supports user accounts then it will 1562 need to deploy its MyProxy repository. 1563 </P> 1564 <P CLASS="western" ALIGN=JUSTIFY>The NDG SessionManager web service 1565 acts as a client to MyProxy. When a user is registered at a site, it 1566 generates a new public/private key for the user and an X.509 1567 certificate request. It sends the latter to the NDG Simple CA 1568 (Certificate Authority) for signing. A new X.509 certificate is 1569 issued and returned. The SessionManager uploads the public and 1570 private key into the MyProxy repository and associates a username and 1571 pass-phrase with these credentials.</P> 1572 <P CLASS="western" ALIGN=JUSTIFY>When a user subsequently logs in at 1573 their site, again the SessionManager is called. It passes the 1574 username and pass-phrase provided to MyProxy. 
MyProxy matches these 1575 with the X.509 certificate it holds and issues a <I>proxy</I> to that 1576 certificate. The proxy certificate represents the userâs ID 1577 internally in the interactions between the various NDG components. 1686 from the Globus toolkit to enable the use of individual user X.509 1687 certificates to secure messages in transactions. For example, to 1688 request an Attribute Certificate from an Attribute Authority the 1689 request can be signed using the user's certificate to enable the 1690 Attribute Authority to authenticate it.</P> 1691 <P CLASS="western" ALIGN=JUSTIFY>MyProxy is a flexible and can be 1692 configured to run in a number of different modes or combination of 1693 modes:</P> 1694 <OL> 1695 <LI><P CLASS="western" ALIGN=JUSTIFY>users can upload a proxy to 1696 their personal user certificate for storage in the MyProxy 1697 repository for later use in delegation 1698 </P> 1699 <LI><P CLASS="western" ALIGN=JUSTIFY>Personal user certificates 1700 issued by a CA can by stored in the repository.</P> 1701 <LI><P CLASS="western" ALIGN=JUSTIFY>MyProxy can be run with the 1702 Globus SimpleCA package issuing certificates dynamically based on a 1703 callout to some external authentication system. MyProxy has basic 1704 support for PAM (Pluggable Authentication Module) and SASL (<SPAN STYLE="font-style: normal">Simple 1705 Authentication and Security Layer).</SPAN></P> 1706 </OL> 1707 <P CLASS="western" ALIGN=JUSTIFY>3) is the preferred mode for NDG 1708 deployments as typically NDG partners have existing user databases 1709 against which their users authenticate. MyProxy can be configured 1710 to query the database with username/password via PAM/SASL. 1578 1711 </P> 1579 1712 <P CLASS="western" ALIGN=JUSTIFY>MyProxy runs as a service … … 1581 1714 on its host machine and user credentials are held in a directory on 1582 1715 the file system. It is important to secure the host to ensure the 1583 credentials are not compromised. 
(Also see Ref 1above.)</P> 1584 <H3 CLASS="western"><A NAME="4.6.2.MyProxy user account and the repository location considerations|outline"></A> 1585 4.6.2MyProxy user account and the repository location considerations</H3> 1716 credentials are not compromised. 1717 </P> 1718 <H3 CLASS="western"><A NAME="4.7.2. MyProxy user account and the repository location considerations|outline"></A> 1719 4.7.2 MyProxy user account and the repository location considerations</H3> 1586 1720 <P CLASS="western" ALIGN=JUSTIFY>MyProxy may be installed as root or 1587 using a separate user account. The latter is preferable as it 1588 provides an extra level of security. Note that the MyProxy 1589 repository will be in a standard location. 1721 using a separate user account. The latter provides an extra degree 1722 of security but for use with PAM, the MyProxy must be installed and 1723 run as root. Note that the MyProxy repository will be in a standard 1724 location. 1590 1725 </P> 1591 1726 <UL> … … 1599 1734 </P> 1600 1735 </UL> 1601 <P CLASS="western" ALIGN=JUSTIFY>It is possible to explicitly define 1736 <P CLASS="western" ALIGN=JUSTIFY>When run in mode 3) the repository 1737 is not used since all credentials are generated dynamically on a 1738 successful MyProxy logon request. It is possible to explicitly define 1602 1739 an alternate location but this can only be done by providing a 1603 1740 command line argument to <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy-server</SPAN></FONT>. … … 1606 1743 ps</SPAN></FONT>. This could be avoided by running <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy-server</SPAN></FONT> 1607 1744 with <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">xinetd 1608 </SPAN></FONT>(See 4.6.8.1).</P> 1609 <P CLASS="western" ALIGN=LEFT>Another factor to take into 1610 consideration is the available space on the file system for the 1611 repository location. 
There should be sufficient disk space on the 1612 partition where the directory is located to store credentials for all 1613 the users of the system at the target site.</P> 1614 <P CLASS="western" ALIGN=JUSTIFY>This guide assumes installation 1615 under a dedicated user account. The username <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">globus</SPAN></FONT> 1616 is used in the examples for convenience only. An alternative 1617 username is recommended.</P> 1618 <P CLASS="western" ALIGN=JUSTIFY>As <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">root</SPAN></FONT> 1619 user set up a local user account.</P> 1745 </SPAN></FONT>(See 4.7.10.1).</P> 1746 <P CLASS="western" ALIGN=LEFT>This guide assumes installation as 1747 root. 1748 </P> 1749 <H3 CLASS="western"><A NAME="4.7.3. Installation|outline"></A>4.7.3 1750 Installation</H3> 1751 <P CLASS="western">MyProxy is available with Globus. Version 4.0.5 1752 distribution is recommended for use with the NDG Security software. 1753 <FONT FACE="Helvetica, sans-serif"><SPAN LANG="en-GB">C and C++ 1754 development packages are needed for the build.</SPAN></FONT></P> 1755 <H4 CLASS="western">4.7.3.1 PAM Dependencies</H4> 1756 <P CLASS="western">A binary version is available but it is 1757 recommended to build and install from the source code to include PAM 1758 dependencies (<A HREF="http://grid.ncsa.uiuc.edu/myproxy/pam.html">http://grid.ncsa.uiuc.edu/myproxy/pam.html</A>). 1759 To check, there should be a <CODE><FONT FACE="Helvetica, sans-serif">pam_appl.h 1760 header file either in /usr/include/security or /usr/include/pam.</FONT></CODE></P> 1761 <P CLASS="western"><CODE><FONT FACE="Helvetica, sans-serif">If they 1762 are not present, they can be installed with the PAM development 1763 package for your Linux distribution â e.g. 
pam-devel (Redhat) or 1764 libpam*-dev (Debian based).</FONT></CODE></P> 1765 <P CLASS="western"><CODE><FONT FACE="Helvetica, sans-serif">Due to a 1766 limitation in PAM, MyProxy must be built and installed under the 1767 system root account.</FONT></CODE></P> 1768 <H4 CLASS="western">4.7.3.2<CODE><FONT FACE="Helvetica, sans-serif"> 1769 Build</FONT></CODE></H4> 1770 <P CLASS="western"><CODE><FONT FACE="Helvetica, sans-serif">The code 1771 can be downloaded from </FONT><FONT COLOR="#0000ff"><U><A HREF="http://www.globus.org/toolkit/downloads/4.0.1/"><FONT FACE="Helvetica, sans-serif">http://www.globus.org/toolkit/downloads/4.0.5</FONT></A></U></FONT></CODE></P> 1772 <P CLASS="western" ALIGN=JUSTIFY>Note that it is possible to set a 1773 target for <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">make 1774 </SPAN></FONT>so that only the MyProxy components of Globus are 1775 built. Click on the link for the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">gt4.0.5-all-source-installer</FONT> 1776 tarball. Extract the files and change to the 1777 <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">gt4.0.5-all-source-installer/</FONT> 1778 directory created.</P> 1779 <P CLASS="western" ALIGN=JUSTIFY>Configure the build settings. The 1780 default installation location is /usr/local/globus-4.0.5. 
Use 1781 âprefix=<dir path> command line option to specify an 1782 alternative location for the installation.</P> 1620 1783 <TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 1621 1784 <COL WIDTH=596> 1622 1785 <TR> 1623 <TD WIDTH=596 HEIGHT=4 6VALIGN=TOP BGCOLOR="#e6e6e6">1786 <TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6"> 1624 1787 <P STYLE="margin-bottom: 0cm"><BR> 1625 1788 </P> 1626 1789 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 1627 groupadd globus</FONT></P> 1628 <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 1629 useradd globus âg globus</FONT></P> 1630 </TD> 1631 </TR> 1632 </TABLE> 1633 <P CLASS="western" ALIGN=LEFT><BR><BR> 1634 </P> 1635 <P CLASS="western" ALIGN=JUSTIFY>Note that for security purposes, the 1636 globus user account is set up as a local rather NIS account so that 1637 access is restricted. Set the default home directory as necessary 1638 and default shell to bash. Set the password for <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">globus</SPAN></FONT>:</P> 1790 ./configure </FONT> 1791 </P> 1792 <P><BR> 1793 </P> 1794 </TD> 1795 </TR> 1796 </TABLE> 1797 <P CLASS="western" ALIGN=JUSTIFY><BR><BR> 1798 </P> 1799 <P CLASS="western" ALIGN=JUSTIFY>Compile and install MyProxy:</P> 1639 1800 <TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 1640 1801 <COL WIDTH=596> … … 1643 1804 <P STYLE="margin-bottom: 0cm"><BR> 1644 1805 </P> 1645 <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$1646 passwd globus</FONT></P>1647 </TD>1648 </TR>1649 </TABLE>1650 <P CLASS="western" ALIGN=LEFT><BR><BR>1651 </P>1652 <P CLASS="western" ALIGN=JUSTIFY>Modify the relevant files and1653 directories in the NDG installation area to be owned by the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">globus</SPAN></FONT>1654 account:</P>1655 <TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" 
CELLPADDING=7 CELLSPACING=0>1656 <COL WIDTH=596>1657 <TR>1658 <TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6">1659 <P STYLE="margin-bottom: 0cm"><BR>1660 </P>1661 <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$1662 chown -R globus:globus $NDGSEC_DIR/conf/ $NDGSEC_DIR/ndgSetup.sh</FONT></P>1663 </TD>1664 </TR>1665 </TABLE>1666 <P CLASS="western" ALIGN=LEFT><BR><BR>1667 </P>1668 <P CLASS="western" ALIGN=LEFT>For convenience, the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndgSetup.sh</SPAN></FONT>1669 file may be called from the globus accountâs <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">.bashrc</SPAN></FONT>1670 file so that the NDG environment is automatically initialised when a1671 new globus shell is invoked.</P>1672 <P CLASS="western" ALIGN=LEFT>Change to the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">globus</SPAN></FONT>1673 account and edit <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">~/.bashrc</SPAN></FONT>1674 adding the following lines at the end:</P>1675 <TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>1676 <COL WIDTH=596>1677 <TR>1678 <TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6">1679 <P STYLE="margin-bottom: 0cm"><BR>1680 </P>1681 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#1682 NDG set-up</FONT></P>1683 <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">.1684 /usr/local/NDG/ndgSetup.sh</FONT></P>1685 </TD>1686 </TR>1687 </TABLE>1688 <P CLASS="western" ALIGN=LEFT><BR><BR>1689 </P>1690 <H3 CLASS="western"><A NAME="4.6.3.Build Process|outline"></A>4.6.3Build1691 Process</H3>1692 <P CLASS="western" ALIGN=JUSTIFY>As <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">root</SPAN></FONT>,1693 create an installation directory for Globus within the NDG1694 installation:</P>1695 <TABLE WIDTH=612 BORDER=1 
BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>1696 <COL WIDTH=596>1697 <TR>1698 <TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6">1699 <P STYLE="margin-bottom: 0cm"><BR>1700 </P>1701 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$1702 mkdir $NDGSEC_DIR/globus-4.0.1</FONT></P>1703 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$1704 chown globus:globus $NDGSEC_DIR/globus-4.0.1</FONT></P>1705 <P><BR>1706 </P>1707 </TD>1708 </TR>1709 </TABLE>1710 <P CLASS="western" ALIGN=JUSTIFY><BR><BR>1711 </P>1712 <P CLASS="western" ALIGN=JUSTIFY>Ensure that the setting for1713 <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">GLOBUS_LOCATION</FONT>1714 in <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$NDGSEC_DIR/ndgSetup.sh</FONT>1715 points to the new directory created <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$NDGSEC_DIR/globus-4.0.1</FONT>.</P>1716 <P CLASS="western" ALIGN=JUSTIFY>Switch to the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">globus</FONT>1717 user account ready to download the globus installation.</P>1718 <P CLASS="western" ALIGN=JUSTIFY>Globus 4.0.1 distribution is1719 recommended for use with the NDG Security software. This is1720 available from <FONT COLOR="#0000ff"><U><A HREF="http://www.globus.org/toolkit/downloads/4.0.1/">http://www.globus.org/toolkit/downloads/4.0.1/</A></U></FONT></P>1721 <P CLASS="western" ALIGN=JUSTIFY>A binary version is available but it1722 is recommended to install the source code version and build from1723 scratch on the target machine. Note that it is possible to set a1724 target for <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">make1725 </SPAN></FONT>so that only the MyProxy components of Globus are1726 built. Click on the link for the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">gt4.0.1-all-source-installer</FONT>1727 tarball. 
Extract the files and change to the1728 <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">gt4.0.1-all-source-installer/</FONT>1729 directory created.</P>1730 <P CLASS="western" ALIGN=JUSTIFY>Configure the build settings compile1731 and install MyProxy:</P>1732 <TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0>1733 <COL WIDTH=596>1734 <TR>1735 <TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6">1736 <P STYLE="margin-bottom: 0cm"><BR>1737 </P>1738 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$1739 ./configure âprefix=$GLOBUS_LOCATION</FONT></P>1740 1806 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 1741 1807 make gsi-myproxy postinstall</FONT></P> … … 1752 1818 environment variable is not set. This can be ignored because Java is 1753 1819 not required for the MyProxy build.</SPAN></FONT></FONT></P> 1754 <P STYLE="margin-bottom: 0cm"><BR> 1755 </P> 1756 <H3 CLASS="western"><A NAME="4.6.4.NDG SimpleCA Client Package |outline"></A> 1757 4.6.4NDG SimpleCA Client Package 1758 </H3> 1759 <P CLASS="western" ALIGN=JUSTIFY>This configures the target machine 1760 to trust the NDG CA. 1761 </P> 1762 <P CLASS="western" ALIGN=JUSTIFY>Login as the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">globus</SPAN></FONT> 1763 user. To install first initialise the environment settings (The 1764 following line should be included in <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndgSetup.sh</SPAN></FONT>. 
1765 Check and amend as necessary).</P> 1820 <P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm"> 1821 </P> 1822 <P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm"><FONT FACE="Helvetica, sans-serif"><SPAN LANG="en-GB">If 1823 you encounter errors with the build you can trobuleshoot by checking 1824 config.log in the BUILD/globus_core-* or source-trees/core/source 1825 directories.</SPAN></FONT></P> 1826 <P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm"><BR> 1827 </P> 1828 <P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm"><FONT FACE="Helvetica, sans-serif"><SPAN LANG="en-GB">Verify 1829 myproxy has built with PAM support by running the command:</SPAN></FONT></P> 1830 <P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm"><BR> 1831 </P> 1832 <P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm"><BR> 1833 </P> 1766 1834 <TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 1767 1835 <COL WIDTH=596> 1768 1836 <TR> 1769 1837 <TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6"> 1770 <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><BR> 1771 </P> 1772 <P LANG="fr-FR"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 1773 . $GLOBUS_LOCATION/etc/globus-user-env.sh</FONT></P> 1774 </TD> 1775 </TR> 1776 </TABLE> 1777 <P><BR><BR> 1778 </P> 1779 <P CLASS="western" ALIGN=LEFT>Install the client package. <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB"><CA 1780 Hash></SPAN></FONT> below is a unique identifier for the CA. 
Note 1781 that the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ânonroot</SPAN></FONT> 1782 option ensures that the configuration files are installed in 1783 <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$GLOBUS_LOCATION/etc</SPAN></FONT> 1784 rather than the default location used with the root user: 1785 <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/etc/grid-security</SPAN></FONT>. 1786 If you are installing as <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">root</SPAN></FONT>, 1787 this option may be omitted if required.</P> 1788 <P CLASS="western" ALIGN=LEFT>Also note that for 64 bit architectures 1789 the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">gcc32dbg</SPAN></FONT> 1790 argument to <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">gpt-build</SPAN></FONT> 1791 should be substituted with <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">gcc64dbg</SPAN></FONT>.</P> 1838 <P STYLE="margin-bottom: 0cm"><BR> 1839 </P> 1840 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 1841 /usr/local/globus-4.0.5/sbin/myproxy-server -V</FONT></P> 1842 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">myproxy-server 1843 version MYPROXYv2 (v3.7 12 Dec 2006 PAM)</FONT></P> 1844 <P><BR> 1845 </P> 1846 </TD> 1847 </TR> 1848 </TABLE> 1849 <P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm"><BR> 1850 </P> 1851 <P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm"><FONT FACE="Helvetica, sans-serif"><SPAN LANG="en-GB">If 1852 'PAM' is included in the output as above then the executable has 1853 built correctly to include PAM support.</SPAN></FONT></P> 1854 <P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm"><BR> 1855 </P> 1856 <H3 CLASS="western"><A NAME="4.7.4. 
SimpleCA Installation|outline"></A> 1857 4.7.4 SimpleCA Installation</H3> 1858 <P CLASS="western" ALIGN=JUSTIFY>Reference: 1859 </P> 1860 <P CLASS="western" ALIGN=JUSTIFY><A HREF="http://www-unix.globus.org/toolkit/docs/4.0/security/simpleca/admin-index.html#s-simpleca-admin-installing">http://www-unix.globus.org/toolkit/docs/4.0/security/simpleca/admin-index.html#s-simpleca-admin-installing</A></P> 1861 <P CLASS="western" ALIGN=JUSTIFY>The SimpleCA can be set up under a 1862 dedicated user account but this user must have read/write permissions 1863 to the Globus MyProxy installation location. For simplicity, this 1864 guide assumes installation for MyProxy and the SimpleCA under root.</P> 1865 <P CLASS="western" ALIGN=JUSTIFY>To install first initialise the 1866 environment settings (These may be added to the appropriate start-up 1867 file e.g. .bashrc):</P> 1792 1868 <TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 1793 1869 <COL WIDTH=596> 1794 1870 <TR> 1795 1871 <TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6"> 1796 <P STYLE="margin-bottom: 0cm"><BR> 1797 </P> 1798 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 1799 gpt-build globus_simple_ca_<CA hash>_setup-0.18.tar.gz 1800 gcc32dbg</FONT></P> 1801 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 1802 gpt-postinstall</FONT></P> 1803 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 1804 $GLOBUS_LOCATION/setup/globus_simple_ca_<CA 1805 hash>_setup/setup-gsi </FONT> 1806 </P> 1807 <P>â<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">default 1808 ânonroot</FONT></P> 1809 </TD> 1810 </TR> 1811 </TABLE> 1812 <P STYLE="margin-bottom: 0cm"><BR> 1813 </P> 1814 <P CLASS="western" ALIGN=LEFT>When running <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">gpt-postinstall</SPAN></FONT>, 1815 you may see a warning:</P> 1872 <P LANG="fr-FR" 
STYLE="margin-bottom: 0cm"><BR> 1873 </P> 1874 <P LANG="fr-FR"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 1875 export GLOBUS_LOCATION=/usr/local/globus-4.0.5<BR>$ export 1876 GPT_LOCATION=$GLOBUS_LOCATION<BR>$ . 1877 $GLOBUS_LOCATION/etc/globus-user-env.sh</FONT></P> 1878 </TD> 1879 </TR> 1880 </TABLE> 1881 <P><BR><BR> 1882 </P> 1883 <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Installation 1884 script:</FONT></P> 1816 1885 <TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 1817 1886 <COL WIDTH=596> 1818 1887 <TR> 1819 1888 <TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6"> 1820 <P STYLE="margin-bottom: 0cm"><BR> 1821 </P> 1822 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">WARNING: 1823 The following packages were not set up correctly:</FONT></P> 1824 <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">globus_simple_ca_<CA 1825 hash>_setup-noflavor-pgm</FONT></P> 1826 <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Check 1827 the package documentation or run postinstall -verbose to see what 1828 happened</FONT></P> 1889 <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><BR> 1890 </P> 1891 <P LANG="fr-FR"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 1892 $GLOBUS_LOCATION/setup/globus/setup-simple-ca</FONT></P> 1829 1893 </TD> 1830 1894 </TR> … … 1832 1896 <P CLASS="western" ALIGN=LEFT><BR><BR> 1833 1897 </P> 1834 <P CLASS="western" ALIGN=LEFT>This can be ignored.</P> 1835 <H4 CLASS="western">4.6.4.1Modifications to Configuration File 1836 Settings</H4> 1837 <P CLASS="western" ALIGN=LEFT>The configuration files installed 1838 require some minor modifications before proceeding:</P> 1839 <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm">Under the 1840 directory <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$GLOBUS_LOCATION/etc</SPAN></FONT>, 1841 edit <FONT FACE="Lucida Console, 
DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">globus-host-ssl.conf</SPAN></FONT> 1842 and under the section <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">[ 1843 req_distinguished_name ]</SPAN></FONT>, edit the setting for 1844 <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">0.organizationalUnitName_default</SPAN></FONT> 1845 and change the default <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">BADC</SPAN></FONT> 1846 to the name of the organisation where this NDG security software is 1847 being installed. This name will be used as the default for the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">OU</SPAN></FONT> 1848 field of certificates held in the MyProxy server.</P> 1898 <P CLASS="western" ALIGN=LEFT>You will be prompted for the following 1899 information:</P> 1900 <OL> 1901 <LI><P CLASS="western" ALIGN=LEFT>Subject Name: When prompted, type 1902 'n' to override the default and set an appropriate subject name for 1903 the CA for your organisation. O = Organisation Name, OU = 1904 Organisational Unit (you can set more than one), CN = the Common 1905 Name i.e. the name of the Certificate Authority. For 1906 example,<BR><BR>/O=STFC/OU=Rutherford Appleton 1907 Laboratory/OU=Testing/CN=CA<BR><BR>could be the Certificate 1908 Authorityâs subject for a CA for the Space Science and Technology 1909 Department at Rutherford Appleton Laboratory which is part of the 1910 Science and Technology Facilities Council.</P> 1911 <LI><P CLASS="western" ALIGN=LEFT>e-mail Address: the contact 1912 address for certificate requests. If you are using the CA for 1913 MyProxy only you will probably not need this facility. 
You could 1914 enter globus@<target host> or some suitable administrative 1915 contact</P> 1916 <LI><P CLASS="western" ALIGN=LEFT>CA Certificate Expiry Date: Press 1917 enter to accept the default of five years, otherwise override and 1918 enter your required period.</P> 1919 <LI><P CLASS="western" ALIGN=LEFT>PEM Pass phrase: this is the 1920 password that will protect the CA's private key file. It will need 1921 to be entered in MyProxy's configuration file to enable MyProxy to 1922 dynamically issue certificates.</P> 1923 </OL> 1924 <P CLASS="western" ALIGN=LEFT>A message will appear indicating that 1925 the set-up has completed and confirming the subject chosen for your 1926 certificate and the location of certificate and private key:</P> 1927 <TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 1928 <COL WIDTH=596> 1929 <TR> 1930 <TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6"> 1931 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 1932 $GLOBUS_LOCATION/setup/globus/setup-simple-ca</FONT></P> 1933 <P STYLE="margin-bottom: 0cm"><BR> 1934 </P> 1935 <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">C 1936 e r t i f i c a t e A u t h o r i t y S e t u p</FONT></P> 1937 <P STYLE="margin-bottom: 0cm"><BR> 1938 </P> 1939 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">This 1940 script will setup a Certificate Authority for signing Globus</FONT></P> 1941 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">users 1942 certificates. 
It will also generate a simple CA package</FONT></P> 1943 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">that 1944 can be distributed to the users of the CA.</FONT></P> 1945 <P STYLE="margin-bottom: 0cm"><BR> 1946 </P> 1947 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">The 1948 CA information about the certificates it distributes will</FONT></P> 1949 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">be 1950 kept in:</FONT></P> 1951 <P STYLE="margin-bottom: 0cm"><BR> 1952 </P> 1953 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">/root/.globus/simpleCA/</FONT></P> 1954 <P STYLE="margin-bottom: 0cm"><BR> 1955 </P> 1956 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">The 1957 unique subject name for this CA is:</FONT></P> 1958 <P STYLE="margin-bottom: 0cm"><BR> 1959 </P> 1960 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">cn=Globus 1961 Simple CA, ou=simpleCA-gabriel, ou=GlobusTest, o=Grid</FONT></P> 1962 <P STYLE="margin-bottom: 0cm"><BR> 1963 </P> 1964 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Do 1965 you want to keep this as the CA subject (y/n) [y]:n</FONT></P> 1966 <P STYLE="margin-bottom: 0cm"><BR> 1967 </P> 1968 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Enter 1969 a unique subject name for this CA:cn=CA, ou=BADC, ou=Gabriel, 1970 o=NDG</FONT></P> 1971 <P STYLE="margin-bottom: 0cm"><BR> 1972 </P> 1973 <P STYLE="margin-bottom: 0cm"><BR> 1974 </P> 1975 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Enter 1976 the email of the CA (this is the email where certificate</FONT></P> 1977 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">requests 1978 will be sent to be signed 
by the CA):p.j.kershaw@rl.ac.uk</FONT></P> 1979 <P STYLE="margin-bottom: 0cm"><BR> 1980 </P> 1981 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">The 1982 CA certificate has an expiration date. Keep in mind that</FONT></P> 1983 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">once 1984 the CA certificate has expired, all the certificates</FONT></P> 1985 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">signed 1986 by that CA become invalid. A CA should regenerate</FONT></P> 1987 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">the 1988 CA certificate and start re-issuing ca-setup packages</FONT></P> 1989 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">before 1990 the actual CA certificate expires. This can be done</FONT></P> 1991 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">by 1992 re-running this setup script. 
Enter the number of DAYS</FONT></P> 1993 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">the 1994 CA certificate should last before it expires.</FONT></P> 1995 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">[default: 1996 5 years (1825 days)]:</FONT></P> 1997 <P STYLE="margin-bottom: 0cm"><BR> 1998 </P> 1999 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Enter 2000 PEM pass phrase:</FONT></P> 2001 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Verifying 2002 - Enter PEM pass phrase:</FONT></P> 2003 <P STYLE="margin-bottom: 0cm"><BR> 2004 </P> 2005 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">creating 2006 CA config package...done.</FONT></P> 2007 <P STYLE="margin-bottom: 0cm"><BR> 2008 </P> 2009 <P STYLE="margin-bottom: 0cm"><BR> 2010 </P> 2011 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">A 2012 self-signed certificate has been generated</FONT></P> 2013 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">for 2014 the Certificate Authority with the subject:</FONT></P> 2015 <P STYLE="margin-bottom: 0cm"><BR> 2016 </P> 2017 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">/O=NDG/OU=Gabriel/OU=BADC/CN=CA</FONT></P> 2018 <P STYLE="margin-bottom: 0cm"><BR> 2019 </P> 2020 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">If 2021 this is invalid, rerun this script</FONT></P> 2022 <P STYLE="margin-bottom: 0cm"><BR> 2023 </P> 2024 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">/usr/local/gt4.0.5/setup/globus/setup-simple-ca</FONT></P> 2025 <P STYLE="margin-bottom: 0cm"><BR> 2026 </P> 2027 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">and 2028 enter 
the appropriate fields.</FONT></P> 2029 <P STYLE="margin-bottom: 0cm"><BR> 2030 </P> 2031 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">-------------------------------------------------------------------</FONT></P> 2032 <P STYLE="margin-bottom: 0cm"><BR> 2033 </P> 2034 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">The 2035 private key of the CA is stored in 2036 /root/.globus/simpleCA//private/cakey.pem</FONT></P> 2037 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">The 2038 public CA certificate is stored in 2039 /root/.globus/simpleCA//cacert.pem</FONT></P> 2040 <P STYLE="margin-bottom: 0cm"><BR> 2041 </P> 2042 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">The 2043 distribution package built for this CA is stored in</FONT></P> 2044 <P STYLE="margin-bottom: 0cm"><BR> 2045 </P> 2046 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">/root/.globus/simpleCA//globus_simple_ca_2cba3376_setup-0.19.tar.gz</FONT></P> 2047 <P STYLE="margin-bottom: 0cm"><BR> 2048 </P> 2049 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">This 2050 file must be distributed to any host wishing to request</FONT></P> 2051 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">certificates 2052 from this CA.</FONT></P> 2053 <P STYLE="margin-bottom: 0cm"><BR> 2054 </P> 2055 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">CA 2056 setup complete.</FONT></P> 2057 <P STYLE="margin-bottom: 0cm"><BR> 2058 </P> 2059 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">The 2060 following commands will now be run to setup the security</FONT></P> 2061 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">configuration 2062 files for this 
CA:</FONT></P> 2063 <P STYLE="margin-bottom: 0cm"><BR> 2064 </P> 2065 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$GLOBUS_LOCATION/sbin/gpt-build 2066 /root/.globus/simpleCA//globus_simple_ca_2cba3376_setup-0.19.tar.gz</FONT></P> 2067 <P STYLE="margin-bottom: 0cm"><BR> 2068 </P> 2069 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$GLOBUS_LOCATION/sbin/gpt-postinstall</FONT></P> 2070 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">-------------------------------------------------------------------</FONT></P> 2071 <P STYLE="margin-bottom: 0cm"><BR> 2072 </P> 2073 <P STYLE="margin-bottom: 0cm"><BR> 2074 </P> 2075 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">setup-ssl-utils: 2076 Configuring ssl-utils package</FONT></P> 2077 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Running 2078 setup-ssl-utils-sh-scripts...</FONT></P> 2079 <P STYLE="margin-bottom: 0cm"><BR> 2080 </P> 2081 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">***************************************************************************</FONT></P> 2082 <P STYLE="margin-bottom: 0cm"><BR> 2083 </P> 2084 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Note: 2085 To complete setup of the GSI software you need to run the</FONT></P> 2086 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">following 2087 script as root to configure your security configuration</FONT></P> 2088 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">directory:</FONT></P> 2089 <P STYLE="margin-bottom: 0cm"><BR> 2090 </P> 2091 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">/usr/local/gt4.0.5/setup/globus_simple_ca_2cba3376_setup/setup-gsi</FONT></P> 2092 
<P STYLE="margin-bottom: 0cm"><BR> 2093 </P> 2094 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">For 2095 further information on using the setup-gsi script, use the -help</FONT></P> 2096 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">option. 2097 The -default option sets this security configuration to be</FONT></P> 2098 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">the 2099 default, and -nonroot can be used on systems where root access is</FONT></P> 2100 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">not 2101 available.</FONT></P> 2102 <P STYLE="margin-bottom: 0cm"><BR> 2103 </P> 2104 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">***************************************************************************</FONT></P> 2105 <P STYLE="margin-bottom: 0cm"><BR> 2106 </P> 2107 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">setup-ssl-utils: 2108 Complete</FONT></P> 2109 <P STYLE="margin-bottom: 0cm"><BR> 2110 </P> 2111 <P><BR> 2112 </P> 2113 </TD> 2114 </TR> 2115 </TABLE> 2116 <P CLASS="western" ALIGN=LEFT><BR><BR> 2117 </P> 2118 <P CLASS="western" ALIGN=LEFT>The number in the file names â 2119 2cba3376â is a unique h<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ash</SPAN></FONT> 2120 identifier for the CA. It will be different for for your 2121 installation when you run the setup. 
To complete the set-up run the 2122 setup-gsi script:</P> 2123 <TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 2124 <COL WIDTH=596> 2125 <TR> 2126 <TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6"> 2127 <P STYLE="margin-bottom: 0cm"><BR> 2128 </P> 2129 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 2130 $GLOBUS_LOCATION/setup/globus_simple_ca_2cba3376_setup/setup-gsi </FONT> 2131 </P> 2132 <P>â<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">default 2133 </FONT> 2134 </P> 2135 </TD> 2136 </TR> 2137 </TABLE> 2138 <P STYLE="margin-bottom: 0cm"><BR> 2139 </P> 2140 <H3 CLASS="western"><A NAME="4.7.5. Host Certificate Creation|outline"></A> 2141 4.7.5 Host Certificate Creation</H3> 2142 <P CLASS="western">As root user to carry out these steps. First 2143 check the path to the command <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">grid-cert-request</SPAN></FONT>:</P> 1849 2144 <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR> 1850 2145 </P> 1851 <TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 1852 <COL WIDTH=610> 1853 <TR> 1854 <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0"> 1855 <P STYLE="margin-bottom: 0cm"><BR> 1856 </P> 1857 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">[ 1858 req_distinguished_name ]</FONT></P> 1859 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"># 1860 BEGIN CONFIG</FONT></P> 1861 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">0.organizationName 1862 = Level 0 Organization</FONT></P> 1863 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">0.organizationName_default 1864 = NDG</FONT></P> 1865 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">0.organizationalUnitName 1866 = Level 0 Organizational Unit</FONT></P> 
1867 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">0.organizationalUnitName_default 1868 = BADC</FONT></P> 1869 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">commonName 1870 = Name (e.g., John M. Smith)</FONT></P> 1871 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">commonName_max 1872 = 64</FONT></P> 1873 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"># 1874 END CONFIG</FONT></P> 1875 <P><BR> 1876 </P> 1877 </TD> 1878 </TR> 1879 </TABLE> 1880 <P CLASS="western" ALIGN=LEFT><BR><BR> 1881 </P> 1882 <P CLASS="western" ALIGN=LEFT>Under the same directory, edit the file 1883 <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">globus-user-ssl.conf</SPAN></FONT> 1884 and carry out the same modification as above but also comment out the 1885 two lines below <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">1.organizationalUnitName</SPAN></FONT> 1886 and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">1.organizationalUnitName_default</SPAN></FONT>:</P> 1887 <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR> 1888 </P> 1889 <TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 1890 <COL WIDTH=610> 1891 <TR> 1892 <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0"> 1893 <P STYLE="margin-bottom: 0cm"><BR> 1894 </P> 1895 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">[ 1896 req_distinguished_name ]</FONT></P> 1897 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"># 1898 BEGIN CONFIG</FONT></P> 1899 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">0.organizationName 1900 = Level 0 Organization</FONT></P> 1901 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, 
monospace">0.organizationName_default 1902 = NDG</FONT></P> 1903 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">0.organizationalUnitName 1904 = Level 0 Organizational Unit</FONT></P> 1905 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">0.organizationalUnitName_default 1906 = BADC</FONT></P> 1907 <P STYLE="margin-bottom: 0cm"><BR> 1908 </P> 1909 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#1.organizationalUnitName 1910 = Level 1 Organizational Unit</FONT></P> 1911 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#1.organizationalUnitName_default 1912 = badc.rl.ac.uk</FONT></P> 1913 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">commonName 1914 = Name (e.g., John M. Smith)</FONT></P> 1915 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">commonName_max 1916 = 64</FONT></P> 1917 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"># 1918 END CONFIG</FONT></P> 1919 <P><BR> 1920 </P> 1921 </TD> 1922 </TR> 1923 </TABLE> 1924 <P CLASS="western" ALIGN=LEFT><BR><BR> 1925 </P> 1926 <P CLASS="western" ALIGN=LEFT>Edit 1927 <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$GLOBUS_LOCATION/share/certificates/<CA 1928 Hash>.signing_policy</SPAN></FONT> and change the setting of <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">OU</FONT> 1929 in the line:</P> 1930 <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR> 1931 </P> 1932 <TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 1933 <COL WIDTH=610> 1934 <TR> 1935 <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0"> 1936 <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR> 1937 </P> 1938 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">cond_subjects 1939 
globus '"/O=NDG/OU=BADC/*"'</FONT></P> 1940 <P CLASS="western" ALIGN=LEFT><BR> 1941 </P> 1942 </TD> 1943 </TR> 1944 </TABLE> 1945 <P CLASS="western" ALIGN=LEFT><BR><BR> 1946 </P> 1947 <P CLASS="western" ALIGN=LEFT>Replacing âBADCâ with the name of 1948 the Organisational Unit for your organisation. This should be the 1949 same as <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">0.organizationalUnitName_default</SPAN></FONT> 1950 set above for <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">globus-host-ssl.conf</FONT> 1951 and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">globus-user-ssl.conf</FONT>.</P> 1952 <P CLASS="western" ALIGN=LEFT>Having completed these steps, a host 1953 certificate for the target machine can be made in order to identify 1954 it.</P> 1955 <H3 CLASS="western"><A NAME="4.6.5.Host Certificate Creation|outline"></A> 1956 4.6.5Host Certificate Creation</H3> 1957 <P CLASS="western" ALIGN=LEFT>Login as <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">globus</SPAN></FONT> 1958 user to carry out these steps. <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">ndgSetup.sh 1959 </FONT>should configure the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">PATH</FONT> 1960 variable to have included the Globus executable directories 1961 <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$GLOBUS_LOCATION/bin</FONT> 1962 and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$GLOBUS_LOCATION/sbin</FONT>. 
1963 Check the path to the command <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">grid-cert-request</SPAN></FONT>:</P> 1964 <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR> 1965 </P> 1966 <TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 1967 <COL WIDTH=610> 1968 <TR> 1969 <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0"> 2146 <TABLE WIDTH=609 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 2147 <COL WIDTH=593> 2148 <TR> 2149 <TD WIDTH=593 VALIGN=TOP BGCOLOR="#e0e0e0"> 1970 2150 <P STYLE="margin-bottom: 0cm"><BR> 1971 2151 </P> … … 1978 2158 </TABLE> 1979 2159 <P CLASS="western" ALIGN=JUSTIFY><BR>Should return something like: 1980 <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">/usr/local/NDG/globus-4.0.1/bin/grid-cert-request</FONT></P> 2160 <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">/usr/local/globus-4.0.5/bin/grid-cert-request</FONT></P> 2161 <P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">If 2162 not check the settings as made earlier for the SimpleCA:</FONT></P> 2163 <P CLASS="western" ALIGN=JUSTIFY><BR><BR> 2164 </P> 2165 <TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 2166 <COL WIDTH=596> 2167 <TR> 2168 <TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6"> 2169 <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><BR> 2170 </P> 2171 <P LANG="fr-FR"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 2172 export GLOBUS_LOCATION=/usr/local/globus-4.0.5<BR>$ export 2173 GPT_LOCATION=$GLOBUS_LOCATION<BR>$ . 
2174 $GLOBUS_LOCATION/etc/globus-user-env.sh</FONT></P> 2175 </TD> 2176 </TR> 2177 </TABLE> 2178 <P><BR><BR> 2179 </P> 1981 2180 <P CLASS="western" ALIGN=JUSTIFY>To generate a host certificate 1982 request, change to the certificates directory:</P> 1983 <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR> 1984 </P> 1985 <TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 1986 <COL WIDTH=610> 1987 <TR> 1988 <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0"> 2181 request:</P> 2182 <TABLE WIDTH=608 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 2183 <COL WIDTH=592> 2184 <TR> 2185 <TD WIDTH=592 VALIGN=TOP BGCOLOR="#e0e0e0"> 1989 2186 <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR> 1990 2187 </P> 1991 2188 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 1992 cd $GLOBUS_LOCATION/etc</FONT></P> 1993 <P CLASS="western" ALIGN=LEFT><BR> 1994 </P> 1995 </TD> 1996 </TR> 1997 </TABLE> 1998 <P CLASS="western" ALIGN=JUSTIFY><BR>Nb. 
If you installed MyProxy as 1999 <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">root</SPAN></FONT>, 2000 as root user change to <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/etc/grid-security</SPAN></FONT> 2001 where the certificates should be held.</P> 2002 <TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 2003 <COL WIDTH=610> 2004 <TR> 2005 <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0"> 2006 <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR> 2007 </P> 2008 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 2009 grid-cert-request âhost <machine hostname> -dir .</FONT></P> 2189 grid-cert-request âhost <fully qualified hostname> </FONT> 2190 </P> 2010 2191 <P CLASS="western" ALIGN=LEFT><BR> 2011 2192 </P> … … 2017 2198 <P CLASS="western" ALIGN=LEFT>This creates the files <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">hostcert.pem</FONT>, 2018 2199 <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">hostkey.pem</FONT> 2019 and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">hostcert_request.pem </FONT>.2020 <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">hostcert.pem</FONT>2200 and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">hostcert_request.pem 2201 in /etc/grid-security directory</FONT>. <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">hostcert.pem</FONT> 2021 2202 is empty. 2022 2203 </P> 2023 2204 <P CLASS="western" ALIGN=JUSTIFY>In order to obtain the certificate 2024 it must be signed by the NDG CA. Contact the NDG CA forwarding 2025 <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">hostcert_request.pem</FONT>. 2026 The CA will issue a <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">hostcert.pem</FONT> 2027 file. Copy this file into this directory i.e. <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$GLOBUS_LOCATION/etc</FONT>. 
2028 <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">hostcert_request.pem 2029 </FONT>is no longer needed and may be deleted if desired.</P> 2030 <H3 CLASS="western"><A NAME="4.6.6.MyProxy Configuration File|outline"></A> 2031 4.6.6MyProxy Configuration File</H3> 2205 it must be signed by the CA: 2206 </P> 2207 <TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 2208 <COL WIDTH=596> 2209 <TR> 2210 <TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6"> 2211 <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><BR> 2212 </P> 2213 <P LANG="fr-FR"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 2214 grid-ca-sign -in /<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">etc/grid-security/hostcert_request.pem 2215 -out /etc/grid-security/hostcert.pem </FONT></FONT> 2216 </P> 2217 </TD> 2218 </TR> 2219 </TABLE> 2220 <P CLASS="western" ALIGN=JUSTIFY><BR><BR> 2221 </P> 2222 <P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">hostcert_request.pem 2223 </FONT>is no longer needed and can be deleted.</P> 2224 <H3 CLASS="western"><A NAME="4.7.6. 
MyProxy Configuration File|outline"></A> 2225 4.7.6 MyProxy Configuration File</H3> 2032 2226 <P CLASS="western" ALIGN=JUSTIFY>A MyProxy configuration file is 2033 2227 normally kept in the Globus installation under the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">etc</SPAN></FONT> … … 2050 2244 <P CLASS="western" ALIGN=JUSTIFY><BR><BR> 2051 2245 </P> 2052 <P CLASS="western" ALIGN=JUSTIFY>As the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">globus</FONT> 2053 user edit <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$GLOBUS_LOCATION/etc/myproxy-server.config</FONT></P> 2054 <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm">Modify the 2055 entries under the section <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Complete 2246 <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm">Edit 2247 <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$GLOBUS_LOCATION/etc/myproxy-server.config 2248 m</FONT>odifying the entries under the section <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Complete 2056 2249 Sample Policy</SPAN></FONT> so that they are all uncommented (remove 2057 2250 leading <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB"># … … 2074 2267 myproxy-server features. 
See below for more examples.</FONT></P> 2075 2268 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">accepted_credentials 2076 "*"</FONT></P>2269 "*"</FONT></P> 2077 2270 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">authorized_retrievers 2078 "*"</FONT></P>2271 "*"</FONT></P> 2079 2272 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">default_retrievers 2080 "*"</FONT></P>2273 "*"</FONT></P> 2081 2274 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">authorized_renewers 2082 "*"</FONT></P>2275 "*"</FONT></P> 2083 2276 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">default_renewers 2084 "none"</FONT></P>2277 "none"</FONT></P> 2085 2278 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">authorized_key_retrievers 2086 2279 "*"</FONT></P> 2087 2280 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">default_key_retrievers 2088 "none"</FONT></P> 2281 "none"</FONT></P> 2282 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">trusted_retrievers 2283 â*â</FONT></P> 2284 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">default_trusted_retrievers 2285 ânoneâ</FONT></P> 2089 2286 <P><BR> 2090 2287 </P> … … 2096 2293 <P CLASS="western" ALIGN=LEFT>Note that the wildcards for these 2097 2294 fields may be modified such that only Distinguished Names of a given 2098 format may be accepted e.g. 
<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">"/O=NDG/OU=BADC/*"</SPAN></FONT></P> 2099 <H3 CLASS="western"><A NAME="4.6.7.Repository Directory|outline"></A>4.6.7Repository 2100 Directory</H3> 2101 <P CLASS="western" ALIGN=LEFT>A directory needs to be specified on 2102 the file system to store the user credentials generated by MyProxy. 2103 This should be owned by the account that runs <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy-server</SPAN></FONT>. 2104 In the examples given this would be the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB"><FONT SIZE=2 STYLE="font-size: 9pt">globus</FONT></SPAN></FONT> 2105 user and the expected location, <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$GLOBUS_LOCATION/var</SPAN></FONT>. 2106 See section 2.3.2 <I>MyProxy user account and repository location</I>.</P> 2107 <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm">Login as the 2108 <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">globus</SPAN></FONT> 2109 user and change directory to the location for the repository:</P> 2110 <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR> 2111 </P> 2112 <TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 2113 <COL WIDTH=610> 2114 <TR> 2115 <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0"> 2116 <P STYLE="margin-bottom: 0cm"><BR> 2117 </P> 2118 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 2119 cd $GLOBUS_LOCATION/var</FONT></P> 2120 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 2121 mkdir myproxy</FONT></P> 2122 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 2123 chmod 700 myproxy</FONT></P> 2124 <P><BR> 2125 </P> 2126 </TD> 2127 </TR> 2128 </TABLE> 2129 <P CLASS="western" ALIGN=JUSTIFY><BR><BR> 2130 </P> 2295 format are 
accepted e.g. <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">"/O=NDG/OU=BADC/*"</SPAN></FONT></P> 2131 2296 <P CLASS="western" ALIGN=JUSTIFY>The <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">chmod 2132 2297 </SPAN></FONT>command ensures that only the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">globus</SPAN></FONT> 2133 2298 user has read/write access for the directory. Note also that the 2134 2299 directory need not be called <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy</SPAN></FONT>.</P> 2135 <H3 CLASS="western"><A NAME="4.6.8.Adding MyProxy Server to the system start up|outline"></A> 2136 4.6.8Adding MyProxy Server to the system start up</H3> 2300 <H3 CLASS="western"><A NAME="4.7.7. MyProxy SimpleCA Configuration|outline"></A> 2301 4.7.7 MyProxy SimpleCA Configuration</H3> 2302 <P CLASS="western" ALIGN=LEFT>NDG Security uses MyProxy to 2303 dynamically generate user certificates on user login. For this, 2304 MyProxy requires configuration details from the SimpleCA. Make these 2305 settings in $GLOBUS_LOCATION/etc/myproxy-server.config (Note that the 2306 sensitivity of this information and the need to secure this file 2307 carefully!)</P> 2308 <OL> 2309 <LI><P CLASS="western" ALIGN=JUSTIFY>enable any retriever â 2310 retrieval is based on the retrievers login credentials:</P> 2311 <TABLE WIDTH=593 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 2312 <COL WIDTH=577> 2313 <TR> 2314 <TD WIDTH=577 VALIGN=TOP BGCOLOR="#e0e0e0"> 2315 <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR> 2316 </P> 2317 <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">authorized_retrievers 2318 "*"</FONT></P> 2319 </TD> 2320 </TR> 2321 </TABLE> 2322 <P CLASS="western" ALIGN=JUSTIFY></P> 2323 <LI><P CLASS="western" ALIGN=LEFT>Set the path to the CA 2324 certificate. 
In this example the CA is installed in the root user's 2325 home directory:</P> 2326 </OL> 2327 <DL> 2328 <DD> 2329 <TABLE WIDTH=593 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 2330 <COL WIDTH=577> 2331 <TR> 2332 <TD WIDTH=577 VALIGN=TOP BGCOLOR="#e0e0e0"> 2333 <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR> 2334 </P> 2335 <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">certificate_issuer_cert 2336 /root/.globus/simpleCA/cacert.pem</FONT></P> 2337 </TD> 2338 </TR> 2339 </TABLE> 2340 </DL> 2341 <P CLASS="western" ALIGN=JUSTIFY><BR><BR> 2342 </P> 2343 <OL START=3> 2344 <LI><P CLASS="western" ALIGN=LEFT>Set the path to the CA private 2345 key: 2346 </P> 2347 <TABLE WIDTH=593 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 2348 <COL WIDTH=577> 2349 <TR> 2350 <TD WIDTH=577 VALIGN=TOP BGCOLOR="#e0e0e0"> 2351 <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR> 2352 </P> 2353 <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">certificate_issuer_key 2354 /root/.globus/simpleCA/private/cakey.pem</FONT></P> 2355 </TD> 2356 </TR> 2357 </TABLE> 2358 <P CLASS="western" ALIGN=JUSTIFY></P> 2359 <LI><P CLASS="western" ALIGN=LEFT>Provide the password to the CA's 2360 private key. 
(This was set when you created the SimpleCA with 2361 $GLOBUS_LOCATION/setup/globus/setup-simple-ca):</P> 2362 <TABLE WIDTH=593 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 2363 <COL WIDTH=577> 2364 <TR> 2365 <TD WIDTH=577 VALIGN=TOP BGCOLOR="#e0e0e0"> 2366 <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR> 2367 </P> 2368 <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">certificate_issuer_key_passphrase 2369 "password"</FONT></P> 2370 </TD> 2371 </TR> 2372 </TABLE> 2373 <P CLASS="western" ALIGN=JUSTIFY></P> 2374 <LI><P CLASS="western" ALIGN=JUSTIFY>Set the path to the certificate 2375 serial file</P> 2376 <TABLE WIDTH=593 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 2377 <COL WIDTH=577> 2378 <TR> 2379 <TD WIDTH=577 VALIGN=TOP BGCOLOR="#e0e0e0"> 2380 <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><BR>certificate_serialfile 2381 /root/.globus/simpleCA/serial </FONT> 2382 </P> 2383 </TD> 2384 </TR> 2385 </TABLE> 2386 <P CLASS="western" ALIGN=JUSTIFY></P> 2387 <LI><P CLASS="western" ALIGN=JUSTIFY>Configure how MyProxy maps 2388 usernames to Distinguished Names in generated certificates. This can 2389 be done either with a grid mapfile or a script. A script is more 2390 flexible as you can use a wildcard match rather requiring a map 2391 entry for every single user. 
An example script is:</P> 2392 <TABLE WIDTH=593 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 2393 <COL WIDTH=577> 2394 <TR> 2395 <TD WIDTH=577 VALIGN=TOP BGCOLOR="#e0e0e0"> 2396 <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR> 2397 </P> 2398 <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#!/bin/sh<BR>username=$1<BR>if 2399 [ X"$username" = X ]; then<BR> # no username given<BR> 2400 exit 1<BR>fi<BR>echo 2401 "/O=NDG/OU=Gabriel/OU=BADC/CN=${username}"</FONT></P> 2402 <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">exit 2403 0</FONT></P> 2404 </TD> 2405 </TR> 2406 </TABLE> 2407 <P CLASS="western" ALIGN=LEFT><BR>In the example above, if a user 2408 logs in as pjkershaw, they will be issued with a certificate with 2409 the Distinguished Name /O=NDG/OU=Gabriel/OU=BADC/CN=pjkershaw. Copy 2410 the file above file into $GLOBUS_LOCATION/sbin/mapper.sh replacing 2411 â/O=NDG/OU=Gabriel/OU=BADC/CN=â with the form of the 2412 Distinguished Name that you require for users for your site. 
Ensure 2413 that the file has execute permissions set e.g.<BR><BR><BR> 2414 </P> 2415 <TABLE WIDTH=593 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 2416 <COL WIDTH=577> 2417 <TR> 2418 <TD WIDTH=577 VALIGN=TOP BGCOLOR="#e0e0e0"> 2419 <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR> 2420 </P> 2421 <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 2422 chmod 700 $GLOBUS_LOCATION/sbin/mapper.sh</FONT></P> 2423 <P CLASS="western" ALIGN=LEFT><BR> 2424 </P> 2425 </TD> 2426 </TR> 2427 </TABLE> 2428 <P CLASS="western" ALIGN=LEFT><BR>Refer to the script in 2429 $GLOBUS_LOCATION/etc/myproxy-server.config with this setting:</P> 2430 <TABLE WIDTH=593 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 2431 <COL WIDTH=577> 2432 <TR> 2433 <TD WIDTH=577 VALIGN=TOP BGCOLOR="#e0e0e0"> 2434 <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><BR>certificate_mapapp 2435 /usr/local/globus-4.0.5/sbin/mapper.sh</FONT></P> 2436 </TD> 2437 </TR> 2438 </TABLE> 2439 <P CLASS="western" ALIGN=LEFT></P> 2440 </OL> 2441 <H3 CLASS="western"><A NAME="4.7.8. MyProxy PAM Configuration|outline"></A> 2442 4.7.8 MyProxy PAM Configuration</H3> 2443 <P CLASS="western" ALIGN=JUSTIFY>Reference: 2444 <A HREF="http://grid.ncsa.uiuc.edu/myproxy/pam.html">http://grid.ncsa.uiuc.edu/myproxy/pam.html</A></P> 2445 <P CLASS="western" ALIGN=JUSTIFY>NDG Security makes use of MyProxy 2446 with PAM to enable MyProxy logon requests to be authenticated against 2447 a site's existing security infrastructure, for example a user 2448 database or LDAP repository. Linux systems have PAMs for login, ssh 2449 and other services. PAMs can be obtained for the major database 2450 varieties such as MySQL, Postgres and Oracle.</P> 2451 <P CLASS="western">To configure MyProxy for PAM, settings are made 2452 via myproxy-server.config to two different fields:</P> 2453 <UL> 2454 <LI><P CLASS="western">pam: may be set to disabled, ârequiredâ 2455 or âsufficientâ. Set to ârequiredâ. 
With this setting, 2456 all MyProxy logon requests will be authenticated via PAM. The 2457 âsufficientâ setting may be useful in some circumstances. It 2458 enables authentication via PAM and via credentials held in the 2459 MyProxy repository.</P> 2460 <LI><P CLASS="western">pam_id: name that MyProxy uses to identify 2461 itself to PAM. This can correspond either to a file of the same 2462 name in /etc/pam.d or entries prefixed with that name in 2463 /etc/pam.conf. This setting determines the PAM used by MyProxy to 2464 authenticate. 2465 </P> 2466 </UL> 2467 <P CLASS="western">The most straightforward way to set-up MyProxy 2468 with PAM is to try one of the existing PAMs such as login. If the 2469 pam_id is set to login, a myproxy-logon request will link to that 2470 user's Linux login.</P> 2471 <P CLASS="western">Appendices are provided at the end of this 2472 document for some of the more common configurations.</P> 2473 <H3 CLASS="western"><A NAME="4.7.9. Testing MyProxy|outline"></A>4.7.9 2474 Testing MyProxy</H3> 2475 <P CLASS="western" ALIGN=JUSTIFY>A simple way to test the MyProxy 2476 configuration to run the myproxy-logon client command. For initial 2477 testing set the pam_id in $GLOBUS_LOCATION/etc/myproxy-server.config 2478 to âlogonâ so that it uses the Linux user accounts for 2479 authentication.</P> 2480 <P CLASS="western" ALIGN=JUSTIFY>Client error messages can be 2481 difficult to interpret but a -v verbose option is provided to give 2482 more information. In addition, MyProxy server can be run in debug 2483 mode using the -d command line switch. MyProxy should be run under 2484 the user account in which it was installed - root. Ensure that the 2485 environment is set correctly i.e. 
GLOBUS_LOCATION variable set and 2486 $GLOBUS_LOCATION/etc/globus-user-env.sh has been sourced<SPAN LANG="pt-PT"><FONT SIZE=2>:</FONT></SPAN></P> 2487 <TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 2488 <COL WIDTH=602> 2489 <TR> 2490 <TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0"> 2491 <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><BR> 2492 </P> 2493 <P LANG="fr-FR"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 2494 export GLOBUS_LOCATION=/usr/local/globus-4.0.5<BR>$ export 2495 GPT_LOCATION=$GLOBUS_LOCATION<BR>$ . 2496 $GLOBUS_LOCATION/etc/globus-user-env.sh</FONT></P> 2497 </TD> 2498 </TR> 2499 </TABLE> 2500 <P CLASS="western" ALIGN=JUSTIFY><BR><BR> 2501 </P> 2502 <P CLASS="western" ALIGN=JUSTIFY>If you already have MyProxy running 2503 via xinetd or as a process started from a SysV init script, it is 2504 possible to run a separate MyProxy server process on a different port 2505 with the -p flag.</P> 2506 <TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 2507 <COL WIDTH=602> 2508 <TR> 2509 <TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0"> 2510 <P STYLE="margin-bottom: 0cm"><BR> 2511 </P> 2512 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 2513 <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy-server 2514 -d -v -p 60000</SPAN></FONT></FONT></P> 2515 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy-server 2516 v3.7 12 Dec 2006 PAM starting at Fri Dec 21 12:45:59 2007</SPAN></FONT></FONT></P> 2517 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">reading 2518 configuration file 2519 /usr/local/globus-4.0.5/etc/myproxy-server.config</SPAN></FONT></FONT></P> 2520 <P STYLE="margin-bottom: 0cm"><FONT 
FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">CA 2521 enabled</SPAN></FONT></FONT></P> 2522 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">using 2523 storage directory /var/myproxy</SPAN></FONT></FONT></P> 2524 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Starting 2525 myproxy-server on localhost: 60000...</SPAN></FONT></FONT></P> 2526 <P><BR> 2527 </P> 2528 </TD> 2529 </TR> 2530 </TABLE> 2531 <P CLASS="western" ALIGN=LEFT><BR><BR> 2532 </P> 2533 <P CLASS="western" ALIGN=LEFT>Note that in debug mode, myproxy-server 2534 will exit after the first request made to it.</P> 2535 <P CLASS="western" ALIGN=LEFT>Run myproxy-logon in a separate window 2536 under a user account for which you know the Linux password. 
Provide 2537 the port number if myproxy-server was started on a different port to 2538 the default and give the full name of the server as set in the host 2539 certificate (/etc/grid-security/hostcert.pem)</P> 2540 <TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 2541 <COL WIDTH=602> 2542 <TR> 2543 <TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0"> 2544 <P STYLE="margin-bottom: 0cm"><BR> 2545 </P> 2546 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 2547 <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy-logon 2548 -v -s <fully qualified server hostname> -p 60000</SPAN></FONT></FONT></P> 2549 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">MyProxy 2550 v3.7 12 Dec 2006 PAM</SPAN></FONT></FONT></P> 2551 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Attempting 2552 to connect to 127.0.0.1:60000</SPAN></FONT></FONT></P> 2553 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Enter 2554 MyProxy pass phrase:</SPAN></FONT></FONT></P> 2555 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">using 2556 trusted certificates directory /etc/grid-security/certificates</SPAN></FONT></FONT></P> 2557 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">no 2558 valid credentials found -- performing anonymous authentication</SPAN></FONT></FONT></P> 2559 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, 
monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">server 2560 name: /O=NDG/OU=Gabriel/OU=BADC/CN=gabriel<></SPAN></FONT></FONT></P> 2561 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">checking 2562 that server name is acceptable...</SPAN></FONT></FONT></P> 2563 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">server 2564 name does not match "myproxy@gabriel<>"</SPAN></FONT></FONT></P> 2565 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">server 2566 name matches "host@gabriel<>"</SPAN></FONT></FONT></P> 2567 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">authenticated 2568 server name is acceptable</SPAN></FONT></FONT></P> 2569 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">A 2570 credential has been received for user pjkershaw in 2571 /tmp/x509up_u1000.</SPAN></FONT></FONT></P> 2572 <P><BR> 2573 </P> 2574 </TD> 2575 </TR> 2576 </TABLE> 2577 <P CLASS="western" ALIGN=LEFT><BR><BR> 2578 </P> 2579 <P CLASS="western" ALIGN=LEFT>The equivalent output from the server 2580 will be something like:</P> 2581 <TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 2582 <COL WIDTH=602> 2583 <TR> 2584 <TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0"> 2585 <P STYLE="margin-bottom: 0cm"><BR> 2586 </P> 2587 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN 
LANG="en-GB">Connection 2588 from 127.0.0.1</SPAN></FONT></FONT></P> 2589 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">using 2590 trusted certificates directory /etc/grid-security/certificates</SPAN></FONT></FONT></P> 2591 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Authenticated 2592 client <anonymous></SPAN></FONT></FONT></P> 2593 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">applying 2594 trusted_retrievers policy</SPAN></FONT></FONT></P> 2595 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">applying 2596 authorized_retrievers policy</SPAN></FONT></FONT></P> 2597 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">applying 2598 authorized_renewers policy</SPAN></FONT></FONT></P> 2599 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">user_dn_lookup()</SPAN></FONT></FONT></P> 2600 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">resolve_via_mapapp(/usr/local/globus-4.0.5/sbin/mapper.sh, 2601 pjkershaw)</SPAN></FONT></FONT></P> 2602 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Checking 2603 passphrase via PAM. 
PAM policy: "sufficient"; PAM ID: 2604 "logon"</SPAN></FONT></FONT></P> 2605 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">PAM 2606 authentication succeeded for pjkershaw</SPAN></FONT></FONT></P> 2607 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Received 2608 GET request from <anonymous></SPAN></FONT></FONT></P> 2609 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Sending 2610 OK response to client <anonymous></SPAN></FONT></FONT></P> 2611 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">using 2612 CA callout</SPAN></FONT></FONT></P> 2613 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Calling 2614 CA Extensions</SPAN></FONT></FONT></P> 2615 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">handle_certificate()</SPAN></FONT></FONT></P> 2616 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Cert 2617 request loaded.</SPAN></FONT></FONT></P> 2618 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Got 2619 a cert request for user "pjkershaw", with pubkey hash 2620 "282944311", and lifetime "43200"</SPAN></FONT></FONT></P> 2621 <P STYLE="margin-bottom: 0cm"><FONT 
FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Using 2622 internal openssl/generate_certificate() code</SPAN></FONT></FONT></P> 2623 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Generating 2624 certificate internally.</SPAN></FONT></FONT></P> 2625 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">user_dn_lookup()</SPAN></FONT></FONT></P> 2626 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">using 2627 cached value</SPAN></FONT></FONT></P> 2628 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">tokenizing: 2629 /O=NDG/OU=BADC/OU=Gabriel/CN=pjkershaw</SPAN></FONT></FONT></P> 2630 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">adding: 2631 O = NDG</SPAN></FONT></FONT></P> 2632 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">adding: 2633 OU = BADC</SPAN></FONT></FONT></P> 2634 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">adding: 2635 OU = Gabriel</SPAN></FONT></FONT></P> 2636 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">adding: 2637 CN = pjkershaw</SPAN></FONT></FONT></P> 2638 <P 
STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Assigning 2639 serial number</SPAN></FONT></FONT></P> 2640 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Loaded 2641 serial number F6 from /root/.globus/simpleCA/serial</SPAN></FONT></FONT></P> 2642 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">serial 2643 number assigned</SPAN></FONT></FONT></P> 2644 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">cert 2645 lifetime: 43200</SPAN></FONT></FONT></P> 2646 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">CAkey: 2647 /root/.globus/simpleCA/private/cakey.pem</SPAN></FONT></FONT></P> 2648 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Signing 2649 internally generated certificate.</SPAN></FONT></FONT></P> 2650 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Issued 2651 certificate for user "pjkershaw", with DN 2652 "/O=NDG/OU=BADC/OU=Gabriel/CN=pjkershaw", lifetime 2653 "43200", and serial number "246"</SPAN></FONT></FONT></P> 2654 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Sending 2655 OK response to client <anonymous></SPAN></FONT></FONT></P> 2656 <P 
STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Client 2657 <anonymous> disconnected</SPAN></FONT></FONT></P> 2658 <P><BR> 2659 </P> 2660 </TD> 2661 </TR> 2662 </TABLE> 2663 <P CLASS="western" ALIGN=LEFT><BR><BR> 2664 </P> 2665 <P CLASS="western" ALIGN=LEFT>The certificate and private key are 2666 written to file in /tmp by myproxy-logon. This takes the form 2667 x509up_<uid>. It's possible to check the certificate 2668 generated using openssl e.g.:</P> 2669 <TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 2670 <COL WIDTH=602> 2671 <TR> 2672 <TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0"> 2673 <P STYLE="margin-bottom: 0cm"><BR> 2674 </P> 2675 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$ 2676 openssl -in /tmp/x509up_1001 -text</SPAN></FONT></FONT></P> 2677 <P><BR> 2678 </P> 2679 </TD> 2680 </TR> 2681 </TABLE> 2682 <P CLASS="western" ALIGN=LEFT><BR>The output includes details 2683 including the certificate's DN, issuer and expiry time. If you wish 2684 to run the test again delete or move this file as myproxy-logon will 2685 try to use it to authenticate to the MyProxy server.</P> 2686 <P CLASS="western" ALIGN=LEFT>If you encounter problems check the 2687 output from the client and server. commands. The system logs may 2688 contain useful additional information from the PAM used.</P> 2689 <P CLASS="western" ALIGN=LEFT>The Python MyProxy client unit tests 2690 can be used to test the server from a separate client machine where 2691 Python NDG services are installed but not MyProxy itself. The 2692 MyProxy unit tests are in the package ndg.security.test.myProxy.</P> 2693 <H3 CLASS="western"><A NAME="4.7.10. 
Adding MyProxy Server to the system start up|outline"></A> 2694 4.7.10 Adding MyProxy Server to the system start up</H3> 2137 2695 <P CLASS="western" ALIGN=JUSTIFY>Any of the standard mechanisms may 2138 2696 be used such as adding a SysV style init script or using <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">inetd</SPAN></FONT> … … 2155 2713 <BR> 2156 2714 </P> 2157 <H4 CLASS="western"><A NAME="_Ref143089522"></A>4.6.8.1inetd / xinetd</H4> 2715 <H4 CLASS="western"><A NAME="_Ref143089522"></A>4.7.10.1 inetd / 2716 xinetd</H4> 2158 2717 <P CLASS="western" ALIGN=LEFT>To run the myproxy server using <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">inetd 2159 2718 </SPAN></FONT>or <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">xinetd</SPAN></FONT>, … … 2177 2736 </P> 2178 2737 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">myproxy-server 2179 7512/tcp # My proxy server</FONT></P>2738 7512/tcp # MyProxy server</FONT></P> 2180 2739 <P><BR> 2181 2740 </P> … … 2187 2746 </P> 2188 2747 <UL> 2189 <LI ><P CLASS="western" ALIGN=LEFT>Add the entries from2748 <LI VALUE=1><P CLASS="western" ALIGN=LEFT>Add the entries from 2190 2749 <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$GLOBUS_LOCATION/share/myproxy/etc.inetd.conf.modifications</SPAN></FONT></P> 2191 2750 <UL> … … 2223 2782 = /usr/local/NDG/globus-4.0.1/sbin/myproxy-server</FONT></FONT></P> 2224 2783 <P LANG="pt-PT" STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">env 2225 = GLOBUS_LOCATION=/usr/local/ NDG/globus-4.0.12226 LD_LIBRARY_PATH=/usr/local/ NDG/globus-4.0.1/lib</FONT></FONT></P>2784 = GLOBUS_LOCATION=/usr/local/globus-4.0.5 2785 LD_LIBRARY_PATH=/usr/local/globus-4.0.5/lib</FONT></FONT></P> 2227 2786 <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, 
monospace"><FONT SIZE=2 STYLE="font-size: 9pt">disable 2228 2787 = no</FONT></FONT></P> … … 2237 2796 </P> 2238 2797 <UL> 2239 <LI ><P CLASS="western" ALIGN=LEFT>Note also, the additional setting2240 in this example for <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">only_from</SPAN></FONT>.2798 <LI VALUE=1><P CLASS="western" ALIGN=LEFT>Note also, the additional 2799 setting in this example for <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">only_from</SPAN></FONT>. 2241 2800 This a limit to be placed on which hosts clients can connect from 2242 2801 to the server. In the above, clients can connect from the local 2243 2802 machine (note the fully qualified name including <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">localdomain</SPAN></FONT>) 2244 2803 and from the hosts <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB"><hostAddress1> 2245 </SPAN></FONT>and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB"><hostAddress2></SPAN></FONT>.</P> 2804 </SPAN></FONT>and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB"><hostAddress2></SPAN></FONT>. 2805 Care must be taken with these settings. Client requests will exit 2806 with an SSL error if set incorrectly.</P> 2246 2807 <LI><P CLASS="western" ALIGN=LEFT>Reactivate the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">inetd</SPAN></FONT> 2247 2808 / <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">xinetd</SPAN></FONT>. … … 2253 2814 man page for your system.</P> 2254 2815 </UL> 2255 <H4 CLASS="western">4. 6.8.2SysV-style boot script2816 <H4 CLASS="western">4.7.10.2 SysV-style boot script 2256 2817 </H4> 2257 2818 <P CLASS="western" ALIGN=LEFT>A sample SysV-style boot script for is … … 2283 2844 </SPAN></FONT>environment variable correctly. 
2284 2845 </P> 2285 <P CLASS="western" ALIGN= JUSTIFY><BR><BR>2846 <P CLASS="western" ALIGN=LEFT><BR><BR> 2286 2847 </P> 2287 2848 <H1 CLASS="western"><A NAME="5.Appendices|outline"></A>5.Appendices</H1> 2288 <H2 CLASS="western"><A NAME="_Ref133718491"></A><A NAME="5.1.MySQL Installation|outline"></A> 2289 5.1MySQL Installation</H2> 2290 <P CLASS="western" ALIGN=JUSTIFY>MySQL is required for the Credential 2291 Repository used by the SessionManager to stored user credentials as 2292 cached in their Credential Wallet held in their session.</P> 2849 <H2 CLASS="western"><A NAME="5.1. Postgres PAM for MyProxy|outline"></A> 2850 5.1 Postgres PAM for MyProxy</H2> 2851 <P CLASS="western" ALIGN=JUSTIFY>This section is intended to provide 2852 the information needed to enable MyProxy to authenticate against 2853 tables in a Postgres database. Before, making these settings ensure 2854 that MyProxy is fully installed following the steps outlined in the 2855 MyProxy section. It's recommended to try out MyProxy with an 2856 existing PAM such as âlogonâ first to ensure it is working. See 2857 the section <I>Testing MyProxy</I>.</P> 2858 <P CLASS="western" ALIGN=JUSTIFY>Obtain and install the latest 2859 libpam_pgsql. This can be installed from Debian or RPM packages or 2860 from source. For NDG Security, version 0.5.2-9 Debian and 0.6.3 2861 source distributions have been tested. Check the documentation in 2862 the source tar ball for details of Postgres version requirements. 2863 </P> 2864 <H3 CLASS="western"><A NAME="5.1.1. 
Configuration|outline"></A>5.1.1 2865 Configuration</H3> 2866 <P CLASS="western" ALIGN=JUSTIFY>Depending on your native system 2867 create either a /etc/pam.d/myproxy file or the relevant entry in 2868 /etc/pam.conf 2869 </P> 2870 <P CLASS="western" ALIGN=JUSTIFY>For /etc/pam.d/myproxy:</P> 2871 <TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 2872 <COL WIDTH=602> 2873 <TR> 2874 <TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0"> 2875 <P STYLE="margin-bottom: 0cm"><BR> 2876 </P> 2877 <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">auth 2878 required pam_pgsql.so <BR>account required 2879 pam_pgsql.so<BR><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">password 2880 required pam_pgsql.so</SPAN></FONT></FONT></P> 2881 </TD> 2882 </TR> 2883 </TABLE> 2884 <P CLASS="western" ALIGN=JUSTIFY><BR><BR> 2885 </P> 2886 <P CLASS="western" ALIGN=JUSTIFY>or /etc/pam.conf:</P> 2887 <TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 2888 <COL WIDTH=602> 2889 <TR> 2890 <TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0"> 2891 <P STYLE="margin-bottom: 0cm"><BR> 2892 </P> 2893 <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">myproxy 2894 auth required pam_pgsql.so <BR>myproxy account 2895 required pam_pgsql.so<BR>myproxy <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">password 2896 required pam_pgsql.so</SPAN></FONT></FONT></P> 2897 </TD> 2898 </TR> 2899 </TABLE> 2900 <P CLASS="western" ALIGN=JUSTIFY><BR><BR> 2901 </P> 2902 <P CLASS="western" ALIGN=JUSTIFY>Configure the database, and table 2903 the module should use with the configuration file 2904 /etc/pam_pgsql.conf. 
e.g.</P> 2905 <TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 2906 <COL WIDTH=602> 2907 <TR> 2908 <TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0"> 2909 <P STYLE="margin-bottom: 0cm"><BR> 2910 </P> 2911 <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">database 2912 = userdb<BR>user = admin<BR>password = adminpassword<BR>table = 2913 account<BR>user_column = username<BR>pwd_column = password<BR>pw_type 2914 = md5<BR><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">debug</SPAN></FONT></FONT></P> 2915 </TD> 2916 </TR> 2917 </TABLE> 2918 <P CLASS="western" ALIGN=JUSTIFY><BR><BR> 2919 </P> 2920 <P CLASS="western" ALIGN=JUSTIFY>In the above example, password in 2921 the database table âaccountâ are MD5 encrypted. This field can 2922 also be set to Crypt or left out altogether if passwords are 2923 unencrypted.</P> 2924 <P CLASS="western" ALIGN=JUSTIFY>Restart MyProxy and test it using 2925 the myproxy-logon client command as outlined in the section <I>Testing 2926 MyProxy.</I><SPAN STYLE="font-style: normal"> To specify a database 2927 account name use the -l flag. If this omitted then the Linux account 2928 name is assumed e.g.</SPAN></P> 2929 <TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 2930 <COL WIDTH=602> 2931 <TR> 2932 <TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0"> 2933 <P STYLE="margin-bottom: 0cm"><BR> 2934 </P> 2935 <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$ 2936 myproxy-logon -v -p 60000 -l mydbaccountid</SPAN></FONT></FONT></P> 2937 </TD> 2938 </TR> 2939 </TABLE> 2940 <P CLASS="western"><BR>Consult the myproxy-logon and myproxy-server 2941 output and the system logs to trouble shoot errors.</P> 2942 <H2 CLASS="western"><A NAME="_Ref133718491"></A><A NAME="5.2. 
MySQL Installation|outline"></A> 2943 5.2 MySQL Installation</H2> 2944 <P CLASS="western" ALIGN=JUSTIFY>MySQL can be used to implement a 2945 Credential Repository for the SessionManager to stored user 2946 credentials as cached in their Credential Wallet held in their 2947 session.</P> 2293 2948 <P CLASS="western" ALIGN=JUSTIFY>This section describes how to make 2294 2949 an installation from the MySQL binary package tarball. System … … 2299 2954 instructions are adapted from the file <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">INSTALL-BINARY</SPAN></FONT> 2300 2955 provided in the tarball.</P> 2301 <H3 CLASS="western"><A NAME="5. 1.1.Version|outline"></A>5.1.1Version</H3>2956 <H3 CLASS="western"><A NAME="5.2.1.Version|outline"></A>5.2.1Version</H3> 2302 2957 <P CLASS="western" ALIGN=LEFT>Version 3.23 or later is recommended. 2303 2958 These instructions are for version 5.0.20a, the latest stable release 2304 2959 at time of writing.</P> 2305 <H3 CLASS="western"><A NAME="5. 1.2.Getting the Binaries|outline"></A>5.1.2Getting2306 the Binaries</H3>2960 <H3 CLASS="western"><A NAME="5.2.2. Getting the Binaries|outline"></A> 2961 5.2.2 Getting the Binaries</H3> 2307 2962 <P CLASS="western" ALIGN=LEFT>The package can be obtained from the 2308 2963 MySQL web site (<FONT COLOR="#0000ff"><U><A HREF="http://dev.mysql.com/downloads/mysql/5.0.html">http://dev.mysql.com/downloads/mysql/5.0.html</A></U></FONT>). … … 2321 2976 <P CLASS="western" ALIGN=LEFT><BR><BR> 2322 2977 </P> 2323 <H3 CLASS="western"><A NAME="5. 1.3.New mysql User Account|outline"></A>2324 5. 1.3New <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB"><I>mysql</I></SPAN></FONT>2978 <H3 CLASS="western"><A NAME="5.2.3. 
New mysql User Account|outline"></A> 2979 5.2.3 New <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB"><I>mysql</I></SPAN></FONT> 2325 2980 User Account</H3> 2326 2981 <P CLASS="western" ALIGN=JUSTIFY>Make a new account to run MySQL if … … 2337 2992 <P CLASS="western" ALIGN=JUSTIFY><BR><BR> 2338 2993 </P> 2339 <H3 CLASS="western"><A NAME="5. 1.4.Unpacking the tarball|outline"></A>2340 5. 1.4Unpacking the tarball</H3>2994 <H3 CLASS="western"><A NAME="5.2.4. Unpacking the tarball|outline"></A> 2995 5.2.4 Unpacking the tarball</H3> 2341 2996 <P CLASS="western" ALIGN=LEFT>As root copy the tarball to the target 2342 2997 directory for installation e.g. /usr/local, unpack the file:</P> … … 2375 3030 properly. 2376 3031 </P> 2377 <H3 CLASS="western"><A NAME="5. 1.5.Configuration File|outline"></A>5.1.5Configuration2378 File</H3>3032 <H3 CLASS="western"><A NAME="5.2.5. Configuration File|outline"></A>5.2.5 3033 Configuration File</H3> 2379 3034 <P CLASS="western" ALIGN=JUSTIFY>Create a configuration file called 2380 3035 <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">my.cnf</SPAN></FONT> … … 2419 3074 MySQLâs tables and the Credential Repository database will be 2420 3075 stored under <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/usr/local/mysql/data</SPAN></FONT>.</P> 2421 <H3 CLASS="western"><A NAME="5. 1.6.Create the Grant Tables|outline"></A>2422 5. 1.6Create the Grant Tables</H3>3076 <H3 CLASS="western"><A NAME="5.2.6. Create the Grant Tables|outline"></A> 3077 5.2.6 Create the Grant Tables</H3> 2423 3078 <P CLASS="western" ALIGN=LEFT>The <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">scripts</SPAN></FONT> 2424 3079 directory contains the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">mysql_install_db</SPAN></FONT> … … 2445 3100 can omit the -user option. 
After creating or updating the grant 2446 3101 tables, you need to restart the server manually.</P> 2447 <H3 CLASS="western"><A NAME="5. 1.7.File and Directory Permissions|outline"></A>2448 5. 1.7File and Directory Permissions</H3>3102 <H3 CLASS="western"><A NAME="5.2.7. File and Directory Permissions|outline"></A> 3103 5.2.7 File and Directory Permissions</H3> 2449 3104 <P CLASS="western" ALIGN=LEFT>Change the ownership of program 2450 3105 binaries to <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">root</SPAN></FONT> … … 2470 3125 user. The third changes the group attribute to the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">mysql</SPAN></FONT> 2471 3126 group.</P> 2472 <H3 CLASS="western"><A NAME="5. 1.8.Starting the Server|outline"></A>5.1.8Starting2473 the Server</H3>3127 <H3 CLASS="western"><A NAME="5.2.8. Starting the Server|outline"></A>5.2.8 3128 Starting the Server</H3> 2474 3129 <P CLASS="western" ALIGN=LEFT>If you want MySQL to start 2475 3130 automatically when you boot your machine, you can copy … … 2499 3154 file in the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">data</SPAN></FONT> 2500 3155 directory.</P> 2501 <H3 CLASS="western"><A NAME="_Ref133893123"></A><A NAME="5. 1.9.Securing MySQL Accounts|outline"></A>2502 5. 1.9Securing MySQL Accounts</H3>3156 <H3 CLASS="western"><A NAME="_Ref133893123"></A><A NAME="5.2.9. Securing MySQL Accounts|outline"></A> 3157 5.2.9 Securing MySQL Accounts</H3> 2503 3158 <P CLASS="western" ALIGN=JUSTIFY>To delete the anonymous accounts:</P> 2504 3159 <TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> … … 2594 3249 the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">bin/mysql_setpermission</SPAN></FONT> 2595 3250 script if you install the `DBI' and `DBD::mysql' Perl modules.</P> 2596 <P CLASS="western" ALIGN=LEFT>See section 4. 
3.1 for details about3251 <P CLASS="western" ALIGN=LEFT>See section 4.4.1 for details about 2597 3252 creation of the Credential Repository database.</P> 2598 <H3 CLASS="western"><A NAME="5. 1.10.Server Automated Start up|outline"></A>2599 5. 1.10Server Automated Start up</H3>3253 <H3 CLASS="western"><A NAME="5.2.10. Server Automated Start up|outline"></A> 3254 5.2.10 Server Automated Start up</H3> 2600 3255 <P CLASS="western" ALIGN=JUSTIFY><todo: ></P> 2601 3256 <P CLASS="western" ALIGN=LEFT><BR><BR> 2602 3257 </P> 2603 <H2 CLASS="western"><A NAME="5. 2.HTTPS set-up with Apache Web Server|outline"></A>2604 5. 2HTTPS set-up with Apache Web Server</H2>3258 <H2 CLASS="western"><A NAME="5.3. HTTPS set-up with Apache Web Server|outline"></A> 3259 5.3 HTTPS set-up with Apache Web Server</H2> 2605 3260 <P CLASS="western" ALIGN=JUSTIFY>NDG security requires HTTPS for the 2606 3261 transfer of user credentials across cookie domains between a data … … 2609 3264 <P CLASS="western" ALIGN=JUSTIFY><todo: full explanation - incl. 2610 3265 mod_ssl must be installed></P> 2611 <H3 CLASS="western"><A NAME="5.2.1.Web Server Host Certificate Generation|outline"></A> 2612 5.2.1Web Server Host Certificate Generation</H3> 3266 <H3 CLASS="western"><A NAME="5.3.1. Web Server Host Certificate Generation|outline"></A> 3267 5.3.1 Web Server Host Certificate Generation</H3> 3268 <P CLASS="western" ALIGN=JUSTIFY>Generate a new private key and 3269 certificate request.</P> 2613 3270 <TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 2614 3271 <COL WIDTH=605> … … 2617 3274 <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR> 2618 3275 </P> 3276 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 3277 openssl genrsa âout server.key 2048</FONT></P> 2619 3278 <P STYLE="margin-bottom: 0cm"><A NAME="OLE_LINK1"></A><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 2620 grid-cert-request -prefix <I><hostname></I> -dir . 
-cn 2621 <I><hostname></I> -nopw </FONT> 2622 </P> 3279 openssl req ânew âkey server.key âout server.csr</FONT></P> 2623 3280 <P><BR> 2624 3281 </P> … … 2628 3285 <P CLASS="western" ALIGN=JUSTIFY><BR><BR> 2629 3286 </P> 2630 <H3 CLASS="western"><A NAME="5.2.2.Apache Configuration File Settings|outline"></A> 2631 5.2.2Apache Configuration File Settings</H3> 2632 <P CLASS="western" ALIGN=JUSTIFY><BR><BR> 2633 </P> 2634 <H2 CLASS="western"><A NAME="_Ref132181551"></A><A NAME="5.3.Apache Web Server Proxy Settings Configuration for Web Services|outline"></A> 2635 5.3Apache Web Server Proxy Settings Configuration for Web Services</H2> 3287 <P CLASS="western" ALIGN=JUSTIFY>Send the certificate request to the 3288 relevant CA (NDG if appropriate) for signing.</P> 3289 <H3 CLASS="western"><A NAME="5.3.2.Apache Configuration File Settings|outline"></A> 3290 5.3.2Apache Configuration File Settings</H3> 3291 <P CLASS="western" ALIGN=JUSTIFY><BR><BR> 3292 </P> 3293 <H2 CLASS="western"><A NAME="_Ref132181551"></A><A NAME="5.4. 
Apache Web Server Proxy Settings Configuration for Web Services|outline"></A> 3294 5.4 Apache Web Server Proxy Settings Configuration for Web Services</H2> 2636 3295 <P CLASS="western" ALIGN=JUSTIFY>Apache provides a convenient 2637 3296 mechanism to re-route web service ports through port 80 and so make … … 2661 3320 Session Manager and Attribute Authority settings</FONT></P> 2662 3321 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">ProxyPass 2663 /sessionMgr https://localhost:5700 /</FONT></P>3322 /sessionMgr https://localhost:5700</FONT></P> 2664 3323 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">ProxyPassReverse 2665 /sessionMgr https://localhost:5700 /</FONT></P>3324 /sessionMgr https://localhost:5700</FONT></P> 2666 3325 <P STYLE="margin-bottom: 0cm"><BR> 2667 3326 </P> 2668 3327 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">ProxyPass 2669 /attAuthority http://localhost:5000 /</FONT></P>3328 /attAuthority http://localhost:5000</FONT></P> 2670 3329 <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">ProxyPassReverse 2671 /attAuthority http://localhost:5000 /</FONT></P>3330 /attAuthority http://localhost:5000</FONT></P> 2672 3331 <P CLASS="western" ALIGN=LEFT><BR> 2673 3332 </P> … … 2765 3424 location=ââŠâ></SPAN></FONT> 2766 3425 </P> 2767 <H2 CLASS="western"><A NAME="5. 4.An Example Attribute Authority AAUserRoles interface class|outline"></A>2768 5. 
4An Example Attribute Authority AAUserRoles interface class</H2>3426 <H2 CLASS="western"><A NAME="5.5.An Example Attribute Authority AAUserRoles interface class|outline"></A> 3427 5.5An Example Attribute Authority AAUserRoles interface class</H2> 2769 3428 <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">This 2770 3429 interface is required in order to link the Attribute Authority to the … … 2778 3437 methods:</P> 2779 3438 <UL> 2780 <LI ><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">userIsRegistered()</SPAN></FONT>3439 <LI VALUE=1><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">userIsRegistered()</SPAN></FONT> 2781 3440 â returns True if the user with the given input Distinguished Name 2782 3441 is registered at the site. This method might contain an SQL query … … 3218 3877 <P CLASS="western" ALIGN=JUSTIFY><BR><BR> 3219 3878 </P> 3220 <H2 CLASS="western"><A NAME="5.5.Troubleshooting|outline"></A>5.5Troubleshooting</H2> 3221 <H3 CLASS="western"><A NAME="5.5.1.M2Crypto SWIG Build Error|outline"></A> 3222 5.5.1M2Crypto SWIG Build Error</H3> 3879 <H2 CLASS="western"><A NAME="5.6.Troubleshooting|outline"></A>5.6 3880 Troubleshooting</H2> 3881 <H3 CLASS="western"><A NAME="5.6.1.M2Crypto |outline"></A>5.6.1 3882 M2Crypto 3883 </H3> 3884 <H4 CLASS="western">5.6.1.1SWIG Version too Old</H4> 3223 3885 <P CLASS="western" ALIGN=JUSTIFY>M2Crypto uses SWIG to bind C OpenSSL 3224 3886 library code to the Python interface. Compilation errors with swig … … 3243 3905 <P CLASS="western" ALIGN=JUSTIFY><BR><BR> 3244 3906 </P> 3245 <P CLASS="western" ALIGN=JUSTIFY>To fix update to a version > 1.1 3246 and re-run the installation script. 
SWIG is available from 3247 <FONT COLOR="#0000ff"><U><A HREF="http://www.swig.org/">http://www.swig.org/</A></U></FONT></P> 3248 <P CLASS="western" ALIGN=JUSTIFY><BR><BR> 3249 </P> 3250 <H3 CLASS="western"><A NAME="5.5.2.PyXML|outline"></A>5.5.2PyXML</H3> 3907 <P CLASS="western" ALIGN=JUSTIFY>Some version will build OK but then 3908 cause runtime errors e.g.</P> 3909 <TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 3910 <COL WIDTH=610> 3911 <TR> 3912 <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0"> 3913 <P STYLE="margin-bottom: 0cm"><BR> 3914 </P> 3915 <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">File 3916 ".../M2Crypto/SSL/Context.py", line 43, in __init__ 3917 map()[long(self.ctx)] = self ValueError: invalid literal for 3918 long(): _480e1008_p_SSL_CTX </FONT> 3919 </P> 3920 </TD> 3921 </TR> 3922 </TABLE> 3923 <P CLASS="western" ALIGN=JUSTIFY><BR><BR> 3924 </P> 3925 <P CLASS="western" ALIGN=JUSTIFY>To fix update to a version >= 3926 1.3.24 and re-run the installation script but also make sure to read 3927 the next section. 
SWIG is available from <FONT COLOR="#0000ff"><U><A HREF="http://www.swig.org/">http://www.swig.org/</A></U></FONT></P> 3928 <H4 CLASS="western">5.6.1.2 SWIG and Py_ssize_t build error</H4> 3929 <P CLASS="western" ALIGN=JUSTIFY>The combination SWIG version 3930 1.3.30rc1 and Python < 2.5 can cause a build error:</P> 3931 <TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 3932 <COL WIDTH=610> 3933 <TR> 3934 <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0"> 3935 <P STYLE="margin-bottom: 0cm"><BR> 3936 </P> 3937 <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">_lib.h:5: 3938 error: redefinition of typedef 'Py_ssize_t'</FONT></P> 3939 </TD> 3940 </TR> 3941 </TABLE> 3942 <P CLASS="western" ALIGN=JUSTIFY><BR><BR> 3943 </P> 3944 <P CLASS="western" ALIGN=JUSTIFY>Avoid this version of SWIG.</P> 3945 <P CLASS="western" ALIGN=JUSTIFY>See: 3946 <A HREF="http://chandlerproject.org/Projects/MeTooCrypto#FAQ">http://chandlerproject.org/Projects/MeTooCrypto#FAQ</A> 3947 for reference and up to date details of any other M2Crypto related 3948 issues.</P> 3949 <H3 CLASS="western"><A NAME="5.6.2. 
PyXML|outline"></A>5.6.2 PyXML</H3> 3251 3950 <P CLASS="western" ALIGN=JUSTIFY>error: Could not find suitable 3252 3951 distribution for Requirement.parse('PyXML>=0.8.3')</P> 3253 <P CLASS="western" ALIGN=JUSTIFY>$ easy_install âf 3254 <FONT COLOR="#0000ff"><U><A HREF="http://sourceforge.net/project/showfiles.php?group_id=6473">http://sourceforge.net/project/showfiles.php?group_id=6473</A></U></FONT> 3255 PyXML</P> 3256 <P CLASS="western" ALIGN=JUSTIFY>or âf option with 3952 <TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 3953 <COL WIDTH=610> 3954 <TR> 3955 <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0"> 3956 <P STYLE="margin-bottom: 0cm"><BR> 3957 </P> 3958 <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 3959 easy_install âf 3960 <FONT COLOR="#0000ff"><U><A HREF="http://sourceforge.net/project/showfiles.php?group_id=6473">http://sourceforge.net/project/showfiles.php?group_id=6473</A></U></FONT> 3961 PyXML</FONT></P> 3962 </TD> 3963 </TR> 3964 </TABLE> 3965 <P CLASS="western" ALIGN=JUSTIFY><BR>or âf option with 3257 3966 ndg-security-install.py</P> 3258 <H3 CLASS="western"><A NAME="5. 5.3.4Suite-XML Build error|outline"></A>3259 5. 5.34Suite-XML Build error</H3>3967 <H3 CLASS="western"><A NAME="5.6.3. 
4Suite-XML Build error|outline"></A> 3968 5.6.3 4Suite-XML Build error</H3> 3260 3969 <P CLASS="western" ALIGN=JUSTIFY>Ft/Xml/src/expat/lib/xmlparse.c:89:2: 3261 3970 #error memmove does not exist on this platform, nor is a substitute 3262 3971 available</P> 3263 3972 <P CLASS="western" ALIGN=JUSTIFY>4Suite-XML 1.0.2</P> 3264 <P CLASS="western" ALIGN=JUSTIFY>$ cat /proc/version</P> 3265 <P CLASS="western" ALIGN=JUSTIFY>Linux version 2.4.21-32.0.1.ELsmp 3266 (bhcompile@bugs.build.redhat.com) (gcc version</P> 3267 <P CLASS="western" ALIGN=JUSTIFY> 3.2.3 20030502 (Red Hat Linux 3268 3.2.3-52)) #1 SMP Tue May 17 17:52:23 EDT 2005</P> 3269 <P CLASS="western" ALIGN=JUSTIFY>$ uname âa 3270 </P> 3271 <P CLASS="western" ALIGN=JUSTIFY>Linux glue.badc.rl.ac.uk 3272 2.4.21-32.0.1.ELsmp #1 SMP Tue May 17 17:52:23 EDT 2005 i686 i686 3273 i386 GNU/Linux</P> 3274 <P CLASS="western" ALIGN=JUSTIFY>Solution</P> 3275 <P CLASS="western" ALIGN=JUSTIFY>$ echo -e 3276 "[build_ext]\ndefine=HAVE_MMEMOVE" > ~/.pydistutils.cfg</P> 3277 <P CLASS="western" ALIGN=JUSTIFY>$ easy_install 4Suite-XML</P> 3973 <TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 3974 <COL WIDTH=610> 3975 <TR> 3976 <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0"> 3977 <P STYLE="margin-bottom: 0cm"><BR> 3978 </P> 3979 <OL START=3> 3980 <P CLASS="western" ALIGN=LEFT>$ cat /proc/version<BR>Linux 3981 version 2.4.21-32.0.1.ELsmp (bhcompile@bugs.build.redhat.com) 3982 (gcc version 20030502 (Red Hat Linux 3.2.3-52)) #1 SMP Tue May 17 3983 17:52:23 EDT 2005</P> 3984 </OL> 3985 </TD> 3986 </TR> 3987 </TABLE> 3988 <P CLASS="western" ALIGN=JUSTIFY><BR><BR> 3989 </P> 3990 <TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 3991 <COL WIDTH=610> 3992 <TR> 3993 <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0"> 3994 <P STYLE="margin-bottom: 0cm"><BR> 3995 </P> 3996 <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 3997 uname âa </FONT> 3998 </P> 3999 <P><FONT FACE="Lucida Console, 
DejaVu Sans Mono, monospace">Linux 4000 glue.badc.rl.ac.uk 2.4.21-32.0.1.ELsmp #1 SMP Tue May 17 17:52:23 4001 EDT 2005 i686 i686 i386 GNU/Linux</FONT></P> 4002 </TD> 4003 </TR> 4004 </TABLE> 4005 <P CLASS="western" ALIGN=JUSTIFY><BR><BR> 4006 </P> 4007 <P CLASS="western" ALIGN=JUSTIFY>Solution:</P> 4008 <TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 4009 <COL WIDTH=610> 4010 <TR> 4011 <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0"> 4012 <P STYLE="margin-bottom: 0cm"><BR> 4013 </P> 4014 <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ echo 4015 -e "[build_ext]\ndefine=HAVE_MMEMOVE" > 4016 ~/.pydistutils.cfg<BR>$ easy_install 4Suite-XML</FONT></P> 4017 </TD> 4018 </TR> 4019 </TABLE> 4020 <P CLASS="western" ALIGN=JUSTIFY><BR><BR> 4021 </P> 3278 4022 <P CLASS="western" ALIGN=JUSTIFY><BR><BR> 3279 4023 </P>
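Review bot: in the 5.6.2 PyXML command box, the easy_install option is not written with an ASCII hyphen (it shows as "âf" here, and "uname âa" in 5.6.3 has the same problem), so a reader who copies the command gets an invalid argument; use a plain -f and -a. The find-links URL is also plain http://sourceforge.net/..., and easy_install builds and installs whatever it retrieves from that page, so the guide should tell the reader to check the download against a published checksum or signature before installing, or to use an HTTPS location if one is available.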
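Review bot: in the new "$ cat /proc/version" box under 5.6.3, the reflowed output reads "(gcc version 20030502 (Red Hat Linux 3.2.3-52))", which drops the "3.2.3" that the removed lines carried after "gcc version"; restore it so the quoted output matches what the command prints. The same box wraps its paragraph in <OL START=3> with no <LI> and omits the monospace FONT used by the neighbouring boxes; drop the OL and use the same FONT wrapper as the uname box.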
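Review bot: in the "Solution:" box the define is spelled HAVE_MMEMOVE, carried over unchanged from the removed lines, while the quoted #error is about memmove; the macro is presumably meant to be HAVE_MEMMOVE, and with the doubled M the workaround would define an unused symbol and the build would still fail, so please confirm against xmlparse.c and correct it. The command also redirects with ">" into ~/.pydistutils.cfg, which silently replaces any existing per-user distutils settings and leaves the define in effect for every later build; the text should say to back the file up or merge the [build_ext] section by hand, and to remove the entry once 4Suite-XML is installed.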