Provided by: lcmaps-plugins-verify-proxy_1.5.4-2_amd64 bug


       lcmaps_verify_proxy.mod - LCMAPS plugin to verify a certificate chain including proxies



       [--allow-limited-proxy] [-certdir|-cadir <certificate_directory>] [--disallow-limited-
       proxy] [--discard_private_key_absence] [--max-proxy-level-ttl=<level>|--max-proxy-level-
       ttl@<level> <timeperiod>] [--max-voms-ttl <timeperiod>]
       [--never_discard_private_key_absence] [--only-enforce-lifetime-checks] [--require-limited-


       This  plugin will test if the presented proxy certificate is authentic. This is done using
       OpenSSL methods to verify the certificate chain, check if the  End-Entity  Certificate  is
       not  revoked  by  checking  CRLs or OCSP(*). In an lcmaps.db (5) file it is advised to run
       this plug-in as the first plug-in and fail  the  policy  if  there  is  no  other  way  of
       verifying the input credentials.

       Additional  this  plug-in  can  impose  other  policies,  like  proxy  and  VOMS life-time
       restrictions or require that the certificate chain is offered in a certain  way,  e.g.  by
       offering a Limited proxy or (optionally) without a private key.

       The  plug-in  takes  its  input from the LCMAPS framework. The certificate chain is coming
       from the registered (derived) STACK_OF(X509) * and the private  key  (when  available)  is
       taken from the registered PEM string credentials.

       A  certificate  chain  will  be checked and verified by OpenSSL, but additionally to these
       checks this plug-in also performs semantic checks on the certificate chain  based  on  how
       GT2, GT3 and RFC 3820 proxy certificates are to be constructed and used.


              When  enabled  allow  the certificate chain to contain a limited proxy certificate.
              GT2, GT3 and RFC Limited proxies are treated as equal.

       -certdir | -cadir <certificate_directory>
              This option sets the directory used to find the CA  certificates,  CRLs  and  other
              files used in the verification process of the presented certificate chain.  Setting
              this option is muted by the option --only-enforce-lifetime-checks.

              When enabled all uses of limited proxies  will  be  prohibited  and  treated  as  a
              failure condition. GT2, GT3 and RFC Limited proxies are treated as equal.

              When  enabled  the plug-in verification process will not fail on the absence of the
              private key. Having a private key to present is part of the proof of possession  of
              the  certificate  chain  its  delegations, therefore a fundamental part of the user
              credentials. Discarding the private key check is  useful  in  cases  where  another
              process  has  already  establish  trust  in  the user credentials by performing the
              private key proof of possession steps.  Example: This feature  can  be  enabled  in
              deployments  where  gLExec is part of the CREAM CE. The CREAM CE's SSL handshake is
              taking ensuring that fully verified credentials get passed down.  Counter  example:
              This  feature  is not-enabled on a gLExec-on-the-WN deployment, as gLExec will need
              to ensure that the pilot-job payload credentials are fully verified before  account
              mapping should occur.

       --max-proxy-level-ttl=<level> | --max-proxy-level-ttl@<level> <timeperiod>
              Set  a  maximum  to  the  allowed  validity  period  of the proxy certificate for a
              specific delegation <level>. The first  delegation  after  an  EEC  certificate  is
              <level>  0.  This  delegation  level  could be used in a MyProxy. A typical setting
              would be 14d-00:00 to allow for a MyProxy certificate with a validity period of two

              A  special  <level> is indicated by an l or L. This is the leaf proxy or also known
              as the final delegation. A safe setting for this would be 1d-00:00 to allow a proxy
              certificate validity period of 1 day/24 hours.

              Set  the  <timeperiod>  in the following format: [0-99]d-[0-23][00-59]. For example

       --max-voms-ttl <timeperiod>
              Set a maximum to  the  allowed  validity  period  of  the  VOMS  credentials  (when
              present).  Using  VOMS  credentials  with  a  validity  period  longer then the set
              timeperiod> will result in a failure.

              This setting will override the option --discard_private_key_absence and  option  to
              set   the   environment  variable  $VERIFY_PROXY_DISCARD_PRIVATE_KEY_ABSENCE  which
              performs the same behavior.

              When enable this option will bypass all verification steps and  will  only  perform
              the lifetime checks configured by --max-proxy-level-ttl and/or --max-voms-ttl. This
              option is ideal to be used in a Globus  Gatekeeper,  GridFTPd  and/or  GSI-OpenSSHd

              Explicitly  require  the  certificate  chain  to  have  a  limited proxy as a final
              delegation. The plug-in will fail if the certificate chain does not have a  limited





       OCSP is not functional and will be added when either CAB/Forum or the IGTF publish a clear

       Please report any errors to the Nikhef Grid Middleware  Security  Team  <grid-mw-security->.


       lcmaps.db(5), lcmaps(3).


       LCMAPS and the LCMAPS plug-ins were written by the Grid Middleware Security Team <grid-mw->.

                                         October 31, 2012              LCMAPS_VERIFY_PROXY.MOD(8)