SGE_CA(8)                  System Manager's Manual                  SGE_CA(8)

NAME
       util/sgeCA/sge_ca - Univa Grid Engine CSP Support control command

SYNTAX
       sge_ca command [command options]

DESCRIPTION
       sge_ca controls a simple Univa Grid Engine Certificate Authority
       that is used for the special Certificate Security Protocol (CSP)
       mode. CSP mode improves the security behavior of Univa Grid Engine
       by enabling OpenSSL secured communication channels and X509v3
       certificates for authentication. In addition it is possible to
       export the key material or to create JKS keystores for the JMX
       connector.

       The following list of commands and command options gives an
       overview of the available functionality. For further details about
       every command refer to the COMMAND DETAILS section.

COMMAND OVERVIEW
       sge_ca [-help]
              show usage

       sge_ca -init [command options]
              create the infrastructure for a new Univa Grid Engine
              Certificate Authority with its corresponding files and
              directories and a set of keys and certificates for the SGE
              daemon, root and the admin user.

       sge_ca -req | -verify | -sign | -copy [command options]
              manipulate individual keys and certificates

       sge_ca -print <cert> | -printkey <key> | -printcrl <crl>
              print out certificates, keys and certificate revocation
              lists in human readable form.

       sge_ca -showCaTop | -showCaLocalTop [command options]
              echo the $CATOP or $CALOCALTOP directory. This command is
              usually run as root on the qmaster host after a CA
              infrastructure has been created. If -cadir, -catop or
              -calocaltop are set, the corresponding directories are
              printed.

       sge_ca -usercert <userfile> | -user u:g:e | -sdm_daemon u:g:e [command options]
              are used for creation of certificates and keys for a bunch
              of users contained in <userfile>, for a single user or for
              an SDM daemon (see hedeby_introduction(1)).

       sge_ca -pkcs12 <user> | -sdm_pkcs12 <g> | -sys_pkcs12 [command options]
              are used to export the certificate and key of a user or of
              an SDM daemon in PKCS12 format and to export the SGE daemon
              certificate and key in PKCS12 format.
       sge_ca -userks | -ks <user> | -sysks [command options]
              are used for creation of the keystores for all users with a
              certificate and key, the keystore for a single user and the
              keystore containing the SGE daemon certificate and key.

       sge_ca -renew <user> | -renew_ca | -renew_sys | -renew_sdm <g> [command options]
              are used to renew the corresponding certificates for a
              user, for the CA, for the SGE daemon certificate and for
              the SDM daemon certificate.

       where "[command options]" is a combination of the following options
       depending on the command. The COMMAND DETAILS section explains which
       options are usable for each command.

       -days <days>
              days of validity of the certificate

       -sha1  use SHA-1 instead of MD5 as message digest

       -encryptkey
              use DES to encrypt the generated private key with a
              passphrase. The passphrase is requested when a key is
              created or used.

       -outdir <dir>
              write to directory <dir>

       -cahost <hostname>
              define CA hostname (CA master host)

       -cadir <dir>
              define $CALOCALTOP and $CATOP settings

       -calocaltop <dir>
              define $CALOCALTOP setting

       -catop <dir>
              define $CATOP setting

       -kspwf <file>
              define a keystore password file that contains a password
              that is used to encrypt the keystore and the keys contained
              therein

       -ksout <file>
              define output file to write the keystore to

       -pkcs12pwf <file>
              define a PKCS12 password file that contains a password that
              is used to encrypt the PKCS12 export file and the keys
              contained therein

       -pkcs12dir <dir>
              define the output directory to write the exported PKCS12
              format file to. Otherwise the current working directory is
              used.

COMMAND DETAILS
       sge_ca -init [-cadir <dir>] [-catop <dir>] [-calocaltop <dir>]
              [-adminuser <admin_user>] [-days <days>]
              The -init command creates a new Univa Grid Engine
              certificate authority and its corresponding files. Usually
              "sge_ca -init" is run by user root on the master host.
              If the options -adminuser, -cadir, -calocaltop and -catop
              are not given and the Univa Grid Engine environment
              variables SGE_ROOT, SGE_CELL and SGE_QMASTER_PORT are set,
              the CA directories are created in the following default
              locations:

                     $CATOP       $SGE_ROOT/$SGE_CELL/common/sgeCA
                     $CALOCALTOP  /var/sgeCA/{port$SGE_QMASTER_PORT|sge_qmaster}/$SGE_CELL

              The following values for the CA certificate are requested
              when the CA is created:

                     two letter country code,
                     state,
                     location, e.g. city or your building code,
                     organization (e.g. your company name),
                     organizational unit, e.g. your department,
                     email address of the CA administrator (you!)

