Abstract
You can also download a PDF version here.
Table of Contents
- Java WS Core Commands
- globus-start-container - Starts standalone container
- globus-stop-container - Stops standalone container
- globus-start-container-detached - Starts standalone container detached from controlling TTY
- globus-stop-container-detached - Stops standalone container detached from controlling TTY
- wsrf-destroy - Destroys a resource
- wsrf-set-termination-time - Sets termination time of a resource
- wsrf-query - Performs query on a resource property document
- wsrf-get-property - Gets values of a single resource property
- wsrf-get-properties - Gets values of multiple resource properties
- wsrf-insert-property - Inserts values into a resource property
- wsrf-update-property - Updates value of a resource property
- wsrf-delete-property - Deletes a resource property
- wsn-get-current-message - Gets a current message associated with a topic
- wsn-pause-subscription - Pauses a subscription
- wsn-resume-subscription - Resumes a subscription
- wsn-subscribe - Subscribes to a topic
- globus-deploy-gar - Deploys a GAR file (locally)
- globus-undeploy-gar - Undeploys a GAR file (locally)
- globus-check-environment - Displays component version information and validates JVM version.
- globus-check-remote-environment - Displays remote component version information.
- globus-update-client-config - Merges client-config.wsdd files from deployed modules into the global client-config.wsdd configuration file
- globus-validate-descriptors - Validate configuration files of all services
- globus-reload-container - Reinitializes standalone container
- globus-remote-undeploy-gar - Undeploys a GAR file (remotely)
- globus-remote-deploy-gar - Deploys a GAR file (remotely)
- ws-enumerate-start - Starts an enumeration
- ws-enumerate - Retrieves enumeration data
- ws-enumerate-end - Stops an enumeration
- globus-xpath-query - Performs XPath query on a resource property document
- Common Java Client Options - list of common options across commands
- C WS Core Commands
- globus-wsc-container - Host C web services
- globus-wsrf-cgen - Generate Stubs/Skeletons in C
- globus-wsrf-destroy - Set the scheduled termination time for a WSRF resource.
- globus-wsrf-set-termination-time - Set the scheduled termination time for a WSRF resource.
- globus-wsrf-query - Query a WSRF resource's Resource Property document
- globus-wsrf-get-property - Get a resource property's value
- globus-wsrf-get-properties - Get multiple resource property value
- globus-wsrf-insert-property - Insert a resource property value
- globus-wsrf-update-property - Update a resource property value
- globus-wsrf-delete-property - Delete a resource property
- globus-wsn-get-current-message - Get the current message associated with a specified topic
- globus-wsn-pause-subscription - Pause a WSRF notification subscription.
- globus-wsn-resume-subscription - Resume a WSRF notification subscription.
- globus-wsn-subscribe - Subscribe for notification for a specified topic.
- GSI Commands
- grid-cert-diagnostics - Print diagnostic information about certificates and keys
- grid-cert-info - Display certificate information
- grid-cert-request - Create a certificate request
- grid-default-ca - Set the default CA to use for certificate requests
- grid-change-pass-phrase - Change the pass phrase on a private key
- grid-proxy-init - Generate a new proxy certificate
- grid-proxy-destroy - Destroy the current proxy certificate (previously created with grid-proxy-init)
- grid-proxy-info - Display information obtained from a proxy certificate
- grid-mapfile-add-entry - Add an entry to a grid map file
- grid-mapfile-check-consistency - Check the internal consistency of a grid map file
- grid-mapfile-delete-entry - Delete an entry from a grid map file
- CAS Query Commands
- cas-whoami - Getting a user's CAS identity.
- cas-list-object - Getting object list
- cas-get-object - Getting CAS object
- cas-group-list-entries - Getting group members
- cas-find-policies - Getting policy information
- query-cas-service - Query CAS Service (using OGSA AuthZ interface)
- CAS Admin Commands
- cas-proxy-init - Generate a CAS proxy
- cas-wrap - Runs program with CAS credentials
- cas-enroll - Enroll a CAS Object
- cas-remove - Remove a CAS object from the database
- cas-action - Maintains service types
- cas-group-admin - Maintains user groups, object groups, or serviceAction groups
- cas-group-add-entry - Adds CAS objects to CAS groups
- cas-group-remove-entry - Removing CAS objects from CAS groups
- cas-rights-admin - Granting or revoking permissions
- Delegation Service Commands
- globus-credential-delegate - Delegation client
- globus-credential-refresh - Delegation refresh client
- globus-delegation-client - C Delegation client
- GridFTP Commands
- globus-url-copy - Multi-protocol data movement
- globus-gridftp-server - Configures the GridFTP Server
- RFT Commands
- rft - Submit and monitor a 3rd party GridFTP transfer
- globus-crft - Command-line client to transfer files using RFT
- rft-delete - Command-line client to delete files using RFT
- Replica Location Service (RLS) Commands
- globus-rls-admin - RLS administration tool
- globus-rls-cli - RLS client tool
- globus-rls-server - RLS server tool
- WS RLS Commands
- globus-replicalocation-createmappings - This tool is used to create mappings between logical names and target names. The create semantic implies that the logical name does not exist at the time of invocation.
- globus-replicalocation-addmappings - This tool is used to add mappings between logical names and target names. The add semantic implies that the logical name does exist at the time of invocation.
- globus-replicalocation-deletemappings - This tool is used to delete mappings between logical names and target names.
- globus-replicalocation-defineattributes - This tool is used to define attributes.
- globus-replicalocation-undefineattributes - This tool is used to undefine attributes.
- globus-replicalocation-addattributes - This tool is used to add attributes.
- globus-replicalocation-modifyattributes - This tool is used to modify attributes.
- globus-replicalocation-removeattributes - This tool is used to remove existing attributes.
- DataRep Commands
- globus-replication-create - This tool is used to create a replication resource by submitting a replication request to the designated replication service.
- globus-replication-start - This tool starts the replication activities.
- globus-replication-stop - This tool stops the replication activities.
- globus-replication-suspend - This tool suspends the replication activities.
- globus-replication-resume - This tool resumes the replication activities.
- globus-replication-finditems - This tool queries the replication resource to return the status of individual replication item activities.
- Replication Client Commands
- globus-replication-client - Performs several intuitive data replication operations.
- WS MDS Commands
- mds-servicegroup-add - Registering grid resources to aggregating MDS services such as the Index, Archive and Trigger services
- mds-set-multiple-termination-time - Administering the termination time of grid resources created by aggregating MDS services such as the Index and Trigger services
- GRAM4 Commands
- globusrun-ws - Official job submission client for GRAM4
- GridWay Commands
- Job and Array Job submission Command - job submission utility for the GridWay system
- DAG Job submission Command - dag job submission utility for the GridWay system
- Job Monitoring Command - report a snapshot of the current jobs
- Job History Command - shows history of a job
- Host Monitoring Command - shows hosts information
- Job Control Command - controls job execution
- Job Synchronization Command - synchronize a job
- User Monitoring Command - monitors users in GridWay
- Accounting Command - prints accounting information
- JSDL To GridWay Job Template Parser Command - parser to translate JSDL file into GridWay Job Template file
- Glossary
These command line tools are available on Unix and Windows platforms and will work in the same way (of course within the platform rules - the path syntax, variable definitions, etc.).
The wsrf-* and wsn-* clients should work against any service that supports the given WSRF or WSN operations.
Table of Contents
- globus-start-container - Starts standalone container
- globus-stop-container - Stops standalone container
- globus-start-container-detached - Starts standalone container detached from controlling TTY
- globus-stop-container-detached - Stops standalone container detached from controlling TTY
- wsrf-destroy - Destroys a resource
- wsrf-set-termination-time - Sets termination time of a resource
- wsrf-query - Performs query on a resource property document
- wsrf-get-property - Gets values of a single resource property
- wsrf-get-properties - Gets values of multiple resource properties
- wsrf-insert-property - Inserts values into a resource property
- wsrf-update-property - Updates value of a resource property
- wsrf-delete-property - Deletes a resource property
- wsn-get-current-message - Gets a current message associated with a topic
- wsn-pause-subscription - Pauses a subscription
- wsn-resume-subscription - Resumes a subscription
- wsn-subscribe - Subscribes to a topic
- globus-deploy-gar - Deploys a GAR file (locally)
- globus-undeploy-gar - Undeploys a GAR file (locally)
- globus-check-environment - Displays component version information and validates JVM version.
- globus-check-remote-environment - Displays remote component version information.
- globus-update-client-config - Merges client-config.wsdd files from deployed modules into the global client-config.wsdd configuration file
- globus-validate-descriptors - Validate configuration files of all services
- globus-reload-container - Reinitializes standalone container
- globus-remote-undeploy-gar - Undeploys a GAR file (remotely)
- globus-remote-deploy-gar - Deploys a GAR file (remotely)
- ws-enumerate-start - Starts an enumeration
- ws-enumerate - Retrieves enumeration data
- ws-enumerate-end - Stops an enumeration
- globus-xpath-query - Performs XPath query on a resource property document
- Common Java Client Options - list of common options across commands
Name
globus-start-container — Starts standalone container
Synopsis
globus-start-container
Tool description
Starts a standalone container. By default a secure container is started on port 8443 and is accessible via HTTPS. On successful startup a list of services will be displayed on the console. By default the non secure (HTTP) container is started on port 8080.
Command syntax
globus-start-container [options]
Table 1. Options
| -help |
Displays help information about the command. |
| -p <port> |
Sets the port number for the container. |
| -i <address> |
Binds container to the specified network address. |
| -quiet |
Does not show a list of services at startup. |
| -debug |
Enables debug mode. |
| -nosec |
Starts a non secure (HTTP) container. Please note that this option only disables transport security. Message security can still be used. |
| -containerDesc <file> |
Specifies a container security descriptor file. |
| -profile <name> |
Specifies a configuration profile name for the container. |
Name
globus-stop-container — Stops standalone container
Synopsis
globus-stop-container
Tool description
Stops a standalone container. By default this command will attempt to stop a container running on localhost:8443 and perform a soft shutdown.
The globus-stop-container command invokes a ShutdownService running in the container. By default that service is configured to perform self authorization and therefore the globus-stop-container must be executed with the same credentials as the container it is running with. Alternatively, the service can be configured with a gridmap file to allow a subset of users (with their own credentials) to invoke the service (please see the service security deployment descriptor for details).
Command syntax
globus-stop-container [options] ['soft' | 'hard']
Table 2. Common options
| -h, --help |
Displays help information about the command. |
| -d, --debug |
Enables debug mode. For example, full stack traces of errors will be displayed. |
| -e, --eprFile <file> |
Specifies an XML file that contains the WS-Addressing endpoint reference. |
| -s, --service <url> |
Specifies the service URL. |
| -k, --key <name value> |
Specifies the resource key. The name is the QName of the resource key in the string form: {namespaceURI}localPart, while the value is the simple value of the key. For complex keys, use the --eprFile option. Example: -k "{http://www.globus.org}MyKey"
123
|
| -f, --descriptor <file> |
Specifies a client security descriptor. Overrides all other security settings. |
| -a, --anonymous |
Enables anonymous authentication. Only supported with transport security or the GSI Secure Conversation authentication mechanism. |
| -g, --delegation <mode> |
Enables delegation. mode can be either 'limited' or 'full'. Only supported with the GSI Secure Conversation authentication mechanism. |
| -l, --contextLifetime <value> |
Sets the lifetime of the client security context. value is in milliseconds. Only supported with the GSI Secure Conversation authentication mechanism. |
| -m, --securityMech <type> |
Specifies the authentication mechanism. type can be 'msg' for GSI Secure Message, or 'conv' for GSI Secure Conversation. |
| -c, --serverCertificate <file> |
Specifies the server's certificate file used for encryption. Only needed for the GSI Secure Message authentication mechanism. |
| -p, --protection <type> |
Specifies the protection level. type can be 'sig' for signature or 'enc' for encryption. |
| -x, --proxyFilename <value> |
Sets the proxy file to use as client credential. |
| -z, --authorization <type> |
Specifies authorization type. type can be 'self', 'host', 'none', or a string specifying the expected identity of the remote party. |
| -t, --timeout <timeout> |
Specifies client timeout (in seconds). The client will wait maximum of the timeout value for a response from the server before returning an error. By default the timeout value is 10 minutes. |
Table 3. Shutdown options
| 'soft' | This option lets the threads die naturally. |
| 'hard' | This option forces an immediate JVM shutdown. |
Example:
$ globus-stop-container soft
Please see the troubleshooting section if you are having problems with
globus-stop-container.
Name
globus-start-container-detached — Starts standalone container detached from controlling TTY
Synopsis
globus-start-container-detached
Tool description
Starts a standalone container detached from the controlling TTY. This can be useful for
long running containers or when started from init.d scripts. Container log goes to
$GLOBUS_LOCATION/var/container.log and a PID file is written to
$GLOBUS_LOCATION/var/container.pid.
globus-start-container-detached is just a wrapper around
globus-start-container so see globus-start-container for more information and options.
![]() | Note |
|---|---|
Note that this tool is only available after doing a full Globus install. It is not available in Java WS Core only installs. |
Name
globus-stop-container-detached — Stops standalone container detached from controlling TTY
Synopsis
globus-stop-container-detached
Tool description
Stops a standalone container detached from the controlling TTY.
$GLOBUS_LOCATION/var/container.pid is used to find the PID of the running
container and signals are sent to stop the container.
![]() | Note |
|---|---|
Note that this tool is only available after doing a full Globus install. It is not available in Java WS Core only installs. |
Name
wsrf-destroy — Destroys a resource
Synopsis
wsrf-destroy
Command syntax
wsrf-destroy [options]
Table 6. Common options
| -h, --help |
Displays help information about the command. |
| -d, --debug |
Enables debug mode. For example, full stack traces of errors will be displayed. |
| -e, --eprFile <file> |
Specifies an XML file that contains the WS-Addressing endpoint reference. |
| -s, --service <url> |
Specifies the service URL. |
| -k, --key <name value> |
Specifies the resource key. The name is the QName of the resource key in the string form: {namespaceURI}localPart, while the value is the simple value of the key. For complex keys, use the --eprFile option. Example: -k "{http://www.globus.org}MyKey"
123
|
| -f, --descriptor <file> |
Specifies a client security descriptor. Overrides all other security settings. |
| -a, --anonymous |
Enables anonymous authentication. Only supported with transport security or the GSI Secure Conversation authentication mechanism. |
| -g, --delegation <mode> |
Enables delegation. mode can be either 'limited' or 'full'. Only supported with the GSI Secure Conversation authentication mechanism. |
| -l, --contextLifetime <value> |
Sets the lifetime of the client security context. value is in milliseconds. Only supported with the GSI Secure Conversation authentication mechanism. |
| -m, --securityMech <type> |
Specifies the authentication mechanism. type can be 'msg' for GSI Secure Message, or 'conv' for GSI Secure Conversation. |
| -c, --serverCertificate <file> |
Specifies the server's certificate file used for encryption. Only needed for the GSI Secure Message authentication mechanism. |
| -p, --protection <type> |
Specifies the protection level. type can be 'sig' for signature or 'enc' for encryption. |
| -x, --proxyFilename <value> |
Sets the proxy file to use as client credential. |
| -z, --authorization <type> |
Specifies authorization type. type can be 'self', 'host', 'none', or a string specifying the expected identity of the remote party. |
| -t, --timeout <timeout> |
Specifies client timeout (in seconds). The client will wait maximum of the timeout value for a response from the server before returning an error. By default the timeout value is 10 minutes. |
Example:
$ wsrf-destroy -s http://localhost:8080/wsrf/services/CounterService \ -k
"{http://counter.com}CounterKey" 123Name
wsrf-set-termination-time — Sets termination time of a resource
Synopsis
wsrf-set-termination-time
Command syntax
wsrf-set-termination-time [options] <seconds> | 'infinity'
The following are command-specific options in addition to the common options:
Table 8. Common options
| -h, --help |
Displays help information about the command. |
| -d, --debug |
Enables debug mode. For example, full stack traces of errors will be displayed. |
| -e, --eprFile <file> |
Specifies an XML file that contains the WS-Addressing endpoint reference. |
| -s, --service <url> |
Specifies the service URL. |
| -k, --key <name value> |
Specifies the resource key. The name is the QName of the resource key in the string form: {namespaceURI}localPart, while the value is the simple value of the key. For complex keys, use the --eprFile option. Example: -k "{http://www.globus.org}MyKey"
123
|
| -f, --descriptor <file> |
Specifies a client security descriptor. Overrides all other security settings. |
| -a, --anonymous |
Enables anonymous authentication. Only supported with transport security or the GSI Secure Conversation authentication mechanism. |
| -g, --delegation <mode> |
Enables delegation. mode can be either 'limited' or 'full'. Only supported with the GSI Secure Conversation authentication mechanism. |
| -l, --contextLifetime <value> |
Sets the lifetime of the client security context. value is in milliseconds. Only supported with the GSI Secure Conversation authentication mechanism. |
| -m, --securityMech <type> |
Specifies the authentication mechanism. type can be 'msg' for GSI Secure Message, or 'conv' for GSI Secure Conversation. |
| -c, --serverCertificate <file> |
Specifies the server's certificate file used for encryption. Only needed for the GSI Secure Message authentication mechanism. |
| -p, --protection <type> |
Specifies the protection level. type can be 'sig' for signature or 'enc' for encryption. |
| -x, --proxyFilename <value> |
Sets the proxy file to use as client credential. |
| -z, --authorization <type> |
Specifies authorization type. type can be 'self', 'host', 'none', or a string specifying the expected identity of the remote party. |
| -t, --timeout <timeout> |
Specifies client timeout (in seconds). The client will wait maximum of the timeout value for a response from the server before returning an error. By default the timeout value is 10 minutes. |
Example:
$ wsrf-set-termination-time -s http://localhost:8080/wsrf/services/CounterService \ -k
"{http://counter.com}CounterKey" 123 30Name
wsrf-query — Performs query on a resource property document
Synopsis
wsrf-query
Tool description
Queries the resource property document of a resource. By default, a simple XPath query is assumed that returns the entire resource property document.
Command syntax
wsrf-query [options] [query expression] [dialect]
Table 9. Common options
| -h, --help |
Displays help information about the command. |
| -d, --debug |
Enables debug mode. For example, full stack traces of errors will be displayed. |
| -e, --eprFile <file> |
Specifies an XML file that contains the WS-Addressing endpoint reference. |
| -s, --service <url> |
Specifies the service URL. |
| -k, --key <name value> |
Specifies the resource key. The name is the QName of the resource key in the string form: {namespaceURI}localPart, while the value is the simple value of the key. For complex keys, use the --eprFile option. Example: -k "{http://www.globus.org}MyKey"
123
|
| -f, --descriptor <file> |
Specifies a client security descriptor. Overrides all other security settings. |
| -a, --anonymous |
Enables anonymous authentication. Only supported with transport security or the GSI Secure Conversation authentication mechanism. |
| -g, --delegation <mode> |
Enables delegation. mode can be either 'limited' or 'full'. Only supported with the GSI Secure Conversation authentication mechanism. |
| -l, --contextLifetime <value> |
Sets the lifetime of the client security context. value is in milliseconds. Only supported with the GSI Secure Conversation authentication mechanism. |
| -m, --securityMech <type> |
Specifies the authentication mechanism. type can be 'msg' for GSI Secure Message, or 'conv' for GSI Secure Conversation. |
| -c, --serverCertificate <file> |
Specifies the server's certificate file used for encryption. Only needed for the GSI Secure Message authentication mechanism. |
| -p, --protection <type> |
Specifies the protection level. type can be 'sig' for signature or 'enc' for encryption. |
| -x, --proxyFilename <value> |
Sets the proxy file to use as client credential. |
| -z, --authorization <type> |
Specifies authorization type. type can be 'self', 'host', 'none', or a string specifying the expected identity of the remote party. |
| -t, --timeout <timeout> |
Specifies client timeout (in seconds). The client will wait maximum of the timeout value for a response from the server before returning an error. By default the timeout value is 10 minutes. |
Examples:
$ wsrf-query -s https://127.0.0.1:8443/wsrf/services/DefaultIndexService \
"count(//*[local-name()='Entry'])" $ wsrf-query -s https://127.0.0.1:8443/wsrf/services/DefaultIndexService \
"number(//*[local-name()='GLUECE']/glue:ComputingElement/glue:State/@glue:FreeCPUs)=0" $ wsrf-query -s http://localhost:8080/wsrf/services/ContainerRegistryService \
"/*/*/*/*[local-name()='Address']"Name
wsrf-get-property — Gets values of a single resource property
Synopsis
wsrf-get-property
Command syntax
wsrf-get-property [options] <property>
The <property> is a QName of the resource property in the string form: {namespaceURI}localPart.
Table 10. Common options
| -h, --help |
Displays help information about the command. |
| -d, --debug |
Enables debug mode. For example, full stack traces of errors will be displayed. |
| -e, --eprFile <file> |
Specifies an XML file that contains the WS-Addressing endpoint reference. |
| -s, --service <url> |
Specifies the service URL. |
| -k, --key <name value> |
Specifies the resource key. The name is the QName of the resource key in the string form: {namespaceURI}localPart, while the value is the simple value of the key. For complex keys, use the --eprFile option. Example: -k "{http://www.globus.org}MyKey"
123
|
| -f, --descriptor <file> |
Specifies a client security descriptor. Overrides all other security settings. |
| -a, --anonymous |
Enables anonymous authentication. Only supported with transport security or the GSI Secure Conversation authentication mechanism. |
| -g, --delegation <mode> |
Enables delegation. mode can be either 'limited' or 'full'. Only supported with the GSI Secure Conversation authentication mechanism. |
| -l, --contextLifetime <value> |
Sets the lifetime of the client security context. value is in milliseconds. Only supported with the GSI Secure Conversation authentication mechanism. |
| -m, --securityMech <type> |
Specifies the authentication mechanism. type can be 'msg' for GSI Secure Message, or 'conv' for GSI Secure Conversation. |
| -c, --serverCertificate <file> |
Specifies the server's certificate file used for encryption. Only needed for the GSI Secure Message authentication mechanism. |
| -p, --protection <type> |
Specifies the protection level. type can be 'sig' for signature or 'enc' for encryption. |
| -x, --proxyFilename <value> |
Sets the proxy file to use as client credential. |
| -z, --authorization <type> |
Specifies authorization type. type can be 'self', 'host', 'none', or a string specifying the expected identity of the remote party. |
| -t, --timeout <timeout> |
Specifies client timeout (in seconds). The client will wait maximum of the timeout value for a response from the server before returning an error. By default the timeout value is 10 minutes. |
Example:
$ wsrf-get-property -s http://localhost:8080/wsrf/services/CounterService \ -k
"{http://counter.com}CounterKey" 123 \
"{http://docs.oasis-open.org/wsrf/2004/06/wsrf-WS-ResourceLifetime-1.2-draft-01.xsd}CurrentTime"Name
wsrf-get-properties — Gets values of multiple resource properties
Synopsis
wsrf-get-properties
Command syntax
wsrf-get-properties [options] <property1> [<property2>...
<propertyN>]Each <propertyN> is a QName of the resource property in the string form: {namespaceURI}localPart.
Table 11. Common options
| -h, --help |
Displays help information about the command. |
| -d, --debug |
Enables debug mode. For example, full stack traces of errors will be displayed. |
| -e, --eprFile <file> |
Specifies an XML file that contains the WS-Addressing endpoint reference. |
| -s, --service <url> |
Specifies the service URL. |
| -k, --key <name value> |
Specifies the resource key. The name is the QName of the resource key in the string form: {namespaceURI}localPart, while the value is the simple value of the key. For complex keys, use the --eprFile option. Example: -k "{http://www.globus.org}MyKey"
123
|
| -f, --descriptor <file> |
Specifies a client security descriptor. Overrides all other security settings. |
| -a, --anonymous |
Enables anonymous authentication. Only supported with transport security or the GSI Secure Conversation authentication mechanism. |
| -g, --delegation <mode> |
Enables delegation. mode can be either 'limited' or 'full'. Only supported with the GSI Secure Conversation authentication mechanism. |
| -l, --contextLifetime <value> |
Sets the lifetime of the client security context. value is in milliseconds. Only supported with the GSI Secure Conversation authentication mechanism. |
| -m, --securityMech <type> |
Specifies the authentication mechanism. type can be 'msg' for GSI Secure Message, or 'conv' for GSI Secure Conversation. |
| -c, --serverCertificate <file> |
Specifies the server's certificate file used for encryption. Only needed for the GSI Secure Message authentication mechanism. |
| -p, --protection <type> |
Specifies the protection level. type can be 'sig' for signature or 'enc' for encryption. |
| -x, --proxyFilename <value> |
Sets the proxy file to use as client credential. |
| -z, --authorization <type> |
Specifies authorization type. type can be 'self', 'host', 'none', or a string specifying the expected identity of the remote party. |
| -t, --timeout <timeout> |
Specifies client timeout (in seconds). The client will wait maximum of the timeout value for a response from the server before returning an error. By default the timeout value is 10 minutes. |
Example:
$ wsrf-get-properties -s http://localhost:8080/wsrf/services/CounterService \ -k
"{http://counter.com}CounterKey" 123 \
"{http://docs.oasis-open.org/wsrf/2004/06/wsrf-WS-ResourceLifetime-1.2-draft-01.xsd}CurrentTime"
\
"{http://docs.oasis-open.org/wsrf/2004/06/wsrf-WS-ResourceLifetime-1.2-draft-01.xsd}TerminationTime"Name
wsrf-insert-property — Inserts values into a resource property
Synopsis
wsrf-insert-property
Command syntax
wsrf-insert-property [options] <propertyValueFile>
The <propertyValueFile> is an XML file that contains the value of the resource property. The QName of the property is the outer most element.
