ipsec_openac(8)

NAME

ipsec openac - Generation of X.509 attribute certificates

SYNOPSIS

ipsec openac [ --help ] [ --version ] [ --optionsfrom filename ] [ --quiet ]
   [ --debug-all ] [ --debug-parsing ] [ --debug-raw ] [ --debug-private ]
   [ --days days ] [ --hours hours ]
   [ --startdate YYYYMMDDHHMMSSZ ] [ --stopdate YYYYMMDDHHMMSSZ ]
   --cert certfile --key keyfile [ --password password ]
   --usercert certfile --groups attr1,attr2,... --out filename

DESCRIPTION

openac is intended to be used by an Authorization Authority (AA) to
generate and sign X.509 attribute certificates. Currently only the
inclusion of one or several group attributes is supported. An attribute
certificate is linked to a holder by including the issuer and serial
number of the holder's X.509 certificate.

OPTIONS

--help
       display the usage message.

--version
       display the version of openac.

--optionsfrom filename
       adds the contents of the file to the argument list. If filename
       is a relative path then the file is searched in the directory
       /etc/openac.

--quiet
       By default openac logs all control output both to syslog and
       stderr. With the --quiet option no output is written to stderr.

--days days
       Validity of the X.509 attribute certificate in days. If neither
       the --days nor the --hours option is specified then a default
       validity interval of 1 day is assumed. The --days option can be
       combined with the --hours option.

--hours hours
       Validity of the X.509 attribute certificate in hours. If neither
       the --hours nor the --days option is specified then a default
       validity interval of 24 hours is assumed. The --hours option can
       be combined with the --days option.

--startdate YYYYMMDDHHMMSSZ
       defines the notBefore date when the X.509 attribute certificate
       becomes valid. The date YYYYMMDDHHMMSS must be specified in UTC
       (Zulu time). If the --startdate option is not specified then the
       current date is taken as a default.

--stopdate YYYYMMDDHHMMSSZ
       defines the notAfter date when the X.509 attribute certificate
       will expire. The date YYYYMMDDHHMMSS must be specified in UTC
       (Zulu time). If the --stopdate option is not specified then the
       default notAfter value is computed by adding the validity
       interval specified by the --days and/or --hours options to the
       notBefore date.

--cert certfile
       specifies the file containing the X.509 certificate of the
       Authorization Authority. The certificate is stored either in PEM
       or DER format.

--key keyfile
       specifies the encrypted file containing the private RSA key of
       the Authorization Authority. The private key is stored in PKCS#1
       format.

--password password
       specifies the password with which the private RSA keyfile
       defined by the --key option has been protected. If the option is
       missing then the password is prompted for on the command line.

--usercert certfile
       specifies the file containing the X.509 certificate of the user
       to which the generated attribute certificate will apply. The
       certificate file is stored either in PEM or DER format.

--groups attr1,attr2,...
       specifies a comma-separated list of group attributes that will
       go into the X.509 attribute certificate.

--out filename
       specifies the file where the generated X.509 attribute
       certificate will be stored.
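The validity rules above (default notBefore is the current time, notAfter
is either --stopdate or notBefore plus --days and --hours, with 1 day when
neither is given) are small enough to reproduce exactly. The following
Python is an added illustration written for this page, not part of openac
itself; the function and parameter names are my own, and the final
non-empty-window check is an extra sanity check the man page does not
describe.

```python
from datetime import datetime, timedelta, timezone

# openac's YYYYMMDDHHMMSSZ form: UTC ("Zulu") with a literal trailing Z
GENERALIZED_TIME = "%Y%m%d%H%M%SZ"


def parse_zulu(value):
    """Parse a YYYYMMDDHHMMSSZ string into an aware UTC datetime."""
    # strptime requires the literal 'Z'; a local-time or malformed
    # value raises ValueError instead of being silently accepted.
    return datetime.strptime(value, GENERALIZED_TIME).replace(tzinfo=timezone.utc)


def format_zulu(moment):
    """Render an aware datetime back into YYYYMMDDHHMMSSZ (UTC)."""
    return moment.astimezone(timezone.utc).strftime(GENERALIZED_TIME)


def compute_validity(startdate=None, stopdate=None, days=None, hours=None, now=None):
    """Return (notBefore, notAfter) as aware UTC datetimes.

    Mirrors the documented openac behaviour:
      * --startdate sets notBefore, otherwise the current time is used
      * --stopdate sets notAfter directly
      * otherwise notAfter = notBefore + days + hours, defaulting to
        1 day (24 hours) when neither --days nor --hours is given
    `now` is a hypothetical injection point so tests stay deterministic.
    """
    if startdate:
        not_before = parse_zulu(startdate)
    else:
        not_before = now or datetime.now(timezone.utc)

    if stopdate:
        not_after = parse_zulu(stopdate)
    else:
        if days is None and hours is None:
            interval = timedelta(days=1)          # documented default
        else:
            interval = timedelta(days=days or 0, hours=hours or 0)
        not_after = not_before + interval

    # Added check (not on the man page): an attribute certificate whose
    # notAfter is not later than notBefore can never be valid.
    if not_after <= not_before:
        raise ValueError("notAfter must be later than notBefore")
    return not_before, not_after
```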
Debugging

openac produces a prodigious amount of debugging information. To do
so, it must be compiled with -DDEBUG. There are several classes of
debugging output, and openac may be directed to produce a selection of
them. All lines of debugging output are prefixed with ``| '' to
distinguish them from error messages. When openac is invoked, it may
be given arguments to specify which classes to output. The current
options are:

--debug-raw
       show the raw bytes of the parsed user and authorization
       authority certificates as well as of the generated X.509
       attribute certificate.

--debug-parsing
       show the parsed structure of the user and authorization
       authority certificates as well as of the generated X.509
       attribute certificate.

--debug-all
       all of the above.

--debug-private
       enables debugging output of the authorization authority's
       private key.

EXIT STATUS

The execution of openac terminates with one of the following two exit
codes:

0      means that the attribute certificate was successfully generated
       and stored.

1      means that something went wrong.

FILES

/etc/openac/serial
       serial number of the latest attribute certificate

SEE ALSO

The X.509 attribute certificates generated with openac can be used to
enforce group policies defined by ipsec.conf(5). Use ipsec_auto(8) to
load and list X.509 attribute certificates.

For more information on X.509 attribute certificates, refer to the
following IETF RFC:

RFC 3281  An Internet Attribute Certificate Profile for Authorization

HISTORY

The openac program was originally written by Ariane Seiler and Ueli
Galizzi. The software was recoded by Andreas Steffen using strongSwan's
X.509 library and the ASN.1 code synthesis functions written by
Christoph Gysin and Christoph Zwahlen. All authors were with the Zurich
University of Applied Sciences in Winterthur, Switzerland.

BUGS

Bugs should be reported to the <users@lists.strongswan.org> mailing
list.

29 September 2005