myproxy-retrieve(1)                 MyProxy                myproxy-retrieve(1)




NAME

       myproxy-retrieve - retrieve an end-entity credential


SYNOPSIS

       myproxy-retrieve [ options ]


DESCRIPTION

       The myproxy-retrieve command retrieves a credential directly from the
       myproxy-server(8) that was previously stored using myproxy-init(1) or
       myproxy-store(1).  Unlike myproxy-logon(1), this command transfers the
       private key in the repository over the network (over a private
       channel).  To obtain a proxy credential, we recommend using
       myproxy-logon(1) instead.

       In the default mode, the command prompts for the pass phrase associated
       with the credential to be retrieved and stores the retrieved credential
       in the standard location (~/.globus/usercert.pem and
       ~/.globus/userkey.pem).  You could then run grid-proxy-init to create a
       proxy credential from the retrieved credentials.


OPTIONS

       -h, --help
              Displays command usage text and exits.

       -u, --usage
              Displays command usage text and exits.

       -v, --verbose
              Enables verbose debugging output to the terminal.

       -V, --version
              Displays version information and exits.

       -s hostname[:port], --pshost hostname[:port]
              Specifies the hostname(s) of the myproxy-server(s).  Multiple
              hostnames, each hostname optionally followed by a ':' and port
              number, may be specified in a comma-separated list.  This option
              is required if the MYPROXY_SERVER environment variable is not
              defined.  If specified, this option overrides the MYPROXY_SERVER
              environment variable.  If a port number is specified with a
              hostname, it will override the -p option as well as the
              MYPROXY_SERVER_PORT environment variable for that host.

       -p port, --psport port
              Specifies the TCP port number of the myproxy-server(8).
              Default: 7512

       -l username, --username username
              Specifies the MyProxy account under which the credential to
              retrieve is stored.  By default, the command uses the value of
              the LOGNAME environment variable.  Use this option to specify a
              different account username on the MyProxy server.  The MyProxy
              username need not correspond to a real Unix username.

       -d, --dn_as_username
              Use the certificate subject (DN) as the default username,
              instead of the LOGNAME environment variable.  When used with the
              -a option, the certificate subject of the authorization
              credential is used.  Otherwise, the certificate subject of the
              default credential is used.

       -t hours, --proxy_lifetime hours
              Specifies the lifetime of credentials retrieved from the
              myproxy-server(8) using the stored credential.  The resulting
              lifetime is the shorter of the requested lifetime and the
              lifetime specified when the credential was stored using
              myproxy-init(1).  Default: 12 hours

       -c filename, --certfile filename
              Specifies the file in which the retrieved certificate will be
              stored.

       -y filename, --keyfile filename
              Specifies the file in which the retrieved private key will be
              stored.

       -a file, --authorization file
              Use this option to specify an existing, valid credential that
              you want to renew.  Renewing a credential generally requires two
              certificate-based authentications.  The client authenticates
              with its identity, using the credential in the standard location
              or specified by X509_USER_PROXY or X509_USER_CERT and
              X509_USER_KEY, in addition to authenticating with the existing
              credential, in the location specified by this option, that it
              wants to renew.

       -k name, --credname name
              Specifies the name of the credential that is to be retrieved or
              renewed.

       -S, --stdin_pass
              By default, the command prompts for a passphrase and reads the
              passphrase from the active tty.  When running the command
              non-interactively, there may be no associated tty.  Specifying
              this option tells the command to read passphrases from standard
              input without prompts or confirmation.

       -T, --trustroots
              Retrieves the CA certificates directory from the server (if
              available) and stores it in the location specified by the
              X509_CERT_DIR environment variable if set; otherwise in
              /etc/grid-security/certificates if running as root, or in
              ~/.globus/certificates if running as non-root.

       -n, --no_passphrase
              Don't prompt for a credential passphrase.  Use other methods for
              authentication, such as a Kerberos ticket or an X.509
              certificate.
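
       Added example (not part of the original man page and not MyProxy
       code): a shell function that works out which host:port pairs a given
       invocation refers to, following the -s and -p text above.  The name
       resolve_endpoints is hypothetical, and -p taking precedence over
       MYPROXY_SERVER_PORT is an assumption.

```shell
#!/bin/sh
# Added example: models the documented -s / -p precedence rules.
# resolve_endpoints is a hypothetical helper, not part of MyProxy.

# resolve_endpoints [S_OPTION_VALUE] [P_OPTION_VALUE]
# Prints one "host:port" per line; returns 1 if no server is configured.
resolve_endpoints() {
    # -s overrides the MYPROXY_SERVER environment variable.
    servers=${1:-${MYPROXY_SERVER:-}}
    # Fallback port: -p (assumed to win), then MYPROXY_SERVER_PORT, then 7512.
    fallback=${2:-${MYPROXY_SERVER_PORT:-7512}}
    [ -n "$servers" ] || return 1

    old_ifs=$IFS
    IFS=,                                   # split the comma-separated list
    for entry in $servers; do
        case $entry in
            "")  ;;                         # skip empty items such as "a,,b"
            *:*) printf '%s\n' "$entry" ;;  # a per-host port overrides -p and env
            *)   printf '%s:%s\n' "$entry" "$fallback" ;;
        esac
    done
    IFS=$old_ifs
}
```

       Running it before a retrieval shows which servers the private key may
       be fetched from once environment defaults are taken into account.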


EXIT STATUS

       0 on success, >0 on error


ENVIRONMENT

       GLOBUS_GSSAPI_NAME_COMPATIBILITY
              This client will, by default, perform a reverse-DNS lookup to
              determine the FQHN (Fully Qualified Host Name) to use in
              verifying the identity of the server by checking the FQHN
              against the CN in the server's certificate.  Setting this
              variable to STRICT_RFC2818 will cause the reverse-DNS lookup to
              NOT be performed and the user-specified name to be used instead.
              This variable setting will be ignored if MYPROXY_SERVER_DN
              (described below) is set.

       MYPROXY_SERVER
              Specifies the hostname(s) where the myproxy-server(8) is
              running.  Multiple hostnames can be specified in a
              comma-separated list with each hostname optionally followed by a
              ':' and port number.  This environment variable can be used in
              place of the -s option.

       MYPROXY_SERVER_PORT
              Specifies the port where the myproxy-server(8) is running.  This
              environment variable can be used in place of the -p option.

       MYPROXY_SERVER_DN
              Specifies the distinguished name (DN) of the myproxy-server(8).
              All MyProxy client programs authenticate the server's identity.
              By default, MyProxy servers run with host credentials, so the
              MyProxy client programs expect the server to have a
              distinguished name with "/CN=host/<fqhn>" or
              "/CN=myproxy/<fqhn>" or "/CN=<fqhn>" (where <fqhn> is the
              fully-qualified hostname of the server).  If the server is
              running with some other DN, you can set this environment
              variable to tell the MyProxy clients to accept the alternative
              DN.  Also see GLOBUS_GSSAPI_NAME_COMPATIBILITY above.

       MYPROXY_TCP_PORT_RANGE
              Specifies a range of valid port numbers in the form "min,max"
              for the client side of the network connection to the server.  By
              default, the client will bind to any available port.  Use this
              environment variable to restrict the ports used to a range
              allowed by your firewall.  If unset, MyProxy will follow the
              setting of the GLOBUS_TCP_PORT_RANGE environment variable.

       X509_USER_CERT
              Specifies a non-standard location for the certificate to be used
              for authentication to the myproxy-server(8).  Also specifies the
              location where the retrieved certificate will be stored unless
              the -c option is given.

       X509_USER_KEY
              Specifies a non-standard location for the private key to be used
              for authentication to the myproxy-server(8).  Also specifies the
              location where the retrieved private key will be stored unless
              the -y option is given.

       X509_USER_PROXY
              Specifies a non-standard location for the proxy credential to be
              used for authentication to the myproxy-server(8).

       X509_CERT_DIR
              Specifies a non-standard location for the CA certificates
              directory.
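
       Added example (not part of the original man page and not MyProxy
       code): a shell model of the server-identity rules described under
       GLOBUS_GSSAPI_NAME_COMPATIBILITY and MYPROXY_SERVER_DN above.  The
       function names, the exact-match and suffix-match comparisons and the
       argument layout are assumptions; the reverse-DNS answer is passed in
       as an argument rather than looked up.

```shell
#!/bin/sh
# Added example: a model of the documented server-identity checks.
# name_to_verify and server_dn_accepted are hypothetical helpers.

# name_to_verify TYPED_HOST REVERSE_DNS_NAME
# Prints the hostname that will be compared against the server's CN.
name_to_verify() {
    if [ "${GLOBUS_GSSAPI_NAME_COMPATIBILITY:-}" = "STRICT_RFC2818" ]; then
        printf '%s\n' "$1"    # user-specified name, no reverse-DNS lookup
    else
        printf '%s\n' "$2"    # default: the name returned by reverse DNS
    fi
}

# server_dn_accepted SERVER_DN TYPED_HOST REVERSE_DNS_NAME
# Returns 0 if SERVER_DN passes the documented checks, 1 otherwise.
server_dn_accepted() {
    dn=$1
    if [ -n "${MYPROXY_SERVER_DN:-}" ]; then
        # A configured DN replaces hostname matching, so the name
        # compatibility setting is ignored (exact match is assumed here).
        [ "$dn" = "$MYPROXY_SERVER_DN" ] && return 0
        return 1
    fi
    fqhn=$(name_to_verify "$2" "$3")
    # The three default forms listed under MYPROXY_SERVER_DN, matched as
    # the final component of the DN (an assumption of this model).
    case $dn in
        *"/CN=host/$fqhn"|*"/CN=myproxy/$fqhn"|*"/CN=$fqhn") return 0 ;;
    esac
    return 1
}
```

       In the default mode the accepted name comes from the DNS answer rather
       than from what was typed, which is the difference STRICT_RFC2818 and a
       configured MYPROXY_SERVER_DN remove.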


AUTHORS

       See http://myproxy.ncsa.uiuc.edu/about for the list of MyProxy authors.


SEE ALSO

       myproxy-change-pass-phrase(1), myproxy-destroy(1),
       myproxy-get-trustroots(1), myproxy-info(1), myproxy-init(1),
       myproxy-logon(1), myproxy-store(1), myproxy-server.config(5),
       myproxy-admin-adduser(8), myproxy-admin-change-pass(8),
       myproxy-admin-load-credential(8), myproxy-admin-query(8),
       myproxy-server(8)



MyProxy                            2009-12-1               myproxy-retrieve(1)