Table 12. Common options
| -h, --help |
Displays help information about the command. |
| -d, --debug |
Enables debug mode. For example, full stack traces of errors will be displayed. |
| -e, --eprFile <file> |
Specifies an XML file that contains the WS-Addressing endpoint reference. |
| -s, --service <url> |
Specifies the service URL. |
| -k, --key <name value> |
Specifies the resource key. The name is the QName of the resource key in the string form: {namespaceURI}localPart, while the value is the simple value of the key. For complex keys, use the --eprFile option. Example: -k "{http://www.globus.org}MyKey"
123
|
| -f, --descriptor <file> |
Specifies a client security descriptor. Overrides all other security settings. |
| -a, --anonymous |
Enables anonymous authentication. Only supported with transport security or the GSI Secure Conversation authentication mechanism. |
| -g, --delegation <mode> |
Enables delegation. mode can be either 'limited' or 'full'. Only supported with the GSI Secure Conversation authentication mechanism. |
| -l, --contextLifetime <value> |
Sets the lifetime of the client security context. value is in milliseconds. Only supported with the GSI Secure Conversation authentication mechanism. |
| -m, --securityMech <type> |
Specifies the authentication mechanism. type can be 'msg' for GSI Secure Message, or 'conv' for GSI Secure Conversation. |
| -c, --serverCertificate <file> |
Specifies the server's certificate file used for encryption. Only needed for the GSI Secure Message authentication mechanism. |
| -p, --protection <type> |
Specifies the protection level. type can be 'sig' for signature or 'enc' for encryption. |
| -x, --proxyFilename <value> |
Sets the proxy file to use as client credential. |
| -z, --authorization <type> |
Specifies authorization type. type can be 'self', 'host', 'none', or a string specifying the expected identity of the remote party. |
| -t, --timeout <timeout> |
Specifies client timeout (in seconds). The client will wait maximum of the timeout value for a response from the server before returning an error. By default the timeout value is 10 minutes. |
Example: Contents of in.xml:
<doc> <ns1:Foo xmlns:ns1="http://widgets.com"> Value1
</ns1:Foo> <ns1:Foo xmlns:ns1="http://widgets.com"> Value2
</ns1:Foo> </doc> $ wsrf-insert-property -s http://localhost:8080/wsrf/services/WidgetService \ -k
"{http://www.globus.org/namespaces/2004/06/core}WidgetKey" 123 \ in.xmlName
wsrf-update-property — Updates value of a resource property
Synopsis
wsrf-update-property
Command syntax
wsrf-update-property [options] <propertyValueFile>
The <propertyValueFile> is an XML file that contains the value of the resource property. The QName of the property is the outermost element.
Table 13. Common options
| -h, --help |
Displays help information about the command. |
| -d, --debug |
Enables debug mode. For example, full stack traces of errors will be displayed. |
| -e, --eprFile <file> |
Specifies an XML file that contains the WS-Addressing endpoint reference. |
| -s, --service <url> |
Specifies the service URL. |
| -k, --key <name value> |
Specifies the resource key. The name is the QName of the resource key in the string form: {namespaceURI}localPart, while the value is the simple value of the key. For complex keys, use the --eprFile option. Example: -k "{http://www.globus.org}MyKey"
123
|
| -f, --descriptor <file> |
Specifies a client security descriptor. Overrides all other security settings. |
| -a, --anonymous |
Enables anonymous authentication. Only supported with transport security or the GSI Secure Conversation authentication mechanism. |
| -g, --delegation <mode> |
Enables delegation. mode can be either 'limited' or 'full'. Only supported with the GSI Secure Conversation authentication mechanism. |
| -l, --contextLifetime <value> |
Sets the lifetime of the client security context. value is in milliseconds. Only supported with the GSI Secure Conversation authentication mechanism. |
| -m, --securityMech <type> |
Specifies the authentication mechanism. type can be 'msg' for GSI Secure Message, or 'conv' for GSI Secure Conversation. |
| -c, --serverCertificate <file> |
Specifies the server's certificate file used for encryption. Only needed for the GSI Secure Message authentication mechanism. |
| -p, --protection <type> |
Specifies the protection level. type can be 'sig' for signature or 'enc' for encryption. |
| -x, --proxyFilename <value> |
Sets the proxy file to use as client credential. |
| -z, --authorization <type> |
Specifies authorization type. type can be 'self', 'host', 'none', or a string specifying the expected identity of the remote party. |
| -t, --timeout <timeout> |
Specifies client timeout (in seconds). The client will wait maximum of the timeout value for a response from the server before returning an error. By default the timeout value is 10 minutes. |
Example: Contents of in.xml:
<doc> <ns1:Foo xmlns:ns1="http://widgets.com"> Value
</ns1:Foo> </doc> $ wsrf-update-property -s http://localhost:8080/wsrf/services/WidgetService \ -k
"{http://www.globus.org/namespaces/2004/06/core}WidgetKey" 123 \ in.xmlName
wsrf-delete-property — Deletes a resource property
Synopsis
wsrf-delete-property
Command syntax
wsrf-delete-property [options] <property>
The <property> is a QName of the resource property in the string form: {namespaceURI}localPart.
Table 14. Common options
| -h, --help |
Displays help information about the command. |
| -d, --debug |
Enables debug mode. For example, full stack traces of errors will be displayed. |
| -e, --eprFile <file> |
Specifies an XML file that contains the WS-Addressing endpoint reference. |
| -s, --service <url> |
Specifies the service URL. |
| -k, --key <name value> |
Specifies the resource key. The name is the QName of the resource key in the string form: {namespaceURI}localPart, while the value is the simple value of the key. For complex keys, use the --eprFile option. Example: -k "{http://www.globus.org}MyKey"
123
|
| -f, --descriptor <file> |
Specifies a client security descriptor. Overrides all other security settings. |
| -a, --anonymous |
Enables anonymous authentication. Only supported with transport security or the GSI Secure Conversation authentication mechanism. |
| -g, --delegation <mode> |
Enables delegation. mode can be either 'limited' or 'full'. Only supported with the GSI Secure Conversation authentication mechanism. |
| -l, --contextLifetime <value> |
Sets the lifetime of the client security context. value is in milliseconds. Only supported with the GSI Secure Conversation authentication mechanism. |
| -m, --securityMech <type> |
Specifies the authentication mechanism. type can be 'msg' for GSI Secure Message, or 'conv' for GSI Secure Conversation. |
| -c, --serverCertificate <file> |
Specifies the server's certificate file used for encryption. Only needed for the GSI Secure Message authentication mechanism. |
| -p, --protection <type> |
Specifies the protection level. type can be 'sig' for signature or 'enc' for encryption. |
| -x, --proxyFilename <value> |
Sets the proxy file to use as client credential. |
| -z, --authorization <type> |
Specifies authorization type. type can be 'self', 'host', 'none', or a string specifying the expected identity of the remote party. |
| -t, --timeout <timeout> |
Specifies client timeout (in seconds). The client will wait maximum of the timeout value for a response from the server before returning an error. By default the timeout value is 10 minutes. |
Example:
$ wsrf-delete-property -s http://localhost:8080/wsrf/services/WidgetService \ -k
"{http://www.globus.org/namespaces/2004/06/core}WidgetKey" 123 \
"{http://widgets.com}Foo"Name
wsn-get-current-message — Gets a current message associated with a topic
Synopsis
wsn-get-current-message
Command syntax
wsn-get-current-message [options] <topic>
The <topic> is a QName of the resource property in the string form: {namespaceURI}localPart.
Table 15. Common options
| -h, --help |
Displays help information about the command. |
| -d, --debug |
Enables debug mode. For example, full stack traces of errors will be displayed. |
| -e, --eprFile <file> |
Specifies an XML file that contains the WS-Addressing endpoint reference. |
| -s, --service <url> |
Specifies the service URL. |
| -k, --key <name value> |
Specifies the resource key. The name is the QName of the resource key in the string form: {namespaceURI}localPart, while the value is the simple value of the key. For complex keys, use the --eprFile option. Example: -k "{http://www.globus.org}MyKey"
123
|
| -f, --descriptor <file> |
Specifies a client security descriptor. Overrides all other security settings. |
| -a, --anonymous |
Enables anonymous authentication. Only supported with transport security or the GSI Secure Conversation authentication mechanism. |
| -g, --delegation <mode> |
Enables delegation. mode can be either 'limited' or 'full'. Only supported with the GSI Secure Conversation authentication mechanism. |
| -l, --contextLifetime <value> |
Sets the lifetime of the client security context. value is in milliseconds. Only supported with the GSI Secure Conversation authentication mechanism. |
| -m, --securityMech <type> |
Specifies the authentication mechanism. type can be 'msg' for GSI Secure Message, or 'conv' for GSI Secure Conversation. |
| -c, --serverCertificate <file> |
Specifies the server's certificate file used for encryption. Only needed for the GSI Secure Message authentication mechanism. |
| -p, --protection <type> |
Specifies the protection level. type can be 'sig' for signature or 'enc' for encryption. |
| -x, --proxyFilename <value> |
Sets the proxy file to use as client credential. |
| -z, --authorization <type> |
Specifies authorization type. type can be 'self', 'host', 'none', or a string specifying the expected identity of the remote party. |
| -t, --timeout <timeout> |
Specifies client timeout (in seconds). The client will wait maximum of the timeout value for a response from the server before returning an error. By default the timeout value is 10 minutes. |
Example:
$ wsn-get-current-message -s
http://localhost:8080/wsrf/services/CounterService \ -k "{http://counter.com}CounterKey" 123 \
"{http://counter.com}Value"
Name
wsn-pause-subscription — Pauses a subscription
Synopsis
wsn-pause-subscription
Tool description
Pauses a subscription (notifications on that subscription will not be sent out until it is resumed).
Command syntax
wsn-pause-subscription [options]
Table 16. Common options
| -h, --help |
Displays help information about the command. |
| -d, --debug |
Enables debug mode. For example, full stack traces of errors will be displayed. |
| -e, --eprFile <file> |
Specifies an XML file that contains the WS-Addressing endpoint reference. |
| -s, --service <url> |
Specifies the service URL. |
| -k, --key <name value> |
Specifies the resource key. The name is the QName of the resource key in the string form: {namespaceURI}localPart, while the value is the simple value of the key. For complex keys, use the --eprFile option. Example: -k "{http://www.globus.org}MyKey"
123
|
| -f, --descriptor <file> |
Specifies a client security descriptor. Overrides all other security settings. |
| -a, --anonymous |
Enables anonymous authentication. Only supported with transport security or the GSI Secure Conversation authentication mechanism. |
| -g, --delegation <mode> |
Enables delegation. mode can be either 'limited' or 'full'. Only supported with the GSI Secure Conversation authentication mechanism. |
| -l, --contextLifetime <value> |
Sets the lifetime of the client security context. value is in milliseconds. Only supported with the GSI Secure Conversation authentication mechanism. |
| -m, --securityMech <type> |
Specifies the authentication mechanism. type can be 'msg' for GSI Secure Message, or 'conv' for GSI Secure Conversation. |
| -c, --serverCertificate <file> |
Specifies the server's certificate file used for encryption. Only needed for the GSI Secure Message authentication mechanism. |
| -p, --protection <type> |
Specifies the protection level. type can be 'sig' for signature or 'enc' for encryption. |
| -x, --proxyFilename <value> |
Sets the proxy file to use as client credential. |
| -z, --authorization <type> |
Specifies authorization type. type can be 'self', 'host', 'none', or a string specifying the expected identity of the remote party. |
| -t, --timeout <timeout> |
Specifies client timeout (in seconds). The client will wait maximum of the timeout value for a response from the server before returning an error. By default the timeout value is 10 minutes. |
Example:
$ wsn-pause-subscription -s
http://localhost:8080/wsrf/services/SubscriptionManagerService \ -k
"{http://www.globus.org/namespaces/2004/06/core}acc271c0-4df9-11d9-ab19-87da3bc7cf28"Name
wsn-resume-subscription — Resumes a subscription
Synopsis
wsn-resume-subscription
Tool description
Resumes a subscription (notifications on that subscription will be sent out again).
Command syntax
wsn-resume-subscription [options]
Table 17. Common options
| -h, --help |
Displays help information about the command. |
| -d, --debug |
Enables debug mode. For example, full stack traces of errors will be displayed. |
| -e, --eprFile <file> |
Specifies an XML file that contains the WS-Addressing endpoint reference. |
| -s, --service <url> |
Specifies the service URL. |
| -k, --key <name value> |
Specifies the resource key. The name is the QName of the resource key in the string form: {namespaceURI}localPart, while the value is the simple value of the key. For complex keys, use the --eprFile option. Example: -k "{http://www.globus.org}MyKey"
123
|
| -f, --descriptor <file> |
Specifies a client security descriptor. Overrides all other security settings. |
| -a, --anonymous |
Enables anonymous authentication. Only supported with transport security or the GSI Secure Conversation authentication mechanism. |
| -g, --delegation <mode> |
Enables delegation. mode can be either 'limited' or 'full'. Only supported with the GSI Secure Conversation authentication mechanism. |
| -l, --contextLifetime <value> |
Sets the lifetime of the client security context. value is in milliseconds. Only supported with the GSI Secure Conversation authentication mechanism. |
| -m, --securityMech <type> |
Specifies the authentication mechanism. type can be 'msg' for GSI Secure Message, or 'conv' for GSI Secure Conversation. |
| -c, --serverCertificate <file> |
Specifies the server's certificate file used for encryption. Only needed for the GSI Secure Message authentication mechanism. |
| -p, --protection <type> |
Specifies the protection level. type can be 'sig' for signature or 'enc' for encryption. |
| -x, --proxyFilename <value> |
Sets the proxy file to use as client credential. |
| -z, --authorization <type> |
Specifies authorization type. type can be 'self', 'host', 'none', or a string specifying the expected identity of the remote party. |
| -t, --timeout <timeout> |
Specifies client timeout (in seconds). The client will wait maximum of the timeout value for a response from the server before returning an error. By default the timeout value is 10 minutes. |
Example:
$ wsn-resume-subscription -s
http://localhost:8080/wsrf/services/SubscriptionManagerService \ -k
"{http://www.globus.org/namespaces/2004/06/core}acc271c0-4df9-11d9-ab19-87da3bc7cf28"Name
wsn-subscribe — Subscribes to a topic
Synopsis
wsn-subscribe
Command syntax
wsn-subscribe [options] <topic>
The <topic> is a QName of the resource property in the string form: {namespaceURI}localPart.
The following are subscribe-specific options in addition to the common options:
Table 18. Command-specific options
| -r, --resDescFile <file> |
Specifies a file containing a resource security descriptor for the notification consumer resource. |
| -b, --subEpr <file> |
Specifies a file to which the subscription resource EPR will be saved. |
Table 19. Common options
| -h, --help |
Displays help information about the command. |
| -d, --debug |
Enables debug mode. For example, full stack traces of errors will be displayed. |
| -e, --eprFile <file> |
Specifies an XML file that contains the WS-Addressing endpoint reference. |
| -s, --service <url> |
Specifies the service URL. |
| -k, --key <name value> |
Specifies the resource key. The name is the QName of the resource key in the string form: {namespaceURI}localPart, while the value is the simple value of the key. For complex keys, use the --eprFile option. Example: -k "{http://www.globus.org}MyKey"
123
|
| -f, --descriptor <file> |
Specifies a client security descriptor. Overrides all other security settings. |
| -a, --anonymous |
Enables anonymous authentication. Only supported with transport security or the GSI Secure Conversation authentication mechanism. |
| -g, --delegation <mode> |
Enables delegation. mode can be either 'limited' or 'full'. Only supported with the GSI Secure Conversation authentication mechanism. |
| -l, --contextLifetime <value> |
Sets the lifetime of the client security context. value is in milliseconds. Only supported with the GSI Secure Conversation authentication mechanism. |
| -m, --securityMech <type> |
Specifies the authentication mechanism. type can be 'msg' for GSI Secure Message, or 'conv' for GSI Secure Conversation. |
| -c, --serverCertificate <file> |
Specifies the server's certificate file used for encryption. Only needed for the GSI Secure Message authentication mechanism. |
| -p, --protection <type> |
Specifies the protection level. type can be 'sig' for signature or 'enc' for encryption. |
| -x, --proxyFilename <value> |
Sets the proxy file to use as client credential. |
| -z, --authorization <type> |
Specifies authorization type. type can be 'self', 'host', 'none', or a string specifying the expected identity of the remote party. |
| -t, --timeout <timeout> |
Specifies client timeout (in seconds). The client will wait maximum of the timeout value for a response from the server before returning an error. By default the timeout value is 10 minutes. |
Example:
$ wsn-subscribe -s http://localhost:8080/wsrf/services/CounterService \ -k
"{http://counter.com}CounterKey" 123 \ "{http://counter.com}Value"Name
globus-deploy-gar — Deploys a GAR file (locally)
Synopsis
globus-deploy-gar
Command syntax
globus-deploy-gar [options] <gar.file>
The <gar.file> is the path to the GAR file to be deployed.
Table 20. Options
| -help |
Displays help information about the command. |
| -debug |
Enables debug mode. |
| -verbose |
Enables verbose mode. |
| -backup |
Creates backup of existing configuration files. |
| -overwrite |
Overwrite existing deployment. |
| -profile <name> |
Specifies the profile name under which the configuration files in the GAR will be deployed. Please see "Configuration Profiles" under Configuring Java WS Core for details. |
| -tomcat <dir> |
Deploys a GAR file to Apache Tomcat. The
|
| -D<property>=<value> |
Passes arbitrary property-value pairs. See below for the list of currently supported properties. |
Table 21. Supported property-value pairs
| -Dall.scripts=true |
Causes Windows and Unix launcher scripts to be generated. |
| -DdoValidation=false |
Turns off automatic validation of service configuration files. |
![]() | Note |
|---|---|
Since GT 4.2, globus-deploy-gar command will NOT overwrite the
existing deployment unless |
Example I:
$ globus-deploy-gar /tmp/gars/globus_wsrf_core_samples_counter.gar
The above command will deploy the
globus_wsrf_core_samples_counter.gar into Java WS Core installation
directory. The above command invokes the deployGar task in the
build-packages.xml Ant build file. The above example is equivalent to
running:
$ ant -f $GLOBUS_LOCATION/share/globus_wsrf_common/build-packages.xml deployGar \
-Dgar.name=/tmp/gars/globus_wsrf_core_samples_counter.garThe profile name can be passed using the -Dprofile Ant option. To enable back up of the existing configuration files add the -DcreateBackup=true Ant option. Make sure to use the absolute path name for the gar file when using Ant directly.
Example II:
$ globus-deploy-gar -tomcat /soft/tomcat-5.5.20 \
/tmp/gars/globus_wsrf_core_samples_counter.gar The above command will deploy the
globus_wsrf_core_samples_counter.gar into Apache Tomcat. The above command
invokes the deployGar task in the
tomcat-service.xml Ant build file. The above example is equivalent to
running:
$ ant -f $GLOBUS_LOCATION/share/globus_wsrf_common/tomcat/tomcat-service.xml deployGar \
-Dgar.name=/tmp/gars/globus_wsrf_core_samples_counter.gar \ -Dtomcat.dir=/soft/tomcat-5.5.20 By default the GAR file will be deployed under the
"wsrf" web application. To specify a
different web application name use -Dwebapp.name=<name>
option.
Name
globus-undeploy-gar — Undeploys a GAR file (locally)
Synopsis
globus-undeploy-gar
Command syntax
globus-undeploy-gar [options] <gar.id>
The <gar.id> is the base name of the GAR file without the .gar extension to undeploy. For example if the GAR file is "foo.gar", then the GAR id is "foo". The directory names under $GLOBUS_LOCATION/etc/globus_packages/ are the GAR ids of the undeployable items.
Table 22. Options
| -help |
Displays help information about the command. |
| -debug |
Enables debug mode. |
| -verbose |
Enables verbose mode. |
| -tomcat <dir> |
Undeploy a GAR file from Apache Tomcat. The
|
| -D<property>=<value> |
Passes arbitrary property-value pairs. |
![]() | Note |
|---|---|
The container must be off to undeploy a GAR file. |
Example I:
$ globus-undeploy-gar globus_wsrf_core_samples_counter
The above command will undeploy globus_wsrf_core_samples_counter GAR
from Java WS Core installation directory. The above command invokes the
undeployGar task in the build-packages.xml Ant build
file. The above example is equivalent to running:
$ ant -f $GLOBUS_LOCATION/share/globus_wsrf_common/build-packages.xml undeployGar \
-Dgar.id=globus_wsrf_core_samples_counterExample II:
$ globus-undeploy-gar -tomcat /soft/tomcat-5.5.20 \ globus_wsrf_core_samples_counter
The above command will undeploy globus_wsrf_core_samples_counter GAR
from Apache Tomcat. The above command invokes the undeployGar task in the
tomcat-service.xml Ant build file. The above example is equivalent to
running:
$ ant -f $GLOBUS_LOCATION/share/globus_wsrf_common/tomcat/tomcat-service.xml undeployGar
\ -Dgar.id=globus_wsrf_core_samples_counter \ -Dtomcat.dir=/soft/tomcat-5.5.20 By default the GAR file will be undeployed under the
"wsrf" web application. To specify a
different web application name use -Dwebapp.name=<name>
option.
Name
globus-check-environment — Displays component version information and validates JVM version.
Synopsis
globus-check-environment
Name
globus-check-remote-environment — Displays remote component version information.
Synopsis
globus-check-remote-environment
Command syntax
globus-check-environment [-help] -s endpoint -z authz
Table 23. Options
| -help |
Displays help information about the command. |
| -s endpoint |
Remote endpoint to print vesion information about. It should be of the format protocol://host:port, example https://localhost:8443. |
| -z authz |
Sets authorization, can be 'self', 'host', 'hostOrSelf' or 'none' or a string specifying the expected identity of the remote party. Defaults to no authorization. |
Name
globus-update-client-config — Merges client-config.wsdd files from deployed modules into the global client-config.wsdd configuration file
Synopsis
globus-update-client-config
Tool description
Merges multiple client-config.wsdd files from deployed modules into the global configuration file.
Scans each $GLOBUS_LOCATION/etc/<modulename>/client-config.wsdd and merges the contents into $GLOBUS_LOCATION/client-config.wsdd
This tool is primarily intended for use by administrators and automation tools to facilitate the adding and removing of module
specific type-mapping and/or other client-side configuration from the global client-config.wsdd file used by the Globus installation.
Name
globus-validate-descriptors — Validate configuration files of all services
Synopsis
globus-validate-descriptors
Name
globus-reload-container — Reinitializes standalone container
Synopsis
globus-reload-container
Tool description
Invokes the reload() operation on the DeployService running in the remote container. It tells the container to reinitialize all of its services, re-read its and service configuration files, etc. For example, the administrator can change the security descriptor of a service and then use the globus-reload-container command to force the container to load the updated configuration without restarting the container.
By default the DeployService is configured to perform self authorization and therefore the globus-reload-container must be executed with the same credentials as the container it is running with. Alternatively, the service can be configured with a gridmap file to allow a subset of users (with their own credentials) to invoke the service (please see the service security deployment descriptor for details).
