myproxy-server 6.1.22-1 / etc / myproxy-server.config

#
# Example myproxy server configuration file.
#
# You should modify this file to meet your specific requirements
# and install in /etc/myproxy-server.config or
# $GLOBUS_LOCATION/etc/myproxy-server.config.
#
# Any line starting with a pound sign (#) is a comment.
#
######################################################################

#
# Complete Sample Policy #1 - Credential Repository
#
# The following lines define a sample policy that enables all
# myproxy-server credential repository features.
# See below for more examples.
#accepted_credentials       "*"
#authorized_retrievers      "*"
#default_retrievers         "*"
#authorized_renewers        "*"
#default_renewers           "none"
#authorized_key_retrievers  "*"
#default_key_retrievers     "none"
#trusted_retrievers         "*"
#default_trusted_retrievers "none"
#cert_dir /etc/grid-security/certificates

#
# Complete Sample Policy #2 - Certificate Authority
#
# The following lines define a sample policy that enables
# myproxy-server certificate authority features using
# an existing Globus Simple CA configuration.
# See below for more examples.
#authorized_retrievers "*"
#pam  "sufficient"
#sasl "sufficient"
#certificate_issuer_cert /home/globus/.globus/simpleCA/cacert.pem
#certificate_issuer_key /home/globus/.globus/simpleCA/private/cakey.pem
#certificate_issuer_key_passphrase "myproxy"
#certificate_serialfile /home/globus/.globus/simpleCA/serial
#certificate_out_dir /home/globus/.globus/simpleCA/newcerts
#certificate_mapfile /etc/grid-security/grid-mapfile
#cert_dir /etc/grid-security/certificates

#
# Accepted Credentials
#
# Which credentials is the server willing to accept and store?
#
# Example: Willing to store Alliance credentials
#accepted_credentials  "/C=US/O=National Computational Science Alliance/CN=*"
#
# Example: Willing to store Globus credentials
#accepted_credentials  "/C=US/O=Globus/*"
#accepted_credentials  "/O=Grid/O=Globus/*"
#
# Example: Willing to story any credentials
#accepted_credentials  "*"

#
# Authorized Retrievers
#
# Who is authorized to retrieve proxy credentials from the repository?
#
# Example: Allow only trusted Alliance web portals with a valid
# Myproxy passphrase to retrieve proxy credentials, thereby discouraging
# users from giving out their Myproxy passphrase to untrusted sites
# and limiting the vulnerability of the credentials stored on the
# Myproxy server.
# Note: NCSA doesn't audit sites with portal certificates.
#authorized_retrievers "/C=US/O=National Computational Science Alliance/CN=portal/*"
#
# Example: Allow any client, including anonymous clients, with a valid
# MyProxy passphrase to retrieve credentials.  This is the recommended
# setting, as it gives users the flexibility to set their own policies
# on their credentials.
#authorized_retrievers "*"

#
# Default Retrievers
#
# If a user doesn't set a retrieval policy with the credential on
# upload, apply the following policy in addition to the
# authorized_retrievers policy.
#
# If no default_retrievers policy is set, then only the
# authorized_retrievers policy is applied.
#
# Example: Allow NCSA portals to retrieve credentials by default.
#default_retrievers "/C=US/O=National Computational Science Alliance/CN=portal/*"

#
# Authorized Renewers
#
# Who is authorized to renew a proxy credential before it expires?
#
# If no authorized_renewers line is defined, credential renewal is not
# allowed. 
#
# Example: Allow trusted schedulers to renew proxy credentials for the
# jobs they manage.
# Note: NCSA doesn't give out /CN=scheduler/* certificates.  This is
# a fictitious example.
#authorized_renewers "/C=US/O=National Computational Science Alliance/CN=scheduler/*"
#
# Example: Allow any client to renew a proxy credential.  In this
# case, the client can simply authenticate with the proxy it wants to
# renew.  This is potentially dangerous, in that it can be used to
# extend the lifetime of a compromised proxy credential on any host.
# However, when use with default_renewers, it gives users the
# flexibility to set their own policies.
#authorized_renewers "*"

