User Commands                                                sslclnt(1)

NAME
     sslclnt - sample I2A2 client-side SSL client

SYNOPSIS
     sslclnt [ -c cpath ] [ -C cser ] [ -d dir ] [ -e ] [ -h ] [ -H host ]
             [ -n nm ] [ -N ] [ -p port ] [ -P priv ] [ -t ] [ -s PUID ]
             [ -U pub ]

DESCRIPTION
     Sslclnt is a sample client that makes client-side SSL connections
     (connections in which the client presents its own certificate) to
     I2A2 net daemons.  It will also make server-side only SSL
     connections, in which no client certificate is presented, when its
     -N option is specified.

     I2A2 stands for Infrastructure for Identification, Authentication
     and Authorization.  It is a Purdue infrastructure designed to
     provide general support to Purdue data systems for identifying
     accesses, authenticating their claimed identities, and determining
     what services the identities are authorized to use.

     Sslclnt operates in I2A2 external protocol mode.  See puidnetd(4)
     for more information on the protocol.  You may also consult

          http://www.i2a2.purdue.edu/securepurdue/I2A2/

     for more information.

OPTIONS
     Sslclnt accepts the following options.

     -c cpath
          optionally provides a path to the Purdue Certificate Authority
          (CA) certificate in PEM format.  The Purdue CA certificate must
          be available, either through this -c option, through the -d dir
          option, or in the default OpenSSL certificate directory,
          /opt/openssl/certs.

     -C cser
          provides an optional certificate serial number associated with
          the net daemon's Purdue University ID (PUID).  Normally the
          certificate serial number is taken from the header file
          puidnetd.h, based on the net daemon's name.  (See the -n nm
          option.)

     -d dir
          optionally specifies the directory where the Purdue CA
          certificate may be found.  That directory must also contain a
          symbolic link to the Purdue CA certificate, named with the
          certificate's hash.  See the -hash option of the openssl
          application's x509 function for information on obtaining a
          certificate's hash.

     -e   suppresses all echoing of input commands to standard output.
          Normally input echoing is suppressed when the input device is
          the terminal and enabled when the input device is a file or a
          pipe.  This option makes sure input is never echoed, enabling
          sslclnt to be run as a child process that is driven with an
          alternating command-reply protocol.

     -h   optionally requests the display of a help output panel.  When
          this option is used, no further processing takes place.

     -H host
          optionally specifies the name of the host where the I2A2 net
          daemon is running.  Sslclnt normally derives the host name from
          the net daemon's name, e.g. as provided with the -n nm option;
          see the default host names listed under that option, and the
          -t option for how test mode changes them.

     -n nm
          optionally specifies the name of the I2A2 net daemon.  Three
          names may be specified:

          authc  the I2A2 authentication net daemon at
                 authenticate.i2a2.purdue.edu

          authz  the I2A2 authorization net daemon at
                 authorize.i2a2.purdue.edu

          refl   the I2A2 reflector (identification) net daemon at
                 lookup.i2a2.purdue.edu

          The default is refl.  When the net daemon is specified with
          this option, sslclnt supplies defaults for the net daemon's
          host name, port, PUID, and certificate serial number from the
          puidnetd.h header file.

     -N   suppresses the client-side SSL functions, reducing the
          connection to server-side only SSL.  When -N is specified, the
          -P priv and -U pub options must not be specified.

     -p port
          optionally specifies the port number at which the net daemon
          should be contacted.  Sslclnt normally supplies a default port
          number for the indicated net daemon:

          1562 (authcs)  for the authentication net daemon
          1564 (authzs)  for the authorization net daemon
          1566 (refls)   for the reflector (identification) net daemon

          The names given in parentheses ("authcs", "authzs", and
          "refls") are the service names sometimes found in the UNIX
          system's /etc/services file.  The port numbers may also be
          found in puidnetd.h.

     -P priv
          must be supplied when doing client-side SSL (i.e., when the -N
          option has not been specified).  Priv specifies the path to
          the client-side certificate's private key in PEM format.  The
          key may be locked or unlocked.  If it is locked, sslclnt will
          ask for the pass phrase that unlocks it.  The key supplied by
          this option must match the public certificate supplied by the
          -U pub option.

     -s PUID
          optionally provides the PUID that will be found in the net
          daemon's certificate.  Normally the PUID is taken from the
          header file puidnetd.h, based on the net daemon's name.  (See
          the -n nm option.)

     -t   optionally switches sslclnt to test mode.  In test mode the
          default net daemon host names become dbm-dev.i2a2.purdue.edu.

     -U pub
          must be supplied when doing client-side SSL (i.e., when the -N
          option has not been specified).  Pub specifies the path to the
          client-side public certificate in PEM format.  The certificate
          supplied by this option must match the private key supplied by
          the -P priv option.

INPUT AND OUTPUT
     Once sslclnt has established a connection to the requested net
     daemon, it communicates in I2A2 external protocol.  (See puidnetd(4)
     for details.)

     Commands destined for the I2A2 net daemon must be supplied to
     sslclnt via its standard input file in external protocol.  When the
     standard input isn't a terminal device, sslclnt echoes input
     commands to standard output unless the -e option is given.

     Sslclnt reports net daemon replies to its standard output file in
     external protocol, exactly as received.

DIAGNOSTICS
     Sslclnt reports errors to the standard error file and returns a
     non-zero exit code.

EXAMPLES
     Here is an example that makes a client-side SSL connection to the
     I2A2 reflector (the default net daemon).  The example assumes the
     Purdue CA certificate is in /opt/openssl/certs.

          sslclnt -P private.pem -U public.pem

     This example initiates a server-side only SSL connection to the
     I2A2 authenticator.

          sslclnt -N -n authc

     This example fragment selects a connection to the I2A2 authorizer.

          sslclnt -n authz ...

     This example shows how to specify an alternate directory where the
     Purdue CA certificate may be found.

          sslclnt -d /foo/bar/certificates ...

PERMISSION
     A Purdue certificate is required to use client-side SSL.

PREREQUISITES
     The Purdue CA certificate must be available.

     An OpenSSL installation is desirable; it is required to compile
     sslclnt from its sources.

FILES
     All certificate files must contain X.509 certificates in PEM
     format; by convention such files carry the ".pem" extension.

AUTHORS
     Vic Abell

SEE ALSO
     openssl(1), puidnetd(4), puidnetd.h

SunOS 5.8
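Two of the option descriptions above impose checks that are easy to get wrong: the directory given with -d dir must hold a link to the Purdue CA certificate named by the certificate's hash, and the key given with -P priv must belong to the certificate given with -U pub. The following Python helpers are an editor's addition, not code from sslclnt or the I2A2 distribution; they perform both checks by running the openssl(1) command-line tool, which is assumed to be on PATH. The link name <hash>.0 (a numeric suffix after the hash) is what OpenSSL's -CApath lookup expects, a detail the man page does not spell out; the -subject_hash_old switch is mentioned because OpenSSL 1.0.0 changed the hash algorithm, so a link made with one generation of openssl is invisible to the other.

```python
"""Prepare and check sslclnt's certificate inputs with openssl(1).

Editor's example, not part of sslclnt or I2A2.  Assumes an openssl binary
on PATH; only the standard library is used.
"""
import os
import subprocess
from typing import Optional


def openssl(*args: str, stdin_data: bytes = b"") -> bytes:
    """Run one openssl subcommand and return its stdout; raise on failure.
    stdin is always supplied (possibly empty) so a pass phrase can be fed
    via '-passin stdin' instead of being typed on the terminal."""
    return subprocess.run(["openssl", *args], input=stdin_data, check=True,
                          capture_output=True).stdout


def ca_subject_hash(ca_pem: str, old_style: bool = False) -> str:
    """Return the 8-hex-digit subject hash that 'openssl x509 -hash' prints.

    OpenSSL looks a CA up in a -CApath directory by this hash.  The hash
    algorithm changed in OpenSSL 1.0.0; old_style=True asks for the earlier
    value (-subject_hash_old), which only a 0.9.x-era client looks for.
    """
    flag = "-subject_hash_old" if old_style else "-hash"
    return openssl("x509", flag, "-noout", "-in", ca_pem).decode().strip()


def link_ca_into_dir(ca_pem: str, ca_dir: str, old_style: bool = False) -> str:
    """Create the <hash>.N symbolic link that the -d dir option relies on.

    N starts at 0 and is bumped only when a different certificate already
    owns that hash (two CAs with the same subject name).  Returns the link
    path; calling it twice for the same certificate is harmless.
    """
    os.makedirs(ca_dir, exist_ok=True)
    target = os.path.realpath(ca_pem)
    h = ca_subject_hash(ca_pem, old_style)
    n = 0
    while True:
        link = os.path.join(ca_dir, f"{h}.{n}")
        if not os.path.lexists(link):
            os.symlink(target, link)
            return link
        if os.path.realpath(link) == target:
            return link                      # already linked
        n += 1


def cert_verifies_against_dir(cert_pem: str, ca_dir: str) -> bool:
    """True if cert_pem chains to a CA found through the hash links in
    ca_dir, i.e. the lookup sslclnt -d dir performs will succeed."""
    r = subprocess.run(["openssl", "verify", "-CApath", ca_dir, cert_pem],
                       capture_output=True)
    return r.returncode == 0


def key_matches_cert(key_pem: str, cert_pem: str,
                     passphrase: Optional[str] = None) -> bool:
    """True if the private key (-P priv) belongs to the certificate (-U pub).

    Both files are reduced to their PEM public key and compared, which
    works for RSA and EC keys alike.  A locked key needs its pass phrase;
    it is passed on stdin rather than on the command line so it never
    shows up in the process list.  A locked key with no or a wrong pass
    phrase simply fails to load and counts as a mismatch.
    """
    pub_from_cert = openssl("x509", "-in", cert_pem, "-noout", "-pubkey")
    try:
        pub_from_key = openssl("pkey", "-in", key_pem, "-pubout",
                               "-passin", "stdin",
                               stdin_data=((passphrase or "") + "\n").encode())
    except subprocess.CalledProcessError:
        return False
    return pub_from_cert == pub_from_key
```

Run link_ca_into_dir once against the Purdue CA certificate before pointing sslclnt at the directory with -d, and key_matches_cert before a non-interactive run, since a mismatched pair only surfaces as a failed handshake after the pass-phrase prompt.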
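The -e option exists so that a parent process can drive sslclnt through its standard input and output without echoed commands being mixed into the replies. The following Python harness is also an editor's addition, not code from sslclnt or I2A2. It builds an sslclnt command line that enforces the rules stated under -N, -P and -U (both -P and -U, or -N and neither) and always adds -e, then wraps the child in a send-one-command, read-one-reply loop. The I2A2 external protocol messages themselves are documented in puidnetd(4) and are not shown; the harness assumes only that each command and each reply ends with a newline (an assumption). Because no I2A2 daemon is reachable offline, the usage at the bottom substitutes a small sh loop for sslclnt; the sslclnt path and the file names are illustrative.

```python
"""Drive sslclnt (or a stand-in) as a child process with -e.

Editor's example, not part of sslclnt or I2A2.  Line-delimited framing of
commands and replies is an assumption; see puidnetd(4) for the real format.
"""
import queue
import subprocess
import threading
from typing import List, Optional


def build_argv(daemon: str = "refl", *, key: Optional[str] = None,
               cert: Optional[str] = None, server_side_only: bool = False,
               ca_dir: Optional[str] = None, ca_file: Optional[str] = None,
               host: Optional[str] = None, port: Optional[int] = None,
               test_mode: bool = False, program: str = "sslclnt") -> List[str]:
    """Assemble an sslclnt command line, enforcing the man page's rules:
    -N excludes -P/-U; without -N both -P and -U are required; -e is
    always added so stdout carries replies only."""
    if daemon not in ("authc", "authz", "refl"):
        raise ValueError("daemon must be authc, authz or refl")
    argv = [program, "-e", "-n", daemon]
    if server_side_only:
        if key or cert:
            raise ValueError("-N must not be combined with -P priv / -U pub")
        argv.append("-N")
    else:
        if not (key and cert):
            raise ValueError("client-side SSL needs both -P priv and -U pub")
        argv += ["-P", key, "-U", cert]
    if ca_dir:
        argv += ["-d", ca_dir]
    if ca_file:
        argv += ["-c", ca_file]
    if host:
        argv += ["-H", host]
    if port is not None:
        argv += ["-p", str(port)]
    if test_mode:
        argv.append("-t")
    return argv


class Session:
    """Alternating command/reply exchange with a child process."""

    def __init__(self, argv: List[str]):
        self.proc = subprocess.Popen(argv, stdin=subprocess.PIPE,
                                     stdout=subprocess.PIPE,
                                     stderr=subprocess.PIPE, text=True, bufsize=1)
        self._lines: "queue.Queue[Optional[str]]" = queue.Queue()
        threading.Thread(target=self._pump, daemon=True).start()

    def _pump(self) -> None:
        # Read replies in a helper thread so exchange() can apply a timeout.
        for line in self.proc.stdout:
            self._lines.put(line.rstrip("\n"))
        self._lines.put(None)                # EOF: child closed its stdout

    def exchange(self, command: str, timeout: float = 5.0) -> str:
        """Send one command, return the next reply line.  A child that has
        exited (sslclnt reports errors on stderr with a non-zero status) or
        that stays silent raises instead of hanging the caller."""
        if self.proc.poll() is not None:
            raise RuntimeError(f"child exited with status {self.proc.returncode}")
        try:
            self.proc.stdin.write(command + "\n")
            self.proc.stdin.flush()
        except OSError as e:                 # BrokenPipeError: child is gone
            raise RuntimeError(f"cannot send {command!r}: {e}") from e
        try:
            reply = self._lines.get(timeout=timeout)
        except queue.Empty:
            raise TimeoutError(f"no reply to {command!r} within {timeout}s")
        if reply is None:
            self.proc.wait(timeout=timeout)
            err = self.proc.stderr.read().strip()
            raise RuntimeError(f"child closed the connection: {err or 'no diagnostic'}")
        return reply

    def close(self) -> int:
        """Close the command stream and return the child's exit status."""
        try:
            self.proc.stdin.close()
        except OSError:
            pass
        return self.proc.wait()


if __name__ == "__main__":
    # Real use would be Session(build_argv("authc", key="private.pem",
    # cert="public.pem")); offline, a sh loop stands in for sslclnt and
    # answers each line with "reply:<line>" (constructed stand-in).
    s = Session(["sh", "-c", 'while IFS= read -r l; do echo "reply:$l"; done'])
    print(s.exchange("hello"))
    print("exit status", s.close())
```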