![]() | Note |
|---|---|
This command only works with the standalone container. Please see the Java WS Core Dynamic Deploy Design Document for more information. |
Command syntax
globus-reload-container [options]
Table 26. Common options
| -h, --help |
Displays help information about the command. |
| -d, --debug |
Enables debug mode. For example, full stack traces of errors will be displayed. |
| -e, --eprFile <file> |
Specifies an XML file that contains the WS-Addressing endpoint reference. |
| -s, --service <url> |
Specifies the service URL. |
| -k, --key <name value> |
Specifies the resource key. The name is the QName of the resource key in the string form: {namespaceURI}localPart, while the value is the simple value of the key. For complex keys, use the --eprFile option. Example: -k "{http://www.globus.org}MyKey"
123
|
| -f, --descriptor <file> |
Specifies a client security descriptor. Overrides all other security settings. |
| -a, --anonymous |
Enables anonymous authentication. Only supported with transport security or the GSI Secure Conversation authentication mechanism. |
| -g, --delegation <mode> |
Enables delegation. mode can be either 'limited' or 'full'. Only supported with the GSI Secure Conversation authentication mechanism. |
| -l, --contextLifetime <value> |
Sets the lifetime of the client security context. value is in milliseconds. Only supported with the GSI Secure Conversation authentication mechanism. |
| -m, --securityMech <type> |
Specifies the authentication mechanism. type can be 'msg' for GSI Secure Message, or 'conv' for GSI Secure Conversation. |
| -c, --serverCertificate <file> |
Specifies the server's certificate file used for encryption. Only needed for the GSI Secure Message authentication mechanism. |
| -p, --protection <type> |
Specifies the protection level. type can be 'sig' for signature or 'enc' for encryption. |
| -x, --proxyFilename <value> |
Sets the proxy file to use as client credential. |
| -z, --authorization <type> |
Specifies authorization type. type can be 'self', 'host', 'none', or a string specifying the expected identity of the remote party. |
| -t, --timeout <timeout> |
Specifies client timeout (in seconds). The client will wait maximum of the timeout value for a response from the server before returning an error. By default the timeout value is 10 minutes. |
Example:
$ globus-reload-container
Name
globus-remote-undeploy-gar — Undeploys a GAR file (remotely)
Synopsis
globus-remote-undeploy-gar
Tool description
The globus-remote-undeploy-gar command undeploys a GAR file remotely. It invokes the undeploy() operation on the DeployService running in the remote container. It works just like the globus-undeploy-gar command but the GAR file is undeployed remotely.
By default the DeployService is configured to perform self authorization and therefore the globus-remote-undeploy-gar must be executed with the same credentials as the container it is running with. Alternatively, the service can be configured with a gridmap file to allow a subset of users (with their own credentials) to invoke the service (please see the service security deployment descriptor for details).
![]() | Note |
|---|---|
This command only works with the standalone container. Please see the Java WS Core Dynamic Deploy Design Document for more information. |
Command syntax
globus-remote-undeploy-gar [options] <gar.id>
The <gar.id> is the base name of the GAR file without the .gar extension to undeploy. For example if the GAR file is "foo.gar", then the GAR id is "foo".
Table 27. Common options
| -h, --help |
Displays help information about the command. |
| -d, --debug |
Enables debug mode. For example, full stack traces of errors will be displayed. |
| -e, --eprFile <file> |
Specifies an XML file that contains the WS-Addressing endpoint reference. |
| -s, --service <url> |
Specifies the service URL. |
| -k, --key <name value> |
Specifies the resource key. The name is the QName of the resource key in the string form: {namespaceURI}localPart, while the value is the simple value of the key. For complex keys, use the --eprFile option. Example: -k "{http://www.globus.org}MyKey"
123
|
| -f, --descriptor <file> |
Specifies a client security descriptor. Overrides all other security settings. |
| -a, --anonymous |
Enables anonymous authentication. Only supported with transport security or the GSI Secure Conversation authentication mechanism. |
| -g, --delegation <mode> |
Enables delegation. mode can be either 'limited' or 'full'. Only supported with the GSI Secure Conversation authentication mechanism. |
| -l, --contextLifetime <value> |
Sets the lifetime of the client security context. value is in milliseconds. Only supported with the GSI Secure Conversation authentication mechanism. |
| -m, --securityMech <type> |
Specifies the authentication mechanism. type can be 'msg' for GSI Secure Message, or 'conv' for GSI Secure Conversation. |
| -c, --serverCertificate <file> |
Specifies the server's certificate file used for encryption. Only needed for the GSI Secure Message authentication mechanism. |
| -p, --protection <type> |
Specifies the protection level. type can be 'sig' for signature or 'enc' for encryption. |
| -x, --proxyFilename <value> |
Sets the proxy file to use as client credential. |
| -z, --authorization <type> |
Specifies authorization type. type can be 'self', 'host', 'none', or a string specifying the expected identity of the remote party. |
| -t, --timeout <timeout> |
Specifies client timeout (in seconds). The client will wait maximum of the timeout value for a response from the server before returning an error. By default the timeout value is 10 minutes. |
Example:
$ globus-remote-undeploy-gar globus_wsrf_core_samples_counter
To see what GAR files can be undeployed on the remote container run the following query on the DeployService, for example:
$ wsrf-query -z hostSelf -s https://127.0.0.1:8443/wsrf/services/DeployService
Name
globus-remote-deploy-gar — Deploys a GAR file (remotely)
Synopsis
globus-remote-deploy-gar
Tool description
The globus-remote-deploy-gar command deploys a GAR file remotely. It first transfers the GAR file to the DeployService running in the remote container and then it deploys it using the deploy() operation of the service (the tool can also perform these two operations separately).
By default the DeployService is configured to perform self authorization and therefore the globus-remote-deploy-gar must be executed with the same credentials as the container it is running with. Alternatively, the service can be configured with a gridmap file to allow a subset of users (with their own credentials) to invoke the service (please see the service security deployment descriptor for details).
![]() | Note |
|---|---|
This command only works with the standalone container. Please see the Java WS Core Dynamic Deploy Design Document for more information. |
Command syntax
globus-remote-deploy-gar [options] <gar>
The <gar> can be either an URL or a file location. If a file location is passed to the tool, it will transfer the file to the service via SOAP with Attachments (the upload() function) using the MTOM format. If an URL is passed, the tool will call the download() function of the service, and let the service download the GAR file.
The following are command-specific options in addition to the common options:
Table 28. Command-specific options
| -n, --transfer |
Transfer GAR file only. |
| -y, --deploy |
Deploy GAR file only (assumes the GAR is already transferred to the DeployService. |
| -o, --overwrite |
Overwrite existing deployment. |
| -b, --backup |
Creates backup of existing configuration files |
Table 29. Common options
| -h, --help |
Displays help information about the command. |
| -d, --debug |
Enables debug mode. For example, full stack traces of errors will be displayed. |
| -e, --eprFile <file> |
Specifies an XML file that contains the WS-Addressing endpoint reference. |
| -s, --service <url> |
Specifies the service URL. |
| -k, --key <name value> |
Specifies the resource key. The name is the QName of the resource key in the string form: {namespaceURI}localPart, while the value is the simple value of the key. For complex keys, use the --eprFile option. Example: -k "{http://www.globus.org}MyKey"
123
|
| -f, --descriptor <file> |
Specifies a client security descriptor. Overrides all other security settings. |
| -a, --anonymous |
Enables anonymous authentication. Only supported with transport security or the GSI Secure Conversation authentication mechanism. |
| -g, --delegation <mode> |
Enables delegation. mode can be either 'limited' or 'full'. Only supported with the GSI Secure Conversation authentication mechanism. |
| -l, --contextLifetime <value> |
Sets the lifetime of the client security context. value is in milliseconds. Only supported with the GSI Secure Conversation authentication mechanism. |
| -m, --securityMech <type> |
Specifies the authentication mechanism. type can be 'msg' for GSI Secure Message, or 'conv' for GSI Secure Conversation. |
| -c, --serverCertificate <file> |
Specifies the server's certificate file used for encryption. Only needed for the GSI Secure Message authentication mechanism. |
| -p, --protection <type> |
Specifies the protection level. type can be 'sig' for signature or 'enc' for encryption. |
| -x, --proxyFilename <value> |
Sets the proxy file to use as client credential. |
| -z, --authorization <type> |
Specifies authorization type. type can be 'self', 'host', 'none', or a string specifying the expected identity of the remote party. |
| -t, --timeout <timeout> |
Specifies client timeout (in seconds). The client will wait maximum of the timeout value for a response from the server before returning an error. By default the timeout value is 10 minutes. |
Examples:
$ globus-remote-deploy-gar /tmp/myServie.gar
$ globus-remote-deploy-gar gsiftp://localhost/tmp/myServie.gar
To see what GAR files haven been transfered but not yet deployed on the remote container run the following query on the DeployService, for example:
$ wsrf-query -z hostSelf -s https://127.0.0.1:8443/wsrf/services/DeployService
Name
ws-enumerate-start — Starts an enumeration
Synopsis
ws-enumerate-start
Tool description
Creates a new enumeration context and prints it out to the console.
![]() | Note |
|---|---|
The remote service must support the enumerate operation of the WS-Enumeration specification. |
Command syntax
ws-enumerate-start [options]
Table 30. Common options
| -h, --help |
Displays help information about the command. |
| -d, --debug |
Enables debug mode. For example, full stack traces of errors will be displayed. |
| -e, --eprFile <file> |
Specifies an XML file that contains the WS-Addressing endpoint reference. |
| -s, --service <url> |
Specifies the service URL. |
| -k, --key <name value> |
Specifies the resource key. The name is the QName of the resource key in the string form: {namespaceURI}localPart, while the value is the simple value of the key. For complex keys, use the --eprFile option. Example: -k "{http://www.globus.org}MyKey"
123
|
| -f, --descriptor <file> |
Specifies a client security descriptor. Overrides all other security settings. |
| -a, --anonymous |
Enables anonymous authentication. Only supported with transport security or the GSI Secure Conversation authentication mechanism. |
| -g, --delegation <mode> |
Enables delegation. mode can be either 'limited' or 'full'. Only supported with the GSI Secure Conversation authentication mechanism. |
| -l, --contextLifetime <value> |
Sets the lifetime of the client security context. value is in milliseconds. Only supported with the GSI Secure Conversation authentication mechanism. |
| -m, --securityMech <type> |
Specifies the authentication mechanism. type can be 'msg' for GSI Secure Message, or 'conv' for GSI Secure Conversation. |
| -c, --serverCertificate <file> |
Specifies the server's certificate file used for encryption. Only needed for the GSI Secure Message authentication mechanism. |
| -p, --protection <type> |
Specifies the protection level. type can be 'sig' for signature or 'enc' for encryption. |
| -x, --proxyFilename <value> |
Sets the proxy file to use as client credential. |
| -z, --authorization <type> |
Specifies authorization type. type can be 'self', 'host', 'none', or a string specifying the expected identity of the remote party. |
| -t, --timeout <timeout> |
Specifies client timeout (in seconds). The client will wait maximum of the timeout value for a response from the server before returning an error. By default the timeout value is 10 minutes. |
Example:
$ ws-enumerate-start -s http://localhost:8080/wsrf/services/ContainerRegistryService \
> enum.contextThe created enumeration context will be stored in the enum.context
file which then can be passed to ws-enumerate and
ws-enumerate-end command line clients.
Name
ws-enumerate — Retrieves enumeration data
Synopsis
ws-enumerate
Tool description
Retrieves the next set of enumeration data and prints it out to the console.
![]() | Note |
|---|---|
The remote service must implement the WS-Enumeration specification. |
Command syntax
ws-enumerate [options] <enumContextFile>
The <enumContextFile> is a file that contains the enumeration context.
The following are command-specific options in addition to the common options:
Table 31. Command-specific options
| -i, --items <int> |
Specifies the total number of enumeration items to retrieve. The parameter value can be 'all' to retrieve the all the enumeration data. By default, only one element is retrieved. |
| -r, --maxCharacters <int> |
Specifies the maximum number of characters (in Unicode) of the enumeration data that the client can accept at a time. By default, there is no limit on the size of the elements. |
| -n, --maxElements <int> |
Specifies the maximum number of enumeration items to fetch at a time. By default, one element is retrieved at a time. |
| -o, --maxTime <int> |
Specifies the maximum amount of time (in milliseconds) in which the enumeration data must be assembled. By default, there is no time limit. |
Table 32. Common options
| -h, --help |
Displays help information about the command. |
| -d, --debug |
Enables debug mode. For example, full stack traces of errors will be displayed. |
| -e, --eprFile <file> |
Specifies an XML file that contains the WS-Addressing endpoint reference. |
| -s, --service <url> |
Specifies the service URL. |
| -k, --key <name value> |
Specifies the resource key. The name is the QName of the resource key in the string form: {namespaceURI}localPart, while the value is the simple value of the key. For complex keys, use the --eprFile option. Example: -k "{http://www.globus.org}MyKey"
123
|
| -f, --descriptor <file> |
Specifies a client security descriptor. Overrides all other security settings. |
| -a, --anonymous |
Enables anonymous authentication. Only supported with transport security or the GSI Secure Conversation authentication mechanism. |
| -g, --delegation <mode> |
Enables delegation. mode can be either 'limited' or 'full'. Only supported with the GSI Secure Conversation authentication mechanism. |
| -l, --contextLifetime <value> |
Sets the lifetime of the client security context. value is in milliseconds. Only supported with the GSI Secure Conversation authentication mechanism. |
| -m, --securityMech <type> |
Specifies the authentication mechanism. type can be 'msg' for GSI Secure Message, or 'conv' for GSI Secure Conversation. |
| -c, --serverCertificate <file> |
Specifies the server's certificate file used for encryption. Only needed for the GSI Secure Message authentication mechanism. |
| -p, --protection <type> |
Specifies the protection level. type can be 'sig' for signature or 'enc' for encryption. |
| -x, --proxyFilename <value> |
Sets the proxy file to use as client credential. |
| -z, --authorization <type> |
Specifies authorization type. type can be 'self', 'host', 'none', or a string specifying the expected identity of the remote party. |
| -t, --timeout <timeout> |
Specifies client timeout (in seconds). The client will wait maximum of the timeout value for a response from the server before returning an error. By default the timeout value is 10 minutes. |
Example:
$ ws-enumerate -s http://localhost:8080/wsrf/services/ContainerRegistryService \ -i 10
-n 5 enum.contextThis command will display 10 elements of the enumeration data obtaining 5 elements at a time from the service.
Name
ws-enumerate-end — Stops an enumeration
Synopsis
ws-enumerate-end
Tool description
Releases an enumeration context.
![]() | Note |
|---|---|
The remote service must implement the WS-Enumeration specification. |
Command syntax
ws-enumerate-end [options] <enumContextFile>
The <enumContextFile> is a file that contains the enumeration context.
Table 33. Common options
| -h, --help |
Displays help information about the command. |
| -d, --debug |
Enables debug mode. For example, full stack traces of errors will be displayed. |
| -e, --eprFile <file> |
Specifies an XML file that contains the WS-Addressing endpoint reference. |
| -s, --service <url> |
Specifies the service URL. |
| -k, --key <name value> |
Specifies the resource key. The name is the QName of the resource key in the string form: {namespaceURI}localPart, while the value is the simple value of the key. For complex keys, use the --eprFile option. Example: -k "{http://www.globus.org}MyKey"
123
|
| -f, --descriptor <file> |
Specifies a client security descriptor. Overrides all other security settings. |
| -a, --anonymous |
Enables anonymous authentication. Only supported with transport security or the GSI Secure Conversation authentication mechanism. |
| -g, --delegation <mode> |
Enables delegation. mode can be either 'limited' or 'full'. Only supported with the GSI Secure Conversation authentication mechanism. |
| -l, --contextLifetime <value> |
Sets the lifetime of the client security context. value is in milliseconds. Only supported with the GSI Secure Conversation authentication mechanism. |
| -m, --securityMech <type> |
Specifies the authentication mechanism. type can be 'msg' for GSI Secure Message, or 'conv' for GSI Secure Conversation. |
| -c, --serverCertificate <file> |
Specifies the server's certificate file used for encryption. Only needed for the GSI Secure Message authentication mechanism. |
| -p, --protection <type> |
Specifies the protection level. type can be 'sig' for signature or 'enc' for encryption. |
| -x, --proxyFilename <value> |
Sets the proxy file to use as client credential. |
| -z, --authorization <type> |
Specifies authorization type. type can be 'self', 'host', 'none', or a string specifying the expected identity of the remote party. |
| -t, --timeout <timeout> |
Specifies client timeout (in seconds). The client will wait maximum of the timeout value for a response from the server before returning an error. By default the timeout value is 10 minutes. |
Example:
$ ws-enumerate-end -s http://localhost:8080/wsrf/services/ContainerRegistryService \
enum.contextName
globus-xpath-query — Performs XPath query on a resource property document
Synopsis
globus-xpath-query
Tool description
The globus-xpath-query uses a custom query dialect implementation
called TargetedXPath to query the resource property document of
a resource. Please see the querying resource properties using XPath section
for more details.
Command syntax
globus-xpath-query [options] [query expression] [rpQName]
The query expression is an XPath expression. The rpQName is a resource property QName. If a resource property is specified only that resource property within the resource property document will be queried. Otherwise, the entire resource property document will be queried. By default, a simple XPath query is assumed that returns the entire resource property document.
Table 34. Command-specific options
| -n, --nsMapFile <file> |
Specifies a file that contains namespace mappings. By default, the
|
| -u, --enumerate |
Enumerate the query results. The query response will contain an enumeration context through which the actual query results can be obtained. The returned enumeration context can be used with the ws-enumerate command line tool. Also, please note that by default the enumeration context will expire in 30 minutes. |
Table 35. Common options
| -h, --help |
Displays help information about the command. |
| -d, --debug |
Enables debug mode. For example, full stack traces of errors will be displayed. |
| -e, --eprFile <file> |
Specifies an XML file that contains the WS-Addressing endpoint reference. |
| -s, --service <url> |
Specifies the service URL. |
| -k, --key <name value> |
Specifies the resource key. The name is the QName of the resource key in the string form: {namespaceURI}localPart, while the value is the simple value of the key. For complex keys, use the --eprFile option. Example: -k "{http://www.globus.org}MyKey"
123
|
| -f, --descriptor <file> |
Specifies a client security descriptor. Overrides all other security settings. |
| -a, --anonymous |
Enables anonymous authentication. Only supported with transport security or the GSI Secure Conversation authentication mechanism. |
| -g, --delegation <mode> |
Enables delegation. mode can be either 'limited' or 'full'. Only supported with the GSI Secure Conversation authentication mechanism. |
| -l, --contextLifetime <value> |
Sets the lifetime of the client security context. value is in milliseconds. Only supported with the GSI Secure Conversation authentication mechanism. |
| -m, --securityMech <type> |
Specifies the authentication mechanism. type can be 'msg' for GSI Secure Message, or 'conv' for GSI Secure Conversation. |
| -c, --serverCertificate <file> |
Specifies the server's certificate file used for encryption. Only needed for the GSI Secure Message authentication mechanism. |
| -p, --protection <type> |
Specifies the protection level. type can be 'sig' for signature or 'enc' for encryption. |
| -x, --proxyFilename <value> |
Sets the proxy file to use as client credential. |
| -z, --authorization <type> |
Specifies authorization type. type can be 'self', 'host', 'none', or a string specifying the expected identity of the remote party. |
| -t, --timeout <timeout> |
Specifies client timeout (in seconds). The client will wait maximum of the timeout value for a response from the server before returning an error. By default the timeout value is 10 minutes. |
Examples:
$ globus-xpath-query -s http://localhost:8080/wsrf/services/ContainerRegistryService \
"//wssg:MemberServiceEPR/wsa:Address"The above command will query the entire resource property document of the service.
$ globus-xpath-query -s http://localhost:8080/wsrf/services/ContainerRegistryService \
"//wssg:MemberServiceEPR/wsa:Address" wssg:EntryThe above command will query only the wssg:Entry resource
property of the resource property document of the service.
$ globus-xpath-query -s http://localhost:8080/wsrf/services/ContainerRegistryService \
-u "//wssg:MemberServiceEPR/wsa:Address" > enum.context $ ws-enumerate
-s http://localhost:8080/wsrf/services/ContainerRegistryService \ -i all enum.contextThe first command will create an enumeration for the query results and store the returned enumeration context in a file. The second command will use the enumeration context stored in that file to retrieve the actual query results.
Name
Common Java Client Options — list of common options across commands
Common Java Client Options
Table 36. Common options
| -h, --help |
Displays help information about the command. |
| -d, --debug |
Enables debug mode. For example, full stack traces of errors will be displayed. |
| -e, --eprFile <file> |
Specifies an XML file that contains the WS-Addressing endpoint reference. |
| -s, --service <url> |
Specifies the service URL. |
| -k, --key <name value> |
Specifies the resource key. The name is the QName of the resource key in the string form: {namespaceURI}localPart, while the value is the simple value of the key. For complex keys, use the --eprFile option. Example: -k "{http://www.globus.org}MyKey"
123
|
| -f, --descriptor <file> |
Specifies a client security descriptor. Overrides all other security settings. |
| -a, --anonymous |
Enables anonymous authentication. Only supported with transport security or the GSI Secure Conversation authentication mechanism. |
| -g, --delegation <mode> |
Enables delegation. mode can be either 'limited' or 'full'. Only supported with the GSI Secure Conversation authentication mechanism. |
| -l, --contextLifetime <value> |
Sets the lifetime of the client security context. value is in milliseconds. Only supported with the GSI Secure Conversation authentication mechanism. |
| -m, --securityMech <type> |
Specifies the authentication mechanism. type can be 'msg' for GSI Secure Message, or 'conv' for GSI Secure Conversation. |
| -c, --serverCertificate <file> |
Specifies the server's certificate file used for encryption. Only needed for the GSI Secure Message authentication mechanism. |
| -p, --protection <type> |
Specifies the protection level. type can be 'sig' for signature or 'enc' for encryption. |
| -x, --proxyFilename <value> |
Sets the proxy file to use as client credential. |
| -z, --authorization <type> |
Specifies authorization type. type can be 'self', 'host', 'none', or a string specifying the expected identity of the remote party. |
| -t, --timeout <timeout> |
Specifies client timeout (in seconds). The client will wait maximum of the timeout value for a response from the server before returning an error. By default the timeout value is 10 minutes. |
Table of Contents
- globus-wsc-container - Host C web services
- globus-wsrf-cgen - Generate Stubs/Skeletons in C
- globus-wsrf-destroy - Set the scheduled termination time for a WSRF resource.
- globus-wsrf-set-termination-time - Set the scheduled termination time for a WSRF resource.
- globus-wsrf-query - Query a WSRF resource's Resource Property document
- globus-wsrf-get-property - Get a resource property's value
- globus-wsrf-get-properties - Get multiple resource property value
- globus-wsrf-insert-property - Insert a resource property value
- globus-wsrf-update-property - Update a resource property value
- globus-wsrf-delete-property - Delete a resource property
- globus-wsn-get-current-message - Get the current message associated with a specified topic
- globus-wsn-pause-subscription - Pause a WSRF notification subscription.
- globus-wsn-resume-subscription - Resume a WSRF notification subscription.
- globus-wsn-subscribe - Subscribe for notification for a specified topic.
Name
globus-wsc-container — Host C web services
Synopsis
globus-wsc-container [-help] [-usage] [-version]
[-bg] [-pidfile PID]
[-max MAX-SESSIONS]
[-port PORT]
[-log LOGPATH]
[-nosec]
Description
The globus-wsc-container is a stand-alone SOAP service hosting container. It listens for SOAP / HTTP operation requests on a network port and dispatches those to dynamically loaded service modules. By default, globus-wsc-container will process SOAP messages until it receives a SIGINT or SIGTERM signal. In interactive usage, it typically runs until the user enters Ctrl+C on the keyboard.
The full set of command-line options to globus-wsc-container are:
| -help | Display a help message and exit |
| -usage | Display a short usage message and exit |
| -version | Display the program version and exit |
| -bg | Run the program as a daemon |
-pid PIDFILE | Write the process ID of the program to PIDFILE |
-max MAX-SESSIONS | Allow at most MAX-SESSIONS concurrent sessions to be processed by the program |
-port PORT | Listen for SOAP/HTTP(s) connections on TCP port PORT |
-log LOGPATH | Log container information to LOGPATH |
| -nosec | Disable TLS |
By default, the globus-wsc-container program picks an
anonymous TCP port within values specified by the GLOBUS_TCP_PORT_RANGE
environment variable, if present. To choose a specific port to listen on,
pass the option -port PORT on the command-line of the process.
The globus-wsc-container program can also be run
in the background as a daemon. This is done by passing the -bg
command-line option. This can be combined with the -pidfile PID
option to run in the background and record the PID of the process in a file,
so that the daemon can be easily terminated.
By default, the container uses
TLS for SOAP
requests over https. This can be disabled to use unprotected http by passing
the -nosec command-line option to this program. Message-level
security may be enabled on a per-service basis if this is used.
To enable CEDPs "best practices" logging, pass the -log LOGPATH
option to the container. The log file will contain name=value pairs for all
events that the container processes.
By default the container will accept as many SOAP connections as the operating
system will allow. To throttle the number of outstanding connections that can
be processed in parallel, use the -max MAX-SESSIONS
command-line option.
Services
The container looks for services in dynamic modules located in the
directory.
The Globus Toolkit ships with a number of sample services, test services, and
implementations of the core
WSRF services
for implementing Resource Properties, Resource Lifetime, Service Groups, and
Notifications. The globus-wsrf-cgen command
parses WSDL
schemas and generates service skeletons which can be used to implement
additional web services.
$GLOBUS_LOCATION/lib/globus_service_modules
Examples
Start a container in the foreground on port 8443:
%globus-wsc-container-port 8443Contact: https://grid.example.org:8443/
Star a container as a daemon on an anonymous port, with a maximum of 64 parallel sessions, recording the port number to a file and logging to another file.
