Software Links
Getting Started
- Doc Structure
- A Globus Primer
- Globus Is Modular!
- Quickstart
- Installing GT
- Platform Notes
- Migrating from GT2
- Migrating from GT3
Reference
- PDF version
- Best Practices
- Coding Guidelines
- API docs
- Public Interfaces
- Resource Properties
- Samples
- Glossary
- Performance Studies
Common Runtime
Security
Data Mgt
Information Svcs
Execution Mgt
Name
cas-proxy-init — Generate a CAS proxy
Synopsis
cas-proxy-init [common options] [ -p proxyfile | -t tag ]
Tool description
The cas-proxy-init command contacts a CAS server, obtains an assertion for the user, and embeds it in a credential. This credential can be used to access CAS-enabled services.
Options
Command-specific options
- -p
proxyfile Specify the file in which to store the CAS credential. Cannot be used with the
-toption.FIXME: how does this relate to the -p, --protection common option?
- -t
tag Choose a filename in which to store the CAS credential based on the value
tag. Cannot be used with the-poption.- -c
url Contact URL for the CAS server. This typically looks like
http://whereHost:Port/wsrf/services/CASServiceHostandPortare the host and port where the container with the CAS service is running.FIXME: how does this relate to the -c, --serverCertificate common option?
- -s
server_identity When doing mutual authentication with the CAS server, expect
server_identityas the remote identity.FIXME: how does this relate to the -s
cas-urlcommon option?- -f
policy_file Generate a CAS credential that includes only those permissions specified in file
policy_file(the default is to generate a credential with all the user's permissions). Details about the template of the file is provided here.FIXME: How does this relate to the -f, --descriptor
<file>common option?- -l
hours Generate a credential which has an assertion with a lifetime of
hours. This is just a request for lifetime, but may be overruled by the CAS server if the request exceeds a set maximum for the lifetime of assertions it issues.FIXME: How does this relate to the -l, --contextLifetime
<value>common option?- -m
messageType Used to set the chosen security mechanism. It can be set to:
msgfor Secure Message, [FIXME - glossterm?]convfor Secure Conversation [FIXME - glossterm?], andtransfor Transport security.
If not set and the server URL starts with
https, Transport Security is used; otherwise, Secure Message is used.FIXME: How does this relate to the -m, --securityMech
<type>common option?- -n
protectionType Used to set the protection type. Can be set to:
sigor to indicate signature, orencto indicate encryption.
Defaults to
sig.FIXME: Is this related to the -p, --protection
<type>common option?
Common Options
- -a, --anonymous
Enables anonymous authentication. Only supported with transport security or the GSI Secure Conversation authentication mechanism.
- -c, --serverCertificate
<file> Specifies the server's certificate file used for encryption. Only needed for the GSI Secure Message authentication mechanism.
- -debug
Runs the client with debug message traces and error stack traces.
- -f, --descriptor
<file> Specifies a client security descriptor. Overrides all other security settings.
- -help
Prints the usage message for the client.
- -l, --contextLifetime
<value> Sets the lifetime of the client security context.
valueis in milliseconds. Only supported with the GSI Secure Conversation authentication mechanism [FIXME glossterm?].- -m, --securityMech
<type> Specifies the authentication mechanism. The value
typecan be:msgfor GSI Secure Message, orconvfor GSI Secure Conversation.
- -p, --protection
<type> Specifies the protection level.
typecan be:sigfor signature, orencfor encryption.
- -x, --proxyFilename
<value> Sets the proxy file to use as client credential.
- -s
cas-url Sets the CAS Service instance, where
cas-urlis the URL of the CAS service instance. Alternatively, an environment variable can be set as shown here.The instance URL typically looks like
http://Host:Port/wsrf/services/CASService, whereHostandPortare the host and port where the container with the CAS service is running.- -z
authorization Specifies the type of authorization used, such as
selforhost.If you cannot use a standard method for authorization, you can use the specific CAS server's identity as the value.
Alternatively, an environment variable can be set as shown here.
If none of the above are set, host authorization is done by default and the expected server credential is
cas/, where<fqdn><fqdn>is the fully qualified domain name of the host on which the CAS service is up.![[Note]](/docbook-images/note.gif)
Note If the service being contacted is using GSI Secure Transport [FIXME glossterm], then the container credentials configured for the service will be used, even if service/resource level credentials are configured. Hence authorization needs to be done based on the DN of the container credentials.
- -v
Prints the version number.
![[Important]](/docbook-images/important.gif) | Important |
|---|---|
If you have an asterisk (*) in your command, you might need to escape it with a backslash ( \ ). |
Requesting specific permissions from the CAS server
It is possible to request specific permissions from the CAS server
using the -f option. This option causes cas-proxy-init
to read a set of requested rights from a file.
This file should contain one or more resource identifiers:
Resource:ResourceNamespace|ResourceName
For each resource, there should be one or more action identifiers:
serviceType actionFor example, if the client needed assertions for "file/read" service/action (permission) on two resources ("ftp://sample1.org" and "ftp://sample3.org", both in "FTPNamespace") but "directory/read" and "directory/write" permissions on the former resource only, the policy file should have the following entries:
Resource: FTPNamespace|ftp://sample1.org
file read
directory read
directory write
Resource: FTPNamespace|ftp://sample3.org
file readTo indicate any resource, the following wildcard notation should be used:
uri:samlResourceWildcard
To indicate any action, the following wildcard notation for
serviceType and action should be used. Note that this should be the
first (and clearly the only action) in the list of actions
specified. All other actions in the list are ignored and if it is not
the first, it is not treated as a wildcard.
uri:samlActionNSWildcard uri:samlActionWildcard
For example, if the client needs assertions for all resources and all actions, the policy file should look like:
Resource: uri:samlResourceWildcard
uri:samlActionNSWildcard uri:samlActionWildcardIf the client needs assertions for all actions on resource "FTPNamespace|ftp://sample1.org", the policy file should be as follows:
Resource: FTPNamespace|ftp://sample1.org
uri:samlActionNSWildcard uri:samlActionWildcard