arcproxy - Man Page

ARC Credentials Proxy generation utility

Description

Usage

arcproxy [OPTION...]

The arcproxy command creates a proxy from a key/certificate pair which can then be used to access grid resources.

Options

-h,  --help

Show help options

-P,  --proxy=path

path to the proxy file

-C,  --cert=path

path to the certificate file; it can be PEM, DER, or PKCS12 formatted

-K,  --key=path

path to the private key file; if the certificate is in PKCS12 format, no private key needs to be given

-T,  --cadir=path

path to the trusted certificate directory, only needed for the VOMS client functionality

-s,  --vomsdir=path

path to the top directory of VOMS *.lsc files, only needed for the VOMS client functionality

-V,  --vomses=path

path to the VOMS server configuration file

-S,  --voms=string

voms<:command>. Specify VOMS server

More than one VOMS server can be specified like this: --voms VOa:command1 --voms VOb:command2. The :command part is optional and is used to ask for specific attributes (e.g. roles)

command options are:

all --- put all of this DN's attributes into AC;

list --- list all of the DN's attributes; will not create an AC extension;

/Role=yourRole --- specify the role, if this DN has such a role, the role will be put into AC;

/voname/groupname/Role=yourRole --- specify the VO, group and role; if this DN has such a role, the role will be put into AC.

If this option is not specified, values from configuration files are used. To prevent any VOMS server from being used, specify -S with an empty value.

-o,  --order=string

group<:role>. Specify ordering of attributes

Example: --order /knowarc.eu/coredev:Developer,/knowarc.eu/testers:Tester or: --order /knowarc.eu/coredev:Developer --order /knowarc.eu/testers:Tester

Note that it does not make sense to specify the order if you have two or more different VOMS servers specified

-G,  --gsicom

use GSI communication protocol for contacting VOMS services

-H,  --httpcom

use HTTP communication protocol for contacting VOMS services that provide RESTful access

Note that for RESTful access, the 'list' command and multiple VOMS servers are not supported

-B,  --oldcom

use old communication protocol for contacting VOMS services instead of RESTful access

-O,  --old

this option is not functional (old GSI proxies are not supported anymore)

-I,  --info

print all information about this proxy.

-i,  --infoitem=string

print selected information about this proxy.

-r,  --remove

remove proxy

-U,  --user=string

username to MyProxy server (if missing subject of user certificate is used)

-N,  --nopassphrase

don't prompt for a credential passphrase when retrieving a credential from a MyProxy server.

The precondition for this choice is that the credential was PUT onto the MyProxy server without a passphrase by using the -R (--retrievable_by_cert) option. This option is specific to the GET command when contacting the MyProxy server.

-R,  --retrievable_by_cert=string

Allow specified entity to retrieve credential without passphrase.

This option is specific to the PUT command when contacting the MyProxy server.

-L,  --myproxysrv=string

hostname[:port] of MyProxy server

-M,  --myproxycmd=string

command to MyProxy server. The command can be PUT, GET, INFO, NEWPASS or DESTROY.

PUT -- put delegated credentials to the MyProxy server;

GET -- get delegated credentials from the MyProxy server;

INFO -- get and present information about credentials stored at the MyProxy server;

NEWPASS -- change password protecting credentials stored at the MyProxy server;

DESTROY -- wipe off credentials stored at the MyProxy server;

Local credentials (certificate and key) are not necessary except in the case of PUT. MyProxy functionality can be used together with VOMS functionality. --voms and --vomses can be used with the GET command if VOMS attributes are required to be included in the proxy.

-F,  --nssdb

use NSS credential database in default Mozilla profiles, including Firefox, Seamonkey and Thunderbird.

-c,  --constraint=string

proxy constraints

-p,  --passwordsource=string

password destination=password source

-t,  --timeout=seconds

timeout in seconds (default 20)

-z,  --conffile=filename

configuration file (default ~/.arc/client.conf)

-d,  --debug=debuglevel

FATAL, ERROR, WARNING, INFO, VERBOSE or DEBUG

--systemca

force using CA certificates configuration provided by OpenSSL

--gridca

force using CA certificates configuration for Grid services (typically IGTF)

--allowinsecureconnection

allow TLS connection which failed verification

-v,  --version

print version information

Supported constraints are

validityStart=time (e.g. 2008-05-29T10:20:30Z; if not specified, start from now)

validityEnd=time

validityPeriod=time (e.g. 43200 or 12h or 12H; if neither validityPeriod nor validityEnd is specified, the default is 12 hours for a local proxy and 168 hours for a delegated proxy on a MyProxy server)

vomsACvalidityPeriod=time (e.g. 43200 or 12h or 12H; if not specified, the default is the minimum value of 12 hours and validityPeriod)

myproxyvalidityPeriod=time (lifetime of proxies delegated by myproxy server, e.g. 43200 or 12h or 12H; if not specified, the default is the minimum value of 12 hours and validityPeriod (which is lifetime of the delegated proxy on myproxy server))

proxyPolicy=policy content

proxyPolicyFile=policy file

keybits=number - length of the key to generate. Default is 2048 bits. The special value 'inherit' uses the key length of the signing certificate.

signingAlgorithm=name - signing algorithm to use for signing the public key of the proxy. Possible values are sha1, sha2 (alias for sha256), sha224, sha256, sha384, sha512 and inherit (use the algorithm of the signing certificate). Default is inherit. With old systems, only sha1 is acceptable.
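The lifetime rules above (validityPeriod defaults, vomsACvalidityPeriod as the minimum of 12 hours and validityPeriod, the accepted time formats) are modelled below as an added example; this is not arcproxy's own code, and the precedence of validityEnd over validityPeriod when both are given is an assumption the man page does not state.

```python
# Added example, not arcproxy code: models how the -c/--constraint values
# listed above combine into proxy and VOMS AC lifetimes, using the formats
# the man page gives (43200, 12h, 12H; 2008-05-29T10:20:30Z).
import re
from datetime import datetime, timedelta, timezone

TWELVE_HOURS = 12 * 3600          # default for a local proxy
DELEGATED_DEFAULT = 168 * 3600    # default for a proxy delegated to MyProxy
SIGNING_ALGS = {"sha1", "sha2", "sha224", "sha256", "sha384", "sha512", "inherit"}

def parse_period(value: str) -> int:
    """'43200' is seconds; '12h' / '12H' is hours."""
    m = re.fullmatch(r"(\d+)([hH]?)", value.strip())
    if not m:
        raise ValueError(f"bad period: {value!r}")
    return int(m.group(1)) * (3600 if m.group(2) else 1)

def parse_time(value: str) -> datetime:
    """Timestamps are UTC in the 2008-05-29T10:20:30Z form."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def resolve_constraints(constraints, now=None, delegated=False):
    """Effective proxy start/end/period and VOMS AC period, in seconds.
    Assumption (the man page is silent): validityEnd wins when both it
    and validityPeriod are given."""
    now = now or datetime.now(timezone.utc)
    c = dict(item.split("=", 1) for item in constraints)
    start = parse_time(c["validityStart"]) if "validityStart" in c else now
    if "validityEnd" in c:
        end = parse_time(c["validityEnd"])
        period = int((end - start).total_seconds())
    else:
        default = DELEGATED_DEFAULT if delegated else TWELVE_HOURS
        period = parse_period(c.get("validityPeriod", str(default)))
        end = start + timedelta(seconds=period)
    if period <= 0:
        raise ValueError("validityEnd is not after validityStart")
    # vomsACvalidityPeriod defaults to the minimum of 12 hours and validityPeriod
    if "vomsACvalidityPeriod" in c:
        ac_period = parse_period(c["vomsACvalidityPeriod"])
    else:
        ac_period = min(TWELVE_HOURS, period)
    alg = c.get("signingAlgorithm", "inherit")
    if alg not in SIGNING_ALGS:
        raise ValueError(f"unsupported signingAlgorithm: {alg!r}")
    return {"start": start, "end": end, "period": period,
            "vomsACvalidityPeriod": ac_period, "signingAlgorithm": alg}
```

A 24-hour proxy therefore still carries a 12-hour VOMS AC unless vomsACvalidityPeriod is set explicitly, which is worth checking with --infoitem vomsACvalidityLeft before a long job.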

Supported information item names are

subject - subject name of proxy certificate.

identity - identity subject name of proxy certificate.

issuer - issuer subject name of proxy certificate.

ca - subject name of CA which issued initial certificate.

path - file system path to file containing proxy.

type - type of proxy certificate.

validityStart - timestamp when proxy validity starts.

validityEnd - timestamp when proxy validity ends.

validityPeriod - duration of proxy validity in seconds.

validityLeft - duration of proxy validity left in seconds.

vomsVO - VO name represented by VOMS attribute

vomsSubject - subject of certificate for which VOMS attribute is issued

vomsIssuer - subject of service which issued VOMS certificate

vomsACvalidityStart - timestamp when VOMS attribute validity starts.

vomsACvalidityEnd - timestamp when VOMS attribute validity ends.

vomsACvalidityPeriod - duration of VOMS attribute validity in seconds.

vomsACvalidityLeft - duration of VOMS attribute validity left in seconds.

proxyPolicy

keybits - size of proxy certificate key in bits.

signingAlgorithm - algorithm used to sign proxy certificate.

Items are printed in the requested order and are separated by newlines. If an item has multiple values they are printed on the same line separated by |.

Supported password destinations are

key - for reading private key

myproxy - for accessing credentials at MyProxy service

myproxynew - for creating credentials at MyProxy service

all - for any purpose.

Supported password sources are

quoted string ("password") - explicitly specified password

int - interactively request password from console

stdin - read password from standard input delimited by newline

file:filename - read password from file named filename

stream:# - read password from input stream number #. Currently only 0 (standard input) is supported.

Environment Variables

ARC_LOCATION

The location where ARC is installed can be specified by this variable. If not specified the install location will be determined from the path to the command being executed, and if this fails a WARNING will be given stating the location which will be used.

ARC_PLUGIN_PATH

The location of ARC plugins can be specified by this variable. Multiple locations can be specified by separating them by : (; in Windows). The default location is $ARC_LOCATION/lib/arc (\ in Windows).

Files

/etc/vomses

Common file containing a list of selected VO contact points, one VO per line, for example:

"gin" "kuiken.nikhef.nl" "15050" "/O=dutchgrid/O=hosts/OU=nikhef.nl/CN=kuiken.nikhef.nl" "gin.ggf.org"

"nordugrid.org" "voms.uninett.no" "15015" "/O=Grid/O=NorduGrid/CN=host/voms.ndgf.org" "nordugrid.org"

~/.voms/vomses

Same as /etc/vomses but located in the user's home area. If it exists, it has precedence over /etc/vomses.

The order in which vomses locations are parsed is:

1. command line options
2. client configuration file ~/.arc/client.conf
3. $X509_VOMSES  or $X509_VOMS_FILE
4. ~/.arc/vomses
5. ~/.voms/vomses  
6. $ARC_LOCATION/etc/vomses  (this is for Windows environment)
7. $ARC_LOCATION/etc/grid-security/vomses  (this is for Windows environment)
8. $PWD/vomses
9. /etc/vomses
10. /etc/grid-security/vomses
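The five-field vomses line format shown under /etc/vomses and the lookup order just listed are reproduced in the following added example (not arcproxy's own code); items 1 and 2 of the order are not files and are left out, and the two sample lines are the ones from this page.

```python
# Added example, not arcproxy code: parses vomses entries in the five-field
# quoted format shown above and walks file locations 3 to 10 in listed order.
import os
import shlex
from dataclasses import dataclass

# Constructed sample: the two example lines from this man page.
SAMPLE_VOMSES = '''
"gin" "kuiken.nikhef.nl" "15050" "/O=dutchgrid/O=hosts/OU=nikhef.nl/CN=kuiken.nikhef.nl" "gin.ggf.org"
"nordugrid.org" "voms.uninett.no" "15015" "/O=Grid/O=NorduGrid/CN=host/voms.ndgf.org" "nordugrid.org"
'''

@dataclass(frozen=True)
class VomsesEntry:
    nick: str   # VO nickname used with --voms
    host: str   # VOMS server host
    port: int
    dn: str     # expected server certificate subject, slash notation
    vo: str     # VO name

def parse_vomses(text: str) -> list:
    """One VO contact point per line: "nick" "host" "port" "DN" "vo"."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = shlex.split(line)  # unquotes the five double-quoted fields
        if len(fields) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(fields)}")
        nick, host, port, dn, vo = fields
        if not port.isdigit() or not 0 < int(port) < 65536:
            raise ValueError(f"line {lineno}: bad port {port!r}")
        if not dn.startswith("/"):
            raise ValueError(f"line {lineno}: DN must be in /O=.../CN=... form")
        entries.append(VomsesEntry(nick, host, int(port), dn, vo))
    return entries

def vomses_search_path(env: dict, home: str, cwd: str) -> list:
    """File locations 3 to 10 in the precedence order the man page lists."""
    path = [env[v] for v in ("X509_VOMSES", "X509_VOMS_FILE") if env.get(v)]
    path += [os.path.join(home, ".arc", "vomses"), os.path.join(home, ".voms", "vomses")]
    if env.get("ARC_LOCATION"):  # items 6 and 7, meant for Windows installs
        path += [os.path.join(env["ARC_LOCATION"], "etc", "vomses"),
                 os.path.join(env["ARC_LOCATION"], "etc", "grid-security", "vomses")]
    path += [os.path.join(cwd, "vomses"), "/etc/vomses", "/etc/grid-security/vomses"]
    return path

def first_existing(path: list, exists=os.path.exists):
    return next((p for p in path if exists(p)), None)  # first hit wins
```

Because $PWD/vomses is consulted before /etc/vomses, a stray vomses file in the working directory can redirect VOMS contact to a different host and DN; first_existing makes that precedence visible.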

~/.arc/client.conf

Some options can be given default values by specifying them in the ARC client configuration file. By using the --conffile option a different configuration file can be used than the default.

Author

ARC software is developed by the NorduGrid Collaboration (http://www.nordugrid.org); please consult the AUTHORS file distributed with ARC. Please report bugs and feature requests to http://bugzilla.nordugrid.org

Reporting Bugs

Report bugs to http://bugzilla.nordugrid.org/

See Also

arccat(1), arcclean(1), arccp(1), arcget(1), arcinfo(1), arckill(1), arcls(1), arcmkdir(1), arcrenew(1), arcresume(1), arcrm(1), arcstat(1), arcsub(1), arcsync(1), arctest(1)

Referenced By

arccat(1), arcclean(1), arcget(1), arcinfo(1), arckill(1), arcrenew(1), arcresume(1), arcstat(1), arcsub(1), arcsync(1), arctest(1).

April 2025 arcproxy version 7.0.0