myproxy-retrieve(1) MyProxy myproxy-retrieve(1)

NAME
myproxy-retrieve - retrieve an end-entity credential

SYNOPSIS
myproxy-retrieve [ options ]

DESCRIPTION
The myproxy-retrieve command retrieves a credential directly from the
myproxy-server(8) that was previously stored using myproxy-init(1) or
myproxy-store(1). Unlike myproxy-logon(1), this command transfers the
private key in the repository over the network (over a private
channel). To obtain a proxy credential, we recommend using
myproxy-logon(1) instead.

In the default mode, the command prompts for the pass phrase associated
with the credential to be retrieved and stores the retrieved credential
in the standard location (~/.globus/usercert.pem and
~/.globus/userkey.pem). You could then run grid-proxy-init to create a
proxy credential from the retrieved credentials.

OPTIONS
-h, --help
Displays command usage text and exits.

-u, --usage
Displays command usage text and exits.

-v, --verbose
Enables verbose debugging output to the terminal.

-V, --version
Displays version information and exits.

-s hostname[:port], --pshost hostname[:port]
Specifies the hostname(s) of the myproxy-server(s). Multiple
hostnames, each hostname optionally followed by a ':' and port
number, may be specified in a comma-separated list. This option
is required if the MYPROXY_SERVER environment variable is not
defined. If specified, this option overrides the MYPROXY_SERVER
environment variable. If a port number is specified with a
hostname, it will override the -p option as well as the
MYPROXY_SERVER_PORT environment variable for that host.

-p port, --psport port
Specifies the TCP port number of the myproxy-server(8).
Default: 7512

-l username, --username username
Specifies the MyProxy account under which the credential to
retrieve is stored. By default, the command uses the value of
the LOGNAME environment variable. Use this option to specify a
different account username on the MyProxy server. The MyProxy
username need not correspond to a real Unix username.

-d, --dn_as_username
Use the certificate subject (DN) as the default username,
instead of the LOGNAME environment variable. When used with the
-a option, the certificate subject of the authorization
credential is used. Otherwise, the certificate subject of the
default credential is used.

-t hours, --proxy_lifetime hours
Specifies the lifetime of credentials retrieved from the
myproxy-server(8) using the stored credential. The resulting
lifetime is the shorter of the requested lifetime and the
lifetime specified when the credential was stored using
myproxy-init(1). Default: 12 hours

-c filename, --certfile filename
Specifies the name of the file in which the certificate will be
stored.

-y filename, --keyfile filename
Specifies the name of the file in which the private key will be
stored.

-a file, --authorization file
Use this option to specify an existing, valid credential that
you want to renew. Renewing a credential generally requires two
certificate-based authentications. The client authenticates
with its identity, using the credential in the standard location
or specified by X509_USER_PROXY or X509_USER_CERT and
X509_USER_KEY, in addition to authenticating with the existing
credential, in the location specified by this option, that it
wants to renew.

-k name, --credname name
Specifies the name of the credential that is to be retrieved or
renewed.

-S, --stdin_pass
By default, the command prompts for a passphrase and reads the
passphrase from the active tty. When running the command
non-interactively, there may be no associated tty. Specifying this
option tells the command to read passphrases from standard input
without prompts or confirmation.

-T, --trustroots
Retrieve the CA certificates directory from the server (if
available) and store it in the location specified by the
X509_CERT_DIR environment variable if set, or in
/etc/grid-security/certificates if running as root, or in
~/.globus/certificates if running as non-root.

-n, --no_passphrase
Don't prompt for a credential passphrase. Use other methods for
authentication, such as Kerberos ticket or X.509 certificate.

EXIT STATUS
0 on success, >0 on error

ENVIRONMENT
GLOBUS_GSSAPI_NAME_COMPATIBILITY
This client will, by default, perform a reverse-DNS lookup to
determine the FQHN (Fully Qualified Host Name) to use in
verifying the identity of the server by checking the FQHN against
the CN in the server's certificate. Setting this variable to
STRICT_RFC2818 will cause the reverse-DNS lookup to NOT be
performed and the user-specified name to be used instead. This
variable setting will be ignored if MYPROXY_SERVER_DN (described
later) is set.

MYPROXY_SERVER
Specifies the hostname(s) where the myproxy-server(8) is
running. Multiple hostnames can be specified in a comma-separated
list with each hostname optionally followed by a ':' and port
number. This environment variable can be used in place of the
-s option.

MYPROXY_SERVER_PORT
Specifies the port where the myproxy-server(8) is running. This
environment variable can be used in place of the -p option.

MYPROXY_SERVER_DN
Specifies the distinguished name (DN) of the myproxy-server(8).
All MyProxy client programs authenticate the server's identity.
By default, MyProxy servers run with host credentials, so the
MyProxy client programs expect the server to have a
distinguished name with "/CN=host/<fqhn>" or "/CN=myproxy/<fqhn>" or
"/CN=<fqhn>" (where <fqhn> is the fully-qualified hostname of
the server). If the server is running with some other DN, you
can set this environment variable to tell the MyProxy clients to
accept the alternative DN. Also see
GLOBUS_GSSAPI_NAME_COMPATIBILITY above.

MYPROXY_TCP_PORT_RANGE
Specifies a range of valid port numbers in the form "min,max"
for the client side of the network connection to the server. By
default, the client will bind to any available port. Use this
environment variable to restrict the ports used to a range
allowed by your firewall. If unset, MyProxy will follow the
setting of the GLOBUS_TCP_PORT_RANGE environment variable.

X509_USER_CERT
Specifies a non-standard location for the certificate to be used
for authentication to the myproxy-server(8). Also specifies the
location where the retrieved certificate will be stored
unless the -c option is given.

X509_USER_KEY
Specifies a non-standard location for the private key to be used
for authentication to the myproxy-server(8). Also specifies the
location where the retrieved private key will be stored
unless the -y option is given.

X509_USER_PROXY
Specifies a non-standard location for the proxy credential to be
used for authentication to the myproxy-server(8).

X509_CERT_DIR
Specifies a non-standard location for the CA certificates
directory.

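A non-interactive invocation built from the options and environment variables above, as an added example that is not part of the MyProxy manual or code base; the function names retrieve_credential and key_is_private and the pass phrase file argument are assumptions. Because this command transfers the private key and writes it to disk, the wrapper has the server certificate checked against the typed hostname, keeps the pass phrase out of argv, and checks the key file's mode afterwards.

```shell
#!/bin/sh
# Added example, not MyProxy project code. retrieve_credential, key_is_private
# and the pass phrase file argument are hypothetical names for illustration.

# Succeed only for a regular, non-symlink file with no group/other access.
key_is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        -rw-------|-r--------) return 0 ;;
        *) return 1 ;;
    esac
}

# usage: retrieve_credential host[:port] username outdir passphrase_file
retrieve_credential() {
    server=$1; user=$2; outdir=$3; passfile=$4

    # -S reads the pass phrase from stdin, so it never appears in argv;
    # refuse a pass phrase file that other accounts can read.
    if ! key_is_private "$passfile"; then
        echo "refusing: $passfile is not private" >&2
        return 1
    fi

    (
        umask 077    # new files and directories get no group/other access
        mkdir -p "$outdir" || exit 1
        # STRICT_RFC2818: the server certificate is checked against the name
        # given to -s, not a name from reverse DNS. Ignored if
        # MYPROXY_SERVER_DN is set.
        GLOBUS_GSSAPI_NAME_COMPATIBILITY=STRICT_RFC2818 \
        myproxy-retrieve -s "$server" -l "$user" -S \
            -c "$outdir/usercert.pem" -y "$outdir/userkey.pem" < "$passfile"
    ) || return 1    # exit status >0 means error

    # Do not use the result until the key file's mode has been checked.
    if ! key_is_private "$outdir/userkey.pem"; then
        echo "retrieved key is not private: $outdir/userkey.pem" >&2
        return 1
    fi
    return 0
}
```
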
AUTHORS
See http://grid.ncsa.illinois.edu/myproxy/about for the list of MyProxy
authors.

SEE ALSO
myproxy-change-pass-phrase(1), myproxy-destroy(1),
myproxy-get-trustroots(1), myproxy-info(1), myproxy-init(1),
myproxy-logon(1), myproxy-store(1), myproxy-server.config(5),
myproxy-admin-adduser(8), myproxy-admin-change-pass(8),
myproxy-admin-load-credential(8), myproxy-admin-query(8),
myproxy-server(8)

MyProxy 2009-12-1 myproxy-retrieve(1)