#
# Default Renewers
#
# If a user doesn't set a renewal policy with the credential on
# upload, apply the following policy.
#
# Example: Disable renewal unless the client specifically authorizes it.
#default_renewers "none"
#
# Example: Allow the Condor-G scheduler on modi4.ncsa.uiuc.edu to
# renew user credentials by default.
#default_renewers "/C=US/O=National Computational Science Alliance/CN=condorg/modi4.ncsa.uiuc.edu"

#
# Authorized Key Retrievers
#
# Who is authorized to retrieve credentials (keys) directly from the
# repository?
#
# Example: Allow any client, including anonymous clients, with a valid
# MyProxy passphrase to retrieve credentials.  This allows expert
# users to have direct access to their keys, with the associated added
# vulnerability.  See default_key_retrievers below for a way to
# restrict this to specific credentials.
#authorized_key_retrievers "*"

#
# Default Key Retrievers
#
# If a user doesn't set a key retrieval policy with the credential on
# upload, apply the following policy in addition to the
# authorized_key_retrievers policy.
#
# If no default_key_retrievers policy is set, then only the
# authorized_key_retrievers policy is applied.
#
# Example: Don't allow anyone to retrieve keys directly by default.
# Expert users must enable key retrieval when storing credentials.
#default_key_retrievers "none"

#
# Trusted Retrievers
#
# Who is authorized to retrieve credentials without further
# authentication?
#
# By default, clients that match authorized_retrievers must perform
# additional authentication (such as passphrase, PAM, or SASL) to
# retrieve credentials.  However, authenticated clients that match
# trusted_retrievers do not need to perform additional authentication.
#
# Example: Allow any client to retrieve a credential.  This permissive
# policy can be used with a restrictive default_trusted_retrievers
# policy (see below) to allow expert users to set their own policy
# with 'myproxy-init -Z'.
#trusted_retrievers "*"

#
# Default Trusted Retrievers
#
#
# If a user doesn't set a trusted retrieval policy with the credential
# on upload (via 'myproxy-init -Z'), the myproxy-server will apply the
# following policy in addition to the trusted_retrievers policy.
#
# If no default_trusted_retrievers policy is set, then only the
# trusted_retrievers policy is applied.
#
# Example: Don't allow retrieval based on certificate-only
# authentication by default.  Expert users must enable
# certificate-only retrieval when storing credentials.
#default_trusted_retrievers "none"

#
# Allow Self Authorization
#

# The authorized_renewers and trusted_retrievers policies are
# typically used to allow authenticated clients to retrieve
# credentials with different identities (i.e., certificate subject
# distinguished names) than the credentials used for
# authentication. Typically we want to disallow the case where the
# client can get a new credential with the same subject as the one it
# uses for authentication, as this could allow a stolen proxy to be
# refreshed by the attacker. By default, the myproxy-server will not
# allow this. Set allow_self_authorization to true to override this
# behavior.
#allow_self_authorization true

#
# Passphrase Policy Enforcement
#
# Specifies the path to an external passphrase policy enforcement
# program.  The program is passed the new passphrase via stdin and is
# passed the following arguments: username, distinguished name,
# credential name (if any), per-credential retriever policy (if any),
# and per-credential renewal policy (if any).  If the passphrase is
# acceptable, the program should exit with status 0.  Otherwise, it
# should exit with non-zero status, causing the operation in progress
# (credential load, passphrase change) to fail with the error message
# provided by the program's stdout.
# Be sure to follow secure coding practices for this call-out:
# - Don't allow input to overflow fixed-size buffers.
# - Don't pass unchecked input to a shell command.
#passphrase_policy_program /usr/local/sbin/myproxy-passphrase-policy

#
# Trusted CA Directory
#
# Specifies the path to the CA certificates directory to be returned
# to clients requesting trust roots (i.e., myproxy-logon -T).
#cert_dir /etc/grid-security/certificates

#
# Maximum Proxy Certificate Lifetime
#
# Specifies the maximum allowed lifetime (in hours) of proxy
# certificates issued by the myproxy-server, to minimize the window of
# vulnerability of all issued credentials.  By default, no server-wide
# maximum is enforced.  There is also a maximum proxy lifetime set per
# credential by the client.
#max_proxy_lifetime 12

#
# Maximum Credential Lifetime
#
# Specifies the maximum lifetime (in hours) of credentials allowed to
# be stored on the myproxy-server, to minimize the window of
# vulnerability for stored credentials.  By default, no server-wide
# maximum is enforced.
#max_cred_lifetime 12

