Difference between revisions of "Verify-proxy"

From PDP/Grid Wiki
Jump to navigationJump to search
Line 15: Line 15:
 
  #" --max-proxy-level-ttl=<level> <time-length; example: 2d-13:37>"
 
  #" --max-proxy-level-ttl=<level> <time-length; example: 2d-13:37>"
 
  #"  Sets a maximum lifetime for proxy certificate level <level> where <level> can be 0-9 or 'l' or 'L' to indicate a Leaf proxy (last proxy in the chain)"
 
  #"  Sets a maximum lifetime for proxy certificate level <level> where <level> can be 0-9 or 'l' or 'L' to indicate a Leaf proxy (last proxy in the chain)"
 +
 +
 +
== Arguments ==
 +
 +
; <tt>-certdir <dir></tt> (<tt>-cadir <dir></tt>) : trust anchor repository directory to use for verification
 +
; <tt>--[never_]discard_private_key_absense</tt> : allow the incoming proxy to (not) lack a private key. Normally, a private key in the proxy is required and is verified against the leaf proxy, to ensure that a true delegation was made to the invoking process.
 +
; <tt>--allow-limited-proxy</tt> : allow a limited ("/CN=limited") proxy to be accepted as valid.
 +
; <tt>--max-proxy-level-ttl=<level> <time></tt> : allow the proxy at level <level> to be at most <time> time long. The level "L" is used to indicat eth final 'leaf' level proxy
 +
; <tt>--max-voms-ttl</tt> : maximum time of all active VOMS ACs to be valid.

Revision as of 08:22, 30 March 2009

Example configurations

verify_proxy = "lcmaps_verify_proxy.mod"
" -certdir /etc/grid-security/certificates"
" --max-proxy-level-ttl=0 260:00"
" --max-proxy-level-ttl=L 12:05"
" --max-proxy-level-ttl=1 12:00"
" --max-voms-ttl 12:00"

Other options and arguments to verify_proxy:

#" --[never_]discard_private_key_absence"
#" --only-post-verify-checks"
#" --allow-limited-proxy"
#" --max-proxy-level-ttl=<level> <time-length; example: 2d-13:37>"
#"   Sets a maximum lifetime for proxy certificate level <level> where <level> can be 0-9 or 'l' or 'L' to indicate a Leaf proxy (last proxy in the chain)"


Arguments

-certdir <dir> (-cadir <dir>)
trust anchor repository directory to use for verification
--[never_]discard_private_key_absense
allow the incoming proxy to (not) lack a private key. Normally, a private key in the proxy is required and is verified against the leaf proxy, to ensure that a true delegation was made to the invoking process.
--allow-limited-proxy
allow a limited ("/CN=limited") proxy to be accepted as valid.
--max-proxy-level-ttl=<level>  : allow the proxy at level <level> to be at most
--max-voms-ttl
maximum time of all active VOMS ACs to be valid.