'\" t .\" Title: grid-proxy-init .\" Author: University of Chicago .\" Generator: DocBook XSL Stylesheets v1.75.2 .\" Date: 04/25/2011 .\" Manual: Globus Commands .\" Source: Globus Toolkit 5.0.2 .\" Language: English .\" .TH "GRID\-PROXY\-INIT" "1" "04/25/2011" "Globus Toolkit 5.0.2" "Globus Commands" .\" ----------------------------------------------------------------- .\" * set default formatting .\" ----------------------------------------------------------------- .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .\" ----------------------------------------------------------------- .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- .SH "NAME" grid-proxy-init \- Generate a new proxy certificate .SH "SYNOPSIS" .HP \w'\fBgrid\-proxy\-init\fR\ 'u \fBgrid\-proxy\-init\fR [\-help] [\-usage] [\-version] .HP \w'\fBgrid\-proxy\-init\fR\ 'u \fBgrid\-proxy\-init\fR [\-debug] [\-q] [\-verify] .br [[\-valid\ \fIHOURS\fR:\fIMINUTES\fR] | [\-hours\ \fIHOURS\fR]] [\-cert\ \fICERTFILE\fR] [\-key\ \fIKEYFILE\fR] [\-certdir\ \fICERTDIR\fR] [\-out\ \fIPROXYPATH\fR] [\-bits\ \fIBITS\fR] .br [\-policy\ \fIPOLICYFILE\fR] .br [[\-pl\ \fIPOLICY\-OID\fR] | [\-policy\-language\ \fIPOLICY\-OID\fR]] [\-path\-length\ \fIMAXIMUM\fR] [\-pwstdin] [\-limited] [\-independent] [[\-draft] | [\-old] | [\-rfc]] .SH "DESCRIPTION" .PP The \fBgrid\-proxy\-init\fR program generates X\&.509 proxy certificates derived from the currently available certificate files\&. By default, this command generates a \m[blue]\fBRFC 3820\fR\m[]\&\s-2\u[1]\d\s+2 Proxy Certificate with a 512 bit key valid for 12 hours in a file named /tmp/x509up_u\fIUID\fR\&. Command\-line options and variables can modify the format, strength, lifetime, and location of the generated proxy certificate\&. .PP X\&.509 proxy certificates are short\-lived certificates, signed usually by a user\'s identity certificate or another proxy certificate\&. The key associated with a proxy certificate is unencrypted, so applications can authenticate using a proxy identity without providing a passphrase\&. .PP Proxy certificates provide a convenient alternative to constantly entering passwords, but are also less secure than the user\'s normal security credential\&. Therefore, they should always be user\-readable only (this is enforced by the GSI libraries), and should be deleted after they are no longer needed\&. .PP This version of \fBgrid\-proxy\-init\fR supports three different proxy formats: the old proxy format used in early releases of the Globus Toolkit up to version 2\&.4\&.x, an IETF draft version of X\&.509 Proxy Certificate profile used in Globus Toolkit 3\&.0\&.x and 3\&.2\&.x, and the RFC 3820 profile used in Globus Toolkit Version 4\&.0\&.x and 4\&.2\&.x\&. By default, this version of \fBgrid\-proxy\-init\fR creates an RFC 3820 compliant proxy\&. To create a proxy compatible with older versions of the Globus Toolkit, use the \fB\-old\fR or \fB\-draft\fR command\-line options\&. .PP The full set of command\-line options to \fBgrid\-proxy\-init\fR are: .PP \fB\-help\fR, \fB\-usage\fR .RS 4 Display the command\-line options to \fBgrid\-proxy\-init\fR\&. .RE .PP \fB\-version\fR .RS 4 Display the version number of the \fBgrid\-proxy\-init\fR command .RE .PP \fB\-debug\fR .RS 4 Display information about the path to the certificate and key used to generate the proxy certificate, the path to the trusted certificate directory, and verbose error messages .RE .PP \fB\-q\fR .RS 4 Suppress all output from \fBgrid\-proxy\-init\fR except for passphrase prompts\&. .RE .PP \fB\-verify\fR .RS 4 Perform certificate chain validity checks on the generated proxy\&. .RE .PP \fB\-valid \fR\fB\fIHOURS\fR\fR\fB:\fR\fB\fIMINUTES\fR\fR, \fB\-hours \fR\fB\fIHOURS\fR\fR .RS 4 Create a certificate that is valid for \fIHOURS\fR hours and \fIMINUTES\fR minutes\&. If not specified, the default of twelve hours and no minutes is used\&. .RE .PP \fB\-cert \fR\fB\fICERTFILE\fR\fR, \fB\-key \fR\fB\fIKEYFILE\fR\fR .RS 4 Create a proxy certificate signed by the certificate located in CERTFILE using the key located in KEYFILE\&. If not specified the default certificate and key will be used\&. This overrides the values of environment variables described below\&. .RE .PP \fB\-certdir \fR\fB\fICERTDIR\fR\fR .RS 4 Search \fICERTDIR\fR for trusted certificates if verifying the proxy certificate\&. If not specified, the default trusted certificate search path is used\&. This overrides the