              Certificates and keys are generated for the CA itself, for
              the SGE daemon, for the Univa Grid Engine install user
              (usually root) and finally for the Univa Grid Engine admin
              user.

              How and where the certificates and keys are created can be
              influenced additionally by:

              -days <days>
                     change the time of validity of the certificates to
                     <days> instead of 365 days

              -sha1  change the message digest algorithm from MD5 to
                     SHA-1

              -encryptkey
                     encrypt the generated keys with a passphrase

              -adminuser <admin_user>
                     use <admin_user> as admin user

              -cahost <hostname>
                     use <hostname> as the CA master host

              -cadir <dir> | -catop <dir> -calocaltop <dir>
                     set $CATOP and $CALOCALTOP to <dir> to use something
                     different than the Univa Grid Engine default
                     directories. Either -cadir has to be specified to
                     replace $CATOP and $CALOCALTOP by the same
                     directory, or -catop for $CATOP and -calocaltop for
                     $CALOCALTOP.

       sge_ca -user u:g:e [-cadir <dir>] [-catop <dir>] [-calocaltop <dir>]
              [-adminuser <admin_user>] [-days <days>]
              generate certificate and keys for u:g:e with u='Unix user
              account name', g='common name' and e='email address'. By
              default the certificate is valid for 365 days, or for
              <days> days if specified with -days <days>. This command is
              usually run as user root on the qmaster host. $CATOP and
              $CALOCALTOP may be overridden by -cadir, -catop and
              -calocaltop.

       sge_ca -sdm_daemon u:g:e
              generate daemon certificate and keys for u:g:e with u='Unix
              user account name', g='common name' and e='email address'.
              By default the certificate is valid for 365 days, or for
              <days> days if specified with "-days <days>". This command
              is usually run as user root on the qmaster host.
       sge_ca -usercert <userfile> [-cadir <dir>] [-catop <dir>]
              [-calocaltop <dir>] [-adminuser <admin_user>] [-days <days>]
              [-encryptkey] [-sha1]
              Usually sge_ca -usercert is run as user root on the master
              host. The argument <userfile> contains a list of users in
              the following format:

                     eddy:Eddy Smith:eddy@griders.org
                     sarah:Sarah Miller:sarah@griders.org
                     leo:Leo Lion:leo@griders.org

              where the fields separated by colons are:

                     Unix user:Gecos field:email address

       sge_ca -renew <user> [-cadir <dir>] [-catop <dir>] [-calocaltop <dir>]
              [-adminuser <admin_user>] [-days <days>]
              Renew the certificate for <user>. By default the
              certificate is extended for 365 days, or for <days> days if
              specified with -days <days>. If the value is negative the
              certificate becomes invalid. This command is usually run as
              user root on the qmaster host. $CATOP and $CALOCALTOP may
              be overridden by -cadir, -catop and -calocaltop.

       sge_ca -renew_ca [-cadir <dir>] [-catop <dir>] [-calocaltop <dir>]
              [-adminuser <admin_user>] [-days <days>]
              Renew the CA certificate. By default the certificate is
              extended for 365 days, or for <days> days if specified with
              -days <days>. If the value is negative the certificate
              becomes invalid. This command is usually run as user root
              on the qmaster host. $CATOP and $CALOCALTOP may be
              overridden by -cadir, -catop and -calocaltop.

       sge_ca -renew_sys [-cadir <dir>] [-catop <dir>] [-calocaltop <dir>]
              [-adminuser <admin_user>] [-days <days>]
              Renew the SGE daemon certificate. By default the
              certificate is extended for 365 days, or for <days> days if
              specified with -days <days>. If the value is negative the
              certificate becomes invalid. This command is usually run as
              user root on the qmaster host. $CATOP and $CALOCALTOP may
              be overridden by -cadir, -catop and -calocaltop.

