|DACSKEY(1)||DACS Commands Manual||DACSKEY(1)|
NAME¶dacskey - generate encryption keys for DACS
[-check | -gen | -priv | -private | -pub | -public]
[-p | -pf passphrase-file] [-pem] [-vfs] [-rsa_key_bits number] [--] keyfile
DESCRIPTION¶This program is part of the DACS suite.
The dacskey utility generates encryption keys for DACS that are cryptographically sound. Keys are represented externally as an XML document called a keyfile. The program can also validate a keyfile or display a key.
Keys are created for at least three different purposes, although every keyfile has the same format:
Ideally, new keys should be generated at regular intervals and also whenever warranted to maintain security, such as when a jurisdiction leaves the federation or if a key may have been compromised. When a jurisdiction joins a federation, it must receive a copy of the current keys. There is currently no automated key management support; administrators must distribute these keys to all jurisdictions over a secure channel whenever they are changed. Besides using some method of encryption to ensure the keys remain private during distribution, take care not to mangle the XML document (e.g., through line breaks or truncation).
The program ordinarily uses OpenSSL's ssl(3) library to acquire high-quality random material. In certain situations, an experienced administrator might find the -p and -pf options useful; others should avoid them, however.
When keys are generated, the output is written to keyfile, which is either created or truncated. In this context, keyfile must be a pathname. Unless directly written to where federation_keys (or jurisdiction_keys) points, keyfile must be copied there.
Assuming that the default site configuration file (conf/site.conf-std, which establishes default locations for these files) has been installed:
% dacskey -u mysite.example.com -q fkeys % install -o root -g www -m 0640 fkeys \ /usr/local/dacs/federations/example.com/federation_keyfile % dacskey -u mysite.example.com -q jkeys % install -o root -g www -m 0640 jkeys \ /usr/local/dacs/federations/example.com/mysite/jurisdiction_keyfile
The owner, group, and mode assigned to these files in this example are typical but are only suggestions.
A keyfile generated by this command must be accessible (readable and writable) only by DACS web services and the DACS administrator. It must be kept unreadable and unwritable by all others.
When not generating keys, by default keyfile is a pathname. If the -vfs flag is given, then keyfile is a DACS URI, item type, or absolute pathname.
OPTIONS¶In addition to the standard dacsoptions, dacskey recognizes these options:
DIAGNOSTICS¶The program exits 0 if everything was fine, 1 if an error occurred.
SEE ALSO¶dacsauth(1), dacsgrid(1), dacsinit(1), dacsrlink(1) dacstoken(1), dacs.install(7), dacs_acs(8)
AUTHOR¶Distributed Systems Software (www.dss.ca)
COPYING¶Copyright © 2003-2018 Distributed Systems Software. See the LICENSE file that accompanies the distribution for licensing information.