#
# Ignore Globus Limited Proxy Flag
#
# By default, MyProxy will respect the policy of "limited" proxy
# certificates as follows.  If a client authenticates with a limited
# proxy, the client should only be able to obtain another limited
# proxy, not a full proxy or end entity certificate.  Thus, the
# MyProxy CA will not accept limited proxies for authentication.
# However, if this option is set, MyProxy will treat limited proxy
# certificates as if they were full proxy certificates.
#ignore_globus_limited_proxy_flag true

#
# PAM Policy
#
# Governs use of PAM to check passphrases.  MyProxy will attempt to
# authenticate via PAM, with the supplied username and passphrase.
# Note that PAM will need to be configured externally for the
# application "myproxy" (usually in /etc/pam.d/), or for the
# application named by pam_id, below.
#
# Accepted values: 
#
#    required
#       PAM password authentication is required under all conditions.
#       If the credential is unencrypted (that is, it has no
#       passphrase), a PAM password check is still required for
#       authentication.  If the credential is encrypted, its
#       passphrase must match the PAM password.
#
#    sufficient
#       The user's passphrase may match either the credential
#       passphrase or, if the credential is unencrypted, the PAM
#       passphrase.  If the credential is encrypted, then the PAM
#       password is not relevant.
#
#    disabled (default)
#       PAM is not used to check passphrases.
#pam "disabled"

#
# PAM ID
#
# The name that myproxy uses to identify itself to PAM.  Default is
# "myproxy".
#
# For example, on most Unix-like systems, if pam_id is set to "login",
# MyProxy will authenticate against the system's own usernames and
# passwords.
#pam_id "myproxy"

#
# SASL Policy
#
# Governs use of SASL authentication.
#
# Accepted values: 
#
#    required
#       SASL authentication is required for retrieving credentials.
#
#    sufficient
#       SASL authentication is sufficient for retrieving credentials,
#       but other authentication methods may also be used.
#
#    disabled (default)
#       SASL authentication isn't used.
#sasl "disabled"

#
# SASL Mechanism
#
# Forces the use of a single SASL mechanism, overriding the SASL
# configuration file. (Typically not required.)
#sasl_mech GSSAPI

#
# SASL Server FQDN
#
# Configures the SASL server fully-qualified domain name for
# multi-homed servers. (Typically not required.)
#sasl_serverFQDN myproxy.teragrid.org

#
# SASL User Realm
#
# Configures the SASL user realm. (Typically not required.)
#sasl_user_realm TERAGRID.ORG

#
# Certificate Issuer Certificate
#
# Specifies the path to the issuer certificate to optionally configure
# the myproxy-server to act as an online certificate authority.
#certificate_issuer_cert /home/globus/.globus/simpleCA/cacert.pem

#
# Certificate Issuer Key
#
# When specifying certificate_issuer_cert above, you must also give
# the path to a CA private key in PEM format for signing certificates.
#certificate_issuer_key /home/globus/.globus/simpleCA/private/cakey.pem

#
# Certificate Issuer Key Passphrase
#
# If the certificate_issuer_key is encrypted, give the passphrase here.
#certificate_issuer_key_passphrase "myproxy"

#
# Certificate Issuer Sub-CA Certificates
#
# If you would like an intermediate/sub-CA certificate chain to be sent
# along with the EEC (End Entity Certificate) generated using a local
# intermediate/sub-CA, specify the file that contains those certificates in
# PEM format. This is meant to aid scenarios where the CA used is an
# intermediate CA (i.e. not a root CA) and the client may not have the
# intermediate CA(s) in its trust store. The client will write out the
# chain into the same file as the EEC, following the EEC.
#certificate_issuer_subca_certfile "/etc/grid-security/subca_certificates"

#
# Certificate Issuer Hash Algorithm
#
# Specifies the hash algorithm to use when signing end-entity
# certificates. Defaults to "sha256". When linked with OpenSSL 0.9.8 or
# later, "sha224", "sha256", "sha384" and "sha512" are also
# supported.
#certificate_issuer_hashalg "sha256"

