APPROXY(1)                  NorduGrid Users Manual                  APPROXY(1)

NAME

       arcproxy - ARC Credentials Proxy generation utility

SYNOPSIS

       arcproxy [OPTION]

DESCRIPTION

       arcproxy generates proxy credentials (a general proxy certificate, or
       a proxy certificate with a VOMS AC extension) from the private key and
       certificate of the user.

OPTIONS

       -h     prints short usage description

       -P filename
              location of the generated proxy file

       -C     location of the X509 certificate file; the file can be pem,
              der, or pkcs12 formatted. If this option is not set, the
              X509_USER_CERT environment variable is used; if X509_USER_CERT
              is not set, the certificatepath item in client.conf is used; if
              the location is still not found, ~/.arc/, ~/.globus/,
              ./etc/arc, and ./ are searched.

       -K     location of the private key file; if the certificate is in
              pkcs12 format, there is no need to give a private key. If this
              option is not set, the X509_USER_KEY environment variable is
              used; if X509_USER_KEY is not set, the keypath item in
              client.conf is used; if the location is still not found,
              ~/.arc/, ~/.globus/, ./etc/arc, and ./ are searched.

       -T     path to the trusted certificate directory, only needed for VOMS
              client functionality. If this option is not set, the
              X509_CERT_DIR environment variable is used; if X509_CERT_DIR is
              not set, the cacertificatesdirectory item in client.conf is
              used.

       -s     path to the top directory of VOMS *.lsc files, only needed for
              VOMS client functionality

       -V     path to the VOMS server configuration file, only needed for
              VOMS client functionality; if the path is a directory rather
              than a file, all of the files under this directory will be
              searched

       -S     voms<:command>. Specify VOMS server.
              :command is optional, and is used to ask for specific
              attributes (e.g. roles).
              Command options are:
              all --- put all of this DN's attributes into the AC;
              list --- list all of the DN's attributes; will not create an
              AC extension;
              /Role=yourRole --- specify the role; if this DN has such a
              role, the role will be put into the AC;
              /voname/groupname/Role=yourRole --- specify the VO, group and
              role; if this DN has such a role, the role will be put into
              the AC.

       -o     group<:role>. Specify ordering of attributes.
              Example: --order
              /knowarc.eu/coredev:Developer,/knowarc.eu/testers:Tester
              or: --order /knowarc.eu/coredev:Developer --order
              /knowarc.eu/testers:Tester
              Note that it does not make sense to specify the order if you
              have two or more different VOMS servers specified.

       -G     use GSI wire protocol for contacting VOMS services instead of
              SSL/TLS

       -H     use HTTP communication protocol for contacting VOMS services
              that provide RESTful access.
              Note that for RESTful access, the 'list' command and multiple
              VOMS servers are not supported.
              This protocol is now the default communication protocol and
              you do not need to specify this option.

       -B     use old communication protocol for contacting VOMS services
              instead of RESTful.

       -O     this option is not functional anymore (old GSI proxies are not
              supported)

       -I     print all information about this proxy.
              In order to show the Identity (DN without CN as suffix for
              proxy) of the certificate, the 'trusted certdir' is needed.

       -i     print selected information about this proxy. Currently the
              following information items are supported:

              subject - subject name of proxy certificate.

              identity - identity subject name of proxy certificate.

              issuer - issuer subject name of proxy certificate.

              ca - subject name of CA which issued initial certificate.

              path - file system path to file containing proxy.

              type - type of proxy certificate.

              validityStart - timestamp when proxy validity starts.

              validityEnd - timestamp when proxy validity ends.

              validityPeriod - duration of proxy validity in seconds.

              validityLeft - duration of proxy validity left in seconds.

              vomsVO - VO name represented by VOMS attribute.

              vomsSubject - subject of certificate for which VOMS attribute
              is issued.

              vomsIssuer - subject of service which issued VOMS certificate.

              vomsACvalidityStart - timestamp when VOMS attribute validity
              starts.

              vomsACvalidityEnd - timestamp when VOMS attribute validity ends.

              vomsACvalidityPeriod - duration of VOMS attribute validity in
              seconds.

              vomsACvalidityLeft - duration of VOMS attribute validity left
              in seconds.

              proxyPolicy

              keybits - size of proxy certificate key in bits.

              signingAlgorithm - algorithm used to sign proxy certificate.

              Items are printed in the requested order and are separated by
              newlines. If an item has multiple values, they are printed on
              the same line separated by |.

       -r     Remove the proxy file.

       -U     Username to myproxy server.

       -N     don't prompt for a credential passphrase when retrieving a
              credential from a MyProxy server.
              The precondition of this choice is that the credential was PUT
              onto the MyProxy server without a passphrase, by using the -R
              (--retrievable_by_cert) option when PUTting it onto the
              MyProxy server.
              This option is specific to the GET command when contacting the
              MyProxy server.

       -R     Allow specified entity to retrieve credential without
              passphrase.
              This option is specific to the PUT command when contacting the
              MyProxy server.

       -L     hostname of myproxy server, optionally followed by a colon and
              port number, e.g. example.org:7512. If the port number has not
              been specified, 7512 is used by default.

       -M     command to myproxy server. The command can be PUT and GET.
              PUT/put -- put a delegated credential to the myproxy server;
              GET/get -- get a delegated credential from the myproxy server;
              a credential (certificate and key) is not needed in this case.
              myproxy functionality can be used together with VOMS
              functionality.
              voms and vomses can be used with the GET command if VOMS
              attributes are required to be included in the proxy.

       -F     use NSS credential DB in default Mozilla profiles, including
              Firefox, Seamonkey and Thunderbird.

       -c     constraints of proxy certificate. Currently the following
              constraints are supported:

              validityStart=time - time when certificate becomes valid.
              Default is now.

              validityEnd=time - time when certificate becomes invalid.
              Default is 43200 (12 hours) from start for local proxy and 7
              days for delegated to MyProxy.

              validityPeriod=time - for how long certificate is valid.
              Default is 43200 (12 hours) for local proxy and 7 days for
              delegated to MyProxy.

              vomsACvalidityPeriod=time - for how long the AC is valid.
              Default is shorter of validityPeriod and 12 hours.

              myproxyvalidityPeriod=time - lifetime of proxies delegated by
              myproxy server. Default is shorter of validityPeriod and 12
              hours.

              proxyPolicy=policy content - assigns specified string to proxy
              policy to limit its functionality.

              keybits=number - length of the key to generate. Default is 2048
              bits. Special value 'inherit' is to use key length of signing
              certificate.

              signingAlgorithm=name - signing algorithm to use for signing
              public key of proxy. Default is sha1. Possible values are sha1,
              sha2 (alias for sha256), sha224, sha256, sha384, sha512 and
              inherit (use algorithm of signing certificate).

       -p     password destination=password source. Supported password
              destinations are:

              key - for reading private key

              myproxy - for accessing credentials at MyProxy service

              myproxynew - for creating credentials at MyProxy service

              all - for any purpose.

              Supported password sources are:

              quoted string ("password") - explicitly specified password

              int - interactively request password from console

              stdin - read password from standard input delimited by newline

              file:filename - read password from file named filename

              stream:# - read password from input stream number #. Currently
              only 0 (standard input) is supported.

       -t     timeout in seconds (default 20)

       -z     configuration file (default ~/.arc/client.conf)

       -d     level of information printed. Possible values are DEBUG,
              VERBOSE, INFO, WARNING, ERROR and FATAL.

       -v     print version information

       If the locations of the certificate and key are not explicitly
       specified, they are looked for in the following locations, in this
       order:

       Key/certificate paths specified by the environment variables
       X509_USER_KEY and X509_USER_CERT respectively.

       Paths specified in configuration file.

       ~/.arc/usercert.pem and ~/.arc/userkey.pem for certificate and key
       respectively.

       ~/.globus/usercert.pem and ~/.globus/userkey.pem for certificate and
       key respectively.

       If the destination location of the proxy file is not specified, the
       value of the X509_USER_PROXY environment variable is used explicitly.
       If no value is provided, the default location is used -
       <TEMPORARY DIRECTORY>/x509up_u<USER ID>. Here TEMPORARY DIRECTORY is
       derived from the environment variables TMPDIR, TMP, TEMP, or the
       default location /tmp is used.
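An added example, not part of the ARC manual: a shell sketch that resolves the default proxy location as described above and checks that the file is a regular file owned by the caller with no group or other permissions, since the proxy file holds the proxy's private key. The function names are hypothetical, and the order in which TMPDIR, TMP and TEMP are consulted is assumed to be the order listed.

```shell
#!/bin/sh
# Added example: locate the proxy file the way the text above describes and
# check that only its owner can access it.

# Print the path arcproxy is expected to use when -P is not given.
# Assumption: TMPDIR, TMP and TEMP are consulted in the order the page lists
# them, and an empty variable counts as unset.
proxy_path() {
    if [ -n "${X509_USER_PROXY:-}" ]; then
        printf '%s\n' "$X509_USER_PROXY"
        return 0
    fi
    tmp=${TMPDIR:-${TMP:-${TEMP:-/tmp}}}
    printf '%s/x509up_u%s\n' "${tmp%/}" "$(id -u)"
}

# Return 0 only if the file is a regular file (not a symlink), owned by the
# current user, with no group/other permission bits. Prints the reason otherwise.
check_proxy_file() {
    f=$1
    if [ -L "$f" ]; then echo "symlink: $f"; return 1; fi
    if [ ! -f "$f" ]; then echo "missing or not a regular file: $f"; return 1; fi
    if [ ! -O "$f" ]; then echo "not owned by current user: $f"; return 1; fi
    # ls -ld mode string: file type, then rwx triplets for user, group, other.
    case $(ls -ld -- "$f") in
        -???------*) return 0 ;;
        *) echo "group/other permissions set: $f"; return 1 ;;
    esac
}

# Stand-alone use: run the script with --check to report on your own proxy file.
if [ "${1:-}" = "--check" ]; then
    check_proxy_file "$(proxy_path)" && echo "ok: $(proxy_path)"
fi
```

A predictable name under a shared temporary directory is the reason the symlink and ownership tests come before the permission test.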

REPORTING BUGS

       Report bugs to http://bugzilla.nordugrid.org/

ENVIRONMENT VARIABLES

       ARC_LOCATION
              The location where ARC is installed can be specified by this
              variable. If not specified, the install location will be
              determined from the path to the command being executed, and if
              this fails a WARNING will be given stating the location which
              will be used.

       ARC_PLUGIN_PATH
              The location of ARC plugins can be specified by this variable.
              Multiple locations can be specified by separating them by : (;
              in Windows). The default location is $ARC_LOCATION/lib/arc (\
              in Windows).

COPYRIGHT

       APACHE LICENSE Version 2.0

FILES

       /etc/vomses
              Common file containing a list of selected VO contact points,
              one VO per line, for example:

              "gin" "kuiken.nikhef.nl" "15050" "/O=dutchgrid/O=hosts/OU=nikhef.nl/CN=kuiken.nikhef.nl" "gin.ggf.org"

              "nordugrid.org" "voms.uninett.no" "15015" "/O=Grid/O=NorduGrid/CN=host/voms.ndgf.org" "nordugrid.org"

       ~/.voms/vomses
              Same as /etc/vomses but located in user's home area. If it
              exists, it has precedence over /etc/vomses

              The order of the parsing of vomses location is:

                     1. command line options
                     2. client configuration file ~/.arc/client.conf
                     3. $X509_VOMSES or $X509_VOMS_FILE
                     4. ~/.arc/vomses
                     5. ~/.voms/vomses
                     6. $ARC_LOCATION/etc/vomses (this is for Windows
                     environment)
                     7. $ARC_LOCATION/etc/grid-security/vomses (this is for
                     Windows environment)
                     8. $PWD/vomses
                     9. /etc/vomses
                     10. /etc/grid-security/vomses

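An added example, not part of the ARC manual: a shell sketch that lists the vomses files present in the order given above (items 3 to 10) and prints the server host, port and DN each file gives for a VO, so that an entry in $PWD/vomses or a home directory that differs from the system file is easy to spot. The function names are hypothetical; the field meaning (alias, host, port, server DN, VO name) follows the usual vomses layout and is an assumption here, and directories are not read.

```shell
#!/bin/sh
# Added example: audit which vomses files exist and what they say about a VO.

# Print existing candidate files, one per line, in the page's order (items 3-10).
# Only plain files are listed; a vomses location that is a directory is skipped.
vomses_candidates() {
    for f in "${X509_VOMSES:-}" "${X509_VOMS_FILE:-}" \
             "$HOME/.arc/vomses" "$HOME/.voms/vomses" \
             "${ARC_LOCATION:+$ARC_LOCATION/etc/vomses}" \
             "${ARC_LOCATION:+$ARC_LOCATION/etc/grid-security/vomses}" \
             "$PWD/vomses" /etc/vomses /etc/grid-security/vomses
    do
        if [ -n "$f" ] && [ -f "$f" ]; then printf '%s\n' "$f"; fi
    done
}

# Print "file<TAB>host:port<TAB>server DN" for every entry whose VO name
# (assumed to be the fifth quoted field) equals $1.
vomses_entries_for() {
    vo=$1
    vomses_candidates | while IFS= read -r file; do
        # Splitting on the double quote puts the five values in $2 $4 $6 $8 $10.
        awk -F'"' -v vo="$vo" -v file="$file" '
            NF >= 11 && $10 == vo { printf "%s\t%s:%s\t%s\n", file, $4, $6, $8 }
        ' "$file"
    done
}

# Print the distinct server DNs configured for VO $1 across all files.
# More than one line means the files (or entries) name different servers.
vomses_distinct_dns() {
    vomses_entries_for "$1" | cut -f3 | sort -u
}
```

Run `vomses_entries_for <VO name>` from the directory where arcproxy will be invoked, because `$PWD/vomses` is part of the lookup order.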
       ~/.arc/client.conf
              Some options can be given default values by specifying them in
              the ARC client configuration file. By using the --conffile
              option a different configuration file can be used than the
              default.

AUTHOR

       ARC software is developed by the NorduGrid Collaboration
       (http://www.nordugrid.org), please consult the AUTHORS file distributed
       with ARC. Please report bugs and feature requests to
       http://bugzilla.nordugrid.org

SEE ALSO

       arccat(1), arcclean(1), arccp(1), arcget(1), arcinfo(1), arckill(1),
       arcls(1), arcmkdir(1), arcrenew(1), arcresub(1), arcresume(1),
       arcrm(1), arcstat(1), arcsub(1), arcsync(1), arctest(1)

NorduGrid ARC 6.10.2              2021-03-12                        APPROXY(1)