Changeset 3200


Timestamp:
11/01/08 11:29:38 (12 years ago)
Author:
pjkersha
Message:

Updated Installation Guide to version 1.0 - re-ordered MyProxy and Python package sections. Added more info for M2Crypto install troubleshooting.

Location:
TI12-security/trunk/documentation/InstallationGuide
Files:
2 edited

  • TI12-security/trunk/documentation/InstallationGuide/html/NDGSecurityInstallationGuide.html

    r3171 r3200  
    44        <META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=utf-8"> 
    55        <TITLE>NDG Security Installation Guide</TITLE> 
    6         <META NAME="GENERATOR" CONTENT="OpenOffice.org 2.0  (Linux)"> 
     6        <META NAME="GENERATOR" CONTENT="OpenOffice.org 2.3  (Linux)"> 
    77        <META NAME="AUTHOR" CONTENT="P J Kershaw"> 
    88        <META NAME="CREATED" CONTENT="20071010;9350000"> 
    9         <META NAME="CHANGED" CONTENT="20071221;14112900"> 
     9        <META NAME="CHANGED" CONTENT="20080111;11231200"> 
    1010        <STYLE TYPE="text/css"> 
    1111        <!-- 
    12                 @page { size: 21cm 29.7cm; margin-left: 2.54cm; margin-right: 2.29cm; margin-top: 1.27cm; margin-bottom: 1.27cm } 
     12                @page { margin-left: 2.54cm; margin-right: 2.29cm; margin-top: 1.27cm; margin-bottom: 1.27cm } 
    1313                @page:first { margin-top: 1.27cm; margin-bottom: 2.54cm } 
    1414                P { margin-bottom: 0.42cm; direction: ltr; color: #000000; text-align: left; widows: 2; orphans: 2 } 
    15                 P.western { font-family: "Helvetica", sans-serif; font-size: 10pt; so-language: en-GB } 
     15                P.western { font-family: "Helvetica", sans-serif; font-size: 10pt } 
    1616                P.cjk { font-family: "Times New Roman", "Times", serif; font-size: 10pt } 
    1717                P.ctl { font-family: "Times New Roman", "Times", serif; font-size: 10pt; so-language: ar-SA } 
    1818                H1 { margin-bottom: 0.42cm; direction: ltr; color: #000000; text-align: justify; widows: 2; orphans: 2; page-break-before: always } 
    19                 H1.western { font-family: "Helvetica", sans-serif; font-size: 10pt; so-language: en-GB } 
     19                H1.western { font-family: "Helvetica", sans-serif; font-size: 10pt } 
    2020                H1.cjk { font-family: "Times New Roman", "Times", serif; font-size: 10pt } 
    2121                H1.ctl { font-family: "Times New Roman", "Times", serif; font-size: 10pt; so-language: ar-SA; font-weight: medium } 
    2222                H2 { margin-left: 0.1cm; margin-top: 0cm; margin-bottom: 0.42cm; direction: ltr; color: #000000; text-align: left; widows: 2; orphans: 2 } 
    23                 H2.western { font-family: "Helvetica", sans-serif; font-size: 10pt; so-language: en-GB } 
     23                H2.western { font-family: "Helvetica", sans-serif; font-size: 10pt } 
    2424                H2.cjk { font-family: "Times New Roman", "Times", serif; font-size: 10pt } 
    2525                H2.ctl { font-family: "Times New Roman", "Times", serif; font-size: 10pt; so-language: ar-SA; font-weight: medium } 
    2626                H3 { margin-top: 0cm; margin-bottom: 0.42cm; direction: ltr; color: #000000; text-align: justify; widows: 2; orphans: 2 } 
    27                 H3.western { font-family: "Helvetica", sans-serif; font-size: 10pt; so-language: en-GB; font-style: italic } 
     27                H3.western { font-family: "Helvetica", sans-serif; font-size: 10pt; font-style: italic } 
    2828                H3.cjk { font-family: "Times New Roman", "Times", serif; font-size: 10pt; font-style: italic } 
    2929                H3.ctl { font-family: "Times New Roman", "Times", serif; font-size: 10pt; so-language: ar-SA; font-weight: medium } 
    3030                H4 { margin-top: 0cm; margin-bottom: 0cm; direction: ltr; color: #000000; text-align: justify; widows: 2; orphans: 2 } 
    31                 H4.western { font-family: "Helvetica", sans-serif; font-size: 10pt; so-language: en-GB; font-style: italic; font-weight: medium } 
     31                H4.western { font-family: "Helvetica", sans-serif; font-size: 10pt; font-style: italic; font-weight: medium } 
    3232                H4.cjk { font-family: "Times New Roman", "Times", serif; font-size: 10pt; font-style: italic; font-weight: medium } 
    3333                H4.ctl { font-family: "Times New Roman", "Times", serif; font-size: 10pt; so-language: ar-SA; font-weight: medium } 
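Review bot: The edits in the HEAD block (GENERATOR 2.0 to 2.3, the dropped `size: 21cm 29.7cm` in `@page`, and the removed `so-language: en-GB` on every `.western` rule) are OpenOffice.org export churn that the commit message does not mention; it covers only the section re-ordering and the M2Crypto notes. Either commit the regenerated styling separately or confirm that losing the explicit page size and the en-GB language setting is intended, given that the `.ctl` rules still carry `so-language: ar-SA`.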
     
    5050        Grid Security</B></FONT></P> 
    5151        <P ALIGN=RIGHT><FONT SIZE=6><B>Installation Guide</B></FONT></P> 
    52         <P ALIGN=RIGHT><FONT SIZE=3><B>Version 0.9</B></FONT></P> 
     52        <P ALIGN=RIGHT><FONT SIZE=3><B>Version 1.0</B></FONT></P> 
    5353</SPAN><BR><BR> 
    5454</P> 
     
    193193                </TD> 
    194194        </TR> 
     195        <TR VALIGN=TOP> 
     196                <TD WIDTH=194> 
     197                        <P ALIGN=JUSTIFY>1.0</P> 
     198                </TD> 
     199                <TD WIDTH=195> 
     200                        <P CLASS="western" ALIGN=JUSTIFY>11/01/08</P> 
     201                </TD> 
     202                <TD WIDTH=195> 
     203                        <UL> 
     204                                <LI VALUE=1><P CLASS="western" ALIGN=LEFT>More notes in 
     205                                Appendices about M2Crypto installation</P> 
     206                                <LI><P CLASS="western" ALIGN=LEFT>re-ordered MyProxy and Python 
     207                                package headings</P> 
     208                        </UL> 
     209                </TD> 
     210        </TR> 
    195211</TABLE> 
    196212<P ALIGN=LEFT STYLE="page-break-before: always"><FONT SIZE=4 STYLE="font-size: 16pt"><B>Contents</B></FONT></P> 
    197213<DIV ID="Table of Contents1" DIR="LTR"> 
    198214        <P ALIGN=JUSTIFY><A HREF="#1. References|outline">1.  References        6</A></P> 
    199         <P ALIGN=JUSTIFY><A HREF="#2.Introduction|outline">2. Introduction      7</A></P> 
    200         <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#2.1.Pre-requisites |outline">2.1 
    201         Pre-requisites  7</A></P> 
    202         <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#2.2.Deployment Model|outline">2.2 
    203         Deployment Model        7</A></P> 
    204         <P ALIGN=JUSTIFY><A HREF="#3.Software Installation Components|outline">3. 
    205         Software Installation Components        9</A></P> 
     215        <P ALIGN=JUSTIFY><A HREF="#2. Introduction|outline">2.  
     216        Introduction    7</A></P> 
     217        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#2.1. Pre-requisites |outline">2.1 
     218         Pre-requisites         7</A></P> 
     219        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#2.2. Deployment Model|outline">2.2 
     220         Deployment Model       7</A></P> 
     221        <P ALIGN=JUSTIFY><A HREF="#3. Software Installation Components|outline">3. 
     222         Software Installation Components       10</A></P> 
    206223        <P ALIGN=JUSTIFY><A HREF="#4.Installation|outline">4. 
    207         Installation    10</A></P> 
    208         <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.1.Dependencies|outline">4.1 
    209         Dependencies    10</A></P> 
    210         <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.1.1.OpenSSL|outline">4.1.1 
    211         OpenSSL 10</A></P> 
    212         <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.1.2.SWIG|outline">4.1.2 
    213         SWIG    10</A></P> 
    214         <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.2.Python Packages|outline">4.2 
    215         Python Packages 10</A></P> 
    216         <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.2.1.setuptools|outline">4.2.1 
    217         setuptools      10</A></P> 
    218         <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.2.2.NDG Security Packages|outline">4.2.2 
    219         NDG Security Packages   11</A></P> 
    220         <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.3.NDG Web Services Configuration|outline">4.3 
    221         NDG Web Services Configuration  11</A></P> 
    222         <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.3.1.NDG Security System Configuration Files|outline">4.3.1 
    223         NDG Security System Configuration Files 11</A></P> 
    224         <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.3.2. Certificate Generation|outline">4.3.2 
    225          Certificate Generation 12</A></P> 
    226         <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.4.Session Manager Configuration|outline">4.4 
    227         Session Manager Configuration   14</A></P> 
    228         <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.4.1.Session Manager Credential Repository|outline">4.4.1 
    229         Session Manager Credential Repository   14</A></P> 
    230         <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.4.2.Session Manager Properties File Settings|outline">4.4.2 
    231         Session Manager Properties File Settings        14</A></P> 
    232         <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.4.3.SysV-style Boot Script|outline">4.4.3 
    233         SysV-style Boot Script  18</A></P> 
    234         <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.5.Attribute Authority Configuration|outline">4.5 
    235         Attribute Authority Configuration       18</A></P> 
    236         <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.5.1.Attribute Authority Properties File Settings|outline">4.5.1 
    237         Attribute Authority Properties File Settings    18</A></P> 
    238         <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.5.2.User Roles Interface|outline">4.5.2 
    239         User Roles Interface    20</A></P> 
    240         <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.5.3.Role Mapping|outline">4.5.3 
    241         Role Mapping    20</A></P> 
    242         <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.5.4.Twisted Python server .tac file|outline">4.5.4 
    243         Twisted Python server .tac file 21</A></P> 
    244         <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.5.5.SysV-style Boot Script|outline">4.5.5 
    245         SysV-style Boot Script  22</A></P> 
    246         <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.6.Python Unit Tests|outline">4.6 
    247         Python Unit Tests       22</A></P> 
    248         <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.7. MyProxy|outline">4.7 
    249          MyProxy        22</A></P> 
    250         <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.7.1. MyProxy and NDG Security Background|outline">4.7.1 
    251          MyProxy and NDG Security Background    22</A></P> 
    252         <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.7.2. MyProxy user account and the repository location considerations|outline">4.7.2 
    253          MyProxy user account and the repository location considerations        23</A></P> 
    254         <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.7.3. Installation|outline">4.7.3 
    255          Installation   23</A></P> 
    256         <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.7.4. SimpleCA Installation|outline">4.7.4 
    257          SimpleCA Installation  24</A></P> 
    258         <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.7.5. Host Certificate Creation|outline">4.7.5 
    259          Host Certificate Creation      27</A></P> 
    260         <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.7.6. MyProxy Configuration File|outline">4.7.6 
    261          MyProxy Configuration File     27</A></P> 
    262         <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.7.7. MyProxy SimpleCA Configuration|outline">4.7.7 
    263          MyProxy SimpleCA Configuration 28</A></P> 
    264         <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.7.8. MyProxy PAM Configuration|outline">4.7.8 
    265          MyProxy PAM Configuration      29</A></P> 
    266         <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.7.9. Testing MyProxy|outline">4.7.9 
    267          Testing MyProxy        30</A></P> 
    268         <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.7.10. Adding MyProxy Server to the system start up|outline">4.7.10 
    269          Adding MyProxy Server to the system start up   33</A></P> 
    270         <P ALIGN=JUSTIFY><A HREF="#5.Appendices|outline">5. Appendices  35</A></P> 
     224        Installation    11</A></P> 
     225        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.1. Globus MyProxy and SimpleCA|outline">4.1 
     226         Globus MyProxy and SimpleCA    11</A></P> 
     227        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.1.1. MyProxy and NDG Security Background|outline">4.1.1 
     228         MyProxy and NDG Security Background    11</A></P> 
     229        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.1.2. MyProxy user account and the repository location considerations|outline">4.1.2 
     230         MyProxy user account and the repository location considerations        11</A></P> 
     231        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.1.3. Installation|outline">4.1.3 
     232         Installation   12</A></P> 
     233        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.1.4. SimpleCA Installation|outline">4.1.4 
     234         SimpleCA Installation  13</A></P> 
     235        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.1.5. Host Certificate Creation|outline">4.1.5 
     236         Host Certificate Creation      16</A></P> 
     237        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.1.6. MyProxy Configuration File|outline">4.1.6 
     238         MyProxy Configuration File     17</A></P> 
     239        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.1.7. MyProxy SimpleCA Configuration|outline">4.1.7 
     240         MyProxy SimpleCA Configuration 17</A></P> 
     241        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.1.8. MyProxy PAM Configuration|outline">4.1.8 
     242         MyProxy PAM Configuration      19</A></P> 
     243        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.1.9. Testing MyProxy|outline">4.1.9 
     244         Testing MyProxy        19</A></P> 
     245        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.1.10. Adding MyProxy Server to the system start up|outline">4.1.10 
     246         Adding MyProxy Server to the system start up   22</A></P> 
     247        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.2. NDG Security Python Packages |outline">4.2 
     248         NDG Security Python Packages   23</A></P> 
     249        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.2.1. Dependencies|outline">4.2.1 
     250         Dependencies   23</A></P> 
     251        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.2.2. Installation Procedure|outline">4.2.2 
     252         Installation Procedure 23</A></P> 
     253        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.2.3. NDG Web Services Configuration|outline">4.2.3 
     254         NDG Web Services Configuration 24</A></P> 
     255        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.2.4. Session Manager Configuration|outline">4.2.4 
     256         Session Manager Configuration  27</A></P> 
     257        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.2.5. Attribute Authority Configuration|outline">4.2.5 
     258         Attribute Authority Configuration      32</A></P> 
     259        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.2.6. Python Unit Tests|outline">4.2.6 
     260         Python Unit Tests      36</A></P> 
     261        <P ALIGN=JUSTIFY><A HREF="#5.Appendices|outline">5. Appendices  37</A></P> 
    271262        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#5.1. Postgres PAM for MyProxy|outline">5.1 
    272          Postgres PAM for MyProxy       35</A></P> 
     263         Postgres PAM for MyProxy       37</A></P> 
    273264        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.1.1. Configuration|outline">5.1.1 
    274          Configuration  35</A></P> 
     265         Configuration  37</A></P> 
    275266        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#5.2. MySQL Installation|outline">5.2 
    276          MySQL Installation     36</A></P> 
     267         MySQL Installation     38</A></P> 
    277268        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.1.Version|outline">5.2.1 
    278         Version 36</A></P> 
     269        Version 38</A></P> 
    279270        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.2. Getting the Binaries|outline">5.2.2 
    280          Getting the Binaries   36</A></P> 
     271         Getting the Binaries   38</A></P> 
    281272        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.3. New mysql User Account|outline">5.2.3 
    282          New mysql User Account 36</A></P> 
     273         New mysql User Account 38</A></P> 
    283274        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.4. Unpacking the tarball|outline">5.2.4 
    284          Unpacking the tarball  36</A></P> 
     275         Unpacking the tarball  39</A></P> 
    285276        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.5. Configuration File|outline">5.2.5 
    286          Configuration File     37</A></P> 
     277         Configuration File     39</A></P> 
    287278        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.6. Create the Grant Tables|outline">5.2.6 
    288          Create the Grant Tables        37</A></P> 
     279         Create the Grant Tables        40</A></P> 
    289280        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.7. File and Directory Permissions|outline">5.2.7 
    290          File and Directory Permissions 38</A></P> 
     281         File and Directory Permissions 40</A></P> 
    291282        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.8. Starting the Server|outline">5.2.8 
    292          Starting the Server    38</A></P> 
     283         Starting the Server    40</A></P> 
    293284        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.9. Securing MySQL Accounts|outline">5.2.9 
    294          Securing MySQL Accounts        38</A></P> 
     285         Securing MySQL Accounts        41</A></P> 
    295286        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.10. Server Automated Start up|outline">5.2.10 
    296          Server Automated Start up      39</A></P> 
     287         Server Automated Start up      42</A></P> 
    297288        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#5.3. HTTPS set-up with Apache Web Server|outline">5.3 
    298          HTTPS set-up with Apache Web Server    39</A></P> 
     289         HTTPS set-up with Apache Web Server    42</A></P> 
    299290        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.3.1. Web Server Host Certificate Generation|outline">5.3.1 
    300          Web Server Host Certificate Generation 39</A></P> 
     291         Web Server Host Certificate Generation 42</A></P> 
    301292        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.3.2.Apache Configuration File Settings|outline">5.3.2 
    302         Apache Configuration File Settings      40</A></P> 
     293        Apache Configuration File Settings      42</A></P> 
    303294        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#5.4. Apache Web Server Proxy Settings Configuration for Web Services|outline">5.4 
    304          Apache Web Server Proxy Settings Configuration for Web Services        40</A></P> 
     295         Apache Web Server Proxy Settings Configuration for Web Services        42</A></P> 
    305296        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#5.5.An Example Attribute Authority AAUserRoles interface class|outline">5.5 
    306         An Example Attribute Authority AAUserRoles interface class      41</A></P> 
    307         <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#5.6.Troubleshooting|outline">5.6 
    308         Troubleshooting 44</A></P> 
    309         <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.6.1.M2Crypto |outline">5.6.1 
    310         M2Crypto        44</A></P> 
     297        An Example Attribute Authority AAUserRoles interface class      43</A></P> 
     298        <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#5.6. Troubleshooting|outline">5.6 
     299         Troubleshooting        47</A></P> 
     300        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.6.1. M2Crypto |outline">5.6.1 
     301         M2Crypto       47</A></P> 
    311302        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.6.2. PyXML|outline">5.6.2 
    312          PyXML  45</A></P> 
     303         PyXML  48</A></P> 
    313304        <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.6.3. 4Suite-XML Build error|outline">5.6.3 
    314          4Suite-XML Build error 45</A></P> 
     305         4Suite-XML Build error 48</A></P> 
    315306</DIV> 
    316307<H1 CLASS="western"><A NAME="1. References|outline"></A>1. References</H1> 
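Review bot: Anchor naming in the Contents block is now mixed. The renamed entries put a space after the section number (`#2. Introduction|outline`, `#4.1. Globus MyProxy and SimpleCA|outline`), while `#4.Installation|outline`, `#5.Appendices|outline`, `#5.2.1.Version|outline`, `#5.3.2.Apache Configuration File Settings|outline` and `#5.5.An Example Attribute Authority AAUserRoles interface class|outline` keep the old form without it. Settle on one form so that a link does not depend on which export produced the heading. In the new revision-table row, the version cell `<P ALIGN=JUSTIFY>1.0</P>` also lacks the `CLASS="western"` that the neighbouring cells carry.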
     
    337328        <FONT COLOR="#0000ff"><U><A HREF="http://bscw.badc.rl.ac.uk/bscw/bscw.cgi/d77103/NDG%20Security%20-%20Security%20Measures%20for%20Installation">http://bscw.badc.rl.ac.uk/bscw/bscw.cgi/d77103/NDG%20Security%20-%20Security%20Measures%20for%20Installation</A></U></FONT></P> 
    338329</OL> 
    339 <H1 CLASS="western"><A NAME="2.Introduction|outline"></A>2.Introduction</H1> 
     330<H1 CLASS="western"><A NAME="2. Introduction|outline"></A>2. 
     331Introduction</H1> 
    340332<P CLASS="western" ALIGN=JUSTIFY>This is a guide for system 
    341333administrators and developers deploying NDG security at a data 
    342334centre.</P> 
    343 <H2 CLASS="western"><A NAME="2.1.Pre-requisites |outline"></A>2.1Pre-requisites 
     335<H2 CLASS="western"><A NAME="2.1. Pre-requisites |outline"></A>2.1 
     336Pre-requisites  
    344337</H2> 
    345338<UL> 
     
    365358        <LI><P CLASS="western" ALIGN=JUSTIFY>Python setuptools utility</P> 
    366359        <LI><P CLASS="western" ALIGN=JUSTIFY>OpenSSL is required at version 
    367         0.9.8 or greater</P> 
     360        0.9.8 or greater.  Libraries and header files must be present in 
     361        addition to executable(s)</P> 
    368362        <LI><P CLASS="western" ALIGN=JUSTIFY>SWIG 1.3.24 or later (for 
    369363        M2Crypto Python OpenSSL wrapper)</P> 
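Review bot: The sentence added to the OpenSSL item on new lines 360-361 says libraries and header files must be present but gives the installer no way to confirm that, and it ends without a full stop. If the requirement is there for the M2Crypto build (the SWIG item directly below names M2Crypto as the OpenSSL wrapper), add a pointer to the M2Crypto troubleshooting entry in section 5.6.1 so that a failed build can be traced back to missing headers.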
     
    372366note document NDG <I>Security - Security Measures for Installation</I> 
    373367 (see Ref 1 above).</P> 
    374 <H2 CLASS="western"><A NAME="2.2.Deployment Model|outline"></A>2.2Deployment 
    375 Model</H2> 
     368<H2 CLASS="western"><A NAME="2.2. Deployment Model|outline"></A>2.2 
     369Deployment Model</H2> 
    376370<P CLASS="western" ALIGN=JUSTIFY>The following diagram gives an 
    377371example deployment configuration for NDG security services.</P> 
     
    400394some way through the firewall to enable communication with other NDG 
    401395security web services at other sites.</P> 
    402 <H1 CLASS="western"><A NAME="3.Software Installation Components|outline"></A> 
    403 3.Software Installation Components</H1> 
    404 <P CLASS="western" ALIGN=JUSTIFY>Python software is package using 
    405 distutils eggs.   These are divided into separate components to suit 
     396<H1 CLASS="western"><A NAME="3. Software Installation Components|outline"></A> 
     3973. Software Installation Components</H1> 
     398<P CLASS="western" ALIGN=JUSTIFY>The NDG Security software can be 
     399divided into the categories of Python packages which implement NDG 
     400Security web services and third party packages Globus MyProxy and 
     401SimpleCA.</P> 
     402<P CLASS="western" ALIGN=JUSTIFY>The Python software is package using 
     403setuptools eggs.   These are divided into separate components to suit 
    406404the particular installation required:</P> 
    407405<UL> 
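Review bot: The rewritten paragraph on new lines 402-403 still reads "The Python software is package using setuptools eggs"; that should be "is packaged". The distutils to setuptools correction itself is right. The new opening sentence on lines 398-401 is also hard to parse ("divided into the categories of Python packages which implement NDG Security web services and third party packages Globus MyProxy and SimpleCA"); naming the two categories separately would read more clearly.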
     
    435433        MyProxy Certificate Authority.</P> 
    436434</UL> 
    437 <P CLASS="western" ALIGN=JUSTIFY STYLE="margin-left: 0.64cm">These 
    438 two packages should be installed on the target host for MyProxy.</P> 
     435<P CLASS="western" ALIGN=JUSTIFY>These two packages should be 
     436installed on the target host for MyProxy.</P> 
    439437<H1 CLASS="western"><A NAME="4.Installation|outline"></A>4.Installation</H1> 
    440438<P CLASS="western" ALIGN=JUSTIFY>This section is divided into the 
    441 Python installation and MyProxy.  Note that you will almost certainly 
    442 wish to install MyProxy on a separate secure server to the other 
    443 Python based security services.</P> 
    444 <H2 CLASS="western"><A NAME="4.1.Dependencies|outline"></A>4.1Dependencies</H2> 
    445 <H3 CLASS="western"><A NAME="4.1.1.OpenSSL|outline"></A>4.1.1 OpenSSL</H3> 
    446 <P CLASS="western" ALIGN=JUSTIFY>Before proceeding with the 
    447 installation check that an up to date version of OpenSSL is 
    448 installed:</P> 
    449 <TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
    450         <COL WIDTH=596> 
    451         <TR> 
    452                 <TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6"> 
    453                         <P LANG="da-DK" STYLE="margin-bottom: 0cm"><BR> 
    454                         </P> 
    455                         <P LANG="da-DK"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
    456                         openssl version</FONT></P> 
    457                 </TD> 
    458         </TR> 
    459 </TABLE> 
    460 <P CLASS="western" ALIGN=JUSTIFY><BR><BR> 
    461 </P> 
    462 <P CLASS="western" ALIGN=JUSTIFY>0.9.8 or greater is required.  
    463 Should you need to upgrade, OpenSSL is available from 
    464 <A HREF="http://www.openssl.org/source/">http://www.openssl.org/source/</A>. 
    465  Once downloaded, unpack the tarball and follow the installation 
    466 intstructions.</P> 
    467 <H3 CLASS="western"><A NAME="4.1.2.SWIG|outline"></A>4.1.2 SWIG</H3> 
    468 <P CLASS="western">SWIG is a tool to help with bindings from C/C++ to 
    469 interpreted languages such as Python.  The Python OpenSSL wrapper 
    470 M2Crypto uses it and version 1.3.24 or later is required.  Downloads 
    471 are available from, <A HREF="http://www.swig.org/">http://www.swig.org</A>.</P> 
    472 <H2 CLASS="western"><A NAME="4.2.Python Packages|outline"></A>4.2 
    473 Python Packages</H2> 
    474 <P CLASS="western" ALIGN=JUSTIFY>Log in to the target host as <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">root</SPAN></FONT>. 
    475  Change to a suitable directory to hold temporary installation files. 
    476   
    477 </P> 
    478 <H3 CLASS="western"><A NAME="4.2.1.setuptools|outline"></A>4.2.1 
    479 setuptools</H3> 
    480 <P CLASS="western" ALIGN=JUSTIFY>The first step is to install Python 
    481 setuptools, the package that enables the use of Python eggs.  
    482 Download the setuptools bootstrap script:</P> 
    483 <TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
    484         <COL WIDTH=596> 
    485         <TR> 
    486                 <TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6"> 
    487                         <P LANG="da-DK" STYLE="margin-bottom: 0cm"><BR> 
    488                         </P> 
    489                         <P LANG="da-DK"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
    490                         wget http://peak.telecommunity.com/dist/ez_setup.py</FONT></P> 
    491                 </TD> 
    492         </TR> 
    493 </TABLE> 
    494 <P CLASS="western" ALIGN=LEFT><BR><BR> 
    495 </P> 
    496 <P CLASS="western" ALIGN=JUSTIFY>You may need to set the environment 
    497 for a http proxy at your site.  For example,</P> 
    498 <TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
    499         <COL WIDTH=596> 
    500         <TR> 
    501                 <TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6"> 
    502                         <P STYLE="margin-bottom: 0cm"><BR> 
    503                         </P> 
    504                         <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
    505                         export http_proxy=http://yourproxyurl.com:8080</FONT></P> 
    506                 </TD> 
    507         </TR> 
    508 </TABLE> 
    509 <P CLASS="western" ALIGN=JUSTIFY><BR><BR> 
    510 </P> 
    511 <P CLASS="western" ALIGN=JUSTIFY>Run the bootstrap script.  Make sure 
    512 to use the correct version of python in your system path.  Some 
    513 systems may have multiple python versions installed:</P> 
    514 <TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
    515         <COL WIDTH=596> 
    516         <TR> 
    517                 <TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6"> 
    518                         <P STYLE="margin-bottom: 0cm"><BR> 
    519                         </P> 
    520                         <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
    521                         python ez_setup.py</FONT></P> 
    522                 </TD> 
    523         </TR> 
    524 </TABLE> 
    525 <P CLASS="western"><BR><BR> 
    526 </P> 
    527 <P CLASS="western">Once completed, you can delete <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ez_setup.py</SPAN></FONT>.</P> 
    528 <H3 CLASS="western"><A NAME="4.2.2.NDG Security Packages|outline"></A> 
    529 4.2.2 NDG Security Packages</H3> 
    530 <P CLASS="western" ALIGN=JUSTIFY>NDG security uses a wrapper to 
    531 distutils <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">easy_install</SPAN></FONT> 
    532 to enable custom installation steps to be correctly carried out.  
    533 Download the script from the NDG distribution site:</P> 
    534 <TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
    535         <COL WIDTH=596> 
    536         <TR> 
    537                 <TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6"> 
    538                         <P LANG="da-DK" STYLE="margin-bottom: 0cm"><BR> 
    539                         </P> 
    540                         <P LANG="da-DK"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
    541                         wget http://ndg.nerc.ac.uk/dist/ndg-security-install.py</FONT></P> 
    542                 </TD> 
    543         </TR> 
    544 </TABLE> 
    545 <P LANG="da-DK" CLASS="western" ALIGN=JUSTIFY><BR><BR> 
    546 </P> 
    547 <P CLASS="western" ALIGN=JUSTIFY>Now carry out the installation of 
    548 the NDG security python packages:</P> 
    549 <TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
    550         <COL WIDTH=596> 
    551         <TR> 
    552                 <TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6"> 
    553                         <P STYLE="margin-bottom: 0cm"><BR> 
    554                         </P> 
    555                         <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
    556                         python ./ndg-security-install.py -a</FONT></P> 
    557                 </TD> 
    558         </TR> 
    559 </TABLE> 
    560 <P CLASS="western" ALIGN=JUSTIFY><BR><BR> 
    561 </P> 
    562 <P CLASS="western" ALIGN=JUSTIFY>The script options can be checked 
    563 using the –h option.  –a selects all packages for installation.   
    564 If there are problems with the installation, see the Troubleshooting 
    565 Guide in the Appendices section 5.6.</P> 
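Review bot: Line 541 fetches ndg-security-install.py over plain http and line 556 then runs it with python, so the guide has readers execute a script whose origin and integrity are never checked. Serve the script over https if the distribution site supports it, or publish a checksum or detached signature next to it and add a verification step between the wget and the python command.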
    566 <H2 CLASS="western"><A NAME="4.3.NDG Web Services Configuration|outline"></A> 
    567 4.3 NDG Web Services Configuration</H2> 
    568 <H3 CLASS="western"><A NAME="4.3.1.NDG Security System Configuration Files|outline"></A> 
    569 4.3.1 NDG Security System Configuration Files</H3> 
    570 <P CLASS="western" ALIGN=JUSTIFY>Properties files set the 
    571 configuration settings for NDG security <I>server side</I> settings.  
    572 Templates for these are contained within the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndg_security_server</SPAN></FONT> 
    573 installed in your python distribution’s site-packages directory.   
    574 A future version of the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndg-security-install.py</SPAN></FONT> 
    575 script will extract these and install at a suitable location on the 
    576 file system.  For the moment though, this is a manual process.</P> 
    577 <P CLASS="western" ALIGN=JUSTIFY>Create a configuration area under 
    578 your servers <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/etc</SPAN></FONT> 
    579 directory:</P> 
    580 <TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
    581         <COL WIDTH=596> 
    582         <TR> 
    583                 <TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6"> 
    584                         <P STYLE="margin-bottom: 0cm"><BR> 
    585                         </P> 
    586                         <P LANG="da-DK"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
    587                         mkdir /etc/ndg<BR>$ mkdir /etc/ndg/security</FONT></P> 
    588                 </TD> 
    589         </TR> 
    590 </TABLE> 
    591 <P LANG="da-DK" CLASS="western" ALIGN=JUSTIFY><BR><BR> 
    592 </P> 
    593 <P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/etc/ndg/security</SPAN></FONT> 
    594 is recognised by the Python security software by the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">NDGSEC_DIR 
    595 </SPAN></FONT>environment variable.  This variable can be set in the 
    596 environment of the user account used to run the security services or 
    597 can be set in the init scripts used to automatically start up the 
    598 services from server boot up (See sections 4.4.2, 4.4.3 and 4.5.5).</P> 
    599 <P CLASS="western" ALIGN=JUSTIFY>Locate the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndg_security_server</SPAN></FONT> 
    600 egg and copy its <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">conf/</SPAN></FONT> 
    601 directory into the configuration area.  For example if you are using 
    602 python installed in <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/usr/local</SPAN></FONT> 
    603 then the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">conf/</SPAN></FONT> 
    604 directory will be in:</P> 
    605 <TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
    606         <COL WIDTH=596> 
    607         <TR> 
    608                 <TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6"> 
    609                         <P STYLE="margin-bottom: 0cm"><BR> 
    610                         </P> 
    611                         <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">/usr/local/lib/python&lt;python 
    612                         version num&gt;/site-packages/ndg_security_server-&lt;version 
    613                         info&gt;.egg/ndg/security/server/conf</FONT></P> 
    614                 </TD> 
    615         </TR> 
    616 </TABLE> 
    617 <P CLASS="western" ALIGN=JUSTIFY><BR><BR> 
    618 </P> 
    619 <P CLASS="western" ALIGN=JUSTIFY>Copy as follows:</P> 
    620 <TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
    621         <COL WIDTH=596> 
    622         <TR> 
    623                 <TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6"> 
    624                         <P STYLE="margin-bottom: 0cm"><BR> 
    625                         </P> 
    626                         <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ cp 
    627                         /usr/local/lib/python&lt;python version 
    628                         num&gt;/site-packages/ndg_security_server-&lt;version 
    629                         info&gt;.egg/ndg/security/server/conf /etc/ndg/security</FONT></P> 
    630                 </TD> 
    631         </TR> 
    632 </TABLE> 
    633 <P CLASS="western" ALIGN=JUSTIFY><BR><BR> 
    634 </P> 
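Review bot: The copy command at lines 626-629 passes a directory to cp without -r, so cp skips the directory and nothing is copied. Use "cp -r" (or "cp -rp" to preserve modes) so that the result is /etc/ndg/security/conf, which is the path the later $NDGSEC_DIR/conf references rely on.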
    635 <P CLASS="western" ALIGN=JUSTIFY>The <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">conf/</SPAN></FONT> 
    636 directory will contain these important files:</P> 
    637 <UL> 
    638         <LI><P CLASS="western" ALIGN=JUSTIFY>Session Manager and Attribute 
    639         Authority properties XML files</P> 
    640         <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">openssl.conf</SPAN></FONT> 
    641         – used by the Session Manager to configure client connections to 
    642         MyProxy</P> 
    643         <LI><P CLASS="western" ALIGN=JUSTIFY>Special <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">.tac</SPAN></FONT> 
    644         configuration files loaded by the <I>Twisted</I> application server 
    645         used to run Session Manager and Attribute Authority services</P> 
    646         <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">certs/</SPAN></FONT> 
    647         directory for storing X.509 certificates</P> 
    648         <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">mapConfig.xml</SPAN></FONT> 
    649         for role mapping and other trust configuration parameters to enable 
    650         the Attribute Authority to operate with other trusted organisations 
    651         within NDG</P> 
    652         <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">attCertLog/</SPAN></FONT> 
    653         directory for storing Attribute Certificates issued by the Attribute 
    654         Authority.</P> 
    655         <LI><P CLASS="western" ALIGN=JUSTIFY>Logging configuration files: 
    656         <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">sessionMgrLog.cfg 
    657         </SPAN></FONT>and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">attAuthorityLog.cfg</SPAN></FONT></P> 
    658 </UL> 
    659 <P CLASS="western" ALIGN=JUSTIFY>The default location for log files 
    660 set in <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">sessionMgrLog.cfg</SPAN></FONT> 
    661 and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">attAuthorityLog.cfg</SPAN></FONT> 
    662 is <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/log</SPAN></FONT>. 
    663  Create this directory as follows:</P> 
    664 <TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
    665         <COL WIDTH=596> 
    666         <TR> 
    667                 <TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6"> 
    668                         <P STYLE="margin-bottom: 0cm"><BR> 
    669                         </P> 
    670                         <P LANG="es-ES"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
    671                         mkdir /etc/ndg/security/log</FONT></P> 
    672                 </TD> 
    673         </TR> 
    674 </TABLE> 
    675 <P CLASS="western" ALIGN=JUSTIFY><BR><BR> 
    676 </P> 
    677 <P CLASS="western" ALIGN=JUSTIFY>Note that it is possible to run 
    678 security web services under any specified system account and group.  
    679 Ensure that this user has full access to <SPAN LANG="es-ES"><FONT FACE="Lucida Console">/etc/ndg/security</FONT> 
    680 e.g.</SPAN></P> 
    681 <TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
    682         <COL WIDTH=596> 
    683         <TR> 
    684                 <TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6"> 
    685                         <P STYLE="margin-bottom: 0cm"><BR> 
    686                         </P> 
    687                         <P LANG="es-ES"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
    688                         chmod ndg:ndggroup -R /etc/ndg/security</FONT></P> 
    689                 </TD> 
    690         </TR> 
    691 </TABLE> 
    692 <P LANG="es-ES" CLASS="western" ALIGN=JUSTIFY><BR><BR> 
    693 </P> 
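Review bot: Line 688 gives chmod an owner:group argument ("chmod ndg:ndggroup -R /etc/ndg/security"), which chmod rejects as an invalid mode; the command intended here is chown. Since this tree will hold the private keys created in 4.3.2, the guide should also say that access for other users is removed, for example by following the chown with "chmod -R o-rwx /etc/ndg/security".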
    694 <H3 CLASS="western"><A NAME="4.3.2. Certificate Generation|outline"></A> 
    695 4.3.2 Certificate Generation</H3> 
    696 <P CLASS="western" ALIGN=JUSTIFY>The Session Manager and Attribute 
    697 Authority web services require individual X.509 certificates as a 
    698 means to identify them in the various interactions required for user 
    699 registration, authentication and authorisation.  These may be created 
    700 by similar means to the host certificate creation.</P> 
    701 <P CLASS="western" ALIGN=JUSTIFY>Change directory to 
    702 <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/conf/certs</SPAN></FONT>. 
    703  The certificates will be stored here.  Make a new private key and 
    704 certificate request for the Session Manager:</P> 
    705 <TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
    706         <COL WIDTH=610> 
    707         <TR> 
    708                 <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0"> 
    709                         <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR> 
    710                         </P> 
    711                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
    712                         openssl genrsa –out sm-key.pem 2048</FONT></P> 
    713                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
    714                         chmod 400 sm-key.pem</FONT></P> 
    715                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
    716                         openssl req –new –key sm-key.pem –out sm.csr</FONT></P> 
    717                         <P CLASS="western" ALIGN=LEFT><BR> 
    718                         </P> 
    719                 </TD> 
    720         </TR> 
    721 </TABLE> 
    722 <P CLASS="western" ALIGN=JUSTIFY><BR><BR> 
    723 </P> 
    724 <P CLASS="western" ALIGN=JUSTIFY>The private key may be password 
    725 protected if required by adding the –des3 option to the genrsa 
    726 command.   Type in a password when prompted.   The req command will 
    727 prompt you for the components of the Distinguished Name for the new 
    728 certificate.  When prompted for the Common Name, enter 
    729 â€˜SessionManager’.  The other fields can be set as required but by 
    730 convention for NDG, the Organisation field has been set to NDG and 
    731 the Organisation Unit to the individual data provider name e.g. BADC. 
    732  All other fields have been omitted.  You can skip individual fields 
    733 by enter ‘.’ When prompted.</P> 
    734 <P CLASS="western" ALIGN=JUSTIFY>Forward the request file to the 
    735 appropriate CA.  This could be your SimpleCA created for use with 
    736 MyProxy – see MyProxy installation.  The CA will issue a 
    737 certificate file.  Copy this file as 
    738 <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/conf/certs/sm-cert.pem</SPAN></FONT>.<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB"> 
    739 </SPAN></FONT> The request<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"> 
    740 </FONT>file can be deleted once a certificate has been obtained from 
    741 the CA.</P> 
    742 <P CLASS="western" ALIGN=JUSTIFY>Repeat this process for the 
    743 Attribute Authority, selecting ‘AttributeAuthority’ for the 
    744 Common Name<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">.</SPAN></FONT></P> 
    745 <TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
    746         <COL WIDTH=610> 
    747         <TR> 
    748                 <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0"> 
    749                         <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR> 
    750                         </P> 
    751                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
    752                         openssl genrsa –out aa-key.pem 2048</FONT></P> 
    753                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
    754                         chmod 400 aa-key.pem</FONT></P> 
    755                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
    756                         openssl req –new –key aa-key.pem –out aa.csr</FONT></P> 
    757                         <P CLASS="western" ALIGN=LEFT><BR> 
    758                         </P> 
    759                 </TD> 
    760         </TR> 
    761 </TABLE> 
    762 <P CLASS="western" ALIGN=JUSTIFY><BR><BR> 
    763 </P> 
    764 <P CLASS="western" ALIGN=JUSTIFY>It is recommended that the Session 
    765 Manager is run over https to keep user login credentials secured.   A 
    766 server certificate and key will be required in addition to enable 
    767 this.   
    768 </P> 
    769 <P CLASS="western" ALIGN=JUSTIFY>If required, a certificate could be 
    770 issued from your SimpleCA.  Follow the same procedure as used for the 
    771 Session Manager and Attirbute Authority above creating a private key 
    772 and certificate request.  The private key should be generated without 
    773 a password.  When generating the certificate request ensure that the 
    774 Common Name is set to the fully qualified name of the server host.</P> 
    775 <P CLASS="western" ALIGN=JUSTIFY>Once available the certificate and 
    776 private key can be added to the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/conf/certs 
    777 <FONT FACE="Helvetica, sans-serif">directory and can be </FONT><FONT FACE="Helvetica, sans-serif">referenced 
    778 by the Session Manager’s properties file with the </FONT><FONT FACE="Lucida Console">sslCertFile</FONT><FONT FACE="Helvetica, sans-serif"> 
    779 and </FONT><FONT FACE="Lucida Console">sslKeyFile</FONT><FONT FACE="Helvetica, sans-serif"> 
    780 elements respectively.</FONT></SPAN></FONT></P> 
    781 <P CLASS="western" ALIGN=JUSTIFY>A copy of the NDG Certificate 
    782 Authority’s X.509 certificate is also required.  Obtain this from 
    783 the NDG CA administrator and copy it into the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/conf/certs 
    784 </SPAN></FONT>directory.</P> 
    785 <P CLASS="western" STYLE="background: #cccccc">Note that all other 
    786 trusted NDG partner organisations MUST have copies of your CA 
    787 certificate.  If they don't, partner organisations NDG Security 
    788 infrastructures will reject requests from your security services.   
    789 CA certificates are referenced in the Attribute Authority and Session 
    790 Manager properties file settings  <FONT FACE="Lucida Console, DejaVu Sans Mono, sans-serif"><FONT SIZE=2>sslCACertDir</FONT><FONT SIZE=2 STYLE="font-size: 9pt"> 
    791 </FONT></FONT><FONT SIZE=2><FONT FACE="Helvetica, sans-serif">and 
    792 </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, sans-serif">caCertFileList</FONT></FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, sans-serif"><FONT SIZE=2 STYLE="font-size: 9pt">.</FONT></FONT><FONT SIZE=2><FONT FACE="Helvetica, sans-serif"> 
    793  Configuration for Gatekeepers may also need to reference your CA 
    794 certificate.</FONT></FONT></P> 
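Review bot: The openssl commands at lines 712, 716, 752 and 756 have typographic dashes in front of out, new and key (they show up here as "–"), unlike the plain "-a" on line 556, so pasting them into a shell fails; replace them with ASCII hyphens, and do the same for the des3 option named on line 725. In the same section, line 729 has a mis-encoded opening quote before SessionManager, line 733 should read "by entering '.' when prompted", and line 771 spells Attribute as "Attirbute". Lines 772-773 ask for the server key to be generated without a password but, unlike the sm-key.pem and aa-key.pem steps, give no "chmod 400" for it; add one.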
    795 <H2 CLASS="western"><A NAME="4.4.Session Manager Configuration|outline"></A> 
    796 4.4 Session Manager Configuration</H2> 
    797 <P CLASS="western" ALIGN=JUSTIFY>Configuration parameters may be set 
    798 via a properties file.  In addition, the Session Manager can 
    799 optionally make use of a Credential Repository database.  This 
    800 enables the credentials that users acquire during a session to be 
    801 stored so that they may be retrieved.   When installed, the default 
    802 configuration set in the Session Manager Properties file is to <I>not</I> 
    803 use a Credential Repository.   If this is the case, skip this 
    804 section.</P> 
    805 <H3 CLASS="western"><A NAME="_Ref156702859"></A><A NAME="4.4.1.Session Manager Credential Repository|outline"></A> 
    806 4.4.1 Session Manager Credential Repository</H3> 
    807 <P CLASS="western" ALIGN=JUSTIFY>Create the Credential Repository 
    808 database.  In the example below a MySQL database is assumed.   Notes 
    809 on installing MySQL are given in the Appendices section 5.2.  
    810 </P> 
    811 <TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
    812         <COL WIDTH=610> 
    813         <TR> 
    814                 <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0"> 
    815                         <P STYLE="margin-bottom: 0cm"><BR> 
    816                         </P> 
    817                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
    818                         mysql –u root –p</FONT></P> 
    819                         <P CLASS="western" ALIGN=JUSTIFY>mysql&gt; create database 
    820                         ndgCredRepos;</P> 
    821                         <P><BR> 
    822                         </P> 
    823                 </TD> 
    824         </TR> 
    825 </TABLE> 
    826 <P CLASS="western" ALIGN=JUSTIFY><BR>Use the script  
    827 init-credrepos-db to create the tables.  As the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">globus</SPAN></FONT> 
    828 user, run the script.  Enter the password for the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndgUser</SPAN></FONT> 
    829 account when prompted and type <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">yes</SPAN></FONT> 
    830 to confirm creation of the tables:</P> 
    831 <TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
    832         <COL WIDTH=610> 
    833         <TR> 
    834                 <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0"> 
    835                         <P STYLE="margin-bottom: 0cm"><BR> 
    836                         </P> 
    837                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
    838                         init-credrepos-db –u root</FONT></P> 
    839                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Database 
    840                         password:</FONT></P> 
    841                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Are 
    842                         you sure you want to initialise the database tables? (yes/no) yes</FONT></P> 
    843                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Tables 
    844                         created</FONT></P> 
    845                         <P STYLE="margin-bottom: 0cm"><BR> 
    846                         </P> 
    847                         <P><BR> 
    848                         </P> 
    849                 </TD> 
    850         </TR> 
    851 </TABLE> 
    852 <P CLASS="western" ALIGN=JUSTIFY><BR>To check that the tables have 
    853 been created, restart the database client:</P> 
    854 <TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
    855         <COL WIDTH=610> 
    856         <TR> 
    857                 <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0"> 
    858                         <P STYLE="margin-bottom: 0cm"><BR> 
    859                         </P> 
    860                         <P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm">$ 
    861                         mysql –u root –p –D ndgCredRepos</P> 
    862                         <P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm">mysql&gt; 
    863                         show tables;</P> 
    864                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">+------------------------+</FONT></FONT></P> 
    865                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">| 
    866                         Tables_in_ndgCredRepos |</FONT></FONT></P> 
    867                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">+------------------------+</FONT></FONT></P> 
    868                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">| 
    869                         UserCredential         |</FONT></FONT></P> 
    870                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">| 
    871                         UserID                 |</FONT></FONT></P> 
    872                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">+------------------------+</FONT></FONT></P> 
    873                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">2 
    874                         rows in set (0.00 sec)</FONT></FONT></P> 
    875                         <P><BR> 
    876                         </P> 
    877                 </TD> 
    878         </TR> 
    879 </TABLE> 
    880 <P CLASS="western" ALIGN=JUSTIFY><BR><BR> 
    881 </P> 
    882 <P CLASS="western" ALIGN=JUSTIFY>A separate account should be created 
    883 for the Session Manager to access the database.  It should have 
    884 sufficient permissions to be able to read and write records.  For 
    885 details of how to create an account in MySQL see the Appendices 
    886 section 5.2.9.</P> 
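Review bot: Lines 827-838 disagree about which account is in use: the text says to run the script as the globus user and to enter the password for the ndgUser account, but the command shown is init-credrepos-db with the user option set to root, and ndgUser is not introduced anywhere in this section. State which database account the script expects and make the text and the command match. If root is only needed for table creation, say so, and consider moving the advice at lines 882-886 about a separate read/write account ahead of this step so the two roles are clearly distinguished.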
    887 <H3 CLASS="western"><A NAME="4.4.2.Session Manager Properties File Settings|outline"></A> 
    888 4.4.2 Session Manager Properties File Settings</H3> 
    889 <P CLASS="western" ALIGN=JUSTIFY>Edit <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">sessionMgrProperties.xml</SPAN></FONT> 
    890 in <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/conf</SPAN></FONT> 
    891 and modify the default settings:</P> 
    892 <TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
    893         <COL WIDTH=610> 
    894         <TR> 
    895                 <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0"> 
    896                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;?xml 
    897                         version=&quot;1.0&quot; encoding=&quot;utf-8&quot;?&gt;</FONT></FONT></P> 
    898                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;sessMgrProp&gt;</FONT></FONT></P> 
    899                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;portNum&gt;&lt;/portNum&gt;</FONT></FONT></P> 
    900                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;useSSL&gt;Yes&lt;/useSSL&gt; 
    901                         &lt;!-- leave blank to use http --&gt;</FONT></FONT></P> 
    902                         <P STYLE="margin-bottom: 0cm">    
    903                         <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;sslCertFile&gt;$NDGSEC_DIR/conf/certs/server-cert.pem&lt;/sslCertFile&gt;</FONT></FONT></P> 
    904                         <P STYLE="margin-bottom: 0cm">    
    905                         <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;sslKeyFile&gt;&gt;$NDGSEC_DIR/conf/certs/server-key.pem 
    906                         &lt;/sslKeyFile&gt;</FONT></FONT></P> 
    907                         <P STYLE="margin-bottom: 0cm">   <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Lucida Console, DejaVu Sans Mono, sans-serif">&lt;!-- 
    908                         <BR>    Directory containing CA cert.s to verify SSL peer cert 
    909                         against - ignored if useSSL is blank --&gt;<BR>    
    910                         &lt;sslCACertDir&gt;$NDGSEC_DIR/conf/certs/ca&lt;/sslCACertDir&gt;<BR> 
    911                            </FONT>&lt;!--</FONT></FONT></P> 
    912                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">PKI 
    913                         settings for signature of outbound SOAP messages</FONT></FONT></P> 
    914                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--&gt;</FONT></FONT></P> 
    915                         <P STYLE="margin-bottom: 0cm">    
    916                         <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;useSignatureHandler&gt;Yes&lt;/useSignatureHandler&gt; 
    917                         &lt;!-- leave blank for no signature --&gt;</FONT></FONT></P> 
    918                         <P STYLE="margin-bottom: 0cm">    
    919                         <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;certFile&gt;&gt;$NDGSEC_DIR/conf/certs/sm-cert.pem&lt;/certFile&gt;</FONT></FONT></P> 
    920                         <P STYLE="margin-bottom: 0cm">    
    921                         <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;keyFile&gt;&gt;$NDGSEC_DIR/conf/certs/server-key.pem&lt;/keyFile&gt;</FONT></FONT></P> 
    922                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;keyPwd&gt;&lt;/keyPwd&gt;</FONT></FONT></P> 
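Review bot: In the sample properties file, sslKeyFile (line 905), certFile (line 919) and keyFile (line 921) each have a doubled "&gt;&gt;" after the opening tag, which puts a literal ">" at the start of the path value; drop the extra one. keyFile also points at server-key.pem while certFile points at sm-cert.pem, so the signing key does not match the signing certificate; it should reference the sm-key.pem created in 4.3.2. Because keyPwd on line 922 holds the key password in clear text, a comment in the sample about restricting read access to this file would help.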
    923                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, sans-serif"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!-- 
    924                         </FONT></FONT> 
    925                         </P> 
    926                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Lucida Console, DejaVu Sans Mono, sans-serif">CA 
    927                         Certificates used to verify X.509 certs used in peer SOAP 
    928                         messages,<BR>    SSL connections and Attribute Certificates<BR>    
    929                         --&gt;<BR>    &lt;caCertFileList&gt;<BR>         
    930                         &lt;caCertFile&gt;$NDGSEC_DIR/conf/certs/cacert.pem&lt;/caCertFile&gt;<BR> 
    931                            &lt;/caCertFileList&gt;<BR></FONT>    &lt;!-- </FONT></FONT> 
    932                         </P> 
    933                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">Set 
    934                         the certificate used to verify the signature of messages from the </FONT></FONT> 
    935                         </P> 
    936                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">client. 
    937                          This can usually be left blank since the client is expected to </FONT></FONT> 
    938                         </P> 
    939                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">include 
    940                         the cert with the signature in the inbound SOAP message</FONT></FONT></P> 
    941                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--&gt;</FONT></FONT></P> 
    942                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;clntCertFile&gt;&lt;/clntCertFile&gt; 
    943                            </FONT></FONT> 
    944                         </P> 
    945                         <P STYLE="margin-bottom: 0cm">    
    946                         <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;sessMgrEncrKey&gt;&lt;/sessMgrEncrKey&gt;</FONT></FONT></P> 
    947                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;sessMgrURI&gt;&lt;/sessMgrURI&gt;</FONT></FONT></P> 
    948                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;cookieDomain&gt;&lt;/cookieDomain&gt;</FONT></FONT></P> 
    949                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;myProxyProp&gt;</FONT></FONT></P> 
    950                         <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!-- 
    951                         </FONT></FONT> 
    952                         </P> 
    953                         <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">Delete 
    954                         this element and take setting from MYPROXY_SERVER environment </FONT></FONT> 
    955                         </P> 
    956                         <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">variable 
    957                         if required</FONT></FONT></P> 
    958                         <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--&gt;</FONT></FONT></P> 
    959                         <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;hostname&gt;ENTER 
    960                         THE FULLY QUALIFIED HOSTNAME OF THE SERVER&lt;/hostname&gt;</FONT></FONT></P> 
    961                         <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!-- 
    962                         </FONT></FONT> 
    963                         </P> 
    964                         <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">Delete 
    965                         this element to take default setting 7512 or read </FONT></FONT> 
    966                         </P> 
    967                         <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><SPAN LANG="fr-FR">MYPROXY_SERVER_PORT 
    968                         setting</SPAN></FONT></FONT></P> 
    969                         <P LANG="fr-FR" STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--&gt;</FONT></FONT></P> 
    970                         <P LANG="fr-FR" STYLE="margin-bottom: 0cm">           
    971                         <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;port&gt;7512&lt;/port&gt;</FONT></FONT></P> 
    972                         <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!--</FONT></FONT></P> 
    973                         <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">Useful 
    974                         if hostname and certificate CN don't match correctly.  Globus </FONT></FONT> 
    975                         </P> 
    976                         <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">host 
    977                         DN is set to &quot;host/&lt;fqdn&gt;&quot;.  Delete this element 
    978                         and set from </FONT></FONT> 
    979                         </P> 
    980                         <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">MYPROXY_SERVER_DN 
    981                         environment variable if prefered</FONT></FONT></P> 
    982                         <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;serverDN&gt;&lt;/serverDN&gt;</FONT></FONT></P> 
    983                         <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--&gt;</FONT></FONT></P> 
    984                         <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!--</FONT></FONT></P> 
    985                         <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">Set 
    986                         &quot;host/&quot; prefix to host cert CN as is default with globus</FONT></FONT></P> 
    987                         <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--&gt;</FONT></FONT></P> 
    988                         <P STYLE="margin-bottom: 0cm">           
    989                         <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;serverCNprefix&gt;host/&lt;/serverCNprefix&gt; </FONT></FONT></P> 
    990                         <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!--</FONT></FONT></P> 
    991                         <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">This 
    992                         directory path is used to locate the OpenSSL configuration file</FONT></FONT></P> 
    993                         <P STYLE="margin-bottom: 0cm">            
    994                         </P> 
    995                         <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">The 
    996                         settings are used to set up the defaults for the Distinguished 
    997                         Name of</FONT></FONT></P> 
    998                         <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">the 
    999                         new proxy cert. issued </FONT></FONT> 
    1000                         </P> 
    1001                         <P STYLE="margin-bottom: 0cm">            
    1002                         </P> 
    1003                         <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">GLOBUS_LOCATION 
    1004                         or GRID_SECURITY_DIR environment variables may be used</FONT></FONT></P> 
    1005                         <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">but 
    1006                         the settings can be independent of any Globus installation</FONT></FONT></P> 
    1007                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><BR> 
    1008                                   --&gt;</FONT></FONT></P> 
    1009                         <P STYLE="margin-bottom: 0cm">           
    1010                         <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;openSSLConfFilePath&gt;$NDGSEC_DIR/conf/openssl.conf&lt;/openSSLConfFilePath&gt;</FONT></FONT></P> 
    1011                         <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;tmpDir&gt;/tmp&lt;/tmpDir&gt;</FONT></FONT></P> 
    1012                         <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!-- 
    1013                         </FONT></FONT> 
    1014                         </P> 
    1015                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">      
    1016                                   Limit on maximum lifetime any proxy certificate can have 
    1017                         - </FONT></FONT> 
    1018                         </P> 
    1019                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">      
    1020                                   specified when a certificate is first created by store() 
    1021                         method</FONT></FONT></P> 
    1022                         <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--&gt;</FONT></FONT></P> 
    1023                         <P STYLE="margin-bottom: 0cm">           
    1024                         <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;proxyCertMaxLifetime&gt;24&lt;/proxyCertMaxLifetime&gt; 
    1025                         &lt;!-- in hours --&gt;</FONT></FONT></P> 
    1026                         <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!-- 
    1027                         </FONT></FONT> 
    1028                         </P> 
    1029                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">      
    1030                                   Life time of a proxy certificate when issued from the 
    1031                         Proxy Server </FONT></FONT> 
    1032                         </P> 
    1033                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">      
    1034                                   with getDelegation() method</FONT></FONT></P> 
    1035                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">      
    1036                                   --&gt;</FONT></FONT></P> 
    1037                         <P STYLE="margin-bottom: 0cm">           
    1038                         <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;proxyCertLifetime&gt;8&lt;/proxyCertLifetime&gt; 
    1039                         &lt;!-- in hours --&gt;</FONT></FONT></P> 
    1040                         <P STYLE="margin-bottom: 0cm">           
    1041                         <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><SPAN LANG="fr-FR">&lt;caCertFile&gt;$NDGSEC_DIR/conf/certs/cacert.pem&lt;/caCertFile&gt;</SPAN></FONT></FONT></P> 
    1042                         <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">        &lt;/myProxyProp&gt;</FONT></FONT></P> 
    1043                         <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">        &lt;simpleCACltProp&gt; 
    1044                         </FONT></FONT> 
    1045                         </P> 
    1046                         <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">         
    1047                            &lt;uri&gt;&lt;/uri&gt;</FONT></FONT></P> 
    1048                         <P LANG="fr-FR" STYLE="margin-bottom: 0cm">        
    1049                         <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;xmlSigKeyFile&gt;&lt;/xmlSigKeyFile&gt;</FONT></FONT></P> 
    1050                         <P LANG="fr-FR" STYLE="margin-bottom: 0cm">        
    1051                         <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;xmlSigCertFile&gt;&lt;/xmlSigCertFile&gt;</FONT></FONT></P> 
    1052                         <P LANG="fr-FR" STYLE="margin-bottom: 0cm">        
    1053                         <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;xmlSigCertPwd&gt;&lt;/xmlSigCertPwd&gt;</FONT></FONT></P> 
    1054                         <P LANG="fr-FR" STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;/simpleCACltProp&gt;</FONT></FONT></P> 
    1055                         <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">        &lt;!--</FONT></FONT></P> 
    1056                         <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">        &lt;simpleCASrvProp&gt;</FONT></FONT></P> 
    1057                         <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">         
    1058                            &lt;certExpiryDate&gt;&lt;/certExpiryDate&gt;</FONT></FONT></P> 
    1059                         <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">         
    1060                            &lt;certLifetimeDays&gt;&lt;/certLifetimeDays&gt;</FONT></FONT></P> 
    1061                         <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">         
    1062                            &lt;certTmpDir&gt;&lt;/certTmpDir&gt;</FONT></FONT></P> 
    1063                         <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">         
    1064                            &lt;caCertFile&gt;&lt;/caCertFile&gt;</FONT></FONT></P> 
    1065                         <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">         
    1066                            &lt;signExe&gt;&lt;/signExe&gt;</FONT></FONT></P> 
    1067                         <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">         
    1068                            &lt;path&gt;&lt;/path&gt;</FONT></FONT></P> 
    1069                         <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">        &lt;/simpleCASrvProp&gt;</FONT></FONT></P> 
    1070                         <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">        --&gt;</FONT></FONT></P> 
    1071                         <P LANG="fr-FR" STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;credReposProp&gt;</FONT></FONT></P> 
    1072                         <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">         
    1073                            &lt;modFilePath&gt;&lt;/modFilePath&gt;</FONT></FONT></P> 
    1074                         <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">         
    1075                            &lt;modName&gt;ndg.security.common.CredWallet&lt;/modName&gt;</FONT></FONT></P> 
    1076                         <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">         
    1077                            &lt;className&gt;NullCredRepos&lt;/className&gt;</FONT></FONT></P> 
    1078                         <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">         
    1079                            &lt;propFile&gt;&lt;/propFile&gt;</FONT></FONT></P> 
    1080                         <P LANG="fr-FR" STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;/credReposProp&gt;</FONT></FONT></P> 
    1081                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;/sessMgrProp&gt;</FONT></FONT></P> 
    1082                         <P>  
    1083                         </P> 
    1084                 </TD> 
    1085         </TR> 
    1086 </TABLE> 
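Review bot: in the myProxyProp block the serverDN comment closes after the element instead of before it, so <serverDN></serverDN> is itself commented out, yet the comment text says "Delete this element" in the same way as the hostname and port comments, whose elements are live. Either move the closing --> above <serverDN> to match those two, or reword the comment to say the element is disabled and has to be uncommented to take effect; "prefered" should read "preferred". Also, this file has slots for sessMgrEncrKey and xmlSigCertPwd, so if the guide does not already say so elsewhere, the section should tell installers to restrict read access on the properties file to the service account.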
    1087 <P CLASS="western" ALIGN=JUSTIFY><BR><BR> 
    1088 </P> 
    1089 <P CLASS="western" ALIGN=JUSTIFY><B>Notes</B></P> 
    1090 <UL> 
    1091         <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB"><FONT FACE="Helvetica, sans-serif">The 
    1092         property file reading software will expand any environment variables 
    1093         included in the file.</FONT></SPAN></FONT></P> 
    1094         <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">openssl.conf<FONT FACE="Helvetica, sans-serif"> 
    1095         file uses the standard OpenSSL configuration file format.  It is 
    1096         used by the Session Manager MyProxy client to formulate a 
    1097         certificate request for a proxy certificate generated for a users 
    1098         session when they login.  An example is given below.  The important 
    1099         section to reference is </FONT>[ req_distinguished_name ]</SPAN></FONT></P> 
    1100 </UL> 
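Review bot: wording in the second bullet, "a users session when they login" should be "a user's session when they log in". The bullet also names [ req_distinguished_name ] as the important section without saying whether the Session Manager reads the rest of openssl.conf; one extra sentence stating which sections are actually used would tell the installer what they need to edit and what they can leave alone.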
    1101 <P CLASS="western" ALIGN=JUSTIFY><BR><BR> 
    1102 </P> 
    1103 <TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
    1104         <COL WIDTH=610> 
    1105         <TR> 
    1106                 <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0"> 
    1107                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#</FONT></FONT></P> 
    1108                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"># 
    1109                         SSLeay example configuration file.</FONT></FONT></P> 
    1110                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"># 
    1111                         This is mostly being used for generation of certificate requests.</FONT></FONT></P> 
    1112                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#</FONT></FONT></P> 
    1113                         <P STYLE="margin-bottom: 0cm"><BR> 
    1114                         </P> 
    1115                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">RANDFILE 
    1116                                        = $ENV::HOME/.rnd</FONT></FONT></P> 
    1117                         <P STYLE="margin-bottom: 0cm"><BR> 
    1118                         </P> 
    1119                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">####################################################################</FONT></FONT></P> 
    1120                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">[ 
    1121                         ca ]</FONT></FONT></P> 
    1122                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">default_ca 
    1123                              = CA_default            # The default ca section</FONT></FONT></P> 
    1124                         <P STYLE="margin-bottom: 0cm"><BR> 
    1125                         </P> 
    1126                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">####################################################################</FONT></FONT></P> 
    1127                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">[ 
    1128                         CA_default ]</FONT></FONT></P> 
    1129                         <P STYLE="margin-bottom: 0cm"><BR> 
    1130                         </P> 
    1131                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">dir 
    1132                                     = ./demoCA              # Where everything is kept</FONT></FONT></P> 
    1133                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">certs 
    1134                                   = $dir/certs            # Where the issued certs are 
    1135                         kept</FONT></FONT></P> 
    1136                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">crl_dir 
    1137                                 = $dir/crl              # Where the issued crl are kept</FONT></FONT></P> 
    1138                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">database 
    1139                                = $dir/index.txt        # database index file.</FONT></FONT></P> 
    1140                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">new_certs_dir 
    1141                           = $dir/newcerts         # default place for new certs.</FONT></FONT></P> 
    1142                         <P STYLE="margin-bottom: 0cm"><BR> 
    1143                         </P> 
    1144                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">certificate 
    1145                             = $dir/cacert.pem       # The CA certificate</FONT></FONT></P> 
    1146                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">serial 
    1147                                  = $dir/serial           # The current serial number</FONT></FONT></P> 
    1148                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">crl 
    1149                                     = $dir/crl.pem          # The current CRL</FONT></FONT></P> 
    1150                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">private_key 
    1151                             = $dir/private/cakey.pem# The private key</FONT></FONT></P> 
    1152                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">RANDFILE 
    1153                                = $dir/private/.rand    # private random number file</FONT></FONT></P> 
    1154                         <P STYLE="margin-bottom: 0cm"><BR> 
    1155                         </P> 
    1156                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">x509_extensions 
    1157                         = x509v3_extensions     # The extentions to add to the cert</FONT></FONT></P> 
    1158                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">default_days 
    1159                            = 365                   # how long to certify for</FONT></FONT></P> 
    1160                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">default_crl_days= 
    1161                         365 # DEE 30  # how long before next CRL</FONT></FONT></P> 
    1162                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">default_md 
    1163                              = md5                   # which md to use.</FONT></FONT></P> 
    1164                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">preserve 
    1165                                = no                    # keep passed DN ordering</FONT></FONT></P> 
    1166                         <P STYLE="margin-bottom: 0cm"><BR> 
    1167                         </P> 
    1168                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"># 
    1169                         A few difference way of specifying how similar the request should 
    1170                         look</FONT></FONT></P> 
    1171                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"># 
    1172                         For type CA, the listed attributes must be the same, and the 
    1173                         optional</FONT></FONT></P> 
    1174                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"># 
    1175                         and supplied fields are just that :-)</FONT></FONT></P> 
    1176                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">policy 
    1177                                  = policy_match</FONT></FONT></P> 
    1178                         <P STYLE="margin-bottom: 0cm"><BR> 
    1179                         </P> 
    1180                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"># 
    1181                         For the CA policy</FONT></FONT></P> 
    1182                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">[ 
    1183                         policy_match ]</FONT></FONT></P> 
    1184                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">countryName 
    1185                                     = optional</FONT></FONT></P> 
    1186                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">stateOrProvinceName 
    1187                             = optional</FONT></FONT></P> 
    1188                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">organizationName 
    1189                                = match</FONT></FONT></P> 
    1190                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">organizationalUnitName 
    1191                          = optional</FONT></FONT></P> 
    1192                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">commonName 
    1193                                      = supplied</FONT></FONT></P> 
    1194                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">emailAddress 
    1195                                    = optional</FONT></FONT></P> 
    1196                         <P STYLE="margin-bottom: 0cm"><BR> 
    1197                         </P> 
    1198                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"># 
    1199                         For the 'anything' policy</FONT></FONT></P> 
    1200                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"># 
    1201                         At this point in time, you must list all acceptable 'object'</FONT></FONT></P> 
    1202                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"># 
    1203                         types.</FONT></FONT></P> 
    1204                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">[ 
    1205                         policy_anything ]</FONT></FONT></P> 
    1206                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">countryName 
    1207                                     = optional</FONT></FONT></P> 
    1208                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">stateOrProvinceName 
    1209                             = optional</FONT></FONT></P> 
    1210                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">localityName 
    1211                                    = optional</FONT></FONT></P> 
    1212                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">organizationName 
    1213                                = optional</FONT></FONT></P> 
    1214                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">organizationalUnitName 
    1215                          = optional</FONT></FONT></P> 
    1216                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">commonName 
    1217                                      = supplied</FONT></FONT></P> 
    1218                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">emailAddress 
    1219                                    = optional</FONT></FONT></P> 
    1220                         <P STYLE="margin-bottom: 0cm"><BR> 
    1221                         </P> 
    1222                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">####################################################################</FONT></FONT></P> 
    1223                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">[ 
    1224                         req ]</FONT></FONT></P> 
    1225                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">default_bits 
    1226                                    = 1024</FONT></FONT></P> 
    1227                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">default_keyfile 
    1228                                 = privkey.pem</FONT></FONT></P> 
    1229                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">distinguished_name 
    1230                              = req_distinguished_name</FONT></FONT></P> 
    1231                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">req_extensions 
    1232                                  = v3_req</FONT></FONT></P> 
    1233                         <P STYLE="margin-bottom: 0cm"><BR> 
    1234                         </P> 
    1235                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">[ 
    1236                         req_distinguished_name ]</FONT></FONT></P> 
    1237                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"># 
    1238                         BEGIN CONFIG</FONT></FONT></P> 
    1239                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">0.organizationName 
    1240                                       = Level 0 Organization</FONT></FONT></P> 
    1241                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">0.organizationName_default 
    1242                               = NDG</FONT></FONT></P> 
    1243                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">0.organizationalUnitName 
    1244                                  = Level 0 Organizational Unit</FONT></FONT></P> 
    1245                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">0.organizationalUnitName_default 
    1246                         = BADC</FONT></FONT></P> 
    1247                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#1.organizationalUnitName 
    1248                                  = Level 1 Organizational Unit</FONT></FONT></P> 
    1249                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#1.organizationalUnitName_default 
    1250                         = localdomain</FONT></FONT></P> 
    1251                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">commonName 
    1252                                              = Name (e.g., John M. Smith)</FONT></FONT></P> 
    1253                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">commonName_max 
    1254                                          = 64</FONT></FONT></P> 
    1255                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"># 
    1256                         END CONFIG</FONT></FONT></P> 
    1257                         <P STYLE="margin-bottom: 0cm"><BR> 
    1258                         </P> 
    1259                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">[ 
    1260                         v3_req ]</FONT></FONT></P> 
    1261                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">nsCertType 
    1262                                              = objsign,email,server,client</FONT></FONT></P> 
    1263                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">basicConstraints 
    1264                                        = critical,CA:false</FONT></FONT></P> 
    1265                         <P><BR> 
    1266                         </P> 
    1267                 </TD> 
    1268         </TR> 
    1269 </TABLE> 
    1270 <P CLASS="western" ALIGN=JUSTIFY><BR><BR> 
    1271 </P> 
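Review bot: `default_bits = 1024` in the `[ req ]` section (new lines 1225-1226) sets the default size for keys generated with this sample config to 1024 bits; the documented default should be at least 2048. In `[ v3_req ]`, `nsCertType = objsign,email,server,client` marks every requested certificate for all four uses, so consider documenting a narrower value per certificate role. It would also help to add a sentence saying which values between the `# BEGIN CONFIG` and `# END CONFIG` markers a site is expected to change, since `NDG` and `BADC` are shown as defaults.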
    1272 <H3 CLASS="western"><A NAME="_Ref175134983"></A><A NAME="_Ref179772391"></A><A NAME="4.4.3.SysV-style Boot Script|outline"></A> 
    1273 4.4.3 SysV-style Boot Script</H3> 
    1274 <P CLASS="western" ALIGN=JUSTIFY>The Session Manager can be 
    1275 configured to start up at system boot of the host machine.  A SysV 
    1276 style start up script <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndg-sm</SPAN></FONT> 
    1277 is provided in the installation in:</P> 
    1278 <P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/usr/local/lib/python</SPAN></FONT>&lt;python 
    1279 version num&gt;<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/site-packages/ndg_security_server</SPAN></FONT>-&lt;version 
    1280 info&gt;<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">.egg/ndg/security/server/share 
    1281  </SPAN></FONT> 
    1282 </P> 
    1283 <P CLASS="western" ALIGN=JUSTIFY>To configure, install this file:</P> 
    1284 <TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
    1285         <COL WIDTH=602> 
    1286         <TR> 
    1287                 <TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0"> 
    1288                         <P STYLE="margin-bottom: 0cm"><BR> 
    1289                         </P> 
    1290                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
    1291                         cp /usr/local/lib/python&lt;python version 
    1292                         num&gt;/site-packages/ndg_security_server-&lt;version 
    1293                         info&gt;.egg/ndg/security/server<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB"> 
    1294                         /share/ndg-sm /etc/rc.d/init.d</SPAN></FONT></FONT></P> 
    1295                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$ 
    1296                         chkconfig --add ndg-sm</SPAN></FONT></FONT></P> 
    1297                         <P><BR> 
    1298                         </P> 
    1299                 </TD> 
    1300         </TR> 
    1301 </TABLE> 
    1302 <P CLASS="western" ALIGN=JUSTIFY><BR><BR> 
    1303 </P> 
    1304 <P CLASS="western" ALIGN=JUSTIFY>Edit the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndg-sm</SPAN></FONT> 
    1305 so that it uses the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">NDGSEC_DIR</SPAN></FONT> 
    1306 environment variable to point to the correct location of the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">.tac</SPAN></FONT> 
    1307 file in the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">conf/</SPAN></FONT> 
    1308 directory. User and group ID settings can be made to run under 
    1309 alternative account to root.  If used ensure that <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR</SPAN></FONT> 
    1310 is set with the necessary permissions to enable access.   
    1311 </P> 
    1312 <P CLASS="western" ALIGN=JUSTIFY>Note that the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">chkconfig</SPAN></FONT> 
    1313 command may not be available on your target machine.  Please refer to 
    1314 instructions for your particular Linux distribution.</P> 
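Review bot: the paragraph at new lines 1304-1310 treats running under an account other than root as optional ("User and group ID settings can be made..."); for a service started at boot the guide should recommend a dedicated unprivileged account and state which permissions `$NDGSEC_DIR` needs, given that key files live under `$NDGSEC_DIR/conf/certs` elsewhere in this guide. The `cp` into `/etc/rc.d/init.d` and the `chkconfig --add` are shown with a `$` prompt although both need root, so say so. Wording: "Edit the ndg-sm so that" is missing a noun (for example "the ndg-sm script") and "under alternative account to root" is missing an article.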
    1315 <H2 CLASS="western"><A NAME="4.5.Attribute Authority Configuration|outline"></A> 
    1316 4.5 Attribute Authority Configuration</H2> 
    1317 <P CLASS="western" ALIGN=JUSTIFY>The Attribute Authority also has a 
    1318 properties file for the setting of configuration parameters.</P> 
    1319 <H3 CLASS="western"><A NAME="4.5.1.Attribute Authority Properties File Settings|outline"></A> 
    1320 4.5.1Attribute Authority Properties File Settings</H3> 
    1321 <P CLASS="western" ALIGN=JUSTIFY>Edit <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">attAuthorityProperties.xml</SPAN></FONT> 
    1322 in <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/conf</SPAN></FONT> 
    1323 and modify the default settings:</P> 
    1324 <TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
    1325         <COL WIDTH=610> 
    1326         <TR> 
    1327                 <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0"> 
    1328                         <P STYLE="margin-bottom: 0cm"><BR> 
    1329                         </P> 
    1330                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;?xml 
    1331                         version=&quot;1.0&quot; encoding=&quot;utf-8&quot;?&gt;</FONT></FONT></P> 
    1332                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;AAprop&gt;</FONT></FONT></P> 
    1333                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!-- 
    1334                         </FONT></FONT> 
    1335                         </P> 
    1336                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">'name' 
    1337                         setting MUST agree with map config file 'thisHost' name attribute</FONT></FONT></P> 
    1338                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--&gt;</FONT></FONT></P> 
    1339                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;name&gt;Organisation 
    1340                         Identifier&lt;/name&gt; </FONT></FONT> 
    1341                         </P> 
    1342                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;portNum&gt;SELECT 
    1343                         A SUITABLE PORT NUMBER FOR RUNNING THE SERVICE&lt;/portNum&gt;</FONT></FONT></P> 
    1344                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!--</FONT></FONT></P> 
    1345                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">PKI 
    1346                         settings for transport level encryption</FONT></FONT></P> 
    1347                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--&gt;</FONT></FONT></P> 
    1348                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;useSSL&gt;&lt;/useSSL&gt; 
    1349                         &lt;!-- leave blank to use http --&gt;</FONT></FONT></P> 
    1350                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;sslCertFile&gt;&lt;/sslCertFile&gt;</FONT></FONT></P> 
    1351                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;sslKeyFile&gt;&lt;/sslKeyFile&gt;</FONT></FONT></P> 
    1352                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;sslKeyPwd&gt;&lt;/sslKeyPwd&gt;</FONT></FONT></P> 
    1353                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Lucida Console, DejaVu Sans Mono, sans-serif">&lt;!-- 
    1354                         <BR>       Directory containing CA cert.s to verify SSL peer cert 
    1355                         against - ignored if useSSL is blank --&gt;<BR>       
    1356                         &lt;sslCACertDir&gt;$NDGSEC_DIR/conf/certs/ca&lt;/sslCACertDir&gt;<BR></FONT> 
    1357                            &lt;!--</FONT></FONT></P> 
    1358                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">PKI 
    1359                         settings for signature of outbound SOAP messages</FONT></FONT></P> 
    1360                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--&gt;</FONT></FONT></P> 
    1361                         <P STYLE="margin-bottom: 0cm">    
    1362                         <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;useSignatureHandler&gt;Yes&lt;/useSignatureHandler&gt; 
    1363                         &lt;!-- leave blank for no signature --&gt;</FONT></FONT></P> 
    1364                         <P STYLE="margin-bottom: 0cm">         <FONT FACE="Lucida Console, DejaVu Sans Mono, sans-serif"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!-- 
    1365                         </FONT></FONT> 
    1366                         </P> 
    1367                         <P STYLE="margin-bottom: 0cm">         <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Lucida Console, DejaVu Sans Mono, sans-serif">CA 
    1368                         Certificates used to verify X.509 certs used in peer SOAP 
    1369                         messages,<BR>         SSL connections and Attribute Certificates<BR> 
    1370                                 --&gt;<BR>        &lt;caCertFileList&gt;<BR>             
    1371                         &lt;caCertFile&gt;$NDGSEC_DIR/conf/certs/cacert.pem&lt;/caCertFile&gt;<BR> 
    1372                                &lt;/caCertFileList&gt;<BR></FONT>    
    1373                         &lt;keyFile&gt;$NDGSEC_DIR/conf/certs/aa-key.pem &lt;/keyFile&gt;</FONT></FONT></P> 
    1374                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;keyPwd&gt;&lt;/keyPwd&gt;</FONT></FONT></P> 
    1375                         <P STYLE="margin-bottom: 0cm">    
    1376                         <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;caCertFile&gt;$NDGSEC_DIR/conf/certs/cacert.pem 
    1377                         &lt;/caCertFile&gt;</FONT></FONT></P> 
    1378                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!-- 
    1379                         </FONT></FONT> 
    1380                         </P> 
    1381                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">Set 
    1382                         the certificate used to verify the signature of messages from the </FONT></FONT> 
    1383                         </P> 
    1384                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">client. 
    1385                          This can usually be left blank since the client is expected to </FONT></FONT> 
    1386                         </P> 
    1387                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">include 
    1388                         the cert with the signature in the inbound SOAP message</FONT></FONT></P> 
    1389                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--&gt;</FONT></FONT></P> 
    1390                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;clntCertFile&gt;&lt;/clntCertFile&gt; 
    1391                            </FONT></FONT> 
    1392                         </P> 
    1393                         <P STYLE="margin-bottom: 0cm">    
    1394                         <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;attCertLifetime&gt;86400&lt;/attCertLifetime&gt; 
    1395                         &lt;!-- Measured in seconds --&gt;</FONT></FONT></P> 
    1396                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!-- 
    1397                         </FONT></FONT> 
    1398                         </P> 
    1399                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">Allow 
    1400                         an offset for clock skew between servers running </FONT></FONT> 
    1401                         </P> 
    1402                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">security 
    1403                         services.  - Use minus sign for time in the past</FONT></FONT></P> 
    1404                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--&gt;</FONT></FONT></P> 
    1405                         <P STYLE="margin-bottom: 0cm">    
    1406                         <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;attCertNotBeforeOff&gt;0&lt;/attCertNotBeforeOff&gt;</FONT></FONT></P> 
    1407                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!-- 
    1408                         Location of role mapping file --&gt;</FONT></FONT></P> 
    1409                         <P STYLE="margin-bottom: 0cm">    
    1410                         <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;mapConfigFile&gt;$NDGSEC_DIR/conf/mapConfig.xml&lt;/mapConfigFile&gt;</FONT></FONT></P> 
    1411                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!-- 
    1412                         All Attribute Certificates issued are recorded in this dir --&gt;</FONT></FONT></P> 
    1413                         <P STYLE="margin-bottom: 0cm">    
    1414                         <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;attCertDir&gt;$NDGSEC_DIR/conf/attCertLog&lt;/attCertDir&gt;</FONT></FONT></P> 
    1415                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!-- 
    1416                         </FONT></FONT> 
    1417                         </P> 
    1418                         <P STYLE="margin-bottom: 0cm">     <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">Files 
    1419                         in attCertDir are stored using a rotating file handler</FONT></FONT></P> 
    1420                         <P STYLE="margin-bottom: 0cm">     <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">attCertFileLogCnt 
    1421                         sets the max number of files created before the first is</FONT></FONT></P> 
    1422                         <P STYLE="margin-bottom: 0cm">     <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">overwritten</FONT></FONT></P> 
    1423                         <P STYLE="margin-bottom: 0cm">     <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--&gt;</FONT></FONT></P> 
    1424                         <P STYLE="margin-bottom: 0cm">    
    1425                         <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;attCertFileName&gt;ac.xml&lt;/attCertFileName&gt;</FONT></FONT></P> 
    1426                         <P STYLE="margin-bottom: 0cm">    
    1427                         <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;attCertFileLogCnt&gt;1024&lt;/attCertFileLogCnt&gt;</FONT></FONT></P> 
    1428                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;dnSeparator&gt;/&lt;/dnSeparator&gt;</FONT></FONT></P> 
    1429                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!-- 
    1430                         </FONT></FONT> 
    1431                         </P> 
    1432                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">Settings 
    1433                         for custom AAUserRoles derived class to get user roles for</FONT></FONT></P> 
    1434                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">given 
    1435                         user ID</FONT></FONT></P> 
    1436                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--&gt;</FONT></FONT></P> 
    1437                         <P STYLE="margin-bottom: 0cm">    
    1438                         <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;userRolesModFilePath&gt;$NDGSEC_DIR/conf&lt;/userRolesModFilePath&gt;</FONT></FONT></P> 
    1439                         <P STYLE="margin-bottom: 0cm">    
    1440                         <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;userRolesModName&gt;userRoles&lt;/userRolesModName&gt;</FONT></FONT></P> 
    1441                         <P STYLE="margin-bottom: 0cm">    
    1442                         <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;userRolesClassName&gt;UserRoles&lt;/userRolesClassName&gt;</FONT></FONT></P> 
    1443                         <P STYLE="margin-bottom: 0cm">    
    1444                         <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;userRolesPropFile&gt;$NDGSEC_DIR/conf/userRoles.cfg&lt;/userRolesPropFile&gt;</FONT></FONT></P> 
    1445                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;/AAprop&gt;</FONT></FONT></P> 
    1446                         <P>  
    1447                         </P> 
    1448                 </TD> 
    1449         </TR> 
    1450 </TABLE> 
    1451 <P CLASS="western" ALIGN=JUSTIFY><BR><BR> 
    1452 </P> 
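Review bot: the sample `attAuthorityProperties.xml` has `<useSSL></useSSL>` blank, which by its own comment means http, so a site that copies the file as shown runs the Attribute Authority without transport encryption; show the SSL settings filled in with placeholders, or state when http is acceptable. `sslKeyPwd` and `keyPwd` put private-key passwords in this file, so the text should state the file permissions expected on it. `caCertFile` appears twice with the same path, once inside `caCertFileList` and once on its own after `keyPwd` (new lines 1376-1377); say which one is read or drop the duplicate. The `keyFile` and standalone `caCertFile` values have whitespace before the closing tag, which a reader may paste into a real path. The heading at new line 1320 reads `4.5.1Attribute` and is missing a space.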
    1453 <H3 CLASS="western"><A NAME="4.5.2.User Roles Interface|outline"></A>4.5.2 
    1454 User Roles Interface</H3> 
    1455 <P CLASS="western" ALIGN=JUSTIFY>The Attribute Authority given a 
    1456 valid user proxy certificate serves an attribute certificate 
    1457 containing authorisation roles for that user.  It is for the data 
    1458 centre to determine how these roles map to the users identity as 
    1459 given by their Distinguished Name given in the proxy certificate.  
    1460 Typically, a data centre might have a user database which relates 
    1461 user id to authorisation roles.</P> 
    1462 <P CLASS="western" ALIGN=JUSTIFY>The Attribute Authority provides a 
    1463 programmatic interface to determine the roles to user id 
    1464 relationship.   A custom python class may be written to perform this 
    1465 task.   See the Appendices section 5.5.</P> 
    1466 <H3 CLASS="western"><A NAME="4.5.3.Role Mapping|outline"></A>4.5.3 
    1467 Role Mapping</H3> 
    1468 <P CLASS="western" ALIGN=JUSTIFY>The role mapping file is stored in 
    1469 the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/conf</SPAN></FONT> 
    1470 directory as <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">mapConfig.xml</SPAN></FONT>. 
    1471  This is an XML file which relates local roles at the target data 
    1472 centre to roles of other trusted data centres.  These role mapping 
    1473 are made by agreement between data centres.</P> 
    1474 <TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
    1475         <COL WIDTH=610> 
    1476         <TR> 
    1477                 <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0"> 
    1478                         <P STYLE="margin-bottom: 0cm"><BR> 
    1479                         </P> 
    1480                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;?xml 
    1481                         version=&quot;1.0&quot; encoding=&quot;utf-8&quot;?&gt;</FONT></P> 
    1482                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;AAmap&gt;</FONT></P> 
    1483                         <P STYLE="margin-bottom: 0cm">     <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;thisHost 
    1484                         name=&quot;yourSiteIdentifier&quot;&gt;</FONT></P> 
    1485                         <P STYLE="margin-bottom: 0cm">          
    1486                         <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;aaURI&gt;yourSiteAttAuthorityURI&lt;/aaURI&gt;</FONT></P> 
    1487                         <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;aaDN&gt;the 
    1488                         DN for the Attribute Authority’s X.509 Cert.&lt;/aaDN&gt;</FONT></P> 
    1489                         <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;loginURI&gt;Your 
    1490                         Site Login Page URI (https expected)&lt;/loginURI&gt;</FONT></P> 
    1491                         <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;loginServerDN&gt;The 
    1492                         DN of loginURI’s SSL cert.&lt;/loginServerDN&gt;</FONT></P> 
    1493                         <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;loginRequestServerDN&gt;</FONT></P> 
    1494                         <P STYLE="margin-bottom: 0cm">              <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">The 
    1495                         cert. DN for SSL server making a request to loginURI</FONT></P> 
    1496                         <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;/loginRequestServerDN&gt;</FONT></P> 
    1497                         <P STYLE="margin-bottom: 0cm">     <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;/thisHost&gt;</FONT></P> 
    1498                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;trusted 
    1499                         name=&quot;BODC&quot;&gt;</FONT></P> 
    1500                         <P STYLE="margin-bottom: 0cm">          
    1501                         <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;aaURI&gt;bodcAttAuthorityURI&lt;/aaURI&gt;</FONT></P> 
    1502                         <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;aaDN&gt;the 
    1503                         DN for the Attribute Authority’s X.509 Cert.&lt;/aaDN&gt;</FONT></P> 
    1504                         <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;loginURI&gt;BODC’s 
    1505                         Login Page URI&lt;/loginURI&gt;</FONT></P> 
    1506                         <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;loginServerDN&gt;The 
    1507                         DN of loginURI’s SSL cert.&lt;/loginServerDN&gt;</FONT></P> 
    1508                         <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;loginRequestServerDN&gt;</FONT></P> 
    1509                         <P STYLE="margin-bottom: 0cm">              <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">The 
    1510                         cert. DN for SSL server making a request to loginURI</FONT></P> 
    1511                         <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;/loginRequestServerDN&gt;</FONT></P> 
    1512                         <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;role 
    1513                         remote=&quot;aBODCrole&quot; local=&quot;aLocalRole&quot;/&gt;</FONT></P> 
    1514                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;/trusted&gt;</FONT></P> 
    1515                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;trusted 
    1516                         name=&quot;NOCS&quot;&gt;</FONT></P> 
    1517                         <P STYLE="margin-bottom: 0cm">          
    1518                         <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;aaURI&gt;nocsAttAuthorityURI&lt;/aaURI&gt;</FONT></P> 
    1519                         <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;aaDN&gt;the 
    1520                         DN for the Attribute Authority’s X.509 Cert.&lt;/aaDN&gt;</FONT></P> 
    1521                         <P STYLE="margin-bottom: 0cm">          
    1522                         <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;loginURI&gt;nocsLoginPageURI&lt;/loginURI&gt;</FONT></P> 
    1523                         <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;loginServerDN&gt;The 
    1524                         DN of loginURI’s SSL cert.&lt;/loginServerDN&gt;</FONT></P> 
    1525                         <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;loginRequestServerDN&gt;</FONT></P> 
    1526                         <P STYLE="margin-bottom: 0cm">              <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">The 
    1527                         cert. DN for SSL server making a request to loginURI</FONT></P> 
    1528                         <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;/loginRequestServerDN&gt;</FONT></P> 
    1529                         <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;role 
    1530                         remote=&quot;aNOCSrole&quot; local=&quot;anotherLocalRole&quot;/&gt;</FONT></P> 
    1531                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;/trusted&gt;</FONT></P> 
    1532                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;trusted 
    1533                         name=&quot;NEODAAS&quot;&gt;</FONT></P> 
    1534                         <P STYLE="margin-bottom: 0cm">          
    1535                         <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;aaURI&gt;neodaasAttAuthorityURI&lt;/aaURI&gt;</FONT></P> 
    1536                         <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;aaDN&gt;the 
    1537                         DN for the Attribute Authority’s X.509 Cert.&lt;/aaDN&gt;</FONT></P> 
    1538                         <P STYLE="margin-bottom: 0cm">          
    1539                         <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;loginURI&gt;neodaasLoginPageURI&lt;/loginURI&gt;</FONT></P> 
    1540                         <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;loginServerDN&gt;The 
    1541                         DN of loginURI’s SSL cert.&lt;/loginServerDN&gt;</FONT></P> 
    1542                         <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;loginRequestServerDN&gt;</FONT></P> 
    1543                         <P STYLE="margin-bottom: 0cm">              <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">The 
    1544                         cert. DN for SSL server making a request to loginURI</FONT></P> 
    1545                         <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;/loginRequestServerDN&gt;</FONT></P> 
    1546                         <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;role 
    1547                         remote=&quot;neodaasRole&quot; local=&quot;yetAnotherLocalRole&quot;/&gt;</FONT></P> 
    1548                         <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;/trusted&gt;</FONT></P> 
    1549                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;/AAmap&gt;</FONT></P> 
    1550                         <P STYLE="margin-bottom: 0cm"><BR> 
    1551                         </P> 
    1552                         <P><BR> 
    1553                         </P> 
    1554                 </TD> 
    1555         </TR> 
    1556 </TABLE> 
    1557 <P CLASS="western" ALIGN=JUSTIFY><BR><BR> 
    1558 </P> 
    1559 <P CLASS="western" ALIGN=JUSTIFY>The map file contains an entry for 
    1560 each site that the Attribute Authority trusts.  These are listed 
    1561 using the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">trusted</SPAN></FONT> 
    1562 element name.  The Attribute Authority identifies itself with the 
    1563 similar <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">thisHost</SPAN></FONT> 
    1564 element.  Each uses a name attribute to uniquely identify the 
    1565 organisation.  The example above shows a BADC map file which trusts 
    1566 the organisations BODC, NOCS and NEODAAS.</P> 
    1567 <P CLASS="western" ALIGN=JUSTIFY>Note that the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">thisHost 
    1568 name </SPAN></FONT>attribute should match the name element in the 
    1569 corresponding <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">attAuthorityProperties.xml</SPAN></FONT> 
    1570 file.  <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">name</SPAN></FONT> 
    1571 is copied as the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">issuerName</SPAN></FONT> 
    1572 used in Attribute Certificates issued by the Attribute Authority.</P> 
    1573 <P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">thisHost</SPAN></FONT> 
    1574 and trusted elements share all the same sub-elements barring role.  
    1575 </P> 
    1576 <UL> 
    1577         <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">aaURI</SPAN></FONT> 
    1578         – this is the address of the Attribute Authority</P> 
    1579         <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">aaDN</SPAN></FONT> 
    1580         – the Distinguished Name of the Attribute Authority’s X.509 
    1581         certificate (not currently used)</P> 
    1582         <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">loginURI</SPAN></FONT> 
    1583         – the address of the Login Service  
    1584         </P> 
    1585         <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">loginServerDN</SPAN></FONT> 
    1586         – the Distinguished Name of the X.509 certificate held by the 
    1587         Login Service for SSL connections.  It is expected that the Login 
    1588         Service is run over https to protect the privacy of login 
    1589         credentials.  This field is not currently used.</P> 
    1590         <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">loginRequestServerDN</SPAN></FONT> 
    1591         – on request for secured credentials a service provider enables 
    1592         the user to redirect to their chosen Login Service at another 
    1593         trusted site.   The on successful authentication the Login Service 
    1594         can return the user back to the service provider to enable them to 
    1595         continue with their request.  This return to address must be over 
    1596         https to enable credentials to be encrypted for the transit but also 
    1597         to validate service provider host making the request.   The Login 
    1598         Service carries this out by checking the SSL certificate of the 
    1599         service provider host and checking its Distinguished Name against 
    1600         the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">loginRequestServerDN</SPAN></FONT> 
    1601         entries for the organisations it trusts.</P> 
    1602         <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">role</SPAN></FONT> 
    1603         – this element is used to express an individual role mapping.  The 
    1604         <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">local</SPAN></FONT> 
    1605         attribute refers to a role <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">thisHost</SPAN></FONT> 
    1606         supports.  The <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">remote</SPAN></FONT> 
    1607         attribute is assigned to the role of the trusted organisation it 
    1608         maps to.  It is possible to have multiple role entries.  One local 
    1609         role may map to many remote roles and vice versa: one remote role 
    1610         may map to many local roles.</P> 
    1611 </UL> 
    1612 <H3 CLASS="western"><A NAME="4.5.4.Twisted Python server .tac file|outline"></A> 
    1613 4.5.4 Twisted Python server .tac file</H3> 
    1614 <P CLASS="western" ALIGN=JUSTIFY>Copy this from the 
    1615 ndg_security_server to the NDG security conf/ area:</P> 
    1616 <TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
    1617         <COL WIDTH=602> 
    1618         <TR> 
    1619                 <TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0"> 
    1620                         <P STYLE="margin-bottom: 0cm"><BR> 
    1621                         </P> 
    1622                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
    1623                         cp /usr/local/lib/python&lt;python version 
    1624                         num&gt;/site-packages/ndg_security_server-&lt;version 
    1625                         info&gt;.egg/ndg/security/server/server-config.tac<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB"> 
    1626                         $NDGSEC_DIR/conf</SPAN></FONT></FONT></P> 
    1627                         <P><BR> 
    1628                         </P> 
    1629                 </TD> 
    1630         </TR> 
    1631 </TABLE> 
    1632 <P CLASS="western" ALIGN=JUSTIFY><BR><BR> 
    1633 </P> 
    1634 <H3 CLASS="western"><A NAME="_Ref179772414"></A><A NAME="4.5.5.SysV-style Boot Script|outline"></A> 
    1635 4.5.5 SysV-style Boot Script</H3> 
    1636 <P CLASS="western" ALIGN=JUSTIFY>As with the Session Manager, the 
    1637 Attribute Authority can be configured to start up at system boot of 
    1638 the host machine.  A SysV style start up script <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndg-aa</SPAN></FONT> 
    1639 is provided in the installation in:</P> 
    1640 <P CLASS="western" ALIGN=JUSTIFY>/usr/local/lib/python&lt;python 
    1641 version num&gt;/site-packages/ndg_security_server-&lt;version 
    1642 info&gt;.egg/ndg/security/server/<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">share</SPAN></FONT> 
    1643   
    1644 </P> 
    1645 <P CLASS="western" ALIGN=JUSTIFY>To configure, install this file:</P> 
    1646 <TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
    1647         <COL WIDTH=602> 
    1648         <TR> 
    1649                 <TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0"> 
    1650                         <P STYLE="margin-bottom: 0cm"><BR> 
    1651                         </P> 
    1652                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
    1653                         cp /usr/local/lib/python&lt;python version 
    1654                         num&gt;/site-packages/ndg_security_server-&lt;version 
    1655                         info&gt;.egg/ndg/security/server<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB"> 
    1656                         /share/ndg-aa /etc/rc.d/init.d</SPAN></FONT></FONT></P> 
    1657                         <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$ 
    1658                         chkconfig --add ndg-aa</SPAN></FONT></FONT></P> 
    1659                         <P><BR> 
    1660                         </P> 
    1661                 </TD> 
    1662         </TR> 
    1663 </TABLE> 
    1664 <P CLASS="western" ALIGN=JUSTIFY><BR><BR> 
    1665 </P> 
    1666 <P CLASS="western" ALIGN=JUSTIFY>Edit the ndg-aa so that it uses the 
    1667 NDGSEC_DIR environment variable to point to the correct location of 
    1668 the .tac file in the conf/ directory.  User and group ID settings can 
    1669 be made to run under alternative account to root.  If used ensure 
    1670 that $NDGSEC_DIR is set with the necessary permissions to enable 
    1671 access.   
    1672 </P> 
    1673 <P CLASS="western" ALIGN=JUSTIFY>If required, add any additional 
    1674 environment settings required to connect to a user database.</P> 
    1675 <H2 CLASS="western"><A NAME="4.6.Python Unit Tests|outline"></A>4.6 
    1676 Python Unit Tests</H2> 
    1677 <P CLASS="western" ALIGN=JUSTIFY>Python unit test scripts are 
    1678 provided to enable the system to be checked to confirm that it is 
    1679 running correctly.   These are located in the ndg_security_test egg 
    1680 in the site-packages/ directory of the python installation.</P> 
    1681 <P CLASS="western" ALIGN=JUSTIFY>&lt;todo: &gt;</P> 
    1682 <H2 CLASS="western"><A NAME="4.7. MyProxy|outline"></A>4.7 MyProxy</H2> 
    1683 <H3 CLASS="western"><A NAME="4.7.1. MyProxy and NDG Security Background|outline"></A> 
    1684 4.7.1 MyProxy and NDG Security Background</H3> 
     439MyProxy and Python packages installations.  Note that you will almost 
     440certainly wish to install MyProxy on a separate secure server to the 
     441other Python based security services.</P> 
     442<H2 CLASS="western"><A NAME="4.1. Globus MyProxy and SimpleCA|outline"></A> 
     4434.1 Globus MyProxy and SimpleCA</H2> 
     444<H3 CLASS="western"><A NAME="4.1.1. MyProxy and NDG Security Background|outline"></A> 
     4454.1.1 MyProxy and NDG Security Background</H3> 
    1685446<P CLASS="western" ALIGN=JUSTIFY>NDG Security makes use of MyProxy 
    1686447from the Globus toolkit to enable the use of individual user X.509 
     
    1714475on its host machine and user credentials are held in a directory on 
    1715476the file system.  It is important to secure the host to ensure the 
    1716 credentials are not compromised.  
    1717 </P> 
    1718 <H3 CLASS="western"><A NAME="4.7.2. MyProxy user account and the repository location considerations|outline"></A> 
    1719 4.7.2 MyProxy user account and the repository location considerations</H3> 
     477credentials are not compromised.   It is recommended to install 
     478MyProxy on a separate host to the other NDG security services as a 
     479security measure.  This host must be carefully secured and run 
     480minimal other services.</P> 
     481<H3 CLASS="western"><A NAME="4.1.2. MyProxy user account and the repository location considerations|outline"></A> 
     4824.1.2 MyProxy user account and the repository location considerations</H3> 
    1720483<P CLASS="western" ALIGN=JUSTIFY>MyProxy may be installed as root or 
    1721484using a separate user account.  The latter provides an extra degree 
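Review bot: The recommendation added at new lines 477-480 to install MyProxy on a separate host repeats the note added earlier in this change at new lines 439-441, and "carefully secured" gives the installer nothing to act on. Suggest keeping the recommendation in one place (here, next to the statement that user credentials are held on the file system) and either listing the measures expected or pointing to 4.1.2, which covers the user account and repository location.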
     
    1743506ps</SPAN></FONT>.  This could be avoided by running <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy-server</SPAN></FONT> 
    1744507with <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">xinetd 
    1745 </SPAN></FONT>(See 4.7.10.1).</P> 
     508</SPAN></FONT>(See 4.1.10.1).</P> 
    1746509<P CLASS="western" ALIGN=LEFT>This guide assumes installation as 
    1747510root.   
    1748511</P> 
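Review bot: The "(See 4.1.10.1)" reference at new line 508 is plain text that had to be renumbered by hand in this change, and it will go stale again the next time sections are re-ordered. The target heading already carries a stable anchor, <A NAME="_Ref143089522">, so make the reference a link to #_Ref143089522 rather than relying on the section number alone.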
    1749 <H3 CLASS="western"><A NAME="4.7.3. Installation|outline"></A>4.7.3 
     512<H3 CLASS="western"><A NAME="4.1.3. Installation|outline"></A>4.1.3 
    1750513Installation</H3> 
    1751514<P CLASS="western">MyProxy is available with Globus.  Version 4.0.5 
     
    1753516<FONT FACE="Helvetica, sans-serif"><SPAN LANG="en-GB">C and C++ 
    1754517development packages are needed for the build.</SPAN></FONT></P> 
    1755 <H4 CLASS="western">4.7.3.1 PAM Dependencies</H4> 
     518<H4 CLASS="western">4.1.3.1 PAM Dependencies</H4> 
    1756519<P CLASS="western">A binary version is available but it is 
    1757520recommended to build and install from the source code to include PAM 
     
    1766529limitation in PAM, MyProxy must be built and installed under the 
    1767530system root account.</FONT></CODE></P> 
    1768 <H4 CLASS="western">4.7.3.2<CODE><FONT FACE="Helvetica, sans-serif"> 
     531<H4 CLASS="western">4.1.3.2<CODE><FONT FACE="Helvetica, sans-serif"> 
    1769532Build</FONT></CODE></H4> 
    1770533<P CLASS="western"><CODE><FONT FACE="Helvetica, sans-serif">The code 
    1771 can be downloaded from  </FONT><FONT COLOR="#0000ff"><U><A HREF="http://www.globus.org/toolkit/downloads/4.0.1/"><FONT FACE="Helvetica, sans-serif">http://www.globus.org/toolkit/downloads/4.0.5</FONT></A></U></FONT></CODE></P> 
     534can be downloaded from  </FONT></CODE><FONT COLOR="#0000ff"><U><A HREF="http://www.globus.org/toolkit/downloads/4.0.1/"><FONT FACE="Helvetica, sans-serif">http://www.globus.org/toolkit/downloads/4.0.5</FONT></A></U></FONT></P> 
    1772535<P CLASS="western" ALIGN=JUSTIFY>Note that it is possible to set a 
    1773536target for <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">make 
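Review bot: On the download link at new line 534 the HREF still targets http://www.globus.org/toolkit/downloads/4.0.1/ while the link text, and the "Version 4.0.5" statement under 4.1.3, name 4.0.5, so a reader who follows the link lands on a different release from the one the guide tells them to build. This line is being touched anyway (the </CODE> close was moved), so update the HREF to match the displayed 4.0.5 URL.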
     
    1854617<P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm"><BR> 
    1855618</P> 
    1856 <H3 CLASS="western"><A NAME="4.7.4. SimpleCA Installation|outline"></A> 
    1857 4.7.4 SimpleCA Installation</H3> 
     619<H3 CLASS="western"><A NAME="4.1.4. SimpleCA Installation|outline"></A> 
     6204.1.4 SimpleCA Installation</H3> 
    1858621<P CLASS="western" ALIGN=JUSTIFY>Reference:  
    1859622</P> 
     
    2138901<P STYLE="margin-bottom: 0cm"><BR> 
    2139902</P> 
    2140 <H3 CLASS="western"><A NAME="4.7.5. Host Certificate Creation|outline"></A> 
    2141 4.7.5 Host Certificate Creation</H3> 
     903<H3 CLASS="western"><A NAME="4.1.5. Host Certificate Creation|outline"></A> 
     9044.1.5 Host Certificate Creation</H3> 
    2142905<P CLASS="western">As root user to carry out these steps.   First 
    2143906check the path to the command <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">grid-cert-request</SPAN></FONT>:</P> 
     
    2222985<P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">hostcert_request.pem 
    2223986</FONT>is no longer needed and can be deleted.</P> 
    2224 <H3 CLASS="western"><A NAME="4.7.6. MyProxy Configuration File|outline"></A> 
    2225 4.7.6 MyProxy Configuration File</H3> 
     987<H3 CLASS="western"><A NAME="4.1.6. MyProxy Configuration File|outline"></A> 
     9884.1.6 MyProxy Configuration File</H3> 
    2226989<P CLASS="western" ALIGN=JUSTIFY>A MyProxy configuration file is 
    2227990normally kept in the Globus installation under the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">etc</SPAN></FONT> 
     
    22981061user has read/write access for the directory.  Note also that the 
    22991062directory need not be called <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy</SPAN></FONT>.</P> 
    2300 <H3 CLASS="western"><A NAME="4.7.7. MyProxy SimpleCA Configuration|outline"></A> 
    2301 4.7.7 MyProxy SimpleCA Configuration</H3> 
     1063<H3 CLASS="western"><A NAME="4.1.7. MyProxy SimpleCA Configuration|outline"></A> 
     10644.1.7 MyProxy SimpleCA Configuration</H3> 
    23021065<P CLASS="western" ALIGN=LEFT>NDG Security uses MyProxy to 
    23031066dynamically generate user certificates on user login.  For this, 
     
    24391202        <P CLASS="western" ALIGN=LEFT></P> 
    24401203</OL> 
    2441 <H3 CLASS="western"><A NAME="4.7.8. MyProxy PAM Configuration|outline"></A> 
    2442 4.7.8 MyProxy PAM Configuration</H3> 
     1204<H3 CLASS="western"><A NAME="4.1.8. MyProxy PAM Configuration|outline"></A> 
     12054.1.8 MyProxy PAM Configuration</H3> 
    24431206<P CLASS="western" ALIGN=JUSTIFY>Reference: 
    24441207<A HREF="http://grid.ncsa.uiuc.edu/myproxy/pam.html">http://grid.ncsa.uiuc.edu/myproxy/pam.html</A></P> 
     
    24711234<P CLASS="western">Appendices are provided at the end of this 
    24721235document for some of the more common configurations.</P> 
    2473 <H3 CLASS="western"><A NAME="4.7.9. Testing MyProxy|outline"></A>4.7.9 
     1236<H3 CLASS="western"><A NAME="4.1.9. Testing MyProxy|outline"></A>4.1.9 
    24741237Testing MyProxy</H3> 
    24751238<P CLASS="western" ALIGN=JUSTIFY>A simple way to test the MyProxy 
     
    24841247the user account in which it was installed - root.   Ensure that the 
    24851248environment is set correctly i.e. GLOBUS_LOCATION variable set and 
    2486 $GLOBUS_LOCATION/etc/globus-user-env.sh has been sourced<SPAN LANG="pt-PT"><FONT SIZE=2>:</FONT></SPAN></P> 
     1249$GLOBUS_LOCATION/etc/globus-user-env.sh has been sourced<FONT SIZE=2><SPAN LANG="pt-PT">:</SPAN></FONT></P> 
    24871250<TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
    24881251        <COL WIDTH=602> 
     
    26911454Python NDG services are installed but not MyProxy itself.   The 
    26921455MyProxy unit tests are in the package ndg.security.test.myProxy.</P> 
    2693 <H3 CLASS="western"><A NAME="4.7.10. Adding MyProxy Server to the system start up|outline"></A> 
    2694 4.7.10 Adding MyProxy Server to the system start up</H3> 
     1456<H3 CLASS="western"><A NAME="4.1.10. Adding MyProxy Server to the system start up|outline"></A> 
     14574.1.10 Adding MyProxy Server to the system start up</H3> 
    26951458<P CLASS="western" ALIGN=JUSTIFY>Any of the standard mechanisms may 
    26961459be used such as adding a SysV style init script or using <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">inetd</SPAN></FONT> 
     
    27131476<BR> 
    27141477</P> 
    2715 <H4 CLASS="western"><A NAME="_Ref143089522"></A>4.7.10.1 inetd / 
     1478<H4 CLASS="western"><A NAME="_Ref143089522"></A>4.1.10.1 inetd / 
    27161479xinetd</H4> 
    27171480<P CLASS="western" ALIGN=LEFT>To run the myproxy server using <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">inetd 
     
    28141577        man page for your system.</P> 
    28151578</UL> 
    2816 <H4 CLASS="western">4.7.10.2 SysV-style boot script  
     1579<H4 CLASS="western">4.1.10.2 SysV-style boot script  
    28171580</H4> 
    28181581<P CLASS="western" ALIGN=LEFT>A sample SysV-style boot script for is 
     
    28441607</SPAN></FONT>environment variable correctly.   
    28451608</P> 
     1609<H2 CLASS="western"><A NAME="4.2. NDG Security Python Packages |outline"></A> 
     16104.2 NDG Security Python Packages  
     1611</H2> 
     1612<H3 CLASS="western"><A NAME="4.2.1. Dependencies|outline"></A>4.2.1 
     1613Dependencies</H3> 
     1614<H4 CLASS="western">4.2.1.1 OpenSSL</H4> 
     1615<P CLASS="western" ALIGN=JUSTIFY>Before proceeding with the 
     1616installation check that an up to date version of OpenSSL is 
     1617installed:</P> 
     1618<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
     1619        <COL WIDTH=596> 
     1620        <TR> 
     1621                <TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6"> 
     1622                        <P LANG="da-DK" STYLE="margin-bottom: 0cm"><BR> 
     1623                        </P> 
     1624                        <P LANG="da-DK"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
     1625                        openssl version</FONT></P> 
     1626                </TD> 
     1627        </TR> 
     1628</TABLE> 
     1629<P CLASS="western" ALIGN=JUSTIFY><BR><BR> 
     1630</P> 
     1631<P CLASS="western" ALIGN=JUSTIFY>0.9.8 or greater is required.  
     1632Should you need to upgrade, OpenSSL is available from 
     1633<A HREF="http://www.openssl.org/source/">http://www.openssl.org/source/</A>. 
     1634 Once downloaded, unpack the tarball and follow the installation 
     1635intstructions.</P> 
     1636<H4 CLASS="western">4.2.1.2 SWIG</H4> 
     1637<P CLASS="western">SWIG is a tool to help with bindings from C/C++ to 
     1638interpreted languages such as Python.  The Python OpenSSL wrapper 
     1639M2Crypto uses it and version 1.3.24 or later is required.  Downloads 
     1640are available from, <A HREF="http://www.swig.org/">http://www.swig.org</A>.</P> 
     1641<H3 CLASS="western"><A NAME="4.2.2. Installation Procedure|outline"></A> 
     16424.2.2 Installation Procedure</H3> 
     1643<P CLASS="western" ALIGN=JUSTIFY>Log in to the target host as <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">root</SPAN></FONT>. 
     1644 Change to a suitable directory to hold temporary installation files. 
     1645  
     1646</P> 
     1647<H4 CLASS="western">4.2.2.1 setuptools</H4> 
     1648<P CLASS="western" ALIGN=JUSTIFY>The first step is to install Python 
     1649setuptools, the package that enables the use of Python eggs.  
     1650Download the setuptools bootstrap script:</P> 
     1651<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
     1652        <COL WIDTH=596> 
     1653        <TR> 
     1654                <TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6"> 
     1655                        <P LANG="da-DK" STYLE="margin-bottom: 0cm"><BR> 
     1656                        </P> 
     1657                        <P LANG="da-DK"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
     1658                        wget http://peak.telecommunity.com/dist/ez_setup.py</FONT></P> 
     1659                </TD> 
     1660        </TR> 
     1661</TABLE> 
     1662<P CLASS="western" ALIGN=LEFT><BR><BR> 
     1663</P> 
     1664<P CLASS="western" ALIGN=JUSTIFY>You may need to set the environment 
     1665for a http proxy at your site.  For example,</P> 
     1666<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
     1667        <COL WIDTH=596> 
     1668        <TR> 
     1669                <TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6"> 
     1670                        <P STYLE="margin-bottom: 0cm"><BR> 
     1671                        </P> 
     1672                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
     1673                        export http_proxy=http://yourproxyurl.com:8080</FONT></P> 
     1674                </TD> 
     1675        </TR> 
     1676</TABLE> 
     1677<P CLASS="western" ALIGN=JUSTIFY><BR><BR> 
     1678</P> 
     1679<P CLASS="western" ALIGN=JUSTIFY>Run the bootstrap script.  Make sure 
     1680to use the correct version of python in your system path.  Some 
     1681systems may have multiple python versions installed:</P> 
     1682<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
     1683        <COL WIDTH=596> 
     1684        <TR> 
     1685                <TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6"> 
     1686                        <P STYLE="margin-bottom: 0cm"><BR> 
     1687                        </P> 
     1688                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
     1689                        python ez_setup.py</FONT></P> 
     1690                </TD> 
     1691        </TR> 
     1692</TABLE> 
     1693<P CLASS="western"><BR><BR> 
     1694</P> 
     1695<P CLASS="western">Once completed, you can delete <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ez_setup.py</SPAN></FONT>.</P> 
     1696<H4 CLASS="western">4.2.2.2 Set-up Script</H4> 
     1697<P CLASS="western" ALIGN=JUSTIFY>NDG security uses a wrapper to 
     1698setuptools <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">easy_install</SPAN></FONT> 
     1699to enable custom installation steps to be correctly carried out.  
     1700Download the script from the NDG distribution site:</P> 
     1701<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
     1702        <COL WIDTH=596> 
     1703        <TR> 
     1704                <TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6"> 
     1705                        <P LANG="da-DK" STYLE="margin-bottom: 0cm"><BR> 
     1706                        </P> 
     1707                        <P LANG="da-DK"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
     1708                        wget http://ndg.nerc.ac.uk/dist/ndg-security-install.py</FONT></P> 
     1709                </TD> 
     1710        </TR> 
     1711</TABLE> 
     1712<P LANG="da-DK" CLASS="western" ALIGN=JUSTIFY><BR><BR> 
     1713</P> 
     1714<P CLASS="western" ALIGN=JUSTIFY>Now carry out the installation of 
     1715the NDG security python packages:</P> 
     1716<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
     1717        <COL WIDTH=596> 
     1718        <TR> 
     1719                <TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6"> 
     1720                        <P STYLE="margin-bottom: 0cm"><BR> 
     1721                        </P> 
     1722                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
     1723                        python ./ndg-security-install.py -a</FONT></P> 
     1724                </TD> 
     1725        </TR> 
     1726</TABLE> 
     1727<P CLASS="western" ALIGN=JUSTIFY><BR><BR> 
     1728</P> 
     1729<P CLASS="western" ALIGN=JUSTIFY>The script options can be checked 
     1730using the –h option.  –a selects all packages for installation.   
     1731If there are problems with the installation, see the Troubleshooting 
     1732Guide in the Appendices section 5.6.</P> 
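Review bot: In the new 4.2.2.1 and 4.2.2.2 steps the reader is logged in as root and runs "python ez_setup.py" and "python ./ndg-security-install.py -a" on scripts fetched with wget over plain http, with nothing to check them against before they execute. Suggest publishing a digest or signed copy of ndg-security-install.py on the distribution site and adding a verification step before each python invocation, or at minimum serving the installer over https. Further down in the same hunk (new lines 1792-1795) the copy of the conf directory uses cp without -r, which skips directories, so the step as written copies nothing into /etc/ndg/security. Also "intstructions" at new line 1635 should read "instructions".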
     1733<H3 CLASS="western"><A NAME="4.2.3. NDG Web Services Configuration|outline"></A> 
     17344.2.3 NDG Web Services Configuration</H3> 
     1735<H4 CLASS="western">4.2.3.1 NDG Security System Configuration Files</H4> 
     1736<P CLASS="western" ALIGN=JUSTIFY>Properties files set the 
     1737configuration settings for NDG security <I>server side</I> settings.  
     1738Templates for these are contained within the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndg_security_server</SPAN></FONT> 
     1739installed in your python distribution’s site-packages directory.   
     1740A future version of the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndg-security-install.py</SPAN></FONT> 
     1741script will extract these and install at a suitable location on the 
     1742file system.  For the moment though, this is a manual process.</P> 
     1743<P CLASS="western" ALIGN=JUSTIFY>Create a configuration area under 
     1744your servers <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/etc</SPAN></FONT> 
     1745directory:</P> 
     1746<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
     1747        <COL WIDTH=596> 
     1748        <TR> 
     1749                <TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6"> 
     1750                        <P STYLE="margin-bottom: 0cm"><BR> 
     1751                        </P> 
     1752                        <P LANG="da-DK"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
     1753                        mkdir /etc/ndg<BR>$ mkdir /etc/ndg/security</FONT></P> 
     1754                </TD> 
     1755        </TR> 
     1756</TABLE> 
     1757<P LANG="da-DK" CLASS="western" ALIGN=JUSTIFY><BR><BR> 
     1758</P> 
     1759<P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/etc/ndg/security</SPAN></FONT> 
     1760is recognised by the Python security software by the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">NDGSEC_DIR 
     1761</SPAN></FONT>environment variable.  This variable can be set in the 
     1762environment of the user account used to run the security services or 
     1763can be set in the init scripts used to automatically start up the 
     1764services from server boot up (See sections 4.2.4.2, 4.2.4.3 and 4.2.5.5).</P> 
     1765<P CLASS="western" ALIGN=JUSTIFY>Locate the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndg_security_server</SPAN></FONT> 
     1766egg and copy its <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">conf/</SPAN></FONT> 
     1767directory into the configuration area.  For example if you are using 
     1768python installed in <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/usr/local</SPAN></FONT> 
     1769then the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">conf/</SPAN></FONT> 
     1770directory will be in:</P> 
     1771<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
     1772        <COL WIDTH=596> 
     1773        <TR> 
     1774                <TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6"> 
     1775                        <P STYLE="margin-bottom: 0cm"><BR> 
     1776                        </P> 
     1777                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">/usr/local/lib/python&lt;python 
     1778                        version num&gt;/site-packages/ndg_security_server-&lt;version 
     1779                        info&gt;.egg/ndg/security/server/conf</FONT></P> 
     1780                </TD> 
     1781        </TR> 
     1782</TABLE> 
     1783<P CLASS="western" ALIGN=JUSTIFY><BR><BR> 
     1784</P> 
     1785<P CLASS="western" ALIGN=JUSTIFY>Copy as follows:</P> 
     1786<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
     1787        <COL WIDTH=596> 
     1788        <TR> 
     1789                <TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6"> 
     1790                        <P STYLE="margin-bottom: 0cm"><BR> 
     1791                        </P> 
     1792                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ cp 
     1793                        /usr/local/lib/python&lt;python version 
     1794                        num&gt;/site-packages/ndg_security_server-&lt;version 
     1795                        info&gt;.egg/ndg/security/server/conf /etc/ndg/security</FONT></P> 
     1796                </TD> 
     1797        </TR> 
     1798</TABLE> 
     1799<P CLASS="western" ALIGN=JUSTIFY><BR><BR> 
     1800</P> 
     1801<P CLASS="western" ALIGN=JUSTIFY>The <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">conf/</SPAN></FONT> 
     1802directory will contain these important files:</P> 
     1803<UL> 
     1804        <LI><P CLASS="western" ALIGN=JUSTIFY>Session Manager and Attribute 
     1805        Authority properties XML files</P> 
     1806        <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">openssl.conf</SPAN></FONT> 
     1807        – used by the Session Manager to configure client connections to 
     1808        MyProxy</P> 
     1809        <LI><P CLASS="western" ALIGN=JUSTIFY>Special <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">.tac</SPAN></FONT> 
     1810        configuration files loaded by the <I>Twisted</I> application server 
     1811        used to run Session Manager and Attribute Authority services</P> 
     1812        <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">certs/</SPAN></FONT> 
     1813        directory for storing X.509 certificates</P> 
     1814        <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">mapConfig.xml</SPAN></FONT> 
     1815        for role mapping and other trust configuration parameters to enable 
     1816        the Attribute Authority to operate with other trusted organisations 
     1817        within NDG</P> 
     1818        <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">attCertLog/</SPAN></FONT> 
     1819        directory for storing Attribute Certificates issued by the Attribute 
     1820        Authority.</P> 
     1821        <LI><P CLASS="western" ALIGN=JUSTIFY>Logging configuration files: 
     1822        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">sessionMgrLog.cfg 
     1823        </SPAN></FONT>and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">attAuthorityLog.cfg</SPAN></FONT></P> 
     1824</UL> 
     1825<P CLASS="western" ALIGN=JUSTIFY>The default location for log files 
     1826set in <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">sessionMgrLog.cfg</SPAN></FONT> 
     1827and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">attAuthorityLog.cfg</SPAN></FONT> 
     1828is <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/log</SPAN></FONT>. 
     1829 Create this directory as follows:</P> 
     1830<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
     1831        <COL WIDTH=596> 
     1832        <TR> 
     1833                <TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6"> 
     1834                        <P STYLE="margin-bottom: 0cm"><BR> 
     1835                        </P> 
     1836                        <P LANG="es-ES"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
     1837                        mkdir /etc/ndg/security/log</FONT></P> 
     1838                </TD> 
     1839        </TR> 
     1840</TABLE> 
     1841<P CLASS="western" ALIGN=JUSTIFY><BR><BR> 
     1842</P> 
     1843<P CLASS="western" ALIGN=JUSTIFY>Note that it is possible to run 
     1844security web services under any specified system account and group.  
     1845Ensure that this user has full access to <FONT FACE="Lucida Console"><SPAN LANG="es-ES">/etc/ndg/security</SPAN></FONT><SPAN LANG="es-ES"> 
     1846e.g.</SPAN></P> 
     1847<TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
     1848        <COL WIDTH=596> 
     1849        <TR> 
     1850                <TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6"> 
     1851                        <P STYLE="margin-bottom: 0cm"><BR> 
     1852                        </P> 
     1853                        <P LANG="es-ES"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
     1854                        chmod ndg:ndggroup -R /etc/ndg/security</FONT></P> 
     1855                </TD> 
     1856        </TR> 
     1857</TABLE> 
     1858<P LANG="es-ES" CLASS="western" ALIGN=JUSTIFY><BR><BR> 
     1859</P> 
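Review bot: the ownership command at new line 1854 cannot work as written, because `chmod ndg:ndggroup -R /etc/ndg/security` passes a user:group pair to chmod, which expects a mode; it should read `chown -R ndg:ndggroup /etc/ndg/security`. The copy command at new lines 1792-1795 also needs `cp -r`, since `conf` is a directory. Private keys are later stored under $NDGSEC_DIR/conf/certs, so the text would be better saying that access to this tree should be restricted to the service account, rather than only that the account needs "full access".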
     1860<H4 CLASS="western">4.2.3.2 Certificate Generation</H4> 
     1861<P CLASS="western" ALIGN=JUSTIFY>The Session Manager and Attribute 
     1862Authority web services require individual X.509 certificates as a 
     1863means to identify them in the various interactions required for user 
     1864registration, authentication and authorisation.  These may be created 
     1865by similar means to the host certificate creation.</P> 
     1866<P CLASS="western" ALIGN=JUSTIFY>Change directory to 
     1867<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/conf/certs</SPAN></FONT>. 
     1868 The certificates will be stored here.  Make a new private key and 
     1869certificate request for the Session Manager:</P> 
     1870<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
     1871        <COL WIDTH=610> 
     1872        <TR> 
     1873                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0"> 
     1874                        <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR> 
     1875                        </P> 
     1876                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
     1877                        openssl genrsa –out sm-key.pem 2048</FONT></P> 
     1878                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
     1879                        chmod 400 sm-key.pem</FONT></P> 
     1880                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
     1881                        openssl req –new –key sm-key.pem –out sm.csr</FONT></P> 
     1882                        <P CLASS="western" ALIGN=LEFT><BR> 
     1883                        </P> 
     1884                </TD> 
     1885        </TR> 
     1886</TABLE> 
     1887<P CLASS="western" ALIGN=JUSTIFY><BR><BR> 
     1888</P> 
     1889<P CLASS="western" ALIGN=JUSTIFY>The private key may be password 
     1890protected if required by adding the –des3 option to the genrsa 
     1891command.   Type in a password when prompted.   The req command will 
     1892prompt you for the components of the Distinguished Name for the new 
     1893certificate.  When prompted for the Common Name, enter 
     1894‘SessionManager’.  The other fields can be set as required but by 
     1895convention for NDG, the Organisation field has been set to NDG and 
     1896the Organisation Unit to the individual data provider name e.g. BADC. 
     1897 All other fields have been omitted.  You can skip individual fields 
     1898by enter ‘.’ When prompted.</P> 
     1899<P CLASS="western" ALIGN=JUSTIFY>Forward the request file to the 
     1900appropriate CA.  This could be your SimpleCA created for use with 
     1901MyProxy – see MyProxy installation.  The CA will issue a 
     1902certificate file.  Copy this file as 
     1903<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/conf/certs/sm-cert.pem</SPAN></FONT>.<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB"> 
     1904</SPAN></FONT> The request<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"> 
     1905</FONT>file can be deleted once a certificate has been obtained from 
     1906the CA.</P> 
     1907<P CLASS="western" ALIGN=JUSTIFY>Repeat this process for the 
     1908Attribute Authority, selecting ‘AttributeAuthority’ for the 
     1909Common Name<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">.</SPAN></FONT></P> 
     1910<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
     1911        <COL WIDTH=610> 
     1912        <TR> 
     1913                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0"> 
     1914                        <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR> 
     1915                        </P> 
     1916                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
     1917                        openssl genrsa –out aa-key.pem 2048</FONT></P> 
     1918                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
     1919                        chmod 400 aa-key.pem</FONT></P> 
     1920                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
     1921                        openssl req –new –key aa-key.pem –out aa.csr</FONT></P> 
     1922                        <P CLASS="western" ALIGN=LEFT><BR> 
     1923                        </P> 
     1924                </TD> 
     1925        </TR> 
     1926</TABLE> 
     1927<P CLASS="western" ALIGN=JUSTIFY><BR><BR> 
     1928</P> 
     1929<P CLASS="western" ALIGN=JUSTIFY>It is recommended that the Session 
     1930Manager is run over https to keep user login credentials secured.   A 
     1931server certificate and key will be required in addition to enable 
     1932this.   
     1933</P> 
     1934<P CLASS="western" ALIGN=JUSTIFY>If required, a certificate could be 
     1935issued from your SimpleCA.  Follow the same procedure as used for the 
     1936Session Manager and Attirbute Authority above creating a private key 
     1937and certificate request.  The private key should be generated without 
     1938a password.  When generating the certificate request ensure that the 
     1939Common Name is set to the fully qualified name of the server host.</P> 
     1940<P CLASS="western" ALIGN=JUSTIFY>Once available the certificate and 
     1941private key can be added to the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/conf/certs 
     1942</SPAN></FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB"><FONT FACE="Helvetica, sans-serif">directory 
     1943and can be </FONT></SPAN></FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB"><FONT FACE="Helvetica, sans-serif">referenced 
     1944by the Session Manager’s properties file with the </FONT></SPAN></FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB"><FONT FACE="Lucida Console">sslCertFile</FONT></SPAN></FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB"><FONT FACE="Helvetica, sans-serif"> 
     1945and </FONT></SPAN></FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB"><FONT FACE="Lucida Console">sslKeyFile</FONT></SPAN></FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB"><FONT FACE="Helvetica, sans-serif"> 
     1946elements respectively.</FONT></SPAN></FONT></P> 
     1947<P CLASS="western" ALIGN=JUSTIFY>A copy of the NDG Certificate 
     1948Authority’s X.509 certificate is also required.  Obtain this from 
     1949the NDG CA administrator and copy it into the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/conf/certs 
     1950</SPAN></FONT>directory.</P> 
     1951<P CLASS="western" STYLE="background: #cccccc">Note that all other 
     1952trusted NDG partner organisations MUST have copies of your CA 
     1953certificate.  If they don't, partner organisations NDG Security 
     1954infrastructures will reject requests from your security services.   
     1955CA certificates are referenced in the Attribute Authority and Session 
     1956Manager properties file settings  <FONT FACE="Lucida Console, DejaVu Sans Mono, sans-serif"><FONT SIZE=2>sslCACertDir</FONT></FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, sans-serif"><FONT SIZE=2 STYLE="font-size: 9pt"> 
     1957</FONT></FONT><FONT FACE="Helvetica, sans-serif"><FONT SIZE=2>and 
     1958</FONT></FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, sans-serif"><FONT SIZE=2>caCertFileList</FONT></FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, sans-serif"><FONT SIZE=2 STYLE="font-size: 9pt">.</FONT></FONT><FONT FACE="Helvetica, sans-serif"><FONT SIZE=2> 
     1959 Configuration for Gatekeepers may also need to reference your CA 
     1960certificate.</FONT></FONT></P> 
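Review bot: the openssl commands at new lines 1877, 1881, 1917 and 1921 are typeset with en dashes (`–out`, `–new`, `–key`) rather than ASCII hyphens, so they will not be parsed as options when pasted into a shell; the `–des3` mentioned at 1890 has the same problem. Replace them with `-out`, `-new`, `-key` and `-des3`. In the same region, "Attirbute" at 1936 and "by enter ‘.’ When prompted" at 1898 need correcting. The paragraph at 1934-1939 asks for a server key without a password, so it should also repeat the `chmod 400` step for that key, since file permissions are its only protection.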
     1961<H3 CLASS="western"><A NAME="4.2.4. Session Manager Configuration|outline"></A> 
     19624.2.4 Session Manager Configuration</H3> 
     1963<P CLASS="western" ALIGN=JUSTIFY>Configuration parameters may be set 
     1964via a properties file.  In addition, the Session Manager can 
     1965optionally make use of a Credential Repository database.  This 
     1966enables the credentials that users acquire during a session to be 
     1967stored so that they may be retrieved.   When installed, the default 
     1968configuration set in the Session Manager Properties file is to <I>not</I> 
     1969use a Credential Repository.   If this is the case, skip this 
     1970section.</P> 
     1971<H4 CLASS="western"><A NAME="_Ref156702859"></A>4.2.4.1 Session 
     1972Manager Credential Repository</H4> 
     1973<P CLASS="western" ALIGN=JUSTIFY>Create the Credential Repository 
     1974database.  In the example below a MySQL database is assumed.   Notes 
     1975on installing MySQL are given in the Appendices section 5.2.  
     1976</P> 
     1977<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
     1978        <COL WIDTH=610> 
     1979        <TR> 
     1980                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0"> 
     1981                        <P STYLE="margin-bottom: 0cm"><BR> 
     1982                        </P> 
     1983                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
     1984                        mysql –u root –p</FONT></P> 
     1985                        <P CLASS="western" ALIGN=JUSTIFY>mysql&gt; create database 
     1986                        ndgCredRepos;</P> 
     1987                        <P><BR> 
     1988                        </P> 
     1989                </TD> 
     1990        </TR> 
     1991</TABLE> 
     1992<P CLASS="western" ALIGN=JUSTIFY><BR>Use the script  
     1993init-credrepos-db to create the tables.  As the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">globus</SPAN></FONT> 
     1994user, run the script.  Enter the password for the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndgUser</SPAN></FONT> 
     1995account when prompted and type <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">yes</SPAN></FONT> 
     1996to confirm creation of the tables:</P> 
     1997<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
     1998        <COL WIDTH=610> 
     1999        <TR> 
     2000                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0"> 
     2001                        <P STYLE="margin-bottom: 0cm"><BR> 
     2002                        </P> 
     2003                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
     2004                        init-credrepos-db –u root</FONT></P> 
     2005                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Database 
     2006                        password:</FONT></P> 
     2007                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Are 
     2008                        you sure you want to initialise the database tables? (yes/no) yes</FONT></P> 
     2009                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Tables 
     2010                        created</FONT></P> 
     2011                        <P STYLE="margin-bottom: 0cm"><BR> 
     2012                        </P> 
     2013                        <P><BR> 
     2014                        </P> 
     2015                </TD> 
     2016        </TR> 
     2017</TABLE> 
     2018<P CLASS="western" ALIGN=JUSTIFY><BR>To check that the tables have 
     2019been created, restart the database client:</P> 
     2020<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
     2021        <COL WIDTH=610> 
     2022        <TR> 
     2023                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0"> 
     2024                        <P STYLE="margin-bottom: 0cm"><BR> 
     2025                        </P> 
     2026                        <P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm">$ 
     2027                        mysql –u root –p –D ndgCredRepos</P> 
     2028                        <P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm">mysql&gt; 
     2029                        show tables;</P> 
     2030                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">+------------------------+</FONT></FONT></P> 
     2031                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">| 
     2032                        Tables_in_ndgCredRepos |</FONT></FONT></P> 
     2033                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">+------------------------+</FONT></FONT></P> 
     2034                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">| 
     2035                        UserCredential         |</FONT></FONT></P> 
     2036                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">| 
     2037                        UserID                 |</FONT></FONT></P> 
     2038                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">+------------------------+</FONT></FONT></P> 
     2039                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">2 
     2040                        rows in set (0.00 sec)</FONT></FONT></P> 
     2041                        <P><BR> 
     2042                        </P> 
     2043                </TD> 
     2044        </TR> 
     2045</TABLE> 
     2046<P CLASS="western" ALIGN=JUSTIFY><BR><BR> 
     2047</P> 
     2048<P CLASS="western" ALIGN=JUSTIFY>A separate account should be created 
     2049for the Session Manager to access the database.  It should have 
     2050sufficient permissions to be able to read and write records.  For 
     2051details of how to create an account in MySQL see the Appendices 
     2052section 5.2.9.</P> 
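Review bot: the database account in the init-credrepos-db step is inconsistent. The prose at new lines 1993-1995 says to run the script as the globus user and enter the ndgUser password, but the command at 2004 passes `–u root`, and the separate Session Manager account is only introduced afterwards at 2048-2052. State which account the script connects as, and move the account-creation paragraph ahead of this step if ndgUser is the intended one, so readers do not end up configuring the service with root database credentials. The `–u`, `–p` and `–D` options at 1984, 2004 and 2027 are also en dashes and need to be ASCII hyphens.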
     2053<H4 CLASS="western">4.2.4.2 Session Manager Properties File Settings</H4> 
     2054<P CLASS="western" ALIGN=JUSTIFY>Edit <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">sessionMgrProperties.xml</SPAN></FONT> 
     2055in <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/conf</SPAN></FONT> 
     2056and modify the default settings:</P> 
     2057<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
     2058        <COL WIDTH=610> 
     2059        <TR> 
     2060                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0"> 
     2061                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;?xml 
     2062                        version=&quot;1.0&quot; encoding=&quot;utf-8&quot;?&gt;</FONT></FONT></P> 
     2063                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;sessMgrProp&gt;</FONT></FONT></P> 
     2064                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;portNum&gt;&lt;/portNum&gt;</FONT></FONT></P> 
     2065                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;useSSL&gt;Yes&lt;/useSSL&gt; 
     2066                        &lt;!-- leave blank to use http --&gt;</FONT></FONT></P> 
     2067                        <P STYLE="margin-bottom: 0cm">    
     2068                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;sslCertFile&gt;$NDGSEC_DIR/conf/certs/server-cert.pem&lt;/sslCertFile&gt;</FONT></FONT></P> 
     2069                        <P STYLE="margin-bottom: 0cm">    
     2070                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;sslKeyFile&gt;&gt;$NDGSEC_DIR/conf/certs/server-key.pem 
     2071                        &lt;/sslKeyFile&gt;</FONT></FONT></P> 
     2072                        <P STYLE="margin-bottom: 0cm">   <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, sans-serif"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!-- 
     2073                        <BR>    </FONT></FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, sans-serif"><FONT SIZE=2 STYLE="font-size: 9pt">Directory 
     2074                        containing CA cert.s to verify SSL peer cert against - ignored if 
     2075                        useSSL is blank --&gt;<BR>    
     2076                        &lt;sslCACertDir&gt;$NDGSEC_DIR/conf/certs/ca&lt;/sslCACertDir&gt;<BR> 
     2077                           </FONT></FONT><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!--</FONT></FONT></P> 
     2078                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">PKI 
     2079                        settings for signature of outbound SOAP messages</FONT></FONT></P> 
     2080                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--&gt;</FONT></FONT></P> 
     2081                        <P STYLE="margin-bottom: 0cm">    
     2082                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;useSignatureHandler&gt;Yes&lt;/useSignatureHandler&gt; 
     2083                        &lt;!-- leave blank for no signature --&gt;</FONT></FONT></P> 
     2084                        <P STYLE="margin-bottom: 0cm">    
     2085                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;certFile&gt;&gt;$NDGSEC_DIR/conf/certs/sm-cert.pem&lt;/certFile&gt;</FONT></FONT></P> 
     2086                        <P STYLE="margin-bottom: 0cm">    
     2087                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;keyFile&gt;&gt;$NDGSEC_DIR/conf/certs/server-key.pem&lt;/keyFile&gt;</FONT></FONT></P> 
     2088                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;keyPwd&gt;&lt;/keyPwd&gt;</FONT></FONT></P> 
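Review bot: in the signature settings at new lines 2085-2087 the certificate and key do not belong together. `<certFile>` points at sm-cert.pem while `<keyFile>` points at server-key.pem, the SSL host key, instead of the sm-key.pem generated for that certificate in 4.2.3.2; signatures made with a non-matching key will not verify against sm-cert.pem. Set keyFile to $NDGSEC_DIR/conf/certs/sm-key.pem. There is also a stray `>` after the opening tag in `<sslKeyFile>`, `<certFile>` and `<keyFile>` (2070, 2085, 2087) that would become part of the path value, and the sslKeyFile value at 2070-2071 has whitespace before its closing tag.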
     2089                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, sans-serif"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!-- 
     2090                        </FONT></FONT> 
     2091                        </P> 
     2092                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Lucida Console, DejaVu Sans Mono, sans-serif">CA 
     2093                        Certificates used to verify X.509 certs used in peer SOAP 
     2094                        messages,<BR>    SSL connections and Attribute Certificates<BR>    
     2095                        --&gt;<BR>    &lt;caCertFileList&gt;<BR>         
     2096                        &lt;caCertFile&gt;$NDGSEC_DIR/conf/certs/cacert.pem&lt;/caCertFile&gt;<BR> 
     2097                           &lt;/caCertFileList&gt;<BR></FONT>    &lt;!-- </FONT></FONT> 
     2098                        </P> 
     2099                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">Set 
     2100                        the certificate used to verify the signature of messages from the </FONT></FONT> 
     2101                        </P> 
     2102                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">client. 
     2103                         This can usually be left blank since the client is expected to </FONT></FONT> 
     2104                        </P> 
     2105                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">include 
     2106                        the cert with the signature in the inbound SOAP message</FONT></FONT></P> 
     2107                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--&gt;</FONT></FONT></P> 
     2108                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;clntCertFile&gt;&lt;/clntCertFile&gt; 
     2109                           </FONT></FONT> 
     2110                        </P> 
     2111                        <P STYLE="margin-bottom: 0cm">    
     2112                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;sessMgrEncrKey&gt;&lt;/sessMgrEncrKey&gt;</FONT></FONT></P> 
     2113                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;sessMgrURI&gt;&lt;/sessMgrURI&gt;</FONT></FONT></P> 
     2114                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;cookieDomain&gt;&lt;/cookieDomain&gt;</FONT></FONT></P> 
     2115                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;myProxyProp&gt;</FONT></FONT></P> 
     2116                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!-- 
     2117                        </FONT></FONT> 
     2118                        </P> 
     2119                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">Delete 
     2120                        this element and take setting from MYPROXY_SERVER environment </FONT></FONT> 
     2121                        </P> 
     2122                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">variable 
     2123                        if required</FONT></FONT></P> 
     2124                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--&gt;</FONT></FONT></P> 
     2125                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;hostname&gt;ENTER 
     2126                        THE FULLY QUALIFIED HOSTNAME OF THE SERVER&lt;/hostname&gt;</FONT></FONT></P> 
     2127                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!-- 
     2128                        </FONT></FONT> 
     2129                        </P> 
     2130                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">Delete 
     2131                        this element to take default setting 7512 or read </FONT></FONT> 
     2132                        </P> 
     2133                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><SPAN LANG="fr-FR">MYPROXY_SERVER_PORT 
     2134                        setting</SPAN></FONT></FONT></P> 
     2135                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--&gt;</FONT></FONT></P> 
     2136                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm">           
     2137                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;port&gt;7512&lt;/port&gt;</FONT></FONT></P> 
     2138                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!--</FONT></FONT></P> 
     2139                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">Useful 
     2140                        if hostname and certificate CN don't match correctly.  Globus </FONT></FONT> 
     2141                        </P> 
     2142                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">host 
     2143                        DN is set to &quot;host/&lt;fqdn&gt;&quot;.  Delete this element 
     2144                        and set from </FONT></FONT> 
     2145                        </P> 
     2146                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">MYPROXY_SERVER_DN 
     2147                        environment variable if prefered</FONT></FONT></P> 
     2148                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;serverDN&gt;&lt;/serverDN&gt;</FONT></FONT></P> 
     2149                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--&gt;</FONT></FONT></P> 
     2150                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!--</FONT></FONT></P> 
     2151                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">Set 
     2152                        &quot;host/&quot; prefix to host cert CN as is default with globus</FONT></FONT></P> 
     2153                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--&gt;</FONT></FONT></P> 
     2154                        <P STYLE="margin-bottom: 0cm">           
     2155                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;serverCNprefix&gt;host/&lt;/serverCNprefix&gt; </FONT></FONT></P> 
     2156                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!--</FONT></FONT></P> 
     2157                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">This 
     2158                        directory path is used to locate the OpenSSL configuration file</FONT></FONT></P> 
     2159                        <P STYLE="margin-bottom: 0cm">            
     2160                        </P> 
     2161                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">The 
     2162                        settings are used to set up the defaults for the Distinguished 
     2163                        Name of</FONT></FONT></P> 
     2164                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">the 
     2165                        new proxy cert. issued </FONT></FONT> 
     2166                        </P> 
     2167                        <P STYLE="margin-bottom: 0cm">            
     2168                        </P> 
     2169                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">GLOBUS_LOCATION 
     2170                        or GRID_SECURITY_DIR environment variables may be used</FONT></FONT></P> 
     2171                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">but 
     2172                        the settings can be independent of any Globus installation</FONT></FONT></P> 
     2173                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><BR> 
     2174                                  --&gt;</FONT></FONT></P> 
     2175                        <P STYLE="margin-bottom: 0cm">           
     2176                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;openSSLConfFilePath&gt;$NDGSEC_DIR/conf/openssl.conf&lt;/openSSLConfFilePath&gt;</FONT></FONT></P> 
     2177                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;tmpDir&gt;/tmp&lt;/tmpDir&gt;</FONT></FONT></P> 
     2178                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!-- 
     2179                        </FONT></FONT> 
     2180                        </P> 
     2181                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">      
     2182                                  Limit on maximum lifetime any proxy certificate can have 
     2183                        - </FONT></FONT> 
     2184                        </P> 
     2185                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">      
     2186                                  specified when a certificate is first created by store() 
     2187                        method</FONT></FONT></P> 
     2188                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--&gt;</FONT></FONT></P> 
     2189                        <P STYLE="margin-bottom: 0cm">           
     2190                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;proxyCertMaxLifetime&gt;24&lt;/proxyCertMaxLifetime&gt; 
     2191                        &lt;!-- in hours --&gt;</FONT></FONT></P> 
     2192                        <P STYLE="margin-bottom: 0cm">           <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!-- 
     2193                        </FONT></FONT> 
     2194                        </P> 
     2195                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">      
     2196                                  Life time of a proxy certificate when issued from the 
     2197                        Proxy Server </FONT></FONT> 
     2198                        </P> 
     2199                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">      
     2200                                  with getDelegation() method</FONT></FONT></P> 
     2201                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">      
     2202                                  --&gt;</FONT></FONT></P> 
     2203                        <P STYLE="margin-bottom: 0cm">           
     2204                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;proxyCertLifetime&gt;8&lt;/proxyCertLifetime&gt; 
     2205                        &lt;!-- in hours --&gt;</FONT></FONT></P> 
     2206                        <P STYLE="margin-bottom: 0cm">           
     2207                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><SPAN LANG="fr-FR">&lt;caCertFile&gt;$NDGSEC_DIR/conf/certs/cacert.pem&lt;/caCertFile&gt;</SPAN></FONT></FONT></P> 
     2208                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">        &lt;/myProxyProp&gt;</FONT></FONT></P> 
     2209                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">        &lt;simpleCACltProp&gt; 
     2210                        </FONT></FONT> 
     2211                        </P> 
     2212                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">         
     2213                           &lt;uri&gt;&lt;/uri&gt;</FONT></FONT></P> 
     2214                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm">        
     2215                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;xmlSigKeyFile&gt;&lt;/xmlSigKeyFile&gt;</FONT></FONT></P> 
     2216                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm">        
     2217                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;xmlSigCertFile&gt;&lt;/xmlSigCertFile&gt;</FONT></FONT></P> 
     2218                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm">        
     2219                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;xmlSigCertPwd&gt;&lt;/xmlSigCertPwd&gt;</FONT></FONT></P> 
     2220                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;/simpleCACltProp&gt;</FONT></FONT></P> 
     2221                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">        &lt;!--</FONT></FONT></P> 
     2222                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">        &lt;simpleCASrvProp&gt;</FONT></FONT></P> 
     2223                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">         
     2224                           &lt;certExpiryDate&gt;&lt;/certExpiryDate&gt;</FONT></FONT></P> 
     2225                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">         
     2226                           &lt;certLifetimeDays&gt;&lt;/certLifetimeDays&gt;</FONT></FONT></P> 
     2227                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">         
     2228                           &lt;certTmpDir&gt;&lt;/certTmpDir&gt;</FONT></FONT></P> 
     2229                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">         
     2230                           &lt;caCertFile&gt;&lt;/caCertFile&gt;</FONT></FONT></P> 
     2231                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">         
     2232                           &lt;signExe&gt;&lt;/signExe&gt;</FONT></FONT></P> 
     2233                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">         
     2234                           &lt;path&gt;&lt;/path&gt;</FONT></FONT></P> 
     2235                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">        &lt;/simpleCASrvProp&gt;</FONT></FONT></P> 
     2236                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">        --&gt;</FONT></FONT></P> 
     2237                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;credReposProp&gt;</FONT></FONT></P> 
     2238                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">         
     2239                           &lt;modFilePath&gt;&lt;/modFilePath&gt;</FONT></FONT></P> 
     2240                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">         
     2241                           &lt;modName&gt;ndg.security.common.CredWallet&lt;/modName&gt;</FONT></FONT></P> 
     2242                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">         
     2243                           &lt;className&gt;NullCredRepos&lt;/className&gt;</FONT></FONT></P> 
     2244                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">         
     2245                           &lt;propFile&gt;&lt;/propFile&gt;</FONT></FONT></P> 
     2246                        <P LANG="fr-FR" STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;/credReposProp&gt;</FONT></FONT></P> 
     2247                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;/sessMgrProp&gt;</FONT></FONT></P> 
     2248                        <P>  
     2249                        </P> 
     2250                </TD> 
     2251        </TR> 
     2252</TABLE> 
     2253<P CLASS="western" ALIGN=JUSTIFY><BR><BR> 
     2254</P> 
     2255<P CLASS="western" ALIGN=JUSTIFY><B>Notes</B></P> 
     2256<UL> 
     2257        <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB"><FONT FACE="Helvetica, sans-serif">The 
     2258        property file reading software will expand any environment variables 
     2259        included in the file.</FONT></SPAN></FONT></P> 
     2260        <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">openssl.conf</SPAN></FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB"><FONT FACE="Helvetica, sans-serif"> 
     2261        file uses the standard OpenSSL configuration file format.  It is 
     2262        used by the Session Manager MyProxy client to formulate a 
     2263        certificate request for a proxy certificate generated for a users 
     2264        session when they login.  An example is given below.  The important 
     2265        section to reference is </FONT></SPAN></FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">[ 
     2266        req_distinguished_name ]</SPAN></FONT></P> 
     2267</UL> 
     2268<P CLASS="western" ALIGN=JUSTIFY><BR><BR> 
     2269</P> 
     2270<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
     2271        <COL WIDTH=610> 
     2272        <TR> 
     2273                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0"> 
     2274                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#</FONT></FONT></P> 
     2275                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"># 
     2276                        SSLeay example configuration file.</FONT></FONT></P> 
     2277                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"># 
     2278                        This is mostly being used for generation of certificate requests.</FONT></FONT></P> 
     2279                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#</FONT></FONT></P> 
     2280                        <P STYLE="margin-bottom: 0cm"><BR> 
     2281                        </P> 
     2282                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">RANDFILE 
     2283                                       = $ENV::HOME/.rnd</FONT></FONT></P> 
     2284                        <P STYLE="margin-bottom: 0cm"><BR> 
     2285                        </P> 
     2286                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">####################################################################</FONT></FONT></P> 
     2287                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">[ 
     2288                        ca ]</FONT></FONT></P> 
     2289                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">default_ca 
     2290                             = CA_default            # The default ca section</FONT></FONT></P> 
     2291                        <P STYLE="margin-bottom: 0cm"><BR> 
     2292                        </P> 
     2293                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">####################################################################</FONT></FONT></P> 
     2294                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">[ 
     2295                        CA_default ]</FONT></FONT></P> 
     2296                        <P STYLE="margin-bottom: 0cm"><BR> 
     2297                        </P> 
     2298                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">dir 
     2299                                    = ./demoCA              # Where everything is kept</FONT></FONT></P> 
     2300                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">certs 
     2301                                  = $dir/certs            # Where the issued certs are 
     2302                        kept</FONT></FONT></P> 
     2303                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">crl_dir 
     2304                                = $dir/crl              # Where the issued crl are kept</FONT></FONT></P> 
     2305                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">database 
     2306                               = $dir/index.txt        # database index file.</FONT></FONT></P> 
     2307                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">new_certs_dir 
     2308                          = $dir/newcerts         # default place for new certs.</FONT></FONT></P> 
     2309                        <P STYLE="margin-bottom: 0cm"><BR> 
     2310                        </P> 
     2311                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">certificate 
     2312                            = $dir/cacert.pem       # The CA certificate</FONT></FONT></P> 
     2313                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">serial 
     2314                                 = $dir/serial           # The current serial number</FONT></FONT></P> 
     2315                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">crl 
     2316                                    = $dir/crl.pem          # The current CRL</FONT></FONT></P> 
     2317                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">private_key 
     2318                            = $dir/private/cakey.pem# The private key</FONT></FONT></P> 
     2319                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">RANDFILE 
     2320                               = $dir/private/.rand    # private random number file</FONT></FONT></P> 
     2321                        <P STYLE="margin-bottom: 0cm"><BR> 
     2322                        </P> 
     2323                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">x509_extensions 
     2324                        = x509v3_extensions     # The extentions to add to the cert</FONT></FONT></P> 
     2325                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">default_days 
     2326                           = 365                   # how long to certify for</FONT></FONT></P> 
     2327                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">default_crl_days= 
     2328                        365 # DEE 30  # how long before next CRL</FONT></FONT></P> 
     2329                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">default_md 
     2330                             = md5                   # which md to use.</FONT></FONT></P> 
     2331                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">preserve 
     2332                               = no                    # keep passed DN ordering</FONT></FONT></P> 
     2333                        <P STYLE="margin-bottom: 0cm"><BR> 
     2334                        </P> 
     2335                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"># 
     2336                        A few difference way of specifying how similar the request should 
     2337                        look</FONT></FONT></P> 
     2338                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"># 
     2339                        For type CA, the listed attributes must be the same, and the 
     2340                        optional</FONT></FONT></P> 
     2341                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"># 
     2342                        and supplied fields are just that :-)</FONT></FONT></P> 
     2343                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">policy 
     2344                                 = policy_match</FONT></FONT></P> 
     2345                        <P STYLE="margin-bottom: 0cm"><BR> 
     2346                        </P> 
     2347                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"># 
     2348                        For the CA policy</FONT></FONT></P> 
     2349                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">[ 
     2350                        policy_match ]</FONT></FONT></P> 
     2351                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">countryName 
     2352                                    = optional</FONT></FONT></P> 
     2353                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">stateOrProvinceName 
     2354                            = optional</FONT></FONT></P> 
     2355                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">organizationName 
     2356                               = match</FONT></FONT></P> 
     2357                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">organizationalUnitName 
     2358                         = optional</FONT></FONT></P> 
     2359                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">commonName 
     2360                                     = supplied</FONT></FONT></P> 
     2361                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">emailAddress 
     2362                                   = optional</FONT></FONT></P> 
     2363                        <P STYLE="margin-bottom: 0cm"><BR> 
     2364                        </P> 
     2365                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"># 
     2366                        For the 'anything' policy</FONT></FONT></P> 
     2367                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"># 
     2368                        At this point in time, you must list all acceptable 'object'</FONT></FONT></P> 
     2369                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"># 
     2370                        types.</FONT></FONT></P> 
     2371                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">[ 
     2372                        policy_anything ]</FONT></FONT></P> 
     2373                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">countryName 
     2374                                    = optional</FONT></FONT></P> 
     2375                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">stateOrProvinceName 
     2376                            = optional</FONT></FONT></P> 
     2377                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">localityName 
     2378                                   = optional</FONT></FONT></P> 
     2379                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">organizationName 
     2380                               = optional</FONT></FONT></P> 
     2381                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">organizationalUnitName 
     2382                         = optional</FONT></FONT></P> 
     2383                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">commonName 
     2384                                     = supplied</FONT></FONT></P> 
     2385                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">emailAddress 
     2386                                   = optional</FONT></FONT></P> 
     2387                        <P STYLE="margin-bottom: 0cm"><BR> 
     2388                        </P> 
     2389                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">####################################################################</FONT></FONT></P> 
     2390                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">[ 
     2391                        req ]</FONT></FONT></P> 
     2392                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">default_bits 
     2393                                   = 1024</FONT></FONT></P> 
     2394                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">default_keyfile 
     2395                                = privkey.pem</FONT></FONT></P> 
     2396                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">distinguished_name 
     2397                             = req_distinguished_name</FONT></FONT></P> 
     2398                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">req_extensions 
     2399                                 = v3_req</FONT></FONT></P> 
     2400                        <P STYLE="margin-bottom: 0cm"><BR> 
     2401                        </P> 
     2402                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">[ 
     2403                        req_distinguished_name ]</FONT></FONT></P> 
     2404                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"># 
     2405                        BEGIN CONFIG</FONT></FONT></P> 
     2406                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">0.organizationName 
     2407                                      = Level 0 Organization</FONT></FONT></P> 
     2408                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">0.organizationName_default 
     2409                              = NDG</FONT></FONT></P> 
     2410                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">0.organizationalUnitName 
     2411                                 = Level 0 Organizational Unit</FONT></FONT></P> 
     2412                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">0.organizationalUnitName_default 
     2413                        = BADC</FONT></FONT></P> 
     2414                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#1.organizationalUnitName 
     2415                                 = Level 1 Organizational Unit</FONT></FONT></P> 
     2416                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#1.organizationalUnitName_default 
     2417                        = localdomain</FONT></FONT></P> 
     2418                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">commonName 
     2419                                             = Name (e.g., John M. Smith)</FONT></FONT></P> 
     2420                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">commonName_max 
     2421                                         = 64</FONT></FONT></P> 
     2422                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"># 
     2423                        END CONFIG</FONT></FONT></P> 
     2424                        <P STYLE="margin-bottom: 0cm"><BR> 
     2425                        </P> 
     2426                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">[ 
     2427                        v3_req ]</FONT></FONT></P> 
     2428                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">nsCertType 
     2429                                             = objsign,email,server,client</FONT></FONT></P> 
     2430                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">basicConstraints 
     2431                                       = critical,CA:false</FONT></FONT></P> 
     2432                        <P><BR> 
     2433                        </P> 
     2434                </TD> 
     2435        </TR> 
     2436</TABLE> 
     2437<P CLASS="western" ALIGN=JUSTIFY><BR><BR> 
     2438</P> 
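Review bot: in the [ v3_req ] section of this sample config, nsCertType = objsign,email,server,client requests object-signing and e-mail use alongside server and client in a single certificate request. The guide should state which of these uses the NDG services need and drop the others from the sample, so a certificate issued from this request is not valid for purposes the service never exercises. The two commented-out 1.organizationalUnitName lines (default "localdomain") also need a sentence saying when to enable them, or should be removed from the sample.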
     2439<H4 CLASS="western"><A NAME="_Ref175134983"></A><A NAME="_Ref179772391"></A> 
     24404.2.4.3 SysV-style Boot Script</H4> 
     2441<P CLASS="western" ALIGN=JUSTIFY>The Session Manager can be 
     2442configured to start up at system boot of the host machine.  A SysV 
     2443style start up script <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndg-sm</SPAN></FONT> 
     2444is provided in the installation in:</P> 
     2445<P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/usr/local/lib/python</SPAN></FONT>&lt;python 
     2446version num&gt;<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/site-packages/ndg_security_server</SPAN></FONT>-&lt;version 
     2447info&gt;<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">.egg/ndg/security/server/share 
     2448 </SPAN></FONT> 
     2449</P> 
     2450<P CLASS="western" ALIGN=JUSTIFY>To configure, install this file:</P> 
     2451<TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
     2452        <COL WIDTH=602> 
     2453        <TR> 
     2454                <TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0"> 
     2455                        <P STYLE="margin-bottom: 0cm"><BR> 
     2456                        </P> 
     2457                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
     2458                        cp /usr/local/lib/python&lt;python version 
     2459                        num&gt;/site-packages/ndg_security_server-&lt;version 
     2460                        info&gt;.egg/ndg/security/server<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB"> 
     2461                        /share/ndg-sm /etc/rc.d/init.d</SPAN></FONT></FONT></P> 
     2462                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$ 
     2463                        chkconfig --add ndg-sm</SPAN></FONT></FONT></P> 
     2464                        <P><BR> 
     2465                        </P> 
     2466                </TD> 
     2467        </TR> 
     2468</TABLE> 
     2469<P CLASS="western" ALIGN=JUSTIFY><BR><BR> 
     2470</P> 
     2471<P CLASS="western" ALIGN=JUSTIFY>Edit the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndg-sm</SPAN></FONT> 
     2472so that it uses the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">NDGSEC_DIR</SPAN></FONT> 
     2473environment variable to point to the correct location of the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">.tac</SPAN></FONT> 
     2474file in the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">conf/</SPAN></FONT> 
     2475directory. User and group ID settings can be made to run under 
     2476alternative account to root.  If used ensure that <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR</SPAN></FONT> 
     2477is set with the necessary permissions to enable access.   
     2478</P> 
     2479<P CLASS="western" ALIGN=JUSTIFY>Note that the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">chkconfig</SPAN></FONT> 
     2480command may not be available on your target machine.  Please refer to 
     2481instructions for your particular Linux distribution.</P> 
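Review bot: the cp command in the install box will render with whitespace between ".egg/ndg/security/server" and "/share/ndg-sm", because the SPAN that carries "/share/ndg-sm /etc/rc.d/init.d" starts with a line break. Copied as shown, cp gets two source arguments and fails or copies the wrong thing; join the path so it matches the unbroken path given in the paragraph above. Both commands are shown with a "$" prompt, but writing to /etc/rc.d/init.d and running chkconfig --add need root, so say that. The sentence "User and group ID settings can be made to run under alternative account to root" should name the settings in ndg-sm that control this and say which files under $NDGSEC_DIR the account must be able to read (the .tac file, the key files under conf/certs), instead of "the necessary permissions".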
     2482<H3 CLASS="western"><A NAME="4.2.5. Attribute Authority Configuration|outline"></A> 
     24834.2.5 Attribute Authority Configuration</H3> 
     2484<P CLASS="western" ALIGN=JUSTIFY>The Attribute Authority also has a 
     2485properties file for the setting of configuration parameters.</P> 
     2486<H4 CLASS="western">4.2.5.1Attribute Authority Properties File 
     2487Settings</H4> 
     2488<P CLASS="western" ALIGN=JUSTIFY>Edit <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">attAuthorityProperties.xml</SPAN></FONT> 
     2489in <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/conf</SPAN></FONT> 
     2490and modify the default settings:</P> 
     2491<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
     2492        <COL WIDTH=610> 
     2493        <TR> 
     2494                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0"> 
     2495                        <P STYLE="margin-bottom: 0cm"><BR> 
     2496                        </P> 
     2497                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;?xml 
     2498                        version=&quot;1.0&quot; encoding=&quot;utf-8&quot;?&gt;</FONT></FONT></P> 
     2499                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;AAprop&gt;</FONT></FONT></P> 
     2500                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!-- 
     2501                        </FONT></FONT> 
     2502                        </P> 
     2503                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">'name' 
     2504                        setting MUST agree with map config file 'thisHost' name attribute</FONT></FONT></P> 
     2505                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--&gt;</FONT></FONT></P> 
     2506                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;name&gt;Organisation 
     2507                        Identifier&lt;/name&gt; </FONT></FONT> 
     2508                        </P> 
     2509                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;portNum&gt;SELECT 
     2510                        A SUITABLE PORT NUMBER FOR RUNNING THE SERVICE&lt;/portNum&gt;</FONT></FONT></P> 
     2511                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!--</FONT></FONT></P> 
     2512                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">PKI 
     2513                        settings for transport level encryption</FONT></FONT></P> 
     2514                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--&gt;</FONT></FONT></P> 
     2515                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;useSSL&gt;&lt;/useSSL&gt; 
     2516                        &lt;!-- leave blank to use http --&gt;</FONT></FONT></P> 
     2517                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;sslCertFile&gt;&lt;/sslCertFile&gt;</FONT></FONT></P> 
     2518                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;sslKeyFile&gt;&lt;/sslKeyFile&gt;</FONT></FONT></P> 
     2519                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;sslKeyPwd&gt;&lt;/sslKeyPwd&gt;</FONT></FONT></P> 
     2520                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Lucida Console, DejaVu Sans Mono, sans-serif">&lt;!-- 
     2521                        <BR>       </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, sans-serif">Directory 
     2522                        containing CA cert.s to verify SSL peer cert against - ignored if 
     2523                        useSSL is blank --&gt;<BR>       
     2524                        &lt;sslCACertDir&gt;$NDGSEC_DIR/conf/certs/ca&lt;/sslCACertDir&gt;<BR></FONT> 
     2525                           &lt;!--</FONT></FONT></P> 
     2526                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">PKI 
     2527                        settings for signature of outbound SOAP messages</FONT></FONT></P> 
     2528                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--&gt;</FONT></FONT></P> 
     2529                        <P STYLE="margin-bottom: 0cm">    
     2530                        <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;useSignatureHandler&gt;Yes&lt;/useSignatureHandler&gt; 
     2531                        &lt;!-- leave blank for no signature --&gt;</FONT></FONT></P> 
     2532                        <P STYLE="margin-bottom: 0cm">         <FONT FACE="Lucida Console, DejaVu Sans Mono, sans-serif"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!-- 
     2533                        </FONT></FONT> 
     2534                        </P> 
     2535                        <P STYLE="margin-bottom: 0cm">         <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Lucida Console, DejaVu Sans Mono, sans-serif">CA 
     2536                        Certificates used to verify X.509 certs used in peer SOAP 
     2537                        messages,<BR>         SSL connections and Attribute Certificates<BR> 
     2538                                --&gt;<BR>        &lt;caCertFileList&gt;<BR>             
     2539                        &lt;caCertFile&gt;$NDGSEC_DIR/conf/certs/cacert.pem&lt;/caCertFile&gt;<BR> 
     2540                               &lt;/caCertFileList&gt;<BR></FONT>    
     2541                        &lt;keyFile&gt;$NDGSEC_DIR/conf/certs/aa-key.pem &lt;/keyFile&gt;</FONT></FONT></P> 
     2542                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;keyPwd&gt;&lt;/keyPwd&gt;</FONT></FONT></P> 
     2543                        <P STYLE="margin-bottom: 0cm">    
     2544                        <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;caCertFile&gt;$NDGSEC_DIR/conf/certs/cacert.pem 
     2545                        &lt;/caCertFile&gt;</FONT></FONT></P> 
     2546                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!-- 
     2547                        </FONT></FONT> 
     2548                        </P> 
     2549                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">Set 
     2550                        the certificate used to verify the signature of messages from the </FONT></FONT> 
     2551                        </P> 
     2552                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">client. 
     2553                         This can usually be left blank since the client is expected to </FONT></FONT> 
     2554                        </P> 
     2555                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">include 
     2556                        the cert with the signature in the inbound SOAP message</FONT></FONT></P> 
     2557                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--&gt;</FONT></FONT></P> 
     2558                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;clntCertFile&gt;&lt;/clntCertFile&gt; 
     2559                           </FONT></FONT> 
     2560                        </P> 
     2561                        <P STYLE="margin-bottom: 0cm">    
     2562                        <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;attCertLifetime&gt;86400&lt;/attCertLifetime&gt; 
     2563                        &lt;!-- Measured in seconds --&gt;</FONT></FONT></P> 
     2564                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!-- 
     2565                        </FONT></FONT> 
     2566                        </P> 
     2567                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">Allow 
     2568                        an offset for clock skew between servers running </FONT></FONT> 
     2569                        </P> 
     2570                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">security 
     2571                        services.  - Use minus sign for time in the past</FONT></FONT></P> 
     2572                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--&gt;</FONT></FONT></P> 
     2573                        <P STYLE="margin-bottom: 0cm">    
     2574                        <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;attCertNotBeforeOff&gt;0&lt;/attCertNotBeforeOff&gt;</FONT></FONT></P> 
     2575                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!-- 
     2576                        Location of role mapping file --&gt;</FONT></FONT></P> 
     2577                        <P STYLE="margin-bottom: 0cm">    
     2578                        <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;mapConfigFile&gt;$NDGSEC_DIR/conf/mapConfig.xml&lt;/mapConfigFile&gt;</FONT></FONT></P> 
     2579                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!-- 
     2580                        All Attribute Certificates issued are recorded in this dir --&gt;</FONT></FONT></P> 
     2581                        <P STYLE="margin-bottom: 0cm">    
     2582                        <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;attCertDir&gt;$NDGSEC_DIR/conf/attCertLog&lt;/attCertDir&gt;</FONT></FONT></P> 
     2583                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!-- 
     2584                        </FONT></FONT> 
     2585                        </P> 
     2586                        <P STYLE="margin-bottom: 0cm">     <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">Files 
     2587                        in attCertDir are stored using a rotating file handler</FONT></FONT></P> 
     2588                        <P STYLE="margin-bottom: 0cm">     <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">attCertFileLogCnt 
     2589                        sets the max number of files created before the first is</FONT></FONT></P> 
     2590                        <P STYLE="margin-bottom: 0cm">     <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">overwritten</FONT></FONT></P> 
     2591                        <P STYLE="margin-bottom: 0cm">     <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--&gt;</FONT></FONT></P> 
     2592                        <P STYLE="margin-bottom: 0cm">    
     2593                        <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;attCertFileName&gt;ac.xml&lt;/attCertFileName&gt;</FONT></FONT></P> 
     2594                        <P STYLE="margin-bottom: 0cm">    
     2595                        <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;attCertFileLogCnt&gt;1024&lt;/attCertFileLogCnt&gt;</FONT></FONT></P> 
     2596                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;dnSeparator&gt;/&lt;/dnSeparator&gt;</FONT></FONT></P> 
     2597                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;!-- 
     2598                        </FONT></FONT> 
     2599                        </P> 
     2600                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">Settings 
     2601                        for custom AAUserRoles derived class to get user roles for</FONT></FONT></P> 
     2602                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">given 
     2603                        user ID</FONT></FONT></P> 
     2604                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--&gt;</FONT></FONT></P> 
     2605                        <P STYLE="margin-bottom: 0cm">    
     2606                        <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;userRolesModFilePath&gt;$NDGSEC_DIR/conf&lt;/userRolesModFilePath&gt;</FONT></FONT></P> 
     2607                        <P STYLE="margin-bottom: 0cm">    
     2608                        <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;userRolesModName&gt;userRoles&lt;/userRolesModName&gt;</FONT></FONT></P> 
     2609                        <P STYLE="margin-bottom: 0cm">    
     2610                        <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;userRolesClassName&gt;UserRoles&lt;/userRolesClassName&gt;</FONT></FONT></P> 
     2611                        <P STYLE="margin-bottom: 0cm">    
     2612                        <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;userRolesPropFile&gt;$NDGSEC_DIR/conf/userRoles.cfg&lt;/userRolesPropFile&gt;</FONT></FONT></P> 
     2613                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">&lt;/AAprop&gt;</FONT></FONT></P> 
     2614                        <P>  
     2615                        </P> 
     2616                </TD> 
     2617        </TR> 
     2618</TABLE> 
     2619<P CLASS="western" ALIGN=JUSTIFY><BR><BR> 
     2620</P> 
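Review bot: the sample attAuthorityProperties.xml defines caCertFile twice, once inside caCertFileList and again as a standalone element after keyPwd, both pointing at $NDGSEC_DIR/conf/certs/cacert.pem. The guide should say which one the Attribute Authority reads and drop the other, otherwise an installer can update one CA path and leave the service verifying against the other. The keyFile value has a trailing space before the closing tag and the standalone caCertFile value has trailing whitespace; unless the loader strips values, those paths will not resolve. sslKeyPwd and keyPwd hold private-key passwords in this file, and useSSL is documented as "leave blank to use http", so the text before the sample should tell the installer to restrict read access to the file and say what is exposed when useSSL is left blank. Minor: the heading "4.2.5.1Attribute Authority Properties File Settings" is missing the space after the section number.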
     2621<H4 CLASS="western">4.2.5.2 User Roles Interface</H4> 
     2622<P CLASS="western" ALIGN=JUSTIFY>The Attribute Authority given a 
     2623valid user proxy certificate serves an attribute certificate 
     2624containing authorisation roles for that user.  It is for the data 
     2625centre to determine how these roles map to the users identity as 
     2626given by their Distinguished Name given in the proxy certificate.  
     2627Typically, a data centre might have a user database which relates 
     2628user id to authorisation roles.</P> 
     2629<P CLASS="western" ALIGN=JUSTIFY>The Attribute Authority provides a 
     2630programmatic interface to determine the roles to user id 
     2631relationship.   A custom python class may be written to perform this 
     2632task.   See the Appendices section 5.5.</P> 
     2633<H4 CLASS="western">4.2.5.3 Role Mapping</H4> 
     2634<P CLASS="western" ALIGN=JUSTIFY>The role mapping file is stored in 
     2635the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/conf</SPAN></FONT> 
     2636directory as <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">mapConfig.xml</SPAN></FONT>. 
     2637 This is an XML file which relates local roles at the target data 
     2638centre to roles of other trusted data centres.  These role mapping 
     2639are made by agreement between data centres.</P> 
     2640<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
     2641        <COL WIDTH=610> 
     2642        <TR> 
     2643                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0"> 
     2644                        <P STYLE="margin-bottom: 0cm"><BR> 
     2645                        </P> 
     2646                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;?xml 
     2647                        version=&quot;1.0&quot; encoding=&quot;utf-8&quot;?&gt;</FONT></P> 
     2648                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;AAmap&gt;</FONT></P> 
     2649                        <P STYLE="margin-bottom: 0cm">     <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;thisHost 
     2650                        name=&quot;yourSiteIdentifier&quot;&gt;</FONT></P> 
     2651                        <P STYLE="margin-bottom: 0cm">          
     2652                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;aaURI&gt;yourSiteAttAuthorityURI&lt;/aaURI&gt;</FONT></P> 
     2653                        <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;aaDN&gt;the 
     2654                        DN for the Attribute Authority’s X.509 Cert.&lt;/aaDN&gt;</FONT></P> 
     2655                        <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;loginURI&gt;Your 
     2656                        Site Login Page URI (https expected)&lt;/loginURI&gt;</FONT></P> 
     2657                        <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;loginServerDN&gt;The 
     2658                        DN of loginURI’s SSL cert.&lt;/loginServerDN&gt;</FONT></P> 
     2659                        <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;loginRequestServerDN&gt;</FONT></P> 
     2660                        <P STYLE="margin-bottom: 0cm">              <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">The 
     2661                        cert. DN for SSL server making a request to loginURI</FONT></P> 
     2662                        <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;/loginRequestServerDN&gt;</FONT></P> 
     2663                        <P STYLE="margin-bottom: 0cm">     <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;/thisHost&gt;</FONT></P> 
     2664                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;trusted 
     2665                        name=&quot;BODC&quot;&gt;</FONT></P> 
     2666                        <P STYLE="margin-bottom: 0cm">          
     2667                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;aaURI&gt;bodcAttAuthorityURI&lt;/aaURI&gt;</FONT></P> 
     2668                        <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;aaDN&gt;the 
     2669                        DN for the Attribute Authority’s X.509 Cert.&lt;/aaDN&gt;</FONT></P> 
     2670                        <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;loginURI&gt;BODC’s 
     2671                        Login Page URI&lt;/loginURI&gt;</FONT></P> 
     2672                        <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;loginServerDN&gt;The 
     2673                        DN of loginURI’s SSL cert.&lt;/loginServerDN&gt;</FONT></P> 
     2674                        <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;loginRequestServerDN&gt;</FONT></P> 
     2675                        <P STYLE="margin-bottom: 0cm">              <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">The 
     2676                        cert. DN for SSL server making a request to loginURI</FONT></P> 
     2677                        <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;/loginRequestServerDN&gt;</FONT></P> 
     2678                        <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;role 
     2679                        remote=&quot;aBODCrole&quot; local=&quot;aLocalRole&quot;/&gt;</FONT></P> 
     2680                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;/trusted&gt;</FONT></P> 
     2681                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;trusted 
     2682                        name=&quot;NOCS&quot;&gt;</FONT></P> 
     2683                        <P STYLE="margin-bottom: 0cm">          
     2684                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;aaURI&gt;nocsAttAuthorityURI&lt;/aaURI&gt;</FONT></P> 
     2685                        <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;aaDN&gt;the 
     2686                        DN for the Attribute Authority’s X.509 Cert.&lt;/aaDN&gt;</FONT></P> 
     2687                        <P STYLE="margin-bottom: 0cm">          
     2688                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;loginURI&gt;nocsLoginPageURI&lt;/loginURI&gt;</FONT></P> 
     2689                        <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;loginServerDN&gt;The 
     2690                        DN of loginURI’s SSL cert.&lt;/loginServerDN&gt;</FONT></P> 
     2691                        <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;loginRequestServerDN&gt;</FONT></P> 
     2692                        <P STYLE="margin-bottom: 0cm">              <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">The 
     2693                        cert. DN for SSL server making a request to loginURI</FONT></P> 
     2694                        <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;/loginRequestServerDN&gt;</FONT></P> 
     2695                        <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;role 
     2696                        remote=&quot;aNOCSrole&quot; local=&quot;anotherLocalRole&quot;/&gt;</FONT></P> 
     2697                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;/trusted&gt;</FONT></P> 
     2698                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;trusted 
     2699                        name=&quot;NEODAAS&quot;&gt;</FONT></P> 
     2700                        <P STYLE="margin-bottom: 0cm">          
     2701                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;aaURI&gt;neodaasAttAuthorityURI&lt;/aaURI&gt;</FONT></P> 
     2702                        <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;aaDN&gt;the 
     2703                        DN for the Attribute Authority’s X.509 Cert.&lt;/aaDN&gt;</FONT></P> 
     2704                        <P STYLE="margin-bottom: 0cm">          
     2705                        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;loginURI&gt;neodaasLoginPageURI&lt;/loginURI&gt;</FONT></P> 
     2706                        <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;loginServerDN&gt;The 
     2707                        DN of loginURI’s SSL cert.&lt;/loginServerDN&gt;</FONT></P> 
     2708                        <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;loginRequestServerDN&gt;</FONT></P> 
     2709                        <P STYLE="margin-bottom: 0cm">              <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">The 
     2710                        cert. DN for SSL server making a request to loginURI</FONT></P> 
     2711                        <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;/loginRequestServerDN&gt;</FONT></P> 
     2712                        <P STYLE="margin-bottom: 0cm">          <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;role 
     2713                        remote=&quot;neodaasRole&quot; local=&quot;yetAnotherLocalRole&quot;/&gt;</FONT></P> 
     2714                        <P STYLE="margin-bottom: 0cm">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;/trusted&gt;</FONT></P> 
     2715                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">&lt;/AAmap&gt;</FONT></P> 
     2716                        <P STYLE="margin-bottom: 0cm"><BR> 
     2717                        </P> 
     2718                        <P><BR> 
     2719                        </P> 
     2720                </TD> 
     2721        </TR> 
     2722</TABLE> 
     2723<P CLASS="western" ALIGN=JUSTIFY><BR><BR> 
     2724</P> 
     2725<P CLASS="western" ALIGN=JUSTIFY>The map file contains an entry for 
     2726each site that the Attribute Authority trusts.  These are listed 
     2727using the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">trusted</SPAN></FONT> 
     2728element name.  The Attribute Authority identifies itself with the 
     2729similar <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">thisHost</SPAN></FONT> 
     2730element.  Each uses a name attribute to uniquely identify the 
     2731organisation.  The example above shows a BADC map file which trusts 
     2732the organisations BODC, NOCS and NEODAAS.</P> 
     2733<P CLASS="western" ALIGN=JUSTIFY>Note that the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">thisHost 
     2734name </SPAN></FONT>attribute should match the name element in the 
     2735corresponding <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">attAuthorityProperties.xml</SPAN></FONT> 
     2736file.  <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">name</SPAN></FONT> 
     2737is copied as the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">issuerName</SPAN></FONT> 
     2738used in Attribute Certificates issued by the Attribute Authority.</P> 
     2739<P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">thisHost</SPAN></FONT> 
     2740and trusted elements share all the same sub-elements barring role.  
     2741</P> 
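Review bot: the prose says "The example above shows a BADC map file", but the sample's thisHost element uses name="yourSiteIdentifier" and placeholder URIs, so nothing in it identifies BADC. Either set the sample's thisHost name to BADC or reword the sentence to describe it as a template that trusts BODC, NOCS and NEODAAS. The thisHost loginURI placeholder says "(https expected)" while the three trusted loginURI placeholders do not; since the list below states the Login Service is expected to run over https, the trusted entries should carry the same hint. Wording fixes in this section: "These role mapping are made" should read "These role mappings are made", "the users identity" should read "the user's identity", and in the loginRequestServerDN item "The on successful authentication" has a stray "The".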
     2742<UL> 
     2743        <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">aaURI</SPAN></FONT> 
     2744        – this is the address of the Attribute Authority</P> 
     2745        <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">aaDN</SPAN></FONT> 
     2746        – the Distinguished Name of the Attribute Authority’s X.509 
     2747        certificate (not currently used)</P> 
     2748        <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">loginURI</SPAN></FONT> 
     2749        – the address of the Login Service  
     2750        </P> 
     2751        <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">loginServerDN</SPAN></FONT> 
     2752        – the Distinguished Name of the X.509 certificate held by the 
     2753        Login Service for SSL connections.  It is expected that the Login 
     2754        Service is run over https to protect the privacy of login 
     2755        credentials.  This field is not currently used.</P> 
     2756        <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">loginRequestServerDN</SPAN></FONT> 
     2757        – on request for secured credentials a service provider enables 
     2758        the user to redirect to their chosen Login Service at another 
     2759        trusted site.   The on successful authentication the Login Service 
     2760        can return the user back to the service provider to enable them to 
     2761        continue with their request.  This return to address must be over 
     2762        https to enable credentials to be encrypted for the transit but also 
     2763        to validate service provider host making the request.   The Login 
     2764        Service carries this out by checking the SSL certificate of the 
     2765        service provider host and checking its Distinguished Name against 
     2766        the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">loginRequestServerDN</SPAN></FONT> 
     2767        entries for the organisations it trusts.</P> 
     2768        <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">role</SPAN></FONT> 
     2769        – this element is used to express an individual role mapping.  The 
     2770        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">local</SPAN></FONT> 
     2771        attribute refers to a role <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">thisHost</SPAN></FONT> 
     2772        supports.  The <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">remote</SPAN></FONT> 
     2773        attribute is assigned to the role of the trusted organisation it 
     2774        maps to.  It is possible to have multiple role entries.  One local 
     2775        role may map to many remote roles and vice versa: one remote role 
     2776        may map to many local roles.</P> 
     2777</UL> 
     2778<H4 CLASS="western">4.2.5.4 Twisted Python server .tac file</H4> 
     2779<P CLASS="western" ALIGN=JUSTIFY>Copy this from the 
     2780ndg_security_server to the NDG security conf/ area:</P> 
     2781<TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
     2782        <COL WIDTH=602> 
     2783        <TR> 
     2784                <TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0"> 
     2785                        <P STYLE="margin-bottom: 0cm"><BR> 
     2786                        </P> 
     2787                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
     2788                        cp /usr/local/lib/python&lt;python version 
     2789                        num&gt;/site-packages/ndg_security_server-&lt;version 
     2790                        info&gt;.egg/ndg/security/server/server-config.tac<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB"> 
     2791                        $NDGSEC_DIR/conf</SPAN></FONT></FONT></P> 
     2792                        <P><BR> 
     2793                        </P> 
     2794                </TD> 
     2795        </TR> 
     2796</TABLE> 
     2797<P CLASS="western" ALIGN=JUSTIFY><BR><BR> 
     2798</P> 
     2799<H4 CLASS="western"><A NAME="_Ref179772414"></A>4.2.5.5 SysV-style 
     2800Boot Script</H4> 
     2801<P CLASS="western" ALIGN=JUSTIFY>As with the Session Manager, the 
     2802Attribute Authority can be configured to start up at system boot of 
     2803the host machine.  A SysV style start up script <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndg-aa</SPAN></FONT> 
     2804is provided in the installation in:</P> 
     2805<P CLASS="western" ALIGN=JUSTIFY>/usr/local/lib/python&lt;python 
     2806version num&gt;/site-packages/ndg_security_server-&lt;version 
     2807info&gt;.egg/ndg/security/server/<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">share</SPAN></FONT> 
     2808  
     2809</P> 
     2810<P CLASS="western" ALIGN=JUSTIFY>To configure, install this file:</P> 
     2811<TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
     2812        <COL WIDTH=602> 
     2813        <TR> 
     2814                <TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0"> 
     2815                        <P STYLE="margin-bottom: 0cm"><BR> 
     2816                        </P> 
     2817                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ 
     2818                        cp /usr/local/lib/python&lt;python version 
     2819                        num&gt;/site-packages/ndg_security_server-&lt;version 
     2820                        info&gt;.egg/ndg/security/server<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB"> 
     2821                        /share/ndg-aa /etc/rc.d/init.d</SPAN></FONT></FONT></P> 
     2822                        <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$ 
     2823                        chkconfig --add ndg-aa</SPAN></FONT></FONT></P> 
     2824                        <P><BR> 
     2825                        </P> 
     2826                </TD> 
     2827        </TR> 
     2828</TABLE> 
     2829<P CLASS="western" ALIGN=JUSTIFY><BR><BR> 
     2830</P> 
     2831<P CLASS="western" ALIGN=JUSTIFY>Edit the ndg-aa so that it uses the 
     2832NDGSEC_DIR environment variable to point to the correct location of 
     2833the .tac file in the conf/ directory.  User and group ID settings can 
     2834be made to run under alternative account to root.  If used ensure 
     2835that $NDGSEC_DIR is set with the necessary permissions to enable 
     2836access.   
     2837</P> 
     2838<P CLASS="western" ALIGN=JUSTIFY>If required, add any additional 
     2839environment settings required to connect to a user database.</P> 
     2840<H3 CLASS="western"><A NAME="4.2.6. Python Unit Tests|outline"></A>4.2.6 
     2841Python Unit Tests</H3> 
     2842<P CLASS="western" ALIGN=JUSTIFY>Python unit test scripts are 
     2843provided to enable the system to be checked to confirm that it is 
     2844running correctly.   These are located in the ndg_security_test egg 
     2845in the site-packages/ directory of the python installation.</P> 
     2846<P CLASS="western" ALIGN=JUSTIFY>&lt;todo: &gt;</P> 
    28462847<P CLASS="western" ALIGN=LEFT><BR><BR> 
    28472848</P> 
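Review bot: In 4.2.5.5 the run-as account is left optional ("User and group ID settings can be made to run under alternative account to root"), which makes root the documented default for the Attribute Authority service. I would make a dedicated unprivileged account the recommended setup and state the ownership and mode that $NDGSEC_DIR/conf needs, since it holds the .tac file and the service configuration. The "cp ... /etc/rc.d/init.d" and "chkconfig --add ndg-aa" lines are shown with a "$" prompt but need root, so say that. Smaller points in the same hunk: section 4.2.6 still ends in the "&lt;todo: &gt;" placeholder, which should be filled in or dropped for a 1.0 guide, and "The on successful authentication" in the loginRequestServerDN item has a stray "The".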
     
    32493250the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">bin/mysql_setpermission</SPAN></FONT> 
    32503251script if you install the `DBI' and `DBD::mysql' Perl modules.</P> 
    3251 <P CLASS="western" ALIGN=LEFT>See section 4.4.1 for details about 
     3252<P CLASS="western" ALIGN=LEFT>See section 4.2.4.1 for details about 
    32523253creation of the Credential Repository database.</P> 
    32533254<H3 CLASS="western"><A NAME="5.2.10. Server Automated Start up|outline"></A> 
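Review bot: The corrected reference "See section 4.2.4.1" is still a hard-coded section number, which is how the old "4.4.1" went stale after the sections were re-ordered. Other headings in this file carry bookmark anchors (for example NAME="_Ref179772414" on 4.2.5.5), so a linked cross-reference to the Credential Repository section would survive the next renumbering.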
     
    34823483                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>&quot;&quot;&quot;</FONT></FONT></P> 
    34833484                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#000000">__revision__ 
    3484                         = </FONT><I><FONT COLOR="#00aa00">'$Id:$'</FONT></I></FONT></FONT></P> 
     3485                        = </FONT><FONT COLOR="#00aa00"><I>'$Id:$'</I></FONT></FONT></FONT></P> 
    34853486                        <P STYLE="margin-bottom: 0cm; background: transparent"><BR> 
    34863487                        </P> 
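Review bot: The removed and added lines here differ only in the nesting order of the I and FONT tags around '$Id:$', and the same re-export churn repeats through the rest of the code listing. It buries the real documentation changes in this changeset. Consider committing the regenerated HTML separately from the content edits, or keeping only the source document under version control and generating the HTML at release time.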
     
    35253526                        </P> 
    35263527                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">class</FONT><FONT COLOR="#000000"> 
    3527                         <B>TestUserRoles</B>(AAUserRoles):</FONT></FONT></FONT></P> 
    3528                         <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> 
    3529                            </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><I><FONT COLOR="#00aa00">&quot;&quot;&quot;Test 
    3530                         User Roles class dynamic import for Attribute Authority</FONT></I></FONT></FONT></P> 
     3528                        </FONT><FONT COLOR="#000000"><B>TestUserRoles</B></FONT><FONT COLOR="#000000">(AAUserRoles):</FONT></FONT></FONT></P> 
     3529                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> 
     3530                           </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#00aa00"><I>&quot;&quot;&quot;Test 
     3531                        User Roles class dynamic import for Attribute Authority</I></FONT></FONT></FONT></P> 
    35313532                        <P STYLE="margin-bottom: 0cm; background: transparent">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>NOT 
    35323533                        for use on production system&quot;&quot;&quot;</FONT></FONT></P> 
     
    35353536                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> 
    35363537                           </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">def</FONT><FONT COLOR="#000000"> 
    3537                         <B>__init__</B>(<I>self</I>, propertiesFilePath=</FONT><FONT COLOR="#0000ff">None</FONT><FONT COLOR="#000000">):</FONT></FONT></FONT></P> 
     3538                        </FONT><FONT COLOR="#000000"><B>__init__</B></FONT><FONT COLOR="#000000">(</FONT><FONT COLOR="#000000"><I>self</I></FONT><FONT COLOR="#000000">, 
     3539                        propertiesFilePath=</FONT><FONT COLOR="#0000ff">None</FONT><FONT COLOR="#000000">):</FONT></FONT></FONT></P> 
    35383540                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> 
    35393541                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">pass</FONT></FONT></FONT></P> 
     
    35423544                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> 
    35433545                           </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">def</FONT><FONT COLOR="#000000"> 
    3544                         <B>getRoles</B>(<I>self</I>, dn):</FONT></FONT></FONT></P> 
    3545                         <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> 
    3546                                </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><I><FONT COLOR="#00aa00">&quot;&quot;&quot;Test 
    3547                         getRoles returns role attributes regardless of user Id!&quot;&quot;&quot;</FONT></I></FONT></FONT></P> 
     3546                        </FONT><FONT COLOR="#000000"><B>getRoles</B></FONT><FONT COLOR="#000000">(</FONT><FONT COLOR="#000000"><I>self</I></FONT><FONT COLOR="#000000">, 
     3547                        dn):</FONT></FONT></FONT></P> 
     3548                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> 
     3549                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#00aa00"><I>&quot;&quot;&quot;Test 
     3550                        getRoles returns role attributes regardless of user Id!&quot;&quot;&quot;</I></FONT></FONT></FONT></P> 
    35483551                        <P STYLE="margin-bottom: 0cm; background: transparent"><BR> 
    35493552                        </P> 
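Review bot: getRoles in TestUserRoles is documented as returning role attributes "regardless of user Id", and the only warning against deploying it is the "NOT for use on production system" line inside the class docstring of the listing. The guide text around the listing should carry that warning itself and tell the installer how to confirm that the Attribute Authority properties file names the real UserRoles class rather than this test class, because the listing is what sites will copy.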
     
    35583561                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> 
    35593562                                   <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>cn 
    3560                         = X500DN(dn)[</FONT><I><FONT COLOR="#00aa00">'CN'</FONT></I><FONT COLOR="#000000">]</FONT></FONT></FONT></P> 
     3563                        = X500DN(dn)[</FONT><FONT COLOR="#00aa00"><I>'CN'</I></FONT><FONT COLOR="#000000">]</FONT></FONT></FONT></P> 
    35613564                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> 
    35623565                                   </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">if</FONT><FONT COLOR="#000000"> 
     
    35733576                        </FONT><FONT COLOR="#0000ff">for</FONT><FONT COLOR="#000000"> n </FONT><FONT COLOR="#0000ff">in</FONT><FONT COLOR="#000000"> 
    35743577                        cn </FONT><FONT COLOR="#0000ff">if</FONT><FONT COLOR="#000000"> 
    3575                         n!=</FONT><I><FONT COLOR="#00aa00">&quot;proxy&quot;</FONT></I><FONT COLOR="#000000"> 
     3578                        n!=</FONT><FONT COLOR="#00aa00"><I>&quot;proxy&quot;</I></FONT><FONT COLOR="#000000"> 
    35763579                        </FONT><FONT COLOR="#0000ff">and</FONT><FONT COLOR="#000000"> </FONT><FONT COLOR="#0000ff">not</FONT><FONT COLOR="#000000"> 
    35773580                        n.isdigit()][</FONT><FONT COLOR="#800000">0</FONT><FONT COLOR="#000000">]</FONT></FONT></FONT></P> 
     
    35883591                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> 
    35893592                                   </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">raise</FONT><FONT COLOR="#000000"> 
    3590                         AAUserRolesError, </FONT><I><FONT COLOR="#00aa00">&quot;Parsing 
    3591                         username from DN %s: %s&quot;</FONT></I><FONT COLOR="#000000"> % 
     3593                        AAUserRolesError, </FONT><FONT COLOR="#00aa00"><I>&quot;Parsing 
     3594                        username from DN %s: %s&quot;</I></FONT><FONT COLOR="#000000"> % 
    35923595                        (dn,e)</FONT></FONT></FONT></P> 
    35933596                        <P STYLE="margin-bottom: 0cm; background: transparent"><BR> 
     
    35953598                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> 
    35963599                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">return</FONT><FONT COLOR="#000000"> 
    3597                         [</FONT><I><FONT COLOR="#00aa00">'Public'</FONT></I><FONT COLOR="#000000">, 
    3598                         </FONT><I><FONT COLOR="#00aa00">'Researcher'</FONT></I><FONT COLOR="#000000">]</FONT></FONT></FONT></P> 
     3600                        [</FONT><FONT COLOR="#00aa00"><I>'Public'</I></FONT><FONT COLOR="#000000">, 
     3601                        </FONT><FONT COLOR="#00aa00"><I>'Researcher'</I></FONT><FONT COLOR="#000000">]</FONT></FONT></FONT></P> 
    35993602                        <P STYLE="margin-bottom: 0cm; background: transparent"><BR> 
    36003603                        </P> 
     
    36023605                        </P> 
    36033606                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">class</FONT><FONT COLOR="#000000"> 
    3604                         <B>UserRoles</B>(AAUserRoles):</FONT></FONT></FONT></P> 
    3605                         <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> 
    3606                            </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><I><FONT COLOR="#00aa00">&quot;&quot;&quot;User 
    3607                         Roles class dynamically imported for Attribute Authority</FONT></I></FONT></FONT></P> 
     3607                        </FONT><FONT COLOR="#000000"><B>UserRoles</B></FONT><FONT COLOR="#000000">(AAUserRoles):</FONT></FONT></FONT></P> 
     3608                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> 
     3609                           </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#00aa00"><I>&quot;&quot;&quot;User 
     3610                        Roles class dynamically imported for Attribute Authority</I></FONT></FONT></FONT></P> 
    36083611                        <P STYLE="margin-bottom: 0cm; background: transparent">    <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>- 
    36093612                        see the Attribute Authority Properties file to make the correct</FONT></FONT></P> 
     
    36143617                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> 
    36153618                           </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">def</FONT><FONT COLOR="#000000"> 
    3616                         <B>__init__</B>(<I>self</I>, propertiesFilePath=</FONT><FONT COLOR="#0000ff">None</FONT><FONT COLOR="#000000">):</FONT></FONT></FONT></P> 
     3619                        </FONT><FONT COLOR="#000000"><B>__init__</B></FONT><FONT COLOR="#000000">(</FONT><FONT COLOR="#000000"><I>self</I></FONT><FONT COLOR="#000000">, 
     3620                        propertiesFilePath=</FONT><FONT COLOR="#0000ff">None</FONT><FONT COLOR="#000000">):</FONT></FONT></FONT></P> 
    36173621                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> 
    36183622                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">if</FONT><FONT COLOR="#000000"> 
     
    36213625                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> 
    36223626                                   </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">raise</FONT><FONT COLOR="#000000"> 
    3623                         AAUserRolesError, </FONT><I><FONT COLOR="#00aa00">&quot;No user 
    3624                         roles property file set&quot;</FONT></I></FONT></FONT></P> 
     3627                        AAUserRolesError, </FONT><FONT COLOR="#00aa00"><I>&quot;No user 
     3628                        roles property file set&quot;</I></FONT></FONT></FONT></P> 
    36253629                        <P STYLE="margin-bottom: 0cm; background: transparent"><BR> 
    36263630                        </P> 
     
    36363640                        </P> 
    36373641                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> 
    3638                                <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><I>self</I>.__conxnStr 
    3639                         = configParser.get(</FONT><I><FONT COLOR="#00aa00">'Oracle'</FONT></I><FONT COLOR="#000000">, 
    3640                         </FONT><I><FONT COLOR="#00aa00">'connection'</FONT></I><FONT COLOR="#000000">)</FONT></FONT></FONT></P> 
     3642                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#000000"><I>self</I></FONT><FONT COLOR="#000000">.__conxnStr 
     3643                        = configParser.get(</FONT><FONT COLOR="#00aa00"><I>'Oracle'</I></FONT><FONT COLOR="#000000">, 
     3644                        </FONT><FONT COLOR="#00aa00"><I>'connection'</I></FONT><FONT COLOR="#000000">)</FONT></FONT></FONT></P> 
    36413645                        <P STYLE="margin-bottom: 0cm; background: transparent"><BR> 
    36423646                        </P> 
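Review bot: self.__conxnStr is read from the 'connection' option of the 'Oracle' section of the user roles properties file, and a database connection string normally carries the account password. The guide should state the ownership and permissions that properties file must have (readable only by the account the Attribute Authority runs as) and recommend a database account limited to read access on the roles tables.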
     
    36543658                           </FONT><FONT COLOR="#c0c0c0"># pool</FONT></FONT></FONT></P> 
    36553659                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> 
    3656                                <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><I>self</I>.__query 
    3657                         =  configParser.get(</FONT><I><FONT COLOR="#00aa00">'Oracle'</FONT></I><FONT COLOR="#000000">, 
    3658                         </FONT><I><FONT COLOR="#00aa00">'query'</FONT></I><FONT COLOR="#000000">)</FONT></FONT></FONT></P> 
     3660                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#000000"><I>self</I></FONT><FONT COLOR="#000000">.__query 
     3661                        =  configParser.get(</FONT><FONT COLOR="#00aa00"><I>'Oracle'</I></FONT><FONT COLOR="#000000">, 
     3662                        </FONT><FONT COLOR="#00aa00"><I>'query'</I></FONT><FONT COLOR="#000000">)</FONT></FONT></FONT></P> 
    36593663                        <P STYLE="margin-bottom: 0cm; background: transparent"><BR> 
    36603664                        </P> 
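Review bot: The SQL text comes from the 'query' option of the 'Oracle' section, and the lines in this hunk do not show how the user name taken from the certificate DN is combined with it. Since this listing is the template sites will adapt, it should show the user name passed as a bind variable, and the guide should say that the configured query must contain a placeholder for it instead of being assembled by string formatting.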
     
    36633667                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> 
    36643668                           </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">def</FONT><FONT COLOR="#000000"> 
    3665                         <B>getRoles</B>(<I>self</I>, dn):</FONT></FONT></FONT></P> 
    3666                         <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> 
    3667                                </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><I><FONT COLOR="#00aa00">'''Roles 
    3668                         interface for BODC database'''</FONT></I></FONT></FONT></P> 
     3669                        </FONT><FONT COLOR="#000000"><B>getRoles</B></FONT><FONT COLOR="#000000">(</FONT><FONT COLOR="#000000"><I>self</I></FONT><FONT COLOR="#000000">, 
     3670                        dn):</FONT></FONT></FONT></P> 
     3671                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> 
     3672                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#00aa00"><I>'''Roles 
     3673                        interface for BODC database'''</I></FONT></FONT></FONT></P> 
    36693674                        <P STYLE="margin-bottom: 0cm; background: transparent"><BR> 
    36703675                        </P> 
     
    36793684                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> 
    36803685                                   <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>cn 
    3681                         = X500DN(dn)[</FONT><I><FONT COLOR="#00aa00">'CN'</FONT></I><FONT COLOR="#000000">]</FONT></FONT></FONT></P> 
     3686                        = X500DN(dn)[</FONT><FONT COLOR="#00aa00"><I>'CN'</I></FONT><FONT COLOR="#000000">]</FONT></FONT></FONT></P> 
    36823687                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> 
    36833688                                   </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">if</FONT><FONT COLOR="#000000"> 
     
    36943699                        </FONT><FONT COLOR="#0000ff">for</FONT><FONT COLOR="#000000"> n </FONT><FONT COLOR="#0000ff">in</FONT><FONT COLOR="#000000"> 
    36953700                        cn </FONT><FONT COLOR="#0000ff">if</FONT><FONT COLOR="#000000"> 
    3696                         n!=</FONT><I><FONT COLOR="#00aa00">&quot;proxy&quot;</FONT></I><FONT COLOR="#000000"> 
     3701                        n!=</FONT><FONT COLOR="#00aa00"><I>&quot;proxy&quot;</I></FONT><FONT COLOR="#000000"> 
    36973702                        </FONT><FONT COLOR="#0000ff">and</FONT><FONT COLOR="#000000"> </FONT><FONT COLOR="#0000ff">not</FONT><FONT COLOR="#000000"> 
    36983703                        n.isdigit()][</FONT><FONT COLOR="#800000">0</FONT><FONT COLOR="#000000">]</FONT></FONT></FONT></P> 
     
    37093714                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> 
    37103715                                   </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">raise</FONT><FONT COLOR="#000000"> 
    3711                         AAUserRolesError, </FONT><I><FONT COLOR="#00aa00">&quot;Parsing 
    3712                         username from DN %s: %s&quot;</FONT></I><FONT COLOR="#000000"> % 
     3716                        AAUserRolesError, </FONT><FONT COLOR="#00aa00"><I>&quot;Parsing 
     3717                        username from DN %s: %s&quot;</I></FONT><FONT COLOR="#000000"> % 
    37133718                        (dn,e)</FONT></FONT></FONT></P> 
    37143719                        <P STYLE="margin-bottom: 0cm; background: transparent"><BR> 
     
    37403745                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> 
    37413746                                   </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">raise</FONT><FONT COLOR="#000000"> 
    3742                         AAUserRolesError, </FONT><I><FONT COLOR="#00aa00">&quot;Error 
    3743                         connecting to Oracle database: &quot;</FONT></I><FONT COLOR="#000000"> 
     3747                        AAUserRolesError, </FONT><FONT COLOR="#00aa00"><I>&quot;Error 
     3748                        connecting to Oracle database: &quot;</I></FONT><FONT COLOR="#000000"> 
    37443749                        +\</FONT></FONT></FONT></P> 
    37453750                        <P STYLE="margin-bottom: 0cm; background: transparent">        <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>                    
     
    37803785                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> 
    37813786                                       </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">raise</FONT><FONT COLOR="#000000"> 
    3782                         AAUserRolesError, </FONT><I><FONT COLOR="#00aa00">&quot;Error 
    3783                         executing query: &quot;</FONT></I><FONT COLOR="#000000"> + str(e)</FONT></FONT></FONT></P> 
     3787                        AAUserRolesError, </FONT><FONT COLOR="#00aa00"><I>&quot;Error 
     3788                        executing query: &quot;</I></FONT><FONT COLOR="#000000"> + str(e)</FONT></FONT></FONT></P> 
    37843789                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> 
    37853790                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">finally</FONT><FONT COLOR="#000000">:</FONT></FONT></FONT></P> 
     
    38163821                        </P> 
    38173822                        <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> 
    3818                                </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT FACE="Monospace"><FONT COLOR="#0000ff">return</FONT><FONT COLOR="#000000"> 
     3823                               </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff"><FONT FACE="Monospace">return</FONT></FONT><FONT COLOR="#000000"><FONT FACE="Monospace"> 
    38193824                        roleNames</FONT></FONT></FONT></FONT></P> 
    38203825                        <P STYLE="background: transparent"><BR> 
     
    38773882<P CLASS="western" ALIGN=JUSTIFY><BR><BR> 
    38783883</P> 
    3879 <H2 CLASS="western"><A NAME="5.6.Troubleshooting|outline"></A>5.6 
     3884<H2 CLASS="western"><A NAME="5.6. Troubleshooting|outline"></A>5.6 
    38803885Troubleshooting</H2> 
    3881 <H3 CLASS="western"><A NAME="5.6.1.M2Crypto |outline"></A>5.6.1 
     3886<H3 CLASS="western"><A NAME="5.6.1. M2Crypto |outline"></A>5.6.1 
    38823887M2Crypto  
    38833888</H3> 
    3884 <H4 CLASS="western">5.6.1.1SWIG Version too Old</H4> 
     3889<H4 CLASS="western">5.6.1.1 SWIG</H4> 
    38853890<P CLASS="western" ALIGN=JUSTIFY>M2Crypto uses SWIG to bind C OpenSSL 
    3886 library code to the Python interface.  Compilation errors with swig 
    3887 <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">.i</SPAN></FONT> 
    3888 files in the M2Crypto tar bundle can be caused by using an earlier 
     3891library code to the Python interface.   If SWIG is not present on 
     3892your system, the M2Crypto build will fail with an error such as:</P> 
     3893<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
     3894        <COL WIDTH=610> 
     3895        <TR> 
     3896                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0"> 
     3897                        <P STYLE="margin-bottom: 0cm"><BR> 
     3898                        </P> 
     3899                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">unable 
     3900                        to execute swig: No such file or directory<BR>error: Setup script 
     3901                        exited with error: command 'swig' failed with exit status 1</FONT></P> 
     3902                </TD> 
     3903        </TR> 
     3904</TABLE> 
     3905<P CLASS="western" ALIGN=JUSTIFY><BR>Alternatively, compilation 
     3906errors with swig <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">.i</SPAN></FONT> 
     3907files in the M2Crypto tar bundle can be caused by use of an earlier 
    38893908version of swig.  This has been seen with the default swig on Redhat 
    38903909EL4.  This comes with swig version 1.1.  To check the SWIG version 
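Review bot: The anchor names change from "5.6.Troubleshooting|outline" and "5.6.1.M2Crypto |outline" to versions with a space after the number, so any existing link or table-of-contents entry that targets the old names will stop resolving; please check the contents page was regenerated in the same commit. The new M2Crypto anchor also keeps a trailing space before "|outline". On the text: "Alternatively, compilation errors ..." reads as a second fix rather than a second cause, so "A second cause is ..." would be clearer now that the heading covers both a missing and an outdated swig.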
     
    39033922        </TR> 
    39043923</TABLE> 
    3905 <P CLASS="western" ALIGN=JUSTIFY><BR><BR> 
    3906 </P> 
    3907 <P CLASS="western" ALIGN=JUSTIFY>Some version will build OK but then 
    3908 cause runtime errors e.g.</P> 
     3924<P CLASS="western" ALIGN=JUSTIFY><BR>Some version will build OK but 
     3925then cause runtime errors e.g.</P> 
    39093926<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
    39103927        <COL WIDTH=610> 
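Review bot: "Some version will build OK but then cause runtime errors" should read "Some versions", and it no longer says versions of what now that the heading has been shortened from "SWIG Version too Old" to "SWIG". Naming SWIG in the sentence would fix both.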
     
    39253942<P CLASS="western" ALIGN=JUSTIFY>To fix update to a version &gt;= 
    392639431.3.24 and re-run the installation script but also make sure to read 
    3927 the next section.  SWIG is available from <FONT COLOR="#0000ff"><U><A HREF="http://www.swig.org/">http://www.swig.org/</A></U></FONT></P> 
     3944the next section.  SWIG is available from <FONT COLOR="#0000ff"><U><A HREF="http://www.swig.org/">http://www.swig.org/</A></U></FONT> 
     3945or alternatively may be installed as an rpm or with apt-get for a 
     3946Debian package.</P> 
    39283947<H4 CLASS="western">5.6.1.2 SWIG and Py_ssize_t build error</H4> 
    39293948<P CLASS="western" ALIGN=JUSTIFY>The combination SWIG version 
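Review bot: The added "may be installed as an rpm or with apt-get for a Debian package" clause does not carry over the ">= 1.3.24" requirement stated at the start of the same sentence, and the earlier paragraph notes that the default swig on Redhat EL4 is version 1.1, so a packaged swig can be exactly the version that causes the failure. Suggest adding that the packaged version should be checked against the minimum before re-running the installation script.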
     
    39473966for reference and up to date details of any other M2Crypto related 
    39483967issues.</P> 
     3968<H4 CLASS="western">5.6.1.3 OpenSSL Header files Missing</H4> 
     3969<P CLASS="western" ALIGN=JUSTIFY>M2Crypto requires OpenSSL libraries 
     3970and header files to link with when being built.  On some systems, the 
     3971openssl executable may be present but not the required header files 
     3972or libraries.  You may see an error like this:</P> 
     3973<TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> 
     3974        <COL WIDTH=610> 
     3975        <TR> 
     3976                <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0"> 
     3977                        <P STYLE="margin-bottom: 0cm"><BR> 
     3978                        </P> 
     3979                        <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">SWIG/_m2crypto.i:23: 
     3980                        Error: Unable to find 'openssl/opensslv.h'<BR>SWIG/_ec.i:7: Error: 
     3981                        Unable to find 'openssl/opensslconf.h'<BR>error: Setup script 
     3982                        exited with error: command 'swig' failed with exit status 1</FONT></P> 
     3983                </TD> 
     3984        </TR> 
     3985</TABLE> 
     3986<P CLASS="western">Depending on your system, install the 
     3987<FONT SIZE=2><SPAN STYLE="font-weight: medium">openssl-devel RPM or 
     3988</SPAN></FONT>libssl-dev Debian package or re-install OpenSSL from 
     3989source (<A HREF="http://www.openssl.org/">http://www.openssl.org</A>)</P> 
    39493990<H3 CLASS="western"><A NAME="5.6.2. PyXML|outline"></A>5.6.2 PyXML</H3> 
    39503991<P CLASS="western" ALIGN=JUSTIFY>error: Could not find suitable 
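Review bot: The closing paragraph of the new 5.6.1.3 section is marked up differently from the rest of the guide: it has no ALIGN=JUSTIFY, it wraps "openssl-devel RPM or" in a FONT SIZE=2 / SPAN STYLE="font-weight: medium" pair that serves no purpose, and the package names openssl-devel and libssl-dev are not set in the monospace FONT used for the error output above. Suggest dropping the FONT/SPAN wrapper, setting both package names in monospace, and ending the sentence with a full stop. The heading "OpenSSL Header files Missing" also mixes capitalisation styles.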