1APPROXY(1) NorduGrid Users Manual APPROXY(1)
2
6 arcproxy - ARC Credentials Proxy generation utility
7
9 arcproxy [OPTION]
10
12 arcproxy generates proxy credentials (general proxy certificate, or
13 proxy certificate with VOMS AC extension) from private key and certifi‐
14 cate of user.
15
17 -h prints short usage description
18 -P filename
21 location of the generated proxy file
22 -C location of X509 certificate file, the file can be either pem,
25 der, or pkcs12 formatted; if this option is not set, then env
26 X509_USER_CERT will be searched; if X509_USER_CERT env is not
27 set, then certificatepath item in client.conf will be searched;
28 if the location still is not found, then ~/.arc/, ~/.globus/,
29 ./etc/arc, and ./ will be searched.
30 -K location of private key file, if the certificate is in pkcs12
33 format, then no need to give private key; if this option is not
34 set, then env X509_USER_KEY will be searched; if X509_USER_KEY
35 env is not set, then keypath item in client.conf will be
36 searched; if the location still is not found, then ~/.arc/,
37 ~/.globus/, ./etc/arc, and ./ will be searched.
38 -T path to trusted certificate directory, only needed for VOMS
41 client functionality; if this option is not set, then env
42 X509_CERT_DIR will be searched; if X509_CERT_DIR env is not set,
43 then cacertificatesdirectory item in client.conf will be
44 searched.
45 -s path to top directory of VOMS *.lsc files, only needed for VOMS
48 client functionality
49 -V path to VOMS server configuration file, only needed for VOMS
52 client functionality if the path is a directory rather than a
53 file, all of the files under this directory will be searched
54 -S voms<:command>. Specify VOMS server.
57 :command is optional, and is used to ask for spe‐
58 cific attributes(e.g: roles)
59 command option is:
60 all --- put all of this DN's attributes into AC;
61 list ---list all of the DN's attribute,will not
62 create AC extension;
63 /Role=yourRole --- specify the role, if this DN
64 has such a role, the role will be
65 put into AC
66 /voname/groupname/Role=yourRole --- specify the
67 vo,group and role if this DN
68 has such a role, the role will be
69 put into AC
70 -o group<:role>. Specify ordering of attributes.
73 Example: --order /knowarc.eu/coredev:Devel‐
74 oper,/knowarc.eu/testers:Tester
75 or: --order /knowarc.eu/coredev:Developer --order
76 /knowarc.eu/testers:Tester
77 Note that it does not make sense to specify the
78 order if you have two or more different VOMS server specified
79 -G use GSI wire protocol for contacting VOMS services instead of
82 SSL/TLS
83 -H use HTTP communication protocol for contacting VOMS services
86 that provide RESTful access
87 Note for RESTful access, 'list' command and multi‐
88 ple VOMS server are not supported.
89 This protocol is now default communicaton protocol
90 and You do not need to specify this option.
91 -B use old communication protocol for contacting VOMS services in‐
94 stead of RESTful.
95 -O this option is not functional anymore (old GSI proxies are not
98 supported)
99 -I print all information about this proxy.
102 In order to show the Identity (DN without CN as
103 subfix for proxy)
104 of the certificate, the 'trusted certdir' is
105 needed.
106 -i print selected information about this proxy. Currently following
109 information items are supported:
110 subject - subject name of proxy certificate.
112 identity - identity subject name of proxy certificate.
114 issuer - issuer subject name of proxy certificate.
116 ca - subject name of CA which issued initial certificate.
118 path - file system path to file containing proxy.
120 type - type of proxy certificate.
122 validityStart - timestamp when proxy validity starts.
124 validityEnd - timestamp when proxy validity ends.
126 validityPeriod - duration of proxy validity in seconds.
128 validityLeft - duration of proxy validity left in seconds.
130 vomsVO - VO name represented by VOMS attribute.
132 vomsSubject - subject of certificate for which VOMS attribute is
134 issued.
135 vomsIssuer - subject of service which issued VOMS certificate.
137 vomsACvalidityStart - timestamp when VOMS attribute validity
139 starts.
140 vomsACvalidityEnd - timestamp when VOMS attribute validity ends.
142 vomsACvalidityPeriod - duration of VOMS attribute validity in
144 seconds.
145 vomsACvalidityLeft - duration of VOMS attribute validity left in
147 seconds.
148 proxyPolicy
150 keybits - size of proxy certificate key in bits.
152 signingAlgorithm - algorithm used to sign proxy certificate.
154 Items are printed in requested order and are separated by new‐
156 line. If item has multiple values they are printed in same line
157 separated by |.
158 -r Remove the proxy file.
161 -U Username to myproxy server.
164 -N don't prompt for a credential passphrase, when retrieve a cre‐
167 dential from on MyProxy server.
168 The precondition of this choice is the credential
169 is PUT onto
170 the MyProxy server without a passphrase by using
171 -R (--retrievable_by_cert)
172 option when being PUTing onto Myproxy server.
173 This option is specific for the GET command when
174 contacting Myproxy server.
175 -R Allow specified entity to retrieve credential without
178 passphrase.
179 This option is specific for the PUT command when
180 contacting Myproxy server.
181 -L hostname of myproxy server optionally followed by colon and port
184 number, e.g.
185 example.org:7512. If the port number has not
186 been specified, 7512 is used by default.
187 -M command to myproxy server. The command can be PUT and GET.
190 PUT/put -- put a delegated credential to myproxy
191 server;
192 GET/get -- get a delegated credential from myproxy
193 server,
194 credential (certificate and key) is not needed in
195 this case;
196 myproxy functionality can be used together with
197 VOMS functionality.
198 voms and vomses can be used for Get command if
199 VOMS attributes
200 is required to be included in the proxy.