       sge_ca -renew_sdm <g> [-cadir <dir>] [-catop <dir>] [-calocaltop <dir>]
              [-adminuser <admin_user>] [-days <days>]
              Renew the SDM daemon certificate of <g>, where <g> is the
              common name of the daemon. By default the certificate is
              extended for 365 days, or for <days> days if specified with
              -days <days>. If the value is negative the certificate
              becomes invalid. This command is usually run as user root
              on the qmaster host. $CATOP and $CALOCALTOP may be
              overridden by -cadir, -catop and -calocaltop.
       sge_ca -pkcs12 <user> [-pkcs12pwf <file>] [-pkcs12dir <dir>]
              [-cadir <dir>] [-catop <dir>] [-calocaltop <dir>]
              [-adminuser <admin_user>]
              export certificate and key of user <user>, the Unix user
              name, in PKCS12 format. This command is usually run as user
              root on the qmaster host. If -pkcs12pwf <file> is used, the
              file and the corresponding key will be encrypted with the
              password in <file>. If -pkcs12dir <dir> is used, the .p12
              output file is written into <dir> instead of the current
              working directory. $CATOP and $CALOCALTOP may be overridden
              by -cadir, -catop and -calocaltop.

       sge_ca -sys_pkcs12 [-pkcs12pwf <file>] [-pkcs12dir <dir>]
              [-cadir <dir>] [-catop <dir>] [-calocaltop <dir>]
              [-adminuser <admin_user>]
              export certificate and key of the SGE daemon in PKCS12
              format. This command is usually run as user root on the
              qmaster host. If -pkcs12pwf <file> is used, the file and
              the corresponding key will be encrypted with the password
              in <file>. If -pkcs12dir <dir> is used, the .p12 output
              file is written into <dir> instead of the current working
              directory. $CATOP and $CALOCALTOP may be overridden by
              -cadir, -catop and -calocaltop.

       sge_ca -sdm_pkcs12 <g> [-pkcs12pwf <file>] [-pkcs12dir <dir>]
              [-cadir <dir>] [-catop <dir>] [-calocaltop <dir>]
              [-adminuser <admin_user>]
              export certificate and key of the SDM daemon with
              g='common name' in PKCS12 format. This command is usually
              run as user root on the qmaster host. If -pkcs12pwf <file>
              is used, the file and the corresponding key will be
              encrypted with the password in <file>. If -pkcs12dir <dir>
              is used, the .p12 output file is written into <dir> instead
              of the current working directory. $CATOP and $CALOCALTOP
              may be overridden by -cadir, -catop and -calocaltop.

       sge_ca -ks <user> [-ksout <file>] [-kspwf <file>] [-cadir <dir>]
              [-catop <dir>] [-calocaltop <dir>] [-adminuser <admin_user>]
              create a keystore containing certificate and key of user
              <user> in JKS format, where <user> is the Unix user name.
              This command is usually run as user root on the qmaster
              host. If -kspwf <file> is used, the keystore and the
              corresponding key will be encrypted with the password in
              <file>. The -ksout <file> option specifies the keystore
              file that is created. If the -ksout option is missing, the
              default location for the keystore is
              $CALOCALTOP/userkeys/<user>/keystore. This command is
              usually invoked by sge_ca -userks.
              A prerequisite is a valid JAVA_HOME environment variable
              setting. $CATOP and $CALOCALTOP may be overridden by
              -cadir, -catop and -calocaltop.

       sge_ca -userks [-kspwf <file>] [-cadir <dir>] [-catop <dir>]
              [-calocaltop <dir>] [-adminuser <admin_user>]
              generate a keystore in JKS format for all users having a
              key and certificate. This command is usually run as user
              root on the qmaster host. If -kspwf <file> is used, the
              keystore and the corresponding key will be encrypted with
              the password in <file>. The keystore files are created in
              $CALOCALTOP/userkeys/<user>/keystore. This command is run
              after user certificates and keys have been created with
              sge_ca -usercert or if any of the certificates have been
              renewed. $CATOP and $CALOCALTOP may be overridden by
              -cadir, -catop and -calocaltop.

       sge_ca -sysks [-kspwf <file>] [-cadir <dir>] [-catop <dir>]
              [-calocaltop <dir>] [-adminuser <admin_user>]
              generate a keystore containing the SGE daemon certificate
              and key in JKS format. This command is usually run as user
              root on the qmaster host. If -kspwf <file> is used, the
              keystore and the corresponding key will be encrypted with
              the password in <file>. The keystore file is created in
              $CALOCALTOP/private/keystore. $CATOP and $CALOCALTOP may be
              overridden by -cadir, -catop and -calocaltop.

       sge_ca -print <cert>
              Print a certificate where <cert> is the corresponding
              certificate in pem format.

       sge_ca -printkey <key>
              Print a key where <key> is the corresponding key in pem
              format.

       sge_ca -printcrl <crl>
              Print a certificate revocation list where <crl> is the
              corresponding certificate revocation list in pem format.

