myproxy-init(1)                     MyProxy                    myproxy-init(1)

NAME

       myproxy-init - store a credential for later retrieval

SYNOPSIS

       myproxy-init [ options ]

DESCRIPTION

       The myproxy-init command uploads a credential to a myproxy-server(8)
       for later retrieval.  In the default mode, the command first prompts
       for the user's Grid pass phrase (if needed), which is used to create a
       proxy credential.  The command then prompts for a MyProxy pass phrase,
       which will be required to later retrieve the credential.  The MyProxy
       pass phrase must be entered a second time for confirmation.  A
       credential with a lifetime of one week (by default) is then delegated
       to the myproxy-server(8) and stored with the given MyProxy pass phrase.
       Proxy credentials with default lifetime of 12 hours can then be
       retrieved by myproxy-logon(1) using the MyProxy passphrase.  The
       default behavior can be overridden by options specified below.

       The myproxy-init command can also upload a credential to a
       myproxy-server(8) to support credential renewal.  Renewal allows a
       trusted service (for example, a batch job scheduler) to obtain a new
       credential for a user before the existing credential it has for that
       user expires.  The -R argument to myproxy-init configures the
       credential for renewal by the specified service.  Renewal requires two
       authentications.  The renewing service must authenticate with its own
       credentials, matching the distinguished name specified by the -R
       argument, and must also authenticate with an existing credential that
       matches the distinguished name of the stored credential, to retrieve a
       new credential.

       A credential may be used either for retrieval or renewal but not both.
       If both are desired, upload a different credential for each use, with a
       different name using the -k option.

       The hostname where the myproxy-server(8) is running must be specified
       by either defining the MYPROXY_SERVER environment variable or the -s
       option.

       By default, myproxy-init will create a proxy credential from the user's
       end-entity credentials at ~/.globus/usercert.pem and
       ~/.globus/userkey.pem to delegate to the myproxy-server(8).  To specify
       an alternate location for the source certificate and key to delegate,
       use the X509_USER_CERT and X509_USER_KEY environment variables.  To use
       a proxy credential as the source of the delegation, set both
       environment variables to the location of the proxy credential.  To
       delegate a "legacy globus proxy", set the GT_PROXY_MODE environment
       variable to "old".  To delegate an "RFC 3820 compliant proxy", set the
       GT_PROXY_MODE environment variable to "rfc".

OPTIONS

       -h, --help
              Displays command usage text and exits.

       -u, --usage
              Displays command usage text and exits.

       -v, --verbose
              Enables verbose debugging output to the terminal.

       -V, --version
              Displays version information and exits.

       -s hostname[:port], --pshost hostname[:port]
              Specifies the hostname(s) of the myproxy-server(s).  Multiple
              hostnames, each hostname optionally followed by a ':' and port
              number, may be specified in a comma-separated list.  This option
              is required if the MYPROXY_SERVER environment variable is not
              defined.  If specified, this option overrides the MYPROXY_SERVER
              environment variable.  If a port number is specified with a
              hostname, it will override the -p option as well as the
              MYPROXY_SERVER_PORT environment variable for that host.

       -p port, --psport port
              Specifies the TCP port number of the myproxy-server(8).
              Default: 7512

       -l, --username
              Specifies the MyProxy account under which the credential should
              be stored.  By default, the command uses the value of the
              LOGNAME environment variable.  Use this option to specify a
              different account username on the MyProxy server.  The MyProxy
              username need not correspond to a real Unix username.

       -c hours, --cred_lifetime hours
              Specifies the lifetime of the credential stored on the
              myproxy-server(8) in hours.  Specify 0 for the maximum possible
              lifetime, i.e., the lifetime of the original credential.
              Default: 1 week (168 hours)

       -t hours, --proxy_lifetime hours
              Specifies the maximum lifetime of credentials retrieved from the
              myproxy-server(8) using the stored credential.  Default: 12
              hours

       -C filename, --certfile filename
              Specifies the filename of the source certificate.

       -y filename, --keyfile filename
              Specifies the filename of the source private key.

       -d, --dn_as_username
              Use the certificate subject (DN) as the default username,
              instead of the LOGNAME environment variable.

       -a, --allow_anonymous_retrievers
              Allow credentials to be retrieved with just pass phrase
              authentication.  By default, only entities with credentials that
              match the myproxy-server.config(5) default retriever policy may
              retrieve credentials.  This option allows entities without
              existing credentials to retrieve a credential using pass phrase
              authentication by including "anonymous" in the set of allowed
              retrievers.  The myproxy-server.config(5) server-wide policy
              must also allow "anonymous" clients for this option to have an
              effect.

       -A, --allow_anonymous_renewers
              Allow credentials to be renewed by any client.  Any client with
              a valid credential with a subject name that matches the stored
              credential may retrieve a new credential from the MyProxy
              repository if this option is given.  Since this effectively
              defeats the purpose of proxy credential lifetimes, it is not
              recommended.  It is included only for sake of completeness.

       -r dn, --retrievable_by dn
              Allow the specified entity to retrieve credentials.  By default,
              the argument will be matched against the common name (CN) of the
              client (for example: "Jim Basney").  Specify -x before this
              option to match against the full distinguished name (DN) (for
              example: "/C=US/O=National Computational Science Alliance/CN=Jim
              Basney") or a regular expression (for example: "*/CN=Jim
              Basney|*/CN=James Basney").

       -R dn, --renewable_by dn
              Allow the specified entity to renew credentials.  By default,
              the argument will be matched against the common name (CN) of the
              client (for example: "condorg/modi4.ncsa.uiuc.edu").  Specify -x
              before this option to match against the full distinguished name
              (DN) (for example: "/C=US/O=National Computational Science
              Alliance/CN=condorg/modi4.ncsa.uiuc.edu") or a regular
              expression (for example:
              "*/CN=server1.ncsa.uiuc.edu|*/CN=server2.ncsa.uiuc.edu").  This
              option implies -n since passphrase authentication is not used
              for credential renewal.

       -Z dn, --retrievable_by_cert dn
              Allow the specified entity to retrieve credentials without a
              passphrase.  By default, the argument will be matched against
              the common name (CN) of the client (for example: "Jim Basney").
              Specify -x before this option to match against the full
              distinguished name (DN) (for example: "/C=US/O=National
              Computational Science Alliance/CN=Jim Basney") or a regular
              expression (for example: "*/CN=Jim Basney|*/CN=James Basney").
              This option implies -n.

       -x, --regex_dn_match
              Specifies that the DN used by options -r and -R will be matched
              as a regular expression.

       -X, --match_cn_only
              Specifies that the DN used by options -r and -R will be matched
              against the Common Name (CN) of the subject.

       -k name, --credname name
              Specifies the credential name.

       -K description, --creddesc description
              Specifies credential description.

       -S, --stdin_pass
              By default, the command prompts for a passphrase and reads the
              passphrase from the active tty.  When running the command
              non-interactively, there may be no associated tty.  Specifying
              this option tells the command to read passphrases from standard
              input without prompts or confirmation.

       -L, --local_proxy
              In addition to storing a proxy credential on the
              myproxy-server(8) with lifetime set by --cred_lifetime (default
              1 week), create a local proxy credential with lifetime set by
              --proxy_lifetime (default 12 hours).

       -n, --no_passphrase
              Don't prompt for a credential passphrase.  Store credentials
              without a credential passphrase, to be protected by other
              methods, such as PAM, SASL, or certificate-based authentication.
              This option is implied by -R since passphrase authentication is
              not used for credential renewal.  Note that the
              myproxy-server(8) always requires some type of authentication
              for retrieving credentials, so if you store a credential with no
              passphrase and other authentication methods are not configured,
              the credential will not be accessible.

       -m voms, --voms voms
              Add VOMS attributes to the credential by running voms-proxy-init
              on the client-side before storing the credential on the
              myproxy-server(8).  The VOMS VO name must be provided, as
              required by voms-proxy-init -voms.  The voms-proxy-init command
              must be installed and configured to use this option.  For
              example, the VOMS_USERCONF environment variable may need to be
              set for voms-proxy-init to run correctly.

EXIT STATUS

       0 on success, >0 on error

FILES

       ~/.globus/usercert.pem
              Default location of the certificate from which the proxy
              credential is created.  Set the X509_USER_CERT environment
              variable to override.

       ~/.globus/userkey.pem
              Default location of the private key from which the proxy
              credential is created.  Set the X509_USER_KEY environment
              variable to override.

       /tmp/myproxy-proxy.<uid>.<pid>
              Location of the temporary proxy credential that is delegated to
              the myproxy-server(8).  It is removed after the delegation is
              completed.

ENVIRONMENT

       MYPROXY_SERVER
              Specifies the hostname(s) where the myproxy-server(8) is
              running.  Multiple hostnames can be specified in a comma
              separated list with each hostname optionally followed by a ':'
              and port number.  This environment variable can be used in place
              of the -s option.

       MYPROXY_SERVER_PORT
              Specifies the port where the myproxy-server(8) is running.  This
              environment variable can be used in place of the -p option.

       MYPROXY_SERVER_DN
              Specifies the distinguished name (DN) of the myproxy-server(8).
              All MyProxy client programs authenticate the server's identity.
              By default, MyProxy servers run with host credentials, so the
              MyProxy client programs expect the server to have a
              distinguished name with "/CN=host/<fqhn>" or
              "/CN=myproxy/<fqhn>" or "/CN=<fqhn>" (where <fqhn> is the
              fully-qualified hostname of the server).  If the server is
              running with some other DN, you can set this environment
              variable to tell the MyProxy clients to accept the alternative
              DN.

       X509_USER_CERT
              Specifies a non-standard location for the certificate from which
              the proxy credential is created.  The location may be the path
              to an end-entity certificate (ex.  ~/.globus/usercert.pem) or a
              proxy (ex.  /tmp/x509up_u<uid>).

       X509_USER_KEY
              Specifies a non-standard location for the private key from which
              the proxy credential is created.  The location may be the path
              to an end-entity private key (ex.  ~/.globus/userkey.pem) or a
              proxy (ex.  /tmp/x509up_u<uid>).

       X509_CERT_DIR
              Specifies a non-standard location for the CA certificates
              directory.

       GT_PROXY_MODE
              Set to "old" to store a "legacy globus proxy" in the MyProxy
              repository.  Set to "rfc" to store an "RFC 3820 compliant proxy"
              in the MyProxy repository.

       MYPROXY_TCP_PORT_RANGE
              Specifies a range of valid port numbers in the form "min,max"
              for the client side of the network connection to the server.  By
              default, the client will bind to any available port.  Use this
              environment variable to restrict the ports used to a range
              allowed by your firewall.  If unset, MyProxy will follow the
              setting of the GLOBUS_TCP_PORT_RANGE environment variable.

       MYPROXY_KEYBITS
              Specifies the size for RSA keys generated by MyProxy.  By
              default, MyProxy generates 2048 bit RSA keys.  Set this
              environment variable to "1024" for 1024 bit RSA keys.

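As an added example (not part of the MyProxy distribution), the shell function below checks the arguments of a myproxy-init invocation against the cautions given under DESCRIPTION, OPTIONS and ENVIRONMENT above, for use when reviewing wrapper scripts. The function name and the finding labels are made up for this example; it only inspects the argument list and never contacts a server.

```sh
#!/bin/sh
# Added example: lint a myproxy-init argument list against this man page.
# Finding labels (ANON-RENEWERS, MIXED-USE, ...) are hypothetical names.
# Prints the findings on one line; exit status is 0 only when there are none.
lint_myproxy_init() (
    renew=0 retrieve=0 bycert=0 nopass=0 findings=""
    add() { findings="${findings:+$findings }$1"; }
    while [ $# -gt 0 ]; do
        arg=0   # becomes 1 when the option consumes the following word
        case "$1" in
            -A|--allow_anonymous_renewers)   add ANON-RENEWERS ;;
            -a|--allow_anonymous_retrievers) add ANON-RETRIEVERS ;;
            -n|--no_passphrase)              nopass=1 ;;
            -R|--renewable_by)               renew=1; arg=1 ;;
            -r|--retrievable_by)             retrieve=1; arg=1 ;;
            -Z|--retrievable_by_cert)        retrieve=1; bycert=1; arg=1 ;;
            -c|--cred_lifetime)
                # 0 stores the credential for the original's full lifetime.
                if [ "${2:-}" = 0 ]; then add MAX-LIFETIME; fi
                arg=1 ;;
            -s|--pshost|-p|--psport|-l|--username|-t|--proxy_lifetime|\
            -C|--certfile|-y|--keyfile|-k|--credname|-K|--creddesc|-m|--voms)
                arg=1 ;;
        esac
        shift
        if [ "$arg" = 1 ] && [ $# -gt 0 ]; then shift; fi
    done
    # Retrieval and renewal belong in separate uploads with distinct -k names.
    if [ "$renew" = 1 ] && [ "$retrieve" = 1 ]; then add MIXED-USE; fi
    # A bare -n depends on PAM, SASL or certificate auth being set up on the
    # server; -R and -Z imply -n and name who may authenticate.
    if [ "$nopass" = 1 ] && [ "$renew" = 0 ] && [ "$bycert" = 0 ]; then
        add NO-PASSPHRASE
    fi
    # 2048-bit RSA is the documented default; "1024" is the weaker override.
    if [ "${MYPROXY_KEYBITS:-2048}" = 1024 ]; then add KEYBITS-1024; fi
    printf '%s\n' "$findings"
    [ -z "$findings" ]
)
# Usage (constructed host name): lint_myproxy_init -s myproxy.example.org -c 0 -A
```
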

AUTHORS

       See http://myproxy.ncsa.uiuc.edu/about for the list of MyProxy authors.

SEE ALSO

       myproxy-change-pass-phrase(1), myproxy-destroy(1),
       myproxy-get-trustroots(1), myproxy-info(1), myproxy-logon(1),
       myproxy-retrieve(1), myproxy-store(1), myproxy-server.config(5),
       myproxy-admin-adduser(8), myproxy-admin-change-pass(8),
       myproxy-admin-load-credential(8), myproxy-admin-query(8),
       myproxy-server(8)

MyProxy                           2010-09-09                   myproxy-init(1)