Verify-proxy

From PDP/Grid Wiki
Jump to navigationJump to search

The lcmaps_verify_proxy plugin verifies the validity of a proxy chain and (optionally) a valid delegation, including restrictions on the life time of any proxies in the chain.

Arguments

-certdir <dir> (-cadir <dir>)
trust anchor repository directory to use for verification
--[never_]discard_private_key_absense
allow the incoming proxy to (not) lack a private key. Normally, a private key in the proxy is required and is verified against the leaf proxy, to ensure that a true delegation was made to the invoking process.
--allow-limited-proxy
allow a limited ("/CN=limited") proxy to be accepted as valid.
--max-proxy-level-ttl=<level>  : allow the proxy at level <level> to be at most
--max-voms-ttl
maximum time of all active VOMS ACs to be valid.

Example configurations

verify_proxy = "lcmaps_verify_proxy.mod"
" -certdir /etc/grid-security/certificates"
" --max-proxy-level-ttl=0 260:00"
" --max-proxy-level-ttl=L 12:05"
" --max-proxy-level-ttl=1 12:00"
" --max-voms-ttl 12:00"

Other options and arguments to verify_proxy:

#" --[never_]discard_private_key_absence"
#" --only-post-verify-checks"
#" --allow-limited-proxy"
#" --max-proxy-level-ttl=<level> <time-length; example: 2d-13:37>"
#"   Sets a maximum lifetime for proxy certificate level <level> where <level> can be 0-9 or 'l' or 'L' to indicate a Leaf proxy (last proxy in the chain)"