%globus-wsc-container \-bg\-pidfile\$GLOBUS_LOCATION/var/globus-wsc-container.pid-log\$GLOBUS_LOCATION/var/globus-wsc-container.log-max 64>$GLOBUS_LOCATION/var/globus-wsc-container.contact%cat$GLOBUS_LOCATION/var/globus-wsc-container.contactContact: https://grid.example.org:18332/%cat$GLOBUS_LOCATION/var/globus-wsc-container.logts=2008-06-19T22:43:21.645807Z id=21475 event=globus_service_engine.start engine_id=40235 contact=https://grid.example.org:18332/
Name
globus-wsrf-cgen — Generate Stubs/Skeletons in C
Synopsis
globus-wsrf-cgen [-help] [-dr]
[-s PACKAGE-NAME] [-sn SERVICE-NAME] [-d DIRECTORY] [-flavor FLAVOR] [-lang [ c | cpp ]]
[-p PREFIX-MAP-FILE] [-P NAMESPACE=PREFIX]
[-n NAMESPACE-FILE] [-N NAMESPACE]
[-g NAMESPACE-FILE] [-G NAMESPACE] [-gg]
[-np] [-nb] [-nk] [-ns] [-nc] [-no-sources] [-nt] [-nf FUNCTION]
[-extra-cppflags CPPFLAGS] [-extra-ldflags LDFLAGS] [-extra-libs LIBS]
SCHEMA-FILENAME...
Description
The globus-wsrf-cgen tool generates C-language bindings from
WSDL and XML Schema files. The input SCHEMA-FILENAME
value should be either a WSDL document containing a service description or an
XML schema file containing type definitions.
If a WSDL Schema file is specified as input, globus-wsrf-cgen generates a GPT source package containing client stubs, service skeleton and stubs, and type bindings for included schema types. If an XML Schema file is specified as input, it generates a GPT source package containing type bindings. A full description of the generated files is part of the WSDL to C mapping document.
The full set of command-line options to globus-wsrf-cgen are:
| -help | Display a help message and exit |
| -dr | Dry-run: parse the command-line options and display the command-line arguments to the globus-wsdl-parser program. |
-s PACKAGE-NAME | Use PACKAGE-NAME_bindings as
the name for the generated GPT package |
-sn SERVICE-NAME | Use SERVICE-NAME as the
name of the service instead of the name in the WSDL schema
document. |
-d DIRECTORY | Generate the GPT source package in
DIRECTORY, creating it if does not
exist. |
-flavor FLAVOR | Build the package using the FLAVOR
GPT flavor |
-lang LANG | Create the service implementation file with the extension
matching LANG, either "c" or "cpp".
See the limitations section
for more details. |
-p PREFIX-MAP-FILE | Use the contents of
PREFIX-MAP-FILE to define the
set of strings to prepend to elements, attributes, and types
in various XML namespaces.
See the
namespace handling section of this document for more
details. |
-P NAMESPACE=PREFIX | Prepend element, attribute, and type names in the XML
namespace NAMESPACE
with the string PREFIX.
See the
namespace handling section of this document for more
details. |
-n NAMESPACE-FILE | Generate bindings for schemas in the XML namespaces
contained in the NAMESPACE-FILE.
See the
namespace handling section of this document for more
details. |
-N NAMESPACE | Generate bindings for schemas in the XML namespace
NAMESPACE.
See the
namespace handling section of this document for more
details. |
-g NAMESPACE-FILE | Do not generate bindings for schemas in the XML namespaces
contained in the NAMESPACE-FILE.
See the
namespace handling section of this document for more
details. |
-G NAMESPACE | Do not generate bindings for schemas in the XML namespace
NAMESPACE.
See the
namespace handling section of this document for more
details. |
| -gg | Do not generate bindings for core WSRF namespaces. (Used internally only) |
| -np | Do not generate a GPT package. Only create source files from the schemas. Implies -nb. |
| -nb | Do not attempt to run configure and make dist on the generated GPT source package. |
| -nk | Do not generate a skeleton service implementation. Used in Makefiles for packages that want to generate the types at build time, but already contain a full implementation of the service. |
| -ns | Do not generate service bindings and skeletons. Useful for creating types- or client-only packages. |
| -nc | Do not generate client bindings. Useful for creating types- or service-only packages. |
| -nt | Do not generate type bindings. Useful for creating separate service or client bindings that depend on a common types package. |
| -no-sources | Delay generating C source files until the package is built. By default the package Makefile contains a list of source files. This option delays the creation of the files and the list until build time. This can be used to avoid storing dynamic files in a version control system. |
-nf FUNCTION | Do not generate an implementation of
FUNCTION. This is useful if extra
semantic information is needed to serialize or deserialize
a particular data type (for example, the wsnt:TopicExpressionType
requires different processing based on the value of the Dialect
|
-extra-cppflags CPPFLAGS | Add CPPFLAGS to the preprocessor
command-line for this package. |
-extra-ldflags LDFLAGS | Add LDFLAGS to the linker
command-line for this package. |
-extra-libs LIBS | Add LIBS to the libraries to
link with this package. |
Namespace Handling
XML and WSDL schemas generally contain a
targetNamespace attribute which distinguishes
operations, elements, attributes, type, etc from others with the same name.
The C language does not define namespaces.
globus-wsrf-cgen instead uses prefixes to distinguish
similarly-named data types and functions. There are two ways to define
a namespace prefix with globus-wsrf-cgen. The
-P command-line option defines a single namespace prefix,
and the -p command-line option instructs
globus-wsrf-cgen to load a set of prefix definitions
from a file (one per line).
For example, consider the namepace http://counter.com
from the sample CounterService. In the schema for that service, there is
an element named Value. the command-line option
-P http://counter.com=counter_ will cause
globus-wsrf-cgen to generate bindings for that element
with the name counter_Value.
If a service is built from several namespaces it might make sense
instead to use the -P parameter instead. Using the same
service as the previous example, we could instead create a file containing
http://counter.com=counter_ http://another.counter.com=another_counter_
to generate C prefixes for multiple namespaces.
A service may be composed of operations and data types from multiple namespaces. By default globus-wsrf-cgen generates bindings for all namespaces except those used by the core WSRF specifications. These are (along with their C prefixes):
Table 37. WSRF Core Namespaces and C Prefixes
| http://www.w3.org/XML/1998/namespace | xml_ |
| http://www.w3.org/2001/XMLSchema | xsd_ |
| http://www.w3.org/2005/08/addressing | wsa_ |
| http://docs.oasis-open.org/wsrf/r-2 | wsr_ |
| http://docs.oasis-open.org/wsrf/rw-2 | wsrw_ |
| http://docs.oasis-open.org/wsrf/bf-2 | wsbf_ |
| http://docs.oasis-open.org/wsrf/rp-2 | wsrp_ |
| http://docs.oasis-open.org/wsrf/rpw-2 | wsrpw_ |
| http://docs.oasis-open.org/wsrf/rl-2 | wsrl_ |
| http://docs.oasis-open.org/wsrf/rlw-2 | wsrlw_ |
| http://docs.oasis-open.org/wsrf/sg-2 | wssg_ |
| http://docs.oasis-open.org/wsrf/sgw-2 | wssgw_ |
| http://docs.oasis-open.org/wsn/b-2 | wsnt_ |
| http://docs.oasis-open.org/wsn/bw-2 | wsntw_ |
| http://docs.oasis-open.org/wsn/t-1 | wstop_ |
| http://schemas.xmlsoap.org/ws/2002/12/policy | wsp_ |
| http://schemas.xmlsoap.org/ws/2002/07/utility | wsu_ |
| http://schemas.xmlsoap.org/ws/2004/04/trust | wst_ |
| http://www.w3.org/2000/09/xmldsig# | ds_ |
| http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd | wsse_ |
| http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd | wsseu_ |
| http://schemas.xmlsoap.org/ws/2004/04/sc | wsc_ |
| http://schemas.xmlsoap.org/ws/2004/09/enumeration | wsen_ |
Often it is enough for a package to contain bindings for
the namespaces unique to the service and compile against other packages
which contain the bindings for the other namespaces. This control can
be done positively via the -N and
-n command-line options.
For example, to generate bindings for the
http://counter.com namespace only,
pass the command-line option -N http://counter.com. To
generate for both the http://counter.com nd
http://another.counter.com namespaces, either pass
multiple -N options with one namespace each, or create
a file containing:
http://counter.com http://another.counter.com
and pass the name of the file to globus-wsrf-cgen as the parameter to the
-n command-line option.
Examples
Here is a brief example of the globus-wsrf-cgen command. For more details, see the tutorials in the C WS Core developer documentation.
Create bindings for a service in the http://counter.com namespace:
%globus-wsrf-cgen-d counter\-N http://counter.com\-s counter\-P http://counter.com=counter_\$GLOBUS_LOCATION/share/schemas/core/samples/counter_service.wsdlCreating Bindings Package A new package has been created at /home/griduser/counter/counter_bindings-1.2.tar.gz To install, use the following command: $GLOBUS_LOCATION/sbin/gpt-build /Users/bester/tmp/foo/counter/counter_bindings-1.2.tar.gz <flavor>%
Limitations
- This program only generates bindings from document/literal style WSDL schemas. IBM developerworks has an article describing the different WSDL schema styles.
-
The bindings generated when
-lang cppis used are ANSI-C. However, all C++ keywords are avoided and no constructs that differ between C and C++ are used. This command-line option merely creates a makefile which compiles the service implementation with the C++ compiler. - Not all XML Schema constructs are supported. In particular, abstract types, substitution groups, and nested sequences are not implemented.
Name
globus-wsrf-destroy — Set the scheduled termination time for a WSRF resource.
Synopsis
globus-wsrf-destroy [OPTIONS]... SERVICE-SPECIFIER
Command syntax
globus-wsrf-destroy [OPTIONS]... SERVICE-SPECIFIER
Table 38. Common options
| -a | --anonymous |
Use anonymous authentication. Requires either -m 'conv' or transport (https) security. |
| -d, --debug |
Enables debug mode. In debug mode, all SOAP messages will be displayed to stderr and full WSRF Fault messages will be displayed. |
| -e | --eprFile FILENAME |
Load service EPR from FILENAME. This EPR is used to contact the WSRF service. |
| -h | --help |
Displays help information about the command. |
| -k | --key KEYNAME VALUE |
Set resource key in the service EPR to be named KEYNAME with VALUE as its value. This can be combined with -s to construct an EPR without having an xml file on hand. The KEYNAME is a QName string in the format {namespaceURI}localPart. while the VALUE is a literal string to place in the element. For example, the option -k '{http://www.globus.org}MyKey' 128 would be rendered as <MyKey xmlns="http://www.globus.org">128</MyKey> |
| -m, --securityMech TYPE |
Set authentication mechanism. TYPE is one of msg for WS-SecureMessage or conv for WS-SecureConversation. |
| -p, --protection LEVEL |
Set message protection level. LEVEL is one of sig for digital signature or enc for encryption. The default is 'sig'. |
| -s | --service ENDPOINT |
Set ENDPOINT the service URL to use. Will be composed with the -k parameter if present to add ReferenceProperties to the ENDPOINT |
| -t | --timeout SECONDS |
Set client timeout to SECONDS. |
| -u | --usage |
Print short usage message. |
| -V | --version |
Show version information and exit. |
| -v | --certKeyFiles CERTIFICATE-FILENAME KEY-FILENAME |
Use credentials located in CERTIFICATE-FILENAME and KEY-FILENAME. The key file must be unencrypted. |
| -x | --proxyFilename FILENAME |
Use proxy credentials located in FILENAME. |
| -z | --authorization TYPE |
Set authorization mode. TYPE can be self, host, none, or a string specifying the identity of the remote party. The default is self. |
| --versions |
Show version information for all loaded modules and exit. |
SERVICE-SPECIFIER: [-s URI [-k KEY VALUE] | -e FILENAME]
Examples:
%globus-wsrf-destroy-e widget.eprResource destroyed
Contents of widget.epr:
<ns01:EndpointReference xmlns:ns01="http://schemas.xmlsoap.org/ws/2004/03/addressing">
<ns01:Address>http://globus.my.org:8080/wsrf/services/WidgetService</ns01:Address>
<ns01:ReferenceProperties>
<ResourceID xmlns:ns02="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns03="http://www.w3.org/2001/XMLSchema" ns02:type="ns03:string">7f554f7c-efd9-11da-97a5-00096b86f788</ResourceID>
</ns01:ReferenceProperties>
</ns01:EndpointReference>
Name
globus-wsrf-set-termination-time — Set the scheduled termination time for a WSRF resource.
Synopsis
globus-wsrf-set-termination-time [OPTIONS]... SERVICE-SPECIFIER TERMINATION-TIME
Command syntax
globus-wsrf-set-termination-time [OPTIONS]... SERVICE-SPECIFIER TERMINATION-TIME
Table 39. Common options
| -a | --anonymous |
Use anonymous authentication. Requires either -m 'conv' or transport (https) security. |
| -d, --debug |
Enables debug mode. In debug mode, all SOAP messages will be displayed to stderr and full WSRF Fault messages will be displayed. |
| -e | --eprFile FILENAME |
Load service EPR from FILENAME. This EPR is used to contact the WSRF service. |
| -h | --help |
Displays help information about the command. |
| -k | --key KEYNAME VALUE |
Set resource key in the service EPR to be named KEYNAME with VALUE as its value. This can be combined with -s to construct an EPR without having an xml file on hand. The KEYNAME is a QName string in the format {namespaceURI}localPart. while the VALUE is a literal string to place in the element. For example, the option -k '{http://www.globus.org}MyKey' 128 would be rendered as <MyKey xmlns="http://www.globus.org">128</MyKey> |
| -m, --securityMech TYPE |
Set authentication mechanism. TYPE is one of msg for WS-SecureMessage or conv for WS-SecureConversation. |
| -p, --protection LEVEL |
Set message protection level. LEVEL is one of sig for digital signature or enc for encryption. The default is 'sig'. |
| -s | --service ENDPOINT |
Set ENDPOINT the service URL to use. Will be composed with the -k parameter if present to add ReferenceProperties to the ENDPOINT |
| -t | --timeout SECONDS |
Set client timeout to SECONDS. |
| -u | --usage |
Print short usage message. |
| -V | --version |
Show version information and exit. |
| -v | --certKeyFiles CERTIFICATE-FILENAME KEY-FILENAME |
Use credentials located in CERTIFICATE-FILENAME and KEY-FILENAME. The key file must be unencrypted. |
| -x | --proxyFilename FILENAME |
Use proxy credentials located in FILENAME. |
| -z | --authorization TYPE |
Set authorization mode. TYPE can be self, host, none, or a string specifying the identity of the remote party. The default is self. |
| --versions |
Show version information for all loaded modules and exit. |
SERVICE-SPECIFIER: [-s URI [-k KEY VALUE] | -e FILENAME]
TERMINATION-TERMINATION: [SECONDS | 'infinity']
Examples:
% globus-wsrf-set-termination-time -e widget.epr `expr 24 \* 60 \* 60`
Termination time set to 2006-05-31T20:18:43Z
Contents of widget.epr:
<ns01:EndpointReference xmlns:ns01="http://schemas.xmlsoap.org/ws/2004/03/addressing">
<ns01:Address>http://globus.my.org:8080/wsrf/services/WidgetService</ns01:Address>
<ns01:ReferenceProperties>
<ResourceID xmlns:ns02="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns03="http://www.w3.org/2001/XMLSchema" ns02:type="ns03:string">7f554f7c-efd9-11da-97a5-00096b86f788</ResourceID>
</ns01:ReferenceProperties>
</ns01:EndpointReference>
Output and Exit Code
If the termination time is set successfully, the string
Termination time set to YYYY-MM-DD-THH:MM:SS[.MSEC]Z
will be displayed to stdout and the program will
terminate with exit code 0. In the case of an error, the
type of error will be displayed to stderr and
the program will terminate with a non-0 exit code.
Name
globus-wsrf-query — Query a WSRF resource's Resource Property document
Synopsis
globus-wsrf-query [OPTIONS]... SERVICE-SPECIFIER QUERY-EXPRESSION
Command syntax
globus-wsrf-query [OPTIONS]... SERVICE-SPECIFIER QUERY-EXPRESSION
Table 40. Application-specific options
| -n | ----nsMapFile FILENAME. |
Use the namespace map entries in FILENAME in the XPATH context. |
| -N | --namespace PREFIX=NAMESPACE-URI |
Create a namespace mapping in the XPATH context for the PREFIX string to resolve to the NAMESPACE-URI namespace. |
| -D | --dialect DIALECT-URI |
Set query dialect to DIALECT-URI. The value targeted will be interpreted as http://wsrf.globus.org/core/query/targetedXPath (default: http://www.w3.org/TR/1999/REC-xpath-19991116). |
Table 41. Common options
| -a | --anonymous |
Use anonymous authentication. Requires either -m 'conv' or transport (https) security. |
| -d, --debug |
Enables debug mode. In debug mode, all SOAP messages will be displayed to stderr and full WSRF Fault messages will be displayed. |
| -e | --eprFile FILENAME |
Load service EPR from FILENAME. This EPR is used to contact the WSRF service. |
| -h | --help |
Displays help information about the command. |
| -k | --key KEYNAME VALUE |
Set resource key in the service EPR to be named KEYNAME with VALUE as its value. This can be combined with -s to construct an EPR without having an xml file on hand. The KEYNAME is a QName string in the format {namespaceURI}localPart. while the VALUE is a literal string to place in the element. For example, the option -k '{http://www.globus.org}MyKey' 128 would be rendered as <MyKey xmlns="http://www.globus.org">128</MyKey> |
| -m, --securityMech TYPE |
Set authentication mechanism. TYPE is one of msg for WS-SecureMessage or conv for WS-SecureConversation. |
| -p, --protection LEVEL |
Set message protection level. LEVEL is one of sig for digital signature or enc for encryption. The default is 'sig'. |
| -s | --service ENDPOINT |
Set ENDPOINT the service URL to use. Will be composed with the -k parameter if present to add ReferenceProperties to the ENDPOINT |
| -t | --timeout SECONDS |
Set client timeout to SECONDS. |
| -u | --usage |
Print short usage message. |
| -V | --version |
Show version information and exit. |
| -v | --certKeyFiles CERTIFICATE-FILENAME KEY-FILENAME |
Use credentials located in CERTIFICATE-FILENAME and KEY-FILENAME. The key file must be unencrypted. |
| -x | --proxyFilename FILENAME |
Use proxy credentials located in FILENAME. |
| -z | --authorization TYPE |
Set authorization mode. TYPE can be self, host, none, or a string specifying the identity of the remote party. The default is self. |
| --versions |
Show version information for all loaded modules and exit. |
SERVICE-SPECIFIER: [-s URI [-k KEY VALUE] | -e FILENAME]
QUERY-EXPRESSION: XPath-Expression-String
Examples:
%globus-wsrf-query -e widget.epr "//*[local-name() = 'CurrentTime']"<ns02:CurrentTime xmlns:ns00="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns01="http://www.w3.org/2001/XMLSchema" xmlns:ns02="http://docs.oasis-open.org/wsrf/2004/06/wsrf-WS-ResourceLifetime-1.2-draft-01.xsd" ns00:type="ns01:dateTime">2006-05-30T13:53:15Z</ns02:CurrentTime>
%globus-wsrf-query -e widget.epr "//*[local-name() = 'CurrentTime']/text()"2006-05-30T13:53:35Z
%globus-wsrf-query -e widget.epr \ -N wsrl=http://docs.oasis-open.org/wsrf/2004/06/wsrf-WS-ResourceLifetime-1.2-draft-01.xsd \ "//wsrl:CurrentTime/text()"2006-05-30T13:54:36Z
Contents of widget.epr:
<ns01:EndpointReference xmlns:ns01="http://schemas.xmlsoap.org/ws/2004/03/addressing">
<ns01:Address>http://globus.my.org:8080/wsrf/services/WidgetService</ns01:Address>
<ns01:ReferenceProperties>
<ResourceID xmlns:ns02="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns03="http://www.w3.org/2001/XMLSchema" ns02:type="ns03:string">7f554f7c-efd9-11da-97a5-00096b86f788</ResourceID>
</ns01:ReferenceProperties>
</ns01:EndpointReference>Name
globus-wsrf-get-property — Get a resource property's value
Synopsis
globus-wsrf-get-property [OPTIONS]... SERVICE-SPECIFIER PROPERTY-NAME
Command syntax
globus-wsrf-get-property [OPTIONS]... SERVICE-SPECIFIER PROPERTY-NAME
Table 42. Common options
| -a | --anonymous |
Use anonymous authentication. Requires either -m 'conv' or transport (https) security. |
| -d, --debug |
Enables debug mode. In debug mode, all SOAP messages will be displayed to stderr and full WSRF Fault messages will be displayed. |
| -e | --eprFile FILENAME |
Load service EPR from FILENAME. This EPR is used to contact the WSRF service. |
| -h | --help |
Displays help information about the command. |
| -k | --key KEYNAME VALUE |
Set resource key in the service EPR to be named KEYNAME with VALUE as its value. This can be combined with -s to construct an EPR without having an xml file on hand. The KEYNAME is a QName string in the format {namespaceURI}localPart. while the VALUE is a literal string to place in the element. For example, the option -k '{http://www.globus.org}MyKey' 128 would be rendered as <MyKey xmlns="http://www.globus.org">128</MyKey> |
| -m, --securityMech TYPE |
Set authentication mechanism. TYPE is one of msg for WS-SecureMessage or conv for WS-SecureConversation. |
| -p, --protection LEVEL |
Set message protection level. LEVEL is one of sig for digital signature or enc for encryption. The default is 'sig'. |
| -s | --service ENDPOINT |
Set ENDPOINT the service URL to use. Will be composed with the -k parameter if present to add ReferenceProperties to the ENDPOINT |
| -t | --timeout SECONDS |
Set client timeout to SECONDS. |
| -u | --usage |
Print short usage message. |
| -V | --version |
Show version information and exit. |
| -v | --certKeyFiles CERTIFICATE-FILENAME KEY-FILENAME |
Use credentials located in CERTIFICATE-FILENAME and KEY-FILENAME. The key file must be unencrypted. |
| -x | --proxyFilename FILENAME |
Use proxy credentials located in FILENAME. |
| -z | --authorization TYPE |
Set authorization mode. TYPE can be self, host, none, or a string specifying the identity of the remote party. The default is self. |
| --versions |
Show version information for all loaded modules and exit. |
SERVICE-SPECIFIER: [-s URI [-k KEY VALUE] | -e FILENAME]
PROPERTY-NAME: [{Namespace-URI}]Property-Name
Example:
%globus-wsrf-get-property -e widget.epr \ '{http://docs.oasis-open.org/wsrf/2004/06/wsrf-WS-ResourceLifetime-1.2-draft-01.xsd}CurrentTime'<ns02:CurrentTime xmlns:ns00="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns01="http://www.w3.org/2001/XMLSchema" xmlns:ns02="http://docs.oasis-open.org/wsrf/2004/06/wsrf-WS-ResourceLifetime-1.2-draft-01.xsd" ns00:type="ns01:dateTime">2006-05-30T14:26:35Z</ns02:CurrentTime>
Name
globus-wsrf-get-properties — Get multiple resource property value
Synopsis
globus-wsrf-get-properties [OPTIONS]... SERVICE-SPECIFIER PROPERTY-NAME...
Command syntax
globus-wsrf-get-properties [OPTIONS]... SERVICE-SPECIFIER PROPERTY-NAME...
Table 43. Common options
| -a | --anonymous |
Use anonymous authentication. Requires either -m 'conv' or transport (https) security. |
| -d, --debug |
Enables debug mode. In debug mode, all SOAP messages will be displayed to stderr and full WSRF Fault messages will be displayed. |
| -e | --eprFile FILENAME |
Load service EPR from FILENAME. This EPR is used to contact the WSRF service. |
| -h | --help |
Displays help information about the command. |
| -k | --key KEYNAME VALUE |
Set resource key in the service EPR to be named KEYNAME with VALUE as its value. This can be combined with -s to construct an EPR without having an xml file on hand. The KEYNAME is a QName string in the format {namespaceURI}localPart. while the VALUE is a literal string to place in the element. For example, the option -k '{http://www.globus.org}MyKey' 128 would be rendered as <MyKey xmlns="http://www.globus.org">128</MyKey> |
| -m, --securityMech TYPE |
Set authentication mechanism. TYPE is one of msg for WS-SecureMessage or conv for WS-SecureConversation. |
| -p, --protection LEVEL |
Set message protection level. LEVEL is one of sig for digital signature or enc for encryption. The default is 'sig'. |
| -s | --service ENDPOINT |
Set ENDPOINT the service URL to use. Will be composed with the -k parameter if present to add ReferenceProperties to the ENDPOINT |
| -t | --timeout SECONDS |
Set client timeout to SECONDS. |
| -u | --usage |
Print short usage message. |
| -V | --version |
Show version information and exit. |
| -v | --certKeyFiles CERTIFICATE-FILENAME KEY-FILENAME |
Use credentials located in CERTIFICATE-FILENAME and KEY-FILENAME. The key file must be unencrypted. |
| -x | --proxyFilename FILENAME |
Use proxy credentials located in FILENAME. |
| -z | --authorization TYPE |
Set authorization mode. TYPE can be self, host, none, or a string specifying the identity of the remote party. The default is self. |
| --versions |
Show version information for all loaded modules and exit. |
SERVICE-SPECIFIER: [-s URI [-k KEY VALUE] | -e FILENAME]
PROPERTY-NAME: [{Namespace-URI}]Property-Name
Example:
%globus-wsrf-get-properties \ -s http://grid.example.org:8080/wsrf/services/WidgetService \ -k "{http://www.globus.org/namespaces/2004/06/core}WidgetKey" 123 \ "{http://widgets.com}foo" \ "{http://docs.oasis-open.org/wsrf/2004/06/wsrf-WS-ResourceLifetime-1.2-draft-01.xsd}CurrentTime"<ns02:foo xmlns:ns00="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns01="http://www.w3.org/2001/XMLSchema" xmlns:ns02="http://widgets.com" ns00:type="ns01:string"> Foo Value String </ns02:foo><ns03:CurrentTime xmlns:ns00="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns01="http://www.w3.org/2001/XMLSchema" xmlns:ns03="http://docs.oasis-open.org/wsrf/2004/06/wsrf-WS-ResourceLifetime-1.2-draft-01.xsd" ns00:type="ns01:dateTime">2006-05-30T16:04:15Z</ns03:CurrentTime>
Name
globus-wsrf-insert-property — Insert a resource property value
Synopsis
globus-wsrf-insert-property [OPTIONS]... SERVICE-SPECIFIER PROPERTY-VALUE-FILENAME
Tool description
Insert a resource property into a WSRF resource's Resource Properties document. The new property will be read from the XML file specified by PROPERTY-VALUE-FILENAME.
