myproxy-init(1)                     MyProxy                    myproxy-init(1)




NAME

       myproxy-init - store a credential for later retrieval


SYNOPSIS

       myproxy-init [ options ]


DESCRIPTION

       The  myproxy-init  command  uploads a credential to a myproxy-server(8)
       for later retrieval.  In the default mode, the  command  first  prompts
       for  the user's Grid pass phrase (if needed), which is used to create a
       proxy credential.  The command then prompts for a MyProxy pass  phrase,
       which  will  be required to later retrieve the credential.  The MyProxy
       pass phrase must be entered a second time for confirmation.  A  creden-
       tial  with a lifetime of one week (by default) is then delegated to the
       myproxy-server(8) and stored with the given MyProxy pass phrase.  Proxy
       credentials  with default lifetime of 12 hours can then be retrieved by
       myproxy-logon(1) using the MyProxy passphrase.   The  default  behavior
       can be overridden by options specified below.

       The  myproxy-init  command  can  also upload a credential to a myproxy-
       server(8) to support credential renewal.  Renewal allows a trusted ser-
       vice  (for  example,  a batch job scheduler) to obtain a new credential
       for a user before the existing credential it has for that user expires.
       The  -R  argument to myproxy-init configures the credential for renewal
       by the specified service.  Renewal requires two  authentications.   The
       renewing  service  must authenticate with its own credentials, matching
       the distinquished name specified by the  -R  argument,  and  must  also
       authenticate with an existing credential that matches the distinguished
       name of the stored credential, to retrieve a new credential.

       A credential may be used either for retrieval or renewal but not  both.
       If both are desired, upload a different credential for each use, with a
       different name using the -k option.

       The hostname where the myproxy-server(8) is running must  be  specified
       by  either  defining  the MYPROXY_SERVER environment variable or the -s
       option.

       By default, myproxy-init will create a proxy credential from the user's
       end-entity      credentials      at      ~/.globus/usercert.pem     and
       ~/.globus/userkey.pem to delegate to the myproxy-server(8).  To specify
       an  alternate  location for the source certificate and key to delegate,
       use the X509_USER_CERT and X509_USER_KEY environment variables.  To use
       a  proxy  credential as the source of the delegation, set both environ-
       ment variables to the location of the proxy credential.  To delegate  a
       "legacy  globus  proxy",  set the GT_PROXY_MODE environment variable to
       "old".   To  delegate  an  "RFC  3820   compliant   proxy",   set   the
       GT_PROXY_MODE environment variable to "rfc".


OPTIONS

       -h, --help
              Displays command usage text and exits.

       -u, --usage
              Displays command usage text and exits.

       -v, --verbose
              Enables verbose debugging output to the terminal.

       -V, --version
              Displays version information and exits.

       -s hostname[:port], --pshost hostname[:port]
              Specifies  the  hostname(s)  of the myproxy-server(s).  Multiple
              hostnames, each hostname optionally followed by a ':'  and  port
              number, may be specified in a comma-separated list.  This option
              is required if the MYPROXY_SERVER environment  variable  is  not
              defined.  If specified, this option overrides the MYPROXY_SERVER
              environment variable. If a port number is specified with a host-
              name,   it   will   override  the  -p  option  as  well  as  the
              MYPROXY_SERVER_PORT environment variable for that host.

       -p port, --psport port
              Specifies  the  TCP  port  number  of   the   myproxy-server(8).
              Default: 7512

       -l username, --username username
              Specifies  the MyProxy account under which the credential should
              be stored.  By default, the command uses the value of  the  LOG-
              NAME environment variable.  Use this option to specify a differ-
              ent account username on the MyProxy server.  The  MyProxy  user-
              name need not correspond to a real Unix username.

       -c hours, --cred_lifetime hours
              Specifies  the lifetime of the credential stored on the myproxy-
              server(8) in hours.  Specify 0 for the  maximum  possible  life-
              time, i.e., the lifetime of the original credential.  Default: 1
              week (168 hours)

       -t hours, --proxy_lifetime hours
              Specifies the maximum lifetime of credentials retrieved from the
              myproxy-server(8)  using  the  stored  credential.   Default: 12
              hours

       -C filename, --certfile filename
              Specifies  the  filename  of  the source certificate.

