Name
myproxy-store — Store end-entity credential for later retrieval
Synopsis
myproxy-store
Tool description
The myproxy-store command uploads a credential to a myproxy-server(8) for later retrieval. Unlike myproxy-init(1), this command transfers the private key over the network (over a private channel). In the default mode, the command will take the credentials found in ~/.globus/usercert.pem and ~/.globus/userkey.pem and store them in the myproxy-server(8) repository. Proxy credentials with a default lifetime of 12 hours can then be retrieved by myproxy-logon(1) using the credential passphrase. The default behavior can be overridden by options specified below.
The hostname where the myproxy-server(8) is running must be specified by either defining the MYPROXY_SERVER environment variable or the -s option.
Command options
Table 7. myproxy-store options
-h, --help | Displays command usage text and exits. |
-u, --usage | Displays command usage text and exits. |
-v, --verbose | Enables verbose debugging output to the terminal. |
-V, --version | Displays version information and exits. |
-s hostname, --pshost hostname | Specifies the hostname of the myproxy-server. This option is required if the MYPROXY_SERVER environment variable is not defined. If specified, this option overrides the MYPROXY_SERVER environment variable. |
-p port, --psport port | Specifies the TCP port number of the myproxy-server(8). Default: 7512. |
-l, --username | Specifies the MyProxy account under which the credential should be stored. By default, the command uses the value of the LOGNAME environment variable. Use this option to specify a different account username on the MyProxy server. The MyProxy username need not correspond to a real Unix username. |
-c filename, --certfile filename | Specifies the filename of the source certificate. This is a required parameter. |
-y filename, --keyfile filename | Specifies the filename of the source private key. This is a required parameter. |
-t hours, --proxy_lifetime hours | Specifies the maximum lifetime of credentials retrieved from the myproxy-server(8) using the stored credential. Default: 12 hours |
-d, --dn_as_username | Use the certificate subject (DN) as the default username, instead of the LOGNAME environment variable. |
-a, --allow_anonymous_retrievers | Allow credentials to be retrieved with just pass phrase authentication. By default, only entities with credentials that match the myproxy-server.config(5) default retriever policy may retrieve credentials. This option allows entities without existing credentials to retrieve a credential using pass phrase authentication by including "anonymous" in the set of allowed retrievers. The myproxy-server.config(5) server-wide policy must also allow "anonymous" clients for this option to have an effect. |
-A, --allow_anonymous_renewers | Allow credentials to be renewed by any client. Any client with a valid credential with a subject name that matches the stored credential may retrieve a new credential from the MyProxy repository if this option is given. Since this effectively defeats the purpose of proxy credential lifetimes, it is not recommended. It is included only for the sake of completeness. |
-r dn, --retrievable_by dn | Allow the specified entity to retrieve credentials. By default, the argument will be matched against the common name (CN) of the client (for example: "Jim Basney"). Specify -x before this option to match against the full distinguished name (DN) (for example: "/C=US/O=National Computational Science Alliance/CN=Jim Basney") instead. |
-E dn, --retrieve_key dn | Allow the specified entity to retrieve end-entity credentials. By default, the argument will be matched against the common name (CN) of the client (for example: "Jim Basney"). Specify -x before this option to match against the full distinguished name (DN) (for example: "/C=US/O=National Computational Science Alliance/CN=Jim Basney") instead. |
-R dn, --renewable_by dn | Allow the specified entity to renew credentials. By default, the argument will be matched against the common name (CN) of the client (for example: "condorg/modi4.ncsa.uiuc.edu"). Specify -x before this option to match against the full distinguished name (DN) (for example: "/C=US/O=National Computational Science Alliance/CN=condorg/modi4.ncsa.uiuc.edu") instead. This option implies -n since passphrase authentication is not used for credential renewal. |
-x, --regex_dn_match | Specifies that the DN used by options -r and -R will be matched as a regular expression. |
-X, --match_cn_only | Specifies that the DN used by options -r and -R will be matched against the Common Name (CN) of the subject. |
-k name, --credname name | Specifies the credential name. |
-K description, --creddesc description | Specifies credential description. |
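
Several options above widen who may retrieve or renew a stored credential, and -x only changes DN matching for the -r, -E and -R options that follow it. The script below is an added example, not part of the MyProxy distribution: it lints a proposed myproxy-store argument list using only the semantics in the table, without running the command. The function names, finding labels and the host name used to try it are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the MyProxy distribution): lint a proposed
# myproxy-store argument list using only the option semantics in the table.
# Nothing is executed and no server is contacted.

_n=0
_flag() { _n=$((_n + 1)); echo "$1"; }   # hypothetical helper: record a finding

# Prints one finding per line; returns 0 when clean, 1 otherwise.
lint_myproxy_store_args() {
    _n=0; regex=0; have_host=0
    if [ -n "${MYPROXY_SERVER:-}" ]; then have_host=1; fi
    while [ $# -gt 0 ]; do
        opt=$1; shift
        case "$opt" in
            -x|--regex_dn_match) regex=1; continue ;;
            -X|--match_cn_only)  regex=0; continue ;;
            -a|--allow_anonymous_retrievers)
                _flag "anonymous-retrievers: $opt lets a pass phrase alone retrieve"
                continue ;;
            -A|--allow_anonymous_renewers)
                _flag "anonymous-renewers: $opt is marked not recommended"
                continue ;;
            -h|--help|-u|--usage|-v|--verbose|-V|--version|-d|--dn_as_username)
                continue ;;
        esac
        # Everything else in the table takes exactly one argument.
        if [ $# -eq 0 ]; then _flag "missing-argument: $opt"; break; fi
        val=$1; shift
        case "$opt" in
            -s|--pshost) have_host=1 ;;
            -r|--retrievable_by|-E|--retrieve_key|-R|--renewable_by)
                # -x only affects DN options that come after it.
                if [ "$regex" -eq 0 ]; then
                    _flag "cn-only-match: $opt '$val' is compared with the CN only"
                fi ;;
            -p|--psport|-l|--username|-c|--certfile|-y|--keyfile) ;;
            -t|--proxy_lifetime|-k|--credname|-K|--creddesc) ;;
            *) _flag "unknown-option: $opt" ;;
        esac
    done
    if [ "$have_host" -eq 0 ]; then
        _flag "no-server: neither -s nor MYPROXY_SERVER is set"
    fi
    [ "$_n" -eq 0 ]
}
```

Calling it as lint_myproxy_store_args -s myproxy.example.org -r 'Alice' -x -A reports the CN-only match, because -x follows -r, and the anonymous-renewers setting.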