'\" t
.\" Title: grid-cert-diagnostics
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
.\" Date: 03/31/2018
.\" Manual: Grid Community Toolkit Manual
.\" Source: Grid Community Toolkit 6
.\" Language: English
.\"
.TH "GRID\-CERT\-DIAGNOST" "1" "03/31/2018" "Grid Community Toolkit 6" "Grid Community Toolkit Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
grid-cert-diagnostics \- Print diagnostic information about certificates and keys
.SH "SYNOPSIS"
.sp
\fBgrid\-cert\-diagnostics\fR [ \-h | \-help ]
.sp
\fBgrid\-cert\-diagnostics\fR [ \-p ] [ \-n ] [ \-c CERTIFICATE [\-H HOSTNAME] [\-m { STRICT_GT2 | HYBRID | STRICT_RFC2818 }]]
.sp
\fBgrid\-cert\-diagnostics\fR [ \-s HOST[:PORT] | \-g HOST[:PORT] ] [\-m { STRICT_GT2 | HYBRID | STRICT_RFC2818 }]
.SH "DESCRIPTION"
.sp
The \fBgrid\-cert\-diagnostics\fR program displays information about the current user\(cqs security environment, including information about security\-related environment variables, the security directory search path, the personal key and certificate, and the trusted certificates\&. It is intended to provide information to help diagnose problems using GSI\&.
.sp
By default, \fBgrid\-cert\-diagnostics\fR prints out information regarding the environment and trusted certificate directory\&. If the \fI\-p\fR command\-line option is used, then additional information about the current user\(cqs default certificate and key will be printed\&.
.sp
The \fBgrid\-cert\-diagnostics\fR program can also attempt to diagnose problems connecting to remote GridFTP or SSL\-based services\&.
.SH "OPTIONS"
.sp
The full set of command\-line options to \fBgrid\-cert\-diagnostics\fR consists of:
.PP
\fB\-h, \-help\fR
.RS 4
Display a help message and exit\&.
.RE
.PP
\fB\-p\fR
.RS 4
Display information about the personal certificate and key that is the current user\(cqs default credential\&.
.RE
.PP
\fB\-n\fR
.RS 4
Check time synchronization with the
ntpdate
command\&.
.RE
.PP
\fB\-c \fR\fB\fICERTIFICATE\fR\fR\fB, \-c \fR\fB\fI\-\fR\fR
.RS 4
Check the validity of the certificate in the file named by
\fICERTIFICATE\fR
or standard input if the parameter to
\fI\-c\fR
is
\fI\-\fR\&.
.RE
.PP
\fB\-H \fR\fB\fIHOSTNAME\fR\fR
.RS 4
When using the
\fB\-c\fR
option above, check that the certificate\(cqs identity matches HOSTNAME\&.
.RE
.PP
\fB\-m \fR\fB\fISTRICT_GT2 | HYBRID | STRICT_RFC2818\fR\fR
.RS 4
Use the specified mode when comparing host certificate names\&.
.RE
.PP
\fB\-s \fR\fB\fIHOST[:PORT]\fR\fR
.RS 4
Connect to the service listening on
\fIHOST:PORT\fR
and initiate the TLS protocol\&. Diagnostics will be printed containing the TLS / SSL protocol version and available cipher list\&. The certificate chain will be verified, and certificate subject name, issuer name, and subjectAltName extensions will be printed\&. If the
\fI:PORT\fR
is omitted, the default of
\fI443\fR
is used\&.
.RE
.PP
\fB\-g \fR\fB\fIHOST[:PORT]\fR\fR
.RS 4
Similar to the
\fI\-s\fR
option, but use the GridFTP protocol\&. The initial GridFTP banner response is included in the diagnostic output\&. If the
\fI:PORT\fR
is omitted, the default of
\fI2811\fR
is used\&.
.RE
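.sp
The following Python block is an added illustration, not code from \fBgrid\-cert\-diagnostics\fR or the Grid Community Toolkit, of how the three \fI\-m\fR modes differ when a host name is compared against a certificate\&. The rules it implements are an assumption made for illustration: STRICT_GT2 accepts only the Globus\-style subject CN \fIhost/<fqdn>\fR; STRICT_RFC2818 accepts subjectAltName dNSName entries (wildcard in the leftmost label only) and falls back to the CN only when no dNSName is present; HYBRID accepts whichever of the two matches\&. The function and parameter names are hypothetical\&.
.sp
```python
# Added example, not code from grid-cert-diagnostics: a simplified model of the
# name-comparison modes selectable with -m. The rules are an assumption for
# illustration (service prefixes other than "host/" are not modeled).


def _rfc2818_match(pattern, hostname):
    """Case-insensitive match; "*" may replace only the leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    head, _, tail = pattern.partition(".")
    hhead, _, htail = hostname.partition(".")
    # "*.example.org" matches "ftp.example.org" but neither "example.org"
    # nor "sub.ftp.example.org"; a bare "*" never matches.
    return head == "*" and tail != "" and tail == htail and hhead != ""


def _gt2_match(subject_cn, hostname):
    """GT2 convention (assumed): the subject CN is "host/<fqdn>"."""
    return subject_cn.lower() == "host/" + hostname.lower().rstrip(".")


def host_matches(mode, hostname, subject_cn, dns_names=()):
    """Decide whether HOSTNAME is acceptable for a certificate with the given
    subject CN and subjectAltName dNSName list under the chosen -m mode."""
    if mode not in ("STRICT_GT2", "HYBRID", "STRICT_RFC2818"):
        raise ValueError("unknown mode: " + mode)
    gt2 = _gt2_match(subject_cn, hostname)
    if dns_names:
        # RFC 2818: when dNSName entries exist, the CN is not consulted.
        rfc = any(_rfc2818_match(n, hostname) for n in dns_names)
    else:
        rfc = _rfc2818_match(subject_cn, hostname)
    if mode == "STRICT_GT2":
        return gt2
    if mode == "STRICT_RFC2818":
        return rfc
    return gt2 or rfc


if __name__ == "__main__":
    # Constructed inputs: an old-style host certificate and an RFC 2818 one.
    for mode in ("STRICT_GT2", "HYBRID", "STRICT_RFC2818"):
        old = host_matches(mode, "ftp.example.org", "host/ftp.example.org")
        new = host_matches(mode, "ftp.example.org", "ftp.example.org", ["*.example.org"])
        print("%-15s host/CN cert: %-5s SAN cert: %s" % (mode, old, new))
```
.sp
A practical reading of the model: a service that still presents a \fIhost/<fqdn>\fR certificate is accepted in STRICT_GT2 and HYBRID but rejected in STRICT_RFC2818, while a certificate that relies on subjectAltName is rejected in STRICT_GT2\&. Running \fBgrid\-cert\-diagnostics \-s\fR against the service with each \fI\-m\fR value shows which of these cases applies before clients in a given mode start failing\&.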
.SH "EXAMPLES"
.sp
In this example, we see the default mode of checking the default security environment for the system, without processing the user\(cqs key and certificate\&. Note that the user receives a warning about a cog\&.properties file and about an expired CA certificate\&.
.sp
.if n \{\
.RS 4
.\}
.nf
% grid\-cert\-diagnostics
.fi
.if n \{\
.RE
.\}
.sp
.if n \{\
.RS 4
.\}
.nf
Checking Environment Variables
==============================
Checking if X509_CERT_DIR is set\&.\&.\&. no
Checking if X509_USER_CERT is set\&.\&.\&. no
Checking if X509_USER_KEY is set\&.\&.\&. no
Checking if X509_USER_PROXY is set\&.\&.\&. no
.fi
.if n \{\
.RE
.\}
.sp
.if n \{\
.RS 4
.\}
.nf
Checking Security Directories
=======================
Determining trusted cert path\&.\&.\&. /etc/grid\-security/certificates
Checking for cog\&.properties\&.\&.\&. found
WARNING: If the cog\&.properties file contains security properties,
Java apps will ignore the security paths described in the GSI
documentation
.fi
.if n \{\
.RE
.\}
.sp
.if n \{\
.RS 4
.\}
.nf
Checking trusted certificates\&.\&.\&.
================================
Getting trusted certificate list\&.\&.\&.
Checking CA file /etc/grid\-security/certificates/1c4f4c48\&.0\&.\&.\&. ok
Verifying certificate chain for "/etc/grid\-security/certificates/1c3f2ca8\&.0"\&.\&.\&. ok
Checking CA file /etc/grid\-security/certificates/9d8788eb\&.0\&.\&.\&. ok
Verifying certificate chain for "/etc/grid\-security/certificates/9d8753eb\&.0"\&.\&.\&. failed
globus_credential: Error verifying credential: Failed to verify credential
globus_gsi_callback_module: Could not verify credential
globus_gsi_callback_module: The certificate has expired:
Credential with subject: /DC=org/DC=example/OU=grid/CN=CA has expired\&.
.fi
.if n \{\
.RE
.\}
.sp
In this example, we show a user with a mismatched private key and certificate:
.sp
.if n \{\
.RS 4
.\}
.nf
% grid\-cert\-diagnostics \-p
.fi
.if n \{\
.RE
.\}
.sp
.if n \{\
.RS 4
.\}
.nf
Checking Environment Variables
==============================
Checking if X509_CERT_DIR is set\&.\&.\&. no
Checking if X509_USER_CERT is set\&.\&.\&. no
Checking if X509_USER_KEY is set\&.\&.\&. no
Checking if X509_USER_PROXY is set\&.\&.\&. no
.fi
.if n \{\
.RE
.\}
.sp
.if n \{\
.RS 4
.\}
.nf
Checking Security Directories
=======================
Determining trusted cert path\&.\&.\&. /etc/grid\-security/certificates
Checking for cog\&.properties\&.\&.\&. not found
.fi
.if n \{\
.RE
.\}
.sp
.if n \{\
.RS 4
.\}
.nf
Checking Default Credentials
==============================
Determining certificate and key file names\&.\&.\&. ok
Certificate Path: "/home/juser/\&.globus/usercert\&.pem"
Key Path: "/home/juser/\&.globus/userkey\&.pem"
Reading certificate\&.\&.\&. ok
Reading private key\&.\&.\&.
ok
Checking Certificate Subject\&.\&.\&.
"/O=Grid/OU=Example/OU=User/CN=Joe User"
Checking cert\&.\&.\&. ok
Checking key\&.\&.\&. ok
Checking that certificate contains an RSA key\&.\&.\&. ok
Checking that private key is an RSA key\&.\&.\&. ok
Checking that public and private keys have the same modulus\&.\&.\&. failed
Private key modulus: D294849E37F048C3B5ACEEF2CCDF97D88B679C361E29D5CB5
219C3E948F3E530CFC609489759E1D751F0ACFF0515A614276A0F4C11A57D92D7165B8
FA64E3140155DE448D45C182F4657DA13EDA288423F5B9D169DFF3822EFD81EB2E6403
CE3CB4CCF96B65284D92592BB1673A18354DA241B9AFD7F494E54F63A93E15DCAE2
Public key modulus : C002C7B329B13BFA87BAF214EACE3DC3D490165ACEB791790
600708C544175D9193C9BAC5AED03B7CB49BB6AE6D29B7E635FAC751E9A6D1CEA98022
6F1B63002902D6623A319E4682E7BFB0968DCE962CF218AAD95FAAD6A0BA5C42AA9AAF
7FDD32B37C6E2B2FF0E311310AA55FFB9EAFDF5B995C7D9EEAD8D5D81F3531E0AE5
Certificate and and private key don\*(Aqt match
.fi
.if n \{\
.RE
.\}
.SH "AUTHOR"
.sp
Copyright \(co 1999\-2015 University of Chicago