summaryrefslogtreecommitdiff
path: root/src/pt-tls-client/pt-tls-client.1.in
blob: 6bd3c642e476e50cf6629be88b2511ab308ac4ce (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
.TH PT-TLS-CLIENT 1 "2018-11-20" "@PACKAGE_VERSION@" "strongSwan"
.
.SH "NAME"
.
pt-tls-client \- Simple client using PT-TLS to collect integrity information
.
.SH "SYNOPSIS"
.
.SY "pt-tls-client"
.BI \-\-connect
.IR hostname |\fIaddress
.OP \-\-port port
.RB [ \-\-certid
.IR hex |\fB\-\-cert
.IR file ]+
.RB [ \-\-keyid
.IR hex |\fB\-\-key
.IR file ]
.RB [ \-\-key-type
.BR rsa |\fBecdsa\fR]
.OP \-\-client client-id
.OP \-\-secret password
.OP \-\-mutual
.OP \-\-options filename
.OP \-\-quiet
.OP \-\-debug level
.YS
.
.SY "pt-tls-client"
.B \-h
|
.B \-\-help
.YS
.
.SH "DESCRIPTION"
.
.B pt-tls-client
is a simple client using the PT-TLS (RFC 6876) transport protocol to collect
integrity measurements on the client platform. PT-TLS does an initial TLS
handshake with certificate-based server authentication and optional
certificate-based client authentication.  Alternatively simple password-based
SASL client authentication protected by TLS can be used.
.P
Attribute requests and integrity measurements are exchanged via the PA-TNC (RFC
5792) message protocol between any number of Integrity Measurement Verifiers
(IMVs) residing on the remote PT-TLS server and multiple Integrity Measurement
Collectors (IMCs) loaded dynamically by the PT-TLS client according to a list
defined by \fI/etc/tnc_config\fR. PA-TNC messages that contain one or several
PA-TNC attributes are multiplexed into PB-TNC (RFC 5793) client or server data
batches which in turn are transported via PT-TLS.
.
.SH "OPTIONS"
.
.TP
.B "\-h, \-\-help"
Prints usage information and a short summary of the available commands.
.TP
.BI "\-c, \-\-connect " hostname\fR|\fIaddress
Set the hostname or IP address of the PT-TLS server.
.TP
.BI "\-p, \-\-port " port
Set the port of the PT-TLS server, default: 271.
.TP
.BI "\-x, \-\-cert " file
Set the path to an X.509 certificate file. This option can be repeated to load
multiple client and CA certificates.
.TP
.BI "\-X, \-\-certid " hex
Set the handle of the certificate stored in a smartcard or a TPM 2.0 Trusted
Platform Module.
.TP
.BI "\-k, \-\-key " file
Set the path to the client's PKCS#1 or PKCS#8 private key file
.TP
.BI "\-t, \-\-key\-type " type
Define the type of the private key if stored in PKCS#1 format. Can be omitted
with PKCS#8 keys.
.TP
.BI "\-K, \-\-keyid " hex
Set the keyid of the private key stored in a smartcard or a TPM 2.0 Trusted
Platform Module.
.TP
.BI "\-i, \-\-client " client-id
Set the username or client ID of the client required for password-based SASL
authentication.
.TP
.BI "\-s, \-\-secret " password
Set the preshared secret or client password required for password-based SASL
authentication.
.TP
.B "\-q, \-\-mutual
Enable mutual attestation between PT-TLS client and PT-TLS server.
.TP
.BI "\-v, \-\-debug " level
Set debug level, default: 1.
.TP
.B "\-q, \-\-quiet
Disable debug output to stderr.
.TP
.BI "\-+, \-\-options " file
Read command line options from \fIfile\fR.
.
.SH "EXAMPLES"
.
Connect to a PT-TLS server using certificate-based authentication,
storing the private ECDSA key in a file:
.PP
.EX
  pt-tls-client \-\-connect pdp.example.com \-\-cert ca.crt \\
                \-\-cert client.crt \-\-key client.key \-\-key\-type ecdsa
.EE
.PP
Connect to a PT-TLS server using certificate-based authentication,
storing the private key in a smartcard or a TPM 2.0 Trusted Platform Module:
.PP
.EX
  pt-tls-client \-\-connect pdp.example.com \-\-cert ca.crt \\
                \-\-cert client.crt \-\-keyid 0x81010002
.EE
.PP
Connect to a PT-TLS server listening on port 443, using SASL password-based
authentication:
.PP
.EX
  pt-tls-client \-\-connect pdp.example.com --port 443 \-\-cert ca.crt \\
                \-\-client jane \-\-password p2Nl9trKlb
.EE
.SH FILES
.TP
/etc/tnc_config
.
.SH "SEE ALSO"
.
.BR strongswan.conf (5)