--- /dev/null
+<?xml version="1.0" encoding="UTF-8"?>
+<wsdl:definitions
+ targetNamespace="http://www.gridsite.org/namespaces/delegation-1"
+ xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
+ xmlns:wsdlsoap="http://schemas.xmlsoap.org/wsdl/soap/"
+ xmlns:tns="http://www.gridsite.org/namespaces/delegation-1"
+ xmlns:xsd="http://www.w3.org/2001/XMLSchema">
+ <wsdl:types>
+ <xsd:schema targetNamespace="http://www.gridsite.org/namespaces/delegation-1">
+ <xsd:complexType name="DelegationExceptionType">
+ <xsd:sequence>
+ <xsd:element name="message" type="xsd:string" nillable="true">
+ <xsd:annotation>
+ <xsd:documentation>
+ The cause of the delegation exception on the server side.
+ </xsd:documentation>
+ </xsd:annotation>
+ </xsd:element>
+ </xsd:sequence>
+ </xsd:complexType>
+ <xsd:element name="DelegationException" type="tns:DelegationExceptionType"/>
+ <xsd:complexType name="NewProxyReq">
+ <xsd:annotation>
+ <xsd:documentation>
+ New proxy certificate request, containing the certificate
+ request and a generated delegation ID.
+ </xsd:documentation>
+ </xsd:annotation>
+ <xsd:sequence>
+ <xsd:element name="proxyRequest" nillable="true" type="xsd:string">
+ <xsd:annotation>
+ <xsd:documentation>
+ The new RFC 3280 style proxy certificate request
+ in PEM format with Base64 encoding.
+ </xsd:documentation>
+ </xsd:annotation>
+ </xsd:element>
+ <xsd:element name="delegationID" nillable="true" type="xsd:string">
+ <xsd:annotation>
+ <xsd:documentation>
+ The ID associated with the new delegation session.
+ </xsd:documentation>
+ </xsd:annotation>
+ </xsd:element>
+ </xsd:sequence>
+ </xsd:complexType>
+ </xsd:schema>
+ </wsdl:types>
+
+ <wsdl:message name="getProxyReqRequest">
+ <wsdl:part name="delegationID" type="xsd:string">
+ <wsdl:documentation>
+ The ID of the new delegation session, specified by the client.
+ The ID can be empty.
+ </wsdl:documentation>
+ </wsdl:part>
+ </wsdl:message>
+ <wsdl:message name="getProxyReqResponse">
+ <wsdl:part name="getProxyReqReturn" type="xsd:string">
+ <wsdl:documentation>
+ The new RFC 3280 style proxy certificate request
+ in PEM format with Base64 encoding.
+ </wsdl:documentation>
+ </wsdl:part>
+ </wsdl:message>
+
+ <wsdl:message name="putProxyRequest">
+ <wsdl:part name="delegationID" type="xsd:string">
+ <wsdl:documentation>
+ The ID of an already existing delegation session,
+ initiated by getProxyReq() or getNewProxyReq().
+ </wsdl:documentation>
+ </wsdl:part>
+ <wsdl:part name="proxy" type="xsd:string">
+ <wsdl:documentation>
+ RFC 3280 style proxy certificate, signed by the
+ client, in PEM format with Base64 encoding.
+ </wsdl:documentation>
+ </wsdl:part>
+ </wsdl:message>
+ <wsdl:message name="putProxyResponse"/>
+
+ <wsdl:message name="renewProxyReqRequest">
+ <wsdl:part name="delegationID" type="xsd:string">
+ <wsdl:documentation>
+ The ID of an already existing delegation session,
+ where the client wants to renew the delegated
+ credential.
+ </wsdl:documentation>
+ </wsdl:part>
+ </wsdl:message>
+ <wsdl:message name="renewProxyReqResponse">
+ <wsdl:part name="renewProxyReqReturn" type="xsd:string">
+ <wsdl:documentation>
+ The new RFC 3280 style proxy certificate request,
+ which is to replace the existing one,
+ in PEM format with Base64 encoding.
+ </wsdl:documentation>
+ </wsdl:part>
+ </wsdl:message>
+
+ <wsdl:message name="getNewProxyReqRequest"/>
+ <wsdl:message name="getNewProxyReqResponse">
+ <wsdl:part name="getNewProxyReqReturn" type="tns:NewProxyReq">
+ <wsdl:documentation>
+ The server side generated ID of the new delegation
+ session and the new RFC 3280 style proxy certificate
+ request in PEM format with Base64 encoding.
+ </wsdl:documentation>
+ </wsdl:part>
+ </wsdl:message>
+
+ <wsdl:message name="getTerminationTimeRequest">
+ <wsdl:part name="delegationID" type="xsd:string">
+ <wsdl:documentation>
+ The ID of an already existing delegation session to be queried.
+ </wsdl:documentation>
+ </wsdl:part>
+ </wsdl:message>
+ <wsdl:message name="getTerminationTimeResponse">
+ <wsdl:part name="getTerminationTimeReturn" type="xsd:dateTime">
+ <wsdl:documentation>
+ The date and time when the delegated credentials will expire.
+ </wsdl:documentation>
+ </wsdl:part>
+ </wsdl:message>
+
+ <wsdl:message name="destroyRequest">
+ <wsdl:part name="delegationID" type="xsd:string">
+ <wsdl:documentation>
+ The ID of an already existing delegation session to be destroyed.
+ </wsdl:documentation>
+ </wsdl:part>
+ </wsdl:message>
+ <wsdl:message name="destroyResponse"/>
+
+ <wsdl:message name="DelegationException">
+ <wsdl:part name="fault" element="tns:DelegationException"/>
+ </wsdl:message>
+
+ <wsdl:portType name="Delegation">
+ <wsdl:documentation>
+ Delegation interface.
+ </wsdl:documentation>
+
+ <wsdl:operation name="getProxyReq" parameterOrder="delegationID">
+ <wsdl:documentation>
+ <para>
+ Starts the delegation procedure by asking for a certificate
+ signing request from the server. The server answers with a
+ certificate signing request which includes the public key
+ for the new delegated credentials. putProxy() has to be
+ called to finish the procedure.
+ </para>
+ <orderedlist>
+ <listitem><para>
+ Check if a delegation ID was provided. If not, generate a delegation
+ id by hashing the client DN and client VOMS attributes.
+ </para></listitem>
+ <listitem><para>
+ Check if the delegation ID already exists in the
+ <emphasis>storage-area</emphasis>. If it does
+ (a credential renewal is happening), check
+ existing info (DN and VOMS attributes) against client info.
+ Throw exception if they do not match.
+ </para></listitem>
+ <listitem><para>
+ Create a new private/public key-pair (see also <emphasis>Key
+ Generation Semantics</emphasis>).
+ </para></listitem>
+ <listitem><para>
+ Generate a new proxy certificate request.
+ </para></listitem>
+ <listitem><para>
+ Store private key and cert request in
+ <emphasis>storage-cache-area</emphasis>, along with the
+ requesting DN and VOMS attributes.
+ </para></listitem>
+ </orderedlist>
+ </wsdl:documentation>
+ <wsdl:input message="tns:getProxyReqRequest" name="getProxyReqRequest"/>
+ <wsdl:output message="tns:getProxyReqResponse" name="getProxyReqResponse"/>
+ <wsdl:fault message="tns:DelegationException" name="DelegationException">
+ <wsdl:documentation>
+ The client's DN and VOMS attributes do not match the stored ones,
+ i.e. the client is not authorized.
+ </wsdl:documentation>
+ </wsdl:fault>
+ </wsdl:operation>
+
+ <wsdl:operation name="getNewProxyReq">
+ <wsdl:documentation>
+ <para>
+ Starts the delegation procedure by asking for a certificate
+ signing request from the server. The server answers with a
+ certificate signing request which includes the public key
+ for the new delegated credentials. putProxy() has to be
+ called to finish the procedure.
+ </para>
+ <orderedlist>
+ <listitem><para>
+ Generate a delegation
+ ID by hashing the client DN and client VOMS attributes.
+ </para></listitem>
+ <listitem><para>
+ Check if the delegation ID already exists in the
+ <emphasis>storage-area</emphasis>. If it does, check
+ existing info (DN and VOMS attributes) against client info.
+ Throw exception if they do not match, because then this is
+ the rare case of hash collision, i.e. two different clients
+ are mapped to the same delegation ID.
+ </para></listitem>
+ <listitem><para>
+ Create a new private/public key-pair (see also <emphasis>Key
+ Generation Semantics</emphasis>).
+ </para></listitem>
+ <listitem><para>
+ Generate a new certificate request.
+ </para></listitem>
+ <listitem><para>
+ Store private key and cert request in
+ <emphasis>storage-cache-area</emphasis>, along with the
+ requesting DN and VOMS attributes.
+ </para></listitem>
+ </orderedlist>
+ </wsdl:documentation>
+ <wsdl:input message="tns:getNewProxyReqRequest" name="getNewProxyReqRequest"/>
+ <wsdl:output message="tns:getNewProxyReqResponse" name="getNewProxyReqResponse"/>
+ <wsdl:fault message="tns:DelegationException" name="DelegationException">
+ <wsdl:documentation>
+ There were already credentials associated to the delegation ID.
+ </wsdl:documentation>
+ </wsdl:fault>
+ </wsdl:operation>
+
+ <wsdl:operation name="putProxy" parameterOrder="delegationID proxy">
+ <wsdl:documentation>
+ <para>
+ Finishes the delegation procedure by sending the signed
+ proxy certificate to the server.
+ </para>
+ <orderedlist>
+ <listitem><para>
+ Check if a delegation ID was provided. If not, generate a
+ delegation id by hashing the client DN and client VOMS
+ attributes.
+ </para></listitem>
+ <listitem><para>
+ Check if the delegation ID already exists in the
+ <emphasis>storage-area</emphasis>. If it does, check
+ existing info (DN and VOMS attributes) against client info.
+ Throw exception if it does not match.
+ </para></listitem>
+ <listitem><para>
+ Check, if client information matches proxy information.
+ </para></listitem>
+ <listitem><para>
+ Check given proxy against private key of delegation ID in
+ <emphasis>storage-cache-area</emphasis>. If they do not
+ match, throw exception.
+ </para></listitem>
+ <listitem><para>
+ Store proxy in <emphasis>storage-area</emphasis>
+ and clean up the <emphasis>storage-cache-area</emphasis>.
+ </para></listitem>
+ </orderedlist>
+ </wsdl:documentation>
+ <wsdl:input message="tns:putProxyRequest" name="putProxyRequest"/>
+ <wsdl:output message="tns:putProxyResponse" name="putProxyResponse"/>
+ <wsdl:fault message="tns:DelegationException" name="DelegationException">
+ <wsdl:documentation>
+ <para>
+ There were no cached credentials associated to the delegation ID
+ (neither <link linkend="Delegation.getNewProxyReq">
+ getNewProxyReq()</link> nor
+ <link linkend="Delegation.renewProxyReq">
+ renewProxyReq()</link> was called previously),
+ or the client's DN and VOMS attributes do not match the stored ones,
+ i.e. the client is not authorized.
+ </para>
+ </wsdl:documentation>
+ </wsdl:fault>
+ </wsdl:operation>
+
+ <wsdl:operation name="renewProxyReq" parameterOrder="delegationID">
+ <wsdl:documentation>
+ <para>
+ Restarts the delegation procedure by asking for a certificate
+ signing request from the server for an already existing delegation ID.
+ The server answers with a certificate signing request which includes
+ the public key for new delegated credentials. putProxy() has to be
+ called to finish the procedure.
+ </para>
+ <orderedlist>
+ <listitem><para>
+ Check if a delegation ID was provided. If not, generate a delegation
+ id by hashing the client DN and client VOMS attributes.
+ </para></listitem>
+ <listitem><para>
+ Check if the delegation ID already exists in the
+ <emphasis>storage-area</emphasis>. If it does
+ not, then throw an exception.
+ </para></listitem>
+ <listitem><para>
+ Check if the existing info (DN and VOMS attributes) against client info.
+ Throw exception if they do not match.
+ </para></listitem>
+ <listitem><para>
+ Create a new private/public key-pair (see also <emphasis>Key
+ Generation Semantics</emphasis>).
+ </para></listitem>
+ <listitem><para>
+ Generate a new certificate request.
+ </para></listitem>
+ <listitem><para>
+ Store private key and cert request in
+ <emphasis>storage-cache-area</emphasis>, along with the
+ requesting DN and VOMS attributes.
+ </para></listitem>
+ </orderedlist>
+ </wsdl:documentation>
+ <wsdl:input message="tns:renewProxyReqRequest" name="renewProxyReqRequest"/>
+ <wsdl:output message="tns:renewProxyReqResponse" name="renewProxyReqResponse"/>
+ <wsdl:fault message="tns:DelegationException" name="DelegationException">
+ <wsdl:documentation>
+ There were no credentials associated to the delegation ID, or the
+ client's DN and VOMS attributes do not match the stored ones, i.e.
+ the client is not authorized.
+ </wsdl:documentation>
+ </wsdl:fault>
+ </wsdl:operation>
+
+ <wsdl:operation name="getTerminationTime" parameterOrder="delegationID">
+ <wsdl:documentation>
+ Returns the termination (expiration) date and time of the credential,
+ associated with the given delegaion ID. If there was no delegation ID,
+ then generate one by hashing the client DN and client VOMS attributes.
+ </wsdl:documentation>
+ <wsdl:input message="tns:getTerminationTimeRequest" name="getTerminationTimeRequest"/>
+ <wsdl:output message="tns:getTerminationTimeResponse" name="getTerminationTimeResponse"/>
+ <wsdl:fault message="tns:DelegationException" name="DelegationException">
+ <wsdl:documentation>
+ There were no credentials associated to the delegation ID, or the
+ client's DN and VOMS attributes do not match the stored ones, i.e.
+ the client is not authorized.
+ </wsdl:documentation>
+ </wsdl:fault>
+ </wsdl:operation>
+
+
+ <wsdl:operation name="destroy" parameterOrder="delegationID">
+ <wsdl:documentation>
+ Destroys the delegated credentials associated with the
+ given delegation ID immediately. If there was no delegation ID,
+ then generate one by hashing the client DN and client VOMS attributes.
+ </wsdl:documentation>
+ <wsdl:input message="tns:destroyRequest" name="destroyRequest"/>
+ <wsdl:output message="tns:destroyResponse" name="destroyResponse"/>
+ <wsdl:fault message="tns:DelegationException" name="DelegationException">
+ <wsdl:documentation>
+ There were no credentials associated to the delegation ID, or the
+ client's DN and VOMS attributes do not match the stored ones, i.e.
+ the client is not authorized.
+ </wsdl:documentation>
+ </wsdl:fault>
+ </wsdl:operation>
+
+ </wsdl:portType>
+
+ <wsdl:binding name="DelegationSoapBinding" type="tns:Delegation">
+ <wsdlsoap:binding style="rpc" transport="http://schemas.xmlsoap.org/soap/http"/>
+
+ <wsdl:operation name="getProxyReq">
+ <wsdlsoap:operation soapAction=""/>
+ <wsdl:input name="getProxyReqRequest">
+ <wsdlsoap:body namespace="http://www.gridsite.org/namespaces/delegation-1" use="literal"/>
+ </wsdl:input>
+ <wsdl:output name="getProxyReqResponse">
+ <wsdlsoap:body namespace="http://www.gridsite.org/namespaces/delegation-1" use="literal"/>
+ </wsdl:output>
+ <wsdl:fault name="DelegationException">
+ <wsdlsoap:fault name="DelegationException" use="literal"/>
+ </wsdl:fault>
+ </wsdl:operation>
+
+ <wsdl:operation name="getNewProxyReq">
+ <wsdlsoap:operation soapAction=""/>
+ <wsdl:input name="getNewProxyReqRequest">
+ <wsdlsoap:body namespace="http://www.gridsite.org/namespaces/delegation-1" use="literal"/>
+ </wsdl:input>
+ <wsdl:output name="getNewProxyReqResponse">
+ <wsdlsoap:body namespace="http://www.gridsite.org/namespaces/delegation-1" use="literal"/>
+ </wsdl:output>
+ <wsdl:fault name="DelegationException">
+ <wsdlsoap:fault name="DelegationException" use="literal"/>
+ </wsdl:fault>
+ </wsdl:operation>
+
+ <wsdl:operation name="renewProxyReq">
+ <wsdlsoap:operation soapAction=""/>
+ <wsdl:input name="renewProxyReqRequest">
+ <wsdlsoap:body namespace="http://www.gridsite.org/namespaces/delegation-1" use="literal"/>
+ </wsdl:input>
+ <wsdl:output name="renewProxyReqResponse">
+ <wsdlsoap:body namespace="http://www.gridsite.org/namespaces/delegation-1" use="literal"/>
+ </wsdl:output>
+ <wsdl:fault name="DelegationException">
+ <wsdlsoap:fault name="DelegationException" use="literal"/>
+ </wsdl:fault>
+ </wsdl:operation>
+
+ <wsdl:operation name="putProxy">
+ <wsdlsoap:operation soapAction=""/>
+ <wsdl:input name="putProxyRequest">
+ <wsdlsoap:body namespace="http://www.gridsite.org/namespaces/delegation-1" use="literal"/>
+ </wsdl:input>
+ <wsdl:output name="putProxyResponse">
+ <wsdlsoap:body namespace="http://www.gridsite.org/namespaces/delegation-1" use="literal"/>
+ </wsdl:output>
+ <wsdl:fault name="DelegationException">
+ <wsdlsoap:fault name="DelegationException" use="literal"/>
+ </wsdl:fault>
+ </wsdl:operation>
+
+ <wsdl:operation name="getTerminationTime">
+ <wsdlsoap:operation soapAction=""/>
+ <wsdl:input name="getTerminationTimeRequest">
+ <wsdlsoap:body namespace="http://www.gridsite.org/namespaces/delegation-1" use="literal"/>
+ </wsdl:input>
+ <wsdl:output name="getTerminationTimeResponse">
+ <wsdlsoap:body namespace="http://www.gridsite.org/namespaces/delegation-1" use="literal"/>
+ </wsdl:output>
+ <wsdl:fault name="DelegationException">
+ <wsdlsoap:fault name="DelegationException" use="literal"/>
+ </wsdl:fault>
+ </wsdl:operation>
+
+ <wsdl:operation name="destroy">
+ <wsdlsoap:operation soapAction=""/>
+ <wsdl:input name="destroyRequest">
+ <wsdlsoap:body namespace="http://www.gridsite.org/namespaces/delegation-1" use="literal"/>
+ </wsdl:input>
+ <wsdl:output name="destroyResponse">
+ <wsdlsoap:body namespace="http://www.gridsite.org/namespaces/delegation-1" use="literal"/>
+ </wsdl:output>
+ <wsdl:fault name="DelegationException">
+ <wsdlsoap:fault name="DelegationException" use="literal"/>
+ </wsdl:fault>
+ </wsdl:operation>
+
+ </wsdl:binding>
+
+ <wsdl:service name="DelegationService">
+ <wsdl:port binding="tns:DelegationSoapBinding" name="gridsite-delegation">
+ <wsdlsoap:address location="https://localhost:8443/glite-security-delegation"/>
+ </wsdl:port>
+ </wsdl:service>
+
+</wsdl:definitions>
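Review bot: The putProxy fault documentation names only getNewProxyReq() and renewProxyReq() as the calls that must precede putProxy(), yet the putProxyRequest part documentation ("initiated by getProxyReq() or getNewProxyReq()") and the getProxyReq operation itself establish that getProxyReq() also opens a session, so an implementer reading the fault text alone would conclude the getProxyReq→putProxy path is invalid. I would change the parenthetical to `(neither getProxyReq(), getNewProxyReq() nor renewProxyReq() was called previously)`, keeping the existing `<link>` elements and adding one with `linkend="Delegation.getProxyReq"`. In the same documentation, "delegaion ID" in the getTerminationTime description should read "delegation ID", and renewProxyReq step 3 is missing its verb and should read "Check the existing info (DN and VOMS attributes) against client info." The `wsdlsoap:address` on the gridsite-delegation port is a localhost placeholder; a short `<wsdl:documentation>` on the port stating that the location is substituted at deployment time would stop generated client stubs from being shipped with that endpoint baked in.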
--- /dev/null
+.TH HTPROXYPUT 1 "March 2006" "htproxyput" "GridSite Manual"
+.SH NAME
+.B htproxyput, htproxydestroy, htproxytime, htproxyunixtime, htproxyrenew
+\- GSI proxy delegations and querying, using GridSite/gLite delegation API
+.SH SYNOPSIS
+.B htproxyput, htproxydestroy, htproxytime, htproxyunixtime, htproxyrenew
+[options] Service-URL
+
+.SH DESCRIPTION
+.B htproxyput
+is a client to perform GSI proxy delegations using the GridSite/gLite
+delegation Web Service portType. The gridsite-delegation(8) CGI program is
+the complementary server-side implementation.
+
+.SH OPTIONS
+.IP "-v/--verbose"
+Turn on debugging information.
+
+.IP "--delegation-id <ID>"
+Explicitly specify the Delegation ID to use.
+
+.IP "--destroy"
+Instead of delegating a proxy, delete the proxy from the service's proxy
+cache. Calling the program as htproxydestroy has the same effect.
+
+.IP "--time"
+Instead of delegating a proxy, report the expiration time of the proxy,
+in the local time of the client. Calling the program as htproxytime has the
+same effect.
+
+.IP "--unixtime"
+Instead of delegating a proxy, report the expiration time of the proxy, as
+the number of seconds since 00:00:00 1970-01-01 UTC. Calling the program as
+htproxyunixtime has the same effect.
+
+.IP "--renew"
+Delegate an updated version of an existing proxy. The Delegation ID
+.B must
+be given when using this option. Calling the program as htproxyrenew has the
+same effect.
+
+.IP "--cert <X.509 cert path> and --key <X.509 key path>"
+Path to the PEM-encoded
+X.509 or GSI Proxy user certificate and key to use for HTTPS
+connections, intead of "anonymous mode." If only one of --key or --cert
+is given, then that will be tried for both. If neither is given, then the
+following order of precedence is used:
+the file name held by the variable X509_USER_PROXY; the file
+/tmp/x509up_uID (with Unix UID equal to ID); the file names held by
+X509_USER_CERT / X509_USER_KEY; the files ~/.globus/usercert.pem and
+~/.globus/userkey.pem (where ~/ is the home directory of the user.)
+
+.IP "--capath <X.509 CA root certs directory or file>"
+Path to the PEM-encoded CA root certificates to use when
+verifying remote servers' host certificates in HTTPS connections. Ideally
+this should be a directory of hash.0 files as described in the OpenSSL
+verify(1) man page, but a file may be used instead. If --capath is not
+given, the value of the environment variable X509_CERT_DIR will be tried.
+If this is not valid, then /etc/grid-security/certificates will be used.
+
+.IP "--no-verify"
+Do not use CA root certificates to verify remote servers' host certificates.
+This is useful for testing sites before their certificate is set up properly,
+but leaves you vulnerable to "man in the middle" attacks by hostile servers
+masquerading as your target.
+
+.SH FILES
+.IP /tmp/x509up_uID
+Default GSI Proxy file for Unix UID equal to ID.
+
+.IP /etc/grid-security/certificates
+Default location for trusted Certification Authority root certificates to use
+when checking server certificates.
+
+.IP /tmp/.ca-roots-XXXXXX
+Prior to 7.9.8, the underlying curl library did not support the CA root
+certificates directory.
+If built with an old version of libcurl, htproxyput will concatenate the
+certificates in the CA roots directory into a unique temporary file and use
+that.
+
+.SH ENVIRONMENT
+
+.IP X509_CERT_DIR
+Holds directory to search for Certification Authority root certificates when
+verifying server certificates. (Tried if --capath is not given on the
+command line.)
+
+.IP X509_USER_PROXY
+Holds file name of a GSI Proxy to use as user certificate. (Tried if --cert or
+--key are not given on the command line.)
+
+.IP "X509_USER_CERT and X509_USER_KEY"
+Holds file name of X.509 user certificate and key. (Tried if X509_USER_PROXY
+is not valid.)
+
+.SH EXIT CODES
+0 is returned on complete success, and non-zero on error.
+
+.SH TO DO
+Better error recovery.
+
+.SH AUTHOR
+Andrew McNab <Andrew.McNab@manchester.ac.uk>
+
+htproxyput is part of GridSite: http://www.gridsite.org/
+.SH "SEE ALSO"
+.BR htcp(1),
+.BR gridsite-delegation(8)