Difference between revisions of "Verify-proxy"
From PDP/Grid Wiki
Line 1: | Line 1: | ||
+ | The <tt>lcmaps_verify_proxy</tt> plugin verifies the validity of a proxy chain and (optionally) a valid delegation, including restrictions on the life time of any proxies in the chain. | ||
+ | |||
+ | == Arguments == | ||
+ | |||
+ | ; <tt>-certdir <dir></tt> (<tt>-cadir <dir></tt>) : trust anchor repository directory to use for verification | ||
+ | ; <tt>--[never_]discard_private_key_absense</tt> : allow the incoming proxy to (not) lack a private key. Normally, a private key in the proxy is required and is verified against the leaf proxy, to ensure that a true delegation was made to the invoking process. | ||
+ | ; <tt>--allow-limited-proxy</tt> : allow a limited ("/CN=limited") proxy to be accepted as valid. | ||
+ | ; <tt>--max-proxy-level-ttl=<level> <time></tt> : allow the proxy at level <level> to be at most <time> time long. The level "L" is used to indicat eth final 'leaf' level proxy | ||
+ | ; <tt>--max-voms-ttl</tt> : maximum time of all active VOMS ACs to be valid. | ||
+ | |||
= Example configurations = | = Example configurations = | ||
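Review bot: the new Arguments entry spells the option "--[never_]discard_private_key_absense", while the option list under "Example configurations" spells it "--[never_]discard_private_key_absence"; an admin copying the name from the Arguments list may end up with a setting the plugin does not recognise, so use one spelling in both places. In the "--max-proxy-level-ttl" entry, "indicat eth final" should read "indicate the final", and the entry mentions only "L" where the option list also allows levels 0-9 and lowercase 'l'. The "--max-voms-ttl" entry omits its time argument, although the example configuration passes one ("--max-voms-ttl 12:00").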
Line 15: | Line 25: | ||
#" --max-proxy-level-ttl=<level> <time-length; example: 2d-13:37>" | #" --max-proxy-level-ttl=<level> <time-length; example: 2d-13:37>" | ||
#" Sets a maximum lifetime for proxy certificate level <level> where <level> can be 0-9 or 'l' or 'L' to indicate a Leaf proxy (last proxy in the chain)" | #" Sets a maximum lifetime for proxy certificate level <level> where <level> can be 0-9 or 'l' or 'L' to indicate a Leaf proxy (last proxy in the chain)" | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− |
Revision as of 08:23, 30 March 2009
The lcmaps_verify_proxy plugin verifies the validity of a proxy chain and (optionally) a valid delegation, including restrictions on the lifetime of any proxies in the chain.
Arguments
- -certdir <dir> (-cadir <dir>)
- trust anchor repository directory to use for verification
- --[never_]discard_private_key_absence
- allow the incoming proxy to (not) lack a private key. Normally, a private key in the proxy is required and is verified against the leaf proxy, to ensure that a true delegation was made to the invoking process.
- --allow-limited-proxy
- allow a limited ("/CN=limited") proxy to be accepted as valid.
- --max-proxy-level-ttl=<level> <time>
- allow the proxy at level <level> to have a lifetime of at most <time>. The level "L" is used to indicate the final 'leaf' level proxy.
- --max-voms-ttl
- maximum time that any active VOMS AC may be valid.
Example configurations
verify_proxy = "lcmaps_verify_proxy.mod"
               " -certdir /etc/grid-security/certificates"
               " --max-proxy-level-ttl=0 260:00"
               " --max-proxy-level-ttl=L 12:05"
               " --max-proxy-level-ttl=1 12:00"
               " --max-voms-ttl 12:00"
Other options and arguments to verify_proxy:
#" --[never_]discard_private_key_absence"
#" --only-post-verify-checks"
#" --allow-limited-proxy"
#" --max-proxy-level-ttl=<level> <time-length; example: 2d-13:37>"
#" Sets a maximum lifetime for proxy certificate level <level> where <level> can be 0-9 or 'l' or 'L' to indicate a Leaf proxy (last proxy in the chain)"
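To see what the per-level limits in the example configuration accept and reject, the sketch below evaluates them against constructed proxy chains; it is an added example, not code from the plugin. It assumes that the time-length format is "[<days>d-]<hours>:<minutes>", that level 0 is the first proxy below the user certificate, that a lifetime is notAfter minus notBefore, and that a configured "L" limit takes precedence over the numbered limit for the last proxy; the names parse_ttl and check_chain are hypothetical.

```python
import re

# Limits taken from the example configuration on this page.
POLICY = {"0": "260:00", "1": "12:00", "L": "12:05"}

# Assumed time-length format: optional "<days>d-" prefix, then hours:minutes.
TTL_FORMAT = re.compile(r"^(?:(\d+)d-)?(\d+):([0-5]\d)$")


def parse_ttl(text):
    """Convert a time-length such as '2d-13:37' or '260:00' to seconds."""
    match = TTL_FORMAT.match(text)
    if not match:
        raise ValueError(f"bad time-length: {text!r}")
    days, hours, minutes = (int(group or 0) for group in match.groups())
    return ((days * 24 + hours) * 60 + minutes) * 60


def check_chain(lifetimes, policy=POLICY):
    """Return the list of limit violations for one proxy chain.

    lifetimes: validity period in seconds (notAfter - notBefore) of each
    proxy, ordered from level 0 down to the leaf.
    """
    violations = []
    last = len(lifetimes) - 1
    for level, lifetime in enumerate(lifetimes):
        key = str(level)
        # Assumption: the leaf limit, when set, wins for the last proxy.
        if level == last and "L" in policy:
            key = "L"
        limit = policy.get(key)
        if limit is None:
            continue  # no limit configured for this level
        if lifetime > parse_ttl(limit):
            violations.append(f"level {key}: {lifetime}s exceeds {limit}")
    return violations


HOUR = 3600
# Constructed sample chains (lifetimes only, not real certificates).
OK_CHAIN = [240 * HOUR, 12 * HOUR, 12 * HOUR]         # level 0, level 1, leaf
LONG_LIVED_LEAF = [240 * HOUR, 12 * HOUR, 24 * HOUR]  # leaf valid for 24 hours
SINGLE_PROXY = [13 * HOUR]                            # level 0 is also the leaf

if __name__ == "__main__":
    for name, chain in [("ok", OK_CHAIN), ("long leaf", LONG_LIVED_LEAF),
                        ("single", SINGLE_PROXY)]:
        print(name, check_chain(chain) or "accepted")
```

The single-proxy case shows why the leaf limit matters: a first-level proxy that would pass the 260-hour level 0 limit is still rejected when it is also the last proxy in the chain.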