Provided by: nordugrid-arc-client_7.0.0-4_amd64 
NAME
arcproxy - ARC Credentials Proxy generation utility
DESCRIPTION
Usage:
arcproxy [OPTION...]
The arcproxy command creates a proxy from a key/certificate pair which can then be used to access grid
resources.
OPTIONS
-h, --help
Show help options
-P, --proxy=path
path to the proxy file
-C, --cert=path
path to the certificate file, it can be either PEM, DER, or PKCS12 formatted
-K, --key=path
path to the private key file, if the certificate is in PKCS12 format, then no need to give private
key
-T, --cadir=path
path to the trusted certificate directory, only needed for the VOMS client functionality
-s, --vomsdir=path
path to the top directory of VOMS *.lsc files, only needed for the VOMS client functionality
-V, --vomses=path
path to the VOMS server configuration file
-S, --voms=string
voms<:command>. Specify VOMS server
More than one VOMS server can be specified like this: --voms VOa:command1 --voms VOb:command2.
:command is optional, and is used to ask for specific attributes (e.g: roles)
command options are:
all --- put all of this DN's attributes into AC;
list --- list all of the DN's attribute, will not create AC extension;
/Role=yourRole --- specify the role, if this DN has such a role, the role will be put into AC;
/voname/groupname/Role=yourRole --- specify the VO, group and role; if this DN has such a role,
the role will be put into AC.
If this option is not specified values from configuration files are used. To avoid anything to be
used specify -S with empty value.
-o, --order=string
group<:role>. Specify ordering of attributes
Example: --order /knowarc.eu/coredev:Developer,/knowarc.eu/testers:Tester or: --order
/knowarc.eu/coredev:Developer --order /knowarc.eu/testers:Tester
Note that it does not make sense to specify the order if you have two or more different VOMS
servers specified
-G, --gsicom
use GSI communication protocol for contacting VOMS services
-H, --httpcom
use HTTP communication protocol for contacting VOMS services that provide RESTful access
Note for RESTful access, 'list' command and multiple VOMS server are not supported
-B, --oldcom
use old communication protocol for contacting VOMS services instead of RESTful access
-O, --old
this option is not functional (old GSI proxies are not supported anymore)
-I, --info
print all information about this proxy.
-i, --infoitem=string
print selected information about this proxy.
-r, --remove
remove proxy
-U, --user=string
username to MyProxy server (if missing subject of user certificate is used)
-N, --nopassphrase
don't prompt for a credential passphrase, when retrieve a credential from an MyProxy server.
The precondition of this choice is that the credential was PUT onto the MyProxy server without a
passphrase by using the -R (--retrievable_by_cert) option. This option is specific for the GET
command when contacting Myproxy server.
-R, --retrievable_by_cert=string
Allow specified entity to retrieve credential without passphrase.
This option is specific for the PUT command when contacting Myproxy server.
-L, --myproxysrv=string
hostname[:port] of MyProxy server
-M, --myproxycmd=string
command to MyProxy server. The command can be PUT, GET, INFO, NEWPASS or DESTROY.
PUT -- put a delegated credentials to the MyProxy server;
GET -- get a delegated credentials from the MyProxy server;
INFO -- get and present information about credentials stored at the MyProxy server;
NEWPASS -- change password protecting credentials stored at the MyProxy server;
DESTROY -- wipe off credentials stored at the MyProxy server;
Local credentials (certificate and key) are not necessary except in case of PUT. MyProxy
functionality can be used together with VOMS functionality. --voms and --vomses can be used for
Get command if VOMS attributes is required to be included in the proxy.
-F, --nssdb
use NSS credential database in default Mozilla profiles, including Firefox, Seamonkey and
Thunderbird.
-c, --constraint=string
proxy constraints
-p, --passwordsource=string
password destination=password source
-t, --timeout=seconds
timeout in seconds (default 20)
-z, --conffile=filename
configuration file (default ~/.arc/client.conf)
-d, --debug=debuglevel
FATAL, ERROR, WARNING, INFO, VERBOSE or DEBUG
--systemca
force using CA certificates configuration provided by OpenSSL
--gridca
force using CA certificates configuration for Grid services (typically IGTF)
--allowinsecureconnection
allow TLS connection which failed verification
-v, --version
print version information
Supported constraints are:
validityStart=time (e.g. 2008-05-29T10:20:30Z; if not specified, start from now)
validityEnd=time
validityPeriod=time (e.g. 43200 or 12h or 12H; if both validityPeriod and validityEnd not
specified, the default is 12 hours for local proxy, and 168 hours for delegated proxy on myproxy
server)
vomsACvalidityPeriod=time (e.g. 43200 or 12h or 12H; if not specified, the default is the minimum
value of 12 hours and validityPeriod)
myproxyvalidityPeriod=time (lifetime of proxies delegated by myproxy server, e.g. 43200 or 12h or
12H; if not specified, the default is the minimum value of 12 hours and validityPeriod (which is
lifetime of the delegated proxy on myproxy server))
proxyPolicy=policy content
proxyPolicyFile=policy file
keybits=number - length of the key to generate. Default is 2048 bits. Special value 'inherit' is
to use key length of signing certificate.
