myproxy-init(1)                     MyProxy                     myproxy-init(1)

NAME
       myproxy-init - store a credential for later retrieval

SYNOPSIS
       myproxy-init [ options ]

DESCRIPTION
       The myproxy-init command uploads a credential to a myproxy-server(8)
       for later retrieval. In the default mode, the command first prompts
       for the user's Grid pass phrase (if needed), which is used to create a
       proxy credential. The command then prompts for a MyProxy pass phrase,
       which will be required to later retrieve the credential. The MyProxy
       pass phrase must be entered a second time for confirmation. A
       credential with a lifetime of one week (by default) is then delegated
       to the myproxy-server(8) and stored with the given MyProxy pass
       phrase. Proxy credentials with a default lifetime of 12 hours can then
       be retrieved by myproxy-logon(1) using the MyProxy pass phrase. The
       default behavior can be overridden by the options specified below.

       The myproxy-init command can also upload a credential to a
       myproxy-server(8) to support credential renewal. Renewal allows a
       trusted service (for example, a batch job scheduler) to obtain a new
       credential for a user before the existing credential it has for that
       user expires. The -R argument to myproxy-init configures the
       credential for renewal by the specified service. Renewal requires two
       authentications. To retrieve a new credential, the renewing service
       must authenticate with its own credentials, matching the distinguished
       name specified by the -R argument, and must also authenticate with an
       existing credential that matches the distinguished name of the stored
       credential.

       A credential may be used either for retrieval or renewal but not both.
       If both are desired, upload a different credential for each use, with
       a different name using the -k option.

       The hostname where the myproxy-server(8) is running must be specified
       by either defining the MYPROXY_SERVER environment variable or the -s
       option.

       By default, myproxy-init will create a proxy credential from the
       user's end-entity credentials at ~/.globus/usercert.pem and
       ~/.globus/userkey.pem to delegate to the myproxy-server(8). To specify
       an alternate location for the source certificate and key to delegate,
       use the X509_USER_CERT and X509_USER_KEY environment variables. To use
       a proxy credential as the source of the delegation, set both
       environment variables to the location of the proxy credential. To
       delegate a "legacy globus proxy", set the GT_PROXY_MODE environment
       variable to "old". To delegate an "RFC 3820 compliant proxy", set the
       GT_PROXY_MODE environment variable to "rfc".

OPTIONS
       -h, --help
              Displays command usage text and exits.

       -u, --usage
              Displays command usage text and exits.

       -v, --verbose
              Enables verbose debugging output to the terminal.

       -V, --version
              Displays version information and exits.

       -s hostname[:port], --pshost hostname[:port]
              Specifies the hostname(s) of the myproxy-server(s). Multiple
              hostnames, each hostname optionally followed by a ':' and port
              number, may be specified in a comma-separated list. This option
              is required if the MYPROXY_SERVER environment variable is not
              defined. If specified, this option overrides the MYPROXY_SERVER
              environment variable. If a port number is specified with a
              hostname, it will override the -p option as well as the
              MYPROXY_SERVER_PORT environment variable for that host.

       -p port, --psport port
              Specifies the TCP port number of the myproxy-server(8).
              Default: 7512

       -l username, --username username
              Specifies the MyProxy account under which the credential should
              be stored. By default, the command uses the value of the
              LOGNAME environment variable. Use this option to specify a
              different account username on the MyProxy server. The MyProxy
              username need not correspond to a real Unix username.

       -c hours, --cred_lifetime hours
              Specifies the lifetime of the credential stored on the
              myproxy-server(8) in hours. Specify 0 for the maximum possible
              lifetime, i.e., the lifetime of the original credential.
              Default: 1 week (168 hours)

       -t hours, --proxy_lifetime hours
              Specifies the maximum lifetime of credentials retrieved from the
              myproxy-server(8) using the stored credential. Default: 12
              hours

       -C filename, --certfile filename
              Specifies the filename of the source certificate.

       -y filename, --keyfile filename
              Specifies the filename of the source private key.

       -d, --dn_as_username
              Use the certificate subject (DN) as the default username,
              instead of the LOGNAME environment variable.

       -a, --allow_anonymous_retrievers
              Allow credentials to be retrieved with just pass phrase
              authentication. By default, only entities with credentials that
              match the myproxy-server.config(5) default retriever policy may
              retrieve credentials. This option allows entities without
              existing credentials to retrieve a credential using pass phrase
              authentication by including "anonymous" in the set of allowed
              retrievers. The myproxy-server.config(5) server-wide policy
              must also allow "anonymous" clients for this option to have an
              effect.

       -A, --allow_anonymous_renewers
              Allow credentials to be renewed by any client. Any client with
              a valid credential with a subject name that matches the stored
              credential may retrieve a new credential from the MyProxy
              repository if this option is given. Since this effectively
              defeats the purpose of proxy credential lifetimes, it is not
              recommended. It is included only for the sake of completeness.

       -r name, --retrievable_by name
              Allow the specified entity to retrieve credentials. See the -x
              and -X options for controlling name matching behavior.

       -R name, --renewable_by name
              Allow the specified entity to renew credentials. See the -x and
              -X options for controlling name matching behavior. This option
              implies -n since passphrase authentication is not used for
              credential renewal.

       -Z name, --retrievable_by_cert name
              Allow the specified entity to retrieve credentials without a
              passphrase. See the -x and -X options for controlling name
              matching behavior. This option implies -n.

       -x, --regex_dn_match
              Specifies that names used with the following options -r, -R,
              and -Z will be matched against the full certificate subject
              distinguished name (DN) according to REGULAR EXPRESSIONS in
              myproxy-server.config(5).

       -X, --match_cn_only
              Specifies that names used with the following options -r, -R,
              and -Z will be matched against the certificate subject common
              name (CN) according to REGULAR EXPRESSIONS in
              myproxy-server.config(5). For example, if an argument of
              -r "Jim Basney" is specified, then the resulting policy will be
              "*/CN=Jim Basney". This is the default behavior.

       -k name, --credname name
              Specifies the credential name.

       -K description, --creddesc description
              Specifies the credential description.

       -S, --stdin_pass
              By default, the command prompts for a passphrase and reads the
              passphrase from the active tty. When running the command
              non-interactively, there may be no associated tty. Specifying
              this option tells the command to read passphrases from standard
              input without prompts or confirmation.

       -L, --local_proxy
              In addition to storing a proxy credential on the
              myproxy-server(8) with lifetime set by --cred_lifetime (default
              1 week), create a local proxy credential with lifetime set by
              --proxy_lifetime (default 12 hours).

       -n, --no_passphrase
              Don't prompt for a credential passphrase. Store credentials
              without a credential passphrase, to be protected by other
              methods, such as PAM, SASL, or certificate-based authentication.
              This option is implied by -R since passphrase authentication is
              not used for credential renewal. Note that the
              myproxy-server(8) always requires some type of authentication
              for retrieving credentials, so if you store a credential with no
              passphrase and other authentication methods are not configured,
              the credential will not be accessible.

       -m voms, --voms voms
              Add VOMS attributes to the credential by running voms-proxy-init
              on the client side before storing the credential on the
              myproxy-server(8). The VOMS VO name must be provided, as
              required by voms-proxy-init -voms. The voms-proxy-init command
              must be installed and configured to use this option. For
              example, the VOMS_USERCONF environment variable may need to be
              set for voms-proxy-init to run correctly.

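       The cautions attached to -A, -n and to mixing retrieval with renewal
       can be checked before a command is run. The lint function below is an
       added example, not part of MyProxy: the finding labels are invented
       here, and reporting -c 0 and a MYPROXY_KEYBITS value below 2048 (see
       ENVIRONMENT) is this example's own policy choice.

```shell
# Added example (not part of MyProxy): lint a proposed myproxy-init argument
# list against the cautions in OPTIONS. It inspects arguments only.
lint_myproxy_init() (
    retr=0; renew=0; nopass=0; cert=0; n=0
    flag() { n=$((n + 1)); printf '%s\n' "$1"; }
    while [ $# -gt 0 ]; do
        case "$1" in
            -A|--allow_anonymous_renewers)
                flag "ANON_RENEW: -A defeats proxy lifetimes; not recommended" ;;
            -a|--allow_anonymous_retrievers) retr=1 ;;
            -r|--retrievable_by)
                retr=1; [ $# -gt 1 ] && shift ;;
            -Z|--retrievable_by_cert)
                retr=1; cert=1; [ $# -gt 1 ] && shift ;;
            -R|--renewable_by)
                renew=1; [ $# -gt 1 ] && shift ;;
            -n|--no_passphrase) nopass=1 ;;
            -c|--cred_lifetime)
                [ "${2:-}" = 0 ] &&
                    flag "MAX_LIFETIME: -c 0 stores the original's full lifetime"
                [ $# -gt 1 ] && shift ;;
            -s|--pshost|-p|--psport|-l|--username|-t|--proxy_lifetime|\
            -C|--certfile|-y|--keyfile|-k|--credname|-K|--creddesc|-m|--voms)
                [ $# -gt 1 ] && shift ;;   # skip the option's value
        esac
        shift
    done
    # Retrieval and renewal need separate stored credentials (see DESCRIPTION).
    [ "$retr" = 1 ] && [ "$renew" = 1 ] &&
        flag "RETRIEVE_AND_RENEW: use separate credentials named with -k"
    # -n alone leaves the credential with no client-chosen protection.
    [ "$nopass" = 1 ] && [ "$renew" = 0 ] && [ "$cert" = 0 ] &&
        flag "NOPASS_ONLY: unusable unless the server has PAM, SASL or cert auth"
    # Policy choice of this example: do not go below the 2048-bit default.
    [ "${MYPROXY_KEYBITS:-2048}" -lt 2048 ] &&
        flag "WEAK_KEYBITS: MYPROXY_KEYBITS is below the 2048-bit default"
    if [ "$n" -eq 0 ]; then echo OK; fi
)
```

       Call it with the same arguments intended for myproxy-init; it prints
       OK or one finding per line.
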
EXIT STATUS
       0 on success, >0 on error

FILES
       ~/.globus/usercert.pem
              Default location of the certificate from which the proxy
              credential is created. Set the X509_USER_CERT environment
              variable to override.

       ~/.globus/userkey.pem
              Default location of the private key from which the proxy
              credential is created. Set the X509_USER_KEY environment
              variable to override.

       /tmp/myproxy-proxy.<uid>.<pid>
              Location of the temporary proxy credential that is delegated to
              the myproxy-server(8). It is removed after the delegation is
              completed.

ENVIRONMENT
       GLOBUS_GSSAPI_NAME_COMPATIBILITY
              This client will, by default, perform a reverse-DNS lookup to
              determine the FQHN (Fully Qualified Host Name) to use in
              verifying the identity of the server by checking the FQHN
              against the CN in the server's certificate. Setting this
              variable to STRICT_RFC2818 will cause the reverse-DNS lookup to
              NOT be performed and the user-specified name to be used
              instead. This variable setting will be ignored if
              MYPROXY_SERVER_DN (described later) is set.

       MYPROXY_SERVER
              Specifies the hostname(s) where the myproxy-server(8) is
              running. Multiple hostnames can be specified in a
              comma-separated list with each hostname optionally followed by
              a ':' and port number. This environment variable can be used in
              place of the -s option.

       MYPROXY_SERVER_PORT
              Specifies the port where the myproxy-server(8) is running. This
              environment variable can be used in place of the -p option.

       MYPROXY_SERVER_DN
              Specifies the distinguished name (DN) of the myproxy-server(8).
              All MyProxy client programs authenticate the server's identity.
              By default, MyProxy servers run with host credentials, so the
              MyProxy client programs expect the server to have a
              distinguished name with "/CN=host/<fqhn>" or
              "/CN=myproxy/<fqhn>" or "/CN=<fqhn>" (where <fqhn> is the
              fully-qualified hostname of the server). If the server is
              running with some other DN, you can set this environment
              variable to tell the MyProxy clients to accept the alternative
              DN. Also see GLOBUS_GSSAPI_NAME_COMPATIBILITY above.

       X509_USER_CERT
              Specifies a non-standard location for the certificate from which
              the proxy credential is created. The location may be the path
              to an end-entity certificate (ex. ~/.globus/usercert.pem) or a
              proxy (ex. /tmp/x509up_u<uid>).

       X509_USER_KEY
              Specifies a non-standard location for the private key from which
              the proxy credential is created. The location may be the path
              to an end-entity private key (ex. ~/.globus/userkey.pem) or a
              proxy (ex. /tmp/x509up_u<uid>).

       X509_CERT_DIR
              Specifies a non-standard location for the CA certificates
              directory.

       GT_PROXY_MODE
              Set to "old" to store a "legacy globus proxy" in the MyProxy
              repository. Set to "rfc" to store an "RFC 3820 compliant proxy"
              in the MyProxy repository.

       MYPROXY_TCP_PORT_RANGE
              Specifies a range of valid port numbers in the form "min,max"
              for the client side of the network connection to the server. By
              default, the client will bind to any available port. Use this
              environment variable to restrict the ports used to a range
              allowed by your firewall. If unset, MyProxy will follow the
              setting of the GLOBUS_TCP_PORT_RANGE environment variable.

       MYPROXY_KEYBITS
              Specifies the size for RSA keys generated by MyProxy. By
              default, MyProxy generates 2048 bit RSA keys. Set this
              environment variable to "1024" for 1024 bit RSA keys.

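       The server-list and server-identity rules above, worked as an added
       example that is not part of MyProxy. resolve_myproxy_endpoints and
       default_dn_ok are hypothetical helper names; -p is assumed to take
       precedence over MYPROXY_SERVER_PORT, and the DN test is a plain string
       check on the hostname as given (no reverse-DNS lookup) that
       approximates the default rule.

```shell
# Added example (not part of MyProxy). Prints "host port" for each server.
#   $1 = value that would be given to -s (else MYPROXY_SERVER is used)
#   $2 = value that would be given to -p (else MYPROXY_SERVER_PORT, else 7512)
# Assumption: -p takes precedence over MYPROXY_SERVER_PORT.
resolve_myproxy_endpoints() (
    list=${1:-${MYPROXY_SERVER:-}}
    dflt=${2:-${MYPROXY_SERVER_PORT:-7512}}
    [ -n "$list" ] || { echo "set MYPROXY_SERVER or pass -s" >&2; exit 1; }
    set -f; IFS=,                       # split on commas, no globbing
    for entry in $list; do
        case "$entry" in
            *:*) host=${entry%%:*}; port=${entry##*:} ;;  # per-host port wins
            *)   host=$entry; port=$dflt ;;
        esac
        case "$port" in
            ''|*[!0-9]*) echo "bad port in '$entry'" >&2; exit 1 ;;
        esac
        printf '%s %s\n' "$host" "$port"
    done
)

# Succeeds when the subject DN ends in one of the three CN forms the client
# accepts by default; otherwise MYPROXY_SERVER_DN has to be set.
#   $1 = server certificate subject, $2 = hostname as the user typed it
default_dn_ok() {
    case "$1" in
        */CN=host/"$2"|*/CN=myproxy/"$2"|*/CN="$2") return 0 ;;
        *) return 1 ;;
    esac
}
```

       The host/port pairs are what an egress firewall rule has to allow; a
       server whose subject fails default_dn_ok needs MYPROXY_SERVER_DN set
       on every client.
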
AUTHORS
       See http://grid.ncsa.illinois.edu/myproxy/about for the list of MyProxy
       authors.

SEE ALSO
       myproxy-change-pass-phrase(1), myproxy-destroy(1),
       myproxy-get-trustroots(1), myproxy-info(1), myproxy-logon(1),
       myproxy-retrieve(1), myproxy-store(1), myproxy-server.config(5),
       myproxy-admin-adduser(8), myproxy-admin-change-pass(8),
       myproxy-admin-load-credential(8), myproxy-admin-query(8),
       myproxy-server(8)

MyProxy                            2011-09-05                   myproxy-init(1)