Name
cas-proxy-init — Generate a CAS proxy
Synopsis
cas-proxy-init
Tool description
cas-proxy-init contacts a CAS server, obtains an assertion for the user and embeds it in a credential. This credential can then be used to access CAS-enabled services.
Command syntax
cas-proxy-init [options] [-t tag | -p proxyfile]
Table 45. cas-proxy-init options

| Option | Description |
| --- | --- |
| -p proxyfile | Specify the file in which to store the CAS credential. Cannot be used with the -t option. |
| -t tag | Choose a filename in which to store the CAS credential based on the value tag. Cannot be used with the -p option. |
| -c url | Contact URL for the CAS server. This typically looks like http://Host:Port/wsrf/services/CASService, where Host and Port are the host and port where the container with the CAS service is running. |
| -s server_identity | When doing mutual authentication with the CAS server, expect server_identity as the remote identity. |
| -f policy_file | Generate a CAS credential that includes only the permissions specified in the file policy_file (the default is to generate a credential with all the user's permissions). The format of this file is described after this table. |
| -l hours | Generate a credential whose assertion has a lifetime of hours hours. This is only a request for a lifetime: the CAS server may overrule it if the request exceeds the maximum lifetime it is configured to issue. |
| -m messageType | Sets the security mechanism. It can be 'msg' for Secure Message, 'conv' for Secure Conversation or 'trans' for Transport security. If not set and the server URL starts with 'https', Transport Security is used; otherwise Secure Message is used. |
| -n protectionType | Sets the protection type. It can be 'sig' for signature or 'enc' for encryption. Defaults to signature. |
| Common options | The following options are common to all CAS command-line tools. |
| -a, --anonymous | Enables anonymous authentication. Only supported with transport security or the GSI Secure Conversation authentication mechanism. |
| -c, --serverCertificate <file> | Specifies the server's certificate file used for encryption. Only needed for the GSI Secure Message authentication mechanism. |
| -debug | Debug: to run the client with debug message traces and error stack traces, the -debug flag must be used. |
| -f, --descriptor <file> | Specifies a client security descriptor. Overrides all other security settings. |
| -help | Usage: the -help flag prints the usage message for the client. |
| -l, --contextLifetime <value> | Sets the lifetime of the client security context. value is in milliseconds. Only supported with the GSI Secure Conversation authentication mechanism. |
| -m, --securityMech <type> | Specifies the authentication mechanism. type can be 'msg' for GSI Secure Message or 'conv' for GSI Secure Conversation. |
| -p, --protection <type> | Specifies the protection level. type can be 'sig' for signature or 'enc' for encryption. |
| -x, --proxyFilename <value> | Sets the proxy file to use as the client credential. |
| -s cas-url | CAS Service URL: sets the CAS Service instance to contact, where cas-url is the URL of the CAS service instance. Alternatively, an environment variable can be set as shown here. The instance URL typically looks like http://Host:Port/wsrf/services/CASService, where Host and Port are the host and port where the container with the CAS service is running. |
| -z authorization | CAS Service Identity: sets the expected CAS server identity, where server-identity is the identity of the CAS service. Alternatively, an environment variable can be set as shown here. If neither is set, host authorization is done and the expected server credential is cas/<fqdn>, where <fqdn> is the fully qualified domain name of the host on which the CAS service is running. |
| -v | Version number: the -v flag prints the version number. |
Requesting specific permissions from the CAS server
It is possible to request specific permissions from the CAS server using the -f option. This option causes cas-proxy-init to read a set of requested rights from a file, so that the resulting credential carries only the permissions actually needed.

This file should contain one or more resource identifiers:

```
Resource: ResourceNamespace|ResourceName
```

For each resource, there should be one or more action identifiers, one per line:

```
serviceType action
```

For example, if the client needs assertions for the "file/read" service/action on the resources "ftp://sample1.org" and "ftp://sample3.org", both in "FTPNamespace", and "directory/read" and "directory/write" permissions on the former resource only, the policy file should have the following entries:

```
Resource: FTPNamespace|ftp://sample1.org
file read
directory read
directory write
Resource: FTPNamespace|ftp://sample3.org
file read
```

To indicate any resource, use the following wildcard notation:

```
uri:samlResourceWildcard
```

To indicate any action, use the following wildcard notation for serviceType and action. Note that this must be the first (and effectively the only) entry in the list of actions for that resource: any actions listed after it are ignored, and if it is not the first entry it is not treated as a wildcard.

```
uri:samlActionNSWildcard uri:samlActionWildcard
```

For example, if the client needs assertions for all resources and all actions, the policy file should look like:

```
Resource: uri:samlResourceWildcard
uri:samlActionNSWildcard uri:samlActionWildcard
```

If the client needs assertions for all actions on the resource "FTPNamespace|ftp://sample1.org", the policy file should be as follows:

```
Resource: FTPNamespace|ftp://sample1.org
uri:samlActionNSWildcard uri:samlActionWildcard
```
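The policy file format above is simple enough to check before handing it to cas-proxy-init, which matters because a wildcard pair that is not listed first is silently treated as a literal action, and a wildcard that is honoured requests far more than least privilege. The following parser and linter is an added example, not Globus Toolkit code; it implements the rules stated on this page (Resource: blocks, serviceType/action pairs, the two SAML wildcards) and uses a constructed copy of the page's own sample policy file as input.

```python
# Added example, not Globus Toolkit code: parse and lint a cas-proxy-init -f policy file.
# SAMPLE_POLICY is a constructed copy of the policy file shown on this page.
from dataclasses import dataclass, field
RESOURCE_WILDCARD = "uri:samlResourceWildcard"
ACTION_WILDCARD = ("uri:samlActionNSWildcard", "uri:samlActionWildcard")
SAMPLE_POLICY = """Resource: FTPNamespace|ftp://sample1.org
file read
directory read
directory write
Resource: FTPNamespace|ftp://sample3.org
file read
"""

@dataclass
class ResourceRequest:
    resource: str                                 # "Namespace|Name" or the wildcard URI
    actions: list = field(default_factory=list)   # (serviceType, action) pairs
    all_actions: bool = False                     # the wildcard pair was listed first

def parse_policy(text):
    """Return one ResourceRequest per "Resource:" block, applying the wildcard rules."""
    requests, current = [], None
    for lineno, line in enumerate(map(str.strip, text.splitlines()), 1):
        if not line:
            continue
        if line.startswith("Resource:"):
            target = line[len("Resource:"):].strip()
            if target != RESOURCE_WILDCARD and "|" not in target:
                raise ValueError(f"line {lineno}: expected Namespace|Name or the wildcard")
            current = ResourceRequest(target)
            requests.append(current)
            continue
        parts = tuple(line.split())
        if current is None or len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'serviceType action' under a Resource:")
        if current.all_actions:
            continue                        # everything after a leading wildcard is ignored
        if parts == ACTION_WILDCARD and not current.actions:
            current.all_actions = True
        else:
            current.actions.append(parts)   # a wildcard that is not first is only a literal pair
    return requests

def lint_policy(requests):
    checks = [
        (lambda r: r.resource == RESOURCE_WILDCARD, "asks for every resource"),
        (lambda r: r.all_actions, "asks for every action"),
        (lambda r: ACTION_WILDCARD in r.actions, "wildcard not first, treated literally"),
    ]
    return [f"{r.resource}: {msg}" for r in requests for test, msg in checks if test(r)]
```

Running `lint_policy(parse_policy(SAMPLE_POLICY))` on the page's sample returns no warnings, while a file that puts the action wildcard after another action is reported as a literal pair rather than a wildcard.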