#
# Certificate Issuer Program
#
# The path to a program to issue certificates for authenticated
# clients that don't have credentials stored.  This optionally
# configures the myproxy-server to act as an online certificate
# authority, allowing programmatic control over the certificate
# issuance process.
# You can specify certificate_issuer_cert or
# certificate_issuer_program but not both.
# Be sure to follow secure coding practices for this call-out:
# - Don't allow input to overflow fixed-size buffers.
# - Don't pass unchecked input to a shell command.
#certificate_issuer_program /usr/local/sbin/myproxy-ca

#
# OpenSSL engine support
#
# OpenSSL engine support allows you to use a Certificate Issuer Key
# that is stored in a hardware token or HSM.  This gives the ID of
# the engine to use.  In this case the certificate_issuer_key
# details the identity of the key to use from the engine and
# certificate_issuer_key_passphrase gives the passphrase (if any)
# to access that key
#certificate_openssl_engine_id "dynamic"

#
# OpenSSL engine lockfile
#
# If your hardware token or HSM is unable to handle simultaneous
# operations, provide a path to a lockfile for synchronizing
# operations to the engine device.  The myproxy-server will create the
# file if it does not already exist.
#certificate_openssl_engine_lockfile /var/lib/myproxy/enginelock

#
# Pre commands for OpenSSL engine support
#
# Some OpenSSL engines require parameters before they are initialised,
# these can be specified here:
# certificate_openssl_engine_pre  "SO_PATH:/usr/lib/engines/engine_pkcs11.so" "ID:pkcs11" "LIST_ADD:1" "LOAD" "MODULE_PATH:/usr/lib/opensc-pksc11.so"

#
# Post commands for OpenSSL engine support
#
# Some OpenSSL engines require parameters after they are initialised,
# these can be specified here:
# certificate_openssl_engine_post  "PIN:abcdef"

#
# Certificate Issuer Serial File
#
# The path to a file to store the serial number counter for issued
# certificates.
#certificate_serialfile /home/globus/.globus/simpleCA/serial

#
# Certificate Issuer Serial Skip
#
# The number to add to the serial number each time a certificate is
# issued. Use this to stagger serial numbers across multiple CA
# instances to avoid serial number clashes. Defaults to 1.
#certificate_serial_skip 1

#
# Certificate Issuer Output Directory
#
# A path to the directory where new certificates will be archived.
#certificate_out_dir /home/globus/.globus/simpleCA/newcerts

#
# Certificate Issuer Email Domain
#
# If set, include an email X509v3 Subject Alternative Name in issued
# certificates with the MyProxy username and the configured domain.
#certificate_issuer_email_domain "ncsa.uiuc.edu"

#
# Max Certificate Lifetime
#
# The maximum lifetime (in hours) for certificates issued by the CA
# module.  Defaults to 12 hours.
#max_cert_lifetime 12

#
# Minimum RSA key length
#
# The minimum RSA key length (in bits) for certificates issued by the
# CA module.
#min_keylen 1024

#
# Certificate Issuer Extension File
#
# Optionally specifies the full path to a file containing an OpenSSL
# formatted set of certificate extensions to include in all issued
# end-entity certificates (from the CA module).  For example:
#   keyUsage=critical,digitalSignature,keyEncipherment,dataEncipherment
#   subjectKeyIdentifier=hash
#   authorityKeyIdentifier=keyid,issuer:always
#   crlDistributionPoints=URI:http://ca.ncsa.uiuc.edu/4a6cd8b1.r0
#   basicConstraints=CA:FALSE
# If not set, the MyProxy CA will include a basic set of extensions in
# issued certificates.
#certificate_extfile /etc/myproxy-ca-extfile.txt

#
# Certificate Issuer Extension Application
#
# This is the call-out version of certificate_extfile.  It optionally
# specifies the full path to a call-out program for specifying
# certificate extensions.  It will be passed the authenticated
# username as the single command argument.  On success, it should
# write the OpenSSL formatted set of certificate extensions to stdout
# and exit with zero status.  On error, it should write to stderr and
# exit with nonzero status.
# Be sure to follow secure coding practices for this call-out:
# - Don't allow input to overflow fixed-size buffers.
# - Don't pass unchecked input to a shell command.
#certificate_extapp /usr/local/sbin/myproxy-extapp

