myproxy-server.config.5
.TP
.BR disabled " (default)"
PAM is not used to check passphrases.
.RE
.TP
.BI pam_id " string"
The name that myproxy uses to identify itself to PAM. Default is
"myproxy".
For example, on most Unix-like systems, if pam_id is set to "login",
MyProxy will authenticate against the system's own usernames and
passwords.
.TP
.BI sasl " option"
This line
governs the use of SASL authentication.
Accepted values:
.RS
.TP
.B required
SASL authentication is required for retrieving credentials.
.TP
.B sufficient
SASL authentication is sufficient for retrieving credentials, but
other authentication methods may be used instead.
.TP
.BR disabled " (default)"
SASL authentication isn't used.
.RE
.PP
The MyProxy server can also be configured to act as a Certificate
Authority (CA) to issue credentials to clients. The following
parameters enable and configure the CA functionality.
.TP
.BI certificate_issuer " \*(lqDistinguished Name of CA\*(rq"
This line
optionally configures the myproxy-server to act as an online
certificate authority. It specifies the
issuer's distinguished name for certificates issued for
authenticated clients that don't have credentials stored.
You can either specify
.BR certificate_issuer ,
.BR certificate_issuer_cert ,
or
.BR certificate_issuer_program .
See also the
.B certificate_issuer_key
and
.B certificate_mapfile
parameters below.
.TP
.BI certificate_issuer_cert " full-path-to-certificate"
As an alternative to
.BR certificate_issuer ,
you can instead specify certificate_issuer_cert to be used to obtain
the issuer distinguished name.
.TP
.BI certificate_issuer_key " full-path-to-key"
When specifying
.B certificate_issuer
or
.B certificate_issuer_cert
above, you must also give the path to a CA private key in PEM format
for signing certificates.
.TP
.BI certificate_issuer_key_passphrase " \*(lqpassphrase\*(rq"
If the
.B certificate_issuer_key
is encrypted, give the passphrase here.
.TP
.BI certificate_issuer_email_domain " \*(lqdomain\*(rq"
If set, specifies the domain part of the X509v3 Subject Alternative
Name email address included in issued certificates.
.TP
.BI certificate_issuer_program " full-path-to-script"
This line specifies the path to a program to issue certificates for
authenticated clients that don't have credentials stored. This optionally
configures the myproxy-server to act as an online certificate
authority, allowing programmatic control over the certificate
issuance process.
You can either specify
.BR certificate_issuer ,
.BR certificate_issuer_cert ,
or
.BR certificate_issuer_program .
.TP
.BI certificate_serialfile " full-path-to-serial-file"
Specifies the path to a file to store the serial number counter for
issued certificates. Defaults to /var/myproxy/serial.
.TP
.BI max_cert_lifetime " hours"
Specifies the maximum lifetime (in hours) for certificates issued by
the CA module. Defaults to 12 hours.
.TP
.BI certificate_mapfile " full-path-to-mapfile"
When specifying certificate_issuer above, you can map account names
to certificate subject distinguished names for the issued
certificates using this mapfile, which has the same format as used
by other Globus Toolkit services.
By default, /etc/grid-security/grid-mapfile is used.
.PP
If OpenLDAP support is built-in to the
.BR myproxy-server (8),
the following parameters can be used to configure the CA module to map
account names to certificate subject distinguished names via LDAP.
.TP
.BI ca_ldap_server " \*(lqldap://localhost:389/\*(rq"
This parameter specifies the URI to the LDAP server to use for
username to DN resolution in the CA module. Both ldap:// and ldaps://
protocols are supported. A port number may optionally be specified as
well. Defining this directive is the "trigger" that causes the name
resolution module to use LDAP querying. If it is not defined, then
mapfile lookup will be executed instead (see
.B certificate_mapfile
above).
.TP
.BI ca_ldap_uid_attribute " \*(lquid\*(rq"
The name of the record attribute that maps to the MyProxy username.
Required for LDAP username to DN resolution.
.TP
.BI ca_ldap_searchbase " \*(lqou=people,dc=bullwinkle,dc=lbl,dc=gov\*(rq"
The DN of the region of the ldap database to be searched.
Required for LDAP username to DN resolution.
.TP
.BI ca_ldap_dn_attribute " \*(lqsubjectDN\*(rq"
If this directive is set, the LDAP resolver will pull the DN from
the specified attribute in the returned record. If it is not set,
the default is to use the DN of the record itself.
.TP
.BI ca_ldap_connect_dn " \*(lqcn=MyProxy,ou=ldapusers,dc=lbl,dc=gov\*(rq"
DN for LDAP basic authentication (optional).
.TP
.BI ca_ldap_connect_passphrase " \*(lqpassphrase\*(rq"
Passphrase for LDAP basic authentication (optional).
.PP
The following parameters control server replication with the
.BR myproxy-replicate (1)
utility.
.TP
.BI slave_servers " server:port;"
This value is for use with the
.BR myproxy-replicate (1)
utility. This tag provides a list of servers that will be used as secondary
repositories for the MyProxy database. Each server should be separated by
a ";". Also, a port may be provided if the slave server is using a port
other than the default. The server name may be a recognized DNS name or an IP
address.
.PP
The following parameters control Pubcookie (http://www.pubcookie.org)
authentication.
.TP
.BI pubcookie_granting_cert " full-path-to-pem-file"
Sets the full path to the PEM-encoded Pubcookie granting
certificate for verifying signatures on Pubcookie granting cookies.
.TP
.BI pubcookie_app_server_key " full-path-to-key-file"
Sets the full path to the
2048 byte application server key (PubcookieCryptKeyfile).
.SH EXAMPLES
The following policy enables all credential repository features.
.PP
.PD 0
accepted_credentials "*"
.PP
authorized_retrievers "*"
.PP
default_retrievers "*"
.PP
authorized_renewers "*"
.PP
default_renewers "none"
.PP
authorized_key_retrievers "*"
.PP
default_key_retrievers "none"
.PD
.PP
The following enables CA functionality using an existing Globus SimpleCA
configuration.
.PP
.PD 0
pam "sufficient"
.PP
sasl "sufficient"
.PP
certificate_issuer_cert /home/globus/.globus/simpleCA/cacert.pem
.PP
certificate_issuer_key /home/globus/.globus/simpleCA/private/cakey.pem
.PP
certificate_issuer_key_passphrase "myproxy"
.PP
certificate_serialfile /home/globus/.globus/simpleCA/serial
.PP
certificate_mapfile /etc/grid-security/grid-mapfile
.PD
.SH FILES
.TP
.I /etc/myproxy-server.config
Default location for the server configuration file.
.TP
.I $GLOBUS_LOCATION/etc/myproxy-server.config
Alternate location for the server configuration file.
A different location can be specified by using the
.BR myproxy-server (8)
.B -c
option.
.TP
.I $GLOBUS_LOCATION/share/myproxy/myproxy-passphrase-policy
A sample program for evaluating passphrase quality.
.SH ENVIRONMENT
.TP
.B GLOBUS_LOCATION
Specifies the root of the MyProxy installation, used to find the
default location of the
.I myproxy-server.config
file.
.SH AUTHORS
Bill Baker,
Jim Basney,
Shiva Shankar Chetan,
Patrick Duda,
Jarek Gawor,
Monte Goode,
Daniel Kouril,
Zhenmin Li,
Jason Novotny,
Miroslav Ruda,
Benjamin Temko,
and Von Welch
.SH "SEE ALSO"
.BR myproxy-change-pass-phrase (1),
.BR myproxy-destroy (1),
.BR myproxy-info (1),
.BR myproxy-init (1),
.BR myproxy-logon (1),
.BR myproxy-retrieve (1),
.BR myproxy-store (1),
.BR myproxy-admin-adduser (8),
.BR myproxy-admin-change-pass (8),
.BR myproxy-admin-load-credential (8),
.BR myproxy-admin-query (8),
.BR myproxy-server (8)
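The CA and LDAP directives above carry several stated constraints (one issuer directive, an issuer key alongside it, required LDAP attributes) and can place passphrases in the config file. The following lint is an added example, not part of MyProxy or this man page; it assumes one directive per line with "#" comments, and its file-mode and ldap:// checks are review heuristics added here rather than rules from the page.

```python
import shlex

ISSUERS = ("certificate_issuer", "certificate_issuer_cert",
           "certificate_issuer_program")
SECRETS = ("certificate_issuer_key_passphrase", "ca_ldap_connect_passphrase")

def parse_config(text):
    # Assumed syntax: one "directive value" pair per line, '#' comments.
    conf = {}
    for line in text.splitlines():
        parts = shlex.split(line, comments=True)
        if parts:
            conf[parts[0]] = " ".join(parts[1:])
    return conf

def audit(conf, mode=0o600):
    # mode is the permission bits of the config file (hypothetical input).
    findings = []
    chosen = [d for d in ISSUERS if d in conf]
    if len(chosen) > 1:   # the page says to specify one of the three
        findings.append("multiple issuer directives set: " + ", ".join(chosen))
    if {"certificate_issuer", "certificate_issuer_cert"} & set(chosen) \
            and "certificate_issuer_key" not in conf:
        findings.append("issuer set without certificate_issuer_key")
    if "ca_ldap_server" in conf:
        for req in ("ca_ldap_uid_attribute", "ca_ldap_searchbase"):
            if req not in conf:   # both are marked "Required" on the page
                findings.append("ca_ldap_server set without " + req)
        if "ca_ldap_connect_passphrase" in conf and \
                conf["ca_ldap_server"].startswith("ldap://"):
            findings.append("LDAP bind passphrase used with ldap:// (review)")
    stored = [d for d in SECRETS if d in conf]
    if stored and mode & 0o077:   # added heuristic: secrets readable by others
        findings.append("config holds %s but is group/world accessible"
                        % ", ".join(stored))
    return findings

# Constructed sample, modelled on the SimpleCA example in this page.
SAMPLE = '''
certificate_issuer_cert /home/globus/.globus/simpleCA/cacert.pem
certificate_issuer_key_passphrase "myproxy"
ca_ldap_server "ldap://localhost:389/"
ca_ldap_connect_passphrase "constructed-secret"
ca_ldap_uid_attribute "uid"
'''

if __name__ == "__main__":
    print("\n".join(audit(parse_config(SAMPLE), mode=0o644)))
```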