201 -F use NSS credential DB in default Mozilla profiles, including
204 Firefox, Seamonkey and Thunderbird.
205 -c constraints of proxy certificate. Currently following con‐
208 straints are supported:
209 validityStart=time - time when certificate becomes valid. De‐
211 fault is now.
212 validityEnd=time - time when certificate becomes invalid. De‐
214 fault is 43200 (12 hours) from start for local proxy and 7 days
215 for delegated to MyProxy.
216 validityPeriod=time - for how long certificate is valid. Default
218 is 43200 (12 hours)for local proxy and 7 days for delegated to
219 MyProxy.
220 vomsACvalidityPeriod=time - for how long the AC is valid. De‐
222 fault is shorter of validityPeriod and 12 hours.
223 myproxyvalidityPeriod=time - lifetime of proxies delegated by
225 myproxy server. Default is shorter of validityPeriod and 12
226 hours.
227 proxyPolicy=policy content - assigns specified string to proxy
229 policy to limit it's functionality.
230 keybits=number - length of the key to generate. Default is 2048
232 bits. Special value 'inherit' is to use key length of signing
233 certificate.
234 signingAlgorithm=name - signing algorithm to use for signing
236 public key of proxy. Default is sha1. Possible values are sha1,
237 sha2 (alias for sha256), sha224, sha256, sha384, sha512 and in‐
238 herit (use algorithm of signing certificate).
239 -p password destination=password source. Supported password desti‐
242 nations are:
243 key - for reading private key
245 myproxy - for accessing credentials at MyProxy service
247 myproxynew - for creating credentials at MyProxy service
249 all - for any purspose.
251 Supported password sources are:
253 quoted string ("password") - explicitly specified password
255 int - interactively request password from console
257 stdin - read password from standard input delimited by newline
259 file:filename - read password from file named filename
261 stream:# - read password from input stream number #. Currently
263 only 0 (standard input) is supported.
264 -t timeout in seconds (default 20)
267 -z configuration file (default ~/.arc/client.conf)
270 -d level of information printed. Possible values are DEBUG, VER‐
273 BOSE, INFO, WARNING, ERROR and FATAL.
274 -v print version information
277 If location of certificate and key are not explicitly specified they
280 are looked for in following location and order:
281 Key/certificate paths specified by the environment variables
283 X509_USER_KEY and X509_USER_CERT respectively.
284 Paths specified in configuration file.
286 ~/.arc/usercert.pem and ~/.arc/userkey.pem for certificate and key re‐
288 spectively.
289 ~/.globus/usercert.pem and ~/.globus/userkey.pem for certificate and
291 key respectively.
292 If destination location of proxy file is not specified, the value of
294 X509_USER_PROXY environment variable is used explicitly. If no value
295 is provided, the default location is used - <TEMPORARY DIREC‐
296 TORY>/x509up_u<USER ID>. Here TEMPORARY DIRECTORY is derived from en‐
297 vironment variables TMPDIR, TMP, TEMP or default location /tmp is used.
298
301 Report bugs to http://bugzilla.nordugrid.org/
302
305 ARC_LOCATION
306 The location where ARC is installed can be specified by this
307 variable. If not specified the install location will be deter‐
308 mined from the path to the command being executed, and if this
309 fails a WARNING will be given stating the location which will be
310 used.
311 ARC_PLUGIN_PATH
314 The location of ARC plugins can be specified by this variable.
315 Multiple locations can be specified by separating them by : (;
316 in Windows). The default location is $ARC_LOCATION/lib/arc (\ in
317 Windows).
318
321 APACHE LICENSE Version 2.0
322
325 /etc/vomses
326 Common file containing a list of selected VO contact point, one
327 VO per line, for example:
328 "gin" "kuiken.nikhef.nl" "15050" "/O=dutch‐
330 grid/O=hosts/OU=nikhef.nl/CN=kuiken.nikhef.nl" "gin.ggf.org"
331 "nordugrid.org" "voms.uninett.no" "15015" "/O=Grid/O=Nor‐
333 duGrid/CN=host/voms.ndgf.org" "nordugrid.org"
334 ~/.voms/vomses
337 Same as /etc/vomses but located in user's home area. If exists,
338 has precedence over /etc/vomses
339 The order of the parsing of vomses location is:
341 1. command line options
343 2. client configuration file ~/.arc/client.conf
344 3. $X509_VOMSES or $X509_VOMS_FILE
345 4. ~/.arc/vomses
346 5. ~/.voms/vomses
347 6. $ARC_LOCATION/etc/vomses (this is for Windows envi‐
348 ronment)
349 7. $ARC_LOCATION/etc/grid-security/vomses (this is for
350 Windows environment)
351 8. $PWD/vomses
352 9. /etc/vomses
353 10. /etc/grid-security/vomses
354 ~/.arc/client.conf
357 Some options can be given default values by specifying them in
358 the ARC client configuration file. By using the --conffile op‐
359 tion a different configuration file can be used than the de‐
360 fault.
361
364 ARC software is developed by the NorduGrid Collaboration
365 (http://www.nordugrid.org), please consult the AUTHORS file distributed
366 with ARC. Please report bugs and feature requests to
367 http://bugzilla.nordugrid.org
368
371 arccat(1), arcclean(1), arccp(1), arcget(1), arcinfo(1), arckill(1),
372 arcls(1), arcmkdir(1), arcrenew(1), arcresub(1), arcresume(1), ar‐
373 crm(1), arcstat(1), arcsub(1), arcsync(1), arctest(1)
374NorduGrid ARC 6.17.0 2022-11-24 APPROXY(1)