Akenti Command Line Interface

Command line Akenti interfaces


CheckAccess (akenti CA)

Checks a user's access to a resource. Because a user must be authenticated before gaining any access, either the -x flag or both the -u and -c flags must be included to identify the user.

-f arg - akenti engine config file
-r arg - resource
[-x arg] - user's x509 certificate chain
[-u arg -c arg] - user's DN and user's CADN
[-R arg]* - a specific action(s)
[-A arg -V arg]* - attribute/value pair
[-P] - show all certificates used in making the decision
[-o arg] - certificates' output file (defaults to stdout)
[-q] - show concise output
[-v] - verbose
[-h] - prints this message

example: akenti CheckAccess -f conf.txt -x CertFile -r R1

akenti CA -q -f conf.txt -u UserDN -c UserCA -r R1

RemoteCheckAccess (akenti RCA)

Checks a user's access to a resource remotely. Because a user must be authenticated before gaining any access, either the -x flag or both the -u and -c flags must be included to identify the user.

-F arg - akenti client config file
-r arg - resource
[-x arg] - user's x509 certificate chain
[-u arg -c arg] - user's DN and user's CADN
[-q] - concise output
[-v] - verbose
[-h] - prints this message

example: akenti RemoteCheckAccess -F conf.txt -r "R1"


CheckPolicy (akenti CP)

Use this program to receive a resource's Policy and Use-Conditions. The resource Policy describes who may upload Use-Conditions (in the form of Use-Condition certificates) and where they can be found. Use-Condition certificates specify which attribute certificates a user must present in order to gain access to the resource and where they can be found.

-f arg - akenti engine config file
-r arg - resource
[-l arg] - level 1, 2, or 3
where each level is as follows:
1 - prints WORKED/FAILED only
2 - prints all messages collected (this is the default level)
3 - prints level 3 and all the certificates as well, same as -a option
[-a] - use level 3
[-v] - verbose
[-h] - prints this message

example: akenti CheckPolicy -f conf.txt -r "R1" -l 2


RemoteCheckPolicy (akenti CP)

Use this program to receive a resource's Policy and Use-Conditions. The resource Policy describes who may upload Use-Conditions (in the form of Use-Condition certificates) and where they can be found. Use-Condition certificates specify which attribute certificates a user must present in order to gain access to the resource and where they can be found.

-F arg - akenti client config file
-r arg - resource
[-v] - verbose
[-h] - prints this message

example: akenti RemoteCheckPolicy -F conf.txt -r "R1"


ResourceBrowse (akenti RB)

Use this program to browse a resource. To request a list of all root resources do not include any -r flag or argument. Resources are listed in a hierarchy with the root resources at the top. Make this request to discover the immediate descendants of a particular resource or (without the -r flag) to discover all root resources.

-f arg - akenti engine config file
-r arg - resource
[-v] - verbose
[-h] - prints this message

example: akenti ResourceBrowse -f conf.txt -r "R1"


RemoteResourceBrowse (akenti RRB)

Use this program to browse a resource remotely. To request a list of all root resources do not include any -r flag or argument. Resources are listed in a hierarchy with the root resources at the top. Make this request to discover the immediate descendants of a particular resource or (without the -r flag) to discover all root resources.

-F arg - akenti client config file
[-r arg] - resource
[-v] - verbose
[-h] - prints this message

example: akenti RemoteResourceBrowse -F conf.txt -r "R1"

example: akenti RemoteResourceBrowse -F conf.txt


CreateResource (akenti CR)

Use this program to create a resource. (Cannot be used to create a root resource.) The resource created through this command will not have a policy file which describes who may add Use-Conditions. Unless a policy file is uploaded using the UploadPolicyCertificate command the resource will inherit policy attributes from its parent resource.

-f arg - akenti engine config file
-r arg - resource
[-v] - verbose
[-h] - prints this message

example: akenti CreateResource -f conf.txt -r "R1/S2"


RemoteCreateResource (akenti RCR)

Use this program to create a resource remotely. (Cannot be used to create a root resource.) The resource created through this command will not have a policy file which describes who may add Use-Conditions. Unless a policy file is uploaded using the UploadPolicyCertificate command the resource will inherit policy attributes from its parent resource.

-F arg - akenti client config file
-r arg - resource
[-v] - verbose
[-h] - prints this message

example: akenti RemoteCreateResource -F conf.txt -r "R1/S2"


UploadPolCert (akenti UP)

Use this program to upload a policy certificate. Policy certificates describe who may upload Use-Condition certificates to control access to a resource.

-f arg - akenti engine config file
-p arg - policy certificate file
[-v] - verbose
[-h] - prints this message

example: akenti UploadPolCert -f conf.txt -p mycertfile


RemoteUploadPolCert (akenti RUP)

Use this program to upload a policy certificate remotely. Policy certificates describe who may upload Use-Condition certificates to control access to a resource.

-F arg - akenti client config file
-p arg - policy certificate file
[-v] - verbose
[-h] - prints this message

example: akenti RemoteUploadPolCert -F conf.txt -p mycertfile


DeletePolCert (akenti DP)

Use this program to delete a policy certificate. Policy certificates describe who may upload Use-Condition certificates to control access to a resource. When you delete a policy certificate, the resource will inherit policy attributes from its parent. Since root resources have no parent, deleting their Policy certificates will cause them to become unusable.

-f arg - akenti engine config file
-r arg - resource
[-v] - verbose
[-h] - prints this message

example: akenti DeletePolCert -f conf.txt -r "R2"


RemoteDeletePolCert (akenti RDP)

Use this program to delete a policy certificate remotely. Policy certificates describe who may upload Use-Condition certificates to control access to a resource. When you delete a policy certificate, the resource will inherit policy attributes from its parent. Since root resources have no parent, deleting their Policy certificates will cause them to become unusable.

-F arg - akenti client config file
-r arg - resource
[-v] - verbose
[-h] - prints this message

example: akenti RemoteDeletePolCert -F conf.txt -r "R2"
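A pre-flight check for the inheritance rule described under DeletePolCert and RemoteDeletePolCert, as an added example that is not Akenti code. It models only "the nearest ancestor with a policy certificate governs the resource"; the function names and the sample hierarchy are constructed for illustration.

```python
def parent(resource):
    """Parent path of 'R1/S2' is 'R1'; a root resource such as 'R1' has none."""
    head, sep, _ = resource.rpartition("/")
    return head if sep else None


def governing(policies, resource):
    """Return the nearest resource (self or ancestor) that holds a policy
    certificate, or None when the walk passes the root without finding one."""
    node = resource
    while node is not None:
        if node in policies:
            return node
        node = parent(node)
    return None


def delete_impact(policies, resources, target):
    """Map each resource whose governing policy would change if `target`
    lost its policy certificate to a (before, after) pair."""
    remaining = {r for r in policies if r != target}
    impact = {}
    for res in resources:
        before, after = governing(policies, res), governing(remaining, res)
        if before != after:
            impact[res] = (before, after)
    return impact


def unusable(impact):
    """Resources left with no governing policy at all (the root case)."""
    return sorted(res for res, (_, after) in impact.items() if after is None)


# Constructed hierarchy: R1/S2/T3 has no policy certificate of its own.
RESOURCES = ["R1", "R1/S2", "R1/S2/T3", "R2"]
POLICIES = {"R1", "R1/S2", "R2"}

if __name__ == "__main__":
    for target in ("R1/S2", "R2"):
        impact = delete_impact(POLICIES, RESOURCES, target)
        print(target, impact, "unusable:", unusable(impact))
```

Deleting the certificate on R1/S2 silently moves R1/S2 and R1/S2/T3 under R1's policy, which widens or narrows who may upload Use-Conditions; deleting it on the root R2 leaves nothing to inherit.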


CertGen (akenti CG)

Use this program to generate and sign Policy, Use-Condition, and Attribute certificates. The xml input file you provide must contain a valid xml-encoded akenti certificate. Use existing certificates/templates. Policy Certificates describe who may add Use-Conditions to a resource. Use-Conditions specify what attribute certificates a user must present to gain access to a resource. Attribute Certificates are issued to users to allow them access to resources.

-k arg - keyfile in p12 format
-p arg - file where passphrase is stored
-i arg - xml input file
[-o arg] - friendly name to store file
[-d arg] - number of days
[-v] - verbose
[-h] - prints this message

example: akenti CG -k mykeyfile -p mypasswordfile -i myxmlfile


PrintAkentiCertTemplate (akenti PT)

Use this program to print an akenti certificate template. Edit the templates for your own use.

[-R] - Root Policy certificate
[-P] - Policy certificate
[-U] - Use-Condition certificate
[-A] - Attribute certificate
[-o] - output file name
[-v] - verbose
[-h] - prints this message

example: akenti PrintAkentiCertTemplate -R myrootPolicy


ConvertAkentiCert (akenti CO)

Use this program to convert an akenti certificate from one format to another.

Currently we support two formats: PEM and XML.

-a arg - akenti certificate
[-i arg] - in format PEM or XML
[-o arg] - out format PEM or XML
[-v] - verbose
[-h] - prints this message

example: akenti ConvertAkentiCert -a mycertificate -i PEM -o XML
Will convert a 1.4 style certificate to a 1.5 certificate.


VerifyAkentiCert (akenti VA)

Check 1: akenti certificate has not expired
Check 2: akenti certificate's signature is valid (optional)
Note: a check is made on the time validity of the signer's certificate if one is supplied.

-a arg - akenti certificate
[-i arg] - issuer's x509 certificate
[-v] - verbose
[-h] - prints this message

example: akenti VA -a mycertificate


PrettyPrintAkentiCert (akenti PP)

Use this program to pretty print an akenti certificate.

-a arg - akenti certificate
[-v] - verbose
[-h] - prints this message

example: akenti PrettyPrintAkentiCert -a mycertificate


VerifyX509Cert (akenti VX)

Purpose: Use this program to verify an x509 cert.

Check 1: time validity
Check 2: signature (optional)

-x arg - X509 certificate
[-i arg] - ca's X509 cert
[-v] - verbose
[-h] - prints this message

example: akenti VerifyX509Cert -x myX509certificate


HashX509 (akenti HX)

Use this program to generate the hash of an X509 cert. Compare hashes to see if two X509 certificates are identical.

-x arg - X509 certificate (in PEM format)
[-v] - verbose
[-h] - prints this message

example: akenti HashX509 -x myX509certificate


FindUC (akenti FU)

Use this program to locate Use-Condition certificates.

-x arg - X509 certificate (in PEM format)
-u arg - location in a url format
[-v] - verbose
[-h] - prints this message

example: akenti FindUC -x myX509certificate -u file:/home/blah/blah/file


Notes on the configuration file

The akenti client/engine configuration files are used to hold information used by the server, client, and local tools.

RootResourceName (root resource name followed by full path on local machine) One of possibly many root resources.
PolicyFileName The name of the files that hold policy certificates.
AK_CERT_ENC_TYPE The encoding type of Akenti Certificates (currently only XML and PEM are supported). If it is set to blank, the engine will support both kinds of certificates.
SignCerts [on, off] Signing capability and cached certs.
Caching [on, off] whether we should cache certificates.
- CacheType [server, file] whether the files should be cached using the server or directly to the filesystem.
- CacheHost hostname (used with CacheType server)
- CachePort port (used with CacheType server)
- CacheBase a directory pathname (used with CacheType file)
- CacheDir the name of the caching directory (used with CacheType file)
SSLMode [on, off] Whether to use SSL.
- AkentiPort Defaults to 8443 for SSL and 8444 for unsecure.
- ServerCertFile server's certificate pathname
- ServerKeyFile server's private key pathname
- CertificateAuthorityPath dirpath to trusted CAs
- CertificateAuthorityFile file containing trusted CA
Logging [off, file, server, stdout, stderr] Logging
- LogLevel [1, 2, 3, 4, 5] Only logs errors higher than this level.
- TempLogDir temporary storage
- MonitorLogFile permanent storage (used with Logging server)
- MonitorServer server's hostname (used with Logging server)
- MonitorPort server's port (used with Logging server)
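
A consistency check for the dependent settings listed above, as an added example that is not part of the Akenti distribution. The file syntax (one "Key value" pair per line, "#" for comments) and the sample file are assumptions, since this page does not show the format; treating the SSLMode sub-keys as required when SSLMode is on is also an assumption.

```python
# (parent key, value) -> sub-keys the notes above tie to that value.
REQUIRED = {
    ("CacheType", "server"): ["CacheHost", "CachePort"],
    ("CacheType", "file"): ["CacheBase", "CacheDir"],
    ("SSLMode", "on"): ["ServerCertFile", "ServerKeyFile"],
    ("Logging", "server"): ["MonitorLogFile", "MonitorServer", "MonitorPort"],
}


def parse(text):
    """Assumed syntax: 'Key value' per line, '#' starts a comment."""
    conf = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if parts:
            conf[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def lint(conf):
    """Return a list of findings; an empty list means no issue was detected."""
    get = lambda key: conf.get(key, "").lower()
    findings = []
    caching = get("Caching") == "on"
    for (key, value), needed in REQUIRED.items():
        if key == "CacheType" and not caching:
            continue  # cache sub-keys only matter when Caching is on
        if get(key) == value:
            findings += [f"{key}={value} but {n} is not set"
                         for n in needed if not conf.get(n)]
    if caching and get("CacheType") not in ("server", "file"):
        findings.append("Caching=on but CacheType is not server or file")
    if get("SSLMode") != "on":
        findings.append("SSLMode is not on: the unsecure port is used")
    elif not (conf.get("CertificateAuthorityPath")
              or conf.get("CertificateAuthorityFile")):
        findings.append("SSLMode=on but no trusted CA path or file is set")
    if conf.get("AK_CERT_ENC_TYPE", "").upper() not in ("", "XML", "PEM"):
        findings.append("AK_CERT_ENC_TYPE must be XML, PEM or blank")
    return findings


# Constructed sample, not a shipped Akenti file.
SAMPLE = """\
RootResourceName R1 /srv/akenti/R1   # name, then local path
Caching on
CacheType server
CacheHost cache.example.org
SSLMode on
ServerCertFile /etc/akenti/server.pem
Logging server
MonitorServer log.example.org
MonitorPort 9000
"""
```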