Command syntax
globus-wsrf-insert-property [OPTIONS]... SERVICE-SPECIFIER PROPERTY-VALUE-FILENAME...
Table 44. Common options
| -a | --anonymous |
Use anonymous authentication. Requires either -m 'conv' or transport (https) security. |
| -d, --debug |
Enables debug mode. In debug mode, all SOAP messages will be displayed to stderr and full WSRF Fault messages will be displayed. |
| -e | --eprFile FILENAME |
Load service EPR from FILENAME. This EPR is used to contact the WSRF service. |
| -h | --help |
Displays help information about the command. |
| -k | --key KEYNAME VALUE |
Set resource key in the service EPR to be named KEYNAME with VALUE as its value. This can be combined with -s to construct an EPR without having an xml file on hand. The KEYNAME is a QName string in the format {namespaceURI}localPart. while the VALUE is a literal string to place in the element. For example, the option -k '{http://www.globus.org}MyKey' 128 would be rendered as <MyKey xmlns="http://www.globus.org">128</MyKey> |
| -m, --securityMech TYPE |
Set authentication mechanism. TYPE is one of msg for WS-SecureMessage or conv for WS-SecureConversation. |
| -p, --protection LEVEL |
Set message protection level. LEVEL is one of sig for digital signature or enc for encryption. The default is 'sig'. |
| -s | --service ENDPOINT |
Set ENDPOINT the service URL to use. Will be composed with the -k parameter if present to add ReferenceProperties to the ENDPOINT |
| -t | --timeout SECONDS |
Set client timeout to SECONDS. |
| -u | --usage |
Print short usage message. |
| -V | --version |
Show version information and exit. |
| -v | --certKeyFiles CERTIFICATE-FILENAME KEY-FILENAME |
Use credentials located in CERTIFICATE-FILENAME and KEY-FILENAME. The key file must be unencrypted. |
| -x | --proxyFilename FILENAME |
Use proxy credentials located in FILENAME. |
| -z | --authorization TYPE |
Set authorization mode. TYPE can be self, host, none, or a string specifying the identity of the remote party. The default is self. |
| --versions |
Show version information for all loaded modules and exit. |
SERVICE-SPECIFIER: [-s URI [-k KEY VALUE] | -e FILENAME]
Example:
% globus-wsrf-insert-property -e widget.epr widget:foo.xml
Contents of widget.epr:
<ns01:EndpointReference xmlns:ns01="http://schemas.xmlsoap.org/ws/2004/03/addressing">
<ns01:Address>http://globus.my.org:8080/wsrf/services/WidgetService</ns01:Address>
<ns01:ReferenceProperties>
<ResourceID xmlns:ns02="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns03="http://www.w3.org/2001/XMLSchema" ns02:type="ns03:string">7f554f7c-efd9-11da-97a5-00096b86f788</ResourceID>
</ns01:ReferenceProperties>
</ns01:EndpointReference>
Contents of widget:foo.xml:
<doc>
<foo xmlns="http://widgets.com"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string">
Foo Value String
</foo>
</doc>
Name
globus-wsrf-update-property — Update a resource property value
Synopsis
globus-wsrf-update-property [OPTIONS]... SERVICE-SPECIFIER PROPERTY-VALUE-FILENAME
Tool description
Update a resource property in a WSRF resource's Resource Properties document. The property's new value will be read from the XML file specified by PROPERTY-VALUE-FILENAME. An update operation will replace the value(s) of the resource property with the new value(s) in the property file.
Command syntax
globus-wsrf-update-property [OPTIONS]... SERVICE-SPECIFIER PROPERTY-VALUE-FILENAME
Table 45. Common options
| -a | --anonymous |
Use anonymous authentication. Requires either -m 'conv' or transport (https) security. |
| -d, --debug |
Enables debug mode. In debug mode, all SOAP messages will be displayed to stderr and full WSRF Fault messages will be displayed. |
| -e | --eprFile FILENAME |
Load service EPR from FILENAME. This EPR is used to contact the WSRF service. |
| -h | --help |
Displays help information about the command. |
| -k | --key KEYNAME VALUE |
Set resource key in the service EPR to be named KEYNAME with VALUE as its value. This can be combined with -s to construct an EPR without having an xml file on hand. The KEYNAME is a QName string in the format {namespaceURI}localPart. while the VALUE is a literal string to place in the element. For example, the option -k '{http://www.globus.org}MyKey' 128 would be rendered as <MyKey xmlns="http://www.globus.org">128</MyKey> |
| -m, --securityMech TYPE |
Set authentication mechanism. TYPE is one of msg for WS-SecureMessage or conv for WS-SecureConversation. |
| -p, --protection LEVEL |
Set message protection level. LEVEL is one of sig for digital signature or enc for encryption. The default is 'sig'. |
| -s | --service ENDPOINT |
Set ENDPOINT the service URL to use. Will be composed with the -k parameter if present to add ReferenceProperties to the ENDPOINT |
| -t | --timeout SECONDS |
Set client timeout to SECONDS. |
| -u | --usage |
Print short usage message. |
| -V | --version |
Show version information and exit. |
| -v | --certKeyFiles CERTIFICATE-FILENAME KEY-FILENAME |
Use credentials located in CERTIFICATE-FILENAME and KEY-FILENAME. The key file must be unencrypted. |
| -x | --proxyFilename FILENAME |
Use proxy credentials located in FILENAME. |
| -z | --authorization TYPE |
Set authorization mode. TYPE can be self, host, none, or a string specifying the identity of the remote party. The default is self. |
| --versions |
Show version information for all loaded modules and exit. |
SERVICE-SPECIFIER: [-s URI [-k KEY VALUE] | -e FILENAME]
Example:
% globus-wsrf-update-property -e widget.epr widget:foo.xmlContents of widget.epr:
<ns01:EndpointReference xmlns:ns01="http://schemas.xmlsoap.org/ws/2004/03/addressing">
<ns01:Address>http://globus.my.org:8080/wsrf/services/WidgetService</ns01:Address>
<ns01:ReferenceProperties>
<ResourceID xmlns:ns02="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns03="http://www.w3.org/2001/XMLSchema" ns02:type="ns03:string">7f554f7c-efd9-11da-97a5-00096b86f788</ResourceID>
</ns01:ReferenceProperties>
</ns01:EndpointReference>Contents of widget:foo.xml:
<doc>
<foo xmlns="http://widgets.com"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string">
Foo Value String
</foo>
</doc>
Name
globus-wsrf-delete-property — Delete a resource property
Synopsis
globus-wsrf-delete-property [OPTIONS] SERVICE-SPECIFIER PROPERTY-NAME
Command syntax
globus-wsrf-delete-property [OPTIONS]... SERVICE-SPECIFIER PROPERTY-NAMETable 46. Common options
| -a | --anonymous |
Use anonymous authentication. Requires either -m 'conv' or transport (https) security. |
| -d, --debug |
Enables debug mode. In debug mode, all SOAP messages will be displayed to stderr and full WSRF Fault messages will be displayed. |
| -e | --eprFile FILENAME |
Load service EPR from FILENAME. This EPR is used to contact the WSRF service. |
| -h | --help |
Displays help information about the command. |
| -k | --key KEYNAME VALUE |
Set resource key in the service EPR to be named KEYNAME with VALUE as its value. This can be combined with -s to construct an EPR without having an xml file on hand. The KEYNAME is a QName string in the format {namespaceURI}localPart. while the VALUE is a literal string to place in the element. For example, the option -k '{http://www.globus.org}MyKey' 128 would be rendered as <MyKey xmlns="http://www.globus.org">128</MyKey> |
| -m, --securityMech TYPE |
Set authentication mechanism. TYPE is one of msg for WS-SecureMessage or conv for WS-SecureConversation. |
| -p, --protection LEVEL |
Set message protection level. LEVEL is one of sig for digital signature or enc for encryption. The default is 'sig'. |
| -s | --service ENDPOINT |
Set ENDPOINT the service URL to use. Will be composed with the -k parameter if present to add ReferenceProperties to the ENDPOINT |
| -t | --timeout SECONDS |
Set client timeout to SECONDS. |
| -u | --usage |
Print short usage message. |
| -V | --version |
Show version information and exit. |
| -v | --certKeyFiles CERTIFICATE-FILENAME KEY-FILENAME |
Use credentials located in CERTIFICATE-FILENAME and KEY-FILENAME. The key file must be unencrypted. |
| -x | --proxyFilename FILENAME |
Use proxy credentials located in FILENAME. |
| -z | --authorization TYPE |
Set authorization mode. TYPE can be self, host, none, or a string specifying the identity of the remote party. The default is self. |
| --versions |
Show version information for all loaded modules and exit. |
SERVICE-SPECIFIER: [-s URI [-k KEY VALUE] | -e FILENAME]
PROPERTY-NAME: [{Namespace-URI}]Property-Name
Example:
% globus-wsrf-delete-property \
-s http://grid.example.org:8080/wsrf/services/WidgetService \
-k "{http://www.globus.org/namespaces/2004/06/core}WidgetKey" 123 \
"{http://widgets.com}foo"
Name
globus-wsn-get-current-message — Get the current message associated with a specified topic
Synopsis
globus-wsn-get-current-message [OPTIONS] SERVICE-SPECIFIER TOPIC-EXPRESSION
Command syntax
globus-wsn-get-current-message [OPTIONS]... SERVICE-SPECIFIER TOPIC-EXPRESSIONTable 47. Application-specific options
| -N | --namespace PREFIX=NAMESPACE-URI |
Create a namespace mapping in the XPATH context for the PREFIX string to resolve to the NAMESPACE-URI namespace in the Topic Expression. |
| -D | --dialect DIALECT-URI |
Set the Topic Expression dialect to DIALECT-URI. If not specified, the dialect is chosen automatically between http://docs.oasis-open.org/wsn/2004/06/TopicExpression/Simple, http://docs.oasis-open.org/wsn/2004/06/TopicExpression/Concrete, and http://docs.oasis-open.org/wsn/2004/06/TopicExpression/Full based on the presence of substrings '*', '//', '|', and '/' in the Topic Expression string. |
Table 48. Common options
| -a | --anonymous |
Use anonymous authentication. Requires either -m 'conv' or transport (https) security. |
| -d, --debug |
Enables debug mode. In debug mode, all SOAP messages will be displayed to stderr and full WSRF Fault messages will be displayed. |
| -e | --eprFile FILENAME |
Load service EPR from FILENAME. This EPR is used to contact the WSRF service. |
| -h | --help |
Displays help information about the command. |
| -k | --key KEYNAME VALUE |
Set resource key in the service EPR to be named KEYNAME with VALUE as its value. This can be combined with -s to construct an EPR without having an xml file on hand. The KEYNAME is a QName string in the format {namespaceURI}localPart. while the VALUE is a literal string to place in the element. For example, the option -k '{http://www.globus.org}MyKey' 128 would be rendered as <MyKey xmlns="http://www.globus.org">128</MyKey> |
| -m, --securityMech TYPE |
Set authentication mechanism. TYPE is one of msg for WS-SecureMessage or conv for WS-SecureConversation. |
| -p, --protection LEVEL |
Set message protection level. LEVEL is one of sig for digital signature or enc for encryption. The default is 'sig'. |
| -s | --service ENDPOINT |
Set ENDPOINT the service URL to use. Will be composed with the -k parameter if present to add ReferenceProperties to the ENDPOINT |
| -t | --timeout SECONDS |
Set client timeout to SECONDS. |
| -u | --usage |
Print short usage message. |
| -V | --version |
Show version information and exit. |
| -v | --certKeyFiles CERTIFICATE-FILENAME KEY-FILENAME |
Use credentials located in CERTIFICATE-FILENAME and KEY-FILENAME. The key file must be unencrypted. |
| -x | --proxyFilename FILENAME |
Use proxy credentials located in FILENAME. |
| -z | --authorization TYPE |
Set authorization mode. TYPE can be self, host, none, or a string specifying the identity of the remote party. The default is self. |
| --versions |
Show version information for all loaded modules and exit. |
SERVICE-SPECIFIER: [-s URI [-k KEY VALUE] | -e FILENAME]
TOPIC-EXPRESSION: [{Namespace-URI} | prefix ':']RootTopic[/ChildTopic]...
TOPIC-EXPRESSION [ '|' TOPIC-EXPRESSION]
RootChild or ChildTopic may contain '*' (wildcard) and/or
'//' (all descendents)
Example:
%globus-wsn-get-current-message \ -e widget.epr \ -N wsrl=http://docs.oasis-open.org/wsrf/2004/06/wsrf-WS-ResourceLifetime-1.2-draft-01.xsd \ 'wsrl:TerminationTime'<ns00:ResourcePropertyValueChangeNotification xmlns:ns00="http://docs.oasis-open.org/wsrf/2004/06/wsrf-WS-ResourceProperties-1.2-draft-01.xsd" xmlns:ns01="http://www.w3.org/2001/XMLSchema-instance" ns01:type="ns00:ResourcePropertyValueChangeNotificationType"> <ns00:NewValue ns01:type="ns00:NewValueType"> <ns03:TerminationTime xmlns:ns02="http://www.w3.org/2001/XMLSchema" xmlns:ns03="http://docs.oasis-open.org/wsrf/2004/06/wsrf-WS-ResourceLifetime-1.2-draft-01.xsd" ns01:type="ns02:dateTime">2006-05-31T20:10:08Z</ns03:TerminationTime> </ns00:NewValue> </ns00:ResourcePropertyValueChangeNotification>
Contents of widget.epr:
<ns01:EndpointReference xmlns:ns01="http://schemas.xmlsoap.org/ws/2004/03/addressing">
<ns01:Address>http://globus.my.org:8080/wsrf/services/WidgetService</ns01:Address>
<ns01:ReferenceProperties>
<ResourceID
xmlns:ns02="http://www.w3.org/2001/XMLSchema-instance"
xmlns:ns03="http://www.w3.org/2001/XMLSchema"
ns02:type="ns03:string">7f554f7c-efd9-11da-97a5-00096b86f788</ResourceID>
</ns01:ReferenceProperties>
</ns01:EndpointReference>
Output and Exit Code
If the Topic exists and has a current message, globus-wsn-get-current-message will print the current message value to stdout and then terminate with the exit code 0. In the case of an error, the type of error will be displayed to stderr and the program will terminate with a non-0 exit code.
Name
globus-wsn-pause-subscription — Pause a WSRF notification subscription.
Synopsis
globus-wsn-pause-subscription [OPTIONS] SERVICE-SPECIFIER
Command syntax
globus-wsn-pause-subscription [OPTIONS]... SERVICE-SPECIFIER TOPIC-EXPRESSIONTable 49. Common options
| -a | --anonymous |
Use anonymous authentication. Requires either -m 'conv' or transport (https) security. |
| -d, --debug |
Enables debug mode. In debug mode, all SOAP messages will be displayed to stderr and full WSRF Fault messages will be displayed. |
| -e | --eprFile FILENAME |
Load service EPR from FILENAME. This EPR is used to contact the WSRF service. |
| -h | --help |
Displays help information about the command. |
| -k | --key KEYNAME VALUE |
Set resource key in the service EPR to be named KEYNAME with VALUE as its value. This can be combined with -s to construct an EPR without having an xml file on hand. The KEYNAME is a QName string in the format {namespaceURI}localPart. while the VALUE is a literal string to place in the element. For example, the option -k '{http://www.globus.org}MyKey' 128 would be rendered as <MyKey xmlns="http://www.globus.org">128</MyKey> |
| -m, --securityMech TYPE |
Set authentication mechanism. TYPE is one of msg for WS-SecureMessage or conv for WS-SecureConversation. |
| -p, --protection LEVEL |
Set message protection level. LEVEL is one of sig for digital signature or enc for encryption. The default is 'sig'. |
| -s | --service ENDPOINT |
Set ENDPOINT the service URL to use. Will be composed with the -k parameter if present to add ReferenceProperties to the ENDPOINT |
| -t | --timeout SECONDS |
Set client timeout to SECONDS. |
| -u | --usage |
Print short usage message. |
| -V | --version |
Show version information and exit. |
| -v | --certKeyFiles CERTIFICATE-FILENAME KEY-FILENAME |
Use credentials located in CERTIFICATE-FILENAME and KEY-FILENAME. The key file must be unencrypted. |
| -x | --proxyFilename FILENAME |
Use proxy credentials located in FILENAME. |
| -z | --authorization TYPE |
Set authorization mode. TYPE can be self, host, none, or a string specifying the identity of the remote party. The default is self. |
| --versions |
Show version information for all loaded modules and exit. |
SERVICE-SPECIFIER: [-s URI [-k KEY VALUE] | -e FILENAME]
Example:
% globus-wsn-pause-subscription \
-e subscription.eprContents of subscription.epr:
<ns00:EndpointReference
xmlns:ns00="http://schemas.xmlsoap.org/ws/2004/03/addressing">
<ns00:Address>http://globus.my.org:8080/wsrf/services/SubscriptionManagerService</ns00:Address>
<ns00:ReferenceProperties>
<ns03:ResourceID
xmlns:ns01="http://www.w3.org/2001/XMLSchema-instance"
xmlns:ns02="http://www.w3.org/2001/XMLSchema"
xmlns:ns03="http://www.globus.org/docs.oasis-open.org/wsn/2004/06/wsn-WS-BaseNotification-1.2-draft-01.xsd"
ns01:type="ns02:string">7d6430e4-f019-11da-a1b9-00096b86f788</ns03:ResourceID>
</ns00:ReferenceProperties>
</ns00:EndpointReference>Output and Exit Code
If the subscription is successfully paused, globus-wsn-pause-subscription will terminate with the exit code 0. No further notifications should be expected on the Subscription resource until it is resumed again. In the case of an error, the type of error will be displayed to stderr and the program will terminate with a non-0 exit code.
Name
globus-wsn-resume-subscription — Resume a WSRF notification subscription.
Synopsis
globus-wsn-resume-subscription [OPTIONS] SERVICE-SPECIFIER
Command syntax
globus-wsn-resume-subscription [OPTIONS]... SERVICE-SPECIFIER TOPIC-EXPRESSIONTable 50. Common options
| -a | --anonymous |
Use anonymous authentication. Requires either -m 'conv' or transport (https) security. |
| -d, --debug |
Enables debug mode. In debug mode, all SOAP messages will be displayed to stderr and full WSRF Fault messages will be displayed. |
| -e | --eprFile FILENAME |
Load service EPR from FILENAME. This EPR is used to contact the WSRF service. |
| -h | --help |
Displays help information about the command. |
| -k | --key KEYNAME VALUE |
Set resource key in the service EPR to be named KEYNAME with VALUE as its value. This can be combined with -s to construct an EPR without having an xml file on hand. The KEYNAME is a QName string in the format {namespaceURI}localPart. while the VALUE is a literal string to place in the element. For example, the option -k '{http://www.globus.org}MyKey' 128 would be rendered as <MyKey xmlns="http://www.globus.org">128</MyKey> |
| -m, --securityMech TYPE |
Set authentication mechanism. TYPE is one of msg for WS-SecureMessage or conv for WS-SecureConversation. |
| -p, --protection LEVEL |
Set message protection level. LEVEL is one of sig for digital signature or enc for encryption. The default is 'sig'. |
| -s | --service ENDPOINT |
Set ENDPOINT the service URL to use. Will be composed with the -k parameter if present to add ReferenceProperties to the ENDPOINT |
| -t | --timeout SECONDS |
Set client timeout to SECONDS. |
| -u | --usage |
Print short usage message. |
| -V | --version |
Show version information and exit. |
| -v | --certKeyFiles CERTIFICATE-FILENAME KEY-FILENAME |
Use credentials located in CERTIFICATE-FILENAME and KEY-FILENAME. The key file must be unencrypted. |
| -x | --proxyFilename FILENAME |
Use proxy credentials located in FILENAME. |
| -z | --authorization TYPE |
Set authorization mode. TYPE can be self, host, none, or a string specifying the identity of the remote party. The default is self. |
| --versions |
Show version information for all loaded modules and exit. |
SERVICE-SPECIFIER: [-s URI [-k KEY VALUE] | -e FILENAME]
Example:
% globus-wsn-resume-subscription \
-e subscription.eprContents of subscription.epr:
<ns00:EndpointReference
xmlns:ns00="http://schemas.xmlsoap.org/ws/2004/03/addressing">
<ns00:Address>http://globus.my.org:8080/wsrf/services/SubscriptionManagerService</ns00:Address>
<ns00:ReferenceProperties>
<ns03:ResourceID
xmlns:ns01="http://www.w3.org/2001/XMLSchema-instance"
xmlns:ns02="http://www.w3.org/2001/XMLSchema"
xmlns:ns03="http://www.globus.org/docs.oasis-open.org/wsn/2004/06/wsn-WS-BaseNotification-1.2-draft-01.xsd"
ns01:type="ns02:string">7d6430e4-f019-11da-a1b9-00096b86f788</ns03:ResourceID>
</ns00:ReferenceProperties>
</ns00:EndpointReference>Output and Exit Code
If the subscription is successfully resumed, globus-wsn-resume-subscription will terminate with the exit code 0. Notifications should again flow to the Subscription resource. In the case of an error, the type of error will be displayed to stderr and the program will terminate with a non-0 exit code.
Name
globus-wsn-subscribe — Subscribe for notification for a specified topic.
Synopsis
globus-wsn-subscribe [OPTIONS] SERVICE-SPECIFIER TOPIC-EXPRESSION
Command syntax
globus-wsn-subscribe [OPTIONS]... SERVICE-SPECIFIER TOPIC-EXPRESSIONTable 51. Application-specific options
| -b | --subEpr FILENAME |
Save the Subscription Manager EPR in FILENAME. This EPR file can be used with the globus-wsn-pause-subscription and globus-wsn-resume-subscription commands |
| -N | --namespace PREFIX=NAMESPACE-URI |
Create a namespace mapping in the XPATH context for the PREFIX string to resolve to the NAMESPACE-URI namespace in the Topic Expression. |
| -D | --dialect DIALECT-URI |
Set the Topic Expression dialect to DIALECT-URI. If not specified, the dialect is chosen automatically between http://docs.oasis-open.org/wsn/2004/06/TopicExpression/Simple, http://docs.oasis-open.org/wsn/2004/06/TopicExpression/Concrete, and http://docs.oasis-open.org/wsn/2004/06/TopicExpression/Full based on the presence of substrings '*', '//', '|', and '/' in the Topic Expression string. |
Table 52. Common options
| -a | --anonymous |
Use anonymous authentication. Requires either -m 'conv' or transport (https) security. |
| -d, --debug |
Enables debug mode. In debug mode, all SOAP messages will be displayed to stderr and full WSRF Fault messages will be displayed. |
| -e | --eprFile FILENAME |
Load service EPR from FILENAME. This EPR is used to contact the WSRF service. |
| -h | --help |
Displays help information about the command. |
| -k | --key KEYNAME VALUE |
Set resource key in the service EPR to be named KEYNAME with VALUE as its value. This can be combined with -s to construct an EPR without having an xml file on hand. The KEYNAME is a QName string in the format {namespaceURI}localPart. while the VALUE is a literal string to place in the element. For example, the option -k '{http://www.globus.org}MyKey' 128 would be rendered as <MyKey xmlns="http://www.globus.org">128</MyKey> |
| -m, --securityMech TYPE |
Set authentication mechanism. TYPE is one of msg for WS-SecureMessage or conv for WS-SecureConversation. |
| -p, --protection LEVEL |
Set message protection level. LEVEL is one of sig for digital signature or enc for encryption. The default is 'sig'. |
| -s | --service ENDPOINT |
Set ENDPOINT the service URL to use. Will be composed with the -k parameter if present to add ReferenceProperties to the ENDPOINT |
| -t | --timeout SECONDS |
Set client timeout to SECONDS. |
| -u | --usage |
Print short usage message. |
| -V | --version |
Show version information and exit. |
| -v | --certKeyFiles CERTIFICATE-FILENAME KEY-FILENAME |
Use credentials located in CERTIFICATE-FILENAME and KEY-FILENAME. The key file must be unencrypted. |
| -x | --proxyFilename FILENAME |
Use proxy credentials located in FILENAME. |
| -z | --authorization TYPE |
Set authorization mode. TYPE can be self, host, none, or a string specifying the identity of the remote party. The default is self. |
| --versions |
Show version information for all loaded modules and exit. |
SERVICE-SPECIFIER: [-s URI [-k KEY VALUE] | -e FILENAME]
TOPIC-EXPRESSION: [{Namespace-URI} | prefix ':']RootTopic[/ChildTopic]...
