Scroll to navigation

ARCPROXY(1) User Commands ARCPROXY(1)

NAME

arcproxy - ARC Credentials Proxy generation utility

DESCRIPTION

Usage:

arcproxy [OPTION...]

The arcproxy command creates a proxy from a key/certificate pair which can then be used to access grid resources.

OPTIONS

Show help options
path to the proxy file
path to the certificate file, it can be either PEM, DER, or PKCS12 formatted
path to the private key file, if the certificate is in PKCS12 format, then no need to give private key
path to the trusted certificate directory, only needed for the VOMS client functionality
path to the top directory of VOMS *.lsc files, only needed for the VOMS client functionality
path to the VOMS server configuration file
voms<:command>. Specify VOMS server
More than one VOMS server can be specified like this: --voms VOa:command1 --voms VOb:command2. :command is optional, and is used to ask for specific attributes (e.g: roles)
command options are:
all --- put all of this DN's attributes into AC;
list --- list all of the DN's attribute, will not create AC extension;
/Role=yourRole --- specify the role, if this DN has such a role, the role will be put into AC;
/voname/groupname/Role=yourRole --- specify the VO, group and role; if this DN has such a role, the role will be put into AC.
If this option is not specified values from configuration files are used. To avoid anything to be used specify -S with empty value.
group<:role>. Specify ordering of attributes
Example: --order /knowarc.eu/coredev:Developer,/knowarc.eu/testers:Tester or: --order /knowarc.eu/coredev:Developer --order /knowarc.eu/testers:Tester
Note that it does not make sense to specify the order if you have two or more different VOMS servers specified
use GSI communication protocol for contacting VOMS services
use HTTP communication protocol for contacting VOMS services that provide RESTful access
Note for RESTful access, 'list' command and multiple VOMS server are not supported
use old communication protocol for contacting VOMS services instead of RESTful access
this option is not functional (old GSI proxies are not supported anymore)
print all information about this proxy.
print selected information about this proxy.
remove proxy
username to MyProxy server (if missing subject of user certificate is used)
don't prompt for a credential passphrase, when retrieve a credential from an MyProxy server.
The precondition of this choice is that the credential was PUT onto the MyProxy server without a passphrase by using the -R (--retrievable_by_cert) option. This option is specific for the GET command when contacting Myproxy server.
Allow specified entity to retrieve credential without passphrase.
This option is specific for the PUT command when contacting Myproxy server.
hostname[:port] of MyProxy server
command to MyProxy server. The command can be PUT, GET, INFO, NEWPASS or DESTROY.
PUT -- put a delegated credentials to the MyProxy server;
GET -- get a delegated credentials from the MyProxy server;
INFO -- get and present information about credentials stored at the MyProxy server;
NEWPASS -- change password protecting credentials stored at the MyProxy server;
DESTROY -- wipe off credentials stored at the MyProxy server;
Local credentials (certificate and key) are not necessary except in case of PUT. MyProxy functionality can be used together with VOMS functionality. --voms and --vomses can be used for Get command if VOMS attributes is required to be included in the proxy.
use NSS credential database in default Mozilla profiles, including Firefox, Seamonkey and Thunderbird.
proxy constraints
password destination=password source
timeout in seconds (default 20)
configuration file (default ~/.arc/client.conf)
FATAL, ERROR, WARNING, INFO, VERBOSE or DEBUG
force using CA certificates configuration provided by OpenSSL
force using CA certificates configuration for Grid services (typically IGTF)
allow TLS connection which failed verification
print version information

Supported constraints are:

validityStart=time (e.g. 2008-05-29T10:20:30Z; if not specified, start from now)
validityEnd=time
validityPeriod=time (e.g. 43200 or 12h or 12H; if both validityPeriod and validityEnd not specified, the default is 12 hours for local proxy, and 168 hours for delegated proxy on myproxy server)
vomsACvalidityPeriod=time (e.g. 43200 or 12h or 12H; if not specified, the default is the minimum value of 12 hours and validityPeriod)
myproxyvalidityPeriod=time (lifetime of proxies delegated by myproxy server, e.g. 43200 or 12h or 12H; if not specified, the default is the minimum value of 12 hours and validityPeriod (which is lifetime of the delegated proxy on myproxy server))
proxyPolicy=policy content
proxyPolicyFile=policy file
keybits=number - length of the key to generate. Default is 2048 bits. Special value 'inherit' is to use key length of signing certificate.
signingAlgorithm=name - signing algorithm to use for signing public key of proxy. Possible values are sha1, sha2 (alias for sha256), sha224, sha256, sha384, sha512 and inherit (use algorithm of signing certificate). Default is inherit. With old systems, only sha1 is acceptable.

