Commit 9a1955a7 (JF):

```troff
.\"/*
.\" * Copyright (C) 2016 Red Hat, Inc.
.\" *
.\" * All rights reserved.
.\" *
.\" * Author: Jan Friesse <jfriesse@redhat.com>
.\" *
.\" * This software licensed under BSD license, the text of which follows:
.\" *
.\" * Redistribution and use in source and binary forms, with or without
.\" * modification, are permitted provided that the following conditions are met:
.\" *
.\" * - Redistributions of source code must retain the above copyright notice,
.\" *   this list of conditions and the following disclaimer.
.\" * - Redistributions in binary form must reproduce the above copyright notice,
.\" *   this list of conditions and the following disclaimer in the documentation
.\" *   and/or other materials provided with the distribution.
.\" * - Neither the name of Red Hat, Inc. nor the names of its
.\" *   contributors may be used to endorse or promote products derived from this
.\" *   software without specific prior written permission.
.\" *
.\" * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
.\" * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
.\" * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
.\" * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
.\" * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
.\" * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
.\" * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
.\" * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
.\" * THE POSSIBILITY OF SUCH DAMAGE.
.\" */
.TH COROSYNC-QNETD-CERTUTIL 8 2016-06-28
.SH NAME
corosync-qnetd-certutil - tool to generate qnetd TLS certificates
.SH SYNOPSIS
.B "corosync-qnetd-certutil [-i|-s] [-c certificate] [-n cluster_name]"
.SH DESCRIPTION
.B corosync-qnetd-certutil
is a frontend for the NSS certutil; it is used for generating the QNetd CA (Certificate Authority)
and server certificate, and for signing the cluster certificate used by
.B corosync-qdevice
when using the model 'net'.
.SH OPTIONS
.TP
.B -i
Initialize the QNetd NSS certificate database and generate the QNetd CA and server certificates.
The default directory for the database is /etc/corosync/qnetd. This directory must be
writable by the current user. The QNetd CA certificate is also exported into the file
/etc/corosync/qnetd/nssdb/qnetd-cacert.crt.
.TP
.B -s
Sign the cluster certificate. It is necessary to pass the cluster name (as
configured in corosync.conf) and the certificate request file - see the options below.
The signed certificate will be written to the
file /etc/corosync/qnetd/nssdb/cluster-$ClusterName.crt
.TP
.B -c
Certificate request file to sign.
```

Commit 4cd74c80 (JF):

```troff
.TP
.B -G
Do not set the group write bit for new files. This option has effect only when used together with the
.B -i
option. It is useful when extended security is needed and it is viable to prohibit the daemon from changing its
configuration. Expected usage is to first set the owner of the /etc/corosync/qnetd directory
to root:$COROQNETD with permissions 0750 and then create the database (as root):

.nf
# corosync-qnetd-certutil -i -G
.fi

```

Commit 9a1955a7 (JF):

```troff
.TP
.B -n
Name of the cluster.
.SH NOTES
If qnetd is executed by a non-root user, /etc/corosync/qnetd and its subdirectories must be owned by (or have group access for) the given user. If
.B corosync-qnetd-certutil
is executed as root it tries to copy the owner and group of /etc/corosync/qnetd to all of the created files.
.SH SEE ALSO
.BR corosync-qnetd (8)
.BR corosync-qdevice (8)
.SH AUTHOR
Jan Friesse
.PP
```
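The hardened -G workflow and the -s signing step documented above, scripted as an added shell example that is not part of the corosync project or this man page. The group name coroqnetd, the function names and the request-file path are assumptions; the check function verifies the property -G is meant to give (no group-writable entry in the database directory).

```shell
#!/bin/sh
# Added example, not part of the corosync project or this man page.
# It scripts the hardened setup the -G option describes and the -s signing
# step, and adds a check that the database contains no group-writable entry.
# Assumptions: the daemon's group is named "coroqnetd" (the page only calls
# it $COROQNETD) and the default database directory is used.

QNETD_DIR="${QNETD_DIR:-/etc/corosync/qnetd}"
QNETD_GROUP="${QNETD_GROUP:-coroqnetd}"   # assumed group name

# Run as root: root-owned, group-readable directory first, then create the
# NSS database and CA/server certificates without the group write bit.
qnetd_init_hardened() {
    chown "root:$QNETD_GROUP" "$QNETD_DIR"
    chmod 0750 "$QNETD_DIR"
    corosync-qnetd-certutil -i -G
}

# Sign a cluster's certificate request; prints the path of the signed
# certificate (cluster-<name>.crt under nssdb, as the -s option documents).
qnetd_sign_cluster() {
    cluster="$1"; csr="$2"
    corosync-qnetd-certutil -s -c "$csr" -n "$cluster" || return 1
    echo "$QNETD_DIR/nssdb/cluster-$cluster.crt"
}

# Verify the -G guarantee after initialisation: return 0 when nothing under
# the given directory has the group write bit set, otherwise list the
# offenders on stdout and return 1.
check_no_group_write() {
    offenders=$(find "$1" -perm -g+w -print)
    if [ -n "$offenders" ]; then
        echo "group-writable entries under $1:"
        echo "$offenders"
        return 1
    fi
    return 0
}

# Typical sequence on the qnetd host (needs root and the corosync tools);
# the request-file path is a constructed example:
#   qnetd_init_hardened && check_no_group_write "$QNETD_DIR"
#   qnetd_sign_cluster mycluster /root/example-cluster.crq
```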