Provided by: myproxy_5.9-6_amd64 bug

NAME

       myproxy-init - store a credential for later retrieval

SYNOPSIS

       myproxy-init [ options ]

DESCRIPTION

       The  myproxy-init command uploads a credential to a myproxy-server(8) for later retrieval.
       In the default mode, the command first  prompts  for  the  user's  Grid  pass  phrase  (if
       needed),  which  is  used  to  create  a proxy credential.  The command then prompts for a
       MyProxy pass phrase, which will be required to later retrieve the credential.  The MyProxy
       pass  phrase must be entered a second time for confirmation.  A credential with a lifetime
       of one week (by default) is then delegated to the myproxy-server(8) and  stored  with  the
       given  MyProxy  pass phrase.  Proxy credentials with default lifetime of 12 hours can then
       be retrieved by myproxy-logon(1) using the MyProxy passphrase.  The default  behavior  can
       be overridden by options specified below.

       The  myproxy-init  command  can also upload a credential to a myproxy-server(8) to support
       credential renewal.  Renewal allows a trusted service (for example, a batch job scheduler)
       to  obtain a new credential for a user before the existing credential it has for that user
       expires.  The -R argument to myproxy-init configures the credential  for  renewal  by  the
       specified  service.   Renewal  requires  two  authentications.   The renewing service must
       authenticate with its own credentials, matching the distinquished name specified by the -R
       argument,  and  must  also  authenticate  with  an  existing  credential  that matches the
       distinguished name of the stored credential, to retrieve a new credential.

       A credential may be used either for retrieval or  renewal  but  not  both.   If  both  are
       desired,  upload  a  different credential for each use, with a different name using the -k
       option.

       The hostname where the myproxy-server(8) is running must be specified by  either  defining
       the MYPROXY_SERVER environment variable or the -s option.

       By  default,  myproxy-init  will  create  a  proxy  credential  from the user's end-entity
       credentials  at  ~/.globus/usercert.pem  and  ~/.globus/userkey.pem  to  delegate  to  the
       myproxy-server(8).  To specify an alternate location for the source certificate and key to
       delegate, use the X509_USER_CERT and X509_USER_KEY environment variables.  To use a  proxy
       credential as the source of the delegation, set both environment variables to the location
       of the proxy credential.  To delegate a  "legacy  globus  proxy",  set  the  GT_PROXY_MODE
       environment  variable  to  "old".   To  delegate  an  "RFC  3820 compliant proxy", set the
       GT_PROXY_MODE environment variable to "rfc".

OPTIONS

       -h, --help
              Displays command usage text and exits.

       -u, --usage
              Displays command usage text and exits.

       -v, --verbose
              Enables verbose debugging output to the terminal.

       -V, --version
              Displays version information and exits.

       -s hostname[:port], --pshost hostname[:port]
              Specifies the hostname(s)  of  the  myproxy-server(s).   Multiple  hostnames,  each
              hostname optionally followed by a ':' and port number, may be specified in a comma-
              separated list.  This option is required if the MYPROXY_SERVER environment variable
              is not defined.  If specified, this option overrides the MYPROXY_SERVER environment
              variable. If a port number is specified with a hostname, it will  override  the  -p
              option as well as the MYPROXY_SERVER_PORT environment variable for that host.

       -p port, --psport port
              Specifies the TCP port number of the myproxy-server(8).  Default: 7512

       -l username, --username username
              Specifies  the  MyProxy  account  under  which the credential should be stored.  By
              default, the command uses the value of the LOGNAME environment variable.  Use  this
              option  to specify a different account username on the MyProxy server.  The MyProxy
              username need not correspond to a real Unix username.

       -c hours, --cred_lifetime hours
              Specifies the lifetime of the credential stored on the myproxy-server(8) in  hours.
              Specify  0  for  the  maximum possible lifetime, i.e., the lifetime of the original
              credential.  Default: 1 week (168 hours)

       -t hours, --proxy_lifetime hours
              Specifies the maximum lifetime of credentials retrieved from the  myproxy-server(8)
              using the stored credential.  Default: 12 hours

       -C filename, --certfile filename
              Specifies  the  filename  of  the source certificate.