#
# Certificate Authority Mapfile
#
# When specifying certificate_issuer_cert above, you can map account
# names to certificate subject distinguished names for the issued
# certificates using this mapfile, which has the same format as used
# by other Globus Toolkit services, i.e., lines of the form:
#   "DN" username
# By default, /etc/grid-security/grid-mapfile is used.
#certificate_mapfile /etc/grid-security/grid-mapfile

#
# CA Map Application
#
# When specifying certificate_issuer_cert above, you can map account
# names to certificate subject distinguished names for the issued
# certificates using this call-out.  It will be passed the
# authenticated username as the single command argument.  On success,
# it should write the distinguished name to stdout and exit with zero
# status.  On error, it should write to stderr and exit with nonzero
# status.  If it is not defined, then mapfile lookup will be executed
# instead (see certificate_mapfile above).
# Be sure to follow secure coding practices for this call-out:
# - Don't allow input to overflow fixed-size buffers.
# - Don't pass unchecked input to a shell command.
#certificate_mapapp /usr/local/sbin/myproxy-mapapp

#
# CA Certificate Request Callout
#
# This CA call-out can be used to perform checks on incoming
# certificate requests. It will be passed the certificate request in
# PEM format on stdin. If it returns a nonzero exit status, the CA
# will abort without signing the request.  When returning a nonzero
# exit status, the callout should indicate the problem on stderr.
# Be sure to follow secure coding practices for this call-out:
# - Don't allow input to overflow fixed-size buffers.
# - Don't pass unchecked input to a shell command.
#certificate_request_checker /usr/local/bin/certreq-checker

#
# CA Certificate Issuance Callout
#
# This CA call-out can be used to perform checks on issued
# certificates before the certificate is returned to the client.  It
# will be passed the certificate in PEM format on stdin. If it returns
# a nonzero exit status, the CA will abort without returning the
# signed certificate to the client. When returning a nonzero exit
# status, the callout should indicate the problem on stderr.
# Be sure to follow secure coding practices for this call-out:
# - Don't allow input to overflow fixed-size buffers.
# - Don't pass unchecked input to a shell command.
#certificate_issuer_checker /usr/local/bin/cert-checker

#
# CA LDAP Server
#
# If OpenLDAP support is built-in to the myproxy-server, this
# parameter specifies the URI to the LDAP server to use for username
# to DN resolution in the Certificate Authority module.  Both ldap://
# and ldaps:// protocols are supported.  A port number may optionally
# be specified as well.  Defining this directive is the "trigger" that
# causes the name resolution module to use LDAP querying.  If it is
# not defined, then mapfile lookup will be executed instead (see
# certificate_mapfile above).
#ca_ldap_server "ldap://localhost:389/"

#
# CA LDAP UID Attribute
#
# The name of the record attribute that maps to the MyProxy username.
# Required for LDAP username to DN resolution.
#ca_ldap_uid_attribute "uid"

#
# CA LDAP SearchBase
#
# The DN of the region of the ldap database to be searched.
# Required for LDAP username to DN resolution.
#ca_ldap_searchbase "ou=people,dc=bullwinkle,dc=lbl,dc=gov"

#
# CA LDAP DN Attribute
#
# If this directive is set, the LDAP resolver will pull the DN from
# the specified attribute in the returned record.  If it is not set,
# the default is to use the DN of the record itself.
#ca_ldap_dn_attribute "subjectDN"

#
# CA LDAP DN/Passphrase
#
# User/passphrase combination to be used for LDAP basic
# authentication (optional).
#ca_ldap_connect_dn "cn=Monte Goode,ou=ldapusers,dc=bullwinkle,dc=lbl,dc=gov"
#ca_ldap_connect_passphrase "passphrase"

#
# CA LDAP StartTLS
#
# If this option is set to a "positive" boolean value (true/1/yes/enabled/on),
# use StartTLS when connecting to the LDAP server.
#ca_ldap_start_tls true

#
# Slave server list 
#
# When the myproxy-replicate program is run.  This list of servers is 
# used to indicate where the repository information is to be sent.
# The list is comprised of hostnames and optional port numbers. The 
# hostname may be in the form:
#	name
#	FQDN
#	tcp/ip address
#
# The host name and port number must be seperated by a ':'.
#
# If multiple slaves are given, each slave server must be seperated with
# a ';'.
#
#
# Example: 
#	grids1
#	grids1.ncsa.uiuc.edu
#	grids1:9000
#	grids1;grids2.ncsa.uiuc.edu:9000;141.142.96.41
#
#slave_servers

