SGE_CA(8)              Grid Engine Administrative Commands              SGE_CA(8)

NAME
    util/sgeCA/sge_ca - Grid Engine CSP Support control command

SYNOPSIS
    sge_ca command [command options]

DESCRIPTION
    sge_ca controls a simple Grid Engine Certificate Authority that is used
    for the special Certificate Security Protocol (CSP) mode. CSP mode
    improves the security of Grid Engine by enabling OpenSSL secured
    communication channels and X509v3 certificates for authentication. In
    addition it is possible to export the key material or to create JKS
    keystores for the JMX connector. The following list of commands and
    command options gives an overview of the available functionality. For
    further details about every command refer to the COMMAND DETAILS
    section.

    sge_ca [-help]
        show usage

    sge_ca -init [command options]
        create the infrastructure for a new Grid Engine Certificate
        Authority with its corresponding files and directories and a set
        of keys and certificates for the SGE Daemon, root and the admin
        user.

    sge_ca -req | -verify <cert> | -sign | -copy [command options]
        manipulate individual keys and certificates

    sge_ca -print <cert> | -printkey <key> | -printcrl <crl>
        print out certificates, keys and certificate revocation lists in
        human readable form.

    sge_ca -showCaTop | -showCaLocalTop [command options]
        echo the $CATOP or $CALOCALTOP directory. This command is usually
        run as root on the qmaster host after a CA infrastructure has been
        created. If -cadir, -catop or -calocaltop are set, the
        corresponding directories are printed.

    sge_ca -usercert <user file> | -user <u:g:e> | -sdm_daemon <u:g:e>
           [command options]
        create certificates and keys for a set of users contained in
        <user file>, for a single user <u:g:e> or for an SDM daemon
        <u:g:e> (see hedeby_introduction(1)).

    sge_ca -pkcs12 <user> | -sdm_pkcs12 <g> | -sys_pkcs12 [command options]
        export the certificate and key of user <user> or of SDM daemon <g>
        in pkcs12 format, or export the SGE Daemon certificate and key in
        pkcs12 format.

    sge_ca -userks | -ks <user> | -sysks [command options]
        create keystores for all users that have a certificate and key,
        the keystore for a single user <user>, or the keystore containing
        the SGE Daemon certificate and key.

    sge_ca -renew <user> | -renew_ca | -renew_sys | -renew_sdm <g>
           [command options]
        renew the corresponding certificate for user <user>, for the CA,
        for the SGE Daemon or for the SDM daemon <g>.

    Here "[command options]" is a combination of the following options,
    depending on the command. The COMMAND DETAILS section explains which
    options are usable for each command.

    -days <days>
        days of validity of the certificate

    -sha1
        use sha-1 instead of md5 as message digest

    -encryptkey
        use des to encrypt the generated private key with a passphrase.
        The passphrase is requested when a key is created or used.

    -outdir <dir>
        write to directory <dir>

    -cahost <host>
        define the CA hostname (CA master host)

    -cadir <dir>
        define the $CALOCALTOP and $CATOP settings

    -calocaltop <dir>
        define the $CALOCALTOP setting

    -catop <dir>
        define the $CATOP setting

    -kspwf <file>
        define a keystore password file that contains the password used
        to encrypt the keystore and the keys contained therein

    -ksout <file>
        define the output file to write the keystore to

    -pkcs12pwf <file>
        define a pkcs12 password file that contains the password used to
        encrypt the pkcs12 export file and the keys contained therein

    -pkcs12dir <dir>
        define the output directory <dir> to write the exported pkcs12
        file to. Otherwise the current working directory is used.

COMMAND DETAILS
    sge_ca -init [-cadir <dir>] [-catop <dir>] [-calocaltop <dir>]
           [-adminuser <admin>] [-days <num days>]
        The -init command creates a new Grid Engine certificate authority
        and its corresponding files. Usually "sge_ca -init" is run by user
        root on the master host. If the options -adminuser, -cadir,
        -calocaltop, -catop and the Grid Engine environment variables
        SGE_ROOT, SGE_CELL and SGE_QMASTER_PORT are set, the CA
        directories are created in the following locations:

        During initialization the following information is requested for
        the certificate subject: two letter country code, state, location
        (e.g. city or your building code), organization (e.g. your company
        name), organizational unit (e.g. your department) and the email
        address of the CA administrator (you!).

        Certificates and keys are generated for the CA itself, for the
        SGE Daemon, for the GE install user (usually root) and finally for
        the GE admin user.

        How and where the certificates and keys are created can be
        influenced additionally by:

        -days <days>
            change the validity of the certificates to <days> instead of
            365 days
        -sha1
            change the message digest algorithm from md5 to sha-1
        -encryptkey
            encrypt the generated keys with a passphrase
        -adminuser <user>
            use <user> as admin user
        -cahost <host>
            use <host> as the CA master host
        [-cadir <dir>] [-catop <dir>] [-calocaltop <dir>]
            set $CATOP and $CALOCALTOP to <dir> to use something other
            than the Grid Engine default directories. Either -cadir <dir>
            has to be specified to replace $CATOP and $CALOCALTOP by the
            same directory, or -catop <dir> for $CATOP and -calocaltop
            <dir> for $CALOCALTOP.

    sge_ca -user <u:g:e> [-cadir <dir>] [-catop <dir>] [-calocaltop <dir>]
           [-adminuser <admin>] [-days <days>]
        generate certificate and keys for <u:g:e> with u='Unix user
        account name', g='common name' and e='email address'. By default
        the certificate is valid for 365 days, or for <days> if specified
        with -days <days>. This command is usually run as user root on
        the qmaster host. $CATOP and $CALOCALTOP may be overruled by
        -cadir, -catop and -calocaltop.

    sge_ca -sdm_daemon <u:g:e>
        generate daemon certificate and keys for <u:g:e> with u='Unix
        user account name', g='common name' and e='email address'. By
        default the certificate is valid for 365 days, or for <days> if
        specified with "-days <days>". This command is usually run as
        user root on the qmaster host.

    sge_ca -usercert <user file> [-cadir <dir>] [-catop <dir>]
           [-calocaltop <dir>] [-adminuser <admin>] [-days <days>]
           [-encryptkey] [-sha1]
        Usually sge_ca -usercert <user file> is run as user root on the
        master host. The argument <user file> contains a list of users in
        the following format:

            eddy:Eddy Smith:eddy@griders.org
            sarah:Sarah Miller:sarah@griders.org
            leo:Leo Lion:leo@griders.org

        where the colon-separated fields are:

            Unix user:Gecos field:email address

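    The following POSIX shell functions are an added example, not part of
    the sge_ca script: they check a <user file> in the format above before
    it is handed to sge_ca -usercert, so that a malformed line or an
    unknown account is caught before the CA issues anything. The function
    names validate_userfile and check_accounts and the sample file contents
    are assumptions made here.

```shell
#!/bin/sh
# Pre-flight checks for an "sge_ca -usercert" user file (added example).
# Expected line format:  unix_user:gecos:email
# validate_userfile FILE -> returns 0 if every non-blank, non-comment line
#                           has exactly three colon-separated fields with a
#                           plausible user name and email address
# check_accounts FILE    -> returns 0 if every listed Unix user exists
#                           (the CA should only issue certs for real accounts)
validate_userfile() {
    status=0
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in ''|'#'*) continue ;; esac
        case "$line" in
            *:*:*:*) echo "line $lineno: more than 3 fields" >&2; status=1; continue ;;
            *:*:*) ;;
            *) echo "line $lineno: fewer than 3 fields" >&2; status=1; continue ;;
        esac
        user=${line%%:*}
        rest=${line#*:}
        gecos=${rest%%:*}
        email=${rest#*:}
        # Unix account names: lowercase letters, digits, '_' and '-' only
        case "$user" in
            ''|*[!a-z0-9_-]*) echo "line $lineno: bad user name '$user'" >&2; status=1 ;;
        esac
        [ -n "$gecos" ] || { echo "line $lineno: empty common name" >&2; status=1; }
        # minimal email sanity check: exactly one '@' followed by a dotted domain
        case "$email" in
            *@*@*|*@|@*) echo "line $lineno: bad email '$email'" >&2; status=1 ;;
            *@*.*) ;;
            *) echo "line $lineno: bad email '$email'" >&2; status=1 ;;
        esac
    done < "$1"
    return "$status"
}

check_accounts() {
    status=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        user=${line%%:*}
        id -u "$user" >/dev/null 2>&1 || { echo "no such Unix user: $user" >&2; status=1; }
    done < "$1"
    return "$status"
}
```

    Run both functions on the file and only call sge_ca -usercert when
    both return 0; errors are reported on stderr with the line number.
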
    sge_ca -renew <user> [-cadir <dir>] [-catop <dir>] [-calocaltop <dir>]
           [-adminuser <admin>] [-days <days>]
        Renew the certificate for <user>. By default the certificate is
        extended for 365 days, or for <days> if specified with -days
        <days>. If the value is negative the certificate becomes invalid.
        This command is usually run as user root on the qmaster host.
        $CATOP and $CALOCALTOP may be overruled by -cadir, -catop and
        -calocaltop.

    sge_ca -renew_ca [-cadir <dir>] [-catop <dir>] [-calocaltop <dir>]
           [-adminuser <admin>] [-days <days>]
        Renew the CA certificate. By default the certificate is extended
        for 365 days, or for <days> if specified with -days <days>. If the
        value is negative the certificate becomes invalid. This command is
        usually run as user root on the qmaster host. $CATOP and
        $CALOCALTOP may be overruled by -cadir, -catop and -calocaltop.

    sge_ca -renew_sys [-cadir <dir>] [-catop <dir>] [-calocaltop <dir>]
           [-adminuser <admin>] [-days <days>]
        Renew the SGE Daemon certificate. By default the certificate is
        extended for 365 days, or for <days> if specified with -days
        <days>. If the value is negative the certificate becomes invalid.
        This command is usually run as user root on the qmaster host.
        $CATOP and $CALOCALTOP may be overruled by -cadir, -catop and
        -calocaltop.

    sge_ca -renew_sdm <g> [-cadir <dir>] [-catop <dir>] [-calocaltop <dir>]
           [-adminuser <admin>] [-days <days>]
        Renew the SDM daemon certificate of <g>, where <g> is the common
        name of the daemon. By default the certificate is extended for
        365 days, or for <days> if specified with -days <days>. If the
        value is negative the certificate becomes invalid. This command is
        usually run as user root on the qmaster host. $CATOP and
        $CALOCALTOP may be overruled by -cadir, -catop and -calocaltop.

    sge_ca -pkcs12 <user> [-pkcs12pwf <file>] [-pkcs12dir <dir>]
           [-cadir <dir>] [-catop <dir>] [-calocaltop <dir>]
           [-adminuser <admin>]
        export certificate and key of user <user> (the Unix user name) in
        pkcs12 format. This command is usually run as user root on the
        qmaster host. If -pkcs12pwf <file> is used, the file and the
        corresponding key will be encrypted with the password in <file>.
        If -pkcs12dir <dir> is used, the output file is written to
        <dir>/<user>.p12 instead of ./<user>.p12. $CATOP and $CALOCALTOP
        may be overruled by -cadir, -catop and -calocaltop.

    sge_ca -sys_pkcs12 [-pkcs12pwf <file>] [-pkcs12dir <dir>]
           [-cadir <dir>] [-catop <dir>] [-calocaltop <dir>]
           [-adminuser <admin>]
        export certificate and key of the SGE Daemon in pkcs12 format.
        This command is usually run as user root on the qmaster host. If
        -pkcs12pwf <file> is used, the file and the corresponding key will
        be encrypted with the password in <file>. If -pkcs12dir <dir> is
        used, the output file is written to <dir>/<user>.p12 instead of
        ./<user>.p12. $CATOP and $CALOCALTOP may be overruled by -cadir,
        -catop and -calocaltop.

    sge_ca -sdm_pkcs12 <g> [-pkcs12pwf <file>] [-pkcs12dir <dir>]
           [-cadir <dir>] [-catop <dir>] [-calocaltop <dir>]
           [-adminuser <admin>]
        export certificate and key of daemon <g> (g='common name') in
        pkcs12 format. This command is usually run as user root on the
        qmaster host. If -pkcs12pwf <file> is used, the file and the
        corresponding key will be encrypted with the password in <file>.
        If -pkcs12dir <dir> is used, the output file is written to
        <dir>/<g>.p12 instead of ./<g>.p12. $CATOP and $CALOCALTOP may be
        overruled by -cadir, -catop and -calocaltop.

    sge_ca -ks <user> [-ksout <file>] [-kspwf <file>] [-cadir <dir>]
           [-catop <dir>] [-calocaltop <dir>] [-adminuser <admin>]
        create a keystore in JKS format containing the certificate and key
        of user <user>, where <user> is the Unix user name. This command
        is usually run as user root on the qmaster host. If -kspwf <file>
        is used, the keystore and the corresponding key will be encrypted
        with the password in <file>. The -ksout <file> option specifies
        the keystore file that is created. If the -ksout <file> option is
        missing, the default location for the keystore is
        $CALOCALTOP/userkeys/<user>/keystore. This command is usually
        invoked by sge_ca -userks. A prerequisite is a valid JAVA_HOME
        environment variable setting. $CATOP and $CALOCALTOP may be
        overruled by -cadir, -catop and -calocaltop.

    sge_ca -userks [-kspwf <file>] [-cadir <dir>] [-catop <dir>]
           [-calocaltop <dir>] [-adminuser <admin>]
        generate a keystore in JKS format for all users having a key and
        certificate. This command is usually run as user root on the
        qmaster host. If -kspwf <file> is used, the keystore and the
        corresponding key will be encrypted with the password in <file>.
        The keystore files are created in
        $CALOCALTOP/userkeys/<user>/keystore. This command is run after
        user certificates and keys have been created with sge_ca -usercert
        <userfile>, or after any of the certificates have been renewed.
        $CATOP and $CALOCALTOP may be overruled by -cadir, -catop and
        -calocaltop.

    sge_ca -sysks [-kspwf <file>] [-cadir <dir>] [-catop <dir>]
           [-calocaltop <dir>] [-adminuser <admin>]
        generate a keystore in JKS format containing the SGE Daemon
        certificate and key. This command is usually run as user root on
        the qmaster host. If -kspwf <file> is used, the keystore and the
        corresponding key will be encrypted with the password in <file>.
        The keystore file is created in $CALOCALTOP/private/keystore.
        $CATOP and $CALOCALTOP may be overruled by -cadir, -catop and
        -calocaltop.

    sge_ca -print <cert>
        Print a certificate, where <cert> is the corresponding certificate
        in pem format.

    sge_ca -printkey <key>
        Print a key, where <key> is the corresponding key in pem format.

    sge_ca -printcrl <crl>
        Print a certificate revocation list, where <crl> is the
        corresponding certificate revocation list in pem format.

    sge_ca -req [-cadir <dir>] [-catop <dir>] [-calocaltop <dir>]
           [-adminuser <admin>] [-days <days>] [-encryptkey] [-sha1]
           [-outdir <dir>]
        create a private key and a certificate request for the calling
        user. These are created as newkey.pem and newreq.pem in the
        current working directory. If the option -outdir <dir> is
        specified in addition, the files are created in <dir>.

    sge_ca -sign [-cadir <dir>] [-catop <dir>] [-calocaltop <dir>]
           [-adminuser <admin>] [-days <days>] [-encryptkey] [-sha1]
           [-outdir <dir>]
        Sign a certificate request. The CA certificate under $CATOP
        (default: $SGE_ROOT/$SGE_CELL/common/sgeCA) and the CA key from
        $CALOCALTOP (default:
        /var/sgeCA/{port$SGE_QMASTER_PORT|sge_qmaster}/$SGE_CELL) are used
        for the signature. If $CATOP and $CALOCALTOP are set to a
        different directory, the information there is used. The
        certificate is created as newcert.pem in the current working
        directory, or in <dir> if the option -outdir <dir> has been
        specified. In addition the option "-days <number of days>" can be
        specified to change the default validity from 365 days to the
        given number of days.

    sge_ca -verify <cert> [-cadir <dir>] [-catop <dir>] [-calocaltop <dir>]
           [-adminuser <admin>]
        Verify a certificate's validity, where <cert> is the corresponding
        certificate in pem format. $CATOP and $CALOCALTOP can be overruled
        by -cadir, -catop and -calocaltop.

    sge_ca -copy [-cadir <dir>] [-catop <dir>] [-calocaltop <dir>]
        sge_ca -copy is run by a user to copy the user's certificate and
        key on the master host to
        $HOME/.sge/port$SGE_QMASTER_PORT/$SGE_CELL/certs/cert.pem and the
        corresponding private key to
        $HOME/.sge/port$SGE_QMASTER_PORT/$SGE_CELL/private/key.pem, which
        are then used instead of the files in $CATOP and $CALOCALTOP. The
        command is only recommended for testing purposes or where $HOME
        is on a secure shared file system.

EXAMPLES
    # sge_ca -init -cadir /tmp -sha1 -encryptkey -days 31
        create a CA infrastructure in /tmp with a certificate validity of
        31 days, using sha-1 instead of md5 as message digest. The keys
        are encrypted, and a passphrase has to be entered during the
        creation of the different keys or when signing a certificate with
        the created CA key.

    # sge_ca -usercert /tmp/myusers.txt -cadir /tmp
        /tmp/myusers.txt contains user1:My User:user1@myorg.org and user1
        is a valid Unix user account. Create a key and certificate for
        user1.

    # sge_ca -userks -cadir /tmp
        create a keystore for all users of the simple CA. The keystore is
        stored under /tmp/userkeys/<user>/keystore.

    # sge_ca -renew root -cadir /tmp -days -1
        make the root certificate temporarily invalid.

    # sge_ca -renew_ca -days 365 -cadir /tmp
        renew the CA certificate for 365 days

ENVIRONMENTAL VARIABLES
    SGE_ROOT   Specifies the location of the Grid Engine standard
               configuration files.

    SGE_CELL   If set, specifies the default Grid Engine cell.

RESTRICTIONS
    The sge_ca command must usually be called with Grid Engine root
    permissions on the master host. For more details on the permission
    requirements consult the detailed description of the different
    commands above.

FILES
    sge_ca creates a file tree starting in $CATOP and $CALOCALTOP. The
    default for $CATOP is usually $SGE_ROOT/$SGE_CELL/common/sgeCA and for
    $CALOCALTOP /var/sgeCA/{port$SGE_QMASTER_PORT|sge_qmaster}/$SGE_CELL,
    where the subpaths beginning with $ expand to the content of the
    corresponding environment variable.

    In addition the user certificate may optionally exist in
    $HOME/.sge/port$SGE_QMASTER_PORT/$SGE_CELL/certs/cert.pem and the
    corresponding private key in
    $HOME/.sge/port$SGE_QMASTER_PORT/$SGE_CELL/private/key.pem, which are
    then used instead of the files in $CATOP and $CALOCALTOP (see sge_ca
    -copy above).

SEE ALSO
    ge_qmaster(8).

COPYRIGHT
    See ge_intro(1) for a full statement of rights and permissions.



GE 6.2u5                 $Date: 2008/07/19 17:12:58 $                 SGE_CA(8)