       -y filename, --keyfile filename
              Specifies the filename of the source private key.

       -d, --dn_as_username
              Use  the  certificate  subject (DN) as the default username, instead of the LOGNAME
              environment variable.

       -a, --allow_anonymous_retrievers
              Allow credentials to  be  retrieved  with  just  pass  phrase  authentication.   By
              default,  only  entities  with  credentials that match the myproxy-server.config(5)
              default retriever policy may retrieve credentials.   This  option  allows  entities
              without   existing   credentials   to  retrieve  a  credential  using  pass  phrase
              authentication by including "anonymous" in the  set  of  allowed  retrievers.   The
              myproxy-server.config(5) server-wide policy must also allow "anonymous" clients for
              this option to have an effect.

       -A, --allow_anonymous_renewers
              Allow credentials to be renewed by any client.  Any client with a valid  credential
              with  a  subject  name  that  matches  the  stored  credential  may  retrieve a new
              credential from the MyProxy  repository  if  this  option  is  given.   Since  this
              effectively   defeats  the  purpose  of  proxy  credential  lifetimes,  it  is  not
              recommended.  It is included only for sake of completeness.

       -r name, --retrievable_by name
              Allow the specified entity to retrieve credentials.  See  -x  and  -X  options  for
              controlling name matching behavior.

       -R name, --renewable_by name
              Allow  the  specified  entity  to  renew  credentials.   See  -x and -X options for
              controlling name matching  behavior.   This  option  implies  -n  since  passphrase
              authentication is not used for credential renewal.

       -Z name, --retrievable_by_cert name
              Allow  the  specified  entity to retrieve credentials without a passphrase.  See -x
              and -X options for controlling name matching behavior.  This option implies -n.

       -x, --regex_dn_match
              Specifies that names used with following options -r, -R, and  -Z  will  be  matched
              against  the  full certificate subject distinguished name (DN) according to REGULAR
              EXPRESSIONS in myproxy-server.config(5).

       -X, --match_cn_only
              Specifies that names used with following options -r, -R, and  -Z  will  be  matched
              against  the  certificate subject common name (CN) according to REGULAR EXPRESSIONS
              in myproxy-server.config(5).  For example, if an argument of  -r  "Jim  Basney"  is
              specified,  then  the  resulting  policy  will  be  "*/CN=Jim Basney".  This is the
              default behavior.

       -k name, --credname name
              Specifies the credential name.

       -K description, --creddesc description
              Specifies credential description.

       -S, --stdin_pass
              By default, the command prompts for a passphrase and reads the passphrase from  the
              active tty.  When running the command non-interactively, there may be no associated
              tty.  Specifying this option tells the command to read  passphrases  from  standard
              input without prompts or confirmation.

       -L, --local_proxy
              In  addition  to  storing a proxy credential on the myproxy-server(8) with lifetime
              set by --cred_lifetime (default 1 week),  create  a  local  proxy  credential  with
              lifetime set by --proxy_lifetime (default 12 hours).

       -n, --no_passphrase
              Don't  prompt  for a credential passphrase.  Store credentials without a credential
              passphrase, to be protected by other methods, such as PAM,  SASL,  or  certificate-
              based authentication.  This option is implied by -R since passphrase authentication
              is not used  for  credential  renewal.   Note  that  the  myproxy-server(8)  always
              requires  some type of authentication for retrieving credentials, so if you store a
              credential with no passphrase and other authentication methods are not  configured,
              the credential will not be accessible.

       -m voms, --voms voms
              Add VOMS attributes to the credential by running voms-proxy-init on the client-side
              before storing the credential on the myproxy-server(8).  The VOMS VO name  must  be
              provided,  as  required by voms-proxy-init -voms.  The voms-proxy-init command must
              be installed and configured to use this option.   For  example,  the  VOMS_USERCONF
              environment variable may need to be set for voms-proxy-init to run correctly.

EXIT STATUS

       0 on success, >0 on error

FILES

       ~/.globus/usercert.pem
              Default  location  of  the  certificate from which the proxy credential is created.
              Set the X509_USER_CERT environment variable to override.