# 
# Accepted Credentials Mapfile
#
# This option points to a grid-mapfile which is possibly different from
# the grid-mapfiles specified above.  When specified, this mapfile is
# utilized during puts/stores (e.g. with myproxy-init and myproxy-store).
# The credential being put/stored must be under the username specified in
# the mapfile.  In essence, a given username must be in the mapfile to be
# authorized to put/store a given credential.  This prevents storing a
# user's credential under a different username.  
#accepted_credentials_mapfile /etc/grid-security/store-mapfile

#
# Accepted Credentials Mapapp
#
# As an alternative to the accepted_credentials_mapfile option above, you
# can specify a call-out which is passed two parameters: a certificate
# subject distinguished name and a username (in that order).  In essence,
# the call-out performs a lookup in a 'virtual' accepted_credentials_mapfile.
# If the SubjectDN/Username line would appear in such a mapfile, then the
# call-out should exit with zero status indicating that a credential with
# the given SubjectDN is allowed to be stored under the given Username.
# Otherwise, the call-out should exit with nonzero status indicating error.
#accepted_credentials_mapapp /usr/local/sbin/myproxy-accepted-mapapp

#
# Check Multiple Credentials 
#
# If this option is set to a "positive" boolean value (true/1/yes/enabled/on)
# AND the user does not specify a credential name for a MyProxy GET operation,
# then multiple credentials (i.e. the 'unnamed' credential as well as any
# named credentials) will be checked for the given username.  If one
# credential is found that is 'authorized' by MyProxy, then that credential
# will be used during processing.  Otherwise, an error message will be
# printed.  Note that the credentials for the username are checked
# in an unspecified order.  If there are multiple credentials that would be
# authorized given the user's criteria, only the first one found will be
# utilized.
#check_multiple_credentials true

#
# OCSP Policy
#
# Controls the policy for checking certificate validity via OCSP
# before credentials may be delegated.  Supported policies are:
#   "aia" - use OCSP responder in certificate AIA extension, if
#           present; otherwise use ocsp_responder_url, if set
# Currently, only the status of the end entity certificate is checked
# via OCSP (and not any proxy certificates or CA certificates).
# OCSP will not be used unless ocsp_responder_url and/or ocsp_policy
# are set.
#ocsp_policy "aia"

#
# OCSP Responder URL
#
# Specifies the URL of an OCSP responder to use to check the validity
# of credentials stored in the myproxy-server repository before
# they may be delegated, so that revoked credentials can not be
# retrieved and used where their revocation status may not be checked.
# Currently, only the status of the end entity certificate is checked
# via OCSP (and not any proxy certificates or CA certificates).
# In any case, CRL checks are always performed.
# Both http and https urls are supported.
# OCSP will not be used unless ocsp_responder_url and/or ocsp_policy
# are set.
#ocsp_responder_url "http://ca.ncsa.uiuc.edu:8888/"

#
# OCSP Responder Certificate
#
# Specifies the path to the certificate of a trusted OCSP responder.
# This is needed if the OCSP responder must be explicity trusted in
# cases where standard path validation fails for the OCSP responder's
# certificate.
#ocsp_responder_cert /etc/grid-security/trustedocspresponder.pem

#
# Syslog Ident
#
# When the myproxy-server is run in server mode (i.e. not debug), messages
# are output to the syslog.  With this option you can specify the string
# that gets prepended to every message written to the syslog.  When not
# specified, the program's name (myproxy-server) is prepended to each
# message.
#syslog_ident myproxy-server

#
# Syslog Facility
#

# By default, the myproxy-server will log to the syslog "daemon"
# facility. With this option you can specify an alternate syslog
# facility, such as "auth", "user", "security", or "local0".  The
# facility can also be specified numerically as with the logger(1)
# command.
#syslog_facility user

#
# Request Timeout
#
# Specifies the maximum time a myproxy-server child process should
# spend servicing a client request before aborting.
# By default, child processes will abort after 120 seconds.
# A negative value will disable the timeout.
#request_timeout 120

