arcproxy - ARC Credentials Proxy generation utility
- arcproxy [OPTION...]
The arcproxy command creates a proxy from a key/certificate pair
which can then be used to access grid resources.
- -h, --help
  - Show help options
- -P, --proxy=path
  - path to the proxy file
- -C, --cert=path
  - path to the certificate file; it can be PEM, DER or PKCS12 formatted
- -K, --key=path
  - path to the private key file; if the certificate is in PKCS12 format, the private key does not need to be given
- -T, --cadir=path
  - path to the trusted certificate directory, only needed for the VOMS client functionality
- -s, --vomsdir=path
  - path to the top directory of VOMS *.lsc files, only needed for the VOMS client functionality
- -V, --vomses=path
  - path to the VOMS server configuration file
- -S, --voms=string
  - voms<:command>. Specify VOMS server
  - More than one VOMS server can be specified like this: --voms VOa:command1 --voms VOb:command2. :command is optional, and is used to ask for specific attributes (e.g. roles)
  - command options are:
    - all --- put all of this DN's attributes into AC;
    - list --- list all of the DN's attributes, will not create AC extension;
    - /Role=yourRole --- specify the role; if this DN has such a role, the role will be put into AC;
    - /voname/groupname/Role=yourRole --- specify the VO, group and role; if this DN has such a role, the role will be put into AC.
  - If this option is not specified, values from configuration files are used. To avoid anything being used, specify -S with an empty value.
- -o, --order=string
  - group<:role>. Specify ordering of attributes
  - Example: --order /knowarc.eu/coredev:Developer,/knowarc.eu/testers:Tester or: --order /knowarc.eu/coredev:Developer --order /knowarc.eu/testers:Tester
  - Note that it does not make sense to specify the order if you have two or more different VOMS servers specified
- -G, --gsicom
  - use GSI communication protocol for contacting VOMS services
- -H, --httpcom
  - use HTTP communication protocol for contacting VOMS services that provide RESTful access
  - Note that for RESTful access, the 'list' command and multiple VOMS servers are not supported
- -B, --oldcom
  - use old communication protocol for contacting VOMS services instead of RESTful access
- -O, --old
  - this option is not functional (old GSI proxies are not supported anymore)
- -I, --info
  - print all information about this proxy.
- -i, --infoitem=string
  - print selected information about this proxy.
- -r, --remove
  - remove proxy
- -U, --user=string
  - username to MyProxy server (if missing, the subject of the user certificate is used)
- -N, --nopassphrase
  - don't prompt for a credential passphrase when retrieving a credential from a MyProxy server.
  - The precondition for this choice is that the credential was PUT onto the MyProxy server without a passphrase by using the -R (--retrievable_by_cert) option. This option is specific to the GET command when contacting a MyProxy server.
- -R, --retrievable_by_cert=string
  - Allow the specified entity to retrieve the credential without a passphrase.
  - This option is specific to the PUT command when contacting a MyProxy server.
- -L, --myproxysrv=string
  - hostname[:port] of MyProxy server
- -M, --myproxycmd=string
  - command to MyProxy server. The command can be PUT, GET, INFO, NEWPASS or DESTROY.
    - PUT -- put delegated credentials onto the MyProxy server;
    - GET -- get delegated credentials from the MyProxy server;
    - INFO -- get and present information about credentials stored at the MyProxy server;
    - NEWPASS -- change the password protecting credentials stored at the MyProxy server;
    - DESTROY -- wipe off credentials stored at the MyProxy server;
  - Local credentials (certificate and key) are not necessary except in the case of PUT. MyProxy functionality can be used together with VOMS functionality: --voms and --vomses can be used with the GET command if VOMS attributes are required to be included in the proxy.
- -F, --nssdb
  - use NSS credential database in default Mozilla profiles, including Firefox, Seamonkey and Thunderbird.
- -c, --constraint=string
  - proxy constraints
- -p, --passwordsource=string
  - password destination=password source
- -t, --timeout=seconds
  - timeout in seconds (default 20)
- -z, --conffile=filename
  - configuration file (default ~/.arc/client.conf)
- -d, --debug=debuglevel
  - FATAL, ERROR, WARNING, INFO, VERBOSE or DEBUG
- --systemca
  - force using CA certificates configuration provided by OpenSSL
- --gridca
  - force using CA certificates configuration for Grid services (typically IGTF)
- --allowinsecureconnection
  - allow TLS connection which failed verification
- -v, --version
  - print version information
Supported constraints (values for the --constraint option) are:
- validityStart=time (e.g. 2008-05-29T10:20:30Z; if not specified, start from now)
- validityEnd=time
- validityPeriod=time (e.g. 43200 or 12h or 12H; if neither validityPeriod nor validityEnd is specified, the default is 12 hours for a local proxy, and 168 hours for a proxy delegated on a MyProxy server)
- vomsACvalidityPeriod=time (e.g. 43200 or 12h or 12H; if not specified, the default is the minimum of 12 hours and validityPeriod)
- myproxyvalidityPeriod=time (lifetime of proxies delegated by the MyProxy server, e.g. 43200 or 12h or 12H; if not specified, the default is the minimum of 12 hours and validityPeriod (which is the lifetime of the delegated proxy on the MyProxy server))
- proxyPolicy=policy content
- proxyPolicyFile=policy file
- keybits=number - length of the key to generate. Default is 2048 bits. Special value 'inherit' is to use the key length of the signing certificate.
- signingAlgorithm=name - signing algorithm to use for signing the public key of the proxy. Possible values are sha1, sha2 (alias for sha256), sha224, sha256, sha384, sha512 and inherit (use the algorithm of the signing certificate). Default is inherit. With old systems, only sha1 is acceptable.
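How the validity constraints combine, as an added Python example (not ARC's own code): it parses the time and period formats listed above and applies the stated defaults, so the effective proxy and VOMS AC lifetimes can be checked before a proxy is issued. Treating an explicit validityPeriod that contradicts validityEnd as an error is an assumption; the page does not say which of the two wins.

```python
"""Resolve the proxy validity window from arcproxy-style -c constraints.

Added example, not arcproxy's own code. It models the rules stated in the
man page: validityStart defaults to now; periods are seconds or Nh/NH;
the default period is 12 hours for a local proxy and 168 hours for a
delegated one; vomsACvalidityPeriod defaults to min(12h, validityPeriod).
"""
import re
from datetime import datetime, timedelta, timezone

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"          # e.g. 2008-05-29T10:20:30Z
HOUR = 3600
DEFAULT_LOCAL_PERIOD = 12 * HOUR         # local proxy
DEFAULT_DELEGATED_PERIOD = 168 * HOUR    # proxy delegated on a MyProxy server
DEFAULT_AC_PERIOD = 12 * HOUR            # upper bound for the VOMS AC default


def parse_period(text: str) -> int:
    """'43200' -> 43200, '12h' / '12H' -> 43200 (seconds)."""
    m = re.fullmatch(r"(\d+)([hH]?)", text.strip())
    if m is None:
        raise ValueError(f"bad period: {text!r}")
    n = int(m.group(1))
    return n * HOUR if m.group(2) else n


def parse_time(text: str) -> datetime:
    return datetime.strptime(text.strip(), TIME_FMT).replace(tzinfo=timezone.utc)


def fmt_time(t: datetime) -> str:
    return t.astimezone(timezone.utc).strftime(TIME_FMT)


def parse_constraints(values):
    """Each -c value is 'name=content'; a repeated name overrides the earlier one."""
    out = {}
    for v in values:
        name, sep, content = v.partition("=")
        if not sep or not name.strip():
            raise ValueError(f"constraint must look like name=value: {v!r}")
        out[name.strip()] = content
    return out


def resolve_validity(constraints, now: str, delegated: bool = False):
    """Return the effective window as ISO timestamps and integer seconds."""
    start = parse_time(constraints.get("validityStart", now))
    end_c = constraints.get("validityEnd")
    period_c = constraints.get("validityPeriod")
    if end_c is not None:
        end = parse_time(end_c)
        period = int((end - start).total_seconds())
        # Assumption: validityEnd and validityPeriod given together must agree.
        if period_c is not None and parse_period(period_c) != period:
            raise ValueError("validityEnd and validityPeriod disagree")
    else:
        if period_c is not None:
            period = parse_period(period_c)
        else:
            period = DEFAULT_DELEGATED_PERIOD if delegated else DEFAULT_LOCAL_PERIOD
        end = start + timedelta(seconds=period)
    if period <= 0:
        raise ValueError("proxy validity window is empty")
    ac_c = constraints.get("vomsACvalidityPeriod")
    ac_period = parse_period(ac_c) if ac_c is not None else min(DEFAULT_AC_PERIOD, period)
    return {
        "validityStart": fmt_time(start),
        "validityEnd": fmt_time(end),
        "validityPeriod": period,
        "vomsACvalidityPeriod": ac_period,
    }
```

A short-lived proxy limits the damage if the proxy file is copied; resolving the window this way makes it obvious when a long validityPeriod silently outlives the 12-hour VOMS AC default.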
Possible values for the --infoitem option are:
- subject - subject name of proxy certificate.
- identity - identity subject name of proxy certificate.
- issuer - issuer subject name of proxy certificate.
- ca - subject name of CA which issued initial certificate.
- path - file system path to file containing proxy.
- type - type of proxy certificate.
- validityStart - timestamp when proxy validity starts.
- validityEnd - timestamp when proxy validity ends.
- validityPeriod - duration of proxy validity in seconds.
- validityLeft - duration of proxy validity left in seconds.
- vomsVO - VO name represented by VOMS attribute
- vomsSubject - subject of certificate for which VOMS attribute is issued
- vomsIssuer - subject of service which issued VOMS certificate
- vomsACvalidityStart - timestamp when VOMS attribute validity starts.
- vomsACvalidityEnd - timestamp when VOMS attribute validity ends.
- vomsACvalidityPeriod - duration of VOMS attribute validity in seconds.
- vomsACvalidityLeft - duration of VOMS attribute validity left in seconds.
- proxyPolicy
- keybits - size of proxy certificate key in bits.
- signingAlgorithm - algorithm used to sign proxy certificate.
Items are printed in the requested order and are separated by newlines. If an item has multiple values they are printed on the same line separated by |.
Supported password destinations (for the --passwordsource option) are:
- key - for reading private key
- myproxy - for accessing credentials at MyProxy service
- myproxynew - for creating credentials at MyProxy service
- all - for any purpose.
Supported password sources are:
- quoted string ("password") - explicitly specified password
- int - interactively request password from console
- stdin - read password from standard input delimited by newline
- file:filename - read password from file named filename
- stream:# - read password from input stream number #. Currently only 0 (standard input) is supported.
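The destination=source grammar above, as an added Python example (not ARC's own code): it parses each --passwordsource value, rejects the unsupported stream numbers, and fetches the password from the named source. The rule for combining several values (an entry for the specific destination beats an entry for all) is an assumption; the page does not state it.

```python
"""Interpret arcproxy-style --passwordsource values.

Added example, not ARC's own code. Parsing follows the destinations and
sources listed in the man page; the precedence between several
--passwordsource values is an assumption.
"""
import sys

DESTINATIONS = ("key", "myproxy", "myproxynew", "all")


def parse_passwordsource(spec):
    """'key=file:/path' -> ('key', 'file', '/path'); raises ValueError on unknown forms."""
    dest, sep, src = spec.partition("=")
    if not sep or dest not in DESTINATIONS:
        raise ValueError(f"unknown password destination in {spec!r}")
    if len(src) >= 2 and src[0] == '"' and src[-1] == '"':
        return dest, "quoted", src[1:-1]          # explicitly specified password
    if src in ("int", "stdin"):
        return dest, src, None                    # console prompt / standard input
    if src.startswith("file:") and len(src) > len("file:"):
        return dest, "file", src[len("file:"):]
    if src.startswith("stream:"):
        if src[len("stream:"):] != "0":           # only stream 0 is supported
            raise ValueError("only input stream 0 (standard input) is supported")
        return dest, "stream", 0
    raise ValueError(f"unknown password source in {spec!r}")


def is_valid_passwordsource(spec) -> bool:
    try:
        parse_passwordsource(spec)
        return True
    except ValueError:
        return False


def read_password(kind, arg, stdin_lines=None, prompt=None):
    """Fetch the password for a parsed source.

    stdin_lines (an iterable of lines) and prompt (a callable) are injectable
    so the logic can be exercised without a terminal.
    """
    if kind == "quoted":
        return arg
    if kind == "int":
        import getpass
        return (prompt or getpass.getpass)("Password: ")
    if kind in ("stdin", "stream"):
        source = stdin_lines if stdin_lines is not None else sys.stdin
        line = next(iter(source), "")
        return line.rstrip("\r\n")                # delimited by newline, as documented
    if kind == "file":
        with open(arg, "r", encoding="utf-8") as f:
            return f.readline().rstrip("\r\n")
    raise ValueError(f"unknown source kind {kind!r}")


def password_for(destination, specs, **io):
    """Pick the --passwordsource entry for a destination.

    Assumption: an entry naming the destination wins over an 'all' entry,
    and None is returned when neither exists.
    """
    parsed = [parse_passwordsource(s) for s in specs]
    for wanted in (destination, "all"):
        for dest, kind, arg in parsed:
            if dest == wanted:
                return read_password(kind, arg, **io)
    return None
```

The file: and stdin sources keep the secret off the command line, where a quoted string is visible to every local user through the process list and may be recorded in shell history.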
- ARC_LOCATION
  - The location where ARC is installed can be specified by this variable. If not specified, the install location will be determined from the path to the command being executed, and if this fails a WARNING will be given stating the location which will be used.
- ARC_PLUGIN_PATH
  - The location of ARC plugins can be specified by this variable. Multiple locations can be specified by separating them by : (; in Windows). The default location is $ARC_LOCATION/lib/arc (\ in Windows).
- /etc/vomses
  - Common file containing a list of selected VO contact points, one VO per line, for example:
    - "gin" "kuiken.nikhef.nl" "15050" "/O=dutchgrid/O=hosts/OU=nikhef.nl/CN=kuiken.nikhef.nl" "gin.ggf.org"
    - "nordugrid.org" "voms.uninett.no" "15015" "/O=Grid/O=NorduGrid/CN=host/voms.ndgf.org" "nordugrid.org"
- ~/.voms/vomses
  - Same as /etc/vomses but located in the user's home area. If it exists, it has precedence over /etc/vomses.
  - The order of parsing of vomses locations is:
    1. command line options
    2. client configuration file ~/.arc/client.conf
    3. $X509_VOMSES or $X509_VOMS_FILE
    4. ~/.arc/vomses
    5. ~/.voms/vomses
    6. $ARC_LOCATION/etc/vomses (this is for Windows environment)
    7. $ARC_LOCATION/etc/grid-security/vomses (this is for Windows environment)
    8. $PWD/vomses
    9. /etc/vomses
    10. /etc/grid-security/vomses
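The vomses format and lookup order above, as an added Python example (not ARC's own code): it parses entries like the two quoted lines, builds the file search order stated in the list (the command-line and client.conf steps are not file locations and are left to the caller), and resolves --voms VO<:command> values against the parsed entries. The rule that the first existing location wins, the port-range check and the leading-slash check on the server DN are assumptions.

```python
"""Parse vomses files and resolve --voms targets as the man page describes.

Added example, not ARC's own code. Assumptions are marked inline.
"""
import os
import shlex

# Constructed sample: the two entries quoted in the FILES section above.
SAMPLE_VOMSES = '''
"gin" "kuiken.nikhef.nl" "15050" "/O=dutchgrid/O=hosts/OU=nikhef.nl/CN=kuiken.nikhef.nl" "gin.ggf.org"
"nordugrid.org" "voms.uninett.no" "15015" "/O=Grid/O=NorduGrid/CN=host/voms.ndgf.org" "nordugrid.org"
'''


def parse_vomses_line(line):
    """One entry: "alias" "host" "port" "server DN" "VO name"; blank or # lines give None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = shlex.split(line)            # splits on whitespace, honouring the double quotes
    if len(fields) < 5:
        raise ValueError(f"vomses line needs 5 quoted fields: {line!r}")
    alias, host, port, dn, vo = fields[:5]
    if not port.isdigit() or not 0 < int(port) < 65536:   # assumption: TCP port range
        raise ValueError(f"bad port in vomses line: {port!r}")
    if not dn.startswith("/"):                             # assumption: OpenSSL-style DN
        raise ValueError(f"server DN should be a /-separated name: {dn!r}")
    return {"alias": alias, "host": host, "port": int(port), "dn": dn, "vo": vo}


def parse_vomses(text):
    """Map alias -> list of entries (an alias may list more than one server)."""
    entries = {}
    for line in text.splitlines():
        entry = parse_vomses_line(line)
        if entry is not None:
            entries.setdefault(entry["alias"], []).append(entry)
    return entries


def vomses_locations(env, home, cwd):
    """Candidate vomses locations in the documented precedence order (steps 3-10)."""
    locs = []
    for var in ("X509_VOMSES", "X509_VOMS_FILE"):
        if env.get(var):
            locs.append(env[var])
    locs.append(os.path.join(home, ".arc", "vomses"))
    locs.append(os.path.join(home, ".voms", "vomses"))
    if env.get("ARC_LOCATION"):
        locs.append(os.path.join(env["ARC_LOCATION"], "etc", "vomses"))
        locs.append(os.path.join(env["ARC_LOCATION"], "etc", "grid-security", "vomses"))
    locs.append(os.path.join(cwd, "vomses"))
    locs.extend(["/etc/vomses", "/etc/grid-security/vomses"])
    return locs


def first_existing(locations, exists=os.path.exists):
    """Assumption: the first location that exists is the one used."""
    for loc in locations:
        if exists(loc):
            return loc
    return None


def parse_voms_option(value):
    """'VO<:command>' -> (alias, command or None); an empty value (-S '') means no VOMS."""
    if value == "":
        return None
    alias, sep, command = value.partition(":")
    return alias, (command if sep else None)


def resolve_voms_targets(voms_values, entries):
    """Pair each --voms value with (host, port, server DN, command) from the vomses entries."""
    targets = []
    for value in voms_values:
        parsed = parse_voms_option(value)
        if parsed is None:
            continue
        alias, command = parsed
        if alias not in entries:
            raise LookupError(f"no vomses entry for VO {alias!r}")
        for entry in entries[alias]:
            targets.append((entry["host"], entry["port"], entry["dn"], command))
    return targets
```

Because $PWD/vomses sits ahead of /etc/vomses in the search order, a vomses file dropped into the working directory can redirect the client to a different VOMS endpoint; listing the candidates with vomses_locations and checking which one first_existing picks is a quick way to confirm that the expected file is in effect.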
- ~/.arc/client.conf
  - Some options can be given default values by specifying them in the ARC client configuration file. By using the --conffile option a different configuration file can be used than the default.
ARC software is developed by the NorduGrid Collaboration (http://www.nordugrid.org); please consult the AUTHORS file distributed with ARC. Please report bugs and feature requests to http://bugzilla.nordugrid.org
Report bugs to http://bugzilla.nordugrid.org/
APACHE LICENSE Version 2.0
arccat(1), arcclean(1), arccp(1),
arcget(1), arcinfo(1), arckill(1), arcls(1),
arcmkdir(1), arcrenew(1), arcresume(1),
arcrm(1), arcstat(1), arcsub(1), arcsync(1),
arctest(1)