       ~/.globus/userkey.pem
              Default location of the private key from which the  proxy  credential  is  created.
              Set the X509_USER_KEY environment variable to override.

       /tmp/myproxy-proxy.<uid>.<pid>
              Location  of  the  temporary  proxy  credential  that  is delegated to the myproxy-
              server(8).  It is removed after the delegation is completed.

ENVIRONMENT

       GLOBUS_GSSAPI_NAME_COMPATIBILITY
              This client will, by default, perform a reverse-DNS lookup to  determine  the  FQHN
              (Fully  Qualified  Host  Name)  to  use  in verifying the identity of the server by
              checking the FQHN against the CN in server's certificate.  Setting this variable to
              STRICT_RFC2818  will cause the reverse-DNS lookup to NOT be performed and the user-
              specified name to be used instead.   This  variable  setting  will  be  ignored  if
              MYPROXY_SERVER_DN (described later) is set.

       MYPROXY_SERVER
              Specifies   the  hostname(s)  where  the  myproxy-server(8)  is  running.  Multiple
              hostnames can be specified in a comma separated list with each hostname  optionally
              followed  by a ':' and port number.  This environment variable can be used in place
              of the -s option.

       MYPROXY_SERVER_PORT
              Specifies the port  where  the  myproxy-server(8)  is  running.   This  environment
              variable can be used in place of the -p option.

       MYPROXY_SERVER_DN
              Specifies the distinguished name (DN) of the myproxy-server(8).  All MyProxy client
              programs authenticate the server's identity.  By default, MyProxy servers run  with
              host  credentials,  so  the  MyProxy  client  programs  expect the server to have a
              distinguished name with "/CN=host/<fqhn>" or "/CN=myproxy/<fqhn>"  or  "/CN=<fqhn>"
              (where  <fqhn>  is  the  fully-qualified hostname of the server).  If the server is
              running with some other DN, you can set  this  environment  variable  to  tell  the
              MyProxy     clients     to     accept     the     alternative    DN.    Also    see
              GLOBUS_GSSAPI_NAME_COMPATIBILITY above.

       X509_USER_CERT
              Specifies a  non-standard  location  for  the  certificate  from  which  the  proxy
              credential  is  created.  The location may be the path to an end-entity certificate
              (ex.  ~/.globus/usercert.pem) or a proxy (ex.  /tmp/x509up_u<uid>).

       X509_USER_KEY
              Specifies a non-standard  location  for  the  private  key  from  which  the  proxy
              credential  is  created.  The location may be the path to an end-entity private key
              (ex.  ~/.globus/userkey.pem) or a proxy (ex.  /tmp/x509up_u<uid>).

       X509_CERT_DIR
              Specifies a non-standard location for the CA certificates directory.

       GT_PROXY_MODE
              Set to "old" to store a "legacy globus proxy" in the MyProxy  repository.   Set  to
              "rfc" to store an "RFC 3820 compliant proxy" in the MyProxy repository.

       MYPROXY_TCP_PORT_RANGE
              Specifies  a  range of valid port numbers in the form "min,max" for the client side
              of the network connection to the server.  By default, the client will bind  to  any
              available  port.   Use  this  environment  variable to restrict the ports used to a
              range allowed by your firewall.  If unset, MyProxy will follow the setting  of  the
              GLOBUS_TCP_PORT_RANGE environment variable.

       MYPROXY_KEYBITS
              Specifies  the  size  for  RSA  keys  generated  by  MyProxy.   By default, MyProxy
              generates 2048 bit RSA keys.  Set this environment variable to "1024" for 1024  bit
              RSA keys.

AUTHORS

       See http://myproxy.ncsa.uiuc.edu/about for the list of MyProxy authors.

SEE ALSO

       myproxy-change-pass-phrase(1),   myproxy-destroy(1),  myproxy-get-trustroots(1),  myproxy-
       info(1),     myproxy-logon(1),     myproxy-retrieve(1),     myproxy-store(1),     myproxy-
       server.config(5),  myproxy-admin-adduser(8),  myproxy-admin-change-pass(8), myproxy-admin-
       load-credential(8), myproxy-admin-query(8), myproxy-server(8)