       -y filename, --keyfile filename
              Specifies the filename of the source private key.

       -d, --dn_as_username
              Use the  certificate  subject  (DN)  as  the  default  username,
              instead of the LOGNAME environment variable.

       -a, --allow_anonymous_retrievers
              Allow  credentials to be retrieved with just pass phrase authen-
              tication.  By default, only entities with credentials that match
              the   myproxy-server.config(5)   default  retriever  policy  may
              retrieve  credentials.   This  option  allows  entities  without
              existing  credentials to retrieve a credential using pass phrase
              authentication by including "anonymous" in the  set  of  allowed
              retrievers.   The  myproxy-server.config(5)  server-wide  policy
              must also allow "anonymous" clients for this option to  have  an
              effect.

       -A, --allow_anonymous_renewers
              Allow  credentials to be renewed by any client.  Any client with
              a valid credential with a subject name that matches  the  stored
              credential may retrieve a new credential from the MyProxy repos-
              itory if this option is given.  Since this  effectively  defeats
              the  purpose  of  proxy  credential  lifetimes, it is not recom-
              mended.  It is included only for sake of completeness.

       -r name, --retrievable_by name
              Allow the specified entity to retrieve credentials.  See -x  and
              -X options for controlling name matching behavior.

       -R name, --renewable_by name
              Allow  the specified entity to renew credentials.  See -x and -X
              options for controlling name  matching  behavior.   This  option
              implies  -n since passphrase authentication is not used for cre-
              dential renewal.

       -Z name, --retrievable_by_cert name
              Allow the specified entity to  retrieve  credentials  without  a
              passphrase.  See -x and -X options for controlling name matching
              behavior.  This option implies -n.

       -x, --regex_dn_match
              Specifies that names used with following options -r, -R, and  -Z
              will  be  matched  against  the full certificate subject distin-
              guished name (DN) according to REGULAR EXPRESSIONS  in  myproxy-
              server.config(5).

       -X, --match_cn_only
              Specifies  that names used with following options -r, -R, and -Z
              will be matched against the certificate subject common name (CN)
              according  to  REGULAR  EXPRESSIONS in myproxy-server.config(5).
              For example, if an argument of -r  "Jim  Basney"  is  specified,
              then  the  resulting  policy will be "*/CN=Jim Basney".  This is
              the default behavior.

       -k name, --credname name
              Specifies the credential name.

       -K description, --creddesc description
              Specifies credential description.

       -S, --stdin_pass
              By default, the command prompts for a passphrase and  reads  the
              passphrase  from  the active tty.  When running the command non-
              interactively, there may be no associated tty.  Specifying  this
              option tells the command to read passphrases from standard input
              without prompts or confirmation.

       -L, --local_proxy
              In addition to  storing  a  proxy  credential  on  the  myproxy-
              server(8) with lifetime set by --cred_lifetime (default 1 week),
              create  a  local  proxy  credential   with   lifetime   set   by
              --proxy_lifetime (default 12 hours).

       -n, --no_passphrase
              Don't  prompt  for  a  credential passphrase.  Store credentials
              without a credential passphrase, to be protected by other  meth-
              ods,  such  as  PAM,  SASL, or certificate-based authentication.
              This option is implied by -R since passphrase authentication  is
              not  used  for  credential  renewal.   Note  that  the  myproxy-
              server(8)  always  requires  some  type  of  authentication  for
              retrieving  credentials,  so  if  you store a credential with no
              passphrase and other authentication methods are not  configured,
              the credential will not be accessible.

       -m voms, --voms voms
              Add VOMS attributes to the credential by running voms-proxy-init
              on the client-side before storing the credential on the myproxy-
              server(8).   The  VOMS  VO name must be provided, as required by
              voms-proxy-init -voms.   The  voms-proxy-init  command  must  be
              installed  and  configured to use this option.  For example, the
              VOMS_USERCONF environment variable may need to be set for  voms-
              proxy-init to run correctly.


EXIT STATUS

       0 on success, >0 on error


FILES

       ~/.globus/usercert.pem
              Default location of the certificate from which the proxy creden-
              tial is created.  Set the X509_USER_CERT environment variable to
              override.