TOPIC-EXPRESSION [ '|' TOPIC-EXPRESSION]
RootChild or ChildTopic may contain '*' (wildcard) and/or
'//' (all descendents)
Example:
%globus-wsn-subscribe \ -e counter.epr \ -N counter=http://www.counter.com \ 'counter:Value'<ns02:Value xmlns:ns00="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns01="http://www.w3.org/2001/XMLSchema" xmlns:ns02="http://counter.com" ns00:type="ns01:int">10</ns02:Value> <ns02:Value xmlns:ns00="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns01="http://www.w3.org/2001/XMLSchema" xmlns:ns02="http://counter.com" ns00:type="ns01:int">20</ns02:Value>
Contents of counter.epr:
<ns01:EndpointReference
xmlns:ns01="http://schemas.xmlsoap.org/ws/2004/03/addressing">
<ns01:Address>http://globus.my.org:8080//wsrf/services/CounterService</ns01:Address>
<ns01:ReferenceProperties>
<ns04:CounterKey
xmlns:ns02="http://www.w3.org/2001/XMLSchema-instance"
xmlns:ns03="http://www.w3.org/2001/XMLSchema"
xmlns:ns04="http://counter.com/service"
ns02:type="ns03:string">1804289383</ns04:CounterKey>
</ns01:ReferenceProperties>
</ns01:EndpointReference>Output and Exit Code
globus-wsn-subscribe will print the the contents of notification message to stdout. If the message is a ResourcePropertyValueChangedNotification message, then only the NewValue subelement will be displayed. Otherwise, the entire message will be displayed. This program will run until terminated by a signal. In the case of an error, the type of error will be displayed to stderr and the program will terminate with a non-0 exit code.
Table of Contents
- grid-cert-diagnostics - Print diagnostic information about certificates and keys
- grid-cert-info - Display certificate information
- grid-cert-request - Create a certificate request
- grid-default-ca - Set the default CA to use for certificate requests
- grid-change-pass-phrase - Change the pass phrase on a private key
- grid-proxy-init - Generate a new proxy certificate
- grid-proxy-destroy - Destroy the current proxy certificate (previously created with grid-proxy-init)
- grid-proxy-info - Display information obtained from a proxy certificate
- grid-mapfile-add-entry - Add an entry to a grid map file
- grid-mapfile-check-consistency - Check the internal consistency of a grid map file
- grid-mapfile-delete-entry - Delete an entry from a grid map file
Name
grid-cert-diagnostics — Print diagnostic information about certificates and keys
Synopsis
grid-cert-diagnostics [-h] [-p]
Description
The grid-cert-diagnostics command displays information about the current user's security environment, including information about security-related environment variables, security directory search path, personal key and certificates, and trusted certificates. It is intended to provide information to help diagnose problems using GSI security.
The full set of command-line options to grid-cert-diagnostics consists of:
| -h | Display a help message and exit |
| -p | Display information about the personal certificate and key that is the current user's default credential. |
Examples
In this example, we see the default mode of checking the default security
environment for the system, without processing the user's key and certificate.
Note the user receives a warning about a cog.properties
and about an expired CA certificate.
%grid-cert-diagnosticsChecking Environment Variables ============================== Checking if X509_CERT_DIR is set... no Checking if X509_USER_CERT is set... no Checking if X509_USER_KEY is set... no Checking if X509_USER_PROXY is set... no Checking Security Directories ======================= Determining trusted cert path... /etc/grid-security/certificates Checking for cog.properties... found WARNING: If the cog.properties file contains security properties, Java apps will ignore the security paths described in the GSI documentation Checking trusted certificates... ================================ Getting trusted certificate list... Checking CA file /etc/grid-security/certificates/1c4f4c48.0... ok Verifying certificate chain for "/etc/grid-security/certificates/1c3f2ca8.0"... ok Checking CA file /etc/grid-security/certificates/9d8788eb.0... ok Verifying certificate chain for "/etc/grid-security/certificates/9d8753eb.0"... failed globus_credential: Error verifying credential: Failed to verify credential globus_gsi_callback_module: Could not verify credential globus_gsi_callback_module: The certificate has expired: Credential with subject: /DC=org/DC=example/OU=grid/CN=CA has expired.
In this example, we show a user with a mismatched private key and certificate:
%grid-cert-diagnostics-pChecking Environment Variables ============================== Checking if X509_CERT_DIR is set... no Checking if X509_USER_CERT is set... no Checking if X509_USER_KEY is set... no Checking if X509_USER_PROXY is set... no Checking Security Directories ======================= Determining trusted cert path... /etc/grid-security/certificates Checking for cog.properties... not found Checking Default Credentials ============================== Determining certificate and key file names... ok Certificate Path: "/home/juser/.globus/usercert.pem" Key Path: "/home/juser/.globus/userkey.pem" Reading certificate... ok Reading private key... ok Checking Certificate Subject... "/O=Grid/OU=Example/OU=User/CN=Joe User" Checking cert... ok Checking key... ok Checking that certificate contains an RSA key... ok Checking that private key is an RSA key... ok Checking that public and private keys have the same modulus... failed Private key modulus: D294849E37F048C3B5ACEEF2CCDF97D88B679C361E29D5CB5 219C3E948F3E530CFC609489759E1D751F0ACFF0515A614276A0F4C11A57D92D7165B8 FA64E3140155DE448D45C182F4657DA13EDA288423F5B9D169DFF3822EFD81EB2E6403 CE3CB4CCF96B65284D92592BB1673A18354DA241B9AFD7F494E54F63A93E15DCAE2 Public key modulus : C002C7B329B13BFA87BAF214EACE3DC3D490165ACEB791790 600708C544175D9193C9BAC5AED03B7CB49BB6AE6D29B7E635FAC751E9A6D1CEA98022 6F1B63002902D6623A319E4682E7BFB0968DCE962CF218AAD95FAAD6A0BA5C42AA9AAF 7FDD32B37C6E2B2FF0E311310AA55FFB9EAFDF5B995C7D9EEAD8D5D81F3531E0AE5 Certificate and and private key don't match
Name
grid-cert-info — Display certificate information
Synopsis
grid-cert-info [-help] [-version]
[-file CERTIFICATE-FILENAME]
[-all] [-subject] [-issuer] [-issuerhash] [-startdate] [-enddate]
Description
The grid-cert-info displays information from a
user's credential, or from any X.509 certificate if the -file
CERTIFICATE-FILENAME is used. By default, a text
representation of the entire certificate is displayed. If more than one
display option is present on the command line, the output is generated
in the order the options occur on the command line.
The following search order is used to locate the default certificate:
$X509_USER_CERT$HOME/.globus/usercert.pem$HOME/.globus/usercred.p12
If the certificate is encoded in pkcs12, grid-cert-info
will prompt for the password used to protect the .p12
file.
The full set of command-line options to grid-cert-info is:
-help | Print help information and exit |
-version | Print version information and exit |
-file
| Read credential from
CERTIFICATE-FILENAME instead of
the default location. The file must have a
.pem or .p12
extension. |
-all | Print all information from the certificate. This is the default unless any of the following options are given. |
-subject | Print the subject name of the certificate. |
-issuer | Print the subject name of the issuer of the certificate. This is the subject name of the Certificate Authority which signed the certificate. |
-issuerhash | Print the hash of the name of the issuer of the certificate. This is the hash of the Certificate Authority which signed the certificate. |
-startdate | Print the date and time from which the certificate is valid |
-enddate | Print the date and time when the certificate expires. |
Name
grid-cert-request — Create a certificate request
Synopsis
grid-cert-request [-help] [-version] [-verbose] [-force]
[-commonname NAME] [-service SERVICE] [-host FQDN] [-dns FQDN,...] [-ip IP-ADDRESS, ...] [-interactive]
[-dir DIRECTORY] [-prefix PREFIX] [-ca [HASH]] [-nopw]
Description
grid-cert-request generates a public/private key pair an X.509 certificate request containing the public key and a subject name. By default, it generates a request for a user certificate for the invoking user. grid-cert-request can also be used to create host or service certificates based on command-line options. At least one Certificate Authority must be configured to use with the Globus Toolkit in order for this command to succeed.
Complete set of options to grid-cert-request is:
-help | Print help information and exit |
-version | Print version information and exit |
-verbose | Don't clear screen after running OpenSSL |
-force | Overwrite an existing certificate request if present. |
-commonname | Construct a subject name with
NAME as the final name
component. By default, the subject name is inferred from
the output of the finger program. If that
fails, grid-cert-request will prompt
of a name. |
-service | Construct a subject name with the common name
constructed from the SERVICE
name and the hostname joined by the /
character. The -service requires that the
-host option also be used. The private
key created for a service certificate request is not
encrypted. |
-host | Construct a subject name with
FQDN as the name of the host.
This must be a fully-qualified name in dotted string
notation (e.g. grid.example.org). If
no service is specified by the -service
option, the subject name will be
host/FQDN.The
private key created for a host certificate request is not
encrypted. By default the host certificate request and key
are created in /etc/grid-security.
|
-dns | Add a subjectAltName extension to the certificate request containing one or more DNS names separated by the comma (,) character. These names may contain the wildcard character (*). Globus Toolkit 4.2.1 and later will process the subjectAltName extension if present when performing mutual authentication with a service. |
-ip | Add a subjectAltName extension to the certificate request containing one or more IP address values separated by the comma (,) character. Globus Toolkit 4.2.1 and later will process the subjectAltName extension if present when performing mutual authentication with a service when the client is presented with an IP address as input. |
-interactive | Interactively prompt for the components of the certificate subject name. |
-dir | Write the certificate request and key to
DIRECTORY, creating it if the
directory does not exist. By default, the certificate
request and key are placed in |
-prefix | Prepend the string PREFIX
to the certificate, key, and request filenames. The default
prefix is user for user certificates and
host for host certificates. |
-ca | Choose a non-default Certificate Authority
configuration to construct the certificate request. If
HASH is present on the command
line, then grid-cert-request will use
that certificate authority's configuration. Otherwise, it
will prompt the user for a CA to choose from the list of
configured CAs. |
-nopw | Create a private key without a password. This may be a security risk if the file permissions of the private key are not carefully maintained. |
Examples
Request a user certificate:
%grid-cert-requestA certificate request and private key is being created. You will be asked to enter a PEM pass phrase. This pass phrase is akin to your account password, and is used to protect your key file. If you forget your pass phrase, you will need to obtain a new certificate. Generating a 1024 bit RSA private key .....................++++++ ........++++++ writing new private key to '/home/juser/.globus/userkey.pem' Enter PEM pass phrase: A private key and a certificate request has been generated with the subject: /O=Grid/OU=Example/OU=User/CN=Joe User If the CN=Joe User is not appropriate, rerun this script with the -force -cn "Common Name" options. Your private key is stored in /home/juser/.globus/userkey.pem Your request is stored in /home/juser/.globus/usercert_request.pem Please e-mail the request to the Globus Certificate Service ca@grid.example.org You may use a command similar to the following: cat /home/juser/.globus/usercert_request.pem | mail ca@grid.example.org Only use the above if this machine can send AND receive e-mail. if not, please mail using some other method. Your certificate will be mailed to you within two working days. If you receive no response, contact Globus Certificate Service at ca@grid.example.org
Request a host certificate, putting the request and key files in the
directory.
$HOME/.globus/host
%grid-cert-request-host grid.example.org-dir $HOME/.globus/hostA private host key and a certificate request has been generated with the subject: /O=Grid/OU=Example/OU=User/CN=host/grid.example.org ---------------------------------------------------------- The private key is stored in /tmp/examplegrid/hostkey.pem The request is stored in /tmp/examplegrid/hostcert_request.pem Please e-mail the request to the Globus Certificate Service ca@grid.example.org You may use a command similar to the following: cat /tmp/examplegrid/hostcert_request.pem | mail ca@grid.example.org Only use the above if this machine can send AND receive e-mail. if not, please mail using some other method. Your certificate will be mailed to you within two working days. If you receive no response, contact Globus Certificate Service at ca@grid.example.org
Request a host certificate with subjectAltName extensions. This certificate is valid for hosts with DNS names execution.example.org and transfer.example.org.
%grid-cert-request-host grid.example.org-dns execution.example.org,transfer.example.org$HOME/.globus/hostA private host key and a certificate request has been generated with the subject: /O=Grid/OU=Example/OU=User/CN=host/grid.example.org ---------------------------------------------------------- The private key is stored in /tmp/examplegrid/hostkey.pem The request is stored in /tmp/examplegrid/hostcert_request.pem Please e-mail the request to the Globus Certificate Service ca@grid.example.org You may use a command similar to the following: cat /tmp/examplegrid/hostcert_request.pem | mail ca@grid.example.org Only use the above if this machine can send AND receive e-mail. if not, please mail using some other method. Your certificate will be mailed to you within two working days. If you receive no response, contact Globus Certificate Service at ca@grid.example.org
Name
grid-default-ca — Set the default CA to use for certificate requests
Synopsis
grid-default-ca [-help] [-list] [-ca CA-HASH] [-dir SECURITY-DIRECTORY]
Description
The grid-default-ca program sets the default CA used by grid-cert-request. Based on the default CA choice, grid-cert-request will create a certificate request that matches the CA's naming policies.
If the -ca option is not provided on the command-line,
grid-default-ca will display a list of available
Certificate Authorities and prompt the user to choose one.
The full set of command-line options to grid-default-ca are:
| -help | Display a help message and exit |
| -list | List the available CAs but do not alter the default |
-ca CA-HASH | Select the default CA whose subject name hash
matches CA-HASH.
|
-dir SECURITY-DIRECTORY | Search
SECURITY-DIRECTORY for
additional CA certificates. |
Examples
Show what certificate authorities are in the trusted cert directory:
%grid-default-ca-listThe available CA configurations installed on this host are: Directory: /etc/grid-security/certificates 1) 1c3f2ca8 - /DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1 2) 3d8e6ce8 - /O=Grid/CN=Example CA 3) 6349a761 - /O=DOE Science Grid/OU=Certificate Authorities/CN=Certificate Manager 4) b38b4d8c - /C=US/O=Globus Alliance/CN=Globus Certificate Service The default CA is: /C=US/O=Globus Alliance/CN=Globus Certificate Service Location: /etc/grid-security/certificates/b38b4d8c.0
Change the default CA to be DOEGrids CA 1:
%grid-default-caThe available CA configurations installed on this host are: Directory: /etc/grid-security/certificates 1) 1c3f2ca8 - /DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1 2) 3d8e6ce8 - /O=Grid/CN=Example CA 3) 6349a761 - /O=DOE Science Grid/OU=Certificate Authorities/CN=Certificate Manager 4) b38b4d8c - /C=US/O=Globus Alliance/CN=Globus Certificate Service The default CA is: /C=US/O=Globus Alliance/CN=Globus Certificate Service Location: /etc/grid-security/certificates/b38b4d8c.0Enter the index number of the CA to set as the default [q to quit]:1setting the default CA to: /DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1 linking /etc/grid-security/certificates/grid-security.conf.1c3f2ca8 to /etc/grid-security/grid-security.conf linking /etc/grid-security/certificates/globus-host-ssl.conf.1c3f2ca8 to /etc/grid-security/globus-host-ssl.conf linking /etc/grid-security/certificates/globus-user-ssl.conf.1c3f2ca8 to /etc/grid-security/globus-user-ssl.conf ...done.
Name
grid-change-pass-phrase — Change the pass phrase on a private key
Synopsis
grid-change-pass-phrase
Tool description
grid-change-pass-phrase allows one to change the passphrase that protects the private key.
Command syntax
grid-change-pass-phrase [-help] [-version] [-file private_key_file]
Changes the passphrase that protects the private key. Note that this command will work even if the original key is not password protected. If the -file argument is not given, the default location of the file containing the private key is assumed:
- The location pointed to by X509_USER_KEY
- If X509_USER_KEY not set, $HOME/.globus/userkey.pem
Name
grid-proxy-init — Generate a new proxy certificate
Synopsis
grid-proxy-init
Tool description
grid-proxy-init generates X.509 proxy certificates.
By default, this command generates RFC 3820 Proxy Certificates.
There are also options available for generating other types of proxy certificates, including limited, independent and legacy. For more information about proxy certificate types and their compatibility in GT, see http://dev.globus.org/wiki/Security/ProxyCertTypes.
Options
Table 54. Command line options
| -help, -usage | Displays usage. |
| -version | Displays version. |
| -debug | Enables extra debug output. |
| -q | Quiet mode, minimal output. |
| -verify | Verifies the certificate to make the proxy for. |
| -pwstdin | Allows passphrase from stdin. |
| -limited | Creates a limited globus proxy. |
| -independent | Creates an independent globus proxy. |
| -draft | Creates a draft (GSI-3) proxy. |
| -old | Creates a legacy globus proxy. |
| -valid <h:m> | Proxy is valid for h hours and m minutes (default:12:00). |
| -hours <hours> | Deprecated support of hours option. |
| -bits <bits> | Number of bits in key {512|1024|2048|4096}. |
| -policy <policyfile> | File containing the policy to store in the ProxyCertInfo extension. |
| -pl <oid>, -policy-language <oid> | OID string for the policy language used in the policy file. |
| -path-length <l> | Allows a chain of at most 1 proxies to be generated from this one. |
| -cert <certfile> | Non-standard location of user certificate. |
| -key <keyfile> | Non-standard location of user key. |
| -certdir <certdir> | Non-standard location of trusted cert directory. |
| -out <proxyfile> | Non-standard location of new proxy cert. |
Creating a Proxy Certificate
Proxies are certificates signed by the user, or by another proxy, that do not require a password to submit a job. They are intended for short-term use, when the user is submitting many jobs and cannot be troubled to repeat his password for every job.
The subject of a proxy certificate is the same as the subject of the certificate that signed it, with /CN=proxy added to the name. The gatekeeper will accept any job requests submitted by the user, as well as any proxies he has created.
Proxies provide a convenient alternative to constantly entering passwords, but are also less secure than the user's normal security credential. Therefore, they should always be user-readable only, and should be deleted after they are no longer needed (or after they expire).
To create a proxy with the default expiration (12 hours), run the grid-proxy-init program. For example:
% grid-proxy-init
The grid-proxy-init program can also take arguments to specify the expiration and proxy key length. For example:
% grid-proxy-init -hours 8 -bits 512
Name
grid-proxy-destroy — Destroy the current proxy certificate (previously created with grid-proxy-init)
Synopsis
grid-proxy-destroy
Options
Table 55. Command line options
| -help, -usage | Displays usage. |
| -version | Displays version. |
| -debug | Displays debugging information. |
| -dryrun | Prints what files would have been destroyed. |
| -default | Destroys file at default proxy location. |
| -all | Destroys any user (default) and delegated proxies that are found. |
| -- | Ends processing of options. |
| file1 file2 ... | Destroys the files listed. |
Name
grid-proxy-info — Display information obtained from a proxy certificate
Synopsis
grid-proxy-info
Options
Table 56. Command line options
| -help, -usage | Displays usage. |
| -version | Displays version. |
| -debug | Displays debugging output. |
| -file <proxyfile> (-f) | Non-standard location of proxy. |
| [printoptions] | |
| -exists [options] (-e) |
Determine whether a valid proxy exists. |
Table 57. Print options
| -subject (-s) | Distinguished name (DN) of the subject. |
| -issuer (-i) | DN of the issuer (certificate signer). |
| -identity | DN of the identity represented by the proxy. |
| -type | Type of proxy (full or limited). |
| -timeleft | Time (in seconds) until proxy expires. |
| -strength | Key size (in bits). |
| -all | All above options in a human readable format. |
| -text | All of the certificate. |
| -path | Pathname of the proxy file. |
Name
grid-mapfile-add-entry — Add an entry to a grid map file
Synopsis
grid-mapfile-add-entry
Command syntax
grid-mapfile-add-entry -dn DN -ln LN [-help] [-d] [-f mapfile FILE]
Options:
Table 59. Command line options
| -help, -usage | Displays help. |
| -version | Displays version. |
| -dn DN | Distinguished Name (DN) to add. Remember to quote the DN if it contains spaces. |
| -ln LN1 [LN2...] | Local login name(s) to which the DN is mapped. |
| -dryrun, -d | Shows what would be done but will not add the entry. |
| -mapfile FILE, -f FILE | Path of the grid map file to be used. |
Name
grid-mapfile-check-consistency — Check the internal consistency of a grid map file
Synopsis
grid-mapfile-check-consistency
Tool description
grid-mapfile-check-consistency checks that the given grid mapfile conforms to the expected format as well as checking for common subject name problems.
Name
grid-mapfile-delete-entry — Delete an entry from a grid map file
Synopsis
grid-mapfile-delete-entry
Options:
Table 61. Command line options
| -help, -usage | Displays help. |
| -version | Displays version. |
| -dn <DN> | Distinguished Name (DN) to delete. |
| -ln <local name> | Local Login Name (LN) to delete. |
| -dryrun, -d | Shows what would be done but will not delete the entry. |
| -mapfile file, -f file | Path of the grid map file to be used. |
The CAS Query commands do not alter the state of the database and any CAS user who has cas/query permissions may use the commands to retrieve data from the CAS server.
The following queries can be run against the CAS server. These are typically used by CAS clients (who may not be administrators).
The user need cas/query permissions to perform these operations—that is, the user must have permission to query on the cas server object.
Table of Contents
- cas-whoami - Getting a user's CAS identity.
- cas-list-object - Getting object list
- cas-get-object - Getting CAS object
- cas-group-list-entries - Getting group members
- cas-find-policies - Getting policy information
- query-cas-service - Query CAS Service (using OGSA AuthZ interface)
Name
cas-whoami — Getting a user's CAS identity.
Synopsis
cas-whoami [ options]
Command options
Important
If you have an asterisk (*) in your command, you might need to escape it with a backslash ( \ ).
- -a, --anonymous
Enables anonymous authentication. Only supported with transport security or the GSI Secure Conversation authentication mechanism.
- -c, --serverCertificate
<file> Specifies the server's certificate file used for encryption. Only needed for the GSI Secure Message authentication mechanism.
- -debug
Runs the client with debug message traces and error stack traces.
- -f, --descriptor
<file> Specifies a client security descriptor. Overrides all other security settings.
- -help
Prints the usage message for the client.
- -l, --contextLifetime
<value> Sets the lifetime of the client security context.
valueis in milliseconds. Only supported with the GSI Secure Conversation authentication mechanism.- -m, --securityMech
<type> Specifies the authentication mechanism. The value
typecan be:msgfor GSI Secure Message, orconvfor GSI Secure Conversation.
- -p, --protection
<type> Specifies the protection level.
typecan be:sigfor signature, orencfor encryption.
- -s
cas-url Sets the CAS Service instance, where
cas-urlis the URL of the CAS service instance. Alternatively, an environment variable can be set as shown here.The instance URL typically looks like
http://Host:Port/wsrf/services/CASService, whereHostandPortare the host and port where the container with the CAS service is running.- -v
Prints the version number.
- -x, --proxyFilename
<value> Sets the proxy file to use as client credential.
- -z
authorization Specifies the type of authorization used, such as
selforhost.If you cannot use a standard method for authorization, you can use the specific CAS server's identity as the value.
Alternatively, an environment variable can be set as shown here.
If none of the above are set, host authorization is done by default and the expected server credential is
cas/, where<fqdn><fqdn>is the fully qualified domain name of the host on which the CAS service is up.![[Note]](/docbook-images/note.gif)
Note If the service being contacted is using GSI Secure Transport , then the container credentials configured for the service will be used, even if service/resource level credentials are configured. Hence authorization needs to be done based on the DN of the container credentials.
Name
cas-list-object — Getting object list
Synopsis
cas-list-object [ options] type
Tool description
The cas-list-object command returns a list of CasObjects in the database of the requested type.
Command Options
-
type Use one of the following to indicate the type of of CasObjects you want listed:
trustAnchoruseruserGroupobjectobjectGroupobjectGroupnamespaceserviceTypeserviceActionserviceActionGp
Common Options
Important
If you have an asterisk (*) in your command, you might need to escape it with a backslash ( \ ).
