File: voms-proxy-init.1.adoc

voms-clients-java 3.3.7-1
// SPDX-FileCopyrightText: 2006 Istituto Nazionale di Fisica Nucleare
//
// SPDX-License-Identifier: Apache-2.0

VOMS-PROXY-INIT(1)
==================
:doctype: manpage


== NAME

voms-proxy-init - creates a proxy certificate with VOMS extensions


== SYNOPSIS

*voms-proxy-init* [options]


== DESCRIPTION

The voms-proxy-init command generates a proxy with the VOMS information included in an X.509 non-critical extension.

The VOMS attributes are obtained from a known VOMS server. The list of known VOMS servers is configured using a *vomses* 
configuration file, whose syntax is documented in the *vomses* man page. A custom vomses location can be specified using
the *--vomses* option.


VOMS attributes are requested only if the *-voms* option is passed on the command line, specifying for which 
Virtual Organizations (VOs) attributes are requested. 

VOMS attributes are signed by the VOMS server that issues them. The signature is verified on the client side leveraging 
local trust information, which is typically maintained in
*/etc/grid-security/vomsdir*. The vomsdir structure is documented in the *vomsdir* man page.
A custom vomsdir can be specified using the *--vomsdir* option.   

The default location of the proxy generated by voms-proxy-init is
----
 /tmp/x509up_u<user_id>
----

where user_id is the effective user id of the user running the command. 
A non-standard location for the proxy can be specified using the *-out* option.
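
The proxy file holds the proxy's private key unencrypted, so it should be a regular file owned by, and accessible only to, the user who created it. The following check is an added example, not part of voms-clients; the function names `default_proxy_path` and `check_proxy_file` are hypothetical, and the file argument also covers a location chosen with *-out*.

```shell
#!/bin/sh
# Added example: audit the proxy file written by voms-proxy-init.

# Default proxy location as documented above: /tmp/x509up_u<effective uid>.
default_proxy_path() {
    printf '/tmp/x509up_u%s\n' "$(id -u)"
}

# Return 0 only if FILE is a regular file (not a symlink), owned by the
# effective user, with no permission bits set for group or others.
check_proxy_file() {
    f=$1
    if [ -L "$f" ]; then
        echo "FAIL: $f is a symbolic link" >&2
        return 1
    fi
    if [ ! -f "$f" ]; then
        echo "FAIL: $f is not a regular file" >&2
        return 1
    fi
    # ls -ldn prints the mode string and the numeric owner,
    # e.g. "-rw------- 1 1000 1000 ..."; only fields 1 and 3 are used.
    set -- $(ls -ldn -- "$f")
    mode=$1
    owner=$3
    if [ "$owner" != "$(id -u)" ]; then
        echo "FAIL: $f is owned by uid $owner" >&2
        return 1
    fi
    # Characters 5-10 of the mode string are the group and other bits.
    case $mode in
        ????------*) ;;
        *)
            echo "FAIL: $f has mode $mode (group/other access)" >&2
            return 1
            ;;
    esac
    echo "OK: $f ($mode, uid $owner)"
}

# Usage after voms-proxy-init: check_proxy_file "$(default_proxy_path)"
```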

=== Requesting VOMS attributes

Attributes can be requested using the *-voms* option. A basic usage is given in the following example:
----
voms-proxy-init -voms <voname>
----
where voname is the name of one of the configured VOs. The above command will create a proxy containing
a VOMS extension which holds all group attributes belonging to the user.

VOMS roles are conditional attributes which are included in a VOMS attribute certificate only when explicitly
requested. Roles can be requested using a command like the following one:
----
voms-proxy-init -voms atlas:/atlas/Role=pilot
----

=== Ordering requested attributes

Typically VOMS attributes are returned in the order in which they are requested on the command line. For instance,
the following command:
----
voms-proxy-init -voms infngrid:/infngrid/group1 -voms infngrid:/infngrid/Role=pilot
----
will produce an Attribute Certificate which has as the primary attribute `/infngrid/group1`, followed by `/infngrid/Role=pilot`,
and then by the other attributes belonging to the user. The *-order* option can also be used to express order requirements.

=== Setting the validity period of the generated proxy and attribute certificate

By default, voms-proxy-init will generate a proxy valid for 12 hours including a VOMS extension valid for the same time (if requested).
These time periods can be changed using the *-valid* option, which will set the validity of both the proxy and 
the AC. Note that the validity of the AC can only be "proposed" by voms-proxy-init, as the AC validity is set by the VOMS server
and its maximum value is limited by local VOMS server configuration (typically the maximum value is 24 hours).

=== Setting the type of proxy generated by voms-proxy-init

By default, voms-proxy-init generates a legacy proxy compatible with Globus Toolkit version 2. This behaviour can be changed using the *-rfc*
option, which will produce an RFC3820 compliant proxy. In order to generate a Globus Toolkit version 3 proxy, i.e. a draft compliant proxy,
use the *-proxyver 3* option.

== CONFIGURATION

Local configuration for trusted VOs is needed for _voms-proxy-init_ to work properly. See the _vomses(5)_ and _vomsdir(5)_ man pages
for more details.

== OPTIONS

Options may be specified using either a "-" or "--" prefix.

*-b,--bits <num-bits>*

	Number of bits in key {512|1024|2048|4096}

*--cert <certfile>*

	Nonstandard location of user certificate
	
*--certdir <certdir>* 

	Nonstandard location of trusted cert dir

*--conf <file>*

	Read options from <file>

*--debug*

	Enables extra debug output

*--dont_verify_ac*         

	Skips AC verification

*-f,--failonwarn*

	Treat warnings as errors

*--help*

	Displays help and exits

*--hours <hours>*

	Sets the generated proxy validity to H hours (default:12). 
	Note that this option only sets the lifetime of the generated proxy. 
	Use -valid to set lifetime for both the proxy and the AC.
	
*--ignorewarn*

	Ignore warnings
	
*-k,--key <keyfile>*

	Non standard location of user key
	
*--limited*

	Creates a limited proxy

*-n,--noregen*

	Use an existing proxy certificate to obtain VOMS attributes and to sign the newly generated proxy

*--old*

	Creates a legacy, GT2 compliant proxy (synonymous with '-proxyver 2')

*--order <fqan>*

	The fqan specified with this option is set as the primary FQAN if present in the list of attributes returned by the server. 
	Use this option more than once if you want to set the order for more than one FQAN.

*--out <proxyfile>*

	Non standard location of the generated proxy certificate

*--path_length <L>*

	Allow a chain of at most L proxies to be generated and signed from the proxy created by voms-proxy-init.

*--proxyver <2|3|4>*

	Sets the type of proxy generated by VOMS proxy init. 2 stands for legacy proxy, 3 for draft proxy, 4 for rfc proxy. 
	Use -old or -rfc instead of this option.

*--pwstdin*

	Reads private key passphrase from standard input.
	
*-q,--quiet*

	Quiet mode, minimal output

*-r,--rfc*

	Creates an RFC 3820 compliant proxy (synonymous with '-proxyver 4')
	
*--target <hostname>*

	Targets the AC against a specific hostname. Multiple targets can be expressed using this option multiple times.

*--usage*

	Displays help and exits

*--valid <h:m>*

	Sets generated proxy and AC validity to h hours and m minutes (defaults to 12:00). 
	Note that the VOMS server could shorten the validity of the issued AC depending on the server configuration.

*--verify*

	Verifies the validity of the user certificate.
	
*--version*

	Displays version
	
*--voms <voms<:fqan>>*

	Specifies the VO for which the AC is requested. <:fqan> is optional, and is used to ask for
	specific attributes (e.g. --voms atlas:/atlas/Role=pilot). 
	This option can be used multiple times to request multiple FQANs for different VOs. 
	The order in which the option appears on the command line influences the order of the issued attributes.

*--vomsdir <DIR>*

	Sets the path where lsc files and other local VOMS trust anchors will be looked for.
    
*--vomses <vomses file>*

	Specifies the name of a VOMSES file from which VOMS server contact information is parsed.

*--vomslife <h:m>*

	Sets the validity of the requested VOMS attribute certificate to h hours and m minutes (defaults to the value of the '-valid' option)

BUGS
----
To report bugs or ask for support, use GGUS: https://ggus.eu/pages/home.php

AUTHORS
------
Enrico Vianello <enrico.vianello@cnaf.infn.it>

Francesco Giacomini <francesco.giacomini@cnaf.infn.it>


SEE ALSO
--------
voms-proxy-destroy(1), voms-proxy-info(1), vomses(5), vomsdir(5)