signingAlgorithm=name - signing algorithm to use for signing public key of proxy. Possible values
are sha1, sha2 (alias for sha256), sha224, sha256, sha384, sha512 and inherit (use algorithm of
signing certificate). Default is inherit. With old systems, only sha1 is acceptable.
Supported information item names are:
subject - subject name of proxy certificate.
identity - identity subject name of proxy certificate.
issuer - issuer subject name of proxy certificate.
ca - subject name of CA which issued initial certificate.
path - file system path to file containing proxy.
type - type of proxy certificate. validityStart - timestamp when proxy validity starts.
validityEnd - timestamp when proxy validity ends.
validityPeriod - duration of proxy validity in seconds.
validityLeft - duration of proxy validity left in seconds.
vomsVO - VO name represented by VOMS attribute
vomsSubject - subject of certificate for which VOMS attribute is issued
vomsIssuer - subject of service which issued VOMS certificate
vomsACvalidityStart - timestamp when VOMS attribute validity starts.
vomsACvalidityEnd - timestamp when VOMS attribute validity ends.
vomsACvalidityPeriod - duration of VOMS attribute validity in seconds.
vomsACvalidityLeft - duration of VOMS attribute validity left in seconds.
proxyPolicy
keybits - size of proxy certificate key in bits.
signingAlgorithm - algorithm used to sign proxy certificate.
Items are printed in requested order and are separated by newline. If item has multiple values they are
printed in same line separated by |.
Supported password destinations are:
key - for reading private key
myproxy - for accessing credentials at MyProxy service
myproxynew - for creating credentials at MyProxy service
all - for any purspose.
Supported password sources are:
quoted string ("password") - explicitly specified password
int - interactively request password from console
stdin - read password from standard input delimited by newline
file:filename - read password from file named filename
stream:# - read password from input stream number #. Currently only 0 (standard input) is
supported.
ENVIRONMENT VARIABLES
ARC_LOCATION
The location where ARC is installed can be specified by this variable. If not specified the
install location will be determined from the path to the command being executed, and if this fails
a WARNING will be given stating the location which will be used.
ARC_PLUGIN_PATH
The location of ARC plugins can be specified by this variable. Multiple locations can be specified
by separating them by : (; in Windows). The default location is $ARC_LOCATION/lib/arc (\ in
Windows).
FILES
/etc/vomses
Common file containing a list of selected VO contact point, one VO per line, for example:
"gin" "kuiken.nikhef.nl" "15050" "/O=dutchgrid/O=hosts/OU=nikhef.nl/CN=kuiken.nikhef.nl"
"gin.ggf.org"
"nordugrid.org" "voms.uninett.no" "15015" "/O=Grid/O=NorduGrid/CN=host/voms.ndgf.org"
"nordugrid.org"
~/.voms/vomses
Same as /etc/vomses but located in user's home area. If exists, has precedence over /etc/vomses
The order of the parsing of vomses location is:
1. command line options
2. client configuration file ~/.arc/client.conf
3. $X509_VOMSES or $X509_VOMS_FILE
4. ~/.arc/vomses
5. ~/.voms/vomses
6. $ARC_LOCATION/etc/vomses (this is for Windows environment)
7. $ARC_LOCATION/etc/grid-security/vomses (this is for Windows environment)
8. $PWD/vomses
9. /etc/vomses
10. /etc/grid-security/vomses
~/.arc/client.conf
Some options can be given default values by specifying them in the ARC client configuration file.
By using the --conffile option a different configuration file can be used than the default.
AUTHOR
ARC software is developed by the NorduGrid Collaboration (http://www.nordugrid.org), please consult the
AUTHORS file distributed with ARC. Please report bugs and feature requests to
http://bugzilla.nordugrid.org
REPORTING BUGS
Report bugs to http://bugzilla.nordugrid.org/
COPYRIGHT
APACHE LICENSE Version 2.0
SEE ALSO
arccat(1), arcclean(1), arccp(1), arcget(1), arcinfo(1), arckill(1), arcls(1), arcmkdir(1), arcrenew(1),
arcresume(1), arcrm(1), arcstat(1), arcsub(1), arcsync(1), arctest(1)
arcproxy version 7.0.0 June 2025 ARCPROXY(1)