Difference between revisions of "Verify-proxy"

From PDP/Grid Wiki
(7 intermediate revisions by 2 users not shown)
Line 1: Line 1:
 +
The <tt>lcmaps_verify_proxy</tt> plugin verifies the validity of a proxy chain and (optionally) a valid delegation, including restrictions on the life time of any proxies in the chain.
 +
 +
== Arguments ==
 +
 +
* '''-certdir <dir>''' or '''-cadir <dir>''' : trust anchor repository directory to use for verification
 +
* '''--only-enforce-lifetime-checks''' : This new option will skip the proxy certificate chain verification stage and will only enforce the lifetime check on the chain and the VOMS credentials.
 +
* '''--[never_]discard_private_key_absense''' : allow the incoming proxy to (not) lack a private key. Normally, a private key in the proxy is required and is verified against the leaf proxy, to ensure that a true delegation was made to the invoking process.
 +
* '''--max-proxy-level-ttl=<level> <time>''' : allow the proxy at level <level> to be at most <time> time long. The level "L" is used to indicate the final 'leaf' level proxy. The smallest life time will take precedence.
 +
* '''--max-voms-ttl''' : maximum time of all active VOMS ACs to be valid.
  
 
= Example configurations =
 
= Example configurations =
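Review bot: The new Arguments list spells the private-key option "--[never_]discard_private_key_absense", while the example configuration on the same page spells it "--[never_]discard_private_key_absence". Use one spelling throughout, so that an option copied from the list is not a different string from the one in the example. The "--max-voms-ttl" entry also shows no argument, although the example passes a time value ("--max-voms-ttl 48:00"); add the time argument to the entry in the same way as for "--max-proxy-level-ttl=<level> <time>".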
Line 4: Line 13:
 
  verify_proxy = "lcmaps_verify_proxy.mod"
 
  verify_proxy = "lcmaps_verify_proxy.mod"
 
  " -certdir /etc/grid-security/certificates"
 
  " -certdir /etc/grid-security/certificates"
  " --max-proxy-level-ttl=0 12:05"
+
  " --max-voms-ttl 48:00"
  " --max-proxy-level-ttl=L 12:05"
+
  " --max-proxy-level-ttl=L 1d-00:05"
  " --max-proxy-level-ttl=1 12:00"
+
  " --max-proxy-level-ttl=0 7d-00:05"
  " --max-voms-ttl 12:00"
+
 
 +
Other options and arguments to verify_proxy:
 +
 
 +
#" --[never_]discard_private_key_absence"
 +
  #" --max-proxy-level-ttl=<level> <time-length; example: 2d-13:37>"
 +
#"  Sets a maximum lifetime for proxy certificate level <level> where <level> can be 0-9 or 'l' or 'L' to indicate a Leaf proxy (last proxy in the chain)"
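Review bot: The time-length syntax used by the new values ("48:00", "1d-00:05", "7d-00:05") is explained only inside a commented-out line ("<time-length; example: 2d-13:37>"), so it should be stated in the Arguments section next to "--max-proxy-level-ttl" and "--max-voms-ttl". The replacement values are also considerably looser than the ones they replace (leaf 12:05 to 1d-00:05, level 0 12:05 to 7d-00:05, VOMS 12:00 to 48:00, and the level 1 limit is dropped). A sentence saying what these example limits are meant to allow would help readers who copy the block as a site policy.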

Latest revision as of 12:02, 7 March 2010

The lcmaps_verify_proxy plugin verifies the validity of a proxy chain and (optionally) a valid delegation, including restrictions on the lifetime of any proxies in the chain.

Arguments

  • -certdir <dir> or -cadir <dir> : trust anchor repository directory to use for verification
  • --only-enforce-lifetime-checks : This new option will skip the proxy certificate chain verification stage and will only enforce the lifetime check on the chain and the VOMS credentials.
  • --[never_]discard_private_key_absence : allow the incoming proxy to (not) lack a private key. Normally, a private key in the proxy is required and is verified against the leaf proxy, to ensure that a true delegation was made to the invoking process.
  • --max-proxy-level-ttl=<level> <time> : allow the proxy at level <level> to have a lifetime of at most <time>. The level "L" is used to indicate the final 'leaf' level proxy. The smallest lifetime will take precedence.
  • --max-voms-ttl : maximum time that all active VOMS ACs (attribute certificates) may be valid.

Example configurations

verify_proxy = "lcmaps_verify_proxy.mod"
" -certdir /etc/grid-security/certificates"
" --max-voms-ttl 48:00"
" --max-proxy-level-ttl=L 1d-00:05"
" --max-proxy-level-ttl=0 7d-00:05"

Other options and arguments to verify_proxy:

#" --[never_]discard_private_key_absence"
#" --max-proxy-level-ttl=<level> <time-length; example: 2d-13:37>"
#"   Sets a maximum lifetime for proxy certificate level <level> where <level> can be 0-9 or 'l' or 'L' to indicate a Leaf proxy (last proxy in the chain)"
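
The following Python example is added here to show how the per-level limits combine; it is not the plugin's code. It assumes the time-length syntax is "[<days>d-]<hours>:<minutes>", as inferred from the values on this page, and that level 0 is the first proxy below the end-entity certificate. The names parse_ttl, parse_limits and check_chain are hypothetical.

```python
import re
from datetime import timedelta

# Time-length syntax inferred from this page's examples: "12:05", "2d-13:37".
_TTL_RE = re.compile(r"^(?:(\d+)d-)?(\d+):([0-5]\d)$")
_OPT_RE = re.compile(r"--max-proxy-level-ttl=([0-9lL])\s+([0-9d:-]+)")

def parse_ttl(text):
    """Parse '[<days>d-]<hours>:<minutes>' into a timedelta."""
    m = _TTL_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised time length: {text!r}")
    days, hours, minutes = (int(g or 0) for g in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes)

def parse_limits(option_lines):
    """Collect --max-proxy-level-ttl options into {level: timedelta}."""
    limits = {}
    for line in option_lines:
        m = _OPT_RE.search(line)
        if m:
            level, ttl = m.group(1).upper(), parse_ttl(m.group(2))
            limits[level] = min(ttl, limits.get(level, ttl))  # smallest wins
    return limits

def check_chain(proxy_lifetimes, limits):
    """Return (level, lifetime, limit) for each proxy exceeding its limit.

    proxy_lifetimes[0] is assumed to be the first proxy below the end-entity
    certificate. The last entry is the leaf, so both its numeric level and
    'L' apply to it, and the smaller of the two limits is enforced.
    """
    violations = []
    last = len(proxy_lifetimes) - 1
    for level, lifetime in enumerate(proxy_lifetimes):
        keys = [str(level)] + (["L"] if level == last else [])
        applicable = [limits[k] for k in keys if k in limits]
        if applicable and lifetime > min(applicable):
            violations.append((level, lifetime, min(applicable)))
    return violations

# Constructed input: the two limit lines from the example configuration.
CONFIG = ['" --max-proxy-level-ttl=L 1d-00:05"', '" --max-proxy-level-ttl=0 7d-00:05"']
# Constructed chain: a 12-hour first-level proxy followed by a 3-day leaf.
CHAIN = [timedelta(hours=12), timedelta(days=3)]

if __name__ == "__main__":
    for level, lifetime, limit in check_chain(CHAIN, parse_limits(CONFIG)):
        print(f"level {level}: lifetime {lifetime} exceeds limit {limit}")
```

With the example configuration, a chain consisting of a single proxy is both level 0 and the leaf, so the 1d-00:05 leaf limit applies to it rather than the 7d-00:05 level 0 limit.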