Supported information item names are:

subject - subject name of proxy certificate.
identity - identity subject name of proxy certificate.
issuer - issuer subject name of proxy certificate.
ca - subject name of CA which issued initial certificate.
path - file system path to file containing proxy.
type - type of proxy certificate. validityStart - timestamp when proxy validity starts.
validityEnd - timestamp when proxy validity ends.
validityPeriod - duration of proxy validity in seconds.
validityLeft - duration of proxy validity left in seconds.
vomsVO - VO name represented by VOMS attribute
vomsSubject - subject of certificate for which VOMS attribute is issued
vomsIssuer - subject of service which issued VOMS certificate
vomsACvalidityStart - timestamp when VOMS attribute validity starts.
vomsACvalidityEnd - timestamp when VOMS attribute validity ends.
vomsACvalidityPeriod - duration of VOMS attribute validity in seconds.
vomsACvalidityLeft - duration of VOMS attribute validity left in seconds.
proxyPolicy
keybits - size of proxy certificate key in bits.
signingAlgorithm - algorithm used to sign proxy certificate.

Items are printed in requested order and are separated by newline. If item has multiple values they are printed in same line separated by |.

Supported password destinations are:

key - for reading private key
myproxy - for accessing credentials at MyProxy service
myproxynew - for creating credentials at MyProxy service
all - for any purspose.

Supported password sources are:

quoted string ("password") - explicitly specified password
int - interactively request password from console
stdin - read password from standard input delimited by newline
file:filename - read password from file named filename
stream:# - read password from input stream number #. Currently only 0 (standard input) is supported.

ENVIRONMENT VARIABLES

The location where ARC is installed can be specified by this variable. If not specified the install location will be determined from the path to the command being executed, and if this fails a WARNING will be given stating the location which will be used.

The location of ARC plugins can be specified by this variable. Multiple locations can be specified by separating them by : (; in Windows). The default location is $ARC_LOCATION/lib/arc (\ in Windows).

FILES

/etc/vomses
Common file containing a list of selected VO contact point, one VO per line, for example:
"gin" "kuiken.nikhef.nl" "15050" "/O=dutchgrid/O=hosts/OU=nikhef.nl/CN=kuiken.nikhef.nl" "gin.ggf.org"
"nordugrid.org" "voms.uninett.no" "15015" "/O=Grid/O=NorduGrid/CN=host/voms.ndgf.org" "nordugrid.org"

~/.voms/vomses
Same as /etc/vomses but located in user's home area. If exists, has precedence over /etc/vomses

The order of the parsing of vomses location is:

1. command line options
2. client configuration file ~/.arc/client.conf
3. $X509_VOMSES or $X509_VOMS_FILE
4. ~/.arc/vomses
5. ~/.voms/vomses
6. $ARC_LOCATION/etc/vomses (this is for Windows environment)
7. $ARC_LOCATION/etc/grid-security/vomses (this is for Windows environment)
8. $PWD/vomses
9. /etc/vomses
10. /etc/grid-security/vomses

~/.arc/client.conf
Some options can be given default values by specifying them in the ARC client configuration file. By using the --conffile option a different configuration file can be used than the default.

AUTHOR

ARC software is developed by the NorduGrid Collaboration (http://www.nordugrid.org), please consult the AUTHORS file distributed with ARC. Please report bugs and feature requests to http://bugzilla.nordugrid.org

REPORTING BUGS

Report bugs to http://bugzilla.nordugrid.org/

COPYRIGHT

APACHE LICENSE Version 2.0

SEE ALSO

arccat(1), arcclean(1), arccp(1), arcget(1), arcinfo(1), arckill(1), arcls(1), arcmkdir(1), arcrenew(1), arcresume(1), arcrm(1), arcstat(1), arcsub(1), arcsync(1), arctest(1)

April 2025 arcproxy version 7.0.0