ARCPROXY(1)                  NorduGrid Users Manual                  ARCPROXY(1)



NAME
       arcproxy - ARC Credentials Proxy generation utility

SYNOPSIS
       arcproxy [OPTION]

DESCRIPTION
       arcproxy generates proxy credentials (a general proxy certificate, or a
       proxy certificate with a VOMS AC extension) from the private key and
       certificate of the user.

OPTIONS
       -h     prints short usage description


       -P filename
              location of the generated proxy file


       -C     location of the X509 certificate file; the file can be in pem,
              der, or pkcs12 format. If this option is not set, the
              X509_USER_CERT environment variable is consulted; if
              X509_USER_CERT is not set, the certificatepath item in
              client.conf is consulted; if the location is still not found,
              ~/.arc/, ~/.globus/, ./etc/arc, and ./ are searched.


       -K     location of the private key file; if the certificate is in
              pkcs12 format there is no need to give the private key. If this
              option is not set, the X509_USER_KEY environment variable is
              consulted; if X509_USER_KEY is not set, the keypath item in
              client.conf is consulted; if the location is still not found,
              ~/.arc/, ~/.globus/, ./etc/arc, and ./ are searched.


       -T     path to the trusted certificate directory, only needed for VOMS
              client functionality. If this option is not set, the
              X509_CERT_DIR environment variable is consulted; if
              X509_CERT_DIR is not set, the cacertificatesdirectory item in
              client.conf is consulted.


       -s     path to the top directory of VOMS *.lsc files, only needed for
              VOMS client functionality


       -V     path to the VOMS server configuration file, only needed for
              VOMS client functionality; if the path is a directory rather
              than a file, all of the files under this directory are
              searched


       -S     voms<:command>. Specify the VOMS server. :command is optional
              and is used to ask for specific attributes (e.g. roles). The
              command can be one of:
              all --- put all of this DN's attributes into the AC;
              list --- list all of the DN's attributes; does not create an
              AC extension;
              /Role=yourRole --- specify the role; if this DN has such a
              role, the role is put into the AC;
              /voname/groupname/Role=yourRole --- specify the VO, group and
              role; if this DN has such a role, the role is put into the AC.


       -o     group<:role>. Specify the ordering of attributes.
              Example: --order /knowarc.eu/coredev:Developer,/knowarc.eu/testers:Tester
              or: --order /knowarc.eu/coredev:Developer --order /knowarc.eu/testers:Tester
              Note that it does not make sense to specify the order if you
              have two or more different VOMS servers specified.


       -G     use the GSI wire protocol for contacting VOMS services instead
              of SSL/TLS


       -H     use the HTTP communication protocol for contacting VOMS
              services that provide RESTful access. Note that for RESTful
              access the 'list' command and multiple VOMS servers are not
              supported. This protocol is now the default communication
              protocol and you do not need to specify this option.


       -B     use the old communication protocol for contacting VOMS services
              instead of RESTful.


       -O     this option is not functional anymore (old GSI proxies are not
              supported)


       -I     print all information about this proxy. In order to show the
              Identity (the DN without the CN component appended for the
              proxy) of the certificate, the 'trusted certdir' is needed.


       -i     print selected information about this proxy. Currently the
              following information items are supported:

              subject - subject name of proxy certificate.

              identity - identity subject name of proxy certificate.

              issuer - issuer subject name of proxy certificate.

              ca - subject name of CA which issued initial certificate.

              path - file system path to file containing proxy.

              type - type of proxy certificate.

              validityStart - timestamp when proxy validity starts.

              validityEnd - timestamp when proxy validity ends.

              validityPeriod - duration of proxy validity in seconds.

              validityLeft - duration of proxy validity left in seconds.

              vomsVO - VO name represented by VOMS attribute.

              vomsSubject - subject of certificate for which VOMS attribute
              is issued.

              vomsIssuer - subject of service which issued VOMS certificate.

              vomsACvalidityStart - timestamp when VOMS attribute validity
              starts.

              vomsACvalidityEnd - timestamp when VOMS attribute validity
              ends.

              vomsACvalidityPeriod - duration of VOMS attribute validity in
              seconds.

              vomsACvalidityLeft - duration of VOMS attribute validity left
              in seconds.

              proxyPolicy

              keybits - size of proxy certificate key in bits.

              signingAlgorithm - algorithm used to sign proxy certificate.

              Items are printed in the requested order and are separated by
              newline. If an item has multiple values they are printed on the
              same line separated by |.
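
       A small consumer of the -i output format described above, added here
       as an illustration; it is not part of the arcproxy man page or of the
       ARC sources. It assumes the items were requested in the order
       validityLeft, vomsACvalidityLeft, vomsVO, so line one is the seconds
       left on the proxy, line two the seconds left on each VOMS AC
       (separated by | when several VOs are present) and line three the
       matching VO names. SAMPLE_INFO is a constructed stand-in for real
       arcproxy output. A check like this, run before a submission window,
       catches an AC that expires well before the proxy wrapping it.

```sh
#!/bin/sh
# Added example, not ARC code. Consumes the documented output of
#   arcproxy -i validityLeft -i vomsACvalidityLeft -i vomsVO
# one item per line, multiple values on a line separated by '|'.

# Constructed sample output standing in for a real run: proxy has 5400 s
# left, two VOMS ACs with 7200 s and 1500 s left, for nordugrid.org and gin.
SAMPLE_INFO='5400
7200|1500
nordugrid.org|gin'

# min_seconds_left INFO -> smallest of the proxy lifetime and every AC lifetime
min_seconds_left() {
    proxy_left=$(printf '%s\n' "$1" | sed -n 1p)
    ac_left=$(printf '%s\n' "$1" | sed -n 2p)
    min=$proxy_left
    old_ifs=$IFS
    IFS='|'
    for v in $ac_left; do            # split the '|'-separated AC values
        if [ "$v" -lt "$min" ]; then min=$v; fi
    done
    IFS=$old_ifs
    printf '%s\n' "$min"
}

# expiring_vos INFO THRESHOLD -> names of VOs whose AC has fewer than
# THRESHOLD seconds left, one per line; prints nothing when all are fine
expiring_vos() {
    threshold=$2
    ac_left=$(printf '%s\n' "$1" | sed -n 2p)
    vos=$(printf '%s\n' "$1" | sed -n 3p)
    old_ifs=$IFS
    IFS='|'
    set -- $vos                      # positional parameters = VO names, in AC order
    for secs in $ac_left; do
        if [ "$secs" -lt "$threshold" ]; then printf '%s\n' "$1"; fi
        if [ $# -gt 0 ]; then shift; fi
    done
    IFS=$old_ifs
}

# needs_renewal INFO THRESHOLD -> exit 0 when the proxy or any AC is below THRESHOLD
needs_renewal() {
    [ "$(min_seconds_left "$1")" -lt "$2" ]
}

# Usage (stand-alone demonstration on the constructed sample):
if needs_renewal "$SAMPLE_INFO" 3600; then
    echo "renew: ACs below threshold: $(expiring_vos "$SAMPLE_INFO" 3600 | tr '\n' ' ')"
fi
```

       Feeding real output is a matter of replacing SAMPLE_INFO with the
       result of the arcproxy call named in the comment; the per-line
       splitting is what keeps the VO names aligned with their AC lifetimes.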


       -r     Remove the proxy file.


       -U     Username for the MyProxy server.


       -N     do not prompt for a credential passphrase when retrieving a
              credential from a MyProxy server. The precondition for this
              choice is that the credential was PUT onto the MyProxy server
              without a passphrase by using the -R (--retrievable_by_cert)
              option when it was PUT onto the MyProxy server. This option is
              specific to the GET command when contacting the MyProxy server.


       -R     Allow the specified entity to retrieve the credential without
              a passphrase. This option is specific to the PUT command when
              contacting the MyProxy server.


       -L     hostname of the MyProxy server, optionally followed by a colon
              and port number, e.g. example.org:7512. If the port number is
              not specified, 7512 is used by default.


       -M     command to the MyProxy server. The command can be PUT or GET.
              PUT/put -- put a delegated credential to the MyProxy server;
              GET/get -- get a delegated credential from the MyProxy server;
              a credential (certificate and key) is not needed in this case.
              MyProxy functionality can be used together with VOMS
              functionality: voms and vomses can be used with the GET
              command if VOMS attributes are required to be included in the
              proxy.


       -F     use the NSS credential DB in default Mozilla profiles,
              including Firefox, Seamonkey and Thunderbird.


       -c     constraints of the proxy certificate. Currently the following
              constraints are supported:

              validityStart=time - time when certificate becomes valid.
              Default is now.

              validityEnd=time - time when certificate becomes invalid.
              Default is 43200 (12 hours) from start for a local proxy and 7
              days for a proxy delegated to MyProxy.

              validityPeriod=time - for how long the certificate is valid.
              Default is 43200 (12 hours) for a local proxy and 7 days for a
              proxy delegated to MyProxy.

              vomsACvalidityPeriod=time - for how long the AC is valid.
              Default is the shorter of validityPeriod and 12 hours.

              myproxyvalidityPeriod=time - lifetime of proxies delegated by
              the MyProxy server. Default is the shorter of validityPeriod
              and 12 hours.

              proxyPolicy=policy content - assigns the specified string to
              the proxy policy to limit its functionality.

              keybits=number - length of the key to generate. Default is
              2048 bits. The special value 'inherit' uses the key length of
              the signing certificate.

              signingAlgorithm=name - signing algorithm to use for signing
              the public key of the proxy. Default is sha1. Possible values
              are sha1, sha2 (alias for sha256), sha224, sha256, sha384,
              sha512 and inherit (use the algorithm of the signing
              certificate).


       -p     password destination=password source. Supported password
              destinations are:

              key - for reading the private key

              myproxy - for accessing credentials at the MyProxy service

              myproxynew - for creating credentials at the MyProxy service

              all - for any purpose.

              Supported password sources are:

              quoted string ("password") - explicitly specified password

              int - interactively request the password from the console

              stdin - read the password from standard input, delimited by
              newline

              file:filename - read the password from the file named filename

              stream:# - read the password from input stream number #.
              Currently only 0 (standard input) is supported.


       -t     timeout in seconds (default 20)


       -z     configuration file (default ~/.arc/client.conf)


       -d     level of information printed. Possible values are DEBUG,
              VERBOSE, INFO, WARNING, ERROR and FATAL.


       -v     print version information


       If the location of the certificate and key is not explicitly
       specified, they are looked for in the following locations, in this
       order:

       Key/certificate paths specified by the environment variables
       X509_USER_KEY and X509_USER_CERT respectively.

       Paths specified in the configuration file.

       ~/.arc/usercert.pem and ~/.arc/userkey.pem for certificate and key
       respectively.

       ~/.globus/usercert.pem and ~/.globus/userkey.pem for certificate and
       key respectively.

       If the destination location of the proxy file is not specified, the
       value of the X509_USER_PROXY environment variable is used. If no
       value is provided, the default location is used: <TEMPORARY
       DIRECTORY>/x509up_u<USER ID>. Here TEMPORARY DIRECTORY is taken from
       the environment variables TMPDIR, TMP or TEMP, or the default
       location /tmp is used.
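
       The lookup order just described, written out as shell functions. This
       is an added illustration, not code from the ARC project: it reads the
       same environment variables and directories the text names, but the
       client.conf handling is a deliberate simplification (a plain
       "item = value" match for certificatepath and keypath, not ARC's real
       configuration parser), so treat conf_item as a hypothetical stand-in.
       A helper like this is useful when auditing a submit host, because it
       shows which key file a given user's arcproxy invocation will read and
       where the resulting proxy will land.

```sh
#!/bin/sh
# Added example, not ARC code: reproduce the documented lookup order for the
# user certificate and key, and the default proxy location, so that the file
# arcproxy will read or write can be predicted without running it.
# Assumption (hypothetical simplification): client.conf is read as plain
# "item = value" lines for certificatepath / keypath only.

# conf_item FILE ITEM -> value of ITEM in FILE; returns 1 if absent
conf_item() {
    [ -r "$1" ] || return 1
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | grep .
}

# resolve_cred cert|key CONFFILE -> path arcproxy would use; returns 1 if none
resolve_cred() {
    kind=$1
    conf=$2
    case $kind in
        cert) envval=${X509_USER_CERT:-}; item=certificatepath; fname=usercert.pem ;;
        key)  envval=${X509_USER_KEY:-};  item=keypath;         fname=userkey.pem ;;
        *)    echo "resolve_cred: unknown kind '$kind'" >&2; return 2 ;;
    esac
    # 1. environment variable
    if [ -n "$envval" ]; then printf '%s\n' "$envval"; return 0; fi
    # 2. item in the client configuration file
    if p=$(conf_item "$conf" "$item"); then printf '%s\n' "$p"; return 0; fi
    # 3. well-known directories, in the documented order
    for dir in "$HOME/.arc" "$HOME/.globus" ./etc/arc .; do
        if [ -r "$dir/$fname" ]; then printf '%s\n' "$dir/$fname"; return 0; fi
    done
    echo "resolve_cred: no $kind found" >&2
    return 1
}

# default_proxy_path -> where the proxy goes when -P is not given:
# $X509_USER_PROXY if set, else <TEMPORARY DIRECTORY>/x509up_u<USER ID>
default_proxy_path() {
    if [ -n "${X509_USER_PROXY:-}" ]; then printf '%s\n' "$X509_USER_PROXY"; return 0; fi
    tmp=${TMPDIR:-${TMP:-${TEMP:-/tmp}}}
    printf '%s/x509up_u%s\n' "$tmp" "$(id -u)"
}

# Usage (stand-alone demonstration against the current environment):
echo "certificate: $(resolve_cred cert "$HOME/.arc/client.conf" 2>/dev/null || echo '<not found>')"
echo "key:         $(resolve_cred key  "$HOME/.arc/client.conf" 2>/dev/null || echo '<not found>')"
echo "proxy:       $(default_proxy_path)"
```

       Because the relative entries ./etc/arc and ./ are part of the order,
       the answer depends on the working directory the command is started
       from; running the demonstration from the directory a job wrapper uses
       shows what that wrapper will pick up.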


REPORTING BUGS
       Report bugs to http://bugzilla.nordugrid.org/


ENVIRONMENT VARIABLES
       ARC_LOCATION
              The location where ARC is installed can be specified by this
              variable. If not specified, the install location is determined
              from the path to the command being executed, and if this fails
              a WARNING is given stating the location which will be used.


       ARC_PLUGIN_PATH
              The location of ARC plugins can be specified by this variable.
              Multiple locations can be specified by separating them by :
              (; in Windows). The default location is $ARC_LOCATION/lib/arc
              (\ in Windows).


COPYRIGHT
       APACHE LICENSE Version 2.0


FILES
       /etc/vomses
              Common file containing a list of selected VO contact points,
              one VO per line, for example:

              "gin" "kuiken.nikhef.nl" "15050" "/O=dutchgrid/O=hosts/OU=nikhef.nl/CN=kuiken.nikhef.nl" "gin.ggf.org"

              "nordugrid.org" "voms.uninett.no" "15015" "/O=Grid/O=NorduGrid/CN=host/voms.ndgf.org" "nordugrid.org"


       ~/.voms/vomses
              Same as /etc/vomses but located in the user's home area. If it
              exists, it has precedence over /etc/vomses.

              The order in which vomses locations are parsed is:

              1. command line options
              2. client configuration file ~/.arc/client.conf
              3. $X509_VOMSES or $X509_VOMS_FILE
              4. ~/.arc/vomses
              5. ~/.voms/vomses
              6. $ARC_LOCATION/etc/vomses (this is for the Windows
                 environment)
              7. $ARC_LOCATION/etc/grid-security/vomses (this is for the
                 Windows environment)
              8. $PWD/vomses
              9. /etc/vomses
              10. /etc/grid-security/vomses
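
       The vomses format and search order above, as an added example that is
       not part of the man page or of ARC. The two sample lines are the ones
       quoted above; parsing treats each line as five double-quoted fields
       and rejects anything else rather than guessing, since the fourth field
       is the server DN a client will trust. Two assumptions are mine: the
       first existing location in the search list is treated as the one that
       wins (the page states precedence but does not describe merging), and
       steps 1 and 2 of the order, the command-line option and the
       client.conf value, are represented by the VOMSES_OPT and
       VOMSES_FROM_CONF variables, which are hypothetical stand-ins rather
       than ARC settings.

```sh
#!/bin/sh
# Added example, not ARC code: parse vomses lines of the documented form
#   "VO" "host" "port" "server DN" "alias"
# and walk the documented search order for vomses locations.

# Constructed sample file content, copied in shape from the /etc/vomses
# example in the man page.
SAMPLE_VOMSES='"gin" "kuiken.nikhef.nl" "15050" "/O=dutchgrid/O=hosts/OU=nikhef.nl/CN=kuiken.nikhef.nl" "gin.ggf.org"
"nordugrid.org" "voms.uninett.no" "15015" "/O=Grid/O=NorduGrid/CN=host/voms.ndgf.org" "nordugrid.org"'

TAB=$(printf '\t')

# vomses_fields LINE -> the five fields separated by tabs; returns 1 (and
# prints nothing) unless the line contains exactly five quoted fields.
vomses_fields() {
    quotes=$(printf '%s' "$1" | tr -cd '"' | wc -c | tr -d ' ')
    [ "$quotes" -eq 10 ] || return 1
    # strip the outer quotes and turn each '" "' boundary into a tab;
    # spaces inside a field (e.g. in a DN) survive
    printf '%s\n' "$1" | sed "s/^[[:space:]]*\"//; s/\"[[:space:]]*\$//; s/\"[[:space:]]*\"/$TAB/g"
}

# vomses_lookup VO FILE -> "host:port" of the first line naming VO; returns 1
# when VO is absent. Malformed lines are reported and skipped, not trusted.
vomses_lookup() {
    vo=$1
    file=$2
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        if ! fields=$(vomses_fields "$line"); then
            echo "vomses_lookup: skipping malformed line: $line" >&2
            continue
        fi
        old_ifs=$IFS
        IFS=$TAB
        set -- $fields                 # $1=VO $2=host $3=port $4=DN $5=alias
        IFS=$old_ifs
        if [ "$1" = "$vo" ]; then
            printf '%s:%s\n' "$2" "$3"
            return 0
        fi
    done < "$file"
    return 1
}

# vomses_search_path -> the documented locations, highest precedence first.
# Steps 1 and 2 (command-line option, client.conf) are represented by the
# hypothetical variables VOMSES_OPT and VOMSES_FROM_CONF; the $ARC_LOCATION
# entries are listed only when that variable is set.
vomses_search_path() {
    for p in "${VOMSES_OPT:-}" "${VOMSES_FROM_CONF:-}" \
             "${X509_VOMSES:-${X509_VOMS_FILE:-}}" \
             "$HOME/.arc/vomses" "$HOME/.voms/vomses" \
             "${ARC_LOCATION:+$ARC_LOCATION/etc/vomses}" \
             "${ARC_LOCATION:+$ARC_LOCATION/etc/grid-security/vomses}" \
             "$PWD/vomses" /etc/vomses /etc/grid-security/vomses; do
        if [ -n "$p" ]; then printf '%s\n' "$p"; fi
    done
}

# first_vomses -> the first existing location from the search path (assumed
# first-match semantics: the page states precedence, not how files merge).
first_vomses() {
    vomses_search_path | while IFS= read -r p; do
        if [ -e "$p" ]; then
            printf '%s\n' "$p"
            break
        fi
    done
}

# Usage (stand-alone demonstration on the constructed sample):
printf '%s\n' "$SAMPLE_VOMSES" | while IFS= read -r l; do
    vomses_fields "$l" | cut -f1,2,3
done
```

       Note that $PWD/vomses sits ahead of /etc/vomses in the order, so a
       vomses file in the working directory overrides the system-wide one;
       first_vomses makes that visible for the directory it is run from.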


       ~/.arc/client.conf
              Some options can be given default values by specifying them in
              the ARC client configuration file. By using the --conffile
              option a different configuration file can be used than the
              default.


AUTHOR
       ARC software is developed by the NorduGrid Collaboration
       (http://www.nordugrid.org); please consult the AUTHORS file
       distributed with ARC. Please report bugs and feature requests to
       http://bugzilla.nordugrid.org


SEE ALSO
       arccat(1), arcclean(1), arccp(1), arcget(1), arcinfo(1), arckill(1),
       arcls(1), arcmkdir(1), arcrenew(1), arcresub(1), arcresume(1),
       arcrm(1), arcstat(1), arcsub(1), arcsync(1), arctest(1)




NorduGrid ARC 6.10.2              2021-03-12                      ARCPROXY(1)