This information is for a release that is no longer supported by the Globus Toolkit. The currently supported versions of the Globus Toolkit are 4.2 (recommended) and 4.0.

CAS: User's Guide

Overview
Generating CAS credentials (cas-proxy-init)
Using CAS credentials (cas-wrap)
CAS Service Data
Writing CAS clients
Performance Measurements

Generating CAS credentials (cas-proxy-init)

The syntax of the cas-proxy-init program is:

cas-proxy-init [ options ] [ -t tag | -p proxyfile ]

This program contacts the CAS server, obtains a credential, and places that credential into a file. If "-p proxyfile" is used, the credential is placed in the file named proxyfile; if "-t tag" is used, cas-proxy-init chooses a filename based on the value of tag.

The environment variable GLOBUS_LOCATION needs to be set to point to the GT3.2 install location. If CAS clients have been deployed, this script is placed in GLOBUS_LOCATION/bin; that directory needs to be added to the PATH for the command to be executed from other locations.

The other options that can be used with cas-proxy-init are:

-c url

Contact URL for the CAS server. This typically looks like http://GT3Host:GT3Port/ogsa/services/base/cas/CASService, where GT3Host and GT3Port are the host and port on which the container with the CAS service is running.

-s server_identity

When doing mutual authentication with the CAS server, expect server_identity as the remote identity.

-f policy_file

Generate a CAS credential that includes only those permissions specified in file policy_file (the default is to generate a credential with all the user's permissions).

-l hours

Generate a credential that will time out after the given number of hours. This is a request for a lifetime; the CAS server may have a configured maximum assertion lifetime, which will be enforced.

The cas-proxy-init program also consults environment variables to determine the appropriate URL to connect to and the server identity to expect. The URL is determined using this algorithm:

  • If the -c option was specified, use the URL specified with that option.
  • Otherwise, if the CAS_SERVER_URL environment variable is set, use the value of that variable as the URL.

The server identity is determined in a similar fashion:

  • If the -s option was specified, use the identity specified with that option.
  • Otherwise, if the CAS_SERVER_IDENTITY environment variable is set, use the value of that variable as the expected server identity.
  • If neither is set, host authorization is done and the expected server credential is cas/ followed by the fully qualified domain name of the host on which the CAS service is running.
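The resolution order above, written out as a small Python function. This is an added example, not part of the Globus Toolkit: the argument names cli_url and cli_identity stand in for the -c and -s options, and the function assumes that the host name used for host authorization is the host named in the contact URL and that having no URL at all is an error (neither point is stated by the guide).

```python
import os
from typing import Mapping, Optional, Tuple
from urllib.parse import urlparse

# Example code added here, not part of the Globus Toolkit; it mirrors the
# precedence the guide describes for cas-proxy-init's -c/-s options and the
# CAS_SERVER_URL / CAS_SERVER_IDENTITY environment variables.


def resolve_cas_server(
    cli_url: Optional[str] = None,
    cli_identity: Optional[str] = None,
    env: Optional[Mapping[str, str]] = None,
) -> Tuple[str, str]:
    """Return (contact_url, expected_server_identity).

    cli_url and cli_identity stand for the -c and -s options; env defaults to
    os.environ so the function can also be called with a constructed mapping.
    """
    if env is None:
        env = os.environ

    # URL: -c first, then CAS_SERVER_URL. The guide does not say what happens
    # when neither is set; this example treats that as an error (an assumption).
    url = cli_url or env.get("CAS_SERVER_URL")
    if not url:
        raise ValueError("no CAS server URL: pass -c or set CAS_SERVER_URL")

    # Identity: -s first, then CAS_SERVER_IDENTITY, then host authorization,
    # i.e. expect "cas/" followed by the FQDN of the host running the service.
    identity = cli_identity or env.get("CAS_SERVER_IDENTITY")
    if not identity:
        # Assumption: the host in the contact URL is the host running CAS.
        host = urlparse(url).hostname
        if not host:
            raise ValueError(f"cannot derive the CAS host name from URL {url!r}")
        identity = "cas/" + host
    return url, identity


if __name__ == "__main__":
    # Constructed sample values, not a real deployment.
    sample_url = "http://cas.example.org:8080/ogsa/services/base/cas/CASService"
    print(resolve_cas_server(sample_url, env={}))
```

Setting -s or CAS_SERVER_IDENTITY pins the identity the client will accept during mutual authentication; with the host-authorization fallback the expectation is only as specific as the host name in the URL, so a misconfigured URL silently changes which server credential is accepted.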

Getting specific CAS rights

It is possible to request specific permissions from the CAS server using the -f option. This option causes cas-proxy-init to read a set of requested rights from a file.

This file should contain one or more resource identifiers:

Resource: ResourceNamespace|ResourceName

For each resource, one or more action identifiers, each giving a service type and an action:

serviceType action

For example, if the client needs assertions for the "file/read" service/action on the resources "ftp://sample1.org" and "ftp://sample3.org", both in "FTPNamespace", and for the "directory/read" and "directory/write" actions on the former resource only, the policy file should have the following entries:

Resource: FTPNamespace|ftp://sample1.org
file read
directory read
directory write
Resource: FTPNamespace|ftp://sample3.org
file read

To indicate any resource, the following wildcard notation should be used:

uri:samlResourceWildcard 

To indicate any action, the following wildcard notation for serviceType and action should be used. Note that this wildcard pair must be the first (and therefore the only) action in the list of actions specified for the resource: all other actions in the list are ignored, and if the pair is not the first entry it is not treated as a wildcard:

uri:samlActionNSWildcard
uri:samlActionWildcard

For example, if the client needs assertions for all resources and all actions the policy file should look like:

Resource: uri:samlResourceWildcard
uri:samlActionNSWildcard uri:samlActionWildcard

If the client needs assertions for all actions on resource "FTPNamespace|ftp://sample1.org", the policy file should be as follows:

Resource: FTPNamespace|ftp://sample1.org
uri:samlActionNSWildcard uri:samlActionWildcard
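A parser for the policy file format described in this section, added here as an example; it is not the Globus Toolkit's own code. It assumes the file is whitespace-tokenized (so it accepts both the one-entry-per-line and run-together layouts shown above) and that a resource identifier is written ResourceNamespace|ResourceName with no spaces around the bar; the ResourceRequest type and the covers() helper are this example's own names. It implements the wildcard rules stated above: the resource wildcard matches any resource, and the action wildcard pair counts only when it is the first action of a resource, in which case any further actions are ignored; if it appears later it is kept as a literal entry.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Added example, not the Globus Toolkit's own parser. Assumptions: the policy
# file is a sequence of whitespace-separated tokens, and a resource identifier
# is written ResourceNamespace|ResourceName with no spaces around the bar.

RESOURCE_WILDCARD = "uri:samlResourceWildcard"
ACTION_NS_WILDCARD = "uri:samlActionNSWildcard"
ACTION_WILDCARD = "uri:samlActionWildcard"


@dataclass
class ResourceRequest:
    namespace: str                     # "" when the resource wildcard is used
    name: str                          # ResourceName, or RESOURCE_WILDCARD
    actions: List[Tuple[str, str]] = field(default_factory=list)  # (serviceType, action)
    all_actions: bool = False          # True when the action wildcard pair came first

    @property
    def any_resource(self) -> bool:
        return self.name == RESOURCE_WILDCARD


def parse_policy_file(text: str) -> List[ResourceRequest]:
    """Parse the rights file given to cas-proxy-init -f into ResourceRequest records."""
    tokens = text.split()
    if not tokens or tokens[0] != "Resource:":
        raise ValueError("policy file must start with a 'Resource:' entry")
    requests: List[ResourceRequest] = []
    i = 0
    while i < len(tokens):
        # tokens[i] is "Resource:"; the next token is the resource identifier.
        if i + 1 >= len(tokens):
            raise ValueError("'Resource:' without a resource identifier")
        ident = tokens[i + 1]
        i += 2
        # Collect serviceType/action pairs up to the next "Resource:" entry.
        pairs: List[Tuple[str, str]] = []
        while i < len(tokens) and tokens[i] != "Resource:":
            if i + 1 >= len(tokens) or tokens[i + 1] == "Resource:":
                raise ValueError(f"serviceType {tokens[i]!r} for {ident} has no action")
            pairs.append((tokens[i], tokens[i + 1]))
            i += 2
        if not pairs:
            raise ValueError(f"resource {ident} lists no actions")
        if ident == RESOURCE_WILDCARD:
            namespace, name = "", ident
        elif "|" in ident:
            namespace, name = ident.split("|", 1)
        else:
            raise ValueError(f"resource {ident!r} is not ResourceNamespace|ResourceName")
        req = ResourceRequest(namespace, name)
        if pairs[0] == (ACTION_NS_WILDCARD, ACTION_WILDCARD):
            req.all_actions = True     # later entries are ignored, per the guide
        else:
            req.actions = pairs        # a wildcard pair that is not first stays literal
        requests.append(req)
    return requests


def covers(requests: List[ResourceRequest], namespace: str, name: str,
           service_type: str, action: str) -> bool:
    """Would the requested rights include this action on this resource?"""
    for req in requests:
        if not req.any_resource and (req.namespace, req.name) != (namespace, name):
            continue
        if req.all_actions or (service_type, action) in req.actions:
            return True
    return False


# Constructed sample: the guide's two-resource example, one entry per line.
SAMPLE_POLICY = """\
Resource: FTPNamespace|ftp://sample1.org
file read
directory read
directory write
Resource: FTPNamespace|ftp://sample3.org
file read
"""

if __name__ == "__main__":
    for req in parse_policy_file(SAMPLE_POLICY):
        print(req)
```

Running covers() against the actions a job actually needs, before calling cas-proxy-init -f, is a cheap way to confirm that the file requests only those rights and that no stray wildcard pair has widened the credential to every action or every resource.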