APPROXY(1) NorduGrid Users Manual APPROXY(1)

arcproxy - ARC Credentials Proxy generation utility

arcproxy [OPTION]

arcproxy generates proxy credentials (general proxy certificate, or
proxy certificate with VOMS AC extension) from private key and
certificate of user.

-h  prints short usage description

-P filename
    location of the generated proxy file

-C  location of X509 certificate file, the file can be either pem,
    der, or pkcs12 formatted; if this option is not set, then env
    X509_USER_CERT will be searched; if X509_USER_CERT env is not
    set, then certificatepath item in client.conf will be searched;
    if the location still is not found, then ~/.arc/, ~/.globus/,
    ./etc/arc, and ./ will be searched.

-K  location of private key file, if the certificate is in pkcs12
    format, then no need to give private key; if this option is not
    set, then env X509_USER_KEY will be searched; if X509_USER_KEY
    env is not set, then keypath item in client.conf will be
    searched; if the location still is not found, then ~/.arc/,
    ~/.globus/, ./etc/arc, and ./ will be searched.

-T  path to trusted certificate directory, only needed for VOMS
    client functionality; if this option is not set, then env
    X509_CERT_DIR will be searched; if X509_CERT_DIR env is not set,
    then cacertificatesdirectory item in client.conf will be
    searched.

-s  path to top directory of VOMS *.lsc files, only needed for VOMS
    client functionality

-V  path to VOMS server configuration file, only needed for VOMS
    client functionality; if the path is a directory rather than a
    file, all of the files under this directory will be searched

-S  voms<:command>. Specify VOMS server.
    :command is optional, and is used to ask for specific
    attributes (e.g. roles).
    command option is:
      all --- put all of this DN's attributes into AC;
      list --- list all of the DN's attributes, will not create AC
               extension;
      /Role=yourRole --- specify the role; if this DN has such a
               role, the role will be put into AC
      /voname/groupname/Role=yourRole --- specify the VO, group and
               role; if this DN has such a role, the role will be
               put into AC

-o  group<:role>. Specify ordering of attributes.
    Example: --order /knowarc.eu/coredev:Developer,/knowarc.eu/testers:Tester
    or: --order /knowarc.eu/coredev:Developer --order /knowarc.eu/testers:Tester
    Note that it does not make sense to specify the order if you
    have two or more different VOMS servers specified.

-G  use GSI communication protocol for contacting VOMS services

-H  use HTTP communication protocol for contacting VOMS services
    that provide RESTful access.
    Note: for RESTful access, the 'list' command and multiple VOMS
    servers are not supported.

-O  this option is not functional anymore (old GSI proxies are not
    supported)

-I  print all information about this proxy.
    In order to show the Identity (DN without CN as suffix for
    proxy) of the certificate, the 'trusted certdir' is needed.

-i  print selected information about this proxy. Currently the
    following information items are supported:

    subject - subject name of proxy certificate.

    identity - identity subject name of proxy certificate.

    issuer - issuer subject name of proxy certificate.

    ca - subject name of CA which issued initial certificate.

    path - file system path to file containing proxy.

    type - type of proxy certificate.

    validityStart - timestamp when proxy validity starts.

    validityEnd - timestamp when proxy validity ends.

    validityPeriod - duration of proxy validity in seconds.

    validityLeft - duration of proxy validity left in seconds.

    vomsVO - VO name represented by VOMS attribute.

    vomsSubject - subject of certificate for which VOMS attribute is
    issued.

    vomsIssuer - subject of service which issued VOMS certificate.

    vomsACvalidityStart - timestamp when VOMS attribute validity
    starts.

    vomsACvalidityEnd - timestamp when VOMS attribute validity ends.

    vomsACvalidityPeriod - duration of VOMS attribute validity in
    seconds.

    vomsACvalidityLeft - duration of VOMS attribute validity left in
    seconds.

    proxyPolicy

    keybits - size of proxy certificate key in bits.

    signingAlgorithm - algorithm used to sign proxy certificate.

    Items are printed in the requested order, separated by newlines.
    If an item has multiple values, they are printed on the same
    line separated by |.

-r  Remove the proxy file.

-U  Username to myproxy server.

-N  don't prompt for a credential passphrase when retrieving a
    credential from a MyProxy server.
    The precondition of this choice is that the credential was PUT
    onto the MyProxy server without a passphrase, by using the
    -R (--retrievable_by_cert) option when PUTting it onto the
    MyProxy server.
    This option is specific to the GET command when contacting the
    MyProxy server.

-R  Allow specified entity to retrieve credential without
    passphrase.
    This option is specific to the PUT command when contacting the
    MyProxy server.

-L  hostname of myproxy server optionally followed by colon and port
    number, e.g. example.org:7512. If the port number has not been
    specified, 7512 is used by default.

-M  command to myproxy server. The command can be PUT and GET.
    PUT/put -- put a delegated credential to myproxy server;
    GET/get -- get a delegated credential from myproxy server,
    credential (certificate and key) is not needed in this case;
    myproxy functionality can be used together with VOMS
    functionality.
    voms and vomses can be used for the GET command if VOMS
    attributes are required to be included in the proxy.

-F  use NSS credential DB in default Mozilla profiles, including
    Firefox, Seamonkey and Thunderbird.

-c  constraints of proxy certificate. Currently the following
    constraints are supported:

    validityStart=time - time when certificate becomes valid.
    Default is now.

    validityEnd=time - time when certificate becomes invalid.
    Default is 43200 (12 hours) from start for local proxy and 7
    days for delegated to MyProxy.

    validityPeriod=time - for how long certificate is valid. Default
    is 43200 (12 hours) for local proxy and 7 days for delegated to
    MyProxy.

    vomsACvalidityPeriod=time - for how long the AC is valid.
    Default is shorter of validityPeriod and 12 hours.

    myproxyvalidityPeriod=time - lifetime of proxies delegated by
    myproxy server. Default is shorter of validityPeriod and 12
    hours.

    proxyPolicy=policy content - assigns specified string to proxy
    policy to limit its functionality.

    keybits=number - length of the key to generate. Default is 2048
    bits. Special value 'inherit' is to use key length of signing
    certificate.

    signingAlgorithm=name - signing algorithm to use for signing
    public key of proxy. Default is sha1. Possible values are sha1,
    sha2 (alias for sha256), sha224, sha256, sha384, sha512 and
    inherit (use algorithm of signing certificate).

-p  password destination=password source. Supported password
    destinations are:

    key - for reading private key

    myproxy - for accessing credentials at MyProxy service

    myproxynew - for creating credentials at MyProxy service

    all - for any purpose.

    Supported password sources are:

    quoted string ("password") - explicitly specified password

    int - interactively request password from console

    stdin - read password from standard input delimited by newline

    file:filename - read password from file named filename

    stream:# - read password from input stream number #. Currently
    only 0 (standard input) is supported.

-t  timeout in seconds (default 20)

-z  configuration file (default ~/.arc/client.conf)

-d  level of information printed. Possible values are DEBUG,
    VERBOSE, INFO, WARNING, ERROR and FATAL.

-v  print version information

If the locations of the certificate and key are not explicitly
specified, they are looked for in the following locations and order:

    Key/certificate paths specified by the environment variables
    X509_USER_KEY and X509_USER_CERT respectively.

    Paths specified in configuration file.

    ~/.arc/usercert.pem and ~/.arc/userkey.pem for certificate and key
    respectively.

    ~/.globus/usercert.pem and ~/.globus/userkey.pem for certificate and
    key respectively.

If destination location of proxy file is not specified, the value of
X509_USER_PROXY environment variable is used explicitly. If no value
is provided, the default location is used - <TEMPORARY
DIRECTORY>/x509up_u<USER ID>. Here TEMPORARY DIRECTORY is derived from
environment variables TMPDIR, TMP, TEMP or default location /tmp is
used.

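An added example, not part of the ARC distribution: a shell helper that resolves the default proxy location as described above and checks that the file is private to its owner. The function names and the owner-only permission policy are assumptions of this example; the manual does not state which mode arcproxy gives the file.

```shell
#!/bin/sh
# Added example (not arcproxy code): locate the default proxy file and
# check that nobody but its owner can access it.

# Print the path used when -P is not given: X509_USER_PROXY if set,
# otherwise <TEMPORARY DIRECTORY>/x509up_u<USER ID>.
arc_proxy_path() {
    if [ -n "${X509_USER_PROXY:-}" ]; then
        printf '%s\n' "$X509_USER_PROXY"
        return 0
    fi
    # Assumption: TMPDIR, TMP and TEMP are tried in the order the manual
    # names them, with /tmp as the fallback.
    arc_tmp="${TMPDIR:-${TMP:-${TEMP:-/tmp}}}"
    printf '%s/x509up_u%s\n' "${arc_tmp%/}" "$(id -u)"
}

# Return 0 only for a regular file (not a symlink) owned by the caller
# with no group/other permission bits. Reasons are written to stderr.
arc_proxy_check() {
    arc_p="$1"
    if [ -L "$arc_p" ]; then
        echo "refusing symlink: $arc_p" >&2; return 1
    fi
    if [ ! -f "$arc_p" ]; then
        echo "no proxy file: $arc_p" >&2; return 1
    fi
    if [ ! -O "$arc_p" ]; then
        echo "not owned by current user: $arc_p" >&2; return 1
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    arc_mode=$(ls -ld "$arc_p" | cut -c5-10)
    if [ "$arc_mode" != "------" ]; then
        echo "group/other access ($arc_mode): $arc_p" >&2; return 1
    fi
    return 0
}
```

Call it as `arc_proxy_check "$(arc_proxy_path)"`; on a non-zero status the proxy can be removed with `arcproxy -r` and generated again.
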
Report bugs to http://bugzilla.nordugrid.org/

ARC_LOCATION
    The location where ARC is installed can be specified by this
    variable. If not specified the install location will be
    determined from the path to the command being executed, and if
    this fails a WARNING will be given stating the location which
    will be used.

ARC_PLUGIN_PATH
    The location of ARC plugins can be specified by this variable.
    Multiple locations can be specified by separating them by : (;
    in Windows). The default location is $ARC_LOCATION/lib/arc (\ in
    Windows).

APACHE LICENSE Version 2.0

/etc/vomses
    Common file containing a list of selected VO contact points, one
    VO per line, for example:

    "gin" "kuiken.nikhef.nl" "15050" "/O=dutchgrid/O=hosts/OU=nikhef.nl/CN=kuiken.nikhef.nl" "gin.ggf.org"

    "nordugrid.org" "voms.uninett.no" "15015" "/O=Grid/O=NorduGrid/CN=host/voms.ndgf.org" "nordugrid.org"

~/.voms/vomses
    Same as /etc/vomses but located in user's home area. If it
    exists, it has precedence over /etc/vomses.

    The order of the parsing of vomses location is:

    1. command line options
    2. client configuration file ~/.arc/client.conf
    3. $X509_VOMSES or $X509_VOMS_FILE
    4. ~/.arc/vomses
    5. ~/.voms/vomses
    6. $ARC_LOCATION/etc/vomses (this is for Windows environment)
    7. $ARC_LOCATION/etc/grid-security/vomses (this is for Windows
       environment)
    8. $PWD/vomses
    9. /etc/vomses
    10. /etc/grid-security/vomses

~/.arc/client.conf
    Some options can be given default values by specifying them in
    the ARC client configuration file. By using the --conffile
    option a different configuration file can be used than the
    default.

ARC software is developed by the NorduGrid Collaboration
(http://www.nordugrid.org), please consult the AUTHORS file distributed
with ARC. Please report bugs and feature requests to
http://bugzilla.nordugrid.org

arccat(1), arcclean(1), arccp(1), arcget(1), arcinfo(1), arckill(1),
arcls(1), arcmkdir(1), arcrenew(1), arcresub(1), arcresume(1),
arcrm(1), arcstat(1), arcsub(1), arcsync(1), arctest(1)

NorduGrid ARC 6.4.1 2019-12-01 APPROXY(1)