- -a, --anonymous
Enables anonymous authentication. Only supported with transport security or the GSI Secure Conversation authentication mechanism.
- -c, --serverCertificate
<file> Specifies the server's certificate file used for encryption. Only needed for the GSI Secure Message authentication mechanism.
- -debug
Runs the client with debug message traces and error stack traces.
- -f, --descriptor
<file> Specifies a client security descriptor. Overrides all other security settings.
- -help
Prints the usage message for the client.
- -l, --contextLifetime
<value> Sets the lifetime of the client security context.
valueis in milliseconds. Only supported with the GSI Secure Conversation authentication mechanism.- -m, --securityMech
<type> Specifies the authentication mechanism. The value
typecan be:msgfor GSI Secure Message, orconvfor GSI Secure Conversation.
- -p, --protection
<type> Specifies the protection level.
typecan be:sigfor signature, orencfor encryption.
- -s
cas-url Sets the CAS Service instance, where
cas-urlis the URL of the CAS service instance. Alternatively, an environment variable can be set as shown here.The instance URL typically looks like
http://Host:Port/wsrf/services/CASService, whereHostandPortare the host and port where the container with the CAS service is running.- -v
Prints the version number.
- -x, --proxyFilename
<value> Sets the proxy file to use as client credential.
- -z
authorization Specifies the type of authorization used, such as
selforhost.If you cannot use a standard method for authorization, you can use the specific CAS server's identity as the value.
Alternatively, an environment variable can be set as shown here.
If none of the above are set, host authorization is done by default and the expected server credential is
cas/, where<fqdn><fqdn>is the fully qualified domain name of the host on which the CAS service is up.![[Note]](/docbook-images/note.gif)
Note If the service being contacted is using GSI Secure Transport , then the container credentials configured for the service will be used, even if service/resource level credentials are configured. Hence authorization needs to be done based on the DN of the container credentials.
Name
cas-get-object — Getting CAS object
Synopsis
cas-get-object [ options] type name
Tool description
The cas-get-object command returns the particular object of the said type and name.
Command Options
-
type Use one of the following to indicate the type of of CasObjects you want to get:
trustAnchoruseruserGroupobjectobjectGroupnamespaceserviceTypeserviceActionserviceActionGp
-
name Use one of the following to indicate the name of the specific CAS object you want to get:
nickname(if getting trustAnchor, user, userGroup, or namespace)objectNamespace objectName(if getting object or objectGroup)serviceTypeName(if getting serviceType, serviceAction, or serviceActionGp)
Common Options
Important
If you have an asterisk (*) in your command, you might need to escape it with a backslash ( \ ).
- -a, --anonymous
Enables anonymous authentication. Only supported with transport security or the GSI Secure Conversation authentication mechanism.
- -c, --serverCertificate
<file> Specifies the server's certificate file used for encryption. Only needed for the GSI Secure Message authentication mechanism.
- -debug
Runs the client with debug message traces and error stack traces.
- -f, --descriptor
<file> Specifies a client security descriptor. Overrides all other security settings.
- -help
Prints the usage message for the client.
- -l, --contextLifetime
<value> Sets the lifetime of the client security context.
valueis in milliseconds. Only supported with the GSI Secure Conversation authentication mechanism.- -m, --securityMech
<type> Specifies the authentication mechanism. The value
typecan be:msgfor GSI Secure Message, orconvfor GSI Secure Conversation.
- -p, --protection
<type> Specifies the protection level.
typecan be:sigfor signature, orencfor encryption.
- -s
cas-url Sets the CAS Service instance, where
cas-urlis the URL of the CAS service instance. Alternatively, an environment variable can be set as shown here.The instance URL typically looks like
http://Host:Port/wsrf/services/CASService, whereHostandPortare the host and port where the container with the CAS service is running.- -v
Prints the version number.
- -x, --proxyFilename
<value> Sets the proxy file to use as client credential.
- -z
authorization Specifies the type of authorization used, such as
selforhost.If you cannot use a standard method for authorization, you can use the specific CAS server's identity as the value.
Alternatively, an environment variable can be set as shown here.
If none of the above are set, host authorization is done by default and the expected server credential is
cas/, where<fqdn><fqdn>is the fully qualified domain name of the host on which the CAS service is up.![[Note]](/docbook-images/note.gif)
Note If the service being contacted is using GSI Secure Transport , then the container credentials configured for the service will be used, even if service/resource level credentials are configured. Hence authorization needs to be done based on the DN of the container credentials.
Name
cas-group-list-entries — Getting group members
Synopsis
cas-group-list-entries [ options] type name
Command Options
-
type Use one of the following to indicate the type of group for which you want a list of members:
userobjectserviceType
-
name - The name of the group.
Common Options
Important
If you have an asterisk (*) in your command, you might need to escape it with a backslash ( \ ).
- -a, --anonymous
Enables anonymous authentication. Only supported with transport security or the GSI Secure Conversation authentication mechanism.
- -c, --serverCertificate
<file> Specifies the server's certificate file used for encryption. Only needed for the GSI Secure Message authentication mechanism.
- -debug
Runs the client with debug message traces and error stack traces.
- -f, --descriptor
<file> Specifies a client security descriptor. Overrides all other security settings.
- -help
Prints the usage message for the client.
- -l, --contextLifetime
<value> Sets the lifetime of the client security context.
valueis in milliseconds. Only supported with the GSI Secure Conversation authentication mechanism.- -m, --securityMech
<type> Specifies the authentication mechanism. The value
typecan be:msgfor GSI Secure Message, orconvfor GSI Secure Conversation.
- -p, --protection
<type> Specifies the protection level.
typecan be:sigfor signature, orencfor encryption.
- -s
cas-url Sets the CAS Service instance, where
cas-urlis the URL of the CAS service instance. Alternatively, an environment variable can be set as shown here.The instance URL typically looks like
http://Host:Port/wsrf/services/CASService, whereHostandPortare the host and port where the container with the CAS service is running.- -v
Prints the version number.
- -x, --proxyFilename
<value> Sets the proxy file to use as client credential.
- -z
authorization Specifies the type of authorization used, such as
selforhost.If you cannot use a standard method for authorization, you can use the specific CAS server's identity as the value.
Alternatively, an environment variable can be set as shown here.
If none of the above are set, host authorization is done by default and the expected server credential is
cas/, where<fqdn><fqdn>is the fully qualified domain name of the host on which the CAS service is up.![[Note]](/docbook-images/note.gif)
Note If the service being contacted is using GSI Secure Transport , then the container credentials configured for the service will be used, even if service/resource level credentials are configured. Hence authorization needs to be done based on the DN of the container credentials.
Name
cas-find-policies — Getting policy information
Synopsis
cas-find-policies [ options] [-c cas-url] type name
Tool description
The cas-find-policies command returns all applicable policies, both policies that are implicit to the CAS server and those that are external.
Command options
-ccas-url- The URL of the CAS service.
-
type Use one of the following to indicate the type of CasObjects:
trustAnchoruseruserGroupobjectobjectGroupnamespaceserviceTypeserviceActionserviceActionGp
-
name Use the type of name corresponding to the appropriate CasObject:
nickname(for trustAnchors, users, or namespaces)groupName(for userGroups, objectGroups, or serviceActionGps)objectNamespace|objectName(for objects)serviceTypeName (or) serviceType/Action(for serviceTypes or serviceActions)
Common Options
Important
If you have an asterisk (*) in your command, you might need to escape it with a backslash ( \ ).
- -a, --anonymous
Enables anonymous authentication. Only supported with transport security or the GSI Secure Conversation authentication mechanism.
- -c, --serverCertificate
<file> Specifies the server's certificate file used for encryption. Only needed for the GSI Secure Message authentication mechanism.
- -debug
Runs the client with debug message traces and error stack traces.
- -f, --descriptor
<file> Specifies a client security descriptor. Overrides all other security settings.
- -help
Prints the usage message for the client.
- -l, --contextLifetime
<value> Sets the lifetime of the client security context.
valueis in milliseconds. Only supported with the GSI Secure Conversation authentication mechanism.- -m, --securityMech
<type> Specifies the authentication mechanism. The value
typecan be:msgfor GSI Secure Message, orconvfor GSI Secure Conversation.
- -p, --protection
<type> Specifies the protection level.
typecan be:sigfor signature, orencfor encryption.
- -s
cas-url Sets the CAS Service instance, where
cas-urlis the URL of the CAS service instance. Alternatively, an environment variable can be set as shown here.The instance URL typically looks like
http://Host:Port/wsrf/services/CASService, whereHostandPortare the host and port where the container with the CAS service is running.- -v
Prints the version number.
- -x, --proxyFilename
<value> Sets the proxy file to use as client credential.
- -z
authorization Specifies the type of authorization used, such as
selforhost.If you cannot use a standard method for authorization, you can use the specific CAS server's identity as the value.
Alternatively, an environment variable can be set as shown here.
If none of the above are set, host authorization is done by default and the expected server credential is
cas/, where<fqdn><fqdn>is the fully qualified domain name of the host on which the CAS service is up.![[Note]](/docbook-images/note.gif)
Note If the service being contacted is using GSI Secure Transport , then the container credentials configured for the service will be used, even if service/resource level credentials are configured. Hence authorization needs to be done based on the DN of the container credentials.
Name
query-cas-service — Query CAS Service (using OGSA AuthZ interface)
Synopsis
query-cas-service [ options] assertionFilename
Tool description
The query-cas-service command returns a SAML Response containg SAML Assertions with user rights for a given SAML Query. This client uses the OGSA AuthZ interface and writes out the retrieved assertion to a file.
Common Options
Important
If you have an asterisk (*) in your command, you might need to escape it with a backslash ( \ ).
- -a, --anonymous
Enables anonymous authentication. Only supported with transport security or the GSI Secure Conversation authentication mechanism.
- -c, --serverCertificate
<file> Specifies the server's certificate file used for encryption. Only needed for the GSI Secure Message authentication mechanism.
- -debug
Runs the client with debug message traces and error stack traces.
- -f, --descriptor
<file> Specifies a client security descriptor. Overrides all other security settings.
- -help
Prints the usage message for the client.
- -l, --contextLifetime
<value> Sets the lifetime of the client security context.
valueis in milliseconds. Only supported with the GSI Secure Conversation authentication mechanism.- -m, --securityMech
<type> Specifies the authentication mechanism. The value
typecan be:msgfor GSI Secure Message, orconvfor GSI Secure Conversation.
- -p, --protection
<type> Specifies the protection level.
typecan be:sigfor signature, orencfor encryption.
- -s
cas-url Sets the CAS Service instance, where
cas-urlis the URL of the CAS service instance. Alternatively, an environment variable can be set as shown here.The instance URL typically looks like
http://Host:Port/wsrf/services/CASService, whereHostandPortare the host and port where the container with the CAS service is running.- -v
Prints the version number.
- -x, --proxyFilename
<value> Sets the proxy file to use as client credential.
- -z
authorization Specifies the type of authorization used, such as
selforhost.If you cannot use a standard method for authorization, you can use the specific CAS server's identity as the value.
Alternatively, an environment variable can be set as shown here.
If none of the above are set, host authorization is done by default and the expected server credential is
cas/, where<fqdn><fqdn>is the fully qualified domain name of the host on which the CAS service is up.![[Note]](/docbook-images/note.gif)
Note If the service being contacted is using GSI Secure Transport , then the container credentials configured for the service will be used, even if service/resource level credentials are configured. Hence authorization needs to be done based on the DN of the container credentials.
Table of Contents
- cas-proxy-init - Generate a CAS proxy
- cas-wrap - Runs program with CAS credentials
- cas-enroll - Enroll a CAS Object
- cas-remove - Remove a CAS object from the database
- cas-action - Maintains service types
- cas-group-admin - Maintains user groups, object groups, or serviceAction groups
- cas-group-add-entry - Adds CAS objects to CAS groups
- cas-group-remove-entry - Removing CAS objects from CAS groups
- cas-rights-admin - Granting or revoking permissions
Name
cas-proxy-init — Generate a CAS proxy
Synopsis
cas-proxy-init [common options] [ -p proxyfile | -t tag ]
Tool description
The cas-proxy-init command contacts a CAS server, obtains an assertion for the user, and embeds it in a credential. This credential can be used to access CAS-enabled services.
Options
Command-specific options
- -b
policyFileName Generate a CAS credential that includes only those permissions specified in file
policyFileName(the default is to generate a credential with all the user's permissions). Details about the template of the file is provided here.- -u
tag Choose a filename in which to store the CAS credential based on the value
tag. Cannot be used with the-poption.- -w
generatedCredFile Specify the file in which to store the CAS credential. Cannot be used with the
-toption.
Common Options
Important
If you have an asterisk (*) in your command, you might need to escape it with a backslash ( \ ).
- -a, --anonymous
Enables anonymous authentication. Only supported with transport security or the GSI Secure Conversation authentication mechanism.
- -c, --serverCertificate
<file> Specifies the server's certificate file used for encryption. Only needed for the GSI Secure Message authentication mechanism.
- -debug
Runs the client with debug message traces and error stack traces.
- -f, --descriptor
<file> Specifies a client security descriptor. Overrides all other security settings.
- -help
Prints the usage message for the client.
- -l, --contextLifetime
<value> Sets the lifetime of the client security context.
valueis in milliseconds. Only supported with the GSI Secure Conversation authentication mechanism.- -m, --securityMech
<type> Specifies the authentication mechanism. The value
typecan be:msgfor GSI Secure Message, orconvfor GSI Secure Conversation.
- -p, --protection
<type> Specifies the protection level.
typecan be:sigfor signature, orencfor encryption.
- -s
cas-url Sets the CAS Service instance, where
cas-urlis the URL of the CAS service instance. Alternatively, an environment variable can be set as shown here.The instance URL typically looks like
http://Host:Port/wsrf/services/CASService, whereHostandPortare the host and port where the container with the CAS service is running.- -v
Prints the version number.
- -x, --proxyFilename
<value> Sets the proxy file to use as client credential.
- -z
authorization Specifies the type of authorization used, such as
selforhost.If you cannot use a standard method for authorization, you can use the specific CAS server's identity as the value.
Alternatively, an environment variable can be set as shown here.
If none of the above are set, host authorization is done by default and the expected server credential is
cas/, where<fqdn><fqdn>is the fully qualified domain name of the host on which the CAS service is up.![[Note]](/docbook-images/note.gif)
Note If the service being contacted is using GSI Secure Transport , then the container credentials configured for the service will be used, even if service/resource level credentials are configured. Hence authorization needs to be done based on the DN of the container credentials.
Usage
The following gets the assertion from the CAS server, generates a proxy with the assertion and writes it out to "casProxy".
cas-proxy-init -p casProxy
Requesting specific permissions from the CAS server
It is possible to request specific permissions from the CAS server
using the -f option. This option causes cas-proxy-init
to read a set of requested rights from a file.
This file should contain one or more resource identifiers:
Resource:ResourceNamespace|ResourceName
For each resource, there should be one or more action identifiers:
serviceType actionFor example, if the client needed assertions for "file/read" service/action (permission) on two resources ("ftp://sample1.org" and "ftp://sample3.org", both in "FTPNamespace") but "directory/read" and "directory/write" permissions on the former resource only, the policy file should have the following entries:
Resource: FTPNamespace|ftp://sample1.org
file read
directory read
directory write
Resource: FTPNamespace|ftp://sample3.org
file readTo indicate any resource, the following wildcard notation should be used:
uri:samlResourceWildcard
To indicate any action, the following wildcard notation for
serviceType and action should be used. Note that this should be the
first (and clearly the only action) in the list of actions
specified. All other actions in the list are ignored and if it is not
the first, it is not treated as a wildcard.
uri:samlActionNSWildcard uri:samlActionWildcard
For example, if the client needs assertions for all resources and all actions, the policy file should look like:
Resource: uri:samlResourceWildcard
uri:samlActionNSWildcard uri:samlActionWildcardIf the client needs assertions for all actions on resource "FTPNamespace|ftp://sample1.org", the policy file should be as follows:
Resource: FTPNamespace|ftp://sample1.org
uri:samlActionNSWildcard uri:samlActionWildcard
Name
cas-wrap — Runs program with CAS credentials
Synopsis
cas-wrap [common options] [ -p proxyfile | -t tag ]
Tool description
The cas-wrap command runs a grid-enabled program, causing it to use previously-generated CAS credentials.
This command invokes the given command with the given argument using the specified previously-generated CAS credential. For example:
casAdmin$ cas-wrap -t my-community gsincftp myhost.eduwill look for a credential generated by a previous execution of:
casAdmin$ cas-proxy-init -t my-communityand then set the environment to use that credential while running the command:
casAdmin$ gsincftp myhost.eduThe second form should be used if cas-proxy-init was
run with the -p option. For example:
casAdmin$ cas-wrap -p /path/to/my/cas/credential gsincftp myhost.eduwill look for a credential generated by a previous execution of:
casAdmin$ cas-proxy-init -p /path/to/my/cas/credential and then set the environment to use that credential while running the command:
casAdmin$ gsincftp myhost.eduOptions
Command-specific Options
- -p
proxyfile Specify the file in which to store the CAS credential. Cannot be used with the
-toption.- -t
tag Choose a filename in which to store the CAS credential based on the value
tag. Cannot be used with the-poption.
Common Options
Important
If you have an asterisk (*) in your command, you might need to escape it with a backslash ( \ ).
- -a, --anonymous
Enables anonymous authentication. Only supported with transport security or the GSI Secure Conversation authentication mechanism.
- -c, --serverCertificate
<file> Specifies the server's certificate file used for encryption. Only needed for the GSI Secure Message authentication mechanism.
- -debug
Runs the client with debug message traces and error stack traces.
- -f, --descriptor
<file> Specifies a client security descriptor. Overrides all other security settings.
- -help
Prints the usage message for the client.
- -l, --contextLifetime
<value> Sets the lifetime of the client security context.
valueis in milliseconds. Only supported with the GSI Secure Conversation authentication mechanism.- -m, --securityMech
<type> Specifies the authentication mechanism. The value
typecan be:msgfor GSI Secure Message, orconvfor GSI Secure Conversation.
- -p, --protection
<type> Specifies the protection level.
typecan be:sigfor signature, orencfor encryption.
- -s
cas-url Sets the CAS Service instance, where
cas-urlis the URL of the CAS service instance. Alternatively, an environment variable can be set as shown here.The instance URL typically looks like
http://Host:Port/wsrf/services/CASService, whereHostandPortare the host and port where the container with the CAS service is running.- -v
Prints the version number.
- -x, --proxyFilename
<value> Sets the proxy file to use as client credential.
- -z
authorization Specifies the type of authorization used, such as
selforhost.If you cannot use a standard method for authorization, you can use the specific CAS server's identity as the value.
Alternatively, an environment variable can be set as shown here.
If none of the above are set, host authorization is done by default and the expected server credential is
cas/, where<fqdn><fqdn>is the fully qualified domain name of the host on which the CAS service is up.![[Note]](/docbook-images/note.gif)
Note If the service being contacted is using GSI Secure Transport , then the container credentials configured for the service will be used, even if service/resource level credentials are configured. Hence authorization needs to be done based on the DN of the container credentials.
Name
cas-enroll — Enroll a CAS Object
Synopsis
cas-enroll [common options] trustAnchor userGpName nickname authMethod authData cas-enroll [common options] namespace userGpName nickname basename comparisonAlg cas-enroll [common options] object userGpName objectName namespaceNick cas-enroll [common options] serviceType userGpName serviceTypeName
Tool description
This command line client is used to enroll a CAS Object, which includes trust anchors, namespaces, objects and service types.
Enrolling Trust Anchors
To enroll a trust anchor, the user must have cas/enroll_trustAnchor permission on that CAS server object (that is, the user must have permission to perform the enroll_trustAnchor action on the CAS service type).
The enroll operation allows the user to choose a user group to which cas/grantAll permission on the enrolled object should be granted. The nickname should be unique across the CAS database and is used to refer to this trust anchor.
To enroll trust anchors:
casAdmin$cas-enroll [common options] trustAnchoruserGpNamenicknameauthMethodauthData
where:
userGpName- Indicates the user group to which cas/grantAll permission should be granted on this trust anchor entity.
nickname- Indicates the trust anchor nickname.
authMethod- Indicates the authentication method used by the trust anchor.
-
authData - Indicates the data used for authentication, typically the DN.
Enrolling Namespaces
To enroll a namespace, the user must have cas/enroll_namespace permission (that is, the user must have permission to perform the enroll_namespace action on the cas service type).
The enroll operation allows the user to choose a userGroup to have cas/grantAll permission on the enrolled object. The comparison algorithm specified should be the name of the Comparison class that needs to be used to compare objects that belong to this namespace. The nickname should be unique across the CAS database and is used to refer to this user.
Also, two namespaces are added to the CAS database at boot up time, other than the inherent CAS Namespace:
FTPDirectoryTreeuses the WildCardComparison Algorithm and has the base URL set to the current directory.FTPExactuses the ExactComparison Algorithm and has the base URL set to the current directory.
To enroll namespaces:
casAdmin$cas-enroll [common options] namespaceuserGpNamenicknamebasenamecomparisonAlg
where:
-
userGpName - Indicates the user group to which cas/grantAll permission should be granted on this trust anchor entity.
nicknameIndicates the nickname of the namespace to be unenrolled.
If the trust anchor nickname specified does not exist, an error is not thrown. If the unenroll operation is successful, all policy data on that trust anchor is purged.
basename- Indicates the base URL for the namespace.
comparisonAlgIndicates the comparison algorithm to be used. Unless the standard comparison algorithms described below are used, the fully qualified name of the class that needs to be used should be given. The class needs to extend from the abstract class
org.globus.cas.impl.service.ObjectComparison.The two comparison classes provided as a part of the distribution are:
ExactComparison: This class does a case-sensitive exact comparison of the object names. IfcomparisonAlgin the above method is set toExactComparison, the class in the distribution is loaded and used.WildcardComparison: This class does wild card matching as described in CAS Simple Policy Language. It assumes that the wild card character is "*" and that the file separator is "/". IfcomparisonAlgin the above method is set toWildCardComparison, the class in the distribution is loaded and used.
Enrolling Objects
To enroll an object, the user must have cas/enroll_object permission (that is, the use must have permission to perform the enroll_object action on the cas service type).
The enroll operation allows the user to choose a userGroup to have cas/grantAll permission on the enrolled object. The name of the object and the namespace this object belongs to identify an object in the database and should be unique across the CAS database.
To enroll objects:
casAdmin$cas-enroll [common options] objectuserGpNameobjectNamenamespaceNick
where:
userGpName- Indicates the user group to which cas/grantAll permission should be granted on this trust anchor entity.
objectName- Indicates the name of the object.
namespaceNick- Indicates the nickname of the namespace to which this object belongs.
Enrolling Service Types
To enroll a service type, the user must have cas/enroll_serviceType permission (that is, the user must have permission to perform the enroll_serviceType action on the cas service type).
The enroll operation allows the user to choose a userGroup to have cas/grantAll permission on the enrolled service type. The service type name should be unique across the CAS database.
To enroll service types:
casAdmin$cas-enroll [common options] serviceTypeuserGpNameserviceTypeName
where:
userGpName- Indicates the user group to which cas/grantAll permission should be granted on this trust anchor entity.
serviceTypeName- Indicates the service type name.
Options
Important
If you have an asterisk (*) in your command, you might need to escape it with a backslash ( \ ).
- -a, --anonymous
Enables anonymous authentication. Only supported with transport security or the GSI Secure Conversation authentication mechanism.
- -c, --serverCertificate
<file> Specifies the server's certificate file used for encryption. Only needed for the GSI Secure Message authentication mechanism.
- -debug
Runs the client with debug message traces and error stack traces.
- -f, --descriptor
<file> Specifies a client security descriptor. Overrides all other security settings.
- -help
Prints the usage message for the client.
- -l, --contextLifetime
<value> Sets the lifetime of the client security context.
valueis in milliseconds. Only supported with the GSI Secure Conversation authentication mechanism.- -m, --securityMech
<type> Specifies the authentication mechanism. The value
typecan be:msgfor GSI Secure Message, orconvfor GSI Secure Conversation.
- -p, --protection
<type> Specifies the protection level.
typecan be:sigfor signature, orencfor encryption.
- -s
cas-url Sets the CAS Service instance, where
cas-urlis the URL of the CAS service instance. Alternatively, an environment variable can be set as shown here.The instance URL typically looks like
http://Host:Port/wsrf/services/CASService, whereHostandPortare the host and port where the container with the CAS service is running.- -v
Prints the version number.
- -x, --proxyFilename
<value> Sets the proxy file to use as client credential.
- -z
authorization Specifies the type of authorization used, such as
selforhost.If you cannot use a standard method for authorization, you can use the specific CAS server's identity as the value.
Alternatively, an environment variable can be set as shown here.
