myproxy-get-trustroots(1)           MyProxy          myproxy-get-trustroots(1)


       myproxy-get-trustroots - fetch trustroots from a myproxy-server


       myproxy-get-trustroots [ options ]


       The  myproxy-get-trustroots  command retrieves the trusted certificates
       from the myproxy-server(8) and stores them in the location specified by
       the  X509_CERT_DIR  environment  variable  if  set  or  /etc/grid-secu-
       rity/certificates if running as root or ~/.globus/certificates if  run-
       ning as non-root.

       An  example cron job for running myproxy-get-trustroots periodically to
       keep  the  X509_CERT_DIR  up-to-date  is  provided   at   $GLOBUS_LOCA-


       -b, --bootstrap
              Unless  this  option  is  specified,  then  if the X509_CERT_DIR
              exists and the CA that signed the myproxy-server(8)  certificate
              is  not trusted, myproxy-get-trustroots will fail with an error,
              to protect against man-in-the-middle attacks.  If, however, this
              option  is  specified, myproxy-get-trustroots will accept the CA
              to bootstrap trust.

       -h, --help
              Displays command usage text and exits.

       -u, --usage
              Displays command usage text and exits.

       -v, --verbose
              Enables verbose debugging output to the terminal.

       -V, --version
              Displays version information and exits.

       -s hostname[:port], --pshost hostname[:port]
              Specifies the hostname(s) of  the  myproxy-server(s).   Multiple
              hostnames,  each  hostname optionally followed by a ':' and port
              number, may be specified in a comma-separated list.  This option
              is  required  if  the MYPROXY_SERVER environment variable is not
              defined.  If specified, this option overrides the MYPROXY_SERVER
              environment variable. If a port number is specified with a host-
              name,  it  will  override  the  -p  option  as   well   as   the
              MYPROXY_SERVER_PORT environment variable for that host.

       -p port, --psport port
              Specifies   the   TCP  port  number  of  the  myproxy-server(8).
              Default: 7512

       -q, --quiet
              Only write output messages on error.


              This client will, by default, perform a  reverse-DNS  lookup  to
              determine the FQHN (Fully Qualified Host Name) to use in verify-
              ing the identity of the server by checking the FQHN against  the
              CN   in   server's   certificate.    Setting  this  variable  to
              STRICT_RFC2818 will cause the reverse-DNS lookup to NOT be  per-
              formed  and  the  user-specified  name to be used instead.  This
              variable setting will be ignored if MYPROXY_SERVER_DN (described
              later) is set.

              Specifies  the  hostname(s)  where the myproxy-server(8) is run-
              ning. Multiple hostnames can be specified in a  comma  separated
              list  with  each  hostname optionally followed by a ':' and port
              number.  This environment variable can be used in place  of  the
              -s option.

              Specifies the port where the myproxy-server(8) is running.  This
              environment variable can be used in place of the -p option.

              Specifies the distinguished name (DN) of the  myproxy-server(8).
              All  MyProxy client programs authenticate the server's identity.
              By default, MyProxy servers run with host  credentials,  so  the
              MyProxy  client  programs  expect  the  server to have a distin-
              guished name with "/CN=host/<fqhn>" or  "/CN=myproxy/<fqhn>"  or
              "/CN=<fqhn>"  (where  <fqhn>  is the fully-qualified hostname of
              the server).  If the server is running with some other  DN,  you
              can set this environment variable to tell the MyProxy clients to
              accept the alternative DN. Also see  GLOBUS_GSSAPI_NAME_COMPATI-
              BILITY above.

              Specifies  a  range  of valid port numbers in the form "min,max"
              for the client side of the network connection to the server.  By
              default,  the  client will bind to any available port.  Use this
              environment variable to restrict  the  ports  used  to  a  range
              allowed  by  your  firewall.   If unset, MyProxy will follow the
              setting of the GLOBUS_TCP_PORT_RANGE environment variable.

              Specifies a non-standard location for the certificate to be used
              for authentication to the myproxy-server(8).

              Specifies a non-standard location for the private key to be used
              for authentication to the myproxy-server(8).

              Specifies a non-standard location for the proxy credential to be
              used for authentication to the myproxy-server(8).

              Specifies a non-standard location for the CA certificates direc-


       See for the list of MyProxy authors.


       myproxy-change-pass-phrase(1),   myproxy-destroy(1),   myproxy-info(1),
       myproxy-init(1),    myproxy-logon(1),   myproxy-retrieve(1),   myproxy-
       server.config(5), myproxy-store(1), myproxy-admin-adduser(8),  myproxy-
       admin-change-pass(8),  myproxy-admin-load-credential(8), myproxy-admin-
       query(8), myproxy-server(8)

MyProxy                            2009-12-1         myproxy-get-trustroots(1)

Man(1) output converted with man2html