       sge_ca -req [-cadir <dir>] [-catop <dir>] [-calocaltop <dir>]
              [-adminuser <admin_user>] [-days <days>] [-encryptkey]
              [-sha1] [-outdir <dir>]
              create a private key and a certificate request for the
              calling user. These are created as newkey.pem and
              newreq.pem in the current working directory. If the option
              -outdir <dir> is specified in addition, the files are
              created in <dir>.
       sge_ca -sign [-cadir <dir>] [-catop <dir>] [-calocaltop <dir>]
              [-adminuser <admin_user>] [-days <days>] [-encryptkey]
              [-sha1] [-outdir <dir>]
              Sign a certificate request. The CA certificate under $CATOP
              (default: $SGE_ROOT/$SGE_CELL/common/sgeCA) and the CA key
              from $CALOCALTOP (default:
              /var/sgeCA/{port$SGE_QMASTER_PORT|sge_qmaster}/$SGE_CELL)
              are used for the signature. If $CATOP and $CALOCALTOP are
              set to a different directory, the information there is
              used. The certificate is created as newcert.pem in the
              current working directory, or in <dir> if the option
              -outdir <dir> has been specified. In addition the option
              "-days <days>" can be specified to change the default
              validity from 365 to <days> days.

       sge_ca -verify <cert> [-cadir <dir>] [-catop <dir>]
              [-calocaltop <dir>] [-adminuser <admin_user>]
              Verify a certificate's validity where <cert> is the
              corresponding certificate in pem format. $CATOP and
              $CALOCALTOP can be overridden by -cadir, -catop and
              -calocaltop.

       sge_ca -copy [-cadir <dir>] [-catop <dir>] [-calocaltop <dir>]
              sge_ca -copy is run by a user to copy the user's
              certificate and key on the master host to
              $HOME/.sge/port$SGE_QMASTER_PORT/$SGE_CELL/certs/cert.pem
              and the corresponding private key to
              $HOME/.sge/port$SGE_QMASTER_PORT/$SGE_CELL/private/key.pem,
              which are used instead of the files in $CATOP and
              $CALOCALTOP. The command is only recommended for testing
              purposes or where $HOME is on a secure shared file system.

EXAMPLES
       # sge_ca -init -cadir /tmp -sha1 -encryptkey -days 31

       create a CA infrastructure in /tmp with a certificate validity of
       31 days using SHA-1 instead of MD5 as message digest. The keys are
       encrypted and a passphrase has to be entered during the creation
       of the different keys or during signing a certificate with the
       created CA key.

       # sge_ca -usercert /tmp/myusers.txt -cadir /tmp

       /tmp/myusers.txt contains

              user1:My User:user1@myorg.org

       and user1 is a valid Unix user account. Create a key and
       certificate for user1.

       # sge_ca -userks -cadir /tmp

       create a keystore for all users of the simple CA.
       The keystore is stored under /tmp/userkeys/<user>/keystore.

       # sge_ca -renew root -cadir /tmp -days -1

       make the root certificate temporarily invalid.

       # sge_ca -renew_ca -days 365 -cadir /tmp

       renew the CA certificate for 365 days.

ENVIRONMENTAL VARIABLES
       SGE_ROOT
              Specifies the location of the Univa Grid Engine standard
              configuration files.

       SGE_CELL
              If set, specifies the default Univa Grid Engine cell.

RESTRICTIONS
       sge_ca usually has to be called with Univa Grid Engine root
       permissions on the master host. For more details on the permission
       requirements consult the detailed description of the different
       commands above.

FILES
       sge_ca creates a file tree starting in $CATOP and $CALOCALTOP. The
       default for $CATOP is usually $SGE_ROOT/$SGE_CELL/common/sgeCA and
       for $CALOCALTOP
       /var/sgeCA/{port$SGE_QMASTER_PORT|sge_qmaster}/$SGE_CELL, where
       the subpaths beginning with $ expand to the content of the
       corresponding environment variable. In addition there may
       optionally exist the user certificate in
       $HOME/.sge/port$SGE_QMASTER_PORT/$SGE_CELL/certs/cert.pem and the
       corresponding private key in
       $HOME/.sge/port$SGE_QMASTER_PORT/$SGE_CELL/private/key.pem, which
       are used instead of the files in $CATOP and $CALOCALTOP (see
       sge_ca -copy above).

SEE ALSO
       sge_qmaster(8).

COPYRIGHT
       See sge_intro(1) for a full statement of rights and permissions.

Univa Grid Engine Administrative Commands    UGE 8.5.4              SGE_CA(8)