cas-enroll

Home -> Toolkit -> Docs -> 4.0 -> Security -> Cas	Website Email Lists Search:

Name

cas-enroll — PURPOSE

Synopsis

cas-enroll

Tool description

To enroll a trust anchor, the user must have cas/enroll_trustAnchor permission on that cas server object (that is, the user must have permission to perform the enroll_trustAnchor action on the CAS service type). The enroll operation allows the user to choose a user group to which cas/grantAll permission on the enrolled object should be granted. The nickname should be unique across the CAS database and is used to refer to this trust anchor.

Command syntax

  casAdmin$ cas-enroll [options] trustAnchor userGpName nickname authMethod authData

options: client options
userGpName: the user group to which cas/grantAll permission should be granted on this trust anchor entity
nickname: trust anchor nickname
authMethod: authentication method used by the trust anchor
authData: data used for authentication, typically the DN

CAS Client common options

The following options are common to all command line clients:

 [-debug -help -v -c cas-url -s server-identity -m mechanism -p protection]

CAS Service URL: The -c cas-url option can be used to set the CAS Service instance, where cas-url is the URL of the CAS service instance. Alternatively, an environment variable can be set as shown here.
The instance URL typically looks like
```
http://Host:Port/wsrf/services/CASService
```
, where Host and Port are the host and port where the container with the CAS service is running.

CAS Service Identity: The -s server-identity option can be used to set the expected CAS server identity, where server-identity is the identity of the CAS service. Alternatively, an environment variable can be set as shown here. If neither is set, host authorization is done and the expected server credential is cas/<fqdn>, where <fqdn> is the fully qualified domain name of the host on which the CAS service is up.

	Note
	If the service being contacted is using GSI Secure Transport, then the container credentials configured for the service will be used, even if service/resource level credentials are configured. Hence authorization needs to be done based on the DN of the container credentials.

Debug: To run the client with debug message traces and error stack traces, the -debug flag must be used.
Usage: The -help flag prints the usage message for the client.
Version number: The -v flag prints the version number.
Security Mechanism: The -m flag is used to set the chosen security mechanism. It can be set to 'msg' for Secure Message, 'conv' for Secure Conversation and 'trans' for Transport security. If not set and the server URL starts with 'https', Transport Security is used, else Secure Message is used.
Protection type: The -p flag is used to set the protection type required with the security mechanism. Can be set to 'sig' or 'enc' to indicate signature or encryption. Defaults to signature.

Note: If you have a asterisk (*) in your command, you might have to escape it with backslash.