#
# Request Size Limit
#
# Limits the amount of incoming application-level protocol data the
# myproxy-server will accept from clients, to avoid memory exhaustion
# under heavy load. Specified in bytes.
# Defaults to 1MB (1048576 bytes).
# A zero or negative value disables the limit.
#request_size_limit 1048576

#
# Proxy Certificate Extension File
#
# Optionally specifies the full path to a file containing an OpenSSL
# formatted set of certificate extensions to include in all proxy
# certificates issued from the MyProxy repository (analogous to
# certificate_extfile for the CA module).
#proxy_extfile /etc/myproxy-proxy-extfile.txt

#
# Proxy Certificate Extension Application
#
# This is the call-out version of proxy_extfile.  It optionally
# specifies the full path to a call-out program for specifying proxy
# certificate extensions.  It will be passed the authenticated
# username and the proxy credential location as the two command
# arguments.  On success, it should write the OpenSSL formatted set of
# certificate extensions to stdout and exit with zero status.  On
# error, it should write to stderr and exit with nonzero status.
# Be sure to follow secure coding practices for this call-out:
# - Don't allow input to overflow fixed-size buffers.
# - Don't pass unchecked input to a shell command.
#proxy_extapp /usr/local/sbin/myproxy-extapp

#
# Allow VOMS Attribute Requests
#
# If this parameter is set to true and a GET request includes VONAME
# and (optionally) VOMSES parameters, call-out to VOMS to add the
# requested attributes to the issued certificate. Requires linking
# with VOMS libraries. By default, VONAME and VOMSES parameters in
# requests will be ignored unless this parameter is set to true.
#allow_voms_attribute_requests true

#
# VOMS Server Configuration
#
# Specifies the path to the VOMS server configuration.
#
#voms_userconf /path/to/vomses

#
# Disable Usage Metrics
#
# Disable reporting of usage metrics. This overrides usage_stats_target.
#
# By default, Usage Metrics reporting is enabled. This can be disabled in
# the following ways:
#
# a. Setting disable_usage_stats to "true", "enabled", "yes", "on" or "1".
# b. Setting the GLOBUS_USAGE_OPTOUT environment variable to "1".
#
# NOTE: DISABLING USAGE METRICS REPORTING WILL CAUSE THE usage_stats_target
# SETTING TO BE IGNORED.
#
# Example: Disable Usage Metrics reporting
#disable_usage_stats "true"

#
# Usage Metrics Targets
#
# Specify the target hosts that should receive the usage metrics information.
# This setting will be ignored if disable_usage_stats is enabled.
# Metrics can be reported to multiple collector hosts. Multiple target
# specifications must be separated by a comma. Each target specification
# must be in the format: host:port[!tags]
#
# Tags control what data are reported to that specific host. The set of tags
# allowed are: VvtrlLBIuU
#
# V - Major Version number of MyProxy server
# v - Minor Version number of MyProxy server
# t - Task Code (0=Get, 1=Put, 2=Info, 3=Destroy, 4=ChangeCredPassphrase,
#                5=StoreEndEntCred, 6=RetrEndEntCred, 7=GetTrustRoots)
# r - Task Return Code.
# l - Requested Lifetime for Credential.
# L - Actual Lifetime for Credential.
# B - Informational Bit mask to be interpreted left to right as follows:
#	PAM used
#	SASL used
#	Credential passphrase check used
#	Trusted Retriever (Certificate-based authentication)
#	Certificate Authorization method used (Trusted Renewer)
#	Pubcookie was used
#	Trustroots requested
#	Trustroots delivered
# I - Client IP address
# u - Username
# U - User DN
#
# In addition to the above selected information, the following data are reported to
# ALL target collectors. There's no way to exclude these from being reported other
# than by disabling the reporting of usage metrics:
#
# Component code - 11 for MyProxy
# Component Data Format version - 0 currently
# IP Address of Reporting Server
# Timestamp
# Hostname
#
# If no tags are specified in a target spec, or the special string "default" is specified,
# the tags VvtrlLB are assumed. A site could choose to allow a different set of data to
# be reported by specifying a different tag set. The last 3 tags I, u and U above are
# more meant for a local collector that a site might like to deploy since they could be
# construed as private information. The special string "all" denotes all tags.
#
# Example: Report usage metrics to a
# local collector (including the tags IuU):
#usage_stats_target "usage-stats.example.org:4810!VvtrlLBIuU"