gx-check-index - Check for updates in a CA index file
gx-check-index -help
gx-check-index -version
gx-check-index [options]
gx-check-index, part of the gx-map system, is an administrative command. It checks for updates in a certificate authority's index file, and invokes the gx-request command as needed for any changes. This allows DNs issued by a CA to be entered automatically into one or more grid-mapfiles without further user or administrator action.
The gx-check-index command should be invoked either from a cron job or via the gx-cron-job command.
Option processing is done using the Perl Getopt::Long module.
Options may be specified with a single or double leading '-' character. Option names may be abbreviated to whatever is unique. Arguments may be separated either by a blank or by an '=' character. For example, ``-foobar 42'', ``--foobar=42'', and ``-foob 42'' would all be equivalent.
The CA name can be given either as a hexadecimal hash value (such as 3deda549 or b89793e4) or as a short name (such as sdsc or npaci). There must be a cadesc file for the CA in the etc/gx-map/ca-config subdirectory of the gx-map installation; the hash or short name is a component of the name of the cadesc file.
This can be specified either as a local file name (recommended) or as a URL.
The index file must contain certain information; see the INDEX FILE section below.
Some Certificate Authorities (CAs) maintain a plain-text index file, containing information about all certificates that have been issued.
The format of this index file is specified by the OpenSSL software package, so most CAs probably have one, though it may be kept hidden.
The gx-check-index command should be run locally at the CA's site. The index file may be specified as a URL, but it's usually better to use a local file name. (The contents of the index file may be considered sensitive information.)
The gx-check-index command maintains a saved copy of the index file, and looks for changes between its saved copy and the current version. It assumes that any DN with a ``/UID=...'' field is for a user certificate; if the CA issues user certificates with no ``/UID=...'' field, gx-ca-update will not work. It also assumes that the argument to the ``/UID=...'' field is a Unix username; if this is not the case you should not attempt to use gx-check-index.
You must make sure that the specified index file is valid for the CA. If an attacker is able to create a forged index file, it could break system security.
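The comparison described in the INDEX FILE text above, as an added example (not gx-map's own code, which is Perl): it parses a saved and a current snapshot in the OpenSSL index format and reports user certificates, identified by a ``/UID=...'' field, that became valid or were revoked. The action names, the username pattern, and the sample entries are assumptions of this example.

```python
import re

# Conservative Unix username pattern: an assumption of this example.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")
UID_RE = re.compile(r"/UID=([^/]+)")

def parse_index(text):
    """Parse OpenSSL index-file text into {serial: (status, dn)}."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        # Fields: status, expiry, revocation date, serial, file name, subject DN
        if len(fields) != 6 or fields[0] not in ("V", "R", "E"):
            raise ValueError(f"line {lineno}: not an OpenSSL index entry")
        entries[fields[3].upper()] = (fields[0], fields[5])
    return entries

def unix_user(dn):
    """Return the /UID= value if it looks like a Unix username, else None."""
    m = UID_RE.search(dn)
    return m.group(1) if m and USERNAME_RE.fullmatch(m.group(1)) else None

def diff_index(saved_text, current_text):
    """List (action, username, dn) for user certificates whose status changed."""
    saved, current = parse_index(saved_text), parse_index(current_text)
    changes = []
    for serial, (status, dn) in sorted(current.items()):
        user, old = unix_user(dn), saved.get(serial, ("", ""))[0]
        if user and status == "V" and old != "V":
            changes.append(("add", user, dn))      # newly issued or reinstated
        elif user and status == "R" and old == "V":
            changes.append(("remove", user, dn))   # revoked since the saved copy
    return changes

# Constructed sample data, tab-separated as OpenSSL writes it.
SAVED = "V\t300101000000Z\t\t01\tunknown\t/C=US/O=Example/UID=alice/CN=Alice A\n"
CURRENT = (
    "R\t300101000000Z\t250601120000Z\t01\tunknown\t/C=US/O=Example/UID=alice/CN=Alice A\n"
    "V\t300101000000Z\t\t02\tunknown\t/C=US/O=Example/CN=host.example.org\n"
    "V\t300101000000Z\t\t03\tunknown\t/C=US/O=Example/UID=bob/CN=Bob B\n"
    "V\t300101000000Z\t\t04\tunknown\t/C=US/O=Example/UID=J. Doe/CN=J. Doe\n"
)

if __name__ == "__main__":
    for change in diff_index(SAVED, CURRENT):
        print(*change, sep="\t")
```

Entries 02 and 04 produce no action: the first has no ``/UID=...'' field, and the second has a value that is not usable as a Unix username, the case in which the text above says gx-check-index should not be used.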
gx-map(7), gx-request(1), gx-cron-job(8)
Keith Thompson, San Diego Supercomputer Center, <kst@sdsc.edu>
See the file LICENSE in the gx-map distribution, installed in the etc/gx-map subdirectory.