If none of the above are set, host authorization is done by default and the expected server credential is
cas/, where<fqdn><fqdn>is the fully qualified domain name of the host on which the CAS service is up.![[Note]](/docbook-images/note.gif)
Note If the service being contacted is using GSI Secure Transport , then the container credentials configured for the service will be used, even if service/resource level credentials are configured. Hence authorization needs to be done based on the DN of the container credentials.
Usage
For detailed examples of using this command, see Chapter 6, Example of CAS Server Administration .
Name
cas-remove — Remove a CAS object from the database
Synopsis
cas-remove [common options] trustAnchor nickname cas-remove [common options] namespace nickname cas-remove [common options] object objName namespaceNick cas-remove [common options] serviceType serviceTypeName
Tool description
Removing Trust Anchors
To remove a trust anchor, the user must have cas/remove permission on that trust anchor. The trust anchor must also be unused (that is, there may not be any users in the database that have this trust anchor or it may not be a part of any object group).
To remove trust anchors:
casAdmin$cas-remove [options] trustAnchornickname
where:
nicknameIndicates the nickname of the trust anchor to be unenrolled.
If the trust anchor nickname specified does not exist, an error is not thrown. If the unenroll operation is successful, all policy data on that trust anchor is purged.
Removing Namespaces
To remove a namespace, the user must have cas/remove permission on that namespace. The namespace must also be unused — that is, there may not be any object in the database that belongs to this namespace.
casAdmin$cas-remove [options] namespacenickname
where:
nicknameIndicates the nickname of the namespace to be unenrolled.
If the namespace nickname specified does not exist, an error is not thrown. If the remove operation is successful, all policy data on that trust anchor is purged.
Removing Objects
To remove an object the user must have cas/remove permission on that object. The object must also be unused — that is, there may not be any object group in the database that this object belongs to.
casAdmin$cas-remove [options] objectobjNamenamespaceNick
where:
objName- Indicates the name of the object to be removed.
namespaceNickIndicates the nickname of the namespace to which this object belongs.
If the object specified does not exist, an error is not thrown. If the remove operation is successful, all policy data on that object is purged.
Removing Service Types
To remove a service type the user must have cas/remove permission on that service type. The service type must also be unused — that is, there may not be any service type to action mapping.
casAdmin$cas-remove [options] serviceTypeserviceTypeName
where:
serviceTypeNameIndicates the service type name.
If the service type specified does not exist, an error is not thrown. If the remove operation is successful, all policy data on that service type is purged.
Options
Important
If you have an asterisk (*) in your command, you might need to escape it with a backslash ( \ ).
- -a, --anonymous
Enables anonymous authentication. Only supported with transport security or the GSI Secure Conversation authentication mechanism.
- -c, --serverCertificate
<file> Specifies the server's certificate file used for encryption. Only needed for the GSI Secure Message authentication mechanism.
- -debug
Runs the client with debug message traces and error stack traces.
- -f, --descriptor
<file> Specifies a client security descriptor. Overrides all other security settings.
- -help
Prints the usage message for the client.
- -l, --contextLifetime
<value> Sets the lifetime of the client security context.
valueis in milliseconds. Only supported with the GSI Secure Conversation authentication mechanism.- -m, --securityMech
<type> Specifies the authentication mechanism. The value
typecan be:msgfor GSI Secure Message, orconvfor GSI Secure Conversation.
- -p, --protection
<type> Specifies the protection level.
typecan be:sigfor signature, orencfor encryption.
- -s
cas-url Sets the CAS Service instance, where
cas-urlis the URL of the CAS service instance. Alternatively, an environment variable can be set as shown here.The instance URL typically looks like
http://Host:Port/wsrf/services/CASService, whereHostandPortare the host and port where the container with the CAS service is running.- -v
Prints the version number.
- -x, --proxyFilename
<value> Sets the proxy file to use as client credential.
- -z
authorization Specifies the type of authorization used, such as
selforhost.If you cannot use a standard method for authorization, you can use the specific CAS server's identity as the value.
Alternatively, an environment variable can be set as shown here.
If none of the above are set, host authorization is done by default and the expected server credential is
cas/, where<fqdn><fqdn>is the fully qualified domain name of the host on which the CAS service is up.![[Note]](/docbook-images/note.gif)
Note If the service being contacted is using GSI Secure Transport , then the container credentials configured for the service will be used, even if service/resource level credentials are configured. Hence authorization needs to be done based on the DN of the container credentials.
Name
cas-action — Maintains service types
Synopsis
cas-action [common options] [ add | remove ] serviceTypeName actionName
Tool description
Use the cas-action command to add an action mapping to a service type or remove an action mapping from a service type.
To add an action mapping to a service type, the user must have cas/create_group_entry permission on the service type.
To remove a service type action mapping, the user must have cas/delete_group_entry permission on the service type.
If the group member being removed does not exist, an error is not thrown.
Options
Important
If you have an asterisk (*) in your command, you might need to escape it with a backslash ( \ ).
- -a, --anonymous
Enables anonymous authentication. Only supported with transport security or the GSI Secure Conversation authentication mechanism.
- -c, --serverCertificate
<file> Specifies the server's certificate file used for encryption. Only needed for the GSI Secure Message authentication mechanism.
- -debug
Runs the client with debug message traces and error stack traces.
- -f, --descriptor
<file> Specifies a client security descriptor. Overrides all other security settings.
- -help
Prints the usage message for the client.
- -l, --contextLifetime
<value> Sets the lifetime of the client security context.
valueis in milliseconds. Only supported with the GSI Secure Conversation authentication mechanism.- -m, --securityMech
<type> Specifies the authentication mechanism. The value
typecan be:msgfor GSI Secure Message, orconvfor GSI Secure Conversation.
- -p, --protection
<type> Specifies the protection level.
typecan be:sigfor signature, orencfor encryption.
- -s
cas-url Sets the CAS Service instance, where
cas-urlis the URL of the CAS service instance. Alternatively, an environment variable can be set as shown here.The instance URL typically looks like
http://Host:Port/wsrf/services/CASService, whereHostandPortare the host and port where the container with the CAS service is running.- -v
Prints the version number.
- -x, --proxyFilename
<value> Sets the proxy file to use as client credential.
- -z
authorization Specifies the type of authorization used, such as
selforhost.If you cannot use a standard method for authorization, you can use the specific CAS server's identity as the value.
Alternatively, an environment variable can be set as shown here.
If none of the above are set, host authorization is done by default and the expected server credential is
cas/, where<fqdn><fqdn>is the fully qualified domain name of the host on which the CAS service is up.![[Note]](/docbook-images/note.gif)
Note If the service being contacted is using GSI Secure Transport , then the container credentials configured for the service will be used, even if service/resource level credentials are configured. Hence authorization needs to be done based on the DN of the container credentials.
Name
cas-group-admin — Maintains user groups, object groups, or serviceAction groups
Synopsis
cas-group-admin [common options] [ user | object | serviceAction ] create userGpName groupName cas-group-admin [common options] [ user | object | serviceAction ] delete groupName
Tool description
Use cas-group-admin to create or delete user groups, object groups, or serviceAction groups. Note: to add or delete entries to these groups, see [fixme olink to other clients].
Adding user groups
To create a new user group the user must have cas/create_user_group permission (that is, the user must have permission to perform the create_user_group action on the cas service type). The user group name should be unique across the CAS database. The create operation allows the user to choose a user group to have cas/grantAll permission on the created user group. If the user group that is chosen to have cas/grantAll permission is the new group created, then the user making this request is added to the new group.
To add a user group:
casAdmin$cas-group-admin [common options] user createuserGpNamegroupName
where:
userGpName- Indicates the user group to which cas/grantAll permission should be granted on this trust anchor entity.
groupName- Indicates the name of the user group being created.
Deleting user groups
To delete a user group, the user must have cas/delete_user_group entry permission on that user group. The group must be empty and also must not be referenced from other entities in the database (for example, it should not be a member of some object group).
If the user group specified does not exist, an error is not thrown. If the delete operation is successful, all policy data on that user group is purged.
casAdmin$cas-group-admin [common options] user deletegroupName
where:
groupName- Indicates the name of the user group to be deleted.
Creating An Object Group
To create a new object group, the user must have cas/create_object_group permission (that is, the user must have permission to perform the create_object_group action on the CAS service type). The object group name should be unique across the CAS database. The create operation allows the user to choose a user group to have cas/grantAll permission on the created object group.
casAdmin$cas-group-admin [common options] object createuserGpNamegroupName
where:
userGpName- Indicates the user group to which cas/grantAll permission should be granted on this object group.
groupName- Indicates the object group name.
Deleting An Object Group
To delete an object group, the user must have cas/delete_user_group entry permission on that object group. The group must be empty.
If the object group specified does not exist, an error is not thrown. If the delete operation is successful, all policy data on that object group is purged.
casAdmin$cas-group-admin [common options] object deletegroupName
where:
groupName- The name of the object group to be deleted.
Creating A Service/Action Group
To create a new service/action group, the user must have cas/create_serviceAction_group permission (that is, the user must have permission to perform the create_serviceAction_group action on the CAS service type). The serviceAction group name should be unique across the CAS database. The create operation allows the user to choose a user group to have cas/grantAll permission on the created serviceAction group.
casAdmin$cas-group-admin [common options] serviceAction createuserGpNamegroupName
where:
-
userGpName - Indicates the user group to which cas/grantAll permission should be granted on this service/action group.
groupName- Indicates the name of the service/action group being created.
Deleting A Service/Action Group
To delete a service/action group, the user must have cas/delete_user_group entry permission on that service/action group. The group must be empty and also must not be referenced from any other entity in the database. For example, it should not be a member of some object group.
If the service/action group specified does not exist, an error is not thrown. If the delete operation is successful, all policy data on that service/action group is purged.
casAdmin$cas-group-admin [common options] serviceAction deletegroupName
where:
-
groupName - Indicates the name of the service/action group to be deleted.
Options
Important
If you have an asterisk (*) in your command, you might need to escape it with a backslash ( \ ).
- -a, --anonymous
Enables anonymous authentication. Only supported with transport security or the GSI Secure Conversation authentication mechanism.
- -c, --serverCertificate
<file> Specifies the server's certificate file used for encryption. Only needed for the GSI Secure Message authentication mechanism.
- -debug
Runs the client with debug message traces and error stack traces.
- -f, --descriptor
<file> Specifies a client security descriptor. Overrides all other security settings.
- -help
Prints the usage message for the client.
- -l, --contextLifetime
<value> Sets the lifetime of the client security context.
valueis in milliseconds. Only supported with the GSI Secure Conversation authentication mechanism.- -m, --securityMech
<type> Specifies the authentication mechanism. The value
typecan be:msgfor GSI Secure Message, orconvfor GSI Secure Conversation.
- -p, --protection
<type> Specifies the protection level.
typecan be:sigfor signature, orencfor encryption.
- -s
cas-url Sets the CAS Service instance, where
cas-urlis the URL of the CAS service instance. Alternatively, an environment variable can be set as shown here.The instance URL typically looks like
http://Host:Port/wsrf/services/CASService, whereHostandPortare the host and port where the container with the CAS service is running.- -v
Prints the version number.
- -x, --proxyFilename
<value> Sets the proxy file to use as client credential.
- -z
authorization Specifies the type of authorization used, such as
selforhost.If you cannot use a standard method for authorization, you can use the specific CAS server's identity as the value.
Alternatively, an environment variable can be set as shown here.
If none of the above are set, host authorization is done by default and the expected server credential is
cas/, where<fqdn><fqdn>is the fully qualified domain name of the host on which the CAS service is up.![[Note]](/docbook-images/note.gif)
Note If the service being contacted is using GSI Secure Transport , then the container credentials configured for the service will be used, even if service/resource level credentials are configured. Hence authorization needs to be done based on the DN of the container credentials.
Name
cas-group-add-entry — Adds CAS objects to CAS groups
Synopsis
cas-group-add-entry [common options] user groupName nickname cas-group-add-entry [common options] object groupName objectSpecDesc objectSpec cas-group-add-entry [common options] serviceAction groupName serviceTypeName actionName
Tool description
Use cas-group-add-entry to add users to a user group, objects to an object group, or service/actions to service/action groups. Note: to add or delete groups, see [fixme olink to other clients].
Adding Member To A User Group
To add a user to a user group, the user must have cas/add_group_entry permission on that particular user group. Only user nicknames that exist in the CAS database can be valid members.
casAdmin$cas-group-add-entry [common options] usergroupNamenickname
where:
-
groupName - Indicates the user group name to which the member needs to be added.
-
nickname - Indicates the nickname of the user to be added to this group.
Adding Member To An Object Group
To add a member (an object group can have the following CasObjects as members: object, user, user group, service type, namespace or trust anchor) to an object group, the user must have cas/add_group_entry permission on that particular object group.
casAdmin$cas-group-add-entry [common options] objectgroupNameobjectSpecDescobjectSpec
where:
-
groupName - Indicates the object group name to which the member needs to be added.
-
objectSpecDesc Indicates the type of CasObject. Can be one of the following options:
trustAnchoruseruserGroupobjectnamespaceserviceType
-
objectSpec Indicates the identifier for the CasObject the user is adding. Can be one of the following:
nicknameif adding a trustAnchor or usergroupNameif adding a userGroupobjectNamespaceobjectName if adding an objectnicknameif adding a namespaceserviceTypeNameif adding a serviceType
Adding Service/Action To A Service/Action Group
To add a service/action to a serviceAction group, the user must have cas/add_group_entry permission on that particular serviceAction group (that is, the user must have permission to perform add_group_entry action on that service action group).
casAdmin$cas-group-add-entry [common options] serviceActiongroupNameserviceTypeNameactionName
where:
-
groupName - Indicates the service/action group to which the service/action needs to be added.
-
serviceTypeName - Indicates the service type name part of the mapping to be added to the group.
-
actionName - Indicates the action name part of the mapping to be added to the group.
Options
Important
If you have an asterisk (*) in your command, you might need to escape it with a backslash ( \ ).
- -a, --anonymous
Enables anonymous authentication. Only supported with transport security or the GSI Secure Conversation authentication mechanism.
- -c, --serverCertificate
<file> Specifies the server's certificate file used for encryption. Only needed for the GSI Secure Message authentication mechanism.
- -debug
Runs the client with debug message traces and error stack traces.
- -f, --descriptor
<file> Specifies a client security descriptor. Overrides all other security settings.
- -help
Prints the usage message for the client.
- -l, --contextLifetime
<value> Sets the lifetime of the client security context.
valueis in milliseconds. Only supported with the GSI Secure Conversation authentication mechanism.- -m, --securityMech
<type> Specifies the authentication mechanism. The value
typecan be:msgfor GSI Secure Message, orconvfor GSI Secure Conversation.
- -p, --protection
<type> Specifies the protection level.
typecan be:sigfor signature, orencfor encryption.
- -s
cas-url Sets the CAS Service instance, where
cas-urlis the URL of the CAS service instance. Alternatively, an environment variable can be set as shown here.The instance URL typically looks like
http://Host:Port/wsrf/services/CASService, whereHostandPortare the host and port where the container with the CAS service is running.- -v
Prints the version number.
- -x, --proxyFilename
<value> Sets the proxy file to use as client credential.
- -z
authorization Specifies the type of authorization used, such as
selforhost.If you cannot use a standard method for authorization, you can use the specific CAS server's identity as the value.
Alternatively, an environment variable can be set as shown here.
If none of the above are set, host authorization is done by default and the expected server credential is
cas/, where<fqdn><fqdn>is the fully qualified domain name of the host on which the CAS service is up.![[Note]](/docbook-images/note.gif)
Note If the service being contacted is using GSI Secure Transport , then the container credentials configured for the service will be used, even if service/resource level credentials are configured. Hence authorization needs to be done based on the DN of the container credentials.
Name
cas-group-remove-entry — Removing CAS objects from CAS groups
Synopsis
cas-group-remove-entry [common options] user groupName nickname cas-group-remove-entry [common options] object groupName objectSpec objectSpecDesc cas-group-remove-entry [common options] serviceAction groupName serviceTypeName actionName
Tool description
Use cas-group-remove-entry to remove users from a user group, objects from an object group, or service/actions from a service/action group. Note: to add or delete groups, see [fixme olink to other clients].
Removing User From A User Group
To remove a user from a user group, the user must have cas/remove_group_entry permission on that particular user group.
If the group member being removed does not exist, an error is not thrown.
casAdmin$cas-group-remove-entry [common options] usergroupNamenickname
where:
-
groupName - Indicates the user group name from which the member needs to be removed.
-
nickname - Indicates the nickname of the user to be removed from this group.
Removing Member From An Object Group
To remove an object from an object group the user must have cas/remove_group_entry permission on that particular object group:
If the group member being removed does not exist, an error is not thrown.
casAdmin$cas-group-remove-entry [common options] objectgroupNameobjectSpecobjectSpecDesc
where:
-
groupName - Indicates the object group name from which the member needs to be removed.
-
objectSpecDesc Indicates the type of CasObject. Can be one of the following options:
trustAnchoruseruserGroupobjectnamespaceserviceType
-
objectSpec Indicates the identifier for the CasObject the user is adding. Can be one of the following:
nicknameif adding a trustAnchor or usergroupNameif adding a userGroupobjectNamespaceobjectName if adding an objectnicknameif adding a namespaceserviceTypeNameif adding a serviceType
Removing A Service/Action From A Service/Action Group
To remove a service/action from a service/action group, the user must have cas/remove_group_entry permission on that particular service/action group.
If the action being removed does not exist, an error is not thrown.
casAdmin$cas-group-remove-entry [common options] serviceActiongroupNameserviceTypeNameactionName
where:
-
groupName - Indicates the serviceAction group name from which the service/action needs to be removed.
-
serviceTypeName - Indicates the service type name part of the mapping to be removed from the group.
-
actionName - Indicates the action name part of the mapping to be removed from the group.
Options
Important
If you have an asterisk (*) in your command, you might need to escape it with a backslash ( \ ).
- -a, --anonymous
Enables anonymous authentication. Only supported with transport security or the GSI Secure Conversation authentication mechanism.
- -c, --serverCertificate
<file> Specifies the server's certificate file used for encryption. Only needed for the GSI Secure Message authentication mechanism.
- -debug
Runs the client with debug message traces and error stack traces.
- -f, --descriptor
<file> Specifies a client security descriptor. Overrides all other security settings.
- -help
Prints the usage message for the client.
- -l, --contextLifetime
<value> Sets the lifetime of the client security context.
valueis in milliseconds. Only supported with the GSI Secure Conversation authentication mechanism.- -m, --securityMech
<type> Specifies the authentication mechanism. The value
typecan be:msgfor GSI Secure Message, orconvfor GSI Secure Conversation.
- -p, --protection
<type> Specifies the protection level.
typecan be:sigfor signature, orencfor encryption.
- -s
cas-url Sets the CAS Service instance, where
cas-urlis the URL of the CAS service instance. Alternatively, an environment variable can be set as shown here.The instance URL typically looks like
http://Host:Port/wsrf/services/CASService, whereHostandPortare the host and port where the container with the CAS service is running.- -v
Prints the version number.
- -x, --proxyFilename
<value> Sets the proxy file to use as client credential.
- -z
authorization Specifies the type of authorization used, such as
selforhost.If you cannot use a standard method for authorization, you can use the specific CAS server's identity as the value.
Alternatively, an environment variable can be set as shown here.
If none of the above are set, host authorization is done by default and the expected server credential is
cas/, where<fqdn><fqdn>is the fully qualified domain name of the host on which the CAS service is up.![[Note]](/docbook-images/note.gif)
Note If the service being contacted is using GSI Secure Transport , then the container credentials configured for the service will be used, even if service/resource level credentials are configured. Hence authorization needs to be done based on the DN of the container credentials.
Name
cas-rights-admin — Granting or revoking permissions
Synopsis
cas-rights-admin [common options] [ grant | revoke ] userGroupName objectSpecDesc objectSpec actionSpecDesc actionSpec
Tool description
Use cas-rights-admin to grant or revoke rights.
Granting Permissions To A User Group On An Object/Object Group
The user may grant permissions to a user group on an object or object group to perform a service action or service action group (that is, to perform any action that is a member of the service action group to which permission is granted), provided the user has both:
- cas/grant permission on the object or object group, and
- permission to perform the service action or service action group on the object or object group.
casAdmin$cas-rights-admin [common options] grantuserGroupNameobjectSpecDescobjectSpecactionSpecDescactionSpec
where:
-
userGroupName - Indicates the user group to be granted permission.
-
objectSpec - Indicates the identifier for the object or object group.
-
objectSpecDesc Indicates the type:
objectobjectGroup
-
actionSpec - Indicates the identifier for action or action group.
-
actionSpecDesc Indicates the type:
serviceActionserviceActionGp
Revoking A Policy In The CAS Database
The user may revoke a policy in the CAS database if the user has cas/revoke permission on the object or object group on which the policy is defined.
casAdmin$cas-rights-admin [common options] revokeuserGroupNameobjectSpecDescobjectSpecactionSpecDescactionSpec
where:
-
userGroupName - Indicates the user group for which you want to grant permission.
-
objectSpecDesc Indicates the type of CasObject. Can be one of the following:
trustAnchoruseruserGroupobjectnamespaceserviceTypeuserGroup
-
objectSpec - Indicates the identifier for the object or object group.
-
actionSpec - Indicates the identifier for the action or action group.
-
actionSpecDesc - Indicates the type (serviceAction or serviceActionGp).
Options
Important
If you have an asterisk (*) in your command, you might need to escape it with a backslash ( \ ).
- -a, --anonymous
Enables anonymous authentication. Only supported with transport security or the GSI Secure Conversation authentication mechanism.
- -c, --serverCertificate
<file> Specifies the server's certificate file used for encryption. Only needed for the GSI Secure Message authentication mechanism.
- -debug
Runs the client with debug message traces and error stack traces.
- -f, --descriptor
<file> Specifies a client security descriptor. Overrides all other security settings.
- -help
Prints the usage message for the client.
- -l, --contextLifetime
<value> Sets the lifetime of the client security context.
valueis in milliseconds. Only supported with the GSI Secure Conversation authentication mechanism.- -m, --securityMech
<type> Specifies the authentication mechanism. The value
typecan be:msgfor GSI Secure Message, orconvfor GSI Secure Conversation.
- -p, --protection
<type> Specifies the protection level.
typecan be:sigfor signature, orencfor encryption.
- -s
cas-url Sets the CAS Service instance, where
cas-urlis the URL of the CAS service instance. Alternatively, an environment variable can be set as shown here.The instance URL typically looks like
http://Host:Port/wsrf/services/CASService, whereHostandPortare the host and port where the container with the CAS service is running.- -v
Prints the version number.
- -x, --proxyFilename
<value> Sets the proxy file to use as client credential.
- -z
authorization Specifies the type of authorization used, such as
selforhost.If you cannot use a standard method for authorization, you can use the specific CAS server's identity as the value.
Alternatively, an environment variable can be set as shown here.
If none of the above are set, host authorization is done by default and the expected server credential is
cas/, where<fqdn><fqdn>is the fully qualified domain name of the host on which the CAS service is up.![[Note]](/docbook-images/note.gif)
Note If the service being contacted is using GSI Secure Transport , then the container credentials configured for the service will be used, even if service/resource level credentials are configured. Hence authorization needs to be done based on the DN of the container credentials.
Table of Contents
- globus-credential-delegate - Delegation client
- globus-credential-refresh - Delegation refresh client
- globus-delegation-client - C Delegation client
Name
globus-credential-delegate — Delegation client
Synopsis
globus-credential-delegate
Tool description
Used to contact a Delegation Factory Service and store a delegated credential. A delegated credential is created and stored in a delegated credential WS-Resource, and the Endpoint Reference(EPR) of the credential is written out to a file for further use.
Command syntax
globus-credential-delegate [options] <eprFilename>
Table 62. globus-credential-delegate options
| -a, --anonymous | Enables anonymous authentication. Only supported with transport security or the GSI Secure Conversation authentication mechanism. |
| -c, --serverCertificate <file> | Specifies the server's certificate file used for encryption. Only needed for the GSI Secure Message authentication mechanism. |
| -debug | Runs the client with debug message traces and error stack traces. |
| -f, --descriptor <file> | Specifies a client security descriptor. Overrides all other security settings. |
| -g, --delegation <mode> | Enables delegation. mode can be either 'limited' or 'full'. Only supported with the GSI Secure Conversation authentication mechanism. |
| -help | Prints the usage message for the client. |
| -l, --contextLifetime <value> | Sets the lifetime of the client security context. value is in milliseconds. Only supported with the GSI Secure Conversation authentication mechanism. |
| -x, --proxyFilename <value> | Sets the proxy file to use as the client credential. |
| -m, --securityMech <type> | Specifies the authentication mechanism. type can be 'msg' for GSI Secure Message, or 'conv' for GSI Secure Conversation. |
| -p, --protection <type> | Specifies the protection level. type can be 'sig' for signature or 'enc' for encryption. |
| -s, --service <url> | Specifies the Delegtion Factory Service URL. |
| -x, --proxyFilename <value> | Sets the proxy file to use as client credential. |
| -y, --lifetine <value> | Lifetime of delegated credentia |