myproxy-get-trustroots - Man Page

fetch trustroots from a myproxy-server

Synopsis

myproxy-get-trustroots [ options ]

Description

The myproxy-get-trustroots command retrieves the trusted certificates from the myproxy-server(8) and stores them in the location specified by the X509_CERT_DIR environment variable if set or /etc/grid-security/certificates if running as root or ~/.globus/certificates if running as non-root.

An example cron job for running myproxy-get-trustroots periodically to keep the X509_CERT_DIR up-to-date is provided at $GLOBUS_LOCATION/share/myproxy/myproxy-get-trustroots.cron.

Options

-b,  --bootstrap

Unless this option is specified, then if the X509_CERT_DIR exists and the CA that signed the myproxy-server(8) certificate is not trusted, myproxy-get-trustroots will fail with an error, to protect against man-in-the-middle attacks. If, however, this option is specified, myproxy-get-trustroots will accept the CA to bootstrap trust.

-h,  --help

Displays command usage text and exits.

-u,  --usage

Displays command usage text and exits.

-v,  --verbose

Enables verbose debugging output to the terminal.

-V,  --version

Displays version information and exits.

-s hostname[:port], --pshost hostname[:port]

Specifies the hostname(s) of the myproxy-server(s). Multiple hostnames, each hostname optionally followed by a ':' and port number, may be specified in a comma-separated list. This option is required if the MYPROXY_SERVER environment variable is not defined.  If specified, this option overrides the MYPROXY_SERVER environment variable. If a port number is specified with a hostname, it will override the -p option as well as the MYPROXY_SERVER_PORT environment variable for that host.

-p port, --psport port

Specifies the TCP port number of the myproxy-server(8). Default: 7512

-q,  --quiet

Only write output messages on error.

Environment

GLOBUS_GSSAPI_NAME_COMPATIBILITY

This client will, by default, perform a reverse-DNS lookup to determine the FQHN (Fully Qualified Host Name) to use in verifying the identity of the server by checking the FQHN against the CN in server's certificate. Setting this variable to STRICT_RFC2818 will cause the reverse-DNS lookup to NOT be performed and the user-specified name to be used instead. This variable setting will be ignored if MYPROXY_SERVER_DN (described later) is set.

MYPROXY_SERVER

Specifies the hostname(s) where the myproxy-server(8) is running. Multiple hostnames can be specified in a comma separated list with each hostname optionally followed by a ':' and port number.  This environment variable can be used in place of the -s option.

MYPROXY_SERVER_PORT

Specifies the port where the myproxy-server(8) is running.  This environment variable can be used in place of the -p option.

MYPROXY_SERVER_DN

Specifies the distinguished name (DN) of the myproxy-server(8). All MyProxy client programs authenticate the server's identity. By default, MyProxy servers run with host credentials, so the MyProxy client programs expect the server to have a distinguished name with "/CN=host/<fqhn>" or "/CN=myproxy/<fqhn>" or "/CN=<fqhn>" (where <fqhn> is the fully-qualified hostname of the server).  If the server is running with some other DN, you can set this environment variable to tell the MyProxy clients to accept the alternative DN. Also see GLOBUS_GSSAPI_NAME_COMPATIBILITY above.

MYPROXY_TCP_PORT_RANGE

Specifies a range of valid port numbers  in the form "min,max" for the client side of the network connection to the server. By default, the client will bind to any available port. Use this environment variable to restrict the ports used to a range allowed by your firewall. If unset, MyProxy will follow the setting of the GLOBUS_TCP_PORT_RANGE environment variable.

X509_USER_CERT

Specifies a non-standard location for the certificate to be used for authentication to the myproxy-server(8).

X509_USER_KEY

Specifies a non-standard location for the private key to be used for authentication to the myproxy-server(8).

X509_USER_PROXY

Specifies a non-standard location for the proxy credential to be used for authentication to the myproxy-server(8).

X509_CERT_DIR

Specifies a non-standard location for the CA certificates directory.

Authors

See http://grid.ncsa.illinois.edu/myproxy/about for the list of MyProxy authors.

See Also

myproxy-change-pass-phrase(1), myproxy-destroy(1), myproxy-info(1), myproxy-init(1), myproxy-logon(1), myproxy-retrieve(1), myproxy-server.config(5), myproxy-store(1), myproxy-admin-adduser(8), myproxy-admin-change-pass(8), myproxy-admin-load-credential(8), myproxy-admin-query(8), myproxy-server(8)

Referenced By

myproxy-change-pass-phrase(1), myproxy-destroy(1), myproxy-info(1), myproxy-init(1), myproxy-logon(1), myproxy-retrieve(1), myproxy-server(8), myproxy-server.config(5), myproxy-store(1).

2009-12-1 MyProxy