arcproxy - ARC Credentials Proxy generation utility
arcproxy generates proxy credentials (a general proxy certificate, or a proxy
certificate with a VOMS AC extension) from the user's private key and
certificate.
- -h
- prints short usage description
- -P filename
- location of the generated proxy file
- -C
- location of the X509 certificate file; the file can be in PEM, DER or PKCS12
format. If this option is not set, the X509_USER_CERT environment variable is
checked; if X509_USER_CERT is not set, the certificatepath item in client.conf
is checked; if the location is still not found, ~/.arc/, ~/.globus/, ./etc/arc
and ./ are searched.
- -K
- location of the private key file; if the certificate is in PKCS12 format, no
private key needs to be given. If this option is not set, the X509_USER_KEY
environment variable is checked; if X509_USER_KEY is not set, the keypath item
in client.conf is checked; if the location is still not found, ~/.arc/,
~/.globus/, ./etc/arc and ./ are searched.
- -T
- path to the trusted certificate directory, only needed for VOMS client
functionality; if this option is not set, the X509_CERT_DIR environment
variable is checked; if X509_CERT_DIR is not set, the cacertificatesdirectory
item in client.conf is checked.
- -s
- path to the top directory of VOMS *.lsc files, only needed for VOMS client
functionality.
- -V
- path to the VOMS server configuration file, only needed for VOMS client
functionality; if the path is a directory rather than a file, all of the
files under this directory are searched.
- -S
- voms<:command>. Specify the VOMS server.
:command is optional, and is used to ask for specific attributes (e.g. roles).
The command can be one of:
all --- put all of this DN's attributes into the AC;
list --- list all of the DN's attributes; does not create an AC extension;
/Role=yourRole --- specify the role; if this DN has such a role, the role is
put into the AC;
/voname/groupname/Role=yourRole --- specify the VO, group and role; if this DN
has such a role, the role is put into the AC.
- -o
- group<:role>. Specify the ordering of attributes.
Example: --order /knowarc.eu/coredev:Developer,/knowarc.eu/testers:Tester
or: --order /knowarc.eu/coredev:Developer --order /knowarc.eu/testers:Tester
Note that it does not make sense to specify the order if two or more
different VOMS servers are specified.
- -G
- use GSI communication protocol for contacting VOMS services
- -H
- use the HTTP communication protocol for contacting VOMS services that provide
RESTful access.
Note that for RESTful access, the 'list' command and multiple VOMS servers are
not supported.
- -O
- this option is not functional anymore (old GSI proxies are not supported)
- -I
- print all information about this proxy.
In order to show the Identity (the DN without the CN suffix added for the
proxy) of the certificate, the trusted certificate directory is needed.
- -i
- print selected information about this proxy. Currently the following
information items are supported:
subject - subject name of proxy certificate.
identity - identity subject name of proxy certificate.
issuer - issuer subject name of proxy certificate.
ca - subject name of CA which issued initial certificate.
path - file system path to file containing proxy.
type - type of proxy certificate.
validityStart - timestamp when proxy validity starts.
validityEnd - timestamp when proxy validity ends.
validityPeriod - duration of proxy validity in seconds.
validityLeft - duration of proxy validity left in seconds.
vomsVO - VO name represented by VOMS attribute.
vomsSubject - subject of certificate for which VOMS attribute is issued.
vomsIssuer - subject of service which issued VOMS certificate.
vomsACvalidityStart - timestamp when VOMS attribute validity starts.
vomsACvalidityEnd - timestamp when VOMS attribute validity ends.
vomsACvalidityPeriod - duration of VOMS attribute validity in seconds.
vomsACvalidityLeft - duration of VOMS attribute validity left in seconds.
proxyPolicy - policy string assigned to the proxy certificate.
keybits - size of proxy certificate key in bits.
signingAlgorithm - algorithm used to sign proxy certificate.
Items are printed in the requested order and are separated by newlines. If an
item has multiple values they are printed on the same line separated by |.
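The output format just described (one line per requested item, '|' between multiple values) is what a job-submission wrapper would consume to decide whether a proxy is still good enough to use. The following is an added example, not arcproxy's own code: it parses such output and applies a renewal threshold to both the proxy lifetime and the VOMS AC lifetime. The sample output is constructed; which items can be multi-valued is an assumption (the voms* items).

```python
"""Parse the output of `arcproxy -i item [-i item ...]` and decide whether the
proxy should be renewed before a job is submitted.

Added example, not arcproxy's own code. Per the man page, items are printed in
the requested order, one per line, and an item with several values has them
on one line separated by '|'. The sample output below is constructed."""
from __future__ import annotations

# Items documented as durations in seconds.
DURATION_ITEMS = {"validityPeriod", "validityLeft",
                  "vomsACvalidityPeriod", "vomsACvalidityLeft"}

# Items that can carry one value per VOMS attribute. Assumption: the man page
# says only that multi-valued items are '|'-separated; we treat the voms*
# items as the multi-valued ones.
MULTI_VALUE_ITEMS = {"vomsVO", "vomsSubject", "vomsIssuer",
                     "vomsACvalidityStart", "vomsACvalidityEnd",
                     "vomsACvalidityPeriod", "vomsACvalidityLeft"}


def parse_proxy_info(requested: list[str], output: str) -> dict:
    """Map each requested item to its value (a list for multi-valued items)."""
    lines = output.splitlines()
    if len(lines) != len(requested):
        raise ValueError(f"expected {len(requested)} lines, got {len(lines)}")
    info: dict = {}
    for item, line in zip(requested, lines):
        if item in MULTI_VALUE_ITEMS:
            values = line.split("|") if line else []   # empty line: no AC
            if item in DURATION_ITEMS:
                values = [int(v) for v in values]
            info[item] = values
        else:
            info[item] = int(line) if item in DURATION_ITEMS else line
    return info


def renewal_needed(info: dict, min_seconds: int) -> bool:
    """True if the proxy, or any VOMS AC it carries, expires within min_seconds.
    A proxy with no AC lifetime reported is judged on validityLeft alone."""
    if info["validityLeft"] < min_seconds:
        return True
    return any(left < min_seconds for left in info.get("vomsACvalidityLeft", []))


# Constructed sample: what `arcproxy -i subject -i validityLeft -i vomsVO
# -i vomsACvalidityLeft` might print for a proxy carrying two VOMS ACs.
REQUESTED = ["subject", "validityLeft", "vomsVO", "vomsACvalidityLeft"]
SAMPLE_OUTPUT = (
    "/O=Grid/O=NorduGrid/CN=Example User/CN=1234567890\n"
    "7200\n"
    "nordugrid.org|gin.ggf.org\n"
    "7200|1800\n"
)


def demo() -> tuple[dict, bool]:
    """Parse the constructed sample and apply a one-hour renewal threshold."""
    info = parse_proxy_info(REQUESTED, SAMPLE_OUTPUT)
    return info, renewal_needed(info, min_seconds=3600)


if __name__ == "__main__":
    parsed, renew = demo()
    print(parsed)
    print("renew:", renew)
```

In the sample the proxy itself has two hours left but the second AC has only thirty minutes, so the wrapper reports that renewal is needed: checking validityLeft alone would have missed an AC that expires before the job runs.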
- -r
- Remove the proxy file.
- -U
- Username to myproxy server.
- -N
- don't prompt for a credential passphrase when retrieving a credential from a
MyProxy server.
The precondition for this choice is that the credential was PUT onto the
MyProxy server without a passphrase, using the -R (--retrievable_by_cert)
option at the time of the PUT.
This option is specific to the GET command when contacting the MyProxy server.
- -R
- allow the specified entity to retrieve the credential without a passphrase.
This option is specific to the PUT command when contacting the MyProxy server.
- -L
- hostname of the MyProxy server, optionally followed by a colon and port
number, e.g. example.org:7512. If the port number is not specified, 7512 is
used by default.
- -M
- command to the MyProxy server. The command can be PUT or GET.
PUT/put -- put a delegated credential onto the MyProxy server;
GET/get -- get a delegated credential from the MyProxy server; a credential
(certificate and key) is not needed in this case.
MyProxy functionality can be used together with VOMS functionality: voms and
vomses can be used with the GET command if VOMS attributes are required to be
included in the proxy.
- -F
- use NSS credential DB in default Mozilla profiles, including Firefox,
Seamonkey and Thunderbird.
- -c
- constraints of the proxy certificate. Currently the following constraints are
supported:
validityStart=time - time when certificate becomes valid. Default is now.
validityEnd=time - time when certificate becomes invalid. Default is 43200
(12 hours) from start for a local proxy and 7 days for one delegated to
MyProxy.
validityPeriod=time - for how long certificate is valid. Default is 43200
(12 hours) for a local proxy and 7 days for one delegated to MyProxy.
vomsACvalidityPeriod=time - for how long the AC is valid. Default is the
shorter of validityPeriod and 12 hours.
myproxyvalidityPeriod=time - lifetime of proxies delegated by the MyProxy
server. Default is the shorter of validityPeriod and 12 hours.
proxyPolicy=policy content - assigns the specified string to the proxy policy
to limit its functionality.
keybits=number - length of the key to generate. Default is 1024 bits. The
special value 'inherit' uses the key length of the signing certificate.
signingAlgorithm=name - signing algorithm to use for signing the public key of
the proxy. Default is sha1. Possible values are sha1, sha2 (alias for sha256),
sha224, sha256, sha384, sha512 and inherit (use the algorithm of the signing
certificate).
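The interplay of these constraints (validityPeriod versus validityEnd, the AC lifetime capped by the proxy lifetime, the sha2 alias, the 1024-bit and sha1 defaults) is easiest to see by resolving a `-c` list into the values the proxy would actually get. The block below is an added example, not arcproxy's own code: it applies the defaults documented above for a local proxy and then runs the checks a site policy would want on the result. Assumptions: time values are integer seconds (the page only says "time"), validityPeriod wins when both it and validityEnd are given, and the thresholds in `policy_findings` are this example's choices.

```python
"""Normalise the `-c constraint` options documented for arcproxy by applying the
documented defaults, then flag settings that are below current practice.

Added example, not arcproxy's own code. Assumptions: time values are integer
seconds (the man page only says "time"); a local proxy is assumed, so the
12-hour defaults apply rather than the 7-day MyProxy ones; if both
validityPeriod and validityEnd are given, validityPeriod wins."""
from __future__ import annotations

TWELVE_HOURS = 43200
ALGORITHMS = {"sha1", "sha224", "sha256", "sha384", "sha512", "inherit"}
KNOWN = {"validityStart", "validityEnd", "validityPeriod", "vomsACvalidityPeriod",
         "myproxyvalidityPeriod", "proxyPolicy", "keybits", "signingAlgorithm"}


def parse_constraints(specs: list[str]) -> dict[str, str]:
    """Split each 'name=value' constraint, rejecting unknown names."""
    parsed: dict[str, str] = {}
    for spec in specs:
        name, sep, value = spec.partition("=")
        if not sep or name not in KNOWN:
            raise ValueError(f"bad constraint: {spec!r}")
        parsed[name] = value
    return parsed


def effective_constraints(specs: list[str], now: int) -> dict:
    """Resolve the constraints into the values the proxy would actually get."""
    c = parse_constraints(specs)
    start = int(c.get("validityStart", now))
    if "validityPeriod" in c:
        period = int(c["validityPeriod"])
    elif "validityEnd" in c:
        period = int(c["validityEnd"]) - start
    else:
        period = TWELVE_HOURS                      # documented local default
    if period <= 0:
        raise ValueError("validityEnd must be after validityStart")
    # AC lifetime defaults to the shorter of the proxy lifetime and 12 hours.
    ac_period = (int(c["vomsACvalidityPeriod"]) if "vomsACvalidityPeriod" in c
                 else min(period, TWELVE_HOURS))
    keybits_raw = c.get("keybits", "1024")
    keybits = "inherit" if keybits_raw == "inherit" else int(keybits_raw)
    algorithm = c.get("signingAlgorithm", "sha1")
    if algorithm == "sha2":                        # documented alias
        algorithm = "sha256"
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unknown signingAlgorithm {algorithm!r}")
    return {"validityStart": start, "validityEnd": start + period,
            "validityPeriod": period, "vomsACvalidityPeriod": ac_period,
            "proxyPolicy": c.get("proxyPolicy", ""), "keybits": keybits,
            "signingAlgorithm": algorithm}


def policy_findings(eff: dict, max_lifetime: int = TWELVE_HOURS) -> list[tuple[str, str]]:
    """Checks on the effective settings; each finding is (field, message).
    The thresholds are this example's choices, not arcproxy's."""
    findings: list[tuple[str, str]] = []
    if eff["signingAlgorithm"] == "sha1":
        findings.append(("signingAlgorithm",
                         "SHA-1 signatures are deprecated; use sha256 or stronger"))
    if eff["keybits"] != "inherit" and eff["keybits"] < 2048:
        findings.append(("keybits",
                         f"{eff['keybits']}-bit key is below the 2048-bit minimum"))
    if eff["validityPeriod"] > max_lifetime:
        findings.append(("validityPeriod", "proxy lifetime exceeds the allowed maximum"))
    return findings


if __name__ == "__main__":
    settings = effective_constraints([], now=0)   # what plain `arcproxy` yields
    print(settings)
    for field, message in policy_findings(settings):
        print(f"{field}: {message}")
```

Run with an empty constraint list, the checker reports both the sha1 default and the 1024-bit default, which is the practical reason to pass `-c signingAlgorithm=sha256 -c keybits=2048` (or `inherit`) rather than relying on the defaults documented above.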
- -p
- password destination=password source. Supported password destinations are:
key - for reading private key
myproxy - for accessing credentials at MyProxy service
myproxynew - for creating credentials at MyProxy service
all - for any purpose.
Supported password sources are:
quoted string ("password") - explicitly specified password
int - interactively request password from console
stdin - read password from standard input delimited by newline
file:filename - read password from file named filename
stream:# - read password from input stream number #. Currently only 0
(standard input) is supported.
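A wrapper that drives arcproxy non-interactively has to implement exactly this destination/source resolution itself when it manages the secrets. The block below is an added example, not arcproxy's own code: it parses `destination=source` specifications and obtains the password from each documented source. Assumptions: a `file:` source yields the file's first line with the trailing newline removed, and `all` supplies any destination that was not given its own source.

```python
"""Resolve the `-p destination=source` password specification documented for
arcproxy, so a wrapper can hand the right secret to the right purpose without
putting it on the command line.

Added example, not arcproxy's own code. Assumptions: a file: source yields its
first line with the newline stripped; 'all' supplies any destination that was
not given its own source."""
from __future__ import annotations

import getpass
import os
import sys
import tempfile
from typing import Callable

DESTINATIONS = ("key", "myproxy", "myproxynew")


def parse_password_option(spec: str) -> tuple[str, str]:
    """Split 'destination=source', validating the destination."""
    dest, sep, source = spec.partition("=")
    if not sep or dest not in DESTINATIONS + ("all",):
        raise ValueError(f"bad password option: {spec!r}")
    return dest, source


def read_password(source: str, *,
                  read_line: Callable[[], str] = sys.stdin.readline,
                  prompt: Callable[[], str] = lambda: getpass.getpass("Password: ")) -> str:
    """Obtain the password from one of the documented sources."""
    if len(source) >= 2 and source[0] == '"' and source[-1] == '"':
        return source[1:-1]                     # quoted string
    if source == "int":
        return prompt()                         # interactive console prompt
    if source == "stdin":
        return read_line().rstrip("\n")         # one newline-delimited line
    if source.startswith("file:"):
        with open(source[len("file:"):], encoding="utf-8") as fh:
            return fh.readline().rstrip("\n")   # first line of the file (assumption)
    if source.startswith("stream:"):
        if source[len("stream:"):] != "0":      # only stream 0 is supported
            raise ValueError(f"unsupported stream in {source!r}")
        return read_line().rstrip("\n")
    raise ValueError(f"unsupported password source: {source!r}")


def resolve_passwords(specs: list[str], **readers) -> dict[str, str]:
    """Return {destination: password} for every destination that has a source."""
    explicit: dict[str, str] = {}
    fallback = None
    for spec in specs:
        dest, source = parse_password_option(spec)
        password = read_password(source, **readers)
        if dest == "all":
            fallback = password
        else:
            explicit[dest] = password
    if fallback is not None:                    # 'all' fills the gaps (assumption)
        for dest in DESTINATIONS:
            explicit.setdefault(dest, fallback)
    return explicit


def demo() -> dict[str, str]:
    """Key password from a quoted string, everything else from a temporary file
    (constructed here so the example runs offline)."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write("from-file\n")
        return resolve_passwords(['key="typed-on-cli"', f"all=file:{path}"])
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

The quoted-string source is the one to avoid in scripts: a password given that way is visible in the process list and lands in shell history, whereas `file:` (with restrictive permissions on the file) and `stdin` keep it off the command line.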
- -t
- timeout in seconds (default 20)
- -z
- configuration file (default ~/.arc/client.conf)
- -d
- level of information printed. Possible values are DEBUG, VERBOSE, INFO,
WARNING, ERROR and FATAL.
- -v
- print version information
If the location of the certificate and key is not explicitly specified, they
are looked for in the following locations, in order:
1. Key/certificate paths specified by the environment variables X509_USER_KEY
and X509_USER_CERT respectively.
2. Paths specified in the configuration file.
3. ~/.arc/usercert.pem and ~/.arc/userkey.pem for certificate and key
respectively.
4. ~/.globus/usercert.pem and ~/.globus/userkey.pem for certificate and key
respectively.
If the destination location of the proxy file is not specified, the value of
the X509_USER_PROXY environment variable is used. If no value is provided, the
default location <TEMPORARY DIRECTORY>/x509up_u<USER ID> is used, where
TEMPORARY DIRECTORY is taken from the environment variables TMPDIR, TMP or
TEMP, or the default location /tmp is used.
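The search order above is what an operator needs to reproduce when auditing which credential a user's arcproxy run actually picked up, or where the proxy file was written. The block below is an added example, not arcproxy's own code: it implements the documented lookup for certificate, key and proxy path, parameterised on the environment, the client.conf items and an existence check so it can be exercised offline. The file names usercert.pem/userkey.pem are documented for ~/.arc and ~/.globus and assumed here for ./etc/arc and ./.

```python
"""Where arcproxy looks for the user certificate, private key and proxy file,
following the search order documented in the man page.

Added example, not arcproxy's own code. The lookup is parameterised on the
environment, the client.conf items and an existence check so it runs offline.
File names usercert.pem/userkey.pem are documented for ~/.arc and ~/.globus and
assumed for ./etc/arc and ./."""
from __future__ import annotations

import os
from typing import Callable, Mapping, Optional

KIND = {
    # kind: (environment variable, client.conf item, default file name)
    "cert": ("X509_USER_CERT", "certificatepath", "usercert.pem"),
    "key": ("X509_USER_KEY", "keypath", "userkey.pem"),
}


def search_dirs(home: str) -> list[str]:
    """Directories tried, in order, when neither env nor client.conf gives a path."""
    return [os.path.join(home, ".arc"), os.path.join(home, ".globus"),
            os.path.join(".", "etc", "arc"), "."]


def find_credential(kind: str, env: Mapping[str, str], conf: Mapping[str, str],
                    exists: Callable[[str], bool], home: str) -> Optional[str]:
    """Return the path arcproxy would use for the certificate or key, or None."""
    env_var, conf_item, filename = KIND[kind]
    if env.get(env_var):
        return env[env_var]                       # 1. environment variable
    if conf.get(conf_item):
        return conf[conf_item]                    # 2. client.conf item
    for directory in search_dirs(home):           # 3. well-known directories
        candidate = os.path.join(directory, filename)
        if exists(candidate):
            return candidate
    return None


def proxy_path(env: Mapping[str, str], uid: int) -> str:
    """Destination of the generated proxy when -P is not given."""
    if env.get("X509_USER_PROXY"):
        return env["X509_USER_PROXY"]
    tmpdir = next((env[v] for v in ("TMPDIR", "TMP", "TEMP") if env.get(v)), "/tmp")
    return os.path.join(tmpdir, f"x509up_u{uid}")


if __name__ == "__main__":
    # Run against the real process environment and file system.
    home = os.path.expanduser("~")
    print("cert :", find_credential("cert", os.environ, {}, os.path.exists, home))
    print("key  :", find_credential("key", os.environ, {}, os.path.exists, home))
    print("proxy:", proxy_path(os.environ, os.getuid()))
```

Because the environment variables win over client.conf and the well-known directories, an audit of a shared account should start by checking whether X509_USER_CERT, X509_USER_KEY or X509_USER_PROXY are set in the user's shell profile before looking at the files on disk.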
Report bugs to http://bugzilla.nordugrid.org/
- ARC_LOCATION
- The location where ARC is installed can be specified by this variable. If
not specified the install location will be determined from the path to the
command being executed, and if this fails a WARNING will be given stating
the location which will be used.
- ARC_PLUGIN_PATH
- The location of ARC plugins can be specified by this variable. Multiple
locations can be specified by separating them by : (; in Windows). The
default location is $ARC_LOCATION/lib/arc (\ in Windows).
APACHE LICENSE Version 2.0
- /etc/vomses
- Common file containing a list of selected VO contact points, one VO per
line, for example:
- "gin" "kuiken.nikhef.nl" "15050" "/O=dutchgrid/O=hosts/OU=nikhef.nl/CN=kuiken.nikhef.nl" "gin.ggf.org"
- "nordugrid.org" "voms.uninett.no" "15015" "/O=Grid/O=NorduGrid/CN=host/voms.ndgf.org" "nordugrid.org"
- ~/.voms/vomses
- Same as /etc/vomses but located in the user's home area. If it exists, it has
precedence over /etc/vomses.
The order in which vomses locations are parsed is:
1. command line options
2. client configuration file ~/.arc/client.conf
3. $X509_VOMSES or $X509_VOMS_FILE
4. ~/.arc/vomses
5. ~/.voms/vomses
6. $ARC_LOCATION/etc/vomses (this is for Windows environments)
7. $ARC_LOCATION/etc/grid-security/vomses (this is for Windows environments)
8. $PWD/vomses
9. /etc/vomses
10. /etc/grid-security/vomses
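The vomses format shown above (five double-quoted fields per line: nickname, host, port, server DN, VO name) is simple enough that a site can validate its own files before distributing them, which matters because the server DN in this file is what the client later checks the VOMS server's certificate against. The block below is an added example, not ARC's own parser: it parses vomses content with the two entries from this page as constructed sample input, rejects malformed lines, and looks a VO up by nickname or VO name (the matching rule is this example's, not necessarily arcproxy's). Treating blank and '#' lines as ignorable is also this example's assumption.

```python
"""Parse vomses files as described in the man page: one VO contact point per
line, five double-quoted fields (nickname, host, port, server DN, VO name).

Added example, not ARC's own parser. The sample content is constructed from
the two entries shown in the man page; treating blank and '#' lines as
ignorable is this example's assumption."""
from __future__ import annotations

import shlex

VOMSES_SAMPLE = '''
# constructed sample, entries taken from the man page
"gin" "kuiken.nikhef.nl" "15050" "/O=dutchgrid/O=hosts/OU=nikhef.nl/CN=kuiken.nikhef.nl" "gin.ggf.org"
"nordugrid.org" "voms.uninett.no" "15015" "/O=Grid/O=NorduGrid/CN=host/voms.ndgf.org" "nordugrid.org"
'''

FIELDS = ("nickname", "host", "port", "server_dn", "vo")


def parse_vomses(text: str) -> list[dict]:
    """Return one dict per contact point; raise ValueError on a malformed line."""
    entries: list[dict] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)                # honours the double quotes
        if len(fields) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected {len(FIELDS)} quoted fields, "
                             f"got {len(fields)}")
        entry = dict(zip(FIELDS, fields))
        if not entry["port"].isdigit() or not 0 < int(entry["port"]) < 65536:
            raise ValueError(f"line {lineno}: bad port {entry['port']!r}")
        entry["port"] = int(entry["port"])
        if not entry["server_dn"].startswith("/"):
            raise ValueError(f"line {lineno}: server DN must start with '/'")
        entries.append(entry)
    return entries


def contact_points(entries: list[dict], name: str) -> list[dict]:
    """Contact points whose nickname or VO name equals `name` (example's rule)."""
    return [e for e in entries if name in (e["nickname"], e["vo"])]


if __name__ == "__main__":
    for e in parse_vomses(VOMSES_SAMPLE):
        print(f"{e['vo']:15} {e['host']}:{e['port']}  {e['server_dn']}")
```

Note that the second sample entry advertises the host voms.uninett.no while its DN names voms.ndgf.org: the DN field, not the host name, is what identifies the server, so a vomses reviewer should confirm the DN against the VO's published contact information rather than inferring it from the host.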
- ~/.arc/client.conf
- Some options can be given default values by specifying them in the ARC
client configuration file. By using the --conffile option a
different configuration file can be used than the default.
ARC software is developed by the NorduGrid Collaboration
(http://www.nordugrid.org), please consult the AUTHORS file distributed with
ARC. Please report bugs and feature requests to
http://bugzilla.nordugrid.org
arccat(1), arcclean(1), arccp(1),
arcget(1), arcinfo(1), arckill(1), arcls(1),
arcmkdir(1), arcrenew(1), arcresub(1),
arcresume(1), arcrm(1), arcstat(1), arcsub(1),
arcsync(1), arctest(1)