VOMS-PROXY-INIT(1)                                          VOMS-PROXY-INIT(1)

NAME

       voms-proxy-init - creates a proxy certificate with VOMS extensions

SYNOPSIS

       voms-proxy-init [options]

DESCRIPTION

       The voms-proxy-init command generates a proxy with the VOMS information
       included in an X.509 non-critical extension.

       The VOMS attributes are obtained from a known VOMS server. The list of
       known VOMS servers is configured using a vomses configuration file,
       whose syntax is documented in the vomses man page. A custom vomses
       location can be specified using the --vomses option.

       VOMS attributes are requested only if the -voms option is passed on the
       command line, specifying for which Virtual Organizations (VOs)
       attributes are requested.

       VOMS attributes are signed by the VOMS server that issues them. The
       signature is verified on the client side leveraging local trust
       information, which is typically maintained in
       /etc/grid-security/vomsdir. The vomsdir structure is documented in the
       vomsdir man page. A custom vomsdir can be specified using the --vomsdir
       option.

       The default location of the proxy generated by voms-proxy-init is

            /tmp/x509up_u<user_id>

       where user_id is the effective user id of the user running the command.
       A non-standard location for the proxy can be specified using the -out
       option.

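       The default proxy location is in the shared /tmp directory and the
       proxy file holds an unencrypted private key, so it is worth checking
       the file before using it. The shell functions below are an added
       example, not part of the VOMS clients; check_proxy_file and
       default_proxy_path are hypothetical names.

```bash
# Added example: sanity-check a proxy file written by voms-proxy-init.
# Both function names are hypothetical helpers, not VOMS client commands.

# Default location documented above: /tmp/x509up_u<effective uid>.
default_proxy_path() {
    printf '/tmp/x509up_u%s\n' "$(id -u)"
}

# Usage: check_proxy_file [path]      (no argument: the default location)
# Prints one of: ok | missing | symlink | not-regular | bad-owner | bad-mode
# and returns 0 only for "ok".
check_proxy_file() {
    local path="${1:-$(default_proxy_path)}"

    # /tmp is shared, so reject a symlink before looking at its target.
    if [ -L "$path" ]; then echo "symlink"; return 1; fi
    if [ ! -e "$path" ]; then echo "missing"; return 1; fi
    if [ ! -f "$path" ]; then echo "not-regular"; return 1; fi

    # The file must belong to the effective uid running the check.
    if [ -z "$(find "$path" -prune -user "$(id -u)" -print)" ]; then
        echo "bad-owner"; return 1
    fi

    # Exact mode 0600: no access for group or others to the private key.
    if [ -z "$(find "$path" -prune -perm 600 -print)" ]; then
        echo "bad-mode"; return 1
    fi

    echo "ok"
}
```
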
   Requesting VOMS attributes
       Attributes can be requested using the -voms option. A basic usage is
       given in the following example:

           voms-proxy-init -voms <voname>

       where voname is the name of one of the configured VOs. The above
       command will create a proxy containing a VOMS extension which holds all
       group attributes belonging to the user.

       VOMS roles are conditional attributes which are included in a VOMS
       attribute certificate only when explicitly requested. Roles can be
       requested using a command like the following one:

           voms-proxy-init -voms atlas:/atlas/Role=pilot

   Ordering requested attributes
       Typically VOMS attributes are returned in the order in which they are
       requested on the command line. For instance, the following command:

           voms-proxy-init -voms infngrid:/infngrid/group1 -voms infngrid:/infngrid/Role=pilot

       will produce an Attribute Certificate which has as the primary
       attribute /infngrid/group1, followed by /infngrid/Role=pilot, and then
       by the other attributes belonging to the user. The -order option can
       also be used to express order requirements.

   Setting the validity period of the generated proxy and attribute certificate
       By default, voms-proxy-init will generate a proxy valid for 12 hours
       including a VOMS extension valid for the same time (if requested).
       These time periods can be changed using the -valid option, which will
       set the validity of both the proxy and the AC. Note that the validity
       of the AC can only be "proposed" by voms-proxy-init, as the AC validity
       is set by the VOMS server and its maximum value is limited by local
       VOMS server configuration (typically the maximum value is 24 hours).

   Setting the type of proxy generated by voms-proxy-init
       By default, voms-proxy-init generates a legacy proxy compatible with
       Globus Toolkit version 2. This behaviour can be changed using the -rfc
       option, which will produce an RFC 3820 compliant proxy. In order to
       generate a Globus Toolkit version 3 proxy, i.e. a draft compliant
       proxy, use the -proxyver 3 option.

CONFIGURATION

       Local configuration for trusted VOs is needed for voms-proxy-init to
       work properly. See the vomses(5) and vomsdir(5) man pages for more
       details.

OPTIONS

       Options may be specified using either a "-" or "--" prefix.

       -b,--bits <num-bits>

           Number of bits in key {512|1024|2048|4096}

       --cert <certfile>

           Non-standard location of user certificate

       --certdir <certdir>

           Non-standard location of trusted cert dir

       --conf <file>

           Read options from <file>

       --debug

           Enables extra debug output

       --dont_verify_ac

           Skips AC verification

       -f,--failonwarn

           Treat warnings as errors

       --help

           Displays help and exits

       --hours <hours>

           Sets the generated proxy validity to H hours (default: 12).
           Note that this option only sets the lifetime of the generated proxy.
           Use -valid to set lifetime for both the proxy and the AC.

       --ignorewarn

           Ignore warnings

       -k,--key <keyfile>

           Non-standard location of user key

       --limited

           Creates a limited proxy

       -n,--noregen

           Use an existing proxy certificate to obtain VOMS attributes and to sign the newly generated proxy

       --old

           Creates a legacy, GT2 compliant proxy (synonymous with '-proxyver 2')

       --order <fqan>

           The fqan specified with this option is set as the primary FQAN if present in the list of attributes returned by the server.
           Use this option more than once if you want to set the order for more than one FQAN.

       --out <proxyfile>

           Non-standard location of the generated proxy certificate

       --path_length <L>

           Allow a chain of at most L proxies to be generated and signed from the proxy created by voms-proxy-init.

       --proxyver <2|3|4>

           Sets the type of proxy generated by VOMS proxy init. 2 stands for legacy proxy, 3 for draft proxy, 4 for rfc proxy.
           Use -old or -rfc instead of this option.

       --pwstdin

           Reads private key passphrase from standard input.

       -q,--quiet

           Quiet mode, minimal output

       -r,--rfc

           Creates an RFC 3820 compliant proxy (synonymous with '-proxyver 4')

       --target <hostname>

           Targets the AC against a specific hostname. Multiple targets can be expressed using this option multiple times.

       --usage

           Displays help and exits

       --valid <h:m>

           Sets generated proxy and AC validity to h hours and m minutes (defaults to 12:00).
           Note that the VOMS server could shorten the validity of the issued AC depending on the server configuration.

       --verify

           Verifies the validity of the user certificate.

       --version

           Displays version

       --voms <voms<:fqan>>

           Specifies the VO for which the AC is requested. <:fqan> is optional, and is used to ask for
           specific attributes (e.g.: --voms atlas:/atlas/Role=pilot).
           This option can be used multiple times to request multiple FQANs for different VOs.
           The order in which the option appears on the command line influences the order of the issued attributes.

       --vomsdir <DIR>

           Sets the path where lsc files and other local VOMS trust anchors will be looked for.

       --vomses <vomses file>

           Specifies the name of a VOMSES file from which VOMS server contact information is parsed.

       --vomslife <h:m>

           Sets the validity of the requested VOMS attribute certificate to h hours and m minutes (defaults to the value of the '-valid' option)
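       The following shell function is an added example, not part of the
       VOMS clients. It audits a voms-proxy-init command line, such as one
       found in a job wrapper script, for options documented above that
       weaken the result: skipped AC verification, suppressed warnings, a
       512- or 1024-bit key, and the default legacy proxy type. The name
       audit_vpi_args and the finding labels are hypothetical.

```bash
# Added example: flag risky options in a voms-proxy-init command line.
# audit_vpi_args is a hypothetical helper, not a VOMS client command.
# Prints one finding per line; prints nothing when no check fires.
audit_vpi_args() {
    local rfc=0 opt val
    while [ "$#" -gt 0 ]; do
        case "$1" in
            -*) ;;                    # an option word: inspect it below
            *)  shift; continue ;;    # an option value: nothing to inspect
        esac

        # Options are accepted with "-" or "--"; normalise to the bare name.
        opt="${1#-}"; opt="${opt#-}"
        val="${2:-}"

        case "$opt" in
            dont_verify_ac)
                echo "no-ac-verify: AC signature is not checked against vomsdir" ;;
            ignorewarn)
                echo "ignorewarn: warnings are ignored" ;;
            b|bits)
                if [ "$val" = 512 ] || [ "$val" = 1024 ]; then
                    echo "weak-key: ${val}-bit proxy key"
                fi ;;
            r|rfc)
                rfc=1 ;;
            proxyver)
                if [ "$val" = 4 ]; then rfc=1; fi ;;
        esac
        shift
    done

    # Without -rfc (or -proxyver 4) the default is a legacy GT2 proxy.
    if [ "$rfc" -eq 0 ]; then
        echo "legacy-proxy: no RFC 3820 proxy requested"
    fi
}
```

       For example, audit_vpi_args -voms atlas --dont_verify_ac -b 1024
       reports three findings, one per line.
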

BUGS

       To report bugs or ask for support, use GGUS:
       https://ggus.eu/pages/home.php

AUTHORS

       Andrea Ceccanti <andrea.ceccanti@cnaf.infn.it>

       Daniele Andreotti <daniele.andreotti@cnaf.infn.it>

       Valerio Venturi <valerio.venturi@cnaf.infn.it>

SEE ALSO

       voms-proxy-destroy(1), voms-proxy-info(1), vomses(5), vomsdir(5)

COPYING

       Copyright 2012 Istituto Nazionale di Fisica Nucleare

       Licensed under the Apache License, Version 2.0 (the "License"); you may
       not use this file except in compliance with the License. You may obtain
       a copy of the License at

           http://www.apache.org/licenses/LICENSE-2.0

       Unless required by applicable law or agreed to in writing, software
       distributed under the License is distributed on an "AS IS" BASIS,
       WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
       implied. See the License for the specific language governing
       permissions and limitations under the License.

                                  09/26/2013                VOMS-PROXY-INIT(1)