Note: This web site is only kept up to date for OSG Software 1.2 (VDT 2.0.0). If you are looking for information for the most recent release, the RPM-based OSG Software 3.0, please see the OSG documentation web site

Note: This version of the VDT (1.10.1) is supported, but is not our latest stable release. The current stable release is 2.0.0.

NAME

vdt-update-certs - Update the VDT CA certificate installation

SYNOPSIS

    vdt-update-certs [options] 
                --vdt-install <location>
                --force
                --quiet 
                --debug
                --help

DESCRIPTION

This program updates the VDT CA certificate distribution, which is in a location pointed to by a symlink, $VDT_LOCATION/globus/TRUSTED_CA.

Normally, this program is run by cron once every hour, but you can choose to run it manually if you prefer. From the command-line, the only interesting parameter to pass is --vdt-location, to specify where the VDT is installed. Normally you do not need to specify this parameter because it is obtained from the $VDT_LOCATION environment variable.

When this program runs, it exits immediately if the program has been successfully run in the last 24 hours. The --force command line option overrides this check, and forces the program to run. The reason for this is reliability: the VDT installation will set this program to run every hour via cron, but it has the goal of checking for an update every 24 hours. If the VDT web site is down, or some other serious error occurs, it retries an hour later in hopes that the error has resolved itself. Once the program has run successfully it will not try to do any updates for 24 hours.

When vdt-update-certs runs, if it finds a previous incarnation of itself still running, it will kill the old process before it runs.

OPTIONS

--vdt-location <location>
The location the VDT was installed in. This option overrides the $VDT_LOCATION environment variable if it exists. This option is not needed if $VDT_LOCATION is set to the correct location.
--force
Forces the script to run, ignoring the check that exits if the program ran successfully in the last 24 hours.
--quiet
Run with no output to standard output. All output will be in the log file.
--debug
Provide slightly more information in the log file.
--help
Show brief explanatory text for using vdt-update-certs.

CONFIGURATION

When vdt-update-certs is run, it looks for a configuration file in $VDT_LOCATION/vdt/etc/vdt-update-certs.conf. This file is not necessary: there are reasonable defaults for everything that can be in the file. However, you can use it to customize the behavior of vdt-update-certs.

The configuration file can have blank lines as well as comment lines: comment lines begin with a hash mark (#).

Each option is of the form

 name=value

The following configuration options can be specified:

cacerts_url

This option is required.

The cacerts_url option specifies where to download the CA certificates from. For most users, you will be told what this URL should be. For people who are responsible for a CA certificate distribution, this should be the full URL to the description file, not the URL to the tarball or the directory containing these files.

log

The log option specifies where the log file for vdt-update-certs is located. The log file is always created. It defaults to $VDT_LOCATION/vdt/var/log/vdt-update-certs.log. Example:

 log=/var/log/vdt-update-certs.log

debug

This option is equivalent to the command line --debug option listed above. If enabled, it will provide more information in the log file. The default is to not print this information. To enable it:

 debug=1

include

The full pathname of a file to be copied into the CA certificates directory in addition to any files that are downloaded from the VDT. This can be used to add a CA that is not part of the VDT. It is necessary because when the VDT installs a new set of CA certificates it creates a directory and does not preserve anything that was previously part of the CA certificate directory. This option only allows a single file to be specified, but the option can be specified multiple times to include multiple files. The default for this option is not to include any files. Example:

 include=/opt/local-ca/12345678.0
 include=/opt/local-ca/12345678.signing_policy
 include=/opt/local-ca/12345678.crl_url

Note that you should not copy files into the CA certificates directory and then specify a full path inside the CA certificates directory. Though it may seem like a handy shortcut, at the time the files are copied they will be in a different directory and the copy will fail.

exclude_ca

The hash of a Certificate Authority to be removed from the CA certificates directory when they are installed. All files of the form <hash>.* will be removed. This is to remove any CA certificates that you do not wish to trust but are provided by the VDT. The default for this option is not to exclude any CAs. To exclude a CA with hash '87654321', include a line such as:

 exclude_ca=87654321
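
The following is an added example, not part of the VDT or of vdt-update-certs itself: a small audit that parses a configuration file in the format described above and reports where an installed CA certificates directory disagrees with it (an excluded CA whose <hash>.* files are still present, an included file that is missing, or an include path that points inside the CA directory). The function names, the sample configuration and its placeholder URL are constructed for illustration; stripping whitespace around names and values and accepting repeated exclude_ca lines are assumptions about the format.

```python
import glob
import os
import tempfile

# Constructed sample configuration; the URL is a placeholder, not a real VDT URL.
SAMPLE_CONF = """\
# local trust policy
cacerts_url=http://example.org/ca-certs-version
include=/opt/local-ca/12345678.0
exclude_ca=87654321
"""

def parse_conf(text):
    """Parse name=value lines, skipping blank lines and '#' comment lines."""
    conf = {"include": [], "exclude_ca": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name, value = name.strip(), value.strip()
        if name in ("include", "exclude_ca"):
            conf[name].append(value)  # include repeats; exclude_ca assumed to
        else:
            conf[name] = value
    return conf

def audit(conf, ca_dir):
    """Return findings where the installed CA directory disagrees with conf."""
    findings = []
    if not conf.get("cacerts_url"):
        findings.append("cacerts_url is required but not set")
    for ca_hash in conf["exclude_ca"]:
        pattern = os.path.join(glob.escape(ca_dir), glob.escape(ca_hash) + ".*")
        for path in sorted(glob.glob(pattern)):
            findings.append("excluded CA still present: " + os.path.basename(path))
    for src in conf["include"]:
        name = os.path.basename(src)
        if os.path.dirname(os.path.realpath(src)) == os.path.realpath(ca_dir):
            findings.append("include points inside the CA directory: " + src)
        elif not os.path.exists(os.path.join(ca_dir, name)):
            findings.append("included file missing from CA directory: " + name)
    return findings

def demo():
    with tempfile.TemporaryDirectory() as ca_dir:
        for name in ("87654321.0", "87654321.signing_policy", "aaaaaaaa.0"):
            open(os.path.join(ca_dir, name), "w").close()
        return audit(parse_conf(SAMPLE_CONF), ca_dir)
```

On a real installation, pass the contents of $VDT_LOCATION/vdt/etc/vdt-update-certs.conf to parse_conf and $VDT_LOCATION/globus/TRUSTED_CA to audit after an update has run; an empty list means the directory matches the configured trust policy.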