[mirror_corosync-qdevice.git] / man / corosync-qnetd-certutil.8

.\"/*
.\" * Copyright (C) 2016 Red Hat, Inc.
.\" *
.\" * All rights reserved.
.\" *
.\" * Author: Jan Friesse <jfriesse@redhat.com>
.\" *
.\" * This software licensed under BSD license, the text of which follows:
.\" *
.\" * Redistribution and use in source and binary forms, with or without
.\" * modification, are permitted provided that the following conditions are met:
.\" *
.\" * - Redistributions of source code must retain the above copyright notice,
.\" *   this list of conditions and the following disclaimer.
.\" * - Redistributions in binary form must reproduce the above copyright notice,
.\" *   this list of conditions and the following disclaimer in the documentation
.\" *   and/or other materials provided with the distribution.
.\" * - Neither the name of Red Hat, Inc. nor the names of its
.\" *   contributors may be used to endorse or promote products derived from this
.\" *   software without specific prior written permission.
.\" *
.\" * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
.\" * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
.\" * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
.\" * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
.\" * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
.\" * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
.\" * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
.\" * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
.\" * THE POSSIBILITY OF SUCH DAMAGE.
.\" */
.TH COROSYNC-QNETD-CERTUTIL 8 2016-06-28
.SH NAME
corosync-qnetd-certutil - tool to generate qnetd TLS certificates
.SH SYNOPSIS
.B "corosync-qnetd-certutil [-i|-s] [-c certificate] [-n cluster_name]"
.SH DESCRIPTION
.B corosync-qnetd-certutil
is a frontend for the NSS certutil, it is used for generating the QNetd CA (Certificate Authority), 
server certificate and signing cluster certificate used by
.B corosync-qdevice
when using the model 'net'.
.SH OPTIONS
.TP
.B -i
Initialize the QNetd NSS certificate database and generate the QNetd CA and server certificates.
The default directory for the database is /etc/corosync/qnetd. This directory must be
writeable by the current user. The QNetd CA certificate is also exported into the file
/etc/corosync/qnetd/nssdb/qnetd-cacert.crt.
.TP
.B -s
Sign the cluster certificate. It is necessary to pass the cluster name (as
configured in corosync.conf) and the certificate request file - see options below.
The signed certificate will be written to the 
file /etc/corosync/qnetd/nssdb/cluster-$ClusterName.crt
.TP
.B -c
Certificate request file to sign.
.TP
.B -G
Do not set group write bit for new files. This option has effect only when used together with
.B -i
option. It is useful when extended security is needed and it's viable to prohibit daemon to change its
configuration. Expected usage is to first set owner of the /etc/corosync/qnetd directory
to root:$COROQNETD with permissions 0750 and then create database (as a root):

.nf
# corosync-qnetd-certutil -i -G
.fi

.TP
.B -n
Name of the cluster.
.SH NOTES
If qnetd is executed by a non root user, /etc/corosync/qnetd and its subdirectories must be owned by (or have group access for) the given user. If
.B corosync-qnetd-certutil
is executed as root it tries to copy the owner and group of /etc/corosync/qnetd to all of the created files.
.SH SEE ALSO
.BR corosync-qnetd (8)
.BR corosync-qdevice (8)
.SH AUTHOR
Jan Friesse
.PP
Commit	Line	Data
9a1955a7 JF	1	.\"/*
	2	.\" * Copyright (C) 2016 Red Hat, Inc.
	3	.\" *
	4	.\" * All rights reserved.
	5	.\" *
	6	.\" * Author: Jan Friesse <jfriesse@redhat.com>
	7	.\" *
	8	.\" * This software licensed under BSD license, the text of which follows:
	9	.\" *
	10	.\" * Redistribution and use in source and binary forms, with or without
	11	.\" * modification, are permitted provided that the following conditions are met:
	12	.\" *
	13	.\" * - Redistributions of source code must retain the above copyright notice,
	14	.\" * this list of conditions and the following disclaimer.
	15	.\" * - Redistributions in binary form must reproduce the above copyright notice,
	16	.\" * this list of conditions and the following disclaimer in the documentation
	17	.\" * and/or other materials provided with the distribution.
	18	.\" * - Neither the name of Red Hat, Inc. nor the names of its
	19	.\" * contributors may be used to endorse or promote products derived from this
	20	.\" * software without specific prior written permission.
	21	.\" *
	22	.\" * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
	23	.\" * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	24	.\" * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
	25	.\" * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
	26	.\" * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
	27	.\" * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
	28	.\" * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
	29	.\" * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
	30	.\" * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
	31	.\" * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
	32	.\" * THE POSSIBILITY OF SUCH DAMAGE.
	33	.\" */
	34	.TH COROSYNC-QNETD-CERTUTIL 8 2016-06-28
	35	.SH NAME
	36	corosync-qnetd-certutil - tool to generate qnetd TLS certificates
	37	.SH SYNOPSIS
	38	.B "corosync-qnetd-certutil [-i\|-s] [-c certificate] [-n cluster_name]"
	39	.SH DESCRIPTION
	40	.B corosync-qnetd-certutil
	41	is a frontend for the NSS certutil, it is used for generating the QNetd CA (Certificate Authority),
	42	server certificate and signing cluster certificate used by
	43	.B corosync-qdevice
	44	when using the model 'net'.
	45	.SH OPTIONS
	46	.TP
	47	.B -i
	48	Initialize the QNetd NSS certificate database and generate the QNetd CA and server certificates.
	49	The default directory for the database is /etc/corosync/qnetd. This directory must be
	50	writeable by the current user. The QNetd CA certificate is also exported into the file
	51	/etc/corosync/qnetd/nssdb/qnetd-cacert.crt.
	52	.TP
	53	.B -s
	54	Sign the cluster certificate. It is necessary to pass the cluster name (as
	55	configured in corosync.conf) and the certificate request file - see options below.
	56	The signed certificate will be written to the
	57	file /etc/corosync/qnetd/nssdb/cluster-$ClusterName.crt
	58	.TP
	59	.B -c
	60	Certificate request file to sign.
4cd74c80 JF	61	.TP
	62	.B -G
	63	Do not set group write bit for new files. This option has effect only when used together with
	64	.B -i
	65	option. It is useful when extended security is needed and it's viable to prohibit daemon to change its
	66	configuration. Expected usage is to first set owner of the /etc/corosync/qnetd directory
	67	to root:$COROQNETD with permissions 0750 and then create database (as a root):
	68
	69	.nf
	70	# corosync-qnetd-certutil -i -G
	71	.fi
	72
9a1955a7 JF	73	.TP
	74	.B -n
	75	Name of the cluster.
	76	.SH NOTES
	77	If qnetd is executed by a non root user, /etc/corosync/qnetd and its subdirectories must be owned by (or have group access for) the given user. If
	78	.B corosync-qnetd-certutil
	79	is executed as root it tries to copy the owner and group of /etc/corosync/qnetd to all of the created files.
	80	.SH SEE ALSO
	81	.BR corosync-qnetd (8)
	82	.BR corosync-qdevice (8)
	83	.SH AUTHOR
	84	Jan Friesse
	85	.PP