
NAME

       ipsec_openac - Generation of X.509 attribute certificates

SYNOPSIS

       ipsec openac [ --help ] [ --version ] [ --optionsfrom filename ]
          [ --quiet ] [ --debug level ]
          [ --days days ] [ --hours hours ]
          [ --startdate YYYYMMDDHHMMSSZ ] [ --stopdate YYYYMMDDHHMMSSZ ]
          --cert certfile --key keyfile [ --password password ]
          --usercert certfile --groups attr1,attr2,...  --out filename

DESCRIPTION

       openac is intended to be used by an Authorization Authority (AA) to
       generate and sign X.509 attribute certificates.  Currently only the
       inclusion of one or several group attributes is supported.  An
       attribute certificate is linked to a holder by including the issuer and
       serial number of the holder's X.509 certificate.

OPTIONS

       --help display the usage message.

       --version
              display the version of openac.

       --optionsfrom filename
              adds the contents of the file to the argument list.  If filename
              is a relative path then the file is searched  in  the  directory
              /etc/openac.

       --quiet
              By  default  openac  logs  all control output both to syslog and
              stderr.  With the --quiet option no output is written to stderr.

       --days days
              Validity of the X.509 attribute certificate in days.  If neither
              the --days nor the --hours option is specified then a default
              validity interval of 1 day is assumed.  The --days option can be
              combined with the --hours option.

       --hours hours
              Validity of the X.509 attribute certificate in hours.  If neither
              the --hours nor the --days option is specified then a default
              validity interval of 24 hours is assumed.  The --hours option
              can be combined with the --days option.

       --startdate YYYYMMDDHHMMSSZ
              defines the notBefore date when the X.509 attribute  certificate
              becomes valid.  The date YYYYMMDDHHMMSS must be specified in UTC
              (Zulu time).  If the --startdate option is  not  specified  then
              the current date is taken as a default.

       --stopdate YYYYMMDDHHMMSSZ
              defines the notAfter date when the X.509 attribute certificate
              will expire.  The date YYYYMMDDHHMMSS must be specified in UTC
              (Zulu time).  If the --stopdate option is not specified then the
              default notAfter value is computed by adding the validity
              interval specified by the --days and/or --hours options to the
              notBefore date.

       --cert certfile
              specifies the file  containing  the  X.509  certificate  of  the
              Authorization  Authority.   The  certificate is stored either in
              PEM or DER format.

       --key keyfile
              specifies the encrypted file containing the private RSA key of
              the Authorization Authority.  The private key is stored in
              PKCS#1 format.

       --password password
              specifies the  password  with  which  the  private  RSA  keyfile
              defined by the --key option has been protected. If the option is
              missing then the password is prompted for on the command line.

       --usercert certfile
              specifies the file containing the X.509 certificate of the user
              to which the generated attribute certificate will apply.  The
              certificate file is stored either in PEM or DER format.

       --groups attr1,attr2
              specifies a comma-separated list of group attributes  that  will
              go into the X.509 attribute certificate.

       --out filename
              specifies the file in which the generated X.509 attribute
              certificate will be stored.
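       As an added illustration (not part of this man page and not strongSwan's
       own code), the following Python models the validity rules that the
       --days, --hours, --startdate and --stopdate options describe above:
       notBefore defaults to the current UTC time, notAfter defaults to
       notBefore plus the combined --days/--hours interval (24 hours when
       neither is given), and an explicit --stopdate overrides that.  Function
       and variable names are the example's own; the refusal of an empty or
       inverted window is a check added here, not documented openac behaviour.

```python
from datetime import datetime, timedelta, timezone

# Added example modelling the documented option rules; not strongSwan code.
DEFAULT_VALIDITY = timedelta(hours=24)   # used when neither --days nor --hours is given
ZULU = "%Y%m%d%H%M%S"                     # YYYYMMDDHHMMSS, followed by a literal 'Z'

def parse_zulu(value):
    """Parse a --startdate/--stopdate argument of the form YYYYMMDDHHMMSSZ (UTC)."""
    if len(value) != 15 or value[-1] != "Z" or not value[:14].isdigit():
        raise ValueError("expected YYYYMMDDHHMMSSZ in UTC (Zulu time), got %r" % (value,))
    return datetime.strptime(value[:14], ZULU).replace(tzinfo=timezone.utc)

def to_zulu(moment):
    """Format an aware datetime back into YYYYMMDDHHMMSSZ (UTC)."""
    return moment.astimezone(timezone.utc).strftime(ZULU) + "Z"

def validity_window(days=None, hours=None, startdate=None, stopdate=None, now=None):
    """Return (notBefore, notAfter) for the given option values.

    now is injectable so the default notBefore (the current UTC time) is testable.
    """
    not_before = parse_zulu(startdate) if startdate else (now or datetime.now(timezone.utc))
    if stopdate:
        not_after = parse_zulu(stopdate)            # an explicit --stopdate wins
    elif days is None and hours is None:
        not_after = not_before + DEFAULT_VALIDITY   # neither option given: 1 day / 24 hours
    else:
        # --days and --hours may be combined; an absent option contributes nothing
        not_after = not_before + timedelta(days=days or 0, hours=hours or 0)
    # Check added by this example: an empty or inverted window would produce a
    # certificate that is never valid, so refuse it before anything is signed.
    if not_after <= not_before:
        raise ValueError("notAfter %s is not later than notBefore %s"
                         % (to_zulu(not_after), to_zulu(not_before)))
    return not_before, not_after

if __name__ == "__main__":
    nb, na = validity_window(days=1, hours=12, startdate="20070922120000Z")
    print("notBefore", to_zulu(nb), "notAfter", to_zulu(na))
```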

   Debugging
       openac produces a prodigious amount of debugging  information.   To  do
       so,  it  must  be  compiled with -DDEBUG.  There are several classes of
       debugging output, and openac may be directed to produce a selection  of
       them.   All  lines  of  debugging  output  are  prefixed with ``| '' to
       distinguish them from error messages.

       When openac is invoked, it may be  given  arguments  to  specify  which
       classes to output.  The current options are:

       --debug level
              sets the debug level to 0 (none), 1 (normal), 2 (more), 3 (raw),
              and 4 (private), the default level being 1.

EXIT STATUS

       The execution of openac terminates with one of the following  two  exit
       codes:

       0      means  that the attribute certificate was successfully generated
              and stored.

       1      means that something went wrong.

FILES

       /etc/openac/serial   serial number of latest attribute certificate

SEE ALSO

       The X.509 attribute certificates generated with openac can be  used  to
       enforce  group  policies defined by ipsec.conf(5). Use ipsec_auto(8) to
       load and list X.509 attribute certificates.

       For more information on X.509  attribute  certificates,  refer  to  the
       following IETF RFC:

              RFC   3281   An   Internet  Attribute  Certificate  Profile  for
              Authorization

HISTORY

       The openac program was originally written by  Ariane  Seiler  and  Ueli
       Galizzi.    The   software   was   recoded  by  Andreas  Steffen  using
       strongSwan's X.509 library  and  the  ASN.1  code  synthesis  functions
       written  by  Christoph  Gysin  and Christoph Zwahlen.  All authors were
       with  the  Zurich  University  of  Applied  Sciences   in   Winterthur,
       Switzerland.

BUGS

       Bugs  should  be  reported  to the <users@lists.strongswan.org> mailing
       list.

                               22 September 2007               IPSEC_OPENAC(8)