value of the \fBX509_CERT_DIR\fR environment variable .RE .PP \fB\-out \fR\fB\fIPROXYPATH\fR\fR .RS 4 Write the generated proxy certificate file to \fIPROXYPATH\fR instead of the default path of /tmp/x509up_u\fIUID\fR\&. .RE .PP \fB\-bits \fR\fB\fIBITS\fR\fR .RS 4 When creating the proxy certificate, use a \fIBITS\fR bit key instead of the default 512 bit keys\&. .RE .PP \fB\-policy \fR\fB\fIPOLICYFILE\fR\fR .RS 4 Add the certificate policy data described in \fIPOLICYFILE\fR as the ProxyCertInfo X\&.509 extension to the generated proxy certificate\&. .RE .PP \fB\-pl \fR\fB\fIPOLICY\-OID\fR\fR, \fB\-policy\-language \fR\fB\fIPOLICY\-OID\fR\fR .RS 4 Set the policy language identifier of the policy data specified by the \fB\-policy\fR command\-line option to the oid specified by the \fIPOLICY\-OID\fR string\&. .RE .PP \fB\-path\-length \fR\fB\fIMAXIMUM\fR\fR .RS 4 Set the maximum length of the chain of proxies that can be created by the generated proxy to \fIMAXIMUM\fR\&. If not set, the default of an unlimited proxy chain length is used\&. .RE .PP \fB\-pwstdin\fR .RS 4 Read the private key\'s passphrase from stdin instead of reading input from the controlling tty\&. This is useful when scripting \fBgrid\-proxy\-init\fR\&. .RE .PP \fB\-limited\fR .RS 4 Create a limited proxy\&. Limited proxies are generally refused by process\-creating services, but may be used to authorize with other services\&. .RE .PP \fB\-independent\fR .RS 4 Create an independent proxy\&. An independent proxy is not treated as an impersonation proxy but as a separate identity for authorization purposes\&. .RE .PP \fB\-draft\fR .RS 4 Create a IETF draft proxy instead of the default RFC 3280\-compliant proxy\&. This type of proxy uses a non\-standard proxy policy identifier\&. This might be useful for authenticating with older versions of the Globus Toolkit\&. .RE .PP \fB\-old\fR .RS 4 Create a legacy proxy instead of the default RFC 3280\-compliant proxy\&. This type of proxy uses a non\-standard method of indicating that the certificate is a proxy and whether it is limited\&. This might be useful for authenticating with older versions of the Globus Toolkit\&. .RE .PP \fB\-rfc\fR .RS 4 Create an RFC 3820\-compliant proxy certificate\&. This is the default for this version of \fBgrid\-proxy\-init\fR\&. .RE .SH "EXAMPLES" .PP To create a proxy with the default lifetime and format, run the \fBgrid\-proxy\-init\fR program with no arguments\&. For example: .sp .if n \{\ .RS 4 .\} .nf % \fBgrid\-proxy\-init\fR Your identity: /DC=org/DC=example/CN=Joe User Enter GRID pass phrase for this identity: Creating proxy \&.\&.\&.\&.\&.\&.\&.\&.\&.\&.\&.\&.\&.\&.\&.\&.\&.\&.\&.\&.\&.\&.\&.\&.\&.\&.\&.\&.\&.\&.\&.\&.\&.\&. Done Your proxy is valid until: Thu Mar 18 03:48:05 2010 .fi .if n \{\ .RE .\} .PP To create a stronger proxy that lasts for only 8 hours, use the \fB\-hours\fR and \fB\-bits\fR command\-line options to \fBgrid\-proxy\-init\fR\&. For example: .sp .if n \{\ .RS 4 .\} .nf % \fBgrid\-proxy\-init\fR \fB\-hours 8\fR \fB\-bits 1024\fR Your identity: /DC=org/DC=example/CN=Joe User Enter GRID pass phrase for this identity: Creating proxy \&.\&.\&.\&.\&.\&.\&.\&.\&.\&.\&.\&.\&.\&.\&.\&.\&.\&.\&.\&.\&.\&.\&.\&.\&.\&.\&.\&.\&.\&.\&.\&.\&.\&. Done Your proxy is valid until: Thu Mar 17 23:48:05 2010 .fi .if n \{\ .RE .\} .sp .SH "ENVIRONMENT VARIABLES" .PP The following environment variables affect the execution of \fBgrid\-proxy\-init\fR: .PP \fBX509_USER_CERT\fR .RS 4 Path to the certificate to use as issuer of the new proxy\&. .RE .PP \fBX509_USER_KEY\fR .RS 4 Path to the key to use to sign the new proxy\&. .RE .PP \fBX509_CERT_DIR\fR .RS 4 Path to the directory containing trusted certifiate certificates and signing policies\&. .RE .SH "FILES" .PP The following files affect the execution of \fBgrid\-proxy\-init\fR: .PP \fB$HOME\fR/\&.globus/usercert\&.pem .RS 4 Default path to the certificate to use as issuer of the new proxy\&. .RE .PP \fB$HOME\fR/\&.globus/userkey\&.pem .RS 4 Default path to the key to use to sign the new proxy\&. .RE .SH "COMPATIBILITY" .PP For more information about proxy certificate types and their compatibility in GT, see \m[blue]\fBhttp://dev\&.globus\&.org/wiki/Security/ProxyCertTypes\fR\m[]\&. .SH "SEE ALSO" .PP \fBgrid-proxy-destroy\fR(1), \fBgrid-proxy-info\fR(1) .SH "AUTHOR" .PP \fBUniversity of Chicago\fR .SH "NOTES" .IP " 1." 4 RFC 3820 .RS 4 \%http://www.ietf.org/rfc/rfc3820.txt .RE