ARCPROXY(1)                  NorduGrid Users Manual                  ARCPROXY(1)



NAME

       arcproxy - ARC Credentials Proxy generation utility


SYNOPSIS

       arcproxy [OPTION]


DESCRIPTION

       arcproxy generates proxy credentials (a plain proxy certificate, or a
       proxy certificate with a VOMS AC extension) from the user's private
       key and certificate.


OPTIONS

       -h     print a short usage description


       -P filename
              location of the generated proxy file


       -C     location of the X509 certificate file; the file can be in PEM,
              DER, or PKCS12 format. If this option is not set, the
              X509_USER_CERT environment variable is used; if X509_USER_CERT
              is not set, the certificatepath item in client.conf is used; if
              the location is still not found, ~/.arc/, ~/.globus/, ./etc/arc,
              and ./ are searched.


       -K     location of the private key file; if the certificate is in
              PKCS12 format there is no need to give a private key. If this
              option is not set, the X509_USER_KEY environment variable is
              used; if X509_USER_KEY is not set, the keypath item in
              client.conf is used; if the location is still not found,
              ~/.arc/, ~/.globus/, ./etc/arc, and ./ are searched.


       -T     path to the trusted certificate directory; only needed for VOMS
              client functionality. If this option is not set, the
              X509_CERT_DIR environment variable is used; if X509_CERT_DIR is
              not set, the cacertificatesdirectory item in client.conf is
              used.


       -s     path to the top directory of VOMS *.lsc files; only needed for
              VOMS client functionality


       -V     path to the VOMS server configuration file; only needed for VOMS
              client functionality. If the path is a directory rather than a
              file, all files under that directory are searched.


       -S     voms<:command>. Specify the VOMS server. The :command part is
              optional and is used to ask for specific attributes (e.g.
              roles). The command can be one of:

              all --- put all of this DN's attributes into the AC;

              list --- list all of the DN's attributes; no AC extension is
              created;

              /Role=yourRole --- specify the role; if this DN has such a
              role, it is put into the AC;

              /voname/groupname/Role=yourRole --- specify the VO, group and
              role; if this DN has such a role, it is put into the AC.


       -o     group<:role>. Specify the ordering of attributes.
              Example: --order /knowarc.eu/coredev:Developer,/knowarc.eu/testers:Tester
              or: --order /knowarc.eu/coredev:Developer --order /knowarc.eu/testers:Tester
              Note that it does not make sense to specify the order if two or
              more different VOMS servers are specified.


       -G     use the GSI communication protocol for contacting VOMS services


       -H     use the HTTP communication protocol for contacting VOMS
              services that provide RESTful access. Note that for RESTful
              access the 'list' command and multiple VOMS servers are not
              supported.


       -O     this option is not functional anymore (old GSI proxies are not
              supported)


       -I     print all information about this proxy. In order to show the
              Identity (the DN without the CN suffix added for the proxy) of
              the certificate, the trusted certificate directory is needed.


       -i     print selected information about this proxy. Currently the
              following information items are supported:

              subject - subject name of the proxy certificate.

              identity - identity subject name of the proxy certificate.

              issuer - issuer subject name of the proxy certificate.

              ca - subject name of the CA which issued the initial
              certificate.

              path - file system path to the file containing the proxy.

              type - type of the proxy certificate.

              validityStart - timestamp when proxy validity starts.

              validityEnd - timestamp when proxy validity ends.

              validityPeriod - duration of proxy validity in seconds.

              validityLeft - duration of proxy validity left in seconds.

              vomsVO - VO name represented by the VOMS attribute.

              vomsSubject - subject of the certificate for which the VOMS
              attribute is issued.

              vomsIssuer - subject of the service which issued the VOMS
              certificate.

              vomsACvalidityStart - timestamp when VOMS attribute validity
              starts.

              vomsACvalidityEnd - timestamp when VOMS attribute validity ends.

              vomsACvalidityPeriod - duration of VOMS attribute validity in
              seconds.

              vomsACvalidityLeft - duration of VOMS attribute validity left in
              seconds.

              proxyPolicy

              keybits - size of the proxy certificate key in bits.

              signingAlgorithm - algorithm used to sign the proxy certificate.

              Items are printed in the requested order, one per line. If an
              item has multiple values they are printed on the same line
              separated by |.


       -r     Remove the proxy file.


       -U     Username for the MyProxy server.


       -N     do not prompt for a credential passphrase when retrieving a
              credential from a MyProxy server. The precondition is that the
              credential was PUT onto the MyProxy server without a passphrase
              by using the -R (--retrievable_by_cert) option. This option is
              specific to the GET command when contacting the MyProxy server.


       -R     Allow the specified entity to retrieve the credential without a
              passphrase. This option is specific to the PUT command when
              contacting the MyProxy server.


       -L     hostname of the MyProxy server, optionally followed by a colon
              and port number, e.g. example.org:7512. If the port number is
              not specified, 7512 is used by default.


       -M     command to the MyProxy server. The command can be PUT or GET.
              PUT/put -- put a delegated credential onto the MyProxy server;
              GET/get -- get a delegated credential from the MyProxy server;
              a credential (certificate and key) is not needed in this case.
              MyProxy functionality can be used together with VOMS
              functionality: voms and vomses can be used with the GET command
              if VOMS attributes are required to be included in the proxy.


       -F     use the NSS credential DB in default Mozilla profiles,
              including Firefox, Seamonkey and Thunderbird.


       -c     constraints on the proxy certificate. Currently the following
              constraints are supported:

              validityStart=time - time when the certificate becomes valid.
              Default is now.

              validityEnd=time - time when the certificate becomes invalid.
              Default is 43200 (12 hours) from start for a local proxy and 7
              days for a proxy delegated to MyProxy.

              validityPeriod=time - for how long the certificate is valid.
              Default is 43200 (12 hours) for a local proxy and 7 days for a
              proxy delegated to MyProxy.

              vomsACvalidityPeriod=time - for how long the AC is valid.
              Default is the shorter of validityPeriod and 12 hours.

              myproxyvalidityPeriod=time - lifetime of proxies delegated by
              the MyProxy server. Default is the shorter of validityPeriod
              and 12 hours.

              proxyPolicy=policy content - assigns the specified string to
              the proxy policy to limit its functionality.

              keybits=number - length of the key to generate. Default is 2048
              bits. The special value 'inherit' uses the key length of the
              signing certificate.

              signingAlgorithm=name - signing algorithm to use for signing
              the public key of the proxy. Default is sha1. Possible values
              are sha1, sha2 (alias for sha256), sha224, sha256, sha384,
              sha512 and inherit (use the algorithm of the signing
              certificate).


       -p     password destination=password source. Supported password
              destinations are:

              key - for reading the private key

              myproxy - for accessing credentials at the MyProxy service

              myproxynew - for creating credentials at the MyProxy service

              all - for any purpose.

              Supported password sources are:

              quoted string ("password") - explicitly specified password

              int - interactively request the password from the console

              stdin - read the password from standard input, delimited by a
              newline

              file:filename - read the password from the file named filename

              stream:# - read the password from input stream number #.
              Currently only 0 (standard input) is supported.


       -t     timeout in seconds (default 20)


       -z     configuration file (default ~/.arc/client.conf)


       -d     level of information printed. Possible values are DEBUG,
              VERBOSE, INFO, WARNING, ERROR and FATAL.


       -v     print version information


       If the locations of the certificate and key are not explicitly
       specified, they are looked for in the following locations, in order:

       Key/certificate paths specified by the environment variables
       X509_USER_KEY and X509_USER_CERT respectively.

       Paths specified in the configuration file.

       ~/.arc/usercert.pem and ~/.arc/userkey.pem for certificate and key
       respectively.

       ~/.globus/usercert.pem and ~/.globus/userkey.pem for certificate and
       key respectively.

       If the destination location of the proxy file is not specified, the
       value of the X509_USER_PROXY environment variable is used. If no value
       is provided, the default location <TEMPORARY DIRECTORY>/x509up_u<USER
       ID> is used, where TEMPORARY DIRECTORY is taken from the environment
       variables TMPDIR, TMP or TEMP, or defaults to /tmp.


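       The shell functions below are an added example, not part of the
       arcproxy man page or the ARC sources: they re-implement the documented
       default-location rules for the proxy file and for the certificate and
       key, so the paths arcproxy will end up using can be checked before it
       is run. They assume client.conf stores the certificatepath and keypath
       items as plain "item=value" lines.

```sh
#!/bin/sh
# Added example (not from the arcproxy man page or the ARC sources): the
# documented default-location rules, re-implemented so they can be checked
# before arcproxy is invoked.

# Proxy destination: explicit path ($1) wins, then $X509_USER_PROXY, then
# <TMPDIR|TMP|TEMP|/tmp>/x509up_u<uid>, as the man page describes.
arc_default_proxy_path() {
    if [ -n "$1" ]; then printf '%s\n' "$1"; return 0; fi
    if [ -n "$X509_USER_PROXY" ]; then printf '%s\n' "$X509_USER_PROXY"; return 0; fi
    tmp="${TMPDIR:-${TMP:-${TEMP:-/tmp}}}"
    printf '%s/x509up_u%s\n' "$tmp" "$(id -u)"
}

# Read one "item=value" line from client.conf (assumed line format); prints
# nothing if the file or the item is absent.  $1 = config file, $2 = item.
arc_conf_item() {
    if [ -r "$1" ]; then
        sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
    fi
}

# Locate the certificate ("cert") or private key ("key") in the documented
# order: environment variable, client.conf item, then ~/.arc, ~/.globus,
# ./etc/arc and ./ .  Prints the path and returns 0, or returns 1 when no
# readable file is found.  $1 = cert|key, $2 = config file (optional).
arc_find_cred() {
    conf="${2:-$HOME/.arc/client.conf}"
    case "$1" in
        cert) cand="$X509_USER_CERT"; item=certificatepath; name=usercert.pem ;;
        key)  cand="$X509_USER_KEY";  item=keypath;         name=userkey.pem ;;
        *)    return 2 ;;
    esac
    if [ -z "$cand" ]; then cand="$(arc_conf_item "$conf" "$item")"; fi
    if [ -z "$cand" ]; then
        for dir in "$HOME/.arc" "$HOME/.globus" ./etc/arc .; do
            if [ -r "$dir/$name" ]; then cand="$dir/$name"; break; fi
        done
    fi
    if [ -n "$cand" ] && [ -r "$cand" ]; then printf '%s\n' "$cand"; return 0; fi
    return 1
}
```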

REPORTING BUGS

       Report bugs to http://bugzilla.nordugrid.org/



ENVIRONMENT VARIABLES

       ARC_LOCATION
              The location where ARC is installed can be specified by this
              variable. If not specified, the install location will be
              determined from the path to the command being executed, and if
              this fails a WARNING will be given stating the location which
              will be used.


       ARC_PLUGIN_PATH
              The location of ARC plugins can be specified by this variable.
              Multiple locations can be specified by separating them by : (;
              in Windows). The default location is $ARC_LOCATION/lib/arc (\ in
              Windows).


COPYRIGHT

       APACHE LICENSE Version 2.0



FILES

       /etc/vomses
              Common file containing a list of selected VO contact points,
              one VO per line, for example:

              "gin" "kuiken.nikhef.nl" "15050" "/O=dutchgrid/O=hosts/OU=nikhef.nl/CN=kuiken.nikhef.nl" "gin.ggf.org"

              "nordugrid.org" "voms.uninett.no" "15015" "/O=Grid/O=NorduGrid/CN=host/voms.ndgf.org" "nordugrid.org"


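       As an added example (not ARC's own code), the POSIX shell functions
       below parse vomses lines in the five-field quoted format shown above,
       reject malformed entries, and look up one VO's contact point; the
       sample input is constructed from the two entries listed above, and the
       VOMSES_SAMPLE name is an assumption of this example.

```sh
#!/bin/sh
# Added example, not from the ARC sources.  Constructed sample input taken
# from the two vomses entries shown in this man page.
VOMSES_SAMPLE='"gin" "kuiken.nikhef.nl" "15050" "/O=dutchgrid/O=hosts/OU=nikhef.nl/CN=kuiken.nikhef.nl" "gin.ggf.org"
"nordugrid.org" "voms.uninett.no" "15015" "/O=Grid/O=NorduGrid/CN=host/voms.ndgf.org" "nordugrid.org"'

# Print the five fields (nick, host, port, server DN, VO name) of every
# well-formed vomses line, TAB-separated.  Blank and "#" lines are ignored;
# a line without exactly five double-quoted fields, a numeric port and a DN
# beginning with "/" is reported on stderr and skipped.  Reads stdin.
vomses_parse() {
    awk '
    /^[ \t]*(#|$)/ { next }
    {
        n = 0; line = $0
        while (match(line, /"[^"]*"/)) {
            n++; f[n] = substr(line, RSTART + 1, RLENGTH - 2)
            line = substr(line, RSTART + RLENGTH)
        }
        if (n != 5 || f[3] !~ /^[0-9]+$/ || f[4] !~ /^\//) {
            print "vomses: skipping malformed line " NR ": " $0 | "cat 1>&2"
            next
        }
        print f[1] "\t" f[2] "\t" f[3] "\t" f[4] "\t" f[5]
    }'
}

# Contact point (host:port) of the VO whose nickname (first field) is $1;
# prints nothing if the nickname is not listed.  Reads vomses text on stdin.
vomses_contact() {
    vomses_parse | awk -F '\t' -v nick="$1" '$1 == nick { print $2 ":" $3; exit }'
}
```

       The DN in the fourth field is what the VOMS client expects the server
       to present, so the parsed record is a convenient place to confirm it
       matches the host actually being contacted.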
       ~/.voms/vomses
              Same as /etc/vomses but located in the user's home area. If it
              exists, it has precedence over /etc/vomses.

              The order in which vomses locations are parsed is:

                     1. command line options
                     2. client configuration file ~/.arc/client.conf
                     3. $X509_VOMSES or $X509_VOMS_FILE
                     4. ~/.arc/vomses
                     5. ~/.voms/vomses
                     6. $ARC_LOCATION/etc/vomses (this is for the Windows
                        environment)
                     7. $ARC_LOCATION/etc/grid-security/vomses (this is for
                        the Windows environment)
                     8. $PWD/vomses
                     9. /etc/vomses
                     10. /etc/grid-security/vomses


       ~/.arc/client.conf
              Some options can be given default values by specifying them in
              the ARC client configuration file. By using the --conffile
              option a configuration file other than the default can be used.



AUTHOR

       ARC software is developed by the NorduGrid Collaboration
       (http://www.nordugrid.org); please consult the AUTHORS file
       distributed with ARC. Please report bugs and feature requests to
       http://bugzilla.nordugrid.org



SEE ALSO

       arccat(1), arcclean(1), arccp(1), arcget(1), arcinfo(1), arckill(1),
       arcls(1), arcmkdir(1), arcrenew(1), arcresub(1), arcresume(1),
       arcrm(1), arcstat(1), arcsub(1), arcsync(1), arctest(1)




NorduGrid ARC 6.4.1               2019-12-01                        ARCPROXY(1)