Name
cas-proxy-init — Generate a CAS proxy
Synopsis
cas-proxy-init
Tool description
cas-proxy-init contacts a CAS server and obtains an assertion for the user and embeds it in an credential. This credential can be used to access CAS-enabled services.
Command syntax
cas-proxy-init [options
] [ -ttag
| -pproxyfile
]
Table 11. cas-proxy-init options
-p proxyfile | Specify the file in which to store the CAS credential. Cannot be used with the -t option. |
-t tag | Choose a filename in which to store the CAS credential based on the value tag. Cannot be used with the -p option. |
-c url |
Contact URL for the CAS server. This typically looks like http://Host:Port/wsrf/services/CASService where Host and Port are the host and port where the container with the CAS service is running. |
-s server_identity |
When doing mutual authentication with the CAS server, expect server_identity as the remote identity. |
-f policy_file |
Generate a CAS credential that includes only those permissions specified in file policy_file (the default is to generate a credential with all the user's permissions). Details about the template of the file is provided at end of this table. |
-l hours |
Generate a credential which has an assertion with a lifetime of hours hours. This is just a request for lifetime, but may be overruled by the CAS server, if the request exceeds a set maximum for the lifetime of assertions it issues. |
-m messageType | Used to set the chosen security mechanism. It can be set to 'msg' for Secure Message, 'conv' for Secure Conversation and 'trans' for Transport security. If not set and the server URL starts with 'https', Transport Security is used, otherwise Secure Message is used. |
-n protectionType | Used to set the protection type. Can be set to 'sig' or 'enc' to indicate signature or encryption. Defaults to signature. |
CAS Client common options
The following options are common to all command line clients:
[-debug -help -v -c cas-url -s server-identity -m mechanism -p protection]
CAS Service URL: The -c cas-url option can be used to set the CAS Service instance, where cas-url is the URL of the CAS service instance. Alternatively, an environment variable can be set as shown here.
The instance URL typically looks like
http://Host:Port/wsrf/services/CASService
, where Host and Port are the host and port where the container with the CAS service is running.
CAS Service Identity: The -s server-identity option can be used to set the expected CAS server identity, where server-identity is the identity of the CAS service. Alternatively, an environment variable can be set as shown here. If neither is set, host authorization is done and the expected server credential is cas/<fqdn>, where <fqdn> is the fully qualified domain name of the host on which the CAS service is up.
Note If the service being contacted is using GSI Secure Transport, then the container credentials configured for the service will be used, even if service/resource level credentials are configured. Hence authorization needs to be done based on the DN of the container credentials.
- Debug: To run the client with debug message traces and error stack traces, the -debug flag must be used.
- Usage: The -help flag prints the usage message for the client.
- Version number: The -v flag prints the version number.
- Security Mechanism: The -m flag is used to set the chosen security mechanism. It can be set to 'msg' for Secure Message, 'conv' for Secure Conversation and 'trans' for Transport security. If not set and the server URL starts with 'https', Transport Security is used, else Secure Message is used.
- Protection type: The -p flag is used to set the protection type required with the security mechanism. Can be set to 'sig' or 'enc' to indicate signature or encryption. Defaults to signature.
Note: If you have a asterisk (*) in your command, you might have to escape it with backslash.
Requesting specific permissions from the CAS server
It is possible to request specific permissions from the CAS server using the -f option. This option causes cas-proxy-init to read a set of requested rights from a file.
This file should contain one or more resource identifiers:
Resource: ResourceNamesapce|ResourceName
For each resource, there should be one or more action identifiers:
serviceType action
For example, if the client needed assertions for "file/read" service/action for resource "ftp://sample.org" and "ftp://sample3.org", both in "FTPNamespace" and "directory/read" and "directory/write" permissions on the former resource only, the policy file should have the following entries:
Resource: FTPNamespace|ftp://sample1.org file read directory read directory write Resource: FTPNamespace|ftp://sample3.org file read
To indicate any resource, the following wildcard notation should be used:
uri:samlResourceWildcard
To indicate any action, the following wildcard notation for serviceType and action should be used. Note that this should be the first (and clearly the only action) in the list of action specified. All other actions in the list are ignored and if it is not the first, it is not treated as a wildcard.
uri:samlActionNSWildcard uri:samlActionWildcard
For example, if the client needs assertions for all resources and all actions, the policy file should look like:
Resource: uri:samlResourceWildcard uri:samlActionNSWildcard uri:samlActionWildcard
If the client needs assertions for all actions on resource "FTPNamespace|ftp://sample1.org", the policy file should be as follows:
Resource: FTPNamespace|ftp://sample1.org uri:samlActionNSWildcard uri:samlActionWildcard