NAME
util/sgeCA/sge_ca - Sun Grid Engine CSP Support control command
SYNTAX
sge_ca command [command options]
DESCRIPTION
sge_ca controls a simple Sun Grid Engine Certificate Authority
that is used for the special Certificate Security Protocol
(CSP) mode. CSP mode improves the security behavior of
Sun Grid Engine by enabling OpenSSL secured communication
channels and X509v3 certificates for authentication. In
addition it is possible to export the key material or to
create JKS keystores for the JMX connector. The following is
a list of the possible commands and command options, giving an
overview of the available functionality. For further
details about every command refer to the COMMAND DETAILS
section.
COMMAND OVERVIEW
sge_ca [-help]
show usage
sge_ca -init [command options]
create the infrastructure for a new Sun Grid Engine
Certificate Authority with its corresponding files and
directories and a set of keys and certificates for SGE
Daemon, root and admin user.
sge_ca -req | -verify <cert> | -sign | -copy [command options]
manipulate individual keys and certificates
sge_ca -print <cert> | -printkey <key> | -printcrl <crl>
print out certificates, keys and certificate revocation
lists in human readable form.
sge_ca -showCaTop | -showCaLocalTop [command options]
echo the $CATOP or $CALOCALTOP directory. This command
is usually run as root on the qmaster host after a CA
infrastructure has been created. If "-cadir", "-catop" or
"-calocaltop" are set, the corresponding directories are
printed.
hedeby_introduction(1) )
sge_ca -pkcs12 <user> | -sdm_pkcs12 <g> | -sys_pkcs12 [command options]
are used to export the certificate and key for user
<user> or SDM daemon <g> in pkcs12 format and to export
the SGE Daemon certificate and key in pkcs12 format.
sge_ca -userks | -ks <user> | -sysks [command options]
are used for creation of keystore for all users with a
certificate and key, the keystore for a single user
<user> and the keystore containing the SGE Daemon
certificate and key.
sge_ca -renew <user> | -renew_ca | -renew_sys | -renew_sdm <g> [command options]
are used to renew the corresponding certificates for
user <user>, for the CA, for the SGE Daemon certificate
and for the SDM daemon <g> certificate.
where "[command options]" is a combination of the following
options depending on the command. The COMMAND DETAILS section
explains which options are usable for each command.
-days <days>
days of validity of the certificate
-sha1
use sha-1 instead of md5 as message digest
-encryptkey
use des to encrypt the generated private key with a
passphrase. The passphrase is requested when a key is
created or used.
-outdir <dir>
write to directory <dir>
-cahost <host>
define CA hostname (CA master host)
-cadir <dir>
define $CALOCALTOP and $CATOP settings
-calocaltop <dir>
define $CALOCALTOP setting
-catop <dir>
define $CATOP setting
-kspwf <file>
define a keystore password file that contains a
password that is used to encrypt the keystore and the
keys contained therein
-ksout <file>
define output file to write the keystore to
-pkcs12pwf <file>
define a pkcs12 password file that contains a password
that is used to encrypt the pkcs12 export file and the
keys contained therein
-pkcs12dir <dir>
define the output directory <dir> to write the exported
pkcs12 format file to. Otherwise the current working
directory is used.
COMMAND DETAILS
sge_ca -init [-cadir <dir>] [-catop <dir>] [-calocaltop <dir>] [-adminuser <admin>] [-days <num days>]
The -init command creates a new Sun Grid Engine certificate
authority and its corresponding files. Usually
"sge_ca -init" is run by user root on the master host.
If the options -adminuser, -cadir, -calocaltop, -catop
and the Sun Grid Engine environment variables SGE_ROOT,
SGE_CELL and SGE_QMASTER_PORT are set, the CA directories
are created in the following locations:
two letter country code, state, location (e.g. city or
your building code), organization (e.g. your company
name), organizational unit (e.g. your department), email
address of the CA administrator (you!)
Certificates and keys are generated for the CA itself,
for SGE Daemon, for SGE install user (usually root) and
finally for the SGE admin user.
How and where the certificates and keys are created can
be influenced additionally by:
-days <days> change the time of validity of the certificates
to number of <days> instead of 365 days
-sha1 change the message digest algorithm from md5 to
sha-1
-encryptkey encrypt the generated keys with a
passphrase
-adminuser <user> use <user> as admin user
-cahost <host> use <host> as the CA master host
[-cadir <dir>] [-catop <dir>] [-calocaltop <dir>] set
$CATOP and $CALOCALTOP to <dir> to use something different
from the Sun Grid Engine default directories.
Either -cadir <dir> has to be specified to replace
$CATOP and $CALOCALTOP by the same directory or -catop
<dir> for $CATOP and -calocaltop <dir> for $CALOCALTOP.
The sge_ca command must usually be called with Sun Grid
Engine root permissions on the master host. For more
details on the permission requirements consult the detailed
description for the different commands above.
FILES
sge_ca creates a file tree starting in $CATOP and $CALOCALTOP.
The default for $CATOP is usually
$SGE_ROOT/$SGE_CELL/common/sgeCA and for $CALOCALTOP
/var/sgeCA/{port$SGE_QMASTER_PORT|sge_qmaster}/$SGE_CELL
where the subpaths beginning with $ expand to the content
of the corresponding environment variable.
In addition there may optionally exist the user certificate
in $HOME/.sge/port$SGE_QMASTER_PORT/$SGE_CELL/certs/cert.pem
and the corresponding private key in
$HOME/.sge/port$SGE_QMASTER_PORT/$SGE_CELL/private/key.pem
which are used instead of the files in $CATOP and $CALOCALTOP.
(see sge_ca -copy above)
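The default locations above can be resolved in shell, and the per-user private key checked for permissions that expose it to other accounts. This is an added example, not part of sge_ca: the function names are hypothetical, and reading {port$SGE_QMASTER_PORT|sge_qmaster} as "port form when the variable is set, otherwise sge_qmaster" is an assumption.

```sh
#!/bin/sh
# Added example (not part of sge_ca): resolve the default CA paths from the
# FILES section and check that a per-user private key is owner-only.
# Function names are hypothetical.

# $CATOP default: $SGE_ROOT/$SGE_CELL/common/sgeCA
sge_catop() {
    [ -n "${SGE_ROOT:-}" ] && [ -n "${SGE_CELL:-}" ] || return 1
    printf '%s/%s/common/sgeCA\n' "$SGE_ROOT" "$SGE_CELL"
}

# $CALOCALTOP default. Assumption: the {port$SGE_QMASTER_PORT|sge_qmaster}
# alternation means "port<N>" when SGE_QMASTER_PORT is set, else "sge_qmaster".
sge_calocaltop() {
    [ -n "${SGE_CELL:-}" ] || return 1
    if [ -n "${SGE_QMASTER_PORT:-}" ]; then
        printf '/var/sgeCA/port%s/%s\n' "$SGE_QMASTER_PORT" "$SGE_CELL"
    else
        printf '/var/sgeCA/sge_qmaster/%s\n' "$SGE_CELL"
    fi
}

# Per-user key that is used instead of the files in $CATOP/$CALOCALTOP.
sge_user_key() {
    [ -n "${SGE_QMASTER_PORT:-}" ] && [ -n "${SGE_CELL:-}" ] || return 1
    printf '%s/.sge/port%s/%s/private/key.pem\n' \
        "$HOME" "$SGE_QMASTER_PORT" "$SGE_CELL"
}

# True only if the file grants no permission bits to group or other.
# Columns 5-10 of "ls -l" output are the group and other triplets.
key_is_owner_only() {
    [ -f "$1" ] || return 2
    [ "$(ls -ldL -- "$1" | cut -c5-10)" = "------" ]
}

# Returns 0 if no user key exists or it is owner-only, 1 if it is exposed.
audit_user_key() {
    user_key=$(sge_user_key) || { echo "SGE environment not set" >&2; return 3; }
    [ -f "$user_key" ] || { echo "no user key at $user_key"; return 0; }
    if key_is_owner_only "$user_key"; then
        echo "OK   $user_key"
    else
        echo "WARN $user_key is accessible to group or other"
        return 1
    fi
}
```

Source the file in a shell where SGE_ROOT, SGE_CELL and SGE_QMASTER_PORT are set, then run audit_user_key as the user whose key is to be checked.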
SEE ALSO
sge_qmaster(8).
COPYRIGHT
See sge_intro(1) for a full statement of rights and permissions.