User Commands                                          sslclnt(1)

NAME
     sslclnt - sample I2A2 client-side SSL client

SYNOPSIS
     sslclnt [ -c cpath ] [ -C cser ] [ -d dir ] [ -e ] [ -h ] [
     -H host ] [ -n nm ] [ -N ] [ -p port ] [ -P priv ] [ -t ] [
     -s PUID ] [ -U pub ]

DESCRIPTION
     Sslclnt is a sample client that makes client-side SSL
     connections to I2A2 net daemons.  It will also make
     server-side only SSL connections when its -N option is
     specified.

     I2A2 stands for Infrastructure for Identification,
     Authentication and Authorization.  It is a Purdue
     infrastructure designed to provide general support to
     Purdue data systems for identifying accesses,
     authenticating their claimed identities, and determining
     what services the identities are authorized to use.

     Sslclnt operates in I2A2 external protocol mode.  See
     puidnetd(4) for more information on the protocol.

     You may also consult:

          http://www.i2a2.purdue.edu/securepurdue/I2A2/

     for more information.

OPTIONS
     Sslclnt accepts the following options.

     -c cpath
          optionally provides a path to the Purdue Certificate
          Authority (CA) certificate in PEM format.

          The Purdue CA certificate must be available, either
          through this -c option, through the -d dir option, or
          in the default OpenSSL certificate directory,
          /opt/openssl/certs.

     -C cser
          provides an optional certificate serial number
          associated with the net daemon's Purdue University
          ID (PUID).  Normally the certificate serial number is
          taken from the header file puidnetd.h, based on the
          net daemon's name.  (See the -n nm option.)

     -N   suppresses the client-side SSL functions, reducing the
          connection to server-side only SSL.

          When -N is specified, the -P priv and -U pub options
          must not be specified.

SunOS 5.8                 Last change:                          1

     -d dir
          optionally specifies the directory where the Purdue CA
          may be found.  That directory must also contain a
          symbolic link to the Purdue CA certificate, named
          with the certificate's hash.

          See the -hash option of the openssl application's x509
          function for information on obtaining a certificate's
          hash.

     -e   suppresses all echoing of input commands to standard
          output.  Normally input echoing is suppressed when the
          input device is the terminal and enabled when the input
          device is a file or a pipe.

          This option makes sure input is never echoed, enabling
          sslclnt to be used in child processes with an
          alternating command-reply protocol.

     -h   optionally requests the display of a help output panel.
          When this option is used, no further processing takes
          place.

     -H host
          optionally specifies the name of the host where the
          I2A2 net daemon is running.  See the specification of
          the default host names under the description of the -n
          nm option.  See the -t option for information on how it
          changes the default host names.

          Sslclnt normally derives the host name from the net
          daemon's name, as given with the -n nm option.

     -n nm
          optionally specifies the name of the I2A2 net daemon.
          Three names may be specified:

               authc - the I2A2 authentication net daemon
                    at authenticate.i2a2.purdue.edu
               authz - the I2A2 authorization net daemon
                    at authorize.i2a2.purdue.edu
               refl - the I2A2 reflector (identification)
                    net daemon at lookup.i2a2.purdue.edu

          The default is refl.

          When the net daemon is specified with this option,
          sslclnt supplies defaults for the net daemon's host
          name, port, PUID, and certificate serial number from
          the puidnetd.h header file.

     -p port
          optionally specifies the port number at which the net
          daemon should be contacted.

          Sslclnt normally supplies a default port number for the
          indicated net daemon:

               1562 (authcs) - for the authentication net daemon
               1564 (authzs) - for the authorization net daemon
               1566 (refls) - for the reflector (identification)
                    net daemon

          The names - "authcs", "authzs", and "refls" - given in
          parentheses are the service names sometimes found in
          the UNIX system's /etc/services file.  The port
          numbers may also be found in puidnetd.h.

     -P priv
          is an option that must be supplied when doing
          client-side SSL (i.e., when the -N option has not
          been specified).  Priv specifies the path to the
          client-side certificate's private key in PEM format.

          The key may be locked or unlocked.  If it is locked,
          sslclnt will ask for entry of the pass phrase that
          unlocks it.

          The key supplied by this option must match the public
          certificate, supplied by the -U pub option.

     -s PUID
          optionally provides the PUID that will be found in the
          net daemon's certificate.  Normally the PUID is taken
          from the header file puidnetd.h, based on the net
          daemon's name.  (See the -n nm option.)

     -t   optionally switches sslclnt to test mode.  In test mode
          the default net daemon host names become
          dbm-dev.i2a2.purdue.edu.

     -U pub
          is an option that must be supplied when doing
          client-side SSL (i.e., when the -N option has not
          been specified).  Pub specifies the path to the
          client-side public certificate in PEM format.

          The certificate supplied by this option must match the
          private key, supplied by the -P priv option.

INPUT AND OUTPUT
     Once sslclnt has established a connection to the requested
     net daemon, it communicates in I2A2 external protocol.  (See
     puidnetd(4) for details.)

     Commands destined for the I2A2 net daemon must be supplied
     to sslclnt via its standard input file in external protocol.
     When the standard input isn't a terminal device, sslclnt
     echoes input commands to standard output unless the -e
     option is given.

     Sslclnt reports net daemon replies to its standard output
     file in external protocol, exactly as received.
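     The option handling and session loop described above, as an
     added Python example rather than Purdue's sslclnt source.
     The function names (resolve_target, validate_options,
     make_context, check_peer_serial, run_session) are chosen
     here; the host names and ports are the defaults the man
     page lists.  Two assumptions are made: the daemon answers
     each command line with one reply line, and the -C cser
     check is a comparison against the serialNumber field that
     Python's getpeercert() reports.  The -s PUID check is left
     out because the page does not say where the PUID appears
     in the daemon's certificate.

```python
"""Client-side (mutual) TLS client modelled on sslclnt(1); added example,
not Purdue's sslclnt source.  Assumes one reply line per command and that
-C cser matches the peer certificate's serialNumber; the page does not say
how the PUID (-s) appears in the certificate, so it is not checked."""
import socket
import ssl
import sys

# Defaults the man page attributes to puidnetd.h (host and port per daemon).
NET_DAEMONS = {
    "authc": ("authenticate.i2a2.purdue.edu", 1562),  # authcs
    "authz": ("authorize.i2a2.purdue.edu", 1564),     # authzs
    "refl": ("lookup.i2a2.purdue.edu", 1566),         # refls
}
TEST_HOST = "dbm-dev.i2a2.purdue.edu"  # -t: every default host becomes this
DEFAULT_CAPATH = "/opt/openssl/certs"  # default OpenSSL certificate directory


def resolve_target(name="refl", host=None, port=None, test_mode=False):
    """-n/-H/-p/-t precedence: explicit -H and -p win, -t swaps the default
    host, otherwise the daemon name supplies both host and port."""
    if name not in NET_DAEMONS:
        raise ValueError(f"unknown net daemon {name!r}; expected one of "
                         + ", ".join(NET_DAEMONS))
    default_host, default_port = NET_DAEMONS[name]
    if test_mode:
        default_host = TEST_HOST
    return (host or default_host, port or default_port)


def validate_options(server_only, certfile, keyfile):
    """-N (server-side only SSL) excludes -P/-U; client-side SSL needs both."""
    if server_only:
        if certfile or keyfile:
            raise ValueError("-N must not be combined with -P priv or -U pub")
    elif not (certfile and keyfile):
        raise ValueError("client-side SSL requires both -P priv and -U pub")


def make_context(cafile=None, capath=None, certfile=None, keyfile=None,
                 password=None):
    """Trust source in the man page's order: -c cpath, then -d dir, then the
    default directory.  A capath must be an OpenSSL hashed directory, i.e.
    hold the hash-named symlink the -d option describes."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    else:
        ctx.load_verify_locations(capath=capath or DEFAULT_CAPATH)
    if certfile:
        # password=None lets OpenSSL prompt on the terminal for a locked key,
        # matching sslclnt's pass-phrase prompt for a locked -P priv.
        ctx.load_cert_chain(certfile, keyfile, password)
    return ctx


def check_peer_serial(cert, expected_serial):
    """Pin the daemon certificate's serial number (the -C cser value).
    getpeercert() reports the serial as an upper-case hex string; accept an
    int or a hex string and ignore leading zeros on both sides."""
    if expected_serial is None:
        return True
    got = cert.get("serialNumber", "").upper().lstrip("0")
    want = (format(expected_serial, "X") if isinstance(expected_serial, int)
            else str(expected_serial).upper().lstrip("0"))
    return got == want


def run_session(ctx, host, port, expected_serial=None, echo=None,
                stdin=sys.stdin, stdout=sys.stdout):
    """Send each external-protocol command line from stdin and write the
    reply exactly as received.  Input is echoed when stdin is not a
    terminal, unless echo=False (the -e option) forces it off."""
    if echo is None:
        echo = not stdin.isatty()
    with socket.create_connection((host, port)) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as tls:
        if not check_peer_serial(tls.getpeercert(), expected_serial):
            raise ssl.SSLError("net daemon certificate serial mismatch")
        reader = tls.makefile("rb")
        for line in stdin:
            if echo:
                stdout.write(line)
            tls.sendall(line.encode())
            reply = reader.readline()  # assumed: one reply line per command
            if not reply:
                break  # daemon closed the connection
            stdout.write(reply.decode(errors="replace"))
            stdout.flush()


if __name__ == "__main__":
    # Equivalent of: sslclnt -P private.pem -U public.pem
    validate_options(False, "public.pem", "private.pem")
    target_host, target_port = resolve_target("refl")
    session_ctx = make_context(certfile="public.pem", keyfile="private.pem")
    run_session(session_ctx, target_host, target_port)
```

     Saved as, say, sslclnt_example.py (a name chosen here), it
     echoes commands when fed through a pipe and stays silent on
     a terminal, as the man page describes.  Whatever directory
     is passed as capath must be hashed the way the -d option
     requires, because OpenSSL finds the CA certificate through
     the hash-named symlink, not by scanning the directory.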

DIAGNOSTICS
     Sslclnt reports errors to the standard error file and
     returns a non-zero exit code.

EXAMPLES
     Here's an example that establishes a connection to the I2A2
     reflector (the default net daemon).  The example assumes the
     Purdue CA certificate is in /opt/openssl/certs.

          sslclnt -P private.pem -U public.pem

     This example initiates a server-side SSL connection to the
     I2A2 authenticator.

          sslclnt -N -n authc

     This example fragment selects a connection to the I2A2
     authorizer.

          sslclnt -n authz ...

     This example shows how to specify an alternate directory
     where the Purdue CA may be found.

          sslclnt -d /foo/bar/certificates ...

PERMISSION
     A Purdue certificate is required to use client-side SSL.

PREREQUISITES
     The Purdue CA certificate must be available.

     An OpenSSL installation is desirable.  It is required for
     compiling sslclnt from its sources.

FILES
     All certificate files must contain X.509 certificates in PEM
     format - i.e., have the ".pem" extension.

AUTHORS
     Vic Abell

SEE ALSO
     openssl(1), puidnetd(4), puidnetd.h
