Software Links
Getting Started
- A Globus Primer
- Globus Is Modular!
- Quickstart
- Installing GT
- Platform Notes
- GT Developer's Guide
- GT User's Guide
- Migrating Guides
Reference
Manuals
Common Runtime
Security
- GSI C
- GSI Java
- Java WS A&A
- C WS A&A (coming soon)
- CAS
- Delegation Service
- MyProxy
- GSI-OpenSSH
- SimpleCA
Data Mgt
WS MDS
Execution Mgt
Name
cas-proxy-init — Generate a CAS proxy
Synopsis
cas-proxy-init [common options] [ -p proxyfile | -t tag ]
Tool description
The cas-proxy-init command contacts a CAS server, obtains an assertion for the user, and embeds it in a credential. This credential can be used to access CAS-enabled services.
Options
Command-specific options
- -b
policyFileName Generate a CAS credential that includes only those permissions specified in file
policyFileName(the default is to generate a credential with all the user's permissions). Details about the template of the file is provided here.- -u
tag Choose a filename in which to store the CAS credential based on the value
tag. Cannot be used with the-poption.- -w
generatedCredFile Specify the file in which to store the CAS credential. Cannot be used with the
-toption.
Common Options
Important
If you have an asterisk (*) in your command, you might need to escape it with a backslash ( \ ).
- -a, --anonymous
Enables anonymous authentication. Only supported with transport security or the GSI Secure Conversation authentication mechanism.
- -c, --serverCertificate
<file> Specifies the server's certificate file used for encryption. Only needed for the GSI Secure Message authentication mechanism.
- -debug
Runs the client with debug message traces and error stack traces.
- -f, --descriptor
<file> Specifies a client security descriptor. Overrides all other security settings.
- -help
Prints the usage message for the client.
- -l, --contextLifetime
<value> Sets the lifetime of the client security context.
valueis in milliseconds. Only supported with the GSI Secure Conversation authentication mechanism.- -m, --securityMech
<type> Specifies the authentication mechanism. The value
typecan be:msgfor GSI Secure Message, orconvfor GSI Secure Conversation.
- -p, --protection
<type> Specifies the protection level.
typecan be:sigfor signature, orencfor encryption.
- -s
cas-url Sets the CAS Service instance, where
cas-urlis the URL of the CAS service instance. Alternatively, an environment variable can be set as shown here.The instance URL typically looks like
http://Host:Port/wsrf/services/CASService, whereHostandPortare the host and port where the container with the CAS service is running.- -v
Prints the version number.
- -x, --proxyFilename
<value> Sets the proxy file to use as client credential.
- -z
authorization Specifies the type of authorization used, such as
selforhost.If you cannot use a standard method for authorization, you can use the specific CAS server's identity as the value.
Alternatively, an environment variable can be set as shown here.
If none of the above are set, host authorization is done by default and the expected server credential is
cas/, where<fqdn><fqdn>is the fully qualified domain name of the host on which the CAS service is up.![[Note]](/docbook-images/note.gif)
Note If the service being contacted is using GSI Secure Transport , then the container credentials configured for the service will be used, even if service/resource level credentials are configured. Hence authorization needs to be done based on the DN of the container credentials.
Usage
The following gets the assertion from the CAS server, generates a proxy with the assertion and writes it out to "casProxy".
cas-proxy-init -p casProxy
Requesting specific permissions from the CAS server
It is possible to request specific permissions from the CAS server
using the -f option. This option causes cas-proxy-init
to read a set of requested rights from a file.
This file should contain one or more resource identifiers:
Resource:ResourceNamespace|ResourceName
For each resource, there should be one or more action identifiers:
serviceType actionFor example, if the client needed assertions for "file/read" service/action (permission) on two resources ("ftp://sample1.org" and "ftp://sample3.org", both in "FTPNamespace") but "directory/read" and "directory/write" permissions on the former resource only, the policy file should have the following entries:
Resource: FTPNamespace|ftp://sample1.org
file read
directory read
directory write
Resource: FTPNamespace|ftp://sample3.org
file readTo indicate any resource, the following wildcard notation should be used:
uri:samlResourceWildcard
To indicate any action, the following wildcard notation for
serviceType and action should be used. Note that this should be the
first (and clearly the only action) in the list of actions
specified. All other actions in the list are ignored and if it is not
the first, it is not treated as a wildcard.
uri:samlActionNSWildcard uri:samlActionWildcard
For example, if the client needs assertions for all resources and all actions, the policy file should look like:
Resource: uri:samlResourceWildcard
uri:samlActionNSWildcard uri:samlActionWildcardIf the client needs assertions for all actions on resource "FTPNamespace|ftp://sample1.org", the policy file should be as follows:
Resource: FTPNamespace|ftp://sample1.org
uri:samlActionNSWildcard uri:samlActionWildcard