The MyProxy Configuration

This tag contains the MyProxy server configuration information.

Name           Required  Default    Description
host           N         localhost  The host on which the MyProxy service resides.
port           N         7512       The port of the service.
serverDN       N         (none)     A server DN (distinguished name) to be used when checking the name returned by a MyProxy server. Note: this may also be set globally for all MyProxy instances in the service tag; setting it in a MyProxy element overrides the global setting. If you are looking to set the DN of the certificate for the client, see the entry for the trust store.
socketTimeout  N         0          The timeout for the connection, in ms.
useProxy       N         false      If you have configured a proxy for authorization, you may also use it to get certificates from the proxy.

Multiple MyProxy servers may be specified. These will be tried until one that is available is found. If none are available, then an exception will be thrown.

Getting the trusted Roots

The OA4MP server acts as a front-end to an existing MyProxy server. The OAuth server can run on the same system as the MyProxy server or they can run on separate systems. To connect securely to the MyProxy server, the OA4MP install must include a trusted CA certificates directory (in /etc/grid-security/certificates or $HOME/.globus/certificates). Since we're installing as a regular system user, we use the myproxy-get-trustroots command to create our $HOME/.globus/certificates directory. Alternatively, you can manually set up a $HOME/.globus/certificates directory using a CA distribution from IGTF or XSEDE or another trusted source. You will have to do this anyway if your platform does not have a MyProxy client available.

$ myproxy-get-trustroots -s myproxy.ncsa.uiuc.edu
Bootstrapping MyProxy server root of trust.
New trusted MyProxy server: /C=US/O=National Center for Supercomputing Applications/OU=Services/CN=myproxy.ncsa.uiuc.edu
New trusted CA (9b95bbf2.0): /C=US/O=National Center for Supercomputing Applications/OU=Certificate Authorities/CN=CACL
Trust roots have been installed in /Users/jbasney/.globus/certificates/.

Example 1.

Omitting the tag means to accept the defaults. So all of these are equivalent:

(no tag)
<myproxy/>
<myproxy host="localhost" port="7512"/>

Example 2. Specifying a host and port

<config>
    <service  name="my-server">
       <myproxy host="myproxy.teragrid.org" port="1234" socketTimeout="20000"/>
       <!-- more configuration -->
    </service>
</config>

Use the host myproxy.teragrid.org with port 1234 (instead of the default) and a timeout of 20000 ms for the connection. If the MyProxy server does not respond within 20000 ms, the attempt will end.

Example 3. Multiple servers

<config>
    <service  name="my-server">
       <myproxy host="myproxy.bigstate.edu" port="9352"/>
       <myproxy host="myproxy.xsede.org"
                serverDN="CN=myproxy.xsede.org,OU=IGTF Server,OU=UIUC - NCSA,O=University of Illinois,L=Urbana,ST=IL,C=US,DC=incommon,DC=org"/>
       <myproxy host="myproxy.teragrid.org"/>
       <!-- more configuration -->
    </service>
</config>

Use the MyProxy server at myproxy.bigstate.edu with the non-standard port 9352. If that fails, the two other MyProxy servers are tried as backups. An exception is only raised if all of these fail, and only the last failure is returned.
Note: listing any MyProxy servers means that localhost will not be tried unless it is explicitly added.
Note: the server DN in this case applies only to the myproxy.xsede.org server. Behind that name there may be several servers that actually handle the request, and any of them may respond. The server name is checked using a reverse DNS lookup, so the common name (CN) in this DN must match the name that lookup returns.

Levels of Assurance

The MyProxy configuration allows you to specify multiple levels of assurance. A good discussion of them as they are used in OA4MP can be found under the CILogon site. These are elements (there may be multiple) within the MyProxy element and support two properties:
Name  Required  Default  Description
name  Y         -        The name assigned to this level of assurance.
port  Y         -        The port of the service that provides this level of assurance.
See the example in the next section for a use of this.
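As an added example (not OA4MP's own code) covering the fail-over rule in Example 3 and the level-of-assurance elements above: a Python parser that reads the <myproxy> elements with their documented defaults, maps each <loa> name to its port, extracts the CN that must match the reverse-DNS name, and tries the servers in order, surfacing only the last failure. The sample configuration and the connect callback are constructed for illustration.

```python
import xml.etree.ElementTree as ET
# Added example, not OA4MP code. Documented defaults for a <myproxy> element.
DEFAULT_HOST, DEFAULT_PORT, DEFAULT_TIMEOUT_MS = "localhost", 7512, 0

# Constructed sample: Example 3 plus one <loa> child and a socket timeout.
SAMPLE_CONFIG = """<config>
  <service name="my-server">
    <myproxy host="myproxy.bigstate.edu" port="9352">
      <loa name="openid" port="7516"/>
    </myproxy>
    <myproxy host="myproxy.xsede.org"
             serverDN="CN=myproxy.xsede.org,OU=IGTF Server,O=University of Illinois,C=US"/>
    <myproxy host="myproxy.teragrid.org" socketTimeout="20000"/>
  </service>
</config>"""

def _server(el):
    """One server record from a <myproxy> element, filling in the defaults."""
    return {
        "host": el.get("host", DEFAULT_HOST),
        "port": int(el.get("port", DEFAULT_PORT)),
        "socketTimeout": int(el.get("socketTimeout", DEFAULT_TIMEOUT_MS)),
        "serverDN": el.get("serverDN"),  # None: no DN check configured
        # levels of assurance: LoA name -> the port that serves it
        "loa": {loa.get("name"): int(loa.get("port")) for loa in el.findall("loa")},
    }

def parse_myproxy_servers(xml_text):
    """Servers in document order; no <myproxy> element at all means localhost:7512."""
    servers = [_server(el) for el in ET.fromstring(xml_text).iter("myproxy")]
    return servers or [_server(ET.Element("myproxy"))]

def dn_common_name(server_dn):
    """CN of a serverDN; it must match the name from the reverse DNS lookup."""
    for part in server_dn.split(","):
        key, _, value = part.strip().partition("=")
        if key.upper() == "CN":
            return value
    return None

def connect_with_failover(servers, connect):
    """Return the first server that answers; if all fail, raise with only the last error."""
    last_error = None
    for server in servers:
        try:
            return connect(server)
        except OSError as err:
            last_error = err
    raise ConnectionError(f"no MyProxy server available: {last_error}") from last_error
```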

Using MyProxy with a Client Certificate

MyProxy may also be used by an OA4MP server with a client certificate (remember that the OA4MP server in this case is a client of the MyProxy server, to help keep this straight). This means that rather than sending the username and password to the MyProxy server, there is a trust relationship so that only the username need be supplied. Of course, setting this up with a MyProxy server requires issuing a client certificate, so it is not trivial. In this case, the keystore that the OA4MP server must use is also required. It is specified as an additional element within the myproxy element.

An Example

Consider the following server configuration with the given MyProxy configuration:

<config>
   <service  name="my-server">
       <myproxy host="myproxy.bigstate.edu" port="7512">
             <loa name="openid" port="7516"/>
             <loa name="http://incommonfederation.org/assurance/silver" port="7514"/>
             <keystore path="/var/www/config/hostcred.p12"
                       type="pkcs12"
                       password="my-weird-password"
                       factory="SunX509"
                       useJavaKeystore="true"/>
       </myproxy>
       <!-- lots more configuration -->
   </service>
</config>

In this case, there is a basic MyProxy server residing at port 7512 on the machine myproxy.bigstate.edu. The same server also supports two additional levels of assurance, on ports 7516 and 7514. A custom keystore containing the client certificate that MyProxy accepts is also configured.