APPROXY(1)                  NorduGrid Users Manual                  APPROXY(1)

NAME

       arcproxy - ARC Credentials Proxy generation utility

SYNOPSIS

       arcproxy [OPTION]

DESCRIPTION

       arcproxy generates proxy credentials (a general proxy certificate, or a
       proxy certificate with a VOMS AC extension) from the user's private key
       and certificate.

OPTIONS

       -h     prints a short usage description

       -P filename
              location of the generated proxy file

       -C     location of the X509 certificate file; the file can be PEM, DER
              or PKCS12 formatted. If this option is not set, the environment
              variable X509_USER_CERT is consulted; if X509_USER_CERT is not
              set, the certificatepath item in client.conf is used; if the
              location is still not found, ~/.arc/, ~/.globus/, ./etc/arc and
              ./ are searched.

       -K     location of the private key file; if the certificate is in
              PKCS12 format, no private key needs to be given. If this option
              is not set, the environment variable X509_USER_KEY is consulted;
              if X509_USER_KEY is not set, the keypath item in client.conf is
              used; if the location is still not found, ~/.arc/, ~/.globus/,
              ./etc/arc and ./ are searched.

       -T     path to the trusted certificate directory, only needed for VOMS
              client functionality; if this option is not set, the environment
              variable X509_CERT_DIR is consulted; if X509_CERT_DIR is not
              set, the cacertificatesdirectory item in client.conf is used.

       -s     path to the top directory of VOMS *.lsc files, only needed for
              VOMS client functionality

       -V     path to the VOMS server configuration file, only needed for VOMS
              client functionality; if the path is a directory rather than a
              file, all files under that directory are searched

       -S     voms<:command>. Specify the VOMS server. :command is optional
              and is used to ask for specific attributes (e.g. roles). The
              command can be one of:

              all --- put all of this DN's attributes into the AC;

              list --- list all of the DN's attributes; no AC extension is
              created;

              /Role=yourRole --- specify the role; if this DN has such a
              role, it is put into the AC;

              /voname/groupname/Role=yourRole --- specify the VO, group and
              role; if this DN has such a role, it is put into the AC.

       -o     group<:role>. Specify the ordering of attributes.
              Example: --order /knowarc.eu/coredev:Developer,/knowarc.eu/testers:Tester
              or:      --order /knowarc.eu/coredev:Developer --order /knowarc.eu/testers:Tester
              Note that it does not make sense to specify the order if two or
              more different VOMS servers are specified.

       -G     use the GSI wire protocol for contacting VOMS services instead
              of SSL/TLS

       -H     use the HTTP communication protocol for contacting VOMS services
              that provide RESTful access. Note that with RESTful access the
              'list' command and multiple VOMS servers are not supported. This
              protocol is now the default communication protocol and you do
              not need to specify this option.

       -B     use the old communication protocol for contacting VOMS services
              instead of RESTful.

       -O     this option is not functional anymore (old GSI proxies are not
              supported)

       -I     print all information about this proxy. In order to show the
              Identity (the DN without the CN suffix added for the proxy) of
              the certificate, the 'trusted certdir' is needed.

       -i     print selected information about this proxy. Currently the
              following information items are supported:

              subject - subject name of the proxy certificate.

              identity - identity subject name of the proxy certificate.

              issuer - issuer subject name of the proxy certificate.

              ca - subject name of the CA which issued the initial
              certificate.

              path - file system path to the file containing the proxy.

              type - type of proxy certificate.

              validityStart - timestamp when proxy validity starts.

              validityEnd - timestamp when proxy validity ends.

              validityPeriod - duration of proxy validity in seconds.

              validityLeft - duration of proxy validity left in seconds.

              vomsVO - VO name represented by the VOMS attribute.

              vomsSubject - subject of the certificate for which the VOMS
              attribute is issued.

              vomsIssuer - subject of the service which issued the VOMS
              certificate.

              vomsACvalidityStart - timestamp when VOMS attribute validity
              starts.

              vomsACvalidityEnd - timestamp when VOMS attribute validity ends.

              vomsACvalidityPeriod - duration of VOMS attribute validity in
              seconds.

              vomsACvalidityLeft - duration of VOMS attribute validity left in
              seconds.

              proxyPolicy

              keybits - size of the proxy certificate key in bits.

              signingAlgorithm - algorithm used to sign the proxy certificate.

              Items are printed in the requested order and are separated by
              newlines. If an item has multiple values they are printed on the
              same line separated by |.

       -r     remove the proxy file.

       -U     username for the MyProxy server.

       -N     don't prompt for a credential passphrase when retrieving a
              credential from a MyProxy server. The precondition for this
              choice is that the credential was PUT onto the MyProxy server
              without a passphrase by using the -R (--retrievable_by_cert)
              option when PUTing it. This option is specific to the GET
              command when contacting the MyProxy server.

       -R     allow the specified entity to retrieve the credential without a
              passphrase. This option is specific to the PUT command when
              contacting the MyProxy server.

       -L     hostname of the MyProxy server, optionally followed by a colon
              and port number, e.g. example.org:7512. If the port number is
              not specified, 7512 is used by default.

       -M     command to the MyProxy server. The command can be PUT or GET.
              PUT/put -- put a delegated credential to the MyProxy server;
              GET/get -- get a delegated credential from the MyProxy server;
              a credential (certificate and key) is not needed in this case.
              MyProxy functionality can be used together with VOMS
              functionality: voms and vomses can be used with the GET command
              if VOMS attributes are required to be included in the proxy.

       -F     use the NSS credential DB in default Mozilla profiles, including
              Firefox, Seamonkey and Thunderbird.

       -c     constraints of the proxy certificate. Currently the following
              constraints are supported:

              validityStart=time - time when the certificate becomes valid.
              Default is now.

              validityEnd=time - time when the certificate becomes invalid.
              Default is 43200 (12 hours) from start for a local proxy and 7
              days for one delegated to MyProxy.

              validityPeriod=time - for how long the certificate is valid.
              Default is 43200 (12 hours) for a local proxy and 7 days for one
              delegated to MyProxy.

              vomsACvalidityPeriod=time - for how long the AC is valid.
              Default is the shorter of validityPeriod and 12 hours.

              myproxyvalidityPeriod=time - lifetime of proxies delegated by the
              MyProxy server. Default is the shorter of validityPeriod and 12
              hours.

              proxyPolicy=policy content - assigns the specified string to the
              proxy policy to limit its functionality.

              keybits=number - length of the key to generate. Default is 2048
              bits. The special value 'inherit' uses the key length of the
              signing certificate.

              signingAlgorithm=name - signing algorithm to use for signing the
              public key of the proxy. Default is sha1. Possible values are
              sha1, sha2 (alias for sha256), sha224, sha256, sha384, sha512 and
              inherit (use the algorithm of the signing certificate).

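An added example, not ARC's own code, that parses -c constraints and fills in the defaults listed above, then flags the settings a reviewer would question before using the proxy. Treating times as plain integer seconds, and the two review thresholds in weak_settings, are assumptions; sha2 is normalised to sha256 because the page states it is an alias.

```python
from typing import Dict, List

LOCAL_DEFAULT = 43200        # 12 hours, local proxy
MYPROXY_DEFAULT = 7 * 86400  # 7 days, proxy delegated to MyProxy
TIMES = ("validityStart", "validityEnd", "validityPeriod",
         "vomsACvalidityPeriod", "myproxyvalidityPeriod")
ALGOS = {"sha1", "sha2", "sha224", "sha256", "sha384", "sha512", "inherit"}


def parse_constraints(args: List[str], delegated: bool = False) -> Dict[str, object]:
    """Each arg is one name=value as passed to -c. Times are assumed to be
    integer seconds; unknown names and unsupported algorithms are rejected."""
    c: Dict[str, object] = {}
    for arg in args:
        name, sep, value = arg.partition("=")
        if not sep:
            raise ValueError(f"constraint without '=': {arg!r}")
        if name in TIMES:
            c[name] = int(value)
        elif name == "keybits":
            c[name] = "inherit" if value == "inherit" else int(value)
        elif name == "signingAlgorithm":
            if value not in ALGOS:
                raise ValueError(f"unsupported signingAlgorithm {value!r}")
            c[name] = "sha256" if value == "sha2" else value  # sha2 is an alias
        elif name == "proxyPolicy":
            c[name] = value
        else:
            raise ValueError(f"unknown constraint {name!r}")
    # Defaults as the man page lists them.
    period = c.setdefault("validityPeriod",
                          MYPROXY_DEFAULT if delegated else LOCAL_DEFAULT)
    c.setdefault("vomsACvalidityPeriod", min(period, 43200))
    c.setdefault("myproxyvalidityPeriod", min(period, 43200))
    c.setdefault("keybits", 2048)
    c.setdefault("signingAlgorithm", "sha1")
    return c


def weak_settings(c: Dict[str, object]) -> List[str]:
    """Review thresholds (assumed, not from the man page): no SHA-1 signing
    and no RSA key shorter than the page's own 2048-bit default."""
    found = []
    if c["signingAlgorithm"] == "sha1":
        found.append("signingAlgorithm=sha1: SHA-1 signatures are deprecated")
    if isinstance(c["keybits"], int) and c["keybits"] < 2048:
        found.append(f"keybits={c['keybits']}: shorter than 2048 bits")
    return found
```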
       -p     password destination=password source. Supported password
              destinations are:

              key - for reading the private key

              myproxy - for accessing credentials at the MyProxy service

              myproxynew - for creating credentials at the MyProxy service

              all - for any purpose.

              Supported password sources are:

              quoted string ("password") - explicitly specified password

              int - interactively request the password from the console

              stdin - read the password from standard input, delimited by a
              newline

              file:filename - read the password from the file named filename

              stream:# - read the password from input stream number #.
              Currently only 0 (standard input) is supported.

       -t     timeout in seconds (default 20)

       -z     configuration file (default ~/.arc/client.conf)

       -d     level of information printed. Possible values are DEBUG,
              VERBOSE, INFO, WARNING, ERROR and FATAL.

       -v     print version information

       If the locations of the certificate and key are not explicitly
       specified they are looked for in the following locations, in order:

       Key/certificate paths specified by the environment variables
       X509_USER_KEY and X509_USER_CERT respectively.

       Paths specified in the configuration file.

       ~/.arc/usercert.pem and ~/.arc/userkey.pem for certificate and key
       respectively.

       ~/.globus/usercert.pem and ~/.globus/userkey.pem for certificate and
       key respectively.

       If the destination location of the proxy file is not specified, the
       value of the X509_USER_PROXY environment variable is used. If no value
       is provided, the default location <TEMPORARY DIRECTORY>/x509up_u<USER
       ID> is used. Here TEMPORARY DIRECTORY is derived from the environment
       variables TMPDIR, TMP or TEMP, or the default location /tmp is used.
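The lookup order above as a small resolver, added here as an example and not ARC's own code: find_credential and default_proxy_path take the environment and the client.conf items as plain mappings so they run offline, and proxy_mode_ok is a practitioner's check the man page does not state (the proxy file carries the private key, so group and other permission bits should be clear). The injected exists predicate, the conf mapping keyed by the client.conf item names, and the permission check are assumptions.

```python
import os
import stat
from typing import Callable, Mapping, Optional

# Environment variable, client.conf item and default file name per credential,
# as the man page lists them.
LOOKUP = {
    "cert": ("X509_USER_CERT", "certificatepath", "usercert.pem"),
    "key": ("X509_USER_KEY", "keypath", "userkey.pem"),
}


def find_credential(kind: str, env: Mapping[str, str], conf: Mapping[str, str],
                    home: str, exists: Callable[[str], bool]) -> Optional[str]:
    """Return the path for kind ('cert' or 'key') in the documented order,
    or None when nothing is found. `exists` is injected so this runs offline."""
    envvar, item, fname = LOOKUP[kind]
    if env.get(envvar):                      # 1. environment variable
        return env[envvar]
    if conf.get(item):                       # 2. client.conf item
        return conf[item]
    for subdir in (".arc", ".globus"):       # 3./4. conventional home dirs
        path = os.path.join(home, subdir, fname)
        if exists(path):
            return path
    return None


def default_proxy_path(env: Mapping[str, str], uid: int) -> str:
    """X509_USER_PROXY wins; otherwise <TMPDIR|TMP|TEMP|/tmp>/x509up_u<uid>."""
    if env.get("X509_USER_PROXY"):
        return env["X509_USER_PROXY"]
    for var in ("TMPDIR", "TMP", "TEMP"):
        if env.get(var):
            return os.path.join(env[var], f"x509up_u{uid}")
    return f"/tmp/x509up_u{uid}"


def proxy_mode_ok(mode: int) -> bool:
    """Assumed check, not from the man page: the proxy file holds the private
    key, so no group or other permission bits may be set (e.g. mode 0600)."""
    return (stat.S_IMODE(mode) & (stat.S_IRWXG | stat.S_IRWXO)) == 0
```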

REPORTING BUGS

       Report bugs to http://bugzilla.nordugrid.org/


ENVIRONMENT VARIABLES

       ARC_LOCATION
              The location where ARC is installed can be specified by this
              variable. If not specified, the install location will be
              determined from the path to the command being executed, and if
              this fails a WARNING will be given stating the location which
              will be used.

       ARC_PLUGIN_PATH
              The location of ARC plugins can be specified by this variable.
              Multiple locations can be specified by separating them by : (;
              in Windows). The default location is $ARC_LOCATION/lib/arc (\ in
              Windows).

       APACHE LICENSE Version 2.0


FILES

       /etc/vomses
              Common file containing a list of selected VO contact points, one
              VO per line, for example:

              "gin" "kuiken.nikhef.nl" "15050" "/O=dutchgrid/O=hosts/OU=nikhef.nl/CN=kuiken.nikhef.nl" "gin.ggf.org"

              "nordugrid.org" "voms.uninett.no" "15015" "/O=Grid/O=NorduGrid/CN=host/voms.ndgf.org" "nordugrid.org"

       ~/.voms/vomses
              Same as /etc/vomses but located in the user's home area. If it
              exists, it has precedence over /etc/vomses.

              The order of parsing of vomses locations is:

                     1. command line options
                     2. client configuration file ~/.arc/client.conf
                     3. $X509_VOMSES or $X509_VOMS_FILE
                     4. ~/.arc/vomses
                     5. ~/.voms/vomses
                     6. $ARC_LOCATION/etc/vomses (this is for the Windows
                        environment)
                     7. $ARC_LOCATION/etc/grid-security/vomses (this is for
                        the Windows environment)
                     8. $PWD/vomses
                     9. /etc/vomses
                     10. /etc/grid-security/vomses

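The vomses format and the location order above, as an added Python example that is not ARC's parser: parse_vomses reads the five quoted fields as alias, host, port, server DN and VO name (that field meaning, skipping '#' comment lines, and the port and DN checks are assumptions), and vomses_search_order lists file locations 3 to 10 in precedence order (both X509_VOMSES and X509_VOMS_FILE are included when set, an assumption). The sample lines are constructed; the third is deliberately malformed.

```python
import re
from typing import List, Mapping, Tuple

# Constructed sample in the /etc/vomses layout: "alias" "host" "port" "DN" "VO".
SAMPLE_VOMSES = """\
"gin" "kuiken.nikhef.nl" "15050" "/O=dutchgrid/O=hosts/OU=nikhef.nl/CN=kuiken.nikhef.nl" "gin.ggf.org"
"nordugrid.org" "voms.uninett.no" "15015" "/O=Grid/O=NorduGrid/CN=host/voms.ndgf.org" "nordugrid.org"
"broken" "voms.example.invalid" "99999" "CN=not-a-full-dn" "broken.vo"
"""

QUOTED = re.compile(r'"([^"]*)"')
Contact = Tuple[str, str, int, str, str]   # alias, host, port, server DN, VO


def parse_vomses(text: str) -> Tuple[List[Contact], List[str]]:
    """Return (valid contacts, per-line errors); bad lines are reported, not used."""
    contacts, errors = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = QUOTED.findall(line)
        if len(fields) != 5:
            errors.append(f"line {n}: expected 5 quoted fields, got {len(fields)}")
            continue
        alias, host, port, dn, vo = fields
        if not (port.isdigit() and 1 <= int(port) <= 65535):
            errors.append(f"line {n}: bad port {port!r}")
        elif not dn.startswith("/"):
            # The DN is what the client matches against the server certificate.
            errors.append(f"line {n}: server DN must start with '/', got {dn!r}")
        else:
            contacts.append((alias, host, int(port), dn, vo))
    return contacts, errors


def vomses_search_order(env: Mapping[str, str], home: str, cwd: str) -> List[str]:
    """File locations 3-10 of the list above (1 and 2 are not files); earlier wins."""
    paths = [env[v] for v in ("X509_VOMSES", "X509_VOMS_FILE") if env.get(v)]
    paths += [f"{home}/.arc/vomses", f"{home}/.voms/vomses"]
    if env.get("ARC_LOCATION"):  # Windows-oriented entries, kept in their place
        paths += [f"{env['ARC_LOCATION']}/etc/vomses",
                  f"{env['ARC_LOCATION']}/etc/grid-security/vomses"]
    return paths + [f"{cwd}/vomses", "/etc/vomses", "/etc/grid-security/vomses"]
```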
       ~/.arc/client.conf
              Some options can be given default values by specifying them in
              the ARC client configuration file. By using the --conffile
              option a configuration file other than the default can be used.

AUTHOR

       ARC software is developed by the NorduGrid Collaboration
       (http://www.nordugrid.org); please consult the AUTHORS file distributed
       with ARC. Please report bugs and feature requests to
       http://bugzilla.nordugrid.org

SEE ALSO

       arccat(1), arcclean(1), arccp(1), arcget(1), arcinfo(1), arckill(1),
       arcls(1), arcmkdir(1), arcrenew(1), arcresub(1), arcresume(1),
       arcrm(1), arcstat(1), arcsub(1), arcsync(1), arctest(1)

NorduGrid ARC 6.17.0              2022-11-24                        APPROXY(1)