       ~/.globus/userkey.pem
              Default location of the private key from which the proxy creden-
              tial is created.  Set the X509_USER_KEY environment variable  to
              override.

       /tmp/myproxy-proxy.<uid>.<pid>
              Location  of the temporary proxy credential that is delegated to
              the myproxy-server(8).  It is removed after  the  delegation  is
              completed.


ENVIRONMENT

       GLOBUS_GSSAPI_NAME_COMPATIBILITY
              This  client  will,  by default, perform a reverse-DNS lookup to
              determine the FQHN (Fully Qualified Host Name) to use in verify-
              ing  the identity of the server by checking the FQHN against the
              CN  in  server's  certificate.    Setting   this   variable   to
              STRICT_RFC2818  will cause the reverse-DNS lookup to NOT be per-
              formed and the user-specified name to  be  used  instead.   This
              variable setting will be ignored if MYPROXY_SERVER_DN (described
              later) is set.

       MYPROXY_SERVER
              Specifies the hostname(s) where the  myproxy-server(8)  is  run-
              ning.  Multiple  hostnames can be specified in a comma separated
              list with each hostname optionally followed by a  ':'  and  port
              number.   This  environment variable can be used in place of the
              -s option.

       MYPROXY_SERVER_PORT
              Specifies the port where the myproxy-server(8) is running.  This
              environment variable can be used in place of the -p option.

       MYPROXY_SERVER_DN
              Specifies  the distinguished name (DN) of the myproxy-server(8).
              All MyProxy client programs authenticate the server's  identity.
              By  default,  MyProxy  servers run with host credentials, so the
              MyProxy client programs expect the  server  to  have  a  distin-
              guished  name  with "/CN=host/<fqhn>" or "/CN=myproxy/<fqhn>" or
              "/CN=<fqhn>" (where <fqhn> is the  fully-qualified  hostname  of
              the  server).   If the server is running with some other DN, you
              can set this environment variable to tell the MyProxy clients to
              accept  the alternative DN. Also see GLOBUS_GSSAPI_NAME_COMPATI-
              BILITY above.

       X509_USER_CERT
              Specifies a non-standard location for the certificate from which
              the  proxy  credential is created.  The location may be the path
              to an end-entity certificate (ex.  ~/.globus/usercert.pem) or  a
              proxy (ex.  /tmp/x509up_u<uid>).

       X509_USER_KEY
              Specifies a non-standard location for the private key from which
              the proxy credential is created.  The location may be  the  path
              to  an  end-entity private key (ex.  ~/.globus/userkey.pem) or a
              proxy (ex.  /tmp/x509up_u<uid>).

       X509_CERT_DIR
              Specifies a non-standard location for the CA certificates direc-
              tory.

       GT_PROXY_MODE
              Set  to  "old"  to  store a "legacy globus proxy" in the MyProxy
              repository.  Set to "rfc" to store an "RFC 3820 compliant proxy"
              in the MyProxy repository.

       MYPROXY_TCP_PORT_RANGE
              Specifies  a  range  of valid port numbers in the form "min,max"
              for the client side of the network connection to the server.  By
              default,  the  client will bind to any available port.  Use this
              environment variable to restrict  the  ports  used  to  a  range
              allowed  by  your  firewall.   If unset, MyProxy will follow the
              setting of the GLOBUS_TCP_PORT_RANGE environment variable.

       MYPROXY_KEYBITS
              Specifies the size  for  RSA  keys  generated  by  MyProxy.   By
              default, MyProxy generates 2048 bit RSA keys.  Set this environ-
              ment variable to "1024" for 1024 bit RSA keys.


AUTHORS

       See http://myproxy.ncsa.uiuc.edu/about for the list of MyProxy authors.


SEE ALSO

       myproxy-change-pass-phrase(1),  myproxy-destroy(1),  myproxy-get-trust-
       roots(1),   myproxy-info(1),   myproxy-logon(1),   myproxy-retrieve(1),
       myproxy-store(1),  myproxy-server.config(5),  myproxy-admin-adduser(8),
       myproxy-admin-change-pass(8),         myproxy-admin-load-credential(8),
       myproxy-admin-query(8), myproxy-server(8)



MyProxy                           2011-09-05                   myproxy-init(1)

Man(1) output converted with man2html